Table of Contents

1.1 Management options
1.2 CLI Interface
2.1 Basic Configuration
2.2 Telnet Management
2.3 Configure Switch IP Addresses
2.4 SNMP Configuration
2.5 Switch Upgrade
3.1 Introduction to Port
3.2 Network Port Configuration Task List
3.3 Port Configuration Example
3.4 Port Troubleshooting
4.1 Introduction to Port Isolation Function
4.2 Task Sequence of Port Isolation
4.3 Port Isolation Function Typical Examples
5.1 Introduction to Port Loopback Detection Function
5.3 Port Loopback Detection Function Example
5.4 Port Loopback Detection Troubleshooting
6.1 Introduction to ULDP Function
6.2 ULDP Configuration Task Sequence
6.3 ULDP Function Typical Examples
6.4 ULDP Troubleshooting
SNR S2940-8G-v2 Switch Configuration Guide

Summary of Contents for SNR S2940-8G-v2

  • Page 1: Table Of Contents

    SNR S2940-8G-v2 Switch Configuration Guide CONTENTS Contents I Basic Management Configuration 1 Switch management 1.1 Management options...
  • Page 2 SNR S2940-8G-v2 Switch Configuration Guide CONTENTS 7 LLDP Function Operation Configuration 7.1 Introduction to LLDP Function...
  • Page 3 SNR S2940-8G-v2 Switch Configuration Guide CONTENTS 15 CFM-OAM Configuration 15.1 Overview 15.2 CFM OAM Basic Concept...
  • Page 4 SNR S2940-8G-v2 Switch Configuration Guide CONTENTS 21.4 Dynamic VLAN Troubleshooting 22 GVRP Configuration 22.1 Introduction to GVRP...
  • Page 5 SNR S2940-8G-v2 Switch Configuration Guide CONTENTS 28 Flexible QinQ Configuration 28.1 Introduction to Flexible QinQ 28.2 Flexible QinQ Configuration Task List...
  • Page 6 SNR S2940-8G-v2 Switch Configuration Guide CONTENTS 35.4 DHCPv6 Prefix Delegation Server Configuration 35.5 DHCPv6 Prefix Delegation Client Configuration 35.6 DHCPv6 Configuration Examples...
  • Page 7 SNR S2940-8G-v2 Switch Configuration Guide CONTENTS IX Security Function Configuration 43 ACL Configuration 43.1 Introduction to ACL 43.2 ACL Configuration Task List...
  • Page 8 SNR S2940-8G-v2 Switch Configuration Guide CONTENTS 51 SSL Configuration 51.1 Introduction to SSL 51.2 SSL Configuration Task List...
  • Page 9 SNR S2940-8G-v2 Switch Configuration Guide CONTENTS 58.4 MRPP Troubleshooting 59 ULPP Configuration 59.1 Introduction to ULPP...
  • Page 10 SNR S2940-8G-v2 Switch Configuration Guide CONTENTS XIII Debugging and Diagnosis 66 Monitor and Debug 66.1 Ping 66.2 Ping6...
  • Page 11: I Basic Management Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part I Basic Management Configuration...
  • Page 12: Switch Management

    SNR S2940-8G-v2 Switch Configuration Guide Switch management Chapter 1 Switch management 1.1 Management options After purchasing the switch, the user needs to configure the switch for network management. Switch provides two management options: in-band management and out-of-band management. 1.1.1 Out-of-Band management Out-of-band management is the management through Console interface.
  • Page 13 SNR S2940-8G-v2 Switch Configuration Guide Switch management PC application such as Hyperterminal or PuTTY - makes communication between the switch and your PC or terminal possible. 1. Start the terminal-emulation program and open a session if you are using a PC or terminal.
  • Page 14 SNR S2940-8G-v2 Switch Configuration Guide Switch management 1.1.2 In-band Management In-band management refers to the management by login to the switch using Telnet, or using HTTP, or using SNMP management software to configure the switch. In-band management enables management of the switch for some devices attached to the switch. In the case when in-band management fails due to switch configuration changes, out-of-band management can be used for configuring and managing the switch.
  • Page 15 SNR S2940-8G-v2 Switch Configuration Guide Switch management Step 2: Run Telnet Client program. Run Telnet client program with the specified Telnet target. Step 3: Login to the switch. Login to the Telnet configuration interface. Valid login name and password are required, otherwise the switch will reject Telnet access.
  • Page 16 SNR S2940-8G-v2 Switch Configuration Guide Switch management Step 2: Run HTTP protocol on the host. Open the Web browser on the host and type the IP address of the switch, or run directly the HTTP protocol on the Windows. For example, the IP address of the switch is 10.1.128.251;...
  • Page 17: Cli Interface

    SNR S2940-8G-v2 Switch Configuration Guide Switch management 1.2 CLI Interface The switch provides three management interfaces for users: CLI (Command Line Interface) interface, Web interface, SNMP network management software. We will introduce the CLI interface and Web configuration interface in detail; the Web interface is similar in function to the CLI interface and will not be covered.
  • Page 18 SNR S2940-8G-v2 Switch Configuration Guide Switch management [Figure 1.2: Shell Configuration Modes (User Mode, Admin Mode, Global Mode)] Global Mode: Typing the config command under Admin Mode enters the Global Mode prompt Switch(config)#. Using the exit command under other configuration modes, such as Port Mode or VLAN Mode, returns to Global Mode.
  • Page 19: Configuration Syntax

    SNR S2940-8G-v2 Switch Configuration Guide Switch management port-channel: Type interface port-channel <port-channel-number> command under Global Mode. Configure port-channel related settings such as duplex mode, speed, etc. Use the exit command to return to Global Mode. VLAN Mode Using the vlan <vlan-id>...
  • Page 20 SNR S2940-8G-v2 Switch Configuration Guide Switch management • show version, no parameters required. This is a command with only a keyword and no parameter, just type in the command to run. • vlan <vlan-id>, parameter values are required after the keyword.
  • Page 21: Shortcut Key Support

    SNR S2940-8G-v2 Switch Configuration Guide Switch management 1.2.3 Shortcut Key Support Switch provides several shortcut keys to facilitate user configuration, such as up, down, left, right and Blank Space. If the terminal does not recognize Up and Down keys, Ctrl+p and Ctrl+n can be used instead.
  • Page 22: Input Verification

    SNR S2940-8G-v2 Switch Configuration Guide Switch management 1.2.5 Input Verification Returned Information: success All commands entered through keyboards undergo syntax check by the Shell. Nothing will be returned if the user entered a correct command under corresponding modes and the execution is successful.
  • Page 23: Basic Switch Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration Chapter 2 Basic Switch Configuration 2.1 Basic Configuration Basic switch configuration includes commands for entering and exiting the admin mode, commands for entering and exiting interface mode, for configuring and displaying the switch clock, for displaying the version information of the switch system, etc.
  • Page 24: Telnet Management

    SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration 2.2 Telnet Management 2.2.1 Telnet Introduction to Telnet Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can login to a remote host with its IP address or hostname from his own workstation. Telnet can send the user's keystrokes to the remote host and send the remote host output to the user's screen through TCP connection.
  • Page 25 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration authentication ip access-class { <num-std> | <name> }, no authentication ip access-class: Binding standard IP ACL protocol to login with Telnet/SSH/Web; the no form command will cancel the binding ACL...
  • Page 26 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration 2. Telnet to a remote host from the switch Command Explanation Admin Mode telnet [vrf <vrf-name>] { <ip-addr> | <ipv6-addr> | host <hostname> } [<port>]: Login to a remote host with the Telnet client included in the switch.
  • Page 27: Configure Switch Ip Addresses

    SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration Example of SSH Server Configuration Example 1: Requirement: Enable SSH server on the switch, and run SSH2.0 client software such as Secure shell client or putty on the terminal. Log on the switch by using the username and password from the client.
  • Page 28: Snmp Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration 1. Enable VLAN port mode Command Explanation Global Mode interface vlan <vlan-id>, no interface vlan <vlan-id>: Create VLAN interface (layer 3 interface); the no command deletes the VLAN interface. 2. Manual configuration...
  • Page 29: Introduction To Mib

    SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration two points in the network. SNMP employs a polling mechanism of message query, and transmits messages through UDP (a connectionless transport layer protocol). Therefore it is well supported by the existing computer networks.
  • Page 30: Introduction To Rmon

    SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration on this tree contains an OID (Object Identifier) and a brief description about the node. OID is a set of integers divided by periods. It identifies the node and can be used to locate the node in a MIB tree structure.
  • Page 31 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration 7. Configure view 8. Configuring TRAP 9. Enable/Disable RMON 1. Enable or disable SNMP Agent server function Command Explanation Global Mode snmp-server enabled, no snmp-server enabled: Enable the SNMP Agent function on the switch; the no command disables the SNMP Agent function on the switch.
  • Page 32 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration 5. Configure user Global Mode. Explanation: Add a user to a SNMP group. This command is used to configure USM for SNMP v3. Command: snmp-server user <use-string> <group-string> [ { authPriv | authNoPriv } auth {
  • Page 33 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration Global Mode. Command: snmp-server host { <host-ipv4-address> | <host-ipv6-address> } { v1 | v2c | { v3 { Explanation: Set the host IPv4/IPv6 address which is used to receive SNMP Trap information. For SNMP...
  • Page 34 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration Switch(config)#snmp-server Switch(config)#snmp-server user tester UserGroup authPriv auth md5 hellotst Switch(config)#snmp-server group UserGroup AuthPriv read max write max notify max Switch(config)#snmp-server view max 1 include Scenario 4: NMS wants to receive the v3Trap messages sent by the switch.
  • Page 35: Switch Upgrade

    SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration • If Trap function is required, remember to enable Trap (use 'snmp-server enable traps' command). And remember to properly configure the target host IP address and community string for Trap (use 'snmp-server host' command) to ensure Trap message can be sent to the specified host.
  • Page 36 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration Connect with Ethernet Connect with serial port Figure 2.1: Typical topology for switch upgrade in BootROM mode [Boot]: Step 3: Under BootROM mode, run 'setconfig' to set the IP address and mask of the switch under BootROM mode and server IP address.
  • Page 37 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration Step 6: The following is the configuration for the system update image file. [Boot]: load nos.img Using switch device TFTP from server 192.168.1.66; our IP address is 192.168.1.2 Filename 'nos.img'. Load address: 0x82000000...
  • Page 38 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration [Boot]: boot img nos.img primary flash:/nos.img will be used as the primary img file at the next time! [Boot]: show boot-files The primary img file : flash:/nos.img The backup img file : flash:/nos.img...
  • Page 39 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration FTP/TFTP clients, as file list service as FTP server. Here are some terms frequently used in FTP/TFTP. ROM: Short for EPROM, erasable read-only memory. EPROM is replaced by FLASH memory in switch.
  • Page 40 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration (a) Start FTP server (b) Configure FTP login username and password (c) Modify FTP server connection idle time (d) Shut down FTP server 3. TFTP server configuration (a) Start TFTP server (b) Configure TFTP server connection idle time...
  • Page 41 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration (c)Modify FTP server connection idle time Command Explanation Global Mode ftp-server timeout <seconds> Set connection idle time. 3. TFTP server configuration (a)Start TFTP server Command Explanation Global Mode tftp-server enable Start TFTP server, the no command shuts down...
  • Page 42 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration Switch(Config-if-Vlan1)#exit Switch(config)#exit Switch#copy ftp://Switch:switch@10.1.1.1/12_30_nos.img nos.img With the above commands, the switch will have the 'nos.img' file in the computer downloaded to the FLASH. • TFTP Configuration Computer side configuration: Start TFTP server software on the computer and place the '12_30_nos.img' file to the appropriate TFTP server directory on the computer.
  • Page 43 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration Computer side configuration: Login to the switch with any TFTP client software, use the 'tftp' command to download 'nos.img' file from the switch to the computer. Scenario 4: Switch acts as FTP client to view file list on the FTP server. Synchronization conditions: The switch connects to a computer by an Ethernet port, the computer is a FTP server with an IP address of 10.1.1.1;...
  • Page 44 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration nos.img file length = 1526021 read file ok send file 150 Opening ASCII mode data connection for nos.img. 226 Transfer complete. close ftp client. • The following message is displayed when files are successfully received. Otherwise, please verify link connectivity and retry the 'copy' command.
  • Page 45 SNR S2940-8G-v2 Switch Configuration Guide Basic Switch Configuration If the switch is upgrading system file or system start up file through TFTP, the switch must not be restarted until 'close tftp client' is displayed, indicating upgrade is successful, otherwise the switch may be rendered unable to start.
  • Page 46: Port Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part II Port Configuration...
  • Page 47: Port Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Port Configuration Chapter 3 Port Configuration 3.1 Introduction to Port Switch contains Cable ports and Combo ports. The Combo ports can be configured as either 1000GX-TX ports or SFP Gigabit fiber ports. If the user needs to configure some network ports, he/she can use the interface ethernet <interface-list>...
  • Page 48 SNR S2940-8G-v2 Switch Configuration Guide Port Configuration (l) Configure interval of port-rate-statistics 3. Virtual cable test 1. Enter the Ethernet port configuration mode Command Explanation Global Mode interface ethernet <interface-list>: Enters the network port configuration mode. 2. Configure the properties for the Ethernet ports...
  • Page 49 SNR S2940-8G-v2 Switch Configuration Guide Port Configuration storm-control { unicast | broadcast | multicast } <Kbits>: Enables the storm control function for broadcasts, multicasts and unicasts with unknown destinations (short for broadcast), and sets the allowed broadcast packet number;...
  • Page 50: Port Configuration Example

    SNR S2940-8G-v2 Switch Configuration Guide Port Configuration 3.3 Port Configuration Example [Figure 3.1: Port Configuration Example] No VLAN has been configured in the switches, default VLAN1 is used. Switch Port Property Switch1 Ingress bandwidth limit: 50 M...
  • Page 51: Port Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Port Configuration 3.4 Port Troubleshooting Here are some situations that frequently occur in port configuration and the advised solutions: • Two connected fiber interfaces won't link up if one interface is set to auto-negotiation but the other to forced speed/duplex.
  • Page 52: Port Isolation Function Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Port Isolation Function Configuration Chapter 4 Port Isolation Function Configuration 4.1 Introduction to Port Isolation Function Port isolation is an independent port-based function working in an inter-port way, which isolates flows of different ports from each other. With the help of port isolation, users can isolate ports within a VLAN to save VLAN resources and enhance network security.
  • Page 53: Port Isolation Function Typical Examples

    SNR S2940-8G-v2 Switch Configuration Guide Port Isolation Function Configuration 3. Display the configuration of port isolation Command Explanation Admin Mode and Global Mode show isolate-port group [ <WORD> ]: Display the configuration of port isolation, including all configured port isolation groups and Ethernet ports in each group.
  • Page 54: Port Loopback Detection Function Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Port Loopback Detection Function Configuration Chapter 5 Port Loopback Detection Function Configuration 5.1 Introduction to Port Loopback Detection Function With the development of switches, more and more users begin to access the network through Ethernet switches. In enterprise network, users access the network through layer-2 switches, which means urgent demands for both internet and the internal layer 2 Interworking.
  • Page 55: Port Loopback Detection Function Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide Port Loopback Detection Function Configuration 5.2 Port Loopback Detection Function Configuration Task List 1. Configure the time interval of loopback detection 2. Enable the function of port loopback detection 3. Configure the control method of port loopback detection 4.
  • Page 56: Port Loopback Detection Function Example

    SNR S2940-8G-v2 Switch Configuration Guide Port Loopback Detection Function Configuration 5. Configure the loopback-detection control mode (automatic recovery enabled or not) Command Explanation Global Mode loopback-detection control-recovery timeout <0-3600>: Configure the loopback-detection control mode (automatic recovery enabled or not) or recovery time.
  • Page 57: Port Loopback Detection Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Port Loopback Detection Function Configuration 5.4 Port Loopback Detection Troubleshooting The function of port loopback detection is disabled by default and should only be enabled if required.
  • Page 58: Uldp Function Configuration

    SNR S2940-8G-v2 Switch Configuration Guide ULDP Function Configuration Chapter 6 ULDP Function Configuration 6.1 Introduction to ULDP Function Unidirectional link is a common error state of link in networks, especially in fiber links. Unidirectional link means that only one port of the link can receive messages from the other port, while the latter one can not receive messages from the former one.
  • Page 59: Uldp Configuration Task Sequence

    SNR S2940-8G-v2 Switch Configuration Guide ULDP Function Configuration [Figure 6.2: One End of Each Fiber Not Connected] The ULDP of switches recognizes remote devices and checks the correctness of link connections via interacting ULDP messages.
  • Page 60 SNR S2940-8G-v2 Switch Configuration Guide ULDP Function Configuration 1. Enable ULDP function globally Command Explanation Global Configuration Mode uldp enable, uldp disable: Globally enable or disable ULDP function. 2. Enable ULDP function on a port Command Explanation Port Configuration Mode uldp enable: Enable or disable ULDP function on a port.
  • Page 61: Uldp Function Typical Examples

    SNR S2940-8G-v2 Switch Configuration Guide ULDP Function Configuration 8. Reset the port shut down by ULDP Command Explanation Global configuration mode or port configuration mode uldp reset Reset all ports in global configuration mode; Reset the specified port in port configuration mode.
  • Page 62 SNR S2940-8G-v2 Switch Configuration Guide ULDP Function Configuration [Figure 6.3: Fiber Cross Connection] SwitchA(Config-If-Ethernet1/1)#exit SwitchA(config)#interface ethernet 1/2 SwitchA(Config-If-Ethernet1/2)#uldp enable Switch B configuration sequence: SwitchB(config)#uldp enable SwitchB(config)#interface ethernet1/3 SwitchB(Config-If-Ethernet1/3)#uldp enable SwitchB(Config-If-Ethernet1/3)#exit SwitchB(config)#interface ethernet 1/4...
  • Page 63: Uldp Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide ULDP Function Configuration 6.4 ULDP Troubleshooting Configuration Notice: • In order to ensure that ULDP can discover that one of the fiber ports is not connected or that the ports are incorrectly cross connected, the ports have to work in duplex mode and have the same rate.
  • Page 64: Lldp Function Operation Configuration

