Os9000-6800-6850 Net Config 611r02 PDF
Os9000-6800-6850 Net Config 611r02 PDF
Os9000-6800-6850 Net Config 611r02 PDF
A
June 2006
www.alcatel.com
This user guide documents release 6.1.1 of the OmniSwitch 9000 Series
and release 6.1.2 of the OmniSwitch 6800 Series and of the OmniSwitch 6850 Series.
The functionality described in this guide is subject to change without notice.
Copyright 2006 by Alcatel Internetworking, Inc. All rights reserved. This document may not be repro-
duced in whole or in part without the express written permission of Alcatel Internetworking, Inc.
Alcatel and the Alcatel logo are registered trademarks of Alcatel. Xylan, OmniSwitch, OmniStack,
and Alcatel OmniVista are registered trademarks of Alcatel Internetworking, Inc.
OmniAccess, Omni Switch/Router, PolicyView, RouterView, SwitchManager, VoiceView,
WebView, X-Cell, X-Vision, and the Xylan logo are trademarks of Alcatel Internetworking, Inc.
This OmniSwitch product contains components which may be covered by one or more of the following
U.S. Patents:
U.S. Patent No. 6,339,830
U.S. Patent No. 6,070,243
U.S. Patent No. 6,061,368
U.S. Patent No. 5,394,402
U.S. Patent No. 6,047,024
U.S. Patent No. 6,314,106
U.S. Patent No. 6,542,507
U.S. Patent No. 6,874,090
This OmniSwitch 6800/6850/9000 Network Configuration Guide describes how to set up and monitor soft-
ware features that will allow your switch to operate in a live network environment. The software features
described in this manual are shipped standard with your OmniSwitch 6800 Series, OmniSwitch 6850
Series, and OmniSwitch 9000 Series switches. These features are used when setting up your OmniSwitch
in a network of switches and routers.
Supported Platforms
This information in this guide applies to the following products:
OmniSwitch 9600
OmniSwitch 9700
Note. This OmniSwitch Network Configuration Guide covers Release 6.1.1, which is supported on
OmniSwitch 9000 Series switches and 6.1.2, which is supported on the OmniSwitch 6800 and 6850 Series
switches. OmniSwitch 6600 Family, OmniSwitch 7700/7800, and OmniSwitch 8800 switches use Release
5.x. Please refer to the 5.x user guides for those switches.
Unsupported Platforms
The information in this guide does not apply to the following products:
OmniSwitch (original version with no numeric model name)
OmniSwitch 7700/7800
OmniSwitch 8800
Omni Switch/Router
OmniStack
OmniAccess
Basic Layer 2 functions, such as Ethernet port parameters, source learning, Spanning Tree, and Alcatel
interswitch protocols (AMAP and GMAP).
Advanced Layer 2 functions, such as 802.1Q tagging, Link Aggregation, and IP Multicast Switching.
Basic routing protocols and functions, such as static IP routes, RIP, DHCP Relay, and Virtual Router
Redundancy Protocol (VRRP).
Security features, such as switch access control, Authenticated VLANs (AVLANs), authentication
servers, and policy management.
Quality of Service (QoS) and Access Control Lists (ACLs) features, such as policy rules for prioritiz-
ing and filtering traffic, and remapping packet headers.
Diagnostic tools, such as RMON, port mirroring, and switch logging.
Documentation Roadmap
The OmniSwitch user documentation suite was designed to supply you with information at several critical
junctures of the configuration process. The following section outlines a roadmap of the manuals that will
help you at each stage of the configuration process. Under each stage, we point you to the manual or
manuals that will be most helpful to you.
Anytime
The OmniSwitch CLI Reference Guide contains comprehensive information on all CLI commands
supported by the switch. This guide includes syntax, default, usage, example, related CLI command, and
CLI-to-MIB variable mapping information for all CLI commands supported by the switch. This guide can
be consulted anytime during the configuration process to find detailed and specific information on each
CLI command.
Related Documentation
The following are the titles and descriptions of all the related OmniSwitch 6800/6850/9000 user manuals:
OmniSwitch 6800 Series Getting Started Guide
Describes the hardware and software procedures for getting an OmniSwitch 6800 Series switch up and
running. Also provides information on fundamental aspects of OmniSwitch software and stacking
architecture.
OmniSwitch 6850 Series Getting Started Guide
Describes the hardware and software procedures for getting an OmniSwitch 6850 Series switch up and
running. Also provides information on fundamental aspects of OmniSwitch software and stacking
architecture.
OmniSwitch 6800 Series Hardware Users Guide
Detailed technical specifications and procedures for the OmniSwitch 6800 Series chassis and compo-
nents. Also includes comprehensive information on assembling and managing stacked configurations.
OmniSwitch 6850 Series Hardware User Guide
Complete technical specifications and procedures for all OmniSwitch 6850 Series chassis, power
supplies, and fans. Also includes comprehensive information on assembling and managing stacked
configurations.
OmniSwitch 9000 Series Getting Started Guide
Describes the hardware and software procedures for getting an OmniSwitch 9000 Series up and
running. Also provides information on fundamental aspects of OmniSwitch software architecture.
OmniSwitch 9000 Series Hardware Users Guide
Complete technical specifications and procedures for all OmniSwitch 9000 Series chassis, power
supplies, fans, and Network Interface (NI) modules.
OmniSwitch CLI Reference Guide
Complete reference to all CLI commands supported on the OmniSwitch 9000 Series. Includes syntax
definitions, default values, examples, usage guidelines and CLI-to-MIB variable mappings.
OmniSwitch 6800/6850/9000 Switch Management Guide
Includes procedures for readying an individual switch for integration into a network. Topics include the
software directory architecture, image rollback protections, authenticated switch access, managing
switch files, system configuration, using SNMP, and using web management software (WebView).
OmniSwitch 6800/6850/9000 Network Configuration Guide
Includes network configuration procedures and descriptive information on all the major software
features and protocols included in the base software package. Chapters cover Layer 2 information
(Ethernet and VLAN configuration), Layer 3 information (routing protocols, such as RIP), security
options (authenticated VLANs), Quality of Service (QoS), and link aggregation.
Includes network configuration procedures and descriptive information on all the software features and
protocols included in the advanced routing software package. Chapters cover multicast routing
(DVMRP and PIM-SM), and OSPF.
Technical Tips, Field Notices
Includes critical Open Problem Reports, feature exceptions, and other important information on the
features supported in the current release and any limitations to their support.
User Manual CD
All user guides for the OmniSwitch 9000 Series are included on the User Manual CD that accompanied
your switch. This CD also includes user guides for other Alcatel data enterprise products. In addition, it
contains a stand-alone version of the on-line help system that is embedded in the OmniVista network
management application.
Besides the OmniVista documentation, all documentation on the User Manual CD is in PDF format and
requires the Adobe Acrobat Reader program for viewing. Acrobat Reader freeware is available at
www.adobe.com.
Note. In order to take advantage of the documentation CDs global search feature, it is recommended that
you select the option for searching PDF files before downloading Acrobat Reader freeware.
To verify that you are using Acrobat Reader with the global search option, look for the following button in
the toolbar:
Note. When printing pages from the documentation PDFs, de-select Fit to Page if it is selected in your
print dialog. Otherwise pages may print with slightly smaller margins.
Technical Support
An Alcatel service agreement brings your company the assurance of 7x24 no-excuses technical support.
Youll also receive regular software updates to maintain and maximize your Alcatel products features and
functionality and on-site hardware replacement through our global network of highly qualified service
delivery partners. Additionally, with 24-hour-a-day access to Alcatels Service and Support web page,
youll be able to view and update any case (open or closed) that you have reported to Alcatels technical
support, open a new case or access helpful release notes, technical bulletins, and manuals. For more infor-
mation on Alcatels Service Programs, see our web page at eservice.ind.alcatel.com, call us at 1-800-995-
2696, or email us at [email protected].
The Ethernet software is responsible for a variety of functions that support Ethernet, Gigabit Ethernet, and
10 Gigabit Ethernet ports on OmniSwitch 6800, 6850, and 9000 switches. These functions include diag-
nostics, software loading, initialization, configuration of line parameters, gathering statistics, and respond-
ing to administrative requests from SNMP or CLI.
In This Chapter
This chapter describes your switchs Ethernet port parameters and how to configure them through the
Command Line Interface (CLI). CLI Commands are used in the configuration examples. For more details
about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Setting Ethernet Parameters for All Port Types on page 1-8
Setting Combo Ethernet Port Parameters on OmniSwitch 6800 and 6850 Switches on page 1-18
For information about CLI commands that can be used to view Ethernet port parameters, see the
OmniSwitch CLI Reference Guide.
Ethernet Specifications
IEEE Standards Supported 802.3 Carrier Sense Multiple Access with Collision Detection
(CSMA/CD)
802.3u (100BaseTX)
802.3ab (1000BaseT)
802.3z (1000Base-X)
802.3ae (10GBase-X)
Ports Supported Ethernet (10 Mbps)
Fast Ethernet (100 Mbps)
Gigabit Ethernet (1 Gb/1000 Mbps)
10 Gigabit Ethernet (10 Gb/10000 Mbps)
Switching/Routing Support Layer 2 Switching/Layer 3 Routing
Backbone Support Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet ports
Port Mirroring Support Fast Ethernet and Gigabit Ethernet ports
802.1Q Hardware Tagging Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet ports
Jumbo Frame Configuration Supported on Gigabit Ethernet and 10 Gigabit Ethernet ports
Maximum Frame Size 1553 bytes (10/100 Mbps)
9216 bytes (1/10 Gbps)
Note. OmniSwitch 9000 Series switches do not support combo ports. These ports are supported on
OmniSwitch 6800 Series and OmniSwitch 6850 Series switches only.
Note. See Valid Port Settings on OmniSwitch 6800 Series Switches on page 1-5 and Valid Port
Settings on OmniSwitch 6850 Series Switches on page 1-5 for more information on combo ports. In addi-
tion, refer to the specific Hardware Users Guide for each type of switch.
The following three additional optional combo port modes are user configurable:
Preferred copper. In this mode, the switch will use the copper RJ-45 port instead of the equivalent fiber
MiniGBIC SFP port, if both ports are enabled and have a valid link.
Forced fiber. In this mode, the switch will always use the fiber MiniGBIC SFP port instead of the
equivalent copper RJ-45 port.
Forced copper. In this mode, the switch will always use the copper RJ-45 port instead of the equiva-
lent fiber MiniGBIC SFP port.
See Setting the Combo Port Type and Mode on page 1-18 for more information on configuring combo
ports.
See the OmniSwitch 6800 Series Hardware Users Guide for more information about the OmniSwitch 6800
hardware that is supported in the current release.
See the OmniSwitch 6850 Series Hardware Users Guide for more information about the OmniSwitch 6850
hardware that is supported in the current release.
Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet switching modules can be used as backbone links,
with Gigabit Ethernet and 10 Gigabit Ethernet modules offering additional support for high-speed servers.
All modules support 802.1Q hardware tagging for enhanced compatibility. And all Gigabit and 10 Gigabit
modules support jumbo frame configuration.
See the OmniSwitch 9000 Hardware Users Guide for more information about the OmniSwitch 9000 hard-
ware that is available in the current release
Autonegotiation Guidelines
Please note a link will not be established on any copper Ethernet port if any one of the following is true:
The local port advertises 100 Mbps full duplex and the remote link partner is forced to 100 Mbps full
duplex.
The local port advertises 100 Mbps full duplex and the remote link partner is forced to 100 Mbps half
duplex.
The local port advertises 10 Mbps full duplex and the remote link partner is forced to 10 Mbps full
duplex.
The local port advertises 10 Mbps full duplex and the remote link partner is forced to 10 half duplex.
This is due to the fact that when the local device is set to auto negotiating 10/100 full duplex it senses the
remote device is not auto negotiating. Therefore it resolves to Parallel Detect with Highest Common
Denominator (HCD), which is 10/100 Half according to IEEE 802.3 Clause 28.2.3.1.
However, since the local device is set to auto negotiating at 10/100 full duplex it cannot form a 10/100
Mbps half duplex link in any of the above mentioned cases. One solution is to configure the local device
to autonegotiation, 10/100 Mbps, with auto or half duplex.
To enable trap port link messages on a single port, enter trap followed by the slot number, a slash (/), the
port number, and port link enable. For example, to enable trap port link messages on slot 2 port 3, enter:
-> trap 2/3 port link enable
To enable trap port link messages on a range of ports, enter trap followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and port link enable. For example, to
enable trap port link messages ports 3 through 5 on slot 2, enter:
-> trap 2/3-5 port link enable
To disable trap port link messages on a single port, enter trap followed by the slot number, a slash (/), the
port number, and port link disable. For example, to disable trap port link messages on slot 2 port 3, enter:
-> trap 2/3 port link disable
To disable trap port link messages on a range of ports, enter trap followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and port link disable. For example, to
disable trap port link messages ports 3 through 5 on slot 2, enter:
-> trap 2/3-5 port link disable
To reset Layer 2 statistics on a single port, enter interfaces followed by the slot number, a slash (/), the
port number, and no l2 statistics. For example, to reset all Layer 2 statistics counters on port 3 on slot 2,
enter:
-> interfaces 2/3 no l2 statistics
To reset Layer 2 statistics on a range of ports, enter interfaces followed by the slot number, a slash (/), the
first port number, a hyphen (-), the last port number, and no l2 statistics. For example, to reset all Layer 2
statistics counters on ports 1 through 3 on slot 2, enter:
-> interfaces 2/1-3 no l2 statistics
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to reset all Layer 2 statistics counters on port 3 on slot 2 and docu-
ment the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 no l2 statistics
Note. The show interfaces, show interfaces accounting, and show interfaces counters commands can
be used to display Layer 2 statistics (e.g., input and output errors, deferred frames received, unicast pack-
ets transmitted). For information on using these commands, see the OmniSwitch CLI Reference Guide.
To enable or disable a single port, enter interfaces followed by the slot number, a slash (/), the port
number, admin, and the desired administrative setting (either up or down). For example, to administra-
tively disable port 3 on slot 2, enter:
-> interfaces 2/3 admin down
To enable or disable a range of ports, enter interfaces followed by the slot number, a slash (/), the first
port number, a hyphen (-), the last port number, admin, and the desired administrative setting (either up
or down). For example, to administratively disable ports 1 through 3 on slot 2, enter:
-> interfaces 2/1-3 admin down
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to administratively disable port 3 on slot 2 and document the port as
Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 admin down
Note. Note that the interfaces flood command is only available on OmniSwitch 6800 and 6850 switches.
In addition, the interfaces flood multicast command can also disable multicast flood rate limiting and is
available on the OmniSwitch 6800, 6850, and 9000 switches.
To specify flood only rate limiting for a single port, enter interfaces followed by the slot number, a
slash (/), the port number, and flood. For example, the following command applies flood only rate limit-
ing to port 2/3:
-> interfaces 2/3 flood
To specify flood only rate limiting for a range of ports, enter interfaces followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and flood. For example, the following
command applies flood only rate limiting to ports 3 through 4 on slot 2:
-> interfaces 2/3-4 flood
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to apply flood only rate limiting to port 8/24 and document the port
as Gigabit Ethernet, enter:
-> interfaces gigaethernet 8/24 flood
To configure the peak rate value used for flood only rate limiting, see Configuring the Peak Flood Rate
Value on page 1-11 for more information.
To apply the peak flood rate value to multicast traffic on a single port, enter interfaces followed by the
slot number, a slash (/), the port number, and flood multicast. For example, to enable the maximum flood
rate for multicast traffic on port 3 on slot 2, enter:
-> interfaces 2/3 flood multicast
To apply the peak flood rate value to multicast traffic on a range of ports, enter interfaces followed by the
slot number, a slash (/), the first port number, a hyphen (-), the last port number, and flood multicast. For
example, to enable the maximum flood rate for multicast traffic on ports 3 through 4 on slot 2, enter:
-> interfaces 2/3-4 flood multicast
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to enable the maximum flood rate for multicast traffic on slot 2 and
document the slot as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2 flood multicast
Note. Enabling multicast flood rate limiting with the interfaces flood multicast command will limit IP
Multicast Switching (IPMS) and non-IPMS multicast traffic.
By default the following peak flood rate values are used for limiting the rate at which traffic is flooded on
a switch port:
parameter default
Mbps (10 Ethernet) 4
Mbps (100 Fast Ethernet) 49
Mbps (Gigabit Ethernet) 496
Mbps (10 Gigabit Ethernet) 997
To change the peak flood rate for an entire slot, enter interfaces followed by the slot number, flood rate,
and the flood rate in megabits. For example, to configure the peak flood rate on slot 2 as 49 megabits,
enter:
-> interfaces 2 flood rate 49
To change the peak flood rate for a single port, enter interfaces followed by the slot number, a slash (/),
the port number, flood rate, and the flood rate in megabits. For example, to configure the peak flood rate
on port 3 on slot 2 as 49 megabits, enter:
-> interfaces 2/3 flood rate 49
To change the peak flood rate for a range of ports, enter interfaces followed by the slot number, a slash (/
), the first port number, a hyphen (-), the last port number, flood rate, and the flood rate in megabits. For
example, to configure the peak flood rate on ports 1 through 3 on slot 2 as 49 megabits, enter:
-> interfaces 2/1-3 flood rate 42
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to configure the peak flood rate on port 22 on slot 2 as 49 megabits
and document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/22 flood rate 49
To specify the type of traffic elligible for rate limiting, see Flood Only Rate Limiting on page 1-10 and
Multicast Flood Rate Limiting on page 1-11 for more information.
