Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual


Part No. 060500-10
December 2017
OmniSwitch AOS Release 8
Network Configuration Guide
8.4.1.R03
This user guide covers multiple OmniSwitch product lines and describes overall AOS feature
configuration information. For platform specific feature support, please refer to the Specifications
Guide and the Release Notes.
www.al-enterprise.com


Summary of Contents for Alcatel-Lucent OmniSwitch 9900 Series

  • Page 2 The functionality described in this guide is subject to change without notice. enterprise.alcatel-lucent.com Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other trademarks used by affiliated companies of ALE Holding, visit: enterprise.alcatel-lucent.com/trademarks. All other trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    Contents About This Guide ......................xxi Supported Platforms ......................xxi Who Should Read this Manual? ..................xxi When Should I Read this Manual? .................. xxi What is in this Manual? ....................xxii What is Not in this Manual? ................... xxii How is the Information Organized? ................
  • Page 4 Contents Interfaces Violation Recovery ..................1-15 Violation Shutdown and Recovery Methods ............1-15 Interaction With Other Features ................1-16 Configuring Interface Violation Recovery .............1-17 Verifying the Interfaces Violation Recovery Configuration ........1-18 Clearing Ethernet Port Violations .................1-19 Link Monitoring ......................1-20 Monitoring Interface Errors ...................1-20 Monitoring Interface Flapping ................1-20 Monitoring Window ....................1-21 Configuring the Wait-to-Restore Timer ..............1-21...
  • Page 5 Contents Using Static Multicast MAC Addresses .................3-5 Configuring Static Multicast MAC Addresses ............3-5 Configuring MAC Address Table Aging Time ..............3-7 Configuring the Source Learning Status .................3-8 Increasing the MAC Address Table Size ................3-9 Displaying Source Learning Information ..............3-10 Chapter 4 Configuring VLANs ....................
  • Page 6 Contents High Availability VLAN Overview ................5-4 High Availability VLAN Operational Mode ............5-4 Traffic Flows in High Availability VLAN ...............5-5 Configuring High Availability VLANs on a Switch ............5-6 Creating and Deleting VLANs .................5-6 Adding and Removing Server Cluster Ports ............5-7 Assigning and Modifying Server Cluster Mode ............5-7 Assigning and Removing MAC Addresses ..............5-8 Application Examples .....................5-9 Example 1: Layer 2 Server Cluster ................5-9...
  • Page 7 Contents Configuring the Path Cost Mode ................6-31 Using Automatic VLAN Containment ..............6-31 Configuring STP Port Parameters .................6-33 Enabling/Disabling Spanning Tree on a Port ............6-34 Enabling/Disabling Loop-guard ................6-35 Configuring Port Priority ..................6-35 Configuring Port Path Cost ..................6-36 Configuring Port Mode ..................6-38 Configuring Port Connection Type ................6-40 Configuring the Edge Port Status ................6-41 Restricting Port Roles (Root Guard) ..............6-42...
  • Page 8 Contents Chapter 8 Configuring Static Link Aggregation ..............8-1 In This Chapter ........................8-1 Static Link Aggregation Default Values .................8-2 Quick Steps for Configuring Static Link Aggregation ...........8-3 Static Link Aggregation Overview .................8-5 Static Link Aggregation Operation ................8-5 Relationship to Other Features .................8-6 Configuring Static Link Aggregation Groups ..............8-6 Configuring Mandatory Static Link Aggregate Parameters ........8-6 Creating and Deleting a Static Link Aggregate Group ..........8-7...
  • Page 9 Contents Dual-Home Link Active-Active ..................10-3 DHL Active-Active Operation ................10-3 DHL Configuration Guidelines ................10-6 Configuring DHL Active-Active ................10-6 Dual-Home Link Active-Active Example ..............10-8 Recommended DHL Active-Active Topology ............10-10 Unsupported DHL Active-Active Topology (Network Loops) ......10-11 Displaying the Dual-Home Link Configuration ............10-12 Chapter 11 Configuring ERP .......................
  • Page 10 Contents MRP Overview ......................12-4 MVRP Overview ......................12-4 How MVRP Works ....................12-4 Interaction With Other Features ................12-6 Configuring MVRP .......................12-7 Enabling MVRP .....................12-7 Configuring the Maximum Number of VLANs .............12-7 Configuring MVRP Registration ................12-8 Configuring the MVRP Applicant Mode ...............12-9 Modifying MVRP Timers ..................12-10 Restricting VLAN Registration ................12-11 Restricting Static VLAN Registration ..............12-11 Restricting VLAN Advertisement ................12-12...
  • Page 11 Contents Parameter Description and Values ................14-3 Quick Steps for Configuring SIP Snooping ..............14-4 SIP Snooping Overview ....................14-5 Using SIP Snooping ......................14-6 Interoperability .......................14-7 SIP Snooping Configuration Guidelines ...............14-8 Configuring Edge Port ...................14-8 Configuring Trusted SIP Server ................14-8 Configuring SIP Snooping TCP Ports ..............14-9 Configuring SIP Snooping UDP Ports ..............14-9 Configuring the SIP Control DSCP ...............14-9 Configuring SOS Calls ...................14-9...
  • Page 12 Contents Configuring Route Map Redistribution ..............15-20 IP-Directed Broadcasts ..................15-26 Denial of Service (DoS) Filtering ................15-26 Enabling/Disabling IP Services ................15-31 Managing IP ........................15-32 Internet Control Message Protocol (ICMP) ............15-32 Using the Ping Command ..................15-34 Tracing an IP Route ....................15-35 Transmission Control Protocol (TCP) ..............15-36 Displaying UDP Information ................15-36 Tunneling ........................15-36 Generic Routing Encapsulation ................15-36...
  • Page 13 Contents Assigning IP Interfaces to a VRF Instance ............16-17 Configuring Routing Protocols for a Specific VRF Instance .......16-17 Removing a VRF Instance ...................16-17 Verifying the VRF Configuration ................16-18 Chapter 17 Configuring IPv6 ....................... 17-1 In This Chapter ......................17-1 IPv6 Defaults ......................... 17-2 Quick Steps for Configuring IPv6 Routing ..............17-3 IPv6 Overview ......................17-4 IPv6 Addressing .....................17-5...
  • Page 14 Contents IPsec Overview ......................18-5 Encapsulating Security Payload (ESP) ..............18-5 Authentication Header (AH) ..................18-6 IPsec on the OmniSwitch ..................18-7 Securing Traffic Using IPsec .................18-8 Discarding Traffic using IPsec ................18-9 Configuring IPsec on the OmniSwitch ...............18-10 Configuring an IPsec Master Key ................18-10 Configuring an IPsec Policy .................18-11 Configuring an IPsec SA ..................18-15 Enabling and Disabling Default Discard Policy ..........18-19...
  • Page 15 Contents Quick Steps for Configuring BFD ................20-4 Quick Steps for Configuring BFD Support for Layer 3 Protocols ......20-6 BFD Overview ......................20-10 Benefits of Using BFD For Failure Detection .............20-10 How the BFD Protocol Works ................20-10 Operational Mode and Echo Function ..............20-11 BFD Packet Formats ....................20-11 BFD Session Establishment .................20-12 Configuring BFD ......................20-14...
  • Page 16 Contents Configuring the DHCPv6 Relay Destination ............21-25 Viewing the DHCPv6 Relay configuration ............21-25 Verifying the DHCP Relay Configuration ..............21-26 Chapter 22 Configuring an Internal DHCP Server ..............22-1 In This Chapter ......................22-1 DHCP Server Default Values ..................22-2 Quick Steps to Configure Internal DHCP Server ............22-2 DHCP Server Overview ....................22-4 The DHCP process ....................22-4 Internal DHCP Server on OmniSwitch ..............22-4...
  • Page 17 Contents Configuring the Advertisement Interval ..............23-10 Configuring Virtual Router Priority ..............23-11 Setting Preemption for Virtual Routers ..............23-12 Enabling/Disabling a Virtual Router ..............23-13 Setting VRRP Traps .....................23-13 Setting VRRP Startup Delay ................23-14 Configuring Collective Management Functionality ..........23-14 Creating VRRP Tracking Policies ................23-17 Associating a Tracking Policy with a Virtual Router ..........23-17 Verifying the VRRP Configuration ................23-19 VRRPv2 Application Example ...................23-20...
  • Page 18 Contents Chapter 25 Configuring IP Multicast Switching ..............25-1 In This Chapter ......................25-1 IPMS Default Values ....................25-2 IPMSv6 Default Values ....................25-3 IPMS Overview ......................25-4 IPMS Example .......................25-4 Reserved IP Multicast Addresses ................25-5 IP Multicast Routing ....................25-5 Interaction With Other Features ..................25-7 IPMS for Shortest Path Bridging ................25-7 VLAN and Service Domains ..................25-7 Configuring IPMS on a Switch ..................25-9...
  • Page 19 Contents Enabling and Disabling Zero-based MLD Query ..........25-35 Modifying the MLD Router Timeout ..............25-36 Modifying the Source Timeout ................25-37 Enabling and Disabling the MLD Querying ............25-37 Modifying the MLD Robustness Variable ............25-38 Enabling and Disabling MLD Spoofing ...............25-39 Enabling and Disabling the MLD Zapping ............25-40 Limiting MLD Multicast Groups .................25-41 IPMS Application Example ..................25-42 IPMSv6 Application Example ..................25-44...
  • Page 20 Contents Configuring QoS ......................26-37 Configuring Global QoS Parameters ................26-38 Enabling/Disabling QoS ..................26-38 Using the QoS Log ....................26-38 Setting the Statistics Interval ................26-41 Returning the Global Configuration to Defaults ..........26-41 Verifying Global Settings ..................26-41 Creating Policies ......................26-42 Quick Steps for Creating Policies ................26-42 ASCII-File-Only Syntax ..................26-43 Creating Policy Conditions ..................26-44 Creating Policy Actions ..................26-45...
  • Page 21 Contents Chapter 27 Managing Policy Servers ..................27-1 In This Chapter ......................27-1 Policy Server Defaults ....................27-2 Policy Server Overview ....................27-3 Installing the LDAP Policy Server ................27-3 Modifying Policy Servers .....................27-4 Modifying LDAP Policy Server Parameters ............27-4 Disabling the Policy Server From Downloading Policies ........27-4 Modifying the Port Number ...................27-5 Modifying the Policy Server Username and Password ..........27-5 Modifying the Searchbase ..................27-5...
  • Page 22 Contents Source Learning ....................28-28 Universal Network Profile (UNP) ................28-28 Configuring Port-Based Network Access Control ............28-31 Setting Authentication Parameters for the Switch ..........28-32 Configuring UNP Port-Based Functionality ............28-38 Configuring UNP Profiles ..................28-51 Configuring the UNP Profile Mapping ..............28-54 Configuring QoS Policy Lists ................28-61 Configuring UNP Classification Rules ..............28-65 OmniAccess Stellar AP Integration ................28-69 How it Works .......................28-69...
  • Page 23 Contents Application Example 2: IP Phone — ClearPass Configuration ......28-150 Application Example 3: Guest — OmniSwitch Configuration ......28-153 Application Example 3: Guest — ClearPass Configuration ......28-154 Verifying the BYOD Configuration ..............28-159 Chapter 29 Configuring Application Monitoring and Enforcement ......... 29-1 In This Chapter ......................29-2 AppMon Defaults ......................29-3 Application Monitoring and Enforcement Overview ...........29-4...
  • Page 24 Contents Interaction With Other Features ..................30-9 General ........................30-9 QoS .........................30-9 sFLOW ........................30-9 Configuring AFP ......................30-10 Configuration Guidelines ..................30-10 Enabling/Disabling AFP ..................30-11 Enabling/Disabling Trap Generation ..............30-11 Changing the REGEX Signature Filename ............30-12 Reloading the REGEX Signature File ..............30-12 Defining Application REGEX Signatures and Groups ........30-13 Configuring AFP Port Modes ................30-16 Verifying the AFP Configuration ................30-18 Chapter 31...
  • Page 25 Contents Enabling/Disabling a Port Mapping Session ..............32-5 Enabling a Port Mapping Session ................32-5 Disabling a Port Mapping Session .................32-5 Disabling the Flooding of Unknown Unicast Traffic ..........32-5 Configuring a Port Mapping Direction .................32-5 Configuring Unidirectional Port Mapping .............32-5 Restoring Bidirectional Port Mapping ..............32-5 Sample Port Mapping Configuration ................32-6 Example Port Mapping Overview ................32-6 Example Port Mapping Configuration Steps ............32-7...
  • Page 26 Contents sFlow Overview ......................34-5 sFlow Defaults ......................34-5 Quick Steps for Configuring sFlow ...............34-5 Remote Monitoring (RMON) Overview ...............34-7 RMON Probe Defaults ...................34-7 Quick Steps for Enabling/Disabling RMON Probes ..........34-7 Switch Health Overview ....................34-8 Switch Health Defaults ...................34-8 Quick Steps for Configuring Switch Health ............34-8 Port Mirroring .......................34-9 What Ports Can Be Mirrored? ................34-9 How Port Mirroring Works ..................34-9...
  • Page 27 Contents Remote Monitoring (RMON) ..................34-28 Enabling or Disabling RMON Probes ..............34-30 Displaying RMON Tables ..................34-31 Monitoring Switch Health ...................34-35 Configuring Resource Thresholds ................34-36 Displaying Health Threshold Limits ..............34-37 Configuring Sampling Intervals ................34-38 Viewing Sampling Intervals .................34-38 Viewing Health Statistics for the Switch .............34-39 Viewing Health Statistics for a Specific Interface ..........34-40 Chapter 35 Configuring VLAN Stacking...
  • Page 28 Contents Switch Logging Notifications ................36-8 Specifying the Switch Logging Record Storage Limit ..........36-8 Chapter 37 Configuring Ethernet OAM ..................37-1 In This Chapter ......................37-1 Ethernet OAM Defaults ....................37-2 Ethernet OAM Overview ....................37-3 Ethernet Service OAM ...................37-3 Quick Steps for Configuring Ethernet OAM ..............37-8 Configuring Ethernet OAM ..................37-9 Configuring a Maintenance Domain ..............37-9 Configuring a Maintenance Association ..............37-10...
  • Page 29: About This Guide

    These features are used when readying a switch for integration into a live network environment. Supported Platforms The information in this guide applies only to the following products: • OmniSwitch 9900 Series • OmniSwitch 6900 Series • OmniSwitch 6860 Series •...
  • Page 30: What Is In This Manual

    What is in this Manual? About This Guide What is in this Manual? This configuration guide includes information about the following features: • Basic switch administrative features, such as file editing utilities, procedures for loading new software, and setting up system information (name of switch, date, time). •...
  • Page 31: Documentation Roadmap

    About This Guide Documentation Roadmap Documentation Roadmap The OmniSwitch user documentation suite was designed to supply you with information at several critical junctures of the configuration process.The following section outlines a roadmap of the manuals that will help you at each stage of the configuration process. Under each stage, we point you to the manual or manuals that will be most helpful to you.
  • Page 32 Documentation Roadmap About This Guide Anytime The OmniSwitch AOS Release 8 CLI Reference Guide contains comprehensive information on all CLI commands supported by the switch. This guide includes syntax, default, usage, example, related CLI command, and CLI-to-MIB variable mapping information for all CLI commands supported by the switch. This guide can be consulted anytime during the configuration process to find detailed and specific information on each CLI command.
  • Page 33: Related Documentation

    Guide, Network Configuration Guide, Advanced Routing Guide, and Data Center Switching Guide. • Technical Tips, Field Notices Includes information published by Alcatel-Lucent Enterprise’s Customer Support group. • Release Notes Includes critical Open Problem Reports, feature exceptions, and other important information on the features supported in the current release and any limitations to their support.
  • Page 34: Technical Support

    Lucent Enterprise product’s features and functionality and on-site hardware replacement through our global network of highly qualified service delivery partners. With 24-hour access to Alcatel-Lucent Enterprise’s Service and Support web page, you’ll be able to view and update any case (open or closed) that you have reported to Alcatel-Lucent Enterprise’s technical support, open a new case or access helpful release notes, technical bulletins, and manuals.
  • Page 35 1 Configuring Ethernet Ports The Ethernet software is responsible for a variety of functions that support Ethernet ports on OmniSwitch Series switches. These functions include diagnostics, software loading, initialization, configuration of line parameters, gathering statistics, and responding to administrative requests from SNMP or CLI. In This Chapter This chapter describes the Ethernet port parameters of the switch and how to configure them through the Command Line Interface (CLI).
  • Page 36: Chapter 1 Configuring Ethernet Ports

    Ethernet Port Defaults. The following table shows Ethernet port default values:

    Parameter Description       Command                Default Value/Comments
    Interface Line Speed        interfaces speed       AutoNeg
    Interface Duplex Mode       interfaces duplex      AutoNeg
    Trap Port Link Messages     interfaces link-trap   Disabled
    Interface Configuration     interfaces ...
  • Page 37: Ethernet Ports Overview

    Ethernet Ports Overview. This chapter describes the Ethernet software CLI commands used for configuring and monitoring the Ethernet port parameters of your switch. Configuring Ethernet Port Parameters: the following sections describe how to use CLI commands to configure Ethernet ports. Enabling and Disabling Autonegotiation: to enable or disable autonegotiation on a single port, a range of ports, or an entire slot, use the interfaces...
  • Page 38: Configuring Duplex Mode

    Configuring Duplex Mode. The interfaces duplex command is used to configure the duplex mode on a specific port, a range of ports, or all ports on a slot to full, half, or auto. (The auto option causes the switch to advertise all available duplex modes (half/full/both) for the port during autonegotiation.) In full duplex mode, the interface transmits and receives data simultaneously.
  • Page 39: Configuring A Port Alias

    Configuring a Port Alias. The interfaces alias command is used to configure an alias (i.e., a description) for a single port. (You cannot configure an alias for an entire switch or for a range of ports.) For example: -> interfaces 2/3 alias ip_phone1 ->...
  • Page 40: Configuring Flood Rate Limiting

    Configuring Ethernet Ports Configuring Ethernet Port Parameters Configuring Flood Rate Limiting The OmniSwitch implementation of storm control supports flood rate limiting for broadcast, unknown unicast, and multicast traffic. A high threshold rate is configured in megabits-per-second (mbps), packets- per-second (pps), or as a percentage of the port speed. When the threshold value is reached, packets are dropped.
  • Page 41: Configuring Flood Rate Limit Action

    For example:
    -> interfaces 2/1/1 flood-limit bcast rate mbps 100
    -> interfaces 2/1/2-5 flood-limit uucast rate pps 500
    -> interfaces slot 3/1 flood-limit mcast rate cap% 50
    Automatic recovery is enabled only when a low threshold is also configured. When both are configured, the high and low thresholds must use the same unit (mbps, pps, or percentage).
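The following Python model is an added example and is not code from the OmniSwitch guide or from ALE. It parses flood-limit commands in the form shown above, validates the rule that the high and low thresholds share one unit, and simulates the behaviour the text describes: frames of the configured type are dropped once the high threshold is reached, and the port recovers on its own only when a low threshold is configured (otherwise a manual clear is needed). The `low-threshold` keyword used by the parser and the assumption that a storm in progress drops all traffic of that type until the rate falls below the low threshold are this example's own, not statements from the guide.

```python
"""Storm-control model for the flood-limit behaviour described above.

Added example, not code from the OmniSwitch guide. Assumptions of the model:
  - rates are measured per interval in the configured unit (pps, mbps, cap%);
  - once the high threshold is reached, the excess is dropped and the port
    enters a 'storm' state in which all traffic of that type is dropped;
  - the storm state clears automatically only when a low threshold exists
    and the measured rate falls below it; otherwise clear() is required.
"""
from dataclasses import dataclass
from typing import List, Optional

TRAFFIC_TYPES = ("bcast", "mcast", "uucast")
RATE_UNITS = ("pps", "mbps", "cap%")


@dataclass
class FloodLimiter:
    traffic: str
    unit: str
    high: float
    low: Optional[float] = None      # None: no automatic recovery
    in_storm: bool = False
    dropped: float = 0.0             # total dropped, in the configured unit

    def __post_init__(self) -> None:
        if self.traffic not in TRAFFIC_TYPES:
            raise ValueError(f"unknown traffic type {self.traffic!r}")
        if self.unit not in RATE_UNITS:
            raise ValueError(f"unknown rate unit {self.unit!r}")
        if self.unit == "cap%" and not 0 < self.high <= 100:
            raise ValueError("cap% threshold must be within (0, 100]")
        if self.low is not None and not 0 <= self.low < self.high:
            raise ValueError("low threshold must be below the high threshold (same unit)")

    def observe(self, rate: float) -> str:
        """Account for one measurement interval at `rate`; return the action taken."""
        if self.in_storm:
            if self.low is not None and rate < self.low:
                self.in_storm = False        # automatic recovery
                return "recovered"
            self.dropped += rate             # storm persists: drop everything of this type
            return "storm"
        if rate >= self.high:                # guide: drop once the threshold is reached
            self.in_storm = True
            self.dropped += rate - self.high
            return "storm"
        return "forward"

    def clear(self) -> None:
        """Manual recovery, needed when no low threshold is configured."""
        self.in_storm = False


def parse_flood_limit(line: str) -> FloodLimiter:
    """Parse a CLI line of the form shown on the page:
        interfaces <ports> flood-limit <type> rate <unit> <value> [low-threshold <value>]
    'low-threshold' is this example's assumed keyword for the low threshold;
    check the CLI Reference Guide for the real syntax.
    """
    tokens = line.lstrip("-> ").split()
    if tokens[:1] != ["interfaces"] or "flood-limit" not in tokens:
        raise ValueError(f"not a flood-limit command: {line!r}")
    i = tokens.index("flood-limit")
    if tokens[i + 2] != "rate":
        raise ValueError("expected 'rate' after the traffic type")
    traffic, unit, value = tokens[i + 1], tokens[i + 3], float(tokens[i + 4])
    low = None
    if "low-threshold" in tokens:
        low = float(tokens[tokens.index("low-threshold") + 1])
    return FloodLimiter(traffic, unit, value, low)


def run(limiter: FloodLimiter, samples: List[float]) -> List[str]:
    """Feed successive per-interval rate samples and return the actions taken."""
    return [limiter.observe(r) for r in samples]


if __name__ == "__main__":
    lim = parse_flood_limit("-> interfaces 2/1/1 flood-limit bcast rate pps 500 low-threshold 100")
    print(run(lim, [50, 800, 300, 50, 50]), "dropped:", lim.dropped)
```

A configuration audit can feed every `flood-limit` line of a switch configuration through `parse_flood_limit`; a port with a high threshold but no low threshold is one that will stay in the storm state until someone clears it by hand.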
  • Page 42
    -> interfaces 1/1-10 pause tx-and-rx
    To disable flow control for one or more ports, specify the disable parameter with the interfaces pause command. For example:
    -> interfaces 1/10 pause disable
  • Page 43: Enabling And Disabling Enhanced Port Performance (Epp)

    Configuring Ethernet Ports Configuring Ethernet Port Parameters Enabling and Disabling Enhanced Port Performance (EPP) EPP can assist in connecting with SFF-8431 non-compliant or electrically deficient devices. EPP can be used on some links to enhance the receive signal sampling resolution management and help to improve the link integrity to the link partner.
  • Page 44 Configuring Ethernet Ports Configuring Ethernet Port Parameters EPP - Check the Current Link Quality A Link-Quality parameter has been added to help support EPP functionality. If connectivity issues are being observed check the current link quality using the interfaces command and observe the EPP output. For example: ->...
  • Page 45: Configuring Energy Efficient Ethernet (802.3Az)

    Configuring Ethernet Ports Configuring Ethernet Port Parameters Configuring Energy Efficient Ethernet (802.3az) Energy Efficient Ethernet (EEE) is a protocol to allow ports to operate in idle or low power mode when there is no traffic to send. When EEE is enabled on a port it will advertise its EEE capability to its link partner.
  • Page 46 Configuring Ethernet Ports Configuring Ethernet Port Parameters Note. The beacon LED feature does not affect the normal behavior of switch ports or traffic flow. It only sets LED colors and behaviors for the uses listed above. If an actual alarm or issue is detected on the switch, important LED status information related to the issue takes precedence and overrides beacon settings.
  • Page 47: Using Tdr Cable Diagnostics

    Configuring Ethernet Ports Using TDR Cable Diagnostics Using TDR Cable Diagnostics Time Domain Reflectometry (TDR) is a feature that is used to detect cable faults. This feature is best deployed in networks where service providers and system administrators want to quickly diagnose the state of a cable during outages, before proceeding with further diagnosis.
  • Page 48: Clearing Tdr Test Statistics

    Clearing TDR Test Statistics. The clear interfaces command is used to clear the statistics of the last test performed on the port. There is no global statistics clear command. For example, the following command clears the TDR statistics: ->...
  • Page 49: Interfaces Violation Recovery

    Interfaces Violation Recovery. The OmniSwitch allows features to shut down an interface when a violation occurs on that interface. To support this functionality, the following interfaces violation recovery mechanisms are provided: • Manual recovery of a downed interface by administratively re-enabling it with the interfaces admin-state command.
  • Page 50: Interaction With Other Features

    Interface Violation Exceptions. An interface violation is not applied to an interface when any of the following scenarios occur: • The interface is already in a permanent shutdown state. In this case, the only method of recovery is to re-enable the interface with the interfaces admin-state command.
  • Page 51: Configuring Interface Violation Recovery

    Configuring Ethernet Ports Interfaces Violation Recovery Configuring Interface Violation Recovery The following sections provide information about how to configure parameter values that apply to the interfaces violation recovery mechanisms. Configuring the Violation Recovery Time The violation recovery time specifies the amount of time the switch waits before automatically recovering a port that was shut down due to a violation.
  • Page 52: Verifying The Interfaces Violation Recovery Configuration

    The maximum recovery attempts value configured for a specific interface overrides the global value configured for all switch interfaces. To set the port-level value back to the global value, use the default parameter with the interfaces command that configures the maximum recovery attempts.
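The following Python state machine is an added example, not code from the OmniSwitch guide. It models the recovery mechanisms the text describes: a violation (raised by a feature such as LPS, QoS or UDLD) shuts the interface down; after the violation recovery time the interface comes back automatically; the number of automatic recoveries is capped by a maximum that is global unless a port-level value overrides it; a violation on an interface that is already down is not applied; and a permanently shut interface needs manual recovery. The transition to the permanent state when the maximum is exhausted and the reset of the attempt counter on manual recovery are assumptions of the model, and the recovery-time and maximum values in the usage are constructed, not defaults from the guide.

```python
"""Interface violation recovery model (added example, not OmniSwitch code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

UP, SHUTDOWN, PERMANENT = "up", "violation-shutdown", "permanent-shutdown"


@dataclass
class RecoveryConfig:
    recovery_time: int   # seconds to wait before an automatic recovery
    max_attempts: int    # automatic recoveries allowed before the port stays down


@dataclass
class Port:
    name: str
    state: str = UP
    attempts: int = 0                      # automatic recoveries performed so far
    shut_at: Optional[int] = None
    # port-level overrides; None means "use the global value" (the 'default' parameter)
    recovery_time: Optional[int] = None
    max_attempts: Optional[int] = None


@dataclass
class ViolationRecovery:
    global_cfg: RecoveryConfig
    ports: Dict[str, Port] = field(default_factory=dict)

    def port(self, name: str) -> Port:
        return self.ports.setdefault(name, Port(name))

    def effective(self, p: Port) -> RecoveryConfig:
        """Port-level values override the global ones where they are set."""
        return RecoveryConfig(
            p.recovery_time if p.recovery_time is not None else self.global_cfg.recovery_time,
            p.max_attempts if p.max_attempts is not None else self.global_cfg.max_attempts,
        )

    def violation(self, name: str, now: int, source: str) -> bool:
        """Apply a violation raised by `source` (e.g. 'LPS'); False if it is not applied."""
        p = self.port(name)
        if p.state != UP:                  # already shut down (temporarily or permanently)
            return False
        p.state, p.shut_at = SHUTDOWN, now
        return True

    def tick(self, name: str, now: int) -> str:
        """Advance time; recover automatically once the recovery time has elapsed."""
        p = self.port(name)
        if p.state == SHUTDOWN:
            cfg = self.effective(p)
            if now - p.shut_at >= cfg.recovery_time:
                if p.attempts < cfg.max_attempts:
                    p.attempts += 1
                    p.state, p.shut_at = UP, None
                else:                      # assumed: maximum exhausted -> permanent shutdown
                    p.state = PERMANENT
        return p.state

    def manual_recover(self, name: str) -> str:
        """Administrative recovery (re-enabling the interface); assumed to reset the counter."""
        p = self.port(name)
        p.state, p.shut_at, p.attempts = UP, None, 0
        return p.state


if __name__ == "__main__":
    vr = ViolationRecovery(RecoveryConfig(recovery_time=10, max_attempts=2))
    vr.violation("1/1/1", 0, "LPS")
    for t in (9, 10):
        print(t, vr.tick("1/1/1", t))
```

Seen from the SOC side, a port that keeps cycling through automatic recoveries is the signal to look at: each recovery is an attacker (or a faulty device) getting another chance at the port, so the global maximum should be low enough that repeat offenders land in the permanent state and are examined by a person.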
  • Page 53: Clearing Ethernet Port Violations

    Configuring Ethernet Ports Clearing Ethernet Port Violations Clearing Ethernet Port Violations The following switch applications may trigger a violation condition on one or more ports: • Learned Port Security (LPS) • Quality of Service (QoS) • Network Security • UniDirectional Link Detection (UDLD) •...
  • Page 54: Link Monitoring

    Link Monitoring. The Link Monitoring feature is used to monitor interface status to minimize the network protocol reconvergence that can occur when an interface becomes unstable. To track the stability of an interface, this feature monitors link errors and link flaps during a configured timeframe.
  • Page 55: Monitoring Window

    Configuring Ethernet Ports Link Monitoring Monitoring Window The Link Monitoring window is a per-port configurable timer that is started whenever link-monitoring is enabled on a port. During this time frame interface receive errors and interface flaps are counted. If either of the values exceeds the configured thresholds the interface is shut down.
  • Page 56: Configuring The Wait-To-Shutdown Timer

    Configuring Ethernet Ports Link Monitoring • If the interface goes down again while the WTR timer is still running, the WTR timer is stopped. Otherwise, the interface is recovered after the time expires. • The WTR timer functionality has no impact on link-error or link-flap detection; these features are configurable even when the WTR timer is disabled.
  • Page 57: Displaying Link Monitoring Information

    • The link status of the remote connected port will be down while the WTS timer is running, since the port is physically down. The interfaces wait-to-shutdown command is used to configure the WTS timer value, in multiples of 10 milliseconds.
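The following Python model is an added example, not code from the OmniSwitch guide. It implements the Link Monitoring logic described in the preceding sections: receive errors and link flaps are counted inside a per-port window, crossing either threshold shuts the port down, and when the port later comes back the wait-to-restore (WTR) timer has to expire before it is treated as recovered, with a link-down during WTR stopping the timer. The window length, thresholds and WTR value in the usage are constructed, not defaults from the guide, and the counters restarting with each new window is an assumption of the model.

```python
"""Link Monitoring window and wait-to-restore model (added example, not OmniSwitch code)."""
from dataclasses import dataclass
from typing import Optional

UP, SHUTDOWN, WTR = "up", "shutdown", "wait-to-restore"


@dataclass
class LinkMonitor:
    window: int              # monitoring window, seconds
    error_threshold: int     # receive errors tolerated per window
    flap_threshold: int      # link flaps tolerated per window
    wtr: int = 0             # wait-to-restore, seconds; 0 disables the timer
    state: str = UP
    window_start: int = 0
    errors: int = 0
    flaps: int = 0
    wtr_expiry: Optional[int] = None

    def _roll_window(self, now: int) -> None:
        """Start a fresh counting window once the current one has elapsed (assumed)."""
        if now - self.window_start >= self.window:
            self.window_start, self.errors, self.flaps = now, 0, 0

    def _check(self) -> str:
        if self.errors > self.error_threshold or self.flaps > self.flap_threshold:
            self.state, self.wtr_expiry = SHUTDOWN, None
        return self.state

    def rx_errors(self, now: int, count: int) -> str:
        """Record `count` receive errors observed at time `now`."""
        if self.state == SHUTDOWN:
            return self.state
        self._roll_window(now)
        self.errors += count
        return self._check()

    def link_down(self, now: int) -> str:
        """A link-down event: counts as a flap; during WTR it stops the timer instead."""
        if self.state == SHUTDOWN:
            return self.state
        if self.state == WTR:             # guide: link drops while WTR runs -> timer stopped
            self.state, self.wtr_expiry = SHUTDOWN, None
            return self.state
        self._roll_window(now)
        self.flaps += 1
        return self._check()

    def link_up(self, now: int) -> str:
        """The link returns after a shutdown: start WTR, or recover at once if it is disabled."""
        if self.state != SHUTDOWN:
            return self.state
        if self.wtr > 0:
            self.state, self.wtr_expiry = WTR, now + self.wtr
        else:
            self._recover(now)
        return self.state

    def tick(self, now: int) -> str:
        """Advance time; the port is recovered once the WTR timer expires."""
        if self.state == WTR and now >= self.wtr_expiry:
            self._recover(now)
        return self.state

    def _recover(self, now: int) -> None:
        self.state, self.wtr_expiry = UP, None
        self.window_start, self.errors, self.flaps = now, 0, 0   # new window on recovery


if __name__ == "__main__":
    m = LinkMonitor(window=10, error_threshold=5, flap_threshold=2, wtr=5)
    print(m.rx_errors(0, 3), m.rx_errors(4, 3), m.link_up(10), m.tick(15))
```

The threshold checks use strictly-greater comparisons, so a threshold of N tolerates exactly N events per window; tune the window against the protocols the port carries, since the point of the feature is to take an unstable port out before its flaps force spanning tree or a routing protocol to reconverge repeatedly.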
  • Page 58: Link Fault Propagation

    Configuring Ethernet Ports Link Fault Propagation Link Fault Propagation The Link Fault Propagation (LFP) feature provides a mechanism to propagate a local interface failure into another local interface. In many scenarios, a set of ports provide connectivity to the network. If all these ports go down, the connectivity to the network is lost.
  • Page 59: Configuring Link Fault Propagation

    Configuring Link Fault Propagation. Configuring LFP requires the following steps: Create an LFP group. This type of group identifies the source ports to monitor and the destination ports to bring down when all of the source ports go down. To create an LFP group, use the link-fault-propagation group command.
  • Page 60: Lfp Application Example

    LFP Application Example. This section provides an example of using LFP in a layer 2 network configuration, as shown in the following sample topology: [Figure: Link Fault Propagation - Application Example, showing OS-1, the L2 Network, LACP 1, an Access switch and a Stby link] In this example: •...
  • Page 61: Ieee 1588 Precision Time Protocol (Ptp)

    Configuring Ethernet Ports IEEE 1588 Precision Time Protocol (PTP) IEEE 1588 Precision Time Protocol (PTP) The Precision Time Protocol (PTP) is a protocol used to synchronize clocks throughout a computer network. On a local area network, it achieves clock accuracy in the sub-microsecond range, making it suitable for measurement and control systems.
  • Page 62: Mac Security Overview

    MAC Security Overview. MACSec (MAC Security) provides point-to-point security on Ethernet links between directly connected nodes. MACSec protects against denial-of-service, man-in-the-middle and replay attacks, intrusion, wire-tapping, masquerading, and so on. MACSec can be used to secure most of the traffic on Ethernet links: LLDP frames, LACP frames, DHCP/ARP packets, and so on.
  • Page 63 Configuring Ethernet Ports MAC Security Overview In Static SA Mode, two or more manually configured SA keys are used to secure traffic on the point-to- point link between two nodes. Security is maintained by periodically rotating the SA keys. Each SA key must have a corresponding matching value on the other end of the MACSec link.
  • Page 64: Enabling/Disabling Macsec On An Interface

    Enabling/Disabling MACSec on an Interface. The MACSec configuration consists of three steps: • Create aes-gcm-128 keys and associate them with a keychain. Refer to the “Chassis Management and Monitoring Commands” chapter in the OmniSwitch AOS Release 8 CLI Reference Guide for more information on keychain configuration.
  • Page 65 2 Configuring UDLD UniDirectional Link Detection (UDLD) is a protocol for detecting and disabling unidirectional Ethernet fiber or copper links caused by mis-wiring of fiber strands, interface malfunctions, media converter faults, and so on. The UDLD protocol operates at Layer 2 in conjunction with the IEEE 802.3 - Layer 1 fault detection mechanisms.
  • Page 66: Chapter 2 Configuring Udld

    UDLD Defaults

    Parameter Description                Command               Default
    UDLD administrative state            udld                  Disabled
    UDLD status of a port                udld port             Disabled
    UDLD operational mode                udld mode             Normal
    Probe-message advertisement timer    udld probe-timer      15 seconds
    Echo-based detection timer           udld echo-wait-timer  8 seconds
  • Page 67: Quick Steps For Configuring Udld

    Configuring UDLD Quick Steps for Configuring UDLD Quick Steps for Configuring UDLD To enable the UDLD protocol on a switch, use the udld command. For example: -> udld enable To enable the UDLD protocol on a port, use the udld port command by entering udld port, followed by the slot and port number, and enable.
  • Page 68: Udld Overview

    Configuring UDLD UDLD Overview UDLD Overview UDLD is a Layer 2 protocol used to examine the physical configuration connected through fiber-optic or twisted-pair Ethernet cables. When a port is affected and only a unidirectional link is working, UDLD detects and administratively shuts down the affected port, and alerts the user. Unidirectional links can create hazardous situations such as Spanning-Tree topology loops caused, for instance, by unwiring of fiber strands, interface malfunctions, faults of the media converter, and so on.
  • Page 69: Mechanisms To Detect Unidirectional Links

    Configuring UDLD UDLD Overview Mechanisms to Detect Unidirectional Links The UDLD protocol is implemented to correct certain assumptions made by other protocols and to help the Spanning Tree Protocol to function properly to avoid dangerous Layer 2 loops. UDLD uses two basic mechanisms: •...
  • Page 70: Enabling And Disabling Udld

    Configuring UDLD Configuring UDLD Configuring UDLD This section describes how to use Command Line Interface (CLI) commands to do the following: • “Enabling and Disabling UDLD” on page 2-6. • “Configuring the Operational Mode” on page 2-7. • “Configuring the Probe-Timer” on page 2-7.
  • Page 71: Configuring The Operational Mode

    Configuring UDLD Configuring UDLD Configuring the Operational Mode To configure the operational mode, use the udld mode command as shown: -> udld mode aggressive For example, to configure the mode for port 4 on slot 2, enter: -> udld port 2/4 mode aggressive To configure the mode for multiple ports, specify a range of ports.
  • Page 72: Clearing Udld Statistics

    Configuring UDLD Verifying the UDLD Configuration Clearing UDLD Statistics To clear the UDLD statistics, use the clear udld statistics port command. For example, to clear the statistics for port 4 on slot 1, enter: -> clear udld statistics port 1/4 To clear the UDLD statistics on all the ports, enter: ->...
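The echo mechanism behind the detection described in the UDLD pages above, as an added simulation that is not part of the OmniSwitch guide. It models the generic UDLD behaviour: each port advertises its own identity plus every identity it currently hears (the echo), and a port whose identity is not echoed back within the echo-wait interval concludes that its own transmit direction is dead. The normal-versus-aggressive difference modelled here (only aggressive mode shuts down a port whose established neighbour goes silent) is the commonly documented UDLD semantics and not a statement of this page; the device names, port numbers and link-failure times are constructed. The timers reuse the page's defaults of 15 and 8 seconds.

```python
"""Simulation of UDLD echo-based unidirectional link detection (added example).
Device names, port numbers and failure times are constructed; timers are the page's defaults."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

PROBE_TIMER = 15   # seconds between probes (udld probe-timer default)
ECHO_WAIT = 8      # seconds a neighbour has to echo our identity back (udld echo-wait-timer default)

Identity = Tuple[str, str]


@dataclass(frozen=True)
class Probe:
    device: str
    port: str
    echo: frozenset        # identities the sender currently hears (the echo TLV)


@dataclass
class UdldPort:
    device: str
    port: str
    mode: str = "normal"                      # "normal" or "aggressive"
    state: str = "undetermined"               # undetermined / bidirectional / unidirectional
    shutdown: bool = False
    last_heard: Dict[Identity, int] = field(default_factory=dict)
    first_heard: Dict[Identity, int] = field(default_factory=dict)

    def identity(self) -> Identity:
        return (self.device, self.port)

    def probe(self) -> Probe:
        return Probe(self.device, self.port, frozenset(self.last_heard))

    def receive(self, p: Probe, now: int) -> None:
        if self.shutdown:
            return
        nb = (p.device, p.port)
        self.first_heard.setdefault(nb, now)
        self.last_heard[nb] = now
        if self.identity() in p.echo:
            self.state = "bidirectional"       # the neighbour hears us and we hear it
        elif now - self.first_heard[nb] >= ECHO_WAIT:
            # The neighbour had a full echo-wait to echo us and never did: our transmit
            # direction is dead. Both modes act on this positive evidence.
            self.state = "unidirectional"
            self.shutdown = True

    def tick(self, now: int) -> None:
        """Age out neighbours silent for longer than a probe interval plus the echo wait."""
        if self.shutdown:
            return
        silent = [nb for nb, t in self.last_heard.items() if now - t > PROBE_TIMER + ECHO_WAIT]
        for nb in silent:
            del self.last_heard[nb]
            del self.first_heard[nb]
        if silent and self.state == "bidirectional":
            if self.mode == "aggressive":      # assumption: aggressive mode shuts down on a lost neighbour
                self.state = "unidirectional"
                self.shutdown = True
            else:                              # normal mode only stops claiming the link is healthy
                self.state = "undetermined"


def simulate(mode: str, a_to_b: Callable[[int], bool], b_to_a: Callable[[int], bool],
             duration: int = 120) -> Tuple[str, bool, str, bool]:
    """Run two ports on one link; a_to_b(t)/b_to_a(t) say whether each direction delivers at time t.
    Returns (A state, A shut down, B state, B shut down)."""
    a = UdldPort("switch-A", "1/1", mode)
    b = UdldPort("switch-B", "1/1", mode)
    for t in range(duration + 1):
        a.tick(t)
        b.tick(t)
        if t % PROBE_TIMER == 0:
            pa = None if a.shutdown else a.probe()   # both probes are built before either is delivered
            pb = None if b.shutdown else b.probe()
            if pa is not None and a_to_b(t):
                b.receive(pa, t)
            if pb is not None and b_to_a(t):
                a.receive(pb, t)
    return (a.state, a.shutdown, b.state, b.shutdown)


if __name__ == "__main__":
    print("healthy                      ", simulate("normal", lambda t: True, lambda t: True))
    print("B->A dead from the start     ", simulate("normal", lambda t: True, lambda t: False))
    print("B->A fails at 40s, normal    ", simulate("normal", lambda t: True, lambda t: t < 40))
    print("B->A fails at 40s, aggressive", simulate("aggressive", lambda t: True, lambda t: t < 40))
```

The run shows the asymmetry a practitioner should expect: when B's transmit path dies, it is B (the side that still hears A but is no longer echoed) that shuts itself down in either mode, while A only learns something is wrong in aggressive mode, because silence alone is not proof in normal mode.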
  • Page 73: In This Chapter

    Managing Source Learning. Transparent bridging relies on a process referred to as source learning to handle traffic flow. Network devices communicate by sending and receiving data packets that each contain a source MAC address and a destination MAC address. When packets are received on switch network interface (NI) module ports, source learning examines each packet and compares the source MAC address to entries in a MAC address database table.
  • Page 74: Managing Source Learning

    Source Learning Defaults
    Parameter Description                  Command                           Default
    Static MAC address operating mode      mac-learning static mac-address   bridging
    MAC address aging timer                mac-learning aging-time           300 seconds
    MAC source learning status per port    mac-learning                      enabled
    MAC source learning mode               mac-learning mode                 centralized
  • Page 75: MAC Address Table Overview

    Source learning builds and maintains the MAC address table on each switch. New MAC address table entries are created in one of two ways: they are dynamically learned or statically assigned. Dynamically learned MAC addresses are those that are obtained by the switch when source learning examines data packets and records the source address and the port and VLAN it was learned on. A destination address that is not in the table is flooded to all ports of the VLAN.
  • Page 76: Configuring Static MAC Addresses

    To configure a permanent, bridging static MAC address, see the example below:
    -> mac-learning vlan 1 port 1/1 static mac-address 00:00:02:CE:10:37 bridging
    Use the no form of this command to clear MAC address entries from the table:
    ->...
  • Page 77: Using Static Multicast MAC Addresses

    Using static multicast MAC addresses allows you to send traffic intended for a single destination multicast MAC address to selected switch ports within a given VLAN. To specify which ports receive the multicast traffic, a static multicast address is assigned to each selected port for a given VLAN.
  • Page 78: Static Multicast MAC Addresses on Link Aggregate Ports

    Static multicast MAC addresses are not assigned to physical ports that belong to a link aggregate. Instead, they are assigned to a link aggregate ID that represents a collection of physical ports. This ID is specified at the time the link aggregate of ports is created and when using the mac-address-table static-multicast command.
  • Page 79: Configuring MAC Address Table Aging Time

    Source learning also tracks MAC address age and removes addresses from the MAC address table that have aged beyond the aging timer value. When a device stops sending packets, source learning keeps track of how much time has passed since the last packet was received on the switch port of the device.
  • Page 80: Configuring the Source Learning Status

    The source learning status for a port or link aggregate of ports is configurable using the mac-learning command. For example:
    -> mac-learning port 1/10 disable
    -> mac-learning port 1/15-20 disable
    ->...
  • Page 81: Increasing the MAC Address Table Size

    There are two source learning modes available for the OmniSwitch: centralized and distributed. Enabling the distributed mode for the switch increases the table size for the switch. To enable the distributed MAC source learning mode for the chassis, use the mac-learning mode command.
  • Page 82: Displaying Source Learning Information

    To display MAC Address Table entries, statistics, and aging time values, use the show commands listed below:
    show mac-learning: Displays a list of all MAC addresses known to the MAC address table, including static and multicast MAC addresses.
  • Page 83: Configuring VLANs

    4 Configuring VLANs. In a flat bridged network, a broadcast domain is confined to a single LAN segment or even a specific physical location, such as a department or building floor. In a switch-based network, such as one comprised of OmniSwitch systems, a broadcast domain, or VLAN, can span multiple physical switches and can include ports from a variety of media types.
  • Page 84: VLAN Defaults

    Parameter Description        Command                     Default
    VLAN identifier (VLAN ID)    vlan                        VLAN 1 predefined on each switch.
    VLAN administrative state    vlan                        Enabled
    VLAN description             vlan name                   VLAN ID
    VLAN Spanning Tree state     spantree vlan admin-state   Enabled
    VLAN IP router interface     ip interface                None
    ...
  • Page 85: Sample VLAN Configuration

    The following steps provide a quick tutorial to create VLAN 100. Also included are steps to define a VLAN description, IP router interface, and static switch port assignments. Note (optional). Creating a new VLAN involves specifying a VLAN ID that is not already assigned to an existing VLAN.
  • Page 86: VLAN Management Overview

    One of the main benefits of using VLANs to segment network traffic is that VLAN configuration and port assignment are handled through switch software. This eliminates the need to physically change a network device connection or location when adding or removing devices from the VLAN broadcast domain.
  • Page 87: Adding/Removing a VLAN

    Creating/Modifying VLANs. To add a VLAN to the switch configuration, enter vlan followed by a unique VLAN ID, an optional administrative status, and an optional description. For example, the following command creates VLAN 755 with a description:
    ->...
  • Page 88: Assigning Ports to VLANs

    The OmniSwitch supports static assignment of physical switch ports to a VLAN. Once the assignment occurs, a VLAN port association (VPA) is created and tracked by VLAN management software on each switch.
  • Page 89: Using 802.1Q Tagging

    Another method for assigning ports to VLANs involves configuring a switch port or link aggregate to process 802.1Q-tagged frames that contain a specific VLAN ID designation. This method, referred to as 802.1Q tagging (or trunking), allows a single network link to carry traffic for multiple VLANs. The port's default VLAN continues to carry untagged frames alongside the tagged VLANs, so choose the default VLAN of a trunk deliberately and keep it separate from the VLANs of untrusted hosts.
  • Page 90 Port 4/3 is now configured to carry packets tagged with VLAN 5, even though VLAN 5 is not the default VLAN for the port. To enable tagging on link aggregation groups, enter the link aggregation group identification number in place of the slot and port number, as shown:
    ->...
  • Page 91: Enabling/Disabling Spanning Tree for a VLAN

    The Spanning Tree operating mode for the switch determines how VLAN ports are evaluated to identify redundant data paths. If the Spanning Tree switch operating mode is set to flat, then VLAN port connections are checked against other VLAN port connections for redundant data paths.
  • Page 92: Configuring VLAN IP Interfaces

    Network device traffic is bridged (switched) at the Layer 2 level between ports that are assigned to the same VLAN. However, if a device needs to communicate with another device that belongs to a different VLAN, then Layer 3 routing is necessary to transmit traffic between the VLANs.
  • Page 93: Bridging VLANs Across Multiple Switches

    To create a VLAN bridging domain that extends across multiple switches:
    1 Create a VLAN on each switch with the same VLAN ID number (for example, VLAN 10).
    2 On each switch, assign the ports that provide connections to other switches to the VLAN created in Step 1.
  • Page 94 C and D was shut down to avoid such a loop. See Chapter 6, “Configuring Spanning Tree Parameters,” for information about how Spanning Tree configures network topologies that are loop free. The following diagram shows the same bridging domain example as seen by the end user workstations. Because traffic between these workstations is bridged across physical switch connections within the VLAN 10 domain, the workstations are basically unaware that the switches even exist.
  • Page 95: Verifying the VLAN Configuration

    To display information about the VLAN configuration for a single switch, use the show commands listed below:
    show vlan: Displays a list of all VLANs configured on the switch and the status of related VLAN properties (for example, admin and Spanning Tree status and router port definitions).
  • Page 96 The above example output provides the following information:
    • VLAN 200 is the configured default VLAN for port 3/24, which is currently not active.
    • VLAN 200 is an 802.1Q-tagged VLAN for port 5/12, which is an active port but currently blocked from forwarding traffic.
  • Page 97: Using Private VLANs

    The Private VLAN (PVLAN) feature provides the ability to isolate Layer 2 data between devices that are on the same VLAN. This type of data isolation improves security and simplifies system configuration. A standard VLAN usually represents a single broadcast domain, but a PVLAN divides a VLAN (Primary) into sub-VLANs (Secondary).
  • Page 98: Private VLAN Ports

    • Isolated VLAN: In an Isolated VLAN, all hosts connected to a member port are isolated at Layer 2. They can communicate only with the promiscuous port of the Primary VLAN. There can be only one Isolated VLAN within one Primary VLAN.
  • Page 99: PVLAN Management Overview

    Associate the ports that will be part of the PVLAN. For example, to tag ports with Primary VLAN 200 and Secondary VLANs 250 and 251, enter:
    -> pvlan 200 members port 1/1/1-3 tagged
    -> pvlan 250 members port 1/1/10-12 tagged
    ->...
  • Page 100: Creating PVLANs

    • Associate the Secondary VLANs to user ports or link aggregates, see page 4-21.
    • Verify the PVLAN configuration, see page 4-25.
    Creating PVLANs. Before creating a PVLAN, consider the following points:
    • A Primary VLAN ID is created first and represents the PVLAN domain. When any Secondary VLANs are created, the Primary VLAN ID must be specified to identify the PVLAN to which the Secondary VLAN is assigned.
  • Page 101: Creating Secondary VLANs

    When the Primary VLAN for a PVLAN is deleted, any router interfaces defined for the PVLAN are removed and all VLAN port associations are dropped. To view a list of PVLANs already configured on the switch, use the show pvlan command.
  • Page 102: Assigning Ports to PVLANs

    You can also specify a range of Secondary VLAN IDs when creating Community VLANs. Use a hyphen to indicate a contiguous range and a space to separate multiple VLAN ID entries. For example, the following command creates and associates Community VLANs 20 through 25 to Primary VLAN 200 on the switch:
    ->...
  • Page 103 [Port-type table, partially recovered from the previous page; the surviving cells read “Only PVLAN Permit packets” and “Only PVLAN Permit packets and the same Community VLAN packets”.]
    Configuring Promiscuous Ports. A PVLAN must have one promiscuous port associated with the Primary VLAN to communicate with all the community ports, isolated ports, and ISL ports. A promiscuous port can be tagged or untagged based on the network requirements.
  • Page 104: Protocol Configuration Requirements for PVLAN

    To configure an isolated port, use the pvlan members command to assign a port or link aggregate as a tagged or untagged member of an Isolated Secondary VLAN. For example, the following commands create Isolated VLAN 250 as a Secondary VLAN to Primary VLAN 200 and then assign port 1/2/2 and link aggregate 10 to VLAN 250:
    ->...
  • Page 105 Enabling Ingress Source Filtering (ISF) for PVLANs. ISF can be enabled only on the Primary VLAN of a PVLAN configuration. When enabled on the Primary VLAN, the configuration is applied to the Secondary VLANs associated with the Primary VLAN.
    Enabling IPMS for PVLANs. IPMS can be enabled only on the Primary VLAN of a PVLAN configuration.
  • Page 106: Sample PVLAN Use Case

    PVLAN Spanning across Multiple Systems. The following diagram shows how using a PVLAN configuration allows the traffic to be segmented at the Layer 2 level, thus limiting the broadcast domain while extending it across multiple switches.
    [Diagram; labels recoverable from the figure: Community VLAN 115, 100; VLAN 50 ...]
  • Page 107: Verifying the PVLAN Configuration

    • Untagged traffic is passed into an untagged Secondary (community) port 1 on OmniSwitch-1.
      – The traffic is tagged with the PVID of the port, which is the Secondary VLAN.
      – The ISL port then carries the tagged traffic into the community port on the other switch (OmniSwitch-2:1, OmniSwitch-2:2).
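The forwarding rules for the three PVLAN port types, written out as an added Python check that is not code from the guide. It encodes what the PVLAN pages above state: a promiscuous port reaches every port of the PVLAN, an isolated port reaches only the promiscuous port, and a community port reaches the promiscuous port plus the ports of its own Community VLAN. ISL ports between switches are left out of the model. The port numbers and the Secondary VLAN IDs 250, 251 and 252 form a constructed layout (252 does not appear on the page). The validate function checks two constraints the page states: a PVLAN needs a promiscuous port, and only one Isolated VLAN is allowed per Primary VLAN.

```python
"""PVLAN Layer 2 isolation rules for the ports of one Primary VLAN (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    secondary: Optional[int] = None  # Secondary VLAN ID for isolated and community ports


def pvlan_permits(src: PvlanPort, dst: PvlanPort) -> bool:
    """May a frame entering on src be delivered to dst within the same PVLAN?"""
    if "promiscuous" in (src.role, dst.role):
        return True                                   # promiscuous ports talk to everyone
    if src.role == "community" and dst.role == "community":
        return src.secondary == dst.secondary         # same Community VLAN only
    return False                                      # isolated ports reach only the promiscuous port


def reachability(ports: Sequence[PvlanPort]) -> Dict[str, List[str]]:
    """For every port, the sorted list of other ports it can reach."""
    return {s.name: sorted(d.name for d in ports if d is not s and pvlan_permits(s, d))
            for s in ports}


def validate(ports: Sequence[PvlanPort]) -> List[str]:
    """Structural constraints stated on the page."""
    problems = []
    if not any(p.role == "promiscuous" for p in ports):
        problems.append("no promiscuous port: nothing can reach the Primary VLAN")
    isolated_ids = {p.secondary for p in ports if p.role == "isolated"}
    if len(isolated_ids) > 1:
        problems.append(f"more than one Isolated VLAN in one Primary VLAN: {sorted(isolated_ids)}")
    return problems


# Constructed layout for Primary VLAN 200: Isolated VLAN 250, Community VLANs 251 and 252.
SAMPLE_PORTS = [
    PvlanPort("1/1/1", "promiscuous"),
    PvlanPort("1/2/2", "isolated", 250),
    PvlanPort("1/2/3", "isolated", 250),
    PvlanPort("1/1/10", "community", 251),
    PvlanPort("1/1/11", "community", 251),
    PvlanPort("1/1/12", "community", 252),
]

if __name__ == "__main__":
    for port, reach in reachability(SAMPLE_PORTS).items():
        print(f"{port:8} -> {', '.join(reach) or '(nothing)'}")
    print("problems:", validate(SAMPLE_PORTS))
```

Running it against a proposed port layout before typing the pvlan members commands gives a quick answer to the question that matters for segmentation: which hosts can still see each other at Layer 2 once the PVLAN is in place.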
  • Page 108: Configuring High Availability VLANs

    5 Configuring High Availability VLANs. High availability (HA) VLANs, unlike standard VLANs, allow you to send traffic intended for a single destination MAC address to multiple switch ports. These high availability VLANs can be used to manage server clusters. In This Chapter: this chapter describes the basic components of high availability VLANs and how to configure them through the Command Line Interface (CLI).
  • Page 109: High Availability Default Values

    The table below lists default values for high availability VLAN software.
    Parameter Description                              Command                       Default Value/Comments
    Server cluster admin state of the server cluster   server-cluster admin-state    enable
    Server cluster id and mode                         server-cluster mode           L2
    ...
  • Page 110: Quick Steps for Creating High Availability VLANs

    Follow the steps below for a quick tutorial on configuring high availability (HA) VLANs. Additional information on how to configure each command is given in the sections that follow. Create a server cluster that will become the HA VLAN by using the server-cluster command, and configure its mode.
  • Page 111: High Availability VLAN Overview

    High availability (HA) VLANs send traffic intended for a single destination MAC address to multiple switch ports. An HA VLAN is configured by creating a standard VLAN and then assigning ports to the VLAN.
  • Page 112: Traffic Flows in High Availability VLAN

    The figure below shows how ingress traffic is handled by high availability VLANs.
    [Diagram; labels recoverable from the figure: OmniSwitch, OmniSwitch 7800, MAC Address 01:20:da:05:f5:2a, MAC Address 00:95:2a:05:ff:4a, High Availability VLAN, MAC Address 00:95:2a:05:ff:4a, Ingress, Egress ...]
  • Page 113: Configuring High Availability VLANs on a Switch

    This section describes how to use the Command Line Interface (CLI) commands to configure high availability (HA) VLANs on a switch. For a brief tutorial on configuring HA VLANs, see “Quick Steps for Creating High Availability VLANs”...
  • Page 114: Adding and Removing Server Cluster Ports

    Deleting a VLAN. To delete a VLAN, use the no form of the vlan command by entering no vlan followed by the VLAN’s ID number. For example, to delete high availability VLAN 10 enter:
    ->...
  • Page 115: Assigning and Removing MAC Addresses

    To assign L3 mode to link aggregates, enter the commands as:
    -> server-cluster 3 linkagg 1
    -> server-cluster 4 linkagg 1-3
    To remove a server cluster from a high availability VLAN, use the no form of the command. For example,
    ->...
  • Page 116: Application Examples

    This section contains the following HAVLAN application examples:
    • “Example 1: Layer 2 Server Cluster” on page 5-9.
    • “Example 2: Layer 3 Server Cluster” on page 5-11.
    • “Example 3: Layer 3 Server Cluster with IP Multicast Address to Cluster (IGMP)” on page 5-13.
  • Page 117 Create a default VLAN for the HA VLAN ports with the vlan command as shown below:
    -> vlan 10
    Assign member ports to the new default VLAN with the vlan members untagged and server-cluster commands as shown below:
    ->...
  • Page 118: Example 2: Layer 3 Server Cluster

    In this example, a server cluster is configured with a unique IP address, a static ARP entry (cluster MAC) and a port list. Here, the server cluster IP address must be a unicast address. The switch is connected to an L3 server cluster through 3 ports (1/3, 1/4, 1/5) •...
  • Page 119 -> server-cluster 2 port 1/3
    -> server-cluster 2 port 1/4
    -> server-cluster 2 port 1/5
    Assign an IP address to the VLAN by using the ip interface command. For example:
    -> ip interface "vlan 12"
    ->...
  • Page 120: Example 3: Layer 3 Server Cluster with IP Multicast Address to Cluster (IGMP)

    This example shows that a server cluster can be configured with a unique IP address and an IP multicast address. For this scenario, the server cluster IP address needs to be a unicast address, and the MAC address (ARP entry) can be unicast, L2 multicast or IP multicast.
  • Page 121 Configuration Example. In this example, the packet is an L3 IP switched packet, and the egress port can also be a link aggregate. Create a server cluster that will become the HA VLAN by using the server-cluster command, and configure its mode.
  • Page 122 An example of what these commands look like entered sequentially on the command line:
    -> server-cluster 3 mode L3 admin-state enable
    -> vlan 12
    -> vlan 12 members port 1/3 untagged
    -> vlan 12 members port 1/4 untagged
    ->...
  • Page 123: Displaying High Availability VLAN Status

    You can use CLI show commands to display the current configuration and statistics of high availability VLANs on a switch. These commands include the following:
    show server-cluster: Displays the server clusters configured in the system.
  • Page 124: Chapter 6 Configuring Spanning Tree Parameters

    6 Configuring Spanning Tree Parameters. The Spanning Tree Algorithm and Protocol (STP) is a self-configuring algorithm that maintains a loop-free topology on a network. STP helps to provide data path redundancy and network scalability. The OmniSwitch STP implementation, based on the IEEE 802.1D standard, distributes the Spanning Tree load between the primary management module and the network interface modules.
  • Page 125: In This Chapter

    This chapter provides an overview of how Spanning Tree works and how to configure Spanning Tree parameters through the Command Line Interface (CLI). CLI commands are used in the configuration examples;...
  • Page 126: Spanning Tree Bridge Parameter Defaults

    Parameter Description                       Command                       Default
    Spanning Tree operating mode                spantree mode                 Per-VLAN (a separate Spanning Tree instance for each VLAN)
    PVST+ status                                spantree pvst+compatibility   Disabled
    Spanning Tree status for a VLAN instance    spantree vlan admin-state     Enabled
    ...
  • Page 127: Multiple Spanning Tree (MST) Region Defaults

    Although the following parameter values are specific to MSTP, they are configurable regardless of which mode (flat or per-VLAN) or protocol is active on the switch.
    Parameter Description    Command    Default
    ...
  • Page 128: Spanning Tree Overview

    The OmniSwitch supports the use of the 802.1D Spanning Tree Algorithm and Protocol (STP), the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), and the 802.1Q 2005 Multiple Spanning Tree Protocol (MSTP).
  • Page 129 Role: Port/Bridge Properties
    Root Port: Port connection that provides the shortest path (lowest path cost value) to the root. The root bridge does not have a root port.
    Designated Port: The designated bridge provides the LAN with the shortest path to the root. The designated port connects the LAN to this bridge.
    ...
  • Page 130 Bridge Protocol Data Units (BPDU). Switches send Layer 2 frames, referred to as Configuration Bridge Protocol Data Units (BPDU), to relay information to other switches. The information in these BPDU is used to calculate and reconfigure the Spanning Tree topology.
  • Page 131 • When a bridge receives a BPDU on its designated port that contains information that is less attractive (a worse, that is numerically higher, bridge priority and/or a higher path cost), it forwards its own information to other LANs to which it is connected for consideration.
  • Page 132 For Flat + MSTP MSTI instance:
    2014 May 19 15:26:44 U28E_7_12_7 swlogd: stpCmm _STPt warn(4) TCN Storm detected on port 0/10 for Msti 1001
    For Flat + RSTP instance:
    2014 May 19 15:26:44 U28E_7_12_7 swlogd: stpCmm _STPt warn(4) TCN Storm detected on port 1/1/1
    For Per VLAN + RSTP instance:
    2014 May 19 15:26:44 U28E_7_12_7 swlogd: stpCmm _STPt warn(4) TCN Storm detected...
    A sustained stream of topology change notifications from one port is worth investigating: each one causes learned MAC addresses to be flushed, and the cause may be a flapping link or a host injecting BPDUs.
  • Page 133: Topology Examples

    The following diagram shows an example of a physical network topology that incorporates data path redundancy to ensure fault tolerance. These redundant paths, however, create loops in the network configuration. If a device connected to Switch A sends broadcast packets, Switch A floods the packets out all of its active ports.
  • Page 134 The following diagram shows the logical connectivity of the same physical topology as determined by the Spanning Tree Algorithm:
    [Diagram; labels recoverable from the figure: Switch C, Switch D, (Root Bridge), PC=4, Bridge ID 10, 00:00:00:00:00:01, Bridge ID 13, 00:00:00:00:00:04, PC=19, 3/10, PC=19 ...]
  • Page 135: Mst General Overview

    Configuring Spanning Tree Parameters MST General Overview MST General Overview The Multiple Spanning Tree (MST) feature allows for the mapping of one or more VLANs to a single Spanning Tree instance, referred to as a Multiple Spanning Tree Instance (MSTI), when the switch is running in the flat Spanning Tree mode.
  • Page 136 Configuring Spanning Tree Parameters MST General Overview VLAN 100 VLAN 100 VLAN 200 VLAN 200 Per-VLAN Mode STP/RSTP In the above per-VLAN mode example: • Both switches are running in the per-VLAN mode (one Spanning Tree instance per VLAN). • VLAN 100 and VLAN 200 are each associated with their own Spanning Tree instance.
  • Page 137 Configuring Spanning Tree Parameters MST General Overview VLAN 100 VLAN 100 CIST-0 CIST-0 VLAN 150 VLAN 150 VLAN 200 VLAN 200 MSTI-2 MSTI-2 2/12 VLAN 250 VLAN 250 Flat Mode MSTP In the above flat mode MSTP example: • Both switches are running in the flat mode and using MSTP. •...
  • Page 138: Comparing Mstp With Stp And Rstp

    Configuring Spanning Tree Parameters MST General Overview Comparing MSTP with STP and RSTP Using MSTP has the following items in common with STP (802.1D) and RSTP (802.1w) protocols: • Each protocol ensures one data path between any two switches within the network topology. This prevents network loops from occurring while at the same time allowing for redundant path configuration.
  • Page 139: What Is A Multiple Spanning Tree Region

    Configuring Spanning Tree Parameters MST General Overview What is a Multiple Spanning Tree Region A Multiple Spanning Tree region represents a group of MSTP switches. An MST region appears as a single, flat mode instance to switches outside the region. A switch can belong to only one region at a time. The region a switch belongs to is identified by the following configurable attributes, as defined by MSTP.
  • Page 140: What Is The Common Spanning Tree

    Configuring Spanning Tree Parameters MST General Overview What is the Common Spanning Tree The Common Spanning Tree (CST) is the overall network Spanning Tree topology resulting from STP, RSTP, and/or MSTP calculations to provide a single data path through the network. The CST provides connectivity between MST regions and other MST regions and/or Single Spanning Tree (SST) switches.
  • Page 141: Mst Interoperability And Migration

    Configuring Spanning Tree Parameters MST General Overview • Map VLANs to MSTI – All existing VLANs are mapped to the default CIST instance 0. Associating a VLAN to an MSTI specifies which Spanning Tree instance determines the best data path for traffic carried on the VLAN.
  • Page 142 Configuring Spanning Tree Parameters MST General Overview • STP and RSTP use a 16-bit port path cost (PPC) and MSTP uses a 32-bit PPC. When the protocol is changed to MSTP, the bridge priority and PPC values for the flat mode CIST instance are reset to their default values.
  • Page 143: Spanning Tree Operating Modes

    Configuring Spanning Tree Parameters Spanning Tree Operating Modes Spanning Tree Operating Modes The switch can operate in one of two Spanning Tree modes: flat and per-VLAN. Both modes apply to the entire switch and determine whether a single Spanning Tree instance is applied across multiple VLANs (flat mode) or a single instance is applied to each VLAN (per-VLAN mode).
  • Page 144: Using Per-Vlan Spanning Tree Mode

    Configuring Spanning Tree Parameters Spanning Tree Operating Modes Flat STP Switch Port 1/2 Default VLAN 5 VLAN 10 (tagged) Port 8/3 Port 2/5 Port 10/5 Default VLAN 5 Default VLAN 2 Default VLAN 20 VLAN 6 (tagged) Flat Spanning Tree Example In the above example, if port 8/3 connects to another switch and port 10/5 connects to that same switch, the Spanning Tree Algorithm would detect a redundant path and transition one of the ports into a blocking state.
  • Page 145: Using Per-Vlan Spanning Tree Mode With Pvst

    Configuring Spanning Tree Parameters Spanning Tree Operating Modes The following diagram shows a switch running in the per-VLAN Spanning Tree mode and shows Spanning Tree participation for both fixed and tagged ports. STP 3 STP 2 STP 4 Switch Port 1/5 Port 1/3 Default VLAN 10 Default VLAN 5...
  • Page 146: Omniswitch Pvst+ Interoperability

    Configuring Spanning Tree Parameters Spanning Tree Operating Modes OmniSwitch PVST+ Interoperability Native VLAN and OmniSwitch Default VLAN Cisco uses the standard IEEE BPDU format for the native VLAN (VLAN 1) over an 802.1Q trunk. Thus, by default the Common Spanning Tree (CST) instance of the native VLAN 1 for all Cisco switches and the STP instance for the default VLAN of a port on an OmniSwitch interoperates and successfully creates a loop-free topology.
  • Page 147 Configuring Spanning Tree Parameters Spanning Tree Operating Modes The following show command displays the PVST+ status. -> show spantree mode Spanning Tree Global Parameters Current Running Mode : per-vlan, Current Protocol : N/A (Per VLAN), Path Cost Mode : 32 BIT, Auto Vlan Containment : N/A Cisco PVST+ mode : Enabled...
  • Page 148 Configuring Spanning Tree Parameters Spanning Tree Operating Modes • Dynamic aggregate link (LACP) functions properly between OmniSwitch and Cisco switches. The Cisco switches send the BPDUs only on one physical link of the aggregate, similar to the OmniSwitch Primary port functionality. The path cost assigned to the aggregate link is not the same between OmniSwitch and Cisco switches since vendor-specific formulas are used to derive the path cost.
  • Page 149: Using Spanning Tree Configuration Commands

    Configuring Spanning Tree Parameters Using Spanning Tree Configuration Commands Using Spanning Tree Configuration Commands The OmniSwitch Spanning Tree implementation uses commands that contain one of the following keywords to specify the type of Spanning Tree instance to modify: • cist – command applies to the Common and Internal Spanning Tree instance. The CIST is the single Spanning Tree flat mode instance that is available on all switches.
  • Page 150: Selecting The Spantree Protocol

    Configuring Spanning Tree Parameters Configuring STP Bridge Parameters • If Spanning Tree is disabled on a VLAN, active ports associated with that VLAN are excluded from Spanning Tree calculations and remain in a forwarding state. • Note that when a switch is running in the flat mode, disabling Spanning Tree on VLAN 1 disables the instance for all VLANs and all active ports are then excluded from any Spanning Tree calculations and remain in a forwarding state.
  • Page 151: Configuring The Bridge Priority

    Configuring Spanning Tree Parameters Configuring STP Bridge Parameters To configure the protocol for the flat mode CIST instance, use either the spantree protocol command or the spantree protocol command with the cist parameter. Note that both commands are available when the switch is running in either mode (per-VLAN or flat).
  • Page 152: Configuring The Bridge Hello Time

    Configuring Spanning Tree Parameters Configuring STP Bridge Parameters Configuring the Bridge Hello Time The bridge hello time interval is the number of seconds a bridge waits between transmissions of Configuration BPDU. When a bridge is attempting to become the root or if it has become the root or a designated bridge, it sends Configuration BPDU out all forwarding ports once every hello time value.
  • Page 153: Configuring The Forward Delay Time For The Switch

    Configuring Spanning Tree Parameters Configuring STP Bridge Parameters To change the max-age time value for the flat mode CIST instance, use either the spantree max-age command or the spantree max-age command with the cist parameter. Note that both commands are available when the switch is running in either mode (per-VLAN or flat).
  • Page 154: Configuring The Path Cost Mode

    Configuring Spanning Tree Parameters Configuring STP Bridge Parameters To enable or disable the switching of Spanning Tree BPDU for all VLAN and CIST instances when the switch is running in the per-VLAN mode, use the spantree bpdu-switching command: -> spantree bpdu-switching enable ->...
  • Page 155 Configuring Spanning Tree Parameters Configuring STP Bridge Parameters When AVC is enabled, it identifies undesirable ports and automatically configures them with an infinite path cost value. For example, in the following diagram a link exists between VLAN 2 on two different switches.
  • Page 156: Configuring Stp Port Parameters

    Configuring Spanning Tree Parameters Configuring STP Port Parameters Configuring STP Port Parameters The following sections provide information and procedures for using CLI commands to configure STP port parameters. These parameters determine the behavior of a port for a specific Spanning Tree instance. When a switch is running in the per-VLAN STP mode, each VLAN is in essence a virtual STP bridge with its own STP instance and configurable parameters.
  • Page 157: Enabling/Disabling Spanning Tree On A Port

    Configuring Spanning Tree Parameters Configuring STP Port Parameters Commands Used for ... spantree cist auto-edge Configures a port or an aggregate of ports for the flat mode Common and Internal Spanning Tree (CIST) as an edge port, automatically. spantree vlan auto-edge Configures a port or an aggregate of ports for the per-VLAN mode VLAN instance as an edge port, automatically.
  • Page 158: Enabling/Disabling Loop-Guard

    Configuring Spanning Tree Parameters Configuring STP Port Parameters To change the port Spanning Tree status for the flat mode instance, use the spantree cist command. Note that this command is available when the switch is running in either mode (per-VLAN or flat). For example, the following command disables the Spanning Tree status on port 1/24 for the flat mode instance: ->...
  • Page 159: Configuring Port Path Cost

    Configuring Spanning Tree Parameters Configuring STP Port Parameters instance associated with the port. If the switch is running in the flat Spanning Tree mode, then the port priority applies across all VLANs associated with the port. The flat mode instance is specified as the port instance, even if the port is associated with multiple VLANs.
  • Page 160 Configuring Spanning Tree Parameters Configuring STP Port Parameters
    Link Speed   32-bit Path Cost (Physical Port)   32-bit Path Cost (Link Aggregate, 2/4/8/16 Port)
    10 Mbps      2000000                            1200000, 800000, 600000, 400000
    100 Mbps     200000                             120000, 80000, 60000, 40000
    1 Gbps       20000                              18000, 16000, 14000, 12000
    2.5G         8000                               7600, 7200, 6800, 6400...
  • Page 161: Configuring Port Mode

    Configuring Spanning Tree Parameters Configuring STP Port Parameters To change the port path cost value for the flat mode instance regardless of which mode (per-VLAN or flat) is active for the switch, use the spantree cist path-cost command. For example, the following command configures a 32-bit path cost value for port 1/24 for the flat mode instance to 20,000 (the port speed is 1 GB, 20,000 is the recommended value): ->...
  • Page 162: Mode For Link Aggregate Ports

    Configuring Spanning Tree Parameters Configuring STP Port Parameters instance number is not required. For example, the following command configures the Spanning Tree mode on port 1/24 for the flat mode instance: -> spantree cist port 1/24 mode blocking Mode for Link Aggregate Ports Physical ports that belong to a link aggregate do not participate in the Spanning Tree Algorithm.
  • Page 163: Configuring Port Connection Type

    Configuring Spanning Tree Parameters Configuring STP Port Parameters Configuring Port Connection Type Specifying a port connection type is done when using the Rapid Spanning Tree Algorithm and Protocol (RSTP), as defined in the IEEE 802.1w standard. RSTP transitions a port from a blocking state directly to forwarding, bypassing the listening and learning states, to provide a rapid reconfiguration of the Spanning Tree in the event of a path or root bridge failure.
  • Page 164: Configuring The Edge Port Status

    Configuring Spanning Tree Parameters Configuring STP Port Parameters To change the port Spanning Tree mode for the flat mode instance regardless of which mode (per-VLAN or flat) is active for the switch, use the spantree cist connection command. For example, the following command configures the connection type for port 1/24 for the flat mode instance: ->...
  • Page 165: Restricting Port Roles (Root Guard)

    Configuring Spanning Tree Parameters Configuring STP Port Parameters Restricting Port Roles (Root Guard) All ports are automatically eligible for root port selection. A port in a CIST/MSTI instance or per-VLAN instance can be prevented from becoming the root port by restricting the role of the port (also referred to as enabling root guard).
  • Page 166: Sample Spanning Tree Configuration

    Configuring Spanning Tree Parameters Sample Spanning Tree Configuration Sample Spanning Tree Configuration This section provides an example network configuration in which the Spanning Tree Algorithm and Protocol has calculated a loop-free topology. In addition, a tutorial is also included that provides steps on how to configure the example network topology using the Command Line Interface (CLI).
  • Page 167: Example Network Configuration Steps

    Configuring Spanning Tree Parameters Sample Spanning Tree Configuration • The path cost for each port connection defaults to a value based on the link speed. For example, the connection between Switch B and Switch C is a 100 Mbps link, which defaults to a path cost of 19. •...
  • Page 168 Configuring Spanning Tree Parameters Sample Spanning Tree Configuration Change the bridge priority value for VLAN 255 on Switch D to 10 using the following command (leave the priority for VLAN 255 on the other three switches set to the default value): ->...
  • Page 169: Sample Mst Region Configuration

    Configuring Spanning Tree Parameters Sample MST Region Configuration Sample MST Region Configuration An MST region identifies a group of MSTP switches that is seen as a single, flat mode instance by other regions and/or non-MSTP switches. A region is defined by three attributes: name, revision level, and a VLAN-to-MSTI mapping.
  • Page 170 Configuring Spanning Tree Parameters Sample MST Region Configuration Map VLANs 100 and 200 to MSTI 2 and VLANs 300 and 400 to MSTI 4 using the spantree msti vlan command to define the configuration digest. For example: -> spantree msti 2 vlan 100 200 ->...
  • Page 171: Sample Msti Configuration

    Configuring Spanning Tree Parameters Sample MSTI Configuration Sample MSTI Configuration By default, the Spanning Tree software is active on all switches and operating in the per-VLAN mode using 802.1w RSTP. A loop-free network topology is automatically calculated based on default 802.1w RSTP switch, bridge, and port parameter values.
  • Page 172 Configuring Spanning Tree Parameters Sample MSTI Configuration The following commands assign ports 2/1, 5/1, 5/2, and 3/6 to VLANs 100, 150, 200, and 250 on Switch B: -> vlan 100 members port 2/1 untagged -> vlan 150 members port 5/1 untagged ->...
  • Page 173 Configuring Spanning Tree Parameters Sample MSTI Configuration [Figure: Flat Mode MSTP with Superior MSTI 1 PPC Values. Switch A and Switch B, VLANs 100, 150, 200, and 250 spread over CIST-0 and MSTI-1, port 2/12.] Note.
  • Page 174: Verifying The Spanning Tree Configuration

    Configuring Spanning Tree Parameters Verifying the Spanning Tree Configuration Verifying the Spanning Tree Configuration To display information about the Spanning Tree configuration on the switch, use the show commands listed below: show spantree cist Displays the Spanning Tree bridge configuration for the flat mode Common and Internal Spanning Tree (CIST) instance.
  • Page 175: Configuring Loopback Detection

    7 Configuring Loopback Detection Loopback Detection (LBD) automatically detects a loop and shuts down the port involved in the loop. This prevents forwarding loops on ports that have forwarded network traffic which has looped back to the originating switch. LBD detects and prevents Layer 2 forwarding loops on a port either in the absence of other loop detection mechanisms such as STP/RSTP/MSTP, or when these mechanisms cannot detect it (for example, a client's equipment may drop BPDUs, or the STP protocol may be restricted to the network edge).
  • Page 176: Lbd Defaults

    Configuring Loopback Detection LBD Defaults LBD Defaults The following table shows LBD default values.
    Parameter Description                     Command                   Default Value/Comments
    LBD administrative state                  loopback-detection        Disabled
    LBD remote-origin administrative state    loopback-detection        Disabled
    LBD status of a port                      loopback-detection port   Disabled
    Remote-origin LBD status of a port        loopback-detection port   Disabled...
  • Page 177: Quick Steps For Configuring Lbd

    Configuring Loopback Detection Quick Steps for Configuring LBD Quick Steps for Configuring LBD The following steps provide a quick tutorial on how to configure LBD. Each step describes a specific operation and provides the CLI command syntax for performing that operation. To enable the LBD protocol on a switch, use the loopback-detection command.
  • Page 178: Lbd Overview

    Configuring Loopback Detection LBD Overview LBD Overview Loopback Detection (LBD) automatically detects and prevents L2 forwarding loops on a port. LBD operates in addition to STP which detects forwarding loops. When a loopback is detected, the port is disabled and goes into a shutdown state. A trap is sent and the event is logged. When enabling and configuring Loopback Detection: •...
  • Page 179 Configuring Loopback Detection Remote-origin LBD Overview [Figure: two systems connected through the corporate network. On the system with LBD and remote-origin LBD enabled globally and on the port, LBD frames are processed and the port is moved to the shutdown state; on the system with LBD and remote-origin LBD disabled, LBD frames are dropped and counted as invalid.] In the two systems VC1 and VC2, VC1 has both default LBD and remote origin LBD enabled globally and at the interface level (3/4).
  • Page 180: Interaction With Other Features

    Configuring Loopback Detection Interaction With Other Features Interaction With Other Features This section contains important information about how other OmniSwitch features interact with LBD. Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature.
  • Page 181: Configuring Lbd

    Configuring Loopback Detection Configuring LBD Configuring LBD This section describes how to use the OmniSwitch Command Line Interface (CLI) commands to configure LBD on a switch. • Enable LBD on a switch or port (see “Enabling LBD” on page 7-7) •...
  • Page 182: Configuring The Lbd Transmission Timer

    Configuring Loopback Detection LBD for Service Access Interface To enable remote-origin LBD on multiple ports, specify a range of ports. For example: -> loopback-detection port 3/1/1-8 remote-origin enable Note. See “Remote-origin LBD Overview” on page 7-4 for more details. Configuring the LBD Transmission Timer To configure the transmission time period between LBD packet transmissions, use the loopback-detection service-access...
  • Page 183: Enabling Lbd On Service-Access Interface

    Configuring Loopback Detection LBD for Service Access Interface Enabling LBD on Service-access Interface By default, LBD is disabled for the switch and on all service-access ports. To globally enable LBD for the switch, use the loopback-detection command. For example: -> loopback-detection enable To enable LBD on a service-access port, use the loopback-detection service-access command.
  • Page 184: Sample Scenarios

    Configuring Loopback Detection LBD for Service Access Interface Sample Scenarios Scenario 1 • Switch A and B are AOS switches running loopback-detection. • Switch C is a legacy switch, a non-AOS switch, or a hub. • 1/2 and 2/2 are SAP ports having the same ISID and path cost. •...
  • Page 185 Configuring Loopback Detection LBD for Service Access Interface Scenario 2 • Switch A and B are AOS switches running loopback-detection. • Switch C is a legacy switch, a non-AOS switch, or a hub. • 1/2 and 1/3 are SAP ports having the same ISID and path cost. •...
  • Page 186: Verifying The Lbd Configuration

    Configuring Loopback Detection Verifying the LBD Configuration Verifying the LBD Configuration To display LBD configuration and statistics information, use the show commands listed below: loopback-detection autorecovery-timer Displays the global LBD configuration information for the switch. show loopback-detection port Displays LBD configuration information for all ports on the switch. show loopback-detection statistics Displays LBD statistics information for a specific port on the switch.
  • Page 187: Chapter 8 Configuring Static Link Aggregation

    8 Configuring Static Link Aggregation The OmniSwitch implementation of static link aggregation software allows you to combine several physical links into one large virtual link known as a link aggregation group. Using link aggregation provides the following benefits: • Scalability. It is possible to configure a maximum number of link aggregation groups as mentioned in the “Network Configuration Specifications”...
  • Page 188: Configuring Static Link Aggregation

    Configuring Static Link Aggregation Static Link Aggregation Default Values Static Link Aggregation Default Values The table below lists default values and the commands to modify them for static aggregate groups.
    Parameter Description   Command                          Default Value/Comments
    Administrative State    linkagg static agg admin-state   enabled
    Group Name              linkagg static agg name...
  • Page 189: Quick Steps For Configuring Static Link Aggregation

    Configuring Static Link Aggregation Quick Steps for Configuring Static Link Aggregation Quick Steps for Configuring Static Link Aggregation Follow the steps below for a quick tutorial on configuring a static aggregate link between two switches. Additional information on how to configure each command is given in the subsections that follow. Create the static aggregate link on the local switch with the linkagg static agg size command.
  • Page 190 Configuring Static Link Aggregation Quick Steps for Configuring Static Link Aggregation An example of what these commands look like entered sequentially on the command line on the local switch: -> linkagg static agg 1 size 4 -> linkagg static port 1/1-4 agg 1 ->...
  • Page 191: Static Link Aggregation Overview

    Configuring Static Link Aggregation Static Link Aggregation Overview Static Link Aggregation Overview Link aggregation allows you to combine physical connections into large virtual connections known as link aggregation groups. You can create Virtual LANs (VLANs), 802.1Q framing, configure Quality of Service (QoS) conditions, and other networking features on link aggregation groups because the OmniSwitch AOS software treats these virtual links just like physical links.
  • Page 192: Relationship To Other Features

    Configuring Static Link Aggregation Configuring Static Link Aggregation Groups Relationship to Other Features Link aggregation groups are supported by other switch software features. The following features have CLI commands or command parameters that support link aggregation: • VLANs. For more information on VLANs see Chapter 4, “Configuring VLANs.”...
  • Page 193: Creating And Deleting A Static Link Aggregate Group

    Configuring Static Link Aggregation Configuring Static Link Aggregation Groups Creating and Deleting a Static Link Aggregate Group The following subsections describe how to create and delete static link aggregate groups with the linkagg static agg size command. Creating a Static Aggregate Group To create a static aggregate group on a switch, enter linkagg static agg followed by the user-specified aggregate number, size, and the number of links in the static aggregate group: For example, to create static aggregate group 5 that consists of eight links, on a switch, enter:...
  • Page 194: Removing Ports From A Static Aggregate Group

    Configuring Static Link Aggregation Configuring Static Link Aggregation Groups linkagg static port agg command by entering linkagg static port followed by the slot number, a slash (/), the port number, agg, and the number or ID of the static aggregate group. For example, to assign ports 1, 2, and 3 in slot 1 to static aggregate group 10 (which has a size of enter: ->...
  • Page 195: Modifying Static Aggregation Group Parameters

    Configuring Static Link Aggregation Modifying Static Aggregation Group Parameters Modifying Static Aggregation Group Parameters This section describes how to modify the following static aggregate group parameters: • Static aggregate group name (see “Modifying the Static Aggregate Group Name” on page 8-9) •...
  • Page 196: Application Example

    Configuring Static Link Aggregation Application Example Application Example Static link aggregation groups are treated by the switch software the same way it treats individual physical ports. This section demonstrates this by providing a sample network configuration that uses static link aggregation along with other software features.
  • Page 197: Displaying Static Link Aggregation Configuration And Statistics

    Configuring Static Link Aggregation Displaying Static Link Aggregation Configuration and Statistics Displaying Static Link Aggregation Configuration and Statistics You can use Command Line Interface (CLI) show commands to display the current configuration and statistics of link aggregation. These commands include the following: linkagg range Displays information on link aggregation groups.
  • Page 198: Chapter 9 Configuring Dynamic Link Aggregation

    9 Configuring Dynamic Link Aggregation The OmniSwitch implementation of dynamic link aggregation software allows you to combine several physical links into one large virtual link known as a link aggregation group. Using link aggregation provides the following benefits: • Scalability. It is possible to configure a maximum number of link aggregation groups as mentioned in the “Network Configuration Specifications”...
  • Page 199: Configuring Dynamic Link Aggregation

    Configuring Dynamic Link Aggregation Dynamic Link Aggregation Default Values Dynamic Link Aggregation Default Values The table below lists default values for dynamic aggregate groups.
    Parameter Description            Command                            Default Value/Comments
    Group Administrative State       linkagg lacp agg admin-state       enabled
    Group Name                       linkagg lacp agg name              No name configured
    Group Actor Administrative Key   linkagg lacp agg actor admin-key...
  • Page 200: Quick Steps For Configuring Dynamic Link Aggregation

    Configuring Dynamic Link Aggregation Quick Steps for Configuring Dynamic Link Aggregation Quick Steps for Configuring Dynamic Link Aggregation Follow the steps below for a quick tutorial on configuring a dynamic aggregate link between two switches. Additional information on how to configure each command is given in the subsections that follow. Create the dynamic aggregate group on the local (actor) switch with the linkagg lacp agg size command as shown below:...
  • Page 201 Configuring Dynamic Link Aggregation Quick Steps for Configuring Dynamic Link Aggregation Note. As an option, you can verify your dynamic aggregation group settings with the linkagg range command on either the actor or the partner switch. For example: -> show linkagg agg 2 Dynamic Aggregate SNMP Id : 40000002,...
  • Page 202: Dynamic Link Aggregation Overview

    Configuring Dynamic Link Aggregation Dynamic Link Aggregation Overview Dynamic Link Aggregation Overview Link aggregation allows you to combine physical connections into large virtual connections known as link aggregation groups. You can create Virtual LANs (VLANs), 802.1Q framing, configure Quality of Service (QoS) conditions, and other networking features on link aggregation groups because switch software treats these virtual links just like physical links.
  • Page 203 Configuring Dynamic Link Aggregation Dynamic Link Aggregation Overview [Figure: Local (Actor) Switch and Remote (Partner) Switch.] The local (actor) switch sends requests to establish a dynamic aggregate group link to the remote (partner) switch. The partner switch acknowledges that it can accept this dynamic group.
  • Page 204: Relationship To Other Features

    Configuring Dynamic Link Aggregation Configuring Dynamic Link Aggregate Groups Relationship to Other Features Link aggregation groups are supported by other switch software features. For example, you can configure 802.1Q tagging on link aggregation groups in addition to configuring it on individual ports. The following features have CLI commands or command parameters that support link aggregation: •...
  • Page 205: Configuring Mandatory Dynamic Link Aggregate Parameters

    Configuring Dynamic Link Aggregation Configuring Dynamic Link Aggregate Groups Configuring Mandatory Dynamic Link Aggregate Parameters When configuring LACP link aggregates on a switch you must perform the following steps: Create the Dynamic Aggregate Groups on the Local (Actor) and Remote (Partner) Switches. To create a dynamic aggregate group use the linkagg lacp agg size command, which is described in...
  • Page 206: Configuring Ports To Join And Removing Ports In A Dynamic Aggregate Group

    Configuring Dynamic Link Aggregation Configuring Dynamic Link Aggregate Groups Deleting a Dynamic Aggregate Group To remove a dynamic aggregation group configuration from a switch use the no form of the linkagg lacp agg size command by entering no linkagg lacp agg followed by its dynamic aggregate group number. For example, to delete dynamic aggregate group 2 from the switch configuration, enter: ->...
  • Page 207: Removing Ports From A Dynamic Aggregate Group

    Configuring Dynamic Link Aggregation Configuring Dynamic Link Aggregate Groups For example, to configure actor administrative key of 10, a local system ID (MAC address) of 00:20:da:06:ba:d3, and a local priority of 65535 to slot 4 port 1, enter: -> linkagg lacp port 4/1 actor admin-key 10 actor system-id 00:20:da:06:ba:d3 actor system-priority 65535 For example, to configure an actor administrative key of 10 to slot 4 port 1, enter: ->...
  • Page 208: Modifying Dynamic Link Aggregate Group Parameters

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Modifying Dynamic Link Aggregate Group Parameters The table on page 9-2 lists default group and port settings for the OmniSwitch implementation of Dynamic Link Aggregation. These parameters ensure compliance with the IEEE 802.3ad specification. For most networks, these default values need not be modified or can be modified automatically by the switch software.
  • Page 209: Modifying The Dynamic Aggregate Group Name

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Modifying the Dynamic Aggregate Group Name The following subsections describe how to configure and remove a dynamic aggregate group name with the linkagg lacp agg name command. Configuring a Dynamic Aggregate Group Name To configure a dynamic aggregate group name, enter linkagg lacp agg followed by the dynamic aggregate group number, name, and the user-specified name.
  • Page 210: Modifying The Dynamic Aggregate Group Actor System Priority

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Configuring and Deleting the Dynamic Aggregate Group Actor Administrative Key The following subsections describe how to configure and delete a dynamic aggregate group actor administrative key with the linkagg lacp agg actor admin-key command.
  • Page 211: Modifying The Dynamic Aggregate Group Actor System Id

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Modifying the Dynamic Aggregate Group Actor System ID By default, the dynamic aggregate group actor system ID (MAC address) is 00:00:00:00:00:00. The following subsections describe how to configure a user-specified value and how to restore the value to its default value with the linkagg lacp agg actor system-id command.
  • Page 212: Modifying The Dynamic Aggregate Group Partner System Priority

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Modifying the Dynamic Aggregate Group Partner System Priority By default, the dynamic aggregate group partner system priority is 0. The following subsections describe how to configure a user-specified value and how to restore the value to its default value with the linkagg lacp agg partner system-priority command.
  • Page 213: Modifying Dynamic Link Aggregate Actor Port Parameters

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Modifying Dynamic Link Aggregate Actor Port Parameters This section describes how to modify the following dynamic aggregate actor port parameters: • Actor port administrative state (see “Modifying the Actor Port System Administrative State” on page 9-16) •...
  • Page 214: Modifying The Actor Port System Id

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters linkagg lacp agg actor admin-state Keyword / Definition: collect: Specifying this keyword has no effect because the system always determines its value. When this bit (bit 4) is set by the system, incoming LACPDU frames are collected from the individual ports that make up the dynamic aggregate group.
  • Page 215: Modifying The Actor Port System Priority

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Configuring an Actor Port System ID You can configure the actor port system ID by entering linkagg lacp port, the slot number, a slash (/), the port number, actor system-id, and the user-specified actor port system ID (MAC address) in the hexadecimal format of xx:xx:xx:xx:xx:xx.
  • Page 216: Modifying Dynamic Aggregate Partner Port Parameters

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Modifying the Actor Port Priority By default, the actor port priority (used to converge dynamic key changes) is 0. The following subsections describe how to configure a user-specified value and how to restore the value to its default value with the linkagg lacp port actor port priority command.
  • Page 217: Modifying The Partner Port System Administrative State

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Modifying the Partner Port System Administrative State The system administrative state of a dynamic aggregate group partner (remote switch) port is indicated by bit settings in Link Aggregation Control Protocol Data Unit (LACPDU) frames sent by this port. By default, bits 0 (indicating that the port is active), 1 (indicating that short timeouts are used for LACPDU frames), and 2 (indicating that this port is available for aggregation) are set in LACPDU frames.
  • Page 218: Modifying The Partner Port Administrative Key

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate partner port 49 in slot 7, enter: -> linkagg lacp port 7/49 partner admin-state active aggregate For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate partner port 49 in slot 7 and document that the port is a Gigabit Ethernet port, enter: ->...
  • Page 219: Modifying The Partner Port System Id

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Modifying the Partner Port System ID By default, the partner port system ID (the MAC address used as the system ID on dynamic aggregate partner ports) is 00:00:00:00:00:00. The following subsections describe how to configure a user-specified value and how to restore the value to its default value with the linkagg lacp port partner admin system- command.
  • Page 220: Modifying The Partner Port Administrative Status

    Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters Restoring the Partner Port System Priority To remove a user-configured system priority from a dynamic aggregate group partner port configuration use the no form of the linkagg lacp agg partner system-priority command by entering lacp port, the slot number, a slash (/), the port number, and partner admin-system-priority.
  • Page 221 Configuring Dynamic Link Aggregation Modifying Dynamic Link Aggregate Group Parameters For example, to modify the port priority of dynamic aggregate partner port 3 in slot 4 to 100, enter: -> linkagg lacp port 4/3 partner admin-port priority 100 Restoring the Partner Port Priority To remove a user-configured partner port priority from a dynamic aggregate group partner port configuration use the no form of the linkagg lacp port partner admin port-priority...
  • Page 222: Application Examples

    Configuring Dynamic Link Aggregation Application Examples Application Examples Dynamic link aggregation groups are treated by the switch software much like individual physical ports. This section demonstrates the dynamic link aggregation feature by providing sample network configurations that use dynamic aggregation along with other software features. In addition, tutorials are provided that show how to configure these sample networks by using Command Line Interface (CLI) commands.
  • Page 223: Link Aggregation And Spanning Tree Example

    Configuring Dynamic Link Aggregation Application Examples Link Aggregation and Spanning Tree Example As shown in the figure on page 9-25, VLAN 10, which uses the Spanning Tree Protocol (STP) with a priority of 15, has been configured to use dynamic aggregate group 7. The actual physical links connect ports 3/9 and 3/10 on Switch A to ports 1/1 and 1/2 on Switch B.
  • Page 224: Link Aggregation And Qos Example

    Configuring Dynamic Link Aggregation Application Examples Link Aggregation and QoS Example As shown in the figure on page 9-25, VLAN 12, which uses 802.1Q frame tagging and 802.1p prioritization, has been configured to use dynamic aggregate group 7. The actual physical links connect ports 4/1, 4/2, 4/3, and 4/4 on Switch A to ports 1/1, 1/2, 1/3, and 1/4 on Switch C.
  • Page 225: Displaying Dynamic Link Aggregation Configuration And Statistics

    Configuring Dynamic Link Aggregation Displaying Dynamic Link Aggregation Configuration and Statistics Displaying Dynamic Link Aggregation Configuration and Statistics You can use Command Line Interface (CLI) show commands to display the current configuration and statistics of link aggregation. These commands include the following: linkagg range Displays information on link aggregation groups.
  • Page 226 Configuring Dynamic Link Aggregation Displaying Dynamic Link Aggregation Configuration and Statistics Partner Admin Key : 8, Partner Oper Key : 0, Attached Agg Id : 0, Actor Port : 7, Actor Port Priority : 15, Partner Admin Port : 0, Partner Oper Port : 0, Partner Admin Port Priority...
  • Page 227: Configuring Dual-Home Links

    10 Configuring Dual-Home Links Dual-Home Link (DHL) is a high availability feature that provides fast failover between core and edge switches without implementing Spanning Tree. The OmniSwitch provides the following method for implementing a DHL solution: DHL Active-Active—an edge technology that splits a number of VLANs between two active links. The forwarding status of each VLAN is modified by DHL to prevent network loops and maintain connectivity to the core when one of the links fails.
  • Page 228: Dual-Home Link Active-Active Defaults

    Configuring Dual-Home Links Dual-Home Link Active-Active Defaults Dual-Home Link Active-Active Defaults The table below lists default values for dual-home link aggregate groups. Parameter Description Command Default Value/Comments DHL session ID dhl name If a name is not assigned to a DHL session, the session is configured as DHL-1 Admin state of DHL session...
  • Page 229: Dual-Home Link Active-Active

    Configuring Dual-Home Links Dual-Home Link Active-Active Dual-Home Link Active-Active Dual-Home Link (DHL) Active-Active is a high availability feature that provides fast failover between core and edge switches without using Spanning Tree. To provide this functionality, DHL Active-Active splits a number of VLANs between two active links. The forwarding status of each VLAN is modified by DHL to prevent network loops and maintain connectivity to the core when one of the links fails.
  • Page 230: Protected Vlans

    Configuring Dual-Home Links Dual-Home Link Active-Active Protected VLANs A protected VLAN is one that is assigned to both links in a DHL session. This means that if the link to which the VLAN is mapped fails, the VLAN is moved to the other active DHL link to maintain connectivity with the core switches.
  • Page 231 Configuring Dual-Home Links Dual-Home Link Active-Active topology change event and the MAC address table is not automatically flushed. This can create stale MAC address entries that are looking for end devices over the wrong link. To avoid stale MAC address entries in the forwarding tables of the core switches, some type of communication needs to occur between the edge uplink switch and the core switches.
  • Page 232: Dhl Configuration Guidelines

    Configuring Dual-Home Links Dual-Home Link Active-Active DHL Configuration Guidelines Review the following guidelines before attempting to configure a DHL setup: • Make sure that DHL linkA and linkB are associated with each VLAN protected by the DHL session. Any VLAN not associated with either link or only associated with one of the links is unprotected. •...
  • Page 233 Configuring Dual-Home Links Dual-Home Link Active-Active -> dhl 10 pre-emption-time 500 Configure the MAC address flushing method for the DHL session using the dhl num mac-flushing command and specify either the raw or mvrp parameter option. By default, the MAC flushing method is set to none.
  • Page 234: Dual-Home Link Active-Active Example

    Configuring Dual-Home Links Dual-Home Link Active-Active Dual-Home Link Active-Active Example The figure below shows two ports (1/1/10 and 1/1/12) that serve as link A and link B for a DHL session configured on the Edge switch. Both ports are associated with VLANs 1-10, where VLAN 1 is the default VLAN for both ports.
  • Page 235 Configuring Dual-Home Links Dual-Home Link Active-Active Configure port 1/1/10 and port 1/1/12 as the dual-home links (linkA, linkB) for the DHL session. -> dhl 1 linkA port 1/1/10 linkB port 1/1/12 Map VLANs 2, 4, 6, 8, and 10 to DHL linkB. ->...
  • Page 236: Recommended Dhl Active-Active Topology

    Configuring Dual-Home Links Dual-Home Link Active-Active Recommended DHL Active-Active Topology The following is an example of a recommended topology for Dual-Home Link Active-Active. In the above topology, all uplinked switches are connected to the core network through redundant links, and the links are configured to use DHL Active-Active. Spanning Tree is disabled on all the DHL enabled ports of the uplinked devices.
  • Page 237: Unsupported Dhl Active-Active Topology (Network Loops)

    Configuring Dual-Home Links Dual-Home Link Active-Active Unsupported DHL Active-Active Topology (Network Loops) The following is an example of an unsupported topology for Dual-Home Link Active-Active. In the above topology, a link between uplinked devices that does not go through the core network is not recommended because it creates a loop in the network.
  • Page 238: Displaying The Dual-Home Link Configuration

    Configuring Dual-Home Links Displaying the Dual-Home Link Configuration Displaying the Dual-Home Link Configuration You can use Command Line Interface (CLI) show commands to display the current configuration and statistics of link aggregation. These commands include the following: show linkagg Displays information on link aggregation groups. show linkagg port Displays information on link aggregation ports.
  • Page 239: 11 Configuring Erp

    11 Configuring ERP The ITU-T G.8032/Y.1344 Ethernet Ring Protection (ERP) switching mechanism is a self-configuring algorithm that maintains a loop-free topology while providing data path redundancy and network scalability. ERP provides fast recovery times for Ethernet ring topologies by utilizing traditional Ethernet MAC and bridge functions.
  • Page 240: Erp Defaults

    Configuring ERP ERP Defaults ERP Defaults ERP default settings: Parameter Description Command Default ERP ring status erp-ring Disabled RPL status for the node erp-ring rpl-node Disabled The wait-to-restore timer value for erp-ring wait-to-restore 5 minutes the RPL node The guard-timer value for the ring erp-ring guard-timer 50 centi-seconds node...
  • Page 241: Erp Overview

    Configuring ERP ERP Overview ERP Overview Ethernet Ring Protection (ERP) is a protection switching mechanism for Ethernet ring topologies, such as multi-ring and ladder networks. This implementation of ERP is based on the Recommendation ITU-T G.8032/Y.1344 and uses the ring Automatic Protection Switching (APS) protocol to coordinate the prevention of network loops within a bridged Ethernet ring.
  • Page 242: Erp Timers

    Configuring ERP ERP Overview BPR—The Blocked Port Reference that identifies the ring port (0 for interconnection node or sub-ring, 1 for master ring) that is blocked. The BPR status is used in all R-APS messages. CCM—When an Ethernet ring contains no ERP capable nodes, CCM (Continuity Check Messages) are required to monitor the ring-port connectivity across the L2 network.
  • Page 243: Erp Basic Operation

    Configuring ERP ERP Overview ERP Basic Operation ERP operates over standard Ethernet interfaces that are physically connected in a ring topology. It uses an Automatic Protection Switching (APS) protocol to coordinate protection and recovery switching mechanisms over the Ethernet ring. In an Ethernet ring, each node is connected to two adjacent nodes using two independent links called ring links.
  • Page 244: Overlapping Protected Vlans Between Erp Rings On Same Node

    Configuring ERP ERP Overview Protection Mode When the failed link shown in the above illustration recovers, the ring transitions as follows back to the idle mode: • Nodes adjacent to the recovered link initiate an R-APS (NR) message and start the Guard Timer. •...
  • Page 245: Erpv2 Basic Operation

    Configuring ERP ERP Overview ERPv2 Basic Operation The enhanced ERPv2 functionality supports multi-ring and ladder networks that contain interconnection nodes, interconnected shared links, master rings and sub-rings. Multiple sub-tending rings are supported over the same physical ring. A shared link can only be part of the master ring. The sub-rings connected to the interconnection nodes are not closed and cannot use the shared links.
  • Page 246 Configuring ERP ERP Overview R-APS Virtual Channel ERPv2 supports two implementation options for the R-APS control channel of the sub-ring. • Virtual Channel Enabled - R-APS messages are encapsulated and transmitted over an R-APS Virtual channel configured on the major ring. •...
  • Page 247: Interaction With Other Features

    Configuring ERP Interaction With Other Features Interaction With Other Features This section contains important information about interaction of ERP with other OmniSwitch features. Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature.
  • Page 248: Quick Steps For Configuring Erp With Standard Vlans

    Configuring ERP Quick Steps for Configuring ERP with Standard VLANs Quick Steps for Configuring ERP with Standard VLANs The following steps provide a quick tutorial for configuring ERP. Create a VLAN using the vlan command and add the ring ports. ->...
  • Page 249: Quick Steps For Configuring Erp With Vlan Stacking

    Configuring ERP Quick Steps for Configuring ERP with VLAN Stacking Quick Steps for Configuring ERP with VLAN Stacking The following steps provide a quick tutorial for configuring ERP with VLAN Stacking: Create a VLAN Stacking SVLAN 1001 using the command. ->...
  • Page 250: Erp Configuration Overview And Guidelines

    Configuring ERP ERP Configuration Overview and Guidelines ERP Configuration Overview and Guidelines Configuring ERP requires several steps. These steps are outlined here and further described throughout this section. For a brief tutorial on configuring ERP, see “Quick Steps for Configuring ERP with Standard VLANs”...
  • Page 251: Configuring An Erp Ring

    Configuring ERP Configuring an ERP Ring Configuring an ERP Ring The following configuration steps are required to create an ERP ring: Determine which two ports on the switch are the ring ports. For example, ports 1/1 and 1/2. Determine which VLAN on the switch is the ERP service VLAN for the ring. If the VLAN does not exist, create the VLAN.
  • Page 252: Configuring An Rpl Port

    Configuring ERP Configuring an ERP Ring Configuring an RPL Port A ring protection link (RPL) port can be a physical or logical port. The port must be a ring port before it is configured as an RPL port, and of the two ring ports on the node, only one can be configured as an RPL port.
  • Page 253: Configuring Erp With Vlan Stacking Nnis

    Configuring ERP Configuring an ERP Ring By default, the guard timer value is set to 50 centi-seconds. To change the value of this timer, use the erp-ring guard-timer command. For example: -> erp-ring 1 guard-timer 100 To restore the Guard Timer back to the default value, use the no form of the erp-ring guard-timer command.
  • Page 254: Clearing Erp Statistics

    Configuring ERP Configuring an ERP Ring Configuring ERP Protected SVLANs An SVLAN becomes an ERP protected SVLAN when the SVLAN is associated with two NNI ports that also serve as ring ports. In this case, the SVLAN is automatically protected as part of the association with NNI ring ports.
  • Page 255: Erpv2 Configuration Overview And Guidelines

    Configuring ERP ERPv2 Configuration Overview and Guidelines ERPv2 Configuration Overview and Guidelines The following section details the guidelines and prerequisites for configuring ERPv2 and describes how to configure the ERPv2 related parameters using the OmniSwitch CLI. Configuring the sample ERPv2 ring network involves the following tasks: Optional: Configure tagged ports or link aggregate ports before configuring ERP.
  • Page 256: Sample Switch Configuration

    Configuring ERP ERPv2 Configuration Overview and Guidelines • The RPL can be placed anywhere on the Master Ring, including the shared links. • The RPL can be placed anywhere on the Sub Rings, including the only ring port of the interconnection nodes.
  • Page 257 Configuring ERP ERPv2 Configuration Overview and Guidelines Enabling and Disabling R-APS Virtual Channel The R-APS virtual channel can be enabled or disabled. By default, the R-APS virtual channel is enabled. Enabling R-APS Virtual Channel Enable the R-APS virtual channel using the following command: -> erp-ring 2 virtual-channel enable R-APS messages from the sub-ring on the interconnection node are forwarded as normal data to the major ring ports. A node is identified as an interconnection node when at least one ring is configured with a sub-ring-port.
  • Page 258 Configuring ERP ERPv2 Configuration Overview and Guidelines Enabling or Disabling Revertive Mode Revertive mode is enabled by default. You can disable revertive mode by entering the following command: -> erp-ring 2 revertive disable You can enable revertive mode by entering the following command: ->...
  • Page 259: Sample Ethernet Ring Protection Configuration

    Configuring ERP Sample Ethernet Ring Protection Configuration Sample Ethernet Ring Protection Configuration This section provides an example network configuration in which ERP is configured on network switches to maintain a loop-free topology. In addition, a tutorial is also included that provides steps on how to configure the example network topology using the Command Line Interface (CLI).
  • Page 260: Example Erp Configuration Steps

    Configuring ERP Sample Ethernet Ring Protection Configuration Example ERP Configuration Steps The following steps provide a quick tutorial for configuring the ERP ring network shown in the diagram on page 11-21: Configure ERP ring 1 and add protected VLANs 11 through 20 on Switch A, B, C, D, and E using the following commands: ->...
  • Page 261: Sample Erpv2 Ring Configuration

    Configuring ERP Sample ERPv2 Ring Configuration Sample ERPv2 Ring Configuration This section provides an example network configuration in which ERPv2 is configured on network switches to maintain a loop-free topology. In addition, a tutorial is also included that provides steps on how to configure the example network topology using the Command Line Interface (CLI).
  • Page 262: Configuring Shared Link

    Configuring ERP Sample ERPv2 Ring Configuration The following sub-sections provide the details on prerequisites and different configurations for switches to set up an ERPv2 ring network using OmniSwitch CLI commands. Configuring Shared Link The following configurations must be performed on Switch A and Switch B. Step 1: Create the Service VLAN and add to ring ports on Switch A and B that are part of a shared link: Switch A ->...
  • Page 263: Configuring Switches In Main Ring

    Configuring ERP Sample ERPv2 Ring Configuration Switch B -> vlan 100-300 members port 2/2 tagged Switch B -> vlan 201-400 members port 1/6 tagged Configuring Switches in Main Ring The following configurations must be performed on Switch C, D, and E ->...
  • Page 264: Verifying The Erp Configuration

    Configuring ERP Verifying the ERP Configuration Verifying the ERP Configuration A summary of the show commands used for verifying the ERP configuration is given here: show erp Displays the ERP configuration information for all rings, a specific ring, or for a specific ring port. show erp statistics Displays the ERP statistics for all rings, a specific ring, or a specific ring port.
  • Page 265: 12 Configuring Mvrp

    12 Configuring MVRP Multiple VLAN Registration Protocol (MVRP) is a standards-based Layer 2 network protocol for automatic configuration of VLAN information on switches. It was defined in the 802.1ak amendment to 802.1Q-2005. MVRP provides a method to share VLAN information and configure the needed VLANs within a Layer 2 network.
  • Page 266: Mvrp Defaults

    Configuring MVRP MVRP Defaults MVRP Defaults The following table lists the defaults for MVRP configuration. Parameter Description Command Default Value/Comments Enables or disables MVRP globally mvrp disabled on a switch. Enables or disables MVRP on mvrp port disabled specific ports Maximum number of VLANs mvrp maximum-vlan Registration mode of the port...
  • Page 267: Quick Steps For Configuring Mvrp

    Configuring MVRP Quick Steps for Configuring MVRP Quick Steps for Configuring MVRP The following steps provide a quick tutorial on how to configure MVRP. Each step describes a specific operation and provides the CLI command syntax for performing that operation. Create a VLAN using the vlan command.
  • Page 268: Mrp Overview

    Configuring MVRP MRP Overview MRP Overview Multiple Registration Protocol (MRP) was introduced as a replacement for GARP with the IEEE 802.1ak-2007 amendment. The Multiple VLAN Registration Protocol (MVRP) defines an MRP application that provides the VLAN registration service. MVRP provides a mechanism for dynamic maintenance of the contents of dynamic VLAN registration entries for each VLAN, and for propagating the information they contain to other bridges.
  • Page 269 Configuring MVRP MVRP Overview Switch A has 3 VLANs configured as static VLANs (10, 20, and 30). Other switches on the same network learn these 3 VLANs as dynamic VLANs. Also, the end station connected on port 5 is statically configured for VLAN 50.
  • Page 270: Interaction With Other Features

    Configuring MVRP MVRP Overview [Figure: Dynamic Learning of VLAN 50. Switch A: static VLANs 10, 20, 30 and dynamic VLAN 50. Switch B and Switch C: dynamic VLANs 10, 20, 30, 50. End Station: static VLAN 50.] Note.
  • Page 271: Configuring Mvrp

    Configuring MVRP Configuring MVRP Configuring MVRP This section describes how to configure MVRP using the Command Line Interface (CLI) commands. Enabling MVRP MVRP is used primarily to prune unnecessary broadcast and unknown unicast traffic, and to create and manage VLANs. MVRP has to be globally enabled on a switch before it can start forwarding MVRP frames.
  • Page 272: Configuring Mvrp Registration

    Configuring MVRP Configuring MVRP Configuring MVRP Registration MVRP allows a port to register and de-register static VLANs. Every device has a list of all the switches and end stations that can be reached at any given time. When an attribute for a device is registered or de-registered, the set of reachable switches and end stations, also called participants, is modified.
  • Page 273: Configuring The Mvrp Applicant Mode

    Configuring MVRP Configuring MVRP Setting MVRP Forbidden Registration The forbidden registration mode prevents any VLAN registration or de-registration. If dynamic VLANs previously created are present, they are de-registered. To configure a port to forbidden mode, use the mvrp registration command. For example, to configure port 2 of slot 1 to forbidden mode, enter the following: ->...
  • Page 274: Modifying Mvrp Timers

    Configuring MVRP Configuring MVRP To set the applicant mode of port 1/2 to participant mode, enter the following: -> mvrp port 1/2 applicant participant When a port is set to non-participant mode, MVRP PDUs are not sent through the STP forwarding and blocking ports.
  • Page 275: Restricting Vlan Registration

    Configuring MVRP Configuring MVRP To view the timer value assigned to a particular port, use the show mvrp timer command. -> show mvrp port 1/2 timer Join Timer (msec) : 600, Leave Timer (msec) : 1800, LeaveAll Timer (msec) : 30000, Periodic-Timer (sec) Note.
  • Page 276: Restricting Vlan Advertisement

    Configuring MVRP Configuring MVRP Restricting VLAN Advertisement VLANs learned by a switch through MVRP can either be propagated to other switches or be blocked. This helps prune VLANs that have no members on a switch. If the applicant mode is set to participant or active, you can use the mvrp restrict-vlan-advertisement command to restrict the propagation of VLAN...
  • Page 277: Verifying The Mvrp Configuration

    Configuring MVRP Verifying the MVRP Configuration Verifying the MVRP Configuration A summary of the commands used for verifying the MVRP configuration is given here: show mvrp last-pdu-origin Displays the source MAC address of the last MVRP message received on specific ports or aggregates. show mvrp configuration Displays the global configuration for MVRP.
  • Page 278: 13 Configuring 802.1Ab

    13 Configuring 802.1AB Link Layer Discovery Protocol (LLDP) is an emerging standard that provides a solution for the configuration issues caused by expanding networks. LLDP supports the network management software used for complete network management. LLDP is implemented as per the IEEE 802.1AB standard. LLDP specifically defines a standard method for Ethernet network devices and Media Endpoint Devices (MED) to exchange information with their neighboring devices and maintain a database of the information.
  • Page 279: 802.1Ab Defaults Table

    Configuring 802.1AB 802.1AB Defaults Table 802.1AB Defaults Table The following table shows the default settings of the configurable 802.1AB parameters. Parameter Description Command Default Value/Comments Transmit time interval for LLDPDUs lldp transmit interval 30 seconds Transmit hold multiplier value lldp transmit hold-multiplier Reinit delay lldp reinit delay 2 seconds...
  • Page 280: Quick Steps For Configuring 802.1Ab

    Configuring 802.1AB Quick Steps for Configuring 802.1AB Quick Steps for Configuring 802.1AB To enable the transmission and the reception of LLDPDUs on a port, use the lldp lldpdu command. For example: -> lldp port 2/47 lldpdu tx-and-rx To control per port notification status about a change in a remote device associated to a port, use the lldp notification command.
  • Page 281: 802.1Ab Overview

    Configuring 802.1AB 802.1AB Overview 802.1AB Overview LLDP is a Layer 2 protocol used to detect adjacent devices in a network. Each device in a network sends and receives LLDPDUs through all ports on which the protocol is enabled. If the protocol is disabled on a port, then LLDPDUs received on that port are dropped.
  • Page 282: Lldp-Media Endpoint Devices

    Configuring 802.1AB 802.1AB Overview IEEE 802.1 Organizationally Specific TLV Set • Port VLAN ID TLV • Port and Protocol VLAN ID TLV • VLAN name TLV • Protocol identity TLV Note. If one TLV from this set is included in the LLDPDU, then all the other TLVs need to be included. IEEE 802.3 Organizationally Specific TLV Set •...
  • Page 283: Lldp Agent Operation

    Configuring 802.1AB 802.1AB Overview • Inventory management, allowing network administrators to track their network devices, and determine their characteristics (manufacturer, software and hardware versions, and serial / asset number). • Support for receiving, storing and advertising of VLAN information from and to remote Network Connectivity Devices and Media Endpoint Devices (MEDs).
  • Page 284: Lldp Agent Security Mechanism

    Configuring 802.1AB 802.1AB Overview LLDP Agent Security Mechanism The OmniSwitch LLDP Agent Security mechanism provides a solution for secure access to the network by detecting rogue devices and preventing them from accessing the internal network. LLDP agent security is achieved by allowing only one trusted LLDP remote agent on a network port. An option is provided to configure the Chassis ID subtype that is used to validate the Chassis ID type in the incoming LLDP PDU.
  • Page 285: Configuring 802.1Ab

    Configuring 802.1AB Configuring 802.1AB Configuring 802.1AB The following sections detail the procedures to enable 802.1AB and assign ports to 802.1AB. Configuring LLDPDU Flow The lldp lldpdu command can be used to enable or disable the LLDPDU flow on a specific port, a slot, or all ports on a switch.
  • Page 286: Enabling And Disabling Management Tlv

    Configuring 802.1AB Configuring 802.1AB Enabling and Disabling Management TLV The lldp tlv management command is used to control the per-port transmission of management TLVs in the LLDPDUs on a specific port, a slot, or all ports on a switch. When enabled, the LLDPDU administrative status must be in the transmit state.
  • Page 287: Enabling And Disabling Med Tlv

    Configuring 802.1AB Configuring 802.1AB To disable the 802.3 TLV on a switch, enter the lldp tlv dot3 command, as shown: -> lldp chassis tlv dot3 mac-phy disable To disable 802.3 TLV on port 5 of slot 3, enter the following command at the CLI prompt: ->...
  • Page 288 -> show lldp local-port Local Slot 1/Port 1 LLDP Info: Port ID = 1001 (Locally assigned), Port Description = Alcatel-Lucent 1/1, Vlan = 1, AP Location = sw1, Local Slot 1/Port 2 LLDP Info: Port ID...
  • Page 289: Enabling And Disabling Application Priority Tlv

    Configuring 802.1AB Configuring 802.1AB Note. For more information about WebView, see the OmniSwitch AOS Release 8 Switch Management Guide. Enabling and Disabling Application Priority TLV The lldp tlv application command is used to include the LLDP-DCBx Application Priority TLV in the LLDPDUs transmitted on a specific port, a slot, or all ports on a switch.
  • Page 290: Setting The Transmit Interval

    Configuring 802.1AB Configuring 802.1AB Configuring Application Priority TLV Parameters The lldp tlv application priority command is used to configure the LLDP-DCBx Application Priority TLV to advertise an 802.1p priority value for specific protocols on a specific port, a slot, or all ports on a switch.
  • Page 291: Application Example - Lldp Med

    Configuring 802.1AB Configuring 802.1AB Application Example - LLDP MED The following example describes how to configure LLDP MED on the devices. Application Example - LLDP MED In the above example, the NMS obtains Layer 2 information about Core Switch, SwitchA, SwitchB, and AP.
  • Page 292: Verifying 802.1Ab Configuration

    Configuring 802.1AB Verifying 802.1AB Configuration Verifying 802.1AB Configuration To display information about the ports configured to handle 802.1AB, use the following show command: show lldp system-statistics Displays system-wide statistics. show lldp statistics Displays port statistics. show lldp local-system Displays local system information. show lldp local-port Displays port information.
  • Page 293: 14 Configuring Sip Snooping

    14 Configuring SIP Snooping Session Initiation Protocol (SIP) addresses the key challenge of real time delivery and monitoring requirements for media streams from SIP devices. SIP Snooping prioritizes voice and video traffic over non-voice traffic. • Identifies and marks the SIP and its corresponding media streams. Each media stream contains Real Time Protocol (RTP) and Real Time Control Protocol (RTCP) flows.
  • Page 294: Sip Snooping Defaults

    Configuring SIP Snooping SIP Snooping Defaults SIP Snooping Defaults The following table shows SIP Snooping default values. Parameter Description Command Default Value/Comments The administrative status of SIP sip-snooping admin-state disable Snooping Configure the status of SIP snooping sip-snooping port admin-state disable SIP Snooping mode sip-snooping mode...
  • Page 295: Parameter Description And Values

    Configuring SIP Snooping Parameter Description and Values Parameter Description and Values PARAMETER Description Default value Configurable Min Global SIP snooping Disable SIP snooping per port Enable SIP Snooping mode Automatic Number of SIP UDP Ports Number of SIP TCP Ports 5260 Number of Trusted Call server Number of SOS-Call...
  • Page 296: Quick Steps For Configuring Sip Snooping

    Configuring SIP Snooping Quick Steps for Configuring SIP Snooping Quick Steps for Configuring SIP Snooping The following steps provide a quick tutorial on how to configure SIP Snooping. Each step describes a specific operation and provides the CLI command syntax for performing that operation. Create a global SIP policy to classify incoming flows.
  • Page 297: Sip Snooping Overview

    Configuring SIP Snooping SIP Snooping Overview SIP Snooping Overview The Session Initiation Protocol (SIP) is an IETF-defined signaling protocol widely used for controlling communication sessions such as voice and video calls over Internet Protocol (IP). The protocol can be used for creating, modifying and terminating media sessions. Sessions may consist of one or several media streams.
  • Page 298: Using Sip Snooping

    Configuring SIP Snooping Using SIP Snooping Using SIP Snooping A SIP network consists of the following network elements: • Edge switches, aggregation switches, and core switches. • SIP user agents (e.g., SIP phones). SIP user agents are directly connected to edge switches. • One SIP Server is connected to the Core switch within the campus infrastructure. The server is responsible for all the SIP functions such as registrar, proxy, redirect, gateway.
  • Page 299: Interoperability

    Interoperability SIP Snooping can interact with the following equipment: No Equipment Description OpenTouch Business Edition 1.1 Server SIP based server from Alcatel-Lucent 500 Users (OTBE) Enterprise OXE IP Media Gateway MR3 Part of OTBE PCX Enterprise RM3...
  • Page 300: Sip Snooping Configuration Guidelines

    Configuring SIP Snooping SIP Snooping Configuration Guidelines SIP Snooping Configuration Guidelines This section describes how to use OmniSwitch Command Line Interface (CLI) commands to configure SIP Snooping on a switch. Consider the following guidelines when configuring SIP Snooping entities: Configuring Edge Port SIP snooping requires that the uplink ports are configured as non-edge ports.
  • Page 301: Configuring Sip Snooping Tcp Ports

    Configuring SIP Snooping SIP Snooping Configuration Guidelines Configuring SIP Snooping TCP Ports The SIP snooping feature allows the configuration of TCP ports. This restricts the SIP snooping functions to a list of TCP ports; SIP packets sent or received on those TCP ports are snooped. A maximum of 8 TCP ports can be configured on a switch.
  • Page 302: Configuring Rtcp Thresholds

    Configuring SIP Snooping SIP Snooping Configuration Guidelines Configuring RTCP Thresholds When RTCP monitoring is enabled, the SIP snooping feature also inspects the RTCP packets that carry performance metrics for the RTP flow. Depending on the RTCP capabilities of the SIP user agent endpoints, the following metrics can be determined by software: •...
  • Page 303: Unsupported Topologies

    Configuring SIP Snooping SIP Snooping Configuration Guidelines Other source conditions are also supported but are not expected to provide real benefits. The policy condition is not used as such in the hardware filtering entry, but is used by the SIP snooping module to determine the policy rule that the new RTP flow matches.
  • Page 304: Sip Snooping Use Case

    Configuring SIP Snooping SIP Snooping Use Case SIP Snooping Use Case In this section, advanced SIP configuration use cases are illustrated. Instead of having all voice audio/ video media streams treated the same way, more granular SIP policies can be configured. Expectations •...
  • Page 305 Configuring SIP Snooping SIP Snooping Use Case SIP Condition In this example, specific QoS treatments are configured based on the source IP subnet. • Voice source IP subnet 10.10.0.0 = DSCP 56 • Video source IP subnet 10.10.0.0 = DSCP 32 • Voice source IP subnet 10.20.0.0 = DSCP 46 •...
  • Page 306 Configuring SIP Snooping SIP Snooping Use Case -> show sip-snooping call-records ended-calls full Legend: start date time duration media-type end-reason call-id / from-tag / to-tag IP address port DSCP (forward/reverse) policy-rule (F/R) Pkt count (F/R) statistics min / max / avg %samples exceeding threshold (F/R) -------------------------------------------------------------------------------- 2002-04-06 01:06:10 UTC 0d 0h 4m 15s Audio...
  • Page 307: Sip Snooping Limitations

    Configuring SIP Snooping SIP Snooping Limitations • Media types other than audio and video (such as application and image media types) are not supported. • The solution only supports SIP; there is no support for NOE (New Office Environment). • SIP Registrar, outbound proxy, proxy, and redirect functions should be provided by the same server, called the SIP Server.
  • Page 308: Verifying The Sip Snooping Configuration

    Configuring SIP Snooping Verifying the SIP Snooping Configuration To display information about SIP Snooping on the switch, use the show commands listed below: show sip-snooping config Shows the SIP snooping configuration. show sip-snooping ports Displays the SIP snooping port level data. show sip-snooping call-records Displays the SIP-snooping active/ended call records.
  • Page 309: Chapter 15 Configuring Ip

    15 Configuring IP Internet Protocol (IP) is primarily a network-layer (Layer 3) protocol that contains addressing and control information that enables packets to be forwarded. Along with Transmission Control Protocol (TCP), IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork;...
  • Page 310 Configuring IP In This Chapter • Managing IP – Internet Control Message Protocol (ICMP) (see page 15-32) – Using the Ping Command (see page 15-34) – Tracing an IP Route (see page 15-35) – Transmission Control Protocol (TCP) (see page 15-36) –...
  • Page 311: Ip Defaults

    Configuring IP IP Defaults The following table lists the defaults for IP configuration through the ip command (Description / Command / Default): IP-Directed Broadcasts / ip directed-broadcast / disable; Time-to-Live Value / ip default-ttl / 64 (hops); IP interfaces / ip interface / VLAN 1 interface; ARP filters / arp filter. Quick Steps for Configuring IP Forwarding...
  • Page 312: Ip Overview

    Configuring IP IP Overview Create an IP interface on VLAN 20 using the ip interface command. For example: -> ip interface vlan-20 address 171.11.1.1 vlan 20 Note. See Chapter 4, “Configuring VLANs,” for more information about how to create VLANs. IP Overview IP is a network-layer (Layer 3) protocol that contains addressing and control information that enables packets to be forwarded on a network.
  • Page 313 Configuring IP IP Overview • File Transfer Protocol (FTP)—Enables the transfer of files between hosts. This protocol is used to load new images onto the switch. Additional IP Protocols Many additional IP-related protocols can be used with IP forwarding. These protocols are included as part of the base code.
  • Page 314: Ip Forwarding

    Configuring IP IP Forwarding IP Forwarding Network device traffic is bridged (switched) at the Layer 2 level between ports that are assigned to the same VLAN. However, if a device needs to communicate with another device that belongs to a different VLAN, then Layer 3 routing is necessary to transmit traffic between the VLANs.
  • Page 315: Configuring An Ip Interface

    Configuring IP IP Forwarding Configuring an IP Interface IP is enabled by default. Using IP, devices connected to ports on the same VLAN are able to communicate. However, to forward packets to a different VLAN, create at least one IP interface on each VLAN.
  • Page 316: Modifying An Ip Router Interface

    Configuring IP IP Forwarding Modifying an IP Router Interface The ip interface command is also used to modify existing IP interface parameter values. It is not necessary to remove the IP interface and then create it again with the new values. The changes specified overwrite existing parameter values.
  • Page 317: Configuring A Loopback0 Interface

    Configuring IP IP Forwarding Configuring a Loopback0 Interface Loopback0 is the name assigned to an IP interface to identify a consistent address for network management purposes. The Loopback0 interface is not bound to any VLAN, so it always remains operationally active. If there are no active ports in a VLAN, all IP interfaces associated with that VLAN are inactive.
  • Page 318: Configuring An Ip Managed Interface

    Configuring IP IP Forwarding Configuring an IP Managed Interface By default, most applications that run on IP use the egress IP interface address as the source IP, while using a socket to communicate with a peer/server. However, it may be desirable to have some applications use a specific source IP for the packets that are sent out using the socket.
  • Page 319: Creating A Static Route Or Recursive Static Route

    Configuring IP IP Forwarding Application Default Source Interface VRF Support SWLOG Outgoing interface Supported with any VRF (Configuration available only in the default VRF) Outgoing interface Servers can only be set in the default VRF Switch Access and Utilities (the ping and traceroute commands can specify a source address as an optional parameter) Telnet Outgoing interface Supported with any VRF...
  • Page 320: Creating A Default Route

    Configuring IP IP Forwarding address of the first hop (gateway). For example, to delete a static route to IP address 171.11.0.0 through gateway 171.11.2.1, you would enter: -> no ip static-route 171.11.0.0 gateway 171.11.2.1 The IP Forwarding table includes routes learned through one of the routing protocols (RIP, OSPF, BGP) as well as any static routes that are configured.
  • Page 321: Configuring Address Resolution Protocol (Arp)

    Configuring IP IP Forwarding Create a linkagg and then create a VLAN interface and assign the created linkagg as tagged or untagged to that VLAN. For example: • To create a VLAN interface and assign linkagg 6 as tagged to that VLAN, use the command below: ->...
  • Page 322: Deleting A Permanent Entry From The Arp Table

    Configuring IP IP Forwarding When configuring a static multicast ARP entry, do not use any of the following multicast addresses: 01:00:5E:00:00:00 to 01:00:5E:7F:FF:FF, 01:80:C2:XX:XX:XX, 33:33:XX:XX:XX:XX. The IP address and hardware address (MAC address) are required when you add an entry to the ARP table.
  • Page 323: Clearing A Dynamic Entry From The Arp Table

    Configuring IP IP Forwarding Clearing a Dynamic Entry from the ARP Table Dynamic entries can be cleared using the ip distributed-arp admin-state command. This command clears all dynamic entries. Clear the permanent entries using the no arp command. Use the show arp command to display the table and verify that the table was cleared. Note.
  • Page 324: Distributed Arp

    Configuring IP Distributed ARP • Which ARP packet IP address to use for filtering (sender or target). If the target IP address in the ARP packet matches a target IP specified in a filter, then the disposition for that filter applies to the ARP packet.
  • Page 325: Verifying The Distributed Arp

    Configuring IP Distributed ARP To disable the feature, use the command as shown in the example: -> ip distributed-arp admin-state disable Note. To reset or update the designated-NI, the feature must be disabled and then enabled. Verifying the Distributed ARP The ARP utilization can be monitored and checked at any time using the show ip arp utilization command.
  • Page 326: Distributed Arp Management Example

    Configuring IP Distributed ARP To view the designated-NI for the interface, use the show ip interface command. For example: -> show ip interface 15 Interface Name = 15 SNMP Interface Index 13600001, IP Address 15.2.2.1, Subnet Mask 255.255.255.0, Broadcast Address 15.2.2.255, Device vlan 215,...
  • Page 327: Ip Configuration

    Configuring IP IP Configuration • When the threshold of 95% is met on a particular NI, the IP interface/VLAN with the lowest amount of ARPs will be moved first. The entire set of ARPs from a particular IP interface/VLAN is moved in case of NI overload.
  • Page 328: Configuring The Route Preference Of A Router

    Configuring IP IP Configuration Configuring the Route Preference of a Router By default, the route preference of a router is in this order: local, static, OSPF, RIP, EBGP, and IBGP (highest to lowest). Use the ip route-pref command to change the route preference value of a router. For example, to configure the route preference of an OSPF route, you must enter: ->...
  • Page 329: Using Route Maps

    Configuring IP IP Configuration Using Route Maps A route map specifies the criteria that are used to control redistribution of routes between protocols. Such criteria are defined by configuring route map statements. There are three different types of statements: • Action.
  • Page 330 Configuring IP IP Configuration The above command configures a match statement for the ospf-to-bgp route map to filter routes based on their tag value. When this route map is applied, only OSPF routes with a tag value of eight are redistributed into the BGP network.
  • Page 331 Configuring IP IP Configuration Configuring Route Map Sequences A route map can consist of one or more sequences of statements. The sequence number determines which statements belong to which sequence and the order in which sequences for the same route map are processed.
  • Page 332 Configuring IP IP Configuration Configuring Access Lists An IP access list provides a convenient way to add multiple IPv4 or IPv6 addresses to a route map. Using an access list avoids having to enter a separate route map statement for each individual IP address. Instead, a single statement is used that specifies the access list name.
  • Page 333 Configuring IP IP Configuration -> show ip redist Source Destination Protocol Protocol Status Route Map ------------+------------+---------+-------------------- LOCAL4 Enabled rip_1 LOCAL4 OSPF Enabled ospf_2 LOCAL4 Enabled bgp_3 OSPF Enabled ospf-to-bgp Configuring the Administrative Status of the Route Map Redistribution The administrative status of a route map redistribution configuration is enabled by default. To change the administrative status, use the status parameter with the ip redist command.
  • Page 334: Ip-Directed Broadcasts

    Configuring IP IP Configuration IP-Directed Broadcasts An IP directed broadcast is an IP datagram that has all zeros or all ones in the host portion of the destination IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly attached.
  • Page 335 Configuring IP IP Configuration • Multicast IP and MAC Address Mismatch—This attack is detected when: – the source MAC address of a packet received by a switch is a Multicast MAC address. – the destination IP and MAC addresses of a packet received by a switch are the same as the Multicast IP and MAC addresses, but the Multicast IP and the Multicast MAC addresses do not match.
  • Page 336 Configuring IP IP Configuration DoS Settings UDP/TCP closed = 10 UDP open = 20 TCP open = 5 Threshold = 2000 Decay = 2 Penalty Total = 0 In 1 minute, 10 TCP closed port packets and 10 UDP closed port packets are received. This brings the total penalty value to 200, as shown using the following equation: (10 TCP X 10 penalty) + (10 UDP X 10 penalty) = 200 This value would be divided by 2 (due to the decay) and decreased to 100.
  • Page 337 Configuring IP IP Configuration [Figure: DoS Settings example. Settings: UDP/TCP closed = 10, UDP open = 20, TCP open = 5, Threshold = 2000, Decay = 2. Minute 2: 10 TCP closed port packets, 10 UDP closed port packets, 100 UDP open port packets; Penalty Total = 2150; Generate DoS Attack Warning Trap.] The above functions and how to set their values are covered in the sections that follow.
  • Page 338: Arp Poisoning

    Configuring IP IP Configuration Setting the Port Scan Penalty Value Threshold The port scan penalty value threshold is the highest point the total penalty value for the switch can reach before a trap is generated informing the administrator that a port scan is in progress. To set the port scan penalty value threshold, enter the threshold value with the ip dos scan threshold command.
  • Page 339: Enabling/Disabling Ip Services

    Configuring IP IP Configuration To verify the number of attacks detected for configured ARP poison restricted addresses, use the show ip dos arp-poison command. For more information about this command, see the OmniSwitch AOS Release 8 CLI Reference Guide. Enabling/Disabling IP Services When a switch initially boots up, all supported TCP/UDP well-known service ports are enabled (open).
  • Page 340: Managing Ip

    Configuring IP Managing IP Managing IP The following sections describe IP commands that can be used to monitor and troubleshoot IP forwarding on the switch. Internet Control Message Protocol (ICMP) Internet Control Message Protocol (ICMP) is a network layer protocol within the IP protocol suite that provides message packets to report errors and other IP packet processing information back to the source.
  • Page 341 Configuring IP Managing IP Activating ICMP Control Messages ICMP messages are identified by a type and a code. This number pair specifies an ICMP message. For example, ICMP type 4, code 0, specifies the source quench ICMP message. To enable or disable an ICMP message, use the icmp type command with the type and code.
  • Page 342: Using The Ping Command

    Configuring IP Managing IP Enabling All ICMP Types To enable all ICMP message types, use the icmp messages command with the enable keyword. For example: -> icmp messages enable To disable all ICMP messages, enter the same command with the disable keyword. For example: ->...
  • Page 343: Tracing An Ip Route

    Configuring IP Managing IP • source-interface. Use the source-interface keyword to set the IP address to be used as source IP for the ping packets. • data-pattern. Use the data-pattern keyword to set the data pattern to be used in the data field of the ping packets.
  • Page 344: Transmission Control Protocol (Tcp)

    Configuring IP Tunneling Transmission Control Protocol (TCP) TCP Half-open Timeout Configuration Use the ip tcp half-open-timeout command to configure the timeout periods for dropping half-open TCP connections. Currently supported values are 3, 7, 15, 31 and 63 (in seconds). The default value is 63 seconds. ->...
  • Page 345: Tunneling Operation

    Configuring IP Tunneling Consider the following when configuring the IPIP tunnel interfaces: • A switch can support up to 127 IPIP tunnel interfaces. • IPIP tunnel interfaces are included in the maximum number of IP interfaces that are supported on the switch.
  • Page 346: Configuring A Tunnel Interface

    Configuring IP Tunneling Configuring a Tunnel Interface To configure a GRE tunnel, use the ip interface tunnel command as shown: -> ip interface "gre" tunnel source 23.23.23.1 destination 155.2.2.2 protocol gre In this example, the GRE tunnel named “gre” is created and assigned a source IP address of 23.23.23.1 and a destination IP address of 155.2.2.2.
  • Page 347: Verifying The Ip Configuration

    Configuring IP Verifying the IP Configuration Verifying the IP Configuration A summary of the show commands used for verifying the IP configuration is given here: show ip interface Displays the usability status of interfaces configured for IP. show ip routes Displays the IP Forwarding table.
  • Page 348: Vrf Route Leak

    Configuring IP VRF Route Leak VRF provides isolation of routing instances from each other. The basic principle of VRF is to keep two or more routing domains mutually exclusive by containing the exchange of routing information and the forwarding of packets within the same routing instance.
  • Page 349: Configuring Vrf Route Leak

    Configuring IP VRF Route Leak Redistribute routes that were imported from other VRFs and added to the RDB into other routing protocols using the ip redist command. For example: -> ip redist import into ospf route-map R3 status enable Configuring VRF Route Leak This section describes how to configure VRF Route Leak using the CLI commands.
  • Page 350: Verifying Vrf Route Leak Configuration

    Configuring IP VRF Route Leak Import Routes from the GRT Import routes from the GRT to the destination VRF. Use a route map to filter imported routes. Only one route map can be configured for an import policy for each export VRF. Note.
  • Page 351: Chapter 16 Configuring Multiple Vrf

    16 Configuring Multiple VRF Multiple Virtual Routing and Forwarding (VRF) provides a mechanism for segmenting Layer 3 traffic into virtual routing domains (instances) on the same switch. Each routing instance independently maintains its own routing and forwarding table, peer, and interface information. In This Chapter This chapter describes the Multiple VRF feature and how to configure it through the Command Line Interface (CLI).
  • Page 352: Vrf Defaults

    Configuring Multiple VRF VRF Defaults VRF Defaults Parameter Description Command Default Value/Comments Active VRF instance Default VRF instance with max profile capabilities. OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 16-2...
  • Page 353: Quick Steps For Configuring Multiple Vrf

    Configuring Multiple VRF Quick Steps for Configuring Multiple VRF Quick Steps for Configuring Multiple VRF The initial configuration for an OmniSwitch consists of a default VRF instance. This instance is always available and is not removable. The following procedure provides a quick tutorial for creating two additional VRF instances and configuring IPv4 protocols to run in each instance: Note.
  • Page 354 Configuring Multiple VRF Quick Steps for Configuring Multiple VRF Enable RIP on IP interface “intf100” in the IpOne VRF instance using the ip rip interface admin-state command. For example: IpOne::-> ip rip interface intf100 admin-state enable IpOne::-> Select IpTwo for the active VRF instance and create an IP router interface on VLAN 102 using the ip interface command.
  • Page 355 Configuring Multiple VRF Quick Steps for Configuring Multiple VRF -> vrf IpOne IpOne: -> show ip interface Total 1 interfaces Name IP Address Subnet Mask Status Forward Device --------------------+---------------+---------------+------+-------+-------- intfone 200.1.1.1 255.255.255.0 DOWN vlan 200 See the OmniSwitch AOS Release 8 CLI Reference Guide for information about the fields in the above displays.
  • Page 356: Multiple Vrf Overview

    Configuring Multiple VRF Multiple VRF Overview Multiple VRF Overview The Multiple Virtual Routing and Forwarding (VRF) feature provides the ability to configure separate routing instances on the same switch. Similar to using VLANs to segment Layer 2 traffic, VRF instances are used to segment Layer 3 traffic.
  • Page 357 Configuring Multiple VRF Multiple VRF Overview [Diagram: Customer A Site 1 and Site 2 (VRF A) and Customer B Site 1 and Site 2 (VRF B) connected through PE routers (PE 2 shown) holding VRF A and VRF B across the Service Provider IP Network; VRF C...]
  • Page 358: Vrf Profiles

    Configuring Multiple VRF Multiple VRF Overview VRF Profiles The VRF feature supports two types of VRF instances: a low profile instance and a max profile instance. The type of profile assigned to a VRF instance determines the routing protocols and capabilities supported within that instance.
  • Page 359: Ascii-File-Only Syntax

    Configuring Multiple VRF Multiple VRF Overview context-based CLI, see “Configuring VRF Instances” on page 16-15 and “Verifying the VRF Configuration” on page 16-18. Note. All VRF instances are active in terms of routing and forwarding tasks whether or not the instance is the current CLI context.
  • Page 360 Configuring Multiple VRF Multiple VRF Overview (Level / Description, for Telnet/SSH/SFTP/Radius/SNMP/HTTP/HTTPS/NTP/LDAP/TACACS+/Syslog): Default VRF only; Single VRF for all services; Single VRF per service, each service can be on a different VRF; Multiple VRFs per service, any service on any VRF.
  • Page 361: Vrf Interaction With Other Features

    Configuring Multiple VRF VRF Interaction With Other Features VRF Interaction With Other Features This section contains important information about how other OmniSwitch features interact with VRF instances. Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature.
  • Page 362: Bgpv4

    Configuring Multiple VRF VRF Interaction With Other Features • The VRF instance that the server is configured on becomes the “management” VRF instance and can perform authentication for any of the following services: Console HTTP Telnet SNMP SSH (ssh, sftp, and scp) •...
  • Page 363: Webview

    Configuring Multiple VRF VRF Interaction With Other Features Supports VRF configuration for all NTP operations (both client and server). WebView Supports VRF configuration for "WebView Server" and "WebView Access". Syslog Server Supports VRF configuration for forwarding swlog output to the syslog daemon of the switch (or host). Quality of Service (QoS) •...
  • Page 364: Vlans

    Configuring Multiple VRF VRF Interaction With Other Features VLANs Configuring an interface for a VLAN also associates that VLAN with the active VRF context. A VLAN, however, can only belong to one VRF instance at a time. As a result, all interfaces configured for a VLAN must belong to the same VRF instance.
  • Page 365: Configuring Vrf Instances

    Configuring Multiple VRF Configuring VRF Instances Configuring VRF Instances Configuring the Multiple VRF feature consists of the following: • Creating a VRF instance with a low profile or the default max profile. • Assigning one or more IP interfaces to the instance. •...
  • Page 366: Selecting A Vrf Instance

    Configuring Multiple VRF Configuring VRF Instances Changing the profile for an existing VRF instance is not allowed. To change the profile, first delete the VRF then create it again with a different profile. For example, to change profile IpTwo to a max profile VRF, use the following commands: ->...
  • Page 367: Assigning Ip Interfaces To A Vrf Instance

    Configuring Multiple VRF Configuring VRF Instances Assigning IP Interfaces to a VRF Instance When a VRF instance is created or an existing instance is selected, any IP interface subsequently configured is associated with that instance. For example, the following commands select the IpOne VRF instance and configure an IP interface for that instance: ->...
  • Page 368: Verifying The Vrf Configuration

    Configuring Multiple VRF Verifying the VRF Configuration Verifying the VRF Configuration To display a list of VRF instances configured for the switch, use the show vrf command. For example: -> show vrf Virtual Routers Profile Protocols --------------------+-------+------------------- default default BGP PIM VRRP IpOne IpTwo IpThree...
  • Page 369: Chapter 17 Configuring Ipv6

    17 Configuring IPv6 Internet Protocol version 6 (IPv6) is the next generation of Internet Protocol version 4 (IPv4). Both versions are supported along with the ability to tunnel IPv6 traffic over IPv4. Implementing IPv6 solves the limited address problem currently facing IPv4, which provides a 32-bit address space. IPv6 increases the address space available to 128 bits.
  • Page 370 Configuring IPv6 IPv6 Defaults The following table lists the defaults for IPv6 configuration through the ip command (Description / Command / Default): Global status of IPv6 on the switch / Enabled; Interfaces / ipv6 interface / loopback; 6to4 tunnels / ipv6 interface / tunnel_6to4; Prefixes / ipv6 prefix / None; Hop Limit...
  • Page 371 Configuring IPv6 Quick Steps for Configuring IPv6 Routing Quick Steps for Configuring IPv6 Routing The following tutorial assumes that VLAN 200 and VLAN 300 already exist in the switch configuration. For information about how to configure VLANs, see Chapter 4, “Configuring VLANs.” Configure an IPv6 interface for VLAN 200 by using the ipv6 interface command.
  • Page 372 Configuring IPv6 IPv6 Overview IPv6 Overview IPv6 provides the basic functionality that is offered with IPv4 but includes the following enhancements and features not available with IPv4: • Increased IP address size—IPv6 uses a 128-bit address, a substantial increase over the 32-bit IPv4 address size.
  • Page 373 Configuring IPv6 IPv6 Overview IPv6 Addressing One of the main differences between IPv6 and IPv4 is that the address size has increased from 32 bits to 128 bits. Going to a 128-bit address also increases the size of the address space to the point where running out of IPv6 addresses is not a concern.
  • Page 374: Ipv6 Address Notation

    Configuring IPv6 IPv6 Overview IPv6 Address Notation IPv4 addresses are expressed using dotted decimal notation and consist of four eight-bit octets. If this same method was used for IPv6 addresses, the address would contain 16 such octets, thus making it difficult to manage.
  • Page 375: Autoconfiguration Of Ipv6 Addresses

    Configuring IPv6 IPv6 Overview Autoconfiguration of IPv6 Addresses This implementation of IPv6 supports the stateless autoconfiguration of link-local addresses for IPv6 VLAN and tunnel interfaces and for devices when they are connected to the switch. Stateless refers to the fact that little or no configuration is required to generate such addresses and there is no dependency on an address configuration server, such as a DHCP server, to provide the addresses.
  • Page 376: Globally Unique Local Ipv6 Unicast Addresses

    Configuring IPv6 IPv6 Overview Globally Unique Local IPv6 Unicast Addresses These addresses are intended to be routable within a limited area such as a site but not on the global Internet. Unique Local IPv6 Unicast Addresses are used in conjunction with BGP (IBGP) speakers as well as exterior BGP (EBGP) neighbors based on configured policies.
  • Page 377 Configuring IPv6 IPv6 Overview Tunneling IPv6 over IPv4 It is likely that IPv6 and IPv4 network infrastructures will coexist for some time, if not indefinitely. Tunneling provides a mechanism for transitioning an IPv4 network to IPv6 and/or maintaining interoperability between IPv4 and IPv6 networks. This implementation of IPv6 supports tunneling of IPv6 traffic over IPv4.
  • Page 378 Configuring IPv6 IPv6 Overview The following diagram illustrates the basic traffic flow between IPv6 hosts communicating over an IPv4 domain: [Diagram: two 6to4 sites, each with a 6to4 host behind an IPv6 6to4 border router, communicating across an IPv4 domain.] In the above diagram: The 6to4 hosts receive the 6to4 prefix from a Router Advertisement.
  • Page 379: Configured Tunnels

    Configuring IPv6 IPv6 Overview The following diagram illustrates the basic traffic flow between native IPv6 hosts and 6to4 sites: [Diagram: a 6to4 site (6to4 host behind an IPv6 6to4 border router) and an IPv6 site (IPv6 host behind an IPv6 router) in the IPv6 domain, connected through an IPv6/IPv4 6to4 relay router across the IPv4 domain.] In the above diagram: The 6to4 relay router advertises a route to 2002::/16 on its IPv6 router interface.
  • Page 380 Configuring IPv6 IPv6 Overview Local Proxy Neighbor Discovery (LPND) Local Proxy Neighbor Discovery (LPND) is used to isolate IPv6 nodes on the same VLAN from each other. If LPND is enabled on an IPv6 VLAN interface, a client will not learn the MAC address of any other IPv6 node reached via the switch.
  • Page 381 Configuring IPv6 Configuring an IPv6 Interface The ipv6 interface command is used to create an IPv6 interface for a VLAN or a tunnel. Note the following when configuring an IPv6 interface: • A unique interface name is required for both a VLAN and tunnel interface. •...
  • Page 382 Configuring IPv6 Configuring an IPv6 Interface Configuring a Unique Local IPv6 Unicast Address The ipv6 address global-id command is used to create a new value for the global ID. A 5-byte global ID value can be manually specified or automatically generated: ->...
  • Page 383 Configuring IPv6 Assigning IPv6 Addresses Assigning IPv6 Addresses When an IPv6 interface is created for a VLAN or a configured tunnel, an IPv6 link-local address is automatically created for that interface. This is also true when a device, such as a workstation, is connected to the switch.
  • Page 384 Configuring IPv6 Assigning IPv6 Addresses “IPv6 Addressing” on page 17-5 for an overview of IPv6 address notation. Refer to RFC 4291 for more technical address information. Removing an IPv6 Address To remove an IPv6 address from an interface, use the no form of the ipv6 address command as shown: ->...
  • Page 385 Configuring IPv6 Configuring IPv6 Tunnel Interfaces Configuring IPv6 Tunnel Interfaces There are two types of tunnels supported, 6to4 and configured. Both types facilitate the interaction of IPv6 networks with IPv4 networks by providing a mechanism for carrying IPv6 traffic over an IPv4 network infrastructure.
  • Page 386 Configuring IPv6 Creating an IPv6 Static Route Creating an IPv6 Static Route Static routes are user-defined and carry a higher priority than routes created by dynamic routing protocols. That is, if two routes have the same metric value, the static route has the higher priority. Static routes allow you to define, or customize, an explicit path to an IPv6 network segment, which is then added to the IPv6 Forwarding table.
  • Page 387: Configuring The Route Preference Of A Router

    Configuring IPv6 Configuring the Route Preference of a Router Configuring the Route Preference of a Router By default, the route preference of a router is in this order: local, static, OSPFv3, RIPng, EBGP, and IBGP (highest to lowest). Use the ipv6 route-pref command to change the route preference value of a router.
  • Page 388: Configuring Ipv6

    Configuring IPv6 Configuring Route Map Redistribution Configuring Route Map Redistribution It is possible to learn and advertise IPv6 routes between different protocols. Such a process is referred to as route redistribution and is configured using the ipv6 redist command. Redistribution uses route maps to control how external routes are learned and distributed. A route map consists of one or more user-defined statements that can determine which routes are allowed or denied access to the receiving network.
  • Page 389 Configuring IPv6 Configuring Route Map Redistribution Creating a Route Map When a route map is created, it is given a name (up to 20 characters), a sequence number, and an action (permit or deny). Specifying a sequence number is optional. If a value is not configured, then the number 50 is used by default.
  • Page 390 Configuring IPv6 Configuring Route Map Redistribution Deleting a Route Map Use the no form of the ip route-map command to delete an entire route map, a route map sequence, or a specific statement within a sequence. To delete an entire route map, enter no ip route-map followed by the route map name. For example, the following command deletes the entire route map named redistipv4: ->...
  • Page 391 Configuring IPv6 Configuring Route Map Redistribution a result, if there is no match for the tag value in sequence 10, then the match interface statement in sequence 20 is processed. However, if a route matches the tag 8 value, then sequence 20 is not used. The set statement for whichever sequence was matched is applied.
  • Page 392 Configuring IPsec Configuring Route Map Redistribution Configuring Route Map Redistribution The ipv6 redist command is used to configure the redistribution of routes from a source protocol into the destination protocol. This command is used on the IPv6 router that will perform the redistribution. Note.
  • Page 393: Configuring Local Proxy Neighbor Discovery

    Configuring IPv6 Configuring Local Proxy Neighbor Discovery Route Map Redistribution Example The following example configures the redistribution of OSPFv3 routes into a RIPng network using a route map (ospf-to-rip) to filter specific routes: -> ip route-map ospf-to-rip sequence-number 10 action deny ->...
  • Page 394: Configuring Neighbor Unreachability Detection

    Configuring IPv6 Configuring Neighbor Unreachability Detection Configuring Neighbor Unreachability Detection To specify the maximum number of neighbor solicitations to be sent during the Neighbor Unreachability Detection (NUD) process, use the ipv6 interface command with the retrans-max parameter. For example: -> ipv6 interface vlan_1 retrans-max 5 This example sets the maximum number of neighbor solicitations to 5 for the “vlan_1”...
  • Page 395: Configuring Router Advertisement Filtering

    Configuring IPv6 Configuring Router Advertisement Filtering Configuring Router Advertisement Filtering To enable Router Advertisement (RA) filtering on an interface, use the ipv6 ra-filter trusted command. For example: -> ipv6 ra-filter vlan-3 This example enables RA filtering on the “vlan-3” interface. All RAs received on the interface will be dropped. Filtering RAs on host-facing interfaces prevents a rogue or misconfigured host from advertising itself as the default router (the IPv6 counterpart of a rogue DHCP server); do not enable it on links that carry legitimate routers.
  • Page 396: Reply Or Ignore Echo Requests

    Configuring IPv6 Reply or Ignore Echo Requests Reply or Ignore Echo Requests By default, the switch will reply to all echo requests, including those sent to anycast or multicast addresses. The ipv6 echo command can be used to configure the switch to ignore echo requests sent to anycast or multicast addresses. Ignoring them is the conservative setting: a single multicast echo request otherwise elicits a reply from every member of the group, which an attacker can use to amplify traffic toward a spoofed source.
  • Page 397: Ipv6 Emp Interface

    Configuring IPv6 IPv6 EMP Interface IPv6 EMP Interface The IPv6 EMP interface is an IPv6 interface associated with the physical EMP port. Only one global unicast address can be assigned to an IPv6 EMP interface. A link-local address is assigned when the interface is first enabled and is updated together with the EMP address. If the switch has an EMP port, the IPv6 EMP interface is created even when no global unicast IPv6 address is configured, and it is assigned a link-local address derived from the MAC address of the EMP port.
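The link-local derivation described above (a modified EUI-64 interface identifier built from the port MAC) is easy to reproduce and to reverse. The following Python is an added example, not code from the manual or from ALE: it derives the fe80:: address a port will use from its MAC and recovers the MAC from such an address, which is useful when a neighbor table or a BFD session shows only link-local peers. The MAC in the sample is constructed; it is chosen so that the output has the shape of the fe80::2efa:a2ff:fe13:e402 addresses that appear later in this guide.

```python
import ipaddress
import re
from typing import Optional

LINK_LOCAL_PREFIX = b"\xfe\x80" + b"\x00" * 6   # fe80::/64, as used in the manual's examples


def _mac_bytes(mac: str) -> bytes:
    """Accept 2c:fa:a2:13:e4:02, 2C-FA-A2-13-E4-02 or 2cfa.a213.e402."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A)."""
    m = _mac_bytes(mac)
    # Flip the universal/local bit (bit 1 of the first octet) and splice
    # ff:fe between the OUI half and the device-specific half of the MAC.
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def link_local_from_mac(mac: str) -> str:
    """The link-local address a port with this MAC derives for itself."""
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + eui64_from_mac(mac)))


def mac_from_link_local(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 link-local address, or None when the
    interface identifier was not built from a MAC (for example fe80::1)."""
    packed = ipaddress.IPv6Address(addr).packed
    iid = packed[8:]
    if packed[:8] != LINK_LOCAL_PREFIX or iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)


if __name__ == "__main__":
    # Constructed sample MAC (not taken from any real device).
    print(link_local_from_mac("2c:fa:a2:13:e4:02"))      # fe80::2efa:a2ff:fe13:e402
    print(mac_from_link_local("fe80::2efa:a2ff:fe13:e402"))  # 2c:fa:a2:13:e4:02
```

Because the identifier embeds the MAC, an EUI-64 address reveals the NIC vendor to anyone on the link and makes the interface trackable across networks; hosts can use opaque identifiers (RFC 7217) instead, but for a management port the practical consequence is simply that the link-local address is predictable from the hardware address.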
  • Page 398 Configuring IPv6 IPv6 EMP Interface To configure the IPv6 EMP interface, configure the IP address and mask from the boot prompt:
    Boot > boot empipv6masklength 64
    Boot > show
    EMP IP Address : 10.200.105.21/24
    Serial (console) baud : 9600
    Serial (console) parity : none
    Serial (console) wordsize : 8
    Serial (console) stopbits : 1
    Serial (console) mode : modemControlOff...
  • Page 399: Verifying The Ipv6 Configuration

    Configuring IPv6 Verifying the IPv6 Configuration Verifying the IPv6 Configuration A summary of the show commands used for verifying the IPv6 configuration is given here: show ipv6 redist Displays the route map redistribution configuration. show ipv6 interface Displays the status and configuration of IPv6 interfaces. show ipv6 tunnel configured Displays IPv6 configured tunnel information.
  • Page 400: Chapter 18 Configuring Ipsec

    18 Configuring IPsec Internet Protocol security (IPsec) is a suite of protocols for securing IPv6 communications by authenticating and/or encrypting each IPv6 packet in a data stream. IPsec is a framework of open standards designed to provide interoperable, high quality, cryptographically-based security for IPv6 networks through the use of appropriate security protocols, cryptographic algorithms, and cryptographic keys.
  • Page 401: Ipsec Defaults

    Configuring IPsec IPsec Defaults IPsec Defaults The following table shows the default settings of the configurable IPsec parameters (parameter, command, default value/comments):
    - IPsec global status: Disabled (a license file must be present on the switch)
    - Master security key for the switch (ipsec security-key): No master security key set
    - IPsec policy priority...
  • Page 402: Quick Steps For Configuring An Ipsec Ah Policy

    Configuring IPsec Quick Steps for Configuring an IPsec AH Policy Quick Steps for Configuring an IPsec AH Policy IP Authentication Header (AH) provides data origin authentication, data integrity, and replay protection. Data integrity verifies that the contents of the datagram were not changed in transit, either deliberately or due to random errors. AH does not provide data encryption: the payload remains readable by anyone on the path, so use ESP where confidentiality is required.
  • Page 403: Quick Steps For Configuring An Ipsec Discard Policy

    Configuring IPsec Quick Steps for Configuring an IPsec Discard Policy Quick Steps for Configuring an IPsec Discard Policy IPsec can be used for discarding IPv6 traffic as well as configuring encryption and authentication. For discard policies, no rules, SAs or keys need to be defined. Define the policy.
  • Page 404: Ipsec Overview

    Configuring IPsec IPsec Overview IPsec Overview IPsec provides protection to IPv6 traffic. To achieve this, IPsec provides security services for IPv6 packets at the network layer. These services include access control, data integrity, authentication, protection against replay, and data confidentiality. IPsec enables a system to select the security protocols, encryption and authentication algorithms, and use any cryptographic keys as required.
  • Page 405: Authentication Header (Ah)

    Configuring IPsec IPsec Overview Unlike AH which only authenticates the data, ESP encrypts data and also optionally authenticates it. It provides these services by encrypting the original payload and encapsulating the packet between a header and a trailer, as shown in the figure below. 32-bit Security association identifier (SPI) Sequence Number...
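AH and ESP both carry a 32-bit sequence number that the receiver checks against a sliding window; that check is the replay protection mentioned in the AH quick steps above. The following Python implements the window as an added example (it is not OmniSwitch code and does not model the switch's internal behaviour): it follows the RFC 4303 Appendix A algorithm with a 64-packet window, and the sequence numbers fed through it are a constructed sample that exercises in-order delivery, reordering, replays and a jump beyond the window.

```python
class AntiReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 4303, Appendix A).

    Only 32-bit sequence numbers are modelled. In a real receiver the
    integrity check (ICV) must pass *before* the window is updated;
    otherwise an attacker could advance the window with forged packets
    and cause genuine ones to be rejected as "too old".
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence (highest - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is accepted, False if it is a replay or too old."""
        if seq == 0:
            return False          # the first packet on an SA uses sequence 1
        if seq > self.highest:
            # New right edge: slide the window and mark seq as received.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # jumped past the whole window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False          # left of the window: too old
        if (self.bitmap >> offset) & 1:
            return False          # already seen: replay
        self.bitmap |= 1 << offset
        return True


def filter_sequence(seqs, size: int = 64):
    """Feed a list of sequence numbers through one window; returns accept/drop per packet."""
    win = AntiReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in order, a replay of 2, reordering (5 before 4),
    # a replay of 1, a jump to 100, then packets at and beyond the window edge.
    sample = [1, 2, 3, 2, 5, 4, 1, 100, 40, 36, 37]
    for s, ok in zip(sample, filter_sequence(sample)):
        print(f"seq {s:>3}: {'accept' if ok else 'drop'}")
```

Note that 36 is dropped not because it was seen but because it falls 64 packets behind the newest accepted sequence number; on a lossy or heavily reordered path a larger window (the RFC permits any size of 32 or more) avoids discarding legitimate late packets.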
  • Page 406: Ipsec On The Omniswitch

    Configuring IPsec IPsec Overview Authentication Algorithms • HMAC-MD5 - A keyed hash (HMAC) that produces a 128-bit message digest from a message of arbitrary length and a 16-byte key. The resulting digest is used, like a fingerprint of the input, to verify content integrity and origin. It is a message authentication code, not a digital signature: anyone holding the shared key can produce a valid digest. MD5 is considered weak and HMAC-MD5 is no longer recommended for new IPsec deployments; prefer the HMAC-SHA1 or AES-XCBC-MAC options the switch supports where both peers allow it.
  • Page 407: Securing Traffic Using Ipsec

    Configuring IPsec IPsec Overview Securing Traffic Using IPsec Securing traffic using IPsec requires the following main procedures below: • Master Security Key—Used to encrypt SA keys when stored on the switch. • Policies—Determines which traffic should be processed using IPsec. •...
  • Page 408: Discarding Traffic Using Ipsec

    Configuring IPsec IPsec Overview Discarding Traffic using IPsec In order to discard IPv6 datagrams, a policy is configured in the same manner as an IPsec security policy, the difference being that the action is set to ‘discard’ instead of ‘ipsec’. A discard policy can prevent IPv6 traffic from traversing the network.
  • Page 409: Configuring Ipsec On The Omniswitch

    Configuring IPsec Configuring IPsec on the OmniSwitch Configuring IPsec on the OmniSwitch Before configuring IPsec the following security best practices should be followed: • Set the Master Security Key—This is used to encrypt SA keys when stored. • Use SSH, HTTPS, or SNMPv3 to prevent sensitive information such as SA keys from being sent in the clear.
  • Page 410: Configuring An Ipsec Policy

    Configuring IPsec Configuring IPsec on the OmniSwitch The above command replaces the old security key with the new key value. The old key value must be entered to modify an existing key. If an incorrect old key value is entered, then setting the new key will fail.
  • Page 411: Enabling And Disabling A Policy

    Configuring IPsec Configuring IPsec on the OmniSwitch Use the no form of the command to remove the configured IPsec policy. For example: -> no ipsec policy tcp_in Enabling and Disabling a Policy You can administratively enable or disable the configured security policy by using the keywords admin-state enable/disable after the command as shown below: ->...
  • Page 412: Assigning An Action To A Policy

    Configuring IPsec Configuring IPsec on the OmniSwitch Assigning an Action to a Policy To define what action will be performed on the traffic specified in the security policy, you can use the following parameters: • discard - Discards the IPv6 packets. •...
  • Page 413: Configuring An Ipsec Rule

    Configuring IPsec Configuring IPsec on the OmniSwitch
    -> show ipsec policy tcp_in
    Name = tcp_in
    Priority = 500
    Source = 3ffe:1:1:1::99
    Destination = 3ffe:1:1:1::1
    Protocol = TCP
    Direction = in
    Action = ipsec
    State = active
    Rules: 1 : esp
    Description: IPsec on all inbound TCP
    Configuring an IPsec Rule...
  • Page 414: Configuring An Ipsec Sa

    Configuring IPsec Configuring IPsec on the OmniSwitch Configuring an IPsec SA IPsec Security Association (SA) is a set of security information that describes a particular kind of secure connection between two devices. An SA specifies the actual IPsec algorithms applied to the IPv6 traffic (e.g.
  • Page 415: Verifying Ipsec Sa

    Configuring IPsec Configuring IPsec on the OmniSwitch -> ipsec sa tcp_in_ah esp source 3ffe:1:1:1::99 destination 3ffe:1:1:1::1 spi 9901 encryption aes-cbc key-size 192 The above command configures an IPsec SA of ESP using aes-cbc and a key length of 192 bits. You can allow an IPsec SA to operate as an ESP confidentiality-only SA by using the none option with the authentication parameter or by simply omitting the authentication parameter from the command. Avoid confidentiality-only SAs in practice: ESP with encryption but no integrity protection leaves the ciphertext malleable, so an attacker can flip bits in or splice packets without detection, and replay protection is only meaningful when the integrity check is present. Configure an authentication algorithm on every ESP SA.
  • Page 416 Configuring IPsec Configuring IPsec on the OmniSwitch Authentication algorithm key lengths:
    - HMAC-SHA1: 160 bits
    - AES-XCBC-MAC: 128 bits
    Use the following information to determine how to create the proper key size: • Number of Characters = Key Size (in bits) / 8; for example, a 160-bit key requires 20 characters. Generate keys from a cryptographic random source rather than choosing a memorable string: a 20-character key made of words carries far less than 160 bits of entropy, and the SAs here are keyed manually, so a guessed key is never rotated away.
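A helper for the key-sizing rule just given, as an added example rather than anything from the manual: it computes the character count for each algorithm, flags keys of the wrong length or with suspiciously few distinct characters, and generates keys from the operating system's CSPRNG. The HMAC-SHA1 and AES-XCBC-MAC sizes come from the table above and the 16-byte HMAC-MD5 key from the overview; the AES-CBC sizes (128, 192, 256) are an assumption extrapolated from the key-size 192 example and should be checked against the ipsec sa command reference.

```python
import secrets
import string
from typing import List, Optional

# Key lengths in bits. HMAC-SHA1 and AES-XCBC-MAC are from the manual's table,
# HMAC-MD5's 16-byte key from the overview; the AES-CBC list is an assumption.
KEY_BITS = {
    "hmac-sha1": (160,),
    "aes-xcbc-mac": (128,),
    "hmac-md5": (128,),
    "aes-cbc": (128, 192, 256),
}

# Letters and digits only: about 5.95 bits of entropy per character and no
# quoting surprises when the key is pasted into the CLI.
ALPHABET = string.ascii_letters + string.digits


def required_chars(algorithm: str, key_size_bits: Optional[int] = None) -> int:
    """Number of key characters the switch expects: key size (bits) / 8."""
    sizes = KEY_BITS[algorithm.lower()]
    bits = sizes[0] if key_size_bits is None else key_size_bits
    if bits not in sizes:
        raise ValueError(f"{algorithm} does not take a {bits}-bit key; choose from {sizes}")
    return bits // 8


def check_key(algorithm: str, key: str, key_size_bits: Optional[int] = None) -> List[str]:
    """Return the problems found with a key; an empty list means it is usable."""
    need = required_chars(algorithm, key_size_bits)
    problems = []
    if len(key) != need:
        problems.append(f"length is {len(key)} characters, {algorithm} needs exactly {need}")
    # A random key of length n drawn from 62 symbols has far more than n/2
    # distinct characters; a password-like string often does not.
    if len(set(key)) < need // 2:
        problems.append("very few distinct characters: looks like a password, not a random key")
    return problems


def generate_key(algorithm: str, key_size_bits: Optional[int] = None) -> str:
    """A key of the right length drawn from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(required_chars(algorithm, key_size_bits)))


if __name__ == "__main__":
    for alg, bits in (("hmac-sha1", None), ("aes-xcbc-mac", None), ("aes-cbc", 192)):
        key = generate_key(alg, bits)
        print(f"{alg:<13} {len(key):>2} chars  {key}  problems={check_key(alg, key, bits)}")
    # Constructed weak key: one character short and clearly human-chosen.
    print(check_key("hmac-sha1", "secret-key-12345678"))
```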
  • Page 417 Configuring IPsec Configuring IPsec on the OmniSwitch Once IPsec is configured for IPv6 on the switch, you can monitor the incoming and outgoing packets for the configured parameters by using the show ipsec ipv6 statistics command. -> show ipsec ipv6 statistics Inbound: Successful = 2787...
  • Page 418: Enabling And Disabling Default Discard Policy

    Configuring IPsec Configuring IPsec on the OmniSwitch Enabling and Disabling Default Discard Policy A default discard IPsec policy drops all the inbound traffic that does not match an IPsec policy. On its own this policy drops all incoming traffic destined for the switch, so the higher-priority policies that permit the desired traffic (management sessions, routing protocol neighbors) must be added and verified before the default discard policy is enabled, or the switch will cut off its own management access.
  • Page 419: Additional Examples

    Configuring IPsec Additional Examples Additional Examples Configuring ESP The example below shows the commands for configuring ESP between two OmniSwitches for all TCP traffic. [Figure: ESP Between Two OmniSwitches; Switch A, IPv6 address 3ffe::100; Switch B, IPv6 address 3ffe::200] Switch A ->...
  • Page 420 Configuring IPsec Additional Examples Switch B
    -> ipsec security-key master-key-12345
    -> ipsec policy tcp_out source 3ffe::200 destination 3ffe::100 protocol tcp out ipsec description “IPsec on TCP to 100”
    -> ipsec policy tcp_in source 3ffe::100 destination 3ffe::200 protocol tcp in ipsec description “IPsec on TCP from 100”
    ->...
  • Page 421: Discarding Ripng Packets

    Configuring IPsec Additional Examples Discarding RIPng Packets RIPng uses the well-known address ff02::9 to advertise routes. The following example shows how IPsec can be configured to drop all RIPng packets. [Figure: Discarding RIPng Packets; Switch A, link-local fe80::100; Switch B, link-local fe80::200] Switch A ->...
  • Page 422: Verifying Ipsec Configuration

    Configuring IPsec Verifying IPsec Configuration Verifying IPsec Configuration To display information such as details about manually configured IPsec Security Associations and other IPsec parameters configured on the switch, use the show commands listed in the following table: show ipsec sa Displays information about manually configured IPsec SAs.
  • Page 423: Chapter 19 Configuring Rip

    19 Configuring RIP Routing Information Protocol (RIP) is a widely used Interior Gateway Protocol (IGP) that uses hop count as its routing metric. RIP-enabled routers update neighboring routers by transmitting a copy of their own routing table. The RIP routing table uses the most efficient route to a destination, that is, the route with the fewest hops and longest matching prefix.
  • Page 424: Rip Defaults

    Configuring RIP RIP Defaults RIP Defaults The following table lists the defaults for RIP configuration through the ip rip command (description, command, default):
    - RIP Status (ip rip admin-state): disable
    - RIP Forced Hold-Down Interval (ip rip force-holddowntimer)
    - RIP Update Interval (ip rip update-interval): 30 seconds
    - RIP Invalid Timer (ip rip invalid-timer)...
  • Page 425: Quick Steps For Configuring Rip Routing

    Configuring RIP Quick Steps for Configuring RIP Routing Quick Steps for Configuring RIP Routing To forward packets to a device on a different VLAN, you must create a router interface on each VLAN. To route packets by using RIP, you must enable RIP and create a RIP interface on the router interface. The following steps show you how to enable RIP routing between VLANs “from scratch”.
  • Page 426: Rip Overview

    Configuring RIP RIP Overview RIP Overview In switching, traffic can be transmitted from one media type to another within the same VLAN. Switching happens at Layer 2, the link layer; routing happens at Layer 3, the network layer. In IP routing, traffic can be transmitted across VLANs. When IP routing is enabled, the switch uses routing protocols to build...
  • Page 427: Rip Version 2

    Configuring RIP RIP Overview RIP Version 2 RIP version 2 (RIPv2) adds capabilities to RIP. Not all RIPv2 enhancements are compatible with RIPv1. To avoid supplying information to RIPv1 routers that could be misinterpreted, RIPv2 uses its non-compatible features only when its packets are multicast, which RIPv1 routers do not receive. On interfaces that are not compatible with IP multicast, the RIPv1-compatible packets used do not contain potentially confusing information.
  • Page 428: Rip Routing

    Configuring RIP RIP Routing RIP Routing IP routing requires IP router interfaces to be configured on VLANs and a routing protocol to be enabled and configured on the switch. RIP also requires a RIP interface to be created and enabled on the routing interface.
  • Page 429: Enabling Rip

    Configuring RIP RIP Routing Enabling RIP RIP is disabled by default. Use the ip rip admin-state command to enable RIP routing on the switch. For example: -> ip rip admin-state enable Use the ip rip admin-state disable command to disable RIP routing on the switch. Use the show ip rip command to display the current RIP status.
  • Page 430: Configuring The Rip Interface Receive Option

    Configuring RIP RIP Routing • v2. Only RIPv2 packets are sent by the switch. • v1compatible. Only RIPv2 broadcast packets (not multicast) are sent by the switch. • none. The interface does not forward RIP packets. To set the default RIP send option use the ip rip interface send-version command. Use the show ip rip interface command to display the current interface send option.
  • Page 431: Rip Options

    Configuring RIP RIP Options Configuring the RIP Interface Route Tag Use the ip rip route-tag command to configure a route tag value for routes generated by the RIP interface. This value is used to set priorities for RIP routing and is carried in RIPv2 updates, where route maps can match on it to select routes for redistribution. Enter the command and the route tag value. For example, to set a route tag value of 1 you would enter: ->...
  • Page 432: Configuring The Rip Invalid Timer

    Configuring RIP RIP Options Configuring the RIP Invalid Timer The RIP invalid timer value defines the time interval, in seconds, during which a route remains active in the Routing Information Base (RIB) before it is moved to the invalid state. This timer value must be at least three times the update interval value.
  • Page 433: Enabling A Rip Host Route

    Configuring RIP RIP Options Enabling a RIP Host Route A host route is a route to a single host address, as opposed to a network route, which is a route to a whole network. Enabling it lets the switch reach a directly attached host without a learned RIP route. If a switch is directly attached to a host on a network, use the ip rip host-route command to enable a default route to the host.
  • Page 434: Configuring Redistribution

    Configuring RIP Configuring Redistribution Configuring Redistribution It is possible to configure the RIP protocol to advertise routes learned from other routing protocols into the RIP network. Such a process is referred to as route redistribution and is configured using the ip redist command.
  • Page 435 Configuring RIP Configuring Redistribution Creating a Route Map When a route map is created, it is given a name (up to 20 characters), a sequence number, and an action (permit or deny). Specifying a sequence number is optional. If a value is not configured, then the number 50 is used by default.
  • Page 436 Configuring RIP Configuring Redistribution To delete a specific sequence number within a route map, enter no ip route-map followed by the route map name, then sequence-number followed by the actual number. For example, the following command deletes sequence 10 from the redistipv4 route map: ->...
  • Page 437 Configuring RIP Configuring Redistribution -> ip route-map rm_1 sequence-number 10 action permit -> ip route-map rm_1 sequence-number 10 match tag 5 -> ip route-map rm_1 sequence-number 10 match tag 8 The following route map sequence redistributes a route if the route has a tag of 8 or 5 and the route was learned on the IPv4 interface to-finance: ->...
  • Page 438 Configuring RIP Configuring Redistribution RIP routes received by the router interface are processed based on the contents of the ospf-to-rip route map. Routes that match criteria specified in this route map are either allowed or denied redistribution into the RIP network. The route map can also specify the modification of route information before the route is redistributed.
  • Page 439 Configuring RIP Configuring Redistribution Route Map Redistribution Example The following example configures the redistribution of OSPF routes into a RIP network using a route map (ospf-to-rip) to filter specific routes: -> ip route-map ospf-to-rip sequence-number 10 action deny -> ip route-map ospf-to-rip sequence-number 10 match tag 5 ->...
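Route-map evaluation follows the same rules in the IPv6 (page 391) and RIP (page 437) sections above: sequences are tried in ascending order, the first matching sequence decides, match statements of the same type within a sequence are ORed while different types are ANDed, and only the matched sequence's set statements apply. The following Python is an added model of those rules, not switch code: it builds a route map in the style of the ospf-to-rip and rm_1 examples and evaluates constructed sample routes against it. The implicit deny for a route that matches no sequence is an assumption; the manual does not state it.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Sequence:
    number: int
    action: str                                              # "permit" or "deny"
    matches: Dict[str, list] = field(default_factory=dict)   # match type -> accepted values
    sets: Dict[str, object] = field(default_factory=dict)    # attribute -> value applied on permit

    def matches_route(self, route: dict) -> bool:
        # Several "match tag" statements in one sequence are ORed; statements of
        # different types (tag vs. interface) are ANDed. No match statements at
        # all means the sequence matches every route.
        return all(route.get(kind) in values for kind, values in self.matches.items())


@dataclass
class RouteMap:
    name: str
    sequences: Dict[int, Sequence] = field(default_factory=dict)

    def sequence(self, number: int, action: str) -> Sequence:
        return self.sequences.setdefault(number, Sequence(number, action))

    def match(self, number: int, kind: str, value) -> None:
        self.sequences[number].matches.setdefault(kind, []).append(value)

    def set_attr(self, number: int, attr: str, value) -> None:
        self.sequences[number].sets[attr] = value

    def evaluate(self, route: dict) -> Tuple[bool, dict]:
        """Walk sequences in ascending order; the first one that matches decides.
        Returns (permitted, route after the matched sequence's set statements)."""
        for seq in sorted(self.sequences.values(), key=lambda s: s.number):
            if seq.matches_route(route):
                if seq.action == "deny":
                    return False, dict(route)
                out = dict(route)
                out.update(seq.sets)
                return True, out
        # Assumption: a route matching no sequence is denied, as on most platforms.
        return False, dict(route)


def build_example_map() -> RouteMap:
    """Constructed route map in the style of the page's ospf-to-rip / rm_1 examples."""
    rm = RouteMap("ospf-to-rip")
    rm.sequence(10, "deny")
    rm.match(10, "tag", 5)                          # drop anything tagged 5
    rm.sequence(20, "permit")
    rm.match(20, "tag", 8)                          # tag 8 OR tag 9 ...
    rm.match(20, "tag", 9)
    rm.match(20, "ipv4-interface", "to-finance")    # ... AND learned on to-finance
    rm.set_attr(20, "metric", 2)                    # applied only when sequence 20 matches
    return rm


if __name__ == "__main__":
    rm = build_example_map()
    # Constructed sample routes: prefix, tag and the interface they were learned on.
    for r in ({"prefix": "10.1.0.0/16", "tag": 5, "ipv4-interface": "to-finance"},
              {"prefix": "10.2.0.0/16", "tag": 8, "ipv4-interface": "to-finance"},
              {"prefix": "10.3.0.0/16", "tag": 9, "ipv4-interface": "to-hr"},
              {"prefix": "10.4.0.0/16", "tag": 3, "ipv4-interface": "to-finance"}):
        print(r["prefix"], rm.evaluate(r))
```

The tag-5 route is denied by sequence 10 even though it was learned on to-finance, because sequence 20 is never consulted once an earlier sequence matches; the tag-9 route learned on to-hr satisfies the tag match but not the interface match, so the AND across types fails and the route falls through to the implicit deny.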
  • Page 440: Rip Security

    Configuring RIP RIP Security RIP Security By default, no authentication is used for RIP. However, you can configure a password for a RIP interface. To configure a password, you must first select the authentication type (simple or MD5), and then configure a password. Simple authentication sends the password in clear text in every update, so it only guards against accidental peering; MD5 authentication sends a keyed digest instead of the password and is the option to use wherever the neighbors support it.
  • Page 441: Verifying The Rip Configuration

    Configuring RIP Verifying the RIP Configuration Verifying the RIP Configuration A summary of the show commands used for verifying the RIP configuration is given here: show ip rip Displays the RIP status and general configuration parameters (e.g., forced hold-down timer). show ip rip routes Displays the RIP routing database.
  • Page 442: Chapter 20 Configuring Bfd

    20 Configuring BFD An increasingly important requirement of networking equipment is to rapidly detect communication failures between network systems to quickly establish alternative paths and reduce network convergence time. Data link hardware such as SONET alarms makes failure detection fairly easy and quick. However, some media, such as Ethernet, do not support such signaling, and some media cannot detect certain kinds of failures in the path, such as failing interfaces or forwarding engine components.
  • Page 443: Bfd Defaults

    Configuring BFD BFD Defaults BFD Defaults The following table shows the default settings for the configurable global BFD parameters (parameter, command, default value/comments):
    - BFD global status for the switch (ip bfd admin-state): Disabled
    - Global transmit time interval for BFD control packets (ip bfd transmit): 300 milliseconds...
  • Page 444 Configuring BFD BFD Defaults (parameter, command, default value/comments, continued):
    - BFD session status with all OSPF or OSPFv3 neighbors of the corresponding interface which are in a state greater than or equal to “2-way” (ip ospf interface bfd-state all-neighbors / ipv6 ospf interface bfd-state all-neighbors): Enabled
    - BFD status for the IPv4 or IPv6 PIM (ip pim bfd-state): Disabled...
  • Page 445: Quick Steps For Configuring Bfd

    Configuring BFD Quick Steps for Configuring BFD Quick Steps for Configuring BFD Configuring BFD involves: • Optional: Configuring BFD explicitly on the IP interfaces. • Configuring Layer 3 protocols to use BFD (see “Quick Steps for Configuring BFD Support for Layer 3 Protocols”...
  • Page 446 Configuring BFD Quick Steps for Configuring BFD Optional Configure the session detection time multiplier value for a specific BFD session using the ip|ipv6 bfd interface multiplier command. For example: -> ip bfd interface bfd-vlan-101 multiplier 5 -> ipv6 bfd interface bfd-vlan-201 multiplier 5 Optional Configure the global BFD echo packet time interval using the ip bfd echo-interval...
  • Page 447: Quick Steps For Configuring Bfd Support For Layer 3 Protocols

    Configuring BFD Quick Steps for Configuring BFD -> show ipv6 bfd interfaces bfd-intf3 Interface Name = bfd-intf3 Interface IP Address = fe80::2efa:a2ff:fe13:e402, Admin Status = Disabled, Desired Transmit Interval = 300, Minimum Receive Interval = 300, Detection Time Multiplier = 3, Minimum Echo Receive Interval = 300, Authentication Present...
  • Page 448 Configuring BFD Quick Steps for Configuring BFD -> ip isis vlan 10 bfd-state enable -> ip isis bfd-state all-vlans enable Configuring BFD Support for OSPF Register OSPF with the BFD protocol using the ip ospf bfd-state command. For example: -> ip ospf bfd-state enable Enable BFD session on a specific OSPF interface using the ip ospf interface bfd-state command or on...
  • Page 449 Configuring BFD Quick Steps for Configuring BFD Enable BFD for a specific IPv6 PIM interface using the ipv6 pim interface bfd-state command or for all IPv6 PIM interfaces using the ipv6 pim bfd-state all-interfaces command. For example: -> ipv6 pim interface pimInt1 bfd-state enable ->...
  • Page 450: Configuring Bfd Support For Vrrp Track Policies

    Configuring BFD Quick Steps for Configuring BFD • BFD is enabled for the interface on which the gateway address exists. • If multiple routes are configured with the same gateway address, only one BFD session is run. Note. To display the IPv6 static routes on which BFD is enabled use the show ipv6 router database command along with the protocol static option as shown below: ->...
  • Page 451: Bfd Overview

    Configuring BFD BFD Overview BFD Overview Detecting communication failures as soon as possible is the first step in any network recovery process; until a failure is detected, network convergence can’t begin. By rapidly detecting failures, BFD enables faster convergence of routing protocols particularly on shared media such as Ethernet. The BFD protocol is very similar to the widely-used Hello mechanisms prevalent in a majority of routing protocols, with the exception that BFD tests bidirectional communication links, has smaller packets, and is focused exclusively on path-failure detection.
  • Page 452: Operational Mode And Echo Function

    Configuring BFD BFD Overview If a system stops receiving the packets within the predetermined time frame, some component in the bidirectional path to that particular system is assumed to have failed, and the BFD system simply informs its client protocol that a failure has occurred. It does this by sending rapid failure detection notices to the registered routing protocols in the local router, which initiate route table recalculation, accelerating routing convergence and improving network uptime.
  • Page 453: Bfd Session Establishment

    Configuring BFD BFD Overview implementation of BFD for IPv4 routing protocols (BGP, OSPF, VRRP Remote Tracking, and static routes) carries BFD control packets in UDP datagrams with destination port 3784 and a source port in the range 49152 to 65535. Note.
  • Page 454: Bfd Timer Negotiation

    Configuring BFD BFD Overview Demultiplexing Each BFD session must be able to uniquely identify itself and received BFD packets among the myriad of BFD sessions that are running. Each BFD peer must choose an identifying and unique discriminator value. This value is sent in the “My Discriminator” field of the BFD control packet, and is reflected back in the “Your Discriminator”...
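The timer negotiation summarised in this overview determines how quickly a failure is noticed. The following Python is an added worked example, not OmniSwitch code: it computes, for asynchronous mode, the local transmit interval and detection time from both sides' advertised timers as RFC 5880 specifies (each side sends no faster than its peer is willing to receive, and declares the session down after the peer's multiplier times the peer's transmit interval), and shows when a constructed packet-arrival trace triggers that declaration. With the switch defaults of 300 ms and a multiplier of 3 the detection time is 900 ms. Echo-mode detection, which this platform uses for static routes, is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BfdTimers:
    """What one side advertises in its control packets (RFC 5880 terms), in ms."""
    desired_min_tx: int     # "Desired Transmit Interval" in show ip bfd interfaces
    required_min_rx: int    # "Minimum Receive Interval"
    detect_mult: int        # "Detection Time Multiplier"


def negotiate(local: BfdTimers, remote: BfdTimers) -> Tuple[int, int]:
    """Asynchronous mode, seen from the local side (RFC 5880 sections 6.8.2 and 6.8.4).

    Returns (interval at which the local side sends control packets,
             detection time after which the local side declares the session down).
    """
    # A side may never send faster than its peer is willing to receive.
    tx_interval = max(local.desired_min_tx, remote.required_min_rx)
    # The peer sends at max(remote.desired_min_tx, local.required_min_rx); the
    # local side tolerates remote.detect_mult consecutive misses at that rate.
    remote_tx_interval = max(remote.desired_min_tx, local.required_min_rx)
    detection_time = remote.detect_mult * remote_tx_interval
    return tx_interval, detection_time


def time_declared_down(arrivals: List[int], detection_time: int) -> Optional[int]:
    """Given arrival times (ms) of the peer's control packets, return the instant
    at which the local side declares the session down, or None if no gap between
    consecutive packets exceeded the detection time."""
    for prev, nxt in zip(arrivals, arrivals[1:]):
        if nxt - prev > detection_time:
            return prev + detection_time
    return None


# Defaults from the BFD Defaults table above: 300 ms intervals, multiplier 3.
OMNISWITCH_DEFAULTS = BfdTimers(desired_min_tx=300, required_min_rx=300, detect_mult=3)

if __name__ == "__main__":
    print(negotiate(OMNISWITCH_DEFAULTS, OMNISWITCH_DEFAULTS))    # (300, 900)
    # A peer that only accepts 500 ms packets drags a 100 ms sender down to 500 ms.
    fast_local = BfdTimers(desired_min_tx=100, required_min_rx=100, detect_mult=3)
    slow_peer = BfdTimers(desired_min_tx=300, required_min_rx=500, detect_mult=5)
    print(negotiate(fast_local, slow_peer))                         # (500, 1500)
    # Constructed arrival trace: steady 300 ms, then the peer goes quiet.
    print(time_declared_down([0, 300, 600, 900, 2000], 900))       # 1800
```

The asymmetry matters operationally: lowering only your own transmit interval does nothing if the peer's Minimum Receive Interval is high, and the detection time you get is governed by the peer's multiplier and transmit rate, not yours.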
  • Page 455: Configuring Bfd

    Configuring BFD Configuring BFD Configuring BFD Configuring BFD for your network requires the following approach: Optional: Configure a BFD session and related session parameter values. Once configured, enable all participating BFD sessions before configuring BFD interoperability with the supported Layer 3 protocols. “Configuring BFD Session Parameters”...
  • Page 456: Configuring The Bfd Transmit Time Interval

    Configuring BFD Configuring BFD Note. The BFD interface session must be associated with an existing IPv4 or IPv6 interface that is configured with an IPv4 or IPv6 address. Configuring the BFD Transmit Time Interval The transmit time interval is the minimum amount of time that BFD waits between successive transmissions of control packets.
  • Page 457: Configuring The Bfd Multiplier

    Configuring BFD Configuring BFD back to the sender without processing them through its forwarding path. If the sender does not receive several continuous echo packets from its peer, the BFD session is declared down. To change the default value of the global BFD echo packet time interval, use the ip bfd echo-interval command.
  • Page 458 Configuring BFD Configuring BFD The above command disables BFD globally on the routing instance. Note that disabling BFD does not remove the existing BFD configuration from the routing instance. Also, when BFD is globally disabled, all BFD functionality is disabled for the routing instance, but configuring BFD is still allowed. To enable a BFD session, use the ip|ipv6 bfd interface admin-state command.
  • Page 459: Configuring Bfd Support For Layer 3 Protocols

    Configuring BFD Configuring BFD Detection Time Multiplier = 3, Minimum Echo Receive Interval = 300, Authentication Present = No, Oper Status = UP -> show ipv6 bfd interfaces bfd-intf3 Interface Name = bfd-intf3 Interface IP Address = fe80::2efa:a2ff:fe13:e402, Admin Status = Disabled, Desired Transmit Interval = 300,...
  • Page 460 Configuring BFD Configuring BFD -> show ip bgp Admin Status = disabled, Operational Status = down, Autonomous System Number = 1, BGP Router Id = 0.0.0.0, Confederation Identifier = 0, IGP Synchronization Status = disabled, Minimum AS Origin Interval (seconds) = 15, Default Local Preference = 100, Route Reflection...
  • Page 461 Configuring BFD Configuring BFD -> show ipv6 bgp neighbors Legends: Nbr = Neighbor = Autonomous System Nbr address Admin state Oper state BGP Id Up/Down Status ------------------------+----+-----------+-----------+--------+-----------+-------- 2001:100:3:4::1 enabled established 11.4.0.1 01h:42m:08s enabled fe80::200:57ff:fe28:7e89 10 enabled established 11.5.0.1 01h:40m:58s disabled Use the show ip|ipv6 bfd sessions command to view BFD sessions with all BFD neighbors.
  • Page 462 Configuring BFD Configuring BFD Configuring BFD Support for IS-IS BFD support for IS-IS is configured on a VLAN basis and is applied to all IPv4 and IPv6 interfaces associated with the VLAN. A single IS-IS adjacency covers both IPv4 and IPv6 interfaces, but the interfaces are treated independently within the adjacency.
  • Page 463 Configuring BFD Configuring BFD L1 Psnp-Auth Check : Enabled L2 Hello-Auth Check : Enabled L2 Csnp-Auth Check : Enabled L2 Psnp-Auth Check : Enabled Multi-Topology : Disabled Auto-Configuration : Disabled Area Address : None BFD Status : Disabled Once IS-IS is registered with BFD at the protocol level, enable BFD on the participating IS-IS VLANs using the ip isis vlan bfd-state command.
  • Page 464 Configuring BFD Configuring BFD Configuring BFD Support for OSPF The steps below show how to configure and verify BFD support for OSPF and OSPFv3, so that OSPF and OSPFv3 are registered protocols with BFD and receive forwarding path detection failure messages from BFD.
  • Page 465 Configuring BFD Configuring BFD -> show ipv6 ospf Status = Enabled, Router ID = 30.1.1.2, # Areas = 1, # Interfaces = 3, Area Border Router = No, AS Border Router = No, External Route Tag = 0, SPF Hold (seconds) = 10, SPF Delay (seconds) = 5,...
  • Page 466 Configuring BFD Configuring BFD -> show ipv6 ospf interface IPv6 Admin Intf Intf Intf Name DR Router ID BDR Router ID Status Status Type State Status ----------+-------------+--------------+---------+------+------+-------+-------- vlan-2071 5.5.5.5 0.0.0.0 Enabled BCAST Enabled vlan-2055 7.7.7.7 5.5.5.5 Enabled BCAST Enabled vlan-2056 7.7.7.7 5.5.5.5 Enabled...
  • Page 467 Configuring BFD Configuring BFD -> show ipv6 bfd sessions Legends: Neg. = Negotiated Discr = Discriminator Intvl = Interval (in milliseconds) Local Interface Neighbor State Remote Neg. Rx Neg. Tx EchoRx Discr Name Address Discr Intvl Intvl Intvl ------+---------+-------------------------+-------+-------+-------+-------+-------- bfd-intf3 fe80::2efa:a2ff:fe13:e402 To view a BFD session with a particular neighbor, use the show ip|ipv6 bfd sessions command followed...
  • Page 468 Configuring BFD Configuring BFD To associate BFD with the PIM protocol and to change the default BFD status for the PIM protocol, register IPv4 or IPv6 PIM with BFD at the protocol level using the ip pim bfd-state or the ipv6 pim bfd- state command.
  • Page 469 Configuring BFD Configuring BFD ASM Fast Join = disabled, SSM Fast Join = disabled, BIDIR Fast Join = disabled, BIDIR SSM Compatibility = disabled Register Rate Limit = 100 -> show IPv6 pim dense Status = enabled, Source Lifetime = 210, State Refresh Interval = 60, State Refresh Limit Interval = 0,...
  • Page 470 Configuring BFD Configuring BFD -> show ip bfd interfaces Interface Admin Min Rx Min EchoRx Detect OperStatus Name Status Interval Interval Interval Multiplier ---------+--------+---------+---------+----------+----------+---------- bfd-intf1 enabled bfd-intf2 enabled -> show ipv6 bfd interfaces Interface Admin Min Rx Min EchoRx Detect Oper Name Status...
  • Page 471 Configuring BFD Configuring BFD Interface IP Address = fe80::2efa:a2ff:fe13:e403, Source UDP Port = 49152, State = UP, Session Operating Mode = ECHO only, Remote discriminator = 0, Negotiated Tx interval = 0, Negotiated Rx interval = 0, Echo Rx interval = 300, Multiplier = 3,...
  • Page 472: Configuring Bfd Support For Static Routes

    Configuring BFD Configuring BFD VRRP BFD-STATUS : Enabled Admin Adv. VRID VLAN IPv6 Address(es) Status Priority Preempt Accept Interval ----+----+--------------------------+--------+--------+-------+------+-------- fe80::200:5eff:fe00:201 Enabled 1010::30 fe80::200:5eff:fe00:202 Enabled 1020::30 Once VRRP is registered with BFD at the protocol level, enable BFD for a particular VRRP address tracking policy using the vrrp track command.
  • Page 473 Configuring BFD Configuring BFD -> ipv6 static-route 195:35::/64 gateway fe80::2d0:95ff:fe12:f470 bfd-state enable Note. Static routes support BFD in the echo-only operational mode. The above commands enable BFD support for an IPv4 static route (destination IP address 10.1.1.1, destination network mask 255.0.0.0, and gateway address 10.1.1.25) and an IPv6 static route (destination IPv6 prefix 195:35::/64 and gateway address fe80::2d0:95ff:fe12:f470).
  • Page 474: Bfd Application Example

    Configuring BFD BFD Application Example BFD Application Example This section provides an example network configuration in which BFD is associated with the OSPF protocol running on the network. In addition, a tutorial is also included that provides steps on how to configure the example network topology using the Command Line Interface (CLI).
  • Page 475 Configuring BFD BFD Application Example Step 1: Prepare the Routers The first step is to create the VLANs on each router, add an IP interface to the VLAN, assign a port to the VLAN, and assign a router identification number to the routers. For the backbone connection, the network design in this case uses slot 2, port 1 as the egress port and slot 2, port 2 as ingress port on each router.
  • Page 476 Configuring BFD BFD Application Example • VLAN 12 handles the backbone connection from Router 1 to Router 2, using the IP router port 12.0.0.2 and physical port 2/1. • VLAN 23 handles the backbone connection from Router 2 to Router 3, using the IP router port 23.0.0.2 and physical port 2/2.
  • Page 477 Configuring BFD BFD Application Example Step 4: Configure OSPF Interfaces Next, OSPF interfaces must be created, enabled, and assigned to area 0.0.0.1. The OSPF interfaces should have the same interface name as the IP router interfaces created above in “Step 1: Prepare the Routers” on page 20-34.
  • Page 478 Configuring BFD BFD Application Example -> ip bfd interface vlan-10 -> ip bfd interface vlan-10 admin-state enable Router 2 -> ip bfd interface vlan-12 -> ip bfd interface vlan-12 admin-state enable -> ip bfd interface vlan-23 -> ip bfd interface vlan-23 admin-state enable ->...
  • Page 479 Configuring BFD BFD Application Example Step 8: Examine the Network After the network has been created, use the following show commands to check various aspects of the example network: • To verify the configured BFD status on routers, use the show ip bfd command.
  • Page 480: Verifying The Bfd Configuration

    Configuring BFD Verifying the BFD Configuration Verifying the BFD Configuration To display information such as the BFD status for different session parameters and Layer 3 protocols, use the show commands listed in the following table: show ip bfd Displays the global BFD configuration for the routing instance. show ip|ipv6 bfd interfaces Displays the BFD interface configuration for the switch.
  • Page 481: Chapter 21 Configuring Dhcp Relay

    21 Configuring DHCP Relay The User Datagram Protocol (UDP) is a connectionless transport protocol that runs on top of IP networks. The DHCP Relay allows you to use nonroutable protocols (such as UDP) in a routing environment. UDP is used for applications that do not require the establishment of a session and end-to-end error checking. Email and file transfer are two applications that could use UDP.
  • Page 482: Dhcp Relay Defaults

    Configuring DHCP Relay DHCP Relay Defaults The following table describes the default values of the DHCP Relay parameters (columns: Parameter Description, Command, Default Value/Comments): Default UDP service (ip udp relay service) - BOOTP/DHCP; Forward delay time value for DHCP Relay (ip helper forward-delay) - 3 seconds; Maximum number of hops...
  • Page 483: Quick Steps For Setting Up Dhcp Relay

    Configuring DHCP Relay Quick Steps for Setting Up DHCP Relay Quick Steps for Setting Up DHCP Relay You must configure DHCP Relay on switches where packets are routed between IP networks. There is no separate command for enabling or disabling the relay service. DHCP Relay is automatically enabled on the switch whenever a DHCP server IP address is defined.
  • Page 484: Dhcp Relay Overview

    Configuring DHCP Relay DHCP Relay Overview DHCP Relay Overview The DHCP Relay service, its corresponding port numbers, and configurable options are as follows: • DHCP Relay Service: BOOTP/DHCP • UDP Port Numbers 67/68 for Request/Response • Configurable options: DHCP server IP address, Forward Delay, Maximum Hops, Forwarding Option, automatic switch IP configuration The port numbers indicate the destination port numbers in the UDP header.
  • Page 485: Dhcp

    Configuring DHCP Relay DHCP Relay Overview DHCP DHCP (Dynamic Host Configuration Protocol) provides a framework for passing configuration information to Internet hosts on a TCP/IP network. It is based on the Bootstrap Protocol (BOOTP), adding the ability to automatically allocate reusable network addresses and additional configuration options. DHCP consists of the following two components: •...
  • Page 486: External Dhcp Relay Application

    Configuring DHCP Relay DHCP Relay Overview External DHCP Relay Application The DHCP Relay can be configured on a router that is external to the switch. In this application example the switched network has a single VLAN configured with multiple segments. All of the network hosts are DHCP-ready, meaning they obtain their network address from the DHCP server.
  • Page 487: Internal Dhcp Relay

    Configuring DHCP Relay DHCP Relay Overview Internal DHCP Relay The internal DHCP Relay is configured using the UDP forwarding feature in the switch, available through ip helper address command. For more information, see “DHCP Relay Implementation” on page 21-8. This application example shows a network with two VLANs, each with multiple segments. All network clients are DHCP-ready and the DHCP server resides on just one of the VLANs.
  • Page 488: Dhcp Relay Implementation

    Configuring DHCP Relay DHCP Relay Implementation DHCP Relay Implementation The OmniSwitch allows you to configure the DHCP Relay feature in one of two ways. You can set up a global DHCP Relay or you can set up the DHCP Relay based on the DHCP packet from the client. Both of these choices provide the same configuration options and capabilities.
  • Page 489: Configuring Bootp/Dhcp Relay Parameters

    Configuring DHCP Relay DHCP Relay Implementation To delete an IP address, use the no form of the ip helper address command. The IP address specified with this syntax is deleted. If an IP address is not specified with this syntax, then all IP helper addresses are deleted.
  • Page 490: Setting Maximum Hops

    Configuring DHCP Relay DHCP Relay Implementation Setting Maximum Hops This value specifies the maximum number of relays the BOOTP/DHCP packet can go through until it reaches its server destination. This limit keeps packets from “looping” through the network. If a UDP packet contains a hop count equal to the hops value, DHCP Relay discards the packet.
  • Page 491: Using Automatic Ip Configuration

    Configuring DHCP Relay Using Automatic IP Configuration Using Automatic IP Configuration An additional function of the DHCP Relay feature enables a switch to broadcast a BootP or DHCP request packet at boot time to obtain an IP address for default VLAN 1. This function is separate from the previously described functions (such as Global DHCP, per-VLAN DHCP, and related configurable options) in that enabling or disabling automatic IP configuration does not exclude or prevent other DHCP Relay functionality.
  • Page 492: Configuring Udp Port Relay

    Configuring DHCP Relay Configuring UDP Port Relay Configuring UDP Port Relay In addition to configuring a relay operation for BOOTP/DHCP traffic on the switch, it is also possible to configure relay for generic UDP service ports (NBNS/NBDD, other well-known UDP service ports, and service ports that are not well-known).
  • Page 493: Enabling/Disabling Udp Port Relay

    Configuring DHCP Relay Configuring UDP Port Relay Enabling/Disabling UDP Port Relay By default, a global relay operation is enabled for BOOTP/DHCP relay well-known ports 67 and 68 that becomes active when an IP network host address for a DHCP server is specified. To enable or disable a relay operation for a UDP service port, use the ip udp relay service command.
  • Page 494: How The Relay Agent Processes Dhcp Packets From The Client

    Configuring DHCP Relay Configuring UDP Port Relay For more information about using the ip udp relay service vlan command, see the OmniSwitch AOS Release 8 CLI Reference Guide. How the Relay Agent Processes DHCP Packets from the Client The following table describes how the relay agent processes DHCP packets received from clients when the Option-82 feature is enabled for the switch: If the DHCP packet from the client ...
  • Page 495 Configuring DHCP Relay Configuring UDP Port Relay Configuring a Relay Agent Information Option-82 Policy As previously mentioned, when the relay agent receives a DHCP packet from a client that already contains Option-82 data, the packet is dropped by default. However, it is possible to configure a DHCP Option-82 policy that directs the relay agent to drop, keep, or replace the existing Option-82 data and then forward the packet to the server.
  • Page 496: Using Dhcp Snooping

    Configuring DHCP Relay Configuring UDP Port Relay Using DHCP Snooping Using DHCP Snooping improves network security by filtering DHCP messages received from devices outside the network and building and maintaining a binding table (database) to track access information for such devices. In order to identify DHCP traffic that originates from outside the network, DHCP Snooping categorizes ports as either trusted or untrusted.
  • Page 497: Dhcp Snooping Configuration Guidelines

    Configuring DHCP Relay Configuring UDP Port Relay • The port from where the DHCP packet originated. • The VLAN associated with the port from where the DHCP packet originated. • The lease time for the assigned IP address. • The binding entry type; dynamic or static (user-configured). After extracting the above information and populating the binding table, the packet is then forwarded to the port from where the packet originated.
  • Page 498 Configuring DHCP Relay Configuring UDP Port Relay Switch-level DHCP Snooping By default, DHCP Snooping is disabled for the switch. To enable this feature at the switch level, use the dhcp-snooping admin-state command. For example: -> dhcp-snooping admin-state enable When DHCP Snooping is enabled at the switch level, all DHCP packets received on all switch ports are screened/filtered by DHCP Snooping.
  • Page 499: Configuring The Port Trust Mode

    Configuring DHCP Relay Configuring UDP Port Relay -> dhcp-snooping vlan 200 mac-address-verification disable -> dhcp-snooping vlan 200 option-82-data-insertion disable Notes. • If the binding table functionality is enabled, disabling Option-82 data insertion for the VLAN is not allowed. See “Configuring the DHCP Snooping Binding Table” on page 21-20 for more information.
  • Page 500: Configuring The Dhcp Snooping Binding Table

    Configuring DHCP Relay Configuring UDP Port Relay Configuring IP Source Filtering (Dynamic ARP Inspection (DAI)) IP source filtering applies to DHCP Snooping ports and restricts port traffic to only packets that contain the proper client source information in the packet. The DHCP Snooping binding table is used to verify the client information for the port that is enabled for IP source filtering.
  • Page 501: Configuring The Binding Table Timeout

    Configuring DHCP Relay Configuring the Binding Table Timeout The contents of the DHCP Snooping binding table reside in the switch memory. In order to preserve table entries across switch reboots, the table contents are automatically saved to the dhcpBinding.db file located in the /flash/switch directory.
  • Page 502: Layer 2 Dhcp Snooping

    Configuring DHCP Relay Configuring UDP Port Relay Layer 2 DHCP Snooping By default, DHCP broadcasts are flooded on the default VLAN of the client/server port. If the DHCP client and server are both members of the same VLAN domain, the broadcast packets from these sources are bridged as Layer 2 traffic and not processed by the relay agent.
  • Page 503: Quick Steps For Configuring Dhcpv6 Relay

    Configuring DHCP Relay Quick Steps for Configuring DHCPv6 Relay Quick Steps for Configuring DHCPv6 Relay To configure the DHCPv6 relay feature, proceed as follows: Enable the DHCPv6 relay service on the switch using the ipv6 dhcp relay admin-state command. For example: ->...
  • Page 504: Dhcpv6 Relay Messages

    Configuring DHCP Relay DHCPv6 Relay Configuration Overview A maximum of five unicast or link-scoped multicast relay destinations can be configured for each interface on which DHCPv6 Relay is enabled. The DHCPv6 relay for the interface will be automatically disabled when all the relay destinations configured for that interface are removed. DHCPv6 Relay Messages Relay-Forward Messages When the DHCPv6 relay agent receives the relay-forward message, it will verify the hop-count of the...
  • Page 505: Configuring The Dhcpv6 Relay Destination

    Configuring DHCP Relay DHCPv6 Relay Configuration Overview Configuring the DHCPv6 Relay Destination The DHCPv6 relay enabled interface should be configured with the relay destination (DHCP server) to which the DHCPv6 client messages are sent. To configure the relay destination, use the ipv6 dhcp relay destination command.
  • Page 506: Verifying The Dhcp Relay Configuration

    Configuring DHCP Relay Verifying the DHCP Relay Configuration Verifying the DHCP Relay Configuration To display information about the DHCP Relay and BOOTP/DHCP, use the show commands listed below. For more information about the resulting displays from these commands, see the OmniSwitch AOS Release 8 CLI Reference Guide.
  • Page 507: Chapter 22 Configuring An Internal Dhcp Server

    22 Configuring an Internal DHCP Server The Dynamic Host Configuration Protocol (DHCP) offers a framework to provide configuration information to client interfaces on an IPv4 or IPv6 IP network. DHCP is based on the Bootstrap Protocol (BOOTP) and provides additional capabilities, such as dynamic allocation of reusable network addresses and configuration options.
  • Page 508: Dhcp Server Default Values

    Configuring an Internal DHCP Server DHCP Server Default Values The following table lists the DHCP server defaults (columns: Parameter Description, Command, Default Value/Comments): DHCP Server operation (dhcp-server status) - disabled. Quick Steps to Configure Internal DHCP Server DHCP server software is installed on the OmniSwitch to centrally manage IP addresses and other TCP/IP configuration settings for clients present on a network.
  • Page 509 Configuring an Internal DHCP Server Quick Steps to Configure Internal DHCP Server Create and customize the dhcpd.pcy file according to your requirements. Use the vi command to modify the existing configuration file. -> vi dhcpd.pcy For example: PingAttempts=0 PingDelay=500 HonorRequestedLeaseTime=False RegisteredClientsOnly=False ForceClass=None After entering the required information in the dhcpd.pcy file, type...
  • Page 510: Dhcp Server Overview

    Configuring an Internal DHCP Server DHCP Server Overview DHCP Server Overview DHCP consists of two components: • A protocol to supply client-specific configuration parameters from a DHCP server to a client. • A mechanism to allocate network addresses to clients. A DHCP server uses the Dynamic Host Configuration Protocol to provide initialization parameters to the clients in the network.
  • Page 511: Interaction With Other Features

    Configuring an Internal DHCP Server Interaction With Other Features VitalQIP Message Service This is the VitalQIP component that is present on the OmniSwitch acting as a remote server. This component allows the OmniSwitch to interact with other VitalQIP components. Also other services such as Active Lease Service register with the Message Server.
  • Page 512: Configuring Dhcp Server On Omniswitch

    Configuring an Internal DHCP Server Configuring DHCP Server on OmniSwitch The DHCP server implementation on OmniSwitch makes use of the policy, configuration, and server database files stored in the /flash/switch directory. Both the configuration and policy files must be present for the DHCP server to be enabled.
  • Page 513: Dhcp Configuration Files

    Configuring an Internal DHCP Server Configuring DHCP Server on OmniSwitch MaxOutgoingDhcpMessageSize=1024 MaxPendingSeconds=120 MaxUnavailableTime=3600 MinimumRequestedLeaseTime=3600 NumberOfThreads=15 RegisteredClientsOnly=0 ReplyToUnmanagedInformationRequests=1 SendRequestedParamsOnly=1 SendUnicastOption=1 ;ServerDuidDefault=0001000146e6ebb10003ba3cbb0d ServerPreference=255 ServerStatefulMode=1 UpdateQIP=all The updated dhcpd(v6).pcy file is effective only after the dhcp-server restart command is performed. See the “Policy File Parameters and Syntax” on page 22-25 table for additional information on individual policy parameters and how to apply the policies for internal DHCP server on the OmniSwitch.
  • Page 514 Configuring an Internal DHCP Server Configuring DHCP Server on OmniSwitch Example dhcpd.conf File #Global parameters that specify addresses and lease time. option domain-name-servers 200.0.0.99; option domain-name "example.com"; option dhcp-lease-time 20000; #IP subnet subnet 200.0.0.0 netmask 255.255.255.0 #Dynamic scope and parameters that apply to this scope overriding global params. dynamic-dhcp range 220.0.0.100 220.0.0.130 option routers 220.0.0.254;...
  • Page 515 Configuring an Internal DHCP Server Configuring DHCP Server on OmniSwitch policy subnet-unavailable-descent-threshold 85; policy minimum-requested-lifetime 800; option renewal-time 700000; <- Options applicable option rebinding-time 1000000; option preferred-lifetime 2000000; option valid-lifetime 3000000; option dns-recursive-name-server 2001:468:603:c0e0::1 2001:468:603:c0e0::2; v6-manual-dhcp duid 00-02-00-00-00-09-0c-c0-84-d3-03-00-0a-11 2620:0000:0060:1480::1f01 { <- Manual DUID mapping option posix-timezone "MST7MDT6,116/02:00:00,298/02:00:00";...
  • Page 516: Dhcp Server Database File

    Configuring an Internal DHCP Server Configuring DHCP Server on OmniSwitch DHCP Server Database file The dhcp(v6)Srv.db or the DHCP server database or lease file is initialized when the DHCP server function takes over or is restarted. The DHCP server database file contains the mappings between a client IP address and MAC address, referred to as a binding.
  • Page 517: Dhcp Server Application Example

    Configuring an Internal DHCP Server DHCP Server Application Example DHCP Server Application Example In this application example the clients or hosts obtain their IP addresses from the internal DHCP server configured on the OmniSwitch. DHCP clients initially have no IP address and are provided IP addresses by the DHCP server.
  • Page 518 Configuring an Internal DHCP Server DHCP Server Application Example [Figure: Illustration of Internal DHCP Server Application Example. The OmniSwitch (200.0.0.254) acts as IP router and DHCP server, with DHCP Relay enabled; a DNS server at 200.0.0.99; DHCP clients 200.0.0.11-20 on the server's subnet and DHCP clients 220.0.0.101 through 220.0.0.105 on the relayed subnet.]
  • Page 519: Verifying The Dhcp Server Configuration

    Configuring an Internal DHCP Server Verifying the DHCP Server Configuration Verifying the DHCP Server Configuration To display information about the DHCP Server configuration and statistics use the show commands listed below: show dhcp-server leases Displays the leases offered by the DHCP server. show dhcp-server statistics Displays the statistics of the DHCP server.
  • Page 520: Configuration File Parameters And Syntax

    Configuring an Internal DHCP Server Configuration File Parameters and Syntax The following table provides detailed information about the configuration file options and syntax specifications (columns: Option Code, dhcpd.conf Key-word, dhcpd.conf example, Default Value, Data type, Description). subnet-mask - Default Value: Same as in...; Description: Specifies the client's subnet mask.
  • Page 521 Configuring an Internal DHCP Server Configuration File Parameters and Syntax resource-location-servers - Data type: ip_address_list; Example: option resource-location-servers 10.10.0.100;...; Description: Specifies the IP address of the Resource Location server available to the client.
  • Page 522 Configuring an Internal DHCP Server Configuration File Parameters and Syntax policy-filter - Data type: address_mask_list; Example: option policy-filter 10.10.0.100 255.255.0.0;...; Description: Specifies policy filters for nonlocal source routing. The filters consist of the IP address list and masks. This...
  • Page 523 Configuring an Internal DHCP Server Configuration File Parameters and Syntax mask-supplier - Data type: boolean; Default Value: False; Example: option mask-supplier false;; Description: True indicates that response to the subnet mask request should use Internet Control Message Protocol (ICMP).
  • Page 524 Configuring an Internal DHCP Server Configuration File Parameters and Syntax tcp-keepalive-interval - Data type: numeric; Example: option tcp-keepalive-interval 10;; Description: Specifies the amount of time, in seconds, to wait before sending a keep alive message on a TCP connection.
  • Page 525 Configuring an Internal DHCP Server Configuration File Parameters and Syntax netbios-name-servers - Data type: ip_address_list; Example: option netbios-name-servers 10.10.0.100;...; Description: Specifies a list of RFC 1001/1002 NBNS name servers listed in order of...
  • Page 526 Configuring an Internal DHCP Server Configuration File Parameters and Syntax dhcp-option-overload - Value: 1, 2 or 3; Example: option dhcp-option-overload ...; Description: Used to indicate that the DHCP server name or file fields are being overloaded by using them to carry DHCP options.
  • Page 527 Configuring an Internal DHCP Server Configuration File Parameters and Syntax novell-netware-domain-name - Data type: text; Example: option novell-netware-domain-name "xyz";; Description: Used to convey the NetWare/IP domain name used by the NetWare/IP product.
  • Page 528 Configuring an Internal DHCP Server Configuration File Parameters and Syntax dhcp-www-server - Data type: ip_address_list; Example: option dhcp-www-server 10.10.0.100;...; Description: Specifies a list of WWW servers available to the client. Servers should...
  • Page 529 Configuring an Internal DHCP Server Configuration File Parameters and Syntax Mandatory - Data type: boolean; Default Value: FALSE; Description: This sub-option determines whether SLP Agents override their static configuration for scopes in the Scope List. This allows DHCP administrators to implement a policy of assigning a set of scopes to Agents for service provision.
  • Page 530 Configuring an Internal DHCP Server Configuration File Parameters and Syntax ipv4-auto-configuration - Data type: boolean; Default Value: False; Example: option ipv4-auto-configuration false;; Description: This option is used to check whether, and be notified if, autoconfiguration should be disabled on the local...
  • Page 531: Policy File Parameters And Syntax

    Configuring an Internal DHCP Server Policy File Parameters and Syntax The following table lists the policy file parameters (columns: Policy, Default Value, Usage, Description). ActiveLeaseExpiration - Usage: ActiveLeaseExpiration = On; Description: Determines how the expired leases are handled. The following values are available: Off - prevents expired leases from being automatically deleted after lease period is over.
  • Page 532 Configuring an Internal DHCP Server Policy File Parameters and Syntax LeaseExpirationSleepTime - Default Value: 60000 msecs; Usage: LeaseExpirationSleepTime = 120000; Description: Specifies the time interval in milliseconds after which the lease expiration processing occurs. Note: This value must not be less than 1 minute. MaxPending - Specifies the number of seconds that an offered lease...
  • Page 533 Configuring an Internal DHCP Server Policy File Parameters and Syntax PingBeforeManualDhcp - Default Value: True; Usage: PingBeforeManualDhcp = False; Description: If this value is set to True, the DHCP server performs a ping before assigning a static DHCP address. If an ICMP_REPLY is received from the ping, then the DHCP offer is not sent to the client and the address is...
  • Page 534 Configuring an Internal DHCP Server Policy File Parameters and Syntax DenyConnectionList - Default Value: None; Usage: DenyConnectionList=IP addresses; Description: This policy does not allow connections from listed IP addresses and networks. An example of listed IP addresses would be: DenyConnectionList=127.0.0.1,10.0.0.0/8.
  • Page 535: Chapter 23 Configuring Vrrp

    23 Configuring VRRP The Virtual Router Redundancy Protocol (VRRPv2/VRRPv3) is a standard router redundancy protocol supported in IPv4/IPv6, based on RFC 3768 and RFC 2787. It provides redundancy by eliminating the single point of failure inherent in a default route environment.
  • Page 536: Vrrp Defaults

    Configuring VRRP VRRP Defaults The following table lists the defaults for VRRP configuration through the vrrp|vrrp3 command and the relevant command keywords (columns: Description, Keyword, Default): Virtual router enabled or disabled (enable | disable) - Virtual routers are disabled; Priority (priority); Preempt mode (preempt | no preempt)...
  • Page 537: Quick Steps For Creating A Virtual Router

    Configuring VRRP Quick Steps for Creating a Virtual Router Quick Steps for Creating a Virtual Router Create a virtual router. Specify a virtual router ID (VRID) and an existing VLAN ID. For example: -> vrrp 6 4 Specify a VLAN that is configured with an IP interface. For information about creating VLANs, see Chapter 4, “Configuring VLANs.”...
  • Page 538: Vrrp Overview

    Configuring VRRP VRRP Overview VRRP Overview VRRP allows the routers on a LAN to backup a default route. VRRP dynamically assigns responsibility for a virtual router to a physical router (VRRP router) on the LAN. The virtual router is associated with an IP address (or set of IP addresses) on the LAN.
  • Page 539: Why Use Vrrp

    Configuring VRRP VRRP Overview If OmniSwitch A becomes unavailable, OmniSwitch B becomes the master router. OmniSwitch B will then respond to ARP requests for IP address A using the virtual router’s MAC address (00:00:5E:00:01:01). It will also forward packets for IP address B and respond to ARP requests for IP address B using the OmniSwitch’s physical MAC address.
  • Page 540: Vrrp Mac Addresses

    Configuring VRRP VRRP Overview Note. Duplicate IP address/MAC address messages may display when a backup takes over for a master, depending on the timing of the takeover and the configured advertisement interval. This is particularly true if more than one backup is configured. VRRP MAC Addresses Each virtual router has a single well-known MAC address, which is used as the source in all periodic VRRP advertisements sent by the master router, as the MAC address in ARP replies sent by VRRPv2, and...
  • Page 541: Vrrp Tracking

    Configuring VRRP Interaction With Other Features VRRP Tracking A virtual router's priority may be conditionally modified to prevent another router from taking over as master. Tracking policies are used to conditionally modify the priority setting whenever a slot/port, IP address, or IP interface associated with a virtual router goes down. A tracking policy consists of a tracking ID, the value used to decrease the priority value, and the slot/port number, IP address, or IP interface name to be monitored by the policy.
  • Page 542: Vrrp Configuration Overview

    Configuring VRRP VRRP Configuration Overview VRRP Configuration Overview During startup, VRRP is loaded onto the switch and is enabled. Virtual routers must be configured and enabled as described in the following sections. Since VRRP is implemented on multiple switches in the network, some VRRP parameters must be identical across switches: •...
  • Page 543 Configuring VRRP VRRP Configuration Overview • Priority: Use the priority keyword to change the default priority value and set a desired value. Note that the IP address owner is automatically assigned a value of 255, which overrides any value that you may have already configured.
  • Page 544: Specifying An Ip Address For A Virtual Router

    Configuring VRRP VRRP Configuration Overview Specifying an IP Address for a Virtual Router An IP address must be specified before a virtual router may be enabled. There are two vrrp|vrrp3 address command options for specifying an IP address for a virtual router: •...
  • Page 545: Configuring Virtual Router Priority

    Configuring VRRP VRRP Configuration Overview address messages, both routers will begin forwarding packets sent to the virtual router MAC address. This will result in the forwarding of duplicate packets. • The backup VRRPv3 router will then take over and send a neighbor advertisement, which includes the virtual router IPv6 address and the virtual router MAC address.
  • Page 546: Setting Preemption For Virtual Routers

    Configuring VRRP VRRP Configuration Overview -> vrrp 6 4 admin-state disable -> vrrp 6 4 priority 50 -> vrrp3 10 5 admin-state disable -> vrrp3 10 5 priority 50 In this example, VRRPv2 virtual router 6 and VRRPv3 virtual router 10 are disabled. (If you are modifying an existing virtual router, the virtual router must be disabled before it may be modified.) The virtual router priority is then set to 50.
  • Page 547: Enabling/Disabling A Virtual Router

    Configuring VRRP VRRP Configuration Overview Enabling/Disabling a Virtual Router To administratively enable a virtual router, use the vrrp or vrrp3 command option with the admin-state enable keyword. Note that at least one IPv4 address must be configured for a VRRPv2 virtual router before the virtual router can be enabled;...
  • Page 548: Setting Vrrp Startup Delay

    Configuring VRRP VRRP Configuration Overview To disable VRRP traps, use the no form of the vrrp trap or vrrp3 trap command option. For example: -> no vrrp trap -> no vrrp3 trap To re-enable traps, enter the vrrp trap or vrrp3 trap command. ->...
  • Page 549: Changing Default Parameter Values For A Virtual Router Group

    Configuring VRRP VRRP Configuration Overview value to the existing virtual routers; you must first disable the virtual routers, then apply the new default value using the vrrp set command and enable the virtual routers again. For example, to change the default priority value to 50 on all the existing virtual routers on a switch, enter the following: ->...
  • Page 550 Configuring VRRP VRRP Configuration Overview After creating a virtual router group, you have to add virtual routers to the group using the vrrp group- association command. For example: -> vrrp 10 1 group-association 25 The above command adds the virtual router 10 on VLAN 1 to the virtual router group 25. A virtual router need not be disabled in order to be added to a virtual router group.
  • Page 551: Creating Vrrp Tracking Policies

    Configuring VRRP Creating VRRP Tracking Policies Creating VRRP Tracking Policies To create a tracking policy, use the vrrp track command and specify the amount to decrease a virtual router’s priority and the slot/port, IP address, or IP interface name to be tracked. For example: ->...
  • Page 552 Configuring VRRP Creating VRRP Tracking Policies -> vrrp 6 4 track-association 3 -> vrrp3 10 5 admin-state disable -> vrrp3 10 5 track-association 3 In this example, VRRPv2 virtual router 6 on VLAN 4 and VRRPv3 virtual router 10 on VLAN 5 are disabled first so that tracking policy 3 may be associated with the virtual router.
  • Page 553: Verifying the VRRP Configuration

    A summary of the show commands used to verify the VRRP configuration:
    show vrrp|vrrp3: Displays the virtual router configuration for all virtual routers or for a particular virtual router.
    show vrrp|vrrp3 statistics: Displays statistics about VRRP packets for all virtual routers configured on the switch or for a particular virtual router.
  • Page 554: VRRPv2 Application Example

    In addition to providing redundancy, VRRP can assist in load balancing outgoing traffic. The figure below shows two virtual routers with their hosts splitting traffic between them. Half of the hosts are configured with a default route to virtual router 1's IP address (10.10.2.250), and the other half are configured with a default route to virtual router 2's IP address (10.10.2.245).
  • Page 555: VRRPv2 Tracking Example

    In this scenario, the master of VRID 1 responds to ARP requests for IP address A using the virtual router MAC address for VRID 1 (00:00:5E:00:01:01). OmniSwitch 1 is the master for VRID 1 because it owns the physical interface to which 10.10.2.250 is assigned.
  • Page 556

    The virtual router configuration for VRID 1 and 2 on VRRP router B is as follows:
    -> vrrp 1 5 priority 75
    -> vrrp 2 5 priority 100 preempt
    To ensure that workstation clients 1 and 2 keep connectivity to the Internet, configure a tracking policy on VRRP router A to monitor port 3/1 and associate the policy with VRID 1.
  • Page 557: VRRPv3 Application Example

    In addition to providing redundancy, VRRPv3 can assist in load balancing outgoing traffic. The figure below shows two virtual routers with their hosts splitting traffic between them. Half of the hosts are configured with a default route to virtual router 1's IPv6 address (213:100:1::56), and the other half are...
  • Page 558: VRRPv3 Tracking Example

    In this scenario, the master of VRID 1 responds to a neighbor solicitation for IPv6 address A with a neighbor advertisement carrying the virtual router MAC address for VRID 1 (00:00:5E:00:02:01). OmniSwitch 1 is the master for VRID 1 because it owns the physical interface to which IPv6 address A is assigned.
  • Page 559

    To ensure that workstation clients 1 and 2 keep connectivity to the Internet, configure a tracking policy on VRRPv3 router A to monitor port 3/1 and associate the policy with VRID 1.
    -> vrrp3 track 1 admin-state enable priority 50 port 3/1
    ->...
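The tracking examples above (VRRPv2 on pages 555-556, VRRPv3 on pages 558-559) show the switch configuration but not the election arithmetic it drives. The Python model below is an added example for this page, not code from the guide or from Alcatel-Lucent Enterprise: it derives the virtual MAC, applies a tracking decrement, and runs the RFC 3768/5798 master election. Router B's priorities (75 for VRID 1, 100 with preempt for VRID 2) and the decrement of 50 on port 3/1 come from the page; router A's base priorities (100 for VRID 1, 75 for VRID 2), the interface addresses 10.10.2.1 and 10.10.2.2, and preempt defaulting to enabled are assumptions made for the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


def virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """Virtual router MAC: 00-00-5E-00-01-{VRID} for IPv4 (RFC 3768), 00-00-5E-00-02-{VRID}
    for IPv6 (RFC 5798). This is the MAC the master answers ARP / neighbor solicitation with."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5E:00:%02X:%02X" % (2 if ipv6 else 1, vrid)


@dataclass
class TrackPolicy:
    decrement: int    # the 'priority' value of 'vrrp track': subtracted while the target is down
    target: str       # tracked slot/port ("3/1"), IP address or IP interface name


@dataclass
class VirtualRouter:
    router: str                 # name of the physical switch running this instance
    vrid: int
    base_priority: int          # configured priority 1..254 (255 is implied for the address owner)
    primary_ip: str             # the switch's own interface address, used as the tie-breaker
    preempt: bool = True        # assumption: AOS enables preempt by default
    tracks: list = field(default_factory=list)

    def effective_priority(self, down: set) -> int:
        """Base priority minus every associated policy whose target is currently down.
        Clamped at 1: priority 0 on the wire means 'master is releasing the VRID'."""
        loss = sum(t.decrement for t in self.tracks if (self.router, t.target) in down)
        return max(self.base_priority - loss, 1)


def elect_master(instances, down, current_master=None):
    """Which router should be master for one VRID.
    Highest effective priority wins; a tie goes to the higher primary IP (RFC 3768 6.4.2).
    A backup with a better priority only takes over from a live master if it has preempt
    enabled; if the current master is no longer a candidate, the best one simply wins."""
    def rank(vr):
        return (vr.effective_priority(down), int(ip_address(vr.primary_ip)))

    best = max(instances, key=rank)
    current = next((vr for vr in instances if vr.router == current_master), None)
    if current is not None and best is not current and not best.preempt:
        return current.router
    return best.router


def tracking_scenario():
    """The page-556 setup: router B has priority 75 for VRID 1 and 100 with preempt for
    VRID 2; router A (assumed 100 / 75) tracks port 3/1 with a decrement of 50 on VRID 1.
    Interface addresses 10.10.2.1 and 10.10.2.2 are constructed for the example."""
    a1 = VirtualRouter("A", 1, 100, "10.10.2.1", tracks=[TrackPolicy(50, "3/1")])
    b1 = VirtualRouter("B", 1, 75, "10.10.2.2")
    a2 = VirtualRouter("A", 2, 75, "10.10.2.1")
    b2 = VirtualRouter("B", 2, 100, "10.10.2.2", preempt=True)
    healthy, uplink_down = set(), {("A", "3/1")}
    return {
        "vrid1_healthy": elect_master([a1, b1], healthy),
        "vrid2_healthy": elect_master([a2, b2], healthy),
        "a_priority_uplink_down": a1.effective_priority(uplink_down),
        "vrid1_uplink_down": elect_master([a1, b1], uplink_down, current_master="A"),
        "vrid1_uplink_restored": elect_master([a1, b1], healthy, current_master="B"),
        "vrid1_mac": virtual_mac(1),
        "vrid1_mac_v6": virtual_mac(1, ipv6=True),
    }
```

With port 3/1 down, router A's VRID 1 priority falls from 100 to 50, below B's 75, so B takes VRID 1 while VRID 2 is untouched; when the port returns, A preempts back. The model also makes the protocol's weak point visible: mastership is decided purely by the advertised priority, and RFC 3768 and RFC 5798 define no authentication for advertisements, so any host on VLAN 5 that can send to the VRRP group address with priority 254 would win the election. Tracking policies redistribute priority between legitimate routers; keeping untrusted hosts off the VRRP VLAN is a separate control.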
  • Page 560: Chapter 24 Configuring Server Load Balancing

    24 Configuring Server Load Balancing The OmniSwitch implementation of Server Load Balancing (SLB) software provides a method to logically manage a group of physical servers sharing the same content (known as a server farm) as one large virtual server (known as an SLB cluster). SLB clusters are identified and accessed using either a Virtual IP (VIP) address or a QoS policy condition.
  • Page 561: Server Load Balancing Default Values

    The following table lists default values for the SLB software:
    Parameter Description               Command                        Default Value/Comments
    Global SLB administrative status    ip slb admin-state             Disabled
    Ping period                         ip slb cluster ping period     60 seconds
    Ping timeout                        ip slb cluster ping timeout    ...
  • Page 562: Quick Steps for Configuring Server Load Balancing

    Follow the steps below for a quick tutorial on configuring parameters for SLB. Additional information on how to configure each command is given in the subsections that follow. Note that this example configures a VIP cluster.
  • Page 563: Quick Steps for Configuring a QoS Policy Condition Cluster

    An example of what these configuration commands look like entered sequentially on the command line:
    -> ip slb admin-state enable
    -> ip slb cluster WorldWideWeb vip 128.241.130.204
    -> ip slb server ip 128.241.130.127 cluster WorldWideWeb
    ->...
  • Page 564

    Server 103.10.50.3 Admin status = Disabled, Operational status = Disabled, Weight = 2, Availability (%) = 0
    As an option, you can also display traffic statistics for an SLB condition cluster by entering show ip slb cluster followed by the cluster name and the statistics parameter.
  • Page 565: Server Load Balancing Overview

    The following sections describe SLB operational theory (see “Server Load Balancing Cluster Identification” on page 24-6), an SLB example (“Server Load Balancing Example” on page 24-7), and server health monitoring (see “Server Health Monitoring”...
  • Page 566: Server Load Balancing Example

    In the figure on the following page, an SLB cluster consisting of four (4) physical servers has been configured with a VIP of 128.241.130.204 and an SLB cluster name of “WorldWideWeb.” The switch processes requests sent by clients to the VIP 128.241.130.204 and forwards each one to the appropriate physical server, depending on the configuration and the operational states of the physical servers.
  • Page 567: Weighted Round Robin Distribution Algorithm

    To distribute traffic among operating servers, the SLB cluster needs a method of selecting one server from the pool (cluster) of operating servers (those in “in service” mode) according to some criterion. This method is commonly called the SLB cluster distribution algorithm.
  • Page 568: Server Health Monitoring

    The OmniSwitch Server Load Balancing (SLB) software checks the links from the switch to the servers. In addition, the SLB software sends ICMP echo requests (ping packets) to the physical servers to determine their availability.
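The two sections above describe weighted round robin and health checking in prose only. The Python below is an added example written for this page, not the OmniSwitch implementation: it models how a cluster like the one configured on page 563 (cluster WorldWideWeb, VIP 128.241.130.204, server 128.241.130.127) picks a server, using smooth weighted round robin over the servers that are both administratively enabled and operationally up, and pulling a server out of rotation after a run of failed probes. The second and third server addresses, the weights, and the retry count of 3 are constructed for the example; the smooth-WRR interleaving is the algorithm nginx uses and is an assumption about, not a description of, the switch's own scheduler.

```python
from dataclasses import dataclass


@dataclass
class Server:
    ip: str
    weight: int = 1            # relative weight: a weight-2 server gets twice the requests of a weight-1 one
    admin_enabled: bool = True  # 'ip slb server ... admin-state enable|disable'
    operational: bool = True    # cleared by the health monitor, not by the operator
    failures: int = 0           # consecutive failed probes
    current: int = 0            # smooth-WRR running credit


class Cluster:
    """One VIP fronting N real servers (the 'server farm'), with health tracking per server."""

    def __init__(self, name: str, vip: str, retries: int = 3):
        self.name, self.vip, self.retries = name, vip, retries   # retries=3 is constructed here
        self.servers: dict[str, Server] = {}

    def add_server(self, ip: str, weight: int = 1) -> None:
        self.servers[ip] = Server(ip, weight)

    def in_service(self) -> list[Server]:
        # assumption: a weight of 0 drains a server (it stays up but gets no new requests)
        return [s for s in self.servers.values() if s.admin_enabled and s.operational and s.weight > 0]

    def record_probe(self, ip: str, ok: bool) -> bool:
        """Feed one health-check result (ICMP ping or TCP/HTTP probe). The server leaves the
        rotation after `retries` consecutive failures and rejoins on the first success.
        Returns the server's resulting operational state."""
        s = self.servers[ip]
        if ok:
            s.failures, s.operational = 0, True
        else:
            s.failures += 1
            if s.failures >= self.retries:
                s.operational = False
        return s.operational

    def select(self):
        """Smooth weighted round robin: every in-service server gains its weight, the richest
        one is picked and pays back the pool's total weight. Over `total` consecutive picks
        each server is chosen exactly `weight` times, and they are interleaved rather than bunched."""
        pool = self.in_service()
        if not pool:
            return None          # whole farm down: nothing behind the VIP to forward to
        total = sum(s.weight for s in pool)
        for s in pool:
            s.current += s.weight
        chosen = max(pool, key=lambda s: s.current)
        chosen.current -= total
        return chosen.ip


def distribution(cluster: Cluster, n: int) -> dict:
    """Send n requests through the scheduler and count how many each server received."""
    counts: dict = {}
    for _ in range(n):
        ip = cluster.select()
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

A cluster with weights 2/1/1 spreads four requests as 2/1/1; after three failed probes the unhealthy server drops out and the remaining two share traffic 2/1 until a probe succeeds again. The health-check path is where availability is decided: the default probe is an ICMP echo, so a server whose web daemon has crashed but whose kernel still answers pings stays in rotation. The HTTP/HTTPS probes with an expected status described later in this chapter (pages 578-579) close that gap.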
  • Page 569: Configuring Server Load Balancing on a Switch

    This section describes how to use the OmniSwitch Command Line Interface (CLI) commands to configure Server Load Balancing (SLB) on a switch. Note.
  • Page 570: Configuring and Deleting SLB Clusters

    The following subsections describe how to configure and delete SLB clusters with the ip slb cluster command. Configuring an SLB Cluster with a VIP Address: Consider the following when configuring a VIP cluster:
    •...
  • Page 571: Automatic Configuration of SLB Policy Rules

    The condition created in the above example, “cond1”, uses the source port value to classify traffic. When this condition is associated with an SLB cluster, client requests received on the specified source port are sent to a server that is a member of the associated cluster.
  • Page 572: Assigning Servers to and Removing Servers from a Cluster

    Deleting an SLB Cluster: To delete an SLB cluster, use the no form of the ip slb cluster command by entering no ip slb cluster followed by the name of the cluster. For example, to delete an SLB cluster called “Web_Server”, you would enter:
    ->...
  • Page 573: Modifying Optional Parameters

    As shown in the table on page 24-2, the OmniSwitch implementation of SLB software is preconfigured with default values for the SLB cluster's “sticky” time, ping timeout, ping period, ping retries, and relative weight (preference).
  • Page 574: Modifying the Ping Retries

    You can modify the ping retry value with the ip slb cluster ping retries command by entering ip slb cluster, the name of the SLB cluster, ping retries, and the user-specified number of ping retries. For example:
    ->...
  • Page 575: Taking Clusters and Servers On/Off Line

    Server Load Balancing (SLB) show commands provide tools to monitor traffic and troubleshoot problems. These commands are described in “Displaying Server Load Balancing Status and Statistics” on page 24-21.
  • Page 576: Configuring SLB Probes

    Taking a Server Off Line: You can administratively disable a server in an SLB cluster and take it off line with the ip slb server ip cluster command by entering ip slb server, the IP address of the server to disable in dotted decimal format, cluster, the name of the SLB cluster to which the server belongs, and admin-state disable.
  • Page 577: Associating a Probe with a Cluster

    To associate an existing SLB probe with a cluster, use the ip slb cluster probe command by entering ip slb cluster followed by the user-configured cluster name, probe, and the user-configured probe name. For example, to associate a probe called “cluster_probe1”...
  • Page 578: Modifying the Probe Retries

    Modifying the Probe TCP/UDP Port: To modify this value, use the ip slb probe port command by entering ip slb probe followed by the user-configured probe name, the probe type, port, and the user-specified port number. Note.
  • Page 579: Modifying the Probe Status

    To modify this value, use the ip slb probe status command by entering ip slb probe followed by the user-configured probe name, either http or https, status, and the user-specified expected status. For example, to set the expected status for an HTTP SLB probe called “server_probe1”...
  • Page 580: Displaying Server Load Balancing Status and Statistics

    You can use CLI show commands to display the current configuration and statistics of Server Load Balancing on a switch. These commands include the following:
    show ip slb: Displays the status of server load balancing on a switch.
  • Page 581

    The show ip slb cluster server command provides detailed configuration information and statistics for individual SLB servers. To use it, enter show ip slb cluster, the name of the SLB cluster that the server belongs to, server, and the IP address of the server.
  • Page 582: Chapter 25 Configuring Ip Multicast Switching

    25 Configuring IP Multicast Switching IP Multicast Switching is a one-to-many communication technique employed by emerging applications, such as video distribution, news feeds, conferencing, netcasting, and resource discovery (OSPF, RIP2, and BOOTP). Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any subnetwork that has at least one device requesting the multicast traffic.
  • Page 583: IPMS Default Values

    • “Modifying IPMSv6 Parameters” on page 25-33.
    • “IPMSv6 Application Example” on page 25-44.
    • “Displaying IPMSv6 Configurations and Statistics” on page 25-47.
    IPMS Default Values: The table below lists default values for the OmniSwitch IPMS implementation.
    Parameter Description    Command    Default Value/Comments...
  • Page 584: IPMSv6 Default Values

    The table below lists default values for the OmniSwitch IPMSv6 implementation.
    Parameter Description                      Command                          Default Value/Comments
    Administrative Status                      ipv6 multicast admin-state       disabled
    Flood initial unknown multicast traffic    ipv6 multicast flood-unknown     disabled
    MLD Querier Forwarding                     ipv6 multicast querier-...
  • Page 585: IPMS Overview

    A multicast group is defined by a multicast group address, which is a Class D IP address in the range 224.0.0.0 to 239.255.255.255. (The range 239.0.0.0 to 239.255.255.255 is the administratively scoped block defined in RFC 2365; groups in it are meant to stay inside an organization's boundary and are not forwarded onto the Internet.) The multicast group address is carried in the destination address field of the IP header.
  • Page 586: Reserved IP Multicast Addresses

    The Internet Assigned Numbers Authority (IANA) defined the multicast address range as 224.0.0.0 to 239.255.255.255. However, as the table below shows, certain addresses are reserved and cannot be used.
    Address or Address Range          Description
    224.0.0.0 through 224.0.0.255    ...
  • Page 587: IGMP Version 3

    Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information provided by unicast routing protocols, such as RIP and OSPF. Sparse Mode PIM (PIM-SM) contrasts with flood-and-prune dense mode multicast protocols, such as DVMRP and PIM Dense Mode (PIM-DM), in that multicast forwarding in PIM-SM is initiated only through explicit requests.
  • Page 588: Interaction with Other Features

    This section contains important information about how IP Multicast Switching (IPMS) interacts with other OmniSwitch features. Refer to the specific chapter for each feature for more detailed information about how to configure and use it.
  • Page 589

    – Querying
    – Forward Mode Selection
    – Helper Address
    – SSM Mapping
    – Initial Packet Buffering
    Consider the following operational guidelines when configuring IPMS for SPB services:
    • IPMS must be explicitly enabled or disabled for each SPB service.
    •...
  • Page 590: Configuring IPMS on a Switch

    This section describes how to use Command Line Interface (CLI) commands to complete the following configuration tasks:
    • Enable and disable IP Multicast Switching and Routing (IPMSR) switch wide (see “Enabling and Disabling IP Multicast Status”...
  • Page 591: Enabling and Disabling Flooding of Unknown Multicast Traffic

    You can also disable IP Multicast switching and routing on the specified VLAN or SPB service by entering:
    -> ip multicast vlan 2 admin-state disable
    -> ip multicast service 10 admin-state disable
    Or, as an alternative, enter the following commands to restore the IP Multicast status to its default setting:
    ->...
  • Page 592: Enabling and Disabling IGMP Querier-Forwarding

    By default, IGMP querier-forwarding is disabled. The following subsections describe how to enable and disable IGMP querier-forwarding with the ip multicast querier-forwarding command. Enabling the IGMP Querier-forwarding: You can enable IGMP querier-forwarding by entering ip multicast querier-forwarding followed by...
  • Page 593: Configuring and Restoring the IGMP Version

    By default, the Internet Group Management Protocol (IGMP) membership version is Version 2. The following subsections describe how to configure the IGMP protocol version (1 to 3) with the ip multicast version command.
  • Page 594: Configuring and Removing an IGMP Static Querier

    -> ip multicast static-neighbor service 10 sap port 1/1/23:10
    In this example, 1/1/23:10 is a SAP ID, which consists of an access port number (1/1/23) and an encapsulation value (10). SPB service 10 is mapped to SAP ID 1/1/23:10. Traffic received on access port 1/1/23 that is tagged with VLAN 10 is encapsulated and then forwarded on service 10 through the SPB network.
  • Page 595: Configuring and Removing an IGMP Static Group

    Removing an IGMP Static Querier: To reset the port so that it is no longer an IGMP static querier port, use the no form of the ip multicast static-querier command. For example, the following command removes port 1/1/13 with designated VLAN 2 as an IGMP static querier:
    ->...
  • Page 596: Modifying IPMS Parameters

    The table in “IPMS Default Values” on page 25-2 lists default values for IPMS parameters. The following sections describe how to use CLI commands to modify these parameters. Modifying the IGMP Query Interval: The default IGMP query interval (the time between IGMP general queries) is 125 seconds.
  • Page 597: Modifying the IGMP Last Member Query Interval

    The default IGMP last member query interval (the time allowed for a reply to the group-specific query that the querier sends in response to a leave group message) is 10, in tenths of a second (that is, 1 second). The following subsections describe how to configure the IGMP last member query interval and restore it with the ip multicast last-member-query-interval command.
  • Page 598: Modifying the IGMP Query Response Interval

    The default IGMP query response interval (the maximum time a host may wait before replying to an IGMP query) is 100, in tenths of a second (that is, 10 seconds). The following subsections describe how to configure the query response interval and how to restore it with the ip multicast query-response-interval command.
  • Page 599: Modifying the IGMP Router Timeout

    Or, as an alternative, enter the following command to restore the zero-based IGMP query to its default setting (enabled):
    -> no ip multicast zero-based-query
    You can also enable the use of a zero-based IGMP query on the specified VLAN or SPB service by entering:
    ->...
  • Page 600: Modifying the Source Timeout

    -> no ip multicast router-timeout
    You can also restore the IGMP router timeout on the specified VLAN or SPB service by entering:
    -> ip multicast vlan 2 router-timeout 0
    -> ip multicast service 10 router-timeout 0
    Or, as an alternative, enter the following commands to restore the IGMP router timeout to its default value:
    ->...
  • Page 601: Enabling and Disabling IGMP Querying

    By default, IGMP querying is disabled. The following subsections describe how to enable and disable IGMP querying with the ip multicast querying command. Enabling the IGMP Querying: You can enable IGMP querying by entering ip multicast querying followed by the enable keyword.
  • Page 602: Modifying the IGMP Robustness Variable

    The default value of the IGMP robustness variable (the variable that lets you tune IGMP for a network where the expected packet loss is higher) is 2. The following subsections describe how to set the robustness variable and restore it with the ip multicast robustness command.
  • Page 603: Enabling and Disabling the IGMP Spoofing

    By default, IGMP spoofing (replacing a client's MAC and IP address with the system's MAC and IP address when proxying aggregated IGMP group membership information) is disabled on the switch. The following subsections describe how to enable and disable spoofing with the ip multicast spoofing command.
  • Page 604: Enabling and Disabling the IGMP Zapping

    Or, as an alternative, enter the following commands to restore IGMP spoofing to its default setting:
    -> no ip multicast vlan 2 spoofing
    -> no ip multicast service 10 spoofing
    Enabling and Disabling the IGMP Zapping: By default, IGMP zapping (processing membership and source filter removals immediately, without waiting for the time period the protocol specifies –...
  • Page 605: Setting the IGMP Group Limit

    To set the IGMP global group limit and drop any requests above the limit, use the ip multicast max-group command as shown below:
    -> ip multicast max-group 25 action drop
    To set the IGMP group limit for a VLAN or SPB service and replace an existing session, use the ip multicast max-group command as shown below:...
  • Page 606: IPMSv6 Overview

    An IPv6 multicast address identifies a group of nodes. A node can belong to any number of multicast groups. IPv6 multicast addresses are classified as fixed scope multicast addresses and variable scope multicast addresses. (See the “Reserved IPv6 Multicast Addresses”...
  • Page 607: Reserved IPv6 Multicast Addresses

    The Internet Assigned Numbers Authority (IANA) classifies IPv6 multicast addresses as fixed scope and variable scope multicast addresses. The table below shows only the well-known addresses, which are reserved and cannot be assigned to any multicast group.
    Address                Description
    FF00:0:0:0:0:0:0:0    ...
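The IPv4 reserved-address table on page 586 and the IPv6 table above both survive only as their first row in this extraction. As an added example that is not part of the guide, the Python below checks a group address against the IANA multicast blocks and derives the Ethernet destination MAC the switch actually forwards on. The 224.0.0.0/24 row is the one visible on page 586; the remaining IPv4 blocks are taken from RFC 5771 and the IPv6 scope and flag nibbles from RFC 4291, not from this page.

```python
from ipaddress import IPv4Address, IPv6Address, ip_network

# IANA IPv4 multicast blocks (RFC 5771). Only the 224.0.0.0/24 row appears in the page's table;
# the other rows are from the RFC. The flag says whether you may choose group addresses there.
IPV4_BLOCKS = [
    (ip_network("224.0.0.0/24"), "local-network-control", False),  # TTL 1, never routed; protocol use only
    (ip_network("224.0.1.0/24"), "internetwork-control", False),   # IANA-assigned protocol groups
    (ip_network("232.0.0.0/8"), "source-specific", True),          # SSM: receivers join (S,G), not (*,G)
    (ip_network("233.0.0.0/8"), "glop", True),                     # derived from a 16-bit AS number
    (ip_network("239.0.0.0/8"), "administratively-scoped", True),  # organization-local, RFC 2365
]

# RFC 4291 scope nibble (the 'y' in FFxy::)
IPV6_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def classify_ipv4_multicast(addr: str):
    """Return (block name, assignable) for a group address; reject anything outside 224/4."""
    a = IPv4Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a Class D (224.0.0.0/4) address")
    for net, name, assignable in IPV4_BLOCKS:
        if a in net:
            return name, assignable
    return "general-purpose", True


def ipv4_multicast_mac(addr: str) -> str:
    """RFC 1112 mapping: 01-00-5E plus the low 23 bits of the group. The 5 bits between the
    fixed 1110 prefix and those 23 are dropped, so 32 different groups share each MAC."""
    a = IPv4Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    low23 = int(a) & 0x7F_FFFF
    return "01:00:5E:%02X:%02X:%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def mac_collisions(addr: str) -> list:
    """All 32 IPv4 groups that share a MAC with `addr`: the reason IPMS keys on the IP group."""
    base = int(IPv4Address(addr)) & 0x7F_FFFF
    return [str(IPv4Address(0xE000_0000 | (hi << 23) | base)) for hi in range(32)]


def classify_ipv6_multicast(addr: str):
    """Return (scope name, 'well-known' or 'transient') from the FFxy:: flag and scope nibbles.
    Well-known (T flag = 0) addresses are IANA-reserved and not assignable to user groups."""
    a = IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not an FF00::/8 address")
    flags = (int(a) >> 116) & 0xF
    scope = (int(a) >> 112) & 0xF
    kind = "transient" if flags & 0x1 else "well-known"
    return IPV6_SCOPES.get(scope, "reserved-or-unassigned"), kind


def ipv6_multicast_mac(addr: str) -> str:
    """RFC 2464 mapping: 33-33 plus the low 32 bits of the group address."""
    a = IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    low32 = int(a) & 0xFFFF_FFFF
    return "33:33:%02X:%02X:%02X:%02X" % (
        low32 >> 24, (low32 >> 16) & 0xFF, (low32 >> 8) & 0xFF, low32 & 0xFF)
```

The MAC mapping is why IPMS snoops IGMP and MLD and builds its forwarding table on the IP group rather than on the destination MAC alone: 224.1.1.1, 225.1.1.1 and 224.129.1.1 all map to 01:00:5E:01:01:01, so a purely MAC-keyed table would deliver one group's stream to another group's receivers. The classifier is the check to run before assigning a group address in a deployment: anything in 224.0.0.0/24 or a well-known FF0x:: address belongs to the protocols, not to your application.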
  • Page 608: Configuring IPMSv6 on a Switch

    This section describes how to use Command Line Interface (CLI) commands to complete the following configuration tasks:
    • Enable and disable IPv6 Multicast Switching (IPMSv6) switch wide (see “Enabling and Disabling IPv6 Multicast Status”...
  • Page 609: Enabling and Disabling Flooding of Unknown Multicast Traffic

    You can also disable IPv6 Multicast on the specified VLAN or SPB service by entering:
    -> ipv6 multicast vlan 2 admin-state disable
    -> ipv6 multicast service 10 admin-state disable
    Or, as an alternative, enter the following commands to restore the IPv6 Multicast status to its default setting:
    ->...
  • Page 610: Enabling and Disabling MLD Querier-Forwarding

    By default, MLD querier-forwarding is disabled. The following subsections describe how to enable and disable MLD querier-forwarding with the ipv6 multicast querier-forwarding command. Enabling the MLD Querier-forwarding: You can enable MLD querier-forwarding by entering ipv6 multicast querier-forwarding followed by...
  • Page 611: Configuring and Removing an MLD Static Neighbor

    Restoring the MLD Version 1: To restore the MLD version to Version 1 (MLDv1) on the system when no VLAN or SPB service is specified, use the ipv6 multicast version command by entering:
    ->...
  • Page 612: Configuring and Removing an MLD Static Querier

    -> no ipv6 multicast static-neighbor vlan 2 port 1/1/13
    To reset the SAP port so that it is no longer an MLD static neighbor port, use the no form of the ipv6 multicast static-neighbor command with the service and sap port parameters.
  • Page 613: Configuring and Removing an MLD Static Group

    MLD static group ports receive MLD reports generated for the specified IPv6 multicast group address. The following subsections describe how to configure and remove an MLD static group with the ipv6 multicast static-group command.
  • Page 614: Modifying IPMSv6 Parameters

    The table in “IPMSv6 Default Values” on page 25-3 lists default values for IPMSv6 parameters. The following sections describe how to use CLI commands to modify these parameters. Modifying the MLD Query Interval: The default MLD query interval (the time between MLD general queries) is 125 seconds.
  • Page 615: Modifying the MLD Last Member Query Interval

    The default MLD last member query interval (the time allowed for a reply to the multicast-address-specific query that the querier sends in response to a done message) is 1000 milliseconds. The following subsections describe how to configure the MLD last member query interval and restore it with the ipv6 multicast last-member-query-interval...
  • Page 616: Enabling and Disabling Zero-Based MLD Query

    -> ipv6 multicast query-response-interval 20000
    You can also modify the MLD query response interval on the specified VLAN or SPB service by entering:
    -> ipv6 multicast vlan 2 query-response-interval 20000
    -> ipv6 multicast service 10 query-response-interval 20000
    Restoring the MLD Query Response Interval: To restore the MLD query response interval to its default value on the system when no VLAN or SPB service is specified, use the...
  • Page 617: Modifying the MLD Router Timeout

    Disabling Zero-based MLD Query: You can disable the use of a zero-based MLD query on the system by entering ipv6 multicast zero-based-query followed by the disable keyword. For example:
    -> ipv6 multicast zero-based-query disable
    You can also disable the use of a zero-based MLD query on the specified VLAN or SPB service by entering:
    ->...
  • Page 618: Modifying the Source Timeout

    The default source timeout (the expiry time of IPv6 multicast sources) is 30 seconds. The following subsections describe how to configure a user-specified source timeout value and restore it with the ipv6 multicast source-timeout command.
  • Page 619: Modifying the MLD Robustness Variable

    Specifying a Static Source IPv6 Address: By default, no source IPv6 address is specified when MLD querying is enabled; the system automatically determines the addresses to use for MLD queries. However, a static source IPv6 address can be specified so that an IPv6 interface is not required.
  • Page 620: Enabling and Disabling MLD Spoofing

    You can also modify the MLD robustness variable (1 to 7) on the specified VLAN or SPB service by entering:
    -> ipv6 multicast vlan 2 robustness 3
    -> ipv6 multicast service 10 robustness 3
    Restoring the MLD Robustness Variable: You can restore the MLD robustness variable to its default value on the system when no VLAN or SPB service is specified by entering ipv6 multicast robustness followed by the value 0, as shown below:...
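The IGMP parameters on pages 596-602 and the MLD parameters on pages 614-620 are presented one knob at a time, but the protocol timers that decide how long a membership lives are derived from several of them together. The Python below is an added example, not from the guide, that computes the RFC 3376 (IGMPv3) and RFC 3810 (MLDv2) derived intervals from the values exactly as typed into the AOS CLI: IGMP response and last-member intervals in tenths of a second, MLD values in milliseconds. The defaults for the query interval (125 s), IGMP query response interval (100), IGMP last member query interval (10), IGMP robustness (2) and MLD last member query interval (1000 ms) are taken from this page; the MLD query response interval of 10000 ms and MLD robustness of 2 are the RFC defaults and are assumptions here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DerivedTimers:
    """Intervals a querier or snooping switch derives from the configured parameters (seconds)."""
    group_membership_interval: float       # how long a group stays in the table without a report
    other_querier_present_interval: float  # how long a non-querier waits before taking over querying
    startup_query_interval: float          # spacing of the first general queries after startup
    startup_query_count: int
    last_member_query_count: int
    last_member_query_time: float          # worst-case leave latency when zapping is disabled


def derive(query_interval: float, query_response_interval: float,
           robustness: int, last_member_query_interval: float) -> DerivedTimers:
    """RFC 3376 section 8 (IGMPv3) and RFC 3810 section 9 (MLDv2) formulas; inputs in seconds."""
    if not 1 <= robustness <= 7:
        # AOS accepts 1..7; RFC 3376 says the value MUST NOT be 0 and SHOULD NOT be 1
        raise ValueError("robustness must be between 1 and 7")
    if query_response_interval >= query_interval:
        # a response window longer than the query spacing would overlap the next general query
        raise ValueError("query response interval must be shorter than the query interval")
    return DerivedTimers(
        group_membership_interval=robustness * query_interval + query_response_interval,
        other_querier_present_interval=robustness * query_interval + query_response_interval / 2,
        startup_query_interval=query_interval / 4,
        startup_query_count=robustness,
        last_member_query_count=robustness,
        last_member_query_time=last_member_query_interval * robustness,
    )


def igmp_from_cli(query_interval=125, query_response_interval=100,
                  robustness=2, last_member_query_interval=10) -> DerivedTimers:
    """Values as typed into 'ip multicast ...': query interval in seconds, the response and
    last-member intervals in tenths of a second. The defaults are the page's IGMP defaults."""
    return derive(query_interval, query_response_interval / 10,
                  robustness, last_member_query_interval / 10)


def mld_from_cli(query_interval=125, query_response_interval=10000,
                 robustness=2, last_member_query_interval=1000) -> DerivedTimers:
    """Values as typed into 'ipv6 multicast ...': query interval in seconds, the other two in
    milliseconds. 125 s and 1000 ms are from the page; 10000 ms and robustness 2 are the
    RFC 3810 defaults and are assumed here."""
    return derive(query_interval, query_response_interval / 1000,
                  robustness, last_member_query_interval / 1000)
```

With the defaults, a group that stops sending reports survives 260 s (robustness × query interval + query response interval), a backup querier waits 255 s before taking over, and a leave takes up to 2 s to act on unless zapping is enabled. The trade-off the robustness variable controls is visible in the numbers: dropping it to 1 on a lossy link means a single lost report prunes a legitimate receiver, while raising it or stretching the query interval lengthens how long a stale, or forged, membership keeps traffic flowing to a port.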
  • Page 621: Enabling and Disabling the MLD Zapping

    To configure a static source IPv6 address for a specific VLAN or SPB service, use the ipv6 multicast spoofing command with the vlan (or service) and static-source-ip parameters. For example:
    -> ipv6 multicast vlan 2 spoofing static-source-ip 3333::1
    ->...
  • Page 622: Limiting MLD Multicast Groups

    Disabling the MLD Zapping: To disable MLD zapping on the system when no VLAN or SPB service is specified, use the ipv6 multicast zapping command as shown below:
    -> ipv6 multicast zapping disable
    Or, as an alternative, enter the following command to restore MLD zapping to its default setting:
    ->...
  • Page 623: IPMS Application Example

    The figure below shows a sample network with the switch sending multicast video. A client attached to Port 5 needs to be configured as a static IGMP neighbor, and another client attached to Port 2 needs to be configured as a static IGMP querier.
  • Page 624

    An example of what these commands look like entered sequentially on the command line:
    -> ip multicast admin-state enable
    -> ip multicast static-neighbor vlan 5 port 1/5
    -> ip multicast static-querier vlan 5 port 1/2
    ->...
  • Page 625: IPMSv6 Application Example

    The figure below shows a sample network with the switch sending multicast video. A client attached to Port 5 needs to be configured as a static MLD neighbor, and another client attached to Port 2 needs to be configured as a static MLD querier.
  • Page 626

    An example of what these commands look like entered sequentially on the command line:
    -> ipv6 multicast admin-state enable
    -> ipv6 multicast static-neighbor vlan 5 port 1/5
    -> ipv6 multicast static-querier vlan 5 port 1/2
    ->...
  • Page 627: Displaying IPMS Configurations and Statistics

    The OmniSwitch IP Multicast Switching (IPMS) show commands provide tools to monitor IPMS traffic and settings and to troubleshoot problems. These commands are described below:
    show ip multicast: Displays the general IP Multicast switching and routing configuration parameters on a switch.
  • Page 628: Displaying IPMSv6 Configurations and Statistics

    The OmniSwitch IPv6 Multicast Switching (IPMSv6) show commands provide tools to monitor IPMSv6 traffic and settings and to troubleshoot problems. These commands are described below:
    show ipv6 multicast: Displays the general IPv6 Multicast switching and routing configuration parameters on a switch.
  • Page 629: Chapter 26 Configuring Qos

    26 Configuring QoS The OmniSwitch software and queue management architecture provide a way to identify traffic entering the network and manipulate flows coming through the switch. The flow manipulation (generally referred to as Quality of Service or QoS) can be as simple as configuring QoS policies to allow/deny traffic or as complicated as remapping 802.1p bits from a Layer 2 network to ToS values in a Layer 3 network.
  • Page 630: In This Chapter

    Configuring QoS In This Chapter In This Chapter This chapter describes QoS in general and how policies, port-based QoS configuration, and queue management are used on the switch. It provides information about configuring QoS through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch AOS Release 8 CLI Reference Guide.
  • Page 631: QoS General Overview

    QoS General Overview
    Quality of Service (QoS) refers to transmission quality and available service that is measured and sometimes guaranteed in advance for a particular type of traffic in a network. QoS lends itself to circuit-switched networks like ATM, which bundle traffic into cells of the same length and transmit the traffic over predefined virtual paths.
  • Page 632 Congestion Avoidance—Weighted Random Early Detection (WRED) is used for admission control and bandwidth management. Packets that are not high priority are randomly dropped to help avoid “tail drop” on the queues. See “Congestion Avoidance” on page 26-19.
  • Page 633: Classification

    Classification
    Classification is the process of identifying certain types of network traffic (flows) and then, if necessary, marking a specific flow or group of flows with a priority (class of service) value. The class of service (CoS) value assigned is then used by other QoS features to determine how the flow is treated throughout the network.
  • Page 634: Classifying Bridged Traffic as Layer 3

    • If a packet ingresses on a trusted port and does not match any QoS policy that sets priority, then the existing 802.1p value (non-IP packets) or the ToS/DSCP value (IP packets) or the default classification priority configured for the port is used to determine priority for the packet. •...
  • Page 635: Configuring Trusted Ports

    Configuring Automatic Prioritization for IP Phone Traffic
    The qos phones command is used to enable or disable automatic prioritization of IP phone traffic. In addition, this command also specifies whether to trust the IP phone traffic (the default) or apply a specified priority value to the traffic.
  • Page 636: Using Trusted Ports with Policies

    To configure individual ports as trusted, use the qos port trusted command with the desired slot/port number. For example: -> qos port 3/2 trusted The global setting is active immediately; however, the port setting requires qos apply to activate the change.
  • Page 637: Congestion Management

    Congestion Management
    Queuing mechanisms are used to manage congestion on egress ports. When congestion occurs, packets are prioritized and placed into queues based on the CoS markings assigned to the packets during classification. If there is no congestion on the egress port, packets are sent out as soon as they are received. There are eight egress queues allocated for each port on an OmniSwitch.
  • Page 638 LAG. When this occurs, the LAG QSI becomes the parent and the member port QSI is the child. Note that when a member port leaves a LAG, the QSI and profile for the port reverts back to the default values. The following example diagram shows the relationship between switch ports, QSet instances, and QSet profiles as they apply to unicast traffic.
  • Page 639: QSet Profiles

    Multicast Queues
    Unicast and multicast traffic are both queued and funneled separately through the switch. The QSet framework described in previous sections applies only to unicast traffic. Multicast traffic is queued based on the destination multicast group ID (MGID) for the packets. Pre-set queues and profiles associated with the MGID handle the multicast traffic.
  • Page 640 • QSP 1, 2, 3, 4, and 5 are predefined profiles that are not modifiable and cannot be deleted from the switch configuration. Note that the OmniSwitch 9900 supports only QSP 1 and 5, but QSP 5 is not supported on all the other platforms.
  • Page 641 Once the custom QSet profile is created, the following attributes for each queue profile (QP) are configurable using the qos qsp qp command: QP Attribute Command Parameters Description Peak Information Rate pir % Configures the Peak Information Rate limit that is applied to queue traffic.
  • Page 642 QSet Profile 2 (1 EF + 7 SP) Queue Queue Scheduling Weight 802.1p ToS DSCP Notes Type X(5) X(5) Protected EF SP7+SP6 SP 100% 7, 6 7, 6 7.x, 6.x Straight SP 7 and 6 max (effective CIR = PR minus EF PIR) 100% Straight SP5 with starvation...
  • Page 643: Multicast and Unicast Traffic Distribution

    QSet Profile 5 (8 WRR) Queue Queue Scheduling Weight 802.1p ToS DSCP Notes Type WRR7 WRR7 shares bandwidth with other queues receiving traffic. WRR6 WRR6 shares bandwidth with other queues receiving traffic. WRR5 5.x, WRR5 shares bandwidth with other queues receiving traffic.
  • Page 644 For information about multicast and unicast traffic distribution on specific OmniSwitch 6900 models, see “Multicast/Unicast Traffic Distribution for the OmniSwitch 6900-Q32 and OmniSwitch 6900-X72” on page 26-17. Non-Default Profile The CoS model implemented also applies for non-default QSet profiles (QSP 2–4), except on the OmniSwitch 6900.
  • Page 645 Profile with a Mix of Strict Priority and WRR Unicast queues configured as Strict Priority will inherit behavior from the Strict Priority model, and unicast queues configured as WRR will inherit behavior from the WRR model. Multicast queues will always follow the behavior that the corresponding unicast queues are following.
  • Page 646: Multicast Source PFC on the OmniSwitch 6900

    Multicast Source PFC on the OmniSwitch 6900
    Ingress admission control on the OmniSwitch 6900 does not distinguish between unicast and multicast traffic. Therefore, a multicast source connected to a port which is PFC aware will react to congestion thereby pausing transmission.
  • Page 647: Congestion Avoidance

    Congestion Avoidance
    Congestion avoidance mechanisms monitor queues to provide early detection and notification of potential queue congestion. If necessary, such mechanisms may even strategically drop low priority (non-conforming) packets to prevent congestion. Dropping packets signals the packet source to decrease the transmission rate, thus preventing the queue from overflowing.
  • Page 648 When enabled, WRP 1 applies the following color threshold values only to TCP traffic: Drop Color Gain Threshold Threshold Probability Yellow Green 100% The minimum and maximum threshold values are a percentage of the maximum average queue length. The OmniSwitch 6900 average queue length is calculated as follows: Total Number of Cells : 46080 Total Number of Ports : 64...
  • Page 649 Configuring the WRED Profile Configuring the WRED profile consists of enabling or disabling the administrative status of the profile for a specific QSet instance. Consider the following when configuring the WRED profile status: • WRED is supported only on the OmniSwitch 6900 and WRP 1 is the only profile supported. Configuring additional profiles is not supported at this time •...
  • Page 650: Traffic Policing and Shaping

    Traffic Policing and Shaping
    Traffic policing and shaping mechanisms are used to limit the rate of traffic. The main difference between the two is how they handle traffic that violates the specified rate. Policing either drops or remarks traffic that exceeds a configured maximum rate.
  • Page 651 The TCM policer meters each packet and passes the metering result along with the packet to the Marker. Depending upon the result sent by the Meter, the packet is then marked with either the green, yellow, or red color.
  • Page 652 TCM Type Meter Compliance Marker Color Result
    Packet is not CIR/CBS compliant but is PIR/PBS compliant.    YELLOW    Packet is transmitted with the Drop Precedence set to HIGH (packet is dropped first when congestion occurs on the egress queue.
    Packet is neither CIR/CBS nor    Packet is dropped at the ingress.
  • Page 653 specify a peak information rate value that is greater than the committed information rate value. For example, the following commands configure the meter to use the trTCM mode: -> policy action A4 cir 10m cbs 4k pir 20m ->...
  • Page 654: Configuring Policy Bandwidth Policing

    To configure the global DEI bit setting operation to mark traffic egressing on QoS destination ports, use the qos dei command with the egress parameter option. For example: -> qos dei egress To configure the switch to map ingress traffic marked with the DEI bit, use the qos dei command with the ingress parameter option.
  • Page 655: Configuring Port Bandwidth Shaping

    • Although bandwidth policies are applied to ingress ports, it is possible to specify a destination port or destination port group in a bandwidth policy as well. Doing so effects egress rate limiting/egress policing on the ingress port itself. The following subsections provide examples of ingress maximum bandwidth policies using both source and destination port groups.
  • Page 656: QoS Policy Overview

    QoS Policy Overview
    A policy (or a policy rule) is made up of a condition and an action. The condition specifies parameters that the switch examines in incoming flows, such as destination address or Type of Service (ToS) bits. The action specifies what the switch does with a flow that matches the condition;...
  • Page 657: Policy Lists

    Policy Lists
    A QoS policy list provides a method for grouping multiple policy rules together and applying the group of rules to specific types of traffic. The type of traffic to which a policy list is applied is determined by the type of list that is configured.
  • Page 658: Policy Conditions

    Policy Conditions
    The following conditions are supported and can be combined with other conditions and/or actions: Supported Policy Conditions Table Layer 1 Layer 2 Layer 3 destination port source MAC IP protocol destination port group source MAC group source IP source port...
  • Page 659: Policy Actions

    Policy Actions
    The following actions are supported and can be combined with other actions. Supported Policy Actions Table • ACL (disposition accept, drop, deny) • Priority/CoS • 802.1p ToS/DSCP Stamping and Mapping (only applies to the outer 802.1p value; cannot modify the inner value) •...
  • Page 660: Condition And Action Combinations

    For specific information about how to configure policy conditions and actions to create a policy rule, see “Creating Policies” on page 26-42. Condition and Action Combinations Conditions and actions are combined in policy rules. The CLI prevents you from configuring invalid condition/action combinations that are never allowed;...
  • Page 661: QoS Defaults

    QoS Defaults
    The following tables list the defaults for global QoS parameters, individual port settings, policy rules, default policy rules, and queue management profiles. Global QoS Defaults Use the qos reset command to reset global values to their defaults. Description Command Default...
  • Page 662: Queue Management Defaults

    Description    Command/keyword    Default
    The default 802.1p value inserted into packets received on untrusted ports.    qos port default 802.1p
    The default DSCP value inserted into packets received on untrusted ports.    qos port default dscp
    The default egress classification value inserted into packets...    qos port default classification    DSCP (802.1p for VLAN
  • Page 663: Policy Rule Defaults

    Policy Rule Defaults
    The following are defaults for the policy rule command:
    Description    Keyword    Default
    Policy rule enabled or disabled    enable | disable    enabled
    Determines the order in which rules are searched    precedence
    Whether the rule is saved to flash immediately    save
    Whether messages about flows...
  • Page 664: Default (Built-in) Policies

    Default (Built-in) Policies
    The switch includes some built-in policies, or default policies, for particular traffic types or situations where traffic does not match any policies. In all cases, the switch accepts the traffic and places it into default queues.
  • Page 665: Configuring QoS

    Configuring QoS
    QoS configuration involves the following general steps: Configuring Global Parameters. In addition to enabling/disabling QoS, global configuration includes settings such as global port parameters and various timeouts. The type of parameters you might want to configure globally depends on the types of policies you can configure.
  • Page 666: Configuring Global QoS Parameters

    Configuring Global QoS Parameters
    This section describes the global QoS configuration, which includes enabling and disabling QoS, applying and activating the configuration, controlling the QoS log display, and configuring QoS port and queue parameters. Enabling/Disabling QoS By default QoS is enabled on the switch.
  • Page 667: Number of Lines in the QoS Log

    To change the type of debugging, use no with the relevant type of information that you want to remove. For example: -> debug qos no rule To turn off debugging (which effectively turns off logging), enter the following: ->...
  • Page 668: Forwarding Log Events to the Console

    Forwarding Log Events to the Console
    QoS log messages can be sent to the switch logging utility, which is an event logging application available on the OmniSwitch. The configuration of the switch logging utility then determines if QoS messages are sent to a log file in the switch’s flash file system, displayed on the switch console, and/or sent to a remote syslog server.
  • Page 669: Setting the Statistics Interval

    software in the switch (which manages policies downloaded from an LDAP server) through the qos forward log command. Clearing the QoS Log The QoS log can get large if invalid rules are configured on the switch, or if a lot of QoS events have taken place.
  • Page 670: Creating Policies

    Creating Policies
    This section describes how to create policies in general. For information about configuring specific types of policies, see “Policy Applications” on page 26-74. Basic commands for creating policies are as follows: policy condition policy action policy rule This section describes generally how to use these commands.
  • Page 671: ASCII-File-Only Syntax

    ASCII-File-Only Syntax
    When the policy rule, policy condition, and policy action commands as well as any of the condition group commands are configured and saved in an ASCII file (typically through the snapshot command), the commands included in the file include syntax indicating the origin of the command. The origin specifies where the rule, condition, condition group, or action was created, either an LDAP server or the CLI (from ldap or from cli).
  • Page 672: Creating Policy Conditions

    Creating Policy Conditions
    This section describes how to create policy conditions in general. Creating policy conditions for particular types of network situations is described later in this chapter. Note. Policy condition configuration is not active until the qos apply command is entered. See “Applying the Configuration”...
  • Page 673: Creating Policy Actions

    Removing Condition Parameters
    To remove a classification parameter from the condition, use no with the relevant keyword. For example: -> policy condition c3 no source ip The specified parameter (in this case, a source IP address) is removed from the condition (c3) at the next qos apply.
  • Page 674: Creating Policy Rules

    policy action keywords disposition dscp shared priority port-disable maximum bandwidth redirect port maximum depth redirect linkagg cir cbs pir pbs no-cache mirror 802.1p Note. If you combine priority with 802.1p, dscp, tos, or map, in an action, the priority value is used to prioritize the flow.
  • Page 675: Configuring A Rule Validity Period

    The rule (rule5) only takes effect after the qos apply command is entered. For more information about the qos apply command, see “Applying the Configuration” on page 26-71. The policy rule command can specify the following keywords: policy rule keywords precedence validity period...
  • Page 676: Rule Precedence

    Rule Precedence
    The switch attempts to classify flows coming into the switch according to policy precedence. Only the rule with the highest precedence is applied to the flow. This is true even if the flow matches more than one rule.
  • Page 677: Creating Policy Lists

    To stop the switch from logging information about flows that match a particular rule, use no with the log keyword. For example: -> policy rule rule5 no log When logging is active for a policy rule, a logging interval is applied to specify how often to look for flows that match the policy rule.
  • Page 678 The following example creates a policy rule (rule1) that is automatically assigned to the default policy list. -> policy condition cond1 source mac 00:11:22:33:44:55 source vlan 100 -> policy action act1 disposition drop -> policy rule rule1 condition cond1 action act1 ->...
  • Page 679 • A QoS policy list that is assigned to an Application Fingerprinting port must contain policy rules with the appfp-group condition. • QoS policy lists that contain rules with a link aggregate source port condition are not supported on the OmniSwitch 9900 or the OmniSwitch 6560.
  • Page 680: Verifying Policy Configuration

    -> policy rule r2 condition c1 action a1 default-list Rules associated with the default policy list are applied only to ingress traffic, unless the rule is also assigned to an egress policy list. Verifying Policy Configuration To view information about policy rules, conditions, and actions configured on the switch, use the following commands: show policy condition...
  • Page 681: Using Condition Groups in Policies

    Using Condition Groups in Policies
    Condition groups are made up of multiple IPv4 addresses, MAC addresses, services, ports, or VLANs to which you want to apply the same action or policy rule. Instead of creating a separate condition for each address, etc., create a condition group and associate the group with a condition.
  • Page 682: Creating Network Groups

    Creating Network Groups
    Use network policy groups for policies based on IPv4 source or destination addresses. Note that IPv6 addresses are not supported with network groups at this time. The policy condition specifies whether the network group is a source network group, destination network group, or multicast network group.
  • Page 683: Creating Services

    In this case, remove the network group from the condition first, then enter the no form of the policy network group command. For example: -> policy condition c4 no source network group -> no policy network group netgroup3 The policy condition command removes the network group from the condition.
  • Page 684: Creating Service Groups

    associate with a condition, configure a service group and attach it to a condition. Service groups are described in “Creating Service Groups” on page 26-56. Note. Service configuration is not active until the qos apply command is entered. To remove a policy service, enter the no form of the command.
  • Page 685: Creating MAC Groups

    In this case, remove the service group from the condition first; then enter the no policy service group command. For example: -> policy condition c6 no service group -> no policy service group serv_group The policy condition command removes the service group from the policy condition.
  • Page 686: Creating Port Groups

    The policy condition command removes the MAC group from the condition. See “Creating Policy Conditions” on page 26-44 for more information about configuring policy conditions. The MAC group is deleted at the next qos apply. Creating Port Groups Port groups are made up of slot and port number combinations.
  • Page 687: Verifying Condition Group Configuration

    Verifying Condition Group Configuration
    To display information about condition groups, use the following show commands: show policy network group Displays information about all pending and applied policy network groups or a particular network group. Use the applied keyword to display information about applied groups only.
  • Page 688: Using Map Groups

    Using Map Groups
    Map groups are used to map 802.1p, ToS, or DSCP values to different values. The following mapping scenarios are supported: • 802.1p to 802.1p, based on Layer 2, Layer 3, and Layer 4 parameters and source/destination slot/port. In addition, 802.1p classification can trigger this action.
  • Page 689: How Map Groups Work

    How Map Groups Work
    When mapping from 802.1p to 802.1p, the action results in remapping the specified values. Any values that are not specified in the map group are preserved. In this example, a map group is created for 802.1p bits.
  • Page 690: Verifying Map Group Configuration

    If tosGroup is currently associated with an action, an error message similar to the following displays: ERROR: tosGroup is being used by action 'tosMap' In this case, remove the map group from the action, then enter the no policy map group command: ->...
  • Page 691: Using Access Control Lists

    Using Access Control Lists
    Access Control Lists (ACLs) are QoS policies used to control whether or not packet flows are allowed or denied at the switch or router interface. ACLs are sometimes referred to as filtering lists. ACLs are distinguished by the kind of traffic they filter.
  • Page 692 Layer 2 ACL: Example 2 Maintaining the 802.1p Priority for IP Packets When a tagged IP packet ingresses on a trusted port and the default classification priority for that port is set to DSCP (using the default DSCP value of 0), the DSCP value of the packet is mapped to the 802.1p value of the same packet.
  • Page 693: Layer 3 ACLs

    Layer 3 ACLs
    The QoS software in the switch filters routed and bridged traffic at Layer 3. For Layer 3 filtering, the QoS software in the switch classifies traffic based on: • Source IP address or source network group •...
  • Page 694: IPv6 ACLs

    IPv6 ACLs
    An ACL is considered an IPv6 ACL if the ipv6 keyword and/or any of the following specific policy condition keywords are used in the ACL to classify/filter IPv6 traffic: IPv6 ACL Keywords source ipv6 destination udp-port destination ipv6...
  • Page 695: Using ACL Security Features

    The multicast ip or multicast network group keyword is required in the condition configured for a multicast ACL. The following keywords can be used in the condition to indicate the client parameters: Multicast ACL Keywords destination ip destination vlan destination port...
  • Page 696: Configuring a UserPorts Group

    Configuring a UserPorts Group
    To prevent IP address spoofing and/or other types of traffic on specific ports, create a port group called UserPorts and add the ports to that group. For example, the following policy port group command adds ports 1/1-24, 2/1-24, 3/1, and 4/1 to the UserPorts group:...
  • Page 697: Configuring ICMP Drop Rules

    -> qos user-port filter spoof bpdu rip In the above command example, if spoof and bpdu were not specified, then the switch would only filter RIP traffic. The following qos user-port command example uses the shutdown option to administratively disable the user port if the specified type of traffic is received on that port: ->...
  • Page 698 An ACL can also be defined using the tcpflags parameter to examine and qualify specific TCP flags individually or in combination with other flags. This parameter can be used to prevent specific DoS attacks, such as the Christmas tree. The following example uses the tcpflags condition parameter to determine if the F (fin) and S (syn) TCP flag bits are set to one and the A (ack) bit is set to zero: ->...
  • Page 699: Applying The Configuration

    Applying the Configuration
    Configuration for policy rules and many global QoS parameters must specifically be applied to the configuration with the qos apply command. Any parameters configured without this command are maintained for the current session but are not yet activated. For example, if you configure a new policy rule through the policy rule command, the switch cannot use it to classify traffic and enforce the policy action until the qos apply command is entered.
  • Page 700: Interaction with LDAP Policies

    In this example, there are two new pending policies and three applied policies:
    Pending Policies    Applied Policies
    rule5               rule1
    rule6               rule2
                        rule3
    If you enter qos revert, the configuration then looks like: Pending Policies Applied Policies rule1 rule1 rule2...
  • Page 701: Verifying The Applied Policy Configuration

    Verifying the Applied Policy Configuration
    The policy show commands have an optional keyword (applied) to display only applied policy objects. These commands include: show policy condition Displays information about all pending and applied policy conditions or a particular policy condition configured on the switch.
  • Page 702: Policy Applications

    Policy Applications
    Policies are used to classify incoming flows and treat the relevant outgoing flows. There are many ways to classify the traffic and many ways to apply QoS parameters to the traffic. Classifying traffic can be as simple as identifying a Layer 2 or Layer 3 address of an incoming flow. Treating the traffic might involve prioritizing the traffic or rewriting an IP address.
  • Page 703: Basic QoS Policies

    Basic QoS Policies
    Traffic prioritization and bandwidth policing can be the most common types of QoS policies. For these policies, any condition can be created; the policy action indicates how the traffic must be prioritized or how the bandwidth must be shaped.
  • Page 704: Redirection Policies

    Bandwidth Policing Example
    In this example, a maximum bandwidth rate is effected on flows from a specific source IP address. First, create a condition for the traffic. In this example, the condition is called ip_traffic2. A policy action (flowShape) is then created to enforce a maximum bandwidth requirement for the flow.
  • Page 705: Policy Based Mirroring

    In the following example, flows destined for IP address 40.2.70.200 are redirected to link aggregate 10: -> policy condition L4LACOND destination IP 40.2.70.200 -> policy action REDIRECTLA redirect linkagg 10 -> policy rule L4LARULE condition L4LACOND action REDIRECTLA Note that in both examples above, the rules are not active on the switch until the qos apply command is entered on the command line.
  • Page 706: ICMP Policy Example

    ICMP Policy Example
    Policies can be configured for ICMP on a global basis on the switch. ICMP policies can be used for security (for example, to drop traffic from the ICMP blaster virus). In the following example, a condition called icmpCondition is created with no other condition parameters: ->...
  • Page 707: Policy Based Routing

    -> policy map group tos_group 1-4:4 5-7:7 -> policy condition SubnetA source ip 10.10.5.0 mask 255.255.255.0 -> policy condition SubnetB source ip 12.12.2.0 mask 255.255.255.0 -> policy action map_action map tos to 802.1p using tos_group The map_action specifies that ToS values are mapped to 802.1p with the values specified in tos_group. With these conditions and action set up, two policy rules can be configured for mapping Subnet A and Subnet B to the ToS network: ->...
  • Page 708 (figure: Routing all IP source traffic through a firewall) In this example, all traffic originating in the 10.3 network is routed through the firewall, regardless of whether or not a route exists. ->...
  • Page 709 -> policy condition Traffic3 source ip 10.3.0.0 mask 255.255.0.0 source port group Slot01 -> policy action Firewall permanent gateway ip 173.5.1.254 -> policy rule Redirect_All condition Traffic3 action Firewall Make sure to enter the qos apply command to activate the policy rule on the switch. Otherwise the rule is saved as part of the pending configuration, but is not active.
  • Page 710 ! route 3,11,19,35,(3+(n*8)) -> policy condition c4 source ip 12.0.0.3 mask 255.0.0.7 -> policy action a4 permanent gateway-ip 10.0.0.4 -> policy rule r4 condition c4 action a4 ! route 4,12,20,36,(4+(n*8)) -> policy condition c5 source ip 12.0.0.4 mask 255.0.0.7 ->...
  • Page 711: In This Chapter

    27 Managing Policy Servers Quality of Service (QoS) policies that are configured through the PolicyView network management application are stored on a Lightweight Directory Access Protocol (LDAP) server. PolicyView is an OmniVista application that runs on an attached workstation. In This Chapter This chapter describes how LDAP directory servers are used with the switch for policy management.
  • Page 712: Chapter 27 Managing Policy Servers

    Managing Policy Servers Policy Server Defaults Defaults for the policy server command are as follows (Description / Keyword / Default): The port number for the server / port / 389 (SSL disabled), 636 (SSL enabled); Priority value assigned to a server, used to determine search order / preference / 0 (lowest)...
  • Page 713: Policy Server Overview

    Managing Policy Servers Policy Server Overview Policy Server Overview The Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP policy server client in the switch is based on RFC 2251. Currently, only LDAP servers are supported for policy management.
  • Page 714: Modifying Policy Servers

    Managing Policy Servers Modifying Policy Servers Modifying Policy Servers Policy servers are automatically configured when the server is installed; however, policy server parameters can be modified if necessary. Note. SSL configuration must be done manually through the policy server command. Modifying LDAP Policy Server Parameters Use the policy server command to modify parameters for an LDAP policy server.
  • Page 715: Modifying The Port Number

    Managing Policy Servers Modifying Policy Servers Modifying the Port Number To modify the port, enter the policy server command with the port keyword and the relevant port number. -> policy server 10.10.2.3 port 5000 Note that the port number must match the port number configured on the policy server. If the port number is modified, any existing entry for that policy server is not removed.
  • Page 716: Configuring A Secure Socket Layer For A Policy Server

    Managing Policy Servers Modifying Policy Servers Configuring a Secure Socket Layer for a Policy Server A Secure Socket Layer (SSL) can be configured between the policy server and the switch. If SSL is enabled, the PolicyView application can no longer write policies to the LDAP directory server. By default, SSL is disabled.
  • Page 717: Interaction With Cli Policies

    Managing Policy Servers Verifying the Policy Server Configuration Interaction With CLI Policies Policies configured via PolicyView can only be modified through PolicyView. They cannot be modified through the CLI. Any policy management done through the CLI only affects policies configured through the CLI.
  • Page 718 28 Configuring Access Guardian Access Guardian refers to the following OmniSwitch security functions that work together to provide a dynamic, proactive network security solution: • Universal Network Profile (UNP)—Access Guardian is configured and applied through the framework of the UNP feature. UNP is enabled on switch ports to activate Access Guardian functionality that is used to authenticate and classify users into UNP profiles.
  • Page 719: In This Chapter

    Configuring Access Guardian In This Chapter In This Chapter This chapter provides an overview of Access Guardian security features and describes how to configure these features through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch AOS Release 8 CLI Reference Guide.
  • Page 720: Access Guardian Defaults

    Configuring Access Guardian Access Guardian Defaults Access Guardian Defaults This section contains the default configuration settings for the Access Guardian security functions that are implemented through the Universal Network Profile (UNP), Captive Portal, Quarantine Manager and Remediation (QMR) features. Access Guardian Global Configuration Defaults The following global default values are applied to traffic received on all UNP ports or link aggregates.
  • Page 721 Configuring Access Guardian Access Guardian Defaults (Description / Command / Default): Captive Portal configuration profile assigned / unp profile captive-portal-profile / No Captive Portal profile; The authentication flag status for successful authentication / unp profile authentication-flag / Disabled; Create a tagged association between a UNP port and the VLAN or service that is mapped to the profile / unp profile mobile-tag / Disabled.
  • Page 722: Access Guardian Unp Port Defaults

    Configuring Access Guardian Access Guardian Defaults Access Guardian UNP Port Defaults Access Guardian port-based functionality is implemented through the UNP feature. When UNP is enabled on a switch port or link aggregate with the unp port-type command, the following default configuration for UNP ports is applied: Description Command...
  • Page 723: Access Guardian Global Aaa Parameter Defaults

    Configuring Access Guardian Access Guardian Defaults (Description / Command / Default): The type of service (SPB or VXLAN) automatically created based on traffic received on the UNP access port / unp dynamic-service / No service is dynamically created; The amount of time before an EAP Request Identity is... / unp 802.1x-authentication tx-period / 30 seconds
  • Page 724: Access Guardian Aaa Profile Defaults

    Configuring Access Guardian Access Guardian Defaults (Description / Command / Default): The RADIUS NAS-Identifier attribute value / aaa radius nas-identifier / System name; The MAC address format to use when RADIUS client attributes specify a MAC address value / aaa radius mac-format / No delimiter, uppercase characters. Access Guardian AAA Profile Defaults An AAA profile defines and applies specific settings to UNP ports, link aggregates, or an Access Guardian Captive Portal profile.
  • Page 725: Access Guardian Captive Portal Defaults

    Configuring Access Guardian Access Guardian Defaults Access Guardian Captive Portal Defaults The following global default configuration settings apply to the OmniSwitch internal implementation of the Captive Portal feature (Description / Command / Default): Redirect URL name / captive-portal name / “captive-portal.com”; Redirect IP address / captive-portal ip-address / 10.123.0.1; Redirect user after successful...
  • Page 726: Access Guardian Qmr Defaults

    Configuring Access Guardian Access Guardian Defaults (Description / Keyword / Default): Change profile assignment after successful Captive Portal login / authentication-pass profile-change / Disabled. Access Guardian QMR Defaults The following global default configuration settings apply for the OmniSwitch implementation of the Quarantine Manager and Remediation (QMR) feature: Description Command Default...
  • Page 727: Quick Steps For Configuring Access Guardian

    Configuring Access Guardian Quick Steps for Configuring Access Guardian Quick Steps for Configuring Access Guardian The following procedure provides a brief tutorial for setting up the OmniSwitch implementation of Access Guardian network access control. For additional configuration tutorials, see “Access Guardian Application Examples”...
  • Page 728 Configuring Access Guardian Quick Steps for Configuring Access Guardian -> unp classification mac-range 08-00-27-00-98-0A 08-00-27-00-98-FF profile1 na_employee There are additional types of classification rules that can also be configured to determine UNP profile assignment. See “UNP Classification Rules” on page 28-23 for more information.
  • Page 729: Access Guardian Overview

    Configuring Access Guardian Access Guardian Overview Access Guardian Overview Access Guardian is a combination of authentication, device compliance, and access control functions that provide a proactive solution for network security. Implemented through the switch hardware and software, Access Guardian helps administrators: •...
  • Page 730: Device Authentication

    Configuring Access Guardian Access Guardian Overview Role-Based Access—Once a profile assignment is determined for a device through authentication or classification, then the role of the device in the network is determined. The role assigned to a device determines the network resources to which the device is entitled to access. See “Role-based Access”...
  • Page 731: Device Classification

    Configuring Access Guardian Access Guardian Overview For non-supplicant authentication, the client MAC address is sent as the username and password. The administrator can configure the password and username on the authentication server as the MAC address of the client. The calling-station-ID and accounting-session-ID are also sent for authentication. All of these IDs can be in uppercase or lowercase.
  • Page 732: Role-Based Access

    Configuring Access Guardian Access Guardian Overview • Default UNP. A UNP associated with a UNP port to which traffic is assigned when other authentication or classification attempts fail to provide a profile name. • Trust VLAN tag. Configured on a UNP port to specify whether or not to trust the VLAN tag of the packets received on the port.
  • Page 733: Unp Profiles

    Configuring Access Guardian Access Guardian Overview • Internal Captive Portal pre-login role—applied when a user is classified into a UNP profile that has the Captive Portal flag enabled. While in this pre-login state, only DHCP, DNS, ARP, and ICMP traffic from the user device is allowed. In addition, HTTP/HTTPS traffic is trapped and redirected to the internal Captive Portal server.
  • Page 734 Configuring Access Guardian Access Guardian Overview UNP classification rules are examined to determine if any of the rules match the device traffic. If so, the device is assigned to the profile associated with the matching rule. If there are no matching UNP classification rules, the UNP port-level configuration is used to determine a profile assignment for the device.
  • Page 735 Configuring Access Guardian Access Guardian Overview • The STP status is configurable and is enabled by default for dynamic VLANs. This STP instance is included in the maximum number of 1x1 STP instances allowed when the switch is running in the 1x1 STP mode.
  • Page 736 Configuring Access Guardian Access Guardian Overview Dynamic profiles are saved in the switch configuration, and profile attributes are configurable in the same manner as manually created profiles. Dynamic SAP Configuration When device traffic is assigned to a service profile, UNP first checks the switch configuration to see if a Service Access Point (SAP) already exists for the VLAN tag and other service profile attribute values that are specific to the type of service profile (SPB or VXLAN).
  • Page 737 Configuring Access Guardian Access Guardian Overview The type of SAP that the switch will dynamically create for the System Default profile is based on the dynamic service setting for the UNP access port on which the SAP is created. For example: •...
  • Page 738: Unp Ports

    Configuring Access Guardian Access Guardian Overview VXLAN System Default Profile UNP derives the System Default profile attributes as follows to dynamically create a SAP for VXLAN traffic: • VNID —The system default VNID number (10,000,000) plus the customer domain ID number (zero by default) multiplied by 10,000.
  • Page 739 Configuring Access Guardian Access Guardian Overview • If a port is configured as a UNP bridge port, then traffic received on that port is only classified using VLAN profiles. • If a port is configured as a UNP access port, then traffic received on that port is only classified using service profiles.
  • Page 740: Unp Classification Rules

    Configuring Access Guardian Access Guardian Overview The main benefit of UNP port domains is that they provide the ability to group physical UNP ports or link aggregates into one logical domain. Once a UNP port is assigned to a specific domain ID, only classification rules associated with the same domain ID are applied to that port.
  • Page 741 Configuring Access Guardian Access Guardian Overview (Precedence Step/Rule / Matching Condition): 4. Domain ID / Packet is learned on a port or link aggregate that is assigned to a matching domain ID. 5. MAC address + VLAN / Packet contains a matching source MAC address and a matching VLAN ID tag.
  • Page 742: How It Works

    Configuring Access Guardian Access Guardian Overview The precedence value assigned to the extended rule’s name is used to determine precedence among other extended classification rules configured on the switch. If a device matches all the criteria in two different extended rules, the rule with the highest precedence is applied to the device. Although some individual classification rules can be combined to form a binding rule, a binding rule is not assigned a rule name and does not have a configurable precedence value.
  • Page 743: Interaction With Other Features

    Configuring Access Guardian Interaction With Other Features Interaction With Other Features This section contains important information about how other OmniSwitch features interact with Access Guardian. Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature.
  • Page 744: Multiple Vlan Registration Protocol (Mvrp)

    Configuring Access Guardian Interaction With Other Features • Configuring a static MAC address is not allowed on a UNP port unless LPS is also enabled on the same port. • When both LPS and UNP are enabled on the same port, –...
  • Page 745: Service Assurance Agent

    Configuring Access Guardian Interaction With Other Features • If a QoS policy list is configured for a UNP profile, only the policy rules in the list are applied to traffic from devices classified into the profile. Any default list policy rules are not applied in this case. •...
  • Page 746 Configuring Access Guardian Interaction With Other Features • MAC-based and 802.1X-based authentication using a RADIUS-capable server. • Redirection for Captive Portal authentication. • Redirection to the Unified Policy Access Manager (UPAM) or the ClearPass Policy Manager (CPPM) for Bring Your Own Devices (BYOD) user device registration, integrity check, UNP assignment, and policy list assignment.
  • Page 747 Configuring Access Guardian Interaction With Other Features (Feature / UNP Port): IPv6 / Not supported. Learned Port Security (LPS) / Supported (UNP is applied first, then LPS if UNP classifies the MAC address in a forwarding state). Link Aggregation / Supported (not supported on ports that are members of a link aggregate).
  • Page 748: Configuring Port-Based Network Access Control

    Configuring Access Guardian Configuring Port-Based Network Access Control Configuring Port-Based Network Access Control For port-based network access control, the switch must know which servers to use for authenticating supplicant (802.1X) and non-supplicant (non-802.1X) user devices. In addition, the Universal Network Profile (UNP) feature must be active to perform authentication and classification functions for a supplicant and non-supplicant device.
  • Page 749: Setting Authentication Parameters For The Switch

    Configuring Access Guardian Configuring Port-Based Network Access Control Setting Authentication Parameters for the Switch Use the aaa device-authentication command to specify which RADIUS servers the switch will use for 802.1X, MAC, and Captive Portal authentication. The server information must already be configured on the switch through the aaa radius-server command.
  • Page 750: Accounting Servers

    Configuring Access Guardian Configuring Port-Based Network Access Control Use the show aaa device-authentication command to display a list of RADIUS servers assigned to provide 802.1X, MAC, or Captive Portal authentication. For example: -> show aaa device-authentication Authentication type = mac Authentication Server: 1st authentication server = rad1, 2nd authentication server = rad2...
  • Page 751 Configuring Access Guardian Configuring Port-Based Network Access Control (Description / Command / Default / Authentication Type): The amount of time a session remains active after a successful login / aaa session-timeout / Timer = disabled, Time limit = 43200 seconds (12 hours) / MAC, Captive Portal; The amount of time an... / aaa inactivity-logout / Timer = disabled...
  • Page 752 Configuring Access Guardian Configuring Port-Based Network Access Control Use the show aaa radius config command to display RADIUS client attribute values and the MAC address format. For example: -> show aaa radius config RADIUS client attributes: NAS port id = default, NAS identifier = default MAC format delimiter:...
  • Page 753 Configuring Access Guardian Configuring Port-Based Network Access Control -> aaa profile ap-1 mac inactivity-logout enable -> aaa profile ap-1 captive-portal inactivity-logout enable interval 600 Use the unp aaa-profile command to assign an AAA profile to a UNP port or UNP link aggregate. For example: ->...
  • Page 754 Configuring Access Guardian Configuring Port-Based Network Access Control Inactivity Timeout: Status = disable, Interval (sec) = 600 Accounting Interim: Interval (sec) = 600, Trust Radius = disable RADIUS client attributes: NAS port id = default, NAS identifier = default, MAC format delimiter: Username = none, UserNameCase = uppercase, Password...
  • Page 755: Configuring Unp Port-Based Functionality

    Configuring Access Guardian Configuring Port-Based Network Access Control Redirect http proxy-port = 8080 Redirect Server IP = 10.1.1.1 Allowed IP Note. When device authentication fails due to an unreachable RADIUS server, an event message is sent to the switch logging utility (swlog). See Chapter 51, “Switch Logging Commands,”...
  • Page 756 Configuring Access Guardian Configuring Port-Based Network Access Control unp 802.1x-authentication bypass-8021x: Configures whether to bypass 802.1X authentication on the port. See “Configuring 802.1X Authentication Bypass” on page 28-44. unp 802.1x-authentication failure-policy: Configures whether to attempt MAC authentication if 802.1X authentication fails or let the port configuration classify the device.
  • Page 757 Configuring Access Guardian Configuring Port-Based Network Access Control unp admin-state: Configures the administrative status of the UNP configuration for the port. By default, the status is enabled. When disabled, the UNP configuration is retained but not active for port traffic. unp dynamic-service: Configures whether the System Default service profile dynamically creates an SPB Service Access Point (SAP) or a VXLAN SAP...
  • Page 758 Configuring Access Guardian Configuring Port-Based Network Access Control 802.1x Bypass = Disabled, 802.1x failure-policy = default, Mac-auth allow-eap = -, Mac authentication = Enabled, Mac Pass Alternate Profile = -, Classification = Enabled, Trust-tag = Enabled, Default Profile = -, Port Domain Num = 0, AAA Profile...
  • Page 759 Configuring Access Guardian Configuring Port-Based Network Access Control -> no unp port-template portTemplate-1 -> unp port-template portTemplate-2 802.1x-authentication -> unp port-template portTemplate-2 classification -> unp port-template domain 10 -> no unp port-template portTemplate-2 Use the show unp port-template command to display the UNP port template configuration. For example: ->...
  • Page 760 Configuring Access Guardian Configuring Port-Based Network Access Control To see the name of the template that is assigned to a port, use the show unp port config command. For example: -> show unp port 1/1/5 config Port 1/1/5 Port-Type = BRIDGE, Redirect Port Bounce = Disabled, 802.1x authentication...
  • Page 761 Configuring Access Guardian Configuring Port-Based Network Access Control Modifying Port Templates Modifying UNP port parameter values that are applied through an existing port template is allowed. Consider the following guidelines when changing template parameter values: • Changing any template parameter value automatically applies the new value to all UNP ports to which the template is assigned.
  • Page 762 Configuring Access Guardian Configuring Port-Based Network Access Control • fail—802.1X authentication is attempted if the device fails the initial MAC authentication. If the device passes MAC authentication, 802.1X authentication is bypassed (EAP frames are ignored) and the device is classified as a non-supplicant. •...
  • Page 763 Configuring Access Guardian Configuring Port-Based Network Access Control • If the initial MAC authentication passes (Access-Accept), 802.1X authentication is bypassed for this user and all EAP frames are ignored. • If the initial MAC authentication fails (Access-Reject), 802.1X authentication is attempted for the user. During this transition, the EAP frames are allowed and the switch must force the supplicant to restart a fresh EAP session by sending a multicast Request Identity EAPOL on the port.
  • Page 764 Configuring Access Guardian Configuring Port-Based Network Access Control values become the latest bandwidth values for the profile, so they are applied to all user devices associated with the profile. • The bandwidth limitation applied on a port through UNP classification is not removed when a user logs out or ages out.
  • Page 765 Configuring Access Guardian Configuring Port-Based Network Access Control By default, all UNP ports are assigned to domain 0. To add additional domain IDs, use the unp domain description command. For example, the following command creates domain 2 with an optional description: ->...
  • Page 766 Configuring Access Guardian Configuring Port-Based Network Access Control • When traffic is received from devices connected to ports 1/15-20, the switch determines if there are any classification rules associated with domain 2 and applies that rule to the traffic. Because UNP ports 1/15-20 belong to domain 2, the MAC address range rule is applied to traffic received on those ports.
  • Page 767 Configuring Access Guardian Configuring Port-Based Network Access Control example, the profile “DropL2” was configured to discard STP, GVRP, and 802.1ab frames. No other protocol settings were changed, so the default settings still apply for the other protocols. • Remove any profile associations with UNP access ports before attempting to modify or delete the profile.
  • Page 768: Configuring Unp Profiles

    Configuring Access Guardian Configuring Port-Based Network Access Control Configuring UNP Profiles A Universal Network Profile (UNP) is assigned to a host device through one of the following Access Guardian methods: The device authentication process via a remote RADIUS-capable server, a Unified Policy Access Manager (UPAM) server, or a ClearPass Policy Manager (CPPM) server.
  • Page 769 Configuring Access Guardian Configuring Port-Based Network Access Control unp profile captive-portal-authentication: Configures the status of internal Captive Portal authentication for the profile. When enabled, triggers the OmniSwitch Captive Portal authentication process for users classified into the profile. unp profile authentication-flag: Configures the status of the authentication flag for the profile.
  • Page 770 Configuring Access Guardian Configuring Port-Based Network Access Control • Profile location and time period policies are configurable on the switch or on the RADIUS server. If the policies are configured on both the switch and the RADIUS server, then the switch policies take precedence.
  • Page 771: Configuring The Unp Profile Mapping

    Configuring Access Guardian Configuring Port-Based Network Access Control To verify the UNP profile configuration for the switch, use the show unp profile command. For example: -> show unp profile guest Profile Name: guest Qos Policy = qlist1, Location Policy = loclist1, Period Policy = timelist1, CP Profile...
  • Page 772 Configuring Access Guardian Configuring Port-Based Network Access Control Consider the following when configuring a VLAN mapping for a UNP profile: • The VLAN associated with a profile must already exist in the switch configuration, unless one of the following conditions occur: –...
  • Page 773 Configuring Access Guardian Configuring Port-Based Network Access Control -> show vlan 450 Name : UNP-DYN-VLAN, Type : UNP Dynamic Vlan, Administrative State : enabled, Operational State : disabled, IP Router Port : disabled, IP MTU : 1500 • Dynamic VLANs are not saved in the “! VLAN:” section of the switch configuration file (boot.cfg). However, the unp commands to enable dynamic VLAN configuration and create the UNP are saved in the “! DA-UNP:”...
  • Page 774 Configuring Access Guardian Configuring Port-Based Network Access Control Enabling Dynamic Profile Configuration The UNP feature provides the ability to enable dynamic VLAN profile configuration, which allows “on the fly” configuration of profiles when specific traffic conditions occur. By default, dynamic profile configuration is disabled for the switch.
  • Page 775 Configuring Access Guardian Configuring Port-Based Network Access Control SAA profile is first created and then assigned to a UNP VLAN-based profile; UNP service-based profiles do not support this functionality. Note. Although SAA profiles can be configured and assigned to a UNP through the CLI, these profiles are mainly used by the OmniVista network management application to monitor connections between virtual machines (VMs) in a data center network.
  • Page 776 Configuring Access Guardian Configuring Port-Based Network Access Control • Removing a service mapping configuration requires deleting the entire profile from the switch configuration (no unp profile profile_name). • The VLAN tag value indicates whether the VLAN tag information from the classified packets is used to assign the traffic to a SAP or if specific single or double-tagged values are used to assign the traffic to a SAP.
  • Page 777 Configuring Access Guardian Configuring Port-Based Network Access Control • The egress VLAN translation status for the SPB service or the VXLAN service mapping associated with the profile is also configurable. By default, VLAN translation is disabled. – When enabled, the VLAN tags for profile traffic are processed according to the settings for the SAP on which the frames will egress, not according to the settings for the SAP on which the frames were received.
  • Page 778: Configuring Qos Policy Lists

    Configuring Access Guardian Configuring Port-Based Network Access Control -> unp vxlan far-end-ip-list vteps 10.1.1.1 20.1.1.1 30.1.1.1 40.1.1.1 To verify the VXLAN far-end IP address list configuration, use the show unp vxlan far-end-ip-list command. For example: -> show unp vxlan far-end-ip-list toDataCenter2 Far-End-Ip-List Name: vteps, IP-Count: 4, IP-Addresses: 10.1.1.1...
  • Page 779 Configuring Access Guardian Configuring Port-Based Network Access Control -> policy rule r1 condition c1 action a1 -> policy condition c2 source ip 10.5.5.0 -> policy action a2 disposition accept -> policy rule r2 condition c2 action a2 -> policy list temp_rules type unp ->...
  • Page 780 Configuring Access Guardian Configuring Port-Based Network Access Control Dynamically Changing the Policy List Assignment (User Role) The QoS policy list assigned to a UNP profile determines the initial role (network access) for a user device classified into the profile. This role can be dynamically changed for the user through the Captive Portal authentication mechanism, when a different policy list is returned for the user from a RADIUS, Unified Policy Access Manager (UPAM), or ClearPass Policy Manager (CPPM) server, or when the user is placed into a Captive Portal pre-login, unauthorized, or quarantined state.
  • Page 781 Configuring Access Guardian Configuring Port-Based Network Access Control • The name of an existing QoS policy list. To configure a user-defined role, use the unp user-role command. For example: -> unp user-role role1 precedence 10 -> unp user-role role1 policy-list role1-list ->...
  • Page 782: Configuring Unp Classification Rules

    Configuring Access Guardian Configuring Port-Based Network Access Control Configuring UNP Classification Rules UNP classification rules are defined and associated with UNP profiles to provide an additional method for classifying a device into a profile. If authentication is not available or does not return a profile name for whatever reason, classification rules are applied to determine the profile assignment.
  • Page 783 Configuring Access Guardian Configuring Port-Based Network Access Control -> unp classification vlan-tag 10 profile1 serverA • Combine the VLAN ID tag rule with other rules to include the tag as a required parameter to match for the rule. For example, to include the VLAN tag with a MAC address rule, use the unp classification mac-address rule command with the vlan-tag option: ->...
  • Page 784 Configuring Access Guardian Configuring Port-Based Network Access Control -> unp classification lldp med-endpoint access-point profile1 defaultWLANProfile Note. An LLDP MED Endpoint AP rule is implicitly created and assigned to “defaultWLANProfile” (a built-in UNP profile on the switch) when the switch boots up. This facilitates the automatic discovery and management of OmniAccess Stellar APs that are connected to the switch.
  • Page 785 Configuring Access Guardian Configuring Port-Based Network Access Control For example, the following commands create an extended classification rule named “ext-r1” with the precedence value set to 255 and assign the rule to the “corporate” UNP profile: -> unp classification-rule ext-r1 precedence 255 ->...
  • Page 786: Omniaccess Stellar Ap Integration

    Configuring Access Guardian OmniAccess Stellar AP Integration OmniAccess Stellar AP Integration Access Guardian provides the framework through which OmniAccess Stellar Access Points (APs) connected to an OmniSwitch are detected, learned, and managed. Wireless client traffic is then forwarded from the AP to the OmniSwitch and onto the wired network. This integration provides a unified wireless over wired network access solution.
  • Page 787: Configuration Guidelines

    Configuring Access Guardian OmniAccess Stellar AP Integration [Figure: a DHCP server with scope 10.255.125.0/24 (AP management subnet) and 10.255.10.0/24 (AP client subnet); switch VLAN 125 (10.255.125.1/24) and VLAN 10 (10.255.10.1/24); ports 1/1/24 and 1/1/1. The switch classifies the AP into the defaultWLANProfile, assigns the AP to VLAN 125, and sends LLDP with Port VLAN ID = 125.]
  • Page 788 Configuring Access Guardian OmniAccess Stellar AP Integration • Link Layer Detection Protocol (LLDP) parameters. The first packet a connected AP device sends should be an LLDP-MED TLV that identifies the device as an AP. When the AP device is detected on the UNP port, the switch sends LLDP packets to the AP device to communicate the management VLAN (LLDP Port Vlan ID TLV) and the AP Location (LLDP Proprietary TLV).
  • Page 789: Quick Steps For Configuring Omniswitch Ap Discovery

    Configuring Access Guardian OmniAccess Stellar AP Integration • Dynamic VLAN configuration. The switch operationally enables dynamic VLAN configuration to ensure that when the VLAN tag of AP client-tagged traffic does not match an existing switch VLAN, the switch will dynamically create the VLAN. –...
  • Page 790 Configuring Access Guardian OmniAccess Stellar AP Integration Configure any switch port that will connect to a Stellar AP device as a UNP bridge port. For example: -> unp port 1/1/12 port-type bridge If necessary, enable the UNP AP mode for the switch (this mode is enabled by default). For example: ->...
  • Page 791 Configuring Access Guardian OmniAccess Stellar AP Integration Use the show unp profile map command to verify the AP management VLAN is mapped to the “defaultWLANProfile”. For example: -> show unp profile defaultWLANProfile map vlan Profile Name Vlan-Id --------------------------------+-------- defaultWLANProfile Use the show unp profile command to verify the configurable defaultWLANProfile parameter values.
  • Page 792 For example: -> show system System: Description: Alcatel-Lucent Enterprise OS6860E-P48 8.3.1.R02 GA Development, February 10, 2017., Object ID: 1.3.6.1.4.1.6486.801.1.1.2.1.11.1.8, Up Time: 11 days 3 hours 5 minutes and 49 seconds,...
  • Page 793: Using Captive Portal Authentication

    Configuring Access Guardian Using Captive Portal Authentication Using Captive Portal Authentication Captive Portal authentication is a mechanism by which user credentials are obtained through Web pages and authenticated through a RADIUS server. If the authentication is successful, the RADIUS server may return a role (policy list) that is applied to traffic from the user device.
  • Page 794: Configuration Tasks And Guidelines

    Configuring Access Guardian Using Captive Portal Authentication • “Using Captive Portal Configuration Profiles” on page 28-79 • “Authenticating with Captive Portal” on page 28-80. Configuration Tasks and Guidelines Consider the following tasks and guidelines when configuring the internal Captive Portal feature: •...
  • Page 795: Quick Steps For Configuring Captive Portal Authentication

    Configuring Access Guardian Using Captive Portal Authentication • Make sure that a standard browser is available on the client device. No specialized client software is required. When a device is classified into a UNP profile that has Captive Portal enabled, the user device is placed into a pre-login role.
  • Page 796: Using Captive Portal Configuration Profiles

    Configuring Access Guardian Using Captive Portal Authentication When the client enters the appropriate login credentials and clicks on the “Submit” button on the login page, the client is presented with the Captive Portal status page. This page indicates that the login was successful and the remaining session time.
  • Page 797: Replacing The Captive Portal Certificate

    Configuring Access Guardian Using Captive Portal Authentication Use the unp profile captive-portal-profile command to assign a Captive Portal configuration profile to a UNP profile. For example: -> unp profile cp_unp captive-portal-profile cp_p1 Use the show captive-portal profile-names command to display the Captive Portal profile configuration. For more information about the commands described in this section, see the OmniSwitch AOS Release 8 CLI Reference Guide.
  • Page 798: Logging Into The Network With Captive Portal

    Configuring Access Guardian Using Captive Portal Authentication Logging Into the Network with Captive Portal Once a user device is in the Captive Portal state, the following steps are required to complete the authentication process: Open a Web browser window on the client device. If there is a default home page, the browser attempts to connect to that URL.
  • Page 799: Logging Off The Network With Captive Portal

    Configuring Access Guardian Using Captive Portal Authentication The user is now logged into the network and has access to all network resources as determined by the Captive Portal role (QoS policy list) assigned to the user. The original profile and associated VLAN membership for the user was not changed;...
  • Page 800: Using Guest Tunneling

    Configuring Access Guardian Using Guest Tunneling Using Guest Tunneling Guest Tunneling is a mechanism that is used to identify and isolate guest traffic from the rest of the internal network traffic. The tunneling protocol used is Layer 2 Generic Routing Encapsulation (GRE). A GRE tunnel is defined by configuring one end of the tunnel on an edge (access) switch and the other end of the tunnel on a Guest Tunnel Termination Switch (GTTS).
  • Page 801: Configuration Overview And Guidelines

    Configuring Access Guardian Using Guest Tunneling Configuration Overview and Guidelines The following components comprise the Guest Tunneling solution: • An L2 GRE tunnel. Guest Tunneling endpoints are defined on edge switches that connect to guest devices and on the designated Guest Tunnel Termination Switch. These endpoints define an L2 GRE tunnel through which guest traffic is isolated and tunneled through the network.
  • Page 802 Configuring Access Guardian Using Guest Tunneling Edge Switch Configuration Guidelines Consider the following information and guidelines provided in this section when configuring a Guest Tunneling endpoint on an edge switch. UNP Profile Mapping • A Guest Tunneling endpoint is defined on an edge switch through the configuration of a UNP profile that is mapped to L2 GRE tunnel service parameter values.
  • Page 803 Configuring Access Guardian Using Guest Tunneling Switch Ports for Guest Devices Configure the ports on which traffic from guest devices will be received as UNP bridge ports. Note that VLAN translation is not supported on UNP ports that connect to guest devices. There is no VLAN association with the SAP created for the L2 GRE tunnel, so all traffic egressing on the UNP port must be untagged.
  • Page 804 Configuring Access Guardian Using Guest Tunneling L2 GRE Tunnel SAP Guidelines • The L2 GRE Service Access Point (SAP) is comprised of an L2 GRE service ID associated with the loopback access port and a VLAN tag encapsulation value. The SAP is used to identify the traffic that will be mapped to the guest tunnel.
  • Page 805: Quick Steps For Configuring Guest Tunneling

    Configuring Access Guardian Using Guest Tunneling Quick Steps for Configuring Guest Tunneling This section provides a quick tutorial for configuring the Guest Tunneling feature on each participating edge switch and on the Guest Tunnel Termination Switch. The configuration steps included in this section are based on the “Guest Tunneling Configuration Example”...
  • Page 806 Configuring Access Guardian Using Guest Tunneling Use the vlan command to create the VLAN on which guest traffic is forwarded to a perimeter network and/or the Internet. The VLAN loopback port is also assigned to this VLAN (either tagged or as the default VLAN for the loopback port).
  • Page 807: Guest Tunneling Configuration Example

    Configuring Access Guardian Using Guest Tunneling Guest Tunneling Configuration Example All traffic identified as guest at the edge switch is tunneled through an L2 GRE tunnel to the Guest Tunnel Termination Switch (GTTS). When the traffic reaches the GTTS, the GRE encapsulation information is removed and the traffic is then forwarded through the Guest VLAN to the Internet.
  • Page 808 Configuring Access Guardian Using Guest Tunneling • When the encapsulated guest traffic reaches GTTS-1, the GRE encapsulation information is removed and the traffic is passed through the SAP loopback port to the VLAN loopback port. • The VLAN loopback port is tagged with VLAN 50, where the guest traffic is then granted access to perimeter network resources and the Internet.
  • Page 809 Configuring Access Guardian Using Guest Tunneling GTTS-1:
    -> ip interface "Loopback0" 30.0.0.2
    -> vlan 50
    -> vlan 50 members port 1/1/3 tagged
    -> vlan 50 members port 1/1/4 untagged
    -> service l2profile Guest-l2profile stp drop 802.1x drop 802.1ab drop 802.3ad drop gvrp drop mvrp drop amap drop
    ->...
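The L2 GRE encapsulation from the guidelines above and the control-protocol drops in the GTTS-1 l2profile, as an added example rather than OmniSwitch code: Python that wraps a guest Ethernet frame in IPv4/GRE with protocol type 0x6558 (Transparent Ethernet Bridging), unwraps it on the termination side only after checking the outer destination, the IP header checksum and the GRE flag bits, and then applies the stp/802.1x/802.1ab/802.3ad drop rules to the inner frame. 30.0.0.2 is the GTTS-1 Loopback0 address from the example; the edge-switch address 30.0.0.1, the MAC addresses and the SAP VLAN tag 100 are assumptions.

```python
"""Added example: build and unpack the L2 GRE encapsulation used by Guest
Tunneling and apply the GTTS l2profile drops to the inner frame.
Not OmniSwitch code; all frames and addresses below are constructed."""
import ipaddress
import struct

GRE_PROTO_TEB = 0x6558   # Transparent Ethernet Bridging: GRE payload is a whole Ethernet frame
ETH_8021Q, ETH_EAPOL, ETH_LLDP, ETH_SLOW = 0x8100, 0x888E, 0x88CC, 0x8809
STP_MAC = bytes.fromhex("0180c2000000")   # bridge group address used by STP BPDUs


def ip_checksum(hdr):
    """Standard ones'-complement sum over 16-bit words (header length is even)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame, optionally 802.1Q tagged (the SAP encapsulation value)."""
    tag = struct.pack("!HH", ETH_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def encap(src_ip, dst_ip, inner_frame):
    """Outer IPv4 (protocol 47) + minimal 4-byte GRE header + inner Ethernet frame."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)   # no C/K/S flags, version 0
    total = 20 + len(gre) + len(inner_frame)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 47, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner_frame


def decap(packet, expected_dst):
    """Termination side: return the inner frame, or raise if the packet is not a
    well-formed L2 GRE packet addressed to this tunnel endpoint."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 47:
        raise ValueError("not GRE")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    if ipaddress.IPv4Address(packet[16:20]) != ipaddress.IPv4Address(expected_dst):
        raise ValueError("not addressed to this tunnel endpoint")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or proto != GRE_PROTO_TEB:   # C, K or S set would shift the payload
        raise ValueError("unexpected GRE header")
    return packet[ihl + 4:]


def accepts(packet, expected_dst):
    """Boolean form of decap() for callers that only need a verdict."""
    try:
        decap(packet, expected_dst)
        return True
    except ValueError:
        return False


def inner_vlan_and_type(frame):
    """(VLAN tag or None, EtherType) of an Ethernet frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return tci, struct.unpack("!H", frame[16:18])[0]
    return None, ethertype


def l2profile_allows(frame):
    """Mirror of 'stp drop 802.1x drop 802.1ab drop 802.3ad drop' from GTTS-1:
    guest devices must not inject bridge or port control protocols into the core."""
    _, ethertype = inner_vlan_and_type(frame)
    if frame[:6] == STP_MAC or ethertype in (ETH_EAPOL, ETH_LLDP, ETH_SLOW):
        return False
    return True


if __name__ == "__main__":
    guest = ethernet(bytes.fromhex("0011223344bb"), bytes.fromhex("0011223344aa"),
                     0x0800, b"guest payload", vlan=100)
    tunnelled = encap("30.0.0.1", "30.0.0.2", guest)   # edge -> GTTS-1
    inner = decap(tunnelled, "30.0.0.2")
    print(inner_vlan_and_type(inner), l2profile_allows(inner))
```

Two points the code makes concrete: the outer IP header is the only thing the transit network sees, so the GTTS, not the core, is where guest control-plane frames get dropped; and a GRE header with key or sequence bits set changes where the inner frame starts, so the decapsulator must check the flags rather than assume a 4-byte header.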
  • Page 810: Using Quarantine Manager And Remediation

    Configuring Access Guardian Using Quarantine Manager and Remediation Using Quarantine Manager and Remediation A client MAC address is determined to be in a quarantined state when one of the following occurs: • The OmniVista Quarantine Manager (OVQM) application receives a TRAP indicating that the MAC address has to be quarantined.
  • Page 811 Configuring Access Guardian Using Quarantine Manager and Remediation • QMR custom proxy port. This specifies the HTTP proxy port number to which quarantined client traffic is redirected for remediation. The default HTTP ports used are TCP 80 and TCP 8080. The qmr quarantine custom-proxy-port command is used to configure a different proxy port number to use.
  • Page 812: Access Guardian Application Examples

    Configuring Access Guardian Access Guardian Application Examples Access Guardian Application Examples This section provides some typical application examples in which Access Guardian is used to implement network access control in a sample network configuration. The following diagram depicts an Access Guardian network implementation that applies to all of the application examples in this section.
  • Page 813: Application Example 1: Classification (Port Mobility)

    Configuring Access Guardian Access Guardian Application Examples Application Example 1: Classification (Port Mobility) In this configuration example, network access control for Employee1 is provided through the Access Guardian classification mechanism; no authentication is necessary. Classification is a function of the UNP feature and is enabled or disabled on UNP ports.
  • Page 814: Application Example 2: 802.1X Authentication

    Configuring Access Guardian Access Guardian Application Examples • The MAC addresses are learned in the assigned VLANs and the device port is now an untagged member of the assigned VLANs. UNP Port Template Example In Application Example 1 (Classification), individual CLI commands are used in Steps 6 and 7 to configure UNP port parameters.
  • Page 815 Configuring Access Guardian Access Guardian Application Examples Create the required UNP profile and map the profile to VLAN 20.
    -> unp profile corporate
    -> unp profile corporate map vlan 20
    Create another UNP profile that will serve as a default profile; map the profile to VLAN 10.
    ->...
  • Page 816: Application Example 3: Internal Captive Portal Authentication

    Configuring Access Guardian Access Guardian Application Examples Configure the profile to specify the “alu-authserver” for RADIUS server accounting.
    -> aaa profile ag-aaa-profile accounting 802.1x alu-authserver
    Assign the AAA profile to a UNP port or to a UNP port template.
    -> unp port 2/1/1 aaa-profile ag-aaa-profile
    ->...
  • Page 817 Configuring Access Guardian Access Guardian Application Examples Create the QoS policy list to apply to the user upon successful Captive Portal authentication.
    -> policy condition cp-default-C1 source ip Any destination ip Any
    -> policy action cp-default-A1
    -> policy rule cp-default-R1 condition cp-default-C1 action cp-default-A1
    ->...
  • Page 818: Application Example 4: Supplicant/Non-Supplicant With Captive Portal Authentication

    Configuring Access Guardian Access Guardian Application Examples Enable Captive Portal for the UNP profile and assign the Captive Portal profile to the same UNP profile.
    -> unp profile guest captive-portal-authentication
    -> unp profile guest captive-portal-profile cp-profile
    How it Works In this example, traffic arriving on the UNP port triggers the following process on the switch: •...
  • Page 819 Configuring Access Guardian Access Guardian Application Examples • Guest supplicant device. – Fails 802.1X authentication. – If an 802.1X failure policy is not set and classification is not enabled, a default UNP profile associated with the UNP port will be assigned. Captive Portal authentication is enabled for the default profile.
  • Page 820 Configuring Access Guardian Access Guardian Application Examples Create a port template to pre-define and apply configuration parameters to the UNP port.
    -> unp port-template auth-template
    Set the default UNP profile parameter for the port template to “guest”.
    -> unp port-template auth-template default-profile guest
    Set the MAC and 802.1X authentication parameters to “enable”...
  • Page 821: Application Example 5: Ip Phone (Lldp Network Policy Tlv Mobile Tag)

    Configuring Access Guardian Access Guardian Application Examples • The Captive Portal authentication pass condition applies a new access policy list to the client. • If Captive Portal authentication fails, the client remains in a built-in Captive Portal pre-login state. Application Example 5: IP Phone (LLDP Network Policy TLV/ Mobile Tag) In this example, network access control is provided for the following IP phone devices: •...
  • Page 822 Configuring Access Guardian Access Guardian Application Examples Map the default UNP profile to VLAN 10.
    -> unp profile def_unp map vlan 10
    Create a UNP port template to pre-define and apply configuration parameters to the UNP port.
    -> unp port-template voice-template
    Set the default profile parameter for the port template to “def_unp”.
  • Page 823: Application Example 6: Restricted Role (Policy List) Assignment

    Configuring Access Guardian Access Guardian Application Examples • LLDP frames are exchanged between the IP phone and the switch. This traffic will be untagged but will be accepted by the switch since these are control frames. • Subsequent data traffic will be tagged with the right VLAN after the LLDP exchange; this traffic will be accepted because the VLAN is a tagged member of the port.
  • Page 824 Configuring Access Guardian Access Guardian Application Examples
    -> qos quarantine mac-group bad-macs
    Make sure the name of this group on the OmniSwitch matches the group name used by OVQM. The Quarantine MAC address group is populated from the same group located on an LDAP server. However, it is also possible to manually add MAC addresses to the MAC address group on the switch.
  • Page 825 Configuring Access Guardian Access Guardian Application Examples UNP Profile - Location Policy A location-based policy is associated with a UNP profile to define a specific location from which a device can access the network. When a user classified into the UNP profile violates the location policy, the user is moved into an Unauthorized role.
  • Page 826: Verifying Access Guardian Users

    Configuring Access Guardian Verifying Access Guardian Users Verifying Access Guardian Users The following UNP show commands provide a centralized way to verify the status of users authenticated and classified through Access Guardian security mechanisms:
    show unp user
    show unp user status
    show unp user details
    This section provides sample display outputs from the show unp user commands.
  • Page 827 Configuring Access Guardian Verifying Access Guardian Users
    -> show unp user authentication-type mac
    User Port Username Mac address Vlan Profile Auth Role
    ------+-----------------+-----------------+-------+-----+-----------+-----+--------
    1/1/7 00:00:00:00:00:07 00:00:00:00:00:07 1.1.1.7 unp-emp Employee
    0/12 00:00:00:00:00:14 00:00:00:00:00:14 1.1.2.4 unp-7 Employee
    Total users : 2
    The show unp user status command displays the status of the authentication and validation process for MAC addresses learned on a UNP port or link aggregate:
    ->...
  • Page 828 Configuring Access Guardian Verifying Access Guardian Users
    Profile Source : RADIUS Server Profile,
    Profile From Auth Server : Employee,
    Classification profile rule : -,
    Role : Employee,
    Role Source : Profile,
    User role rule : -,
    Restricted Access : No,
    Location Policy Status : Passed,
    Time Policy Status...
  • Page 829: Logging Users Out Of The Network

    Configuring Access Guardian Verifying Access Guardian Users
    Vlan : 30,
    Authentication Type : MAC,
    Authentication Status : Authenticated,
    Authentication Failure Reason : -,
    Authentication Retry Count : -,
    Authentication Server IP Used = 10.135.62.129,
    Authentication Server Used = rad1,
    Server Reply-Message = -,
    Profile : Contractor,...
  • Page 830 Configuring Access Guardian Verifying Access Guardian Users
    -> unp user flush service-id 10
    • authentication-type {802.1x, mac, none}—Flushes the MAC addresses of all users authenticated with the specified authentication type or users that have not been authenticated. For example:
    -> unp user flush authentication-type 802.1x
    ->...
  • Page 831: Verifying The Access Guardian Configuration

    Configuring Access Guardian Verifying the Access Guardian Configuration Verifying the Access Guardian Configuration A summary of the show commands used for verifying the Access Guardian configuration is given here:
    show unp global configuration   Displays the global UNP parameter settings for the switch.
    show unp port                   Displays the UNP configuration for a port or link aggregate.
  • Page 832: Bring Your Own Devices (Byod) Overview

    Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Bring Your Own Devices (BYOD) Overview The OmniSwitch implementation of Bring Your Own Devices (BYOD) leverages the OmniVista Unified Policy Access Manager (UPAM) or the ClearPass Policy Manager (CPPM) and Access Guardian features on the OmniSwitch.
  • Page 833: Key Components Of A Byod Solution

    Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Key Components of a BYOD Solution The OmniSwitch BYOD solution comprises the following main components: • The network infrastructure, consisting of both wireless and wireline networks. The OmniSwitch leverages Access Guardian features, such as 802.1X (supplicant) and MAC (non-supplicant) authentication and classification through the Universal Network Profile (UNP) framework, to support the BYOD solution.
  • Page 834: Clearpass Onboard

    Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Unified Policy Access Manager and ClearPass Policy Manager The OmniSwitch BYOD solution requires the association and configuration of the OmniVista Unified Policy Access Manager (UPAM) or the ClearPass Policy Manager (CPPM). Note.
  • Page 835 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview • Quick Connect supports native supplicants on Windows Vista, XP, 7, Apple, and Android devices. ClearPass OnGuard ClearPass OnGuard agents perform advanced endpoint posture checking to ensure compliance is met before the devices connect. The following functionalities are provided: •...
  • Page 836 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview
    Code  Message      Description
    41    DM-ACK       Disconnect request message (DM) Acknowledgment for RADIUS/UPAM or ClearPass authentication. On reception of a Disconnect request message (DM), all device authentication is removed from the switch.
    42    DM-NACK      Disconnect request message (DM) Not Acknowledged.
    43    CoA-Request  CoA message is sent from the UPAM or ClearPass server.
  • Page 837 The following VSAs can be imported to the UPAM or ClearPass server:
    Num.  ClearPass/RADIUS VSA      Type    Description
    6     Alcatel-Lucent-Port-Desc  string  Description of the port. This attribute is currently defined in the Alcatel dictionary as: RADIUS attribute type = 26 (VSA)
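The Disconnect/CoA messages in the table above and the attributes ClearPass returns on acceptance (a Filter-ID whose value must match the UNP profile name on the switch, and type 26 VSAs such as Alcatel-Lucent-Port-Desc), as an added example and not OmniSwitch or ClearPass code: Python that builds a Disconnect-Request (code 40) with the RFC 5176 Request Authenticator, verifies it the way the switch must before tearing a session down, answers with a DM-ACK (41) carrying a valid Response Authenticator, and encodes and decodes Filter-ID (11) and a VSA. The shared secret, the packet identifier and the vendor ID constant are assumptions; the vendor ID must be taken from the Alcatel-Lucent-Enterprise.xml dictionary.

```python
"""Added example: RADIUS Disconnect/CoA messages and Filter-ID/VSA attributes
built and checked the way a NAS would. Not OmniSwitch or ClearPass code."""
import hashlib
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK, COA_REQUEST = 40, 41, 42, 43
ATTR_FILTER_ID, ATTR_VSA, ATTR_CALLING_STATION_ID = 11, 26, 31
# Assumption: private enterprise number used by the Alcatel dictionary for these VSAs.
# Verify against the Alcatel-Lucent-Enterprise.xml dictionary before relying on it.
ALE_VENDOR_ID = 800


def attr(attr_type, value):
    """Type / Length / Value; the length octet covers the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Type 26: 4-byte vendor ID, then a vendor-specific type/length/value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VSA, struct.pack("!I", vendor_id) + inner)


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176: MD5 over Code+ID+Length+16 zero octets+Attributes+Secret.
    The NAS recomputes this to reject requests from anyone without the secret."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + bytes(16) + attrs + secret).digest()


def packet(code, ident, attrs, authenticator):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_request(code, ident, attrs, secret):
    return packet(code, ident, attrs, request_authenticator(code, ident, attrs, secret))


def verify_request(pkt, secret):
    """NAS side: length must match and the authenticator must recompute."""
    if len(pkt) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    return pkt[4:20] == request_authenticator(code, ident, pkt[20:], secret)


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    ident, req_auth = request[1], request[4:20]
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return packet(code, ident, attrs, hashlib.md5(head + req_auth + attrs + secret).digest())


def verify_response(response, request, secret):
    """Server side: the ACK/NAK must echo our ID and bind to our Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expect = hashlib.md5(struct.pack("!BBH", code, ident, length) + request[4:20]
                         + response[20:] + secret).digest()
    return response[4:20] == expect


def parse_attrs(data):
    """Return [(type, value), ...]; reject a length that runs past the buffer."""
    out, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("malformed attribute")
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("malformed attribute")
        out.append((attr_type, data[off + 2:off + length]))
        off += length
    return out


if __name__ == "__main__":
    secret = b"s3cret"   # assumed shared secret between ClearPass/UPAM and the switch
    req = build_request(DISCONNECT_REQUEST, 7, attr(ATTR_CALLING_STATION_ID, b"00-00-00-00-00-07"), secret)
    ack = build_response(DISCONNECT_ACK, req, b"", secret)
    print(verify_request(req, secret), verify_response(ack, req, secret))
    print(parse_attrs(attr(ATTR_FILTER_ID, b"UNP-employee") + vsa(ALE_VENDOR_ID, 6, b"1/1/13")))
```

The MD5 authenticator is the only thing standing between an attacker who can reach UDP 3799 on the switch and the ability to disconnect every user on it, which is why the secret must be unique per NAS and the verify step must happen before any session state is touched.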
  • Page 838 Perform the following to import the VSA dictionary into the CPPM server:
    Download the Alcatel-Lucent-Enterprise.xml file from the Service & Support website.
    Click on Dictionary->Import Dictionary and browse for the Alcatel-Lucent-Enterprise.xml file.
    Click on Server Configuration->Reboot to reboot the server.
  • Page 839 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Port Bounce A port bounce is used to terminate a user session and discard all associated session context for non- supplicants. This is done by disabling and re-enabling the port and clearing any authentication state for the devices on the port.
  • Page 840: Configuring Omniswitch Byod Support

    Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Configuring OmniSwitch BYOD Support BYOD is supported on UNP ports for supplicant and non-supplicant registered and guest users and devices. The BYOD solution leverages the existing Access Guardian UNP capability and is applicable only on UNP ports.
  • Page 841 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Configuring UNP Profiles Users connected to UNP-enabled ports are moved into a specific UNP profile based on the outcome of the authentication process. This type of profile is created using the unp profile command.
  • Page 842 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview
    -> policy service http80 destination tcp-port 80
    -> policy service http8080 destination tcp-port 8080
    -> policy service https443 destination tcp-port 443
    -> policy service group alaRestrictedHttpSG http80 http8080 https443
    -> policy port group pg1 1/1/1-20
    ->...
  • Page 843: Byod Authentication Process Overview

    Configuring Access Guardian Bring Your Own Devices (BYOD) Overview BYOD Authentication Process Overview This section describes the basic BYOD process with respect to the OmniSwitch interaction with the UPAM or ClearPass server. Authentication for Registered Devices (802.1X) The BYOD solution provides the following authentication process for registered devices (for example, IT issued employee devices): When 802.1X authentication is enabled on a UNP port and the OmniSwitch detects a user device on that port, the authentication process is triggered to classify the user.
  • Page 844: Multicast Domain Name System

    Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Multicast Domain Name System The Multicast Domain Name System (mDNS) is a resolution service that is used to discover services on a LAN. Using mDNS allows the resolution of host names to IP addresses within small networks without the need for a conventional DNS server.
  • Page 845: Simple Service Discovery Protocol

    Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Simple Service Discovery Protocol The Digital Living Network Alliance (DLNA) is a standards organization that defines the guidelines for multimedia devices. It also certifies communication between devices allowing them to discover and recognize each other and share digital content.
  • Page 846 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview SSDP frames received from the WLAN controller are encapsulated as follows:
    DA-MAC          SA-MAC                            IP Header                    Payload
    OmniSwitch MAC  WLAN controller MAC/intermediate  Src IP: WLAN controller IP   SSDP frame destined to the wired service/client
                                                      Dst IP: OmniSwitch IP
  • Page 847 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview • The OmniSwitch 6860 relays SSDP packets from the DLNA-capable printer and TV to the WLAN controller through the Layer 2 GRE tunnel. See “Messages Received by the OmniSwitch from Wired SSDP Devices”...
  • Page 848 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview • The WLAN controller applies the service policies and sends encapsulated SSDP packets through the Layer 2 GRE tunnel to the end service devices connected to the OmniSwitch 6860. • The OmniSwitch 6860 receives encapsulated SSDP packets through the GRE tunnel from the WLAN controller.
  • Page 849: Zero Configuration Networking (Mdns And Ssdp)

    Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Zero Configuration Networking (mDNS and SSDP) Zero configuration networking is a set of protocols that can be used to discover services. It allows network devices to communicate with each other and to advertise and share each other's resources.
  • Page 850 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview How It Works Aruba Mode Aruba Mode is configured if the network has only an Aruba wireless controller. In this mode, all the switches must be mDNS and SSDP enabled. All the edge switches must be configured to use the L2GRE tunnel of the Aruba wireless controller.
  • Page 851 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Gateway Mode Gateway mode is configured if the network has no WLAN controller. In this mode, the traffic from the edge switch is forwarded to the configured gateway switch. The gateway will replicate and forward the received mDNS and SSDP packets on all the VLANs, based on a pre-configured VLAN sharing list.
  • Page 852 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview • Airprint1 will advertise its service information through mDNS service advertisement packets. • Edge switch Sw2 will flood these packets in VLAN20 to the gateway. • Mac2 laptop in VLAN 20 will receive this advertisement directly from the Edge switch sw2. •...
  • Page 853: Backward Compatibility

    Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Note. Refer to “Quick Steps for Zero Configuration mDNS and SSDP” on page 28-137 for procedures on how to configure each mode. Backward Compatibility mDNS and SSDP with Aruba mode is backward compatible. The configurations made using the older CLI commands will continue to work provided the Loopback0 IP address is configured as the source endpoint address.
  • Page 854 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Quick Steps for Zero Configuration mDNS and SSDP Zero configuration varies with respect to the type of modes (Tunnel (Aruba), Gateway, Tunnel Standard, Responder Mode). If the network consists of Aruba wireless controllers (Aruba mode), the following must be configured on the edge switch: Enable mDNS and SSDP functionality using the zeroconf mdns admin-state...
  • Page 855 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Configure the mode of operation for the switch. For gateway mode, set the mode to gateway. To configure the mode, use the zeroconf mode command. For example: -> zeroconf mode gateway Configure the gateway VLAN list.
  • Page 856 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview When Responder is running on a core OmniSwitch (Responder mode), the following must be configured on the responder: Enable mDNS and SSDP functionality using the zeroconf mdns admin-state and zeroconf ssdp admin-state commands.
  • Page 857 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Service Rule Configuration Service rules are configured on the responder switch. Service rules define the criteria by which the mDNS responder will decide the services that can be shared with the clients. If there are no service rules configured, the responder switch will learn all the services but will not process any query received from the mDNS or SSDP client.
  • Page 858 Configuring Access Guardian Bring Your Own Devices (BYOD) Overview Learning a Service If the responder doesn’t learn a service, that specific service can be queried for re-learning by the responder. To manually query for a specific service, use the zeroconf service-id query-request command.
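What the responder's service rules and the re-learn query above amount to on the wire, as an added example and not OmniSwitch code: Python that parses a constructed mDNS response, collects the PTR service announcements in it, keeps only the service types an assumed rule list permits (an empty rule list shares nothing, matching the behaviour described for a responder with no service rules), and builds the PTR query a responder would send to re-learn one service. The service names and the rule list are assumptions; SSDP is not covered.

```python
"""Added example: service-rule filtering and re-learn queries for an mDNS
responder, on constructed mDNS messages. Not OmniSwitch code."""
import struct

MDNS_PORT = 5353
TYPE_PTR = 12
CLASS_IN = 1
CACHE_FLUSH = 0x8000


def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero length."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after the name); follows RFC 1035 compression
    pointers but bounds the hop count so a looping pointer cannot hang us."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off, hops = pointer, hops + 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(records):
    """records: [(service type, instance name), ...] -> one unsolicited mDNS
    response carrying a PTR answer per record (flags 0x8400 = response, AA)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, len(records), 0, 0)
    body = b""
    for owner, target in records:
        rdata = encode_name(target)
        body += encode_name(owner)
        body += struct.pack("!HHIH", TYPE_PTR, CLASS_IN | CACHE_FLUSH, 4500, len(rdata)) + rdata
    return header + body


def build_query(service):
    """The PTR query a responder sends to re-learn one service type."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def ptr_records(msg):
    """All (owner, target) PTR pairs from the answer, authority and additional sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                       # QTYPE + QCLASS
    out = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            target, _ = decode_name(msg, off)
            out.append((owner, target))
        off += rdlen
    return out


def filter_by_rules(records, rules):
    """Service rules: share only PTR records whose service type is listed.
    With no rules nothing is shared, even though every service was learned."""
    allowed = {rule.lower() for rule in rules}
    return [(owner, target) for owner, target in records if owner.lower() in allowed]


if __name__ == "__main__":
    # Constructed announcements: a printer and a TV, as in the BYOD example networks.
    announce = build_response([("_ipp._tcp.local.", "Printer._ipp._tcp.local."),
                               ("_airplay._tcp.local.", "TV._airplay._tcp.local.")])
    learned = ptr_records(announce)
    print(filter_by_rules(learned, ["_ipp._tcp.local."]))   # assumed rule: share printers only
    print(build_query("_ipp._tcp.local."))
```

The hop bound in decode_name is the part worth keeping: a responder that relays untrusted multicast from guest VLANs must not be stalled by a self-referencing compression pointer.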
  • Page 859: Byod Application Examples

    Configuring Access Guardian BYOD Application Examples BYOD Application Examples Note. The application examples provided in this section are specific to the ClearPass Policy Manager (CPPM). Refer to the OmniVista Unified Policy Access Manager (UPAM) documentation for in-depth configuration information and requirements. The application scenarios provide various examples of how the ClearPass server and the OmniSwitch can be leveraged to provide different network access levels and Universal Network Profiles (UNPs) for employees, guests, and other network-based devices.
  • Page 860: Application Example 1: 802.1X — Omniswitch Configuration

    Configuring Access Guardian BYOD Application Examples [Figure: BYOD Network with Employee and Guest Devices. The ClearPass RADIUS server / RADIUS proxy “alu-cppm” (10.255.13.250) exchanges authentication and authorization requests and responses with the OmniSwitch (10.255.13.26). Attached devices: Guest (MAC authentication), IP Phone (MAC authentication), Employee (802.1X authentication).] Application Example 1: 802.1X — OmniSwitch Configuration The OmniSwitch configuration for an 802.1X supplicant: Enable UNP port-based functionality as follows: ->...
  • Page 861: Application Example 1: 802.1X — Clearpass Configuration

    Configuring Access Guardian BYOD Application Examples Application Example 1: 802.1X — ClearPass Configuration Step 1. ClearPass (802.1X) - Creating employee users and roles Create user role: Roles->Add Roles Create users and assign role: Local Users -> Add Users OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 28-144...
  • Page 862 Configuring Access Guardian BYOD Application Examples Step 2. ClearPass (802.1X) - Create Profiles and Policies
    Create Profile: Attributes (tab)
    - Type: Radius:IETF
    - Filter-ID (11)
    - Value = UNP-employee (Note: must match UNP Profile on OmniSwitch)
    Create Enforcement Policy: Rules (tab)
    View Policies Summary
  • Page 863 Configuring Access Guardian BYOD Application Examples Step 3. ClearPass (802.1X) - Create 802.1X services
    Add OmniSwitch to ClearPass Database: Devices (tab)
    Add 802.1X Wired Service: Service (tab)
    Configure 802.1X Authentication: Authentication (tab)
  • Page 864 Configuring Access Guardian BYOD Application Examples
    Configure Enforcement: Enforcement (tab)
    Reorder Authentication Devices: Devices (tab)
  • Page 865 Configuring Access Guardian BYOD Application Examples Step 4. ClearPass (802.1X) - Configure PC
    Configure PC Properties
    Configure PC Advanced Settings
  • Page 866: Application Example 2: Ip Phone — Omniswitch Configuration

    Configuring Access Guardian BYOD Application Examples Step 5. ClearPass (802.1X) - Confirm Device Authentication Confirm device Authentication OmniSwitch Confirm Device Authentication ClearPass Application Example 2: IP Phone — OmniSwitch Configuration The OmniSwitch configuration for a non-supplicant IP phone: Configure UNP port-based functionality as follows: ->...
  • Page 867: Application Example 2: Ip Phone — Clearpass Configuration

    Configuring Access Guardian BYOD Application Examples Application Example 2: IP Phone — ClearPass Configuration Step 1. ClearPass (IP Phone) - Creating static host list Create static host list: Identity->Static Host List Create Authentication Source Authentication-Sources- Add Authentication Source Type: Static Host List Host List: IP Phone MAC List OmniSwitch AOS Release 8 Network Configuration Guide...
  • Page 868 Configuring Access Guardian BYOD Application Examples Step 2. ClearPass (IP Phone) - Create Profiles and Policies
    Create Profile: Profile (tab)
    - Name: ALU IP Phone Profile
    - Template: Aruba RADIUS Enforcement
    Attributes (tab)
    - Type: Radius:IETF
    - Filter-ID (11)
    - Value = UNP-phone (Note: must match UNP Profile on OmniSwitch)
    Create Enforcement...
  • Page 869 Configuring Access Guardian BYOD Application Examples Step 3. ClearPass (IP Phone) - Create MAC Authentication Service
    Add MAC Authentication Service: Service (tab)
    - Type: MAC Authentication
    Authentication (tab)
    - Authentication Sources: Static MAC Database
    Enforcement (tab)
    - Enforcement Policy: ALU IP Phone Enforcement Policy
  • Page 870: Application Example 3: Guest — Omniswitch Configuration

    Configuring Access Guardian BYOD Application Examples Application Example 3: Guest — OmniSwitch Configuration The OmniSwitch configuration for guest UNP, VLANs, and redirection: Configure UNP port-based functionality as follows:
    -> unp port 1/1/13 port-type bridge
    -> unp port 1/1/13 802.1x-authentication
    -> unp port 1/1/13 mac-authentication
    Configure MAC-authentication for ClearPass RADIUS on an OmniSwitch as follows:
    ->...
  • Page 871: Application Example 3: Guest — Clearpass Configuration

    Application Example 3: Guest — ClearPass Configuration Step 1: ClearPass (Guest) - Create Guest Account and Web login page
    Create guest account: Guest->List Accounts
    Create web login page: Configuration->Web Logins
    - Name: Alcatel-Lucent Secure Access
    - Page name: secure-access
    - Vendor Settings: Alcatel-Lucent
    - Login Method: Server-...
  • Page 872 Configuring Access Guardian BYOD Application Examples Create custom skin if desired.
  • Page 873 Configuring Access Guardian BYOD Application Examples Step 2: ClearPass (Guest) - Create Profiles
    Create Restricted Profile: Enforcement->Profiles
    - Template: RADIUS Based Enforcement
    - Name: ALU Restricted Profile
    - Type: RADIUS
    - Action: Accept
    - Attribute Type: Radius:IETF, Alcatel-Lucent-Enterprise
    - Attribute Name: Filter-ID, Alcatel-Redirection-
    - Attribute Value: UNP-restricted, (redirect URL)
    Create Guest Profile: Enforcement->Profiles...
  • Page 874 Configuring Access Guardian BYOD Application Examples Step 3: ClearPass (Guest) - Create MAC and Web Authentication Services
    Add MAC Authentication Service: Configuration->Services
    - Type: MAC Authentication
    - Name: ALU Wired MAC Authentication Service
    - Monitor Mode: Disabled
    - Service Rule Type: Radius:IETF
    - Service Rule Name: NAS-Port-Type
    - Service Rule Operator:...
  • Page 875 Step 4: ClearPass (Guest) - Login Example. Figures: Example Redirect; Example login...
  • Page 876: Verifying The Byod Configuration

    Verifying the BYOD Configuration A summary of the commands used for verifying the BYOD configuration is given here: show unp global configuration Displays global BYOD parameter values, such as the redirection server name, the port bounce status, and pause timer value. show unp user Displays the status of the new BYOD clients that access the network.
  • Page 877: Chapter 29 Configuring Application Monitoring And Enforcement

    29 Configuring Application Monitoring and Enforcement Application usage patterns in the enterprise network are changing with the increased use of social networking, browser-based file sharing, and peer-to-peer applications. The use of these applications results in new traffic patterns in the network that are not straightforward to distinguish. The OmniSwitch Application Monitoring and Enforcement (AppMon) feature addresses the key challenges of real-time classification of flows at the application level by providing differential QoS treatment in the form of higher priority marking and security policies at the application level.
  • Page 878: In This Chapter

    In This Chapter This chapter provides an overview of the AppMon feature and describes how to configure this feature through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax of commands, see the OmniSwitch AOS Release 8 CLI Reference Guide.
  • Page 879: Appmon Defaults

    AppMon Defaults (Description; Keyword; Default): AppMon default global status; app-mon admin-state; Disabled. AppMon default status on the physical port; app-mon port admin-state; Disabled. AppMon L3 mode; app-mon l3-mode; Enabled for both monitoring and enforcement (both IPv4, IPv6). AppMon L4 mode...
  • Page 880: Application Monitoring And Enforcement Overview

    Application Monitoring and Enforcement Overview The Application Monitoring and Enforcement (AppMon) feature is provided to address the key challenges of real-time classification of flows at the application level. It provides differential QoS treatment in the form of higher priority marking and security policies at the application level.
  • Page 881: Application Enforcement

    Application monitoring functionality includes: • Identify traffic flows from attached networks at Layer 3. • Application recognition of these traffic flows. • Signature toolkit upgrade from OmniVista. • Report the identified application flow information. •...
  • Page 882 • Report application specific flow details including 5-tuple flow credentials, total number of flows, number of flows per application, and so on. • Associate QoS policies with UNP profile and provide user level policy treatment. Main QoS policy actions include DSCP/802.1p/Priority Marking, Disposition drop/accept, and rate-limiter.
  • Page 883: Quick Steps For Configuring Appmon

    Quick Steps for Configuring AppMon The following quick steps provide a brief tutorial for configuring AppMon on OmniSwitch. Use the app-mon admin-state command to globally enable AppMon functionality on the switch. ->...
  • Page 884: Application Signature File/Kit

    Application Signature File/Kit Signatures are pattern recipes that are chosen for uniquely identifying an associated application (or protocol). When a new application or protocol is encountered, it is analyzed and an appropriate signature is developed and added to a database (referred to as a signature library).
  • Page 885: Application Flow Database

    Application Flow Database When a match occurs between IP traffic and the application signature, a flow entry is created based on the following 5-tuple: • Source IP Address (IPv4 or IPv6) • Destination IP Address (IPv4 or IPv6) •...
  • Page 886: Configuring Appmon

    Configuring AppMon This section provides the following information about how to configure AppMon on the OmniSwitch: • “Configuration Guidelines” on page 29-11. • “Enabling/Disabling AppMon” on page 29-13. • “Enabling/Disabling AppMon Per Port or Slot” on page 29-13. •...
  • Page 887: Configuration Guidelines

    Configuration Guidelines Review the guidelines in this section before configuring AppMon on the OmniSwitch. • AppMon works on an application level and not on individual application events/operations. On configuring an application, all associated events are considered for application monitoring and enforcement.
  • Page 888 Captive-Portal Status = -, QMR Status = Passed, Redirect Url = -, SIP Call Type = Not in a call, SIP Media Type = None, Applications = whatsapp Total users : 1 • For QoS policies, AppMon can be enabled on any OmniSwitch 6860 or OmniSwitch 6860E element of the network for enforcing policy actions such as drop, 802.1p/DSCP priority marking, and rate limiting.
  • Page 889: Enabling/Disabling Appmon

    Enabling/Disabling AppMon To enable the AppMon feature globally on the switch, use the app-mon admin-state command with the enable option. By default, AppMon is disabled on the switch. -> app-mon admin-state enable To disable AppMon functionality, use the app-mon admin-state command with the disable option.
  • Page 890: Create Auto-Groups

    Create Auto-Groups Auto-Group functionality automatically creates application-groups based on the classification of supported applications in the signature file. The ‘Category’ field is used for classification (for example, YouTube will be part of the Web category, and Webex will be part of the Audio/Video category). To create application groups automatically on the switch, use the app-mon auto-group create command.
  • Page 891: Configuring Application List

    Configuring Application List Configure an application list for enforcement or monitoring. The list can be formed with individual applications or with application groups. Separate application lists are maintained for the enforcement and monitor features.
  • Page 892: Configuring L3 Mode Of Operation

    Configuring L3 Mode of Operation To enable or disable monitoring and enforcement for IPv4 flows, IPv6 flows, or both, use the app-mon l3-mode command. By default, monitoring and enforcement are enabled for both IPv4 and IPv6 flows. For example, the following command enables monitoring and enforcement for IPv4 packets: ->...
  • Page 893: Clearing Flow Table Entries

    Clearing Flow Table Entries To clear all the learned flow-table entries from the monitor or enforcement application list, use the app-mon flow-table flush command. For example: -> app-mon flow-table enforcement flush -> app-mon flow-table monitor flush Configuring Flow Table Statistics Update To enable or disable flow table statistics update for enforcement applications, use the app-mon flow-table...
  • Page 894: Configuring Logging Threshold

    Configuring Logging Threshold To configure the threshold value for the number of matched flows for enforcement and monitor applications, use the app-mon logging-threshold command. The maximum number of flows to be logged is in the range of 1000–60000 flows. When the logging threshold value is set to ‘0’, flows are not logged to the log file.
  • Page 895: Clearing Application List

    Clearing Application List To remove all the applications from the enforcement or monitor application list, use the clear app-mon app-list command. This command does not clear the active application list until ‘app-mon apply’ is used. For example: ->...
  • Page 896: Verifying Appmon Configuration

    Verifying AppMon Configuration A summary of the show commands used for verifying the AppMon configuration is given here. show app-mon config Displays global AppMon configuration, which includes information about admin-state, running mode, IP mode, aging-timer, and total signatures.
  • Page 897: In This Chapter

    30 Configuring Application Fingerprinting The OmniSwitch Application Fingerprinting (AFP) feature attempts to detect and identify remote applications by scanning IP packets and comparing the packets to pre-defined bit patterns (application signatures). Once an application is identified, AFP collects and stores information about the application flow in a database on the local switch.
  • Page 898: Chapter 30 Configuring Application Fingerprinting

    AFP Defaults (Description; Keyword; Default): The status of AFP functionality on the switch; app-fingerprint admin-state; Enabled. The status of AFP activation on switch ports and link aggregates; app-fingerprint port; Disabled. ASCII text file containing REGEX application signatures; app-fingerprint signature-file; flash/app-signature/...
  • Page 899 App Name: smtp Description: Simple Mail Transfer Protocol, 220[\x09-\x0d -~]* (e?smtp|simple mail) App Name: ssh Description: Secure Shell, ssh-[12]\.[0-9] App Name: vnc Description: Virtual Network Computing, rfb 00[1-9]\.00[0-9]\x0a$ Application Groups App Group: chatting = jabber App Group: mail = smtp App Group: network = bgp dhcp rtsp smb App Group: p2p = hotline...
  • Page 900: Quick Steps For Configuring Afp

    Quick Steps for Configuring AFP The following quick steps provide a brief tutorial for configuring Application Fingerprinting to monitor and profile host applications on the network: Use the app-fingerprint admin-state command to globally enable Application Fingerprinting functionality on the switch: ->...
  • Page 901: Afp Overview

    AFP Overview The OmniSwitch Application Fingerprinting (AFP) feature attempts to detect and identify remote applications by scanning IP packets received on an AFP port and comparing the packet contents against predefined bit patterns or signatures. Once the application is identified, the switch can collect the source and destination information, apply QoS, or generate an SNMP Trap.
  • Page 902: Application Fingerprinting Modes

    Application Fingerprinting Modes The Application Fingerprinting process is enabled on a per-port basis. When configuring a port or link aggregate as an AFP port, the user must also specify one of three operational modes for the port: monitoring, QoS, or UNP.
  • Page 903: Using The Application Regex Signature File

    Using the UNP Mode Using the Universal Network Profile (UNP) mode also triggers IP packet sampling on the port but first attempts to see if the ingress traffic is classified into a UNP. • If the traffic is assigned to a UNP, the switch then checks if the UNP is associated with an AFP QoS policy list that contains the AFP policy condition.
  • Page 904: Application Fingerprinting Database

    The “app-regex.txt” file contains a sample configuration to use as a guide for defining AFP application signatures and groups (see “AFP Defaults” on page 30-2). Application Fingerprinting Database When a match occurs between an IP traffic flow and a REGEX application signature, the following multi-tuple classifier is generated and stored in a local switch database to identify and track the application associated with the flow: •...
  • Page 905: Interaction With Other Features

    Interaction With Other Features This section contains important information about how Application Fingerprinting (AFP) functionality interacts with other OmniSwitch features. Refer to the specific chapter for each feature to get more detailed information about how to configure and use the feature. General •...
  • Page 906: Configuring Afp

    Configuring AFP This section provides the following information about how to configure and activate the OmniSwitch implementation of Application Fingerprinting: • “Configuration Guidelines” on page 30-10. • “Enabling/Disabling AFP” on page 30-11. • “Enabling/Disabling Trap Generation” on page 30-11. •...
  • Page 907: Enabling/Disabling Afp

    • If a policy list assigned to an AFP port or assigned to a UNP associated with an AFP port does not contain a rule with the appfp-group condition, sampled IP traffic on the port is not matched against any REGEX signatures to determine if any QoS actions in the rule are applied to that traffic.
  • Page 908: Changing The Regex Signature Filename

    -> show app-fingerprint configuration Admin-state: Enabled, SNMP Trap: Disabled, Signature File: app-regex.txt Changing the REGEX Signature Filename A default REGEX signature file, named “app-regex.txt”, is provided in the “/flash/app-signature/” directory on the OmniSwitch. This file is a user-configurable ASCII text file. Adding, removing, or changing application signatures and groups defined in this file is allowed.
  • Page 909: Defining Application Regex Signatures And Groups

    Defining Application REGEX Signatures and Groups To define a new application signature entry in the REGEX signature file, use the following formatting conventions:
    App-name: application-name
    Description: application-description
    REGEX-signature
    Application signature formatting guidelines: • The application signature “Description:” field is optional, but the “App-name:” field and REGEX signature are required.
  • Page 910 Verifying the Application Signature and Group Definitions Use the show app-fingerprint app-name and show app-fingerprint app-group commands to display the application signature and group configuration defined in the REGEX signature file. For example: -> show app-fingerprint app-name App Name: hotline Description:...
  • Page 911 Example REGEX Signature File This section contains an example “app-regex.txt” file. Note that application signatures and groups are defined using the formatting conventions described in “Defining Application REGEX Signatures and Groups” on page 30-13. App-name: TCP-Syn-BDos Description: TCP-Syn-BDos \x02\xfe..\x80.*\xc0\xa8\x05\xca.*(\x0c|\x04)\x00\x00\x50 App-name: UDP-Flood...
  • Page 912: Configuring Afp Port Modes

    Configuring AFP Port Modes Configuring a port or link aggregate as an AFP port also applies an operational mode to the port. The operational mode (monitoring, QoS, or Universal Network Profile) applied determines the following: •...
  • Page 913 Verifying the AFP Mode Configuration The QoS and UNP modes both specify application groups for AFP processing. The difference is that the QoS mode directly associates a policy list name with the AFP port, whereas the UNP mode uses a policy list assigned to a UNP associated with traffic received on the AFP port.
  • Page 914: Verifying The Afp Configuration

    Verifying the AFP Configuration A summary of the show commands used for verifying the AFP configuration is given here. For some examples of these commands, see “Quick Steps for Configuring AFP” on page 30-4 and “Configuring AFP”...
  • Page 915: In This Chapter

    31 Managing Authentication Servers This chapter describes authentication servers and how they are used with the switch. The types of servers described include Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), Terminal Access Controller Access Control System (TACACS+), and SecurID ACE/Server.
  • Page 916: Server Defaults

    Server Defaults The defaults for authentication server configuration on the switch are listed in the tables in the next sections. RADIUS Authentication Servers Defaults for the aaa radius-server command are as follows (Description; Keyword; Default): Number of retries on the server before the switch tries a backup server; retransmit; ...
  • Page 917 (Description; Keyword; Default): Timeout for server replies to authentication requests; timeout; ... Whether a Secure Socket Layer is configured for the server; ssl | no ssl; no ssl...
  • Page 918: Quick Steps For Configuring Authentication Servers

    Quick Steps For Configuring Authentication Servers For RADIUS, TACACS+, or LDAP servers, configure user attribute information on the servers. See “RADIUS Servers” on page 31-7, “TACACS+ Server” on page 31-13, and “LDAP Servers”...
  • Page 919: Server Overview

    Server Overview Authentication servers are sometimes referred to as AAA servers (authentication, authorization, and accounting). These servers are used for storing information about users who want to manage the switch (Authenticated Switch Access) and users who need access to a particular VLAN or VLANs (Authenticated VLANs).
  • Page 920 A RADIUS server supporting the challenge and response mechanism as defined in RADIUS RFC 2865 can access an ACE/Server for authentication purposes. The ACE/Server is then used for user authentication, and the RADIUS server is used for user authorization. Figure: End Station login request...
  • Page 921: Radius Servers

    Standard Attributes The following tables list RADIUS server attributes 1–39 and 60–63, their descriptions, and whether the Alcatel-Lucent Enterprise RADIUS client in the switch supports them. Attribute 26 is for vendor-specific information and is discussed in “Vendor-Specific Attributes for RADIUS” on page 31-9.
  • Page 922 (Num.; Standard Attribute; Notes): Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-Id, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port; Not supported. These attributes are used for dial-up sessions; not applicable to the RADIUS client in the switch. 17; Unassigned; —. 18; Reply-Message; Multiple reply messages are supported, but the length of all the reply messages returned in one access-accept or access-...
  • Page 923 RADIUS Servers Vendor-Specific Attributes for RADIUS The Alcatel-Lucent Enterprise RADIUS client supports attribute 26, which includes a vendor ID and some additional sub-attributes called subtypes. The vendor ID and the subtypes collectively are called Vendor Specific Attributes (VSAs). Alcatel-Lucent Enterprise, through partnering arrangements, has included these VSAs in some vendors’...
  • Page 924: Radius Accounting Server Attributes

    The Alcatel-Lucent-Auth-Group attribute is used for Ethernet II only. If a different protocol, or more than one protocol is required, use the Alcatel-Lucent-Auth-Group-Protocol attribute instead. For example: Alcatel-Lucent-Auth-Group-Protocol 23: IP_E2 IP_SNAP Alcatel-Lucent-Auth-Group-Protocol 24: IPX_E2 In this example, authenticated users on VLAN 23 can use Ethernet II or SNAP encapsulation.
  • Page 925: Configuring The Radius Client

    The following table lists the VSAs supported for RADIUS accounting servers. The attributes in the radius.ini file can be modified if necessary. (Num.; Accounting VSA; Type; Description): Alcatel-Lucent-Auth-Group; integer; The authenticated VLAN number. The only protocol associated with this attribute is Ethernet II. If other protocols are required, use the protocol attribute instead.
  • Page 926: Radius Over Tls

    -> aaa radius-server rad1 key mozart If you are modifying the server and have just entered the aaa radius-server command to create or modify the server, you can use command prefix recognition. For example: -> aaa radius-server rad1 retransmit 5 ->...
  • Page 927: Tacacs+ Server

    TACACS+ Server Terminal Access Controller Access Control System (TACACS+) is a standard authentication and accounting protocol defined in RFC 1321 that employs TCP for reliable transport. A built-in TACACS+ client is available in the switch. A TACACS+ server allows access control for routers, network access servers, and other networked devices through one or more centralized servers.
  • Page 928: Configuring The Tacacs+ Client

    Configuring the TACACS+ Client Use the aaa tacacs+-server command to configure TACACS+ parameters on the switch. TACACS+ server keywords: timeout, host, port. When creating a new server, at least one host name or IP address (specified by the host keyword) is required as well as the shared secret (specified by the key keyword).
  • Page 929: Ldap Servers

    (Each server type has a command line tool or a GUI tool for importing LDIF files.) Database LDIF files can also be copied and used as templates. The schema files and the database files are specific to the server type. The files available on the Alcatel-Lucent Enterprise software CD include the following: aaa_schema.microsoft.ldif...
  • Page 930: Ldap Server Details

    LDAP Server Details LDAP servers must be configured with the properly defined LDAP schema and correct database suffix, including well-populated data. LDAP schema is extensible, permitting entry of user-defined schema as needed. LDAP servers are also able to import and export directory databases using LDIF (LDAP Data Interchange Format).
  • Page 931: Directory Entries

    This is how the entry would appear with actual data in it.
    dn: uid=yname, ou=people, o=yourcompany
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    cn: your name
    sn: last name
    givenname: first name
    uid: yname
    ou: people
    description: <list of optional attributes>...
  • Page 932: Directory Searches

    In addition to managing attributes in directory entries, LDAP makes the descriptive information stored in the entries accessible to other applications. The general structure of entries in a directory tree is shown in the following illustration. It also includes example entries at various branches in the tree. Figure: directory tree (ROOT; dn=c=US; c=Canada...)
  • Page 933: Directory Compare And Sort

    All attributes are automatically deleted when requests to delete the last value of an attribute are submitted. Attributes can also be deleted by specifying delete value operations without attaching any values. Modified attribute values are replaced with other given values by submitting replace requests to the server, which then translates and performs the requests.
  • Page 934: Password Policies And Directory Servers

    Search components and descriptions: <base_dn> — DN of the directory entry where the search is initiated. <attributes> — Attributes to be returned for entry search results. All attributes are returned if search attributes are not specified. <scope> — Different results are retrieved depending on the scopes associated with entry searches.
  • Page 935: Directory Server Schema For Ldap Authentication

    Directory Server Schema for LDAP Authentication Object classes and attributes need to be modified accordingly to include LDAP authentication in the network (object classes and attributes are used specifically here to map user account information contained in the directory servers).
  • Page 936: Configuring Functional Privileges On The Server

    OmniSwitch AOS Release 8 Switch Management Guide. Configuring Authentication Key Attributes The alp2key tool is provided on the Alcatel-Lucent Enterprise software CD for computing SNMP authentication keys. The alp2key application is supplied in two versions, one for Unix (Solaris 2.5.1 or higher) and one for Windows (NT 4.0 and higher).
  • Page 937: Ldap Accounting Attributes

    • User account ID or username the client entered to log in: variable length digits. • Time Stamp: YYYYMMDDHHMMSS (YYYY: year, MM: month, DD: day, HH: hour, MM: minute, SS: second). • Switch serial number: Alcatel-Lucent.BOP.<switch name>.<MAC address> • Client IP address: variable length digits. Fields Included for Layer 2 Authentication Only •...
  • Page 938: Dynamic Logging

    • Number of frames received on the port during the client session from log-in to log-out: variable length digits. • Number of frames sent on the port during the client session from log-in to log-out: variable length digits.
  • Page 939: Configuring The Ldap Authentication Client

    Each switch that is connected to the LDAP-enabled directory server has a DN starting with bop-basemac-xxxxx, ou=bop-logging. If the organizational unit ou=bop.logging exists somewhere in the tree under searchbase, logging records are written on the server. See the documentation of the server manufacturer for more information about setting up the server.
  • Page 940: Creating An Ldap Authentication Server

    The keywords for the aaa ldap-server command are listed here. Required for creating: host, password, base. Optional: type, retransmit, timeout, port. Creating an LDAP Authentication Server An example of creating an LDAP server: -> aaa ldap-server ldap2 host 10.10.3.4 dn cn=manager password tpub base c=us In this example, the switch can communicate with an LDAP server (called ldap2) that has an IP address of 10.10.3.4, a domain name of cn=manager, a password of tpub, and a searchbase of c=us.
  • Page 941: Verifying The Authentication Server Configuration

    Verifying the Authentication Server Configuration To set up SSL on the server, specify ssl with the aaa ldap-server command: -> aaa ldap-server ldap2 ssl The switch automatically sets the port number to 636 when SSL is enabled. The 636 port number is typically used on LDAP servers for SSL.
  • Page 942 32 Configuring Port Mapping Port Mapping is a security feature that controls communication between peer users. Each session comprises a session ID, a set of user ports, and/or a set of network ports. The user ports within a session cannot communicate with each other and can only communicate through network ports.
  • Page 943: Chapter 32 Configuring Port Mapping

    Port Mapping Defaults The following table shows port mapping default values (Parameter Description; CLI Command; Default Value/Comments): Mapping Session Creation; port-mapping user-port network-port; No mapping sessions. Mapping Status Configuration; port-mapping; Disabled. Port Mapping Direction; port-mapping unidirectional | bidirectional; Bidirectional...
  • Page 944: Quick Steps For Configuring Port Mapping

    Quick Steps for Configuring Port Mapping Follow the steps below for a quick tutorial on configuring port mapping sessions. Additional information on how to configure each command is given in the subsections that follow. Create a port mapping session with the user ports, network ports, or both user ports and network ports with the port-mapping user-port network-port...
  • Page 945: Creating/Deleting A Port Mapping Session

    Creating/Deleting a Port Mapping Session Before port mapping can be used, it is necessary to create a port mapping session. The following subsections describe how to create and delete a port mapping session with the port-mapping user-port network-port port-mapping...
  • Page 946: Enabling/Disabling A Port Mapping Session

    Enabling/Disabling a Port Mapping Session By default, the port mapping session is disabled. The following subsections describe how to enable and disable the port mapping session with the port-mapping command. Enabling a Port Mapping Session To enable a port mapping session, enter port-mapping followed by the session ID and enable.
  • Page 947: Sample Port Mapping Configuration

    Sample Port Mapping Configuration This section provides an example port mapping network configuration. In addition, a tutorial is also included that provides steps on how to configure the example port mapping session using the Command Line Interface (CLI).
  • Page 948: Example Port Mapping Configuration Steps

    Example Port Mapping Configuration Steps The following steps provide a quick tutorial to configure the port mapping session shown in the diagram on page 32-6. Configure session 1 on Switch A in the unidirectional mode using the following command: ->...
  • Page 949: Chapter 33 Configuring Learned Port Security

    33 Configuring Learned Port Security Learned Port Security (LPS) provides a mechanism for authorizing source learning of MAC addresses on Ethernet ports. The only types of Ethernet ports that LPS does not support are link aggregate and 802.1Q trunked link aggregate ports. Using LPS to control source MAC address learning provides the following benefits: •...
  • Page 950: Learned Port Security Defaults

    Learned Port Security Defaults (Parameter Description; Command; Default): LPS status for a port; port-security; disabled. Number of learned MAC addresses allowed on an LPS port; port-security maximum; ... Maximum number of filtered MAC addresses that the LPS port can ...; port-security port max-filtering...
  • Page 951: Sample Learned Port Security Configuration

    Sample Learned Port Security Configuration This section provides a quick tutorial to perform the following tasks: • Enabling LPS on a set of switch ports. • Defining the maximum number of learned MAC addresses allowed on an LPS port. •...
  • Page 952 -> show port-security learning-window Learning-Window 30 min, Convert-to-static DISABLE, No Aging DISABLE, Boot Up ENABLE, Learn As Static DISABLE, Mac Move DISABLE, Remaining Learning Window = 1796 sec, ...
  • Page 953: Learned Port Security Overview

    Learned Port Security Overview Learned Port Security (LPS) provides a mechanism for controlling network device access on one or more switch ports. Configurable LPS parameters allow the user to restrict the source learning of host MAC addresses to: •...
  • Page 954: Mac Address Types

    • Allow MAC movement. When this option is enabled, a pseudo-static MAC address learned on one port can move to another port in the same VLAN without getting dropped. • Automatically learn MAC addresses as static MAC addresses. When this option is enabled, learned MAC addresses are automatically converted to static MAC addresses during the learning window time.
  • Page 955 MAC Address Behavior on LPS Ports The following table shows how LPS MAC addresses are treated when specific switch or LPS actions are taken: Action | Static | Pseudo-Static | Dynamic Bridged | Dynamic Filtered LPS port removed | Flushed | Flushed | Flushed | ...
  • Page 956: Dynamic Configuration Of Authorized Mac Addresses

    Dynamic Configuration of Authorized MAC Addresses When LPS is configured on a switch port, the learning of source MAC addresses is initiated. An entry containing the address and the port that learns the MAC address is made in an LPS database table. This entry is used as the criterion for authorizing future traffic from the source MAC address on that same port.
  • Page 957: Interaction With Other Features

    • All MAC addresses learned on the port. • The management status for the MAC address entry; configured or dynamic. If the LPS port is shut down or the network device is disconnected from the port, the LPS table entries and the source learning MAC address table entries for the port are automatically cleared.
  • Page 958: Configuring Learned Port Security

    Configuring Learned Port Security This section describes how to use Command Line Interface (CLI) commands to configure Learned Port Security (LPS) on a switch. See “Sample Learned Port Security Configuration” on page 33-3 for a brief tutorial on configuring LPS.
  • Page 959 Enabling LPS Functionality on a Port By default, LPS is disabled on all switch ports. To enable LPS on a port, use the port-security command with the admin-state enable parameter. For example, the following command enables LPS on port 1/4: ->...
  • Page 960: Configuring The Lps Learning Window

    Configuring the LPS Learning Window By default, the LPS source learning window time limit is set to infinity. This means that there is no limit on the amount of time during which MAC addresses are learned on all LPS ports. To limit the amount of time that source learning is allowed on LPS ports, use the port-security learning-window command.
  • Page 961 mac-move Specifies whether or not a pseudo-static MAC address learned on one LPS port can move to another LPS port in the same VLAN without getting dropped. See “Configuring the MAC Movement Status”...
  • Page 962 The following command disables this option for the learning window: -> port-security learning-window 30 convert-to-static disable If the LPS learning window is set to a specific time and the convert-to-static option is enabled, the convert-to-static option is automatically disabled when the learning window time is set to zero.
  • Page 963: Configuring The Number Of Bridged Mac Addresses Allowed

    By default, the MAC movement option is disabled. To enable this option for the learning window, use the following command: -> port-security learning-window 30 mac-move enable The following command disables this option for the learning window: ->...
  • Page 964: Configuring The Number Of Filtered Mac Addresses Allowed

    Configuring the Trap Threshold for Bridged MAC Addresses The LPS trap threshold value determines how many bridged MAC addresses the port must learn before a trap is sent. Once this value is reached, a trap is sent for every MAC learned thereafter. By default, when one bridged MAC address is learned on an LPS port, the switch sends a trap.
  • Page 965: Selecting The Security Violation Mode

    -> port-security port 2/1-4 mac-range low 00:20:d0:59:0c:9a high 00:20:d0:59:0c:9f To restore the range to the default values, use the port-security command followed by the port keyword, the slot/port designation of the port, and mac-range. The MAC address range is restored to 00:00:00:00:00:00 and ff:ff:ff:ff:ff:ff when the low and high MAC addresses are omitted.
  • Page 966 To configure the security violation mode for multiple LPS ports, specify a range of ports or multiple slots. For example: -> port-security port 4/1-10 violation shutdown -> port-security port 1/10-15 violation restrict Note.
  • Page 967: Displaying Learned Port Security Information

    Displaying Learned Port Security Information To display Learned Port Security (LPS) port and table information, use the show commands listed below: show port-security Displays the LPS configuration and table entries. show port-security learning-window Displays the amount of time during which source learning can occur on all LPS ports.
  • Page 968: In This Chapter

    34 Diagnosing Switch Problems Several tools are available for diagnosing problems that occur with the switch. These tools include: • Port Mirroring • Port Monitoring • sFlow • Remote Monitoring (RMON) probes • Switch Health Monitoring Port mirroring copies all incoming and outgoing traffic from configured mirror ports to a second mirroring Ethernet port, where it can be monitored with a Remote Network Monitoring (RMON) probe or network analysis device without disrupting traffic flow on the mirrored port.
  • Page 969 • Disabling a Port Monitoring Session—see “Disabling a Port Monitoring Session” on page 34-19. • Deleting a Port Monitoring Session—see “Deleting a Port Monitoring Session” on page 34-19. • Pausing a Port Monitoring Session—see “Pausing a Port Monitoring Session”...
  • Page 970: Port Mirroring Overview

    Port Mirroring Overview The following sections detail the specifications, defaults, and quick set up steps for the port mirroring feature. Detailed procedures are found in “Port Mirroring” on page 34-9. Port Mirroring Defaults The following table shows port mirroring default values. Parameter Description | CLI Command | Default Value/Comments...
  • Page 971: Port Monitoring Overview

    Port Monitoring Overview The following sections detail the specifications, defaults, and quick set up steps for the port monitoring feature. Detailed procedures are found in “Port Monitoring” on page 34-18. Port Monitoring Defaults The following table shows port monitoring default values. Parameter Description | CLI Command | Default Value/Comments...
  • Page 972: Sflow Overview

    sFlow Overview The following sections detail the specifications, defaults, and quick set up steps for the sFlow feature. Detailed procedures are found in “sFlow” on page 34-23. sFlow Defaults The following table shows sFlow default values: Parameter Description | CLI Command | Default Value/Comments...
  • Page 973 Follow the steps below to create an sFlow sampler session. To create an sFlow sampler session, use the sflow sampler command by entering sflow sampler, followed by the instance ID, port list, receiver, and the rate. For example: ->...
  • Page 974: Remote Monitoring (Rmon) Overview

    Remote Monitoring (RMON) Overview The following sections detail the specifications, defaults, and quick set up steps for the RMON feature. Detailed procedures are found in “Remote Monitoring (RMON)” on page 34-28. RMON Probe Defaults The following table shows Remote Network Monitoring default values.
  • Page 975: Switch Health Overview

    Switch Health Overview The following sections detail the specifications, defaults, and quick set up steps for the switch health feature. Detailed procedures are found in “Monitoring Switch Health” on page 34-35. Switch Health Defaults The following table shows Switch Health default values.
  • Page 976: Port Mirroring

    Port Mirroring On chassis-based or standalone switches, you can set up port mirroring sessions between Ethernet ports within the same switch. All Ethernet ports support port mirroring. When port mirroring is enabled, the active “mirrored” port transmits and receives network traffic normally, and the “mirroring”...
  • Page 977: What Happens To The Mirroring Port

    [Figure: Relationship Between Mirrored and Mirroring Ports. A workstation is attached to the mirrored (active) port, which carries incoming and outgoing frames; the mirroring (monitoring) port carries copies of those incoming and outgoing frames.] What Happens to the Mirroring Port The Mirroring Port (MTP) cannot be assigned to a port with a tagged VLAN configured on it. Once the Mirroring Port (MTP) is configured, the port does not belong to any VLAN.
  • Page 978 mirrored port before being sent over the switch backplane to an NMS station. Therefore, management frames destined for the RMON probe are first forwarded out of the mirrored port. After being received on the mirrored port, copies of the frames are mirrored out of the mirroring port—the probe attached to the mirroring port receives the management frames.
  • Page 979: Remote Port Mirroring

    Remote Port Mirroring Remote Port Mirroring expands the port mirroring functionality by allowing mirrored traffic to be carried over the network to a remote switch. With Remote Port Mirroring, the traffic is carried over the network using a dedicated Remote Port Mirroring VLAN; no other traffic is allowed on this VLAN.
  • Page 980: Creating A Mirroring Session

    Creating a Mirroring Session Before port mirroring can be used, it is necessary to create a port mirroring session. The port-mirroring source destination CLI command can be used to create a mirroring session between a mirrored (active) port and a mirroring port.
  • Page 981: Unblocking Ports (Protection From Spanning Tree)

    Unblocking Ports (Protection from Spanning Tree) Spanning tree is disabled by default on an MTP port. When an unblocked VLAN is configured, the VLAN ID specified is assigned to the MTP port as the default VLAN, which allows inbound traffic on the port and the handling of traffic for that VLAN ID.
  • Page 982: Configuring Port Mirroring Direction

    Configuring Port Mirroring Direction By default, port mirroring sessions are bidirectional. To configure the direction of a port mirroring session between a mirrored port and a mirroring port, use the port-mirroring source destination CLI command by entering port-mirroring, followed by the port mirroring session ID number, the source and destination slot/ports, and bidirectional, inport, or outport.
  • Page 983: Displaying Port Mirroring Status

    Displaying Port Mirroring Status To display port mirroring status, use the show port-mirroring status command. To display all port mirroring sessions, enter: -> show port-mirroring status 6 Session | Mirror Destination | Mirror Direction | Unblocked Vlan | Config Status | Oper Status...
  • Page 984: Configuring Remote Port Mirroring

    Configuring Remote Port Mirroring This section describes the steps required to configure Remote Port Mirroring between Source, Intermediate, and Destination switches. The following diagram shows an example of a Remote Port Mirroring configuration: Destination switch Intermediate switch Local MTP...
  • Page 985: Port Monitoring

    Configuring Destination Switch Follow the steps given below to configure the Destination Switch: -> vlan 1000 -> spantree vlan 1000 admin-state disable -> vlan 1000 members port 3/1-2 tagged Enter the following QoS commands to override source learning: ->...
  • Page 986: Configuring A Port Monitoring Session

    Configuring a Port Monitoring Session To configure a port monitoring session, use the port-monitoring source command by entering port-monitoring, followed by the user-specified session ID number, source, the slot number of the port to be monitored, a slash (/), and the port number of the port.
  • Page 987: Pausing A Port Monitoring Session

    Pausing a Port Monitoring Session To pause a port monitoring session, use the port-monitoring command by entering port-monitoring, followed by the port monitoring session ID and pause. For example, to pause port monitoring session 6, enter: ->...
  • Page 988: Configuring Port Monitoring Direction

    To select the type of port monitoring information captured, use the port-monitoring source command by entering port-monitoring, followed by the user-specified session ID number, source, the slot number of the port to be monitored, a slash (/), the port number of the port, file, the name of the file, and the capture-type keyword followed by the keyword full or brief.
  • Page 989: Configuring The Capture Type

    Configuring the Capture Type To configure the amount of data to be captured, use the port-monitoring source capture-type command. If the capture type is set to ‘brief’, only the first 64 bytes of each packet are captured. If the capture type is set to ‘full’, the full packet is captured regardless of the packet size.
  • Page 990: Sflow

    sFlow sFlow is a network monitoring technology that gives visibility into the activity of the network by providing network usage information. It provides the data required to effectively control and manage network usage. sFlow is a sampling technology that meets the requirements for a network traffic monitoring solution.
  • Page 991: Sampler

    Sampler The sampler is the module that gathers packet samples and fills in the sampler part of the UDP datagram. Poller The poller is the module that gets counter samples from the Ethernet driver and fills in the counter part of the UDP datagram.
  • Page 992: Configuring A Fixed Primary Address

    To configure an sFlow poller session, use the sflow poller command by entering sflow poller, followed by the instance ID number, the slot number of the port to be monitored, a slash (/), the port number of the port, and receiver, then the receiver_index.
  • Page 993: Displaying A Sflow Sampler

    Displaying a sFlow Sampler The show sflow sampler command is used to display the sampler table. For example, to view the sFlow sampler table, enter the show sflow sampler command without specifying any additional parameters. A screen similar to the following example is displayed: ->...
  • Page 994: Displaying A Sflow Agent

    A screen similar to the following example is displayed: -> show sflow agent Agent Version = 1.3; Alcatel-Lucent; 6.1.1 Agent IP = 127.0.0.1 Note. For more information about the displays that result from these commands, see the OmniSwitch AOS Release 8 CLI Reference Guide.
  • Page 995: Remote Monitoring (Rmon)

    Remote Monitoring (RMON) Remote Network Monitoring (RMON) is an SNMP-based protocol used to manage networks remotely. RMON probes can be used to collect, interpret, and forward statistical data about network traffic from designated active ports in a LAN segment to an NMS (Network Management System) application for monitoring and analysis without negatively impacting network performance.
  • Page 996: Ethernet Statistics

    RMON probes can be enabled or disabled through CLI commands. Configuration of alarm threshold values for RMON traps is a function reserved for RMON-monitoring NMS stations. This feature supports basic RMON 4 group implementation in compliance with RFC 2819, including the Ethernet Statistics, History (Control &...
  • Page 997: Enabling Or Disabling Rmon Probes

    Enabling or Disabling RMON Probes To enable or disable an individual RMON probe, enter the rmon probes CLI command. Be sure to specify the type of probe (stats/history/alarm), followed by the entry number (optional), as shown in the following examples.
  • Page 998: Displaying Rmon Tables

    Displaying RMON Tables Two separate commands can be used to retrieve and view Remote Monitoring data: show rmon probes and show rmon events. The retrieved statistics appear in a table format (a collection of related data that meets the criteria specified in the command you entered).
  • Page 999: Displaying Statistics For A Particular Rmon Probe

    Displaying Statistics for a Particular RMON Probe To view statistics for a particular current RMON probe, enter the show rmon probes command, specifying the entry number of that probe, such as: -> show rmon probes 4005 A display showing statistics for the specified RMON probe appears, as shown in the following sections.
  • Page 1000: Sample Display For History Probe

    Sample Display for History Probe The display shown here identifies RMON Probe 10325’s Owner description and interface location (Analyzer-p:128.251.18.166 on slot 1, port 35), the total number of History Control Buckets (samples) requested and granted (2), along with the time interval for each sample (30 seconds) and the system-generated Sample Index ID number (5859).