    SNR S2940-8G-v2 Switch Configuration Guide LLDP Function Operation Configuration Chapter 7 LLDP Function Operation Configuration 7.1 Introduction to LLDP Function Link Layer Discovery Protocol (LLDP) is a new protocol defined in 802.1ab. It enables neighbor devices to send notices of their own state to other devices, and enables all ports of every device to store information about them.
  • Page 65: Lldp Function Configuration Task Sequence

    SNR S2940-8G-v2 Switch Configuration Guide LLDP Function Operation Configuration Layer 2 discovery covers information like which devices have which ports, which switches connect to other devices and so on; it can also display the routes between clients, switches, routers, application servers and network servers. Such details will be very meaningful for scheduling and for investigating the source of network failure.
  • Page 66 SNR S2940-8G-v2 Switch Configuration Guide LLDP Function Operation Configuration 3. Configure the operating state of port LLDP Command Explanation Port mode lldp mode ( send | receive | both | disable ): Configure the operating state of port LLDP. 4. Configure the intervals of LLDP updating messages...
  • Page 67 SNR S2940-8G-v2 Switch Configuration Guide LLDP Function Operation Configuration 9. Configure the optional information-sending attribute of the port Command Explanation Global mode lldp transmit optional tlv [portDesc] [sysName] [sysDesc]: Configure the optional information-sending attribute of the port as the option value of default values.
  • Page 68: Lldp Function Typical Example

    SNR S2940-8G-v2 Switch Configuration Guide LLDP Function Operation Configuration 7.3 LLDP Function Typical Example In the network topology graph above, the port 1,3 of SWITCH B are connected to port 2,4 of SWITCH A. Port 1 of SWITCH B is configured to message-receiving-only mode, Option TLV of port 4 of SWITCH A is configured as portDes and SysCap.
  • Page 69: Port Channel Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Port Channel Configuration Chapter 8 Port Channel Configuration 8.1 Introduction to Port Channel To understand Port Channel, Port Group should be introduced first. Port Group is a group of physical ports in the configuration level; only physical ports in the Port Group can take part in link aggregation and become a member port of a Port Channel.
  • Page 70: Brief Introduction To Lacp

    SNR S2940-8G-v2 Switch Configuration Guide Port Channel Configuration the lowest bit of target MAC address. The calculation result will decide which port to convey the traffic. If a port in Port Channel fails, the other ports will undertake traffic of that port through a traffic allocation algorithm.
  • Page 71: Static Lacp Aggregation

    SNR S2940-8G-v2 Switch Configuration Guide Port Channel Configuration 8.2.1 Static LACP Aggregation Static LACP aggregation is enforced by user configuration and does not enable the LACP protocol. When configuring static LACP aggregation, use on mode to force the port to enter the aggregation group.
  • Page 72 SNR S2940-8G-v2 Switch Configuration Guide Port Channel Configuration 1. Creating a port group Command Explanation Global mode port-group <port-group-number>, port-group <port-group-number>: Create or delete a port group. 2. Add physical ports to the port group Command Explanation Port mode port-group <port-group-...
  • Page 73: Port Channel Examples

    SNR S2940-8G-v2 Switch Configuration Guide Port Channel Configuration 7. Set the timeout mode of the current port in LACP protocol Command Explanation Port mode lacp timeout { short | long } Set the timeout mode in LACP protocol. The no command restores the default value.
  • Page 74: Port Channel Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Port Channel Configuration Switch1(Config-If-Ethernet1/1)#exit Switch1(config)#interface ethernet 1/2 Switch1(Config-If-Ethernet1/2)#port-group 1 mode on Switch1(Config-If-Ethernet1/2)#exit Switch1(config)#interface ethernet 1/3 Switch1(Config-If-Ethernet1/3)#port-group 1 mode on Switch1(Config-If-Ethernet1/3)#exit Switch1(config)#interface ethernet 1/4 Switch1(Config-If-Ethernet1/4)#port-group 1 mode on Switch1(Config-If-Ethernet1/4)#exit Switch2#config Switch2(config)#port-group 2 Switch2(config)#interface ethernet 1/6 Switch2(Config-If-Ethernet1/6)#port-group 2 mode on...
  • Page 75: Mtu Configuration

    SNR S2940-8G-v2 Switch Configuration Guide MTU Configuration Chapter 9 MTU Configuration 9.1 Introduction to MTU So far the Jumbo (Jumbo Frame) has not reached a determined standard in the industry (including the format and length of the frame). Normally frames sized within 1519-9000 should be considered jumbo frames.
  • Page 76: Efm Oam Configuration

    SNR S2940-8G-v2 Switch Configuration Guide EFM OAM Configuration Chapter 10 EFM OAM Configuration 10.1 Introduction to EFM OAM Ethernet is designed for Local Area Network at the beginning, but link length and network scope is extended rapidly while Ethernet is also applied to Metropolitan Area Network and Wide Area Network along with development.
  • Page 77: Link Monitoring

    SNR S2940-8G-v2 Switch Configuration Guide EFM OAM Configuration Figure 10.1: OAM location in OSI model OAM entity receives no Information OAMPDU for five seconds, the Ethernet OAM connection is disconnected. 10.1.2 Link Monitoring Fault detection in an Ethernet is difficult, especially when the physical connection in the network is not disconnected but network performance is degrading gradually.
  • Page 78: Remote Fault Detection

    SNR S2940-8G-v2 Switch Configuration Guide EFM OAM Configuration 10.1.3 Remote Fault Detection In a network where traffic is interrupted due to device failures or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer.
  • Page 79: Efm Oam Configuration

    SNR S2940-8G-v2 Switch Configuration Guide EFM OAM Configuration nection to monitor the link fault in the First Mile with Ethernet access. For user, the connection between user to telecommunication is the First Mile, for service provider, it is the Last Mile.
  • Page 80 SNR S2940-8G-v2 Switch Configuration Guide EFM OAM Configuration Command Explanation Port mode ethernet-oam errored-frame { threshold low <low-frames> | window <seconds> }: Configure the low threshold and window period of errored frame event, no command restores the default value. (op-...
  • Page 81: Efm Oam Example

    SNR S2940-8G-v2 Switch Configuration Guide EFM OAM Configuration 10.3 EFM OAM Example Example: CE and PE devices with point-to-point link enable EFM OAM to monitor the First Mile link performance. It will report the log information to network management system when occurring...
  • Page 82: Efm Oam Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide EFM OAM Configuration 10.4 EFM OAM Troubleshooting If a problem occurs when using EFM OAM, please check whether it is caused by the following reasons: • Check whether the OAM entities of both peers of the link are in passive mode. If so, an EFM OAM connection can not be established between the two OAM entities.
  • Page 83: Port Security

    SNR S2940-8G-v2 Switch Configuration Guide Port Security Chapter 11 Port Security 11.1 Introduction to Port Security Port security is a MAC address-based security mechanism for network access controlling. It is an extension to the existing 802.1x authentication and MAC authentication. It controls the ac-...
  • Page 84: Example Of Port Security

    SNR S2940-8G-v2 Switch Configuration Guide Port Security Port mode. Command: switchport port-security violation { protect | restrict | shutdown }, no switchport port-security viola- Explanation: When exceeding the maximum number of the configured MAC addresses, MAC address accessing the interface does...
  • Page 85: Port Security Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Port Security Switch(config-if-ethernet1/0/1)#switchport port-security maximum 10 Switch(config-if-ethernet1/0/1)#exit Switch(config)# 11.4 Port Security Troubleshooting If problems occur when configuring Port Security, please check whether the problem is caused by the following reasons: • Check whether Port Security is enabled normally...
  • Page 86: Ddm Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DDM Configuration Chapter 12 DDM Configuration 12.1 Introduction to DDM 12.1.1 Brief Introduction to DDM DDM (Digital Diagnostic Monitor) makes the detailed digital diagnostic function standard in SFF-8472 MSA. It specifies that the parameter signal is monitored and digitized on the circuit board inside the module.
  • Page 87: Ddm Function

    SNR S2940-8G-v2 Switch Configuration Guide DDM Configuration 3. Compatibility verification Compatibility verification is used to analyze whether the environment of the module accords the data manual or it is compatible with the corresponding standard, because the module capability is able to be ensured only in the compatible environment. Sometimes, environment parameters exceed the data manual or the corresponding standard, it will make the falling of the module capability that result in the transmission error.
  • Page 88: Ddm Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide DDM Configuration 12.2 DDM Configuration Task List DDM configuration task list: 1. Show the real-time monitoring information of the transceiver 2. Configure the alarm or warning thresholds of each parameter for the transceiver 3. Configure the state of the transceiver monitoring...
  • Page 89: Examples Of DDM

    SNR S2940-8G-v2 Switch Configuration Guide DDM Configuration (b) Configure the enable state of the transceiver monitoring Command Explanation Port mode transceiver-monitoring { enable | disable } Set whether the transceiver monitoring is enabled. Only when the port enables the transceiver monitoring does the system record the abnormal state.
  • Page 90 SNR S2940-8G-v2 Switch Configuration Guide DDM Configuration 1/22 1/23 5.00(W+) 6.11 -20.54(W-) -6.02 c) Show the detailed information, including base information, parameter value of the real-time monitoring, warning, alarm, abnormity state and threshold information, for example: Switch#show transceiver interface ethernet 1/21-22;24 detail...
  • Page 91 SNR S2940-8G-v2 Switch Configuration Guide DDM Configuration RX loss of signal Voltage high RX power low Detail diagnostic and threshold information: Diagnostic Threshold Realtime High Alarm Low Alarm High Warn Low Warn ---------- ---------- --------- --------- --------- Temperature Voltage(V) 7.31(A+) 5.00...
  • Page 92: DDM Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide DDM Configuration Switch(config)#show transceiver threshold-violation interface ethernet 1/21-22 Ethernet 1/21 transceiver threshold-violation information: Transceiver monitor is disabled. Monitor interval is set to 30 minutes. The last threshold-violation doesn't exist. Ethernet 1/22 transceiver threshold-violation information: Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
  • Page 93 SNR S2940-8G-v2 Switch Configuration Guide DDM Configuration • Ensure that SNMP configuration is valid, or else the warning event cannot inform the network management system. • Because only some boards and box switches support SFP with DDM or XFP with DDM, ensure the used board and switch support the corresponding function.
  • Page 94: LLDP-MED

    SNR S2940-8G-v2 Switch Configuration Guide LLDP-MED Chapter 13 LLDP-MED 13.1 Introduction to LLDP-MED LLDP-MED (Link Layer Discovery Protocol-Media Endpoint Discovery) is based on IEEE 802.1AB LLDP (Link Layer Discovery Protocol). LLDP provides a standard link layer discovery mode: it sends local device information (including its major capability, management IP address, device ID and port ID) as TLV (type/length/value) triplets in LLDPDU (Link Layer Discovery Protocol Data Unit) to the directly connected neighbors.
  • Page 95 SNR S2940-8G-v2 Switch Configuration Guide LLDP-MED Command Explanation Port mode lldp transmit med tlv inventory no lldp transmit med tlv inventory Configure the port to send LLDP-MED Inventory Management TLVs. The no command disables the capability. network policy { voice | voice-...
  • Page 96: LLDP-MED Example

    SNR S2940-8G-v2 Switch Configuration Guide LLDP-MED Command Explanation Admin mode show lldp Show the configuration of the global LLDP and LLDP-MED. show lldp [ interface ethernet <IFNAME> ] Show the configuration of LLDP and LLDP-MED on the current port.
  • Page 97 SNR S2940-8G-v2 Switch Configuration Guide LLDP-MED 3) Verify the configuration # Show the global status and interface status on Switch A. SwitchA# show lldp neighbors interface ethernet 1/0/1 Port name : Ethernet1/0/1 Port Remote Counter : 1 TimeMark :20 ChassisIdSubtype :4...
  • Page 98: LLDP-MED Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide LLDP-MED Port Remote Counter: 1 Neighbor Index: 1 Port name : Ethernet1/2 Port Remote Counter : 1 TimeMark :20 ChassisIdSubtype :4 ChassisId :f8-f0-82-00-00-02 PortIdSubtype :Local PortId :1 PortDesc :Ethernet1/0/1 SysName :**** SysDesc :***** SysCapSupported :4...
  • Page 99: BPDU-Tunnel Configuration

    SNR S2940-8G-v2 Switch Configuration Guide BPDU-Tunnel Configuration Chapter 14 BPDU-Tunnel Configuration 14.1 Introduction to bpdu-tunnel BPDU Tunnel is a Layer 2 tunnel technology. It allows Layer 2 protocol packets of geographically dispersed private network users to be transparently transmitted over specific tunnels across a service provider network.
  • Page 100: BPDU-Tunnel Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide BPDU-Tunnel Configuration ISP Network User A network 1 User A network 2 VLAN 100 VLAN 100 Figure 14.1: BPDU Tunnel application 14.2 bpdu-tunnel Configuration Task List bpdu-tunnel configuration task list: 1. Configure tunnel MAC address globally 2.
  • Page 101: BPDU-Tunnel Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide BPDU-Tunnel Configuration With BPDU Tunnel, Layer 2 protocol packets from user's networks can be passed over the service provider network in the following workflow: 1. After receiving a Layer 2 protocol packet from network 1 of user A, PE 1 in the service provider network encapsulates the packet, replaces its destination MAC address with a specific multicast MAC address, and then forwards the packet in the service provider network.
  • Page 102: CFM-OAM Configuration

    SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration Chapter 15 CFM-OAM Configuration 15.1 Overview Since Ethernet technology was born, its simple and low-cost characteristics have made it the dominant technology in the local area network. Recently, Gigabit and faster Ethernet have been applied one after the other, which urges network providers, equipment manufacturers and standards bodies to advance Ethernet technology into metropolitan and wide area networks.
  • Page 103: CFM OAM Basic Concept

    SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration • ITU-Y.1731: OAM functions and mechanisms for Ethernet based network • MEF E-LMI: Ethernet Local Management Interface EFM OAM and CFM are both defined by the IEEE. EFM OAM works at the data link layer and, as shown in Figure 15.1, can discover and manage the lower layer's data links effectively.
  • Page 104 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration Service Provider Domain Metro-1 Core Metro-3 Operator Domain Metro-2 Customer Domain Figure 15.1: Maintenance Domain vlanIds, there is a vlan that is a primary vlan. In the MD, the case of one vlanId corresponding to multiple MAs is uncertain, so it is left out of account for the moment.
  • Page 105: Introduction Of CFM OAM Function

    SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration In simpler words, a MEP that sends and receives CFM messages through the local port is a Down MEP; otherwise, it is an Up MEP. A MEP inherits the attributes of the MD and MA in which it is located.
  • Page 106 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration • If a MEP receives a wrong MEPID or MAID, there is an internal configuration failure in the MA or a cross connection failure; • If a MEP receives CCM messages of a lower level, there is an internal configuration failure in the MA or a cross connection failure;...
  • Page 107 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration MEP2 MEP1 MEP3 Figure 15.4: Path discovery sketch map detect whether it can reach the destination device. The specific process is as follows: the MEP sends a unicast message (LBM) whose destination address is the remote MP.
  • Page 108: CFM OAM Basic Function Configuration

    SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration 15.3.4 Inform of Failure After CFM detects a link failure, there are several methods to handle it: • After detecting the link failure, the MEP sends an SNMP TRAP message to the management node to report that a failure occurred;...
  • Page 109 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration 15.4.2 CFM OAM Configuration Task List 1. Select to enable CFM OAM function mode 2. Enable CFM OAM function globally 3. Enable y1731 function globally (selectable) 4. Create MD 5. Create MA 6. Create MEP 7.
  • Page 110 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration 4. Create MD Command Explanation Global mode ethernet cfm domain < domain-name > level < level-id > Build up MD: enter into the MD configuration mode. If the MD is created successfully, the level will not be allowed no ethernet cfm domain <...
  • Page 111 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration 7. Configure RMEP Command Explanation MA Configuration Mode continuity-check receive rmep <mep-id> [active time < time >] Open CCM message receiving function and build up rmep in MA. If the mepid in an MA has been configured as MEP,...
  • Page 112: CFM OAM Failure Confirmation

    SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration 10. Configure CC sending and detecting Command Explanation MA Configuration Mode continuity-check enable no continuity-check enable Use this command to enable the CCM message sending and receiving functions of the maintenance point. The no command cancels local CCM packet sending and detection.
  • Page 113: CFM OAM Failure Orientation

    SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration The following data are needed for manual failure inspection: Serial number Data MD name MA name Destination MEP ID or MAC The required number, size and timeout of messages sent by the loopback function.
  • Page 114 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration 15.6.2 CFM OAM Failure Orientation Task List 1. Implement linktrace function Command Explanation Admin Mode traceroute ethernet { target-mep < target-mep-id > | target-mac Check the path from the specified maintenance point to the target point.
  • Page 115: ULPP Linkage (Selectable)

    SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration 15.7 ULPP Linkage (Selectable) 15.7.1 ULPP Linkage Task List 1. Configure ulpp linkage • Configure according to the topology and ensure the CC function is running normally. • Configure the ULPP function first. • ULPP linkage works only with down MEPs.
  • Page 116 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration 1. Configuration approach: Use the following approach to configure the ULPP linkage function: • Create the VLAN and add the related ports to the corresponding VLAN. • Create the MD link_A with level 4 on S1 and S2 •...
  • Page 117: Example Of Configuration Application

    SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration Use the same method to configure the receiving port 1/2 in S3 to receive flush messages (4) Configure ulpp linkage in S1 # Configure ulpp linkage on port 1/1 in S1 Switch(config-if-ethernet1/1)#switchport ulpp group 1 track cfm level 4 3.
  • Page 118 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration Figure 15.7 below illustrates the CFM configuration application. To inspect the link status, follow the steps shown below to perform the configuration.
  • Page 119 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration Switch(config-if-ethernet1/1)#ethernet cfm mep 1 domain customer_A service MA1 # Build up MEP list as 1-4 in the MA1 of S2, configure RMEP 1;3-4, and build # up the Ethernet1/1 on MEP2. Switch(config-ecfm-srv)#mep mepid 1-4 Switch(config-ecfm-srv)#continuity-check receive rmep 1;3-4...
  • Page 120: CFM Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration # Ethernet1/2 on MEP2. Switch(config-ecfm-srv)#mep mepid 1-2 Switch(config-ecfm-srv)#continuity-check receive rmep 1 Switch(config-ecfm-srv)#exit Switch(config-ecfm)#exit Switch(config)#interface ethernet 1/2 Switch(config-if-ethernet1/2)#ethernet cfm mep 2 domain customer_A service MA2 (7) Start the sending and receiving function of CCM information in S1, S2, S3, S4 in MA1...
  • Page 121 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration – MA name: a string of 1∼43 characters. It can consist of letters, numbers and underscores, and the first and the last character cannot be an underscore. The combined length of the MA name and the domain name cannot exceed 44 characters.
  • Page 122 SNR S2940-8G-v2 Switch Configuration Guide CFM-OAM Configuration • A MIP is generated only when the port status is UP; one port generates only one MIP per vlan; a lower MIP has higher priority for generation.
  • Page 123: VLAN And MAC Table Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part III VLAN and MAC Table Configuration...
  • Page 124: VLAN Configuration

    SNR S2940-8G-v2 Switch Configuration Guide VLAN Configuration Chapter 16 VLAN Configuration 16.1 Introduction to VLAN VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements.
  • Page 125: VLAN Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide VLAN Configuration • Saving network resources • Simplifying network management • Lowering network cost • Enhancing network security Switch Ethernet ports can work in three modes: Access, Hybrid and Trunk. Each mode uses a different method to process tagged and untagged packets when forwarding.
  • Page 126 SNR S2940-8G-v2 Switch Configuration Guide VLAN Configuration 1. Create or delete VLAN Command Explanation Global mode vlan WORD Create/delete VLAN or enter VLAN Mode no vlan WORD 2. Set or delete VLAN name Command Explanation VLAN mode name <vlan-name> Set or delete VLAN name.
  • Page 127 SNR S2940-8G-v2 Switch Configuration Guide VLAN Configuration 7. Set Hybrid port Command Explanation Port mode switchport hybrid allowed vlan { WORD | all | add WORD | except WORD | remove WORD } { tag | untag } Set/delete the VLAN which is al-...
  • Page 128: Typical VLAN Application

    SNR S2940-8G-v2 Switch Configuration Guide VLAN Configuration 16.3 Typical VLAN Application Scenario: VLAN2 VLAN100 VLAN200 Switch A Trunk Link Switch B VLAN2 VLAN100 VLAN200 Figure 16.2: Typical VLAN Application Topology The existing LAN is required to be partitioned into 3 VLANs due to security and application requirements.
  • Page 129: Typical Application Of Hybrid Port

    SNR S2940-8G-v2 Switch Configuration Guide VLAN Configuration Switch(Config-Vlan200)#switchport interface ethernet 1/8-10 Switch(Config-Vlan200)#exit Switch(config)#interface ethernet 1/11 Switch(Config-If-Ethernet1/11)#switchport mode trunk Switch(Config-If-Ethernet1/11)#exit Switch B: Switch(config)#vlan 2 Switch(Config-Vlan2)#switchport interface ethernet 1/2-4 Switch(Config-Vlan2)#exit Switch(config)#vlan 100 Switch(Config-Vlan100)#switchport interface ethernet 1/5-7 Switch(Config-Vlan100)#exit Switch(config)#vlan 200 Switch(Config-Vlan200)#switchport interface ethernet 1/8-10...
  • Page 130 SNR S2940-8G-v2 Switch Configuration Guide VLAN Configuration Configuration items are as follows: Port Type PVID the VLANs are allowed to pass Port 1/10 of Switch A Access Allow the packets of VLAN 10 to pass with untag method. Port 1/10 of Switch B...
  • Page 131: Dot1q-Tunnel Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Dot1q-tunnel Configuration Chapter 17 Dot1q-tunnel Configuration 17.1 Introduction to Dot1q-tunnel Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an extension of 802.1Q. Its central idea is encapsulating the customer VLAN tag (CVLAN tag) within the service provider VLAN tag (SPVLAN tag).
  • Page 132: Dot1q-Tunnel Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Dot1q-tunnel Configuration identical to the one sent by CE1. For the user, the role the operator network plays between PE1 and PE2 is to provide a reliable layer-2 link. Dot1q-tunnel technology gives the ISP network the ability to support many client VLANs using only one VLAN of its own.
  • Page 133: Dot1q-Tunnel Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Dot1q-tunnel Configuration to public network, the TPID of the connected equipment is 9100; port1 of PE2 is connected to CE2, port10 is connected to public network. Configuration Item Configuration Explanation VLAN3 Port1 of PE1 and PE2.
  • Page 134: Selective QinQ Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Selective QinQ Configuration Chapter 18 Selective QinQ Configuration 18.1 Introduction to Selective QinQ Selective QinQ is an enhanced application for dot1q tunnel function. It is able to tag packets (they are received by the same port) with different outer VLAN tags based on different inner VLAN tags according to user’s requirement, so it is able to implement that packets of different types are...
  • Page 135: Typical Applications Of Selective QinQ

    SNR S2940-8G-v2 Switch Configuration Guide Selective QinQ Configuration Switch B E1/9 VLAN1000/2000 E1/2 E1/1 E1/9 Switch A E1/1 E1/2 VLAN 100-200 VLAN 201-300 VLAN 100-200 VLAN 201-300 Figure 18.1: Selective QinQ application 18.3 Typical Applications of Selective QinQ 1. Ethernet1/1 of SwitchA provides public network access for PC users and Ethernet 1/2 of SwitchA provides public network access for IP phone users.
  • Page 136: Selective QinQ Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Selective QinQ Configuration switch(config-if-ethernet1/1)#dot1q-tunnel selective enable # Configure Ethernet 1/2 as a hybrid port and configure it to remove # VLAN tags when forwarding packets of VLAN 2000. switch(config-if-ethernet1/2)#switchport mode hybrid switch(config-if-ethernet1/2)#switchport hybrid allowed vlan 2000 untag...
  • Page 137: VLAN-Translation Configuration

    SNR S2940-8G-v2 Switch Configuration Guide VLAN-translation Configuration Chapter 19 VLAN-translation Configuration 19.1 Introduction to VLAN-translation VLAN translation, as the name suggests, translates the original VLAN ID to a new VLAN ID according to user requirements so that data can be exchanged across different VLANs. VLAN translation is classified into ingress translation and egress translation, which switch over the VLAN ID at the ingress or the egress respectively.
  • Page 138: Typical Application Of VLAN-Translation

    SNR S2940-8G-v2 Switch Configuration Guide VLAN-translation Configuration 3. Configure whether the packet is dropped when checking VLAN-translation fails Command Explanation Port mode vlan-translation miss drop { in | out | both } no vlan-translation miss drop { in | out | both } Configure the VLAN-translation packet dropped on port if there is any failure.
  • Page 139: VLAN-Translation Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide VLAN-translation Configuration switch(Config-Ethernet1/0/1)#vlan-translation 3 to 20 out switch(Config-Ethernet1/0/1)#exit switch(Config)#interface ethernet 1/0/10 switch(Config-Ethernet1/0/10)#switchport mode trunk switch(Config-Ethernet1/0/10)#exit 19.4 VLAN-translation Troubleshooting Normally the VLAN-translation is applied on trunk ports. Normally before using the VLAN-translation, the dot1q-tunnel function needs to be enabled first, to adapt double tag data packet processes VLAN-translation.
  • Page 140: Multi-To-One VLAN Translation Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Multi-to-One VLAN Translation Configuration Chapter 20 Multi-to-One VLAN Translation Configuration 20.1 Introduction to Multi-to-One VLAN Translation Multi-to-One VLAN translation translates the original VLAN ID into the new VLAN ID according to user's requirement on uplink traffic, and restores the original VLAN ID on downlink traffic.
  • Page 141: Typical Application Of Multi-To-One VLAN Translation

    SNR S2940-8G-v2 Switch Configuration Guide Multi-to-One VLAN Translation Configuration 20.3 Typical application of Multi-to-One VLAN Translation Scenario: UserA, userB and userC belong to VLAN1, VLAN2, VLAN3 respectively. Before entering the network layer, data traffic of userA, userB and userC is translated into VLAN 100 by Ethernet1/0/1 of edge switch1.
  • Page 142 SNR S2940-8G-v2 Switch Configuration Guide Multi-to-One VLAN Translation Configuration • The same MAC address should not exist in the original and the translated VLAN. • Check whether the hardware resource of the chip is able to ensure all clients to work normally.
  • Page 143: Dynamic VLAN Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Dynamic VLAN Configuration Chapter 21 Dynamic VLAN Configuration 21.1 Introduction to Dynamic VLAN Dynamic VLAN is named in contrast to static VLAN (namely the port-based VLAN). Dynamic VLAN supported by the switch includes MAC-based VLAN, IP-subnet-based VLAN and Protocol-based VLAN.
  • Page 144 SNR S2940-8G-v2 Switch Configuration Guide Dynamic VLAN Configuration 4. Configure the IP-subnet-based VLAN function on the port 5. Configure the correspondence between the IP subnet and the VLAN 6. Configure the correspondence between the Protocols and the VLAN 7. Adjust the priority of the dynamic VLAN 1.
  • Page 145: Typical Application Of The Dynamic VLAN

    SNR S2940-8G-v2 Switch Configuration Guide Dynamic VLAN Configuration 6. Configure the correspondence between the Protocols and the VLAN Command Explanation Global mode protocol-vlan mode { ethernetii etype <etype-id> | llc { dsap <dsap-id> ssap <ssap-id> } | snap etype <etype-id> } vlan <vlan-id> Add/delete the correspondence between the Protocols and the...
  • Page 146: Dynamic VLAN Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Dynamic VLAN Configuration For example, M at E1/0/1 of SwitchA, then the configuration procedures are as follows: Switch A: SwitchA(Config)#mac-vlan mac f8-f0-82-11-22-33 vlan 100 priority 0 SwitchA(Config)#interface ethernet 1/0/1 SwitchA(Config-Ethernet1/0/1)#switchport mode hybrid SwitchA(Config-Ethernet1/0/1)#switchport hybrid allowed vlan 100 untagged...
  • Page 147: GVRP Configuration

    SNR S2940-8G-v2 Switch Configuration Guide GVRP Configuration Chapter 22 GVRP Configuration 22.1 Introduction to GVRP GVRP, i.e. GARP VLAN Registration Protocol, is an application of GARP (Generic Attribute Registration Protocol). GARP is mainly used to establish an attribute transmission mechanism to transmit attributes, so that protocol entities can register and deregister the attribute.
  • Page 148: GVRP Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide GVRP Configuration 22.2 GVRP Configuration Task List GVRP configuration task list: 1. Configure GVRP timer 2. Configure port type 3. Enable GVRP function 1. Configure GVRP timer Command Explanation Global mode garp timer join <200-500>...
  • Page 149: Example Of GVRP

    SNR S2940-8G-v2 Switch Configuration Guide GVRP Configuration 22.3 Example of GVRP GVRP application: Switch A Switch B Switch C Figure 22.2: Typical GVRP Application Topology To enable dynamic VLAN information register and update among switches, GVRP protocol is to be configured in the switch. Configure GVRP in Switch A, B and C, enable Switch B to learn VLAN100 dynamically so that two workstations connected to VLAN100 in Switch A and C can communicate with each other through Switch B without static VLAN100 entries.
  • Page 150: GVRP Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide GVRP Configuration Switch(config)#interface ethernet 1/11 Switch(Config-If-Ethernet1/11)#switchport mode trunk Switch(Config-If-Ethernet1/11)#gvrp Switch(Config-If-Ethernet1/11)#exit Switch C: Switch(config)#gvrp Switch(config)#vlan 100 Switch(Config-Vlan100)#switchport interface ethernet 1/2-6 Switch(Config-Vlan100)#exit Switch(config)#interface ethernet 1/11 Switch(Config-If-Ethernet1/11)#switchport mode trunk Switch(Config-If-Ethernet1/11)#gvrp Switch(Config-If-Ethernet1/11)#exit 22.4 GVRP Troubleshooting The GARP counter setting for Trunk ports in both ends of Trunk link must be the same, otherwise GVRP will not work normally.
  • Page 151: Voice VLAN Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Voice VLAN Configuration Chapter 23 Voice VLAN Configuration 23.1 Introduction to Voice VLAN Voice VLAN is specially configured for user voice data traffic. By setting a Voice VLAN and adding the ports of the connected voice equipment to the Voice VLAN, the user will be able to configure QoS (Quality of Service) for voice data, and raise the transmission priority of voice data traffic to ensure call quality.
  • Page 152: Typical Applications Of The Voice VLAN

    SNR S2940-8G-v2 Switch Configuration Guide Voice VLAN Configuration 1. Configure the VLAN to Voice VLAN Command Explanation Global mode voice-vlan vlan <vlan-id> Set/cancel the VLAN as a Voice VLAN no voice-vlan 2. Add a Voice equipment to a Voice VLAN...
  • Page 153: Voice VLAN Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Voice VLAN Configuration Configuration procedure: Switch 1: Switch(config)#vlan 100 Switch(Config-Vlan100)#exit Switch(config)#voice-vlan vlan 100 Switch(config)#voice-vlan mac f8-f0-82-11-22-33 mask 255 priority 5 name company Switch(config)#voice-vlan mac f8-f0-82-11-22-55 mask 255 priority 5 name company Switch(config)#interface ethernet 1/0/10 Switch(Config-If-Ethernet1/0/10)#switchport mode trunk...
  • Page 154: MAC Table Configuration

    SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration Chapter 24 MAC Table Configuration 24.1 Introduction to MAC Table The MAC table is a table that identifies the mapping relationship between destination MAC addresses and switch ports. MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses.
  • Page 155: Forward Or Filter

    SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration 2. At the same time, the switch learns the message is destined to 00-01-33-33-33-33. As the MAC table contains only a mapping entry of MAC address 00-01-11-11-11-11 and port1/5, and no port mapping for 00-01-33-33-33-33 is present, the switch broadcasts this message to all the ports in the switch (assuming all ports belong to the default VLAN1).
  • Page 156: MAC Address Table Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration 1. Forward data according to the MAC table If PC1 sends a message to PC3, the switch will forward the data received on port 1/5 from port 1/12. 2. Filter data according to the MAC table If PC1 sends a message to PC2, the switch, on checking the MAC table, will find PC2 and PC1 are in the same physical segment and filter the message (i.e.
  • Page 157: Typical Configuration Examples

    SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration 2. Configure static MAC forwarding or filter entry Command Explanation Global Mode mac-address-table { static | static-multicast | blackhole } address <mac-addr> vlan <vlan-id > [interface ethernet <interface-name>] | [source | destination | both] Configure static MAC entries, static multicast MAC entries, filter address...
  • Page 158: MAC Table Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration The configuration steps are listed below: 1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address. Switch(config)#mac-address-table static 00-01-11-11-11-11 discard vlan 1 2. Set the static mapping relationship for PC2 and PC3 to port 1/7 and port 1/9, respectively.
  • Page 159 SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration MAC Address Binding Configuration Task List 1. Enable MAC address binding function for the ports 2. Lock the MAC addresses for a port 3. MAC address binding property configuration 4. mac-notification trap configuration 1.
  • Page 160 SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration 3. MAC address binding property configuration Command Explanation Port Mode switchport port-security maximum <value> Set the maximum number of secure MAC addresses for a port; the 'no switchport port-security maximum' command restores the default value. no switchport port-security max-
  • Page 161: MAC Notification Configuration

    SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration 24.6 MAC Notification Configuration 24.6.1 Introduction to MAC Notification The MAC Notification function is based on notifications. When a MAC address is added or removed, namely when a device is added or removed, it notifies the administrator of the change through the SNMP trap function.
  • Page 162 SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration 3. Configure the interval for sending MAC notification Command Explanation Global mode mac-address-table notification interval <0-86400> Configure the interval for sending the MAC address notification; the no command restores the default interval.
  • Page 163 SNR S2940-8G-v2 Switch Configuration Guide MAC Table Configuration Switch(config)#mac-address-table notification interval 5 Switch(config)#mac-address-table notification history-size 100 Switch(Config-If-Ethernet1/4)#mac-notification both 24.6.4 MAC Notification Troubleshooting Check whether trap message is sent successfully by show command and debug command of snmp.
  • Page 164: MSTP Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part IV MSTP Configuration...
  • Page 165: MSTP Configuration

    SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration Chapter 25 MSTP Configuration 25.1 Introduction to MSTP The MSTP (Multiple STP) is a new spanning-tree protocol which is based on the STP and the RSTP. It runs on all the bridges of a bridged-LAN. It calculates a common and internal spanning tree (CIST) for the bridge-LAN which consists of the bridges running the MSTP, the RSTP and the STP.
  • Page 166 SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration Root Root REGION Figure 25.1: Example of CIST and MST Region configured in the same MST region, MSTP will treat this region as a bridge. Therefore, one port between Bridge B and Root is blocked and one port on Bridge D is blocked.
  • Page 167: MSTP Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration 25.1.2 Port Roles The MSTP bridge assigns a port role to each port which runs MSTP. • CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port • On top of those roles, each MSTI port has one new role: Master Port.
  • Page 168 SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration Port Mode spanning-tree mcheck Force the port to migrate to run under MSTP. 2. Configure instance parameters Command Explanation Global Mode spanning-tree mst <instance-id> priority <bridge-priority> no spanning-tree mst <instance-id> priority Set bridge priority for specified instance. spanning-tree priority <bridge-priority>...
  • Page 169 SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration abort Quit MSTP region mode and return to Global mode without saving MSTP region configuration. exit Quit MSTP region mode and return to Global mode with saving MSTP region configuration. Cancel one command or set initial value.
  • Page 170 SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration spanning-tree port-priority Set the port priority. no spanning-tree port-priority spanning-tree rootguard Set the port is root port. no spanning-tree rootguard Global Mode spanning-tree transmit-hold-count <tx-hold-count-value> Set the max transmit-hold-count of port. no spanning-tree transmit-hold-...
  • Page 171: MSTP Example

    SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration 25.3 MSTP Example The following is a typical MSTP application example: Figure 25.2: Typical MSTP Application Scenario The connections among the switches are shown in the above figure. All the switches run in the MSTP mode by default, their bridge priority, port priority and port route cost are all in the default values (equal).
  • Page 172 SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration Configuration Steps: Step 1: Configure port to VLAN mapping: • Create VLAN 20, 30, 40, 50 in Switch2, Switch3 and Switch4. • Set ports 1-7 as trunk ports in Switch2, Switch3 and Switch4.
  • Page 173 SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration
      Switch3(config)#vlan 50
      Switch3(Config-Vlan50)#exit
      Switch3(config)#spanning-tree mst configuration
      Switch3(Config-Mstp-Region)#name mstp
      Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
      Switch3(Config-Mstp-Region)#instance 4 vlan 40;50
      Switch3(Config-Mstp-Region)#exit
      Switch3(config)#interface e1/0/1-7
      Switch3(Config-Port-Range)#switchport mode trunk
      Switch3(Config-Port-Range)#exit
      Switch3(config)#spanning-tree
      Switch3(config)#spanning-tree mst 3 priority 0
      Switch4:
      Switch4(config)#vlan 20
      Switch4(Config-Vlan20)#exit...
  • Page 174 SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration Figure 25.3: The Topology Of the Instance 0 after the MSTP Calculation Figure 25.4: The Topology Of the Instance 3 after the MSTP Calculation...
  • Page 175: Mstp Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide MSTP Configuration Figure 25.5: The Topology Of the Instance 4 after the MSTP Calculation 25.4 MSTP Troubleshooting • In order to run the MSTP on the switch port, the MSTP has to be enabled globally. If the MSTP is not enabled globally, it can't be enabled on the port.
  • Page 176: Qos And Flow-Based Redirection Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part V QoS and Flow-based Redirection Configuration...
  • Page 177: Qos Configuration

    SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration Chapter 26 QoS Configuration 26.1 Introduction to QoS QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services for network traffic, thereby providing better service for selected network traffic. QoS is a guarantee for service quality of consistent and predictable data transfer service to fulfill program requirements.
  • Page 178: Qos Implementation

    SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration [Figure 26.2: ToS priority. Layer 3 IPv4 packet; the ToS field is 1 byte and carries IP precedence or DSCP] MPLS TC (EXP): [Figure 26.3: MPLS TC. Labels: 0x8847, Label (20 bits)] A field of the MPLS packet indicates the service class; it is 3 bits, ranging from 0 to 7.
  • Page 179: Basic Qos Model

    SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration Based on differentiated service, QoS specifies a priority for each packet at the ingress. The classification information is carried in the Layer 3 IP packet header or the Layer 2 802.1Q frame header. QoS provides the same service to packets of the same priority, while offering different operations for packets of different priority.
  • Page 180 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration Classification: Classify traffic according to packet classification information and generate internal priority and drop precedence based on the classification information. For different packet types and switch configurations, classification is performed differently; the flowchart below explains this...
  • Page 181 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration Policing and remark: Each packet in classified ingress traffic is assigned an internal priority value and a drop precedence value, and can be policed and remarked. Policing can be performed based on the flow to configure different policies that allocate bandwidth to classified traffic; the assigned bandwidth policy may be dual bucket dual color or dual bucket three color.
  • Page 182 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration Queuing and scheduling: Egress packets carry an internal priority and a drop precedence; the queuing operation assigns the packets to different priority queues according to the internal priority, while the scheduling operation performs the packet forwarding according to the priority queue weight and the drop precedence.
  • Page 183: Qos Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration 26.2 QoS Configuration Task List 1. Configure class map Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedent, DSCP, IPV6 FL to classify the data stream. Different classes of data streams will be processed with different policies.
  • Page 184 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration 2. Configure a policy map. Command | Explanation (Global Mode): policy-map <policy-map-name> / no policy-map <policy-map-name>: Create a policy map and enter policy map mode; the no command deletes the specified policy map. class <class-map-name> [insert-before <class-map-name>]: After a policy map is created, it can be as...
  • Page 185 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration 3. Apply QoS to port or VLAN interface. Policy class map configuration mode: drop / no drop / transmit / no transmit: Drop or transmit data packets that match the class; the no command cancels the assigned action. 3.
  • Page 186: Qos Example

    SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration 5. Configure QoS mapping Command Explanation Global Mode mls qos map (cos-dp <dp1..dp8> | dscp-dscp <in-dscp Set the priority mapping for QoS, list> to <out-dscp> | dscp-intp <in-dscp list> to <intp> | the no command restores the default dscp-dp <in-dscp list>...
  • Page 187 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration When QoS is enabled in Global Mode, the egress queue bandwidth proportion of port ethernet1/0/1 is 1:1:2:2:4:4:8:8. When packets carrying a CoS value come in through port ethernet1/0/1, they are mapped to the queue out according to the CoS value; CoS values 0 to 7 correspond to queue out 1, 2, 3, 4, 5, 6, 7, 8 respectively.
  • Page 188: Qos Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration
      Switch(Config-PolicyMap-p1)#exit
      Switch(config)#interface ethernet 1/0/1
      Switch(Config-If-Ethernet1/0/1)#service-policy input p1
    QoS configuration in Switch2:
      Switch#config
      Switch(config)#interface ethernet 1/0/1
      Switch(Config-If-Ethernet1/0/1)#mls qos trust cos
    26.4 QoS Troubleshooting • trust cos and exp can be used with other trust or Policy Map.
  • Page 189 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration [Flowchart; recoverable steps: MPLS packet (*0), IP packet, tag packet, trust DSCP, set the packet COS as the default COS (*4), COS-to-Int-Prio and COS-to-Drop-Prec conversion according to the packet COS value (*5)]
  • Page 190 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration [Flowchart; recoverable steps: whether the policing policy is configured; decide the color and action according to the policy; drop or pass the packet; select one or several options of the following: Set COS: Set L2 COS field of the packet...]
  • Page 191 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration [Flowchart; recoverable steps: for an MPLS packet, remark the EXP field of the packet according to the Int-Prio-to-EXP mapping (*0); remark the DSCP and L2 COS fields of the packet according to the Int-Prio-to-DSCP and Int-Prio-to-COS mappings (*1); select queue according to Int-...]
  • Page 192 SNR S2940-8G-v2 Switch Configuration Guide QoS Configuration [Figure 26.8: Typical QoS topology. Labels: Server, QoS Area, Switch1, Switch2, Switch3, Trunk]
  • Page 193: Flow-Based Redirection

    SNR S2940-8G-v2 Switch Configuration Guide Flow-based Redirection Chapter 27 Flow-based Redirection 27.1 Introduction to Flow-based Redirection The flow-based redirection function enables the switch to transmit the data frames meeting some special condition (specified by ACL) to another specified port. The frames meeting the same special condition are called a class of flow, the ingress port of the data frame is called the source port of redirection, and the specified egress port is called the destination port of redirection.
  • Page 194: Flow-Based Redirection Examples

    SNR S2940-8G-v2 Switch Configuration Guide Flow-based Redirection 2. Check the current flow-based redirection configuration. Command | Explanation (Global Mode/Admin Mode): show flow-based-redirect { interface [ethernet <IFNAME> | <IFNAME>] }: Display the information of current flow-based redirection in the system/port. 27.3 Flow-based Redirection Examples...
  • Page 195: Flexible Qinq Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Flexible QinQ Configuration Chapter 28 Flexible QinQ Configuration 28.1 Introduction to Flexible QinQ 28.1.1 QinQ Technique Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an expansion of 802.1Q. Its dominating idea is encapsulating the customer VLAN tag (CVLAN tag) to the service provider VLAN tag (SPVLAN tag).
  • Page 196 SNR S2940-8G-v2 Switch Configuration Guide Flexible QinQ Configuration 2. Create flexible QinQ policy-map to relate with the class-map and set the corresponding operation 3. Bind flexible QinQ policy-map to port 4. Show flexible QinQ policy-map bound to port 1. Configure class map...
  • Page 197: Flexible Qinq Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Flexible QinQ Configuration 4. Show flexible QinQ policy-map bound to port Command Explanation Admin mode show interface Show flexible QinQ configuration on the port. [<interface-id>] } 28.3 Flexible QinQ Troubleshooting If flexible QinQ policy can not be bound to the port, please check whether the problem is caused by the following reasons: •...
  • Page 198: L3 Forward And Arp Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part VI L3 Forward and ARP Configuration...
  • Page 199: Layer 3 Management Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Layer 3 Management Configuration Chapter 29 Layer 3 Management Configuration The switch only supports Layer 2 forwarding, but a Layer 3 management port can be configured for the communication of all kinds of management protocols based on IP protocol.
  • Page 200: Ip Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Layer 3 Management Configuration 2. Configure VLAN interface description Command Explanation VLAN Interface Mode description <text> Configure the description information of VLAN interface. no description The no command will cancel the description information of VLAN interface.
  • Page 201 SNR S2940-8G-v2 Switch Configuration Guide Layer 3 Management Configuration takes out header checksum, thus expedites the processing speed of basic IPv6 header. In IPv6 header, fragment field can be shown as an optional extended field, so that data packets fragmentation process won't be done in router forwarding process, and Path MTU Discovery Mechanism collaborates with data packet source which enhances the processing efficiency of router.
  • Page 202 SNR S2940-8G-v2 Switch Configuration Guide Layer 3 Management Configuration 1. Configure the IPv4 address of three-layer interface Command Explanation VLAN Interface Configuration Mode ip address <ip-address> <mask> Configure IP address of VLAN interface; the no ip ad- [secondary] dress [<ip-address> <mask>] command cancels IP ad- no ip address [<ip-address>...
  • Page 203: Ipv6 Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Layer 3 Management Configuration 2. IPv6 Neighbor Discovery Configuration (a) Configure DAD Neighbor solicitation Message number. Command | Explanation (Interface Configuration Mode): ipv6 nd dad attempts <value> / no ipv6 nd dad attempts: Set the neighbor query message number sent in sequence when the interface makes duplicate address detection.
  • Page 204 SNR S2940-8G-v2 Switch Configuration Guide Layer 3 Management Configuration Static route is mainly used in the following two conditions: 1) in stable networks to reduce load of route selection and routing data streams. For example, static route can be used in route to STUB network.
  • Page 205 SNR S2940-8G-v2 Switch Configuration Guide Layer 3 Management Configuration SwitchA SwitchC SwitchB VLAN2: VLAN2: VLAN1: VLAN1: 10.1.2.1 10.1.2.2 10.1.3.2 10.1.3.1 VLAN1: VLAN3: VLAN2: 10.1.1.1 10.1.5.1 10.1.4.1 PC-A: 10.1.1.2 PC-C: 10.1.5.2 PC-B: 10.1.4.2 Figure 29.1: Static Route Configurations Configuration steps: Configuration of layer3 SwitchA Switch#config Switch(config)#ip route 10.1.5.0 255.255.255.0 10.1.2.2...
  • Page 206: Arp

    SNR S2940-8G-v2 Switch Configuration Guide Layer 3 Management Configuration 29.4 ARP 29.4.1 Introduction to ARP ARP (Address Resolution Protocol) is mainly used to resolve IP address to Ethernet MAC address. Switch supports both dynamic ARP and static ARP configuration. 29.4.2 ARP Configuration Task List ARP Configuration Task List: 1.
  • Page 207: Arp Scanning Prevention Function Configuration

    SNR S2940-8G-v2 Switch Configuration Guide ARP Scanning Prevention Function Configuration Chapter 30 ARP Scanning Prevention Function Configuration 30.1 Introduction to ARP Scanning Prevention Function ARP scanning is a common method of network attack. In order to detect all the active hosts in a network segment, the attack source will broadcast lots of ARP messages in the segment, which will take up a large part of the bandwidth of the network.
  • Page 208 SNR S2940-8G-v2 Switch Configuration Guide ARP Scanning Prevention Function Configuration 4. Configure trusted IP 5. Configure automatic recovery time 6. Display relative information of debug information and ARP scanning 1. Enable the ARP Scanning Prevention function. Command Explanation Global configuration mode...
  • Page 209: Arp Scanning Prevention Typical Examples

    SNR S2940-8G-v2 Switch Configuration Guide ARP Scanning Prevention Function Configuration 6. Display relative information of debug information and ARP scanning. Command | Explanation (Global configuration mode): anti-arpscan log enable / no anti-arpscan log enable: Enable or disable the log function of ARP scanning prevention.
  • Page 210: Arp Scanning Prevention Troubleshooting Help

    SNR S2940-8G-v2 Switch Configuration Guide ARP Scanning Prevention Function Configuration
      SwitchA(Config-If-Ethernet1/0/2)#exit
      SwitchA(config)#interface ethernet1/0/19
      SwitchA(Config-If-Ethernet1/0/19)#anti-arpscan trust supertrust-port
      SwitchA(Config-If-Ethernet1/0/19)#exit
    SWITCH B configuration task sequence:
      SwitchB(config)#anti-arpscan enable
      SwitchB(config)#interface ethernet1/0/1
      SwitchB(Config-If-Ethernet1/0/1)#anti-arpscan trust port
      SwitchB(Config-If-Ethernet1/0/1)#exit
    30.4 ARP Scanning Prevention Troubleshooting Help • ARP scanning prevention is disabled by default. After enabling ARP scanning prevention,...
  • Page 211: Prevent Arp Spoofing Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Prevent ARP Spoofing Configuration Chapter 31 Prevent ARP Spoofing Configuration 31.1 Overview 31.1.1 ARP (Address Resolution Protocol) Generally speaking, the ARP (RFC-826) protocol is mainly responsible for mapping an IP address to the relevant 48-bit physical address, that is, the MAC address; for instance, the IP address is 192.168.0.1 and the network card MAC address is f8-f0-82-FD-1D-2B.
  • Page 212: Prevent Arp Spoofing Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Prevent ARP Spoofing Configuration packets so that the switch makes mistakes when transferring packets, which affects the whole network. Or the switches are exploited by malicious attackers, who intercept and capture packets transferred by switches or attack other switches, host computers or network equipment.
  • Page 213: Prevent Arp Spoofing Example

    SNR S2940-8G-v2 Switch Configuration Guide Prevent ARP Spoofing Configuration 31.3 Prevent ARP Spoofing Example Switch Figure 31.1: Prevent ARP spoofing configuration example Equipment Explanation Equipment Configuration Quality switch IP:192.168.2.4; mac: 00-00-00-00-00-04 IP:192.168.2.1; mac: 00-00-00-00-00-01 IP:192.168.1.2; mac: 00-00-00-00-00-02 IP:192.168.2.3; mac: 00-00-00-00-00-03 some There is a normal communication between B and C on above diagram.
  • Page 214: Arp Guard Configuration

    SNR S2940-8G-v2 Switch Configuration Guide ARP Guard Configuration Chapter 32 ARP Guard Configuration 32.1 Introduction to ARP Guard There is a serious security vulnerability in the design of the ARP protocol: any network device can send ARP messages to advertise the mapping relationship between IP address and MAC address.
  • Page 215: Arp Guard Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide ARP Guard Configuration that adopting FREE RESOURCE related accessing scheme. Please refer to relative documents for details. 32.2 ARP Guard Configuration Task List 1. Configure the protected IP address Command Explanation Port configuration mode arp-guard ip <addr>...
  • Page 216: Gratuitous Arp Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Gratuitous ARP Configuration Chapter 33 Gratuitous ARP Configuration 33.1 Introduction to Gratuitous ARP Gratuitous ARP is a kind of ARP request that is sent by the host with its IP address as the destination of the ARP request.
  • Page 217: Gratuitous Arp Configuration Example

    SNR S2940-8G-v2 Switch Configuration Guide Gratuitous ARP Configuration 2. Display configurations about gratuitous ARP Command Explanation Admin Mode and Configuration Mode show ip gratuitous-arp [interface To display configurations about gratuitous ARP. vlan <1-4094>] 33.3 Gratuitous ARP Configuration Example Switch Interface vlan 1 Interface vlan 10 192.168.14.254/24...
  • Page 218: Dhcp Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part VII DHCP Configuration...
  • Page 219: Dhcp Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DHCP Configuration Chapter 34 DHCP Configuration 34.1 Introduction to DHCP DHCP [RFC2131] is the acronym for Dynamic Host Configuration Protocol. It is a protocol that assigns IP address dynamically from the address pool as well as other network configuration parameters such as default gateway, DNS server, and default route and host image file position within the network.
  • Page 220: Dhcp Server Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DHCP Configuration 4. The DHCP server selected by the client sends a DHCPACK packet and the client gets an IP address and other network configuration parameters. The above four steps finish a Dynamic host configuration assignment process. However, if the...
  • Page 221 SNR S2940-8G-v2 Switch Configuration Guide DHCP Configuration 2. Configure DHCP Address pool (a) Create/Delete DHCP Address pool Command Explanation Global Mode ip dhcp pool <name> Configure DHCP Address pool. The no operation no ip dhcp pool <name> cancels the DHCP Address pool.
  • Page 222: Dhcp Relay Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DHCP Configuration Global Mode ip dhcp excluded-address <low-address> Exclude the addresses in the address pool that [<high-address>] are not for dynamic allocation. dhcp excluded-address <low- address> [<high-address>] (c) Configure manual DHCP address pool parameters Command...
  • Page 223 SNR S2940-8G-v2 Switch Configuration Guide DHCP Configuration As shown in the above figure, the DHCP client and the DHCP server are in different networks, the DHCP client performs the four DHCP steps as usual yet DHCP relay is added to the process.
  • Page 224: Dhcp Configuration Examples

