
User Manual
V1624
UMN:CLI
DPW:G-S-1624H0-04

Copyright 2008 (C) Dasan Networks, Inc.


Issued by Technical Writing Team
HUMAX Village 6F 11-4, Bundang-gu, Gyeonggi-do, KOREA
Helpdesk: 82-2-1588-7080

Technical modifications possible. Technical specifications and features are binding only insofar as they are specifically and expressly agreed upon in a written contract.


Reason for Update

Summary: Initial release

Details:
Chapter/Section: All
Reason for Update: Initial release

Issue History

Issue Number   Date of Issue   Reason for Update
01             05/2008         Initial release


This document consists of a total of 233 pages. All pages are issue 1.

Contents

1 Introduction ... 13
  1.1 Audience ... 13
  1.2 Document Structure ... 13
  1.3 Document Convention ... 14
  1.4 Document Notation ... 14
  1.5 Virus Protection ... 15
  1.6 CE Declaration of Conformity ... 15
  1.7 GPL/LGPL Warranty and Liability Exclusion ... 15

2 System Overview ... 17
  2.1 System Features ... 18

3 Command Line Interface (CLI) ... 21
  3.1 Command Mode ... 21
    3.1.1 Top Mode ... 22
    3.1.2 Global Configuration Mode ... 22
    3.1.3 Bridge Configuration Mode ... 23
    3.1.4 DHCP Pool Configuration Mode ... 24
    3.1.5 DHCP Option 82 Configuration Mode ... 24
    3.1.6 Interface Configuration Mode ... 25
    3.1.7 RMON Configuration Mode ... 25
  3.2 Useful Tips ... 26
    3.2.1 Listing Available Commands ... 26
    3.2.2 Calling Command History ... 27
    3.2.3 Using Abbreviation ... 28
    3.2.4 Exit Current Command Mode ... 28

4 System Connection and IP Address ... 29
  4.1 System Connection ... 29
    4.1.1 System Login ... 29
    4.1.2 Password for Top Mode ... 29
    4.1.3 Changing Login Password ... 30
    4.1.4 Auto Log-out ... 30
    4.1.5 Management for System Account ... 31
      4.1.5.1 Creating System Account ... 31
    4.1.6 Telnet Access ... 31
    4.1.7 System Rebooting ... 32
      4.1.7.1 Manual System Rebooting ... 32
      4.1.7.2 Auto System Rebooting ... 32
  4.2 SSH (Secure Shell) ... 34
    4.2.1 SSH Server ... 34
      4.2.1.1 Enabling SSH Server ... 34
  4.3 802.1x Authentication ... 34
    4.3.1 802.1x Authentication ... 35
      4.3.1.1 Enabling 802.1x ... 35
    4.3.2 Configuring Port-based 802.1x Authentication ... 36
      4.3.2.1 Configuring Authentication Port ... 36
      4.3.2.2 Designating User Authentication Interface ... 36
      4.3.2.3 Configuring RADIUS Server ... 36
      4.3.2.4 The Number of Request for Authentication ... 37
      4.3.2.5 Re-attempt Interval of Authentication Request ... 38
      4.3.2.6 Configuring Term of Re-authentication ... 39
    4.3.3 Client Authentication through MAC Address ... 40
    4.3.4 Checking and Deleting 802.1x User Authentication Statistics ... 42
    4.3.5 Disabling 802.1x User Authentication ... 43
  4.4 System Authentication ... 43
    4.4.1 Configuring Authorization Method ... 44
    4.4.2 Designating User Authentication Interface ... 44
    4.4.3 Configuring Priority of Authorization Method ... 44
    4.4.4 Checking Configured Priority of Authorization Method ... 45
    4.4.5 Configuring RADIUS ... 46
      4.4.5.1 Configuring RADIUS Server ... 46
      4.4.5.2 Configuring Frequency of Retransmit ... 46
      4.4.5.3 Configuring Timeout of Response ... 46
    4.4.6 Configuring TACACS+ ... 47
      4.4.6.1 Configuring TACACS Server ... 47
      4.4.6.2 Selecting Authorization Type ... 48
      4.4.6.3 Configuring Timeout of Response ... 48
    4.4.7 Recording Users Configuration ... 48
  4.5 Assigning IP Address ... 49
    4.5.1 Assigning IP Address on Network Interface ... 49
    4.5.2 Configuring Default Gateway ... 50

5 Port Basic Configuration ... 51
  5.1 Port Basic Configuration ... 51
    5.1.1 Activating Port ... 52
    5.1.2 Auto-nego ... 52
    5.1.3 Port Rate ... 53
    5.1.4 Duplex Mode ... 54
    5.1.5 Flow Control ... 55
    5.1.6 Port Description ... 55
    5.1.7 Port Statistics ... 56
    5.1.8 Link Uptime ... 58
  5.2 Port Mirroring ... 59
    5.2.1 Assigning Monitor Port and Mirrored Port ... 59
    5.2.2 Enabling Port Mirroring ... 60
    5.2.3 Checking Configuration of Port Mirroring ... 60

6 System Environment ... 61
  6.1 Environment Configuration ... 61
    6.1.1 Host Name ... 61
    6.1.2 Date and Time ... 61
    6.1.3 Time-zone ... 62
    6.1.4 NTP ... 64
    6.1.5 Output Condition of Terminal Screen ... 64
    6.1.6 Domain Name Server (DNS) ... 65
    6.1.7 Login Banner ... 66
  6.2 Configuration Management ... 68
    6.2.1 Checking Switch Configuration ... 68
    6.2.2 Saving Configuration ... 68
    6.2.3 Restore Factory Default ... 69
    6.2.4 Configuration Backup ... 69
  6.3 System Check ... 70
    6.3.1 Network Connection ... 71
    6.3.2 Packet Route ... 73
    6.3.3 Cable Length ... 73
    6.3.4 Accessed User through Telnet ... 74
    6.3.5 Destination Information ... 74
    6.3.6 MAC Table ... 75
    6.3.7 Aging time ... 75
    6.3.8 Running Time of Switch ... 76
    6.3.9 System Information ... 76
    6.3.10 Checking Average of CPU Utilization ... 76
    6.3.11 CPU Statistics Limit ... 77
    6.3.12 CPU Process ... 78
    6.3.13 Utilization of Memory ... 79
    6.3.14 Version of System Image ... 79
    6.3.15 Size of the System Image File ... 79
    6.3.16 Installed OS ... 80
    6.3.17 Assigning Default OS ... 80
    6.3.18 Switch Status ... 80
    6.3.19 Cable Diagnostics ... 81

7 Network Management ... 83
  7.1 SNMP ... 83
    7.1.1 Configuring Authority of Access to SNMP Agent ... 83
    7.1.2 Configuring Accessed Person and Location of SNMP Agent ... 84
    7.1.3 Configuring SNMP Trap ... 84
      7.1.3.1 Configuring SNMP trap-host ... 84
      7.1.3.2 Configuring Type of SNMP Trap ... 85
    7.1.4 Configuring IP Address of SNMP Agent ... 88
    7.1.5 SNMP Configuration ... 88
    7.1.6 Deleting SNMP ... 89
  7.2 RMON ... 89
    7.2.1 Configuring RMON History ... 89
      7.2.1.1 Assigning Source Port of Statistical Data ... 90
      7.2.1.2 Identifying Subject of RMON History ... 91
      7.2.1.3 Configuring Number of Sample Data ... 91
      7.2.1.4 Configuring Interval of Sample Inquiry ... 91
      7.2.1.5 Activating RMON History ... 92
      7.2.1.6 Deleting and Changing Configuration of RMON History ... 92
    7.2.2 Configuring RMON Alarm ... 93
      7.2.2.1 Identifying Subject of RMON Alarm ... 94
      7.2.2.2 Configuring Object of Sample Inquiry ... 94
      7.2.2.3 Configuring Absolute Comparison and Delta Comparison ... 94
      7.2.2.4 Configuring Upper Bound of Threshold ... 95
      7.2.2.5 Configuring Lower Bound of Threshold ... 95
      7.2.2.6 Configuring Standard of the First Alarm ... 96
      7.2.2.7 Configuring Interval of Sample Inquiry ... 97
      7.2.2.8 Activating RMON Alarm ... 97
      7.2.2.9 Deleting RMON Alarm and Changing Configuration ... 98
    7.2.3 Configuring RMON Event ... 98
      7.2.3.1 Configuring Event Community ... 99
      7.2.3.2 Event Description ... 99
      7.2.3.3 Identifying Subject of Event ... 99
      7.2.3.4 Configuring Event Type ... 100
      7.2.3.5 Activating Event ... 100
      7.2.3.6 Deleting RMON Event and Changing Configuration ... 101
  7.3 Syslog ... 102
    7.3.1 Level of Syslog Message ... 102
    7.3.2 Disabling Syslog ... 105
    7.3.3 Displaying Syslog Message ... 105
    7.3.4 Displaying Syslog Configuration ... 105
    7.3.5 CPU Utilization Threshold ... 105
    7.3.6 Memory Usage Threshold ... 107
    7.3.7 Port Traffic Threshold ... 107
    7.3.8 Configuring Threshold of System Temperature ... 108
  7.4 QoS and Packet Filtering ... 109
    7.4.1 How to Operate QoS ... 109
    7.4.2 Configuring QoS and Packet Filtering ... 110
      7.4.2.1 Creating QoS Policy ... 111
      7.4.2.2 Configuring Additional Rules to QoS Policy ... 112
      7.4.2.3 Configuring Policy according to Packet Length ... 113
      7.4.2.4 Applying QoS Policy to Rule of Packet Filtering ... 113
      7.4.2.5 Checking the Policy of QoS and the Rule of Packet Filtering ... 114
      7.4.2.6 Configuring CoS and ToS ... 115
      7.4.2.7 Assigning CoS or ToS ... 115
      7.4.2.8 Configuring QoS map ... 116
      7.4.2.9 Configuring Scheduling Value ... 116
      7.4.2.10 Packet Counter ... 118
      7.4.2.11 Admin Access Rule ... 118
      7.4.2.12 NetBIOS Filtering ... 121
  7.5 MAC Filtering ... 122
    7.5.1 Configuring Default Policy of MAC Filtering ... 122
    7.5.2 Adding Policy of MAC Filter ... 122
    7.5.3 Deleting MAC Filtering Policy ... 123
    7.5.4 Listing of MAC Filtering Policy ... 123
  7.6 Configuring Max Host ... 124
  7.7 Managing MAC Table ... 125
  7.8 Address Resolution Protocol (ARP) ... 126
    7.8.1 ARP Table ... 126
      7.8.1.1 Registering ARP Table ... 126
      7.8.1.2 Configuring ARP Ageing Timer ... 126
      7.8.1.3 Displaying ARP Table ... 127
    7.8.2 ARP-Alias ... 127
    7.8.3 ARP Inspection ... 128
      7.8.3.1 ARP Access List ... 128
      7.8.3.2 Enabling ARP Inspection Filtering ... 130
      7.8.3.3 ARP Address Validation ... 130
      7.8.3.4 ARP Inspection on Trust Port ... 131
      7.8.3.5 ARP Inspection Log-buffer ... 131
      7.8.3.6 Displaying ARP Inspection ... 132
    7.8.4 Proxy-ARP ... 132
    7.8.5 Gratuitous ARP ... 133
  7.9 ICMP ... 134
    7.9.1 Blocking Echo Reply Message ... 134
    7.9.2 Configuring Interval to Transmit ICMP Message ... 135
  7.10 Link Layer Carrier Forward (LLCF) ... 137
  7.11 TCP Flag Control ... 138
    7.11.1 RST Configuration ... 138
    7.11.2 SYN Configuration ... 138
  7.12 Dump Packet ... 139
    7.12.1 Checking Dump Packet ... 139
    7.12.2 Dump Packet Debug ... 140
  7.13 Server Packet Filtering ... 141
  7.14 Attack Guard ... 142
  7.15 Port Traffic Monitoring ... 143

8 System Main Function ... 144
  8.1 VLAN ... 144
    8.1.1 Overview of VLAN ... 144
    8.1.2 Features of VLAN ... 145
    8.1.3 Configuring VLAN ... 145
      8.1.3.1 Creating VLAN ... 145
      8.1.3.2 Specifying PVID ... 146
      8.1.3.3 Assigning Port in VLAN ... 147
      8.1.3.4 Disabling VLAN ... 147
      8.1.3.5 Configuring Shared-port ... 148
  8.2 Port Trunking ... 150
  8.3 LACP ... 152
    8.3.1 Enabling LACP ... 152
    8.3.2 Configuring Aggregator ... 152
    8.3.3 Configuring Member Port ... 153
    8.3.4 Checking LACP Configuration ... 154
    8.3.5 Configuring Key of Member Port ... 155
    8.3.6 Configuring Port Priority ... 156
  8.4 STP and RSTP ... 157
    8.4.1 STP Operation ... 158
    8.4.2 RSTP Operation ... 160
    8.4.3 STP and RSTP Configuration ... 165
      8.4.3.1 Activating STP ... 165
      8.4.3.2 STP/RSTP Mode ... 165
      8.4.3.3 Root Switch ... 165
      8.4.3.4 Path-cost ... 166
      8.4.3.5 Port Priority ... 168
    8.4.4 Configuring BPDU Transmission ... 169
      8.4.4.1 Hello Time ... 169
      8.4.4.2 Forward Delay ... 169
      8.4.4.3 Max Age ... 170
      8.4.4.4 Checking BPDU Configuration ... 170
  8.5 Loop Detection ... 171
  8.6 Single IP Management ... 173
  8.7 Rate Limit ... 176
  8.8 Flood-Guard ... 177
    8.8.1 Configuring Port based Flood-guard ... 178
    8.8.2 Configuring Flood-guard based on MAC Address ... 179
  8.9 Configuring Bandwidth-share-Group ... 179
  8.10 NAT ... 181
    8.10.1 Configuring Static NAT ... 181
    8.10.2 Configuring PAT ... 181
    8.10.3 Configuring IP Masquerade ... 182
    8.10.4 Configuring Dynamic NAT ... 182
    8.10.5 Substituting DNS ... 182
    8.10.6 Additional Functions ... 183
    8.10.7 IP Filtering ... 184
  8.11 Bandwidth ... 187
  8.12 DHCP ... 188
    8.12.1 Configuring DHCP Server ... 189
      8.12.1.1 Configuring DHCP Subnet ... 189
      8.12.1.2 Configuring IP Address Range ... 189
      8.12.1.3 Configuring Subnet Default Gateway ... 190
      8.12.1.4 Enabling DHCP Server ... 190
      8.12.1.5 Enabling 1:1 Assigning DHCP Server ... 190
      8.12.1.6 Configuring the Available Time to Use IP address ... 191
      8.12.1.7 Registering DNS Server ... 191
      8.12.1.8 Information of Assigned IP Address ... 192
      8.12.1.9 Checking DHCP Syslog ... 193
      8.12.1.10 Display Rate of IP Usage by DHCP Group ... 194
    8.12.2 Assigning Static IP Address ... 194
    8.12.3 Blocking Static IP Address User ... 194
    8.12.4 Configuring DHCP Relay Agent ... 195
    8.12.5 Initializing DHCP Lease Database ... 196
    8.12.6 Backing up DHCP Lease Database ... 196
    8.12.7 DHCP Option-82 ... 197
      8.12.7.1 Enabling DHCP Option-82 ... 197
      8.12.7.2 Configuring Option-82 Packet Policy ... 198
      8.12.7.3 Configuring Trust Packet ... 198
      8.12.7.4 Restricting the Number of Assigning IP Address ... 199
    8.12.8 DHCP Snooping with Option82 ... 199
    8.12.9 DHCP Option 77 ... 200
    8.12.10 DHCP Snooping Filtering ... 201
    8.12.11 Authorized ARP ... 202
    8.12.12 Displaying DHCP Configuration ... 202
  8.13 Broadcast Storm Control ... 203
  8.14 Blocking Direct Broadcast ... 204

9 IP Multicast ... 205
  9.1 Multicast Group Membership ... 206
    9.1.1 IGMP Basic ... 206
    9.1.2 IGMP Version 2 ... 207
      9.1.2.1 IGMP Static Join ... 208
    9.1.3 IGMP Version 3 ... 209
  Multicast Forwarding Database ... 210
    Blocking Unknown Multicast Traffic ... 210
    Forwarding Entry Aging ... 211
    Displaying McFDB Information ... 211
    Enabling IGMP Snooping ... 213
    IGMP Snooping Version ... 213
    IGMP Snooping Robustness Value ... 214
    IGMP Snooping Querier Configuration ... 214
    IGMP Snooping Last Member Query Interval ... 216
    IGMP Snooping Immediate Leave ... 217
    IGMP Snooping Report Suppression ... 218
    IGMP Snooping S-Query Report Agency ... 218
    Multicast Router Port Configuration ... 219
    TCN Multicast Flooding ... 220
    Explicit Host Tracking ... 222
    IGMPv3 Snooping Immediate Block ... 224

9.2

Multicast Functions............................................................................. 210


9.2.1.1 9.2.1.2 9.2.1.3

9.2.1

9.2.2

IGMP Snooping Basic .............................................................................. 212

9.2.2.1 9.2.2.2 9.2.2.3

9.2.3

IGMPv2 Snooping .................................................................................... 214

9.2.3.1 9.2.3.2 9.2.3.3 9.2.3.4 9.2.3.5 9.2.3.6 9.2.3.7

9.2.4

IGMPv3 Snooping .................................................................................... 222

9.2.4.1 9.2.4.2

9.2.5 9.2.6

Displaying IGMP Snooping Information ................................................... 224 IGMP Filtering and Throttling ................................................................... 225
IGMP Filtering.............................................................................................. 225 IGMP Throttling............................................................................................ 227 Displaying IGMP Filtering and Throttling...................................................... 227

9.2.6.1 9.2.6.2 9.2.6.3

10 System Software Upgrade..............................................................228


10.1 General Upgrade ................................................................................ 228 10.2 FTP Upgrade ...................................................................................... 229 10.3 Auto Upgrade ..................................................................................... 231

11 Abbreviations ..................................................................................232


Illustrations
Fig. 2.1 Network Structure with V1624 ..... 17
Fig. 3.1 Software mode structure ..... 21
Fig. 4.1 Process of 802.1x Authentication ..... 35
Fig. 4.2 Multiple Authentication Servers ..... 37
Fig. 5.1 Port Mirroring ..... 59
Fig. 7.1 Necessity of NetBIOS Filtering ..... 121
Fig. 7.2 ICMP Message ..... 134
Fig. 7.3 Link Layer Carrier Forward Process ..... 137
Fig. 8.1 VLAN ..... 144
Fig. 8.2 Example of Loop ..... 157
Fig. 8.3 Principle of Spanning Tree Protocol ..... 157
Fig. 8.4 Root Switch ..... 158
Fig. 8.5 Designated Switch ..... 159
Fig. 8.6 Port Priority ..... 160
Fig. 8.7 Alternate Port and Backup port ..... 161
Fig. 8.8 Example of Receiving Low BPDU ..... 162
Fig. 8.9 Network Convergence of 802.1d ..... 162
Fig. 8.10 Network Convergence of 802.1w (1) ..... 163
Fig. 8.11 Network Convergence of 802.1w (2) ..... 163
Fig. 8.12 Network Convergence of 802.1w (3) ..... 164
Fig. 8.13 Compatibility with 802.1d (1) ..... 164
Fig. 8.14 Compatibility with 802.1d (2) ..... 165
Fig. 8.15 Cascading of Switches ..... 173
Fig. 8.16 Rate Limit and Flood Guard ..... 177
Fig. 8.17 DHCP Service Structure ..... 188
Fig. 8.18 Example of DHCP Relay Agent ..... 195
Fig. 8.19 DHCP Option 82 Operation ..... 197
Fig. 9.1 The V1624 with IGMP Snooping ..... 205
Fig. 9.2 IGMP Snooping ..... 212

Tables
Tab. 1.1 Overview of Chapters ..... 13
Tab. 1.2 Command Notation of Guide Book ..... 14
Tab. 3.1 Main Commands of Top Mode ..... 22
Tab. 3.2 Main Commands of Global Configuration Mode ..... 23
Tab. 3.3 Main Commands of Bridge Configuration Mode ..... 23
Tab. 3.4 Main Command of DHCP Pool Configuration Mode ..... 24
Tab. 3.5 Main Command of DHCP Option 82 Configuration Mode ..... 24
Tab. 3.6 Main Commands of Interface Configuration Mode ..... 25
Tab. 3.7 Main Commands of RMON Configuration Mode ..... 25
Tab. 3.8 Command Abbreviation ..... 28
Tab. 5.1 V1624 Port Default Configuration ..... 51
Tab. 6.1 World Time Zone ..... 62
Tab. 6.2 Options for Ping ..... 71
Tab. 6.3 The Description of the Result Report ..... 81
Tab. 7.1 ICMP message type ..... 134
Tab. 7.2 Option for Dump Packet ..... 140
Tab. 8.1 STP Path Cost ..... 166
Tab. 8.2 RSTP Path Cost ..... 167


1 Introduction
1.1 Audience
This manual is intended for operators of the V1624 single-board Fast Ethernet switch and for the maintenance personnel of Ethernet service providers. It assumes that you are familiar with the following:
Ethernet networking technology and standards
Internet topologies and protocols
Usage and functions of graphical user interfaces

1.2 Document Structure
Tab. 1.1 briefly describes the structure of this document.

Chapter                               Description
1 Introduction                        Introduces the overall information of the document.
2 System Overview                     Introduces the V1624 system. It also lists the features of the system.
3 Command Line Interface (CLI)        Describes how to use the Command Line Interface (CLI).
4 System Connection and IP Address    Describes how to manage the system account and IP address.
5 Port Basic Configuration            Describes how to configure the Ethernet ports.
6 System Environment                  Describes how to configure the system environment and management functions.
7 Network Management                  Describes how to configure the network management functions.
8 System Main Function                Describes how to configure the system main functions.
9 IP Multicast                        Describes how to configure the IP multicast packets.
10 System Software Upgrade            Describes how to upgrade the system software.
11 Abbreviations                      Lists all abbreviations and acronyms that appear in this document.

Tab. 1.1 Overview of Chapters


1.3 Document Convention
This guide uses the following conventions to convey instructions and information.

Information
This information symbol marks useful information for using the configuration commands and means that the reader should take note. Notes contain helpful suggestions or references.

Warning
This warning symbol means danger. You are in a situation that could cause bodily injury or break the equipment. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with the standard practices for preventing accidents by making a quick guide based on this guide.

1.4 Document Notation
The following table shows the command notation used in this guide. Please be aware of each notation so that you use the commands correctly.

Notation                        Description
a                               Commands you should use as is.
NAME, PROFILE, VALUE, PORTS     Variables for which you supply values. For entering these variables, see Section 5.
[ ]                             Commands or variables that appear within square brackets [ ] are optional.
< >                             Range of numbers that you can use.
{ }                             A choice of required keywords appears in braces { }. You must select one.
|                               Optional variables are separated by vertical bars |.

Tab. 1.2 Command Notation of Guide Book


1.5 Virus Protection
To prevent a virus infection, you may not use any software other than that which is released for the Operating System (OS based on Basis Access Integrator), the Local Craft Terminal (LCT) and the transmission system. Even when exchanging data via the network or external data media (e.g. floppy disks), there is a possibility of infecting your system with a virus. The occurrence of a virus in your system may lead to a loss of data and a breakdown of functionality.

The operator is responsible for protecting against viruses and for carrying out repair procedures when the system is infected. You have to do the following:
You have to check every data medium (used data media as well as new ones) for viruses before reading data from it.
You must ensure that a current, valid virus scanning program is always available. This program has to be supplied with regular updates by certified software.
It is recommended that you make periodic checks against viruses in your OS.
At the LCT it is recommended to integrate the virus scanning program into the startup sequence.

1.6 CE Declaration of Conformity
The CE declaration of the product is fulfilled if the construction and cabling are undertaken in accordance with the manual and the documents listed therein, e.g. mounting instructions and cable lists; where necessary, account should be taken of project-specific documents. Deviations from the specifications or unstipulated changes during construction, e.g. the use of cable types with lower screening values, can lead to a violation of the CE requirements. In such a case, the conformity declaration is invalidated and the responsibility passes to those who have caused the deviations.

1.7 GPL/LGPL Warranty and Liability Exclusion
The Dasan Networks product, V1624, contains both proprietary software and Open Source Software. The Open Source Software is licensed to you at no charge under the GNU General Public License (GPL) and the GNU Lesser General Public License (LGPL). This Open Source Software was written by third parties and enjoys copyright protection. You are entitled to use this Open Source Software under the conditions set out in the GPL and LGPL licenses indicated above. In the event of conflicts between Dasan Networks license conditions and the GPL or LGPL license conditions, the GPL and LGPL conditions shall prevail with respect to the Open Source portions of the software. The GPL can be found under the following URL: http://www.gnu.org/copyleft/gpl.html The LGPL can be found under the following URL: http://www.gnu.org/copyleft/lgpl.html

DPW:G-S-1624H0-04

15

UMN:CLI

User Manual
V1624

In addition, if the source code to the Open Source Software has not been delivered with this product, you may obtain the source code (including the related copyright notices) by sending your request to the following e-mail address: opensrc@dasannetworks.com. You will, however, be required to reimburse Dasan Networks for its costs of postage and copying. Any source code request made by you must be sent within 3 years of your purchase of the product. Please include a copy of your sales receipt when submitting your request. Also, please include the exact name and number of the device and the version number of the installed software. The use of Open Source Software contained in this product in any manner other than the simple running of the program occurs at your own risk, that is, without any warranty claims against Dasan Networks. For more information about the warranties provided by the authors of the Open Source Software contained in this product, please consult the GPL and LGPL. You have no warranty claims against Dasan Networks when a defect in the product is or could have been caused by changes made by you in any part of the software or its configuration. In addition, you have no warranty claims against Dasan Networks when the Open Source Software infringes the intellectual property rights of a third party. Dasan Networks provides no technical support for either the software or the Open Source Software contained therein if either has been changed.


2 System Overview
To cope with the geometrically increasing population of the Internet and to create a network environment in which mass-storage data such as graphic and voice files can be sent and received with ease, Fast Ethernet and Gigabit Ethernet are continually replacing older Ethernet. The V1624, which was developed for this network environment, provides high-speed Internet service over a wider area than existing equipment, so it is very efficient for WAN construction, large-scale companies and ISPs.

The V1624 has 24 ports of 10/100Base-TX as the service interface and 2 slots for uplink interfaces, which accept 1-port modular units of 1000Base-X (SFP or GBIC), 10/100/1000Base-T, 100Base-FX and GE-PON. Modular units can be inserted into up to 2 slots on the front panel. The V1624 can be used for various applications as a Fast Ethernet Layer 2 switch as well as a GE-PON ONU. The OLT is located in the central office and connects to the ONU via an optical splitter. The GE-PON uplink port provides voice, data and video services, which are distributed over the proper transmission media to a maximum of 24 Fast Ethernet subscribers within the customer premises. The V1624 is a Layer 2 switch, which transmits the VLAN and the traffic of PCs on the network and web servers to a medium switch or router. Fig. 2.1 shows a network constructed with the V1624.

Fig. 2.1 Network Structure with V1624 (figure labels: Internet, L3 Switch, L3 Switch, V1624, V1624)


2.1 System Features
The V1624, a Layer 2 switch, provides various functions such as QoS, IP multicasting, STP and VLAN. New configurations are saved without rebooting, the switch status can be monitored through Syslog and SNMP, and the switch detects and warns of duplicated IP addresses and MAC addresses. The V1624 provides the following functions.

Quality of Service (QoS)
For the V1624, QoS-based forwarding sorts traffic into a number of classes and marks the packets accordingly. Thus a different quality of service is provided to each class to which the packets belong. The QoS capabilities enable network managers to protect mission-critical applications and support differentiated levels of bandwidth for managing traffic congestion. The V1624 supports ingress and egress (shaping) rate limiting and SP (Strict Priority) queue scheduling.

Multicasting
Since the V1624 provides IGMP Snooping and IGMP Querier, you can use multicast communication. Through multicast communication, packets are transmitted only to the hosts that need them, so that overloading can be prevented.

NAT (Network Address Translation)
NAT (Network Address Translation) uses private IP addresses, which are meant to be used in the internal network. It therefore saves the limited IP address resource and strengthens security, because the IP addresses of the internal network are protected. The V1624 supports IP NAT complying with RFC 3022.

SNMP
A switch in which SNMP is mounted can be managed and monitored from a remote place. The V1624 supports SNMP versions 1 and 2 and four kinds of RMON groups, so that the administrator can check static data at any time.

DHCP Server and Relay
The V1624 supports DHCP, which automatically assigns IP addresses to the clients that access the network. You can use the limited IP address resource effectively and lower the cost of managing the network, because the DHCP server manages all IP addresses centrally.

Single IP Management
In a switch group, a switch configured as master can configure, manage and monitor the other switches, called slaves, with one IP address. Since one IP address can manage several switches, IP addresses are saved.

VLAN (Virtual Local Area Network)
A VLAN (Virtual Local Area Network) is made by dividing one network into several logical networks. Packets cannot be transmitted and received between different VLANs. Therefore, it prevents needless packets from accumulating and strengthens the security of the VLAN. The V1624 recognizes 802.1Q tagged frames and supports a maximum of 256 VLANs.

Port Trunk
The V1624 aggregates several physical interfaces into one logical port (aggregate port). Port trunking aggregates interfaces of the same speed, the same duplex mode and the same VLAN ID. According to IEEE 802.3ad, the V1624 can configure a maximum of six aggregate ports, each of which can include a maximum of eight ports, to decrease traffic and improve fault recovery.

LACP (Link Aggregation Control Protocol)
The V1624 supports LACP, complying with IEEE 802.3ad, which aggregates multiple links between devices in order to use an enlarged bandwidth.

Rate-limit
The V1624 provides graded bandwidths on all ports. By providing bandwidths graded according to the user's configuration, an ISP can charge graded billing plans and manage its lines efficiently and economically.

STP (Spanning Tree Protocol)
STP (Spanning Tree Protocol) enables switches that have a double path to use the double path without loops. That is, it activates only one path, the shortest one among several paths, and blocks the others to prevent a loop.

PVST (Per VLAN Spanning Tree)
The V1624 supports PVST (Per VLAN Spanning Tree), in which STP is operated independently per VLAN. PVST prevents the entire network from freezing because of a loop in one VLAN.

RSTP (Rapid Spanning Tree Protocol) (802.1w)
It is possible to construct a stable and flexible network on a metro Ethernet ring or an existing point-to-point link by supporting RSTP (Rapid Spanning Tree Protocol), complying with IEEE 802.1w. RSTP is designed to decrease the STP reconvergence time drastically. It greatly reduces the failover time on a Layer 2 switch that has a redundant link.

SSH Server
Through the enabled SSH (Secure Shell) server, the security of the telnet and ftp servers can be strengthened.

802.1x Port-based Authentication
The V1624 restricts clients attempting to access a port through 802.1x port-based authentication, to enhance the security and portability of network management. When a client attempts to connect to a port on which 802.1x port-based authentication is enabled, the switch transfers the required information to the RADIUS server for authentication. Therefore, only an authorized client that has the access right can connect to the port.

RADIUS and TACACS+
The V1624 supports the client authentication protocols RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System+). Not only the user ID and password registered in the switch but also authentication through the RADIUS server and TACACS+ server are required for access. Thus the security of the system and of network management is strengthened.

Broadcast Storm Control
A broadcast storm is a situation in which too many broadcast packets are transmitted to the network and cause a network timeout, because the packets occupy most of the transmit capacity. The V1624 supports broadcast storm control for broadcast packets, multicast packets and flooded packets, which discards the packets that exceed the limit during the time configured by the user.

System Management
Users who administer the system through telnet or the console port can easily configure the functions for system operation through DSH (Dasan Shell), which is based on the CLI. Unlike UNIX, DSH makes it easy to configure the needed functions after looking up the available commands with the help menu.


3 Command Line Interface (CLI)
This chapter describes how to use the Command Line Interface (CLI), which is used to configure the V1624 system.
Command Mode
Useful Tips

3.1 Command Mode
You can configure and manage the V1624 from a console terminal installed on the user's PC, using the CLI-based interface commands. Connect an RJ45-to-DB9 console cable to the V1624. This section explains how the CLI command modes are organized before installation. The CLI command modes are as follows:
Top Mode
Global Configuration Mode
Bridge Configuration Mode
DHCP Pool Configuration Mode
DHCP Option 82 Configuration Mode
Interface Configuration Mode
RMON Configuration Mode
Fig. 3.1 shows the V1624 software mode structure briefly.

User log-in (ID: root, Password: vertex25)
  -> Top mode: SWITCH#
     configure terminal
       -> Global Configuration mode: SWITCH(config)#
          interface INTERFACE (INTERFACE: interface name)
            -> Interface Configuration mode: SWITCH(config-if)#
          bridge
            -> Bridge Configuration mode: SWITCH(bridge)#
          ip dhcp subnet A.B.C.D netmask A.B.C.D group NAME
            -> DHCP Pool Configuration mode: SWITCH(config-dhcp)#
          ip dhcp option
            -> Option 82 Configuration mode: SWITCH(config-option)#
          rmon-alarm <1-65535> / rmon-event <1-65535> / rmon-history <1-65535>
            -> RMON Configuration mode: SWITCH(config-rmonalarm[N])# / SWITCH(config-rmonevent[N])# / SWITCH(config-rmonhistory[N])#

Fig. 3.1 Software mode structure


3.1.1 Top Mode
When you log in to the switch, the CLI starts in Top mode, which is a read-only mode. In this mode, you can see the system configuration and information with several commands. Tab. 3.1 shows the main commands of Top mode.

Command               Description
bping/ping/sping      Checks the network connection status.
clock                 Inputs the time and date into the system.
configure terminal    Opens Global Configuration mode.
reload                Reboots the system.
telnet                Connects to another device through telnet.
terminal line         Configures the number of lines displayed on the screen.
traceroute            Traces a packet route.
where                 Finds the users who accessed the system through telnet.
which-route           Shows the basic route to a packet destination.

Tab. 3.1 Main Commands of Top Mode

3.1.2 Global Configuration Mode
In Global Configuration mode, you can configure the general functions of the system. You can also open the other configuration modes from this mode. To open Global Configuration mode, enter the configure terminal command; the system prompt then changes from SWITCH# to SWITCH(config)#.

Command               Mode    Description
configure terminal    Top     Opens Global Configuration mode from Top mode.


Tab. 3.2 shows a couple of important main commands of Global Configuration mode.

Command                     Description
arp                         Registers an IP address and MAC address in the ARP table.
bridge                      Enters Bridge Configuration mode.
clear                       Disables the configured function.
copy                        Makes a backup file of the configuration or opens a backup file.
disconnect                  Disconnects a user accessed through telnet.
hostname                    Changes the hostname of the system prompt.
inactivity-timer            Configures the auto-logout function.
interface                   Enters Interface Configuration mode.
ip                          Configures various functions of the interface such as the DHCP server.
passwd                      Changes the password.
qos                         Configures QoS.
restore factory-defaults    Initializes the configuration of the switch.
snmp                        Configures SNMP.
syslog                      Configures Syslog.
time-zone                   Configures the time zone.
user                        Adds/deletes a user with read rights.

Tab. 3.2 Main Commands of Global Configuration Mode

3.1.3 Bridge Configuration Mode
In Bridge Configuration mode, you can configure various Layer 2 functions such as VLAN, STP, LACP, etc. To open Bridge Configuration mode, enter the bridge command; the system prompt then changes from SWITCH(config)# to SWITCH(bridge)#.

Command    Mode      Description
bridge     Global    Opens Bridge Configuration mode.

Tab. 3.3 shows a couple of main commands of Bridge Configuration mode.

Command                   Description
bandwidth-share-group     Secures a minimum port bandwidth and shares the bandwidth within one group.
clear                     Disables the configured functions.
rcommand                  Runs commands on a remote switch after configuring stacking.
set                       Configures port trunking, stacking, mirroring and STP.

Tab. 3.3 Main Commands of Bridge Configuration Mode


3.1.4 DHCP Pool Configuration Mode
In DHCP Pool Configuration mode, you can configure the general functions of DHCP for each DHCP pool. The V1624 supports multiple DHCP environments with this pool-based DHCP configuration. To open DHCP Pool Configuration mode, enter the ip dhcp subnet command; the system prompt then changes from SWITCH(config)# to SWITCH(config-dhcp)#.

Command                                                Mode      Description
ip dhcp subnet A.B.C.D netmask A.B.C.D group NAME      Global    Opens DHCP Pool Configuration mode to configure DHCP.

Tab. 3.4 shows the main commands of DHCP Pool Configuration mode.

Command            Description
default-gateway    Configures the default gateway of the pool.
range              Configures the range of IP addresses.

Tab. 3.4 Main Command of DHCP Pool Configuration Mode

3.1.5 DHCP Option 82 Configuration Mode
In DHCP Option 82 Configuration mode, you can configure DHCP option 82 for the DHCP relay agent. This feature enables network administrators to manage IP resources more efficiently. To open DHCP Option 82 Configuration mode, enter the ip dhcp option command; the system prompt then changes from SWITCH(config)# to SWITCH(dhcp-option)#.

Command           Mode      Description
ip dhcp option    Global    Opens DHCP Option 82 Configuration mode to configure DHCP option 82.

Tab. 3.5 shows the main commands of DHCP Option 82 Configuration mode.

Command        Description
lease-limit    Specifies the limit on the number of IP addresses assigned.
policy         Configures the policy for the option 82 field in the DHCP packet.

Tab. 3.5 Main Command of DHCP Option 82 Configuration Mode


3.1.6 Interface Configuration Mode
To open Interface Configuration mode, enter the command interface INTERFACE in Global Configuration mode; the prompt then changes from SWITCH(config)# to SWITCH(config-if)#.

Command                Mode      Description
interface INTERFACE    Global    Opens Interface Configuration mode.

Interface Configuration mode is used to assign an IP address to an Ethernet interface and to activate or deactivate the interface. Tab. 3.6 shows a couple of main commands of Interface Configuration mode.

Command        Description
bandwidth      Configures the bandwidth used to build routing information.
description    Sets the description of the interface.
ip             Assigns an IP address.
shutdown       Deactivates the interface.

Tab. 3.6 Main Commands of Interface Configuration Mode

3.1.7 RMON Configuration Mode
To open RMON-Alarm Configuration mode, enter rmon-alarm <1-65534>. To open RMON-Event Configuration mode, enter rmon-event <1-65534>. To open RMON-History Configuration mode, enter rmon-history <1-65534>. Tab. 3.7 shows a couple of important main commands of RMON Configuration mode.

Command    Description
active     Enables each RMON configuration.
owner      Shows the owner that configures each RMON entry and uses the related information.

Tab. 3.7 Main Commands of RMON Configuration Mode


3.2 Useful Tips
This section describes functions that make the CLI commands more convenient to use. They are as follows:
Listing Available Commands
Calling Command History
Using Abbreviation
Exit Current Command Mode

3.2.1 Listing Available Commands
To list the available commands, enter a question mark <?>. When you enter the question mark <?> in a command mode, you see the commands available in that mode and the variables that follow the commands. The following are the available commands in Top mode of the V1624.

SWITCH# ?
  bping        Send icmp echo request packets to all connected network hosts
  clock        Manually set the system clock
  configure    Configuration from dsh interface
  exit         Exit current mode and down to previous mode
  ftp          Open a ftp connection
  help         Description of the interactive help system
  list         Print command list
  ping         Send echo messages
  reload       Reload the system
  show         Show running system information
  sping        Send icmp echo request packets to network host from given address
  telnet       Open a telnet connection
  traceroute   Trace route to destination
  where        List active user connections
  which-route  Do route table lookup and display results
  write        Write running configuration to memory, network, or terminal
SWITCH#

The question mark <?> is not echoed on the screen, and you do not need to press <ENTER> to display the command list.

If you need a more detailed list of the commands available in the current mode, use the following command.

Command   Mode   Description
list      All    Shows the available commands of the current mode.

The following is an example of displaying list of available commands of Top mode.


SWITCH# list
  bping A.B.C.D
  clock MMDDhhmmYYYY
  configure terminal
  exit
  ftp DESTINATION
  help
-- more

Press the <ENTER> key to display the next page of the list.

With the command shell installed on the V1624, you can also find the commands that start with a given letter: type the first letter and the question mark without a space. The following example finds the commands starting with s in Top mode of the V1624.

SWITCH# s ?
  set     Configure switch
  show    Show running system information
  sping   Send icmp echo request packets to network host from given address
SWITCH# s

You can also view the variables to enter after a command: type the command, one space, and then the question mark. The following example displays the variables of the write command. Note that the space after the command is required.

SWITCH# write ?
  file       Write configuration to the file (same as write memory)
  memory     Write configuration to the file (same as write file)
  terminal   Write to terminal
SWITCH# write

3.2.2 Calling Command History

With the installed command shell, you do not have to retype repeated commands. To call the command history, use the up arrow key <↑>. Each press of the arrow key displays a previously used command, latest first. The following example calls the command history after several commands. After using the commands show clock, configure terminal, interface br1 and exit in that order, pressing the arrow key <↑> shows the commands from the latest one: exit, interface br1, configure terminal, show clock.

SWITCH(config)# exit
SWITCH# show clock
Mon, 5 Jan 1970 23:50:12 GMT+0000
SWITCH# configure terminal
SWITCH(config)# interface br1
SWITCH(config-if)# exit
SWITCH(config)# exit
SWITCH#                      (press the arrow key <↑>)
SWITCH# exit                 (arrow key <↑>)
SWITCH# interface br1        (arrow key <↑>)
SWITCH# configure terminal   (arrow key <↑>)
SWITCH# show clock           (arrow key <↑>)

3.2.3 Using Abbreviation

Most commands can also be entered in abbreviated form. The following table shows some examples of abbreviated commands.

Command              Abbreviation
clock                cl
exit                 ex
show                 sh
configure terminal   con te

Tab. 3.8  Command Abbreviation

3.2.4 Exit Current Command Mode

To exit to the previous command mode, use the following commands.

Command   Mode   Description
exit      All    Exits to the previous command mode.
end       All    Exits to Top mode.

If you use the exit command in Top mode, you are logged out.


4 System Connection and IP Address


4.1 System Connection

After installing the switch, check that every port of the V1624 is correctly connected to the network and to the management PC. Then connect to the system to configure and manage the V1624. This section explains how to change the password used for system connection and how to connect through telnet, in the following order:

- System Login
- Password for Top Mode
- Changing Login Password
- Auto Log-out
- Management for System Account
- Telnet Access
- System Rebooting

4.1.1 System Login

After installing the V1624, make sure that each port is correctly connected to the network and to the management PC. Then turn on the power and boot the system as follows.

Step 1  When you turn on the switch, booting starts automatically and the login prompt is displayed.

SWITCH login:

Step 2  Enter the login ID at the login prompt; the password prompt is then displayed. Enter the password to open Top mode. By default the login ID is root and the password is vertex25.

SWITCH login: root
Password: vertex25
SWITCH>

Change this default password immediately after the first login (see 4.1.3 Changing Login Password): the default account name and password are published in this manual, so they are the first thing anyone probing the switch will try.

4.1.2 Password for Top Mode

You can configure a password to protect entry to Top mode. To configure the password for Top mode, use the following command.

Command   Mode     Description
passwd    Global   Configures the password required to enter Top mode.


4.1.3 Changing Login Password

To configure the password of a created account, use the following command.

Command          Mode     Description
passwd [NAME]    Global   Configures the password of the created account NAME.

The following is an example of changing a password.

SWITCH(config)# passwd
Changing password for admin
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:junior95
Re-enter new password:junior95
Password changed.
SWITCH(config)#

The password you type is not echoed on the screen, so type it carefully.

4.1.4 Auto Log-out

For security, if no command is entered within the configured inactivity time, the user is automatically logged out of the system. The administrator can configure the inactivity timer. To enable auto log-out, use the following command.

Command                      Mode     Description
inactivity-timer <60-3600>   Global   Enables auto log-out. 60-3600: time in seconds (default: 600 seconds)
inactivity-timer 0           Global   Disables auto log-out.

To display the configuration of the auto log-out function, use the following command.

Command                 Mode         Description
show inactivity-timer   Top/Global   Shows the configuration of the auto log-out function.

The following is an example of configuring auto log-out to 60 seconds and viewing the configuration.

SWITCH(config)# inactivity-timer 60
SWITCH(config)# show inactivity-timer
Log-out time : 60 seconds
SWITCH(config)#


4.1.5 Management for System Account

4.1.5.1 Creating System Account

Only the administrator can manage and configure the switch, but the administrator can grant access to people who need information from the switch. A user with read right can check the state of the switch but cannot configure it; configuring requires write right. To create or delete a system account, use the following commands.

Command                      Mode     Description
user add NAME DESCRIPTION    Global   Creates a system account.
user del NAME                Global   Deletes a system account.

The following is an example of adding user A with read right. The password is set to vertex25.

SWITCH(config)# user add A lhs
Changing password for A
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:vertex25
Re-enter new password:vertex25
Password changed.
SWITCH(config)#

To display the created accounts, use the following command.

Command     Mode         Description
show user   Top/Global   Shows the created accounts.
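A check of the password rule the switch prints whenever a password is set (4.1.3 and 4.1.5.1), as an added example in Python; it is not code from this manual or from Dasan. The switch enforces only the 5 to 8 character length and merely recommends mixing upper case, lower case and digits. This example turns that recommendation into a hard check, measures the largest keyspace the 8-character ceiling allows, and generates a conforming password from the OS random source. The guess rate used for the time estimate is an assumption for illustration.

```python
"""Password rule of the V1624 password prompt (5-8 characters, mixed case plus digits).

Added example for this manual; not V1624 or Dasan code. The length limits come from
the prompt text; treating the mixed-character advice as mandatory is this example's
choice, and the guess rate in brute_force_seconds() is an assumption.
"""
import math
import secrets
import string
from typing import List

MIN_LEN, MAX_LEN = 5, 8
ALPHABET = string.ascii_letters + string.digits   # 62 symbols the prompt asks for


def policy_violations(password: str) -> List[str]:
    """Return the rule violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} not in {MIN_LEN}..{MAX_LEN}")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if any(c.isspace() for c in password):
        problems.append("contains whitespace")
    return problems


def keyspace_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(length: int, guesses_per_second: float = 1e9) -> float:
    """Time to exhaust the whole keyspace at an assumed offline guess rate.
    1e9 guesses/s is a round figure for a hashed-password cracking rig, not a measurement."""
    return len(ALPHABET) ** length / guesses_per_second


def generate(length: int = MAX_LEN) -> str:
    """Random password satisfying the rule, drawn with the OS CSPRNG (never random.choice)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("vertex25", "junior95", "Vertex25"):
        print(pw, policy_violations(pw) or "ok")
    print(f"max keyspace: {keyspace_bits(MAX_LEN):.1f} bits, "
          f"exhausted in {brute_force_seconds(MAX_LEN) / 86400:.1f} days at 1e9 guesses/s")
    print("suggested:", generate())
```

Both default passwords shown in this manual, vertex25 and junior95, fail the mixed-case rule, and even a fully random 8-character password has under 48 bits of entropy. Treat the account password as one layer only and combine it with the auto log-out of 4.1.4, SSH instead of telnet (4.2) and, where available, RADIUS or TACACS+ authentication (4.4).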

4.1.6 Telnet Access

To connect to a remote host through telnet, use the following command.

Command                         Mode   Description
telnet DESTINATION [TCP-PORT]   Top    Connects to a remote host. DESTINATION: IP address or host name

When you save the system configuration over a telnet connection, wait for the [OK] message. Otherwise all changes are lost when the telnet session is disconnected.

SWITCH# write memory
[OK]
SWITCH#

Telnet carries the login password and the whole session in cleartext. Where possible, manage the switch over SSH instead (see 4.2 SSH (Secure Shell)).


The system administrator can disconnect users connected from a remote place. To disconnect a user connected through telnet, use the following command. To find the TTY number of a session, list the active user connections with the where command (see 3.2.1).

Command                  Mode   Description
disconnect TTY-NUMBER    Top    Disconnects a user connected through telnet.

The following is an example of disconnecting a user connected from a remote place.

SWITCH(config)# disconnect ttyp0
SWITCH(config)#

4.1.7 System Rebooting

4.1.7.1 Manual System Rebooting

Some installation and maintenance tasks require the system to be rebooted. To restart the system manually, use the following command.

Command   Mode   Description
reload    Top    Restarts the system.

If you reboot the system without saving the new configuration, the unsaved changes are lost, so save the configuration before rebooting. To prevent this mistake, the V1624 prints the following prompt asking whether to save the configuration before it reboots. Press <y> to save the configuration and reboot, or <n> to reboot without saving.

SWITCH# reload
Do you want to save the system configuration? [y/n]

The reload command reboots the system with the current default system software. To change the default system software, use the set default-os command.

4.1.7.2 Auto System Rebooting


The V1624 can also reboot itself automatically according to the user's configuration, based on two indicators: CPU and memory. A CPU-triggered reboot occurs when the CPU load or interrupt load stays above the configured value for the configured time. A memory-triggered reboot occurs when a memory-low condition has occurred the configured number of times.


To enable the auto system rebooting function, use the following commands.

Command                                    Mode     Description
set auto-reset cpu <50-100> <1-100> TIME   Bridge   Reboots the system automatically when the average CPU load or interrupt load exceeds the configured value for the user-defined time.
                                                    50-100: average CPU load per 1 minute (%)
                                                    1-100: average interrupt load (%)
                                                    TIME: duration in minutes
set auto-reset memory <1-120> <1-10>       Bridge   Reboots the system automatically when memory low occurs the configured number of times.
                                                    1-120: time of memory low
                                                    1-10: count of memory low (default: 5)
clear auto-reset {cpu | memory}            Bridge   Disables auto system rebooting.

To show the auto system rebooting configuration, use the following command.

Command                           Mode            Description
show auto-reset {cpu | memory}    Global/Bridge   Shows the configuration of the auto-rebooting function.

The following is an example of configuring the auto-restart function to reboot when the CPU load or interrupt load stays above 70% for 1 minute (60 seconds), and viewing the configuration.

SWITCH(config)# set auto-reset cpu 70 70 1
SWITCH(bridge)# show auto-reset
------------------------------
Auto-Reset Configuration
------------------------------
auto-reset-memory:   on
auto-reset-cpu:      on
  cpu load:          70
  interrupt load:    70
  continuation time: 1
SWITCH(bridge)#
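The CPU rule of set auto-reset cpu applied to a series of 1-minute load averages, as an added example in Python; it is not code from this manual or from Dasan. It implements the rule exactly as the manual states it: the switch reboots when the 1-minute average CPU load or interrupt load exceeds the configured value for TIME consecutive minutes. The load history is constructed for this example, and resetting the streak after a trigger (a reboot clears the condition) is an assumption.

```python
"""Evaluator for 'set auto-reset cpu <50-100> <1-100> TIME' against a load history.

Added example for this manual; not V1624 or Dasan code. Rule as documented: reboot when
the 1-minute average CPU load OR interrupt load is above the configured value for TIME
consecutive minutes. SAMPLES is a constructed load history.
"""
from typing import List, Optional, Tuple


class CpuAutoReset:
    def __init__(self, cpu_load: int, interrupt_load: int, minutes: int):
        # Same ranges as the CLI arguments: 50-100, 1-100, TIME in minutes.
        if not 50 <= cpu_load <= 100 or not 1 <= interrupt_load <= 100 or minutes < 1:
            raise ValueError("arguments outside the ranges of 'set auto-reset cpu'")
        self.cpu_load = cpu_load
        self.interrupt_load = interrupt_load
        self.minutes = minutes          # "continuation time" in the show output
        self._streak = 0                # consecutive minutes over threshold

    def observe(self, cpu_avg: float, irq_avg: float) -> bool:
        """Feed one pair of 1-minute averages; True means the switch would reboot now."""
        if cpu_avg > self.cpu_load or irq_avg > self.interrupt_load:
            self._streak += 1
        else:
            self._streak = 0            # one quiet minute breaks the continuation
        if self._streak >= self.minutes:
            self._streak = 0            # assumption: a reboot clears the condition
            return True
        return False


def first_reboot_minute(samples: List[Tuple[float, float]],
                        cpu_load: int, interrupt_load: int, minutes: int) -> Optional[int]:
    """1-based minute at which the rule first fires on the given history, or None."""
    rule = CpuAutoReset(cpu_load, interrupt_load, minutes)
    for minute, (cpu, irq) in enumerate(samples, start=1):
        if rule.observe(cpu, irq):
            return minute
    return None


# Constructed history of (cpu %, interrupt %) 1-minute averages: a one-minute spike at
# minute 2, then three sustained minutes (4-6), with an interrupt burst at minute 6.
SAMPLES = [(40, 10), (85, 20), (30, 5), (90, 15), (95, 10), (88, 60), (20, 5)]

if __name__ == "__main__":
    for cfg in ((70, 70, 1), (70, 70, 3), (70, 70, 4), (99, 50, 1)):
        print("set auto-reset cpu %d %d %d -> reboot at minute %s"
              % (cfg + (first_reboot_minute(SAMPLES, *cfg),)))
```

The point of running the rule over real load history before enabling it: with TIME 1, as in the manual's example, a single busy minute reboots the switch, which an attacker can provoke with traffic alone; a longer TIME rides out short spikes but still catches a sustained overload.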


4.2 SSH (Secure Shell)

Network security matters more as networks are shared by more users, and the traditional FTP and telnet services are weak in this respect: they carry login credentials and all session data in cleartext. SSH (Secure Shell) is a secure shell for login. With SSH all traffic is encrypted and can be compressed, and SSH can tunnel protocols such as FTP and POP that are not secure by themselves.

4.2.1 SSH Server

The V1624 can operate as an SSH server. Configure the switch as an SSH server with the following procedure.

4.2.1.1 Enabling SSH Server

To enable or disable the SSH server, use the following commands.

Command               Mode     Description
ssh server enable     Global   Enables the SSH server.
ssh server disable    Global   Disables the SSH server.

4.3 802.1x Authentication

To restrict which clients may use a port, the V1624 offers two forms of authentication: port-based authentication (802.1x) and authentication based on MAC address. With port-based authentication, the switch forwards the access request to a RADIUS server that holds the information about the user, and the RADIUS server decides whether access is granted. 802.1x authentication uses the EAP (Extensible Authentication Protocol) framework. EAP methods include EAP-MD5 (Message Digest 5), EAP-TLS (Transport Layer Security), EAP-SRP (Secure Remote Password) and EAP-TTLS (Tunneled TLS); the V1624 supports EAP-MD5 and EAP-TLS. EAP-MD5 is a one-way authentication of the user based on the user's ID and password. EAP-TLS performs mutual, certificate-based authentication of both the server and the user, which gives considerably higher security. A user's PC (the supplicant) starts authentication by sending an EAPOL-Start packet to the authenticator; the authenticator requests the user's identity, and after receiving the response it sends an access request to the RADIUS server, which checks the user's information and accepts or rejects the access.


The following figure shows the process of 802.1x authentication.

[Supplicant]                      [Authenticator]                      [Authentication Server]
              EAPOL (EAP over LAN)                  EAP over RADIUS              (RADIUS Server)

  EAPOL-Start              -->
  EAP-Request/Identity     <--
  EAP-Response/Identity    -->      RADIUS Access-Request        -->
  EAP-Request              <--      RADIUS Access-Challenge      <--
  EAP-Response             -->      RADIUS Access-Request        -->
  EAP-Success              <--      RADIUS Access-Accept         <--

Fig. 4.1  Process of 802.1x Authentication
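The cryptographic step behind the EAP-Request/EAP-Response pair in Fig. 4.1 when EAP-MD5 is used, as an added example in Python; it is not code from this manual or from Dasan and sends no packets. It follows RFC 3748 (EAP) and the CHAP algorithm it reuses from RFC 1994: the server sends a random challenge, the supplicant answers with MD5(identifier || password || challenge), and the server recomputes and compares. The packet builder and parser, the identifier, challenge and password values, and the wordlist of the offline-guess helper are all constructed for this example. The last function shows why the manual rates EAP-TLS higher than EAP-MD5: whoever captures one challenge/response pair on the LAN can test password guesses offline, without ever contacting the RADIUS server.

```python
"""EAP-MD5 challenge/response as carried inside the 802.1x exchange of Fig. 4.1.

Added example for this manual; not V1624 or Dasan code, and no packets are sent.
Algorithm: RFC 3748 section 5.4 (EAP MD5-Challenge), which reuses CHAP (RFC 1994):
    Response Value = MD5(Identifier || password || Challenge)
All sample values (identifier, challenge, password, wordlist) are constructed.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2      # EAP Code field
EAP_TYPE_MD5_CHALLENGE = 4            # EAP Type field


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: the 16-byte Value of the EAP-Response/MD5-Challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is one byte")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5_packet(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """EAP packet layout: Code | Identifier | Length(2) | Type | Value-Size | Value | Name."""
    payload = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    length = 4 + len(payload)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + payload


def parse_eap_md5_packet(packet: bytes) -> dict:
    """Inverse of build_eap_md5_packet, with the length checks a receiver must make."""
    if len(packet) < 6:
        raise ValueError("truncated EAP packet")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError("EAP Length does not match packet size")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size exceeds packet")
    return {"code": code, "identifier": identifier,
            "value": packet[6:6 + value_size], "name": packet[6 + value_size:]}


def verify_md5_response(identifier: int, password: bytes, challenge: bytes, response: bytes) -> bool:
    """Authentication-server side; constant-time compare avoids a timing side channel."""
    expected = eap_md5_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response)


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Why EAP-MD5 is the weaker choice: request and response cross the LAN unencrypted,
    so one captured pair lets an attacker test guesses offline at full speed."""
    for guess in wordlist:
        if eap_md5_response(identifier, guess, challenge) == response:
            return guess
    return None


def run_exchange(password: bytes, identifier: int = 1, challenge: Optional[bytes] = None) -> dict:
    """Server builds the Request, supplicant answers, server verifies; returns both packets."""
    challenge = challenge if challenge is not None else os.urandom(16)
    request = build_eap_md5_packet(EAP_REQUEST, identifier, challenge, b"switch")
    req = parse_eap_md5_packet(request)
    value = eap_md5_response(req["identifier"], password, req["value"])
    response = build_eap_md5_packet(EAP_RESPONSE, req["identifier"], value, b"user")
    resp = parse_eap_md5_packet(response)
    accepted = verify_md5_response(identifier, password, challenge, resp["value"])
    return {"request": request, "response": response, "accepted": accepted,
            "challenge": challenge, "response_value": resp["value"]}


if __name__ == "__main__":
    ex = run_exchange(b"vertex25", identifier=7)
    print("accepted:", ex["accepted"])
    # An eavesdropper with the two packets recovers the password from a small wordlist.
    print("offline guess:", offline_guess(7, ex["challenge"], ex["response_value"],
                                          [b"password", b"vertex25", b"junior95"]))
```

Nothing in this exchange is tied to the RADIUS shared key or to the switch: the MD5 response depends only on the password, so the protection of the user's credential is exactly the password's resistance to offline guessing. That is the concrete reason to prefer EAP-TLS on the V1624 wherever the clients can hold certificates.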

To enable 802.1x authentication on a port of the V1624, perform the following tasks.

4.3.1 802.1x Authentication

4.3.1.1 Enabling 802.1x

To configure 802.1x, first enable the 802.1x daemon. To enable the 802.1x daemon, use the following commands.

Command          Mode     Description
dot1x enable     Global   Enables the 802.1x daemon.
dot1x disable    Global   Disables the 802.1x daemon.


After configuring 802.1x port-based authentication as explained above, you can check the configuration. To check the 802.1x configuration, use the following command.

Command       Mode     Description
show dot1x    Global   Shows the 802.1x configuration.

4.3.2 Configuring Port-based 802.1x Authentication

Port-based 802.1x authentication authenticates the port itself, regardless of the number of clients behind it. After enabling the 802.1x daemon, configure port-based authentication as follows.

4.3.2.1 Configuring Authentication Port

After enabling the 802.1x daemon, configure which ports use 802.1x port-based authentication. To configure 802.1x port-based authentication, use the following commands in Global configuration mode.

Command                    Mode     Description
dot1x port enable PORT     Global   Configures a port for 802.1x port-based authentication.
dot1x port disable PORT    Global   Removes a port from 802.1x port-based authentication.

More than one port number can be given, separated by , or as a range with -.

4.3.2.2 Designating User Authentication Interface

When more than one interface or IP address is configured on the V1624 and authentication is used, you can designate a particular interface or IP address as the source of the packets sent to the authentication server. To designate the user authentication interface, use the following command.

Command                                       Mode     Description
dot1x radius interface INTERFACE [A.B.C.D]    Global   Designates the user authentication interface and IP address.

4.3.2.3 Configuring RADIUS Server

The RADIUS server is registered in the authenticator, and the authenticator is registered in the RADIUS server. Besides each other's IP address, the authenticator and the RADIUS server need a shared secret to authenticate each other: the key, which must have the same value on both sides. Any characters may be used for the key except spaces and special characters. Use a long, random key: it is the only secret that authenticates the switch and the RADIUS server to each other, so a short key such as the single character 1 used in the examples of this chapter is suitable only for a lab.


[Supplicant] --- [Authenticator] --- RADIUS Servers (authentication requests are sent in registration order; the first server to respond is designated as the default RADIUS server)
                                       A : 10.1.1.1
                                       B : 20.1.1.1
                                       C : 30.1.1.1
                                       :
                                       J : 100.1.1.1

Fig. 4.2  Multiple Authentication Servers

If several servers are registered, the authenticator starts with the RADIUS server registered first and, if it gets no response, requests the second RADIUS server. The authentication request is tried in registration order, and the server that responds becomes the default server from that point on. Once a default server is designated, all requests start from that server. If the default server stops responding, the authentication request is tried on the next registered RADIUS server. To configure the IP address and key value of a RADIUS server, use the following commands.

Command                              Mode     Description
dot1x radius host IP-ADDRESS KEY     Global   Registers a RADIUS server with its key value. IP-ADDRESS: IP address of the RADIUS server; KEY: the key value
no dot1x radius host IP-ADDRESS      Global   Deletes a registered RADIUS server.

4.3.2.4 The Number of Requests for Authentication

Once 802.1x port-based authentication is configured as explained above, a user connecting to the port is authenticated in an exchange between the user's PC, the switch acting as authenticator, and the RADIUS server. You can configure how many times the switch, as authenticator, sends the authentication request to the RADIUS server.


To configure the number of authentication requests on the V1624, use the following command in Global mode.

Command                        Mode     Description
dot1x radius retries NUMBER    Global   Configures the number of authentication requests sent to the RADIUS server.

Authentication request here means the RADIUS Access-Request in Fig. 4.1 Process of 802.1x Authentication.

4.3.2.5 Re-attempt Interval of Authentication Request

If there is no response after the V1624 sends an authentication request to the RADIUS server, the request is re-sent up to the number of times configured above. The administrator also needs to set how long to wait before re-sending. For example, if the re-attempt interval is configured as 1000 ms (1 s) and no response arrives within 1000 ms, the authentication request is re-sent. The re-attempt interval takes effect only when no response arrives at all; if the server responds, the request is not re-sent. To configure the re-attempt interval of the authentication request, use the following command in Global configuration mode.

Command                      Mode     Description
dot1x radius timeout TIME    Global   Configures the re-attempt interval of the authentication request to the RADIUS server (unit: ms).

On the V1624 the re-attempt interval is 100 ms by default.

If the server is far away and the re-attempt interval is configured too short for the request to reach the server and the answer to return, authentication may fail. Configure the re-attempt interval with the distance to the server in mind. If authentication fails often after configuration, check the re-attempt interval and allow enough time.
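The server selection and retry rules of 4.3.2.3 to 4.3.2.5 as a small model in Python, added here as an example; it is not code from this manual or from Dasan and sends no packets. The rules are the ones the manual states: servers are tried in registration order, a silent server is retried NUMBER times with TIME ms between attempts, the first server that answers becomes the default and later requests start there, and when the default falls silent the next registered server is tried. The responds callable that stands in for the network, and the reading of NUMBER as the total number of attempts per server, are assumptions of this example.

```python
"""Model of the V1624 dot1x RADIUS server selection, retry and timeout rules.

Added example for this manual; not V1624 or Dasan code, and nothing is sent on the
network. `responds(server)` stands in for "an Access-Challenge/Accept/Reject arrived",
and `retries` is taken as the total number of attempts per server (assumption).
"""
from typing import Callable, List, Optional


class RadiusServerPool:
    def __init__(self, servers: List[str], retries: int = 3, timeout_ms: int = 100):
        if not servers:
            raise ValueError("register at least one server with 'dot1x radius host'")
        self.servers = list(servers)       # registration order, as in Fig. 4.2
        self.retries = retries             # dot1x radius retries NUMBER
        self.timeout_ms = timeout_ms       # dot1x radius timeout TIME (ms; default 100)
        self.default: Optional[str] = None # server designated after the first answer
        self.elapsed_ms = 0                # simulated time spent waiting on silent servers

    def _order(self) -> List[str]:
        """Start from the default server, then continue through the registration list."""
        if self.default is None:
            return self.servers
        i = self.servers.index(self.default)
        return self.servers[i:] + self.servers[:i]

    def authenticate(self, responds: Callable[[str], bool]) -> Optional[str]:
        """Return the server that answered this request, or None if every server timed out."""
        for server in self._order():
            for _ in range(self.retries):
                if responds(server):
                    self.default = server      # the responder becomes the default
                    return server
                self.elapsed_ms += self.timeout_ms
        return None

    def worst_case_ms(self) -> int:
        """Longest wait before the supplicant gets no decision, with all servers silent."""
        return len(self.servers) * self.retries * self.timeout_ms


if __name__ == "__main__":
    # Constructed scenario: A is down, B and C answer; then B goes down as well.
    down = {"10.1.1.1"}
    pool = RadiusServerPool(["10.1.1.1", "20.1.1.1", "30.1.1.1"], retries=5, timeout_ms=1000)
    print(pool.authenticate(lambda s: s not in down), pool.elapsed_ms, "ms")
    down.add("20.1.1.1")
    print(pool.authenticate(lambda s: s not in down), pool.elapsed_ms, "ms")
    print("worst case with every server silent:", pool.worst_case_ms(), "ms")
```

A silent server is expensive: with retries 5 and timeout 1000 a dead first server adds 5 s to every authentication until another server answers and becomes the default, and with all servers down a client waits retries × timeout × servers before anything happens at all. Choose the two values together, with the re-authentication period of 4.3.2.6 in mind, since every re-authentication repeats this wait.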


The following is an example of configuring the number of authentication requests to 5 and the re-attempt interval to 1 s.

SWITCH(config)# dot1x radius retries 5
SWITCH(config)# dot1x radius timeout 1000
SWITCH(config)# show dot1x
802.1x authentication enabled
Reauth period  : 3600 (Seconds)
Radius retries : 5
Radius timeout : 1000 (Milli-Second)
Radius server  : 100.1.1.1 (Auth key : 1)
            |         1         2
802.1x      |12345678901234567890123456
------------+--------------------------
PortEnable  |.......................p..
PortAuthed  |..........................
MacEnable   |..........................
SWITCH(config)#
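A parser for the per-port bitmap that show dot1x prints (the PortEnable, PortAuthed and MacEnable rows above), as an added example in Python; it is not code from this manual or from Dasan. Each row holds one character per port, in the order of the ruler row: a dot means the flag is off, any other character (p, m) means it is set. The sample text is transcribed from the output above, and the audit rules at the end (a port with authentication enabled but nothing authenticated, a port with both port-based and MAC-based authentication set, a daemon with no ports) are this example's own checks, not checks the switch performs.

```python
"""Parser and audit for the 'show dot1x' port bitmap of the V1624.

Added example for this manual; not V1624 or Dasan code. SAMPLE is transcribed from the
manual's example output; the audit rules are this example's own.
"""
import re
from typing import Dict, List, Set

SAMPLE = (
    "802.1x authentication enabled\n"
    + "Reauth period  : 3600 (Seconds)\n"
    + "Radius retries : 5\n"
    + "Radius timeout : 1000 (Milli-Second)\n"
    + "Radius server  : 100.1.1.1 (Auth key : 1)\n"
    + "            |         1         2\n"
    + "802.1x      |12345678901234567890123456\n"
    + "------------+--------------------------\n"
    + "PortEnable  |" + "." * 23 + "p..\n"     # port 24 has 802.1x enabled
    + "PortAuthed  |" + "." * 26 + "\n"        # no supplicant authenticated yet
    + "MacEnable   |" + "." * 26 + "\n"
)

ROW = re.compile(r"^(PortEnable|PortAuthed|MacEnable)\s*\|([.\w]+)\s*$")
KV = re.compile(r"^(Reauth period|Radius retries|Radius timeout)\s*:\s*(\d+)")
SERVER = re.compile(r"^Radius server\s*:\s*(\S+)")


def parse_show_dot1x(text: str) -> Dict[str, object]:
    """Return {'enabled', 'settings', 'servers', 'ports': {row name: set of 1-based ports}}."""
    result: Dict[str, object] = {"enabled": False, "settings": {}, "servers": [], "ports": {}}
    for line in text.splitlines():
        if line.startswith("802.1x authentication"):
            result["enabled"] = line.strip().endswith("enabled")
            continue
        m = KV.match(line)
        if m:
            result["settings"][m.group(1)] = int(m.group(2))
            continue
        m = SERVER.match(line)
        if m:
            result["servers"].append(m.group(1))
            continue
        m = ROW.match(line)
        if m:
            flag, bitmap = m.group(1), m.group(2)
            # Character i of the bitmap is port i+1, matching the ruler '1234567890...'.
            result["ports"][flag] = {i + 1 for i, ch in enumerate(bitmap) if ch != "."}
    return result


def audit(parsed: Dict[str, object]) -> List[str]:
    """Flag port states that usually mean a configuration is incomplete or contradictory."""
    findings: List[str] = []
    ports: Dict[str, Set[int]] = parsed["ports"]
    enabled = ports.get("PortEnable", set())
    authed = ports.get("PortAuthed", set())
    mac = ports.get("MacEnable", set())
    for p in sorted(enabled - authed):
        findings.append(f"port {p}: 802.1x enabled but no supplicant authenticated")
    for p in sorted(mac & enabled):
        findings.append(f"port {p}: both port-based and MAC-based authentication set")
    if parsed["enabled"] and not enabled and not mac:
        findings.append("802.1x daemon enabled but no port is configured")
    return findings


if __name__ == "__main__":
    parsed = parse_show_dot1x(SAMPLE)
    print(parsed["settings"], parsed["servers"], parsed["ports"])
    for finding in audit(parsed):
        print("-", finding)
```

Run over output collected from several switches, the parser gives a quick inventory of which access ports are actually protected; the manual's own example shows the common gap, port 24 enabled with nothing authenticated on it, which is either a port waiting for its first client or a supplicant that is failing silently.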

4.3.2.6 Configuring Term of Re-authentication

The RADIUS server holds the database of users with access right. The database is updated in real time, so a user who was once authenticated can lose the access right when the database is updated. In that case the user, although already on the network, must be authenticated again so that the changed database takes effect. For this and other reasons related to managing the RADIUS server and the 802.1x authentication port, users are re-authenticated at a regular interval. The administrator of the V1624 can configure this re-authentication term with the following command in Global configuration mode.

Command                     Mode     Description
dot1x reauth-period TIME    Global   Configures the term of re-authentication in seconds. (Default: 3600 sec)

Re-authentication restarts the exchange from the EAPOL-Start in Fig. 4.1 Process of 802.1x Authentication.

The following is an example of configuring the 802.1x re-authentication period to 30 minutes.

SWITCH(config)# dot1x reauth-period 1800
SWITCH(config)# show dot1x
802.1x authentication enabled
Reauth period  : 1800 (Seconds)
Radius retries : 5
Radius timeout : 1000 (Milli-Second)
Radius server  : 100.1.1.1 (Auth key : 1)
---------------------------------------
            |         1         2
802.1x      |12345678901234567890123456
------------+--------------------------
PortEnable  |.......................p..
PortAuthed  |..........................
MacEnable   |..........................
SWITCH(config)#

4.3.3 Client Authentication through MAC Address

Suppose a switch or hub that does not support 802.1x authentication is connected to the V1624, with many clients connected to it. If one of those clients is authenticated by the V1624, all clients connected to that device automatically get access. For example, SWITCH A, which does not support 802.1x authentication, is connected to the V1624, and clients A, B, C and D are connected to SWITCH A. If client A is authenticated through SWITCH A, clients B, C and D connected to SWITCH A get the same access right as client A. To authenticate only client A, access by clients B, C and D must be blocked. If the V1624 grants the access right by MAC address, only client A is authenticated.

If the device a client is connected to supports 802.1x user authentication itself, there is no need to use MAC address authentication.

To grant the access right to clients by MAC address, use the following commands.

Command                    Mode     Description
dot1x mac enable PORT      Global   Grants the access right to clients by MAC address on the port.
dot1x mac disable PORT     Global   Stops granting the access right by MAC address on the port.

Before configuring 802.1x user authentication based on MAC address, block all packets entering the authenticated port with set mac-filter default-policy deny PORT-NUMBER, so that only MAC addresses that pass authentication are allowed through.

The following shows the change when the per-port user authentication configured on the system is switched to MAC-address-based authentication.

SWITCH(config)# show dot1x
802.1x authentication enabled
Radius server : 100.1.1.1 (Auth key : 1)
---------------------------------------
            |         1         2
802.1x      |12345678901234567890123456
------------+--------------------------
PortEnable  |.......................p..
PortAuthed  |..........................
MacEnable   |..........................
SWITCH(config)# set mac-filter default-policy deny 24
SWITCH(config)# dot1x mac enable 24
SWITCH(config)# show dot1x
802.1x authentication enabled
Radius server : 100.1.1.1 (Auth key : 1)
---------------------------------------
            |         1         2
802.1x      |12345678901234567890123456
------------+--------------------------
PortEnable  |..........................
PortAuthed  |..........................
MacEnable   |.......................m..
SWITCH(config)#

To check whether user authentication by MAC address is working, use the command show mac BRIDGE [PORT]. If it is working, the permission column shows OK for an authenticated MAC address and - for an unauthenticated one.

SWITCH(config)# show mac br1 8
port (id)   mac addr            permission   in use
eth08(8)    08:00:46:9a:12:b8   OK           0.06
eth08(8)    00:0e:a6:25:48:40   -            0.23
eth08(8)    00:03:47:de:27:9e   -            0.34
eth08(8)    00:e0:98:8a:ea:b9   -            0.62
eth08(8)    00:d0:59:64:bc:a7   -            0.74
eth08(8)    00:00:f0:82:67:49   -            1.05
eth08(8)    00:c0:ca:33:5b:5c   -            1.29
eth08(8)    00:0c:6e:4c:0d:0f   -            1.79
eth08(8)    00:00:86:60:fe:23   -            2.48
eth08(8)    00:60:08:43:6b:67   -            3.46
eth08(8)    00:0c:6e:4c:0d:15   -            4.15
eth08(8)    00:c0:26:00:61:29   -            4.33
eth08(8)    00:00:e2:6e:f8:3b   -            5.57
eth08(8)    08:00:46:60:96:4b   -            6.10
eth08(8)    00:0c:6e:4c:11:14   -            6.31
eth08(8)    00:a0:b0:05:0d:a4   -            6.31
eth08(8)    00:40:2b:23:58:02   -            6.47
(Omitted)
SWITCH(config)#


4.3.4 Checking and Deleting 802.1x User Authentication Statistics

You can check the statistics of 802.1x user authentication and reset them by deleting them. To check the statistics of the 802.1x user authentication process, use the following commands.

Command                       Mode         Description
show dot1x PORT               Top/Global   Shows the statistics of 802.1x user authentication on the port.
dot1x clear statistic PORT    Global       Resets the statistics by deleting the 802.1x statistics of the port.

The following shows the statistics of a port configured for 802.1x user authentication.

SWITCH(config)# show dot1x 24
Dot1x Packet Statistics
------------------------------------------------------------
 supplicant             NAS (port =24)          Radius Server      count
------------------------------------------------------------
 EAPOL START      ->
                  <- EAP-Req-Id
 EAP-Resp-Id      ->
                        Access-Req(Id)    ->
                                          <- Challenge
                  <- EAP-Req-MD5
 EAP-Resp-MD5     ->
                        Access-Req(MD5)   ->
                                          <- Accept
                  <- EAP-Success
SWITCH(config)#

The following shows the result after deleting all 802.1x user authentication statistics and returning them to the reset state.

SWITCH(config)# dot1x clear statistic 24
SWITCH(config)# show dot1x 24
Dot1x Packet Statistics
------------------------------------------------------------
 supplicant             NAS (port =24)          Radius Server      count
------------------------------------------------------------
 EAPOL START      ->
                  <- EAP-Req-Id
 EAP-Resp-Id      ->
                        Access-Req(Id)    ->
                                          <- Challenge
                  <- EAP-Req-MD5
 EAP-Resp-MD5     ->
                        Access-Req(MD5)   ->
                                          <- Accept
                  <- EAP-Success
SWITCH(config)#


4.3.5 Disabling 802.1x User Authentication

To disable 802.1x user authentication, use the following command.

Command         Mode     Description
dot1x disable   Global   Disables 802.1x user authentication and deletes all configuration related to it.
no dot1x        Global   Same as dot1x disable.

If you disable the 802.1x function, the 802.1x configuration is deleted.

The following disables the function and checks the result.

SWITCH(config)# dot1x disable
SWITCH(config)# show dot1x
802.1x authentication disabled
SWITCH(config)#

4.4 System Authentication

The V1624 offers enhanced client authentication, and the authorization method can be configured in several ways. Usually the ID/password registered in the switch is used, but if RADIUS (Remote Authentication Dial-In User Service) or TACACS+ (Terminal Access Controller Access Control System+), both client authentication protocols, is used, only clients recorded on the respective server can connect to the system. With TACACS+ configured, client information is sent for authorization. Configure the following for system authentication on the V1624:

- Configuring Authorization Method
- Designating User Authentication Interface
- Configuring Priority of Authorization Method
- Checking Configured Priority of Authorization Method
- Configuring RADIUS
- Configuring TACACS+
- Recording Users Configuration

Before enabling RADIUS or TACACS+, add a user with read right named user with the user add command. Otherwise every user who logs in through the authentication protocol is granted root rights. Refer to 4.1.5 Management for System Account for instructions on adding a user with read right.


4.4.1 Configuring Authorization Method

Clients attempting to access the V1624 can be authorized with the registered ID/password, with RADIUS, or with TACACS+. All three can be enabled, or just one of them. To configure the authorization method, use the following commands.

Command                                                  Mode     Description
set login local {radius | tacacs | host | all} enable    Global   Enables an authorization method for clients connecting through the console.
set login remote {radius | tacacs | host | all} enable   Global   Enables an authorization method for clients connecting through telnet.

host is authentication with the ID/password registered in the switch, and is the default.

To disable a configured authorization method, use the following commands.

Command                                                  Mode     Description
set login local {radius | tacacs | host | all} disable   Global   Disables an authorization method for clients connecting through the console.
set login remote {radius | tacacs | host | all} disable  Global   Disables an authorization method for clients connecting through telnet.

4.4.2 Designating User Authentication Interface

When more than one interface or IP address is configured on the V1624 and RADIUS or TACACS authentication is used, you can designate a particular interface or IP address as the source of the packets sent to the authentication server. To designate the user authentication interface, use the following command.

Command                                                      Mode     Description
set login {radius | tacacs} interface INTERFACE [A.B.C.D]    Global   Designates the user authentication interface and IP address.

4.4.3 Configuring Priority of Authorization Method

After enabling several authorization methods, you can configure their priority: which method is tried first, second and last. To configure the priority of the authorization methods, use the following commands.

Command                                              Mode     Description
set login local {radius | tacacs | host} primary     Global   Makes the method the first one tried for clients connecting through the console.
set login remote {radius | tacacs | host} primary    Global   Makes the method the first one tried for clients connecting through telnet.


By default, the priority of V1624 authentication is host, radius, tacacs, in that order.

4.4.4 Checking Configured Priority of Authorization Method

You can check the configured priority of the authorization methods with the following command.

Command      Mode         Description
show login   Top/Global   Shows the configuration of the authorization methods.

The following is an example of configuring the authorization method on the V1624. RADIUS is added to the default method for clients connecting through the console and through telnet; RADIUS is given priority for console clients, and the default method (host) keeps priority for telnet clients. The configuration is then checked.

SWITCH(config)# user add user test1
Changing password for user
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:vertex
Re-enter new password:vertex
Password changed.
SWITCH(config)# set login local radius enable
SWITCH(config)# set login remote radius enable
SWITCH(config)# set login local radius primary
SWITCH(config)# set login remote host primary
SWITCH(config)# show login
[AUTHEN]
Local login     : radius host
Remote login    : host radius
Accounting mode : none
------------------------------------
[RADIUS]
<Radius Servers & Key>
Radius Retries  : 0
Radius Timeout  : 0
------------------------------------
[TACACS]
<Tacacs Servers & Key>
Tacacs Timeout        : 0
Tacacs Socket Port    : 0
Tacacs Interface      :
Tacacs PPP Id         : 0
Tacacs Authen Type    : ASCII
Tacacs Priority Level : min
SWITCH(config)#


4.4.5

Configuring RADIUS

4.4.5.1

Configuring RADIUS Server


After selecting RADIUS for client authentication, you need to register the RADIUS server the switch will use. To register a RADIUS server, use the following command.

Command                                          Mode    Description
set login radius add server A.B.C.D KEY [PORT]   Global  Registers the IP address and key of a RADIUS server to be used by the switch. (MAX: 5 RADIUS servers)

To delete a registered RADIUS server, use the following command.

Command                               Mode    Description
set login radius del server A.B.C.D   Global  Deletes a registered RADIUS server.

4.4.5.2 Configuring Frequency of Retransmit


When the V1624 gets no response from the RADIUS server, it retransmits the request. By default the request is retransmitted three times; the count is configurable with the following command.

Command                             Mode    Description
set login radius retransmit COUNT   Global  Configures the number of times to retransmit information to the RADIUS server. (Default: 3)

4.4.5.3 Configuring Timeout of Response


The number of seconds the switch waits for a response from the RADIUS server is configurable. To configure the response timeout, use the following command.

Command                          Mode    Description
set login radius timeout TIME    Global  Configures the number of seconds that the switch waits for a response from the RADIUS server. (Default: 5 sec)

The following is an example of configuring the retransmit count and the response timeout after registering a RADIUS server.

SWITCH(config)# set login radius add server 100.1.1.1 1
SWITCH(config)# set login radius retransmit 5
SWITCH(config)# set login radius timeout 10
SWITCH(config)# show login
[AUTHEN]
Local login : radius host
Remote login : host radius
Accounting mode : none
------------------------------------
[RADIUS]
<Radius Servers & Key>
100.1.1.1 1
Radius Retries : 5
Radius Timeout : 10
------------------------------------
[TACACS]
<Tacacs Servers & Key>
Tacacs Timeout : 0
Tacacs Socket Port : 0
Tacacs Interface :
Tacacs PPP Id : 0
Tacacs Authen Type : ASCII
Tacacs Priority Level : min
SWITCH(config)#

4.4.6 Configuring TACACS+

4.4.6.1 Configuring TACACS Server


After selecting TACACS+ for client authentication, you need to register the TACACS server the switch will use. To register a TACACS server, use the following command.

Command                                   Mode    Description
set login tacacs add server A.B.C.D KEY   Global  Registers the IP address and key of a TACACS server to be used by the switch. (MAX: 5)

Then register the interface of the TACACS server connected to your switch, using the following command.

Command                                          Mode    Description
set login tacacs interface INTERFACE [A.B.C.D]   Global  Registers the interface of the TACACS server connected to your switch.

The interface argument is the interface of the TACACS server connected to your switch. Check that interface before entering it.


To register the port of the TACACS server connected to your switch, or to delete a registered TACACS server, use the following commands.

Command                               Mode    Description
set login tacacs socket-port PORT     Global  Registers the port of the TACACS server connected to your switch.
set login tacacs del server A.B.C.D   Global  Deletes a registered TACACS server.

4.4.6.2 Selecting Authorization Type


When you configure TACACS+ for authentication, you need to select the authorization type of TACACS+. To select it, use the following command.

Command                                        Mode    Description
set login tacacs auth-type {ascii | pap | chap}  Global  Selects the authorization type of TACACS+. (Default: ascii)

pap stands for Password Authentication Protocol and chap stands for Challenge Handshake Authentication Protocol.

4.4.6.3 Configuring Timeout of Response


The number of seconds the switch waits for a response from the TACACS server is configurable. To configure the response timeout, use the following command.

Command                          Mode    Description
set login tacacs timeout TIME    Global  Configures the number of seconds that the switch waits for a response from the TACACS server. (Default: 5 sec)

4.4.7 Recording User's Configuration


When RADIUS or TACACS+ is configured for system authentication, the system records the specific services a user has taken. Through this function, a billing policy can be applied to specific services. To enable this function, use the following command.

Command                                                 Mode    Description
set login accounting-mode {none | start | stop | both}  Global  Applies a billing policy to the switch.

start records at the user's login and stop records at the user's logout; both records both events, and none disables the applied billing policy.
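As an added example that is not part of the manual, the following Python script parses the text the switch prints for show login (the format shown in the examples above) and flags settings a reviewer would question: a login list that tries local host accounts before RADIUS or TACACS, a method listed without a registered server, accounting left at none, and a short shared key. The sample is the manual's own show login output after registering server 100.1.1.1 with key 1; the worst-case fallback wait uses an assumed formula (servers x (1 + retries) x timeout) that the manual does not state.

```python
"""Audit a captured V1624 'show login' screen for weak AAA settings.
Added example (not from the manual or Dasan): parses the [AUTHEN], [RADIUS]
and [TACACS] sections printed by 'show login' and reports findings."""
import re

# Constructed sample: the manual's 'show login' output after
# 'set login radius add server 100.1.1.1 1' (the shared key is literally "1").
SAMPLE_SHOW_LOGIN = """\
[AUTHEN]
Local login : radius host
Remote login : host radius
Accounting mode : none
------------------------------------
[RADIUS]
<Radius Servers & Key>
100.1.1.1 1
Radius Retries : 5
Radius Timeout : 10
------------------------------------
[TACACS]
<Tacacs Servers & Key>
Tacacs Timeout : 0
Tacacs Socket Port : 0
Tacacs Interface :
Tacacs PPP Id : 0
Tacacs Authen Type : ASCII
Tacacs Priority Level : min
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
# "A.B.C.D KEY [PORT]", as registered with 'set login radius add server'
SERVER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)(?:\s+\d+)?$")


def parse_show_login(text):
    """Return {SECTION: {field: value, ..., 'servers': [(ip, key), ...]}}."""
    cfg, section = {}, None
    for raw in text.splitlines():
        # separator rows are dashes; a section tag may be glued to them
        line = raw.strip().lstrip("-").strip()
        if not line or line.startswith("<"):  # empty, or '<... Servers & Key>' caption
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            cfg[section] = {"servers": []}
            continue
        if section is None:
            continue
        m = KV_RE.match(line)
        if m:
            cfg[section][m.group(1).strip().lower()] = m.group(2).strip()
            continue
        m = SERVER_RE.match(line)
        if m:
            cfg[section]["servers"].append((m.group(1), m.group(2)))
    return cfg


def method_order(cfg, scope):
    """Methods for 'local login' (console) or 'remote login' (telnet), first tried first."""
    return cfg.get("AUTHEN", {}).get(scope, "").split()


def max_aaa_wait_seconds(cfg, section):
    """Worst-case seconds spent on unreachable servers before the next method is tried.
    ASSUMPTION (not stated in the manual): each registered server is tried once plus
    'Retries' retransmits, each attempt waiting 'Timeout' seconds; TACACS has no
    retransmit setting on this switch, so each TACACS server counts once."""
    sec, name = cfg.get(section, {}), section.lower()
    retries = int(sec.get(f"{name} retries", 0) or 0)
    timeout = int(sec.get(f"{name} timeout", 0) or 0)
    return len(sec.get("servers", [])) * (1 + retries) * timeout


def audit_show_login(text, min_key_len=16, max_wait=30):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_show_login(text)
    findings, central = [], set()
    for scope in ("local login", "remote login"):
        order = method_order(cfg, scope)
        if len(order) > 1 and order[0] == "host":
            findings.append(f"{scope}: local 'host' accounts are tried before {' '.join(order[1:])}")
        for method in ("radius", "tacacs"):
            if method in order:
                central.add(method)
                if not cfg.get(method.upper(), {}).get("servers"):
                    findings.append(f"{scope}: '{method}' is listed but no {method.upper()} server is registered")
    if central and cfg.get("AUTHEN", {}).get("accounting mode") == "none":
        findings.append("accounting mode is 'none': no start/stop records are sent for logins")
    for section in ("RADIUS", "TACACS"):
        for ip, key in cfg.get(section, {}).get("servers", []):
            if len(key) < min_key_len:
                findings.append(f"{section} server {ip}: shared key is only {len(key)} character(s)")
        wait = max_aaa_wait_seconds(cfg, section)
        if wait > max_wait:
            findings.append(f"{section}: up to {wait}s before fallback when servers are unreachable (assumed formula)")
    return findings
```

Note that show login prints the shared key in clear text next to the server address, so a captured copy of this output is itself sensitive.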


4.5 Assigning IP Address

4.5.1 Assigning IP Address on Network Interface

The switch uses only the MAC addresses in the data to determine where traffic comes from and which ports should receive it; switches do not need IP addresses to forward packets. However, to access the V1624 from a remote place with TCP/IP through SNMP or telnet, it requires an IP address. By default, the V1624 is configured with the virtual interface br1. Perform the steps below.

Step 1 Enter Interface configuration mode, which has the prompt SWITCH(config-if)#, to assign an IP address to the switch. To enter Interface configuration mode, enter the command interface INTERFACE-NAME in Global configuration mode, which has the prompt SWITCH(config)# and is reached by entering configure terminal in Top mode.

SWITCH# configure terminal
SWITCH(config)# interface br1
SWITCH(config-if)#

Step 2 To assign an IP address to the network interface, use the following commands.

Command                                    Mode       Description
ip address A.B.C.D/M                       Interface  Assigns an IP address to the interface. It configures a global IP address.
ip address A.B.C.D/M scope {host | link}   Interface  Assigns a link- or host-scope IP address. Link is valid in a specific internal network and host is valid in a specific device.

The following is an example of assigning IP address 192.168.1.10 to br1.

SWITCH(config-if)# ip address 192.168.1.10/16
SWITCH(config-if)#

To delete a configured IP address, use the following command.

Command                  Mode       Description
no ip address A.B.C.D/M  Interface  Deletes a configured IP address.

Step 3 Activate the network interface by using the following command.

Command       Mode       Description
no shutdown   Interface  Activates the network interface.


The following is an example of activating the interface br1.

SWITCH(config-if)# no shutdown
SWITCH(config-if)#

To disable an interface, use the following command.

Command    Mode       Description
shutdown   Interface  Disables an interface.

Step 4 To display the assigned IP address, use the following command.

Command   Mode       Description
show ip   Interface  Shows the IP address assigned to the interface.

The following is an example of viewing the above configuration.

SWITCH(config-if)# show ip
34: br1: <RUNNING,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:d0:cb:0a:a4:6d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/16 brd 192.166.255.255 scope global br1
SWITCH(config-if)#

4.5.2 Configuring Default Gateway

To make communication possible for packets whose destination IP address is not known to the switch, configure a default gateway, the route through which all traffic to network 0.0.0.0 passes. To configure the default gateway and to view it afterwards, use the following commands.

Command                                       Mode        Description
ip route 0.0.0.0/0 {A.B.C.D | INTERFACE}      Global      Configures the static route.
no ip route 0.0.0.0/0 {A.B.C.D | INTERFACE}   Global      Deletes the configured default gateway.
show ip route                                 Top/Global  Shows the user's configuration of static routes.


5 Port Basic Configuration

5.1 Port Basic Configuration

It is possible to configure the default environment of a port, such as port state and speed. To configure a port, you need to open Bridge configuration mode by using the bridge command in Global configuration mode. In Bridge configuration mode, the system prompt changes from SWITCH(config)# to SWITCH(bridge)#.

Command   Mode    Description
bridge    Global  Begins Bridge configuration mode.

The following table shows the default configuration for Bridge mode.

Item             Default
Port State       Available
Auto-negotiate   On
Flow Control     On
STP              For VLAN 1
VLAN             br1

Tab. 5.1 V1624 Port Default Configuration

To view the configuration of the switch ports, use the following command.

Command          Mode               Description
show port PORT   Top/Global/Bridge  Shows port configuration.

When you use the show port command, if you enter a letter as the port number, the message %Wrong expression. ex) 'show port 1,3' , 'show port 1-3,10' is displayed, and if you enter a port number that does not exist, the message %Port number invalid is displayed. The following is an example of checking port configuration.

SWITCH(bridge)# show port port
%Wrong expression. ex) 'show port 1,3' , 'show port 1-3,10'
SWITCH(bridge)# show port 100
--------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE           FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
--------------------------------------------------------------------------
%port number invalid
SWITCH#

In DSH command mode, you can use , and - in PORT to select several ports.


You can configure the following port basic configuration functions:
- Activating Port
- Auto-nego
- Port Rate
- Duplex Mode
- Flow Control
- Port Description
- Port Statistics
- Link Uptime

5.1.1 Activating Port

To activate or deactivate a port, use the following commands.

Command                 Mode    Description
set port enable PORT    Bridge  Activates the port. (Default)
set port disable PORT   Bridge  Deactivates the port.

The following is an example of deactivating Ethernet port 1 and checking it.

SWITCH(bridge)# show port 1
--------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE           FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
--------------------------------------------------------------------------
1:   Ethernet   1      Up/Down        N        Auto/Half/10   On         Y
SWITCH(bridge)# set port disable 1
SWITCH(bridge)# show port 1
--------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE           FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
--------------------------------------------------------------------------
1:   Ethernet   1      Down/Down      N        Auto/Half/10   On         Y
SWITCH(bridge)#

5.1.2 Auto-nego

You can configure auto-negotiation for a port so that it automatically matches the transmission speed and duplex mode of the attached device. To configure whether speed and duplex mode are set by auto-negotiation, use the following command in Bridge configuration mode.

Command                   Mode    Description
set port nego PORT on     Bridge  Enables auto-negotiation. (Default)
set port nego PORT off    Bridge  Disables auto-negotiation.


With auto-nego enabled, port rate and duplex mode cannot be changed. The following is an example of disabling auto-negotiation on ports 1 and 2 and checking it.

SWITCH(bridge)# show port 1-2
--------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE              FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
--------------------------------------------------------------------------
1:   Ethernet   1      Up/Down        N        Auto/Full/1000    On         Y
2:   Ethernet   1      Up/Down        N        Auto/Full/1000    On         Y
SWITCH(bridge)# set port nego 1-2 off
SWITCH(bridge)# show port 1-2
--------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE              FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
--------------------------------------------------------------------------
1:   Ethernet   1      Up/Down        N        Force/Full/1000   On         Y
2:   Ethernet   1      Up/Down        N        Force/Full/1000   On         Y
SWITCH(bridge)#

Auto-nego cannot be configured on a 100BASE-FX port. The following is an example of the message displayed when you attempt to configure auto-nego on a 100BASE-FX port.

SWITCH(bridge)# set port nego 25 on
%FX port can't be changed to auto-nego mode
SWITCH(bridge)#

To support Auto MDIX, you need to configure auto-nego as on.

5.1.3 Port Rate
It is possible to configure the transmit rate of each port. To configure the transmit rate of a port, use the following command.

Command                                Mode    Description
set port speed PORT {10 | 100 | 1000}  Bridge  Configures the transmit rate of the port as 10, 100, or 1000 Mbps.

When auto-nego is activated, port rate cannot be changed.


The following is an example of configuring the transmit rate of port 1 as 10 Mbps and checking it.

SWITCH(bridge)# show port 1
---------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE             FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
---------------------------------------------------------------------------
1:   Ethernet   1      Up/Up          Y        Force/Full/100   Off        Y
SWITCH(bridge)# set port speed 1 10
SWITCH(bridge)# show port 1
---------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE             FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
---------------------------------------------------------------------------
1:   Ethernet   1      Up/Down        Y        Force/Full/10    Off        Y
SWITCH(bridge)#

It is impossible to configure the transmit rate of a 1000BASE-X gigabit Ethernet port.

5.1.4 Duplex Mode
In half duplex mode communication is possible in only one direction at a time; in full duplex mode bi-directional communication is possible, with packets transmitted both ways. By transmitting packets both ways, the Ethernet bandwidth is doubled: 10 Mbps to 20 Mbps, 100 Mbps to 200 Mbps. To configure the duplex mode of a 10/100BASE-TX Ethernet port, use the following command.

Command                              Mode    Description
set port duplex PORT {full | half}   Bridge  Configures the duplex mode of the port.

When auto-nego is activated, the duplex mode cannot be changed. The following is an example of configuring the duplex mode of port 3 as half and checking it.

SWITCH(bridge)# show port 3
--------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE             FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
--------------------------------------------------------------------------
3:   Ethernet   1      Up/Down        N        Force/Full/100   On         Y
SWITCH(bridge)# set port duplex 3 half
SWITCH(bridge)# show port 3
--------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE             FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
--------------------------------------------------------------------------
3:   Ethernet   1      Up/Down        N        Force/Half/100   On         Y
SWITCH(bridge)#


100BASE-FX Ethernet and 1000BASE-X gigabit Ethernet ports operate in full duplex only; the user cannot change their duplex mode.

5.1.5 Flow Control

Ethernet ports on the switch use flow control to restrain the transmission of packets to the port for a period of time. Typically, if the receive buffer becomes full, the port transmits a "pause" packet that tells remote ports to delay sending more packets for a specified period of time. In addition, the Ethernet ports can receive and act upon "pause" packets from other devices. To enable or disable flow control on an Ethernet port, use the following command.

Command                                 Mode    Description
set port flow-control PORT {on | off}   Bridge  Enables or disables flow control. (Default: on)

The following is an example of configuring flow control on port 4.

SWITCH(bridge)# set port flow-control 4 off
SWITCH(bridge)# show port 4
--------------------------------------------------------------------------
NO   TYPE       PVID   STATUS         SHARED   MODE             FLOWCTRL   INSTALLED
                       (ADMIN/OPER)
--------------------------------------------------------------------------
4:   Ethernet   1      Up/Down        N        Force/Full/100   Off        Y
SWITCH(bridge)#

5.1.6 Port Description

For the user's reference, you can write a description for each port. To write a port description, use the following command.

Command                                  Mode    Description
set port description PORT DESCRIPTION    Bridge  Writes a description for the specified port.

To check the description of a port, use the following command.

Command                       Mode                         Description
show port description PORT    Top/Global/Bridge/Interface  Shows the description of the port.


The following is an example of writing a description for port 1 and viewing it.

SWITCH(bridge)# set port description 1 test1
SWITCH(bridge)# show port description 1
------------------------------------------------------------------
NO   TYPE       STATE       LINK     DESCRIPTION
                (ADM/OPR)
------------------------------------------------------------------
1    Ethernet   Up/Dn       100FDX   test1
SWITCH(bridge)#

To delete a port description, use the following command.

Command                       Mode    Description
clear port description PORT   Bridge  Deletes the description of the specified port.

5.1.7 Port Statistics

To display the traffic average of each port, or the interface MIB and RMON MIB data defined in the SNMP MIB, use the following commands.

Command                                Mode        Description
show port statistics avg-pkt PORT      Top/Global  Shows the traffic average of the specified port.
show port statistics interface PORT    Top/Global  Shows the interface MIB data of the specified port.
show port statistics rmon PORT         Top/Global  Shows the RMON MIB data of the specified port.
show port statistics avg-type PORTS    Top/Global  Shows the traffic statistics per packet type for the specified port.

The following is an example of viewing the interface MIB data of port 1.

SWITCH(bridge)# show port statistics interface 1
Port 1
ifDescr
ifType
ifMtu
ifSpeed
ifPhysAddress
ifAdminStatus
ifOperStatus
ifLastChange
ifInOctets
ifInUcastPkts
ifInNUcastPkts
ifInDiscards
ifInErrors
ifInUnknownProtos
ifOutOctets
ifOutUcastPkts
ifOutNUcastPkts
ifOutDiscards
ifOutErrors
ifOutQLen
ifSpecific
SWITCH(bridge)#

The following is an example of viewing the traffic average of port 1.

SWITCH(bridge)# show port statistics avg-pkt 1
==============================================================================
Port   Time    |  Tx pkts/s |  bytes/s |   bits/s |  Rx pkts/s |  bytes/s |   bits/s
------------------------------------------------------------------------------
==============================================================================
port 1
------------------------------------------------------------------------------
        5 sec: |          0 |        1 |        8 |         11 |     1106 |    8,848
        1 min: |          0 |        0 |        0 |          1 |      155 |    1,240
       10 min: |          0 |        0 |        0 |          0 |       15 |      120
SWITCH(bridge)#

The following is an example of viewing the RMON MIB data of port 1.

SWITCH(bridge)# show port statistics rmon 1
Port 1 ethernet
etherStatsDropEvents
etherStatsOctets
etherStatsPkts
etherStatsBroadcastPkts
etherStatsMulticastPkts
etherStatsCRCAlignErrors
etherStatsUndersizePkts
etherStatsOversizePkts
etherStatsFragments
etherStatsJabbers
etherStatsCollisions
etherStatsPkts64Octets
etherStatsPkts65to127Octets
etherStatsPkts128to255Octets
etherStatsPkts256to511Octets
etherStatsPkts512to1023Octets
etherStatsPkts1024to1518Octets
SWITCH(bridge)#

To display the statistics of the traffic handled by the CPU, use the following commands.

Command                              Mode               Description
show cpu statistics avg-type PORTS   Top/Global/Bridge  Shows the statistics of the traffic handled by the CPU per packet type.
show cpu statistics total PORTS      Top/Global/Bridge  Shows the traffic statistics of the average packet handled by the CPU.


To delete the collected statistics of the traffic handled by the CPU, use the following command.

Command                            Mode    Description
clear cpu statistics {PORTS | all} Global  Deletes the collected statistics of the traffic handled by the CPU. all: deletes all the collected statistics.

To clear all recorded statistics of a port and start over, use the following command. Statistics can be cleared for all ports or for selected ports.

Command                           Mode    Description
clear port statistics {PORT | all} Global  Initializes port statistics. Several ports can be selected.

5.1.8 Link Uptime

To display the link uptime of a port, use the following command.

Command                       Mode        Description
show port link-uptime PORTS   Top/Global  Shows the link uptime of the port.

To clear the recorded uptime of a port, use the following command.

Command                                Mode    Description
clear port link-uptime {PORTS | all}   Global  Clears the recorded uptime of the port. all: clears all ports.

The following is sample output of the show port link-uptime command.

SWITCH# show port link-uptime 1-10
=====================================================
PORT:   Today[H:M:S]   Yesterday[H:M:S]   LINK
  1:    [19:39:40]     [24:00:00]         ON
  2:    [00:00:00]     [00:00:00]         OFF
  3:    [00:00:00]     [00:00:00]         OFF
  4:    [00:00:00]     [00:00:00]         OFF
  5:    [19:39:40]     [24:00:00]         ON
  6:    [00:00:00]     [00:00:00]         OFF
  7:    [00:00:00]     [00:00:00]         OFF
  8:    [00:00:00]     [00:00:00]         OFF
  9:    [19:39:40]     [24:00:00]         ON
 10:    [19:39:40]     [24:00:00]         ON
=====================================================
SWITCH#


5.2 Port Mirroring

Port mirroring lets the user monitor several ports from one port. The port used for monitoring is called the monitor port and a port being monitored is called a mirrored port. Traffic transmitted through a mirrored port is copied and sent to the monitor port so that the user can monitor it.

Fig. 5.1 Port Mirroring

Before configuring port mirroring in the V1624, you need to assign the mirrored ports and the monitor port and then activate port mirroring.

5.2.1 Assigning Monitor Port and Mirrored Port

The user must assign a monitor port and mirrored ports to configure port mirroring. To assign them, use the following commands.

Command                                  Mode    Description
set mirror add PORT                      Bridge  Assigns a mirrored port.
set mirror add PORT [egress | ingress]   Bridge  Assigns a mirrored port for egress or ingress traffic.
set mirror del PORT                      Bridge  Removes an assigned mirrored port.
set mirror del PORT [egress | ingress]   Bridge  Removes an assigned mirrored port for egress or ingress traffic.
set mirror monitor {PORT | cpu}          Bridge  Assigns the monitor port.

The following is an example of configuring port 1 as the monitor port and ports 2~4 as mirrored ports.

SWITCH(bridge)# set mirror monitor 1
SWITCH(bridge)# set mirror add 2-4
SWITCH(bridge)#

5.2.2 Enabling Port Mirroring

Before using port mirroring, you must enable it with the following command.

Command              Mode    Description
set mirror enable    Bridge  Enables port mirroring.
set mirror disable   Bridge  Disables port mirroring.

The following is an example of enabling port mirroring.

SWITCH(bridge)# set mirror enable
SWITCH(bridge)#

5.2.3 Checking Configuration of Port Mirroring

To verify the port mirroring configuration, use the following command.

Command       Mode               Description
show mirror   Top/Global/Bridge  Shows the configuration of port mirroring.

The following is an example of configuring port 1 as the monitor port to monitor packets on ports 2~4, and checking it.

SWITCH(bridge)# set mirror monitor 1
SWITCH(bridge)# set mirror add 2-4
SWITCH(bridge)# set mirror enable
SWITCH(bridge)# show mirror
Mirroring enabled
Monitor port = 1
Ingress-mirrored ports
-- 02 03 04 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Egress-mirrored ports
-- 02 03 04 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
SWITCH(bridge)#
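As an added example that is not part of the manual, the following Python script parses show mirror output in the format above and checks that the monitor port feeding a monitoring sensor carries exactly the intended ports in both directions. The sample output is constructed from the manual's example (monitor port 1, mirrored ports 2 to 4).

```python
"""Verify a V1624 port-mirroring setup from 'show mirror' output.
Added example (not from the manual or Dasan): confirms that the monitor port
feeding a monitoring sensor carries exactly the intended ports."""
import re

# Constructed sample in the layout of the manual's 'show mirror' example:
# monitor port 1, ports 2-4 mirrored; '--' marks a port that is not mirrored.
SAMPLE_SHOW_MIRROR = """\
Mirroring enabled
Monitor port = 1
Ingress-mirrored ports
-- 02 03 04 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Egress-mirrored ports
-- 02 03 04 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
"""

MONITOR_RE = re.compile(r"^Monitor port\s*=\s*(\S+)$")


def parse_show_mirror(text):
    """Return {'enabled': bool, 'monitor': '1' or 'cpu', 'ingress': set, 'egress': set}."""
    state = {"enabled": False, "monitor": None, "ingress": set(), "egress": set()}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MONITOR_RE.match(line)
        if line.startswith("Mirroring "):
            state["enabled"] = line.split()[1].lower() == "enabled"
        elif m:
            state["monitor"] = m.group(1).lower()
        elif line.endswith("-mirrored ports"):
            direction = line.split("-", 1)[0].lower()  # 'ingress' or 'egress'
        elif direction and line:
            # the row has one slot per port; a number means that port is mirrored
            state[direction].update(int(tok) for tok in line.split() if tok.isdigit())
            direction = None
    return state


def verify_mirroring(text, expected_ports, expected_monitor):
    """Return a list of problems; empty when the mirror setup matches expectations."""
    st = parse_show_mirror(text)
    problems = []
    if not st["enabled"]:
        problems.append("mirroring is disabled")
    if st["monitor"] != str(expected_monitor).lower():
        problems.append(f"monitor port is {st['monitor']}, expected {expected_monitor}")
    expected = set(expected_ports)
    for direction in ("ingress", "egress"):
        missing = sorted(expected - st[direction])
        extra = sorted(st[direction] - expected)
        if missing:
            problems.append(f"{direction}: ports {missing} are not mirrored")
        if extra:
            problems.append(f"{direction}: unexpected ports {extra} are mirrored")
    # a monitor port that is also mirrored would copy its own traffic back to itself
    if st["monitor"] and st["monitor"].isdigit() and int(st["monitor"]) in st["ingress"] | st["egress"]:
        problems.append("monitor port is itself in the mirrored set")
    return problems
```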


6 System Environment

6.1 Environment Configuration

The user must configure the following items:
- Host Name
- Date and Time
- Time-zone
- NTP
- Output Condition of Terminal Screen
- Domain Name Server (DNS)
- Login Banner

6.1.1 Host Name

The host name displayed in the prompt is needed to distinguish each device connected to the network. To configure or change the host name of the switch, use the hostname command in Global configuration mode.

Command         Mode    Description
hostname NAME   Global  Configures the host name of the switch with the new name the user assigns.

The variable NAME following the command is the new name of the switch. The default is SWITCH. The following is an example of changing the hostname to DASAN.

SWITCH(config)# hostname DASAN
DASAN(config)#

6.1.2 Date and Time

To configure or change the time and date in the switch, use the clock command in Top mode.

Command               Mode    Description
clock MMDDhhmmYYYY    Global  Configures or changes the time and date in the user's switch.

The variable MMDDhhmmYYYY entered after the command is Month-Day-Hour-Minute-Year. The following is an example of configuring the clock as Dec. 13th 2002, 04:14 PM.

SWITCH# clock 121316142002
Fri Dec 13 16:14:00 UTC 2002
SWITCH#


To view the configured date and time, use the following command.

Command      Mode        Description
show clock   Top/Global  Shows the configured date and time.

6.1.3 Time-zone

You can configure the time-zone of the V1624 with the following commands. Time-zones are classified as GMT, UCT and UTC. To see which time-zones you can configure, use the show time-zone command. The factory default time-zone is UTC (Universal Coordinated Time).

Command          Mode        Description
show time-zone   Top/Global  Shows the kinds of time-zone.

The show time-zone command only displays the kinds of time-zone. To verify the configured time-zone, use the show clock command. Tab. 6.1 shows the kinds of time-zone that can be configured on the switch and a main country or area belonging to each.

Time Zone   Country/City
GMT-12      Eniwetok
GMT-11      Samoa
GMT-10      Hawaii, Honolulu
GMT-9       Alaska
GMT-8       LA, Seattle
GMT-7       Denver
GMT-6       Chicago, Dallas
GMT-5       New York, Miami
GMT-4       George Town
GMT-3       Rio De Janeiro
GMT-2       Maryland
GMT-1       Azores
GMT+0       London, Lisbon
GMT+1       Berlin, Rome
GMT+2       Cairo, Athens
GMT+3       Moscow
GMT+4       Teheran
GMT+5       New Delhi
GMT+6       Rangoon
GMT+7       Singapore
GMT+8       Hong Kong
GMT+9       Seoul, Tokyo
GMT+10      Sydney, Okhotsk
GMT+11      -
GMT+12      Wellington

Tab. 6.1 World Time Zone

To configure the time-zone, use the following command.

Command               Mode    Description
time-zone TIME-ZONE   Global  Configures or modifies the current time-zone of the switch.

If the time-zone is changed, the date and time shift by the difference between the existing time-zone and the new one.


The following is an example of configuring the time-zone after configuring the date and time in the switch. Although the clock was set to Tue, 16 Mar 2004 10:19 AM, it reads Tue, 16 Mar 2004 19:19 after the time-zone is changed, because the difference between GMT+0 and GMT+9 is applied.

SWITCH(config)# clock 031610192004
Tue, 16 Mar 2004 10:19:00 GMT+0000
SWITCH(config)# time-zone GMT+9
SWITCH(config)# show clock
Tue, 16 Mar 2004 19:19:49 GMT+0900
SWITCH(config)#

Therefore, in such a case you should configure the date and time once again.

SWITCH(config)# clock 031610262004
Tue, 16 Mar 2004 10:26:00 GMT+0900
SWITCH(config)#

If you change the time-zone, check the present time and date and reset them if they differ.

To verify the time-zone configuration, use the following command.

Command      Mode        Description
show clock   Top/Global  Shows the user's configuration of date/time and time-zone.

The following is an example of configuring the time-zone as Seoul and viewing the configuration.

SWITCH(config)# time-zone GMT+9
SWITCH(config)# clock 121316142002
Fri, 13 Dec 2002 16:14:10 GMT+0900
SWITCH(config)# show clock
Fri, 13 Dec 2002 16:14:10 GMT+0900
SWITCH(config)#


6.1.4 NTP

NTP (Network Time Protocol) can be used to synchronize the user's switches to within 1/1000 second so that the exact time is guaranteed on the network. The switch and the NTP server constantly exchange messages to converge on the correct time. It is very important to configure the exact time on the switch so that it operates properly. Details about NTP are given in STD and RFC 1119. To configure NTP on the switch, use the following commands.

Command                            Mode    Description
ntp SERVER1 [SERVER2] [SERVER3]    Global  Specifies the IP address of the NTP server. Up to three servers can be specified.
ntp start                          Global  Runs NTP.
no ntp                             Global  Disables the NTP function.

Both public and private NTP servers can be used, and the NTP server can be entered as a domain name or an IP address. time.nuri.net is used in Korea; its IP address is 203.255.112.96. The following is an example of configuring 203.255.112.96 as the NTP server, running NTP and checking it.

SWITCH(config)# ntp 203.255.112.96
SWITCH(config)# ntp start
SWITCH(config)# show running-config
Building configuration...
(omitted)
no snmp
!
ntp 203.255.112.96
ntp start
!
SWITCH(config)#

6.1.5 Output Condition of Terminal Screen

By default, the V1624 displays 24 lines of 80 characters on the console terminal screen. The user can change the number of displayed lines with the terminal line command, up to a maximum of 512 lines. To configure the number of displayed lines on the terminal screen, use the following command in Top mode.

Command                 Mode   Description
terminal line <1~512>   Top    Configures the number of displayed lines on the terminal screen. (MAX: 512)

The following is an example of configuring the number of displayed lines on the terminal screen as 20.

SWITCH# terminal line 20
SWITCH#


6.1.6 Domain Name Server (DNS)

In the V1624, a hostname or URL can be used instead of an IP address with the telnet, FTP, TFTP and ping commands. To do so, you need to register a DNS server in the V1624 with the following command.

Command              Mode    Description
dns server A.B.C.D   Global  Registers the default DNS server in the switch.

After registering the DNS server and connecting to it over the network, you can use a hostname instead of an IP address for the telnet, FTP, TFTP and ping commands.

This function can be used when the user's switch, the DNS server and the domain in question are connected on the network and can communicate.

To check the registered DNS server, use the following command.

Command    Mode        Description
show dns   Top/Global  Shows the configuration of the DNS server.

The following is an example of registering 168.126.63.1 as the DNS server and checking it.

SWITCH(config)# dns server 168.126.63.1
SWITCH(config)# show dns
nameserver 168.126.63.1
SWITCH(config)#

The above example is for reference only; in a real configuration, enter the DNS server you are going to use. The following is an example of a ping test with a domain name after registering the DNS server.

SWITCH# ping da-san.com
PING da-san.com (203.236.124.3) from 203.236.124.248 : 56(84) bytes of data.
64 bytes from 203.236.124.3: icmp_seq=0 ttl=254 time=0.4 ms
64 bytes from 203.236.124.3: icmp_seq=1 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=2 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=3 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=4 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=5 ttl=254 time=0.2 ms
64 bytes from 203.236.124.3: icmp_seq=6 ttl=254 time=0.3 ms
--- da-san.com ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.3/0.4 ms
SWITCH#

In the V1624, the telnet, ftp, tftp and ping commands can be used with a hostname instead of an IP address for hosts in a specified domain, after that domain name has been registered. If you register domain name A in the V1624, you can use hostnames instead of IP addresses for the telnet, FTP, TFTP and ping commands to hosts in that domain. To register a domain name for this purpose, use the following command.

Command             Mode    Description
dns search DOMAIN   Global  Registers the specified domain name.

This function can be used when the user's switch, the DNS server and the domain in question are connected on the network and can communicate. The following is an example of using a hostname instead of an IP address for a ping test to host B after registering domain A.

SWITCH(config)# dns search A
SWITCH# ping B
PING B.A (192.168.218.10) from 192.168.218.248 : 56(84) bytes of data.
64 bytes from 192.168.218.10: icmp_seq=0 ttl=127 time=0.6 ms
64 bytes from 192.168.218.10: icmp_seq=1 ttl=127 time=0.3 ms
64 bytes from 192.168.218.10: icmp_seq=2 ttl=127 time=0.3 ms
64 bytes from 192.168.218.10: icmp_seq=3 ttl=127 time=0.3 ms
64 bytes from 192.168.218.10: icmp_seq=4 ttl=127 time=0.3 ms
--- B.A ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.6 ms
SWITCH#

The names A and B above are placeholders; in a real configuration enter the actual domain name and hostname. To delete the registered DNS server and domain name, use the following command.

Command   Mode     Description
no dns    Global   Deletes the DNS server and the domain name.

6.1.7 Login Banner
It is possible to write a message on the system login page. Through this message the administrator can leave a notice to users who connect through FTP or telnet, displayed before or after login or after a login failure. A banner is the usual place for an authorised-use notice; it does not restrict access by itself. To write a message for the system login page, use the following commands.

Command                 Mode     Description
set banner              Global   Registers a message for system login.
set banner login        Global   Registers a message for successful system login.
set banner login-fail   Global   Registers a message for login failure.
set banner logout       Global   Registers a message for system logout.

The examples below use the set banner command; the other three commands are used in the same way.

To delete a login banner from the system login page, use the following commands.

Command                   Mode     Description
clear banner              Global   Deletes the message for system login.
clear banner login        Global   Deletes the message for successful system login.
clear banner login-fail   Global   Deletes the message for login failure.
clear banner logout       Global   Deletes the message for system logout.

To view the login banner, use the following command.

Command       Mode         Description
show banner   Top/Global   Displays the login banners the user has created.

6.2 Configuration Management
Users can check whether their configuration is correct and save it on the system. This section covers the following functions:
    Checking Switch Configuration
    Saving Configuration
    Restore Factory Default
    Configuration Backup

6.2.1 Checking Switch Configuration
Users can view the switch configuration with the following command.

Command               Mode                          Description
show running-config   Top/Global/Bridge/Interface   Shows the switch configuration.

The following is an example of viewing the switch configuration.

    SWITCH# show running-config
    Building configuration...
    Current configuration:
    hostname SWITCH
    (omitted)
    SWITCH#

6.2.2 Saving Configuration
Whenever the configuration is changed, for example after a new system image has been downloaded to the V1624 from a TFTP/FTP server, the changes must be saved to flash memory; otherwise they are lost when the switch reboots. To save the configuration to flash memory, use the following command.

Command        Mode                          Description
write memory   Top/Global/Bridge/Interface   Saves the changed configuration to flash memory.

The following is an example of saving the configuration.

    SWITCH# write memory
    Building configuration...
    [OK]
    SWITCH#

While the configuration is being stored, wait for the [OK] message without pressing any key.

6.2.3 Restore Factory Default
Users can delete configuration items one by one, or reset the switch to its default settings. To reset the switch, use the following command in Global configuration mode.

Command                    Mode     Description
restore factory-defaults   Global   Erases the configuration and restores the factory defaults.

After running restore factory-defaults you must reboot the switch for the defaults to take effect. Back up the running configuration first (see 6.2.4) if you may need it again. The following is an example of resetting the switch.

    SWITCH(config)# restore factory-defaults
    Erasing configurations... [OK]
    You have to restart the system to apply the changes
    SWITCH(config)#

6.2.4 Configuration Backup
Users can save their configuration under a name and use the copy later for recovery or for day-to-day operation. NAME is a file name chosen by the user. To back up the configuration, use the following commands.

Command                                       Mode     Description
copy running-config {NAME | startup-config}   Global   Copies the current configuration to a file named NAME, or to the startup configuration.
copy startup-config NAME                      Global   Copies the startup configuration to a file named NAME.
copy NAME-1 NAME-2                            Global   Copies a backup file to another name.

To use a backup file, use the following command.

Command                    Mode     Description
copy NAME startup-config   Global   Copies the backup file NAME to the startup configuration.

To apply the backup file to the switch, you have to reboot the system. A backup file holds the complete configuration, so treat copies taken off the switch as sensitive.

To display the backup files, use the following command.

Command            Mode     Description
show config-list   Global   Displays the backup files.

The following is an example of copying the current configuration to a file named S212 and listing all backup files.

    SWITCH(config)# copy running-config S212
    [OK]
    SWITCH(config)# show config-list
    ========================= CONFIG-LIST =========================
    l3_default
    S212
    SWITCH(config)#

To delete a backup file, use the following command.

Command          Mode     Description
erase FILENAME   Global   Deletes the backup file.

6.3 System Check
When there is a problem with the switch, the user must find out what it is and how to solve it, and the switch should also be checked regularly to prevent trouble. The user therefore needs to know the switch status and to verify that configuration changes took effect. This section covers the following functions:
    Network Connection
    Packet Route
    Cable Length
    Accessed User through Telnet
    Destination Information
    MAC Table
    Aging Time
    Running Time of Switch
    System Information
    Checking Average of CPU Utilization
    CPU Statistics Limit
    CPU Process
    Utilization of Memory
    Version of System Image
    Size of the System Image File
    Installed OS
    Assigning Default OS
    Switch Status
    Cable Diagnostics

6.3.1 Network Connection
To check whether the switch is correctly connected to the network, use the ping command. On an IP network it sends an ICMP (Internet Control Message Protocol) echo request to the destination; ICMP is the protocol that reports fault conditions and carries information about where an IP packet was received. When the echo request reaches the destination, an echo reply is returned to the sender. To perform a ping test, use the following command.

Command               Mode   Description
ping A.B.C.D          Top    Performs a ping test to verify the network connection.
ping OPTION A.B.C.D   Top    Performs a ping test with the specified option.

Tab. 6.2 shows the options for the ping command.

Option   Description
-c       Specifies the number of ICMP packets to send.
-i       Specifies the interval between ICMP packets.
-l       Specifies the maximum number of ICMP packets handled by the CPU.
-p       Adds a 16-byte pad pattern to verify the data transfer.
-s       Specifies the size of the ICMP packet.
-t       Specifies the TTL, the limit on the number of hops a packet may traverse before it is discarded.
-I       Specifies the address of the interface from which the request is sent and to which the reply is returned (alias of the sping command).

Tab. 6.2 Options for Ping

The following is an example of sending three echo requests to 192.168.1.218 from the switch at 192.168.1.10 to check the network connection.

    SWITCH# ping 192.168.1.218 -c 3
    PING 192.168.1.218 (192.168.1.218) from 192.168.1.10 : 56(84) bytes of data.
    64 bytes from 192.168.1.218: icmp_seq=0 ttl=127 time=2.7 ms
    64 bytes from 192.168.1.218: icmp_seq=1 ttl=127 time=1.3 ms
    64 bytes from 192.168.1.218: icmp_seq=2 ttl=127 time=1.3 ms
    --- 192.168.1.218 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 1.3/1.5/2.7 ms
    SWITCH#
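As an added example (not from the manual and not Dasan's code), the following Python builds the ICMP echo request that a ping with -c, -s and -p produces and checks the ICMP checksum, which is what the responder verifies before it answers. It assumes a 20-byte IPv4 header without options for the on-wire size, which is what the "56(84) bytes of data" line above reflects; the identifier value and the sample pattern are assumptions.

```python
"""Build and verify ICMP Echo Request packets like those sent by
`ping -c COUNT -s SIZE -p PATTERN` (added example; not part of the V1624 manual)."""
import struct
from typing import List, Optional, Tuple

ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8
IPV4_HEADER_LEN = 20          # assumption: IPv4 header without options


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fill_pattern(size: int, pattern: Optional[bytes]) -> bytes:
    """Data area of `size` bytes: repeats `pattern` (ping -p) or uses zeros."""
    if not pattern:
        return bytes(size)
    reps = size // len(pattern) + 1
    return (pattern * reps)[:size]


def build_echo_request(ident: int, seq: int, size: int = 56,
                       pattern: Optional[bytes] = None) -> bytes:
    """Type 8, code 0, identifier, sequence number, then `size` data bytes (ping -s SIZE)."""
    data = fill_pattern(size, pattern)
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)  # checksum field zeroed
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data


def verify_icmp(packet: bytes) -> bool:
    """With a correct checksum in place the one's-complement sum of the whole
    packet is 0xFFFF, so recomputing the checksum over it yields 0."""
    return len(packet) >= ICMP_HEADER_LEN and icmp_checksum(packet) == 0


def on_wire_size(size: int) -> Tuple[int, int]:
    """(ICMP bytes, IPv4 bytes) for ping -s SIZE, as in the '56(84) bytes of data' line."""
    icmp_len = size + ICMP_HEADER_LEN
    return icmp_len, icmp_len + IPV4_HEADER_LEN


def echo_sequence(count: int, ident: int = 0x1234, size: int = 56,
                  pattern: Optional[bytes] = None) -> List[bytes]:
    """The `count` requests that ping -c COUNT sends, numbered icmp_seq 0, 1, ... as in the output above."""
    return [build_echo_request(ident, seq, size, pattern) for seq in range(count)]


if __name__ == "__main__":
    for pkt in echo_sequence(3, pattern=b"\xde\xad"):
        seq = struct.unpack("!H", pkt[6:8])[0]
        print(len(pkt), "bytes, icmp_seq", seq, "checksum ok:", verify_icmp(pkt))
```

A responder silently drops an echo request whose checksum does not verify, so a packet that is seen leaving but never answered is worth checking with verify_icmp before blaming the network.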

Users of the V1624 can also view all hosts on the same network as the switch with the following command.

Command         Mode   Description
bping A.B.C.D   Top    Checks the connection to a network and shows all hosts on it.

Enter a network address to see all hosts on that network; if you enter a host address instead, the result is the same as a regular ping. bping sends the echo request to the broadcast address, so every host on the subnet answers at once (the DUP! markers below), which is also why broadcast ICMP is usually filtered at routers; use it only on networks you administer. The following is an example of checking network 192.168.1.0 with bping and viewing the hosts on it.

    SWITCH# bping 192.168.1.0
    64 bytes from 192.168.1.202: icmp_seq=0 ttl=255 time=2183.6 ms (DUP!)
    64 bytes from 192.168.1.5: icmp_seq=1 ttl=255 time=1257.2 ms
    64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=1331.4 ms (DUP!)
    64 bytes from 192.168.1.102: icmp_seq=1 ttl=255 time=1471.0 ms (DUP!)
    64 bytes from 192.168.1.124: icmp_seq=1 ttl=255 time=1544.0 ms (DUP!)
    --- 172.16.0.0 ping statistics ---
    5 packets transmitted, 5 packets received, +120 duplicates, 0% packet loss
    round-trip min/avg/max = 0.8/3011.6/6008.5 ms
    SWITCH#

When the switch is configured with several IP addresses, you may need to check the connection between one specific address and a partner host. To do so, use the following command.

Command                               Mode   Description
sping SRC-IP-ADDRESS DES-IP-ADDRESS   Top    Sends echo requests to DES-IP-ADDRESS with SRC-IP-ADDRESS as the source address, so the partner replies to that address.

Use sping on a device that has several IP addresses; on a device with a single IP address it adds nothing over ping.

The following is an example of using sping to check the connection between 172.16.209.5 and 202.236.124.232 when the switch is configured with the IP addresses 192.168.1.10 and 172.16.209.5.

    SWITCH# sping 172.16.209.5 202.236.124.232
    PING 202.236.124.232 (202.236.124.232) from 172.16.209.5 : 56(84) bytes of data.
    64 bytes from 202.236.124.232: icmp_seq=0 ttl=255 time=2.5 ms
    64 bytes from 202.236.124.232: icmp_seq=1 ttl=255 time=1.0 ms
    64 bytes from 202.236.124.232: icmp_seq=2 ttl=255 time=1.0 ms
    64 bytes from 202.236.124.232: icmp_seq=3 ttl=255 time=1.0 ms
    64 bytes from 202.236.124.232: icmp_seq=4 ttl=255 time=1.0 ms
    --- 202.236.124.232 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 1.0/1.3/2.5 ms
    SWITCH#

6.3.2 Packet Route
You can discover the route that packets actually take to a destination. The traceroute command sends probe datagrams and displays the round-trip time for each node on the way; if the timer expires before a response arrives, an asterisk (*) is printed.

Command              Mode   Description
traceroute A.B.C.D   Top    Traces the packet route through the network to the given IP address or hostname.

The following is an example of tracing the route to 192.168.1.10.

    SWITCH# traceroute 192.168.1.10
    traceroute to 192.168.1.10 (192.168.1.10), 30 hops max, 38 byte packets
     1  hmt.da-san.com (203.236.124.252)  0.528 ms  6.848 ms  7.215 ms
     2  172.16.147.49 (172.16.147.49)  0.450 ms  6.884 ms  7.023 ms
     3  211.193.39.1 (211.193.39.1)  125.313 ms  7.749 ms  8.389 ms
     4  168.126.228.101 (168.126.228.101)  6.597 ms  6.691 ms  34.922 ms
     5  211.196.155.2 (211.196.155.2)  0.719 ms  6.995 ms  134.076 ms
     6  hh-k5-ge3.kornet.net (211.192.47.15)  13.171 ms  50.576 ms  12.646 ms
     7  128.134.40.182 (128.134.40.182)  6.591 ms  13.549 ms  8.134 ms
     8  211.39.255.229 (211.39.255.229)  141.994 ms  7.442 ms  13.891 ms
     9  211.45.90.253 (211.45.90.253)  13.600 ms  11.795 ms  7.714 ms
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    SWITCH#

6.3.3 Cable Length
You can check the cable length from a switch port to the attached workstation. To verify the station-to-station cable length, use the following command in Global configuration mode or Top mode.

Command             Mode         Description
show cable-length   Top/Global   Displays the cable length from each Ethernet port on the switch to the workstation.

This is the output of the show cable-length command.

    SWITCH(config)# show cable-length
    PORT | CABLE LENGTH
    ========================
    1    | 140 (meter) over
    2    | 140 (meter) over
    3    | 140 (meter) over
    4    | 140 (meter) over
    5    | 140 (meter) over
    6    | 20-39 (meter)
    (omitted)
    18   | 140 (meter) over
    19   | 140 (meter) over
    20   | 140 (meter) over
    21   | 140 (meter) over
    22   | 140 (meter) over
    23   | 140 (meter) over
    24   | 140 (meter) over
    SWITCH(config)#

The show cable-length command works only on UTP cables; it cannot be used on fibre-optic cables. When only one uplink interface of the V1624 is in use, the command cannot be used on port 26.

6.3.4 Accessed User through Telnet
To check which users are connected through telnet, use the following command.

Command   Mode         Description
where     Top/Global   Shows the users connected from remote hosts.

The following is an example of checking whether any user is connected from a remote host.

    SWITCH# where
    root at ttyS0 from (null) for 4 minutes 40.10 seconds
    root at ttyp0 from 192.168.1.10:2181 for 14.68 seconds

Here ttyS0 with (null) as its origin is the local console session, and ttyp0 is a telnet session from 192.168.1.10 (source port 2181). A remote session you do not recognise is worth investigating.

6.3.5 Destination Information
To display the routing-table information for a destination, use the following command.

Command               Mode   Description
which-route A.B.C.D   Top    Displays destination information.

The following is an example of displaying the destination information for 202.236.124.100.

    SWITCH# which-route 202.236.124.100
    202.236.124.100 via 172.16.1.254 dev br1 src 172.16.218.2
        cache mtu 1500 rtt 375ms
    SWITCH#

6.3.6 MAC Table
To display the MAC table learned on a bridge, optionally restricted to one port, use the following command.

Command                  Mode                Description
show mac BRIDGE [PORT]   Top/Global/Bridge   Displays the MAC table.

PORT accepts either a port number or a module/port pair; for example, port 34 can be entered as 34 or as 5/2, the second port of the fifth module. The following is an example of displaying the MAC table of br1.

    SWITCH(config)# show mac br1
    port (id)    mac addr            permission   in use
    eth24 (24)   00:00:e8:81:50:4d   OK           no
    eth24 (24)   00:00:e8:81:5d:1b   OK           no
    eth24 (24)   00:00:e8:81:61:fa   OK           no
    eth24 (24)   00:00:e8:81:6c:56   OK           no
    eth24 (24)   00:00:e8:81:6c:6f   OK           no
    eth24 (24)   00:01:02:03:04:05   OK           no
    eth24 (24)   00:01:02:7c:eb:5b   OK           no
    eth24 (24)   00:01:e6:25:43:5b   OK           no
    eth24 (24)   00:02:78:e0:7b:f8   OK           no
    eth24 (24)   00:03:47:1a:c6:76   OK           no
    -- more --
    (omitted)
    SWITCH(config)#

The MAC table can hold well over a thousand addresses, so the entry you need is hard to find at a glance. The system therefore shows a page of entries at a time and pauses at -- more --. Press any key to see more; once you have found the information, press q to return to the prompt without displaying the rest of the table.
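A practitioner reading this table usually wants to know whether a port has learned an unusual number of addresses, because a MAC-flooding host (the condition the mac-flood-guard trap in 7.1.3.2 reports) shows up as many addresses on one access port. The following Python is an added example, not Dasan code: it parses the show mac listing format shown above from a constructed sample and flags ports that exceed a per-port limit and addresses that appear on more than one port. The sample entries, the limit and the uplink list are assumptions.

```python
"""Parse `show mac BRIDGE` output and flag MAC-flooding symptoms
(added example with constructed data; not part of the V1624 manual)."""
import re
from collections import defaultdict

# Constructed sample in the listing format the manual shows: ten addresses
# on eth24 (treated as the uplink in this scenario), a few on access ports,
# and one address that appears on two ports.
SAMPLE_SHOW_MAC = """\
port (id)    mac addr            permission   in use
eth24 (24)   00:00:e8:81:50:4d   OK           no
eth24 (24)   00:00:e8:81:5d:1b   OK           no
eth24 (24)   00:00:e8:81:61:fa   OK           no
eth24 (24)   00:00:e8:81:6c:56   OK           no
eth24 (24)   00:00:e8:81:6c:6f   OK           no
eth24 (24)   00:01:02:03:04:05   OK           no
eth24 (24)   00:01:02:7c:eb:5b   OK           no
eth24 (24)   00:01:e6:25:43:5b   OK           no
eth24 (24)   00:02:78:e0:7b:f8   OK           no
eth24 (24)   00:03:47:1a:c6:76   OK           no
eth3 (3)     00:11:22:33:44:55   OK           yes
eth7 (7)     00:aa:bb:cc:dd:ee   OK           yes
eth9 (9)     00:aa:bb:cc:dd:ee   OK           yes
-- more --
"""

# One table row: "ethN (id)  aa:bb:cc:dd:ee:ff  permission  in-use"
ENTRY_RE = re.compile(
    r"^(?P<port>eth\d+)\s+\((?P<id>\d+)\)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<perm>\S+)\s+(?P<inuse>\S+)$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: {mac, ...}}; header, '-- more --' and prompt lines do not match and are skipped."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            table[m.group("port")].add(m.group("mac").lower())
    return dict(table)


def flood_suspects(table, limit, uplinks=()):
    """Ports with more than `limit` distinct addresses, ignoring known uplinks,
    which legitimately carry every address behind them."""
    return sorted(p for p, macs in table.items() if p not in uplinks and len(macs) > limit)


def duplicate_macs(table):
    """Addresses learned on more than one port: a host that moved, or a spoofed/duplicated MAC."""
    ports_by_mac = defaultdict(set)
    for port, macs in table.items():
        for mac in macs:
            ports_by_mac[mac].add(port)
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_SHOW_MAC)
    print("flood suspects:", flood_suspects(table, limit=5))
    print("flood suspects excluding uplink:", flood_suspects(table, limit=5, uplinks={"eth24"}))
    print("duplicates:", duplicate_macs(table))
```

Run it against a capture of the real show mac output (paged with -- more -- as described above); pass the switch's uplink ports as uplinks so that they are not reported, since an uplink normally carries every address reachable through it.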

6.3.7 Aging Time
The V1624 learns MAC addresses into its MAC table so that frames can be forwarded to the right port instead of being flooded to all ports. An address that is not seen again within a specified time is deleted from the table automatically; this time is called the ageing time. To set the ageing time, use the following command.

Command                    Mode     Description
set stp ageing NAME TIME   Bridge   Specifies the ageing time.

6.3.8 Running Time of Switch
Users can view how long the switch has been running since it booted, with the following command.

Command       Mode         Description
show uptime   Top/Global   Shows the running time of the switch since power on.

The following is an example of viewing the running time of the switch.

    SWITCH# show uptime
    0 days 4 hours 52 minutes 52.91 seconds
    SWITCH#

6.3.9 System Information
To display system information such as the product model, memory size, hardware specification and OS version, use the following command.

Command       Mode         Description
show system   Top/Global   Shows system information.

The following is an example of checking the system information.

    SWITCH# show system
    SysInfo(System Information)
    Model Name          : V1624
    Main Memory Size    : 64 MB
    Flash Memory Size   : 16 MB(INTEL IN28F640J3)
    S/W Compatibility   : 6, 3
    H/W Revision        : DS-P7-01A-A0
    NOS Version         : 9.10
    SWITCH#

6.3.10 Checking Average of CPU Utilization
To check the average CPU utilization, use the following commands.

Command             Mode         Description
show cpuload        Top/Global   Shows the CPU utilization threshold and the average CPU utilization.
show cpu-trueload   Top/Global   Shows the CPU load over the last 10 minutes in 5-second time slots.

The following is an example of checking the average CPU utilization.

    SWITCH(config)# show cpuload
    ----------------
    Average CPU load
    ----------------
     5 sec: 12.83( 6.95) %
     1 min:  5.94( 3.65) %
    10 min:  7.13( 4.25) %

    CPU Load Threshold : 50
    SWITCH(config)#

The following is the sample output of the show cpu-trueload command.

    SWITCH(config)# show cpu-trueload
    5 sec time slots
    ----------------
    11.03( 0.68) 10.99( 0.67) 11.04( 0.66) 11.03( 0.66)
    (Omitted)
    11.09( 0.66) 11.09( 0.65) 11.05( 0.64) 11.10( 0.66)
    10.40( 0.64) 11.07( 0.67) 11.11( 0.69) 11.13( 0.69)
    11.09( 0.65) 11.00( 0.64) 11.05( 0.64) 11.96( 0.73)
    11.04( 0.67) 11.04( 0.64) 11.03( 0.69) 11.94( 0.75)
    10.99( 0.67) 11.06( 0.68) 11.14( 0.66) 12.14( 0.76)
    11.01( 0.63) 11.05( 0.63) 10.95( 0.63) 11.00( 0.64)
    11.04( 0.67) 11.01( 0.63) 10.99( 0.65) 11.02( 0.63)
    11.01( 0.63) 10.96( 0.63) 10.99( 0.63) 11.06( 0.64)
    11.02( 0.66) 11.01( 0.66) 11.01( 0.66) 10.98( 0.63)

    Average CPU load
    ----------------
     5 sec: 12.14( 0.76) %
     1 min: 11.31( 0.68) %
    10 min: 11.25( 0.65) %
    SWITCH(config)#

6.3.11 CPU Statistics Limit
The V1624 can generate a syslog message when the number of packets handled by the CPU exceeds a specified value. This lets administrators monitor the switch and the network more effectively; a sudden rise in CPU-bound broadcast or multicast traffic on one port is an early sign of a loop or a flooding host. To configure the switch to generate a syslog message according to the number of packets handled by the CPU, use the following command.

Command                                                                    Mode     Description
set cpu statistics-limit {unicast | multicast | broadcast} PORTS <10-100>   Global   Generates a syslog message when the number of packets of the given type handled by the CPU exceeds the limit. Configurable per packet type and physical port.

    unicast | multicast | broadcast: packet type
    PORTS: port number
    10-100: packet count (actual value 1000-10000, i.e. the entered value times 100)

To stop the switch from generating these syslog messages, use the following commands.

Command                                                                   Mode         Description
no cpu statistics-limit {unicast | multicast | broadcast} {PORTS | all}   Top/Global   Disables the syslog message for one packet type on the given ports (all: all physical ports).
no cpu statistics-limit all {PORTS | all}                                 Top/Global   Disables the syslog message for all packet types.

To display the configured limits, use the following command.

Command                     Mode                Description
show cpu statistics-limit   Top/Global/Bridge   Shows the configured values for generating a syslog message by CPU packet count.

6.3.12 CPU Process
It is possible to view the CPU load broken down by process. This shows which daemon uses most of the CPU, whether an unnecessary daemon is running, and how a troubled daemon is behaving; a process you do not recognise in this list is also worth investigating. To check the CPU processes, use the following command.

Command        Mode         Description
show process   Top/Global   Shows the CPU load per process.

The following is an example of checking the CPU processes of the switch.

    SWITCH# show process
    USER   PID  %CPU %MEM  VSZ  RSS TTY   STAT START  TIME COMMAND
    root     1   0.0  0.8 1124  540 ?     S    14:55  0:05 init
    root     2   0.0  0.0    0    0 ?     SW   14:55  0:00 [kflushd]
    root     3   0.0  0.0    0    0 ?     SW   14:55  0:00 [kupdate]
    root     4   0.0  0.0    0    0 ?     SW   14:55  0:00 [kpiod]
    root     5   0.0  0.0    0    0 ?     SW   14:55  0:00 [kswapd]
    root    81   0.0  0.8 1104  504 ?     S    14:55  0:00 klogd -c 1
    root    84   0.0  1.1 1436  724 ?     S    14:55  0:00 syslogd -m 0
    root    85   0.2  2.3 3108 1476 ?     S    14:55  0:15 /usr/sbin/zebra
    root    87   0.0  1.0 1488  624 ?     S    14:55  0:00 /usr/sbin/inetd
    root    95   0.0  1.0 1304  632 ttyS0 S    14:55  0:00 ksh
    SWITCH#

6.3.13 Utilization of Memory
To display the memory utilization, use the following command.

Command       Mode         Description
show memory   Top/Global   Shows the utilization of the switch memory.

The following is an example of viewing the utilization of the switch memory.

    SWITCH# show memory
            total:     used:      free:      shared:   buffers:  cached:
    Mem:    63557632   19263488   44294144   4837376   8388608   4378624
    Swap:          0          0          0
    MemTotal:      62068 kB
    MemFree:       43256 kB
    MemShared:      4724 kB
    Buffers:        8192 kB
    Cached:         4276 kB
    SwapTotal:         0 kB
    SwapFree:          0 kB
    SWITCH#

6.3.14 Version of System Image
Users can display the version of the current system image of the V1624 with the following command.

Command        Mode   Description
show version   Top    Shows the version of the system image.

The following is an example of viewing the system image version of the switch.

    SWITCH# show version
    Switch OS Version : 3.15 #4499
    SWITCH#

6.3.15 Size of the System Image File
Users can verify the size of the current system image file of the V1624 with the following command.

Command        Mode         Description
show os-size   Top/Global   Shows the size of the system image.

The following is an example of viewing the size of the current system image file.

    SWITCH# show os-size
    OS image size : 5733352 bytes
    SWITCH#

6.3.16 Installed OS
To display the utilization of flash memory, including the installed system images, use the following command.

Command      Mode         Description
show flash   Top/Global   Shows the utilization of flash memory.

The following is an example of viewing the utilization of flash memory.

    SWITCH# show flash
    Flash Information(Bytes)
    -------------------------------------------------------
    Area            total      used       free
    Os1 (default)   7340032    6171054    1168978   3.15 #4499
    Os2             7340032    6171054    1168978   3.10 #4497
    Config          524288     225288     299000
    Boot            1048576    1048576    0
    Etc             524288     524288     0
    Total           16777216   14140260   2636956
    -------------------------------------------------------
    SWITCH#

6.3.17 Assigning Default OS
When two different system images are installed, the user can assign one of them as the default OS. To assign the default OS, use the following command.

Command                      Mode   Description
set default-os {os1 | os2}   Top    Assigns the default OS. (Default: os1)

The following is an example of assigning os2 as the default OS.

    SWITCH# set default-os os2
    SWITCH#

To see the current default OS, use the show flash command.

6.3.18 Switch Status
To display the temperature of the switch, the power status and the fan status, use the following commands.

Command             Mode                Description
show status power   Top/Global/Bridge   Shows the power status.
show status temp    Top/Global/Bridge   Shows the temperature of the switch.
show status fan     Top/Global/Bridge   Shows the fan status of the switch.

6.3.19 Cable Diagnostics
After the cable-diagnostic command is issued it takes about 5 seconds per port for the result to appear. To display the status of the category 5 Ethernet cables connected to the V1624, use the following command.

Command                  Mode                Description
cable-diagnostic PORTS   Top/Global/Bridge   Shows the status of the connected cables.

In the result report, PAIR-A refers to pins 3 and 6 of the RJ45 connector and PAIR-B to pins 1 and 2. For each pair you can read the state of the physical connection (STATUS), the distance to the fault (LEN) and the link state of the connected equipment (LINK STATE). Tab. 6.3 describes each state in the result report.

Item         State            Description
STATUS       SHORT            A short circuit has occurred.
             OPEN             The cable is disconnected (open).
LINK STATE   PARTNER UP       The partner equipment is powered.
             PARTNER DOWN     The partner equipment is not powered.
             DETECTED ERROR   A problem on the cable has been detected.
             NO LINK          No partner equipment is connected.

Tab. 6.3 The Description of the Result Report

The DETECTED ERROR state is shown only when the connected network equipment has lost power.

The following is the sample output of the cable-diagnostic command.

    SWITCH# cable-diagnostic 1-5
    Please wait for a moment. ( About 5 seconds per port )
    Pair-A is 3,6 line, Pair-B is 1,2 line.
    ----------------------------------------------------------------------------
    PORT  PAIR-A STATUS  PAIR-A LEN (Meters)  PAIR-B STATUS  PAIR-B LEN (Meters)  LINK STATE
    1     -              -                    -              -                    PARTNER UP
    2     OPEN           3                    OPEN           3                    DETECTED ERROR
    3     -              -                    -              -                    NO LINK
    4     -              -                    -              -                    NO LINK
    5     -              -                    -              -                    PARTNER UP
    ----------------------------------------------------------------------------
    SWITCH#


7 Network Management
7.1 SNMP
SNMP (Simple Network Management Protocol) consists of three parts: the SNMP manager, the managed device and the SNMP agent. SNMP is an application-layer protocol that lets manager and agent stations communicate, and it defines the message format for exchanging information between them. The agent and the MIB reside on the switch. Configuring SNMP on the switch defines the relationship between manager and agent: according to the community, you grant read-only or read/write access. The agent holds MIB variables with which it answers requests from the SNMP manager, which can read data from the agent and write data to it; the agent takes that data from the MIB, which stores information about the system and the network. In certain cases the agent also sends a trap to the manager. A trap is a warning message that reports network status, such as a failed user authentication, a reboot, a change of connection status (up or down), the closing of a TCP connection, or loss of connectivity to a neighbour switch.

7.1.1 Configuring Authority of Access to SNMP Agent
Only an authorised person can access the SNMP agent on the switch, by presenting a password called a community. To configure a community, use the following command in Global configuration mode.

Command                             Mode     Description
snmp community PASSWORD {ro | rw}   Global   Configures a community with which authorised persons access the agent.

A community is, in effect, a password: configure it by entering the password you want at PASSWORD, and choose with ro (read-only) or rw (read/write) whether it grants read-only or read/write access. Community-based SNMP (SNMPv1 and SNMPv2c) carries the community string in cleartext in every packet, so anyone who can capture management traffic can read it; do not use well-known defaults such as public or private, give an rw community only to stations that must change the configuration, and keep SNMP reachable from management networks only.

Up to three SNMP communities can be configured on the V1624.

The following two examples grant read/write access with the password administrator and read-only access with the password everyone.

    SWITCH(config)# snmp community administrator rw
    SWITCH(config)# snmp community everyone ro
    SWITCH(config)#
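It is worth seeing on the wire what the ro/rw community actually protects. The following Python is an added example, not Dasan's code or the switch's SNMP agent: it BER-encodes an SNMPv2c GetRequest for sysDescr.0 using the everyone community configured above, then shows what a passive observer of that datagram can read back, namely the version, the community and the request type. The request ID is an assumption; the encoding rules follow the SNMP and BER standards, and the object identifier is MIB-II sysDescr.0.

```python
"""Encode an SNMPv1/v2c GetRequest and dissect it as a sniffer would
(added example; not part of the V1624 manual or its SNMP agent)."""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # MIB-II sysDescr.0
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap(v1)", 0xA6: "InformRequest", 0xA7: "Trap(v2)"}


def ber_length(n):
    """BER length: short form below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, value):
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(v):
    """ASN.1 INTEGER in minimal two's complement (non-negative values here, so a
    leading 0x00 is inserted when the top bit would otherwise be set)."""
    return ber_tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return ber_tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=0x1234, version=1):
    """Message = SEQUENCE { version INTEGER (0 = v1, 1 = v2c), community OCTET STRING, GetRequest-PDU }."""
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")                  # name, NULL value
    pdu = ber_tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)  # id, error-status, error-index
                  + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_integer(version) + ber_tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff(packet):
    """What anyone who captures the datagram learns without any key: version,
    community and PDU type. This is why a v1/v2c community is a cleartext password."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, _, _ = read_tlv(msg, pos)
    return {
        "version": {0: "v1", 1: "v2c"}.get(int.from_bytes(version, "big"), "other"),
        "community": community.decode(errors="replace"),
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
    }


if __name__ == "__main__":
    pkt = build_get_request("everyone", SYS_DESCR_0)
    print(pkt.hex())
    print(sniff(pkt))
```

The same dissection applies to a SetRequest carrying the rw community, which is the packet an attacker needs to capture once to gain write access to the configuration; that is the reason for the handling advice given above.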

To delete a configured community, use the following command.

Command                                Mode     Description
no snmp community PASSWORD {ro | rw}   Global   Deletes the community.

7.1.2 Configuring Accessed Person and Location of SNMP Agent
You can configure the contact person and the location of the SNMP agent so that these descriptions are saved in the SNMP configuration. To do so, use the following commands.

Command              Mode     Description
snmp contact NAME    Global   Enters the name of the contact person.
snmp location NAME   Global   Enters the location of the SNMP agent.
no snmp contact      Global   Deletes the contact name.
no snmp location     Global   Deletes the location.

The following is an example of configuring the contact person and the location of the SNMP agent as manager and seoul.

    SWITCH(config)# snmp contact manager
    SWITCH(config)# snmp location seoul
    SWITCH(config)#

7.1.3 Configuring SNMP Trap
An SNMP trap is an alert message with which the SNMP agent notifies the SNMP manager of certain events. If you configure SNMP traps, the switch transmits the relevant information to the network management program. The receivers of trap messages are called trap-hosts.

7.1.3.1 Configuring SNMP trap-host
To configure the trap-hosts that receive trap messages, use the following command, entering the IP address of each trap-host; if the SNMP manager is the trap-host, enter the IP address of the SNMP manager.

Command                            Mode     Description
snmp trap-host A.B.C.D [A.B.C.D]   Global   Registers trap-host IP addresses (maximum 16 trap-hosts).
no snmp trap-host                  Global   Deletes the configured SNMP trap-hosts.

The following is an example of assigning the manager with IP address 10.1.1.3 as a trap-host.

    SWITCH(config)# snmp trap-host 10.1.1.3
    SWITCH(config)#

When you assign more than one trap-host, you can enter the IP addresses one at a time or all at once. The following example configures 10.1.1.3, 20.1.1.5 and 30.1.1.2 as trap-hosts in both ways.

    SWITCH(config)# snmp trap-host 10.1.1.3
    SWITCH(config)# snmp trap-host 20.1.1.5
    SWITCH(config)# snmp trap-host 30.1.1.2
    SWITCH(config)# snmp trap-host 10.1.1.3 20.1.1.5 30.1.1.2
    SWITCH(config)#

7.1.3.2 Configuring Type of SNMP Trap
There are 16 kinds of SNMP trap messages: cold-start, link-up/down, authentication failure, cpu-threshold, memory-threshold, port-threshold, dhcp-lease, dhcp-illegal-entry, fan, module, power, ip-conflict, mac-flood-guard and temp/major-temp. They are sent in the following cases.
(1) authentication-failure: a user trying to access the SNMP agent entered a wrong community. Repeated authentication-failure traps from one source indicate community guessing and are worth following up.
(2) cold-start: the SNMP agent was turned off and started again.
(3) link-up/down: the network on a port specified by the user was disconnected, or connected again.
(4) cpu-threshold: CPU utilization exceeded the threshold configured by the user; another trap is sent when it falls below the threshold again.
(5) memory-threshold: memory usage exceeded the threshold specified by the user; another trap is sent when it falls below the threshold again.
(6) port-threshold: port traffic exceeded the threshold configured by the user; another trap is sent when it falls below the threshold again.
(7) dhcp-lease: no more IP addresses can be assigned in a subnet of the DHCP server. The trap is sent even if only one of several subnets has run out of addresses.
(8) dhcp-illegal-entry: an ARP request or ARP reply was seen from a DHCP client that is prevented from using a static IP address, and the client was blocked.
(9) fan/module/power: a problem with the fan, a module or the power supply.
(10) ip-conflict: an IP address conflict was detected.
(11) mac-flood-guard: the threshold configured by the user was exceeded.
(12) temp/major-temp: the system temperature exceeded its threshold.

DPW:G-S-1624H0-04

85

UMN:CLI

User Manual
V1624

Sending every trap type can flood the trap host with messages. The user can therefore select which trap types are sent to the trap host. To enable the trap types you want to receive, use the following commands. A burst of authentication-failure traps is the usual sign of someone guessing community strings, so consider keeping that type enabled even when others are turned off.
(Mode: Global)
  snmp trap auth-fail              Sends the authentication-failure trap.
  snmp trap cold-start             Sends the cold-start trap.
  snmp trap link-down PORT         Sends a link-down trap when the link on the specified port goes down.
  snmp trap link-up PORT           Sends a link-up trap when the link on the specified port comes up.
  snmp trap cpu-threshold          Sends a trap when CPU utilization exceeds the threshold configured in 7.3.5 CPU Utilization Threshold, and again when it falls back below the threshold.
  snmp trap port-threshold         Sends a trap when port traffic exceeds the threshold, and again when it falls back below the threshold.
  snmp trap dhcp-lease             Sends the dhcp-lease trap when a subnet of the DHCP server has no more IP addresses to assign.
  snmp trap dhcp-illegal-entry     Sends a trap when a DHCP client that is not allowed to use a static IP address is blocked.
  snmp trap fan                    Sends a trap when there is a problem with a fan.
  snmp trap module                 Sends a trap when there is a problem with a module.
  snmp trap power                  Sends a trap when there is a problem with the power supply.
  snmp trap major-temp             Sends a trap when the system temperature exceeds the threshold.
  snmp trap temperature            Sends a trap when the system temperature exceeds the threshold.
  snmp trap ip-conflict            Sends the ip-conflict trap reporting an IP address conflict.
  snmp trap mac-flood-guard        Sends the mac-flood-guard trap when the threshold configured in 8.8.2 Configuring Flood-guard based on MAC Address is exceeded.

By default, all trap types are enabled.


To stop a trap type from being sent to the trap host, use the following commands.

(Mode: Global)
  no snmp trap auth-fail             Disables the authentication-failure trap.
  no snmp trap cold-start            Disables the cold-start trap.
  no snmp trap link-down PORT        Disables the link-down trap.
  no snmp trap link-up PORT          Disables the link-up trap.
  no snmp trap cpu-threshold         Disables the cpu-threshold trap.
  no snmp trap port-threshold        Disables the port-threshold trap.
  no snmp trap dhcp-lease            Disables the dhcp-lease trap.
  no snmp trap dhcp-illegal-entry    Disables the dhcp-illegal-entry trap.
  no snmp trap fan                   Disables the fan trap.
  no snmp trap module                Disables the module trap.
  no snmp trap power                 Disables the power trap.
  no snmp trap ip-conflict           Disables the ip-conflict trap.
  no snmp trap mac-flood-guard       Disables the mac-flood-guard trap.
  no snmp trap major-temp            Disables the major-temp trap.
  no snmp trap temperature           Disables the temperature trap.

The following is an example of disabling authentication failure trap message.


    SWITCH(config)# no snmp trap auth-fail
    SWITCH(config)#

V1624 can assign a priority to the fan trap and the door trap. There are four levels: critical, major, minor and normal. To configure the priority of the fan trap and the door trap, use the following commands.

(Mode: Global)
  alarmclass door {critical | major | minor | normal}    Sets the priority of the door trap.
  alarmclass fan1 {critical | major | minor | normal}    Sets the priority of the fan trap.


7.1.4

Configuring IP Address of SNMP Agent


When the SNMP agent has several IP addresses, it answers a manager's request through the best route, so the reply may carry a source address different from the address the manager queried. In V1624, the user can designate the IP address of the SNMP agent so that replies are sent from that address: if the agent address is configured as 10.1.1.1, SNMP information is transmitted from 10.1.1.1. To configure the IP address of the SNMP agent, use the following command.

(Mode: Global)
  snmp agent-address A.B.C.D       Sets the IP address the SNMP agent sends from.
  no snmp agent-address A.B.C.D    Deletes the IP address of the SNMP agent.

If the IP address designated as the SNMP agent address is removed from the switch, SNMP may stop responding. When you try to remove that address from an interface, the switch warns you as follows.

    SWITCH(config)# snmp agent-address 10.1.1.1
    SWITCH(config)# interface br1
    SWITCH(config-if)# no ip address 10.1.1.1/8
    Warning : 10.1.1.1/8 is specified to the SNMP agent address. SNMP agent may not reply.
    SWITCH(config-if)#

7.1.5

SNMP Configuration
To check the SNMP configuration, use the following command.

  show running-config    (Mode: Top/Global/Bridge/Interface)    Shows the switch configuration.

The following is an example of viewing the switch configuration.

    SWITCH(config)# show running-config
    (omitted)
    snmp contact manager
    snmp location seoul
    snmp community everyone ro
    snmp community administrator rw
    no snmp trap auth-fail
    snmp trap-host 10.1.1.3 20.1.1.5 30.1.1.2
    !
    SWITCH(config)#

Check this output for communities and trap hosts you did not intend: an rw community gives full write access to the switch, and community-based SNMP (v1/v2c) sends the community string in cleartext on the wire.


7.1.6

Deleting SNMP
To delete SNMP, use the following command.

(Mode: Global)
  no snmp    Deletes SNMP.

When you use the above command, all configuration concerning SNMP is deleted. The following is an example of deleting SNMP and checking the result.

    SWITCH(config)# no snmp
    SWITCH(config)# show running-config
    (omitted)
    no snmp
    !
    SWITCH(config)#

7.2

RMON
RMON (Remote Monitoring) monitors the communication status of devices attached to an Ethernet segment from a remote place. While SNMP only gives information about the device on which the SNMP agent runs, RMON gives information about the whole segment including the attached devices, so the user can manage the network more effectively. For instance, SNMP can report the traffic on certain ports, whereas RMON can show the traffic across the whole network, the traffic of each host on the segment, and the current traffic between hosts. Because RMON processes a large amount of data, its share of processor time is high; the administrator should therefore take care that RMON does not degrade switch performance or overload the network. RFC 1757 defines nine RMON MIB groups: Statistics, History, Alarm, Host, Host Top N, Matrix, Filter, Packet Capture and Event. V1624 supports the three most basic of them: History, Alarm and Event.

7.2.1

Configuring RMON History


RMON History periodically samples statistical data about the traffic on each Ethernet port. By default, statistics of all ports are sampled at the default interval of 30 seconds (see 7.2.1.4) and 50 samples are stored per port. You can configure both the sampling interval and the number of samples to keep. The following is an example of viewing the default History configuration.
    SWITCH(config)# show running-config
    (omitted)
    !
    rmon-history 1
     owner monitor
     data-source ifIndex.n1/port1
     interval 30
     requested-buckets 50
    (omitted)
    SWITCH(config)#

To configure RMON History, you first need to enter History configuration mode with the following command. The system prompt then changes from SWITCH(config)# to SWITCH(config-rmonhistory[n])#, where n is the number that distinguishes each History entry.

(Mode: Global)
  rmon-history <1-65534>    Opens History configuration mode for the History entry with the given number (1 to 65,534).

The following is an example of entering into RMON History configuration mode to configure History 1.
    SWITCH(config)# rmon-history 1
    SWITCH(config-rmonhistory[1])#

Input a question mark(?) at the system prompt on History configuration mode if you want to list available commands. The following is an example of listing available commands on History configuration mode.
    SWITCH(config-rmonhistory[1])# ?
      active              Activate the history
      data-source         Define the data source object for the ethernet port
      end                 End current mode and down to top mode
      exit                Exit current mode and down to previous mode
      interval            Define the time interval for the history
      list                Print command list
      owner               Assign the owner who define and is using the history resources
      requested-buckets   Define the bucket count for the interval
      show                Show running system information
    SWITCH(config-rmonhistory[1])#

Note: The question mark (?) you enter is not echoed; the command list is displayed right after you type it.

7.2.1.1 Assigning Source Port of Statistical Data


When you configure RMON History, you have to assign the source port of the statistical data. To collect the statistics of a certain port as the sample, assign the port with the following command.

(Mode: RMON History)
  data-source OID    Assigns the source port of the statistics. The variable OID is ifIndex followed by the interface identifier, as in the default configuration shown above (ifIndex.n1/port1).


The following is an example of assigning port 1 as source port.


    SWITCH(config-rmonhistory[1])# data-source ifindex.br1
    SWITCH(config-rmonhistory[1])#

7.2.1.2

Identifying Subject of RMON History


The owner of an RMON History entry identifies who configured it and is using its data. To set the owner of a History entry, use the following command.

(Mode: RMON History)
  owner NAME    Sets the owner of the History entry.

The following is an example of setting the owner of the History entry to dasan.

    SWITCH(config-rmonhistory[1])# owner dasan
    SWITCH(config-rmonhistory[1])#

The owner name can be at most 32 characters. If you enter more than 32 characters, the error message %Too long owner name is displayed.

7.2.1.3

Configuring Number of Sample Data


The user can configure the number of samples kept by RMON History. To do so, use the following command.

(Mode: RMON History)
  requested-buckets COUNT    Configures the number of samples to keep.

The following is an example of configuring the number of samples as 25.

    SWITCH(config-rmonhistory[1])# requested-buckets 25
    SWITCH(config-rmonhistory[1])#

Note: The number of samples can be configured up to 65,535.

7.2.1.4 Configuring Interval of Sample Inquiry

To configure the sampling interval in seconds, use the following command.

(Mode: RMON History)
  interval TIME    Configures the sampling interval in seconds. The default is 30 seconds (max. 3,600 seconds).


The following is an example of configuring the interval of sample inquiry as 60 seconds.


    SWITCH(config-rmonhistory[1])# interval 60
    SWITCH(config-rmonhistory[1])#

7.2.1.5

Activating RMON History


After finishing the configuration, you need to activate RMON History with the following command.

(Mode: RMON History)
  active    Activates RMON History.

The following is an example of activating RMON History and viewing the configuration.

    SWITCH(config-rmonhistory[1])# active
    SWITCH(config-rmonhistory[1])# show running-config
    Building configuration...
    (omitted)
    rmon-history 1
     owner dasan
     data-source ifindex.br1
     interval 60
     requested-buckets 25
     active
    (omitted)
    SWITCH(config-rmonhistory[1])#

Check that the configuration is correct before activating RMON History. After RMON History is activated, its configuration cannot be changed; to change it, delete the RMON History entry and configure it again.

7.2.1.6

Deleting and Changing Configuration of RMON History


To change the configuration of an RMON History entry, delete the entry with that number and configure it again. To delete an RMON History entry, use the following command.

(Mode: Global)
  no rmon-history NUMBER    Deletes the RMON History entry with the specified number.

The following is an example of deleting RMON History 1.

    SWITCH(config)# no rmon-history 1
    SWITCH(config)#


7.2.2

Configuring RMON Alarm


RMON Alarm samples a MIB object at the interval the user configures and raises an alarm when the sampled value crosses a configured threshold. There are two ways to compare with the threshold: absolute comparison and delta comparison.

Absolute comparison: the sampled value itself is compared with the threshold at each interval; an alarm is raised when it rises above the upper bound or falls below the lower bound.

Delta comparison: the difference between the current sample and the previous sample is compared with the threshold; an alarm is raised when that difference rises above the upper bound or falls below the lower bound.

To configure RMON Alarm, you first need to open RMON Alarm configuration mode with the following command. The system prompt then changes from SWITCH(config)# to SWITCH(config-rmonalarm[n])#, where n is the number that distinguishes each RMON Alarm.

(Mode: Global)
  rmon-alarm <1-65534>    Begins RMON Alarm configuration mode for the Alarm with the given number.

The following is an example of entering Alarm configuration mode to configure RMON Alarm 1.

    SWITCH(config)# rmon-alarm 1
    SWITCH(config-rmonalarm[1])#

Input a question mark(?) at the system prompt on Alarm configuration mode if you want to list available commands. The following is an example of listing available commands on Alarm configuration mode.
    SWITCH(config-rmonalarm[1])# ?
      active              Activate the event
      end                 End current mode and down to top mode
      exit                Exit current mode and down to previous mode
      falling-event       Associate the falling threshold with an existing RMON event
      falling-threshold   Define the falling threshold
      list                Print command list
      owner               Assign the owner who define and is using the history resources
      rising-event        Associate the rising threshold with an existing RMON event
      rising-threshold    Define the rising threshold
      sample-interval     Specify the sampling interval for RMON alarm
      sample-type         Define the sampling type
      sample-variable     Define the MIB Object for sample variable
      show                Show running system information
      startup-type        Define startup alarm type
    SWITCH(config-rmonalarm[1])#


7.2.2.1

Identifying Subject of RMON Alarm


The owner of an RMON Alarm identifies who configured it and is using its data. To set the owner of an Alarm, use the following command.

(Mode: RMON Alarm)
  owner NAME    Sets the owner of the RMON Alarm.

The following is an example of setting the owner of the Alarm to dasan.

    SWITCH(config-rmonalarm[1])# owner dasan
    SWITCH(config-rmonalarm[1])#

The owner name can be at most 32 characters. If you enter more than 32 characters, the error message %Too long owner name is displayed.

7.2.2.2

Configuring Object of Sample Inquiry


RMON Alarm needs the MIB object whose value is sampled. The objects that can be sampled are defined in svcExt.mib, and the notation of object values is defined in CntExt.mib.

To assign the object used for sampling, use the following command.

(Mode: RMON Alarm)
  sample-variable MIB-OBJECT    Assigns the MIB object to be sampled.

The following is an example of selecting the MIB object apSvcConnections for sampling.

    SWITCH(config-rmonalarm[1])# sample-variable apSvcConnections
    SWITCH(config-rmonalarm[1])#

7.2.2.3

Configuring Absolute Comparison and Delta Comparison.


When configuring RMON Alarm, you can select how the sampled MIB object is compared with the threshold. Absolute comparison compares the sampled value directly with the threshold: for instance, to be alerted when apSvcConnections reaches 30,000, configure apSvcConnections with absolute comparison and a threshold of 30,000. To compare the sampled object directly with the threshold, use the following command.

(Mode: RMON Alarm)
  sample-type absolute    Compares the sampled value directly with the threshold.


Delta comparison compares the difference between the current sample and the previous sample with the threshold: for instance, to be alerted when apCntHits has increased by more than 100,000 since the previous sample, configure apCntHits with delta comparison. To configure delta comparison, use the following command.

(Mode: RMON Alarm)
  sample-type delta    Compares the difference between the current sample and the previous sample with the threshold.

7.2.2.4

Configuring Upper Bound of Threshold


To raise an Alarm when the sampled value exceeds the upper bound, configure the upper bound (rising threshold) with the following command.

(Mode: RMON Alarm)
  rising-threshold NUMBER    Configures the upper bound of the threshold.

The following is an example of configuring the upper bound as 100.

    SWITCH(config-rmonalarm[1])# rising-threshold 100
    SWITCH(config-rmonalarm[1])#

The upper bound can be configured up to 2,147,483,647. If you configure it as 0, no Alarm is raised.

After configuring the upper bound, associate the RMON Event to be triggered when the sampled value exceeds it, using the following command.

(Mode: RMON Alarm)
  rising-event <0-65535>    Triggers the RMON Event with the given number when the sampled value exceeds the upper bound.

The following is an example of triggering RMON Event 1 when the sampled value exceeds the upper bound.

    SWITCH(config-rmonalarm[1])# rising-event 1
    SWITCH(config-rmonalarm[1])#

Note: If the upper bound of the threshold is configured as 0, no Event is triggered.

7.2.2.5 Configuring Lower Bound of Threshold

To raise an Alarm when the sampled value drops below the lower bound, configure the lower bound (falling threshold).


To configure the lower bound of the threshold, use the following command.

(Mode: RMON Alarm)
  falling-threshold NUMBER    Configures the lower bound of the threshold.

The following is an example of configuring the lower bound as 90.

    SWITCH(config-rmonalarm[1])# falling-threshold 90
    SWITCH(config-rmonalarm[1])#

The lower bound can be configured up to 2,147,483,647. If you configure it as 0, no Alarm is raised.

After configuring the lower bound, associate the RMON Event to be triggered when the sampled value drops below it, using the following command.

(Mode: RMON Alarm)
  falling-event <0-65535>    Triggers the RMON Event with the given number when the sampled value drops below the lower bound.

The following is an example of triggering RMON Event 2 when the sampled value drops below the lower bound.

    SWITCH(config-rmonalarm[1])# falling-event 2
    SWITCH(config-rmonalarm[1])#

Note: If the lower bound of the threshold is configured as 0, no Event is triggered.

7.2.2.6 Configuring Standard of the First Alarm

The user can configure when the first Alarm is raised: at the first sample that exceeds the upper bound, at the first sample that drops below the lower bound, or at whichever of the two happens first. To raise the first RMON Alarm when the sampled value first drops below the lower bound, use the following command.

(Mode: RMON Alarm)
  startup-type falling    Raises the first Alarm when the sampled value first drops below the lower bound.

To raise the first Alarm when the sampled value first exceeds the upper bound, use the following command.

(Mode: RMON Alarm)
  startup-type rising    Raises the first Alarm when the sampled value first exceeds the upper bound.


To raise the first Alarm when the sampled value first exceeds the upper bound or drops below the lower bound, whichever happens first, use the following command.

(Mode: RMON Alarm)
  startup-type rising-and-falling    Raises the first Alarm when the sampled value first crosses either bound.

7.2.2.7 Configuring Interval of Sample Inquiry

The sampling interval is the time, in seconds, between comparisons of the sampled value with the upper and lower bounds. To configure the sampling interval for RMON Alarm, use the following command.

(Mode: RMON Alarm)
  sample-interval <0-65535>    Configures the sampling interval in seconds.

The following is an example of configuring the sampling interval as 60 seconds.

    SWITCH(config-rmonalarm[1])# sample-interval 60
    SWITCH(config-rmonalarm[1])#

7.2.2.8

Activating RMON Alarm


After finishing all configurations, you need to activate RMON Alarm. To activate RMON Alarm, use the following command.
(Mode: RMON Alarm)
  active    Activates RMON Alarm.

The following is an example of activating RMON Alarm and viewing the configuration.

    SWITCH(config-rmonalarm[1])# active
    SWITCH(config-rmonalarm[1])# show running-config
    Building configuration...
    (omitted)
    rmon-alarm 1
     owner dasan
     sample-variable apSvcConnections
     sample-type absolute
     startup-type rising
     rising-threshold 100
     falling-threshold 90
     rising-event 1
     falling-event 2
     sample-interval 60
     active
    (omitted)
    SWITCH(config-rmonalarm[1])#


Make sure that the configuration is correct before activating RMON Alarm. After activation, the configuration cannot be changed; to change it, delete the RMON Alarm and configure it again.

7.2.2.9 Deleting RMON Alarm and Changing Configuration

To change the configuration of an RMON Alarm, delete the Alarm with that number and configure it again. To delete an RMON Alarm, use the following command.

(Mode: Global)
  no rmon-alarm NUMBER    Deletes the RMON Alarm with the specified number.

The following is an example of deleting RMON Alarm 1.

    SWITCH(config)# no rmon-alarm 1
    SWITCH(config)#

7.2.3

Configuring RMON Event


RMON Event defines what the switch does when an RMON Alarm fires: the user can configure an Event to write a log message, to send a trap to the SNMP management server, or both. To configure RMON Event, you need to open Event configuration mode with the following command. The system prompt then changes from SWITCH(config)# to SWITCH(config-rmonevent[n])#, where n is the number that distinguishes each Event.

(Mode: Global)
  rmon-event <1-65534>    Begins RMON Event configuration mode for the Event with the given number.

The following is an example of opening Event configuration mode to configure RMON Event 1.

    SWITCH(config)# rmon-event 1
    SWITCH(config-rmonevent[1])#

To list the available commands for RMON Event, enter a question mark (?) at the system prompt in Event configuration mode. The following is an example of listing the available commands in Event configuration mode.

    SWITCH(config-rmonevent[1])# ?
      active        Activate the event
      community     Define a community to an unactivated event
      description   Define description of RMON event
      end           End current mode and down to top mode
      exit          Exit current mode and down to previous mode
      list          Print command list
      owner         Assign the owner who define and is using the history resources
      show          Show running system information
      type          Define the event type determines where send the event notification
    SWITCH(config-rmonevent[1])#

7.2.3.1

Configuring Event Community


When an RMON Event of trap type fires, the switch needs a community string to put in the SNMP trap sent to the trap host; the trap host uses it to decide whether to accept the message. To configure the community for trap transmission, use the following command.

(Mode: RMON Event)
  community PASSWORD    Configures the community string carried in the trap.

The following is an example of configuring the community of the RMON Event as password.

    SWITCH(config-rmonevent[1])# community password
    SWITCH(config-rmonevent[1])#

7.2.3.2

Event Description
A brief description can be attached to an Event. The description is not generated automatically; the administrator has to write it. To describe an Event, use the following command.

(Mode: RMON Event)
  description DESCRIPTION    Describes the Event (max. 126 characters).

The following is an example of describing an Event.

    SWITCH(config-rmonevent[1])# description This event ...
    SWITCH(config-rmonevent[1])#

7.2.3.3

Identifying Subject of Event


The owner of an Event identifies who configured it and is using its data. To set the owner of an Event, use the following command.

(Mode: RMON Event)
  owner NAME    Sets the owner of the Event. The owner should be the same as the owner of the Alarm that triggers it.


The following is an example of setting the owner of the Event to dasan.

    SWITCH(config-rmonevent[1])# owner dasan
    SWITCH(config-rmonevent[1])#

The owner name can be at most 32 characters. If you enter more than 32 characters, the error message %Too long owner name is displayed.

7.2.3.4

Configuring Event Type


When an RMON Event fires, its type decides where the notification is sent. To configure the Event type, use the following commands.

(Mode: RMON Event)
  type log             Sets the Event type to log. A log-type Event is written to the log.
  type trap            Sets the Event type to trap. A trap-type Event is sent as an SNMP trap to the SNMP manager.
  type log-and-trap    Sets the Event type to both log and trap.

7.2.3.5

Activating Event
After finishing all configurations, you should activate RMON Event. In order to activate RMON Event, use the following command.
(Mode: RMON Event)
  active    Activates the Event.

The following is an example of activating RMON Event and viewing the above configuration.

    SWITCH(config-rmonevent[1])# active
    SWITCH(config-rmonevent[1])# show running-config
    Building configuration...
    (omitted)
    !
    rmon-event 1
     owner dasan
     community password
     description This event ...
     type log-and-trap
     active
    (omitted)
    SWITCH(config-rmonevent[1])#
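The threshold logic of 7.2.2 (absolute and delta sampling, startup-type, upper and lower bounds with their associated Events) and the Event types of 7.2.3 are modelled together in the following Python program. It is an added example, not code from the switch or from Dasan; it follows the RMON alarmTable semantics of RFC 2819, which the CLI above mirrors, and the thresholds, event numbers and community string are those of the examples in this chapter while the sample readings are constructed for the demonstration.

```python
"""Evaluate RMON alarms and dispatch RMON events.

Added example (not the V1624's own code). It models the rmon-alarm and
rmon-event parameters of sections 7.2.2 and 7.2.3 with the threshold
semantics of the RMON alarmTable (RFC 2819): a rising alarm fires when a
sample crosses the upper bound upward, a falling alarm when it crosses
the lower bound downward, and neither repeats until the opposite alarm
has fired in between (hysteresis). Sample values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RmonEvent:
    """One rmon-event entry; `event_type` decides where a notification goes."""
    index: int
    event_type: str = "log"          # log | trap | log-and-trap
    community: str = "public"        # community string carried in the trap
    description: str = ""

    def fire(self, alarm_index: int, value: int) -> List[Tuple[str, str]]:
        """Return (destination, message) pairs for one firing of this event."""
        msg = f"rmon-alarm {alarm_index}: {self.description} (value={value})"
        out: List[Tuple[str, str]] = []
        if self.event_type in ("log", "log-and-trap"):
            out.append(("log", msg))
        if self.event_type in ("trap", "log-and-trap"):
            out.append(("trap", f"community={self.community} {msg}"))
        return out


@dataclass
class RmonAlarm:
    """One rmon-alarm entry; field names follow the CLI keywords."""
    index: int
    rising_threshold: int
    falling_threshold: int
    rising_event: int = 0            # 0 = no event associated
    falling_event: int = 0
    sample_type: str = "absolute"    # absolute | delta
    startup_type: str = "rising-and-falling"   # rising | falling | rising-and-falling
    last_value: Optional[int] = field(default=None, init=False)   # last compared value
    _prev_raw: Optional[int] = field(default=None, init=False, repr=False)
    _last_fired: Optional[str] = field(default=None, init=False, repr=False)

    def _compared_value(self, raw: int) -> Optional[int]:
        if self.sample_type == "absolute":
            return raw
        # delta compares the change since the previous sample, so the first
        # raw reading only seeds the comparison and yields no value
        prev, self._prev_raw = self._prev_raw, raw
        return None if prev is None else raw - prev

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None."""
        value = self._compared_value(raw)
        if value is None:
            return None
        fired = None
        if self.last_value is None:
            # first comparable sample: startup-type decides whether an alarm fires
            if value >= self.rising_threshold and self.startup_type in ("rising", "rising-and-falling"):
                fired = "rising"
            elif value <= self.falling_threshold and self.startup_type in ("falling", "rising-and-falling"):
                fired = "falling"
        elif (value >= self.rising_threshold and self.last_value < self.rising_threshold
              and self._last_fired != "rising"):
            fired = "rising"      # upward crossing, and no rising alarm since the last falling one
        elif (value <= self.falling_threshold and self.last_value > self.falling_threshold
              and self._last_fired != "falling"):
            fired = "falling"     # downward crossing, and no falling alarm since the last rising one
        self.last_value = value
        if fired is not None:
            self._last_fired = fired
        return fired


def run_alarm(alarm: RmonAlarm, events: Dict[int, RmonEvent],
              samples: List[int]) -> List[Tuple[str, str]]:
    """Feed samples in order and collect the notifications the events produce."""
    notifications: List[Tuple[str, str]] = []
    for raw in samples:
        kind = alarm.sample(raw)
        if kind is None:
            continue
        ev_index = alarm.rising_event if kind == "rising" else alarm.falling_event
        if ev_index != 0 and ev_index in events:      # event number 0 means no event
            notifications.extend(events[ev_index].fire(alarm.index, alarm.last_value))
    return notifications


if __name__ == "__main__":
    # Events 1 and 2 and Alarm 1 as configured in the examples of this chapter
    events = {
        1: RmonEvent(1, "log-and-trap", "password", "This event ..."),
        2: RmonEvent(2, "log", description="connections back under the lower bound"),
    }
    alarm = RmonAlarm(1, rising_threshold=100, falling_threshold=90,
                      rising_event=1, falling_event=2,
                      sample_type="absolute", startup_type="rising")
    # constructed apSvcConnections readings, one per sample-interval
    for dest, msg in run_alarm(alarm, events, [50, 80, 100, 120, 95, 100, 90, 100]):
        print(f"{dest:4s} {msg}")
```

Running the program with the readings above raises Event 1 at the third sample (100 crosses the upper bound), nothing at 120 or at the second 100 (a rising alarm does not repeat), Event 2 at 90, and Event 1 again once the value climbs back to 100. The same hysteresis is why a delta alarm on a counter such as apCntHits does not fire on every interval in which the increase stays above the bound.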


You should make sure that all configurations are correct before activating RMON Event. After activating RMON Event, you cannot change configuration. If you need to change configuration, you have to delete RMON Event and configure it again.

7.2.3.6

Deleting RMON Event and Changing Configuration


To change the configuration of an RMON Event, delete the Event with that number and configure it again. To delete an RMON Event, use the following command.

(Mode: Global)
  no rmon-event NUMBER    Deletes the RMON Event with the specified number.

The following is an example of deleting RMON Event 1.

    SWITCH(config)# no rmon-event 1
    SWITCH(config)#


7.3

Syslog
The syslog function reports problems that occur in the switch to the network manager. In V1624 the system logger is enabled by default; even if you disable it, it will be enabled again (see 7.3.2).

This section contains the following functions:
  Level of Syslog Message
  Disabling Syslog
  Displaying Syslog Message
  Displaying Syslog Configuration
  CPU Utilization Threshold
  Memory Usage Threshold
  Port Traffic Threshold
  Configuring Threshold of System Temperature

7.3.1

Level of Syslog Message


Syslog Output Level without a Priority

To set a syslog output level, use the following commands.

(Mode: Global)
  syslog output {emerg | alert | crit | err | warning | notice | info | debug} console
      Generates syslog messages of the selected level or higher and forwards them to the console.
  syslog output {emerg | alert | crit | err | warning | notice | info | debug} local {volatile | non-volatile}
      Generates syslog messages of the selected level or higher and stores them in system memory.
      volatile: messages are deleted after a restart. non-volatile: messages are kept.
  syslog output {emerg | alert | crit | err | warning | notice | info | debug} remote A.B.C.D
      Generates syslog messages of the selected level or higher and forwards them to the remote host A.B.C.D.

To disable a specified syslog output, use the following commands.

(Mode: Global)
  no syslog output {emerg | alert | crit | err | warning | notice | info | debug} console
  no syslog output {emerg | alert | crit | err | warning | notice | info | debug} local {volatile | non-volatile}
  no syslog output {emerg | alert | crit | err | warning | notice | info | debug} remote A.B.C.D
      Deletes the specified syslog output.


The order of priority is emergency > alert > critical > error > warning > notice > info > debug. If you set a specific output level, you receive only syslog messages of that level or higher (more urgent). To receive messages of all levels, set the level to debug.

Syslog Output Level with a Priority

To set the syslog output level for syslog messages of a specified facility (called priority in the command), use the following commands.

(Mode: Global)
  syslog output priority {auth | authpriv | cron | deamon | kern | lpr | mail | news | syslog | user | uucp} {emerg | alert | crit | err | warning | notice | info} console
      Generates syslog messages of the specified facility at the selected level or higher and forwards them to the console.
  syslog output priority {auth | authpriv | cron | deamon | kern | lpr | mail | news | syslog | user | uucp} {emerg | alert | crit | err | warning | notice | info} local {volatile | non-volatile}
      Generates syslog messages of the specified facility at the selected level or higher and stores them in system memory.
      volatile: messages are deleted after a restart. non-volatile: messages are kept.
  syslog output priority {auth | authpriv | cron | deamon | kern | lpr | mail | news | syslog | user | uucp} {emerg | alert | crit | err | warning | notice | info} remote A.B.C.D
      Generates syslog messages of the specified facility at the selected level or higher and forwards them to the remote host A.B.C.D.

To delete the configured syslog output level for a specified facility, use the following commands.

(Mode: Global)
  no syslog output priority {auth | authpriv | cron | deamon | kern | lpr | mail | news | syslog | user | uucp} {emerg | alert | crit | err | warning | notice | info} console
  no syslog output priority {auth | authpriv | cron | deamon | kern | lpr | mail | news | syslog | user | uucp} {emerg | alert | crit | err | warning | notice | info} local {volatile | non-volatile}
  no syslog output priority {auth | authpriv | cron | deamon | kern | lpr | mail | news | syslog | user | uucp} {emerg | alert | crit | err | warning | notice | info} remote A.B.C.D
      Deletes the specified syslog output level with a priority.


User-defined Syslog Output Level with a Priority To set a user-defined syslog output level with a priority, use the following command.
Command syslog output priority {local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7} {emerg | alert | crit | err | warning | notice | info} console syslog output priority {local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7} {emerg | alert | crit | err | warning | notice | info} local {volatile | nonvolatile} syslog output priority {local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7} {emerg | alert | crit | err | warning | notice | info} remote A.B.C.D Generates a user-defined syslog message with a priority and forwards it to a remote host. Global Generates a user-defined syslog message with a priority in the system memory. volatile: deletes a syslog message after restart. non-volatile: reserves a syslog message. Generates a user-defined syslog message with a priority and forwards it to the console. Mode Description

To delete a user-defined syslog output level, use the following command.


Command: no syslog output priority {local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7} {emerg | alert | crit | err | warning | notice | info} console
  Mode: Global
  Description: Deletes the console output setting for the specified user-defined facility and priority.

Command: no syslog output priority {local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7} {emerg | alert | crit | err | warning | notice | info} local {volatile | non-volatile}
  Mode: Global
  Description: Deletes the local (system memory) output setting for the specified user-defined facility and priority.

Command: no syslog output priority {local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7} {emerg | alert | crit | err | warning | notice | info} remote A.B.C.D
  Mode: Global
  Description: Deletes the remote host output setting for the specified user-defined facility and priority.

7.3.2 Disabling Syslog

To disable the syslog, use the following command.

Command: no syslog
  Mode: Global
  Description: Disables the syslog.

Note: The syslog is enabled by default.

7.3.3 Displaying Syslog Message


To display the received syslog messages stored in the system memory, use the following commands.

Command: show syslog local {volatile | non-volatile} [NUMBER]
  Mode: Top
  Description: Shows the received syslog messages. volatile: messages that are removed after a restart. non-volatile: messages that are kept across a restart. NUMBER: shows only the last N messages.

Command: show syslog local {volatile | non-volatile} reverse
  Mode: Top
  Description: Shows the received syslog messages in reverse order.

Command: clear syslog local {volatile | non-volatile}
  Mode: Global
  Description: Removes the received syslog messages.

7.3.4 Displaying Syslog Configuration

To display the configuration of the syslog, use the following command.

Command: show syslog
  Mode: Top/Global
  Description: Shows the configuration of the syslog.

7.3.5 CPU Utilization Threshold

The V1624 sends a syslog message when the CPU utilization exceeds the configured threshold, and another when it falls back below the threshold. To configure the CPU utilization threshold, use the following command.

Command: threshold cpu <0-100>
  Mode: Global
  Description: Configures the CPU utilization threshold in %. Although the syntax accepts 0 to 100, the configurable range is 20% to 100%. (Default: 50%)

To view the configured CPU threshold, use the following command.

Command: show cpuload
  Mode: Top/Global
  Description: Shows the configured CPU utilization threshold and the average CPU utilization.

To limit the number of incoming packets handled by the CPU, use the following command. This bounds the load that traffic addressed to the switch itself can place on the CPU.

Command: set cpu packet limit <500-6000>
  Mode: Global
  Description: Specifies the number of incoming packets the CPU handles per second. (Default: 2000)

To display the configured CPU packet limit, use the following command.

Command: show cpu packet limit
  Mode: Top/Global/Bridge
  Description: Shows the configured number of incoming packets handled by the CPU per second.

The following is an example of configuring the CPU utilization threshold as 70% and checking it.

SWITCH(config)# threshold cpu 70
SWITCH(config)# show cpuload
---------------
Average CPU load
---------------
 5 sec: 3.95( 2.67) %
 1 min: 3.87( 2.67) %
10 min: 3.86( 2.67) %

CPU Load Threshold : 70
SWITCH(config)#

After this configuration, the following message is logged when the CPU utilization exceeds 70%.

Oct 18 17:37:24 [86] zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load

And the following message is logged when the CPU utilization drops back below 70%.

Oct 18 17:37:29 [39] zebra[80]: CPU Overload Cleared : Threshold [70] > CPU Load

In these messages, the number in [ ] after the timestamp (86 and 39 above) is the CPU load in % at the time the message was generated; the number in Threshold [ ] is the configured threshold.
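The following Python script is an added example, not part of this manual or of the switch software. It parses the two CPU overload messages shown above (together with a few constructed lines) into overload periods with their peak load, which is what a log collector on the remote syslog host needs in order to alert on sustained CPU pressure. The message layout, the process name zebra and the meaning of the bracketed numbers are taken from the lines above; the SAMPLE_LOG content and the consistency checks are assumptions of this example.

```python
"""Parse V1624 'CPU Overload' syslog lines into overload periods.

Added example, not the switch's own code. The message layout is taken from
the two lines shown in the manual; SAMPLE_LOG below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Oct 18 17:37:24 [86] zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load
# ^timestamp      ^load ^proc[pid]                                 ^threshold
_CPU_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \[(?P<load>\d+)\] "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: CPU Overload (?P<state>Warning|Cleared) : "
    r"Threshold \[(?P<thr>\d+)\] (?P<op>[<>]) CPU Load$"
)


@dataclass
class CpuEvent:
    timestamp: str
    load: int         # CPU load in % reported in the first [ ]
    threshold: int    # configured 'threshold cpu' value
    overloaded: bool  # True for Warning, False for Cleared


def parse_cpu_event(line: str) -> Optional[CpuEvent]:
    """Return the event in a line, or None if it is not a consistent CPU message."""
    m = _CPU_RE.match(line.strip())
    if not m:
        return None
    ev = CpuEvent(m["ts"], int(m["load"]), int(m["thr"]), m["state"] == "Warning")
    # The comparison sign must agree with the state, and the numbers with both;
    # a line where they disagree was mangled in transit or forged, so drop it.
    if (m["op"] == "<") != ev.overloaded:
        return None
    if ev.overloaded and ev.load <= ev.threshold:
        return None
    if not ev.overloaded and ev.load >= ev.threshold:
        return None
    return ev


def overload_periods(lines) -> List[Tuple[str, Optional[str], int]]:
    """Collapse Warning/Cleared pairs into (start, end, peak_load) tuples.

    end is None when the last Warning has not been cleared yet."""
    periods, start, peak = [], None, 0
    for line in lines:
        ev = parse_cpu_event(line)
        if ev is None:
            continue
        if ev.overloaded:
            if start is None:
                start, peak = ev.timestamp, ev.load
            else:
                peak = max(peak, ev.load)   # repeated warnings in one period
        elif start is not None:
            periods.append((start, ev.timestamp, peak))
            start = None
    if start is not None:
        periods.append((start, None, peak))
    return periods


# Constructed log excerpt: the two lines from the manual, an unrelated line,
# a line whose numbers contradict its text, and an overload that never clears.
SAMPLE_LOG = [
    "Oct 18 17:37:24 [86] zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load",
    "Oct 18 17:37:29 [39] zebra[80]: CPU Overload Cleared : Threshold [70] > CPU Load",
    "Oct 18 17:40:00 [12] zebra[80]: some other message",
    "Oct 18 17:45:00 [50] zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load",
    "Oct 18 18:02:10 [91] zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load",
    "Oct 18 18:02:15 [95] zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load",
]

if __name__ == "__main__":
    for start, end, peak in overload_periods(SAMPLE_LOG):
        print(f"overload from {start} to {end or 'now'}, peak {peak}%")
```

Feed the script the lines received from the switch on the remote syslog host; an open period (end is None) is the condition worth paging on, since the switch only reports the transition and not how long the overload lasts.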

7.3.6 Memory Usage Threshold

If a memory usage threshold is configured and the memory usage exceeds it, the excess is reported through a syslog message or an SNMP trap. To configure the memory usage threshold and check it, use the following commands.

Command: threshold memory VALUE
  Mode: Global
  Description: Configures the memory usage threshold. (Default: 30)

Command: show running-config
  Mode: Global
  Description: Checks the configured memory usage threshold.

The following is an example of configuring the memory usage threshold as 20 and checking the configuration.

SWITCH(config)# threshold memory 20
SWITCH(config)# show running-config
Building configuration...

Current configuration:
hostname SWITCH
!
inactivity-timer 3600
!
set login radius timeout 10
!
set login tacacs timeout 5
!
threshold memory 20
(Omitted)
SWITCH(config)#

7.3.7 Port Traffic Threshold

The V1624 sends a syslog message when the traffic on a port exceeds the configured threshold, and another when it falls back below it. To configure the port traffic threshold and check it, use the following commands.

Command: threshold port PORT <1-1000>
  Mode: Global
  Description: Configures the traffic threshold of the port in Mbps, from 1 Mbps to 1000 Mbps. (Default: 1000 Mbps)

Command: show port threshold
  Mode: Top/Global
  Description: Shows the configured port traffic thresholds.

The following is an example of configuring the traffic threshold of port 1 as 500 Mbps and checking it.

SWITCH(config)# threshold port 1 500

SWITCH(config)# show port threshold
Port 1  :  500 Mbps
Port 2  : 1000 Mbps
Port 3  : 1000 Mbps
Port 4  : 1000 Mbps
Port 5  : 1000 Mbps
Port 6  : 1000 Mbps
Port 7  : 1000 Mbps
Port 8  : 1000 Mbps
Port 9  : 1000 Mbps
Port 10 : 1000 Mbps
(omitted)
SWITCH(config)#

7.3.8 Configuring Threshold of System Temperature

If a system temperature threshold is configured, the system sends a syslog message when the temperature rises above the threshold or falls back below it. To configure the threshold, use the following command in Global Configuration mode.

Command: threshold temp <1-100>
  Mode: Global
  Description: Configures the system temperature threshold in degrees Celsius, from 1 to 100.

The highest and lowest thresholds can also be configured with the following command. The V1624 sends a syslog message or an SNMP trap when the switch temperature is above the high threshold or below the low threshold.

Command: threshold temp-major HIGH-VALUE LOW-VALUE
  Mode: Global
  Description: Configures the highest and lowest system temperature thresholds, between -30 and 70 degrees Celsius.

To view the configured temperature threshold, use the following command.

Command: show status temp
  Mode: Top/Global/Bridge
  Description: Shows the current switch temperature and the configured threshold.

The following is an example of configuring the temperature threshold as 45 degrees Celsius and checking it.

SWITCH(config)# threshold temp 45
SWITCH(config)# show status temp
Temperature 1:          62 C
Temperature threshold:  45 C
SWITCH(config)#

7.4 QoS and Packet Filtering

QoS (Quality of Service) gives priority to selected network traffic so that important traffic is not delayed or dropped when the network is overloaded. Traffic that is given priority can starve other traffic, so the configuration must be chosen with care. QoS can favour specific traffic either by giving it priority or by limiting the other traffic. Without QoS, packets are processed in arrival order (first in, first out), and under overload any packet, including the important ones, may be lost. With QoS, the processing order is reorganized according to the importance of the traffic, so the administrator can predict network performance in advance and manage bandwidth more effectively.

Advantages of QoS

Controlling Network Resources: Bandwidth, devices, IP addresses and so on can be controlled. For example, the administrator can limit the bandwidth used by FTP transfers and process important data first.

Efficient Use of Resources: After finding out what the network is used for, the most important traffic can be received first.

Customized Service: With QoS, a network service provider can supply differentiated service to its users.

Priority Processing of Important Data: QoS secures bandwidth and minimizes delay so that the most important data, such as voice, is processed first. The remaining data is processed in order of importance and then in arrival order.

Processing Various Types of Data: The V1600 series product family supports QoS, so various types of data can be processed on the network.

7.4.1 How to Operate QoS

There are two general ways to operate QoS in the V1624. The first is to apply a QoS policy to a rule configured by the user. The second is to give priority with the CoS (Class of Service) value defined in IEEE 802.1p in addition to the configured rule, and to make the packet processing policy in the QoS map apply to it.

Making QoS Policy: In order to classify traffic by the user's own criteria, make a rule for those criteria and apply a policy to it. The criteria available for classifying traffic are IP address, TCP/UDP, port number, protocol and so on.

Applying the Policy: After making the rule to classify packets, configure IP Precedence, DiffServ or CoS to give priority to the classified packets. The policy to apply is chosen from the following: permit acts on the packets that match the rule; deny drops the packets that match the rule (or, with no match, the packets that do not); mirror copies the classified traffic to the monitor port; redirect forwards the classified packets to a specific port.

Scheduling: To handle traffic overload, the processing order of the queues is configured with a scheduling algorithm. The V1624 supports the following algorithms.

Algorithm based on Priority: Processes more important data before the others. Since all data is processed strictly by priority, data with high priority is processed quickly, but data with low priority may be delayed and pile up.

Algorithm based on Ratio: Processes data according to a configured ratio, another way of transmitting packets in a Layer 2 switch. Instead of a fixed bandwidth per queue, the user configures the ratio of packet processing for each queue according to their needs.

7.4.2 Configuring QoS and Packet Filtering

The following are the steps to configure QoS in the V1624.
- Creating QoS Policy
- Configuring Additional Rules to QoS Policy
- Configuring Policy according to Packet Length
- Applying QoS Policy to Rule of Packet Filtering
- Checking the Policy of QoS and the Rule of Packet Filtering
- Configuring CoS and ToS
- Assigning CoS or ToS
- Configuring QoS map
- Configuring Scheduling Value
- Packet Counter
- Admin Access Rule
- NetBIOS Filtering

7.4.2.1 Creating QoS Policy

Before configuring a QoS policy, you need to configure the rule to which the policy is applied. To create a rule for traffic, use the following commands in Global Configuration mode. In the syntax below, SRC-IP-ADDRESS/M and DES-IP-ADDRESS/M denote an address with a prefix length, and the any that precedes the protocol keyword in the longer forms stands for the DiffServ/precedence/ToS field.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any}
  Mode: Global
  Description: Creates a rule for packets arriving on the port.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any}
  Mode: Global
  Description: Creates a rule for packets arriving on the ingress port and leaving through the egress port.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any} {ETHTYPE | arp | ip}
  Mode: Global
  Description: Creates a rule for incoming packets of a specific ethertype.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any} ip {SRC-IP-ADDRESS | SRC-IP-ADDRESS/M | any} [DES-IP-ADDRESS | DES-IP-ADDRESS/M | any]
  Mode: Global
  Description: Creates a rule for incoming packets with a specific source (and optionally destination) IP address.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any} ip {SRC-IP-ADDRESS | SRC-IP-ADDRESS/M | any} {DES-IP-ADDRESS | DES-IP-ADDRESS/M | any} {diffserv <0-63> | precedence <0-7> | tos <0-255> | any}
  Mode: Global
  Description: Creates a rule for incoming packets of a specific IP address that also carry the given DiffServ, precedence (CoS) or ToS value.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any} ip {SRC-IP-ADDRESS | SRC-IP-ADDRESS/M | any} {DES-IP-ADDRESS | DES-IP-ADDRESS/M | any} any {tcp | udp}
  Mode: Global
  Description: Applies the rule to the designated transport protocol.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any} ip {SRC-IP-ADDRESS | SRC-IP-ADDRESS/M | any} {DES-IP-ADDRESS | DES-IP-ADDRESS/M | any} any {tcp | udp} {SRC-PORT-NUMBER | any}
  Mode: Global
  Description: Applies the rule to the designated protocol and source port.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any} ip {SRC-IP-ADDRESS | SRC-IP-ADDRESS/M | any} {DES-IP-ADDRESS | DES-IP-ADDRESS/M | any} any {tcp | udp} {SRC-PORT-NUMBER | any} {DES-PORT-NUMBER | any}
  Mode: Global
  Description: Applies the rule to the designated protocol, source port and destination port.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any} ip {SRC-IP-ADDRESS | SRC-IP-ADDRESS/M | any} {DES-IP-ADDRESS | DES-IP-ADDRESS/M | any} any {tcp | udp} {SRC-PORT-NUMBER | any} {DES-PORT-NUMBER | any} {TCPFLAG | any}
  Mode: Global
  Description: Applies the rule to the designated protocol, ports and TCP flags.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any} ip {SRC-IP-ADDRESS | SRC-IP-ADDRESS/M | any} {DES-IP-ADDRESS | DES-IP-ADDRESS/M | any} any ip-proto <0-255>
  Mode: Global
  Description: Applies the rule to incoming packets with a specific value in the IP protocol field.

Command: rule NAME classify {low | medium | high} {INGRESS-PORT | any} {EGRESS-PORT | any} ip {SRC-IP-ADDRESS | SRC-IP-ADDRESS/M | any} {DES-IP-ADDRESS | DES-IP-ADDRESS/M | any} any icmp <0-255> <0-255>
  Mode: Global
  Description: Applies the rule to incoming packets with a specific ICMP type and code.

To configure a QoS policy for packets destined to the CPU, set the egress port to 0.

To remove a rule, use the following command in Global Configuration mode.

Command: no rule NAME
  Mode: Global
  Description: Removes the rule named NAME.

7.4.2.2 Configuring Additional Rules to QoS Policy

Layer 2 conditions can be added to a QoS policy. If the rule in the previous section was created without IP details, it is a Layer 2 only policy. To add Layer 2 conditions to a rule, use the following commands.

Command: rule NAME complement l2 {DST-MAC-ADDR | any}
  Mode: Global
  Description: Adds a destination MAC address condition.

Command: rule NAME complement l2 {DST-MAC-ADDR | any} {SRC-MAC-ADDR | any}
  Mode: Global
  Description: Adds destination and source MAC address conditions.

Command: rule NAME complement l2 {DST-MAC-ADDR | any} {SRC-MAC-ADDR | any} {<1-4094> | any}
  Mode: Global
  Description: Adds MAC address and VLAN ID conditions.

Command: rule NAME complement l2 {DST-MAC-ADDR | any} {SRC-MAC-ADDR | any} {<1-4094> | any} <0-7>
  Mode: Global
  Description: Adds MAC address, VLAN ID and 802.1p priority conditions.

DST-MAC-ADDR and SRC-MAC-ADDR can be entered in two ways:
1. Single MAC address: enter one MAC address, which is the typical case.
2. Multiple MAC addresses: use a MAC address mask in the form DST-MAC-ADDR/MASK or SRC-MAC-ADDR/MASK. The mask has the same form as a MAC address: put F in each hex digit that must be compared and 0 in each digit that is to be ignored, so a selection of particular addresses (not only a leading prefix) is possible. The following example classifies packets whose destination MAC address starts with 01:00:5E (the IPv4 multicast range):

SWITCH(config)# rule test complement l2 01:00:5E:00:00:00/FF:FF:FF:00:00:00
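The following Python module is an added example, not the switch's software, that models the classification semantics of the rule classify commands in 7.4.2.1 and the rule complement l2 command above: IP addresses given as a host or a /M prefix, TCP/UDP ports, MAC addresses with the F/0 mask just described, and the match / no match selection used by the policies. The packet records, the rule named mgmt-telnet and the assumption that the hardware matches exactly as the text states are this example's own; rule test and rule A are the ones from the manual.

```python
"""Model of V1624 rule classification (classify + complement l2).

Added example, not the switch's firmware. It applies the manual's matching
semantics in Python: IP addresses as host or /M prefix, ports, and MAC
addresses with an F/0 mask. The packets and rule 'mgmt-telnet' are constructed.
"""
import ipaddress
from typing import Callable, Dict, Optional

MAC_ALL = 0xFFFFFFFFFFFF


def parse_mac(text: str) -> int:
    """'01:00:5E:00:00:00' -> 48-bit integer (case-insensitive)."""
    parts = text.split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"bad MAC address: {text!r}")
    return int("".join(parts), 16)


def mac_matcher(spec: str) -> Callable[[str], bool]:
    """Predicate for DST-MAC-ADDR, DST-MAC-ADDR/MASK or any.

    In the mask, F digits are compared and 0 digits are ignored, so any
    combination of digits can be selected, not only a leading prefix."""
    if spec == "any":
        return lambda mac: True
    addr, _, mask = spec.partition("/")
    addr_v = parse_mac(addr)
    mask_v = parse_mac(mask) if mask else MAC_ALL
    return lambda mac: parse_mac(mac) & mask_v == addr_v & mask_v


def ip_matcher(spec: str) -> Callable[[str], bool]:
    """Predicate for SRC-IP-ADDRESS, SRC-IP-ADDRESS/M or any."""
    if spec == "any":
        return lambda ip: True
    net = ipaddress.ip_network(spec, strict=False)   # a bare host is a /32
    return lambda ip: ipaddress.ip_address(ip) in net


def port_matcher(spec: str) -> Callable[[int], bool]:
    """Predicate for SRC-PORT-NUMBER / DES-PORT-NUMBER or any."""
    if spec == "any":
        return lambda port: True
    wanted = int(spec)
    return lambda port: port == wanted


class Rule:
    """One 'rule NAME classify ...' (+ optional 'complement l2') with its policy."""

    def __init__(self, name: str, ingress: str = "any", src_ip: str = "any",
                 dst_ip: str = "any", proto: str = "any", src_port: str = "any",
                 dst_port: str = "any", dst_mac: str = "any", src_mac: str = "any",
                 selector: str = "match", policy: str = "permit"):
        self.name, self.ingress, self.proto = name, ingress, proto
        self.src_ip, self.dst_ip = ip_matcher(src_ip), ip_matcher(dst_ip)
        self.src_port, self.dst_port = port_matcher(src_port), port_matcher(dst_port)
        self.dst_mac, self.src_mac = mac_matcher(dst_mac), mac_matcher(src_mac)
        self.selector, self.policy = selector, policy   # "match"/"no match", "permit"/"deny"/...

    def classifies(self, pkt: Dict) -> bool:
        """True if the packet meets every condition of the rule."""
        return (
            (self.ingress == "any" or pkt["iport"] == int(self.ingress))
            and self.src_ip(pkt["src_ip"]) and self.dst_ip(pkt["dst_ip"])
            and (self.proto == "any" or pkt["proto"] == self.proto)
            and self.src_port(pkt.get("sport", 0)) and self.dst_port(pkt.get("dport", 0))
            and self.dst_mac(pkt["dst_mac"]) and self.src_mac(pkt["src_mac"])
        )

    def verdict(self, pkt: Dict) -> Optional[str]:
        """The policy if it applies ('match' on a hit, 'no match' on a miss), else None."""
        hit = self.classifies(pkt)
        return self.policy if (self.selector == "match") == hit else None


# Constructed packets: an IPv4 multicast frame, a telnet login from the
# management LAN, and a telnet attempt from elsewhere.
MCAST = dict(iport=1, src_mac="00:d0:cb:06:01:32", dst_mac="01:00:5e:7f:00:01",
             src_ip="192.0.2.10", dst_ip="239.255.0.1", proto="udp", sport=5000, dport=5000)
TELNET_MGMT = dict(iport=2, src_mac="00:02:a5:74:9b:17", dst_mac="00:d0:cb:00:00:01",
                   src_ip="192.0.2.5", dst_ip="192.0.2.1", proto="tcp", sport=40000, dport=23)
TELNET_OTHER = dict(TELNET_MGMT, iport=3, src_ip="198.51.100.7")

# rule test complement l2 01:00:5E:00:00:00/FF:FF:FF:00:00:00   (from the manual)
RULE_TEST = Rule("test", dst_mac="01:00:5E:00:00:00/FF:FF:FF:00:00:00")
# rule A classify low 1 ; rule A match deny                      (from 7.4.2.4)
RULE_A = Rule("A", ingress="1", selector="match", policy="deny")
# constructed: permit telnet only when it comes from 192.0.2.0/24
RULE_TELNET = Rule("mgmt-telnet", src_ip="192.0.2.0/24", proto="tcp", dst_port="23",
                   selector="match", policy="permit")
```

Running a candidate rule against a handful of representative packets like this, before typing it into the switch, is the cheapest way to catch an inverted match / no match or a mask that selects more than intended.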

7.4.2.3 Configuring Policy according to Packet Length

A policy can be configured according to the packet length, excluding the Ethernet header. This can be used to drop traffic that is recognizable by a fixed packet length, such as some worm or virus traffic. To configure a policy according to the packet length, use the following command.

Command: rule NAME complement l3 ip length <21-65535>
  Mode: Global
  Description: Adds an IP packet length condition to the rule.

7.4.2.4 Applying QoS Policy to Rule of Packet Filtering

A policy is applied to the rule that classifies packets. To apply a policy to a rule, use the following commands in Global Configuration mode.

Command: rule NAME match permit
  Mode: Global
  Description: Allows the packets that match the rule.

Command: rule NAME match copy-to-cpu
  Mode: Global
  Description: Sends a copy of the packets that match the rule to the CPU.

Command: rule NAME match bandwidth BANDWIDTH
  Mode: Global
  Description: Limits the bandwidth available to the packets that match the rule.

Command: rule NAME {match | no match} deny
  Mode: Global
  Description: Denies the packets that match the rule (match), or those that do not match it (no match).

Command: rule NAME {match | no match} redirect EGRESS-PORT
  Mode: Global
  Description: Forwards the matching (or non-matching) packets to another port.

Command: rule NAME {match | no match} mirror
  Mode: Global
  Description: Copies the matching (or non-matching) packets to the monitor port.

Command: rule NAME {match | no match} diffserv DIFFSERV
  Mode: Global
  Description: Sets the DSCP in the ToS field of the matching (or non-matching) packets.

Only one policy can be applied to a rule. To apply several policies to the same classification, create the same rule under a different name for each policy and apply one policy to each. The following is an example of applying a policy to a rule named A that drops all packets arriving on port 1.

SWITCH(config)# rule A classify low 1
SWITCH(config)# rule A match deny
SWITCH(config)#

To remove an applied policy, use the following commands in Global Configuration mode.

Command: no rule NAME match permit
  Mode: Global
  Description: Removes the permit policy from the rule.

Command: no rule NAME match copy-to-cpu
  Mode: Global
  Description: Removes the copy-to-cpu policy from the rule.

Command: no rule NAME match bandwidth
  Mode: Global
  Description: Removes the bandwidth limit from the rule.

Command: no rule NAME {match | no match} deny
  Mode: Global
  Description: Removes the deny policy for the matching (or non-matching) packets.

Command: no rule NAME {match | no match} redirect
  Mode: Global
  Description: Removes the redirect policy for the matching (or non-matching) packets.

Command: no rule NAME {match | no match} mirror
  Mode: Global
  Description: Removes the mirror policy for the matching (or non-matching) packets.

Command: no rule NAME {match | no match} diffserv
  Mode: Global
  Description: Removes the DSCP setting for the matching (or non-matching) packets.

7.4.2.5 Checking the Policy of QoS and the Rule of Packet Filtering

To check the rules and policies configured by the user, use the following command in Top or Global Configuration mode.

Command: show rule [NAME]
  Mode: Top/Global
  Description: Shows the configured rules and their policies.

The following is an example of checking the rule configured above.

SWITCH(config)# show rule
A(low)
  iport: 1
  match deny
SWITCH(config)#

7.4.2.6 Configuring CoS and ToS

To build a QoS map from user-configured rules, a level must first be assigned to each rule. CoS has 8 levels (0 to 7). The overwrite keyword decides whether the CoS level is used only inside the switch or is also written into the packet sent to the external network: with overwrite, the CoS level is applied to the packet for external communication; without it, the level applies only inside the switch. To assign a level to a configured rule, use the following commands in Global Configuration mode.

Command: rule NAME {match | no match} cos <0-7> [overwrite]
  Mode: Global
  Description: Assigns the CoS value to the packets that match the rule, or to those that do not match it.

Command: rule NAME {match | no match} cos same-as-tos [overwrite]
  Mode: Global
  Description: Sets the CoS value of the matching (or non-matching) packets to their IP ToS precedence.

Command: rule NAME {match | no match} tos <0-7>
  Mode: Global
  Description: Assigns the ToS (IP precedence) value to the matching (or non-matching) packets.

Command: rule NAME match tos same-as-cos
  Mode: Global
  Description: Sets the IP precedence of the matching packets to their CoS value.

To remove the level assigned to a rule, use the following commands in Global Configuration mode.

Command: no rule NAME {match | no match} cos
  Mode: Global
  Description: Removes the CoS value assigned to the matching or non-matching packets of the rule.

Command: no rule NAME {match | no match} tos
  Mode: Global
  Description: Removes the ToS value assigned to the matching or non-matching packets of the rule.

7.4.2.7 Assigning CoS or ToS

To assign a CoS value to the packets destined to the CPU, use the following command.

Command: qos cpu-cos <0-7>
  Mode: Global
  Description: Assigns the specified CoS to the packets coming to the CPU.

7.4.2.8 Configuring QoS map

After a CoS level has been given to each rule, the QoS map is built from those levels. The V1624 has 4 queues. To map the CoS levels to queues 0 to 3, use the following command in Global Configuration mode.

Command: qos map <0-7> <0-3>
  Mode: Global
  Description: Assigns the CoS value (0 to 7) to the queue (0 to 3). (Default: queue 0 contains CoS 0 to 7.) (Maximum: 4 queues)

The following is an example of giving CoS 0 to the rule named A and mapping CoS 0 to queue 3.

SWITCH(config)# rule A match cos 0
SWITCH(config)# qos map 0 3
SWITCH(config)#

To check the configured QoS map, use the following command in Top mode or Global Configuration mode.

Command: show qos
  Mode: Top/Global
  Description: Shows the configured QoS map.

The following is an example of checking the above configuration.

SWITCH(config)# show qos
------------------------------------------------
Queue  MaxPacket  MaxLatency(us)  CoS
------------------------------------------------
0      disabled   disabled        1,2,3,4,5,6,7
1      disabled   disabled
2      disabled   disabled
3      disabled   disabled        0
------------------------------------------------
SWITCH(config)#

7.4.2.9 Configuring Scheduling Value

To cope with traffic overload, each queue is given a certain share of the packet processing. The factors that decide this share are:
- Max-packet
- Max-latency

Max-packet decides how many packets are processed from a queue before the scheduler moves on to the next queue. For example, with Max-packet configured as 100, 100 packets are processed from the queue and then the next queue is served.

To configure how many packets can be processed from one queue at a time, use the following commands in Global Configuration mode.

Command: qos max-packet <0-3> <1-255>
  Mode: Global
  Description: Configures the number of packets processed from the queue before moving on to the next queue.

Command: qos max-packet <0-3> unlimited
  Mode: Global
  Description: Removes the configured Max-packet.

Max-latency prevents starvation of a low-priority queue while a high-priority queue is congested. A queue configured with a Max-latency time is given a chance to process its packets after that time, even if it would otherwise be starved.

Command: qos max-latency <0-3> <16-4080>
  Mode: Global
  Description: Configures Max-latency, between 16 and 4080 microseconds.

Command: qos max-latency <0-3> disable
  Mode: Global
  Description: Removes the configured waiting time.

To check the configured scheduling values, use the following command in Top mode or Global Configuration mode.

Command: show qos
  Mode: Top/Global
  Description: Shows the QoS map and the scheduling values.

The following is an example of configuring Max-packet as 100 and Max-latency as 16 for queue 0 and checking the result.

SWITCH(config)# qos max-latency 0 16
SWITCH(config)# qos max-packet 0 100
SWITCH(config)# show qos
------------------------------------------------
Queue  MaxPacket  MaxLatency(us)  CoS
------------------------------------------------
0      100        16              1,2,3,4,5,6,7
1      unlimited  disabled
2      unlimited  disabled
3      unlimited  disabled        0
------------------------------------------------
SWITCH(config)#
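The following Python simulation is an added example, not the switch's firmware, that shows how the two scheduling knobs above interact. The manual states what Max-packet and Max-latency do but not the exact hardware algorithm, so the model assumes strict priority between the four queues (queue 3 first), one packet sent per 16 microsecond slot, that Max-packet caps the consecutive packets sent from one queue before the scheduler moves to the next non-empty queue, and that a queue whose oldest packet has waited at least its Max-latency is served next regardless of priority. The backlogs and settings used in the calls are constructed.

```python
"""Simplified model of V1624 queue scheduling with Max-packet and Max-latency.

Added example, not the switch's firmware. Assumptions: strict priority
(queue 3 first), one packet per SLOT_US slot, Max-packet caps a queue's
consecutive burst, Max-latency forces service of a queue whose oldest
packet has waited at least that long. Queues not listed in the settings
are 'unlimited' / 'disable', as on the switch.
"""
from collections import deque
from typing import Dict, List, Optional

SLOT_US = 16   # assumed duration of one packet transmission


def schedule(backlog: Dict[int, int],
             max_packet: Optional[Dict[int, int]] = None,
             max_latency: Optional[Dict[int, int]] = None) -> List[int]:
    """Return the queue number served in each slot until every queue is empty.

    backlog: packets present in each queue at time 0 (constructed input)."""
    max_packet = max_packet or {}
    max_latency = max_latency or {}
    queues = {q: deque([0] * n) for q, n in backlog.items()}   # enqueue slot per packet
    order: List[int] = []
    slot, streak, last = 0, 0, None
    while any(queues.values()):
        choice = None
        # 1. starvation guard: check the lowest queues first, the higher ones win anyway
        for q in sorted(queues):
            limit = max_latency.get(q)
            if queues[q] and limit is not None and (slot - queues[q][0]) * SLOT_US >= limit:
                choice = q
                break
        # 2. strict priority, skipping the queue that has used up its Max-packet burst
        if choice is None:
            for q in sorted(queues, reverse=True):
                cap = max_packet.get(q)
                if queues[q] and not (q == last and cap is not None and streak >= cap):
                    choice = q
                    break
        if choice is None:          # only the capped queue has packets: start a new burst
            streak, last = 0, None
            continue
        queues[choice].popleft()
        order.append(choice)
        streak = streak + 1 if choice == last else 1
        last = choice
        slot += 1
    return order


def first_service_slot(order: List[int], queue: int) -> int:
    """Slots a queue waited before its first packet was sent (len(order) if never)."""
    return order.index(queue) if queue in order else len(order)


if __name__ == "__main__":
    backlog = {3: 6, 0: 2}
    print("strict priority  :", schedule(backlog))
    print("max-packet 3 -> 2:", schedule(backlog, max_packet={3: 2}))
    print("max-latency 0=48 :", schedule(backlog, max_latency={0: 48}))
```

With a pure priority scheduler, queue 0 waits until all six high-priority packets are gone; a Max-packet of 2 on queue 3 lets queue 0 in after every two packets, and a Max-latency of 48 us on queue 0 lets it in after three slots regardless of what queue 3 still holds. Use the model to pick values before touching a production switch; the numbers it produces are only as good as the assumptions listed above.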

7.4.2.10 Packet Counter

When packets defined in a QoS rule arrive, the QoS policy is applied. A packet the policy says to drop is discarded silently, with no notice or record. For an administrator it is better to know that such unnecessary or harmful packets are being sent. By assigning a Counter ID to a rule, you can see how many times packets matching that rule have arrived; several IDs can be assigned to one rule. Each time the QoS policy is applied, the count is recorded for the assigned Counter ID. Assigning a counter to a deny rule is also the simplest way to verify that the rule is actually matching traffic. To assign a Counter ID to a QoS rule, use the following commands.

Command: rule NAME match counter <0-31>
  Mode: Global
  Description: Assigns the Counter ID (0 to 31) to the QoS rule.

Command: no rule NAME match counter
  Mode: Global
  Description: Removes the Counter ID assigned to the rule.

To reset a counter, use the following command.

Command: clear counter <0-31>
  Mode: Global
  Description: Resets the counter.

7.4.2.11 Admin Access Rule

Blocking incoming telnet, FTP, ICMP and SNMP to the switch with the method described in 7.4.2.1 Creating QoS Policy and 7.4.2.2 Configuring Additional Rules to QoS Policy would take many rules and be complicated. To make this convenient, the V1624 supports a separate filtering function for packets addressed to the switch itself, applied before packets are forwarded to the devices connected to the switch.

To make a rule for blocking incoming telnet, FTP, ICMP or SNMP connections to the switch, use the following commands.

Command: admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any]
  Mode: Global
  Description: Makes a rule for blocking incoming Telnet, FTP, ICMP or SNMP connections to the switch, selected by source and destination IP address.

Command: admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any] <0-255>
  Mode: Global
  Description: Same, additionally selected by IP protocol number.

Command: admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any] icmp [<0-255> | any]
  Mode: Global
  Description: Same, additionally selected by ICMP type.

Command: admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any] tcp [SRC-PORT | any] [DES-PORT | any]
  Mode: Global
  Description: Same, additionally selected by TCP source and destination port.

Command: admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any] udp [SRC-PORT | any] [DES-PORT | any]
  Mode: Global
  Description: Same, additionally selected by UDP source and destination port.

The following table shows the commands used to apply a policy to a configured rule.

Command: admin-access-rule NAME match permit
  Mode: Global
  Description: Allows the packets that match the rule.

Command: admin-access-rule NAME no match permit
  Mode: Global
  Description: Allows the packets that do not match the rule.

Command: admin-access-rule NAME match deny
  Mode: Global
  Description: Denies the packets that match the rule.

Command: admin-access-rule NAME no match deny
  Mode: Global
  Description: Denies the packets that do not match the rule.

The following is an example of blocking all incoming telnet connections to the switch.

SWITCH(config)# admin-access-rule A classify high ip any any tcp any 23
SWITCH(config)# admin-access-rule A match deny
SWITCH(config)#

After this configuration, no telnet connection to the switch is possible, including from the administrator's own station, so make sure another management path (for example the console) is available before applying a rule like this. To view the configured rules for telnet, FTP, ICMP and SNMP access, use the following command in Top mode or Global Configuration mode.

Command: show admin-access-rule [NAME]
  Mode: Top/Global
  Description: Shows the policies and rules for telnet, FTP, ICMP and SNMP access to the switch.

The following is an example of viewing the above configuration.

SWITCH(config)# show admin-access-rule
A(high)
  ptype: IP
  protocol: TCP
  dstport 23
  match deny
SWITCH(config)#

The following table shows the commands used to remove a configured rule or the policy applied to a rule.

Command: no admin-access-rule NAME
  Mode: Global
  Description: Deletes the rule named NAME.

Command: no admin-access-rule NAME {match | no match} {permit | deny}
  Mode: Global
  Description: Removes the policy applied to the rule named NAME; the rule itself remains.

The following is an example of removing only the policy while keeping the configured rule.

SWITCH(config)# no admin-access-rule A match deny
SWITCH(config)# show admin-access-rule
A(high)
  ptype: IP
  protocol: TCP
  dstport 23
SWITCH(config)#

7.4.2.12 NetBIOS Filtering

NetBIOS is used in a LAN (Local Area Network) where computers share information with each other. However, when an ISP (Internet Service Provider) provides Internet access over a LAN to a specific area such as an apartment building, the customers' information must be kept private.

Fig. 7.1 Necessity of NetBIOS Filtering

In this case, without NetBIOS filtering, one customer's data may be exposed to the others even though it should be kept private. To protect the customers' information and prevent sharing between customer ports in such a case, NetBIOS filtering is necessary.

Command: set netbios-filter PORT
  Mode: Global
  Description: Enables NetBIOS filtering on the specified port.

Command: clear netbios-filter PORT
  Mode: Global
  Description: Disables NetBIOS filtering on the specified port.

Command: show netbios-filter
  Mode: Global
  Description: Shows the NetBIOS filtering configuration.

The following is an example of enabling NetBIOS filtering on ports 1 to 5 and checking it.

SWITCH(bridge)# set netbios-filter 1-5
SWITCH(bridge)# show netbios-filter
o:enable .:disable
--------------------------
         1         2
12345678901234567890123456
--------------------------
ooooo.....................
--------------------------
SWITCH(bridge)#

7.5 MAC Filtering

Frames can be filtered by their destination MAC address. Up to 4096 MAC addresses can be registered without noticeable performance degradation.

7.5.1 Configuring Default Policy of MAC Filtering

The default filtering policy of the system allows all packets on each port. The default policy can be changed to suit the user's needs. To configure the default policy for all packets and to check it, use the following commands in Bridge mode.

Command: set mac-filter default-policy {deny | permit} PORT
  Mode: Bridge
  Description: Configures the default MAC filtering policy on the specified port. (Default: permit)

Command: show mac-filter default-policy
  Mode: Top/Global/Bridge
  Description: Shows the default policy.

7.5.2 Adding Policy of MAC Filter

After configuring the default policy, you can add policies that block or allow packets from specific MAC addresses. To add such a policy, use the following command in Bridge mode. Note that a permit entry only has an effect once the port's default policy is deny; with the default permit policy an explicit permit changes nothing.

Command: set mac-filter add MAC-ADDRESS {deny | permit} VID PORT
  Mode: Bridge
  Description: Allows or blocks packets carrying the configured MAC address on the specified VLAN and port.

The variable MAC-ADDRESS consists of twelve hexadecimal digits, for example 00:d0:cb:06:01:32. Learned MAC addresses can be checked with the command show mac.

To check the configured MAC filter policies, use the following commands.

Command: show mac-filter
  Mode: Top/Global/Bridge
  Description: Shows the MAC filter policies.

Command: show mac-filter COUNT
  Mode: Top/Global/Bridge
  Description: Shows the first COUNT MAC filter policies.

Command: show mac-filter COUNT MACADDR
  Mode: Top/Global/Bridge
  Description: Shows up to COUNT filter policies concerning the specified MAC address.

The most recently added policy is recorded as number 1. The following is an example of permitting the MAC addresses 00:02:a5:74:9b:17 and 00:01:a7:70:01:d2 on port 3 of VLAN 1 and checking the filter policy table.

SWITCH(bridge)# set mac-filter add 00:02:a5:74:9b:17 permit 1 3

SWITCH(bridge)# set mac-filter add 00:01:a7:70:01:d2 permit 1 3
SWITCH(bridge)# show mac-filter
========================================================
 ID | MAC               | ACTION | VID | PORT
========================================================
  1 | 00:01:a7:70:01:d2 | PERMIT |   1 |    3
  2 | 00:02:a5:74:9b:17 | PERMIT |   1 |    3

The following is an example of viewing only one entry.

SWITCH(bridge)# show mac-filter 1
========================================================
 ID | MAC               | ACTION | VID | PORT
========================================================
  1 | 00:01:a7:70:01:d2 | PERMIT |   1 |    3
SWITCH(bridge)#

7.5.3 Deleting MAC Filtering Policy

To delete a MAC filtering policy, use the following command.

Command: set mac-filter del SOURCE-MACADDR
  Mode: Bridge
  Description: Deletes the filtering policy for the specified MAC address.

The following is an example of deleting the filtering policy for 00:02:a5:74:9b:17.

SWITCH(bridge)# set mac-filter del 00:02:a5:74:9b:17
SWITCH(bridge)#

To delete all MAC filtering policies, use the following command.

Command: clear mac-filter
  Mode: Bridge
  Description: Deletes all MAC filtering policies.

7.5.4 Listing of MAC Filtering Policy

When many MAC filtering policies have to be created at once, entering them one by one is laborious. In that case it is more convenient to save the policies in /etc/mfdb.conf and display the list from there. To display the list of MAC filtering policies in /etc/mfdb.conf, use the following command.

Command: set mac-filter list
  Mode: Bridge
  Description: Shows the list of MAC filtering policies in /etc/mfdb.conf.


7.6 Configuring Max Host

You can limit the number of users on each port by configuring a maximum number of users, also called Max Host. In this case, you need to count not only the PCs in the network but also devices such as switches. On the V1624, you have to lock the port, as for MAC filtering, before configuring Max Host. ISPs can use this configuration to arrange a billing plan for each user. To configure Max Host, use the following command.

Command                           Mode    Description
set max-hosts PORT MAX-MACNUMBER  Bridge  Limits the number of users by configuring Max Host.
clear max-hosts PORT              Bridge  Deletes the configured Max Host.

If Max host is configured as 0, no one can connect to the port.

The following is an example of allowing two MAC addresses on port 1, five addresses on ports 2 and 3, and ten addresses on port 4.

SWITCH(bridge)# set max-hosts 1 2
SWITCH(bridge)# set max-hosts 2 5
SWITCH(bridge)# set max-hosts 3 5
SWITCH(bridge)# set max-hosts 4 10
SWITCH(bridge)#

To check the configured Max Host, use the following command.

Command         Mode               Description
show max-hosts  Top/Global/Bridge  Shows the configured Max Host.

The following is an example of viewing the configured max hosts.

SWITCH(bridge)# show max-hosts
port 1 : 0/2 (current/max)
port 2 : 0/5 (current/max)
port 3 : 0/5 (current/max)
port 4 : 0/10 (current/max)
port 5 : 0/Unlimited (current/max)
port 6 : 0/Unlimited (current/max)
port 7 : 0/Unlimited (current/max)
port 8 : 0/Unlimited (current/max)
port 9 : 0/Unlimited (current/max)
port 10 : 0/Unlimited (current/max)
port 11 : 0/Unlimited (current/max)
port 12 : 0/Unlimited (current/max)
port 13 : 52/Unlimited (current/max)
(omitted)
SWITCH(bridge)#


7.7 Managing MAC Table

There are two types of addresses registered in the MAC table: dynamic addresses and static addresses. A dynamic address is deleted when it is not used for a while after the switch registers it in the MAC table. A static address is configured by the user and remains even after rebooting. To register a static address in the MAC table, use the following command in Bridge configuration mode.

Command                      Mode               Description
set mac BRIDGE PORT MACADDR  Bridge             Registers a static address in the MAC table with the MAC address, bridge name and port number.
show mac BRIDGE [PORT]       Top/Global/Bridge  Shows the MAC addresses the user configured.

The following is an example of registering MAC address 00:01:02:9a:61:17 in the MAC table of port 13 of br1.

SWITCH(bridge)# set mac 1 00:01:02:9a:61:17
SWITCH(bridge)#

The following is an example of showing the destination MAC address, the specified port number, VLAN ID, and the time registered in the table.

SWITCH(bridge)# show mac br1 1
port (id)  mac addr           permission  in use
eth01(01)  00:01:02:9a:61:1a  static      0.00
eth01(01)  00:d0:cb:0a:00:77  OK          5.88
eth01(01)  00:02:78:e0:7d:cf  OK          6.15
eth01(01)  00:d0:59:58:45:3b  OK          6.83
eth01(01)  00:02:78:e0:7d:d6  OK          6.99
eth01(01)  00:d0:59:38:88:4c  OK          7.27
eth01(01)  00:01:e6:25:43:5b  OK          7.53
eth01(01)  00:c0:26:72:7d:7a  OK          8.52
(omitted)
SWITCH(bridge)#

To delete a static MAC address from the MAC table, use the following command.

Command                        Mode    Description
clear mac BRIDGE PORT MACADDR  Bridge  Deletes the specified static MAC address from the port.
clear mac BRIDGE PORT static   Bridge  Deletes static MAC addresses from the port.
clear mac BRIDGE PORT dynamic  Bridge  Deletes dynamic MAC addresses from the port.
clear mac BRIDGE PORT all      Bridge  Deletes all MAC addresses from the port.


7.8 Address Resolution Protocol (ARP)

Devices connected to an IP network have two addresses, a LAN address and a network address. The LAN address is sometimes called a data link address because it is used at Layer 2, but it is more commonly known as a MAC address. A switch on Ethernet needs a 48-bit MAC address to transmit packets. The process of finding the proper MAC address for an IP address is called address resolution; the reverse, finding the proper IP address for a MAC address, is called reverse address resolution. Switches and DSLAMs find MAC addresses for IP addresses through the Address Resolution Protocol (ARP). ARP saves these addresses in the ARP table for quick lookup. Referring to the IP addresses in the ARP table, packets containing the IP address are transmitted to the network. When configuring the ARP table, it is possible to do so only on some specific interfaces. ARP packets are classified as Request packets and Reply packets. Request packets are transmitted to all nodes on the same Ethernet and are not forwarded to the router. A Reply packet is how the node targeted by a Request packet reports its MAC address.

7.8.1 ARP Table

7.8.1.1 Registering ARP Table

The contents of the ARP table are recorded automatically when the MAC address corresponding to an IP address is found. The network manager can also register the MAC address of a particular IP address in the ARP table by hand. To bind a particular IP address to a MAC address, use the following command.

Command                          Mode    Description
arp A.B.C.D MACADDR [INTERFACE]  Global  Registers an IP address and MAC address in the ARP table. A particular interface can be designated.
no arp A.B.C.D [INTERFACE]       Global  Deletes the IP address and MAC address.
clear arp                        Global  Deletes all contents of the ARP table.

7.8.1.2 Configuring ARP Ageing Timer

A host that uses ARP should save the mapping between recently processed IP addresses and MAC addresses in a table so that it does not need to use ARP repeatedly. This avoids wasting bandwidth on unnecessary packets for the same lookup. However, because the number of entries is limited, the table will eventually fill up. To prevent overload of the ARP table, the V1624 is configured to delete registered entries after a certain amount of time. The user can configure the ageing time of the entries registered in the ARP table.


To configure the ageing time, use the following command.

Command                                    Mode    Description
arp-ageing-timer {11-min | 8-min | 4-min}  Global  Configures the ARP ageing timer. (Default: 11 minutes)
clear arp-ageing-timer                     Global  Deletes IP address and MAC address.

To check the ARP ageing timer, use the following command.

Command                Mode        Description
show arp-ageing-timer  Top/Global  Shows the ARP ageing timer.

7.8.1.3 Displaying ARP Table

To check the registered ARP table, use the following command.

Command            Mode        Description
show arp [BRIDGE]  Top/Global  Shows the ARP table.

The following is an example of registering IP address 10.1.1.1 with MAC address 00:d0:cb:00:00:01.

SWITCH(config)# arp 10.1.1.1 00:d0:cb:00:00:01

The following command displays the ARP table.

SWITCH(config)# show arp
Address       HWtype  HWaddress          Flags Mask  Iface
172.16.1.254  ether   00:D0:CB:06:01:32  C           br1

7.8.2 ARP-Alias

Although clients are connected to the same client switch, it may be impossible for them to communicate with each other for privacy and security reasons. When you need them to communicate, the V1624 supports ARP-Alias, which responds to ARP requests from the client network through the concentrating switch. To register the address range of the client network in ARP-Alias, use the following command.

Command                                        Mode    Description
arp-alias START-IP-ADDR END-IP-ADDR [MACADDR]  Global  Registers an IP address range and MAC address in ARP-Alias so that the user's equipment responds to ARP requests.
no arp-alias START-IP-ADDR END-IP-ADDR         Global  Deletes the registered IP address range of ARP-Alias.
clear arp-alias                                Global  Deletes all ARP-Alias entries.

Unless you input a MAC address, the MAC address of the user's equipment will be used for the ARP response.


To display ARP-Alias, use the following command.

Command         Mode        Description
show arp-alias  Top/Global  Shows the registered ARP-Alias.

7.8.3 ARP Inspection

ARP provides IP communication by mapping an IP address to a MAC address. However, a malicious user can poison the ARP caches of systems and intercept the traffic intended for other hosts on the subnet. For example, Host B broadcasts a message to all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. If Host C responds with the IP address of Host A (or B) and the MAC address of Host C, Host A and Host B will use Host C's MAC address as the destination MAC address for traffic intended for each other. ARP Inspection is a security feature that validates ARP packets in a network. It discards ARP packets with invalid IP-MAC address bindings. To activate/deactivate the ARP inspection function in the system, use the following command.

Command                          Mode    Description
ip arp inspection vlan VLANS     Global  Activates ARP inspection on the specified VLAN. VLANS: VLAN ID (1-4094)
no ip arp inspection vlan VLANS  Global  Deactivates ARP inspection on the specified VLAN.

7.8.3.1 ARP Access List

You can exclude a given range of IP addresses from ARP inspection using ARP access lists. ARP access lists are created with the arp access-list command in Global Configuration mode. An ARP access list permits or denies the ARP packets of a given range of IP addresses. To create/delete an ARP access list (ACL), use the following command.

Command                  Mode    Description
arp access-list NAME     Global  Opens ARP ACL configuration mode and creates an ARP access list. NAME: ARP access list name
no arp access-list NAME  Global  Deletes an ARP access list.

After opening ARP Access List Configuration mode, the prompt changes from SWITCH(config)# to SWITCH(config-arp-acl[NAME])#. In ARP ACL Configuration mode, a range of IP addresses can be configured to which ARP inspection applies.

By default, an ARP Access List discards the ARP packets of all IP addresses and MAC addresses.


To specify the range of IP addresses whose ARP packets are forwarded, use the following command.

Command                                          Mode     Description
permit ip any mac {any | host MACADDR}           ARP-ACL  Permits ARP packets of all IP addresses with all MAC addresses not learned before on the ARP inspection table, or with a specific MAC address. any: ignores sender MAC address; host: sender host; MACADDR: sender MAC address
permit ip host A.B.C.D mac {any | host MACADDR}  ARP-ACL  Permits ARP packets from a specific host. MACADDR: MAC address
permit ip range A.B.C.D A.B.C.D mac any          ARP-ACL  Permits ARP packets of a given range of IP addresses. A.B.C.D: start/end IP address of sender
permit ip A.B.C.D/M mac {any | host MACADDR}     ARP-ACL  Permits ARP packets of a sender IP network address. A.B.C.D/M: sender IP network address

To delete a configured range of IP addresses permitted to send ARP packets, use the following command.

Command                                             Mode     Description
no permit ip any mac {any | host MACADDR}           ARP-ACL  Deletes a configured range of IP addresses permitted to send ARP packets. any: ignores sender MAC address; host: sender host; MACADDR: sender MAC address; A.B.C.D: start/end IP address of sender; A.B.C.D/M: sender IP network address
no permit ip host A.B.C.D mac {any | host MACADDR}  ARP-ACL
no permit ip range A.B.C.D A.B.C.D mac any          ARP-ACL
no permit ip A.B.C.D/M mac {any | host MACADDR}     ARP-ACL

With the following command, the ARP access list also refers to the DHCP snooping binding table to permit ARP packets for DHCP users. This reference lets the system permit ARP packets only for the IP addresses in the DHCP snooping binding table, so the ARP access list with DHCP snooping allows IP communication for users authorized by DHCP snooping. To permit/discard ARP packets for the users authorized by DHCP snooping, use the following command.

Command                          Mode     Description
permit dhcp-snoop-inspection     ARP-ACL  Permits ARP packets of users authorized by DHCP snooping.
no permit dhcp-snoop-inspection  ARP-ACL  Discards ARP packets of users authorized by DHCP snooping.


To display the configured ARP access lists, use the following command.

Command                      Mode    Description
show arp access-list [NAME]  Global  Displays existing ARP access list names.

7.8.3.2 Enabling ARP Inspection Filtering

To enable/disable ARP inspection filtering of a certain range of IP addresses from an ARP access list, use the following command.

Command                                      Mode    Description
ip arp inspection filter NAME vlan VLANS     Global  Enables ARP inspection filtering with a configured ARP access list on the specified VLAN. NAME: ARP access list name
no ip arp inspection filter NAME vlan VLANS  Global  Disables ARP inspection filtering with a configured ARP access list on the specified VLAN.

Note: ARP inspection actually runs in the system only after the configured ARP access list is applied to a specific VLAN with the ip arp inspection filter command.

7.8.3.3 ARP Address Validation

The V1624 also provides the ARP validation feature. Regardless of the static ARP table, ARP validation discards ARP packets in the following cases:
- The sender MAC address of the ARP packet does not match the source MAC address of the Ethernet header.
- The target MAC address of an ARP reply packet does not match the destination MAC address of the Ethernet header.
- The sender IP address or target IP address of the ARP packet is 0.0.0.0, 255.255.255.255, or a multicast IP address.

To enable/disable ARP validation, use the following command.

Command                                                 Mode    Description
ip arp inspection validate {src-mac | dst-mac | ip}     Global  Enables ARP validation with the following options. src-mac: source MAC address; dst-mac: destination MAC address; ip: source/destination IP address
no ip arp inspection validate {src-mac | dst-mac | ip}  Global  Disables ARP validation.

The src-mac, dst-mac, and ip options can be configured together.


7.8.3.4 ARP Inspection on Trust Port

ARP inspection defines two trust states, trusted and untrusted. Incoming packets on trusted ports bypass the ARP inspection process, while those on untrusted ports go through it. Normally, the ports connected to subscribers are configured as untrusted, while the ports connected to the upper network are configured as trusted. To set the trust state of a port for ARP inspection, use the following command.

Command                                Mode    Description
ip arp inspection trust port PORTS     Global  Sets the trust state of a port to trusted. PORTS: port number
no ip arp inspection trust port PORTS  Global  Sets the trust state of a port to untrusted. PORTS: port number

To display the configured trust ports of ARP inspection, use the following command.

Command                                    Mode        Description
show ip arp inspection trust port all      Top/Global  Shows the configured trust ports of ARP inspection.
show ip arp inspection trust [port PORTS]  Top/Global
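As an added illustration (not Dasan code), the following Python model ties together the ARP ACL permit forms of 7.8.3.1, the three address-validation rules of 7.8.3.3, the trust-port bypass of 7.8.3.4 and the log-buffer of 7.8.3.5, run over constructed frames. The frame and ACL classes, the port and VLAN numbers, and the log-buffer dropping its oldest entry when full are assumptions of the example.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field

@dataclass
class ArpFrame:
    """One ARP packet with its Ethernet header and ingress port/VLAN (constructed)."""
    eth_src: str      # Ethernet source MAC
    eth_dst: str      # Ethernet destination MAC
    op: str           # "request" or "reply"
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address
    target_mac: str   # ARP target hardware address
    target_ip: str    # ARP target protocol address
    port: int         # ingress port number
    vlan: int         # ingress VLAN ID

@dataclass
class ArpAcl:
    """ARP access list of 'permit ip ... mac ...' entries; anything unmatched is denied."""
    name: str
    entries: list = field(default_factory=list)   # (kind, spec, mac) tuples

    def permit_host(self, ip, mac="any"):        # permit ip host A.B.C.D mac {any | host MACADDR}
        self.entries.append(("host", ipaddress.ip_address(ip), mac.lower()))

    def permit_range(self, start, end):          # permit ip range A.B.C.D A.B.C.D mac any
        self.entries.append(("range", (ipaddress.ip_address(start), ipaddress.ip_address(end)), "any"))

    def permit_network(self, cidr, mac="any"):   # permit ip A.B.C.D/M mac {any | host MACADDR}
        self.entries.append(("network", ipaddress.ip_network(cidr, strict=False), mac.lower()))

    def permits(self, sender_ip, sender_mac):
        """True only if an entry matches the sender IP and, when pinned, the sender MAC."""
        ip = ipaddress.ip_address(sender_ip)
        for kind, spec, mac in self.entries:
            if mac != "any" and mac != sender_mac.lower():
                continue
            if ((kind == "host" and ip == spec) or (kind == "range" and spec[0] <= ip <= spec[1])
                    or (kind == "network" and ip in spec)):
                return True
        return False

def invalid_ip(ip):
    """Sender/target addresses that the 'ip' validation option rejects."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast

class ArpInspector:
    """Inspects the VLANs present in acl_by_vlan; frames on other VLANs pass untouched."""

    def __init__(self, acl_by_vlan, trusted_ports=(), validate=("src-mac", "dst-mac", "ip"), log_entries=32):
        self.acl_by_vlan = acl_by_vlan
        self.trusted = set(trusted_ports)
        self.validate = set(validate)
        # log-buffer of (port, vlan, sender IP, sender MAC, reason); the oldest entry is
        # dropped once log_entries is reached (assumption of this model)
        self.log = deque(maxlen=log_entries)

    def _discard(self, f, reason):
        self.log.append((f.port, f.vlan, f.sender_ip, f.sender_mac, reason))
        return False, reason

    def inspect(self, f):
        """Return (forwarded, reason) for one frame, applying the page's checks in order."""
        if f.vlan not in self.acl_by_vlan:
            return True, "inspection not enabled on VLAN"
        if f.port in self.trusted:
            return True, "trusted port"
        if "src-mac" in self.validate and f.sender_mac.lower() != f.eth_src.lower():
            return self._discard(f, "sender MAC != Ethernet source MAC")
        if "dst-mac" in self.validate and f.op == "reply" and f.target_mac.lower() != f.eth_dst.lower():
            return self._discard(f, "target MAC != Ethernet destination MAC")
        if "ip" in self.validate and (invalid_ip(f.sender_ip) or invalid_ip(f.target_ip)):
            return self._discard(f, "invalid sender/target IP")
        if not self.acl_by_vlan[f.vlan].permits(f.sender_ip, f.sender_mac):
            return self._discard(f, "no ARP ACL permit for sender")
        return True, "permitted"

def demo():
    """Constructed frames: a valid request, two spoof attempts, a trusted-port bypass, an uninspected VLAN."""
    acl = ArpAcl("subscribers")
    acl.permit_host("10.1.1.10", "00:11:22:33:44:55")   # one pinned subscriber
    acl.permit_range("10.1.1.100", "10.1.1.199")        # an address pool with any MAC
    insp = ArpInspector({1: acl}, trusted_ports=[24])   # port 24 faces the upper network
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    mac, victim = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"
    frames = [
        ArpFrame(mac, bcast, "request", mac, "10.1.1.10", zero, "10.1.1.1", 3, 1),
        # claims the gateway address 10.1.1.1: headers are consistent, but no ACL entry permits it
        ArpFrame(mac, victim, "reply", mac, "10.1.1.1", victim, "10.1.1.150", 3, 1),
        # permitted pool address, but the ARP sender MAC disagrees with the Ethernet source MAC
        ArpFrame("00:de:ad:be:ef:01", bcast, "request", mac, "10.1.1.150", zero, "10.1.1.1", 5, 1),
        ArpFrame(mac, victim, "reply", mac, "10.1.1.1", victim, "10.1.1.150", 24, 1),  # same claim, trusted uplink
        ArpFrame(mac, bcast, "request", mac, "0.0.0.0", zero, "10.1.1.1", 3, 2),       # VLAN 2 is not inspected
    ]
    return [insp.inspect(f) for f in frames], insp
```

The second frame shows why address validation alone is not enough: its Ethernet and ARP headers agree, and only the ACL (or, in practice, the DHCP snooping binding table) rejects the forged gateway binding.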

7.8.3.5 ARP Inspection Log-buffer

The log-buffer function shows the list of subscribers who have used invalid fixed IP addresses. It saves the information of users whose packets are discarded by ARP inspection and generates periodic syslog messages. The log-buffer function is enabled automatically with ARP inspection. If the V1624 receives ARP packets that are invalid or denied by ARP inspection, it creates a table of entries that include the port number, VLAN ID, source IP address, source MAC address and time. In addition, you can specify the maximum number of entries. After an entry is displayed as a syslog message, it is removed, in the order in which the entries appear in the list. To configure the options of the log-buffer function, use the following command.

Command                                                        Mode    Description
ip arp inspection log-buffer entries <0-1024>                  Global  Specifies the number of entries in the log-buffer. 0-1024: the max. number of entries (default: 32)
ip arp inspection log-buffer logs <0-1024> interval <0-86400>  Global  Sets the interval for displaying syslog messages of entries. 0-1024: the number of syslog messages per specified interval (default: 5); 0-86400: interval value in seconds (default: 1 sec)


To delete the configured options of the log-buffer function, use the following command.

Command                                           Mode    Description
no ip arp inspection log-buffer {entries | logs}  Global  Deletes the configured options of the log-buffer function.

To display the configured log-buffer function and entry information, use the following command.

Command                     Mode        Description
show ip arp inspection log  Top/Global  Displays the configured log-buffer function.

To clear all collected entries in the list, use the following command.

Command                      Mode    Description
clear ip arp inspection log  Global  Clears all collected entries in the log-buffer list.

7.8.3.6 Displaying ARP Inspection

To display the status of ARP inspection, use the following command.

Command                                          Mode        Description
show ip arp inspection vlan                      Top/Global  Shows the status of ARP inspection.
show ip arp inspection vlan {VLANS | all}        Top/Global
show ip arp inspection statistics {VLANS | all}  Top/Global  Shows collected statistics of ARP inspection.

To clear collected statistics of ARP inspection, use the following command.

Command                                                Mode    Description
clear ip arp inspection statistics vlan {VLANS | all}  Global  Clears collected statistics of ARP inspection.

7.8.4 Proxy-ARP

The V1624 has a Proxy-ARP function, which responds to ARP requests on behalf of another device. For example, Host A has IP address 172.16.10.100 and its subnet mask is set to /16, so it considers itself connected to network 172.16.0.0. When Host A needs to send a packet to Host D, Host A sends an ARP request, assuming that Host D is on the same network. Since the ARP request is broadcast, it reaches not Host D but the br1 interface and the nodes belonging to subnet A. However, the V1624 knows that Host D belongs to another subnet and is able to forward packets to Host D. Therefore, it responds to the ARP request from Host A with its own MAC address. In this way, all ARP requests from subnet A to subnet B are answered with the MAC address of the V1624, and the packets that Host A sends to Host D are forwarded through the V1624. To enable the proxy-ARP function, open Interface mode of the applicable interface and use the following command.

Command          Mode       Description
ip proxy-arp     Interface  Enables the proxy-ARP function for the applicable interface.
no ip proxy-arp  Interface  Disables the proxy-ARP function for the applicable interface.

7.8.5 Gratuitous ARP

By broadcasting Gratuitous ARP containing the IP address and MAC address of the gateway, communication continues even if the IP address of the gateway has been assigned to a particular host. Configure the transmission rate and transmission count of Gratuitous ARP with the following command. To transmit Gratuitous ARP after an ARP reply, also configure the starting time of transmission (delivery-start): Gratuitous ARP is transmitted once that amount of time has passed after the ARP reply.

Command                           Mode    Description
arp-patrol INTERVAL COUNT [TIME]  Global  Configures Gratuitous ARP.
clear arp-patrol                  Global  Disables Gratuitous ARP.
show running-config               Global  Checks the Gratuitous ARP configuration.

The following is an example of configuring Gratuitous ARP with a transmission rate of 10 sec and a transmission count of 4, and checking it.

SWITCH(config)# arp-patrol 10 4
SWITCH(config)# show running-config
Building configuration...
Current configuration:
hostname SWITCH
(Omitted)
arp-patrol 10 4
!
no snmp
!
SWITCH(config)#


7.9 ICMP

ICMP stands for Internet Control Message Protocol. When it is impossible to transmit data or to configure a route for data, ICMP sends an error message about it to the host. The first 4 bytes of all ICMP messages are the same, but the remaining parts differ according to the type field value and code field value. There are fifteen type field values to distinguish the different ICMP messages, and the code field value distinguishes each type in more detail. The following shows the basic ICMP message layout.

 0            7 8            15 16                          31
 +--------------+---------------+------------------------------+
 |  8-bit type  |  8-bit code   |       16-bit checksum        |
 +--------------+---------------+------------------------------+
 |            (contents depend on type and code)               |
 +-------------------------------------------------------------+

Fig. 7.2 ICMP Message

The following table explains the fifteen values of the ICMP message type.

type  Explanation               type  Explanation
0     echo reply                12    parameter problem
3     destination unreachable   13    timestamp request
4     source quench             14    timestamp reply
5     redirect                  15    information request
8     echo request              16    information reply
9     router advertisement      17    address mask request
10    router solicitation       18    address mask reply
11    time exceeded

Tab. 7.1 ICMP message type

It is possible to control ICMP messages through user configuration. You can configure the device not to send echo reply messages to a partner who is pinging it, and the interval at which ICMP messages are transmitted. You can configure the following to control ICMP messages:
- Blocking Echo Reply Message
- Configuring Interval to Transmit ICMP Message

7.9.1 Blocking Echo Reply Message

It is possible to configure the device not to send an echo reply message to a partner who is pinging it.


To block echo reply messages, use the following commands.

Command                           Mode    Description
ip icmp echo ignore all           Global  Blocks echo reply messages to all partners pinging the device.
ip icmp echo ignore broadcast     Global  Blocks echo reply messages to partners sending broadcast pings to the device.
no ip icmp echo ignore all        Global  Releases blocked echo reply messages to all partners pinging the device.
no ip icmp echo ignore broadcast  Global  Releases blocked echo reply messages to partners sending broadcast pings to the device.

7.9.2 Configuring Interval to Transmit ICMP Message

It is possible to configure the interval at which ICMP messages are transmitted. After you configure the interval, an ICMP message will not be sent until the configured time, counted from the last message, has passed. For example, if you configure the interval as 1 second, no ICMP message will be sent within 1 second after the last message has been sent. To configure the interval for transmitting ICMP messages, use the following commands.

Command                                 Mode    Description
ip icmp interval dest-unreach INTERVAL  Global  Configures the interval for transmitting ICMP destination unreachable messages. (Default: 100ms)
ip icmp interval echo-reply INTERVAL    Global  Configures the interval for transmitting ICMP echo reply messages. (Default: 0ms)
ip icmp interval param-prob INTERVAL    Global  Configures the interval for transmitting ICMP parameter problem messages. (Default: 100ms)
ip icmp interval time-exceed INTERVAL   Global  Configures the interval for transmitting ICMP time exceeded messages. (Default: 1ms)

When you configure the interval as 0, ICMP messages will keep being sent all the time regardless of timing.

To delete the interval for generating ICMP messages, use the following command.

Command                                Mode    Description
ip icmp interval dest-unreach disable  Global  Configures the device not to send destination unreachable messages.
ip icmp interval echo-reply disable    Global  Configures the device not to send echo reply messages.
ip icmp interval param-prob disable    Global  Configures the device not to send parameter problem messages.
ip icmp interval time-exceed disable   Global  Configures the device not to send time exceeded messages.


The following is an example of blocking echo reply messages to all partners pinging the device.

SWITCH(config)# ip icmp ignore echo all
SWITCH(config)# show running-config
Building configuration...
(omitted)
ip icmp ignore echo all
!
ip route 0.0.0.0/0 172.16.254.1
!
!
no snmp
!
SWITCH(config)#

The following is an example of configuring the interval for transmitting destination unreachable messages as 10 seconds.

SWITCH(config)# ip icmp interval dest-unreach 1000
SWITCH(config)# show running-config
Building configuration...
(omitted)
ip icmp interval dest-unreach 1000
!
ip route 0.0.0.0/0 172.16.254.1
!
no snmp
!
SWITCH(config)#


7.10 Link Layer Carrier Forward (LLCF)

[Fig. 7.3: a router connected through two V1624 switches to a second router; the link at A fails, but the far router keeps transmitting unnecessary packets, regardless of the disconnected link]

Fig. 7.3 Link Layer Carrier Forward Process

When the V1624 connects the router to the other devices and the link between A and B goes down, the link between B and C becomes unnecessary for their connection. However, link D does not know about the link failure between A and B, so D does not stop sending unnecessary packets to C. To prevent this problem, the LLCF function can be used when different switches are connected by two ports. If the link of one port goes down, the other link is brought down as well. When it is reconnected, the other link is brought up again afterwards. This function is called Link Layer Carrier Forward. To enable/disable the LLCF function, use the following command.

Command                    Mode    Description
set port llcf PORTS PORTS  Global  Enables the LLCF function between two ports.
clear port llcf            Global  Disables the LLCF function.

When a link is reconnected, it might take some time to recover. If the link is recognized as down until it is recovered, the link would never be recovered. To solve this problem, the V1624 is configured to examine the link status of the partner port only after some time has passed.


To specify the interval for checking the link status of the other port, use the following command.

Command                           Mode    Description
set port llcf timer <1000-10000>  Global  Configures the time interval for checking the link status of the partner port.
clear port llcf timer             Global  Deletes the configured interval for checking the link status of the partner port.

The default timer value of the V1624 is 2500ms (2.5 sec). The unit is the millisecond (ms).

To display all configurations of the LLCF function, use the following command.

Command         Mode    Description
show port llcf  Global  Shows the configured status of the LLCF function.

7.11 TCP Flag Control

The TCP (Transmission Control Protocol) header includes six flags: URG, ACK, PSH, RST, SYN, and FIN. On the V1624, you can configure RST and SYN as described below.

7.11.1 RST Configuration

RST sends a message that the TCP connection cannot be made to whoever tries to make it. However, it is also possible to configure the device not to send this message. This helps prevent attackers from discovering which connections are not possible. To configure the device to ignore the message that informs that the TCP connection cannot be made, use the following command.

Command                       Mode    Description
ip tcp ignore rst-unknown     Global  Configures the device to ignore the message that informs that the TCP connection cannot be made.
no ip tcp ignore rst-unknown  Global  Enables RST. (Default)

7.11.2 SYN Configuration

SYN sets up a TCP connection. The V1624 transmits cookies with SYN to whoever tries to make a TCP connection, and only when the transmitted cookies are returned is the TCP connection permitted. This function prevents connection overcrowding caused by connected users who are not using the service, and helps the other users use the service.

To permit a connection only when the transmitted cookies are returned after sending cookies with SYN, use the following command.

Command               Mode    Description
ip tcp syncookies     Global  Permits a connection only when the transmitted cookies are returned after sending cookies with SYN.
no ip tcp syncookies  Global  Disables the configuration that permits a connection only when the transmitted cookies are returned after sending cookies with SYN.

7.12 Dump Packet

7.12.1 Checking Dump Packet

It is possible for a general user to look at real packets with the tcpdump function. To use the Dump Packet function, use the following command.

Command             Mode  Description
dump packet OPTION  Top   Displays the packets matching the condition.

It is possible to use any of the tcpdump options, which are as follows.

Option        Description
-a            Attempt to convert network and broadcast addresses to names.
-d            Dump the compiled packet-matching code in a human readable form to standard output and stop.
-e            Print the link-level header on each dump line.
-f            Print `foreign' internet addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's yp server -- usually it hangs forever translating non-local internet numbers).
-l            Make stdout line buffered. Useful if you want to see the data while capturing it. E.g., ``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''.
-n            Don't convert host addresses to names. This can be used to avoid DNS lookups.
-N            Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.
-O            Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
-p            Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.
-q            Quick (quiet?) output. Print less protocol information so output lines are shorter.
-S            Print absolute, rather than relative, TCP sequence numbers.
-t            Don't print a timestamp on each dump line.
-v            Displays more information.
-w            Saves captured packets in a file instead of analyzing and displaying them.
-x            Displays each packet as hex code.
-c NUMBER     Closes after receiving the given number of packets.
-F FILE       Use file as input for the filter expression. An additional expression given on the command line is ignored.
-i INTERFACE  Captures packets passing the given interface. If it is not designated, the interface with the lowest priority in the system interface list is chosen (loopback is excluded).
-r FILE       Read packets from file (which was created with the -w option). Standard input is used if file is ``-''.
-s SNAPLEN    Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 means use the required length to catch whole packets.
-T TYPE       Interprets the packets selected by the conditional expression as the stated type. The types are as follows: rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Application control protocol), vat (Visual Audio Tool), wb (distributed White Board).
EXPRESS       Conditional expression.

Tab. 7.2 Option for Dump Packet

7.12.2

Dump Packet Debug


Network Debugging function is provided in order to prevent system overload from blowing abnormal packet. In this function, monitoring process checks CPU overload status every 5 seconds. If there are more traffics than threshold configured by user, it captures packets using Tcpdump and stores the captured situation in file. To debug Dump Packet, use the following command.
Command Mode Description Debugging dump packets applicable to the base. COUNT: packet counting number dump packets debug COUNT VALUE TIME [<1-10] Top VALUE: CPU threshold NAME: file name TIME: Continuous time for abnormal state 1-10: dump file numbers

In order to store the captured file in NVRAM as the text type, choose nvram option. In case that the storage capacity is larger than NVRAM size of the equipment, overwrite from the first part of NVRAM. The following is an example of configuring Dump packet debug function and checking it.
SWITCH# dump packets debug 1 60 test
SWITCH# show running-config
Building configuration...

Current configuration:
hostname SWITCH
!
set login radius timeout 10
set login tacacs timeout 5
!
dump packets debug 1 60 test
bridge
!
set vlan pvid 1-18 1
!
set vlan create br1 1
!
interface br1
no shutdown
ip address 172.16.113.54/16
!
ip route 0.0.0.0/0 172.16.1.254
!
arp-gratuitous 10 4
!
no snmp
!
SWITCH#

7.13 Server Packet Filtering


DHCP (Dynamic Host Configuration Protocol) lets a DHCP server assign IP addresses to DHCP clients automatically and manage those addresses. Most ISPs provide their service this way. If a DHCP client is connected to equipment that can act as another DHCP server, such as an Internet access gateway router, communication failures may occur. DHCP filtering keeps the DHCP service working by blocking Requests that enter through a subscriber port and go out to the uplink port or another subscriber port, and Replies that enter through a subscriber port. To configure DHCP filtering on a particular port according to the user's demand, enable the filtering function and then designate the port that needs DHCP filtering by using the following command.

Command | Mode | Description
set dhcp-server-filter PORT | Bridge | Configures DHCP server packet filtering.
clear dhcp-server-filter PORT | Bridge | Disables DHCP server packet filtering.
show dhcp-server-filter | Bridge | Checks DHCP server packet filtering.

The following is an example of configuring DHCP filtering on ports 1 to 5 and checking it.
SWITCH(bridge)# set dhcp-server-filter 1-5
SWITCH(bridge)# show dhcp-server-filter
o:enable .:disable
--------------------------
         1         2
12345678901234567890123456
--------------------------
ooooo.....................
--------------------------
SWITCH(bridge)#

7.14 Attack Guard
The V1624 provides a function that prevents a tremendous number of packets, caused by a virus, hacking, or another reason, from coming into the switch. If such packets are allowed in, they can make the switch or the whole network unstable. Attack Guard inspects the number of packets coming in per second. If the packet flow reaches its high water mark, it blocks the packets on that port; Attack Guard releases the blocking when the packet flow falls to its low water mark. With this function you can control suspicious burst traffic on a specific port. To specify a port and the two thresholds that protect it against huge traffic, use the following command.
Command | Mode | Description
set attack-guard {unicast | multicast | broadcast} PORT <10-148810> {<10-148810> | static} | Bridge | Blocks traffic rising over the high water mark on the specified port. 10-148810: range of the high water mark (unit: pps); 10-148810: range of the low water mark (unit: pps); static: sets the low water mark to 0, that is, port blocking must be released manually with the set attack-guard-recovery command below
set attack-guard-recovery PORT | Bridge | Removes port blocking on the specified port.
clear attack-guard {unicast | multicast | broadcast | all} PORT | Bridge | Deletes attack guard configurations.

To display the attack guard function, use the following command.


Command show attack_guard show attack_guard {unicast | multicast | broadcast} Mode Top Global Bridge Displays attack guard configurations. Description
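The high/low water mark logic described above, replayed over a constructed series of per-second packet counts, as an added Python example (not the manual's or Dasan's code); the class, method names and sample counts are this example's own.

```python
"""Two-threshold (high/low water mark) port blocking as described for Attack
Guard. Added example, not Dasan code: it models the behaviour the text
describes, not the switch firmware. The pps readings below are constructed."""

HWM_MIN, HWM_MAX = 10, 148810   # pps range accepted by set attack-guard


class AttackGuardPort:
    """State of one port under set attack-guard ... HIGH {LOW | static}."""

    def __init__(self, high, low):
        if not HWM_MIN <= high <= HWM_MAX:
            raise ValueError("high water mark must be 10-148810 pps")
        if low != "static":
            if not HWM_MIN <= low <= HWM_MAX:
                raise ValueError("low water mark must be 10-148810 pps or 'static'")
            if low > high:
                raise ValueError("low water mark must not exceed high water mark")
        self.high = high
        self.low = low          # 'static' means the low water mark is 0
        self.blocked = False

    def observe(self, pps):
        """Feed one per-second packet count; return True if the port is blocked after it."""
        if not self.blocked and pps >= self.high:
            self.blocked = True                    # flow reached the high water mark
        elif self.blocked and self.low != "static" and pps <= self.low:
            self.blocked = False                   # flow fell to the low water mark
        # with 'static' the port stays blocked until recover() is called
        return self.blocked

    def recover(self):
        """Equivalent of set attack-guard-recovery PORT: manual release."""
        self.blocked = False
        return self.blocked


def replay(samples, high, low):
    """Run a list of per-second pps readings through the guard; return the blocked flag per second."""
    port = AttackGuardPort(high, low)
    return [port.observe(pps) for pps in samples]


# Constructed burst: a broadcast storm ramps up, then dies down.
SAMPLES = [50, 800, 1500, 900, 300, 150, 100]

if __name__ == "__main__":
    for second, (pps, blocked) in enumerate(zip(SAMPLES, replay(SAMPLES, 1000, 200)), 1):
        print("t=%ds pps=%5d blocked=%s" % (second, pps, blocked))
```

Note that the low water mark only matters while the port is already blocked: a reading of 900 pps at second 4 keeps the port blocked even though it is below the high water mark, which is the hysteresis that stops a flapping burst from being unblocked and re-blocked every second.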


7.15 Port Traffic Monitoring


The V1624 can generate a syslog and trap message if the traffic flow on a certain port exceeds its threshold. You can specify several parameters for traffic monitoring: a threshold rate, a du-time, and a trap time. The function keeps monitoring for the du-time; if the traffic amount goes over the threshold rate, it generates a trap. The trap time is the interval between traps: once the trap time has passed, traffic monitoring resumes observing the amount of traffic on the port, and if the traffic flow is still over the threshold, it delivers a trap again. To configure the port traffic monitoring function, use the following command.
Command | Mode | Description
set port traffic-monitor PORT THRESHOLD-RATE DU-TIME TRAP-TIME {ingress | egress | all} | Bridge | Enables the traffic monitoring function on a specified port. THRESHOLD-RATE: traffic amount used to determine whether to generate a trap (unit: Mbps, range: 1-1000); DU-TIME: monitoring time (unit: 10 minutes, range: 1-144); TRAP-TIME: time interval between traps (unit: 10 minutes, range: 1-144)
clear port traffic-monitor PORT {ingress | egress | all} | Bridge | Removes the traffic monitoring function on a specified port.
show port traffic-monitor PORT | Top/Global/Bridge | Displays traffic monitoring configurations on a specified port.


8 System Main Function


8.1 VLAN
This section describes the items below.
- Overview of VLAN
- Features of VLAN
- Configuring VLAN

8.1.1 Overview of VLAN
When a node on a LAN sends information by broadcast, every node on the same LAN receives it. Broadcasting therefore forces nodes to receive information they do not need. To avoid this, the LAN is divided into logical LANs so that only the nodes on the same logical LAN receive the information. A LAN divided logically in this way is called a VLAN (Virtual LAN), and one VLAN may include several ports. When a network is built with VLANs, packets can be transmitted between ports in the same VLAN; packets between ports in different VLANs can be transmitted only through routing equipment that connects the VLANs. VLANs reduce Ethernet traffic, which improves the transmission rate, and strengthen security because transmission is confined to each VLAN. VLANs can be based on port, MAC address, or protocol; the V1624 supports port-based VLANs. Complying with IEEE 802.1q, the V1624 can transmit both tagged packets and untagged packets, which carry no VLAN ID. Every switch port has a port VLAN ID (PVID) configured by the system, so unless the user configures a specific VLAN, the system assigns the PVID (this is known as the untagged VLAN). Switch ports that make up a VLAN network can therefore transmit packets to the VLAN whose number matches their PVID.
Fig. 8.1 VLAN


8.1.2 Features of VLAN
Enlarged Network Bandwidth
Users in different VLANs can use more bandwidth than in a network without VLANs, because they do not receive unnecessary broadcast information.

Cost-Effective Way
When you use VLANs to prevent the unnecessary traffic load caused by broadcasts, you get a cost-effective network composition, since no additional switch is needed.

Strengthened Security
Usually nodes share broadcast information, but in some cases authorization is required for that information. A VLAN can be composed of authorized users only, so network security is strengthened.

8.1.3 Configuring VLAN
The functions below are explained.
- Creating VLAN
- Specifying PVID
- Assigning Port in VLAN
- Disabling VLAN
- Configuring Shared-port

8.1.3.1 Creating VLAN
To configure VLAN on users network, use the following command.
Command | Mode | Description
set vlan create NAME <1-4094> | Bridge | Configures a new VLAN by assigning a VLAN name and VLAN ID. The VLAN ID can be from 1 to 4,094.
clear vlan NAME | Bridge | Deletes the VLAN.

The variable vlan-name is a particular set of bridged interfaces. Frames are bridged only among interfaces in the same VLAN.

Make vlan-name in the form brN (N = integer). You cannot create a VLAN unless vlan-name has the brN form. If you enter another name, not brN, the following message is displayed.
SWITCH(bridge)# set vlan create A 1
%bridge name must be started 'br'
SWITCH(bridge)#

The variable vlan-id is the VLAN tag with which packets are transmitted. If a port is configured with tagging, it sends tagged traffic.


To check the VLAN configuration in the switch, use the following command.
Command | Mode | Description
show vlan [NAME] | Top/Global/Bridge | Shows VLAN configuration.

The following is an example of configuring VLAN and checking it. By default, all ports are configured as br1 in V1624.
SWITCH(bridge)# set vlan create br2 2
SWITCH(bridge)# set vlan create br3 3
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
----------------------------------------------
             |         1         2         3
Name( VID)   |12345678901234567890123456789012
-------------+--------------------------------
br1(   1)    |uuuuuuuuuuuuuuuuuuuuuuuu........
br2(   2)    |................................
br3(   3)    |................................
SWITCH(bridge)#

8.1.3.2 Specifying PVID
By default, PVID 1 is assigned to all ports, and the user can also configure the PVID. To configure the PVID of a port, use the following command.
Command | Mode | Description
set vlan pvid PORT <1-4094> | Bridge | Configures the PVID. It can be from 1 to 4,094.

The following is an example of specifying PVID 2 on port 2 and viewing it.

SWITCH(bridge)# set vlan pvid 2 2
SWITCH(bridge)# show running-config
(omitted)
set vlan pvid 1,3-26 1
set vlan pvid 2 2
(omitted)
SWITCH(bridge)#


8.1.3.3 Assigning Port in VLAN


After creating VLANs such as br2 and br3, you need to assign ports to them. By default, all ports of the V1624 belong to br1, so to assign a port to another VLAN you must first delete it from br1. To do so, use the following commands.
Command | Mode | Description
set vlan add NAME PORT {tagged | untagged} | Bridge | Assigns a port to the VLAN.
set vlan del NAME PORT | Bridge | Deletes a port from the VLAN.

When you assign several ports to a VLAN, enter each port separated by a comma without spaces, and use a dash (-) to specify a port range.

By default setting of V1624, all ports are belonged to br1. To avoid overlapping with br1 when assigning port to VLAN, you should delete the port in br1.

The following is an example of configuring port 7~10 as br2, 11~18 as br3 and the other ports as br1 and checking it.
SWITCH(bridge)# set vlan del br1 7-18
SWITCH(bridge)# set vlan add br2 7-10 untagged
SWITCH(bridge)# set vlan add br3 11-18 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
----------------------------------------------
             |         1         2         3
Name( VID)   |12345678901234567890123456789012
-------------+--------------------------------
br1(   1)    |uuuuuu............uuuuuu........
br2(   2)    |......uuuu......................
br3(   3)    |..........uuuuuuuu..............
SWITCH(bridge)#

8.1.3.4 Disabling VLAN
The following steps are provided to disable a VLAN.
Step 1 Delete the ports associated with the VLAN to be removed using the following command.
Command | Mode | Description
set vlan del NAME PORT | Bridge | Deletes all ports in the VLAN.

Step 2 Open Interface configuration mode of VLAN to be deleted and deactivate the virtual interface.


Command | Mode | Description
interface NAME | Global | Begins Interface configuration mode of the specified VLAN.
shutdown | Interface | Deactivates the virtual interface.

Step 3 Delete the VLAN.
Command | Mode | Description
clear vlan NAME | Bridge | Deletes the VLAN.

8.1.3.5 Configuring Shared-port
When the V1624 is used as a Layer 2 switch, communication between VLANs is impossible because there is no router function. In particular, the port assigned as the uplink port should receive packets from all VLANs, but on a Layer 2 V1624 that port cannot receive them unless it is configured as a member of all VLANs. Therefore, when you configure VLANs on the Layer 2 switch, you have to include the uplink port in every VLAN, no matter how many VLANs are made. The following example configures ports 1 ~ 16 as independent VLANs.
SWITCH(bridge)# set vlan del br1 2-25
SWITCH(bridge)# set vlan create br2 2
SWITCH(bridge)# set vlan create br3 3
(omitted)
SWITCH(bridge)# set vlan create br16 16
SWITCH(bridge)# set vlan add br2 2,26 untagged
SWITCH(bridge)# set vlan add br3 3,26 untagged
(omitted)
SWITCH(bridge)# set vlan add br16 16,26 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
----------------------------------------------
             |         1         2         3
Name( VID)   |12345678901234567890123456789012
-------------+--------------------------------
br1(   1)    |u........................u......
br2(   2)    |.u.......................u......
br3(   3)    |..u......................u......
br4(   4)    |...u.....................u......
br5(   5)    |....u....................u......
br6(   6)    |.....u...................u......
br7(   7)    |......u..................u......
br8(   8)    |.......u.................u......
br9(   9)    |........u................u......
br10(  10)   |.........u...............u......
br11(  11)   |..........u..............u......
br12(  12)   |...........u.............u......
br13(  13)   |............u............u......
br14(  14)   |.............u...........u......
br15(  15)   |..............u..........u......
br16(  16)   |...............u.........u......
SWITCH(bridge)#


This configuration applies only when the V1624 is used as a dedicated L2 switch. With the above configuration, an untagged packet received on port 1 gets pvid 1, and the uplink port, port 26, also has pvid 1, so the packet can be transmitted to port 26. The problem is an untagged packet received on the uplink port: since it is not clear which pvid such a packet should get, the following additional configuration is needed to transmit untagged packets from the uplink to all ports. Another VLAN must be configured that includes the uplink port, port 26, and ports 1 ~ 16 of the above configuration. The following is an example of additionally configuring br17, which has pvid 17, and checking it.
SWITCH(bridge)# set vlan create br17 17
SWITCH(bridge)# set vlan add br17 1-16,26 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
----------------------------------------------
             |         1         2         3
Name( VID)   |12345678901234567890123456789012
-------------+--------------------------------
br1(   1)    |u........................u......
br2(   2)    |.u.......................u......
br3(   3)    |..u......................u......
br4(   4)    |...u.....................u......
br5(   5)    |....u....................u......
br6(   6)    |.....u...................u......
br7(   7)    |......u..................u......
br8(   8)    |.......u.................u......
br9(   9)    |........u................u......
br10(  10)   |.........u...............u......
br11(  11)   |..........u..............u......
br12(  12)   |...........u.............u......
br13(  13)   |............u............u......
br14(  14)   |.............u...........u......
br15(  15)   |..............u..........u......
br16(  16)   |...............u.........u......
br17(  17)   |uuuuuuuuuuuuuuuu.........u......
SWITCH(bridge)#

Finally, configure all of the ports configured above as shared-ports. After that, an untagged packet received on the uplink port, port 26, gets pvid 17 and is transmitted to ports 1 ~ 16. To configure a shared-port, use the following command in Bridge configuration mode.
Command | Mode | Description
set shared-port {enable | disable} PORT | Bridge | Configures a specified port as a shared-port.


To check the above configuration, use the following command.


Command | Mode | Description
show port PORT | Top/Global/Bridge | Shows all information on the port.

The following is an example of configuring ports 1 ~ 16 and Uplink port, port 26 as shared-port and checking the configuration.
SWITCH(bridge)# set shared-port enable 1
SWITCH(bridge)# set shared-port enable 2
(omitted)
SWITCH(bridge)# set shared-port enable 26
SWITCH(bridge)# show port 26
---------------------------------------------------------------------------
NO   TYPE      PVID  STATUS        SHARED  MODE            FLOWCTRL  INSTALLED
                     (ADMIN/OPER)
---------------------------------------------------------------------------
26:  Ethernet  1     Up/Down       Y       Auto/Full/1000  On        Y
SWITCH(bridge)#
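As an added example (not code from the manual or from Dasan), the forwarding decision for untagged and tagged frames under the port assignment rules of 8.1.3.3 and the uplink layout of 8.1.3.5, in Python, using the usual port-based VLAN rule: an untagged frame takes the PVID of its ingress port and is delivered only to member ports of that VLAN. The manual does not say how shared-port is implemented, so the model represents its stated effect (an untagged frame on port 26 getting pvid 17) as an effective PVID of 17 on port 26, and assumes each port N in 8.1.3.5 has PVID N; both are assumptions of this example.

```python
"""Port-based VLAN forwarding model (added example, not Dasan code).
Rule modelled: an untagged frame takes the PVID of its ingress port and is
delivered only to other member ports of the VLAN with that VID; a tagged frame
is delivered to member ports of the tagged VID, untagged on 'u' ports and
tagged on 't' ports. Port numbers follow the manual's examples."""

UPLINK = 26
NUM_PORTS = 26


def default_pvid():
    """Factory default: every port has PVID 1."""
    return {p: 1 for p in range(1, NUM_PORTS + 1)}


def layout_8_1_3_3():
    """Section 8.1.3.3: ports 7-10 in br2, 11-18 in br3, the rest in br1; PVIDs untouched."""
    vlans = {
        "br1": {"vid": 1, "untagged": set(range(1, 7)) | set(range(19, 27)), "tagged": set()},
        "br2": {"vid": 2, "untagged": set(range(7, 11)), "tagged": set()},
        "br3": {"vid": 3, "untagged": set(range(11, 19)), "tagged": set()},
    }
    return vlans, default_pvid()


def layout_8_1_3_5():
    """Section 8.1.3.5: brN = {port N, uplink 26} for N in 1..16.
    PVID of port N = N is an assumption of this example."""
    vlans = {"br%d" % n: {"vid": n, "untagged": {n, UPLINK}, "tagged": set()}
             for n in range(1, 17)}
    pvid = default_pvid()
    for n in range(1, 17):
        pvid[n] = n
    return vlans, pvid


def add_br17(vlans, pvid):
    """The br17 step: ports 1-16 and 26 in one VLAN. The uplink's effective PVID
    becomes 17; this stands in for what shared-port achieves (assumption)."""
    vlans["br17"] = {"vid": 17, "untagged": set(range(1, 17)) | {UPLINK}, "tagged": set()}
    pvid[UPLINK] = 17
    return vlans, pvid


def members(vlans, vid):
    """All member ports (untagged or tagged) of the VLAN carrying `vid`."""
    for v in vlans.values():
        if v["vid"] == vid:
            return v["untagged"] | v["tagged"]
    return set()


def forward_untagged(vlans, pvid, ingress):
    """Ports an untagged frame received on `ingress` can reach; empty set = dropped."""
    m = members(vlans, pvid[ingress])
    if ingress not in m:
        return set()             # port is not a member of its own PVID VLAN
    return m - {ingress}


def forward_tagged(vlans, vid, ingress):
    """Egress ports for a frame tagged `vid`: port -> 'u' (tag stripped) or 't' (tag kept)."""
    if ingress not in members(vlans, vid):
        return {}
    out = {}
    for v in vlans.values():
        if v["vid"] == vid:
            out.update({p: "u" for p in v["untagged"] if p != ingress})
            out.update({p: "t" for p in v["tagged"] if p != ingress})
    return out


if __name__ == "__main__":
    vlans, pvid = layout_8_1_3_5()
    print("uplink frame reaches", sorted(forward_untagged(vlans, pvid, UPLINK)))
    add_br17(vlans, pvid)
    print("after br17 it reaches", sorted(forward_untagged(vlans, pvid, UPLINK)))
```

The 8.1.3.3 case shows the gotcha behind section 8.1.3.2: after moving port 7 into br2 its PVID is still 1, so an untagged frame on port 7 is dropped until the PVID is set to 2; the 8.1.3.5 case shows that, before br17, an untagged frame from the uplink reaches only port 1, while subscriber ports 2 and 3 still cannot reach each other afterwards.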

8.2 Port Trunking
Port trunking enables you to dynamically group similarly configured interfaces into a single logical link (aggregate port) to increase bandwidth while reducing traffic congestion. When interfaces with the same speed and duplex are grouped, traffic is distributed over the aggregate port. The switch supports up to six aggregate ports, and each aggregate port can consist of up to eight ports. To aggregate ports or delete an aggregated port, use the following commands.
Command | Mode | Description
set trunk add <0-5> PORT {srcmac | dstmac} | Bridge | Configures physical ports as a logical port and assigns srcmac or dstmac to specify how packets are distributed over the aggregated port.
set trunk del <0-5> PORT | Bridge | Deletes a physical port from the logical port.

To check port trunk configuration, use the following command.


Command | Mode | Description
show trunk | Top/Global/Bridge | Shows port trunk configuration.


The following is an example of configuring port 7 ~ 10 as trunk and checking it.


SWITCH(bridge)# set trunk add 0 7-10 srcmac
SWITCH(bridge)# show trunk
Trunk Group 0 : SRC_MAC : 7(x) 8(x) 9(x) 10(x)
Trunk Group 1 : Inactive
Trunk Group 2 : Inactive
Trunk Group 3 : Inactive
Trunk Group 4 : Inactive
Trunk Group 5 : Inactive
SWITCH(bridge)#

Ports configured for port trunking become independent of their VLAN. Therefore, you need to add them to the VLAN again using the newly assigned port number.

The following example configures ports 1 ~ 6 and 19 ~ 26 as br1 and ports 7 ~ 18 as br2, then configures ports 7 ~ 10 as a trunk, and adds virtual port 27, which represents the trunk, to br2.
SWITCH(bridge)# set vlan del br1 7-18
SWITCH(bridge)# set vlan add br2 7-18 untagged
SWITCH(bridge)# set trunk add 0 7-10 srcmac
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
----------------------------------------------
             |         1         2         3
Name( VID)   |12345678901234567890123456789012
-------------+--------------------------------
br1(   1)    |uuuuuu............uuuuuuuu......
br2(   2)    |..........uuuuuuuu..............

SWITCH(bridge)# set vlan add br2 27 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
----------------------------------------------
             |         1         2         3
Name( VID)   |12345678901234567890123456789012
-------------+--------------------------------
br1(   1)    |uuuuuu............uuuuuuuu......
br2(   2)    |..........uuuuuuuu........u.....
SWITCH(bridge)#


8.3 LACP
LACP (Link Aggregation Control Protocol), complying with IEEE 802.3ad, bundles several physical ports together to form one logical port so that the user gets enlarged bandwidth, as described in 8.2 Port Trunking. The difference from port trunking is that LACP builds the aggregated bandwidth automatically: you configure an aggregator to aggregate ports and the physical member ports to be aggregated into the logical port. Besides, if an aggregated port is made by port trunking, the user must add it to a VLAN with a command, whereas an aggregated port made by LACP is added to the VLAN automatically. Perform the following tasks to configure LACP on the V1624.
Step 1 Enable LACP on the switch.
Step 2 Configure an aggregator.
Step 3 Specify the member ports of the aggregator and configure the mode of the member ports.

You can make maximum six aggregators through LACP and maximum eight member ports can be aggregated.

The following details are explained so that users can configure LACP.
- Enabling LACP
- Configuring Aggregator
- Configuring Member Port
- Checking LACP Configuration
- Configuring Key of Member Port
- Configuring Port Priority

8.3.1 Enabling LACP
Before configuring LACP in switch, you need to enable LACP first. To enable and disable LACP, use the following command.
Command | Mode | Description
set lacp system interface IFNAME | Bridge | Enables LACP on the switch.
set lacp system interface disable | Bridge | Disables LACP and deletes the LACP configuration.

8.3.2 Configuring Aggregator
After enabling LACP, you should configure logical aggregator to aggregate several physical ports.


To configure aggregator or delete it, use the following commands.


Command | Mode | Description
set lacp aggregator add <0-5> | Bridge | Configures a logical aggregator.
set lacp aggregator del <0-5> | Bridge | Deletes the aggregator.

You cannot configure both port trunking and LACP at the same time. Therefore only one function can be configured at one group-id.

When you configure aggregator, you need to specify packet passing through aggregator. To set the packet distribution method, use the following command.
Command | Mode | Description
set lacp aggregator <0-5> method {srcmac | dstmac} | Bridge | Sets the packet distribution method. 0-5: group ID

Source MAC address is abbreviated to srcmac and destination MAC address is abbreviated to dstmac.

8.3.3 Configuring Member Port


After finishing aggregator configuration, you should configure physical port to be member of aggregator. In order to configure member port of aggregator or delete it, use the following commands.
Command | Mode | Description
set lacp port add PORT | Bridge | Configures a physical port as a member port of the aggregator.
set lacp port del PORT | Bridge | Removes a physical port from the member ports of the aggregator.

Several port numbers can be specified by using , and -.

You need to configure the mode of the member ports after configuring them. There are two modes: active mode and passive mode. Active mode has higher priority than passive mode and becomes the standard, so a passive-mode port follows the configuration of the active-mode port.
Command | Mode | Description
set lacp port mode PORT {active | passive} | Bridge | Configures the mode of the member port.

If the member ports of two connected switches are both configured as active mode, another value is required to decide the priority. In this case the user can configure the priority of the switch. To give priority to a switch in LACP, use the following command.
Command | Mode | Description
set lacp system priority <1-65535> | Bridge | Gives a priority value to the switch in LACP.

When the member ports of two connected switches are configured as active mode and passive mode respectively, the switch configured as active is the standard; if both are configured as active mode, the switch with the higher priority is the standard. However, if both are configured as passive mode, the member ports of the two switches will not be linked.

8.3.4 Checking LACP Configuration


User can view configuration of LACP. To display LACP configuration, use the following command.
Command | Mode | Description
show lacp aggregator | Top/Global/Bridge | Shows information of the aggregator.
show lacp aggregator PORT | Top/Global/Bridge | Shows information of the member port.

The following is an example of configuring aggregator 0 on SWITCH A and SWITCH B with ports 2 ~ 3 as member ports, and viewing the configuration.

<Configuration in SWITCH A>


SWITCH_A(bridge)# set lacp system interface br1
SWITCH_A(bridge)# set lacp aggregator add 0
SWITCH_A(bridge)# set lacp port add 2-3
SWITCH_A(bridge)# set lacp port mode 2-3 active
SWITCH_A(bridge)# show lacp aggregator
AGGR  PRIORITY                 PARTNER       MEMBER
----  -----------------------  ------------  ---------
0     0x8000.00D0CB0A01B3      00D0CB22004E  2(o)-3(o)

SWITCH_A(bridge)# show lacp port
PORT  AGGR  KEY  ACTIVITY  PARTNER  ENABLE
----  ----  ---  --------  -------  ------
02    0     1    ACTIVE    2        ENABLE
03    0     1    ACTIVE    3        ENABLE
SWITCH_A(bridge)#

<Configuration in SWITCH B>


SWITCH_B(bridge)# set lacp system interface br1
SWITCH_B(bridge)# set lacp aggregator add 0
SWITCH_B(bridge)# set lacp port add 2-3
SWITCH_B(bridge)# set lacp port mode 2-3 passive
SWITCH_B(bridge)# show lacp aggregator
AGGR  PRIORITY                 PARTNER       MEMBER
----  -----------------------  ------------  ---------
0     0x8000.00D0CB22004E      00D0CB0A01B3  2(o)-3(o)

SWITCH_B(bridge)# show lacp port
PORT  AGGR  KEY  ACTIVITY  PARTNER  ENABLE
----  ----  ---  --------  -------  ------
02    0     1    PASSIVE   2        ENABLE
03    0     1    PASSIVE   3        ENABLE
SWITCH_B(bridge)#

The AGGR column shown by the show lacp port command is the ID of the aggregator; it is not the group-id the user enters when configuring the aggregator. If you enter a letter or a non-existent port number for PORT, the error message %Wrong expression. ex) 'show port 1,3' , 'show port 1-3,10' is displayed, as follows.
SWITCH(bridge)# show port aa
%Wrong expression. ex) 'show port 1,3' , 'show port 1-3,10'
SWITCH(bridge)#

8.3.5 Configuring Key of Member Port


A member port of LACP has a key value, and all member ports in one aggregator have the same key value. To make an aggregator consisting of specified member ports, configure a key value different from that of the other ports by using the following command.
Command | Mode | Description
set lacp port key PORT <1-15> | Bridge | Configures the key value of a member port. (Default: 1)

For example, switch A and switch B are each linked with switch C. Two aggregators are configured in switch A, and ports 7 ~ 10 are configured as member ports. One aggregator is configured in switch B, and ports 7 ~ 8 are configured as member ports. One aggregator is configured in switch C, and ports 9 ~ 10 are configured as member ports. After these configurations, ports 7~8 of switch A are linked with switch B and ports 9~10 of switch A are linked with switch C, so switch A is linked with switch B and C through the aggregators. Meanwhile, consider the case where switch A is linked only with switch B: two aggregators are configured in both switch A and switch B, and ports 7~10 are configured as member ports. With this configuration, if ports 7~10 are connected by cable, one aggregator including all of the ports is made. However, if the key values of ports 7~10 are configured differently, two aggregators are made. The following is an example of aggregating ports 7~8 and ports 9~10 of SWITCH A and SWITCH B into different aggregators as above. Without changing the key configuration, two aggregators are configured and ports 7~10 are configured as member ports in SWITCH A and SWITCH B.

<SWITCH A>
SWITCH_A(bridge)# set lacp system interface br1
SWITCH_A(bridge)# set lacp aggregator add 0
SWITCH_A(bridge)# set lacp aggregator add 1
SWITCH_A(bridge)# set lacp aggregator 0 method srcmac
SWITCH_A(bridge)# set lacp aggregator 1 method srcmac
SWITCH_A(bridge)# set lacp port add 7-10
SWITCH_A(bridge)# set lacp port mode 7-10 active
SWITCH_A(bridge)# show lacp aggregator
AGGR  PRIORITY                 PARTNER       MEMBER
----  -----------------------  ------------  -----------------------------------
0     0x8000.00D0CB0A01B3      00D0CB0AA790  eth07(o)-eth08(o)-eth09(o)-eth10(o)
1     0x8000.000000000000
SWITCH_A(bridge)#

<SWITCH B>
SWITCH_B(bridge)# set lacp system interface br1
SWITCH_B(bridge)# set lacp aggregator add 0
SWITCH_B(bridge)# set lacp aggregator add 1
SWITCH_B(bridge)# set lacp aggregator 0 method srcmac
SWITCH_B(bridge)# set lacp aggregator 1 method srcmac
SWITCH_B(bridge)# set lacp port add 7-10
SWITCH_B(bridge)# set lacp port mode 7-10 active
SWITCH_B(bridge)# show lacp aggregator
AGGR  PRIORITY                 PARTNER       MEMBER
----  -----------------------  ------------  -----------------------------------
0     0x8000.00D0CB0A01B3      00D0CB0AA790  eth07(o)-eth08(o)-eth09(o)-eth10(o)
1     0x8000.000000000000
SWITCH_B(bridge)#

8.3.6 Configuring Port Priority


One aggregator can include a maximum of eight ports. When ten ports are configured, the ports with higher priority are selected. However, the user can configure the priority when a specific port should become a member port regardless of its default priority.

To configure priority of LACP member port, use the following command.


Command | Mode | Description
set lacp port priority PORT <1-15> | Bridge | Configures the priority of a member port.


8.4 STP and RSTP


A local area network (LAN) with double paths, like a token ring, has the advantage that access is still possible when one path is disconnected. However, always using the double paths raises another problem, the loop. A loop may occur when double paths are used for link redundancy between switches and one of them sends an unknown unicast or multicast packet, which then circulates endlessly on the LAN in the loop topology. That superfluous traffic causes superfluous data transmission and can eventually result in a network fault.

Fig. 8.2 Example of Loop (Switch A, Switch B, PC-A, PC-B)

The spanning-tree protocol (STP), defined in IEEE 802.1d, prevents loops in a LAN with two or more paths and uses the double paths efficiently. When STP is configured, there is no loop because it chooses the more efficient path and blocks the other. In other words, when SWITCH C in the figure below sends a packet to SWITCH B, path 1 is chosen and path 2 is blocked.

Fig. 8.3 Principle of Spanning Tree Protocol (VLAN 1; Switch A, Switch B, Switch C, Switch D; Path 1, Path 2 blocking; PC-A, PC-B)


Meanwhile, the rapid spanning-tree protocol (RSTP), defined in IEEE 802.1w, dramatically reduces the time of network convergence compared with STP. Because it uses the same vocabulary and configuration parameters as 802.1d, the new protocol is easy and fast to configure. IEEE 802.1w also includes 802.1d, so it provides backward compatibility with 802.1d.

For compatibility with the configuration of switches running older versions, the default is STP mode. For a more detailed description of STP, refer to the following.
- STP Operation
- RSTP Operation
- STP and RSTP Configuration
- Configuring BPDU Transmission

8.4.1 STP Operation
802.1d STP defines the port states blocking, listening, learning, and forwarding. When STP is configured in a LAN with double paths, the switches exchange their information, including the bridge ID, in BPDUs (Bridge Protocol Data Units). Based on the exchanged BPDUs, the switches decide the port states and automatically determine the optimal path for communicating with the root switch.

Root Switch
The critical information for deciding the root switch is the bridge ID. The bridge ID is composed of a two-byte priority and a six-byte MAC address. The root switch is the one with the lowest bridge ID.

Fig. 8.4 Root Switch (Switch A, priority 8, is ROOT; Switch B, priority 9; Switch C, priority 10; Switch D; RP = Root Port, DP = Designated Port)


After STP is configured, the switches exchange their information. The priority of SWITCH A is 8, the priority of SWITCH B is 9 and the priority of SWITCH C is 10, so SWITCH A is automatically configured as the root switch.

Designated Switch
After the root switch is decided, when SWITCH A transmits a packet to SWITCH C, SWITCH A compares the exchanged BPDUs to decide the path. The critical information for deciding the path is the path-cost. The path-cost depends on the transmit rate of the LAN interface, and the path with the lower path-cost is selected. The standard for deciding the designated switch is the total root path-cost, that is, the sum of the path-costs to the root. The switch with the lower root path-cost is selected as the designated switch.
Fig. 8.5 Designated Switch (Switch A, priority 8, is the root switch; Switch B, priority 9; Switch C, priority 10; Switch D; path-costs 50, 100, 100, 100; PATH 1 = 50 + 100 = 150, PATH 2 = 100 + 100 = 200, PATH 1 < PATH 2, PATH 1 selected)

In the above figure, when SWITCH C sends a packet, the path-cost of PATH 1 is 150 and the path-cost of PATH 2 is 200 in total (100 + 100, the sum of the path-costs of the two links on PATH 2). Therefore PATH 1, with the lower path-cost, is chosen. The port connected toward the root switch is called the root port. In the above figure, the port of SWITCH C connected to SWITCH A, the root switch, is the root port. There can be only one root port on a switch.

The designated switch for a segment is the one with the lowest total root path cost, that is, the sum of the path costs on its route to the root. When two switches have the same root path cost, the lower bridge ID wins.

Designated Port and Root Port
A root port is the port in the active topology that provides connectivity from a switch toward the root. A designated port is a port in the active topology that forwards traffic away from the root onto the segment for which this switch is the designated switch. In other words, on each switch the ports selected to carry traffic are the root port and the designated ports.

Port Priority
When the path costs of two candidate paths are equal, the port priority decides. In the figure below two switches are connected by two links of path cost 100. Because the costs are equal, their port priorities are compared and the port with the lower port priority value is selected to carry traffic.

All of these decisions are made automatically from the BPDUs the switches exchange. The parameters carried in BPDUs (bridge priority, path cost, port priority) can also be configured by the administrator to choose the root switch or the path manually; see 8.4.3.

Fig. 8.6 Port Priority: the root and a second switch are connected by two links. PATH 1 uses port 1 (path cost 100, port priority 7), PATH 2 uses port 2 (path cost 100, port priority 8). The path costs are equal and cannot decide; the port priorities are compared, 7 < 8, and PATH 1 is chosen.
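The decisions described in this section (root election by lowest bridge ID, root-port selection by root path cost with bridge ID and port ID as tie-breakers) can be replayed in a few lines. The following Python script is an added example, not part of this manual or of the V1624 firmware. It parses bridge IDs in the form 'show stp' prints them (a 4-bit priority and a 12-bit system-ID extension in the first four hex digits, then the MAC address, which is the layout the examples in 8.4.3.3 show), and then simulates the BPDU exchange over a topology constructed to match Fig. 8.5 and Fig. 8.6; the MAC addresses and link costs are constructed for the example.

```python
"""STP root election and root-port selection as described in 8.4.1.

Added example; not part of the Dasan manual or the V1624 firmware. Bridge
IDs, MAC addresses and link costs are constructed to match Fig. 8.4-8.6.
"""

# Default path cost per link speed in Mbit/s (Tab. 8.1 for STP, Tab. 8.2 for RSTP).
PATH_COST = {
    "stp":  {4: 250, 10: 100, 100: 19, 1000: 4, 10000: 2},
    "rstp": {4: 20_000_000, 10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000},
}


def parse_bridge_id(text):
    """Split a bridge ID as printed by 'show stp', e.g. '8001.00d0cb0ac03a'.

    The 16-bit priority field holds the 4-bit priority given to
    'set stp priority NAME <0-15>' followed by a 12-bit system ID extension
    (the VLAN ID, 1 here); the 48-bit MAC address follows the dot.
    'key' is the whole 64-bit value: the bridge with the lowest key is root.
    """
    prio_hex, mac_hex = text.strip().lower().split(".")
    prio_field = int(prio_hex, 16)
    return {
        "priority": prio_field >> 12,
        "sysid_ext": prio_field & 0xFFF,
        "mac": ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2)),
        "key": (prio_field << 48) | int(mac_hex, 16),
    }


def port_id(priority, number):
    """802.1D port identifier: 8-bit port priority followed by the port number.

    'show stp br1 1' prints it as 'port id 8001' (priority 0x80, port 1).
    """
    return (priority << 8) | number


def elect_root(bridge_ids):
    """Name of the bridge with the numerically lowest bridge ID."""
    return min(bridge_ids, key=lambda name: parse_bridge_id(bridge_ids[name])["key"])


def compute_spanning_tree(bridge_ids, links, port_priority=None):
    """Replay the BPDU exchange until every bridge has chosen its root port.

    bridge_ids:    {name: "pppp.mmmmmmmmmmmm"} as printed by 'show stp'
    links:         [(bridge_a, port_a, bridge_b, port_b, path_cost)]
    port_priority: {(bridge, port): 0-255}; default 0x80 (128)

    A received BPDU is ranked by (root path cost including this link,
    sender's bridge ID, sender's port ID, receiving port ID), lowest wins;
    that is the 802.1D root port selection order. Returns, for each
    non-root bridge, its root path cost and root port number.
    """
    port_priority = port_priority or {}
    key = {name: parse_bridge_id(bid)["key"] for name, bid in bridge_ids.items()}
    root = elect_root(bridge_ids)

    def pid(bridge, port):
        return port_id(port_priority.get((bridge, port), 0x80), port)

    best = {name: None for name in bridge_ids}   # best BPDU seen so far, per bridge
    best[root] = (0, key[root], 0, 0)             # the root advertises cost 0

    changed = True
    while changed:                                # terminates: costs are positive, vectors only decrease
        changed = False
        for a, pa, b, pb, cost in links:
            for sender, sp, receiver, rp in ((a, pa, b, pb), (b, pb, a, pa)):
                if best[sender] is None or receiver == root:
                    continue
                offer = (best[sender][0] + cost, key[sender], pid(sender, sp), pid(receiver, rp))
                if best[receiver] is None or offer < best[receiver]:
                    best[receiver] = offer
                    changed = True

    return {name: {"root_path_cost": vec[0], "root_port": vec[3] & 0xFF}
            for name, vec in best.items() if name != root and vec is not None}


if __name__ == "__main__":
    # Fig. 8.5: A (priority 8) is root; D reaches it via B (50 + 100) or via C (100 + 100).
    bridges = {"A": "8001.00d0cb000001", "B": "9001.00d0cb000002",
               "C": "a001.00d0cb000003", "D": "b001.00d0cb000004"}
    links = [("A", 1, "B", 1, 50), ("A", 2, "C", 1, 100),
             ("B", 2, "D", 1, 100), ("C", 2, "D", 2, 100)]
    print("root:", elect_root(bridges))
    print(compute_spanning_tree(bridges, links))
```

The offer tuple is the 802.1D priority vector compared in root-port selection, so the same function also reproduces Fig. 8.6: with two equal-cost links, the link whose port IDs are lower (port priority first, port number second) wins.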

8.4.2 RSTP Operation
STP or RSTP is configured on networks in which a loop can form. RSTP reaches the final topology much faster than STP. This section describes how RSTP improves on STP.

Port States
RSTP defines three port states: discarding, learning and forwarding. The blocking and listening states of 802.1D are merged into discarding. As in STP, a root port and designated ports are chosen on every switch, but RSTP also gives a role to the ports it keeps in the discarding state: an alternate port is a port that receives better (lower-valued) BPDUs from another switch, so it offers an alternate path to the root if the root port fails; a backup port is a port that receives better BPDUs from another port of the same switch, that is, a second connection of this switch to the same segment.


Fig. 8.7 Alternate Port and Backup Port: Switch A is the root, with Switch B, Switch C and Switch D below it; the figure marks a designated port on PATH 1, an alternate port on PATH 2, and a backup port.

The difference between the two is that an alternate port can take over as the path to the root when the link between the root switch and SWITCH C fails, whereas a backup port only duplicates a connection this switch already has and cannot provide a new path in that case.

BPDU Policy
In 802.1D only the root switch generates BPDUs at every hello time; every other switch sends its own BPDU only when it receives one from the root. In 802.1w every switch, not just the root, sends BPDUs at every hello time. This means more BPDU traffic than the root's interval alone, but it lets 802.1w learn of a change in the network much faster. In addition, an inferior BPDU received from the root switch or from the designated switch is accepted immediately instead of being ignored until the stored information ages out. For example, suppose the link between the root switch and SWITCH B is lost. SWITCH B no longer hears the root, considers itself the root and starts sending BPDUs saying so. SWITCH C, however, still hears the real root and sends a BPDU carrying the root's information to SWITCH B. SWITCH B therefore makes its port toward SWITCH C the new root port.


Fig. 8.8 Example of Receiving an Inferior BPDU: the link from Switch A (root) to Switch B is down; Switch B sends an inferior BPDU claiming to be root, Switch C answers with a BPDU carrying the root's information, and Switch B's port toward Switch C becomes its new root port.

Rapid Network Convergence
Consider first how 802.1D behaves when a new link is added between SWITCH A and the root. Before the link exists, the root and SWITCH A are connected only indirectly, through SWITCH D. After the new link is connected, no packet can yet be forwarded over it because the ports on both ends go to the listening state, so no loop is created. In this state the root sends a BPDU to SWITCH A, SWITCH A sends a new BPDU to SWITCH B and SWITCH C, and SWITCH C sends a new BPDU to SWITCH D. SWITCH D, having received the BPDU from SWITCH C, puts its port toward SWITCH C into the blocking state to prevent the loop that the new link would otherwise close.
Fig. 8.9 Network Convergence of 802.1D: 1. a new link is created between the root and Switch A; 2. BPDUs are transmitted while the new ports are in the listening state (BPDU flow: root, Switch A, Switch B and Switch C, Switch D); 3. Switch D blocks its port toward Switch C to prevent the loop.

This does prevent the loop, but it is slow: traffic is interrupted for two forward delay intervals (listening, then learning; 30 seconds with the default forward delay of 15) until the port between SWITCH D and SWITCH C is blocked and the new ports can forward. During that time BPDUs can be transmitted as soon as the link comes up, but no data packet can pass between SWITCH A and the root.


Fig. 8.10 Network Convergence of 802.1w (1): 1. a new link is created between the root and Switch A; 2. Switch A and the root negotiate over the link while traffic on it is blocked.

With 802.1w, SWITCH A negotiates with the root over the new link using BPDUs (the proposal/agreement handshake). To bring the link between SWITCH A and the root into forwarding, SWITCH A first puts all of its non-edge designated ports into the discarding state. Although SWITCH A is now connected to the root, no loop can form because its ports toward SWITCH B and SWITCH C are blocked. In this state the root's BPDU is relayed to SWITCH B and SWITCH C through SWITCH A, and to bring those ports back to forwarding SWITCH A negotiates with SWITCH B and SWITCH C in the same way.
Fig. 8.11 Network Convergence of 802.1w (2): 3. the link between the root and Switch A goes to forwarding; Switch A negotiates with Switch B and with Switch C while traffic on those links is blocked.


SWITCH B has only edge designated ports (ports toward end stations). An edge port cannot create a loop, so 802.1w lets it go to forwarding immediately; SWITCH B therefore does not have to block any port before agreeing to SWITCH A's forwarding state. SWITCH C, however, has a port toward SWITCH D, and that port must be blocked first.
Fig. 8.12 Network Convergence of 802.1w (3): 4. the links from Switch A to Switch B and to Switch C go to forwarding; Switch C blocks its port toward Switch D so that Switch A's port can forward.

As in 802.1D, the connection between SWITCH D and SWITCH C ends up blocked. The difference is that 802.1w needs no fixed timer to bring a port to forwarding: the switches negotiate with BPDUs, and the listening and learning stages are skipped, so convergence is much faster.

Compatibility with 802.1d
RSTP includes STP, so it is compatible with 802.1D and can interpret STP BPDUs. The reverse is not true: an STP switch cannot interpret RSTP BPDUs. For example, assume SWITCH A and SWITCH B run RSTP and SWITCH A is the designated switch on its link to SWITCH C. SWITCH C, which runs 802.1D, ignores the RSTP BPDUs, so it concludes that no other switch is attached to that segment.

Fig. 8.13 Compatibility with 802.1d (1)


SWITCH A, however, can read the 802.1D BPDUs that SWITCH C sends, so it switches the port on which it receives them to 802.1D-compatible operation and sends STP BPDUs there. SWITCH C can then read SWITCH A's BPDUs and accepts SWITCH A as the designated switch.

Fig. 8.14 Compatibility with 802.1d (2)

8.4.3 STP and RSTP Configuration

8.4.3.1 Activating STP
To use STP on the switch, activate it first with the following command. STP is not needed on a LAN that has no redundant paths between switches, since no loop can form there.

Command                Mode     Description
set stp enable NAME    Bridge   Activates STP on the VLAN (bridge) NAME. (Default: disabled)
set stp disable NAME   Bridge   Deactivates STP on the VLAN.

8.4.3.2 STP/RSTP Mode
To run RSTP, enable STP and then set force-version to rstp. To configure force-version, use the following command.

Command                                   Mode     Description
set stp force-version NAME {stp | rstp}   Bridge   Selects STP or RSTP operation on the specified bridge.

8.4.3.3 Root Switch
The root switch must be determined before STP can run. Every switch has its own bridge ID, and the root switch is selected by comparing the bridge IDs of the switches on the same LAN.


To display the bridge ID of your switch, use the following commands.

Command               Mode                Description
show stp              Top/Global/Bridge   Shows the bridge ID and whether STP is enabled.
show stp NAME         Top/Global/Bridge   Shows the BPDU parameters of the bridge in more detail.
show stp NAME PORT    Top/Global/Bridge   Shows the BPDU parameters of a port.

The following is an example of viewing the bridge ID.

SWITCH(config)# show stp
bridge name   bridge id           STP enabled   mode
br1           8001.00d0cb0ac03a   yes           STP
SWITCH(config)#

By configuring the priority you can make the root switch the one you want: after the priorities are changed, the switch with the lowest priority (and, on a tie, the lowest MAC address) becomes the root switch. To configure the priority, use the following command.

Command                         Mode     Description
set stp priority NAME <0-15>    Bridge   Configures the priority of the switch, from 0 to 15. The switch with the lowest priority is chosen as the root switch.

This is an example of checking the configuration after the priority of br1 is set to 10. The priority appears as the first hex digit of the bridge ID (a = 10).

SWITCH(bridge)# set stp priority br1 10
SWITCH(bridge)# show stp
bridge name   bridge id           STP enabled
br1           a001.00d0cb0d0012   no
SWITCH(bridge)#

8.4.3.4 Path-cost
After the root switch is known, each switch chooses the path over which to forward packets toward it. The criterion is the path cost, which by default depends on the transmit rate of the LAN interface. The following tables show the default path cost for each transmit rate.

Transmit Rate   Path-cost
4M              250
10M             100
100M            19
1G              4
10G             2

Tab. 8.1 STP Path Cost


Transmit Rate   Path-cost
4M              20,000,000
10M             2,000,000
100M            200,000
1G              20,000
10G             2,000

Tab. 8.2 RSTP Path Cost

STP and RSTP are configured with the same commands, but their default path costs are completely different (16-bit values for STP, 32-bit values for RSTP). Be careful not to mix them up.

When the route chosen by path cost becomes overloaded, another route may be preferable. For such cases the path cost of a port can be set manually, so that the route can be chosen by the administrator. To configure the path cost, use the following command.

Command                                        Mode     Description
set stp path-cost NAME PORT {COST | default}   Bridge   Sets the path cost of the port so that the route can be chosen manually. With default, the port returns to its default path cost.

The following is an example of changing the path cost of br1 port 1 to 10 and checking it.

SWITCH(bridge)# show stp br1
bridge id               8001.00d0cb0ac03a    mode                   STP
bridge VLAN id          1
designated root         0001.00d0cb0a003f    root path cost         0
root port               1
max age                 20.00                bridge max age         20.00
hello time              2.00                 bridge hello time      2.00
forward delay           15.00                bridge forward delay   15.00
ageing time             300.00               gc interval            4.00
hello timer             2.00                 tcn timer              0.00
topology change timer   0.00                 gc timer               1.89
flags
SWITCH(bridge)# set stp path-cost br1 1 10
SWITCH(bridge)# show stp br1
bridge id               8001.00d0cb0ac03a    mode                   STP
bridge VLAN id          1
designated root         0001.00d0cb0a003f    root path cost         10
root port               1
max age                 20.00                bridge max age         20.00
hello time              2.00                 bridge hello time      2.00
forward delay           15.00                bridge forward delay   15.00
ageing time             300.00               gc interval            4.00
hello timer             2.00                 tcn timer              0.00
topology change timer   0.00                 gc timer               1.89
flags
SWITCH(bridge)#

8.4.3.5 Port Priority
When all other conditions of two routes are equal, the last criterion is the port priority. It too can be configured so that the route can be chosen manually. To configure the port priority, use the following command.

Command                                    Mode     Description
set stp port-priority NAME PORT <0-255>    Bridge   Configures the port priority. (Default: 128)

The following is an example of changing the port priority of br1 port 1 to 10 and checking it. The port ID shown is the port priority in hex followed by the port number (8001 before, 0a01 after).

SWITCH(bridge)# show stp br1 1
bridge id               8001.00d0cb0ac03a    mode                   STP
bridge VLAN id          1
(omitted)
eth01 (1)
port id                 8001                 state                  forwarding
VLAN tag                untagged             current # of MACs      0
designated root         0001.00d0cb0a003f    path cost              19
designated bridge       8001.00d0cb0aab8f    message age timer      300.00
designated port         8003                 forward delay timer    0.00
designated cost         200                  hold timer             0.00
port migrate            SENDING_STP
flags
SWITCH(bridge)# set stp port-priority br1 1 10
SWITCH(bridge)# show stp br1 1
bridge id               8001.00d0cb0ac03a    mode                   STP
bridge VLAN id          1
(omitted)
eth01 (1)
port id                 0a01                 state                  forwarding
VLAN tag                untagged             current # of MACs      0
designated root         0001.00d0cb0a003f    path cost              19
designated bridge       8001.00d0cb0aab8f    message age timer      300.00
designated port         8003                 forward delay timer    0.00
designated cost         200                  hold timer             0.00
port migrate            SENDING_STP
flags
SWITCH(bridge)#


8.4.4 Configuring BPDU Transmission

Switches running STP exchange Bridge Protocol Data Units (BPDUs) to find the best path. The following BPDU timers can be configured.

Hello time
The interval at which a switch transmits BPDUs. It can be configured from 1 to 10 seconds; the default is 2 seconds.

Max Age
The root switch keeps sending updated information based on what it hears from the other switches. On a large network a BPDU takes time to propagate, and if the topology changes while it is in transit the information it carries is stale. To discard stale information, each BPDU carries a max age: a switch that has not heard a fresh BPDU for that long discards the stored information and starts a new election.

Forward Delay
A switch that has just learned the location of the other switches from received BPDUs does not forward packets immediately; it waits in the listening state and then the learning state before forwarding. The time spent in each of those states is the forward delay.

The hello time, max age and forward delay in effect on the LAN are those advertised by the root switch; the values configured on a non-root switch are used only if that switch becomes the root.

8.4.4.1 Hello Time
Hello time is the interval at which a switch transmits BPDUs. To configure it, use the following command.

Command                           Mode     Description
set stp hello-time NAME <1-10>    Bridge   Configures the hello time in seconds. (Default: 2)

The following is an example of configuring the hello time of br1 as 5 seconds.

SWITCH(bridge)# set stp hello-time br1 5
SWITCH(bridge)#

8.4.4.2 Forward Delay
Forward delay is the time a port spends in each of the listening and learning states before it reaches forwarding. To configure it, use the following command.

Command                              Mode     Description
set stp forward-delay NAME <4-30>    Bridge   Configures the forward delay in seconds. (Default: 15)


The following is an example of configuring the forward delay of br1 as 10 seconds.

SWITCH(bridge)# set stp forward-delay br1 10
SWITCH(bridge)#

8.4.4.3 Max Age
Max age is how long the information received in a BPDU stays valid. To configure it, use the following command.

Command                        Mode     Description
set stp max-age NAME <6-40>    Bridge   Configures the max age in seconds. (Default: 20)

The following is an example of configuring the max age of br1 as 15 seconds.

SWITCH(bridge)# set stp max-age br1 15
SWITCH(bridge)#

Max age must be less than twice the forward delay and more than twice the hello time. 802.1D states the exact relations: 2 x (forward delay - 1) >= max age >= 2 x (hello time + 1), all in seconds. The defaults 2, 15 and 20 satisfy them, as do the values 5, 10 and 15 used in the examples above.
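Because the three timers are set with three separate commands, it is easy to end up with a set the switch will accept one by one but that violates the relations above. The following Python script is an added example, not part of this manual: it checks a proposed hello time, forward delay and max age against the value ranges of the command tables in 8.4.4 and against the two 802.1D inequalities, and only then produces the command lines. The bridge name br1 is the one used in the examples above.

```python
"""Consistency check for the STP timers set in 8.4.4.1 to 8.4.4.3.

Added example; not part of the Dasan manual. The ranges are those of the
command tables; the inequalities are the 802.1D requirements.
"""

RANGES = {"hello_time": (1, 10), "forward_delay": (4, 30), "max_age": (6, 40)}


def check_stp_timers(hello_time=2, forward_delay=15, max_age=20):
    """Return a list of problems; an empty list means the set is consistent.

    802.1D requires, in seconds:
        2 * (forward_delay - 1) >= max_age   # stale information expires before a port forwards
        max_age >= 2 * (hello_time + 1)      # one lost hello does not look like a dead root
    The defaults 2 / 15 / 20 satisfy both.
    """
    values = {"hello_time": hello_time, "forward_delay": forward_delay, "max_age": max_age}
    problems = []
    for name, (lo, hi) in RANGES.items():
        if not lo <= values[name] <= hi:
            problems.append(f"{name}={values[name]} outside <{lo}-{hi}>")
    if 2 * (forward_delay - 1) < max_age:
        problems.append(f"max_age {max_age} > 2*(forward_delay-1) = {2 * (forward_delay - 1)}")
    if max_age < 2 * (hello_time + 1):
        problems.append(f"max_age {max_age} < 2*(hello_time+1) = {2 * (hello_time + 1)}")
    return problems


def stp_timer_commands(bridge, hello_time=2, forward_delay=15, max_age=20):
    """CLI lines for a consistent timer set; raises ValueError listing the problems otherwise."""
    problems = check_stp_timers(hello_time, forward_delay, max_age)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"set stp hello-time {bridge} {hello_time}",
            f"set stp forward-delay {bridge} {forward_delay}",
            f"set stp max-age {bridge} {max_age}"]


if __name__ == "__main__":
    print(check_stp_timers(5, 10, 15))      # the values from the examples above: consistent
    print(check_stp_timers(2, 4, 20))       # forward delay too short for this max age
    print(stp_timer_commands("br1", 5, 10, 15))
```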

8.4.4.4 Checking BPDU Configuration

To display the BPDU configuration, use the following command.

Command          Mode                Description
show stp NAME    Top/Global/Bridge   Shows the BPDU parameters of the specified bridge.

The following is an example of checking the above configuration. The bridge max age, bridge hello time and bridge forward delay lines show the values configured on this switch (15, 5 and 10); the max age, hello time and forward delay lines show the values currently in effect, which come from the root switch.

SWITCH(bridge)# show stp br1
bridge id               8001.00d0cb0ac03a    mode                   STP
bridge VLAN id          1
designated root         0001.00d0cb0a003f    path cost              0
root port               1
max age                 20.00                bridge max age         15.00
hello time              2.00                 bridge hello time      5.00
forward delay           15.00                bridge forward delay   10.00
ageing time             300.00               gc interval            4.00
topology change timer   0.00                 gc timer               1.89
flags
SWITCH(bridge)#


8.5 Loop Detection
A loop can occur when redundant links are used between switches: an unknown-unicast or multicast packet sent onto such a topology circulates endlessly, and the resulting flood of traffic eventually brings the network down. To prevent this, the V1624 provides a loop detection function. It works as follows: the switch periodically sends a loop-detecting packet out of every port at a configured interval; if it later receives one of its own loop-detecting packets back, it performs the configured action. To enable or disable loop detection globally, use the following command.

Command                               Mode     Description
set loop-detect {enable | disable}    Bridge   Enables/disables loop detection globally.

Before any of the per-port loop detection commands below can be used, loop detection must be enabled with set loop-detect enable; otherwise those commands return an error.

To configure loop detection on a port, use the following commands.

Command                                  Mode     Description
set loop-detect PORTS                    Bridge   Enables loop detection on the specified ports.
set loop-detect PORTS period <1-60>      Bridge   Sets the interval, in seconds, at which the loop-detecting packet is sent. (Default: 30)
set loop-detect PORTS block              Bridge   Enables the blocking option: the port is automatically set to the BLOCKED state when a loop is detected on it. (Default: disabled)
set loop-detect PORTS timer <0-86400>    Bridge   Sets the time, in seconds, after which a blocked port returns to NORMAL. With 0 the port stays blocked until it is unlocked. (Default: 600)
set loop-detect PORTS unlock             Bridge   Forces a blocked port back to NORMAL.

You can also choose the source MAC address of the loop-detecting packet. Normally it is the system MAC address of the switch, but a Locally Administered Address (LAA) can be used instead. With LAA selected, the switch sets the locally administered bit, which is the second-lowest bit of the first byte of the address (value 0x02); the group bit (0x01) is left clear. For example, if the switch's MAC address is 00:D0:CB:00:00:01, the source MAC address becomes 02:D0:CB:00:00:01.
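The mechanism described in this section (a probe sent per port every period seconds, a port blocked when its own probe comes back, and an automatic return to NORMAL after timer seconds unless timer is 0) can be modelled in a few dozen lines. The following Python script is an added example, not the V1624 implementation. The probe frame layout (broadcast destination, a made-up EtherType 0x88b9, and a payload of sending port number plus sequence number) is constructed for the example; so is the choice to block the port on which the probe came back. The LAA transformation is the rule stated above.

```python
"""Loop-detection probe and block/unblock timer, modelled on 8.5.

Added example; not the V1624 implementation. Frame layout, EtherType and the
"block the receiving port" choice are assumptions made for the example.
"""
import struct

PROBE_ETHERTYPE = 0x88B9          # assumption: any value unused by real traffic would do
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def laa_source_mac(system_mac):
    """Set the locally administered bit (bit 1 of the first octet, 0x02).

    00:D0:CB:00:00:01 -> 02:d0:cb:00:00:01. Bit 0 (0x01) is the group bit and
    stays clear, so the result is still a valid unicast source address.
    """
    raw = bytearray(mac_bytes(system_mac))
    raw[0] |= 0x02
    return mac_text(raw)


class LoopDetector:
    def __init__(self, system_mac, ports, period=30, block=False, timer=600, srcmac="system"):
        self.src = mac_bytes(laa_source_mac(system_mac) if srcmac == "laa" else system_mac)
        self.period, self.block, self.timer = period, block, timer
        self.seq = 0
        self.state = {p: "NORMAL" for p in ports}      # NORMAL or BLOCKED, as 'show loop-detect' reports
        self.blocked_at = {}
        self.last_sent = {p: -period for p in ports}  # so the first probe goes out at once
        self.loops = []                                 # (sent_on, received_on) pairs observed

    def probe(self, port, now):
        """Frame to send on 'port' if its period has elapsed, else None."""
        if now - self.last_sent[port] < self.period:
            return None
        self.last_sent[port] = now
        self.seq += 1
        return BROADCAST + self.src + struct.pack("!HHI", PROBE_ETHERTYPE, port, self.seq)

    def receive(self, port, frame, now):
        """Inspect an incoming frame; True when it is one of our own probes (a loop)."""
        if frame[12:14] != struct.pack("!H", PROBE_ETHERTYPE) or frame[6:12] != self.src:
            return False                               # data, or another switch's probe
        sent_on, _seq = struct.unpack("!HI", frame[14:20])
        self.loops.append((sent_on, port))
        if self.block and self.state[port] == "NORMAL":
            self.state[port] = "BLOCKED"               # assumption: the receiving port is blocked
            self.blocked_at[port] = now
        return True

    def tick(self, now):
        """Unblock ports whose timer expired; timer 0 means blocked until 'unlock'."""
        for port, since in list(self.blocked_at.items()):
            if self.timer and now - since >= self.timer:
                self.unlock(port)

    def unlock(self, port):
        """'set loop-detect PORTS unlock'"""
        self.state[port] = "NORMAL"
        self.blocked_at.pop(port, None)


if __name__ == "__main__":
    sw = LoopDetector("00:D0:CB:00:00:01", ports=range(1, 27), block=True, srcmac="laa")
    frame = sw.probe(3, now=0)
    print(mac_text(frame[6:12]))                       # 02:d0:cb:00:00:01
    print(sw.receive(5, frame, now=1), sw.state[5])    # probe sent on port 3 came back on port 5
    sw.tick(now=601)
    print(sw.state[5])
```

A probe from another switch is ignored because its source address differs, which is why the source MAC of the probe is part of the configuration: two switches with the same source address (for example after a MAC address was cloned) would block each other's ports.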


To configure the source MAC address of the loop-detecting packet, use the following command.

Command                          Mode     Description
set loop-detect srcmac laa       Bridge   Uses an LAA as the source MAC address of the loop-detecting packet.
set loop-detect srcmac system    Bridge   Uses the system MAC address as the source MAC address of the loop-detecting packet. (Default)

To change the source MAC address of the detection packets, first disable loop detection on the ports with the clear loop-detect command. To disable loop detection on a port, use the following commands.

Command                          Mode         Description
clear loop-detect PORTS          Top/Global   Disables loop detection on the specified ports.
clear loop-detect PORTS block    Top/Global   Disables the blocking option on the specified ports.

To display the loop detection configuration, use the following command.

Command                     Mode                Description
show loop-detect [PORTS]    Top/Global/Bridge   Shows the loop detection configuration.

Loop detection cannot be used together with LACP. If a port belongs to a VLAN in which STP is enabled, the blocking option cannot be enabled on that port. To use loop detection while STP is running, use the self loop detection described below, which carries the loop detection information in the BPDUs.

To enable or disable self loop detection, use the following command.

Command                                    Mode     Description
set self-loop-detect {enable | disable}    Bridge   Enables/disables self loop detection.

To display the current status of self loop detection, use the following command.

Command                  Mode     Description
show self-loop-detect    Bridge   Shows the current status of self loop detection.


The following is an example of enabling self loop detection. A dot in the Loop row means no loop has been detected on that port.

SWITCH(bridge)# set self-loop-detect enable
SWITCH(bridge)# show self-loop-detect
self-loop detection enabled
----------------------------------
       |         1         2
Port   |12345678901234567890123456
-------+--------------------------
Loop   |..........................
SWITCH(bridge)#

8.6 Single IP Management
Switch cascading offers two main benefits. The first is the ability to manage a group of switches through one IP address. The second is the ability to interconnect two or more switches into a distributed fabric that behaves on the network as one unified system. The V1624 provides both, and a single IP address can manage up to 16 units.
Fig. 8.15 Cascading of Switches: the master switch (Switch A) is reachable from the Internet, and the slave switches (Switch B, Switch C) behind it are managed through the same IP address.

Step 1 Assign an IP address to the master switch in Interface Configuration mode and activate the interface with no shutdown (refer to 4.5 Assigning IP Address). Once the switches are connected, the other switches are managed through the IP address of the master switch.


Step 2 Configure the master switch with the following command in Bridge Configuration mode.

Command             Mode     Description
set stack master    Bridge   Configures this switch as the master switch.

Step 3 On the master switch, specify the VLAN (bridge) to which the slave switches belong.

Command                   Mode     Description
set stack device NAME     Bridge   Selects the VLAN on the master switch to which the slave switches belong.

To manage a switch group, the ports that connect the master switch to the slave switches must be in the same VLAN.

Step 4 Add a switch to, or delete a switch from, the switch group with the following commands.

Command                               Mode     Description
set stack add MAC-ADDR DESCRIPTION    Bridge   Adds a slave switch to the switch group.
set stack del MAC-ADDR                Bridge   Deletes a slave switch from the switch group.

Switches belonging to different VLANs cannot be added to the same switch group.

Step 5 Configure each slave switch with the following command in Bridge Configuration mode.

Command            Mode     Description
set stack slave    Bridge   Configures this switch as a slave switch connected to the master switch.

Every slave switch connected to the master switch must be enabled in this way.

Step 6 On the slave switch, specify its VLAN with the following command.

Command                   Mode     Description
set stack device NAME     Bridge   Selects the VLAN of the slave switch.


Step 7 Check the stacking configuration with the following command.

Command       Mode                Description
show stack    Top/Global/Bridge   Shows information about the master and slave switches.

The following is an example of configuring SWITCH A as master and SWITCH B as slave, and checking the stack.

<SWITCH A>
SWITCH_A(bridge)# set stack device br1
SWITCH_A(bridge)# set stack add 00:d0:cb:22:00:11
SWITCH_A(bridge)# set stack master

<SWITCH B>
SWITCH_B(bridge)# set stack slave
SWITCH_B(bridge)# set stack device br1

<SWITCH A>
SWITCH_A(bridge)# show stack
device : br1        node ID : 1
node   MAC address         status   type   name       port
1      00:d0:cb:0a:00:aa   active   S212   SWITCH_A   26
2      00:d0:cb:22:00:11   active   S212   SWITCH_B   26
SWITCH_A(bridge)#

<SWITCH B>
SWITCH_B(bridge)# show stack
device : br1        node ID : 2
SWITCH_B(bridge)#

After the switch group is configured, the slave switches can be configured and managed from the master. rcommand followed by the node number of a slave switch opens a Telnet session to that switch, in which you configure it with the usual DSH commands; exit closes the session and returns to the master. To connect to a slave switch, use the following command.

Command          Mode     Description
rcommand NODE    Bridge   Connects to the slave switch with node number NODE.


The NODE number is assigned in the order in which the switches were stacked.

The following is an example of connecting from the master switch to slave switch 3. The session is a clear-text Telnet login; the password shown is the one typed in this example and should not be left in use on a production switch.

SWITCH(bridge)# rcommand 3
Trying 127.1.0.1(23)...
Connected to 127.1.0.1.
Escape character is '^]'.
SWITCH login: root
Password: vertex25
SWITCH#
SWITCH# exit
Connection closed by foreign host.
SWITCH(bridge)#

Step 8 To disable stacking, use the following command.

Command        Mode     Description
clear stack    Bridge   Disables the stacking function.

8.7 Rate Limit
The bandwidth of each port can be limited to suit the environment. This prevents one port from monopolising the whole bandwidth, so that all ports get a fair share. Egress and ingress can be limited to the same value or to different values. To configure the bandwidth of a port, use the following command.

Command                                  Mode     Description
set rate PORT RATE [egress | ingress]    Bridge   Configures the port bandwidth in Mbps. With egress or ingress, only outgoing or only incoming packets are limited.

If neither egress nor ingress is given, both directions are set to the same value. Directions are seen from the switch: egress is traffic leaving the port toward the attached host (what the user's PC receives), ingress is traffic arriving at the port from the host. The ordinary ingress rate limit simply drops whatever exceeds the configured bandwidth. The current V1624 release can instead send a pause frame to the link partner first when the bandwidth is exceeded, and drop packets only if the excess continues. To configure this enhanced ingress rate limit, use the following command.

Command                                Mode     Description
set rate PORT RATE ingress enhanced    Bridge   Configures the ingress rate limit to use pause frames before dropping.


To display the configured port bandwidth, use the following command.

Command      Mode                Description
show rate    Top/Global/Bridge   Shows the configured port bandwidth.

To delete a configured port bandwidth, use the following command.

Command                                    Mode     Description
clear rate PORT RATE [egress | ingress]    Bridge   Deletes the configured port bandwidth.

The following is an example of configuring the bandwidth of port 1 as 64 Mbps in both directions, the ingress bandwidth of port 2 as 52 Mbps and the enhanced ingress bandwidth of port 3 as 64 Mbps, and checking the result.

SWITCH(bridge)# set rate 1 64
SWITCH(bridge)# set rate 2 52 ingress
SWITCH(bridge)# set rate 3 64 ingress enhanced
SWITCH(bridge)# show rate
----------------------------------------------------------------
 Port   Ingress        Egress        | Port   Ingress        Egress
--------------------------------+-------------------------------
 1      64( 64.000)    64( 64.000)   | 2      52( 52.000)    N/A
 3      64(Enhanced)   N/A           | 4      N/A            N/A
(Omitted)
SWITCH(bridge)#

8.8 Flood-Guard
Flood-guard limits the number of packets that may be transmitted per second, whereas the rate limit described in 8.7 Rate Limit controls the width of the bandwidth through which packets pass.

Fig. 8.16 Rate Limit and Flood Guard: with a rate limit the bandwidth of the port is controlled; with flood-guard n packets per second are allowed (packets 1 to n) and packets n+1, n+2, ... are thrown away.


The V1624 supports flood-guard based on the port and based on the MAC address:
Configuring Port based Flood-guard
Configuring Flood-guard based on MAC Address

8.8.1 Configuring Port based Flood-guard

To limit the number of packets transmitted on a port per second, use the following commands.

Command                        Mode     Description
set flood-guard PORT COUNT     Bridge   Limits the number of packets transmitted on the port per second.
clear flood-guard PORT         Bridge   Disables the configured flood-guard.

To display the flood-guard configuration, use the following command.

Command             Mode                Description
show flood-guard    Top/Global/Bridge   Shows the configured flood-guard.

The following is an example of limiting the number of packets that can be transmitted on port 1 to 10,000 per second.

SWITCH(bridge)# set flood-guard 1 10000
SWITCH(bridge)# show flood-guard
--------------------------------
 Port  Rate(fps) | Port  Rate(fps)
----------------+---------------
 1     10000     | 2     N/A
 3     N/A       | 4     N/A
 5     N/A       | 6     N/A
 7     N/A       | 8     N/A
 9     N/A       | 10    N/A
 11    N/A       | 12    N/A
 13    N/A       | 14    N/A
 15    N/A       | 16    N/A
 17    N/A       | 18    N/A
 19    N/A       | 20    N/A
 21    N/A       | 22    N/A
 23    N/A       | 24    N/A
 25    N/A       | 26    N/A
SWITCH(bridge)#


8.8.2 Configuring Flood-guard based on MAC Address

If a limit is configured on the number of frames per second that may come from one MAC address, a MAC address that sends more frames than the limit is blocked for some time. To configure the limit, use the following commands.

Command                                   Mode     Description
set mac-flood-guard PORT <1-2000000>      Bridge   Limits the number of packets per second that may carry the same source MAC address.
clear mac-flood-guard PORT                Bridge   Disables the configured MAC flood-guard.

To display the MAC flood-guard configuration, use the following command.

Command                          Mode                Description
show mac-flood-guard [macs]      Top/Global/Bridge   Shows the configuration of the MAC flood-guard. macs: lists the blocked MAC addresses.
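The three mechanisms of 8.7, 8.8.1 and 8.8.2 act on different quantities, and the difference matters for a broadcast storm or a flood of minimum-size frames, which carries few bytes but many packets. The following Python script is an added example, not the V1624 implementation: it models a rate limit as a token bucket in bytes per second, a port flood-guard as a frames-per-second counter and the MAC flood-guard as the same counter kept per source address with the offender blocked, then feeds all three the same constructed traffic. The burst size of the token bucket and the 60-second block time of the MAC flood-guard are assumptions (the manual says only "for some time"); the frame stream and MAC addresses are constructed for the example.

```python
"""Rate limit (8.7) versus flood-guard (8.8.1) and MAC flood-guard (8.8.2).

Added example; not the V1624 implementation. Burst size and MAC block time
are assumptions; the traffic below is constructed.
"""
from collections import defaultdict


class TokenBucket:
    """Rate limit in Mbit/s: a frame that does not fit in the bucket is dropped."""

    def __init__(self, mbps, burst_bytes=None):
        self.rate = mbps * 1_000_000 / 8                 # bytes per second
        self.capacity = burst_bytes or self.rate / 10    # assumption: 100 ms of burst
        self.tokens = self.capacity
        self.last = 0.0

    def allow(self, size, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class FloodGuard:
    """'set flood-guard PORT COUNT': at most COUNT frames per one-second window."""

    def __init__(self, count):
        self.count, self.window, self.seen = count, -1, 0

    def allow(self, now):
        window = int(now)
        if window != self.window:
            self.window, self.seen = window, 0
        self.seen += 1
        return self.seen <= self.count


class MacFloodGuard:
    """'set mac-flood-guard PORT COUNT': per source MAC, and the offender is blocked."""

    def __init__(self, count, block_seconds=60):         # block duration is an assumption
        self.count, self.block_seconds = count, block_seconds
        self.window, self.seen = -1, defaultdict(int)
        self.blocked_until = {}

    def allow(self, src_mac, now):
        if now < self.blocked_until.get(src_mac, -1):
            return False
        window = int(now)
        if window != self.window:
            self.window, self.seen = window, defaultdict(int)
        self.seen[src_mac] += 1
        if self.seen[src_mac] > self.count:
            self.blocked_until[src_mac] = now + self.block_seconds
            return False
        return True

    def blocked_macs(self, now):
        """What 'show mac-flood-guard macs' would list."""
        return sorted(m for m, until in self.blocked_until.items() if now < until)


def run(frames, rate_mbps, flood_count, mac_count):
    """frames: [(time_s, src_mac, size_bytes)]; returns frames passed by each mechanism."""
    bucket, guard, mac_guard = TokenBucket(rate_mbps), FloodGuard(flood_count), MacFloodGuard(mac_count)
    passed = {"rate": 0, "flood": 0, "mac": 0}
    for t, src, size in frames:
        passed["rate"] += bucket.allow(size, t)
        passed["flood"] += guard.allow(t)
        passed["mac"] += mac_guard.allow(src, t)
    return passed, mac_guard


# Constructed traffic: 20,000 minimum-size frames in one second from one host (a broadcast
# storm pattern, about 10 Mbit/s) and a single bulk transfer of 100 full-size frames from another.
STORM = [(i / 20_000, "00:11:22:33:44:55", 64) for i in range(20_000)]
BULK = [(1.5 + i / 100, "00:aa:bb:cc:dd:ee", 1500) for i in range(100)]

if __name__ == "__main__":
    passed, mac_guard = run(sorted(STORM + BULK), rate_mbps=64, flood_count=10_000, mac_count=5_000)
    print(passed)                          # the 64 Mbit/s rate limit passes the whole storm
    print(mac_guard.blocked_macs(now=2.0))
```

With a 64 Mbit/s rate limit every storm frame passes, because 20,000 frames of 64 bytes are only about 10 Mbit/s; the port flood-guard stops the storm at 10,000 frames, and the MAC flood-guard stops it at 5,000 and blocks the offending address while letting the other host's transfer through.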

8.9 Configuring Bandwidth-share-Group
The V1624 can guarantee a minimum bandwidth to each port of a group while keeping the group as a whole within a maximum bandwidth. The maximum bandwidth configured for the group must not be less than the minimum guaranteed bandwidths of its ports; beyond its guaranteed minimum, a port's bandwidth depends on the traffic load. A port of the group that receives a lot of traffic can use the bandwidth of another port of the group that receives none; as soon as traffic arrives at the idle port, its guaranteed minimum is returned to it. In this way every port keeps its guaranteed minimum and a heavily loaded port can borrow the rest.

This function cannot be used together with the rate limit. To put a port that has a rate limit into a bandwidth-share-group, disable its rate limit first. First create a group with the following command.

Command                                                  Mode     Description
bandwidth-share-group NAME {ingress | egress} BANDWIDTH  Bridge   Creates the group NAME. BANDWIDTH is the maximum bandwidth of the group in Mbps.

After creating the group, assign ports as its members with the following command.

Command                                             Mode     Description
bandwidth-share-group NAME member PORT BANDWIDTH    Bridge   Assigns the port(s) to the group NAME. BANDWIDTH is the minimum guaranteed bandwidth of each port in Mbps.


The following example creates group A with a maximum ingress bandwidth of 100 Mbps, assigns ports 2 to 6 to it with a minimum guaranteed bandwidth of 10 Mbps each, and checks the result.

SWITCH(bridge)# bandwidth-share-group A ingress 100
SWITCH(bridge)# bandwidth-share-group A member 2-6 10
SWITCH(bridge)# show running-config
(Omitted)
bandwidth-share-group A ingress 100
bandwidth-share-group A member 2-6 10
!
(Omitted)

To delete a bandwidth-share-group or a port from a group, use the following commands.

Command                                      Mode     Description
no bandwidth-share-group NAME                Bridge   Deletes the group NAME.
no bandwidth-share-group NAME member PORT    Bridge   Deletes the port from the group NAME.


8.10 NAT
NAT (Network Address Translation) lets the internal network use private IP addresses. This conserves the limited supply of public IP addresses and also helps security, because the addresses of the internal network are not exposed outside. The V1624 supports static NAT, Port Address Translation (PAT) and dynamic NAT. This section describes how to configure NAT. It contains these sections:
Configuring Static NAT
Configuring PAT
Configuring IP Masquerade
Configuring Dynamic NAT
Substituting DNS
Additional Functions
IP Filtering

8.10.1 Configuring Static NAT

Static NAT maps a private IP address to a public IP address one-to-one for communication with the external network. A switch with static NAT enabled rewrites the private source address of packets leaving the internal network to the corresponding public address: A is rewritten to P and B to Q, and so on. This one-to-one rewriting of private to public addresses is called static NAT. To configure static NAT, use the following command.

Command                                         Mode     Description
ip nat statistic PUBLIC-ADDR PRIVATE-ADDR       Global   Configures a static NAT entry.
no ip nat statistic PUBLIC-ADDR PRIVATE-ADDR    Global   Deletes the static NAT entry.

8.10.2 Configuring PAT

The V1624 provides PAT (Port Address Translation), which converts IP addresses in the local network to the public IP addresses configured on the switch in order to access the public network. To configure PAT, use the following command.

Command (Mode: Global):
  ip nat pat A.B.C.D/M
      Converts local IP addresses in the local network to a public IP address to access the public network. A.B.C.D/M: subnet to NAT
  no ip nat pat A.B.C.D/M
      Disables PAT for the applicable local network.

If PAT is enabled with this command, the public IP address used to access the public network is selected automatically according to the applicable rule.


8.10.3 Configuring IP Masquerade

IP masquerade makes several local IP addresses appear as one public IP address when they communicate with the external network. That is, data sent from each different local IP address looks as if it was sent from a single public IP address. To configure IP masquerade, use the following command.

Command (Mode: Global):
  ip nat masq-address A.B.C.D
      Assigns a specific public IP address to access the public network. A.B.C.D: public IP address
  no ip nat masq-address A.B.C.D
      Disables IP masquerade.

8.10.4 Configuring Dynamic NAT

In Dynamic NAT, the switch specifies a pool of valid public IP addresses. When a packet with a private source IP address goes out, a public IP address from the specified pool is used as its source address. If M is the number of public IP addresses and N is the number of private IP addresses, N private addresses are translated to M public ones, so Dynamic NAT is also called N:M translation. Even when the public IP pool is exhausted, addresses can still be assigned through PAT. To configure Dynamic NAT, use the following command.

Command (Mode: Global):
  ip nat pool A.B.C.D A.B.C.D
      Configures Dynamic NAT. A.B.C.D: lowest/highest IP address in the address pool
  no ip nat pool
      Disables Dynamic NAT.

Note: The lowest address is the IP address at which the IP pool starts, and the highest address is the IP address at which it ends.

8.10.5 Substituting DNS

When a host in the private network tries to connect to a domain name in the same network, the V1624 has a DNS (Domain Name Server) function that substitutes the private IP address for the public IP address. To configure DNS substitution, use the following command.

Command (Mode: Global):
  ip nat dns
      Configures DNS, which substitutes the private IP address for the public IP address of a domain name.
  no ip nat dns
      Disables DNS.
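The translation behaviour described in 8.10.1 to 8.10.4 (a static one-to-one mapping, a dynamic pool used N:M, and the fall-back to PAT on the masquerade address once the pool is exhausted), together with the reverse lookup that leaves an unsolicited inbound packet with no private destination, as an added illustration in Python. This is not V1624 code: the NatTable class, the address values (public addresses from the documentation range 203.0.113.0/24) and the rule that PAT ports are handed out sequentially from 40000 are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the NAT modes in this section (not V1624 code).


@dataclass
class NatTable:
    static: Dict[str, str] = field(default_factory=dict)     # private -> public (one-to-one)
    pool: List[str] = field(default_factory=list)            # ip nat pool LOW HIGH
    dynamic: Dict[str, str] = field(default_factory=dict)    # private -> public taken from the pool
    masq_address: Optional[str] = None                       # ip nat masq-address
    pat: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (private ip, port) -> public port
    next_pat_port: int = 40000                               # assumed PAT port allocation start

    def add_static(self, public: str, private: str) -> None:
        """Static NAT: A is always translated to P."""
        self.static[private] = public

    def set_pool(self, lowest: str, highest: str) -> None:
        """Dynamic NAT pool from the lowest to the highest address, inclusive."""
        lo = int(ipaddress.IPv4Address(lowest))
        hi = int(ipaddress.IPv4Address(highest))
        self.pool = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int, str]:
        """Translate an outgoing flow; returns (public ip, public port, mode)."""
        if src_ip in self.static:
            return self.static[src_ip], src_port, "static"
        if src_ip in self.dynamic:
            return self.dynamic[src_ip], src_port, "dynamic"
        in_use = set(self.dynamic.values())
        for public in self.pool:                       # first free pool address
            if public not in in_use:
                self.dynamic[src_ip] = public
                return public, src_port, "dynamic"
        # Pool exhausted: fall back to PAT on the masquerade address.
        if self.masq_address is None:
            raise RuntimeError("public pool exhausted and no masq-address configured")
        key = (src_ip, src_port)
        if key not in self.pat:
            self.pat[key] = self.next_pat_port
            self.next_pat_port += 1
        return self.masq_address, self.pat[key], "pat"

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a packet arriving from outside back to the private host.
        None means no translation state exists, so the packet has nowhere to
        go; this is how the internal addresses stay unreachable from outside."""
        for table in (self.static, self.dynamic):
            for private, public in table.items():
                if public == dst_ip:
                    return private, dst_port
        if dst_ip == self.masq_address:
            for (private, sport), pport in self.pat.items():
                if pport == dst_port:
                    return private, sport
        return None


def demo() -> Tuple[NatTable, List[Tuple[str, int, str]]]:
    """Two-address pool, one static mapping, four private hosts: the fourth
    host finds the pool exhausted and is translated by PAT instead."""
    nat = NatTable()
    nat.add_static("203.0.113.10", "192.168.1.10")      # A -> P
    nat.set_pool("203.0.113.20", "203.0.113.21")         # M = 2 public addresses
    nat.masq_address = "203.0.113.1"
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"]
    results = [nat.outbound(ip, 5000) for ip in hosts]  # N = 4 private hosts
    return nat, results


if __name__ == "__main__":
    table, out = demo()
    for host, (pub, port, mode) in zip(
            ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"], out):
        print(f"{host}:5000 -> {pub}:{port} ({mode})")
    print("unsolicited inbound to 203.0.113.1:1234 ->", table.inbound("203.0.113.1", 1234))
```

The static mapping is consulted before the pool, so host A keeps its fixed public address P regardless of pool state; the pool is first-free rather than round-robin, which is one of the assumptions above.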


8.10.6 Additional Functions

To use other application programs with the configured NAT IP address, use the following commands.

Command (Mode: Global):
  ip nat helper {cuseeme | dialpad | ftp | irc | quake | raudio | vdolive}
      Helps the masqueraded IP address be applied to applications such as Dialpad and FTP server programs.
  ip nat autofw {udp | tcp} LOW-NUMBER HIGH-NUMBER {udp | tcp} PORT
      Traffic from the port number configured at LOW-NUMBER to the port number configured at HIGH-NUMBER goes out with the assigned port number, by the designated protocol.
  ip nat portfw {udp | tcp} LOCAL-ADDR PORT REMOTE-ADDR PORT [PREFERENCE-LEVEL]
      Converts the port of an IP address, and of another application not configured in the router, into the IP address and port to be communicated with.

To disable the above configurations, use the following commands.

Command (Mode: Global):
  no ip nat helper {cuseeme | dialpad | ftp | irc | quake | raudio | vdolive}
  no ip nat autofw {udp | tcp} LOW-NUMBER HIGH-NUMBER {udp | tcp} PORT
  no ip nat portfw {udp | tcp} LOCAL-ADDR PORT REMOTE-ADDR PORT
      Deletes the configured NAT.

To check the NAT configuration, use the following command.

Command (Mode: Global):
  show ip nat
      Shows the configuration for NAT.


8.10.7 IP Filtering

When IP NAT is enabled, packets are sent up to the CPU to perform NAT, and only some of those packets may be wanted. To filter the packets processed by the CPU, use IP filtering. To enable IP filtering, use the following command.

Command (Mode: Global):
  ip filter add {permit | deny} {SRC-ADDR | any} {DES-ADDR | any}
      Configures a basic policy for incoming packets.
  ip filter add {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} {icmp | udp | tcp} {SRC-PORT | any} {DES-PORT | any} [interface NAME]
      Configures a new policy for incoming packets. You can also configure a specific port of the address.
  ip filter add {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} interface NAME
      Configures a basic policy for incoming packets. You can also configure a specific interface.
  ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp [forward]
  ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} [forward]
  ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} interface NAME [forward]
      Configures a new policy for ICMP packets.
  ip filter add {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT forward
  ip filter add {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT interface INTERFACE forward
  ip filter add {permit | deny} SRC-ADDR DES-ADDR forward
  ip filter add {permit | deny} SRC-ADDR DES-ADDR interface INTERFACE forward
      Configures a basic policy for forwarded packets.


To delete a configured IP packet filtering policy, use the following commands.

Command (Mode: Global):
  no ip filter add {permit | deny} {SRC-ADDR | any} {DES-ADDR | any}
  no ip filter add {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} {icmp | udp | tcp} {SRC-PORT | any} {DES-PORT | any} [interface NAME]
  no ip filter add {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} interface NAME
  no ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp [forward]
  no ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} [forward]
  no ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} interface NAME [forward]
  no ip filter add {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT forward
  no ip filter add {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT interface INTERFACE forward
  no ip filter add {permit | deny} SRC-ADDR DES-ADDR forward
  no ip filter add {permit | deny} SRC-ADDR DES-ADDR interface INTERFACE forward
      Deletes the configured IP packet filtering policy.

When using the command ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE}, the user needs to choose the values of TYPE and CODE. The following command shows the list of values.

Command (Mode: Top/Global):
  show ip filter icmp type-list
      Shows the list of type and code values for ICMP packets.

Each configured IP filtering policy gets a sequential rule number, and you can refer to a policy by its rule number when configuring another one. To display the configured IP filtering policies in sequence, use the following command.

Command (Mode: Top/Global):
  show ip filter
      Shows the configured IP filtering policies in sequence.

The following is an example of configuring an IP filtering policy that blocks packets from 172.16.89.200/16 to 172.16.30.15/16 while allowing ICMP.


SWITCH(config)# ip filter add permit 172.16.89.200/16 172.16.30.15/16 icmp any any
SWITCH(config)# ip filter add deny 172.16.89.200/16 172.16.30.15/16
SWITCH(config)# show ip filter
Chain input (policy ACCEPT):
target  prot  opt     source          destination     ports
ACCEPT  icmp  ------  172.16.0.0/16   172.16.0.0/16   any -> any
DENY    all   ------  172.16.0.0/16   172.16.0.0/16   n/a

Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
SWITCH(config)#

To change the order of IP packet filtering policies, use the following commands to insert a policy among the existing ones.

Command (Mode: Global):
  ip filter insert RULE-NUMBER {permit | deny} {SRC-ADDR | any} {DES-ADDR | any}
  ip filter insert RULE-NUMBER {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} {icmp | udp | tcp} {SRC-PORT | any} {DES-PORT | any} [interface NAME]
  ip filter insert RULE-NUMBER {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} interface NAME
  ip filter insert {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp [forward]
  ip filter insert {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} [forward]
  ip filter insert {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} interface NAME [forward]
  ip filter insert RULE-NUMBER {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT forward
  ip filter insert RULE-NUMBER {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT interface INTERFACE forward
  ip filter insert RULE-NUMBER {permit | deny} SRC-ADDR DES-ADDR forward
  ip filter insert RULE-NUMBER {permit | deny} SRC-ADDR DES-ADDR interface INTERFACE forward
      Inserts the specified policy at the specified rule number.

When you use the command ip filter insert, the specified policy gets the specified rule number, and the existing policies from that number onward are renumbered to the next number.
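The rule evaluation behind the show ip filter listing above (first matching rule decides, the chain policy applies when none matches, a host/prefix such as 172.16.89.200/16 is stored as its network 172.16.0.0/16, and ip filter insert renumbers the rules that follow), as an added illustration in Python. This is not V1624 code: the Rule and FilterChain classes, the 1-based rule numbering and the test addresses are assumptions made for the demonstration; the two rules themselves are the ones from the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the input-chain evaluation shown above (not V1624 code).


@dataclass
class Rule:
    target: str                      # "ACCEPT" (permit) or "DENY" (deny)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "all"               # "all", "icmp", "udp" or "tcp"
    sport: Optional[int] = None      # None stands for "any"
    dport: Optional[int] = None


def _net(addr: str) -> ipaddress.IPv4Network:
    """'any' matches everything; a host/prefix such as 172.16.89.200/16 is
    masked to its network, 172.16.0.0/16, as the show ip filter output does."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(addr, strict=False)


def make_rule(action: str, src: str, dst: str, proto: str = "all",
              sport: Optional[int] = None, dport: Optional[int] = None) -> Rule:
    target = "ACCEPT" if action == "permit" else "DENY"
    return Rule(target, _net(src), _net(dst), proto, sport, dport)


class FilterChain:
    """First-match rule list with a chain policy, rules numbered from 1."""

    def __init__(self, policy: str = "ACCEPT") -> None:
        self.policy = policy
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> int:
        """ip filter add: appended at the end, receives the next rule number."""
        self.rules.append(rule)
        return len(self.rules)

    def insert(self, rule_number: int, rule: Rule) -> None:
        """ip filter insert: takes RULE-NUMBER; existing rules shift to the next number."""
        self.rules.insert(rule_number - 1, rule)

    def evaluate(self, src_ip: str, dst_ip: str, proto: str,
                 sport: Optional[int] = None, dport: Optional[int] = None) -> str:
        src = ipaddress.IPv4Address(src_ip)
        dst = ipaddress.IPv4Address(dst_ip)
        for rule in self.rules:
            if src not in rule.src or dst not in rule.dst:
                continue
            if rule.proto != "all" and rule.proto != proto:
                continue
            if rule.sport is not None and rule.sport != sport:
                continue
            if rule.dport is not None and rule.dport != dport:
                continue
            return rule.target              # first matching rule decides
        return self.policy                  # chain policy when nothing matches

    def show(self) -> List[str]:
        """Rows in the order of the show ip filter listing."""
        return [f"{i} {r.target} {r.proto} {r.src} {r.dst}"
                for i, r in enumerate(self.rules, 1)]


def build_example_chain() -> FilterChain:
    """The two rules from the example: permit ICMP, then deny everything else
    between the two /16 networks."""
    chain = FilterChain("ACCEPT")
    chain.add(make_rule("permit", "172.16.89.200/16", "172.16.30.15/16", "icmp"))
    chain.add(make_rule("deny", "172.16.89.200/16", "172.16.30.15/16"))
    return chain


if __name__ == "__main__":
    chain = build_example_chain()
    print("\n".join(chain.show()))
    print("icmp:", chain.evaluate("172.16.89.200", "172.16.30.15", "icmp"))
    print("tcp/80:", chain.evaluate("172.16.89.200", "172.16.30.15", "tcp", 40000, 80))
```

Because the /16 is applied to the whole prefix, the example rules cover every host in 172.16.0.0/16, not only the two addresses typed; a practitioner who wants a single host should give it a /32.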


8.11 Bandwidth

A routing protocol uses bandwidth information to compute the routing distance value. To configure the bandwidth of an interface, use the following command.

Command (Mode: Interface):
  bandwidth KILOBITS
      Configures the bandwidth of the interface.
  no bandwidth [KILOBITS]
      Deletes the configured bandwidth of the interface.

The bandwidth can be from 1 to 10,000,000 Kbits. This bandwidth is used for routing information only and does not affect the physical bandwidth. The following example configures a bandwidth of 1000 Kbits and checks it.

SWITCH(config-if)# bandwidth 1000
SWITCH(config-if)# show running-config
(omitted)
interface br1
 no shutdown
 bandwidth 1000
(omitted)


8.12 DHCP

DHCP (Dynamic Host Configuration Protocol) lets a DHCP server assign IP addresses to DHCP clients automatically and manage those addresses. In an environment where not all PCs are connected to the network at the same time, not all of them need to hold an IP address; when one of them needs an address, it can be assigned automatically. The DHCP server is the device that assigns IP addresses automatically, and the DHCP clients are the PCs. DHCP provides the following benefits.

Saving cost: With a limited supply of IP addresses, many users can connect to the Internet, so it saves both addresses and cost.

Effective network management: Anyone can configure a DHCP server, and DHCP clients on the network managed by that server can access the network without professional knowledge such as how to configure TCP/IP in the network environment.

Fig. 8.17 DHCP Service Structure (figure: a DHCP server or relay agent and PCs acting as DHCP clients on a subnet; the client's IP packet is broadcast, the DHCP packet from the server is unicast)

The V1624 can act as the DHCP server or as the DHCP relay agent, according to the user's configuration. The function of the DHCP relay agent is to connect the DHCP server to the DHCP clients.


8.12.1 Configuring DHCP Server

To use the V1624 as a DHCP server, first specify it as the DHCP server. After that, configure the following to provide DHCP service to the DHCP clients:
  - Configuring DHCP Subnet
  - Configuring IP Address Range
  - Configuring Subnet Default Gateway
  - Enabling DHCP Server
  - Enabling 1:1 Assigning DHCP Server
  - Configuring the Available Time to Use IP Address
  - Registering DNS Server
  - Information of Assigned IP Address
  - Checking DHCP Syslog
  - Display Rate of IP Usage by DHCP Group

8.12.1.1 Configuring DHCP Subnet

Before configuring DHCP, you need to configure a DHCP subnet. When you configure a DHCP subnet, you enter DHCP configuration mode, where you can configure the subnet, and the system prompt changes from SWITCH(config)# to SWITCH(config-dhcp)#. To configure a DHCP subnet, use the following command.

Command (Mode: Global):
  ip dhcp subnet NETWORK netmask MASK group GROUP
      Configures a DHCP subnet. NETWORK: network address; MASK: subnet mask; GROUP: group name
  no ip dhcp subnet NETWORK netmask MASK
      Deletes a DHCP subnet.

In the subnet you configured, you can configure the IP address range, the default gateway and the DHCP group. Enter exit to go back to Global configuration mode, or end to go directly to Top mode. The range of a subnet configured in one group cannot overlap with another subnet.

8.12.1.2 Configuring IP Address Range

After configuring the DHCP subnet, configure the IP address range used in that subnet. To configure the IP address range, use the following command.

Command (Mode: DHCP):
  range START-ADDR END-ADDR
      Configures the IP address range.


It is possible to configure non-contiguous ranges within the same subnet. For example, in the subnet 192.168.1.0/24 you can configure the ranges 192.168.1.10 to 192.168.1.20 and 192.168.1.30 to 192.168.1.40.

8.12.1.3 Configuring Subnet Default Gateway

Configure a default gateway for the subnet so that hosts with assigned addresses can reach IP addresses outside the subnet. To configure the default gateway of a subnet, use the following command.

Command (Mode: DHCP):
  default-gateway GATEWAY-ADDR
      Configures the default gateway of the subnet.

8.12.1.4 Enabling DHCP Server

After the configuration above, activate the DHCP daemon in Global Configuration mode; the switch then operates as a DHCP server. To configure the switch as a DHCP server, use the following command.

Command (Mode: Global):
  ip dhcp server
      Configures the switch as a DHCP server.
  no ip dhcp
      Disables the DHCP server function.

Caution: If the DHCP daemon is not activated, the message "Can't start DHCP server." is shown when returning to Global Configuration mode after configuring a subnet. If there is something wrong with the DHCP configuration, the message "Can't start DHCP server." is shown when activating the DHCP daemon, and the DHCP server will not be enabled.

8.12.1.5 Enabling 1:1 Assigning DHCP Server

The V1624 also supports a special function that prohibits assigning more than one IP address to a single MAC address. Normally the V1624 will assign an IP address to equipment that already has one, because some equipment needs more than one IP address. A personal computer, however, does not need several IP addresses but would still receive them; this function prevents that. In other words, the V1624 can both assign several IP addresses to equipment and prohibit assigning several IP addresses to one MAC address. To prohibit assigning more than one IP address to one MAC address, use the following command.

Command (Mode: Global):
  ip dhcp server with-haddr
      Prohibits assigning more than one IP address to one piece of equipment.


Note: When you do not need the function that prohibits assigning more than one IP address to one MAC address, activate the DHCP server with the command ip dhcp server.

8.12.1.6 Configuring the Available Time to Use IP Address


The DHCP server administrator can configure the time for which an IP address assigned to a DHCP client may be used. This time is called the IP address lease time. The default is one hour, and at the end of that time the system asks whether the DHCP client wants to extend it. To configure the IP address lease time, use the following command.

Command (Mode: Global):
  ip dhcp lease default SECONDS
      Configures the default IP address lease time in seconds.
  ip dhcp lease max SECONDS
      Configures the maximum IP address lease time in seconds.

Note: The default is one hour (3600 seconds), and the maximum is two hours.

8.12.1.7 Registering DNS Server


DHCP server basically informs IP address, default gateway, IP address lease time ,and available DNS server when DHCP client is accessed. Therefore, you should register DNS server that can be used in DHCP server. You can register up to two servers. To register DNS server, use the following command.
Command ip dhcp dns {A.B.C.D} [A.B.C.D] Mode Global Description Registers DNS server.

The following is an example of configuring DHCP server ; network range 192.168.1.0/24 as subnet and 192.168.1.10 ~ 192.168.1.20 and 192.168.1.30 ~ 192. 168.1.40 as IP address range. The default gateway of subnet is configured as 192.168.1.254 and DHCP server is activated.
SWITCH(config)# ip dhcp subnet 192.168.1.0 netmask 255.255.255.0 SWITCH(config-dhcp)# range 192.168.1.10 192.168.1.20 SWITCH(config-dhcp)# range 192.168.1.30 192.168.1.40 SWITCH(config-dhcp)# exit SWITCH(config)# ip dhcp server SWITCH(config)# show running-config Building configuration... (omitted) ip dhcp lease max 7200 ip dhcp lease default 3600 ip dhcp subnet 192.168.1.0 netmask 255.255.255.0 range 192.168.1.10 192.168.1.20 range 192.168.1.30 192.168.1.40 ip dhcp server

DPW:G-S-1624H0-04

191

UMN:CLI

User Manual
V1624

SWITCH(config)#

If you enter a wrong network subnet for the IP addresses to be assigned by the DHCP server and then activate DHCP, you will see an error message. The following is an example of the error message shown when the IP address range and the DHCP server are configured after the netmask of 192.168.1.0 was wrongly configured as 255.0.0.0 instead of 255.255.255.0.

The error message in the example below means that the DHCP server is not activated.

SWITCH(config)# ip dhcp subnet 192.168.1.0 netmask 255.0.0.0
SWITCH(config-dhcp)# range 192.168.1.10 192.168.1.20
SWITCH(config-dhcp)# exit
SWITCH(config)# ip dhcp server
Address range 192.168.1.10 to 192.168.1.20 not on net 192.168.1.0/255.0.0.0!
Can't start DHCP server.
SWITCH(config)#

8.12.1.8 Information of Assigned IP Address

The user can view DHCP information such as the total number of IP addresses that can be assigned, the number of clients that currently hold an IP address, and the client details. To display information on assigned IP addresses, use the following commands. For more detail, add detail after the command.

Command (Mode: Top/Global):
  show ip dhcp user
      Shows the total number of IP addresses that can be assigned and the number of clients that have received an IP address.
  show ip dhcp user detail
      Shows detailed information on the clients that have received an IP address.

The following is an example of viewing the total number of IP addresses that can be assigned and the number of clients that have received an IP address.

SWITCH(config)# show ip dhcp user
Max lease: 0 (2003/03/12 13:19:05)
Total ip: 22
Total users: 0 (0%)
SWITCH(config)#

The above example shows that twenty-two IP addresses can be assigned and that no client has received an IP address yet.
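The checks the DHCP server sections above describe, as an added model in Python: a range must lie on the configured net (the "not on net" error shown in 8.12.1.7 comes from masking each range end with the netmask and comparing it with the network address, which is why 255.0.0.0 fails for 192.168.1.0), ranges must not overlap, the "Total ip" figure of show ip dhcp user is the sum of the range sizes (22 for the two ranges of the example), leases are capped at the ip dhcp lease max value, and ip dhcp server with-haddr gives one MAC at most one address. This is not V1624 code: the DhcpSubnet and DhcpServer classes, the integer lease clock and the sample MAC addresses are assumptions made for the demonstration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the DHCP server checks in this section (not V1624 code).
DEFAULT_LEASE = 3600     # ip dhcp lease default (seconds)
MAX_LEASE = 7200         # ip dhcp lease max (seconds)


class DhcpSubnet:
    """ip dhcp subnet NETWORK netmask MASK, with one or more range START END."""

    def __init__(self, network: str, netmask: str) -> None:
        self.network_str, self.netmask_str = network, netmask
        self.network = int(ipaddress.IPv4Address(network))
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.ranges: List[Tuple[int, int]] = []

    def add_range(self, start: str, end: str) -> None:
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if lo > hi:
            raise ValueError("range start is above range end")
        for a, b in self.ranges:
            if lo <= b and a <= hi:
                raise ValueError("address ranges overlap")
        self.ranges.append((lo, hi))

    def on_net(self, addr: int) -> bool:
        """An address is on the net when masking it with the netmask gives the
        network address; with mask 255.0.0.0 and net 192.168.1.0 nothing is."""
        return (addr & self.mask) == self.network

    def validate(self) -> None:
        """The check the server performs at 'ip dhcp server' time."""
        for lo, hi in self.ranges:
            if not (self.on_net(lo) and self.on_net(hi)):
                raise ValueError(
                    f"Address range {ipaddress.IPv4Address(lo)} to {ipaddress.IPv4Address(hi)} "
                    f"not on net {self.network_str}/{self.netmask_str}! Can't start DHCP server.")

    def total_ip(self) -> int:
        """The 'Total ip' figure of show ip dhcp user."""
        return sum(hi - lo + 1 for lo, hi in self.ranges)


class DhcpServer:
    """Lease allocator; with_haddr models 'ip dhcp server with-haddr'."""

    def __init__(self, subnet: DhcpSubnet, with_haddr: bool = False) -> None:
        subnet.validate()
        self.subnet = subnet
        self.with_haddr = with_haddr
        self.leases: Dict[str, Tuple[str, int]] = {}   # ip -> (mac, expiry time)

    def _expire(self, now: int) -> None:
        for ip in [ip for ip, (_, end) in self.leases.items() if end <= now]:
            del self.leases[ip]

    def offer(self, mac: str, now: int, requested: Optional[int] = None) -> Optional[str]:
        """Return the IP leased to mac, or None when there are no free leases."""
        self._expire(now)
        if self.with_haddr:                      # one MAC gets at most one address
            for ip, (m, _) in self.leases.items():
                if m == mac:
                    return ip
        duration = min(requested or DEFAULT_LEASE, MAX_LEASE)
        for lo, hi in self.subnet.ranges:
            for n in range(lo, hi + 1):
                ip = str(ipaddress.IPv4Address(n))
                if ip not in self.leases:
                    self.leases[ip] = (mac, now + duration)
                    return ip
        return None                              # "no free leases on subnet"

    def users(self) -> Tuple[int, int]:
        """(Total ip, Total users) as show ip dhcp user reports them."""
        return self.subnet.total_ip(), len(self.leases)


def example_subnet() -> DhcpSubnet:
    """The subnet and ranges from the configuration example above."""
    subnet = DhcpSubnet("192.168.1.0", "255.255.255.0")
    subnet.add_range("192.168.1.10", "192.168.1.20")
    subnet.add_range("192.168.1.30", "192.168.1.40")
    return subnet


def start_error(network: str, netmask: str, start: str, end: str) -> Optional[str]:
    """Return the error message a misconfigured subnet produces, or None."""
    subnet = DhcpSubnet(network, netmask)
    subnet.add_range(start, end)
    try:
        subnet.validate()
    except ValueError as err:
        return str(err)
    return None
```

Without with_haddr a second request from the same MAC takes a second address from the pool, which is the behaviour 8.12.1.5 describes for equipment that legitimately needs several addresses; with it, the existing lease is returned instead.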


The following is an example of viewing detailed client information when there are clients that have received an IP address.

SWITCH(config)# show ip dhcp user detail
lease 192.168.1.11 {
  starts Wed Mar 12 05:27:39 2003
  ends Wed Mar 12 06:27:39 2003
  hardware ethernet 00:50:da:ea:a0:04;
  uid 01:00:50:da:ea:a0:04;
  client-hostname "note";

8.12.1.9 Checking DHCP Syslog

Through syslog, the user can learn about trouble that occurred in the DHCP server. Perform the steps below to view trouble in the DHCP server.

Step 1 Use the following command to configure syslog for the DHCP server.

Command (Mode: Global):
  ip dhcp server syslog
      Configures syslog for trouble in the DHCP server.

Step 2 Use the following command to check the syslog.

Command (Mode: Top/Global):
  show syslog local volatile
      Shows syslog messages.

The following is an example of checking the DHCP syslog.

SWITCH(config)# ip dhcp server syslog
SWITCH(config)# show syslog local volatile
Mar 12 13:11:55 login[95]: root login on `ttyS0'
Mar 12 13:12:00 zebra[85]: CPU overload warning : threshold [50] < CPU load [55]
Mar 12 13:12:05 zebra[85]: CPU overload cleared : threshold [50] > CPU load [5]
Mar 12 13:12:10 init: Entering runlevel: 3
Mar 12 13:23:33 dhcpd: Sending on Linux Raw/br1/172.16.0.0
Mar 12 13:23:33 dhcpd: Sending on Socket/fallback/fallback-net
Mar 12 13:23:35 dhcpd: DHCPINFORM from 172.16.15.5
Mar 12 13:27:59 dhcpd: DHCPINFORM from 172.16.48.100
Mar 12 13:30:11 dhcpd: DHCPDISCOVER from 00:50:da:ea:a0:04 via br1
Mar 12 13:30:11 dhcpd: no free leases on subnet 172.16.0.0
Mar 12 13:54:38 dhcpd: Sending on Linux Raw/br1/172.16.0.0
Mar 12 13:54:38 dhcpd: Sending on Socket/fallback/fallback-net
Mar 12 14:04:21 dhcpd: DHCPINFORM from 203.236.124.24
Mar 12 14:08:34 dhcpd: Sending on Linux Raw/br1/172.16.0.0
SWITCH(config)#


8.12.1.10 Display Rate of IP Usage by DHCP Group

You can check the rate of IP usage for each DHCP group. To view the rate of IP usage by group, use the following command.

Command (Mode: Top/Global):
  show ip dhcp group
      Shows the rate of IP usage by each group.

8.12.2 Assigning Static IP Address

The user can assign a static IP address to a specific client. To assign a static IP address, use the following command.

Command (Mode: Global):
  ip dhcp host A.B.C.D MACADDR
      Assigns a static IP address to a DHCP client.
  no ip dhcp host A.B.C.D
      Deletes an assigned static IP address.

Caution: Do not assign a static IP address from the DHCP pool to a DHCP client; the DHCP function may work incorrectly. The function that blocks static IP addresses is not applied to a static IP address assigned to a DHCP client this way.

To check a static IP address assigned to a DHCP client, use the following command.

Command (Mode: Global):
  show running-config
  show mac INTERFACE [PORTS]
  show arp
      Checks a static IP address assigned to a DHCP client.

Only when the MAC address of the DHCP client using the static IP address is registered in the ARP table can the user check the assigned static IP address with the command show mac INTERFACE or show arp.

8.12.3 Blocking Static IP Address User

The V1624 can prevent a specific user from using an IP address, such as a static IP address, without re-authentication. To block static IP address users, use the following command.

Command (Mode: Global):
  ip dhcp security arp-lock {DEFAULT-LEASE-TIME | MAX-LEASE-TIME | USER-DEFINED-TIME}
      Enables the function that blocks static IP address users.
  no ip dhcp security arp-lock
      Disables the function that blocks static IP address users.

Note: USER-DEFINED-TIME has a value between 0 and 7,200 seconds.


To delete the list of blocked DHCP clients using a static IP address, use the following command.

Command (Mode: Global):
  clear ip dhcp user illegal-entry
      Deletes the list of blocked DHCP clients using a static IP address.

To display the list of blocked DHCP clients illegally using a static IP address, use the following command.

Command (Mode: Global):
  show ip dhcp user illegal-entry {ip | mac}
      Shows the list of blocked DHCP clients illegally using a static IP address.

8.12.4 Configuring DHCP Relay Agent

You can configure the V1624 to forward the IP address requests of DHCP clients to a DHCP server. This is called the DHCP relay agent. The DHCP relay agent is useful for managing a wide DHCP subnet.

Fig. 8.18 Example of DHCP Relay Agent (figure: one DHCP server reached through Relay Agent 1 and Relay Agent 2, which serve Subnet 1 and Subnet 2; PC = DHCP client)


Use the following command in Global Configuration mode to enable the DHCP relay feature on your system.

Command (Mode: Global):
  ip dhcp relay SERVER-ADDR [SERVER-ADDR]
      Forwards IP address requests to the DHCP server.
  no ip dhcp [SERVER-ADDR]
      Deletes the DHCP relay agent.

8.12.5 Initializing DHCP Lease Database

The IP addresses assigned by the DHCP server are recorded in the lease database. It is possible to initialize this database and start recording anew. If an IP address is already assigned, it is renewed after checking whether the user wants to keep using it. To initialize the DHCP lease database, use the following command.

Command (Mode: Global):
  clear ip dhcp binding
      Initializes the DHCP lease database.

8.12.6 Backing up DHCP Lease Database

You can back up the DHCP lease database to a TFTP server according to your configuration. To back up the DHCP lease database through TFTP, use the following commands.

Since a TFTP server does not authenticate users with an ID and password when they access it, it is inherently insecure. To limit this exposure, the back-up file can only be written when a file with the same name as the one to be copied already exists on the TFTP server.

Command (Mode: Global):
  ip dhcp database TFTP-ADDRESS FILE-NAME write-delay TIME
      Makes the back-up file of the DHCP lease database.
  ip dhcp database TFTP-ADDRESS FILE-NAME write-delay TIME MAX-TIME
      Makes the back-up file of the DHCP lease database and configures the time limit for accessing the TFTP server.
  ip dhcp database TFTP-ADDRESS FILE-NAME write-delay TIME log
      Makes the back-up file of the DHCP lease database and configures a syslog message to be sent in case of access failure.
  no ip dhcp database TFTP-ADDRESS FILE-NAME
      Deletes the DHCP lease database back-up file.

The unit of TIME is seconds when you configure the back-up interval of the DHCP lease database with write-delay, and MAX-TIME is the time limit for accessing the TFTP server.


8.12.7 DHCP Option-82

As subscriber networks grow, a DHCP server has to assign IP addresses to many subscribers. DHCP Option-82 lets the user manage subscribers efficiently. With DHCP Option-82, the DHCP relay sends DHCP Request packets with Option-82 information attached, and the subscriber is authenticated through this information. Through Option-82, DHCP not only assigns IP addresses but also restricts access to the server; moreover, it provides differentiated service and enhances security. The V1624 transmits the port number and the Remote ID to the DHCP server in Option-82. The port number has higher priority than the Remote ID. When it receives a Request packet without Option-82 information, it attaches its own information. When the Remote ID recorded in Option-82 is the same as the MAC address of the system itself, it removes Option-82 and transmits the packet on the designated port number. The packet flow is shown below.

Fig. 8.19 DHCP Option 82 Operation (figure: 1. DHCP Request from the DHCP client to the DHCP relay agent (Option-82); 2. DHCP Request + Option82 from the relay agent to the DHCP server; 3. DHCP Respond + Option82 from the server back to the relay agent; 4. DHCP Respond from the relay agent to the client)

This section describes how to configure DHCP Option 82. It contains these sections:
  - Enabling DHCP Option-82
  - Configuring Option-82 Packet Policy
  - Configuring Trust Packet
  - Restricting the Number of Assigning IP Address

8.12.7.1 Enabling DHCP Option-82

To enable or disable DHCP option 82, use the following command.

Command (Mode: Global):
  ip dhcp option
      Enables DHCP option 82.
  no ip dhcp option
      Disables DHCP option 82.


8.12.7.2 Configuring Option-82 Packet Policy

The user can configure how packets are processed when DHCP Option-82 packets arrive at the DHCP server or DHCP relay agent. To configure the policy for Option-82 packets, use the following command in Option-82 configuration mode.

Command (Mode: Option-82):
  policy {drop | keep | replace}
      Configures the policy for Option-82 packets. (Default: keep)

drop discards the Option-82 packet. keep means the relay agent transmits the packet while preserving the Option-82 it already carries. replace means the packet is transmitted with the Option-82 information replaced by the agent's own. The rule for Option-82 packets can be configured whether the V1624 is the DHCP server or the DHCP relay agent.

8.12.7.3 Configuring Trust Packet

The DHCP server decides whether to assign an IP address using the port number and remote-ID in an option-82 packet, so the user should configure the values of those options that qualify a packet for an IP address. When using the V1624 as a DHCP server, follow the steps below to configure the conditions for assigning an IP address.

Step 1 Configure a default policy that drops all packets, and then configure the policy that permits the packets that may receive an IP address. The following command configures the default policy.

Command (Mode: Option-82):
  trust default {permit | deny}
      Configures the default policy for option-82 packets.

deny drops all packets, and permit permits all packets.

Step 2 Configure the port number and remote-ID that qualify for an IP address. A packet that carries the configured port number or remote-ID is automatically handled by the permit option. The DHCP server checks the port number in the option-82 packet first; if the port number does not match the configured value, the server then checks the remote-ID.


The following commands configure the port number and remote-ID.

Command (Mode: Option-82):
  trust port PORT
      Configures a port number for option-82 packets.
  trust system MACADDR
      Configures a remote-ID for option-82 packets.
  no trust port PORT
      Deletes a port number for option-82 packets.
  no trust system MACADDR
      Deletes a remote-ID for option-82 packets.

Note: Configuring trust packets is available only in the DHCP server.

8.12.7.4 Restricting the Number of Assigning IP Address

The user can restrict the number of IP addresses assigned when address-assigning packets come into the switch. To restrict the number of IP address assignments, use the following command.

Command (Mode: Option-82):
  lease-limit <0-2000000000>
      Restricts the number of IP addresses assigned.
  lease-limit <0-2000000000> remote MACADDR
      Restricts the number of IP addresses assigned for the applicable remote-ID.
  lease-limit <0-2000000000> remote MACADDR circuit PORT
      Restricts the number of IP addresses assigned for the applicable port number and remote-ID.
  no lease-limit
      Releases the restriction on the number of IP addresses.
  no lease-limit remote MACADDR
      Releases the restriction for the applicable remote-ID.
  no lease-limit remote MACADDR circuit PORT
      Releases the restriction for the applicable port number and remote-ID.
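The Option-82 handling that 8.12.7 to 8.12.7.3 describe, as an added illustration in Python: a relay agent that attaches its own information to a request that has none and otherwise applies the drop/keep/replace policy, and a server-side trust decision that checks the port number before the remote-ID and falls back to trust default. The option layout follows RFC 3046 (option code 82, sub-option 1 = circuit ID, sub-option 2 = remote ID). This is not V1624 code: the encoding of the port number as a single-byte circuit ID, the function names and the sample MAC addresses are assumptions made for the demonstration; the parser also rejects malformed lengths instead of reading past the buffer, which is the check a practitioner wants on any option-82 input.

```python
import struct
from typing import Dict, Optional

# Constructed model of option-82 relay and server handling (not V1624 code).
# Option 82 layout follows RFC 3046: sub-option 1 = circuit ID, 2 = remote ID.
OPTION_82 = 82
CIRCUIT_ID = 1
REMOTE_ID = 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_option82(port: int, remote_mac: str) -> bytes:
    """Encode the relay's own information: circuit ID carries the port
    number (assumed here to be a single byte), remote ID carries the MAC."""
    if not 0 <= port <= 255:
        raise ValueError("port number must fit in one byte in this model")
    mac = _mac_bytes(remote_mac)
    subs = struct.pack("BBB", CIRCUIT_ID, 1, port)
    subs += struct.pack("BB", REMOTE_ID, len(mac)) + mac
    return struct.pack("BB", OPTION_82, len(subs)) + subs


def parse_option82(data: bytes) -> Dict[str, object]:
    """Decode an option-82 TLV into {'port': int, 'remote_mac': str}.
    Malformed lengths are rejected rather than read past the buffer."""
    if len(data) < 2:
        raise ValueError("too short for an option header")
    code, length = struct.unpack("BB", data[:2])
    if code != OPTION_82 or length != len(data) - 2:
        raise ValueError("not a well-formed option 82")
    info: Dict[str, object] = {}
    i = 2
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        sub, sublen = struct.unpack("BB", data[i:i + 2])
        value = data[i + 2:i + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("truncated sub-option value")
        if sub == CIRCUIT_ID and sublen == 1:
            info["port"] = value[0]
        elif sub == REMOTE_ID:
            info["remote_mac"] = ":".join(f"{b:02x}" for b in value)
        i += 2 + sublen
    return info


def relay(request_opt82: Optional[bytes], policy: str,
          my_port: int, my_mac: str) -> Optional[bytes]:
    """Relay agent behaviour for one DHCP Request. A request without option 82
    always gets the agent's own information; a request that already carries
    one is handled by the configured policy (drop / keep / replace).
    Returns the option to forward, or None when the packet is discarded."""
    if request_opt82 is None:
        return build_option82(my_port, my_mac)
    if policy == "drop":
        return None
    if policy == "keep":
        return request_opt82
    if policy == "replace":
        return build_option82(my_port, my_mac)
    raise ValueError(f"unknown policy {policy!r}")


class TrustTable:
    """Server-side decision: trust default, trust port PORT, trust system MACADDR.
    The port number is checked first, then the remote-ID, then the default."""

    def __init__(self, default: str = "deny") -> None:
        self.default = default
        self.ports: set = set()
        self.systems: set = set()

    def decide(self, opt82: bytes) -> str:
        info = parse_option82(opt82)
        if info.get("port") in self.ports:
            return "permit"
        if info.get("remote_mac") in self.systems:
            return "permit"
        return self.default
```

With trust default deny, a request whose option 82 names neither a trusted port nor a trusted remote-ID gets no address, which is the Step 1 / Step 2 order of 8.12.7.3.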

8.12.8 DHCP Snooping with Option82

In an L2 environment, when forwarding DHCP messages to a DHCP server, a DHCP switch can insert or remove DHCP option82 data in the DHCP messages from the clients. When a switch has DHCP snooping enabled and DHCP option82 is enabled, it forwards DHCP packets with the DHCP option82 field. This allows enhanced security and efficient IP assignment in the Layer 2 environment using the DHCP option82 field. To enable or disable insertion and removal of the DHCP option82 field on a switch with DHCP snooping enabled, use the following command.

Command (Mode: Global):
  ip dhcp snooping information option
      Enables the switch to insert the DHCP option 82 field in DHCP packets forwarded to the DHCP server.
  no ip dhcp snooping information option
      Disables insertion of the DHCP option 82 field in DHCP packets forwarded to the DHCP server.


i
8.12.9

If DHCP snooping is enabled in the system of V1624, DHCP packets includes DHCP option82 field by default.

DHCP Option 77
The V1624 can send the packets based on the policy or value of DHCP user class ID in the DHCP message sent by the client. The user class ID on DHCP option 77 field identifies the type of client sending the DHCP Discover/Request message. If V1624 receives DHCP message from a client, it forwards the same packet to the server with keep policy of DHCP option 77. Otherwise, it adds user class ID to the packet on the configured port and forwards it to the server when the packet has no user class ID and the policy of DHCP option 77 is replace. DHCP server can use DHCP option 77 field to specify IP addresses of a particular pool based on user class ID of DHCP client.

To use DHCP option 77 fucntion, DHCP Option 77 must be enabled in the system of V1624. In case DHCP Option 77 is disabled in the system, the configured DHCP option 77 is automatically deleted.

To enable/disable DHCP option 77, use the following command.


Command ip dhcp option77 no ip dhcp option77 Mode Global Description Enables DHCP option 77 in the system Disables DHCP option 77 in the system

To configure a user class id of DHCP option 77 on a specified port, use the following command.
Command: ip dhcp snooping user-class-id port PORT class-id CLASS-ID
Mode: Global
Description: Configures the DHCP user class ID of DHCP option 77 per port.

To configure the policy of DHCP option 77 on a specified port, use the following command.
Command: ip dhcp snooping user-class-id policy {replace | keep}
Mode: Global
Description: Configures the policy of the DHCP option 77 field for DHCP Request packets (default: replace).
replace: forwards DHCP packets with a user class ID according to the DHCP option 77 field format.
keep: forwards DHCP packets without any user class ID.


To delete the configured user class ID of DHCP option 77 field, use the following command.
Command: no ip dhcp snooping user-class-id port PORT class-id CLASS-ID
Mode: Global
Description: Deletes a configured user class ID of a port.

Command: no ip dhcp snooping user-class-id port PORT all
Mode: Global
Description: Deletes all configured user class IDs of a port.
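The following is an added example, not code from the V1624 manual, modelling what a DHCP-snooping switch does to the options of a client DHCP message before relaying it: it inserts option 82 and applies the option 77 keep/replace policy. The circuit-id/remote-id contents, and the choice that replace also overwrites a user class the client sent, are assumptions; the page does not state the V1624's encoding.

```python
# Added example (not code from the V1624 manual): what a DHCP-snooping
# switch does to the options field of a client DHCP message before relaying
# it to the server. It inserts option 82 (relay agent information, RFC 3046)
# and applies the option 77 (user class, RFC 3004) keep/replace policy.
# Assumptions: circuit-id = ingress port, remote-id = switch MAC, and
# 'replace' also overwrites a user class the client sent; the page does not
# state the V1624's exact encoding. Sample values below are constructed.
import struct

OPT_PAD, OPT_END = 0, 255
OPT_USER_CLASS = 77        # RFC 3004
OPT_RELAY_AGENT = 82       # RFC 3046
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(opts: bytes) -> list:
    """Split a DHCP options field into (code, value) pairs, stopping at END."""
    out, i = [], 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out.append((code, value))
        i += 2 + length
    return out


def build_options(pairs: list) -> bytes:
    """Serialize (code, value) pairs back into an options field ending in END."""
    buf = bytearray()
    for code, value in pairs:
        if len(value) > 255:
            raise ValueError("option %d too long" % code)
        buf += bytes([code, len(value)]) + value
    buf.append(OPT_END)
    return bytes(buf)


def option82_value(port: int, switch_mac: bytes) -> bytes:
    """Relay Agent Information: circuit-id sub-option = port, remote-id = MAC."""
    circuit = struct.pack("!H", port)
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(switch_mac)]) + switch_mac)


def relay_to_server(opts: bytes, port: int, switch_mac: bytes,
                    option82: bool = True, class_id: bytes = None,
                    policy: str = "replace") -> bytes:
    """Rewrite the options of a client->server DHCP message.

    option82: state of 'ip dhcp snooping information option'.
    class_id: class ID configured for this port with
              'ip dhcp snooping user-class-id port PORT class-id CLASS-ID'
              (None when the port has none).
    policy:   'replace' adds the configured class ID (replacing any user
              class the client sent); 'keep' forwards the packet unchanged.
    """
    pairs = parse_options(opts)
    # Never trust an option 82 that arrived from the client side: strip it
    # before adding our own (a defensive choice made in this example).
    pairs = [p for p in pairs if p[0] != OPT_RELAY_AGENT]
    if class_id is not None and policy == "replace":
        pairs = [p for p in pairs if p[0] != OPT_USER_CLASS]
        pairs.append((OPT_USER_CLASS, class_id))
    if option82:
        pairs.append((OPT_RELAY_AGENT, option82_value(port, switch_mac)))
    return build_options(pairs)


def relay_to_client(opts: bytes) -> bytes:
    """Strip option 82 from a server->client reply before forwarding it."""
    return build_options([p for p in parse_options(opts)
                          if p[0] != OPT_RELAY_AGENT])


# Constructed sample: a DHCPDISCOVER options field (option 53 = message type 1)
# in which the client also sent its own, untrusted, option 82.
SAMPLE_DISCOVER = bytes([53, 1, 1, 82, 2, 1, 0, OPT_END])
SWITCH_MAC = bytes.fromhex("001122334455")   # constructed value
```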

8.12.10 DHCP Snooping Filtering


For enhanced security, the V1624 provides the DHCP snooping filtering feature. DHCP snooping maintains a DHCP snooping binding table based on the DHCP lease table and filters out packets whose source IP address and MAC address do not match an entry in the binding table. This allows network administrators to prevent IP spoofing and the illegal use of static IP addresses. To enable/disable DHCP snooping filtering, use the following command.
Command: ip filter dhcp snoop PORTS {enable | disable}
Mode: Global
Description: Enables/disables DHCP snooping filtering on a specified port. PORTS: port number

By default, DHCP snooping filtering only permits the IP addresses in the DHCP snooping binding table. However, you can configure the switch to permit an IP address that is not in the DHCP snooping binding table, or to deny an IP address that is in it. To add/delete entries (IP address and MAC address) in the DHCP snooping binding table, use the following command.
Command: ip filter dhcp snoop permit PORTS A.B.C.D MACADDR
Mode: Global
Description: Adds a permit entry to the DHCP snooping binding table.

Command: ip filter dhcp snoop del PORTS {A.B.C.D | A.B.C.D/M}
Mode: Global
Description: Deletes an added permit entry.

To deny a specified IP address regardless of its existence on the DHCP snooping binding table, use the following command.
Command: ip filter dhcp snoop deny A.B.C.D/M
Mode: Global
Description: Denies a specified IP address.

Command: no ip filter dhcp snoop deny A.B.C.D/M
Mode: Global
Description: Releases a denied IP address.


To display the DHCP snooping binding table, use the following command.
Command: show ip filter dhcp snoop [PORTS]
Mode: Top/Global
Description: Shows the DHCP snooping filtering list.

Command: show ip filter dhcp snoop {permit | deny}
Mode: Top/Global
Description: Shows the configured DHCP snooping filtering.

Command: show ip filter dhcp snoop permit PORTS
Mode: Top/Global
Description: Shows the configured DHCP snooping filtering for the specified ports.

8.12.11 Authorized ARP
This function sets the time before ARP inspection starts to run. Before setting it, ARP inspection should be enabled. ARP inspection checks the validity of incoming ARP packets against the DHCP snooping binding table and drops ARP packets that are not identified in the table. However, the V1624 may be rebooted for any reason, and the DHCP snooping binding entries, which are learned dynamically from the DHCP traffic passing through the V1624, would then be lost. ARP inspection should therefore be delayed for some time after a reboot so that the DHCP snooping table can rebuild its entries. If no delay is given, ARP inspection sees an empty snooping table and drops every ARP packet. To specify the ARP inspection delay time, use the following command.
Command: ip dhcp snooping arp-inspection start <1-2147483637>
Mode: Global
Description: Configures the ARP inspection delay time. After a reboot, ARP inspection resumes after the configured time. 1-2147483637: delay time (unit: second, default: 1800)

Command: no ip dhcp snooping arp-inspection start
Mode: Global
Description: Deletes the configured ARP inspection delay time.
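The following added example (not the manual's code) serves both the DHCP snooping filtering section above and the ARP inspection delay here: a model of the binding table, the source IP/MAC filter with permit entries and deny prefixes, and ARP inspection that is suspended for the configured delay after a reboot. Keying bindings by (port, IP) is an assumption; the ports, addresses, MACs and simulated clock are constructed values.

```python
# Added example (not code from the V1624 manual) serving both the DHCP
# snooping filter above and the ARP inspection delay in this section: a
# model of the DHCP snooping binding table, the source IP/MAC filter built
# on it (permit entries, deny prefixes), and ARP inspection that is held
# off for the configured delay after a reboot so the table can refill.
# Keying bindings by (port, IP) is an assumption; ports, addresses, MACs
# and the simulated clock are constructed values.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SnoopingState:
    bindings: dict = field(default_factory=dict)   # (port, ip) -> mac, from leases
    permits: dict = field(default_factory=dict)    # 'ip filter dhcp snoop permit PORTS A.B.C.D MACADDR'
    denies: list = field(default_factory=list)     # 'ip filter dhcp snoop deny A.B.C.D/M'
    filtered_ports: set = field(default_factory=set)   # 'ip filter dhcp snoop PORTS enable'
    arp_inspection: bool = False
    arp_start_delay: int = 1800      # 'ip dhcp snooping arp-inspection start <sec>'
    boot_time: float = 0.0

    def learn_lease(self, port, ip, mac):
        """Called when a DHCPACK for (ip, mac) is seen on an access port."""
        self.bindings[(port, ip)] = mac.lower()

    def permit(self, port, ip, mac):
        self.permits[(port, ip)] = mac.lower()

    def deny(self, prefix):
        self.denies.append(ipaddress.ip_network(prefix, strict=False))

    def _bound_mac(self, port, ip):
        return self.permits.get((port, ip)) or self.bindings.get((port, ip))

    def ip_allowed(self, port, src_ip, src_mac):
        """Source filter on a filtered port: a deny prefix always wins;
        otherwise (port, IP) must be bound to this MAC, either by a lease
        or by a static permit entry. Static IPs with no entry are dropped."""
        if port not in self.filtered_ports:
            return True
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in self.denies):
            return False
        return self._bound_mac(port, src_ip) == src_mac.lower()

    def arp_allowed(self, port, sender_ip, sender_mac, now):
        """ARP inspection: the sender IP/MAC pair must be in the binding
        table. Inspection is suspended for arp_start_delay seconds after
        boot; without that, every ARP would be dropped against an empty
        table until the DHCP clients had renewed."""
        if not self.arp_inspection:
            return True
        if now - self.boot_time < self.arp_start_delay:
            return True
        return self._bound_mac(port, sender_ip) == sender_mac.lower()


def demo():
    """Walk through boot, the delay window, a learned lease, a spoofed ARP,
    an unregistered static IP, a permit entry and a deny prefix."""
    s = SnoopingState(arp_inspection=True, arp_start_delay=1800, boot_time=0)
    s.filtered_ports.add(1)
    s.deny("10.0.0.0/24")
    early = s.arp_allowed(1, "10.1.1.20", "aa:bb:cc:dd:ee:01", now=10)   # in delay window
    s.learn_lease(1, "10.1.1.20", "AA:BB:CC:DD:EE:01")
    good_arp = s.arp_allowed(1, "10.1.1.20", "aa:bb:cc:dd:ee:01", now=2000)
    spoof_arp = s.arp_allowed(1, "10.1.1.20", "aa:bb:cc:dd:ee:99", now=2000)
    good_ip = s.ip_allowed(1, "10.1.1.20", "aa:bb:cc:dd:ee:01")
    static_ip = s.ip_allowed(1, "10.1.1.77", "aa:bb:cc:dd:ee:02")   # no lease, no permit
    s.permit(1, "10.1.1.77", "aa:bb:cc:dd:ee:02")
    permitted = s.ip_allowed(1, "10.1.1.77", "aa:bb:cc:dd:ee:02")
    s.learn_lease(1, "10.0.0.5", "aa:bb:cc:dd:ee:03")
    denied = s.ip_allowed(1, "10.0.0.5", "aa:bb:cc:dd:ee:03")   # deny prefix wins
    return early, good_arp, spoof_arp, good_ip, static_ip, permitted, denied
```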

8.12.12 Displaying DHCP Configuration


To check DHCP configuration, use the following command.
Command: show running-config
Mode: Top/Global/Bridge/Interface
Description: Shows the DHCP configuration.

The following is an example of viewing DHCP configuration.


SWITCH(config)# show running-config
(omitted)
ip dhcp lease max 7200
ip dhcp lease default 3600
ip dhcp subnet 10.1.1.1 netmask 255.0.0.0 range 10.1.1.1 10.1.1.10 default-gateway 10.1.1.254
!
(omitted)
SWITCH(config)#

Note: The above example is just for your reference. It may vary according to the DHCP configuration.

8.13 Broadcast Storm Control


The V1624 supports Broadcast Storm Control for broadcast packets. A broadcast storm is an overload of broadcast packets, which consume a major part of the transmit capacity. Broadcast storms often arise from version differences: for example, when 4.3 BSD and 4.2 BSD systems, or AppleTalk Phase I and Phase II systems, are mixed on a TCP/IP network, a storm may occur. A storm may also occur when routing protocol information regularly transmitted by a router is misinterpreted by a system that does not support the protocol. Broadcast Storm Control works by having the system count how many broadcast packets arrive per second; packets beyond the configured limit are discarded. To configure Storm Control, use the following command.
Command: set storm-control COUNT
Mode: Bridge
Description: Configures Storm Control. COUNT: packet count limit per second

Command: clear storm-control
Mode: Bridge
Description: Disables Storm Control.

COUNT starts at 120 and is rounded to the closest multiple of 120. For example, if you enter 500, it becomes 480. The updated V1624 controls not only broadcast storms but also multicast and DLF (Destination Lookup Fail) storms. To use multicast and DLF storm control, use the following commands. All Broadcast Storm Control settings are then applied equally to all VLANs.
Command: set storm-control include dlf
Mode: Bridge
Description: Enables DLF storm control. (Default: enable)

Command: set storm-control include multicast
Mode: Bridge
Description: Enables multicast storm control. (Default: disable)

Command: clear storm-control include dlf
Mode: Bridge
Description: Disables DLF storm control.

Command: clear storm-control include multicast
Mode: Bridge
Description: Disables multicast storm control.

To check Storm Control configuration, use the following command.


Command: show storm-control
Mode: Bridge
Description: Shows the Storm Control configuration.
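The following is an added example, not code from the V1624 manual, modelling the per-second storm-control counter described above, including the rounding of COUNT to a multiple of 120 and the optional multicast and DLF classes. Counting per VLAN and the frame classes are this example's assumptions.

```python
# Added example (not code from the V1624 manual): a software model of the
# storm-control counter described above. The limit is rounded to the
# closest multiple of 120 as the text states (500 -> 480); broadcast frames
# are always counted, multicast and DLF frames only when included with
# 'set storm-control include multicast' / 'include dlf'. Counting per VLAN
# and per second, and the frame classes, are this example's assumptions.
from collections import defaultdict


def normalize_count(count: int) -> int:
    """Round a configured COUNT to the closest multiple of 120 (minimum 120)."""
    if count < 120:
        raise ValueError("storm-control COUNT must be at least 120")
    return (count + 60) // 120 * 120


class StormControl:
    def __init__(self, count, include_multicast=False, include_dlf=True):
        self.limit = normalize_count(count)
        self.include_multicast = include_multicast
        self.include_dlf = include_dlf
        self._second = None
        self._seen = defaultdict(int)      # vlan -> frames counted this second
        self.dropped = defaultdict(int)    # vlan -> frames discarded in total

    def _controlled(self, kind: str) -> bool:
        return (kind == "broadcast"
                or (kind == "multicast" and self.include_multicast)
                or (kind == "dlf" and self.include_dlf))

    def admit(self, vlan: int, kind: str, now: float) -> bool:
        """Return True if the frame is forwarded, False if it is discarded.
        kind is 'broadcast', 'multicast', 'dlf' (destination lookup fail)
        or 'unicast'; the counters reset at every new wall-clock second."""
        second = int(now)
        if second != self._second:
            self._second = second
            self._seen.clear()
        if not self._controlled(kind):
            return True
        self._seen[vlan] += 1
        if self._seen[vlan] > self.limit:
            self.dropped[vlan] += 1
            return False
        return True


def simulate(count=500, frames=600, kind="broadcast", **opts):
    """Send `frames` frames of one kind within one second on VLAN 10 and
    return (effective limit, forwarded, dropped)."""
    sc = StormControl(count, **opts)
    forwarded = sum(sc.admit(10, kind, now=1.0 + i / frames) for i in range(frames))
    return sc.limit, forwarded, sc.dropped[10]
```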

8.14 Blocking Direct Broadcast


RFC 2644 recommends that a system block broadcast packets addressed to the broadcast address of a network directly attached to one of its interfaces, namely directed broadcast packets. Accordingly, the V1624 blocks directed broadcast packets by default. However, you can enable or disable this blocking on the V1624. To configure the blocking of directed broadcast packets, use the following command.
Command: no ip forward direct-broadcast
Mode: Global
Description: Blocks directed broadcast packets. (Default: enable)

Command: ip forward direct-broadcast
Mode: Global
Description: Disables blocking of directed broadcast packets.

The following is an example of changing the directed broadcast setting and checking it.
SWITCH(config)# ip forward direct-broadcast
SWITCH(config)# show running-config
Building configuration...
(omitted)
!
ip forward direct-broadcast
!
no snmp
!
SWITCH(config)#


9 IP Multicast
IP communication provides three types of packet transmission: unicast, broadcast and multicast. Unicast is communication from a single source host to a single destination host. This is still the most common transmission form in IP networks. Broadcast is communication from a single source host to all destination hosts on a network segment. This transmission is also widely used, especially by network protocols, but it can be inefficient for hosts in the subnet that are not participating in the broadcast. Multicast is communication from one or many source hosts to a specific group of destination hosts that are interested in the information from the sources. This type of packet transmission can be deployed for a number of applications with more efficient utilization of the network infrastructure. The key point of multicast is to deliver source traffic to specific destinations without burdening the sources or receivers, using minimal network bandwidth. The solution is to create a group of hosts, address the group, and let the network determine how to replicate the source traffic to the receivers. The traffic is then addressed to the multicast address and replicated to the multiple receivers by network devices. Standard multicast protocols such as IGMP provide most of these capabilities. The IP multicast features on the V1624 consist of group membership management and Layer 2 multicast forwarding, which allow network administrators to achieve an effective and flexible multicast deployment. Fig. 9.1 shows an example of an IP multicast network. In this case, the V1624 is configured only with IGMP snooping (the L2 multicast forwarding feature) in the Layer 2 network.
[Figure] Fig. 9.1 The V1624 with IGMP Snooping: set-top boxes in the Layer 2 network send IGMP join/leave messages to the V1624 running IGMP snooping; the V1624 connects to a PIM-SM router in the Layer 3 network, which exchanges PIM join/prune messages toward the multicast server; multicast data flows from the server to the set-top boxes.

9.1 Multicast Group Membership


The most important part of a multicast implementation is group membership management. Multicast group membership lets a router know which hosts are interested in receiving the traffic of a certain multicast group, so that it forwards the traffic of that group to those hosts. Even if more than one host is interested in the group, the router forwards only one copy of the traffic stream to minimize the use of network bandwidth. Internet Group Management Protocol (IGMP) is the protocol used by routers and hosts to manage multicast group membership. Using IGMP, hosts express an interest in a certain multicast group, and routers maintain the multicast group membership database by collecting the interests from the hosts.

9.1.1 IGMP Basic
Internet Group Management Protocol (IGMP) manages host membership in multicast groups. Hosts inform a neighboring multicast router that they are interested in receiving the traffic of a certain multicast group by sending a membership report (joining the group). The router then forwards the multicast traffic corresponding to the report to the hosts. A multicast router called a querier is responsible for keeping track of the membership state of the multicast groups by sending periodic general query messages to the currently interested hosts. If there are no responses to the query from the hosts for a given time (leaving the group), the router stops forwarding the traffic. During the above transaction between hosts and routers, IGMP messages are used to report or query the group membership. IGMP has three versions that are supported by hosts and routers. The following are simple definitions of each version:

IGMP Version 1: The basic query-response mechanism for group membership management is introduced. Routers, however, have to use a timeout-based mechanism to discover members that are no longer interested in a group, since there is no leave process.

IGMP Version 2: IGMP messages such as leave group and group-specific query are added for an explicit leave process. This process greatly reduces the leave latency compared to IGMP version 1, so unwanted and unnecessary traffic can be constrained much faster.

IGMP Version 3: Source filtering is supported. That is, hosts can now join a group while specifying a set of sources to include or exclude, which supports Source-Specific Multicast (SSM). It also increases the multicast address capability and enhances security against unknown multicast sources.

9.1.2 IGMP Version 2
In IGMP version 2, new extensions such as the leave process, election of an IGMP querier, and membership report suppression are added. New IGMP messages, leave group and group-specific query, can be used by hosts to explicitly leave groups, resulting in a great reduction of the leave latency. The V1624 runs IGMPv2 by default.

IGMPv2 Messages
There are three types of IGMPv2 messages of concern to the host-router interaction, as shown below:

Membership query: A multicast router determines if any hosts are listening to a group by sending membership queries. Membership queries have two subtypes.
  General query: used to determine if any hosts are listening to any group.
  Group-specific query: used to determine if any hosts are listening to a particular group.
Version 2 membership report: used by hosts to join a group (unsolicited) or to respond to membership queries (solicited).
Leave group: used to explicitly leave a group.

IGMPv2 Operation
An IGMP querier is the only router that sends membership query messages for a network segment. In IGMP version 2, the querier is the router with the lowest IP address on the subnet. If a router hears no queries during the timeout period, it becomes the querier. A host joins multicast groups by sending unsolicited membership report messages indicating its wish to receive multicast traffic for those groups (that is, that the host wants to become a member of the groups). The querier periodically sends general query messages to discover which multicast groups have members on the router's attached networks. The messages are addressed to the all-hosts multicast group, 224.0.0.1, with a time-to-live (TTL) value of 1. If no host responds to a query within the maximum response time advertised in the message, the multicast router concludes that no local hosts are members of that multicast group and stops forwarding the group's multicast traffic from the source onto the local network. When hosts respond to membership queries from an IGMP querier, membership reports from hosts other than the first one are suppressed to avoid unnecessary traffic. For an IGMP querier, it is sufficient to know that there is at least one interested member for a group on the network segment. When a host is no longer interested in receiving the multicast traffic for a particular group, it can explicitly leave the group by sending a leave group message. Upon receiving a leave message, the querier sends out a group-specific query message to determine if any host is still interested in receiving the traffic. If there is no reply, the querier stops forwarding the multicast traffic.

9.1.2.1 IGMP Static Join


When there are no more group members on a network segment, or a host cannot report its group membership using IGMP, multicast traffic is no longer transmitted to that segment. However, you may want to pull multicast traffic down to a network segment in advance to reduce the time between an IGMP join request and the arrival of the requested stream at a host, known as the zapping time. The IGMP static join feature reduces the zapping time by statically creating a virtual host on a port that behaves like a real host, even if there is no group member on the network segment the port belongs to. As a result, the multicast router sees that there is still a group member, so multicast traffic for the group remains permanently reachable. To configure an IGMP static join, use the following command.
Command: ip igmp static-group A.B.C.D vlan VLAN port PORT [reporter A.B.C.D]
Mode: Global
Description: Configures the IGMP static join. A.B.C.D: IGMP group address; VLAN: VLAN ID (1-4094); PORT: port number; reporter: host address

Command: no ip igmp static-group [A.B.C.D]
Command: no ip igmp static-group A.B.C.D vlan VLAN [port PORT]
Command: no ip igmp static-group A.B.C.D vlan VLAN port PORT [{reporter A.B.C.D | *}]
Mode: Global
Description: Deletes the configured IGMP static join. *: all addresses

To display the IGMP static join group list, use the following command.
Command: show ip igmp static-group
Mode: Top/Global/Bridge
Description: Shows the IGMP static join group list.

Note: If you do not specify the reporter option, the IP address configured on the VLAN is used as the source address of the membership report by default. If no IP address is configured on the VLAN, 0.0.0.0 is used.

Caution: This feature only supports IGMPv2 hosts; it does not support IGMPv3 hosts.

9.1.3 IGMP Version 3
IGMP version 3 provides support for source filtering, which is receiving multicast traffic for a group only from specific source addresses, or from all sources except specific source addresses, allowing the Source-Specific Multicast (SSM) model. Source filtering is implemented by a major revision of the membership report. IGMPv3 membership reports contain two types of record: current-state and state-change. Each record specifies the filter mode and the source list. A report can contain multiple group records, allowing the full current state to be reported using fewer packets. IGMPv3 snooping features are provided.

IGMPv3 Messages
There are two types of IGMPv3 messages of concern to the host-router interaction, as shown below:

Membership query: A multicast router determines if any hosts are listening to a group by sending membership queries. There are three variants of the membership query.
  General query: used to determine if any hosts are listening to any group.
  Group-specific query: used to determine if any hosts are listening to a particular group.
  Group-source-specific query: used to determine if any hosts are listening to a particular group and source.
Version 3 membership report: used by hosts to report the current multicast reception state, or changes in the multicast reception state, of their interfaces. An IGMPv3 membership report contains a group record, which is a block of fields describing the host's membership in a single multicast group on the interface from which the report is sent. A single report may also contain multiple group records. Each group record carries one of the following kinds of information:
  Current-state: indicates the current filter mode, including or excluding the specified multicast sources.
  Filter-mode-change: indicates a change from the current filter mode to the other mode.
  Source-list-change: indicates a change allowing or blocking the list of multicast sources specified in the record.

IGMPv3 Operation
Basically, IGMPv3 has the same join/leave (allow/block in IGMPv3 terminology) and query-response mechanism as IGMPv2. Due to the major revision of the membership report, however, leave group messages are no longer used for the explicit leave process. In IGMPv3, membership reports with state-change records are used to allow or block multicast sources, and those with current-state records are used to respond to membership queries. The membership report suppression feature has been removed so that multicast routers can keep track of membership state per host.
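The following added example, not code from the V1624 manual, parses and builds the IGMPv2 and IGMPv3 messages described in Sections 9.1.2 and 9.1.3 (RFC 2236 / RFC 3376 wire format), verifies the checksum, and sorts IGMPv3 group records into the current-state, filter-mode-change and source-list-change kinds named above. All sample messages are constructed by the build functions.

```python
# Added example (not code from the V1624 manual): parse and build the IGMPv2
# and IGMPv3 messages described above (RFC 2236 / RFC 3376 wire format),
# verify the checksum, and classify IGMPv3 group records into the three
# kinds the text names. All sample messages are constructed by build_v2()
# and build_v3_report() below.
import struct
import ipaddress

TYPE_QUERY, TYPE_V1_REPORT, TYPE_V2_REPORT = 0x11, 0x12, 0x16
TYPE_LEAVE, TYPE_V3_REPORT = 0x17, 0x22
# IGMPv3 record type -> (RFC 3376 name, kind used in the text above)
RECORDS = {1: ("MODE_IS_INCLUDE", "current-state"),
           2: ("MODE_IS_EXCLUDE", "current-state"),
           3: ("CHANGE_TO_INCLUDE", "filter-mode-change"),
           4: ("CHANGE_TO_EXCLUDE", "filter-mode-change"),
           5: ("ALLOW_NEW_SOURCES", "source-list-change"),
           6: ("BLOCK_OLD_SOURCES", "source-list-change")}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def _addrs(buf: bytes, off: int, n: int) -> list:
    return [_ip(buf[off + 4 * i:off + 4 * i + 4]) for i in range(n)]


def parse_igmp(msg: bytes) -> dict:
    """Decode one IGMP message (the IP payload) into a dict."""
    if len(msg) < 8:
        raise ValueError("IGMP message too short")
    if checksum(msg) != 0:           # a message with a valid checksum sums to zero
        raise ValueError("bad IGMP checksum")
    mtype, group = msg[0], _ip(msg[4:8])
    if mtype == TYPE_QUERY:
        if len(msg) == 8:            # IGMPv2 query: fixed 8 bytes
            sub = "general" if group == "0.0.0.0" else "group-specific"
            return {"type": "query", "version": 2, "subtype": sub,
                    "group": group, "max_resp_ds": msg[1]}
        nsrcs = struct.unpack("!H", msg[10:12])[0]   # IGMPv3 query
        srcs = _addrs(msg, 12, nsrcs)
        sub = ("general" if group == "0.0.0.0" else
               "group-source-specific" if srcs else "group-specific")
        return {"type": "query", "version": 3, "subtype": sub,
                "group": group, "sources": srcs}
    if mtype in (TYPE_V1_REPORT, TYPE_V2_REPORT):
        return {"type": "report", "version": 1 if mtype == TYPE_V1_REPORT else 2,
                "group": group}
    if mtype == TYPE_LEAVE:
        return {"type": "leave", "version": 2, "group": group}
    if mtype == TYPE_V3_REPORT:
        nrecs = struct.unpack("!H", msg[6:8])[0]
        records, off = [], 8
        for _ in range(nrecs):
            rtype, auxlen, nsrcs = struct.unpack("!BBH", msg[off:off + 4])
            name, kind = RECORDS[rtype]
            records.append({"record": name, "kind": kind,
                            "group": _ip(msg[off + 4:off + 8]),
                            "sources": _addrs(msg, off + 8, nsrcs)})
            off += 8 + 4 * nsrcs + 4 * auxlen   # aux data length is in 32-bit words
        return {"type": "report", "version": 3, "records": records}
    raise ValueError("unknown IGMP type 0x%02x" % mtype)


def _finish(body: bytes) -> bytes:
    """Fill in the checksum field (bytes 2-3) of a message built with it zeroed."""
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def build_v2(mtype: int, group: str, max_resp_ds: int = 0) -> bytes:
    """8-byte IGMPv1/v2 message: query, report or leave."""
    return _finish(struct.pack("!BBH4s", mtype, max_resp_ds, 0,
                               ipaddress.IPv4Address(group).packed))


def build_v3_report(records) -> bytes:
    """records: list of (record_type, group, [sources])."""
    body = struct.pack("!BBHHH", TYPE_V3_REPORT, 0, 0, 0, len(records))
    for rtype, group, sources in records:
        body += struct.pack("!BBH4s", rtype, 0, len(sources),
                            ipaddress.IPv4Address(group).packed)
        body += b"".join(ipaddress.IPv4Address(s).packed for s in sources)
    return _finish(body)
```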

9.2 Multicast Functions
The V1624 provides various multicast functions, including Layer 2 multicast forwarding, which allow you to achieve a fully effective and flexible multicast deployment. This section describes the following features:
Multicast Forwarding Database
IGMP Snooping Basic
IGMPv2 Snooping
IGMPv3 Snooping
Displaying IGMP Snooping Information
IGMP Filtering and Throttling

9.2.1 Multicast Forwarding Database


Internally, the V1624 forwards multicast traffic by referring to the multicast forwarding database (McFDB). The McFDB maintains multicast forwarding entries collected from multicast protocols and features such as PIM and IGMP. The McFDB behaves in the same way as the Layer 2 FDB. When multicast traffic arrives on a port, the switch looks up the forwarding information (the forwarding entry) for that traffic in the McFDB. If the McFDB has an entry for the traffic, the switch forwards it to the proper ports. If the McFDB has no entry for the traffic, the switch learns the information into the McFDB and floods the traffic to all ports. If an entry is not referred to for forwarding further multicast traffic during the aging time, it is aged out of the McFDB.

9.2.1.1 Blocking Unknown Multicast Traffic


When certain multicast traffic comes to a port and the McFDB has no forwarding information for the traffic, the multicast traffic is flooded to all ports by default. You can configure the switch not to flood unknown multicast traffic. To configure the switch not to flood unknown multicast traffic, use the following command.
Command: ip unknown-multicast [port PORTS] block
Mode: Global
Description: Configures the switch not to flood unknown multicast traffic. PORTS: port number

Command: no ip unknown-multicast [port PORTS] block
Mode: Global
Description: Configures the switch to flood unknown multicast traffic. (default)

This command should not be used for the ports to which a multicast router is attached!

9.2.1.2 Forwarding Entry Aging


To specify the aging time for forwarding entries on the McFDB, use the following command.
Command: ip mcfdb aging-time <10-10000000>
Mode: Global
Description: Specifies the aging time for forwarding entries on the McFDB. 10-10000000: aging time (default: 300)

Command: no ip mcfdb aging-time
Mode: Global
Description: Deletes the specified aging time for forwarding entries.

To specify the maximum number of forwarding entries on the McFDB, use the following command.
Command: ip mcfdb aging-limit <256-65535>
Mode: Global
Description: Specifies the maximum number of forwarding entries on the McFDB. 256-65535: number of entries (default: 5000)

Command: no ip mcfdb aging-limit
Mode: Global
Description: Deletes the specified maximum number of forwarding entries.

9.2.1.3 Displaying McFDB Information


To display McFDB information, use the following command.
Command: show ip mcfdb
Mode: Top/Global/Bridge
Description: Shows the current aging time and maximum number of forwarding entries.

Command: show ip mcfdb aging-entry [vlan VLAN | group A.B.C.D] [mac-based | detail]
Mode: Top/Global/Bridge
Description: Shows the current forwarding entries. VLAN: VLAN ID (1-4094); A.B.C.D: multicast group address; mac-based: lists entries on a MAC address basis

Command: show ip mfib [detail]
Mode: Top/Global/Bridge
Description: Shows the registered L3 multicast forwarding entries in the system.

Command: show ip mfib group A.B.C.D [detail]
Command: show ip mfib vlan VLAN [detail]
Mode: Top/Global/Bridge
Description: Shows the L3 multicast forwarding entries of a specified multicast group address or VLAN ID.

To clear multicast forwarding entries, use the following command.


Command: clear ip mcfdb [* | vlan VLAN]
Mode: Top/Global
Description: Clears multicast forwarding entries. *: all forwarding entries; VLAN: VLAN ID (1-4094)

Command: clear ip mcfdb vlan VLAN group A.B.C.D source A.B.C.D
Mode: Top/Global
Description: Clears a specified forwarding entry. group: multicast group; source: multicast source
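The following is an added example, not code from the V1624 manual, modelling the McFDB lookup behaviour described in Section 9.2.1: hit, learn-and-flood on a miss, unknown-multicast blocking, entry aging and the entry limit. Keying entries by (VLAN, group) and the sample ports and times are this example's assumptions; the defaults follow the page.

```python
# Added example (not code from the V1624 manual): a model of the multicast
# forwarding database (McFDB) lookup described above: hit -> forward to the
# entry's ports, miss -> learn and flood (or block, when unknown-multicast
# blocking is on), age out entries unused for aging-time seconds, and cap
# the table at aging-limit entries. Defaults follow the page (300 s, 5000).
# Keying entries by (vlan, group) is this example's simplification.
class McFdb:
    def __init__(self, aging_time=300, aging_limit=5000, block_unknown=False):
        self.aging_time = aging_time        # 'ip mcfdb aging-time'
        self.aging_limit = aging_limit      # 'ip mcfdb aging-limit'
        self.block_unknown = block_unknown  # 'ip unknown-multicast block'
        self.entries = {}   # (vlan, group) -> {"ports": set, "last_used": float}

    def add(self, vlan, group, ports, now):
        """Install the port set learned for (vlan, group) from IGMP or PIM."""
        self.entries[(vlan, group)] = {"ports": set(ports), "last_used": now}

    def age(self, now):
        """Drop entries not referenced within aging_time seconds; return count."""
        stale = [k for k, e in self.entries.items()
                 if now - e["last_used"] >= self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def lookup(self, vlan, group, all_ports, now):
        """Return the sorted list of ports a frame for (vlan, group) goes to."""
        self.age(now)
        e = self.entries.get((vlan, group))
        if e is not None:                     # hit: refresh and forward
            e["last_used"] = now
            return sorted(e["ports"])
        if self.block_unknown:                # miss with blocking: drop
            return []
        if len(self.entries) < self.aging_limit:   # miss: learn, then flood
            self.entries[(vlan, group)] = {"ports": set(all_ports),
                                           "last_used": now}
        return sorted(all_ports)
```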

9.2.2 IGMP Snooping Basic


Layer 2 switches normally flood multicast traffic within the broadcast domain, since they have no entry in the Layer 2 forwarding table for the destination address. Multicast addresses never appear as source addresses, so a switch cannot dynamically learn them. This multicast flooding causes unnecessary bandwidth usage and forces nodes that did not want the multicast transmission to discard unwanted frames. The IGMP snooping feature was developed to avoid such flooding. The purpose of IGMP snooping is to constrain the flooding of multicast traffic at Layer 2. IGMP snooping, as the name implies, allows a switch to snoop on the IGMP transactions between hosts and routers and to maintain a multicast forwarding table built from the information acquired by snooping. When the switch receives a join request from a host for a particular multicast group, it adds the port connected to the host and the destination multicast group to the forwarding table entry; when it receives a leave message from a host, it removes the entry from the table. By maintaining this multicast forwarding table, the V1624 dynamically forwards multicast traffic only to those interfaces that want to receive it, as normal unicast forwarding does.

[Figure] Fig. 9.2 IGMP Snooping: (1) a host sends a multicast join request, which the V1624 relays toward the multicast router; (2) the V1624 forwards the multicast traffic only to the port on which the join message was received.

9.2.2.1 Enabling IGMP Snooping


The V1624 supports forwarding tables for IGMP snooping on a VLAN basis. You can enable IGMP snooping globally or on each VLAN respectively. By default, IGMP snooping is globally disabled. To enable IGMP snooping, use the following command.
Command: ip igmp snooping
Mode: Global
Description: Enables IGMP snooping globally.

Command: ip igmp snooping vlan VLANS
Mode: Global
Description: Enables IGMP snooping on a VLAN. VLANS: VLAN ID (1-4094)

To disable IGMP snooping, use the following command.


Command: no ip igmp snooping
Mode: Global
Description: Disables IGMP snooping globally.

Command: no ip igmp snooping vlan VLANS
Mode: Global
Description: Disables IGMP snooping on a VLAN. VLANS: VLAN ID (1-4094)

9.2.2.2 IGMP Snooping Version


The membership reports sent to the multicast router are sent based on the IGMP snooping version of the interface. If you statically specify the version on a certain interface, the reports are always sent out only with the specified version. If you do not statically specify the version, and a version 1 query is received on the interface, the interface dynamically sends out a version 1 report. If no version 1 query is received on the interface for the version 1 router present timeout period (400 seconds), the interface version goes back to its default value (2). To specify the IGMP snooping version, use the following command.
Command: ip igmp snooping version <1-3>
Mode: Global
Description: Configures the IGMP snooping version globally. 1-3: IGMP snooping version (default: 2)

Command: ip igmp snooping vlan VLANS version <1-3>
Mode: Global
Description: Configures the IGMP snooping version on a VLAN interface. VLANS: VLAN ID (1-4094)

To delete the specified IGMP snooping version, use the following command.
Command: no ip igmp snooping version
Command: no ip igmp snooping vlan VLANS version
Mode: Global
Description: Deletes the specified IGMP snooping version.

9.2.2.3 IGMP Snooping Robustness Value


The robustness variable allows tuning for the expected packet loss on a network. If a network is expected to be lossy, the robustness variable may be increased. When a host receives a query message containing a certain robustness variable from an IGMP snooping querier, it returns the report message as many times as the robustness variable specifies. To configure the robustness variable, use the following command.
Command: ip igmp snooping robustness-variable <1-7>
Mode: Global
Description: Configures the robustness variable. (default: 2)

Command: ip igmp snooping vlan VLANS robustness-variable <1-7>
Mode: Global
Description: Configures the robustness variable on a VLAN. VLANS: VLAN ID (1-4094)

To delete a specified robustness variable, use the following command.


Command: no ip igmp snooping robustness-variable
Command: no ip igmp snooping vlan VLANS robustness-variable
Mode: Global
Description: Deletes a specified robustness variable.

9.2.3 IGMPv2 Snooping

9.2.3.1 IGMP Snooping Querier Configuration


IGMP snooping querier should be used to support IGMP snooping in a VLAN where PIM and IGMP are not configured. When the IGMP snooping querier is enabled, the IGMP snooping querier sends out periodic general queries that trigger membership report messages from a host that wants to receive multicast traffic. The IGMP snooping querier listens to these membership reports to establish appropriate forwarding. Enabling IGMP Snooping Querier To enable the IGMP snooping querier, use the following command.
Command: ip igmp snooping querier [address A.B.C.D]
Mode: Global
Description: Enables the IGMP snooping querier globally. A.B.C.D: source address of the IGMP snooping query

Command: ip igmp snooping vlan VLANS querier [address A.B.C.D]
Mode: Global
Description: Enables the IGMP snooping querier on a VLAN. VLANS: VLAN ID (1-4094)


To disable the IGMP snooping querier, use the following command.


Command: no ip igmp snooping querier [address]
Command: no ip igmp snooping vlan VLANS querier [address]
Mode: Global
Description: Disables the IGMP snooping querier. address: source address of the IGMP snooping query

Note: If you do not specify a source address for the IGMP snooping query, the IP address configured on the VLAN is used as the source address by default. If no IP address is configured on the VLAN, 0.0.0.0 is used.

IGMP Snooping Query Interval
An IGMP snooping querier periodically sends general query messages to trigger membership report messages from hosts that want to receive IP multicast traffic. To specify the interval at which general query messages are sent, use the following command.
Command: ip igmp snooping querier query-interval <1-1800>
Mode: Global
Description: Specifies the IGMP snooping query interval in seconds. 1-1800: query interval (default: 125)

Command: ip igmp snooping vlan VLANS querier query-interval <1-1800>
Mode: Global
Description: Specifies the IGMP snooping query interval on a VLAN. VLANS: VLAN ID (1-4094)

To delete a specified interval to send general query messages, use the following command.
Command: no ip igmp snooping querier query-interval
Command: no ip igmp snooping vlan VLANS querier query-interval
Mode: Global
Description: Deletes the specified IGMP snooping query interval.

IGMP Snooping Query Response Time
Membership query messages include the maximum query response time field. This field specifies the maximum time allowed before a responding report is sent. The maximum query response time allows a router to quickly detect that there are no more hosts interested in receiving multicast traffic.


To specify a maximum query response time advertised in general query messages, use the following command.
Command: ip igmp snooping querier max-response-time <1-25>
Mode: Global
Description: Specifies the maximum query response time. 1-25: maximum response time (default: 10 seconds)

Command: ip igmp snooping vlan VLANS querier max-response-time <1-25>
Mode: Global
Description: Specifies the maximum query response time on a VLAN. VLANS: VLAN ID (1-4094)

To delete a specified maximum query response time, use the following command.
Command: no ip igmp snooping querier max-response-time
Command: no ip igmp snooping vlan VLANS querier max-response-time
Mode: Global
Description: Deletes the specified maximum query response time.

Displaying IGMP Snooping Querier Information
To display IGMP querier information and configured parameters, use the following command.
Command: show ip igmp snooping [vlan VLANS] querier [detail]
Mode: Top/Global/Bridge
Description: Shows IGMP querier information and configured parameters.

9.2.3.2 IGMP Snooping Last Member Query Interval


Upon receiving a leave message, a switch with IGMP snooping sends out a group-specific (IGMPv2) or group-source-specific (IGMPv3) query message to determine if any host is still interested in receiving the traffic. If there is no reply, the switch stops forwarding the multicast traffic. However, IGMP messages may get lost for various reasons, so you can specify the interval at which these query messages are sent. To specify the interval for group-specific or group-source-specific query messages, use the following command.
Command: ip igmp snooping last-member-query-interval <100-10000>
Mode: Global
Description: Specifies the last member query interval. 100-10000: last member query interval (default: 1000 milliseconds)

Command: ip igmp snooping vlan VLANS last-member-query-interval <100-10000>
Mode: Global
Description: Specifies the last member query interval on a VLAN. VLANS: VLAN ID (1-4094)


To delete a specified interval for sending group-specific or group-source-specific query messages, use the following command.

Command:      no ip igmp snooping last-member-query-interval
              no ip igmp snooping vlan VLANS last-member-query-interval
Mode:         Global
Description:  Deletes a specified last member query interval.

9.2.3.3 IGMP Snooping Immediate Leave

Normally, an IGMP snooping querier sends a group-specific or group-source-specific query upon receipt of a leave message from a host. If you want a leave latency of 0 (zero), you can omit the querying procedure. When the querying procedure is omitted, the switch immediately removes the entry from the forwarding table for that VLAN and informs the multicast router. To enable IGMP snooping immediate leave, use the following command.

Command:      ip igmp snooping immediate-leave
Mode:         Global
Description:  Enables IGMP snooping immediate leave globally.

Command:      ip igmp snooping port PORTS immediate-leave
Mode:         Global
Description:  Enables IGMP snooping immediate leave on a port. PORTS: port number

Command:      ip igmp snooping vlan VLANS immediate-leave
Mode:         Global
Description:  Enables IGMP snooping immediate leave on a VLAN. VLANS: VLAN ID (1-4094)

To disable IGMP snooping immediate leave, use the following command.

Command:      no ip igmp snooping immediate-leave
              no ip igmp snooping port PORTS immediate-leave
              no ip igmp snooping vlan VLANS immediate-leave
Mode:         Global
Description:  Disables IGMP snooping immediate leave.

Use this command together with the explicit host tracking feature (see Section 9.2.4.1). Without explicit host tracking, when more than one IGMP host belongs to a VLAN and one of them sends a leave group message, the switch removes the whole forwarding entry for that group on the VLAN, not just the leaving host. The remaining hosts lose the stream until they send join reports in response to the switch's next general query.


9.2.3.4 IGMP Snooping Report Suppression

When an IGMP querier sends general query messages and hosts are still interested in the multicast traffic, the hosts return membership report messages. For a multicast router, however, it is sufficient to know that at least one interested member of a group exists on the network segment. A membership report from every group member unnecessarily increases traffic on the network; one report per group is enough. When IGMP snooping report suppression is enabled, the switch suppresses membership reports from all hosts other than the first one, so that it forwards only one membership report per group in response to a general query from the multicast router. To enable IGMP snooping report suppression, use the following command.

Command:      ip igmp snooping report-suppression
Mode:         Global
Description:  Enables IGMP snooping report suppression globally.

Command:      ip igmp snooping vlan VLANS report-suppression
Mode:         Global
Description:  Enables IGMP snooping report suppression on a VLAN. VLANS: VLAN ID (1-4094)

To disable IGMP snooping report suppression, use the following command.

Command:      no ip igmp snooping report-suppression
              no ip igmp snooping vlan VLANS report-suppression
Mode:         Global
Description:  Disables IGMP snooping report suppression.

IGMP snooping report suppression applies only to IGMPv1 and IGMPv2 reports. A single IGMPv3 report can carry the information for all the groups a host is interested in, so each host already sends one report regardless of the number of groups; the number of reports is then roughly equal to the number of hosts, and report suppression is not needed.

9.2.3.5 IGMP Snooping S-Query Report Agency

When an IGMP snooping switch receives IGMP group-specific query messages from the multicast router, it normally floods them to all of its ports, and the hosts that receive the group-specific queries send report messages according to their IGMP membership status. When the V1624 is enabled as an IGMP snooping S-Query report agent, however, the group-specific queries are not sent downstream. Instead, the switch terminates the query and sends an IGMP report itself if it has a receiver for the group. To enable IGMP snooping S-Query report agency, use the following command.

Command:      ip igmp snooping s-query-report agency
Mode:         Global
Description:  Enables IGMP snooping s-query-report agency.


To disable IGMP snooping S-Query report agency, use the following command.

Command:      no ip igmp snooping s-query-report agency
Mode:         Global
Description:  Disables IGMP snooping s-query-report agency.

9.2.3.6 Multicast Router Port Configuration

A multicast router port is a port directly connected to a multicast router. The switch adds multicast router ports to the forwarding table so that membership reports are forwarded only to those ports. Multicast router ports can be statically specified or dynamically learned from incoming IGMP queries and PIM hello packets.

Static Multicast Router Port

You can statically configure a Layer 2 port that is directly connected to a multicast router as the multicast router port, giving a static connection to the multicast router. To specify a multicast router port, use the following command.

Command:      ip igmp snooping mrouter port {PORTS | cpu}
Mode:         Global
Description:  Specifies a multicast router port globally. PORTS: port number

Command:      ip igmp snooping vlan VLANS mrouter port {PORTS | cpu}
Mode:         Global
Description:  Specifies a multicast router port on a VLAN. VLANS: VLAN ID (1-4094)

To delete a specified multicast router port, use the following command.

Command:      no ip igmp snooping mrouter port {PORTS | cpu}
              no ip igmp snooping vlan VLANS mrouter port {PORTS | cpu}
Mode:         Global
Description:  Deletes a specified multicast router port.

Multicast Router Port Learning

Multicast router ports are added to the forwarding table for every Layer 2 multicast entry. The switch can learn those ports dynamically by snooping on PIM hello packets. To enable the switch to learn multicast router ports through PIM hello packets, use the following command.

Command:      ip igmp snooping mrouter learn pim
Mode:         Global
Description:  Enables learning multicast router ports through PIM hello packets globally.

Command:      ip igmp snooping vlan VLANS mrouter learn pim
Mode:         Global
Description:  Enables learning multicast router ports through PIM hello packets on a VLAN. VLANS: VLAN ID (1-4094)


To disable learning multicast router ports through PIM hello packets, use the following command.

Command:      no ip igmp snooping mrouter learn pim
              no ip igmp snooping vlan VLANS mrouter learn pim
Mode:         Global
Description:  Disables learning multicast router ports through PIM hello packets.

Multicast Router Port Forwarding

Multicast traffic should be forwarded both to IGMP snooping membership ports and to multicast router ports, because the multicast router needs to receive multicast source information. To enable or disable forwarding of multicast traffic to the multicast router ports, use the following command.

Command:      ip multicast mrouter-pass-through
Mode:         Global
Description:  Enables the switch to forward multicast traffic to the multicast router ports.

Command:      no ip multicast mrouter-pass-through
Mode:         Global
Description:  Disables forwarding multicast traffic to the multicast router ports.

Displaying Multicast Router Port

To display the current multicast router ports for IGMP snooping, use the following command.

Command:      show ip igmp snooping mrouter
Mode:         Top, Global, Bridge
Description:  Shows the current multicast router ports for IGMP snooping globally.

Command:      show ip igmp snooping vlan VLANS mrouter
Mode:         Top, Global, Bridge
Description:  Shows the current multicast router ports for IGMP snooping on a specified VLAN. VLANS: VLAN ID (1-4094)

9.2.3.7 TCN Multicast Flooding

When a network topology change occurs, link-layer topology protocols such as spanning tree protocol (STP) or Ethernet ring protection (ERP) notify the switches in the topology with a topology change notification (TCN). When a TCN is received, a switch running IGMP snooping floods multicast traffic to all ports in the VLAN, since a topology change in the VLAN may have invalidated previously learned IGMP snooping information. This flooding is undesirable if the switch has many ports subscribed to different groups: the flooded traffic may exceed the capacity of the link between the switch and an end host and cause packet loss. The period of multicast flooding therefore needs to be controlled.


Enabling TCN Multicast Flooding

To enable the switch to flood multicast traffic when a TCN is received, use the following command.

Command:      ip igmp snooping tcn flood
Mode:         Global
Description:  Enables the switch to flood multicast traffic when a TCN is received.

Command:      ip igmp snooping tcn vlan VLANS flood
Mode:         Global
Description:  Enables the switch to flood multicast traffic on a VLAN when a TCN is received. VLANS: VLAN ID (1-4094)

To disable flooding of multicast traffic when a TCN is received, use the following command.

Command:      no ip igmp snooping tcn flood
              no ip igmp snooping tcn vlan VLANS flood
Mode:         Global
Description:  Disables flooding multicast traffic when a TCN is received.

TCN Flooding Suppression

When a TCN is received, a switch running IGMP snooping floods multicast traffic to all ports until it has received two general queries, or by default for two general query intervals. You can instead configure the switch to stop flooding after a specified query count or query interval. To specify the query count after which multicast flooding stops, use the following command.

Command:      ip igmp snooping tcn flood query count <1-10>
Mode:         Global
Description:  Specifies a query count to stop multicast flooding. 1-10: query count value (default: 2)

Command:      no ip igmp snooping tcn flood query count
Mode:         Global
Description:  Deletes a specified query count to stop multicast flooding.

To specify the query interval used to stop multicast flooding, use the following command.

Command:      ip igmp snooping tcn flood query interval <1-1800>
Mode:         Global
Description:  Specifies a query interval, in seconds, to stop multicast flooding. The actual stop-flooding interval is (query count) x (query interval). 1-1800: query interval value (default: 125)

Command:      no ip igmp snooping tcn flood query interval
Mode:         Global
Description:  Deletes a specified query interval to stop multicast flooding.


TCN Flooding Query Solicitation

Typically, when a network topology change occurs, the spanning tree root switch issues a query solicitation, which is a global leave message with the group address 0.0.0.0. When a multicast router receives this solicitation, it immediately sends IGMP general queries to the hosts, allowing fast convergence. You can direct a switch running IGMP snooping to send a query solicitation when a TCN is received. To enable this, use the following command.

Command:      ip igmp snooping tcn query solicit [address A.B.C.D]
Mode:         Global
Description:  Enables the switch to send a query solicitation when a TCN is received. address: source IP address for the query solicitation

To disable sending a query solicitation when a TCN is received, use the following command.

Command:      no ip igmp snooping tcn query solicit [address]
Mode:         Global
Description:  Disables sending a query solicitation when a TCN is received.

TCN Flooding Debug

To enable or disable debugging of the TCN flooding feature, use the following command.

Command:      debug igmp snooping tcn
Mode:         Top
Description:  Enables IGMP snooping TCN flooding debugging.

Command:      no debug igmp snooping tcn
Mode:         Top
Description:  Disables IGMP snooping TCN flooding debugging.

9.2.4 IGMPv3 Snooping

9.2.4.1 Explicit Host Tracking

Explicit host tracking is one of the key IGMP snooping features. The switch builds an explicit tracking database from the host information carried in the membership reports that hosts send. This database is used for immediate leave for IGMPv2 hosts, immediate block for IGMPv3 hosts, and IGMP statistics collection. To enable explicit host tracking, use the following command.

Command:      ip igmp snooping explicit-tracking
Mode:         Global
Description:  Enables explicit host tracking globally.

Command:      ip igmp snooping vlan VLANS explicit-tracking
Mode:         Global
Description:  Enables explicit host tracking on a VLAN. VLANS: VLAN ID (1-4094)


To disable explicit host tracking, use the following command.

Command:      no ip igmp snooping explicit-tracking
Mode:         Global
Description:  Disables explicit host tracking globally.

Command:      no ip igmp snooping vlan VLANS explicit-tracking
Mode:         Global
Description:  Disables explicit host tracking on a VLAN. VLANS: VLAN ID (1-4094)

You can also limit the number of hosts tracked on a port, both for switch performance and as a protection against a single port filling the tracking database with host entries. To specify the maximum number of hosts on a port, use the following command.

Command:      ip igmp snooping explicit-tracking max-hosts port PORTS count <1-65535>
Mode:         Global
Description:  Specifies the maximum number of hosts on a port. PORTS: port number; 1-65535: maximum number of hosts (default: 1024)

Command:      no ip igmp snooping explicit-tracking max-hosts port PORTS
Mode:         Global
Description:  Deletes the specified maximum number of hosts.

To stop the switch from sending a group-specific query to the remaining member hosts when one of them leaves the group, use the following command.

Command:      ip igmp snooping explicit-tracking s-query-suppression
Mode:         Global
Description:  Does not send a group-specific query to member hosts after one of them sends a leave message on a VLAN.

Command:      no ip igmp snooping explicit-tracking s-query-suppression
Mode:         Global
Description:  Sends a group-specific query to member hosts after one of them sends a leave message on a VLAN (default).

To display the explicit tracking information, use the following command.

Command:      show ip igmp snooping explicit-tracking
Mode:         Top, Global, Bridge
Description:  Shows the explicit host tracking information globally.

Command:      show ip igmp snooping explicit-tracking vlan VLANS
Mode:         Top, Global, Bridge
Description:  Shows the explicit host tracking information per VLAN. VLANS: VLAN ID (1-4094)

Command:      show ip igmp snooping explicit-tracking port PORTS
Mode:         Top, Global, Bridge
Description:  Shows the explicit host tracking information per port. PORTS: port number

Command:      show ip igmp snooping explicit-tracking group A.B.C.D
Mode:         Top, Global, Bridge
Description:  Shows the explicit host tracking information per group. A.B.C.D: multicast group address

Explicit host tracking is enabled by default.


9.2.4.2 IGMPv3 Snooping Immediate Block

The IGMPv3 immediate block feature lets the switch stop forwarding traffic from particular sources to a host with a block latency of 0 (zero), by consulting the explicit tracking database. When the switch receives a membership report with a state-change record from a host that is no longer interested in receiving multicast traffic from a certain source, it compares the source list recorded for that host in the explicit tracking database with the source list in the received report. If the two match, the switch removes the source entry from the database and stops forwarding that multicast traffic to the host; no group-source-specific query is needed for the leave process. To enable IGMPv3 immediate block, use the following command.

Command:      ip igmp snooping immediate-block
Mode:         Global
Description:  Enables immediate block globally.

Command:      ip igmp snooping vlan VLANS immediate-block
Mode:         Global
Description:  Enables immediate block on a VLAN. VLANS: VLAN ID (1-4094)

To disable IGMPv3 immediate block, use the following command.

Command:      no ip igmp snooping immediate-block
Mode:         Global
Description:  Disables immediate block globally.

Command:      no ip igmp snooping vlan VLANS immediate-block
Mode:         Global
Description:  Disables immediate block on a VLAN. VLANS: VLAN ID (1-4094)
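The following is an added example, not code from the V1624 or from Dasan Networks: a toy IGMP snooping forwarding table that shows what the immediate leave caveat in Section 9.2.3.3 and the source-list comparison in Section 9.2.4.2 actually do to the table. The ports, host identifiers and group addresses are constructed for the example, and the table keeps only the fields needed to show the two behaviours.

```python
"""Added example (not the V1624's own code): a toy IGMP snooping forwarding
table showing (a) why immediate leave (9.2.3.3) needs explicit host tracking
and (b) how IGMPv3 immediate block compares tracked source lists.  Ports,
host identifiers and group addresses are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class SnoopingTable:
    explicit_tracking: bool = True
    immediate_leave: bool = True
    immediate_block: bool = True
    # explicit tracking database: group -> port -> set of host ids
    hosts: dict = field(default_factory=dict)
    # (group, port, host) -> IGMPv3 source list; empty set = any source
    sources: dict = field(default_factory=dict)
    # group-specific queries the switch would have to send instead
    pending_queries: list = field(default_factory=list)

    def report(self, group, port, host, srcs=()):
        """IGMPv2 membership report, or an IGMPv3 record listing sources."""
        # Without tracking, every host on the port collapses to one entry.
        key = host if self.explicit_tracking else "*"
        self.hosts.setdefault(group, {}).setdefault(port, set()).add(key)
        self.sources.setdefault((group, port, key), set()).update(srcs)

    def member_ports(self, group):
        return sorted(p for p, h in self.hosts.get(group, {}).items() if h)

    def leave(self, group, port, host):
        """IGMPv2 leave group message from one host on a port."""
        ports = self.hosts.get(group, {})
        if port not in ports:
            return
        if not self.immediate_leave:
            # Default behaviour: ask the other hosts with a group-specific query.
            self.pending_queries.append((group, port))
            return
        if self.explicit_tracking:
            # Only the leaving host is dropped; the port stays while others remain.
            ports[port].discard(host)
            self.sources.pop((group, port, host), None)
        else:
            # The switch cannot tell hosts apart, so the whole entry goes and
            # the other members lose the stream until the next general query.
            ports[port].clear()
        if not ports[port]:
            del ports[port]

    def block(self, group, port, host, srcs):
        """IGMPv3 BLOCK_OLD_SOURCES record: returns True if blocked immediately."""
        key = (group, port, host)
        tracked = self.sources.get(key)
        usable = self.immediate_block and self.explicit_tracking and tracked is not None
        if usable and tracked == set(srcs):
            # Lists match: drop the entry with zero latency, no query needed.
            del self.sources[key]
            self.hosts[group][port].discard(host)
            if not self.hosts[group][port]:
                del self.hosts[group][port]
            return True
        # Mismatch or no database entry: fall back to a group-source-specific query.
        self.pending_queries.append((group, port))
        return False


def immediate_leave_demo(tracking):
    """Two hosts on port 3; host h1 leaves.  Returns the ports still forwarded."""
    t = SnoopingTable(explicit_tracking=tracking)
    t.report("239.1.1.1", port=3, host="h1")
    t.report("239.1.1.1", port=3, host="h2")
    t.leave("239.1.1.1", port=3, host="h1")
    return t.member_ports("239.1.1.1")


def immediate_block_demo():
    """A partial block list does not match the tracked list; the full one does."""
    t = SnoopingTable()
    t.report("232.1.1.1", port=5, host="h9", srcs={"10.0.0.1", "10.0.0.2"})
    partial = t.block("232.1.1.1", port=5, host="h9", srcs={"10.0.0.1"})
    full = t.block("232.1.1.1", port=5, host="h9", srcs={"10.0.0.1", "10.0.0.2"})
    return partial, full, t.member_ports("232.1.1.1"), len(t.pending_queries)


if __name__ == "__main__":
    print("with tracking:", immediate_leave_demo(True))      # [3]
    print("without tracking:", immediate_leave_demo(False))  # []
    print("immediate block:", immediate_block_demo())        # (False, True, [], 1)
```

With tracking enabled, h2 keeps port 3 in the forwarding entry after h1 leaves; without it, the leave clears the port and h2 is cut off until the next general query, which is the failure mode the Section 9.2.3.3 note warns about. The block demo shows that a state-change record whose source list does not match the tracked list is not honoured immediately and falls back to a query.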

IGMPv3 immediate block is enabled by default.

9.2.5 Displaying IGMP Snooping Information


To display the current IGMP snooping configuration, use the following command.

Command:      show ip igmp snooping [vlan VLANS]
Mode:         Top, Global, Bridge
Description:  Shows the current IGMP snooping configuration. VLANS: VLAN ID (1-4094)

To display the IGMP snooping table, use the following command.

Command:      show ip igmp snooping groups [A.B.C.D | mac-based]
Mode:         Top, Global, Bridge
Description:  Shows the IGMP snooping table globally. A.B.C.D: multicast group address; mac-based: lists groups on a MAC address basis.

Command:      show ip igmp snooping groups port {PORTS | cpu} [mac-based]
Mode:         Top, Global, Bridge
Description:  Shows the IGMP snooping table per port. PORTS: port number

Command:      show ip igmp snooping groups vlan VLANS [mac-based]
Mode:         Top, Global, Bridge
Description:  Shows the IGMP snooping table per VLAN. VLANS: VLAN ID (1-4094)


To display the collected IGMP snooping statistics, use the following command.

Command:      show ip igmp snooping stats port {PORTS | cpu}
Mode:         Top, Global
Description:  Shows the statistics of IGMP snooping control packets. PORTS: port number

To clear the collected IGMP snooping statistics, use the following command.

Command:      clear ip igmp snooping stats port [PORTS | cpu]
Mode:         Top, Global
Description:  Clears the collected IGMP snooping statistics. PORTS: port number

9.2.6 IGMP Filtering and Throttling

IGMP filtering and throttling control the distribution of multicast services on each port. IGMP filtering controls which multicast groups a host on a port can join: an IGMP profile, which contains one or more IGMP group ranges and specifies whether access to those groups is permitted or denied, is associated with the port. The IGMP profile must therefore be configured before IGMP filtering. IGMP throttling limits the maximum number of IGMP groups that hosts on a port can join. Note that both IGMP filtering and throttling act only on membership reports (join messages) from hosts; they do not control the multicast streams themselves.

9.2.6.1 IGMP Filtering

Creating IGMP Profile

You configure an IGMP profile for IGMP filtering in IGMP Profile Configuration mode. The system prompt changes from SWITCH(config)# to SWITCH(config-igmpprofile[N])#. To create or modify an IGMP profile, use the following command.

Command:      ip igmp profile <1-2147483647>
Mode:         Global
Description:  Creates or modifies an IGMP profile. 1-2147483647: IGMP profile number

Command:      no ip igmp profile <1-2147483647>
Mode:         Global
Description:  Deletes a created IGMP profile.

IGMP Group Range

To specify an IGMP group range to which IGMP filtering applies, use the following command.

Command:      range A.B.C.D [A.B.C.D]
Mode:         IGMP Profile
Description:  Specifies a range of IGMP groups. First A.B.C.D: low multicast address; second A.B.C.D: high multicast address

Command:      no range A.B.C.D [A.B.C.D]
Mode:         IGMP Profile
Description:  Deletes a specified range of IGMP groups.


A single IGMP group address (the low address only) is also possible.

IGMP Filtering Policy

To specify whether access to the IGMP group ranges in the profile is permitted or denied, use the following command.

Command:      {permit | deny}
Mode:         IGMP Profile
Description:  Specifies the action for the IGMP group ranges in the profile.

Enabling IGMP Filtering

To enable IGMP filtering on a port, a configured IGMP profile must be applied to the port. To apply an IGMP profile to ports, use the following command.

Command:      ip igmp filter port PORTS profile <1-2147483647>
Mode:         Global
Description:  Applies an IGMP profile to ports. PORTS: port number; 1-2147483647: IGMP profile number

Command:      no ip igmp filter port PORTS
Mode:         Global
Description:  Releases an applied IGMP profile.

Before enabling IGMP filtering, keep the following restrictions in mind:

- Multiple IGMP profiles cannot be applied to a single port.
- IGMP snooping must be enabled before enabling IGMP filtering.
- To delete a created IGMP profile, it must first be released from all ports it is applied to.
- IGMP filtering only supports IGMPv2.

To discard or allow IGMP messages by message type on a port, use the following command.

Command:      ip igmp filter port PORTS packet type {reportv1 | reportv2 | reportv3 | query | leave | all}
Mode:         Global
Description:  Filters (drops) the specified IGMP message types on the port.

Command:      no ip igmp filter port PORTS packet type {reportv1 | reportv2 | reportv3 | query | leave | all}
Mode:         Global
Description:  Stops filtering the specified IGMP message types on the port.
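The following is an added example, not code from the V1624 or from Dasan Networks. It serves two passages: the query solicitation of Section 9.2.3.7 (an IGMPv2 Leave Group message for group 0.0.0.0, with the one's-complement checksum every IGMP message carries) and the per-port packet-type filter above, which needs the message type of each received IGMP packet. The type codes are the standard IGMP values; the sample messages in demo() are constructed for the example.

```python
"""Added example (not the V1624's own code): building the query solicitation
from 9.2.3.7 (an IGMPv2 Leave Group message for group 0.0.0.0, with the RFC 1071
checksum every IGMP message carries) and classifying received IGMP messages into
the packet types the 'ip igmp filter port PORTS packet type' command accepts.
The sample messages in demo() are constructed for the example."""
import struct

IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE, IGMP_V3_REPORT = 0x11, 0x12, 0x16, 0x17, 0x22
TYPE_NAMES = {IGMP_QUERY: "query", IGMP_V1_REPORT: "reportv1", IGMP_V2_REPORT: "reportv2",
              IGMP_LEAVE: "leave", IGMP_V3_REPORT: "reportv3"}


def igmp_checksum(data):
    """One's-complement sum over the whole IGMP message (RFC 1071), complemented.
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_v2_message(msg_type, group, max_resp=0):
    """8-byte IGMPv1/v2 message: type, max response time (1/10 s), checksum, group."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, bytes(int(o) for o in group.split(".")))
    return body[:2] + struct.pack("!H", igmp_checksum(body)) + body[4:]


def build_query_solicitation():
    """Global leave (group 0.0.0.0) that makes the router send general queries at once."""
    return build_v2_message(IGMP_LEAVE, "0.0.0.0")


def classify(msg):
    """Return the filter keyword for an IGMP message, or None if it is malformed."""
    if len(msg) < 8 or igmp_checksum(msg) != 0:
        return None   # short or corrupt: a snooping switch should not act on it
    return TYPE_NAMES.get(msg[0])


def is_query_solicitation(msg):
    return classify(msg) == "leave" and msg[4:8] == bytes(4)


def filter_port(msgs, blocked):
    """Apply a per-port packet-type filter; 'all' drops every IGMP message."""
    if "all" in blocked:
        return []
    return [m for m in msgs if classify(m) is not None and classify(m) not in blocked]


def demo():
    v3_report = bytes([IGMP_V3_REPORT, 0, 0, 0, 0, 0, 0, 0])   # header only, zero records
    v3_report = v3_report[:2] + struct.pack("!H", igmp_checksum(v3_report)) + v3_report[4:]
    msgs = [
        build_v2_message(IGMP_QUERY, "0.0.0.0", max_resp=100),
        build_v2_message(IGMP_V2_REPORT, "239.1.1.1"),
        build_query_solicitation(),
        v3_report,
        b"\x17\x00\x00\x00\x00\x00\x00\x00",   # leave with a bad checksum
    ]
    kept = filter_port(msgs, {"leave"})
    return [classify(m) for m in msgs], [classify(m) for m in kept]


if __name__ == "__main__":
    print(build_query_solicitation().hex())  # 1700e8ff00000000
    print(demo())
```

The bad-checksum message is classified as None and dropped regardless of the filter, which is the behaviour you want from a snooping switch: a corrupt or spoofed IGMP leave should never clear forwarding state. Filtering "leave" on an access port, as the demo does, is one way to stop an untrusted host from issuing a global leave that triggers router queries on the whole segment.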


9.2.6.2 IGMP Throttling

You can configure the maximum number of multicast groups that hosts on a port can join. To specify the maximum number of IGMP groups per port, use the following command.

Command:      ip igmp max-groups port PORTS count <1-2147483647>
Mode:         Global
Description:  Specifies the maximum number of IGMP groups that hosts on the specified ports can join. PORTS: port number; 1-2147483647: number of IGMP groups

Command:      ip igmp max-groups port all count <1-2147483647>
Mode:         Global
Description:  Specifies the maximum number of IGMP groups that hosts on all ports can join.

Command:      no ip igmp max-groups port {PORTS | all}
Mode:         Global
Description:  Deletes a specified maximum number of IGMP groups.

To specify the maximum number of IGMP groups for the system, use the following command.

Command:      ip igmp max-groups system count <1-2147483647>
Mode:         Global
Description:  Specifies the maximum number of IGMP groups that hosts in the system can join. 1-2147483647: number of IGMP groups

Command:      no ip igmp max-groups system
Mode:         Global
Description:  Deletes a specified maximum number of IGMP groups.
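The following is an added example, not code from the V1624 or from Dasan Networks: the admission decision that IGMP filtering (Section 9.2.6.1) and throttling (Section 9.2.6.2) make for each membership report, modelled in Python so the interaction of a profile's permit/deny action, single-address and range entries, and the per-port, all-port and system group limits can be seen on sample reports. Profile numbers, ports and group addresses are constructed for the example; the CLI commands quoted in comments are the ones from this section.

```python
"""Added example (not the V1624's own code): the per-report admission decision
that IGMP filtering (profile ranges + permit/deny, 9.2.6.1) and throttling
(max-groups per port, for all ports and for the system, 9.2.6.2) make.  Profile
numbers, ports and group addresses are constructed for the example."""
import ipaddress


class IgmpProfile:
    """ip igmp profile N  +  {permit | deny}  +  range LOW [HIGH] ..."""

    def __init__(self, number, action):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.number, self.action, self.ranges = number, action, []

    def range(self, low, high=None):
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo   # single address
        if hi < lo:
            raise ValueError("high address below low address")
        if not (lo.is_multicast and hi.is_multicast):
            raise ValueError("profile ranges must be multicast addresses")
        self.ranges.append((lo, hi))
        return self

    def matches(self, group):
        g = ipaddress.IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)


class IgmpFilter:
    def __init__(self):
        self.port_profile = {}     # ip igmp filter port P profile N (one per port)
        self.port_max = {}         # ip igmp max-groups port P count N
        self.all_ports_max = None  # ip igmp max-groups port all count N
        self.system_max = None     # ip igmp max-groups system count N
        self.joined = {}           # port -> set of groups currently joined

    def admit(self, port, group, version=2):
        """Decide on a membership report: (admitted, reason).  Only reports are
        policed; streams already being forwarded are not touched by this check."""
        prof = self.port_profile.get(port)
        if prof is not None and version == 2:       # filtering supports IGMPv2 only
            if prof.matches(group) != (prof.action == "permit"):
                return False, "denied by profile %d" % prof.number
        joined = self.joined.setdefault(port, set())
        if group in joined:
            return True, "already a member"
        limit = self.port_max.get(port, self.all_ports_max)
        if limit is not None and len(joined) >= limit:
            return False, "port limit %d reached" % limit
        total = sum(len(g) for g in self.joined.values())
        if self.system_max is not None and total >= self.system_max:
            return False, "system limit %d reached" % self.system_max
        joined.add(group)
        return True, "joined"


def demo():
    f = IgmpFilter()
    permit = IgmpProfile(1, "permit").range("239.10.0.0", "239.10.255.255").range("239.255.1.1")
    deny = IgmpProfile(2, "deny").range("239.0.0.0", "239.255.255.255")
    f.port_profile[1] = permit
    f.port_profile[3] = deny
    f.port_max[1] = 2
    f.system_max = 4
    checks = [
        f.admit(1, "239.10.5.5"),   # permitted range
        f.admit(1, "239.20.1.1"),   # outside the permit ranges
        f.admit(1, "239.255.1.1"),  # single-address range entry
        f.admit(1, "239.10.7.7"),   # port 1 already at its limit of 2
        f.admit(3, "239.1.1.1"),    # inside the deny range
        f.admit(3, "224.0.1.1"),    # outside the deny range
        f.admit(2, "239.20.1.1"),   # no profile on port 2
        f.admit(2, "239.20.1.2"),   # system limit of 4 reached
    ]
    return [ok for ok, _ in checks]


if __name__ == "__main__":
    print(demo())  # [True, False, True, False, False, True, True, False]
```

Note that a port limit is checked before the system limit, so a port that is still under its own count can still be refused once the system-wide count is exhausted; when sizing the system limit, add up the per-port limits you expect to be in use at the same time.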

9.2.6.3 Displaying IGMP Filtering and Throttling

To display the configuration for IGMP filtering and throttling, use the following command.

Command:      show ip igmp filter [port PORTS]
Mode:         Top, Global, Bridge
Description:  Shows the configuration for IGMP filtering and throttling. PORTS: port number

To display existing IGMP profiles, use the following command.

Command:      show ip igmp profile [<1-2147483647>]
Mode:         Top, Global, Bridge
Description:  Shows existing IGMP profiles. 1-2147483647: IGMP profile number


10 System Software Upgrade

New system software may be released for system enhancement and stability. With it, the V1624 can be upgraded without any hardware change. You can upgrade the system software with the upgrade functionality provided in the CLI.

10.1 General Upgrade

The V1624 supports dual system software images: you can select which of the two images stored in the system to run, for reasons such as compatibility or stability. To upgrade the system software of the switch, use the following command.

Command:      upgrade {ftp | tftp} A.B.C.D FILENAME {os1 | os2}
Mode:         Global
Description:  Upgrades the system software of the switch via FTP or TFTP. A.B.C.D: FTP/TFTP server address; FILENAME: system software file name; os1 | os2: the area where the system software is stored

To upgrade the system software, an FTP or TFTP server must be set up first. With the upgrade command, the switch downloads the new system software from the server. To run the upgraded system software, the switch must be restarted with the reload command; see Section 4.1.7.1. Note that FTP and TFTP carry both the login credentials and the image in cleartext, so run the upgrade from a management network you trust, and check the image versions with show flash before reloading. The following is an example of upgrading the system software stored in os1.

SWITCH(config)# upgrade ftp 10.100.158.144 V16XX.3.15.x os1
FTP User Name:root
FTP Password:vertex25
Hash mark printing on (1024 bytes/hash mark).
Downloading NOS ....
##############################################################################
##############################################################################
##############################################################################
(Omitted)
##############################################################################
##############################################################################
###########
6154904 bytes download OK.
SWITCH(config)#


SWITCH(config)# show flash
Flash Information(Bytes)
-------------------------------------------------------
Area             total      used       free
Os1 (default)    7340032    6154904    1185128   3.15 #4499
Os2              7340032    6154904    1185128   3.10 #4412
Config           524288     215048     309240
Boot             1048576    1048576    0
Etc              524288     524288     0
Total            16777216   14097720   2679496
-------------------------------------------------------
SWITCH(config)# exit
SWITCH# reload
Warning : Changed configuration was not saved to flash memory. Do you still want to reload the system?[y|N]

10.2 FTP Upgrade

The system software of the V1624 can also be upgraded by pushing the image to the switch with an FTP client. This lets system administrators upgrade the system remotely with a familiar interface. To upgrade the system software using FTP, perform the following steps:

Step 1 Connect to the V1624 with your FTP client software. To log in to the system, use the system user ID and password.

Note that you must use a command line FTP client when upgrading the V1624. If you use a graphical FTP client, the system cannot recognize the upgraded software.

Step 2 Set the file transfer mode to binary mode using the following command.

Command:      bin
Mode:         FTP
Description:  Sets the file transfer mode to binary mode.

Step 3 Enable printing of hash marks while a file is transferred using the following command.

Command:      hash
Mode:         FTP
Description:  Prints hash marks while a file is being transferred.

Step 4 Upload the new system software using the following command.

Command:      put FILENAME {os1 | os2}
Mode:         FTP
Description:  Uploads the system software. FILENAME: system software file name; os1 | os2: the area where the system software is stored


Step 5 Exit the FTP client using the following command.

Command:      exit
Mode:         FTP
Description:  Exits the FTP client.

To run the uploaded system software, the system must be restarted with the reload command. For more information, see Section 4.1.7.1. The following is an example of upgrading the system software of the V1624 remotely with the FTP client provided by Microsoft Windows XP.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ftp 10.27.41.84
Connected to 10.27.41.84.
220 FTP Server 1.2.4 (FTPD)
User (10.27.41.84:(none)): root
331 Password required for root.
Password:vertex25
230 User root logged in.
ftp> bin
200 Type set to I.
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> put V16XX.3.15.x os1
200 PORT command successful.
150 Opening BINARY mode data connection for os1.
##############################################################################
##############################################################################
##############################################################################
(Omitted)
##############################################################################
##############################################################################
#########################################
226 Transfer complete.
ftp: 6154904 bytes sent in 88.57Seconds 69.49Kbytes/sec.
ftp> bye
221 Goodbye.

C:\>


10.3 Auto Upgrade

For efficient system maintenance, the V1624 provides auto upgrade of the system software in a stacking environment: you can upgrade the system software of the stacked slave switches from the master switch. To upgrade the system software of a slave switch in the stacking environment, use the following command on the master switch.

Command:      auto-upgrade NODE USER-ID PASSWORD
Mode:         Top
Description:  Upgrades the system software of the slave switch. NODE: target switch's node ID; USER-ID: target switch's user ID; PASSWORD: target switch's password

The auto-upgrade command upgrades the system software of the slave switch with the current default system software of the master switch. You can see the node ID of the slave switch with the show stack command; for more information, see Section 8.6. To run the upgraded system software, the slave switch must be restarted. The following is an example of upgrading the system software of a slave switch from the master switch.

SWITCH# show stack
device : br1
node ID : 1
node  MAC address        status  type   name    port
1     00:d0:cb:26:75:77  active  V1624  SWITCH  26
2     00:d0:cb:11:9b:fc  active  V1624  SWITCH  26

SWITCH# auto-upgrade 2 root vertex25
Upgrade NOS to slave[2] is started.
Please wait a moment while upgrading...
Upgrade success.
6154904 bytes upload OK.
Do you want to reload slave[2] system ? [y/n]
SWITCH#


11 Abbreviations

ARP          Address Resolution Protocol
CE           Communauté Européenne
CLI          Command Line Interface
DA           Destination Address
DHCP         Dynamic Host Configuration Protocol
DSCP         Differentiated Service Code Point
EN           Europäische Norm (European Standard)
FE           Fast Ethernet
FTP          File Transfer Protocol
GB           Gigabyte
GE           Gigabit Ethernet
HW           Hardware
ID           Identifier
IEC          International Electrotechnical Commission
IEEE 802     Standards for Local and Metropolitan Area Networks
IEEE 802.1   Glossary, Network Management, MAC Bridges, and Internetworking
IEEE         Institute of Electrical and Electronic Engineers
IGMP         Internet Group Management Protocol
IP           Internet Protocol
ISP          Internet Service Provider
L2           Layer 2
LACP         Link Aggregation Control Protocol
LAN          Local Area Network
MAC          Medium Access Control
NE           Network Element
OS           Operating System
PC           Personal Computer
PPP          Point to Point Protocol
QoS          Quality of Service
RFC          Request for Comments
RSTP         Rapid Spanning Tree Protocol


SNMP         Simple Network Management Protocol
STP          Spanning Tree Protocol
SW           Software
TCP          Transmission Control Protocol
UDP          User Datagram Protocol
UMN          User Manual
VID          VLAN ID
VLAN         Virtual Local Area Network