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to configure an alias of ip_phone1 for port 3 on slot 2 and docu-
ment the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 alias ip_phone1
To configure the maximum frame size on a single port, enter interfaces followed by the slot number, a
slash (/), the port number, max frame, and the frame size in bytes. For example, to set the maximum
frame size on port 3 on slot 2 to 9216 bytes, enter:
-> interfaces 2/3 max frame 9216
To configure the maximum frame size on a range of ports, enter interfaces followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, max frame, and the frame size in bytes.
For example, to set the maximum frame size on ports 1 through 3 on slot 2 to 9216 bytes, enter:
-> interfaces 2/1-3 max frame 9216
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the maximum frame size on port 3 on slot 2 to 9216 bytes and
document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 max frame 9216
Ports 144 on OmniSwitch 6800-48 and OmniSwitch 6850-48 switches are non combo ports.
While you can use the CLI commands described in the following sections to configure combo ports, please
keep in mind that configuration changes made on combo ports configured as either forced fiber or
preferred fiber will only be made on the MiniGBIC SFP fiber ports and not to the copper RJ-45 10/100/
1000 ports.
Similarly, configuration changes made on combo ports configured as either forced copper or preferred
copper, will only be made on the copper RJ-45 10/100/1000 ports and not to the MiniGBIC SFP fiber port.
See Setting Combo Ethernet Port Parameters on OmniSwitch 6800 and 6850 Switches on page 1-18 for
more information on configuring combo ports.
To set the line speed on an entire switch, enter interfaces followed by the slot number and the desired
speed. For example, to set slot 2 to 100 Mbps, enter:
-> interfaces 2 speed 100
To set the line speed on a single port, enter interfaces followed by the slot number, a slash (/), the port
number, and the desired speed. For example, to set the line speed on slot 2 port 3 at 100 Mbps, enter:
-> interfaces 2/3 speed 100
To set the line speed on a range of ports, enter interfaces followed by the slot number, a slash (/), the first
port number, a hyphen (-), the last port number, and the desired speed. For example, to set the line speed
on ports 1 through 3 on slot 2 at 100 Mbps, enter:
-> interfaces 2/1-3 speed 100
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to configure the line speed on slot 2 port 3 at 100 Mbps and docu-
ment the interface type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 speed 100
Note. The Auto option sets both the duplex mode and line speed settings to autonegotiation.
To configure the duplex mode on an entire slot, enter interfaces followed by the slot number, duplex, and
the desired duplex setting (auto, full, or half). For example, to set the duplex mode on slot 2 to full, enter:
-> interfaces 2 duplex full
To configure the duplex mode on a single port, enter interfaces followed by the slot number, a slash (/),
the port number, duplex, and the desired duplex setting (auto, full, or half). For example, to set the
duplex mode on port 3 on slot 2 to full, enter:
-> interfaces 2/3 duplex full
To configure the duplex mode on a range of ports, enter interfaces followed by the slot number, a slash (/
), the first port number, a hyphen (-), the last port number, duplex, and the desired duplex setting (auto,
full, or half). For example, to set the duplex mode on ports 1 through 3 on slot 2 to full, enter:
-> interfaces 2/1-3 duplex full
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the duplex mode on port 3 on slot 2 and document the port as
Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 duplex full
To configure the inter-frame gap on an entire slot, enter interfaces, followed by the slot number, ifg, and
the desired inter-frame gap value. For example, to set the inter-frame gap value on slot 2 to 10 bytes, enter:
-> interfaces 2 ifg 10
To configure the inter-frame gap on a single port, enter interfaces, followed by the slot number, a slash (/
), the port number, ifg, and the desired inter-frame gap value. For example, to set the inter-frame gap value
on port 20 on slot 2 to 10 bytes, enter:
-> interfaces 2/20 ifg 10
To configure the inter-frame gap on a range of ports, enter interfaces, followed by the slot number, a slash
(/), the first port number, a hyphen (-), the last port number, ifg, and the desired inter-frame gap value. For
example, to set the inter-frame gap value on ports 20 through 22 on slot 2 to 10 bytes, enter:
-> interfaces 2/20-22 ifg 10
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the inter-frame gap value on port 20 on slot 2 to 10 bytes and
document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/20 ifg 10
Note. Since the interfaces ifg command is only supported on Gigabit interfaces, only the gigaethernet
keyword should be used.
To enable or disable autonegotiation on a single port, enter interfaces, followed by the slot number, a
slash (/), the port number, autoneg, and either enable or disable. For example, to enable autonegotiation
on port 3 on slot 2, enter:
-> interfaces 2/3 autoneg enable
To enable or disable autonegotiation on a range of ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, autoneg, and either enable or disable.
For example, to enable autonegotiation on ports 1 through 3 on slot 2, enter:
-> interfaces 2/1-3 autoneg enable
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to enable autonegotiation on port 3 on slot 2 and document the port
as Ethernet, enter:
-> interfaces ethernet 2/3 autoneg enable
Note. Please refer to Autonegotiation Guidelines on page 1-7 for guidelines on configuring autonegotia-
tion.
To configure crossover settings on a single port, enter interfaces, followed by the slot number, a slash (/),
the port number, crossover, and the desired setting. For example, to set the crossover configuration to auto
on port 3 on slot 2, enter:
-> interfaces 2/3 crossover auto
To configure crossover settings on a range of ports, enter interfaces, followed by the slot number, a slash
(/), the first port number, a hyphen (-), the last port number, crossover, and the desired setting. For exam-
ple, to set the crossover configuration to auto on ports 1 through 3 on slot 2, enter:
-> interfaces 2/1-3 crossover auto
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the crossover configuration to auto on port 3 on slot 2 and
document the port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/3 crossover auto
Ports 4548 on the OmniSwitch 6800-48 and OmniSwitch 6850-48 switches are combo ports.
Note. See OmniSwitch 6800 and 6850 Series Combo Ports on page 1-4 for an overview of combo port
types and modes.
To set a single combo port to forced fiber, enter interfaces, followed by the slot number, a slash (/), the
port number, and hybrid forced-fiber. For example, to set port 47 on slot 1 to forced fiber, enter:
-> interfaces 1/47 hybrid forced-fiber
To set a range of combo ports to forced fiber ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and hybrid forced-fiber. For example,
to set combo ports 46 through 48 on slot 1 to forced fiber, enter:
-> interfaces 1/46-48 hybrid forced-fiber
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set port 47 on slot 1 to forced fiber and document the interface
type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 1/47 hybrid forced-fiber
To set a single combo port to preferred copper, enter interfaces, followed by the slot number, a slash (/),
the port number, and hybrid preferred-copper. For example, to set port 47 on slot 1 to preferred copper,
enter:
-> interfaces 1/47 hybrid preferred-copper
To set a range of combo ports to preferred copper ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and hybrid preferred-copper. For
example, to set combo ports 46 through 48 on slot 1 to preferred copper, enter:
-> interfaces 1/46-48 hybrid preferred-copper
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set port 47 on slot 1 to preferred copper and document the
interface type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 1/47 hybrid preferred-copper
To set a single combo port to forced copper, enter interfaces, followed by the slot number, a slash (/), the
port number, and hybrid forced-copper. For example, to set port 47 on slot 1 to forced copper, enter:
-> interfaces 1/47 hybrid forced-copper
To set a range of combo ports to forced copper ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and hybrid forced-copper. For exam-
ple, to set combo ports 46 through 48 on slot 1 to forced copper, enter:
-> interfaces 1/46-48 hybrid forced-copper
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set port 47 on slot 1 to forced copper and document the interface
type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 1/47 hybrid forced-copper
To set a single combo port to preferred fiber, enter interfaces, followed by the slot number, a slash (/), the
port number, and hybrid preferred-fiber. For example, to set port 47 on slot 1 to preferred fiber, enter:
-> interfaces 1/47 hybrid preferred-fiber
To set a range of combo ports to preferred fiber ports, enter interfaces, followed by the slot number, a
slash (/), the first port number, a hyphen (-), the last port number, and hybrid preferred-fiber. For exam-
ple, to set combo ports 46 through 48 on slot 1 to preferred fiber, enter:
-> interfaces 1/46-48 hybrid preferred-fiber
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set port 47 on slot 1 to preferred fiber and document the interface
type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 1/47 hybrid preferred-fiber
Note. In the interface hybrid speed command, the copper keyword is used to configure the copper RJ-45
10/100/1000 port while the fiber keyword is used to configure the fiber MiniGBIC SFP port.
To set the line speed for all combo ports on an entire switch, enter interfaces, followed by the slot
number, hybrid, either fiber or copper, and the desired speed. For example, to set all combo copper ports
on slot 2 to 100 Mbps, enter:
-> interfaces 2 hybrid copper speed 100
Note. using the interface hybrid speed command to set all combo ports on a switch, will not affect the
configurations of the non combo ports.
To set the line speed on a single combo port, enter interfaces, followed by the slot number, a slash (/), the
combo port number, hybrid, either fiber or copper, and the desired speed. For example, to set the line
speed on slot 2 combo copper RJ-45 port 47 to 100 Mbps, enter:
-> interfaces 2/47 hybrid copper speed 100
To set the line speed on a range of combo ports, enter interfaces, followed by the slot number, a slash (/),
the first combo port number, a hyphen (-), the last combo port number, hybrid, either fiber or copper,
and the desired speed. For example, to set the line speed on combo copper ports 46 through 48 on slot 2 to
100 Mbps, enter:
-> interfaces 2/46-48 hybrid copper speed 100
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to configure the line speed on slot 2 combo copper port 47 at 100
Mbps and document the interface type as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/47 hybrid copper speed 100
Note. In the interface hybrid duplex command the copper keyword is used to configure the copper RJ-
45 10/100/1000 port while the fiber keyword is used to configure the fiber MiniGBIC SFP port.
To configure the duplex mode on an entire slot, enter interfaces, followed by the slot number, hybrid,
either fiber or copper, duplex, and the desired duplex setting (auto, full, or half). For example, to set the
duplex mode on all fiber combo ports on slot 2 to full, enter:
-> interfaces 2 hybrid fiber duplex full
Note. using the interface hybrid duplex command to set all combo ports on a switch, will not affect the
configurations of the non combo ports.
To configure the duplex mode on a single combo port, enter interfaces, followed by the slot number, a
slash (/), the combo port number, hybrid, either fiber or copper, duplex, and the desired duplex setting
(auto, full, or half). For example, to set the duplex mode on the fiber combo port 47 on slot 2 to full,
enter:
-> interfaces 2/47 hybrid fiber duplex full
To configure the duplex mode on a range of combo ports, enter interfaces, followed by the slot number, a
slash (/), the first combo port number, a hyphen (-), the last combo port number, hybrid, either fiber or
copper, duplex, and the desired duplex setting (auto, full, or half). For example, to set the duplex mode
on fiber combo ports 45 through 48 on slot 2 to full, enter:
-> interfaces 2/45-48 hybrid fiber duplex full
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the duplex mode on the fiber combo port 47 on slot 2 and
document the fiber combo port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/47 hybrid fiber duplex full
Note. In the interface hybrid autoneg command, the copper keyword is used to configure the copper RJ-
45 10/100/1000 port while the fiber keyword is used to configure the fiber MiniGBIC SFP port.
To enable or disable autonegotiation on all combo ports in an entire switch, enter interfaces, followed by
the slot number, hybrid, either fiber or copper, autoneg, and either enable or disable. For example, to
enable autonegotiation on all copper combo ports on slot 2, enter:
-> interfaces 2 hybrid copper autoneg enable
Note. using the interface hybrid autoneg command to set all combo ports on a switch will not affect the
configurations of the non combo ports.
To enable or disable autonegotiation on a single combo port, enter interfaces, followed by the slot
number, a slash (/), the combo port number, hybrid, either fiber or copper, autoneg, and either enable or
disable. For example, to enable autonegotiation on copper combo port 47 on slot 2, enter:
-> interfaces 2/47 hybrid copper autoneg enable
To enable or disable autonegotiation on a range of combo ports, enter interfaces, followed by the slot
number, a slash (/), the first combo port number, a hyphen (-), the last combo port number, hybrid, either
fiber or copper, autoneg, and either enable or disable. For example, to enable autonegotiation on copper
combo ports 45 through 48 on slot 2, enter:
-> interfaces 2/45-48 hybrid copper autoneg enable
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to enable autonegotiation on copper combo port 47 on slot 2 and
document the combo port as Gigabit Ethernet, enter:
-> interfaces gigaethernet 2/47 hybrid copper autoneg enable
Note. Please refer to Autonegotiation Guidelines on page 1-7 for guidelines on configuring autonegotia-
tion.
Note. In the interface hybrid crossover command, the copper keyword is used to configure the copper
RJ-45 10/100/1000 port while the fiber keyword is used to configure the fiber MiniGBIC SFP port.
Setting the crossover configuration to auto will configure the interface or interfaces to automatically
detect crossover settings. Setting crossover configuration to mdix will configure the interface or inter-
faces for MDIX (Media Dependent Interface with Crossover), which is the standard for hubs and switches.
Setting crossover to mdi will configure the interface or interfaces for MDI (Media Dependent Interface),
which is the standard for end stations. And setting the crossover configuration to disable will disable
crossover configuration on an interface or interfaces.
To configure crossover settings for all combo ports on an entire switch, enter interfaces, followed by the
slot number, hybrid, either fiber or copper, crossover, and the desired setting. For example, to set the
crossover configuration to auto on for all copper combo ports slot 2, enter:
-> interfaces 2 hybrid copper crossover auto
Note. using the interface hybrid crossover command to set all combo ports on a switch will not affect
the configurations of the non combo ports.
To configure crossover settings on a single combo port, enter interfaces, followed by the slot number, a
slash (/), the combo port number, hybrid, either fiber or copper, crossover, and the desired setting. For
example, to set the crossover configuration to auto on copper combo port 47 on slot 2, enter:
-> interfaces 2/47 hybrid copper crossover auto
To configure crossover settings on a range of combo ports, enter interfaces, followed by the slot number,
a slash (/), the first combo port number, a hyphen (-), the last combo port number, hybrid, either fiber or
copper, crossover, and the desired setting. For example, to set the crossover configuration to auto on
copper combo ports 45 through 48 on slot 2, enter:
-> interfaces 2/45-48 hybrid copper crossover auto
As an option, you can document the interface type by entering ethernet, fastethernet, or gigaethernet
before the slot number. For example, to set the crossover configuration to auto on copper combo port 47
on slot 2 and document the combo port as Gigabit Ethernet, enter:
-> interfaces gigaethernet hybrid copper 2/3 crossover auto
Workstation B connected
to RJ-45 port 1/46. Server A connected to
MiniGBIC SFP port 1/47
100 Mbps (primary) and RJ-45 port
1/47 (backup).
1 Gbps
2 Set copper combo ports 1/45 and 1/46 to forced copper modewhich will ensure the links stay up even
if a cable is plugged into MiniGBIC SFP combo ports 1/45/ and 1/46with the interfaces hybrid forced-
copper command by entering:
-> interfaces 1/45-46 hybrid forced-copper
3 Verify that combo ports 1/47 and 1/48 are set to the default setting of preferred fiber (which will make
the MiniGBIC SFP ports 1/47 and 1/48 the primary connections while copper combo ports 1/47 and 1/48
will only become active if the equivalent MiniGBIC SFP ports go down) with the show interfaces status
command as shown below:
-> show interfaces 1/45-48 status
DETECTED CONFIGURED
Slot/ AutoNego Speed Duplex Hybrid Speed Duplex Hybrid Trap
Port (Mbps) Type (Mbps) Mode LinkUpDown
-----+--------+------+------+------+--------+------+------+------
1/45 Enable - - - 100 Auto FC -
1/45 Enable - - - 1000 Full FC -
1/46 Enable - - - 100 Auto FC -
1/46 Enable - - - 1000 Full FC -
1/47 Enable - - - 1000 Full PF -
1/47 Enable - - - 100 Auto PF -
1/48 Enable - - - 1000 Full PF -
1/48 Enable - - - 100 Auto PF -
In the output above combo ports 1/47 and 1/48 are set to preferred fiber. (To configure combo ports as
preferred fiber use the interfaces hybrid preferred-fiber command.)
show interfaces flow control Displays interface flow control wait time settings in nanoseconds.
show interfaces Displays general interface information, such as hardware, MAC
address, input and output errors.
show interfaces accounting Displays interface accounting information.
show interfaces counters Displays interface counters information.
show interfaces counters Displays interface error frame information for Ethernet and Fast
errors Ethernet ports.
show interfaces collisions Displays collision statistics information for Ethernet and Fast Ethernet
ports.
show interfaces status Displays line status information.
show interfaces port Displays port status information.
show interfaces ifg Displays inter-frame gap values.
show interfaces flood rate Displays peak flood rate settings.
show interfaces traffic Displays interface traffic statistics.
show interfaces capability Displays autonegotiation, flow, speed, duplex, and crossover settings.
show interfaces hybrid Displays general interface information (e.g., hardware, MAC address,
input errors, output errors) for combo ports.
show interfaces hybrid status Displays line status information for combo ports.
show interfaces hybrid flow Displays interface flow control wait time settings in nanoseconds for
control combo ports.
show interfaces hybrid Displays autonegotiation, flow, speed, duplex, and crossover settings
capability for combo ports.
show interfaces hybrid Displays interface accounting information (e.g., packets received/trans-
accounting mitted, deferred frames received) for combo ports.
show interfaces hybrid Displays interface counters information (e.g., unicast, broadcast, multi-
counters cast packets received/transmitted) for combo ports.
show interfaces hybrid Displays interface error frame information (e.g., CRC errors, transit
counters errors errors, receive errors) for combo ports.
show interfaces hybrid Displays interface collision information (e.g., number of collisions,
collisions number of retries) for combo ports.
show interfaces hybrid traffic Displays interface traffic statistics for combo ports.
show interfaces hybrid port Displays interface port status (up or down) for combo ports.
show interfaces hybrid flood Displays interface peak flood rate settings for combo ports.
rate
show interfaces hybrid ifg Displays interface inter-frame gap values for combo ports.
