Switch Configuration SS2GR50i / SS2GR26i / SS2GR26ip

Overview

The SS2GR50i/26i/26ip series Layer 2/4 Gigabit Ethernet Switch is a high performance routing switch that can be deployed as an aggregation device for enterprise and campus networks. The switch supports a variety of network interfaces from 100Mb, 1000Mb to 10 GB Ethernet.
Chapter 4 Port Configuration
4.1 Introduction to Port
4.2 Network Port Configuration
4.3 Port Configuration Example
4.4 Port Troubleshooting
Chapter 5 Port Loopback Detection Function Configuration
5.1 Introduction to Port Loopback Detection Function
25.3 The Number Limitation Function of Port, MAC in VLAN Typical Examples
25.4 The Number Limitation Function of Port, MAC in VLAN Troubleshooting
Chapter 26 Operational Configuration of AM Function
26.1 Introduction to AM Function
Chapter 1 Switch Management

1.1 Management Options

After purchasing the switch, the user needs to configure the switch for network management. SS2GR50i/26i series switch provides two management options: in-band management and out-of-band management.

1.1.1 Out-of-band management

Out-of-band management is the management through Console interface. Generally, the user will use out-of-band management for the initial switch configuration, or when in-band management is not available.
PC machine: Has a functional keyboard and RS-232 port, with a terminal emulator installed, such as HyperTerminal included in Windows 9x/NT/2000/XP.
Serial port cable: One end attaches to the RS-232 serial port, the other end to the Console port.
Fig 1-3 Opening HyperTerminal 2

3) In the ‘Connecting using’ drop-list, select the RS-232 serial port used by the PC, e.g. COM1, and click ‘OK’.

Fig 1-4 Opening HyperTerminal 3

4) COM1 property appears, select ‘9600’ for ‘Baud rate’, ‘8’ for ‘Data bits’, ‘none’ for ‘Parity checksum’, ‘1’...
Step 3: Entering switch CLI interface

Power on the switch. The following appears in the HyperTerminal window, which is the CLI configuration mode for the SS2GR50i/26i series switch:

switch>

The user can now enter commands to manage the switch. For a detailed description of the commands, please refer to the following chapters.
3) If not 2), Telnet client can connect to an IPv4/IPv6 address of the switch via other devices, such as a router. SS2GR50i/26i series switch is a Layer 3 switch that can be configured with several IPv4/IPv6 addresses. The following example assumes the shipment status of the switch where only VLAN1 exists in the system.
Run Telnet client program included in Windows with the specified Telnet target.

Fig 1-7 Run telnet client program included in Windows

Step 3: Login to the switch

Log in to the Telnet configuration interface. A valid login name and password are required, otherwise the switch will reject Telnet access.
Fig 1-8 Telnet Configuration Interface

1.1.2.2 Management via HTTP

To manage the switch via HTTP, the following conditions should be met:
1) Switch has an IPv4/IPv6 address configured
2) The host IPv4/IPv6 address (HTTP client) and the switch’s VLAN interface IPv4/IPv6 address are in the same network segment;...
Fig 1-9 Connect through HTTP Protocol

When accessing a switch with an IPv6 address, it is recommended to use the Firefox browser, version 1.5 or later. For example, if the IPv6 address of the switch is ‘3ffe:506:1:2::3’, enter the switch address in the address bar: http://[3ffe:506:1:2::3], where the address should be in square brackets.
Management via SNMP network management software: once the host can ping an IP address of the switch, run the SNMP network management software; it will find the SS2GR50i/26i series switch and operate it with read-write permission. For more detail please refer to the ‘Snmp Network Management Software Usage Guide’.
Or, when exit command is run under Global Mode, it will also return to the Admin Mode. SS2GR50i/26i series Switch also provides a shortcut key sequence ‘Ctrl+z’, this allows an easy way to exit to Admin Mode from any configuration mode (except User Mode).
Interface Mode for configuration of all the interfaces.

Interface Configuration Mode

Using the interface command under Global Mode, the user can enter the specified interface mode. SS2GR50i/26i series Switch provides three interface types: VLAN interface, Ethernet port and port-channel, and accordingly three interface configuration modes. Interface...
etc.

VLAN Configuration Mode

Using the vlan <vlan-id> command under Global Mode, the user can enter the corresponding VLAN Mode. Under VLAN Mode the user can configure all member ports of the corresponding VLAN. Run the exit command to exit the VLAN Mode to Global Mode.
1.2.2 Configuration Syntax

SS2GR50i/26i series switch provides various configuration commands. Although all the commands are different, they all abide by the syntax for SS2GR50i/26i series Switch configuration commands. The general command format of SS2GR50i/26i series Switch is shown below:

cmdtxt <variable> { enum1 | … | enumN } [option]

Conventions: cmdtxt in bold font indicates a command keyword;...
1.2.4 Help Function There are two ways in SS2GR50i/26i series switch for the user to access help information: the ‘help’ command and the ‘?’. Access to Help...
The switch shows an error when the user inputs a wrong command, parameter, type and format.

1.2.6 Fuzzy Match Support

SS2GR50i/26i series switch shell supports fuzzy match in searching commands and keywords. The shell will recognize commands or keywords correctly if the entered string causes no conflict.
Chapter 2 Basic Switch Configuration

2.1 Basic Switch Configuration Commands

Basic switch configuration includes commands for entering and exiting the admin mode, commands for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc.
Telnet server. SS2GR50i/26i series switch can be either the Telnet server or the Telnet client. When SS2GR50i/26i series switch is used as the Telnet server, the user can use the Telnet client program included in Windows or other operating systems to log in to SS2GR50i/26i series switch, as described earlier in the In-band management section.
Command: telnet-server securityip <ip-addr>
         no telnet-server securityip <ip-addr>
Explanation: Configure the secure IP address to login to the switch through Telnet; the ‘no telnet-server securityip <ip-addr>’ command deletes the authorized Telnet secure address.

authentication login Configure...
Global Mode
Command: ssh-server enable
         no ssh-server enable
Explanation: Enable SSH function on the switch; the ‘no ssh-server enable’ command disables SSH function.

Configure the username and password of SSH client software for logging on the ssh-user <user-name>...
Switch(Config)#ssh-server enable

2.3 Switch IP Addresses Configuration

All Ethernet ports of SS2GR50i/26i series switch default to Data Link layer ports and perform layer 2 forwarding. A VLAN interface represents a Layer 3 interface function which can be assigned an IP address, which is also the IP address of the switch.
SNMP protocol provides a simple way to exchange network management information between two points in the network. SNMP employs a polling mechanism of message query, and transmits messages through UDP (a connectionless transport layer protocol). Therefore it is well supported by the existing computer networks.
The network management information accessed by NMS is well defined and organized in a Management Information Base (MIB). MIB is pre-defined information which can be accessed by network management protocols. It is in layered and structured form. The pre-defined management information can be obtained from monitored network devices.
2.4.3 Introduction to RMON

RMON is the most important expansion of the standard SNMP. RMON is a set of MIB definitions, used to define standard network monitor functions and interfaces, enabling the communication between SNMP management terminals and remote monitors.
command disables SNMP Agent function on the switch.

2. Configure SNMP community string

Command: snmp-server community {ro|rw} <string>
         no snmp-server community <string>
Explanation: Configure the community string for the switch; the ‘no snmp-server community <string>’ command deletes the configured...
Command: snmp-server group <group-string> {NoauthNopriv|AuthNopriv|AuthPriv} [[read <read-string>] [write <write-string>] [notify <notify-string>]]
         no snmp-server group <group-string>...
Explanation: Set the group information on the switch. This command is used to configure VACM for SNMP v3.
Scenario 1: The NMS network administrative software uses SNMP protocol to obtain data from the switch. The configuration on the switch is listed below:

Switch(config)#snmp-server enable
Switch(Config)#snmp-server community rw private
Switch(Config)#snmp-server community ro public
Switch(Config)#snmp-server securityip 1.1.1.5...
Switch(config)#snmp-server enable
Switch(config)#snmp-server community rw private
Switch(config)#snmp-server community ro public
Switch(config)#snmp-server securityip 2004:1:2:3::2

NMS can use private as a group character string to access the switch by read and write, and use public as a group character string to access the switch only by read.
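An audit of the SNMP settings shown in the two scenarios above, as an added example that is not part of the manual: it parses CLI lines in the manual's command syntax and flags the well-known community strings public and private, any read-write community, and communities left without an snmp-server securityip entry. The function names, finding codes and the second and third sample configurations are constructed for illustration, and securityip is assumed to limit which NMS addresses are accepted, as the scenarios use it.

```python
import re

# Community strings used in vendor examples; scanners try these first.
WELL_KNOWN = {"public", "private"}

# Matches a CLI prompt such as "Switch(config)#" or "Switch(Config)# ".
PROMPT = re.compile(r"^\s*\S*?\([^)]*\)#\s*")


def parse_snmp(config_text):
    """Collect SNMP settings from CLI lines written in the manual's syntax."""
    state = {"enabled": False, "communities": {}, "securityip": set()}
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw).split()
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if len(words) < 2 or words[0] != "snmp-server":
            continue
        if words[1] == "community":
            if negate and len(words) == 3:
                # no snmp-server community <string>
                state["communities"].pop(words[2], None)
            elif not negate and len(words) == 4:
                # snmp-server community {ro|rw} <string>
                state["communities"][words[3]] = words[2].lower()
        elif negate:
            continue  # other "no" forms are not shown on the page; ignored
        elif words[1] == "enable":
            state["enabled"] = True
        elif words[1] == "securityip" and len(words) == 3:
            state["securityip"].add(words[2])
    return state


def audit_snmp(config_text):
    """Return a sorted list of (code, detail) findings for the SNMP settings."""
    state = parse_snmp(config_text)
    if not state["enabled"]:
        return []
    findings = []
    for string, access in state["communities"].items():
        if string.lower() in WELL_KNOWN:
            findings.append(("DEFAULT_COMMUNITY", string))
        if access == "rw":
            findings.append(("RW_COMMUNITY", string))
    if state["communities"] and not state["securityip"]:
        findings.append(("NO_SECURITYIP", "no NMS address restriction"))
    return sorted(findings)


# Scenario 1 as printed in the manual (prompt capitalisation varies there too).
SCENARIO_1 = """\
Switch(config)#snmp-server enable
Switch(Config)# snmp-server community rw private
Switch(Config)#snmp-server community ro public
Switch(Config)#snmp-server securityip 1.1.1.5
"""

# Constructed: read-only, non-default community, restricted to one NMS.
HARDENED = """\
Switch(config)#snmp-server enable
Switch(config)#snmp-server community ro EXAMPLE-ro-string
Switch(config)#snmp-server securityip 1.1.1.5
"""

# Constructed: the rw community is deleted again, but no securityip is set.
UNRESTRICTED = """\
snmp-server enable
snmp-server community rw private
snmp-server community ro EXAMPLE-ro-string
no snmp-server community private
"""

if __name__ == "__main__":
    for name, text in [("scenario 1", SCENARIO_1),
                       ("hardened", HARDENED),
                       ("unrestricted", UNRESTRICTED)]:
        print(name, audit_snmp(text))
```
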
2.5 Switch Firmware Upgrade

2.5.1 Switch System Files

The system files include the system image file and the boot file. Updating the switch means updating these two files by overwriting the old files with the new ones.
Fig 2-2 Typical topology for switch upgrade in BootROM mode

The upgrade procedures are listed below:

Step 1: As shown in the figure, a PC is used as the console for the switch. A console cable is used to connect PC to the management port on the switch.
Step 4: Enable FTP/TFTP server in the PC. For TFTP, run TFTP server program; for FTP, run FTP server program. Before starting to download the upgrade file to the switch, verify the connectivity between the server and the switch by ping from the server.
interface.

[Boot]:run(or reboot)

Other commands in BootROM mode

1. DIR command
Used to list existing files in the FLASH.

[Boot]: dir
boot.rom    327,440    1900-01-01 00:00:00  --SH
boot.conf   83         1900-01-01 00:00:00  --SH
nos.img     2,431,631  1980-01-01 00:21:34  ----...
FTP in Global Mode to be nos.img, other IMAGE system files will be rejected.

Boot file: refers to the file that initializes the switch, also referred to as the ROM upgrade file (Large size file can be compressed as IMAGE file). In SS2GR50i/26i series switch, the boot file is allowed to...
save in ROM only. SS2GR50i/26i series switch mandates the name of the boot file to be boot.rom.

Configuration file: including start up configuration file and running configuration file. The distinction between start up configuration file and running configuration file can facilitate the backup and update of the configurations.
(3) Configure retransmission times before timeout for packets without acknowledgement
(4) Shut down TFTP server

1. FTP/TFTP client configuration

(1) FTP/TFTP client upload/download file

Admin Mode
Command: copy <source-url> <destination-url>...
Explanation: FTP/TFTP client upload/download file
3. TFTP server configuration

(1) Start TFTP server

Global Mode
Command: tftp-server enable
         no tftp-server enable
Explanation: Start TFTP server; the ‘no tftp-server enable’ command shuts down TFTP server and prevents TFTP user from logging in.
Fig-2-3 Download nos.img file as FTP/TFTP client

Scenario 1: The switch is used as FTP/TFTP client. The switch connects from one of its ports to a computer, which is an FTP/TFTP server with an IP address of 10.1.1.1; the switch acts as an FTP/TFTP client, the IP address of the switch management VLAN is 10.1.1.2.
Login to the switch with any TFTP client software, use the ‘tftp’ command to download ‘nos.img’ file from the switch to the computer. Scenario 4: SS2GR50i/26i series switch acts as FTP client to view file list on the FTP server. Synchronization conditions: The switch connects to a computer by an Ethernet port, the computer is a FTP server with an IP address of 10.1.1.1;...
FTP Configuration

PC side: Start the FTP server software on the PC and set the username ‘Switch’, and the password ‘Admin’.

SS2GR50i/26i series switch:

Switch(Config)#inter vlan 1
Switch(Config-If-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-If-Vlan1)#no shut
Switch(Config-If-Vlan1)#exit
Switch(Config)#dir ftp://Switch:superuser@10.1.1.1...
close ftp client.

The following is the message displayed when files are successfully received. Otherwise, please verify link connectivity and retry the ‘copy’ command.

220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
************************
write ok
transfer complete
close tftp client.

If the switch is upgrading the system file or system start up file through TFTP, the switch must not be restarted until ‘close tftp client’ is displayed, indicating the upgrade is successful; otherwise the switch may be rendered unable to start.
Chapter 3 Cluster network management Configuration

3.1 Introduction to Cluster network management

Cluster network management is an in-band configuration management. Unlike CLI, SNMP and Web Config which implement a direct management of the target switches through a management workstation, cluster network management implements a direct management of the target switches (member switches) through an intermediate switch (commander switch).
3.2 Cluster Network Management Configuration

Cluster Network Management Configuration Sequence:
Enable or disable cluster function
Create cluster
1) Create or delete cluster
2) Configure private IP address pool for member switches of the cluster...
Command: cluster member {candidate-sn <cand-sn> | mac-address <mac-add> [<mem-id>] }[password <pass>]
         no cluster member <mem-id>
Explanation: Add or remove a member switch

3. Configure attributes of the cluster in the commander switch

Command...
5. Remote cluster network management

Admin Mode
Command: rcommand member <mem-id>
Explanation: In the commander switch, this command is used to configure and manage member switches. In the member switch, this command is...
3.4 Cluster Administrator Troubleshooting

When encountering problems in applying the cluster admin, please check the following possible causes:
If the command switch is correctly configured and the auto adding function (cluster auto-add enable) is enabled.
If the ports connecting the command switch and member switch belong to Vlan1 (assumed to be in Vlan1 under current application).
Whether the connection between the command switch and the member switch is correct.
Chapter 4 Port Configuration

4.1 Introduction to Port

SS2GR50i/26i series switches include copper ports and Combo ports. Combo ports can be configured as 1000Mb copper ports and also as 1000Mb fiber SFP ports, but only one of the two should be chosen.
2. Configure the properties for the Ethernet ports

Interface Mode
Command: combo-forced-mode { copper-forced | copper-preferred-auto | sfp-forced | sfp-preferred-auto }
Explanation: Sets the combo port mode (combo ports only); the “no combo-forced-mode” command restores the default combo mode for combo ports, i.e., fiber ports first.
4.3 Port Configuration Example

Fig 4-1 Port Configuration Example

No VLAN has been configured in the switches, default VLAN1 is used.

Switch Port Property
Ingress bandwidth limit: 50M
Mirror source port 100M/full, mirror source port 1000M/full, mirror destination port...
4.4 Port Troubleshooting

Here are some situations that frequently occur in port configuration and the advised solutions:
Two connected fiber interfaces won’t link up if one interface is set to auto-negotiation but the other to forced speed/duplex.
Chapter 5 Port Loopback Detection Function Configuration

5.1 Introduction to Port Loopback Detection Function

With the development of switches, more and more users begin to access the network through Ethernet switches. In enterprise network, users access the network through layer-2 switches, which means urgent demands for both internet and the internal layer 2 Interworking.
4. Display and debug the relevant information of port loopback detection

1. Configure time interval of loopback detection

Global Mode
Command: loopback-detection interval-time <loopback> <no-loopback>
Explanation: Time interval of loopback detection

2. Enable port loopback detection function...
5.3 Port Loopback Detection Example

Figure 5-1 Port Loopback Detection Example

As is shown in the above figure, the switch will detect the existence of loopbacks in the network topology. After enabling the function of loopback detection on the port connecting the switch with the outside network, the switch will notify the connected network about the existence of a loopback, and control the port on the switch to guarantee the normal operation of the whole network.
Chapter 6 PoE Port Configuration

PoE configuration only applies to PoE model in SS2GR series, e.g. SS2GR26ip.

6.1 PoE Configuration

PoE Configure steps
1. Turn on or off POE in global
2. Configure max output power in global
3.
6.1.4 Configure nonstandard PD detect mode in global

global configure mode
Command: power inline legacy enable
         no power inline legacy enable
Description: Setup power for non IEEE standard PD device. The no command sets up the default configuration.
The PoE switch is named SW1, and the max power supply on PoE is set up to 150W. In this case, the PoE ports are connected to different PD devices listed below:
Interface Ethernet 1/2 connects to IP phone...
6.3 PoE Settings Through Web GUI

PoE settings for each port can be done through web GUI, once you have enabled the web service and added users for the switch.

Figure 6-2 PoE config menu items...
Figure 6-3 Port settings for PoE...
6.4 PoE Troubleshooting

Please check the following information when there are some issues about the POE:
The shown power may be higher than max config power, the following is an example. Port setup power A as the real power for POE B as the total power in port (...
If a port in Port Channel fails, the other ports will undertake traffic of that port through a traffic allocation algorithm. This algorithm is carried out by the hardware. SS2GR50i/26i series switch offers 2 methods for configuring port aggregation: manual Port Channel creation and LACP (Link Aggregation Control Protocol) dynamic Port Channel creation.
For Port Channel to work properly, member ports of the Port Channel must have the same properties as follows:
All ports are in full-duplex mode.
All ports are of the same speed.
All ports are Access ports and belong to the same VLAN or are all Trunk ports.
Figure 7-2 Configuring Port Channel in LACP Example: The switches in the description below are all SS2GR50i/26i series switch and as shown in the figure, ports 1, 2, 3, 4 of Switch1 are access ports that belong to vlan1. Add those four ports to group1 in active mode.
Switch2 (Config-Ethernet1/6)#port-group 2 mode passive
Switch2 (Config-Ethernet1/6)#exit
Switch2 (Config)# interface eth 1/8-10
Switch2 (Config-Port-Range)#port-group 2 mode passive
Switch2 (Config-Port-Range)#exit
Switch2 (Config)#interface port-channel 2
Switch2 (Config-If-Port-Channel2)#

Configuration result: Shell prompts ports aggregated successfully after a while, now ports 1, 2, 3, 4 of Switch 1 form an aggregated port named “Port-Channel1”, ports 1, 2, 3, 4 of Switch 2 form an aggregated port...
Chapter 8 JUMBO Configuration

8.1 JUMBO Introduction

So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally frames sized within 1519-8996 should be considered jumbo frames.
IEEE announced IEEE 802.1Q protocol to direct the standardized VLAN implementation, and the VLAN function of SS2GR50i/26i series switch is implemented following IEEE 802.1Q. The key idea of VLAN technology is that a large LAN can be partitioned into many separate...
Lowering network cost
Enhancing network security

VLAN and GVRP (GARP VLAN Registration Protocol) defined by 802.1Q are implemented in SS2GR50i/26i series switch. The chapter will describe the use and configuration of VLAN and GVRP in detail.

9.1.2 VLAN Configuration Task List

1.
4. Set the switch port type

Interface Mode
Command: switchport mode {trunk|access}
Explanation: Set the current port as Trunk or Access port.

5. Set Trunk port

Interface Mode
Set/delete VLAN allowed to be crossed by Trunk.
VLAN mode
Command: private-vlan association <secondary-vlan-list>
         no private-vlan association
Explanation: Set/delete Private VLAN association

9.1.3 Typical VLAN Application

Scenario:

Figure 9-2 Typical VLAN Application Topology

The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements.
Connect the Trunk ports of both switches for a Trunk link to convey the cross-switch VLAN traffic; connect all network devices to the other ports of corresponding VLANs. In this example, port 1 and port 12 are spare and can be used as management ports or for other purposes.
GVRP (GARP VLAN Registration Protocol) is an application based on the GARP working mechanism. It is responsible for the maintenance of dynamic VLAN register information and propagation of such register information to the other switches. Switches that support GVRP can receive VLAN dynamic register information from the other switches, and update local VLAN register information according to the information received.
9.2.3 Typical GVRP Application

Scenario:

Figure 9-3 Typical GVRP Application Topology

To enable dynamic VLAN information register and update among switches, GVRP protocol is to be configured in the switch. Configure GVRP in Switch A, B and C, enable Switch B to learn VLAN100 dynamically so that the two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries.
The GARP counter setting for Trunk ports at both ends of a Trunk link must be the same, otherwise GVRP will not work properly. It is recommended to avoid enabling GVRP and RSTP at the same time in SS2GR50i/26i series switch. If GVRP is to be enabled, RSTP function for the ports must be disabled first.
Figure 9-4 Dot1q-tunnel based Internetworking mode

As shown in figure above, after being enabled on the user port, dot1q-tunnel assigns each user a SPVLAN identification (SPVID). Here the identification of user is 3. Same SPVID should be assigned for the same network user on different PEs.
Configuration Task Sequence Of Dot1q-Tunnel:
Configure the dot1q-tunnel function on the ports
Configure the type of protocol (TPID) on the ports

1. Configure the dot1q-tunnel function on the ports

Command Explanation
Port mode...
9.4.1 Dynamic VLAN Introduction The dynamic VLAN is named corresponding to the static VLAN (namely the port based VLAN). Dynamic VLAN supported by the SS2GR50i/26i series switch includes MAC-based VLAN, IP-subnet-based VLAN and Protocol-based VLAN. Detailed description is as follows The MAC-based VLAN division is based on the MAC address of each host, namely every host with a MAC address will be assigned to certain VLAN.
The VLAN is divided by the network layer protocol, assigning different protocol to different VLANs. This is very attractive to the network administrators who wish to organize the user by applications and services. Moreover the user can move freely within the network while maintaining his membership.
Command: no mac-vlan {mac <mac-addrss>|all}
Explanation: VLAN, namely specified MAC address join/leave specified VLAN

4. Configure the IP-subnet-based VLAN function on the port

Port Mode
Command: switchport subnet-vlan enable
         no switchport subnet-vlan enable
Explanation: Enable/disable the port IP-subnet-base VLAN function on the port

5.
9.4.3 Typical Application of the Dynamic VLAN

Scenario:

In the office network Department A belongs to VLAN100. Several members of this department often have the need to move within the whole office network. It is also required to ensure the resource for other members of the department to access VLAN 100.
communicate freely within the dynamic VLAN

Figure 9-6 Dynamic VLAN Troubleshooting

9.5 Voice VLAN Configuration

9.5.1 Voice VLAN Introduction

Voice VLAN is specially configured for the user voice data traffic. By setting a Voice VLAN and...
9.5.2 Voice VLAN Configuration

Voice VLAN Configuration Task Sequence
Set the VLAN to Voice VLAN
Add a voice equipment to Voice VLAN
Enable the Voice VLAN on the port

1. Configure the VLAN to Voice VLAN...
Chapter 10 MAC Table Configuration

10.1 Introduction to MAC Table

The MAC table is a table that identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses.
The topology of the figure above: 4 PCs are connected to SS2GR50i/26i series switch, where PC1 and PC2 belong to the same physical segment (same collision domain), and that physical segment connects to port 1/5 of SS2GR50i/26i series switch; PC3 and PC4 belong to the same physical segment that connects to port 1/512 of SS2GR50i/26i series switch.
0/0/12.

2. Filter data according to the MAC table

If PC1 sends a message to PC2, the switch, on checking the MAC table, will find PC2 and PC1 are in the same physical segment and filter the message (i.e. drop this message).
another physical segment; PC2 and PC3 have static mapping set to port 7 and port 9, respectively.

The configuration steps are listed below:

1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address.
1. Enable MAC address binding function for the ports
2. Lock the MAC addresses for a port

MAC address binding property configuration

Enable MAC address binding function for the ports
Command Explanation
Interface Mode...
Command: switchport port-security maximum <value>
         no switchport port-security maximum <value>
Explanation: Set the maximum number of secure MAC addresses for a port; the “no switchport port-security maximum” command restores the default value.

Set the violation mode for the port;...
Chapter 11 MSTP Configuration

11.1 MSTP Introduction

The MSTP (Multiple STP) is a new spanning-tree protocol which is based on the STP and the RSTP. It runs on all the bridges of a bridged-LAN. It calculates a common and internal spanning tree (CIST) for the bridge-LAN which consists of the bridges running the MSTP, the RSTP and the STP.
Fig11-1 Example of CIST and MST Region

In the above network, if the bridges are running the STP or the RSTP, one port between Bridge M and Bridge B should be blocked. But if the bridges in the yellow range run the MSTP and are configured in the same MST region, MSTP will treat this region as a bridge.
regions. The bridges in a MST region receive the MST BPDU of other regions through Boundary Ports. They only process CIST related information and abandon MSTI information.

11.1.2 Port Roles

The MSTP bridge assigns a port role to each port which runs MSTP.
1. Enable MSTP and set the running mode

Global Mode and Interface Mode
Command: spanning-tree
         no spanning-tree
Explanation: Enable/Disable MSTP

Global Mode
Command: spanning-tree mode {mstp|stp}
         no spanning-tree mode
Explanation: Set MSTP running mode

Interface Mode
Command: spanning-tree mcheck
Explanation: Force port migration to run under MSTP

2.
Configuration Guide SS2GR50i/26i/26ip

Global Mode
Command: spanning-tree mst configuration
         no spanning-tree mst configuration
Explanation: Enter MSTP region mode. The “no spanning-tree mst configuration” command restores the default setting.

MSTP region mode
Create Instance and set mapping between instance <instance-id> vlan <vlan-list>...
5. Configure the fast migrate feature for MSTP

Interface Mode
Command: spanning-tree link-type {auto|force-true|force-false}
         no spanning-tree link-type
Explanation: Set the port link type

Command: spanning-tree portfast
         no spanning-tree portfast
Explanation: Set the port to be a boundary port

6. Configure MSTP format...
Page 107
Command / Explanation
Global Mode
  spanning-tree tcflush enable
      Configure the FLUSH mode used when the topology changes. The protocol needs to flush on every topology change, but flushing many times may cause flow instability, so different solutions can be configured to suit the environment.
b) MSTP Example
The following is a typical MSTP application scenario:
Figure 11-1 Typical MSTP Application Scenario
The connections among the switches are shown in the above figure. All the switches run in the MSTP mode by default, their bridge priority, port priority and port route cost are all in the default values (equal).
Page 109
Port 1    200000    200000    200000
Port 2    200000    200000    200000
Port 3    200000    200000
Port 4    200000    200000
Port 5    200000    200000
Port 6    200000    200000
Port 7    200000    200000
By default, the MSTP establishes a tree topology (in blue lines) rooted with Switch1. The ports marked with “x”...
Page 111
Figure 11-2 The Topology Of the Instance 0 after the MSTP Calculation
Figure 11-3 The Topology Of the Instance 3 after the MSTP Calculation...
Figure 11-4 The Topology Of the Instance 4 after the MSTP Calculation
c) MSTP Troubleshooting
In order to run the MSTP on the switch port, the MSTP has to be enabled globally. If the MSTP is not enabled globally, it can’t be enabled on the port.
Chapter 12 QoS Configuration
12.1 QoS Introduction
QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements.
information carried in the packet and ACLs.
Policing: Ingress action of QoS that lays down the policing policy and manages the classified packets.
Remark: Ingress action of QoS that performs allowing, degrading or discarding operations on packets according to the policing policies.
Page 115
classification, policing and remark are sequential ingress actions, and Queuing and Scheduling are QoS egress actions.
Figure 12-3 Basic QoS Model
Classification: Classify traffic according to packet classification information and generate internal DSCP value based on the classification information. For different packet types and switch configurations,...
Page 116
Figure 12-4 Classification process
Policing and remark: Each packet in classified ingress traffic is assigned an internal DSCP value and can be policed and remarked. Policing can be performed based on DSCP value to configure different policies that allocate bandwidth to classified traffic.
Page 117
Figure 12-5 Policing and Remarking process
Queuing and scheduling: At the egress, the internal DSCP value of each packet is re-mapped to a CoS value; the queuing operation assigns packets to the appropriate priority queues according to the CoS value, while the scheduling operation forwards packets according to the prioritized queue weight.
12.2 QoS Configuration
The configuration steps are listed below:
Enable QoS
QoS can be enabled or disabled in Global Mode. QoS must be enabled first in Global Mode to configure the other QoS commands.
Configure class map.
Page 120
<class-map-name>” command deletes the specified class map.
  match {access-group <acl-index-or-name> | ip dscp <dscp-list>| ip precedence <ip-precedence-list>| ipv6 access-group...
      Set matching criterion (classify data stream by ACL, DSCP, VLAN, CoS, or priority, etc) for the class map; the “no match {access-group...
Page 121
degraded; “no policed-dscp-transmit}] police <rate-bps> police <rate-bps> <burst-byte> <burst-byte> [exceed-action {drop policed-dscp-transmit}]” command deletes [exceed-action {drop the specified policy. policed-dscp-transmit}] Define a policy set, perform different actions aggregate-policer to out-of-profile data streams, such as discard <aggregate-policer-name> <rate-bps>...
5. Configure queue out method and weight
Command / Explanation
Interface Mode
  wrr-queue bandwidth <weight1 weight2 weight3 weight4 weight5 weight6 weight7
      Set the WRR weight for specified egress queue; the “no wrr-queue bandwidth” command restores the default setting.
Page 123
Switch#config
Switch(config)#mls qos
Switch(config)#interface ethernet 1/1
Switch(config-Ethernet1/1)#wrr-queue bandwidth 1:1:2:2:4:4:8:8
Switch(config-Ethernet1/1)#mls qos trust cos pass-through dscp
Switch(config-Ethernet1/1)#mls qos cos 5
Configuration result: When QoS is enabled in Global Mode, the egress queue bandwidth proportion of port ethernet 1/1 is 1:1:2:2:4:4:8:8.
Page 124
Figure 12-7 Typical QoS topology
As shown in the figure, inside the block is a QoS domain. SwitchA classifies different traffic and assigns different IP precedences. For example, set IP precedence for packets from segment 192.168.1.0 to 5 on port ethernet 1/1.
Switch(config-Ethernet1/1)#mls qos trust ip-precedence pass-through dscp
12.4 QoS Troubleshooting
QoS is disabled on switch ports by default. 8 sending queues are set by default: queue1 forwards normal packets, and the other queues are used for some important control packets (such as BPDU).
Chapter 13 Flow-based Redirection
13.1 Introduction to Flow-based Redirection
The flow-based redirection function enables the switch to transmit the data frames meeting some special condition (specified by ACL) to another specified port. The frames meeting the same special condition are called a class of flow, the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
13.3 Flow-based Redirection Examples
Scenario: User’s request of configuration is listed as follows: redirecting the frames whose source IP is 192.168.1.111 received from port 1 to port 6, that is sending the frames whose source IP is 192.168.1.111 received from port 1 through port 6...
14.1.1 Introduction to Layer 3 Interface
A Layer 3 interface can be created on SS2GR50i/26i series switch. The Layer 3 interface is not a physical interface but a virtual interface. A Layer 3 interface is built on VLANs. The Layer 3 interface can contain one or more layer 2 interfaces which belong to the same VLAN, or no layer 2 interfaces.
Page 130
IPv6 function.
(2) Configure interface IPv6 address
Command / Explanation
Global Mode
  ipv6 address <ipv6-address/prefix-length> [eui-64]
  no ipv6 address
      Configure IPv6 address, including aggregate global unicast address, local site address, local link address. The no form command deletes IPv6 address.
Page 131
Interface Mode
  ipv6 nd ra-lifetime <seconds>
  no ipv6 nd ra-lifetime <seconds>
      Configure router announcement lifetime. The no form command restores the default value 1800 seconds.
(5) Configure minimum interval of router announcement
Command / Explanation
Interface Mode
Configure minimum...
Since ARP scanning is a serious threat to the security and stability of the network, it is very important to prevent it. SS2GR50i/26i series switch provides a complete solution to prevent ARP scanning: if any host or port with ARP scanning features is found in the segment, the switch will cut off the attack source to ensure the security of the network.
Page 134
Enable the ARP Scanning Prevention function.
Command / Explanation
Global mode
  anti-arpscan enable
  no anti-arpscan enable
      Enable or disable the ARP Scanning Prevention function globally
Configure the threshold of the port-based and IP-based ARP Scanning Prevention
Command / Explanation
Global mode
  anti-arpscan port-based threshold <t...
Page 135
  anti-arpscan recovery enable
  no anti-arpscan recovery enable
      Enable or disable the automatic recovery function
  anti-arpscan recovery time <seconds>
  no anti-arpscan recovery time
      Set automatic recovery time
Display related information of debug information and ARP scanning
Command / Explanation...
15.3 ARP Scanning Prevention Typical Examples
Figure 15-1 ARP scanning prevention typical configuration example
In the network topology above, port E1/1 of SWITCH B is connected to port E1/19 of SWITCH A, the port E1/2 of SWITCH A is connected to file server (IP address is 192.168.1.100/24), and all the other...
Page 137
enable the debug switch, “debug anti-arpscan”, to view debug information.
Chapter 16 ARP GUARD Configuration
16.1 ARP GUARD Introduction
There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between IP address and MAC address. This provides a chance for ARP cheating.
Page 139
Port configuration mode
  arp-guard ip <addr>
  no arp-guard ip <addr>...
      Configure/delete ARP GUARD address
Chapter 17 DHCP Configuration
17.1 Introduction to DHCP
DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP address dynamically from the address pool as well as other network configuration parameters such as default gateway, DNS server, and default route and host image file position within the network.
DHCP client and server. SS2GR50i/26i series switch can act as both a DHCP server and a DHCP relay. DHCP server supports not only dynamic IP address assignment, but also manual IP address binding (i.e. specify a specific IP address to a specified MAC address or specified device ID over a long period.
Page 142
Command / Explanation
DHCP Address Pool Mode
  network-address <network-number> [mask | prefix-length]
  no network-address
      Configures the address scope that can be allocated to the address pool
  default-switch [address1[address2[…address8]]]
  no default-switch
      Configures default gateway for DHCP clients
  dns-server [address1[address2[…address8]]]...
      Configures DNS server for DHCP clients
17.3 DHCP Configuration Example
Scenario 1: To save configuration efforts of network administrators and users, a company is using SS2GR50i/26i series switch as a DHCP server. The Admin VLAN IP address is 10.16.1.2/24. The local area network for the company is divided into network A and B according to the office locations. The network configurations for location A and B are shown below.
Page 144
Parameter         Location A     Location B
Default gateway   10.16.1.200    10.16.1.200
                  10.16.1.201    10.16.1.201
DNS server        10.16.1.202    10.16.1.202
WINS server       10.16.1.209    10.16.1.209
WINS node type    H-node         H-node
Lease             3 days         1 days
In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned with a fixed IP address of 10.16.1.210 and named as “management”.
17.4 DHCP Troubleshooting
If the DHCP clients cannot obtain IP addresses and other network parameters, the following procedures can be followed when DHCP client hardware and cables have been verified ok.
Verify the DHCP server is running, start the related DHCP server if not running.
Chapter 18 DHCP Snooping Configuration
18.1 DHCP Snooping Introduction
With the DHCP Snooping function, the switch monitors the process by which a DHCP client obtains an IP address through the DHCP protocol. DHCP detection and privately configured DHCP servers can be prevented by configuring trusted and untrusted ports.
capturing binding data; thus these users can access all resources without DOT1X authentication.
Automatic Recovery
Some time after the switch shuts down the port or sends a blackhole, it should automatically recover the communication of the port or source MAC and send information to Log Server via syslog...
Page 148
4. Enable ARP binding for DHCP Snooping.
Command / Explanation
Global Mode
  ip dhcp snooping binding arp
  no ip dhcp snooping binding arp
      Enable/Disable ARP binding for DHCP Snooping.
5. Set trusted ports
Command / Explanation
Port configuration mode...
Page 149
Command / Explanation
Port configuration mode
  ip dhcp snooping action {shutdown|blackhole} [recovery <second>]
  no ip dhcp snooping action
      Set or delete the automatic defense action of the port.
10. Enable the debug switch
Command / Explanation
Admin Mode
  debug ip dhcp snooping packet...
18.3 DHCP Snooping Typical Applications
Figure 18-1 DHCP Snooping Typical Applications
As shown in the above picture, the Mac-AA device is the normal user, connected to the untrusted port 0/0/1 of the DCN switch. It acts as DHCP Client, and its IP is 1.1.1.5; DHCP Server and GateWay connect to the trusted ports 0/0/11 and 0/0/12 of the DCN switch;...
18.4 DHCP Snooping Troubleshooting
18.4.1 Monitor and Debug
User can execute the debug ip dhcp snooping command to monitor and debug information.
18.4.2 DHCP Snooping Troubleshooting
If there are problems when using DHCP Snooping, please check the following possible reasons:
Check whether the global DHCP Snooping switch is enabled;...
Chapter 19 DHCP Option 82 Configuration
19.1 Introduction to DHCP option 82
DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy. The Relay Agent adds option 82 (including the client’s physical access port, the access device ID and other...
SubOpt: the number of the sub-option. The sub-option number of Circuit ID is 1, the sub-option number of Remote ID is 2.
Len: the number of bytes of Sub-option Value, not including the two bytes in SubOpt segment and Len segment.
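The SubOpt/Len/Value layout described above can be decoded and bounds-checked as in the following added example, which is not part of the manual. The option bytes, the Circuit ID string and the Remote ID value are constructed for illustration, and the function names are hypothetical.

```python
"""Decode DHCP option 82 (Relay Agent Information) sub-options defensively."""

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
# Sub-option numbers as given in the text: 1 = Circuit ID, 2 = Remote ID.
SUBOPT_NAMES = {1: "circuit_id", 2: "remote_id"}


class MalformedOption(ValueError):
    """A length byte is missing or points past the end of the buffer."""


def find_option82(options: bytes):
    """Return the value bytes of option 82 from a DHCP options field, or None.

    `options` is the options field after the magic cookie. Pad (0) and
    End (255) are single-byte options; all others are code, len, value.
    """
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise MalformedOption(f"option {code}: missing length byte")
        end = i + 2 + options[i + 1]
        if end > len(options):
            raise MalformedOption(f"option {code}: length overruns packet")
        if code == OPT_RELAY_AGENT_INFO:
            return options[i + 2:end]
        i = end
    return None


def parse_option82(value: bytes) -> dict:
    """Split an option 82 value into its sub-options.

    Each sub-option is SubOpt (1 byte), Len (1 byte), then Len value bytes;
    Len does not count the SubOpt and Len bytes themselves.
    """
    result, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise MalformedOption("sub-option header truncated")
        subopt, length = value[i], value[i + 1]
        end = i + 2 + length
        if end > len(value):
            raise MalformedOption(
                f"sub-option {subopt}: Len={length} overruns option 82")
        name = SUBOPT_NAMES.get(subopt, f"unknown_{subopt}")
        if name in result:
            raise MalformedOption(f"sub-option {subopt} appears twice")
        result[name] = value[i + 2:end]
        i = end
    return result


def build_suboption(subopt: int, value: bytes) -> bytes:
    """Encode one sub-option (used only to construct the sample below)."""
    return bytes([subopt, len(value)]) + value


# Constructed sample: a message-type option, then option 82 carrying a
# Circuit ID and a Remote ID (both values made up), then End.
CIRCUIT_ID = b"Vlan100+Ethernet1/5"
REMOTE_ID = bytes.fromhex("0203040a0b0c")
RELAY_INFO = build_suboption(1, CIRCUIT_ID) + build_suboption(2, REMOTE_ID)
SAMPLE_OPTIONS = (bytes([53, 1, 1])
                  + bytes([OPT_RELAY_AGENT_INFO, len(RELAY_INFO)]) + RELAY_INFO
                  + bytes([OPT_END]))

if __name__ == "__main__":
    for name, raw in parse_option82(find_option82(SAMPLE_OPTIONS)).items():
        print(f"{name}: {raw!r}")
```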
Chapter 20 IPv4 Multicast Protocol
20.1 IPv4 Multicast Protocol Overview
This chapter will give an introduction to the configuration of IPv4 Multicast Protocol. All IPs in this chapter are IPv4.
20.1.1 Introduction to Multicast
Various transmission modes can be adopted when the destination of packet (including data, sound and video) transmission is a minority of the users in the network.
Page 157
239.255.255.255. A class D address cannot appear in the source IP address field of an IP message. In unicast data transmission, a data packet is routed from the source address to the destination address, and the transmission is performed hop by hop. However, in an IP Multicast environment, the destination addresses are a group instead of a single one; they form a group address.
When Ethernet transmits Unicast IP messages, the destination MAC address it uses is the receiver’s MAC address. But in transmitting Multicast packets, the transmission destination is not a specific receiver any more, but a group with uncertain members, thus a Multicast MAC address is used. The Multicast MAC address corresponds to the Multicast IP address.
potential and Multicast operation will be generalized and popularized.
20.2 DCSCM
20.2.1 Introduction to DCSCM
DCSCM (Destination Control and Source Control Multicast) technology mainly includes three aspects, i.e. Multicast Packet Source Controllable, Multicast User Controllable and Service-Oriented Priority Strategy Multicast.
Page 160
Source Control Configuration has three parts, of which the first is to enable source control. The command of source control is as follows:
Command / Explanation
Global Configuration Mode
      Enable source control globally, the “no ip multicast source-control” command disables source control globally.
Page 161
  [no] ip multicast source-control access-group <5000-5099>
      Configures the rules that source control applies to the port; the NO form cancels the configuration.
2. Destination Control Configuration
Like source control configuration, destination control configuration also has three steps.
  [no] multicast destination-control access-group <6000-7999>
      Configures the rules that destination control applies to the port; the NO form cancels the configuration.
Global Configuration Mode
  [no] multicast destination-control <1-4094> <macaddr>...
      Configures the rules that destination control applies to the specified VLAN-MAC, the NO...
DC(config)#ip multicast source-control
DC(config)#interface ethernet1/5
DC(Config-If-Ethernet1/5)#ip multicast source-control access-group 5000
DC(config)#interface ethernet1/10
DC(Config-If-Ethernet1/10)#ip multicast source-control access-group 5001
2. Destination Control
We want to limit users with address in 10.0.0.0/8 network segment from entering the group of 238.0.0.0/8, so we can make the following configuration:...
SS2GR50i/26i series switch provides IGMP Snooping and is able to send a query from the switch so that the user can use SS2GR50i/26i series switch in IP multicast.
Page 165
  ip igmp snooping vlan < vlan-id > limit {group <g_limit> | source <s_limit>}
  no ip igmp snooping vlan < vlan-id >...
      Configure the max group count of vlan and the max source count of every group. The “no ip igmp snooping vlan <vlan-id>...
  ip igmp snooping vlan <vlan-id> query-robustness <value>
  no ip igmp snooping vlan <vlan-id> query-robustness
      Configure the query robustness. The “no ip igmp snooping vlan <vlan-id> query-robustness” command restores to the default value
  ip igmp snooping vlan <vlan-id>...
      Configure the suppression query time. The...
Page 167
Example: As shown in the above figure, a VLAN 100 is configured in the switch and includes ports 1, 2, 6, 10 and 12. Four hosts are connected to port 2, 6, 10, 12 respectively and the multicast router is connected to port 1.
Page 168
Figure 20-2 The switches as IGMP Queries
The configuration of Switch2 is the same as the switch in scenario 1, SwitchA takes the place of Multicast Router in scenario 1.
The SWITCH used in Scenario 1 is replaced with a ROUTER; the specific configurations remain the same, and the multicast and IGMP snooping configurations are the same as in Scenario 1. Configure PIM-SM on the ROUTER, and enable PIM-SM on vlan 100 (use the same PIM mode with the...
Chapter 21 IPv6 Multicast Protocol
21.1 MLD Snooping
21.1.1 MLD Snooping Introduction
MLD, the Multicast Listener Discovery Protocol, is used to implement multicasting in IPv6. Network equipment that supports multicast, such as routers, uses MLD for multicast listener discovery; listeners that want to join a certain multicast group use it to inform the router that they want to receive data packets from a certain multicast address. All of this is done through MLD message exchange.
Page 171
  ipv6 mld snooping vlan <vlan-id>
  no ipv6 mld snooping vlan <vlan-id>
      Enable MLD Snooping on specific vlan. The “no” form of this command disables MLD Snooping on specific vlan
  ipv6 mld snooping vlan <...
      Configure the number of the groups in which the...
  no ipv6 mld snooping vlan <vlan-id> suppression-query-time
  ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME>...
      Configure static-group on specified port of the vlan. The no form of the command cancels this configuration.
Page 173
Multicast configuration: Assume there are two multicast servers, Multicast Server 1 and Multicast Server 2. Programs 1 and 2 are supplied on Multicast Server 1 and program 3 on Multicast Server 2, using the group addresses Group 1, Group 2 and Group 3 respectively.
Page 174
Scenario 2. MLD L2-general-querier
Figure 21-2 Switches as MLD Querier
Function Configuration of switch B is the same as the switches in case 1, and here the switch 1 replaces the Multicast Router in case 1. Assume the vlan 60 configured on it contains port 1, 2, 10, 12, of which port 1 is connected to the multicast server and port 2 to switch2.
Same as scenario 1
Scenario 3. To run in cooperation with layer 3 multicast protocols.
The SWITCH used in Scenario 1 is replaced with a ROUTER; the specific configurations remain the same, and the multicast and IGMP snooping configurations are the same as in Scenario 1. To...
Chapter 22 Multicast VLAN Configuration
22.1 Introductions to Multicast VLAN
With the current multicast ordering method, when users in different VLANs order multicast, each VLAN carries its own copy of the multicast traffic, which is a great waste of bandwidth. By configuring a multicast VLAN, we add the switch port to the multicast VLAN; with the IGMP Snooping function enabled, users from different VLANs share the same multicast VLAN.
  no ip igmp snooping
      “no” form of this command disables the IGMP snooping function
22.3 Examples Of Multicast VLAN
Figure 22-1 Function configuration of the Multicast VLAN
As shown in the figure, the multicast server is connected to the layer 3 switch switchA through port 1/1 which belongs to the vlan10 of the switch.
Chapter 23 ACL Configuration
23.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access through the switches, effectively safeguarding the security of networks.
The following rules apply:
An access-list can consist of several rules. Filtering of packets compares packet conditions to the rules, from the first rule to the first matched rule; the rest of the rules will not be processed.
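Because evaluation stops at the first matched rule, rule order decides the outcome. The following added example (not from the manual) models that behaviour and flags rules that can never match because an earlier rule already covers them. The Rule tuple, the function names and the sample rule sets are hypothetical and do not use the switch's own ACL syntax.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # TCP destination port; None matches any port


def evaluate(rules: List[Rule], src_ip: str, dst_port: int,
             default_action: str = "permit") -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matched rule).

    Rules after the first match are never consulted. When no rule matches,
    the configured default action applies and the index is None.
    """
    ip = ipaddress.ip_address(src_ip)
    for index, rule in enumerate(rules):
        in_net = ip in ipaddress.ip_network(rule.src)
        if in_net and rule.dst_port in (None, dst_port):
            return rule.action, index
    return default_action, None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matched by `later` is also matched by `earlier`."""
    later_net = ipaddress.ip_network(later.src)
    earlier_net = ipaddress.ip_network(earlier.src)
    return (later_net.subnet_of(earlier_net)
            and earlier.dst_port in (None, later.dst_port))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int, bool]]:
    """List (rule index, index of the covering earlier rule, actions differ).

    A shadowed rule never takes effect; when the actions differ, the ACL
    does not do what its author intended.
    """
    findings = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                findings.append((j, i, rules[i].action != later.action))
                break
    return findings


FTP_CONTROL = 21
# Constructed rule sets: the intent is to block FTP from 10.0.0.0/24.
BROKEN = [Rule("permit", "10.0.0.0/8", None),
          Rule("deny", "10.0.0.0/24", FTP_CONTROL)]
FIXED = [BROKEN[1], BROKEN[0]]   # specific deny first, broad permit second

if __name__ == "__main__":
    print("broken order:", evaluate(BROKEN, "10.0.0.5", FTP_CONTROL))
    print("fixed order: ", evaluate(FIXED, "10.0.0.5", FTP_CONTROL))
    print("shadowed in broken order:", shadowed_rules(BROKEN))
```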
Page 181
2. Configuring the packet filtering function
Enable global packet filtering function
Configure default action.
3. Configuring time range function
Create the name of the time range
Configure periodic time range
Configure absolute time range
4. Bind access-list to an incoming direction of the specified port
5.
Page 182
  access-list <num> {deny | permit} igmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<igmp-type>] [precedence <prec>] [tos...
      Creates a numbered IGMP extended IP access rule; if the numbered extended access-list of specified number does not exist, then...
Page 183
  access-list ip standard <name>
  no access-list ip standard <name>
      Creates a standard IP access-list based on nomenclature; the ‘no access-list ip standard <name>‘ command deletes the name-based standard IP access-list
Specify multiple ‘permit’ or ‘deny’ rules...
Page 184
  [no] {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>][time-range<time-range-name>]...
      Creates an extended name-based ICMP IP access rule; the ‘no’ form command deletes this name-based extended IP access rule
Page 185
(5) Configuring a numbered standard MAC access-list
Command / Explanation
Global Mode
  access-list<num>{deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}}
  no access-list <num>...
      Creates a numbered standard MAC access-list, if the access-list already exists, then a rule will add to the current access-list; the ‘no access-list <num>‘ command...
Page 186
b. Specify multiple ‘permit’ or ‘deny’ rule entries
Command / Explanation
Extended name-based MAC access rule Mode
  [no]{deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>} |{<dmac> <dmac-mask>}} [cos <cos-val>...
      Creates an extended name-based MAC access rule matching MAC frame; the ‘no’ form command deletes this...
Page 187
(8) Configuring a numbered extended MAC-IP access-list
Command / Explanation
Global mode
  access-list<num>{deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}}icmp {{<source><source-wildcard>}|any-source|{host-source<source-host-ip>}} {{<destination><destination-wildcard>}|any-desti...
      Creates a numbered mac-icmp extended mac-ip access rule; if the numbered extended access-list of specified number does not exist, then an access-list will be...
Page 188
  access-list<num>{deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}}{any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}}tcp {{<source><source-wildcard>}|any-source|{host-source<source-host-ip>}}[s-port{<port1> | range <sPortMin> <sPortMax>}] {{<destination><destination-wildcard>}|any-desti
      Creates a numbered mac-icmp extended mac-tcp access rule; if the numbered extended access-list of specified number does not exist, then an access-list will be created using this number.
Page 189
  no access-list <num>
      Deletes this numbered extended MAC-IP access rule
(9) Configuring an extended MAC-IP access-list based on nomenclature
Create an extended MAC-IP access-list based on nomenclature
Command / Explanation
Global Mode
  mac-ip-access-list extended <name>...
      Creates an extended name-based MAC-IP access rule; the ‘no’ form...
Page 190
  [no]{deny|permit}{any-source-mac|{host-source-mac<host_smac>}|{<smac><smac-mask>}} {any-destination-mac|{host-destination-mac <host_dmac>}|{<dmac><dmac-mask>}}tcp {{<source><source-wildcard>}|any-source|{host-source<source-host-ip>}}[s-port{<port1> | range <sPortMin> <sPortMax>}] {{<destination><destination-wildcard>}|any-destination | {host-destination <destination-host-ip>}} [d-port{<port3> | range <sPortMin> <sPortMax>}][ack+fin+psh+rst+urg+syn] [precedence<precedence>][tos<tos>][time-range<time-...
      Creates an extended name-based MAC-TCP access rule; the ‘no’ form command deletes this name-based extended MAC-TCP access rule
Page 191
Exit MAC-IP Configuration Mode
Command / Explanation
Extended name-based MAC-IP access Mode
  exit
      Quit extended name-based MAC-IP access mode
(10) Configuring a numbered standard IPV6 access-list
Command / Explanation
Global Mode
  ipv6 access-list <num> {deny | permit} {{<sIPv6Addr>...
      Creates a numbered standard IPV6 access-list, if the access-list...
Page 192
configuration mode.
2. Configuring packet filtering function
(1) Enable global packet filtering function
Command / Explanation
Global Mode
  firewall enable
      Enables global packet filtering function
  firewall disable
      Disables global packet filtering function
(2) Configure default action.
Command / Explanation...
Page 193
  [no]absolute-periodic{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday}<start_time>to{Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday} <end_time>
  [no]periodic{{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday}|daily|weekdays|weekend} <start_time> to <end_time>
      Stop the function of the time range in the week
(3) Configure absolute time range
Command / Explanation
Global Mode
  absolute start<start_time><start_data>[end<end_time> <end_data>]
      Configure absolute time range
  [no]absolute start<start_time><start_data>[end<end_time><en...
      Stop the function of the time...
23.3 ACL Example
Scenario 1: The user has the following configuration requirement: port 1/10 of the switch connects to 10.0.0.0/24 segment; ftp is not desired for the user.
Configuration description:
Create a proper ACL
Configuring packet filtering function...
disabled from accessing the outside network.
Configuration description:
a) Create the corresponding access list.
b) Configure datagram filtering. Bind the ACL to the related interface.
The configuration steps are listed as below.
Switch(config)#ipv6 enable
Switch(config)#ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-destination...
Page 197
VLAN, and it will be bound to VLAN 1 ACL (if ACL is configured in VLAN1). If VLAN 1 ACL binding fails, the VLAN removal operation will fail. SS2GR50i/26i series do not support MAC ACL, MAC IP and IPV6 ACL binding...
Chapter 24 802.1x Configuration
24.1 Introduction to 802.1x
The 802.1x protocol originates from 802.11 protocol, the wireless LAN protocol of IEEE, which is designed to provide a solution to doing authentication when users access a wireless LAN. The LAN...
Page 199
The supplicant system is an entity on one end of the LAN segment, which should be authenticated by the access controlling unit on the other end of the link. A supplicant system usually is a user terminal device. Users start 802.1x authentication by starting the supplicant system software. A supplicant system should support EAPOL (Extensible Authentication Protocol over LAN).
The controlled and uncontrolled ports are two parts of one port, which means each frame reaching this port is visible on both the controlled and uncontrolled ports.
3. Controlled direction
In unauthenticated status, controlled ports can be set as unidirectionally controlled or bi-directionally controlled.
Page 201
1. The Format of EAPOL Data Packets
EAPOL is a kind of message encapsulation format defined in 802.1x protocol, and is mainly used to transmit EAP messages between the supplicant system and the authenticator system in order to allow the transmission of EAP messages through the LAN.
(illustrated in the next figure).
Figure 24-4 the Format of EAP Data Packets
Code: specifies the type of the EAP packet. There are four of them in total: Request (1), Response (2), Success (3), Failure (4). There is no Data domain in packets whose type is Success or Failure, and the value of the Length domain in such packets is 4.
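The Code and Length rules above can be enforced when inspecting captured EAP packets, as in this added example (not from the manual). The one-byte Identifier field, the Type byte of Request/Response packets and the Type numbers follow RFC 3748 and the IANA EAP registry rather than this page; the sample packets are constructed and the function names are hypothetical.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Type numbers from the IANA EAP registry (not listed on this page).
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP"}
HEADER_LEN = 4   # Code (1) + Identifier (1) + Length (2)


class EapError(ValueError):
    """The buffer is not a well-formed EAP packet."""


class EapPacket(NamedTuple):
    code: str
    identifier: int
    length: int
    eap_type: Optional[str]   # None for Success/Failure
    type_data: bytes


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting inconsistent Code/Length values."""
    if len(buf) < HEADER_LEN:
        raise EapError("shorter than the 4-byte EAP header")
    code, identifier, length = struct.unpack("!BBH", buf[:HEADER_LEN])
    if code not in EAP_CODES:
        raise EapError(f"unknown Code {code}")
    if length < HEADER_LEN:
        raise EapError(f"Length {length} is smaller than the header")
    if length > len(buf):
        raise EapError(f"Length {length} exceeds the {len(buf)} bytes received")
    name = EAP_CODES[code]
    if code in (3, 4):
        # Success and Failure carry no Data, so Length must be exactly 4.
        if length != HEADER_LEN:
            raise EapError(f"{name} with Length {length}, expected 4")
        return EapPacket(name, identifier, length, None, b"")
    if length < HEADER_LEN + 1:
        raise EapError(f"{name} without a Type byte")
    type_code = buf[HEADER_LEN]
    type_name = EAP_TYPES.get(type_code, f"type-{type_code}")
    # Bytes beyond Length are link-layer padding and are ignored.
    return EapPacket(name, identifier, length, type_name,
                     buf[HEADER_LEN + 1:length])


def audit(packets: List[bytes]) -> List[Tuple[bool, str]]:
    """Return (well_formed, detail) for each captured packet."""
    results = []
    for raw in packets:
        try:
            pkt = parse_eap(raw)
            results.append((True, f"{pkt.code} id={pkt.identifier}"))
        except EapError as exc:
            results.append((False, str(exc)))
    return results


# Constructed samples (not captured traffic).
IDENTITY_RESPONSE = bytes([2, 1, 0, 10, 1]) + b"alice"
PADDED_SUCCESS = bytes([3, 2, 0, 4]) + bytes(42)   # link-layer padding
SUCCESS_WITH_DATA = bytes([3, 2, 0, 8]) + bytes(4)  # violates the Length rule
OVERRUN_REQUEST = bytes([1, 3, 0, 50, 4])           # Length past the buffer
SAMPLES = [IDENTITY_RESPONSE, PADDED_SUCCESS, SUCCESS_WITH_DATA,
           OVERRUN_REQUEST]

if __name__ == "__main__":
    for ok, detail in audit(SAMPLES):
        print("ok " if ok else "BAD", detail)
```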
The client authentication pattern of prior authentication system belongs to Amer.com privately. The devices are layer 2 switch of Amer.com and the authentication server is RADIUS server. EAP protocol is used for the authentication message pattern.
Internet Explorer is used instead of the prior client software, the devices are Amer.com layer 3 switches, the authentication server is the standardized RADIUS server, and the authentication message is carried in the EAP message. The Ethernet frame cannot be sent because of the Java Applet...
Page 205
Figure 24-8 The Protocol Stack of EAP Authentication Method
By now, more than 50 EAP authentication methods have been developed, which differ in the authentication mechanism and the management of keys. The 4 most...
Page 206
Figure 24-9 The Authentication Flow of 802.1x EAP-MD5
2. EAP-TLS Authentication Method
EAP-TLS was proposed by Microsoft, based on the EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server and the dynamically generated session keys, and requires both the supplicant system and the RADIUS authentication server to possess digital certificates in order to implement bidirectional authentication.
Page 207
Figure 24-10 The Authentication Flow of 802.1x EAP-TLS
3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide an authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificate.
Page 208
EAP-PEAP was proposed by Cisco, Microsoft and RSA Security as a recommended open standard. It has long been utilized in products and provides very good security. Its protocol and security design is similar to that of EAP-TTLS, using a server’s PKI certificate to establish a secure TLS tunnel in order to protect user authentication.
Figure 24-12 The Authentication Flow of 802.1x EAP Termination Mode
24.1.7 The Extension and Optimization of 802.1x
Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
When the MAC-based method is used, all the users accessing a port should be authenticated separately; only those who pass the authentication can access the network, while the others cannot. When one user goes offline, the other users will not be affected.
2. Guest VLAN
The Guest VLAN feature is used to allow unauthenticated users to access some specified resources. Before passing the 802.1x authentication, the user authentication port belongs to a default VLAN (Guest VLAN), with the right to access the resources within this VLAN without authentication. Resources in other networks are beyond reach.
Page 212
Command: dot1x privateclient enable
Command: no dot1x privateclient enable
Explanation: Forces the client software to use the private 802.1x authentication message format of Amer.com. The ‘no dot1x privateclient enable’ command disables this function, and client software can use the standard 802.1x authentication message format.
Page 213
Port Mode
Command: dot1x port-control {auto|force-authorized|force-unauthorized}
Command: no dot1x port-control
Explanation: Sets the 802.1x authentication mode; the ‘no dot1x port-control’ command restores the default setting.
2) Configure port access management method
Port Mode
Command: dot1x port-method
Explanation: Sets the port access management method;...
Page 214
Global Mode
Command: dot1x macfilter enable
Command: no dot1x macfilter enable
Explanation: Enables the 802.1x address filter function in the switch; the ‘no dot1x macfilter enable’ command disables the 802.1x address filter function.
Command: dot1x accept-mac <mac-address> [interface <interface-name>]...
Explanation: Adds 802.1x address filter table entry, the ‘no dot1x...
Page 215
Command: dot1x timeout re-authperiod <seconds>
Command: no dot1x timeout re-authperiod
Explanation: Sets the supplicant re-authentication interval; the ‘no dot1x timeout re-authperiod’ command restores the default setting.
Command: dot1x timeout tx-period <seconds>...
Explanation: Sets the interval for the supplicant to re-transmit EAP request/identity frame; the ‘no dot1x timeout...
Page 216
3) Configure RADIUS Service parameters.
Global Mode
Command: radius-server dead-time <minutes>
Command: no radius-server dead-time
Explanation: Configures the restore time when RADIUS server is down; the ‘no radius-server dead-time’ command restores the default setting.
Command: radius-server retransmit <retries>...
Explanation: Configures the re-transmission times for RADIUS; the...
24.3 802.1x Application Example
24.3.1 Examples of Guest VLAN Applications
Figure 24-13 The Network Topology of Guest VLAN
Notes
In the figures in this section, E2 means Ethernet 2, E3 means Ethernet 3 and E6 means Ethernet 6.
Page 218
Figure 24-14 User Joining Guest VLAN
As illustrated in the figure above, the 802.1x feature is enabled on the switch port Ethernet1/2, and VLAN10 is set as the port’s Guest VLAN. Before the user gets authenticated or when the user fails to do so, port Ethernet1/2 is added into VLAN10, allowing the user to access the Update Server.
Page 219
the user to access the Internet. The following are configuration steps:
# Configure RADIUS server.
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
# Create VLAN100.
Switch(config)#vlan 100
# Enable the global 802.1x function
Switch(config)#dot1x enable
# Enable the 802.1x function on port Ethernet1/2...
24.3.2 Examples of IPv4 Radius Applications
Figure 24-16 IEEE 802.1x Configuration Example Topology (figure labels: 10.1.1.2, Radius Server, 10.1.1.1, 10.1.1.3)
The PC is connected to port 1/2 of the switch; IEEE 802.1x authentication is enabled on port 1/2; the access mode is the default MAC-based authentication.
24.3.3 IPv6 Radius Application
Figure 24-17 IPv6 Radius
Connect the computer to interface 1/2 of the switch, and enable IEEE 802.1x on interface 1/2. Use MAC-based authentication. Configure the IP address of the switch as 2004:1:2:3::2, and connect the switch to the RADIUS authentication server through any interface except interface 1/2.
24.3.4 802.1x Web Proxy Authentication Sample Application
Figure 24-18 802.1x Web Proxy Authentication
In the network topology shown above, Ethernet 1/1 on SWITCH1 is connected to the Web server whose IP address is 192.168.20.20/24, and the authentication port is 1812. The PC is connected to Ethernet 1/16 on SWITCH1 through an unknown network.
Configuration task list on SWITCH1
Switch(config)#dot1x enable
Switch(config)#dot1x web authentication enable
Switch(config)#dot1x web redirect http://192.168.20.20/WebSupplicant/
Switch(config)#interface ethernet 1/16
Switch(Config-If-Ethernet1/16)#dot1x enable
Switch(Config-If-Ethernet1/16)#dot1x port-method web based
24.4 802.1x Troubleshooting
It is possible that 802.1x is configured on ports and 802.1x authentication is set to auto, but the switch cannot enter the authenticated state after the user runs the 802.1x supplicant software.
Chapter 25 Port/MAC Address Limitation in VLAN Configuration
25.1 Introduction to the Number Limitation Function of Port, MAC in VLAN
The MAC address list is used to identify the mapping relationship between the destination MAC addresses and the ports of the switch. There are two kinds of MAC addresses in the list: static MAC address and dynamic MAC address.
equal to the max number of dynamic MAC addresses, then the MAC learning function of all the ports in this VLAN is shut down; otherwise, all the ports in this VLAN can continue learning (except special ports).
25.2 The Number Limitation Function of Port, MAC in VLAN Configuration Task Sequence
1.
Command: show mac-address dynamic count {vlan <vlan-id>|interface ethernet <portName>}
Explanation: Display the number of dynamic MAC in corresponding ports and VLAN
Command: debug switchport mac count
Command: no debug switchport mac count...
Explanation: All kinds of debug information when limiting the number of MAC on ports
address as 30, of dynamic ARP address as 30, NEIGHBOR list entry as 20.
SWITCH A configuration task sequence:
Switch(config)#
Switch (config)#int ethernet 3/1
Switch (Config-If-Ethernet3/1)#switchport mac-address dynamic maximum 20
Switch (Config-If-Ethernet3/1)#switchport arp dynamic maximum 20
Switch (Config-If-Ethernet3/1)#switchport nd dynamic maximum 10...
Chapter 26 Operational Configuration of AM Function
26.1 Introduction to AM Function
AM (Access Management) means that when a switch receives an IP or ARP message, it will compare the information extracted from the message (such as source IP address or source MAC-IP address) with the configured hardware address pool.
Page 229
Interface Mode
Command: am interface
Command: no am interface
Explanation: Enable/disable AM function on the interface. When the AM function is enabled on the interface, no IP or ARP message will be forwarded by default.
3. Configure the forwarding IP...
26.3 Example of AM Function
Figure 26-1 Typical configuration example of AM function
In the topology above, 30 PCs, aggregated by HUB1, connect to interface1 on the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. For security, the system manager will treat only users with an IP address within that range as legitimate.
Chapter 27 Security Feature Configuration
27.1 Security Feature Introduction
Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, a simple but effective destructive attack on the Internet. A server under DoS attack will drop normal user data packets because it is continuously processing the attacker’s data packets, leading to the...
Command: [no] dosattack-check ipv4-first-fragment enable
Explanation: Enable/disable checking IPv4 fragment. This command has no effect when used separately, but if this function is not enabled, the switch will not drop the IPv4 fragment packet containing unauthorized TCP flags.
27.2.3 Anti Port Cheat Function Configuration Task List
1.
Configure the max permitted ICMPv4 payload length
Configure the max permitted ICMPv6 payload length
Global Mode
Command: [no] dosattack-check icmp-attacking enable
Explanation: Enable/disable the prevent ICMP fragment attack function
Explanation: Configure the max permitted ICMPv4 net length....
Chapter 28 TACACS+ Configuration
28.1 TACACS+ Introduction
TACACS+ (terminal access controller access control protocol) is a protocol similar to the RADIUS protocol for controlling terminal access to the network. The three independent functions of Authentication, Authorization and Accounting are also available in this protocol. Compared with RADIUS, the transmission...
Global Mode
Command: tacacs-server timeout <seconds>
Command: no tacacs-server timeout
Explanation: Configure the authentication timeout for the TACACS+ server; the ‘no tacacs-server timeout’ command restores the default configuration
28.3 Typical TACACS+ Scenarios
Figure 28-1 TACACS Configuration (figure labels: Switch, 10.1.1.2, 10.1.1.1, Tacacs Server, 10.1.1.3)
A computer connects to a switch, of which the IP address is 10.1.1.2 and connected with a TACACS+...
Chapter 29 MRPP Configuration
29.1 MRPP Introduction
MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol for Ethernet loop protection. It can avoid the broadcast storm caused by a data loop on an Ethernet ring, and restore communication among all nodes on the ring network when the Ethernet ring has a broken link.
29.1.1 Concept Introduction
Figure 29-1 MRPP Sketch Map
1. Control VLAN
Control VLAN is a virtual VLAN, only used to identify MRPP protocol packets transferred in the link. To avoid confusion with other configured VLANs, do not configure the control VLAN ID to be the same as another configured VLAN ID.
is used to receive Hello packets sent from the primary node. When the Ethernet is in the healthy state, the secondary port of the primary node logically blocks other data and only MRPP packets can pass. When the Ethernet is in the broken state, the secondary port of the primary node releases the block state and forwards data packets.
primary node immediately. The primary node receives the link down packet, immediately releases the block state of its secondary port, and sends a LINK-DOWN-FLUSH-FDB packet to inform all transfer nodes to refresh their own MAC address forwarding lists.
2. Poll System
The primary port of the primary node sends Hello packets to its neighbors periodically according to the configured Hello-timer.
Command: MRPP ring <ring-id>
Command: no MRPP ring <ring-id>
Explanation: Create MRPP ring. format “no” deletes MRPP ring and its configuration
MRPP ring mode
Command: Control-vlan <vid>
Command: No Control-vlan
Explanation: Configure control VLAN ID, format “no” deletes configured control VLAN ID.
Command: Primary-port Ethernet <interface-name>...
Explanation: Specify primary port of MRPP ring
Page 241
Figure 29-2 MRPP typical configuration scenario 1
The above topology often occurs when using the MRPP protocol. Multiple switches constitute a single MRPP ring; each of the switches is configured with only one MRPP ring, and together they constitute a single MRPP ring.
Chapter 30 Mirroring Configuration
30.1 Introduction to Mirroring
The mirroring function includes port mirroring, CPU mirroring and flow mirroring. Port mirroring refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port.
30.4 Mirroring Troubleshooting
If problems occur when configuring mirroring, please check the following first for causes:
Whether the mirror destination port is a member of a trunk group or not; if yes, modify the trunk group.
If the throughput of the mirror destination port is smaller than the total throughput of the mirror source port(s), the destination port will not be able to duplicate all source port traffic;...
Chapter 31 sFlow Configuration
31.1 sFlow Introduction
sFlow (RFC 3176) is a protocol developed by the InMon Company, based on standard network export and used for monitoring network traffic information. The monitored switch or router sends data to the client analyzer through its main operations such as sampling and statistics, and the analyzer then analyzes the data according to the user requirements in order to monitor the network.
Page 247
2. Configure the sFlow proxy address
Global Mode
Command: sflow agent-address <collector-address>
Command: no sflow agent-address
Explanation: Configure the source IP address applied by the sFlow proxy; the “no” form of the command deletes this address.
3. Configure the sFlow proxy priority...
performing statistic sampling. The “no” form <interval-vlaue> of this command deletes no sflow counter-interval
31.3 sFlow Example
Figure 31-1 sFlow configuration topology
As shown in the figure, sFlow sampling is enabled on ports 3/1 and 3/2 of the switch. Assume the sFlow analysis software is installed on the PC with the address of 192.168.1.200.
SNTP (1 to 50 ms) is usually sufficient for those services.
Figure 32-1 SNTP Working Scenario
SS2GR50i/26i series switch implements SNTPv4 and supports SNTP client unicast as described in RFC2030; SNTP client multicast and unicast are not supported, nor is the SNTP server function.
Figure 32-2 Typical SNTP Configuration
All SS2GR50i/26i series switches in the autonomous zone are required to perform time synchronization, which is done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be properly configured. There should be a reachable route between any SS2GR50i/26i series switch and the two SNTP/NTP servers.
SS2GR50i/26i series switch provides various debug commands including ping, telnet, show and debug, etc. to help the users to check system configuration, operating status and locate problem causes.
The principle of Traceroute6 under IPv6 is the same as that under IPv4; it uses ICMPv6 and the hop limit field of the IPv6 header. First, Traceroute6 sends an IPv6 datagram (including source address, destination address and packet sent time) whose HOPLIMIT is set to 1. When the first router on the path receives this datagram, it decrements the HOPLIMIT by 1 and the HOPLIMIT is now 0.
33.6 Debug
All the protocols SS2GR50i/26i series switch supports have their corresponding debug commands. The users can use the information from debug commands for troubleshooting. Debug commands for their corresponding protocols will be introduced in the later chapters.
Page 255
Through Console port to the local console
Output the log information to a remote Telnet terminal or monitor; this function is good for remote maintenance
Assign a proper log buffer zone inside the switch, for recording the log information permanently or...
levels are in accordance with the standard UNIX/LINUX syslog
Table 33-1 Severity of the log information
Severity: emergencies. Description: System is unusable
Severity: alerts. Description: Action must be taken immediately
Severity: critical. Description: Critical conditions
Severity: errors. Description: Error conditions
Description: Warning conditions...
Display and clear log buffer zone
Admin Mode
Command: show logging buffered [level { critical | warnings} | range <begin-index> <end-index>]
Description: Show detailed log information in the log buffer channel
Command: clear logging sdram...
Description: Clear log buffer zone information
Chapter 34 Reload Switch after Specified Time
34.1 Introduction to reload switch after specified time
Reload switch after specified time reboots the switch, without shutting down its power, after a specified period of time, usually when updating the switch version. The switch can be rebooted after a period of time instead of immediately after its version has been updated successfully.
Chapter 35 Debugging and Diagnosis
35.1 Debugging and diagnosis for packets received and sent by CPU
The following commands are used to debug and diagnose the packets received and sent by CPU, and are supposed to be used with the help of the technical support.
Page 260
Command: cpu-rx-ratelimit channel <channel-id> <packets>
Command: no cpu-rx-ratelimit channel [<channel-id>]
Explanation: This series switches do not support the command
Admin mode
Command: show cpu-rx queue [<queue-id>]
Explanation: Show the statistics of the CPU received packets from the queue.
Command: show cpu-rx protocol [<protocol-type>]...
Explanation: Show the statistics of the CPU received packets of the protocol