    SNR S2940-8G-v2 Switch Configuration Guide DHCP Configuration Command | Explanation (Global Mode): dhcp relay share-vlan <vlanid> sub-vlan <vlanlist> / no dhcp relay share-vlan: Create or delete share-vlan and its sub-vlan. 34.4 DHCP Configuration Examples Scenario 1: To save configuration efforts of network administrators and users, a company is using switch as a DHCP server.
  • Page 225 SNR S2940-8G-v2 Switch Configuration Guide DHCP Configuration
      Switch(config)#ip dhcp pool A1
      Switch(dhcp-A1-config)#host 10.16.1.210
      Switch(dhcp-A1-config)#hardware-address 00-03-22-23-dc-ab
      Switch(dhcp-A1-config)#exit
    Usage Guide: When a DHCP/BOOTP client is connected to a VLAN1 port of the switch, the client can only get its address from 10.16.1.0/24 instead of 10.16.2.0/24. This is because the broadcast packet from the client will be requesting the IP address in the same segment of the VLAN interface after VLAN interface forwarding, and the VLAN interface IP address is 10.16.1.2/24,...
  • Page 226: Dhcp Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide DHCP Configuration Note: It is recommended to use the combination of command ip forward-protocol udp <port> and ip helper-address <ipaddress>. ip helper-address can only be configured for ports on layer 3 and cannot be configured on layer 2 ports directly.
  • Page 227: Dhcpv6 Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 Configuration Chapter 35 DHCPv6 Configuration 35.1 Introduction to DHCPv6 DHCPv6 [RFC3315] is the IPv6 version for Dynamic Host Configuration Protocol (DHCP). It is a protocol that assigns IPv6 address as well as other network configuration parameters such as DNS address, and domain name to DHCPv6 client; DHCPv6 is a conditional auto address configuration protocol relative to IPv6.
  • Page 228: Dhcpv6 Server Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 Configuration a SOLICIT packet to all the DHCP relay delegation and server with broadcast address as FF02::1:2. 2. Any DHCP server which receives the request will reply to the client with an ADVERTISE message, which includes the identity of the server - DUID, and its priority.
  • Page 229 SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 Configuration 1. To enable/disable DHCPv6 service Command Explanation Global Mode service dhcpv6 To enable DHCPv6 service. no service dhcpv6 2. To configure DHCPv6 address pool (a) To achieve/delete DHCPv6 address pool Command Explanation Global Mode ipv6 dhcp pool <poolname>...
  • Page 230: Dhcpv6 Relay Delegation Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 Configuration 35.3 DHCPv6 Relay Delegation Configuration DHCPv6 relay delegation configuration task list as below: 1. To enable/disable DHCPv6 service 2. To configure DHCPv6 relay delegation on port 1. To enable DHCPv6 service Command Explanation...
  • Page 231 SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 Configuration 1. To enable/delete DHCPv6 service Command Explanation Global Mode service dhcpv6 To enable DHCPv6 service. no service dhcpv6 2. To configure prefix delegation pool Command Explanation Global Mode ipv6 local pool <poolname> To configure prefix delegation pool.
  • Page 232: Dhcpv6 Prefix Delegation Client Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 Configuration (d) To configure other parameter of DHCPv6 address pool Command Explanation DHCPv6 address pool Configuration Mode dns-server <ipv6-address> To configure DNS server address for DHCPv6 client. no dns-server <ipv6-address> domain-name <domain-name> To configure domain name for DHCPv6 client.
  • Page 233: Dhcpv6 Configuration Examples

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 Configuration 35.6 DHCPv6 Configuration Examples Example 1: When deploying IPv6 networking, the switch can be configured as DHCPv6 server in order to manage the allocation of IPv6 addresses. Both the state and the stateless DHCPv6 are supported.
  • Page 234: Dhcpv6 Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 Configuration
      Switch2(Config-if-Vlan10)#exit
      Switch2(config)#interface vlan 100
      Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64
      Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra
      Switch2(Config-if-Vlan100)#ipv6 nd managed-config-flag
      Switch2(Config-if-Vlan100)#ipv6 nd other-config-flag
      Switch2(Config-if-Vlan100)#exit
    Switch1 configuration:
      Switch1(config)#service dhcpv6
      Switch1(config)#interface vlan 1
      Switch1(Config-if-Vlan1)#ipv6 address 2001:da8:100:1::2/64
      Switch1(Config-if-Vlan1)#ipv6 dhcp relay destination 2001:da8:10:1::1
    35.7 DHCPv6 Troubleshooting...
  • Page 235: Dhcp Option 82 Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DHCP option 82 Configuration Chapter 36 DHCP option 82 Configuration 36.1 Introduction to DHCP option 82 DHCP option 82 is the Relay Agent Information Option, its option code is 82. DHCP option 82 is aimed at strengthening the security of DHCP servers and improving the IP address configuration policy.
  • Page 236 SNR S2940-8G-v2 Switch Configuration Guide DHCP option 82 Configuration SubOpt Sub-option Value SubOpt Sub-option Value Len: the number of bytes in Sub-option Value, not including the two bytes in SubOpt segment and Len segment. 36.1.2 DHCP option 82 Working Mechanism DHCP Request DHCP Request + Opt.82...
  • Page 237: Dhcp Option 82 Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide DHCP option 82 Configuration 36.2 DHCP option 82 Configuration Task List 1. Enabling the DHCP option 82 of the Relay Agent 2. Configure the DHCP option 82 attributes of the interface 3. Enable the DHCP option 82 of server 4.
  • Page 238 SNR S2940-8G-v2 Switch Configuration Guide DHCP option 82 Configuration Global Mode ip dhcp relay information option Set the suboption2 (remote ID option) content of option 82 remote-id { standard | <remote- added by DHCP request packets (They are received by the id>...
  • Page 239: Dhcp Option 82 Application Examples

    SNR S2940-8G-v2 Switch Configuration Guide DHCP option 82 Configuration ip dhcp relay information option self-defined remote-id format [ascii | hex]: Set self-defined format of remote-id for relay option82. ip dhcp relay information option self-defined subscriber-id { ...: Set creation method for option82; users can define the parameters of circuit-id suboption by themselves.
  • Page 240 SNR S2940-8G-v2 Switch Configuration Guide DHCP option 82 Configuration that whether the DHCP client is from the network connected to Switch1 or Switch2. So, all the PC terminals connected to Switch1 and Switch2 will get addresses from the public address pool of the DHCP server.
  • Page 241: Dhcp Option 82 Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide DHCP option 82 Configuration max-lease-time 86400; #24 Hours allow members of "Switch3Vlan2Class2"; Now, the DHCP server will allocate addresses for the network nodes from Switch1 which are relayed by Switch3 within the range of 192.168.102.21 ∼ 192.168.102.50, and allocate addresses for the network nodes from Switch1 within the range of 192.168.102.51 ∼...
  • Page 242: Dhcp Option 60 And Option 43

    SNR S2940-8G-v2 Switch Configuration Guide DHCP option 60 and option 43 Chapter 37 DHCP option 60 and option 43 37.1 Introduction to DHCP option 60 and option 43 The DHCP server analyzes DHCP packets from the DHCP client. If a packet carries option 60, the server decides whether option 43 is returned to the DHCP client according to option 60 of the packet and the configuration of option 60 and option 43 in the DHCP server address pool.
  • Page 243: Dhcpv6 Option 60 And Option 43 Example

    SNR S2940-8G-v2 Switch Configuration Guide DHCP option 60 and option 43 option 43 ip A.B.C.D Configure option 43 character string with IP format in ip dhcp pool mode. no option 60 Delete the configured option 60 in the address pool mode.
  • Page 244: Dhcpv6 Option37

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 option37, 38 Chapter 38 DHCPv6 option37, 38 38.1 Introduction to DHCPv6 option37, 38 DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for IPv6 address scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts.
  • Page 245: Dhcpv6 Option37, 38 Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 option37, 38 38.2 DHCPv6 option37, 38 Configuration Task List 1. Dhcpv6 snooping option basic functions configuration 2. Dhcpv6 relay option basic functions configuration 3. Dhcpv6 server option basic functions configuration 1.DHCPv6 snooping option basic functions configuration...
  • Page 246 SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 option37, 38 ipv6 dhcp snooping subscriber- Configures user configuration options generate id select (sp | sv | pv | spv) de- subscriber-id. The no command restores to its original limiter WORD (delimiter WORD default configuration, i.e.
  • Page 247 SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 option37, 38 ipv6 dhcp relay subscriber-id <subscriber-id> / no ipv6 dhcp relay subscriber-id: This command is used to set the form of adding option 38 in received DHCPv6 request packets, of which <subscriber-id> is the content of subscriber-id in user-defined option 38 and it is a string with a length of less than 128.
  • Page 248: Dhcpv6 Option37, 38 Examples

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 option37, 38 address range <start-ip> <end-ip> / no address range <start-ip> <end-ip>: This command is used to set address range for a DHCPv6 class in DHCPv6 address pool configuration mode, the no command is used to remove the address range. The pre-...
  • Page 249 SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 option37, 38 Switch B configuration:
      SwitchB(config)#service dhcpv6
      SwitchB(config)#ipv6 dhcp server remote-id option
      SwitchB(config)#ipv6 dhcp server subscriber-id option
      SwitchB(config)#ipv6 dhcp pool EDP
      SwitchB(dhcpv6-edp-config)#network-address 2001:da8:100:1::2 2001:da8:100:1::1000
      SwitchB(dhcpv6-edp-config)#dns-server 2001::1
      SwitchB(dhcpv6-edp-config)#domain-name dhcpv6.com
      SwitchB(dhcpv6-edp-config)#excluded-address 2001:da8:100:1::2
      SwitchB(dhcpv6-edp-config)#exit
      SwitchB(config)#
      SwitchB(config)#ipv6 dhcp class CLASS1...
  • Page 250: Dhcpv6 Option37, 38 Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide DHCPv6 option37, 38 for IPv6 address allocation if special server is used for uniform allocation and management for IPv6 address. DHCPv6 server supports both stateful and stateless DHCPv6. Network topology: In access layer, layer2 access device Switch1 connects users in dormitory; in first-level aggregation layer, aggregation device Switch2 is used as DHCPv6 relay agent;...
  • Page 251: Dhcp Snooping Configuration

    SNR S2940-8G-v2 Switch Configuration Guide DHCP Snooping Configuration Chapter 39 DHCP Snooping Configuration 39.1 Introduction to DHCP Snooping DHCP Snooping means that the switch monitors the IP-getting process of DHCP CLIENT via DHCP protocol. It prevents DHCP attacks and illegal DHCP SERVER by setting trust ports and untrust ports.
  • Page 252: Dhcp Snooping Configuration Task Sequence

    SNR S2940-8G-v2 Switch Configuration Guide DHCP Snooping Configuration communication between the switch and the inner network security management system TrustView uses private messages. And the users can encrypt those messages of version 2. Add authentication option82 Function: It is used with dot1x dhcpoption82 authentication mode.
  • Page 253 SNR S2940-8G-v2 Switch Configuration Guide DHCP Snooping Configuration 2. Enable DHCP Snooping binding. Command | Explanation (Global mode): ip dhcp snooping binding enable / no ip dhcp snooping binding enable: Enable or disable the DHCP snooping binding function. 3. Enable DHCP Snooping binding ARP function...
  • Page 254 SNR S2940-8G-v2 Switch Configuration Guide DHCP Snooping Configuration 9. Enable DHCP SNOOPING binding DOT1X function. Command | Explanation (Port mode): ip dhcp snooping binding dot1x / no ip dhcp snooping binding dot1x: Enable or disable the DHCP snooping binding dot1x function. 10. Enable or disable the DHCP SNOOPING binding USER function...
  • Page 255 SNR S2940-8G-v2 Switch Configuration Guide DHCP Snooping Configuration 15. Configure DHCP Snooping option 82 attributes Command Explanation Global mode dhcp snooping information option This command is used to set subscriber-id format subscriber-id format { hex | acsii | vs-hp } of DHCP snooping option82.
  • Page 256: Dhcp Snooping Typical Application

    SNR S2940-8G-v2 Switch Configuration Guide DHCP Snooping Configuration 39.3 DHCP Snooping Typical Application [Figure 39.1: Sketch Map of TRUNK. Labels: Switch, ports E1/0/1, E1/0/10 and E1/0/12, DHCP Client, DHCP Server, DHCPACK stopped, IP: 1.1.1.5 MAC: AA, IP: 1.1.1.6 MAC: BB] As shown in the figure above, the Mac-AA device is the normal user, connected to the non-trusted port 1/0/1 of the switch.
  • Page 257: Multicast Protocol

    SNR S2940-8G-v2 Switch Configuration Guide Part VIII Multicast Protocol...
  • Page 258: Ipv4 Multicast Protocol

    SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol Chapter 40 IPv4 Multicast Protocol 40.1 IPv4 Multicast Protocol Overview This chapter will give an introduction to the configuration of IPv4 Multicast Protocol. 40.1.1 Introduction to Multicast Various transmission modes can be adopted when the destination of packet (including data, sound and video) transmission is the minority users in the network.
  • Page 259 SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol 40.1.2 Multicast Address The destination address of Multicast message uses class D IP address with range from 224.0.0.0 to 239.255.255.255. D class address can not appear in the source IP address field of an IP message.
  • Page 260: Dcscm

    SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol IANA (Internet Assigned Number Authority) that the higher 25 bits in the multicast MAC address are 0x01005e, and the lower 23 bits in the MAC address are the lower 23 bits of the multicast IP address. Since only 23 bits out of the lower 28 bits of the IP multicast address are mapped into the MAC address, there are 32 IP multicast addresses which are mapped into the same MAC address.
  • Page 261: Dcscm Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol Priority Strategy Multicast. The Multicast Packet Source Controllable technology of Security Controllable Multicast technology is mainly processed in the following manners: 1. On the edge switch, if source under-control multicast is configured, then only multicast data from specified group of specified source can pass.
  • Page 262 SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol Once a configured rule is matched, the rules that follow it do not take effect, so global permit rules must be put at the end. The commands are as follows: Command Explanation Global Configuration Mode [no] access-list <5000-5099>...
  • Page 263 SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol The last is to configure the rule to specified source IP, source VLAN MAC or specified port. It is noticeable that, due to the above situations, these rules can only be used globally in enabling IGMP-SNOOPING.
  • Page 264: Igmp Snooping

    SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol 2. Destination Control We want to limit users with address in 10.0.0.0/8 network segment from entering the group of 238.0.0.0/8, so we can make the following configuration: Firstly enable IGMP snooping in the VLAN it is located (Here it is assumed to be in VLAN2)
  • Page 265: Igmp Snooping Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol IGMP Snooping is also referred to as IGMP listening. The switch uses IGMP Snooping to prevent multicast traffic from flooding: multicast traffic is forwarded only to ports associated with multicast devices. The switch listens to the IGMP messages between the multicast router and hosts, maintains a multicast group forwarding table based on the listening result, and then decides how to forward multicast packets according to the forwarding table.
  • Page 266 SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol
      Command: ip igmp snooping vlan <vlan-id> l2-general-querier-source <source>
      Explanation: Configure the source address of a general query from a layer 2 general querier.
      Command: ip igmp snooping vlan <vlan-id> mrouter-port interface <interface-name>...
      Explanation: Configure static mrouter port of vlan. The no form...
  • Page 267: Igmp Snooping Examples

    SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol ip igmp snooping vlan <vlan-id> specific- Configure the maximum query response time of query-mrsp <value> the specific group or source, the no command re- no ip igmp snooping vlan <vlan-id> specific- stores the default value.
  • Page 268 SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol Scenario 2: L2-general-querier [Figure 40.2: The switches as IGMP Queries. Labels: Multicast Server (Group 1, Group 2); Switch A (IGMP Snooping, L2 general querier); Switch B (IGMP Snooping)] The configuration of Switch2 is the same as the switch in scenario 1, SwitchA takes the place of Multicast Router in scenario 1.
  • Page 269: Igmp Snooping Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide IPv4 Multicast Protocol IGMP snooping does not distribute entries when layer 3 multicast protocol is enabled. It only does the following tasks. • Remove the layer 2 multicast entries. • Provide query functions to the layer 3 with vlan, S, and G as the parameters.
  • Page 270: Ipv6 Multicast Protocol

    SNR S2940-8G-v2 Switch Configuration Guide IPv6 Multicast Protocol Chapter 41 IPv6 Multicast Protocol 41.1 IPv6 DCSCM 41.2 MLD Snooping 41.2.1 Introduction to MLD Snooping MLD, the Multicast Listener Discovery Protocol, is used to realize multicasting in IPv6. MLD is used by network equipment such as routers which support multicast for multicast listener...
  • Page 271 SNR S2940-8G-v2 Switch Configuration Guide IPv6 Multicast Protocol 2. Configure MLD Snooping
      Mode: Global Mode
      Command: ipv6 mld snooping vlan <vlan-id>
      Command: no ipv6 mld snooping vlan <vlan-id>
      Explanation: Enable MLD Snooping on specific VLAN. The 'no' form of this command disables MLD Snooping on specific VLAN.
  • Page 272: Mld Snooping Examples