These commands can be quite useful in troubleshooting and resolving potential configuration issues or
problems on your switch. For more information about the resulting displays from these commands, see the
OmniSwitch CLI Reference Guide.
Transparent bridging relies on a process referred to as source learning to handle traffic flow. Network
devices communicate by sending and receiving data packets that each contain a source MAC address and a
destination MAC address. When packets are received on switch network interface (NI) module ports,
source learning examines each packet and compares the source MAC address to entries in a MAC address
database table. If the table does not contain an entry for the source address, then a new record is created
associating the address with the port it was learned on. If an entry for the source address already exists in
the table, a new one is not created.
Packets are also filtered to determine if the source and destination address are on the same LAN segment.
If the destination address is not found in the MAC address table, then the packet is forwarded to all other
switches that are connected to the same LAN. If the MAC address table does contain a matching entry for
the destination address, then there is no need to forward the packet to the rest of the network.
In This Chapter
This chapter describes how to manage source learning entries in the switch MAC address table (often
referred to as the forwarding or filtering database) through the Command Line Interface (CLI). CLI
commands are used in the configuration examples; for more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Using Static MAC Addresses on page 2-4.
Note. Optional. Creating a static MAC address involves specifying an address that is not already used in
another static entry or already dynamically learned by the switch. To determine if the address is already
known to the MAC address table, enter show mac-address-table. If the address does not appear in the
show mac-address-table output, then it is available to use for configuring a static MAC address entry. For
example,
-> show mac-address-table
Legend: Mac Address: * = address not valid
1 Create VLAN 200, if it does not already exist, using the following command:
2 Assign switch ports 2 through 5 on slot 3 to VLAN 200if they are not already associated with VLAN
200using the following command:
-> vlan 200 port default 3/2-5
3 Create a static MAC address entry using the following command to assign address 002D95:5BF30E to
port 3/4 associated with VLAN 200 and to specify a permanent management status for the static address:
-> mac-address-table permanent 00:2d:95:5B:F3:0E 3/4 200
4 Change the MAC address aging time to 1200 seconds (the default is 300 seconds) using the following
command:
-> mac-address-table aging-time 1200
Note. Optional. To verify the static MAC address configuration, enter show mac-address-table. For
example:
-> show mac-address-table
Legend: Mac Address: * = address not valid
The specified slot/port must already belong to the specified VLAN. Use the vlan port default
command to assign a port to a VLAN before you configure the static MAC address.
Only traffic from other ports associated with the same VLAN is directed to the static MAC address
slot/port.
Static MAC addresses are permanent addresses. This means that a static MAC address remains in use
even if the MAC ages out or the switch is rebooted.
There are two types of static MAC address behavior supported: bridging (default) or filtering. Enter
filtering to set up a denial of service to block potential hostile attacks. Traffic sent to or from a filtered
MAC address is dropped. Enter bridging for regular traffic flow to or from the MAC address. For
more information about Layer 2 filtering, see Chapter 26, Configuring QoS.
If a packet received on a port associated with the same VLAN contains a source address that matches a
static MAC address, the packet is discarded. The same source address on different ports within the
same VLAN is not supported.
If a static MAC address is configured on a port link that is down or disabled, an asterisk appears to the
right of the MAC address in the show mac-address-table command display. The asterisk indicates that
this is an invalid MAC address. When the port link comes up, however, the MAC address is then
considered valid and the asterisk no longer appears next to the address in the display.
Since permanent and bridging options for a static MAC are default settings, it is not necessary to enter
them as part of the command.
Use the no form of this command to clear MAC address entries from the table. If the MAC address status
type (permanent or learned) is not specified, then only permanent addresses are removed from the table.
The following example removes a MAC address entry that is assigned on port 2 of slot 3 for VLAN 855
from the MAC address table:
-> no mac-address-table 00:00:02:CE:10:37 3/2 855
If a slot/port and VLAN ID are not specified when removing MAC address table entries, then all MACs
defined with the specified status are removed. For example, the following command removes all learned
MAC addresses from the table, regardless of their slot/port or VLAN assignments:
-> no mac-address-table learned
To verify static MAC address configuration and other table entries, use the show mac-address-table
command. For more information about this command, see the OmniSwitch CLI Reference Guide.
For more information about configuring a link aggregate of ports, see Chapter 13, Configuring Static
Link Aggregation and Chapter 14, Configuring Dynamic Link Aggregation.
A MAC address learned on any VLAN port will age out if the time since a packet with that address was
last seen on the port exceeds 1200 seconds.
Note. Note that the aging time used is twice the length in time of the actual value specified. For example,
if an aging time of 60 seconds is specified, the MAC will age out after 120 seconds of inactivity.
When using the mac-address-table aging-time command in a switch configuration file (e.g., boot.cfg),
include an instance of this command specifying the VLAN ID for each VLAN configured on the switch.
This is necessary even though if all VLANs will have the same aging time value.
To set the aging time back to the default value, use the no form of the mac-address-table aging-time
command. For example, the following sets the aging time for all VLANs back to the default of 300
seconds:
-> no mac-address-table aging-time
Note. The MAC address table aging time is also used as the timeout value for the Address Resolution
Protocol (ARP) table. This timeout value determines how long the switch retains dynamically learned
ARP table entries. See Chapter 12, Configuring IP, for more information.
To display the aging time value for one or all VLANs, use the show mac-address-table aging-time
command. For more information about this command, see the OmniSwitch CLI Reference Guide.
When the above command is entered, all ports on the switch will use the software source learning mode,
unless they are configured to use a different mode. For example, the following command selects the hard-
ware source learning mode for ports 3/1 through 3/12:
-> source-learning 3/1-12 hardware
Note that in the above example, a range of port numbers is specified instead of using the chassis keyword.
This specifies that these ports are to use the hardware source learning mode, even though the software
mode is configured for the chassis. The port mode always takes precedence over the chassis mode.
Consider the following items when configuring the source learning mode:
If a port is a member of a link aggregate, the source learning mode for the link aggregate applies,
which is the default mode for the chassis. Once that port is no longer a member of the aggregate, the
mode configured for that port is applied.
When mobility is turned off for a port, the port reverts back to using the source learning mode that was
configured for that port. The same is true when an LPS configuration is removed from a port.
Note that if LPS is disabled on a port but the LPS configuration is not removed, the port is still consid-
ered an LPS port and will only use the software source learning mode.
show mac-address-table Displays a list of all MAC addresses known to the MAC address
table, including static MAC addresses.
show mac-address-table count Displays a count of the different types of MAC addresses (learned,
permanent, reset, and timeout). Also includes a total count of all
addresses known to the MAC address table.
show mac-address-table aging-time Displays the current MAC address aging timer value by switch or
VLAN.
show source-learning mode Displays the configured source learning mode for one or more ports.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Refer-
ence Guide. An example of the output for the show mac-address-table and show mac-address-table
aging-time commands is also given in Sample MAC Address Table Configuration on page 2-2.
The Alcatel Multiple Spanning Tree (MST) implementation provides support for the IEEE 802.1s Multi-
ple Spanning Tree Protocol (MSTP). In addition to the 802.1D Spanning Tree Algorithm and Protocol
(STP) and the 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP), MSTP also ensures that there
is always only one data path between any two switches for a given Spanning Tree instance to prevent
network loops.
MSTP is an enhancement to the 802.1Q Common Spanning Tree (CST), which is provided when an Alca-
tel switch is running in the flat Spanning Tree operating mode. The flat mode applies a single spanning
tree instance across all VLAN port connections on a switch. MSTP allows the configuration of Multiple
Spanning Tree Instances (MSTIs) in addition to the CST instance. Each MSTI is mapped to a set of
VLANs. As a result, flat mode can support the forwarding of VLAN traffic over separate data paths.
In addition to 802.1s MSTP support, the 802.1D STP and 802.1w RSTP are still available in either the flat
or 1x1 mode. However, if using 802.1D or 802.1w in the flat mode, the single spanning tree instance per
switch algorithm applies.
In This Chapter
This chapter describes 802.1s MST in general and how MSTP works on the switch. It provides informa-
tion about configuring MSTP through the Command Line Interface (CLI). For more details about the
syntax of commands, see the OmniSwitch CLI Reference Guide. For more information about Spanning
Tree configuration commands as they apply to all supported protocols (STP, RSTP, and MSTP), see
Chapter 6, Configuring Spanning Tree Parameters.
The following topics are included in this chapter as they relate to the Alcatel implementation of the 802.1s
MSTP standard:
MST General Overview on page 3-4.
MST Specifications
IEEE Standards supported 802.1DMedia Access Control (MAC) Bridges
802.1wRapid Reconfiguration (802.1D Amendment 2)
802.1QVirtual Bridged Local Area Networks
802.1sMultiple Spanning Trees (802.1Q Amendment 3)
Spanning Tree Operating Modes supported Flat mode - one spanning tree instance per switch
1x1 mode - one spanning tree instance per VLAN
Spanning Tree Protocols supported 802.1D Standard Spanning Tree Algorithm and Protocol
(STP)
802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP)
802.1s Multiple Spanning Tree Algorithm and Protocol
(MSTP)
Spanning Tree port eligibility Fixed ports (non-mobile)
802.1Q tagged ports
Link aggregate of ports
Maximum 1x1 Spanning Tree instances 252
per switch
Maximum flat mode 802.1S Multiple 16 MSTI, in addition to the Common and Internal Spanning
Spanning Tree Instances (MSTI) per Tree instance (also referred to as MSTI 0).
switch
CLI Command Prefix Recognition All Spanning Tree commands support prefix recognition. See
the Using the CLI chapter in the OmniSwitch 6800/6850/
9000 Switch Management Guide for more information.
What is the Common and Internal Spanning Tree Instance on page 3-9.
3/1 2/1
VLAN 100 VLAN 100
4/2 5/1
VLAN 200 VLAN 200
|| 5/2
4/8
VLAN 100 and VLAN 200 are each associated with their own Spanning Tree instance.
The connection between 3/1 and 2/1 is left in a forwarding state because it is part of the VLAN 100
Spanning Tree instance and is the only connection for that instance.
Note that if additional switches containing a VLAN 100 were attached to the switches in this diagram,
the 3/1 to 2/1 connection could also go into blocking if the VLAN 100 Spanning Tree instance deter-
mines it is necessary to avoid a network loop.
The connections between 4/8 and 5/2 and 4/2 and 5/1 are seen as redundant because they are both
controlled by the VLAN 200 Spanning Tree instance and connect to the same switches. The VLAN
200 Spanning Tree instance determines which connection provides the best data path and transitions
the other connection to a blocking state.
3/1 2/1
VLAN 100 VLAN 100
4/2 5/1
||
VLAN 200 VLAN 200
|| 5/2
4/8
3/1 2/1
VLAN 100 VLAN 100
CIST-0 CIST-0
4/2 5/1
VLAN 150 || VLAN 150
4/8 5/2
VLAN 200 || VLAN 200
MSTI-2 MSTI-2
2/12 3/6
VLAN 250 || VLAN 250
VLANs 100 and 150 are not associated with an MSTI. By default they are controlled by the CIST
instance 0, which exists on every switch.
VLANs 200 and 250 are associated with MSTI 2 so their traffic can traverse a path different from that
determined by the CIST.
Ports are blocked the same way they were blocked in the flat mode STP/RSTP example; all port
connections are compared to each other across VLANs to determine which connection provides the
best path.
However, because VLANs 200 and 250 are associated to MSTI 2, it is possible to change the port path
cost for ports 2/12, 3/6, 4/8 and/or 5/2 so that they provide the best path for MSTI 2 VLANs, but do not
carry CIST VLAN traffic or cause CIST ports to transition to a blocking state.
Another alternative is to assign all VLANs to an MSTI, leaving no VLANs controlled by the CIST. As
a result, the CIST BPDU will only contain MSTI information.
See Quick Steps for Configuring MSTIs on page 3-16 for more information about how to direct VLAN
traffic over separate data paths using MSTP.
Using MSTP (802.1s) has the following items in common with STP (802.1D) and RSTP (802.1w) proto-
cols:
Each protocol ensures one data path between any two switches within the network topology. This
prevents network loops from occurring while at the same time allowing for redundant path configura-
tion.
Each protocol provides automatic reconfiguration of the network Spanning Tree topology in the event
of a connection failure and/or when a switch is added to or removed from the network.
All three protocols are supported in the flat Spanning Tree operating mode.
The flat mode CST instance automatically determines port states and roles across VLAN port and
MSTI associations. This is because the CST instance is active on all ports and only one BPDU is used
to forward information for all MSTIs.
MSTP is based on RSTP.
VLAN to MSTI tableGenerated when VLANs are associated with MSTIs. Identifies the VLAN to
MSTI mapping for the switch.
Switches that share the same values for the configuration attributes described above belong to the same
region. For example, in the diagram below:
Switches A, B, and C all belong to the same region because they all are configured with the same
region name, revision level, and have the same VLANs mapped to the same MSTI.
The CST for the entire network sees Switches A, B, and C as one virtual bridge that is running a single
Spanning Tree instance. As a result, CST blocks the path between Switch C and Switch E instead of
blocking a path between the MST region switches to avoid a network loop.
The paths between Switch A and Switch C and the redundant path between Switch B and Switch C
were blocked as a result of the Internal Spanning Tree (IST) computations for the MST Region. See
What is the Internal Spanning Tree (IST) Instance on page 3-9 for more information.
Switch A Switch D
TM
OmniSwitch 9700
|| CST
IST
TM
OmniSwitch 9700 TM
OmniSwitch 9700 TM
OmniSwitch 9700
||
||
In addition to the attributes described above, the MST maximum hops parameter defines the number of
bridges authorized to propagate MST BPDU information. In essence, this value defines the size of the
region in that once the maximum number of hops is reached, the BPDU is discarded.
The maximum number of hops for the region is not one of the attributes that defines membership in the
region. See Quick Steps for Configuring an MST Region on page 3-14 for a tutorial on how to config-
ure MST region parameters.
Explicit commands allow the configuration of a particular Spanning Tree instance independent of which
mode and/or protocol is currently active on the switch. The configuration, however, does not go active
until the switch is changed to the appropriate mode. For example, if the switch is running in the 1x1 mode,
the following explicit commands changes the MSTI 3 priority to 12288:
-> bridge msti 3 priority 12288
Even though the above command is accepted in the 1x1 mode, the new priority value does not take effect
until the switch mode is changed to flat mode.
Note that explicit commands using the cist and msti keywords are required to define an MSTP (802.1s)
configuration. Implicit commands are only allowed for defining STP or RSTP configurations.
Implicit commands resemble previously implemented Spanning Tree commands, but apply to the appro-
priate instance based on the current mode and protocol that is active on the switch. For example, if the 1x1
mode is active, the instance number specified with the following command implies a VLAN ID:
-> bridge 255 priority 16384
If the flat mode is active, the single flat mode instance is implied and thus configured by the command.
Since the flat mode instance is implied in this case, there is no need to specify an instance number. For
example, the following command configures the protocol for the flat mode instance:
-> bridge protocol mstp
Similar to previous releases, it is possible to configure the flat mode instance by specifying 1 for the
instance number (e.g., bridge 1 protocol rstp). However, this is only available when the switch is already
running in the flat mode and STP or RSTP is the active protocol.
Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree
commands is captured. For example, if the priority of MSTI 2 was changed from the default value to a
priority of 16384, then bridge msti 2 priority 16384 is the command captured to reflect this in the snap-
shot file. In addition, explicit commands are captured for both flat and 1x1 mode configurations.
For more information about Spanning Tree configuration commands as they apply to all supported proto-
cols (STP, RSTP, and MSTP), see Chapter 6, Configuring Spanning Tree Parameters.
Switch A Switch D
TM
OmniSwitch 9700
|| CST
IST
TM
OmniSwitch 9700 TM
OmniSwitch 9700 TM
OmniSwitch 9700
||
||
In order for switches A, B, and C in the above diagram to belong to the same MST region, they must all
share the same values for region name, revision level, and configuration digest (VLAN-to-MSTI
mapping).
The following steps are performed on each switch to define Alcatel Marketing as the MST region name,
2000 as the MST region revision level, map exiting VLANs to existing MSTIs, and 3 as the maximum
hops value for the region:
1 Configure an MST Region name using the bridge mst region name command. For example:
2 Configure the MST Region revision level using the bridge mst region revision level command. For
example:
-> bridge mst region revision level 2000
3 Map VLANs 100 and 200 to MSTI 2 and VLANs 300 and 400 to MSTI 4 using the bridge msti vlan
command to define the configuration digest. For example:
-> bridge msti 2 vlan 100 200
-> bridge msti 4 vlan 300 400
See Quick Steps for Configuring MSTIs on page 3-16 for a tutorial on how to create and map MSTIs
to VLANs.
4 Configure 3 as the maximum number of hops for the region using the bridge mst region max hops
command. For example:
-> bridge mst region max hops 3
Note. (Optional) Verify the MST region configuration on each switch with the show spantree mst region
command. For example:
-> show spantree mst region
Configuration Name : Alcatel Marketing,
Revision Level : 2000,
Configuration Digest : 0x922fb3f 31752d68 67fe1155 d0ce8380,
Revision Max hops : 3,
Cist Instance Number : 0
All switches configured with the exact same values as shown in the above example are considered
members of the Alcatel Marketing MST region.
