V1624
UMN:CLI
User Manual
DPW:G-S-1624H0-04
Issue History
Issue Number  Date of Issue  Reason for Update
01            05/2008        Initial release
This document consists of a total of 233 pages. All pages are issue 1.
Contents
1 Introduction 13
1.1 Audience 13
1.2 Document Structure 13
1.3 Document Convention 14
1.4 Document Notation 14
1.5 Virus Protection 15
1.6 CE Declaration of Conformity 15
1.7 GPL/LGPL Warranty and Liability Exclusion 15
2.1 System Features 18
3.1 Command Mode 21
Top Mode 22
Global Configuration Mode 22
Bridge Configuration Mode 23
DHCP Pool Configuration Mode 24
DHCP Option 82 Configuration Mode 24
Interface Configuration Mode 25
RMON Configuration Mode 25
3.2 Useful Tips 26
Listing Available Commands 26
Calling Command History 27
Using Abbreviation 28
Exit Current Command Mode 28
Enabling 802.1x 35
Configuring Authentication Port 36
Designating User Authentication Interface 36
Configuring RADIUS Server 36
The Number of Request for Authentication 37
Re-attempt Interval of Authentication Request 38
Configuring Term of Re-authentication 39
Client Authentication through MAC Address 40
Checking and Deleting 802.1x User Authentication Statistics 42
Disabling 802.1x User Authentication 43
Configuring Authorization Method 44
Designating User Authentication Interface 44
Configuring Priority of Authorization Method 44
Checking Configured Priority of Authorization Method 45
Configuring RADIUS 46
Configuring RADIUS Server 46
Configuring Frequency of Retransmit 46
Configuring Timeout of Response 46
Configuring TACACS Server 47
Selecting Authorization Type 48
Configuring Timeout of Response 48
Recording Users Configuration 48
Assigning IP Address on Network Interface 49
Configuring Default Gateway 50
Output Condition of Terminal Screen 64
Domain Name Server (DNS) 65
Login Banner 66
Checking Switch Configuration 68
Saving Configuration 68
Restore Factory Default 69
Configuration Backup 69
Network Connection 71
Packet Route 73
Cable Length 73
Accessed User through Telnet 74
Destination Information 74
MAC Table 75
Aging time 75
Running Time of Switch 76
System Information 76
Checking Average of CPU Utilization 76
CPU Statistics Limit 77
CPU Process 78
Utilization of Memory 79
Version of System Image 79
Size of the System Image File 79
Installed OS 80
Assigning Default OS 80
Switch Status 80
Cable Diagnostics 81
Configuring IP Address of SNMP Agent 88
SNMP Configuration 88
Deleting SNMP 89
7.2 RMON 89
Configuring RMON History 89
Assigning Source Port of Statistical Data 90
Identifying Subject of RMON History 91
Configuring Number of Sample Data 91
Configuring Interval of Sample Inquiry 91
Activating RMON History 92
Deleting and Changing Configuration of RMON History 92
Identifying Subject of RMON Alarm 94
Configuring Object of Sample Inquiry 94
Configuring Absolute Comparison and Delta Comparison 94
Configuring Upper Bound of Threshold 95
Configuring Lower Bound of Threshold 95
Configuring Standard of the First Alarm 96
Configuring Interval of Sample Inquiry 97
Activating RMON Alarm 97
Deleting RMON Alarm and Changing Configuration 98
Configuring Event Community 99
Event Description 99
Identifying Subject of Event 99
Configuring Event Type 100
Activating Event 100
Deleting RMON Event and Changing Configuration 101
Configuring Max Host 124
Managing MAC Table 125
Address Resolution Protocol (ARP) 126
ARP Table 126
Registering ARP Table 126
Configuring ARP Ageing Timer 126
Proxy-ARP 132
Gratuitous ARP 133
7.9 ICMP 134
Blocking Echo Reply Message 134
Configuring Interval to Transmit ICMP Message 135
7.10 Link Layer Carrier Forward (LLCF) 137
7.11 TCP Flag Control 138
7.11.1 RST Configuration 138
7.11.2 SYN Configuration 138
7.13 Server Packet Filtering 141
7.14 Attack Guard 142
7.15 Port Traffic Monitoring 143
Root Switch 165
Path-cost 166
Port Priority 168
Hello Time 169
Forward Delay 169
Max Age 170
Checking BPDU Configuration 170
Loop Detection 171
Single IP Management 173
Rate Limit 176
Flood-Guard 177
Configuring Port based Flood-guard 178
Configuring Flood-guard based on MAC Address 179
Assigning Static IP Address 194
Blocking Static IP Address User 194
Configuring DHCP Relay Agent 195
Initializing DHCP Lease Database 196
Backing up DHCP Lease Database 196
DHCP Option-82 197
Enabling DHCP Option-82 197
Configuring Option-82 Packet Policy 198
Configuring Trust Packet 198
Restricting the Number of Assigning IP Address 199
8.12.8 DHCP Snooping with Option82 199
8.12.9 DHCP Option 77 200
8.12.10 DHCP Snooping Filtering 201
8.12.11 Authorized ARP 202
8.12.12 Displaying DHCP Configuration 202
8.13 Broadcast Storm Control 203
8.14 Blocking Direct Broadcast 204
9 IP Multicast 205
9.1 Multicast Group Membership 206
IGMP Basic 206
IGMP Version 2 207
IGMP Static Join 208
Displaying IGMP Snooping Information 224
IGMP Filtering and Throttling 225
IGMP Filtering 225
IGMP Throttling 227
Displaying IGMP Filtering and Throttling 227
11 Abbreviations 232
Illustrations
Fig. 2.1 Network Structure with V1624 17
Fig. 3.1 Software mode structure 21
Fig. 4.1 Process of 802.1x Authentication 35
Fig. 4.2 Multiple Authentication Servers 37
Fig. 5.1 Port Mirroring 59
Fig. 7.1 Necessity of NetBIOS Filtering 121
Fig. 7.2 ICMP Message 134
Fig. 7.3 Link Layer Carrier Forward Process 137
Fig. 8.1 VLAN 144
Fig. 8.2 Example of Loop 157
Fig. 8.3 Principle of Spanning Tree Protocol 157
Fig. 8.4 Root Switch 158
Fig. 8.5 Designated Switch 159
Fig. 8.6 Port Priority 160
Fig. 8.7 Alternate Port and Backup port 161
Fig. 8.8 Example of Receiving Low BPDU 162
Fig. 8.9 Network Convergence of 802.1d 162
Fig. 8.10 Network Convergence of 802.1w (1) 163
Fig. 8.11 Network Convergence of 802.1w (2) 163
Fig. 8.12 Network Convergence of 802.1w (3) 164
Fig. 8.13 Compatibility with 802.1d (1) 164
Fig. 8.14 Compatibility with 802.1d (2) 165
Fig. 8.15 Cascading of Switches 173
Fig. 8.16 Rate Limit and Flood Guard 177
Fig. 8.17 DHCP Service Structure 188
Fig. 8.18 Example of DHCP Relay Agent 195
Fig. 8.19 DHCP Option 82 Operation 197
Fig. 9.1 The V1624 with IGMP Snooping 205
Fig. 9.2 IGMP Snooping 212
Tables
Tab. 1.1 Overview of Chapters 13
Tab. 1.2 Command Notation of Guide Book 14
Tab. 3.1 Main Commands of Top Mode 22
Tab. 3.2 Main Commands of Global Configuration Mode 23
Tab. 3.3 Main Commands of Bridge Configuration Mode 23
Tab. 3.4 Main Command of DHCP Pool Configuration Mode 24
Tab. 3.5 Main Command of DHCP Option 82 Configuration Mode 24
Tab. 3.6 Main Commands of Interface Configuration Mode 25
Tab. 3.7 Main Commands of RMON Configuration Mode 25
Tab. 3.8 Command Abbreviation 28
Tab. 5.1 V1624 Port Default Configuration 51
Tab. 6.1 World Time Zone 62
Tab. 6.2 Options for Ping 71
Tab. 6.3 The Description of the Result Report 81
Tab. 7.1 ICMP message type 134
Tab. 7.2 Option for Dump Packet 140
Tab. 8.1 STP Path Cost 166
Tab. 8.2 RSTP Path Cost 167
1 Introduction
1.1 Audience
This manual is intended for V1624 single-board Fast Ethernet switch operators and maintenance personnel for providers of Ethernet services. This manual assumes that you are familiar with the following:
- Ethernet networking technology and standards
- Internet topologies and protocols
- Usage and functions of graphical user interfaces
1.2 Document Structure
Tab. 1.1 briefly describes the structure of this document.
Chapter                              Description
1 Introduction                       Introduces the overall information of the document.
2 System Overview                    Introduces the V1624 system. It also lists the features of the system.
3 Command Line Interface (CLI)       Describes how to use the Command Line Interface (CLI).
4 System Connection and IP Address   Describes how to manage the system account and IP address.
5 Port Basic Configuration           Describes how to configure the Ethernet ports.
6 System Environment                 Describes how to configure the system environment and management functions.
7 Network Management                 Describes how to configure the network management functions.
8 System Main Function               Describes how to configure the system main functions.
9 IP Multicast                       Describes how to configure the IP multicast packets.
10 System Software Upgrade           Describes how to upgrade the system software.
11 Abbreviations                     Lists all abbreviations and acronyms that appear in this document.
Tab. 1.1 Overview of Chapters
1.3 Document Convention
This guide uses the following conventions to convey instructions and information.
Information
This information symbol marks useful information for using commands to configure the system and means that the reader should take note. Notes contain helpful suggestions or references.
Warning
This warning symbol means danger. You are in a situation that could cause bodily injury or break the equipment. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents, and prepare a quick guide based on this guide.
1.4 Document Notation
The following table shows the command notation used in this guidebook. Please be aware of each notation so that you use the commands correctly.
Notation                     Description
a                            Commands you should use as is.
NAME, PROFILE, VALUE, PORTS  Variables for which you supply values. For how to enter these variables, see Section 5.
[ ]                          Commands or variables that appear within square brackets [ ] are optional.
< >                          Range of numbers that you can use.
{ }                          A choice of required keywords appears in braces { }. You must select one.
|                            Optional variables are separated by vertical bars |.
Tab. 1.2 Command Notation of Guide Book
1.5 Virus Protection
To prevent a virus infection, do not use any software other than that which is released for the Operating System (OS based on Basis Access Integrator), the Local Craft Terminal (LCT) and the transmission system. Even when exchanging data via the network or external data media (e.g. floppy disks) there is a possibility of infecting your system with a virus. A virus in your system may lead to loss of data and breakdown of functionality.
The operator is responsible for protecting against viruses, and for carrying out repair procedures when the system is infected. You have to do the following:
- Check every data medium (used media as well as new ones) for viruses before reading data from it.
- Ensure that a current, valid virus scanning program is always available. This program has to be supplied with regular updates by certified software.
- It is recommended that you make periodic virus checks of your OS.
- At the LCT it is recommended to integrate the virus scanning program into the startup sequence.
1.6 CE Declaration of Conformity
The CE declaration of the product is fulfilled if the construction and cabling are undertaken in accordance with the manual and the documents listed therein, e.g. mounting instructions and cable lists; where necessary, account should be taken of project-specific documents. Deviations from the specifications or unstipulated changes during construction, e.g. the use of cable types with lower screening values, can lead to violation of the CE requirements. In such a case, the conformity declaration is invalidated and the responsibility passes to those who have caused the deviations.
1.7 GPL/LGPL Warranty and Liability Exclusion
In addition, if the source code to the Open Source Software has not been delivered with this product, you may obtain the source code (including the related copyright notices) by sending your request to the following e-mail address: opensrc@dasannetworks.com. You will, however, be required to reimburse Dasan Networks for its costs of postage and copying. Any source code request made by you must be sent within 3 years of your purchase of the product. Please include a copy of your sales receipt when submitting your request. Also, please include the exact name and number of the device and the version number of the installed software. The use of Open Source Software contained in this product in any manner other than the simple running of the program occurs at your own risk, that is, without any warranty claims against Dasan Networks. For more information about the warranties provided by the authors of the Open Source Software contained in this product, please consult the GPL and LGPL. You have no warranty claims against Dasan Networks when a defect in the product is or could have been caused by changes made by you in any part of the software or its configuration. In addition, you have no warranty claims against Dasan Networks when the Open Source Software infringes the intellectual property rights of a third party. Dasan Networks provides no technical support for either the software or the Open Source Software contained therein if either has been changed.
2 System Overview
To cope with the rapidly growing population of Internet users, and to create a network environment in which large data such as graphic and voice files can be sent and received with ease, Fast Ethernet and Gigabit Ethernet are steadily replacing older Ethernet. The V1624, developed for this network environment, provides high-speed Internet service over a wider area than existing equipment, which makes it well suited to WAN construction, large-scale companies and ISPs.
The V1624 has 24 ports of 10/100Base-TX as the service interface and 2 slots for uplink interfaces, which take 1-port modular units of 1000Base-X (SFP or GBIC), 10/100/1000Base-T, 100Base-FX or GE-PON. A modular unit can be inserted into either of the 2 slots on the front panel. The V1624 can be used for various applications, as a Fast Ethernet Layer 2 switch as well as a GE-PON ONU. The OLT is located in the central office and connects to the ONU via an optical splitter. The GE-PON uplink port provides voice, data and video service, which is distributed over the appropriate transmission media to a maximum of 24 Fast Ethernet subscribers within the customer premises. The V1624 is a Layer 2 switch, which transmits VLAN traffic and the traffic of PCs and web servers on the network to a medium switch or router. Fig. 2.1 shows a network built with the V1624.
Fig. 2.1 Network Structure with V1624 (figure labels: Internet, L3 Switch, L3 Switch, V1624, V1624)
2.1 System Features
The V1624, a Layer 2 switch, provides various functions such as QoS, IP multicasting, STP and VLAN. New configurations are saved without rebooting, the switch status can be monitored through Syslog and SNMP, and the switch detects and warns of duplicated IP addresses and MAC addresses. The V1624 provides the following functions.
Quality of Service (QoS)
For the V1624, QoS-based forwarding sorts traffic into a number of classes and marks the packets accordingly. Thus a different quality of service is provided to each class that the packets belong to. The QoS capabilities enable network managers to protect mission-critical applications and support differentiated levels of bandwidth for managing traffic congestion. The V1624 supports ingress and egress (shaping) rate limiting and SP (Strict Priority) queue scheduling.
Multicasting
Since the V1624 provides IGMP Snooping and IGMP Querier, you can use multicast communication. Through multicast communication, packets are transmitted only to the hosts that need them, so that overloading can be prevented.
NAT (Network Address Translation)
NAT (Network Address Translation) uses private IP addresses, which are meant to be used in the internal network. It thus saves limited IP address resources and strengthens security, because the IP addresses of the internal network are protected from view. The V1624 supports IP NAT complying with RFC 3022.
SNMP
A switch on which SNMP is mounted can be managed and monitored from a remote place. The V1624 supports SNMP version 1 and 2 and four kinds of RMON groups, so that the administrator can check statistical data at any time.
DHCP Server and Relay
The V1624 supports DHCP, which automatically assigns IP addresses to clients that access the network. You can effectively utilize limited IP address resources and lower the cost of managing the network, because the DHCP server manages all IP addresses from a central point.
Single IP Management
In a switch group, a switch configured as master can configure, manage and monitor the other switches, called slaves, with one IP address. Since one IP address can manage several switches, IP address resources can be saved.
VLAN (Virtual Local Area Network)
A VLAN divides one physical network into several logical networks. Packets cannot be transmitted or received between different VLANs, so unnecessary traffic does not accumulate and the separation between VLANs strengthens security. The V1624 recognizes 802.1Q tagged frames and supports a maximum of 256 VLANs.

Port Trunk
The V1624 aggregates several physical interfaces into one logical port (aggregate port). Port trunking aggregates interfaces that have the same speed, the same duplex mode and the same VLAN ID. According to IEEE 802.3ad, the V1624 can configure a maximum of six aggregate ports, each containing a maximum of eight ports, to spread traffic and improve fault recovery.

LACP (Link Aggregation Control Protocol)
The V1624 supports LACP complying with IEEE 802.3ad, which aggregates multiple links between devices to obtain greater bandwidth.

Rate-limit
The V1624 provides graded bandwidth on all ports. By providing bandwidth graded by user configuration, an ISP can offer graded billing plans and manage lines efficiently and economically.

STP (Spanning Tree Protocol)
STP lets switches that have redundant paths use them without loops: it activates only one path, the shortest of the available paths, and blocks the others to prevent loops.

PVST (Per VLAN Spanning Tree)
The V1624 supports PVST, in which STP operates independently in each VLAN. PVST prevents the entire network from freezing because of a loop in one VLAN.

RSTP (Rapid Spanning Tree Protocol) (802.1w)
Stable and flexible networks can be built on metro Ethernet rings or on existing point-to-point links because the V1624 supports RSTP complying with IEEE 802.1w. RSTP is designed to reduce STP reconvergence time dramatically, which saves failover time on Layer 2 switches that have redundant links.

SSH Server
With the SSH (Secure Shell) server enabled, the switch can be managed over an authenticated, encrypted channel instead of the clear-text telnet and ftp services, which strengthens management security.

802.1x Port based Authentication
The V1624 restricts clients attempting to access a port with 802.1x port-based authentication, to enhance security and the portability of network management. When a client attempts to connect to a port on which 802.1x port-based authentication is enabled, the switch forwards the required information to a RADIUS server for authentication. Therefore, only an authorized client with access rights can connect to the port.

RADIUS and TACACS+
The V1624 supports the client authentication protocols RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System+). Access can require not only a user ID and password registered in the switch but also authentication through a RADIUS or TACACS+ server, which strengthens the security of the system and of network management.

Broadcast Storm Control
A broadcast storm is a situation in which so many broadcast packets are transmitted that they occupy most of the transmission capacity and the network times out. The V1624 supports storm control for broadcast, multicast and flooded packets, which discards the packets that exceed the configured limit during the time configured by the user.

System Management
Users who administer the system through telnet or the console port can easily configure the functions for system operation through DSH (Dasan Shell), a CLI-based shell. Unlike UNIX, DSH makes it easy to configure the needed functions after looking up the available commands through its help menu.
3.1 Command Mode
You can configure and manage the V1624 from a console terminal running on the user's PC, using the CLI commands. Connect the RJ45-to-DB9 console cable to the V1624. This chapter explains how the CLI command modes are organized before installation. The CLI command modes are as follows:

- Top Mode
- Global Configuration Mode
- Bridge Configuration Mode
- DHCP Pool Configuration Mode
- DHCP Option 82 Configuration Mode
- Interface Configuration Mode
- RMON Configuration Mode

Fig. 3.1 shows the V1624 software mode structure briefly.

Top mode                                         SWITCH#
  configure terminal
    Global Configuration mode                    SWITCH(config)#
      interface INTERFACE  (INTERFACE: interface name)
        Interface Configuration mode             SWITCH(config-if)#
      ip dhcp subnet A.B.C.D netmask A.B.C.D group NAME
        DHCP Pool Configuration mode             SWITCH(config-dhcp)#
      ip dhcp option
        Option 82 Configuration mode             SWITCH(config-option)#
      rmon-alarm <1-65535> / rmon-event <1-65535> / rmon-history <1-65535>
        RMON Configuration mode                  SWITCH(config-rmonalarm[N])#
                                                 SWITCH(config-rmonevent[N])#
                                                 SWITCH(config-rmonhistory[N])#

Fig. 3.1
3.1.1 Top Mode
When you log in to the switch, the CLI starts in Top mode, which is a read-only mode. In this mode you can view the system configuration and information with several commands. Tab. 3.1 shows the main commands of Top mode.
Command             Description
bping/ping/sping    Checks network connection status.
clock               Sets the system time and date.
configure terminal  Opens Global configuration mode.
reload              Reboots the system.
telnet              Connects to another device through telnet.
terminal line       Configures the number of lines displayed on the screen.
traceroute          Traces a packet route.
where               Shows the users connected to the system through telnet.
which-route         Shows the basic route to a packet destination.
Tab. 3.1
3.1.2 Global Configuration Mode

Tab. 3.2 shows a couple of the important commands of Global Configuration mode.
Command                   Description
arp                       Registers an IP address and MAC address in the ARP table.
bridge                    Enters Bridge configuration mode.
clear                     Disables a configured function.
copy                      Makes a backup file of the configuration, or opens a backup file.
disconnect                Disconnects a user connected through telnet.
hostname                  Changes the hostname in the system prompt.
inactivity-timer          Configures the auto-logout function.
interface                 Enters Interface configuration mode.
ip                        Configures various interface functions such as the DHCP server.
passwd                    Changes the password.
qos                       Configures QoS.
restore factory-defaults  Resets the switch configuration to factory defaults.
snmp                      Configures SNMP.
syslog                    Configures Syslog.
time-zone                 Configures the time zone.
user                      Adds/deletes a user with read rights.
Tab. 3.2
3.1.3 Bridge Configuration Mode
Tab. 3.3
3.1.4 DHCP Pool Configuration Mode
Tab. 3.4
3.1.5 DHCP Option 82 Configuration Mode
Tab. 3.5
3.1.6 Interface Configuration Mode

Interface Configuration mode is used to assign an IP address to an Ethernet interface and to activate or deactivate the interface. Tab. 3.6 shows a couple of the main commands of Interface Configuration mode.
Command      Description
bandwidth    Configures the bandwidth used when building routing information.
description  Sets the description of the interface.
ip           Assigns an IP address.
shutdown     Deactivates the interface.
Tab. 3.6
3.1.7 RMON Configuration Mode
Tab. 3.7
3.2 Useful Tips

This section describes functions that are useful for the user's convenience when working with CLI commands. They are as follows:

- Listing Available Commands
- Calling Command History
- Using Abbreviation
- Exit Current Command Mode
3.2.1 Listing Available Commands

The question mark <?> is not echoed on the screen, and you do not need to press the <ENTER> key to display the command list.
If you need to find out the list of available commands of the current mode in detail, use the following command.
Command  Mode  Description
list     All   Shows the available commands of the current mode.
In the V1624 command shell you can find the commands that start with a specific letter: type the first letter and a question mark without a space. The following example lists the commands starting with s in Top mode of the V1624.

SWITCH# s ?
set     Configure switch
show    Show running system information
sping   Send icmp echo request packets to network host from given address
SWITCH# s
It is also possible to view the arguments that must be entered after a command: type the command, one space, and then a question mark. The following example displays the arguments of the command write. Note that you must type one space after the command.

SWITCH# write ?
file      Write configuration to the file (same as write memory)
memory    Write configuration to the file (same as write file)
terminal  Write to terminal
SWITCH# write
3.2.2 Calling Command History

Previously entered commands can be recalled with the arrow keys:

SWITCH# configure terminal   (arrow key)
SWITCH# show clock           (arrow key)
3.2.3 Using Abbreviation

Most commands can also be entered in abbreviated form. The following table shows some examples of abbreviated commands.

Command             Abbreviation
clock               cl
exit                ex
show                sh
configure terminal  con te

Tab. 3.8
3.2.4 Exit Current Command Mode

If you use the command exit in Top mode, you will be logged out!
4.1.1 System Login

After installing the V1624, make sure that each port is correctly connected to the PCs used for the network and for management. Then turn on the power and boot the system as follows.

Step 1  When you turn on the switch, booting starts automatically and the login prompt is displayed.

SWITCH login:

Step 2  Enter the login ID at the login prompt; the password prompt is then displayed. Enter the password to open Top mode. By default the login ID is root and the password is vertex25. These default credentials are printed in this manual, so change the password with the passwd command (Global Configuration mode) before the switch is reachable from any network that others can access.

SWITCH login: root
Password: vertex25
SWITCH>
4.1.2

4.1.3

The password you enter is not displayed on the screen, so be careful not to make a mistake.
4.1.4 Auto Log-out

For security reasons, if no command is entered on the V1624 within the configured inactivity time, the user is automatically logged out of the system. The administrator can configure the inactivity timer. To enable the auto-logout function, use the following command.

Command                     Mode    Description
inactivity-timer <60-3600>  Global  Enables auto log-out. 60-3600: time in seconds (default: 600 seconds).
inactivity-timer 0          Global  Disables auto log-out.

The following is an example of configuring the auto-logout time as 60 seconds and viewing the configuration.

SWITCH(config)# inactivity-timer 60
SWITCH(config)# show inactivity-timer
Log-out time : 60 seconds
SWITCH(config)#
4.1.5 Management for System Account

4.1.5.1

The following is an example of adding user A, who has read rights. The password is set to vertex25.

SWITCH(config)# user add A lhs
Changing password for A
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:vertex25
Re-enter new password:vertex25
Password changed.
SWITCH(config)#
4.1.6 Telnet Access

To connect to a remote host through telnet, use the following command.

Command                        Mode  Description
telnet DESTINATION [TCP-PORT]  Top   Connects to a remote host. DESTINATION: IP address or host name.

Telnet carries the login ID, the password and every subsequent command in clear text. Where the SSH server described in 4.2.1 is available, prefer it for remote management.

When working over a telnet connection, wait for the [OK] message when you save the system configuration. Otherwise, all changes are lost when the telnet session is disconnected.

SWITCH# write memory
[OK]
SWITCH#
The system administrator can disconnect users connected from a remote place. To disconnect a user connected through telnet, use the following command.

Command                Mode  Description
disconnect TTY-NUMBER  Top   Disconnects a user connected through telnet.
4.1.7 System Rebooting

4.1.7.1

If you reboot the system without saving the new configuration, the new configuration is lost, so save the configuration before rebooting. To prevent that mistake, the V1624 prints the following prompt asking whether the configuration should be saved before the reboot. Press <y> to save the configuration and then reboot, or <n> to reboot without saving.

SWITCH# reload
Do you want to save the system configuration? [y/n]

4.1.7.2

The reload command reboots the system with the current default system software. To change the default system software, use the set default-os command.
The following is an example of configuring the auto-restart function for the case where the CPU load or the interrupt load stays over 70% for 60 seconds, and of viewing the configuration.

SWITCH(config)# set auto-reset cpu 70 70 1
SWITCH(bridge)# show auto-reset
------------------------------
Auto-Reset Configuration
------------------------------
auto-reset-memory  : on
auto-reset-cpu     : on
cpu load           : 70
interrupt load     : 70
continuation time  : 1
SWITCH(bridge)#
4.2

4.2.1 SSH Server

The V1624 can operate as an SSH server. You can configure the switch as an SSH server with the following procedure.

4.2.1.1
4.3 802.1x Authentication

To enhance security and the portability of network management, there are two ways of authenticating clients that attempt to access a port: authentication based on MAC address, and port-based authentication. Port-based authentication (802.1x) decides whether to grant access by consulting a RADIUS server that holds the information about the user who is trying to connect. 802.1x authentication uses the EAP (Extensible Authentication Protocol) framework. EAP methods include EAP-MD5 (Message Digest 5), EAP-TLS (Transport Layer Security), EAP-SRP (Secure Remote Password) and EAP-TTLS (Tunneled TLS); the V1624 supports EAP-MD5 and EAP-TLS. EAP-MD5 authenticates with a user ID and password and is one-way: only the client proves knowledge of the password, the server proves nothing to the client, and because the challenge and the MD5 response cross the link unprotected, a captured exchange can be tested offline against a password list. EAP-TLS performs mutual authentication of server and client with certificates and therefore provides much higher security. When a user requests authentication, the user's PC sends an EAPOL-Start packet to the authenticator, which then requests the user's identity. After receiving the identity response, the authenticator sends an access request to the RADIUS server, which authenticates the user by checking the user's information.
Supplicant (user's PC)       Authenticator (V1624)         RADIUS server
EAPOL-Start               ->
                          <- EAP-Request / Identity
EAP-Response / Identity   ->
                             RADIUS-Access-Request       ->
                                                         <- RADIUS-Access-Challenge
                          <- EAP-Request
EAP-Response              ->
                             RADIUS-Access-Request       ->
                                                         <- RADIUS-Access-Accept
                          <- EAP-Success
Fig. 4.1
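The EAP-MD5 leg of this exchange (the Access-Challenge carrying an EAP-Request/MD5-Challenge and the EAP-Response that answers it), written out as an added example; this is not code from the manual or from the V1624 firmware. EAP-MD5 (RFC 3748, section 5.4) uses the CHAP computation MD5(identifier || password || challenge). The packet builder, the server-side verifier and the eavesdropper's dictionary attack below are illustrative; the identifier, the password vertex25 and the word list are constructed sample values, and the names switch and user are placeholders.

```python
import hashlib
import hmac
import os

# EAP codes and the MD5-Challenge method type from RFC 3748.
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_digest(identifier, password, challenge):
    """The CHAP-style value EAP-MD5 proves: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code, identifier, value, name=b""):
    """Encode an EAP packet of type MD5-Challenge:
    Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value Name."""
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def parse_eap_md5(packet):
    """Decode the layout above; reject anything that is not a well-formed EAP-MD5 packet."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-MD5 packet")
    value_size = packet[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size exceeds packet length")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:length]


def supplicant_respond(request, password, name=b"user"):
    """Supplicant side: answer EAP-Request/MD5-Challenge with the password-derived digest."""
    code, identifier, challenge, _ = parse_eap_md5(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    return build_eap_md5(EAP_RESPONSE, identifier,
                         eap_md5_digest(identifier, password, challenge), name)


def server_verify(request, response, password):
    """Authentication server side: recompute the digest from the stored password and compare."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    code, resp_id, value, _ = parse_eap_md5(response)
    if code != EAP_RESPONSE or resp_id != req_id:
        return False
    return hmac.compare_digest(value, eap_md5_digest(req_id, password, challenge))


def run_exchange(password, identifier=1, challenge=None):
    """The Access-Challenge / EAP-Response leg of Fig. 4.1: the authenticator relays the
    server's challenge to the supplicant and the supplicant's digest back to the server."""
    if challenge is None:
        challenge = os.urandom(16)   # a real server picks a fresh random challenge every time
    request = build_eap_md5(EAP_REQUEST, identifier, challenge, b"switch")
    response = supplicant_respond(request, password)
    return request, response, server_verify(request, response, password)


def offline_dictionary_attack(request, response, wordlist):
    """Eavesdropper on the same segment: identifier, challenge and response all crossed the
    wire in clear, so candidate passwords can be tested without contacting the server."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    _, _, observed, _ = parse_eap_md5(response)
    for candidate in wordlist:
        if eap_md5_digest(req_id, candidate, challenge) == observed:
            return candidate
    return None


if __name__ == "__main__":
    req, resp, ok = run_exchange(b"vertex25")   # constructed sample password
    print("server accepted the supplicant:", ok)
    print("password recovered from the capture:",
          offline_dictionary_attack(req, resp, [b"password", b"vertex25", b"letmein"]))
```

The attack loop needs no traffic to the switch or the RADIUS server, which is why EAP-MD5 is only as strong as the password and why the manual's EAP-TLS option, which carries certificates inside TLS, is the one to use on any port an outsider can reach.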
To enable 802.1x authentication on a port of the V1624, perform the following tasks.
4.3.1 802.1x Authentication

4.3.1.1 Enabling 802.1x

To configure 802.1x, first enable the 802.1x daemon. To enable the 802.1x daemon, use the following command.

Command        Mode    Description
dot1x enable   Global  Enables the 802.1x daemon.
dot1x disable  Global  Disables the 802.1x daemon.
After configuring 802.1x port-based authentication as described above, you can check the configuration. To check the 802.1x configuration, use the following command.

Command     Mode    Description
show dot1x  Global  Shows the 802.1x configuration.
4.3.2
4.3.2.1
4.3.2.2
4.3.2.3
[Fig. 4.2: authentication request sent to the registered RADIUS servers 30.1.1.1 and 100.1.1.1; the server that responds becomes the default server]

Fig. 4.2
If several servers are registered, authentication starts with the RADIUS server that was registered first; if there is no response, the request is sent to the second RADIUS server. Requests are tried in registration order, and the server that responds becomes the default server from that point on. Once a default server is designated, all requests start with that server; if the default server stops responding, the request is tried on the next registered RADIUS server. To configure the IP address and key of a RADIUS server, use the following command.
Command                           Mode    Description
dot1x radius host IP-ADDRESS KEY  Global  Registers a RADIUS server with its key. IP-ADDRESS: IP address of the RADIUS server. KEY: the key (shared secret) agreed with the server.
                                  Global  Deletes a registered RADIUS server.

KEY is the RADIUS shared secret: it authenticates the server's replies to the switch and hides the password attribute in the switch's requests, and show dot1x prints it in clear text (the examples in this chapter use the key 1). Use a long random value agreed with the server administrator; a short key can be recovered by brute force from a single captured request and reply.
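What the key protects is easiest to see from the packets. The following added example (not code from the manual or from the V1624) builds an Access-Request the way RFC 2865 specifies it, hiding the User-Password attribute with the shared secret and the Request Authenticator, verifies the Response Authenticator of the Access-Accept with the same secret, and then recovers a short numeric secret such as the 1 used in this chapter's examples from one captured request/reply pair, after which the hidden password can be read as well. The identifier, user name, password and the digits-only search space are constructed sample values; only the User-Name and User-Password attributes are carried.

```python
import hashlib
import hmac
import os
from itertools import product

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2            # attribute types from RFC 2865


def _attr(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, including these two bytes) Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attrs(data):
    """Return a list of (type, value) pairs from a RADIUS attribute blob."""
    out, i = [], 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret || previous block); the
    'previous block' for the first block is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block
    return hidden


def unhide_password(secret, request_auth, hidden):
    """Inverse of hide_password (what the RADIUS server does on receipt)."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def _packet(code, identifier, authenticator, attrs):
    return bytes([code, identifier]) + (20 + len(attrs)).to_bytes(2, "big") + authenticator + attrs


def access_request(secret, identifier, username, password, request_auth=None):
    """NAS (the switch) -> server.  The Request Authenticator must be fresh and random."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(secret, request_auth, password))
    return _packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(secret, code, identifier, request_auth, attrs):
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, identifier]) + length + request_auth + attrs + secret).digest()


def access_accept(secret, request):
    """Server -> NAS, authenticated with the shared secret (no attributes in this example)."""
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(secret, ACCESS_ACCEPT, identifier, request_auth, b"")
    return _packet(ACCESS_ACCEPT, identifier, auth, b"")


def verify_response(secret, request, response):
    """NAS side: accept the reply only if its authenticator was computed with our secret."""
    if response[1] != request[1]:
        return False
    expected = response_authenticator(secret, response[0], response[1], request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])


def brute_force_secret(request, response, alphabet=b"0123456789", max_len=3):
    """Eavesdropper: one captured pair is an offline oracle for the shared secret."""
    for n in range(1, max_len + 1):
        for combo in product(alphabet, repeat=n):
            candidate = bytes(combo)
            if verify_response(candidate, request, response):
                return candidate
    return None


def recover_password(secret, request):
    """With the secret known, the hidden User-Password in a captured request is readable."""
    for attr_type, value in parse_attrs(request[20:]):
        if attr_type == USER_PASSWORD:
            return unhide_password(secret, request[4:20], value)
    return None
```

A 16-byte random secret puts the search far beyond what this loop can cover; that, and not the MD5 construction, is what protects the exchange, so the key registered with dot1x radius host should be generated, not typed.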
4.3.2.4
To configure the number of authentication request attempts on the V1624, use the following command in Global mode.

Command                      Mode    Description
dot1x radius retries NUMBER  Global  Configures the number of authentication requests sent to the RADIUS server.
4.3.2.5
Authentication request means the Radius-Access-Request in the 802.1x port-based authentication process shown in Fig. 4.1.

On the V1624 the retry interval of the authentication request is 100 ms by default (unit: ms).

If the server is far away and the retry interval is configured shorter than the time the request packet needs to reach the server, authentication may not succeed. Therefore configure the retry interval with the distance to the server in mind. If authentication often fails after configuration, check the retry interval and allow enough time.
The following is an example of configuring the number of authentication requests as 5 and the retry interval as 1 second.

SWITCH(config)# dot1x radius retries 5
SWITCH(config)# dot1x radius timeout 1000
SWITCH(config)# show dot1x
802.1x authentication enabled
Reauth period  : 3600 (Seconds)
Radius retries : 5
Radius timeout : 1000 (Milli-Second)
Radius server  : 100.1.1.1 (Auth key : 1)
--------------------------------------
            |         1         2
802.1x      |12345678901234567890123456
------------+--------------------------
PortEnable  |.......................p..
PortAuthed  |..........................
MacEnable   |..........................
SWITCH(config)#
4.3.2.6
4.3.3 Authentication Based on MAC Address

Authentication based on MAC address is intended for clients that cannot run an 802.1x supplicant. If a client connected to the equipment supports 802.1x user authentication, it is unnecessary to use its MAC address to permit it. Note that a MAC address is not a secret: anyone who learns an authorized address can set it on another device, so MAC-based permission is weaker than 802.1x and should be limited to devices that cannot authenticate otherwise.

To grant access rights to clients by MAC address, use the following command.

Command                 Mode    Description
dot1x mac enable PORT   Global  Enables granting access to clients by MAC address on the port.
dot1x mac disable PORT  Global  Disables granting access by MAC address on the port.

Before configuring 802.1x user authentication based on MAC address, block all packets entering the authenticated port with set mac-filter default-policy deny PORT.
The following shows how the per-port user authentication configured in the system is changed to MAC-address-based authentication and then checked.

SWITCH(config)# show dot1x
802.1x authentication enabled
Radius server : 100.1.1.1 (Auth key : 1)
--------------------------------------
            |         1         2
802.1x      |12345678901234567890123456
------------+--------------------------
PortEnable  |.......................p..
PortAuthed  |..........................
MacEnable   |..........................
SWITCH(config)# set mac-filter default-policy deny 24
SWITCH(config)# dot1x mac enable 24
SWITCH(config)# show dot1x
802.1x authentication enabled
Radius server : 100.1.1.1 (Auth key : 1)
--------------------------------------
            |         1         2
802.1x      |12345678901234567890123456
------------+--------------------------
PortEnable  |..........................
PortAuthed  |..........................
MacEnable   |.......................m..
SWITCH(config)#
To check whether user authentication by MAC address is working, use the command show mac BRIDGE [PORT]. If it is working, the permission column of an authenticated MAC address shows OK and that of an unauthenticated address shows -.

SWITCH(config)# show mac br1 8
port (id)   mac addr            permission   in use
eth08(8)    08:00:46:9a:12:b8                0.06
eth08(8)    00:0e:a6:25:48:40                0.23
eth08(8)    00:03:47:de:27:9e                0.34
eth08(8)    00:e0:98:8a:ea:b9                0.62
eth08(8)    00:d0:59:64:bc:a7                0.74
eth08(8)    00:00:f0:82:67:49                1.05
eth08(8)    00:c0:ca:33:5b:5c                1.29
eth08(8)    00:0c:6e:4c:0d:0f                1.79
eth08(8)    00:00:86:60:fe:23                2.48
eth08(8)    00:60:08:43:6b:67                3.46
eth08(8)    00:0c:6e:4c:0d:15                4.15
eth08(8)    00:c0:26:00:61:29                4.33
eth08(8)    00:00:e2:6e:f8:3b                5.57
eth08(8)    08:00:46:60:96:4b                6.10
eth08(8)    00:0c:6e:4c:11:14                6.31
eth08(8)    00:a0:b0:05:0d:a4                6.31
eth08(8)    00:40:2b:23:58:02                6.47
(Omitted) SWITCH(config)#
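The port map printed by show dot1x in the two examples above is compact, and on a 26-port switch it is easy to misread which ports are still open. The following added script (not code from the manual or from the switch) parses that output and reports, per port, whether 802.1x port authentication (p), MAC-based permission (m) or neither is in force, and warns when the RADIUS key echoed in the output is short. The embedded sample is the second show dot1x transcript above; the port count is taken from the digit row of the map, and the key-length threshold is the author's choice.

```python
import re

# Sample output, transcribed from the manual's second show dot1x example above.
SAMPLE_SHOW_DOT1X = """\
802.1x authentication enabled
Radius server : 100.1.1.1 (Auth key : 1)
--------------------------------------
            |         1         2
802.1x      |12345678901234567890123456
------------+--------------------------
PortEnable  |..........................
PortAuthed  |..........................
MacEnable   |.......................m..
"""


def parse_show_dot1x(text):
    """Turn the bitmap rows into per-port booleans.  Column i (0-based) of a row is
    port i+1; any character other than '.' marks that feature as set on the port."""
    status = {"enabled": None, "servers": [], "rows": {}, "ports": 0}
    for line in text.splitlines():
        if line.startswith("802.1x authentication"):
            status["enabled"] = line.rstrip().endswith("enabled")
            continue
        m = re.match(r"Radius server\s*:\s*(\S+)\s*\(Auth key\s*:\s*(.*?)\)", line)
        if m:
            status["servers"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"([\w.]+)\s*\|(\S+)$", line)
        if not m:
            continue
        name, cells = m.group(1), m.group(2)
        if name == "802.1x":                 # the digit row gives the port count
            status["ports"] = len(cells)
        else:
            status["rows"][name] = [c != "." for c in cells]
    if not status["ports"] or "PortEnable" not in status["rows"]:
        raise ValueError("could not find the port map in the output")
    return status


def port_auth_mode(status, port):
    """'port' (802.1x), 'mac', 'both' or 'none' for a 1-based port number."""
    if not 1 <= port <= status["ports"]:
        raise ValueError(f"port {port} out of range 1..{status['ports']}")
    absent = [False] * status["ports"]
    p = status["rows"].get("PortEnable", absent)[port - 1]
    mac = status["rows"].get("MacEnable", absent)[port - 1]
    return {(True, True): "both", (True, False): "port", (False, True): "mac"}.get((p, mac), "none")


def audit(status, min_key_len=16):
    """Findings to review before connecting the switch to an untrusted segment."""
    findings = []
    if not status["enabled"]:
        findings.append("802.1x daemon is disabled: every port accepts any client")
        return findings
    for host, key in status["servers"]:
        if len(key) < min_key_len:
            findings.append(f"RADIUS key for {host} is only {len(key)} chars and is "
                            "displayed in clear text by show dot1x")
    for port in range(1, status["ports"] + 1):
        mode = port_auth_mode(status, port)
        if mode == "none":
            findings.append(f"port {port}: no 802.1x or MAC-based authentication")
        elif mode == "mac":
            findings.append(f"port {port}: MAC-based only (address can be spoofed)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_dot1x(SAMPLE_SHOW_DOT1X)):
        print(finding)
```

Paste the output of show dot1x from a real switch into SAMPLE_SHOW_DOT1X (or read it from a file) to get the same report for that switch; the blocking set mac-filter default-policy deny step described above is what makes an "m" port safe to list as authenticated at all.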
4.3.4

The following shows how to check the statistics of a port on which 802.1x user authentication is configured.

SWITCH(config)# show dot1x 24
Dot1x Packet Statistics
------------------------------------------------------------
supplicant             NAS (port =24)         Radius Server   count
------------------------------------------------------------
EAPOL START         ->
                    <- EAP-Req-Id
EAP-Resp-Id         ->
                       Access-Req(Id)      ->
                                           <- Challenge
                    <- EAP-Req-MD5
EAP-Resp-MD5        ->
                       Access-Req(MD5)     ->
                                           <- Accept
                    <- EAP-Success
------------------------------------------------------------
SWITCH(config)#
The following shows the result after clearing all 802.1x user authentication statistics and returning them to the reset state.

SWITCH(config)# dot1x clear statistic 24
SWITCH(config)# show dot1x 24
Dot1x Packet Statistics
------------------------------------------------------------
supplicant             NAS (port =24)         Radius Server   count
------------------------------------------------------------
EAPOL START         ->
                    <- EAP-Req-Id
EAP-Resp-Id         ->
                       Access-Req(Id)      ->
                                           <- Challenge
                    <- EAP-Req-MD5
EAP-Resp-MD5        ->
                       Access-Req(MD5)     ->
                                           <- Accept
                    <- EAP-Success
------------------------------------------------------------
SWITCH(config)#
4.3.5

If the 802.1x function is disabled, the 802.1x configuration is deleted.

The following disables the function and checks the result.

SWITCH(config)# dot1x disable
SWITCH(config)# show dot1x
802.1x authentication disabled
SWITCH(config)#
4.4 System Authentication

The V1624 strengthens client authentication and lets the user configure the authorization method in several ways. Usually the ID/password registered in the switch is used, but if you use RADIUS (Remote Authentication Dial-In User Service) or TACACS+ (Terminal Access Controller Access Control System+), which are client authentication protocols, only clients recorded on the respective server can connect to the system. With TACACS+ configured, the switch also sends client information for authorization. You need to configure the following for system authentication on the V1624:

- Configuring Authorization Method
- Designating User Authentication Interface
- Configuring Priority of Authorization Method
- Checking Configured Priority of Authorization Method
- Configuring RADIUS
- Configuring TACACS+
- Recording Users Configuration

Before enabling RADIUS or TACACS+, add a user with read rights named user with the command user add. Otherwise, all users who connect through the authentication protocol receive root rights. Refer to 4.1.5 Management for System Account for instructions on adding a user with read rights.
4.4.1

host means authentication by the ID/password registered in the switch; this is the default.

To disable a configured authorization method, use the following commands.

Command                                            Mode    Description
set login local {radius|tacacs|host|all} disable   Global  Disables the authorization method for clients connecting through the console.
set login remote {radius|tacacs|host|all} disable  Global  Disables the authorization method for clients connecting through telnet.
4.4.2

4.4.3

4.4.4
The following is an example of configuring the authorization method on the V1624. RADIUS is added to the default method for clients connecting through the console and through telnet; RADIUS is given priority for console connections and the default method (host) for telnet connections. Then the configuration is checked. Note that in this example RADIUS is made primary for console login while no RADIUS server is registered yet (the server list under [RADIUS] is empty and Radius Retries and Radius Timeout are 0), so register the server as described in 4.4.5 before relying on RADIUS, and keep host in the method list so that console access survives an unreachable server.

SWITCH(config)# user add user test1
Changing password for user
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:vertex
Re-enter new password:vertex
Password changed.
SWITCH(config)# set login local radius enable
SWITCH(config)# set login remote radius enable
SWITCH(config)# set login local radius primary
SWITCH(config)# set login remote host primary
SWITCH(config)# show login
[AUTHEN]
Local login    : radius host
Remote login   : host radius
Accounting mode : none
------------------------------------
[RADIUS]
<Radius Servers & Key>
Radius Retries : 0
Radius Timeout : 0
------------------------------------
[TACACS]
<Tacacs Servers & Key>
Tacacs Timeout : 0
Tacacs Socket Port : 0
Tacacs Interface :
Tacacs PPP Id : 0
Tacacs Authen Type : ASCII
Tacacs Priority Level : min
SWITCH(config)#
4.4.5
Configuring RADIUS
4.4.5.1
A.B.C.D
4.4.5.2
COUNT
4.4.5.3
The following is an example of configuring the retransmit count and the response timeout after registering a RADIUS server. The key 1 used here is for illustration only; register a long random shared secret on a production switch.

SWITCH(config)# set login radius add server 100.1.1.1 1
SWITCH(config)# set login radius retransmit 5
SWITCH(config)# set login radius timeout 10
SWITCH(config)# show login
[AUTHEN]
Local login    : radius host
Remote login   : host radius
Accounting mode : none
------------------------------------
[RADIUS]
<Radius Servers & Key>
100.1.1.1 1
Radius Retries : 5
Radius Timeout : 10
------------------------------------
[TACACS]
<Tacacs Servers & Key>
Tacacs Timeout : 0
Tacacs Socket Port : 0
Tacacs Interface :
Tacacs PPP Id : 0
Tacacs Authen Type : ASCII
Tacacs Priority Level : min
SWITCH(config)#
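Both show login transcripts in this section (the one in 4.4.4, where RADIUS is primary for console login but no server is registered, and the one above, where 100.1.1.1 is registered with the key 1) show states worth catching before they lock an administrator out or weaken authentication. The following added checker (not code from the manual or from the switch) parses that output and flags them. The two transcripts are embedded as constructed samples, and the key-length threshold and the wording of the findings are the author's choices.

```python
import re

# Constructed sample: the show login output from the 4.4.4 example (no RADIUS server registered).
SHOW_LOGIN_NO_SERVER = """\
[AUTHEN]
Local login    : radius host
Remote login   : host radius
Accounting mode : none
------------------------------------
[RADIUS]
<Radius Servers & Key>
Radius Retries : 0
Radius Timeout : 0
------------------------------------
[TACACS]
<Tacacs Servers & Key>
Tacacs Timeout : 0
Tacacs Socket Port : 0
Tacacs Interface :
Tacacs PPP Id : 0
Tacacs Authen Type : ASCII
Tacacs Priority Level : min
"""

# Constructed sample: the same switch after the 4.4.5 example registered 100.1.1.1 with key 1.
SHOW_LOGIN_WEAK_KEY = SHOW_LOGIN_NO_SERVER.replace(
    "<Radius Servers & Key>\n", "<Radius Servers & Key>\n100.1.1.1 1\n").replace(
    "Radius Retries : 0", "Radius Retries : 5").replace("Radius Timeout : 0", "Radius Timeout : 10")


def parse_show_login(text):
    """Extract login method order, server lists and timers from show login output."""
    cfg = {"local": [], "remote": [],
           "radius": {"servers": [], "retries": 0, "timeout": 0},
           "tacacs": {"servers": [], "timeout": 0}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                       # [AUTHEN], [RADIUS], [TACACS]
            section = line.strip("[]").lower()
            continue
        m = re.match(r"(Local|Remote) login\s*:\s*(.*)", line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).split()   # methods in priority order
            continue
        m = re.match(r"(Radius|Tacacs) (Retries|Timeout)\s*:\s*(\d+)", line)
        if m:
            cfg[m.group(1).lower()][m.group(2).lower()] = int(m.group(3))
            continue
        m = re.match(r"(\d+\.\d+\.\d+\.\d+)\s+(\S+)$", line)  # "address key" server line
        if m and section in ("radius", "tacacs"):
            cfg[section]["servers"].append((m.group(1), m.group(2)))
    return cfg


def audit_login(cfg, min_key_len=16):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for access, methods in (("console", cfg["local"]), ("telnet", cfg["remote"])):
        for method in ("radius", "tacacs"):
            if method in methods and not cfg[method]["servers"]:
                findings.append(f"{access}: {method} is in the login order but no server is registered")
        if "host" not in methods:
            findings.append(f"{access}: no local (host) fallback; unreachable servers lock you out")
    radius_used = "radius" in cfg["local"] + cfg["remote"]
    if radius_used and cfg["radius"]["servers"] and (cfg["radius"]["retries"] == 0 or cfg["radius"]["timeout"] == 0):
        findings.append("radius: retries or timeout is 0; a single lost packet fails the login")
    for name in ("radius", "tacacs"):
        for host, key in cfg[name]["servers"]:
            if len(key) < min_key_len:
                findings.append(f"{name}: key for {host} is only {len(key)} chars")
    return findings


if __name__ == "__main__":
    for sample in (SHOW_LOGIN_NO_SERVER, SHOW_LOGIN_WEAK_KEY):
        print(audit_login(parse_show_login(sample)))
```

The checker reads the output as printed by the switch, so it can be run against a saved capture of show login from each device before a RADIUS or TACACS+ method is made primary.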
4.4.6 Configuring TACACS+

4.4.6.1

Then register the interface of the user's switch through which the TACACS server is connected. Use the following command.

Command                                        Mode    Description
set login tacacs interface INTERFACE [A.B.C.D]  Global  Registers the interface of the switch to which the TACACS server is connected.

INTERFACE is the interface of the user's switch to which the TACACS server is connected. Check which interface the TACACS server is connected to before entering it.
To register the port of the TACACS server connected to the user's switch, use the following command.

Command                       Mode    Description
set login tacacs socket-port  Global  Registers the TCP port of the TACACS server connected to the user's switch.
tacacs del server             Global  Deletes a registered TACACS server.

A.B.C.D
4.4.6.2
PAP stands for Password Authentication Protocol and CHAP stands for Challenge Handshake Authentication Protocol.
4.4.6.3
4.4.7
start records accounting at the user's login and stop at the user's logout; both records both, and none disables the configured accounting (billing) policy.
4.5

4.5.1 Assigning IP Address

Assigning IP Address on Network Interface

The switch uses only the MAC addresses in a frame to learn where traffic comes from and to decide which ports should receive it, so switches do not need IP addresses to forward packets. However, if you want to access the V1624 remotely over TCP/IP through SNMP or telnet, it needs an IP address. By default the V1624 is configured with the virtual interface br1. Perform the steps below.

Step 1  Enter Interface configuration mode, which has the prompt SWITCH(config-if)#, to assign an IP address to the switch. To enter Interface configuration mode, enter the command interface interface-name after entering Global configuration mode, which has the prompt SWITCH(config)#, by entering configure terminal in Top mode.

SWITCH# configure terminal
SWITCH(config)# interface br1
SWITCH(config-if)#
Step 4  To display the assigned IP address, use the following command.

Command  Mode       Description
show ip  Interface  Shows the IP address assigned to the interface.
4.5.2
Tab. 5.1
To view the configuration of the switch ports, use the following command.

Command         Mode               Description
show port PORT  Top/Global/Bridge  Shows the port configuration.

If you enter a letter as the port number of show port, the message %Wrong expression. ex) 'show port 1,3' , 'show port 1-3,10' is displayed, and if you enter an invalid number the message %Port number invalid is displayed. The following is an example of checking the port configuration.

SWITCH(bridge)# show port port
%Wrong expression. ex) 'show port 1,3' , 'show port 1-3,10'
SWITCH(bridge)# show port 100
-------------------------------------------------------------------------
NO  TYPE  PVID  STATUS        SHARED  MODE  FLOWCTRL  INSTALLED
                (ADMIN/OPER)
-------------------------------------------------------------------------
%port number invalid
SWITCH#

In DSH command mode you can use , and - in PORT to select several ports.
You can configure the following basic port functions:

- Activating Port
- Auto-nego
- Port Rate
- Duplex Mode
- Flow Control
- Port Description
- Port Statistics
- Link Uptime
5.1.1 Activating Port

To activate or deactivate a port, use the following commands.

Command                Mode    Description
set port enable PORT   Bridge  Activates the port. (Default)
set port disable PORT  Bridge  Deactivates the port.

The following is an example of deactivating Ethernet port 1 and checking it.

SWITCH(bridge)# show port 1
--------------------------------------------------------------------------
NO  TYPE      PVID  STATUS        SHARED  MODE          FLOWCTRL  INSTALLED
                    (ADMIN/OPER)
--------------------------------------------------------------------------
1:  Ethernet  1     Up/Down       N       Auto/Half/10  On        Y
SWITCH(bridge)# set port disable 1
SWITCH(bridge)# show port 1
--------------------------------------------------------------------------
NO  TYPE      PVID  STATUS        SHARED  MODE          FLOWCTRL  INSTALLED
                    (ADMIN/OPER)
--------------------------------------------------------------------------
1:  Ethernet  1     Down/Down     N       Auto/Half/10  On        Y
SWITCH(bridge)#
5.1.2 Auto-nego

You can configure auto-negotiation on a port so that it automatically matches the transmission speed and duplex mode of the attached device. To enable or disable auto-negotiation, use the following command in Bridge configuration mode.

Command                 Mode    Description
set port nego PORT on   Bridge  Enables auto-negotiation. (Default)
set port nego PORT off  Bridge  Disables auto-negotiation.
With auto-nego enabled, the port rate and duplex mode cannot be changed. The following is an example of disabling auto-negotiation on ports 1 and 2 and checking it.

SWITCH(bridge)# show port 1-2
--------------------------------------------------------------------------
NO  TYPE      PVID  STATUS        SHARED  MODE             FLOWCTRL  INSTALLED
                    (ADMIN/OPER)
--------------------------------------------------------------------------
1:  Ethernet  1     Up/Down       N       Auto/Full/1000   On        Y
2:  Ethernet  1     Up/Down       N       Auto/Full/1000   On        Y
SWITCH(bridge)# set port nego 1-2 off
SWITCH(bridge)# show port 1-2
--------------------------------------------------------------------------
NO  TYPE      PVID  STATUS        SHARED  MODE             FLOWCTRL  INSTALLED
                    (ADMIN/OPER)
--------------------------------------------------------------------------
1:  Ethernet  1     Up/Down       N       Force/Full/1000  On        Y
2:  Ethernet  1     Up/Down       N       Force/Full/1000  On        Y
SWITCH(bridge)#
You cannot configure auto-nego on a 100BASE-FX port. The following is an example of the message displayed when you attempt to configure auto-nego on a 100BASE-FX port.

SWITCH(bridge)# set port nego 25 on
%FX port can't be changed to auto-nego mode
SWITCH(bridge)#
5.1.3 Port Rate

You can configure the transmit rate of each port. To configure the transmit rate of a port, use the following command.

Command                            Mode    Description
set port speed PORT {10|100|1000}  Bridge  Configures the transmit rate of the port as 10, 100 or 1000 Mbps.
The following is an example of configuring transmit rate of port 1 as 10Mbps and checking it.
SWITCH(bridge)# show port 1 ---------------------------------------------------------------------------NO TYPE PVID STATUS (ADMIN/OPER) ---------------------------------------------------------------------------1: Ethernet 1 Up/Up Y Force/Full/100 Off Y SWITCH(bridge)# set port speed 1 10 SWITCH(bridge)# show port 1 ---------------------------------------------------------------------------NO TYPE PVID STATUS SHARED MODE FLOWCTRL INSTALLED (ADMIN/OPER) ---------------------------------------------------------------------------1: Ethernet 1 Up/Down Y Force/Full/10 Off Y SWITCH(bridge)# SHARED MODE FLOWCTRL INSTALLED
5.1.4 Duplex Mode
In half duplex mode, communication is possible in only one direction at a time; in full duplex mode, packets can be transmitted in both directions at once. Transmitting in both directions doubles the Ethernet bandwidth: 10Mbps becomes 20Mbps and 100Mbps becomes 200Mbps. To configure the duplex mode of a 10/100BASE-TX Ethernet port, use the following command.
Command: set port duplex PORT {full | half}
Mode: Bridge
Description: Configures the duplex mode of the port.
When auto-negotiation is enabled, the transmit rate and duplex mode cannot be changed. The following is an example of configuring the duplex mode of port 3 as half and checking it.
SWITCH(bridge)# show port 3
--------------------------------------------------------------------------
NO  TYPE      PVID  STATUS        SHARED  MODE            FLOWCTRL  INSTALLED
                    (ADMIN/OPER)
--------------------------------------------------------------------------
3:  Ethernet  1     Up/Down       N       Force/Full/100  On        Y
SWITCH(bridge)# set port duplex 3 half
SWITCH(bridge)# show port 3
--------------------------------------------------------------------------
NO  TYPE      PVID  STATUS        SHARED  MODE            FLOWCTRL  INSTALLED
                    (ADMIN/OPER)
--------------------------------------------------------------------------
3:  Ethernet  1     Up/Down       N       Force/Half/100  On        Y
SWITCH(bridge)#
100BASE-FX Ethernet and 1000BASE-X Gigabit Ethernet ports operate in full duplex only; users of these ports cannot change the duplex mode.
5.1.5 Flow Control
Ethernet ports on the switch use flow control to restrain the transmission of packets to the port for a period of time. Typically, if the receive buffer becomes full, the port transmits a "pause" packet that tells the remote port to delay sending more packets for a specified period of time. In addition, the Ethernet ports can receive and act upon "pause" packets from other devices. To enable flow control on an Ethernet port, use the following command.
Command: set port flow-control PORT {on | off}
Mode: Bridge
Description: Enables flow control. (Default: on)
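The "pause" packet described above is the IEEE 802.3x PAUSE frame: it is sent to the reserved MAC control address 01:80:c2:00:00:01 with EtherType 0x8808, opcode 0x0001 and a 16-bit pause time counted in quanta of 512 bit times. The following Python example is added here and is not code from the manual or from DASAN. It builds a constructed PAUSE frame, parses it, converts the pause time into wall-clock time for a given link speed, and sums the requested silence per sender, so that an operator can see when a neighbour is pausing a port for a large share of a measurement window. Pause frames from a device with flow control enabled are expected; a port that is asked to stay quiet for longer than the whole window is effectively stalled. The source address and the capture are constructed sample values.

```python
import struct

PAUSE_DST = bytes.fromhex("0180c2000001")   # reserved MAC control multicast address
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
QUANTUM_BITS = 512                          # one pause quantum is 512 bit times


def build_pause_frame(src_mac: bytes, pause_quanta: int) -> bytes:
    """Build a minimal 802.3x PAUSE frame without FCS (used here as constructed input)."""
    if not 0 <= pause_quanta <= 0xFFFF:
        raise ValueError("pause_quanta must fit in 16 bits")
    payload = struct.pack("!HH", PAUSE_OPCODE, pause_quanta)
    payload += b"\x00" * (46 - len(payload))      # pad to the minimum payload length
    return PAUSE_DST + src_mac + struct.pack("!H", MAC_CONTROL_ETHERTYPE) + payload


def parse_pause_frame(frame: bytes):
    """Return (source MAC, pause quanta) for a PAUSE frame, or None for anything else."""
    if len(frame) < 18:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if dst != PAUSE_DST or ethertype != MAC_CONTROL_ETHERTYPE:
        return None
    opcode, quanta = struct.unpack("!HH", frame[14:18])
    if opcode != PAUSE_OPCODE:
        return None
    return src, quanta


def pause_seconds(pause_quanta: int, link_mbps: int) -> float:
    """Wall-clock time the receiver must stop transmitting, for the given link speed."""
    return pause_quanta * QUANTUM_BITS / (link_mbps * 1_000_000)


def pause_pressure(frames, link_mbps: int, window_seconds: float) -> dict:
    """Requested silence per sender as a fraction of the observation window.

    A value above 1.0 means the sender asked the port to stay quiet for longer
    than the whole window, i.e. the port is effectively stalled by pause frames.
    """
    totals = {}
    for frame in frames:
        parsed = parse_pause_frame(frame)
        if parsed is None:
            continue                              # not a PAUSE frame; ignore it
        src, quanta = parsed
        totals[src] = totals.get(src, 0.0) + pause_seconds(quanta, link_mbps)
    return {src.hex(":"): seconds / window_seconds for src, seconds in totals.items()}


if __name__ == "__main__":
    # Constructed capture: 100 maximum-length pauses from one neighbour on a 1000Mbps link
    neighbour = bytes.fromhex("001122334455")
    capture = [build_pause_frame(neighbour, 0xFFFF)] * 100
    print(pause_pressure(capture, link_mbps=1000, window_seconds=1.0))
```

At 1000Mbps a maximum pause of 0xFFFF quanta is about 33.6 ms, so one hundred of them inside a one-second window request more than three seconds of silence; on a 100Mbps port the same frames request ten times as much.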
5.1.6 Port Description
For the user's reference, you can add a description to each port. To write a port description, use the following command.
Command: set port description PORT DESCRIPTION
Mode: Bridge
Description: Writes a description for the port.
5.1.7 Port Statistics
To display the traffic average of each port, or the interface MIB and RMON MIB data defined in the SNMP MIB, use the following commands.
Command: show port statistics avg-pkt PORT
Mode: Top/Global
Description: Shows the traffic average of the specified port.
Command: show port statistics interface PORT
Mode: Top/Global
Description: Shows the interface MIB data of the specified port.
Command: show port statistics rmon PORT
Mode: Top/Global
Description: Shows the RMON MIB data of the specified port.
Command: show port statistics avg-type PORTS
Mode: Top/Global
Description: Shows the traffic statistics per packet type for the specified ports.
To display the statistics of the traffic handled by the CPU, use the following commands.
Command: show cpu statistics avg-type PORTS
Mode: Top/Global/Bridge
Description: Shows the statistics of the traffic handled by the CPU per packet type.
Command: show cpu statistics total PORTS
Mode: Top/Global/Bridge
Description: Shows the traffic statistics of the average packet handled by the CPU.
To delete the collected statistics of the traffic handled by the CPU, use the following command.
Command: clear cpu statistics {PORTS | all}
Mode: Global
Description: Deletes the collected statistics of the traffic handled by the CPU. all: deletes all the collected statistics.
To clear all recorded statistics of a port and reinitialize them, use the following command. Statistics can be reinitialized for all ports or for selected ports.
Command: clear port statistics {PORT | all}
Mode: Global
Description: Initializes the port statistics. Several ports can be selected.
5.1.8 Link Uptime
To display the link uptime of a port, use the following command.
Command: show port link-uptime PORTS
Mode: Top/Global
Description: Shows the link uptime of the port.
To clear the recorded uptime of a port, use the following command.
Command: clear port link-uptime {PORTS | all}
Mode: Global
Description: Clears the recorded uptime of the port. all: clears all ports.
The following is sample output of the show port link-uptime command.
SWITCH# show port link-uptime 1-10
=====================================================
PORT:  Today[H:M:S]  Yesterday[H:M:S]  LINK
1:     [19:39:40]    [24:00:00]        ON
2:     [00:00:00]    [00:00:00]        OFF
3:     [00:00:00]    [00:00:00]        OFF
4:     [00:00:00]    [00:00:00]        OFF
5:     [19:39:40]    [24:00:00]        ON
6:     [00:00:00]    [00:00:00]        OFF
7:     [00:00:00]    [00:00:00]        OFF
8:     [00:00:00]    [00:00:00]        OFF
9:     [19:39:40]    [24:00:00]        ON
10:    [19:39:40]    [24:00:00]        ON
=====================================================
SWITCH#
5.2 Port Mirroring
Port mirroring lets the user monitor several ports from one port. The port used to monitor is called the monitor port, and a port being monitored is called a mirrored port. Traffic transmitted through a mirrored port is copied and sent to the monitor port so that the user can observe it.
Fig. 5.1 Port Mirroring
Before configuring port mirroring on the V1624, you need to assign the mirrored ports and the monitor port and then activate port mirroring.
5.2.1
The following is an example of configuring port 1 as the monitor port and ports 2~4 as mirrored ports.
SWITCH(bridge)# set mirror monitor 1
5.2.2
5.2.3
The following is an example of configuring port 1 as the monitor port to monitor the packets entering ports 2~4, and checking it.
SWITCH(bridge)# set mirror monitor 1
SWITCH(bridge)# set mirror add 2-4
SWITCH(bridge)# set mirror enable
SWITCH(bridge)# show mirror
Mirroring enabled
Monitor port = 1
Ingress-mirrored ports
-- 02 03 04 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Egress-mirrored ports
-- 02 03 04 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
SWITCH(bridge)#
6 System Environment
6.1 Environment Configuration
The user must configure the following items.
- Host Name
- Date and Time
- Time-zone
- NTP
- Output Condition of Terminal Screen
- Domain Name Server (DNS)
- Login Banner
6.1.1 Host Name
The host name displayed in the prompt is needed to distinguish each device connected to the network. To configure or change the host name of the switch, use the hostname command in Global configuration mode.
Command: hostname NAME
Mode: Global
Description: Configures the host name of the switch with the new name the user assigns.
The variable NAME that follows the command is the new name of the switch. The default is SWITCH. The following is an example of changing the hostname to DASAN.
SWITCH(config)# hostname DASAN
DASAN(config)#
6.1.2
The variable MMDDhhmmYYYY entered after the command is Month-Day-Hour-Minute-Year. The following is an example of configuring the clock as Dec. 13th, 04:14 PM, 2002.
SWITCH# clock 121316142002
Fri Dec 13 16:14:00 UTC 2002
SWITCH#
To view the configured date and time, use the following command.
Command: show clock
Mode: Top/Global
Description: Shows the configured date and time.
6.1.3 Time-zone
You can configure the time-zone of the V1624 with the following command. Time-zones are classified as GMT, UCT and UTC. To see which time-zones can be configured, use the show time-zone command. The time-zone is set to UTC (Universal Coordinated Time) in the factory configuration.
Command: show time-zone
Mode: Top/Global
Description: Shows the kinds of time-zone.
The show time-zone command only lists the kinds of time-zone. To verify the configured time-zone, use the show clock command. Tab. 6.1 shows the time-zones that can be configured on the switch, with a main country or city belonging to each.
Time Zone   Country/City        Time Zone   Country/City        Time Zone   Country/City
GMT-12      Eniwetok            GMT-3       Rio De Janeiro      GMT+6       Rangoon
GMT-11      Samoa               GMT-2       Maryland            GMT+7       Singapore
GMT-10      Hawaii, Honolulu    GMT-1       Azores              GMT+8       Hong Kong
GMT-9       Alaska              GMT+0       London, Lisbon      GMT+9       Seoul, Tokyo
GMT-8       LA, Seattle         GMT+1       Berlin, Rome        GMT+10      Sydney
GMT-7       Denver              GMT+2       Cairo, Athens       GMT+11      Okhotsk
GMT-6       Chicago, Dallas     GMT+3       Moscow              GMT+12      Wellington
GMT-5       New York, Miami     GMT+4       Teheran
GMT-4       George Town         GMT+5       New Delhi
Tab. 6.1 World Time Zones
If the time-zone is changed, the date and time shift by the difference between the existing time-zone and the new one.
The following is an example of configuring the time-zone after configuring the date and time on the switch. Although the clock was set to Tue, 16 Mar 2004 10:19 AM, it changed to Tue, 16 Mar 2004 19:19 after the time-zone was configured. This is because the difference between GMT+0 and GMT+9 is applied.
SWITCH(config)# clock 031610192004
Tue, 16 Mar 2004 10:19:00 GMT+0000
SWITCH(config)# time-zone GMT+9
SWITCH(config)# show clock
Tue, 16 Mar 2004 19:19:49 GMT+0900
SWITCH(config)#
Therefore, in such a case you should configure the date and time once again.
SWITCH(config)# clock 031610262004
Tue, 16 Mar 2004 10:26:00 GMT+0900
SWITCH(config)#
If you change the time-zone, check the current date and time and reset them if they differ.
The following is an example of configuring the time-zone as Seoul and viewing the configuration.
SWITCH(config)# time-zone GMT+9
SWITCH(config)# clock 121316142002
Fri, 13 Dec 2002 16:14:10 GMT+0900
SWITCH(config)# show clock
Fri, 13 Dec 2002 16:14:10 GMT+0900
SWITCH(config)#
6.1.4 NTP
NTP (Network Time Protocol) can be used to synchronize the user's switches to within 1/1000 second, so that the exact time is guaranteed across the network. The switch and the NTP server constantly exchange messages to converge on the correct time. Configuring the exact time on the switch is very important for it to operate properly. The details of NTP are given in STD and RFC 1119. To configure NTP on the switch, use the following commands.
Command: ntp SERVER1 [SERVER2] [SERVER3]
Mode: Global
Description: Specifies the IP address of the NTP server. Up to three servers can be specified.
Command: ntp start
Mode: Global
Description: Runs NTP.
Command: no ntp
Mode: Global
Description: Disables the NTP function.
Both public and private NTP servers can be used, and the NTP server can be entered as a domain name or an IP address. In Korea, time.nuri.net is used; its IP address is 203.255.112.96. The following is an example of configuring 203.255.112.96 as the NTP server, running NTP and checking it.
SWITCH(config)# ntp 203.255.112.96
SWITCH(config)# ntp start
SWITCH(config)# show running-config
Building configuration...
(omitted)
no snmp
!
ntp 203.255.112.96
ntp start
!
SWITCH(config)#
6.1.5
The following is an example of configuring the number of lines displayed on the terminal screen as 20.
SWITCH# terminal line 20
SWITCH#
6.1.6
After registering a DNS server and connecting to it over the network, you can use a hostname instead of an IP address in the telnet, FTP, TFTP and ping commands.
This function can be used when the user's switch, the DNS server and the domain in question are connected on the network.
The following is an example of registering 168.126.63.1 as the DNS server and checking it.
SWITCH(config)# dns server 168.126.63.1
SWITCH(config)# show dns
nameserver 168.126.63.1
SWITCH(config)#
The above example is for reference only; in a real configuration you must enter the DNS server you are going to use. The following is an example of a ping test with a domain name after registering the DNS server.
SWITCH# ping da-san.com
PING da-san.com (203.236.124.3) from 203.236.124.248 : 56(84) bytes of data.
64 bytes from 203.236.124.3: icmp_seq=0 ttl=254 time=0.4 ms
64 bytes from 203.236.124.3: icmp_seq=1 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=2 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=3 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=4 ttl=254 time=0.3 ms
64 bytes from 203.236.124.3: icmp_seq=5 ttl=254 time=0.2 ms
64 bytes from 203.236.124.3: icmp_seq=6 ttl=254 time=0.3 ms
--- da-san.com ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.3/0.4 ms
SWITCH#
On the V1624, the telnet, ftp, tftp and ping commands can be used with a hostname instead of an IP address for hosts in a specified domain once that domain name has been registered. If you register domain name A on the V1624, you can use hostnames instead of IP addresses in the telnet, FTP, TFTP and ping commands for hosts in that domain. To register a domain name so that hostnames can be used instead of IP addresses in commands such as telnet and ping for hosts in that domain, use the following command.
Command: dns search DOMAIN
Mode: Global
Description: Registers the specified domain name.
This function can be used when the user's switch, the DNS server and the domain are connected on the network. The following is an example of using a hostname instead of an IP address in a ping test to host B after registering domain A.
SWITCH(config)# dns search A
SWITCH# ping B
PING B.A (192.168.218.10) from 192.168.218.248 : 56(84) bytes of data.
64 bytes from 192.168.218.10: icmp_seq=0 ttl=127 time=0.6 ms
64 bytes from 192.168.218.10: icmp_seq=1 ttl=127 time=0.3 ms
64 bytes from 192.168.218.10: icmp_seq=2 ttl=127 time=0.3 ms
64 bytes from 192.168.218.10: icmp_seq=3 ttl=127 time=0.3 ms
64 bytes from 192.168.218.10: icmp_seq=4 ttl=127 time=0.3 ms
--- B.A ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.6 ms
SWITCH#
The above A and B are for reference only; in an actual configuration, enter the domain name and hostname instead of A and B. To delete the registered DNS server and domain name, use the following command.
Command: no dns
Mode: Global
Description: Deletes the DNS server and domain name.
6.1.7 Login Banner
A message can be written on the system login page. Through this message the administrator can leave a notice, displayed before or after system login or after a login failure, for users who access the switch through ftp or telnet. To write a message on the system login page, use the following commands.
Command: set banner
Mode: Global
Description: Registers a message for system login.
Command: set banner login
Mode: Global
Description: Registers a message for successful system login.
Command: set banner login-fail
Mode: Global
Description: Registers a message for login failure.
Command: set banner logout
Mode: Global
Description: Registers a message for system logout.
The examples below use the set banner command; the other three commands are used in the same way.
To delete a login banner from the system login page, use the following commands.
Command: clear banner
Mode: Global
Description: Deletes the message for system login.
Command: clear banner login
Mode: Global
Description: Deletes the message for successful system login.
Command: clear banner login-fail
Mode: Global
Description: Deletes the message for login failure.
Command: clear banner logout
Mode: Global
Description: Deletes the message for system logout.
6.2 Configuration Management
The user can check whether the configuration is correct and save it in the system. This section contains the following functions.
- Checking Switch Configuration
- Saving Configuration
- Restore Factory Default
- Configuration Backup
6.2.1
6.2.2
Saving Configuration
After you download a new system image to the V1624 from a TFTP/FTP server, if the configuration files have changed you must save them in the flash memory. Unless the changed configuration is saved, it is lost when the switch reboots. To save the configuration files in the flash memory, use the following command.
Command: write memory
Mode: Top/Global/Bridge/Interface
Description: Saves the changed configuration in the flash memory.
When storing the configuration with this command, wait for the [OK] message without pressing any key.
6.2.3
After restoring the factory defaults with the restore factory-defaults command, you have to reboot the switch for the change to take effect. The following is an example of restoring the factory defaults.
SWITCH(config)# restore factory-defaults
Erasing configurations... [OK]
You have to restart the system to apply the changes
SWITCH(config)#
6.2.4 Configuration Backup
The user's configuration can be saved and used for data recovery or system operation. To back up the configuration, and to use a backup file, use the following commands. The variable NAME is a file name chosen by the user.
Command: copy running-config {NAME | startup-config}
Mode: Global
Description: Copies the current configuration to a file with the name chosen by the user, or to the startup configuration.
Command: copy startup-config NAME
Mode: Global
Description: Copies the startup configuration to a file with the name chosen by the user.
Command: copy NAME-1 NAME-2
Mode: Global
Description: Copies a backup file under another name.
To apply a backup file to the switch, you should reboot the system.
The following is an example of copying the current configuration under the name S212 and listing all backup files.
SWITCH(config)# copy running-config S212
[OK]
SWITCH(config)# show config-list
=========================
CONFIG-LIST
=========================
l3_default
S212
SWITCH(config)#
6.3 System Check
When there is a problem with the switch, the user must find out what the problem is and how to solve it. The user should also check the switch regularly to prevent trouble. Therefore the user should not only be aware of the switch status but also check that configurations have been changed correctly. This section includes the following functions, which use DSH commands.
- Network Connection
- Packet Route
- Cable Length
- Accessed User through Telnet
- Destination Information
- MAC Table
- Aging Time
- Running Time of Switch
- System Information
- Checking Average of CPU Utilization
- CPU Process
- Utilization of Memory
- Version of System Image
- Size of the System Image File
- Installed OS
- Assigning Default OS
- Switch Status
- Cable Diagnostics
6.3.1 Network Connection
To check whether your system is correctly connected to the network, use the ping command. On an IP network, this command transmits a message using the Internet Control Message Protocol (ICMP). ICMP is an Internet protocol that reports fault conditions and provides information on the location where an IP packet is received. When the ICMP echo message is received at the destination, a reply is returned to the place it came from. To perform a ping test and display the network status, use the following commands.
Command: ping A.B.C.D
Mode: Top
Description: Performs a ping test to verify the network status.
Command: ping OPTION A.B.C.D
Mode: Top
Description: Performs a ping test to verify the network status with the specified option.
Tab. 6.2 Options of the ping command (only the -I option is listed on this page)
The following is an example of a ping test from 192.168.1.10 to 192.168.1.218, sent three times, to check the network connection.
SWITCH# ping 192.168.1.218 c 3
PING 192.168.1.218 (192.168.1.218) from 192.168.1.10 : 56(84) bytes of data.
64 bytes from 192.168.1.218: icmp_seq=0 ttl=127 time=2.7 ms
64 bytes from 192.168.1.218: icmp_seq=1 ttl=127 time=1.3 ms
64 bytes from 192.168.1.218: icmp_seq=2 ttl=127 time=1.3 ms
--- 192.168.1.218 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.3/1.5/2.7 ms
SWITCH#
The user of the V1624 can also view all hosts on the same network as the switch. To view all hosts on the same network as the user's switch, use the following command.
Command: bping A.B.C.D
Mode: Top
Description: Checks a network connection and views all hosts on the network.
You have to enter a network address to view all hosts on the network. If you enter a host address instead of a network address for the bping test, the result is the same as a regular ping test. The following is an example of checking the network connection of network address 192.168.1.0 using the bping command and viewing all hosts on the network.
SWITCH# bping 192.168.1.0
64 bytes from 192.168.1.202: icmp_seq=0 ttl=255 time=2183.6 ms (DUP!)
64 bytes from 192.168.1.5: icmp_seq=1 ttl=255 time=1257.2 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=1331.4 ms (DUP!)
64 bytes from 192.168.1.102: icmp_seq=1 ttl=255 time=1471.0 ms (DUP!)
64 bytes from 192.168.1.124: icmp_seq=1 ttl=255 time=1544.0 ms (DUP!)
--- 172.16.0.0 ping statistics ---
5 packets transmitted, 5 packets received, +120 duplicates, 0% packet loss
round-trip min/avg/max = 0.8/3011.6/6008.5 ms
SWITCH#
When the user's switch is configured with several IP addresses, you sometimes need to check the network connection between a specific IP address and a partner. To do so, use the following command.
Command: sping SRC-IP-ADDRESS DES-IP-ADDRESS
Mode: Top
Description: Makes the partner that receives the message reply to the configured source address. Enter the address the partner should reply to as the source IP address.
The sping command is for devices configured with several IP addresses; it is of no use on a device with a single IP address.
The following is an example of using the sping command to check the network connection between 172.16.209.5 and 202.236.124.232 when the IP addresses of the switch are configured as 192.168.1.10 and 172.16.209.5.
SWITCH# sping 172.16.209.5 202.236.124.232
PING 202.236.124.232 (203.236.124.232) from 172.16.209.5 : 56(84) bytes of data.
64 bytes from 202.236.124.232: icmp_seq=0 ttl=255 time=2.5 ms
64 bytes from 202.236.124.232: icmp_seq=1 ttl=255 time=1.0 ms
64 bytes from 202.236.124.232: icmp_seq=2 ttl=255 time=1.0 ms
64 bytes from 202.236.124.232: icmp_seq=3 ttl=255 time=1.0 ms
64 bytes from 202.236.124.232: icmp_seq=4 ttl=255 time=1.0 ms
--- 202.236.124.232 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.3/2.5 ms
SWITCH#
6.3.2 Packet Route
You can discover the route that packets actually take to their destination. To do this, the traceroute command sends probe datagrams and displays the round-trip time for each node. If the timer expires before a response comes in, an asterisk (*) is printed on the screen.
Command: traceroute A.B.C.D
Mode: Top
Description: Traces the packet route through the network to the given IP address or hostname.
Sample traceroute output (the hop numbers and addresses are not preserved here; the round-trip times shown were 13.600 ms, 6.848 ms, 6.884 ms, 7.749 ms, 7.215 ms, 7.023 ms, 8.389 ms, 34.922 ms, 134.076 ms, 12.646 ms, 8.134 ms, 13.891 ms and 7.714 ms, and the last hop timed out):
13 * * *
SWITCH#
6.3.3 Cable Length
You can check the cable length from a switch port to a workstation. To verify the station-to-station cable length, use the following command in Global Configuration mode or Top mode.
Command: show cable-length
Mode: Top
Description: Displays the cable length from each Ethernet port on the switch to the workstations.
SWITCH# show cable-length
 1   140 (meter) over
 2   140 (meter) over
 3   140 (meter) over
 4   140 (meter) over
 5   140 (meter) over
 6   20-39 (meter)
(omitted)
18   140 (meter) over
19   140 (meter) over
20   140 (meter) over
21   140 (meter) over
22   140 (meter) over
23   140 (meter) over
The show cable-length command can be used only on UTP cables; it cannot be used on fiber optic cables. If only one uplink interface is used on the V1624, the show cable-length command cannot be used on port 26.
6.3.4
The following is an example of checking whether any user has accessed the switch from a remote place.
SWITCH# where
root at ttyS0 from (null) for 4 minutes 40.10 seconds
root at ttyp0 from 192.168.1.10:2181 for 14.68 seconds
6.3.5 Destination Information
To display the destination information registered in the routing table, use the following command.
Command: which-route A.B.C.D
Mode: Top
Description: Displays destination information.
6.3.6 MAC Table
To display the MAC table recorded for a specific port, use the following command.
Command: show mac BRIDGE [PORT]
Mode: Top/Global/Bridge
Description: Displays the MAC table of the bridge, optionally limited to one port.
You can use either a port number or a module number for PORT. For example, port 34 can be entered either as 34 or as 5/2, meaning the second port of the fifth module. The following is an example of displaying the MAC table recorded in br1.
SWITCH(config)# show mac br1
port (id)   mac addr            permission   in use
eth24 (24)  00:00:e8:81:50:4d   OK           no
eth24 (24)  00:00:e8:81:5d:1b   OK           no
eth24 (24)  00:00:e8:81:61:fa   OK           no
eth24 (24)  00:00:e8:81:6c:56   OK           no
eth24 (24)  00:00:e8:81:6c:6f   OK           no
eth24 (24)  00:01:02:03:04:05   OK           no
eth24 (24)  00:01:02:7c:eb:5b   OK           no
eth24 (24)  00:01:e6:25:43:5b   OK           no
eth24 (24)  00:02:78:e0:7b:f8   OK           no
eth24 (24)  00:03:47:1a:c6:76   OK           no
-- more --
(omitted)
SWITCH(config)#
The MAC table can hold more than a thousand MAC addresses, so it is hard to find the information you need at a glance. The system therefore shows a certain number of addresses and then waits, displaying -- more --. Press any key to see more. Once you have found the information, press q to return to the system prompt without displaying the rest of the table.
6.3.7 Aging Time
The V1624 records a MAC table so that frames can be forwarded to the learned port instead of being transmitted as broadcasts. A MAC address that does not respond within a specified time is deleted from the MAC table automatically. This specified time is called the ageing time. To specify the ageing time, use the following command.
Command: set stp ageing NAME TIME
Mode: Bridge
Description: Specifies the ageing time.
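The learning and ageing behaviour described above, as an added Python example (not code from the manual or from DASAN): a bridge table that learns the source MAC and ingress port of each frame, refreshes the entry on every frame from that station, drops entries that have not been refreshed within the ageing time, and floods frames whose destination is unknown or has aged out. The MAC addresses, port numbers and timestamps are constructed sample values. The macs_per_port() helper is an addition for operators: a single port that suddenly holds a large number of entries is the condition the mac-flood-guard trap in section 7.1.3 reports, and a table that fills up falls back to flooding.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    port: int          # port on which the station was last seen
    last_seen: float   # time of the last frame from that station (seconds)


class MacTable:
    """Learning bridge table with ageing, modelled on the behaviour described in 6.3.7."""

    def __init__(self, ageing_time: float):
        self.ageing_time = ageing_time
        self.entries = {}  # mac -> Entry

    def learn(self, src_mac: str, port: int, now: float) -> None:
        """Record or refresh the station; an active station therefore never ages out."""
        self.entries[src_mac] = Entry(port, now)

    def expire(self, now: float) -> int:
        """Remove entries not refreshed within the ageing time; return how many were removed."""
        stale = [mac for mac, e in self.entries.items()
                 if now - e.last_seen > self.ageing_time]
        for mac in stale:
            del self.entries[mac]
        return len(stale)

    def forward(self, dst_mac: str, ingress_port: int, now: float):
        """Return the egress port, 'filter' if the destination is on the ingress port,
        or 'flood' when the destination is unknown or has aged out."""
        self.expire(now)
        entry = self.entries.get(dst_mac)
        if entry is None:
            return "flood"
        if entry.port == ingress_port:
            return "filter"
        return entry.port

    def macs_per_port(self) -> dict:
        """Number of learned addresses per port; a sudden jump on one port is worth a look."""
        counts = {}
        for e in self.entries.values():
            counts[e.port] = counts.get(e.port, 0) + 1
        return counts


if __name__ == "__main__":
    table = MacTable(ageing_time=300.0)             # constructed: 300 s ageing time
    table.learn("00:00:e8:81:50:4d", 24, now=0.0)   # constructed station on port 24
    print(table.forward("00:00:e8:81:50:4d", ingress_port=1, now=100.0))   # 24
    print(table.forward("00:00:e8:81:50:4d", ingress_port=1, now=301.0))   # flood
```

The ageing check runs inside forward() so that a lookup never returns a port the station left more than one ageing time ago; a real switch ages entries on a timer, but the visible result is the same.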
6.3.8
6.3.9 System Information
To display system information such as the product model, memory size, hardware specification and OS version, use the following command.
Command: show system
Mode: Top/Global
Description: Shows system information.
SWITCH# show system
SysInfo(System Information)
Model Name          : V1624
Main Memory Size    : 64 MB
Flash Memory Size   : 16 MB(INTEL IN28F640J3)
S/W Compatibility   : 6, 3
H/W Revision        : DS-P7-01A-A0
NOS Version         : 9.10
SWITCH#
6.3.10
Average CPU load
----------------
5 sec:  12.14( 0.76) %
1 min:  11.31( 0.68) %
6.3.11
unicast | multicast | broadcast: packet type
PORTS: port number
10-100: packet count (actual value: 1000-10000)
To stop the switch generating a syslog message according to the number of packets handled by the CPU, use the following commands.
Command: no cpu statistics-limit {unicast | multicast | broadcast} {PORTS | all}
Mode: Top/Global
Description: Disables the generation of a syslog message according to the number of packets handled by the CPU for the given packet type. all: all physical ports.
Command: no cpu statistics-limit all {PORTS | all}
Mode: Top/Global
Description: Disables the generation of a syslog message according to the number of packets handled by the CPU for all packet types.
To display the configured value for generating a syslog message according to the number of packets handled by the CPU, use the following command.
Command: show cpu statistics-limit
Mode: Top/Global/Bridge
Description: Shows the configured value for generating a syslog message according to the number of packets handled by the CPU.
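The limit evaluation described above, as an added Python example (not code from the manual or from DASAN): the configured value is entered as 10-100 and corresponds to an actual count of 1000-10000, so the check multiplies by 100, resolves a limit set for a specific port before one set for all ports, and returns one message per port and packet type whose CPU-bound count exceeds its limit. The counter values, the limit settings and the wording of the messages are constructed for the example; the real syslog text of the switch is not shown on this page.

```python
SCALE = 100   # a configured value of 10-100 corresponds to an actual count of 1000-10000
PACKET_TYPES = ("unicast", "multicast", "broadcast")


def configured_to_actual(limit: int) -> int:
    """Translate the CLI value (10-100) into the packet count the switch compares against."""
    if not 10 <= limit <= 100:
        raise ValueError("limit must be between 10 and 100")
    return limit * SCALE


def resolve_limit(limits: dict, ptype: str, port: int):
    """A limit set for a specific port takes precedence over one set for 'all'."""
    if (ptype, port) in limits:
        return limits[(ptype, port)]
    return limits.get((ptype, "all"))


def evaluate_cpu_limits(counters: dict, limits: dict) -> list:
    """counters: {port: {ptype: packets handled by the CPU in the interval}}
    limits:   {(ptype, port or 'all'): configured value 10-100}
    Returns syslog-style messages (constructed wording) for every exceeded limit."""
    messages = []
    for port in sorted(counters):
        for ptype in PACKET_TYPES:
            count = counters[port].get(ptype, 0)
            configured = resolve_limit(limits, ptype, port)
            if configured is None:
                continue                       # no limit for this type on this port
            actual = configured_to_actual(configured)
            if count > actual:
                messages.append(
                    f"CPU-LIMIT: port {port} {ptype} packets to CPU {count} "
                    f"exceed limit {actual}")
    return messages


if __name__ == "__main__":
    # Constructed interval counters and limits
    counters = {3: {"broadcast": 4200, "unicast": 150}, 5: {"unicast": 1200}}
    limits =   {("broadcast", "all"): 40, ("unicast", "all"): 10, ("unicast", 5): 100}
    for message in evaluate_cpu_limits(counters, limits):
        print(message)
```

With these inputs only port 3 is reported: its 4200 broadcast packets exceed the all-ports limit of 40 (4000 packets), while port 5 stays under its own unicast limit of 100 (10000 packets) even though it exceeds the all-ports unicast limit.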
6.3.12 CPU Process
CPU load can be checked per process. With this function the user can see which daemon occupies most of the CPU, whether there is an unnecessary daemon, and the operating state of a troubled daemon; this information is useful for solving problems. To check the CPU processes, use the following command.
Command: show process
Mode: Top/Global
Description: Checks CPU load per process.
6.3.13 Utilization of Memory
To display the memory utilization, use the following command.
Command: show memory
Mode: Top/Global
Description: Shows the utilization of the switch memory.
6.3.14
The following is an example of viewing the system image version (OS 3.09) of the switch.
SWITCH# show version
Switch OS Version : 3.15 #4499
SWITCH#
6.3.15
The following is an example of viewing the size of the current system image file.
SWITCH# show os-size
OS image size : 5733352 bytes
SWITCH#
6.3.16 Installed OS
To display the utilization of the flash memory, use the following command.
Command: show flash
Mode: Top/Global
Description: Shows the utilization of the flash memory.
6.3.17 Assigning Default OS
When two different system images are installed, the user can assign one of them as the default OS. To assign the default OS, use the following command.
Command: set default-os {os1 | os2}
Mode: Top
Description: Assigns the default OS. (Default: os1)
To see the current default OS in the system, use the show flash command.

6.3.18 Switch Status
To display the temperature of the switch, the power status and the fan status, use the following commands.
Command: show status power
Mode: Top/Global/Bridge
Description: Shows the power status.
Command: show status temp
Mode: Top/Global/Bridge
Description: Shows the temperature of the switch.
6.3.19 Cable Diagnostics
It takes about 5 seconds per port for the result of the cable diagnostic to appear after the cable-diagnostic command is issued. To display the status of the category 5 Ethernet cables connected to the V1624, use the following command.
Command: cable-diagnostic PORTS
Mode: Top/Global/Bridge
Description: Shows the status of the connected cables.
In the result report of the diagnostics, PAIR-A refers to the 3rd and 6th pins of the RJ45 connector and PAIR-B to the 1st and 2nd pins. For each pair you can verify the status of the physical connection (STATUS), the location of the problem (LEN) and the link state of the connected network equipment (LINK STATE). Tab. 6.3 describes each state in the result report.
Item         State            Description
STATUS       SHORT            A short circuit has occurred.
STATUS       OPEN             The cable has been disconnected.
LINK STATE   PARTNER UP       The partner equipment is supplied with power.
LINK STATE   PARTNER DOWN     The partner equipment is not supplied with power.
LINK STATE   DETECTED ERROR   A problem on the cable has occurred.
LINK STATE   NO LINK          The partner equipment is not connected.
Tab. 6.3 States in the cable diagnostic result report
The DETECTED ERROR state is shown only when power to the connected network equipment has been disconnected.
7 Network Management
7.1 SNMP
An SNMP (Simple Network Management Protocol) system consists of three parts: the SNMP manager, the managed device and the SNMP agent. SNMP is an application-layer protocol that allows SNMP manager and agent stations to communicate with each other; it defines a message format for sending information between the SNMP manager and the SNMP agent. The agent and the MIB reside on the switch. When configuring SNMP on the switch, you define the relationship between the manager and the agent. Depending on the community, you can grant read-only access or both read and write access. The SNMP agent holds MIB variables with which it replies to requests from the SNMP manager, and the manager can obtain data from the agent and store data in the agent. The agent takes its data from the MIB, which holds information about the system and the network. In some situations the SNMP agent sends a trap to the manager. A trap is a warning message that alerts the SNMP manager to the network status; traps report improper user authentication, rebooting, connection status (activate or deactivate), closing of a TCP connection and disconnection from a neighbour switch.
7.1.1
A community is, as commonly understood, a password. You configure a community by entering the password you want, and depending on how it is configured the community grants access right to read only or both to read and to write. The abbreviations that follow, ro for read-only and rw for read/write, are the keywords that distinguish the access right.
The following are two examples: granting read and write access by configuring the community administrator, and granting read-only access by configuring the community everyone.
SWITCH(config)# snmp community administrator rw
SWITCH(config)# snmp community everyone ro
SWITCH(config)#
7.1.2 Contact and Location of the SNMP Agent
The following example sets the contact person of the SNMP agent to manager and its location to seoul:

SWITCH(config)# snmp contact manager
SWITCH(config)# snmp location seoul
SWITCH(config)#
7.1.3 SNMP Trap
7.1.3.1 SNMP Trap Host
The following example assigns the manager with IP address 10.1.1.3 as the trap host:

SWITCH(config)# snmp trap-host 10.1.1.3
SWITCH(config)#
When you assign more than one trap host, you can enter the IP addresses one at a time or all in one command. The following example configures 10.1.1.3, 20.1.1.5 and 30.1.1.2 as trap hosts in both ways:

SWITCH(config)# snmp trap-host 10.1.1.3
SWITCH(config)# snmp trap-host 20.1.1.5
SWITCH(config)# snmp trap-host 30.1.1.2
SWITCH(config)# snmp trap-host 10.1.1.3 20.1.1.5 30.1.1.2
SWITCH(config)#
7.1.3.2 SNMP Trap Type
Sending every trap can generate excessive traffic, so you can select which trap types are sent to the trap hosts. To configure the trap types you want to receive, use the following commands (all in Global configuration mode).

Command                        Description
snmp trap auth-fail            Sends a trap on SNMP authentication failure.
snmp trap cold-start           Sends a trap when the system cold-starts.
snmp trap link-down PORT       Sends a trap when the link of the specified port goes down.
snmp trap link-up PORT         Sends a trap when the link of the specified port comes up.
snmp trap cpu-threshold        Sends a trap when CPU utilization exceeds the threshold configured in 7.3.5 CPU Utilization Threshold, and again when it falls back below the threshold.
snmp trap port-threshold       Sends a trap when port traffic exceeds the port threshold, and again when it falls back below the threshold.
snmp trap dhcp-lease           Sends a trap when the DHCP server has no more IP addresses to assign in a subnet.
snmp trap dhcp-illegal-entry   Sends a trap when a DHCP client that is barred from using a static IP address is blocked.
snmp trap fan                  Sends a trap on a fan problem.
snmp trap module               Sends a trap on a module problem.
snmp trap power                Sends a trap on a power problem.
snmp trap major-temp           Sends a trap when the system temperature exceeds the configured thresholds (see 7.3.8).
snmp trap temperature
snmp trap ip-conflict          Sends a trap to report an IP address conflict.
snmp trap mac-flood-guard      Sends a trap when the threshold configured in 8.8.2 Configuring Flood-guard based on MAC Address is exceeded.
The V1624 can assign a priority to the fan trap and the door trap. There are four levels, in descending order of severity: critical > major > minor > normal. To configure these priorities, use the following commands in Global configuration mode.

Command                                              Description
alarmclass door {critical | major | minor | normal}  Sets the priority of the door trap.
alarmclass fan1 {critical | major | minor | normal}  Sets the priority of the fan trap.
7.1.4 SNMP Agent Address
If the IP address designated as the SNMP agent address is removed from the switch, SNMP may stop responding. When you try to delete that address from an interface, the switch warns you as follows:

SWITCH(config)# snmp agent-address 10.1.1.1
SWITCH(config)# interface br1
SWITCH(config-if)# no ip address 10.1.1.1/8
Warning : 10.1.1.1/8 is specified to the SNMP agent address. SNMP agent may not reply.
SWITCH(config-if)#
7.1.5
SNMP Configuration
To check SNMP configuration, use the following command.
Command               Mode                          Description
show running-config   Top/Global/Bridge/Interface   Shows the switch configuration.
7.1.6
Deleting SNMP
To delete SNMP, use the following command.
Command   Mode     Description
no snmp   Global   Deletes SNMP.
This command deletes all SNMP-related configuration (communities, contact and location, agent address, trap hosts and trap types). The following example deletes SNMP and verifies the result:

SWITCH(config)# no snmp
SWITCH(config)# show running-config
(omitted)
no snmp
!
SWITCH(config)#
7.2
RMON
RMON (Remote Monitoring) monitors the communication status of devices connected to an Ethernet segment from a remote location. Whereas SNMP reports only on the device that runs the SNMP agent, RMON reports on the whole segment including the devices on it, so the network can be managed more effectively. For instance, SNMP can report the traffic of certain ports, but RMON can show the traffic of the whole network, the traffic of each host on the segment and the current traffic between hosts. Because RMON processes a large amount of data, its share of the processor is high; the administrator should take care that RMON neither degrades switch performance nor overloads the network with its own transmissions. RFC 1757 defines nine RMON MIB groups: Statistics, History, Alarm, Host, Host Top N, Matrix, Filter, Packet Capture and Event. The V1624 supports the three most basic of them: History, Alarm and Event.
7.2.1 RMON History
To configure RMON History you first enter History configuration mode with the following command. The system prompt then changes from SWITCH(config)# to SWITCH(config-rmonhistory[n])#, where n is the number that identifies this History entry.

Command                  Mode     Description
rmon-history <1-65534>   Global   Opens History configuration mode for the RMON History entry with the given number (1 to 65,534).
The following example enters RMON History configuration mode for History 1:

SWITCH(config)# rmon-history 1
SWITCH(config-rmonhistory[1])#
Enter a question mark (?) at the prompt in History configuration mode to list the available commands:

SWITCH(config-rmonhistory[1])# ?
  active             Activate the history
  data-source        Define the data source object for the ethernet port
  end                End current mode and down to top mode
  exit               Exit current mode and down to previous mode
  interval           Define the time interval for the history
  list               Print command list
  owner              Assign the owner who define and is using the history resources
  requested-buckets  Define the bucket count for the interval
  show               Show running system information
SWITCH(config-rmonhistory[1])#
The question mark you enter is not echoed; the command list is displayed immediately.
7.2.1.1
7.2.1.2
The owner of an RMON History entry can be at most 32 characters long. If you enter more than 32 characters, the error message %Too long owner name is displayed.
7.2.1.3
7.2.1.4
7.2.1.5 Activating RMON History
The following example activates RMON History 1 and shows the resulting configuration:

SWITCH(config-rmonhistory[1])# active
SWITCH(config-rmonhistory[1])# show running-config
Building configuration...
(omitted)
rmon-history 1
 owner dasan
 data-source ifindex.hdlc1
 interval 60
 requested-buckets 25
 active
(omitted)
SWITCH(config-rmonhistory[1])#
Check that the configuration is correct before activating RMON History. Once activated, its configuration cannot be changed; to change it, delete the History entry and configure it again.
7.2.1.6
7.2.2 RMON Alarm
The following example enters Alarm configuration mode to configure RMON Alarm 1:

SWITCH(config)# rmon-alarm 1
SWITCH(config-rmonalarm[1])#
Enter a question mark (?) at the prompt in Alarm configuration mode to list the available commands:

SWITCH(config-rmonalarm[1])# ?
  active             Activate the event
  end                End current mode and down to top mode
  exit               Exit current mode and down to previous mode
  falling-event      Associate the falling threshold with an existing RMON event
  falling-threshold  Define the falling threshold
  list               Print command list
  owner              Assign the owner who define and is using the history resources
  rising-event       Associate the rising threshold with an existing RMON event
  rising-threshold   Define the rising threshold
  sample-interval    Specify the sampling interval for RMON alarm
  sample-type        Define the sampling type
  sample-variable    Define the MIB Object for sample variable
  show               Show running system information
  startup-type       Define startup alarm type
SWITCH(config-rmonalarm[1])#
7.2.2.1
The owner of an RMON Alarm entry can be at most 32 characters long. If you enter more than 32 characters, the error message %Too long owner name is displayed.
7.2.2.2 Sample Variable
To assign the MIB object that is sampled, use the following command.

Command                      Mode   Description
sample-variable MIB-OBJECT   RMON   Assigns the MIB object to sample.
The following example samples the MIB object apSvcConnections:

SWITCH(config-rmonalarm[1])# sample-variable apSvcConnections
SWITCH(config-rmonalarm[1])#
7.2.2.3 Sample Type
Delta comparison compares the difference between the current sample and the previous one with the threshold. For instance, to be notified when apCntHits has grown by more than 100,000 since the previous sample, configure apCntHits with delta sampling. To configure delta comparison, use the following command.

Command             Mode   Description
sample-type delta   RMON   Compares the difference between the current and the previous sample with the threshold.
7.2.2.4 Rising Threshold and Event
The upper (rising) threshold can be at most 2,147,483,647. If you set it to 0, no alarm is raised for it.
After configuring the rising threshold, associate the RMON Event that should occur when the sampled object exceeds it:

Command                  Mode   Description
rising-event <0-65535>   RMON   Associates the RMON Event that occurs when the object exceeds the rising threshold.
The following example makes RMON Event 1 occur when the object exceeds the rising threshold:

SWITCH(config-rmonalarm[1])# rising-event 1
SWITCH(config-rmonalarm[1])#
If the rising threshold is set to 0, no Event occurs.
7.2.2.5 Falling Threshold and Event
The lower (falling) threshold can be at most 2,147,483,647. If you set it to 0, no alarm is raised for it.
After configuring the falling threshold, associate the RMON Event that should occur when the sampled object drops below it:

Command                   Mode   Description
falling-event <0-65535>   RMON   Associates the RMON Event that occurs when the object falls below the falling threshold.
The following example makes RMON Event 2 occur when the object falls below the falling threshold:

SWITCH(config-rmonalarm[1])# falling-event 2
SWITCH(config-rmonalarm[1])#
7.2.2.6 Startup Type
To make the first alarm occur when the object first exceeds the rising threshold, use the following command.

Command               Mode   Description
startup-type rising   RMON   Makes the first alarm occur when the object first exceeds the rising threshold.
To make the first alarm occur when the object first either exceeds the rising threshold or drops below the falling threshold, use the following command.

Command                           Mode   Description
startup-type rising-and-falling   RMON   Makes the first alarm occur on the first rising or falling threshold crossing.
7.2.2.7
7.2.2.8 Activating RMON Alarm
The following example activates RMON Alarm 1 and shows the resulting configuration:

SWITCH(config-rmonalarm[1])# active
SWITCH(config-rmonalarm[1])# show running-config
Building configuration...
(omitted)
rmon-alarm 1
 owner dasan
 sample-variable apSvcConnections
 sample-type absolute
 startup-type rising
 rising-threshold 100
 falling-threshold 90
 rising-event 1
 falling-event 2
 sample-interval 60
 active
(omitted)
SWITCH(config-rmonalarm[1])#
You should make sure that all configurations are correct before activating RMON Alarm. After activating RMON Alarm, you cannot change configuration. If you need to change configuration, you have to delete RMON Alarm and configure it again.
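The following Python model shows how the alarm configured above behaves once activated: absolute versus delta sampling, the rising and falling thresholds with their associated event numbers, the startup-type, and the hysteresis that the RMON MIB (RFC 1757, later RFC 2819) prescribes, under which a rising event cannot fire again until the value has crossed the falling threshold. It is an added example, not V1624 firmware code; the readings of apSvcConnections are constructed, and the class and function names are ours.

```python
"""RMON alarm evaluation as described in 7.2.2 (sample-type absolute/delta,
rising/falling thresholds, rising/falling events, startup-type).
Added illustration only; this is not the V1624 firmware. The hysteresis
follows the RMON MIB (RFC 1757/2819): after a rising event no further rising
event fires until the value has crossed the falling threshold, and vice
versa. Sample series below are constructed."""
from typing import List, Optional


class RmonAlarm:
    def __init__(self, sample_type: str, rising_threshold: int, falling_threshold: int,
                 rising_event: int, falling_event: int, startup_type: str = "rising"):
        self.sample_type = sample_type              # "absolute" or "delta"
        self.rising_threshold = rising_threshold    # 0 = no rising alarm (7.2.2.4)
        self.falling_threshold = falling_threshold  # 0 = no falling alarm (7.2.2.5)
        self.rising_event = rising_event            # event id, 0 = no event
        self.falling_event = falling_event
        self.startup_type = startup_type            # "rising", "falling", "rising-and-falling"
        self.last_raw: Optional[int] = None
        self.first = True
        self.armed_rising = True
        self.armed_falling = True
        self.fired: List[tuple] = []                # (direction, sampled value, event id)

    def _fire(self, direction: str, value: int) -> Optional[int]:
        event = self.rising_event if direction == "rising" else self.falling_event
        if event == 0:
            return None
        self.fired.append((direction, value, event))
        return event

    def sample(self, raw: int) -> Optional[int]:
        """Feed one raw MIB reading; return the RMON event id triggered, if any."""
        if self.sample_type == "delta":
            if self.last_raw is None:       # a delta needs two readings
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw

        rising = self.rising_threshold != 0 and value >= self.rising_threshold
        falling = self.falling_threshold != 0 and value <= self.falling_threshold
        event = None
        if self.first:
            # startup-type decides whether the very first crossing raises an event
            self.first = False
            if rising:
                if self.startup_type in ("rising", "rising-and-falling"):
                    event = self._fire("rising", value)
                self.armed_rising, self.armed_falling = False, True
            elif falling:
                if self.startup_type in ("falling", "rising-and-falling"):
                    event = self._fire("falling", value)
                self.armed_falling, self.armed_rising = False, True
            return event
        if rising and self.armed_rising:
            event = self._fire("rising", value)
            self.armed_rising, self.armed_falling = False, True
        elif falling and self.armed_falling:
            event = self._fire("falling", value)
            self.armed_falling, self.armed_rising = False, True
        return event


def run_alarm(alarm: RmonAlarm, series: List[int]) -> List[Optional[int]]:
    return [alarm.sample(v) for v in series]


# Constructed readings of apSvcConnections, the object used in the page's example.
ABSOLUTE_SERIES = [50, 100, 120, 95, 90, 85, 101, 100]


def demo_absolute() -> List[Optional[int]]:
    """The page's alarm: absolute, rising 100 -> event 1, falling 90 -> event 2."""
    return run_alarm(RmonAlarm("absolute", 100, 90, 1, 2, "rising"), ABSOLUTE_SERIES)


def demo_delta() -> List[Optional[int]]:
    """Delta sampling: alert when a counter grows by >= 30 (or <= 5) per interval."""
    return run_alarm(RmonAlarm("delta", 30, 5, 1, 2, "rising-and-falling"),
                     [100, 140, 150, 152, 200, 201])


if __name__ == "__main__":
    print(demo_absolute())   # [None, 1, None, None, 2, None, 1, None]
    print(demo_delta())      # [None, 1, None, 2, 1, 2]
```

Two things the model makes visible that the tables above do not: a reading of exactly 100 fires event 1 only once while the value stays high, and event 1 can fire again only after event 2 has fired, so an alarm configured with a falling threshold of 0 raises its rising event exactly once and then stays silent.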
7.2.2.9
7.2.3 RMON Event
The following example enters Event configuration mode to configure RMON Event 1:

SWITCH(config)# rmon-event 1
SWITCH(config-rmonevent[1])#
To list the available commands in Event configuration mode, enter a question mark (?) at the prompt:

SWITCH(config-rmonevent[1])# ?
  active       Activate the event
  community    Define a community to an unactivated event
  description  Define description of RMON event
  end          End current mode and down to top mode
  exit         Exit current mode and down to previous mode
  list         Print command list
  owner        Assign the owner who define and is using the history resources
  show         Show running system information
  type         Define the event type determines where send the event notification
SWITCH(config-rmonevent[1])#
7.2.3.1
7.2.3.2 Event Description
An Event can carry a short description that is reported when the Event occurs. The description is not generated automatically; the administrator has to enter it. To describe an Event, use the following command.

Command                   Mode   Description
description DESCRIPTION   RMON   Describes the Event (maximum 126 characters).
7.2.3.3
The owner of an RMON Event entry can be at most 32 characters long. If you enter more than 32 characters, the error message %Too long owner name is displayed.
7.2.3.4
7.2.3.5 Activating Event
After finishing the configuration, activate the RMON Event with the following command.

Command   Mode   Description
active    RMON   Activates the Event.
The following example activates RMON Event 1 and shows the resulting configuration:

SWITCH(config-rmonevent[1])# active
SWITCH(config-rmonevent[1])# show running-config
Building configuration...
(omitted)
!
rmon-event 1
 owner dasan
 community password
 description This event ...
 type log-and-trap
 active
(omitted)
SWITCH(config-rmonevent[1])#
The community of a log-and-trap Event is the SNMP community placed in the trap it sends, so it appears in the running configuration and on the wire; choose it with the same care as the communities in 7.1.1.
You should make sure that all configurations are correct before activating RMON Event. After activating RMON Event, you cannot change configuration. If you need to change configuration, you have to delete RMON Event and configure it again.
7.2.3.6
7.3 Syslog
Syslog messages report problems that occur in the switch to the network manager. The system logger is enabled by default on the V1624, so even if you delete the function it becomes active again.
This section covers the following functions:
- Level of Syslog Message
- Disabling Syslog
- Displaying Syslog Message
- Displaying Syslog Configuration
- CPU Utilization Threshold
- Memory Usage Threshold
- Port Traffic Threshold
- Configuring Threshold of System Temperature
7.3.1 Level of Syslog Message
The severity levels, from highest to lowest priority, are emergency > alert > critical > error > warning > notice > info > debug. If you set a specific output level, you receive only messages of that level or higher. To receive messages of all levels, set the level to debug.
Syslog Output Level with a Priority
To set the syslog output level for a given facility and priority, use the following commands in Global configuration mode. FACILITY stands for one of {auth | authpriv | cron | deamon | kern | lpr | mail | news | syslog | user | uucp} and LEVEL for one of {emerg | alert | crit | err | warning | notice | info}, both spelled exactly as the CLI expects them.

Command                                                                 Description
syslog output priority FACILITY LEVEL console                           Generates messages of the facility at the given priority or higher and forwards them to the console.
syslog output priority FACILITY LEVEL local {volatile | non-volatile}   Stores such messages in system memory. volatile: the messages are deleted after a restart; non-volatile: the messages are retained.
syslog output priority FACILITY LEVEL remote A.B.C.D                    Forwards such messages to the remote host A.B.C.D.

Syslog forwarded to a remote host is neither encrypted nor authenticated by the protocol itself, so place the collector on the management network rather than on a customer-facing segment.
To delete a configured syslog output level, use the corresponding no form in Global configuration mode.

Command                                                                    Description
no syslog output priority FACILITY LEVEL console                           Deletes the specified syslog output level.
no syslog output priority FACILITY LEVEL local {volatile | non-volatile}
no syslog output priority FACILITY LEVEL remote A.B.C.D
User-defined Syslog Output Level with a Priority
To set a user-defined syslog output level with a priority, use the following commands in Global configuration mode. FACILITY here stands for one of the user-defined facilities {local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7} and LEVEL for one of {emerg | alert | crit | err | warning | notice | info}.

Command                                                                 Description
syslog output priority FACILITY LEVEL console                           Generates user-defined messages at the given priority or higher and forwards them to the console.
syslog output priority FACILITY LEVEL local {volatile | non-volatile}   Stores such messages in system memory. volatile: the messages are deleted after a restart; non-volatile: the messages are retained.
syslog output priority FACILITY LEVEL remote A.B.C.D                    Forwards such messages to the remote host A.B.C.D.
7.3.2
Disabling Syslog
To disable the syslog, use the following command.
Command     Mode     Description
no syslog   Global   Disables the syslog.
7.3.3 Displaying Syslog Message
7.3.4 Displaying Syslog Configuration
7.3.5 CPU Utilization Threshold
To limit the number of incoming packets handled by the CPU, use the following command. This is a control-plane rate limit: traffic that has to be handled by the CPU (management sessions, protocol packets, packets matched by a rule with egress-port 0) cannot exceed it, which bounds the effect of a flood aimed at the switch itself.

Command                           Mode     Description
set cpu packet limit <500-6000>   Global   Sets the number of incoming packets the CPU handles per second (default: 2000).
To display the configured limit, use the following command.

Command                 Mode                Description
show cpu packet limit   Top/Global/Bridge   Shows the configured number of incoming packets on the CPU.
The following example sets the CPU utilization threshold to 70% and checks the current load:

SWITCH(config)# threshold cpu 70
SWITCH(config)# show cpuload
---------------
Average CPU load
---------------
 5 sec: 3.95( 2.67) %
 1 min: 3.87( 2.67) %
10 min: 3.86( 2.67) %
With this configuration, the following message is displayed when CPU utilization exceeds 70%:
Oct 18 17:37:24 [86] zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load
and the following message when it falls back below 70%:
Oct 18 17:37:29 [39] zebra[80]: CPU Overload Cleared : Threshold [70] > CPU Load
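The following Python example ties together the two syslog topics above: the facility and severity numbering used by classic syslog, the "configured level or higher" rule of 7.3.1 that decides which destinations a message reaches, and a small watcher that turns the CPU Overload Warning and Cleared lines of 7.3.5 into state changes for a collector. It is an added example, not V1624 code or Dasan documentation; the facility table and PRI arithmetic are the standard ones (RFC 3164/5424), the destination model is our own abstraction of the syslog output priority command, and the log lines are constructed in the page's format.

```python
"""Syslog handling from 7.3.1 and 7.3.5 as an added example; not V1624 code.
It numbers facilities and severities as classic syslog (RFC 3164/5424) does,
applies the "configured level or higher" rule to decide where a message goes,
and watches the CPU overload Warning/Cleared lines shown on the page.
The log lines are constructed in the page's format."""
import re
from typing import Dict, List, Tuple

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def pri(facility: str, severity: str) -> int:
    """PRI value carried in the <N> prefix of a syslog datagram."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def split_pri(value: int) -> Tuple[str, str]:
    return FACILITIES[value // 8], SEVERITIES[value % 8]


def passes(configured_level: str, message_severity: str) -> bool:
    """A configured level admits that severity or anything more urgent
    (lower number); 'debug' admits everything."""
    return SEVERITIES.index(message_severity) <= SEVERITIES.index(configured_level)


class SyslogOutput:
    """Models 'syslog output priority FACILITY LEVEL DESTINATION' lines."""

    def __init__(self) -> None:
        self.rules: List[Tuple[str, str, str]] = []

    def add(self, facility: str, level: str, destination: str) -> None:
        self.rules.append((facility, level, destination))

    def destinations(self, facility: str, severity: str) -> List[str]:
        return [dest for fac, level, dest in self.rules
                if fac == facility and passes(level, severity)]


CPU_RE = re.compile(r"CPU Overload (Warning|Cleared) : Threshold \[(\d+)\]")


def cpu_overload_transitions(lines: List[str]) -> List[Tuple[str, int]]:
    """Reduce repeated Warning lines to state changes: (state, threshold)."""
    overloaded = False
    transitions: List[Tuple[str, int]] = []
    for line in lines:
        m = CPU_RE.search(line)
        if not m:
            continue
        now = m.group(1) == "Warning"
        if now != overloaded:
            overloaded = now
            transitions.append((m.group(1).lower(), int(m.group(2))))
    return transitions


# Constructed lines in the layout of the page's examples.
SAMPLE_LINES = [
    "Oct 18 17:37:24 [86] zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load",
    "Oct 18 17:37:26 [86] zebra[80]: CPU Overload Warning : Threshold [70] < CPU Load",
    "Oct 18 17:37:29 [39] zebra[80]: CPU Overload Cleared : Threshold [70] > CPU Load",
    "Oct 18 17:38:02 [86] zebra[80]: some unrelated message",
]


def demo_routing() -> Dict[str, List[str]]:
    """daemon err -> remote collector, daemon info -> console (constructed config)."""
    out = SyslogOutput()
    out.add("daemon", "err", "remote 10.1.1.3")
    out.add("daemon", "info", "console")
    return {sev: out.destinations("daemon", sev) for sev in ("crit", "warning", "debug")}


if __name__ == "__main__":
    print(demo_routing())
    print(cpu_overload_transitions(SAMPLE_LINES))
```

The routing demo shows the practical consequence of the level rule: a crit message reaches both the remote collector and the console, a warning reaches only the console, and debug reaches nothing because the CLI does not let you select a level below info. The transition function is the shape of detection logic a collector should run on these lines, since the switch repeats the Warning while the condition persists.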
7.3.6 Memory Usage Threshold
The following example sets the memory usage threshold to 20 and checks the configuration:

SWITCH(config)# threshold memory 20
SWITCH(config)# show running-config
Building configuration...
Current configuration:
hostname SWITCH
!
inactivity-timer 3600
!
set login radius timeout 10
!
set login tacacs timeout 5
!
threshold memory 20
(omitted)
SWITCH(config)#
7.3.7 Port Traffic Threshold
The following example sets the traffic threshold of port 1 to 500 Mbps and checks it:

SWITCH(config)# threshold port 1 500
SWITCH(config)# show port threshold
Port 1  :  500 Mbps
Port 2  : 1000 Mbps
Port 3  : 1000 Mbps
Port 4  : 1000 Mbps
Port 5  : 1000 Mbps
Port 6  : 1000 Mbps
Port 7  : 1000 Mbps
Port 8  : 1000 Mbps
Port 9  : 1000 Mbps
Port 10 : 1000 Mbps
(omitted)
SWITCH(config)#
7.3.8 Configuring Threshold of System Temperature
You can configure a highest and a lowest temperature threshold. The V1624 sends a syslog message or an SNMP trap when the switch temperature rises above the highest or falls below the lowest threshold.

Command                                     Mode     Description
threshold temp-major HIGH-VALUE LOW-VALUE   Global   Sets the highest and lowest system temperature thresholds, between -30 and 70 (unit: °C).
The following example sets the switch temperature threshold to 45 °C and checks it:

SWITCH(config)# threshold temp 45
SWITCH(config)# show status temp
Temperature 1: 62 C  45 C
7.4 QoS
Advantages of QoS
Controlling Network Resources: Bandwidth, devices, IP addresses and so on can be controlled. For example, the network administrator can limit the bandwidth used by FTP transfers and give important data priority.
Efficient Use of Resources: Once you know what the network is used for, the most important traffic can be delivered first.
Customized Service: With QoS the network business manager can offer a better service to users.
Priority Processing of Important Data: QoS reserves bandwidth and minimizes delay so that the most important data or voice data is processed first; the remaining data is processed in order of importance and then in order of arrival.
Processing Various Types of Data: With the V1600 series, which supports QoS, various types of data can be processed on the network.
7.4.1
Making QoS Policy: To classify traffic according to your own criteria, make a policy for those criteria and apply it. The criteria available for classifying traffic are IP address, TCP/UDP port number, protocol and so on.
Applying the Policy: After making a policy that classifies packets, configure IP Precedence, DiffServ or CoS to give the classified class its priority. Choosing a QoS policy is optional; the policies are:
Permit applies to the packets that match the rule.
Deny applies to the other packets, which do not match the rule.
Mirror sends the classified traffic to a monitor port.
Redirect sends the other packets to a specific port.
Scheduling: To handle traffic overload, you configure the order in which traffic is processed using a scheduling algorithm. The V1624 supports the following algorithms.
Algorithm based on Priority: Processes more important data first. Since all data is processed by priority, high-priority data is processed quickly but low-priority data may be delayed and pile up.
Algorithm based on Ratio: Processes data according to a configured ratio; this is another way of transmitting packets in a Layer 2 switch. Instead of a fixed amount of bandwidth per queue, the user configures a ratio of packet processing to suit the network.
7.4.2
7.4.2.1
To configure a QoS policy for packets destined to the CPU itself, set egress-port to 0.
To remove a rule you have made, use the following command in Global configuration mode.

Command        Mode     Description
no rule NAME   Global   Removes the rule named NAME.
7.4.2.2
You can enter DST-MAC-ADDR and SRC-MAC-ADDR in two ways:
1. Single MAC address: enter one MAC address, the typical case.
2. Multiple MAC addresses: use a MAC address mask in the form DST-MAC-ADDR/MASK or SRC-MAC-ADDR/MASK. The mask has the same form as a MAC address; F in a position means that position is compared and 0 means it is ignored, so particular groups of addresses can be selected. The following example classifies packets whose MAC address starts with 01:00:5E:

SWITCH(config)# rule test complement l2 01:00:5E:00:00:00/FF:FF:FF:00:00:00
7.4.2.3
7.4.2.4
Only one policy can be applied to a rule. To apply several policies to the same classification, create the rule several times under different names and apply one policy to each. The following example applies a policy to a rule named A that drops all incoming packets on port 1:

SWITCH(config)# rule A classify low 1
SWITCH(config)# rule A match deny
SWITCH(config)#
To remove an applied policy, use the following commands in Global configuration mode.

Command                                    Description
no rule NAME match permit                  Removes the policy that allows packets matching the rule.
no rule NAME match copy-to-cpu             Removes the policy that sends matching packets to the CPU.
no rule NAME match bandwidth               Removes the bandwidth configured for matching packets.
no rule NAME {match | no match} deny       Removes the policy that denies packets that match, or do not match, the rule.
no rule NAME {match | no match} redirect   Removes the policy that sends packets that match, or do not match, the rule to another port.
no rule NAME {match | no match} mirror     Removes the policy that monitors packets that match, or do not match, the rule.
no rule NAME {match | no match} diffserv   Removes the DSCP configured in the ToS field for the rule.
7.4.2.5
The following example shows the policy of rule A configured above:

SWITCH(config)# show rule
A(low)
  iport: 1
  match deny
SWITCH(config)#
7.4.2.6
To remove a level applied to a rule, use the following command in Global configuration mode.

Command                               Mode     Description
no rule NAME {match | no match} tos   Global   Removes the CoS or ToS value given to packets that match, or do not match, the rule.
7.4.2.7
7.4.2.8
The following example assigns CoS value 0 to the rule named A and maps CoS 0 to queue 3:

SWITCH(config)# rule A match cos 0
SWITCH(config)# qos map 0 3
SWITCH(config)#
To check the QoS map, use the following command in Top or Global configuration mode.

Command    Mode         Description
show qos   Top/Global   Shows the QoS map configured by the user.
7.4.2.9
Max-packet decides how many packets are processed from a queue before the scheduler passes to the next queue. For example, with Max-packet set to 100, 100 packets are processed from the queue and then the next queue is served.
To configure how many packets are processed from one queue, use the following commands in Global configuration mode.

Command                          Description
qos max-packet <0-3> <1-255>     Sets how many packets are processed from the queue before passing to the next queue.
qos max-packet <0-3> unlimited   Removes the configured Max-packet.
Max-latency prevents starvation of a low-priority queue while a high-priority queue is congested. A queue configured with a max-latency time gets a chance to process its packets after that time even if it would otherwise be starved.

Command                           Description
qos max-latency <0-3> <16-4080>   Sets Max-latency, between 16 and 4080 microseconds.
qos max-latency <0-3> disable     Removes the configured waiting time.
To check the configured scheduling, use the following command in Top or Global mode.

Command    Mode         Description
show qos   Top/Global   Shows the queue configuration.
The following example sets Max-packet 100 and Max-latency 16 for queue 0 and checks the result:

SWITCH(config)# qos max-latency 0 16
SWITCH(config)# qos max-packet 0 100
SWITCH(config)# show qos
------------------------------------------------
Queue   MaxPacket   MaxLatency(us)   CoS
------------------------------------------------
0       100         16               0
1       unlimited   disabled         1,2,3,4,5,6,7
2       unlimited   disabled
3       unlimited   disabled
------------------------------------------------
SWITCH(config)#
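The following Python simulation shows what Max-packet and Max-latency do to the service order of the four queues. It is an added example, not the V1624's scheduler: it assumes strict priority with queue 3 highest (the page does not state which queue is highest), a fixed 10 microseconds per packet, and that the max-latency check is made before each packet is chosen. The Scheduler class and the demo functions are ours.

```python
"""Queue scheduling from 7.4.2.9 (qos max-packet and qos max-latency) as an
added simulation; this is not the V1624's scheduler. Assumptions: four queues,
strict priority with queue 3 highest, every packet takes PACKET_TIME_US to
send, and max-latency is checked before each packet is chosen."""
from collections import deque
from typing import Dict, List, Optional

PACKET_TIME_US = 10


class Scheduler:
    def __init__(self, max_packet: Optional[Dict[int, int]] = None,
                 max_latency: Optional[Dict[int, int]] = None) -> None:
        self.queues = [deque() for _ in range(4)]  # entries are enqueue times (us)
        self.max_packet = max_packet or {}         # queue -> packets; absent = unlimited
        self.max_latency = max_latency or {}       # queue -> microseconds; absent = disabled
        self.now = 0
        self.burst = [0] * 4                       # consecutive packets sent from each queue

    def enqueue(self, queue: int, count: int = 1) -> None:
        for _ in range(count):
            self.queues[queue].append(self.now)

    def _starving_queue(self) -> Optional[int]:
        """Lowest queue whose head packet has waited max-latency or longer."""
        for q in range(4):
            limit = self.max_latency.get(q)
            if limit is not None and self.queues[q]:
                if self.now - self.queues[q][0] >= limit:
                    return q
        return None

    def _next_queue(self) -> Optional[int]:
        q = self._starving_queue()
        if q is not None:
            return q
        for q in (3, 2, 1, 0):                     # strict priority, highest first
            if not self.queues[q]:
                continue
            limit = self.max_packet.get(q)
            if limit is not None and self.burst[q] >= limit:
                continue                           # quota used up: let the next queue in
            return q
        self.burst = [0] * 4                       # everyone exhausted: start a new round
        for q in (3, 2, 1, 0):
            if self.queues[q]:
                return q
        return None

    def run(self) -> List[int]:
        """Drain all queues; return the sequence of queue numbers served."""
        order: List[int] = []
        while True:
            q = self._next_queue()
            if q is None:
                return order
            self.queues[q].popleft()
            self.burst = [self.burst[i] + 1 if i == q else 0 for i in range(4)]
            order.append(q)
            self.now += PACKET_TIME_US


def demo_strict() -> List[int]:
    """No limits: queue 3 is drained before queue 0 gets anything."""
    s = Scheduler()
    s.enqueue(3, 3)
    s.enqueue(0, 2)
    return s.run()


def demo_max_packet() -> List[int]:
    """max-packet 2 on queue 3: after two packets the next queue gets a turn."""
    s = Scheduler(max_packet={3: 2})
    s.enqueue(3, 4)
    s.enqueue(0, 2)
    return s.run()


def demo_max_latency() -> List[int]:
    """max-latency 16 us on queue 0 (the page's example value): its packet is
    served once it has waited that long, even though queue 3 is still busy."""
    s = Scheduler(max_latency={0: 16})
    s.enqueue(3, 5)
    s.enqueue(0, 1)
    return s.run()


if __name__ == "__main__":
    print(demo_strict(), demo_max_packet(), demo_max_latency())
```

The three demos contrast the behaviours: with no limits the low-priority queue waits for the whole high-priority backlog, Max-packet turns this into a weighted rotation, and Max-latency alone leaves strict priority in place but guarantees the low queue a slot once its head packet has aged past the limit.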
7.4.2.10 Packet Counter
When packets defined in a QoS rule arrive, the QoS policy is applied. A packet that the rule says to drop is dropped without any notice or record. For an administrator it is useful to know that such traffic is arriving, even when it is unwanted or harmful. To count how often packets defined in a rule arrive, assign a Counter ID to the rule; several IDs can be assigned to one rule. Each time the QoS policy is applied, the count is recorded under the assigned Counter ID. To assign a Counter ID to a QoS rule, use the following commands.

Command                          Mode     Description
rule NAME match counter <0-31>   Global   Assigns a Counter ID (0 to 31) to the QoS rule.
no rule NAME match counter       Global   Removes the assigned Counter ID.
To display how many times the QoS policy has been applied, use the following command.
7.4.2.11
To make a rule that blocks incoming telnet, FTP, ICMP or SNMP connections to the switch, use the following commands in Global configuration mode.

Command
admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any]
admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any] <0-255>
admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any] icmp [<0-255> | any]
admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any] tcp [SRC-PORT | any] [DES-PORT | any]
admin-access-rule NAME classify {low | medium | high} ip [SRC-ADDRESS | SRC-ADDRESS/M | any] [DES-ADDRESS | DES-ADDRESS/M | any] udp [SRC-PORT | any] [DES-PORT | any]
Description: Makes a rule that classifies incoming connections to the switch by source and destination address and, optionally, by IP protocol number, ICMP type, or TCP/UDP source and destination port.
The following table shows the commands used to apply a policy to the configured rule.

Command                                  Mode     Description
admin-access-rule NAME match permit      Global   Allows packets that match the rule.
admin-access-rule NAME no match permit   Global   Allows packets that do not match the rule.
admin-access-rule NAME match deny        Global   Denies packets that match the rule.
admin-access-rule NAME no match deny     Global   Denies packets that do not match the rule.
After a deny policy is applied to a telnet rule, telnet connections to the switch are refused. Take care with the no match forms: no match deny denies every packet that does not match the classification, so a rule written for one protocol can also cut off the management session you are configuring from unless a permit rule for your management subnet is in place. To view the configuration for telnet, FTP, ICMP and SNMP access, use the following command in Top or Global configuration mode.

Command                         Mode         Description
show admin-access-rule [NAME]   Top/Global   Shows the policies and rules for telnet, FTP, ICMP and SNMP access.
The following table shows the commands used to remove a configured rule or a policy applied to a rule.
Command                                                Mode    Description
no admin-access-rule NAME                              Global  Deletes the rule called NAME.
no admin-access-rule NAME {no match | match} permit    Global  Removes the permit policy applied to the rule called NAME.
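The following Python model is an added illustration of how rules of the shape above are evaluated; it is not V1624 code. Each rule carries a classifier (source/destination address, protocol, ports) and a permit or deny policy in its "match" / "no match" form. The priority order (high before medium before low), the first-decision-wins evaluation, and the permit-by-default fallback are assumptions made for this example; the manual does not state the switch's own evaluation order. The rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not V1624 code. Evaluation order (high before medium before
# low, first policy that decides wins) and the permit-by-default fallback are
# assumptions for the illustration.

PRIORITY = {"high": 0, "medium": 1, "low": 2}   # classify {low | medium | high}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0      # for icmp: the ICMP type
    dport: int = 0


@dataclass
class AdminRule:
    name: str
    priority: str                   # "low" | "medium" | "high"
    src: str = "any"                # address, address/M, or any
    dst: str = "any"
    proto: Optional[str] = None     # None: any IP protocol
    sport: Optional[int] = None     # None: any
    dport: Optional[int] = None
    policy: Optional[str] = None    # "match permit" | "no match permit" | "match deny" | "no match deny"

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def classify(self, pkt: Packet) -> bool:
        """True when the packet matches this rule's classifier."""
        return (self._addr_ok(self.src, pkt.src)
                and self._addr_ok(self.dst, pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))

    def verdict(self, pkt: Packet) -> Optional[str]:
        """'permit' or 'deny' when the policy applies to this packet, else None."""
        if self.policy is None:           # classified, but no 'match' policy applied yet
            return None
        hit = self.classify(pkt)
        if self.policy.startswith("no match"):
            hit = not hit
        return self.policy.split()[-1] if hit else None


def admin_access(rules, pkt: Packet, default: str = "permit") -> str:
    """Run the rules in priority order; the first rule with a verdict decides."""
    for rule in sorted(rules, key=lambda r: PRIORITY[r.priority]):
        v = rule.verdict(pkt)
        if v is not None:
            return v
    return default


def demo() -> dict:
    # Constructed rule set: the management subnet may use Telnet, everyone
    # else is denied Telnet, and SNMP is denied from anywhere.
    rules = [
        AdminRule("mgmt-telnet", "high", src="10.0.0.0/24", proto="tcp", dport=23, policy="match permit"),
        AdminRule("no-telnet", "low", proto="tcp", dport=23, policy="match deny"),
        AdminRule("no-snmp", "medium", proto="udp", dport=161, policy="match deny"),
    ]
    switch = "10.0.0.1"
    return {
        "telnet-from-mgmt": admin_access(rules, Packet("10.0.0.5", switch, "tcp", 40000, 23)),
        "telnet-from-user": admin_access(rules, Packet("192.168.7.9", switch, "tcp", 40001, 23)),
        "snmp-from-mgmt": admin_access(rules, Packet("10.0.0.5", switch, "udp", 50000, 161)),
        "ssh-from-user": admin_access(rules, Packet("192.168.7.9", switch, "tcp", 40002, 22)),
    }
```

The "no match" forms invert the classifier, so a "no match deny" rule on an ICMP classifier denies everything that is not ICMP; when combining such rules, the priority level decides which one speaks first.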
7.4.2.12 NetBIOS Filtering
NetBIOS is used in a LAN (Local Area Network) environment where computers share information with each other in order to communicate. However, when an ISP (Internet Service Provider) provides Internet access through a LAN service to a specific area such as an apartment building, each customer's information should be kept private.
Fig. 7.1
In this case, without NetBIOS filtering, customers' data may be exposed to each other even though it should be kept private. To protect customer information and prevent sharing in the case above, NetBIOS filtering is necessary.
Command                     Mode    Description
set netbios-filter PORT     Global  Configures NetBIOS filtering on the specified port.
clear netbios-filter PORT   Global  Disables NetBIOS filtering on the specified port.
show netbios-filter         Global  Shows the configuration of NetBIOS filtering.
The following is an example of configuring NetBIOS filtering on ports 1 to 5 and checking it.
SWITCH(bridge)# set netbios-filter 1-5
SWITCH(bridge)# show netbios-filter
o:enable .:disable
--------------------------
         1         2
12345678901234567890123456
--------------------------
ooooo.....................
--------------------------
SWITCH(bridge)#
7.5 MAC Filtering
Frames can be forwarded or filtered according to their destination MAC address. Up to 4096 MAC addresses can be registered without specific performance degradation.
7.5.1
7.5.2
{deny | permit} PORT
The variable MAC-ADDRESS is a twelve-digit hexadecimal number, for example 00:d0:cb:06:01:32. You can check it with the show mac command.
To check the user's configuration of the MAC filter policy, use the following commands.
Command                         Mode               Description
show mac-filter                 Top/Global/Bridge  Shows the MAC filter policy.
show mac-filter COUNT           Top/Global/Bridge  Shows as many MAC filter policy entries as the user specifies.
show mac-filter COUNT MACADDR   Top/Global/Bridge  Shows as many filter policy entries concerning the specified MAC address as the user specifies.
The latest policy is recorded as number 1. The following is an example of permitting MAC addresses 00:02:a5:74:9b:17 and 00:01:a7:70:01:d2 on port 3 of VLAN 1 and checking the filter policy table.
SWITCH(bridge)# set mac-filter add 00:02:a5:74:9b:17 permit 1 3
SWITCH(bridge)# set mac-filter add 00:01:a7:70:01:d2 permit 1 3
SWITCH(bridge)# show mac-filter
========================================================
ID | MAC               | ACTION | VID | PORT
========================================================
 1 | 00:01:a7:70:01:d2 | PERMIT |   1 |    3
 2 | 00:02:a5:74:9b:17 | PERMIT |   1 |    3
7.5.3
MACADDR
7.5.4
7.6
The following is an example of allowing two MAC addresses on port 1, five addresses on ports 2 and 3, and ten addresses on port 4.
SWITCH(bridge)# set max-hosts 1 2
SWITCH(bridge)# set max-hosts 2 5
SWITCH(bridge)# set max-hosts 3 5
SWITCH(bridge)# set max-hosts 4 10
SWITCH(bridge)#
(omitted)
SWITCH(bridge)#
7.7
The following is an example of registering MAC address 00:01:02:9a:61:17 in the MAC table of br1 for port 13.
SWITCH(bridge)# set mac 1 00:01:02:9a:61:17
SWITCH(bridge)#
The following is an example of showing the destination MAC address, the port number, the VLAN ID, and the time each entry was registered in the table.
SWITCH(bridge)# show mac br1 1
port (id)  mac addr           permission  in use
eth01(01)  00:01:02:9a:61:1a  static      0.00
eth01(01)  00:d0:cb:0a:00:77  OK          5.88
eth01(01)  00:02:78:e0:7d:cf  OK          6.15
eth01(01)  00:d0:59:58:45:3b  OK          6.83
eth01(01)  00:02:78:e0:7d:d6  OK          6.99
eth01(01)  00:d0:59:38:88:4c  OK          7.27
eth01(01)  00:01:e6:25:43:5b  OK          7.53
eth01(01)  00:c0:26:72:7d:7a  OK          8.52
(omitted)
SWITCH(bridge)#
To delete a static MAC address from the MAC table, use the following command.
Command                         Mode    Description
clear mac BRIDGE PORT MACADDR   Bridge  Deletes the specified static MAC address from the port.
clear mac BRIDGE PORT static    Bridge  Deletes static MAC addresses from the port.
clear mac BRIDGE PORT dynamic   Bridge  Deletes dynamic MAC addresses from the port.
clear mac BRIDGE PORT all       Bridge  Deletes all MAC addresses from the port.
7.8
7.8.1 ARP Table
7.8.1.1
7.8.1.2
7.8.1.3
7.8.2 ARP-Alias
Although clients are connected to the same client switch, they may be unable to communicate with each other because of their private security settings. When they need to communicate, V1624 supports ARP-alias, which answers ARP requests from the client network through the concentrating switch. To register the address range of the client network in ARP-Alias, use the following command.
Command                                          Mode    Description
arp-alias START-IP-ADDR END-IP-ADDR [MACADDR]    Global  Registers an IP address range and MAC address in ARP-Alias so that the user's equipment answers ARP requests.
no arp-alias START-IP-ADDR                       Global  Deletes the registered IP address range of ARP-Alias.
                                                 Global  Deletes all ARP-Alias entries.
Unless you input a MAC address, the MAC address of the user's equipment is used for the ARP response.
7.8.3 ARP Inspection
ARP provides IP communication by mapping an IP address to a MAC address. However, a malicious user can attack the ARP caches of systems on the subnet and intercept traffic intended for other hosts. For example, Host B broadcasts a request to all hosts in the broadcast domain to obtain the MAC address associated with the IP address of Host A. If Host C responds with the IP address of Host A (or B) and the MAC address of Host C, Host A and Host B will use Host C's MAC address as the destination MAC address for traffic intended for each other.
ARP Inspection is a security feature that validates ARP packets in a network. It discards ARP packets with an invalid IP-MAC address binding. To activate/deactivate the ARP inspection function in the system, use the following command.
Command                              Mode    Description
ip arp inspection vlan VLANS         Global  Activates ARP inspection on the specified VLAN. VLANS: VLAN ID (1-4094)
no ip arp inspection vlan VLANS      Global  Deactivates ARP inspection on the specified VLAN.
7.8.3.1
After opening ARP Access List Configuration mode, the prompt changes from SWITCH(config)# to SWITCH(config-arp-acl[NAME])#. In ARP ACL Configuration mode, a range of IP addresses can be configured to which ARP inspection applies.
By default, an ARP Access List discards the ARP packets of all IP addresses and MAC addresses.
To specify the range of IP addresses whose ARP packets are forwarded, use the following command.
Command (Mode: ARP-ACL)                             Description
permit ip any mac {any | host MACADDR}              Permits ARP packets of all IP addresses with all MAC addresses (which have not been learned before on the ARP inspection table) or with a specific MAC address.
                                                    any: ignores sender MAC address; host: sender host; MACADDR: sender MAC address
permit ip host A.B.C.D mac {any | host MACADDR}     Permits ARP packets from a specific host. MACADDR: MAC address
permit ip range A.B.C.D A.B.C.D mac any             Permits ARP packets of a given range of IP addresses. A.B.C.D: start/end IP address of sender
permit ip A.B.C.D/M mac {any | host MACADDR}        Permits ARP packets of a sender IP network address. A.B.C.D/M: sender IP network address
To delete a configured range of IP addresses permitted to send ARP packets, use the following command.
Command (Mode: ARP-ACL)                             Description
no permit ip any mac {any | host MACADDR}           Deletes a configured range of IP addresses permitted to send ARP packets.
no permit ip host A.B.C.D mac {any | host MACADDR}  any: ignores sender MAC address; host: sender host; MACADDR: sender MAC address
no permit ip range A.B.C.D                          A.B.C.D: start/end IP address of sender; A.B.C.D/M: sender IP network address
With the following command, the ARP access list also refers to the DHCP snooping binding table to permit the ARP packets of DHCP users. With this reference the system permits ARP packets only for the IP addresses in the DHCP snooping binding table, so the ARP access list with DHCP snooping allows IP communication to users authorized by DHCP snooping. To permit/discard ARP packets for the users authorized by DHCP snooping, use the following command.
Command                              Mode     Description
permit dhcp-snoop-inspection         ARP-ACL  Permits ARP packets of users authorized by DHCP snooping.
no permit dhcp-snoop-inspection      ARP-ACL  Discards the ARP packets of users authorized by DHCP snooping.
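The following Python model is an added example, not V1624 code, of the ARP inspection decision described in this section: inspection is enabled per VLAN, trusted ports are skipped, the ARP ACL's permit entries (any / host / range / network, each optionally pinned to a sender MAC) are consulted, and with permit dhcp-snoop-inspection the DHCP snooping binding table is consulted as well. Everything not permitted is discarded and logged, which is the ACL's default. Sample packets and bindings are constructed; that inspection only runs once a filter is applied to the VLAN follows the note below on the ip arp inspection filter command; the class and method names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example, not V1624 code: a model of the ARP inspection pipeline
# (VLAN enable, trusted ports, ARP ACL permit entries, DHCP snooping binding
# reference). Sample packets and bindings are constructed.


@dataclass(frozen=True)
class ArpPacket:
    port: int
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class ArpAcl:
    """ARP-ACL mode: with no permit entries everything is discarded."""
    entries: list = field(default_factory=list)     # (kind, spec, mac or None for 'any')
    dhcp_snoop_inspection: bool = False              # permit dhcp-snoop-inspection

    def permit_ip_any(self, mac: Optional[str] = None):
        self.entries.append(("any", None, mac))

    def permit_ip_host(self, ip: str, mac: Optional[str] = None):
        self.entries.append(("host", ipaddress.ip_address(ip), mac))

    def permit_ip_range(self, start: str, end: str):
        self.entries.append(("range", (ipaddress.ip_address(start), ipaddress.ip_address(end)), None))

    def permit_ip_net(self, cidr: str, mac: Optional[str] = None):
        self.entries.append(("net", ipaddress.ip_network(cidr, strict=False), mac))

    def permits(self, pkt: ArpPacket) -> bool:
        ip = ipaddress.ip_address(pkt.sender_ip)
        mac = pkt.sender_mac.lower()
        for kind, spec, want_mac in self.entries:
            if want_mac is not None and want_mac.lower() != mac:
                continue                      # 'mac host MACADDR' pins the sender MAC
            if kind == "any":
                return True
            if kind == "host" and ip == spec:
                return True
            if kind == "range" and spec[0] <= ip <= spec[1]:
                return True
            if kind == "net" and ip in spec:
                return True
        return False


@dataclass
class ArpInspection:
    vlans: set = field(default_factory=set)          # ip arp inspection vlan VLANS
    trust_ports: set = field(default_factory=set)    # trusted ports are not inspected
    filters: dict = field(default_factory=dict)      # vlan -> ArpAcl (ip arp inspection filter)
    bindings: set = field(default_factory=set)       # DHCP snooping table: (ip, mac, vlan)
    log: list = field(default_factory=list)          # dropped packets (the log-buffer)

    def inspect(self, pkt: ArpPacket) -> str:
        if pkt.vlan not in self.vlans or pkt.port in self.trust_ports:
            return "forward"
        acl = self.filters.get(pkt.vlan)
        if acl is None:
            return "forward"           # no filter applied: inspection not running on this VLAN
        if acl.permits(pkt):
            return "forward"
        if acl.dhcp_snoop_inspection and (pkt.sender_ip, pkt.sender_mac.lower(), pkt.vlan) in self.bindings:
            return "forward"           # address was leased by DHCP to exactly this MAC
        self.log.append(pkt)
        return "drop"


def demo() -> dict:
    acl = ArpAcl()
    acl.permit_ip_host("10.0.0.1", "00:11:22:33:44:01")     # the gateway's fixed binding
    acl.permit_ip_range("10.0.0.200", "10.0.0.210")        # printers, any MAC
    acl.permit_ip_net("10.0.9.0/24")                       # a statically addressed segment
    acl.dhcp_snoop_inspection = True
    insp = ArpInspection(vlans={10}, trust_ports={26}, filters={10: acl},
                         bindings={("10.0.0.50", "00:aa:bb:cc:dd:50", 10)})
    pkts = {
        "gateway-ok":    ArpPacket(1, 10, "10.0.0.1", "00:11:22:33:44:01"),
        "gateway-spoof": ArpPacket(2, 10, "10.0.0.1", "00:de:ad:be:ef:00"),   # Host C claiming Host A's IP
        "dhcp-client":   ArpPacket(3, 10, "10.0.0.50", "00:aa:bb:cc:dd:50"),
        "dhcp-mismatch": ArpPacket(3, 10, "10.0.0.50", "00:aa:bb:cc:dd:51"),
        "printer":       ArpPacket(4, 10, "10.0.0.205", "00:50:c2:00:00:05"),
        "static-net":    ArpPacket(5, 10, "10.0.9.77", "00:50:c2:00:09:77"),
        "unknown":       ArpPacket(6, 10, "10.0.0.99", "00:50:c2:00:00:99"),
        "uplink":        ArpPacket(26, 10, "10.0.0.99", "00:50:c2:00:00:99"),
        "other-vlan":    ArpPacket(6, 20, "10.0.0.99", "00:50:c2:00:00:99"),
    }
    return {name: insp.inspect(p) for name, p in pkts.items()}
```

The "gateway-spoof" packet is the Host C scenario from the text: the gateway's IP with a different sender MAC fails the pinned host entry and is not in the DHCP binding table, so it is dropped and lands in the log-buffer.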
To display the configured ARP access lists, use the following command.
Command                        Mode    Description
show arp access-list [NAME]    Global  Displays the existing ARP access list names.
7.8.3.2
7.8.3.3
ARP inspection actually runs in the system only after the configured ARP access list has been applied to a specific VLAN with the ip arp inspection filter command.
7.8.3.4
To display the configured trust ports of ARP inspection, use the following command.
Command                                        Mode        Description
show ip arp inspection trust port all          Top/Global  Shows the configured trust ports of ARP inspection.
show ip arp inspection trust [port PORTS]      Top/Global  Shows the configured trust ports of ARP inspection.
7.8.3.5
To delete the configured options of the log-buffer function, use the following command.
Command                                              Mode    Description
no ip arp inspection log-buffer {entries | logs}     Global  Deletes the configured options of the log-buffer function.
To display the configured log-buffer function and its entries, use the following command.
Command                        Mode        Description
show ip arp inspection log     Top/Global  Displays the configured log-buffer function.
To clear all collected entries in the list, use the following command.
Command                         Mode    Description
clear ip arp inspection log     Global  Clears all collected entries in the log-buffer list.
7.8.3.6
To clear the collected statistics of ARP inspection, use the following command.
Command                                                  Mode    Description
clear ip arp inspection statistics vlan {VLANS | all}    Global  Clears the collected statistics of ARP inspection.
7.8.4 Proxy-ARP
V1624 has a Proxy-ARP function, which responds to ARP requests on behalf of another device. For example, Host A has IP address 172.16.10.100 and its subnet mask is set to /16, so it considers itself connected to network 172.16.0.0. When Host A needs to send a packet to Host D, Host A sends an ARP request, assuming that Host D is on the same network. Since the ARP request is broadcast, it is delivered not to Host D but to the br1 interface and the nodes belonging to subnet A. However, V1624 knows that Host D belongs to another subnet and is able to transmit packets to Host D. Therefore, it responds to the ARP request from Host A with its own MAC address. In this way, all ARP requests from subnet A to subnet B are answered with the MAC address of V1624, and packets from Host A to Host D are transmitted through V1624. To enable the proxy-ARP function, open Interface mode of the applicable interface and use the following command.
Command            Mode       Description
ip proxy-arp       Interface  Enables the proxy-ARP function for the applicable interface.
no ip proxy-arp    Interface  Disables the proxy-ARP function for the applicable interface.
7.8.5 Gratuitous ARP
By broadcasting Gratuitous ARP carrying the IP address and MAC address of the gateway, communication continues even when the IP address of the gateway has been assigned to a particular host. Configure the transmission interval and the transmission count of Gratuitous ARP with the following command. To transmit Gratuitous ARP after an ARP reply, also configure the start time of transmission (delivery-start): Gratuitous ARP is transmitted once that amount of time has passed after the ARP reply.
Command                            Mode    Description
arp-patrol INTERVAL COUNT [TIME]   Global  Configures Gratuitous ARP.
clear arp-patrol                   Global  Disables Gratuitous ARP.
show running-config                Global  Checks the Gratuitous ARP configuration.
The following is an example of configuring Gratuitous ARP with a transmission interval of 10 seconds and a transmission count of 4, and checking it.
SWITCH(config)# arp-patrol 10 4
SWITCH(config)# show running-config
Building configuration...
Current configuration:
hostname SWITCH
(Omitted)
arp-patrol 10 4
!
no snmp
!
SWITCH(config)#
7.9 ICMP
ICMP stands for Internet Control Message Protocol. When data cannot be delivered or a route for it cannot be configured, ICMP sends an error message about it to the host. The first 4 bytes of all ICMP messages have the same layout, but the remaining parts differ according to the type field and code field values. There are fifteen type values distinguishing the different ICMP messages, and the code field value distinguishes each type in more detail. The following shows the basic ICMP message structure.
 0            7 8            15 16                          31
+--------------+---------------+------------------------------+
|  8-bit type  |   8-bit code  |        16-bit checksum       |
+--------------+---------------+------------------------------+
Fig. 7.2 ICMP Message
The following table explains the fifteen values of the ICMP message type.
type  Explanation                 type  Explanation
0     echo reply                  12    parameter problem
3     destination unreachable     13    timestamp request
4     source quench               14    timestamp reply
5     redirect                    15    information request
8     echo request                16    information reply
9     router advertisement        17    address mask request
10    router solicitation         18    address mask reply
11    time exceeded
Tab. 7.1
You can control ICMP messages through user configuration: you can configure the device not to send echo reply messages to a party pinging it, and you can configure the interval at which ICMP messages are transmitted. The following settings control ICMP messages.
  Blocking Echo Reply Message
  Configuring Interval to Transmit ICMP Message
7.9.1
7.9.2
When you configure the interval as 0, ICMP messages are sent continuously regardless of time.
To delete the interval for generating ICMP messages, use the following command.
Command                                   Mode    Description
ip icmp interval dest-unreach disable     Global  Configures the device not to send destination unreachable messages.
ip icmp interval echo-reply disable       Global  Configures the device not to send echo reply messages.
ip icmp interval param-prob               Global  Configures the device not to send parameter problem messages.
The following is an example of blocking echo reply messages to all parties pinging the device.
SWITCH(config)# ip icmp ignore echo all
SWITCH(config)# show running-config
Building configuration...
(omitted)
ip icmp ignore echo all
!
ip route 0.0.0.0/0 172.16.254.1
!
!
no snmp
!
SWITCH(config)#
The following is an example of configuring the interval for transmitting destination unreachable messages as 10 seconds.
SWITCH(config)# ip icmp interval dest-unreach 1000
SWITCH(config)# show running-config
Building configuration...
(omitted)
ip icmp interval dest-unreach 1000
!
ip route 0.0.0.0/0 172.16.254.1
!
no snmp
!
SWITCH(config)#
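As an added example covering both the ICMP message structure (Fig. 7.2, Tab. 7.1) and the interval and echo-ignore controls in this section, the following Python code builds and parses the 4-byte common header with its checksum and models the transmit decision the device makes. It is not V1624 code: ICMP_TYPES is Tab. 7.1; IcmpRateLimiter, the millisecond unit of the interval, and the "one message per type per interval" behaviour are assumptions made for the illustration; the sample messages are constructed.

```python
import struct

# Added example, not V1624 code. ICMP_TYPES is Tab. 7.1; the header layout is
# Fig. 7.2. IcmpRateLimiter models 'ip icmp interval TYPE MS' and
# 'ip icmp ignore echo all'; the millisecond unit and the per-type
# "one message per interval" behaviour are assumptions for the example.

ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 4: "source quench",
    5: "redirect", 8: "echo request", 9: "router advertisement",
    10: "router solicitation", 11: "time exceeded", 12: "parameter problem",
    13: "timestamp request", 14: "timestamp reply", 15: "information request",
    16: "information reply", 17: "address mask request", 18: "address mask reply",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Type, code, checksum (the 4 bytes common to all ICMP messages), then the type-specific part."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 4:
        raise ValueError("ICMP message shorter than the 4-byte common header")
    icmp_type, code, checksum = struct.unpack("!BBH", msg[:4])
    return {
        "type": icmp_type,
        "code": code,
        "name": ICMP_TYPES.get(icmp_type, "unknown"),
        "checksum": checksum,
        "checksum_ok": inet_checksum(msg) == 0,   # a valid message sums to all ones
        "rest": msg[4:],
    }


class IcmpRateLimiter:
    """Decides whether the device may emit an ICMP message of a given kind now."""

    def __init__(self):
        self.interval_ms = {}     # kind -> interval; absent or 0 means unlimited
        self.last_sent_ms = {}
        self.ignore_echo = False  # ip icmp ignore echo all

    def set_interval(self, kind: str, ms: int):
        self.interval_ms[kind] = ms

    def may_send(self, kind: str, now_ms: int) -> bool:
        if kind == "echo-reply" and self.ignore_echo:
            return False
        interval = self.interval_ms.get(kind, 0)
        if interval == 0:
            return True               # interval 0: sent all the time
        last = self.last_sent_ms.get(kind)
        if last is not None and now_ms - last < interval:
            return False
        self.last_sent_ms[kind] = now_ms
        return True


def demo() -> dict:
    echo = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping")   # constructed echo request
    corrupted = echo[:5] + bytes([echo[5] ^ 0xFF]) + echo[6:]
    limiter = IcmpRateLimiter()
    limiter.set_interval("dest-unreach", 1000)   # ip icmp interval dest-unreach 1000
    limiter.ignore_echo = True                   # ip icmp ignore echo all
    return {
        "echo": parse_icmp(echo),
        "corrupted_ok": parse_icmp(corrupted)["checksum_ok"],
        "unreach": parse_icmp(build_icmp(3, 3))["name"],
        "unreach_burst": [limiter.may_send("dest-unreach", t) for t in (0, 400, 999, 1000, 1500, 2000)],
        "echo_reply": limiter.may_send("echo-reply", 0),
    }
```

The burst list shows the interval at work: with a 1000 ms interval the device answers a flood of unroutable packets with at most one destination unreachable message per second instead of one per packet.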
7.10
Fig. 7.3 (figure labels: A, Link Failure, V1624, V1624, Router, Router)
When V1624 connects the router to other devices and the link between A and B goes down, the link between B and C becomes unnecessary for their connection. However, D does not know about the link failure between A and B, so D does not stop sending unnecessary packets to C. To prevent this problem, the LLCF function can be used when different switches are connected by two ports: if the link of one port goes down, the other link is brought down too, and when it is reconnected, the other link comes up again afterwards. This function is called Link Layer Carrier Forward. To enable/disable the LLCF function, use the following command.
Command                        Mode    Description
set port llcf PORTS PORTS      Global  Enables the LLCF function between two ports.
clear port llcf                Global  Disables the LLCF function.
When a link is reconnected, it may take some time to recover. If the link were still treated as down until it recovered, it would never be recovered. To solve this problem, V1624 examines the link status of the related port after some time has passed.
To specify the interval for checking the link status of the other port, use the following command.
Command                              Mode    Description
set port llcf timer <1000-10000>     Global  Configures the time interval for checking the link status of the related port.
clear port llcf timer                Global  Deletes the configured interval for checking the link status of the related port.
7.11
7.11.1 RST Configuration
RST sends a message that a TCP connection cannot be made to the party who tries to make it. It is also possible to configure the switch not to send this message, which helps prevent attackers from discovering which connections are impossible. To configure the switch to ignore the message that informs that a TCP connection cannot be made, use the following command.
Command                            Mode    Description
ip tcp ignore rst-unknown          Global  Configures the switch to ignore the message that informs that a TCP connection cannot be made.
no ip tcp ignore rst-unknown       Global  Enables RST (default).
7.11.2 SYN Configuration
SYN sets up a TCP connection. V1624 transmits cookies with the SYN to the party who tries to make a TCP connection, and only when the transmitted cookies are returned is the TCP connection permitted. This function prevents connection overcrowding by accessing users who are not actually using the service, and helps other users use the service.
To permit a connection only when the transmitted cookies are returned after sending cookies with the SYN, use the following command.
Command   Mode   Description
                 ... after sending cookies with the SYN.
                 Disables the configuration to permit a connection only when the transmitted cookies are returned after sending cookies with the SYN.
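The following Python code is an added example of the SYN cookie idea described above; it is not V1624 code and does not claim to match the switch's implementation. The server keeps no state for a half-open connection: the "cookie" is the initial sequence number it sends in the SYN-ACK, derived with a keyed hash from the connection's addresses and ports plus a coarse time counter, and the connection is admitted only if the client's ACK returns that value. The cookie layout (8-bit counter plus 24-bit hash), the 64-second counter period, and all names are choices made for this example; addresses and the secret are constructed.

```python
import hashlib
import hmac
import struct

# Added example, not V1624 code: a simplified SYN cookie scheme. The server
# stores nothing per half-open connection; the SYN-ACK sequence number is a
# keyed hash the client must echo back (as ack-1) to be admitted. Layout
# (8-bit time counter + 24-bit MAC) and the 64 s counter are example choices.

COUNTER_SECONDS = 64


def _ip(text: str) -> bytes:
    return bytes(int(x) for x in text.split("."))


class SynCookieServer:
    def __init__(self, secret: bytes):
        self.secret = secret

    def _counter(self, now: int) -> int:
        return (now // COUNTER_SECONDS) & 0xFF

    def _mac24(self, saddr: str, daddr: str, sport: int, dport: int, counter: int, client_isn: int) -> int:
        msg = struct.pack("!4s4sHHBI", _ip(saddr), _ip(daddr), sport, dport, counter, client_isn)
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def syn_cookie(self, saddr, daddr, sport, dport, client_isn, now) -> int:
        """Server ISN for the SYN-ACK: counter in the top byte, keyed hash below."""
        c = self._counter(now)
        return (c << 24) | self._mac24(saddr, daddr, sport, dport, c, client_isn)

    def check_ack(self, saddr, daddr, sport, dport, seq, ack, now) -> bool:
        """Admit the connection only if ack-1 is a cookie we could have issued recently."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF        # the client's SYN carried seq-1
        c = cookie >> 24
        age = (self._counter(now) - c) & 0xFF
        if age > 1:                                 # issued more than two counter periods ago
            return False
        expected = self._mac24(saddr, daddr, sport, dport, c, client_isn)
        return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"),
                                   expected.to_bytes(3, "big"))


def demo() -> dict:
    srv = SynCookieServer(b"constructed-secret")
    client, server, sport, dport, client_isn = "192.0.2.10", "198.51.100.1", 40000, 23, 0x1000
    # 1. SYN (seq=client_isn)   2. SYN-ACK (seq=cookie, ack=client_isn+1)
    # 3. ACK (seq=client_isn+1, ack=cookie+1): only this third packet is checked.
    cookie = srv.syn_cookie(client, server, sport, dport, client_isn, now=1000)
    return {
        "valid": srv.check_ack(client, server, sport, dport, client_isn + 1, cookie + 1, now=1030),
        "guessed": srv.check_ack(client, server, sport, dport, client_isn + 1, cookie + 2, now=1030),
        "other_port": srv.check_ack(client, server, sport + 1, dport, client_isn + 1, cookie + 1, now=1030),
        "stale": srv.check_ack(client, server, sport, dport, client_isn + 1, cookie + 1,
                               now=1000 + 3 * COUNTER_SECONDS),
    }
```

Because the server stores nothing until the cookie comes back, a flood of SYNs from parties who never complete the handshake consumes no connection table entries, which is the overcrowding the text describes; the cost is that TCP options carried only in the SYN cannot be remembered, so real implementations encode a few of them in the cookie bits.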
7.12 Dump Packet
7.12.1 Checking Dump Packet
A general user can look at the actual packets with the tcpdump function. To use the Dump packet function, use the following command.
Command               Mode    Description
dump packet OPTION    Top     Displays the packets matching the condition.
All options used in tcpdump can be used as OPTION; they are as follows.
Option        Description
-a            Attempt to convert network and broadcast addresses to names.
-d            Dump the compiled packet-matching code in a human readable form to standard output and stop.
-e            Print the link-level header on each dump line.
-f            Print `foreign' internet addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's yp server -- usually it hangs forever translating non-local internet numbers).
-l            Make stdout line buffered. Useful if you want to see the data while capturing it. E.g., ``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''.
-n            Don't convert host addresses to names. This can be used to avoid DNS lookups.
-N            Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''.
-O            Do not run the packet-matching code optimizer. This is useful only if you suspect a bug in the optimizer.
-p            Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw-addr} or ether broadcast'.
-q            Quick (quiet?) output. Print less protocol information so output lines are shorter.
-S            Print absolute, rather than relative, TCP sequence numbers.
-t            Don't print a timestamp on each dump line.
-v            Displays more information.
-w FILE       Saves captured packets in FILE instead of analyzing and displaying them.
-x            Displays each packet as hex code.
-c COUNT      Closes after receiving the limited number of packets.
-F FILE       Use FILE as input for the filter expression. An additional expression given on the command line is ignored.
-i INTERFACE  Assign packet passing some interface. If it is not designated, choose the interface having the lowest priority from the system interface list (at this time, loopback is excluded).
-r FILE       Read packets from FILE; standard input is used if FILE is ``-''.
-s SNAPLEN    Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the minimum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol information from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 means use the required length to catch whole packets.
-T TYPE       Interprets the packets selected by the conditional expression as the stated type. The types are as follows: rpc (Remote Procedure Call), rtp (Real-Time Applications protocol), rtcp (Real-Time Application control protocol), vat (Visual Audio Tool), wb (distributed White Board).
EXPRESS       Conditional expression.
Tab. 7.2
7.12.2
To store the captured file in NVRAM as text, choose the nvram option. If the capture is larger than the NVRAM size of the equipment, it is overwritten from the beginning of NVRAM. The following is an example of configuring the Dump packet debug function and checking it.
SWITCH# dump packets debug 1 60 test
SWITCH# show running-config
Building configuration...
Current configuration:
hostname SWITCH
!
set login radius timeout 10
set login tacacs timeout 5
!
dump packets debug 1 60 test
bridge
!
set vlan pvid 1-18 1
!
set vlan create br1 1
!
interface br1
no shutdown
ip address 172.16.113.54/16
!
ip route 0.0.0.0/0 172.16.1.254
!
arp-gratuitous 10 4
!
no snmp
!
SWITCH#
7.13
The following is an example of configuring DHCP server filtering on ports 1 to 5 and checking it.
SWITCH(bridge)# set dhcp-server-filter 1-5
SWITCH(bridge)# show dhcp-server-filter
o:enable .:disable
--------------------------
         1         2
12345678901234567890123456
--------------------------
ooooo.....................
--------------------------
SWITCH(bridge)#
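The following Python code is an added example serving both the NetBIOS filtering section (7.4.2.12) and the DHCP server filtering above; it is not V1624 code. It models the two per-port filters, the "1-5" / "1,3,7-9" port-list syntax, the o/. matrix the switch prints, and the drop decision for a received frame. The NetBIOS port numbers are the standard ones (UDP 137 and 138, TCP 139); treating DHCP server replies as UDP frames with source port 67 is the usual meaning of a DHCP server filter and is an assumption here, as are the class and method names; the sample frames are constructed.

```python
# Added example, not V1624 code. Models the per-port netbios-filter and
# dhcp-server-filter, the "1-5" port-list syntax and the o/. display.
# NetBIOS ports are the standard ones; matching DHCP server replies on UDP
# source port 67 is an assumption for this example.

NUM_PORTS = 26
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}   # name, datagram, session service
DHCP_SERVER_SPORT = 67


def parse_port_list(spec: str) -> set:
    """'1-5' or '1,3,7-9' -> {1, 2, 3, 4, 5} / {1, 3, 7, 8, 9}; validates the range."""
    ports = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= NUM_PORTS:
            raise ValueError("port list %r outside 1-%d" % (spec, NUM_PORTS))
        ports.update(range(lo, hi + 1))
    return ports


class PortFilters:
    def __init__(self):
        self.netbios = set()        # set netbios-filter PORT
        self.dhcp_server = set()    # set dhcp-server-filter PORT

    def set_filter(self, which: str, spec: str):
        getattr(self, which).update(parse_port_list(spec))

    def clear_filter(self, which: str, spec: str):
        getattr(self, which).difference_update(parse_port_list(spec))

    def show(self, which: str) -> str:
        """Render the o:enable/.:disable matrix like 'show netbios-filter'."""
        enabled = getattr(self, which)
        rule = "-" * NUM_PORTS
        tens = "".join(str(p // 10) if p % 10 == 0 else " " for p in range(1, NUM_PORTS + 1))
        units = "".join(str(p % 10) for p in range(1, NUM_PORTS + 1))
        row = "".join("o" if p in enabled else "." for p in range(1, NUM_PORTS + 1))
        return "\n".join(["o:enable .:disable", rule, tens, units, rule, row, rule])

    def verdict(self, port: int, proto: str, sport: int, dport: int) -> str:
        """Decide for a frame received on a customer port."""
        if port in self.netbios and ({(proto, sport), (proto, dport)} & NETBIOS):
            return "drop:netbios"
        if port in self.dhcp_server and proto == "udp" and sport == DHCP_SERVER_SPORT:
            return "drop:dhcp-server"
        return "forward"


def demo() -> dict:
    f = PortFilters()
    f.set_filter("netbios", "1-5")        # set netbios-filter 1-5
    f.set_filter("dhcp_server", "1-5")    # set dhcp-server-filter 1-5
    return {
        "matrix": f.show("netbios"),
        "smb-on-1": f.verdict(1, "tcp", 51000, 139),
        "smb-on-6": f.verdict(6, "tcp", 51000, 139),
        "rogue-dhcp-on-3": f.verdict(3, "udp", 67, 68),    # a customer device answering as DHCP server
        "dhcp-request-on-3": f.verdict(3, "udp", 68, 67),  # a normal client request
        "web-on-1": f.verdict(1, "tcp", 51001, 80),
    }
```

Note that the DHCP filter only drops server-side traffic (source port 67), so customers on filtered ports can still obtain leases from the ISP's own server behind the uplink; only a server appearing on a customer port is silenced.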
7.14 Attack Guard
V1624 provides a function that prevents a huge number of packets, caused by a virus, hacking, or another reason, from coming into the switch. If such packets are allowed in, they can make the switch or the whole network unstable. Attack Guard inspects the number of packets coming in per second. If the packet flow reaches its high water mark, it blocks the packets on that port; Attack Guard releases the blocking when the packet flow drops to its low water mark. With this function, you can control suspicious burst traffic on a specific port. To specify a port and two thresholds to protect against attack by huge traffic, use the following command.
Command (Mode: Bridge)                                                                       Description
set attack-guard {unicast | multicast | broadcast} PORT <10-148810> {<10-148810> | static}   Blocks traffic rising over the high water mark on the specified port.
                                                                                             10-148810: range of high water mark (unit: pps)
                                                                                             10-148810: range of low water mark (unit: pps)
                                                                                             static: sets the low water mark to 0, i.e. port blocking must be released manually with the set attack-guard-recovery command below.
set attack-guard-recovery PORT                                                               Removes port blocking on the specified port.
clear attack-guard {unicast |                                                                Deletes attack guard configurations.
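The following Python code is an added example, not V1624 code, of the hysteresis described above: a port is blocked when its per-second packet rate reaches the high water mark and released when the rate falls to the low water mark; with "static" the low mark is 0, so only an explicit recovery releases the port. The per-second sampling, the ">=" / "<=" comparisons at the thresholds, and the class and method names are assumptions for the example; the traffic counts are constructed.

```python
# Added example, not V1624 code: models Attack Guard's high/low water mark
# hysteresis. Per-second sampling and the exact comparisons are assumptions.

RATE_MIN, RATE_MAX = 10, 148810   # pps limits from the command syntax


class AttackGuard:
    def __init__(self):
        self.rules = {}      # (port, kind) -> (high, low); low None means 'static'
        self.blocked = set()

    def set_attack_guard(self, kind: str, port: int, high: int, low="static"):
        if kind not in ("unicast", "multicast", "broadcast"):
            raise ValueError("kind must be unicast, multicast or broadcast")
        if not RATE_MIN <= high <= RATE_MAX:
            raise ValueError("high water mark outside %d-%d" % (RATE_MIN, RATE_MAX))
        if low != "static" and not RATE_MIN <= low <= high:
            raise ValueError("low water mark must be within range and not above high")
        self.rules[(port, kind)] = (high, None if low == "static" else low)

    def clear_attack_guard(self, kind: str, port: int):
        self.rules.pop((port, kind), None)
        self.blocked.discard((port, kind))

    def set_attack_guard_recovery(self, port: int):
        """Manual release, the only way out for 'static' rules."""
        self.blocked = {k for k in self.blocked if k[0] != port}

    def sample(self, kind: str, port: int, pps: int) -> str:
        """Feed one second's packet count; returns the port state for that class."""
        key = (port, kind)
        if key not in self.rules:
            return "pass"
        high, low = self.rules[key]
        if key in self.blocked:
            if low is not None and pps <= low:
                self.blocked.discard(key)
                return "released"
            return "blocked"
        if pps >= high:
            self.blocked.add(key)
            return "blocked"
        return "pass"


def demo() -> dict:
    g = AttackGuard()
    g.set_attack_guard("broadcast", 3, 5000, 1000)      # hysteresis: block at 5000, release at 1000
    g.set_attack_guard("unicast", 7, 20000)             # static: manual recovery only
    burst = [200, 4999, 5000, 3000, 1200, 1000, 300]     # constructed per-second broadcast counts on port 3
    trace = [g.sample("broadcast", 3, pps) for pps in burst]
    flood = [g.sample("unicast", 7, pps) for pps in (25000, 10, 10)]
    g.set_attack_guard_recovery(7)
    after_recovery = g.sample("unicast", 7, 10)
    return {"trace": trace, "flood": flood, "after_recovery": after_recovery}
```

The gap between the two marks is what stops a port from flapping: in the trace, 3000 pps is below the high mark but the port stays blocked until the rate has actually fallen to the low mark.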
7.15
8.1.1 Overview of VLAN
When one node in a LAN sends information by broadcast, every node in the same LAN receives it. Using broadcast, however, obliges nodes to receive unnecessary information. To prevent this, the LAN is divided into logical LANs, so that only nodes on the same logical LAN receive the information. Such a logically divided LAN is called a VLAN (Virtual LAN), and one VLAN may include several ports. When a network consists of VLANs, packets can be transmitted between ports in the same VLAN; packets between ports in different VLANs can only be transmitted through routing equipment that connects the VLANs. VLAN reduces Ethernet traffic, which improves the transmission rate, and strengthens security because transmission is confined to each VLAN. A VLAN can be based on port, MAC address, or protocol; V1624 supports port-based VLAN. V1624 complies with IEEE 802.1q and can transmit both tagged packets and untagged packets, which do not carry a VLAN ID. All switch ports have a VLAN ID (PVID) configured by the system, so unless the user configures a specific VLAN, known as an untagged VLAN, the system assigns the VLAN ID (PVID). Therefore, switch ports that make up a VLAN network transmit packets to the VLAN whose number matches their VLAN number.
Fig. 8.1 VLAN (figure labels: VLAN 1, VLAN 2, VLAN 3; ports 1 to 12)
8.1.2 Features of VLAN
Enlarged Network Bandwidth: Users in different VLANs can use more bandwidth than without VLANs, because they do not receive unnecessary broadcast information.
Cost-Effective Way: When you use VLAN to prevent unnecessary traffic load caused by broadcast, you get a cost-effective network composition, since an additional switch is not needed.
Strengthened Security: Usually nodes share broadcast information, but in some cases authorization is required for the information. VLAN allows a VLAN membership consisting only of authorized users, so network security can be strengthened.
8.1.3 Configuring VLAN
The following functions are explained.
  Creating VLAN
  Specifying PVID
  Assigning Port in VLAN
  Disabling VLAN
  Configuring Shared-port
8.1.3.1 Creating VLAN
To configure a VLAN on the user's network, use the following command.
Command                          Mode    Description
set vlan create NAME <1-4094>    Bridge  Configures a new VLAN by assigning a VLAN name and VLAN ID. The VLAN ID can be from 1 to 4,094.
clear vlan NAME                  Bridge  Deletes the VLAN.
The variable vlan-name denotes a particular set of bridged interfaces. Frames are bridged only among interfaces in the same VLAN.
Make vlan-name of the form brN (N = integer). You cannot create a virtual LAN unless vlan-name has the brN form. If you input a wrong name, not brN, the following message is displayed.
SWITCH(bridge)# set vlan create A 1
%bridge name must be started 'br'
SWITCH(bridge)#
The variable vlan-id is the VLAN tag with which packets are transmitted. If a port is configured with tagging, it sends tagged traffic.
To check the VLAN configuration in the switch, use the following command.
Command            Mode               Description
show vlan [NAME]   Top/Global/Bridge  Shows the VLAN configuration.
The following is an example of configuring VLANs and checking them. By default, all ports are configured as br1 in V1624.
SWITCH(bridge)# set vlan create br2 2
SWITCH(bridge)# set vlan create br3 3
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
----------------------------------------------
             |         1         2         3
Name( VID)   |12345678901234567890123456789012
-------------+--------------------------------
br1(   1)    |uuuuuuuuuuuuuuuuuuuuuuuu........
br2(   2)    |................................
br3(   3)    |................................
SWITCH(bridge)#
8.1.3.2 Specifying PVID
By default, PVID 1 is specified for all ports, and the user can also configure the PVID. To configure the PVID of a port, use the following command.
Command                        Mode    Description
set vlan pvid PORT <1-4094>    Bridge  Configures the PVID. It can be from 1 to 4,094.
8.1.3.3
When you assign several ports to a VLAN, enter each port separated by a comma without spaces, and use a dash (-) for a port range.
By default, all ports of V1624 belong to br1. To avoid overlapping with br1 when assigning a port to a VLAN, you should first delete the port from br1.
The following is an example of configuring ports 7 to 10 as br2, 11 to 18 as br3, and the other ports as br1, and checking it.
SWITCH(bridge)# set vlan del br1 7-18
SWITCH(bridge)# set vlan add br2 7-10 untagged
SWITCH(bridge)# set vlan add br3 11-18 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
----------------------------------------------
             |         1         2         3
Name( VID)   |12345678901234567890123456789012
-------------+--------------------------------
br1(   1)    |uuuuuu............uuuuuu........
br2(   2)    |......uuuu......................
br3(   3)    |..........uuuuuuuu..............
SWITCH(bridge)#
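The following Python model is an added example, not V1624 code, of the port-based VLAN mechanics explained in 8.1.1 through 8.1.3.3: VLAN creation with the brN naming check, port membership with the comma/dash port-list syntax, the PVID of each port, and the show vlan matrix. The forwarding rule that an untagged frame is classified by the ingress port's PVID and delivered only to member ports of that VLAN follows the text; dropping a frame whose ingress port is not a member of its own PVID VLAN (ingress filtering) is an assumption for this example, made to show why the PVID setting belongs with the port assignment above. The class and method names are this example's own.

```python
# Added example, not V1624 code: port-based VLAN membership, PVID
# classification and the 'show vlan' matrix. Ingress filtering (a frame is
# dropped when its ingress port is not a member of the classified VLAN) is an
# assumption made for this example.

NUM_PORTS = 32   # columns shown by 'show vlan'


def parse_ports(spec: str) -> set:
    """'7-10' or '1-16,26' -> set of port numbers (comma list, '-' for a range)."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        ports.update(range(lo, hi + 1))
    return ports


class Bridge:
    def __init__(self):
        self.vlans = {"br1": 1}                                          # name -> VID
        self.members = {1: {p: "u" for p in range(1, NUM_PORTS + 1)}}    # VID -> {port: 'u' | 't'}
        self.pvid = {p: 1 for p in range(1, NUM_PORTS + 1)}              # every port starts in br1

    def set_vlan_create(self, name: str, vid: int):
        if not name.startswith("br"):
            raise ValueError("%bridge name must be started 'br'")
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be 1-4094")
        self.vlans[name] = vid
        self.members.setdefault(vid, {})

    def set_vlan_add(self, name: str, spec: str, tagged: bool = False):
        vid = self.vlans[name]
        for p in parse_ports(spec):
            self.members[vid][p] = "t" if tagged else "u"

    def set_vlan_del(self, name: str, spec: str):
        vid = self.vlans[name]
        for p in parse_ports(spec):
            self.members[vid].pop(p, None)

    def set_vlan_pvid(self, port: int, vid: int):
        self.pvid[port] = vid

    def show_vlan(self) -> str:
        lines = ["u: untagged port, t: tagged port"]
        for name, vid in sorted(self.vlans.items(), key=lambda kv: kv[1]):
            row = "".join(self.members[vid].get(p, ".") for p in range(1, NUM_PORTS + 1))
            lines.append("%-13s|%s" % ("%s(%4d)" % (name, vid), row))
        return "\n".join(lines)

    def forward(self, ingress: int, vid=None):
        """Return (VID, egress ports) for a frame; untagged frames take the ingress PVID."""
        vid = self.pvid[ingress] if vid is None else vid
        member = self.members.get(vid, {})
        if ingress not in member:
            return vid, set()          # ingress filtering: port is not a member of that VLAN
        return vid, {p for p in member if p != ingress}


def demo() -> dict:
    br = Bridge()
    br.set_vlan_create("br2", 2)
    br.set_vlan_create("br3", 3)
    br.set_vlan_del("br1", "7-18")
    br.set_vlan_add("br2", "7-10")
    br.set_vlan_add("br3", "11-18")
    before = br.forward(8)                 # port 8 still has PVID 1 but is no longer in br1
    for p in parse_ports("7-10"):
        br.set_vlan_pvid(p, 2)             # set vlan pvid PORT 2
    for p in parse_ports("11-18"):
        br.set_vlan_pvid(p, 3)
    after = br.forward(8)
    tagged = br.forward(12, vid=3)         # a tagged frame carries its own VID
    return {"show": br.show_vlan(), "before": before, "after": after, "tagged": tagged}
```

The "before" result is the pitfall: after the set vlan del / set vlan add sequence above, port 8 is a member of br2 but still classifies untagged frames into VLAN 1, so nothing is delivered until its PVID is set to 2.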
8.1.3.4 Disabling VLAN
The following steps are provided to disable a VLAN.
Step 1  Delete the ports associated with the VLAN to be removed using the following command.
Command                  Mode    Description
set vlan del NAME PORT   Bridge  Deletes all ports in the VLAN.
Step 2  Open Interface configuration mode of the VLAN to be deleted and deactivate the virtual interface.
Command   Mode   Description
                 Begins Interface configuration mode of the specified VLAN.
                 Deactivates the virtual interface.
8.1.3.5 Configuring Shared-port
When the V1624 is used as a Layer 2 switch, VLANs cannot communicate with each other because there is no router function. In particular, the port assigned as the uplink port must receive packets from all VLANs, but on the V1624 Layer 2 switch the port cannot receive them unless it is configured as a member of all VLANs. Therefore, when you configure VLANs on the Layer 2 switch, you have to include the uplink port in every VLAN, however many VLANs are made. The following example configures ports 1 to 16 as independent VLANs.
SWITCH(bridge)# set vlan del br1 2-25
SWITCH(bridge)# set vlan create br2 2
SWITCH(bridge)# set vlan create br3 3
SWITCH(bridge)# set vlan create br16 16
SWITCH(bridge)# set vlan add br2 2,26 untagged
SWITCH(bridge)# set vlan add br3 3,26 untagged
SWITCH(bridge)# set vlan add br16 16,26 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
----------------------------------------------
             |         1         2         3
Name( VID)   |12345678901234567890123456789012
-------------+--------------------------------
br1(   1)    |u........................u......
br2(   2)    |.u.......................u......
br3(   3)    |..u......................u......
br4(   4)    |...u.....................u......
br5(   5)    |....u....................u......
br6(   6)    |.....u...................u......
br7(   7)    |......u..................u......
br8(   8)    |.......u.................u......
br9(   9)    |........u................u......
br10(  10)   |.........u...............u......
br11(  11)   |..........u..............u......
br12(  12)   |...........u.............u......
br13(  13)   |............u............u......
br14(  14)   |.............u...........u......
br15(  15)   |..............u..........u......
br16(  16)   |...............u.........u......
SWITCH(bridge)#
This configuration can be applied for only in case of using V1624 as dedicated switch for L2. When untagged packet is transmitted on the above configuration, untagged packet received in port 1 gets pvid 1, and Uplink port, port 26 has pvid 1 also, so it can be transmitted to port 26. The thing is untagged packet received in Uplink port. Since it is not clear which pvid untagged packet should have, you need the following configuration to transmit untagged packets to all ports. It is necessary to configure another VLAN including Uplink port, port 26, and ports 1 ~ 16 on the above configuration. The following is an example of configuring br 17, which has pvid 17 in addition, and checking it.
SWITCH(bridge)# set vlan create br17 17
SWITCH(bridge)# set vlan add br17 1-16,26 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
---------------------------------------------
             |         1         2         3
  Name( VID) |12345678901234567890123456789012
-------------+--------------------------------
  br1(   1) |u........................u......
  br2(   2) |.u.......................u......
  br3(   3) |..u......................u......
  br4(   4) |...u.....................u......
  br5(   5) |....u....................u......
  br6(   6) |.....u...................u......
  br7(   7) |......u..................u......
  br8(   8) |.......u.................u......
  br9(   9) |........u................u......
 br10(  10) |.........u...............u......
 br11(  11) |..........u..............u......
 br12(  12) |...........u.............u......
 br13(  13) |............u............u......
 br14(  14) |.............u...........u......
 br15(  15) |..............u..........u......
 br16(  16) |...............u.........u......
 br17(  17) |uuuuuuuuuuuuuuuu.........u......
SWITCH(bridge)#
Last of all, you should configure all the ports configured above as shared-ports. After that, an untagged packet received on the uplink port, port 26, gets PVID 17 and is forwarded to ports 1 ~ 16. To configure a shared-port, use the following command in Bridge configuration mode.
Command: set shared-port {enable|disable} PORT
Mode: Bridge
Description: Configures a specified port as shared-port.
The following is an example of configuring ports 1 ~ 16 and the uplink port, port 26, as shared-ports and checking the configuration.
SWITCH(bridge)# set shared-port enable 1
SWITCH(bridge)# set shared-port enable 2
SWITCH(bridge)# set shared-port enable 26
SWITCH(bridge)# show port 26
--------------------------------------------------------------------------
NO   TYPE      PVID  STATUS        SHARED  MODE            FLOWCTRL  INSTALLED
                     (ADMIN/OPER)
--------------------------------------------------------------------------
26:  Ethernet  1     Up/Down       Y       Auto/Full/1000  On        Y
SWITCH(bridge)#
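The matrix printed by show vlan is compact enough to parse, which makes it possible to check the forwarding claim above (an untagged frame from the uplink only reaches the ports of the VLAN its PVID selects) before touching a production configuration. The Python below is an added example, not V1624 code: it parses a constructed show vlan output laid out like the manual's, and applies a simplified PVID model in which an untagged frame joins the VLAN given by the ingress port's PVID and is flooded to that VLAN's other members. That model and the sample PVID tables are assumptions; only the PVID-17 behaviour of the uplink port comes from the text above.

```python
"""Parser for the 'show vlan' port matrix plus the untagged-frame forwarding
rule of 8.1. Added illustration, not V1624 code. The VLAN table is constructed
in the manual's layout; the PVID model (untagged frame -> VLAN of the ingress
port's PVID -> flooded to that VLAN's other members) is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, Set

# Matches rows such as ' br17(  17) |uuuuuuuuuuuuuuuu.........u......'
ROW = re.compile(r"^\s*(\w+)\(\s*(\d+)\)\s*\|([ut.]+)\s*$")


@dataclass
class Vlan:
    name: str
    vid: int
    untagged: Set[int]
    tagged: Set[int]


def parse_show_vlan(text: str) -> Dict[int, Vlan]:
    """Column i (1-based) of the cell string is port i: 'u' untagged member,
    't' tagged member, '.' not a member. Legend, rulers and header are skipped."""
    vlans = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, vid, cells = m.group(1), int(m.group(2)), m.group(3)
        vlans[vid] = Vlan(name, vid,
                          {i + 1 for i, c in enumerate(cells) if c == "u"},
                          {i + 1 for i, c in enumerate(cells) if c == "t"})
    return vlans


def forward_untagged(vlans: Dict[int, Vlan], pvid: Dict[int, int],
                     in_port: int) -> Dict[int, str]:
    """Egress ports for an untagged frame received on in_port (assumed model):
    classify by the port's PVID, flood to the VLAN's other members, leaving
    untagged on 'u' ports and tagged on 't' ports. {} if no PVID/VLAN applies."""
    vid = pvid.get(in_port)
    if vid is None or vid not in vlans:
        return {}
    v = vlans[vid]
    out = {p: "untagged" for p in v.untagged if p != in_port}
    out.update({p: "tagged" for p in v.tagged if p != in_port})
    return out


# Constructed 'show vlan' output: br1 and br2 as in the manual's example, plus br17.
SAMPLE_SHOW_VLAN = """\
u: untagged port, t: tagged port
---------------------------------------------
             |         1         2         3
  Name( VID) |12345678901234567890123456789012
-------------+--------------------------------
  br1(   1) |u........................u......
  br2(   2) |.u.......................u......
 br17(  17) |uuuuuuuuuuuuuuuu.........u......
"""

# Constructed PVID tables: before and after the uplink port (26) is made a
# shared-port with br17 (PVID 17 on port 26 is the behaviour the manual states).
PVID_BEFORE = {1: 1, 2: 2, 26: 1}
PVID_AFTER = {1: 1, 2: 2, 26: 17}

if __name__ == "__main__":
    vlans = parse_show_vlan(SAMPLE_SHOW_VLAN)
    print("uplink, before:", sorted(forward_untagged(vlans, PVID_BEFORE, 26)))  # [1]
    print("uplink, after: ", sorted(forward_untagged(vlans, PVID_AFTER, 26)))   # ports 1 to 16
    print("port 1, after: ", sorted(forward_untagged(vlans, PVID_AFTER, 1)))    # [26]
```

Running the module shows the point of the br17 step: with PVID 1 on the uplink, an untagged frame from port 26 reaches only port 1; once the uplink carries PVID 17 it reaches ports 1 to 16, while port 1's own untagged traffic still goes only to the uplink.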
8.2 Port Trunking
Port trunking enables you to dynamically group similarly configured interfaces into a single logical link (aggregate port) to increase bandwidth while reducing traffic congestion. When interfaces with the same speed and duplex are grouped, traffic is distributed over the aggregate port. The switch supports up to six aggregate ports, and each aggregate port can consist of up to eight ports. To aggregate ports or delete an aggregated port, use the following commands.
Command: set trunk add <0-5> PORT {srcmac|dstmac}
Mode: Bridge
Description: Configures physical ports as a logical port and assigns srcmac or dstmac as the key used to distribute packets passing through the aggregated port. A second form of the command deletes a physical port from the logical port.
Ports configured for port trunking are taken out of their VLAN. Therefore, you need to add them to the VLAN again using the newly assigned port number.
The following example shows configuring ports 1 ~ 6 and 19 ~ 26 as br1, configuring ports 7 ~ 18 as br2, then configuring ports 7 ~ 10 as a trunk, and adding virtual port 27, which represents the trunk, to br2.
SWITCH(bridge)# set vlan del br1 7-18
SWITCH(bridge)# set vlan add br2 7-18 untagged
SWITCH(bridge)# set trunk add 0 7-10 srcmac
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
---------------------------------------------
             |         1         2         3
  Name( VID) |12345678901234567890123456789012
-------------+--------------------------------
  br1(   1) |uuuuuu............uuuuuuuu......
  br2(   2) |..........uuuuuuuu..............
SWITCH(bridge)# set vlan add br2 27 untagged
SWITCH(bridge)# show vlan
u: untagged port, t: tagged port
---------------------------------------------
             |         1         2         3
  Name( VID) |12345678901234567890123456789012
-------------+--------------------------------
  br1(   1) |uuuuuu............uuuuuuuu......
  br2(   2) |..........uuuuuuuu........u.....
SWITCH(bridge)#
8.3 LACP
LACP (Link Aggregation Control Protocol), complying with IEEE 802.3ad, bundles several physical ports together to form one logical port so that the user gets enlarged bandwidth, as described in 8.2 Port Trunking. The difference from port trunking is that LACP builds the aggregated bandwidth automatically: you configure an aggregator to aggregate ports and the physical member ports to be aggregated into the logical port. Besides, an aggregated port made by port trunking must be added to the VLAN by command, whereas an aggregated port made by LACP is added to the VLAN automatically. Perform the following tasks to configure LACP in the V1624.
Step 1 Enable LACP in the switch.
Step 2 Configure the aggregator.
Step 3 Specify the member ports of the aggregator and configure the mode of the member ports.
You can create a maximum of six aggregators through LACP, and a maximum of eight member ports can be aggregated.
The following details are explained for users to configure LACP:
Enabling LACP
Configuring Aggregator
Configuring Member Port
Checking LACP Configuration
Configuring Key of Member Port
Configuring Port Priority
8.3.1 Enabling LACP
Before configuring LACP in the switch, you need to enable LACP first. To enable or disable LACP, use the following command.
Command: set lacp system interface IFNAME
Mode: Bridge
Description: Enables LACP in the switch.

Command: set lacp system interface disable
Mode: Bridge
Description: Disables LACP and deletes the LACP configuration.
8.3.2 Configuring Aggregator
After enabling LACP, you should configure a logical aggregator to aggregate several physical ports.
You cannot configure both port trunking and LACP at the same time; only one of the two functions can be configured for a given group ID.
When you configure an aggregator, you need to specify how packets passing through the aggregator are distributed. To set the packet distribution method, use the following command.
Command: set lacp aggregator <0-5> method {srcmac|dstmac}
Mode: Bridge
Description: Sets the packet distribution method. 0-5: group ID
8.3.3 Configuring Member Port
You need to configure the mode of the member ports after configuring them. There are two modes a member port can be configured with: active mode and passive mode. Active mode has higher priority than passive mode, and the active side becomes the standard, so the passive side is expected to follow the configuration of the active side.
Command: set lacp port mode PORT {active|passive}
Mode: Bridge
Description: Configures the mode of the member port.
If the member ports of two pieces of equipment connected to each other are both configured in active mode, another value is required to decide priority. In this case, the user can configure a priority in the switch. To give priority to a switch in LACP, use the following command.
Command: set lacp system priority <1-65535>
Mode: Bridge
Description: Gives a priority value to the switch in LACP.
When the member ports of two pieces of equipment connected to each other are configured as active mode and passive mode, the equipment configured as active is the standard; if both are configured as active mode, the equipment with the higher priority is the standard. However, if both are configured as passive mode, the member ports of the two pieces of equipment will not be linked.
8.3.4 Checking LACP Configuration
The following is an example of configuring aggregator 0 on SWITCH A and SWITCH B with ports 2 ~ 3 as member ports, and viewing the configuration.
03 0 1 ACTIVE
SWITCH_A(bridge)#
MEMBER
------
2(o)-3(o)
1 PASSIVE
03 0 1 PASSIVE
SWITCH_B(bridge)#
The AGGR column shows the ID of the aggregator when the show lacp port command is used; it is not the group ID the user enters when configuring the aggregator. If you enter a letter or a nonexistent port number for PORT, the error message %Wrong expression. ex) 'show port 1,3' , 'show port 1-3,10' is displayed, as follows.
SWITCH(bridge)# show port aa
%Wrong expression. ex) 'show port 1,3' , 'show port 1-3,10'
SWITCH(bridge)#
8.3.5 Configuring Key of Member Port
For example, switch A is linked with switch B and switch C. Two aggregators are configured in switch A and ports 7 ~ 10 are configured as member ports. One aggregator is configured in switch B with ports 7 ~ 8 as member ports, and one aggregator is configured in switch C with ports 9 ~ 10 as member ports. With these configurations, ports 7 ~ 8 of switch A are linked with switch B and ports 9 ~ 10 of switch A with switch C, so switch A is linked with both switch B and switch C through aggregators.
Meanwhile, suppose switch A is linked only with switch B. Two aggregators are configured in both switch A and switch B, and ports 7 ~ 10 are configured as member ports. With this configuration, if ports 7 ~ 10 are connected by cable, one aggregator including all the ports is made. However, if the key values of ports 7 ~ 10 are configured differently, two aggregators are made. The following is an example of aggregating ports 7 ~ 8 and ports 9 ~ 10 of SWITCH A and SWITCH B into different aggregators as described above. Without changing the key configuration, two aggregators are configured and ports 7 ~ 10 are configured as member ports in SWITCH A and SWITCH B.
<SWITCH A>
SWITCH_A(bridge)# set lacp system interface br1
SWITCH_A(bridge)# set lacp aggregator add 0
SWITCH_A(bridge)# set lacp aggregator add 1
SWITCH_A(bridge)# set lacp aggregator 0 method srcmac
SWITCH_A(bridge)# set lacp aggregator 1 method srcmac
SWITCH_A(bridge)# set lacp port add 7-10
SWITCH_A(bridge)# set lacp port mode 7-10 active
SWITCH_A(bridge)# show lacp aggregator
AGGR  PRIORITY             PARTNER       MEMBER
----  -------------------  ------------  ------
0     0x8000.00D0CB0A01B3  00D0CB0AA790  eth07(o)-eth08(o)-eth09(o)-eth10(o)
1     0x8000.000000000000
SWITCH_A(bridge)#
<SWITCH B>
SWITCH_B(bridge)# set lacp system interface br1
SWITCH_B(bridge)# set lacp aggregator add 0
SWITCH_B(bridge)# set lacp aggregator add 1
SWITCH_B(bridge)# set lacp aggregator 0 method srcmac
SWITCH_B(bridge)# set lacp aggregator 1 method srcmac
SWITCH_B(bridge)# set lacp port add 7-10
SWITCH_B(bridge)# set lacp port mode 7-10 active
SWITCH_B(bridge)# show lacp aggregator
AGGR  PRIORITY             PARTNER       MEMBER
----  -------------------  ------------  ------
0     0x8000.00D0CB0A01B3  00D0CB0AA790  eth07(o)-eth08(o)-eth09(o)-eth10(o)
1     0x8000.000000000000
SWITCH_B(bridge)#
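The mode and priority rules of 8.3.3 and the key and partner behaviour of 8.3.5 can be modelled in a few lines, which is a useful way to predict what show lacp aggregator will print before cabling two switches. The following Python is an added example written for this manual's text, not code from the V1624 or its vendor. The system IDs are built like the 0x8000.<MAC> values printed by show lacp aggregator, but the MACs, port numbers and key values are constructed; the tie-break for two active ports (the numerically lower system ID wins, which the manual describes as the higher priority) follows IEEE 802.3ad; and the grouping rule (same own key, same partner system, same partner key) is the 802.3ad rule that the two scenarios in 8.3.5 illustrate.

```python
"""LACP member-port negotiation and aggregator formation. Added illustration,
not V1624 code: models 8.3.3 (active/passive modes, system priority) and 8.3.5
(ports with a different key or a different partner form another aggregator).
System IDs, MACs, ports and keys are constructed sample values."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class SystemId:
    """LACP system ID as 'show lacp aggregator' prints it (0x8000.<MAC>):
    16-bit system priority, then the MAC. IEEE 802.3ad gives precedence to the
    numerically lower value; the manual calls that the higher priority. MACs
    are compared as lower-case colon-separated strings, which orders them like
    the underlying bytes."""
    priority: int
    mac: str


@dataclass(frozen=True)
class MemberPort:
    system: SystemId
    port: int
    key: int      # operational key of the member port
    mode: str     # "active" or "passive" (set lacp port mode PORT {active|passive})


def negotiate(local, partner):
    """Which system sets the standard for this link: None if it never comes up
    (both passive), the active side if the modes differ, and the lower system
    ID (set lacp system priority, then MAC) when both sides are active."""
    if local.mode == "passive" and partner.mode == "passive":
        return None
    if local.mode != partner.mode:
        return local.system if local.mode == "active" else partner.system
    return min(local.system, partner.system)


def form_aggregators(local_ports, partner_of):
    """Group the local member ports into aggregators. partner_of maps a local
    port number to the MemberPort at the far end of its cable. Ports share an
    aggregator only when their own key, the partner system and the partner key
    all match; ports without a link or with a failed negotiation stay out."""
    groups = defaultdict(list)
    for lp in sorted(local_ports, key=lambda p: p.port):
        pp = partner_of.get(lp.port)
        if pp is None or negotiate(lp, pp) is None:
            continue
        groups[(lp.key, pp.system, pp.key)].append(lp.port)
    return sorted(groups.values(), key=lambda members: members[0])


# Constructed systems; 0x8000 is the default LACP system priority.
SWITCH_A = SystemId(0x8000, "00:d0:cb:0a:01:b3")
SWITCH_B = SystemId(0x8000, "00:d0:cb:0a:a7:90")
SWITCH_C = SystemId(0x8000, "00:d0:cb:0c:00:01")


def members(system, ports, key, mode="active"):
    return [MemberPort(system, p, key, mode) for p in ports]


def two_partners():
    """8.3.5, first case: A ports 7-8 cabled to B, ports 9-10 to C. Same key on
    every port, but two partners, so two aggregators form: [[7, 8], [9, 10]]."""
    partner = {m.port: m for m in members(SWITCH_B, (7, 8), key=1)
               + members(SWITCH_C, (9, 10), key=1)}
    return form_aggregators(members(SWITCH_A, (7, 8, 9, 10), key=1), partner)


def one_partner(split_keys):
    """8.3.5, second case: A and B only, ports 7-10 cabled straight through.
    One key everywhere gives a single four-port aggregator; giving ports 9-10
    another key on both sides splits them into a second aggregator."""
    keys = {7: 1, 8: 1, 9: 2 if split_keys else 1, 10: 2 if split_keys else 1}
    local = [MemberPort(SWITCH_A, p, keys[p], "active") for p in keys]
    partner = {p: MemberPort(SWITCH_B, p, keys[p], "active") for p in keys}
    return form_aggregators(local, partner)
```

Running two_partners() and one_partner(True) both yield two aggregators, but for different reasons: in the first case the partner system differs per port pair, in the second the key does. That distinction is what to look for when show lacp aggregator shows members split across aggregators unexpectedly.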
8.3.6 Configuring Port Priority
8.4
Fig. 8.2 Example of Loop (figure: Switch A and Switch B with PC-A and PC-B attached)
The spanning-tree protocol (STP), defined in IEEE 802.1d, prevents loops in a LAN that has two or more paths between switches and makes efficient use of the redundant paths. When STP is configured in the system, there is no loop, because STP chooses the more efficient of the paths and blocks the other. In other words, when SWITCH C in the figure below sends a packet to SWITCH B, path 1 is chosen and path 2 is blocked.
Fig. 8.3 (figure: VLAN 1 with Switch A, Switch B and Switch C; PC-A and PC-B attached; the redundant path marked Blocking)
Meanwhile, the rapid spanning-tree protocol (RSTP), defined in IEEE 802.1w, dramatically reduces the network convergence time of STP. Because 802.1w uses the same vocabulary and configuration parameters as 802.1d, the new protocol is easy and fast to configure. IEEE 802.1w also includes 802.1d, so it remains backward compatible with IEEE 802.1d.
For compatibility with the configuration of switches running an older version, the default mode is STP. For a more detailed description of STP, refer to the following:
STP Operation
RSTP Operation
STP and RSTP Configuration
Configuring BPDU Transmission
8.4.1 STP Operation
The 802.1d STP defines the port states blocking, listening, learning and forwarding. When STP is configured in a LAN with redundant paths, the switches exchange their information, including the bridge ID, in messages called BPDUs (Bridge Protocol Data Units). Based on the exchanged BPDUs, the switches decide the port states and automatically select the optimal path for communicating with the root switch.
Root Switch
The critical information for deciding the root switch is the bridge ID. The bridge ID is composed of a two-byte priority and a six-byte MAC address. The switch with the lowest bridge ID becomes the root switch.
Fig. 8.4 Root Switch (figure: Switch A, priority 8, is ROOT; Switch B, priority 9; Switch C, priority 10; ports labelled RP and DP)
After STP is configured, the switches exchange their information. The priority of SWITCH A is 8, the priority of SWITCH B is 9 and the priority of SWITCH C is 10. In this case, SWITCH A is automatically chosen as root switch.
Designated Switch
After the root switch is decided, when SWITCH A transmits a packet to SWITCH C, SWITCH A compares the exchanged BPDUs to decide the path. The critical information for deciding the path is the path-cost. The path-cost depends on the transmit rate of the LAN interface, and the path with the lower path-cost is selected. The standard for deciding the designated switch is the total root path-cost, that is, the sum of the path-costs to the root: the switch with the lower root path-cost is selected as designated switch.
Fig. 8.5 Designated Switch (figure: Switch A, priority 8, Root Switch; Switch B, priority 9, Designated Switch; Switch C, priority 10; link path-costs 50 and 100; PATH 1 = 50 + 100 = 150, PATH 2 = 100 + 100 = 200, PATH 1 < PATH 2, PATH 1 selected)
In the figure above, where SWITCH C sends a packet, the path-cost of PATH 1 is 150 and the path-cost of PATH 2 is 200 in total (100 + 100; the path-cost from SWITCH C to B plus the path-cost from SWITCH B to C). Therefore the path with the lower path-cost, PATH 1, is chosen. The port connected toward the root switch is called the root port. In the figure, the port of SWITCH C connected to SWITCH A, the root switch, is the root port. There can be only one root port per switch.
The standard for deciding the designated switch is the total root path-cost, that is, the sum of the path-costs to the root. The switch with the lower root path-cost is selected as designated switch. When the root path-costs are the same, the bridge IDs are compared.
Designated Port and Root Port
A root port is the port in the active topology that provides connectivity from the designated switch toward the root. A designated port is a port in the active topology used to forward traffic away from the root onto the link for which this switch is the designated switch. That is, on each switch, every port other than the root port that is selected for communication is a designated port.
Port Priority
Meanwhile, when the path-costs of two paths are the same, the port priority is compared. As in the figure below, suppose that two switches are connected by two paths. Since both path-costs are 100, the same, their port priorities are compared and the port with the smaller port priority is selected to transmit packets.
All of these decisions are made automatically through BPDUs, which carry the switch information. It is also possible to configure the BPDU values to change the root switch or the path manually.
Fig. 8.6 Port Priority (figure: Root; Path 2: path-cost 100, port priority 8, port 2; path-cost of PATH 1 = path-cost of PATH 2 = 100, so they cannot be compared; PATH 1 port priority = 7, PATH 2 port priority = 8, so PATH 1 is chosen)
8.4.2 RSTP Operation
STP or RSTP is configured on a network where a loop can be created. However, RSTP reaches the final topology much more rapidly than STP. This section describes how RSTP improves on STP, in the following parts: Port States, BPDU Policy, Rapid Network Convergence and Compatibility with 802.1d.
Port States
RSTP defines the port states discarding, learning and forwarding; the blocking and listening states of 802.1d are combined into discarding. As in STP, the root port and designated port are decided by port state, but a port in the blocking state is divided into the alternate port and the backup port. An alternate port is a port that blocks BPDUs of numerically higher priority from other switches, and a backup port is a port that blocks BPDUs of numerically higher priority from another port of the same equipment.
Fig. 8.7 Alternate Port and Backup port (figure: Switch A as ROOT, Switch D)
The difference between an alternate port and a backup port is that an alternate port can provide an alternate path for packets when there is a problem between the root switch and SWITCH C, whereas a backup port cannot provide a stable connection in that case.
BPDU Policy
In 802.1d, the root switch sends BPDUs at the Hello time configured on it, and every other switch sends its own BPDU only when it receives a BPDU from the root switch. In 802.1w, however, not only the root switch but all the other switches send BPDUs at the Hello time. BPDUs are therefore exchanged more often than the interval at which the root switch alone would send them, and with 802.1w the switches get on top of a changing network faster. Also, when an inferior BPDU is received from the root switch or a designated switch, it is accepted immediately. For example, suppose the root switch is disconnected from SWITCH B. SWITCH B then considers itself the root because of the disconnection and sends BPDUs. However, SWITCH C knows that the root still exists, so it sends SWITCH B a BPDU containing the root's information. Thus, SWITCH B configures the port connected to SWITCH C as its new root port.
Fig. 8.8 (figure: Switch A as ROOT)
Rapid Network Convergence
A new link is connected between SWITCH A and the root. Previously the root and SWITCH A were not directly connected, but only indirectly through SWITCH D. Right after SWITCH A is connected to the root, packets cannot be transmitted between the two ports, because both ports are in the listening state, so no loop is created. In this state, if the root transmits a BPDU to SWITCH A, SWITCH A transmits a new BPDU to SWITCH B and SWITCH C, and SWITCH C transmits a new BPDU to SWITCH D. SWITCH D, which received the BPDU from SWITCH C, puts the port connected to SWITCH C into the blocking state to prevent a loop through the new link.
Fig. 8.9 (figure: ROOT, Switch A, Switch B, Switch C; 1. New link created; 2. Transmit BPDU at listening state)
This is a very effective way of preventing a loop. The problem is that communication is interrupted for two BPDU Forward-delay periods, until the port between SWITCH D and SWITCH C is blocked. Then, right after the connection, it is possible to transmit BPDU al-
Fig. 8.10 (figure: Switch B, Switch C, Switch D)
SWITCH A negotiates with the root through BPDUs. To bring up the link between SWITCH A and the root, the non-edge designated ports of SWITCH A are changed to the blocking state. Although SWITCH A is connected to the root, no loop is created, because SWITCH A is blocked toward SWITCH B and C. In this state, the BPDU from the root is transmitted to SWITCH B and C through SWITCH A. To bring its ports to the forwarding state, SWITCH A negotiates with SWITCH B and SWITCH C.
Fig. 8.11 (figure: ROOT, Switch A, Switch B, Switch C, Switch D; 3. Forwarding)
SWITCH B has only edge designated ports. Edge designated ports do not cause loops, so 802.1w defines that they change directly to the forwarding state. Therefore SWITCH B does not need to block any port before the port of SWITCH A goes to the forwarding state. However, since SWITCH C has a port connected to SWITCH D, that port must be put into the blocking state.
Fig. 8.12 (figure: ROOT, Switch A, Switch B, Switch C; 4. Forwarding state on both links)
Blocking the connection between SWITCH D and SWITCH C is the same as in 802.1d. However, 802.1w does not need any configured timer for the negotiation between switches that brings a specific port to the forwarding state, so it proceeds very fast. While a port progresses to the forwarding state, listening and learning are not needed. These negotiations use BPDUs.
Compatibility with 802.1d
RSTP internally includes STP, so it is compatible with 802.1d. Therefore RSTP can recognize STP BPDUs, but STP cannot recognize RSTP BPDUs. For example, assume that SWITCH A and SWITCH B operate RSTP and SWITCH A is connected to SWITCH C as the designated switch. Since SWITCH C, which runs 802.1d, ignores RSTP BPDUs, it concludes that it is not connected to any switch or segment.
Fig. 8.13
However, SWITCH A can read the BPDU of SWITCH C, so it converts the port on which that 802.1d BPDU was received to 802.1d operation. Then SWITCH C can read the BPDU of SWITCH A and accepts SWITCH A as the designated switch.
Fig. 8.14
8.4.3 STP and RSTP Configuration
8.4.3.1 Activating STP
To use STP in the switch, activate STP first with the following command. You do not need to configure STP to prevent loops in a LAN that has no redundant paths.
Command: set stp enable NAME
Mode: Bridge
Description: Activates STP on the VLAN. (Default: Disable)

Command: set stp disable NAME
Mode: Bridge
Description: Deactivates STP on the VLAN.
8.4.3.2 STP/RSTP Mode
When you need to enable RSTP, configure the force-version as RSTP with STP enabled. To configure the force-version, use the following command.
Command: set stp force-version NAME {stp|rstp}
Mode: Bridge
Description: Configures the force-version in the specified bridge.
8.4.3.3 Root Switch
The root switch must be decided before STP runs. Each switch has its own bridge ID, and the root switch is selected by comparing the bridge IDs of the switches on the same LAN.
When the priority is configured at the user's request, however, the root switch can be changed as the user wants. After the priority is changed, the switch with the lowest priority becomes the root switch. To change the root switch by configuring the priority in a switch, use the following command.
Command: set stp priority NAME <0-15>
Mode: Bridge
Description: Configures the priority of the switch. The one with the lowest priority is chosen as root switch; the value can be configured from 0 to 15.
This is an example of checking the configuration after the priority of br1 is set to 10.
SWITCH(bridge)# set stp priority br1 10
SWITCH(bridge)# show stp
bridge name     bridge id     STP enabled
no
8.4.3.4 Path-cost
After the root switch is decided, you need to decide which path to transmit packets on. The criterion for this is the path-cost. Generally, the path-cost depends on the transmission speed of the LAN interface in the switch. The following table shows the path-cost according to the transmit rate of the LAN interface.
Transmit Rate   Path-cost
4M              250
10M             100
100M            19
1G              4
10G             2
Tab. 8.1
Tab. 8.2
You can use the same commands to configure STP and RSTP, but their path-costs are totally different. Please be careful not to mix them up.
When the route decided by path-cost becomes overloaded, it is better to take another route. With such situations in mind, it is possible to configure the path-cost of the root port so that the user can set the route manually. To configure the path-cost, use the following command.
Command: set stp path-cost NAME PORT {cost|default}
Mode: Bridge
Description: Configures the path-cost so that the route can be set manually. If you select default, the path-cost of the specified port returns to its default value.
The following is an example of changing the path-cost of br1 port 1 to 10 and checking it.
SWITCH(bridge)# show stp br1
bridge id               8001.00d0cb0ac03a
bridge VLAN id          1
designated root         0001.00d0cb0a003f
root port               1
root path cost          0
max age                 20.00
bridge max age          20.00
hello time              2.00
bridge hello time       2.00
forward delay           15.00
bridge forward delay    15.00
ageing time             300.00
gc interval             4.00
hello timer             2.00
tcn timer               0.00
topology change timer   0.00
gc timer                1.89
flags
mode                    STP
SWITCH(bridge)# set stp path-cost br1 1 10
SWITCH(bridge)# show stp br1
bridge id               8001.00d0cb0ac03a
bridge VLAN id          1
designated root         0001.00d0cb0a003f
root port               1
root path cost          10
max age                 20.00
bridge max age          20.00
hello time              2.00
bridge hello time       2.00
forward delay           15.00
bridge forward delay    15.00
ageing time             300.00
gc interval             4.00
hello timer             2.00
tcn timer               0.00
topology change timer   0.00
gc timer                1.89
flags
mode                    STP
SWITCH(bridge)#
8.4.3.5 Port Priority
When all conditions of two routes are the same, the last criterion for deciding the route is the port-priority. It is also possible to configure the port priority so that the user can set the route manually. To configure the port-priority, use the following command.
Command: set stp port-priority NAME PORT <0-255>
Mode: Bridge
Description: Configures the port-priority.
The following is an example of changing the port priority of br1 port 1 to 10 and checking it.
SWITCH(bridge)# show stp br1 1
bridge id               8001.00d0cb0ac03a
bridge VLAN id          1
mode                    STP
(omitted)
eth01 (1)
port id                 8001
VLAN tag                untagged
designated root         0001.00d0cb0a003f
designated bridge       8001.00d0cb0aab8f
designated port         8003
designated cost         200
port migrate            SENDING_STP
flags
state                   forwarding
current # of MACs       0
path cost               19
message age timer       300.00
forward delay timer     0.00
hold timer              0.00
SWITCH(bridge)# set stp port-priority br1 1 10
SWITCH(bridge)# show stp br1 1
bridge id               8001.00d0cb0ac03a
bridge VLAN id          1
mode                    STP
(omitted)
eth01 (1)
port id                 0a01
VLAN tag                untagged
designated root         0001.00d0cb0a003f
designated bridge       8001.00d0cb0aab8f
designated port         8003
designated cost         200
port migrate            SENDING_STP
flags
state                   forwarding
current # of MACs       0
path cost               19
message age timer       300.00
forward delay timer     0.00
hold timer              0.00
SWITCH(bridge)#
8.4.4 Configuring BPDU Transmission
Hello Time
The Hello time decides the interval at which a switch transmits BPDUs. It can be configured from 1 to 10 seconds. The default is 2 seconds.
Max Age
The root switch transmits new information each time, based on the information from the other switches. However, if there are many switches on the network, transmitting the BPDUs takes a long time, and if the network status changes while a BPDU is in transit, that information is useless. To get rid of useless information, a Max Age is carried in each message.
Forward Delay
Switches find the location of the other switches connected to the LAN through the received BPDUs and then transmit packets. Since it takes a certain time to receive the BPDUs and find the locations before packets can be transmitted, switches start sending packets only after a fixed interval. This interval is named Forward Delay.
8.4.4.1 Hello Time
The Hello time decides the interval at which a switch transmits BPDUs. To configure the Hello time, use the following command.
Command: set stp hello-time NAME <1-10>
Mode: Bridge
Description: Configures the Hello time. (Default: 2)
8.4.4.2 Forward Delay
It is possible to configure the Forward delay, the time it takes a port to go from the listening state to the forwarding state. To configure the Forward delay, use the following command.
Command: set stp forward-delay NAME <4-30>
Mode: Bridge
Description: Configures the Forward delay. (Default: 15 sec)
8.4.4.3 Max Age
Max Age shows how long a path message is valid. To configure Max Age so that useless messages are deleted, use the following command.
Command: set stp max-age NAME <6-40>
Mode: Bridge
Description: Configures Max Age. (Default: 20 sec)
The following is an example of configuring the Max Age of BPDUs from br1 as 15 seconds.
SWITCH(bridge)# set stp max-age br1 15
SWITCH(bridge)#
It is recommended that Max Age be configured to less than twice the Forward Delay and more than twice the Hello Time.
8.4.4.4
8.5 Loop Detection
A loop may occur when double paths are used for link redundancy between switches and a switch sends an unknown unicast or multicast packet, which then circulates endlessly on the LAN over the loop topology. This superfluous traffic can eventually result in a network fault. To prevent this, the V1624 provides the loop detection function. The loop detection mechanism is as follows: the switch periodically sends a loop-detecting packet on all ports at a certain interval, and if it receives a loop-detecting packet it sent before, the switch performs a pre-defined action. To enable or disable loop detection globally, use the following command.
Command: set loop-detect {enable | disable}
Mode: Bridge
Description: Enables/disables the loop detection globally.
For the detailed configuration of the loop detection, you need to issue the set loop-detect enable command first. If you do not, all the related commands will show error messages.
To configure a port with the loop detection, use the following command.
Command: set loop-detect PORTS
Mode: Bridge
Description: Enables the loop detection on a specified port.

Command: set loop-detect PORTS period <1-60>
Mode: Bridge
Description: Sets the interval of sending the loop-detecting packet. (default: 30 seconds)

Command: set loop-detect PORTS block
Mode: Bridge
Description: Enables the blocking option. This configures a specified port to automatically change its state to BLOCKED when a loop is detected on it. (default: disable)

Command: set loop-detect PORTS timer <0-86400>
Mode: Bridge
Description: Sets the interval after which the state of a blocked port changes back to NORMAL. If you set the interval to 0, the state of the blocked port will not be changed automatically. (default: 600 seconds)

Command: set loop-detect PORTS unlock
Mode: Bridge
Description: Forces the state of a blocked port to change to NORMAL.
You can also configure the source MAC address of the loop-detecting packet. Normally the system's MAC address is used as the source MAC address of the loop-detecting packet, but if needed, a Locally Administered Address (LAA) can be used instead. If the switch is configured to use an LAA as the source MAC address of the loop-detecting packet, the second bit of the first byte of the address is set to 1. For example, if the switch's MAC address is 00:D0:cb:00:00:01, the source MAC address becomes 02:D0:cb:00:00:01.
To configure the source MAC address of the loop-detecting packet, use the following command.
Command: set loop-detect srcmac laa
Mode: Bridge
Description: Uses an LAA as the source MAC address of the loop-detecting packet.

Command: set loop-detect srcmac system
Mode: Bridge
Description: Uses the system's MAC address as the source MAC address of the loop-detecting packet. (default)
If you want to change the source MAC address of the detection packets, you should disable the loop detection function first, using the clear loop-detect command. To disable the loop detection on a specified port, use the following command.
Command: clear loop-detect PORTS
Mode: Top / Global
Description: Disables the loop detection on a specified port.

Command: clear loop-detect PORTS block
Mode: Top / Global
Description: Disables the blocking option.
The loop detection cannot operate together with LACP. If a port belongs to a VLAN where STP is enabled, the blocking option cannot be enabled on that port. To use the loop detection feature while STP is operating, use the self loop detection. The self loop detection carries the loop detection packet inside the BPDU.
To display the current status of the self loop detection, use the following command.
Command: show self-loop-detect
Mode: Bridge
Description: Shows the current status of the self loop detection.
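Taken together, the commands in this section define a small state machine per port: a probe is sent every period, a returning probe means a loop, the block option moves the port to BLOCKED, and the timer (or unlock) moves it back to NORMAL. The Python below is an added illustration of that behaviour, not the V1624 firmware. It derives the LAA source address exactly as described above (00:D0:cb:00:00:01 becomes 02:D0:cb:00:00:01) and replays a constructed scenario in which two ports are wired into a loop. The probe's sequence-number field, the per-second tick, and all port numbers and times are assumptions made for the example.

```python
"""Loop-detection probe handling as described in 8.5. Added model, not the
V1624 firmware: every enabled port sends a probe each period; a probe that
carries our own source MAC came back to us, so the receiving port is on a
loop; with the block option that port goes BLOCKED and returns to NORMAL after
the timer (0 = stay BLOCKED until unlocked). The probe sequence number, the
one-second tick, and all MACs, ports and times are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def laa_source_mac(system_mac: str) -> str:
    """Locally Administered Address as the manual describes it: set the second
    bit (0x02) of the first byte, e.g. 00:D0:cb:00:00:01 -> 02:D0:cb:00:00:01."""
    octets = system_mac.split(":")
    if len(octets) != 6:
        raise ValueError("expected a colon-separated 48-bit MAC address")
    first = int(octets[0], 16) | 0x02
    return ":".join([f"{first:02X}"] + octets[1:])


@dataclass(frozen=True)
class Probe:
    """Constructed loop-detecting frame: source MAC, sending port, sequence."""
    src_mac: str
    port: int
    seq: int


@dataclass
class PortState:
    period: int = 30                  # set loop-detect PORTS period <1-60>
    block: bool = False               # set loop-detect PORTS block
    timer: int = 600                  # set loop-detect PORTS timer <0-86400>
    state: str = "NORMAL"             # NORMAL or BLOCKED
    blocked_at: Optional[int] = None
    loops_seen: int = 0


class LoopDetector:
    def __init__(self, system_mac: str, srcmac: str = "system"):
        # set loop-detect srcmac {laa|system}
        self.src_mac = laa_source_mac(system_mac) if srcmac == "laa" else system_mac
        self.ports: Dict[int, PortState] = {}
        self.seq = 0
        self.outstanding: Dict[int, int] = {}   # seq -> port the probe left on

    def enable(self, port: int, **options) -> None:
        """set loop-detect PORTS [period|block|timer] for one port."""
        self.ports[port] = PortState(**options)

    def tick(self, now: int) -> List[Probe]:
        """Run once per second: unblock ports whose timer has elapsed and send
        the probes due on ports whose period divides the clock."""
        sent = []
        for port, ps in self.ports.items():
            if ps.state == "BLOCKED" and ps.timer and now - ps.blocked_at >= ps.timer:
                ps.state, ps.blocked_at = "NORMAL", None
            if now % ps.period == 0:
                self.seq += 1
                sent.append(Probe(self.src_mac, port, self.seq))
                self.outstanding[self.seq] = port
        return sent

    def receive(self, port: int, frame: Probe, now: int) -> bool:
        """A frame arrived on port. Only a probe with our own source MAC and a
        sequence we issued counts as a loop; other switches' probes do not."""
        if frame.src_mac != self.src_mac or self.outstanding.pop(frame.seq, None) is None:
            return False
        ps = self.ports.setdefault(port, PortState())
        ps.loops_seen += 1
        if ps.block and ps.state == "NORMAL":
            ps.state, ps.blocked_at = "BLOCKED", now
        return True

    def unlock(self, port: int) -> None:
        """set loop-detect PORTS unlock: force the port back to NORMAL."""
        self.ports[port].state, self.ports[port].blocked_at = "NORMAL", None


def demo():
    """Constructed scenario: ports 1 and 2 are cabled into a loop. Port 1 has
    the default 600 s timer, port 2 has timer 0 and so stays BLOCKED until
    unlocked. Returns the observations as a dict."""
    det = LoopDetector("00:D0:cb:00:00:01", srcmac="laa")
    det.enable(1, period=30, block=True, timer=600)
    det.enable(2, period=30, block=True, timer=0)
    probes = det.tick(30)                                   # both ports transmit
    result = {"src_mac": det.src_mac,
              "looped": [det.receive(2, probes[0], 31),     # port 1's probe on port 2
                         det.receive(1, probes[1], 31)],    # port 2's probe on port 1
              "foreign": det.receive(1, Probe("00:D0:cb:99:99:99", 5, 1), 32)}
    result["blocked"] = {p: ps.state for p, ps in det.ports.items()}
    det.tick(631)                                            # 600 s after blocking
    result["after_timer"] = {p: ps.state for p, ps in det.ports.items()}
    det.unlock(2)
    result["after_unlock"] = det.ports[2].state
    return result
```

The foreign probe in demo() is the case worth noting for a multi-switch LAN: a loop-detecting frame from a neighbouring switch carries that switch's source MAC, so it must not block a local port; only a frame the switch itself sent, identified by its own (LAA or system) source MAC, is evidence of a loop.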
8.6 Single IP Management
Switch cascading technology available in the industry today provides two main benefits to customers. The first benefit is the ability to manage a group of switches using one single IP address. The second benefit is the ability to interconnect two or more switches to create a distributed fabric, which behaves in the network as a unified system. The V1624 provides the benefits of cascading technology for the customer. Additionally, the V1624 is able to manage up to 16 units through one single IP address.
Fig. 8.15 Cascading of Switches (figure: switches connected to the Internet through one another)
Step 1 Assign an IP address to the Master switch in Interface configuration mode and activate the interface with the no shutdown command. (Refer to 4.5 Assigning IP Address.)
When many switches are connected, the other switches are managed through the IP address of the Master switch.
Step 2 Configure the Master switch using the following command in Bridge configuration mode.
Command: set stack master
Mode: Bridge
Description: Configures the Master switch.
Step 3 Create a name to configure the VLAN in the Master switch to which the Slave switches belong.
Command: set stack device NAME
Mode: Bridge
Description: Configures the VLAN in the Master switch to which the Slave switches belong.
To manage a switch group, the ports connecting the Master switch to the Slave switches must be in the same VLAN.
Step 4 Add a new switch to the switch group or delete a switch from it using the following commands.
Command: set stack add MAC-ADDR DESCRIPTION
Mode: Bridge
Description: Adds a Slave switch to the switch group.

Command: set stack del MAC-ADDR
Mode: Bridge
Description: Deletes a Slave switch from the switch group.
You cannot add switches belonging to different VLANs to the same switch group.
Step 5 Configure the Slave switch using the following command in Bridge configuration mode.
Command: set stack slave
Mode: Bridge
Description: Configures the Slave switch connected to the Master switch.
The following is an example of configuring SWITCH A as master and SWITCH B as slave, and of configuring stacking.
<SWITCH A>
SWITCH_A(bridge)# set stack device br1
SWITCH_A(bridge)# set stack add 00:d0:cb:22:00:11
SWITCH_A(bridge)# set stack master
<SWITCH B>
SWITCH_B(bridge)# set stack slave
SWITCH_B(bridge)# set stack device br1
<SWITCH A>
SWITCH_A(bridge)# show stack
device  : br1
node ID : 1
node  MAC address        status  type  name      port
1     00:d0:cb:0a:00:aa  active  S212  SWITCH_A  26
2     00:d0:cb:22:00:11  active  S212  SWITCH_B  26
SWITCH_A(bridge)#
<SWITCH B>
SWITCH_B(bridge)# show stack
device  : br1
node ID : 2
SWITCH_B(bridge)#
After configuring the switch group, you can configure and manage the Slave switches. When you enter a Slave switch number after the command rcommand, a Telnet window connected to that Slave switch opens. You can configure the Slave switch with DSH commands. To finish the Slave switch configuration, enter exit in the Telnet session. To connect to a Slave switch, use the following command.
Command: rcommand NODE
Mode: Bridge
Description: Connects to a Slave switch.
8.7 Rate Limit
Users can customize port bandwidth according to their environment. With this configuration you can prevent a single port from monopolizing the whole bandwidth, so that all ports share it equally. Egress and ingress can be configured to the same value or to different values. To configure port bandwidth, use the following command.
Command: set rate PORT RATE [egress | ingress]
Mode: Bridge
Description: Configures port bandwidth. If you enter egress or ingress, you configure the outgoing or the incoming packets respectively. The unit is Mbps.
If you enter neither egress nor ingress, both directions are configured to the same value. From the switch's point of view, egress traffic is what the switch sends out, so it is what is delivered to the PC user. The existing ingress rate limit simply drops packets whenever traffic exceeds the configured bandwidth. The newly released V1624, however, first sends a pause packet to the link partner when traffic exceeds the configured bandwidth, and drops packets only if the traffic keeps coming. To configure this ingress rate-limit behaviour, use the following command.
Command: set rate PORT RATE ingress enhanced
Mode: Bridge
Description: Configures the ingress rate limit to use pause packets.
The following is an example of configuring the bandwidth of port 1 as 64Mbps, the ingress bandwidth of port 2 as 52Mbps and the ingress bandwidth of port 3 as 64Mbps in enhanced mode, and then checking the result.
SWITCH(bridge)# set rate 1 64
SWITCH(bridge)# set rate 2 52 ingress
SWITCH(bridge)# set rate 3 64 ingress enhanced
SWITCH(bridge)# show rate
---------------------------------------------------------------
 Port  Ingress       Egress       | Port  Ingress       Egress
--------------------------------+-------------------------------
    1  64( 64.000)   64( 64.000)  |    2  52( 52.000)   N/A
    3  64(Enhanced)  N/A          |    4  N/A           N/A
(Omitted)
SWITCH(bridge)#
8.8 Flood-Guard
Flood-guard limits the number of packets that can be transmitted per second, whereas the Rate limit described in 8.7 Rate Limit controls packets by configuring the width of the bandwidth they pass through.
Fig. 8.16 Rate Limit (controls the bandwidth of a port) compared with Flood-guard (allows n packets per second; packets beyond n are thrown away)
V1624 supports Flood-guard based on MAC address and on port. This section contains:
Configuring Port based Flood-guard
Configuring Flood-guard based on MAC Address
8.8.1 Configuring Port based Flood-guard
The following is an example of limiting the number of packets that can be transmitted to port 1 to 10,000 per second.
SWITCH(bridge)# set flood-guard 1 10000
SWITCH(bridge)# show flood-guard
--------------------------------
Port  Rate(fps)  | Port  Rate(fps)
----------------+---------------
   1  10000      |    2  N/A
   3  N/A        |    4  N/A
   5  N/A        |    6  N/A
   7  N/A        |    8  N/A
   9  N/A        |   10  N/A
  11  N/A        |   12  N/A
  13  N/A        |   14  N/A
  15  N/A        |   16  N/A
  17  N/A        |   18  N/A
  19  N/A        |   20  N/A
  21  N/A        |   22  N/A
  23  N/A        |   24  N/A
  25  N/A        |   26  N/A
SWITCH(bridge)#
8.8.2 Configuring Flood-guard based on MAC Address
8.9 Configuring Bandwidth-share-Group
V1624 can keep the minimum secured bandwidth of the ports that belong to one group from exceeding the maximum bandwidth of the group. The maximum bandwidth configured by the user should not be less than the minimum secured bandwidth of the ports in the group, and the bandwidth actually used by each port depends on its traffic. A port receiving heavy traffic can use the bandwidth of another port in the same group that is receiving no traffic. When a packet arrives at such an idle port, its minimum secured bandwidth is returned to it. In this way the user secures a minimum bandwidth for every port while extending the bandwidth of a port under heavy traffic.
This function cannot be used together with Rate limit. You must disable Rate limit on a port before that port can belong to a Bandwidth-share-group. To configure, create a group first by using the following command.
Command: bandwidth-share-group NAME {ingress | egress} BANDWIDTH
Mode: Bridge
Description: Configures a group named NAME for bandwidth sharing. BANDWIDTH: the maximum bandwidth of the group (unit: Mbps)
After configuring a group, assign ports as members. To assign members to a group, use the following command.
Command: bandwidth-share-group NAME member PORTS BANDWIDTH
Mode: Bridge
Description: Assigns ports to the group named NAME. BANDWIDTH is the minimum secured bandwidth and the unit is Mbps.
The following example shows configuring group A with a maximum ingress bandwidth of 100Mbps, and assigning ports 2 ~ 6 with a minimum secured bandwidth of 10Mbps.
SWITCH(bridge)# bandwidth-share-group A ingress 100
SWITCH(bridge)# bandwidth-share-group A member 2-6 10
SWITCH(bridge)# show running-config
(Omitted)
bandwidth-share-group A ingress 100
bandwidth-share-group A member 2-6 10
!
(Omitted)
8.10 NAT
NAT (Network Address Translation) uses private IP addresses, which are meant to be used only inside the internal network. This conserves the limited supply of public IP addresses and strengthens security, because the IP addresses of the internal network are hidden from outside; hiding addresses alone does not filter traffic, which is what the IP filtering in 8.10.7 IP Filtering is for. V1624 supports Static NAT, Port Address Translation (PAT) and Dynamic NAT. This section describes how to configure NAT. It contains these sections:
Configuring Static NAT
Configuring PAT
Configuring IP Masquerade
Configuring Dynamic NAT
Substituting DNS
Additional Functions
IP Filtering
8.10.1 Configuring Static NAT
8.10.2 Configuring PAT
V1624 provides PAT (Port Address Translation), which converts the IP addresses in the local network to the public IP addresses configured on the switch in order to access the public network. To configure PAT, use the following command.
Command: ip nat pat A.B.C.D/M
Mode: Global
Description: Converts local IP addresses in the local network to a public IP address to access the public network. A.B.C.D/M: subnet to NAT. The command also has a form that disables PAT for the applicable local network.
If PAT is enabled with this command, the public IP address used to access the public network is selected automatically according to the applicable rule.
8.10.3 Configuring IP Masquerade
IP masquerade makes several local IP addresses appear as one public IP address when their traffic goes to the external network. That is, data sent from different local IP addresses looks as if it were sent from one public IP address. To configure IP masquerade, use the following command.
Command: ip nat masq-address A.B.C.D
Mode: Global
Description: Assigns a specific public IP address to access the public network. A.B.C.D: public IP address. The command also has a form that disables IP masquerade.
8.10.4 Configuring Dynamic NAT
The lowest address is the IP address at which the IP pool starts, and the highest address is the IP address at which it ends.
8.10.5 Substituting DNS
When a host in the private network tries to connect to a domain name in the same network, the V1624 DNS (Domain Name Server) substitutes the private IP address for the public IP address. To configure DNS, use the following command.
Command: ip nat dns
Mode: Global
Description: Configures DNS, which substitutes the private IP address for the public IP address of the domain name.
Command: no ip nat dns
Mode: Global
Description: Disables DNS.
8.10.6 Additional Functions
To use other application programs with the IP address configured for NAT, use the following commands.
Command: ip nat helper {cuseeme | dialpad | ftp | irc | quake | raudio | vdolive}
Mode: Global
Description: Helps the masqueraded IP address be applied to applications such as Dialpad and FTP server programs.
Command: ip nat autofw {udp | tcp} LOW-NUMBER HIGH-NUMBER {udp | tcp} PORT
Mode: Global
Description: Traffic from the port number configured as LOW to the port number configured as HIGH goes out with the assigned port number using the designated protocol.
Command: ip nat portfw {udp | tcp} LOCAL-ADDR PORT REMOTE-ADDR PORT [PREFERENCE-LEVEL]
Mode: Global
Description: Converts the IP address and port of an application not configured in the router into the IP address and port to communicate with.
8.10.7 IP Filtering
When IP NAT is enabled, packets are sent up to the CPU to run IP NAT, and the user may need only some of those packets. To filter the packets processed by the CPU, use IP filtering. To enable IP filtering, use the following commands.
Command: ip filter add {permit | deny} {SRC-ADDR | any} {DES-ADDR | any}
Mode: Global
Description: Configures a basic policy for incoming packets.
Command: ip filter add {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} {icmp | udp | tcp} {SRC-PORT | any} {DES-PORT | any} [interface NAME]
Mode: Global
Description: Configures a new policy for incoming packets. You can also configure a specific port of the address.
Command: ip filter add {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} interface NAME
Mode: Global
Description: Configures a basic policy for incoming packets on an interface.
Command: ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp [forward]
Command: ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} [forward]
Command: ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} interface NAME [forward]
Mode: Global
Description: Configures a new policy for ICMP packets.
Command: ip filter add {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT forward
Command: ip filter add {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT interface INTERFACE forward
Command: ip filter add {permit | deny} SRC-ADDR DES-ADDR forward
Command: ip filter add {permit | deny} SRC-ADDR DES-ADDR interface INTERFACE forward
Mode: Global
Description: Configures a basic policy for forwarding packets.
When using the command ip filter add {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE}, the user needs to decide the values of type and code. The following command shows the list of values.
Command: show ip filter icmp type-list
Mode: Top/Global
Description: Shows the list of type and code values for ICMP packets.
Each configured IP filtering policy gets a sequential Rule-number, and you can refer to a policy through its Rule-number. To display the configured IP filtering policies in order, use the following command.
Command: show ip filter
Mode: Top/Global
Description: Shows the configured IP filtering policies in order.
The following is an example of configuring an IP filtering policy that blocks packets from 172.16.89.200/16 to 172.16.30.15/16 but allows ICMP. Note that with a /16 mask both addresses are applied as the 172.16.0.0/16 network, as the show output indicates.
SWITCH(config)# ip filter add permit 172.16.89.200/16 172.16.30.15/16 icmp any any
SWITCH(config)# ip filter add deny 172.16.89.200/16 172.16.30.15/16
SWITCH(config)# show ip filter
Chain input (policy ACCEPT):
target  prot  opt     source         destination    ports
ACCEPT  icmp  ------  172.16.0.0/16  172.16.0.0/16  any -> any
DENY    all   ------  172.16.0.0/16  172.16.0.0/16  n/a
To change the order of IP packet filtering policies, use the following commands to insert a policy among the existing ones.
Command: ip filter insert RULE-NUMBER {permit | deny} {SRC-ADDR | any} {DES-ADDR | any}
Command: ip filter insert RULE-NUMBER {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} {icmp | udp | tcp} {SRC-PORT | any} {DES-PORT | any} [interface NAME]
Command: ip filter insert RULE-NUMBER {permit | deny} {SRC-ADDR | any} {DES-ADDR | any} interface NAME
Command: ip filter insert {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp [forward]
Command: ip filter insert {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} [forward]
Command: ip filter insert {permit | deny} {any | SRC-ADDR} {any | DES-ADDR} icmp TYPE {any | CODE} interface NAME [forward]
Command: ip filter insert RULE-NUMBER {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT forward
Command: ip filter insert RULE-NUMBER {permit | deny} SRC-ADDR DES-ADDR {icmp | udp | tcp} SRC-PORT DST-PORT interface INTERFACE forward
Command: ip filter insert RULE-NUMBER {permit | deny} SRC-ADDR DES-ADDR forward
Command: ip filter insert RULE-NUMBER {permit | deny} SRC-ADDR DES-ADDR interface INTERFACE forward
Mode: Global
Description: Inserts the specified policy at the specified Rule-number.
When you use the command ip filter insert, the specified policy gets the specified Rule-number and the existing policies from that number on are shifted to the next number.
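The ordering rules above (sequential Rule-numbers, add appends, insert shifts later rules, the first matching rule decides) as an added Python model for working through a policy before typing it in. It is not the switch's code; first-match evaluation and the dropping of host bits (172.16.89.200/16 becoming 172.16.0.0/16) are assumptions read off the show ip filter output in this section, not statements of the manual.

```python
"""Model of the V1624 'ip filter' input chain: rules get sequential
Rule-numbers, 'add' appends, 'insert RULE-NUMBER' shifts later rules up,
and evaluation stops at the first matching rule (chain policy otherwise).
Added example, not the switch's firmware; first-match semantics and the
dropping of host bits are assumptions read off the manual's show output."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]     # None means 'any'
    dst: Optional[ipaddress.IPv4Network]     # None means 'any'
    proto: str = "all"                       # icmp / udp / tcp / all
    sport: Optional[int] = None              # None means 'any'
    dport: Optional[int] = None              # None means 'any'


def _net(text: str) -> Optional[ipaddress.IPv4Network]:
    """'any' -> None; otherwise a network with the host bits dropped."""
    return None if text == "any" else ipaddress.ip_network(text, strict=False)


def _port(text: str) -> Optional[int]:
    return None if text == "any" else int(text)


class FilterChain:
    def __init__(self, policy: str = "permit"):
        self.policy = policy          # applied when no rule matches
        self.rules: List[Rule] = []   # index 0 holds Rule-number 1

    def _make(self, action, src, dst, proto, sport, dport) -> Rule:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        return Rule(action, _net(src), _net(dst), proto, _port(sport), _port(dport))

    def add(self, action, src, dst, proto="all", sport="any", dport="any") -> int:
        """ip filter add ...: append and return the Rule-number it received."""
        self.rules.append(self._make(action, src, dst, proto, sport, dport))
        return len(self.rules)

    def insert(self, rule_number, action, src, dst, proto="all", sport="any", dport="any") -> int:
        """ip filter insert RULE-NUMBER ...: the new rule takes that number and
        every existing rule from that position on moves to the next number."""
        if not 1 <= rule_number <= len(self.rules) + 1:
            raise ValueError("Rule-number out of range")
        self.rules.insert(rule_number - 1, self._make(action, src, dst, proto, sport, dport))
        return rule_number

    def evaluate(self, src_ip, dst_ip, proto="all", sport=None, dport=None) -> Tuple[str, int]:
        """Return (action, Rule-number); Rule-number 0 means the chain policy applied."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for number, r in enumerate(self.rules, start=1):
            if r.src is not None and src not in r.src:
                continue
            if r.dst is not None and dst not in r.dst:
                continue
            if r.proto != "all" and r.proto != proto:
                continue
            if r.sport is not None and r.sport != sport:
                continue
            if r.dport is not None and r.dport != dport:
                continue
            return r.action, number
        return self.policy, 0

    def show(self) -> List[str]:
        """Rows in the spirit of 'show ip filter'."""
        names = {"permit": "ACCEPT", "deny": "DENY"}
        rows = [f"Chain input (policy {names[self.policy]}):"]
        for n, r in enumerate(self.rules, start=1):
            if r.proto == "all":
                ports = "n/a"
            else:
                sp = "any" if r.sport is None else r.sport
                dp = "any" if r.dport is None else r.dport
                ports = f"{sp} -> {dp}"
            src = "any" if r.src is None else str(r.src)
            dst = "any" if r.dst is None else str(r.dst)
            rows.append(f"{n} {names[r.action]} {r.proto} {src} {dst} {ports}")
        return rows


def manual_example() -> FilterChain:
    """The two 'ip filter add' commands from this section of the manual."""
    chain = FilterChain(policy="permit")
    chain.add("permit", "172.16.89.200/16", "172.16.30.15/16", "icmp", "any", "any")
    chain.add("deny", "172.16.89.200/16", "172.16.30.15/16")
    return chain


if __name__ == "__main__":
    c = manual_example()
    print("\n".join(c.show()))
    print(c.evaluate("172.16.89.200", "172.16.30.15", "icmp"))           # ('permit', 1)
    print(c.evaluate("172.16.89.200", "172.16.30.15", "tcp", 4000, 80))  # ('deny', 2)
```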
8.11 Bandwidth
Routing protocols use the bandwidth information to compute the routing distance value. To configure the bandwidth of an interface, use the following command.
Command: bandwidth KILOBITS
Mode: Interface
Description: Configures the bandwidth of the interface.
Command: no bandwidth [KILOBITS]
Mode: Interface
Description: Deletes the configured bandwidth of the interface.
The bandwidth can be from 1 to 10,000,000 Kbits. This value is used only for routing information and does not affect the physical bandwidth. The following is an example of configuring the bandwidth as 1000 Kbits and checking it.
SWITCH(config-if)# bandwidth 1000
SWITCH(config-if)# show running-config
(omitted)
interface br1
 no shutdown
 bandwidth 1000
(omitted)
8.12 DHCP
DHCP (Dynamic Host Configuration Protocol) lets a DHCP server assign IP addresses to DHCP clients automatically and manage those addresses. In an environment where not all PCs are connected to the network at the same time, not all of them need to hold an IP address; when some of them need one, it can be assigned automatically. The DHCP server is the device that assigns the IP addresses automatically, and the DHCP clients are the PCs. DHCP provides the following benefits.
Saving cost: With a limited supply of IP addresses, many users can connect to the Internet, which saves IP addresses and cost.
Effective network management: Anyone can configure the DHCP server, and the DHCP clients on the network managed by that server can access the network without specialist knowledge such as configuring TCP/IP for the network environment.
Fig. 8.17 DHCP Service Structure (IP packet broadcast, subnet, PC = DHCP client)
The V1624 can be the DHCP server or the DHCP Relay agent according to the user's configuration. The function of the DHCP Relay agent is to connect the DHCP server to the DHCP clients.
8.12.1
8.12.1.1
You can configure the IP address, default gateway and DHCP group to be used in the subnet configured by the user. Enter exit to go back to Global Configuration mode, and enter end to go directly to Top mode. The subnet range configured for one group cannot overlap with another subnet.
8.12.1.2
It is possible to configure non-contiguous address ranges within the same IP address range. For example, you can configure the ranges 192.168.1.10 to 192.168.1.20 and 192.168.1.30 to 192.168.1.40 in the IP address range 192.168.1.0/24.
8.12.1.3
8.12.1.4
If the DHCP daemon is not activated, the message "Can't start DHCP server." is shown when moving to Global Configuration mode after configuring a subnet. If there is something wrong with the DHCP configuration, the message "Can't start DHCP server." is shown when activating the DHCP daemon, and the DHCP server is not enabled.
8.12.1.5
8.12.1.6
When you do not need the function that prohibits assigning an IP address to one MAC address, activate the DHCP server with the command ip dhcp server.
8.12.1.7
The default is one hour (3600 seconds), and the maximum is two hours.
The following is an example of configuring a DHCP server with the network range 192.168.1.0/24 as the subnet and 192.168.1.10 ~ 192.168.1.20 and 192.168.1.30 ~ 192.168.1.40 as the IP address ranges. The default gateway of the subnet is configured as 192.168.1.254 and the DHCP server is activated.
SWITCH(config)# ip dhcp subnet 192.168.1.0 netmask 255.255.255.0
SWITCH(config-dhcp)# range 192.168.1.10 192.168.1.20
SWITCH(config-dhcp)# range 192.168.1.30 192.168.1.40
SWITCH(config-dhcp)# exit
SWITCH(config)# ip dhcp server
SWITCH(config)# show running-config
Building configuration...
(omitted)
ip dhcp lease max 7200
ip dhcp lease default 3600
ip dhcp subnet 192.168.1.0 netmask 255.255.255.0
 range 192.168.1.10 192.168.1.20
 range 192.168.1.30 192.168.1.40
ip dhcp server
SWITCH(config)#
When the user configures a wrong network subnet for the IP addresses to be assigned by the DHCP server and then activates DHCP, an error message is shown. The following is an example of the error message shown when configuring the IP address range and the DHCP server after configuring the netmask of 192.168.1.0 wrongly as 255.0.0.0 instead of 255.255.255.0.
The error message in the example below means that the DHCP server is not activated.
SWITCH(config)# ip dhcp subnet 192.168.1.0 netmask 255.0.0.0
SWITCH(config-dhcp)# range 192.168.1.10 192.168.1.20
SWITCH(config-dhcp)# exit
SWITCH(config)# ip dhcp server
Address range 192.168.1.10 to 192.168.1.20 not on net 192.168.1.0/255.0.0.0!
Can't start DHCP server.
SWITCH(config)#
8.12.1.8
The following is an example of viewing the total number of IP addresses that can be assigned and the number of clients that have received an IP address.
SWITCH(config)# show ip dhcp user
Max lease: 0 (2003/03/12 13:19:05)
Total ip: 22
Total users: 0 (0%)
SWITCH(config)#
The above example shows that twenty-two IP addresses can be assigned and that no client has received an IP address yet.
The following is an example of viewing detailed client information when there are clients that have received an IP address.
SWITCH(config)# show ip dhcp user detail
lease 192.168.1.11 {
 starts Wed Mar 12 05:27:39 2003
 ends Wed Mar 12 06:27:39 2003
 hardware ethernet 00:50:da:ea:a0:04;
 uid 01:00:50:da:ea:a0:04;
 client-hostname "note";
8.12.1.9
8.12.1.10
8.12.2
Do not assign a static IP address from the DHCP pool to a DHCP client; the DHCP function may work incorrectly. The function that blocks static IP addresses is not applied to a static IP address already assigned to a DHCP client. To check a static IP address assigned to a DHCP client, use the following commands.
Command: show running-config
Command: show mac INTERFACE [PORTS]
Command: show arp
Mode: Global
Description: Checks a static IP address assigned to a DHCP client.
Only when the MAC address of a DHCP client using a static IP address is registered in the ARP table can the user check the assigned static IP address with the command show mac INTERFACE or show arp.
8.12.3
To delete the list of blocked DHCP clients using a static IP address, use the following command.
Command: clear ip dhcp user illegal-entry
Mode: Global
Description: Deletes the list of blocked DHCP clients using a static IP address.
To display the list of blocked DHCP clients illegally using a static IP address, use the following command.
Command: show ip dhcp user illegal-entry {ip | mac}
Mode: Global
Description: Shows the list of blocked DHCP clients illegally using a static IP address.
8.12.4
Fig. 8.18 (Relay Agent 1, Relay Agent 2, Subnet 2)
Use the following command in Global Configuration mode to enable the DHCP relay feature on your system.
Command: ip dhcp relay SERVER-ADDR [SERVER-ADDR]
Mode: Global
Description: Forwards IP address requests to the DHCP server.
Command: no ip dhcp relay [SERVER-ADDR]
Mode: Global
Description: Disables the DHCP relay feature.
8.12.5
8.12.6
Since a TFTP server does not authenticate users with an ID and password when they access it, its security is weak. To reduce this exposure, the back-up file can only be written when a file with the same name as the file you need to copy already exists on the TFTP server.
Command: ip dhcp database TFTP-ADDRESS FILE-NAME write-delay TIME
Mode: Global
Description: Makes the back-up file of the DHCP lease database and configures the time limit for accessing the TFTP server. A second form of the command also configures the syslog message to be sent in case of access failure, and a further form deletes the DHCP lease database back-up file.
The unit of time is seconds when you configure the back-up interval of the DHCP lease database with write-delay, and max-time is the time limit for accessing the TFTP server.
8.12.7 DHCP Option-82
As subscriber networks grow, a DHCP server has to assign IP addresses to many subscribers. The user can manage subscribers efficiently with DHCP Option-82. With DHCP Option-82, the DHCP Relay sends DHCP Request packets with Option-82 information attached, and the subscriber is authenticated through this information. Through Option-82, DHCP not only assigns IP addresses but also restricts access to the server; it also provides differentiated service and enhances security.
V1624 transmits the port number and the Remote ID in Option-82 to the DHCP server. The port number has a higher priority than the Remote ID. When it receives a Request packet without Option-82 information, it attaches its own information. If the Remote ID recorded in Option-82 is the same as the MAC address of its own system, it removes Option-82 and transmits the packet by the designated port number. The following shows the packet flow.
Fig. 8.19 DHCP Option-82 packet flow (DHCP Client, 1. DHCP Request, DHCP Server, 4. DHCP Respond)
This section describes how to configure DHCP Option-82. It contains these sections:
Enabling DHCP Option-82
Configuring Option-82 Packet Policy
Configuring Trust Packet
Restricting the Number of Assigning IP Address
8.12.7.1
8.12.7.2
drop means to throw away the Option-82 packet. keep means that the Relay agent transmits the packets preserving the Option-82 as the agent sends it, and replace means to transmit them after changing the Option-82 to its own information. It is possible to configure the rule for Option-82 packets whether V1624 is the DHCP server or the DHCP Relay agent.
8.12.7.3
deny means to drop all the packets, and permit means to permit all the packets.
Step 2 Configure the applicable port number and remote-ID for assigning IP addresses. A packet that has the configured port number or remote-ID is automatically permitted by the permit option. The DHCP server checks the port number in the Option-82 packet first; if the port number does not match the configured value, the server checks the remote-ID.
198
DPW:G-S-1624H0-04
User Manual
V1624
UMN:CLI
The following commands configure the port number and remote-ID.
Command: trust port PORT
Mode: Option-82
Description: Configures a port number of Option-82 packets.
Command: trust system MACADDR
Mode: Option-82
Description: Configures a remote-ID of Option-82 packets.
Command: no trust port PORT
Mode: Option-82
Description: Deletes a port number of Option-82 packets.
Command: no trust system MACADDR
Mode: Option-82
Description: Deletes a remote-ID of Option-82 packets.
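The Option-82 decision order described in this section (port number checked first, remote-ID only when the port does not match, trusted packets permitted regardless of the deny/permit default) and the relay-side attach/strip behaviour from the section introduction, as an added Python model that is not the switch's code. Assumptions not given by the manual: the port number travels in the Agent Circuit ID sub-option (code 1) as a 16-bit big-endian value and the remote-ID in the Agent Remote ID sub-option (code 2) as a 6-byte MAC; the sub-option codes are the RFC 3046 ones.

```python
"""Model of the V1624 DHCP Option-82 trust check and relay handling.
Added example, not the switch's code. The sub-option encodings used for
'port number' and 'remote-ID' are assumptions (RFC 3046 codes 1 and 2)."""
from typing import Dict, Optional, Tuple

SUB_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID: assumed to carry the port number
SUB_REMOTE_ID = 2    # RFC 3046 Agent Remote ID: assumed to carry the 6-byte MAC


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_option82(port: int, remote_id_mac: str) -> bytes:
    """Option-82 value as a relay would attach it: two TLV sub-options."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port does not fit in 16 bits")
    circuit = port.to_bytes(2, "big")
    remote = mac_to_bytes(remote_id_mac)
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)


def parse_option82(raw: bytes) -> Dict[int, bytes]:
    """Split the Option-82 value into {sub-option code: data}; a truncated
    encoding is rejected rather than guessed at."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        code, length = raw[i], raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option data")
        subs[code] = data
        i += 2 + length
    return subs


class Option82Trust:
    """'trust port PORT', 'trust system MACADDR' and the deny/permit default."""

    def __init__(self, default: str = "deny"):
        if default not in ("permit", "deny"):
            raise ValueError("default policy must be permit or deny")
        self.default = default
        self.trusted_ports = set()
        self.trusted_systems = set()

    def trust_port(self, port: int) -> None:
        self.trusted_ports.add(port)

    def trust_system(self, mac: str) -> None:
        self.trusted_systems.add(mac.lower())

    def decide(self, option82: Optional[bytes]) -> Tuple[str, str]:
        """Return (action, reason). The port number is checked first; the
        remote-ID only when the port number does not match a trusted port."""
        if option82 is None:
            return self.default, "no option-82"
        subs = parse_option82(option82)
        circuit = subs.get(SUB_CIRCUIT_ID)
        if circuit is not None and len(circuit) == 2:
            if int.from_bytes(circuit, "big") in self.trusted_ports:
                return "permit", "trusted port"
        remote = subs.get(SUB_REMOTE_ID)
        if remote is not None and len(remote) == 6:
            if bytes_to_mac(remote) in self.trusted_systems:
                return "permit", "trusted remote-ID"
        return self.default, "default policy"


def relay_process(option82: Optional[bytes], own_mac: str, ingress_port: int) -> Optional[bytes]:
    """Relay-side handling from this section: attach Option-82 when the
    request carries none; strip it when its remote-ID is this system's own
    MAC; otherwise pass it through unchanged. None means 'no Option-82'."""
    if option82 is None:
        return build_option82(ingress_port, own_mac)
    remote = parse_option82(option82).get(SUB_REMOTE_ID)
    if remote is not None and bytes_to_mac(remote) == own_mac.lower():
        return None
    return option82
```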
8.12.7.4
8.12.8
8.12.9
If DHCP snooping is enabled on the V1624 system, DHCP packets include the DHCP Option-82 field by default.
DHCP Option 77
The V1624 can forward packets based on the policy or the value of the DHCP user class ID in the DHCP message sent by the client. The user class ID in the DHCP option 77 field identifies the type of client sending the DHCP Discover/Request message. When the V1624 receives a DHCP message from a client, it forwards the same packet to the server if the DHCP option 77 policy is keep. Otherwise, when the packet has no user class ID and the DHCP option 77 policy is replace, it adds the user class ID configured for the port to the packet and forwards it to the server. The DHCP server can use the DHCP option 77 field to hand out IP addresses from a particular pool based on the user class ID of the DHCP client.
To use the DHCP option 77 function, DHCP Option 77 must be enabled on the V1624 system. If DHCP Option 77 is disabled on the system, the configured DHCP option 77 settings are automatically deleted.
To configure a user class ID of DHCP option 77 on a specified port, use the following command.
Command: ip dhcp snooping user-class-id port PORT class-id CLASS-ID
Mode: Global
Description: Configures the DHCP user class ID of DHCP option 77 per port.
To configure the policy of DHCP option 77 on a specified port, use the following command.
Command: ip dhcp snooping user-class-id policy {replace | keep}
Mode: Global
Description: Configures the policy of the DHCP option 77 field for DHCP Request packets (default: replace). replace: forwards DHCP packets with the user class ID according to the DHCP option 77 field format. keep: forwards DHCP packets without any user class ID.
To delete a configured user class ID of the DHCP option 77 field, use the following commands.
Command: no ip dhcp snooping user-class-id port PORT class-id CLASS-ID
Mode: Global
Description: Deletes a configured user class ID of a port.
Command: no ip dhcp snooping user-class-id port PORT all
Mode: Global
Description: Deletes all configured user class IDs of a port.
8.12.10
By default, DHCP snooping only permits the IP addresses in the DHCP snooping binding table. However, you can configure the switch to permit an IP address that is not in the DHCP snooping binding table, or to deny an IP address that is in it. To add or delete entries (IP address and MAC address) in the DHCP snooping binding table, use the following commands.
Command: ip filter dhcp snoop permit PORTS A.B.C.D MACADDR
Mode: Global
Description: Adds a permit entry to the DHCP snooping binding table.
Command: ip filter dhcp snoop del PORTS {A.B.C.D | A.B.C.D/M}
Mode: Global
Description: Deletes an added permit entry.
To deny a specified IP address regardless of whether it exists in the DHCP snooping binding table, use the following command.
Command: ip filter dhcp snoop deny A.B.C.D/M
Mode: Global
Description: Denies a specified IP address.
Command: no ip filter dhcp snoop deny A.B.C.D/M
Mode: Global
Description: Releases a denied IP address.
To display the DHCP snooping binding table, use the following commands.
Command: show ip filter dhcp snoop [PORTS]
Mode: Top/Global
Description: Shows the DHCP snooping filtering list.
Command: show ip filter dhcp snoop {permit | deny}
Command: show ip filter dhcp snoop permit PORTS
Mode: Top/Global
Description: Shows the configured DHCP snooping filtering.
8.12.11 Authorized ARP
This function sets the delay before ARP inspection starts to run. Before setting it, ARP inspection must be enabled. ARP inspection checks the validity of incoming ARP packets against the DHCP snooping binding table and denies ARP packets that are not identified in the table. However, if the V1624 is rebooted for any reason, the DHCP snooping binding entries that were dynamically learned from ARP packets passing through the V1624 are lost. ARP inspection should therefore be delayed for some time so that the DHCP snooping table can build up its entries. If no delay is given, ARP inspection sees an empty snooping table and drops every ARP packet. To specify the ARP inspection delay time, use the following command.
Command: ip dhcp snooping arp-inspection start <1-2147483637>
Mode: Global
Description: Configures the ARP inspection delay time. After a reboot, ARP inspection resumes after the time you configure. 1-2147483637: delay time (unit: second, default: 1800)
Command: no ip dhcp snooping arp-inspection start
Mode: Global
Description: Deletes the configured ARP inspection delay time.
8.12.12
8.13
The above example is just for your reference; it may vary according to the DHCP configuration.
max-count can be set from 120 upward and is rounded to the closest multiple. For example, if you enter 500, it becomes 480. The newly updated V1624 provides not only broadcast storm control but also control of multicast and DLF (Destination Lookup Fail) storms. To use multicast and DLF storm control, use the following commands. All configurations of broadcast storm control are then applied equally to all VLANs.
Command: set storm-control include dlf
Mode: Bridge
Description: Enables DLF storm control. (Default: enable)
Command: set storm-control include multicast
Mode: Bridge
Description: Enables multicast storm control. (Default: disable)
Command: clear storm-control include dlf
Mode: Bridge
Description: Disables DLF storm control.
Command: clear storm-control include multicast
Mode: Bridge
Description: Disables multicast storm control.
8.14
The following is an example of blocking directed broadcast packets and checking it.
SWITCH(config)# ip forward direct-broadcast
SWITCH(config)# show running-config
Building configuration...
(omitted)
!
ip forward direct-broadcast
!
no snmp
!
SWITCH(config)#
9 IP Multicast
IP communication provides three types of packet transmission: unicast, broadcast and multicast. Unicast is communication from a single source host to a single destination host. This is still the most common form of transmission in IP networks. Broadcast is communication from a single source host to all destination hosts on a network segment. This form is also widely used, especially by network protocols, but it can be inefficient for those hosts in the subnet that are not participating in the broadcast. Multicast is communication from one or many source hosts to a specific group of destination hosts that are interested in the information from the sources. This type of packet transmission can be deployed for a number of applications with more efficient use of the network infrastructure.
The point of implementing multicast is how to deliver source traffic to specific destinations without placing any burden on the sources or receivers, while using the minimum network bandwidth. The solution is to create a group of hosts, address that group, and let the network determine how to replicate the source traffic to the receivers. The traffic is then addressed to the multicast address and replicated to the multiple receivers by the network devices. Standard multicast protocols such as IGMP provide most of these capabilities.
The IP multicast features of the V1624 consist of group membership management and Layer 2 multicast forwarding, which allow network administrators to achieve an effective and flexible multicast deployment. Fig. 9.1 shows an example of an IP multicast network. In this case, the V1624 is configured only with IGMP snooping (the L2 multicast forwarding feature) in the Layer 2 network.
Fig. 9.1 IP multicast network example (Layer 2 Network: Set-top Box, IGMP Join/Leave message, IGMP Snooping; Layer 3 Network: PIM Join/Prune message, PIM-SM; Multicast data)
9.1
9.1.1 IGMP Basic
Internet Group Management Protocol (IGMP) manages host membership in multicast groups. Hosts inform a neighbouring multicast router that they are interested in receiving the traffic of a certain multicast group by sending a membership report (joining the group). The router then forwards the multicast traffic corresponding to the report to the hosts. A multicast router called the querier is responsible for keeping track of the membership state of the multicast groups by sending periodic general query messages to the currently interested hosts. If there is no response to the query from the hosts for a given time (leaving the group), the router stops forwarding the traffic. Throughout this exchange between hosts and routers, IGMP messages are used to report or query the group membership.
IGMP has three versions that are supported by hosts and routers. The following are brief definitions of each version:
IGMP Version 1: The basic query-response mechanism for group membership management is introduced. Routers, however, have to use a timeout-based mechanism to discover members that are no longer interested in a group, since there is no leave process.
IGMP Version 2: IGMP messages such as leave group and group-specific query are added for an explicit leave process. This process greatly reduces the leave latency compared to IGMP version 1, so unwanted and unnecessary traffic can be constrained much faster.
IGMP Version 3: Source filtering is supported. That is, hosts can now join a group while specifying a set of sources to include or exclude, which enables source-specific multicast (SSM). It also increases the multicast address capability and enhances security against unknown multicast sources.
9.1.2 IGMP Version 2
In IGMP version 2, new extensions such as the leave process, election of an IGMP querier, and membership report suppression are added. The new IGMP messages, leave group and group-specific query, can be used by hosts to explicitly leave groups, greatly reducing the leave latency. The V1624 runs IGMPv2 by default.

IGMPv2 Messages
There are three types of IGMPv2 messages of concern to the host-router interaction:

Membership query
A multicast router determines if any hosts are listening to a group by sending membership queries. Membership queries have two subtypes.
General query: used to determine if any hosts are listening to any group.
Group-specific query: used to determine if any hosts are listening to a particular group.

Version 2 membership report
Used by hosts to join a group (unsolicited) or to respond to membership queries (solicited).

Leave group
Used to explicitly leave a group.
IGMPv2 Operation
An IGMP querier is the only router that sends membership query messages on a network segment. In IGMP version 2, the querier is the router with the lowest IP address on the subnet. If a router hears no queries during the timeout period, it becomes the querier.

A host joins multicast groups by sending unsolicited membership report messages indicating that it wants to receive multicast traffic for those groups (that is, to become a member of the groups). The querier periodically sends general query messages to discover which multicast groups have members on the router's attached networks. These messages are addressed to the all-hosts multicast group, 224.0.0.1, with a time-to-live (TTL) value of 1. If no host responds to a query within the maximum response time advertised in the message, the multicast router concludes that no local hosts are members of the group and stops forwarding multicast traffic for that group onto the local network.

When hosts respond to membership queries from an IGMP querier, membership reports from hosts other than the first one are suppressed to avoid unnecessary traffic. For an IGMP querier, it is sufficient to know that there is at least one interested member for a group on the network segment.

When a host is no longer interested in receiving the multicast traffic for a particular group, it can explicitly leave the group by sending a leave group message. Upon receiving a leave message, the querier sends a group-specific query to determine whether any host is still interested in receiving the traffic. If there is no reply, the querier stops forwarding the multicast traffic.
9.1.2.1
[A.B.C.D]
no ip igmp static-group A.B.C.D vlan VLAN [port PORT]
no ip igmp static-group A.B.C.D vlan VLAN port PORT [{reporter A.B.C.D | *}]
To display the IGMP static join group list, use the following command.

Command                      Mode                 Description
show ip igmp static-group    Top/Global/Bridge    Shows the IGMP static join group list.
If you do not specify the reporter option, the IP address configured on the VLAN is used as the source address of the membership report by default. If no IP address is configured on the VLAN, 0.0.0.0 is used. This feature only supports IGMPv2 hosts; it does not support IGMPv3 hosts.
9.1.3 IGMP Version 3
IGMP version 3 provides support for source filtering, which means receiving multicast traffic for a group only from specific source addresses, or from all sources except specific ones. This allows the Source-Specific Multicast (SSM) model. Source filtering is implemented by a major revision of the membership report. IGMPv3 membership reports contain two types of record, current-state and state-change, and each record specifies a filter mode and a source list. A report can contain multiple group records, allowing the full current state to be reported in fewer packets. IGMPv3 snooping features are provided.

IGMPv3 Messages
There are two types of IGMPv3 messages of concern to the host-router interaction:

Membership query
A multicast router determines if any hosts are listening to a group by sending membership queries. There are three variants.
General query: used to determine if any hosts are listening to any group.
Group-specific query: used to determine if any hosts are listening to a particular group.
Group-source-specific query: used to determine if any hosts are listening to a particular group from particular sources.

Version 3 membership report
Used by hosts to report the current multicast reception state, or changes in the reception state, of their interfaces. An IGMPv3 membership report contains group records; each group record is a block of fields describing the host's membership in a single multicast group on the interface from which the report is sent. A single report may contain multiple group records. Each group record carries one of the following kinds of information:
Current-state: indicates the current filter mode (include or exclude) for the specified multicast address.
Filter-mode-change: indicates a change from the current filter mode to the other mode.
Source-list-change: indicates a change allowing or blocking the list of multicast sources specified in the record.
IGMPv3 Operation
Basically, IGMPv3 has the same join/leave (allow/block in IGMPv3 terminology) and query-response mechanisms as IGMPv2. Because of the major revision of the membership report, however, leave group messages are no longer used for the explicit leave process. In IGMPv3, membership reports with state-change records are used to allow or block multicast sources, and those with current-state records are used to respond to membership queries. The membership report suppression feature has been removed so that multicast routers can keep track of membership state per host.
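The message formats described in Sections 9.1.2 and 9.1.3 can be checked against real traffic. The following Python script is an added example, not V1624 firmware code: it builds and decodes IGMPv2 query/report/leave messages and IGMPv3 membership reports with their group records as defined in RFC 2236 and RFC 3376, verifies the RFC 1071 checksum before trusting any field, and performs the IGMPv2 querier election (lowest IP address, compared numerically rather than as a string). All packets and addresses are constructed for the example.

```python
"""Build and decode IGMPv2 messages and IGMPv3 membership reports.

Added example for Sections 9.1.2 and 9.1.3 (RFC 2236 / RFC 3376 wire format);
it is not V1624 firmware code. All packets and addresses are constructed.
"""
import socket
import struct

IGMP_TYPES = {
    0x11: "membership query",
    0x12: "v1 membership report",
    0x16: "v2 membership report",
    0x17: "v2 leave group",
    0x22: "v3 membership report",
}

# IGMPv3 group record types (RFC 3376, section 4.2.12)
RECORD_TYPES = {
    1: "MODE_IS_INCLUDE",
    2: "MODE_IS_EXCLUDE",
    3: "CHANGE_TO_INCLUDE_MODE",
    4: "CHANGE_TO_EXCLUDE_MODE",
    5: "ALLOW_NEW_SOURCES",
    6: "BLOCK_OLD_SOURCES",
}


def igmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_v2(msg_type: int, max_resp: int, group: str) -> bytes:
    """8-byte IGMPv1/v2 message; max_resp is in units of 1/10 second."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", igmp_checksum(body)) + body[4:]


def build_v3_report(records: list) -> bytes:
    """records: list of (record_type, group, [sources]) tuples."""
    body = bytearray(struct.pack("!BBHHH", 0x22, 0, 0, 0, len(records)))
    for rtype, group, sources in records:
        body += struct.pack("!BBH4s", rtype, 0, len(sources), socket.inet_aton(group))
        for src in sources:
            body += socket.inet_aton(src)
    body[2:4] = struct.pack("!H", igmp_checksum(bytes(body)))
    return bytes(body)


def parse(data: bytes) -> dict:
    """Decode one IGMP message; raises ValueError on a short or corrupted message.

    A valid message sums to zero under the RFC 1071 checksum, so a bit flip in
    the type, timer, group or source fields is rejected before they are used.
    """
    if len(data) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if igmp_checksum(data) != 0:
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp = data[0], data[1]
    out = {"type": IGMP_TYPES.get(msg_type, "unknown 0x%02x" % msg_type)}
    if msg_type == 0x22:
        out["records"] = _parse_v3_records(data)
        return out
    group = socket.inet_ntoa(data[4:8])
    out["group"] = group
    if msg_type == 0x11:
        # A general query carries group 0.0.0.0; anything else is group-specific.
        out["max_resp_s"] = max_resp / 10
        out["general"] = group == "0.0.0.0"
    return out


def _parse_v3_records(data: bytes) -> list:
    (n_records,) = struct.unpack("!H", data[6:8])
    records, off = [], 8
    for _ in range(n_records):
        rtype, aux_len, n_src = struct.unpack("!BBH", data[off:off + 4])
        group = socket.inet_ntoa(data[off + 4:off + 8])
        off += 8
        sources = [socket.inet_ntoa(data[off + 4 * i:off + 4 * i + 4]) for i in range(n_src)]
        off += 4 * n_src + 4 * aux_len  # aux data length is in 32-bit words
        records.append({"record": RECORD_TYPES.get(rtype, rtype), "group": group, "sources": sources})
    return records


def is_valid(data: bytes) -> bool:
    """True only if parse() accepts the message (length, checksum, field layout)."""
    try:
        parse(data)
        return True
    except (ValueError, struct.error, OSError):
        return False


def elect_querier(router_ips) -> str:
    """IGMPv2 querier election: the lowest IP address wins, compared numerically."""
    return min(router_ips, key=lambda ip: struct.unpack("!I", socket.inet_aton(ip))[0])
```

The checksum check matters on a snooping switch: control-plane state (group tables, querier role) is built from these messages, so a damaged or malformed packet should be discarded rather than parsed. The numeric comparison in the election shows why the querier is not simply the lexicographically smallest address: 10.0.0.9 beats 10.0.0.10.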
9.2 Multicast Functions
The V1624 provides various multicast functions, including Layer 2 multicast forwarding, which allow you to achieve an effective and flexible multicast deployment. This section describes the following features:
Multicast Forwarding Database
IGMP Snooping Basic
IGMPv2 Snooping
IGMPv3 Snooping
Displaying IGMP Snooping Information
IGMP Filtering and Throttling
9.2.1
9.2.1.1
This command should not be used for the ports to which a multicast router is attached!
9.2.1.2
To specify the maximum number of forwarding entries in the McFDB, use the following command.

Command                             Mode     Description
ip mcfdb aging-limit <256-65535>    Global   Specifies the maximum number of forwarding entries in the McFDB.
                                             256-65535: number of entries (default: 5000)
no ip mcfdb aging-limit             Global   Deletes the specified maximum number of forwarding entries.
9.2.1.3
9.2.2

Fig. 9.2 IGMP Snooping (figure labels: Multicast Packet; 2. Forward the multicast traffic to the port on which the join message is received)
9.2.2.1
9.2.2.2
To delete the specified IGMP snooping version, use the following command.

Command                                    Mode     Description
no ip igmp snooping version                Global   Deletes the specified IGMP snooping version.
no ip igmp snooping vlan VLANS version     Global   Deletes the specified IGMP snooping version on a VLAN.
9.2.2.3
VLANS robustness-variable
9.2.3 IGMPv2 Snooping
9.2.3.1
If you do not specify a source address for IGMP snooping queries, the IP address configured on the VLAN is used as the source address by default. If no IP address is configured on the VLAN, 0.0.0.0 is used.

IGMP Snooping Query Interval
An IGMP snooping querier periodically sends general query messages to trigger membership reports from hosts that want to receive IP multicast traffic. To specify the interval at which general query messages are sent, use the following command.
Command                                                        Mode     Description
ip igmp snooping querier query-interval <1-1800>               Global   Specifies the IGMP snooping query interval in seconds.
                                                                        1-1800: query interval (default: 125)
ip igmp snooping vlan VLANS querier query-interval <1-1800>    Global   Specifies the IGMP snooping query interval on a VLAN.
                                                                        VLANS: VLAN ID (1-4094)
To delete a specified general query interval, use the following command.

Command                                                   Mode     Description
no ip igmp snooping querier query-interval                Global   Deletes the specified IGMP snooping query interval.
no ip igmp snooping vlan VLANS querier query-interval     Global   Deletes the specified IGMP snooping query interval on a VLAN.
IGMP Snooping Query Response Time
Membership query messages include a maximum response time field, which specifies the maximum time allowed before a host sends a responding report. A short maximum response time lets the querier detect quickly that no hosts remain interested in a group's traffic.
To specify the maximum response time advertised in general query messages, use the following command.

Command                                                          Mode     Description
ip igmp snooping querier max-response-time <1-25>                Global   Specifies the maximum query response time in seconds.
                                                                          1-25: maximum response time (default: 10)
ip igmp snooping vlan VLANS querier max-response-time <1-25>     Global   Specifies the maximum query response time on a VLAN.
                                                                          VLANS: VLAN ID (1-4094)
To delete a specified maximum query response time, use the following command.

Command                                                      Mode     Description
no ip igmp snooping querier max-response-time                Global   Deletes the specified maximum query response time.
no ip igmp snooping vlan VLANS querier max-response-time     Global   Deletes the specified maximum query response time on a VLAN.
Displaying IGMP Snooping Querier Information
To display IGMP querier information and configured parameters, use the following command.

Command                                                 Mode                 Description
show ip igmp snooping [vlan VLANS] querier [detail]     Top/Global/Bridge    Shows IGMP querier information and configured parameters.
9.2.3.2
To delete a specified interval for sending group-specific or group-source-specific query messages, use the following command.

Command                                                       Mode     Description
no ip igmp snooping last-member-query-interval                Global   Deletes the specified last member query interval.
no ip igmp snooping vlan VLANS last-member-query-interval     Global   Deletes the specified last member query interval on a VLAN.
9.2.3.3
To disable IGMP snooping immediate leave, use the following command.

Command                                             Mode     Description
no ip igmp snooping immediate-leave                 Global   Disables IGMP snooping immediate leave.
no ip igmp snooping port PORTS immediate-leave      Global   Disables IGMP snooping immediate leave on the specified ports.
no ip igmp snooping vlan VLANS immediate-leave      Global   Disables IGMP snooping immediate leave on the specified VLANs.
Use immediate leave together with the explicit host tracking feature (see Section 9.2.4.1). Without explicit tracking, when more than one IGMP host belongs to a VLAN and one of them sends a leave group message, the switch removes all host entries for that group from the forwarding table of the VLAN. The switch then loses the hosts that should have remained in the forwarding table until they send join reports in response to the switch's next general query.
9.2.3.4
suppression
To disable IGMP snooping report suppression, use the following command.

Command                                               Mode     Description
no ip igmp snooping report-suppression                Global   Disables IGMP snooping report suppression.
no ip igmp snooping vlan VLANS report-suppression     Global   Disables IGMP snooping report suppression on a VLAN.
IGMP snooping report suppression is supported only for IGMPv1 and IGMPv2 reports. An IGMPv3 report can carry the information for all the groups a host is interested in, so there is no need for report suppression: the number of reports is generally equal to the number of hosts.
9.2.3.5
To disable IGMP snooping S-Query Report Agency, use the following command.

Command                                       Mode     Description
no ip igmp snooping s-query-report agency     Global   Disables IGMP snooping s-query-report agency.
9.2.3.6
Multicast Router Port Learning
Multicast router ports are added to the forwarding table for every Layer 2 multicast entry. The switch dynamically learns those ports by snooping PIM hello packets. To enable the switch to learn multicast router ports through PIM hello packets, use the following command.

Command                                           Mode     Description
ip igmp snooping mrouter learn pim                Global   Enables learning of multicast router ports through PIM hello packets globally.
ip igmp snooping vlan VLANS mrouter learn pim     Global   Enables learning of multicast router ports through PIM hello packets on a VLAN.
                                                           VLANS: VLAN ID (1-4094)
To disable learning of multicast router ports through PIM hello packets, use the following command.

Command                                              Mode     Description
no ip igmp snooping mrouter learn pim                Global   Disables learning of multicast router ports through PIM hello packets.
no ip igmp snooping vlan VLANS mrouter learn pim     Global   Disables learning of multicast router ports through PIM hello packets on a VLAN.
Multicast Router Port Forwarding
Multicast traffic should be forwarded to IGMP snooping membership ports and to multicast router ports, because the multicast router needs to receive the multicast source information. To enable the switch to forward the traffic to multicast router ports, use the following command.

Command                           Mode     Description
ip multicast mrouter-pass         Global   Enables the switch to forward multicast traffic to the multicast router ports.
no ip multicast mrouter-pass      Global   Disables forwarding of multicast traffic to the multicast router ports.
Displaying Multicast Router Port
To display the current multicast router ports for IGMP snooping, use the following command.

Command                                      Mode                 Description
show ip igmp snooping mrouter                Top/Global/Bridge    Shows the current multicast router ports for IGMP snooping globally.
show ip igmp snooping vlan VLANS mrouter     Top/Global/Bridge    Shows the current multicast router ports for IGMP snooping on a specified VLAN.
                                                                  VLANS: VLAN ID (1-4094)
9.2.3.7
Enabling TCN Multicast Flooding
To enable the switch to flood multicast traffic when a TCN is received, use the following command.

Command                                      Mode     Description
ip igmp snooping tcn flood                   Global   Enables the switch to flood multicast traffic when a TCN is received.
ip igmp snooping tcn vlan VLANS flood        Global   Enables the switch to flood multicast traffic on a VLAN when a TCN is received.
                                                      VLANS: VLAN ID (1-4094)

To stop the switch from flooding multicast traffic when a TCN is received, use the following command.

Command                                      Mode     Description
no ip igmp snooping tcn flood                Global   Disables multicast flooding when a TCN is received.
no ip igmp snooping tcn vlan VLANS flood     Global   Disables multicast flooding on a VLAN when a TCN is received.

TCN Flooding Suppression
When a TCN is received, a switch running IGMP snooping floods multicast traffic to all ports until it receives two general queries, or for two general query intervals by default. You can also configure the switch to stop multicast flooding according to a specified query count or query interval. To specify a query count to stop multicast flooding, use the following command.

Command                                           Mode     Description
ip igmp snooping tcn flood query count <1-10>     Global   Specifies the query count after which multicast flooding stops.
                                                           1-10: query count value (default: 2)
no ip igmp snooping tcn flood query count         Global   Deletes the specified query count.

To specify a query interval to stop multicast flooding, use the following command.

Command                                                Mode     Description
ip igmp snooping tcn flood query interval <1-1800>     Global   Specifies the query interval, in seconds, used to stop multicast flooding. The actual stop-flooding interval is (query count) x (query interval).
                                                                1-1800: query interval value (default: 125)
no ip igmp snooping tcn flood query interval           Global   Deletes the specified query interval.
TCN Flooding Query Solicitation
Typically, when a network topology change occurs, the spanning tree root switch issues a query solicitation, which is actually a global leave message with the group address 0.0.0.0. When a multicast router receives this solicitation, it immediately sends IGMP general queries to the hosts, allowing fast convergence. You can direct a switch running IGMP snooping to send a query solicitation when a TCN is received. To enable the switch to send a query solicitation when a TCN is received, use the following command.

Command                                                  Mode     Description
ip igmp snooping tcn query solicit [address A.B.C.D]     Global   Enables the switch to send a query solicitation when a TCN is received.
                                                                  address: source IP address for the query solicitation

To stop the switch from sending a query solicitation when a TCN is received, use the following command.

Command                                             Mode     Description
no ip igmp snooping tcn query solicit [address]     Global   Disables sending a query solicitation when a TCN is received.

TCN Flooding Debug
To enable or disable debugging of the TCN flooding feature, use the following command.

Command                          Mode    Description
debug igmp snooping tcn          Top     Enables IGMP snooping TCN flooding debugging.
no debug igmp snooping tcn       Top     Disables IGMP snooping TCN flooding debugging.
9.2.4 IGMPv3 Snooping
9.2.4.1
VLANS explicit-tracking
You can also restrict the number of hosts tracked on a port, both to protect switch performance and for security: the tracking state a single port can create is bounded, so a large number of reporters on one port cannot exhaust it. To specify the maximum number of hosts on a port, use the following command.

Command                                                                    Mode     Description
ip igmp snooping explicit-tracking max-hosts port PORTS count <1-65535>    Global   Specifies the maximum number of hosts on a port.
                                                                                    PORTS: port number
                                                                                    1-65535: maximum number of hosts (default: 1024)
no ip igmp snooping explicit-tracking max-hosts port PORTS                 Global   Deletes the specified maximum number of hosts.
To disable sending a group-specific query to member hosts when one of them leaves the group, use the following command.

Command                           Mode     Description
ip igmp snooping explicit-        Global   Does not send a group-specific query to member hosts after one of them sends a leave message on a VLAN.
                                  Global   Sends a group-specific query to hosts after one of them sends a leave message on a VLAN. (default)
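The interaction between immediate leave (Section 9.2.3.3) and explicit host tracking with its per-port host cap (Section 9.2.4.1) is easiest to see in a small model. The Python class below is an added example and not V1624 firmware code; it simulates the group table of one snooping VLAN under three settings: the default (a leave triggers a group-specific query and the port is pruned only if no report arrives before the last-member-query timer expires), immediate leave without tracking (the port is pruned at once, cutting off any other host behind it), and immediate leave with tracking (the port is pruned only when its last tracked host leaves). Ports, hosts and group addresses are constructed sample data; the default cap of 1024 hosts is the manual's value.

```python
"""Simulate IGMP snooping leave handling on one VLAN.

Added example for Sections 9.2.3.3 (immediate leave) and 9.2.4.1 (explicit host
tracking and max-hosts); it is not V1624 firmware code and models only the
behaviour the manual describes. Ports, hosts and groups are constructed data.
"""


class SnoopVlan:
    def __init__(self, immediate_leave=False, explicit_tracking=False, max_hosts=1024):
        self.immediate_leave = immediate_leave
        self.explicit_tracking = explicit_tracking
        self.max_hosts = max_hosts      # per-port host cap (manual default: 1024)
        self.members = {}               # group -> {port: set(tracked reporter IPs)}
        self.pending = set()            # (group, port) awaiting a last-member query reply

    def tracked_hosts(self, port):
        """Distinct reporters seen on a port across all groups (tracking on only)."""
        return {h for ports in self.members.values() for p, hs in ports.items() if p == port for h in hs}

    def report(self, group, port, host):
        """Membership report from host on port; False if the port's host cap blocks it."""
        if self.explicit_tracking:
            known = self.tracked_hosts(port)
            if host not in known and len(known) >= self.max_hosts:
                return False
        hosts = self.members.setdefault(group, {}).setdefault(port, set())
        if self.explicit_tracking:
            hosts.add(host)
        self.pending.discard((group, port))   # a report answers a pending group-specific query
        return True

    def leave(self, group, port, host):
        """Leave group message from host on port; returns what the switch did."""
        ports = self.members.get(group, {})
        if port not in ports:
            return "ignored"
        if self.explicit_tracking:
            ports[port].discard(host)
            if ports[port]:
                return "kept: other tracked hosts remain on port"
        if self.immediate_leave:
            self._remove(group, port)
            return "removed immediately"
        self.pending.add((group, port))       # default: ask before pruning
        return "group-specific query sent"

    def last_member_query_timeout(self, group, port):
        """No report arrived within the last-member-query interval: prune the port."""
        if (group, port) in self.pending:
            self.pending.discard((group, port))
            self._remove(group, port)

    def _remove(self, group, port):
        self.members[group].pop(port, None)
        if not self.members[group]:
            del self.members[group]

    def forwarding_ports(self, group):
        return sorted(self.members.get(group, {}))
```

The first scenario in the test is the one the note above warns about: with immediate leave and no tracking, a leave from 10.0.0.1 also silences 10.0.0.2 on the same port until the next general query. The last scenario shows the max-hosts cap refusing a third reporter on a port limited to two, while a report from an already-tracked host is still accepted.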
9.2.4.2
VLANS immediate-block
9.2.5
To display the collected IGMP snooping statistics, use the following command.

Command                                            Mode          Description
show ip igmp snooping stats port {PORTS | cpu}     Top/Global    Shows the statistics of IGMP snooping control packets.
                                                                 PORTS: port number

To clear the collected IGMP snooping statistics, use the following command.

Command                                             Mode          Description
clear ip igmp snooping stats port [PORTS | cpu]     Top/Global    Clears the collected IGMP snooping statistics.
                                                                  PORTS: port number
9.2.6
9.2.6.1 IGMP Filtering
Creating IGMP Profile
You can configure an IGMP profile for IGMP filtering in IGMP Profile Configuration mode. The system prompt changes from SWITCH(config)# to SWITCH(config-igmpprofile[N])#. To create or modify an IGMP profile, use the following command.

Command                               Mode     Description
ip igmp profile <1-2147483647>        Global   Creates or modifies an IGMP profile.
                                               1-2147483647: IGMP profile number
no ip igmp profile <1-2147483647>     Global   Deletes a created IGMP profile.

IGMP Group Range
To specify the IGMP group range to which IGMP filtering applies, use the following command.

Command                        Mode            Description
range A.B.C.D [A.B.C.D]        IGMP Profile    Specifies a range of IGMP groups.
                                               A.B.C.D: low multicast address
                                               A.B.C.D: high multicast address
no range A.B.C.D [A.B.C.D]     IGMP Profile    Deletes a specified range of IGMP groups.
A single IGMP group address is also possible.

IGMP Filtering Policy
To specify whether access to the IGMP group range is permitted or denied, use the following command.

Command              Mode            Description
{permit | deny}      IGMP Profile    Specifies the action for the IGMP group range.

Enabling IGMP Filtering
To enable IGMP filtering on a port, a configured IGMP profile must be applied to the port. To apply an IGMP profile to ports, use the following command.

Command                                              Mode     Description
ip igmp filter port PORTS profile <1-2147483647>     Global   Applies an IGMP profile to ports.
                                                              PORTS: port number
                                                              1-2147483647: IGMP profile number
no ip igmp filter port PORTS                         Global   Releases an applied IGMP profile.

Before enabling IGMP filtering, keep in mind the following restrictions.
Multiple IGMP profiles cannot be applied to a single port.
IGMP snooping must be enabled before enabling IGMP filtering.
To delete a created IGMP profile, all ports to which the profile is applied must first be released.
IGMP filtering only supports IGMPv2.

To allow or discard IGMP messages by message type on a port, use the following command. Discarding query messages on host-facing ports keeps a host from taking over the querier role, since IGMPv2 elects the querier with the lowest IP address (see Section 9.1.2).

Command                                                                                            Mode     Description
ip igmp filter port PORTS packet type {reportv1 | reportv2 | reportv3 | query | leave | all}        Global   Filters the specified IGMP messages on a port.
no ip igmp filter port PORTS packet type {reportv1 | reportv2 | reportv3 | query | leave | all}     Global   Disables filtering of the specified IGMP messages on a port.
9.2.6.2 IGMP Throttling
You can configure the maximum number of multicast groups that hosts on a port can join. To specify the maximum number of IGMP groups per port, use the following command.

Command                                                 Mode     Description
ip igmp max-groups port PORTS count <1-2147483647>      Global   Specifies the maximum number of IGMP groups that hosts on the specified ports can join.
                                                                 PORTS: port number
                                                                 1-2147483647: number of IGMP groups
ip igmp max-groups port all count <1-2147483647>        Global   Specifies the maximum number of IGMP groups that hosts on all ports can join.
no ip igmp max-groups port {PORTS | all}                Global   Deletes the specified maximum number of IGMP groups.

To specify the maximum number of IGMP groups for the whole system, use the following command.

Command                                                 Mode     Description
ip igmp max-groups system count <1-2147483647>          Global   Specifies the maximum number of IGMP groups that hosts in the system can join.
                                                                 1-2147483647: number of IGMP groups
no ip igmp max-groups system                            Global   Deletes the specified maximum number of IGMP groups.
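The decision a port makes for each IGMPv2 join under IGMP filtering (Section 9.2.6.1) and IGMP throttling (Section 9.2.6.2) can be written out as a small policy evaluator. The Python code below is an added example and not V1624 firmware code. It follows the rules the manual states: a profile is a permit or deny action over group ranges (a permit profile passes only the listed ranges, a deny profile drops them), a port carries at most one profile, a profile cannot be deleted while still applied, and joins are capped per port and system-wide. Profile numbers, ports and group addresses are constructed sample data.

```python
"""Evaluate IGMP joins against an IGMP profile and max-groups limits.

Added example for Sections 9.2.6.1 (IGMP filtering) and 9.2.6.2 (IGMP
throttling); it is not V1624 firmware code. Profile numbers, ports and
group addresses are constructed sample data.
"""
import ipaddress


class IgmpProfile:
    def __init__(self, number, action="deny"):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.number, self.action, self.ranges = number, action, []

    def range(self, low, high=None):
        """range A.B.C.D [A.B.C.D]; a single address is a one-address range."""
        lo = int(ipaddress.IPv4Address(low))
        hi = int(ipaddress.IPv4Address(high if high is not None else low))
        if lo > hi:
            raise ValueError("low address above high address")
        self.ranges.append((lo, hi))

    def matches(self, group):
        g = int(ipaddress.IPv4Address(group))
        return any(lo <= g <= hi for lo, hi in self.ranges)


class IgmpFilter:
    def __init__(self, system_max=None, all_ports_max=None):
        self.profiles = {}                    # number -> IgmpProfile
        self.port_profile = {}                # port -> profile number
        self.port_max = {}                    # port -> cap (ip igmp max-groups port PORTS)
        self.all_ports_max = all_ports_max    # ip igmp max-groups port all
        self.system_max = system_max          # ip igmp max-groups system
        self.joined = {}                      # port -> set of groups currently joined

    def create_profile(self, number, action):
        self.profiles[number] = IgmpProfile(number, action)
        return self.profiles[number]

    def apply_profile(self, port, number):
        """False when the port already has a profile (only one is allowed) or it does not exist."""
        if port in self.port_profile or number not in self.profiles:
            return False
        self.port_profile[port] = number
        return True

    def release_profile(self, port):
        self.port_profile.pop(port, None)

    def delete_profile(self, number):
        """Refused while any port still uses the profile."""
        if number in self.port_profile.values():
            return False
        return self.profiles.pop(number, None) is not None

    def join(self, port, group):
        """Decide an IGMPv2 join for group on port; 'permit' or a 'deny: ...' reason."""
        if not ipaddress.IPv4Address(group).is_multicast:
            return "deny: not a multicast group"
        number = self.port_profile.get(port)
        if number is not None:
            prof = self.profiles[number]
            hit = prof.matches(group)
            # permit profile: only listed ranges pass; deny profile: listed ranges are dropped
            if (prof.action == "permit") != hit:
                return "deny: profile %d" % number
        groups = self.joined.setdefault(port, set())
        if group in groups:
            return "permit"                   # already a member: no new state
        limit = self.port_max.get(port, self.all_ports_max)
        if limit is not None and len(groups) >= limit:
            return "deny: port max-groups"
        total = sum(len(g) for g in self.joined.values())
        if self.system_max is not None and total >= self.system_max:
            return "deny: system max-groups"
        groups.add(group)
        return "permit"
```

The order of checks mirrors how the caps protect the switch: a profile rejection costs no table state, a repeated join for a group already held does not count against any limit, and the per-port cap is applied before the system-wide one so a single busy port cannot consume the whole system budget.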
9.2.6.3
10.1 General Upgrade
The V1624 supports dual system software images: you can select which of the two stored images the system runs, for example for compatibility or stability reasons. To upgrade the system software of the switch, use the following command.

Command                                                Mode     Description
upgrade {ftp | tftp} A.B.C.D FILENAME {os1 | os2}      Global   Upgrades the system software of the switch via FTP or TFTP.
                                                                A.B.C.D: FTP/TFTP server address
                                                                FILENAME: system software file name
                                                                os1 | os2: the area where the system software is stored
To upgrade the system software, an FTP or TFTP server must be set up first. With the upgrade command, the switch downloads the new system software from the server. To run the upgraded system software, the switch must be restarted with the reload command; see Section 4.1.7.1. Note that both FTP and TFTP transfer the image, and FTP the login credentials, without encryption, so run the transfer over a trusted management network only. The following is an example of upgrading the system software stored in os1.
SWITCH(config)# upgrade ftp 10.100.158.144 V16XX.3.15.x os1
FTP User Name:root
FTP Password:vertex25
Hash mark printing on (1024 bytes/hash mark).
Downloading NOS ....
##############################################################################
##############################################################################
##############################################################################
(Omitted)
##############################################################################
##############################################################################
###########
6154904 bytes download OK.
SWITCH(config)#
SWITCH(config)# show flash
Flash Information(Bytes)
-------------------------------------------------------
Area            total       used        free
Os1 (default)   7340032     6154904     1185128     3.15 #4499
Os2             7340032     6154904     1185128     3.10 #4412
Config          524288      215048      309240
Boot            1048576     1048576     0
Etc             524288      524288      0
Total           16777216    14097720    2679496
-------------------------------------------------------
SWITCH(config)# exit
SWITCH# reload
Warning : Changed configuration was not saved to flash memory.
Do you still want to reload the system?[y|N]
10.2 FTP Upgrade
The system software of the V1624 can also be upgraded over FTP, which allows system administrators to upgrade the system remotely with a familiar interface. To upgrade the system software using FTP, perform the following steps:

Step 1 Connect to the V1624 with your FTP client software. To log in to the system, you can use the system user ID and password.

Note that you must use a command line-based FTP client when upgrading the V1624. If you use a graphical FTP client, the system cannot recognize the uploaded software.

Step 2 Set the file transfer mode to binary using the following command.

Command    Mode    Description
bin        FTP     Sets the file transfer mode to binary.

Step 3 Enable printing of hash marks while transferring a file using the following command.

Command    Mode    Description
hash       FTP     Prints hash marks while transferring a file.

Step 4 Upload the new system software using the following command.

Command                       Mode    Description
put FILENAME {os1 | os2}      FTP     Uploads the system software.
                                      FILENAME: system software file name
                                      os1 | os2: the area where the system software is stored
To run the uploaded system software, the system must be restarted with the reload command; see Section 4.1.7.1. The following is an example of upgrading the system software of the V1624 remotely using the FTP client provided with Microsoft Windows XP.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ftp 10.27.41.84
Connected to 10.27.41.84.
220 FTP Server 1.2.4 (FTPD)
User (10.27.41.84:(none)): root
331 Password required for root.
Password:vertex25
230 User root logged in.
ftp> bin
200 Type set to I.
ftp> hash
Hash mark printing On ftp: (2048 bytes/hash mark) .
ftp> put V16XX.3.15.x os1
200 PORT command successful.
150 Opening BINARY mode data connection for os1.
##############################################################################
##############################################################################
##############################################################################
(Omitted)
##############################################################################
##############################################################################
#########################################
226 Transfer complete.
ftp: 6154904 bytes sent in 88.57Seconds 69.49Kbytes/sec.
ftp> bye
221 Goodbye.

C:\>
10.3 Auto Upgrade
For efficient system maintenance, the V1624 provides auto upgrade of the system software in a stacking environment. You can upgrade the system software of the stacked slave switches from the master switch. To upgrade the system software of a slave switch in a stacking environment, use the following command on the master switch.

Command                                Mode    Description
auto-upgrade NODE USER-ID PASSWORD     Top     Upgrades the system software of the slave switch.
                                               NODE: target switch's node ID
                                               USER-ID: target switch's user ID
                                               PASSWORD: target switch's password
The auto-upgrade command upgrades the system software of the slave switch with the current default system software of the master switch. You can see the node ID of the slave switch with the show stack command; for more information, see Section 8.6. To run the upgraded system software, the slave switch must restart. The following is an example of upgrading the system software of a slave switch from the master switch.
SWITCH# show stack
device : br1
node ID : 1
node   MAC address          status   type    name     port
1      00:d0:cb:26:75:77    active   V1624   SWITCH   26
2      00:d0:cb:11:9b:fc    active   V1624   SWITCH   26
SWITCH# auto-upgrade 2 root vertex25
Upgrade NOS to slave[2] is started.
Please wait a moment while upgrading...
Upgrade success.
6154904 bytes upload OK.
Do you want to reload slave[2] system ? [y/n]
SWITCH#
11 Abbreviations
ARP          Address Resolution Protocol
CE           Communauté Européenne
CLI          Command Line Interface
DA           Destination Address
DHCP         Dynamic Host Configuration Protocol
DSCP         Differentiated Service Code Point
EN           Europäische Norm (European Standard)
FE           Fast Ethernet
FTP          File Transfer Protocol
GB           Gigabyte
GE           Gigabit Ethernet
HW           Hardware
ID           Identifier
IEC          International Electrotechnical Commission
IEEE 802     Standards for Local and Metropolitan Area Networks
IEEE 802.1   Glossary, Network Management, MAC Bridges, and Internetworking
IEEE         Institute of Electrical and Electronics Engineers
IGMP         Internet Group Management Protocol
IP           Internet Protocol
ISP          Internet Service Provider
L2           Layer 2
LACP         Link Aggregation Control Protocol
LAN          Local Area Network
MAC          Medium Access Control
NE           Network Element
OS           Operating System
PC           Personal Computer
PPP          Point to Point Protocol
QoS          Quality of Service
RFC          Request for Comments
RSTP         Rapid Spanning Tree Protocol
SNMP         Simple Network Management Protocol
STP          Spanning Tree Protocol
SW           Software
TCP          Transmission Control Protocol
UDP          User Datagram Protocol
UMN          User Manual
VID          VLAN ID
VLAN         Virtual Local Area Network