    SNR S2940-8G-v2 Switch Configuration Guide IPv6 Multicast Protocol
      Command: ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME>...
      Explanation: Configure static-group on specified port of the VLAN. The no form of the command cancels this...
  • Page 273 SNR S2940-8G-v2 Switch Configuration Guide IPv6 Multicast Protocol program 1 while the host connected to port 10 playing program 2, and the one to port 12 playing program 3. MLD Snooping interception results: The multicast table on vlan 100 shows: port 1, 2, 6 are in (Multicasting Server 1, Group1),...
  • Page 274: Mld Snooping Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide IPv6 Multicast Protocol Multicast configuration: Same as scenario 1 MLD Snooping interception results: Same as scenario 1 41.2.4 MLD Snooping Troubleshooting In configuring and using MLD Snooping, the MLD Snooping server may fail to run properly due to physical connection failure, wrong configuration, etc.
  • Page 275: Multicast Vlan

    SNR S2940-8G-v2 Switch Configuration Guide Multicast VLAN Chapter 42 Multicast VLAN 42.1 Introductions to Multicast VLAN With the current multicast ordering method, when users in different VLANs place orders, each VLAN copies the multicast traffic within that VLAN, which is a great waste of bandwidth. By configuring the multicast VLAN, we add the switch port to the multicast VLAN; with the IGMP Snooping/MLD Snooping functions enabled, users from different VLANs share the same multicast VLAN.
  • Page 276: Multicast Vlan Examples

    SNR S2940-8G-v2 Switch Configuration Guide Multicast VLAN 2. Configure the IGMP Snooping
      Mode: Global Mode
      Command: ip igmp snooping vlan <vlan-id>
      Command: no ip igmp snooping vlan <vlan-id>
      Explanation: Enable the IGMP Snooping function on the multicast VLAN. The no form of this command disables the IGMP Snooping...
  • Page 277 SNR S2940-8G-v2 Switch Configuration Guide Multicast VLAN
      SwitchA(config)#interface vlan 20
      SwitchA(Config-if-Vlan20)#ip pim dense-mode
      SwitchA(Config-if-Vlan20)#exit
      SwitchA(config)#ip pim multicast
      SwitchA(config)#interface ethernet1/0/10
      SwitchA(Config-If-Ethernet1/0/10)#switchport mode trunk
      SwitchB#config
      SwitchB(config)#vlan 20
      SwitchB(config)#vlan 100
      SwitchB(config)#vlan 101
      SwitchB(config)#interface ethernet 1/0/20
      SwitchB(config-If-Ethernet)#switchport access vlan 101
      SwitchB(config-If-Ethernet)#exit
      SwitchB(config)#interface ethernet 1/0/15...
  • Page 278: Security Function Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part IX Security Function Configuration...
  • Page 279: Acl Configuration

    SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration Chapter 43 ACL Configuration 43.1 Introduction to ACL ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access to the switches, effectively safeguarding the security of networks.
  • Page 280: Acl Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration 43.1.3 Access-list Action and Global Default Action There are two access-list actions and default actions: 'permit' or 'deny'. The following rules apply: • An access-list can consist of several rules. Filtering of packets compares packet conditions to the rules, from the first rule to the first matched rule;...
  • Page 281 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration (l) Configuring a standard IPv6 access-list based on nomenclature i. Create a standard IPv6 access-list based on nomenclature ii. Specify multiple permit or deny rule entries iii. Exit ACL Configuration Mode (m) Configuring an extended IPv6 access-list based on nomenclature.
  • Page 282 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration
      Command: access-list <num> { deny | permit } igmp { { <sIpAddr> <sMask> } | any-source | { host-source <sIpAddr> } } { { <dIpAddr> <dMask>...
      Explanation: Creates a numbered IGMP extended IP access rule; if the numbered extended...
  • Page 283 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration ii. Specify multiple 'permit' or 'deny' rules
      Mode: Standard IP ACL Mode
      Command: [no] { deny | permit } { { <sIpAddr> <sMask> } | any-source | { host-source <sIpAddr> } }
      Explanation: Creates a standard name-based IP access rule;...
  • Page 284 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration
      Command: [no] { deny | permit } tcp { { <sIpAddr> <sMask> } | any-source | { host-source <sIpAddr> } } [s-port { <sPort>...
      Explanation: Creates an extended name-based TCP IP access rule; the no form command deletes...
  • Page 285 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration (f) Creates a numbered MAC extended access-list
      Mode: Global Mode
      Command: access-list<num> { deny | permit } { any-source-mac | { host-source-mac<host_smac> } | { <smac><smac-mask>...
      Explanation: Creates a numbered MAC extended access-list, if the access-list already...
  • Page 286 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration
      Command: [no] { deny | permit } { any-source-mac | { host-source-mac<host_smac> } | { <smac><smac-mask> } } { any-destination-mac | { host-destination-mac<host_dmac> } | {...
      Explanation: Creates an extended name-based MAC access rule matching untagged ethernet 2 frame;...
  • Page 287 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration
      Command: access-list<num> { deny | permit } { any-source-mac | { host-source-mac<host_smac> } | { <smac><smac-mask> } } { any-destination-mac | { host-destination-mac <host_dmac>...
      Explanation: Creates a numbered mac-igmp extended mac-ip access rule; if...
  • Page 288 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration (i) Configuring an extended MAC-IP access-list based on nomenclature i. Create an extended MAC-IP access-list based on nomenclature
      Mode: Global Mode
      Command: mac-ip-access-list extended <name>
      Command: no mac-ip-access-list extended <name>...
      Explanation: Creates an extended name-based MAC-IP...
  • Page 289 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration
      Command: [no] { deny | permit } { any-source-mac | { host-source-mac<host_smac> } | { <smac><smac-mask> } } { any-destination-mac | { host-destination-mac <host_dmac> } | { <dmac><dmac-mask>...
      Explanation: Creates an extended name-based MAC-UDP access rule; the no form command deletes...
  • Page 290 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration (k) Configuring a numbered extended IPv6 access-list
      Mode: Global Mode
      Command: ipv6 access-list <num-ext> { deny | permit } icmp { { <sIPv6Prefix/sPrefixlen> } | any-source | { host-source <sIPv6Addr>...
      Explanation: Creates a numbered extended IPv6 access-list, if the access-...
  • Page 291 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration iii. Exit name-based standard IP ACL configuration mode
      Mode: Standard IPv6 ACL Mode
      Command: exit
      Explanation: Exits name-based standard IPv6 ACL configuration mode.
    (m) Configuring a name-based extended IPv6 access-list i. Create an extended IPv6 access-list based on nomenclature...
  • Page 292 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration
      Command: [no] deny permit <proto> <sIPv6Prefix/sPrefixlen> any-source host-source <sIPv6Addr> <dIPv6Prefix/dPrefixlen> | any-destination |
      Explanation: Creates an extended name-based IPv6 access rule for other IPv6 protocols; the no form command deletes this name-based extended IPv6 access rule.
  • Page 293 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration (b) Configure periodic time range
      Mode: Time range Mode
      Command: absolute-periodic { Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday } <start_time> to { Monday |...
      Explanation: Configure the time range for the...
  • Page 294: Acl Example

    SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration 43.3 ACL Example Scenario 1: The user has the following configuration requirement: port 10 of the switch connects to 10.0.0.0/24 segment, ftp is not desired for the user. Configuration description: 1. Create a proper ACL 2.
  • Page 295 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration
      Switch(config)#access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
      Switch(config)#access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any tagged-802
      Switch(config)#firewall enable
      Switch(config)#firewall default permit
      Switch(config)#interface ethernet1/0/10
      Switch(Config-If-Ethernet1/0/10)#mac access-group 1100 in
      Switch(Config-If-Ethernet1/0/10)#exit
      Switch(config)#exit
    Configuration result:
      Switch#show firewall
      Firewall Status: Enable.
  • Page 296 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration
      Switch(config)#firewall default permit
      Switch(config)#interface ethernet 1/0/10
      Switch(Config-If-Ethernet1/0/10)#mac-ip access-group 3110 in
      Switch(Config-Ethernet1/0/10)#exit
      Switch(config)#exit
    Configuration result:
      Switch#show firewall
      Firewall Status: Enable.
      Firewall Default Rule: Permit.
      Switch#show access-lists
      access-list 3110(used 1 time(s))
      access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21...
  • Page 297: Acl Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration
      Switch#show firewall
      Firewall Status: Enable.
      Firewall Default Rule: Permit.
      Switch#show ipv6 access-lists
      Ipv6 access-list 600(used 1 time(s))
      ipv6 access-list 600 deny 2003:1:1:1::0/64 any-source
      ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-source
      Switch #show access-group interface ethernet 1/0/10
      interface name:Ethernet1/0/10
      IPv6 Ingress access-list used is 600, traffic-statistics Disable.
  • Page 298 SNR S2940-8G-v2 Switch Configuration Guide ACL Configuration • Default rule will be used only if no ACL is bound to the incoming direction of the port, or no ACL entry is matched. Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL, one IPv6 standard ACL (via the physical interface mode or Vlan interface mode).
  • Page 299: Self-Defined Acl Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Self-defined ACL Configuration Chapter 44 Self-defined ACL Configuration 44.1 Introduction to Self-defined ACL ACL (Access Control Lists) is a packet filtering mechanism implemented by the switch, providing network access control by granting or denying access to the switches, effectively safeguarding the security of networks.
  • Page 300: Self-Defined Acl Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Self-defined ACL Configuration start of L4 header. Every swindow can specify an offset from 0 to 31 in units of 2 bytes, namely, 0 means a 0-byte offset and 1 means a 2-byte offset; every lwindow can specify an offset from 0 to 15 in units of 4 bytes, namely, 0 means a 0-byte offset and 1 means a 4-byte offset.
  • Page 301 SNR S2940-8G-v2 Switch Configuration Guide Self-defined ACL Configuration (a) Configure standard user-defined ACL template (b) Configure extended user-defined ACL template 2. Configure user-defined ACL (a) Configure standard user-defined ACL (b) Configure extended user-defined ACL 3. Bind user-defined ACL to specified port 4.
  • Page 302 SNR S2940-8G-v2 Switch Configuration Guide Self-defined ACL Configuration 2. Configure user-defined ACL (a) Configure standard user-defined ACL
      Mode: Global Mode
      Command: userdefined-access-list standard <num> {deny | permit} {any-source-mac | { host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac...
      Explanation: Create a numbered standard self-defined ACL. If...
  • Page 303: Self-Defined Acl Example

    SNR S2940-8G-v2 Switch Configuration Guide Self-defined ACL Configuration 4. Bind user-defined ACL to specified VLAN
      Mode: Global Mode
      Command: [no] vacl userdefined access-group <name> {in} vlan <vlanId> [traffic-statistic]
      Explanation: Apply userdefined-access-list to one direction of the specified VLAN, decide whether the statistical counter should be added to the ACL according to the options.
  • Page 304 SNR S2940-8G-v2 Switch Configuration Guide Self-defined ACL Configuration 1. Create a self-defined ACL template according to condition 2. Create a corresponding self-defined ACL 3. Bind the self-defined ACL to the port The configuration steps are listed below: Switch(config)#userdefined-access-list standard offset window1 l3start 6...
  • Page 305: 802.1X Configuration

    SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration Chapter 45 802.1x Configuration 45.1 Introduction to 802.1x The 802.1x protocol originates from the 802.11 protocol, the wireless LAN protocol of IEEE, which is designed to provide a solution for authenticating users when they access a wireless LAN. The...
  • Page 306 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration [Figure 45.1: The Authentication Structure of 802.1x. Blocks: Supplicant system (Supplicant PAE); Authenticator system (Authenticator PAE, services offered by Authenticator's system, port unauthorized); Authentication server system (Authentication server); EAP protocol exchanges carried in higher layer protocol; LAN / WLAN] •...
  • Page 307: The Encapsulation Of Eapol Messages

    SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration 3. Controlled direction In unauthenticated status, controlled ports can be set as unidirectional controlled or bi-directionally controlled. • When the port is bi-directionally controlled, the sending and receiving of all frames is forbidden.
  • Page 308 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration [Figure 45.3: the Format of EAPOL Data Packet. Fields: PAE Ethernet Type | Protocol Version | Type | Length | Packet Body] PAE Ethernet Type: Represents the type of the protocol whose value is 0x888E. Protocol Version: Represents the version of the protocol supported by the sender of EAPOL data packets.
  • Page 309: The Encapsulation Of Eap Attributes

    SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration [Figure 45.4: the Format of EAP Data Packets. Fields: Code | Identifier | Length | Data] [Figure 45.5: the Format of Data Domain in Request and Response Packets. Labels: Code, Identifier] Identifier: to assist matching the Request and Response messages.
  • Page 310 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration Message-Authenticator should be included in the packets containing the EAP-Message attribute, or the packet will be dropped as an invalid one. [Figure 45.7: Message-Authenticator Attribute. Fields: Type | Length | String; 18 bytes] 45.1.5 The Authentication Methods of 802.1x The authentication can either be started by supplicant system initiatively or by devices.
  • Page 311 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration [Figure 45.8: the Protocol Stack of EAP Authentication Method. Layers shown: 802.1x/EAPOL over 802.3 Ethernet, 802.5 Token ring, 802.11 Wireless] • The switch, as the access controlling unit of Pass-through, will not check the content of a particular EAP method, so can support all the EAP methods above and all the EAP authentication methods that may be extended in the future.
  • Page 312 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration RADIUS Supplicant EAPOL Authenticator EAPOR server System PAE EAPOL-Start EAP-Request/Identity RADIUS Access-Request EAP-Response/Identity (EAP-Response/Identity) RADIUS Access-Challenge EAP-Request/MD5 Challenge (EAP-Request/MD5 Challenge) RADIUS Access-Request EAP-Response/MD5 Challenge (EAP-Response/MD5 Challenge) RADIUS Access-Accept EAP-Success (EAP-Success) Port authorized Expiry of the handshake timer...
  • Page 313 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration Supplicant Authenticator RADIUS EAPOL EAPOR System PAE server EAPOL-Start EAP-Request/Identity RADIUS Access-Request EAP-Response/Identity (EAP-Response/Identity) RADIUS Access-Challenge EAP-Request/EAP-TLS Start (EAP-Request/EAP-TLS Start) RADIUS Access-Request EAP-Response/EAP-TLS client_hello (EAP-Response/EAP-TLS client_hello) RADIUS Access-Challenge EAP-Response/EAP-TLS: (EAP-Response/EAP-TLS: TLS server_hello, TLS certificate,...
  • Page 314: The Features Of Vlan Allocation

    SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration RADIUS Supplicant EAPOL Authenticator EAPOR server System PAE EAPOL-Start EAP-Request/Identity RADIUS Access-Request EAP-Response/Identity (EAP-Response/Identity) RADIUS Access-Challenge EAP-Request/PEAP Start (EAP-Request/PEAP Start) TLS Channel Established RADIUS Access-Request EAP-Response(Empty) EAP-Response(Empty) RADIUS Access-Challenge EAP-Request/MD5 Challenge (EAP-Request/MD5 Challenge)
  • Page 315 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration RADIUS Supplicant EAPOL Authenticator RADIUS server System PAE EAPOL-Start EAP-Request/Identity EAP-Response/Identity EAP-Request/MD5 Challenge EAP-Response/MD5 Challenge RADIUS Access-Request (CHAP-Response/MD5 Challenge) RADIUS Access-Accept (CHAP-Success) EAP-Success Port authorized Expiry of the handshake timer Handshake request packet...
  • Page 316: Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration The access device will add the port into Guest VLAN if there is no supplicant getting authenticated successfully in a certain stretch of time because of lacking exclusive authentication supplicant system or the version of the supplicant system being too low.
  • Page 317 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration 2. Access management unit property configuration (a) Configure port authentication status
      Mode: Port Mode
      Command: dot1x port-control { auto | force-authorized | force-unauthorized }
      Explanation: Sets the 802.1x authentication mode; the no command restores the default setting.
  • Page 318 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration
      Command: dot1x eapor enable
      Command: no dot1x eapor enable
      Explanation: Enables the EAP relay authentication function in the switch; the no command sets EAP local end authentication.
    (d) Configure the max user number
      Mode: Global Configuration Mode
      Command: user-control limit <count>...
  • Page 319: Application Example

    SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration 45.3 802.1x Application Example 45.3.1 Examples of Guest Vlan Applications [Figure 45.13: The Network Topology of Guest VLAN. Labels: Update Server, Authenticator Server, Switch, Internet, User; ports E1/2, E1/3, E1/6; VLAN2, VLAN5, VLAN10] Notes: in the figures in this section, E2 means Ethernet 1/0/2, E3 means Ethernet 1/0/3 and E6 means Ethernet 1/0/6.
  • Page 320 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration [Figure 45.14: User Joining Guest VLAN. Labels: Update Server, Authenticator Server, Switch, Internet, User; ports E1/2, E1/3, E1/6; VLAN2, VLAN5, VLAN10]
      # Create VLAN100.
      Switch(config)#vlan 100
      # Enable the global 802.1x function
      Switch(config)#dot1x enable
      # Enable the 802.1x function on port Ethernet1/0/2...
  • Page 321: Examples Of Ipv4 Radius Applications

    SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration [Figure 45.15: User Being Online, VLAN Being Offline. Labels: Update Server, Authenticator Server, Switch, Internet, User; ports E1/2, E1/3, E1/6; VLAN2, VLAN5, VLAN10] are sent than the upper limit defined, users can check whether the Guest VLAN configured on the port takes effect with the command show vlan id 100.
  • Page 322 SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration
      Switch(config)#interface vlan 1
      Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
      Switch(Config-if-vlan1)#exit
      Switch(config)#radius-server authentication host 10.1.1.3
      Switch(config)#radius-server accounting host 10.1.1.3
      Switch(config)#radius-server key test
      Switch(config)#aaa enable
      Switch(config)#aaa-accounting enable
      Switch(config)#dot1x enable
      Switch(config)#interface ethernet 1/0/2
      Switch(Config-Ethernet1/0/2)#dot1x enable
      Switch(Config-Ethernet1/0/2)#dot1x port-control auto
      Switch(Config-Ethernet1/0/2)#exit
    45.3.3 Examples of IPv6 Radius Application...
  • Page 323: Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide 802.1x Configuration
      Switch(config)#interface ethernet 1/0/2
      Switch(Config-If-Ethernet1/0/2)#dot1x enable
      Switch(Config-If-Ethernet1/0/2)#dot1x port-control auto
      Switch(Config-If-Ethernet1/0/2)#exit
    45.4 802.1x Troubleshooting It is possible that 802.1x is configured on ports and 802.1x authentication is set to auto, but the switch can't reach the authenticated state after the user runs the 802.1x supplicant software. Here are some possible causes and solutions: •...
  • Page 324: The Number Limitation Function Of Mac And Ip In Port, Vlan Configuration