3/1 2/1
VLAN 100 VLAN 100
CIST-0 CIST-0
4/2 5/1
VLAN 150 || VLAN 150
4/8 5/2
VLAN 200 || VLAN 200
MSTI-1 MSTI-1
2/12 3/6
VLAN 250 || VLAN 250
Switch A Switch B
Flat Mode MSTP (802.1s) Quick Steps Example
1 Change the Spanning Tree operating mode, if necessary, on Switch A and Switch B from 1x1 to flat
mode using the bridge mode command. For example:
-> bridge mode flat
Note that defining an MSTP configuration requires the use of explicit Spanning Tree commands, which
are available in both the flat and 1x1 mode. As a result, this step is optional. See Using Spanning Tree
Configuration Commands on page 3-10 for more information.
2 Change the Spanning Tree protocol to 802.1s using the bridge protocol command. For example:
3 Create VLANs 100, 200, 300, and 400 using the vlan command. For example:
4 Assign switch ports to VLANs, as shown in the above diagram, using the vlan port default command.
For example, the following commands assign ports 3/1, 4/2, 4/8, and 2/12 to VLANs 100, 150, 200, and
250 on Switch A:
-> vlan 100 port default 3/1
-> vlan 150 port default 4/2
The following commands assign ports 2/1, 5/1, 5/2, and 3/6 to VLANs 100, 150, 200, and 250 on
Switch B:
-> vlan 100 port default 2/1
-> vlan 150 port default 5/1
-> vlan 200 port default 5/2
-> vlan 250 port default 3/6
5 Create one MSTI using the bridge msti command. For example:
By default, all VLANs are associated with the CIST instance. As a result, VLANs 100 and 150 do not
require any configuration to map them to the CIST instance.
7 Configure the port path cost (PPC) for all ports on both switches associated with MSTI 1 to a PPC
value that is lower than the PPC value for the ports associated with the CIST instance using the bridge
msti slot/port path cost command. For example, the PPC for ports associated with the CIST instance is
set to the default of 200,000 for 100 MB connections. The following commands change the PPC value for
ports associated with the MSTI 1 to 20,000:
-> bridge msti 1 4/8 path cost 20,000
-> bridge msti 1 2/12 path cost 20,000
-> bridge msti 1 5/2 path cost 20,000
-> bridge msti 1 3/6 path cost 20,000
Note that in this example, port connections between VLANs 150, 200, and 250 on each switch initially
were blocked, as shown in the diagram on page 3-16. This is because in flat mode MSTP, each instance is
active on all ports resulting in a comparison of connections independent of VLAN and MSTI associations.
To avoid this and allow VLAN traffic to flow over separate data paths based on MSTI association, Step 7
of this tutorial configures a superior port path cost value for ports associated with MSTI 1. As a result,
MSTI 1 selects one of the data paths between its VLANs as the best path, rather than the CIST data paths,
as shown in the diagram on page 3-18. :
3/1 2/1
VLAN 100 VLAN 100
CIST-0 CIST-0
4/2 5/1
VLAN 150 || VLAN 150
4/8 5/2
VLAN 200 VLAN 200
MSTI-1 MSTI-1
2/12 3/6
VLAN 250 || VLAN 250
Switch A Switch B
Note that of the two data paths available to MSTI 1 VLANs, one is still blocked because it is seen as
redundant for that instance. In addition, the CIST data path still remains available for CIST VLAN traffic.
Another solution to this scenario is to assign all VLANs to an MSTI, leaving no VLANs controlled by the
CIST. As a result, the CIST BPDU will only contain MSTI information. See How MSTP Works on
page 3-4 for more information.
show spantree cist Displays the Spanning Tree bridge configuration for the flat mode Com-
mon and Internal Spanning Tree (CIST) instance.
show spantree msti Displays Spanning Tree bridge information for an 802.1s Multiple
Spanning Tree Instance (MSTI).
show spantree cist ports Displays Spanning Tree port information for the flat mode Common and
Internal Spanning Tree (CIST) instance.
show spantree msti ports Displays Spanning Tree port information for a flat mode 802.1s Multi-
ple Spanning Tree Instance (MSTI).
show spantree mst region Displays the Multiple Spanning Tree (MST) region information for the
switch.
show spantree cist vlan-map Displays the range of VLANs associated with the flat mode Common
and Internal Spanning Tree (CIST) instance.
show spantree msti vlan-map Displays the range of VLANs associated with the specified Multiple
Spanning Tree Instance (MSTI).
show spantree map-msti Displays the Multiple Spanning Tree Instance (MSTI) that is associated
to the specified VLAN.
show spantree mst port Displays a summary of Spanning Tree connection information and
instance associations for the specified port or a link aggregate of ports.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Refer-
ence Guide.
Learned Port Security (LPS) provides a mechanism for authorizing source learning of MAC addresses on
Ethernet and Gigabit Ethernet ports. The only types of Ethernet ports that LPS does not support are link
aggregate and tagged (trunked) link aggregate ports. Using LPS to control source MAC address learning
provides the following benefits:
A configurable source learning time limit that applies to all LPS ports.
Two methods for handling unauthorized traffic: stopping all traffic on the port or only blocking traffic
that violates LPS criteria.
In This Chapter
This chapter describes how to configure LPS parameters through the Command Line Interface (CLI). CLI
commands are used in the configuration examples; for more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Enabling LPS for a port on page 4-7.
Specifying a source learning time limit for all LPS ports on page 4-7.
Configuring the maximum number of MAC addressees learned per port on page 4-8.
Configuring a list of authorized MAC addresses for an LPS port on page 4-8.
Configuring a range of authorized MAC addresses for an LPS port on page 4-9.
Selecting the security violation mode for an LPS port on page 4-10.
For more information about source MAC address learning, see Chapter 2, Managing Source Learning.
Defining the maximum number of learned MAC addresses allowed on an LPS port.
Defining the time limit in which source learning is allowed on all LPS ports.
Note that LPS is supported on Ethernet and gigabit Ethernet fixed, mobile, tagged and authenticated ports.
Link aggregate and tagged (trunked) link aggregate ports are not eligible for LPS monitoring and control.
1 Enable LPS on ports 6 through 12 on slot 3, 4, and 5 using the following command:
2 Set the total number of learned MAC addresses allowed on the same ports to 25 using the following
command:
-> port-security 3/6-12 4/6-12 5/6-12 maximum 25
3 Configure the amount of time in which source learning is allowed on all LPS ports to 30 minutes using
the following command:
-> port-security shutdown 30
4 Select shutdown for the LPS violation mode using the following command:
Note. Optional. To verify LPS port configurations, use the show port-security. For example:
-> show port-security
To verify the new source learning time limit value, use the show port-security shutdown command. For
example:
-> show port-security shutdown
LPS Shutdown = 30
Additional LPS functionality allows the user to specify how the LPS port handles unauthorized traffic. The
following two options are available for this purpose:
Block only traffic that violates LPS port restrictions; authorized traffic is forwarded on the port.
Disable the LPS port when unauthorized traffic is received; all traffic is stopped and a port reset is
required to return the port to normal operation.
LPS functionality is supported on the following Ethernet and Gigabit Ethernet port types:
Fixed (non-mobile)
Mobile
802.1Q tagged
Authenticated
802.1X
Is the number of MAC addresses learned on the port below the maximum number allowed?
Is there a configured authorized MAC address entry for the LPS port that matches the packets source
MAC address?
Using the above criteria, the following table shows the conditions under which a MAC address is learned
or blocked on an LPS port:
When a source MAC address violates any of the LPS conditions, the address is considered unauthorized.
The LPS violation mode determines if the unauthorized MAC address is simply blocked on the port or if
the entire port is disabled (see Selecting the Security Violation Mode on page 4-10). Regardless of
which mode is selected, notice is sent to the Switch Logging task to indicate that a violation has occurred.
The management status for the MAC address entry; configured or dynamic.
Note that dynamic MAC address entries become configured entries after the switch configuration is saved
and the switch is rebooted. However, any dynamic MAC address entries that are not saved to the switch
configuration are cleared if the switch reboots before the next save.
If the LPS port is shut down or the network device is disconnected from the port, the LPS table entries for
this port are retained, but the source learning MAC address table entries for the same port are automati-
cally cleared. In addition, if an LPS table entry is intentionally cleared from the table, the MAC address for
this entry is automatically cleared from the source learning table at the same time.
To view the contents of the LPS table, use the show port-security command. Refer to the OmniSwitch
CLI Reference Guide for more information about this command.
To enable LPS on multiple ports, specify a range of ports or multiple slots. For example:
-> port-security 4/1-5 enable
-> port-security 5/12-20 6/10-15 enable
Note that when LPS is enabled on an active port, all MAC addresses learned on that port prior to the time
LPS was enabled are cleared from the source learning MAC address table.
To disable LPS on a port, use the port-security command with the disable parameter. For example, the
following command disables LPS on a range of ports:
-> port-security 5/21-24 6/1-4 disable
When LPS is disabled on a port, MAC address entries for that port are retained in the LPS table. The next
time LPS is enabled on the port, the same LPS table entries are again active. If there is a switch reboot
before the switch configuration is saved, however, dynamic MAC address entries are discarded from the
table.
Use the no form of this command to disable LPS and clear all entries (configured and dynamic) in the
LPS table for the specified port. For example:
-> no port-security 5/10
The LPS source learning time limit is a switch-wide parameter that applies to all LPS enabled ports, not
just one or a group of LPS ports. The following command example sets the time limit value to 30 minutes:
-> port-security shutdown time 30
Once the time limit value expires, source learning of any new dynamic MAC addresses is stopped on all
LPS ports even if the number of addresses learned does not exceed the maximum allowed.
Note. Source learning of configured authorized MAC addresses is still allowed after the LPS time limit
has expired; however, all learning is stopped if the number of MAC addresses learned meets or exceeds
the maximum number of addresses allowed, even if the LPS time limit has not expired.
To specify a maximum number of MAC addresses allowed for multiple ports, specify a range of ports or
multiple slots. For example:
-> port-security 1/10-15 maximum 10
-> port-security 2/1-5 4/2-8 5/10-14 maximum 25
Not that configured MAC addresses count towards the maximum number allowed. For example, if there
are 10 configured authorized MAC addresses for an LPS port and the maximum number of addresses
allowed is set to 15, then only 5 dynamically learned MAC address are allowed on this port.
If the maximum number of MAC addresses allowed is reached before the switch LPS time limit expires,
then all source learning of dynamic and configured MAC addresses is stopped on the LPS port.
To configure a single source MAC address entry for multiple ports, specify a range of ports or multiple
slots. For example:
-> port-security 4/1-5 mac 00:20:95:41:2e:3f
-> port-security 5/12-20 6/10-15 mac 00:20:da:cf:59:4a
Use the no form of this command to clear configured and/or dynamic MAC address entries from the LPS
table. For example, the following command removes a MAC address entry for port 12 of slot 4 from the
LPS table:
-> port-security 4/12 no mac 00:20:95:00:fa:5c
Note that when a MAC address is cleared from the LPS table, it is automatically cleared from the source
learning MAC address table at the same time.
To configure a source MAC address range for multiple ports, specify a range of ports or multiple slots. For
example:
-> port-security 4/1-5 mac-range low 00:20:da:00:00:10 high 00:20:da:00:00:50
-> port-security 2/1-4 4/5-8 mac-range low 00:20:d0:59:0c:9a high
00:20:d0:59:0c:9f
To set the range back to the default values, enter port-security followed by the ports slot/port designa-
tion then mac-range. Leaving off the low and high MAC addresses will reset the range back to
00:00:00:00:00:00 and ff:ff:ff:ff:ff:ff. For example, the following command sets the authorized MAC
address range to the default values for port 12 of slot 4:
-> port-security 4/12 mac-range
In addition, specifying a low end MAC and a high end MAC is optional. If either one is not specified, the
default value is used. For example, the following commands set the authorized MAC address range on the
specified ports to 00:da:25:59:0c:10ff:ff:ff:ff:ff:ff and 00:00:00:00:00:0000:da:25:00:00:9a:
-> port-security 2/8 mac-range low pp:da:25:59:0c
-> port-security 2/10 mac-range high 00:da:25:00:00:9a
Refer to the OmniSwitch CLI Reference Guide for more information about this command.
To configure the security violation mode for multiple LPS ports, specify a range of ports or multiple slots.
For example:
-> port-security 4/1-10 violation shutdown
-> port-security 1/10-15 2/1-10 violation restrict
For more information about the resulting display from these commands, see the OmniSwitch CLI Refer-
ence Guide. An example of the output for the show port-security and show port-security shutdown
commands is also given in Sample Learned Port Security Configuration on page 4-3.
In a flat bridged network, a broadcast domain is confined to a single LAN segment or even a specific
physical location, such as a department or building floor. In a switch-based network, such as one
comprised of Alcatel switching systems, a broadcast domainor VLAN can span multiple physical
switches and can include ports from a variety of media types. For example, a single VLAN could span
three different switches located in different buildings and include 10/100 Ethernet, Gigabit Ethernet,
802.1q tagged ports and/or a link aggregate of ports.
In This Chapter
This chapter describes how to define and manage VLAN configurations through the Command Line Inter-
face (CLI). CLI commands are used in the configuration examples; for more details about the syntax of
commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Creating/Modifying VLANs on page 5-5.
For information about statically and dynamically assigning switch ports to VLANs, see Chapter 7,
Assigning Ports to VLANs.
For information about defining VLAN rules that allow dynamic assignment of mobile ports to a VLAN,
see Chapter 9, Defining VLAN Rules.
For information about Spanning Tree, see Chapter 6, Configuring Spanning Tree Parameters.
For information about routing, see Chapter 12, Configuring IP.
For information about Layer 2 VLAN authentication, see Chapter 22, Configuring Authenticated
VLANs.
VLAN Specifications
RFCs Supported 2674 - Definitions of Managed Objects for Bridges
with Traffic Classes, Multicast Filtering and Virtual
LAN Extensions
IEEE Standards Supported 802.1Q - Virtual Bridged Local Area Networks
802.1D - Media Access Control Bridges
Maximum VLANs per switch 4094 (based on switch configuration and available
resources)
Maximum VLAN port associations per 32768
switch
Maximum IP router interfaces per switch 4094 (based on switch configuration and available
resources)
Maximum IPX router interfaces per switch 256
Maximum IP router interfaces per VLAN 8
Maximum Spanning Tree VLANs per switch 252
Maximum authenticated VLANs per switch 128
MAC Router Mode Supported Single
CLI Command Prefix Recognition All VLAN management commands support prefix
recognition. See the Using the CLI chapter in the
OmniSwitch 6800/6850/9000 Switch Management
Guide for more information.
VLAN Defaults
Parameter Description Command Default
VLAN identifier (VLAN ID) vlan VLAN 1 predefined on each
switch.
VLAN administrative state vlan Enabled
VLAN description vlan name VLAN identifier (VLAN ID)
VLAN Spanning Tree state vlan stp Enabled (Disabled if VLAN
count exceeds 254)
VLAN mobile tag status vlan mobile-tag Disabled
VLAN IP router interface ip interface VLAN 1 router interface.
VLAN IPX router interface vlan router ipx No router interface defined.
VLAN authentication status vlan authentication Disabled
VLAN port associations vlan port default All ports initially associated
with default VLAN 1.
Note. Optional. Creating a new VLAN involves specifying a VLAN ID that is not already assigned to an
existing VLAN. To determine if a VLAN already exists in the switch configuration, enter show vlan. If
VLAN 255 does not appear in the show vlan output, then it does not exist on the switch. For example,
1 Create VLAN 255 with a description (e.g., Finance IP Network) using the following command:
2 Define an IP router interface using the following command to assign an IP host address of 21.0.0.10 to
VLAN 255 that will enable routing of VLAN traffic to other subnets:
-> ip interface vlan-255 address 21.0.0.10 vlan 255
3 Assign switch ports 2 through 4 on slot 3 to VLAN 255 using the following command:
Note. Optional. To verify the VLAN 255 configuration, use the show vlan command. For example:
Enabling or disabling classification of mobile port traffic by 802.1Q tagged VLAN ID.
Defining VLAN IPX router interfaces to enable routing of VLAN IPX traffic.
Enabling or disabling unique MAC address assignments for each router VLAN defined.
In addition to the above tasks, VLAN management software tracks and reports the following information
to other switch software applications:
VLAN configuration changes, such as adding or deleting VLANs, modifying the status of VLAN prop-
erties (e.g., administrative, Spanning Tree, and authentication status), changing the VLAN description,
or configuring VLAN router interfaces.
VLAN port associations triggered by VLAN management and other switch software applications, such
as 802.1Q VLAN tagging and dynamic mobile port assignment.
The VLAN operational state, which is inactive until at least one active switch port is associated with
the VLAN.
Creating/Modifying VLANs
The initial configuration for all Alcatel switches consists of a default VLAN 1 and all switch ports are
initially assigned to this VLAN. When a switching module is added to the switch, the modules physical
ports are also assigned to VLAN 1. If additional VLANs are not configured on the switch, then the entire
switch is treated as one large broadcast domain. All ports will receive all traffic from all other ports.
Up to 4094 VLANs are supported per switch, including default VLAN 1. In compliance with the IEEE
802.1Q standard, each VLAN is identified by a unique number, referred to as the VLAN ID. The user spec-
ifies a VLAN ID to create, modify or remove a VLAN and to assign switch ports to a VLAN. When a
packet is received on a port, the ports VLAN ID is inserted into the packet. The packet is then bridged to
other ports that are assigned to the same VLAN ID. In essence, the VLAN broadcast domain is defined by
a collection of ports and packets assigned to its VLAN ID.
