S4600 - 3.1.1 - Configuration Guide

This document describes configuration and management of switches, including basic management options like CLI and SNMP configuration, file system management, cluster configuration, and layer 2 services configuration. Layer 2 services covered include port, VLAN, STP, and other protocols configuration. The document provides overview, configuration instructions, examples, and troubleshooting steps for each topic.

Uploaded by Hadrian1

Content

CONTENT .................................................................................. 1-1

CHAPTER 1 BASIC MANAGEMENT CONFIGURATION ......... 1-1

1.1 SWITCH MANAGEMENT ........................................................................1-1

1.1.1 Management Options .............................................................................1-1


1.1.2 CLI Interface ..........................................................................................1-10

1.2 BASIC SWITCH CONFIGURATION ......................................................... 1-15

1.2.1 Basic Configuration ..............................................................................1-15


1.2.2 Telnet Management ...............................................................................1-16
1.2.3 Configure Switch IP Addresses ...........................................................1-20
1.2.4 SNMP Configuration .............................................................................1-21
1.2.5 Switch Upgrade .....................................................................................1-28

1.3 FILE SYSTEM .................................................................................... 1-38

1.3.1 Introduction to File Storage Devices ..................................................1-38


1.3.2 File System Operation Configuration Task List ..................................1-38
1.3.3 Typical Applications..............................................................................1-39
1.3.4 Troubleshooting ....................................................................................1-40

1.4 CLUSTER .......................................................................................... 1-40

1.4.1 Introduction to Cluster Network Management ...................................1-40


1.4.2 Cluster Network Management Configuration Sequence ..................1-41
1.4.3 Examples of Cluster Administration ...................................................1-44
1.4.4 Cluster Administration Troubleshooting ............................................1-44

CHAPTER 2 LAYER 2 SERVICES CONFIGURATION .............. 2-1

2.1 PORT CONFIGURATION ........................................................................2-1

2.1.1 Introduction to Port.................................................................................2-1


2.1.2 Network Port Configuration Task List ..................................................2-1
2.1.3 Port Configuration Example ..................................................................2-3
2.1.4 Port Troubleshooting ..............................................................................2-4

2.2 PORT ISOLATION .................................................................................2-5

2.2.1 Introduction to Port Isolation Function ................................................2-5


2.2.2 Task Sequence of Port Isolation............................................................2-5
2.2.3 Port Isolation Function Typical Examples............................................2-6

2.3 PORT LOOPBACK DETECTION ..............................................................2-7

2.3.1 Introduction to Port Loopback Detection Function ............................2-7


2.3.2 Port Loopback Detection Function Configuration Task List..............2-8
2.3.3 Port Loopback Detection Function Example .......................................2-9
2.3.4 Port Loopback Detection Troubleshooting ........................................2-10

2.4 ULDP .............................................................................................. 2-10

2.4.1 Introduction to ULDP Function............................................................2-10


2.4.2 ULDP Configuration Task Sequence................................................... 2-11
2.4.3 ULDP Function Typical Examples .......................................................2-13
2.4.4 ULDP Troubleshooting .........................................................................2-15

2.5 LLDP .............................................................................................. 2-16

2.5.1 Introduction to LLDP Function ............................................................2-16


2.5.2 LLDP Function Configuration Task Sequence...................................2-17
2.5.3 LLDP Function Typical Example .........................................................2-19
2.5.4 LLDP Function Troubleshooting .........................................................2-20

2.6 LLDP-MED ..................................................................................... 2-20

2.6.1 Introduction to LLDP-MED ...................................................................2-20


2.6.2 LLDP-MED Configuration Task Sequence..........................................2-21
2.6.3 LLDP-MED Example ..............................................................................2-23
2.6.4 LLDP-MED Troubleshooting ................................................................2-25

2.7 PORT CHANNEL ................................................................................ 2-26

2.7.1 Introduction to Port Channel ...............................................................2-26


2.7.2 Brief Introduction to LACP ...................................................................2-27
2.7.3 Introduction to Load Balance...............................................................2-28
2.7.4 Port Channel Configuration Task List ................................................2-28
2.7.5 Port Channel Examples ........................................................................2-30
2.7.6 Troubleshooting ....................................................................................2-32

2.8 MTU ................................................................................................ 2-33

2.8.1 Introduction to MTU ..............................................................................2-33


2.8.2 MTU Configuration Task Sequence ....................................................2-33

2.9 BPDU-TUNNEL ................................................................................... 2-33

2.9.1 Introduction to bpdu-tunnel .................................................................2-33


2.9.2 bpdu-tunnel Configuration Task List ..................................................2-34
2.9.3 Examples of bpdu-tunnel .....................................................................2-35
2.9.4 bpdu-tunnel Troubleshooting ..............................................................2-36

2.10 DDM.............................................................................................. 2-36

2.10.1 Introduction to DDM............................................................................2-37


2.10.2 DDM Configuration Task List .............................................................2-38
2.10.3 Examples of DDM ................................................................................2-40
2.10.4 DDM Troubleshooting .........................................................................2-43

2.11 EFM OAM ..................................................................................... 2-44

2.11.1 Introduction to EFM OAM ...................................................................2-44


2.11.2 EFM OAM Configuration.....................................................................2-47
2.11.3 EFM OAM Example .............................................................................2-49
2.11.4 EFM OAM Troubleshooting ................................................................2-49

2.12 PORT SECURITY ......................................................................... 2-50

2.12.1 Introduction to PORT SECURITY ......................................................2-50


2.12.2 PORT SECURITY Configuration Task List........................................2-50
2.12.3 Example of PORT SECURITY ............................................................2-51
2.12.4 PORT SECURITY Troubleshooting ...................................................2-52

2.13 EEE ENERGY-SAVING ...................................................................... 2-52

2.13.1 Introduction to EEE Energy-saving ..................................................2-52


2.13.2 EEE Energy-saving Configuration List .............................................2-52
2.13.3 EEE Energy-saving Typical Examples ..............................................2-52

2.14 LED SHUT-OFF ............................................................................... 2-53

2.14.1 Introduction to LED shut-off ..............................................................2-53


2.14.2 LED shut-off Configuration ................................................................2-53
2.14.3 LED shut-off Examples.......................................................................2-53

2.15 VLAN ............................................................................................ 2-53

2.15.1 Introduction to VLAN ..........................................................................2-53


2.15.2 VLAN Configuration Task List ...........................................................2-55
2.15.3 Typical VLAN Application...................................................................2-57
2.15.4 Typical Application of Hybrid Port ....................................................2-58

2.16 GVRP............................................................................................ 2-60

2.16.1 Introduction to GVRP .........................................................................2-60


2.16.2 GVRP Configuration Task List ...........................................................2-61
2.16.3 Example of GVRP ................................................................................2-61
2.16.4 GVRP Troubleshooting .......................................................................2-63

2.17 DOT1Q-TUNNEL .............................................................................. 2-63

2.17.1 Introduction to Dot1q-tunnel .............................................................2-63


2.17.2 Dot1q-tunnel Configuration ...............................................................2-64
2.17.3 Typical Applications of the Dot1q-tunnel .........................................2-65
2.17.4 Dot1q-tunnel Troubleshooting ..........................................................2-66

2.18 SELECTIVE QINQ ............................................................................ 2-66

2.18.1 Introduction to Selective QinQ ..........................................................2-66


2.18.2 Selective QinQ Configuration ............................................................2-66
2.18.3 Typical Applications of Selective QinQ ............................................2-67
2.18.4 Selective QinQ Troubleshooting .......................................................2-69

2.19 VLAN-TRANSLATION ....................................................................... 2-69

2.19.1 Introduction to VLAN-translation ......................................................2-69


2.19.2 VLAN-translation Configuration ........................................................2-69
2.19.3 Typical application of VLAN-translation ...........................................2-70
2.19.4 VLAN-translation Troubleshooting ...................................................2-71

2.20 DYNAMIC VLAN.............................................................................. 2-71

2.20.1 Introduction to Dynamic VLAN ..........................................................2-71


2.20.2 Dynamic VLAN Configuration............................................................2-72
2.20.3 Typical Application of the Dynamic VLAN .......................................2-74
2.20.4 Dynamic VLAN Troubleshooting .......................................................2-75

2.21 VOICE VLAN .................................................................................. 2-75

2.21.1 Introduction to Voice VLAN ...............................................................2-75


2.21.2 Voice VLAN Configuration .................................................................2-76
2.21.3 Typical Applications of the Voice VLAN ...........................................2-77
2.21.4 Voice VLAN Troubleshooting.............................................................2-78

2.22 MULTI-TO-ONE VLAN TRANSLATION ................................................ 2-78

2.22.1 Introduction to Multi-to-One VLAN Translation ...............................2-78


2.22.2 Multi-to-One VLAN Translation Configuration .................................2-78
2.22.3 Typical application of Multi-to-One VLAN Translation ....................2-79
2.22.4 Multi-to-One VLAN Translation Troubleshooting ............................2-80

2.23 MAC ADDRESS TABLE .................................................................... 2-80

2.23.1 Introduction to MAC Address Table ..................................................2-80


2.23.2 MAC Address Table Configuration Task List ....................................2-82
2.23.3 Typical Configuration Examples .......................................................2-84
2.23.4 MAC Address Table Troubleshooting ...............................................2-84

2.24 MAC NOTIFICATION ........................................................................ 2-85

2.24.1 Introduction to MAC Notification ......................................................2-85


2.24.2 MAC Notification Configuration ........................................................2-85
2.24.3 MAC Notification Example .................................................................2-86
2.24.4 MAC Notification Troubleshooting....................................................2-87

CHAPTER 3 IP SERVICES CONFIGURATION ......................... 3-1

3.1 LAYER 3 INTERFACE ............................................................................3-1

3.1.1 Introduction to Layer 3 Interface ...........................................................3-1


3.1.2 Layer 3 Interface Configuration Task List ............................................3-1

3.2 IP CONFIGURATION .............................................................................3-2

3.2.1 Introduction to IPv4, IPv6 .......................................................................3-2


3.2.2 IP Configuration ......................................................................................3-3
3.2.3 IP Configuration Examples ....................................................................3-6
3.2.4 IPv6 Troubleshooting .............................................................................3-7

3.3 ARP ..................................................................................................3-7

3.3.1 Introduction to ARP ................................................................................3-7


3.3.2 ARP Configuration Task List..................................................................3-7
3.3.3 ARP Troubleshooting .............................................................................3-7

3.4 ARP SCANNING PREVENTION ..............................................................3-8

3.4.1 Introduction to ARP Scanning Prevention Function ...........................3-8


3.4.2 ARP Scanning Prevention Configuration Task Sequence..................3-8
3.4.3 ARP Scanning Prevention Typical Examples ....................................3-10
3.4.4 ARP Scanning Prevention Troubleshooting Help ............................. 3-11

3.5 PREVENT ARP SPOOFING.................................................................. 3-12

3.5.1 Overview ................................................................................................3-12


3.5.2 Prevent ARP Spoofing configuration..................................................3-13
3.5.3 Prevent ARP Spoofing Example ..........................................................3-13

3.6 ARP GUARD .................................................................................. 3-14

3.6.1 Introduction to ARP GUARD ................................................................3-14


3.6.2 ARP GUARD Configuration Task List .................................................3-15

3.7 GRATUITOUS ARP ............................................................................ 3-16

3.7.1 Introduction to Gratuitous ARP ...........................................................3-16


3.7.2 Gratuitous ARP Configuration Task List ............................................3-16
3.7.3 Gratuitous ARP Configuration Example .............................................3-16
3.7.4 Gratuitous ARP Troubleshooting ........................................................3-17

3.8 DYNAMIC ARP INSPECTION................................................................ 3-18

3.8.1 Introduction to Dynamic ARP Inspection Configuration ..................3-18


3.8.2 Dynamic ARP Inspection Configuration Task List ............................3-18
3.8.3 Dynamic ARP Inspection Configuration Example .............................3-19

3.9 DHCP.............................................................................................. 3-20

3.9.1 Introduction to DHCP ...........................................................................3-20


3.9.2 DHCP Server Configuration .................................................................3-21
3.9.3 DHCP Relay Configuration...................................................................3-23
3.9.4 DHCP Configuration Examples ...........................................................3-25
3.9.5 DHCP Troubleshooting .........................................................................3-28

3.10 DHCP OPTION 82 ........................................................................... 3-28

3.10.1 Introduction to DHCP option 82 ........................................................3-28


3.10.2 DHCP option 82 Configuration Task List..........................................3-30
3.10.3 DHCP option 82 Application Examples ............................................3-33
3.10.4 DHCP option 82 Troubleshooting .....................................................3-34

3.11 DHCP SNOOPING ........................................................................... 3-35

3.11.1 Introduction to DHCP Snooping ........................................................3-35


3.11.2 DHCP Snooping Configuration Task Sequence ..............................3-36
3.11.3 DHCP Snooping Typical Application .................................................3-40
3.11.4 DHCP Snooping Troubleshooting Help ............................................3-41

3.12 DHCP SNOOPING OPTION 82 ........................................................... 3-41

3.12.1 Introduction to DHCP Snooping option 82.......................................3-41


3.12.2 DHCP Snooping option 82 Configuration Task List ........................3-43
3.12.3 DHCP Snooping option 82 Application Examples ..........................3-44
3.12.4 DHCP Snooping option 82 Troubleshooting ....................................3-45

3.13 DHCP OPTION 60 AND OPTION 43 .................................................... 3-46

3.13.1 Introduction to DHCP option 60 and option 43................................3-46


3.13.2 DHCP option 60 and option 43 Configuration Task List .................3-46
3.13.3 DHCPv6 option 60 and option 43 Example ......................................3-47
3.13.4 DHCP option 60 and option 43 Troubleshooting .............................3-47

CHAPTER 4 MULTICAST PROTOCOL RELATED CONFIGURATION ..................................................................... 4-1

4.1 IPV4 MULTICAST PROTOCOL OVERVIEW ...............................................4-1

4.1.1 Introduction to Multicast ........................................................................4-1


4.1.2 Multicast Address ...................................................................................4-1
4.1.3 IP Multicast Packet Transmission .........................................................4-3
4.1.4 IP Multicast Application ..........................................................................4-3

4.2 DCSCM.............................................................................................4-4

4.2.1 Introduction to DCSCM ..........................................................................4-4


4.2.2 DCSCM Configuration Task List ............................................................4-4
4.2.3 DCSCM Configuration Examples ..........................................................4-7
4.2.4 DCSCM Troubleshooting........................................................................4-8

4.3 IGMP SNOOPING ................................................................................4-8

4.3.1 Introduction to IGMP Snooping .............................................................4-8


4.3.2 IGMP Snooping Configuration Task List ..............................................4-9
4.3.3 IGMP Snooping Examples ................................................................... 4-11
4.3.4 IGMP Snooping Troubleshooting ........................................................4-13

4.4 IGMP SNOOPING AUTHENTICATION .................................................... 4-14

4.4.1 Introduction to IGMP Snooping Authentication ................................4-14


4.4.2 IGMP Snooping Authentication Task List...........................................4-14
4.4.3 IGMP Snooping Authentication Examples .........................................4-15

4.5 MULTICAST VLAN ............................................................................ 4-16

4.5.1 Introduction to Multicast VLAN ...........................................................4-16


4.5.2 Multicast VLAN Configuration Task List ............................................4-17
4.5.3 Multicast VLAN Examples ....................................................................4-18

CHAPTER 5 SECURITY FUNCTION CONFIGURATION .......... 5-1

5.1 ACL ..................................................................................................5-1

5.1.1 Introduction to ACL ................................................................................5-1


5.1.2 ACL Configuration Task List ..................................................................5-2
5.1.3 ACL Example .........................................................................................5-13
5.1.4 ACL Troubleshooting ............................................................................5-16

5.2 SELF-DEFINED ACL .......................................................................... 5-18

5.2.1 Introduction to Self-defined ACL.........................................................5-18


5.2.2 Self-defined ACL Configuration ..........................................................5-19
5.2.3 Self-defined ACL Example ...................................................................5-21
5.2.4 Self-defined ACL Troubleshooting ......................................................5-21

5.3 802.1X ............................................................................................. 5-22

5.3.1 Introduction to 802.1x ...........................................................................5-22


5.3.2 802.1x Configuration Task List ............................................................5-33
5.3.3 802.1x Application Example .................................................................5-34
5.3.4 802.1x Troubleshooting ........................................................................5-38

5.4 THE NUMBER LIMITATION FUNCTION OF MAC AND IP IN PORT, VLAN ... 5-38

5.4.1 Introduction to the Number Limitation Function of MAC and IP in Port, VLAN ................................................................................................................5-38

5.4.2 The Number Limitation Function of MAC and IP in Port, VLAN Configuration Task Sequence ......................................................................5-39
5.4.3 The Number Limitation Function of MAC and IP in Port, VLAN Typical Examples.........................................................................................................5-41
5.4.4 The Number Limitation Function of MAC and IP in Port, VLAN Troubleshooting Help ....................................................................................5-42

5.5 AM .................................................................................................. 5-43

5.5.1 Introduction to AM Function ................................................................5-43


5.5.2 AM Function Configuration Task List .................................................5-43
5.5.3 AM Function Example...........................................................................5-44
5.5.4 AM Function Troubleshooting .............................................................5-45

5.6 SECURITY FEATURE ........................................................................... 5-45

5.6.1 Introduction to Security Feature .........................................................5-45


5.6.2 Security Feature Configuration ...........................................................5-45
5.6.3 Security Feature Example ....................................................................5-47

5.7 TACACS+ ....................................................................................... 5-48

5.7.1 Introduction to TACACS+ .....................................................................5-48


5.7.2 TACACS+ Configuration Task List ......................................................5-48
5.7.3 TACACS+ Scenarios Typical Examples ..............................................5-49
5.7.4 TACACS+ Troubleshooting ..................................................................5-49

5.8 RADIUS .......................................................................................... 5-50

5.8.1 Introduction to RADIUS ........................................................................5-50


5.8.2 RADIUS Configuration Task List .........................................................5-52
5.8.3 RADIUS Typical Examples ...................................................................5-54
5.8.4 RADIUS Troubleshooting .....................................................................5-55

5.9 SSL ................................................................................................. 5-56

5.9.1 Introduction to SSL ...............................................................................5-56


5.9.2 SSL Configuration Task List ................................................................5-57
5.9.3 SSL Typical Example ............................................................................5-58
5.9.4 SSL Troubleshooting ............................................................................5-59

5.10 VLAN-ACL ................................................................................... 5-59

5.10.1 Introduction to VLAN-ACL .................................................................5-59


5.10.2 VLAN-ACL Configuration Task List ..................................................5-59
5.10.3 VLAN-ACL Configuration Example ...................................................5-61
5.10.4 VLAN-ACL Troubleshooting ..............................................................5-62

5.11 CAPTIVE PORTAL AUTHENTICATION .................................................. 5-63

5.11.1 Captive Portal Authentication Configuration ...................................5-63


5.11.2 Accounting Function Configuration..................................................5-68
5.11.3 Free-resource Configuration..............................................................5-70
5.11.4 Authentication White-list Configuration ...........................................5-71
5.11.5 Automatic Page Pushing after Successful Authentication (not currently supported) ......................................................................................5-73
5.11.6 http-redirect-filter ................................................................................5-75
5.11.7 Portal Non-perception.........................................................................5-77
5.11.8 Portal Escaping ...................................................................................5-80

5.12 MAB .............................................................................................. 5-87

5.12.1 Introduction to MAB............................................................................5-87


5.12.2 MAB Configuration Task List .............................................................5-87
5.12.3 MAB Example ......................................................................................5-89
5.12.4 MAB Troubleshooting .........................................................................5-91

5.13 PPPOE INTERMEDIATE AGENT ......................................................... 5-91

5.13.1 Introduction to PPPoE Intermediate Agent ......................................5-91


5.13.2 PPPoE Intermediate Agent Configuration Task List .......................5-95
5.13.3 PPPoE Intermediate Agent Typical Application ...............................5-96
5.13.4 PPPoE Intermediate Agent Troubleshooting ...................................5-98

5.14 QOS .............................................................................................. 5-98

5.14.1 Introduction to QoS ............................................................................5-98


5.14.2 QoS Configuration Task List........................................................... 5-104
5.14.3 QoS Example .................................................................................... 5-108
5.14.4 QoS Troubleshooting ....................................................................... 5-110

5.15 FLOW-BASED REDIRECTION ........................................................... 5-110

5.15.1 Introduction to Flow-based Redirection ......................................... 5-110


5.15.2 Flow-based Redirection Configuration Task Sequence ............... 5-110
5.15.3 Flow-based Redirection Examples ................................................. 5-111
5.15.4 Flow-based Redirection Troubleshooting Help ............................. 5-111

5.16 FLEXIBLE QINQ ............................................................................ 5-112

5.16.1 Introduction to Flexible QinQ .......................................................... 5-112


5.16.2 Flexible QinQ Configuration Task List............................................ 5-112
5.16.3 Flexible QinQ Example ..................................................................... 5-114
5.16.4 Flexible QinQ Troubleshooting ....................................................... 5-115

CHAPTER 6 RELIABILITY CONFIGURATION ......................... 6-1

6.1 MSTP ................................................................................................6-1

6.1.1 Introduction to MSTP ..............................................................................6-1


6.1.2 MSTP Configuration Task List ...............................................................6-3
6.1.3 MSTP Example ........................................................................................6-6
6.1.4 MSTP Troubleshooting ......................................................................... 6-11

6.2 ERPS .............................................................................................. 6-11

6.2.1 Introduction to ERPS ............................................................................ 6-11


6.2.2 ERPS Configuration ..............................................................................6-17
6.2.3 ERPS Examples.....................................................................................6-19
6.2.4 ERPS Troubleshooting .........................................................................6-25

6.3 MRPP ............................................................................................. 6-25

6.3.1 Introduction to MRPP ...........................................................................6-25


6.3.2 MRPP Configuration Task List.............................................................6-28
6.3.3 MRPP Typical Scenario ........................................................................6-29
6.3.4 MRPP Troubleshooting.........................................................................6-31

6.4 ULPP .............................................................................................. 6-32

6.4.1 Introduction to ULPP ............................................................................6-32


6.4.2 ULPP Configuration Task List .............................................................6-34
6.4.3 ULPP Typical Examples........................................................................6-36
6.4.4 ULPP Troubleshooting .........................................................................6-39

6.5 ULSM.............................................................................................. 6-39

6.5.1 Introduction to ULSM............................................................................6-39


6.5.2 ULSM Configuration Task List .............................................................6-40
6.5.3 ULSM Typical Example .........................................................................6-41
6.5.4 ULSM Troubleshooting .........................................................................6-42

CHAPTER 7 DEBUGGING AND DIAGNOSIS CONFIGURATION ........................ 7-1

7.1 MONITOR AND DEBUG .........................................................................7-1

7.1.1 Ping...........................................................................................................7-1
7.1.2 Ping6.........................................................................................................7-1
7.1.3 Traceroute ................................................................................................7-1
7.1.4 Traceroute6 ..............................................................................................7-2
7.1.5 Show .........................................................................................................7-2
7.1.6 Debug .......................................................................................................7-3

7.2 LOGGING ............................................................................................7-3

7.2.1 System Log Introduction ........................................................................7-3


7.2.2 System Log Configuration .....................................................................7-5
7.2.3 System Log Configuration Example .....................................................7-7

7.3 RELOAD SWITCH AFTER SPECIFIED TIME ..............................................7-7

7.3.1 Introduction to Reload Switch after Specified Time ..................................7-7

7.3.2 Reload Switch after Specified Time Task List ........................................7-7

7.4 DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU ........7-8

7.4.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU ......7-8
7.4.2 Debugging and Diagnosis for Packets Received and Sent by CPU Task List ............7-8

7.5 MIRROR ..............................................................................................7-9

7.5.1 Introduction to Mirror .............................................................................7-9


7.5.2 Mirror Configuration Task List...............................................................7-9
7.5.3 Mirror Examples ....................................................................................7-10
7.5.4 Device Mirror Troubleshooting ............................................................ 7-11

7.6 RSPAN ........................................................................................... 7-11

7.6.1 Introduction to RSPAN ......................................................................... 7-11


7.6.2 RSPAN Configuration Task List...........................................................7-13
7.6.3 Typical Examples of RSPAN ................................................................7-14
7.6.4 RSPAN Troubleshooting ......................................................................7-17

7.7 SFLOW ............................................................................................. 7-18

7.7.1 Introduction to sFlow ...........................................................................7-18


7.7.2 sFlow Configuration Task List .............................................................7-18
7.7.3 sFlow Examples ....................................................................................7-20
7.7.4 sFlow Troubleshooting .........................................................................7-20

CHAPTER 8 NETWORK TIME MANAGEMENT CONFIGURATION ..................... 8-1

8.1 NTP...................................................................................................8-1

8.1.1 Introduction to NTP Function ................................................................8-1


8.1.2 NTP Function Configuration Task List .................................................8-1
8.1.3 Typical Examples of NTP Function .......................................................8-4
8.1.4 NTP Function Troubleshooting .............................................................8-4

8.2 SNTP ................................................................................................8-5

8.2.1 Introduction to SNTP ..............................................................................8-5


8.2.2 Typical Examples of SNTP Configuration ............................................8-6

8.3 SUMMER TIME .....................................................................................8-6

8.3.1 Introduction to Summer Time ................................................................8-6


8.3.2 Summer Time Configuration Task Sequence ......................................8-7
8.3.3 Examples of Summer Time ....................................................................8-7
8.3.4 Summer Time Troubleshooting .............................................................8-7

CHAPTER 9 POE CONFIGURATION ........................................ 9-1

9.1 POE ...................................................................................................9-1

9.1.1 Introduction to PoE .................................................................................9-1


9.1.2 PoE Configuration...................................................................................9-1
9.1.3 Typical Application of PoE .....................................................................9-3
9.1.4 PoE Troubleshooting Help .....................................................................9-4

CHAPTER 10 IPV6 CONFIGURATION.................................... 10-1

10.1 DHCPV6 ........................................................................................ 10-1

10.1.1 Introduction to DHCPv6 .....................................................................10-1


10.1.2 DHCPv6 Server Configuration ...........................................................10-2
10.1.3 DHCPv6 Relay Delegation Configuration .........................................10-3
10.1.4 DHCPv6 Prefix Delegation Server Configuration ............................10-4
10.1.5 DHCPv6 Prefix Delegation Client Configuration .............................10-5
10.1.6 DHCPv6 Configuration Examples .....................................................10-6
10.1.7 DHCPv6 Troubleshooting...................................................................10-8

10.2 DHCPV6 OPTION37, 38 .................................................................. 10-8

10.2.1 Introduction to DHCPv6 option37, 38 ...............................................10-8


10.2.2 DHCPv6 option37, 38 Configuration Task List ................................10-9
10.2.3 DHCPv6 option37, 38 Examples ..................................................... 10-14
10.2.4 DHCPv6 option37, 38 Troubleshooting ......................................... 10-17

10.3 IPV6 MULTICAST PROTOCOL .......................................................... 10-17

10.3.1 MLD Snooping .................................................................................. 10-17

10.4 IPV6 SECURITY RA ....................................................................... 10-21

10.4.1 Introduction to IPv6 Security RA.................................................... 10-21


10.4.2 IPv6 Security RA Configuration Task Sequence .......................... 10-22
10.4.3 IPv6 Security RA Typical Examples ............................................... 10-22
10.4.4 IPv6 Security RA Troubleshooting Help ........................................ 10-23

10.5 SAVI CONFIGURATION ................................................................... 10-23

10.5.1 Introduction to SAVI......................................................................... 10-23


10.5.2 SAVI Configuration .......................................................................... 10-24
10.5.3 SAVI Typical Application ................................................................. 10-27
10.5.4 SAVI Troubleshooting ...................................................................... 10-29
S4600_Configuration Guide Chapter 1 Basic Management Configuration

Chapter 1 Basic Management Configuration

1.1 Switch Management

1.1.1 Management Options


After purchasing the switch, the user needs to configure it for network management. The
switch provides two management options: in-band management and out-of-band management.

1.1.1.1 Out-Of-Band Management


Out-of-band management is management through the Console interface. Generally, the user
will use out-of-band management for the initial switch configuration, or when in-band
management is not available. For instance, the user must assign an IP address to the switch via
the Console interface before the switch can be accessed through Telnet.
The procedures for managing the switch via Console interface are listed below:
Step 1: setting up the environment:

Figure 1-1 Out-of-band Management Configuration Environment (PC serial port connected to the
switch Console port)


As shown above, the PC's serial port (RS-232) is connected to the switch Console port with the
serial cable provided. The table below lists the devices used in the connection.

Device Name        Description
PC                 Has a functional keyboard and an RS-232 serial port, with a terminal
                   emulator installed, such as the HyperTerminal included in Windows
                   9x/NT/2000/XP.
Serial port cable  One end attaches to the PC's RS-232 serial port, the other end to the
                   switch Console port.
Switch             Functional Console port required.

Step 2: Entering the HyperTerminal


Open the HyperTerminal included in Windows after the connection is established. The
example below is based on the HyperTerminal included in Windows XP.
1) Click Start menu - All Programs -Accessories -Communication - HyperTerminal.

Figure 1-2 Opening Hyper Terminal


2) Type a name for the HyperTerminal connection, such as “Switch”.

Figure 1-3 Opening HyperTerminal


3) In the “Connecting using” drop-list, select the RS-232 serial port used by the PC, e.g. COM1,
and click “OK”.


Figure 1-4 Opening HyperTerminal


4) The COM1 properties dialog appears. Select “9600” for “Bits per second”, “8” for “Data bits”,
“None” for “Parity”, “1” for “Stop bits” and “None” for “Flow control”; or click “Restore Defaults”
and then “OK”.

Figure 1-5 Opening HyperTerminal


Step 3: Entering the switch CLI interface
Power on the switch. The following appears in the HyperTerminal window, ending at the CLI
prompt of the switch:
Testing RAM...
0x077C0000 RAM OK
Loading MiniBootROM...
Attaching to file system ...


Loading nos.img ... done.


Booting......
Starting at 0x10000...

Attaching to file system ...


……

--- Performing Power-On Self Tests (POST) ---


DRAM Test....................PASS!
PCI Device 1 Test............PASS!
FLASH Test...................PASS!
FAN Test.....................PASS!
Done All Pass.
------------------ DONE ---------------------
Current time is SUN JAN 01 00:00:00 2006
……
Switch>

The user can now enter commands to manage the switch. For a detailed description for the
commands, please refer to the following chapters.

1.1.1.2 In-band Management


In-band management refers to managing the switch by logging in with Telnet, HTTP, or SNMP
management software. In-band management allows the switch to be managed from devices
attached to it. If in-band management becomes unavailable because of a switch configuration
change, out-of-band management can be used to configure and manage the switch.

1.1.1.2.1 Management via Telnet


To manage the switch with Telnet, the following conditions should be met:
1) The switch has an IPv4/IPv6 address configured;
2) The host IP address (Telnet client) and the switch’s VLAN interface IPv4/IPv6 address are in
the same network segment;
3) If 2) is not met, the Telnet client can reach an IPv4/IPv6 address of the switch via other
devices, such as a router.
The switch is a Layer 2 switch that can be configured with several IP addresses; for the
configuration method, refer to the relevant chapter. The following example assumes the factory
state of the switch, where only VLAN1 exists in the system.
The following describes the steps for a Telnet client to connect to the switch’s VLAN1
interface by Telnet (IPv4 address example):


Figure 1-6 Manage the switch by Telnet (host connected to the switch by cable)

Step 1: Configure the IP addresses for the switch and start the Telnet Server function on the
switch.

First configure the host IP address. It should be within the same network segment as the
switch VLAN1 interface IP address. Suppose the switch VLAN1 interface IP address is
10.1.128.251/24; then a possible host IP address is 10.1.128.252/24. Run “ping 10.1.128.251”
from the host and verify the result; investigate the cause if the ping fails.
The IP address configuration commands for the VLAN1 interface are listed below. Before in-band
management is possible, the switch must be configured with an IP address by out-of-band
management (i.e. Console mode). The configuration commands are as follows (all switch
configuration prompts are assumed to be “Switch” hereafter if not otherwise specified):
Switch>
Switch>enable
Switch#config
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.128.251 255.255.255.0
Switch(Config-if-Vlan1)#no shutdown
To enable the Telnet Server function, users should type the CLI command telnet-server
enable in the global mode as below:
Switch>enable
Switch#config
Switch(config)# telnet-server enable

Step 2: Run Telnet Client program.

Run the Telnet client program included in Windows with the switch as the specified target.


Figure 1-7 Run telnet client program included in Windows


Step 3: Login to the switch.

Log in to the Telnet configuration interface. A valid login name and password are required,
otherwise the switch will reject Telnet access. This is a method to protect the switch from
unauthorized access. As a result, when Telnet is enabled for configuring and managing the switch,
a username and password for authorized Telnet users must be configured with the following
command: username <username> privilege <privilege> [password (0|7) <password>]. Local
authentication for Telnet sessions is then enabled with the command authentication line vty
login local. The privilege option is mandatory and must be 15. Note that Telnet carries the login
name, password and the whole session in cleartext, so it should only be used on a trusted
management network. Assume an authorized user in the switch has the username “test” and
password “test”; the configuration procedure is as follows:
Switch>enable
Switch#config
Switch(config)#username test privilege 15 password 0 test
Switch(config)#authentication line vty login local

After entering a valid login name and password in the Telnet configuration interface, the Telnet
user can enter the switch’s CLI configuration interface. The commands available in the Telnet CLI
interface after login are the same as those in the Console interface.


Figure 1-8 Telnet Configuration Interface

1.1.1.2.2 Management via HTTP


To manage the switch via HTTP, the following conditions should be met:
1) The switch has an IPv4/IPv6 address configured;
2) The host IPv4/IPv6 address (HTTP client) and the switch’s VLAN interface IPv4/IPv6 address
are in the same network segment;
3) If 2) is not met, the HTTP client can reach an IPv4/IPv6 address of the switch via other
devices, such as a router.
Similar to managing the switch via Telnet, as soon as the host can ping/ping6 an IPv4/IPv6
address of the switch and has the right login name and password, it can access the switch via
HTTP. The configuration steps are as below:

Step 1: Configure the IP addresses for the switch and start the HTTP server function on the
switch.

For configuring the IP address on the switch through out-of-band management, see the
Telnet management section above.
To enable Web configuration, users should type the CLI command ip http server in global
mode as below:
Switch>enable
Switch#config
Switch(config)#ip http server

Step 2: Run HTTP protocol on the host.



Open the Web browser on the host and type the IP address of the switch, or run the HTTP
protocol directly from Windows. For example, the IP address of the switch is “10.1.128.251”:

Figure 1-9 Run HTTP Protocol


When accessing a switch by its IPv6 address, it is recommended to use Firefox version 1.5 or
later. For example, if the IPv6 address of the switch is 3ffe:506:1:2::3, enter
http://[3ffe:506:1:2::3]; the IPv6 address must be enclosed in square brackets.
Step 3: Login to the switch.

Log in to the Web configuration interface. A valid login name and password are required,
otherwise the switch will reject HTTP access. This is a method to protect the switch from
unauthorized access. As a result, when HTTP is enabled for configuring and managing the switch,
a username and password for authorized Web users must be configured with the following
command: username <username> privilege <privilege> [password (0|7) <password>]. Local
authentication for Web logins is then enabled with the command authentication line web login
local. The privilege option is mandatory and must be 15. Like Telnet, plain HTTP transmits the
login credentials unencrypted. Assume an authorized user in the switch has the username
“admin” and password “admin”; the configuration procedure is as follows:
Switch>enable
Switch#config
Switch(config)#username admin privilege 15 password 0 admin
Switch(config)#authentication line web login local
The Web login interface of S4600-28P-SI is as below:


Figure 1-10 Web Login Interface


After entering the correct username and password, the main Web configuration interface is
shown as below.

Figure 1-11 Main Web Configuration Interface


Note: when configuring the switch, the switch name must consist of English letters.
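As an added example that is not part of this guide, the following Python script audits a saved configuration for the in-band management settings described in the Telnet and HTTP sections above: which services are enabled, whether the matching "authentication line ... login local" command is present, and which configured users meet the privilege-15 requirement. The configuration text is constructed for the example, and the checks are heuristics over the command forms shown in this chapter; they say nothing about how the switch behaves when those lines are absent.

```python
import re

# Constructed sample of a saved configuration using the command forms shown in
# this chapter; it is not output captured from a real S4600.
SAMPLE_CONFIG = """\
!
hostname Switch
username test privilege 15 password 0 test
username guest privilege 1 password 0 guest
telnet-server enable
ip http server
interface vlan 1
 ip address 10.1.128.251 255.255.255.0
 no shutdown
!
authentication line vty login local
!
"""

# username <name> privilege <n> [password (0|7) <password>]
USER_RE = re.compile(r"^username (\S+) privilege (\d+)(?: password ([07]) (\S+))?$")

# service -> (command that enables it, command that turns on local authentication)
MANAGEMENT_SERVICES = {
    "telnet": ("telnet-server enable", "authentication line vty login local"),
    "http": ("ip http server", "authentication line web login local"),
}


def parse_users(lines):
    """Return [(name, privilege, password_form)] from the 'username ...' lines;
    password_form is "0" or "7" as written, or None if no password was given."""
    users = []
    for line in lines:
        match = USER_RE.match(line)
        if match:
            name, priv, form, _ = match.groups()
            users.append((name, int(priv), form))
    return users


def audit_management(config_text):
    """Return findings about in-band management: which services are enabled,
    whether their local-login command is present, and which users qualify."""
    lines = [line.strip() for line in config_text.splitlines()]
    users = parse_users(lines)
    findings = []
    for service, (enable_cmd, auth_cmd) in MANAGEMENT_SERVICES.items():
        if enable_cmd not in lines:
            findings.append(f"{service}: disabled")
            continue
        # Both Telnet and plain HTTP send the login credentials unencrypted.
        findings.append(f"{service}: enabled (credentials cross the network unencrypted)")
        if auth_cmd not in lines:
            findings.append(f"{service}: '{auth_cmd}' not configured")
    # Only privilege-15 users are accepted for Telnet/Web login (see 1.1.1.2.1).
    admins = [name for name, priv, _ in users if priv == 15]
    if not admins:
        findings.append("no privilege-15 user: Telnet/Web login is not possible")
    for name, priv, form in users:
        if priv != 15:
            findings.append(f"user {name}: privilege {priv} cannot log in via Telnet/Web")
        if form == "0":
            findings.append(f"user {name}: password appears in cleartext form (password 0)")
    return findings


if __name__ == "__main__":
    for finding in audit_management(SAMPLE_CONFIG):
        print(finding)
```

Run the script against the text of "show running-config" saved from the switch; every line it prints is something to verify by hand, since the script only matches the exact command forms given in this chapter.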

1.1.1.2.3 Manage the Switch via SNMP Network Management Software
The requirements for managing switches with SNMP network management software are:
1) IP addresses are configured on the switch;
2) The IP address of the client host and that of the switch VLAN interface it belongs to are in
the same segment;
3) If 2) is not met, the client should be able to reach an IP address of the switch through
devices such as routers;
4) SNMP is enabled.
The host with the SNMP network management software should be able to ping the IP address of
the switch, so that, when running, the SNMP network management software can find it and
perform read/write operations on it. Details of how to manage switches via SNMP network
management software are not covered in this manual; please refer to the “SNMP network
management software user manual”.

1.1.2 CLI Interface


The switch provides three management interfaces for users: the CLI (Command Line Interface),
the Web interface, and SNMP network management software. The CLI interface is described in
detail here; the Web interface offers the same functions as the CLI and is not covered separately,
and for SNMP please refer to the “SNMP network management software user manual”.
The CLI interface is familiar to most users. As mentioned above, out-of-band management and
Telnet login are both performed through the CLI interface to manage the switch.
The CLI interface is supported by a Shell program, which consists of a set of configuration
commands. Those commands are categorized according to their functions in switch configuration
and management, and each category represents a different configuration mode. The Shell for the
switch is described below:
- Configuration Modes
- Configuration Syntax
- Shortcut keys
- Help function
- Input verification
- Fuzzy match support

1.1.2.1 Configuration Modes


Figure 1-12 Shell Configuration Modes

1.1.2.1.1 User Mode


On entering the CLI interface, the user first enters the user entry system. A common user is
placed in User Mode by default. The prompt shown is “Switch>“; the symbol “>“ is the prompt for
User Mode. When the exit command is run under Admin Mode, the CLI also returns to User Mode.
Under User Mode, no configuration of the switch is allowed; only the clock time and version
information of the switch can be queried.

1.1.2.1.2 Admin Mode


Entering Admin Mode: in the user entry system, an Admin user is placed in Admin Mode by
default. The Admin Mode prompt “Switch#” can also be entered from User Mode by running the
enable command and entering the admin user password for the corresponding access level, if a
password has been set. Likewise, when the exit command is run under Global Mode, the CLI
returns to Admin Mode. The switch also provides the shortcut key sequence “Ctrl+z”, which gives
an easy way to return to Admin Mode from any configuration mode (except User Mode).
Under Admin Mode, the user can query the switch configuration information, connection
status and traffic statistics of all ports, and the user can further enter Global Mode from
Admin Mode to modify all configurations of the switch. For this reason, a password must be set
for entering Admin Mode to prevent unauthorized access and malicious modification of the
switch.

1.1.2.1.3 Global Mode


Typing the config command under Admin Mode enters Global Mode, with the prompt
“Switch(config)#”. Using the exit command under other configuration modes such as Port Mode or
VLAN Mode returns to Global Mode.
The user can perform global configuration settings under Global Mode, such as the MAC table,
port mirroring, VLAN creation, starting IGMP Snooping and STP, etc. The user can also go further
into Port Mode to configure the individual interfaces.
Interface Mode
Using the interface command under Global Mode enters the specified interface mode. The
switch provides three interface types: 1. VLAN interface; 2. Ethernet port; 3. port-channel, with a
corresponding configuration mode for each.

VLAN Interface
  Entry: type the interface vlan <Vlan-id> command under Global Mode.
  Operates: configure switch IPs, etc.
  Exit: use the exit command to return to Global Mode.
Ethernet Port
  Entry: type the interface ethernet <interface-list> command under Global Mode.
  Operates: configure supported duplex mode, speed, etc. of the Ethernet port.
  Exit: use the exit command to return to Global Mode.
port-channel
  Entry: type the interface port-channel <port-channel-number> command under Global Mode.
  Operates: configure port-channel related settings such as duplex mode, speed, etc.
  Exit: use the exit command to return to Global Mode.

VLAN Mode
Using the vlan <vlan-id> command under Global Mode enters the corresponding VLAN Mode.
Under VLAN Mode the user can configure all member ports of the corresponding VLAN. Run the
exit command to exit VLAN Mode to Global Mode.

DHCP Address Pool Mode
Typing the ip dhcp pool <name> command under Global Mode enters DHCP Address Pool Mode,
with the prompt “Switch(Config-<name>-dhcp)#”. DHCP address pool properties can be configured
under DHCP Address Pool Mode. Run the exit command to exit DHCP Address Pool Mode to
Global Mode.

ACL Mode
Standard IP ACL Mode
  Entry: type the ip access-list standard command under Global Mode.
  Operates: configure parameters for Standard IP ACL Mode.
  Exit: use the exit command to return to Global Mode.
Extended IP ACL Mode
  Entry: type the ip access-list extended command under Global Mode.
  Operates: configure parameters for Extended IP ACL Mode.
  Exit: use the exit command to return to Global Mode.

1.1.2.2 Configuration Syntax


The switch provides various configuration commands. Although the commands differ, they all
follow the same syntax for switch configuration commands. The general command format is
shown below:
cmdtxt <variable> {enum1 | … | enumN } [option1 | … | optionN]
Conventions: cmdtxt in bold font indicates a command keyword; <variable> indicates a variable
parameter; {enum1 | … | enumN } indicates a mandatory parameter that should be selected
from the parameter set enum1~enumN; and the square bracket ([ ]) in [option1 | … | optionN]
indicate an optional parameter. There may be combinations of “< >“, “{ }” and “[ ]” in the
command line, such as [<variable>], {enum1 <variable>| enum2}, [option1 [option2]], etc.

Here are examples of some actual configuration commands:
- show version, no parameters required. This is a command with only a keyword and no
parameter; just type in the command to run it.
- vlan <vlan-id>, a parameter value is required after the keyword.
- firewall {enable | disable}, the user can enter firewall enable or firewall disable for this
command.
- snmp-server community {ro | rw} <string>, the following forms are possible:
snmp-server community ro <string>
snmp-server community rw <string>

1.1.2.3 Shortcut Key Support


The switch provides several shortcut keys to facilitate user configuration, such as Up, Down,
Left, Right and Backspace. If the terminal does not recognize the Up and Down keys, Ctrl+p and
Ctrl+n can be used instead.

Key(s)      Function
Backspace   Delete the character before the cursor; the cursor moves back.
Up “↑”      Show the previous command entered. Up to ten recently entered commands can be
            shown.
Down “↓”    Show the next command entered. After using the Up key to get previously entered
            commands, you can use the Down key to return to the next command.
Left “←”    Move the cursor one character to the left. The Left and Right keys can be used to
            modify an entered command.
Right “→”   Move the cursor one character to the right.
Ctrl+p      The same as the Up key “↑”.
Ctrl+n      The same as the Down key “↓”.
Ctrl+b      The same as the Left key “←”.
Ctrl+f      The same as the Right key “→”.
Ctrl+z      Return to Admin Mode directly from the other configuration modes (except User
            Mode).
Ctrl+c      Break the ongoing command process, such as ping or other command execution.
Tab         When part of a command or keyword has been entered, Tab completes the command
            or keyword if there is no conflict.

1.1.2.4 Help Function


There are two ways for the user to access help information: the “help” command and “?”.

Access to Help   Usage and function
help             Under any command line prompt, type “help” and press Enter to get a brief
                 description of the help system.
“?”              1. Under any command line prompt, enter “?” to get a list of the commands
                 available in the current mode with brief descriptions.
                 2. Enter “?” after a command keyword, separated by a space. If the position
                 should be a parameter, a description of that parameter’s type, scope, etc. is
                 returned; if the position should be a keyword, the set of possible keywords with
                 brief descriptions is returned; if the output is “<cr>“, the command is complete
                 and pressing Enter runs it.
                 3. Enter “?” immediately after a string to display all the commands that begin
                 with that string.

1.1.2.5 Input Verification

1.1.2.5.1 Returned Information: success


All commands entered through keyboards undergo syntax check by the Shell. Nothing will be
returned if the user entered a correct command under corresponding modes and the execution is
successful.

1.1.2.5.2 Returned Information: error

Output error message                                         Explanation
Unrecognized command or illegal parameter!                   The entered command does not exist, or there is
                                                             an error in parameter scope, type or format.
Ambiguous command                                            At least two interpretations are possible based
                                                             on the current input.
Invalid command or parameter                                 The command is recognized, but no valid parameter
                                                             record is found.
This command is not exist in current mode                    The command is recognized, but cannot be used in
                                                             the current mode.
Please configure precursor command "*" at first!             The command is recognized, but the prerequisite
                                                             command has not been configured.
syntax error : missing '"' before the end of command line!   Quotation marks are not used in pairs.

1.1.2.5.3 Fuzzy Match Support


The switch Shell supports fuzzy matching when searching for commands and keywords: the Shell recognizes a command or keyword correctly as long as the entered string causes no conflict.
For example:
1) For the command 'show interfaces status ethernet1/1', typing 'sh in status ethernet1/1' will work.
2) However, for the command “show running-config”, the system reports a “> Ambiguous command!” error if only “show r” is entered, because the Shell cannot tell whether “show run” or “show running-config” is meant. The Shell therefore recognizes the command only when “sh ru” is entered.
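The unique-prefix matching and the error responses of the two sections above, implemented as an added Python example (not the switch firmware): a small constructed command tree, a resolver that expands abbreviated input or returns the page's error strings, and the “show r” ambiguity from the example. The command tree, the mode names and the treatment of an incomplete line (just “show”) as unrecognized are assumptions of the example.

```python
# Unique-prefix ("fuzzy") command matching as described for the switch Shell.
# Added illustration, not switch firmware; the command tree is a constructed
# sample and an incomplete line (e.g. just "show") is reported as unrecognized.

# Constructed command tree: mode -> full commands. "<...>" marks a parameter
# position that accepts any token (e.g. an interface name).
COMMANDS = {
    "admin": [
        "show running-config",
        "show rmon statistics",
        "show interfaces status <interface>",
        "show version",
        "show privilege",
        "config terminal",
    ],
    "user": ["show version", "show privilege", "enable"],
}

# Error strings from the "Returned Information: error" table.
UNRECOGNIZED = "Unrecognized command or illegal parameter!"
AMBIGUOUS = "Ambiguous command"
WRONG_MODE = "This command is not exist in current mode"


def _matches(tokens, cmd):
    """True if every typed token is a prefix of the keyword (or fills the
    parameter) at the same position of a full command of the same length."""
    return len(tokens) == len(cmd) and all(
        kw.startswith("<") or kw.startswith(tok) for tok, kw in zip(tokens, cmd)
    )


def resolve(line, mode="admin", commands=COMMANDS):
    """Expand an abbreviated command line to its full form, or return the
    Shell error string that applies."""
    tokens = line.split()
    if not tokens:
        return UNRECOGNIZED
    candidates = [c.split() for c in commands[mode]]
    expanded = []
    for i, tok in enumerate(tokens):
        matched = [c for c in candidates
                   if i < len(c) and (c[i].startswith("<") or c[i].startswith(tok))]
        if not matched:
            # Nothing fits in this mode; if the line is a command of another
            # mode, report the mode error instead of "unrecognized".
            others = [c.split() for m, cs in commands.items() if m != mode for c in cs]
            return WRONG_MODE if any(_matches(tokens, c) for c in others) else UNRECOGNIZED
        # Distinct keywords still possible at this position; a parameter slot
        # takes the typed token itself.
        keywords = {tok if c[i].startswith("<") else c[i] for c in matched}
        if len(keywords) > 1:
            return AMBIGUOUS        # e.g. "show r": running-config vs rmon
        expanded.append(keywords.pop())
        candidates = matched
    # The tokens must spell out a whole command, not just the start of one.
    complete = [c for c in candidates if len(c) == len(tokens)]
    if len(complete) == 1:
        return " ".join(expanded)
    return AMBIGUOUS if len(complete) > 1 else UNRECOGNIZED


if __name__ == "__main__":
    for line in ("sh in status ethernet1/1", "show r", "sh ru", "show"):
        print(f"{line!r:28} -> {resolve(line)}")
```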

1.2 Basic Switch Configuration

1.2.1 Basic Configuration


Basic switch configuration includes commands for entering and exiting admin mode, commands for entering and exiting interface mode, commands for configuring and displaying the switch clock, commands for displaying the version information of the switch system, and so on.

Command / Explanation
Normal User Mode / Admin Mode
  enable [<1-15>]
  disable
    The user uses the enable command to enter admin mode from normal user mode or to modify the user's privilege level. The disable command exits admin mode.
Admin Mode
  config [terminal]
    Enter global mode from admin mode.
Various Modes
  exit
    Exit the current mode and return to the previous mode, e.g. from global mode back to admin mode, and from admin mode back to normal user mode.
  show privilege
    Show the privilege of the current user.
All modes except User Mode / Admin Mode
  end
    Quit the current mode and return to Admin mode when not in User Mode or Admin Mode.
Admin Mode
  clock set <HH:MM:SS> [YYYY.MM.DD]
    Set the system date and time.
  show version
    Display version information of the switch.
  set default
    Restore the factory defaults.
  write
    Save the current configuration parameters to Flash memory.
  reload
    Hot reset the switch.
  show cpu usage
    Show the CPU usage rate.
  show cpu utilization
    Show the current CPU utilization rate.
  show memory usage
    Show the memory usage rate.
Global Mode
  banner motd <LINE>
  no banner motd
    Configure the information displayed after a telnet or console user authenticates successfully.
  set boot password
    Configure the password required to enter the bootrom next time.
  web-auth privilege <1-15>
  no web-auth privilege
    Configure the privilege level for logging in to the switch by web.

1.2.2 Telnet Management

1.2.2.1 Telnet

1.2.2.1.1 Introduction to Telnet


Telnet is a simple remote terminal protocol for remote login. Using Telnet, the user can log in to a remote host by its IP address or hostname from his own workstation. Telnet sends the user's keystrokes to the remote host and the remote host's output to the user's screen through a TCP connection. To the user the service is transparent: the keyboard and monitor appear to be connected directly to the remote host.
Telnet employs the client-server model: the local system is the Telnet client and the remote host is the Telnet server. The switch can be either the Telnet server or the Telnet client.
When the switch is used as the Telnet server, the user can use the Telnet client program included in Windows or other operating systems to log in to the switch, as described earlier in the In-band management section. As a Telnet server, the switch allows up to 5 Telnet client TCP connections.
As a Telnet client, the telnet command in Admin Mode allows the user to log in to other remote hosts. The switch can establish a TCP connection to only one remote host at a time. If a connection to another remote host is desired, the current TCP connection must be dropped first.


1.2.2.1.2 Telnet Configuration Task List

1. Configure Telnet Server
2. Telnet to a remote host from the switch

1. Configure Telnet Server

Command / Explanation
Global Mode
  telnet-server enable
  no telnet-server enable
    Enable the Telnet server function in the switch; the no command disables the Telnet function.
  username <user-name> [privilege <privilege>] [password [0 | 7] <password>]
  no username <username>
    Configure the user name and password for telnet. The no form deletes the telnet user authorization.
  aaa authorization config-commands
  no aaa authorization config-commands
    Enable command authorization for users logging in on a VTY (Telnet and SSH). The no command disables it. Authorization is requested when executing a command only if this command is enabled and a command authorization method has also been configured.
  authentication securityip <ip-addr>
  no authentication securityip <ip-addr>
    Configure the secure IP address allowed to log in to the switch through Telnet; the no command deletes the authorized Telnet secure address.
  authentication securityipv6 <ipv6-addr>
  no authentication securityipv6 <ipv6-addr>
    Configure the IPv6 security address allowed to log in to the switch through Telnet; the no command deletes the authorized Telnet security address.
  authentication ip access-class {<num-std>|<name>}
  no authentication ip access-class
    Bind a standard IP ACL to login with Telnet/SSH/Web; the no form cancels the binding.
  authentication ipv6 access-class {<num-std>|<name>} in
  no authentication ipv6 access-class
    Bind a standard IPv6 ACL to login with Telnet/SSH/Web; the no form cancels the binding.
  authentication line {console | vty | web} login method1 [method2 …]
  no authentication line {console | vty | web} login
    Configure the authentication method list for telnet.
  authentication enable method1 [method2 …]
  no authentication enable
    Configure the enable authentication method list.
  authorization line {console | vty | web} exec method1 [method2 …]
  no authorization line {console | vty | web} exec
    Configure the authorization method list for telnet.
  authorization line vty command <1-15> {local | radius | tacacs} (none|)
  no authorization line vty command <1-15>
    Configure the command authorization method and its selection priority for users logging in on a VTY (Telnet and SSH). The no command restores the default.
  accounting line {console | vty} command <1-15> {start-stop | stop-only | none} method1 [method2…]
  no accounting line {console | vty} command <1-15>
    Configure the accounting method list.
Admin Mode
  terminal monitor
  terminal no monitor
    Display debug information for Telnet clients logging in to the switch; the no command disables the debug information.
  show users
    Show information about the users logged in through telnet or ssh: line number, user name and user IP.
  clear line vty <0-31>
    Delete the logged-in user information on the specified line, forcing the telnet or ssh user on that line to log off.

2. Telnet to a remote host from the switch

Command / Explanation
Admin Mode
  telnet [vrf <vrf-name>] {<ip-addr> | <ipv6-addr> | host <hostname>} [<port>]
    Log in to a remote host with the Telnet client included in the switch.

1.2.2.2 SSH

1.2.2.2.1 Introduction to SSH


SSH (Secure Shell) is a protocol which ensures a secure remote access connection to network devices. It is based on the reliable TCP/IP protocol. By running key distribution, authentication and encryption between the SSH server and the SSH client, a secure connection is established, and the information transferred over this connection is protected from being intercepted and decrypted. The switch meets the requirements of SSH2.0 and supports SSH2.0 client software such as SSH Secure Client and putty; users can run such software to manage the switch remotely.
The switch presently supports RSA authentication, the 3DES cipher and SSH user password authentication, among others.

1.2.2.2.2 SSH Server Configuration Task List

Command / Explanation
Global Mode
  ssh-server enable
  no ssh-server enable
    Enable the SSH function on the switch; the no command disables the SSH function.
  username <username> [privilege <privilege>] [password [0 | 7] <password>]
  no username <username>
    Configure the username and password used by SSH client software to log on to the switch; the no command deletes the username.
  ssh-server timeout <timeout>
  no ssh-server timeout
    Configure the timeout value for SSH authentication; the no command restores the default timeout value.
  ssh-server authentication-retries <authentication-retries>
  no ssh-server authentication-retries
    Configure the number of retries allowed for SSH authentication; the no command restores the default number of retries.
  ssh-server host-key create rsa modulus <modulus>
    Generate a new RSA host key on the SSH server.
Admin Mode
  terminal monitor
  terminal no monitor
    Display SSH debug information on the SSH client side; the no command stops displaying it.

1.2.2.2.3 Example of SSH Server Configuration


Example 1:
Requirement: Enable the SSH server on the switch, and run SSH2.0 client software such as Secure Shell Client or putty on the terminal. Log on to the switch from the client using a username and password.
Configure the IP address, add an SSH user and enable the SSH service on the switch. The SSH2.0 client can then log on to the switch with the username and password and configure it.
Switch(config)#ssh-server enable
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 100.100.100.200 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#username test privilege 15 password 0 test
In IPv6 networks, the terminal should run SSH client software which supports IPv6, such as putty6. Users should not need to modify the configuration of the switch, other than allocating an IPv6 address for the local host.


1.2.3 Configure Switch IP Addresses


All Ethernet ports of the switch default to Data Link layer ports and perform layer 2 forwarding. A VLAN interface represents a Layer 3 interface which can be assigned an IP address; this is also the IP address of the switch. All VLAN interface related commands are configured under VLAN Interface Mode. The switch provides three IP address configuration methods:
- Manual
- BOOTP
- DHCP
Manual configuration means assigning an IP address to the switch by hand.
In BOOTP/DHCP mode, the switch operates as a BOOTP/DHCP client: it sends broadcast BOOTP Request packets to the BOOTP/DHCP servers, and a server assigns the address on receiving the request. In addition, the switch can act as a DHCP server and dynamically assign network parameters such as IP addresses, gateway addresses and DNS server addresses to DHCP clients. DHCP server configuration is detailed in later chapters.

1.2.3.1 Switch IP Addresses Configuration Task List

1. Enable VLAN port mode
2. Manual configuration
3. BOOTP configuration
4. DHCP configuration

1. Enable VLAN port mode

Command / Explanation
Global Mode
  interface vlan <vlan-id>
  no interface vlan <vlan-id>
    Create a VLAN interface (layer 3 interface); the no command deletes the VLAN interface.

2. Manual configuration
Command / Explanation
VLAN Interface Mode
  ip address <ip_address> <mask> [secondary]
  no ip address <ip_address> <mask> [secondary]
    Configure the IP address of the VLAN interface; the no command deletes the IP address of the VLAN interface.
  ipv6 address <ipv6-address / prefix-length> [eui-64]
  no ipv6 address <ipv6-address / prefix-length>
    Configure an IPv6 address, including aggregatable global unicast, site-local and link-local addresses. The no command deletes the IPv6 address.


3. BOOTP configuration
Command / Explanation
VLAN Interface Mode
  ip bootp-client enable
  no ip bootp-client enable
    Enable the switch as a BootP client to obtain an IP address and gateway address through BootP negotiation; the no command disables the BootP client function.

4. DHCP configuration
Command / Explanation
VLAN Interface Mode
  ip bootp-client enable
  no ip bootp-client enable
    Enable the switch as a DHCP client to obtain an IP address and gateway address through DHCP negotiation; the no command disables the DHCP client function.

1.2.4 SNMP Configuration

1.2.4.1 Introduction to SNMP


SNMP (Simple Network Management Protocol) is a standard network management protocol widely used in computer network management. SNMP is an evolving protocol. SNMP v1 [RFC1157] is the first version of SNMP, adopted by vast numbers of manufacturers for its simplicity and easy implementation; SNMP v2c is an enhanced version of SNMP v1 which supports layered network management; SNMP v3 strengthens security by adding USM (User-based Security Model) and VACM (View-based Access Control Model).
SNMP provides a simple way of exchanging network management information between two points in the network. SNMP employs a polling mechanism of message query and transmits messages over UDP (a connectionless transport layer protocol), so it is well supported by existing computer networks.
SNMP employs a station-agent model with two parts: the NMS (Network Management Station) and the Agent. The NMS is the workstation on which the SNMP client program runs; it is the core of SNMP network management. The Agent is the server software running on the devices to be managed. The NMS manages all the managed objects through Agents. The switch supports the Agent function.
The communication between NMS and Agent works in client/server mode by exchanging standard messages: the NMS sends a request and the Agent responds. There are seven types of SNMP message:
- Get-Request
- Get-Response
- Get-Next-Request
- Get-Bulk-Request
- Set-Request
- Trap
- Inform-Request
The NMS sends queries to the Agent with Get-Request, Get-Next-Request, Get-Bulk-Request and Set-Request messages, and the Agent, upon receiving the requests, replies with a Get-Response message. In special situations, such as a network device port going Up/Down or the network topology changing, Agents can send Trap messages to the NMS to report the abnormal event. The NMS can also be set to alert on certain abnormal events by enabling the RMON function; when alert events are triggered, Agents send Trap messages or log the event according to the settings. Inform-Request is mainly used for inter-NMS communication in layered network management.
USM ensures transfer security through encryption and authentication. USM encrypts the messages with a key derived from the password typed by the user, so that the messages cannot be read in transit, and USM authentication ensures that the messages cannot be altered in transit. USM employs DES-CBC for encryption, and HMAC-MD5 and HMAC-SHA for authentication.
VACM is used to classify users' access permissions. It puts users with the same access permissions into the same group; users cannot carry out operations they are not authorized for.
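How USM turns the user's password into a per-agent authentication key (the RFC 3414 password-to-key and key localization steps), as an added Python example rather than switch code. It checks itself against the RFC 3414 appendix A.3 test vector, then uses the password hellotst from the v3 configuration example later in this section with two constructed engine IDs to show that the same password yields unrelated keys on two agents, which is why the engine ID configured with snmp-server engineid matters.

```python
# RFC 3414 USM key derivation: password -> Ku -> engine-ID-localized Kul.
# Added illustration, not the switch's code. Shows why the same user password
# yields a different authentication key on every agent, which is what makes
# the "snmp-server engineid" setting matter for SNMP v3.
import hashlib
import hmac

ONE_MEBIBYTE = 1024 * 1024


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku (RFC 3414 A.2.1/A.2.2): hash the password repeated to exactly 1 MiB."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEBIBYTE, len(password))
    return hashlib.new(algo, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one agent."""
    if not 5 <= len(engine_id) <= 32:          # SnmpEngineID size per RFC 3411
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    return localize_key(password_to_key(password, algo), engine_id, algo)


def auth_param(kul: bytes, message: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message, truncated to
    12 octets (HMAC-MD5-96 / HMAC-SHA-96)."""
    return hmac.new(kul, message, algo).digest()[:12]


def verify(kul: bytes, message: bytes, tag: bytes, algo: str) -> bool:
    """Constant-time check of a received authentication parameter."""
    return hmac.compare_digest(auth_param(kul, message, algo), tag)


# RFC 3414 appendix A.3 test vector: password "maplesyrup", engine ID 00..02.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Two constructed engine IDs (RFC 3411 MAC-address format), used with the
# password "hellotst" of the v3 configuration example.
ENGINE_A = bytes.fromhex("8000ffff03" + "001122334455")  # constructed
ENGINE_B = bytes.fromhex("8000ffff03" + "66778899aabb")  # constructed


def demo():
    """Return (Kul for the RFC vector, key on agent A, key on agent B) as hex."""
    rfc = localized_key(RFC_PASSWORD, RFC_ENGINE_ID, "md5").hex()
    ka = localized_key(b"hellotst", ENGINE_A, "md5").hex()
    kb = localized_key(b"hellotst", ENGINE_B, "md5").hex()
    return rfc, ka, kb


if __name__ == "__main__":
    for name, value in zip(("RFC Kul", "agent A", "agent B"), demo()):
        print(f"{name:8s} {value}")
```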

1.2.4.2 Introduction to MIB


The network management information accessed by the NMS is well defined and organized in a Management Information Base (MIB). A MIB is pre-defined information which can be accessed by network management protocols; it is layered and structured, and the pre-defined management information can be obtained from monitored network devices. ISO ASN.1 defines a tree structure for the MIB. Each MIB organizes all the available information in this tree structure, and each node on the tree carries an OID (Object Identifier) and a brief description of the node. An OID is a sequence of integers separated by periods. It identifies the node and can be used to locate the node in the MIB tree, as shown in the figure below:

Figure 1-13 ASN.1 Tree Instance

In this figure, the OID of object A is 1.2.1.1. The NMS can locate this object through its unique OID and get the standard variables of the object. A MIB defines a set of standard variables for monitored network devices following this structure.
To browse the variable information of the Agent MIB, MIB browser software must be run on the NMS. The MIB in an Agent usually consists of a public MIB and a private MIB. The public MIB contains public network management information that can be accessed by all NMSs; the private MIB contains vendor-specific information which can be viewed and controlled with the manufacturer's support.
MIB-I [RFC1156] was the first public MIB implemented for SNMP; it has been replaced by MIB-II [RFC1213]. MIB-II expands MIB-I and keeps the OIDs of the MIB-I tree. MIB-II contains sub-trees called groups, whose objects cover all the functional domains in network management. The NMS obtains network management information by visiting the MIB of the SNMP Agent.
The switch can operate as an SNMP Agent and supports both SNMP v1/v2c and SNMP v3. The switch supports basic MIB-II, the RMON public MIB and other public MIBs such as the BRIDGE MIB. Besides, the switch supports a self-defined private MIB.
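OIDs and views in practice, as an added Python example (not the switch's implementation): dotted OIDs such as the 1.2.1.1 of object A are encoded to and from the BER form carried in SNMP PDUs, and a VACM-style view with include/exclude subtrees, the kind configured with the snmp-server view ... {include|exclude} command of the task list below, decides whether an OID is visible. The restricted view and its test OIDs are constructed; 1.3.6.1.2.1 (mib-2), its ip group 1.3.6.1.2.1.4 and sysDescr are the standard MIB-II assignments.

```python
# OIDs as SNMP carries them, plus a VACM-style view check like the one set up
# with "snmp-server view <view> <oid> {include|exclude}". Added illustration,
# not the switch's implementation. 1.2.1.1 is object A of the ASN.1 tree
# figure; the restricted view and its test OIDs are constructed.


def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); rejects anything but dotted integers."""
    parts = text.strip().strip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {text!r}")
    return tuple(int(p) for p in parts)


def encode_oid(arcs):
    """BER OBJECT IDENTIFIER (X.690 8.19): tag 0x06, length, sub-identifiers.
    The first two arcs are merged into 40*a+b; each value is base-128 with the
    high bit set on every byte except the last byte of that value."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("first two arcs out of range")
    body = bytearray()
    for v in [40 * arcs[0] + arcs[1], *arcs[2:]]:
        groups = [v & 0x7F]
        v >>= 7
        while v:
            groups.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(groups))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(data):
    """Inverse of encode_oid; rejects a wrong tag, a wrong length, or a
    truncated sub-identifier (last byte still has its continuation bit set)."""
    if len(data) < 3 or data[0] != 0x06 or data[1] != len(data) - 2:
        raise ValueError("not a short-form BER OID")
    if data[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    arcs, v = [], 0
    for b in data[2:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    first = arcs[0]
    x = 2 if first >= 80 else first // 40
    return (x, first - 40 * x, *arcs[1:])


class View:
    """Ordered (subtree, include?) entries. The longest matching subtree wins,
    so an exclude below an include hides just that branch; an OID under no
    subtree is outside the view."""

    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, subtree, include):
        self.entries.append((parse_oid(subtree), include))
        return self

    def allows(self, oid):
        arcs, best = parse_oid(oid), None
        for subtree, include in self.entries:
            if arcs[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, include)
        return best is not None and best[1]


# "snmp-server view max 1 include" from the configuration example: everything.
VIEW_MAX = View("max").add("1", True)

# Constructed read view: mib-2 (1.3.6.1.2.1) is visible except its ip group
# (1.3.6.1.2.1.4); enterprise objects under 1.3.6.1.4.1 are never included.
VIEW_RESTRICTED = View("restricted").add("1.3.6.1.2.1", True).add("1.3.6.1.2.1.4", False)

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"        # sysDescr.0 from MIB-II
IP_ROUTE_DEST = "1.3.6.1.2.1.4.21.1.1"   # ipRouteDest, inside the excluded ip group


if __name__ == "__main__":
    print(encode_oid(parse_oid("1.2.1.1")).hex())      # object A of the figure
    print(decode_oid(encode_oid(parse_oid(SYS_DESCR_0))))
    for v in (VIEW_MAX, VIEW_RESTRICTED):
        print(v.name, v.allows(SYS_DESCR_0), v.allows(IP_ROUTE_DEST))
```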

1.2.4.3 Introduction to RMON


RMON is the most important extension of standard SNMP. RMON is a set of MIB definitions used to define standard network monitoring functions and interfaces, enabling communication between SNMP management terminals and remote monitors. RMON provides a highly efficient method of monitoring activity inside subnets.
The RMON MIB consists of 10 groups. The switch supports the most frequently used groups 1, 2, 3 and 9:
Statistics: Maintain basic usage and error statistics for each subnet monitored by the Agent.
History: Record periodic statistical samples taken from Statistics.
Alarm: Allow management console users to set sample intervals and alert thresholds for any counter or integer recorded by the RMON Agent.
Event: A list of all events generated by the RMON Agent.
Alarm depends on the implementation of Event. Statistics and History display current or historical subnet statistics. Alarm and Event provide a method to monitor any integer value in the network and to raise alerts upon abnormal events (by sending a Trap or recording in logs).

1.2.4.4 SNMP Configuration

1.2.4.4.1 SNMP Configuration Task List

1. Enable or disable SNMP Agent server function
2. Configure SNMP community string
3. Configure IP address of SNMP management station
4. Configure engine ID
5. Configure user
6. Configure group
7. Configure view
8. Configure TRAP
9. Enable/Disable RMON

1. Enable or disable SNMP Agent server function

Command / Explanation
Global Mode
  snmp-server enabled
  no snmp-server enabled
    Enable the SNMP Agent function on the switch; the no command disables the SNMP Agent function on the switch.

2. Configure SNMP community string

Command / Explanation
Global Mode
  snmp-server community {ro | rw} {0 | 7} <string> [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}] [read <read-view-name>] [write <write-view-name>]
  no snmp-server community <string> [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]
    Configure the community string for the switch; the no command deletes the configured community string.

3. Configure IP address of SNMP management station

Command / Explanation
Global Mode
  snmp-server securityip { <ipv4-address> | <ipv6-address> }
  no snmp-server securityip { <ipv4-address> | <ipv6-address> }
    Configure the IPv4/IPv6 security address of the NMS allowed to access the switch; the no command deletes the configured security address.
  snmp-server securityip enable
  snmp-server securityip disable
    Enable or disable the secure IP address check for the NMS.

4. Configure engine ID
Command / Explanation
Global Mode
  snmp-server engineid <engine-string>
  no snmp-server engineid
    Configure the local engine ID on the switch. This command is used for SNMP v3.

5. Configure user
Command / Explanation
Global Mode
  snmp-server user <user-string> <group-string> [{authPriv | authNoPriv} auth {md5 | sha} <word>] [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]
  no snmp-server user <user-string> [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]
    Add a user to an SNMP group. This command is used to configure USM for SNMP v3.

6. Configure group
Command / Explanation
Global Mode
  snmp-server group <group-string> {noauthnopriv|authnopriv|authpriv} [[read <read-string>] [write <write-string>] [notify <notify-string>]] [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]
  no snmp-server group <group-string> {noauthnopriv|authnopriv|authpriv} [access {<num-std>|<name>}] [ipv6-access {<ipv6-num-std>|<ipv6-name>}]
    Set the group information on the switch. This command is used to configure VACM for SNMP v3.

7. Configure view
Command / Explanation
Global Mode
  snmp-server view <view-string> <oid-string> {include|exclude}
  no snmp-server view <view-string> [<oid-string>]
    Configure a view on the switch. This command is used for SNMP v3.

8. Configure TRAP
Command / Explanation
Global Mode
  snmp-server enable traps
  no snmp-server enable traps
    Enable the switch to send Trap messages. This command is used for SNMP v1/v2/v3.
  snmp-server host { <host-ipv4-address> | <host-ipv6-address> } {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpriv}}} <user-string>
  no snmp-server host { <host-ipv4-address> | <host-ipv6-address> } {v1 | v2c | {v3 {noauthnopriv | authnopriv | authpriv}}} <user-string>
    Set the host IPv4/IPv6 address which receives SNMP Trap messages. For SNMP v1/v2 this command also configures the Trap community string; for SNMP v3 it also configures the Trap user name and security level. The no form cancels this IPv4 or IPv6 address.
  snmp-server trap-source {<ipv4-address> | <ipv6-address>}
  no snmp-server trap-source {<ipv4-address> | <ipv6-address>}
    Set the source IPv4 or IPv6 address used to send trap packets; the no command deletes the configuration.
Port Mode
  [no] switchport updown notification enable
    Enable/disable sending a trap message on a port UP/DOWN event.

9. Enable/Disable RMON
Command / Explanation
Global Mode
  rmon enable
  no rmon enable
    Enable/disable RMON.

1.2.4.5 Typical SNMP Configuration Examples


The IP address of the NMS is 1.1.1.5; the IP address of the switch (Agent) is 1.1.1.9.
Scenario 1: The NMS network administrative software uses SNMP protocol to obtain data from
the switch.
The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server community rw private
Switch(config)#snmp-server community ro public
Switch(config)#snmp-server securityip 1.1.1.5

The NMS can use private as the community string to access the switch with read-write permission,
or use public as the community string to access the switch with read-only permission.

Scenario 2: NMS will receive Trap messages from the switch (Note: NMS may have community
string verification for the Trap messages. In this scenario, the NMS uses a Trap verification
community string of usertrap).
The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 1.1.1.5 v1 usertrap
Switch(config)#snmp-server enable traps

Scenario 3: NMS uses SNMP v3 to obtain information from the switch.
The configuration on the switch is listed below:
Switch(config)#snmp-server
Switch(config)#snmp-server user tester UserGroup authPriv auth md5 hellotst
Switch(config)#snmp-server group UserGroup AuthPriv read max write max notify max
Switch(config)#snmp-server view max 1 include

Scenario 4: NMS wants to receive the v3 Trap messages sent by the switch.
The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server host 10.1.1.2 v3 authpriv tester
Switch(config)#snmp-server enable traps

Scenario 5: The IPv6 address of the NMS is 2004:1:2:3::2; the IPv6 address of the switch (Agent)
is 2004:1:2:3::1. The NMS network administrative software uses SNMP protocol to obtain data
from the switch.
The configuration on the switch is listed below:
Switch(config)#snmp-server enable
Switch(config)#snmp-server community rw private
Switch(config)#snmp-server community ro public
Switch(config)#snmp-server securityip 2004:1:2:3::2

The NMS can use private as the community string to access the switch with read-write
permission, or use public as the community string to access the switch with read-only permission.

Scenario 6: NMS will receive Trap messages from the switch (Note: NMS may have community
string verification for the Trap messages. In this scenario, the NMS uses a Trap verification
community string of usertrap).
The configuration on the switch is listed below:
Switch(config)#snmp-server host 2004:1:2:3::2 v1 usertrap
Switch(config)#snmp-server enable traps

1.2.4.6 SNMP Troubleshooting


When users configure SNMP, the SNMP server may fail to run properly due to physical connection failure, wrong configuration and so on. Users can troubleshoot the problems by following the guide below:
- Check that the physical connection is in good condition.
- Check that the interface and data link layer protocol are Up (use the “show interface” command), and verify the connection between the switch and the host by ping (use the “ping” command).
- Check that the SNMP Agent server function is enabled on the switch (use the “snmp-server” command).
- Check that the secure IP for the NMS (use the “snmp-server securityip” command) and the community string (use the “snmp-server community” command) are correctly configured; if either is wrong, SNMP will not be able to communicate with the NMS properly.
- If the Trap function is required, remember to enable Trap (use the “snmp-server enable traps” command), and to configure the target host IP address and community string for Trap properly (use the “snmp-server host” command) so that Trap messages can be sent to the specified host.
- If the RMON function is required, RMON must be enabled first (use the “rmon enable” command).
- Use the “show snmp” command to verify sent and received SNMP messages; use the “show snmp status” command to verify the SNMP configuration; use “debug snmp packet” to enable SNMP debugging and inspect the debug output.
If users still cannot solve the SNMP problems, please contact our technical and service center.

1.2.5 Switch Upgrade


The switch provides two ways of upgrading: BootROM upgrade and TFTP/FTP upgrade under the Shell.

1.2.5.1 Switch System Files

The system files include the system image file and the boot file. Updating the switch means updating these two files by overwriting the old files with the new ones.
The system image file is the compressed file of the switch hardware drivers, software support programs and so on, namely what we usually call the IMG update file. The IMG file can only be saved in FLASH under the fixed name nos.img.
The boot file is used to start the switch, namely what we usually call the ROM update file (it can be compressed into an IMG file if it is large). In the switch the boot file may be saved in ROM only, and its name must be boot.rom.
The update method for the system image file and the boot file is the same. The switch offers the user two update modes: 1. BootROM mode; 2. TFTP and FTP update in Shell mode. These two update methods are explained in detail in the following two sections.

1.2.5.2 BootROM Upgrade


There is one method for BootROM upgrade: TFTP, which is configured with BootROM commands.

(Figure: PC connected to the switch by a console cable connection and a network cable connection)

Figure 1-13 Typical topology for switch upgrade in BootROM mode


The upgrade procedure is listed below:
Step 1:
As shown in the figure, a PC is used as the console for the switch. A console cable connects the PC to the management port on the switch. The PC should have TFTP server software installed and hold the image file required for the upgrade.

Step 2:
Press 'ctrl+b' while the switch boots up until the switch enters BootROM monitor mode. The result is shown below:

[Boot]:

Step 3:
In BootROM mode, run 'setconfig' to set the IP address and mask of the switch in BootROM mode and the server IP address and mask. Supposing the switch address is 192.168.1.2 and the PC address is 192.168.1.66, the configuration should look like this:
[Boot]: setconfig
Host IP Address: [10.1.1.1] 192.168.1.2
Server IP Address: [10.1.1.2] 192.168.1.66
[Boot]:

Step 4:
Enable the TFTP server on the PC by running the TFTP server program. Before starting to download the upgrade file to the switch, verify the connectivity between the server and the switch by pinging from the switch. If the ping succeeds, run the 'load' command in BootROM mode on the switch; if it fails, troubleshoot to find the cause.
The following loads the update file boot.rom. (This device only supports upgrading the boot file in BootROM mode.)
[Boot]: load boot.rom
TFTP from server 192.168.1.66; our IP address is 192.168.1.2
Filename 'boot.rom'.
Load address: 0x81000000
Loading: #################################################################
################################
done
Bytes transferred = 438700 (6b1ac hex)
[Boot]:

Step 5:
Execute write boot.rom in BootROM mode. The following saves the update file.
[Boot]: write boot.rom
File exists, overwrite? (Y/N)[N] y

Writing flash:/boot.rom......
Write flash:/boot.rom OK.
[Boot]:

Step 6:
After a successful upgrade, execute the run or reboot command in BootROM mode to return to the CLI configuration interface.
[Boot]: run(or reboot)

Other commands in BootROM mode


1. DIR command
Used to list existing files in the FLASH.
[Boot]: dir
Scanning JFFS2FS: , done.
-rw-r--r-- 2861 Thu Jan 01 03:45:31 1970 portal.cfg
-rw-r--r--11577853 Thu Jan 01 00:04:56 1970 a.img
-rw-r--r-- 4 Thu Jan 01 03:15:07 1970 board_web_language
-rw-r--r--11577853 Thu Jan 01 13:58:15 1970 nos.img

4 file(s), 0 dir(s)

Total size:31457280 bytes , files used size:23158571 bytes, free size:8298709 bytes
[Boot]:

2. boot command
Used to set the IMAGE file to run upon system start-up, and the configuration file to run upon
configuration recovery.
[Boot]: boot img nos.img primary
0 bytes written, 2704 bytes skipped.
flash:/nos.img will be used as the primary img file at the next time!

[Boot]: show boot-files


The primary img file : flash:/nos.img
The backup img file : flash:/nos.img

The startup-config file: NULL

[Boot]:

1.2.5.3 FTP/TFTP Upgrade

1.2.5.3.1 Introduction to FTP/TFTP


1-30
S4600_Configuration Guide Chapter 1 Basic Management Configuration

FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol) are both file transfer protocols
belonging to the fourth layer (application layer) of the TCP/IP protocol stack. They are used to
transfer files between hosts, and between hosts and switches. Both transfer files in a client-server
model. Their differences are listed below.
FTP builds upon TCP to provide a reliable, connection-oriented data stream transfer service.
However, it does not provide file access authorization and uses a simple authentication mechanism
(the username and password are transferred in plain text). When FTP is used to transfer files, two
connections are established between the client and the server: a management (control) connection
and a data connection. The FTP client sends a transfer request to establish the management
connection on port 21 of the server, and negotiates a data connection through the management
connection.
There are two types of data connection: active and passive.
In an active connection, the client sends the server the address and port number it will use for
data transmission; the management connection is kept open until the data transfer is complete. The
server then uses the address and port number provided by the client to establish the data connection
from port 20 (if it is not in use); if port 20 is in use, the server automatically chooses another
port number to establish the data connection.
In a passive connection, the client notifies the server through the management connection that
it wants a passive connection. The server then opens its own data listening port and tells the client
the port number, and the client establishes the data connection to that port.
Because the data connection is established through an explicitly specified address and port, a
third party can provide the data connection service.
TFTP builds upon UDP, providing an unreliable data stream transfer service with no user
authentication or permission-based file access authorization. It ensures correct data transmission
by a send-and-acknowledge mechanism and retransmission of timed-out packets. The advantage of
TFTP over FTP is that it is a simple, low-overhead file transfer service.
The switch can operate as either an FTP/TFTP client or server. When the switch operates as an
FTP/TFTP client, configuration files or system files can be downloaded from remote FTP/TFTP servers
(which can be hosts or other switches) without affecting its normal operation, and in FTP client
mode the server file list can also be retrieved. The switch can likewise upload its current
configuration files or system files to remote FTP/TFTP servers (hosts or other switches). When the
switch operates as an FTP/TFTP server, it provides file upload and download service to authorized
FTP/TFTP clients, and as an FTP server it also provides a file list service.
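The TFTP side of this comparison, as an added illustration that is not part of the guide or of the switch firmware: a minimal RFC 1350 read request carried out in memory, showing the RRQ (which carries no credential field), the lock-step DATA/ACK exchange, the short final block that ends the transfer, and the retransmission that follows a lost packet. The file name nos.img and its contents are constructed sample data, and the simulated packet loss is a parameter of the client function.

```python
"""Minimal TFTP (RFC 1350) read exchange simulated in memory: packet encoding,
the lock-step DATA/ACK loop, and retransmission after a lost packet.
Added illustration, not switch firmware; file name and contents are constructed."""
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512  # fixed by RFC 1350; a block shorter than this ends the transfer


def build_rrq(filename, mode="octet"):
    """RRQ: opcode 1, filename, NUL, mode, NUL. Note there is no credential field."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse_packet(pkt):
    """Return (opcode, field1, field2) for RRQ, DATA, ACK and ERROR packets."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op == OP_RRQ:
        name, mode = pkt[2:].split(b"\0")[:2]
        return op, name.decode(), mode.decode().lower()
    if op in (OP_DATA, OP_ACK):
        (block,) = struct.unpack("!H", pkt[2:4])
        return op, block, pkt[4:]
    if op == OP_ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return op, code, pkt[4:].split(b"\0")[0].decode()
    raise ValueError("unknown TFTP opcode %d" % op)


class TftpServer:
    """Server side of one read transfer: handle() takes the client's packet and
    returns the reply the server would send, or None once the last ACK is in."""

    def __init__(self, files):
        self.files = files      # {filename: bytes}; constructed sample store
        self.current = None

    def handle(self, pkt):
        parsed = parse_packet(pkt)
        if parsed[0] == OP_RRQ:
            if parsed[1] not in self.files:
                return build_error(1, "File not found")
            self.current = parsed[1]
            return self._data_block(1)
        if parsed[0] == OP_ACK:  # ACK n asks for block n+1; a repeated ACK resends it
            return self._data_block(parsed[1] + 1)
        return None

    def _data_block(self, block):
        data = self.files[self.current]
        start = (block - 1) * BLOCK_SIZE
        if start > len(data):  # the final block has already been acknowledged
            return None
        return build_data(block, data[start:start + BLOCK_SIZE])


def tftp_get(server, filename, lose_first_copy_of=(), max_retries=3):
    """Client side. Block numbers in lose_first_copy_of are dropped the first
    time they are delivered (simulated lossy link); the client then times out
    and retransmits its last ACK (or the RRQ), which makes the server resend.
    Returns (file_bytes, retransmission_count)."""
    received, expected, lost, retransmissions = bytearray(), 1, set(), 0
    outstanding = build_rrq(filename)
    while True:
        for _ in range(max_retries + 1):
            reply = server.handle(outstanding)
            if reply is None:
                raise RuntimeError("server stopped responding")
            op, block, payload = parse_packet(reply)
            if op == OP_ERROR:
                raise RuntimeError("TFTP error %d: %s" % (block, payload))
            if block in lose_first_copy_of and block not in lost:
                lost.add(block)       # packet lost in transit: nothing arrives...
                retransmissions += 1  # ...so the client re-sends after its timeout
                continue
            break
        else:
            raise TimeoutError("no DATA for block %d after %d retries" % (expected, max_retries))
        if block == expected:  # in-order block: keep it; a duplicate is only re-ACKed
            received += payload
            expected += 1
        outstanding = build_ack(block)
        if len(payload) < BLOCK_SIZE:  # short (possibly empty) block ends the transfer
            server.handle(outstanding)  # final ACK
            return bytes(received), retransmissions


if __name__ == "__main__":
    image = bytes(range(256)) * 4 + b"tail" * 44  # 1200 bytes: blocks of 512, 512, 176
    data, retx = tftp_get(TftpServer({"nos.img": image}), "nos.img", lose_first_copy_of=(2,))
    print("intact:", data == image, "retransmissions:", retx)
```

The server is deliberately stateless per call: a repeated ACK n simply produces block n+1 again, which is exactly why the protocol tolerates loss with no sequence state beyond the block number. Because nothing in the exchange identifies the requester, access control has to live outside the protocol, which is the point the text makes about TFTP.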
Here are some terms frequently used with FTP/TFTP.
ROM: Short for EPROM, erasable programmable read-only memory. EPROM is replaced by FLASH memory in
the switch.
SDRAM: RAM memory in the switch, used for system software operation and configuration
sequence storage.
FLASH: Flash memory used to save the system file and configuration file.
System file: includes the system image file and the boot file.
System image file: refers to the compressed file for the switch hardware driver and software support
program, usually referred to as the IMAGE upgrade file. In the switch, the system image file may be
saved in FLASH only. The switch mandates that the name of the system image file uploaded via FTP in
Global Mode be nos.img; other IMAGE system file names will be rejected.
Boot file: refers to the file that initializes the switch, also referred to as the ROM upgrade file (a
large file can be compressed as an IMAGE file). In the switch, the boot file may be saved in ROM only.
The switch mandates that the name of the boot file be boot.rom.
Configuration file: includes the start-up configuration file and the running configuration file. The
distinction between the start-up configuration file and the running configuration file facilitates
backup and update of the configurations.
Start-up configuration file: refers to the configuration sequence used at switch start-up. The start-up
configuration file is stored in non-volatile storage, corresponding to the so-called configuration save.
If the device does not support CF, the configuration file is stored in FLASH only; if the device
supports CF, the configuration file is stored in FLASH or CF. If the device supports multiple
configuration files, the configuration file is named as a .cfg file and the default is startup.cfg. If
the device does not support multiple configuration files, the name of the start-up configuration file
is mandated to be startup-config.
Running configuration file: refers to the configuration sequence running in the switch. In the
switch, the running configuration file is stored in RAM. In the current version, the running
configuration sequence running-config can be saved from RAM to FLASH with the write command
or the copy running-config startup-config command, so that the running configuration sequence
becomes the start-up configuration file; this is called configuration save. To prevent illicit file
upload and to ease configuration, the switch mandates that the name of the running configuration
file be running-config.
Factory configuration file: the configuration file shipped with the switch, named
factory-config. Run set default and write, then restart the switch, and the factory configuration file
will be loaded to overwrite the current start-up configuration file.

1.2.5.3.2 FTP/TFTP Configuration


The configurations of switch as FTP and TFTP clients are almost the same, so the
configuration procedures for FTP and TFTP are described together in this manual.

1.2.5.3.2.1 FTP/TFTP Configuration Task List


1. FTP/TFTP client configuration
(1) Upload/download the configuration file or system file.
(2) For FTP client, server file list can be checked.
2. FTP server configuration
(1) Start FTP server
(2) Configure FTP login username and password
(3) Modify FTP server connection idle time
(4) Shut down FTP server
3. TFTP server configuration
(1) Start TFTP server
(2) Configure TFTP server connection idle time
(3) Configure retransmission times before timeout for packets without
acknowledgement
(4) Shut down TFTP server

1. FTP/TFTP client configuration


(1) FTP/TFTP client upload/download file
Command                                          Explanation
Admin Mode
copy <source-url> <destination-url> [ascii |     FTP/TFTP client upload/download file.
binary]
(2) For FTP client, server file list can be checked.
Command                                          Explanation
Admin Mode
ftp-dir <ftpServerUrl>                           For FTP client, server file list can be checked.
                                                 FtpServerUrl format looks like:
                                                 ftp://user:password@IPv4|IPv6 Address.

2. FTP server configuration


(1) Start FTP server
Command                                          Explanation
Global Mode
ftp-server enable                                Start FTP server; the no command shuts down the FTP
no ftp-server enable                             server and prevents FTP users from logging in.
(2) Configure FTP login username and password
Command                                          Explanation
Global Mode
ip ftp username <username> password              Configure FTP login username and password; the
[0 | 7] <password>                               no command deletes the username and password.
no ip ftp username <username>
(3) Modify FTP server connection idle time
Command                                          Explanation
Global Mode
ftp-server timeout <seconds>                     Set connection idle time.

3. TFTP server configuration


(1) Start TFTP server
Command                                          Explanation
Global Mode
tftp-server enable                               Start TFTP server; the no command shuts down the
no tftp-server enable                            TFTP server and prevents TFTP users from logging in.
(2) Modify TFTP server connection idle time
Command                                          Explanation
Global Mode
tftp-server retransmission-timeout               Set maximum retransmission time within the timeout
<seconds>                                        interval.
(3) Modify TFTP server connection retransmission time
Command                                          Explanation
Global Mode
tftp-server retransmission-number                Set the retransmission times for the TFTP server.
<number>

1.2.5.3.3 FTP/TFTP Configuration Examples


The configuration is the same for an IPv4 address or an IPv6 address; the example uses an IPv4
address only.

[Figure 1-14 Download nos.img file as FTP/TFTP client: FTP/TFTP server 10.1.1.1, switch 10.1.1.2]

Scenario 1: The switch is used as an FTP/TFTP client. The switch connects from one of its ports to a
computer, which is an FTP/TFTP server with an IP address of 10.1.1.1; the switch acts as an FTP/TFTP
client, and the IP address of the switch management VLAN is 10.1.1.2. Download the “nos.img” file on
the computer to the switch.

• FTP Configuration
Computer side configuration:
Start the FTP server software on the computer and set the username “Switch” and the password
“superuser”. Place the “12_30_nos.img” file in the appropriate FTP server directory on the
computer.
The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#exit
Switch#copy ftp://Switch:superuser@10.1.1.1/12_30_nos.img nos.img

With the above commands, the file on the computer is downloaded to the switch FLASH as
“nos.img”.

• TFTP Configuration
Computer side configuration:
Start the TFTP server software on the computer and place the “12_30_nos.img” file in the
appropriate TFTP server directory on the computer.
The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#exit
Switch#copy tftp://10.1.1.1/12_30_nos.img nos.img

Scenario 2: The switch is used as an FTP server. The switch operates as the FTP server and connects
from one of its ports to a computer, which is an FTP client. Transfer the “nos.img” file on the switch
to the computer and save it as 12_25_nos.img.
The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#ftp-server enable
Switch(config)# username Admin password 0 superuser

Computer side configuration:


Log in to the switch with any FTP client software, with the username “Switch” and password
“superuser”, and use the command “get nos.img 12_25_nos.img” to download the “nos.img” file from
the switch to the computer.

Scenario 3: The switch is used as a TFTP server. The switch operates as the TFTP server and
connects from one of its ports to a computer, which is a TFTP client. Transfer the “nos.img” file on
the switch to the computer.
The configuration procedures of the switch are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch(config)#tftp-server enable
Computer side configuration:
Log in to the switch with any TFTP client software and use the “tftp” command to download the
“nos.img” file from the switch to the computer.

Scenario 4: The switch acts as an FTP client to view the file list on the FTP server. Synchronization
conditions: the switch connects to a computer by an Ethernet port; the computer is an FTP server with
an IP address of 10.1.1.1; the switch acts as an FTP client, and the IP address of the switch management
VLAN1 interface is 10.1.1.2.

FTP Configuration:
PC side:
Start the FTP server software on the PC and set the username “Switch”, and the password
“superuser”.
Switch:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-Vlan1)#no shut
Switch(Config-if-Vlan1)#exit
Switch#copy ftp://Switch:superuser@10.1.1.1
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
recv total = 480
nos.img
nos.rom
parsecommandline.cpp
position.doc
qmdict.zip
…(some display omitted here)
show.txt
snmp.TXT
226 Transfer complete.

1.2.5.3.4 FTP/TFTP Troubleshooting

1.2.5.3.4.1 FTP Troubleshooting


When uploading/downloading a system file with the FTP protocol, the connectivity of the link must be
ensured, i.e., use the “Ping” command to verify the connectivity between the FTP client and
server before running the FTP program. If ping fails, check the appropriate
troubleshooting information to recover the link connectivity.
• The following is the message displayed when a file is successfully transferred.
Otherwise, please verify link connectivity and retry the “copy” command.
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
nos.img file length = 1526021
read file ok
send file
150 Opening ASCII mode data connection for nos.img.
226 Transfer complete.
close ftp client.
• The following is the message displayed when a file is successfully received. Otherwise, please
verify link connectivity and retry the “copy” command.
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
recv total = 1526037
************************
write ok
150 Opening ASCII mode data connection for nos.img (1526037 bytes).
226 Transfer complete.
If the switch is upgrading the system file or system start-up file through FTP, the switch must not be
restarted until “close ftp client” or “226 Transfer complete.” is displayed, indicating the upgrade is
successful; otherwise the switch may be rendered unable to start. If the system file or system
start-up file upgrade through FTP fails, please try to upgrade again or use BootROM mode to
upgrade.

1.2.5.3.4.2 TFTP Troubleshooting


When uploading/downloading a system file with the TFTP protocol, the connectivity of the link must be
ensured, i.e., use the “Ping” command to verify the connectivity between the TFTP client and
server before running the TFTP program. If ping fails, check the appropriate
troubleshooting information to recover the link connectivity.
• The following is the message displayed when a file is successfully transferred. Otherwise,
please verify link connectivity and retry the “copy” command.
nos.img file length = 1526021
read file ok
begin to send file, wait...
file transfers complete.
Close tftp client.
• The following is the message displayed when a file is successfully received. Otherwise, please
verify link connectivity and retry the “copy” command.
begin to receive file, wait...
recv 1526037
************************
write ok
transfer complete
close tftp client.
If the switch is upgrading the system file or system start-up file through TFTP, the switch must not be
restarted until “close tftp client” is displayed, indicating the upgrade is successful; otherwise the
switch may be rendered unable to start. If the system file or system start-up file upgrade
through TFTP fails, please try to upgrade again or use BootROM mode to upgrade.
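Both troubleshooting sections come down to one decision: the console transcript must show that the transfer finished before anyone restarts the switch. The following added example (not the guide's or the vendor's code) checks a captured copy transcript for that condition. For FTP it classifies the numeric reply codes (4xx/5xx are failures, 226 marks completion); for TFTP, which has no reply codes, it looks for the switch client's own completion messages. It also flags an image file that the server reports as moved over an ASCII-type data connection, since ASCII type applies end-of-line conversion and the binary option of the copy command is the safe choice for .img and .rom files. The sample transcripts are the success cases printed above; the failed-login transcript is constructed.

```python
"""Decides from a switch console transcript whether an FTP/TFTP 'copy' finished.
Added illustration, not switch code: the guide's rule is that the switch must not
be restarted until the transfer is reported complete."""
import re

FTP_REPLY = re.compile(r"^(\d{3})[ -](.*)$")
DATA_CONN = re.compile(r"^150 Opening (ASCII|BINARY) mode data connection for (\S+)", re.I)
BYTE_COUNT = re.compile(r"(?:file length = |recv total = |recv )(\d+)")

# Sample transcripts: the first two are the success cases printed in this guide,
# the third is a constructed failure (a rejected login).
FTP_RECEIVE_OK = """\
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 PORT Command successful.
recv total = 1526037
************************
write ok
150 Opening ASCII mode data connection for nos.img (1526037 bytes).
226 Transfer complete.
"""
TFTP_RECEIVE_OK = """\
begin to receive file, wait...
recv 1526037
************************
write ok
transfer complete
close tftp client.
"""
FTP_LOGIN_FAILED = """\
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
530 Not logged in.
"""


def check_ftp_transcript(text):
    """Complete only if a 226 reply arrived and no 4xx/5xx reply was seen.
    Warns when an image was moved over an ASCII-type data connection."""
    result = {"complete": False, "failures": [], "warnings": [], "bytes": None}
    for line in text.splitlines():
        line = line.strip()
        reply = FTP_REPLY.match(line)
        if reply:
            code = int(reply.group(1))
            if code >= 400:            # 4xx transient or 5xx permanent failure
                result["failures"].append(line)
            elif code == 226:          # "Transfer complete."
                result["complete"] = True
        conn = DATA_CONN.match(line)
        if conn and conn.group(1).upper() == "ASCII":
            name = conn.group(2).rstrip(".")
            if name.lower().endswith((".img", ".rom")):
                result["warnings"].append("image %s transferred in ASCII type; use binary" % name)
        count = BYTE_COUNT.search(line)
        if count:
            result["bytes"] = int(count.group(1))
    if result["failures"]:
        result["complete"] = False
    return result


def check_tftp_transcript(text):
    """TFTP prints no reply codes; the switch client's own messages are the signal.
    Complete only when the client reports a finished transfer and then closes."""
    lines = [ln.strip().lower() for ln in text.splitlines()]
    finished = any(ln in ("file transfers complete.", "transfer complete") for ln in lines)
    closed = "close tftp client." in lines
    count = None
    for line in text.splitlines():
        match = BYTE_COUNT.search(line)
        if match:
            count = int(match.group(1))
    return {"complete": finished and closed, "bytes": count}


def safe_to_reboot(result):
    """The guide's rule: do not restart the switch until the transfer is complete."""
    return bool(result["complete"]) and not result.get("failures")


if __name__ == "__main__":
    for label, res in (("ftp ok", check_ftp_transcript(FTP_RECEIVE_OK)),
                       ("ftp failed", check_ftp_transcript(FTP_LOGIN_FAILED)),
                       ("tftp ok", check_tftp_transcript(TFTP_RECEIVE_OK))):
        print(label, "-> safe to reboot:", safe_to_reboot(res), res)
```

The byte counts the switch prints on both sides (file length on send, recv total on receive) are kept in the result so they can be compared against the size of the file placed on the server; a mismatch is a reason to repeat the copy before rebooting.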

1.3 File System

1.3.1 Introduction to File Storage Devices


File storage devices used in switches mainly include FLASH cards. As the most common
storage device, FLASH is usually used to store system image files (IMG files), system boot files
(ROM files) and system configuration files (CFG files).
Files in FLASH can be copied, deleted or renamed in Shell or BootROM mode.

1.3.2 File System Operation Configuration Task list


1. The formatting operation of storage devices
2. The creation of sub-directories
3. The deletion of sub-directory
4. Changing the current working directory of the storage device
5. The display operation of the current working directory
6. The display operation of information about a designated file or directory
7. The deletion of a designated file in the file system
8. The renaming operation of files
9. The copying operation of files

1. The formatting operation of storage devices


Command Explanation
Admin Configuration Mode
format <device> Format the storage device.

2. The creation of sub-directories


Command Explanation
Admin Configuration Mode
mkdir <directory> Create a sub-directory in a designated directory
on a certain device.

3. The deletion of sub-directory


Command Explanation
Admin Configuration Mode
rmdir <directory> Delete a sub-directory in a designated directory
on a certain device.

4. Changing the current working directory of the storage device


Command Explanation
Admin Configuration Mode
cd <directory> Change the current working directory of the
storage device.

5. The display operation of the current working directory


Command Explanation
Admin Configuration Mode
pwd Display the current working directory.

6. The display operation of information about a designated file or directory


Command Explanation
Admin Configuration Mode
dir [WORD] Display information about a designated file or
directory on the storage device.

7. The deletion of a designated file in the file system


Command Explanation
Admin Configuration Mode
delete <file-url> Delete the designated file in the file system.

8. The renaming operation of files


Command Explanation
Admin Configuration Mode
rename <source-file-url> <dest-file> Change the name of a designated file on the
switch to a new one.

9. The copy operation of files


Command Explanation
Admin Configuration Mode
copy <source-file-url> <dest-file-url> Copy a designated file on the switch and store
it as a new one.

1.3.3 Typical Applications


Copy an IMG file flash:/nos.img stored in the FLASH on the boardcard, to cf:/nos-6.1.11.0.img.
The configuration of the switch is as follows:

Switch#copy flash:/nos.img flash:/nos-6.1.11.0.img
Copy flash:/nos.img to flash:/nos-6.1.11.0.img? [Y:N] y
Copyed file flash:/nos.img to flash:/nos-6.1.11.0.img.

1.3.4 Troubleshooting
If errors occur when users try to perform file system operations, please check whether
they are caused by the following reasons:
• Whether file names or paths are entered correctly.
• When renaming a file, whether it is in use or the new file name is already used by an existing
file or directory.

1.4 Cluster

1.4.1 Introduction to cluster network management


Cluster network management is an in-band configuration management method. Unlike CLI, SNMP
and Web Config, which manage the target switches directly from a management workstation,
cluster network management manages the target switches (member switches) through an
intermediate switch (the commander switch). A commander switch can manage multiple member
switches. As soon as a public IP address is configured on the commander switch, all the member
switches, which are configured with private IP addresses, can be managed remotely. This feature
economizes on public IP addresses, which are in short supply. Cluster network management can
dynamically discover switches with the cluster feature enabled (candidate switches). Network
administrators can statically or dynamically add candidate switches to an established cluster, and
then configure and manage the member switches through the commander switch. When the member
switches are distributed across physical locations (such as different floors of the same building),
cluster network management has obvious advantages. Moreover, because cluster network management
is in-band, the commander switch communicates with the member switches over the existing
network; there is no need to build a dedicated network for network management.
Cluster network management has the following features:
• Saves IP addresses
• Simplifies configuration tasks
• Indifferent to network topology and distance limitations
• Auto detection and auto establishment
• With factory default settings, multiple switches can be managed through cluster network
management
• The commander switch can upgrade and configure any member switch in the cluster

1.4.2 Cluster Network Management Configuration Sequence


Cluster Network Management Configuration Sequence:
1. Enable or disable cluster function
2. Create cluster
1) Configure private IP address pool for member switches of the cluster
2) Create or delete cluster
3) Add or remove a member switch
3. Configure attributes of the cluster in the commander switch
1) Enable or disable automatically adding cluster members
2) Set automatically added members to manually added ones
3) Set or modify the time interval of keep-alive messages on switches in the cluster.
4) Set or modify the max number of lost keep-alive messages that can be tolerated
5) Clear the list of candidate switches maintained by the switch
4. Configure attributes of the cluster in the candidate switch
1) Set the time interval of keep-alive messages of the cluster
2) Set the max number of lost keep-alive messages that can be tolerated in the
cluster
5. Remote cluster network management
1) Remote configuration management
2) Remotely upgrade member switch
3) Reboot member switch
6. Manage cluster network with web
1) Enable http
7. Manage cluster network with snmp
1) Enable snmp server

1. Enable or disable cluster

Command                                              Explanation
Global Mode
cluster run [key <WORD>] [vid <VID>]                 Enable or disable cluster function in the switch.
no cluster run

2. Create a cluster

Command                                              Explanation
Global Mode
cluster ip-pool <commander-ip>                       Configure the private IP address pool for
no cluster ip-pool                                   cluster member devices.
cluster commander [<cluster_name>]                   Create or delete a cluster.
no cluster commander
cluster member {candidate-sn <candidate-sn> |        Add or remove a member switch.
mac-address <mac-addr> [id <member-id>]}
no cluster member {id <member-id> |
mac-address <mac-addr>}

3. Configure attributes of the cluster in the commander switch

Command                                              Explanation
Global Mode
cluster auto-add                                     Enable or disable adding newly discovered
no cluster auto-add                                  candidate switches to the cluster.
cluster member auto-to-user                          Change automatically added members into
                                                     manually added ones.
cluster keepalive interval <second>                  Set the keep-alive interval of the cluster.
no cluster keepalive interval
cluster keepalive loss-count <int>                   Set the max number of lost keep-alive messages
no cluster keepalive loss-count                      that can be tolerated in the cluster.
Admin Mode
clear cluster nodes [nodes-sn <candidate-sn-list> |  Clear nodes in the list of candidate switches
mac-address <mac-addr>]                              maintained by the switch.

4. Configure attributes of the cluster in the candidate switch

Command                                              Explanation
Global Mode
cluster keepalive interval <second>                  Set the keep-alive interval of the cluster.
no cluster keepalive interval
cluster keepalive loss-count <int>                   Set the max number of lost keep-alive messages
no cluster keepalive loss-count                      that can be tolerated in the cluster.

5. Remote cluster network management

Command                                              Explanation
Admin Mode
rcommand member <member-id>                          In the commander switch, this command is used to
                                                     configure and manage member switches.
rcommand commander                                   In the member switch, this command is used to
                                                     configure the commander switch.
cluster reset member [id <member-id> |               In the commander switch, this command is used to
mac-address <mac-addr>]                              reset the member switch.
cluster update member <member-id> <src-url>          In the commander switch, this command is used to
<dst-filename> [ascii | binary]                      remotely upgrade the member switch. It can only
                                                     upgrade the nos.img file.

6. Manage cluster network with web

Command                                              Explanation
Global Mode
ip http server                                       Enable the http function in the commander switch
                                                     and member switches.
                                                     Notice: the http function must be enabled in the
                                                     member switch when the commander switch visits
                                                     the member switch by web. The commander switch
                                                     visits the member switch via the beat member node
                                                     in the member cluster topology.

7. Manage cluster network with snmp

Command                                              Explanation
Global Mode
snmp-server enable                                   Enable the snmp server function in the commander
                                                     switch and member switches.
                                                     Notice: the snmp server function must be enabled
                                                     in the member switch when the commander switch
                                                     visits the member switch by snmp. The commander
                                                     switch visits the member switch via the
                                                     configured character string
                                                     <commander-community>@sw<member id>.


1.4.3 Examples of Cluster Administration


Scenario:
There are four switches SW1-SW4, of which SW1 is the command switch and the others are
member switches. SW2 and SW4 are directly connected to the command switch; SW3
connects to the command switch through SW2.

[Figure 1-15 Examples of Cluster: SW1, SW2, SW3 and SW4 linked through their E1/E2 ports]


Configuration Procedure
1. Configure the command switch
Configuration of SW1:
Switch(config)#cluster run
Switch(config)#cluster ip-pool 10.2.3.4
Switch(config)#cluster commander 5526
Switch(config)#cluster auto-add

2. Configure the member switch


Configuration of SW2-SW4
Switch(config)#cluster run

1.4.4 Cluster Administration Troubleshooting


When encountering problems in applying cluster administration, please check the following
possible causes:
• Whether the command switch is correctly configured and the auto-add function (cluster
auto-add) is enabled, and whether the ports connecting the command switch and the member switch
belong to the cluster VLAN.
• After cluster commander is enabled in VLAN1 of the command switch, do not enable a
routing protocol (RIP, OSPF, BGP) in this VLAN, so as to prevent the routing protocol from
advertising the private cluster addresses in this VLAN to other switches and causing routing
loops.
• Whether the connection between the command switch and the member switch is correct.
Use the debug cluster packets command to check whether the command switch and the member
switches can receive and process the related cluster admin packets correctly.


Chapter 2 Layer 2 Services Configuration


2.1 Port Configuration

2.1.1 Introduction to Port


The switch contains cable ports and Combo ports. The Combo ports can be configured as either
1000GX-TX ports or SFP Gigabit fiber ports.
To configure network ports, use the interface ethernet <interface-list> command to enter the
appropriate Ethernet port configuration mode, where <interface-list> stands for one or more ports.
If <interface-list> contains multiple ports, the special characters ';' and '-' separate them: ';' is
used for discrete port numbers and '-' for consecutive port numbers. For example, to operate on
ports 2,3,4,5 the command would be: interface ethernet 1/0/2-5. Port speed, duplex mode and
traffic control can be configured under Ethernet Port Mode, changing the behaviour of the
corresponding network ports accordingly.
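To make the <interface-list> syntax concrete, here is an added example (not switch code) that expands a list such as 1/0/2-5;1/0/8 into individual unit/slot/port names and rejects malformed items. It assumes, as the text describes, that ';' separates discrete entries and '-' gives a consecutive range whose end is a bare port number on the same unit and slot; the port names are the ones used in this chapter's examples.

```python
"""Expands the <interface-list> argument of `interface ethernet` into individual
port names. Added illustration, not switch code; assumes ';' separates entries
and '-' gives a consecutive range ending in a bare port number."""
import re

PORT = re.compile(r"^(\d+)/(\d+)/(\d+)$")  # unit/slot/port, e.g. 1/0/2


def expand_interface_list(spec):
    """'1/0/2-5;1/0/8' -> ['1/0/2', '1/0/3', '1/0/4', '1/0/5', '1/0/8'].
    Raises ValueError on an empty item, a malformed port or a descending range."""
    ports = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            raise ValueError("empty item in interface list %r" % spec)
        if "-" in item:
            first, last = item.split("-", 1)
            match = PORT.match(first)
            if not match or not last.isdigit():
                raise ValueError("bad range %r" % item)
            unit, slot, start = match.groups()
            if int(last) < int(start):
                raise ValueError("descending range %r" % item)
            ports.extend("%s/%s/%d" % (unit, slot, p) for p in range(int(start), int(last) + 1))
        elif PORT.match(item):
            ports.append(item)
        else:
            raise ValueError("bad port %r" % item)
    return ports


if __name__ == "__main__":
    print(expand_interface_list("1/0/2-5"))        # ports 2,3,4,5 from the text
    print(expand_interface_list("1/0/8;1/0/9"))    # the mirror source ports in 2.1.3
```

Rejecting descending and malformed ranges up front matters in automation: a script that builds port lists for bandwidth or storm control commands should fail on a bad list rather than silently configure zero ports.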

2.1.2 Network Port Configuration Task List


1. Enter the network port configuration mode
2. Configure the properties for the network ports
(1) Configure combo mode for combo ports
(2) Enable/Disable ports
(3) Configure port names
(4) Configure port cable types
(5) Configure port speed and duplex mode
(6) Configure bandwidth control
(7) Configure traffic control
(8) Enable/Disable port loopback function
(9) Configure broadcast storm control function for the switch
(10) Configure scan port mode
(11) Configure rate-violation control of the port
(12) Configure interval of port-rate-statistics
3. Virtual cable test

1. Enter the Ethernet port configuration mode


Command                                          Explanation
Global Mode
interface ethernet <interface-list>              Enters the network port configuration mode.
2. Configure the properties for the Ethernet ports

Command                                          Explanation
Port Mode
media-type {copper | copper-preferred-auto |     Sets the combo port mode (combo ports only).
fiber | sfp-preferred-auto}
shutdown                                         Enables/Disables specified ports.
no shutdown
description <string>                             Specifies or cancels the name of specified ports.
no description
speed-duplex {auto [10 [100 [1000]] [auto |      Sets port speed and duplex mode of
full | half |]] | force10-half | force10-full |  100/1000Base-TX or 100Base-FX ports. The no
force100-half | force100-full | force100-fx      format of this command restores the default
[module-type {auto-detected |                    setting, i.e., negotiates speed and duplex mode
no-phy-integrated | phy-integrated}] |           automatically.
{{force1g-half | force1g-full} [nonegotiate
[master | slave]]} | force10g-full}
no speed-duplex
negotiation {on|off}                             Enables/Disables the auto-negotiation function
                                                 of 1000Base-FX ports.
bandwidth control <bandwidth> [both |            Sets or cancels the bandwidth used for
receive | transmit]                              incoming/outgoing traffic for specified ports.
no bandwidth control
flow control                                     Enables/Disables traffic control function for
no flow control                                  specified ports.
loopback                                         Enables/Disables loopback test function for
no loopback                                      specified ports.
storm control {unicast | broadcast |             Enables the storm control function for
multicast} {kbps <Kbits> | pps <PPS>}            broadcasts, multicasts and unicasts with unknown
no storm control {unicast | broadcast |          destinations (short for broadcast), and sets the
multicast}                                       allowed broadcast packet number or the bit number
                                                 passing per second; the no format of this command
                                                 disables the broadcast storm control function.
switchport flood-control                         Configure the switch to no longer transmit
{ bcast|mcast|ucast }                            broadcast, unknown multicast or unknown unicast
no switchport flood-control                      packets to the specified port; the no command
{ bcast|mcast|ucast }                            restores the default configuration. Note: This
                                                 switch does not support this command.
port-scan-mode {interrupt | poll}                Configure the scan mode of the port as “interrupt”
no port-scan-mode                                or “poll”; the no command restores the default
                                                 scan mode.
rate-violation <200-2000000> [recovery           Set the max packet reception rate of a port. If
<0-86400>]                                       the rate of received packets violates the packet
no rate-violation                                reception rate, shut down this port and configure
                                                 the recovery time; the default is 300s. The no
                                                 command disables the rate-violation function of
                                                 a port.
Global Mode
port-rate-statistics interval                    Configure the interval of port-rate-statistics.
<interval-value>

3. Virtual cable test


Command Explanation
Admin Mode
virtual-cable-test interface (ethernet Test virtual cables of the port.
|)IFNAME

2.1.3 Port Configuration Example

[Figure 2-1 Port Configuration Example: Switch 1 port 1/0/7; Switch 2 ports 1/0/8, 1/0/9, 1/0/10; Switch 3 port 1/0/12]

No VLAN has been configured in the switches; the default VLAN1 is used.

Switch     Port      Property
Switch1    1/0/7     Ingress bandwidth limit: 50 M
Switch2    1/0/8     Mirror source port
           1/0/9     100Mbps full, mirror source port
           1/0/10    1000Mbps full, mirror destination port
Switch3    1/0/12    100Mbps full

The configurations are listed below:


Switch1:
Switch1(config)#interface ethernet 1/0/7
Switch1(Config-If-Ethernet1/0/7)# bandwidth control 50000 receive
Switch2:
Switch2(config)#interface ethernet 1/0/9
Switch2(Config-If-Ethernet1/0/9)#speed-duplex force100-full
Switch2(Config-If-Ethernet1/0/9)#exit
Switch2(config)#interface ethernet 1/0/10
Switch2(Config-If-Ethernet1/0/10)#speed-duplex force1g-full
Switch2(Config-If-Ethernet1/0/10)#exit
Switch2(config)#monitor session 1 source interface ethernet 1/0/8;1/0/9
Switch2(config)#monitor session 1 destination interface ethernet 1/0/10
Switch3:
Switch3(config)#interface ethernet 1/0/12
Switch3(Config-If-Ethernet1/0/12)#speed-duplex force100-full
Switch3(Config-If-Ethernet1/0/12)#exit

2.1.4 Port Troubleshooting


Here are some situations that frequently occur in port configuration and the advised
solutions:
• Two connected fiber interfaces will not link up if one interface is set to auto-negotiation
but the other to forced speed/duplex. This is determined by IEEE 802.3.
• The following combinations are not recommended: enabling traffic control as well as
setting multicast limiting on the same port; setting broadcast, multicast and unknown
destination unicast control as well as port bandwidth limiting on the same port. If such
combinations are set, the port throughput may fall below the expected performance.


2.2 Port Isolation

2.2.1 Introduction to Port Isolation Function


Port isolation is an independent port-based function that isolates the traffic of different ports from each other. With it, ports within one VLAN can be isolated without consuming additional VLANs, which saves VLAN resources and improves network security: hosts on isolated ports of the same VLAN cannot reach each other directly but can still reach the uplink. Once configured, the ports in a port isolation group are isolated from each other, while ports belonging to different isolation groups, or to no group, forward data to one another normally. A switch can have no more than 16 port isolation groups.
The switch also supports VLAN-based port isolation, that is, isolation applied only within one VLAN.

2.2.2 Task Sequence of Port Isolation


1. Create an isolate port group
2. Add Ethernet ports into the group
3. Display the configuration of port isolation

1. Create an isolate port group

Command    Explanation
Global Mode
isolate-port group <WORD>
no isolate-port group <WORD>
    Set a port isolation group; the no form of this command deletes the port isolation group.

2. Add Ethernet ports into the group

Command    Explanation
Global Mode
isolate-port group <WORD> switchport interface [ethernet | port-channel] <IFNAME>
no isolate-port group <WORD> switchport interface [ethernet | port-channel] <IFNAME>
    Add one port or a group of ports into a port isolation group, where they become isolated from the other ports in the group; the no form removes one port or a group of ports from the group.

3. Display the configuration of port isolation

Command    Explanation
Admin Mode and Global Mode
show isolate-port group [<WORD>]
    Display the configuration of port isolation, including all configured port isolation groups and the Ethernet ports in each group.

2.2.3 Port Isolation Function Typical Examples

[Topology figure: switch S1 with downlink ports e1/0/1 and e1/0/10 towards S2 and S3, and uplink port e1/0/15, all in VLAN 100]
Figure 2-2 Typical example of port isolation function

Case 1: Port isolation in the VLANs the ports belong to.

The topology and configuration of the switches are shown in the figure above, with e1/0/1, e1/0/10 and e1/0/15 all belonging to VLAN 100. The requirement is that, after port isolation is enabled on switch S1, e1/0/1 and e1/0/10 on S1 cannot communicate with each other, while both of them can communicate with the uplink port e1/0/15. That is, communication between any pair of downlink ports is disabled in every VLAN the ports carry (VLAN 100-120 on the trunk), while communication between any downlink port and the specified uplink port is normal. The uplink port can communicate with any port normally. Because the group is created in global mode, the isolation applies regardless of VLAN.
The configuration of S1:
Switch(config)#interface ethernet 1/0/1;10;15
Switch(config-if-port-range)#switchport mode trunk
Switch(config-if-port-range)#exit
Switch(config)#isolate-port group test
Switch(config)#isolate-port group test switchport interface ethernet 1/0/1;1/0/10
Case 2: Port isolation in a single VLAN.
The topology and configuration of the switches are shown in the figure above, with e1/0/1, e1/0/10 and e1/0/15 all belonging to VLAN 100-120. The requirement is that, after port isolation is enabled on switch S1, e1/0/1 and e1/0/10 on S1 cannot communicate with each other in VLAN 100 but can still communicate with each other in VLAN 101-120, while both of them can communicate with the uplink port e1/0/15 in VLAN 100-120. The isolation group is therefore configured under VLAN 100 rather than globally.
The configuration of S1:
Switch(config)#interface ethernet 1/0/1;10;15
Switch(config-if-port-range)#switchport mode trunk
Switch(config-if-port-range)#exit
Switch(config)#vlan 100
Switch(config-vlan 100)#isolate-port group test switchport interface ethernet 1/0/1;1/0/10
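The two cases above, as an added example that is not part of the guide: a small forwarding-decision model, in Python, of a global isolation group (Case 1) versus a VLAN-scoped one (Case 2). The class and function names, and treating the uplink as an ordinary port outside the group, are this example's assumptions, not a description of the switch's implementation.

```python
# Added example (not from the S4600 guide): models the forwarding rule that
# port isolation enforces, for a group created globally and for one created
# under a VLAN.  Port and VLAN numbers follow Case 1 and Case 2 above.

class IsolationPolicy:
    """Forwarding-decision model of port isolation groups.

    Ports in the same group may not forward frames to each other.  A group
    created in global mode (Case 1) applies in every VLAN; a group created
    under a VLAN (Case 2) applies only to frames in that VLAN.  Ports in no
    group, or in different groups, forward normally.
    """
    def __init__(self):
        self.global_groups = {}      # group name -> set of ports
        self.vlan_groups = {}        # (vlan id, group name) -> set of ports

    def add_global(self, name, ports):
        self.global_groups.setdefault(name, set()).update(ports)

    def add_vlan(self, vlan, name, ports):
        self.vlan_groups.setdefault((vlan, name), set()).update(ports)

    def may_forward(self, vlan, ingress, egress):
        """True if a frame received on `ingress` in `vlan` may be sent out `egress`."""
        if ingress == egress:
            return False                       # never reflect a frame to its own port
        groups = list(self.global_groups.values())
        groups += [members for (v, _), members in self.vlan_groups.items() if v == vlan]
        return not any(ingress in g and egress in g for g in groups)

def reachability(policy, vlan, ports):
    """Set of (ingress, egress) pairs allowed to talk in `vlan` under `policy`."""
    return {(a, b) for a in ports for b in ports if policy.may_forward(vlan, a, b)}

# Case 1: group "test" created in global mode -> downlinks isolated in every VLAN.
case1 = IsolationPolicy()
case1.add_global("test", {"e1/0/1", "e1/0/10"})

# Case 2: group "test" created under VLAN 100 -> downlinks isolated in VLAN 100 only.
case2 = IsolationPolicy()
case2.add_vlan(100, "test", {"e1/0/1", "e1/0/10"})

PORTS = ["e1/0/1", "e1/0/10", "e1/0/15"]

if __name__ == "__main__":
    all_pairs = {(a, b) for a in PORTS for b in PORTS if a != b}
    for label, policy in (("case 1", case1), ("case 2", case2)):
        for vlan in (100, 101):
            blocked = all_pairs - reachability(policy, vlan, PORTS)
            print(f"{label}, VLAN {vlan}: blocked pairs = {sorted(blocked)}")
```

Running it shows that in Case 1 the pair (e1/0/1, e1/0/10) is blocked in both VLAN 100 and VLAN 101, while in Case 2 it is blocked in VLAN 100 only; the uplink e1/0/15 is reachable from both downlinks in every VLAN in both cases.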

2.3 Port Loopback Detection

2.3.1 Introduction to Port Loopback Detection


Function
As Ethernet switches have spread, more and more users access the network through them. In an enterprise network, users access the network through layer-2 switches, so both Internet access and internal layer-2 interworking are required. In layer-2 switching, frames are forwarded by MAC address, and the accuracy of the MAC address table is the key to correct interworking between users. Layer-2 devices build that table by learning source MAC addresses: when a port receives a frame from an unknown source MAC address, the device binds this MAC to the receiving port, so that later frames destined to this MAC can be forwarded directly; the MAC address is learnt once and then used for forwarding.
When a source MAC that the layer-2 device has already learnt arrives on a different port, the original source port is replaced by the new one, that is, the MAC address is re-bound to the new port. As a result, if there is a loop in the link, all MAC addresses of the whole layer-2 network end up bound to the port where the loop appears (usually the MAC address is shifted frequently from one port to another), and the layer-2 network collapses. That is why port loops must be checked for in the network. When a loop is detected, the detecting device should send alarms to the network management system, so that the network manager can discover, locate and solve the problem and protect users from a long-lasting outage.
Since loopback detection can dynamically judge whether a loop exists in the link and whether it has gone, devices that support port control (such as port isolation and port MAC address learning control) can handle it automatically, which not only reduces the burden on network managers but also shortens the response time, minimizing the effect of loops on the network.
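The MAC-move symptom described above, as an added example that is not from the guide: a Python learning table that flags a MAC which keeps moving between ports inside a short window, which is what a loop looks like from the MAC table's point of view. The frame stream, the thresholds and the port names are constructed for this example, and the model covers only the table-side symptom, not the switch's own detection method.

```python
# Added example (not from the S4600 guide): a source-MAC learning table that
# re-binds a MAC to the newest ingress port, as the text describes, and raises
# an alarm when the same MAC flaps between ports many times in a short window.
from collections import Counter, defaultdict, deque

class MacTable:
    """Source-MAC learning with move tracking.

    A MAC whose port changes at least `max_moves` times within `window`
    seconds is taken as evidence of a loop; the ports it keeps bouncing
    between are reported so the caller can block or shut them down.
    """
    def __init__(self, window=1.0, max_moves=4):   # thresholds are this example's choice
        self.window, self.max_moves = window, max_moves
        self.entries = {}                    # (vlan, mac) -> port currently bound
        self.moves = defaultdict(deque)      # (vlan, mac) -> recent (ts, old_port, new_port)
        self.suspect_ports = set()

    def learn(self, ts, vlan, mac, port):
        """Learn one frame; return the ports implicated if a flap is detected now."""
        key = (vlan, mac)
        old = self.entries.get(key)
        self.entries[key] = port             # re-bind to the newest port
        if old is None or old == port:
            return set()
        recent = self.moves[key]
        recent.append((ts, old, port))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()                 # forget moves outside the window
        if len(recent) < self.max_moves:
            return set()                     # a host that genuinely moved once is not a loop
        seen = Counter(p for _, a, b in recent for p in (a, b))
        flapping = {p for p, n in seen.items() if n >= 2}   # ports the MAC bounced between
        self.suspect_ports |= flapping
        return flapping

def detect_loops(frames, **table_args):
    """Feed (ts, vlan, src_mac, ingress_port) records through a MacTable; return suspect ports."""
    table = MacTable(**table_args)
    for ts, vlan, mac, port in frames:
        table.learn(ts, vlan, mac, port)
    return table.suspect_ports

# Constructed traffic (not captured from a switch): host A sits behind e1/0/5 and
# host B behind e1/0/7; B later moves once to e1/0/8.  From t=2.0 a loop between
# e1/0/1 and e1/0/2 re-injects A's frames, so A's MAC bounces between those ports.
HOST_A, HOST_B = "00:11:22:33:44:55", "00:11:22:aa:bb:cc"
NORMAL = [(0.0, 1, HOST_A, "e1/0/5"), (0.5, 1, HOST_B, "e1/0/7"),
          (1.0, 1, HOST_A, "e1/0/5"), (1.5, 1, HOST_B, "e1/0/8")]
LOOPED = [(2.0 + i * 0.05, 1, HOST_A, "e1/0/2" if i % 2 == 0 else "e1/0/1") for i in range(12)]

if __name__ == "__main__":
    print("normal traffic:", detect_loops(NORMAL))
    print("with loop:    ", detect_loops(NORMAL + LOOPED))
```

The single legitimate move of host B is below the threshold and produces nothing; the looped frames implicate exactly e1/0/1 and e1/0/2, the two ports the switch's `loopback-detection control` action (shutdown or block) would act on.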

2.3.2 Port Loopback Detection Function Configuration


Task List
1. Configure the time interval of loopback detection
2. Enable the function of port loopback detection
3. Configure the control method of port loopback detection
4. Display and debug the relevant information of port loopback detection
5. Configure the loopback-detection control mode (automatic recovery enabled or not)

1. Configure the time interval of loopback detection

Command    Explanation
Global Mode
loopback-detection interval-time <loopback> <no-loopback>
no loopback-detection interval-time
    Configure the time interval of loopback detection; the two values are the intervals used while a loop is present and while none is present.

2. Enable the function of port loopback detection

Command    Explanation
Port Mode
loopback-detection specified-vlan <vlan-list>
no loopback-detection specified-vlan <vlan-list>
    Enable or disable port loopback detection for the listed VLANs.

3. Configure the control method of port loopback detection

Command    Explanation
Port Mode
loopback-detection control {shutdown | block}
no loopback-detection control
    Enable or disable port loopback detection control: shutdown disables the port when a loop is found, block puts it into the blocking state.

4. Display and debug the relevant information of port loopback detection

Command    Explanation
Admin Mode
debug loopback-detection
no debug loopback-detection
    Enable the debug information of the port loopback detection module; the no form disables it.
show loopback-detection [interface <interface-list>]
    Display the state and result of loopback detection of all ports if no parameter is provided; otherwise display the state and result of the specified ports.

5. Configure the loopback-detection control mode (automatic recovery enabled or not)

Command    Explanation
Global Mode
loopback-detection control-recovery timeout <0-3600>
    Configure the loopback-detection control mode (automatic recovery enabled or not) and the recovery time.

2.3.3 Port Loopback Detection Function Example

[Topology figure: a switch whose port Ethernet1/0/1 connects to an external network in which a loop may exist]
Figure 2-3 Typical example of port loopback detection

As shown in the configuration above, the switch detects loops in the network topology. After loopback detection is enabled on the port connecting the switch to the outside network, the switch notifies the connected network of the existence of a loop and controls the port so as to keep the whole network operating normally.
The configuration task sequence of SWITCH:
Switch(config)#loopback-detection interval-time 35 15
Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#loopback-detection specified-vlan 1-3
Switch(Config-If-Ethernet1/0/1)#loopback-detection control block
Switch(Config-If-Ethernet1/0/1)#exit
If the block control method is used, MSTP must be enabled globally, and the mapping between spanning tree instances and VLANs must be configured:
Switch(config)#spanning-tree
Switch(config)#spanning-tree mst configuration
Switch(Config-Mstp-Region)#instance 1 vlan 1
Switch(Config-Mstp-Region)#instance 2 vlan 2
Switch(Config-Mstp-Region)#

2.3.4 Port Loopback Detection Troubleshooting


The function of port loopback detection is disabled by default and should only be enabled if
required.

2.4 ULDP

2.4.1 Introduction to ULDP Function


A unidirectional link is a common link error state in networks, especially on fiber links. Unidirectional link means that only one port of the link can receive frames from the other port, while the latter cannot receive frames from the former. Since the physical layer of the link is connected and works normally, the checking mechanisms of the physical layer cannot detect the communication problem between the devices. As shown in the figures below, a problem in the fiber connection cannot be found through physical-layer mechanisms such as auto-negotiation.

[Topology figure: Switch A ports g1/0/1 and g1/0/2 cross-connected by fiber to Switch B ports g1/0/3 and g1/0/4]
Figure 2-4 Fiber Cross Connection

[Topology figure: Switch A (g1/0/1), Switch B (g1/0/2) and Switch C (g1/0/3) linked by fibers with one end of each fiber not connected]
Figure 2-5 One End of Each Fiber Not Connected

This kind of problem often appears in the following situations: the GBIC (Gigabit Interface Converter) or the interface has a fault, software problems, or hardware becoming unavailable or operating abnormally. A unidirectional link causes a series of problems, such as spanning tree topology loops and broadcast black holes.
ULDP (Unidirectional Link Detection Protocol) helps avoid the disasters that could happen in the situations mentioned above. On a switch connected via fiber or copper Ethernet cable (such as Category 5e twisted pair), ULDP monitors the link state of the physical links. Whenever a unidirectional link is discovered, it sends warnings to users and can disable the port automatically or manually according to the user's configuration.
ULDP recognizes remote devices and checks the correctness of link connections by exchanging ULDP messages. When ULDP is enabled on a port, the protocol state machine is started: different types of messages are sent in different states of the state machine to check the connection state of the link by exchanging information with the remote device. ULDP can dynamically learn the interval at which the remote device sends notification messages and adjust the local TTL (time to live) accordingly. Besides, ULDP provides a reset mechanism: when a port has been disabled by ULDP, it can be checked again through the reset mechanism. The intervals of notification messages and of reset can be configured by users, so that ULDP can respond faster to connection errors in different network environments.
The precondition for ULDP to work normally is that the link works in duplex mode, that ULDP is enabled on both ends of the link, and that both ends use the same authentication method and password.

2.4.2 ULDP Configuration Task Sequence

1. Enable ULDP function globally
2. Enable ULDP function on a port
3. Configure aggressive mode globally
4. Configure aggressive mode on a port
5. Configure the method to shut down unidirectional link
6. Configure the interval of Hello messages
7. Configure the interval of Recovery
8. Reset the port shut down by ULDP
9. Display and debug the relative information of ULDP

1. Enable ULDP function globally

Command    Explanation
Global configuration mode
uldp enable
uldp disable
    Globally enable or disable ULDP function.

2. Enable ULDP function on a port

Command    Explanation
Port configuration mode
uldp enable
uldp disable
    Enable or disable ULDP function on a port.

3. Configure aggressive mode globally

Command    Explanation
Global configuration mode
uldp aggressive-mode
no uldp aggressive-mode
    Set the global working mode.

4. Configure aggressive mode on a port

Command    Explanation
Port configuration mode
uldp aggressive-mode
no uldp aggressive-mode
    Set the working mode of the port.

5. Configure the method to shut down unidirectional link

Command    Explanation
Global configuration mode
uldp manual-shutdown
no uldp manual-shutdown
    Configure the method to shut down a unidirectional link: with manual-shutdown configured, ULDP only reports the unidirectional link and leaves shutting the port down to the administrator; otherwise ULDP shuts the port down automatically.

6. Configure the interval of Hello messages

Command    Explanation
Global configuration mode
uldp hello-interval <integer>
no uldp hello-interval
    Configure the interval of Hello messages, ranging from 5 to 100 seconds. The default value is 10 seconds.

7. Configure the interval of Recovery

Command    Explanation
Global configuration mode
uldp recovery-time <integer>
no uldp recovery-time <integer>
    Configure the interval of Recovery reset, ranging from 30 to 86400 seconds. The default value is 0 seconds (recovery timer disabled).

8. Reset the port shut down by ULDP

Command    Explanation
Global configuration mode or port configuration mode
uldp reset
    Reset all ports in global configuration mode; reset the specified port in port configuration mode.

9. Display and debug the relative information of ULDP

Command    Explanation
Admin mode
show uldp [interface ethernet <IFNAME>]
    Display ULDP information. With no parameter, display global ULDP information; with a port specified, display global information and the neighbor information of the port.
debug uldp fsm interface ethernet <IFNAME>
no debug uldp fsm interface ethernet <IFNAME>
    Enable or disable the debug switch for state machine transition information on the specified port.
debug uldp error
no debug uldp error
    Enable or disable the debug switch for error information.
debug uldp event
no debug uldp event
    Enable or disable the debug switch for event information.
debug uldp packet {receive|send}
no debug uldp packet {receive|send}
    Enable or disable debugging of the messages received or sent on all ports.
debug uldp {hello|probe|echo|unidir|all} [receive|send] interface ethernet <IFNAME>
no debug uldp {hello|probe|echo|unidir|all} [receive|send] interface ethernet <IFNAME>
    Enable or disable detailed debugging of a particular type of message received or sent on the specified port.

2.4.3 ULDP Function Typical Examples

[Topology figure: Switch A ports g1/0/1 and g1/0/2 cross-connected by fiber to Switch B ports g1/0/3 and g1/0/4; PC1 and PC2 are the management terminals of Switch A and Switch B]
Figure 2-6 Fiber Cross Connection

In the network topology in the figure, ports g1/0/1 and g1/0/2 of SWITCH A and ports g1/0/3 and g1/0/4 of SWITCH B are all fiber ports, and the connection is a cross connection. The physical layer is connected and works normally, but the data link layer is abnormal. ULDP discovers and disables this kind of link error. The final result is that ports g1/0/1 and g1/0/2 of SWITCH A and ports g1/0/3 and g1/0/4 of SWITCH B are all shut down by ULDP. Only when the connection is correct can the ports work normally (not be shut down).
Switch A configuration sequence:
SwitchA(config)#uldp enable
SwitchA(config)#interface ethernet 1/0/1
SwitchA(Config-If-Ethernet1/0/1)#uldp enable
SwitchA(Config-If-Ethernet1/0/1)#exit
SwitchA(config)#interface ethernet 1/0/2
SwitchA(Config-If-Ethernet1/0/2)#uldp enable
Switch B configuration sequence:
SwitchB(config)#uldp enable
SwitchB(config)#interface ethernet 1/0/3
SwitchB(Config-If-Ethernet1/0/3)#uldp enable
SwitchB(Config-If-Ethernet1/0/3)#exit
SwitchB(config)#interface ethernet 1/0/4
SwitchB(Config-If-Ethernet1/0/4)#uldp enable
As a result, ports g1/0/1 and g1/0/2 of SWITCH A are both shut down by ULDP, and the following notifications appear on the terminal of PC1:
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/1 need to be
shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/1 shut down!
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/2 need to be
shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/2 shutted down!

Ports g1/0/3 and g1/0/4 of SWITCH B are both shut down by ULDP, and the following notifications appear on the terminal of PC2:
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/3 need to be
shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/3 shutted down!
%Oct 29 11:09:50 2007 A unidirectional link is detected! Port Ethernet1/0/4 need to be
shutted down!
%Oct 29 11:09:50 2007 Unidirectional port Ethernet1/0/4 shutted down!

2.4.4 ULDP Troubleshooting


Configuration Notice:
 In order to ensure that ULDP can discover that one of the fiber ports is not connected or that the ports are incorrectly cross connected, the ports have to work in duplex mode and at the same rate.
 If the auto-negotiation mechanism of fiber ports with one port misconnected decides the working mode and rate of the ports, ULDP will not take effect whether enabled or not. In such a situation the port is considered "Down".
 In order to make sure that neighbors can be created correctly and unidirectional links discovered correctly, both ends of the link must enable ULDP, using the same authentication method and password. At present, no password is needed on either end.
 The interval for sending hello messages can be changed (10 seconds by default, ranging from 5 to 100 seconds) so that ULDP can respond faster to link errors in different network environments. This interval should be less than 1/3 of the STP convergence time: if it is too long, an STP loop may form before ULDP discovers and shuts down the unidirectional port; if it is too short, the load on the port increases, reducing the usable bandwidth.
 ULDP does not handle any LACP event. It treats every link of a TRUNK group (such as a port-channel or TRUNK ports) as independent and handles each of them separately.
 ULDP is not compatible with similar protocols of other vendors, so users cannot run ULDP on one end and a similar protocol on the other end.
 ULDP is disabled by default. After globally enabling ULDP, the debug switch can be enabled at the same time to check the debug information. Several DEBUG commands are provided to print debug information, such as events, state machine transitions, errors and messages; different types of message information can also be printed according to the parameters.
 The Recovery timer is disabled by default and is only enabled when the user has configured a recovery time (30-86400 seconds).
 The reset command and the reset mechanism can only reset ports automatically shut down by ULDP. Ports shut down manually by users or by other modules will not be reset by ULDP.
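The hello exchange described in 2.4.1, the cross-connection of Figure 2-6 and the half-connected fiber of Figure 2-5, as an added example that is not from the guide or the switch firmware: a Python model of the hello/echo mechanism that protocols of this family use to tell a unidirectional link from a healthy one. The message format, the port names and the aggressive-mode rule (a port that hears no neighbor at all is shut down) are this example's assumptions, modelled on the general UDLD behaviour, and not a statement about how the S4600 implements its aggressive mode.

```python
# Added example (not from the S4600 guide): simulates ULDP-style hello messages
# over individual fibre strands.  Each hello carries the sender's id and an
# echo of every neighbour it has heard; a port that hears a neighbour whose
# echo does not list the port itself is on a unidirectional link.

def run_uldp(tx_to_rx, ports, aggressive=False, rounds=2):
    """Simulate `rounds` hello intervals and return the ports ULDP would shut.

    tx_to_rx maps a port to the port its transmit strand reaches, one entry per
    strand, so a healthy link appears as two entries (a->b and b->a).
    """
    neighbours = {p: {} for p in ports}        # port -> {peer id: peer's latest echo set}
    for _ in range(rounds):
        # Snapshot first so every hello in this round carries last round's echoes.
        hellos = {p: (p, frozenset(neighbours[p])) for p in ports}
        for tx, rx in tx_to_rx.items():
            sender, echo = hellos[tx]
            neighbours[rx][sender] = echo
    shut = set()
    for p in ports:
        if not neighbours[p]:
            # Normal mode cannot tell "no neighbour" from a dead receive strand;
            # aggressive mode (assumption, see lead-in) treats silence as a fault.
            if aggressive:
                shut.add(p)
            continue
        if any(p not in echo for echo in neighbours[p].values()):
            shut.add(p)                         # peer does not hear us: unidirectional
    return shut

A1, A2, B3, B4 = "SwitchA:g1/0/1", "SwitchA:g1/0/2", "SwitchB:g1/0/3", "SwitchB:g1/0/4"

# Figure 2-4 / 2-6: the fibre pairs are crossed, so every port hears a peer
# that is not hearing it back.
CROSSED = {A1: B3, B3: A2, A2: B4, B4: A1}
# Correct cabling: each strand has a matching strand in the other direction.
CORRECT = {A1: B3, B3: A1, A2: B4, B4: A2}
# Figure 2-5 style: Switch A g1/0/1 transmits to Switch B g1/0/2, but the
# return strand is not connected.
B2 = "SwitchB:g1/0/2"
HALF_OPEN = {A1: B2}

if __name__ == "__main__":
    print("crossed:", sorted(run_uldp(CROSSED, [A1, A2, B3, B4])))
    print("correct:", sorted(run_uldp(CORRECT, [A1, A2, B3, B4])))
    print("half-open, normal:", sorted(run_uldp(HALF_OPEN, [A1, B2])))
    print("half-open, aggressive:", sorted(run_uldp(HALF_OPEN, [A1, B2], aggressive=True)))
```

With the crossed cabling all four ports are shut, matching the result the example above reports; with correct cabling none are. The half-open case shows why the aggressive mode exists: in normal mode only the end that hears a peer not hearing it back (g1/0/2 on Switch B) can prove the fault, while the end whose receive strand is dead stays up until aggressive mode treats the silence as a failure.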

2.5 LLDP

2.5.1 Introduction to LLDP Function


Link Layer Discovery Protocol (LLDP) is defined in IEEE 802.1AB. It enables neighbor devices to advertise their own state to other devices and enables every port of every device to store the information received. If necessary, the ports can also send updated information to the neighbor devices directly connected to them, and those neighbors store the information in standard SNMP MIBs. The network management system can then check the layer-two connection state from the MIB. LLDP does not configure or control network elements or flows; it only reports the layer-two configuration. Another part of 802.1AB is using the information provided by LLDP to find conflicts in layer two. IEEE reuses the existing physical topology, interfaces and Entity MIBs of the IETF.
Put simply, LLDP is a neighbor discovery protocol. It defines a standard method for Ethernet devices, such as switches, routers and WLAN access points, to announce their existence to other nodes in the network and to store the discovery information of all neighbor devices. For example, detailed device configuration and discovery information can both be advertised with this protocol.
Specifically, LLDP defines a general set of advertisement information, a transport protocol for advertisements, and a method for storing the received advertisements. A device advertising its own information can put multiple pieces of advertisement information into one LAN data packet. The unit of transport is the type-length-value (TLV) field. All devices supporting LLDP have to support chassis ID and port ID advertisement, and it is assumed that most devices also support system name, system description and system capability advertisement. System name and system description advertisement can also provide useful information for collecting network flow data. The system description advertisement can include data such as the full name of the advertising device, the hardware type of the system, the version of the software operating system and so on. Because LLDP advertisements are sent unauthenticated to whatever is plugged into the port, this same detail (device model, software version) is available to anyone on an access port; the optional TLV selection and the per-port operating mode described below let the administrator limit what edge ports advertise.
802.1AB Link Layer Discovery Protocol makes troubleshooting an enterprise network easier and strengthens the ability of network management tools to discover and maintain an accurate network topology.
Many kinds of network management software use an "automated discovery" function to track topology changes and state, but most of them reach layer three at best and classify devices into IP subnets. Such data is very primitive, only covering basic events like the adding and removing of devices instead of details about where and how these devices operate within the network.
Layer-two discovery covers information such as which devices have which ports and which switches connect to other devices; it can also display the routes between clients, switches, routers, application servers and network servers. Such details are very useful for planning and for investigating the source of network failures.
LLDP is thus a very useful management tool, providing accurate information for network mapping, traffic data collection and troubleshooting of network problems.

2.5.2 LLDP Function Configuration Task Sequence

1. Globally enable LLDP function
2. Configure the port-based LLDP function switch
3. Configure the operating state of port LLDP
4. Configure the intervals of LLDP updating messages
5. Configure the aging time multiplier of LLDP messages
6. Configure the sending delay of updating messages
7. Configure the intervals of sending Trap messages
8. Configure to enable the Trap function of the port
9. Configure the optional information-sending attribute of the port
10. Configure to enable the managed address tlv of lldp port
11. Configure the size of space to store Remote Table of the port
12. Configure the type of operation when the Remote Table of the port is full
13. Display and debug the relative information of LLDP

1. Globally enable LLDP function

Command    Explanation
Global Mode
lldp enable
lldp disable
    Globally enable or disable LLDP function.

2. Configure the port-based LLDP function switch

Command    Explanation
Port Mode
lldp enable
lldp disable
    Enable or disable LLDP on the port.

3. Configure the operating state of port LLDP

Command    Explanation
Port Mode
lldp mode (send|receive|both|disable)
    Configure the operating state of port LLDP: transmit only, receive only, both (the default), or neither.

4. Configure the intervals of LLDP updating messages

Command    Explanation
Global Mode
lldp tx-interval <integer>
no lldp tx-interval
    Configure the interval of LLDP update messages as the specified value, or restore the default value.

5. Configure the aging time multiplier of LLDP messages

Command    Explanation
Global Mode
lldp msgTxHold <value>
no lldp msgTxHold
    Configure the aging time multiplier of LLDP messages (the advertised TTL is tx-interval multiplied by this value) as the specified value, or restore the default value.

6. Configure the sending delay of updating messages

Command    Explanation
Global Mode
lldp transmit delay <seconds>
no lldp transmit delay
    Configure the minimum delay between successive update messages as the specified value, or restore the default value.

7. Configure the intervals of sending Trap messages

Command    Explanation
Global Mode
lldp notification interval <seconds>
no lldp notification interval
    Configure the interval of sending Trap messages as the specified value, or restore the default value.

8. Configure to enable the Trap function of the port

Command    Explanation
Port Configuration Mode
lldp trap <enable|disable>
    Enable or disable the Trap function of the port.

9. Configure the optional information-sending attribute of the port

Command    Explanation
Port Configuration Mode
lldp transmit optional tlv [portDesc] [sysName] [sysDesc] [sysCap]
no lldp transmit optional tlv
    Configure which optional TLVs the port sends; the no form restores the default set.

10. Configure to enable the managed address tlv of lldp port

Command    Explanation
Port Configuration Mode
lldp management-address tlv [A.B.C.D]
no lldp management-address tlv
    Enable or disable sending the management address TLV on the port.

11. Configure the size of space to store Remote Table of the port

Command    Explanation
Port Configuration Mode
lldp neighbors max-num <value>
no lldp neighbors max-num
    Configure the size of the space for storing the Remote Table of the port as the specified value, or restore the default value.

12. Configure the type of operation when the Remote Table of the port is full

Command    Explanation
Port Configuration Mode
lldp tooManyNeighbors {discard | delete}
    Configure the type of operation when the Remote Table of the port is full: discard the new neighbor information, or delete existing entries.

13. Display and debug the relative information of LLDP

Command    Explanation
Admin, Global Mode
show lldp
    Display the current LLDP configuration information.
show lldp interface ethernet <IFNAME>
    Display the LLDP configuration information of the specified port.
show lldp traffic
    Display the information of all kinds of counters.
show lldp neighbors interface ethernet <IFNAME>
    Display the information of LLDP neighbors of the specified port.
show debugging lldp
    Display all ports with LLDP debug enabled.
Admin Mode
debug lldp
no debug lldp
    Enable or disable the DEBUG switch.
debug lldp packets interface ethernet <IFNAME>
no debug lldp packets interface ethernet <IFNAME>
    Enable or disable the DEBUG of packet receiving and sending on the port or globally.
Port configuration mode
clear lldp remote-table
    Clear the Remote Table of the port.

2.5.3 LLDP Function Typical Example

Figure 2-7 LLDP Function Typical Configuration Example

In the network topology above, ports 1 and 3 of SWITCH B are connected to ports 2 and 4 of SWITCH A. Port 1 of SWITCH B is configured to receive-only mode, and the optional TLVs of port 4 of SWITCH A are configured as portDesc and sysCap.
SWITCH A configuration task sequence:
SwitchA(config)#lldp enable
SwitchA(config)#interface ethernet 1/0/4
SwitchA(Config-If-Ethernet1/0/4)#lldp transmit optional tlv portDesc sysCap
SwitchA(Config-If-Ethernet1/0/4)#exit

SWITCH B configuration task sequence:
SwitchB(config)#lldp enable
SwitchB(config)#interface ethernet 1/0/1
SwitchB(Config-If-Ethernet1/0/1)#lldp mode receive
SwitchB(Config-If-Ethernet1/0/1)#exit

2.5.4 LLDP Function Troubleshooting

 LLDP is disabled by default. After enabling the global LLDP switch, users can also enable the debug switch "debug lldp" to check debug information.
 The "show" commands of LLDP display the configuration information in global or port configuration mode.
 On an untrusted access port, "lldp mode receive" lets the switch still learn its neighbor while advertising nothing about itself, and "lldp transmit optional tlv" without sysName and sysDesc keeps the system description (including the software version) out of the advertisement.

2.6 LLDP-MED

2.6.1 Introduction to LLDP-MED

LLDP-MED (Link Layer Discovery Protocol-Media Endpoint Discovery) is based on IEEE 802.1AB LLDP (Link Layer Discovery Protocol). LLDP provides a standard link layer discovery mechanism: it sends local device information (including its major capabilities, management IP address, device ID and port ID) as TLV (type/length/value) triplets in an LLDPDU (Link Layer Discovery Protocol Data Unit) to directly connected neighbors. The device information received by the neighbors is stored in a standard management information base (MIB), which allows a network management system to quickly detect and identify the communication status of the link.
802.1AB LLDP does not transmit or manage voice device information. To deploy and manage voice devices conveniently, the LLDP-MED TLVs provide additional information, such as PoE (Power over Ethernet), network policy (the VLAN and QoS marking an endpoint should use for an application such as voice), and the location information used by emergency telephone services.

2.6.2 LLDP-MED Configuration Task Sequence


1. Basic LLDP-MED configuration
Command Explanation
Port mode
Configure the specified port to
lldp transmit med tlv all
send all LLDP-MED TLVs. The no
no lldp transmit med tlv all
command disables the function.
Configure the specified port to
lldp transmit med tlv capability send LLDP-MED Capability TLV.
no lldp transmit med tlv capability The no command disables the
capability.
Configure the specified port to
lldp transmit med tlv networkPolicy send LLDP-MED Network Policy
no lldp transmit med tlv networkPolicy TLV. The no command disables
the capability.
Configure the specified port to
send LLDP-MED Extended
lldp transmit med tlv extendPoe
Power-Via-MDI TLV. The no
no lldp transmit med tlv extendPoe
command disables the
capability.
Configure the specified port to
send LLDP-MED Location
lldp transmit med tlv location
Identification TLV. The no
no lldp transmit med tlv location
command disables the
capability.
Configure the port to send
LLDP-MED Inventory
lldp transmit med tlv inventory
Management TLVs. The no
no lldp transmit med tlv inventory
command disables the
capability.
network policy {voice | voice-signaling | guest-voice | Configure network policy of the
2-21
S4600_Configuration Guide Chapter 2 Layer 2 services Configuration

guest-voice-signaling | softphone-voice | port, including VLAN ID, the


video-conferencing | streaming-video | video-signaling} supported application (such as
[status {enable | disable}] [tag {tagged | untagged}] [vid voice and video), the
{<vlan-id> | dot1p}] [cos <cos-value>] [dscp application priority and the
<dscp-value> ] used policy, and so on.
no network policy {voice | voice-signaling | guest-voice
| guest-voice-signaling | softphone-voice |
video-conferencing | streaming- video | video-signaling}
civic location {dhcp server | switch | endpointDev} <country-code>
no civic location
    Configure the device type and country code of the location in Civic Address LCI format and enter Civic Address LCI address mode. The no command cancels all configuration of the location in Civic Address LCI format.

ecs location <tel-number>
no ecs location
    Configure the location in ECS ELIN format on the port. The no command cancels the configured location.

lldp med trap {enable | disable}
    Enable or disable the LLDP-MED trap for the specified port.

Civic Address LCI address mode
{description-language | province-state | city | county | street | locationNum | location | floor | room | postal | otherInfo} <address>
no {description-language | province-state | city | county | street | locationNum | location | floor | room | postal | otherInfo}
    Configure the detailed address after entering Civic Address LCI address mode of the port.
Global mode
lldp med fast count <value>
no lldp med fast count
    When the LLDP-MED fast startup mechanism is enabled, LLDP packets carrying LLDP-MED TLVs need to be sent rapidly. This command sets the number of packets sent in fast mode; the no command restores the default value.

Admin mode
show lldp
    Show the global LLDP and LLDP-MED configuration.

show lldp [interface ethernet <IFNAME>]
    Show the LLDP and LLDP-MED configuration on the current port.

show lldp neighbors [interface ethernet <IFNAME>]
    Show the LLDP and LLDP-MED configuration of the neighbors.

show lldp traffic
    Show the statistics of the LLDP and LLDP-MED packets sent and received by the port.

2.6.3 LLDP-MED Example

Figure 2-8 Basic LLDP-MED configuration topology


1) Configure Switch A
SwitchA(config)#interface ethernet1/0/1
SwitchA(Config-If-Ethernet1/0/1)#lldp enable
SwitchA(Config-If-Ethernet1/0/1)#lldp mode both
(This command can be omitted; the default mode is RxTx.)
SwitchA(Config-If-Ethernet1/0/1)#lldp transmit med tlv capability
SwitchA(Config-If-Ethernet1/0/1)#lldp transmit med tlv networkPolicy
SwitchA(Config-If-Ethernet1/0/1)#lldp transmit med tlv inventory
SwitchA(Config-If-Ethernet1/0/1)#network policy voice tag tagged vid 10 cos 5 dscp 15
SwitchA(Config-If-Ethernet1/0/1)#exit
SwitchA(config)#interface ethernet1/0/2
SwitchA(Config-If-Ethernet1/0/2)#lldp enable
SwitchA(Config-If-Ethernet1/0/2)#lldp mode both
2) Configure Switch B
SwitchB(config)#interface ethernet1/0/1
SwitchB(Config-If-Ethernet1/0/1)#lldp enable
SwitchB(Config-If-Ethernet1/0/1)#lldp mode both
SwitchB(Config-If-Ethernet1/0/1)#lldp transmit med tlv capability
SwitchB(Config-If-Ethernet1/0/1)#lldp transmit med tlv networkPolicy
SwitchB(Config-If-Ethernet1/0/1)#lldp transmit med tlv inventory
SwitchB(Config-If-Ethernet1/0/1)#network policy voice tag tagged vid 10 cos 4


3) Verify the configuration
# Show the global status and interface status on Switch A.
SwitchA# show lldp neighbors interface ethernet 1/0/1
Port name : Ethernet1/0/1
Port Remote Counter : 1
TimeMark :20
ChassisIdSubtype :4
ChassisId :00-03-0f-00-00-02
PortIdSubtype :Local
PortId :1
PortDesc :****
SysName :****
SysDesc :*****

SysCapSupported :4
SysCapEnabled :4

LLDP MED Information :


MED Codes:
(CAP)Capabilities, (NP) Network Policy
(LI) Location Identification, (PSE)Power Source Entity
(PD) Power Device, (IN) Inventory
MED Capabilities:CAP,NP,PD,IN
MED Device Type: Endpoint Class III
Media Policy Type :Voice
Media Policy :Tagged
Media Policy Vlan id :10
Media Policy Priority :3
Media Policy Dscp :5
Power Type : PD
Power Source :Primary power source
Power Priority :low
Power Value :15.4 (Watts)
Hardware Revision:
Firmware Revision:4.0.1
Software Revision:6.2.30.0
Serial Number:
Manufacturer Name:****
Model Name:Unknown
Assert ID:Unknown
IEEE 802.3 Information :
auto-negotiation support: Supported
auto-negotiation support: Not Enabled

PMD auto-negotiation advertised capability: 1
operational MAU type: 1
SwitchA# show lldp neighbors interface ethernet 1/0/2
Port name : interface ethernet 1/0/2
Port Remote Counter:1
Neighbor Index: 1
Port name : Ethernet1/0/2
Port Remote Counter : 1
TimeMark :20
ChassisIdSubtype :4
ChassisId :00-03-0f-00-00-02
PortIdSubtype :Local
PortId :1
PortDesc :Ethernet1/0/1
SysName :****
SysDesc :*****

SysCapSupported :4
SysCapEnabled :4

Explanation:
1) Ethernet1/0/2 of switch A and Ethernet1/0/1 of switch B are both ports of network connectivity devices, so they do not send LLDP packets carrying MED TLVs on their own initiative. Even though Ethernet1/0/1 of switch B is configured to send MED TLVs, it does not actually send them, so the corresponding remote table on Ethernet1/0/2 of switch A contains no MED information.
2) An LLDP-MED endpoint device does send LLDP packets carrying MED TLVs on its own initiative, so the corresponding remote table on Ethernet1/0/1 of switch A contains LLDP-MED information.

2.6.4 LLDP-MED Troubleshooting


If problems occur when configuring LLDP-MED, please check whether the problem is caused by the following reasons:
- Check whether LLDP is enabled globally.
- A network connectivity device only sends LLDP-MED TLVs after it has received LLDP packets carrying LLDP-MED TLVs from a neighboring MED device. If a network connectivity device is configured to send LLDP-MED TLVs but the packets sent by the port still contain none, no MED information has been received and the port has not yet enabled sending of LLDP-MED information.
- If the neighbor device has sent LLDP-MED information to the network connectivity device, but the show lldp neighbors command shows no LLDP-MED information, the LLDP-MED information sent by the neighbor is erroneous.
2.7 Port Channel

2.7.1 Introduction to Port Channel


To understand Port Channel, Port Group should be introduced first. A Port Group is a group of physical ports at the configuration level; only physical ports in a Port Group can take part in link aggregation and become member ports of a Port Channel. Logically, a Port Group is not a port but a port sequence. Under certain conditions, the physical ports in a Port Group are aggregated to form a Port Channel, which has all the properties of a logical port and therefore becomes an independent logical port. Port aggregation is a process of logical abstraction that turns a set of ports (a port sequence) with the same properties into one logical port. A Port Channel is a collection of physical ports that is used logically as one physical port. The user can use a Port Channel as a normal port; it not only increases network bandwidth but also provides link backup. Port aggregation is usually used when the switch is connected to routers, PCs or other switches.

Figure 2-9 Port aggregation (switches S1 and S2)


As shown in the figure above, the ports of S1 are aggregated into a Port Channel whose bandwidth is the sum of all four ports. If traffic from S1 needs to be transferred to S2 through the Port Channel, a traffic allocation calculation is performed based on the source MAC address and the lowest bit of the destination MAC address; the result decides which port carries the traffic. If a port in the Port Channel fails, the other ports take over its traffic through the traffic allocation algorithm, which is carried out by the hardware.
The switch offers two methods for configuring port aggregation: manual Port Channel creation and LACP (Link Aggregation Control Protocol) dynamic Port Channel creation. Port aggregation can only be performed on ports in full-duplex mode.
For a Port Channel to work properly, the member ports of the Port Channel must have the same properties, as follows:
- All ports are in full-duplex mode.
- All ports are of the same speed.
- All ports are Access ports and belong to the same VLAN, or are all TRUNK ports, or are all Hybrid ports.
- If the ports are all TRUNK ports or Hybrid ports, their “Allowed VLAN” and “Native VLAN” properties should also be the same.
If a Port Channel is configured manually or dynamically on the switch, the system automatically sets the port with the smallest number as the Master Port of the Port Channel. If the spanning tree function is enabled on the switch, the spanning tree protocol regards the Port Channel as a logical port and sends BPDU frames via the master port.
Port aggregation is closely related to the switch hardware. The switch allows physical port aggregation between any two switches; a maximum of 128 port groups, with 8 ports in each port group, is supported.
Once ports are aggregated, they can be used as a normal port. The switch has a built-in aggregation interface configuration mode, in which the user can perform related configuration just as in the VLAN and physical interface configuration modes.

2.7.2 Brief Introduction to LACP


LACP (Link Aggregation Control Protocol) is a protocol based on the IEEE 802.3ad standard that implements dynamic link aggregation. LACP uses LACPDUs (Link Aggregation Control Protocol Data Units) to exchange information with the other end.
After LACP is enabled on a port, the port sends LACPDUs to the other end to announce its system priority, system MAC address, port priority, port ID and operation Key. When the other end receives this information, it compares it with the information saved for its other ports to select the ports that can be aggregated; in this way both sides reach agreement about which ports join or leave the dynamic aggregation group.
The operation Key is created by LACP from the combination of the configuration (speed, duplex, basic configuration, management Key) of the ports to be aggregated.
When LACP is enabled on a dynamic aggregation port, the management Key is 0 by default. When LACP is enabled on a static aggregation port, the management Key of the port is the same as the ID of the aggregation group.
In a dynamic aggregation group, the members of the same group have the same operation Key; in a static aggregation group, the Active ports have the same operation Key.
Port aggregation means that multiple ports are aggregated to form an aggregation group, so as to load-balance outgoing and incoming traffic across the member ports of the group and provide better reliability.

2.7.2.1 Static LACP Aggregation


Static LACP aggregation is enforced by user configuration and does not enable the LACP protocol. When configuring static LACP aggregation, use “on” mode to force the port into the aggregation group.

2.7.2.2 Dynamic LACP Aggregation


1. Summary of dynamic LACP aggregation
Dynamic LACP aggregation is an aggregation created and deleted by the system automatically; the user is not allowed to add or delete member ports of a dynamic LACP aggregation. Ports that have the same speed and duplex attributes, are connected to the same device and have the same basic configuration can be dynamically aggregated together. Even a single port can create a dynamic aggregation; this is called single-port aggregation. In a dynamic aggregation, LACP is in the enabled state on the port.
2. Port states in the dynamic aggregation group
In a dynamic aggregation group, a port is in one of two states: selected or standby. Both selected ports and standby ports can receive and send LACP protocol packets, but standby ports cannot forward data packets.
Because of the limit on the maximum number of ports in an aggregation group, if the current number of member ports exceeds that limit, the system at this end negotiates with the other end to decide the port states according to the port IDs. The negotiation steps are as follows:
Compare the device IDs (system priority + system MAC address). First compare the system priorities; if they are the same, compare the system MAC addresses. The end with the smaller device ID has the higher priority.
Compare the port IDs (port priority + port ID). For each port on the side of the device with the higher device priority, first compare the port priorities; if they are the same, compare the port IDs. The ports with the smaller port IDs are selected and the others become standby ports.
In an aggregation group, the selected port with the smallest port ID is the master port; the other selected ports are member ports.
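The selected/standby negotiation just described, modelled in Python as an added example (this is not code from the S4600 guide or from the switch; the switch names, MAC addresses and port numbers are constructed sample data):

```python
"""Added example, not from the S4600 guide: the selected/standby negotiation
of a dynamic LACP aggregation group, modelled in Python.

Device ID = (system priority, system MAC); the end with the smaller device
ID wins and its port ordering decides which ports are selected.
Port ID   = (port priority, port number); a smaller port ID is preferred.
Ports beyond the group maximum (8 per port group on this switch) become
standby; the selected port with the smallest local port ID is the master.
All switch names, MACs and port numbers below are constructed sample data.
"""
from dataclasses import dataclass

MAX_PORTS_PER_GROUP = 8  # limit stated in the Port Channel introduction


@dataclass(frozen=True)
class Port:
    number: int    # port number, e.g. 1 for Ethernet1/0/1
    priority: int  # lacp port-priority (smaller value wins)

    def port_id(self):
        return (self.priority, self.number)


@dataclass(frozen=True)
class System:
    name: str
    priority: int  # lacp system-priority (smaller value wins)
    mac: str       # system MAC address as colon-separated hex

    def device_id(self):
        return (self.priority, self.mac.lower())


def winning_system(local, peer):
    """Step 1: compare system priority, then MAC; the smaller device ID wins."""
    return local if local.device_id() <= peer.device_id() else peer


def negotiate(local, peer, links, max_ports=MAX_PORTS_PER_GROUP):
    """Decide port states for the local end of one aggregation group.

    links is a list of (local_port, peer_port) pairs, one per cabled link.
    Returns (selected, standby, master) as seen by the local switch.
    """
    winner = winning_system(local, peer)
    side = 0 if winner is local else 1
    # Step 2: rank links by the port ID on the winning side; the smallest
    # port IDs are selected, the rest go to standby.
    ranked = sorted(links, key=lambda link: link[side].port_id())
    selected = [link[0] for link in ranked[:max_ports]]
    standby = [link[0] for link in ranked[max_ports:]]
    master = min(selected, key=Port.port_id) if selected else None
    return selected, standby, master


def example_ten_links(local_priority=32768, peer_priority=32768):
    """Ten cabled links between S1 (local) and S2 (peer), two more than the
    group maximum. Returns the local port numbers by state so the outcome of
    the negotiation can be inspected."""
    s1 = System("S1", local_priority, "00:03:0f:00:00:01")
    s2 = System("S2", peer_priority, "00:03:0f:00:00:02")
    local_ports = [Port(n, 32768) for n in range(1, 11)]                  # 1..10
    # S2 gives its port 15 the best port priority; the other peer ports keep
    # the default, so the ranking on S2's side differs from S1's numbering.
    peer_ports = [Port(n, 32768) for n in range(6, 15)] + [Port(15, 1)]  # 6..15
    links = list(zip(local_ports, peer_ports))
    selected, standby, master = negotiate(s1, s2, links)
    return {
        "winner": winning_system(s1, s2).name,
        "selected": [p.number for p in selected],
        "standby": [p.number for p in standby],
        "master": master.number,
    }


if __name__ == "__main__":
    # Equal system priorities: S1's MAC is smaller, so S1's port numbering
    # decides and local ports 9 and 10 go to standby.
    print(example_ten_links())
    # S2 configured with 'lacp system-priority 100': S2's ranking decides, so
    # local port 10 (cabled to S2's high-priority port 15) is selected instead.
    print(example_ten_links(peer_priority=100))
```

The second run shows why the system priority matters operationally: whichever end wins the device-ID comparison decides which links carry traffic on both switches, so the priority should be set deliberately on the switch whose port numbering you want to control the selection.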

2.7.3 Introduction to Load balance


Network traffic and the number of visits are constantly increasing, and so are processing capability and computing power. If a large amount of traffic is transmitted through one physical port of the switch at the same time, it causes network congestion; if the switch has many physical ports that are left unused, those ports are wasted. Load Balance is the method that expands the bandwidth of network devices and servers, increases throughput, improves network flexibility and strengthens data processing.

2.7.4 Port Channel Configuration Task List


1. Create a port group in Global Mode
2. Add ports to the specified group from the Port Mode of the respective ports
3. Enter port-channel configuration mode
4. Set the load-balance method for the port-group
5. Set the system priority of the LACP protocol
6. Set the port priority of the current port in the LACP protocol
7. Set the timeout mode of the current port in the LACP protocol

1. Creating a port group

Command Explanation
Global Mode
port-group <port-group-number>
no port-group <port-group-number>
    Create or delete a port group.

2. Add physical ports to the port group

Command Explanation
Port Mode
port-group <port-group-number> mode {active | passive | on}
no port-group
    Add the ports to the port group and set their mode.

3. Enter port-channel configuration mode.


Command Explanation
Global Mode
interface port-channel <port-channel-number>
    Enter port-channel configuration mode.

4. Set load-balance method for port-group

Command Explanation
Aggregation port configuration mode
load-balance {src-mac | dst-mac | dst-src-mac | src-ip | dst-ip | dst-src-ip | ingress-port | dst-src-mac-ip}
    Set the load-balance method for the port-group.

5. Set the system priority of LACP protocol

Command Explanation
Global mode
lacp system-priority <system-priority>
no lacp system-priority
    Set the system priority of the LACP protocol. The no command restores the default value.

6. Set the port priority of the current port in LACP protocol

Command Explanation
Port mode
lacp port-priority <port-priority>
no lacp port-priority
    Set the port priority in the LACP protocol. The no command restores the default value.

7. Set the timeout mode of the current port in LACP protocol

Command Explanation
Port mode
lacp timeout {short | long}
no lacp timeout
    Set the timeout mode in the LACP protocol. The no command restores the default value.

2.7.5 Port Channel Examples


Scenario 1: Configuring Port Channel in LACP.

Figure 2-10 Configure Port Channel in LACP (switches S1 and S2)


The switches in the description below are all this switch. As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports; add them to group1 in active mode. Ports 6, 8, 9, 10 of S2 are access ports; add them to group2 in passive mode. All the ports should be connected with cables.

The configuration steps are listed below:

Switch1#config
Switch1(config)#interface ethernet 1/0/1-4
Switch1(Config-If-Port-Range)#port-group 1 mode active
Switch1(Config-If-Port-Range)#exit
Switch1(config)#interface port-channel 1
Switch1(Config-If-Port-Channel1)#

Switch2#config
Switch2(config)#port-group 2
Switch2(config)#interface ethernet 1/0/6
Switch2(Config-If-Ethernet1/0/6)#port-group 2 mode passive
Switch2(Config-If-Ethernet1/0/6)#exit
Switch2(config)#interface ethernet 1/0/8-10
Switch2(Config-If-Port-Range)#port-group 2 mode passive
Switch2(Config-If-Port-Range)#exit
Switch2(config)#interface port-channel 2
Switch2(Config-If-Port-Channel2)#

Configuration result:
After a while the shell reports that the ports were aggregated successfully. Ports 1, 2, 3, 4 of S1 now form an aggregated port named “Port-Channel1”, and ports 6, 8, 9, 10 of S2 form an aggregated port named “Port-Channel2”; each can be configured in its respective aggregated port mode.

Scenario 2: Configuring Port Channel in ON mode.

Figure 2-11 Configure Port Channel in ON mode (switches S1 and S2)


As shown in the figure, ports 1, 2, 3, 4 of S1 are access ports and add them to group1 with
“on” mode. Ports 6, 8, 9, 10 of S2 are access ports and add them to group2 with “on” mode.

The configuration steps are listed below:


Switch1#config
Switch1(config)#interface ethernet 1/0/1
Switch1(Config-If-Ethernet1/0/1)#port-group 1 mode on
Switch1(Config-If-Ethernet1/0/1)#exit
Switch1(config)#interface ethernet 1/0/2
Switch1(Config-If-Ethernet1/0/2)#port-group 1 mode on
Switch1(Config-If-Ethernet1/0/2)#exit
Switch1(config)#interface ethernet 1/0/3
Switch1(Config-If-Ethernet1/0/3)#port-group 1 mode on
Switch1(Config-If-Ethernet1/0/3)#exit
Switch1(config)#interface ethernet 1/0/4
Switch1(Config-If-Ethernet1/0/4)#port-group 1 mode on
Switch1(Config-If-Ethernet1/0/4)#exit

Switch2#config
Switch2(config)#port-group 2
Switch2(config)#interface ethernet 1/0/6
Switch2(Config-If-Ethernet1/0/6)#port-group 2 mode on
Switch2(Config-If-Ethernet1/0/6)#exit
Switch2(config)#interface ethernet 1/0/8-10
Switch2(Config-If-Port-Range)#port-group 2 mode on
Switch2(Config-If-Port-Range)#exit

Configuration result:
Ports 1, 2, 3, 4 of S1 are added to port-group1 in order. A group in 'on' mode is joined forcibly: the switch at the other end does not exchange LACP PDUs to complete the aggregation. Aggregation finishes immediately when the command adding port 1/0/2 to port-group 1 is entered, and ports 1 and 2 aggregate into port-channel 1. When port 1/0/3 joins port-group 1, port-channel 1 (ports 1 and 2) is ungrouped and re-aggregated with port 3 to form port-channel 1; when port 1/0/4 joins port-group 1, port-channel 1 (ports 1, 2 and 3) is ungrouped and re-aggregated with port 4 to form port-channel 1. (Note that whenever a new port joins an aggregated port group, the group is ungrouped first and then re-aggregated to form a new group.) Now all four ports on both S1 and S2 are aggregated in 'on' mode and each set becomes an aggregated port.

2.7.6 Troubleshooting

2.7.6.1 Port Channel Troubleshooting


If problems occur when configuring port aggregation, please first check the following for causes.
- Ensure all ports in a port group have the same properties, i.e. whether they are in full-duplex mode, forced to the same speed, and have the same VLAN properties, etc. If there is any inconsistency, correct it.
- Some commands cannot be used on a port in a port-channel, such as arp, bandwidth, ip, ip-forward, etc.

2.7.6.2 Load Balance Troubleshooting

2.8 MTU

2.8.1 Introduction to MTU


So far Jumbo frames have not reached a settled standard in the industry (including the format and length of the frame). Normally frames sized between 1519 and 12000 are considered jumbo frames. Networks using jumbo frames increase the speed of the whole network by 2% to 5%. Technically a Jumbo frame is just a lengthened frame sent and received by the switch. However, because of their length, Jumbo frames are not sent to the CPU: Jumbo frames destined for the CPU are discarded in the packet receiving process.

2.8.2 MTU Configuration Task Sequence


1. Configure enable MTU function

1. Configure enable MTU function


Command Explanation
Global Mode
mtu [<mtu-value>]
no mtu enable
    Configure the MTU size of JUMBO frames and enable the receiving/sending of JUMBO frames. The no command disables the sending and receiving of MTU frames.

2.9 bpdu-tunnel

2.9.1 Introduction to bpdu-tunnel


BPDU Tunnel is a Layer 2 tunnel technology. It allows Layer 2 protocol packets of
geographically dispersed private network users to be transparently transmitted over specific
tunnels across a service provider network.

2.9.1.1 bpdu-tunnel function


In MAN applications, multiple branches of a corporation may be connected with each other through the service provider network. A VPN provided by the service provider lets the geographically dispersed networks form one local LAN, so the service provider needs to provide a tunnel function: data generated in the user’s network must arrive in its entirety at the other networks of the same corporation through the service provider network. To maintain the local concept, not only the data within the user’s private network but also the Layer 2 protocol packets within the user’s private network must be transmitted across the tunnel.

2.9.1.2 Background of bpdu-tunnel


Special lines are used in a service provider network to build user-specific Layer 2 networks. As a result, a user network is broken down into parts located at different sides of the service provider network. As shown in Figure 2-12, User A has two devices (CE 1 and CE 2) and both devices belong to the same VLAN. The user’s network is divided into network 1 and network 2, which are connected by the service provider network. When Layer 2 protocol packets cannot pass through the service provider network, the two parts of the user’s network cannot perform independent Layer 2 protocol calculations (for example, spanning tree calculation), so they affect each other.

Figure 2-12 BPDU Tunnel application

2.9.2 bpdu-tunnel Configuration Task List


bpdu-tunnel configuration task list:
1. Configure tunnel MAC address globally
2. Configure the port to support the tunnel

1. Configure tunnel MAC address globally

Command Explanation
Global mode
bpdu-tunnel-protocol {stp | gvrp | dot1x} {group-mac <mac> | default-group-mac}
bpdu-tunnel-protocol user-defined-protocol <name> protocol-mac <mac> {group-mac <mac> | default-group-mac}
bpdu-tunnel-protocol user-defined-protocol <name> protocol-mac <mac> encape-type ethernetii protocol-type <type> {group-mac <mac> | default-group-mac}
bpdu-tunnel-protocol user-defined-protocol <name> protocol-mac <mac> encape-type snap {oui <oui> | } protocol-type <type> {group-mac <mac> | default-group-mac}
bpdu-tunnel-protocol user-defined-protocol <name> protocol-mac <mac> encape-type llc dsap <dsap> ssap <ssap> {group-mac <mac> | default-group-mac}
no bpdu-tunnel-protocol user-defined-protocol <name>
    Configure or cancel the tunnel MAC address globally.

2. Configure the port to support the tunnel

Command Explanation
Port mode
bpdu-tunnel-protocol {stp | gvrp | dot1x | user-defined-protocol <name>}
no bpdu-tunnel-protocol {stp | gvrp | dot1x | user-defined-protocol <name>}
    Enable the port to support the tunnel; the no command disables the function.

2.9.3 Examples of bpdu-tunnel


The application environment is the one described in section 2.9.1.2: user A’s network 1 and network 2 (CE 1 and CE 2, in the same VLAN) are connected through the service provider network, and without passthrough of Layer 2 protocol packets the two parts cannot perform independent Layer 2 protocol calculations (for example, spanning tree calculation), so they affect each other.

Figure 2-13 BPDU Tunnel application environment


With BPDU Tunnel, Layer 2 protocol packets from user’s networks can be passed through
over the service provider network in the following work flow:
1. After receiving a Layer 2 protocol packet from network 1 of user A, PE 1 in the service provider
network encapsulates the packet, replaces its destination MAC address with a specific multicast
MAC address, and then forwards the packet in the service provider network.
2. The encapsulated Layer 2 protocol packet (called BPDU Tunnel packet) is forwarded to PE 2 at
the other end of the service provider network, which de-encapsulates the packet, restores the
original destination MAC address of the packet, and then sends the packet to network 2 of user
A.
The bpdu-tunnel configuration of the edge switches PE1 and PE2, on their user-side ports, is as follows:
PE1 configuration:
PE1(config)#bpdu-tunnel-protocol stp default-group-mac
PE1(config)#interface ethernet 1/0/1
PE1(config-if-ethernet1/0/1)#bpdu-tunnel-protocol stp
PE2 configuration:
PE2(config)#bpdu-tunnel-protocol stp default-group-mac
PE2(config)#interface ethernet 1/0/1
PE2(config-if-ethernet1/0/1)#bpdu-tunnel-protocol stp
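The two-step workflow above (PE 1 rewrites the destination MAC to the group MAC, PE 2 restores the original), modelled in Python as an added example that is not code from the S4600 guide or the switch. The STP destination address 01:80:c2:00:00:00 is the real IEEE 802.1D bridge group address; the default group MAC, the CE MAC addresses and the BPDU payload are constructed placeholders, since the guide does not state the switch's default group MAC.

```python
"""Added example, not from the S4600 guide: a Python model of the BPDU Tunnel
workflow. PE 1 replaces the destination MAC of a tunnelled Layer 2 protocol
frame with the group MAC, the provider network forwards it as an ordinary
multicast frame, and PE 2 maps the group MAC back to the protocol's original
destination MAC before delivering the frame to the user network.

STP BPDUs use the IEEE 802.1D bridge group address 01:80:c2:00:00:00. The
group MAC below is a constructed placeholder for the switch's default group
MAC, which the guide does not state; the BPDU payload is constructed too.
"""

STP_PROTOCOL_MAC = bytes.fromhex("0180c2000000")   # real IEEE 802.1D address
DEFAULT_GROUP_MAC = bytes.fromhex("010000aabbcc")  # constructed placeholder


class BpduTunnel:
    """The tunnel table of one PE: protocol MAC <-> group MAC, both directions."""

    def __init__(self):
        self._to_group = {}     # protocol MAC -> group MAC (user side -> provider side)
        self._to_protocol = {}  # group MAC -> protocol MAC (provider side -> user side)

    def add_protocol(self, protocol_mac, group_mac=DEFAULT_GROUP_MAC):
        # Equivalent of: bpdu-tunnel-protocol <proto> {group-mac <mac> | default-group-mac}.
        # One group MAC may stand for only one protocol; otherwise the far PE
        # could not restore the right destination address.
        bound = self._to_protocol.get(group_mac)
        if bound is not None and bound != protocol_mac:
            raise ValueError("group MAC already bound to another protocol")
        self._to_group[protocol_mac] = group_mac
        self._to_protocol[group_mac] = protocol_mac

    def encapsulate(self, frame):
        """User-side ingress (PE 1 in the guide). Returns (frame, tunnelled)."""
        group = self._to_group.get(frame[:6])
        if group is None:
            return frame, False  # not a tunnelled protocol: forward unchanged
        return group + frame[6:], True

    def decapsulate(self, frame):
        """Provider-side ingress (PE 2 in the guide). Returns (frame, restored)."""
        proto = self._to_protocol.get(frame[:6])
        if proto is None:
            return frame, False
        return proto + frame[6:], True


def ethernet_frame(dst, src, length_or_type, payload):
    """Build a minimal Ethernet frame: dst(6) src(6) length/type(2) payload."""
    return dst + src + length_or_type.to_bytes(2, "big") + payload


def stp_round_trip(frame):
    """Both PEs configured as in the example: bpdu-tunnel-protocol stp default-group-mac.
    Returns (frame as seen inside the provider network, frame delivered to
    network 2, whether it was tunnelled and restored)."""
    pe1, pe2 = BpduTunnel(), BpduTunnel()
    pe1.add_protocol(STP_PROTOCOL_MAC)
    pe2.add_protocol(STP_PROTOCOL_MAC)
    in_provider, tunnelled = pe1.encapsulate(frame)     # PE 1, from network 1
    delivered, restored = pe2.decapsulate(in_provider)  # PE 2, towards network 2
    return in_provider, delivered, tunnelled and restored


# Constructed sample frames: an STP BPDU from CE 1 and an ordinary data frame.
CE1_MAC = bytes.fromhex("000300000001")
BPDU_FRAME = ethernet_frame(STP_PROTOCOL_MAC, CE1_MAC, 0x0026,
                            bytes.fromhex("424203") + bytes(35))  # LLC 42 42 03 + BPDU body
DATA_FRAME = ethernet_frame(bytes.fromhex("000300000002"), CE1_MAC, 0x0800, bytes(46))

if __name__ == "__main__":
    in_provider, delivered, ok = stp_round_trip(BPDU_FRAME)
    print(in_provider[:6].hex(":"), delivered[:6].hex(":"), ok)
```

Because the frame crosses the provider network with the group MAC as destination, the provider's own switches never see an STP destination address and so do not process the customer's BPDUs; the restoration at PE 2 only works while both PEs agree on the group MAC for each protocol, which is why the model rejects a group MAC already bound to another protocol.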

2.9.4 bpdu-tunnel Troubleshooting


The bpdu-tunnel-protocol function can only be configured on a port after the stp, gvrp and dot1x functions have been disabled on that port.

2.10 DDM

2.10.1 Introduction to DDM

2.10.1.1 Brief Introduction to DDM


DDM (Digital Diagnostic Monitor) is the detailed digital diagnostic function standardized in the SFF-8472 MSA. It specifies that the parameter signals are monitored and digitized on the circuit board inside the module; the calibrated results, or the digitized measurements together with the calibration parameters, are then stored in a standard memory map so that they can be conveniently read over a two-wire serial interface.
Normally, intelligent fiber modules support the Digital Diagnostic function. A network management unit can monitor the parameters of the fiber module (temperature, voltage, bias current, tx power and rx power) and obtain their thresholds and the real-time state of the current fiber module through the inner MCU of the fiber module. This helps the network management unit locate faults in the fiber link, reduces the maintenance workload and enhances system reliability.
DDM applications are as follows:
1. Module lifetime forecast
Monitoring the bias current makes it possible to forecast the laser lifetime. The administrator can find potential problems by monitoring the voltage and temperature of the module.
(1) High Vcc voltage will cause CMOS breakdown; low Vcc voltage will cause abnormal operation.
(2) High rx power will damage the receiving module; low rx power will prevent the receiving module from working normally.
(3) High temperature will result in fast aging of the hardware.
(4) Monitoring the received optical power monitors the capability of the link and of the remote switch.
2. Fault location
In a fiber link, locating the fault quickly is important for fast recovery of the service. Fault isolation helps the administrator quickly determine whether the link fault lies within a module (local module or remote module) or on the link, and reduces the time needed to restore the system.
Analyzing the warning and alarm status of the real-time parameters (temperature, voltage, bias current, tx power and rx power) through the Digital Diagnostic function locates the fault quickly. Besides, the state of Tx Fault and Rx LOS is important for analyzing the fault.
3. Compatibility verification
Compatibility verification is used to analyze whether the environment of the module accords with the data sheet or is compatible with the corresponding standard, because the module’s capability can only be ensured in a compatible environment. When environment parameters exceed the data sheet or the corresponding standard, the module’s capability degrades, which results in transmission errors.
An environment is not compatible with the module in the following cases:
(1) The voltage exceeds the set range.
(2) The rx power is overloaded or is below the sensitivity of the transceiver.
(3) The temperature exceeds the operating temperature range.

2.10.1.2 DDM Function


DDM functions are described as follows:
1. Show the monitoring information of the transceiver
The administrator can learn the current working state of the transceiver and find potential problems by checking the real-time parameters (TX power, RX power, temperature, voltage, bias current) and querying the monitoring information (such as warnings, alarms, real-time state and thresholds). Besides, checking the fault information of the fiber module helps the administrator locate the link fault quickly and shortens the restoration time.
2. Thresholds defined by the user
For the real-time parameters (TX power, RX power, temperature, voltage, bias current) there are fixed thresholds. Because users’ environments differ, the user can define the thresholds (high alarm, low alarm, high warn, low warn) to flexibly monitor the working state of the transceiver and find faults directly.
The thresholds configured by the user and by the manufacturer can be shown at the same time. When a threshold defined by the user is irrational, the system prompts the user and automatically processes alarms or warnings according to the default threshold. (The user can restore all thresholds, or a single threshold, to the defaults.)
Threshold rationality: high/low warn must lie between high alarm and low alarm, and a high threshold must be higher than the corresponding low threshold, namely high alarm >= high warn >= low warn >= low alarm.
For a fiber module, the verification mode of the receiving power is either inner verification or outer verification, as decided by the manufacturer. Besides, the verification mode of the real-time parameters and the default thresholds are the same.
3. Transceiver monitoring
Besides checking the real-time working state of the transceiver, the user needs to monitor the detailed status, such as the time and type of the last abnormality. Transceiver monitoring lets the user find earlier abnormal states by checking the log and query the last abnormal state by executing commands. When the user finds abnormality information for the fiber module, the fiber module may be monitored again after the abnormality has been handled; the user then knows the abnormality information and renews the monitoring.
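The threshold rationality rule and the warning/alarm classification above, in Python, as an added example that is not code from the S4600 guide or the switch. It uses the A+/A-/W+/W- markers that the switch attaches to readings in show transceiver output; the default threshold values are constructed samples (real defaults come from the module vendor and differ per transceiver).

```python
"""Added example, not from the S4600 guide: user-defined DDM thresholds with
the rationality check (high alarm >= high warn >= low warn >= low alarm),
fallback to the defaults when a user set is irrational, and classification
of a reading into the A+/A-/W+/W- markers used by show transceiver.
The DEFAULTS table holds constructed sample values, not vendor data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    high_alarm: float
    high_warn: float
    low_warn: float
    low_alarm: float

    def is_rational(self):
        # The ordering the guide requires: high alarm >= high warn >= low warn >= low alarm
        return self.high_alarm >= self.high_warn >= self.low_warn >= self.low_alarm


# Constructed "manufacturer" defaults, one set per DDM parameter.
DEFAULTS = {
    "temperature": Thresholds(75.0, 70.0, 0.0, -5.0),   # degrees C
    "voltage": Thresholds(5.5, 3.6, 3.0, 2.8),          # V
    "bias": Thresholds(12.0, 10.0, 2.0, 1.0),           # mA
    "rx-power": Thresholds(0.0, -3.0, -19.0, -21.0),    # dBm
    "tx-power": Thresholds(0.0, -3.0, -9.0, -11.0),     # dBm
}

# Column order of the show transceiver table.
PARAMETERS = ("temperature", "voltage", "bias", "rx-power", "tx-power")


def effective_thresholds(parameter, user=None):
    """Return (thresholds, user_applied). An irrational user-defined set is
    rejected and the default set is used instead, as the guide describes."""
    if user is not None and user.is_rational():
        return user, True
    return DEFAULTS[parameter], False


def classify(value, t):
    """Marker for one reading; alarms take precedence over warnings."""
    if value >= t.high_alarm:
        return "A+"
    if value <= t.low_alarm:
        return "A-"
    if value >= t.high_warn:
        return "W+"
    if value <= t.low_warn:
        return "W-"
    return ""


def format_reading(value, parameter, user=None):
    """Render one cell with its marker, e.g. '-30.54(A-)' or '-6.01'."""
    t, _ = effective_thresholds(parameter, user)
    marker = classify(value, t)
    return f"{value:.2f}({marker})" if marker else f"{value:.2f}"


def interface_row(readings, user_thresholds=None):
    """Format one interface's readings in show transceiver column order.
    readings maps parameter -> value; user_thresholds maps parameter -> Thresholds."""
    user_thresholds = user_thresholds or {}
    return [format_reading(readings[p], p, user_thresholds.get(p)) for p in PARAMETERS]


if __name__ == "__main__":
    # Constructed readings: an RX power in warning and a supply voltage well
    # above the high-warn threshold, like the guide's 1/0/23 row.
    print(interface_row({"temperature": 33, "voltage": 5.00, "bias": 6.11,
                         "rx-power": -20.54, "tx-power": -6.02}))
    # A user set whose high warn lies above its high alarm is irrational and
    # is replaced by the default set.
    bad = Thresholds(high_alarm=-5.0, high_warn=-3.0, low_warn=-19.0, low_alarm=-21.0)
    print(effective_thresholds("rx-power", bad))
```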

2.10.2 DDM Configuration Task List


DDM configuration task list:
1. Show the real-time monitoring information of the transceiver
2. Configure the alarm or warning thresholds of each parameter for the transceiver
3. Configure the state of the transceiver monitoring
(1) Configure the interval of the transceiver monitoring
(2) Configure the enable state of the transceiver monitoring
(3) Show the information of the transceiver monitoring
(4) Clear the information of the transceiver monitoring

1. Show the real-time monitoring information of the transceiver

Command Explanation
User mode, admin mode and global mode
show transceiver [interface ethernet <interface-list>] [detail]
    Show the monitoring information of the transceiver.

2. Configure the alarm or warning thresholds of each parameter for the transceiver

Command Explanation
Port mode
transceiver threshold {default | {temperature | voltage | bias | rx-power | tx-power} {high-alarm | low-alarm | high-warn | low-warn} {<value> | default}}
    Set the threshold defined by the user.

3. Configure the state of the transceiver monitoring


(1) Configure the interval of the transceiver monitoring

Command Explanation
Global mode
transceiver-monitoring interval <minutes>
no transceiver-monitoring interval
    Set the interval of the transceiver monitor. The no command restores the default interval of 15 minutes.

(2) Configure the enable state of the transceiver monitoring

Command Explanation
Port mode
transceiver-monitoring {enable | disable}
    Set whether transceiver monitoring is enabled. Only when the port enables transceiver monitoring does the system record the abnormity state. After the port disables the function, the abnormity information is cleared.

(3) Show the information of the transceiver monitoring

Command Explanation
Admin mode and global mode
show transceiver threshold-violation [interface ethernet <interface-list>]
    Show the information of the transceiver monitoring, including the last threshold-violation information, the interval of the current transceiver monitoring and whether the port enables transceiver monitoring.

(4) Clear the information of the transceiver monitoring

Command Explanation
Admin mode
clear transceiver threshold-violation [interface ethernet <interface-list>]
    Clear the threshold violations recorded by the transceiver monitor.

2.10.3 Examples of DDM


Example 1:
A fiber module with DDM is inserted in Ethernet 21 and Ethernet 23, a fiber module without DDM is inserted in Ethernet 24, and no fiber module is inserted in Ethernet 22. Show the DDM information of the fiber modules.
a. Show the information of all interfaces whose real-time parameters can be read normally (if no fiber module is inserted or the fiber module is not supported, the interface is not shown), for example:
Switch#show transceiver
Interface Temp(℃) Voltage(V) Bias(mA) RX Power(dBM) TX Power(dBM)
1/0/21 33 3.31 6.11 -30.54(A-) -6.01
1/0/23 33 5.00(W+) 6.11 -20.54(W-) -6.02
b. Show the information of the specified interfaces (N/A means that no fiber module is inserted or the fiber module is not supported), for example:
Switch#show transceiver interface ethernet 1/0/21-22;23
Interface Temp(℃) Voltage(V) Bias(mA) RX Power(dBM) TX Power(dBM)
1/0/21 33 3.31 6.11 -30.54(A-) -6.01
1/0/22 N/A N/A N/A N/A N/A
1/0/23 33 5.00(W+) 6.11 -20.54(W-) -6.02
c. Show the detailed information, including the base information, the real-time monitored parameter values, the warning, alarm and abnormity states, the threshold information and the serial number, for example:
Switch#show transceiver interface ethernet 1/0/21-22;24 detail
Ethernet 1/0/21 transceiver detail information:
Base information:
SFP found in this port, manufactured by company, on Sep 29 2010.
Type is 1000BASE-SX. Serial Number is 1108000001.
Link length is 550 m for 50um Multi-Mode Fiber.
Link length is 270 m for 62.5um Multi-Mode Fiber.
Nominal bit rate is 1300 Mb/s, Laser wavelength is 850 nm.
Brief alarm information:
RX loss of signal
Voltage high
RX power low
Detail diagnostic and threshold information:
Diagnostic Threshold
Realtime Value High Alarm Low Alarm High Warn Low Warn
-------------- ----------- ----------- ------------ ---------
Temperature(℃) 33 70 0 70 0
Voltage(V) 7.31(A+) 5.00 0.00 5.00 0.00
Bias current(mA) 6.11(W+) 10.30 0.00 5.00 0.00
RX Power(dBM) -30.54(A-) 9.00 -25.00 9.00 -25.00
TX Power(dBM) -6.01 9.00 -25.00 9.00 -25.00

Ethernet 1/0/22 transceiver detail information: N/A

Ethernet 1/0/24 transceiver detail information:


Base information:
SFP found in this port, manufactured by company, on Sep 29 2010.
Type is 1000BASE-SX. Serial Number is 1108000001.
Link length is 550 m for 50um Multi-Mode Fiber.
Link length is 270 m for 62.5um Multi-Mode Fiber.
Nominal bit rate is 1300 Mb/s, Laser wavelength is 850 nm.
Brief alarm information: N/A
Detail diagnostic and threshold information: N/A

Explanation: if the serial number is 0, it is shown as not specified, as below:
SFP found in this port, manufactured by company, on Sep 29 2010.
Type is 1000BASE-SX. Serial Number is not specified.
Link length is 550 m for 50um Multi-Mode Fiber.
Link length is 270 m for 62.5um Multi-Mode Fiber.
Nominal bit rate is 1300 Mb/s, Laser wavelength is 850 nm.
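The table printed by show transceiver can be checked automatically rather than read by eye. The following Python code is an added example, not part of the original guide: it parses a constructed sample in the format shown above and lists every parameter carrying an A+/A-/W+/W- marker, so a monitoring script can raise an alert on an alarm before the fiber link fails.

```python
import re

# Constructed sample in the format of "show transceiver" shown above (not captured from a device).
SAMPLE_OUTPUT = """\
Interface Temp(℃) Voltage(V) Bias(mA) RX Power(dBM) TX Power(dBM)
1/0/21 33 3.31 6.11 -30.54(A-) -6.01
1/0/22 N/A N/A N/A N/A N/A
1/0/23 33 5.00(W+) 6.11 -20.54(W-) -6.02
"""

# Column order of the real-time parameters in the table body.
PARAMS = ("temperature", "voltage", "bias", "rx_power", "tx_power")

# A value is a number, optionally followed by one of the four threshold markers:
# A+ / A- : high / low alarm threshold crossed, W+ / W- : high / low warning threshold crossed.
FIELD_RE = re.compile(r"^(-?\d+(?:\.\d+)?)(?:\((A\+|A-|W\+|W-)\))?$")


def parse_show_transceiver(text):
    """Parse the table body into {interface: {param: (value, marker)}}.

    Interfaces reported as N/A (no module, or a module without DDM) map to None.
    """
    result = {}
    for line in text.splitlines()[1:]:          # the first line is the column header
        fields = line.split()
        if len(fields) != 1 + len(PARAMS):
            continue                            # not a data row
        iface, values = fields[0], fields[1:]
        if values[0] == "N/A":
            result[iface] = None
            continue
        params = {}
        for name, token in zip(PARAMS, values):
            m = FIELD_RE.match(token)
            if m is None:
                raise ValueError(f"unexpected value {token!r} on interface {iface}")
            params[name] = (float(m.group(1)), m.group(2))
        result[iface] = params
    return result


def threshold_violations(parsed):
    """Return [(interface, param, value, marker)] for every flagged parameter."""
    found = []
    for iface, params in parsed.items():
        if params is None:
            continue
        for name, (value, marker) in params.items():
            if marker is not None:
                found.append((iface, name, value, marker))
    return found


def worst_state(parsed, iface):
    """'alarm' if any A+/A- marker, else 'warn' if any W+/W-, else 'ok'; None without DDM data."""
    params = parsed.get(iface)
    if params is None:
        return None
    markers = {marker for _, marker in params.values() if marker}
    if markers & {"A+", "A-"}:
        return "alarm"
    if markers & {"W+", "W-"}:
        return "warn"
    return "ok"


if __name__ == "__main__":
    parsed = parse_show_transceiver(SAMPLE_OUTPUT)
    for iface, name, value, marker in threshold_violations(parsed):
        print(f"{iface}: {name} = {value} [{marker}] -> {worst_state(parsed, iface)}")
```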

Example 2:
A fiber module with DDM is inserted in Ethernet 21. Configure the thresholds of the fiber module after showing the DDM information.
Step 1: Show the detailed DDM information.
Switch#show transceiver interface ethernet 1/0/21 detail
Ethernet 1/0/21 transceiver detail information:
Base information:
……
Brief alarm information:
RX loss of signal
Voltage high
RX power low
Detail diagnostic and threshold information:
Diagnostic Threshold
Realtime Value High Alarm Low Alarm High Warn Low Warn
-------------- ----------- ----------- ------------ ---------
Temperature(℃) 33 70 0 70 0
Voltage(V) 7.31(A+) 5.00 0.00 5.00 0.00
Bias current(mA) 6.11(W+) 10.30 0.00 5.00 0.00
RX Power(dBM) -30.54(A-) 9.00 -25.00 9.00 -25.00
TX Power(dBM) -13.01 9.00 -25.00 9.00 -25.00

Step 2: Configure the tx-power thresholds of the fiber module: the low-warning threshold is -12 and the low-alarm threshold is -10.00.
Switch#config
Switch(config)#interface ethernet 1/0/21
Switch(config-if-ethernet1/0/21)#transceiver threshold tx-power low-warning -12
Switch(config-if-ethernet1/0/21)#transceiver threshold tx-power low-alarm -10.00

Step 3: Show the detailed DDM information of the fiber module. The alarm uses the threshold configured by the user; the threshold configured by the manufacturer is shown in brackets. The 'A-' alarm is raised because -13.01 is less than -12.00.
Switch#show transceiver interface ethernet 1/0/21 detail
Ethernet 1/0/21 transceiver detail information:
Base information:
……
Brief alarm information:
RX loss of signal
Voltage high
RX power low
TX power low
Detail diagnostic and threshold information:
Diagnostic Threshold
Realtime Value High Alarm Low Alarm High Warn Low Warn
-------------- ----------- ----------- ---------- ---------
Temperature(℃) 33 70 0 70 0
Voltage(V) 7.31(A+) 5.00 0.00 5.00 0.00
Bias current(mA) 6.11(W+) 10.30 0.00 5.00 0.00
RX Power(dBM) -30.54(A-) 9.00 -25.00 9.00 -25.00
TX Power(dBM) -13.01(A-) 9.00 -12.00(-25.00) 9.00 -10.00(-25.00)

Example 3:
A fiber module with DDM is inserted in Ethernet 21. Enable transceiver monitoring on the port after showing the transceiver monitoring of the fiber module.

Step 1: Show the transceiver monitoring of the fiber module. Transceiver monitoring is disabled on both Ethernet 21 and Ethernet 22, and the monitoring interval is set to 30 minutes.
Switch(config)#show transceiver threshold-violation interface ethernet 1/0/21-22
Ethernet 1/0/21 transceiver threshold-violation information:
Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
The last threshold-violation doesn’t exist.

Ethernet 1/0/22 transceiver threshold-violation information:
Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
The last threshold-violation doesn’t exist.

Step 2: Enable transceiver monitoring on Ethernet 21.
Switch(config)#interface ethernet 1/0/21
Switch(config-if-ethernet1/0/21)#transceiver-monitoring enable

Step 3: Show the transceiver monitoring of the fiber module. In the following output, Ethernet 21 has transceiver monitoring enabled, the last threshold-violation time is Jan 02 11:00:50 2011, and the detailed DDM information that exceeded the threshold is also shown.
Switch(config-if-ethernet1/0/21)#quit
Switch(config)#show transceiver threshold-violation interface ethernet 1/0/21-22
Ethernet 1/0/21 transceiver threshold-violation information:
Transceiver monitor is enabled. Monitor interval is set to 30 minutes.
The current time is Jan 02 12:30:50 2011.
The last threshold-violation time is Jan 02 11:00:50 2011.
Brief alarm information:
RX loss of signal
RX power low
Detail diagnostic and threshold information:
Diagnostic Threshold
Realtime Value High Alarm Low Alarm High Warn Low Warn
------------ ----------- ----------- ------------ ---------
Temperature(℃) 33 70 0 70 0
Voltage(V) 7.31 10.00 0.00 5.00 0.00
Bias current(mA) 3.11 10.30 0.00 5.00 0.00
RX Power(dBM) -30.54(A-) 9.00 -25.00(-34) 9.00 -25.00
TX Power(dBM) -1.01 9.00 -12.05 9.00 -10.00

Ethernet 1/0/22 transceiver threshold-violation information:
Transceiver monitor is disabled. Monitor interval is set to 30 minutes.
The last threshold-violation doesn’t exist.

2.10.4 DDM Troubleshooting

If problems occur when configuring DDM, please check whether the problem is caused by the following reasons:
 Ensure that the transceiver of the fiber module is firmly inserted in the port, or else the DDM information will not be shown.
 Ensure that the SNMP configuration is valid, or else warning events cannot be reported to the network management system.
 Because only some boards and box switches support SFP with DDM or XFP with DDM, ensure that the board and switch in use support the corresponding function.
 The show transceiver and show transceiver detail commands take a long time because the switch checks all ports, so it is recommended to query the monitoring information of the transceiver on a specified port.
 Ensure that the threshold defined by the user is valid. When any threshold is in error, the transceiver gives alarms according to the default setting automatically.

2.11 EFM OAM

2.11.1 Introduction to EFM OAM

Ethernet was designed for the Local Area Network at the beginning, but link length and network scope have extended rapidly as Ethernet is also applied to the Metropolitan Area Network and Wide Area Network. The lack of an effective management mechanism hinders the application of Ethernet to the Metropolitan Area Network and Wide Area Network, so implementing OAM on Ethernet has become a necessary development trend.
There are four protocol standards for Ethernet OAM: 802.3ah (EFM OAM), 802.3ag (CFM), E-LMI and Y.1731. EFM OAM and CFM are set by the IEEE. EFM OAM works in the data link layer to discover and manage the status of the lowest-level data link. Using EFM OAM can effectively advance the management and maintenance of Ethernet to ensure stable network operation. CFM is used for monitoring the connectivity of the whole network and locating faults in the access and aggregation network layers. Compared with CFM, the Y.1731 standard set by the ITU (International Telecommunications Union) is more powerful. The E-LMI standard set by the MEF is only applied to the UNI. The above protocols can be used for different network topologies and management needs, and they complement each other.
EFM OAM (Ethernet in the First Mile Operation, Administration and Maintenance) works in the data link layer of the OSI model and implements its functions through the OAM sublayer, as shown in the figure below:

[Figure: OSI model beside the LAN CSMA/CD stack; the higher layers sit above LLC, the optional OAM sublayer sits between LLC and MAC within the data link layer, and the physical layer is below]

Figure 2-14 OAM location in OSI model


OAM protocol data units (OAMPDUs) are sent to the protocol destination MAC address 01-80-c2-00-00-02, and the maximum transmission rate is 10 packets per second.
EFM OAM is built on an OAM connection. It provides link operation management mechanisms such as link monitoring, remote fault detection and remote loopback testing. A brief introduction to EFM OAM follows:
1. Ethernet OAM connection establishment
An Ethernet OAM entity discovers remote OAM entities and establishes sessions with them by exchanging Information OAMPDUs. EFM OAM can operate in two modes: active mode and passive mode. A session can only be initiated by an OAM entity working in active mode; an entity working in passive mode must wait until it receives the connection request. After an Ethernet OAM connection is established, the Ethernet OAM entities on both sides exchange Information OAMPDUs continuously to keep the Ethernet OAM connection valid. If an Ethernet OAM entity receives no Information OAMPDU for five seconds, the Ethernet OAM connection is disconnected.

2. Link Monitoring
Fault detection in an Ethernet is difficult, especially when the physical connection in the network is not broken but network performance is degrading gradually. Link monitoring is used to detect and discover link faults in various environments. EFM OAM implements link monitoring through the exchange of Event Notification OAMPDUs. When it detects a link error event, the local OAM entity sends an Event Notification OAMPDU to notify the remote OAM entity. At the same time it logs the information and sends an SNMP Trap to the network management system. When the OAM entity on the other side receives the notification, it also logs and reports it. With the log information, network administrators can keep track of the network status in time.
The link events monitored by EFM OAM are the error events that happen on the link: the Errored symbol period event, the Errored frame event, the Errored frame period event and the Errored frame seconds event.
Errored symbol period event: the number of errored symbols in the window reaches or exceeds the low threshold. (Symbol: the minimum data transmission unit of the physical medium. It is specific to the coding system, so symbols may differ between physical mediums; the symbol rate is the number of changes of the electrical state per second.)
Errored frame period event: with N specified as the frame period, the number of errored frames received within a window of N frames reaches or exceeds the low threshold. (Errored frame: a received frame in which an error is detected by the CRC.)
Errored frame event: the number of errored frames detected over M seconds reaches or exceeds the low threshold.
Errored frame seconds event: the number of errored frame seconds detected over M seconds reaches or exceeds the low threshold. (Errored frame second: a second in which at least one errored frame is received.)

3. Remote Fault Detection

In a network where traffic is interrupted due to device failures or unavailability, the flag field defined in Ethernet OAMPDUs allows an Ethernet OAM entity to send fault information to its peer. As Information OAMPDUs are exchanged continuously across established OAM connections, an Ethernet OAM entity can inform its OAM peer of link faults through Information OAMPDUs. Therefore, the network administrator can keep track of the link status in time through the log information and troubleshoot in time.
There are three kinds of link faults in the Information OAMPDU: Critical Event, Dying Gasp and Link Fault. Their definitions differ between manufacturers; here the definitions are as below:
Critical Event: the EFM OAM function of the port is disabled.
Link Fault: the number of unidirectional operation events or faults reaches or exceeds the high threshold locally. Unidirectional operation means that the link cannot work normally in one direction on a full-duplex link without autonegotiation. EFM OAM can detect the fault and inform the remote OAM peer by sending an Information OAMPDU.
Dying Gasp: no definition at present. Although the device does not generate Dying Gasp OAMPDUs, it still receives and processes such OAMPDUs sent by its peer.

4. Remote loopback testing

Remote loopback testing is available only after an Ethernet OAM connection is established. With remote loopback enabled, the Ethernet OAM entity operating in active mode issues remote loopback requests and the peer responds to them. If the peer operates in loopback mode, it returns all packets except Ethernet OAMPDUs to the sender along the original path. Performing remote loopback testing periodically helps to detect network faults in time. Furthermore, performing remote loopback testing by network segment helps to locate network faults. Note: normal communication is not processed in remote loopback mode.
A typical EFM OAM application topology is shown in the following figure. It is used for point-to-point links and emulated IEEE 802.3 point-to-point links. The device enables EFM OAM on the point-to-point connection to monitor link faults in the First Mile of Ethernet access. For the user, the connection between the user and the telecommunication network is "the First Mile"; for the service provider, it is "the Last Mile".

[Figure: Customer, Service Provider, Customer; the CE and PE devices exchange OAMPDUs over the 802.3ah Ethernet in the First Mile link]

Figure 2-15 Typical OAM application topology

2.11.2 EFM OAM Configuration


EFM OAM configuration task list
1. Enable EFM OAM function of port
2. Configure link monitor
3. Configure remote failure
4. Enable EFM OAM loopback of port

Note: it needs to enable OAM first when configuring OAM parameters.

1. Enable EFM OAM function of port

Command Explanation
Port mode
ethernet-oam mode {active | passive}
    Configure the work mode of EFM OAM; the default is active mode.
ethernet-oam
no ethernet-oam
    Enable EFM OAM on the port; the no command disables EFM OAM on the port.
ethernet-oam period <seconds>
no ethernet-oam period
    Configure the transmission period of OAMPDUs (optional); the no command restores the default value.
ethernet-oam timeout <seconds>
no ethernet-oam timeout
    Configure the timeout of the EFM OAM connection; the no command restores the default value.

2. Configure link monitor

Command Explanation
Port mode
ethernet-oam link-monitor
no ethernet-oam link-monitor
    Enable link monitoring of EFM OAM; the no command disables link monitoring.
ethernet-oam errored-symbol-period {threshold low <low-symbols> | window <seconds>}
no ethernet-oam errored-symbol-period {threshold low | window}
    Configure the low threshold and window period of the errored symbol period event; the no command restores the default value. (optional)
ethernet-oam errored-frame-period {threshold low <low-frames> | window <seconds>}
no ethernet-oam errored-frame-period {threshold low | window}
    Configure the low threshold and window period of the errored frame period event; the no command restores the default value.
ethernet-oam errored-frame {threshold low <low-frames> | window <seconds>}
no ethernet-oam errored-frame {threshold low | window}
    Configure the low threshold and window period of the errored frame event; the no command restores the default value. (optional)
ethernet-oam errored-frame-seconds {threshold low <low-frame-seconds> | window <seconds>}
no ethernet-oam errored-frame-seconds {threshold low | window}
    Configure the low threshold and window period of the errored frame seconds event; the no command restores the default value. (optional)

3. Configure remote failure

Command Explanation
Port mode
ethernet-oam remote-failure
no ethernet-oam remote-failure
    Enable remote failure detection of EFM OAM (failure means a critical-event or link-fault event on the local side); the no command disables the function. (optional)
ethernet-oam errored-symbol-period threshold high {high-symbols | none}
no ethernet-oam errored-symbol-period threshold high
    Configure the high threshold of the errored symbol period event; the no command restores the default value. (optional)
ethernet-oam errored-frame-period threshold high {high-frames | none}
no ethernet-oam errored-frame-period threshold high
    Configure the high threshold of the errored frame period event; the no command restores the default value. (optional)
ethernet-oam errored-frame threshold high {high-frames | none}
no ethernet-oam errored-frame threshold high
    Configure the high threshold of the errored frame event; the no command restores the default value. (optional)
ethernet-oam errored-frame-seconds threshold high {high-frame-seconds | none}
no ethernet-oam errored-frame-seconds threshold high
    Configure the high threshold of the errored frame seconds event; the no command restores the default value. (optional)
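The link-monitor low thresholds and the remote-failure high thresholds above act on the same error counts. The following Python code is an added example, not part of the original guide or the switch software: it evaluates constructed per-second errored-frame samples window by window and reports, for the errored frame and errored frame seconds events, whether the low threshold (an Event Notification OAMPDU to the peer) or the high threshold (a link-fault remote failure) is reached. The window lengths and thresholds are assumed illustrative values, not switch defaults.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class EventConfig:
    """Thresholds of one EFM OAM link event, as set with the commands in the tables above."""
    name: str
    window: int           # window length in seconds (errored-frame, errored-frame-seconds)
    low: int              # "threshold low": reached -> Event Notification OAMPDU is sent
    high: Optional[int]   # "threshold high": reached -> link-fault remote failure; None = "none"


def classify(cfg: EventConfig, count: int) -> str:
    """Classify a completed window. The high threshold takes precedence over the low one."""
    if cfg.high is not None and count >= cfg.high:
        return "link-fault"
    if count >= cfg.low:
        return "event"
    return "none"


def errored_frame_seconds(samples: List[int]) -> int:
    """An errored frame second is a second in which at least one errored frame was received."""
    return sum(1 for n in samples if n >= 1)


def evaluate(cfg: EventConfig, per_second_errors: List[int],
             metric: str = "frames") -> List[Tuple[int, int, str]]:
    """Split per-second errored-frame samples into consecutive windows of cfg.window seconds
    and return (window_index, count, verdict) for every complete window.

    metric="frames"  counts errored frames  (Errored frame event)
    metric="seconds" counts errored seconds (Errored frame seconds event)
    """
    verdicts = []
    for index, start in enumerate(range(0, len(per_second_errors), cfg.window)):
        chunk = per_second_errors[start:start + cfg.window]
        if len(chunk) < cfg.window:
            break                              # an incomplete window is not evaluated
        count = sum(chunk) if metric == "frames" else errored_frame_seconds(chunk)
        verdicts.append((index, count, classify(cfg, count)))
    return verdicts


# Constructed samples: errored frames received in each of 30 consecutive seconds.
SAMPLE_ERRORS = [0] * 10 + [1, 0, 2, 0, 1, 0, 1, 0, 0, 0] + [5, 5, 5, 5, 0, 0, 0, 0, 0, 0]

# Assumed configuration (illustrative values, not the switch defaults):
#   ethernet-oam errored-frame window 10 / threshold low 5 / threshold high 20
ERRORED_FRAME = EventConfig("errored-frame", window=10, low=5, high=20)
#   ethernet-oam errored-frame-seconds window 10 / threshold low 3 / threshold high none
ERRORED_FRAME_SECONDS = EventConfig("errored-frame-seconds", window=10, low=3, high=None)

if __name__ == "__main__":
    for cfg, metric in ((ERRORED_FRAME, "frames"), (ERRORED_FRAME_SECONDS, "seconds")):
        for index, count, verdict in evaluate(cfg, SAMPLE_ERRORS, metric):
            print(f"{cfg.name} window {index}: count={count} -> {verdict}")
```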

4. Enable EFM OAM loopback of port

2.11.3 EFM OAM Example


Example:
CE and PE devices on a point-to-point link enable EFM OAM to monitor the performance of "the First Mile" link. Log information is reported to the network management system when a fault event occurs, and the remote loopback function is used to test the link when necessary.

[Figure: CE Ethernet 1/0/1 connected to PE Ethernet 1/0/1, exchanging OAMPDUs]

Figure 2-16 Typical OAM application topology


Configuration procedure: (SNMP and log configuration are omitted in the following)
Configuration on CE:
CE(config)#interface ethernet 1/0/1
CE(config-if-ethernet1/0/1)#ethernet-oam mode passive
CE(config-if-ethernet1/0/1)#ethernet-oam
CE(config-if-ethernet1/0/1)#ethernet-oam remote-loopback supported
Other parameters use the default configuration.

Configuration on PE:
PE(config)#interface ethernet 1/0/1
PE(config-if-ethernet1/0/1)#ethernet-oam
Other parameters use the default configuration.

Execute the following command to start remote loopback:
PE(config-if-ethernet1/0/1)#ethernet-oam remote-loopback
Execute the following command to make the OAM peer exit OAM loopback after the test is complete:
PE(config-if-ethernet1/0/1)#no ethernet-oam remote-loopback
Execute the following command to stop supporting remote loopback:
CE(config-if-ethernet1/0/1)#no ethernet-oam remote-loopback supported

2.11.4 EFM OAM Troubleshooting

If a problem occurs when using EFM OAM, please check whether the problem is caused by the following reasons:
 Check whether the OAM entities at both ends of the link are in passive mode. If so, an EFM OAM connection cannot be established between the two OAM entities.
 Ensure the SNMP configuration is correct, or else errored events cannot be reported to the network management system.
 The link does not communicate normally in OAM loopback mode, so remote loopback should be cancelled in time after the link performance has been tested.
 Ensure the board in use supports the remote loopback function.
 STP, MRPP, ULPP, Flow Control and loopback detection should not be configured on a port after it enables OAM loopback, because the OAM remote loopback function and these functions are mutually exclusive.
 Check whether the port negotiation status is auto negotiation at both EFM OAM ends of the link; a port in auto negotiation status cannot be UP.

2.12 PORT SECURITY

2.12.1 Introduction to PORT SECURITY


Port security is a MAC address-based security mechanism for network access control. It is an extension to the existing 802.1x authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of received frames, and access to unauthorized devices by checking the destination MAC address of sent frames. With port security, you can define various port security modes so that a device learns only legal source MAC addresses, implementing the corresponding network security management. After port security is enabled, when the device detects an illegal frame it triggers the corresponding port security feature and takes a pre-defined action automatically. This reduces the user's maintenance workload and greatly enhances system security.

2.12.2 PORT SECURITY Configuration Task List


1. Basic configuration for PORT SECURITY
Command Explanation
Port mode
switchport port-security
no switchport port-security
    Configure port security on the interface.
switchport port-security mac-address <mac-address> [vlan <vlan-id>]
no switchport port-security mac-address <mac-address> [vlan <vlan-id>]
    Configure a static secure MAC address of the interface.
switchport port-security maximum <value> [vlan <vlan-list>]
no switchport port-security maximum <value> [vlan <vlan-list>]
    Configure the maximum number of secure MAC addresses allowed by the interface.
switchport port-security violation {protect | recovery | restrict | shutdown}
no switchport port-security violation
    Set the violation mode of the interface. When the maximum number of configured MAC addresses is exceeded and a MAC address accessing the interface does not belong to this interface in the MAC address table, or when a MAC address is configured on several interfaces in the same VLAN, both cases violate the security of the MAC address.
switchport port-security aging {static | time <value> | type {absolute | inactivity}}
no switchport port-security violation aging {static | time | type}
    Enable aging of port-security entries on the interface, and specify the aging time or aging type.
Admin mode
clear port-security {all | configured | dynamic | sticky} [[address <mac-addr> | interface <interface-id>] [vlan <vlan-id>]]
    Clear the secure MAC entries of the interface.
show port-security [interface <interface-id>] [address | vlan]
    Show the port security configuration.

2.12.3 Example of PORT SECURITY

[Figure: HOST A and HOST B connect to Ethernet1/0/1 of the SWITCH, which connects to the Internet]

Figure 2-17 Typical topology chart for port security


When port security is enabled on the interface and the maximum number of secure MAC addresses allowed by the interface is configured as 10, the interface allows at most 10 users to access the Internet. If the maximum number is exceeded, new users cannot access the Internet, so the number of users is limited and Internet access is kept safe. If the maximum number of secure MAC addresses is configured as 1, only HOST A or HOST B is able to access the Internet.
Configuration process:
#Configure the switch.
Switch(config)#interface Ethernet 1/0/1


Switch(config-if-ethernet1/0/1)#switchport port-security
Switch(config-if-ethernet1/0/1)#switchport port-security maximum 10
Switch(config-if-ethernet1/0/1)#exit
Switch(config)#
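To make the maximum and the two violation cases in the table above concrete, here is an added example that is not part of the original guide or the switch software: a Python model of a port-security interface that learns secure MAC addresses up to the configured maximum and applies a violation action. The meanings given to protect (drop silently), restrict (drop and log) and shutdown (drop and disable the port) are the usual industry semantics and are assumptions, since the guide does not define them; the recovery mode is not modelled, and all MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    """One interface with switchport port-security enabled."""
    name: str
    maximum: int = 1                       # switchport port-security maximum <value>
    violation: str = "protect"             # protect | restrict | shutdown (assumed semantics)
    static_macs: Set[str] = field(default_factory=set)   # switchport port-security mac-address
    learned: Set[str] = field(default_factory=set)       # dynamically learned secure MACs
    is_shutdown: bool = False
    log: List[str] = field(default_factory=list)

    def secure_count(self) -> int:
        return len(self.static_macs | self.learned)

    def receive(self, src_mac: str, vlan_table: Dict[str, str]) -> str:
        """Handle an ingress frame with source src_mac; return 'forward' or 'drop'.

        vlan_table maps MAC -> interface name for secure MACs already bound in this VLAN,
        so that a MAC secured on another interface of the same VLAN is a violation.
        """
        src_mac = src_mac.lower()
        if self.is_shutdown:
            return "drop"
        if src_mac in self.static_macs or src_mac in self.learned:
            return "forward"                                 # already a secure MAC here
        owner = vlan_table.get(src_mac)
        if owner is not None and owner != self.name:
            return self._violate(src_mac, f"MAC is secured on {owner} in the same VLAN")
        if self.secure_count() >= self.maximum:
            return self._violate(src_mac, "maximum number of secure MACs exceeded")
        self.learned.add(src_mac)
        vlan_table[src_mac] = self.name
        return "forward"

    def _violate(self, src_mac: str, reason: str) -> str:
        """Apply the configured violation action (assumed semantics, see the lead-in)."""
        if self.violation == "restrict":
            self.log.append(f"{self.name}: violation by {src_mac}: {reason}")
        elif self.violation == "shutdown":
            self.is_shutdown = True
            self.log.append(f"{self.name}: shut down after violation by {src_mac}: {reason}")
        # "protect": drop silently, nothing logged
        return "drop"


def simulate(port: SecurePort, frames: List[str], vlan_table: Dict[str, str] = None) -> List[str]:
    """Feed a sequence of source MACs into the port and return the per-frame verdicts."""
    table = {} if vlan_table is None else vlan_table
    return [port.receive(mac, table) for mac in frames]


# Constructed sample: eleven hosts behind Ethernet 1/0/1, which is configured with maximum 10.
HOSTS = [f"00:11:22:33:44:{i:02x}" for i in range(11)]

if __name__ == "__main__":
    port = SecurePort("Ethernet1/0/1", maximum=10, violation="restrict")
    verdicts = simulate(port, HOSTS)
    print(verdicts.count("forward"), "hosts admitted,", verdicts.count("drop"), "dropped")
    for entry in port.log:
        print(entry)
```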

2.12.4 PORT SECURITY Troubleshooting


If problems occur when configuring PORT SECURITY, please check whether the problem is
caused by the following reasons:
 Check whether PORT SECURITY is enabled normally
 Check whether the valid maximum number of MAC addresses is configured

2.13 EEE Energy-saving

2.13.1 Introduction to EEE Energy-saving


EEE is Energy Efficient Ethernet. After this function is enabled on a port, the switch detects the port state automatically. If the port is idle and there is no data transmission, the port changes to power saving mode and cuts down the power of the port to save energy.

2.13.2 EEE Energy-saving configuration List


1. Enable EEE energy-saving function
Command Explanation
Port Mode
eee enable
no eee enable
    Enable the energy-saving function of the port; the no command disables the energy-saving function of the port.

2.13.3 EEE Energy-saving Typical Examples


Case: configure port 1 of the switch to power saving mode.
The configuration steps are as below:
Switch(config-if-ethernet1/0/1)#eee enable

2.14 LED shut-off

2.14.1 Introduction to LED shut-off


The LED shut-off function of the port turns all the port LEDs off during the time-range configured by the user, regardless of the link-act status, which saves power. When no time-range is configured, or the time-range has expired, the port LEDs are lit according to the link-act status.

2.14.2 LED shut-off Configuration


1. Make the LED off in the appointed time-range
Command Explanation
Global Configuration Mode
port-led shutoff time-range <time-range-name>
no port-led shutoff
    Configure or cancel the LEDs being off in the appointed time-range.

2.14.3 LED shut-off Examples


Case: Configure all the LEDs to be off from Monday 14:30 to Friday 18:30.
The configuration steps are as below:
1. Configure a time-range:
switch(config)#time-range t1
2. Appoint the periodic time for t1:
switch(Config-Time-t1)#periodic Monday Friday 14:30:00 to 18:30:00
3. Configure the time-range of the LED OFF globally:
switch(config)#port-led shutoff time-range t1

2.15 VLAN

2.15.1 Introduction to VLAN


VLAN (Virtual Local Area Network) is a technology that divides the logical addresses of devices within the network into separate network segments based on functions, applications or management requirements. In this way, virtual workgroups can be formed regardless of the physical location of the devices. IEEE published the IEEE 802.1Q protocol to direct standardized VLAN implementation, and the VLAN function of the switch is implemented following IEEE 802.1Q.
The key idea of VLAN technology is that a large LAN can be partitioned dynamically into many separate broadcast domains to meet the demands.

[Figure: three switches; VLAN1 contains the servers, VLAN2 contains PCs, and VLAN3 contains PCs and a laser printer, each VLAN spanning the switches]

Figure 2-18 VLAN network defined logically

Each broadcast domain is a VLAN. VLANs have the same properties as physical LANs, except that a VLAN is a logical partition rather than a physical one. Therefore, VLANs can be partitioned regardless of physical location, and the broadcast, multicast and unicast traffic within a VLAN is separated from other VLANs.
With the aforementioned features, VLAN technology provides the following conveniences:
 Improving network performance
 Saving network resources
 Simplifying network management
 Lowering network cost
 Enhancing network security
Switch Ethernet ports can work in three modes: Access, Hybrid and Trunk. Each mode has a different method of processing tagged and untagged packets when forwarding.
Ports of Access type belong to only one VLAN; they are usually used to connect the ports of computers.
Ports of Trunk type allow multiple VLANs to pass and can receive and send the packets of multiple VLANs. They are usually used to connect switches.
Ports of Hybrid type allow multiple VLANs to pass and can receive and send the packets of multiple VLANs. They can be used to connect switches, or to connect a user's computer.
Hybrid ports and Trunk ports receive data with the same processing method, but send data differently: Hybrid ports can send the packets of multiple VLANs without the VLAN tag, while Trunk ports send the packets of multiple VLANs with the VLAN tag, except for the port's native VLAN.

The switch implements VLAN and GVRP (GARP VLAN Registration Protocol), which are defined by 802.1Q. This chapter explains the use and configuration of VLAN and GVRP in detail.
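The three port modes differ mainly in how a frame is tagged on the way out. The following Python model is an added example, not part of the original guide or the switch software: it applies the receive and send rules described above to Access, Trunk and Hybrid ports, with an ingress check (drop frames of VLANs not allowed on the port) standing in for the VLAN ingress rules. The sample ports, VLAN numbers and the handling of tagged frames on an Access port are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    mode: str                                  # "access" | "trunk" | "hybrid"
    pvid: int = 1                              # access VLAN, or native VLAN of a trunk/hybrid port
    allowed: Set[int] = field(default_factory=set)   # trunk/hybrid: VLANs allowed to pass
    untagged: Set[int] = field(default_factory=set)  # hybrid only: VLANs sent without a tag
    ingress_rules: bool = True                 # vlan ingress enable

    def __post_init__(self):
        if self.mode not in ("access", "trunk", "hybrid"):
            raise ValueError(f"unknown port mode {self.mode!r}")


def classify_ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a received frame is placed in (tag=None for an untagged frame); None = dropped.

    Trunk and hybrid ports receive with the same method: an untagged frame goes to the
    native VLAN (PVID); a tagged frame keeps its VLAN if that VLAN is allowed on the port.
    An access port (assumption) accepts untagged frames and frames tagged with its own VLAN.
    """
    if port.mode == "access":
        return port.pvid if tag in (None, port.pvid) else None
    vid = port.pvid if tag is None else tag
    if port.ingress_rules and vid != port.pvid and vid not in port.allowed:
        return None
    return vid


def egress_action(port: Port, vid: int) -> Optional[str]:
    """How a frame of VLAN vid leaves the port: 'tagged', 'untagged', or None (not sent)."""
    if port.mode == "access":
        return "untagged" if vid == port.pvid else None
    if vid != port.pvid and vid not in port.allowed:
        return None
    if port.mode == "trunk":
        # Trunk: every VLAN leaves tagged except the native VLAN.
        return "untagged" if vid == port.pvid else "tagged"
    # Hybrid: per-VLAN choice; the native VLAN and the VLANs in the untag list leave untagged.
    return "untagged" if vid == port.pvid or vid in port.untagged else "tagged"


def forward(ingress: Port, tag: Optional[int], egress: Port) -> Optional[str]:
    """End-to-end result of a frame entering `ingress` and leaving `egress` on the same switch."""
    vid = classify_ingress(ingress, tag)
    return None if vid is None else egress_action(egress, vid)


# Constructed sample ports, matching the roles described in the text.
ACCESS = Port("Ethernet1/0/2", "access", pvid=2)
TRUNK = Port("Ethernet1/0/11", "trunk", pvid=1, allowed={2, 100, 200})
HYBRID = Port("Ethernet1/0/12", "hybrid", pvid=1, allowed={2, 100}, untagged={2})

if __name__ == "__main__":
    for vid in (1, 2, 100, 300):
        print(f"VLAN {vid}: trunk={egress_action(TRUNK, vid)}, hybrid={egress_action(HYBRID, vid)}")
```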

2.15.2 VLAN Configuration Task List


1. Create or delete VLAN
2. Set or delete VLAN name
3. Assign Switch ports for VLAN
4. Set the switch port type
5. Set Trunk port
6. Set Access port
7. Set Hybrid port
8. Enable/Disable VLAN ingress rules globally
9. Configure Private VLAN
10. Set Private VLAN association

1. Create or delete VLAN

Command Explanation
Global Mode
vlan WORD
no vlan WORD
    Create/delete a VLAN or enter VLAN Mode.

2. Set or delete VLAN name

Command Explanation
VLAN Mode
name <vlan-name>
no name
    Set or delete the VLAN name.

3. Assigning Switch ports for VLAN

Command Explanation
VLAN Mode
switchport interface <interface-list>
no switchport interface <interface-list>
    Assign switch ports to the VLAN.

4. Set the Switch Port Type

Command Explanation
Port Mode
switchport mode {trunk | access | hybrid}
    Set the current port as a Trunk, Access or Hybrid port.

5. Set Trunk port


Command Explanation
Port Mode
switchport trunk allowed vlan {WORD | all | add WORD | except WORD | remove WORD}
no switchport trunk allowed vlan
    Set/delete the VLANs allowed to cross the Trunk. The "no" command restores the default setting.
switchport trunk native vlan <vlan-id>
no switchport trunk native vlan
    Set/delete the PVID of the Trunk port.

6. Set Access port

Command Explanation
Port Mode
switchport access vlan <vlan-id>    Add the current port to the specified VLAN. The "no" command restores the default setting.
no switchport access vlan

7. Set Hybrid port

Command Explanation
Port Mode
switchport hybrid allowed vlan {WORD | all | add WORD | except WORD | remove WORD} {tag | untag}    Set/delete the VLANs allowed on the Hybrid port, in tag or untag mode.
no switchport hybrid allowed vlan
switchport hybrid native vlan <vlan-id>    Set/delete the PVID of the port.
no switchport hybrid native vlan

8. Disable/Enable VLAN Ingress Rules

Command Explanation
Port Mode
vlan ingress enable
Enable/Disable VLAN ingress rules.
no vlan ingress enable

9. Configure Private VLAN

Command Explanation
VLAN mode
private-vlan {primary | isolated | community}    Configure the current VLAN as a Private VLAN. The no command deletes the Private VLAN.
no private-vlan

10. Set Private VLAN association

Command Explanation
VLAN mode
private-vlan association <secondary-vlan-list>    Set/delete the Private VLAN association.
no private-vlan association

2.15.3 Typical VLAN Application


Scenario:

Figure 2-19 Typical VLAN Application Topology (Switch A and Switch B connected by a Trunk link; PCs and workstations in VLAN2, VLAN100 and VLAN200 at both sites)

The existing LAN must be partitioned into three VLANs, VLAN2, VLAN100 and VLAN200, for security and application reasons. The three VLANs span two different locations, A and B. One switch is placed at each site, and the cross-location requirement is met if VLAN traffic can be carried between the two switches.
Configuration Item Configuration description
VLAN2 Site A and site B switch port 2-4.
VLAN100 Site A and site B switch port 5-7.
VLAN200 Site A and site B switch port 8-10.
Trunk port Site A and site B switch port 11.

Connect the Trunk ports of both switches to form a Trunk link that carries the cross-switch VLAN traffic; connect all other network devices to the ports of their corresponding VLANs.
In this example ports 1 and 12 are left unused and can serve as management ports or for other purposes.
The configuration steps are listed below:

Switch A:
Switch(config)#vlan 2
Switch(Config-Vlan2)#switchport interface ethernet 1/0/2-4
Switch (Config-Vlan2)#exit
Switch (config)#vlan 100
Switch (Config-Vlan100)#switchport interface ethernet 1/0/5-7
Switch (Config-Vlan100)#exit
Switch (config)#vlan 200
Switch (Config-Vlan200)#switchport interface ethernet 1/0/8-10
Switch (Config-Vlan200)#exit
Switch (config)#interface ethernet 1/0/11
Switch (Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)#exit
Switch(config)#
Switch B:
Switch(config)#vlan 2
Switch(Config-Vlan2)#switchport interface ethernet 1/0/2-4
Switch (Config-Vlan2)#exit
Switch (config)#vlan 100
Switch (Config-Vlan100)#switchport interface ethernet 1/0/5-7
Switch (Config-Vlan100)#exit
Switch (config)#vlan 200
Switch (Config-Vlan200)#switchport interface ethernet 1/0/8-10
Switch (Config-Vlan200)#exit
Switch (config)#interface ethernet 1/0/11
Switch (Config-If-Ethernet1/0/11)#switchport mode trunk
Switch (Config-If-Ethernet1/0/11)#exit

2.15.4 Typical Application of Hybrid Port


Scenario:

Figure 2-20 Typical Application of Hybrid Port (Switch A is the gateway towards the Internet; Switch B connects PC1 and PC2 and uplinks to Switch A)

PC1 connects to interface Ethernet 1/0/7 of Switch B, PC2 connects to interface Ethernet 1/0/9 of Switch B, and Ethernet 1/0/10 of Switch A connects to Ethernet 1/0/10 of Switch B. For security reasons PC1 and PC2 must not be able to reach each other, but both must be able to reach other network resources through the gateway Switch A. This can be achieved with Hybrid ports.

Configuration items are as follows:

Port                     Type    PVID    VLANs allowed to pass
Port 1/0/10 of Switch A  Access  10      VLAN 10, untagged.
Port 1/0/10 of Switch B  Hybrid  10      VLAN 7, 9 and 10, untagged.
Port 1/0/7 of Switch B   Hybrid  7       VLAN 7 and 10, untagged.
Port 1/0/9 of Switch B   Hybrid  9       VLAN 9 and 10, untagged.

The configuration steps are listed below:


Switch A:
Switch(config)#vlan 10
Switch(Config-Vlan10)#switchport interface ethernet 1/0/10

Switch B:

Switch(config)#vlan 7;9;10
Switch(config)#interface ethernet 1/0/7
Switch(Config-If-Ethernet1/0/7)#switchport mode hybrid
Switch(Config-If-Ethernet1/0/7)#switchport hybrid native vlan 7
Switch(Config-If-Ethernet1/0/7)#switchport hybrid allowed vlan 7;10 untag
Switch(Config-If-Ethernet1/0/7)#exit
Switch(Config)#interface Ethernet 1/0/9
Switch(Config-If-Ethernet1/0/9)#switchport mode hybrid
Switch(Config-If-Ethernet1/0/9)#switchport hybrid native vlan 9
Switch(Config-If-Ethernet1/0/9)#switchport hybrid allowed vlan 9;10 untag
Switch(Config-If-Ethernet1/0/9)#exit
Switch(Config)#interface Ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#switchport mode hybrid
Switch(Config-If-Ethernet1/0/10)#switchport hybrid native vlan 10
Switch(Config-If-Ethernet1/0/10)#switchport hybrid allowed vlan 7;9;10 untag
Switch(Config-If-Ethernet1/0/10)#exit
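The isolation described above can be checked with a small model of Switch B's three Hybrid ports. This Python is an added example, not part of the S4600 guide; it assumes unknown-destination flooding within a VLAN and 802.1Q ingress filtering (a tagged frame is accepted only for a VLAN the port is a member of).

```python
# Added example (not from the S4600 guide): a model of Switch B's Hybrid ports in
# the scenario above. PC1 (port 1/0/7) and PC2 (port 1/0/9) cannot reach each other,
# while both reach the gateway link on port 1/0/10. Port table built from the text.
from dataclasses import dataclass


@dataclass
class HybridPort:
    name: str
    pvid: int                      # VLAN assigned to untagged ingress frames
    untag: frozenset               # VLANs this port may send without a tag
    tag: frozenset = frozenset()   # VLANs this port sends with the 802.1Q tag kept


# Switch B from the configuration table in the text (every VLAN in untag mode).
SWITCH_B = {
    "1/0/7": HybridPort("1/0/7", pvid=7, untag=frozenset({7, 10})),
    "1/0/9": HybridPort("1/0/9", pvid=9, untag=frozenset({9, 10})),
    "1/0/10": HybridPort("1/0/10", pvid=10, untag=frozenset({7, 9, 10})),
}


def classify_ingress(port, vid):
    """VLAN a frame belongs to after ingress rules, or None when it is dropped.

    vid is None for an untagged frame, otherwise the VID in its 802.1Q tag.
    An untagged frame takes the PVID; a tagged frame is accepted only if the
    port is a member of that VLAN (ingress filtering, assumed here)."""
    if vid is None:
        return port.pvid
    if vid in port.untag or vid in port.tag:
        return vid
    return None


def egress_ports(switch, ingress, vid=None):
    """Ports a frame may be forwarded to, mapped to whether it leaves tagged.

    Unknown-destination flooding is assumed: the frame goes to every other
    member port of its VLAN. An empty dict means the frame is dropped."""
    vlan = classify_ingress(switch[ingress], vid)
    if vlan is None:
        return {}
    out = {}
    for name, port in switch.items():
        if name == ingress:
            continue
        if vlan in port.tag:
            out[name] = True
        elif vlan in port.untag:
            out[name] = False
    return out


def can_reach(switch, src, dst):
    """True if an untagged frame entering src can be forwarded out of dst."""
    return dst in egress_ports(switch, src)


if __name__ == "__main__":
    # PC1 -> PC2 is blocked; PC1 and the gateway link reach each other.
    print(egress_ports(SWITCH_B, "1/0/7"))   # {'1/0/10': False}
    print(egress_ports(SWITCH_B, "1/0/10"))  # {'1/0/7': False, '1/0/9': False}
```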

2.16 GVRP

2.16.1 Introduction to GVRP


GVRP, i.e. GARP VLAN Registration Protocol, is an application of GARP (Generic Attribute Registration Protocol). GARP mainly establishes an attribute transmission mechanism through which protocol entities register and deregister attributes. Depending on the attribute being transmitted, GARP is specialised into several application protocols, such as GMRP and GVRP. GVRP is therefore the protocol that propagates VLAN attributes through the whole layer 2 network by means of GARP.

Figure 2-21 A typical application scenario


Switches A and G are not directly connected at layer 2; switches B, C, D, E and F are the intermediate switches connecting A and G. VLAN100-1000 are configured manually on Switch A and G but not on the intermediate switches. While GVRP is not enabled, A and G cannot communicate with each other because the intermediate switches lack the relevant VLANs. Once GVRP is enabled on all switches, its VLAN attribute transmission mechanism lets the intermediate switches register the VLANs dynamically, and the same VLAN in VLAN100-1000 on A and G can communicate. The VLANs dynamically registered by the intermediate switches are deregistered when VLAN100-1000 are removed manually from switches A and G. In this way the same VLAN on two non-adjacent switches can communicate through GVRP without configuring each intermediate switch manually, which simplifies VLAN configuration.

2.16.2 GVRP Configuration Task List


GVRP configuration task list:
1. Configure GVRP timer
2. Configure port type
3. Enable GVRP function

1. Configure GVRP timer

Command Explanation
Global mode
garp timer join <200-500>    Configure the join, leave and leaveall timers for GVRP.
garp timer leave <500-1200>
garp timer leaveall <5000-60000>
no garp timer (join | leave | leaveAll)

2. Configure port type

Command Explanation
Port mode
gvrp    Enable/disable the GVRP function of the port.
no gvrp

3. Enable GVRP function

Command Explanation
Global mode
gvrp    Enable/disable the global GVRP function.
no gvrp

2.16.3 Example of GVRP


GVRP application:


Figure 2-22 Typical GVRP Application Topology

To enable dynamic VLAN registration and update among switches, GVRP must be configured on the switches. Configure GVRP on Switch A, B and C so that Switch B learns VLAN100 dynamically and the two workstations connected to VLAN100 on Switch A and Switch C can communicate with each other through Switch B without static VLAN100 entries.

Configuration Item    Configuration description
VLAN100               Port 2-6 of Switch A and C.
Trunk port            Port 11 of Switch A and C, Port 10, 11 of Switch B.
Global GVRP           Switch A, B, C.
Port GVRP             Port 11 of Switch A and C, Port 10, 11 of Switch B.

Connect the two workstations to the VLAN100 ports on Switch A and B, connect port 11 of Switch A to port 10 of Switch B, and port 11 of Switch B to port 11 of Switch C.

The configuration steps are listed below:


Switch A:
Switch(config)# gvrp
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/0/2-6
Switch(Config-Vlan100)#exit
Switch(config)#interface ethernet 1/0/11
Switch(Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)# gvrp

Switch(Config-If-Ethernet1/0/11)#exit

Switch B:
Switch(config)#gvrp
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#switchport mode trunk
Switch(Config-If-Ethernet1/0/10)# gvrp
Switch(Config-If-Ethernet1/0/10)#exit
Switch(config)#interface ethernet 1/0/11
Switch(Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)# gvrp
Switch(Config-If-Ethernet1/0/11)#exit

Switch C:
Switch(config)# gvrp
Switch(config)#vlan 100
Switch(Config-Vlan100)#switchport interface ethernet 1/0/2-6
Switch(Config-Vlan100)#exit
Switch(config)#interface ethernet 1/0/11
Switch(Config-If-Ethernet1/0/11)#switchport mode trunk
Switch(Config-If-Ethernet1/0/11)# gvrp
Switch(Config-If-Ethernet1/0/11)#exit

2.16.4 GVRP Troubleshooting


The GARP timer settings on the Trunk ports at both ends of a Trunk link must be the same, otherwise GVRP will not work normally. It is recommended not to enable GVRP and RSTP at the same time on a switch; if GVRP needs to be enabled, the RSTP function must be disabled on the ports first.

2.17 Dot1q-tunnel

2.17.1 Introduction to Dot1q-tunnel


Dot1q-tunnel, also called QinQ (802.1Q-in-802.1Q), is an extension of 802.1Q. Its central idea is to encapsulate the customer VLAN tag (CVLAN tag) inside a service provider VLAN tag (SPVLAN tag). Carrying both VLAN tags, the packet is transmitted across the ISP backbone network, which provides users with a simple layer-2 tunnel. It is simple and easy to manage, works only with static configuration, and is especially suited to small office networks or small-scale metropolitan area networks that use a layer-3 switch as backbone equipment.

Figure 2-23 Dot1q-tunnel based Internetworking mode (CE1 and CE2 each connect to their PE over an unsymmetrical link carrying the customer Trunk VLANs 200-300; the QinQ-enabled customer ports on PE1 and PE2 belong to VLAN3, and the PEs cross the SP network through switch P over Trunk connections)


As shown above, after dot1q-tunnel is enabled on the user port, each user is assigned an SPVLAN identifier (SPVID); here the user's identifier is 3. The same SPVID should be assigned to the same network user on different PEs. When a packet reaches PE1 from CE1, it carries a VLAN tag from 200-300 of the user's internal network. Because dot1q-tunnel is enabled, the user port on PE1 adds another VLAN tag to the packet whose ID is the SPVID assigned to the user. From then on the packet travels through the ISP network only within VLAN3, carrying two VLAN tags (the outer tag, the SPVID, is added on entering PE1; the inner tag is the user's own), so the VLAN information of the user network is transparent to the provider network. When the packet reaches PE2 and before it is forwarded to CE2 from the client port of PE2, the outer VLAN tag is removed, so the packet CE2 receives is identical to the one sent by CE1. For the user, the role of the operator network between PE1 and PE2 is to provide a reliable layer-2 link.
Dot1q-tunnel technology gives the ISP network the ability to support many client VLANs with only one VLAN of its own. Both the ISP network and the clients can configure their own VLANs independently.
The dot1q-tunnel function therefore has the following characteristics:
 Applicable through simple static configuration; no complex configuration or maintenance is needed.
 Operators only have to assign one SPVID per user, which increases the number of users that can be supported concurrently, while users keep complete freedom in selecting and managing their VLAN IDs (anywhere within 1~4094).
 The user network is largely independent. When the ISP upgrades its network, the user networks do not have to change their original configuration.
Detailed description of the application and configuration of dot1q-tunnel is provided in this section.

2.17.2 Dot1q-tunnel Configuration



Configuration Task Sequence of Dot1q-Tunnel:


1. Configure the dot1q-tunnel function on port
2. Configure the global protocol type (TPID)

1. Configure the dot1q-tunnel function on port

Command Explanation
Port mode
dot1q-tunnel enable    Enter/exit the dot1q-tunnel mode on the port.
no dot1q-tunnel enable

2. Configure the global protocol type (TPID)

Command Explanation
Global mode
dot1q-tunnel tpid {0x8100|0x9100|0x9200|<1-65535>}    Configure the global protocol type.

2.17.3 Typical Applications of the Dot1q-tunnel


Scenario:
Edge switches PE1 and PE2 of the ISP network forward the VLAN200~300 data between CE1 and CE2 of the client network inside VLAN3. Port1 of PE1 is connected to CE1 and port10 to the public network; the TPID of the connected equipment is 9100. Port1 of PE2 is connected to CE2 and port10 to the public network.

Configuration Item    Configuration Explanation
VLAN3                 Port1 of PE1 and PE2.
dot1q-tunnel          Port1 of PE1 and PE2.
tpid                  9100

Configuration procedure is as follows:


PE1:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/0/1
Switch(Config-Vlan3)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(Config-Ethernet1/0/1)# dot1q-tunnel enable
Switch(Config-Ethernet1/0/1)# exit
Switch(Config)#interface ethernet 1/0/10
Switch(Config-Ethernet1/0/10)#switchport mode trunk
Switch(Config-Ethernet1/0/10)#exit
Switch(config)#dot1q-tunnel tpid 0x9100
Switch(Config)#

PE2:
Switch(config)#vlan 3
Switch(Config-Vlan3)#switchport interface ethernet 1/0/1
Switch(Config-Vlan3)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(Config-Ethernet1/0/1)# dot1q-tunnel enable
Switch(Config-Ethernet1/0/1)# exit
Switch(Config)#interface ethernet 1/0/10
Switch(Config-Ethernet1/0/10)#switchport mode trunk
Switch(Config-Ethernet1/0/10)#exit
Switch(config)#dot1q-tunnel tpid 0x9100
Switch(Config)#

2.17.4 Dot1q-tunnel Troubleshooting


 Enabling dot1q-tunnel on a Trunk port makes the tag of the data packets unpredictable, which is not wanted in this application, so enabling dot1q-tunnel on a Trunk port is not recommended.
 Configuration on a port-channel is not supported.
 Enabling it together with STP/MSTP is not supported.
 Enabling it together with PVLAN is not supported.

2.18 Selective QinQ

2.18.1 Introduction to Selective QinQ


Selective QinQ is an enhanced application of the dot1q-tunnel function. It can tag packets received on the same port with different outer VLAN tags according to their inner VLAN tags, as the user requires, so that packets of different types are assigned to different VLANs and take different transmission paths.

2.18.2 Selective QinQ Configuration


Selective QinQ Configuration Task List:
1. Configure the port mapping relation between the inner tag and the outer tag

2. Configure selective QinQ of port

1. Configure the port mapping relation between the inner tag and the outer tag

Command Explanation
Port mode
dot1q-tunnel selective s-vlan <s-vid> c-vlan <c-vid-list>    Configure/delete the port mapping relation between the inner tag and the outer tag for selective QinQ.
no dot1q-tunnel selective s-vlan <s-vid> c-vlan <c-vid-list>

2. Configure selective QinQ of port

Command Explanation
Port mode
dot1q-tunnel selective enable
Enable/disable selective QinQ of the port.
no dot1q-tunnel selective enable

2.18.3 Typical Applications of Selective QinQ

Figure 2-24 Selective QinQ application (SWITCHA and SWITCHB each connect PCs in VLAN 100-200 on Eth1/0/1 and IP phones in VLAN 201-300 on Eth1/0/2, and reach the SP network carrying VLAN1000/2000 through Eth1/0/9)


1. Ethernet1/0/1 of SwitchA provides public network access for PC users and Ethernet1/0/2 of SwitchA provides public network access for IP phone users. PC users belong to VLAN 100 through VLAN 200, and IP phone users belong to VLAN 201 through VLAN 300. Ethernet1/0/9 of SwitchA is connected to the public network.
2. Ethernet1/0/1 and Ethernet1/0/2 of SwitchB provide network access for PC users belonging to VLAN 100 through VLAN 200 and IP phone users belonging to VLAN 201 through VLAN 300 respectively. Ethernet1/0/9 is connected to the public network.
3. The public network permits packets of VLAN 1000 and VLAN 2000 to pass.
4. Enable selective QinQ on the Ethernet1/0/1 and Ethernet1/0/2 ports of Switch A and Switch B. Packets of VLAN 100 through VLAN 200 are tagged with VLAN 1000 as the outer VLAN tag on Ethernet1/0/1, and packets of VLAN 201 through VLAN 300 are tagged with VLAN 2000 as the outer VLAN tag on Ethernet1/0/2.

Steps of configuration:
# Create VLAN 1000 and VLAN 2000 on SwitchA.
switch(config)#vlan 1000;2000
# Configure Ethernet1/0/1 as a hybrid port and configure it to remove VLAN tags when forwarding
packets of VLAN 1000.
switch(config)#interface ethernet 1/0/1
switch(config-if-ethernet1/0/1)#switchport mode hybrid
switch(config-if-ethernet1/0/1)#switchport hybrid allowed vlan 1000 untag
# Configure the mapping rules for selective QinQ on Ethernet1/0/1 to insert the VLAN 1000 tag as the
outer VLAN tag in packets with the tags of VLAN 100 through VLAN 200.
switch(config-if-ethernet1/0/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200
# Enable selective QinQ on Ethernet1/0/1.
switch(config-if-ethernet1/0/1)#dot1q-tunnel selective enable
# Configure Ethernet1/0/2 as a hybrid port and configure it to remove VLAN tags when
forwarding packets of VLAN 2000.
switch(config-if-ethernet1/0/1)#interface ethernet 1/0/2
switch(config-if-ethernet1/0/2)#switchport mode hybrid
switch(config-if-ethernet1/0/2)#switchport hybrid allowed vlan 2000 untag
# Configure the mapping rules for selective QinQ on Ethernet1/0/2 to insert the VLAN 2000 tag as the
outer VLAN tag in packets with the tags of VLAN 201 through VLAN 300.
switch(config-if-ethernet1/0/2)#dot1q-tunnel selective s-vlan 2000 c-vlan 201-300
# Enable selective QinQ on Ethernet1/0/2.
switch(config-if-ethernet1/0/2)#dot1q-tunnel selective enable
# Configure uplink port Ethernet1/0/9 as a hybrid port and configure it to keep the VLAN tags when
forwarding packets of VLAN 1000 and VLAN 2000.
switch(config-if-ethernet1/0/2)#interface ethernet 1/0/9
switch(config-if-ethernet1/0/9)#switchport mode hybrid
switch(config-if-ethernet1/0/9)#switchport hybrid allowed vlan 1000;2000 tag
After the above configuration, packets of VLAN 100 through VLAN 200 from Ethernet1/0/1 are
automatically tagged with the tag of VLAN 1000 as the outer VLAN tag, and packets of VLAN 201
through VLAN 300 from Ethernet1/0/2 are automatically tagged with the tag of VLAN 2000 as the
outer VLAN tag on SwitchA.
The configuration on Switch B is similar to that on Switch A:
switch(config)#vlan 1000;2000
switch(config)#interface ethernet 1/0/1
switch(config-if-ethernet1/0/1)#switchport mode hybrid
switch(config-if-ethernet1/0/1)#switchport hybrid allowed vlan 1000 untag
switch(config-if-ethernet1/0/1)#dot1q-tunnel selective s-vlan 1000 c-vlan 100-200
switch(config-if-ethernet1/0/1)#dot1q-tunnel selective enable
switch(config-if-ethernet1/0/1)#interface ethernet 1/0/2
switch(config-if-ethernet1/0/2)#switchport mode hybrid
switch(config-if-ethernet1/0/2)#switchport hybrid allowed vlan 2000 untag
switch(config-if-ethernet1/0/2)#dot1q-tunnel selective s-vlan 2000 c-vlan 201-300
switch(config-if-ethernet1/0/2)#dot1q-tunnel selective enable
switch(config-if-ethernet1/0/2)#interface ethernet 1/0/9
switch(config-if-ethernet1/0/9)#switchport mode hybrid
switch(config-if-ethernet1/0/9)#switchport hybrid allowed vlan 1000;2000 tag
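As an added example that is not part of the S4600 guide, the following Python builds 802.1Q frames and shows what a PE customer port does to them in the dot1q-tunnel scenario of 2.17.3 (push a TPID 0x9100 outer tag carrying SPVID 3, pop it again at the far PE) and in the selective QinQ scenario of 2.18.3 (choose outer VID 1000 or 2000 from the inner c-vid range). The MAC addresses and frame contents are constructed, and the functions model the behaviour described in the text rather than the switch's own code.

```python
# Added example (not from the S4600 guide): 802.1Q-in-802.1Q frame handling for the
# dot1q-tunnel (2.17) and selective QinQ (2.18) scenarios. Byte layout per IEEE 802.1Q:
# dst(6) src(6) [tpid(2) tci(2)]... ethertype(2) payload.
import struct

TPID_8100 = 0x8100          # standard 802.1Q tag (customer tag)
TPID_9100 = 0x9100          # provider TPID configured in the 2.17.3 scenario

CUSTOMER_MAC = bytes.fromhex("0203040506a1")   # constructed addresses
GATEWAY_MAC = bytes.fromhex("0203040506b2")


def build_frame(dst, src, vid, payload=b"\x08\x00" + b"\x00" * 46,
                tpid=TPID_8100, pcp=0):
    """Single-tagged customer frame as CE1 would send it."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HH", tpid, tci) + payload


def read_tags(frame, tpids=(TPID_8100, TPID_9100)):
    """List of (tpid, vid) tags in order, outermost first."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in tpids:
            break                       # reached the real ethertype
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags


def push_outer_tag(frame, spvid, tpid=TPID_9100):
    """dot1q-tunnel ingress on the PE customer port: add the SPVLAN tag in front of
    whatever tag the customer frame already carries (the customer tag is untouched)."""
    return frame[:12] + struct.pack("!HH", tpid, spvid & 0x0FFF) + frame[12:]


def pop_outer_tag(frame, tpids=(TPID_8100, TPID_9100)):
    """PE egress towards the customer: strip the outer tag, keep the inner one."""
    tpid = struct.unpack_from("!H", frame, 12)[0]
    if tpid not in tpids:
        raise ValueError("no outer tag to pop")
    return frame[:12] + frame[16:]


def tunnel_roundtrip(frame, spvid, tpid=TPID_9100):
    """PE1 pushes the SPVID on ingress, PE2 pops it on egress.
    Returns (frame as seen inside the SP network, frame delivered to CE2)."""
    core = push_outer_tag(frame, spvid, tpid)
    return core, pop_outer_tag(core)


# Selective QinQ rules of the 2.18.3 scenario: (first c-vid, last c-vid) -> s-vid
SELECTIVE_MAP = {(100, 200): 1000, (201, 300): 2000}


def select_spvid(frame, mapping=SELECTIVE_MAP):
    """Outer VID chosen from the inner c-vid; None when no rule matches, in which
    case the model leaves the frame untunnelled instead of guessing a VLAN."""
    tags = read_tags(frame)
    if not tags:
        return None
    cvid = tags[0][1]
    for (lo, hi), svid in mapping.items():
        if lo <= cvid <= hi:
            return svid
    return None


if __name__ == "__main__":
    f = build_frame(GATEWAY_MAC, CUSTOMER_MAC, 250)
    core, delivered = tunnel_roundtrip(f, 3)
    print(read_tags(core))           # [(37120, 3), (33024, 250)]
    print(delivered == f)            # True
    print(select_spvid(f))           # 2000
```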

2.18.4 Selective QinQ Troubleshooting


 Selective QinQ and dot1q-tunnel should not be configured at the same time on one port.

2.19 VLAN-translation

2.19.1 Introduction to VLAN-translation


VLAN translation, as the name suggests, translates the original VLAN ID into a new VLAN ID according to the user's requirements, so that data can be exchanged across different VLANs. VLAN translation supports ingress translation, switching the VLAN ID at the ingress. The application and configuration of VLAN translation are explained in detail in this section.

2.19.2 VLAN-translation Configuration


Configuration task sequence of VLAN-translation:
1. Configure the VLAN-translation function on the port
2. Configure the VLAN-translation relations on the port
3. Configure whether packets are dropped when the VLAN-translation check fails
4. Show the related configuration of vlan-translation

1. Configure the VLAN-translation of the port

Command Explanation
Port mode
vlan-translation enable Enter/exit the port VLAN-translation
no vlan-translation enable mode.

2. Configure the VLAN-translation relation of the port

Command Explanation
Global/Port mode
vlan-translation <old-vlan-id> to <new-vlan-id> in    Add/delete a VLAN-translation relation.
no vlan-translation old-vlan-id in

3. Configure whether the port drops packets when the VLAN-translation check fails

Command Explanation
Port mode
vlan-translation miss drop {in | out | both}    Set/cancel dropping of packets whose VLAN-translation check fails.
no vlan-translation miss drop {in | out | both}

4. Show the related configuration of vlan-translation

Command Explanation
Admin mode
show vlan-translation    Show the related configuration of vlan-translation.

2.19.3 Typical application of VLAN-translation


Scenario:
Edge switches PE1 and PE2 of the ISP network carry the VLAN20 data between CE1 and CE2 of the client network inside VLAN3. Port1/0/1 of PE1 is connected to CE1 and port1/0/10 to the public network; port1/0/1 of PE2 is connected to CE2 and port1/0/10 to the public network.

Figure 2-25 VLAN translation topology (CE1 and CE2 connect to PE1 and PE2 over Trunk connections carrying the customer VLAN 20; the ingress of each PE customer port translates VLAN20 to VLAN3 and the egress translates VLAN3 back to VLAN20, while the PEs cross the SP network through switch P over Trunk connections)

Configuration Item    Configuration Explanation
VLAN-translation      Port1/0/1 of PE1 and PE2.
Trunk port            Port1/0/1 and Port1/0/10 of PE1 and PE2.

Configuration procedure is as follows:


PE1, PE2:
switch(Config)#interface ethernet 1/0/1
switch(Config-Ethernet1/0/1)#switchport mode trunk
switch(Config-Ethernet1/0/1)# vlan-translation enable
switch(Config-Ethernet1/0/1)# vlan-translation 20 to 3 in
switch(Config-Ethernet1/0/1)# vlan-translation 3 to 20 out
switch(Config-Ethernet1/0/1)# exit
switch(Config)#interface ethernet 1/0/10
switch(Config-Ethernet1/0/10)#switchport mode trunk
switch(Config-Ethernet1/0/10)#exit
switch(Config)#
Note: this switch only supports the in direction.

2.19.4 VLAN-translation Troubleshooting

 Normally VLAN-translation is applied on Trunk ports.
 Normally the dot1q-tunnel function needs to be enabled before VLAN-translation is used, so that double-tagged packets are handled by VLAN-translation.
 When configuring vlan-translation at the egress, make sure the native VLAN of the port is not identical to the PVID of the packet; otherwise the tag of the packet is stripped in advance and the VID cannot be translated.
 When vlan-translation and QoS are configured at the same time, QoS only matches the VLAN ID the packet has been translated to.

2.20 Dynamic VLAN

2.20.1 Introduction to Dynamic VLAN


A dynamic VLAN is so named in contrast to a static VLAN (that is, a port-based VLAN). The dynamic VLANs supported by the switch are MAC-based VLAN, IP-subnet-based VLAN and Protocol-based VLAN, described in detail below.
MAC-based VLAN division is based on the MAC address of each host: every host with a MAC address is assigned to a certain VLAN. In this way a network user keeps membership of the VLAN he belongs to when moving from one physical location to another. The greatest advantage of this VLAN division is that the VLAN does not have to be reconfigured when the user's physical location changes, i.e. when he moves from one switch to another, because it is user-based rather than switch-port-based.
IP-subnet-based VLAN division uses the source IP address and subnet mask of each host. It assigns the VLAN ID to a data packet according to its subnet, steering the packet into the specified VLAN. Its advantage is the same as that of the MAC-based VLAN: the user does not have to change configuration when relocated.
Protocol-based VLAN division uses the network-layer protocol, assigning different protocols to different VLANs. This is attractive to network administrators who wish to organize users by application and service. Users can move freely within the network while keeping their membership, so the VLAN can be divided by protocol type, which matters to administrators, without users changing their VLAN configuration when they change physical position. Further, this method needs no added frame label to identify the VLAN, which reduces network traffic.
Notice: Dynamic VLAN works together with the Hybrid attribute of the ports, so ports that may be added to a dynamic VLAN must be configured as Hybrid ports.

2.20.2 Dynamic VLAN Configuration


Dynamic VLAN Configuration Task Sequence:
1. Configure the MAC-based VLAN function on the port
2. Set the VLAN to MAC VLAN
3. Configure the correspondence between the MAC address and the VLAN
4. Configure the IP-subnet-based VLAN function on the port
5. Configure the correspondence between the IP subnet and the VLAN
6. Configure the correspondence between the Protocols and the VLAN
7. Adjust the priority of the dynamic VLAN

1. Configure the MAC-based VLAN function on the port

Command Explanation
Port Mode
switchport mac-vlan enable Enable/disable the MAC-based VLAN
no switchport mac-vlan enable function on the port.

2. Set the VLAN to MAC VLAN

Command Explanation
Global Mode
mac-vlan vlan <vlan-id>    Configure the specified VLAN as a MAC VLAN; the "no mac-vlan" command cancels the MAC VLAN configuration of this VLAN.
no mac-vlan

3. Configure the correspondence between the MAC address and the VLAN

Command Explanation
Global Mode
mac-vlan mac <mac-address> <mac-mask> vlan <vlan-id> priority <priority-id>    Add/delete the correspondence between the MAC address and the VLAN, i.e. make the specified MAC address join/leave the specified VLAN.
no mac-vlan {mac <mac-address> <mac-mask>|all}

4. Configure the IP-subnet-based VLAN function on the port

Command Explanation
Port Mode
switchport subnet-vlan enable    Enable/disable the IP-subnet-based VLAN function on the port.
no switchport subnet-vlan enable

5. Configure the correspondence between the IP subnet and the VLAN

Command Explanation
Global Mode
subnet-vlan ip-address <ipv4-address> mask <subnet-mask> vlan <vlan-id> priority <priority-id>    Add/delete the correspondence between the IP subnet and the VLAN, i.e. the specified IP subnet joins/leaves the specified VLAN.
no subnet-vlan {ip-address <ipv4-address> mask <subnet-mask>|all}

6. Configure the correspondence between the Protocols and the VLAN

Command Explanation
Global Mode
protocol-vlan mode {ethernetii etype <etype-id>|llc {dsap <dsap-id> ssap <ssap-id>}|snap etype <etype-id>} vlan <vlan-id> priority <priority-id>    Add/delete the correspondence between the protocol and the VLAN, i.e. the specified protocol joins/leaves the specified VLAN.
no protocol-vlan {mode {ethernetii etype <etype-id>|llc {dsap <dsap-id> ssap <ssap-id>}|snap etype <etype-id>}|all}

7. Adjust the priority of the dynamic VLAN

Command Explanation
Global Mode
dynamic-vlan mac-vlan prefer    Configure the priority of the dynamic VLAN types.
dynamic-vlan subnet-vlan prefer

2.20.3 Typical Application of the Dynamic VLAN


Scenario:
In the office network Department A belongs to VLAN100. Several members of this department often need to move within the whole office network, and they must still be able to access the resources of VLAN 100 together with the other members of the department. Assume one of the members is M and the MAC address of his PC is 00-03-0f-11-22-33. When M moves to VLAN200 or VLAN300, the port connecting M is configured in Hybrid mode and belongs to VLAN100 in untag mode. In this way the data of VLAN100 is forwarded to the port connecting M, which meets the communication requirement in VLAN100.

Figure 2-26 Typical topology application of dynamic VLAN (SwitchA, SwitchB and SwitchC carrying VLAN100, VLAN200 and VLAN300; host M moves between them)

Configuration Items    Configuration Explanation
MAC-based VLAN         Global configuration on Switch A, Switch B, Switch C.

For example, with M at E1/0/1 of SwitchA, the configuration procedures are as follows:
Switch A, Switch B, Switch C:
SwitchA (Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0
SwitchA (Config)#interface ethernet 1/0/1
SwitchA (Config-Ethernet1/0/1)#switchport mode hybrid
SwitchA (Config-Ethernet1/0/1)#switchport hybrid allowed vlan 100 untag
SwitchA (Config-Ethernet1/0/1)#switchport mac-vlan enable

SwitchB (Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0
SwitchB (Config)#exit
SwitchB#

SwitchC (Config)#mac-vlan mac 00-03-0f-11-22-33 vlan 100 priority 0
SwitchC (Config)#exit
SwitchC#
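How an untagged frame arriving on a Hybrid port is assigned a dynamic VLAN by the MAC-based, IP-subnet-based and protocol-based rules of this section, with the `dynamic-vlan ... prefer` setting breaking ties between the MAC and subnet rules and the port PVID as the fallback. This Python is an added example, not the switch's code; the subnet and OUI-mask entries are constructed (M's MAC is the one from the scenario), and the tie-break order, protocol rules ranking last and the PVID fallback are assumptions of the model.

```python
# Added example (not from the S4600 guide): a model of dynamic VLAN classification for
# untagged frames on a Hybrid port. Rule order between MAC and subnet rules follows the
# "dynamic-vlan {mac-vlan|subnet-vlan} prefer" setting; protocol rules are consulted
# last and the port PVID is the fallback (assumptions of this model).
import ipaddress


def mac_bytes(text):
    """'00-03-0f-11-22-33' (the guide's notation) or colon form -> 6 bytes."""
    return bytes(int(p, 16) for p in text.replace(":", "-").split("-"))


class DynamicVlanTable:
    def __init__(self, prefer="mac-vlan"):
        self.prefer = prefer        # "mac-vlan" or "subnet-vlan"
        self.mac_rules = []         # (mac, mask, vlan, priority), first match wins
        self.subnet_rules = []      # (network, vlan, priority), first match wins
        self.proto_rules = {}       # ethertype -> (vlan, priority)

    # mirrors: mac-vlan mac <mac-address> <mac-mask> vlan <vlan-id> priority <priority-id>
    def add_mac(self, mac, mask, vlan, priority=0):
        self.mac_rules.append((mac_bytes(mac), mac_bytes(mask), vlan, priority))

    # mirrors: subnet-vlan ip-address <ipv4-address> mask <subnet-mask> vlan <vlan-id> priority <p>
    def add_subnet(self, ip, mask, vlan, priority=0):
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        self.subnet_rules.append((net, vlan, priority))

    # mirrors: protocol-vlan mode ethernetii etype <etype-id> vlan <vlan-id> priority <p>
    def add_protocol(self, etype, vlan, priority=0):
        self.proto_rules[etype] = (vlan, priority)

    def match_mac(self, src_mac):
        """Masked compare, so a rule can cover a single host or a whole OUI."""
        for mac, mask, vlan, prio in self.mac_rules:
            if all((a & m) == (b & m) for a, b, m in zip(src_mac, mac, mask)):
                return vlan, prio
        return None

    def match_subnet(self, src_ip):
        if src_ip is None:          # non-IP frame: no subnet rule can apply
            return None
        addr = ipaddress.ip_address(src_ip)
        for net, vlan, prio in self.subnet_rules:
            if addr in net:
                return vlan, prio
        return None

    def classify(self, src_mac, etype, src_ip, pvid):
        """(vlan, priority) for an untagged frame; (pvid, 0) when no rule matches."""
        candidates = [self.match_mac(src_mac), self.match_subnet(src_ip)]
        if self.prefer == "subnet-vlan":
            candidates.reverse()
        for hit in candidates:
            if hit is not None:
                return hit
        if etype in self.proto_rules:
            return self.proto_rules[etype]
        return pvid, 0


def scenario_table():
    """Rules for the 2.20.3 scenario plus constructed subnet/OUI/protocol entries."""
    t = DynamicVlanTable()
    t.add_mac("00-03-0f-11-22-33", "ff-ff-ff-ff-ff-ff", 100, 0)   # host M from the text
    t.add_mac("00-03-0f-00-00-00", "ff-ff-ff-00-00-00", 150, 0)   # constructed OUI-wide rule
    t.add_subnet("192.168.20.0", "255.255.255.0", 200, 0)         # constructed
    t.add_protocol(0x86DD, 300, 0)                                # constructed: IPv6 -> VLAN 300
    return t


if __name__ == "__main__":
    t = scenario_table()
    m = mac_bytes("00-03-0f-11-22-33")
    print(t.classify(m, 0x0800, "192.168.20.5", 1))   # (100, 0): MAC rule preferred
    t.prefer = "subnet-vlan"
    print(t.classify(m, 0x0800, "192.168.20.5", 1))   # (200, 0): subnet rule preferred
```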

2.20.4 Dynamic VLAN Troubleshooting


 On a switch configured with dynamic VLAN, if two connected devices (e.g. PCs) both belong to the same dynamic VLAN, their first communication may not go through. The solution is to let the two devices actively send a data packet to the switch (such as a ping) so that the switch learns their source MACs; afterwards the two devices can communicate freely within the dynamic VLAN.

Figure 2-27 Dynamic VLAN Troubleshooting (two hosts, 192.168.1.100/24 and 192.168.1.200/24, in the same dynamic VLAN ping each other so that the switch learns both source MACs)


2.21 Voice VLAN

2.21.1 Introduction to Voice VLAN


Voice VLAN is configured specially for user voice traffic. By setting up a Voice VLAN and adding the ports of the connected voice equipment to it, the user can configure QoS (Quality of Service) for voice data and raise the transmission priority of voice traffic to ensure call quality.
The switch decides whether traffic is voice traffic from a specified device according to the source MAC address field of the packets entering the port. A packet whose source MAC address matches a system-defined voice equipment OUI (Organizationally Unique Identifier) is treated as voice traffic and forwarded in the Voice VLAN.
The configuration is based on MAC addresses, relying on the fact that every voice device transmitting on the network has its own unique MAC address. The VLAN tracks the address belonging to the specified MAC, so the voice device always remains in the Voice VLAN when it is physically relocated. The greatest advantage of this VLAN is that the device is placed into the Voice VLAN automatically according to its voice traffic, which is then transmitted at the specified priority. When the voice device is physically relocated it still belongs to the Voice VLAN without any further configuration change, because membership is based on the voice device rather than on the switch port.
Notice: Voice VLAN works together with the Hybrid attribute of the ports, so ports that may be added to the Voice VLAN must be configured as Hybrid ports.

2.21.2 Voice VLAN Configuration


Voice VLAN Configuration Task Sequence:
1. Set the VLAN to Voice VLAN
2. Add voice equipment to the Voice VLAN
3. Enable the Voice VLAN on the port

1. Configure the VLAN to Voice VLAN

Command                       Explanation
Global Mode
voice-vlan vlan <vlan-id>     Set/cancel the VLAN as a Voice VLAN
no voice-vlan

2. Add voice equipment to a Voice VLAN

Command                                                                               Explanation
Global Mode
voice-vlan mac <mac-address> mask <mac-mask> priority <priority-id> [name <voice-name>]
no voice-vlan {mac <mac-address> mask <mac-mask> | name <voice-name> | all}
    Specify certain voice equipment to join/leave the Voice VLAN

3. Enable the Voice VLAN of the port

Command Explanation
Port Mode
switchport voice-vlan enable Enable/disable the Voice VLAN function
no switchport voice-vlan enable on the port

2.21.3 Typical Applications of the Voice VLAN


Scenario:
A company implements voice communication by configuring a Voice VLAN. IP-phone1 and
IP-phone2 can be connected to any port of the switch and communicate normally, and the switch
is interconnected with other switches through the uplink port. IP-phone1 (MAC address
00-03-0f-11-22-33) is connected to port 1/0/1 of the switch; IP-phone2 (MAC address
00-03-0f-11-22-55) is connected to port 1/0/2 of the switch.

Figure 2-28 Voice VLAN typical application topology (figure not reproduced: IP-phone1 and IP-phone2 connected to the Switch)


Configuration items      Configuration Explanation
Voice VLAN               Global configuration on the Switch.

Configuration procedure:
Switch 1:
Switch(config)#vlan 100
Switch(Config-Vlan100)#exit
Switch(config)#voice-vlan vlan 100
Switch(config)#voice-vlan mac 00-03-0f-11-22-33 mask 255 priority 5 name company
Switch(config)#voice-vlan mac 00-03-0f-11-22-55 mask 255 priority 5 name company
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#switchport mode trunk
Switch(Config-If-Ethernet1/0/10)#exit
switch(Config)#interface ethernet 1/0/1
switch(Config-If-Ethernet1/0/1)#switchport mode hybrid
switch(Config-If-Ethernet1/0/1)#switchport hybrid allowed vlan 100 untag
switch(Config-If-Ethernet1/0/1)#exit
switch(Config)#interface ethernet 1/0/2
switch(Config-If-Ethernet1/0/2)#switchport mode hybrid
switch(Config-If-Ethernet1/0/2)#switchport hybrid allowed vlan 100 untag

switch(Config-If-Ethernet1/0/2)#exit

2.21.4 Voice VLAN Troubleshooting

 Voice VLAN cannot be applied concurrently with MAC-based VLAN. The Voice VLAN
supports a maximum of 1024 voice devices; devices beyond that number will not be
supported.

2.22 Multi-to-One VLAN Translation

2.22.1 Introduction to Multi-to-One VLAN Translation


Multi-to-One VLAN translation translates the original VLAN ID into a new VLAN ID according
to the user's requirement on uplink traffic, and restores the original VLAN ID on downlink
traffic.
The application and configuration of Multi-to-One VLAN translation are explained in detail in
this section.

2.22.2 Multi-to-One VLAN Translation Configuration


Multi-to-One VLAN translation configuration task list:
1. Configure Multi-to-One VLAN translation on the port
2. Show the related configuration of Multi-to-One VLAN translation

1. Configure Multi-to-One VLAN translation on the port

Command                                            Explanation
Port mode
vlan-translation n-to-1 <WORD> to <new-vlan-id>    Configure/delete Multi-to-One VLAN translation.
no vlan-translation n-to-1 <WORD>

2. Show the related configuration of Multi-to-One VLAN translation

Command                        Explanation
Admin mode
show vlan-translation n-to-1   Show the related configuration of Multi-to-One VLAN translation.

2.22.3 Typical application of Multi-to-One VLAN Translation

Scenario:
UserA, userB and userC belong to VLAN1, VLAN2 and VLAN3 respectively. Before entering the
network layer, the data traffic of userA, userB and userC is translated into VLAN 100 by
Ethernet1/0/1 of edge switch1. Conversely, data traffic coming from the network layer for userA,
userB and userC is translated back into VLAN1, VLAN2 and VLAN3 respectively by Ethernet1/0/1 of
edge switch1. In the same way, multi-to-one translation is implemented for userD, userE and
userF on Ethernet1/0/1 of edge switch2.

Figure 2-29 VLAN-translation typical application

Configuration Item              Configuration Explanation
VLAN                            Switch1, Switch2
Trunk Port                      Downlink port 1/0/1 and uplink port 1/0/5 of Switch1 and Switch2
Multi-to-One VLAN-translation   Downlink port 1/0/1 of Switch1 and Switch2

Configuration procedure is as follows:

Switch1, Switch2:
switch(Config)#vlan 1-3;100
switch(Config)#interface ethernet 1/0/1
switch(Config-Ethernet1/0/1)#switchport mode trunk
switch(Config-Ethernet1/0/1)#vlan-translation n-to-1 1-3 to 100
switch(Config-Ethernet1/0/1)#exit
switch(Config)#interface ethernet 1/0/5
switch(Config-Ethernet1/0/5)#switchport mode trunk
switch(Config-Ethernet1/0/5)#exit

2.22.4 Multi-to-One VLAN Translation Troubleshooting


 Do not use it together with Dot1q-tunnel.
 Do not use it together with VLAN-translation.
 The same MAC address should not exist in both the original and the translated VLAN.
 Check whether the hardware resources of the chip are sufficient for all clients to work
normally.
 Limiting MAC address learning may affect Multi-to-One VLAN Translation.
 Multi-to-One VLAN Translation should be enabled after MAC learning.
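The uplink translation and downlink restore described in 2.22.1, with the constraints listed above, as a small Python model. This is an added example, not code from the guide or the switch: the guide does not say how the original VLAN is recovered on downlink traffic, so this example assumes (its own assumption) that it comes from the source-MAC to original-VLAN binding learnt on uplink traffic, which is what the rules about duplicate MACs and enabling after MAC learning suggest. The VLAN numbers follow the 2.22.3 scenario; the MAC addresses and all names are constructed.

```python
from typing import Dict, Iterable, Optional, Set


def parse_vlan_list(word: str) -> Set[int]:
    """Parse the <WORD> VLAN list syntax used in the guide, e.g. '1-3' or '1-3;100'."""
    vlans: Set[int] = set()
    for item in word.split(";"):
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            vlans.update(range(low, high + 1))
        elif item:
            vlans.add(int(item))
    return vlans


class NToOneTranslator:
    """Multi-to-One translation on one downlink port, e.g. 'vlan-translation n-to-1 1-3 to 100'."""

    def __init__(self, original: Iterable[int], new_vlan: int):
        self.original = set(original)
        self.new_vlan = new_vlan
        # ASSUMPTION of this example: the original VLAN is recovered from the
        # source-MAC binding learnt on uplink traffic (not stated by the guide).
        self.binding: Dict[str, int] = {}

    def uplink(self, src_mac: str, vlan: int) -> int:
        """Frame from the user side; returns the VLAN ID carried toward the network layer."""
        if vlan not in self.original:
            return vlan                                   # other VLANs pass through untouched
        known = self.binding.get(src_mac)
        if known is not None and known != vlan:
            # the same MAC in two original VLANs would make the downlink restore ambiguous
            raise ValueError(f"{src_mac} already bound to VLAN {known}, now seen in VLAN {vlan}")
        self.binding[src_mac] = vlan
        return self.new_vlan

    def downlink(self, dst_mac: str, vlan: int) -> Optional[int]:
        """Frame from the network layer; returns the restored VLAN ID, or None if unknown."""
        if vlan != self.new_vlan:
            return vlan
        return self.binding.get(dst_mac)                  # None until the MAC has been learnt


def scenario() -> dict:
    """Replays the 2.22.3 scenario for Switch1's Ethernet1/0/1 with constructed MAC addresses."""
    port = NToOneTranslator(parse_vlan_list("1-3"), 100)
    user_a, user_b, user_c = "00-00-00-00-00-0a", "00-00-00-00-00-0b", "00-00-00-00-00-0c"
    out = {
        "up_a": port.uplink(user_a, 1),
        "up_b": port.uplink(user_b, 2),
        "up_c": port.uplink(user_c, 3),
        "up_other": port.uplink("00-00-00-00-00-0d", 50),   # VLAN 50 is not translated
        "down_a": port.downlink(user_a, 100),
        "down_b": port.downlink(user_b, 100),
        "down_unknown": port.downlink("00-00-00-00-00-0e", 100),
    }
    try:
        port.uplink(user_a, 2)                             # userA's MAC appearing in VLAN 2
        out["duplicate_mac"] = "accepted"
    except ValueError:
        out["duplicate_mac"] = "rejected"
    return out
```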

2.23 MAC Address Table

2.23.1 Introduction to MAC Address Table


The MAC table identifies the mapping between destination MAC addresses and switch ports.
MAC addresses can be categorized as static MAC addresses and dynamic MAC addresses. Static
MAC addresses are manually configured by the user, have the highest priority and are
permanently effective (they will not be overwritten by dynamic MAC addresses); dynamic MAC
addresses are entries learnt by the switch while forwarding data frames, and are effective for a
limited period. When the switch receives a data frame to be forwarded, it stores the source MAC
address of the frame and creates a mapping to the port on which it was received. The MAC table
is then queried for the destination MAC address: if there is a hit, the frame is forwarded out of
the associated port; otherwise, the switch floods the frame to its broadcast domain. If a dynamic
MAC address is not refreshed by forwarded frames for a long time, the entry is deleted from the
switch MAC table.
There are two MAC table operations:
1. Obtain a MAC address.
2. Forward or filter data frames according to the MAC table.

2.23.1.1 Obtaining MAC Address Table


The MAC table can be built up statically and dynamically. Static configuration sets up a
mapping between MAC addresses and ports; dynamic learning is the process in which the switch
learns the mapping between MAC addresses and ports and updates the MAC table regularly. This
section focuses on the dynamic learning process of the MAC table.

Figure 2-30 MAC Table dynamic learning


The topology of the figure above: 4 PCs are connected to the switch. PC1 and PC2 belong to
the same physical segment (same collision domain), which connects to port 1/0/5 of the switch;
PC3 and PC4 belong to the same physical segment, which connects to port 1/0/12 of the switch.
The initial MAC table contains no address mapping entries. Taking the communication of PC1
and PC3 as an example, the MAC address learning process is as follows:
1. When PC1 sends a message to PC3, the switch reads the source MAC address
00-01-11-11-11-11 from this message, and the mapping entry of 00-01-11-11-11-11 and port
1/0/5 is added to the switch MAC table.
2. At the same time, the switch sees that the message is destined to 00-01-33-33-33-33. As the
MAC table contains only a mapping entry for MAC address 00-01-11-11-11-11 and port 1/0/5,
and no port mapping for 00-01-33-33-33-33 is present, the switch broadcasts this message to
all ports of the switch (assuming all ports belong to the default VLAN1).
3. PC3 and PC4 on port 1/0/12 receive the message sent by PC1, but PC4 will not reply, as the
destination MAC address is 00-01-33-33-33-33; only PC3 replies to PC1. When port 1/0/12
receives the message sent by PC3, a mapping entry for MAC address 00-01-33-33-33-33 and
port 1/0/12 is added to the MAC table.
4. Now the MAC table has two dynamic entries: MAC address 00-01-11-11-11-11 - port 1/0/5
and 00-01-33-33-33-33 - port 1/0/12.
5. After the communication between PC1 and PC3 ends, the switch no longer receives any
message from PC1 or PC3, and the MAC address mapping entries are deleted from the MAC
table after 300 to 2*300 seconds (i.e. between one and two aging times). The 300 seconds here
is the default aging time for MAC address entries in the switch; the aging time can be modified.


2.23.1.2 Forward or Filter


The switch forwards or filters received data frames according to the MAC table. Taking the
figure above as an example, assume the switch has learnt the MAC addresses of PC1 and PC3, and
the user has manually configured the port mappings for PC2 and PC4. The MAC table of the
switch will be:

MAC Address          Port number   Entry added by
00-01-11-11-11-11    1/0/5         Dynamic learning
00-01-22-22-22-22    1/0/5         Static configuration
00-01-33-33-33-33    1/0/12        Dynamic learning
00-01-44-44-44-44    1/0/12        Static configuration

1. Forward data according to the MAC table
If PC1 sends a message to PC3, the switch forwards the data received on port 1/0/5 out of
port 1/0/12.
2. Filter data according to the MAC table
If PC1 sends a message to PC2, the switch, on checking the MAC table, finds that PC2 and PC1
are in the same physical segment and filters the message (i.e. drops it).
Three types of frames can be forwarded by the switch:
 Broadcast frame
 Multicast frame
 Unicast frame
The following describes how the switch deals with each of the three types of frames:
1. Broadcast frame: The switch segregates collision domains but not broadcast domains.
If no VLAN is set, all devices connected to the switch are in the same broadcast domain,
and when the switch receives a broadcast frame it forwards the frame out of all ports.
When VLANs are configured on the switch, the MAC table is extended with VLAN
information; in this case the switch does not forward a received broadcast frame out of
all ports, but only out of the ports in the same VLAN.
2. Multicast frame: For unknown multicast, the switch floods the frame within the same
VLAN; it forwards multicast frames only to the multicast group's ports if the IGMP
Snooping function or a static multicast group has been configured.
3. Unicast frame: When no VLAN is configured, if the destination MAC address is in the
switch MAC table, the switch forwards the frame directly to the associated port; when
the destination MAC address of a unicast frame is not found in the MAC table, the
switch floods the unicast frame. When VLANs are configured, the switch forwards
unicast frames within the same VLAN. If the destination MAC address is found in the
MAC table but belongs to a different VLAN, the switch can only flood the unicast frame
within the VLAN the frame belongs to.
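The learning, aging, forwarding and filtering behaviour of 2.23.1.1 and 2.23.1.2 as a small Python model. This is an added example, not code from the guide or the switch: it uses the guide's PC1 to PC4 MAC addresses, ports 1/0/5 and 1/0/12 and the 300-second default aging time, while the extra VLAN2 port, the timestamps and all class and method names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff-ff-ff-ff-ff-ff"


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (lowest bit of the first octet) is set."""
    return int(mac.split("-")[0], 16) & 1 == 1


@dataclass
class Entry:
    port: Optional[str]   # None marks a blackhole (filter) entry
    static: bool
    last_seen: float      # time of the last frame that refreshed a dynamic entry


class MacTable:
    """VLAN-aware MAC table: (vlan, mac) -> Entry, plus access-port VLAN membership."""

    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time
        self.entries: Dict[Tuple[int, str], Entry] = {}
        self.ports: Dict[str, int] = {}   # access port -> VLAN (constructed simplification)

    def add_port(self, port: str, vlan: int = 1) -> None:
        self.ports[port] = vlan

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self.entries[(vlan, mac)] = Entry(port, True, 0.0)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.entries[(vlan, mac)] = Entry(None, True, 0.0)

    def learn(self, mac: str, vlan: int, port: str, now: float) -> None:
        existing = self.entries.get((vlan, mac))
        if existing is not None and existing.static:
            return   # static entries have the highest priority and are never overwritten
        self.entries[(vlan, mac)] = Entry(port, False, now)

    def age(self, now: float) -> List[str]:
        """Drop dynamic entries idle for one aging time; the switch's periodic scan
        removes them somewhere between one and two aging times, as the guide notes."""
        expired = [key for key, e in self.entries.items()
                   if not e.static and now - e.last_seen >= self.aging_time]
        for key in expired:
            del self.entries[key]
        return [mac for _, mac in expired]

    def forward(self, src: str, dst: str, in_port: str, now: float) -> List[str]:
        """Learn the source on the ingress port, then return the egress port list."""
        vlan = self.ports[in_port]
        self.learn(src, vlan, in_port, now)
        flood = [p for p, v in self.ports.items() if v == vlan and p != in_port]
        if is_group_address(dst):
            return flood                       # broadcast / unknown multicast: same VLAN only
        entry = self.entries.get((vlan, dst))
        if entry is None:
            return flood                       # unknown unicast is flooded within the VLAN
        if entry.port is None or entry.port == in_port:
            return []                          # blackhole entry, or same segment: filtered
        return [entry.port]


def walk_through() -> dict:
    """Replays the guide's PC1..PC4 scenario and returns each forwarding decision."""
    pc1, pc2, pc3, pc4 = ("00-01-11-11-11-11", "00-01-22-22-22-22",
                          "00-01-33-33-33-33", "00-01-44-44-44-44")
    t = MacTable(aging_time=300)
    t.add_port("1/0/5", vlan=1)
    t.add_port("1/0/12", vlan=1)
    t.add_port("1/0/20", vlan=2)            # constructed: a port outside VLAN1
    t.add_static(pc2, 1, "1/0/5")
    t.add_static(pc4, 1, "1/0/12")
    out = {}
    out["unknown_unicast"] = t.forward(pc1, pc3, "1/0/5", now=0)   # flooded in VLAN1 only
    out["reply"] = t.forward(pc3, pc1, "1/0/12", now=1)             # PC1 already learnt
    out["known_unicast"] = t.forward(pc1, pc3, "1/0/5", now=2)
    out["same_segment"] = t.forward(pc1, pc2, "1/0/5", now=3)       # filtered (dropped)
    out["broadcast"] = t.forward(pc1, BROADCAST, "1/0/5", now=4)
    out["aged"] = t.age(now=301.5)                                  # PC3 idle for > 300 s
    out["after_aging"] = t.forward(pc1, pc3, "1/0/5", now=302)      # flooded again
    t.add_blackhole(pc1, 1)                                         # filter address for PC1
    out["blackhole"] = t.forward(pc3, pc1, "1/0/12", now=303)
    return out
```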

2.23.2 MAC Address Table Configuration Task List

1. Configure the MAC address aging-time
2. Configure static MAC forwarding or filter entry
3. Clear dynamic address table
4. Configure MAC learning through CPU control

1. Configure the MAC aging-time

Command                                         Explanation
Global Mode
mac-address-table aging-time <0|aging-time>     Configure the MAC address aging-time.
no mac-address-table aging-time

2. Configure static MAC forwarding or filter entry

Command                                         Explanation
Global Mode
mac-address-table {static | blackhole} address <mac-addr> vlan <vlan-id> [interface ethernet <interface-name>] | [source|destination|both]
no mac-address-table {static | blackhole | dynamic} [address <mac-addr>] [vlan <vlan-id>] [interface ethernet <interface-name>]
    Configure static MAC entries and filter address entries.
l2-address-table static-multicast address {<ip-addr> | <mac-addr>} vlan <vlan-id> {interface [ethernet <interface-name>] | port-channel <port-channel-id>}
no l2-address-table static-multicast address {<ip-addr> | <mac-addr>} vlan <vlan-id> {interface [ethernet <interface-name>] | port-channel <port-channel-id>}
    Configure static multicast MAC entries.

3. Clear dynamic address table

Command                                         Explanation
Admin Mode
clear mac-address-table dynamic [address <mac-addr>] [vlan <vlan-id>] [interface [ethernet | portchannel] <interface-name>]
    Clear the dynamic address table.

4. Configure MAC learning through CPU control

Command                                 Explanation
Global Mode
mac-address-learning cpu-control        Enable MAC learning through CPU control; the no command
no mac-address-learning cpu-control     restores automatic MAC learning by the chip.
show collision-mac-address-table        Show the hash collision MAC table.
Admin Mode
clear collision-mac-address-table       Clear the hash collision MAC table.

2.23.3 Typical Configuration Examples

Figure 2-31 MAC Table typical configuration example


Scenario:
Four PCs, as shown in the figure above, connect to ports 1/0/5, 1/0/7, 1/0/9 and 1/0/11 of the
switch; all four PCs belong to the default VLAN1. As required by the network environment,
dynamic learning is enabled. PC1 holds sensitive data and cannot be accessed by any other PC
that is in another physical segment; PC2 and PC3 have static mappings set to port 1/0/7 and port
1/0/9, respectively.
The configuration steps are listed below:
1. Set the MAC address 00-01-11-11-11-11 of PC1 as a filter address.
Switch(config)#mac-address-table blackhole address 00-01-11-11-11-11 vlan 1
2. Set the static mapping relationship for PC2 and PC3 to port 1/0/7 and port 1/0/9, respectively.
Switch(config)#mac-address-table static address 00-01-22-22-22-22 vlan 1 interface ethernet 1/0/7
Switch(config)#mac-address-table static address 00-01-33-33-33-33 vlan 1 interface ethernet 1/0/9

2.23.4 MAC Address Table Troubleshooting


Using the show mac-address-table command, a port is found to have failed to learn the MAC
address of a device connected to it. Possible reasons:
 The connected cable is broken.
 Spanning Tree is enabled and the port is in "discarding" status; or the device has just been
connected to the port and Spanning Tree is still being calculated. Wait until the Spanning
Tree calculation finishes, and the port will learn the MAC address.
 If none of the above applies, please check the switch port and contact technical support
for a solution.

2.24 MAC Notification

2.24.1 Introduction to MAC Notification


The MAC Notification function is based on SNMP traps: when a MAC address is added or
removed, that is, when a device is attached or removed, the switch notifies the administrator of
the change through the SNMP trap function.

2.24.2 MAC Notification Configuration


MAC notification configuration task list:
1. Configure the global snmp MAC notification
2. Configure the global MAC notification
3. Configure the interval for sending MAC notification
4. Configure the size of history table
5. Configure the trap type of MAC notification supported by the port
6. Show the configuration and the data of MAC notification
7. Clear the statistics of MAC notification trap

1. Configure the global snmp MAC notification

Command                                          Explanation
Global mode
snmp-server enable traps mac-notification        Configure or cancel the global SNMP MAC notification.
no snmp-server enable traps mac-notification

2. Configure the global MAC notification

Command                                 Explanation
Global mode
mac-address-table notification          Configure or cancel the global MAC notification.
no mac-address-table notification

3. Configure the interval for sending MAC notification


Command                                              Explanation
Global mode
mac-address-table notification interval <0-86400>    Configure the interval for sending the MAC address notification; the no command restores the default interval.
no mac-address-table notification interval

4. Configure the size of history table

Command                                                Explanation
Global mode
mac-address-table notification history-size <0-500>    Configure the history table size; the no command restores the default value.
no mac-address-table notification history-size

5. Configure the trap type of MAC notification supported by the port

Command                                      Explanation
Port mode
mac-notification {added | both | removed}    Configure or cancel the trap type of MAC notification supported by the port.
no mac-notification

6. Show the configuration and the data of MAC notification

Command                          Explanation
Admin mode
show mac-notification summary    Show the configuration and the data of MAC notification.

7. Clear the statistics of MAC notification trap

Command                            Explanation
Admin mode
clear mac-notification statistics  Clear the statistics of MAC notification traps.

2.24.3 MAC Notification Example


The IP address of the network management station (NMS) is 1.1.1.5 and the IP address of the
Agent is 1.1.1.9. The NMS will receive Trap messages from the Agent. (Note: the NMS may require
authentication of the trap community string; suppose the community string is usertrap.)
Configuration procedure:
Switch(config)#snmp-server enable
Switch(config)#snmp-server enable traps mac-notification
Switch(config)#mac-address-table notification
Switch(config)#mac-address-table notification interval 5
Switch(config)#mac-address-table notification history-size 100
Switch(config)#interface ethernet 1/0/4
Switch(Config-If-Ethernet1/0/4)#mac-notification both

2.24.4 MAC Notification Troubleshooting


Use the show and debug commands of SNMP to check whether the trap message is sent
successfully.

2-87
S4600_Configuration Guide Chapter 3 IP services Configuration

Chapter 3 IP services Configuration

3.1 Layer 3 Interface

3.1.1 Introduction to Layer 3 Interface


Only one Layer 3 management interface can be created on the switch. The Layer 3 interface is
not a physical interface but a virtual interface built on a VLAN. The Layer 3 interface can contain
one or more Layer 2 ports that belong to the same VLAN, or contain no Layer 2 ports. For the
Layer 3 interface to be in the UP state, at least one of the Layer 2 ports it contains must be in the
UP state; otherwise the Layer 3 interface is in the DOWN state. The switch uses the IP addresses
set on the Layer 3 management interface to communicate with other devices via IP.

3.1.2 Layer 3 Interface Configuration Task List


Layer 3 Interface Configuration Task List:
1. Create Layer 3 management interface
2. Configure VLAN interface description

1. Create Layer 3 Management Interface


Command                      Explanation
Global Mode
interface vlan <vlan-id>     Creates a management VLAN interface; the no command deletes the
no interface vlan <vlan-id>  VLAN interface created in the switch.

2. Configure VLAN interface description


Command                Explanation
VLAN Interface Mode
description <text>     Configure the description information of the VLAN interface. The no
no description         command cancels the description information of the VLAN interface.

3.2 IP Configuration

3.2.1 Introduction to IPv4, IPv6


IPv4 is the current version of the globally used Internet protocol. Practice has proved that
IPv4 is simple, flexible, open, stable, robust and easy to implement, and that it collaborates well
with various protocols of the upper and lower layers. Although IPv4 has hardly changed since it
was established in the 1980s, it has kept growing to the current global scale with the growth of
the Internet. However, as the Internet infrastructure and Internet application services continue
to expand, IPv4 has shown its deficiencies when facing the present scale and complexity of the
Internet.
IPv6 is the sixth version of the Internet protocol, the next-generation Internet protocol
designed by the IETF to replace the current Internet protocol version 4 (IPv4). IPv6 was
developed specifically to make up for the shortage of IPv4 addresses so that the Internet can
develop further.
The most important problem IPv6 solves is the number of IP addresses. IPv4 addresses have
nearly run out, whereas the number of Internet users has been increasing geometrically. With the
great and continuous growth of Internet services and application devices that require IP
addresses (home and small office networks, IP phones and wireless service information terminals
that make use of the Internet), the supply of IP addresses has become more and more tight.
People have worked on the shortage of IPv4 addresses for a long time by introducing various
technologies to prolong the lifespan of the existing IPv4 infrastructure, including Network
Address Translation (NAT) and Classless Inter-Domain Routing (CIDR).
Although the combination of CIDR, NAT and private addressing has temporarily mitigated
the shortage of IPv4 address space, NAT has disrupted the end-to-end model that was the original
intention of the IP design: router devices serving as intermediate network nodes must maintain
the state of every connection, which greatly increases network delay and decreases network
performance. Moreover, the translation of packet addresses defeats end-to-end network security
checks; the IPSec authentication header is one such example.
Therefore, in order to solve comprehensively all kinds of problems existing in IPv4, the
next-generation Internet Protocol IPv6 designed by the IETF has become the only feasible solution
at present.
First of all, the 128-bit addressing scheme of IPv6 guarantees enough globally unique IP
addresses for the nodes of the global IP network across time and space. Moreover, besides
increasing the address space, IPv6 also enhances many other essential designs of IPv4.
The hierarchical addressing scheme facilitates route aggregation, effectively reduces routing
table entries and enhances the efficiency and scalability of routing and packet processing.
The header design of IPv6 is more efficient than that of IPv4. It has fewer fields and removes
the header checksum, which speeds up the processing of the basic IPv6 header. In the IPv6
header, the fragment field is an optional extension header, so packet fragmentation is not
performed during router forwarding, and the Path MTU Discovery mechanism collaborates with
the packet source, which enhances the processing efficiency of routers.
Automatic address configuration and plug-and-play are supported. Large numbers of hosts
can easily find network routers through the automatic address configuration function of IPv6
while obtaining a globally unique IPv6 address automatically, which makes devices using IPv6
plug-and-play. The automatic address configuration function also makes the readdressing of an
existing network easier and more convenient, and it is more convenient for network operators to
manage the transition from one provider to another.
IPSec is supported. IPSec is optional in IPv4 but required in the IPv6 protocol. IPv6 provides a
security extension header, which provides end-to-end security services such as access control,
confidentiality and data integrity, consequently making the implementation of encryption,
validation and Virtual Private Networks easier.
Support for Mobile IP and mobile computing devices is enhanced. The Mobile IP protocol
defined in the IETF standard lets mobile devices move without breaking the existing connection,
a network function that is becoming more and more important. Unlike IPv4, the mobility of IPv6
uses embedded automatic configuration to obtain the transmission address (Care-Of-Address);
therefore it does not need a Foreign Agent. Furthermore, this binding process enables the
Correspondent Node to communicate with the Mobile Node directly, thereby avoiding the extra
system cost caused by the triangle routing required in IPv4.
The use of Network Address Translation is avoided. The purpose of introducing the NAT
mechanism is to share and reuse the same address space among different network segments.
This mechanism temporarily mitigates the shortage of IPv4 addresses, but it adds the burden of
the address translation process for network devices and applications. Since the address space of
IPv6 has increased greatly, address translation becomes unnecessary, so the problems and system
cost caused by NAT deployment are solved naturally.
Extensively deployed routing protocols are supported. IPv6 has kept and extended the support
for existing Interior Gateway Protocols (IGP) and Exterior Gateway Protocols (EGP), for example
the IPv6 routing protocols RIPng, OSPFv3, IS-ISv6 and MBGP4+.
Multicast addresses have been increased and the support for multicast has been enhanced. By
handling IPv4 broadcast functions such as Router Discovery and Router Query with multicast,
IPv6 multicast has completely replaced IPv4 broadcast in terms of function. Multicast not only
saves network bandwidth but also enhances network efficiency.

3.2.2 IP Configuration

A Layer 3 interface can be configured as an IPv4 interface or an IPv6 interface.

3.2.2.1 IPv4 Address Configuration


IPv4 address configuration task list:
1. Configure the IPv4 address of the Layer 3 interface
2. Configure the default gateway

1. Configure the IPv4 address of the Layer 3 interface

Command                                        Explanation
VLAN Interface Configuration Mode
ip address <ip-address> <mask> [secondary]     Configure the IP address of the VLAN interface; the
no ip address [<ip-address> <mask>]            no ip address [<ip-address> <mask>] command cancels
                                               the IP address of the VLAN interface.

3.2.2.2 IPv6 Address Configuration


The configuration Task List of IPv6 is as follows:
1. IPv6 basic configuration
(1) Configure interface IPv6 address
(2) Configure default gateway
2. IPv6 Neighbor Discovery Configuration
(1) Configure DAD neighbor solicitation message number
(2) Configure send neighbor solicitation message interval
(3) Configure static IPv6 neighbor entries
(4) Delete all entries in IPv6 neighbor table

1. IPv6 Basic Configuration


(1) Configure interface IPv6 address

Command                                                Explanation
Interface Configuration Mode
ipv6 address <ipv6-address/prefix-length> [eui-64]     Configure an IPv6 address, including aggregatable
no ipv6 address <ipv6-address/prefix-length>           global unicast addresses, site-local addresses and
                                                       link-local addresses. The no ipv6 address
                                                       <ipv6-address/prefix-length> command cancels the
                                                       IPv6 address.

(2) Configure default gateway


Command                                 Explanation
Global Mode
ipv6 default-gateway <X:X::X:X>         Configure the IPv6 default gateway of the router. The
no ipv6 default-gateway <X:X::X:X>      no command cancels the configuration.

2. IPv6 Neighbor Discovery Configuration


(1) Configure DAD Neighbor Solicitation Message Number

Command                            Explanation
Interface Configuration Mode
ipv6 nd dad attempts <value>       Set the number of neighbor solicitation messages sent in
no ipv6 nd dad attempts            sequence when the interface performs duplicate address
                                   detection. The no command restores the default value (1).

(2) Configure Send Neighbor Solicitation Message Interval

Command                            Explanation
Interface Configuration Mode
ipv6 nd ns-interval <seconds>      Set the interval at which the interface sends neighbor
no ipv6 nd ns-interval             solicitation messages. The no command restores the default
                                   value (1 second).

(3) Configure static IPv6 neighbor entries

Command                                                                                    Explanation
Interface Configuration Mode
ipv6 neighbor <ipv6-address> <hardware-address> interface <interface-type interface-name>
    Set a static neighbor table entry, including the neighbor IPv6 address, MAC address and Layer 2 port.
no ipv6 neighbor <ipv6-address>
    Delete the neighbor table entry.

(4) Delete all entries in IPv6 neighbor table

Command                 Explanation
Admin Mode
clear ipv6 neighbors    Clear all static neighbor table entries.

3.2.3 IP Configuration Examples

3.2.3.1 Configuration Examples of IPv4

3.2.3.2 Configuration Examples of IPv6


3.2.4 IPv6 Troubleshooting

 If a connected PC has not obtained an IPv6 address, check the RA (Router Advertisement)
announcement switch (it is turned off by default).

3.3 ARP

3.3.1 Introduction to ARP


ARP (Address Resolution Protocol) is mainly used to resolve IP addresses to Ethernet MAC
addresses. The switch supports static ARP configuration.

3.3.2 ARP Configuration Task List


ARP Configuration Task List:
1. Configure static ARP

1. Configure static ARP


Command                            Explanation
Interface Configuration Mode
arp <ip_address> <mac_address>     Configures a static ARP entry; the no command
no arp <ip_address>                deletes a static ARP entry.

3.3.3 ARP Troubleshooting


If a ping from the switch to a directly connected network device fails, the following can be
used to check the possible cause and find a solution:
 Check whether the corresponding ARP entry has been learned by the switch.
 If the ARP entry has not been learned, enable ARP debugging information and view the
sending/receiving of ARP packets.
 A defective cable is a common cause of ARP problems and may prevent ARP learning.

3.4 ARP Scanning Prevention

3.4.1 Introduction to ARP Scanning Prevention


ARP scanning is a common reconnaissance method. To discover every active host in a network segment, the attack source broadcasts a large number of ARP messages in the segment, consuming a significant share of the segment's bandwidth; with forged ARP messages the same technique becomes a flooding attack that can exhaust the bandwidth and bring the segment down. ARP scanning is usually only the prelude to more dangerous activity, such as automatic virus propagation, the port scanning and vulnerability scanning that precede information theft, malformed-packet attacks and DoS attacks.
Because ARP scanning threatens the security and stability of the network, preventing it matters. The switch provides a complete mechanism for this: when a host or port in the segment shows ARP scanning characteristics, the switch cuts off the attack source.
There are two detection methods, port-based and IP-based. Port-based prevention counts the ARP messages received on a port within a time window; if the count exceeds the configured threshold, the port is shut down. IP-based prevention uses two thresholds, a level-1 (rate-limit) threshold and a level-2 (isolation) threshold. When a host's ARP rate exceeds the level-1 threshold, the hardware still forwards the host's ARP packets (requests and replies) normally but limits the rate at which they are sent to the CPU, and a trap warns the administrator of a possible attack. When the rate reaches the level-2 threshold, the switch takes the configured level-2 action, records a log entry and sends a trap. Both thresholds become active when IP-based prevention is enabled in global mode; the level-1 threshold only takes effect if it is lower than the level-2 threshold. The two methods can run at the same time. A port that has been shut down can be restored by the automatic recovery function; a host that has been isolated recovers automatically once the rate of ARP packets received from it falls below the level-2 threshold.
To reduce the load on the switch, trusted ports and trusted IP addresses can be configured; ARP messages from them are not checked.
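The two checks described above, as an added example that is not part of this guide or of the switch's software: a Python model of the port-based counter and the two-level IP-based counter, with trusted ports and IP addresses exempted and both recovery paths included. The thresholds, the one-second counting window, the port names, the addresses and the traffic stream are all assumptions constructed for illustration; on the switch the corresponding values are set with the commands in 3.4.2.

```python
from collections import defaultdict, deque

# Assumed values for illustration; on the switch these come from
# 'anti-arpscan port-based threshold', 'anti-arpscan ip-based level1|level2 threshold'
# and 'anti-arpscan recovery time'.
PORT_THRESHOLD = 50          # ARP frames per port per window before the port is shut down
LEVEL1_THRESHOLD = 20        # ARP frames per host per window: rate-limit to CPU + trap
LEVEL2_THRESHOLD = 40        # ARP frames per host per window: isolate/discard + log + trap
WINDOW_SECONDS = 1.0         # counting window (assumed)


class AntiArpScan:
    def __init__(self, trusted_ports=(), trusted_ips=(), recovery_time=3600.0):
        self.trusted_ports = set(trusted_ports)     # anti-arpscan trust port
        self.trusted_ips = set(trusted_ips)         # anti-arpscan trust ip
        self.recovery_time = recovery_time          # anti-arpscan recovery time
        self._port_hist = defaultdict(deque)        # port -> arrival times
        self._ip_hist = defaultdict(deque)          # sender IP -> arrival times
        self.port_down = {}                         # port -> time it was shut down
        self.ip_state = {}                          # sender IP -> "limited" | "isolated"
        self.events = []                            # what the switch would log/trap

    @staticmethod
    def _rate(history, now):
        """Sliding-window count: record this arrival, forget old ones, return the count."""
        history.append(now)
        while now - history[0] > WINDOW_SECONDS:
            history.popleft()
        return len(history)

    def arp_frame(self, now, port, sender_ip):
        """Return 'forward', 'forward-limited' or 'drop' for one ARP frame."""
        if port in self.port_down:
            if now - self.port_down[port] < self.recovery_time:
                return "drop"
            del self.port_down[port]                # automatic recovery of the port
            self.events.append(("port-recovered", port))
        if port in self.trusted_ports or sender_ip in self.trusted_ips:
            return "forward"                        # trusted: not counted at all

        if self._rate(self._port_hist[port], now) > PORT_THRESHOLD:
            self.port_down[port] = now              # port-based action: the port goes down
            self.events.append(("port-down", port))
            return "drop"

        rate = self._rate(self._ip_hist[sender_ip], now)
        if rate > LEVEL2_THRESHOLD:
            if self.ip_state.get(sender_ip) != "isolated":
                self.ip_state[sender_ip] = "isolated"
                self.events.append(("level2-isolate", sender_ip))
            return "drop"                           # level-2 action, here discard-ARP
        if rate > LEVEL1_THRESHOLD:
            if self.ip_state.get(sender_ip) != "limited":
                self.ip_state[sender_ip] = "limited"
                self.events.append(("level1-trap", sender_ip))
            return "forward-limited"                # forwarded in hardware, CPU copy rate-limited
        if sender_ip in self.ip_state:
            del self.ip_state[sender_ip]            # rate fell back under the thresholds
            self.events.append(("ip-recovered", sender_ip))
        return "forward"


def simulate():
    """Replay a constructed ARP stream and return (action counts, events)."""
    guard = AntiArpScan(trusted_ports={"E1/0/2", "E1/0/19"},
                        trusted_ips={"192.168.1.100"}, recovery_time=10.0)
    counts = defaultdict(int)
    for i in range(5):                               # a normal PC: five requests in 50 ms
        counts[guard.arp_frame(i * 0.01, "E1/0/3", "192.168.1.21")] += 1
    for i in range(60):                              # a scanner: sixty requests in 600 ms
        counts[guard.arp_frame(i * 0.01, "E1/0/5", "192.168.1.66")] += 1
    for i in range(100):                             # the trusted file server: never counted
        counts[guard.arp_frame(i * 0.001, "E1/0/2", "192.168.1.100")] += 1
    counts[guard.arp_frame(20.0, "E1/0/5", "192.168.1.66")] += 1   # quiet again 20 s later
    return dict(counts), guard.events
```

In the replay the scanner's first 20 frames are forwarded, the next 20 are forwarded with the CPU copy rate-limited (level-1 trap), frames 41 to 50 are discarded (level-2), and frame 51 trips the port-based threshold and shuts the port; the single frame sent 20 s later recovers both the port and the host. The ordering of the checks (port before host) is an assumption of the model.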

3.4.2 ARP Scanning Prevention Configuration Task Sequence

1. Enable the ARP scanning prevention function
2. Configure the thresholds of port-based and IP-based ARP scanning prevention
3. Configure trusted ports
4. Configure trusted IP addresses
5. Configure the automatic recovery time
6. Display debug information and ARP scanning information
7. Configure the action taken after the level-2 threshold is exceeded

1. Enable the ARP Scanning Prevention function.


Global configuration mode
  anti-arpscan enable [ip|port]
  no anti-arpscan enable [ip|port]
      Enable or disable the ARP scanning prevention function globally.

2. Configure the threshold of the port-based and IP-based ARP Scanning Prevention
Global configuration mode
  anti-arpscan port-based threshold <threshold-value>
  no anti-arpscan port-based threshold
      Set the threshold of port-based ARP scanning prevention.
  anti-arpscan ip-based {level1|level2} threshold <threshold-value>
  no anti-arpscan ip-based {level1|level2} threshold
      Set the level-1 or level-2 threshold of IP-based ARP scanning prevention.

3. Configure trusted ports


Port configuration mode
  anti-arpscan trust {port | supertrust-port | iptrust-port}
  no anti-arpscan trust {port | supertrust-port | iptrust-port}
      Set the trust attribute of the port.

4. Configure trusted IP
Global configuration mode
  anti-arpscan trust ip <ip-address> [<netmask>]
  no anti-arpscan trust ip <ip-address> [<netmask>]
      Set the trust attribute of an IP address or address range.

5. Configure automatic recovery time


Global configuration mode
  anti-arpscan recovery enable
  no anti-arpscan recovery enable
      Enable or disable the automatic recovery function.
  anti-arpscan recovery time <seconds>
  no anti-arpscan recovery time
      Set the automatic recovery time.

6. Display debug information and ARP scanning information

Global configuration mode
  anti-arpscan log enable
  no anti-arpscan log enable
      Enable or disable logging for ARP scanning prevention.
  anti-arpscan trap enable [level1|level2]
  no anti-arpscan trap enable [level1|level2]
      Enable or disable SNMP traps for ARP scanning prevention.
  anti-arpscan FFP max-num <num>
      Maximum number of FFP entries that the ARP scanning prevention function may occupy.
Admin Mode
  show anti-arpscan [trust {ip | port | supertrust-port | iptrust-port} | prohibited {ip | port}]
      Display the operating state and configuration of ARP scanning prevention.
  show anti-arpscan ip-based attack-list [history]
      Display the current or historical attack source information of IP-based ARP scanning prevention.
  show anti-arpscan ip-based running-config
      Display the current configuration of IP-based ARP scanning prevention.
  clear anti-arpscan speed-limit <IP Address>
      Manually clear the ARP rate limit for the specified host.
  clear anti-arpscan ip-isolate <IP Address>
      Manually clear the IP traffic isolation for the specified host.
  clear anti-arpscan attack-list {ip <IP Address> | all}
      Manually clear the ARP limit of the specified host or of all hosts.
  clear anti-arpscan attack-history-list {ip <IP Address> | all}
      Manually clear the historical attack source information of ARP scanning prevention.
  debug anti-arpscan [port | ip]
  no debug anti-arpscan [port | ip]
      Enable or disable the debug switch of ARP scanning prevention.

7. Configure the action after above level-2 threshold


Global configuration mode
  anti-arpscan ip-based level2 action {isolate | discard-ARP}
      Action taken once the level-2 threshold is exceeded: isolate the host's IP traffic, or discard its ARP packets.
  anti-arpscan ip-based arp-to-cpu speed <pps>
  no anti-arpscan ip-based arp-to-cpu speed
      Rate at which the host's ARP packets are sent to the CPU once the level-1 threshold is exceeded.

3.4.3 ARP Scanning Prevention Typical Examples

[Figure 3-1 ARP scanning prevention typical configuration example: SWITCH B port E1/0/1 connects to SWITCH A port E1/0/19; SWITCH A port E1/0/2 connects to the server 192.168.1.100/24; the remaining SWITCH A ports connect to PCs]

In the topology above, port E1/0/1 of SWITCH B is connected to port E1/0/19 of SWITCH A, port E1/0/2 of SWITCH A is connected to the file server (IP address 192.168.1.100/24), and all other ports of SWITCH A are connected to ordinary PCs. The following configuration prevents ARP scanning effectively without affecting normal operation.
SWITCH A configuration task sequence:
SwitchA(config)#anti-arpscan enable
SwitchA(config)#anti-arpscan recovery time 3600
SwitchA(config)#anti-arpscan trust ip 192.168.1.100 255.255.255.255
SwitchA(config)#interface ethernet1/0/2
SwitchA(Config-If-Ethernet1/0/2)#anti-arpscan trust port
SwitchA(Config-If-Ethernet1/0/2)#exit
SwitchA(config)#interface ethernet1/0/19
SwitchA(Config-If-Ethernet1/0/19)#anti-arpscan trust supertrust-port
SwitchA(Config-If-Ethernet1/0/19)#exit
The trusted IP is given with a host mask so that only the file server is exempted from the check; a 255.255.255.0 mask would exempt every host in 192.168.1.0/24, including the PCs the function is meant to watch.

SWITCH B configuration task sequence:
SwitchB(config)#anti-arpscan enable
SwitchB(config)#interface ethernet1/0/1
SwitchB(Config-If-Ethernet1/0/1)#anti-arpscan trust port
SwitchB(Config-If-Ethernet1/0/1)#exit

3.4.4 ARP Scanning Prevention Troubleshooting Help


• ARP scanning prevention is disabled by default. After enabling it, use the debug switch, debug anti-arpscan, to view debug information.


3.5 Prevent ARP Spoofing

3.5.1 Overview

3.5.1.1 ARP (Address Resolution Protocol)


ARP (RFC 826) maps an IP address to the corresponding 48-bit physical address, the MAC address; for instance, the IP address 192.168.0.1 might map to the network card MAC address 00-03-0F-FD-1D-2B. The mapping works as follows: a host broadcasts an ARP request carrying the IP address of the destination host; the destination host answers with an ARP reply carrying its own IP address and MAC address; from then on the two hosts exchange data addressed by MAC address.

3.5.1.2 ARP Spoofing


To reduce ARP traffic, the ARP protocol lets a host insert an entry into its ARP cache even when it receives an ARP reply it never requested. This is what makes ARP spoofing possible. An attacker who wants to eavesdrop on the communication between two hosts in the same network (even if they are connected through switches) sends a forged ARP reply to each of them, making each believe that the other host's MAC address is the attacker's MAC address. Traffic that the two hosts believe to be direct is in fact relayed through the attacker's host. The attacker can not only read the traffic but also modify selected fields in the packets before forwarding them. Sniffing this way does not require the attacker's network card to be in promiscuous mode, because the frames exchanged by the two victims are delivered to the attacker's host at the physical layer, where it acts as a relay.

3.5.1.3 How to Prevent ARP Spoofing


Many sniffing, monitoring and attack techniques on the network are based on the ARP protocol, and most of them rely on ARP spoofing, so preventing it is important. In an ARP spoofing attack against the switch, the attacker first joins the network using a counterfeit legitimate IP address and then sends a large number of forged ARP packets to the switch. When the switch learns these packets, they overwrite the correct IP-to-MAC mappings with the mappings carried in the attack packets, so the switch forwards packets to the wrong destination and the whole network is affected. The switch can also be abused by a malicious attacker to intercept and capture the packets it forwards, or to attack other switches, hosts or network equipment.
The essential countermeasure against ARP-based attacks and spoofing on the switch is to disable its automatic ARP update function: an attacker can then no longer replace a correct MAC address, so packets are not misdelivered and the attacker obtains no information. The automatic ARP learning function is left running at the same time. This prevents ARP spoofing and attacks to a great extent.

3.5.2 Prevent ARP Spoofing configuration


The steps to configure ARP spoofing prevention are:
1. Disable the ARP automatic update function
2. Disable the ARP automatic learning function
3. Convert dynamic ARP entries to static entries

1. Disable the ARP automatic update function

Global Mode and Port Mode
  ip arp-security updateprotect
  no ip arp-security updateprotect
      Disable the ARP automatic update function (learned entries are no longer overwritten by new ARP packets); the no command re-enables it.

2. Disable the ARP automatic learning function

Global Mode and Interface Mode
  ip arp-security learnprotect
  no ip arp-security learnprotect
      Disable the ARP automatic learning function (no new dynamic entries are created); the no command re-enables it.

3. Convert dynamic ARP entries to static entries

Global Mode and Port Mode
  ip arp-security convert
      Convert all current dynamic ARP entries to static entries.

3.5.3 Prevent ARP Spoofing Example


[Figure: hosts A and B attached to the switch]

Equipment explanation:
  Equipment   Configuration                                              Quantity
  switch      IP: 192.168.2.4; IP: 192.168.1.4; MAC: 00-00-00-00-00-04   1
  A           IP: 192.168.2.1; MAC: 00-00-00-00-00-01                    1
  B           IP: 192.168.1.2; MAC: 00-00-00-00-00-02                    1
  C           IP: 192.168.2.3; MAC: 00-00-00-00-00-03                    some

In the diagram above, B and C communicate normally. A wants the switch to forward the packets B sends to C to itself instead. A first sends an ARP reply to the switch with the content 192.168.2.3, 00-00-00-00-00-01, mapping its own MAC address to C's IP address. The switch updates its ARP table accordingly, so packets destined for 192.168.2.3 are now forwarded to 00-00-00-00-00-01 (A's MAC address).
A then forwards the packets it receives to C after rewriting the source and destination addresses, and the traffic between B and C passes through A without either of them noticing. Because ARP entries age out and are refreshed, A must keep sending ARP replies to keep the switch's ARP table poisoned.
Protecting the ARP table is therefore important: in a stable environment, forbid ARP learning, then convert all dynamic ARP entries to static ones. The learned entries will no longer be refreshed by ARP packets, which protects the users.
Switch#config
Switch(config)#interface vlan 1
Switch(config-if-vlan1)#arp 192.168.2.1 00-00-00-00-00-01 interface ethernet 1/0/1
Switch(config-if-vlan1)#arp 192.168.2.2 00-00-00-00-00-02 interface ethernet 1/0/2
Switch(config-if-vlan1)#arp 192.168.2.3 00-00-00-00-00-03 interface ethernet 1/0/3
Switch(config-if-vlan1)#exit
Switch(config)#ip arp-security learnprotect
Switch(config)#ip arp-security convert
If the environment may change, enable update protection instead: once an ARP entry has been learned it will not be refreshed by a new ARP reply, which protects user data from sniffing.
Switch#config
Switch(config)#ip arp-security updateprotect
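The three protections above, as an added example that is not part of this guide or of the switch's firmware: a Python model of an ARP table that replays the attack from the example (A claiming C's IP address) under the default behaviour, under updateprotect, under learnprotect and after convert, and finally shows how a gratuitous ARP from the gateway (see 3.7) is treated by the default and the update-protected table. The flags are an assumed model of the commands' behaviour as described in this section, and the addresses are those of the example; the cache returns "updated" only where a known IP is re-mapped to a different MAC.

```python
A_MAC, B_MAC, C_MAC = "00-00-00-00-00-01", "00-00-00-00-00-02", "00-00-00-00-00-03"
GW_IP, GW_MAC, NEW_GW_MAC = "192.168.2.4", "00-00-00-00-00-04", "00-00-00-00-00-44"


def arp(sender_ip, sender_mac, target_ip, op="reply"):
    """Constructed ARP packet; only the fields the cache looks at."""
    return {"op": op, "sender_ip": sender_ip, "sender_mac": sender_mac, "target_ip": target_ip}


class ArpCache:
    """ARP table with the three protections from 3.5.2 modelled as flags (assumed model)."""

    def __init__(self, updateprotect=False, learnprotect=False):
        self.updateprotect = updateprotect      # ip arp-security updateprotect
        self.learnprotect = learnprotect        # ip arp-security learnprotect
        self.entries = {}                       # ip -> (mac, "dynamic" | "static")

    def add_static(self, ip, mac):
        self.entries[ip] = (mac, "static")      # arp <ip> <mac>

    def convert(self):
        """ip arp-security convert: freeze every dynamic entry as static."""
        for ip, (mac, _) in list(self.entries.items()):
            self.entries[ip] = (mac, "static")

    def process(self, pkt):
        """Apply one ARP request or reply, solicited or not, and report what happened."""
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.entries.get(ip)
        if known is None:
            if self.learnprotect:
                return "ignored"                # no new dynamic entries
            self.entries[ip] = (mac, "dynamic")
            return "learned"
        old_mac, kind = known
        if kind == "static":
            return "ignored"                    # static entries are never overwritten
        if old_mac == mac:
            return "refreshed"                  # same mapping, ageing timer reset
        if self.updateprotect:
            return "ignored"                    # known IP, different MAC: blocked
        self.entries[ip] = (mac, "dynamic")
        return "updated"                        # the default behaviour spoofing relies on


def run_scenarios():
    """Replay the attack from the example (A claims C's IP) under each protection."""
    legit = [arp("192.168.2.1", A_MAC, GW_IP), arp("192.168.2.3", C_MAC, GW_IP)]
    poison = arp("192.168.2.3", A_MAC, GW_IP)            # unsolicited reply from A
    results = {}

    cache = ArpCache()                                    # default: poisoned
    for p in legit:
        cache.process(p)
    results["default"] = (cache.process(poison), cache.entries["192.168.2.3"][0])

    cache = ArpCache(updateprotect=True)                  # existing mapping kept
    for p in legit:
        cache.process(p)
    results["updateprotect"] = (cache.process(poison), cache.entries["192.168.2.3"][0])

    # learnprotect alone stops new entries but still lets a known IP be re-mapped,
    # which is why the example follows it with 'convert'.
    cache = ArpCache()
    for p in legit:
        cache.process(p)
    cache.learnprotect = True
    results["learnprotect"] = (cache.process(arp("192.168.2.9", A_MAC, GW_IP)),
                               cache.process(poison))

    cache = ArpCache()                                    # learn in a clean network, then freeze
    for p in legit:
        cache.process(p)
    cache.convert()
    results["convert"] = (cache.process(poison), cache.entries["192.168.2.3"])

    # Gratuitous ARP (sender == target) from a gateway whose MAC changed: the default
    # table follows it; updateprotect blocks it until an administrator intervenes.
    gratuitous = arp(GW_IP, NEW_GW_MAC, GW_IP, op="request")
    hosts = {"default": ArpCache(), "updateprotect": ArpCache(updateprotect=True)}
    for h in hosts.values():
        h.process(arp(GW_IP, GW_MAC, "192.168.2.1"))
    results["gratuitous"] = tuple(h.process(gratuitous) for h in hosts.values())
    return results
```

The learnprotect case is the one to note: on its own it only blocks unknown senders, so the poisoned reply for an already-known IP still goes through; the convert step (or updateprotect) is what freezes the existing mappings. The last case is the operational cost of updateprotect: a legitimate gateway MAC change is also ignored and must be corrected by hand.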

3.6 ARP GUARD

3.6.1 Introduction to ARP GUARD


The design of the ARP protocol contains a serious weakness: any network device can send ARP messages advertising a mapping between an IP address and a MAC address. This is what makes ARP cheating possible. An attacker can send ARP REQUEST or ARP REPLY messages advertising a wrong mapping between an IP address and a MAC address and so disrupt network communication. ARP cheating takes two forms: 1. PC4 sends an ARP message advertising that the IP address of PC2 maps to the MAC address of PC4, so all IP packets for PC2 are sent to PC4, which can then monitor and capture them; 2. PC4 sends ARP messages advertising that the IP address of PC2 maps to a non-existent MAC address, so PC2 no longer receives the packets meant for it. If the attacker impersonates the gateway in this way, the whole network is brought down.

[Figure 3-2 ARP GUARD schematic diagram: switch ports A, B, C and D; PC1, PC2 and PC3 attached through a HUB; PC4, PC5 and PC6]


The switch uses its filtering entries to protect the ARP entries of important network devices from being imitated by other devices. The principle is that the filtering entries check every ARP message entering through a port, and if the sender address of the ARP message is a protected address, the message is dropped immediately and not forwarded.
ARP GUARD is normally used to protect the gateway from being attacked. Protecting every PC in the network from ARP cheating would require a large number of ARP GUARD addresses on each port, which would take up a large share of the FFP entries in the chip and might affect other applications, so that is not appropriate. For that case the FREE RESOURCE access scheme is recommended; please refer to the related documents for details.

3.6.2 ARP GUARD Configuration Task List


1. Configure the protected IP address

Port configuration mode
  arp-guard ip <addr>
  no arp-guard ip <addr>
      Configure/delete an ARP GUARD address on the port.


3.7 Gratuitous ARP

3.7.1 Introduction to Gratuitous ARP


A gratuitous ARP is an ARP request that a host sends with its own IP address as the target of the request.
The switch works as follows: the Layer 3 interfaces of the switch can be configured to advertise gratuitous ARP packets periodically, or the switch can be configured globally to send gratuitous ARP packets on all interfaces.
Gratuitous ARP serves two purposes:
1. To reduce how often hosts send ARP requests to the switch. Hosts periodically send ARP requests to the gateway to refresh the gateway's MAC address; if the switch advertises gratuitous ARP requests, the hosts do not need to send these requests, so the number of ARP requests for the gateway's MAC address drops.
2. To counter ARP cheating. The switch's gratuitous ARP requests make hosts refresh the gateway entry in their ARP caches, so a forged gateway entry does not last. This only helps to the extent that hosts honour the announcement and it arrives more often than the forged replies; an attacker who sends forged replies faster than the configured interval still wins the race, so gratuitous ARP complements rather than replaces DAI (3.8) or ARP GUARD (3.6).

3.7.2 Gratuitous ARP Configuration Task List


1. Enable gratuitous ARP and configure the interval for sending gratuitous ARP requests
2. Display the gratuitous ARP configuration

1. Enable gratuitous ARP and configure the interval for sending gratuitous ARP requests

Global Configuration Mode and Interface Configuration Mode
  ip gratuitous-arp <5-1200>
  no ip gratuitous-arp
      Enable gratuitous ARP and set the interval (in seconds) between gratuitous ARP requests; the no command disables gratuitous ARP.

2. Display the gratuitous ARP configuration

Admin Mode and Configuration Mode
  show ip gratuitous-arp [interface vlan <1-4094>]
      Display the gratuitous ARP configuration.

3.7.3 Gratuitous ARP Configuration Example

[Figure 3-3 Gratuitous ARP Configuration Example: switch with interface vlan10 (192.168.15.254, mask 255.255.255.0) and interface vlan1 (192.168.14.254, mask 255.255.255.0); PC1 to PC5 attached to the switch]

In the network topology shown in the figure above, interface VLAN10 on the switch has the IP address 192.168.15.254 with network mask 255.255.255.0. Five PCs, PC1 to PC5, are connected to this interface. Gratuitous ARP can be enabled with either of the following configurations:

Configure global gratuitous ARP:

Switch(config)#ip gratuitous-arp 300
Switch(config)#exit

Configure interface gratuitous ARP:

Switch(config)#interface vlan 10
Switch(Config-if-Vlan10)#ip gratuitous-arp 300
Switch(Config-if-Vlan10)#exit
Switch(config)#exit

3.7.4 Gratuitous ARP Troubleshooting


Gratuitous ARP is disabled by default. When gratuitous ARP is enabled, debugging information about the ARP packets sent can be retrieved with the command debug arp send.
If gratuitous ARP is enabled in global configuration mode, it can only be disabled in global configuration mode; if it is configured in interface configuration mode, it can only be disabled in interface configuration mode. If gratuitous ARP is enabled in both modes and a sending interval is configured in both, the switch uses the interval configured in interface configuration mode.


3.8 Dynamic ARP Inspection

3.8.1 Introduction to Dynamic ARP Inspection


DAI (Dynamic ARP Inspection) is a security feature that validates the ARP packets in the network. With DAI, the administrator can intercept, log and drop ARP packets that carry an invalid IP address/MAC address pair.
Dynamic ARP inspection judges the validity of an ARP packet against the legitimate IP and MAC addresses held in a trusted database. This database is built from manually configured static entries and from bindings learned dynamically by DHCP snooping. An ARP packet received on a trusted port is not inspected and is forwarded directly. An ARP packet received on an untrusted port is forwarded only if it is valid; invalid packets are dropped and the action is logged.
Notice: the trusted/untrusted port here is not the DHCP snooping trust setting; it is a separate rule configured for the dynamic ARP inspection function.

3.8.2 Dynamic ARP Inspection Configuration Task List

1. Enable dynamic ARP inspection on a VLAN

Global Mode
  ip arp inspection vlan <vlan-id>
  no ip arp inspection vlan <vlan-id>
      Enable dynamic ARP inspection on the VLAN; the no command disables it.

2. Configure the trusted port

Port Mode
  ip arp inspection trust
  no ip arp inspection trust
      Configure the port as a trusted port for dynamic ARP inspection; the no command makes it an untrusted port.

3. Configure the ARP packet rate for untrusted ports

Port Mode
  ip arp inspection limit-rate <rate>
  no ip arp inspection limit-rate <rate>
      Limit the ARP packet rate on an untrusted port; the no command removes the CPU rate limit.

3.8.3 Dynamic ARP Inspection Configuration Example

[Figure: DHCP Server, Other Server and PC connected to the switch]

Environment: the DHCP server and the PC client are both in VLAN 10.
The MAC address of the DHCP server is 00-24-8c-01-05-90; its IP address 192.168.10.2 is assigned statically, and it is connected to e1/0/1. The MAC address of the specific server (Other Server) is 00-24-8c-01-05-80; its IP address 192.168.10.3 is assigned statically, and it is connected to e1/0/2. The MAC address of the PC client is 00-24-8c-01-05-96; it obtains its IP address dynamically through DHCP and is connected to e1/0/3. The Layer 3 interface of VLAN 10 is 192.168.10.1 with MAC address 00-03-0F-01-02-03.
The configuration is as follows:
ip arp inspection vlan 10
ip dhcp snooping enable
ip dhcp snooping vlan 10
!
Interface Ethernet1/0/1
description connect DHCP Server
switchport access vlan 10
ip dhcp snooping trust
ip arp inspection limit-rate 50
ip arp inspection trust
!
Interface Ethernet1/0/2
description connect to Other Server
switchport access vlan 10
ip arp inspection limit-rate 50
!
Interface Ethernet1/0/3
description connect to PC
switchport access vlan 10
ip arp inspection limit-rate 50
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0

Explanation: this case combines the static and dynamic uses of DAI. Every ARP packet from an untrusted port is checked against the DHCP snooping binding table to decide whether it is legitimate; the statically addressed server on e1/0/2 therefore needs a static entry in that binding table, which is configured as part of DHCP snooping and is not shown here.
After the client has obtained its IP address dynamically, it may be changed to a static IP address, but it must be the same address as the dynamic one. If it is changed to another address, the client cannot access the network and the switch can raise a warning about the illegal ARP.
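The checks that the configuration above puts in place, as an added example that is not part of this guide or of the switch's firmware: a Python model of DAI that forwards everything from trusted ports, rate-limits untrusted ports, and validates the sender IP/MAC (and the port it arrived on) of every other ARP packet against a binding table filled from static entries and DHCP snooping. The bindings use the addresses and ports of the example; the PC's leased address 192.168.10.50, the one-second rate window and the decision to drop (rather than shut the port) when the rate is exceeded are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    source: str           # "static" or "dhcp-snooping"


class DynamicArpInspection:
    """Validates ARP sender information on untrusted ports against a binding table."""

    def __init__(self, inspected_vlans):
        self.vlans = set(inspected_vlans)      # ip arp inspection vlan <id>
        self.trusted_ports = set()             # ip arp inspection trust
        self.limit_pps = {}                    # ip arp inspection limit-rate <rate>
        self.bindings = {}                     # (vlan, ip) -> Binding
        self._recent = defaultdict(deque)      # port -> arrival times in the last second
        self.log = []                          # dropped packets, as the switch would record them

    def add_binding(self, b):
        self.bindings[(b.vlan, b.ip)] = b

    def inspect(self, now, port, vlan, sender_ip, sender_mac):
        """Return 'forward' or 'drop' for one ARP packet (request or reply)."""
        if vlan not in self.vlans or port in self.trusted_ports:
            return "forward"                   # not inspected
        limit = self.limit_pps.get(port)
        if limit is not None:
            q = self._recent[port]
            q.append(now)
            while now - q[0] > 1.0:
                q.popleft()
            if len(q) > limit:                 # a real switch would typically err-disable the port
                self.log.append(("rate-exceeded", port, sender_ip))
                return "drop"
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac or b.port != port:
            self.log.append(("invalid-arp", port, sender_ip, sender_mac))
            return "drop"
        return "forward"


def run_example():
    """The 3.8.3 setup: VLAN 10, DHCP server on e1/0/1 (trusted), Other Server on e1/0/2, PC on e1/0/3."""
    dai = DynamicArpInspection(inspected_vlans={10})
    dai.trusted_ports.add("Ethernet1/0/1")
    for port in ("Ethernet1/0/1", "Ethernet1/0/2", "Ethernet1/0/3"):
        dai.limit_pps[port] = 50
    dai.add_binding(Binding("192.168.10.3", "00-24-8c-01-05-80", 10, "Ethernet1/0/2", "static"))
    # The PC's lease (address assumed) as DHCP snooping would have recorded it.
    dai.add_binding(Binding("192.168.10.50", "00-24-8c-01-05-96", 10, "Ethernet1/0/3", "dhcp-snooping"))
    pc = "00-24-8c-01-05-96"
    r = {
        "dhcp-server-trusted": dai.inspect(0.0, "Ethernet1/0/1", 10, "192.168.10.2", "00-24-8c-01-05-90"),
        "other-server-static": dai.inspect(0.0, "Ethernet1/0/2", 10, "192.168.10.3", "00-24-8c-01-05-80"),
        "pc-leased-ip": dai.inspect(0.0, "Ethernet1/0/3", 10, "192.168.10.50", pc),
        "pc-claims-gateway": dai.inspect(0.1, "Ethernet1/0/3", 10, "192.168.10.1", pc),
        "pc-other-static-ip": dai.inspect(0.2, "Ethernet1/0/3", 10, "192.168.10.77", pc),
        "pc-moved-to-other-port": dai.inspect(0.3, "Ethernet1/0/2", 10, "192.168.10.50", pc),
    }
    flood = [dai.inspect(10.0 + i * 0.001, "Ethernet1/0/3", 10, "192.168.10.50", pc) for i in range(60)]
    r["flood"] = (flood.count("forward"), flood.count("drop"))
    return r, dai.log
```

The PC keeping its leased address passes; the same PC claiming the gateway's address, a different static address, or its own address on another port is dropped and logged, which is the behaviour the explanation above describes; the 60-packet burst shows the limit-rate of 50 taking effect on the untrusted port.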

3.9 DHCP

3.9.1 Introduction to DHCP


DHCP (Dynamic Host Configuration Protocol, RFC 2131) assigns IP addresses dynamically from an address pool, together with other network configuration parameters such as the default gateway, DNS server, default route and the location of the host's boot image file. DHCP is an enhanced version of BOOTP. It is a mainstream technology that not only provides boot information for diskless workstations but also frees administrators from manual bookkeeping of IP allocations and reduces the user's configuration effort and cost. Another benefit is that it partially eases the demand for IP addresses: when the user of an address leaves the network, the address can be assigned to another user.
DHCP is a client/server protocol: the DHCP client requests a network address and configuration parameters from the DHCP server, and the server provides them. If the DHCP server and the clients are in different subnets, a DHCP relay is required to carry DHCP packets between client and server. The DHCP exchange is shown below:

[Figure 3-4 DHCP protocol interaction: the DHCP CLIENT sends Discover to the DHCP SERVER, which answers with Offer; the client sends Request and the server answers with Ack]


Explanation:
1. The DHCP client broadcasts a DHCPDISCOVER packet in the local subnet.
2. On receiving the DHCPDISCOVER packet, the DHCP server sends a DHCPOFFER packet carrying an IP address and other network parameters to the DHCP client.
3. The DHCP client selects one of the DHCPOFFER packets and broadcasts a DHCPREQUEST packet naming the DHCP server it selected.
4. The selected DHCP server sends a DHCPACK packet, and the client obtains its IP address and other network configuration parameters.
These four steps complete one dynamic host configuration assignment. If the DHCP server and the DHCP client are not in the same network, the server does not receive the client's DHCP broadcasts and therefore sends nothing back to the client. In that case a DHCP relay is required to forward the DHCP packets so that the exchange between client and server can complete.
The switch can act both as a DHCP server and as a DHCP relay. The DHCP server supports not only dynamic IP address assignment but also manual IP address binding (assigning a specific IP address to a specified MAC address or device ID for a long period). The differences and relations between dynamic allocation and manual binding are: 1) a dynamically obtained IP address can differ every time, while a manually bound address is always the same; 2) the lease of a dynamically obtained address is the lease of its address pool and is limited, while the lease of a manually bound address is theoretically endless; 3) a dynamically allocated address cannot be bound manually; 4) a manual DHCP address pool can inherit the network configuration parameters of the dynamic DHCP address pool of the related segment.

3.9.2 DHCP Server Configuration


DHCP Server Configuration Task List:
1. Enable/disable the DHCP service
2. Configure a DHCP address pool
(1) Create/delete a DHCP address pool
(2) Configure DHCP address pool parameters
(3) Configure manual DHCP address pool parameters
3. Enable logging for address conflicts

1. Enable/disable the DHCP service

Global Mode
  service dhcp
  no service dhcp
      Enable the DHCP server; the no command disables it.
Port Mode
  ip dhcp disable
  no ip dhcp disable
      Disable DHCP services on the port; the no command re-enables them.

2. Configure DHCP Address pool


(1) Create/delete a DHCP address pool

Global Mode
  ip dhcp pool <name>
  no ip dhcp pool <name>
      Create a DHCP address pool and enter its configuration mode; the no command deletes the address pool.

(2) Configure DHCP address pool parameters

DHCP Address Pool Mode
  network-address <network-number> [mask | prefix-length]
  no network-address
      Configure the address range that the pool can allocate; the no command removes the allocation range.
  default-router [<address1>[<address2>[...<address8>]]]
  no default-router
      Configure the default gateway(s) for DHCP clients; the no command removes them.
  dns-server [<address1>[<address2>[...<address8>]]]
  no dns-server
      Configure the DNS server(s) for DHCP clients; the no command deletes the DNS server configuration.
  domain-name <domain>
  no domain-name
      Configure the domain name for DHCP clients; the no command deletes it.
  netbios-name-server [<address1>[<address2>[...<address8>]]]
  no netbios-name-server
      Configure the WINS server address(es); the no command removes them.
  netbios-node-type {b-node|h-node|m-node|p-node|<type-number>}
  no netbios-node-type
      Configure the NetBIOS node type for DHCP clients; the no command removes it.
  bootfile <filename>
  no bootfile
      Configure the boot file that DHCP clients import at start-up; the no command removes it.
  next-server [<address1>[<address2>[...<address8>]]]
  no next-server [<address1>[<address2>[...<address8>]]]
      Configure the address(es) of the server hosting the boot file; the no command deletes them.
  option <code> {ascii <string> | hex <hex> | ipaddress <ipaddress>}
  no option <code>
      Configure the network parameter identified by the option code; the no command deletes it.
  lease { days [hours][minutes] | infinite }
  no lease
      Configure the lease period for addresses in the pool; the no command deletes it.
  max-lease-time {[<days>] [<hours>] [<minutes>] | infinite}
  no max-lease-time
      Set the maximum lease time for addresses in the pool; the no command restores the default.
Global Mode
  ip dhcp excluded-address <low-address> [<high-address>]
  no ip dhcp excluded-address <low-address> [<high-address>]
      Exclude addresses in the pool range from dynamic allocation; the no command removes the exclusion.

(3) Configure manual DHCP address pool parameters

DHCP Address Pool Mode
  hardware-address <hardware-address> [{Ethernet | IEEE802 | <type-number>}]
  no hardware-address
      Specify/delete the hardware address for a manual address binding.
  host <address> [<mask> | <prefix-length>]
  no host
      Specify/delete the IP address assigned to the client by a manual binding.
  client-identifier <unique-identifier>
  no client-identifier
      Specify/delete the unique client identifier for a manual binding.

3. Enable logging for address conflicts

Global Mode
  ip dhcp conflict logging
  no ip dhcp conflict logging
      Enable/disable logging of DHCP address conflict detection.
Admin Mode
  clear ip dhcp conflict <address | all>
      Delete a single address conflict record or all conflict records.

3.9.3 DHCP Relay Configuration


When the DHCP client and server are in different segments, a DHCP relay is required to carry DHCP packets between them. With a relay there is no need to deploy a DHCP server in every segment: one DHCP server can provide network configuration parameters to clients in multiple segments, which saves both cost and management effort.

[Figure 3-5 DHCP relay: the DHCP Client broadcasts DHCPDISCOVER and DHCPREQUEST; the DHCP Relay forwards them to the DHCP Server and relays the server's DHCPOFFER and DHCPACK back to the client as unicast]


As shown in the figure above, the DHCP client and the DHCP server are in different networks; the client performs the same four DHCP steps, with the DHCP relay added to the process.
1. The client broadcasts a DHCPDISCOVER packet. On receiving it, the DHCP relay inserts its own IP address into the relay agent (giaddr) field of the packet and forwards it to the configured DHCP server (for the DHCP frame format, refer to RFC 2131).
2. On receiving the DHCPDISCOVER forwarded by the relay, the DHCP server sends a DHCPOFFER packet back via the relay to the client.
3. The client chooses a DHCP server and broadcasts a DHCPREQUEST packet; the relay processes it and forwards it to the DHCP server.
4. On receiving the DHCPREQUEST, the DHCP server responds with a DHCPACK packet via the relay to the client.
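The four relay steps above on the real DHCP wire format (RFC 2131), as an added example that is not part of this guide or of the switch's firmware: a Python relay agent that fills giaddr with the address of the interface the request arrived on (only when giaddr is still zero, so a second relay in the path leaves it alone), counts the hop, unicasts the request to each helper address, and on the way back accepts only replies whose giaddr names one of its own interfaces and delivers them to the client by broadcast or unicast depending on the client's flags. The DISCOVER and OFFER messages are constructed inline; the client MAC, the relay interface 10.16.2.1 and the helper address 10.16.1.2 are assumptions, and the hop limit of 16 follows RFC 1542.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
MAX_HOPS = 16                      # RFC 1542: a relay discards a request with hops >= 16
ZERO_IP = b"\x00" * 4
# Fixed-size BOOTP/DHCP header (RFC 2131 section 2): 236 bytes before the magic cookie.
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
HDR_LEN = struct.calcsize(HDR)


def parse(pkt):
    """Split a raw DHCP message into its header fields plus the raw options."""
    if len(pkt) < HDR_LEN + 4 or pkt[HDR_LEN:HDR_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = dict(zip(FIELDS, struct.unpack(HDR, pkt[:HDR_LEN])))
    msg["options"] = pkt[HDR_LEN + 4:]
    return msg


def build(msg):
    """Serialise a message produced by parse() back to wire format."""
    return struct.pack(HDR, *(msg[f] for f in FIELDS)) + MAGIC_COOKIE + msg["options"]


class DhcpRelay:
    """Relay agent with an 'ip helper-address' list and its client-facing interface IPs."""

    def __init__(self, helper_addresses, interface_ips):
        self.helpers = list(helper_addresses)
        self.interface_ips = set(interface_ips)

    def from_client(self, pkt, iface_ip):
        """Steps 1 and 3: a BOOTREQUEST arrived on interface iface_ip. Returns (dst, port, bytes) tuples."""
        msg = parse(pkt)
        if msg["op"] != BOOTREQUEST or msg["hops"] >= MAX_HOPS:
            return []                                   # not a request, or looped too far: discard
        msg["hops"] += 1
        if msg["giaddr"] == ZERO_IP:
            # Only the first relay fills giaddr; the server allocates from that subnet
            # and addresses its reply to this relay.
            msg["giaddr"] = socket.inet_aton(iface_ip)
        out = build(msg)
        return [(helper, 67, out) for helper in self.helpers]   # unicast to each server

    def from_server(self, pkt):
        """Steps 2 and 4: a BOOTREPLY arrived from a server. Returns (dst, port, bytes) or None."""
        msg = parse(pkt)
        if msg["op"] != BOOTREPLY or socket.inet_ntoa(msg["giaddr"]) not in self.interface_ips:
            return None                                 # not addressed to one of our interfaces
        if msg["ciaddr"] != ZERO_IP:
            dst = socket.inet_ntoa(msg["ciaddr"])        # client already has an address (renewal)
        elif msg["flags"] & BROADCAST_FLAG:
            dst = "255.255.255.255"                      # client asked for broadcast replies
        else:
            dst = socket.inet_ntoa(msg["yiaddr"])        # unicast to the offered address
        return (dst, 68, pkt)


def make_discover(xid, mac, broadcast=True):
    """Constructed DHCPDISCOVER (option 53 = 1) as a client would broadcast it."""
    msg = dict(zip(FIELDS, (BOOTREQUEST, 1, 6, 0, xid, 0, BROADCAST_FLAG if broadcast else 0,
                            ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP, mac + b"\x00" * 10,
                            b"\x00" * 64, b"\x00" * 128)))
    msg["options"] = b"\x35\x01\x01\xff"
    return build(msg)


def make_offer(request_pkt, offered_ip):
    """Constructed DHCPOFFER (option 53 = 2) a server would send back for request_pkt."""
    msg = parse(request_pkt)
    msg.update(op=BOOTREPLY, hops=0, yiaddr=socket.inet_aton(offered_ip),
               options=b"\x35\x01\x02\xff")
    return build(msg)


def demo():
    """Client on 10.16.2.0/24 behind relay interface 10.16.2.1; server at 10.16.1.2 (assumed)."""
    relay = DhcpRelay(helper_addresses=["10.16.1.2"], interface_ips=["10.16.2.1"])
    discover = make_discover(0x3903F326, bytes.fromhex("00032223dcab"))
    to_server = relay.from_client(discover, "10.16.2.1")
    relayed = parse(to_server[0][2])
    offer = make_offer(to_server[0][2], "10.16.2.50")
    to_client = relay.from_server(offer)
    # A second relay in the path must not overwrite giaddr, only count the hop.
    second = DhcpRelay(["10.16.1.2"], ["10.16.3.1"]).from_client(to_server[0][2], "10.16.3.1")
    return {
        "server_dst": to_server[0][:2],
        "hops": relayed["hops"],
        "giaddr": socket.inet_ntoa(relayed["giaddr"]),
        "client_dst": to_client[:2],
        "offered": socket.inet_ntoa(parse(to_client[2])["yiaddr"]),
        "second_hop": (parse(second[0][2])["hops"], socket.inet_ntoa(parse(second[0][2])["giaddr"])),
        "stray_reply_dropped": relay.from_server(make_offer(discover, "10.16.2.51")) is None,
    }
```

The giaddr check in from_server is the security-relevant part: a reply whose giaddr does not name one of the relay's own interfaces (the last line of demo builds one with giaddr 0.0.0.0) is never forwarded onto a client segment. The model relays DHCP only; on the switch the same forwarding is enabled with ip forward-protocol udp bootps and ip helper-address.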
DHCP Relay Configuration Task List:
1. Enable DHCP relay
2. Configure DHCP relay to forward DHCP broadcast packets
3. Configure share-vlan

1. Enable DHCP relay

Global Mode
  service dhcp
  no service dhcp
      Enabling the DHCP service enables both the DHCP server and the DHCP relay.

2. Configure DHCP relay to forward DHCP broadcast packets

Global Mode
  ip forward-protocol udp bootps
  no ip forward-protocol udp bootps
      Forward DHCP broadcast packets received on UDP port 67 (bootps); the no command cancels the setting.
Interface Configuration Mode
  ip helper-address <ipaddress>
  no ip helper-address <ipaddress>
      Set the destination IP address (the DHCP server) to which the relay forwards DHCP packets; the no command cancels the setting.

3. Configure share-vlan


When a layer 2 device is used as a DHCP relay, the number of layer 3 interfaces that can be
created on it is limited. DHCP relay forwarding can instead use the layer 3 interface of a
share-vlan (a share-vlan may contain many sub-vlans, but a sub-vlan corresponds to only one
share-vlan); the relay device must enable the option 82 function at the same time.
Command                                      Explanation
Global Mode
ip dhcp relay share-vlan <vlanid>            Create a share-vlan and its sub-vlans; the no
sub-vlan <vlanlist>                          command deletes them.
no dhcp relay share-vlan

3.9.4 DHCP Configuration Examples


Scenario 1:
To save configuration effort for network administrators and users, a company uses the switch as
a DHCP server. The Admin VLAN IP address is 10.16.1.2/16. The company's local area network is
divided into networks A and B according to office location. The network configurations for
locations A and B are shown below.
PoolA (network 10.16.1.0)                    PoolB (network 10.16.2.0)
Device              IP address               Device              IP address
Default gateway     10.16.1.200              Default gateway     10.16.1.200
                    10.16.1.201                                  10.16.1.201
DNS server          10.16.1.202              DNS server          10.16.1.202
WINS server         10.16.1.209              WWW server          10.16.1.209
WINS node type      H-node
Lease               3 days                   Lease               1 day
In location A, a machine with MAC address 00-03-22-23-dc-ab is assigned with a fixed IP address
of 10.16.1.210 and named as “management”.
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-Vlan-1)#ip address 10.16.1.2 255.255.0.0
Switch(Config-Vlan-1)#exit
Switch(config)#ip dhcp pool A
Switch(dhcp-A-config)#network 10.16.1.0 24
Switch(dhcp-A-config)#lease 3
Switch(dhcp-A-config)#default-route 10.16.1.200 10.16.1.201
Switch(dhcp-A-config)#dns-server 10.16.1.202
Switch(dhcp-A-config)#netbios-name-server 10.16.1.209
Switch(dhcp-A-config)#netbios-node-type H-node
Switch(dhcp-A-config)#exit
Switch(config)#ip dhcp excluded-address 10.16.1.200 10.16.1.201
Switch(config)#ip dhcp pool B
Switch(dhcp-B-config)#network 10.16.2.0 24

Switch(dhcp-B-config)#lease 1
Switch(dhcp-B-config)#default-route 10.16.2.200 10.16.2.201
Switch(dhcp-B-config)#dns-server 10.16.2.202
Switch(dhcp-B-config)#option 72 ip 10.16.2.209
Switch(dhcp-B-config)#exit
Switch(config)#ip dhcp excluded-address 10.16.2.200 10.16.2.201
Switch(config)#ip dhcp pool A1
Switch(dhcp-A1-config)#host 10.16.1.210
Switch(dhcp-A1-config)#hardware-address 00-03-22-23-dc-ab
Switch(dhcp-A1-config)#exit
Usage Guide: When a DHCP/BOOTP client is connected to a VLAN1 port of the switch, the client can
only get an address from 10.16.1.0/24, not from 10.16.2.0/24. This is because, after forwarding
by the VLAN interface, the broadcast packet from the client requests an IP address in the same
segment as the VLAN interface; the VLAN interface IP address is 10.16.1.2/24, so the address
assigned to the client belongs to 10.16.1.0/24.
If the DHCP/BOOTP client is to receive an address in 10.16.2.0/24, the gateway that forwards the
client's broadcast packets must belong to 10.16.2.0/24, and connectivity between that client
gateway and the switch must be ensured for the client to obtain an IP address from the
10.16.2.0/24 address pool.
Scenario 2:

Figure 3-6 DHCP Relay Configuration (DHCP clients connect to E1/0/1 of the relay switch, whose
address towards the clients is 192.168.1.1; E1/0/2 with address 10.1.1.1 leads to the DHCP server
10.1.1.10)


As shown in the above figure, the routing switch is configured as a DHCP relay. The DHCP server
address is 10.1.1.10; the configuration steps are as follows:
Switch(config)#service dhcp
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#vlan 2


Switch(Config-Vlan-2)#exit
Switch(config)#interface Ethernet 1/0/2
Switch(Config-Ethernet1/0/2)#switchport access vlan 2
Switch(Config-Ethernet1/0/2)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 10.1.1.1 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(config)#ip forward-protocol udp bootps
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip helper-address 10.1.1.10
Switch(Config-if-Vlan1)#exit
Note: It is recommended to use the commands ip forward-protocol udp <port> and ip helper-address
<ipaddress> together. ip helper-address can only be configured on layer 3 interfaces and cannot
be configured directly on layer 2 ports.
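The four relay steps of 3.9.3 and the pool-selection rule from the Scenario 1 usage guide, modelled on the Scenario 2 topology (relay 192.168.1.1 on vlan1 towards the clients, 10.1.1.1 on vlan2 towards the server 10.1.1.10). This is an added Python example, not the switch's own code; the address pools, the client MAC, the interface names and the hop limit check are constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed Scenario 2 topology: clients behind vlan1 (192.168.1.1), server 10.1.1.10 via vlan2.
RELAY_INTERFACES = {"vlan1": IPv4Address("192.168.1.1"), "vlan2": IPv4Address("10.1.1.1")}
HELPER_ADDRESS = {"vlan1": IPv4Address("10.1.1.10")}   # "ip helper-address 10.1.1.10" on vlan1
SERVER_ADDRESS = IPv4Address("10.1.1.10")
BROADCAST = IPv4Address("255.255.255.255")

BOOTREQUEST, BOOTREPLY = 1, 2
# Fixed DHCP header up to chaddr (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr.  sname/file/options are carried along unchanged.
HDR = "!BBBBIHH4s4s4s4s16s"
HDR_LEN = struct.calcsize(HDR)   # 44 bytes


def make_pools():
    """Constructed address pools keyed by segment; the relay's segment gets its own pool."""
    return {IPv4Network("192.168.1.0/24"): [IPv4Address("192.168.1.10"), IPv4Address("192.168.1.11")],
            IPv4Network("10.1.1.0/24"): [IPv4Address("10.1.1.100")]}


def client_request(xid, mac):
    """DHCPDISCOVER/DHCPREQUEST as the client broadcasts it: hops and giaddr are zero."""
    return struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                       bytes(4), bytes(4), bytes(4), bytes(4), mac.ljust(16, b"\0"))


def relay_to_server(packet, ingress):
    """Relay step 1/3: returns (unicast destination, rewritten packet), or None if not relayed."""
    if ingress not in HELPER_ADDRESS:
        return None                       # no ip helper-address on this interface
    f = list(struct.unpack(HDR, packet[:HDR_LEN]))
    if f[0] != BOOTREQUEST or f[3] > 16:
        return None                       # only requests are relayed; RFC 1542 hop limit
    f[3] += 1                             # hops
    if f[10] == bytes(4):                 # giaddr is written by the first relay only
        f[10] = RELAY_INTERFACES[ingress].packed
    return HELPER_ADDRESS[ingress], struct.pack(HDR, *f) + packet[HDR_LEN:]


def server_reply(packet, pools):
    """Server step 2/4: the pool is the segment containing giaddr (the relay interface address)."""
    f = list(struct.unpack(HDR, packet[:HDR_LEN]))
    giaddr = IPv4Address(f[10])
    selector = giaddr if int(giaddr) else SERVER_ADDRESS   # giaddr 0: client on the server's own LAN
    free = next((addrs for net, addrs in pools.items() if selector in net), None)
    if not free:
        return None                       # no pool for that segment (or exhausted): no offer
    f[0], f[8], f[9] = BOOTREPLY, free.pop(0).packed, SERVER_ADDRESS.packed
    reply = struct.pack(HDR, *f) + packet[HDR_LEN:]
    return (giaddr if int(giaddr) else BROADCAST), reply   # unicast back to the relay


def relay_to_client(reply):
    """Relay side of steps 2/4: the client-facing interface is the one whose address equals giaddr."""
    giaddr = IPv4Address(struct.unpack(HDR, reply[:HDR_LEN])[10])
    return next((name for name, addr in RELAY_INTERFACES.items() if addr == giaddr), None)


def run_exchange(ingress="vlan1", pools=None):
    """One relayed DISCOVER/OFFER leg; returns (assigned address, egress interface) or None."""
    pools = pools if pools is not None else make_pools()
    request = client_request(0x3903F326, bytes.fromhex("00032223dcab"))   # MAC from Scenario 1
    relayed = relay_to_server(request, ingress)
    if relayed is None:
        return None
    answered = server_reply(relayed[1], pools)
    if answered is None:
        return None
    reply = answered[1]
    yiaddr = IPv4Address(struct.unpack(HDR, reply[:HDR_LEN])[8])
    return str(yiaddr), relay_to_client(reply)


if __name__ == "__main__":
    print(run_exchange())           # ('192.168.1.10', 'vlan1')
    print(run_exchange("vlan2"))    # None: no helper-address configured on vlan2
```

The server never sees the client's broadcast; it sees giaddr, and that is what selects the pool, which is why a client on VLAN1 in Scenario 1 can only draw from the VLAN interface's own segment.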
Scenario 3:

Figure 3-7 DHCP configuration example


As shown in the above figure, PC1 is a DHCP client that obtains its address through DHCP. Switch1
is a layer 2 access device with the DHCP Relay and option 82 functions enabled; Ethernet1/0/2 is an
access port in vlan3, and Ethernet1/0/3 is a trunk port connected to the DHCP server, whose
address is 192.168.40.199. Switch1 creates vlan1 and interface vlan1, configures the IP address of
interface vlan1 as 192.168.40.50, configures the DHCP relay forwarding address as 192.168.40.199,
and configures vlan3 as a sub-vlan of vlan1. The configuration is as follows:
switch(config)#vlan 1
switch(Config-Vlan-1)#exit
switch(config)#vlan 3
switch(Config-Vlan-3)#exit
switch(config)#interface ethernet 1/0/2
switch(Config-If-Ethernet1/0/2)#switchport access vlan 3
switch(Config-If-Ethernet1/0/2)#exit
switch(config)#interface ethernet 1/0/3
switch(Config-If-Ethernet1/0/3)#switchport mode trunk
switch(Config-If-Ethernet1/0/3)#exit
switch(config)#service dhcp
switch(config)#ip forward-protocol udp bootps
switch(config)#ip dhcp relay information option
switch(config)#ip dhcp relay share-vlan 1 sub-vlan 3


switch(config)#interface vlan 1
switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0
switch(config-if-vlan1)#ip helper-address 192.168.40.199

3.9.5 DHCP Troubleshooting


If DHCP clients cannot obtain IP addresses and other network parameters, and the client hardware
and cables have been verified, follow these procedures:
• Verify that the DHCP server is running; start the related DHCP service if it is not.
• Check the DHCP server for an address pool in the same segment as the switch VLAN, and add such
a pool if it is not present. (This does not mean that the switch cannot assign IP addresses for
different segments; see solution 2 for details.)
• In the DHCP service, pools for dynamic IP allocation and for manual binding conflict: if both
the "network-address" and "host" commands are run for a pool, only one of them takes effect.
Furthermore, in manual binding only one IP-MAC binding can be configured per pool; if multiple
bindings are required, create multiple manual pools and set one IP-MAC binding in each. A new
configuration in the same pool overwrites the previous one.

3.10 DHCP option 82

3.10.1 Introduction to DHCP option 82


DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is
aimed at strengthening the security of DHCP servers and improving the IP address configuration
policy. The Relay Agent adds option 82 (including the client's physical access port, the access
device ID and other information) to the DHCP request message from the client and then forwards
the message to the DHCP server. When a DHCP server that supports the option 82 function receives
the message, it allocates an IP address and other configuration information for the client
according to its preconfigured policies and the option 82 information in the message. At the same
time, the DHCP server can identify possible DHCP attack messages from the information in option 82
and defend against them. The DHCP Relay Agent peels option 82 from the reply messages it receives
and, according to the physical port information in the option, forwards the reply message to the
specified port of the network access device. The application of DHCP option 82 is transparent to
the client.

3.10.1.1 DHCP option 82 Message Structure


A DHCP message can have several option segments; option 82 is one of them. It has to be
placed after other options but before option 255. The following is its format:


Code: the option code of the relay agent information option; RFC 3046 assigns it the value 82,
which is why it is called option 82.
Len: the number of bytes in the Agent Information Field, not including the two bytes of the Code
and Len fields.

Option 82 can carry several sub-options and needs at least one. RFC 3046 defines the following
two sub-options, whose format is shown below:

SubOpt: the sub-option code; the Circuit ID sub-option has code 1 and the Remote ID sub-option
has code 2.
Len: the number of bytes in the sub-option value, not including the two bytes of the SubOpt and
Len fields.

3.10.1.2 option 82 Working Mechanism


Figure 3-8 DHCP option 82 flow chart (the DHCP client's DHCP Request is forwarded by the DHCP
Relay Agent to the DHCP Server with option 82 added; the server's DHCP Reply carries option 82
back to the relay agent, which removes it before delivering the reply to the client)


If the DHCP Relay Agent supports option 82, the DHCP client still goes through the usual four
steps to get its IP address from the DHCP server: discover, offer, select and acknowledge. The
procedure is as follows:
1) The DHCP client sends a broadcast request message while initializing. This request message
does not have option 82.


2) The DHCP Relay Agent adds option 82 to the end of the request message it receives, then
relays the message to the DHCP server. By default, sub-option 1 of option 82 (Circuit ID) is the
interface information of the switch port connected to the DHCP client (VLAN name and physical
port name), but users can configure the Circuit ID as they wish. Sub-option 2 of option 82
(Remote ID) is the MAC address of the DHCP relay device.
3) After receiving the DHCP request message, the DHCP server allocates an IP address and other
information for the client according to the information in the option segment of the message and
its preconfigured policy. It then returns a reply message carrying the DHCP configuration
information and the option 82 information to the DHCP Relay Agent.
4) The DHCP Relay Agent peels the option 82 information from the reply message sent by the DHCP
server and forwards the message with the DHCP configuration information to the DHCP client.

3.10.2 DHCP option 82 Configuration Task List


1. Enabling the DHCP option 82 of the Relay Agent
2. Configure the DHCP option 82 attributes of the interface
3. Enable the DHCP option 82 of server
4. Configure DHCP option 82 default format of Relay Agent
5. Configure delimiter
6. Configure creation method of option82
7. Diagnose and maintain DHCP option 82

1. Enabling the DHCP option 82 of the Relay Agent.

Command                                      Explanation
Global mode
ip dhcp relay information option             Enable the option 82 function of the switch Relay
no ip dhcp relay information option          Agent. The "no ip dhcp relay information option"
                                             command disables the option 82 function of the
                                             switch Relay Agent.

2. Configure the DHCP option 82 attributes of the interface


Command                                      Explanation
Interface configuration mode
ip dhcp relay information policy {drop |     Set the retransmitting policy of the system for a
keep | replace}                              received DHCP request message that already contains
no ip dhcp relay information policy          option 82. drop: the message is dropped without
                                             processing; keep: the original option 82 segment is
                                             kept in the message, which is forwarded to the
                                             server; replace: the existing option 82 segment is
                                             replaced with the system's own option 82 and the
                                             message is forwarded to the server. The "no ip dhcp
                                             relay information policy" command sets the
                                             retransmitting policy for option 82 DHCP messages
                                             back to "replace".
ip dhcp relay information option             Set the format of the option 82 sub-option 1
subscriber-id {standard | <circuit-id>}      (Circuit ID) added to DHCP request messages from
no ip dhcp relay information option          the interface. standard means the standard VLAN
subscriber-id                                name and physical port name format, such as
                                             "Vlan2+Ethernet1/0/12"; <circuit-id> is a
                                             user-specified circuit-id string of no more than 64
                                             characters. The "no ip dhcp relay information
                                             option subscriber-id" command sets the format of
                                             the added sub-option 1 (Circuit ID) back to
                                             standard.
Global Mode
ip dhcp relay information option remote-id   Set the content of sub-option 2 (Remote ID) of the
{standard | <remote-id>}                     option 82 added to DHCP request packets received by
no ip dhcp relay information option          the interface. The no command sets the format of
remote-id                                    the added sub-option 2 (Remote ID) back to standard.
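A worked example of the option 82 layout from 3.10.1.1, the relay agent's insert and peel steps from 3.10.1.2, the drop/keep/replace policy of the ip dhcp relay information policy command above, and a server-side pool choice of the kind the dhcpd classes in 3.10.3 express. This is added Python code, not the switch's or ISC dhcpd's implementation; it works on the DHCP options field only (the bytes after the magic cookie), and the client options, the pool names and the class table are constructed.

```python
# Option 82 (RFC 3046) encode/decode plus the relay and server steps around it.
OPTION_PAD, OPTION_END = 0, 255
OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2     # sub-option codes from RFC 3046


def parse_tlv(blob, terminated):
    """Walk code/len/value triples.  The DHCP options field is terminated by option 255 and
    may contain pad bytes (0); the option 82 payload is not terminated, its sub-options fill Len."""
    items, i = [], 0
    while i < len(blob):
        code = blob[i]
        if terminated and code == OPTION_END:
            break
        if terminated and code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("item with code %d runs past the end of the buffer" % code)
        items.append((code, blob[i + 2:i + 2 + blob[i + 1]]))
        i += 2 + blob[i + 1]
    return items


def parse_options(blob):
    """Options in order as (code, value) pairs, stopping at option 255."""
    return parse_tlv(blob, terminated=True)


def build_options(items):
    """Serialise (code, value) pairs and terminate with option 255."""
    return b"".join(bytes([code, len(value)]) + value for code, value in items) + bytes([OPTION_END])


def encode_option82(circuit_id, remote_id):
    """Agent Information Field: SubOpt 1 (Circuit ID) then SubOpt 2 (Remote ID), each code/len/value."""
    payload = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
               + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(payload) > 255:
        raise ValueError("option 82 payload does not fit the one-byte Len field")
    return payload


def parse_option82(payload):
    """Return {sub-option code: value}; option 82 must carry at least one sub-option."""
    subs = dict(parse_tlv(payload, terminated=False))
    if not subs:
        raise ValueError("option 82 without sub-options")
    return subs


def relay_add_option82(options, circuit_id, remote_id, policy="replace"):
    """Relay step 2: append option 82 after the other options and before option 255.
    policy says what to do when the request already carries option 82 (the
    "ip dhcp relay information policy" command): drop it, keep the existing one, or replace it."""
    items = parse_options(options)
    if any(code == OPTION_RELAY_AGENT for code, _ in items):
        if policy == "drop":
            return None
        if policy == "keep":
            return build_options(items)
        items = [(code, value) for code, value in items if code != OPTION_RELAY_AGENT]
    items.append((OPTION_RELAY_AGENT, encode_option82(circuit_id, remote_id)))
    return build_options(items)


def relay_peel_option82(options):
    """Relay step 4: strip option 82 from the server's reply before it reaches the client."""
    return build_options([(c, v) for c, v in parse_options(options) if c != OPTION_RELAY_AGENT])


def server_select_pool(options, classes):
    """Server step 3: choose the pool by (circuit-id, remote-id), the same match the dhcpd
    classes in 3.10.3 make; None means no class matched and the client gets no pool."""
    for code, value in parse_options(options):
        if code == OPTION_RELAY_AGENT:
            subs = parse_option82(value)
            key = (subs.get(SUBOPT_CIRCUIT_ID, b"").decode("ascii", "replace"),
                   subs.get(SUBOPT_REMOTE_ID, b"").hex(":"))
            return classes.get(key)
    return None


# Constructed from the 3.10.3 example: Switch3's MAC and the two circuit IDs select two pools.
RELAY_MAC = bytes.fromhex("00030f023301")
CLASSES = {("Vlan2+Ethernet1/0/2", "00:03:0f:02:33:01"): "192.168.102.21-50",
           ("Vlan2+Ethernet1/0/3", "00:03:0f:02:33:01"): "192.168.102.51-80"}


def demo():
    """Round trip for a client behind Ethernet1/0/2 of Vlan2: returns the pool the server picks
    and the option bytes the client finally sees (option 82 removed again)."""
    client_request = build_options([(53, b"\x01"), (55, bytes([1, 3, 6]))])   # DHCPDISCOVER
    relayed = relay_add_option82(client_request, b"Vlan2+Ethernet1/0/2", RELAY_MAC)
    pool = server_select_pool(relayed, CLASSES)
    # The server echoes option 82 in its DHCPOFFER (53=2, 54=server id); the relay peels it.
    server_reply = build_options([(53, b"\x02"), (54, bytes([192, 168, 102, 2])),
                                  (82, encode_option82(b"Vlan2+Ethernet1/0/2", RELAY_MAC))])
    return pool, relay_peel_option82(server_reply)


if __name__ == "__main__":
    pool, client_sees = demo()
    print(pool, client_sees.hex())   # 192.168.102.21-50 3501023604c0a86602ff
```

With policy "keep", a request that already carries option 82 (for instance from another relay agent, the case the option 82 troubleshooting notes mention) passes through untouched, so the server then trusts whatever circuit-id and remote-id that upstream device inserted; "replace" is the default for that reason.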

3. Enable the DHCP option 82 of server.


Command                                      Explanation
Global mode
ip dhcp server relay information enable      Enable the switch DHCP server to identify option
no ip dhcp server relay information enable   82. The "no ip dhcp server relay information
                                             enable" command makes the server ignore option 82.

4. Configure DHCP option 82 default format of Relay Agent


Command                                      Explanation
Global mode
ip dhcp relay information option             Set the subscriber-id format of the Relay Agent
subscriber-id format {hex | acsii | vs-hp}   option 82.
ip dhcp relay information option remote-id   Set the remote-id format of the Relay Agent
format {default | vs-hp}                     option 82.

5. Configure delimiter
Command                                      Explanation
Global mode
ip dhcp relay information option delimiter   Set the delimiter between the parameters of an
[colon | dot | slash | space]                option 82 sub-option in global mode; the no
no ip dhcp relay information option          command restores the delimiter to slash.
delimiter

6. Configure creation method of option82


Command                                      Explanation
Global mode
ip dhcp relay information option             Set the creation method for option 82: users can
self-defined remote-id {hostname | mac |     define the parameters of the remote-id sub-option
string WORD}                                 themselves.
no ip dhcp relay information option
self-defined remote-id
ip dhcp relay information option             Set the self-defined format of the remote-id for
self-defined remote-id format [ascii | hex]  relay option 82.
ip dhcp relay information option             Set the creation method for option 82: users can
self-defined subscriber-id {vlan | port | id define the parameters of the circuit-id sub-option
(switch-id (mac | hostname)| remote-mac)|    themselves.
string WORD }
no ip dhcp relay information option
self-defined subscriber-id
ip dhcp relay information option             Set the self-defined format of the circuit-id for
self-defined subscriber-id format [ascii |   relay option 82.
hex]

7. Diagnose and maintain DHCP option 82

Command                                      Explanation
Admin mode
show ip dhcp relay information option        Display the state of DHCP option 82 in the system,
                                             including whether option 82 is enabled, the
                                             interface retransmitting policy, the circuit ID
                                             mode and whether the DHCP server option 82 function
                                             is enabled.
debug ip dhcp relay packet                   Display the data packet processing of the DHCP
                                             Relay Agent, including the "add" and "peel" actions
                                             for option 82.

3.10.3 DHCP option 82 Application Examples

Figure 3-9 A DHCP option 82 typical application example (DHCP clients PC1 and PC2 connect through
the layer 2 switches Switch1 and Switch2 to Switch3, the DHCP Relay Agent, on its Vlan2 ports
ethernet1/0/2 and ethernet1/0/3; the DHCP Server is reached through Vlan3)


In the above example, the layer 2 switches Switch1 and Switch2 are both connected to the layer 3
switch Switch3. As DHCP Relay Agent, Switch3 transmits the request messages from the DHCP clients
to the DHCP server and the reply messages from the server back to the DHCP clients to complete
the DHCP protocol procedure. If DHCP option 82 is disabled, the DHCP server cannot tell whether a
DHCP client comes from the network connected to Switch1 or the one connected to Switch2, so all
PC terminals connected to Switch1 and Switch2 get addresses from the DHCP server's common
address pool. After the DHCP option 82 function is enabled, Switch3 appends the information of
the port through which the client reaches Switch3 to the request message, so the server can tell
whether the client is from the network of Switch1 or Switch2 and can allocate separate address
spaces to the two networks, which simplifies network management.

The following is the configuration of Switch3(MAC address is 00:03:0f:02:33:01):


Switch3(Config)#service dhcp
Switch3(Config)#ip dhcp relay information option
Switch3(Config)#ip forward-protocol udp bootps
Switch3(Config)#interface vlan 3
Switch3(Config-if-vlan3)#ip address 192.168.10.222 255.255.255.0
Switch3(Config-if-vlan3)#exit
Switch3(Config)#interface vlan 2
Switch3(Config-if-vlan2)#ip address 192.168.102.2 255.255.255.0
Switch3(Config-if-vlan2)#ip helper-address 192.168.10.88

The Linux ISC DHCP server supports option 82; its configuration file /etc/dhcpd.conf is:
ddns-update-style interim;
ignore client-updates;

class "Switch3Vlan2Class1" {
match if option agent.circuit-id = "Vlan2+Ethernet1/0/2" and option
agent.remote-id=00:03:0f:02:33:01;
}

class "Switch3Vlan2Class2" {
match if option agent.circuit-id = "Vlan2+Ethernet1/0/3" and option
agent.remote-id=00:03:0f:02:33:01;
}

subnet 192.168.102.0 netmask 255.255.255.0 {


option routers 192.168.102.2;
option subnet-mask 255.255.255.0;
option domain-name "example.com.cn";
option domain-name-servers 192.168.10.3;
authoritative;

pool {
range 192.168.102.21 192.168.102.50;
default-lease-time 86400; #24 Hours
max-lease-time 172800; #48 Hours
allow members of "Switch3Vlan2Class1";
}
pool {
range 192.168.102.51 192.168.102.80;
default-lease-time 43200; #12 Hours
max-lease-time 86400; #24 Hours
allow members of "Switch3Vlan2Class2";
}
}

Now the DHCP server allocates addresses for the network nodes from Switch1, relayed by Switch3,
within the range 192.168.102.21 ~ 192.168.102.50, and addresses for the network nodes from
Switch2 within the range 192.168.102.51 ~ 192.168.102.80.

3.10.4 DHCP option 82 Troubleshooting


• DHCP option 82 is implemented as a sub-function module of the DHCP Relay Agent. Before using
it, users should make sure that the DHCP Relay Agent is configured correctly.
• DHCP option 82 needs the DHCP Relay Agent and the DHCP server to cooperate in allocating IP
addresses. The DHCP server must set its allocation policy correctly for the network topology of
the DHCP Relay Agent; otherwise, even if the Relay Agent operates normally, address allocation
will fail. When there is more than one kind of Relay Agent, pay attention to the retransmitting
policy for DHCP request messages on the interface.
• When working on the option 82 function of the DHCP Relay Agent, the "debug dhcp relay packet"
command can be used during operation to show the option 82 contents being added, the
retransmitting policy adopted, the option 82 contents of the server reply peeled by the Relay
Agent and so on; this information helps users troubleshoot.
• When working on the option 82 function of the DHCP server, the "debug ip dhcp server packet"
command can be used during operation to display the server's processing of data packets,
including the option 82 information identified in the request message and the option 82
information returned in the reply message.

3.11 DHCP Snooping

3.11.1 Introduction to DHCP Snooping


DHCP Snooping means that the switch monitors the process by which a DHCP client obtains an IP
address via the DHCP protocol. It prevents DHCP attacks and illegal DHCP servers by means of
trusted and untrusted ports: DHCP messages from trusted ports are forwarded without being
verified. In typical settings, trusted ports connect to the DHCP server or DHCP relay, and
untrusted ports connect to DHCP clients. The switch forwards DHCP request messages from
untrusted ports, but not DHCP reply messages. If a DHCP reply message is received on an untrusted
port, the switch raises an alarm and also applies the action configured for the port, such as
"shutdown" or placing the source in a "blackhole". If DHCP Snooping binding is enabled, the
switch saves the binding information (MAC address, IP address, IP lease, VLAN number and port
number) of each DHCP client on an untrusted port in the DHCP snooping binding table. With this
information, DHCP Snooping can work together with modules such as dot1x and ARP, or implement
user access control on its own.

Defense against fake DHCP servers: once the switch intercepts DHCP server reply packets
(DHCPOFFER, DHCPACK or DHCPNAK) on an untrusted port, it raises an alarm and responds according
to the configuration (shuts down the port or blackholes the source).
Defense against DHCP overload attacks: to prevent excessive DHCP messages from overloading the
CPU, users should limit the rate at which DHCP packets are received on trusted and untrusted
ports.
Recording DHCP binding data: DHCP snooping records the binding data allocated by the DHCP server
while forwarding DHCP messages, and can also upload the binding data to a specified server for
backup. The binding data is mainly used to configure the dynamic users of dot1x user-based ports;
refer to the chapter "dot1x configuration" for more about the usage of dot1x user-based mode.
Adding binding ARP: after capturing binding data, DHCP snooping can add static ARP entries
according to it, which prevents ARP spoofing.
Adding trusted users: after capturing binding data, DHCP snooping can add trusted user list
entries according to the parameters in it, so that these users can access all resources without
dot1x authentication.
Automatic recovery: a while after the switch shuts down a port or blackholes a source MAC, it
automatically restores communication for the port or source MAC and reports this to the log
server via syslog.
Log function: when the switch discovers abnormal received packets or recovers automatically, it
sends syslog information to the log server.
Encryption of private messages: the communication between the switch and the internal network
security management system TrustView uses private messages, and users can encrypt version 2 of
those messages.
Adding authentication option 82: used with the dot1x dhcpoption82 authentication mode; a
different option 82 is added to DHCP messages according to the user's authentication status.

3.11.2 DHCP Snooping Configuration Task Sequence


1. Enable DHCP Snooping
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping option82 function
4. Set the private packet version
5. Set DES encrypted key for private packets
6. Set helper server address
7. Set trusted ports
8. Enable DHCP Snooping binding DOT1X function
9. Enable DHCP Snooping binding USER function
10. Adding static list entries function
11. Set defense actions
12. Set rate limitation of DHCP messages
13. Enable the debug switch
14. Configure DHCP Snooping option 82 attributes

1. Enable DHCP Snooping

Command                                      Explanation
Global mode
ip dhcp snooping enable                      Enable or disable the DHCP snooping function.
no ip dhcp snooping enable

2. Enable DHCP Snooping binding

Command                                      Explanation
Global mode
ip dhcp snooping binding enable              Enable or disable the DHCP snooping binding
no ip dhcp snooping binding enable           function.

3. Enable DHCP Snooping binding ARP function

Command                                      Explanation
Global mode
ip dhcp snooping binding arp                 This command is not supported by the switch.
no ip dhcp snooping binding arp

4. Enable DHCP Snooping option82 function

Command                                      Explanation
Global mode
ip dhcp snooping information enable          Enable or disable the DHCP Snooping option 82
no ip dhcp snooping information enable       function.

5. Set the private packet version

Command                                      Explanation
Global mode
ip user private packet version two           Configure or delete the private packet version.
no ip user private packet version two

6. Set DES encrypted key for private packets

Command                                      Explanation
Global mode
enable trustview key 0/7 <password>          Configure or delete the DES encryption key for
no enable trustview key                      private packets.

7. Set helper server address

Command                                      Explanation
Global mode
ip user helper-address A.B.C.D [port         Set or delete the helper server address.
<udpport>] source <ipAddr> (secondary|)
no ip user helper-address (secondary|)

8. Set trusted ports

Command                                      Explanation
Port mode
ip dhcp snooping trust                       Set or delete the DHCP snooping trust attribute of
no ip dhcp snooping trust                    a port.

9. Enable DHCP SNOOPING binding DOT1X function

Command                                      Explanation
Port mode
ip dhcp snooping binding dot1x               Enable or disable the DHCP snooping binding dot1x
no ip dhcp snooping binding dot1x            function.

10. Enable or disable the DHCP SNOOPING binding USER function

Command                                      Explanation
Port mode
ip dhcp snooping binding user-control        Enable or disable the DHCP snooping binding user
no ip dhcp snooping binding user-control     function.

11. Add static binding information

Command                                      Explanation
Global mode
ip dhcp snooping binding user <mac>          Add or delete DHCP snooping static binding list
address <ipAddr> interface (ethernet|)       entries.
<ifname>
no ip dhcp snooping binding user <mac>
interface (ethernet|) <ifname>

12. Set defense actions

Command                                      Explanation
Port mode
ip dhcp snooping action                      Set or delete the automatic DHCP snooping defense
{shutdown|blackhole} [recovery <second>]     action of a port.
no ip dhcp snooping action

13. Set rate limitation of data transmission

Command                                      Explanation
Global mode
ip dhcp snooping limit-rate <pps>            Set the rate limit for DHCP snooping messages.
no ip dhcp snooping limit-rate


14. Enable the debug switch

Command                                      Explanation
Admin mode
debug ip dhcp snooping packet                Refer to the chapter on system troubleshooting.
debug ip dhcp snooping event
debug ip dhcp snooping update
debug ip dhcp snooping binding

15. Configure DHCP Snooping option 82 attributes

Command                                      Explanation
Global mode
ip dhcp snooping information option          Set the subscriber-id format of DHCP snooping
subscriber-id format {hex | acsii | vs-hp}   option 82.
ip dhcp snooping information option          Set the content of sub-option 2 (Remote ID) of the
remote-id {standard | <remote-id>}           option 82 added to DHCP request packets received
no ip dhcp snooping information option       by the port. The no command sets the format of the
remote-id                                    added sub-option 2 (Remote ID) back to standard.
ip dhcp snooping information option          Set the delimiter between the parameters of an
delimiter [colon | dot | slash | space]      option 82 sub-option in global mode; the no
no ip dhcp snooping information option       command restores the delimiter to slash.
delimiter
ip dhcp snooping information option          Set the creation method for option 82: users can
self-defined remote-id {hostname | mac |     define the parameters of the remote-id sub-option
string WORD}                                 themselves.
no ip dhcp snooping information option
self-defined remote-id
ip dhcp snooping information option          Set the self-defined format of the remote-id for
self-defined remote-id format [ascii | hex]  snooping option 82.
ip dhcp snooping information option          Set the creation method for option 82: users can
self-defined subscriber-id {vlan | port | id define the parameters of the circuit-id sub-option
(switch-id (mac | hostname)| remote-mac) |   themselves.
string WORD}
no ip dhcp snooping information option type
self-defined subscriber-id
ip dhcp snooping information option          Set the self-defined format of the circuit-id for
self-defined subscriber-id format [ascii |   snooping option 82.
hex]
Port mode
ip dhcp snooping information option          Set the content of sub-option 1 (Circuit ID) of the
subscriber-id {standard | <circuit-id>}      option 82 added to DHCP request packets received
no ip dhcp snooping information option       by the port. The no command sets the format of the
subscriber-id                                added sub-option 1 (Circuit ID) back to standard.

Command                                      Explanation
Global mode
ip dhcp snooping information option          Allow untrusted DHCP snooping ports to receive
allow-untrusted (replace|)                   DHCP packets carrying option 82. When "replace" is
no ip dhcp snooping information option       set, the option 82 is allowed to be replaced. When
allow-untrusted (replace|)                   this command is disabled, all untrusted ports drop
                                             DHCP packets carrying option 82.

3.11.3 DHCP Snooping Typical Application

Figure 3-10 Sketch Map of TRUNK

As shown in the above chart, the Mac-AA device is a normal user connected to untrusted port
1/0/1 of the switch; it runs a DHCP client and has IP address 1.1.1.5. The DHCP server and the
gateway are connected to trusted ports 1/0/11 and 1/0/12 of the switch. The malicious user
Mac-BB is connected to untrusted port 1/0/10 and tries to impersonate a DHCP server (by sending
DHCPACK). Configuring DHCP Snooping on the switch effectively detects and blocks this kind of
network attack.
Configuration sequence is:
switch#
switch#config
switch(config)#ip dhcp snooping enable
switch(config)#interface ethernet 1/0/11


switch(Config-Ethernet1/0/11)#ip dhcp snooping trust


switch(Config-Ethernet1/0/11)#exit
switch(config)#interface ethernet 1/0/12
switch(Config-Ethernet1/0/12)#ip dhcp snooping trust
switch(Config-Ethernet1/0/12)#exit
switch(config)#interface ethernet 1/0/1-10
switch(Config-Port-Range)#ip dhcp snooping action shutdown
switch(Config-Port-Range)#
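A model of the snooping decisions described in 3.11.1, configured the way the example above configures the switch (trusted ports 1/0/11 and 1/0/12, action shutdown on 1/0/1-10), replayed against the Mac-AA/Mac-BB scenario. This is an added Python example, not the switch's code: the message type values are the option 53 codes from RFC 2132, while the port names, MAC addresses, the 1.1.1.5 lease, the rate-limit demonstration and the log wording are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6    # DHCP message types (option 53)
SERVER_REPLIES = {OFFER, ACK, NAK}                    # legitimate only from a server or relay


@dataclass
class Packet:
    port: str            # ingress port of the switch
    src_mac: str         # source MAC of the frame
    chaddr: str          # client hardware address in the DHCP header
    msg_type: int        # option 53
    yiaddr: str = ""     # address handed out (OFFER/ACK)
    lease: int = 0       # seconds (ACK)
    vlan: int = 1


@dataclass
class SnoopingSwitch:
    trusted: set                       # ports with "ip dhcp snooping trust"
    action: dict                       # port -> "shutdown" | "blackhole" ("ip dhcp snooping action")
    limit_rate: int = 0                # packets per second per port, 0 = no limit
    bindings: dict = field(default_factory=dict)       # chaddr -> (ip, lease, vlan, port)
    shut_ports: set = field(default_factory=set)
    blackholed: set = field(default_factory=set)       # source MACs blocked
    log: list = field(default_factory=list)
    _client_ports: dict = field(default_factory=dict)  # chaddr -> (port, vlan) seen on untrusted ports
    _counts: dict = field(default_factory=lambda: defaultdict(int))

    def handle(self, pkt, second=0):
        """Decide 'forward' or 'drop' for one DHCP packet and apply the side effects the text
        describes: alarm plus defense action, binding table entry, rate limit."""
        if pkt.port in self.shut_ports or pkt.src_mac in self.blackholed:
            return "drop"                               # port already shut / MAC blackholed
        if self.limit_rate:
            self._counts[(pkt.port, second)] += 1
            if self._counts[(pkt.port, second)] > self.limit_rate:
                self.log.append("DHCP rate limit exceeded on %s" % pkt.port)
                return "drop"
        if pkt.port in self.trusted:
            # Trusted port: forwarded without verification.  An ACK for a client first seen on
            # an untrusted port is what populates the binding table.
            if pkt.msg_type == ACK and pkt.chaddr in self._client_ports:
                port, vlan = self._client_ports[pkt.chaddr]
                self.bindings[pkt.chaddr] = (pkt.yiaddr, pkt.lease, vlan, port)
            return "forward"
        if pkt.msg_type in SERVER_REPLIES:
            # A server reply on an untrusted port means a fake DHCP server: alarm, then act.
            act = self.action.get(pkt.port)
            self.log.append("fake DHCP server %s on %s, action %s" % (pkt.src_mac, pkt.port, act))
            if act == "shutdown":
                self.shut_ports.add(pkt.port)
            elif act == "blackhole":
                self.blackholed.add(pkt.src_mac)
            return "drop"
        self._client_ports[pkt.chaddr] = (pkt.port, pkt.vlan)   # client request: remember its port
        return "forward"


def scenario():
    """Replay the topology above: Mac-AA leases 1.1.1.5 through trusted port 1/0/11, then
    Mac-BB on untrusted port 1/0/10 injects a DHCPACK.  Returns (switch, decisions)."""
    sw = SnoopingSwitch(trusted={"Ethernet1/0/11", "Ethernet1/0/12"},
                        action={"Ethernet1/0/%d" % i: "shutdown" for i in range(1, 11)})
    aa, bb, server = "00:aa:aa:aa:aa:aa", "00:bb:bb:bb:bb:bb", "00:cc:cc:cc:cc:cc"
    decisions = [
        sw.handle(Packet("Ethernet1/0/1", aa, aa, DISCOVER)),
        sw.handle(Packet("Ethernet1/0/11", server, aa, OFFER, "1.1.1.5")),
        sw.handle(Packet("Ethernet1/0/1", aa, aa, REQUEST)),
        sw.handle(Packet("Ethernet1/0/11", server, aa, ACK, "1.1.1.5", 86400)),
        sw.handle(Packet("Ethernet1/0/10", bb, aa, ACK, "1.1.1.99", 86400)),   # forged reply
        sw.handle(Packet("Ethernet1/0/10", bb, bb, DISCOVER)),                 # port is now shut
    ]
    return sw, decisions


def rate_limit_demo(limit=2):
    """Three DISCOVERs in one second on an untrusted port with limit-rate 2: the third is dropped."""
    sw = SnoopingSwitch(trusted=set(), action={}, limit_rate=limit)
    mac = "00:dd:dd:dd:dd:dd"
    return [sw.handle(Packet("Ethernet1/0/5", mac, mac, DISCOVER), second=7) for _ in range(3)]


if __name__ == "__main__":
    switch, decisions = scenario()
    print(decisions)          # ['forward', 'forward', 'forward', 'forward', 'drop', 'drop']
    print(switch.bindings)    # {'00:aa:aa:aa:aa:aa': ('1.1.1.5', 86400, 1, 'Ethernet1/0/1')}
    print(switch.log)
```

The binding entry is created only from an ACK that arrived on a trusted port, so the forged ACK from Mac-BB never reaches the table even though it names the same client; the entry's port and VLAN come from where the client's own request was seen, which is what dot1x and ARP checks later rely on.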

3.11.4 DHCP Snooping Troubleshooting Help

3.11.4.1 Monitor and Debug Information


The “debug ip dhcp snooping” command can be used to monitor the debug information.

3.11.4.2 DHCP Snooping Troubleshooting Help


If a problem occurs when using the DHCP Snooping function, check whether it is caused by one of
the following:
• Check whether DHCP Snooping is enabled globally;
• If the port does not react to invalid DHCP server packets, check whether the port is set as an
untrusted port of DHCP Snooping.

3.12 DHCP Snooping option 82

3.12.1 Introduction to DHCP Snooping option 82


DHCP option 82 is the Relay Agent Information Option; its option code is 82. DHCP option 82 is
aimed at strengthening the security of DHCP servers and improving the IP address configuration
policy. When the switch receives a DHCP request packet (DHCPDISCOVER, DHCPREQUEST, DHCPINFORM or
DHCPRELEASE), DHCP snooping adds option 82 (including the client's physical access port, the
access device ID and other information) to the request message from the client and then forwards
the message to the DHCP server. When a DHCP server that supports the option 82 function receives
the message, it allocates an IP address and other configuration information for the client
according to its preconfigured policies and the option 82 information in the message. At the same
time, the DHCP server can identify possible DHCP attack messages from the information in option 82
and defend against them. DHCP snooping peels option 82 from the reply messages it receives and
forwards the reply message to the specified port of the network access device. The application of
DHCP option 82 is transparent to the client.

3.12.1.1 DHCP option 82 Message Structure


A DHCP message can carry several option segments; option 82 is one of them. It has to be placed after the other options but before option 255 (End). Its fields are Code, Len and the Agent Information Field:

Code: the option number of the Relay Agent Information Option; it is called option 82 because RFC 3046 assigns it the code 82.
Len: the number of bytes in the Agent Information Field, not including the two bytes of the Code and Len fields.

Option 82 can carry several sub-options and needs at least one. RFC 3046 defines the following two sub-options, each with the fields SubOpt, Len and Sub-option Value:

SubOpt: the sub-option number; the Circuit ID sub-option is 1 and the Remote ID sub-option is 2.
Len: the number of bytes in the Sub-option Value, not including the two bytes of the SubOpt and Len fields.

3.12.1.2 DHCP Snooping option 82 Working Mechanism

Figure 3-11 DHCP option 82 flow chart (DHCP Client <-> DHCP SNOOPING <-> DHCP Server: DHCP Request; DHCP Request with Option 82; DHCP Reply with Option 82; DHCP Reply)


If DHCP SNOOPING supports option 82, the DHCP client goes through the following four steps to get its IP address from the DHCP server: discover, offer, select and acknowledge. The procedure is:
1) The DHCP client broadcasts a request message while initializing. This request message does not carry option 82.
2) DHCP SNOOPING adds option 82 to the end of the request message it receives and performs layer 2 forwarding. By default, sub-option 1 of option 82 (Circuit ID) is the interface information of the switch port connected to the DHCP client (VLAN name and physical port name), and sub-option 2 of option 82 (Remote ID) is the CPU MAC address of the switch.
3) After receiving the DHCP request message, the DHCP server allocates an IP address and other information for the client according to the option 82 information in the message and its preconfigured policy. It then sends the reply message, carrying the DHCP configuration information and the option 82 information, back to DHCP SNOOPING.
4) DHCP SNOOPING peels the option 82 information from the reply message sent by the DHCP server and performs layer 2 forwarding of the message carrying the DHCP configuration information.
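The option 82 handling of steps 2 and 4, and the Code/Len/Value layout from 3.12.1.1, as an added example that is not the S4600's own code; the option lists, the circuit ID and the MAC are constructed to mirror the figures in this section.

```python
# Added example, not S4600 firmware code: build, insert and peel the DHCP
# option 82 described in 3.12.1.1 and 3.12.1.2. The option lists below are
# constructed; a real packet would carry them after the fixed BOOTP header.
OPT_PAD, OPT_AGENT_INFO, OPT_END = 0, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def iter_tlv(blob: bytes):
    """Yield (code, value) for a Code/Len/Value list. Pads are skipped and
    option 255 ends the walk; sub-options use the same layout without 255."""
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option code without length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        yield code, value
        i += 2 + length


def encode_tlv(code: int, value: bytes) -> bytes:
    """One Code/Len/Value element; Len excludes the two header bytes."""
    if len(value) > 255:
        raise ValueError("option value longer than 255 bytes")
    return bytes([code, len(value)]) + value


def build_option82(circuit_id: str, remote_mac: str) -> bytes:
    """Sub-option 1 (Circuit ID: VLAN name + port name) and sub-option 2
    (Remote ID: the switch CPU MAC), the defaults named in step 2."""
    mac = bytes.fromhex(remote_mac.replace(":", "").replace("-", ""))
    subs = encode_tlv(SUBOPT_CIRCUIT_ID, circuit_id.encode())
    subs += encode_tlv(SUBOPT_REMOTE_ID, mac)
    return encode_tlv(OPT_AGENT_INFO, subs)


def insert_option82(options: bytes, circuit_id: str, remote_mac: str) -> bytes:
    """Step 2: append option 82 after the other options but before option 255."""
    parsed = list(iter_tlv(options))
    if any(code == OPT_AGENT_INFO for code, _ in parsed):
        # A client request should not already carry relay information; refuse
        # instead of stacking a second option 82 (assumed handling, the guide
        # does not specify what the switch does in this case).
        raise ValueError("request already carries option 82")
    body = b"".join(encode_tlv(c, v) for c, v in parsed)
    return body + build_option82(circuit_id, remote_mac) + bytes([OPT_END])


def strip_option82(options: bytes) -> bytes:
    """Step 4: peel option 82 from the server reply before forwarding."""
    kept = (encode_tlv(c, v) for c, v in iter_tlv(options) if c != OPT_AGENT_INFO)
    return b"".join(kept) + bytes([OPT_END])


def parse_option82(options: bytes) -> dict:
    """Return {'circuit_id': str, 'remote_id': 'xx:xx:..'} or {} if absent."""
    for code, value in iter_tlv(options):
        if code == OPT_AGENT_INFO:
            subs = dict(iter_tlv(value))
            remote = subs.get(SUBOPT_REMOTE_ID, b"")
            return {
                "circuit_id": subs.get(SUBOPT_CIRCUIT_ID, b"").decode(),
                "remote_id": ":".join("%02x" % b for b in remote),
            }
    return {}


# Constructed DHCPDISCOVER option list: message type (53) = DISCOVER (1),
# client identifier (61) = hardware type 1 + a made-up MAC, then End.
DISCOVER_OPTIONS = bytes([53, 1, 1,
                          61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
                          OPT_END])

if __name__ == "__main__":
    relayed = insert_option82(DISCOVER_OPTIONS, "Vlan1+Ethernet1/0/3",
                              "00-03-0f-02-33-01")
    print(parse_option82(relayed))
    # {'circuit_id': 'Vlan1+Ethernet1/0/3', 'remote_id': '00:03:0f:02:33:01'}
    print(strip_option82(relayed) == DISCOVER_OPTIONS)   # True
```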

3.12.2 DHCP Snooping option 82 Configuration Task List

1. Enable DHCP SNOOPING
2. Enable DHCP Snooping binding function
3. Enable DHCP Snooping option 82 function
4. Configure trust ports

1. Enable DHCP SNOOPING

Command                                   Explanation
Global mode
ip dhcp snooping enable
no ip dhcp snooping enable
    Enable or disable the DHCP SNOOPING function.

2. Enable DHCP Snooping binding function

Command                                   Explanation
Global mode
ip dhcp snooping binding enable
no ip dhcp snooping binding enable
    Enable or disable the DHCP SNOOPING binding function.

3. Enable DHCP Snooping option 82 function

Command                                   Explanation
Global mode
ip dhcp snooping information enable
no ip dhcp snooping information enable
    Enable or disable the DHCP SNOOPING option 82 function.

4. Configure trust ports

Command                                   Explanation
Port mode
ip dhcp snooping trust
no ip dhcp snooping trust
    Set or delete the DHCP SNOOPING trust attribute of ports.

3.12.3 DHCP Snooping option 82 Application Examples

Figure 3-12 DHCP option 82 typical application example (DHCP Client PC1 attached to Switch1 on Vlan1:eth1/0/3; Switch1 attached to the DHCP Server)


In the above example, layer 2 Switch1, with DHCP Snooping enabled, transmits the request message from the DHCP client to the DHCP server and the reply message from the server back to the DHCP client, completing the DHCP protocol procedure. After the DHCP SNOOPING option 82 function is enabled, Switch1 appends the information of the port through which the client accesses Switch1 to the client's request message in option 82.

The following is the configuration of Switch1 (MAC address 00-03-0f-02-33-01):

Switch1(config)#ip dhcp snooping enable
Switch1(config)#ip dhcp snooping binding enable
Switch1(config)#ip dhcp snooping information enable
Switch1(config)#interface ethernet 1/0/12
Switch1(Config-If-Ethernet1/0/12)#ip dhcp snooping trust

The Linux ISC DHCP Server supports option 82; its configuration file /etc/dhcpd.conf is as follows:
ddns-update-style interim;
ignore client-updates;

class "Switch1Vlan1Class1" {
    match if option agent.circuit-id = "Vlan1+Ethernet1/0/3" and option agent.remote-id = 00:03:0f:02:33:01;
}

subnet 192.168.102.0 netmask 255.255.255.0 {
    option routers 192.168.102.2;
    option subnet-mask 255.255.255.0;
    option domain-name "example.com.cn";
    option domain-name-servers 192.168.10.3;
    authoritative;
    pool {
        range 192.168.102.51 192.168.102.80;
        default-lease-time 43200; # 12 hours
        max-lease-time 86400; # 24 hours
        allow members of "Switch1Vlan1Class1";
    }
}

Now the DHCP server allocates addresses to the network nodes from Switch1 within the range 192.168.102.51 ~ 192.168.102.80.

3.12.4 DHCP Snooping option 82 Troubleshooting

- When the option 82 function of DHCP SNOOPING is in operation, the "debug ip dhcp snooping packet" command can be used to observe the procedure, including the option 82 information added to the request message and the option 82 information peeled from the reply message.

3.13 DHCP option 60 and option 43

3.13.1 Introduction to DHCP option 60 and option 43


The DHCP server analyzes the DHCP packets from the DHCP client. If a packet carries option 60, the server decides whether to return option 43 to the DHCP client according to the option 60 of the packet and the option 60 and option 43 configured in the DHCP server address pool.
Configure option 60 and option 43 in the DHCP server address pool as follows:
1. The address pool has both option 60 and option 43 configured. If the option 60 in the DHCP packet received from the client matches the option 60 of the address pool, the client receives the option 43 configured in the address pool; otherwise option 43 is not returned to the client.
2. The address pool has only option 43 configured. It matches any option 60: if the DHCP packet received from the client carries option 60, the client receives the option 43 configured in the address pool.
3. The address pool has only option 60 configured. Option 43 is not returned to the DHCP client.

3.13.2 DHCP option 60 and option 43 Configuration Task List

1. Basic DHCP option 60 and option 43 configuration

Command                                   Explanation
Address pool configuration mode
option 60 ascii LINE
    Configure the option 60 character string in ASCII format in ip dhcp pool mode.
option 43 ascii LINE
    Configure the option 43 character string in ASCII format in ip dhcp pool mode.
option 60 hex WORD
    Configure the option 60 character string in hex format in ip dhcp pool mode.
option 43 hex WORD
    Configure the option 43 character string in hex format in ip dhcp pool mode.
option 60 ip A.B.C.D
    Configure the option 60 character string in IP format in ip dhcp pool mode.
option 43 ip A.B.C.D
    Configure the option 43 character string in IP format in ip dhcp pool mode.
no option 60
    Delete the configured option 60 in address pool mode.
no option 43
    Delete the configured option 43 in address pool mode.

3.13.3 DHCP option 60 and option 43 Example

Figure 3-13 Typical DHCP option 60 and option 43 topology

A fit AP obtains its IP address and the option 43 attribute from the DHCP server in order to send a unicast discovery request to the wireless controller. The DHCP server is configured with an option 60 that matches the option 60 of the fit AP, so that it returns the option 43 attribute to the fit AP. The wireless controller addresses carried in DHCP option 43 are 192.168.10.5 and 192.168.10.6.
Configuration procedure:
# Configure the DHCP server
switch(config)#ip dhcp pool a
switch(dhcp-a-config)#option 60 ascii AP1000
switch(dhcp-a-config)#option 43 hex 0104C0A80A050104C0A80A06
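The three option 60 / option 43 decision rules of 3.13.1 and the option 43 value configured above, as an added example that is not the S4600's own code; the address pool is constructed from the "ip dhcp pool a" configuration, and treating sub-option 1 of the hex string as a 4-byte controller address is an assumption about the AP's vendor format.

```python
# Added example, not S4600 firmware code: the option 60 / option 43 decision
# rules from 3.13.1 applied to an address pool, and a decoder for the option 43
# value 0104C0A80A050104C0A80A06 configured above. Pool contents are constructed.
import ipaddress
from typing import Optional


def select_option43(pool: dict, client_option60: Optional[bytes]) -> Optional[bytes]:
    """Decide whether the server returns option 43 for a request.
    Rule 1: pool has option 60 and 43 -> return 43 only if the client's 60 matches.
    Rule 2: pool has only option 43 -> any client option 60 matches.
    Rule 3: pool has only option 60 -> option 43 is never returned."""
    pool60, pool43 = pool.get("option60"), pool.get("option43")
    if pool43 is None or client_option60 is None:
        return None                      # rule 3, or no option 60 in the request
    if pool60 is None:
        return pool43                    # rule 2
    return pool43 if client_option60 == pool60 else None   # rule 1


def decode_option43_controllers(hex_value: str) -> list:
    """Walk the vendor-specific sub-options (SubOpt/Len/Value) and collect
    every sub-option 1 carrying a 4-byte IPv4 address. That sub-option 1 holds
    a wireless controller address is an assumption about the AP's vendor
    format; the guide gives only the encoded hex string."""
    blob = bytes.fromhex(hex_value)
    addrs, i = [], 0
    while i < len(blob):
        if i + 1 >= len(blob):
            raise ValueError("sub-option code without length byte")
        code, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option %d" % code)
        if code == 1 and length == 4:
            addrs.append(str(ipaddress.IPv4Address(value)))
        i += 2 + length
    return addrs


# Constructed pool mirroring "ip dhcp pool a" above.
POOL_A = {"option60": b"AP1000",
          "option43": bytes.fromhex("0104C0A80A050104C0A80A06")}

if __name__ == "__main__":
    reply = select_option43(POOL_A, b"AP1000")
    print(decode_option43_controllers(reply.hex()))   # ['192.168.10.5', '192.168.10.6']
    print(select_option43(POOL_A, b"AP2000"))         # None
```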

3.13.4 DHCP option 60 and option 43 Troubleshooting

If problems occur when configuring DHCP option 60 and option 43, please check whether the problem is caused by one of the following:
- Check whether the service dhcp function is enabled;
- If option 60 is configured in the address pool, check whether it matches the option 60 of the packets.

Chapter 4 Multicast Protocol Related Configuration

4.1 IPv4 Multicast Protocol Overview

This chapter will give an introduction to the configuration of IPv4 Multicast Protocol.

4.1.1 Introduction to Multicast


When the destination of packet transmission (including data, sound and video) is a minority of users in the network, various transmission modes can be adopted. One way is Unicast mode, i.e. setting up a separate data transmission path for each user; another is Broadcast mode, which sends the messages to all users in the network, who receive the Broadcast messages whether they need them or not. For example, if 200 users in a network want to receive the same packet, the traditional solution is either to send this packet 200 times separately via Unicast, so that every user who needs the data gets it, or to send the data to the entire domain via Broadcast, so that the users who need the data can get it directly from the network. Both modes waste a great deal of valuable bandwidth, and Broadcast mode furthermore goes against security and secrecy.
The emergence of IP Multicast technology solved this problem. The Multicast source sends the message only once; the Multicast Routing Protocol sets up a tree route for the Multicast data packet, and the packet is duplicated and distributed only at the branching points of the tree, as far downstream as possible. Thus the packet can be sent to every user who needs it accurately and effectively.
Note that it is not necessary for the Multicast source to join the Multicast group: it sends data to a Multicast group but is not necessarily a receiver of that group. There can be more than one source sending packets to a Multicast group simultaneously. There may be routers in the network which do not support Multicast; in that case a Multicast router can encapsulate the Multicast packets into Unicast IP packets (tunnel mode) and send them to the next Multicast router, which removes the Unicast IP header and continues the Multicast transmission, so a big alteration of the network structure is avoided. The primary advantages of Multicast are:
1. Enhanced efficiency: reduced network traffic and a lighter load on servers and CPUs
2. Optimized performance: reduced redundant traffic
3. Distributed applications: enables multipoint applications

4.1.2 Multicast Address

The destination address of a Multicast message uses a class D IP address, in the range from 224.0.0.0 to 239.255.255.255. A class D address cannot appear in the source IP address field of an IP message. In Unicast data transmission, a data packet travels from the source address to the destination address hop by hop. In IP Multicast, however, the destination is a group rather than a single host: the destination addresses form a group address. All message receivers join a group, and once they do, the data flowing to the group address is sent to the receivers immediately and all members of the group receive the data packets. Membership in a Multicast group is dynamic; hosts can join and leave the Multicast group at any time.
Multicast groups can be permanent or temporary. Some Multicast group addresses are assigned officially; they are called Permanent Multicast Groups. A Permanent Multicast Group keeps its IP address fixed, but its membership can vary; the number of members can be arbitrary, even zero. The IP Multicast addresses not reserved for Permanent Multicast Groups can be used by temporary Multicast groups.
224.0.0.0~224.0.0.255 are reserved Multicast addresses (Permanent Group Addresses); 224.0.0.0 is reserved but not assigned, and the other addresses are used by Routing Protocols. 224.0.1.0~238.255.255.255 are Multicast addresses available to users (Temporary Group Addresses) and are valid in the entire domain of the network. 239.0.0.0~239.255.255.255 are local management Multicast addresses, valid only in a specific local domain. Frequently used reserved multicast addresses are listed below:
Benchmark address (reserved)
224.0.0.1 Address of all hosts
224.0.0.2 Address of all Multicast Routers
224.0.0.3 Unassigned
224.0.0.4 DVMRP Router
224.0.0.5 OSPF Router
224.0.0.6 OSPF DR
224.0.0.7 ST Router
224.0.0.8 ST host
224.0.0.9 RIP-2 Router
224.0.0.10 IGRP Router
224.0.0.11 Active Agent
224.0.0.12 DHCP Server/Relay Agent
224.0.0.13 All PIM Routers
224.0.0.14 RSVP Encapsulation
224.0.0.15 All CBT Routers
224.0.0.16 Specified SBM
224.0.0.17 All SBMS
224.0.0.18 VRRP
224.0.0.22 IGMP
When Ethernet transmits Unicast IP messages, the destination MAC address it uses is the receiver's MAC address. When transmitting Multicast packets, however, the destination is no longer a specific receiver but a group with uncertain members, so a Multicast MAC address is used. The Multicast MAC address corresponds to the Multicast IP address. IANA (Internet Assigned Numbers Authority) prescribes that the higher 25 bits of the Multicast MAC address are 0x01005e and the lower 23 bits of the MAC address are the lower 23 bits of the Multicast IP address. Since only 23 of the lower 28 bits of the IP Multicast address are mapped into the MAC address, 32 IP Multicast addresses are mapped to the same MAC address.
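The IP-to-MAC mapping just described and the 32-to-1 collision it produces, as an added example that is not the S4600's own code; it generalizes the text by enumerating all 32 class D addresses that share one MAC, which is why a purely MAC-based layer 2 filter cannot separate them.

```python
# Added example, not S4600 firmware code: the IANA IPv4-multicast-to-MAC
# mapping described above, and the 32-to-1 collision it causes.
import ipaddress

MCAST_MAC_PREFIX = 0x01005E          # fixed high bits of every IPv4 multicast MAC
LOW23 = 0x7FFFFF                     # the 23 IP bits that survive the mapping


def multicast_mac(group: str) -> str:
    """Class D address -> Ethernet multicast MAC 01:00:5e:xx:xx:xx."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not a class D address" % group)
    mac = (MCAST_MAC_PREFIX << 24) | (int(addr) & LOW23)
    return ":".join("%02x" % ((mac >> shift) & 0xFF) for shift in range(40, -1, -8))


def colliding_groups(group: str) -> list:
    """All 32 class D addresses sharing group's MAC: the 5 high bits of the
    28-bit group field (bits 23..27) are discarded by the mapping, so any
    value there yields the same MAC."""
    low = int(ipaddress.IPv4Address(group)) & LOW23
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low))
            for hi in range(32)]


def same_mac(group_a: str, group_b: str) -> bool:
    """True when a MAC-based filter (e.g. a layer 2 forwarding entry) cannot
    tell the two groups apart."""
    return multicast_mac(group_a) == multicast_mac(group_b)


if __name__ == "__main__":
    print(multicast_mac("224.0.0.1"))             # 01:00:5e:00:00:01
    print(same_mac("224.1.2.3", "239.129.2.3"))   # True
    print(len(colliding_groups("225.1.2.3")))     # 32
```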

4.1.3 IP Multicast Packet Transmission


In Multicast mode, the source host sends packets to the host group indicated by the Multicast group address in the destination address field of the IP data packet. Unlike Unicast mode, a Multicast data packet must be forwarded out of a number of interfaces to reach all receiver sites, so the Multicast transmission procedure is more complicated than the Unicast one.
To guarantee that all Multicast packets reach the router via the shortest path, the receiving interface of the Multicast packet must be checked against the Unicast routing table; this checking mechanism, the RPF (Reverse Path Forwarding) check, is the basis on which most Multicast Routing Protocols forward in Multicast mode. The Multicast router uses the source address of the received packet to query the Unicast routing table or an independent Multicast routing table, to determine whether the packet's ingress interface is on the shortest path from the receiving site to the source address. If a Shortest Path Tree is used, the source address is the address of the source host which sends the Multicast data packets; if a Shared Tree is used, the source address is the address of the root of the Shared Tree. When a Multicast data packet arrives at the router, if the RPF check passes, the packet is forwarded according to the Multicast forwarding entry; otherwise it is discarded.

4.1.4 IP Multicast Application


IP Multicast technology has effectively solved the problem of sending from a single point and receiving at multiple points. It achieves effective data transmission from one point to multiple points, saves a great deal of network bandwidth and reduces network load. Making use of the Multicast property of the network, new value-added services can be supplied conveniently. In information service areas such as online live broadcast, network TV, remote education, remote medicine and real-time video/audio conferencing, the following applications may be supplied:
1) Multimedia and streaming media applications
2) Data repository and finance applications (stock), etc.
3) Any "one point to multiple points" data distribution application
With more and more multimedia services in IP networks, Multicast has tremendous market potential, and Multicast services will become widespread.


4.2 DCSCM

4.2.1 Introduction to DCSCM


DCSCM (Destination Control and Source Control Multicast) technology mainly includes three aspects: Multicast Packet Source Control, Multicast User Control and Service-Oriented Priority Strategy Multicast.
The Multicast Packet Source Control technology of Security Controllable Multicast is mainly processed in the following manners:
1. On the edge switch, if source control multicast is configured, only multicast data from the specified group of the specified source can pass.
2. On the RP switch in the core of PIM-SM, for REGISTER messages from a source and group other than the specified ones, REGISTER_STOP is transmitted directly and no table entry is allowed to be set up. (This task is implemented in the PIM-SM module.)
The implementation of the Multicast User Control technology of Security Controllable Multicast is based on control over the IGMP report messages sent by the user, so the modules being controlled are the IGMP snooping module and the IGMP module. The control logic includes three methods: control based on the VLAN+MAC address of the sender of the packets, control based on the IP address of the sender of the packets, and control based on the port where the messages enter. IGMP snooping can use all three methods simultaneously, while the IGMP module, being located at layer 3, only takes control based on the IP address sending the packets.
The Service-Oriented Priority Strategy Multicast of Security Controllable technology adopts the following mode: for multicast data in a limited range, the priority specified by the user is set at the join-in end so that the data is sent with a higher priority on TRUNK ports, consequently guaranteeing that the transmission is processed with the user-specified priority in the entire network.

4.2.2 DCSCM Configuration Task List


1. Source Control Configuration
2. Destination Control Configuration
3. Multicast Strategy Configuration

1. Source Control Configuration


Source Control Configuration has three parts, of which the first is to enable source control. The command is as follows:

Command                                   Explanation
Global Configuration Mode
[no] ip multicast source-control (Required)
    Enable source control globally; the "no ip multicast source-control" command disables source control globally. Note that after source control is enabled globally, all multicast packets are discarded by default. No source control configuration can be processed until source control is enabled globally, and source control cannot be disabled until all configured rules are removed.

The next step is to configure the source control rules. They are configured in the same manner as an ACL and use ACL numbers 5000-5099; each ACL number can hold 10 rules. Note that these rules are ordered: the earliest configured rule is matched first, and once a rule matches, the following rules do not take effect, so a rule that permits everything must be placed at the end. The commands are as follows:

Command                                   Explanation
Global Configuration Mode
[no] access-list <5000-5099> {deny|permit} ip {{<source> <source-wildcard>}|{host-source <source-host-ip>}|any-source} {{<destination> <destination-wildcard>}|{host-destination <destination-host-ip>}|any-destination}
    The rule used to configure source control. This rule does not take effect until it is applied to a specified port. The no form deletes the specified rule.

The last step is to apply the configured rule to a specified port.
Note: the configured rules occupy hardware table entries, so configuring too many rules results in configuration failure when the hardware table is full; we suggest using the simplest rules possible. The commands are as follows:

Command                                   Explanation
Port Configuration Mode
[no] ip multicast source-control access-group <5000-5099>
    Apply the source control rules to the port; the no form cancels the configuration.

2. Destination Control Configuration


Like source control configuration, destination control configuration has three steps.
First, enable destination control globally. Since destination control must prevent unauthorized users from receiving multicast data, the switch does not flood the multicast data it receives once global destination control is configured. Therefore, avoid connecting two or more other layer 3 switches in the same VLAN to a switch on which destination control is enabled. The configuration commands are as follows:

Command                                   Explanation
Global Configuration Mode
[no] multicast destination-control (required)
    Globally enable destination control. The no operation globally disables destination control. All other destination control configuration takes effect only after it is enabled globally.

Next, configure the destination control profile rule list, using profile-id numbers 1-50.

Command                                   Explanation
Global Configuration Mode
profile-id <1-50> {deny|permit} {{<source/M>}|{host-source <source-host-ip> (range <2-65535>|)}|any-source} {{<destination/M>}|{host-destination <destination-host-ip> (range <2-255>|)}|any-destination}
no profile-id <1-50>
    Configure the destination control profile rule. The no command deletes it.

Then configure the destination control rule. It is similar to source control, except that it uses ACL numbers 6000-7999.

Command                                   Explanation
Global Configuration Mode
[no] access-list <6000-7999> {{{add | delete} profile-id WORD} | {{deny|permit} (ip) {{<source/M>}|{host-source <source-host-ip> (range <2-65535>|)}|any-source} {{<destination/M>}|{host-destination <destination-host-ip> (range <2-255>|)}|any-destination}}
    The rule used to configure destination control. This rule does not take effect until it is applied to a source IP or VLAN-MAC and port. The no form deletes the specified rule.

The last step is to apply the rule to a specified source IP, source VLAN-MAC or specified port. Note that, for the reasons above, these rules can only be used when IGMP-SNOOPING is enabled globally; if IGMP-SNOOPING is not enabled, only the source IP rule can be used under the IGMP protocol. The configuration commands are as follows:

Command                                   Explanation
Port Configuration Mode
[no] ip multicast destination-control access-group <6000-7999>
    Apply the destination control rules to the port; the no form cancels the configuration.
Global Configuration Mode
[no] ip multicast destination-control <1-4094> <macaddr> access-group <6000-7999>
    Apply the destination control rules to the specified VLAN-MAC; the no form cancels the configuration.
[no] ip multicast destination-control <IPADDRESS/M> access-group <6000-7999>
    Apply the destination control rules to the specified IP address/netmask; the no form cancels the configuration.

3. Multicast Strategy Configuration


Multicast Strategy specifies a priority for specified multicast data in order to achieve and guarantee the effect the specific user requires. Note that multicast data can only receive this special treatment when it is transmitted on a TRUNK port. The configuration is very simple: it has only one command, which sets the priority for the specified multicast. The command is as follows:

Command                                   Explanation
Global Configuration Mode
[no] ip multicast policy <IPADDRESS/M> <IPADDRESS/M> cos <priority>
    Configure the multicast strategy: specify the priority for sources and groups in the given range; the priority range is <0-7>.

4.2.3 DCSCM Configuration Examples


1. Source Control
To prevent an edge switch from forwarding multicast data without restriction, we configure the edge switch so that only the device at port Ethernet1/0/5 is allowed to transmit multicast, and only to group 225.1.2.3, while the device connected to port Ethernet1/0/10 can transmit multicast data without limit. The configuration is:
EC(config)#access-list 5000 permit ip any host 225.1.2.3
EC(config)#access-list 5001 permit ip any any
EC(config)#ip multicast source-control
EC(config)#interface ethernet1/0/5
EC(Config-If-Ethernet1/0/5)#ip multicast source-control access-group 5000
EC(Config-If-Ethernet1/0/5)#exit
EC(config)#interface ethernet1/0/10
EC(Config-If-Ethernet1/0/10)#ip multicast source-control access-group 5001
2. Destination Control
We want to prevent users with addresses in the 10.0.0.0/8 network segment from joining groups in 238.0.0.0/8, so we make the following configuration:
First, enable IGMP snooping in the VLAN where the users are located (here assumed to be VLAN 2):
EC(config)#ip igmp snooping
EC(config)#ip igmp snooping vlan 2
After that, configure the destination control access-list and apply it to the specified IP address range:
Switch(config)#access-list 6000 deny ip any 238.0.0.0 0.255.255.255
Switch(config)#access-list 6000 permit ip any any
Switch(config)#multicast destination-control
Switch(config)#ip multicast destination-control 10.0.0.0/8 access-group 6000

In this way, users of this network segment can only join groups other than 238.0.0.0/8.
Alternatively, configure the destination control access-list by adding a profile list:
Switch(config)#profile-id 1 deny ip any 238.0.0.0 0.255.255.255
Switch(config)#access-list 6000 add profile-id 1
Switch(config)#multicast destination-control
Switch(config)#ip multicast destination-control 10.0.0.0/8 access-group 6000
3. Multicast strategy
Server 210.1.1.1 is distributing important multicast data on group 239.1.2.3; we configure its join-in switch as follows:
Switch(config)#ip multicast policy 210.1.1.1/32 239.1.2.3/32 cos 4
In this way, the multicast stream has a priority of 4 when it passes through this switch to other switches. (This is usually fairly high; the highest priority is used for protocol data. If a higher priority is set and there is too much multicast data, it might cause abnormal behavior of the switch protocols.)
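The first-match evaluation of the ordered source and destination control rules used in examples 1 and 2, as an added example that is not the S4600's own code; it reuses the rule text from the examples above, and the default-deny for unmatched packets follows the note in 4.2.2 that traffic is discarded once control is enabled.

```python
# Added example, not S4600 firmware code: first-match evaluation of the ordered
# source/destination control rules from 4.2.3, using the wildcard-mask syntax
# of the access-list commands above. Addresses and rule lists are constructed.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")     # 'any' = every bit is a don't-care bit


def parse_rule(text: str):
    """Parse '<permit|deny> ip <src> <dst>' where each side is 'any',
    'host A.B.C.D' or 'A.B.C.D WILDCARD' (the forms used in the examples)."""
    tok = text.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("unsupported rule: %s" % text)
    action, rest, sides = tok[0], tok[2:], []
    for _ in range(2):
        if not rest:
            raise ValueError("incomplete address in rule: %s" % text)
        if rest[0] == "any":
            side, rest = ANY, rest[1:]
        elif rest[0] == "host" and len(rest) >= 2:
            side, rest = (rest[1], "0.0.0.0"), rest[2:]
        elif len(rest) >= 2:
            side, rest = (rest[0], rest[1]), rest[2:]
        else:
            raise ValueError("incomplete address in rule: %s" % text)
        sides.append(side)
    if rest:
        raise ValueError("trailing tokens in rule: %s" % text)
    return action, sides[0], sides[1]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'ignore this bit' (ACL wildcard semantics)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(rules, src: str, group: str) -> str:
    """First matching rule wins; with control enabled the guide says traffic
    is discarded by default, so an unmatched packet is denied."""
    for action, (s, s_wc), (d, d_wc) in rules:
        if wildcard_match(src, s, s_wc) and wildcard_match(group, d, d_wc):
            return action
    return "deny"


def destination_control(bindings, src: str, group: str) -> str:
    """bindings: [(source network in A.B.C.D/M form, rule list)], i.e. the
    'ip multicast destination-control <IPADDRESS/M> access-group' binding."""
    for network, rules in bindings:
        if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(network):
            return evaluate(rules, src, group)
    return "deny"      # no rule list bound to this source (assumed default)


# The two rule lists from the DCSCM examples above.
ACL_5000 = [parse_rule("permit ip any host 225.1.2.3")]
ACL_6000 = [parse_rule("deny ip any 238.0.0.0 0.255.255.255"),
            parse_rule("permit ip any any")]
BINDINGS = [("10.0.0.0/8", ACL_6000)]

if __name__ == "__main__":
    print(evaluate(ACL_5000, "192.0.2.10", "225.1.2.3"))             # permit
    print(destination_control(BINDINGS, "10.1.2.3", "238.1.1.1"))    # deny
    print(destination_control(BINDINGS, "10.1.2.3", "239.1.2.3"))    # permit
    # Rule order matters: a permit-any placed first shadows the deny.
    print(evaluate(list(reversed(ACL_6000)), "10.1.2.3", "238.1.1.1"))  # permit
```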

4.2.4 DCSCM Troubleshooting


The DCSCM module behaves much like an ACL, and the problems that occur are usually related to improper configuration. Please read the descriptions above carefully. If you still cannot determine the cause of the problem, please send your configuration and the effect you expect to the after-sales service staff of our company.

4.3 IGMP Snooping

4.3.1 Introduction to IGMP Snooping


IGMP (Internet Group Management Protocol) is a protocol used in IP multicast. IGMP is used by multicast-enabled network devices (such as a router) for host membership queries, and by hosts joining a multicast group to inform the router that it should accept packets for a certain multicast address. All these operations are done through IGMP message exchange. The router uses a multicast address (224.0.0.1) that addresses all hosts to send an IGMP host membership query message. If a host wants to join a multicast group, it replies with an IGMP host membership report message sent to the multicast address of that group.
IGMP Snooping is also referred to as IGMP listening. Through IGMP Snooping, the switch prevents multicast traffic from flooding: multicast traffic is forwarded only to ports associated with multicast devices. The switch listens to the IGMP messages between the multicast router and the hosts, maintains a multicast group forwarding table based on what it hears, and then forwards multicast packets according to that forwarding table.
The switch provides IGMP Snooping and is also able to send queries itself, so that the user can deploy the switch in IP multicast networks.

4.3.2 IGMP Snooping Configuration Task List


1. Enable IGMP Snooping
2. Configure IGMP Snooping

1. Enable IGMP Snooping


Command Explanation
Global Mode
ip igmp snooping Enables IGMP Snooping. The no operation
no ip igmp snooping disables IGMP Snooping function.

2. Configure IGMP Snooping

Command Explanation
Global Mode
Enables IGMP Snooping for specified VLAN. The
ip igmp snooping vlan <vlan-id>
no operation disables IGMP Snooping for
no ip igmp snooping vlan <vlan-id>
specified VLAN.
ip igmp snooping proxy Enable IGMP Snooping proxy function, the no
no ip igmp snooping proxy command disables the function.
ip igmp snooping vlan < vlan-id > limit Configure the max group count of vlan and the
{group <g_limit> | source <s_limit>} max source count of every group. The “no ip
no ip igmp snooping vlan < vlan-id > limit igmp snooping vlan <vlan-id> limit” command
cancels this configuration.

ip igmp snooping vlan <1-4094> interface Configure the number of groups which are
(ethernet | port-channel|) IFNAME limit allowed joining and the maximum of the
{group <1-65535>| source <1-65535>} source in each group under the IGMP Snooping
strategy (replace | drop) port. Configure the strategy when it is up to the
no ip igmp snooping vlan <1-4094> interface upper limit, including “replace” and “drop”. No
(ethernet | port-channel|) IFNAME limit command configures as “no limitation”.
group source strategy
Set this vlan to layer 2 general querier. It is
ip igmp snooping vlan <vlan-id> recommended to configure a layer 2 general
l2-general-querier querier on a segment. The “no ip igmp
no ip igmp snooping vlan <vlan-id> snooping vlan <vlan-id>
l2-general-querier l2-general-querier”command cancels this
configuration.
ip igmp snooping vlan <vlan-id> Configure the version number of a general
l2-general-querier-version <version> query from a layer 2 general querier.
ip igmp snooping vlan <vlan-id> Configure the source address of a general
l2-general-querier-source <source> query from a layer 2 general querier.

4-9
S4600_Configuration Guide Chapter 4 Multicast Protocol Related Configuration

ip igmp snooping vlan <vlan-id>


mrouter-port interface <interface –name>
no ip igmp snooping vlan <vlan-id> Configure static mrouter port of vlan. The no
mrouter-port interface <interface –name> form of the command cancels this
configuration.

ip igmp snooping vlan <vlan-id>


mrouter-port learnpim Enable the function that the specified VLAN
no ip igmp snooping vlan <vlan-id> learns mrouter-port (according to pim packets),
mrouter-port learnpim the no command will disable the function.

ip igmp snooping vlan <vlan-id> mrpt Configure this survive time of mrouter port.
<value > The “no ip igmp snooping vlan <vlan-id> mrpt”
no ip igmp snooping vlan <vlan-id> mrpt command restores the default value.
ip igmp snooping vlan <vlan-id> query-interval <value>
no ip igmp snooping vlan <vlan-id> query-interval
    Configure the query interval. The "no ip igmp snooping vlan <vlan-id> query-interval" command restores the default value.
ip igmp snooping vlan <vlan-id> immediately-leave
no ip igmp snooping vlan <vlan-id> immediately-leave
    Enable the IGMP fast leave function for the specified VLAN; the "no ip igmp snooping vlan <vlan-id> immediately-leave" command disables it. With fast leave the port is pruned from the group as soon as a leave message is seen, without a group-specific query, so enable it only on ports with a single host behind them.
ip igmp snooping vlan <vlan-id> query-mrsp <value>
no ip igmp snooping vlan <vlan-id> query-mrsp
    Configure the maximum query response time. The "no ip igmp snooping vlan <vlan-id> query-mrsp" command restores the default value.
ip igmp snooping vlan <vlan-id> query-robustness <value>
no ip igmp snooping vlan <vlan-id> query-robustness
    Configure the query robustness. The "no ip igmp snooping vlan <vlan-id> query-robustness" command restores the default value.
ip igmp snooping vlan <vlan-id> suppression-query-time <value>
no ip igmp snooping vlan <vlan-id> suppression-query-time
    Configure the query suppression time. The "no ip igmp snooping vlan <vlan-id> suppression-query-time" command restores the default value.


ip igmp snooping vlan <vlan-id> static-group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | port-channel] <IFNAME>
no ip igmp snooping vlan <vlan-id> static-group <A.B.C.D> [source <A.B.C.D>] interface [ethernet | port-channel] <IFNAME>
    Configure a static group on the specified port of the VLAN. The no form of the command cancels this configuration.
ip igmp snooping vlan <vlan-id> report source-address <A.B.C.D>
no ip igmp snooping vlan <vlan-id> report source-address
    Configure the source address used in forwarded IGMP packets. The no command cancels the configured source address.
ip igmp snooping vlan <vlan-id> specific-query-mrsp <value>
no ip igmp snooping vlan <vlan-id> specific-query-mrsp
    Configure the maximum response time of group-specific or source-specific queries. The no command restores the default value.

4.3.3 IGMP Snooping Examples


Scenario 1: IGMP Snooping function

[Figure 4-1 Enabling IGMP Snooping function: a multicast router (on the multicast port) and two multicast servers feed a switch running IGMP Snooping; the four hosts below it join Group 1, Group 1, Group 1 and Group 2 respectively.]


Example: As shown in the figure above, VLAN 100 is configured on the switch and includes ports 1, 2, 6, 10 and 12. Four hosts are connected to ports 2, 6, 10 and 12 respectively, and the multicast router is connected to port 1. IGMP Snooping is disabled by default both for the switch and for each VLAN, so to run it in VLAN 100 it must first be enabled for the switch in Global Mode, then enabled in VLAN 100, and port 1 of VLAN 100 must be set as the mrouter port.

The configuration steps are listed below:


Switch(config)#ip igmp snooping
Switch(config)#ip igmp snooping vlan 100
Switch(config)#ip igmp snooping vlan 100 mrouter-port interface ethernet 1/0/1

Multicast Configuration
Suppose the multicast server offers two programs, using the multicast addresses Group 1 and Group 2. Three of the four hosts, on ports 2, 6 and 10, play program 1, while the host on port 12 plays program 2.
IGMP Snooping listening result:
The multicast table built by IGMP Snooping in VLAN 100 lists ports 1, 2, 6 and 10 for Group 1 and ports 1 and 12 for Group 2 (port 1, the mrouter port, is added to every group).
All four hosts receive the program of their choice: ports 2, 6 and 10 do not receive the traffic of program 2, and port 12 does not receive the traffic of program 1.
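The listening result above, as an added example that is not part of this guide or of the switch firmware: a small Python model of the per-VLAN table that IGMP Snooping builds. It replays Scenario 1 (mrouter port 1, reports from ports 2, 6, 10 and 12) and then shows how the query-interval, query-mrsp, query-robustness, specific-query-mrsp and immediately-leave settings from the command table above decide when a port is pruned from a group. The group addresses, the timer values and the membership timeout formula (robustness multiplied by the query interval, plus the maximum response time, which comes from RFC 2236 rather than from this guide) are assumptions; how a real switch treats traffic for a group nobody joined is platform-specific and is modelled here as forwarding toward the router only.

```python
"""Model of the per-VLAN forwarding table that IGMP Snooping builds.

Constructed example, not the switch's code. Group addresses, ports and
timings are assumptions chosen to mirror Scenario 1 of the guide.
"""
from dataclasses import dataclass, field

GROUP1 = "239.1.1.1"   # assumed address for "Group 1"
GROUP2 = "239.1.1.2"   # assumed address for "Group 2"


@dataclass
class SnoopingVlan:
    vlan_id: int
    query_interval: int = 125        # seconds; IGMP default general query interval
    query_mrsp: int = 10             # max response time of a general query, seconds
    query_robustness: int = 2
    specific_query_mrsp: int = 1     # max response time of a group-specific query, seconds
    immediately_leave: bool = False  # "ip igmp snooping vlan <id> immediately-leave"
    mrouter_ports: set = field(default_factory=set)
    # group -> {member port: time at which the membership expires}
    members: dict = field(default_factory=dict)

    def membership_timeout(self) -> int:
        # Group Membership Interval of RFC 2236: robustness * query interval + max response time
        return self.query_robustness * self.query_interval + self.query_mrsp

    def report(self, group: str, port: int, now: int) -> None:
        """A membership report seen on `port` (re)starts that port's timer for `group`."""
        self.members.setdefault(group, {})[port] = now + self.membership_timeout()

    def leave(self, group: str, port: int, now: int) -> None:
        """A leave message seen on `port`."""
        ports = self.members.get(group)
        if not ports or port not in ports:
            return
        if self.immediately_leave:
            ports.pop(port)                   # fast leave: prune at once, no group-specific query
        else:
            # Otherwise group-specific queries are sent; the port stays until they go unanswered.
            ports[port] = now + self.query_robustness * self.specific_query_mrsp
        if not ports:
            del self.members[group]

    def expire(self, now: int) -> None:
        """Age out memberships that were not refreshed (silent host, or leave without fast leave)."""
        for group in list(self.members):
            ports = {p: t for p, t in self.members[group].items() if t > now}
            if ports:
                self.members[group] = ports
            else:
                del self.members[group]

    def table(self) -> dict:
        """The forwarding table: each group carries its members plus the mrouter ports."""
        return {g: sorted(set(ports) | self.mrouter_ports) for g, ports in self.members.items()}

    def egress(self, group: str, ingress: int) -> set:
        """Ports a frame for `group` arriving on `ingress` is forwarded to."""
        if group in self.members:
            out = set(self.members[group]) | self.mrouter_ports
        else:
            # Assumption: traffic for a group nobody joined only goes toward the router.
            out = set(self.mrouter_ports)
        return out - {ingress}


def scenario1() -> SnoopingVlan:
    """Scenario 1: VLAN 100, mrouter on port 1, ports 2/6/10 watch Group 1, port 12 watches Group 2."""
    v = SnoopingVlan(vlan_id=100, mrouter_ports={1})
    for port in (2, 6, 10):
        v.report(GROUP1, port, now=0)
    v.report(GROUP2, 12, now=0)
    return v


if __name__ == "__main__":
    v = scenario1()
    print(v.table())                            # {'239.1.1.1': [1, 2, 6, 10], '239.1.1.2': [1, 12]}
    print(sorted(v.egress(GROUP2, ingress=1)))  # [12]: ports 2, 6 and 10 never see program 2
```

Running `scenario1()` reproduces the listening result of the text; calling `leave()` on port 12 with `immediately_leave` left at its default keeps the port in the table until `expire()` is called past the group-specific query window, whereas with fast leave the port disappears at once.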

Scenario 2: L2-general-querier

[Figure 4-2 The switches as IGMP queriers: the multicast server (Group 1, Group 2) connects to Switch A, which runs IGMP Snooping and acts as L2 general querier; the multicast port of Switch A connects to Switch B, which runs IGMP Snooping and serves hosts joining Group 1, Group 1, Group 1 and Group 2.]

The configuration of Switch B is the same as that of the switch in Scenario 1; Switch A takes the place of the multicast router of Scenario 1. Assume VLAN 60 is configured on Switch A and includes ports 1, 2, 10 and 12. Port 1 connects to the multicast server and port 2 connects to Switch B. For Switch A to send general queries at regular intervals, IGMP Snooping must be enabled in Global Mode and in VLAN 60, and VLAN 60 must be set as the layer 2 general querier.


The configuration steps are listed below:


SwitchA#config
SwitchA(config)#ip igmp snooping
SwitchA(config)#ip igmp snooping vlan 60
SwitchA(config)#ip igmp snooping vlan 60 L2-general-querier

SwitchB#config
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 100
SwitchB(config)#ip igmp snooping vlan 100 mrouter-port interface ethernet 1/0/1

Multicast Configuration
The same as scenario 1
IGMP Snooping listening result:
Similar to scenario 1

Scenario 3: Cooperation with layer 3 multicast protocols

The switch used in Scenario 1 is replaced by a router; its other configuration remains the same, and the multicast and IGMP Snooping configuration is the same as in Scenario 1. On the router, enable PIM-SM globally and on VLAN 100 (use the same PIM mode as the connected multicast router).

Configurations are listed as below:


switch#config
switch(config)#ip pim multicast-routing
switch(config)#interface vlan 100
switch(config-if-vlan100)#ip pim sparse-mode

4.3.4 IGMP Snooping Troubleshooting


When configuring and using IGMP Snooping, it may fail to run properly because of physical connection or configuration mistakes, so check the following:
- Make sure the physical connections are correct.
- Enable IGMP Snooping in Global Mode (ip igmp snooping).
- Enable IGMP Snooping on the VLAN in Global Mode (ip igmp snooping vlan <vlan-id>).
- Make sure one VLAN in the same segment is configured as the L2 general querier, or that a static mrouter port is configured.
- Use the show ip igmp snooping vlan <vid> command to check the IGMP Snooping information.


4.4 IGMP Snooping Authentication

4.4.1 Introduction to IGMP Snooping Authentication


IGMP Snooping Authentication authenticates the multicast groups that clients request through IGMP Snooping. A client's request for a group succeeds, and the multicast traffic is delivered, only when that group passes authentication; otherwise the request fails. Currently authentication is based only on the group address; the multicast source information carried in IGMPv3 reports is not authenticated.

4.4.2 IGMP Snooping Authentication Task List


1. Enable IGMP Snooping
2. Enable IGMP Snooping Authentication
3. Configure IGMP Snooping Authentication
4. Configure Radius

1. Enable IGMP Snooping


Command Explanation
Global Mode
ip igmp snooping
no ip igmp snooping
    Enable the IGMP Snooping function; the no command disables it.

2. Enable IGMP Snooping Authentication


Command Explanation
Port Mode
igmp snooping authentication enable
no igmp snooping authentication enable
    Enable the IGMP authentication function on the port; the no command disables it. Once enabled, the port authenticates every multicast group a client requests: the request succeeds only if the group passes authentication, otherwise it fails.

3. Configure IGMP Snooping Authentication


Command Explanation
Port Mode
igmp snooping authentication free-rule access-list <6000-7999>
no igmp snooping authentication free-rule access-list <6000-7999>
    Configure the access list of multicast groups that are exempt from authentication (the free rule). The no command deletes it.
Global Mode
ip igmp snooping authentication radius none
no ip igmp snooping authentication radius none
    Treat a request as successfully authenticated when the RADIUS server does not respond. The no command restores the default method, in which a request is treated as failed when the RADIUS server does not respond. Note that with "radius none" a RADIUS outage grants every requested group, so keep the default unless availability matters more than access control.
ip igmp snooping authentication forwarding-first
no ip igmp snooping authentication forwarding-first
    Configure the order of IGMP authentication: issue the multicast table entry for the requested group first and then authenticate. If authentication succeeds nothing further happens; if it fails, the issued entry is deleted. The no command restores the default order: authenticate first, and issue the table entry only after a successful result is returned. With forwarding-first the client receives the stream until the authentication result comes back.
ip igmp snooping authentication timeout <30-30000>
no ip igmp snooping authentication timeout
    Configure the timeout, in seconds, of the table entry created by IGMP authentication. The no command restores the default value of 600 seconds.

4. Configure Radius

Command Explanation
Global Mode
aaa enable
no aaa enable
    Enable or disable the AAA function.
radius-server key <word>
no radius-server key
    Configure or delete the RADIUS server key.
radius-server authentication host <A.B.C.D>
no radius-server authentication host <A.B.C.D>
    Configure or delete the RADIUS authentication server address.

4.4.3 IGMP Snooping Authentication Examples


Figure 4-3 IGMP Snooping Authentication


As shown in the figure above, VLAN 1 containing port 1 and VLAN 10 containing port 2 are configured on the switch. The host is connected to port 1 and the RADIUS server to port 2. IGMP Snooping is enabled on VLAN 1 and IGMP authentication is enabled on port 1. The switch IP address is 10.1.1.2 and the IP address of the RADIUS server is 10.1.1.3.

Configuration steps:
Switch#config
Switch(config)#ip igmp snooping
Switch(config)#ip igmp snooping vlan 1
Switch(config)#interface ethernet 1/0/1
Switch(config-if-ethernet1/0/1)#igmp snooping authentication enable
Switch(config-if-ethernet1/0/1)#exit
Switch(config)#ip igmp snooping authentication radius none
Switch(config)#interface vlan 10
Switch(config-if-vlan10)#ip address 10.1.1.2 255.255.255.0
Switch(config-if-vlan10)#exit
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable

4.5 Multicast VLAN

4.5.1 Introductions to Multicast VLAN


With the usual multicast ordering method, when users in different VLANs order the same stream, a copy of the multicast traffic is sent in each VLAN, which wastes bandwidth. By configuring a multicast VLAN and adding the switch ports to it, with IGMP Snooping/MLD Snooping enabled, users in different VLANs share the same multicast VLAN. The multicast traffic then exists only within the multicast VLAN, so bandwidth is saved. Because the multicast VLAN is completely separated from the user VLANs, security and bandwidth requirements can be met at the same time; once the multicast VLAN is configured, the multicast traffic is delivered continuously to the users.

4.5.2 Multicast VLAN Configuration Task List


1. Enable the multicast VLAN function
2. Configure the IGMP Snooping
3. Configure the MLD Snooping

1. Enable the multicast VLAN function


Command Explanation
VLAN configuration mode
multicast-vlan
no multicast-vlan
    Configure a VLAN and enable the multicast VLAN function on it. The "no multicast-vlan" command disables the multicast VLAN function on the VLAN.
multicast-vlan association <vlan-list>
no multicast-vlan association <vlan-list>
    Associate the multicast VLAN with several user VLANs. The no form of this command deletes the association between the listed VLANs and the multicast VLAN.
multicast-vlan association interface (ethernet | port-channel|) IFNAME
no multicast-vlan association interface (ethernet | port-channel|) IFNAME
    Associate the specified port with the multicast VLAN so that it can receive the multicast flow. The no command cancels the association between the port and the multicast VLAN.
multicast-vlan mode {dynamic | compatible}
no multicast-vlan mode {dynamic | compatible}
    Configure one of the two multicast VLAN modes. The no command cancels the mode configuration.
2. Configure the IGMP Snooping
Command Explanation
Global Mode
ip igmp snooping vlan <vlan-id>
no ip igmp snooping vlan <vlan-id>
    Enable the IGMP Snooping function on the multicast VLAN. The no form of this command disables IGMP Snooping on the multicast VLAN.
ip igmp snooping
no ip igmp snooping
    Enable the IGMP Snooping function. The no form of this command disables the IGMP Snooping function.

3. Configure the MLD Snooping


Command Explanation
Global Mode
ipv6 mld snooping vlan <vlan-id>
no ipv6 mld snooping vlan <vlan-id>
    Enable MLD Snooping on the multicast VLAN; the no form of this command disables MLD Snooping on the multicast VLAN.
ipv6 mld snooping
no ipv6 mld snooping
    Enable the MLD Snooping function. The no form of this command disables the MLD Snooping function.

4.5.3 Multicast VLAN Examples

Figure 4-4 Function configuration of the Multicast VLAN


As shown in the figure, the multicast server is connected to the layer 3 switch SwitchA through port 1/0/1, which belongs to VLAN 10. SwitchA is connected to the layer 2 switch SwitchB through port 1/0/10, configured as a trunk port. On SwitchB, VLAN 100 contains port 1/0/15 and VLAN 101 contains port 1/0/20; PC1 and PC2 are connected to ports 1/0/15 and 1/0/20 respectively. SwitchB is connected to SwitchA through its own port 1/0/10, also configured as a trunk port. VLAN 20 is the multicast VLAN. By configuring the multicast VLAN, PC1 and PC2 receive the multicast data from the multicast VLAN.
The following configuration assumes that the IP addresses of the switches have already been configured and that all equipment is connected correctly.
Configuration procedure
SwitchA#config
SwitchA(config)#vlan 10
SwitchA(config-vlan10)#switchport access ethernet 1/0/1
SwitchA(config-vlan10)#exit
SwitchA(config)#interface vlan 10
SwitchA(Config-if-Vlan10)#ip pim dense-mode
SwitchA(Config-if-Vlan10)#exit
SwitchA(config)#vlan 20
SwitchA(config-vlan20)#exit
SwitchA(config)#interface vlan 20
SwitchA(Config-if-Vlan20)#ip pim dense-mode
SwitchA(Config-if-Vlan20)#exit
SwitchA(config)#ip pim multicast-routing
SwitchA(config)#interface ethernet 1/0/10
SwitchA(Config-If-Ethernet1/0/10)#switchport mode trunk
SwitchA(Config-If-Ethernet1/0/10)#exit

SwitchB#config
SwitchB(config)#vlan 100
SwitchB(config-vlan100)#switchport access ethernet 1/0/15
SwitchB(config-vlan100)#exit
SwitchB(config)#vlan 101
SwitchB(config-vlan101)#switchport access ethernet 1/0/20
SwitchB(config-vlan101)#exit
SwitchB(config)#interface ethernet 1/0/10
SwitchB(Config-If-Ethernet1/0/10)#switchport mode trunk
SwitchB(Config-If-Ethernet1/0/10)#exit
SwitchB(config)#vlan 20
SwitchB(config-vlan20)#multicast-vlan
SwitchB(config-vlan20)#multicast-vlan association 100,101
SwitchB(config-vlan20)#exit
SwitchB(config)#ip igmp snooping
SwitchB(config)#ip igmp snooping vlan 20

When the multicast VLAN carries IPv6 multicast, usage is the same as for IPv4 except that MLD Snooping is used instead of IGMP Snooping, so no separate example is given.

S4600_Configuration Guide Chapter 5 Security Function Configuration

Chapter 5 Security Function Configuration

5.1 ACL

5.1.1 Introduction to ACL


ACL (Access Control List) is a packet filtering mechanism employed in switches. It controls network traffic by permitting or denying packets through the switch, and so helps safeguard the security of the network. The user lays down a set of rules based on information carried in packets; each rule describes the action, 'permit' or 'deny', for a packet matching that information. The rules can be applied to the incoming direction of switch ports, so that the traffic entering those ports must comply with the assigned ACL.

5.1.1.1 Access-list
An access-list is an ordered collection of rules. Each rule consists of filter information and the action taken when the rule is matched. The filter information of a rule is any effective combination of conditions such as source IP, destination IP, IP protocol number, TCP port and UDP port. Access-lists can be categorized by the following criteria:
- Filter information: IP access-list (layer 3 or higher information), MAC access-list (layer 2 information), and MAC-IP access-list (layer 2 and layer 3 or higher information).
- Configuration complexity: standard and extended; the extended form allows more specific filtering.
- Nomenclature: numbered and named.
A description of an ACL should cover all three aspects.

5.1.1.2 Access-group
Once access-lists have been created, they can be applied to the incoming traffic of any port. An access-group is the binding of an access-list to the incoming direction of a specific port. When an access-group is created, every packet entering the port in the incoming direction is compared with the rules of the access-list to decide whether it is permitted or denied.
The current firmware only supports ingress ACL configuration.

5.1.1.3 Access-list Action and Global Default Action


There are two access-list actions and two global default actions: "permit" and "deny". The following rules apply:
- An access-list can consist of several rules. A packet is compared with the rules in order, from the first rule to the first matching rule; the remaining rules are not processed, so rule order decides the result when rules overlap.
- The global default action applies only to packets in the incoming direction on ports where packet filtering is enabled, and only when no ACL is bound to that port or no rule of the bound ACL matches.

5.1.2 ACL Configuration Task List


ACL Configuration Task Sequence:
1. Configuring access-list
(1) Configuring a numbered standard IP access-list
(2) Configuring a numbered extended IP access-list
(3) Configuring a standard IP access-list based on nomenclature
a) Create a standard IP access-list based on nomenclature
b) Specify multiple "permit" or "deny" rule entries
c) Exit ACL Configuration Mode
(4) Configuring an extended IP access-list based on nomenclature
a) Create an extended IP access-list based on nomenclature
b) Specify multiple "permit" or "deny" rule entries
c) Exit ACL Configuration Mode
(5) Configuring a numbered standard MAC access-list
(6) Configuring a numbered extended MAC access-list
(7) Configuring an extended MAC access-list based on nomenclature
a) Create an extended MAC access-list based on nomenclature
b) Specify multiple "permit" or "deny" rule entries
c) Exit ACL Configuration Mode
(8) Configuring a numbered extended MAC-IP access-list
(9) Configuring an extended MAC-IP access-list based on nomenclature
a) Create an extended MAC-IP access-list based on nomenclature
b) Specify multiple "permit" or "deny" rule entries
c) Exit MAC-IP Configuration Mode
(10) Configuring a numbered standard IPv6 access-list
(11) Configuring a standard IPv6 access-list based on nomenclature
a) Create a standard IPv6 access-list based on nomenclature
b) Specify multiple permit or deny rule entries
c) Exit ACL Configuration Mode
2. Configuring the packet filtering function
(1) Enable global packet filtering function


3. Configuring time range function


(1) Create the name of the time range
(2) Configure periodic time range
(3) Configure absolute time range
4. Bind access-list to an incoming direction of the specified port
5. Clear the filtering information of the specified port

1. Configuring access-list
(1) Configuring a numbered standard IP access-list
Command Explanation
Global Mode
access-list <num> {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}}
no access-list <num>
    Creates a numbered standard IP access-list; if the access-list already exists, the rule is added to it. The "no access-list <num>" command deletes the numbered standard IP access-list.
(2) Configuring a numbered extended IP access-list
Command Explanation
Global Mode
access-list <num> {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered ICMP extended IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} igmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<igmp-type>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered IGMP extended IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} tcp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered TCP extended IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered UDP extended IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | <protocol-num>} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered extended IP access rule for another specific IP protocol or for all IP protocols; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
no access-list <num>
    Deletes a numbered extended IP access-list.
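Added example, not the switch firmware: a Python evaluator for the numbered IP access-list syntax in the two tables above, implementing the matching rules of 5.1.1.3. Rules are compared in order, the first match decides, and the global default action applies only when nothing matches. It handles the standard form and the tcp/udp/ip extended forms with s-port/d-port and ranges; ICMP/IGMP types, TCP flags, precedence, tos and time ranges are left out. The rule lines, the management subnet 192.168.10.0/24, the switch address 10.1.1.2 and the packets are constructed, and <sMask>/<dMask> is assumed to be a wildcard mask in the usual sense (1 bits are "don't care"), which the <source-wildcard> naming of the MAC-IP table later in this chapter suggests.

```python
"""First-match evaluation of the guide's numbered IP access-lists (constructed example)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
UNSUPPORTED = ("icmp", "igmp", "eigrp", "gre", "igrp", "ipinip", "ospf")


def _parse_addr(tokens):
    """Consume one address clause: any-source/any-destination, host-* <ip>, or <ip> <mask>."""
    tok = tokens.pop(0)
    if tok in ("any-source", "any-destination"):
        return ANY
    if tok in ("host-source", "host-destination"):
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Assumption: <sMask>/<dMask> is a wildcard mask (1 bits are "don't care"),
    # so the network mask is its bitwise complement.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _parse_ports(tokens, keyword):
    """Consume an optional s-port/d-port clause; return (low, high), or None for any port."""
    if not tokens or tokens[0] != keyword:
        return None
    tokens.pop(0)
    if tokens[0] == "range":
        tokens.pop(0)
        return int(tokens.pop(0)), int(tokens.pop(0))
    port = int(tokens.pop(0))
    return port, port


def parse_rule(line):
    """Parse one 'access-list <num> {deny|permit} ...' line into a rule dict."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("deny", "permit"):
        raise ValueError(f"not an access-list rule: {line}")
    rule = {"list": int(tokens[1]), "action": tokens[2]}
    rest = tokens[3:]
    if rest[0] in UNSUPPORTED or rest[0].isdigit():
        raise ValueError(f"protocol {rest[0]} is not handled by this example")
    if rest[0] in ("tcp", "udp", "ip"):          # extended rule: protocol, source, destination
        rule["proto"] = rest.pop(0)
        rule["src"] = _parse_addr(rest)
        rule["sport"] = _parse_ports(rest, "s-port")
        rule["dst"] = _parse_addr(rest)
        rule["dport"] = _parse_ports(rest, "d-port")
    else:                                         # standard rule: source address only
        rule.update(proto="ip", src=_parse_addr(rest), sport=None, dst=ANY, dport=None)
    return rule


def _port_in(rng, port):
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule, pkt):
    """True when every condition of the rule holds for the packet (protocol 'ip' matches all)."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and _port_in(rule["sport"], pkt.get("sport", 0))
            and _port_in(rule["dport"], pkt.get("dport", 0)))


def evaluate(rules, pkt, default="deny"):
    """Section 5.1.1.3: try rules in order, the first match decides; else the global default."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], index
    return default, None


# Constructed ACL 110: SSH to the switch only from the management subnet, no Telnet, rest permitted.
RULES_110 = [parse_rule(line) for line in (
    "access-list 110 permit tcp 192.168.10.0 0.0.0.255 any-destination d-port 22",
    "access-list 110 deny tcp any-source any-destination d-port 22",
    "access-list 110 deny tcp any-source any-destination d-port 23",
    "access-list 110 permit ip any-source any-destination",
)]


def ssh_from(src):
    """A constructed TCP/22 packet from `src` to the switch address used in 4.4.3."""
    return {"proto": "tcp", "src": src, "dst": "10.1.1.2", "sport": 40000, "dport": 22}


if __name__ == "__main__":
    print(evaluate(RULES_110, ssh_from("192.168.10.5")))   # ('permit', 0)
    print(evaluate(RULES_110, ssh_from("10.0.0.9")))       # ('deny', 1)
    # Swapping the first two rules lets the broad deny shadow the management permit.
    print(evaluate([RULES_110[1], RULES_110[0]], ssh_from("192.168.10.5")))  # ('deny', 0)
```

The reordering at the end is the point of the first-match rule: a specific permit placed after a broader deny is never reached. Dropping the final "permit ip" rule shows the global default action taking over for everything the remaining rules do not match.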
(3) Configuring a standard IP access-list based on nomenclature
a. Create a name-based standard IP access-list
Command Explanation
Global Mode
ip access-list standard <name>
no ip access-list standard <name>
    Creates a standard IP access-list based on nomenclature and enters its configuration mode; the "no ip access-list standard <name>" command deletes the name-based standard IP access-list.
b. Specify multiple "permit" or "deny" rules
Command Explanation
Standard IP ACL Mode
[no] {deny | permit} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}}
    Creates a standard name-based IP access rule; the no form deletes the name-based standard IP access rule.
c. Exit name-based standard IP ACL configuration mode
Command Explanation
Standard IP ACL Mode
exit
    Exits name-based standard IP ACL configuration mode.
(4) Configuring a name-based extended IP access-list
a. Create an extended IP access-list based on nomenclature
Command Explanation
Global Mode
ip access-list extended <name>
no ip access-list extended <name>
    Creates an extended IP access-list based on nomenclature and enters its configuration mode; the "no ip access-list extended <name>" command deletes the name-based extended IP access-list.
b. Specify multiple "permit" or "deny" rules
Command Explanation
Extended IP ACL Mode
[no] {deny | permit} icmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<icmp-type> [<icmp-code>]] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based ICMP IP access rule; the no form deletes this rule.
[no] {deny | permit} igmp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [<igmp-type>] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based IGMP IP access rule; the no form deletes this rule.
[no] {deny | permit} tcp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based TCP IP access rule; the no form deletes this rule.
[no] {deny | permit} udp {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} [s-port {<sPort> | range <sPortMin> <sPortMax>}] {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [d-port {<dPort> | range <dPortMin> <dPortMax>}] [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based UDP IP access rule; the no form deletes this rule.
[no] {deny | permit} {eigrp | gre | igrp | ipinip | ip | ospf | <protocol-num>} {{<sIpAddr> <sMask>} | any-source | {host-source <sIpAddr>}} {{<dIpAddr> <dMask>} | any-destination | {host-destination <dIpAddr>}} [precedence <prec>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based IP access rule for another IP protocol or for all IP protocols; the no form deletes this rule.
c. Exit extended IP ACL configuration mode
Command Explanation
Extended IP ACL Mode
exit
    Exits extended name-based IP ACL configuration mode.

(5) Configuring a numbered standard MAC access-list

Command Explanation
Global Mode
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}}
no access-list <num>
    Creates a numbered standard MAC access-list; if the access-list already exists, the rule is added to it. The "no access-list <num>" command deletes the numbered standard MAC access-list.

(6) Configuring a numbered extended MAC access-list

Command Explanation
Global Mode
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [{untagged-eth2 | tagged-eth2 | untagged-802-3 | tagged-802-3} [<offset1> <length1> <value1> [<offset2> <length2> <value2> [<offset3> <length3> <value3> [<offset4> <length4> <value4>]]]]]
no access-list <num>
    Creates a numbered extended MAC access-list; if the access-list already exists, the rule is added to it. The "no access-list <num>" command deletes the numbered extended MAC access-list.

(7) Configuring an extended MAC access-list based on nomenclature

a. Create an extended MAC access-list based on nomenclature
Command Explanation
Global Mode
mac-access-list extended <name>
no mac-access-list extended <name>
    Creates an extended name-based MAC access-list and enters its configuration mode; the no form deletes the name-based extended MAC access-list.

b. Specify multiple "permit" or "deny" rule entries

Command Explanation
Extended name-based MAC access rule Mode
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [cos <cos-val> [<cos-bitmask>] [vlanId <vid-value> [<vid-mask>] [ethertype <protocol> [<protocol-mask>]]]]
    Creates an extended name-based MAC access rule matching MAC frames; the no form deletes this rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [untagged-eth2 [ethertype <protocol> [<protocol-mask>]]]
    Creates an extended name-based MAC access rule matching untagged Ethernet II frames; the no form deletes this rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [untagged-802-3]
    Creates an extended name-based MAC access rule matching untagged 802.3 frames; the no form deletes this rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [tagged-eth2 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]] [ethertype <protocol> [<protocol-mask>]]]
    Creates an extended name-based MAC access rule matching tagged Ethernet II frames; the no form deletes this rule.
[no] {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} [tagged-802-3 [cos <cos-val> [<cos-bitmask>]] [vlanId <vid-value> [<vid-mask>]]]
    Creates an extended name-based MAC access rule matching tagged 802.3 frames; the no form deletes this rule.

c. Exit ACL Configuration Mode

Command Explanation
Extended name-based MAC access configure Mode
exit
    Quits the extended name-based MAC access configure mode.

(8) Configuring a numbered extended MAC-IP access-list

Command Explanation
Global mode
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered MAC-ICMP extended MAC-IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} igmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered MAC-IGMP extended MAC-IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} tcp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered MAC-TCP extended MAC-IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} udp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered MAC-UDP extended MAC-IP access rule; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
access-list <num> {deny | permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} {eigrp | gre | igrp | ip | ipinip | ospf | {<protocol-num>}} {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates a numbered extended MAC-IP access rule for another specific IP protocol or for all IP protocols; if the numbered extended access-list of the specified number does not exist, an access-list is created with this number.
no access-list <num>
    Deletes this numbered extended MAC-IP access-list.

(9) Configuring an extended MAC-IP access-list based on nomenclature

a. Create an extended MAC-IP access-list based on nomenclature
Command Explanation
Global Mode

mac-ip-access-list extended <name>
no mac-ip-access-list extended <name>
    Creates an extended name-based MAC-IP access-list; the no form command deletes this name-based extended MAC-IP access-list.

b. Specify multiple “permit” or “deny” rule entries

Command Explanation
Extended name-based MAC-IP access Mode

[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} icmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<icmp-type> [<icmp-code>]] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based MAC-ICMP access rule; the no form command deletes this name-based extended MAC-ICMP access rule.

[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} igmp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [<igmp-type>] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based MAC-IGMP access rule; the no form command deletes this name-based extended MAC-IGMP access rule.

[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} tcp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [ack+fin+psh+rst+urg+syn] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based MAC-TCP access rule; the no form command deletes this name-based extended MAC-TCP access rule.

[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} udp {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} [s-port {<port1> | range <sPortMin> <sPortMax>}] {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [d-port {<port3> | range <dPortMin> <dPortMax>}] [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based MAC-UDP access rule; the no form command deletes this name-based extended MAC-UDP access rule.

[no] {deny|permit} {any-source-mac | {host-source-mac <host_smac>} | {<smac> <smac-mask>}} {any-destination-mac | {host-destination-mac <host_dmac>} | {<dmac> <dmac-mask>}} {eigrp|gre|igrp|ip|ipinip|ospf|{<protocol-num>}} {{<source> <source-wildcard>} | any-source | {host-source <source-host-ip>}} {{<destination> <destination-wildcard>} | any-destination | {host-destination <destination-host-ip>}} [precedence <precedence>] [tos <tos>] [time-range <time-range-name>]
    Creates an extended name-based access rule for other IP protocols; the no form command deletes this name-based extended access rule.

c. Exit MAC-IP Configuration Mode

Command Explanation
Extended name-based MAC-IP access Mode

exit
    Quit extended name-based MAC-IP access mode.
(10) Configuring a numbered standard IPv6 access-list

Command Explanation
Global Mode

ipv6 access-list <num> {deny | permit} {{<sIPv6Addr> <sPrefixlen>} | any-source | {host-source <sIpv6Addr>}}
no ipv6 access-list <num>
    Creates a numbered standard IPv6 access-list; if the access-list already exists, a rule is added to the current access-list. The “no ipv6 access-list <num>” command deletes a numbered standard IPv6 access-list.

(11) Configuring a standard IPv6 access-list based on nomenclature

a. Create a standard IPv6 access-list based on nomenclature
Command Explanation
Global Mode

ipv6 access-list standard <name>
no ipv6 access-list standard <name>
    Creates a standard IPv6 access-list based on nomenclature; the no command deletes the name-based standard IPv6 access-list.

b. Specify multiple permit or deny rules
Command Explanation
Standard IPv6 ACL Mode

[no] {deny | permit} {{<sIPv6Prefix/sPrefixlen>} | any-source | {host-source <sIPv6Addr>}}
    Creates a standard name-based IPv6 access rule; the no form command deletes the name-based standard IPv6 access rule.

c. Exit name-based standard IPv6 ACL configuration mode
Command Explanation
Standard IPv6 ACL Mode

exit
    Exits name-based standard IPv6 ACL configuration mode.

2. Configuring packet filtering function

(1) Enable global packet filtering function
Command Explanation
Global Mode

firewall enable
    Enables the global packet filtering function.
firewall disable
    Disables the global packet filtering function.

3. Configuring time range function

(1) Create the name of the time range
Command Explanation
Global Mode

time-range <time_range_name>
    Create a time range named time_range_name.
no time-range <time_range_name>
    Stop the time range function named time_range_name.

(2) Configure periodic time range

Command Explanation
Time range Mode

absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <start_time> to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <end_time>
periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} <start_time> to <end_time>
    Configure a time range within the week; the range recurs every week.
[no] absolute-periodic {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <start_time> to {Monday | Tuesday | Wednesday | Thursday | Friday | Saturday | Sunday} <end_time>
[no] periodic {{Monday+Tuesday+Wednesday+Thursday+Friday+Saturday+Sunday} | daily | weekdays | weekend} <start_time> to <end_time>
    Stop the weekly time range function.

(3) Configure absolute time range

Command Explanation
Global Mode

absolute start <start_time> <start_data> [end <end_time> <end_data>]
    Configure an absolute time range.
[no] absolute start <start_time> <start_data> [end <end_time> <end_data>]
    Stop the function of the time range.

4. Bind access-list to a specific direction of the specified port.

Command Explanation
Physical Port Mode/VLAN Interface Mode

{ip|ipv6|mac|mac-ip} access-group <acl-name> {in|out} [traffic-statistic]
no {ip|ipv6|mac|mac-ip} access-group <acl-name> {in|out}
    Apply an access-list to the ingress or egress direction on the port; the no command deletes the access-list bound to the port.

5. Clear the filtering information of the specified port

Command Explanation
Admin Mode

clear access-group statistic [ethernet <interface-name>]
    Clear the filtering information of the specified port.

5.1.3 ACL Example


Scenario 1:
The user has the following configuration requirement: port 10 of the switch connects to the 10.0.0.0/24 segment, and FTP is not wanted for these users.
Configuration description:
1. Create a proper ACL
2. Configuring packet filtering function
3. Bind the ACL to the port
The configuration steps are listed below:
Switch(config)#access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch(config)#firewall enable
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#ip access-group 110 in
Switch(Config-If-Ethernet1/0/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall status: enable.
Switch#show access-lists
access-list 110(used 1 time(s)) 1 rule(s)
access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21

Switch#show access-group interface ethernet 1/0/10


interface name:Ethernet1/0/10
the ingress acl use in firewall is 110, traffic-statistics Disable.

Scenario 2:

The configuration requirement is stated as below: The switch should drop all 802.3 datagrams with 00-12-11-23-xx-xx as the source MAC address coming from interface 10.
Configuration description:
1. Create the corresponding MAC ACL.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed as below.
Switch(config)#access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
Switch(config)#access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any tagged-802
Switch(config)#firewall enable
Switch(config)#interface ethernet1/0/10
Switch(Config-If-Ethernet1/0/10)#mac access-group 1100 in
Switch(Config-If-Ethernet1/0/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.

Switch #show access-lists
access-list 1100(used 1 time(s))
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac untagged-802-3
access-list 1100 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac
Switch #show access-group interface ethernet 1/0/10
interface name:Ethernet1/0/10
MAC Ingress access-list used is 1100,traffic-statistics Disable.

Scenario 3:
The configuration requirement is stated as below: The MAC address range of the network connected to interface 10 of the switch is 00-12-11-23-xx-xx, and the IP network is 10.0.0.0/24. FTP should be disabled, and ping requests from the outside network should be disabled.
Configuration description:
1. Create the corresponding access list.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed as below.
Switch(config)#access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch(config)#access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255
Switch(config)#firewall enable
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#mac-ip access-group 3110 in
Switch(Config-Ethernet1/0/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.

Switch#show access-lists
access-list 3110(used 1 time(s))
access-list 3110 deny 00-12-11-23-00-00 00-00-00-00-ff-ff any-destination-mac tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
access-list 3110 deny any-source-mac 00-12-11-23-00-00 00-00-00-00-ff-ff icmp any-source 10.0.0.0 0.0.0.255

Switch #show access-group interface ethernet 1/0/10
interface name:Ethernet1/0/10
MAC-IP Ingress access-list used is 3110, traffic-statistics Disable.

Scenario 4:
The configuration requirement is stated as below: The IPv6 protocol runs on interface 600 of the switch, and the IPv6 network address is 2003:1:1:1::0/64. Users in the 2003:1:1:1:66::0/80 subnet should be disabled from accessing the outside network.
Configuration description:
1. Create the corresponding access list.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed as below.
Switch(config)#ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-destination
Switch(config)#ipv6 access-list 600 deny 2003:1:1:1::0/64 any-destination

Switch(config)#firewall enable
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#ipv6 access-group 600 in
Switch(Config-If-Ethernet1/0/10)#exit
Switch(config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.

Switch#show ipv6 access-lists
Ipv6 access-list 600(used 1 time(s))
ipv6 access-list 600 deny 2003:1:1:1::0/64 any-source
ipv6 access-list 600 permit 2003:1:1:1:66::0/80 any-source

Switch #show access-group interface ethernet 1/0/10
interface name:Ethernet1/0/10
IPv6 Ingress access-list used is 600, traffic-statistics Disable.

Scenario 5:
The configuration requirement is stated as below: Interfaces 1, 2, 5 and 7 belong to VLAN 100; the host with IP address 192.168.0.1 should be prevented from accessing the listed interfaces.
Configuration description:
1. Create the corresponding access list.
2. Configure datagram filtering.
3. Bind the ACL to the related interface.
The configuration steps are listed as below.
Switch (config)#firewall enable
Switch (config)#vlan 100
Switch (Config-Vlan100)#switchport interface ethernet 1/0/1;2;5;7
Switch (Config-Vlan100)#exit
Switch (config)#access-list 1 deny host-source 192.168.0.1
Switch (config)#interface ethernet1/0/1;2;5;7
Switch (config-if-port-range)#ip access-group 1 in
Switch (Config-if-Vlan100)#exit

Configuration result:
Switch (config)#show access-group interface vlan 100
Interface VLAN 100:
Ethernet1/0/1: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/0/2: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/0/5: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/0/7: IP Ingress access-list used is 1, traffic-statistics Disable.

5.1.4 ACL Troubleshooting

- Checking for entries in the ACL is done in a top-down order and ends whenever an entry is matched.
- The default rule is used only if no ACL is bound to the incoming direction of the port, or no ACL entry is matched. Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL (via the physical interface mode or VLAN interface mode).
- When four ACLs are bound and a packet matches several of them at the same time, the priority relations are as follows, from highest to lowest. If the priority is the same, the ACL configured first has the higher priority.
  - Ingress IPv6 ACL
  - Ingress MAC-IP ACL
  - Ingress IP ACL
  - Ingress MAC ACL
- The number of ACLs that can be successfully bound depends on the content of the ACLs bound and the hardware resource limit. Users will be prompted if an ACL cannot be bound due to hardware resource limitation.
- If an access-list contains entries with the same filtering information but conflicting action rules, binding it to the port will fail with an error message. For instance, configuring 'permit tcp any any-destination' and 'deny tcp any any-destination' at the same time is not permitted.
- Viruses such as 'worm.blaster' can be blocked by configuring an ACL to block specific ICMP packets or specific TCP or UDP port packets.
- If the physical mode of an interface is TRUNK, an ACL can only be configured through physical interface mode.
- An ACL configured in physical interface mode can only be disabled in physical interface mode. Those configured in VLAN interface configuration mode can only be disabled in VLAN interface mode.
- When a physical interface is added into or removed from a VLAN (with trunk interfaces as exceptions), the ACL configured in the corresponding VLAN will be bound or unbound respectively. If the ACL configured in the target VLAN (configured in VLAN interface mode) conflicts with the existing ACL configuration on the interface (configured in physical interface mode), the configuration will fail to take effect.
- When no physical interfaces remain in the VLAN, the ACL configuration of the VLAN will be removed, and it is not restored when new interfaces are added to the VLAN.
- When the interface mode is changed from access mode to trunk mode, the ACL configured in VLAN interface mode that is bound to the physical interface will be removed. When the interface mode is changed from trunk mode to access mode, the ACL configured in VLAN 1 interface mode will be bound to the physical interface. If the binding fails, the mode change will also fail.
- When removing a VLAN configuration, if there are any ACLs bound to the VLAN, the ACL will be removed from all the physical interfaces belonging to the VLAN, and the VLAN 1 ACL will be bound to them (if an ACL is configured in VLAN 1). If the VLAN 1 ACL binding fails, the VLAN removal operation will fail.
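The first-match evaluation, the default rule, the fixed priority order across the four ingress ACL types and the conflicting-action binding failure described in the points above can be checked against a small model. The Python below is an added illustration, not the switch's own code: the Entry and Acl classes, the check_bindable and ingress_decision functions and the sample packets are all constructed here, and the model assumes that the highest-priority bound ACL which has a matching entry decides the verdict. The wildcard-mask matching follows the 10.0.0.0 0.0.0.255 form used in the scenarios above.

```python
"""Model of the S4600 ACL semantics from 5.1.3 and 5.1.4: top-down first match,
default rule when nothing is bound or matched, IPv6 > MAC-IP > IP > MAC priority,
and rejection of an ACL whose entries share a filter but disagree on the action.
Added illustration with constructed data; not the switch's own code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def ip_matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask as in 'deny tcp 10.0.0.0 0.0.0.255': a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


@dataclass(frozen=True)
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any), "tcp", "udp", "icmp"
    src: str = "0.0.0.0"            # default pair = any-source
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"            # default pair = any-destination
    dst_wc: str = "255.255.255.255"
    d_port: Optional[int] = None    # None = no d-port restriction

    def filter_key(self) -> tuple:
        """Everything except the action: two entries with equal keys are duplicates."""
        return (self.proto, self.src, self.src_wc, self.dst, self.dst_wc, self.d_port)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not ip_matches(pkt["src"], self.src, self.src_wc):
            return False
        if not ip_matches(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.d_port is None or pkt.get("d_port") == self.d_port


@dataclass
class Acl:
    name: str
    entries: list = field(default_factory=list)

    def evaluate(self, pkt: dict) -> Optional[str]:
        """Top-down scan; the first matching entry decides. None = no entry matched."""
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.action
        return None


def check_bindable(acl: Acl) -> Optional[str]:
    """Mirror the binding error: same filter with conflicting actions is refused."""
    seen = {}
    for entry in acl.entries:
        key = entry.filter_key()
        if key in seen and seen[key] != entry.action:
            return f"access-list {acl.name}: conflicting actions for filter {key}"
        seen[key] = entry.action
    return None


# Ingress priority order from 5.1.4, highest first.
PRIORITY = ("ipv6", "mac-ip", "ip", "mac")


def ingress_decision(bound: dict, pkt: dict, default: str = "permit") -> str:
    """bound maps an ACL type ('ipv6', 'mac-ip', 'ip', 'mac') to the Acl bound on
    the port. The highest-priority ACL with a matching entry decides; the default
    rule applies when no ACL is bound or no entry matches (assumption of this model)."""
    for acl_type in PRIORITY:
        acl = bound.get(acl_type)
        if acl is None:
            continue
        verdict = acl.evaluate(pkt)
        if verdict is not None:
            return verdict
    return default


if __name__ == "__main__":
    # Scenario 1 above: access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
    acl110 = Acl("110", [Entry("deny", "tcp", "10.0.0.0", "0.0.0.255", d_port=21)])
    ftp = {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.9", "d_port": 21}
    print(ingress_decision({"ip": acl110}, ftp))               # deny
    print(ingress_decision({"ip": acl110}, dict(ftp, d_port=22)))  # permit (default rule)
```

Running the module shows the scenario 1 verdicts; the test-style checks worth keeping are that a packet to port 22 or from outside 10.0.0.0/24 falls through to the default rule, that a MAC-IP ACL's deny wins over an IP ACL's permit for the same packet, and that check_bindable refuses the 'permit tcp any any-destination' plus 'deny tcp any any-destination' pair.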


5.2 Self-defined ACL

5.2.1 Introduction to Self-defined ACL


ACL (Access Control Lists) is a packet filtering mechanism implemented by the switch, providing network access control by granting or denying access through the switch and effectively safeguarding the security of networks. The user can define a set of rules based on information specific to packets; each rule describes the action for a packet whose information matches: 'permit' or 'deny'. The user can apply such rules to the incoming direction of switch ports, so that data streams on the specified ports must comply with the assigned ACL rules.
Self-defined ACL means that users can configure several self-defined windows as the matching field when configuring an ACL. A self-defined window does not name a specific field; it specifies an offset in the packet and ignores the meaning of the field. It matches the data of fixed byte length starting at that offset position against the configured value and mask.

5.2.1.1 Standard Self-defined ACL Template


A standard self-defined ACL can configure 12 windows, and each of them can specify a start offset position: start of the L3 header (l3start) or start of the L4 header (l4start). Each window can specify an offset with a value from 0 to 178 in units of 2 bytes, namely 0 means a 0-byte offset and 1 means a 2-byte offset. The offset is counted from the start offset position.
A standard self-defined ACL template must be configured with the offset of every window before configuring a standard self-defined ACL list. This template is global and applies to all standard self-defined ACL lists. The standard self-defined ACL template can configure the start offset position and offset for 12 windows at most. A window that is not configured is not available, which means a standard self-defined ACL that uses this window cannot be applied successfully. Once a window in the template is configured, it cannot be modified while a standard self-defined ACL rule is configured with this window; if no standard self-defined ACL rule uses it, the window can be reconfigured, modified or deleted. IPv6 only supports windows 1 to 6; the maximum offset from l3start includes the L2 header, and the maximum offset from l4start includes the L2 and L3 headers.


5.2.1.2 Digital Self-defined ACL


A digital self-defined ACL can configure multiple ACL lists, and each of them can configure multiple rules. One rule can configure the value and mask for 12 windows at most. The length of every window is 2 bytes; the number range of a digital self-defined ACL list is <1200-1299>.

5.2.1.3 Named Self-defined ACL

5.2.1.4 Self-defined ACL Configuration Transmitting


Standard self-defined ACLs and extended self-defined ACLs can both be bound in the in direction of a VLAN or a port. If a self-defined ACL contains a rule which matches the VLAN ID and this ACL is bound to a VLAN, the matching condition for the packet is subject to the VLAN configuration.

5.2.1.5 Special Explanation


Because of the limit of the chip, standard self-defined ACL function cannot be configured
with am, ARP Scanning Prevention or dot1x at the same time. Besides, extended self-defined ACL
function cannot be configured with ipv6 ACL, savi, ip/ipv6 dcscm, ipv6 flow redirect or qos(match
ipv6 acl) at the same time.

5.2.2 Self-defined ACL Configuration


Task list of self-defined ACL configuration:
1. Configure user-defined ACL template
(1) Configure standard user-defined ACL template
2. Configure user-defined ACL
(1) Configure standard user-defined ACL
3. Bind user-defined ACL to specified port
4. Bind user-defined ACL to specified VLAN

1. Configure user-defined ACL template


(1) Configure standard user-defined ACL template
Command Explanation
Global Mode

userdefined-access-list standard offset [window1 {l3start | l4start} <offset>] [window2 {l3start | l4start} <offset>] [window3 {l3start | l4start} <offset>] [window4 {l3start | l4start} <offset>] [window5 {l3start | l4start} <offset>] [window6 {l3start | l4start} <offset>] [window7 {l3start | l4start} <offset>] [window8 {l3start | l4start} <offset>] [window9 {l3start | l4start} <offset>] [window10 {l3start | l4start} <offset>] [window11 {l3start | l4start} <offset>] [window12 {l3start | l4start} <offset>]
no userdefined-access-list standard offset [window1] [window2] [window3] [window4] [window5] [window6] [window7] [window8] [window9] [window10] [window11] [window12]
    Create a standard self-defined ACL template. If the template exists, the corresponding window of the template can be modified; the no command deletes the window of the standard self-defined ACL template. If no window is specified, the standard self-defined ACL template will be deleted.

2. Configure user-defined ACL


(1) Configure standard user-defined ACL
Command Explanation
Global Mode

userdefined-access-list standard <1200-1299> {permit|deny} {window1|window2|window3|window4|window5|window6|window7|window8|window9|window10|window11|window12}
no userdefined-access-list standard <1200-1299> {permit|deny} {window1|window2|window3|window4|window5|window6|window7|window8|window9|window10|window11|window12}
    Create a numbered standard self-defined ACL. If the standard self-defined ACL exists, then a rule will be added to the ACL. The no command deletes a numbered standard self-defined ACL.

3. Bind user-defined ACL to specified port


Command Explanation
Physical Port Mode

[no] userdefined access-group <name> {in} [traffic-statistic]
    Apply a userdefined-access-list to one direction of the port; the traffic-statistic option decides whether a statistical counter is added to the ACL. The no command deletes the configuration bound to the port.

4. Bind user-defined ACL to specified VLAN


Command Explanation
Global Mode

[no] vacl userdefined access-group <name> {in} vlan <vlanId> [traffic-statistic]
    Apply a userdefined-access-list to one direction of the specified VLAN; the traffic-statistic option decides whether a statistical counter is added to the ACL. The no command deletes the configuration bound to the specified VLAN.

5.2.3 Self-defined ACL Example


Scenario 1:
The user has the following configuration requirement: port 10 of the switch connects to the 10.0.0.0/24 segment; FTP is not wanted for these users.
Configuration description:
1. Create a self-defined ACL template according to the condition
2. Create the corresponding self-defined ACL
3. Bind the self-defined ACL to the port
The configuration steps are listed below:
Switch(config)#userdefined-access-list standard offset window1 l3start 4 window2 l4start 1 window3 l3start 3
Switch(config)#userdefined-access-list standard 1300 deny window1 0006 00FF window2 0015 FFFF window3 0A000000 FFFFFF00
Switch(config)#firewall enable
Switch(config)#interface ethernet1/10
Switch(config-if-ethernet1/10)#userdefined access-group 1300 in
Switch(config-if-ethernet1/10)#exit
Switch(config)#exit
Configuration result:
Switch#show access-lists
userdefined-access-list standard 1300(used 1 time(s)) 1 rule(s)
rule ID 1: window1 6 ff window2 15 ffff window3 a000000 ffffff00
Switch#show access-group interface ethernet 1/10
interface name:Ethernet1/10
Userdefined Ingress access-list used is 1300,traffic-statistics Disable.
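The offset arithmetic behind the template above (5.2.1.1: a window names l3start or l4start plus an offset in 2-byte units; 5.2.1.2: every window is 2 bytes and a rule supplies a value and mask per window) is easy to get wrong, so the following Python models it against a constructed Ethernet/IPv4/TCP frame. It is an added illustration, not the switch's own code. The template reuses window1 (l3start 4, the IPv4 TTL/protocol bytes) and window2 (l4start 1, the TCP destination port) from the scenario; window3 is an assumption of this example, set to l3start 6 so that a 2-byte value covers the first half of the source address, since the 4-byte window3 value in the scenario does not fit a 2-byte window.

```python
"""Model of standard self-defined ACL window matching (sections 5.2.1.1-5.2.1.2):
field = 2 bytes at (l3start|l4start) + 2*offset; match when field & mask == value & mask.
Added illustration with a constructed frame; not the switch's own code."""
import struct


def l3_offset(frame: bytes) -> int:
    """Start of the L3 header: after the Ethernet header, 4 bytes later if 802.1Q tagged."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    return 18 if ethertype == 0x8100 else 14


def l4_offset(frame: bytes) -> int:
    """Start of the L4 header: L3 start plus the IPv4 IHL (32-bit words)."""
    l3 = l3_offset(frame)
    ihl = frame[l3] & 0x0F
    return l3 + ihl * 4


def window_field(frame: bytes, start: str, offset: int) -> int:
    """The 2-byte field a template window selects; offset is in 2-byte units."""
    base = l3_offset(frame) if start == "l3start" else l4_offset(frame)
    return struct.unpack_from("!H", frame, base + 2 * offset)[0]


def rule_matches(frame: bytes, template: dict, rule: dict) -> bool:
    """template: window name -> (start, offset); rule: window name -> (value, mask).
    A rule may only use windows the template has configured (5.2.1.1)."""
    for win, (value, mask) in rule.items():
        if win not in template:
            raise ValueError(f"{win} is not configured in the template")
        start, offset = template[win]
        if window_field(frame, start, offset) & mask != value & mask:
            return False
    return True


def build_frame(src_ip, dst_ip, sport: int, dport: int) -> bytes:
    """Constructed untagged Ethernet II frame carrying IPv4/TCP (sample input only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol=6 (TCP), checksum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes(src_ip), bytes(dst_ip))
    # sport, dport, seq, ack, data offset (5 words), flags=SYN, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr


# Template: window1/window2 as in the scenario; window3 is this example's assumption.
TEMPLATE = {
    "window1": ("l3start", 4),   # IPv4 bytes 8-9: TTL, protocol
    "window2": ("l4start", 1),   # TCP bytes 2-3: destination port
    "window3": ("l3start", 6),   # IPv4 bytes 12-13: first half of the source address
}
# deny window1 0006 00FF window2 0015 FFFF window3 0A00 FFFF  (TCP, port 21, from 10.0.x.x)
DENY_FTP_FROM_10_0 = {
    "window1": (0x0006, 0x00FF),
    "window2": (0x0015, 0xFFFF),
    "window3": (0x0A00, 0xFFFF),
}

if __name__ == "__main__":
    frame = build_frame([10, 0, 0, 5], [198, 51, 100, 9], 40000, 21)
    print("ftp from 10.0.0.5 denied:", rule_matches(frame, TEMPLATE, DENY_FTP_FROM_10_0))
```

Note that window1's mask 00FF discards the TTL byte that shares the window with the protocol number, which is exactly why the scenario's rule uses that mask; a rule referencing a window absent from the template raises, mirroring the text's statement that an unconfigured window cannot be used.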

5.2.4 Self-defined ACL Troubleshooting



5.3 802.1x

5.3.1 Introduction to 802.1x


The 802.1x protocol originates from the 802.11 protocol, the wireless LAN protocol of IEEE, which was designed to provide a solution for authenticating users accessing a wireless LAN. The LAN defined in the IEEE 802 LAN protocol does not provide access authentication, which means that as long as users can reach a LAN controlling device (such as a LAN switch), they are able to reach all the devices and resources in the LAN. This posed no great danger in the LAN environment of early enterprise networks.
However, with the boom of applications such as mobile office and service operating networks, service providers need to control and configure user access. The prevailing application of WLAN and LAN access in telecommunication networks, in particular, makes it necessary to control ports in order to implement user-level access control. As a result, the IEEE LAN/WAN committee defined a standard, 802.1x, for Port-Based Network Access Control. This standard has been widely used in wireless LANs and Ethernet.
“Port-Based Network Access Control” means authenticating and controlling the user devices at the level of the ports of LAN access devices. Only when the user devices connected to the ports pass authentication can they access the resources in the LAN; otherwise, the resources in the LAN are not available.

5.3.1.1 The Authentication Structure of 802.1x


The system using 802.1x has a typical Client/Server structure, which contains three entities
(as illustrated in the next figure): Supplicant system, Authenticator system, and Authentication
server system.

Figure 5-1 The Authentication Structure of 802.1x

- The supplicant system is an entity on one end of the LAN segment that should be authenticated by the access controlling unit on the other end of the link. A supplicant system usually is a user terminal device. Users start 802.1x authentication by starting the supplicant system software. A supplicant system should support EAPOL (Extensible Authentication Protocol over LAN).
- The authenticator system is the entity on the other end of the LAN segment that authenticates the connected supplicant systems. An authenticator system usually is a network device supporting the 802.1x protocol, providing ports through which supplicant systems access the LAN. The ports provided can be either physical or logical.
- The authentication server system is an entity that provides authentication service for authenticator systems. The authentication server system is used to authenticate and authorize users as well as to do accounting, and usually is a RADIUS (Remote Authentication Dial-In User Service) server, which stores the relevant user information, including username, password and other parameters such as the VLAN and ports the user belongs to.

The three entities above involve the following basic concepts: the PAE of the port, the controlled ports and the controlled direction.

1. PAE
PAE (Port Access Entity) is the entity that implements the operation of the algorithms and protocols.
- The PAE of the supplicant system responds to authentication requests from the authenticator system and submits the user's authentication information to the authenticator system. It can also send authentication requests and off-line requests to the authenticator.
- The PAE of the authenticator system authenticates the supplicant systems that need to access the LAN via the authentication server system, and sets the authenticated/unauthenticated state of the controlled port according to the result of the authentication. The authenticated state means the user is allowed to access the network resources; the unauthenticated state means only EAPOL messages are allowed to be received and sent, while the user is forbidden to access network resources.

2. Controlled/uncontrolled ports
The authenticator system provides ports through which supplicant systems access the LAN. These ports can be divided into two kinds of logical ports: controlled ports and uncontrolled ports.
- The uncontrolled port is always in bi-directionally connected status and is mainly used to transmit EAPOL protocol frames, to guarantee that supplicant systems can always send or receive authentication messages.
- The controlled port is in connected status only when authenticated, and then transmits service messages. When unauthenticated, no message from supplicant systems is allowed to be received.
- The controlled and uncontrolled ports are two parts of one port, which means each frame reaching this port is visible on both the controlled and uncontrolled ports.

3. Controlled direction
In unauthenticated status, controlled ports can be set as unidirectionally controlled or bi-directionally controlled.
- When the port is bi-directionally controlled, the sending and receiving of all frames is forbidden.
- When the port is unidirectionally controlled, no frames can be received from the supplicant systems, while sending frames to the supplicant systems is allowed.

Notes: At present, this kind of switch only supports unidirectional control.

5.3.1.2 The Work Mechanism of 802.1x


The IEEE 802.1x authentication system uses EAP (Extensible Authentication Protocol) to exchange authentication information between the supplicant system, the authenticator system and the authentication server system.

Figure 5-2 The Work Mechanism of 802.1x

- EAP messages adopt the EAPOL encapsulation format between the PAE of the supplicant system and the PAE of the authenticator system in the LAN environment.
- Between the PAE of the authenticator system and the RADIUS server, there are two methods to exchange information: in one, EAP messages adopt the EAPOR (EAP over RADIUS) encapsulation format within the RADIUS protocol; in the other, EAP messages terminate at the PAE of the authenticator system, which uses messages containing PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) attributes for the authentication interaction with the RADIUS server.
- When the user passes authentication, the authentication server system sends the relevant user information to the authenticator system, and the PAE of the authenticator system decides the authenticated/unauthenticated status of the controlled port according to the authentication result of the RADIUS server.

5.3.1.3 The Encapsulation of EAPOL Messages

1. The Format of EAPOL Data Packets
EAPOL is a message encapsulation format defined in the 802.1x protocol, mainly used to transmit EAP messages between the supplicant system and the authenticator system so that EAP messages can be carried over the LAN. In an IEEE 802/Ethernet LAN environment, the format of an EAPOL packet is illustrated in the next figure. The EAPOL packet begins at the Type/Length domain of the MAC frame.

Figure 5-3 the Format of EAPOL Data Packet

PAE Ethernet Type: represents the type of the protocol, whose value is 0x888E.
Protocol Version: represents the version of the protocol supported by the sender of the EAPOL data packet.
Type: represents the type of the EAPOL data packet, including:
• EAP-Packet (value 0x00): the authentication information frame, used to carry EAP messages. This kind of frame can pass through the authenticator system to transmit EAP messages between the supplicant system and the authentication server system.
• EAPOL-Start (value 0x01): the frame that starts authentication.
• EAPOL-Logoff (value 0x02): the frame requesting to quit.
• EAPOL-Key (value 0x03): the key information frame.
• EAPOL-Encapsulated-ASF-Alert (value 0x04): used to support the alerting messages of ASF (Alert Standard Forum). This kind of frame encapsulates network management information such as all kinds of alerting information, and is terminated by terminal devices.
Length: represents the length of the data, that is, the length of the “Packet Body”, in bytes. There is no following data domain when its value is 0.
Packet Body: represents the content of the data, which is in different formats according to the different types.

2. The Format of EAP Data Packets

When the value of the Type domain in an EAPOL packet is EAP-Packet, the Packet Body is in EAP format (illustrated in the next figure).

Figure 5-4 the Format of EAP Data Packets

Code: specifies the type of the EAP packet. There are four of them in total: Request (1), Response (2), Success (3), Failure (4).
• There is no Data domain in packets whose type is Success or Failure, and the value of the Length domain in such packets is 4.
• The format of the Data domain in packets whose type is Request or Response is illustrated in the next figure. Type is the authentication type of EAP, and the content of the Type data depends on the type. For example, when the value of the type is 1, it means Identity, and is used to query the identity of the other side. When the type is 4, it means MD5-Challenge, which, like the PPP CHAP protocol, carries challenge messages.

Figure 5-5 the Format of Data Domain in Request and Response Packets
Identifier: assists in matching the Request and Response messages.
Length: the length of the EAP packet, covering the Code, Identifier, Length and Data domains, in bytes.
Data: the content of the EAP packet, depending on the Code type.
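The EAPOL and EAP layouts described above, as an added Python example that is not part of the original guide: it parses an EAPOL frame the way an authenticator PAE would, checks the PAE Ethernet Type 0x888E, the Type values 0x00 to 0x04 and the Length domain, and applies the rule that Success and Failure packets must have Length 4 while Request and Response packets start their Data domain with a Type byte. The sample frames, the source MAC address, the identifiers and the identity "alice" are constructed for the example; the destination 01:80:C2:00:00:03 is the PAE group address defined by IEEE 802.1X.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                        # PAE Ethernet Type from the text
PAE_GROUP_ADDR = bytes.fromhex("0180C2000003")  # IEEE 802.1X PAE group address
SAMPLE_SRC_MAC = bytes.fromhex("001122334455")  # constructed sample source MAC

EAPOL_TYPES = {0x00: "EAP-Packet", 0x01: "EAPOL-Start", 0x02: "EAPOL-Logoff",
               0x03: "EAPOL-Key", 0x04: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


def build_eapol_frame(eapol_type: int, body: bytes = b"", version: int = 1) -> bytes:
    """Build a sample Ethernet frame: dst | src | EtherType | Version | Type | Length | Body."""
    return (PAE_GROUP_ADDR + SAMPLE_SRC_MAC + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", version, eapol_type, len(body)) + body)


def parse_eap(body: bytes) -> dict:
    """Parse the EAP packet carried in the Packet Body of an EAP-Packet frame."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(body):
        raise ValueError("EAP Length does not fit the packet")
    eap = {"code": EAP_CODES[code], "identifier": identifier, "length": length}
    if code in (3, 4):
        # Success/Failure carry no Data domain, so Length must be exactly 4
        if length != 4:
            raise ValueError("Success/Failure packets must have Length 4")
        return eap
    # Request/Response: the Data domain starts with the one-byte EAP Type
    if length < 5:
        raise ValueError("Request/Response packets must carry a Type byte")
    eap_type = body[4]
    eap["eap_type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
    eap["type_data"] = body[5:length]    # e.g. the identity string or the MD5 challenge
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL frame; reject anything that does not match the documented layout."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPOL header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04X}")
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    if eapol_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL Type {eapol_type}")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL Length claims more bytes than the frame holds")
    result = {"version": version, "type": EAPOL_TYPES[eapol_type], "length": length,
              "src_mac": frame[6:12].hex(":")}
    if eapol_type == 0x00:
        result["eap"] = parse_eap(body)      # an EAP-Packet with Length 0 is rejected here
    return result


# Constructed samples: the supplicant starts, the authenticator asks for the identity,
# the supplicant answers "alice", and the server's verdict is relayed as Success.
SAMPLE_START = build_eapol_frame(0x01)
SAMPLE_REQUEST_IDENTITY = build_eapol_frame(0x00, struct.pack("!BBHB", 1, 1, 5, 1))
SAMPLE_RESPONSE_IDENTITY = build_eapol_frame(
    0x00, struct.pack("!BBHB", 2, 1, 5 + 5, 1) + b"alice")
SAMPLE_SUCCESS = build_eapol_frame(0x00, struct.pack("!BBH", 3, 2, 4))

if __name__ == "__main__":
    for frame in (SAMPLE_START, SAMPLE_REQUEST_IDENTITY, SAMPLE_RESPONSE_IDENTITY, SAMPLE_SUCCESS):
        print(parse_eapol(frame))
```

The parser raises rather than guessing on a bad Length or an unknown Type, which is the behaviour a PAE needs so that a malformed frame cannot be mistaken for a valid authentication result.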

5.3.1.4 The Encapsulation of EAP Attributes

RADIUS adds two attributes to support EAP authentication: EAP-Message and Message-Authenticator. Please refer to the introduction of the RADIUS protocol in “AAA-RADIUS-HWTACACS operation” for the format of RADIUS messages.
1. EAP-Message
As illustrated in the next figure, this attribute is used to encapsulate an EAP packet; its type code is 79, and the String domain should be no longer than 253 bytes. If the data length of an EAP packet is larger than 253 bytes, the packet can be divided into fragments, which are then encapsulated in several EAP-Message attributes in their original order.

Figure 5-6 the Encapsulation of EAP-Message Attribute

2. Message-Authenticator
As illustrated in the next figure, this attribute is used with authentication methods like EAP and CHAP to prevent the access request packets from being eavesdropped. Message-Authenticator must be included in packets containing the EAP-Message attribute, or the packet will be dropped as invalid.

Figure 5-7 Message-Authenticator Attribute
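An added Python example (not from the guide) of the two attributes just described, as a RADIUS client and server would use them: an EAP packet longer than 253 bytes is split in order into EAP-Message attributes (type 79, from the text), and the Access-Request is sealed with a Message-Authenticator, which RFC 3579 defines as attribute type 80 carrying an HMAC-MD5 over the whole packet computed with the attribute's own 16 value bytes set to zero. The server-side check drops a request that carries EAP-Message without a valid Message-Authenticator, as the text requires. The shared secret, the Request Authenticator and the EAP payload are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_EAP_MESSAGE = 79            # type code given in the text
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579
EAP_MESSAGE_MAX = 253            # longest String domain of one EAP-Message
RADIUS_HEADER_LEN = 20           # Code, Identifier, Length, Request Authenticator


def eap_message_attributes(eap_packet: bytes) -> bytes:
    """Split an EAP packet into EAP-Message attributes of at most 253 bytes, in order."""
    out = b""
    for offset in range(0, len(eap_packet), EAP_MESSAGE_MAX):
        chunk = eap_packet[offset:offset + EAP_MESSAGE_MAX]
        out += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return out


def build_access_request(identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append a Message-Authenticator and fill it with HMAC-MD5(secret, packet with zeroed MAC)."""
    placeholder = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    length = RADIUS_HEADER_LEN + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_auth
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + mac


def iter_attributes(packet: bytes):
    """Yield (type, value, offset) for each attribute; refuse lengths that run off the packet."""
    pos = RADIUS_HEADER_LEN
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("attribute length runs past the end of the packet")
        yield atype, packet[pos + 2:pos + alen], pos
        pos += alen


def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: the Length field must match, and any packet carrying EAP-Message
    must carry exactly one 16-byte Message-Authenticator that verifies."""
    if len(packet) < RADIUS_HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    has_eap, ma_offset = False, None
    try:
        for atype, value, offset in iter_attributes(packet):
            if atype == ATTR_EAP_MESSAGE:
                has_eap = True
            elif atype == ATTR_MESSAGE_AUTHENTICATOR:
                if len(value) != 16 or ma_offset is not None:
                    return False
                ma_offset = offset
    except ValueError:
        return False
    if ma_offset is None:
        return not has_eap          # EAP-Message without Message-Authenticator: drop
    received = packet[ma_offset + 2:ma_offset + 18]
    zeroed = packet[:ma_offset + 2] + bytes(16) + packet[ma_offset + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def reassemble_eap(packet: bytes) -> bytes:
    """Concatenate the EAP-Message fragments in packet order to recover the EAP packet."""
    return b"".join(v for t, v, _ in iter_attributes(packet) if t == ATTR_EAP_MESSAGE)


# Constructed samples: a 305-byte EAP Response (Code 2, Identifier 7, Type 1 Identity) so that
# it needs two EAP-Message fragments, a fixed Request Authenticator and a toy shared secret.
SAMPLE_SECRET = b"test"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_EAP = struct.pack("!BBHB", 2, 7, 305, 1) + b"x" * 300
SAMPLE_PACKET = build_access_request(
    1, SAMPLE_REQUEST_AUTH, eap_message_attributes(SAMPLE_EAP), SAMPLE_SECRET)

if __name__ == "__main__":
    print("fragments:", sum(1 for t, _, _ in iter_attributes(SAMPLE_PACKET) if t == ATTR_EAP_MESSAGE))
    print("verifies:", verify_access_request(SAMPLE_PACKET, SAMPLE_SECRET))
```

Because the HMAC covers the whole packet, changing any byte of the relayed EAP payload, or using a different shared secret, makes the Message-Authenticator fail and the request is discarded before the EAP content is looked at.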

5.3.1.5 The Authentication Methods of 802.1x

The authentication can be started either by the supplicant system on its own initiative or by the device. When the device detects unauthenticated users accessing the network, it sends the supplicant system EAP-Request/Identity messages to start authentication. On the other hand, the supplicant system can send an EAPOL-Start message to the device via supplicant software.
802.1x systems support the EAP relay method and the EAP termination method to implement authentication with the remote RADIUS server. The following is a description of the process of these two authentication methods, both started by the supplicant system.

5.3.1.5.1 EAP Relay Mode

EAP relay is specified in the IEEE 802.1x standard to carry EAP in other high-level protocols, such as EAP over RADIUS, making sure that extended authentication protocol messages can reach the authentication server through complicated networks. In general, EAP relay requires the RADIUS server to support the EAP attributes EAP-Message and Message-Authenticator.
EAP is a widely used authentication framework that carries the actual authentication protocol rather than being a special authentication mechanism itself. EAP provides some common functions and allows the authentication mechanisms to be negotiated; these mechanisms are called EAP methods. The advantage of EAP is that the EAP mechanism working as a base needs no adjustment when a new authentication protocol appears. The following figure illustrates the protocol stack of the EAP authentication method.

Figure 5-8 the Protocol Stack of EAP Authentication Method

By now, more than 50 EAP authentication methods have been developed, differing in the authentication mechanism and the management of keys. The 4 most common EAP authentication methods are listed as follows:
• EAP-MD5
• EAP-TLS (Transport Layer Security)
• EAP-TTLS (Tunneled Transport Layer Security)
• PEAP (Protected Extensible Authentication Protocol)
They are described in detail in the following part.

Attention:
• The switch, as the access controlling unit of pass-through, does not check the content of a particular EAP method, so it can support all the EAP methods above and all the EAP authentication methods that may be extended in the future.
• In EAP relay, if any of the authentication methods EAP-MD5, EAP-TLS, EAP-TTLS and PEAP is adopted, the authentication methods of the supplicant system and the RADIUS server should be the same.

1. EAP-MD5 Authentication Method

EAP-MD5 is an IETF open standard that provides the least security, since the MD5 hash function is vulnerable to dictionary attacks.
The following figure illustrates the basic operation flow of the EAP-MD5 authentication method.

Figure 5-9 the Authentication Flow of 802.1x EAP-MD5

2. EAP-TLS Authentication Method
EAP-TLS was brought up by Microsoft based on the EAP and TLS protocols. It uses PKI to protect the identity authentication between the supplicant system and the RADIUS server and the dynamically generated session keys, requiring both the supplicant system and the Radius authentication server to possess digital certificates to implement bidirectional authentication. It is the earliest EAP authentication method used in wireless LAN. Since every user must have a digital certificate, this method is rarely used in practice because of the difficult maintenance. However, it is still one of the safest EAP standards, and enjoys prevailing support from the vendors of wireless LAN hardware and software.
The following figure illustrates the basic operation flow of the EAP-TLS authentication method.

Figure 5-10 the Authentication Flow of 802.1x EAP-TLS

3. EAP-TTLS Authentication Method
EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide authentication as strong as that provided by EAP-TLS, but without requiring users to have their own digital certificates. The only requirement is that the Radius server should have a digital certificate. The authentication of users’ identity is implemented with passwords transmitted in a securely encrypted tunnel established via the certificate of the authentication server. Any kind of authentication request, including EAP, PAP and MS-CHAPv2, can be transmitted within TTLS tunnels.

4. PEAP Authentication Method

EAP-PEAP was brought up by Cisco, Microsoft and RSA Security as a recommended open standard. It has long been utilized in products and provides very good security. Its protocol and security design is similar to that of EAP-TTLS, using a server’s PKI certificate to establish a secure TLS tunnel in order to protect user authentication.
The following figure illustrates the basic operation flow of the PEAP authentication method.

Figure 5-11 the Authentication Flow of 802.1x PEAP

5.3.1.5.2 EAP Termination Mode

In this mode, EAP messages are terminated in the access control unit and mapped into RADIUS messages, which are used to implement authentication, authorization and accounting. The basic operation flow is illustrated in the next figure.
In EAP termination mode, the access control unit and the RADIUS server can use the PAP or CHAP authentication method. The following figure demonstrates the basic operation flow using the CHAP authentication method.

Figure 5-12 the Authentication Flow of 802.1x EAP Termination Mode

5.3.1.6 The Extension and Optimization of 802.1x

Besides supporting the port-based access authentication method specified by the protocol, devices also extend and optimize it when implementing the EAP relay mode and EAP termination mode of 802.1x.
• Supports applications in which one physical port can have more than one user.
• There are three access control methods (the methods to authenticate users): port-based, MAC-based and user-based (IP address + MAC address + port).
  • When the port-based method is used, as long as the first user of this port passes the authentication, all the other users can access the network resources without being authenticated. However, once the first user goes offline, the network becomes unavailable to all the other users.
  • When the MAC-based method is used, all the users accessing a port are authenticated separately; only those who pass the authentication can access the network, while the others cannot. When one user goes offline, the other users are not affected.
  • When the user-based (IP address + MAC address + port) method is used, all users can access limited resources before being authenticated. There are two kinds of control in this method: standard control and advanced control. User-based standard control does not restrict the access to limited resources, which means all users of this port can access limited resources before being authenticated. User-based advanced control restricts the access to limited resources, so only some particular users of the port can access limited resources before being authenticated. Once those users pass the authentication, they can access all resources.

Attention: when using private supplicant systems, user-based advanced control is recommended to effectively prevent ARP spoofing.
The maximum number of authenticated users can be 4000, but fewer than 2000 is preferred.

5.3.1.7 The Features of VLAN Allocation

1. Auto VLAN
The Auto VLAN feature enables the RADIUS server to change the VLAN to which the access port belongs, based on the user information and the user access device information. When an 802.1x user passes authentication on the server, the RADIUS server sends the authorization information to the device; if the RADIUS server has enabled the VLAN-assigning function, the following attributes should be included in the Access-Accept messages:
• Tunnel-Type = VLAN (13)
• Tunnel-Medium-Type = 802 (6)
• Tunnel-Private-Group-ID = VLANID
The VLANID here means the VID of the VLAN, ranging from 1 to 4094. For example, Tunnel-Private-Group-ID = 30 means VLAN 30.
When the switch receives the assigned Auto VLAN information, the current Access port leaves the VLAN set by the user and joins the Auto VLAN.
Auto VLAN does not change or affect the port’s configuration. But the priority of the Auto VLAN is higher than that of the user-set VLAN, that is, the Auto VLAN is the one that takes effect when the authentication is finished, while the user-set VLAN does not take effect again until the user goes offline.

Notes: At present, Auto VLAN can only be used in the port-based access control mode, and on ports whose link type is Access.
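An added Python example (not the guide's code) of how an authenticator would read the three attributes above out of an Access-Accept. The attribute numbers come from RFC 2868, not from the guide: Tunnel-Type is 64, Tunnel-Medium-Type is 65 and Tunnel-Private-Group-ID is 81, and each carries a one-byte Tag before its value (a leading byte above 0x1F is not a tag but the first byte of the string). The checks mirror the text: Tunnel-Type must be VLAN (13), Tunnel-Medium-Type must be 802 (6), and the group ID must be a VID from 1 to 4094; anything else yields no VLAN change. The Response Authenticator of the sample packet is left as zeros because this example does not verify it; the identifiers and group IDs are constructed.

```python
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64               # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13               # values named in the text
TUNNEL_MEDIUM_802 = 6
RADIUS_HEADER_LEN = 20


def iter_attributes(packet: bytes):
    """Yield (type, value) pairs; refuse attribute lengths that run off the packet."""
    pos = RADIUS_HEADER_LEN
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("attribute length runs past the end of the packet")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def split_tag(value: bytes):
    """RFC 2868 tagged attribute: a first byte of 0x00..0x1F is the Tag, otherwise untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(access_accept: bytes):
    """Return the VID an Access-Accept assigns, or None when the attributes are absent,
    inconsistent, not VLAN/802, or outside the 1..4094 range."""
    if len(access_accept) < RADIUS_HEADER_LEN or access_accept[0] != ACCESS_ACCEPT:
        return None
    wanted = {ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID}
    by_tag = {}                     # the three attributes of one assignment share a Tag
    try:
        for atype, value in iter_attributes(access_accept):
            if atype in wanted:
                tag, data = split_tag(value)
                by_tag.setdefault(tag, {})[atype] = data
    except ValueError:
        return None
    for attrs in by_tag.values():
        if set(attrs) != wanted:
            continue
        if int.from_bytes(attrs[ATTR_TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(attrs[ATTR_TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_802:
            continue
        group_id = attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID]
        if not group_id.isdigit():
            continue
        vid = int(group_id)
        if 1 <= vid <= 4094:
            return vid
    return None


def build_access_accept(identifier: int, group_id: bytes, tunnel_type: int = TUNNEL_TYPE_VLAN,
                        medium: int = TUNNEL_MEDIUM_802, tag: int = 0,
                        include_medium: bool = True) -> bytes:
    """Constructed Access-Accept for the samples; the Response Authenticator is left as zeros."""
    attrs = struct.pack("!BBB", ATTR_TUNNEL_TYPE, 6, tag) + tunnel_type.to_bytes(3, "big")
    if include_medium:
        attrs += struct.pack("!BBB", ATTR_TUNNEL_MEDIUM_TYPE, 6, tag) + medium.to_bytes(3, "big")
    attrs += struct.pack("!BBB", ATTR_TUNNEL_PRIVATE_GROUP_ID, 3 + len(group_id), tag) + group_id
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, RADIUS_HEADER_LEN + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    print(assigned_vlan(build_access_accept(1, b"30")))        # the text's example: VLAN 30
    print(assigned_vlan(build_access_accept(2, b"4095")))      # out of range: None
```

Grouping by Tag matters when a server returns more than one tunnel assignment; the function only accepts a group in which all three attributes are present and consistent, so a stray Tunnel-Private-Group-ID on its own never moves the port.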

2. Guest VLAN
The Guest VLAN feature is used to allow unauthenticated users to access some specified resources.
The user authentication port belongs to a default VLAN (the Guest VLAN) before passing the 802.1x authentication, with the right to access the resources within this VLAN without authentication, but the resources in other networks are beyond reach. Once authenticated, the port leaves the Guest VLAN, and the user can access the resources of other networks.
In the Guest VLAN, users can get 802.1x supplicant system software, update the supplicant system or update some other applications (such as anti-virus software or operating system patches). The access device adds the port into the Guest VLAN if no supplicant is authenticated successfully within a certain stretch of time because of a missing exclusive authentication supplicant system or a supplicant system whose version is too low.
Once the 802.1x feature is enabled and the Guest VLAN is configured properly, a port is added into the Guest VLAN, just like an Auto VLAN, if there is no response message from the supplicant system after the device has sent more authentication-triggering messages (EAP-Request/Identity) from the port than the upper limit.
• The authentication server assigns an Auto VLAN, and then the port leaves the Guest VLAN and joins the assigned Auto VLAN. When the user goes offline, the port is allocated to the specified Guest VLAN again.
• The authentication server assigns an Auto VLAN, and then the port leaves the Guest VLAN and joins the specified VLAN. When the user goes offline, the port is allocated to the specified Guest VLAN again.

5.3.2 802.1x Configuration Task List

802.1x Configuration Task List:
1. Enable IEEE 802.1x function
2. Access management unit property configuration
3. User access devices related property configuration (optional)

3. Supplicant related property configuration

Command                                   Explanation
Global Mode
dot1x max-req <count>                     Sets the number of EAP Request/MD5 frames to be sent before
no dot1x max-req                          the switch re-initiates authentication on no supplicant
                                          response; the no command restores the default setting.
dot1x re-authentication                   Enables periodical supplicant authentication; the no
no dot1x re-authentication                command disables this function.
dot1x timeout quiet-period <seconds>      Sets the time to keep silent on port authentication failure;
no dot1x timeout quiet-period             the no command restores the default value.
dot1x timeout re-authperiod <seconds>     Sets the supplicant re-authentication interval; the no
no dot1x timeout re-authperiod            command restores the default setting.
dot1x timeout tx-period <seconds>         Sets the interval for re-transmitting the EAP Request/Identity
no dot1x timeout tx-period                frame to the supplicant; the no command restores the
                                          default setting.
dot1x re-authenticate [interface          Enables IEEE 802.1x re-authentication (no timeout wait
<interface-name>]                         required) for all ports or a specified port.

5.3.3 802.1x Application Example

5.3.3.1 Examples of Guest Vlan Applications

[Figure 5-13 the Network Topology of Guest VLAN: User on Ethernet1/0/2 (VLAN100); Update server on Ethernet1/0/3 (VLAN10); Authenticator server (VLAN2); Internet via Ethernet1/0/6 (VLAN5)]

Notes: in the figures in this section, E2 means Ethernet 1/0/2, E3 means Ethernet 1/0/3 and E6 means Ethernet 1/0/6.
As shown in the figure above, a switch accesses the network using 802.1x authentication, with a RADIUS server as its authentication server. Ethernet1/0/2, the port through which the user accesses the switch, belongs to VLAN100; the authentication server is in VLAN2; the Update Server, in VLAN10, is for the user to download and update supplicant system software; Ethernet1/0/6, the port used by the switch to access the Internet, is in VLAN5.
[Figure 5-14 User Joining Guest VLAN: the same topology, with Ethernet1/0/2 now in VLAN10]

As illustrated in the figure above, on the switch port Ethernet1/0/2 the 802.1x feature is enabled, and VLAN10 is set as the port’s Guest VLAN. Before the user gets authenticated, or when the user fails to do so, port Ethernet1/0/2 is added into VLAN10, allowing the user to access the Update Server.

[Figure 5-15 User Being Online, VLAN Being Offline: the same topology, with Ethernet1/0/2 now in VLAN5]

As illustrated in the figure above, when the user comes online after a successful authentication, the authentication server assigns VLAN5, which puts the user and Ethernet1/0/6 both in VLAN5, allowing the user to access the Internet.
The following are the configuration steps:
# Configure RADIUS server.
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable

# Create VLAN100.
Switch(config)#vlan 100

# Enable the global 802.1x function
Switch(config)#dot1x enable

# Enable the 802.1x function on port Ethernet1/0/2
Switch(config)#interface ethernet1/0/2
Switch(Config-If-Ethernet1/0/2)#dot1x enable

# Set the link type of the port as access mode.
Switch(Config-If-Ethernet1/0/2)#switchport mode access

# Set the access control mode on the port as portbased.
Switch(Config-If-Ethernet1/0/2)#dot1x port-method portbased

# Set the port’s Guest VLAN as 100.
Switch(Config-If-Ethernet1/0/2)#dot1x guest-vlan 100
Switch(Config-If-Ethernet1/0/2)#exit

Users can check the Guest VLAN configuration with the command show running-config or show interface ethernet1/0/2. When there is no online user, no user has failed authentication or gone offline, and more authentication-triggering messages (EAP-Request/Identity) have been sent than the defined upper limit, users can check whether the Guest VLAN configured on the port has taken effect with the command show vlan id 100.

5.3.3.2 Examples of IPv4 Radius Applications

[Figure 5-16 IEEE 802.1x Configuration Example Topology: addresses shown are 10.1.1.1, 10.1.1.2 (switch) and 10.1.1.3 (Radius Server)]

The PC is connected to port 1/0/2 of the switch; IEEE 802.1x authentication is enabled on port 1/0/2; the access mode is the default MAC-based authentication. The switch IP address is 10.1.1.2. Any port other than port 1/0/2 is used to connect to the RADIUS authentication server, which has the IP address 10.1.1.3 and uses the default port 1812 for authentication and port 1813 for accounting. IEEE 802.1x authentication client software is installed on the PC and is used in IEEE 802.1x authentication.
The configuration procedures are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
Switch(config)#dot1x enable
Switch(config)#interface ethernet 1/0/2
Switch(Config-Ethernet1/0/2)#dot1x enable
Switch(Config-Ethernet1/0/2)#exit

5.3.3.3 Examples of IPv6 Radius Application

[Figure 5-17 IPv6 Radius: addresses shown are 2004:1:2:3::1, 2004:1:2:3::2 (switch) and 2004:1:2:3::3 (Radius Server)]

Connect the computer to interface 1/0/2 of the switch, and enable IEEE 802.1x on interface 1/0/2. Use MAC-based authentication. Configure the IP address of the switch as 2004:1:2:3::2, and connect the switch to the RADIUS authentication server with any interface except interface 1/0/2. Configure the IP address of the RADIUS server to be 2004:1:2:3::3. Use the default ports 1812 and 1813 for authentication and accounting respectively. Install the IEEE 802.1x authentication client software on the computer, and use the client for IEEE 802.1x authentication.
The detailed configurations are listed below:
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ipv6 address 2004:1:2:3::2/64
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 2004:1:2:3::3
Switch(config)#radius-server accounting host 2004:1:2:3::3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable
Switch(config)#dot1x enable
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#dot1x enable
Switch(Config-If-Ethernet1/0/2)#exit

5.3.4 802.1x Troubleshooting

It is possible that 802.1x is configured on ports and 802.1x authentication is set to auto, but the switch cannot reach the authenticated state after the user runs the 802.1x supplicant software. Here are some possible causes and solutions:
• If 802.1x cannot be enabled for a port, make sure the port is not executing MAC binding or configured as a port aggregation. To enable the 802.1x authentication, the above functions must be disabled.
• If the switch is configured properly but still cannot pass through authentication, connectivity between the switch and the RADIUS server and between the switch and the 802.1x client should be verified, and the port and VLAN configuration of the switch should be checked, too.
• Check the event log on the RADIUS server for possible causes. The event log records not only unsuccessful logins but also prompts for the causes of unsuccessful login. If the event log indicates a wrong authenticator password, the radius-server key parameter shall be modified; if the event log indicates no such authenticator, the authenticator needs to be added to the RADIUS server; if the event log indicates no such login user, the user login ID and password may be wrong and should be verified and input again.

5.4 The Number Limitation Function of MAC and IP in Port, VLAN

5.4.1 Introduction to the Number Limitation Function of MAC and IP in Port, VLAN
The MAC address list is used to identify the mapping relationship between destination MAC addresses and the ports of the switch. There are two kinds of MAC addresses in the list: static MAC addresses and dynamic MAC addresses. A static MAC address is set by users, has the highest priority (it will not be overwritten by a dynamic MAC address) and is always effective; a dynamic MAC address is learnt by the switch while forwarding data frames, and is only effective for a specific time range. When the switch receives a data frame waiting to be forwarded, it learns the source MAC address of the data frame, builds a mapping relationship with the receiving port, and then looks up the destination MAC address in the MAC address list. If a matching list entry is found, the switch forwards the data frame via the corresponding port; otherwise, the switch broadcasts the data frame over the VLAN it belongs to. If a dynamically learnt MAC address matches no forwarded data for a long time, the switch deletes it from the MAC address list.
Usually the switch supports both static configuration and dynamic learning of MAC addresses, which means each port can have more than one statically set MAC address and dynamically learnt MAC address, and thus can forward data traffic between the port and known MAC addresses. When a MAC address becomes out of date, traffic to it is handled by broadcast. No number limitation is put on the MAC addresses of the ports of our current switches; every port can have several MAC addresses, either by configuration or by learning, until the hardware list entries are exhausted. To avoid a port having too many MAC addresses, we should limit the number of MAC addresses a port can have.
For each INTERFACE VLAN, there is no number limitation of IP; the upper limit of the number of IP addresses is the upper limit of the number of users on an interface, which is, at the same time, the upper limit of ARP and ND list entries. There is no configuration command that can be used to control the number of these list entries. To enhance the security and the controllability of our products, we need to control the number of MAC addresses on each port and the number of ARP and ND entries on each INTERFACE VLAN. The number of static or dynamic MAC addresses on a port should not exceed the configured value. The number of users on each VLAN should not exceed the configured value, either.
Limiting the number of MAC and ARP list entries can avoid DOS attacks to a certain extent. When malicious users frequently do MAC or ARP spoofing, it is easy for them to fill the MAC and ARP list entries of the switch, causing successful DOS attacks.
To sum up, it is very meaningful to develop the number limitation function of MAC and IP in port and VLAN. The switch can control the number of MAC addresses of ports and the number of ARP and ND list entries of ports and VLANs through configuration commands.
Limiting the number of dynamic MAC and IP of ports:
1. Limiting the number of dynamic MAC. If the number of MAC addresses dynamically learnt by the switch on this port is already larger than or equal to the max number of dynamic MAC addresses, then the MAC learning function on this port is shut down; otherwise, the port can continue its learning.
2. Limiting the number of dynamic IP. If the number of ARP and ND entries dynamically learnt by the switch on this port is already larger than or equal to the max number of dynamic ARP and ND entries, then the ARP and ND learning function of this port is shut down; otherwise, the port can continue its learning.
Limiting the number of MAC, ARP and ND of interfaces:
1. Limiting the number of dynamic MAC. If the number of MAC addresses dynamically learnt by the switch in the VLAN is already larger than or equal to the max number of dynamic MAC addresses, then the MAC learning function of all the ports in this VLAN is shut down; otherwise, all the ports in this VLAN can continue their learning (except special ports).
2. Limiting the number of dynamic IP. If the number of ARP and ND entries dynamically learnt by the switch in the VLAN is already larger than or equal to the max number of dynamic ARP and ND entries, then the VLAN does not learn any new ARP or ND entry; otherwise, learning can continue.
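An added Python model (not the guide's implementation) of the four rules above, to make the interaction between the port limits and the VLAN limits concrete: a dynamic entry is learnt only if both the port's own counter and the VLAN's counter are below their configured maximums, and a port with no maximum configured is unlimited, which the text says is the default. The "protect" and "shutdown" modes are the violation modes named in the command table of 5.4.2; how each behaves here (protect stops learning silently, shutdown disables the port) is this model's assumption. The port names, VLAN numbers and the sample MAC and IP addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    mac_max: Optional[int] = None      # None: no limit configured (the default)
    ip_max: Optional[int] = None       # one cap for dynamic ARP + ND entries in this model
    violation: str = "protect"         # "protect" or "shutdown", as named in 5.4.2
    macs: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    shut_down: bool = False


@dataclass
class Vlan:
    vid: int
    mac_max: Optional[int] = None
    ip_max: Optional[int] = None
    ports: dict = field(default_factory=dict)

    def add_port(self, port: Port) -> Port:
        self.ports[port.name] = port
        return port

    def mac_count(self) -> int:
        return sum(len(p.macs) for p in self.ports.values())

    def ip_count(self) -> int:
        return sum(len(p.ips) for p in self.ports.values())


def _under(count: int, maximum: Optional[int]) -> bool:
    """A limit only applies when configured; at or above the max, learning stops."""
    return maximum is None or count < maximum


def learn(vlan: Vlan, port_name: str, entry: str, kind: str) -> str:
    """Try to learn one dynamic MAC ("mac") or ARP/ND ("ip") entry on a port.
    Returns "learnt", "known", "port-limit", "vlan-limit" or "shutdown"."""
    port = vlan.ports[port_name]
    if port.shut_down:
        return "shutdown"
    table = port.macs if kind == "mac" else port.ips
    if entry in table:
        return "known"                   # refreshing an existing entry never counts as new
    port_ok = _under(len(table), port.mac_max if kind == "mac" else port.ip_max)
    vlan_ok = _under(vlan.mac_count() if kind == "mac" else vlan.ip_count(),
                     vlan.mac_max if kind == "mac" else vlan.ip_max)
    if port_ok and vlan_ok:
        table.add(entry)
        return "learnt"
    # Model assumption: "protect" silently stops learning, "shutdown" disables the port
    if not port_ok and port.violation == "shutdown":
        port.shut_down = True
        return "shutdown"
    return "port-limit" if not port_ok else "vlan-limit"


def flood(vlan: Vlan, port_name: str, count: int, kind: str = "mac") -> dict:
    """Simulate a host cycling through `count` constructed source addresses on one port
    (the table-filling behaviour the text describes) and tally the outcomes."""
    results = {}
    for i in range(count):
        entry = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" if kind == "mac" else f"10.0.0.{i}"
        outcome = learn(vlan, port_name, entry, kind)
        results[outcome] = results.get(outcome, 0) + 1
    return results


if __name__ == "__main__":
    # The 5.4.3 example: port 1/0/1 limited to 20 dynamic MACs, VLAN 1 to 30
    v = Vlan(1, mac_max=30)
    v.add_port(Port("Ethernet1/0/1", mac_max=20))
    v.add_port(Port("Ethernet1/0/2", mac_max=20))
    print(flood(v, "Ethernet1/0/1", 25))     # 20 learnt, 5 stopped by the port limit
    print(flood(v, "Ethernet1/0/2", 25))     # 10 learnt, then the VLAN limit of 30 holds
```

The second port in the sample stops at 10 entries even though its own limit is 20, because the VLAN-level check counts entries across all ports of the VLAN; this is the interplay the two numbered lists above describe.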

5.4.2 The Number Limitation Function of MAC and IP in Port, VLAN Configuration Task Sequence

1. Enable the number limitation function of MAC and IP on ports
2. Enable the number limitation function of MAC and IP in VLAN
3. Configure the timeout value of querying dynamic MAC
4. Configure the violation mode of ports
5. Display and debug the relative information of number limitation of MAC and IP on ports

1. Enable the number limitation function of MAC and IP on ports


Command                                          Explanation
Port configuration mode
switchport mac-address dynamic maximum <value>   Enable and disable the number limitation
no switchport mac-address dynamic maximum        function of MAC on the ports.
switchport arp dynamic maximum <value>           Enable and disable the number limitation
no switchport arp dynamic maximum                function of ARP on the ports.
switchport nd dynamic maximum <value>            Enable and disable the number limitation
no switchport nd dynamic maximum                 function of ND on the ports.

2. Enable the number limitation function of MAC and IP in VLAN

Command                                          Explanation
VLAN configuration mode
vlan mac-address dynamic maximum <value>         Enable and disable the number limitation
no vlan mac-address dynamic maximum              function of MAC in the VLAN.
Interface configuration mode
ip arp dynamic maximum <value>                   Enable and disable the number limitation
no ip arp dynamic maximum                        function of ARP in the VLAN.
ipv6 nd dynamic maximum <value>                  Enable and disable the number limitation
no ipv6 nd dynamic maximum                       function of NEIGHBOR in the VLAN.

3. Configure the timeout value of querying dynamic MAC

Command                                          Explanation
Global configuration mode
mac-address query timeout <seconds>              Configure the timeout value of querying
                                                 dynamic MAC.

4. Configure the violation mode of ports

Command                                          Explanation
Port mode
switchport mac-address violation {protect |      Set the violation mode of the port; the no
shutdown} [recovery <5-3600>]                    command restores the violation mode to
no switchport mac-address violation              protect.

5. Display and debug the relative information of number limitation of MAC and IP on ports

Command                                          Explanation
Admin mode
show mac-address dynamic count {vlan <vlan-id>   Display the number of dynamic MAC in the
| interface ethernet <portName>}                 corresponding ports and VLAN.
show arp-dynamic count {vlan <vlan-id>           Display the number of dynamic ARP in the
| interface ethernet <portName>}                 corresponding ports and VLAN.
show nd-dynamic count {vlan <vlan-id>            Display the number of dynamic NEIGHBOUR
| interface ethernet <portName>}                 in the corresponding ports and VLAN.
debug switchport mac count                       All kinds of debug information when limiting
no debug switchport mac count                    the number of MAC on ports.
debug switchport arp count                       All kinds of debug information when limiting
no debug switchport arp count                    the number of ARP on ports.
debug switchport nd count                        All kinds of debug information when limiting
no debug switchport nd count                     the number of NEIGHBOUR on ports.
debug vlan mac count                             All kinds of debug information when limiting
no debug vlan mac count                          the number of MAC in VLAN.
debug ip arp count                               All kinds of debug information when limiting
no debug ip arp count                            the number of ARP in VLAN.
debug ipv6 nd count                              All kinds of debug information when limiting
no debug ipv6 nd count                           the number of NEIGHBOUR in VLAN.

5.4.3 The Number Limitation Function of MAC and IP in Port, VLAN Typical Examples

[Figure 5-18 The Number Limitation of MAC and IP in Port, VLAN Typical Configuration Example: SWITCH A connected to SWITCH B, which connects to many PCs]

In the network topology above, SWITCH B connects to many PC users. Before the number limitation function of MAC and IP in Port, VLAN is enabled, if the system hardware has no other limitation, SWITCH A and SWITCH B can hold the MAC, ARP and ND list entries of all the PCs, so limiting the MAC and ARP list entries can avoid DOS attacks to a certain extent. When malicious users frequently do MAC or ARP spoofing, it is easy for them to fill the MAC and ARP list entries of the switch, causing successful DOS attacks. Limiting the MAC, ARP and ND list entries can prevent DOS attacks.
On port 1/0/1 of SWITCH A, set the max number of dynamic MAC addresses that can be learnt as 20, of dynamic ARP addresses as 20 and of NEIGHBOR list entries as 10. In VLAN 1, set the max number of dynamic MAC addresses as 30, of dynamic ARP addresses as 30 and of NEIGHBOR list entries as 20.

SWITCH A configuration task sequence:

Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#switchport mac-address dynamic maximum 20
Switch(Config-If-Ethernet1/0/1)#switchport arp dynamic maximum 20
Switch(Config-If-Ethernet1/0/1)#switchport nd dynamic maximum 10
Switch(Config-If-Ethernet1/0/1)#exit
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#vlan mac-address dynamic maximum 30

5.4.4 The Number Limitation Function of MAC and IP in Port, VLAN Troubleshooting Help
The number limitation function on a port is disabled by default; users who need to limit the number of hosts accessing the network through a port can enable it. If the MAC address number limitation cannot be configured, check whether Spanning Tree, dot1x or TRUNK is running on the switch and whether the port is configured as a MAC-binding port. The MAC address number limitation is mutually exclusive with these configurations, so before enabling it on a port, make sure the functions listed above are disabled on that port.
If all the configurations are normal, after enabling the number limitation function of MAC and IP in Port, VLAN, users can use the debug commands to trace each limitation, check the details of the number limitations and judge whether the function is working correctly. If a problem remains, please send the results to the technical service center.

5.5 AM

5.5.1 Introduction to AM Function


AM (Access Management) means that when a switch receives an IP or ARP packet, it compares the information extracted from the packet (the source IP address, or the source MAC-IP pair) with the configured hardware address pool. If an entry in the address pool matches (by source IP address or by source MAC-IP pair), the packet is forwarded; otherwise it is dropped. Source-IP-based AM has to be supplemented by source-MAC-IP-based AM because the IP address of a host can be changed: with only an IP bound, a user can simply set the host's IP to one of the forwarding IPs and the switch will then forward that host's packets. Since a MAC-IP pair can be bound exclusively to one host, binding MAC-IP pairs prevents users from maliciously changing the host IP in order to get their packets forwarded through the switch. Two caveats for practitioners: this protection only holds for addresses that are not also covered by an IP pool range, and a MAC address can itself be spoofed by a host on the same segment, so AM restricts which sources a port accepts but does not authenticate hosts.
With the interface-bound attribute of AM, network managers can bind the IP (or MAC-IP) address of a legal user to a specified interface. After that, only packets sent by users with the specified IP (MAC-IP) addresses are forwarded via that interface, which strengthens the monitoring of network security.

5.5.2 AM Function Configuration Task List


1. Enable AM function
2. Enable AM function on an interface
3. Configure the forwarding IP
4. Configure the forwarding MAC-IP
5. Delete all of the configured IP or MAC-IP or both
6. Display the AM configuration information

1. Enable AM function
Command (Global Mode):
  am enable
  no am enable
Explanation: Globally enable or disable the AM function.

2. Enable AM function on an interface
Command (Port Mode):
  am port
  no am port
Explanation: Enable or disable the AM function on the port. When AM is enabled on a port, no IP or ARP packet is forwarded by default, until forwarding IPs or MAC-IP pairs are configured on that port.

3. Configure the forwarding IP
Command (Port Mode):
  am ip-pool <ip-address> <num>
  no am ip-pool <ip-address> <num>
Explanation: Configure (or delete) a forwarding IP range of the port, starting at <ip-address> and covering <num> addresses.

4. Configure the forwarding MAC-IP
Command (Port Mode):
  am mac-ip-pool <mac-address> <ip-address>
  no am mac-ip-pool <mac-address> <ip-address>
Explanation: Configure (or delete) a forwarding MAC-IP pair of the port.

5. Delete all of the configured IP or MAC-IP or both
Command (Global Mode):
  no am all [ip-pool | mac-ip-pool]
Explanation: Delete the MAC-IP address pool, the IP address pool, or both pools, as configured on all ports.

6. Display the AM configuration information
Command (Global Configuration Mode):
  show am [interface <interface-name>]
Explanation: Display the AM configuration information of one port or of all ports.

5.5.3 AM Function Example

[Figure: Internet above the SWITCH; Port1 leads to HUB1 and Port2 to HUB2; PC1, PC2 ... PC30 are attached to HUB1]

Figure 5-19 A typical configuration example of the AM function


In the topology above, 30 PCs are aggregated by HUB1 and connect to port 1 (Ethernet1/0/1) of the switch. The IP addresses of these 30 PCs range from 100.10.10.1 to 100.10.10.30. For security, the system manager only regards users with an IP address within that range as legal; the switch forwards packets from legal users and drops packets from all other users.
According to these requirements, the switch is configured as follows (the ip-pool covers the 30 addresses starting at 100.10.10.1):
Switch(config)#am enable
Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#am port
Switch(Config-If-Ethernet1/0/1)#am ip-pool 100.10.10.1 30
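The forwarding decision described in 5.5.1 and configured above, as an added Python model that is not code from the switch or its vendor: an AM-enabled port forwards a packet only when its source matches an ip-pool range or a mac-ip-pool binding. The class and function names and the sample hosts are assumptions made for this example. It also demonstrates the caveat that a mac-ip-pool binding only pins an address to one MAC when that address is not also inside an ip-pool range.

```python
"""Access Management (AM) forwarding decision, modelled in Python.

Added example; not code from the switch or its vendor. On a port with
"am port" enabled, an IP or ARP packet is forwarded only if its source
matches an "am ip-pool" range or an "am mac-ip-pool" binding on that
port; otherwise it is dropped. Names and sample hosts are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AmPort:
    """AM state of one port: ip-pool ranges and mac-ip-pool bindings."""
    enabled: bool = False                                            # "am port"
    ip_pools: List[Tuple[int, int]] = field(default_factory=list)    # (first, count)
    mac_ip_pool: Dict[str, str] = field(default_factory=dict)        # ip -> mac

    def add_ip_pool(self, first_ip: str, count: int) -> None:
        """am ip-pool <ip-address> <num>: <num> consecutive addresses from <ip-address>."""
        self.ip_pools.append((int(ipaddress.IPv4Address(first_ip)), count))

    def add_mac_ip(self, mac: str, ip: str) -> None:
        """am mac-ip-pool <mac-address> <ip-address>: one host, one (MAC, IP) pair."""
        self.mac_ip_pool[str(ipaddress.IPv4Address(ip))] = mac.lower()

    def in_ip_pool(self, ip: str) -> bool:
        n = int(ipaddress.IPv4Address(ip))
        return any(first <= n < first + count for first, count in self.ip_pools)

    def forwards(self, src_mac: str, src_ip: str) -> bool:
        """True if a packet with this source MAC/IP would be forwarded.

        Either pool may match (the page describes them as alternatives),
        so a MAC-IP binding only pins an address to a host when that
        address is not also inside an ip-pool range.
        """
        if not self.enabled:
            return True                       # AM off on this port: no filtering
        ip = str(ipaddress.IPv4Address(src_ip))
        if self.mac_ip_pool.get(ip) == src_mac.lower():
            return True
        return self.in_ip_pool(ip)


def filter_packets(port: AmPort, packets):
    """Split (src_mac, src_ip) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for mac, ip in packets:
        (forwarded if port.forwards(mac, ip) else dropped).append((mac, ip))
    return forwarded, dropped


if __name__ == "__main__":
    # Port 1 of the example in 5.5.3: 30 legal hosts at 100.10.10.1-30
    port1 = AmPort(enabled=True)
    port1.add_ip_pool("100.10.10.1", 30)
    # Additionally pin a server (constructed address) to a single MAC
    port1.add_mac_ip("00:aa:bb:cc:dd:ee", "100.10.11.5")
    sample = [("00:11:22:33:44:55", "100.10.10.30"),   # legal, inside the pool
              ("00:11:22:33:44:55", "100.10.10.31"),   # outside the pool
              ("00:aa:bb:cc:dd:ee", "100.10.11.5"),    # bound host
              ("00:11:22:33:44:55", "100.10.11.5")]    # spoofed IP, wrong MAC
    ok, bad = filter_packets(port1, sample)
    print("forwarded:", ok)
    print("dropped:  ", bad)
```

The last constructed packet is the case the MAC-IP pool exists for: the IP is legal, but the MAC is not the one bound to it, so it is dropped.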

5.5.4 AM Function Troubleshooting


The AM function is disabled by default; after it is enabled, the other AM settings can be configured.
Users can view the current AM configuration with the "show am" command, including whether AM is enabled and the AM information on each interface, and can use "show am interface <interface-name>" to check the AM configuration of a specific interface.
If an operational error occurs, the system displays a detailed corresponding error message.

5.6 Security Feature

5.6.1 Introduction to Security Feature


Before introducing the security features, we first introduce DoS. DoS is short for Denial of Service, a simple but effective destructive attack on the Internet. A server under DoS attack drops normal user packets because it is busy processing the attacker's packets, which denies the service to legitimate users and, in the worst case, can also lead to the leak of sensitive data from the server.
Security features refers to applications such as protocol checks that protect the server from attacks such as DoS. A protocol check lets the user drop packets that match specified conditions. The security features provide several simple and effective protections against DoS attacks without affecting the line-rate forwarding performance of the switch. Note that these checks match fixed packet patterns; they do not rate-limit, so a flood of well-formed packets is not stopped by them.

5.6.2 Security Feature Configuration

5.6.2.1 Prevent IP Spoofing Function Configuration Task Sequence

1. Enable the IP spoofing check
Command (Global Mode):
  [no] dosattack-check srcip-equal-dstip enable
Explanation: Enable/disable dropping of packets whose source IP address is equal to the destination IP address.

5.6.2.2 Prevent Illegal TCP Flag Attack Function Configuration Task Sequence

1. Enable the illegal TCP flag check
Command (Global Mode):
  [no] dosattack-check tcp-flags enable
Explanation: Enable/disable the TCP flag check, which drops TCP packets carrying illegal flag combinations.

5.6.2.3 Prevent Port Spoofing Function Configuration Task Sequence

1. Enable the port spoofing check
Command (Global Mode):
  [no] dosattack-check srcport-equal-dstport enable
Explanation: Enable/disable dropping of TCP/UDP packets whose source port is equal to the destination port.

5.6.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence

1. Enable the prevent TCP fragment attack function
2. Configure the minimum permitted TCP header length of the packet

Command (Global Mode):
  [no] dosattack-check tcp-fragment enable
Explanation: Enable/disable the prevent TCP fragment attack function.

Command (Global Mode):
  dosattack-check tcp-header <size>
Explanation: Configure the minimum permitted TCP header length of the packet. This command has no effect on its own; the user must also enable dosattack-check tcp-fragment enable.
Note: This function is not supported by the switch.

5.6.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence

1. Enable the prevent ICMP fragment attack function
2. Configure the maximum permitted ICMPv4 payload length

Command (Global Mode):
  [no] dosattack-check icmp-attacking enable
Explanation: Enable/disable the prevent ICMP fragment attack function.

Command (Global Mode):
  dosattack-check icmpv4-size <size>
Explanation: Configure the maximum permitted ICMPv4 payload length. This command has no effect on its own; the user must also enable dosattack-check icmp-attacking enable.

5.6.3 Security Feature Example


Scenario:
The user has the following configuration requirements: the switch must not forward packets whose source IP address is equal to the destination IP address, nor packets whose source port is equal to the destination port. Only ping with default options is allowed within the IPv4 network, i.e. ICMP echo request packets must not be fragmented and their payload must be smaller than 100 bytes.
Configuration procedure:
Switch(config)#dosattack-check srcip-equal-dstip enable
Switch(config)#dosattack-check srcport-equal-dstport enable
Switch(config)#dosattack-check icmp-attacking enable
Switch(config)#dosattack-check icmpv4-size 100
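The five protocol checks of 5.6.2 applied to constructed packets, as an added Python model that is not the switch's firmware. The configuration of the scenario above is reproduced as EXAMPLE_CFG. The set of flag combinations that the tcp-flags check treats as illegal is not given on this page and is an assumption here, and the comment in check() records a deployment caveat for the srcport-equal-dstport check.

```python
"""Protocol checks for the DoS attack classes in 5.6, modelled in Python.

Added example; not the switch's firmware. Each check mirrors one
dosattack-check command: srcip-equal-dstip (the "Land" pattern),
srcport-equal-dstport, tcp-flags, tcp-fragment (first fragment too short
for the TCP header) and icmp-attacking (fragmented or oversized ICMPv4).
The illegal flag set is an assumption; the packets below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                   # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    tcp_flags: int = 0
    tcp_header_len: int = 20     # TCP header bytes present in this fragment
    frag_offset: int = 0         # IP fragment offset (0 = first or only fragment)
    more_frags: bool = False     # IP "more fragments" bit
    icmp_payload_len: int = 0    # ICMP payload bytes (a default Linux ping sends 56)


@dataclass
class DosChecks:
    """One field per dosattack-check command, all disabled by default."""
    srcip_equal_dstip: bool = False
    srcport_equal_dstport: bool = False
    tcp_flags: bool = False
    tcp_fragment: bool = False
    tcp_header_min: int = 20     # dosattack-check tcp-header <size>
    icmp_attacking: bool = False
    icmpv4_size: int = 100       # dosattack-check icmpv4-size <size>


def illegal_tcp_flags(flags: int) -> bool:
    """Flag combinations no legitimate TCP segment carries (assumed set)."""
    return bool(flags == 0                             # NULL scan
                or (flags & SYN and flags & FIN)       # SYN+FIN
                or (flags & SYN and flags & RST)       # SYN+RST
                or (flags & FIN and not flags & ACK))  # FIN without ACK (FIN/Xmas scans)


def check(pkt: Packet, cfg: DosChecks) -> Optional[str]:
    """Return the name of the check that drops the packet, or None to forward."""
    if cfg.srcip_equal_dstip and pkt.src_ip == pkt.dst_ip:
        return "srcip-equal-dstip"
    # Caveat: some legitimate UDP traffic uses equal ports (NTP peers 123->123,
    # DNS server-to-server 53->53); enable this check with that in mind.
    if cfg.srcport_equal_dstport and pkt.proto in ("tcp", "udp") \
            and pkt.src_port == pkt.dst_port:
        return "srcport-equal-dstport"
    if cfg.tcp_flags and pkt.proto == "tcp" and illegal_tcp_flags(pkt.tcp_flags):
        return "tcp-flags"
    # A first fragment shorter than the minimum header hides ports and flags
    # from filters that only inspect the first fragment.
    if cfg.tcp_fragment and pkt.proto == "tcp" and pkt.frag_offset == 0 \
            and pkt.more_frags and pkt.tcp_header_len < cfg.tcp_header_min:
        return "tcp-fragment"
    if cfg.icmp_attacking and pkt.proto == "icmp" and (
            pkt.more_frags or pkt.frag_offset > 0
            or pkt.icmp_payload_len > cfg.icmpv4_size):
        return "icmp-attacking"
    return None


# The configuration of the example in 5.6.3
EXAMPLE_CFG = DosChecks(srcip_equal_dstip=True, srcport_equal_dstport=True,
                        icmp_attacking=True, icmpv4_size=100)

if __name__ == "__main__":
    samples = [
        Packet("10.0.0.1", "10.0.0.1", "tcp", 80, 80, SYN),           # Land
        Packet("10.0.0.1", "10.0.0.2", "udp", 123, 123),              # NTP peer
        Packet("10.0.0.1", "10.0.0.2", "icmp", icmp_payload_len=56),  # normal ping
        Packet("10.0.0.1", "10.0.0.2", "icmp", icmp_payload_len=1400),
        Packet("10.0.0.1", "10.0.0.2", "icmp", more_frags=True, icmp_payload_len=56),
        Packet("10.0.0.1", "10.0.0.2", "tcp", 4321, 22, SYN),
    ]
    for p in samples:
        print(f"{p.proto:4} {p.src_ip}->{p.dst_ip}: {check(p, EXAMPLE_CFG) or 'forward'}")
```

Running it shows the second sample, an NTP peer exchange, being dropped by srcport-equal-dstport; that is the trade-off to weigh before enabling that check on a network with such traffic.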

5.7 TACACS+

5.7.1 Introduction to TACACS+


TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to RADIUS for controlling terminal access to the network. The three independent functions Authentication, Authorization and Accounting are also available in this protocol. Compared with RADIUS, TACACS+ uses TCP as its transport protocol and encrypts the whole packet body (everything except the standard packet header), so it offers more reliable transmission and better confidentiality and is better suited to security control. Note that this body encryption is an MD5-derived pad keyed by the shared secret and provides no integrity protection, so the link to the TACACS+ server should still run over a protected management network.
Following the TACACS+ specification (Version 1.78), the switch provides TACACS+ authentication: when a user logs in, for example via telnet, the user name and password can be authenticated through TACACS+.
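What the body encryption mentioned above looks like on the wire, as an added Python example (RFC 8907 section 4.5) that is not the switch's code: the header stays in clear and the body is XORed with a chained-MD5 pseudo-pad derived from the session id, the shared key, the version and the sequence number. The sample body bytes are constructed for this example; the key "test" is the one used in the configuration example in 5.7.3.

```python
"""TACACS+ body obfuscation (RFC 8907, section 4.5), in Python.

Added example; not the switch's code. The 12-byte header is sent in
clear; the body is XORed with a pseudo-pad of chained MD5 digests over
session_id, key, version and seq_no. The shared key never crosses the
wire, but the scheme is obfuscation rather than authenticated
encryption. The sample body is constructed here.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"          # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12
TAC_PLUS_VERSION = 0xC0         # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01          # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n also absorbs MD5_(n-1)."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it again undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 ptype: int = TAC_PLUS_AUTHEN, version: int = TAC_PLUS_VERSION) -> bytes:
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet: bytes, key: bytes):
    """Return (version, type, seq_no, session_id, body) with the body de-obfuscated."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if len(packet) != HEADER_LEN + length:
        raise ValueError("length field does not match packet size")
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return version, ptype, seq_no, session_id, body


if __name__ == "__main__":
    key = b"test"                                        # key from the example in 5.7.3
    body = b"\x01\x00\x01\x01\x05\x00\x00\x04alice"       # constructed authen START body
    pkt = build_packet(body, session_id=0x1234ABCD, key=key, seq_no=1)
    print("on the wire:", pkt.hex())
    print("decoded    :", parse_packet(pkt, key)[4])
    print("wrong key  :", parse_packet(pkt, b"wrong")[4])
```

The "wrong key" line shows why a key mismatch between switch and server (the troubleshooting point in 5.7.4) manifests as garbage rather than as a clean error: the peer simply XORs with a different pad.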

5.7.2 TACACS+ Configuration Task List


1. Configure the TACACS+ authentication key
2. Configure the TACACS+ server
3. Configure the TACACS+ authentication timeout time
4. Configure the IP address of the TACACS+ NAS

1. Configure the TACACS+ authentication key
Command (Global Mode):
  tacacs-server key {0 | 7} <string>
  no tacacs-server key
Explanation: Configure the TACACS+ server key; the "no tacacs-server key" command deletes the key.

2. Configure TACACS+ server
Command (Global Mode):
  tacacs-server authentication host <ip-address> [port <port-number>] [timeout <seconds>] [key {0 | 7} <string>] [primary]
  no tacacs-server authentication host <ip-address>
Explanation: Configure the IP address, listening port number, timeout value and key string of a TACACS+ server, and whether it is the primary server; the no form of this command deletes the TACACS+ authentication server.
3. Configure the TACACS+ authentication timeout time
Command (Global Mode):
  tacacs-server timeout <seconds>
  no tacacs-server timeout
Explanation: Configure the authentication timeout for the TACACS+ server; the "no tacacs-server timeout" command restores the default configuration.
4. Configure the IP address of the TACACS+ NAS
Command (Global Mode):
  tacacs-server nas-ipv4 <ip-address>
  no tacacs-server nas-ipv4
Explanation: Configure (or, with no, remove) the source IP address used by the switch for TACACS+ packets.

5.7.3 TACACS+ Scenarios Typical Examples


[Figure: nodes 10.1.1.1, 10.1.1.2 (switch) and 10.1.1.3 (Tacacs Server)]

Figure 5-20 TACACS Configuration


A computer connects to a switch whose IP address is 10.1.1.2; the switch is connected to a TACACS+ authentication server whose IP address is 10.1.1.3 and whose authentication port is the default, 49. Set telnet login authentication of the switch to tacacs, so that telnet users are authenticated by the TACACS+ server. The key string test is used here for illustration only; in production use a long random shared secret, since it is the only secret protecting the TACACS+ exchange.

Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#tacacs-server authentication host 10.1.1.3
Switch(config)#tacacs-server key test
Switch(config)#authentication line vty login tacacs

5.7.4 TACACS+ Troubleshooting


In configuring and using TACACS+, authentication may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
- First, the physical connection to the TACACS+ server is in good condition.
- Second, all interfaces and link protocols are in the UP state (use the "show interface" command).
- Then, the TACACS+ key configured on the switch is identical to the one configured on the TACACS+ server.
- Finally, the switch is connecting to the correct TACACS+ server.

5.8 RADIUS

5.8.1 Introduction to RADIUS

5.8.1.1 AAA and RADIUS Introduction


AAA is short for Authentication, Authorization and Accounting; it provides a consistent framework for managing network access securely. With its three functions of Authentication, Authorization and Accounting, the framework meets the access control needs of a secure network: who may access the network device, which access level the user has, and how the use of network resources is accounted for.
RADIUS (Remote Authentication Dial In User Service) is a distributed client/server protocol for exchanging AAA information. The RADIUS client usually runs on a network appliance and implements AAA in cooperation with the 802.1x protocol. The RADIUS server maintains the AAA database and communicates with the RADIUS client through the RADIUS protocol. RADIUS is the most commonly used protocol in the AAA framework.

5.8.1.2 Message structure for RADIUS


The RADIUS protocol uses UDP to deliver protocol packets. The packet format is shown as
below.

Figure 5-21 Message structure for RADIUS

Code field (1 octet): the type of the RADIUS packet. Defined values of the Code field are:
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge

Identifier field (1 octet): matches requests with their replies.

Length field (2 octets): the length of the whole RADIUS packet, including the Code, Identifier, Length, Authenticator and Attribute fields. Octets received beyond the Length are treated as padding and ignored.

Authenticator field (16 octets): used to validate the reply received from the RADIUS server and in hiding the user password. It comes in two kinds: the Request Authenticator, a random value chosen by the client for each request, and the Response Authenticator, an MD5 hash over the reply, the Request Authenticator and the shared secret.

Attribute field: carries the detailed AAA information. Each attribute is formed by Type, Length and Value fields.
- Type field (1 octet), the type of the attribute, as listed below:
 Type field (1 octet), the type of the attribute value, which is shown as below:

Type  Attribute              Type   Attribute
1     User-Name              23     Framed-IPX-Network
2     User-Password          24     State
3     CHAP-Password          25     Class
4     NAS-IP-Address         26     Vendor-Specific
5     NAS-Port               27     Session-Timeout
6     Service-Type           28     Idle-Timeout
7     Framed-Protocol        29     Termination-Action
8     Framed-IP-Address      30     Called-Station-Id
9     Framed-IP-Netmask      31     Calling-Station-Id
10    Framed-Routing         32     NAS-Identifier
11    Filter-Id              33     Proxy-State
12    Framed-MTU             34     Login-LAT-Service
13    Framed-Compression     35     Login-LAT-Node
14    Login-IP-Host          36     Login-LAT-Group
15    Login-Service          37     Framed-AppleTalk-Link
16    Login-TCP-Port         38     Framed-AppleTalk-Network
17    (unassigned)           39     Framed-AppleTalk-Zone
18    Reply-Message          40-59  (reserved for accounting)
19    Callback-Number        60     CHAP-Challenge
20    Callback-Id            61     NAS-Port-Type
21    (unassigned)           62     Port-Limit
22    Framed-Route           63     Login-LAT-Port

 Length field (1 octet), the length in octets of the attribute including Type, Length and Value
fields.
 Value field, value of the attribute whose content and format is determined by the type and
length of the attribute.
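A parser for the packet layout described above, together with the two uses of the Authenticator field (password hiding in the request and integrity of the reply), as an added Python example that is not the switch's RADIUS client. The sample packets are constructed here; the shared secret "test" is the one used by the configuration examples in this chapter, and the attribute type constants are the ones from the table above.

```python
"""RADIUS packet parsing and authenticator checks (RFC 2865), in Python.

Added example; not the switch's RADIUS client. Parses the
Code/Identifier/Length/Authenticator/Attributes layout, walks the
attribute TLVs, hides User-Password (MD5 of secret + Request
Authenticator XORed with the padded password) and verifies the Response
Authenticator, MD5(Code+ID+Length+RequestAuth+Attributes+Secret), so a
forged Access-Accept from an on-path attacker is rejected.
"""
import hashlib
import hmac
import os
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def encode_attrs(attrs) -> bytes:
    """[(type, value), ...] -> Type(1) Length(1, counts itself) Value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out


def parse_attrs(data: bytes):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[pos], data[pos + 1]
        if ln < 2 or pos + ln > len(data):
            raise ValueError("bad attribute length")   # classic parser crash point
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, attributes)."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte fixed header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:length])  # past Length: padding


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n; c1 = p1 ^ MD5(S+RA), ci = pi ^ MD5(S+c(i-1))."""
    blocks = max(1, -(-len(password) // 16))
    p = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        chunk = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         request_auth: bytes = None) -> bytes:
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = encode_attrs([(USER_NAME, user),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, attrs, secret: bytes, request_auth: bytes) -> bytes:
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(resp: bytes, secret: bytes, request_auth: bytes) -> bool:
    """Check the Response Authenticator against the Request Authenticator we sent."""
    _, _, auth, _ = parse_packet(resp)
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    secret, ra = b"test", os.urandom(16)             # constructed sample exchange
    req = build_access_request(7, b"alice", b"s3cret", secret, ra)
    print("request :", parse_packet(req)[:2], parse_packet(req)[3])
    resp = build_response(2, 7, [(REPLY_MESSAGE, b"welcome")], secret, ra)
    print("genuine :", CODES[parse_packet(resp)[0]], verify_response(resp, secret, ra))
    forged = bytearray(resp); forged[-1] ^= 1        # attacker flips one byte
    print("tampered:", verify_response(bytes(forged), secret, ra))
```

Two practical points fall out of the code: the Request Authenticator must be fresh and unpredictable, because the password hiding is only as strong as MD5(secret + RA) is unguessable, and a length check on every attribute is what keeps a malformed reply from walking past the end of the buffer.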

5.8.2 RADIUS Configuration Task List


1. Enable the authentication and accounting function
2. Configure the RADIUS authentication key
3. Configure the RADIUS server
4. Configure the parameter of the RADIUS service
5. Configure the IP address of the RADIUS NAS

1. Enable the authentication and accounting function
Command (Global Mode):
  aaa enable
  no aaa enable
Explanation: Enable the AAA authentication function; the no form of this command disables it.

Command (Global Mode):
  aaa-accounting enable
  no aaa-accounting enable
Explanation: Enable AAA accounting; the no form of this command disables it.

Command (Global Mode):
  aaa-accounting update {enable | disable}
Explanation: Enable or disable the accounting update (interim update) function.

2. Configure the RADIUS authentication key
Command (Global Mode):
  radius-server key {0 | 7} <string>
  no radius-server key
Explanation: Configure the shared secret (encryption key) for the RADIUS server; the no form of this command removes the configured key.

3. Configure the RADIUS server
Command (Global Mode):
  radius-server authentication host {<ipv4-address> | <ipv6-address>} [port <port-number>] [key {0 | 7} <string>] [primary] [access-mode {dot1x | telnet}]
  no radius-server authentication host {<ipv4-address> | <ipv6-address>}
Explanation: Specify the IPv4/IPv6 address and port number of a RADIUS authentication server, optionally its key, whether it is the primary server and which access mode it serves; the no form deletes the RADIUS authentication server.

Command (Global Mode):
  radius-server accounting host {<ipv4-address> | <ipv6-address>} [port <port-number>] [key {0 | 7} <string>] [primary]
  no radius-server accounting host {<ipv4-address> | <ipv6-address>}
Explanation: Specify the IPv4/IPv6 address and port number of a RADIUS accounting server, optionally its key and whether it is the primary server; the no form deletes the RADIUS accounting server.

4. Configure the parameters of the RADIUS service
Command (Global Mode):
  radius-server dead-time <minutes>
  no radius-server dead-time
Explanation: Configure how long a RADIUS server that has been marked down is skipped before it is considered available again; the no form of this command restores the default configuration.

Command (Global Mode):
  radius-server retransmit <retries>
  no radius-server retransmit
Explanation: Configure the number of retransmissions of RADIUS packets; the no form of this command restores the default configuration.

Command (Global Mode):
  radius-server timeout <seconds>
  no radius-server timeout
Explanation: Configure the timeout value for the RADIUS server; the no form of this command restores the default configuration.

Command (Global Mode):
  radius-server accounting-interim-update timeout <seconds>
  no radius-server accounting-interim-update timeout
Explanation: Configure the interval of accounting interim updates; the no form of this command restores the default configuration.

5. Configure the IP address of the RADIUS NAS
Command (Global Mode):
  radius nas-ipv4 <ip-address>
  no radius nas-ipv4
Explanation: Configure the source IPv4 address for the RADIUS packets of the switch.

Command (Global Mode):
  radius nas-ipv6 <ipv6-address>
  no radius nas-ipv6
Explanation: Configure the source IPv6 address for the RADIUS packets of the switch.

5.8.3 RADIUS Typical Examples

5.8.3.1 IPv4 Radius Example


[Figure: nodes 10.1.1.1, 10.1.1.2 (switch) and 10.1.1.3 (Radius Server)]

Figure 5-22 The Topology of IEEE802.1x configuration

A computer connects to a switch whose IP address is 10.1.1.2; the switch is connected to a RADIUS authentication server via Ethernet1/0/2. The IP address of the server is 10.1.1.3, the authentication port is the default 1812 and the accounting port is the default 1813.
Configure steps as below:
Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ip address 10.1.1.2 255.255.255.0
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 10.1.1.3
Switch(config)#radius-server accounting host 10.1.1.3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable

5.8.3.2 IPv6 RADIUS Example

[Figure: nodes 2004:1:2:3::1, 2004:1:2:3::2 (switch) and 2004:1:2:3::3 (Radius Server)]

Figure 5-23 The Topology of IPv6 Radius configuration

A computer connects to a switch whose IPv6 address is 2004:1:2:3::2; the switch is connected to a RADIUS authentication server via Ethernet1/0/2. The IPv6 address of the server is 2004:1:2:3::3, the authentication port is the default 1812 and the accounting port is the default 1813.

Configure steps as below:


Switch(config)#interface vlan 1
Switch(Config-if-vlan1)#ipv6 address 2004:1:2:3::2/64
Switch(Config-if-vlan1)#exit
Switch(config)#radius-server authentication host 2004:1:2:3::3
Switch(config)#radius-server accounting host 2004:1:2:3::3
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable

5.8.4 RADIUS Troubleshooting


In configuring and using RADIUS, authentication may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
- First, the physical connection to the RADIUS server is in good condition;
- Second, all interfaces and link protocols are in the UP state (use the "show interface" command);
- Then, the RADIUS key configured on the switch is identical to the one configured on the RADIUS server;
- Finally, the switch is connecting to the correct RADIUS server.

If the RADIUS authentication problem remains unsolved, use debug aaa and other debugging commands, copy the DEBUG messages from within 3 minutes and send the recorded messages to the technical service center of our company.

5.9 SSL

5.9.1 Introduction to SSL


As computer networking spreads, network security has an ever greater impact on the availability and usability of networked applications, and has become one of the greatest barriers to modern networking applications.
To protect sensitive data transferred over the Web, Netscape introduced the Secure Socket Layer (SSL) protocol for its Web browser. SSL 2.0 and 3.0 have been released; SSL 2.0 is obsolete because of security problems and is not supported on these switches. (SSL 3.0 has since been deprecated as well, in favour of TLS; see RFC 7568.) The SSL protocol uses public-key cryptography and has become the industry standard for secure Web communication on the Internet. The Web browser combines HTTP with SSL to realize secure communication.
SSL is a security protocol that protects private data transmitted over the Internet. SSL is designed for secure transmission between client and server, with authentication of the server and optionally of the client. SSL must be built on a reliable transport layer (such as TCP). SSL is independent of the application layer: protocols such as HTTP, FTP and TELNET can run on top of SSL transparently. The SSL protocol negotiates the encryption algorithm and encryption key and authenticates the server before any data is transmitted; once the negotiation is done, all the data transferred is encrypted.
From the above, the secure channel provided by SSL has three characteristics:
- Privacy. The cipher suite is negotiated first, then all messages are encrypted.
- Authentication. Client authentication of the session is optional, but the server is always authenticated.
- Reliability. Each message carries an integrity check (a MAC).

5.9.1.1 Basic Element of SSL


The basic strategy of SSL is to provide a secure channel for arbitrary application data between two communicating programs. In principle an SSL connection is similar to an encrypted TCP connection: SSL sits below the application layer and above TCP. Provided the lower-layer transport is reliable, data written to the network is delivered to the other program in order, without packet loss or retransmission visible to the application. Many transport protocols could provide such a service in theory, but in practice SSL almost always runs on TCP and not directly on UDP or IP.
When the web function is running on the switch and a client visits the switch's web site through a browser, the SSL function can be used. Communicating with the switch over an SSL connection improves security.
First, SSL must be enabled on the switch. When the client accesses the switch via https, an SSL session is set up between the switch and the client; once it is set up, all application-layer data is encrypted.
The SSL handshake is done while the session is being set up. The switch must provide a certificate and key. Currently the certificate provided by the switch is not issued by an official certificate authority but is a self-signed certificate generated with SSL software under Linux, which may not be trusted by the web browser. For the switch application, applying for a formal SSL certificate is not necessary: a self-signed certificate is enough to encrypt the communication between users and the switch. Currently the client is not required to check the validity of the certificate. Note, however, that a browser which accepts an untrusted certificate cannot distinguish the switch from an attacker presenting a different self-signed certificate, so administrators should verify the certificate fingerprint on first connection or install the switch's certificate in the browser's trust store. The encryption key and the encryption method are negotiated during the handshake and are then used for data encryption.
SSL session handshake process:
SSL session handshake process:

Figure 5-24 SSL session handshake process

5.9.2 SSL Configuration Task List


1. Enable/disable SSL function
2. Configure/delete port number by SSL used
3. Configure/delete secure cipher suite by SSL used
4. Maintenance and diagnose for the SSL function

1. Enable/disable SSL function
Command (Global Mode):
  ip http secure-server
  no ip http secure-server
Explanation: Enable/disable the SSL function.

2. Configure/delete the port number used by SSL
Command (Global Mode):
  ip http secure-port <port-number>
  no ip http secure-port
Explanation: Configure the port number used by SSL; the "no ip http secure-port" command deletes the configured port number.

3. Configure/delete the cipher suite used by SSL
Command (Global Mode):
  ip http secure-ciphersuite {des-cbc3-sha | rc4-128-sha | des-cbc-sha}
  no ip http secure-ciphersuite
Explanation: Configure/delete the cipher suite used by SSL. Note that RC4 (RFC 7465) and single DES are no longer considered secure and are rejected by current browsers; des-cbc3-sha is the strongest of the three but is also being phased out, so expect connection failures with up-to-date browsers.

4. Maintenance and diagnosis of the SSL function
Command (Admin Mode or Configuration Mode):
  show ip http secure-server status
Explanation: Show the configured SSL information.

Command (Admin Mode or Configuration Mode):
  debug ssl
  no debug ssl
Explanation: Enable/disable debugging for the SSL function.

5.9.3 SSL Typical Example


When the Web function is enabled on the switch, SSL can be configured so that users access the web interface of the switch over an encrypted session: the client accesses the switch via https, an SSL session is set up between the switch and the client, and all application-layer data is then encrypted.

[Figure: PC users' web browser reaches the switch's Web Server over an https SSL session; the data acquisition of malicious users fails]

Figure 5-25
Configuration on the switch:
Switch(config)# ip http secure-server
Switch(config)# ip http secure-port 1025
Switch(config)# ip http secure-ciphersuite rc4-128-sha

5.9.4 SSL Troubleshooting


In configuring and using SSL, the SSL function may fail due to reasons such as physical connection failure or wrong configuration. The user should ensure the following:
- First, the physical connection is in good condition;
- Second, all interfaces and link protocols are in the UP state (use the "show interface" command);
- Then, make sure the SSL function is enabled (use the ip http secure-server command);
- If a non-default port number has been configured, include that port number in the URL entered in the browser;
- If SSL is enabled, SSL should be restarted after changes to the port or cipher suite configuration;
- IE 7.0 or above should be used with des-cbc-sha;
- If the SSL problem remains unsolved after the above, use debug ssl and other debugging commands, copy the DEBUG messages from within 3 minutes and send the recorded messages to the technical service center of our company.

5.10 VLAN-ACL

5.10.1 Introduction to VLAN-ACL


The user can apply an ACL policy to a VLAN to implement access control on all ports in the VLAN; VLAN-ACL thus lets the user manage the network conveniently. The user only needs to configure the ACL policy on the VLAN and the corresponding ACL action takes effect on all member ports of the VLAN, without configuring each member port separately.
When a VLAN ACL and a Port ACL are configured at the same time, the Port ACL is matched first, because the Port ACL has higher priority than the VLAN-ACL.
VLAN-ACL filters packets in the ingress direction: packets matching the specified rules can be permitted or denied. The ACL can be an IP ACL, MAC ACL, MAC-IP ACL or IPv6 ACL, and the ingress direction of a VLAN can bind all four kinds of ACL at the same time.

5.10.2 VLAN-ACL Configuration Task List


1. Configure VLAN-ACL of IP type


2. Configure VLAN-ACL of MAC type
3. Configure VLAN-ACL of MAC-IP
4. Configure VLAN-ACL of IPv6 type
5. Show configuration and statistic information of VLAN-ACL
6. Clear statistic information of VLAN-ACL

1. Configure VLAN-ACL of IP type
Command (Global Mode):
  vacl ip access-group {<1-299> | WORD} {in | out} [traffic-statistic] vlan WORD
  no vacl ip access-group {<1-299> | WORD} {in | out} vlan WORD
Explanation: Configure or delete an IP VLAN-ACL. (Egress filtering is not supported by the switch.)

2. Configure VLAN-ACL of MAC type
Command (Global Mode):
  vacl mac access-group {<700-1199> | WORD} {in | out} [traffic-statistic] vlan WORD
  no vacl mac access-group {<700-1199> | WORD} {in | out} vlan WORD
Explanation: Configure or delete a MAC VLAN-ACL. (Egress filtering is not supported by the switch.)

3. Configure VLAN-ACL of MAC-IP type
Command (Global Mode):
  vacl mac-ip access-group {<3100-3299> | WORD} {in | out} [traffic-statistic] vlan WORD
  no vacl mac-ip access-group {<3100-3299> | WORD} {in | out} vlan WORD
Explanation: Configure or delete a MAC-IP VLAN-ACL. (Egress filtering is not supported by the switch.)

4. Configure VLAN-ACL of IPv6 type
Command (Global Mode):
  vacl ipv6 access-group {<500-699> | WORD} {in | out} [traffic-statistic] vlan WORD
  no vacl ipv6 access-group {<500-699> | WORD} {in | out} vlan WORD
Explanation: Configure or delete an IPv6 VLAN-ACL. (Egress filtering is not supported by the switch.) This switch only supports the IPv6 standard ACL.

5. Show configuration and statistic information of VLAN-ACL
Command (Admin Mode):
  show vacl [in | out] vlan [<vlan-id>]
Explanation: Show the configuration and the statistics of the VACL. (Egress filtering is not supported by the switch.)

6. Clear statistic information of VLAN-ACL
Command (Admin Mode):
  clear vacl [in | out] statistic vlan [<vlan-id>]
Explanation: Clear the statistics of the VACL. (Egress filtering is not supported by the switch.)

5.10.3 VLAN-ACL Configuration Example


A company's network is configured as follows: the departments are separated into different VLANs, the technique department is in Vlan1 and the finance department in Vlan2. The technique department may access the outside network only outside working hours, while the finance department is not allowed to access the outside network at any time, for security. The following policies are therefore configured:
- Set the policy VACL_A for the technique department: during working hours only the internal network is permitted and everything else is denied; outside working hours no rule applies, so they can access the outside network. Apply the policy to Vlan1.
- Set the policy VACL_B for the finance department: at any time they cannot access the outside network but can access the internal network without limitation. Apply the policy to Vlan2.
The network environment is shown below:


Figure 5-26 VLAN-ACL configuration example


Configuration example:
1) First, configure a time range; the valid time is the working hours of working days:
Switch(config)#time-range t1
Switch(config-time-range-t1)#periodic weekdays 9:00:00 to 12:00:00
Switch(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00
2) Configure the extended IP ACL vacl_a; during working hours it only allows access to resources within the internal network (such as 192.168.0.255):
Switch(config)# ip access-list extended vacl_a
Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.0.0 0.0.0.255 time-range t1
Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
3) Configure the extended IP ACL vacl_b; at any time it only allows access to resources within the internal network (such as 192.168.1.255):
Switch(config)#ip access-list extended vacl_b
Switch(config-ip-ext-nacl-vacl_b)# permit ip any-source 192.168.1.0 0.0.0.255
Switch(config-ip-ext-nacl-vacl_b)# deny ip any-source any-destination
4) Apply the configuration to the VLANs:
Switch(config)#firewall enable
Switch(config)#vacl ip access-group vacl_a in vlan 1
Switch(config)#vacl ip access-group vacl_b in vlan 2

5.10.4 VLAN-ACL Troubleshooting


 When a VLAN ACL and a port ACL are configured at the same time, the priority is port > VLAN if the two ACLs are of the same kind, for example both IP ACLs or both MAC ACLs. So only the rules on the port are effective if a packet matches the rules on the port and on the VLAN at the same time, and in that case the deny-priority principle does not hold. If the two ACLs are not of the same kind, the deny-priority principle holds.
 Only one ACL of each type can be applied to a VLAN; for example, each VLAN can have only one basic IP ACL applied.
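The following Python model, added here as an illustration and not taken from the S4600 guide, replays the 5.10.3 policies (time range t1, vacl_a on Vlan1, vacl_b on Vlan2) and the 5.10.4 priority rules against sample packets; first-match rule order, an implicit permit when no rule matches, and the constructed outside address 203.0.113.10 are assumptions.

```python
"""Model of the VLAN-ACL example (5.10.3) and the port/VLAN priority rules
(5.10.4). Added illustration, not S4600 code: rule order (first match wins)
and the implicit permit when no rule matches are assumptions chosen so that
the guide's scenario behaves as described."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class TimeRange:
    """'periodic weekdays HH:MM:SS to HH:MM:SS' windows, like t1 in the guide."""
    name: str
    periods: List[Tuple[str, str]]          # ("HH:MM", "HH:MM"), Monday-Friday

    def active(self, when: datetime) -> bool:
        if when.weekday() > 4:               # Monday=0 ... Friday=4
            return False
        hm = when.strftime("%H:%M")
        return any(start <= hm < end for start, end in self.periods)


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    dst: str = "0.0.0.0/0"                   # any-destination
    time_range: Optional[TimeRange] = None   # rule is dormant outside its window

    def matches(self, dst_ip: str, when: datetime) -> bool:
        if self.time_range is not None and not self.time_range.active(when):
            return False
        return ip_address(dst_ip) in ip_network(self.dst)


def evaluate(rules: List[Rule], dst_ip: str, when: datetime) -> str:
    """First matching rule decides; with no match the packet is permitted
    (assumption, needed for the technical department's off-hours access)."""
    for rule in rules:
        if rule.matches(dst_ip, when):
            return rule.action
    return "permit"


def combined(port_acl: Optional[List[Rule]], vlan_acl: Optional[List[Rule]],
             same_type: bool, dst_ip: str, when: datetime) -> str:
    """5.10.4: if a packet matches both a port ACL and a VLAN ACL of the same
    type (both IP or both MAC), only the port ACL is effective; for ACLs of
    different types the deny-priority principle applies."""
    p = evaluate(port_acl, dst_ip, when) if port_acl is not None else None
    v = evaluate(vlan_acl, dst_ip, when) if vlan_acl is not None else None
    if p is None or v is None:
        return p or v or "permit"
    if same_type:
        return p
    return "deny" if "deny" in (p, v) else "permit"


# The guide's configuration: t1 = working hours, vacl_a for Vlan1, vacl_b for Vlan2.
T1 = TimeRange("t1", [("09:00", "12:00"), ("13:00", "18:00")])
VACL_A = [Rule("permit", "192.168.0.0/24", T1), Rule("deny", time_range=T1)]
VACL_B = [Rule("permit", "192.168.1.0/24"), Rule("deny")]

WORK = datetime(2024, 1, 1, 10, 0)       # Monday 10:00, inside t1
EVENING = datetime(2024, 1, 1, 20, 0)    # Monday 20:00, outside t1
SATURDAY = datetime(2024, 1, 6, 10, 0)   # weekend, t1 never active
OUTSIDE = "203.0.113.10"                 # constructed "outside network" address

if __name__ == "__main__":
    for label, acl in (("Vlan1/vacl_a", VACL_A), ("Vlan2/vacl_b", VACL_B)):
        print(label, "work:", evaluate(acl, OUTSIDE, WORK),
              "evening:", evaluate(acl, OUTSIDE, EVENING))
```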

5.11 Captive Portal Authentication

5.11.1 Captive Portal Authentication Configuration

5.11.1.1 Introduction to Captive Portal Authentication


The authentication function is a way to manage and control the network resources available to users. It stores the client authentication information on the authentication server according to certain rules. When a user needs to use the network resources, the captive portal function redirects the user's network request to the authentication server; the user then has to provide a valid username, password and other information, and the authentication server checks the user's information and decides whether the user is allowed to use the network resources. In the authentication function the switch acts as the relay between the user and the authentication server. Through the switch configuration, the user is able to connect and communicate with the authentication server, and the server analyzes the data and returns the corresponding feedback to the user. The authentication function is based on the redirection function.
Redirection is a function that re-connects the original request to a predetermined site and continues the operation there. When the AP receives a client request, it transfers the client request to a predetermined address, and the interaction between the client and the redirected address completes certain functions and operations. This operation achieves the aim of managing and monitoring the user. The client is redirected to the portal authentication page, which requires the user to fill in the username and password; only when the username and password pass the check can the user use the network resources. Portal authentication can apply different control strategies to different types of users.
The portal server function is a way to configure a different external portal server for each CP configuration. When the network binds different CP configurations that have different portal servers configured, the redirect page is launched through the bound portal server. You can configure up to 10 external portal servers. Each CP configuration can bind one portal server.

5.11.1.2 Captive Portal Authentication Configuration


Authentication function task list is as below:
1. Enable/disable captive portal authentication function

2. Configure captive portal redirect function


1) Configure or delete the portal server name
2) Configure the user instance
3) Configure redirect address
4) Configure the redirect url-head
5) Configure/delete radius server name
6) Configure to bind or relieve the portal server
7) Configure the url to carry the parameter of ac-name
8) Configure the url to carry the parameter of ssid
9) Configure the url to carry the parameter of nas-ip
3. Configure AAA function
1) Enable/stop AAA function
2) Configure RADIUS authentication server group name
4. Configure RADIUS authentication server
1) Configure RADIUS server key
2) Configure RADIUS authentication server address
5. Bind the portal rule to the port

1. Enable/disable captive portal authentication function

Command Explanation
Captive Portal Configuration Mode
enable
disable
    Enable/disable captive portal function globally.

2. Configure captive portal redirect function

Command Explanation
Captive Portal Configuration Mode
external portal-server server-name <name> {ipv4 | ipv6} <ipaddr> [port <1-65535>]
no external portal-server {ipv4 | ipv6} server-name <name>
    Configure/delete external portal server.
nas-ip4 <A.B.C.D>
    Configure the nas-ip address.
configuration <cp-id>
no configuration <cp-id>
    Configure/delete portal routine of different types of users. 10 kinds of routines can be configured.
Captive Portal Instance Configuration Mode
redirect url-head <word>
no redirect url-head
    Configure the redirect url-head including transmission protocol, host name, port and path. The no command deletes the configuration.


radius-auth-server <server-name>
no radius-auth-server
    Configure/delete authentication server name.
portal-server {ipv4 | ipv6} <name>
no portal-server {ipv4 | ipv6}
    Bind/unbind portal server name.
enable
disable
    Enable/disable a portal routine.
ac-name <word>
no ac-name
    Configure the url to carry the parameter of acname. The no command deletes it.
redirect attribute ssid name <word>
no redirect attribute ssid name
    Configure the url to carry the parameter of ssid. The no command recovers the ssid to be the default value.
redirect attribute nas-ip enable
no redirect attribute nas-ip enable
    Configure the url to carry the parameter of nas-ip. The no command disables this function.
redirect attribute nas-ip name <word>
no redirect attribute nas-ip name
    Configure the name of the parameter of nas-ip carried in url. The no command recovers the name to be the default value.

3. Configure AAA function

Command Explanation
Global Mode
aaa enable
no aaa enable
    Enable/stop the AAA function of a captive portal routine.
aaa group server radius <word>
no aaa group server radius <word>
    Configure/delete RADIUS name of AAA function.

4. Configure RADIUS authentication server

Command Explanation
Global Mode
radius-server key <word>
no radius-server key
    Configure/delete RADIUS server key.
radius-server authentication host <A.B.C.D>
no radius-server authentication host <A.B.C.D>
    Configure/delete RADIUS authentication server address.


5. Bind the portal rule to the port


Command Explanation
Config Mode
vlan-pool <1-255> <WORD>
no vlan-pool <1-255>
    Configure or delete the vlan pool. (optional)
Port Mode
portal enable configuration <id> [vlan-pool WORD]
no portal enable [vlan-pool WORD]
    Enable the port portal authentication function and appoint the instance number which is bound to the port. It can also appoint on which vlans portal is enabled; if no vlan is appointed, portal is enabled on all vlans by default. The no command disables the portal authentication function of the port. (necessary)

5.11.1.3 Captive Portal Authentication Examples

Figure 5-27 authentication function configuration


As shown above, pc1 is the terminal client; it has an HTTP browser but no 802.1x authentication client, and pc1 wants to access the network through portal authentication.
Switch1 is the access device; its accounting server address is configured as the IP and port of the radius server, and the accounting function is enabled. Ethernet1/0/2 is connected to pc1, the port has the portal authentication function enabled, and the redirection address is configured as the IP and port of the portal server. So Ethernet1/0/2 forbids all traffic and only allows dhcp/dns/arp packets.
Switch2 is the aggregation switch; its Ethernet1/0/2 connects to the radius server and its Ethernet1/0/3 connects to the portal server. The address of the radius server is 192.168.40.100, and the address of the portal server is 192.168.40.99. Ethernet1/0/4 is connected to the DHCP server and Ethernet1/0/5 is connected to the DNS server. Ethernet1/0/6 is a trunk port and is connected to the trunk port Ethernet1/0/4 of switch1.

Configure the radius server:


switch (config)#radius-server key 0 test
switch (config)#aaa group server radius radius_aaa_1
switch (config-sg-radius)# server 192.168.40.100

The configuration of global authentication:


Switch(config)#interface vlan 1
Switch(config-if-vlan1)#ip address 192.168.40.50 255.255.255.0
Switch(config)#free-resource 1 destination ipv4 192.168.40.99/32
Switch(config)# vlan-pool 1 2-10

Configure the portal function and portal server under the portal instance:
Switch (config)#captive-portal
Switch (config-cp)#enable
Switch(config-cp)# nas-ipv4 192.168.40.50
Switch(config-cp)# external portal-server server-name abc ipv4 192.168.40.99
Switch (config-cp)# configuration 1
Switch (config-cp-instance)#name helix4
Switch (config-cp-instance)#radius-auth-server abc99
Switch (config-cp-instance)# redirect attribute nas-ip enable
Switch (config-cp-instance)#redirect attribute nas-ip name kk
Switch (config-cp-instance)#ac-name helix4
Switch (config-cp-instance)#redirect url-head http://192.168.40.99/a70.htm
Switch (config-cp-instance)# portal-server ipv4 abc

Enable the portal function on the port:


Switch (config)# interface ethernet1/0/2
Switch (config-if-ethernet1/0/2)#portal enable configuration 1 vlan-pool 1

5.11.1.4 Captive Portal Authentication Troubleshooting


If you encounter problems when using the redirection function, please check whether the reasons are as follows:
 Whether the captive portal function has been launched and the portal configuration switch has been opened. Both the captive portal and the portal configuration should be enabled; otherwise, the captive portal function will not work, and the client cannot be redirected to the specified page.
 Whether the authentication server name of the AAA module is the same as the configured authentication server name of the captive portal.
 Whether the port which connects the pc and the switch has the portal authentication function enabled.

5.11.2 Accounting Function Configuration

5.11.2.1 Introduction to Accounting Function


The accounting function is used to monitor and account for users who use the network resources. A client cannot access the network resources before it passes the captive portal authentication; only through the portal authentication can it access the network resources. The user's session duration is defined to control the time and the traffic for which the network resources are used.

5.11.2.2 Accounting Function Configuration


Accounting function configuration task list is as below:
1. Configure RADIUS accounting server
1) Configure/delete accounting server address
2. Configure AAA accounting function
1) Enable/disable accounting service function
3. Configure captive portal accounting function
1) Block/unblock portal function
2) Configure/delete captive portal configuration name
3) Enable/disable captive portal accounting function
4) Configure/delete captive portal accounting server name
5) Configure/delete captive portal session time

1. Configure RADIUS accounting server

Command Explanation
Global Mode
radius-server accounting host <A.B.C.D>
no radius-server accounting host <A.B.C.D>
    Configure/delete accounting server address.

2. Configure AAA accounting function

Command Explanation
Global Mode


aaa-accounting enable
no aaa-accounting
    Enable/disable accounting service function.

3. Configure captive portal accounting function

Command Explanation
Captive Portal Configuration Mode
block
no block
    Block/unblock portal function.
name <word>
no name
    Configure/delete captive portal configuration name.
radius accounting
no aaa-accounting
    Enable/disable captive portal accounting function.
radius-acct-server <word>
no radius-acct-server
    Configure/delete captive portal accounting server name.
session-timeout <0-86400>
session-timeout
    Configure/delete captive portal session time.

5.11.2.3 Accounting Function Examples

Figure 5-28 accounting function configuration


1. Configure the AAA accounting function on switch1.


AAA configuration of Switch1:
switch 1(config)# aaa enable
switch 1(config)# aaa-accounting enable
switch 1(config)# radius-server accounting host 192.168.40.100
switch1 (config)#radius-server key 0 test
switch1 (config)#aaa group server radius abc99
switch (config-sg-radius)# server 192.168.40.100
2. Configure the captive portal accounting function on switch1.
Switch 1(config)#captive-portal
Switch 1(config-cp)#enable
Switch1 (config-cp)# configuration 1
Switch1 (config-cp-instance)#radius accounting
Switch1 (config-cp-instance)# radius-acct-server abc99

5.11.2.4 Accounting Function Troubleshooting


If you encounter problems when using the accounting function, please check whether the reasons are as follows:
 Whether the captive portal function has been launched and the portal configuration switch has been opened. Both the captive portal and the portal configuration should be enabled; otherwise, the captive portal function will not work, and the client cannot be redirected to the specified page.
 Whether the authentication server name of the AAA module is the same as the configured authentication server name of the captive portal.

5.11.3 Free-resource Configuration

5.11.3.1 Introduction to Free-resource


The free-resource function is the method of the captive portal module for implementing the free-resource access rule. By configuring free-resource rules, one can let clients directly access specific network resources without going through portal authentication.

5.11.3.2 Free-resource Configuration


1. Configure the free-resource rule

Command Explanation
Config Mode


free-resource destination {ipv4 A.B.C.D/M | ipv6 X:X:X:X/M}
[no] free-resource destination {ipv4 A.B.C.D/M | ipv6 X:X:X:X/M}
    Configure or delete the free-resource rule.

5.11.3.3 Free-resource Examples

Case:
Set up an environment as shown below. The IP is the address segment of Client1, and the Destination IP is the address segment of the resources the client wants to access. Appoint RADIUS server 1 as the authentication server; client1 and client2 can access the free resource 3.1.1.0/24 and will not be redirected to the authentication server.

Figure 5-29 multi-portal servers function configuration


Configuration steps:
Switch1(config)# free-resource destination ipv4 3.1.1.0/24

5.11.3.4 Free-resource Troubleshooting


If you encounter problems when using the redirection function, please check whether the reasons are as follows:
 Whether the captive portal function has been launched and the portal configuration switch has been opened. Both the captive portal and the portal configuration should be enabled; otherwise, the captive portal function will not work, and the client cannot be redirected to the specified page.
 Whether the port which connects the client and the switch has the portal rule enabled.

5.11.4 Authentication White-list Configuration

5.11.4.1 Introduction to Authentication White-list



The authentication white-list is used for some special users in the network. The administrator can grant permission for these users to connect to the network and use network resources without authentication, but the administrator needs to obtain the user's MAC address. At the same time, a user who has this permission to use network resources is not billed. Such a user is therefore an advanced user.

5.11.4.2 Authentication White-list Configuration


1. Configure user mac with Authentication white-list function purview

Command Explanation
Config Mode
free mac <MACADD> <MACMASK>
no free mac <MACADD> <MACMASK>
    Configure or delete the mac address without needing to authenticate.

5.11.4.3 Authentication White-list Examples

Case:
As shown below, client1 and client2 are the terminal clients; the port connected to the switch has portal authentication enabled. But these two clients are advanced users, so they need no authentication to access the network.

Figure 5-30 Authentication White-list function configuration


Configuration steps:
Configure the authentication white-list for pc1 and pc2.
Switch1 (config)#free-mac 68-74-7f-29-76-04 ff-ff-ff-ff-ff-ff
Switch1 (config)#free-mac 00-03-0f-11-11-11 ff-ff-ff-ff-ff-ff

5.11.4.4 Authentication White-list Troubleshooting


When you encounter problems in using the Authentication White-list function, please check whether the reasons are as follows:
 Whether the free mac matches the client mac.
 Whether the port which connects the client and the switch has the portal rule enabled.

5.11.5 Automatic Page Pushing after Successful Authentication (it is not supported currently)

5.11.5.1 Introduction to Automatic Page Pushing after Successful Authentication
The automatic page pushing function after successful authentication means that the web page the user wanted to access is re-opened after the authentication. Depending on the actual situation, either the welcome page requested before the authentication or a web page appointed by the automatic pushing function can be configured to be pushed.

5.11.5.2 Automatic Page Pushing after Successful Authentication Configuration

The configuration task list of automatic page pushing after successful authentication is as below:
1. Enable/disable the captive portal authentication function
2. Configure the automatic page pushing after successful authentication

1. Enable/disable the captive portal authentication function

Command Explanation
Captive Portal Mode
enable
disable
    Enable/disable the captive portal authentication function on the switch.

2. Configure the automatic page pushing after successful authentication


Command Explanation
Captive Portal Instance Mode
redirect attribute url-after-login enable
no redirect attribute url-after-login enable
    Enable the function that the redirect url carries the pushed url after the successful authentication. The no command disables it.
redirect attribute url-after-login name <name>
no redirect attribute url-after-login name
    Configure the attribute name of the pushed url after the successful authentication which is carried in the redirect url. The no command recovers the name to be the default value.


redirect attribute url-after-login encode {plain-text|base64}
    Configure the encoding of the pushed url after the successful authentication which is carried in the redirect url.
redirect attribute url-after-login value <url-value>
no redirect attribute url-after-login value
    Configure the appointed url which is popped up after the successful authentication. The no command deletes it.

5.11.5.3 Automatic Page Pushing after Successful Authentication Example

Case:
Configure the automatic page pushing after successful authentication on configuration 1, with the pushed page http://www.test.com.

Figure 5-31 Automatic Page Pushing after Successful Authentication Configuration


Configuration steps:
Configure the portal server information for switch1.
switch1 (config-cp)#enable
switch1 (config-cp)#configuration 1
switch1 (config-cp-instance)#enable
switch1 (config-cp-instance)# redirect attribute url-after-login enable
switch1 (config-cp-instance)# redirect attribute url-after-login encode plain-text
switch1 (config-cp-instance)# redirect attribute url-after-login name ad
switch1 (config-cp-instance)# redirect attribute url-after-login value http://www.test.com


5.11.5.4 Automatic Page Pushing after Successful Authentication Troubleshooting

When there is a problem in using the automatic page pushing function after successful authentication, please check the following:
 Check whether the captive portal authentication function is configured correctly. The automatic page pushing function after successful authentication can only take effect when the captive portal function works normally.
 If the command redirect attribute url-after-login value is configured, the configured page url is pushed automatically after the authentication; if that command is not configured, the page that the user accessed before the authentication is pushed.
 Check whether the page requested before the authentication, or the pushed page appointed by the command, exists; if not, the page cannot be accessed after pushing.

5.11.6 http-redirect-filter

5.11.6.1 Introduction to http-redirect-filter


http-redirect-filter appoints the IP or domain name for the HTTP redirection of portal authentication. Only HTTP packets destined for the configured IP or domain name are redirected. This function can be used together with Captive Portal, which means that the user's access can be filtered after captive portal is enabled.

5.11.6.2 http-redirect-filter Configuration


http-redirect-filter configuration task list:
1. Configure the http-redirect-filter rule
2. Bind the http-redirect-filter rule to cp instance

1. Configure the http-redirect-filter rule


Command Explanation
Captive Portal Mode
http-redirect-filter <1-32> (ip A.B.C.D | domain WORD)
no http-redirect-filter (<1-32>|all)
    Configure the http-redirect-filter rule. The no command deletes it.
2. Bind the http-redirect-filter rule to cp instance
Command Explanation
Captive Portal Mode
http-redirect-filter <1-32>
no http-redirect-filter (<1-32>|all)
    Bind a rule to an instance of the captive portal. The no command deletes the redirect binding.

5.11.6.3 http-redirect-filter Examples

Figure 5-32 http-redirect-filter function case


As shown above, if the client wants to access the public network host "test.permit.com" before portal authentication, the url white list should be configured. If the client is to be forbidden from accessing the public network host "test.deny.com" after portal authentication, the url black list should be configured.

Configure with the following steps:


1. Configure the related authentication key, authentication server, accounting server and aaa
mode of the radius server under the global mode:
switch (config)#radius-server key 0 test
switch (config)#radius-server authentication host 192.168.1.252
switch (config)#radius-server accounting host 192.168.1.252
switch (config)#aaa-accounting enable
switch (config)#aaa enable
switch (config)#aaa group server radius radius_aaa_1
switch (config-sg-radius)# server 192.168.1.252
switch(config)#interface vlan 192
switch(config-if-vlan1)#ip address 192.16.1.254 255.255.255.0
switch(config)#free-resource 1 destination ipv4 192.168.1.252/32

2. Configure the portal function, portal server under the portal instance:
Switch (config)#captive-portal
Switch (config-cp)#enable
Switch(config-cp)# nas-ipv4 192.168.1.254
Switch(config-cp)# external portal-server server-name abc ipv4 192.168.1.253
Switch (config-cp)# configuration 1
Switch (config-cp-instance)#enable
Switch (config-cp-instance)#name helix4
Switch (config-cp-instance)#radius accounting
Switch (config-cp-instance)#radius-acct-server abc99
Switch (config-cp-instance)#radius-auth-server abc99
Switch (config-cp-instance)#redirect attribute nas-ip enable
Switch (config-cp-instance)#ac-name helix4
Switch (config-cp-instance)#redirect url-head http://192.168.1.253/a70.htm
Switch (config-cp-instance)#portal-server ipv4 abc

3. Configure the http-redirect-filter rule:


Switch (config)#captive-portal
Switch (config-cp)# http-redirect-filter 1 domain test.permit.com
Switch (config-cp)#configuration 1
Switch (config-cp-instance)# http-redirect-filter 1

4. Enable the portal function on the port:


Switch (config)# interface ethernet1/0/2
Switch (config-if-ethernet1/0/2)#portal enable configuration 1

Before authentication, the client is redirected to authentication only when it accesses "test.permit.com"; accessing any other address does not trigger the redirection to authentication.

5.11.6.4 http-redirect-filter Troubleshooting


If there are problems in using the http-redirect-filter function, please check it with the following steps:
 Check whether the configured rule matches the accessed domain name.
 Check whether the DNS server configuration is correct and whether it can resolve the configured domain name correctly.
 Check whether the http-redirect-filter command is configured under the captive-portal configuration.
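The Python model below, added here as an illustration and not taken from the S4600 guide, ties together the decisions a portal-enabled port makes for an unauthenticated client's HTTP request (free mac white-list of 5.11.4, free-resource of 5.11.3, http-redirect-filter of 5.11.6) and builds the redirect URL from the instance attributes (ac-name, nas-ip name, url-after-login of 5.11.5). The order of the checks, the query-parameter name ac_name and the default attribute names are assumptions; the addresses and MACs are the guide's example values.

```python
"""Model of the unauthenticated-client decisions on a captive-portal port
(free mac 5.11.4, free-resource 5.11.3, http-redirect-filter 5.11.6) and of
the redirect URL built from the instance attributes (5.11.1, 5.11.5).
Added illustration, not S4600 code: check order and query layout are assumed."""
import base64
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
from urllib.parse import urlencode


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def free_mac_match(client_mac: str, entries: List[Tuple[str, str]]) -> bool:
    """'free mac <MACADD> <MACMASK>': compare only the bits set in the mask."""
    client = mac_to_int(client_mac)
    return any((client & mac_to_int(mask)) == (mac_to_int(addr) & mac_to_int(mask))
               for addr, mask in entries)


@dataclass
class CpInstance:
    url_head: str                            # 'redirect url-head'
    ac_name: str                             # 'ac-name <word>'
    nas_ip: str                              # 'nas-ipv4' of the captive portal
    nas_ip_enable: bool = True               # 'redirect attribute nas-ip enable'
    nas_ip_name: str = "nas-ip"              # 'redirect attribute nas-ip name'; default assumed
    after_login_enable: bool = False         # 'redirect attribute url-after-login enable'
    after_login_name: str = "url"            # '... url-after-login name'; default assumed
    after_login_encode: str = "plain-text"   # 'plain-text' or 'base64'
    after_login_value: Optional[str] = None  # '... url-after-login value'
    redirect_filter: List[str] = field(default_factory=list)  # ip or domain entries


@dataclass
class PortalConfig:
    instance: CpInstance
    free_resources: List[str] = field(default_factory=list)        # 'free-resource destination ipv4 A.B.C.D/M'
    free_macs: List[Tuple[str, str]] = field(default_factory=list)  # 'free mac <MACADD> <MACMASK>'


def build_redirect_url(inst: CpInstance, original_url: str) -> str:
    params = {"ac_name": inst.ac_name}       # query parameter name assumed
    if inst.nas_ip_enable:
        params[inst.nas_ip_name] = inst.nas_ip
    if inst.after_login_enable:
        # Without a configured value, the page requested before authentication is pushed.
        target = inst.after_login_value or original_url
        if inst.after_login_encode == "base64":
            target = base64.b64encode(target.encode()).decode()
        params[inst.after_login_name] = target
    return f"{inst.url_head}?{urlencode(params)}"


def handle_http(cfg: PortalConfig, client_mac: str, dst_ip: str, host: str,
                original_url: str) -> Tuple[str, Optional[str]]:
    """Returns ('pass', None), ('drop', None) or ('redirect', url)."""
    if free_mac_match(client_mac, cfg.free_macs):
        return ("pass", None)                # white-listed advanced user
    if any(ip_address(dst_ip) in ip_network(net) for net in cfg.free_resources):
        return ("pass", None)                # free resource, no authentication needed
    inst = cfg.instance
    if inst.redirect_filter and host not in inst.redirect_filter \
            and dst_ip not in inst.redirect_filter:
        return ("drop", None)                # only traffic to filtered hosts is redirected
    return ("redirect", build_redirect_url(inst, original_url))


# Constructed configuration using the guide's example values (5.11.4.3, 5.11.6.3).
INSTANCE = CpInstance(url_head="http://192.168.1.253/a70.htm", ac_name="helix4",
                      nas_ip="192.168.1.254", nas_ip_name="kk",
                      redirect_filter=["test.permit.com"])
CONFIG = PortalConfig(INSTANCE, free_resources=["192.168.1.252/32"],
                      free_macs=[("68-74-7f-29-76-04", "ff-ff-ff-ff-ff-ff"),
                                 ("00-03-0f-11-11-11", "ff-ff-ff-ff-ff-ff")])

if __name__ == "__main__":
    print(handle_http(CONFIG, "00-11-22-33-44-55", "198.51.100.7",
                      "test.permit.com", "http://test.permit.com/"))
```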

5.11.7 Portal Non-perception

5.11.7.1 Introduction to Portal Non-perception

MAC authentication gives the user experience of "authenticate once, use many times". If fast MAC authentication is enabled, the user authenticates successfully on the first landing on the Portal page, and afterwards the user can use any application.
In order to achieve fast MAC authentication for a large number of users, an external server must be used to save the MAC binding information, and the bindings are added dynamically rather than manually. This new realization of the scheme is called the fast MAC authentication scheme; since the user does not need to manually enter the user name and password for authentication when accessing the network again, it is also known as the portal non-perception authentication scheme.

5.11.7.2 Portal Non-perception Configuration

1. Enable/disable the quick mac authentication function


Command Explanation
Captive Portal Config Mode
fast-mac-auth
no fast-mac-auth
    Enable/disable the quick mac authentication function.

5.11.7.3 Portal Non-perception Examples

The created environment is as in the following figure and includes the parts below:
1. PC: the user accesses the network through the switch.
2. Public network: this part can be free or other switch devices.
3. Servers, including:
MAC binding server, used to save the authenticated terminal mac addresses;
Radius server, used for the portal authentication and accounting;
Portal server, used for the portal authentication.
The MAC binding server, Radius server and portal server can be the same device. The mac binding server is deployed as an extension on the radius server.

Figure 5-33

Configure as the following steps:


1. Configure the related authentication key, authentication server, accounting server and aaa
mode of the radius server under the global mode:
switch (config)#radius-server key 0 test
switch (config)#radius-server authentication host 192.16.1.26
switch (config)#radius-server accounting host 192.16.1.26
switch (config)#aaa-accounting enable
switch (config)#aaa enable
switch (config)#aaa group server radius radius_aaa_1
switch (config-sg-radius)# server 192.16.1.26
switch(config)#interface vlan 192
switch(config-if-vlan1)#ip address 192.16.1.50 255.255.255.0
switch(config)#free-resource 1 destination ipv4 192.16.1.26/32

2. Configure the portal function, portal server under the portal instance:
Switch (config)#captive-portal
Switch (config-cp)#enable
Switch(config-cp)# nas-ipv4 192.168.1.50
Switch(config-cp)# external portal-server server-name abc ipv4 172.16.1.26
Switch (config-cp)# configuration 1
Switch (config-cp-instance)#enable
Switch (config-cp-instance)#name helix4
Switch (config-cp-instance)#radius accounting
Switch (config-cp-instance)#radius-acct-server abc99
Switch (config-cp-instance)#radius-auth-server abc99
Switch (config-cp-instance)#redirect attribute nas-ip enable
Switch (config-cp-instance)#ac-name helix4
Switch (config-cp-instance)#redirect url-head http://172.16.1.26/a70.htm
Switch (config-cp-instance)# portal-server ipv4 abc

3. Configure the portal non-perception:


Switch (config-cp)#enable
Switch (config-cp)#fast-mac-auth

4. Enable the portal function on the port:


Switch (config)# interface ethernet1/0/2


Switch (config-if-ethernet1/0/2)#portal enable configuration 1

The normal portal authentication is needed on the first access. After the first time, the user can use the portal non-perception authentication.

5.11.7.4 Portal Non-perception Troubleshooting

Please check whether the reasons are the following when there are problems in using the portal non-perception function:
 Check whether the captive-portal function is enabled.
 Check whether the quick mac authentication function is enabled.
 Check whether the app table entry has been issued to the switch if the quick mac authentication is not effective after it is configured.

5.11.8 Portal Escaping


There is a risk in the current portal application. When the communication between the access device and the portal server is broken, new users cannot get on-line and on-line users cannot get off-line; the information on the access device and on the portal server becomes inconsistent, which causes accounting errors. These phenomena bring inconvenience to operators and users.
The portal escaping function provides a good method to solve the above problems. It lets on-line users use the network normally when the portal server or the radius server is not working normally, and new users can still access the network. So the portal escaping includes portal server escaping and radius server escaping.

5.11.8.1 Portal Server Escaping

5.11.8.1.1 Introduction to Portal Server Escaping


The principle of the portal server escaping function is as follows: the switch probes the
portal server periodically. If the probe succeeds, the server status is set to UP; if the probe fails
N times in a row (N is configurable), the switch changes the status of the unreachable server to
DOWN (escaping status), cancels the network authentication limit, allows portal users to access
the network without authentication, and sends trap and log information about the status
change. When it detects that the server is reachable again, it restores the server status to UP
(authentication status), restarts the network authentication limit, rejects unauthenticated users
accessing the network, and sends log and trap information about the status recovery.
The switch probes the portal server status by probing a TCP connection: it regularly
initiates a TCP connection to the portal server port of the portal server (the default is 2000,
and it can be configured). If the connection succeeds, the portal server is running, the probe is
considered successful and the server is reachable (the
5-80
S4600_Configuration Guide Chapter 5 Security Function Configuration

status is UP); if the connection fails, the probe is considered failed.


Probing interval and maximum number of probing failures: both can be configured through
commands. The maximum number of probing failures is the number of consecutive failed
probes after which the server is considered unreachable. One probing failure does not mean the
server is unreachable; the switch checks whether the number of failures has reached the
configured maximum. If it has, the server is considered unreachable; otherwise the count only
accumulates. After a successful probe, this count is cleared to 0.

When the status changes from reachable to unreachable, the server triggers the following
three actions; the administrator selects them through configuration:
 Send trap: send trap information to the network management server. The trap records the
portal server name and the server status before and after the change.
 Send log: send log information to the log server. The log records the portal server name
and the server status before and after the change.
 permit-all: also called portal escaping. Portal authentication is cancelled temporarily and all
portal users are allowed to access the network while the portal server is in the unreachable
(down) status.
When the status changes from unreachable to reachable, the server triggers the following
three actions. “Send trap” and “send log” can be selected through configuration; “Disable
portal escaping” is always carried out:
 Send trap: send trap information to the network management server. The trap records the
portal server name and the server status before and after the change.
 Send log: send log information to the log server. The log records the portal server name
and the server status before and after the change.
 Disable portal escaping: when the portal server status changes to reachable (up), the
portal authentication function of the VAP is restored. New users must pass portal
authentication to access the network.

Notice: The portal escaping function only ensures that new and existing users are not
affected when accessing the network while the server is unreachable. For the case where a user
cannot go off-line normally, other mechanisms apply: for example, when the portal server
recovers to UP, the access device forces the user off-line, which ensures that the user can go
off-line normally.
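The probe state machine described above, as an added Python model (example code, not the S4600's own implementation): PortalServerDetect counts consecutive TCP probe failures, moves the server from UP to DOWN (escaping) only when the configured maximum is reached, clears the counter on the first success, restores UP and forces escaping off on recovery, and records the trap and log events. The class and function names, the actions tuple and the probe sequence are assumptions made for this example; tcp_probe shows the real connect check and is not used in the offline demo.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class PortalServerDetect:
    """State for one probed portal server (assumed names, for illustration)."""
    server_name: str
    retries: int = 2                                   # maximum number of probing failures (N)
    actions: tuple = ("log", "permit-all", "trap")     # configured 'action' set
    status: str = "UP"                                 # UP = authentication, DOWN = escaping
    failures: int = 0                                  # consecutive failed probes so far
    permit_all: bool = False                           # True while authentication is cancelled
    events: list = field(default_factory=list)         # emitted (kind, server, old, new)

    def _notify(self, old: str, new: str) -> None:
        # Trap and log both carry the server name and the status before/after the change.
        for kind in ("trap", "log"):
            if kind in self.actions:
                self.events.append((kind, self.server_name, old, new))

    def probe(self, reachable: bool) -> str:
        """Record one probe result and return the server status afterwards."""
        old = self.status
        if reachable:
            self.failures = 0                  # a successful probe clears the counter
            if self.status == "DOWN":
                self.status = "UP"
                self.permit_all = False        # disabling escaping is enforced on recovery
                self._notify(old, "UP")
            return self.status
        self.failures += 1                     # a single failure only accumulates
        if self.status == "UP" and self.failures >= self.retries:
            self.status = "DOWN"               # configured maximum reached: escaping status
            self.permit_all = "permit-all" in self.actions
            self._notify(old, "DOWN")
        return self.status

    def allows_unauthenticated(self) -> bool:
        """True only while the server is DOWN and permit-all is configured."""
        return self.permit_all


def tcp_probe(host: str, port: int = 2000, timeout: float = 2.0) -> bool:
    """The probe itself: a TCP connect to the portal server port (default 2000)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(detector: PortalServerDetect, results: list) -> list:
    """Feed a constructed sequence of probe outcomes; return the status after each."""
    return [detector.probe(r) for r in results]


if __name__ == "__main__":
    d = PortalServerDetect("abc", retries=2)
    # Constructed outcomes: one blip, then two failures in a row, then recovery.
    print(run_probes(d, [False, True, False, False, True]))
    for e in d.events:
        print(e)
```

The single blip in the demo never changes the status because the counter is cleared by the following success; only the two consecutive failures reach the retry value, and the recovery both restores UP and switches permit-all off regardless of the configured action set.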

5.11.8.1.2 Portal Escaping Configuration


Portal escaping function configuration task list:
1. Enable the Portal escaping function and configure the probing interval and maximum number
of failures.
2. Show the current connection status of the Portal server.

1. Enable the Portal escaping function and configure the probing interval and maximum
number of failures
Command Explanation
Captive Portal Global Configuration Mode
portal-server-detect server-name <name> [interval <interval>] [retry <retries>] [action {log | permit-all | trap}]
no portal-server-detect server-name <name>
    Enable the Portal server escaping function, configure the related parameters (optional) and
    the actions taken when the server status changes.

2. Show the current connection status of the Portal server
Command Explanation
Admin Mode
show captive-portal ext-portal-server server-name <name> status
    Show the portal server status, including the server address and whether the portal escaping
    function is enabled.

5.11.8.1.3 Portal Escaping Examples

Figure 5-34 Portal server escaping function case


As shown above, while the portal server works normally, the client passes portal
authentication and accesses the network when it comes on-line. When the portal server is down
or the connection between it and the switch is broken, the client cannot authenticate and come
on-line if the portal escaping function is not enabled on the switch. If the portal escaping
function is enabled, the switch detects that the portal server is unavailable and starts portal
escaping, so the client can access the network without authentication. A client that passed
authentication before the portal server failed is not affected and can still access the network.

The configuration is as below:
1. Configure the related authentication key, authentication server, accounting server and aaa
mode of the RADIUS server in global mode.
switch (config)#radius-server key 0 test
switch (config)#radius-server authentication host 192.16.1.26
switch (config)#radius-server accounting host 192.16.1.26
switch (config)#aaa-accounting enable
switch (config)#aaa enable
switch (config)#aaa group server radius radius_aaa_1
switch(config-sg-radius)# server 192.16.1.26
switch(config)#interface vlan 192
switch(config-if-vlan192)#ip address 192.16.1.50 255.255.255.0
switch(config)#free-resource 1 destination ipv4 192.16.1.26/32

2. Configure the portal function, portal server under the portal instance:
Switch (config)#captive-portal
Switch (config-cp)#enable
Switch(config-cp)# nas-ipv4 192.168.1.50
Switch(config-cp)# external portal-server server-name abc ipv4 172.16.1.26
Switch (config-cp)# configuration 1
Switch (config-cp-instance)#enable
Switch (config-cp-instance)#name helix4
Switch (config-cp-instance)#radius accounting
Switch (config-cp-instance)#radius-acct-server abc99
Switch (config-cp-instance)#radius-auth-server abc99
Switch (config-cp-instance)#redirect attribute nas-ip enable
Switch (config-cp-instance)#ac-name helix4
Switch (config-cp-instance)#redirect url-head http://172.16.1.26/a70.htm
Switch (config-cp-instance) # portal-server ipv4 abc

3. Configure the portal escaping:
Switch (config-cp)#enable
Switch (config-cp)# portal-server-detect server-name abc interval 600 retry 2 action log permit-all trap

4. Enable the portal function on the port:
Switch (config)# interface ethernet1/0/2
Switch (config-if-ethernet1/0/2)#portal enable configuration 1

As shown above, the portal server cmcc is bound to the CP instance and the probing function
is configured with a probing interval of 600 s. If the probe fails twice, the switch sends trap and
log information about the unreachable server and enables portal escaping so that users can
access the network without authentication.

5.11.8.1.4 Portal Escaping Troubleshooting


If the portal escaping function does not take effect, use the following methods:
 Use the command show captive-portal ext-portal-server server-name <name> status to
check whether the detect mode of the portal server is “enable”. If it is not, the portal server
escaping function is not enabled; enable it.
 If the portal escaping function is enabled, check whether the Detect Operational Status is
down. Portal escaping takes effect only when the server status is down.
 If the portal server status is down and escaping still does not take effect, the device may
have a problem. Please contact the sales engineers.

5.11.8.2 Radius Server Escaping

5.11.8.2.1 Introduction to Radius Server Escaping


After the radius server escaping function is enabled, escaping takes effect when none of the
radius servers is reachable: the traffic of portal authentication clients is then allowed through.
When an authentication server is detected as reachable again, the allow rule is deleted.

5.11.8.2.2 Radius Server Escaping Configuration


Radius server escaping configuration task list:
1. Enable the radius server escaping function
2. Configure the detection interval of radius server

1. Enable the radius server escaping function
Command Explanation
Global Mode
radius-server escape {enable | disable}
    Enable or disable the radius server escaping function.

2. Configure the detection interval of radius server
Command Explanation
Global Mode
radius-server escape detection-interval {default | <second>}
    Configure the detection interval of the radius server; the default value is 180 s.

5.11.8.2.3 Radius Server Escaping Examples

Figure 5-35 Radius server escaping case

The configuration is as below:


1. Configure the related authentication key, authentication server, accounting server and aaa
mode of the RADIUS server in global mode.
switch (config)#radius-server key 0 test
switch (config)#radius-server authentication host 192.16.1.26
switch (config)#radius-server accounting host 192.16.1.26
switch (config)#aaa-accounting enable
switch (config)#aaa enable
switch (config)#aaa group server radius radius_aaa_1
switch(config-sg-radius)# server 192.16.1.26
switch(config)#interface vlan 192
switch(config-if-vlan192)#ip address 192.16.1.50 255.255.255.0
switch(config)#free-resource 1 destination ipv4 192.16.1.26/32

2. Configure the portal function, portal server under the portal instance:
Switch (config)#captive-portal
Switch (config-cp)#enable
Switch(config-cp)# nas-ipv4 192.168.1.50
Switch(config-cp)# external portal-server server-name abc ipv4 172.16.1.26
Switch (config-cp)# configuration 1
Switch (config-cp-instance)#enable
Switch (config-cp-instance)#name helix4
Switch (config-cp-instance)#radius accounting
Switch (config-cp-instance)#radius-acct-server abc99
Switch (config-cp-instance)#radius-auth-server abc99
Switch (config-cp-instance)#redirect attribute nas-ip enable
Switch (config-cp-instance)#ac-name helix4
Switch (config-cp-instance)#redirect url-head http://172.16.1.26/a70.htm
Switch (config-cp-instance)# portal-server ipv4 abc

3. Configure the radius server escaping:
Switch (config)# radius-server escape enable
Switch (config)# radius-server escape detection-interval 120

4. Enable the portal function on the port:
Switch (config)# interface ethernet1/0/2
Switch (config-if-ethernet1/0/2)#portal enable configuration 1

The radius server is detected every 120s.

5.11.8.2.4 Radius Server Escaping Troubleshooting


If there are problems when using the radius server escaping function, check it with the
following steps:
 Check whether the radius server escaping function is enabled.
 If the function is enabled, get the Retransmit and Time Out parameters with the command
show aaa config and check whether the configured detection-interval is larger than
(Retransmit+1)*Time Out. If the detection-interval is smaller than that value, the escaping
function will fail.
 If show aaa config shows Is Server live by radius escape function =0, escaping is running
but not effective. Please contact the sales engineers.


5.12 MAB

5.12.1 Introduction to MAB


Real networks contain devices on which an authentication client cannot be installed, such as
printers and PDAs, so they cannot perform 802.1x authentication. To access network resources,
they use MAB authentication instead of 802.1x authentication.
MAB authentication is a network access authentication method based on the access port and
the MAC address of the MAB user. The user does not need to install any authentication client.
After the authenticating device receives ARP packets sent by the MAB user, it authenticates the
user's MAC address against the authentication server; if the server holds matching
authentication information, the authentication succeeds and packets matching that port and
source MAC are allowed to pass. The MAB user does not need to enter a username and password
manually during authentication.
At present, the MAB authentication device supports only the RADIUS authentication method.
The authentication username and password can be selected in two ways: use the MAC address
of the MAB user as the username and password, or use a fixed username and password (all
users authenticate with the configured username and password).

5.12.2 MAB Configuration Task List


MAB Configuration Task List:
1. Enable MAB function
1) Enable global MAB function
2) Enable port MAB function
2. Configure MAB authentication username and password
3. Configure MAB parameters
1) Configure guest-vlan
2) Configure the binding-limit of the port
3) Configure the reauthentication time
4) Configure the offline detection time
5) Configure other parameters

1. Enable MAB function


Command Explanation
Global Mode
mac-authentication-bypass enable
no mac-authentication-bypass enable
    Enable the global MAB authentication function.
Port Mode
mac-authentication-bypass enable
no mac-authentication-bypass enable
    Enable the port MAB authentication function.


2. Configure MAB authentication username and password


Command Explanation
Global Mode
mac-authentication-bypass username-format {mac-address | {fixed username WORD password WORD}}
    Set the authentication mode of the MAB authentication function.

3. Configure MAB parameters


Command Explanation
Port Mode
mac-authentication-bypass guest-vlan <1-4094>
no mac-authentication-bypass guest-vlan
    Set the guest vlan of MAB authentication. Only a Hybrid port uses this command; it does
    not take effect on an access port.
mac-authentication-bypass binding-limit <1-100>
no mac-authentication-bypass binding-limit
    Set the maximum MAB binding-limit of the port.
Global Mode
mac-authentication-bypass timeout reauth-period <1-3600>
no mac-authentication-bypass timeout reauth-period
    Set the reauthentication interval after an authentication failure.
mac-authentication-bypass timeout offline-detect (0|<60-7200>)
no mac-authentication-bypass timeout offline-detect
    Set the offline detection interval.
mac-authentication-bypass timeout quiet-period <1-60>
no mac-authentication-bypass timeout quiet-period
    Set the quiet period of MAB authentication.
mac-authentication-bypass timeout stale-period <0-60>
no mac-authentication-bypass timeout stale-period
    Set the time after which the binding is deleted once the port goes down.
mac-authentication-bypass timeout linkup-period <0-30>
no mac-authentication-bypass timeout linkup-period
    Set the down/up interval applied when a MAB binding changes VLAN, so that the client
    obtains an IP address again.
mac-authentication-bypass spoofing-garp-check enable
no mac-authentication-bypass spoofing-garp-check enable
    Enable the spoofing-garp-check function; the MAB function will no longer handle spoofed
    gratuitous ARP. The no command disables the function.
authentication mab {radius | none}
no authentication mab
    Configure the authentication mode and priority of MAC addresses; the no command restores
    the default authentication mode.

5.12.3 MAB Example


Example:
The typical example of MAB authentication function:

Figure 5-36 MAB application (topology: Switch2 Eth1/0/1, Eth1/0/2 and Eth1/0/3 connect to the
Update Server, Radius Server and Internet; Switch2 Ethernet1/0/4 connects to Switch1
Ethernet1/0/4; Switch1 Eth1/0/1, Eth1/0/2 and Eth1/0/3 connect to PC1, PC2 and Printer)


Switch1 is a layer 2 access switch; Switch2 is a layer 3 aggregation switch.
On Switch1, Ethernet 1/0/1 is an access port connected to PC1; it enables the 802.1x
port-based function and configures vlan8 as the guest vlan.
Ethernet 1/0/2 is a hybrid port connected to PC2; its native vlan is vlan1, its guest vlan is
vlan8, it joins vlan1, vlan8 and vlan10 untagged, and it enables the MAB function.
Ethernet 1/0/3 is an access port connected to the printer and enables the MAB function.
Ethernet 1/0/4 is a trunk port connected to Switch2.

On Switch2, Ethernet 1/0/4 is a trunk port connected to Switch1.
Ethernet 1/0/1 is an access port in vlan8 connected to the update server, from which the
client software is downloaded and upgraded.
Ethernet 1/0/2 is an access port in vlan9 connected to the radius server, which is configured
with vlan10 as the auto vlan.
Ethernet 1/0/3 is an access port in vlan10 connected to external internet resources.

To implement this application, the configuration is as follows:


Switch1 configuration:
(1) Enable the 802.1x and MAB authentication functions globally, and configure the username
and password of MAB authentication and the radius-server address
Switch(config)# dot1x enable
Switch(config)# mac-authentication-bypass enable
Switch(config)#mac-authentication-bypass username-format fixed username mabuser password mabpwd
Switch(config)#vlan 8-10
Switch(config)#interface vlan 9
Switch(config-if-vlan9)#ip address 192.168.61.9 255.255.255.0
Switch(config-if-vlan9)#exit
Switch(config)#radius-server authentication host 192.168.61.10
Switch(config)#radius-server accounting host 192.168.61.10
Switch(config)#radius-server key test
Switch(config)#aaa enable
Switch(config)#aaa-accounting enable

(2) Enable the authentication function of each port
Switch(config)#interface ethernet 1/0/1
Switch(config-if-ethernet1/0/1)#dot1x enable
Switch(config-if-ethernet1/0/1)#dot1x port-method portbased
Switch(config-if-ethernet1/0/1)#dot1x guest-vlan 8
Switch(config-if-ethernet1/0/1)#exit

Switch(config)#interface ethernet 1/0/2
Switch(config-if-ethernet1/0/2)#switchport mode hybrid
Switch(config-if-ethernet1/0/2)#switchport hybrid native vlan 1
Switch(config-if-ethernet1/0/2)#switchport hybrid allowed vlan 1;8;10 untag
Switch(config-if-ethernet1/0/2)#mac-authentication-bypass enable
Switch(config-if-ethernet1/0/2)#mac-authentication-bypass guest-vlan 8
Switch(config-if-ethernet1/0/2)#exit

Switch(config)#interface ethernet 1/0/3
Switch(config-if-ethernet1/0/3)#switchport mode access
Switch(config-if-ethernet1/0/3)#mac-authentication-bypass enable
Switch(config-if-ethernet1/0/3)#exit

Switch(config)#interface ethernet 1/0/4
Switch(config-if-ethernet1/0/4)# switchport mode trunk

5.12.4 MAB Troubleshooting


If a problem occurs when using the MAB function, check whether it is caused by one of the
following:
 Make sure the global and port MAB functions are enabled;
 Make sure the correct username and password are used for MAB authentication;
 Make sure the radius-server configuration is correct.

5.13 PPPoE Intermediate Agent

5.13.1 Introduction to PPPoE Intermediate Agent

5.13.1.1 Brief Introduction to PPPoE


PPPoE (Point-to-Point Protocol over Ethernet) is a protocol that applies the PPP protocol to
Ethernet. PPP is a link layer protocol that supplies a point-to-point communication method; it is
usually used for host dial-up links, for example a telephone-line dial-up link. Applying PPP to
Ethernet means that the PPPoE protocol lets many hosts on an Ethernet connect to a remote
access concentrator (AC) through one or more bridge devices. If the remote access concentrator
is a broadband access server (BAS), it can supply broadband access and accounting functions
for these hosts, so PPPoE is usually used for broadband access authentication on Ethernet.

5.13.1.2 Introduction to PPPoE IA


As broadband access technology develops rapidly and broadband access networks keep growing,
security has gradually become the focus: clients, access devices and the network all face security
problems (especially from the client side) in current access networks. A traditional Ethernet user
cannot be identified, traced and located exactly, whereas in an open and controllable network,
identification and location are basic characteristics and requirements for users. For example, for
applications where users log in with user accounts, the method supplied by PPPoE Intermediate
Agent can effectively prevent user accounts from being stolen.
The PPPoE protocol works in two stages: the discovery stage and the session stage. The
discovery stage is used to obtain the MAC address of the remote server, establish a point-to-point
link and negotiate a session ID with the server; the session stage then uses this session ID to
communicate. PPPoE Intermediate Agent relates only to the discovery stage, so only the discovery
stage is introduced here.
The discovery stage has four steps:
1. Client sends PADI packet: In the first step, the client broadcasts a PADI (PPPoE Active
Discovery Initiation) packet, using the broadcast address as the destination address, to
discover access concentrators in the layer 2 network. Notice: this message may reach
many access concentrators in the network.
2. Broadband Access Server responds with PADO packet: In the second step, the server
responds with a PADO (PPPoE Active Discovery Offer) packet to the source MAC address
of the received PADI packet; the packet carries the server name and service name.
3. Client sends PADR packet: In the third step, the client selects a server for the session
according to the received PADO packets. It may receive many PADO packets, because the
PADI message of the first step may have reached many servers (the server is selected
according to whether the service information in the PADO packet matches the service
information needed by the client). Once a server is selected, the MAC address of the peer
for the session is known, and the client sends a PADR (PPPoE Active Discovery Request)
packet to it to announce the session requirement to the server.
4. Server responds with PADS packet: In the fourth step, the server establishes a session ID
according to the received PADR packet and sends it to the client in a PADS (PPPoE Active
Discovery Session-confirmation) packet. The PPPoE discovery stage is then complete and
the session stage begins.
The PADT (PPPoE Active Discovery Terminate) packet is a special PPPoE packet. Its Ethernet
protocol number (0x8863) is the same as that of the four packets above, so it can be regarded as a
discovery stage packet. To stop a PPPoE session, a PADT may be sent at any time during the
session, by either the client or the server.
PPPoE Intermediate Agent supplies a function that identifies and locates the user. When PADI
and PADR messages sent by the client pass through the network access device during the PPPoE
discovery stage, the device adds its access link tag to them, so that the server can identify and
locate the user exactly.
If the directly connected access device is a LAN switch, the added information includes MAC,
Slot ID, Port Index, Vlan ID, and so on. This function is implemented according to “Migration to
Ethernet-based DSL aggregation”.

5.13.1.2.1 PPPoE Intermediate Agent Exchange Process


The PPPoE Intermediate Agent exchange process is similar to the PPPoE exchange process; in
the first part of the exchange, the access link tag is added to the PADI and PADR packets. The
exchange process is as follows:

Figure 5-37 PPPoE IA protocol exchange process

5.13.1.2.2 PPPoE Packet Format


PPPoE packet format is as follows:
Ethernet II frame:
| Destination MAC | Source MAC | Type Field | PPPoE Data | CRC Check Sum |

PPPoE data:
| Version | Type | Code | Session ID | Length Field | TLV1 | ...... | TLV N |

TLV frame:
| Type | Length | Data |

The meaning of each field is as follows:
Type field (2 bytes) of the Ethernet II frame: the protocol sets the type field value of PPPoE
discovery stage packets (only the 5 kinds of packets in the discovery stage) to 0x8863, and the
type field value of session stage packets to 0x8864.
PPPoE version field (4 bits): specifies the current PPPoE protocol version; it must be set to 0x1
in the current version.
PPPoE type field (4 bits): specifies the protocol type; it must be set to 0x1 in the current version.
PPPoE code field (1 byte): specifies the packet type. 0x09 means a PADI packet, 0x07 a PADO
packet, 0x19 a PADR packet, 0x65 a PADS packet and 0xa7 a PADT packet.
PPPoE session ID field (2 bytes): specifies the session ID.
PPPoE length field (2 bytes): specifies the total length of all TLVs.
TLV type field (2 bytes): a TLV frame is a TAG; the type field gives the TAG type, as listed in the
table below.
TLV length field (2 bytes): specifies the length of the TAG data field.
TLV data field (variable length): carries the data of the TAG.
Tag Type  Tag Explanation
0x0000    End of the series of tags in the PPPoE data field. It is reserved to ensure version
          compatibility and is used by some packets.
0x0101    Service name. Indicates the services supplied by the network.
0x0102    Server name. When the user receives the PADO response packet of the AC, it can obtain
          the server name from this tag and select the corresponding server.
0x0103    Host-unique tag. It is similar to the tag field of PPPoE data packets and is used to
          match the sending and receiving ends (because many PPPoE data packets may exist on a
          broadcast network at the same time).
0x0104    AC-Cookie. It is used to defend against DoS attacks.
0x0105    Vendor identifier (vendor-specific tag).
0x0110    Relay session ID. A PPPoE data packet can be relayed to another AC; this field is used
          to keep the other connection.
0x0201    Service name error. When the requested service name is not accepted by the other
          end, the response packet carries this tag.
0x0202    Server name error.
0x0203    Generic error.
Table 5-1 TAG value type of PPPoE

5.13.1.2.3 PPPoE Intermediate Agent vendor tag Frame


The following is the format of the tag added by PPPoE IA; adding this tag is the main function
of PPPoE IA.

Figure 5-38 PPPoE IA - vendor tag (4 bytes in each row)

The TLV tag added for PPPoE IA has type 0x0105; TAG_LENGTH is the length field of the vendor
tag; 0x00000DE9 is the fixed 4-byte “ADSL Forum” IANA entry; 0x01 is the type field of the
Agent Circuit ID, followed by its length field and the Agent Circuit ID value field; 0x02 is the
type field of the Agent Remote ID, followed by its length field and the Agent Remote ID value
field.
PPPoE IA supplies a default circuit ID value (shown in the figure below). The default circuit ID
consists of 5 fields. ANI (Access Node Identifier) can be configured by the user and is less than
47 bytes long; if no ANI is configured, the MAC address is used by default and occupies 6 bytes.
The fields are laid out as follows: ANI, a space, “eth” (3 bytes), a space, “Slot ID” (2 bytes),
“/” (1 byte), “Port Index” (3 bytes), “:” (1 byte) and “Vlan ID” (4 bytes). All fields are ASCII;
the user can configure a circuit ID for each port as required.
Field:   ANI      Space   eth      Space   Slot ID  /       Port Index  :       Vlan ID
Length:  n bytes  1 byte  3 bytes  1 byte  2 bytes  1 byte  3 bytes     1 byte  4 bytes
Figure 5-39 Agent Circuit ID value
The MAC address of the access switch is the default remote ID value of PPPoE IA. The remote
ID value can be configured by the user flexibly; its length is less than 63 bytes.

5.13.1.2.4 Trust Port of PPPoE Intermediate Agent


The discovery stage uses five kinds of packets: PADI and PADR packets are sent by the client
to the server, PADO and PADS packets are sent by the server to the client, and PADT packets
can be sent by either the server or the client.
In PPPoE IA, for security and to reduce traffic, the port connected to the server is set as a
trust port and the ports connected to clients are set as untrust ports. A trust port can receive
all packets; an untrust port can receive only the PADI, PADR and PADT packets that are sent to
the server. To ensure that clients operate correctly, the port connected to the server must be set
as a trust port, and each access device has at least one trust port.
A PPPoE IA vendor tag should not be present in PPPoE packets sent by the server to the
client, so the switch can strip such vendor tags from these packets and then forward them. The
strip function must be configured on the trust port; enabling it on an untrust port has no effect.
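As an added example serving both the packet format (5.13.1.2.2 and 5.13.1.2.3) and the trust-port rule above, the Python code below (not the S4600's or any vendor's code) builds and parses PPPoE discovery packets with the TLV layout, encodes the 0x0105 vendor tag with the ADSL Forum IANA entry and the Agent Circuit ID and Agent Remote ID sub-tags, formats the default circuit ID of Figure 5-39, and applies the trust/untrust filtering and vendor-tag stripping. The function names, the slot/port/VLAN values and the sample packets are constructed for this example; the constant values come from this section.

```python
import struct

# Constants from this section of the guide
ETH_TYPE_DISCOVERY = 0x8863                 # Ethernet II type of discovery-stage packets
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7   # PPPoE code field values
TAG_END, TAG_VENDOR = 0x0000, 0x0105        # end-of-list tag, vendor-specific tag
ADSL_FORUM_IANA = 0x00000DE9                # fixed 4-byte IANA entry inside the vendor tag
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02  # sub-tag types inside the vendor tag
CLIENT_TO_SERVER = (PADI, PADR, PADT)       # the only codes an untrust port may accept

def default_circuit_id(ani, slot, port, vlan, delim1="/", delim2=":"):
    """Default circuit ID of Figure 5-39: ANI, 'eth', 2-digit slot, 3-digit port
    and 4-digit VLAN in ASCII; the two delimiters are the configurable ones."""
    return f"{ani} eth {slot:02d}{delim1}{port:03d}{delim2}{vlan:04d}"

def vendor_tag_value(circuit_id, remote_id):
    """Value of the 0x0105 tag: IANA entry, then two length-prefixed sub-tags."""
    cid, rid = circuit_id.encode("ascii"), remote_id.encode("ascii")
    return (struct.pack("!I", ADSL_FORUM_IANA)
            + bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
            + bytes([SUB_REMOTE_ID, len(rid)]) + rid)

def build_discovery(code, session_id, tags):
    """PPPoE data: version/type byte 0x11, code, session ID, length, then TLVs."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload

def parse_discovery(pkt):
    """Return (code, session_id, [(type, value), ...]); reject bad lengths."""
    vt, code, sid, length = struct.unpack("!BBHH", pkt[:6])
    if vt != 0x11:
        raise ValueError("PPPoE version/type must be 1/1")
    end = 6 + length
    if end > len(pkt):
        raise ValueError("PPPoE length field exceeds the packet")
    tags, off = [], 6
    while off + 4 <= end:
        t, l = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        if off + l > end:
            raise ValueError("TLV length overruns the PPPoE payload")
        tags.append((t, pkt[off:off + l]))
        off += l
        if t == TAG_END:
            break
    return code, sid, tags

def parse_vendor_tag(value):
    """Decode the sub-tags of a 0x0105 value; None if not the ADSL Forum layout."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != ADSL_FORUM_IANA:
        return None
    out, off = {}, 4
    while off + 2 <= len(value):
        st, l = value[off], value[off + 1]
        off += 2
        if off + l > len(value):
            raise ValueError("sub-tag length overruns the vendor tag")
        out[st] = value[off:off + l].decode("ascii")
        off += l
    return out

def is_well_formed(pkt):
    """True when the PPPoE header and every TLV fit inside the buffer."""
    try:
        parse_discovery(pkt)
        return True
    except (ValueError, struct.error):
        return False

def add_vendor_tag(pkt, circuit_id, remote_id):
    """What the IA does on an untrust port: tag PADI/PADR, leave other codes alone."""
    code, sid, tags = parse_discovery(pkt)
    if code not in (PADI, PADR):
        return pkt
    new = (TAG_VENDOR, vendor_tag_value(circuit_id, remote_id))
    if tags and tags[-1][0] == TAG_END:
        tags.insert(len(tags) - 1, new)     # keep the end-of-list tag last
    else:
        tags.append(new)
    return build_discovery(code, sid, tags)

def relay(pkt, port_trusted, strip=False):
    """Trust-port rule: an untrust port passes only client-to-server packets; a trust
    port passes everything and, with strip on, removes any vendor tag present."""
    code, sid, tags = parse_discovery(pkt)
    if not port_trusted:
        return pkt if code in CLIENT_TO_SERVER else None
    if strip and any(t == TAG_VENDOR for t, _ in tags):
        return build_discovery(code, sid, [(t, v) for t, v in tags if t != TAG_VENDOR])
    return pkt

if __name__ == "__main__":
    # Constructed PADI from a client on slot 1, port 2, VLAN 1 of a switch with ANI "abcd"
    padi = build_discovery(PADI, 0, [(0x0101, b""), (TAG_END, b"")])
    tagged = add_vendor_tag(padi, default_circuit_id("abcd", 1, 2, 1), "0a0b0c0d0e0f")
    print(parse_vendor_tag(dict(parse_discovery(tagged)[2])[TAG_VENDOR]))
```

The parser refuses a PPPoE length field or TLV length that overruns the buffer instead of reading past it, which is the check an agent on an untrust port needs before it copies tags into a new packet. The circuit ID strings it produces match the two typical configurations later in this section (“abcd eth 01/002:0001” with the default delimiters, “efgh eth 01#003/1234” with “#” and “/”).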

5.13.2 PPPoE Intermediate Agent Configuration Task List

1. Enable global PPPoE Intermediate Agent
2. Enable port PPPoE Intermediate Agent

Command Explanation
Global Mode
pppoe intermediate-agent
no pppoe intermediate-agent
    Enable the global PPPoE Intermediate Agent function.
pppoe intermediate-agent type tr-101 circuit-id access-node-id <string>
no pppoe intermediate-agent type tr-101 circuit-id access-node-id
    Configure the access node ID field value of the circuit ID in the added vendor tag.
pppoe intermediate-agent type tr-101 circuit-id identifier-string <string> option {sp | sv | pv | spv} delimiter <WORD> [delimiter <WORD>]
no pppoe intermediate-agent type tr-101 circuit-id identifier-string option delimiter
    Configure the circuit-id in the added vendor tag.
pppoe intermediate-agent type self-defined circuit-id {vlan | port | id (switch-id (mac | hostname) | remote-mac) | string WORD}
no pppoe intermediate-agent type self-defined circuit-id
    Configure the self-defined circuit-id.
pppoe intermediate-agent type self-defined remoteid {mac | vlan-mac | hostname | string WORD}
no pppoe intermediate-agent type self-defined remote-id
    Configure the self-defined remote-id.
pppoe intermediate-agent delimiter <WORD>
no pppoe intermediate-agent delimiter
    Configure the delimiter between the fields of the circuit-id and remote-id.
pppoe intermediate-agent format (circuit-id | remote-id) (hex | ascii)
no pppoe intermediate-agent format (circuit-id | remote-id)
    Configure hex or ASCII format for the circuit-id and remote-id.
Port Mode
pppoe intermediate-agent
no pppoe intermediate-agent
    Enable the PPPoE Intermediate Agent function of the port.
pppoe intermediate-agent vendor-tag strip
no pppoe intermediate-agent vendor-tag strip
    Set the vendor tag strip function of the port.
pppoe intermediate-agent trust
no pppoe intermediate-agent trust
    Set a port as a trust port.
pppoe intermediate-agent circuit-id <string>
no pppoe intermediate-agent circuit-id
    Set the circuit-id of the port.
pppoe intermediate-agent remote-id <string>
no pppoe intermediate-agent remote-id
    Set the remote-id of the port.

5.13.3 PPPoE Intermediate Agent Typical Application


PPPoE Intermediate Agent typical application is as follows:

Figure 5-40 PPPoE IA typical application

Both the host and the BAS server run the PPPoE protocol. They are connected by a layer 2
Ethernet, and the switch enables the PPPoE Intermediate Agent function.

Typical configuration (1):
Step1: Enable the global PPPoE IA function on the switch, whose MAC is 0a0b0c0d0e0f.
Switch(config)# pppoe intermediate-agent
Step2: Configure port ethernet1/0/1, which connects to the server, as a trust port, and enable the
vendor tag strip function.
Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent trust
Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent vendor-tag strip
Step3: Enable the port PPPoE IA function on port ethernet1/0/2 (vlan1) and port ethernet1/0/3
(vlan 1234).
Switch(config-if-ethernet1/0/2)#pppoe intermediate-agent
Switch(config-if-ethernet1/0/3)#pppoe intermediate-agent
Step4: Configure the pppoe intermediate-agent access-node-id as abcd.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id access-node-id abcd
Step5: Configure the circuit ID as aaaa and the remote ID as xyz for port ethernet1/0/3.
Switch(config-if-ethernet1/0/3)#pppoe intermediate-agent circuit-id aaaa
Switch(config-if-ethernet1/0/3)#pppoe intermediate-agent remote-id xyz
In the vendor tag added on port ethernet1/0/2, the circuit-id value is “abcd eth 01/002:0001”
and the remote-id value is “0a0b0c0d0e0f”.
In the vendor tag added on port ethernet1/0/3, the circuit-id value is “aaaa” and the remote-id
value is “xyz”.

Typical configuration (2) is as follows:


Step 1: Enable the global PPPoE IA function on the switch; the switch MAC address is 0a0b0c0d0e0f.
Switch(config)#pppoe intermediate-agent
Step 2: Configure port ethernet1/0/1, which connects to the server, as the trust port, and enable the
vendor tag strip function on it.
Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent trust
Switch(config-if-ethernet1/0/1)#pppoe intermediate-agent vendor-tag strip
Step 3: Enable the PPPoE IA function on port ethernet1/0/2 (in vlan 1) and on port ethernet1/0/3 (in
vlan 1234).
Switch(config-if-ethernet1/0/2)#pppoe intermediate-agent
Switch(config-if-ethernet1/0/3)#pppoe intermediate-agent
Step 4: Configure the pppoe intermediate-agent access-node-id as abcd.
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id access-node-id abcd
Step 5: Configure the pppoe intermediate-agent identifier-string as "efgh", the combo mode as spv,
the delimiter between Slot ID and Port ID as "#", and the delimiter between Port ID and Vlan ID as "/".
Switch(config)#pppoe intermediate-agent type tr-101 circuit-id identifier-string efgh option spv
delimiter # delimiter /
Step 6: Configure the circuit-id value as bbbb on port ethernet1/0/2.
Switch(config-if-ethernet1/0/2)#pppoe intermediate-agent circuit-id bbbb
Step 7: Configure the remote-id as xyz on port ethernet1/0/3.
Switch(config-if-ethernet1/0/3)#pppoe intermediate-agent remote-id xyz


For the vendor tag added on port ethernet1/0/2, the circuit-id value is "bbbb" and the remote-id value is
"0a0b0c0d0e0f".
For the vendor tag added on port ethernet1/0/3, the circuit-id value is "efgh eth 01#003/1234" and the
remote-id value is "xyz".

5.13.4 PPPoE Intermediate Agent Troubleshooting


 The global PPPoE intermediate agent function must be enabled on the switch first; only then can the function run on a port.
 Configure at least one trust port; this is the port that connects to the server.
 The vendor tag strip function must be configured on the trust port.
 The circuit-id override priority is: pppoe intermediate-agent circuit-id < pppoe
intermediate-agent identifier-string option delimiter < pppoe intermediate-agent
access-node-id.
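The two typical configurations in 5.13.3 and the notes above describe how the circuit-id and remote-id of the inserted vendor tag are derived. The following Python model, added here as an illustration and not code from the switch or this guide, reproduces those two configurations and also encodes and decodes the resulting TR-101 vendor-specific PPPoE tag, which is what an operator sees when checking a capture on the trust port. The class names, the default delimiters "/" and ":", and the rule that a per-port circuit-id wins, then identifier-string, then access-node-id, are assumptions chosen to reproduce the results shown in 5.13.3; the tag type 0x0105, the Broadband Forum vendor id 0x00000DE9 and the sub-option numbers come from the PPPoE and TR-101 specifications, not from this guide.

```python
"""Added illustration of how a PPPoE Intermediate Agent derives the circuit-id and
remote-id it inserts, following the two typical configurations of 5.13.3.
This is not switch code; class names and defaults are assumptions."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# PPPoE / TR-101 encoding constants (from the PPPoE and TR-101 specifications,
# not from this guide): Vendor-Specific tag, Broadband Forum vendor id,
# and the sub-option numbers for Agent-Circuit-ID and Agent-Remote-ID.
TAG_VENDOR_SPECIFIC = 0x0105
BBF_VENDOR_ID = 0x00000DE9
SUB_CIRCUIT_ID = 0x01
SUB_REMOTE_ID = 0x02


@dataclass
class GlobalIA:
    """Global 'pppoe intermediate-agent' settings (hypothetical model)."""
    switch_mac: str                          # remote-id when no per-port value is set
    access_node_id: Optional[str] = None     # ... type tr-101 circuit-id access-node-id <id>
    identifier_string: Optional[str] = None  # ... type tr-101 circuit-id identifier-string <id>
    delim_slot_port: str = "/"               # delimiter between slot ID and port ID (default assumed)
    delim_port_vlan: str = ":"               # delimiter between port ID and VLAN ID (default assumed)


@dataclass
class PortIA:
    """Per-port settings: slot/port numbers, the port's VLAN and optional overrides."""
    slot: int
    port: int
    vlan: int
    circuit_id: Optional[str] = None  # pppoe intermediate-agent circuit-id <string>
    remote_id: Optional[str] = None   # pppoe intermediate-agent remote-id <string>


def build_circuit_id(g: GlobalIA, p: PortIA) -> str:
    """A per-port circuit-id is used verbatim; otherwise the 'spv' (slot, port,
    vlan) form is built from identifier-string, falling back to access-node-id.
    This order reproduces the results shown in 5.13.3 (assumed, not documented)."""
    if p.circuit_id is not None:
        return p.circuit_id
    prefix = g.identifier_string if g.identifier_string is not None else g.access_node_id
    if prefix is None:
        raise ValueError("no circuit-id source configured")
    return (f"{prefix} eth {p.slot:02d}{g.delim_slot_port}"
            f"{p.port:03d}{g.delim_port_vlan}{p.vlan:04d}")


def build_remote_id(g: GlobalIA, p: PortIA) -> str:
    """Per-port remote-id if set, else the switch MAC address (as in 5.13.3)."""
    return p.remote_id if p.remote_id is not None else g.switch_mac


def encode_vendor_tag(circuit_id: str, remote_id: str) -> bytes:
    """Serialize the TR-101 vendor-specific PPPoE tag the agent inserts (ASCII format)."""
    body = struct.pack("!I", BBF_VENDOR_ID)
    for sub, value in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        raw = value.encode("ascii")
        body += struct.pack("!BB", sub, len(raw)) + raw
    return struct.pack("!HH", TAG_VENDOR_SPECIFIC, len(body)) + body


def decode_vendor_tag(tag: bytes) -> Dict[str, object]:
    """Parse a vendor-specific tag back into its fields, e.g. when checking a
    capture taken on the trust port to verify what the agent really inserted."""
    tag_type, tag_len = struct.unpack("!HH", tag[:4])
    if tag_type != TAG_VENDOR_SPECIFIC or tag_len != len(tag) - 4:
        raise ValueError("not a well-formed vendor-specific tag")
    body = tag[4:]
    out: Dict[str, object] = {"vendor_id": struct.unpack("!I", body[:4])[0]}
    names = {SUB_CIRCUIT_ID: "circuit_id", SUB_REMOTE_ID: "remote_id"}
    i = 4
    while i + 2 <= len(body):
        sub, length = body[i], body[i + 1]
        out[names.get(sub, f"sub_{sub}")] = body[i + 2:i + 2 + length].decode("ascii")
        i += 2 + length
    return out


def typical_configuration_1() -> Dict[int, Tuple[str, str]]:
    """Configuration (1) of 5.13.3: access-node-id abcd; port 3 overrides both ids."""
    g = GlobalIA(switch_mac="0a0b0c0d0e0f", access_node_id="abcd")
    ports = {2: PortIA(1, 2, 1),
             3: PortIA(1, 3, 1234, circuit_id="aaaa", remote_id="xyz")}
    return {n: (build_circuit_id(g, p), build_remote_id(g, p)) for n, p in ports.items()}


def typical_configuration_2() -> Dict[int, Tuple[str, str]]:
    """Configuration (2) of 5.13.3: identifier-string efgh with delimiters # and /."""
    g = GlobalIA(switch_mac="0a0b0c0d0e0f", access_node_id="abcd",
                 identifier_string="efgh", delim_slot_port="#", delim_port_vlan="/")
    ports = {2: PortIA(1, 2, 1, circuit_id="bbbb"),
             3: PortIA(1, 3, 1234, remote_id="xyz")}
    return {n: (build_circuit_id(g, p), build_remote_id(g, p)) for n, p in ports.items()}


if __name__ == "__main__":
    for n, (cid, rid) in typical_configuration_2().items():
        print(n, cid, rid, encode_vendor_tag(cid, rid).hex())
```

The decoder is the useful half for verification: the trust port strips the vendor tag on the way back to the subscriber, so the only place to confirm the circuit-id a given port actually inserts is a capture between the switch and the BAS server.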

5.14 QoS

5.14.1 Introduction to QoS


QoS (Quality of Service) is a set of capabilities that allow you to create differentiated services
for network traffic, thereby providing better service for selected network traffic. QoS is a
guarantee for service quality of consistent and predictable data transfer service to fulfill program
requirements. QoS cannot generate extra bandwidth but provides more effective bandwidth
management according to the application requirement and network management policy.

5.14.1.1 QoS Terms


QoS: Quality of Service, a guarantee of consistent and predictable data transfer service quality that
fulfills program requirements. QoS cannot generate new bandwidth, but it provides more effective
bandwidth management according to the application requirements and the network management
policy.
QoS Domain: the network topology formed by QoS-capable devices that together provide Quality of
Service is defined as a QoS Domain.
CoS: Class of Service, the classification information carried by Layer 2 802.1Q frames in 3 bits of
the Tag field of the frame header, called the user priority level, in the range of 0 to 7.

Figure 5-41 CoS priority


ToS: Type of Service, a one-byte field carried in the Layer 3 IPv4 packet header that indicates the
service type of the IP packet. The ToS field can carry an IP Precedence value or a DSCP value.

Figure 5-42 ToS priority


IP Precedence: IP priority, classification information carried in the Layer 3 IP packet header,
occupying 3 bits, in the range of 0 to 7.
DSCP: Differentiated Services Code Point, classification information carried in the Layer 3 IP packet
header, occupying 6 bits, in the range of 0 to 63, and backward compatible with IP Precedence.
MPLS TC (EXP): a 3-bit field of the MPLS packet that indicates the service class, in the range of 0 to 7.
Internal Priority: the internal priority setting of the switch chip; its valid range depends on the
chip. It is abbreviated as Int-Prio or IntP.
Drop Precedence: when processing packets, the packets with the higher drop precedence are dropped
first. The range is 0-2 in the three color algorithm and 0-1 in the dual color algorithm. It is
abbreviated as Drop-Prec or DP.
Classification: the entry action of QoS, classifying packet traffic according to the classification
information carried in the packet and ACLs.
Policing: the ingress action of QoS that lays down the policing policy and manages the classified
packets.
Remark: the ingress action of QoS that performs the allowing, degrading or discarding operations on
packets according to the policing policies.
Scheduling: the egress action of QoS. Configures the weight of the eight egress queues for WRR
(Weighted Round Robin).
In-Profile: traffic within the QoS policing policy range (bandwidth or burst value) is called
In-Profile.
Out-of-Profile: traffic outside the QoS policing policy range (bandwidth or burst value) is called
Out-of-Profile.


5.14.1.2 QoS Implementation


To implement the switch software QoS, a general, mature reference model should be given.
QoS cannot create new bandwidth, but it can make the best adjustment and configuration of the
current bandwidth resources. Fully implemented QoS achieves complete management of the network
traffic. The following is as accurate a description of QoS as possible.
The data transfer specifications of IP cover only the addresses and services of the source and
destination, and rely on OSI layer 4 or higher protocols such as TCP to ensure correct packet
transmission. However, rather than providing a mechanism for guaranteeing and protecting packet
transmission bandwidth, IP delivers bandwidth on a best-effort basis. This is acceptable for services
like Mail and FTP, but for the growing volume of multimedia and e-business data transmission, this
best-effort method cannot satisfy the bandwidth and low-latency requirements.
Based on differentiated services, QoS specifies a priority for each packet at the ingress. The
classification information is carried in the Layer 3 IP packet header or the Layer 2 802.1Q frame
header. QoS provides the same service to packets of the same priority, while applying different
operations to packets of different priority. A QoS-enabled switch or router can provide different
bandwidth according to the packet classification information, can remark the classification
information according to the configured policing policies, and may discard some low priority packets
in case of bandwidth shortage.
If the devices of each hop in a network support differentiated services, an end-to-end QoS
solution can be created. QoS configuration is flexible; its complexity or simplicity depends on the
network topology and devices and on the analysis of incoming/outgoing traffic.

5.14.1.3 Basic QoS Model


The basic QoS model consists of four parts: Classification, Policing, Remark and Scheduling, where
classification, policing and remark are sequential ingress actions, and queuing and scheduling are
QoS egress actions.

Figure 5-43 Basic QoS Model


Classification: Classify traffic according to the packet classification information and generate the
internal priority and drop precedence based on that information. For different packet types and
switch configurations, classification is performed differently; the flowchart below explains this in
detail.

Figure 5-44 Classification process (flowchart; the decision flow recovered from the figure is summarized below)

1. Determine the L2 COS value: a tagged packet uses its own L2 COS value; an untagged packet takes the default COS of the port as its L2 COS value (*1).
2. If trust DSCP is configured (*2) and the packet is an IP packet, perform the DSCP-to-Int-Prio conversion according to the DSCP value of the packet.
3. Otherwise, if trust COS is configured (*2) and the packet is tagged, perform the COS-to-Int-Prio conversion according to the L2 COS value of the packet.
4. Otherwise, set Int-Prio as the default ingress Int-Prio.
5. Enter the policing flow.
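The classification flow of Figure 5-44, written out as a small Python model. This is an added illustration, not switch code: the CoS-to-Int-Prio and DSCP-to-Int-Prio tables below are constructed defaults (the real ones are set with "mls qos map" and are not listed on this page), the default ingress Int-Prio is assumed to be 0, and the rule that trust DSCP is checked before trust CoS follows the "DSCP > COS" note in 5.14.4.

```python
"""Added illustration of the ingress classification flow of Figure 5-44 (trust
settings, default CoS and the CoS/DSCP to Int-Prio conversions).  Not switch
code; the mapping tables below are constructed defaults, the real ones are set
with 'mls qos map' and are not listed on this page."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed default maps: CoS maps 1:1 to Int-Prio, DSCP maps by its top 3 bits.
DEFAULT_COS_TO_INTP: Dict[int, int] = {c: c for c in range(8)}
DEFAULT_DSCP_TO_INTP: Dict[int, int] = {d: d >> 3 for d in range(64)}
DEFAULT_INGRESS_INTP = 0  # "default ingress Int-Prio" of the figure (value assumed)


@dataclass
class PortQoS:
    """Per-port QoS state: 'mls qos trust {cos|dscp}' (both may be set, DSCP wins
    per 5.14.4) and 'mls qos cos <default-cos>'."""
    trust: Set[str] = field(default_factory=set)
    default_cos: int = 0


@dataclass
class Packet:
    is_ip: bool
    dscp: Optional[int] = None   # only meaningful when is_ip
    cos: Optional[int] = None    # None means the frame carries no 802.1Q tag


def classify(port: PortQoS, pkt: Packet,
             cos_to_intp: Dict[int, int] = DEFAULT_COS_TO_INTP,
             dscp_to_intp: Dict[int, int] = DEFAULT_DSCP_TO_INTP) -> Tuple[int, int, str]:
    """Return (l2_cos, int_prio, source) where source names the branch taken."""
    # (*1) untagged frames take the port default CoS as their L2 CoS value
    tagged = pkt.cos is not None
    l2_cos = pkt.cos if tagged else port.default_cos
    # (*2) trust DSCP is checked first and applies only to IP packets
    if "dscp" in port.trust and pkt.is_ip and pkt.dscp is not None:
        return l2_cos, dscp_to_intp[pkt.dscp], "dscp-to-intp"
    # then trust CoS, which applies only to tagged frames
    if "cos" in port.trust and tagged:
        return l2_cos, cos_to_intp[l2_cos], "cos-to-intp"
    # neither applies: the default ingress Int-Prio is assigned
    return l2_cos, DEFAULT_INGRESS_INTP, "default"


def demo() -> Dict[str, Tuple[int, int, str]]:
    """Constructed cases; 'trunk' mirrors the Switch2 port of 5.14.3 Example 3
    (mls qos trust cos), 'both' trusts CoS and DSCP with default CoS 2."""
    trunk = PortQoS(trust={"cos"}, default_cos=0)
    both = PortQoS(trust={"cos", "dscp"}, default_cos=2)
    return {
        "trust-cos, tagged cos 5": classify(trunk, Packet(is_ip=True, dscp=40, cos=5)),
        "trust-cos, untagged": classify(trunk, Packet(is_ip=True, dscp=40)),
        "both, ip dscp 46 cos 3": classify(both, Packet(is_ip=True, dscp=46, cos=3)),
        "both, non-ip tagged cos 3": classify(both, Packet(is_ip=False, cos=3)),
        "both, non-ip untagged": classify(both, Packet(is_ip=False)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} -> l2_cos={result[0]} int_prio={result[1]} via {result[2]}")
```

The "source" field is what makes the model useful for troubleshooting: an untagged frame on a port that trusts only CoS lands in the default branch, so a subscriber port that never sees tagged frames gets no priority from "mls qos trust cos" at all.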



Policing and remark: Each packet in the classified ingress traffic is assigned an internal
priority value and a drop precedence value, and can be policed and remarked.
Policing can be performed per flow, with different policies that allocate bandwidth to the classified
traffic; the bandwidth policy may be dual bucket dual color or dual bucket three color. The traffic
is assigned a color and is then either discarded or passed; for the passed packets, a remarking
action may be added. Remarking replaces the original higher-level DSCP value in the packet with a
new DSCP value of lower priority. The following flowchart describes the operations.
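A dual-bucket policer with the pass/drop/remark decision described above, as an added Python illustration (not switch code). Without a peak bucket it is the dual color scheme (green/red); with one it is the three color scheme (green/yellow/red). The rate 10 Mb/s and the 4000-byte CBS come from 5.14.3 Example 2 ("policy 10000 burst-group 1" after "policy burst 1 4000", read as 10 Mb/s and 4000 bytes); the packet sizes, timings and the peak rate used in the three color demo are constructed.

```python
"""Added illustration of the policing step: a dual-bucket policer that colors
packets green/yellow/red and the drop/pass/remark decision of Figure 5-45.
Not switch code; rate and CBS follow 5.14.3 Example 2 (10 Mb/s, 4000 bytes),
the packet sizes and timings are constructed."""
from typing import List, Optional, Tuple


class DualBucketPolicer:
    """Two token buckets: C (committed rate/burst) and, optionally, P (peak
    rate/burst).  Without P it is a dual color policer (green/red); with P it is
    the three color scheme (green/yellow/red), color-blind."""

    def __init__(self, cir_bps: int, cbs_bytes: int,
                 pir_bps: Optional[int] = None, pbs_bytes: Optional[int] = None):
        self.c_rate = cir_bps / 8.0          # bytes per second
        self.cbs = cbs_bytes
        self.tc = float(cbs_bytes)           # C bucket starts full
        self.p_rate = pir_bps / 8.0 if pir_bps else None
        self.pbs = pbs_bytes
        self.tp = float(pbs_bytes) if pbs_bytes else None
        self.last = 0.0

    def _refill(self, now: float) -> None:
        dt = max(0.0, now - self.last)
        self.tc = min(self.cbs, self.tc + dt * self.c_rate)
        if self.p_rate is not None:
            self.tp = min(self.pbs, self.tp + dt * self.p_rate)
        self.last = now

    def color(self, size: int, now: float) -> str:
        self._refill(now)
        if self.p_rate is not None and size > self.tp:
            return "red"                       # exceeds even the peak burst
        if size > self.tc:
            if self.p_rate is None:
                return "red"                   # dual color: out-of-profile
            self.tp -= size
            return "yellow"                    # within peak, above committed
        self.tc -= size
        if self.p_rate is not None:
            self.tp -= size
        return "green"                         # in-profile


def police(color: str, dscp: int, remark_dscp: Optional[int] = None) -> Tuple[str, int]:
    """Figure 5-45 actions: red is dropped; green/yellow pass, and a passed
    yellow packet may be remarked to a lower-priority DSCP."""
    if color == "red":
        return "drop", dscp
    if color == "yellow" and remark_dscp is not None:
        return "pass", remark_dscp
    return "pass", dscp


def demo_two_color() -> List[str]:
    """10 Mb/s with a 4000-byte CBS: a burst of five 1000-byte packets, then two
    packets 1 ms later, then four packets 9 ms after that."""
    pol = DualBucketPolicer(cir_bps=10_000_000, cbs_bytes=4000)
    times = [0.0] * 5 + [0.001] * 2 + [0.010] * 4
    return [pol.color(1000, t) for t in times]


def demo_three_color() -> List[str]:
    """Same CIR/CBS plus a constructed PIR of 20 Mb/s and PBS of 8000 bytes:
    nine 1000-byte packets arriving together."""
    pol = DualBucketPolicer(10_000_000, 4000, pir_bps=20_000_000, pbs_bytes=8000)
    return [pol.color(1000, 0.0) for _ in range(9)]


if __name__ == "__main__":
    print(demo_two_color())
    print(demo_three_color())
```

At 10 Mb/s the C bucket refills by 1250 bytes per millisecond, so in the two color demo the fifth packet of the initial burst and the second packet 1 ms later are out-of-profile, while the four packets at 10 ms find the bucket full again. This is the behaviour Example 2 relies on when it says packets exceeding the setting are dropped.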


Figure 5-45 Policing and Remarking process (flowchart; the flow recovered from the figure is summarized below)

1. Check whether a policy is configured.
2. If no policy is configured, the action is unrelated to the color: the packet is either dropped or passed, and for a passed packet the option is Set Int-Prio (set the internal priority of the packets).
3. If a policy is configured, decide the packet color and action according to the policing policy; the action for the specific color is drop or pass.
4. For a passed packet, select one option of the following: Set Int-Prio (set the internal priority of the packets) (*1), or Policied-IntP-Transmit (drop the internal priority of the packets) (*2).
5. Dropped packets are discarded; passed packets enter scheduling.


Queuing and scheduling: Egress packets carry an internal priority and a drop precedence. The
queuing operation assigns the packets to different priority queues according to the internal
priority, while the scheduling operation forwards the packets according to the priority queue
weight and the drop precedence. The following flowchart describes the operations during queuing
and scheduling.


Figure 5-46 Queuing and Scheduling process (flowchart; the flow recovered from the figure is summarized below)

1. Remark the DSCP and L2 COS fields of the packets according to the Int-Prio-to-DSCP and Int-Prio-to-COS mappings (*1).
2. Select the queue according to the IntPrio-to-Queue mapping, and obtain the packet Drop-Prec according to the IntPrio-to-Drop-Prec mapping.
3. Read the buffer value according to the queue management algorithm (WDRR/SP), the drop precedence and the egress queue.
4. If buffer is available, place the packets into the specified queue and forward them according to the weight priority; otherwise drop the packets.
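The queuing and scheduling flow of Figure 5-46 as an added Python illustration (not switch code): an Int-Prio to queue mapping, a per-queue buffer check in which packets of higher drop precedence are refused earlier, and SP versus WRR scheduling with the default weights 1..8 from step 4 of 5.14.2. The identity Int-Prio-to-queue mapping, the buffer thresholds and the choice to serve the highest queue first within a WRR round are assumptions.

```python
"""Added illustration of the queuing and scheduling step of Figure 5-46: an
Int-Prio to queue mapping, a per-queue buffer check that uses the drop
precedence, and SP versus WRR scheduling with the default weights 1..8 from
'mls qos queue weight'.  Not switch code; the identity Int-Prio-to-queue
mapping and the buffer thresholds are constructed assumptions."""
from collections import deque
from typing import Deque, Dict, List, Tuple

NUM_QUEUES = 8
DEFAULT_WRR_WEIGHTS = [1, 2, 3, 4, 5, 6, 7, 8]     # default from 5.14.2 step 4
# Constructed queue depth limits per drop precedence: packets with a higher DP
# are refused once the queue is already fairly full, lower DP a little later.
BUFFER_LIMIT_BY_DP: Dict[int, int] = {0: 16, 1: 8, 2: 4}


def intp_to_queue(int_prio: int) -> int:
    """IntPrio-to-Queue mapping; identity over the 8 queues (assumed)."""
    return max(0, min(NUM_QUEUES - 1, int_prio))


class EgressPort:
    def __init__(self, weights: List[int] = DEFAULT_WRR_WEIGHTS):
        self.queues: List[Deque[str]] = [deque() for _ in range(NUM_QUEUES)]
        self.weights = list(weights)
        self.dropped: List[str] = []

    def enqueue(self, pkt: str, int_prio: int, drop_prec: int) -> bool:
        """Place the packet in its queue if buffer is available for its DP."""
        q = self.queues[intp_to_queue(int_prio)]
        if len(q) >= BUFFER_LIMIT_BY_DP[drop_prec]:
            self.dropped.append(pkt)
            return False
        q.append(pkt)
        return True

    def schedule(self, algorithm: str, budget: int) -> List[Tuple[int, str]]:
        """Return the first `budget` (queue, packet) transmissions under SP
        (always the highest non-empty queue) or WRR (each queue may send up to
        its weight per round, highest queue served first within a round)."""
        out: List[Tuple[int, str]] = []
        while len(out) < budget and any(self.queues):
            if algorithm == "sp":
                qi = max(i for i, q in enumerate(self.queues) if q)
                out.append((qi, self.queues[qi].popleft()))
            elif algorithm == "wrr":
                for qi in range(NUM_QUEUES - 1, -1, -1):
                    for _ in range(self.weights[qi]):
                        if not self.queues[qi] or len(out) >= budget:
                            break
                        out.append((qi, self.queues[qi].popleft()))
            else:
                raise ValueError(algorithm)
        return out


def demo(algorithm: str) -> Dict[int, int]:
    """Ten packets each in queue 0 and queue 7; count what each queue sends in
    the first 9 transmissions (constructed scenario)."""
    port = EgressPort()
    for i in range(10):
        port.enqueue(f"low{i}", int_prio=0, drop_prec=0)
        port.enqueue(f"high{i}", int_prio=7, drop_prec=0)
    counts = {0: 0, 7: 0}
    for qi, _ in port.schedule(algorithm, budget=9):
        counts[qi] += 1
    return counts


def demo_buffer() -> Tuple[int, int]:
    """Six DP 2 packets offered to queue 3: only the first four fit."""
    port = EgressPort()
    accepted = sum(port.enqueue(f"p{i}", int_prio=3, drop_prec=2) for i in range(6))
    return accepted, len(port.dropped)


if __name__ == "__main__":
    print("wrr", demo("wrr"), "sp", demo("sp"), "buffer", demo_buffer())
```

The contrast between the two schedulers is the point: under SP the low queue sends nothing while the high queue has traffic, whereas WRR with weights 1..8 still gives queue 0 one slot in every nine, which is why the default algorithm is wrr rather than sp.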

5.14.2 QoS Configuration Task List


Configure class map
Set up a classification rule according to ACL, CoS, VLAN ID, IPv4 Precedence, DSCP or IPv6 FL to
classify the data stream. Different classes of data streams will be processed with different
policies.
Configure a policy map
After data stream classification, a policy map can be created to associate with the class map
created earlier and enter class mode. Then different policies (such as bandwidth limit, priority
degrading, assigning a new DSCP value) can be applied to different data streams. You can also
define a policy set that can be used in a policy map by several classes.
Apply QoS to the ports or the VLAN interfaces
Configure the trust mode for ports or bind policies to ports. A policy will only take effect on a
port when it is bound to that port.
The policy may be bound to a specific VLAN.
It is not recommended to use a policy map on a VLAN and on its port at the same time.
Configure queue management algorithm
Configure the queue management algorithm, such as sp, wrr, sp+wrr, and so on.

1. Configure class map.


Command Explanation
Global Mode
policy burst <burst_group> <normal_burst_bytes>
    Configure the CBS value; only 2 CBS values are supported and the default value is 1024 bytes. To return to the default configuration, configure the default value.
class-map <class-map-name>
no class-map <class-map-name>
    Create a class map and enter class map mode; the "no class-map <class-map-name>" command deletes the specified class map.
match {access-group <acl-index-or-name> | ip dscp <dscp-list> | ip precedence <ip-precedence-list> | ipv6 access-group <acl-index-or-name> | ipv6 dscp <dscp-list> | ipv6 flowlabel <flowlabel-list> | vlan <vlan-list> | cos <cos-list>}
no match {access-group | ip dscp | ip precedence | ipv6 access-group | ipv6 dscp | ipv6 flowlabel | vlan | cos}
    Set the matching criterion (classify the data stream by ACL, CoS, VLAN ID, IPv4 Precedence, IPv6 FL or DSCP, etc.) for the class map; the no command deletes the specified matching criterion.

2. Configure a policy map


Command Explanation
Global Mode
policy-map <policy-map-name>
no policy-map <policy-map-name>
    Create a policy map and enter policy map mode; the no command deletes the specified policy map.
class <class-map-name> [insert-before <class-map-name>]
no class <class-map-name>
    After a policy map is created, it can be associated with a class. Different policies or a new DSCP value can be applied to different data streams in class mode; the no command deletes the specified class.
set {ip dscp <new-dscp> | ip precedence <new-precedence> | internal priority <new-inp> | drop precedence <new-dp> | cos <new-cos> | s-vid <new-vid>}
no set {ip dscp | ip precedence | internal priority | drop precedence | cos | s-vid}
    Assign a new internal priority, outer tag and so on to the classified traffic; the no command cancels the newly assigned value.
policy <bits_per_second> burst-group <burst-group-id>
    Configure a speed limit policy. It does not support the set action on colored packets. The no command deletes the configuration.
accounting
no accounting
    Enable the statistics function for the classified traffic. After this function is enabled in policy class map mode, statistics are kept for the traffic of the policy class map. Packets can only be colored red or green when passing the policy. In the displayed information, "in packets" indicates the number of classified packets; per-color statistics are not supported.
Policy class map configuration mode
drop
no drop
transmit
no transmit
    Drop or transmit the traffic that matches the class; the no command cancels the assigned action.

3. Apply QoS to port or VLAN interface


Command Explanation
Interface Configuration Mode
mls qos trust {cos | dscp}
no mls qos trust {cos | dscp}
    Configure port trust; the no command disables the current trust status of the port.
mls qos cos {<default-cos>}
no mls qos cos
    Configure the default CoS value of the port; the no command restores the default setting.
service-policy input <policy-map-name>
no service-policy input {<policy-map-name>}
    Apply a policy map to the specified port; the no command deletes the specified policy map applied to the port, or deletes all the policy maps applied in the ingress direction of the port. Egress policy maps are not supported yet.
Global Mode
service-policy input <policy-map-name> vlan <vlan-list>
no service-policy input {<policy-map-name>} vlan <vlan-list>
    Apply a policy map to the specified VLAN interface; the no command deletes the specified policy map applied to the VLAN interface, or deletes all the policy maps applied in the ingress direction of the VLAN interface.

4. Configure queue management algorithm and weight


Command Explanation
Port Configuration Mode
mls qos queue algorithm {sp | wrr | wdrr}
no mls qos queue algorithm
    Set the queue management algorithm of the port; the default queue management algorithm is wrr.
mls qos queue weight <weight0..weight7>
no mls qos queue weight
    Set the queue weights of the port; the default queue weights are 1 2 3 4 5 6 7 8.
mls qos queue wdrr weight <weight0..weight7>
no mls qos queue wdrr weight
    Set the WDRR queue weights of the port; the default queue weights are 10 20 40 80 160 320 640 1280.

5. Configure QoS mapping


Command Explanation
Global Mode
mls qos map {cos-intp <intp1…intp8> | cos-dp <dp1…dp8> | dscp-intp <in-dscp list> to <intp> | dscp-dp <in-dscp list> to <dp> | dscp-dscp <in-dscp list> to <out-dscp>}
no mls qos map {cos-intp | cos-dp | dscp-intp | dscp-dp | dscp-dscp}
    Set the priority mapping for QoS; the no command restores the default mapping value.

6. Clear accounting data of the specific ports or VLANs


Command Explanation
Admin Mode
clear mls qos statistics [interface <interface-name> | vlan <vlan-id>]
    Clear the accounting data of the specified port or VLAN policy map. Without parameters, the accounting data of all policy maps is cleared.

7. Show configuration of QoS


Command Explanation
Admin Mode
show mls qos maps [cos-intp | dscp-intp]
    Display the QoS mapping configuration.
show class-map [<class-map-name>]
    Display the class map information of QoS.
show policy-map [<policy-map-name>]
    Display the policy map information of QoS.
show mls qos {interface [<interface-id>] [policy | queuing] | vlan <vlan-id>}
    Display the QoS configuration information on a port.

5.14.3 QoS Example

Example 2:
On port ethernet1/0/2, set the bandwidth for packets from segment 192.168.1.0 to 10 Mb/s, with
a burst value of 4 MB; all packets exceeding this bandwidth setting will be dropped.

The configuration steps are listed below:


Switch#config
Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)#policy burst 1 4000
Switch(config)#class-map c1
Switch(Config-ClassMap-c1)#match access-group 1
Switch(Config-ClassMap-c1)#exit
Switch(config)#policy-map p1
Switch(Config-PolicyMap-p1)#class c1
Switch(Config-PolicyMap-p1-Class-c1)#policy 10000 burst-group 1
Switch(Config-PolicyMap-p1-Class-c1)#exit
Switch(Config-PolicyMap-p1)#exit
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#service-policy input p1

Configuration result:
An ACL named 1 is set to match segment 192.168.1.0. Enable QoS globally, create a class map
named c1 that matches ACL 1; create a policy map named p1 and refer to c1 in p1, setting
appropriate policies to limit the bandwidth and burst value. Apply this policy map on port
ethernet1/0/2. After the above settings are done, the bandwidth for packets from segment 192.168.1.0
through port ethernet 1/0/2 is set to 10 Mb/s, with a burst value of 4 MB; all packets from that
segment exceeding this bandwidth setting will be dropped.

Example 3:


Figure 5-47 Typical QoS topology (elements shown in the figure: Server, QoS area, Switch3, Switch2, Trunk, Switch1)


As shown in the figure, inside the block is a QoS domain. Switch1 classifies different traffic
and assigns different IP precedences; for example, it sets CoS precedence 5 for packets from segment
192.168.1.0 on port ethernet1/0/1. The port connecting to Switch2 is a trunk port. In Switch2,
set port ethernet 1/0/1, which connects to Switch1, to trust cos. Thus inside the QoS domain,
packets of different priorities go to different queues and get different bandwidth.

The configuration steps are listed below:


QoS configuration in Switch1:
Switch#config
Switch(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Switch(config)#class-map c1
Switch(Config-ClassMap-c1)#match access-group 1
Switch(Config-ClassMap-c1)#exit
Switch(config)#policy-map p1
Switch(Config-PolicyMap-p1)#class c1
Switch(Config-PolicyMap-p1-Class-c1)#set ip precedence 5
Switch(Config-PolicyMap-p1-Class-c1)#exit
Switch(Config-PolicyMap-p1)#exit
Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#service-policy input p1

QoS configuration in Switch2:


Switch#config
Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)#mls qos trust cos


5.14.4 QoS Troubleshooting


 trust cos can be used together with other trust settings or a Policy Map.
 trust dscp can be used together with other trust settings or a Policy Map. This configuration takes
effect for IPv4 and IPv6 packets.
 trust dscp and trust cos may be configured at the same time; the priority is
DSCP > COS.
 If a dynamic VLAN (mac vlan/voice vlan/ip subnet vlan/protocol vlan) is configured,
the packet COS value equals the COS value of the dynamic VLAN.
 A policy map can only be bound in the ingress direction; egress is not supported yet.
 At present, it is not recommended to use a policy map on a VLAN and on the VLAN's port at the
same time.
 The policy actions set cos, set s-cos, set-dscp and set-ip-precedence cannot be used at the same
time; these actions are mutually exclusive.

5.15 Flow-based Redirection

5.15.1 Introduction to Flow-based Redirection


The flow-based redirection function enables the switch to transmit data frames that meet a
special condition (specified by an ACL) to another specified port. The frames meeting the same
special condition are called a class of flow; the ingress port of the data frame is called the source
port of redirection, and the specified egress port is called the destination port of redirection.
Usually there are two kinds of application of flow-based redirection: 1. connecting a protocol
analyzer (for example, Sniffer) or an RMON monitor to the destination port of redirection to
monitor and manage the network and diagnose network problems; 2. a special
transmission policy for a special type of data frames.
The switch can only designate a single destination port of redirection for a given class of flow
within a source port of redirection, while it can designate different destination ports of
redirection for different classes of flows within the same source port of redirection. The same class
of flow can be applied to different source ports.

5.15.2 Flow-based Redirection Configuration Task


Sequence:
1. Flow-based redirection configuration
2. Check the current flow-based redirection configuration

1. Flow-based redirection configuration



Command Explanation
Physical Interface Configuration Mode
access-group <aclname> redirect to interface [ethernet <IFNAME> | <IFNAME>]
no access-group <aclname> redirect
    Specify flow-based redirection for the port; the "no access-group <aclname> redirect" command deletes the flow-based redirection.

2. Check the current flow-based redirection configuration


Command Explanation
Global Mode/Admin Mode
show flow-based-redirect {interface [ethernet <IFNAME> | <IFNAME>]}
    Display the current flow-based redirection information of the system/port.

5.15.3 Flow-based Redirection Examples


Example:
The user's configuration request is as follows: redirect the frames whose source IP
is 192.168.1.111 received from port 1 to port 6, that is, send the frames whose source IP is
192.168.1.111 received from port 1 out through port 6.

Modification of configuration:
1: Set an ACL whose match condition is: source IP is 192.168.1.111;
2: Apply the redirection based on this flow to port 1.

The following is the configuration procedure:


Switch(config)#access-list 1 permit host 192.168.1.111
Switch(config)#interface ethernet 1/0/1
Switch(Config-If-Ethernet1/0/1)# access-group 1 redirect to interface ethernet 1/0/6

5.15.4 Flow-based Redirection Troubleshooting Help


When the configuration of flow-based redirection fails, please check whether the problem is
caused by one of the following reasons:
 The type of flow (ACL) can only be a numbered standard IP ACL, numbered extended IP ACL,
named standard IP ACL, named extended IP ACL, numbered standard MAC ACL, numbered extended
MAC ACL, named standard MAC ACL, named extended MAC ACL, numbered extended IPv6 ACL or
named standard IPv6 ACL;
 Time-range and port-range parameters cannot be set in the ACL, and the type of the ACL rule must be
permit.
 The redirection port must be a 1000 Mb port in the flow-based redirection function.
 The redirection port cannot be the source port itself in the flow-based redirection function.

5.16 Flexible QinQ

5.16.1 Introduction to Flexible QinQ

5.16.1.1 QinQ Technique


Dot1q-tunnel is also called QinQ (802.1Q-in-802.1Q), which is an extension of 802.1Q. Its
central idea is to encapsulate the customer VLAN tag (CVLAN tag) inside a service provider
VLAN tag (SPVLAN tag). The packet with two VLAN tags is transmitted through the backbone
network of the ISP to provide a simple layer-2 tunnel for the users. It is simple and easy
to manage, applicable only by static configuration, and especially suited to small office networks
or small metropolitan area networks that use layer-3 switches as backbone equipment.
There are two kinds of QinQ: basic QinQ and flexible QinQ; the priority of flexible QinQ is
higher than that of basic QinQ.

5.16.1.2 Basic QinQ


Basic QinQ is port-based. After a port is configured with QinQ, the device adds the default VLAN
tag to every received packet, whether the packet already carries a tag or not. Basic QinQ is simple
to use, but the way the VLAN tag is set is inflexible.

5.16.1.3 Flexible QinQ


Flexible QinQ is based on the data flow. It selects whether to add an outer tag, and which outer
tag to add, by matching the data flow. For example, flexible QinQ can be applied according to the
user's VLAN tag, MAC address, IPv4/IPv6 address, IPv4/IPv6 protocol, application port ID, etc. So it
can encapsulate an outer tag for the packet and implement different schemes for different users or
methods.

5.16.2 Flexible QinQ Configuration Task List


The matching of flexible QinQ data flows uses the policy-map rules of QoS; the configuration
task list is as follows:
1. Create a class-map to classify the different data flows
2. Create a flexible QinQ policy-map associated with the class-map and set the corresponding
operation
3. Bind the flexible QinQ policy-map to the port

1. Configure class map


Command Explanation
Global mode
class-map <class-map-name>
no class-map <class-map-name>
    Create a class-map and enter class-map mode; the no command deletes the specified class-map.
match {access-group <acl-index-or-name> | ip dscp <dscp-list> | ip precedence <ip-precedence-list> | ipv6 access-group <acl-index-or-name> | ipv6 dscp <dscp-list> | ipv6 flowlabel <flowlabel-list> | vlan <vlan-list> | cos <cos-list>}
no match {access-group | ip dscp | ip precedence | ipv6 access-group | ipv6 dscp | ipv6 flowlabel | vlan | cos}
    Set the match standard of the class-map (classify the data flow by ACL, IPv4 Precedence or DSCP, etc. for the class map); the no command deletes the specified match standard.

2. Configure policy-map of flexible QinQ


Command Explanation
Global mode
policy-map <policy-map-name>
no policy-map <policy-map-name>
    Create a policy-map and enter policy-map mode; the no command deletes the specified policy-map.
class <class-map-name> [insert-before <class-map-name>]
no class <class-map-name>
    After a policy-map is created, it can be associated with a class. Different policies or a new DSCP value can be applied to different data flows in class mode; the no command deletes the specified class-map.
set {ip dscp <new-dscp> | ip precedence <new-precedence> | internal priority <new-inp> | drop precedence <new-dp> | cos <new-cos> | s-vid <new-vid>}
no set {ip dscp | ip precedence | internal priority | drop precedence | cos | s-vid}
    Assign the new inner priority, outer tag and so on to the flow after classification; the no command cancels the operation.

3. Bind flexible QinQ policy-map to port


Command Explanation
Port mode
service-policy <policy-map-name> in
no service-policy <policy-map-name> in
    Apply a policy-map to a port; the no command deletes the specified policy-map applied to the port.

4. Show flexible QinQ policy-map bound to port


Command Explanation
Admin mode
show mls qos {interface [<interface-id>]}
    Show the flexible QinQ configuration on the port.

5.16.3 Flexible QinQ Example

Figure 5-48 Flexible QinQ application topology


As shown in the figure, the first user is assigned three DSCP values, 10, 20 and 30, in DSLAM1.
DSCP 10 corresponds to Broad Band Network, DSCP 20 corresponds to VOIP and DSCP 30 corresponds to
VOD. After the downlink port enables the flexible QinQ function, the packets are given different
outer tags according to the user's DSCP. DSCP 10 is given the outer tag 1001 (this tag is unique in
the public network), enters Broad Band Network-DSCP10 and is classified to the BRAS device. DSCP 20
(or DSCP 30) is given the outer VLAN tag 2001 (or 3001) and is classified to the SR device according
to the flow rules. The second user can be assigned different DSCP values in DSLAM2. Notice: the DSCP
values assigned to the second user may be the same as those of the first user, and those DSCP values
are also given an outer tag. In the above figure, the outer tags of the second user differ from those
of the first user, which distinguishes the DSLAM location and finally locates the user.
The configuration is as follows:
If the data flow of DSLAM1 enters the switch's downlink port 1, the configuration is as
follows:
Switch(config)#class-map c1
Switch(config-classmap-c1)#match ip dscp 10

Switch(config-classmap-c1)#exit
Switch(config)#class-map c2
Switch(config-classmap-c2)#match ip dscp 20
Switch(config-classmap-c2)#exit
Switch(config)#class-map c3
Switch(config-classmap-c3)#match ip dscp 30
Switch(config-classmap-c3)#exit
Switch(config)#policy-map p1
Switch(config-policymap-p1)#class c1
Switch(config-policymap-p1-class-c1)# set s-vid 1001
Switch(config-policymap-p1)#class c2
Switch(config-policymap-p1-class-c2)# set s-vid 2001
Switch(config-policymap-p1)#class c3
Switch(config-policymap-p1-class-c3)# set s-vid 3001
Switch(config-policymap-p1-class-c3)#exit
Switch(config-policymap-p1)#exit
Switch(config)#interface ethernet 1/0/1
Switch(config-if-ethernet1/0/1)#dot1q-tunnel enable
Switch(config-if-ethernet1/0/1)#service-policy p1 in
If the data flow of DSLAM2 enters the switch’s downlink port1, the configuration is as follows:
Switch(config)#class-map c1
Switch(config-classmap-c1)#match ip dscp 10
Switch(config-classmap-c1)#exit
Switch(config)#class-map c2
Switch(config-classmap-c2)#match ip dscp 20
Switch(config-classmap-c2)#exit
Switch(config)#class-map c3
Switch(config-classmap-c3)#match ip dscp 30
Switch(config-classmap-c3)#exit
Switch(config)#policy-map p1
Switch(config-policymap-p1)#class c1
Switch(config-policymap-p1-class-c1)# set s-vid 1002
Switch(config-policymap-p1)#class c2
Switch(config-policymap-p1-class-c2)# set s-vid 2002
Switch(config-policymap-p1)#class c3
Switch(config-policymap-p1-class-c3)# set s-vid 3002
Switch(config-policymap-p1-class-c3)#exit
Switch(config-policymap-p1)#exit
Switch(config)#interface ethernet 1/0/1
Switch(config-if-ethernet1/0/1)#dot1q-tunnel enable
Switch(config-if-ethernet1/0/1)# service-policy p1 in
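What the two policy-maps above do to a frame on the wire, as an added Python illustration (not switch code): the frame is classified by the DSCP of its IPv4 header and the outer (service provider) VLAN tag that "set s-vid" assigns is pushed in front of any customer tag; a frame that matches no class falls back to basic QinQ and receives the port's default VLAN tag, which is the "flexible QinQ has higher priority than basic QinQ" rule of 5.16.1.1. The frames, MAC addresses, the port default VLAN 100 and the use of TPID 0x8100 for the outer tag are assumptions.

```python
"""Added illustration of flexible QinQ on the wire: classify an Ethernet frame
by the DSCP of its IPv4 header and push the outer (service provider) VLAN tag
that policy-map p1 of 5.16.3 assigns; frames that match no class fall back to
the port's basic QinQ default tag.  Not switch code; frames are constructed,
TPID 0x8100 for the outer tag and the port default VLAN are assumptions."""
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: str, src_mac: str, cvid: Optional[int], dscp: int,
                payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed test frame: optional customer 802.1Q tag, then a minimal IPv4 header."""
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if cvid is not None:
        frame += struct.pack("!HH", TPID_8021Q, cvid & 0x0FFF)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, ToS (DSCP in the top 6 bits), total length, id, flags/frag,
    # TTL, protocol (UDP), checksum (left 0), source, destination
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload),
                            0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return frame + ip_header + payload


def parse_frame(frame: bytes) -> Tuple[List[int], Optional[int]]:
    """Return (VLAN ids outer-to-inner, DSCP or None if the payload is not IPv4)."""
    vids: List[int] = []
    off = 12
    while struct.unpack("!H", frame[off:off + 2])[0] in (TPID_8021Q, TPID_8021AD):
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    dscp = frame[off + 3] >> 2 if ethertype == ETHERTYPE_IPV4 else None
    return vids, dscp


def apply_qinq(frame: bytes, dscp_to_svid: Dict[int, int], port_default_vid: int) -> bytes:
    """Flexible QinQ (policy-map 'set s-vid' by DSCP class) takes priority over
    basic QinQ, which tags every frame with the port default VLAN."""
    _, dscp = parse_frame(frame)
    svid = dscp_to_svid.get(dscp, port_default_vid) if dscp is not None else port_default_vid
    outer = struct.pack("!HH", TPID_8021Q, svid & 0x0FFF)
    return frame[:12] + outer + frame[12:]   # push the outer tag right after the MACs


# policy-map p1 as bound to the DSLAM1 and DSLAM2 downlink ports in 5.16.3
DSLAM1_POLICY = {10: 1001, 20: 2001, 30: 3001}
DSLAM2_POLICY = {10: 1002, 20: 2002, 30: 3002}


def demo() -> Dict[str, Tuple[List[int], Optional[int]]]:
    """Constructed frames through the DSLAM1 port (port default VLAN 100 assumed)."""
    cases = {
        "voip dscp 20, tagged cvid 200": build_frame("001122334455", "66778899aabb", 200, 20),
        "vod dscp 30, untagged": build_frame("001122334455", "66778899aabb", None, 30),
        "unclassified dscp 0, tagged cvid 300": build_frame("001122334455", "66778899aabb", 300, 0),
    }
    return {name: parse_frame(apply_qinq(f, DSLAM1_POLICY, port_default_vid=100))
            for name, f in cases.items()}


if __name__ == "__main__":
    for name, (vids, dscp) in demo().items():
        print(f"{name:38s} -> tags {vids} dscp {dscp}")
```

The inner customer tag and the DSCP are left untouched by the tunnel, so the downstream BRAS or SR device still sees the user's own markings once the outer tag is stripped; only the outer VLAN id distinguishes DSLAM1 from DSLAM2 traffic of the same DSCP.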

5.16.4 Flexible QinQ Troubleshooting



If the flexible QinQ policy cannot be bound to the port, please check whether the problem is
caused by one of the following reasons:
 Make sure flexible QinQ supports the configured class-map and policy-map
 Make sure the ACL includes a permit rule if the class-map matches an ACL rule
 Make sure the switch has enough TCAM resources to install the binding
 The priority of flexible QinQ and vlan ingress filtering for processing packets is: flexible QinQ >
vlan ingress filtering


Chapter 6 Reliability Configuration

6.1 MSTP

6.1.1 Introduction to MSTP


MSTP (Multiple Spanning Tree Protocol) is a spanning-tree protocol based on STP and RSTP. It
runs on all bridges of a bridged LAN. It calculates a Common and Internal Spanning Tree (CIST) for
the bridged LAN, which may consist of bridges running MSTP, RSTP and STP, and it calculates
independent Multiple Spanning Tree Instances (MSTIs) within each MST region (MSTP region).
MSTP adopts the rapid convergence of RSTP and lets multiple VLANs be mapped to one
spanning-tree instance that is independent of the other instances. This gives data traffic
multiple forwarding paths and enables load balancing. Because several VLANs share one MSTI,
MSTP also needs fewer spanning-tree instances than one tree per VLAN, which consumes less CPU
and less bandwidth for BPDUs.

6.1.1.1 MSTP Region


Because multiple VLANs can be mapped to a single spanning-tree instance, the IEEE 802.1s
committee introduced the MST concept: an MST associates a set of VLANs with one spanning-tree
instance.
An MSTP region is composed of one or more bridges that carry the same MST Configuration
Identifier (MCID, also written MSID in this guide) plus the bridged LAN they attach to (a bridge
in the MSTP region is the designated bridge of that LAN, and the other devices attached to the
LAN are not running STP). All bridges in the same MSTP region therefore have the same MCID.
The MCID consists of 3 attributes:
 Configuration Name: composed of digits and letters
 Revision Level
 Configuration Digest: a hash (HMAC-MD5, as defined by IEEE 802.1s) of the table that maps
every VLAN to a spanning-tree instance
Bridges with the same 3 attributes are considered to be in the same MST region. Two bridges
with the same name and revision level but a VLAN-to-instance mapping that differs in even one
VLAN have different digests and therefore form separate regions; this is the usual cause of an
unexpectedly split region.
When MSTP calculates the CIST of a bridged LAN, an MSTP region is treated as a single bridge.
See the figure below:


(Figure: the same network drawn twice, with Root A outside and bridges M, E, D, F and C inside
the MST region)

Figure 6-1 Example of CIST and MST Region


In the above network, if all bridges run STP or RSTP, one port between Bridge M and Bridge B is
blocked. But if the bridges in the highlighted range run MSTP and are configured in the same
MST region, MSTP treats the region as one bridge. Therefore one port between Bridge B and the
Root is blocked and one port on Bridge D is blocked.
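As an added example (not from the S4600 guide and not the switch's own code), the following Python computes the Configuration Digest the way IEEE 802.1s defines it: HMAC-MD5, keyed with the fixed key from the standard, over the 4096-entry table of 16-bit instance numbers indexed by VLAN ID. It uses the mapping from the configuration example later in this section (instance 3: VLANs 20 and 30; instance 4: VLANs 40 and 50) to show that two bridges with the same region name and revision level but a mapping that differs by a single VLAN get different digests and therefore land in different regions. The function names and the (name, revision, mapping) tuple layout are this example's own.

```python
import hashlib
import hmac

# HMAC-MD5 key fixed by IEEE 802.1s for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
NUM_VIDS = 4096  # the table has one 16-bit element per VID 0..4095


def mst_configuration_table(vlan_to_instance):
    """Build the 4096-element table of big-endian 16-bit instance ids.

    vlan_to_instance: {vid: instance}; every VID not listed belongs to
    instance 0 (the CIST), which is the default on a freshly booted bridge.
    """
    table = bytearray(NUM_VIDS * 2)
    for vid, inst in vlan_to_instance.items():
        if not 0 < vid < 4095:
            raise ValueError("VID %d is not a valid user VLAN" % vid)
        if not 0 <= inst <= 4094:
            raise ValueError("instance id %d out of range" % inst)
        table[2 * vid:2 * vid + 2] = inst.to_bytes(2, "big")
    return bytes(table)


def mst_configuration_digest(vlan_to_instance):
    """Hex digest (upper case) as shown by 'show spanning-tree mst configuration' style output."""
    table = mst_configuration_table(vlan_to_instance)
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


def instance_mapping(instances):
    """Expand {instance: [vids]} (the 'instance N vlan a;b' form) into {vid: instance}."""
    mapping = {}
    for inst, vids in instances.items():
        for vid in vids:
            mapping[vid] = inst
    return mapping


def same_region(bridge_a, bridge_b):
    """Two bridges share an MST region iff name, revision level and digest all match.

    Each bridge is a (name, revision, {vid: instance}) tuple (layout chosen here).
    """
    name_a, rev_a, map_a = bridge_a
    name_b, rev_b, map_b = bridge_b
    return (name_a == name_b and rev_a == rev_b
            and mst_configuration_digest(map_a) == mst_configuration_digest(map_b))


if __name__ == "__main__":
    default = {}
    page = instance_mapping({3: [20, 30], 4: [40, 50]})
    print("default mapping digest :", mst_configuration_digest(default))
    print("guide example digest   :", mst_configuration_digest(page))
    # A bridge that forgot VLAN 50 in instance 4 silently forms its own region.
    typo = instance_mapping({3: [20, 30], 4: [40]})
    print("same region as example :", same_region(("mstp", 0, page), ("mstp", 0, typo)))
```

The default-mapping digest (every VLAN in instance 0) is the well-known value 0xAC36177F50283CD4B83821D8AB26DE62, which is a quick way to confirm that the table and key are right on any implementation.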

6.1.1.1.1 Operations within an MSTP Region


The IST connects all the MSTP bridges in a region. When the IST converges, the root of the
IST becomes the IST master, which is the switch within the region with the lowest bridge ID and
path cost to the CST root. The IST master is also the CST root if there is only one region within the
network. If the CST root is outside the region, one of the MSTP bridges at the boundary of the
region is selected as the IST master.
When an MSTP bridge initializes, it sends BPDUs claiming itself as the root of the CST and
the IST master, with both of the path costs to the CST root and to the IST master set to zero. The
bridge also initializes all of its MST instances and claims to be the root for all of them. If the
bridge receives superior MST root information (lower bridge ID, lower path cost, and so forth)
than currently stored for the port, it relinquishes its claim as the IST master.
Within an MST region, the IST is the only spanning-tree instance that sends and receives
BPDUs. Because an MST BPDU carries the information of all instances, the number of BPDUs a
switch must process to support multiple spanning-tree instances is significantly reduced.
All MST instances within the same region share the same protocol timers, but each MST
instance has its own topology parameters, such as root switch ID and root path cost.

6.1.1.1.2 Operations between MST Regions


If there are multiple regions or legacy 802.1D bridges in the network, MSTP establishes and
maintains the CST, which includes all MST regions and all legacy STP bridges in the network.
The MST instances combine with the IST at the boundary of the region to become the CST.
An MSTI is only valid within its MST region and has nothing to do with the MSTIs of other
regions. The bridges of an MST region receive the MST BPDUs of other regions through boundary
ports; they process only the CIST-related information and discard the MSTI information.

6.1.1.2 Port Roles


The MSTP bridge assigns a port role to each port which runs MSTP.
 CIST port roles: Root Port, Designated Port, Alternate Port and Backup Port
 On top of those roles, each MSTI port has one new role: Master Port.
The port roles in the CIST (Root Port, Designated Port, Alternate Port and Backup Port) are
defined in the same ways as those in the RSTP.

6.1.1.3 MSTP Load Balance


In an MSTP region, VLANs can be mapped to various instances, which form different topologies.
Each instance is independent of the others and has its own attributes, such as bridge priority
and port cost. Consequently, the VLANs in different instances follow their own paths, and their
traffic is load-balanced across the available links.

6.1.2 MSTP Configuration Task List


MSTP configuration task list:
1. Enable the MSTP and set the running mode
2. Configure instance parameters
3. Configure MSTP region parameters
4. Configure MSTP time parameters
5. Configure the fast migrate feature for MSTP
6. Configure the format of port packet
7. Configure the spanning-tree attribute of port
8. Configure the snooping attribute of authentication key
9. Configure the FLUSH mode once topology changes

1. Enable MSTP and set the running mode


Command Explanation
Global Mode and Port Mode
spanning-tree
Enable/Disable MSTP.
no spanning-tree
Global Mode
spanning-tree mode {mstp|stp|rstp}
Set MSTP running mode.
no spanning-tree mode
Port Mode
spanning-tree mcheck Force port migrate to run under MSTP.

2. Configure instance parameters


Command                                            Explanation
Global Mode
spanning-tree mst <instance-id> priority           Set the bridge priority for the specified
<bridge-priority>                                  instance.
no spanning-tree mst <instance-id> priority
spanning-tree priority <bridge-priority>           Configure the spanning-tree priority of the
no spanning-tree priority                          switch.
Port Mode
spanning-tree mst <instance-id> cost <cost>        Set the port path cost for the specified
no spanning-tree mst <instance-id> cost            instance.
spanning-tree mst <instance-id>                    Set the port priority for the specified
port-priority <port-priority>                      instance.
no spanning-tree mst <instance-id>
port-priority
spanning-tree mst <instance-id> rootguard          Enable or disable rootguard on the current
no spanning-tree mst <instance-id> rootguard       port in the specified instance; a rootguard
                                                   port cannot become the root port.
spanning-tree rootguard                            Enable or disable rootguard on the current
no spanning-tree rootguard                         port in instance 0; a rootguard port cannot
                                                   become the root port.
spanning-tree [mst <instance-id>] loopguard        Enable loopguard on the specified instance;
no spanning-tree [mst <instance-id>] loopguard     the no command disables it.

3. Configure MSTP region parameters


Command                                            Explanation
Global Mode
spanning-tree mst configuration                    Enter MSTP region mode. The no command
no spanning-tree mst configuration                 restores the default setting.
MSTP region mode
show                                               Display the current running system
                                                   information.
instance <instance-id> vlan <vlan-list>            Create an instance and set the mapping
no instance <instance-id> [vlan <vlan-list>]       between VLANs and the instance.
name <name>                                        Set the MSTP region name.
no name
revision-level <level>                             Set the MSTP region revision level.
no revision-level
abort                                              Quit MSTP region mode and return to Global
                                                   mode without saving the MSTP region
                                                   configuration.
exit                                               Quit MSTP region mode and return to Global
                                                   mode, saving the MSTP region configuration.
no                                                 Cancel one command or restore its initial
                                                   value.


4. Configure MSTP time parameters


Command Explanation
Global Mode
spanning-tree forward-time <time> Set the value for switch forward delay
no spanning-tree forward-time time.
spanning-tree hello-time <time> Set the Hello time for sending BPDU
no spanning-tree hello-time messages.
spanning-tree maxage <time>
Set Aging time for BPDU messages.
no spanning-tree maxage
spanning-tree max-hop <hop-count> Set Maximum number of hops of BPDU
no spanning-tree max-hop messages in the MSTP region.

5. Configure the fast migrate feature for MSTP


Command                                            Explanation
Port Mode
spanning-tree link-type p2p                        Set the port link type.
{auto|force-true|force-false}
no spanning-tree link-type
spanning-tree portfast [bpdufilter| bpduguard]     Set or cancel the port as a boundary (edge)
[recovery <30-3600>]                               port. With bpdufilter, received BPDUs are
no spanning-tree portfast                          discarded; with bpduguard, receiving a BPDU
                                                   disables the port, and recovery <30-3600>
                                                   sets the recovery interval in seconds; with
                                                   no parameter, receiving a BPDU turns the
                                                   port back into a non-boundary port.

On access ports facing end hosts, bpduguard is the usual choice: a BPDU arriving there indicates
an unexpected bridge (or a misconnected uplink) that could otherwise claim the root role or
trigger topology changes, and disabling the port is the safe response.

6. Configure the format of MSTP

Command                                            Explanation
Port Mode
spanning-tree format standard                      Configure the format of the port's
spanning-tree format privacy                       spanning-tree packets: standard is the IEEE
spanning-tree format auto                          format, privacy is compatible with Cisco, and
no spanning-tree format                            auto determines the format from the received
                                                   packets.

7. Configure the spanning-tree attribute of port

Command                                            Explanation
Port Mode
spanning-tree cost                                 Set the port path cost.
no spanning-tree cost
spanning-tree port-priority                        Set the port priority.
no spanning-tree port-priority
spanning-tree rootguard                            Enable rootguard on the port (the port cannot
no spanning-tree rootguard                         become the root port).
Global Mode
spanning-tree transmit-hold-count                  Set the maximum transmit-hold-count of the
<tx-hold-count-value>                              port.
no spanning-tree transmit-hold-count
spanning-tree cost-format {dot1d | dot1t}          Set the port cost format to dot1d or dot1t.

8. Configure the snooping attribute of authentication key

Command                                            Explanation
Port Mode
spanning-tree digest-snooping                      Set the port to use the configuration digest
no spanning-tree digest-snooping                   (authentication string) advertised by the
                                                   partner port. The no command restores use of
                                                   the locally generated digest.

Because the port then accepts whatever digest the partner advertises, it no longer verifies
that both sides use the same VLAN-to-instance mapping. Enable it only on links to equipment that
is known to compute the digest differently.
9. Configure the FLUSH mode once topology changes

Command                                            Explanation
Global Mode
spanning-tree tcflush {enable| disable| protect}   enable: flush the forwarding table once the
no spanning-tree tcflush                           topology changes. disable: do not flush when
                                                   the topology changes. protect: flush not more
                                                   than once every ten seconds. The no command
                                                   restores the default setting (flush once the
                                                   topology changes).
Port Mode
spanning-tree tcflush {enable| disable| protect}   Configure the port flush mode. The no command
no spanning-tree tcflush                           restores use of the globally configured flush
                                                   mode.

6.1.3 MSTP Example


The following is a typical MSTP application example:


(Figure: SW1 port 1 connects to SW2 port 1 and SW1 port 2 to SW3 port 1; SW2 and SW3 are linked
twice, through their ports 2 and 3; SW2 ports 4 and 5 connect to SW4 ports 4 and 5, and SW3
ports 6 and 7 connect to SW4 ports 6 and 7. Ports marked "x" in the figure are discarding: SW3
ports 2 and 3, and SW4 ports 5, 6 and 7.)

Figure 6-2 Typical MSTP Application Scenario


The connections among the switches are shown in the above figure. All the switches run in
MSTP mode by default, and their bridge priorities, port priorities and port path costs are all at
the default (equal) values. The default configuration of the switches is listed below ("-"
means the switch has no such port):

Bridge Name            SW1          SW2          SW3          SW4
Bridge MAC Address     ...00-00-01  ...00-00-02  ...00-00-03  ...00-00-04
Bridge Priority        32768        32768        32768        32768
Port Priority
  port 1               128          128          128          -
  port 2               128          128          128          -
  port 3               -            128          128          -
  port 4               -            128          -            128
  port 5               -            128          -            128
  port 6               -            -            128          128
  port 7               -            -            128          128
Path Cost
  port 1               200000       200000       200000       -
  port 2               200000       200000       200000       -
  port 3               -            200000       200000       -
  port 4               -            200000       -            200000
  port 5               -            200000       -            200000
  port 6               -            -            200000       200000
  port 7               -            -            200000       200000

By default, MSTP establishes a tree topology (drawn with blue lines in the figure) rooted at
SW1, which has the lowest bridge MAC address and therefore the lowest bridge ID. The ports
marked "x" are in the discarding state, and the other ports are in the forwarding state.


Configurations Steps:
Step 1: Configure port to VLAN mapping:
 Create VLAN 20, 30, 40, 50 in Switch2, Switch3 and Switch4.
 Set ports 1-7 as trunk ports in Switch2 Switch3 and Switch4.
Step 2: Set Switch2, Switch3 and Switch4 in the same MSTP region:
 Set Switch2, Switch3 and Switch4 to have the same region name as mstp.
 Map VLAN 20 and VLAN 30 in Switch2, Switch3 and Switch4 to Instance 3; Map VLAN
40 and VLAN 50 in Switch2, Switch3 and Switch4 to Instance 4.
Step 3: Set Switch3 as the root bridge of Instance 3; Set Switch4 as the root bridge of Instance 4
 Set the bridge priority of Instance 3 in Switch3 as 0.
 Set the bridge priority of Instance 4 in Switch4 as 0.

The detailed configuration is listed below:

Switch2:
Switch2(config)#vlan 20
Switch2(Config-Vlan20)#exit
Switch2(config)#vlan 30
Switch2(Config-Vlan30)#exit
Switch2(config)#vlan 40
Switch2(Config-Vlan40)#exit
Switch2(config)#vlan 50
Switch2(Config-Vlan50)#exit
Switch2(config)#spanning-tree mst configuration
Switch2(Config-Mstp-Region)#name mstp
Switch2(Config-Mstp-Region)#instance 3 vlan 20;30
Switch2(Config-Mstp-Region)#instance 4 vlan 40;50
Switch2(Config-Mstp-Region)#exit
Switch2(config)#interface e1/0/1-7
Switch2(Config-Port-Range)#switchport mode trunk
Switch2(Config-Port-Range)#exit
Switch2(config)#spanning-tree

Switch3:
Switch3(config)#vlan 20
Switch3(Config-Vlan20)#exit
Switch3(config)#vlan 30
Switch3(Config-Vlan30)#exit
Switch3(config)#vlan 40
Switch3(Config-Vlan40)#exit
Switch3(config)#vlan 50
Switch3(Config-Vlan50)#exit
Switch3(config)#spanning-tree mst configuration
Switch3(Config-Mstp-Region)#name mstp
Switch3(Config-Mstp-Region)#instance 3 vlan 20;30
Switch3(Config-Mstp-Region)#instance 4 vlan 40;50
Switch3(Config-Mstp-Region)#exit
Switch3(config)#interface e1/0/1-7
Switch3(Config-Port-Range)#switchport mode trunk
Switch3(Config-Port-Range)#exit
Switch3(config)#spanning-tree
Switch3(config)#spanning-tree mst 3 priority 0

Switch4:
Switch4(config)#vlan 20
Switch4(Config-Vlan20)#exit
Switch4(config)#vlan 30
Switch4(Config-Vlan30)#exit
Switch4(config)#vlan 40
Switch4(Config-Vlan40)#exit
Switch4(config)#vlan 50
Switch4(Config-Vlan50)#exit
Switch4(config)#spanning-tree mst configuration
Switch4(Config-Mstp-Region)#name mstp
Switch4(Config-Mstp-Region)#instance 3 vlan 20;30
Switch4(Config-Mstp-Region)#instance 4 vlan 40;50
Switch4(Config-Mstp-Region)#exit
Switch4(config)#interface e1/0/1-7
Switch4(Config-Port-Range)#switchport mode trunk
Switch4(Config-Port-Range)#exit
Switch4(config)#spanning-tree
Switch4(config)#spanning-tree mst 4 priority 0

After the above configuration, Switch1 is the root bridge of the instance 0 of the entire
network. In the MSTP region which Switch2, Switch3 and Switch4 belong to, Switch2 is the region
root of the instance 0, Switch3 is the region root of the instance 3 and Switch4 is the region root
of the instance 4. The traffic of VLAN 20 and VLAN 30 is sent through the topology of the instance
3. The traffic of VLAN 40 and VLAN 50 is sent through the topology of the instance 4. And the
traffic of other VLANs is sent through the topology of the instance 0. The port 1 in Switch2 is the
master port of the instance 3 and the instance 4.
The MSTP calculation generates 3 topologies: the instance 0, the instance 3 and the instance
4 (marked with blue lines). The ports with the mark “x” are in the status of discarding. The other
ports are the status of forwarding. Because the instance 3 and the instance 4 are only valid in the
MSTP region, the following figure only shows the topology of the MSTP region.


(Figure: instance 0 over the whole network. SW2 port 1 forwards toward SW1; SW3 port 1 is
discarding. SW2 and SW3 forward on their ports 2; SW3 port 3 is discarding. SW4 port 4 forwards
toward SW2; SW4 ports 5, 6 and 7 are discarding.)

Figure 6-3 The Topology Of the Instance 0 after the MSTP Calculation

(Figure: instance 3 inside the region, rooted at SW3. SW2 port 2 forwards toward SW3; SW2 port 3
is discarding. SW4 port 6 forwards toward SW3; SW4 ports 4, 5 and 7 are discarding.)

Figure 6-4 The Topology Of the Instance 3 after the MSTP Calculation

(Figure: instance 4 inside the region, rooted at SW4. SW2 port 4 and SW3 port 6 forward toward
SW4; SW2 port 5 and SW3 port 7 are discarding. SW3 ports 2 and 3 are discarding.)

Figure 6-5 The Topology Of the Instance 4 after the MSTP Calculation


6.1.4 MSTP Troubleshooting


 In order to run MSTP on a switch port, MSTP has to be enabled globally. If MSTP is not
enabled globally, it cannot be enabled on the port.
 The MSTP timer parameters depend on each other, so they must satisfy the following
conditions; otherwise MSTP may work incorrectly:
2×(Bridge_Forward_Delay -1.0 seconds) >= Bridge_Max_Age
Bridge_Max_Age >= 2 ×(Bridge_Hello_Time + 1.0 seconds)
 When users modify MSTP parameters, they must be sure what topology changes will follow. The
global configuration applies to the bridge as a whole; the other configurations apply to the
individual instances.

6.2 ERPS

6.2.1 Introduction to ERPS


ERPS (Ethernet Ring Protection Switching) is a layer 2 loop-prevention protocol defined by
ITU-T; the standard is ITU-T G.8032/Y.1344, also known as G.8032. The G.8032 Ethernet standard
absorbs the advantages of earlier ring-protection technologies such as EAPS, RPR, SDH and STP.
It optimizes the detection mechanism, can detect both bidirectional and unidirectional faults,
and supports multi-ring and multi-domain structures. While achieving switchover within 50 ms, it
supports master/slave operation and load sharing. It is the newest standard for Ethernet ring
technology.
ERPS is the loop-prevention protocol used for ring-network protection. It covers link
switching on a ring fault, notification, and switching back after the ring is restored, but it
does not include the discovery of link faults. The CCM function defined by 802.1ag can be used
for fault discovery, and physical link fault detection can also be used. The principle is that,
whichever detection mechanism is used, the link fault must be found in a short time and reported
to the ERPS module. The switchover time ERPS requires is a traffic interruption of at most 50 ms
on a ring of up to 1200 km and 16 nodes. This is demanding for both link-fault discovery and the
switchover time of the ring-protection protocol.

6.2.1.1 ERPS Terminology


Ethernet ring: a closed physical ring made up of many ring nodes; every node on the ring has
exactly two ports connected to the ring.
Ring protection link: the RPL is one link on the ring. When the ring is healthy, the link is
blocked by its nodes and cannot carry data traffic.
RPL owner node: when the ring is healthy, this node, connected to the RPL, blocks the RPL. It
also initiates the switch back when the ring is restored and the ring is configured as
revertive.
RPL neighbor node: the other node connected to the RPL. When the ring is healthy, it also
blocks the RPL.
Interconnection node: a cross node, the node at the crossing point when several rings
intersect. One or more rings are attached to an interconnection node; a ring connected through
one port is a sub-ring, and a ring connected through two ports is the major ring.
R-APS virtual channel: the link that connects the two interconnection nodes of a sub-ring
outside the sub-ring's own path. Its transmission characteristics are those of the outer ring.
major-ring: the ring that is connected through two ports on the interconnection node.
sub-ring: a ring that connects to another network through two interconnection nodes. On its
own it is not a closed ring; it only forms a ring together with the path through the
interconnection nodes.
ERP instance: a set of VLANs protected together. The packets of the VLANs in one instance
follow the same ring link, and every VLAN belongs to only one instance.
Revertive switch: after learning that the ring fault is restored, the RPL owner node blocks
the RPL again, so the traffic path returns to the path used before the fault.
Non-revertive switch: after learning that the ring fault is restored, the RPL owner node does
not block the RPL, so the traffic path stays as it is.

6.2.1.2 ERPS Function

6.2.1.2.1 Fault Switchover


The following describes a single ring with a single link fault.

Figure 6-6 single-link fault


The steps of fault switchover:

a) The ring is healthy; RPL owner node G sends the R-APS (NR, RB) packet periodically.
This packet announces that the RPL is blocked and the ring is healthy.
b) A fault occurs on the link between nodes C and D.
c) Nodes C and D detect the fault; each blocks the port connected to the faulted link
and flushes its FDB.
d) At the same time, nodes C and D each send the fault notification packet R-APS (SF)
through their ring ports.
e) Every node that receives an R-APS (SF) packet flushes its FDB. RPL owner node G and
RPL neighbor node A set their RPL ports to forwarding, and node G stops sending
R-APS (NR, RB) packets.
f) Because the RPL is no longer blocked, every node now receives two R-APS (SF)
packets (one sent by node C and one by node D); on receiving the new R-APS (SF)
packet, it flushes its FDB again.
g) The link-fault message R-APS (SF) keeps being transmitted around the ring while the
fault persists.

6.2.1.2.2 Failure Recovery


When a ring link is restored, the ring nodes can behave in one of two ways. One is the
revertive switch: after the link returns to normal, the ring blocks the RPL again and restores
the forwarding state of the recovered link, so the data forwarding path is the same as it was
before the fault. The other is the non-revertive switch: after the link returns to normal, the
recovered link stays blocked, and data continues to be forwarded along the current path.

The two methods suit different environments. When blocking the RPL gives the best data
transmission path, use the revertive switch; when the path costs are similar, it makes no
difference which link is blocked, so use the non-revertive switch to avoid a second interruption
of the data flow.

1. Revertive switch
The following describes a single ring with a single link fault.

Figure 6-7 Revertive switch fault restoration of single link

The steps:
a) While the fault persists, the nodes that detected it send R-APS (SF) packets with the
fault message periodically;
b) The link fault is restored;
c) Nodes C and D detect the restoration, start their guard timers and send the
fault-restoration packet R-APS (NR) on their ring ports at the same time;
d) When the RPL owner node receives an R-APS (NR) packet, it starts the WTR timer and
clears the local fault message at the same time;
e) After the guard timers of nodes C and D expire, each receives the R-APS (NR) packet
from its peer. Node D sees that node C has the higher priority, so it stops sending
R-APS (NR) packets with its local message and unblocks its port;
f) When the WTR timer of RPL owner node G expires, it blocks the port connected to the
RPL and sends R-APS (NR, RB) packets through its ring ports to notify the other nodes
that the RPL is blocked. At the same time, node G flushes its FDB;
g) When node C receives the R-APS (NR, RB) packet sent by the RPL owner node, it
unblocks its local port and stops sending NR packets. When RPL neighbor node A
receives this packet, it blocks the port connected to the RPL. In addition, all nodes
flush their FDB after receiving R-APS (NR, RB) packets.
2. Non-revertive switch
The following example again describes a single ring with a single link fault, as shown in
Figure 6-8.

Figure 6-8 Non-revertive switch fault restoration of single link

The steps:
a) While the fault persists, the nodes that detected it send R-APS (SF) packets with the
fault message periodically;
b) The link fault is restored;
c) Nodes C and D detect the restoration, start their guard timers and send the
fault-restoration packet R-APS (NR) on their ring ports at the same time;
d) When RPL owner node G receives an R-APS (NR) packet, it clears the local fault
message, but because the non-revertive method is configured it does not start the
WTR timer;
e) After the guard timers of nodes C and D expire, each receives the R-APS (NR) packet
from its peer. Node D sees that node C has the higher priority, so it stops sending
R-APS (NR) packets and unblocks its local port;
f) If the operator runs the clear command on RPL owner node G, it reverts to the
revertive behaviour: it blocks the port connected to the RPL and sends R-APS (NR, RB)
packets through its ring ports to notify the other nodes that the RPL is blocked. At
the same time, it flushes its FDB;
g) When node C receives the packet sent by the RPL owner node, it unblocks its local
port and stops sending R-APS (NR) packets. When RPL neighbor node A receives this
packet, it blocks the port connected to the RPL. In addition, all nodes flush their
FDB after receiving the packet.

6.2.1.2.3 Interconnection Ring Model



ERPS protocol can support the protection and switching of the interconnection
ring. The interconnection ring includes two types: the interconnection ring model with
virtual channel and the interconnection ring model without virtual channel.

1. The interconnection ring model with virtual channel


As shown in Figure 6-9, three rings are interconnected. Ring 1 is a major ring made up of the
nodes A, B, G, H and the links between them; when ring 1 is healthy, it blocks the link between
nodes A and B. Ring 2 is another major ring, made up of the nodes C, D, E, F and their links;
when ring 2 is healthy, it blocks the link between nodes C and D. Ring 3 is a sub-ring made up
of the nodes B, C, F, G and the links B-C and G-F; when ring 3 is healthy, it blocks the link
B-C. Link B-G is the interconnection link of ring 1 and ring 3 and belongs to ring 1. Link C-F
is the interconnection link of ring 2 and ring 3 and belongs to ring 2. Ring 1 and ring 2 are
both closed rings; ring 3 is not. If ring 1 is treated as the link between the interconnection
nodes B and G of ring 3 (a virtual channel), and ring 2 as the link between the interconnection
nodes C and F of ring 3 (another virtual channel), ring 3 becomes a closed ring.

(Figure: major ring 1 (nodes A, B, G, H) on the left, major ring 2 (nodes C, D, E, F) on the
right, and sub-ring 3 (nodes B, C, F, G) between them)

Figure 6-9 the interconnection ring topology with virtual channel

The R-APS virtual channel provided by ring 1 and ring 2 treats the protocol packets of ring 3
as data packets, so they are forwarded the same way as data packets. Node B of ring 3 sends
ring 3 ERPS protocol packets to node G and receives those sent by node G, and node G does the
same with node B. To distinguish the ERPS packets of ring 3 from the ERPS packets of the major
ring inside ring 1 and ring 2, a different control VLAN can be used for the protocol packets of
each ring.

When sub-ring 3 changes, it must notify ring 1 and ring 2, and the nodes on the major rings
flush their FDB. Topology changes of major ring 1 and ring 2 do not affect sub-ring 3, and they
do not affect each other either.

2. The interconnection ring model without virtual channel


The same network can be understood in another way, as shown in Figure 6-10: ring 1 is the
major ring, made up of the nodes A, B, G, H and their links; when ring 1 is healthy, it blocks
the link between nodes A and B. Ring 2 is a sub-ring made up of the nodes C, D, E, F and the
links C-D, D-E and E-F; when ring 2 is healthy, it blocks the link between nodes C and D. Ring 3
is another sub-ring, made up of the nodes B, C, F, G and the links B-C, C-F and F-G; when ring 3
is healthy, it blocks the link B-C. Link B-G is the interconnection link of ring 1 and ring 3
and belongs to ring 1. Link C-F is the interconnection link of ring 2 and ring 3 and belongs to
ring 3. Ring 1 is a closed ring; ring 2 and ring 3 are not.

(Figure: major ring 1 (nodes A, B, G, H) on the left, sub-ring 2 (nodes C, D, E, F) on the
right, and sub-ring 3 (nodes B, C, F, G) between them)

Figure 6-10 the interconnection ring topology without virtual channel

Although neither ring 2 nor ring 3 is a closed ring, the ERPS packets of these two sub-rings
still have to reach all of their ring nodes. So even when the links B-C and C-D are blocked,
the blocked links must still carry ERPS protocol packets, and the nodes at both ends of each
blocked link (B and C, C and D) must still receive and send them.

When sub-ring 3 changes, it must notify ring 1, and the nodes on the major ring flush their
FDB; the change does not affect sub-ring 2. When sub-ring 2 changes, it affects sub-ring 3 and
major ring 1, and the nodes on the major ring flush their FDB. Topology changes of major ring 1,
however, do not affect sub-ring 2 or sub-ring 3.

6.2.1.3 ERPS Application


ERPS is used in ring networks and is typically deployed at the aggregation layer. The
aggregation ring completes the layer 2 aggregation of services and hands them to the layer 3
network at the same time. Running ERPS on the aggregation ring provides layer 2 redundancy
protection switching for that ring.

6.2.2 ERPS Configuration


The ERPS configuration task list is as follows:
1) Create the instance and map it to the VLANs that should be protected
2) Create the ERPS ring and configure the member port information. By default the ring
supports version V2, is of the major-ring (closed) type, and monitors the physical status of
the ports
3) Configure the ERPS ring instance: the protected instances and the port roles. Configure
the ERPS ring instance name, R-APS level and timers; configure the control VLAN last, and
select the ports to configure as RPL owner and RPL neighbor

1. Create the MSTP instance

Command                                            Explanation
Global Mode
spanning-tree mst configuration                    Enter MST configuration mode to configure
no spanning-tree mst configuration                 the MSTP region parameters; the no command
                                                   restores the default.
MST Mode
instance <instance-value> vlan <vlan-list>         Map the VLANs that the instance should
no instance [instance-value]                       protect to the instance; the no command
                                                   deletes the specified instance.
2. Create the ERPS ring and configure the member port information

Command                                            Explanation
Global Mode
erps ring <ring-name>                              Create an ERPS ring and enter ERPS ring
no erps ring <ring-name>                           configuration mode; the no command deletes
                                                   the specified ERPS ring.
Port Mode
erps-ring <ring-name> port0                        Configure the port as ring port0 or port1 of
erps-ring <ring-name> port1                        the ring node; the no command removes the
no erps-ring <ring-name> port0                     assignment.
no erps-ring <ring-name> port1
3. Configure the ERPS ring instance
Command                                      Explanation
Global Mode
erps-ring <ring-name>                        Create an ERPS ring and enter ERPS ring
no erps-ring <ring-name>                     configuration mode; the no command deletes the
                                             specified ring.
ERPS Ring Configuration Mode
erps-instance <instance-id>                  Create an ERPS ring instance and enter ERPS ring
no erps-instance <instance-id>               instance configuration mode; the no command
                                             deletes the specified ring node instance.
description <instance-name>                  Configure the description string of the ERPS
no description                               instance; the no command deletes it.
rpl {port0 | port1} {owner | neighbour}      Configure a member port of the ERPS ring instance
no rpl {port0 | port1}                       as RPL owner or RPL neighbour; the no command
                                             removes the owner or neighbour role from the port.
non-revertive                                Configure the RPL owner not to switch back to the
                                             RPL after the WTR timer expires (used in the
                                             example in 6.2.3).
raps-mel <level-value>                       Configure the level of the R-APS channel. The MEL
no raps-mel                                  field of a received R-APS packet is compared with
                                             this level to decide whether the packet may pass;
                                             the no command deletes the level.
protected-instance <instance-list>           Configure the MSTP instance(s) protected by the
no protected-instance                        ERPS ring instance; the no command deletes them.
wtr-timer <wtr-times>                        Configure the WTR (wait-to-restore) timer, which
no wtr-timer                                 keeps the RPL owner from switching back and forth
                                             on an intermittent fault; the no command deletes
                                             the timer.
guard-timer <guard-times>                    Configure the Guard timer, which stops a ring node
no guard-timer                               from acting on outdated R-APS packets and so
                                             prevents a transient loop; the no command deletes
                                             the timer.
holdoff-timer <holdoff-times>                Configure the Holdoff timer, which delays the
no holdoff-timer                             fault report of the ring node; the no command
                                             deletes the timer.
control-vlan <vlan-id>                       Configure the control VLAN in which the R-APS
no control-vlan                              packets are sent. Within the ERPS ring instance
                                             this VLAN carries only ERPS protocol packets,
                                             never user traffic, which keeps user frames out
                                             of the protocol channel; the no command deletes
                                             the control VLAN.
4. Show the ERPS configuration information
Command                                                           Explanation
Global Mode
show erps ring {<ring-name> | brief}                              Show ERPS ring information.
show erps instance [ring <ring-name> [instance <instance-id>]]    Show ERPS ring instance information.
show erps status [ring <ring-name> [instance <instance-id>]]      Show ERPS ring instance status.
show erps statistics [ring <ring-name> [instance <instance-id>]]  Show ERPS ring instance statistics.

6.2.3 ERPS Examples


Case 1:

As shown in the figure for this case (not reproduced in this text), S1 to S4 make up the ring
network and provide layer 2 redundancy protection switching. To keep the traffic of VLAN10 to
VLAN20 from looping, ERPS is deployed on the devices that make up the ring. The forwarding
path of user data entering through CE1 is S2-S1, and that of data entering through CE2 is
S3-S4. To protect the Ethernet ring, configure it as below:
1. Configuration approach
Configure ERPS ring redundancy protection as follows:
Create the ERPS ring maijor_ring1 and configure its member ports;
Configure instance 1 on ERPS ring maijor_ring1, with its protected instance, member port
roles, timers and control VLAN.
2. Configuration steps
Step 1: Create MSTP instance 2 on S1 to S4 and map VLAN2 and VLAN10-20 to it. VLAN2 carries
the protocol packets and VLAN10-20 carry the data packets. The VLANs themselves must already
exist on each switch (create them with the vlan command), and the ring ports must be trunk
ports that carry them.
Configuration of S1:
S1#config
S1(config)#spanning-tree mst configuration
S1(Config-Mstp-Region)#instance 2 vlan 2;10-20
S1(Config-Mstp-Region)#exit
S1(config)#interface e1/0/1-2
S1(Config-If-Port-Range)#switchport mode trunk
The configuration of S2, S3 and S4 is the same as S1.

Step 2: Create the ERPS ring and configure the member port information. Default
configuration: version V2 is supported, the ring type is a closed major ring, and the physical
status of the port is monitored.
Configuration of S1:
S1(config)#erps-ring maijor_ring1
S1(config-erps-ring)#exit
S1(config)#interface e1/0/1
S1(config-if-ethernet1/0/1)#erps-ring maijor_ring1 port0
S1(config-if-ethernet1/0/1)#interface e1/0/2
S1(config-if-ethernet1/0/2)#erps-ring maijor_ring1 port1
The configuration of S2, S3 and S4 is the same as S1.

Step 3: Configure the ERPS ring instance: the protected instance, the port roles, the
instance name, the R-APS level and the timers. Configure the control VLAN last. Port e1/0/2
(port1) of S2 is the RPL owner, and the S3 port at the other end of that link is the RPL
neighbour (port1 in the configuration below); the owner and the neighbour must be the two
ends of the same ring link.
Configuration of S1:
S1(config)#erps-ring maijor_ring1
S1(config-erps-ring)#erps-instance 1
S1(config-erps-ring-inst-1)#description instance1
S1(config-erps-ring-inst-1)#raps-mel 3
S1(config-erps-ring-inst-1)#protected-instance 2
S1(config-erps-ring-inst-1)#wtr-timer 8
S1(config-erps-ring-inst-1)#guard-timer 100
S1(config-erps-ring-inst-1)#holdoff-timer 5
S1(config-erps-ring-inst-1)#control-vlan 2
The configuration of S4 is the same as S1.

Configuration of S2:
S2(config)#erps-ring maijor_ring1
S2(config-erps-ring)#erps-instance 1
S2(config-erps-ring-inst-1)#description instance1
S2(config-erps-ring-inst-1)#rpl port1 owner
S2(config-erps-ring-inst-1)#non-revertive
S2(config-erps-ring-inst-1)#raps-mel 3
S2(config-erps-ring-inst-1)#protected-instance 2
S2(config-erps-ring-inst-1)#wtr-timer 8
S2(config-erps-ring-inst-1)#guard-timer 100
S2(config-erps-ring-inst-1)#holdoff-timer 5
S2(config-erps-ring-inst-1)#control-vlan 2

Configuration of S3:
S3(config)#erps-ring maijor_ring1
S3(config-erps-ring)#erps-instance 1
S3(config-erps-ring-inst-1)#description instance1
S3(config-erps-ring-inst-1)#rpl port1 neighbour
S3(config-erps-ring-inst-1)#raps-mel 3
S3(config-erps-ring-inst-1)#protected-instance 2
S3(config-erps-ring-inst-1)#wtr-timer 8
S3(config-erps-ring-inst-1)#guard-timer 100
S3(config-erps-ring-inst-1)#holdoff-timer 5
S3(config-erps-ring-inst-1)#control-vlan 2

Step 4: Check the result. After the configuration above has been applied, check it on each
node; the output below is from S2.
S2#show erps ring brief
Ring-ID  Description   Ring-topo   Port0   Port1   Version  Inst-Count
----------------------------------------------------------------------
1        maijor_ring1  major-ring  1/0/1   1/0/2   V2       1

S2#show erps instance
ERPS Ring maijor_ring1
Instance 1
Description:instance1
Protected Instance : 2        Revertive mode: non-revertive
RAPS MEL: 3                   R-APS-Virtual-Channel:
Control Vlan : 2
Guard Timer (csec) : 100
Holdoff Timer (seconds) : 5
WTR Timer (min) : 8
Port     Role         Port-Status
----------------------------------------------------------------
port0    Common       Forwarding
port1    RPL Owner    Blocked
On the RPL owner, port1 must show Blocked while the ring is healthy; if no port on the ring
is blocked, the ring is a loop. Note the timer units in the output: the guard timer is in
centiseconds, the holdoff timer in seconds and the WTR timer in minutes.
3. Configuration files
The configuration file of S1:
S1#config
S1(config)#erps-ring maijor_ring1
S1(config-erps-ring)#exit
S1(config)#spanning-tree mst configuration
S1(Config-Mstp-Region)#instance 2 vlan 2;10-20
S1(Config-Mstp-Region)#exit
S1(config)#interface e1/0/1-2
S1(Config-If-Port-Range)#switchport mode trunk
S1(Config-If-Port-Range)#exit
S1(config)#interface e1/0/1
S1(config-if-ethernet1/0/1)#erps-ring maijor_ring1 port0
S1(config-if-ethernet1/0/1)#interface e1/0/2
S1(config-if-ethernet1/0/2)#erps-ring maijor_ring1 port1
S1(config-if-ethernet1/0/2)#exit
S1(config)#erps-ring maijor_ring1
S1(config-erps-ring)#erps-instance 1
S1(config-erps-ring-inst-1)#description instance1
S1(config-erps-ring-inst-1)#raps-mel 3
S1(config-erps-ring-inst-1)#protected-instance 2
S1(config-erps-ring-inst-1)#wtr-timer 8
S1(config-erps-ring-inst-1)#guard-timer 100
S1(config-erps-ring-inst-1)#holdoff-timer 5
S1(config-erps-ring-inst-1)#control-vlan 2

The configuration file of S2:
S2#config
S2(config)#erps-ring maijor_ring1
S2(config-erps-ring)#exit
S2(config)#spanning-tree mst configuration
S2(Config-Mstp-Region)#instance 2 vlan 2;10-20
S2(Config-Mstp-Region)#exit
S2(config)#interface e1/0/1-2
S2(Config-If-Port-Range)#switchport mode trunk
S2(Config-If-Port-Range)#exit
S2(config)#interface e1/0/1
S2(config-if-ethernet1/0/1)#erps-ring maijor_ring1 port0
S2(config-if-ethernet1/0/1)#interface e1/0/2
S2(config-if-ethernet1/0/2)#erps-ring maijor_ring1 port1
S2(config-if-ethernet1/0/2)#exit
S2(config)#erps-ring maijor_ring1
S2(config-erps-ring)#erps-instance 1
S2(config-erps-ring-inst-1)#description instance1
S2(config-erps-ring-inst-1)#rpl port1 owner
S2(config-erps-ring-inst-1)#non-revertive
S2(config-erps-ring-inst-1)#raps-mel 3
S2(config-erps-ring-inst-1)#protected-instance 2
S2(config-erps-ring-inst-1)#wtr-timer 8
S2(config-erps-ring-inst-1)#guard-timer 100
S2(config-erps-ring-inst-1)#holdoff-timer 5
S2(config-erps-ring-inst-1)#control-vlan 2

The configuration file of S3:
S3#config
S3(config)#erps-ring maijor_ring1
S3(config-erps-ring)#exit
S3(config)#spanning-tree mst configuration
S3(Config-Mstp-Region)#instance 2 vlan 2;10-20
S3(Config-Mstp-Region)#exit
S3(config)#interface e1/0/1-2
S3(Config-If-Port-Range)#switchport mode trunk
S3(Config-If-Port-Range)#exit
S3(config)#interface e1/0/1
S3(config-if-ethernet1/0/1)#erps-ring maijor_ring1 port0
S3(config-if-ethernet1/0/1)#interface e1/0/2
S3(config-if-ethernet1/0/2)#erps-ring maijor_ring1 port1
S3(config-if-ethernet1/0/2)#exit
S3(config)#erps-ring maijor_ring1
S3(config-erps-ring)#erps-instance 1
S3(config-erps-ring-inst-1)#description instance1
S3(config-erps-ring-inst-1)#rpl port1 neighbour
S3(config-erps-ring-inst-1)#raps-mel 3
S3(config-erps-ring-inst-1)#protected-instance 2
S3(config-erps-ring-inst-1)#wtr-timer 8
S3(config-erps-ring-inst-1)#guard-timer 100
S3(config-erps-ring-inst-1)#holdoff-timer 5
S3(config-erps-ring-inst-1)#control-vlan 2

The configuration file of S4:
S4#config
S4(config)#erps-ring maijor_ring1
S4(config-erps-ring)#exit
S4(config)#spanning-tree mst configuration
S4(Config-Mstp-Region)#instance 2 vlan 2;10-20
S4(Config-Mstp-Region)#exit
S4(config)#interface e1/0/1-2
S4(Config-If-Port-Range)#switchport mode trunk
S4(Config-If-Port-Range)#exit
S4(config)#interface e1/0/1
S4(config-if-ethernet1/0/1)#erps-ring maijor_ring1 port0
S4(config-if-ethernet1/0/1)#interface e1/0/2
S4(config-if-ethernet1/0/2)#erps-ring maijor_ring1 port1
S4(config-if-ethernet1/0/2)#exit
S4(config)#erps-ring maijor_ring1
S4(config-erps-ring)#erps-instance 1
S4(config-erps-ring-inst-1)#description instance1
S4(config-erps-ring-inst-1)#raps-mel 3
S4(config-erps-ring-inst-1)#protected-instance 2
S4(config-erps-ring-inst-1)#wtr-timer 8
S4(config-erps-ring-inst-1)#guard-timer 100
S4(config-erps-ring-inst-1)#holdoff-timer 5
S4(config-erps-ring-inst-1)#control-vlan 2

6.2.4 ERPS Troubleshooting


If the configured ERPS ring does not provide Ethernet ring protection switching, check the
following:
 Check that the basic configuration is correct and that the protected instance, control-vlan,
wtr-timer, guard-timer and raps-mel of every node are consistent.
 Check that the VLAN carrying user data is not the control VLAN. In the ERPS ring instance
the control VLAN carries only ERPS protocol packets, never user traffic, which keeps user
frames out of the protocol channel; the user is responsible for keeping the control VLAN
unique. This VLAN is the VLAN tag of the R-APS packets the node sends. The protected VLAN
configuration of all nodes in an instance must be consistent.
 The ports configured on an ERPS node should be trunk ports, and both the data VLANs and
the control VLAN must be in the protected instance, because ERPS only protects the data and
protocol packets of that instance. For example, if the switch runs a protocol (CFM, EFM, a
layer 3 interface) that makes it send packets on a VLAN that is not in the protected instance,
those packets will loop around the ring.
 If the port status detection method is configured as fastlink, the hardware must support
fastlink; it relies on immediate port status change notification, and the software MAC
learning function must be disabled at the same time.
 If association with CFM is configured, the hardware must support the CC function and be
able to send CCM packets at 3.3 ms intervals.
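The first troubleshooting item above, that every node of a ring instance carries the same protected instance, control VLAN, timers and R-APS level, is easy to miss by eye across four or more configuration dumps. The following added example (not code from the guide or from the switch vendor) parses CLI transcripts in the layout of Case 1 and checks those items, plus two more that the same section implies: that there is exactly one RPL owner on the ring, and that the control VLAN is mapped to the MST instance the ring protects. The transcripts are constructed here from the Case 1 configuration; the prompt format and the ";" VLAN-list separator are taken from the examples above and are assumed to be what the CLI prints.

```python
import re
from collections import Counter

# Constructed input: CLI transcripts in the layout of Case 1, one per ring node.
# They are built for this example and were not captured from a real switch.
def session(name, rpl_line=""):
    return f"""
{name}#config
{name}(config)#spanning-tree mst configuration
{name}(Config-Mstp-Region)#instance 2 vlan 2;10-20
{name}(Config-Mstp-Region)#exit
{name}(config)#interface e1/0/1-2
{name}(Config-If-Port-Range)#switchport mode trunk
{name}(Config-If-Port-Range)#exit
{name}(config)#erps-ring maijor_ring1
{name}(config-erps-ring)#erps-instance 1
{name}(config-erps-ring-inst-1)#description instance1
{rpl_line}
{name}(config-erps-ring-inst-1)#raps-mel 3
{name}(config-erps-ring-inst-1)#protected-instance 2
{name}(config-erps-ring-inst-1)#wtr-timer 8
{name}(config-erps-ring-inst-1)#guard-timer 100
{name}(config-erps-ring-inst-1)#holdoff-timer 5
{name}(config-erps-ring-inst-1)#control-vlan 2
"""

SESSIONS = {
    "S1": session("S1"),
    "S2": session("S2", "S2(config-erps-ring-inst-1)#rpl port1 owner"),
    "S3": session("S3", "S3(config-erps-ring-inst-1)#rpl port1 neighbour"),
    "S4": session("S4"),
}

# A prompt line such as "S1(config-erps-ring-inst-1)#raps-mel 3": mode in parentheses, then the command.
PROMPT = re.compile(r"^\S+?\((?P<mode>[^)]*)\)#\s*(?P<cmd>.+?)\s*$")
# Parameters that 6.2.4 says must be identical on every node of the ring instance.
MUST_MATCH = ("raps-mel", "protected-instance", "wtr-timer", "guard-timer", "holdoff-timer", "control-vlan")


def expand_vlans(spec):
    """Expand the guide's vlan-list syntax, e.g. '2;10-20' -> {2, 10, 11, ..., 20}."""
    vlans = set()
    for part in spec.split(";"):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_session(text):
    """Collect the MST instance->VLAN map and the per-instance ERPS settings of one node."""
    node = {"mst": {}, "instances": {}}
    current = None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue                                  # "S1#config", blank lines, etc.
        mode, words = m.group("mode").lower(), m.group("cmd").split()
        if mode == "config-mstp-region" and words[0] == "instance":
            node["mst"][int(words[1])] = expand_vlans(words[3])
        elif mode == "config-erps-ring" and words[0] == "erps-instance":
            current = node["instances"].setdefault(int(words[1]), {"rpl": None})
        elif mode.startswith("config-erps-ring-inst") and current is not None:
            if words[0] in MUST_MATCH:
                current[words[0]] = words[1]
            elif words[0] == "rpl":                   # rpl {port0|port1} {owner|neighbour}
                current["rpl"] = (words[1], words[2])
    return node


def check_ring(sessions, instance_id=1):
    """Return a list of findings; an empty list means the ring instance is consistent."""
    findings = []
    nodes = {name: parse_session(text) for name, text in sessions.items()}
    insts = {name: n["instances"].get(instance_id) for name, n in nodes.items()}
    missing = sorted(name for name, inst in insts.items() if inst is None)
    if missing:
        return [f"instance {instance_id} is not configured on {missing}"]
    # 1. Every must-match parameter has to be identical across the ring.
    for key in MUST_MATCH:
        values = {name: inst.get(key) for name, inst in insts.items()}
        if len(set(values.values())) != 1:
            findings.append(f"{key} differs between nodes: {values}")
    # 2. Exactly one RPL owner; at most one RPL neighbour.
    roles = Counter(inst["rpl"][1] for inst in insts.values() if inst["rpl"])
    if roles["owner"] != 1:
        findings.append(f"expected exactly one RPL owner, found {roles['owner']}")
    if roles["neighbour"] > 1:
        findings.append(f"more than one RPL neighbour: {roles['neighbour']}")
    # 3. The control VLAN must be mapped to the MST instance the ring protects,
    #    otherwise the R-APS packets are outside the protected instance (see 6.2.4).
    for name, inst in insts.items():
        if "protected-instance" in inst and "control-vlan" in inst:
            protected = nodes[name]["mst"].get(int(inst["protected-instance"]), set())
            if int(inst["control-vlan"]) not in protected:
                findings.append(f"{name}: control VLAN {inst['control-vlan']} is not in "
                                f"MST instance {inst['protected-instance']}")
    return findings


def mismatch_demo():
    """Same ring, but S3 was given a different control VLAN: two findings are expected."""
    broken = dict(SESSIONS)
    broken["S3"] = SESSIONS["S3"].replace("control-vlan 2", "control-vlan 3")
    return check_ring(broken)


if __name__ == "__main__":
    print("consistent ring:", check_ring(SESSIONS) or "no findings")
    print("broken ring:", mismatch_demo())
```

Paste the real transcripts of each node into SESSIONS to run it against a live ring; a non-empty result from check_ring is the list of items to correct before looking further.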

6.3 MRPP

6.3.1 Introduction to MRPP


MRPP (Multi-layer Ring Protection Protocol) is a link layer protocol for Ethernet ring
protection. It prevents the broadcast storm that a data loop on an Ethernet ring would cause,
and restores communication among the nodes of the ring when a link on the ring breaks.
MRPP is an extension of EAPS (Ethernet Automatic Protection Switching).
MRPP is similar to STP in function, but compared with STP it has the following
characteristics:
<1> MRPP is specifically designed for Ethernet ring topologies
<2> fast convergence: below 1 s, and ideally 50-100 ms.

6.3.1.1 Conception Introduction

Figure 6-11 MRPP Sketch Map (Ring 1: Switch A as master node with ports E1 and E2, and
Switches B, C, D and E; Ring 2: Switches E, F, G and H, with its own master node and ports
E1 and E2)

1. Control VLAN
The control VLAN is a virtual VLAN used only to identify the MRPP protocol packets on the
link. To avoid confusion with other configured VLANs, do not set the control VLAN ID to an ID
already used by another VLAN, and configure a different control VLAN ID for each MRPP ring.

2. Ethernet Ring (MRPP Ring)


A ring-linked Ethernet network topology.
Each MRPP ring has two states:
Health state: every physical link of the ring is connected.
Break state: one or more physical links of the ring are broken.

3. Nodes
Each switch on the ring is a node. There are two node types:
Primary (master) node: each ring has one primary node, which detects ring failure and protects
the ring.
Transfer (transit) node: every node on the ring other than the primary node.
The node role is set by user configuration. In Figure 6-11, Switch A is the primary node of
Ring 1, and Switches B, C, D and E are transfer nodes of Ring 1.

4. Primary port and secondary port


The primary node and the transfer nodes each have two ports connected to the ring: a primary
port and a secondary port. The port role is set by user configuration.
Primary port and secondary port of the primary node:
The primary port of the primary node sends the ring health examination packet (Hello), and the
secondary port receives the Hello packets sent by the primary node. When the ring is in the
health state, the secondary port of the primary node logically blocks all traffic except MRPP
packets. When the ring is in the break state, the secondary port of the primary node releases
the block and forwards data packets.
There is no functional difference between the primary port and the secondary port of a
transfer node.
In Figure 6-11, E1 of Switch A is the primary port and E2 is the secondary port.

5. Timer
The primary node uses two timers when sending and receiving MRPP protocol packets: the Hello
timer and the Fail timer.
Hello timer: the interval at which the primary port of the primary node sends the health
examination packet.
Fail timer: the time within which the primary node must receive the health examination packet
on its secondary port before it declares the ring broken. The Fail timer value must be at least
three times the Hello timer value.

6.3.1.2 MRPP Protocol Packet Types

Packet Type                          Explanation
Hello packet (health examination     Sent from the primary port of the primary node to examine
packet)                              the ring; if the secondary port of the primary node
                                     receives the Hello within the configured timeout, the
                                     ring is normal.
LINK-DOWN (link down event packet)   Sent by a transfer node to the primary node as soon as it
                                     detects a Down event on a ring port, to inform the primary
                                     node that the ring has failed.
LINK-DOWN-FLUSH-FDB packet           After the primary node detects ring failure or receives a
                                     LINK-DOWN packet, it unblocks its secondary port and sends
                                     this packet out of both ports to make every transfer node
                                     flush its MAC address table.
LINK-UP-FLUSH-FDB packet             After the primary node detects that the ring has recovered,
                                     it sends this packet from its primary port to make every
                                     transfer node flush its MAC address table.

6.3.1.3 MRPP Protocol Operation


1. Link Down Alarm
When a transfer node finds that one of its MRPP ring ports is Down, it immediately sends a
LINK-DOWN packet to the primary node. On receiving it, the primary node immediately releases
the block on its secondary port and sends a LINK-DOWN-FLUSH-FDB packet to make all transfer
nodes flush their MAC address forwarding tables.

2. Polling
The primary port of the primary node sends Hello packets to its neighbours at the configured
Hello timer interval.
If the ring is healthy, the secondary port of the primary node receives the Hello packets and
the primary node keeps the secondary port blocked.
If the ring is broken, the secondary port of the primary node does not receive the Hello
packet before the Fail timer expires. The primary node then releases the block on the
secondary port and sends a LINK-DOWN-FLUSH-FDB packet to make all transfer nodes flush their
MAC address forwarding tables.

3. Ring Restore
After a ring failure, if the secondary port of the primary node again receives the Hello
packets sent by the primary node, the ring has been restored: the primary node blocks its
secondary port again and sends a LINK-UP-FLUSH-FDB packet to its neighbours.
After a ring port of a transfer node comes back Up, the primary node may only detect the
restored ring some time later, and in that interval the data VLANs would form a temporary
loop and a broadcast storm. To avoid this, a transfer node whose ring port comes back Up
immediately blocks that port temporarily (permitting only control VLAN packets) and releases
the block only after it receives the LINK-UP-FLUSH-FDB packet from the primary node.
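The three mechanisms above interact through the timers, and the difference between a fault the transfer node reports (Link Down Alarm) and one only the poll detects is easiest to see by running them. The following added example (not code from the guide or the switch vendor) is a discrete-time model of the primary node and one transfer node exactly as 6.3.1.3 describes them: Hello every hello-timer seconds, fail-over when the Fail timer expires or a LINK-DOWN packet arrives, re-blocking plus LINK-UP-FLUSH-FDB on restore, and the temporary block on the transfer node until that flush arrives. The timer values are the ones used in the typical scenario of 6.3.3 (hello-timer 5, fail-timer 18); the break and repair times, and the one-second tick, are assumptions of the model.

```python
# Added example: model of the MRPP primary node and a transfer node per 6.3.1.3.
# Times are in seconds. Packet names follow 6.3.1.2.
HELLO, LINK_DOWN_FLUSH, LINK_UP_FLUSH = "Hello", "LINK-DOWN-FLUSH-FDB", "LINK-UP-FLUSH-FDB"


class PrimaryNode:
    def __init__(self, hello_timer, fail_timer):
        if fail_timer < 3 * hello_timer:                  # rule stated in 6.3.1.1
            raise ValueError("fail-timer must be at least 3 x hello-timer")
        self.hello_timer, self.fail_timer = hello_timer, fail_timer
        self.secondary_blocked = True                     # healthy ring: secondary port blocks data
        self.last_hello_rx = 0
        self.sent = []                                    # (time, packet) log

    def tick(self, now, ring_intact):
        """One second of the poll system: send Hello on schedule, expire the Fail timer."""
        if now % self.hello_timer == 0:
            self.sent.append((now, HELLO))
            if ring_intact:                               # Hello comes back on the secondary port
                self.hello_received(now)
        if self.secondary_blocked and now - self.last_hello_rx > self.fail_timer:
            self.ring_failed(now)

    def hello_received(self, now):
        self.last_hello_rx = now
        if not self.secondary_blocked:                    # ring restore: re-block and flush
            self.secondary_blocked = True
            self.sent.append((now, LINK_UP_FLUSH))

    def link_down_received(self, now):
        """Link Down Alarm from a transfer node: fail over without waiting for the Fail timer."""
        if self.secondary_blocked:
            self.ring_failed(now)

    def ring_failed(self, now):
        self.secondary_blocked = False                    # open the secondary port for data
        self.sent.append((now, LINK_DOWN_FLUSH))          # every transfer node flushes its FDB


class TransferNode:
    def __init__(self):
        self.temp_blocked = False

    def port_up(self):
        self.temp_blocked = True                          # only the control VLAN passes until LINK-UP-FLUSH-FDB

    def flush_received(self, packet):
        if packet == LINK_UP_FLUSH:
            self.temp_blocked = False


def simulate(report_link_down, hello=5, fail=18, break_at=12, restore_at=40, end=50):
    """Break the ring at `break_at` and repair it at `restore_at`; report when each step happened."""
    primary, transfer = PrimaryNode(hello, fail), TransferNode()
    failover = restore = None
    for now in range(end + 1):
        already_sent = len(primary.sent)
        ring_intact = not (break_at <= now < restore_at)
        if now == break_at and report_link_down:
            primary.link_down_received(now)               # the transfer node saw its own port go Down
        if now == restore_at:
            transfer.port_up()                            # link repaired: temporary block on the transfer node
        primary.tick(now, ring_intact)
        for t, packet in primary.sent[already_sent:]:
            if packet == LINK_DOWN_FLUSH and failover is None:
                failover = t
            if packet == LINK_UP_FLUSH:
                restore = t
            transfer.flush_received(packet)
    return {"failover_time": failover, "restore_time": restore,
            "secondary_blocked": primary.secondary_blocked,
            "transfer_temp_blocked": transfer.temp_blocked}


if __name__ == "__main__":
    print("poll only  :", simulate(report_link_down=False))
    print("LINK-DOWN  :", simulate(report_link_down=True))
```

With these values a fault that only the poll catches is acted on 17 seconds after it happened (the last good Hello was at t=10 and the Fail timer of 18 s has to expire), whereas a LINK-DOWN packet triggers the failover in the same second; that gap is why the Fail timer, not the Hello timer, bounds the worst-case outage, and why 6.3.4 points at the port up/down response mode when convergence time matters.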

6.3.2 MRPP Configuration Task List


1) Globally enable MRPP
2) Configure the MRPP ring
3) Configure the MRPP query time
4) Configure the compatible mode
5) Display and debug MRPP information

1) Globally enable MRPP


Command                                          Explanation
Global Mode
mrpp enable                                      Globally enable or disable MRPP.
no mrpp enable
2) Configure the MRPP ring
Command                                          Explanation
Global Mode
mrpp ring <ring-id>                              Create an MRPP ring; the no command deletes the
no mrpp ring <ring-id>                           MRPP ring and its configuration.

MRPP ring mode

control-vlan <vid>                               Configure the control VLAN ID; the no command
no control-vlan                                  deletes it.
node-mode {master | transit}                     Configure the node type of the MRPP ring (primary
                                                 node or transfer node).
hello-timer <timer>                              Configure the Hello packet sending interval of the
no hello-timer                                   primary node; the no command restores the default.
fail-timer <timer>                               Configure the Hello packet timeout of the primary
no fail-timer                                    node; the no command restores the default.
enable                                           Enable the MRPP ring; the no command disables it.
no enable

Port mode

mrpp ring <ring-id> primary-port {cos <cos>|}    Specify the primary port of the MRPP ring and the
no mrpp ring <ring-id> primary-port              CoS carried in the tag of packets sent from it.
mrpp ring <ring-id> secondary-port {cos <cos>|}  Specify the secondary port of the MRPP ring and
no mrpp ring <ring-id> secondary-port            the CoS carried in the tag of packets sent from it.
3) Configure the MRPP query time
Command                                          Explanation
Global Mode
mrpp poll-time <20-2000>                         Configure the query (poll) interval of MRPP.
4) Configure the compatible mode
Command                                          Explanation
Global Mode
mrpp errp compatible                             Enable ERRP compatible mode; the no command
no mrpp errp compatible                          disables it.
mrpp eaps compatible                             Enable EAPS compatible mode; the no command
no mrpp eaps compatible                          disables it.
errp domain <domain-id>                          Create an ERRP domain; the no command deletes it.
no errp domain <domain-id>
5) Display and debug MRPP information
Command                                          Explanation
Admin Mode
debug mrpp                                       Enable MRPP debug output; the no command disables
no debug mrpp                                    it.
show mrpp {<ring-id>}                            Display MRPP ring configuration information.
show mrpp statistics {<ring-id>}                 Display received packet statistics of the MRPP
                                                 ring.
clear mrpp statistics {<ring-id>}                Clear received packet statistics of the MRPP ring.

6.3.3 MRPP Typical Scenario


Figure 6-12 MRPP typical configuration scenario (Switch A as master node and Switches B, C
and D as transit nodes, each with ports E1 and E2 on MRPP Ring 4000)


The topology above is a common use of MRPP. Several switches form a single MRPP ring; each
switch is configured with only MRPP ring 4000, so together they constitute one ring.
In this configuration Switch A is the primary node of MRPP ring 4000, with E1/0/1 configured
as the primary port and E1/0/2 as the secondary port. The other switches are transfer nodes
of the ring, each configured with a primary port and a secondary port.
To avoid a loop while the ring is being enabled on each node, temporarily shut down one of
the ports of the primary node and bring it back up only after all nodes have been configured.
When disabling the MRPP ring, first make sure the ring has been physically opened.
SWITCH A configuration Task Sequence:
Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#fail-timer 18
Switch(mrpp-ring-4000)#hello-timer 5
Switch(mrpp-ring-4000)#node-mode master
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#

SWITCH B configuration Task Sequence:


Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable


Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#

SWITCH C configuration Task Sequence:


Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#

SWITCH D configuration Task Sequence:


Switch(Config)#mrpp enable
Switch(Config)#mrpp ring 4000
Switch(mrpp-ring-4000)#control-vlan 4000
Switch(mrpp-ring-4000)#enable
Switch(mrpp-ring-4000)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#mrpp ring 4000 primary-port
Switch(config-If-Ethernet1/0/1)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#mrpp ring 4000 secondary-port
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#

6.3.4 MRPP Troubleshooting


Correct MRPP operation depends on the correct configuration of every switch on the ring;
otherwise a loop and a broadcast storm are very likely:
 When configuring an MRPP ring, open the ring first, wait until every switch has been
configured, and only then close the ring.
 Before disabling MRPP on a switch that is part of an enabled ring, make sure the ring has
been physically opened.
 If there is a broadcast storm on the MRPP ring, open the ring first and check whether the
MRPP configuration of every switch on the ring is correct; if it is, close the ring again and
observe whether the ring operates normally.
 The convergence time of the ring depends on the port up/down response mode. In poll mode,
convergence on a simple ring takes some hundreds of milliseconds; in interrupt mode it is
within 50 milliseconds.
 Ports are normally configured in poll mode; interrupt mode is only for environments that
need the better performance, and poll mode is more robust than interrupt mode. See the
port-scan-mode {interrupt | poll} command.
 If the configuration is correct but the ring still forms a broadcast storm or is blocked,
enable MRPP debugging on the primary node and use the show mrpp statistics command to
observe whether the states and statistics of the primary node and the transfer nodes are
normal, then send the results to our Technology Service Center.

6.4 ULPP

6.4.1 Introduction to ULPP


Each ULPP group has two uplink ports, a master port and a slave port. A port may be a physical
port or a port channel. The member ports of a ULPP group have three states: Forwarding,
Standby and Down. Normally only one port is in the Forwarding state and the other is blocked
in the Standby state. When the master port has a link problem it enters the Down state and
the slave port is switched to the Forwarding state.


Figure 6-13 the using scene of ULPP


The figure above shows a dual-uplink network, the typical application scenario of ULPP.
SwitchA reaches SwitchD through SwitchB and SwitchC; port A1 and port A2 are its uplink ports.
ULPP is configured on SwitchA with port A1 as the master port and port A2 as the slave port.
When port A1, in the Forwarding state, fails, the uplink is switched at once and port A2 enters
the Forwarding state. When the master port later recovers and preemption mode is not
configured, port A2 keeps the Forwarding state and port A1 enters the Standby state.
When preemption mode is enabled, the master port preempts the slave port after it recovers
from the fault. To avoid frequent uplink switching caused by a flapping link, a preemption
delay is used: the master port waits for the configured delay before it preempts the slave
port. To keep the traffic flowing, the master port does not preempt by default but enters the
Standby state.
When configuring ULPP, the VLANs protected by the ULPP group are specified through MSTP
instances; ULPP does not protect other VLANs.
When the uplink is switched, the forwarding entries learned by the other devices in the
network no longer match the new topology. In the figure, SwitchA runs ULPP with port A1 as the
master port in the Forwarding state, so SwitchD has learned the MAC address of the PC through
port D3. When port A1 then fails and the traffic is switched to port A2, data sent by SwitchD
to the PC would still be forwarded out of port D3 and be lost. Therefore, when it switches the
uplink, the device running ULPP sends flush packets through the port that has been switched
to the Forwarding state, so that the other devices in the network update their MAC address
tables and ARP tables. ULPP uses two kinds of flush packets for this: MAC address update
packets and ARP delete packets.


To make full use of the bandwidth, ULPP can implement VLAN load balancing through its
configuration. As the figure illustrates, SwitchA is configured with two ULPP groups: in group1
port A1 is the master port and port A2 the slave port, and in group2 port A2 is the master
port and port A1 the slave port; group1 protects VLANs 1-100 and group2 protects VLANs
101-200. Now both port A1 and port A2 are in the Forwarding state, the master port and the
slave port back each other up, and each forwards the packets of a different VLAN range. When
port A1 fails, the traffic of VLANs 1-200 is forwarded by port A2. When port A1 later returns
to normal, port A2 continues to forward the data of VLANs 101-200 while the data of VLANs
1-100 is switched back to port A1.

Figure 6-14 VLAN load balance
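The port-state rules of 6.4.1 (Forwarding, Standby, Down; no immediate preemption; preemption after a delay only when enabled; a flush sent out of the newly forwarding port) and the two-group load-balance arrangement of Figure 6-14 are summarised in the following added example, which is a model written for this text and not code from the guide or the switch vendor. It replays the scenario just described: port A1 fails, comes back, and VLANs 1-100 return to A1 only once the preemption delay has elapsed, while with preemption disabled they stay on A2. Port names, group numbers and VLAN ranges are those of the figure; the event times and the 30 s delay (the default named in 6.4.2) are assumptions of the model.

```python
# Added example: model of ULPP port states, preemption and VLAN load balancing (6.4.1, Figure 6-14).
FORWARDING, STANDBY, DOWN = "Forwarding", "Standby", "Down"


class UlppGroup:
    def __init__(self, group_id, master, slave, vlans, preemption=False, delay=30):
        self.group_id, self.master, self.slave = group_id, master, slave
        self.vlans = set(vlans)                     # VLANs protected by this group (via its MSTP instance)
        self.preemption, self.delay = preemption, delay
        self.state = {master: FORWARDING, slave: STANDBY}   # both links up at start
        self.preempt_at = None                      # time at which the master may preempt, if enabled
        self.flushes = []                           # (time, port): flush packets sent out of that port

    def active_port(self):
        return next((p for p, s in self.state.items() if s == FORWARDING), None)

    def _switch_to(self, port, now):
        for p, s in self.state.items():
            if s == FORWARDING:
                self.state[p] = STANDBY
        self.state[port] = FORWARDING
        self.flushes.append((now, port))            # MAC-update / ARP-delete flush leaves the new uplink

    def link_down(self, port, now):
        was_forwarding = self.state[port] == FORWARDING
        self.state[port] = DOWN
        if port == self.master:
            self.preempt_at = None
        other = self.slave if port == self.master else self.master
        if was_forwarding and self.state[other] == STANDBY:
            self._switch_to(other, now)             # uplink switch

    def link_up(self, port, now):
        if self.active_port() is None:
            self._switch_to(port, now)              # nothing was forwarding: take over at once
            return
        self.state[port] = STANDBY                  # a recovered port never preempts immediately
        if port == self.master and self.preemption:
            self.preempt_at = now + self.delay      # preemption delay guards against a flapping link

    def tick(self, now):
        if self.preempt_at is not None and now >= self.preempt_at and self.state[self.master] == STANDBY:
            self.preempt_at = None
            self._switch_to(self.master, now)


def forwarding_port_for_vlan(groups, vlan):
    """Uplink currently carrying `vlan`, or None if no group protects it."""
    for g in groups:
        if vlan in g.vlans:
            return g.active_port()
    return None


def simulate_load_balance(preemption, delay=30):
    """Figure 6-14: A1 fails at t=10 and returns at t=20; sample VLAN 50 and VLAN 150 along the way."""
    g1 = UlppGroup(1, "A1", "A2", range(1, 101), preemption, delay)
    g2 = UlppGroup(2, "A2", "A1", range(101, 201), preemption, delay)
    groups = [g1, g2]

    def snapshot():
        return forwarding_port_for_vlan(groups, 50), forwarding_port_for_vlan(groups, 150)

    timeline = {"normal": snapshot()}
    for g in groups:
        g.link_down("A1", 10)
    timeline["A1_down"] = snapshot()
    for g in groups:
        g.link_up("A1", 20)
    timeline["A1_up"] = snapshot()
    for g in groups:
        g.tick(20 + delay)
    timeline["after_delay"] = snapshot()
    timeline["flushes"] = {g.group_id: list(g.flushes) for g in groups}
    return timeline


if __name__ == "__main__":
    print("preemption on :", simulate_load_balance(preemption=True))
    print("preemption off:", simulate_load_balance(preemption=False))
```

The flush log is the part worth watching on a real network: every entry is a packet that makes the upstream switches discard MAC and ARP entries, so a flapping master port with preemption enabled and a short delay produces a flush on every transition, which is the behaviour the preemption delay exists to damp.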

6.4.2 ULPP Configuration Task List


1. Create the ULPP group globally
2. Configure the ULPP group
3. Show and debug ULPP information

1. Create the ULPP group globally

Command                                              Explanation
Global mode
ulpp group <integer>                                 Create or delete a ULPP group globally.
no ulpp group <integer>

2. Configure the ULPP group

Command                                              Explanation
ULPP group configuration mode
preemption mode                                      Configure the preemption mode of the ULPP group;
no preemption mode                                   the no command removes it.
preemption delay <integer>                           Configure the preemption delay; the no command
no preemption delay                                  restores the default value of 30 s.
control vlan <integer>                               Configure the control VLAN in which flush packets
no control vlan                                      are sent; the no command restores the default,
                                                     VLAN 1.
protect vlan-reference-instance <instance-list>      Configure the protected VLANs by MSTP instance;
no protect vlan-reference-instance <instance-list>   the no command deletes them.
flush enable mac                                     Enable or disable sending the flush packets that
flush disable mac                                    update MAC addresses.
flush enable arp                                     Enable or disable sending the flush packets that
flush disable arp                                    delete ARP entries.
flush enable mac-vlan                                Enable or disable sending the flush packets that
flush disable mac-vlan                               delete dynamic unicast MAC entries per VLAN.
description <string>                                 Configure or delete the ULPP group description.
no description
Port mode
ulpp control vlan <vlan-list>                        Configure the control VLANs in which flush packets
no ulpp control vlan <vlan-list>                     are accepted on the port; the no command restores
                                                     the default, VLAN 1.
ulpp flush enable mac                                Enable or disable receiving the flush packets that
ulpp flush disable mac                               update MAC addresses.
ulpp flush enable arp                                Enable or disable receiving the flush packets that
ulpp flush disable arp                               delete ARP entries.
ulpp flush enable mac-vlan                           Enable or disable receiving the mac-vlan flush
ulpp flush disable mac-vlan                          packets.
ulpp group <integer> master                          Configure or delete the master port of the ULPP
no ulpp group <integer> master                       group.
ulpp group <integer> slave                           Configure or delete the slave port of the ULPP
no ulpp group <integer> slave                        group.

3. Show and debug ULPP information


Command                                                           Explanation
Admin mode
show ulpp group [group-id]                                        Show the configuration of the ULPP group(s).
show ulpp flush counter interface {ethernet <IFNAME> | <IFNAME>}  Show the flush packet statistics.
show ulpp flush-receive-port                                      Show the flush types and control VLANs
                                                                  accepted by each port.
clear ulpp flush counter interface <name>                         Clear the flush packet statistics.
debug ulpp flush {send | receive} interface <name>                Show the sent or received flush packets; the
no debug ulpp flush {send | receive} interface <name>             no command disables the output.
debug ulpp flush content interface <name>                         Show the contents of received flush packets;
no debug ulpp flush content interface <name>                      the no command disables the output.
debug ulpp error                                                  Show ULPP error information; the no command
no debug ulpp error                                               disables the output.
debug ulpp event                                                  Show ULPP event information; the no command
no debug ulpp event                                               disables the output.

6.4.3 ULPP Typical Examples

6.4.3.1 ULPP Typical Example 1

[Figure 6-15 ULPP typical example 1: SwitchA connects through E1/0/1 to SwitchB E1/0/1 and through E1/0/2 to SwitchC E1/0/2; SwitchB and SwitchC both connect upward to SwitchD, closing a ring]


The above topology is the typical application environment of the ULPP protocol. SwitchA has two uplinks, to SwitchB and to SwitchC. When no protocol is enabled, this topology forms a ring. To avoid the loop, SwitchA can be configured with the ULPP protocol, that is, with the master port and the slave port of a ULPP group. When both the master port and the slave port are up, the slave port is set to the standby state and does not forward data packets. When the master port goes down, the slave port is set to the forwarding state and the uplink switches over to it. SwitchB and SwitchC can enable the command that receives the flush packets; it works together with the ULPP protocol running on SwitchA to switch the uplink immediately and reduce the switchover delay.
When configuring the ULPP protocol on SwitchA, first create a ULPP group and configure the protection VLAN of this group as VLAN 10, then configure interface Ethernet 1/0/1 as the master port, interface Ethernet 1/0/2 as the slave port, and the control VLAN as 10. SwitchB and SwitchC are configured to receive the ULPP flush packets.
SwitchA configuration task list:
Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/0/1; 1/0/2
Switch(Config-vlan10)#exit
Switch(Config)#spanning-tree mst configuration
Switch(Config-Mstp-Region)#instance 1 vlan 10
Switch(Config-Mstp-Region)#exit
Switch(Config)#ulpp group 1
Switch(ulpp-group-1)#protect vlan-reference-instance 1
Switch(ulpp-group-1)#control vlan 10
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp group 1 master
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface Ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/0/2)#exit

SwitchB configuration task list:

Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/0/1
Switch(Config-vlan10)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp flush enable mac
Switch(config-If-Ethernet1/0/1)# ulpp flush enable arp
Switch(config-If-Ethernet1/0/1)# ulpp control vlan 10

SwitchC configuration task list:

Switch(Config)#vlan 10
Switch(Config-vlan10)#switchport interface ethernet 1/0/2
Switch(Config-vlan10)#exit
Switch(Config)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)# ulpp flush enable mac
Switch(config-If-Ethernet1/0/2)# ulpp flush enable arp
Switch(config-If-Ethernet1/0/2)# ulpp control vlan 10


6.4.3.2 ULPP Typical Example 2

[Figure 6-16 ULPP typical example 2: same topology as Figure 6-15; SwitchA E1/0/1 towards SwitchB carries VLAN 1-100 and SwitchA E1/0/2 towards SwitchC carries VLAN 101-200]


ULPP can implement VLAN-based load balancing. As the figure illustrates, SwitchA configures two ULPP groups: port E1/0/1 is the master port and port E1/0/2 is the slave port in group 1, while port E1/0/2 is the master port and port E1/0/1 is the slave port in group 2. The VLANs protected by group 1 are 1-100 and those protected by group 2 are 101-200. Here both port E1/0/1 and port E1/0/2 are in the forwarding state; the master port and the slave port back each other up and forward the packets of different VLAN ranges. When port E1/0/1 fails, the traffic of VLANs 1-200 is forwarded by port E1/0/2. When port E1/0/1 recovers to the normal state, port E1/0/2 still forwards the data of VLANs 101-200, and the data of VLANs 1-100 is switched back to port E1/0/1.
SwitchA configuration task list:
Switch(Config)#spanning-tree mst configuration
Switch(Config-Mstp-Region)#instance 1 vlan 1-100
Switch(Config-Mstp-Region)#instance 2 vlan 101-200
Switch(Config-Mstp-Region)#exit
Switch(Config)#ulpp group 1
Switch(ulpp-group-1)#protect vlan-reference-instance 1
Switch(ulpp-group-1)#preemption mode
Switch(ulpp-group-1)#exit
Switch(Config)#ulpp group 2
Switch(ulpp-group-2)#protect vlan-reference-instance 2
Switch(ulpp-group-2)#preemption mode
Switch(ulpp-group-2)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#switchport mode trunk
Switch(config-If-Ethernet1/0/1)#ulpp group 1 master
Switch(config-If-Ethernet1/0/1)#ulpp group 2 slave
Switch(config-If-Ethernet1/0/1)#exit

Switch(Config)#interface Ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#switchport mode trunk
Switch(config-If-Ethernet1/0/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/0/2)# ulpp group 2 master
Switch(config-If-Ethernet1/0/2)#exit

SwitchB configuration task list:

Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#switchport mode trunk
Switch(config-If-Ethernet1/0/1)# ulpp flush enable mac
Switch(config-If-Ethernet1/0/1)# ulpp flush enable arp

SwitchC configuration task list:

Switch(Config)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)# switchport mode trunk
Switch(config-If-Ethernet1/0/2)# ulpp flush enable mac
Switch(config-If-Ethernet1/0/2)# ulpp flush enable arp

6.4.4 ULPP Troubleshooting


 At present, configuration of more than 2 multi-uplinks is allowed, but it may cause loopback,
so is not recommended.
 With the normal configuration, if the broadcast storm happen or the communication along
the ring is broken, please enable the debug of ULPP, copy the debug information of 3
minutes and the configuration information, send them to our technical service center.

6.5 ULSM

6.5.1 Introduction to ULSM


ULSM (Uplink State Monitor) is used to synchronize port states. Each ULSM group is made up of uplink ports and downlink ports; there may be several of each. A port may be a physical port or a port channel, but it cannot be a member port of a port channel, and each port belongs to only one ULSM group.
The uplink ports are the monitored ports of the ULSM group. When all uplink ports are down, or there is no uplink port in the ULSM group, the ULSM group state is down. The ULSM group state is up as long as one uplink port is up.
The downlink ports are the controlled ports; their state changes along with the up/down state of the ULSM group and is always the same as the ULSM group state.

ULSM works together with ULPP to let the downstream device detect a link problem of the upstream device and handle it correctly. As the figure illustrates, SwitchA is configured with ULPP and the traffic is forwarded through port A1. If the link between SwitchB and SwitchD fails, SwitchA cannot detect the problem of the upstream link and keeps forwarding the traffic through port A1, which causes traffic loss.
Configuring ULSM on SwitchB solves this problem. The steps are: set port B5 as the uplink port of the ULSM group and port B6 as the downlink port. When the link between SwitchB and SwitchD fails, the ULSM group state goes down and so does the downlink port B6. This causes SwitchA, on which ULPP is configured, to perform the uplink switchover and avoid dropping data.

Figure 6-17 ULSM usage scenario

6.5.2 ULSM Configuration Task List

1. Create ULSM group globally
2. Configure ULSM group
3. Show and debug the relating information of ULSM

1. Create ULSM group globally

Global mode
ulsm group <group-id>
no ulsm group <group-id>
    Create or delete a ULSM group globally.

2. Configure ULSM group

Port mode
ulsm group <group-id> {uplink | downlink}
no ulsm group <group-id> {uplink | downlink}
    Configure the uplink/downlink port of the ULSM group; the no command deletes the uplink/downlink port.

3. Show and debug the relating information of ULSM

Admin mode
show ulsm group [group-id]
    Show the configuration information of the ULSM group.
debug ulsm event
no debug ulsm event
    Show the event information of ULSM; the no operation disables the display.

6.5.3 ULSM Typical Example

[Figure 6-18 ULSM typical example: SwitchA connects through E1/0/1 to SwitchB E1/0/1 and through E1/0/2 to SwitchC E1/0/2; SwitchB E1/0/3 and SwitchC E1/0/4 connect upward to SwitchD]


The above topology is the typical application environment used by the ULSM and ULPP protocols.
ULSM is used to synchronize port states; running it on its own is of little use, so it is usually combined with the ULPP protocol. In the topology, SwitchA enables the ULPP protocol, which is used to switch the uplink. SwitchB and SwitchC enable the ULSM protocol to monitor whether the uplink is down. If it is down, ULSM executes the down operation on the downlink port to shut it down, so that the ULPP protocol on SwitchA executes the corresponding uplink switchover.
SwitchA configuration task list:
Switch(Config)#spanning-tree mst configuration
Switch(Config-Mstp-Region)#instance 1 vlan 1

Switch(Config-Mstp-Region)#exit
Switch(Config)#ulpp group 1
Switch(ulpp-group-1)#protect vlan-reference-instance 1
Switch(ulpp-group-1)#exit
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)# ulpp group 1 master
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface Ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)# ulpp group 1 slave
Switch(config-If-Ethernet1/0/2)#exit

SwitchB configuration task list:

Switch(Config)#ulsm group 1
Switch(Config)#interface ethernet 1/0/1
Switch(config-If-Ethernet1/0/1)#ulsm group 1 downlink
Switch(config-If-Ethernet1/0/1)#exit
Switch(Config)#interface ethernet 1/0/3
Switch(config-If-Ethernet1/0/3)#ulsm group 1 uplink
Switch(config-If-Ethernet1/0/3)#exit

SwitchC configuration task list:

Switch(Config)#ulsm group 1
Switch(Config)#interface ethernet 1/0/2
Switch(config-If-Ethernet1/0/2)#ulsm group 1 downlink
Switch(config-If-Ethernet1/0/2)#exit
Switch(Config)#interface ethernet 1/0/4
Switch(config-If-Ethernet1/0/4)#ulsm group 1 uplink
Switch(config-If-Ethernet1/0/4)#exit
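The state rules of Example 2 in 6.4.3.2 (VLAN-based load balance) and of ULSM in 6.5.1 and 6.5.3, as an added Python model that is not part of this guide or of the switch software. The port names, groups and VLAN ranges are taken from Figures 6-16 and 6-18; the class and function names, and the assumption that SwitchA's port E1/0/2 towards SwitchC stays up, are mine.

```python
UP, DOWN = "up", "down"


class UlsmGroup:
    """ULSM group (6.5.1): the group is up as long as one uplink port is up;
    with no uplink port, or all uplinks down, it is down. Every downlink
    port is forced to the group state."""

    def __init__(self, uplinks, downlinks):
        self.uplinks = list(uplinks)
        self.downlinks = list(downlinks)

    def state(self, ports):
        """ports maps port name -> UP/DOWN; a missing port counts as down."""
        return UP if any(ports.get(p) == UP for p in self.uplinks) else DOWN

    def apply(self, ports):
        """Return a copy of the port table with the downlinks set to the group state."""
        result = dict(ports)
        for p in self.downlinks:
            result[p] = self.state(ports)
        return result


class UlppGroup:
    """ULPP group (6.4.3): both ports up -> the master forwards and the slave
    is standby; master down -> the slave forwards. Recovery is modelled as
    in Example 2 (preemption mode): the master forwards again once it is up."""

    def __init__(self, master, slave, protect_vlans):
        self.master = master
        self.slave = slave
        self.protect_vlans = set(protect_vlans)

    def forwarding_port(self, ports):
        if ports.get(self.master) == UP:
            return self.master
        if ports.get(self.slave) == UP:
            return self.slave
        return None  # both uplinks down: the protected VLANs have no uplink


def forwarding_vlans(groups, ports):
    """Map each port to the set of VLANs it forwards for the given ULPP groups."""
    table = {}
    for group in groups:
        port = group.forwarding_port(ports)
        if port is not None:
            table.setdefault(port, set()).update(group.protect_vlans)
    return table


def switch_a_ports(switch_b_ports, ulsm_on_b):
    """Figure 6-18: SwitchA E1/0/1 is the far end of SwitchB E1/0/1, so when
    ULSM on SwitchB shuts that downlink, SwitchA sees its master port down.
    Assumption of this model: SwitchA E1/0/2 (towards SwitchC) stays up."""
    after_ulsm = ulsm_on_b.apply(switch_b_ports)
    return {"E1/0/1": after_ulsm["E1/0/1"], "E1/0/2": UP}


# Figure 6-16: two ULPP groups on SwitchA sharing the uplinks in opposite roles.
LOAD_BALANCE_GROUPS = [
    UlppGroup("E1/0/1", "E1/0/2", range(1, 101)),    # group 1, VLAN 1-100
    UlppGroup("E1/0/2", "E1/0/1", range(101, 201)),  # group 2, VLAN 101-200
]

# Figure 6-18: SwitchB monitors uplink E1/0/3 and controls downlink E1/0/1;
# SwitchA protects VLAN 1 with E1/0/1 as master and E1/0/2 as slave.
ULSM_SWITCH_B = UlsmGroup(uplinks=["E1/0/3"], downlinks=["E1/0/1"])
ULPP_SWITCH_A = [UlppGroup("E1/0/1", "E1/0/2", [1])]


if __name__ == "__main__":
    both_up = {"E1/0/1": UP, "E1/0/2": UP}
    print("both up:", forwarding_vlans(LOAD_BALANCE_GROUPS, both_up))
    print("E1/0/1 down:", forwarding_vlans(LOAD_BALANCE_GROUPS,
                                           {"E1/0/1": DOWN, "E1/0/2": UP}))
    # The SwitchB-SwitchD link fails: ULSM takes SwitchB E1/0/1 down and
    # ULPP on SwitchA switches VLAN 1 over to the slave port E1/0/2.
    ports_a = switch_a_ports({"E1/0/1": UP, "E1/0/3": DOWN}, ULSM_SWITCH_B)
    print("after uplink failure on SwitchB:", forwarding_vlans(ULPP_SWITCH_A, ports_a))
```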

6.5.4 ULSM Troubleshooting

- With a normal configuration, if the downlink port does not respond to the down event of the uplink port, please enable the debug function of ULSM, copy three minutes of debug information together with the configuration information, and send them to our technical service center.

Chapter 7 Debugging and Diagnosis Configuration

7.1 Monitor and Debug

When users configure the switch, they need to verify whether the configuration is correct and the switch is operating as expected, and in case of a network failure they also need to diagnose the problem. The switch provides various debug commands, including ping, telnet, show and debug, to help users check the system configuration and operating status and locate the causes of problems.

7.1.1 Ping
The ping command is mainly used for sending ICMP query packets from the switch to remote devices, to check the reachability between the switch and the remote device. Refer to the ping command chapter in the Command Manual for explanations of the various parameters and options of the ping command.

7.1.2 Ping6
The ping6 command is mainly used by the switch to send ICMPv6 query packets to the remote equipment, verifying the reachability between the switch and the remote equipment. For the options and parameters of the ping6 command, please refer to the ping6 command chapter in the Command Manual.

7.1.3 Traceroute
The traceroute command is for finding the gateways through which data packets travel from the source device to the destination device, in order to check network reachability and locate network failures.
The execution procedure of the traceroute command is as follows: first a data packet with TTL 1 is sent to the destination address; if the first hop returns an ICMP error message reporting that the packet cannot be forwarded (TTL timeout), a data packet with TTL 2 is sent. The second hop may again return a TTL timeout, but the procedure carries on until a data packet reaches its destination. The procedure records every source address that returned an ICMP TTL timeout message, and so describes the path the IP data packets traveled to reach the destination.
For the options and parameters of the traceroute command, please refer to the traceroute command chapter in the Command Manual.

7.1.4 Traceroute6
The traceroute6 function is used for finding the gateways passed through by data packets from the source equipment to the destination equipment, to verify reachability and locate network failures. The principle of traceroute6 under IPv6 is the same as that under IPv4: it uses the hop limit field of the IPv6 header together with ICMPv6. First, traceroute6 sends an IPv6 datagram (including the source address, destination address and packet send time) whose HOPLIMIT is set to 1. When the first router on the path receives this datagram, it decrements the HOPLIMIT by 1, so the HOPLIMIT becomes 0. The router therefore discards this datagram and returns an "ICMPv6 time exceeded" message (including the source address of the IPv6 packet, all content of the IPv6 packet and the IPv6 address of the router). Upon receiving this message, traceroute6 sends another datagram whose HOPLIMIT is increased to 2 in order to discover the second router. Adding 1 to the HOPLIMIT each time to discover the next router, traceroute6 repeats this action until a datagram reaches the destination.
For the options and parameters of the traceroute6 command, please refer to the traceroute6 command chapter in the Command Manual.
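The probe loop described in 7.1.3 and 7.1.4, as an added Python simulation that is not part of this guide or of the switch software. The router paths and addresses are constructed sample values from documentation address ranges; the function names are mine.

```python
TIME_EXCEEDED = "time exceeded"
REACHED = "reached"


def forward_probe(path, destination, hop_limit):
    """Forward one probe along `path` (router addresses in order) towards
    `destination`. Each router decrements the TTL / HOPLIMIT; the router
    that brings it to 0 discards the probe and answers with an ICMP
    (ICMPv6) time exceeded message. Returns (reply, address of the replier)."""
    for router in path:
        hop_limit -= 1
        if hop_limit == 0:
            return TIME_EXCEEDED, router
    return REACHED, destination


def traceroute(path, destination, max_hops=30):
    """The probe loop of 7.1.3 / 7.1.4: start with TTL 1, record who answered
    time exceeded, raise the TTL by one and repeat until a probe reaches the
    destination (or max_hops probes have been sent)."""
    hops = []
    for hop_limit in range(1, max_hops + 1):
        reply, replier = forward_probe(path, destination, hop_limit)
        hops.append(replier)
        if reply == REACHED:
            return hops
    return hops  # destination not reached within max_hops: partial path only


# Constructed sample paths using documentation address ranges (not real hosts).
IPV4_PATH = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
IPV4_DESTINATION = "203.0.113.9"
IPV6_PATH = ["2001:db8:1::1", "2001:db8:2::1"]
IPV6_DESTINATION = "2001:db8:3::9"

if __name__ == "__main__":
    # Same loop for IPv4 (TTL) and IPv6 (HOPLIMIT); only the addresses differ.
    for hop_number, address in enumerate(traceroute(IPV4_PATH, IPV4_DESTINATION), 1):
        print(hop_number, address)
    for hop_number, address in enumerate(traceroute(IPV6_PATH, IPV6_DESTINATION), 1):
        print(hop_number, address)
```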

7.1.5 Show
The show command is used to display information about the system, ports and protocol operation. This part introduces the show commands that display system information; other show commands are discussed in other chapters.

Admin mode
show debugging
    Display the debugging state.
show flash
    Display the files saved in the flash and their sizes.
show history
    Display the recent commands entered by the user.
show history all-users [detail]
    Show the recent command history of all users. Use the clear history all-users command to clear the command history of all users saved by the system; the maximum number of history entries can be set by the history all-users max-length command.
show memory
    Display the content of the specified memory area.
show running-config
    Display the switch parameter configuration in effect at the current operating state.
show running-config current-mode
    Show the configuration under the current mode.
show startup-config
    Display the switch parameter configuration written in the flash memory at the current operating state, which is normally the configuration file applied the next time the switch starts up.


show switchport interface [ethernet <IFNAME>]
    Display the VLAN port mode and the VLAN number the port belongs to, as well as the trunk port information.
show tcp
show tcp ipv6
    Display the TCP connections currently established on the switch.
show udp
show udp ipv6
    Display the UDP connections currently established on the switch.
show telnet login
    Display the information of the Telnet clients which currently have a Telnet connection with the switch.
show tech-support
    Display the operating information and the state of each task running on the switch. It is used by technicians to diagnose whether the switch operates properly.
show version
    Display the version of the switch.
show temperature
    This command is not supported by the switch.
show fan
    This command is not supported by the switch.

7.1.6 Debug
All the protocols the switch supports have corresponding debug commands. Users can use the information from the debug commands for troubleshooting. The debug commands of each protocol are introduced in the later chapters.

7.2 Logging

7.2.1 System Log Introduction


The system log takes all the information output under its control and catalogues it in detail, so that the information can be selected effectively. Combined with the debug functions, it provides powerful support to network administrators and developers in monitoring the network operating state and locating network failures.
The switch system log has the following characteristics:
- Log output to four directions (or log channels): the console, Telnet terminals and monitors, the log buffer zone, and the log host.
- The log information is classified into four severity levels by which it is filtered.
- According to the severity level, the log information can be automatically output to the corresponding log channel.

7.2.1.1 Log Output Channel


So far the system log can output log information through four channels:
- Through the console port to the local console.
- To a remote Telnet terminal or monitor; this function is convenient for remote maintenance.
- To a log buffer zone assigned inside the switch, which records the log information permanently or temporarily.
- To a configured log host; the log system sends the log information directly to the log host, which saves it in files to be viewed at any time.

Among the above log channels, users rarely use the console monitor and commonly choose the Telnet terminal to monitor the system operating status. However, the information output through these channels has low capacity and cannot be recorded for later viewing. The other two channels, the log buffer zone and the log host, are the important ones.
SDRAM (Synchronous Dynamic Random Access Memory) and NVRAM (Non-Volatile Random Access Memory) are provided inside the switch as the two parts of the log buffer zone. Both buffers record the log information in a circular fashion: when the log information to be recorded exceeds the buffer size, the oldest log information is erased and replaced by the new log information. Information saved in NVRAM stays permanently, while information in SDRAM is lost when the system restarts or a power failure occurs. The information in the log buffer zone is critical for monitoring the system operation and detecting abnormal states.

Note: the NVRAM log buffer may not exist on some switches, which only have the SDRAM log buffer zone.
It is recommended to use a system log server. By configuring the log host on the switch, the logs can be sent to the log server for later examination.

7.2.1.2 Format and Severity of the Log Information


The log information format is compatible with the BSD syslog protocol, so the logs can be recorded and analyzed by the syslog facility on UNIX/LINUX as well as by syslog-like applications on a PC.
The log information is classified into eight classes by severity or urgency. There is one level per value, and the higher the urgency of the log information, the smaller its value. For example, the level of critical is 2, warnings is 4 and debugging is 7, so critical is higher than warnings, which in turn is higher than debugging. The rule applied in filtering the log information by severity level is that only log information with a level equal to or higher than the threshold is output. So when the severity threshold is set to debugging, all information is output, and if it is set to critical, only critical, alerts and emergencies are output.


The following table summarizes the log information severity levels with brief descriptions. Note: these severity levels are in accordance with the standard UNIX/LINUX syslog.
Severity of the log information
Severity        Value  Description
emergencies     0      System is unusable
alerts          1      Action must be taken immediately
critical        2      Critical conditions
errors          3      Error conditions
warnings        4      Warning conditions
notifications   5      Normal but significant condition
informational   6      Informational messages
debugging       7      Debug-level messages

Right now the switch can generate information of the following four levels:
- Restart of the switch and abnormal tasks are classified critical.
- Up/down of an interface, topology changes and aggregate port state changes of an interface are classified warnings.
- Information output by CLI commands is classified informational.
- Information from the debugging of CLI commands is classified debugging.

Log information can be automatically sent to the corresponding channels according to its severity level. Among them, debugging information can only be sent to the monitor. Information of the informational level can only be sent to the current monitor terminal; for example, the information from a Telnet terminal configuration command can only be transmitted to that Telnet terminal. Warnings information can be sent to all terminals and is also saved in the SDRAM log buffer zone. Critical information is saved both in SDRAM and in NVRAM (if it exists) besides being sent to all terminals. To check the logs saved in SDRAM and NVRAM, use the show logging buffered command. To clear the logs saved in the NVRAM and SDRAM log buffer zones, use the clear logging command.

7.2.2 System Log Configuration


System Log Configuration Task Sequence:
1. Display and clear log buffer zone
2. Configure the log host output channel
3. Enable/disable the log executed-commands
4. Display the log source
5. Display executed-commands state

1. Display and clear log buffer zone

Admin mode
show logging buffered [level {critical | warnings} | range <begin-index> <end-index>]
    Show detailed log information in the log buffer channel.
clear logging sdram
    Clear the log buffer zone information.

2. Configure the log host output channel

Global mode
logging {<ipv4-addr> | <ipv6-addr>} [facility <local-number>] [level <severity>]
no logging {<ipv4-addr> | <ipv6-addr>} [facility <local-number>]
    Enable the output channel of the log host. The no form of this command disables output to the log host output channel.
logging loghost sequence-number
no logging loghost sequence-number
    Add the loghost sequence-number to the logs; the no command does not include the loghost sequence-number.
logging source-ip {<A.B.C.D> | <X:X::X:X>}
    Appoint the source IP address of the log packets sent to the log server; an IPv4 or an IPv6 address can be configured.

3. Enable/disable the log executed-commands

Global mode
logging executed-commands {enable | disable}
    Enable or disable the logging of executed commands.

4. Display the log source

Admin and configuration mode
show logging source mstp
    Show the log information source of the MSTP module.

5. Display executed-commands state

Admin mode
show logging executed-commands state
    Show the state of the logging of executed commands.


7.2.3 System Log Configuration Example


Example 1: The IPv4 address of the switch on the management VLAN is 100.100.100.1, and the IPv4 address of the remote log server is 100.100.100.5. It is required to send the log information with a severity equal to or higher than warnings to this log server and to save it in the log facility local1.

Configuration procedure:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)# ip address 100.100.100.1 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#logging 100.100.100.5 facility local1 level warnings

Example 2: The IPv6 address of the switch on the management VLAN is 3ffe:506::1, and the IPv6 address of the remote log server is 3ffe:506::4. It is required to send the log information with a severity equal to or higher than critical to this log server and to save it in the log facility local7.

Configuration procedure:
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ipv6 address 3ffe:506::1/64
Switch(Config-if-Vlan1)#exit
Switch(config)#logging 3ffe:506::4 facility local7 level critical
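The severity table and threshold rule of 7.2.1.2 and the two log hosts of 7.2.3, as an added Python model that is not part of this guide or of the switch software. It assumes the standard BSD syslog facility numbers (local0 = 16 to local7 = 23) and the PRI formula facility * 8 + severity; the message texts are constructed, not real switch output, and the function names are mine.

```python
# Severity table of 7.2.1.2 and the BSD syslog facility numbers (local0 = 16 ... local7 = 23).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}
FACILITY = {f"local{i}": 16 + i for i in range(8)}


def passes_threshold(severity, threshold):
    """Filter rule of 7.2.1.2: a message is output only when its severity is
    equal to or higher than the threshold, i.e. its value is <= the threshold value."""
    return SEVERITY[severity] <= SEVERITY[threshold]


def levels_output(threshold):
    """All severity names that pass the given threshold, most urgent first."""
    return [name for name in SEVERITY if passes_threshold(name, threshold)]


def pri(facility, severity):
    """PRI value carried in the <N> prefix of a BSD syslog message."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def to_log_host(facility, threshold, severity, text):
    """Model of `logging <host> facility <facility> level <threshold>` for one
    message: the syslog line that would be sent, or None when it is filtered out."""
    if not passes_threshold(severity, threshold):
        return None
    return f"<{pri(facility, severity)}>{text}"


def decode_pri(line):
    """Split a received syslog line into (facility, severity, message text),
    as a collector would before sorting the switch's logs."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI prefix")
    end = line.index(">")
    value = int(line[1:end])
    if not 0 <= value <= 191:
        raise ValueError(f"PRI {value} out of range")
    facility_num, severity_num = divmod(value, 8)
    severity_name = next(n for n, v in SEVERITY.items() if v == severity_num)
    facility_name = next((n for n, v in FACILITY.items() if v == facility_num),
                         f"facility{facility_num}")
    return facility_name, severity_name, line[end + 1:]


if __name__ == "__main__":
    # Example 1 of 7.2.3: facility local1, threshold warnings.
    print(levels_output("warnings"))
    # Constructed message texts, not real switch output.
    print(to_log_host("local1", "warnings", "warnings", "Interface Ethernet1/0/1 is down"))
    print(to_log_host("local1", "warnings", "informational", "show version"))  # filtered: None
    # Example 2 of 7.2.3: facility local7, threshold critical.
    print(levels_output("critical"))
    print(decode_pri("<186>Switch restarted"))
```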

7.3 Reload Switch after Specified Time

7.3.1 Introduction to Reload Switch after Specified Time

Reloading the switch after a specified time means rebooting the switch, without powering it off, after a specified period of time, usually when upgrading the switch software version. The switch can be rebooted after a period of time instead of immediately after its version has been updated successfully.

7.3.2 Reload Switch after Specified Time Task List

1. Reload switch after specified time

Admin mode
reload after {[<HH:MM:SS>] [days <days>]}
    Reload the switch after the specified time period.
reload cancel
    Cancel the scheduled reload of the switch.

7.4 Debugging and Diagnosis for Packets Received and Sent by CPU

7.4.1 Introduction to Debugging and Diagnosis for Packets Received and Sent by CPU

The following commands are used to debug and diagnose the packets received and sent by the CPU, and are meant to be used with the help of technical support.

7.4.2 Debugging and Diagnosis for Packets Received and Sent by CPU Task List

Global mode
cpu-rx-ratelimit protocol <protocol-type> <packets>
no cpu-rx-ratelimit protocol [<protocol-type>]
    Set the maximum rate at which the CPU receives packets of the protocol type; the no command restores the default maximum rate.
clear cpu-rx-stat protocol [<protocol-type>]
    Clear the statistics of the packets of the protocol type received by the CPU.

Admin mode
show cpu-rx protocol [<protocol-type>]
    Show the information of the packets of the protocol type received by the CPU.
debug driver {receive | send} [interface {<interface-name> | all}] [protocol {<protocol-type> | discard | all}] [detail]
no debug driver {receive | send}
    Turn on or off the display of the packets received or sent by the CPU.

Admin mode
protocol filter {protocol-type}
no protocol filter {protocol-type}
    Turn on/off the treatment of the named protocol packets; the named protocol is one of {arp|bgp|dhcp|dhcpv6|hsrp|http|igmp|ip|ldp|mpls|ospf|pim|rip|snmp|telnet|vrrp}.

7.5 Mirror

7.5.1 Introduction to Mirror


Mirror functions include the port mirror function, the CPU mirror function and the flow mirror function.
Port mirror refers to the duplication of data frames sent/received on a port to another port. The duplicated port is referred to as the mirror source port and the duplicating port is referred to as the mirror destination port. A protocol analyzer (such as Sniffer) or an RMON monitor is connected to the mirror destination port to monitor and manage the network and diagnose problems in the network.
The CPU mirror function means that the switch copies exactly the data frames received or sent by the CPU to a port.
The flow mirror function means that the switch copies exactly the data frames received on a port that match a specified rule to another port. The flow mirror takes effect only if the specified rule is a permit rule.
The switch supports one mirror destination port only. There is no limitation on mirror source ports; one port or several ports are allowed. When there is more than one source port, they can be in the same VLAN or in different VLANs. The source port and the destination port can be in different VLANs.

7.5.2 Mirror Configuration Task List


1. Specify mirror destination port
2. Specify mirror source port (CPU)
3. Specify flow mirror source
4. Select sample packets which are mirrored

1. Specify mirror destination port

Global mode
monitor session <session> destination interface <interface-number>
no monitor session <session> destination interface <interface-number>
    Specifies the mirror destination port; the no command deletes the mirror destination port.

2. Specify mirror source port (CPU)

Global mode
monitor session <session> source {interface <interface-list> | cpu} {rx | tx | both}
no monitor session <session> source {interface <interface-list> | cpu}
    Specifies the mirror source port; the no command deletes the mirror source port.

3. Specify flow mirror source

Global mode
monitor session <session> source {interface <interface-list>} access-group <num> {rx | tx | both}
no monitor session <session> source {interface <interface-list>} access-group <num>
    Specifies the flow mirror source port and applies the rule; the no command deletes the flow mirror source port.

4. Select sample packets which are mirrored

Global mode
monitor session <session> sample rate <num>
no monitor session <session> sample rate
    Sets the sampling rate of the packets mirrored to the destination port. The value ranges from 0 to 65535, and 0 means no sampling.

7.5.3 Mirror Examples

Example:
The requirement of the configuration is as follows: monitor at interface 1 the data frames sent out by interface 9 and received from interface 7, the data frames sent and received by the CPU, and the data frames received by interface 15 that match rule 120 (the source IP address is 1.2.3.4 and the destination IP address is 5.6.7.8).

Configuration guidelines:
1. Configure interface 1 to be the mirror destination interface.
2. Configure the interface 7 ingress and the interface 9 egress to be mirrored sources.
3. Configure the CPU as one of the sources.
4. Configure access list 120.
5. Bind access list 120 to the interface 15 ingress.

Configuration procedure is as follows:

Switch(config)#monitor session 1 destination interface ethernet 1/0/1
Switch(config)#monitor session 1 source interface ethernet 1/0/7 rx
Switch(config)#monitor session 1 source interface ethernet 1/0/9 tx
Switch(config)#monitor session 1 source cpu
Switch(config)#access-list 120 permit tcp 1.2.3.4 0.0.0.255 5.6.7.8 0.0.0.255
Switch(config)#monitor session 1 source interface ethernet 1/0/15 access-list 120 rx

7.5.4 Device Mirror Troubleshooting


If problems occur when configuring port mirroring, please check the following first for causes:
- Whether the mirror destination port is a member of a TRUNK group; if yes, modify the TRUNK group.
- If the throughput of the mirror destination port is smaller than the total throughput of the mirror source port(s), the destination port will not be able to duplicate all source port traffic; please decrease the number of source ports, duplicate traffic for one direction only, or choose a port with greater throughput as the destination port.
- The mirror destination port cannot be put into an isolate VLAN, or mirroring between VLANs will be affected.
- Mirroring packets from the flow export mirror to the flow import is not supported.
- When the source of port mirroring is the tx direction of a port, the outbound flow of that port is mirrored, and it includes the packets that the switch CPU sends as replies from that port (such as ARP replies).

7.6 RSPAN

7.6.1 Introduction to RSPAN



Port mirroring refers to the duplication of data frames sent/received on a port to another
port. The duplicated port is referred to as the mirror source port and the duplicating port is
referred to as the mirror destination port. Once mirroring is in place it is easier for the
network administrator to monitor, manage and diagnose the network, but it can only be used
when the mirror source port and the mirror destination port are located on the same switch.
RSPAN (Remote Switched Port Analyzer) refers to remote port mirroring. It eliminates the
limitation that the source port and the destination port must be located on the same switch.
This feature makes it possible for the source port and the destination port to be located on
different devices in the network, and helps the network administrator manage remote switches.
Ordinary traffic flows cannot be forwarded on the remote mirror VLAN.
There are three types of switches with RSPAN enabled:
1. Source switch: the switch to which the monitored port belongs. The source switch copies
the mirrored traffic flows into the Remote VLAN, and through Layer 2 forwarding the mirrored
flows are sent to an intermediate switch or the destination switch.
2. Intermediate switch: a switch between the source switch and the destination switch on the
network. An intermediate switch forwards mirrored flows to the next intermediate switch or to
the destination switch. There may be no intermediate switch at all when a direct connection
exists between the source and destination switches.
3. Destination switch: the switch to which the destination port for remote mirroring belongs.
It forwards the mirrored flows received from the Remote VLAN to the monitoring device through
the destination port.
When configuring RSPAN mirroring on the source switch, either reflector port mode or
destination mirror port mode can be selected. The destination switch redirects all data frames
in the RSPAN VLAN to the RSPAN destination port. For RSPAN mirroring, normal mode or advanced
mode can be chosen; normal mode is the default and suits ordinary users, while advanced mode
suits advanced users.
1. Advanced mode: to redirect data frames in the RSPAN VLAN to the RSPAN destination port,
the intermediate and destination devices must support flow redirection.
2. Normal mode: the RSPAN destination port is configured in the RSPAN VLAN, so datagrams in
the RSPAN VLAN are broadcast to the destination port. In this mode the destination port must
be in the RSPAN VLAN, and the source port should not be configured for broadcast storm
control. TRUNK ports must be configured carefully so that RSPAN datagrams are not forwarded
to external networks. Normal mode has the benefit of easy configuration and lower use of
system resources.
To be noticed: normal mode is the default. In normal mode, datagrams with reserved MAC
addresses cannot be broadcast.
For chassis switches, at most 4 mirror destination ports are supported, and the source or
destination port of one mirror session can be configured on each line card. For box switches,
only one mirror session can be configured. The number of source mirror ports is not limited
and can be one or more. Multiple source ports are not restricted to the same VLAN, and the
destination port and the source ports can be in different VLANs.
For RSPAN configuration, a dedicated RSPAN VLAN must be configured first to carry the RSPAN
datagrams. The default VLAN, dynamic VLANs, private VLANs, multicast VLANs, and VLANs with a
layer 3 interface enabled cannot be configured as the RSPAN VLAN. The reflector port must
belong to the RSPAN VLAN. The destination port should be connected to the monitor and
configured as an access port or a TRUNK port. The RSPAN reflector port works exclusively for
mirroring: when a port is configured as a reflector port, it discards all existing connections
to the remote peer, disables configurations related to loopback interfaces, and stops
forwarding datagrams. Connectivity between the source and destination switches over the
Remote VLAN must be ensured by configuration.
To be noticed:
1. Layer 3 interfaces related to the RSPAN VLAN should not be configured on the source,
intermediate, or destination switches, or the mirrored datagrams may be discarded.
2. On the source and intermediate switches of an RSPAN connection, the native VLAN of a
TRUNK port cannot be configured as the RSPAN VLAN; otherwise the RSPAN tag will be stripped
before the datagrams reach the destination switch.
3. The source port, in access or trunk mode, should not be added to the RSPAN VLAN if
advanced RSPAN mode is chosen. When the reflector port is used for inter-card mirroring of
CPU TX data, it must be configured as a TRUNK port that allows the RSPAN VLAN data to pass,
and its native VLAN must not be the RSPAN VLAN.
4. When configuring the remote mirroring function, network bandwidth should be considered so
that both the normal network flow and the mirrored flow can be carried.

Keywords:
RSPAN: Remote Switched Port Analyzer.
RSPAN VLAN: dedicated VLAN for RSPAN.
RSPAN Tag: the VLAN tag attached to MTP of the RSPAN datagrams.
Reflector Port: the local mirroring port between the RSPAN source and destination ports,
which is not directly connected to the intermediate switches.

7.6.2 RSPAN Configuration Task List


1. Configure RSPAN VLAN
2. Configure mirror source port (CPU)
3. Configure mirror destination port
4. Configure reflector port
5. Configure remote VLAN of mirror group

1. Configure RSPAN VLAN

Command                                   Explanation
VLAN Configuration Mode
remote-span                               To configure the specified VLAN as the RSPAN VLAN.
no remote-span                            The no command removes the RSPAN VLAN configuration.
2. Configure mirror source port (CPU)

Command                                                  Explanation
Global Mode
monitor session <session> source {interface              To configure the mirror source port.
<interface-list> | cpu [slot <slotnum>]} {rx | tx | both}
no monitor session <session> source                      The no command deletes the mirror
{interface <interface-list> | cpu [slot <slotnum>]}      source port.

3. Configure mirror destination port

Command                                                  Explanation
Global Mode
monitor session <session> destination interface          To configure the mirror destination
<interface-number>                                       interface.
no monitor session <session> destination interface       The no command deletes the mirror
<interface-number>                                       destination port.
4. Configure reflector port

Command                                                  Explanation
Global Mode
monitor session <session> reflector-port                 To configure the interface as the
<interface-number>                                       reflector port.
no monitor session <session> reflector-port              The no command deletes the reflector port.
5. Configure remote VLAN of mirror group

Command                                                  Explanation
Global Mode
monitor session <session> remote vlan <vid>              To configure the remote VLAN of the
                                                         mirror group.
no monitor session <session> remote vlan                 The no command deletes the remote VLAN
                                                         of the mirror group.

7.6.3 Typical Examples of RSPAN


Before RSPAN was invented, network administrators had to connect their PCs directly to the
switches in order to check network statistics.
With RSPAN, network administrators can configure and supervise the switches remotely, which is
more efficient. The figure below shows a sample application of RSPAN.

Figure 7-1 RSPAN Application Sample (figure not reproduced: PC1 on port E1 of the source
switch, E2 of the source switch linked to E6 of the intermediate switch, E7 linked to E9 of
the destination switch, and the Monitor on E10)


Two configuration solutions can be chosen for RSPAN: the first is without a reflector port,
and the other is with a reflector port. In the first one, only one fixed port can be connected
to the intermediate switch, but no reflector port has to be configured, which maximizes the
use of switch ports. In the latter one, the port connected to the intermediate switch is not
fixed: datagrams can be broadcast in the RSPAN VLAN through the loopback, which is much more
flexible.
The normal mode configuration is shown below:
Solution 1:
Source switch:
Interface ethernet 1/0/1 is the source port for mirroring.
Interface ethernet 1/0/2 is the destination port which is connected to the intermediate switch.
RSPAN VLAN is 5.

Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#switchport mode trunk
Switch(Config-If-Ethernet1/0/2)#exit
Switch(config)#monitor session 1 source interface ethernet1/0/1 rx
Switch(config)#monitor session 1 destination interface ethernet1/0/2
Switch(config)#monitor session 1 remote vlan 5

Intermediate switch:
Interface ethernet1/0/6 is the source port, which is connected to the source switch.
Interface ethernet1/0/7 is the destination port, which is connected to the destination switch.
The native VLAN of this port must not be configured as the RSPAN VLAN, or the mirrored data
may not be carried by the destination switch.
RSPAN VLAN is 5.

Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/0/6-7
Switch(Config-If-Port-Range)#switchport mode trunk
Switch(Config-If-Port-Range)#exit

Destination switch:
Interface ethernet1/0/9 is the source port, which is connected to the intermediate switch.
Interface ethernet1/0/10 is the destination port, which is connected to the monitor. This port
must be configured as an access port belonging to the RSPAN VLAN.
RSPAN VLAN is 5.

Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/0/9
Switch(Config-If-Ethernet1/0/9)#switchport mode trunk
Switch(Config-If-Ethernet1/0/9)#exit
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#switchport access vlan 5
Switch(Config-If-Ethernet1/0/10)#exit

Solution 2:
Source switch:
Interface ethernet 1/0/1 is the source port.
Interface ethernet 1/0/2 is the TRUNK port connected to the intermediate switch. Its native
VLAN must not be the RSPAN VLAN.
Interface ethernet 1/0/3 is the reflector port. The reflector port belongs to the RSPAN VLAN,
as either an access port or a TRUNK port of the RSPAN VLAN.
RSPAN VLAN is 5.

Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet1/0/2
Switch(Config-If-Ethernet1/0/2)#switchport mode trunk
Switch(Config-If-Ethernet1/0/2)#exit
Switch(config)#interface ethernet 1/0/3
Switch(Config-If-Ethernet1/0/3)#switchport mode trunk
Switch(Config-If-Ethernet1/0/3)#exit
Switch(config)#monitor session 1 source interface ethernet1/0/1 rx
Switch(config)#monitor session 1 reflector-port ethernet1/0/3
Switch(config)#monitor session 1 remote vlan 5

Intermediate switch:
Interface ethernet1/0/6 is the source port, which is connected to the source switch.
Interface ethernet1/0/7 is the destination port, which is connected to the destination switch.
The native VLAN of this port must not be configured as the RSPAN VLAN, or the mirrored data
may not be carried by the destination switch.
RSPAN VLAN is 5.

Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/0/6-7
Switch(Config-If-Port-Range)#switchport mode trunk
Switch(Config-If-Port-Range)#exit

Destination switch:
Interface ethernet1/0/9 is the source port, which is connected to the intermediate switch.
Interface ethernet1/0/10 is the destination port, which is connected to the monitor. This port
must be configured as an access port belonging to the RSPAN VLAN.
RSPAN VLAN is 5.

Switch(config)#vlan 5
Switch(Config-Vlan5)#remote-span
Switch(Config-Vlan5)#exit
Switch(config)#interface ethernet 1/0/9
Switch(Config-If-Ethernet1/0/9)#switchport mode trunk
Switch(Config-If-Ethernet1/0/9)#exit
Switch(config)#interface ethernet 1/0/10
Switch(Config-If-Ethernet1/0/10)#switchport access vlan 5
Switch(Config-If-Ethernet1/0/10)#exit

7.6.4 RSPAN Troubleshooting


RSPAN may fail to function for the following reasons:
- The destination mirror port is a member of a Port-channel group. If so, change the
Port-channel group configuration.
- The throughput of the destination port is less than the total throughput of the source
mirror ports, so the destination cannot capture all datagrams from every source port. To
solve this, reduce the number of source ports, mirror only one direction of the data flow,
or choose another port with higher capacity as the destination port.
- Between the source switch and the intermediate switch, the native VLAN of the TRUNK ports
is configured as the RSPAN VLAN. If so, change the native VLAN of the TRUNK ports.
- After RSPAN is configured, a VLAN tag is added to egress-mirrored packets. This can cause
abort error frames on the reflector port, so the default MTU value of the switch should be
modified.
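The constraints from the notes in 7.6.1 and the troubleshooting list above can be checked before a configuration is pushed. The following Python checker is an added example, not the switch's own code: it reads the guide's CLI syntax for VLANs, interfaces and monitor sessions plus two assumed commands that are not on this page, `switchport trunk native vlan <n>` and `port-group <n>`, and reports the rule violations for one session on an RSPAN source switch.

```python
import re

PORT_DEFAULTS = {"mode": "access", "access_vlan": 1, "native_vlan": 1, "port_group": None}


def expand_ports(spec):
    """'ethernet 1/0/6-7' or 'ethernet1/0/6' -> ['ethernet1/0/6', 'ethernet1/0/7']."""
    m = re.fullmatch(r"ethernet\s*(\d+/\d+/)(\d+)(?:-(\d+))?", spec.strip())
    if not m:
        raise ValueError("unsupported interface spec: %r" % spec)
    first, last = int(m.group(2)), int(m.group(3) or m.group(2))
    return ["ethernet%s%d" % (m.group(1), n) for n in range(first, last + 1)]


def parse_config(lines):
    """Build a small model of VLANs, ports and mirror sessions from CLI lines.
    A leading 'Switch(config)#' prompt, as printed in the guide, is tolerated."""
    cfg = {"rspan_vlans": set(), "l3_vlans": set(), "ports": {}, "sessions": {}}
    context = None  # ("vlan", id) or ("port", [names]) while inside a sub-mode
    for raw in lines:
        words = (raw.split("#", 1)[1] if "#" in raw else raw).split()
        if not words:
            continue
        if words[0] == "exit":
            context = None
        elif words[0] == "vlan":
            context = ("vlan", int(words[1]))
        elif words[0] == "interface" and words[1] == "vlan":
            cfg["l3_vlans"].add(int(words[2]))  # a layer 3 interface on that VLAN
            context = None
        elif words[0] == "interface":
            names = expand_ports(" ".join(words[1:]))
            for name in names:
                cfg["ports"].setdefault(name, dict(PORT_DEFAULTS))
            context = ("port", names)
        elif words[0] == "remote-span" and context and context[0] == "vlan":
            cfg["rspan_vlans"].add(context[1])
        elif words[:2] == ["monitor", "session"]:
            s = cfg["sessions"].setdefault(int(words[2]), {
                "sources": [], "destination": None, "reflector": None, "remote_vlan": None})
            kind = words[3]
            if kind == "source" and words[4] == "interface":
                spec = " ".join(t for t in words[5:] if t not in ("rx", "tx", "both"))
                s["sources"] += expand_ports(spec)
            elif kind == "destination":
                s["destination"] = expand_ports(" ".join(words[5:]))[0]
            elif kind == "reflector-port":
                s["reflector"] = expand_ports(" ".join(words[4:]))[0]
            elif kind == "remote":
                s["remote_vlan"] = int(words[5])
        elif context and context[0] == "port":
            for name in context[1]:
                port = cfg["ports"][name]
                if words[:2] == ["switchport", "mode"]:
                    port["mode"] = words[2]
                elif words[:3] == ["switchport", "access", "vlan"]:
                    port["access_vlan"] = int(words[3])
                elif words[:4] == ["switchport", "trunk", "native", "vlan"]:  # assumed syntax
                    port["native_vlan"] = int(words[4])
                elif words[0] == "port-group":  # assumed syntax for port-channel membership
                    port["port_group"] = int(words[1])
    return cfg


def check_source_switch(cfg, session_id):
    """Return the rule violations for one mirror session on an RSPAN source switch."""
    s = cfg["sessions"][session_id]
    rv = s["remote_vlan"]
    if rv is None:
        return ["session %d has no remote vlan" % session_id]
    findings = []
    if rv not in cfg["rspan_vlans"]:
        findings.append("vlan %d is not configured with remote-span" % rv)
    if rv in cfg["l3_vlans"]:
        findings.append("layer 3 interface on RSPAN vlan %d: mirrored datagrams may be "
                        "discarded" % rv)
    for name, port in sorted(cfg["ports"].items()):
        if port["mode"] == "trunk" and port["native_vlan"] == rv:
            findings.append("%s: native VLAN of TRUNK port is the RSPAN vlan, the RSPAN tag "
                            "would be stripped" % name)
    dest, ref = s["destination"], s["reflector"]
    if dest and cfg["ports"].get(dest, PORT_DEFAULTS)["port_group"] is not None:
        findings.append("%s: mirror destination port is a member of a port group" % dest)
    if ref:
        port = cfg["ports"].get(ref, PORT_DEFAULTS)
        if not (port["mode"] == "trunk" or port["access_vlan"] == rv):
            findings.append("%s: reflector port does not belong to RSPAN vlan %d" % (ref, rv))
    if dest is None and ref is None:
        findings.append("session %d has neither a destination port nor a reflector port"
                        % session_id)
    return findings
```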

7.7 sFlow

7.7.1 Introduction to sFlow


sFlow (RFC 3176) is a protocol based on standard network export, developed by InMon, and used
to monitor network traffic information. The monitored switch or router sends data to the
analyzer through its main operations, sampling and statistics; the analyzer then analyzes the
data according to the user's requirements in order to monitor the network.
An sFlow monitoring system consists of an sFlow proxy (agent), a central data collector and an
sFlow analyzer. The sFlow proxy collects data from the switch using sampling technology. The
sFlow collector formats the sampled data and statistics and forwards them to the sFlow
analyzer, which analyzes the sampled data and takes the corresponding measures according to
the result. Our switch acts as the proxy and central data collector in the sFlow system.
Data sampling and statistics are implemented for physical ports.
Our data samples cover IPv4 and IPv6 packets; extensions for other types are not supported so
far. For packets other than IPv4 and IPv6, the unified HEADER mode is adopted as required by
RFC 3176: the head of the packet is copied after its protocol type has been analyzed.
The latest sFlow protocol published by InMon is version 5. Since RFC 3176 specifies version 4,
version conflicts may exist in some cases, such as in the structure and the packet format.
Because version 5 has not become the official protocol, we continue to follow RFC 3176 in
order to stay compatible with current applications.
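The datagram format the switch exports (sFlow version 4 as laid out in RFC 3176, with HEADER-mode samples) can be decoded on the collector side. The following Python decoder is an added example, not the switch's or InMon's code: it checks the version word, reads the agent address and one HEADER flow sample, and decodes the Ethernet fields of the copied header; counter samples and extended flow data are rejected rather than decoded. The sampled header and the datagram built from it are constructed inline.

```python
import ipaddress
import struct

FLOW_SAMPLE = 1   # sample_type discriminant (2 = counter sample)
PKT_HEADER = 1    # packet_information_type: a copy of the packet header follows
# Constructed 34-byte sampled header: Ethernet II + IPv4 (10.1.144.2 -> 192.168.1.200, TCP)
SAMPLE_HEADER = bytes.fromhex("001122334455" "66778899aabb" "0800"
                              "4500003c00004000400600000a019002c0a801c8")


class Reader:
    """Sequential XDR reader over one datagram."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def raw(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated datagram")
        self.pos += n
        return chunk

    def u32(self):
        return struct.unpack("!I", self.raw(4))[0]

    def opaque(self):
        n = self.u32()
        chunk = self.raw(n)
        self.raw((-n) % 4)          # XDR pads opaque data to a 4-byte boundary
        return chunk


def parse_flow_sample(r):
    s = {"type": "flow", "sequence": r.u32()}
    source_id = r.u32()             # top 8 bits: source type, low 24 bits: interface index
    s["source_type"], s["source_index"] = source_id >> 24, source_id & 0xFFFFFF
    for key in ("sampling_rate", "sample_pool", "drops", "input", "output"):
        s[key] = r.u32()
    if r.u32() != PKT_HEADER:
        raise ValueError("only HEADER packet data is decoded in this example")
    s["header_protocol"] = r.u32()  # 1 = ETHERNET-ISO8023
    s["frame_length"] = r.u32()
    s["header"] = r.opaque()
    if r.u32() != 0:                # extended_data<> element count
        raise ValueError("extended flow data is not decoded in this example")
    return s


def parse_datagram(data):
    r = Reader(data)
    version = r.u32()
    if version != 4:                # the switch follows RFC 3176 (version 4), not version 5
        raise ValueError("unsupported sFlow version %d" % version)
    addr_type = r.u32()
    if addr_type == 1:
        agent = str(ipaddress.IPv4Address(r.raw(4)))
    elif addr_type == 2:
        agent = str(ipaddress.IPv6Address(r.raw(16)))
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    dg = {"version": version, "agent": agent, "sequence": r.u32(),
          "uptime_ms": r.u32(), "samples": []}
    for _ in range(r.u32()):
        if r.u32() != FLOW_SAMPLE:
            raise ValueError("counter samples are not decoded in this example")
        dg["samples"].append(parse_flow_sample(r))
    return dg


def ethernet_summary(header):
    """Decode the Ethernet II fields of a sampled header copy."""
    if len(header) < 14:
        raise ValueError("header shorter than an Ethernet header")
    return {"dst": header[0:6].hex(":"), "src": header[6:12].hex(":"),
            "ethertype": int.from_bytes(header[12:14], "big")}


def encode_flow_datagram(agent_ipv4, sequence, uptime_ms, sample):
    """Inverse of parse_datagram for one HEADER flow sample; builds the test input."""
    header = sample["header"]
    out = struct.pack("!II", 4, 1) + ipaddress.IPv4Address(agent_ipv4).packed
    out += struct.pack("!III", sequence, uptime_ms, 1)        # one sample follows
    out += struct.pack("!9I", FLOW_SAMPLE, sample["sequence"],
                       (sample["source_type"] << 24) | sample["source_index"],
                       sample["sampling_rate"], sample["sample_pool"], sample["drops"],
                       sample["input"], sample["output"], PKT_HEADER)
    out += struct.pack("!III", sample["header_protocol"], sample["frame_length"], len(header))
    return out + header + b"\0" * ((-len(header)) % 4) + struct.pack("!I", 0)
```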

7.7.2 sFlow Configuration Task List


1. Configure sFlow Collector address

Command                                      Explanation
Global Mode and Port Mode
sflow destination <collector-address>        Configure the IP address and port number of the
[<collector-port>]                           host on which the sFlow analysis software is
no sflow destination                         installed. For a port, if an IP address is
                                             configured on the port, the port configuration
                                             is applied; otherwise the global configuration
                                             is applied. The "no sflow destination" command
                                             restores the default port value and deletes the
                                             IP address.

2. Configure the sFlow proxy address

Command                                      Explanation
Global Mode
sflow agent-address <collector-address>      Configure the source IP address used by the
no sflow agent-address                       sFlow proxy; the "no" form of the command
                                             deletes this address.

3. Configure the sFlow proxy priority

Command                                      Explanation
Global Mode
sflow priority <priority-value>              Configure the priority with which sFlow receives
no sflow priority                            packets from the hardware; the "no sflow
                                             priority" command restores the default.

4. Configure the packet header length copied by sFlow

Command                                      Explanation
Port Mode
sflow header-len <length-value>              Configure the length of the packet header copied
no sflow header-len                          in sFlow data sampling; the "no" form of this
                                             command restores the default value.

5. Configure the max data length of the sFlow packet

Command                                      Explanation
Port Mode
sflow data-len <length-value>                Configure the max length of the sFlow data
no sflow data-len                            packet; the "no" form of this command restores
                                             the default.

6. Configure the sampling rate value

Command                                      Explanation
Port Mode
sflow rate {input <input-rate> |             Configure the sampling rate used when sFlow
output <output-rate>}                        performs hardware sampling. The "no" command
no sflow rate [input | output]               deletes the rate value.

7. Configure the sFlow statistic sampling interval

Command                                      Explanation
Port Mode
sflow counter-interval <interval-value>      Configure the max interval at which sFlow
no sflow counter-interval                    performs statistic sampling. The "no" form of
                                             this command deletes it.

8. Configure the analyzer used by sFlow

Command                                      Explanation
Global Mode
sflow analyzer sflowtrend                    Configure the analyzer used by sFlow; the no
no sflow analyzer sflowtrend                 command deletes the analyzer.

7.7.3 sFlow Examples

Figure 7-2 sFlow configuration topology (figure not reproduced: the SWITCH connected to the
PC running the sFlow analyzer)


As shown in the figure, sFlow sampling is enabled on ports 1/0/1 and 1/0/2 of the switch.
Assume the sFlow analysis software is installed on the PC with the address 192.168.1.200. The
address of the layer 3 interface on SwitchA connected to the PC is 192.168.1.100. A loopback
interface with the address 10.1.144.2 is configured on SwitchA. The sFlow configuration is as
follows:
Configuration procedure is as follows:
Switch#config
Switch(config)#sflow agent-address 10.1.144.2
Switch(config)#sflow destination 192.168.1.200
Switch(config)#sflow priority 1
Switch(config)#interface ethernet1/0/1
Switch(Config-If-Ethernet1/0/1)#sflow rate input 10000
Switch(Config-If-Ethernet1/0/1)#sflow rate output 10000
Switch(Config-If-Ethernet1/0/1)#sflow counter-interval 20
Switch(Config-If-Ethernet1/0/1)#exit
Switch(config)#interface ethernet1/0/2
Switch(Config-If-Ethernet1/0/2)#sflow rate input 20000
Switch(Config-If-Ethernet1/0/2)#sflow rate output 20000
Switch(Config-If-Ethernet1/0/2)#sflow counter-interval 40

7.7.4 sFlow Troubleshooting


When configuring and using sFlow, the sFlow server may fail to run properly because of a
physical connection failure, wrong configuration, etc. The user should ensure the following:
- The physical connection is correct.
- The address of the sFlow analyzer configured in global or port mode is reachable.
- If traffic sampling is required, the sampling rate of the interface is configured.
- If statistic sampling is required, the statistic sampling interval of the interface is
configured.
- If the problem remains unsolved, please contact the technical service center of our
company.

Chapter 8 Network Time Management Configuration

8.1 NTP

8.1.1 Introduction to NTP Function


NTP (Network Time Protocol) synchronizes timekeeping across WANs and LANs among distributed
time servers and clients, and can achieve millisecond precision. Its events, states, transmit
functions and actions are defined in RFC 1305.
The purpose of NTP is to keep timekeeping consistent among all clock-dependent devices in the
network, so that the devices can provide diverse applications based on a consistent time.
A local system running NTP can have its time synchronized from other reference sources, can be
used as a reference source to synchronize other clocks, and can synchronize with peers by
exchanging NTP packets.

8.1.2 NTP Function Configuration Task List


1. To enable NTP function
2. To configure NTP server function
3. To configure the max number of broadcast or multicast servers supported by the NTP client
4. To configure time zone
5. To configure NTP access control list
6. To configure NTP authentication
7. To specify an interface as NTP broadcast/multicast client interface
8. To configure an interface not to receive NTP packets
9. To configure the request packet sending interval of the NTP client
10. Display information
11. Debug

1. To enable NTP function

Command                                      Explication
Global Mode
ntp enable                                   To enable or disable the NTP function.
ntp disable

2. To configure NTP server function

Command                                      Explication
Global Mode
ntp server {<ip-address> | <ipv6-address>}   To enable the specified time server as the
[version <version_no>] [key <key-id>]        time source.
no ntp server {<ip-address> | <ipv6-address>}

3. To configure the max number of broadcast or multicast servers supported by the NTP client

Command                                      Explication
Global Mode
ntp broadcast server count <number>          Set the max number of broadcast or multicast
no ntp broadcast server count                servers supported by the NTP client. The no
                                             operation cancels the configuration and
                                             restores the default value.

4. To configure time zone

Command                                      Explication
Global Mode
clock timezone WORD {add | subtract}         This command configures the timezone in global
<0-23> [<0-59>]                              mode; the no command deletes the configured
no clock timezone WORD                       timezone.

5. To configure NTP access control list

Command                                      Explication
Global Mode
ntp access-group server <acl>                To configure the NTP server access control
no ntp access-group server <acl>             list.

6. To configure NTP authentication

Command                                      Explication
Global Mode
ntp authenticate                             To enable the NTP authentication function.
no ntp authenticate
ntp authentication-key <key-id> md5 <value>  To configure the authentication key for NTP
no ntp authentication-key <key-id>           authentication.
ntp trusted-key <key-id>                     To configure a trusted key.
no ntp trusted-key <key-id>

7. To specify an interface as NTP multicast client interface

Command                                      Explication
VLAN Configuration Mode
ntp multicast client                         To configure the specified interface to
no ntp multicast client                      receive NTP multicast packets.
ntp ipv6 multicast client                    To configure the specified interface to
no ntp ipv6 multicast client                 receive IPv6 NTP multicast packets.

8. To configure an interface not to receive NTP packets

Command                                      Explication
VLAN Configuration Mode
ntp disable                                  To disable the NTP function on the interface.
no ntp disable

9. To configure the request packet sending interval of the NTP client

Command                                      Explication
Global Mode
ntp syn-interval <1-3600>                    Configure the request packet sending interval
no ntp syn-interval                          of the NTP client as 1s-3600s. The no command
                                             restores the default value of 64s.

10. Display information

Command                                      Explication
Admin Mode
show ntp status                              To display the state of time synchronization.
show ntp session [<ip-address> |             To display the information of NTP sessions.
<ipv6-address>]

11. Debug

Command                                      Explication
Admin Mode
debug ntp authentication                     To enable the debug switch of NTP
no debug ntp authentication                  authentication.
debug ntp packets [send | receive]           To enable the debug switch of NTP packet
no debug ntp packets [send | receive]        information.
debug ntp adjust                             To enable the debug switch of time update
no debug ntp adjust                          information.
debug ntp sync                               To enable the debug switch of time
no debug ntp sync                            synchronization information.
debug ntp events                             To enable the debug switch of NTP event
no debug ntp events                          information.

8.1.3 Typical Examples of NTP Function


A client switch wants to synchronize its time with the time servers in the network. There are
two time servers in the network: one is used as the main server and the other as the standby.
The connection and configuration are as follows (Switch A and Switch B are switches or
routers that support the NTP server function):

The configuration of Switch C is as follows (Switch A and Switch B may use different commands
because they come from different vendors, which is not explained here; our switches do not
support the NTP server function at present):
Switch C:
Switch(config)#ntp enable
Switch(config)#interface vlan 1
Switch(Config-if-Vlan1)#ip address 192.168.1.12 255.255.255.0
Switch(Config-if-Vlan1)#exit
Switch(config)#interface vlan 2
Switch(Config-if-Vlan2)#ip address 192.168.2.12 255.255.255.0
Switch(Config-if-Vlan2)#exit
Switch(config)#ntp server 192.168.1.11
Switch(config)#ntp server 192.168.2.11

8.1.4 NTP Function Troubleshooting


If an error occurs during the configuration procedure, the system gives out debug
information.
The NTP function is disabled by default; the show commands can be used to display the current
configuration. If the configuration is right, use the relevant debug commands to display
specific information about the procedure and whether the function is configured correctly;
the show commands can also be used to display the NTP running information. For any questions,
please send the recorded messages to the technical service center.

8.2 SNTP

8.2.1 Introduction to SNTP


The Network Time Protocol (NTP) is widely used for clock synchronization of computers
connected to the Internet. NTP can assess the packet sending/receiving delay in the network
and estimate the computer's clock deviation independently, so as to achieve high accuracy in
network computer clocking. In most settings NTP provides an accuracy of 1 to 50 ms, depending
on the characteristics of the synchronization source and the network route.
Simple Network Time Protocol (SNTP) is the simplified version of NTP, with the complex
algorithms of NTP removed. SNTP is used by hosts that do not require full NTP functions; it
is a subset of NTP. It is common practice to synchronize the clocks of several hosts in a
local area network with other NTP hosts over the Internet, and to use those hosts to provide
time synchronization service for the other clients in the LAN. The figure below depicts an
NTP/SNTP application network topology, where SNTP mainly works between second-level servers
and the various terminals, since such scenarios do not require very high time accuracy and
the accuracy of SNTP (1 to 50 ms) is usually sufficient for those services.

Figure 8-1 Working Scenario


The switch implements SNTPv4 and supports SNTP client unicast as described in RFC 2030; SNTP
client multicast and anycast are not supported, nor is the SNTP server function.

8.2.2 Typical Examples of SNTP Configuration

Figure 8-2 Typical SNTP Configuration (figure not reproduced: two SNTP/NTP servers with the
switches below synchronizing to them)


All switches in the autonomous zone are required to perform time synchronization, which is
done through two redundant SNTP/NTP servers. For time to be synchronized, the network must be
properly configured: there must be a reachable route between any switch and the two SNTP/NTP
servers.
Example: assume the IP addresses of the SNTP/NTP servers are 10.1.1.1 and 20.1.1.1
respectively, and the SNTP/NTP server function (such as NTP master) is enabled; then the
configuration for any switch should be like the following:
Switch#config
Switch(config)#sntp server 10.1.1.1
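The authentication commands in 8.1.2 (`ntp authentication-key <key-id> md5 <value>` and `ntp trusted-key <key-id>`) and the SNTP packet format of RFC 2030 described above, worked through in an added Python example that is not the switch's code: it builds a client request, decodes a header including the 2036 era rule for timestamps, appends the symmetric-key authenticator (key id followed by MD5 over key || header, as in RFC 1305 Appendix C and RFC 5905) and verifies it the way a client should before trusting a reply. The key id and key bytes are constructed.

```python
import hashlib
import hmac
import struct

HEADER_FMT = "!BBBb11I"  # LI/VN/Mode, stratum, poll, precision, then 11 x 32-bit words
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 48 bytes
MAC_LEN = 4 + 16                          # key identifier + MD5 digest
NTP_UNIX_DELTA = 2208988800               # seconds from 1900-01-01 to 1970-01-01


def unix_to_ntp(unix_time):
    """Split a Unix time into the 32-bit seconds and 32-bit fraction of an NTP timestamp."""
    whole = int(unix_time)
    return (whole + NTP_UNIX_DELTA) & 0xFFFFFFFF, int((unix_time - whole) * (1 << 32))


def ntp_to_unix(seconds, fraction):
    """RFC 2030 s.3: MSB set means era 0 (1968-2036), clear means era 1 (2036-2104)."""
    base = seconds if seconds & 0x80000000 else seconds + (1 << 32)
    return base - NTP_UNIX_DELTA + fraction / (1 << 32)


def build_client_request(transmit_unix, version=4):
    """Mode 3 (client) packet; like an SNTP client, only the transmit timestamp is set."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    xmt_s, xmt_f = unix_to_ntp(transmit_unix)
    return struct.pack(HEADER_FMT, li_vn_mode, 0, 0, 0,
                       0, 0, 0,                # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,       # reference, originate, receive timestamps
                       xmt_s, xmt_f)


def parse_header(data):
    """Decode the fields a client inspects before trusting a reply."""
    if len(data) < HEADER_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {"li": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "poll": f[2], "precision": f[3], "reference_id": f[6],
            "transmit": ntp_to_unix(f[13], f[14])}


def append_authenticator(header, key_id, key):
    """Symmetric-key MAC: key id followed by MD5 over key || header (RFC 1305 Appendix C)."""
    header = header[:HEADER_LEN]
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_authenticator(packet, keys, trusted_keys):
    """Mirror of the switch-side check: the key id must be trusted and configured, and the
    digest must match. keys maps key id -> key bytes. Returns (ok, reason)."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "no authenticator present"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys:
        return False, "key id %d is not a trusted key" % key_id
    if key_id not in keys:
        return False, "key id %d is not configured" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch: wrong key or modified packet"
    return True, "authenticated with key %d" % key_id
```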

8.3 Summer Time

8.3.1 Introduction to Summer Time


Summer time is also called daylight saving time; it is a time system for saving energy. In
summer the clock is advanced by 1 hour to make use of the early daylight and reduce lighting,
so as to save electricity for lighting. The rules for adopting summer time differ from country
to country. At present, almost 110 countries implement summer time.

Compared with standard time, summer time is usually set 1 hour ahead; for example, while
summer time is in effect, 10:00 am standard time is considered 11:00 am summer time.

8.3.2 Summer Time Configuration Task Sequence

1. Configure absolute or recurrent time range of summer time


Command                                                  Explanation
Global Mode
clock summer-time <word> absolute <HH:MM>                Set the absolute time range of summer
<YYYY.MM.DD> <HH:MM> <YYYY.MM.DD> [<offset>]             time; the start and end of summer time
no clock summer-time                                     are configured with a specified year.
clock summer-time <word> recurring <HH:MM>               Set the recurrent time range of summer
<MM.DD> <HH:MM> <MM.DD> [<offset>]                       time; every year summer time begins at
no clock summer-time                                     the start time and ends at the end time.
clock summer-time <word> recurring <HH:MM>               Set the recurrent time range of summer
<week> <day> <month> <HH:MM> <week> <day>                time; every year summer time begins at
<month> [<offset>]                                       the start time and ends at the end time.
no clock summer-time

8.3.3 Examples of Summer Time


Example 1:
Configuration requirement: summer time lasts from 23:00 on April 1st, 2012 to 00:00 on
October 1st, 2012, the clock offset is 1 hour, and the summer time is named 2012.

Configuration procedure is as follows:

Switch(config)#clock summer-time 2012 absolute 23:00 2012.4.1 00:00 2012.10.1

Example 2:
Configuration requirement: summer time lasts from 23:00 on the first Saturday of April to
00:00 on the last Sunday of October every year, the clock offset is 2 hours, and the summer
time is named time_travel.

Configuration procedure is as follows:

Switch(config)#clock summer-time time_travel recurring 23:00 first sat apr 00:00 last sun oct 120
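The recurring rule of Example 2 resolved to concrete dates and applied to a clock reading, as an added Python example that is not the switch's code. It assumes the offset defaults to 60 minutes when omitted (Example 1 omits it and states a 1 hour offset) and that the end time is given in standard time, which the guide does not specify.

```python
import calendar
import datetime

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
MONTHS = {name: number for number, name in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}
ORDINALS = {"first": 1, "second": 2, "third": 3, "fourth": 4}


def nth_weekday(year, week, day, month):
    """Date of the <week>th <day> of <month>; 'last' counts back from the month end."""
    wd, mo = WEEKDAYS[day], MONTHS[month]
    if week == "last":
        end = datetime.date(year, mo, calendar.monthrange(year, mo)[1])
        return end - datetime.timedelta(days=(end.weekday() - wd) % 7)
    first = datetime.date(year, mo, 1)
    days = (wd - first.weekday()) % 7 + 7 * (ORDINALS[week] - 1)
    return first + datetime.timedelta(days=days)


def parse_recurring(command):
    """Parse 'clock summer-time <word> recurring <HH:MM> <week> <day> <month> <HH:MM>
    <week> <day> <month> [<offset>]'. The offset is in minutes; 60 is assumed when it
    is omitted (Example 1 omits it and states a 1 hour offset)."""
    w = command.split()
    if w[:2] != ["clock", "summer-time"] or len(w) < 12 or w[3] != "recurring":
        raise ValueError("not a recurring summer-time command")
    return {"name": w[2], "start": tuple(w[4:8]), "end": tuple(w[8:12]),
            "offset_min": int(w[12]) if len(w) > 12 else 60}


def summer_time_range(rule, year):
    """Concrete start and end datetimes of the rule for one year; both are read as
    standard time (an assumption: the guide does not say which clock the end uses)."""
    def at(spec):
        hour, minute = (int(x) for x in spec[0].split(":"))
        date = nth_weekday(year, spec[1], spec[2], spec[3])
        return datetime.datetime.combine(date, datetime.time(hour, minute))
    return at(rule["start"]), at(rule["end"])


def to_summer_time(rule, standard):
    """Clock reading shown for a standard-time instant (datetime or ISO 8601 string)."""
    if isinstance(standard, str):
        standard = datetime.datetime.fromisoformat(standard)
    start, end = summer_time_range(rule, standard.year)
    if start <= standard < end:
        return standard + datetime.timedelta(minutes=rule["offset_min"])
    return standard
```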

8.3.4 Summer Time Troubleshooting


If any problem happens when using summer time, please check whether the problem is caused by
the following reasons:


- Check whether the command was entered in global mode
- Check whether the system clock is correct

Chapter 9 POE Configuration

9.1 PoE

9.1.1 Introduction to PoE


PoE (Power over Ethernet) is a technology that provides direct current to some IP-based
terminals (such as IP phones, APs of wireless LANs and network cameras) while transmitting
data to them. Such DC-receiving devices are called PDs (Powered Devices). The max distance of
reliable power supply provided by PoE is 100 meters.
IEEE 802.3af is a new PoE standard and an extension of the current Ethernet standard, adding
items on power supply over network cables to IEEE 802.3. It is also the first international
standard on power distribution. IEEE 802.3at is the upgraded version of IEEE 802.3af; the
maximum power of each port is 30W, which meets the higher power requirements of PD devices.
The application of PoE used to be in two areas, IP phones and 802.11 wireless networks;
however, along with the development of this technology, many applications of more practical
value have emerged and benefited from PoE, such as video monitoring, integrated building
management solutions, and remote video service booths. All these existing, and predictably
more, applications create a need for switches supporting PoE.

9.1.2 PoE Configuration


The PoE Configuration Task List:
1. Globally enable or disable PoE
2. Globally Set the Max Output Power
3. Globally set power management mode
4. Globally set non-standard PD detection mode
5. Modify the power-on mode of the port
6. Enable or disable PoE on specified ports
7. Set the max output power on specified ports
8. Set the power priority on specified ports

1. Globally Enable or Disable PoE

Command Explanation
Global Mode
power inline enable
Enable/disable PoE globally.
no power inline enable

9-1
S4600_Configuration Guide Chapter 9 POE Configuration

2. Globally set the max output power

Command Explanation
Global Mode
power inline max <max-wattage>
Globally set the max output power of PoE.
no power inline max

3. Globally set the power management mode

Command Explanation
Global Mode
power inline police enable                    Enable/disable the power priority management
no power inline police enable                 policy mode.

4. Modify the power-on mode of the port

Command Explanation
Global Mode
power inline legacy enable
Modify the power-on mode of the port.
no power inline legacy enable

5. Globally enable or disable the allowed high-inrush current when a nonstandard PD is powered instantaneously

Command                                       Explanation
Global Mode
power inline high-inrush enable               Enable/disable the allowed high-inrush current
no power inline high-inrush enable            when a nonstandard PD is powered instantaneously.

Globally enable or disable the allowed high-inrush current when a nonstandard PD is powered instantaneously

Command                                       Explanation
Port Mode
power inline power-up mode                    Enable/disable the allowed high-inrush current
(af | high-inrush | pre-at | at)              when a nonstandard PD is powered instantaneously.
no power inline power-up mode

6. Enable or disable PoE on specified ports

Command Explanation
Port Mode
power inline enable
Enable/ disable PoE.
no power inline enable


7. Set the max output power on specified ports

Command Explanation
Port Mode
power inline max <max-wattage>
Set the max output power on specified ports.
no power inline max

8. Set the power priority on specified ports

Command Explanation
Port Mode
power inline priority {critical | high | low} Set the power priority on specified ports.

9.1.3 Typical Application of PoE


Requirements of Network Deployment
Set the max output power of DCRS-5960-28T-POE to 370W, assuming that the default max power can
satisfy the requirements.
Ethernet interface 1/0/2 is connected to an IP phone.
Ethernet interface 1/0/4 is connected to a wireless AP.
Ethernet interface 1/0/6 is connected to a Bluetooth AP.
Ethernet interface 1/0/8 is connected to a network camera.
The IP phone connected to Ethernet interface 1/0/2 has the highest power supply priority, critical,
which requires that the power supply to a newly connected PD be cut off if it would overload the
PSE (i.e. the priority policy of PD power management is adopted).
The power of the subordinate AP device connected to Ethernet interface 1/0/6 should not exceed
9000mW.

Topology of Network


Configuration Steps:
Globally enable PoE:
Switch(Config)# power inline enable
Globally set the max power to 370W:
Switch(Config)# power inline max 370
Globally enable the priority policy of power management:
Switch(Config)# power inline police enable
Set the priority of Port 1/0/2 to critical:
Switch(Config-Ethernet1/0/2)# power inline priority critical
Set the max output power of Port 1/0/6 to 9000mW:
Switch(Config-Ethernet1/0/6)#power inline max 9000

9.1.4 PoE Troubleshooting Help


If problems occur when using PoE, please check:
- When the global value of Power Remaining is less than 15W, the power source protection
mechanism cuts off the power supply to new PDs in first-come-first-serve mode, and in priority
policy mode existing low-priority devices will also be disconnected. If the Power Remaining is
over 15W, say 16W, any newly connected device drawing no more than 15W is powered normally
without affecting other devices. This 15W power supply buffer is designed for power source
protection and calls for special attention.
- The displayed value of Power might exceed the value of Max. This comes from the relationship
between the displayed power and the actual power, for instance:
The power set on the port, A, represents the actual output PoE power.
The displayed power, B, represents the total power of the port (total current × total voltage).
The power loss set on the port, C, represents the power loss of the internal sensor ohmic
resistance, MOSFET, etc.
Then: B = A + C
If the power is set as A = 500mW, the working current is 500mW/50V = 10mA (assuming the current
working voltage is 50V), so according to the following table the compensating current is
I = 2.44mA, and the compensating power is C = 50V × 2.44mA = 122mW.
B = A + C = 500 + 122 = 622mW. So only when the displayed power reaches 622mW will the PD be
disconnected.
Table:
Max Working Current (mA) Compensating Current (mA)
50 2.44
100 4.88
150 9.76
200 17.08
250 24.41
350 31.73

S4600_Configuration Guide Chapter 10 IPv6 Configuration

Chapter 10 IPv6 Configuration

10.1 DHCPv6

10.1.1 Introduction to DHCPv6


DHCPv6 [RFC3315] is the IPv6 version of the Dynamic Host Configuration Protocol (DHCP). It is a
protocol that assigns IPv6 addresses as well as other network configuration parameters, such as DNS
server addresses and domain names, to DHCPv6 clients; DHCPv6 is the conditional (stateful) auto
address configuration protocol for IPv6. In the conditional address configuration process, the
DHCPv6 server assigns a complete IPv6 address to the client and provides the DNS address, domain
name and other configuration information; the DHCPv6 packets may pass through a relay agent; and
finally the binding between the IPv6 address and the client is recorded by the DHCPv6 server, all of
which makes the network easier to manage. The DHCPv6 server can also provide stateless DHCPv6
service, which assigns only the DNS address, domain name and other configuration information but
no IPv6 address, filling the gap left by stateless IPv6 address autoconfiguration. DHCPv6 also
provides the DHCPv6 prefix delegation extension: an upstream router can automatically assign an
address prefix to a downstream router, achieving automatic IPv6 address assignment across the
levels of a network and solving the deployment problem for ISPs and IPv6 networks.
There are three entities in the DHCPv6 protocol: the client, the relay and the server. DHCPv6 runs
over UDP. The DHCPv6 client sends request messages to the DHCPv6 server or relay with destination
port 547, and the DHCPv6 server and relay send their replies with destination port 546. The DHCPv6
client sends Solicit or Request messages to the multicast address ff02::1:2, which reaches the
DHCPv6 relays and servers.

Figure 10-1 DHCPv6 negotiation: between the DHCPv6 client and the DHCPv6 server, Solicit (multicast),
Advertise (unicast), Request (multicast), Reply (unicast)

When a DHCPv6 client wants to request an IPv6 address and other configuration from a DHCPv6
server, it first has to locate the server and then request the configuration from it.
1. To locate a server, the DHCPv6 client sends a SOLICIT packet to the multicast address
FF02::1:2, which reaches all DHCPv6 relay agents and servers.


2. Any DHCPv6 server that receives the request replies to the client with an ADVERTISE
message, which includes the identity of the server (its DUID) and its preference (priority).
3. The client may receive multiple ADVERTISE messages. It selects one and replies with a
REQUEST message asking for the address advertised in that ADVERTISE message.
4. The selected DHCPv6 server then confirms the IPv6 address and any other configuration to
the client with a REPLY message.
These four steps complete a dynamic host configuration assignment. However, if the DHCPv6
server and the DHCPv6 client are not on the same network, the server will not receive the
multicast SOLICIT packets sent by the client, and therefore no DHCPv6 packets will be sent back
to the client. In this case, a DHCPv6 relay is required to forward the DHCPv6 packets so that
the exchange can be completed between the DHCPv6 client and the server.
At the time this manual was written, DHCPv6 server, relay and prefix delegation client had been
implemented on the switch. When the DHCPv6 relay receives a message from a DHCPv6 client, it
encapsulates the request in a Relay-forward packet and delivers it to the next DHCPv6 relay or to
the DHCPv6 server. DHCPv6 messages coming from the server are encapsulated as Relay-reply packets
to the DHCPv6 relay; the relay then removes the encapsulation and delivers the message to the
DHCPv6 client or to the next DHCPv6 relay in the network.
For DHCPv6 prefix delegation, where the DHCPv6 server is configured on the PE router and the
DHCPv6 client is configured on the CPE router, the CPE router can send an address prefix
allocation request to the PE router and obtain a pre-configured address prefix instead of having
the prefix set manually. The protocol negotiation between the prefix delegation client and the
server is quite similar to that for obtaining a DHCPv6 address. The CPE router then divides the
allocated prefix, whose length should be less than 64 bits, into /64 subnets. The divided address
prefixes are advertised through router advertisement messages (RA) to the hosts directly
connected to the client.
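As an added example (not part of the S4600 guide), the Solicit/Advertise/Request/Reply exchange described above modelled in Python: two servers answer the same Solicit, the client keeps the Advertise with the highest preference and sends its Request to that server's DUID, and the server leases an address from its pool and records the binding. The pool, excluded address, DNS servers, lifetimes and preference 80 mirror the Switch3 configuration in section 10.1.6; the DUIDs, the second server and the link-local client addresses are constructed, and the messages are Python objects rather than wire encoding.

```python
import ipaddress
from dataclasses import dataclass, field

ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"  # Solicit and Request go to this multicast group
SERVER_PORT, CLIENT_PORT = 547, 546               # UDP ports named in the text (informational here)


@dataclass
class Message:
    kind: str              # SOLICIT, ADVERTISE, REQUEST or REPLY
    dst: str               # destination IPv6 address (multicast or unicast)
    client_duid: str
    server_duid: str = ""
    preference: int = 0
    address: str = ""
    dns: tuple = ()
    lifetimes: tuple = ()  # (valid-time, preferred-time) in seconds


@dataclass
class Server:
    duid: str
    preference: int
    pool_start: str
    pool_end: str
    excluded: frozenset    # excluded-address entries of the pool
    dns: tuple
    lifetimes: tuple
    leases: dict = field(default_factory=dict)  # client DUID -> leased address

    def _available(self, addr):
        """True if addr lies in the pool, is not excluded and is not leased."""
        a = ipaddress.IPv6Address(addr)
        in_pool = ipaddress.IPv6Address(self.pool_start) <= a <= ipaddress.IPv6Address(self.pool_end)
        return in_pool and str(a) not in self.excluded and str(a) not in self.leases.values()

    def _free_address(self):
        """Lowest available pool address, or None when the pool is exhausted."""
        cur, end = ipaddress.IPv6Address(self.pool_start), ipaddress.IPv6Address(self.pool_end)
        while cur <= end:
            if self._available(str(cur)):
                return str(cur)
            cur += 1
        return None

    def handle(self, msg, client_addr):
        if msg.kind == "SOLICIT":
            # Every server on the link answers a Solicit with its DUID, its
            # preference and the address it would hand out.
            offer = self.leases.get(msg.client_duid) or self._free_address()
            if offer is None:
                return None
            return Message("ADVERTISE", client_addr, msg.client_duid, self.duid,
                           self.preference, offer, self.dns, self.lifetimes)
        if msg.kind == "REQUEST":
            # The Request is multicast as well, but only the server named by DUID replies.
            if msg.server_duid != self.duid:
                return None
            addr = self.leases.get(msg.client_duid)
            if addr is None:
                addr = msg.address if self._available(msg.address) else self._free_address()
                if addr is None:
                    return None
                self.leases[msg.client_duid] = addr  # the binding the server records
            return Message("REPLY", client_addr, msg.client_duid, self.duid,
                           self.preference, addr, self.dns, self.lifetimes)
        raise ValueError("unexpected message type " + msg.kind)


def client_exchange(client_duid, client_addr, servers):
    """Run the four steps; returns (chosen Advertise, Reply) or (None, None)."""
    solicit = Message("SOLICIT", ALL_DHCP_RELAY_AGENTS_AND_SERVERS, client_duid)
    advertises = [a for a in (s.handle(solicit, client_addr) for s in servers) if a]
    if not advertises:
        return None, None
    best = max(advertises, key=lambda a: a.preference)  # highest preference wins
    request = Message("REQUEST", ALL_DHCP_RELAY_AGENTS_AND_SERVERS, client_duid,
                      server_duid=best.server_duid, address=best.address)
    replies = [r for r in (s.handle(request, client_addr) for s in servers) if r]
    return best, (replies[0] if replies else None)


# Constructed servers: Switch3 from section 10.1.6 (preference 80) and a second
# server with a lower preference that the client should pass over.
SWITCH3 = Server("duid-switch3", 80, "2001:da8:100:1::1", "2001:da8:100:1::100",
                 frozenset({"2001:da8:100:1::1"}), ("2001:da8::20", "2001:da8::21"), (1000, 600))
OTHER = Server("duid-other", 10, "2001:db8:ffff::1", "2001:db8:ffff::10",
               frozenset(), ("2001:db8::53",), (600, 300))

if __name__ == "__main__":
    best, reply = client_exchange("duid-pc1", "fe80::1", [SWITCH3, OTHER])
    print(best.server_duid, reply.address, reply.dns, reply.lifetimes)
```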

10.1.2 DHCPv6 Server Configuration


DHCPv6 server configuration task list as below:
1. To enable/disable DHCPv6 service
2. To configure DHCPv6 address pool
(1) To create/delete DHCPv6 address pool
(2) To configure parameters of DHCPv6 address pool
3. To enable DHCPv6 server function on port

1. To enable/disable DHCPv6 service


Command                                               Explanation
Global Mode
service dhcpv6                                        To enable DHCPv6 service.
no service dhcpv6

2. To configure DHCPv6 address pool


(1) To create/delete DHCPv6 address pool
Command                                               Explanation
Global Mode
ipv6 dhcp pool <poolname>                             To configure DHCPv6 address pool.
no ipv6 dhcp pool <poolname>
(2) To configure parameters of DHCPv6 address pool
Command                                               Explanation
DHCPv6 address pool Configuration Mode
network-address <ipv6-pool-start-address>             To configure the range of assignable IPv6
{<ipv6-pool-end-address> | <prefix-length>} [eui-64]  addresses of the address pool.
no network-address
dns-server <ipv6-address>                             To configure the DNS server address for DHCPv6
no dns-server <ipv6-address>                          clients.
domain-name <domain-name>                             To configure the DHCPv6 client domain name.
no domain-name <domain-name>
excluded-address <ipv6-address>                       To exclude an IPv6 address that is not used for
no excluded-address <ipv6-address>                    dynamic assignment from the address pool.
lifetime {<valid-time> | infinity}                    To configure the valid time or preferred time of
{<preferred-time> | infinity}                         the DHCPv6 address pool.
no lifetime

3. To enable DHCPv6 server function on port.


Command                                               Explanation
Interface Configuration Mode
ipv6 dhcp server <poolname> [preference <value>]      To enable the DHCPv6 server function on the
[rapid-commit] [allow-hint]                           specified port and bind the DHCPv6 address pool
no ipv6 dhcp server <poolname>                        to use.

10.1.3 DHCPv6 Relay Delegation Configuration


DHCPv6 relay delegation configuration task list as below:
1. To enable/disable DHCPv6 service
2. To configure DHCPv6 relay delegation on port

1. To enable DHCPv6 service


Command                                               Explanation
Global Mode
service dhcpv6                                        To enable DHCPv6 service.
no service dhcpv6

2. To configure DHCPv6 relay delegation on port


Command                                               Explanation
Interface Configuration Mode
ipv6 dhcp relay destination {[<ipv6-address>]         To specify the destination address the DHCPv6
[interface {<interface-name> | vlan <1-4096>}]}       relay forwards to; the no form of this command
no ipv6 dhcp relay destination {[<ipv6-address>]      deletes the configuration.
[interface {<interface-name> | vlan <1-4096>}]}

10.1.4 DHCPv6 Prefix Delegation Server Configuration


DHCPv6 prefix delegation server configuration task list as below:
1. To enable/disable DHCPv6 service
2. To configure prefix delegation pool
3. To configure DHCPv6 address pool
(1) To create/delete DHCPv6 address pool
(2) To configure prefix delegation pool used by DHCPv6 address pool
(3) To configure static prefix delegation binding
(4) To configure other parameters of DHCPv6 address pool
4. To enable DHCPv6 prefix delegation server function on port

1. To enable/disable DHCPv6 service


Command Explanation
Global Mode
service dhcpv6
To enable DHCPv6 service.
no service dhcpv6

2. To configure prefix delegation pool


Command                                               Explanation
Global Mode
ipv6 local pool <poolname> <prefix|prefix-length>     To configure prefix delegation pool.
<assigned-length>
no ipv6 local pool <poolname>

3. To configure DHCPv6 address pool


(1) To create/delete DHCPv6 address pool
Command                                               Explanation
Global Mode
ipv6 dhcp pool <poolname>                             To configure DHCPv6 address pool.
no ipv6 dhcp pool <poolname>
(2)To configure prefix delegation pool used by DHCPv6 address pool
Command                                               Explanation
DHCPv6 address pool Configuration Mode
prefix-delegation pool <poolname>                     To specify the prefix delegation pool used by the
[lifetime <valid-time> <preferred-time>]              DHCPv6 address pool, from which usable prefixes
no prefix-delegation pool <poolname>                  are assigned to clients.
(3) To configure static prefix delegation binding
Command                                               Explanation
DHCPv6 address pool Configuration Mode
prefix-delegation <ipv6-prefix/prefix-length>         To specify the IPv6 prefix, and any prefix
<client-DUID> [iaid <iaid>]                           required by the client, for a static binding.
[lifetime <valid-time> <preferred-time>]
no prefix-delegation <ipv6-prefix/prefix-length>
<client-DUID> [iaid <iaid>]

(4) To configure other parameters of DHCPv6 address pool


Command                                               Explanation
DHCPv6 address pool Configuration Mode
dns-server <ipv6-address>                             To configure the DNS server address for DHCPv6
no dns-server <ipv6-address>                          clients.
domain-name <domain-name>                             To configure the domain name for DHCPv6 clients.
no domain-name <domain-name>

4. To enable DHCPv6 prefix delegation server function on port


Command                                               Explanation
Interface Configuration Mode
ipv6 dhcp server <poolname> [preference <value>]      To enable the DHCPv6 server function on the
[rapid-commit] [allow-hint]                           specified port and bind the DHCPv6 address pool
no ipv6 dhcp server <poolname>                        to use.

10.1.5 DHCPv6 Prefix Delegation Client Configuration


DHCPv6 prefix delegation client configuration task list as below:
1. To enable/disable DHCPv6 service
2. To enable DHCPv6 prefix delegation client function on port

1. To enable/disable DHCPv6 service


Command                                               Explanation
Global Mode
service dhcpv6                                        To enable DHCPv6 service.
no service dhcpv6

2. To enable DHCPv6 prefix delegation client function on port


Command                                               Explanation
Interface Configuration Mode
ipv6 dhcp client pd <prefix-name> [rapid-commit]      To enable the client prefix delegation request
no ipv6 dhcp client pd                                function on the specified port; the obtained prefix
                                                      is associated with the universal prefix configured.

10.1.6 DHCPv6 Configuration Examples


Example 1:
When deploying IPv6 networking, the switch can be configured as a DHCPv6 server in order to
manage the allocation of IPv6 addresses. Both stateful and stateless DHCPv6 are supported.
Topology:
The access layer uses switch Switch1 to connect the users of the dormitory buildings, and it is
configured as a DHCPv6 relay; Switch3 is configured as the DHCPv6 server in the secondary
aggregation layer and is connected with the backbone network or higher aggregation layers; the
PCs run Windows Vista, which provides the DHCPv6 client.

Usage guide:


Switch3 configuration:
Switch3>enable
Switch3#config
Switch3(config)#service dhcpv6
Switch3(config)#ipv6 dhcp pool EastDormPool
Switch3(dhcpv6-EastDormPool-config)#network-address 2001:da8:100:1::1 2001:da8:100:1::100
Switch3(dhcpv6-EastDormPool-config)#excluded-address 2001:da8:100:1::1
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::20
Switch3(dhcpv6-EastDormPool-config)#dns-server 2001:da8::21
Switch3(dhcpv6-EastDormPool-config)#domain-name dhcpv6.com
Switch3(dhcpv6-EastDormPool-config)#lifetime 1000 600
Switch3(dhcpv6-EastDormPool-config)#exit
Switch3(config)#interface vlan 1
Switch3(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::1/64
Switch3(Config-if-Vlan1)#exit
Switch3(config)#interface vlan 10
Switch3(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::1/64
Switch3(Config-if-Vlan10)#ipv6 dhcp server EastDormPool preference 80
Switch3(Config-if-Vlan10)#exit
Switch3(config)#

Switch2 configuration:
Switch2>enable
Switch2#config
Switch2(config)#service dhcpv6
Switch2(config)#interface vlan 1
Switch2(Config-if-Vlan1)#ipv6 address 2001:da8:1:1::2/64
Switch2(Config-if-Vlan1)#exit
Switch2(config)#interface vlan 10
Switch2(Config-if-Vlan10)#ipv6 address 2001:da8:10:1::2/64
Switch2(Config-if-Vlan10)#exit
Switch2(config)#interface vlan 100
Switch2(Config-if-Vlan100)#ipv6 address 2001:da8:100:1::1/64
Switch2(Config-if-Vlan100)#no ipv6 nd suppress-ra
Switch2(Config-if-Vlan100)#ipv6 nd managed-config-flag
Switch2(Config-if-Vlan100)#ipv6 nd other-config-flag
Switch2(Config-if-Vlan100)#exit
Switch2(config)#

Switch1 configuration:
Switch1(config)#service dhcpv6
Switch1(config)#interface vlan 1
Switch1(Config-if-Vlan1)#ipv6 address 2001:da8:100:1::2/64
Switch1(Config-if-Vlan1)#ipv6 dhcp relay destination 2001:da8:10:1::1


10.1.7 DHCPv6 Troubleshooting


If the DHCPv6 clients cannot obtain IPv6 addresses and other network parameters, the following
procedures can be followed once the DHCPv6 client hardware and cables have been verified:
- Verify that the DHCPv6 server is running, and start the DHCPv6 server function if it is not;
- If the DHCPv6 clients and servers are not in the same physical network, verify that the router
responsible for DHCPv6 packet forwarding has the DHCPv6 relay function. If DHCPv6 relay is not
available on the intermediate router, it is recommended to replace the router or upgrade its
software to a version that has the DHCPv6 relay function;
- Sometimes hosts are connected to DHCPv6-enabled switches but cannot get IPv6 addresses. In this
situation, first check whether the ports the hosts are connected to are connected to the port the
DHCPv6 server is connected to. If connected directly, then check whether the IPv6 address pool of
the VLAN the port belongs to is in the same subnet as the address pool configured on the DHCPv6
server. If not connected directly, and a layer 3 DHCPv6 relay is configured between the hosts and
the DHCPv6 server, first check whether a valid IPv6 address has been configured on the switch
interface the hosts are connected to. If not, configure a valid IPv6 address. If it is configured,
check whether the configured IPv6 address is in the same subnet as the DHCPv6 server. If not,
please add it to the address pool.

10.2 DHCPv6 option37, 38

10.2.1 Introduction to DHCPv6 option37, 38


DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for the IPv6 address scheme and
is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts.
When a DHCPv6 client on a different link wants to request an address and configuration
parameters from a DHCPv6 server, it has to communicate with the server through a DHCPv6 relay
agent. The DHCPv6 message received by the relay agent node is re-encapsulated into a
Relay-forward packet and forwarded to the server; the server sends a Relay-reply packet back to
the DHCPv6 relay agent node on the other link, and the relay agent node restores the DHCPv6
message and delivers it to the DHCPv6 client, completing the communication between client and
server.


Some problems arise when using a DHCPv6 relay agent, for example: how to assign IP addresses from
a fixed range to specific users; how to prevent an illegal DHCPv6 client from forging the MAC
address fields of DHCPv6 packets to trigger an IP address exhaustion attack; and how to prevent an
illegal DHCPv6 client from triggering a denial of service attack by using the MAC addresses of
other legal clients. The IETF therefore defined RFC 4649 and RFC 4580, i.e. DHCPv6 option 37 and
option 38, to solve these problems.
DHCPv6 option 37 and option 38 are similar to DHCP option 82. When a DHCPv6 client sends request
packets to the DHCPv6 server through a DHCPv6 relay agent, and the relay agent supports option 37
and option 38, they are added to the request packets. In the response packets from the server,
option 37 and option 38 are meaningless and are stripped. The use of option 37 and option 38 is
therefore transparent to the client.
With option 37 and option 38 the DHCPv6 server can authenticate the identity of the DHCPv6 client
and the DHCPv6 relay device, assign and manage client addresses flexibly through a configured
assignment policy, and effectively prevent DHCPv6 attacks based on the included client
information, such as forging the MAC address fields of DHCPv6 packets to trigger an IP address
exhaustion attack. Since the server can identify multiple request packets from the same access
port, it can limit the number of addresses assigned through policy to avoid address exhaustion.
However, RFC 4649 and RFC 4580 do not define how a DHCPv6 server should use option 37 and option
38, so users can apply them flexibly according to their own needs.

10.2.2 DHCPv6 option37, 38 Configuration Task List


1. DHCPv6 snooping option basic functions configuration
2. DHCPv6 relay option basic functions configuration
3. DHCPv6 server option basic functions configuration

1. DHCPv6 snooping option basic functions configuration


Command                                                     Description
Global mode
ipv6 dhcp snooping remote-id option                         Enables DHCPv6 snooping support for option 37;
no ipv6 dhcp snooping remote-id option                      the no command disables it.
ipv6 dhcp snooping subscriber-id option                     Enables DHCPv6 snooping support for option 38;
no ipv6 dhcp snooping subscriber-id option                  the no command disables it.
ipv6 dhcp snooping remote-id policy {drop | keep | replace} Configures the forwarding policy of the system
no ipv6 dhcp snooping remote-id policy                      when it receives DHCPv6 packets that already
                                                            carry option 37:
                                                            drop, the system simply discards the packet;
                                                            keep, the system keeps option 37 unchanged and
                                                            forwards the packet to the server;
                                                            replace, the system replaces option 37 of the
                                                            packet with its own before forwarding it to
                                                            the server.
                                                            The no command sets the policy for DHCPv6
                                                            packets with option 37 back to replace.
ipv6 dhcp snooping subscriber-id policy {drop | keep |      Configures the forwarding policy of the system
replace}                                                    when it receives DHCPv6 packets that already
no ipv6 dhcp snooping subscriber-id policy                  carry option 38:
                                                            drop, the system simply discards the packet;
                                                            keep, the system keeps option 38 unchanged and
                                                            forwards the packet to the server;
                                                            replace, the system replaces option 38 of the
                                                            packet with its own before forwarding it to
                                                            the server.
                                                            The no command sets the policy for DHCPv6
                                                            packets with option 38 back to replace.
ipv6 dhcp snooping subscriber-id select (sp | sv | pv |     Configures the user options used to generate
spv) delimiter WORD (delimiter WORD |)                      the subscriber-id. The no command restores the
no ipv6 dhcp snooping subscriber-id select delimiter        default, i.e. enterprise number together with
                                                            VLAN MAC.
ipv6 dhcp snooping subscriber-id select (sp | sv | pv |     Configures the user options used to generate
spv) delimiter WORD (delimiter WORD |)                      the subscriber-id. The no command restores the
no ipv6 dhcp snooping subscriber-id select delimiter        default, i.e. VLAN name together with port
                                                            name.
Port mode
ipv6 dhcp snooping remote-id <remote-id>                    Sets the form of option 37 added to received
no ipv6 dhcp snooping remote-id                             DHCPv6 request packets; <remote-id> is the
                                                            user-defined remote-id content of option 37, a
                                                            string with a length of less than 128. The no
                                                            operation restores the remote-id in option 37
                                                            to enterprise number together with VLAN MAC
                                                            address.
ipv6 dhcp snooping subscriber-id <subscriber-id>            Sets the form of option 38 added to received
no ipv6 dhcp snooping subscriber-id                         DHCPv6 request packets; <subscriber-id> is the
                                                            user-defined subscriber-id content of option
                                                            38, a string with a length of less than 128.
                                                            The no operation restores the subscriber-id in
                                                            option 38 to VLAN name together with port name,
                                                            such as "Vlan2+Ethernet1/0/2".

2. DHCPv6 relay option basic functions configuration


Command                                                     Description
Global mode
ipv6 dhcp relay remote-id option                            Enables the switch relay to support option 37;
no ipv6 dhcp relay remote-id option                         the no form of this command disables it.
ipv6 dhcp relay subscriber-id option                        Enables the switch relay to support option 38;
no ipv6 dhcp relay subscriber-id option                     the no form of this command disables it.
ipv6 dhcp relay remote-id delimiter WORD                    Configures the user options used to generate
no ipv6 dhcp relay remote-id delimiter                      the remote-id. The no command restores the
                                                            default, i.e. enterprise number together with
                                                            VLAN MAC.
ipv6 dhcp relay subscriber-id select (sp | sv | pv | spv)   Configures the user options used to generate
delimiter WORD (delimiter WORD |)                           the subscriber-id. The no command restores the
no ipv6 dhcp relay subscriber-id select delimiter           default, i.e. VLAN name together with port
                                                            name.
Layer 3 interface configuration mode
ipv6 dhcp relay remote-id <remote-id>                       Sets the form of option 37 added to received
no ipv6 dhcp relay remote-id                                DHCPv6 request packets; <remote-id> is the
                                                            user-defined remote-id content of option 37, a
                                                            string with a length of less than 128. The no
                                                            operation restores the remote-id in option 37
                                                            to enterprise number together with VLAN MAC
                                                            address.
ipv6 dhcp relay subscriber-id <subscriber-id>               Sets the form of option 38 added to received
no ipv6 dhcp relay subscriber-id                            DHCPv6 request packets; <subscriber-id> is the
                                                            user-defined subscriber-id content of option
                                                            38, a string with a length of less than 128.
                                                            The no operation restores the subscriber-id in
                                                            option 38 to VLAN name together with port name,
                                                            such as "Vlan2+Ethernet1/0/2".

3. DHCPv6 server option basic functions configuration


Command                                                     Description
Global mode
ipv6 dhcp server remote-id option                           Enables the DHCPv6 server to identify option 37;
no ipv6 dhcp server remote-id option                        the no form of this command disables it.
ipv6 dhcp server subscriber-id option                       Enables the DHCPv6 server to identify option 38;
no ipv6 dhcp server subscriber-id option                    the no form of this command disables it.
ipv6 dhcp use class                                         Enables the DHCPv6 server to use DHCPv6 classes
no ipv6 dhcp use class                                      during address assignment; the no form disables
                                                            it without removing the DHCPv6 class
                                                            information that has been configured.
ipv6 dhcp class <class-name>                                Defines a DHCPv6 class and enters DHCPv6 class
no ipv6 dhcp class <class-name>                             mode; the no form removes the DHCPv6 class.
Interface configuration mode
ipv6 dhcp server select relay-forw                          Enables the DHCPv6 server to choose when
no ipv6 dhcp server select relay-forw                       multiple option 37 or option 38 instances
                                                            exist: the option 37 and option 38 of the
                                                            innermost relay-forw are selected. The no
                                                            operation restores the default, i.e. selecting
                                                            option 37 and option 38 of the original packet.
IPv6 DHCP class configuration mode
{remote-id [*] <remote-id> [*] | subscriber-id [*]          Configures the option 37 and option 38 values
<subscriber-id> [*]}                                        that match the class, in ipv6 dhcp class
no {remote-id [*] <remote-id> [*] | subscriber-id [*]       configuration mode.
<subscriber-id> [*]}
DHCPv6 address pool configuration mode
class <class-name>                                          Associates a class with the address pool and
no class <class-name>                                       enters class configuration mode within the
                                                            pool. Use the no command to remove the
                                                            association.
address range <start-ip> <end-ip>                           Sets the address range of a DHCPv6 class in
no address range <start-ip> <end-ip>                        DHCPv6 address pool configuration mode; the no
                                                            command removes the address range. The
                                                            prefix/plen form is not supported.


10.2.3 DHCPv6 option37, 38 Examples

10.2.3.1 DHCPv6 Snooping option37, 38 Example

Figure 10-2 DHCPv6 Snooping option schematic: Switch B (the DHCPv6 server) is connected to interface
E1/0/1 of Switch A; hosts MAC-AA, MAC-BB and MAC-CC are connected to interfaces E1/0/2, E1/0/3 and
E1/0/4 of Switch A


As shown in the figure above, MAC-AA, MAC-BB and MAC-CC are normal users connected to the
untrusted interfaces 1/0/2, 1/0/3 and 1/0/4 respectively, and they obtain the IP addresses 2010:2,
2010:3 and 2010:4 through the DHCPv6 client; the DHCPv6 server is connected to the trusted
interface 1/0/1. Three address assignment policies (classes) are configured: CLASS1 matches option
38, CLASS2 matches option 37, and CLASS3 matches both option 37 and option 38. In the address pool
EastDormPool, requests matching CLASS1, CLASS2 and CLASS3 are assigned addresses from the ranges
2001:da8:100:1::2 to 2001:da8:100:1::30, 2001:da8:100:1::31 to 2001:da8:100:1::60 and
2001:da8:100:1::61 to 2001:da8:100:1::100 respectively; the DHCPv6 snooping function is enabled
and option 37 and option 38 are configured on Switch A.
Switch A configuration:
SwitchA(config)#ipv6 dhcp snooping remote-id option
SwitchA(config)#ipv6 dhcp snooping subscriber-id option
SwitchA(config)#int e 1/0/1
SwitchA(config-if-ethernet1/0/1)#ipv6 dhcp snooping trust
SwitchA(config-if-ethernet1/0/1)#exit
SwitchA(config)#interface vlan 1
SwitchA(config-if-vlan1)#ipv6 address 2001:da8:100:1::1
SwitchA(config-if-vlan1)#exit
SwitchA(config)#interface ethernet 1/0/1-4
SwitchA(config-if-port-range)#switchport access vlan 1
SwitchA(config-if-port-range)#exit
SwitchA(config)#

Switch B configuration:
SwitchB(config)#service dhcpv6
SwitchB(config)#ipv6 dhcp server remote-id option
SwitchB(config)#ipv6 dhcp server subscriber-id option
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#network-address 2001:da8:100:1::2 2001:da8:100:1::1000
SwitchB(dhcpv6-eastdormpool-config)#dns-server 2001::1
SwitchB(dhcpv6-eastdormpool-config)#domain-name dhcpv6.com
SwitchB(dhcpv6-eastdormpool-config)#excluded-address 2001:da8:100:1::2
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#
SwitchB(config)#ipv6 dhcp class CLASS1
SwitchB(dhcpv6-class-class1-config)#remote-id 00-03-0f-00-00-01 subscriber-id vlan1+Ethernet1/0/1
SwitchB(dhcpv6-class-class1-config)#exit
SwitchB(config)#ipv6 dhcp class CLASS2
SwitchB(dhcpv6-class-class2-config)#remote-id 00-03-0f-00-00-01 subscriber-id vlan1+Ethernet1/0/2
SwitchB(dhcpv6-class-class2-config)#exit
SwitchB(config)#ipv6 dhcp class CLASS3
SwitchB(dhcpv6-class-class3-config)#remote-id 00-03-0f-00-00-01 subscriber-id vlan1+Ethernet1/0/3
SwitchB(dhcpv6-class-class3-config)#exit
SwitchB(config)#ipv6 dhcp pool EastDormPool
SwitchB(dhcpv6-eastdormpool-config)#class CLASS1
SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#address range 2001:da8:100:1::3 2001:da8:100:1::30
SwitchB(dhcpv6-pool-eastdormpool-class-class1-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#class CLASS2
SwitchB(dhcpv6-pool-eastdormpool-class-class2-config)#address range 2001:da8:100:1::31 2001:da8:100:1::60
SwitchB(dhcpv6-pool-eastdormpool-class-class2-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#class CLASS3
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#address range 2001:da8:100:1::61 2001:da8:100:1::100
SwitchB(dhcpv6-pool-eastdormpool-class-class3-config)#exit
SwitchB(dhcpv6-eastdormpool-config)#exit
SwitchB(config)#interface vlan 1
SwitchB(config-if-vlan1)#ipv6 address 2001:da8:100:1::2/64
SwitchB(config-if-vlan1)#ipv6 dhcp server EastDormPool
SwitchB(config-if-vlan1)#exit
SwitchB(config)#


10.2.3.2 DHCPv6 Relay option37, 38 Example

Example 1:
When deploying an IPv6 campus network, the DHCPv6 server function of a routing device can be used for IPv6 address allocation when no dedicated server is deployed for centralized allocation and management of IPv6 addresses. The DHCPv6 server supports both stateful and stateless DHCPv6.
Network topology:
In the access layer, the layer 2 access device Switch1 connects the users in the dormitory; in the first-level aggregation layer, the aggregation device Switch2 acts as the DHCPv6 relay agent; in the second-level aggregation layer, the aggregation device Switch3 acts as the DHCPv6 server and connects to the backbone network or to devices in a higher aggregation layer; on the user side, the PCs generally run Windows Vista, which includes a DHCPv6 client.

Figure 10-3 DHCPv6 relay option schematic


Switch2 configuration:
S2(config)#service dhcpv6
S2(config)#ipv6 dhcp relay remote-id option
S2(config)#ipv6 dhcp relay subscriber-id option
S2(config)#vlan 10
S2(config-vlan10)#int vlan 10
S2(config-if-vlan10)#ipv6 address 2001:da8:1:::2/64
S2(config-if-vlan10)#ipv6 dhcp relay destination 2001:da8:10:1::1
S2(config-if-vlan10)#exit
S2(config)#


10.2.4 DHCPv6 option37, 38 Troubleshooting


 Request packets sent by a DHCPv6 client are multicast packets that the device receives only within the client's VLAN. For the DHCPv6 server to receive them, client and server must be in the same VLAN; otherwise a DHCPv6 relay is required.
 Snooping option 37/38 applies one of the following policies to DHCPv6 request packets that already carry option 37/38: replace the original option 37/38 with its own, discard the packets, or leave them untouched (neither adding, discarding nor modifying). So when a client obtains a wrong address, or no address at all, according to option 37/38, check the option 37/38 policy configured on the second device.
 By default the DHCPv6 server uses the option 37/38 carried in the packet from the client; only if the client packet carries none does it use the option 37/38 added by the relay.
 The DHCPv6 server only checks whether the first DHCPv6 relay added option 37/38; that is, only the option 37/38 in the innermost relay-forw message of a relayed packet is valid.
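The last two points describe how the server walks a relayed packet. The following Python block is an added example, not part of this guide or of the switch's own software: it builds a DHCPv6 Solicit wrapped in two Relay-forward layers, each relay attaching its own option 37 (remote-id) and option 38 (subscriber-id), shows which pair a server applying these rules acts on, and shows how a snooping switch's replace or drop policy handles a client that forges its own option 38. Message layout follows RFC 8415 (Relay-forward, option 9 relay-msg) with option 37/38 from RFC 4649/4580. The addresses, MACs, enterprise number 0 and the "vlanN+port" subscriber strings are constructed sample values, and the policy names "replace", "drop" and "keep" are this example's labels for the three behaviours listed above, not CLI keywords of the switch.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 8415; options 37/38 from RFC 4649/4580)
SOLICIT, RELAY_FORW = 1, 12
OPTION_CLIENTID, OPTION_RELAY_MSG, OPTION_REMOTE_ID, OPTION_SUBSCRIBER_ID = 1, 9, 37, 38
ID_OPTIONS = (OPTION_REMOTE_ID, OPTION_SUBSCRIBER_ID)
RELAY_HDR_LEN = 34  # msg-type(1) hop-count(1) link-address(16) peer-address(16)

def option(code, data):
    """Encode one option: code(2) length(2) data."""
    return struct.pack("!HH", code, len(data)) + data

def parse_options(buf):
    """Decode a run of options into [(code, data)], refusing truncated ones."""
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated option body")
        opts.append((code, bytes(buf[off:off + length])))
        off += length
    return opts

def remote_id(enterprise, ident):
    """Option 37: enterprise-number(4) followed by the relay's identifier (a MAC here)."""
    return option(OPTION_REMOTE_ID, struct.pack("!I", enterprise) + ident)

def subscriber_id(text):
    """Option 38: opaque subscriber string, e.g. the 'vlanN+port' form the guide uses."""
    return option(OPTION_SUBSCRIBER_ID, text.encode())

def relay_forw(hop, link_addr, peer_addr, inner, *extra):
    """Wrap a client message (or another Relay-forward) in a Relay-forward."""
    return (bytes([RELAY_FORW, hop]) + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed
            + option(OPTION_RELAY_MSG, inner) + b"".join(extra))

def unwrap_relays(msg):
    """Peel nested Relay-forward layers; returns (layers, client_msg) where layers
    lists each relay's own options, outermost first, with relay-msg removed."""
    layers = []
    while msg and msg[0] == RELAY_FORW:
        if len(msg) < RELAY_HDR_LEN:
            raise ValueError("truncated relay header")
        opts = parse_options(msg[RELAY_HDR_LEN:])
        inner = [d for c, d in opts if c == OPTION_RELAY_MSG]
        if len(inner) != 1:
            raise ValueError("Relay-forward must carry exactly one relay-msg option")
        layers.append([(c, d) for c, d in opts if c != OPTION_RELAY_MSG])
        msg = inner[0]
    return layers, msg

def pick_ids(opts):
    """Decode option 37/38 from one option list, or None if neither is present."""
    codes = dict(opts)
    rid, sid = codes.get(OPTION_REMOTE_ID), codes.get(OPTION_SUBSCRIBER_ID)
    if rid is None and sid is None:
        return None
    if rid is not None and len(rid) < 4:
        raise ValueError("remote-id shorter than its enterprise-number field")
    return {"remote_id": None if rid is None else (struct.unpack("!I", rid[:4])[0], rid[4:].hex("-")),
            "subscriber_id": None if sid is None else sid.decode("ascii", "replace")}

def server_view(msg):
    """What a server following 10.2.4 acts on: the client's own option 37/38 if
    present, otherwise the innermost relay's; outer relays' copies are ignored."""
    layers, client = unwrap_relays(msg)
    own = pick_ids(parse_options(client[4:]))  # client msg: type(1) xid(3) options
    if own is not None:
        return own
    return pick_ids(layers[-1]) if layers else None

def apply_snooping_policy(client_msg, policy, own_rid, own_sid):
    """Snooping policy for a client message that carries option 37/38 itself:
    'replace' swaps in the switch's own, 'drop' returns None, 'keep' leaves it."""
    opts = parse_options(client_msg[4:])
    carries = any(c in ID_OPTIONS for c, _ in opts)
    if policy == "drop":
        return None if carries else client_msg
    if policy == "replace":
        kept = b"".join(option(c, d) for c, d in opts if c not in ID_OPTIONS)
        return client_msg[:4] + kept + own_rid + own_sid
    if policy == "keep":
        return client_msg
    raise ValueError(f"unknown policy {policy!r}")

# Constructed sample: client behind Switch2 (first relay), then a second relay hop
CLIENT_MAC = bytes.fromhex("001122334455")
SOLICIT_MSG = bytes([SOLICIT]) + b"\x00\x00\x01" + option(OPTION_CLIENTID, b"\x00\x03\x00\x01" + CLIENT_MAC)
S2_RID, S2_SID = remote_id(0, bytes.fromhex("00030f000001")), subscriber_id("vlan10+Ethernet1/0/1")
HOP1 = relay_forw(0, "2001:da8:1::2", "fe80::211:22ff:fe33:4455", SOLICIT_MSG, S2_RID, S2_SID)
HOP2 = relay_forw(1, "2001:da8:10:1::2", "2001:da8:1::2", HOP1,
                  remote_id(0, bytes.fromhex("00030f0000ff")), subscriber_id("vlan20+Ethernet1/0/5"))
# A client forging its own option 38 to be placed in another address class
SPOOFED_SOLICIT = SOLICIT_MSG + subscriber_id("vlan1+Ethernet1/0/3")
```

`server_view(HOP2)` returns Switch2's pair, not the outer relay's, which is the innermost-relay rule above. `server_view` of the forged client message returns the client's own string, which is why the first access switch should run the "replace" (or "drop") policy before the message reaches a server that selects address classes by option 38.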

10.3 IPv6 Multicast Protocol

10.3.1 MLD Snooping

10.3.1.1 Introduction to MLD Snooping


MLD, the Multicast Listener Discovery protocol, implements multicasting in IPv6. It is used by network equipment such as multicast-capable routers to discover multicast listeners, and by listeners that wish to join a multicast group to tell the router to deliver packets sent to that multicast address; all of this is done through MLD message exchange. First the router sends an MLD Multicast Listener Query to the all-nodes multicast address (ff02::1), which reaches every listener. Any listener that wishes to join a multicast address replies with an MLD Multicast Listener Report sent to that multicast address.
MLD Snooping is MLD listening. With MLD Snooping the switch keeps multicast traffic from flooding the VLAN and forwards it only to the ports behind which multicast listeners or multicast routers sit. The switch listens to the MLD messages exchanged between multicast routers and listeners, maintains a multicast group forwarding list from what it hears, and forwards multicast packets according to that list.
The switch implements MLD Snooping while supporting MLDv2, so users can receive IPv6 multicast through the switch.
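How the forwarding list is built from what the switch hears, as an added example that is not from this guide or the vendor: a small MLDv2 Report parser (ICMPv6 type 143, RFC 3810) feeds a per-VLAN snooping table keyed by (source, group). The egress set for a flow is the matching listener ports plus every mrouter port, a leave is honoured immediately only when immediate-leave is on, and a per-VLAN group limit refuses new groups the way the `limit group` command in the task table of 10.3.1.2 does. Scenario 1 of 10.3.1.3 is replayed at the end. Checksum verification and the query and timer machinery of a real implementation are omitted; the server and group addresses are constructed sample values.

```python
import ipaddress
import struct

MLDV2_REPORT = 143  # ICMPv6 type of an MLDv2 Multicast Listener Report (RFC 3810)
MODE_IS_INCLUDE, MODE_IS_EXCLUDE, CHANGE_TO_INCLUDE, CHANGE_TO_EXCLUDE = 1, 2, 3, 4
ALLOW_NEW_SOURCES, BLOCK_OLD_SOURCES = 5, 6
ANY = "*"  # wildcard source of a (*,G) entry

def build_report(records):
    """Construct an MLDv2 Report from (record_type, group, [sources]) tuples.
    The checksum stays zero: a real one covers the IPv6 pseudo-header, which
    this model does not carry."""
    body = b"".join(struct.pack("!BBH", rtype, 0, len(srcs)) + ipaddress.IPv6Address(group).packed
                    + b"".join(ipaddress.IPv6Address(s).packed for s in srcs)
                    for rtype, group, srcs in records)
    return struct.pack("!BBHHH", MLDV2_REPORT, 0, 0, 0, len(records)) + body

def parse_report(pkt):
    """Decode an MLDv2 Report into [(record_type, group, [sources])]."""
    if len(pkt) < 8 or pkt[0] != MLDV2_REPORT:
        raise ValueError("not an MLDv2 Report")
    nrec, off, out = struct.unpack_from("!H", pkt, 6)[0], 8, []
    for _ in range(nrec):
        if off + 20 > len(pkt):
            raise ValueError("truncated record")
        rtype, aux_len, nsrc = struct.unpack_from("!BBH", pkt, off)
        group = str(ipaddress.IPv6Address(pkt[off + 4:off + 20]))
        off += 20
        if off + 16 * nsrc + 4 * aux_len > len(pkt):
            raise ValueError("truncated source list")
        srcs = [str(ipaddress.IPv6Address(pkt[off + 16 * i:off + 16 * i + 16])) for i in range(nsrc)]
        off += 16 * nsrc + 4 * aux_len
        out.append((rtype, group, srcs))
    return out

class MldSnooper:
    """One VLAN's snooping state: (source, group) -> set of listener ports."""

    def __init__(self, mrouter_ports, immediate_leave=False, group_limit=None):
        self.mrouter_ports = set(mrouter_ports)
        self.immediate_leave, self.group_limit = immediate_leave, group_limit
        self.table = {}

    def _join(self, port, src, group):
        groups = {g for _, g in self.table}
        if group not in groups and self.group_limit is not None and len(groups) >= self.group_limit:
            return False  # VLAN group limit reached: refuse, as 'limit group' would
        self.table.setdefault((src, group), set()).add(port)
        return True

    def _leave(self, port, src, group):
        for key in [k for k in self.table if k[1] == group and src in (None, k[0])]:
            self.table[key].discard(port)
            if not self.table[key]:
                del self.table[key]

    def process_report(self, port, pkt):
        """Apply one Report heard on `port`; returns the groups refused by the limit."""
        refused = []
        for rtype, group, srcs in parse_report(pkt):
            if rtype in (MODE_IS_EXCLUDE, CHANGE_TO_EXCLUDE):  # EXCLUDE{} is a (*,G) join
                if not self._join(port, ANY, group):
                    refused.append(group)
            elif rtype in (MODE_IS_INCLUDE, CHANGE_TO_INCLUDE) and not srcs:  # INCLUDE{} is a leave
                if self.immediate_leave:  # otherwise a real switch sends a group-specific query first
                    self._leave(port, None, group)
            elif rtype in (MODE_IS_INCLUDE, CHANGE_TO_INCLUDE, ALLOW_NEW_SOURCES):
                for s in srcs:
                    if not self._join(port, s, group):
                        refused.append(group)
            elif rtype == BLOCK_OLD_SOURCES:
                for s in srcs:
                    self._leave(port, s, group)
        return refused

    def forward_ports(self, src, group):
        """Egress set for traffic src->group: (S,G) and (*,G) listeners plus every
        mrouter port; an unregistered group reaches only the mrouter ports."""
        return self.mrouter_ports | self.table.get((src, group), set()) | self.table.get((ANY, group), set())

def scenario_1():
    """Scenario 1 of 10.3.1.3 replayed: mrouter on port 1; ports 2 and 6 watch
    (Server 1, Group 1), port 10 (Server 1, Group 2), port 12 (Server 2, Group 3)."""
    s1, s2 = "2001:db8::10", "2001:db8::20"
    g1, g2, g3 = "ff3e::8001", "ff3e::8002", "ff3e::8003"
    sn = MldSnooper(mrouter_ports={1}, immediate_leave=True)
    for port, group, src in ((2, g1, s1), (6, g1, s1), (10, g2, s1), (12, g3, s2)):
        sn.process_report(port, build_report([(ALLOW_NEW_SOURCES, group, [src])]))
    return sn, (s1, s2, g1, g2, g3)
```

`scenario_1()` reproduces the interception results of Scenario 1: traffic for (Server 1, Group 1) leaves on ports 1, 2 and 6 only, and a report for a group nobody joined reaches only the mrouter port.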

10.3.1.2 MLD Snooping Configuration Task



1. Enable the MLD Snooping function


2. Configure the MLD Snooping

1. Enable the MLD Snooping function


Command Explanation
Global Mode
ipv6 mld snooping
no ipv6 mld snooping
    Enable global MLD Snooping; the "no ipv6 mld snooping" command disables global MLD Snooping.

2. Configure MLD Snooping

Command Explanation
Global Mode
ipv6 mld snooping vlan <vlan-id>
no ipv6 mld snooping vlan <vlan-id>
    Enable MLD Snooping on a specific VLAN. The "no" form of this command disables MLD Snooping on that VLAN.
ipv6 mld snooping vlan <vlan-id> limit {group <g_limit> | source <s_limit>}
no ipv6 mld snooping vlan <vlan-id> limit
    Configure the maximum number of groups MLD Snooping may join on the VLAN and the maximum number of sources in each group. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> l2-general-querier
no ipv6 mld snooping vlan <vlan-id> l2-general-querier
    Set the VLAN as a layer 2 general querier, which is recommended on each segment. The "no" form of this command cancels the layer 2 general querier configuration.
ipv6 mld snooping vlan <vlan-id> mrouter-port interface <interface-name>
no ipv6 mld snooping vlan <vlan-id> mrouter-port interface <interface-name>
    Configure a static mrouter port in the specified VLAN. The "no" form of this command cancels the mrouter port configuration.
ipv6 mld snooping vlan <vlan-id> mrouter-port learnpim6
no ipv6 mld snooping vlan <vlan-id> mrouter-port learnpim6
    Enable the VLAN to learn mrouter ports from received PIMv6 packets; the no command disables the function.
ipv6 mld snooping vlan <vlan-id> mrpt <value>
no ipv6 mld snooping vlan <vlan-id> mrpt
    Configure the keep-alive time of the mrouter port. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> query-interval <value>
no ipv6 mld snooping vlan <vlan-id> query-interval
    Configure the query interval. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> immediate-leave
no ipv6 mld snooping vlan <vlan-id> immediate-leave
    Configure the immediate leave function for the MLD Snooping of the specified VLAN, so that a port is removed from a group as soon as a leave is received. The "no" form of this command cancels the immediate leave configuration.
ipv6 mld snooping vlan <vlan-id> query-mrsp <value>
no ipv6 mld snooping vlan <vlan-id> query-mrsp
    Configure the query maximum response time. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> query-robustness <value>
no ipv6 mld snooping vlan <vlan-id> query-robustness
    Configure the query robustness. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> suppression-query-time <value>
no ipv6 mld snooping vlan <vlan-id> suppression-query-time
    Configure the suppression query time. The "no" form of this command restores the default.
ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME>
no ipv6 mld snooping vlan <vlan-id> static-group <X:X::X:X> [source <X:X::X:X>] interface [ethernet | port-channel] <IFNAME>
    Configure a static group on the specified port of the VLAN. The "no" form of this command cancels the configuration.

10.3.1.3 MLD Snooping Examples


Scenario 1: MLD Snooping Function

[Figure: a Multicast Router attached to the Mrouter Port of the MLD Snooping switch; below the switch, hosts joined to Group1, Group1, Group1 and Group2]

Figure 10-4 Open the switch MLD Snooping Function figure


As shown above, VLAN 100 on the switch consists of ports 1, 2, 6, 10 and 12. Four hosts are connected to ports 2, 6, 10 and 12, and the multicast router to port 1. Suppose MLD Snooping is needed on VLAN 100. By default both global MLD Snooping and MLD Snooping on each VLAN are disabled, so first enable global MLD Snooping, then enable MLD Snooping on VLAN 100, and finally set port 1 of VLAN 100 as an mrouter port.
Configuration procedure is as follows.
Switch#config

Switch(config)#ipv6 mld snooping


Switch(config)#ipv6 mld snooping vlan 100
Switch(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/0/1
Multicast configuration:
Assume there are two multicast servers, Multicast Server 1 and Multicast Server 2. Programs 1 and 2 are supplied by Multicast Server 1 and program 3 by Multicast Server 2, using the group addresses Group 1, Group 2 and Group 3 respectively. A multicast application is running concurrently on the four hosts: the two hosts on ports 2 and 6 are playing program 1, the host on port 10 program 2, and the host on port 12 program 3.
MLD Snooping interception results:
The multicast table on VLAN 100 shows: ports 1, 2 and 6 are in (Multicast Server 1, Group 1), ports 1 and 10 are in (Multicast Server 1, Group 2), and ports 1 and 12 are in (Multicast Server 2, Group 3).
All four hosts receive the programs they are interested in. Ports 2 and 6 receive no traffic from programs 2 and 3; port 10 receives no traffic from programs 1 and 3; and port 12 receives no traffic from programs 1 and 2.
Scenario 2: MLD L2-general-querier

[Figure: SwitchA connected above SwitchB]

Figure 10-5 Switch as MLD Querier Function figure


The configuration of SwitchB is the same as that of the switch in scenario 1, and here SwitchA takes the place of the multicast router of scenario 1. Assume VLAN 60 configured on SwitchA contains ports 1, 2, 10 and 12, where port 1 is connected to the multicast server and port 2 to SwitchB. For SwitchA to send Queries periodically, global MLD Snooping has to be enabled and then ipv6 mld snooping vlan 60 l2-general-querier executed, which makes VLAN 60 a layer 2 general querier.
Configuration procedure is as follows:
SwitchA#config
SwitchA(config)#ipv6 mld snooping
SwitchA(config)#ipv6 mld snooping vlan 60
SwitchA(config)#ipv6 mld snooping vlan 60 l2-general-querier
SwitchB#config
SwitchB(config)#ipv6 mld snooping
SwitchB(config)#ipv6 mld snooping vlan 100
SwitchB(config)#ipv6 mld snooping vlan 100 mrouter-port interface ethernet 1/0/1
Multicast configuration:
Same as scenario 1
MLD Snooping interception results:
Same as scenario 1

10.3.1.4 MLD Snooping Troubleshooting


When configuring and using MLD Snooping, the MLD Snooping function may fail to run properly due to a physical connection failure, wrong configuration, etc. The user should ensure the following:
 Ensure the physical connection is correct.
 Ensure MLD Snooping is enabled in global mode (using ipv6 mld snooping).
 Ensure MLD Snooping is configured on the VLAN in global mode (using ipv6 mld snooping vlan <vlan-id>).
 Ensure there is a VLAN configured as a layer 2 general querier, or a static mrouter port configured on the segment.
 Use the relevant show command to check that the MLD Snooping information is correct.

10.4 IPv6 Security RA

10.4.1 Introduction to IPv6 Security RA



In IPv6 networks the topology is generally composed of routers, layer 2 switches and IPv6 hosts. Routers advertise RA messages carrying the link prefix, link MTU and other information; when IPv6 hosts receive an RA they create their link address and set the router that sent the RA as their default router, which is what makes IPv6 communication work. If a malicious IPv6 host sends RA messages so that normal IPv6 users set that host as their default router, the malicious host can capture the traffic of the other users, which threatens network security. At the same time the normal users obtain an incorrect address and can no longer reach the network. To implement the security RA function, switch ports are therefore configured to reject malicious RA messages, which prevents the forwarding of malicious RA to a certain extent and avoids disrupting the normal operation of the network.

10.4.2 IPv6 Security RA Configuration Task Sequence


1. Globally enable IPv6 security RA
2. Enable IPv6 security RA on a port
3. Display and debug the relative information of IPv6 security RA

1. Globally enable IPv6 security RA


Command Explanation
Global Configuration Mode
ipv6 security-ra enable
no ipv6 security-ra enable
    Globally enable or disable IPv6 security RA.

2. Enable IPv6 security RA on a port

Command Explanation
Port Configuration Mode
ipv6 security-ra enable
no 

 ipv6 security-ra enable
    Enable or disable IPv6 security RA in port configuration mode.

3. Display and debug the relative information of IPv6 security RA

Command Explanation
Admin Mode
debug ipv6 security-ra
no debug ipv6 security-ra
    Enable the debug output of the IPv6 security RA module; the no form of this command disables it.
show ipv6 security-ra [interface <interface-list>]
    Display the distrusted ports and whether security RA is enabled globally.

10.4.3 IPv6 Security RA Typical Examples


[Figure: another IPv6 network sends RA into the switch on Ethernet1/0/1; a PC user is attached to Ethernet1/0/3 and an illegal user to Ethernet1/0/2; the RA sent by the illegal user is blocked (X) at Ethernet1/0/2]

Figure 10-6 IPv6 Security RA sketch map


Instructions: if the illegal user in the figure advertises RA, the normal user receives the RA, sets the malicious IPv6 host as its default router and changes its own address, and is then unable to reach the network. We therefore enable security RA on port 1/0/2 of the switch, so that RA from the illegal user cannot affect the normal user.
Switch configuration task sequence:
Switch#config
Switch(config)#ipv6 security-ra enable
Switch(config)#interface ethernet 1/0/2
Switch(Config-If-Ethernet1/0/2)#ipv6 security-ra enable

10.4.4 IPv6 Security RA Troubleshooting Help


The IPv6 security RA function is quite simple; if it does not behave as expected after being configured:
 Check that the switch is correctly configured.
 Check whether rules conflicting with the security RA function are configured on the switch; such rules will cause RA messages to be forwarded.

10.5 SAVI Configuration

10.5.1 Introduction to SAVI


SAVI (Source Address Validation Improvement) is a security authentication method that validates source addresses at the granularity of the individual node. By monitoring the exchange of the relevant protocol packets (ND protocol, DHCPv6 protocol) with the CPS (Control Packet Snooping) mechanism, it obtains trusted node information such as port and MAC address, called anchor information. It then binds the anchor information to the node's source address and installs the corresponding filter rules, so that only packets matching the filter rules may pass; this is how the validity of the node source address is checked.
According to the type of protocol packet, the SAVI function comprises ND Snooping, DHCPv6 Snooping and RA Snooping. ND Snooping inspects ND protocol packets and sets up the IPv6 address bindings of nodes using stateless address configuration. DHCPv6 Snooping inspects DHCPv6 protocol packets and sets up the IPv6 address bindings of nodes using stateful address configuration. RA Snooping prevents an unauthorized node from sending spurious RA packets.

10.5.2 SAVI Configuration


SAVI configuration task list:
1. Enable or disable SAVI function
2. Enable or disable application scene function for SAVI
3. Configure SAVI binding function
4. Configure the global max-dad-delay for SAVI
5. Configure the global max-dad-prepare-delay for SAVI
6. Configure the global max-slaac-life for SAVI
7. Configure the lifetime period for SAVI bind-protect
8. Enable or disable SAVI prefix check function
9. Configure IPv6 address prefix for a link
10. Configure the filter entry number of IPv6 address
11. Configure the check mode for SAVI conflict binding
12. Enable or disable user authentication
13. Enable or disable DHCPv6 trust of port
14. Enable or disable ND trust of port
15. Configure the binding number

1. Enable or disable SAVI function


Command Explanation
Global mode
savi enable
no savi enable
    Enable the global SAVI function; the no command disables the function.

2. Enable or disable application scene function for SAVI

Command Explanation
Global mode
savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable
no savi ipv6 {dhcp-only | slaac-only | dhcp-slaac} enable
    Enable the application scene function for SAVI; the no command disables the function.

3. Configure SAVI binding function

Command Explanation
Global mode
savi ipv6 check source binding ip <ip-address> mac <mac-address> interface <if-name> {type [slaac | dhcp] lifetime <lifetime> | type static}
no savi ipv6 check source binding ip <ip-address> interface <if-name>
    Configure a static or dynamic binding manually; the no command deletes the configured binding. This command may be configured under the global function of savi enable, slaac-only enable, dhcp-only enable or dhcp-slaac enable.

4. Configure the global max-dad-delay for SAVI

Command Explanation
Global mode
savi max-dad-delay <max-dad-delay>
no savi max-dad-delay
    Configure the maximum lifetime of a SAVI binding in the DETECTION state; the no command restores the default value.

5. Configure the global max-dad-prepare-delay for SAVI

Command Explanation
Global mode
savi max-dad-prepare-delay <max-dad-prepare-delay>
no savi max-dad-prepare-delay
    Configure the maximum redetection lifetime of a SAVI binding; the no command restores the default value.

6. Configure the global max-slaac-life for SAVI

Command Explanation
Global mode
savi max-slaac-life <max-slaac-life>
no savi max-slaac-life
    Configure the lifetime of a dynamic slaac binding in the BOUND state; the no command restores the default value.

7. Configure the lifetime period for SAVI bind-protect

Command Explanation
Global mode
savi timeout bind-protect <protect-time>
no savi timeout bind-protect
    Configure how long a port's bindings are protected after the port goes from up to down; the no command restores the default value.

8. Enable or disable SAVI prefix check function

Command Explanation
Global mode
ipv6 cps prefix check enable
no ipv6 cps prefix check enable
    Enable the address prefix check for SAVI; the no command disables the function.

9. Configure IPv6 address prefix for a link

Command Explanation
Global mode
ipv6 cps prefix <ip-address> vlan <vid>
no ipv6 cps prefix <ip-address>
    Configure the IPv6 address prefix of a link manually; the no command deletes the configured address prefix.

10. Configure the filter entry number of IPv6 address

Command Explanation
Global mode
savi ipv6 mac-binding-limit <limit-num>
no savi ipv6 mac-binding-limit
    Configure the number of dynamic bindings allowed for the same MAC address; the no command restores the default value. Note: this limit applies to dynamic bindings only, not to static bindings.

11. Configure the check mode for SAVI conflict binding

Command Explanation
Global mode
savi check binding <simple | probe> mode
no savi check binding mode
    Configure the check mode for conflicting bindings; the no command deletes the check mode.

12. Enable or disable user authentication

Command Explanation
Port mode
savi ipv6 check source [ip-address mac-address | ip-address | mac-address]
no savi ipv6 check source
    Enable the source address check (user authentication) on the port, matching on address and MAC, address only, or MAC only; the no command disables the function.

13. Enable or disable DHCPv6 trust of port

Command Explanation
Port mode
ipv6 dhcp snooping trust
no ipv6 dhcp snooping trust
    Configure the port as a DHCPv6 trust port; the no command disables the trust function (the port becomes an untrusted port).

14. Enable or disable ND trust of port

Command Explanation
Port mode
ipv6 nd snooping trust
no ipv6 nd snooping trust
    Configure the port as slaac trusted and RA trusted; the no command removes the port's trust function.

15. Configure the binding number

Command Explanation
Port mode
savi ipv6 binding num <limit-num>
no savi ipv6 binding num
    Configure the number of bindings allowed on the port; the no command restores the default value. Note: this limit applies to dynamic bindings only, not to static bindings.

10.5.3 SAVI Typical Application


In practice, the SAVI function is usually applied on the access layer switch to check the validity of the source addresses of directly connected nodes. There are four typical application scenes for SAVI: DHCP-Only, Slaac-Only, DHCP-Slaac and static binding; users select the scene that matches their actual requirement. In a dual-stack network, SAVI used together with IPv4 DHCP snooping gives source address authentication for both IPv4 and IPv6.
Typical network topology for the SAVI function:

[Figure: Switch3 at the top; Switch1 (uplink Ethernet1/0/1) and Switch2 (uplink Ethernet1/0/2) below it; Client_1 on Ethernet1/0/12 of Switch1 and Client_2 on Ethernet1/0/13 of Switch2]

Figure 10-7
Client_1 and Client_2 are two different users' PCs running IPv6; they connect to port Ethernet1/0/12 of Switch1 and port Ethernet1/0/13 of Switch2 respectively, and the SAVI source address check function is enabled on those ports. Ethernet1/0/1 and Ethernet1/0/2 are the uplink ports of Switch1 and Switch2 respectively, with DHCP trust and ND trust enabled. Aggregation switch Switch3 runs the DHCPv6 server function and router advertisement.
Configuration steps of the SAVI DHCP-SLAAC scene:
Switch1>enable
Switch1#config
Switch1(config)#savi enable
Switch1(config)#savi ipv6 dhcp-slaac enable
Switch1(config)#savi check binding probe mode
Switch1(config)#interface ethernet1/0/1
Switch1(config-if-ethernet1/0/1)#ipv6 dhcp snooping trust
Switch1(config-if-ethernet1/0/1)#ipv6 nd snooping trust
Switch1(config-if-ethernet1/0/1)#exit
Switch1(config)#interface ethernet1/0/12-20


Switch1(config-if-port-range)#savi ipv6 check source ip-address mac-address


Switch1(config-if-port-range)#savi ipv6 binding num 4
Switch1(config-if-port-range)#exit
Switch1(config)#exit
Switch1#write
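Both the per-port RA rejection of 10.4 and the SAVI binding check of 10.5 reduce to a filter on the ingress port. The following Python block is an added example of that filter, not from this guide or from the switch's software, built around one shared IPv6 frame parser. The RA part follows the ICMPv6 type through extension headers and drops fragments whose type it cannot see, which is the evasion RFC 6980 and RFC 7113 address; the SAVI part keeps (port, address, MAC) bindings subject to the per-port `binding num` and the per-MAC `mac-binding-limit` of 10.5.2, lets DAD probes sourced from :: through so that bindings can form, and is driven by a switch configured like Switch1 of Figure 10-7. Port names follow the figure; the MACs, addresses and frames are constructed sample values, and the binding installation that CPS performs from ND and DHCPv6 exchanges is replaced by an explicit add_binding call.

```python
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
HOPOPTS, ROUTING, FRAGMENT, ICMPV6, DSTOPTS = 0, 43, 44, 58, 60  # IPv6 next-header values
ROUTER_ADVERT, NEIGHBOR_SOLICIT = 134, 135                       # ICMPv6 types

def build_frame(src_mac, src_ip, dst_ip, next_header, payload):
    """Ethernet + IPv6 header around payload (constructed input; hop limit 255)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return (bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETH_P_IPV6) + hdr + ipaddress.IPv6Address(src_ip).packed
            + ipaddress.IPv6Address(dst_ip).packed + payload)

def parse_frame(frame):
    """Return (src_mac, src_ip, next_header, l4_bytes); raise on anything malformed."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IPV6 or frame[14] >> 4 != 6:
        raise ValueError("not a well-formed IPv6 frame")
    plen, nh = struct.unpack_from("!HB", frame, 18)
    if len(frame) < 54 + plen:
        raise ValueError("truncated payload")
    return frame[6:12].hex(":"), str(ipaddress.IPv6Address(frame[22:38])), nh, frame[54:54 + plen]

def icmpv6_type(nh, l4):
    """Follow the extension-header chain to the ICMPv6 type (None if not ICMPv6).
    Raises on a non-initial fragment: the type is not visible there, RFC 6980
    forbids fragmented ND anyway, and an RA hidden behind extension headers is
    the classic RA-guard evasion, so the chain is walked rather than trusting nh."""
    off = 0
    while True:
        if nh == ICMPV6:
            if off >= len(l4):
                raise ValueError("empty ICMPv6")
            return l4[off]
        if nh == FRAGMENT:
            if off + 8 > len(l4):
                raise ValueError("truncated fragment header")
            if struct.unpack_from("!H", l4, off + 2)[0] >> 3:
                raise ValueError("non-initial fragment")
            nh, off = l4[off], off + 8
        elif nh in (HOPOPTS, ROUTING, DSTOPTS):
            if off + 2 > len(l4):
                raise ValueError("truncated extension header")
            nh, off = l4[off], off + (l4[off + 1] + 1) * 8
        else:
            return None

class AccessSwitch:
    """Per-port 'ipv6 security-ra enable' plus SAVI bindings with 'binding num' and 'mac-binding-limit'."""
    def __init__(self, binding_num=4, mac_binding_limit=4):
        self.ports, self.bindings = {}, {}  # name -> cfg ; name -> {ip: mac}
        self.binding_num, self.mac_binding_limit = binding_num, mac_binding_limit

    def add_port(self, name, security_ra=False, savi_check=None):
        self.ports[name] = {"security_ra": security_ra, "savi_check": savi_check}
        self.bindings[name] = {}

    def add_binding(self, port, ip, mac):
        """Install a binding as CPS would after DAD or a DHCPv6 Reply; False when a limit is hit."""
        per_mac = sum(m == mac for t in self.bindings.values() for m in t.values())
        if len(self.bindings[port]) >= self.binding_num or per_mac >= self.mac_binding_limit:
            return False
        self.bindings[port][ip] = mac
        return True

    def filter(self, port_name, frame):
        """Return ('pass' | 'drop', reason) for a frame received on port_name."""
        port = self.ports[port_name]
        try:
            src_mac, src_ip, nh, l4 = parse_frame(frame)
        except ValueError as e:
            return "drop", f"malformed: {e}"
        if port["security_ra"]:
            try:
                if icmpv6_type(nh, l4) == ROUTER_ADVERT:
                    return "drop", "router advertisement on a security-ra port"
            except ValueError as e:
                return "drop", f"cannot classify ICMPv6: {e}"
        if port["savi_check"] and src_ip != "::":  # DAD probes use :: and must pass so bindings can form
            table = self.bindings[port_name]
            ok = {"ip-address mac-address": table.get(src_ip) == src_mac,
                  "ip-address": src_ip in table,
                  "mac-address": src_mac in table.values()}[port["savi_check"]]
            if not ok:
                return "drop", f"no SAVI binding for {src_ip} / {src_mac}"
        return "pass", ""

# Constructed frames: a rogue RA, the same RA behind a Hop-by-Hop header and behind a
# non-initial fragment, a DAD Neighbor Solicitation from ::, and ordinary TCP data.
RA = bytes([ROUTER_ADVERT, 0, 0, 0, 64, 0, 0x07, 0x08]) + bytes(8)
ROGUE_MAC, CLIENT_MAC = "00:de:ad:be:ef:01", "00:11:22:33:44:55"
ROGUE_RA = build_frame(ROGUE_MAC, "fe80::2", "ff02::1", ICMPV6, RA)
HBH_RA = build_frame(ROGUE_MAC, "fe80::2", "ff02::1", HOPOPTS, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA)
FRAG_RA = build_frame(ROGUE_MAC, "fe80::2", "ff02::1", FRAGMENT, struct.pack("!BBHI", ICMPV6, 0, 8, 7) + RA)
DAD_NS = build_frame(CLIENT_MAC, "::", "ff02::1:ff00:10", ICMPV6, bytes([NEIGHBOR_SOLICIT, 0, 0, 0]) + bytes(20))
BOUND_DATA = build_frame(CLIENT_MAC, "2001:db8:1::10", "2001:db8:1::1", 6, bytes(20))
SPOOFED_DATA = build_frame(CLIENT_MAC, "2001:db8:1::99", "2001:db8:1::1", 6, bytes(20))

SWITCH1 = AccessSwitch(binding_num=4, mac_binding_limit=2)  # Switch1 of Figure 10-7
SWITCH1.add_port("Ethernet1/0/1")                           # trusted uplink: no checks
SWITCH1.add_port("Ethernet1/0/2", security_ra=True, savi_check="ip-address mac-address")
SWITCH1.add_port("Ethernet1/0/3", security_ra=True, savi_check="ip-address mac-address")
SWITCH1.add_binding("Ethernet1/0/3", "2001:db8:1::10", CLIENT_MAC)
```

`SWITCH1.filter("Ethernet1/0/2", ROGUE_RA)` drops the rogue RA while the same frame on the uplink passes; the Hop-by-Hop and fragment variants are dropped too, which a check on the first next-header byte alone would miss. On Ethernet1/0/3 the bound address passes, the spoofed one is dropped, and a third binding for the same MAC is refused by the per-MAC limit of 2.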

10.5.4 SAVI Troubleshooting


After making sure there is no problem with the SAVI client hardware and cabling, check for the following conditions and their suggested solutions:
 If IPv6 packets are filtered incorrectly after SAVI is enabled, make sure the global SAVI function is enabled. Then enable the global function of the SAVI scene that matches the actual application, and enable the port authentication function.
 If a client cannot obtain the IPv6 address assigned by the DHCPv6 server after SAVI is enabled, make sure DHCP port trust is configured on the uplink port towards the DHCPv6 server.
 If no binding can be set up for a new user after SAVI is enabled, check whether a maximum binding number is configured on the directly connected port and whether the number of bindings has reached that maximum. If it has, configure a larger binding limit.
 If a binding still cannot be set up for the new user after the binding limit has been raised, check whether a per-MAC binding number is configured and whether the number of bindings for that MAC address has reached the maximum. If it has, configure a larger limit.