    SNR S2940-8G-v2 Switch Configuration Guide The Number Limitation Function of MAC and IP in Port, VLAN Configuration Chapter 46 The Number Limitation Function of MAC and IP in Port, VLAN Configuration 46.1 Introduction to the Number Limitation Function of MAC...
  • Page 325: The Number Limitation Function Of Mac And Ip In Port, Vlan Configuration Task Sequence

    SNR S2940-8G-v2 Switch Configuration Guide The Number Limitation Function of MAC and IP in Port, VLAN Configuration malicious users frequently do MAC or ARP cheating, it will be easy for them to fill the MAC and ARP list entries of the switch, causing successful DOS attacks.
  • Page 326 SNR S2940-8G-v2 Switch Configuration Guide The Number Limitation Function of MAC and IP in Port, VLAN Configuration
      Command: switchport arp dynamic maximum <value>
      Command: no switchport arp dynamic maximum
      Explanation: Enable and disable the number limitation function of ARP on the ports.
      Command: switchport nd dynamic maximum <value>...
      Explanation: Enable and disable the number limitation function of...
  • Page 327: The Number Limitation Function Of Mac And Ip In Port, Vlan Typical Examples

    SNR S2940-8G-v2 Switch Configuration Guide The Number Limitation Function of MAC and IP in Port, VLAN Configuration
      Command: show nd-dynamic count { vlan <vlan-id> | interface ethernet <portName> }
      Explanation: Display the number of dynamic NEIGHBOUR in corresponding ports and VLAN.
  • Page 328: The Number Limitation Function Of Mac And Ip In Port, Vlan Troubleshooting Help

    SNR S2940-8G-v2 Switch Configuration Guide The Number Limitation Function of MAC and IP in Port, VLAN Configuration On port 1/0/1 of SWITCH A, set the maximum number of dynamic MAC addresses that can be learnt to 20, of dynamic ARP addresses to 20, and of NEIGHBOR list entries to 10. In VLAN 1, set the maximum number of dynamic MAC addresses to 30, of dynamic ARP addresses to 30, and of NEIGHBOR list entries to 20.
  • Page 329: Operational Configuration Of Am Function

    SNR S2940-8G-v2 Switch Configuration Guide Operational Configuration of AM Function Chapter 47 Operational Configuration of AM Function 47.1 Introduction to AM Function AM (Access Management) means that when a switch receives an IP or ARP message, it will compare the information extracted from the message (such as source IP address or source MAC-IP address) with the configured hardware address pool.
  • Page 330 SNR S2940-8G-v2 Switch Configuration Guide Operational Configuration of AM Function 1. Enable AM function
      Mode: Global Mode
      Command: am enable
      Command: no am enable
      Explanation: Globally enable or disable AM function.
    2. Enable AM function on an interface
      Mode: Port Mode
      Command: am port
      Explanation: Enable/disable AM function on the port....
  • Page 331: Am Function Example

    SNR S2940-8G-v2 Switch Configuration Guide Operational Configuration of AM Function 47.3 AM Function Example [Figure 47.1: a typical configuration example of AM function. Labels: SWITCH, Port 1, Port 2, HUB 1, HUB 2] In the topology above, 30 PCs, aggregated by HUB1, connect to interface1 on the switch.
  • Page 332: Security Feature Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Security Feature Configuration Chapter 48 Security Feature Configuration 48.1 Introduction to Security Feature Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, which is a simple but effective destructive attack on the internet. The server under DoS attack will drop normal user data packets due to non-stop processing of the attacker’s...
  • Page 333 SNR S2940-8G-v2 Switch Configuration Guide Security Feature Configuration 48.2.3 Anti Port Cheat Function Configuration Task Sequence 1. Enable the anti port cheat function
      Mode: Global mode
      Command: [no] dosattack-check srcport-equal-dstport enable
      Explanation: Enable/disable the prevent-port-cheat function.
    48.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence 1....
  • Page 334: Security Feature Example

    SNR S2940-8G-v2 Switch Configuration Guide Security Feature Configuration 48.3 Security Feature Example Scenario: The user has the following configuration requirements: the switch does not forward data packets whose source IP address is equal to the destination address, and those whose source port is equal to the destination port.
  • Page 335: Tacacs+ Configuration

    SNR S2940-8G-v2 Switch Configuration Guide TACACS+ Configuration Chapter 49 TACACS+ Configuration 49.1 Introduction to TACACS+ TACACS+ (terminal access controller access control protocol) is a protocol similar to the RADIUS protocol for controlling terminal access to the network. Three independent functions of Authentication, Authorization, Accounting are also available in this protocol.
  • Page 336: Tacacs+ Scenarios Typical Examples

    SNR S2940-8G-v2 Switch Configuration Guide TACACS+ Configuration 2. Configure TACACS+ server
      Mode: Global Mode
      Command: tacacs-server authentication host <ip-address> [ port <port-number> ] [ timeout <seconds>...
      Explanation: Configure the IP address, listening port number, the value of timeout timer and the key string of the...
  • Page 337: Tacacs+ Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide TACACS+ Configuration
      Switch(config)#interface vlan 1
      Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
      Switch(Config-if-vlan1)#exit
      Switch(config)#tacacs-server authentication host 10.1.1.3
      Switch(config)#tacacs-server key test
      Switch(config)#authentication line vty login tacacs
    49.4 TACACS+ Troubleshooting When configuring and using TACACS+, TACACS+ authentication may fail due to reasons such as physical connection failure or wrong configuration.
  • Page 338: Radius Configuration

    SNR S2940-8G-v2 Switch Configuration Guide RADIUS Configuration Chapter 50 RADIUS Configuration 50.1 Introduction to RADIUS 50.1.1 AAA and RADIUS Introduction AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for managing the network safely. According to the three functions of Authentication, Autho-...
  • Page 339 SNR S2940-8G-v2 Switch Configuration Guide RADIUS Configuration Code field (1 octet): the type of the RADIUS packet. Available values for the Code field are shown below: Access-Request, Access-Accept, Access-Reject, Accounting-Request, Accounting-Response, Access-Challenge. Identifier field (1 octet): Identifier for the request and answer packets.
  • Page 340: Radius Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide RADIUS Configuration fields. • Value field, value of the attribute whose content and format is determined by the type and length of the attribute. 50.2 RADIUS Configuration Task List 1. Enable the authentication and accounting function 2.
  • Page 341: Radius Typical Examples

    SNR S2940-8G-v2 Switch Configuration Guide RADIUS Configuration radius-server accounting host { <ipv4-address> | Specifies the IPv4/IPv6 address and the <ipv6-address> } [port <port-number>] [key { 0 | port number, whether be primary server 7 } <string>] [primary] for RADIUS accounting server; the no no radius-server accounting host { <ipv4-...
  • Page 342 SNR S2940-8G-v2 Switch Configuration Guide RADIUS Configuration
    [Figure 50.2: The Topology of IEEE802.1x configuration; labels: 10.1.1.2, 10.1.1.1, RADIUS Server 10.1.1.3]
    Switch(config)#radius-server accounting host 10.1.1.3
    Switch(config)#radius-server key test
    Switch(config)#aaa enable
    Switch(config)#aaa-accounting enable
    50.3.2 IPv6 Radius Example
    [Figure 50.3: The Topology of IPv6 Radius configuration; labels: 2004:1:2:3::2, 2004:1:2:3::1, RADIUS Server 2004:1:2:3::3]
    A computer connects to a switch, of which the IP address is 2004:1:2:3::2 and connected with a RADIUS authentication server without Ethernet1/0/2;...
  • Page 343: Radius Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide RADIUS Configuration 50.4 RADIUS Troubleshooting In configuring and using RADIUS, RADIUS authentication may fail due to reasons such as physical connection failure or wrong configurations. The user should ensure the following: • First, make sure the physical connection to the RADIUS server is in good condition •...
  • Page 344: Ssl Configuration

    SNR S2940-8G-v2 Switch Configuration Guide SSL Configuration Chapter 51 SSL Configuration 51.1 Introduction to SSL As computer networking technology spreads, network security has an increasingly important impact on the availability and usability of networked applications. Network security has become one of the greatest barriers of modern networking applications.
  • Page 345: Ssl Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide SSL Configuration the other program in sequence, packet loss and re-forwarding will not appear. A lot of transmission protocols can provide such kind of service in theory, but in actual application, SSL almost always runs on TCP, and does not run on UDP or IP directly.
  • Page 346: Ssl Typical Example

    SNR S2940-8G-v2 Switch Configuration Guide SSL Configuration 2. Configure/delete port number by SSL used Command Explanation Global Mode ip http secure-port <port-number> Configure port number by SSL used, the 'no ip http no ip http secure-port secure-port' command deletes the port number.
  • Page 347 SNR S2940-8G-v2 Switch Configuration Guide SSL Configuration • If a port number has been configured, the default port number is not used; pay attention to the port number when entering the web address; • If SSL is enabled, SSL should be restarted after changes to the port configuration and encryption configuration;...
  • Page 348: Ipv6 Security Ra Configuration

    SNR S2940-8G-v2 Switch Configuration Guide IPv6 Security RA Configuration Chapter 52 IPv6 Security RA Configuration 52.1 Introduction to IPv6 Security RA In IPv6 networks, the network topology is generally composed of routers, layer-two switches and IPv6 hosts. Routers usually advertise RA, including link prefix, link MTU and other information; when IPv6 hosts receive an RA, they create a link address and set the default router to the one sending the RA in order to implement IPv6 network communication.
  • Page 349: Ipv6 Security Ra Typical Examples

    SNR S2940-8G-v2 Switch Configuration Guide IPv6 Security RA Configuration 3. Display and debug the relative information of IPv6 security RA Command Explanation Admin Mode debug ipv6 security-ra Enable the debug information of IPv6 security RA mod- no debug ipv6 security-ra ule, the no operation of this command will disable the output of debug information of IPv6 security RA.
  • Page 350: Mab Configuration

    SNR S2940-8G-v2 Switch Configuration Guide MAB Configuration Chapter 53 MAB Configuration 53.1 Introduction to MAB In actual networks there are devices that cannot install an authentication client, such as printers and PDA devices, so they cannot perform 802.1x authentication. However, to access network resources, they need to use MAB authentication in place of 802.1x authentication.
  • Page 351 SNR S2940-8G-v2 Switch Configuration Guide MAB Configuration (d) Configure the offline detection time (e) Configure other parameters 1. Enable MAB function Command Explanation Global Mode mac-authentication-bypass enable Enable the global MAB authentication function. no mac-authentication-bypass enable Port Mode mac-authentication-bypass enable Enable the port MAB authentication function.
  • Page 352: Mab Example

    SNR S2940-8G-v2 Switch Configuration Guide MAB Configuration mac-authentication-bypass timeout linkup-period To obtain IP again, set the interval of <0-30> down/up when MAB binding is changing no mac-authentication-bypass timeout linkup- into VLAN. period mac-authentication-bypass spoofing-garp-check Enable the spoofing-garp-check function, enable MAB function will not deal with spoofing- no mac-authentication-bypass spoofing-garp- garp any more;...
  • Page 353 SNR S2940-8G-v2 Switch Configuration Guide MAB Configuration function. Ethernet 1/3 is an access port, connects to the printer and enables MAB function. Ethernet 1/4 is a trunk port, connects to Switch2. Ethernet 1/4 is a trunk port of Switch2, connects to Switch1.
  • Page 354: Mab Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide MAB Configuration 53.4 MAB Troubleshooting If any problem occurs when using the MAB function, please check whether it is caused by the following reasons: • Make sure the global and port MAB functions are enabled;...
  • Page 355: Pppoe Intermediate Agent Configuration

    SNR S2940-8G-v2 Switch Configuration Guide PPPoE Intermediate Agent Configuration Chapter 54 PPPoE Intermediate Agent Configuration 54.1 Introduction to PPPoE Intermediate Agent 54.1.1 Brief Introduction to PPPoE PPPoE (Point to Point Protocol over Ethernet) is a protocol that applies the PPP protocol to Ethernet.
  • Page 356 SNR S2940-8G-v2 Switch Configuration Guide PPPoE Intermediate Agent Configuration PADO (PPPoE Active Discovery Offer) packet to client according to the received source MAC address of PADI packet, the packet will carry the server name and service name. 3. Client sends PADR packet: The third step, client selects a server to process the session according to the received PADO packet.
  • Page 357 SNR S2940-8G-v2 Switch Configuration Guide PPPoE Intermediate Agent Configuration PPPoE Packet Format PPPoE packet format is as follows: Ethernet II frame Destination MAC Source MAC Type Field PPPoE Data CRC Check Sum PPPoE Data Version Type Code Session ID Length Field...
  • Page 358 SNR S2940-8G-v2 Switch Configuration Guide PPPoE Intermediate Agent Configuration PPPoE Intermediate Agent vendor tag Frame The following is the format of the tag added by PPPoE IA; adding the tag is the primary function of PPPoE IA. 0x0105 (Vendor-Specific) TAG_LENGTH 0x00000DE9 (3561 decimal, i.e. ADSL Forum IANA entry)
  • Page 359: Pppoe Intermediate Agent Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide PPPoE Intermediate Agent Configuration A PPPoE IA vendor tag cannot exist in PPPoE packets sent by the server to the client, so these vendor tags can be stripped and the packets forwarded if the tags exist in PPPoE packets. The strip function must be configured on a trust port; enabling the strip function does not take effect on an untrust port.
  • Page 360: Pppoe Intermediate Agent Typical Application

    SNR S2940-8G-v2 Switch Configuration Guide PPPoE Intermediate Agent Configuration pppoe intermediate-agent circuit-id <string> Set circuit-id of port. no pppoe intermediate-agent circuit-id pppoe intermediate-agent remote-id <string> Set remote-id of port. no pppoe intermediate-agent remote-id 54.3 PPPoE Intermediate Agent Typical Application PPPoE Intermediate Agent typical application is as follows:...
  • Page 361: Pppoe Intermediate Agent Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide PPPoE Intermediate Agent Configuration
    Switch(config)#pppoe intermediate-agent
    Step 2: Configure port ethernet1/0/1, which connects to the server, as trust port, and configure the vendor tag strip function.
    Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent trust
    Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent vendor-tag strip
    Step 3: Enable the PPPoE IA function on port ethernet1/0/2 of vlan1 and port ethernet1/0/3 of vlan 1234.
  • Page 362: Web Portal Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Web Portal Configuration Chapter 55 Web Portal Configuration 55.1 Introduction to Web Portal Authentication 802.1x authentication uses the special client to authenticate, the device uses the special layer 2 switch, the authentication server uses RADIUS server, the format of authentication message uses EAP protocol.
  • Page 363 SNR S2940-8G-v2 Switch Configuration Guide Web Portal Configuration 7. Delete the binding information of web portal authentication 1. Enable/disable web portal authentication globally Command Explanation Global Mode webportal enable Enable/disable web portal authentication no webportal enable globally. 2. Enable/disable web portal authentication of the port...
  • Page 364: Web Portal Authentication Typical Example

    SNR S2940-8G-v2 Switch Configuration Guide Web Portal Configuration 7. Delete the binding information of web portal authentication Command Explanation Admin Mode clear webportal binding { mac WORD | interface Delete the binding information of web portal <ethernet IFNAME | IFNAME> | } authentication.
  • Page 365: Web Portal Authentication Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Web Portal Configuration
    Switch(config-if-ethernet1/0/3)#webportal enable
    Web portal authentication is used in association with DHCP snooping binding; the configuration is as follows:
    Switch(config)#ip dhcp snooping enable
    Switch(config)#ip dhcp snooping binding enable
    Switch(config)#interface ethernet 1/0/2
    Switch(config-if-ethernet1/0/2)#webportal enable
    Switch(config-if-ethernet1/0/2)#ip dhcp snooping binding webportal
    55.4 Web Portal Authentication Troubleshooting...
  • Page 366: Vlan-Acl Configuration

    SNR S2940-8G-v2 Switch Configuration Guide VLAN-ACL Configuration Chapter 56 VLAN-ACL Configuration 56.1 Introduction to VLAN-ACL The user can apply an ACL policy to a VLAN to implement access control on all ports in the VLAN, and VLAN-ACL enables the user to manage the network conveniently. The user only needs to configure the ACL policy on the VLAN; the corresponding ACL action takes effect on all member ports of the VLAN, without needing to be configured separately on each member port.
  • Page 367 SNR S2940-8G-v2 Switch Configuration Guide VLAN-ACL Configuration 1. Configure VLAN-ACL of IP type Command Explanation Global mode vacl ip access-group { <1-299> | WORD } { in | Configure or delete IP VLAN-ACL. out } [traffic-statistic] vlan WORD no vacl ip access-group { <1-299> | WORD } { in | out } vlan WORD 2.
  • Page 368: Vlan-Acl Configuration Example

    SNR S2940-8G-v2 Switch Configuration Guide VLAN-ACL Configuration 56.3 VLAN-ACL Configuration Example A company's network configuration is as follows: all departments are divided by different VLANs, technique department is Vlan1, finance department is Vlan2. It is required that the technique department can access the outside network at timeout, but the finance department is not allowed to access the outside network at any time for the security.
  • Page 369: Vlan-Acl Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide VLAN-ACL Configuration
    Switch(config)#ip access-list extended vacl_b
    Switch(config-ip-ext-nacl-vacl_a)#permit ip any-source 192.168.1.0 0.0.0.255
    Switch(config-ip-ext-nacl-vacl_a)#deny ip any-source any-destination
    4) Apply the configuration to VLAN
    Switch(config)#vacl ip access-group vacl_a in vlan 1
    Switch(config)#vacl ip access-group vacl_b in vlan 2
    56.4 VLAN-ACL Troubleshooting...
  • Page 370: Savi Configuration