The operational status of a VLAN remains inactive until at least one active switch port is assigned to the
VLAN. This means that VLAN properties, such as Spanning Tree or router interfaces, also remain inac-
tive. Ports are considered active if they are connected to an active network device. Non-active port assign-
ments are allowed, but do not change the VLANs operational state.
Ports are either statically or dynamically assigned to VLANs. When a port is assigned to a VLAN, a
VLAN port association (VPA) is created and tracked by VLAN management switch software. For more
information about VPAs, see Defining VLAN Port Assignments on page 5-7 and Chapter 7, Assigning
Ports to VLANs.
Adding/Removing a VLAN
To add a VLAN to the switch configuration, enter vlan followed by a unique VLAN ID number between
2 and 4094, an optional administrative status, and an optional description. For example, the following
command creates VLAN 755 with a description:
-> vlan 755 enable name IP Finance Network
By default, administrative status and Spanning Tree are enabled when the VLAN is created and the VLAN
ID is used for the description if one is not specified. Note that quotation marks are required if the descrip-
tion contains multiple words separated by spaces. If the description consists of only one word or multiple
words separated by another character, such as a hyphen, then quotes are not required.
On the OmniSwitch 6800 and 6850, it is also possible to specify a range of VLAN IDs with the vlan
command. Use a hyphen to indicate a contiguous range and a space to separate multiple VLAN ID entries.
For example, the following command creates VLANs 10 through 15, 100 through 105, and VLAN 200 on
the switch:
-> vlan 10-15 100-105 200 name Marketing Network
To remove a VLAN from the switch configuration, use the no form of the vlan command.
-> no vlan 755
-> no vlan 100-105
-> no vlan 10-15 200
When a VLAN is deleted, any router interfaces defined for the VLAN are removed and all VLAN port
associations are dropped. For more information about VLAN router interfaces, see Configuring VLAN
Router Interfaces on page 5-11.
Note that up to 253 Spanning Tree instances per switch are supported in the 1x1 Spanning Tree mode.
Since each VLAN with Spanning Tree enabled uses one of these instances, only 253 VLANs can have an
active Spanning Tree instance at any given time.
To create more than 253 VLANs on a switch running in the 1x1 Spanning Tree mode, use the vlan stp
disable, vlan 1x1 stp disable, or vlan flat stp disable command to create a VLAN with Spanning Tree
disabled. See Enabling/Disabling Spanning Tree for a VLAN on page 5-10 for more information.
To view a list of VLANs already configured on the switch, use the show vlan command. See Verifying
the VLAN Configuration on page 5-15 for more information.
When the administrative status for a VLAN is disabled, VLAN port assignments are retained but traffic is
not forwarded on these ports. If any rules were defined for the VLAN, they are also retained and continue
to classify mobile port traffic. See Chapter 9, Defining VLAN Rules, for more information.
Note that quotation marks are required if the description consists of multiple words separated by spaces. If
the description consists of only one word or words are separated by another character, such as a hyphen,
then quotes are not required. For example,
-> vlan 455 name Marketing-IP-Network
All ports initially belong to default VLAN 1. When the vlan port default command is used, the ports
default VLAN assignment is changed to the specified VLAN. In the above example, VLAN 955 is now
the default VLAN for port 5 on slot 2 and this port is no longer associated with VLAN 1.
The vlan port default command is also used to change the default VLAN assignment for an aggregate of
ports. The link aggregate control number is specified instead of a slot and port. For example, the follow-
ing command assigns link aggregate 10 to VLAN 755:
-> vlan 755 port default 10
For more information about configuring an aggregate of ports, see Chapter 13, Configuring Static Link
Aggregation, and Chapter 14, Configuring Dynamic Link Aggregation.
Use the no form of the vlan port default command to remove a default VPA. When this is done, VLAN 1
is restored as the ports default VLAN.
-> vlan 955 no port default 2/5
1 Use the vlan port mobile command to enable mobility on switch ports that will participate in dynamic
VLAN assignment. See Chapter 7, Assigning Ports to VLANs,for detailed procedures.
2 Enable/disable mobile port properties that determine mobile port behavior. See Chapter 7, Assigning
Ports to VLANs, for detailed procedures.
3 Create VLANs that will receive and forward mobile port traffic. See Adding/Removing a VLAN on
page 5-5 for more information.
4 Configure the method of traffic classification (VLAN rules or tagged VLAN ID) that will trigger
dynamic assignment of mobile ports to the VLANs created in Step 3. See Configuring VLAN Rule Clas-
sification on page 5-8 and Enabling/Disabling VLAN Mobile Tag Classification on page 5-9.
Once the above configuration steps are completed, dynamic VLAN assignment occurs when a device
connected to a mobile port starts to send traffic. This traffic is examined by switch software to determine
which VLAN should carry the traffic based on the type of classification, if any, defined for a particular
VLAN.
Note that VLAN mobile tag classification takes precedence over VLAN rule classification. If a mobile
port receives traffic that matches a VLAN rule and also has an 802.1Q VLAN ID tag for a VLAN with
mobile tagging enabled, the port is dynamically assigned to the mobile tag VLAN and not the matching
rule VLAN.
See Chapter 7, Assigning Ports to VLANs, and Chapter 9, Defining VLAN Rules, for more informa-
tion and examples of dynamic VLAN port assignment.
If a mobile port that is statically assigned to VLAN 10 receives an 802.1Q tagged packet with a VLAN ID
of 1525, the port and packet are dynamically assigned to VLAN 1525. In this case, the mobile port now
has a VLAN port association defined for VLAN 10 and for VLAN 1525. If a mobile port, however,
receives a tagged packet containing a VLAN ID tag of 224, the packet is discarded because the VLAN
mobile tag classification attribute is disabled on VLAN 224.
In essence, the VLAN mobile tag attribute provides a dynamic 802.1Q tagging capability. Mobile ports
can now receive and process 802.1Q tagged packets destined for a VLAN that has this attribute enabled.
This feature also allows the dynamic assignment of mobile ports to more than one VLAN at the same
time, as discussed in the above example.
VLAN mobile tagging differs from 802.1Q tagging as follows:
If 802.1Q tagging is required on a fixed (non-mobile) port, then the vlan 802.1q command is still used to
statically tag VLANs for the port. See Chapter 11, Configuring 802.1Q, for more information.
Note the following when using the vlan stp command. For more information about the vlan stp command,
see the OmniSwitch CLI Reference Guide:
If the VLAN ID specified with this command is that of a VLAN that does not exist, the VLAN is auto-
matically created.
This command configures the VLAN STP status for both the 1x1 and flat Spanning Tree modes. Using
the 1x1 or flat parameter with this command, configures the STP status only for the mode specified by
the parameter.
Up to 253 Spanning Tree instances per switch are supported in the 1x1 Spanning Tree mode. Since
each VLAN with Spanning Tree enabled uses one of these instances, only 253 VLANs can have an
active Spanning Tree instance at any given time.
To create more than 253 VLANs on a switch running in the 1x1 Spanning Tree mode, use the vlan stp
disable, vlan 1x1 stp disable, or vlan flat stp disable form of this command to create a VLAN with
Spanning Tree disabled.
STP does not become operationally active on a VLAN unless the VLAN is operationally active, which
occurs when at least one active port is assigned to the VLAN. Also, STP is enabled/disabled on individual
ports. So even if STP is enabled for the VLAN, a port assigned to that VLAN must also have STP enabled.
See Chapter 6, Configuring Spanning Tree Parameters.
Once authentication is enabled on a VLAN, then only authenticated mobile port devices can join the
VLAN after completing the appropriate log-in process. To enable authentication on a mobile port, use the
vlan port authenticate command. For more information about mobile port commands and Layer 2
authentication for Alcatel switches, see Chapter 7, Assigning Ports to VLANs, and Chapter 22, Config-
uring Authenticated VLANs.
2 The IPX network address to assign to the router interface. An IPX network address consists of eight
hex characters (e.g., 4001690D or 0000210A). If less than eight hex digits are specified, the address is
prefixed with zeros to equal eight digits. For example, if 950A is entered, the actual IPX network address
value is 0000950A.
3 Select one of the following keywords to change the advertisement mode. By default, the advertisement
mode is set to active (RIP and SAP updates are processed):
4 IPX router encapsulation (defaults to Ethernet-II). Select one of the following keywords to change the
encapsulation:
5 A 16-bit value between 0 (the default) and 65535 that specifies the number of ticks for the IPX delay
time. A tick is approximately 1/18th of a second.
The following vlan router ipx command example configures an IPX router interface for VLAN 955 with
an IPX network address of 0000950A that will process RIP and SAP updates, use Ethernet-II encapsula-
tion when generating packets, and have a zero tick delay time value:
-> vlan 955 router ipx 950A active e2 timeticks 0
Specifying the advertisement mode, encapsulation, and delay time value in ticks is optional, so it is not
necessary to enter these parameters as part of the command to accept their default values. For example,
either one of the following commands will create an IPX router interface for VLAN 855 with the same
properties:
-> vlan 855 router ipx 8500100A active e2 timeticks 0
-> vlan 855 router ipx 8500100A
To remove an IPX router interface from a VLAN, use the no form of the vlan router ipx command.
-> vlan 855 no router ipx
It is not necessary to first remove the IPX router interface from the VLAN. The changes specified will
overwrite existing parameter values. For example, the following command changes the advertisement
mode to RIP only, the encapsulation to LLC, and the delay time value to 1500. The IPX address is not
changed in this example, but is required as part of the command syntax to identify a change to the router
interface:
-> vlan 955 router ipx 1000450C rip llc timeticks 10
Use the show vlan command to verify IPX router changes. For more information about this command, see
the OmniSwitch CLI Reference Guide.
To determine the total number of VLANs configured on the switch, and the number of VLANs with IP
router interfaces configured, use the show vlan router mac status command. For more information about
this command, see the OmniSwitch CLI Reference Guide.
1 Create a VLAN on each switch with the same VLAN ID number (e.g., VLAN 10).
2 If using mobile ports for end user device connections, define VLAN rules that will classify mobile port
traffic into the VLAN created in Step 1.
3 On each switch, assign the ports that will provide connections to other switches to the VLAN created in
Step 1.
4 On each switch, assign the ports that will provide connections to end user devices (e.g., workstations)
to the VLAN created in Step 1. (If using mobile ports, this step will occur automatically when the device
connected to the mobile port starts to send traffic.)
5 Connect switches and end user devices to the assigned ports.
The following diagram shows the physical configuration of an example VLAN bridging domain:
Switch B Switch C
138.0.0.3 138.0.0.4
2/2 3/10
VLAN 10 VLAN 10
2/3 3/9
2/10 3/2
VLAN 10 VLAN 10
2/9 3/1
TM
OmniSwitch 9700 TM
OmniSwitch 9700
3/8 3/3
Switch A Switch D
138.0.0.5
138.0.0.2
In the above diagram, VLAN 10 exists on all four switches and the connection ports between these
switches are assigned to VLAN 10. The workstations can communicate with each other because the ports
to which they are connected are also assigned to VLAN 10. It is important to note that connection cables
do not have to connect to the same port on each switch. The key is that the port must belong to the same
VLAN on each switch. To carry multiple VLANs between switches across a single physical connection
cable, use the 802.1Q tagging feature (see Chapter 11, Configuring 802.1Q).
The connection between Switch C and D is shown with a broken line because the ports that provide this
connection are in a blocking state. Spanning Tree is active by default on all switches, VLANs and ports.
The Spanning Tree algorithm determined that if all connections between switches were active, a network
loop would exist that could cause unnecessary broadcast traffic on the network. The path between Switch
C and D was shut down to avoid such a loop. See Chapter 6, Configuring Spanning Tree Parameters, for
information about how Spanning Tree configures network topologies that are loop free.
The following diagram shows the same bridging domain example as seen by the end user workstations.
Because traffic between these workstations is bridged across physical switch connections within the
VLAN 10 domain, the workstations are basically unaware that the switches even exist. Each workstation
believes that the others are all part of the same VLAN, even though they are physically connected to
different switches.
VLAN 10
138.0.0.3
138.0.0.4
138.0.0.2
138.0.0.5
Creating a VLAN bridging domain across multiple switches and/or stacks of switches allows VLAN
members to communicate with each other, even if they are not connected to the same physical switch.
This is how a logical grouping of users can traverse a physical network setup without routing and is one of
the many benefits of using VLANs.
show vlan Displays a list of all VLANs configured on the switch and the status of
related VLAN properties (e.g., admin and Spanning Tree status and
router port definitions).
show vlan port Displays a list of VLAN port assignments.
show ip interface Displays VLAN IP router interface information.
show vlan router mac status Displays the current MAC router operating mode (single or multiple)
and VLAN router port statistics.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Refer-
ence Guide. An example of the output for the show vlan and show vlan port commands is also given in
Sample VLAN Configuration on page 5-3.
The Spanning Tree Algorithm and Protocol (STP) is a self-configuring algorithm that maintains a loop-
free topology while providing data path redundancy and network scalability. Based on the IEEE 802.1D
standard, the Alcatel STP implementation distributes the Spanning Tree load between the primary
management module and the network interface modules. In the case of a stack of switches, the STP load is
distributed between the primary management switch and other switches in the stack. This functionality
improves network robustness by providing a Spanning Tree that continues to respond to BPDUs and port
link up and down states in the event of a fail over to a backup management module or switch.
The Alcatel distributed implementation also incorporates the following Spanning Tree features:
Configures a physical topology into a single Spanning Tree to ensure that there is only one data path
between any two switches.
Supports fault tolerance within the network topology. The Spanning Tree is reconfigured in the event
of a data path or bridge failure or when a new switch is added to the topology.
Supports two Spanning Tree operating modes; flat (single STP instance per switch) and 1x1 (single
STP instance per VLAN).
Supports three Spanning Tree Algorithms; 802.1D (STP), 802.1w (RSTP), and 802.1s (MSTP).
Allows 802.1Q tagged ports and link aggregate logical ports to participate in the calculation of the STP
topology.
The Distributed Spanning Tree software is active on all switches by default. As a result, a loop-free
network topology is automatically calculated based on default Spanning Tree switch, VLAN, and port
parameter values. It is only necessary to configure Spanning Tree parameters to change how the topology
is calculated and maintained.
In This Chapter
This chapter provides an overview about how Spanning Tree works and how to configure Spanning Tree
parameters through the Command Line Interface (CLI). CLI commands are used in the configuration
examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Selecting the switch Spanning Tree operating mode (flat or 1x1) on page 6-9.
Note. The distinction between a backup port and an alternate port was introduced with the IEEE 802.1w
standard to help define rapid transition of an alternate port to a root port.
The role a port plays or may potentially play in the active Spanning Tree topology determines the ports
operating state; discarding, learning or forwarding. The port state is also configurable in that it is possi-
ble to enable or disable a ports administrative status and/or specify a forwarding or blocking state that is
only changed through user intervention.
The Spanning Tree Algorithm only includes ports in its calculations that are operational (link is up) and
have an enabled administrative status. The following table compares and defines 802.1D and 802.1w port
states and their associated port roles:
STP Port State RSTP Port State Port State Definition Port Role
Disabled Discarding Port is down or administratively disabled Disabled
and is not included in the topology.
Blocking Discarding Frames are dropped, nothing is learned or Alternate, Backup
forwarded on the port. Port is temporarily
excluded from topology.
Learning Learning Port is learning MAC addresses that are seen Root, Designated
on the port and adding them to the bridge
forwarding table, but not transmitting any
data. Port is included in the active topology.
Forwarding Forwarding Port is transmitting and receiving data and is Root, Designated
included in the active topology.
Once the Spanning Tree is calculated, there is only one root bridge, one designated bridge for each LAN,
and one root port on each bridge (except for the root bridge). Data travels back and forth between bridges
over forwarding port connections that form the best, non-redundant path to the root. The active topology
ensures that network loops do not exist.
Root ID The Bridge ID for the bridge that this bridge believes is the root.
Root Path Cost The sum of the Path Costs that lead from the root bridge to this bridge port.
The Path Cost is a configurable parameter value. The IEEE 802.1D standard specifies a
default value that is based on port speed. See Configuring Port Path Cost on
page 6-25 for more information.
Bridge ID An eight-byte hex value that identifies this bridge within the Spanning Tree. The first
two bytes contain a configurable priority value and the remaining six bytes contain a
bridge MAC address. See Configuring the Bridge Priority on page 6-15 for more
information.
Each switch chassis is assigned a dedicated base MAC address. This is the MAC
address that is combined with the priority value to provide a unique Bridge ID for the
switch. For more information about the base MAC address, see the appropriate Hard-
ware Users Guide for the switch
Port ID A 16-bit hex value that identifies the bridge port that transmitted this BPDU. The first 4
bits contain a configurable priority value and the remaining 12 bits contain the physical
switch port number. See Configuring Port Priority on page 6-24 for more information.
The sending and receiving of Configuration BPDU between switches participating in the bridged network
is how the root bridge is elected and the best path to the root is determined and then advertised to the rest
of the network. BPDU provide enough information for the STP software running on each switch to deter-
mine the following:
Which bridge will serve as the root bridge.
The shortest path between each bridge and the root bridge.
Which bridge will serve as the designated bridge for the LAN.
The port state (forwarding or discarding) for each bridge port based on the role the port will play in the
active Spanning Tree topology.
The following events trigger the transmitting and/or processing of BPDU in order to discover and main-
tain the Spanning Tree topology.
When a bridge first comes up, it assumes it is the root and starts transmitting Configuration BPDU on
all its active ports advertising its own bridge ID as the root bridge ID.
When a bridge receives BPDU on its root port that contains more attractive information (higher prior-
ity parameters and/or lower path costs), it forwards this information on to other LANs to which it is
connected for consideration.