    SNR S2940-8G-v2 Switch Configuration Guide SAVI Configuration Chapter 57 SAVI Configuration 57.1 Introduction to SAVI SAVI (Source Address Validation Improvement) is a security authentication method that provides the granularity level of the node source address. It gets the trust node information (such as port,...
  • Page 371 SNR S2940-8G-v2 Switch Configuration Guide SAVI Configuration 9. Configure IPv6 address prefix for a link 10. Configure the filter entry number of IPv6 address 11. Configure the check mode for SAVI conflict binding 12. Enable or disable user authentication 13. Enable or disable DHCPv6 trust of port 14.
  • Page 372 SNR S2940-8G-v2 Switch Configuration Guide SAVI Configuration Command Explanation Global Mode savi max-dad-prepare-delay <max-dad-prepare- Configure the max redetection lifetime pe- delay> riod for SAVI binding, no command restores no savi max-dad-prepare-delay the default value. 6. Configure the global max-slaac-life for SAVI...
  • Page 373: Savi Typical Application

    SNR S2940-8G-v2 Switch Configuration Guide SAVI Configuration 11. Configure the check mode for SAVI conflict binding Command Explanation Global Mode savi check binding <simple | probe> mode Configure the check mode for the conflict no savi check binding mode binding, no command deletes the check mode.
  • Page 374: Savi Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide SAVI Configuration select the corresponding scene according to the actual requirement; in double stacks network, while SAVI function associates with IPv4 DHCP snooping to use, IPv4 and IPv6 source address authentication is implemented. Client 2...
  • Page 375 SNR S2940-8G-v2 Switch Configuration Guide SAVI Configuration • If node binding can not be set for the new user after enable SAVI function, please check whether the direct-link port configures the max binding number, and whether the binding number reaches to the max number. If the binding number exceeds the max binding limit, it is recommended to configure the bigger binding limit.
  • Page 376: Reliability Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part X Reliability Configuration...
  • Page 377: Mrpp Configuration

    SNR S2940-8G-v2 Switch Configuration Guide MRPP Configuration Chapter 58 MRPP Configuration 58.1 Introduction to MRPP MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol applied to Ethernet loop protection. It can avoid broadcast storms caused by data loops on an Ethernet ring, and restore communication among the nodes on the ring network when the Ethernet ring has a broken link.
  • Page 378: Mrpp Protocol Packet Types

    SNR S2940-8G-v2 Switch Configuration Guide MRPP Configuration Each MRPP ring has two states. Health state: the physical links of the whole ring network are connected. Break state: one or a few physical links in the ring network are broken. 3. nodes Each switch is called a node on Ethernet. A node has one of several types: Primary node: each ring has a primary node, it is the main node to detect and defend.
  • Page 379: Mrpp Protocol Operation System

    SNR S2940-8G-v2 Switch Configuration Guide MRPP Configuration LINK-UP-FLUSH_FDB packet: after the primary node detects that the ring has recovered from failure, it sends this packet from the primary port to inform each transfer node to refresh its own MAC address. 58.1.3 MRPP Protocol Operation System 1. Link Down Alarm System When a transfer node finds that one of its ports belonging to the MRPP ring is Down, it immediately sends a link Down packet to the primary node.
  • Page 380 SNR S2940-8G-v2 Switch Configuration Guide MRPP Configuration 2. Configure MRPP ring Command Explanation Global Mode mrpp ring <ring-id> Create MRPP ring. The 'no' command deletes no mrpp ring <ring-id> MRPP ring and its configuration. MRPP ring mode control-vlan <vid> Configure control VLAN ID, format 'no' deletes no control-vlan configured control VLAN ID.
  • Page 381: Mrpp Typical Scenario

    SNR S2940-8G-v2 Switch Configuration Guide MRPP Configuration 5. Display and debug MRPP relevant information Command Explanation Admin Mode debug mrpp Disable MRPP module debug information, format no debug mrpp 'no' disable MRPP debug information output. show mrpp { <ring-id> } Display MRPP ring configuration information.
  • Page 382 SNR S2940-8G-v2 Switch Configuration Guide MRPP Configuration
    Switch(mrpp-ring-4000)#node-mode master
    Switch(mrpp-ring-4000)#enable
    Switch(mrpp-ring-4000)#exit
    Switch(Config)#interface ethernet 1/0/1
    Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
    Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
    Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
    Switch(config-If-Ethernet1/0/2)#exit
    Switch(Config)#
    SWITCH B configuration Task Sequence:
    Switch(Config)#mrpp enable
    Switch(Config)#mrpp ring 4000
    Switch(mrpp-ring-4000)#control-vlan 4000
    Switch(mrpp-ring-4000)#enable...
  • Page 383: Mrpp Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide MRPP Configuration 58.4 MRPP Troubleshooting The normal operation of the MRPP protocol depends on correct configuration of each switch on the MRPP ring; otherwise a loop and broadcast storm are very likely to form: • When configuring an MRPP ring, it is best to disconnect the ring, wait until each switch is configured, then open the ring.
  • Page 384: Ulpp Configuration

    SNR S2940-8G-v2 Switch Configuration Guide ULPP Configuration Chapter 59 ULPP Configuration 59.1 Introduction to ULPP Each ULPP group has two uplink ports, they are master port and slave port. The port may be a physical port or a port channel. The member ports of ULPP group have three states: Forwarding, Standby, Down.
  • Page 385 SNR S2940-8G-v2 Switch Configuration Guide ULPP Configuration the master port preempt the slave port. For keeping the continuance of the flows, the master port does not process to preempt by default, but turns into the Standby state. When configuring ULPP, it needs to specify the VLAN which is protected by this ULPP group through the method of MSTP instances, and ULPP does not provide the protection to other VLANs.
  • Page 386: Ulpp Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide ULPP Configuration 59.2 ULPP Configuration Task List 1. Create ULPP group globally 2. Configure ULPP group 3. Show and debug the relating information of ULPP 1. Create ULPP group globally Command Explanation Global mode ulpp group <integer>...
  • Page 387: Ulpp Typical Examples

    SNR S2940-8G-v2 Switch Configuration Guide ULPP Configuration ulpp group <integer> master Configure or delete the master port of ULPP no ulpp group <integer> master group. ulpp group <integer> slave Configure or delete the slave port of ULPP no ulpp group <integer> slave group.
  • Page 388 SNR S2940-8G-v2 Switch Configuration Guide ULPP Configuration
    [Figure 59.3: ULPP typical example 1; labels: Switch A (E1/0/1, E1/0/2), Switch B (E1/0/1, E1/0/2), Switch C, Switch D]
    Switch(Config)#vlan 10
    Switch(Config-vlan10)#switchport interface ethernet 1/0/1; 1/0/2
    Switch(Config-vlan10)#exit
    Switch(Config)#spanning-tree mst configuration
    Switch(Config-Mstp-Region)#instance 1 vlan 10...
  • Page 389 SNR S2940-8G-v2 Switch Configuration Guide ULPP Configuration
    Switch(Config-vlan10)#switchport interface ethernet 1/0/2
    Switch(Config-vlan10)#exit
    Switch(Config)#interface ethernet 1/0/2
    Switch(config-If-Ethernet1/0/2)#ulpp flush enable mac
    Switch(config-If-Ethernet1/0/2)#ulpp flush enable arp
    Switch(config-If-Ethernet1/0/2)#ulpp control vlan 10
    59.3.2 ULPP Typical Example 2
    VLAN 1-100 E1/0/1 E1/0/1 Switch A Switch B...
  • Page 390: Ulpp Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide ULPP Configuration
    Switch(ulpp-group-1)#preemption mode
    Switch(ulpp-group-2)#exit
    Switch(Config)#interface ethernet 1/0/1
    Switch(config-If-Ethernet1/0/1)#switchport mode trunk
    Switch(config-If-Ethernet1/0/1)#ulpp group 1 master
    Switch(config-If-Ethernet1/0/1)#ulpp group 2 slave
    Switch(config-If-Ethernet1/0/1)#exit
    Switch(Config)#interface Ethernet 1/0/2
    Switch(config-If-Ethernet1/0/2)#switchport mode trunk
    Switch(config-If-Ethernet1/0/2)#ulpp group 1 slave
    Switch(config-If-Ethernet1/0/2)#ulpp group 2 master
    Switch(config-If-Ethernet1/0/2)#exit...
  • Page 391: Ulsm Configuration

    SNR S2940-8G-v2 Switch Configuration Guide ULSM Configuration Chapter 60 ULSM Configuration 60.1 Introduction to ULSM ULSM (Uplink State Monitor) is used to process the port state synchronization. Each ULSM group is made up of the uplink port and the downlink port, both the uplink port and the downlink port may be multiple.
  • Page 392: Ulsm Configuration Task List

    SNR S2940-8G-v2 Switch Configuration Guide ULSM Configuration causes Switch A on which ULPP is configured to process uplink switchover and avoid the data dropped. 60.2 ULSM Configuration Task List 1. Create ULSM group globally 2. Configure ULSM group 3. Show and debug the relating information of ULSM 1.
  • Page 393 SNR S2940-8G-v2 Switch Configuration Guide ULSM Configuration
    [Figure 60.2: ULSM typical example; labels: Switch A, Switch B, Switch C, Switch D, E1/0/1, E1/0/1, E1/0/2, E1/0/3, E1/0/2, E1/0/4]
    Switch(Config)#spanning-tree mst configuration
    Switch(Config-Mstp-Region)#instance 1 vlan 1
    Switch(Config-Mstp-Region)#exit
    Switch(Config)#ulpp group 1
    Switch(ulpp-group-1)#protect vlan-reference-instance 1...
  • Page 394: Ulsm Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide ULSM Configuration 60.4 ULSM Troubleshooting With the normal configuration, if the downlink port does not responds the down event of the uplink port, please enable the debug function of ULSM, copy the debug information of 3 minutes and the...
  • Page 395: Flow Monitor Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part XI Flow Monitor Configuration...
  • Page 396: Mirror Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Mirror Configuration Chapter 61 Mirror Configuration 61.1 Introduction to Mirror Mirror functions include port mirror function, CPU mirror function, flow mirror function. Port mirror refers to the duplication of data frames sent/received on a port to another port.
  • Page 397: Mirror Examples

    SNR S2940-8G-v2 Switch Configuration Guide Mirror Configuration 2. Specify mirror source port (CPU) Command Explanation Global Mode monitor session <session> source { interface Specifies mirror source port; the no com- <interface-list> | cpu [slot <slotnum> ] } { rx | tx mand deletes mirror source port.
  • Page 398: Device Mirror Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide Mirror Configuration 61.4 Device Mirror Troubleshooting If problems occur on configuring port mirroring, please check the following first for causes: • Whether the mirror destination port is a member of a TRUNK group or not, if yes, modify the TRUNK group.
  • Page 399: Sflow Configuration

    SNR S2940-8G-v2 Switch Configuration Guide sFlow Configuration Chapter 62 sFlow Configuration 62.1 Introduction to sFlow sFlow (RFC 3176) is a protocol, based on standard network export, for monitoring network traffic information, developed by the InMon Company. The monitored switch or router sends data to the client analyzer through its main operations such as sampling and statistics, and the analyzer then analyzes the data according to user requirements in order to monitor the network.
  • Page 400 SNR S2940-8G-v2 Switch Configuration Guide sFlow Configuration 2. Configure the sFlow proxy address Command Explanation Global Mode sflow agent-address <collector- Configure the source IP address applied by the sFlow proxy; address> the no form of the command deletes this address.
  • Page 401: Sflow Examples

    SNR S2940-8G-v2 Switch Configuration Guide sFlow Configuration 8. Configure the analyzer used by sFlow Command Explanation Global Mode sflow analyzer sflowtrend Configure the analyzer used by sFlow, the no command no sflow analyzer sflowtrend deletes the analyzer. 62.3 sFlow Examples Switch Figure 62.1: sFlow configuration topology...
  • Page 402: Sflow Troubleshooting

    SNR S2940-8G-v2 Switch Configuration Guide sFlow Configuration 62.4 sFlow Troubleshooting In configuring and using sFlow, the sFlow server may fail to run properly due to physical connection failure, wrong configuration, etc. The user should ensure the following: • Ensure the physical connection is correct •...
  • Page 403: Network Time Management Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Part XII Network Time Management Configuration...
  • Page 404: Sntp Configuration

    SNR S2940-8G-v2 Switch Configuration Guide SNTP Configuration Chapter 63 SNTP Configuration 63.1 Introduction to SNTP The Network Time Protocol (NTP) is widely used for clock synchronization for global computers connected to the Internet. NTP can assess packet sending/receiving delay in the network, and estimate the computer's clock deviation independently, so as to achieve high accuracy in network computer clocking.
  • Page 405: Ntp Function Configuration

    SNR S2940-8G-v2 Switch Configuration Guide NTP Function Configuration Chapter 64 NTP Function Configuration 64.1 Introduction to NTP Function NTP (Network Time Protocol) synchronizes timekeeping across WAN and LAN among distributed time servers and clients, and can achieve millisecond precision. The introduction of event, state, transmit function and action are defined in RFC-1305.
  • Page 406 SNR S2940-8G-v2 Switch Configuration Guide NTP Function Configuration 1. To enable NTP function Command Explanation Global mode ntp enable To enable or disable NTP function. ntp disable 2. To configure NTP server function Command Explanation Global mode ntp server { <ip-address> | <ipv6-address> } [ver- To enable the specified time server of time sion <version_no>] [key <key-id>]...
  • Page 407 SNR S2940-8G-v2 Switch Configuration Guide NTP Function Configuration Command Explanation VLAN Configuration Mode [no] ntp broadcast client To (un)configure specified interface to receive NTP broad- cast packets. [no] ntp multicast client To (un)configure specified interface to receive NTP multicast packets.
  • Page 408: Typical Examples Of Ntp Function

    SNR S2940-8G-v2 Switch Configuration Guide NTP Function Configuration 64.3 Typical Examples of NTP Function A client switch wants to synchronize time with a time server in the network. There are two time servers in the network: one is used as host, the other is used as standby. The connection and configuration are as follows (Switch A and Switch B are the switches or routers which support NTP server): Switch A IP: 192.168.1.11...
  • Page 409: Summer Time Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Summer Time Configuration Chapter 65 Summer Time Configuration 65.1 Introduction to Summer Time Summer time is also called daylight saving time, it is a time system for saving energy sources. In summer the time is advanced 1 hour to keep early hours, reduce the lighting, so as to save electrolighting.
  • Page 410: Examples Of Summer Time

    SNR S2940-8G-v2 Switch Configuration Guide Summer Time Configuration 65.3 Examples of Summer Time Example 1: The configuration requirement is as follows: summer time runs from 23:00 on April 1st, 2012 to 00:00 on October 1st, 2012, the clock offset is 1 hour, and the summer time is named 2012.
  • Page 411: Debugging And Diagnosis

    SNR S2940-8G-v2 Switch Configuration Guide Part XIII Debugging and Diagnosis...
  • Page 412: Monitor And Debug

    SNR S2940-8G-v2 Switch Configuration Guide Monitor and Debug Chapter 66 Monitor and Debug When users configure the switch, they need to verify whether the configurations are correct and the switch is operating as expected, and in the event of network failure, they also need to diagnose the problem.
  • Page 413: Traceroute6

    SNR S2940-8G-v2 Switch Configuration Guide Monitor and Debug Traceroute Options and explanations of the parameters of the Traceroute command please refer to traceroute command chapter in the command manual. 66.4 Traceroute6 The Traceroute6 function is used on testing the gateways passed through by the data packets from the source equipment to the destination equipment, to verify the accessibility and locate the network failure.
  • Page 414: Debug

    SNR S2940-8G-v2 Switch Configuration Guide Monitor and Debug
    show switchport interface [ethernet <IFNAME>]: Display the VLAN port mode and the belonging VLAN number of the switch as well as the Trunk port information.
    show tcp, show tcp ipv6: Display the TCP connection status established currently on the switch.
  • Page 415 SNR S2940-8G-v2 Switch Configuration Guide Monitor and Debug • Assign a proper log buffer zone inside the switch, for record the log information permanently or temporarily • Configure the log host, the log system will directly send the log information to the log host,...
  • Page 416: System Log Configuration

    SNR S2940-8G-v2 Switch Configuration Guide Monitor and Debug • Restart the switch, mission abnormal, hot plug on the CHASSIS switch chips are classified critical • Up/down interface, topology change, aggregate port state change of the interface are notifications warnings •...
  • Page 417 SNR S2940-8G-v2 Switch Configuration Guide Monitor and Debug logging loghost sequence-number Add the loghost sequence-number for the log, no logging loghost sequence-number the no command does not include the loghost sequence-number. 3. Enable/disable the log executed-commands Command Explanation Global Mode...
  • Page 418: Reload Switch After Specified Time

    SNR S2940-8G-v2 Switch Configuration Guide Reload Switch after Specified Time Chapter 67 Reload Switch after Specified Time 67.1 Introduction to Reload Switch after Specified Time Reload switch after specified time reboots the switch, without shutting down its power, after a specified period of time, usually when updating the switch version.
  • Page 419: Debugging And Diagnosis For Packets Received And Sent By Cpu

    SNR S2940-8G-v2 Switch Configuration Guide Debugging and Diagnosis for Packets Received and Sent by CPU Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU 68.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU The following commands are used to debug and diagnose the packets received and sent by CPU, and are supposed to be used with the help of the technical support.
  • Page 420 SNR S2940-8G-v2 Switch Configuration Guide Debugging and Diagnosis for Packets Received and Sent by CPU debug driver { receive | send } [ interface Turn on the showing of the CPU receiving or { <interface-name> | all } ] [ protocol { sending packet informations.