When a bridge receives BPDU on its designated port that contains information that is less attractive
(lower priority values and/or higher path costs), it forwards its own information to other LANs to
which it is connected for consideration.
STP evaluates BPDU parameter values to select the best BPDU based on the following order of prece-
dence:
1 The lowest root bridge ID (lowest priority value, then lowest MAC address).
3 If root path costs are equal, the bridge ID of the bridge sending the BPDU.
4 If the previous three values tie, then the port ID (lowest priority value, then lowest port number).
When a topology change occurs, such as when a link goes down or a switch is added to the network, the
affected bridge sends Topology Change Notification (TCN) BPDU to the designated bridge for its LAN.
The designated bridge will then forward the TCN to the root bridge. The root then sends out a Configura-
tion BPDU and sets a Topology Change (TC) flag within the BPDU to notify other bridges that there is a
change in the configuration information. Once this change is propagated throughout the Spanning Tree
network, the root stops sending BPDU with the TC flag set and the Spanning Tree returns to an active,
stable topology.
Topology Examples
The following diagram shows an example of a physical network topology that incorporates data path
redundancy to ensure fault tolerance. These redundant paths, however, create loops in the network config-
uration. If a device connected to Switch A sends broadcast packets, Switch A will flood the packets out all
of its active ports. The switches connected to Switch A will in turn flood the broadcast packets out their
active ports, and Switch A will eventually receive the same packets back and the cycle will start over
again. This causes severe congestion on the network, often referred to as a broadcast storm.
Switch C
Switch D
TM
OmniSwitch 9700
TM
OmniSwitch 9700
Switch A
Switch B
The Spanning Tree Algorithm prevents network loops by ensuring that there is always only one active link
between any two switches. This is done by transitioning one of the redundant links into a blocking state,
leaving only one link actively forwarding traffic. If the active link goes down, then Spanning Tree will
transition one of the blocked links to the forwarding state to take over for the downed link. If a new switch
is added to the network, the Spanning Tree topology is automatically recalculated to include the monitor-
ing of links to the new switch.
The following diagram shows the logical connectivity of the same physical topology as determined by the
Spanning Tree Algorithm.
Switch D Switch C
(Root Bridge)
2/3 PC=4 3/8
TM
OmniSwitch 9700
Bridge ID Bridge ID
10, 00:00:00:00:00:01 13, 00:00:00:00:00:04
2/2 PC=19 3/9
2/1
3/10
PC=19 PC=100
2/10 3/2
Bridge ID Bridge ID
TM
OmniSwitch 9700
Switch A
(Designated Bridge) Switch B
In the above active Spanning Tree topology example, the following configuration decisions were made as
a result of calculations performed by the Spanning Tree Algorithm:
Switch D is the root bridge because its bridge ID has a priority value of 10 (the lower the priority value,
the higher the priority the bridge has in the Spanning Tree). If all four switches had the same priority,
then the switch with the lowest MAC address in its bridge ID would become the root.
Switch A is the designated bridge for Switch B, because it provides the best path for Switch B to the
root bridge.
Port 2/9 on Switch A is a designated port, because it connects the LAN from Switch B to Switch A.
All ports on Switch D are designated ports, because Switch D is the root and each port connects to a
LAN.
Ports 2/10, 3/1, and 3/8 are the root ports for Switches A, B, and C, respectively, because they offer the
shortest path towards the root bridge.
The port 3/9 connection on Switch C to port 2/2 on Switch D is in a discarding (blocking) state, as the
connection these ports provides is redundant (backup) and has a higher path cost value than the 2/3 to
3/8 connection between the same two switches. As a result, a network loop is avoided.
The port 3/2 connection on Switch B to port 3/10 on Switch C is also in a discarding (blocking) state,
as the connection these ports provides has a higher path cost to root Switch D than the path between
Switch B and Switch A. As a result, a network loop is avoided.
The following diagram shows a flat mode switch with STP (802.1D) as the active protocol. All ports,
regardless of their default VLAN configuration or tagged VLAN assignments, are considered part of one
Spanning Tree instance. To see an example of a flat mode switch with MSTP (802.1s) as the active proto-
col, see Chapter 3, Using 802.1s Multiple Spanning Tree.
Flat STP
In the above example, if port 8/3 connects to another switch and port 10/5 connects to that same switch,
the Spanning Tree Algorithm would detect a redundant path and transition one of the ports into a blocking
state. The same holds true for the tagged ports.
The following diagram shows a switch running in the 1x1 Spanning Tree mode and shows Spanning Tree
participation for both fixed and tagged ports.
STP 2 STP 3
STP 4
Switch
Port 1/3 Port 1/5
Default VLAN 5 Default VLAN 10
VLAN 2 (tagged)
Port 2/5
Port 2/3
Default VLAN 2
Default VLAN 5
VLAN 10 (tagged)
In the above example, STP2 is a single Spanning Tree instance since VLAN 5 contains only fixed ports.
STP 3 and STP 4 are a combination of single and 802.1Q Spanning Tree instances because VLAN 2
contains both fixed and tagged ports. On ports where VLAN 2 is the default VLAN, BPDU are not tagged.
On ports where VLAN 2 is a tagged VLAN, BPDU are also tagged.
Note that explicit commands using the cist and msti keywords are required to define an MSTP (802.1s)
configuration. Implicit commands are only allowed for defining STP or RSTP configurations. See
Chapter 3, Using 802.1s Multiple Spanning Tree, for more information about these keywords and using
implicit and explicit commands.
The following is a summary of Spanning Tree bridge configuration commands. For more information
about these commands, see the OmniSwitch CLI Reference Guide.
Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree
commands is captured. For example, if the bridge protocol for the flat mode instance was changed from
STP to MSTP, then bridge cist protocol mstp is the command syntax captured to reflect this in the snap-
shot file. In addition, explicit commands are captured for both flat and 1x1 mode configurations.
The following sections provide information and procedures for using implicit bridge configuration
commands and also includes explicit command examples.
Note that when configuring the protocol value for a VLAN instance, MSTP is not an available option. This
protocol is only supported on the flat mode instance.
In addition, the explicit bridge 1x1 protocol command configures the protocol for a VLAN instance
regardless of which mode (1x1 or flat) is active on the switch. For example, the following command also
changes the protocol for VLAN 455 to RSTP:
-> bridge 1x1 455 protocol rstp
To configure the protocol for the single flat mode instance when the switch is running in either mode (1x1
or flat), use the bridge protocol command but do not specify an instance number. This command config-
ures the flat mode instance by default, so an instance number is not needed, as shown in the following
example:
-> bridge protocol mstp
As in previous releases, it is possible to configure the flat mode instance with the bridge protocol
command by specifying 1 as the instance number (e.g., bridge 1 protocol rstp). However, this is only
available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
In addition, the explicit bridge cist protocol command configures the protocol for the flat mode instance
regardless of which mode (1x1 or flat) is active on the switch. For example, the following command
selects the RSTP protocol for the flat mode instance:
-> bridge cist protocol mstp
Note. Configuring a Spanning Tree bridge instance with a priority value that will cause the instance to
become the root is recommended, instead of relying on the comparison of switch base MAC addresses to
determine the root.
If the switch is running in the 1x1 Spanning Tree mode, then a priority value is assigned to each VLAN
instance. If the switch is running in the flat Spanning Tree mode, the priority is assigned to the flat mode
instance or an 802.1s Multiple Spanning Tree Instance (MSTI). In both cases, the default priority value
assigned is 32768. Note that priority values for an MSTI must be multiples of 4096.
To change the bridge priority value for a VLAN instance, specify a VLAN ID with the bridge priority
command when the switch is running in the 1x1 mode. For example, the following command changes the
priority for VLAN 455 to 25590:
-> bridge 455 priority 25590
The explicit bridge 1x1 priority command configures the priority for a VLAN instance when the switch
is running in either mode (1x1 or flat). For example, the following command performs the same function
as the command in the previous example:
-> bridge 1x1 455 priority 25590
To change the bridge priority value for the flat mode instance, use either the bridge priority command or
the bridge cist priority command. Note that both commands are available when the switch is running in
either mode (1x1 or flat) and an instance number is not required. For example, the following commands
change the priority value for the flat mode instance to 12288:
-> bridge priority 12288
-> bridge cist priority 12288
As in previous releases, it is possible to configure the flat mode instance with the bridge protocol
command by specifying 1 as the instance number (e.g., bridge 1 protocol rstp). However, this is only
available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
The bridge priority value is also configurable for an 802.1s Multiple Spanning Tree Instance (MSTI). To
configure this value for an MSTI, use the explicit bridge msti priority command and specify the MSTI
ID for the instance number and a priority value that is a multiple of 4096. For example, the following
command configures the priority value for MSTI 10 to 61440:
-> bridge msti 10 priority 61440
Note that when MSTP (802.1s) is the active flat mode protocol, explicit Spanning Tree bridge commands
are required to configure parameter values. Implicit commands are for configuring parameters when the
STP or RSTP protocols are in use. See Chapter 3, Using 802.1s Multiple Spanning Tree, for more infor-
mation.
The explicit bridge 1x1 hello time command configures the hello time value for a VLAN instance when
the switch is running in either mode (1x1 or flat). For example, the following command performs the same
function as the command in the previous example:
-> bridge 1x1 455 hello time 5
To change the bridge hello time value for the flat mode instance, use either the bridge hello time
command or the bridge cist hello time command. Note that both commands are available when the switch
is running in either mode (1x1 or flat) and an instance number is not required. For example, the following
commands change the hello time value for the flat mode instance to 12288:
-> bridge hello time 10
-> bridge cist hello time 10
As in previous releases, it is possible to configure the flat mode instance with the bridge hello time
command by specifying 1 as the instance number (e.g., bridge 1 hello time 5). However, this is only
available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
Note that the bridge hello time is not configurable for 802.1s Multiple Spanning Tree Instances (MSTI).
These instances inherit the hello time from the flat mode instance (CIST).
The explicit bridge 1x1 max age command configures the max age time for a VLAN instance when the
switch is running in either mode (1x1 or flat). For example, the following command performs the same
function as the command in the previous example:
-> bridge 1x1 455 max age 10
To change the max age time value for the flat mode instance, use either the bridge max age command or
the bridge cist max age command. Note that both commands are available when the switch is running in
either mode (1x1 or flat) and an instance number is not required. For example, the following commands
change the max age time for the flat mode instance to 10:
-> bridge max age 10
-> bridge cist max age 10
As in previous releases, it is possible to configure the flat mode instance with the bridge max age
command by specifying 1 as the instance number (e.g., bridge 1 max age 30). However, this is only avail-
able when the switch is already running in the flat mode and STP or RSTP is the active protocol.
Note that the max age time is not configurable for 802.1s Multiple Spanning Tree Instances (MSTI).
These instances inherit the max age time from the flat mode instance (CIST).
The explicit bridge 1x1 forward delay command configures the forward delay time for a VLAN instance
when the switch is running in either mode (1x1 or flat). For example, the following command performs the
same function as the command in the previous example:
-> bridge 1x1 455 forward delay 20
To change the forward delay time value for the flat mode instance, use either the bridge forward delay
command or the bridge cist forward delay command. Note that both commands are available when the
switch is running in either mode (1x1 or flat) and an instance number is not required. For example, the
following commands change the forward delay time for the flat mode instance to 10:
-> bridge forward delay 10
-> bridge cist forward delay 10
As in previous releases, it is possible to configure the flat mode instance with the bridge forward delay
command by specifying 1 as the instance number (e.g., bridge 1 forward delay 30). However, this is only
available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
Note that the forward delay time is not configurable for 802.1s Multiple Spanning Tree Instances (MSTI).
These instances inherit the forward delay time from the flat mode instance (CIST).
Note. Make sure that disabling BPDU switching on a Spanning Tree disabled VLAN will not cause
network loops to go undetected.
VLAN 1 VLAN 1
4/2 5/1
802.1q tag
MSTI-1 VLAN 2 VLAN 2 MSTI-1
In the above diagram, port 4/2 is the Root port and port 5/1 is a Designated port for MSTI 1. AVC is not
enabled. If another link with the same speed and lower port numbers is added to default VLAN 1 on both
switches, the new link becomes the root for MSTI 1 and the tagged link between VLAN 2 is blocked, as
shown below:
3/1 2/1
VLAN 1 VLAN 1
||
4/2 802.1q tag 5/1
MSTI-1 VLAN 2 VLAN 2 MSTI-1
If AVC was enabled in the above example, AVC would have assigned the new link an infinite path cost
value that would make this link undesirable as the root for MSTI 1.
Balancing VLANs across links according to their Multiple Spanning Tree Instance (MSTI) grouping is
highly recommended to ensure that there is not a loss of connectivity during any possible topology
changes. Enabling AVC on the switch is another way to prevent undesirable ports from becoming the root
for an MSTI.
By default AVC is disabled on the switch. Use the bridge auto-vlan-containment command to globally
enable this feature for all 802.1s MSTIs. Once AVC is globally enabled, then it is possible to disable AVC
for individual MSTIs using the same command. For example, the following commands globally enable
AVC and then disable it for MSTI 10:
-> bridge auto-vlan-containment enable
-> bridge msti 10 auto-vlan-containment disable
Note that an administratively set port path cost takes precedence and prevents AVC configuration of the
path cost. The exception to this is if the port path cost is administratively set to zero, which resets the path
cost to the default value. In addition, AVC does not have any effect on root bridges.
Port state (forwarding or blocking) is dynamically determined by the Spanning Tree Algorithm, not
manually set.
The following is a summary of Spanning Tree port configuration commands. For more information about
these commands, see the OmniSwitch CLI Reference Guide.
The following sections provide information and procedures for using implicit Spanning Tree port configu-
ration commands and also includes explicit command examples.
Note. When a snapshot is taken of the switch configuration, the explicit form of all Spanning Tree
commands is captured. For example, if the bridge protocol for the flat mode instance was changed from
STP to MSTP, then bridge cist protocol mstp is the command syntax captured to reflect this in the snap-
shot file. In addition, explicit commands are captured for both flat and 1x1 mode configurations.
The explicit bridge 1x1 slot/port command configures the priority for a VLAN instance when the switch
is running in either mode (1x1 or flat). For example, the following commands perform the same function
as the commands in the previous example:
-> bridge 1x1 10 8/1 enable
-> bridge 1x1 20 6/2 disable
To change the port Spanning Tree status for the flat mode instance, use either the bridge slot/port
command or the bridge cist slot/port command. Note that both commands are available when the switch
is running in either mode (1x1 or flat) and an instance number is not required. For example, the following
commands disable the Spanning Tree status on port 1/24 for the flat mode instance:
-> bridge 1/24 disable
-> bridge cist 1/24 disable
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port
command by specifying 1 as the instance number (e.g., bridge 1 1/24 enable). However, this is only avail-
able when the switch is already running in the flat mode and STP or RSTP is the active protocol.
For more information about configuring an aggregate of ports, see Chapter 13, Configuring Static Link
Aggregation, and Chapter 14, Configuring Dynamic Link Aggregation.
The explicit bridge cist slot/port priority command configures the port priority value for a VLAN
instance when the switch is running in either mode (1x1 or flat). For example, the following command
performs the same function as the command in the previous example:
-> bridge 1x1 10 8/1 priority 3
To change the port priority value for the flat mode instance, use either the bridge slot/port priority
command or the bridge cist slot/port priority command. Note that both commands are available when
the switch is running in either mode (1x1 or flat) and an instance number is not required. For example, the
following commands change the priority value for port 1/24 for the flat mode instance to 15:
-> bridge 1/24 priority 15
-> bridge cist 1/24 priority 10
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port prior-
ity command by specifying 1 as the instance number (e.g., bridge 1 1/24 priority 15). However, this is
only available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
The port priority value is also configurable for an 802.1s Multiple Spanning Tree Instance (MSTI). To
configure this value for an MSTI, use the explicit bridge msti slot/port priority command and specify the
MSTI ID for the instance number. For example, the following command configures the priority value for
port 1/12 for MSTI 10 to 5:
-> bridge msti 10 1/12 priority 5
Note that when MSTP (802.1s) is the active flat mode protocol, explicit Spanning Tree bridge commands
are required to configure parameter values. Implicit commands are for configuring parameters when the
STP or RSTP protocols are in use. See Chapter 3, Using 802.1s Multiple Spanning Tree, for more infor-
mation.
For more information about configuring an aggregate of ports, see Chapter 13, Configuring Static Link
Aggregation, and Chapter 14, Configuring Dynamic Link Aggregation.
IEEE 802.1D
Link Speed
Recommended Value
10 MB 2,000,000
100 MB 200,000
1 GB 20,000
10 Gbps 2,000
Is a 16-bit path cost value is in use and the path_cost is set to zero, the following IEEE 802.1D recom-
mended default path cost values based on link speed are used:
IEEE 802.1D
Link Speed
Recommended Value
4 Mbps 250
10 Mbps 100
16 Mbps 62
100 Mbps 19
1 Gbps 4
10 Gbps 2
By default, Spanning Tree is enabled on a port and the path cost is set to zero. If the switch is running in
the 1x1 Spanning Tree mode, then the port path cost applies to the specified VLAN instance associated
with the port. If the switch is running in the flat Spanning Tree mode, then the port path cost applies across
all VLANs associated with the port. The flat mode instance is specified as the ports instance, even if the
port is associated with other VLANs.
To change the port path cost value for a VLAN instance, specify a VLAN ID with the bridge slot/port
path cost command when the switch is running in the 1x1 mode. For example, the following command
configures a 16-bit path cost value for port 8/1 for VLAN 10 to 19 (the port speed is 100 MB, 19 is the
recommended value).
-> bridge 10 8/1 path cost 19
The explicit bridge 1x1 slot/port path cost command configures the port path cost value for a VLAN
instance when the switch is running in either mode (1x1 or flat). For example, the following command
performs the same function as the command in the previous example:
-> bridge 1x1 10 8/1 path cost 19
To change the port path cost value for the flat mode instance, use either the bridge slot/port path cost
command or the bridge cist slot/port path cost command. Note that both commands are available when
the switch is running in either mode (1x1 or flat) and an instance number is not required. For example, the
following commands configure a 32-bit path cost value for port 1/24 for the flat mode instance to 20,000
(the port speed is 1 GB, 20,000 is the recommended value):
-> bridge 1/24 path cost 20000
-> bridge cist 1/24 path cost 20000
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port path
cost command by specifying 1 as the instance number (e.g., bridge 1 1/24 path cost 19). However, this is
only available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
The port path cost value is also configurable for an 802.1s Multiple Spanning Tree Instance (MSTI). To
configure this value for an MSTI, use the explicit bridge msti slot/port path cost command and specify
the MSTI ID for the instance number. For example, the following command configures the path cost value
for port 1/12 for MSTI 10 to 19:
-> bridge msti 10 1/12 path cost 19
Note that when MSTP (802.1s) is the active flat mode protocol, explicit Spanning Tree bridge commands
are required to configure parameter values. Implicit commands are for configuring parameters when the
STP or RSTP protocols are in use. See Chapter 3, Using 802.1s Multiple Spanning Tree, for more infor-
mation.
If a 16-bit path cost value is in use and the path_cost for a link aggregate is set to zero, the following
default values based on link speed and link aggregate size are used. Note that for Gigabit ports the aggre-
gate size is not applicable in this case:
To change the path cost value for a link aggregate, use the bridge slot/port path cost commands
described above, but specify a link aggregate control number instead of a slot and port. For example, the
following command sets the path cost for link aggregate 10 associated with VLAN 755 to 19:
-> bridge 755 10 path cost 19
For more information about configuring an aggregate of ports, see Chapter 13, Configuring Static Link
Aggregation, and Chapter 14, Configuring Dynamic Link Aggregation.
The explicit bridge 1x1 slot/port mode command configures the port mode for a VLAN instance when
the switch is running in either mode (1x1 or flat). For example, the following command performs the same
function as the command in the previous example:
-> bridge 1x1 10 8/1 mode forwarding
To change the port Spanning Tree mode for the flat mode instance, use either the bridge slot/port mode
command or the bridge cist slot/port mode command. Note that both commands are available when the
switch is running in either mode (1x1 or flat) and an instance number is not required. For example, the
following commands configure the Spanning Tree mode on port 1/24 for the flat mode instance:
-> bridge 1/24 mode blocking
-> bridge cist 1/24 mode blocking
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port mode
command by specifying 1 as the instance number (e.g., bridge 1 1/24 mode dynamic). However, this is
only available when the switch is already running in the flat mode and STP or RSTP is the active protocol.
For more information about configuring an aggregate of ports, see Chapter 13, Configuring Static Link
Aggregation, and Chapter 14, Configuring Dynamic Link Aggregation.
Edge port (port is at the edge of a bridged LAN, does not receive BPDU and has only one MAC
address learned). Edge ports, however, will operationally revert to a point to point or a no point to
point connection type if a BPDU is received on the port.
A port is considered connected to a point-to-point LAN segment if the port belongs to a link aggregate of
ports, or if auto negotiation determines if the port should run in full duplex mode, or if full duplex mode
was administratively set. Otherwise, that port is considered connected to a no point-to-point LAN
segment.
Rapid transition of a designated port to forwarding can only occur if the ports connection type is defined
as a point to point or an edge port. Defining a ports connection type as a point to point or as an edge port
makes the port eligible for rapid transition, regardless of what actually connects to the port. However, an
alternate port transition to the role of root port is always allowed regardless of the alternate ports connec-
tion type.
Note. Configure ports that will connect to a host (PC, workstation, server, etc.) as edge ports so that these
ports will transition directly to a forwarding state and not trigger an unwanted topology change when a
device is connected to the port. If a port is configured as a point to point or no point to point connection
type, the switch will assume a topology change when this port goes active and will flush and relearn all
learned MAC addresses for the ports assigned VLAN.
By default, Spanning Tree is enabled on the port and the connection type is set to auto point to point. The
auto point to point setting determines the connection type based on the operational status of the port.
If the switch is running in the 1x1 Spanning Tree mode, then the connection type applies to the specified
VLAN instance associated with the port. If the switch is running in the flat Spanning Tree mode, then the
connection type applies across all VLANs associated with the port. The flat mode instance is referenced as
the ports instance, even if the port is associated with other VLANs.
To change the port connection type for a VLAN instance, specify a VLAN ID with the bridge slot/port
connection command when the switch is running in the 1x1 mode. For example, the following command
defines an edge port connection type for port 8/1 associated with VLAN 10.
-> bridge 10 8/1 connection edgeport
The explicit bridge 1x1 slot/port connection command configures the connection type for a VLAN
instance when the switch is running in either mode (1x1 or flat). For example, the following command
performs the same function as the command in the previous example:
-> bridge 1x1 10 8/1 connection edgeport
To change the port Spanning Tree mode for the flat mode instance, use either the bridge slot/port
connection command or the bridge cist slot/port connection command. Note that both commands are
available when the switch is running in either mode (1x1 or flat) and an instance number is not required.
For example, the following commands configure the connection type for port 1/24 for the flat mode
instance:
-> bridge 1/24 connection ptp
-> bridge cist 1/24 connection ptp
As in previous releases, it is possible to configure the flat mode instance with the bridge slot/port connec-
tion command by specifying 1 as the instance number (e.g., bridge 1 1/24 connection noptp). However,
this is only available when the switch is already running in the flat mode and STP or RSTP is the active
protocol.
Note that the bridge slot/port connection command only configures one port at a time.
For more information about configuring an aggregate of ports, see Chapter 13, Configuring Static Link
Aggregation, and Chapter 14, Configuring Dynamic Link Aggregation.
Switch D Switch C
(Root Bridge)
VLAN 255 Bridge ID VLAN 255 Bridge ID
TM
OmniSwitch 9700
3/10
PC=4 PC=19
3/2
2/10
2/8 PC=4 3/3
VLAN 255 Bridge ID TM
OmniSwitch 9700
Each switch configuration has a VLAN 255 defined. The Spanning Tree administrative status for this
VLAN was enabled by default when the VLAN was created.
VLAN 255 on each switch is configured to use the 802.1w (rapid reconfiguration) Spanning Tree
Algorithm and Protocol.
Ports 2/1-3, 2/8-10, 3/1-3, and 3/8-10 provide connections to other switches and are all assigned to
VLAN 255 on their respective switches. The Spanning Tree administrative status for each port is
enabled by default.
The path cost for each port connection defaults to a value based on the link speed. For example, the
connection between Switch B and Switch C is a 100 Mbps link, which defaults to a path cost of 19.
VLAN 255 on Switch D is configured with a Bridge ID priority value of 10, which is less than the
same value for VLAN 255 configured on the other switches. As a result, VLAN 255 was elected the
Spanning Tree root bridge for the VLAN 255 broadcast domain.
A root port is identified for VLAN 255 on each switch, except the root VLAN 255 switch. The root
port identifies the port that provides the best path to the root VLAN.
VLAN 255 on Switch A was elected the designated bridge because it offers the best path cost for
Switch B to the root VLAN 255 on Switch D.
Port 2/9 on Switch A is the designated port for the Switch A to Switch B connection because Switch A
is the designated bridge for Switch B.
Redundant connections exist between Switch D and Switch C. Ports 2/2 and 3/9 are in a discarding
(blocking) state because this connection has a higher path cost than the connection provided through
ports 2/3 and 3/8. As a result, a network loop condition is avoided.
Redundant connections also exist between Switch A and Switch B. Although the path cost value for
both of these connections is the same, ports 2/8 and 3/3 are in a discarding state because their port
priority values (not shown) are higher than the same values for ports 2/10 and 3/1.
The ports that provide the connection between Switch B and Switch C are in a discarding (blocking)
state, because this connection has a higher path cost than the other connections leading to the root
VLAN 255 on Switch D. As a result, a network loop is avoided.
2 Assign the switch ports that provide connections between each switch to VLAN 255. For example, the
following commands entered on Switches A, B, C, and D, respectively, assign the ports shown in the
example network diagram on page 6-31 to VLAN 255:
-> vlan 255 port default 2/8-10
-> vlan 255 port default 3/1-3
-> vlan 255 port default 3/8-10
-> vlan 255 port default 2/1-3
3 Change the Spanning Tree protocol for VLAN 255 to 802.1w (rapid reconfiguration) on each switch
using the following command:
-> bridge 255 protocol 1w
4 Change the bridge priority value for VLAN 255 on Switch D to 10 using the following command
(leave the priority for VLAN 255 on the other three switches set to the default value of 32768):
-> bridge 255 priority 10
VLAN 255 on Switch D will have the lowest Bridge ID priority value of all four switches, which will
qualify it as the Spanning Tree root VLAN for the VLAN 255 broadcast domain.
Note. To verify the VLAN 255 Spanning Tree configuration on each switch use the following show
commands. The following outputs are for example purposes only and may not match values shown in the
sample network configuration:
-> show spantree 255
Spanning Tree Parameters for Vlan 255
Spanning Tree Status : ON,
Protocol : IEEE 802.1W (Fast STP),
mode : 1X1 (1 STP per Vlan),
Priority : 32768(0x0FA0),
Bridge ID : 8000-00:d0:95:00:00:04,
Designated Root : 000A-00:d0:95:00:00:01,
Cost to Root Bridge : 4,
Root Port : Slot 3 Interface 8,
Next Best Root Cost : 0,
Next Best Root Port : None,
Hold Time : 1,
Topology Changes : 3,
Topology age : 0:4:37
Current Parameters (seconds)
Max Age = 30,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 30,
System Forward Delay = 15,
System Hello Time = 2
show spantree Displays VLAN Spanning Tree information, including parameter values
and topology change statistics.
show spantree ports Displays Spanning Tree information for switch ports, including parame-
ter values and the current port state.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Refer-
ence Guide. An example of the output for the show spantree and show spantree ports commands is also
given in Example Network Configuration Steps on page 6-32.
Initially all switch ports are non-mobile (fixed) and are assigned to VLAN 1, which is also their config-
ured default VLAN. When additional VLANs are created on the switch, ports are assigned to the VLANs
so that traffic from devices connected to these ports is bridged within the VLAN domain. Switch ports are
either statically or dynamically assigned to VLANs.
Methods for statically assigning ports to VLANs include the following:
Using the vlan port default command to define a new configured default VLAN for both non-mobile
(fixed) and mobile ports. (See Statically Assigning Ports to VLANs on page 7-4.)
Using the vlan 802.1q command to define tagged VLANs for non-mobile ports. This method allows
the switch to bridge traffic for multiple VLANs over one physical port connection. (See Chapter 11,
Configuring 802.1Q.)
Configuring ports as members of a link aggregate that is assigned to a configured default VLAN. (See
Chapter 13, Configuring Static Link Aggregation, and Chapter 14, Configuring Dynamic Link
Aggregation.)
Dynamic assignment applies only to mobile ports. When traffic is received on a mobile port, the packets
are classified using one of the following methods to determine VLAN assignment (see Dynamically
Assigning Ports to VLANs on page 7-4 for more information):
Packet is tagged with a VLAN ID that matches the ID of another VLAN that has mobile tagging
enabled.
Packet contents matches criteria defined in a VLAN rule.
Regardless of how a port is assigned to a VLAN, once the assignment occurs, a VLAN port association
(VPA) is created and tracked by VLAN management software on each switch.
In This Chapter
This chapter describes how to statically assign ports to a new default VLAN and configure mobile ports
for dynamic assignment through the Command Line Interface (CLI). CLI commands are used in the
configuration examples; for more details about the syntax of commands, see the OmniSwitch CLI Refer-
ence Guide.
Configuration procedures described in this chapter include:
Statically assigning ports to VLANs on page 7-4.
2 Assign switch ports 2 through 5 on slot 3 to VLAN 255 using the following command:
VLAN 255 is now the configured default VLAN for ports 2 through 5 on slot 3.
4 Disable the default VLAN parameter for mobile ports 3/4 and 3/5 using the following command:
With this parameter disabled, VLAN 255 will not carry any traffic received on 3/4 or 3/5 that does not
match any VLAN rules configured on the switch.
Note. Optional. To verify that ports 2 through 5 on slot 3 were assigned to VLAN 255, enter show vlan
followed by 255 then port. For example:
-> show vlan 255 port
port type status
--------+---------+--------------
3/2 default inactive
3/3 default inactive
3/4 default inactive
3/5 default inactive
To verify the mobile status of ports 4 and 5 on slot 3 and determine which mobile port parameters are
enabled, enter show vlan port mobile followed by a slot and port number. For example:
-> show vlan port mobile 3/4
Mobility : on,
Config Default Vlan: 255,
Default Vlan Enabled: off,
Default Vlan Perm : on,
Default Vlan Restore: on,
Authentication : off,
Ignore BPDUs : off
Port 3/2 is now assigned to VLAN 755 and no longer associated with VLAN 1. In addition, VLAN 755 is
now the new configured default VLAN for the port.
A configured default VLAN is the VLAN statically assigned to a port. Any time the vlan port default
command is used, the VLAN assignment is static and a new configured default VLAN is defined for the
port. This command is also the only way to change a non-mobile port VLAN assignment. In addition, non-
mobile ports can only retain one VLAN assignment, unlike mobile ports that can dynamically associate
with multiple VLANs. See Dynamically Assigning Ports to VLANs on page 7-4 for more information
about mobile ports.
Additional methods for statically assigning ports to VLANs include the following:
Using the vlan 802.1q command to define tagged VLANs for non-mobile ports. This method allows
the switch to bridge traffic for multiple VLANs over one physical port connection. (See Chapter 11,
Configuring 802.1Q, for more information.)
Configuring ports as members of a link aggregate that is assigned to a configured default VLAN. (See
Chapter 13, Configuring Static Link Aggregation, and Chapter 14, Configuring Dynamic Link
Aggregation, for more information.)
When a port is statically assigned to a VLAN, a VLAN port association (VPA) is created and tracked by
VLAN management software on each switch. To display a list of all VPAs, use the show vlan port
command. For more information, see Verifying VLAN Port Associations and Mobile Port Properties on
page 7-19.
VLANs 2, 3, and 4 are configured on the switch, each one has VLAN mobile tagging enabled.
OmniSwitch
VLAN 2
Mobile Tag Enabled
VLAN 4
Mobile Tag Enabled
VLAN 1
Default VLAN VLAN 3
Mobile Tag Enabled
As soon as the workstations start sending traffic, switch software checks the 802.1Q VLAN ID tag of the
frames and looks for a VLAN that has the same ID and also has mobile tagging enabled. Since the work-
stations are sending tagged packets destined for the mobile tag enabled VLANs, each port is assigned to
the appropriate VLAN without user intervention. As the diagram on page 7-7 shows,
Port 1 is assigned to VLAN 2, because the workstation is transmitting tagged packets destined for
VLAN 2.
Port 2 is assigned to VLAN 3 because the workstation is transmitting tagged packets destined for
VLAN 3.
Port 3 is assigned to VLAN 4 because the workstation is transmitting tagged packets destined for
VLAN 4.
All three ports, however, retain their default VLAN 1 assignment, but now have an additional VLAN
port assignment that carries the matching traffic on the appropriate rule VLAN.
OmniSwitch
VLAN 2 VLAN 4
IP Network 130.0.0.0 IP Network 140.0.0.0
VLAN 1
Default VLAN
VLAN 3
IP Network 138.0.0.0
Dynamic VPA
Default VLAN
Three additional VLANs are configured on the switch, each one has an IP network address rule defined
for one of the IP subnets.
OmniSwitch
VLAN 2
IP Network 130.0.0.0
VLAN 4
IP Network 140.0.0.0
VLAN 1
Default VLAN VLAN 3
IP Network 138.0.0.0
As soon as the workstations start sending traffic, switch software checks the source subnet of the frames
and looks for a match with any configured IP network address rules. Since the workstations are sending
traffic that matches a VLAN rule, each port is assigned to the appropriate VLAN without user interven-
tion. As the diagram on page 7-10 shows,
Port 1 is assigned to VLAN 2, because the workstation is transmitting IP traffic on network 130.0.0.0
that matches the VLAN 2 network address rule.
Port 2 is assigned to VLAN 3 because the workstation is transmitting IP traffic on network 138.0.0.0
that matches the VLAN 3 network address rule.
Port 3 is assigned to VLAN 4 because the workstation is transmitting IP traffic on network 140.0.0.0
that matches the VLAN 4 network address rule.
OmniSwitch
VLAN 2 VLAN 4
IP Network 130.0.0.0 IP Network 140.0.0.0
VLAN 1
Default VLAN
VLAN 3
IP Network 138.0.0.0
Dynamic VPA
Default VLAN
1 Use the vlan port mobile command to enable mobility on switch ports that will participate in dynamic
VLAN assignment. See Enabling/Disabling Port Mobility on page 7-11 for detailed procedures.
2 Enable/disable mobile port properties that determine mobile port behavior. See Configuring Mobile
Port Properties on page 7-16 for detailed procedures.
3 Create VLANs that will receive and forward mobile port traffic. See Chapter 5, Configuring VLANs,
for more information.
4 Configure the method of traffic classification (VLAN rules or tagged VLAN ID) that will trigger
dynamic assignment of a mobile port to the VLANs created in Step 3. See VLAN Rule Classification on
page 7-8 and VLAN Mobile Tag Classification on page 7-5 for more information.
Once the above configuration steps are completed, dynamic VLAN assignment occurs when a device
connected to a mobile port starts to send traffic. This traffic is examined by switch software to determine
which VLAN should carry the traffic based on the type of classification, if any, defined for a particular
VLAN. See Dynamically Assigning Ports to VLANs on page 7-4 for more information and examples of
dynamic VLAN port assignment.
To enable mobility on multiple ports, specify a range of ports and/or multiple slots.
-> vlan port mobile 4/1-5 5/12-20 6/10-15
Only Ethernet and gigabit Ethernet ports are eligible to become mobile ports. If any of the following
conditions are true, however, these ports are considered non-mobile ports and are not available for
dynamic VLAN assignment:
The mobile status for the port is disabled (the default).
Spanning Tree is active on the port and the BPDU ignore status is disabled for the port. (See Ignoring
Bridge Protocol Data Units (BPDU) on page 7-11 for more information.)
The port is configured to mirror other ports.
Note. Mobile ports are automatically trusted ports regardless of the QoS settings. See Chapter 26,
Configuring QoS, for more information.
Use the show vlan port mobile command to display a list of ports that are mobile or are eligible to
become mobile. For more information about this command, see the OmniSwitch CLI Reference Guide.
Mobility remains off on the port even if the ports link is disabled or disconnected. Rebooting the
switch, however, will restore the ports original mobile status.
When BPDU ignore is enabled and the mobile port receives a BPDU, the following occurs:
The port retains its mobile status and remains eligible for dynamic VLAN assignment.
Note. Enabling BPDU ignore is not recommended. In specific cases where it is required, such as connect-
ing legacy networks to mobile port networks, make sure that ignoring BPDU on a mobile port will not
cause network loops to go undetected. Connectivity problems could also result if a mobile BPDU port
dynamically moves out of its configured default VLAN where it provides traffic flow to/from the network.
The following command enables mobility and BPDU ignore on port 8 of slot 3:
-> vlan port mobile 3/8 BPDU ignore enable
Enabling mobility on an active port that sends or receives BPDU (e.g. ports that connect two switches and
Spanning Tree is enabled on both the ports and their assigned VLANs) is not allowed. If mobility is
required on this type of port, enable mobility and the BPDU ignore parameter when the port is not active.
The effects of enabling or disabling mobile port properties are described through the following diagrams:
How Mobile Port Traffic that Does Not Match any VLAN Rules is Classified on page 7-14.
OmniSwitch
Configured Default
VLAN 1
VLAN 3
If device traffic does not match any VLAN rules, then the default
VLAN property determines if the traffic is forwarded on the ports
configured default VLAN (VLAN 1 in this example).
VLAN 3 VLAN 3
Device traffic that does not match any Device traffic that does not match
VLAN rules is forwarded on the mobile any VLAN rules is discarded.
ports configured default VLAN.
How Mobile Port Traffic that Does Not Match any VLAN Rules is Classified
Secondary Secondary
VLAN 3 VLAN 3
Why enable restore default VLAN? Why disable restore default VLAN?
Security. VLANs only contain mobile port VPAs are retained even when port traffic is
traffic that has recently matched rule criteria. idle for some time. When traffic resumes, it is
not necessary to relearn the same VPA again.
VPAs created from occasional network users Appropriate for devices that only send occa-
(e.g., laptop) are not unnecessarily retained. sional traffic.
Command Description
vlan port default vlan Enables or disables forwarding of mobile port traffic on the ports con-
figured default VLAN that does not match any existing VLAN rules.
vlan port default vlan restore Enables or disables the retention of VLAN port assignments when
mobile port traffic ages out.
vlan port authenticate Enables or disables authentication on a mobile port.
vlan port 802.1x Enables or disables 802.1X port-based access control on a mobile port.
Use the show vlan port mobile command to view the current status of these properties for one or more
mobile ports. See Verifying VLAN Port Associations and Mobile Port Properties on page 7-19 for more
information.
To enable or disable the configured default VLAN on multiple ports, specify a range of ports and/or multi-
ple slots.
-> vlan port 2/1-12 3/10-24 4/3-14 default vlan enable
Note. It is recommended that mobile ports with their default VLAN disabled should not share a VLAN
with any other types of ports (e.g., mobile ports with default VLAN enabled or non-mobile, fixed ports).
See Understanding Mobile Port Properties on page 7-12 for an overview and illustrations of how this
property affects mobile port behavior.
To enable or disable default VLAN restore on multiple ports, specify a range of ports and/or multiple
slots.
-> vlan port 2/1-12 3/10-24 4/3-14 default vlan restore enable
Note the following when changing the restore default VLAN status for a mobile port:
If a hub is connected to a mobile port, enabling default VLAN restore on that port is recommended.
VLAN port rule assignments are exempt from the effects of the restore default VLAN status. See
Chapter 9, Defining VLAN Rules, for more information about using port rules to forward mobile
port traffic
When a mobile port link is disabled and then enabled, all secondary VPAs for that port are automati-
cally dropped regardless of the restore default VLAN status for that port. Switch ports are disabled
when a device is disconnected from the port, a configuration change is made to disable the port, or
switch power is turned off.
See Understanding Mobile Port Properties on page 7-12 for an overview and illustrations of how this
property affects mobile port behavior.
To enable or disable authentication on multiple ports, specify a range of ports and/or multiple slots.
-> vlan port 6/1-32 8/10-24 9/3-14 authenticate enable
Only mobile ports are eligible for authentication. If enabled, the mobile port participates in the Layer 2
authentication process supported by Alcatel switches. This process restricts switch access at the VLAN
level. The user is required to enter a valid login ID and password before gaining membership to a VLAN.
For more information, see Chapter 22, Configuring Authenticated VLANs.
To enable or disable 802.1X on multiple ports, specify a range of ports and/or multiple slots.
-> vlan port 6/1-32 8/10-24 9/3-14 802.1x enable
-> vlan port 5/3-6 9/1-4 802.1x disable
Only mobile ports are eligible for 802.1X port-based access control. If enabled, the mobile port partici-
pates in the authentication and authorization process defined in the IEEE 802.1X standard and supported
by Alcatel switches. For more information, see Chapter 23, Configuring 802.1X.
show vlan port Displays a list of VLAN port assignments, including the type and status
for each assignment
show vlan port mobile Displays the mobile status and current mobile parameter values for each
port.
Type Description
default The port was statically assigned to the VLAN using the vlan port default
command. The VLAN is now the ports configured default VLAN.
qtagged The port was statically assigned to the VLAN using the vlan 802.1q com-
mand. The VLAN is a static secondary VLAN for the 802.1Q tagged port.
mobile The port is mobile and was dynamically assigned when traffic received on
the port matched VLAN criteria (VLAN rules or tagged VLAN ID). The
VLAN is a dynamic secondary VLAN assignment for the mobile port.
mirror The port is assigned to the VLAN because it is configured to mirror another
port that is assigned to the same VLAN. For more information about the
Port Mirroring feature, see Chapter 29, Diagnosing Switch Problems.
Status Description
inactive Port is not active (administratively disabled, down, or nothing connected to
the port) for the VPA.
blocking Port is active, but not forwarding traffic for the VPA.
forwarding Port is forwarding all traffic for the VPA.
filtering Mobile port traffic is filtered for the VPA; only traffic received on the port
that matches VLAN rules is forwarded. Occurs when a mobile ports VLAN
is administratively disabled or the ports default VLAN status is disabled.
Does not apply to fixed ports.
The following example uses the show vlan port command to display VPA information for all ports in
VLAN 200:
-> show vlan 200 port
VLAN 200 is a secondary VLAN for mobile port 5/11, which is currently forwarding traffic for this
VPA.
VLAN 200 is an 802.1Q tagged VLAN for port 5/12, which is an active port but currently blocked
from forwarding traffic.
Another example of the output for the show vlan port command is also given in Sample VLAN Port
Assignment on page 7-3. For more information about the resulting display from this command, see the
OmniSwitch CLI Reference Guide.
Note that the show vlan port mobile command only displays ports that are mobile or are eligible to
become mobile ports. For example, ports that are part of a link aggregate or are configured for 802.1Q
VLAN tagging are not included in the output of this command.
Another example of the output for the show vlan port mobile command is also given in Sample VLAN
Port Assignment on page 7-3. For more information about the resulting display from this command, see
the OmniSwitch CLI Reference Guide.
Port Mapping is a security feature, which controls communication between peer users. Each session
comprises a session ID, a set of user ports, and/or a set of network ports. The user ports within a session
cannot communicate with each other and can only communicate via network ports. In a port mapping
session with user port set A and network port set B, the ports in set A can only communicate with the ports
in set B. If set B is empty, the ports in set A can communicate with rest of the ports in the system.
A port mapping session can be configured in the unidirectional or bidirectional mode. In the unidirec-
tional mode, the network ports can communicate with each other within the session. In the bidirectional
mode, the network ports cannot communicate with each other. Network ports of a unidirectional port
mapping session can be shared with other unidirectional sessions, but cannot be shared with any sessions
configured in the bidirectional mode. Network ports of different sessions can communicate with each
other.
Note. Port Mapping is only supported on the OmniSwitch 6800 and 6850 switches for this release.
In This Chapter
This chapter describes the port mapping security feature and explains how to configure the same through
the Command Line Interface (CLI).
Configuration procedures described in this chapter include:
Creating/Deleting a Port Mapping Sessionsee Creating a Port Mapping Session on page 8-3 or
Deleting a Port Mapping Session on page 8-3.
Enabling/Disabling a Port Mapping Sessionsee Enabling a Port Mapping Session on page 8-4 or
Disabling a Port Mapping Session on page 8-4.
Configuring a Port Mapping Directionsee Configuring Unidirectional Port Mapping on page 8-4
and Restoring Bidirectional Port Mapping on page 8-4.
Configuring an example Port Mapping Sessionsee Sample Port Mapping Configuration on
page 8-5.
Verifying a Port Mapping Sessionsee Verifying the Port Mapping Configuration on page 8-6.
2 Enable the port mapping session with the port mapping command. For example:
Note. You can verify the configuration of the port mapping session by entering show port mapping
followed by the session ID
-> show port mapping 3
You can also verify the status of a port mapping session by using the show port mapping status
command.
You can create a port mapping session with link aggregate network ports. For example, to create a port
mapping session 3 with network ports of link aggregation group 7, you would enter:
-> port mapping 3 network-port linkagg 7
You can specify all the ports of a slot to be assigned to a mapping session. For example, to create a port
mapping session 3 with all the ports of slot 1 as network ports, you would enter:
-> port mapping 3 network-port slot 1
You can specify a range of ports to be assigned to a mapping session. For example, to create a port
mapping session 4 with ports 5 through 8 on slot 2 as user ports, you would enter:
-> port mapping 4 user-port 2/5-8
Similarly, to delete the network ports of link aggregation group 7 of a mapping session 4, you would enter:
-> port mapping 4 no network-port linkagg 7
Note. You must delete any attached ports with the port mapping user-port network-port command
before you can delete a port mapping session.
Note. To change the direction of an active session with network ports, delete the network ports of the
session, change the direction, and recreate the network ports.
The Switch D is configured by creating a port mapping session 1 with user ports 2/1, 2/2 and network
ports 1/1.
2/2 2/2
3/1 3/1
Port mapping session 1
2 Configure session 1 on Switch A in the unidirectional mode using the following command:
Similarly, create and enable a port mapping session 1 on Switch D by entering the following commands:
-> port mapping 1 user-port 2/1-2 network-port 1/1
show port mapping status Displays the status of one or more port mapping sessions.
show port mapping Displays the configuration of one or more port mapping sessions.
For more information about the displays that result from these commands, see the OmniSwitch CLI Refer-
ence Guide.
VLAN rules are used to classify mobile port traffic for dynamic VLAN port assignment. Rules are defined
by specifying a port, MAC address, protocol, network address, binding, or DHCP criteria to capture
certain types of network device traffic. It is also possible to define multiple rules for the same VLAN. A
mobile port is assigned to a VLAN if its traffic matches any one VLAN rule.
There is an additional method for dynamically assigning mobile ports to VLANs that involves enabling
VLAN mobile tagging. This method is similar to defining rules in that the feature is enabled on the VLAN
that is going to receive the mobile port tagged traffic. The difference, however, is that tagged packets
received on mobile ports are classified by their 802.1Q VLAN ID tag and not by whether or not their
source MAC, network address, or protocol type matches VLAN rule criteria.
In This Chapter
This chapter contains information and procedures for defining VLAN rules through the Command Line
Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax
of commands, see the OmniSwitch CLI Reference Guide. Refer to Chapter 5, Configuring VLANs, and
Chapter 7, Assigning Ports to VLANs, for information about the VLAN mobile tagging feature.
Configuration procedures described in this chapter include:
Defining DHCP rules on page 9-12.
Defining binding rules to restrict access to specific network devices on page 9-14.
For information about creating and managing VLANs, see Chapter 5, Configuring VLANs.
For information about enabling port mobility and defining mobile port properties, see Chapter 7, Assign-
ing Ports to VLANs.
1 Create VLAN 255 with a description (e.g., Finance IP Network) using the following command:
2 Define an IP network address rule for VLAN 255 that will capture mobile port traffic containing a
network 21.0.0.0 IP source address. For example:
-> vlan 255 ip 21.0.0.0
3 Define a DHCP MAC range rule for VLAN 255 that will capture mobile port DHCP traffic that
contains a source MAC address that falls within the range specified by the rule. For example:
-> vlan 255 dhcp mac 00:DA:95:00:59:10 00:DA:95:00:59:9F
4 Define an IPX protocol rule for VLAN 355 that will capture mobile port traffic containing an IPX
protocol type value. For example:
-> vlan 355 protocol ipx-e2
5 Define a MAC-IP-port binding rule that restricts assignment to VLAN 1500 to traffic received on
mobile port 3/10 containing a MAC address of 00:DA:95:00:CE:3F and an IP address of 21.0.0.43. For
example:
-> vlan 1500 binding mac-ip-port 00:da:95:00:ce:3f 21.0.0.43 3/10
Note. Optional. To verify that the rules in this tutorial were defined for VLANs 255, 355, and 1500, enter
show vlan rules. For example:
-> show vlan rules
Rule See
DHCP MAC Address DHCP Rules on page 9-5
DHCP MAC Range
DHCP Port
DHCP Generic
MAC-Port-IP Address Binding Binding Rules on page 9-6
MAC-Port-Protocol Binding
MAC-Port Binding
MAC-IP Address Binding
Port-IP Address Binding
Port-Protocol Binding
MAC Address MAC Address Rules on page 9-6
MAC Address Range
Network Address Network Address Rules on page 9-6
Protocol Protocol Rules on page 9-6
Port Port Rules on page 9-7
Use the show vlan rules command to display a list of rules already configured on the switch. For more
information about this command, refer to the OmniSwitch CLI Reference Guide.
DHCP Rules
Dynamic Host Configuration Protocol (DHCP) frames are sent from client workstations to request an IP
address from a DHCP server. The server responds with the same type of frames, which contain an IP
address for the client. If clients are connected to mobile ports, DHCP rules are used to classify this type of
traffic for the purposes of transmitting and receiving DHCP frames to and from the server.
When a mobile port receives a DHCP frame that matches a DHCP rule, the port is temporarily assigned to
the VLAN long enough to forward the DHCP requests within the VLAN broadcast domain. The source
MAC address of the DHCP frame, however, is not learned for that VLAN port association. As a result, the
show mac-address-table command output will not contain an entry for the DHCP source MAC address.
The show vlan port command output, however, will contain an entry for the temporary VLAN port asso-
ciation that occurs during this process.
Once a device connected to a mobile port receives an IP address from the DHCP server, the VLAN port
assignment triggered by the devices DHCP frames matching a VLAN DHCP rule is dropped unless regu-
lar port traffic matches another rule on that same VLAN. If this match occurs, or the traffic matches a rule
on another VLAN, then the source MAC address of the mobile ports frames is learned for that VLAN
port association.
DHCP rules are most often used in combination with IP network address rules. A DHCP client has an IP
address of all zeros (0.0.0.0) until it receives an IP address from a DHCP server, so initially it would not
match any IP network address rules.
Binding rules, MAC address rules, and protocol rules also capture DHCP client traffic. The exception to
this is binding rules that specify an IP address as part of the rule, similar to IP network address rule defini-
tions.
The following DHCP rule types are available:
DHCP MAC Address
DHCP Port
DHCP Generic
Binding Rules
Binding rules restrict VLAN assignment to specific devices by requiring that device traffic match all crite-
ria specified in the rule. As a result, a separate binding rule is required for each device. An unlimited
number of such rules, however, is allowed per VLAN and up to 8129 of each rule type is allowed per
switch. Although DHCP traffic is examined and processed first by switch software, binding rules take
precedence over all other rules.
The following binding rule types are available. The rule type name indicates the criteria the rule uses to
determine if device traffic qualifies for VLAN assignment. For example, the MAC-Port-IP address bind-
ing rule requires a matching source MAC and IP address in frames received from a device connected to
the port specified in the rule.
MAC-port-IP Address
MAC-port-protocol
MAC-port
MAC-IP Address
port-IP address
port-protocol
Note that MAC-port-IP and MAC-port binding rules are also supported on Authenticated VLANs
(AVLANs). See Configuring VLAN Rule Definitions on page 9-11 and Chapter 22, Configuring
Authenticated VLANs, for more information.
Protocol Rules
Protocol rules determine VLAN assignment based on the protocol a device uses to communicate. When
defining this type of rule, there are several generic protocol values to select from: IP, IPX, AppleTalk, or
DECNet. If none of these are sufficient, it is possible to specify an Ethernet type, Destination and Source
Service Access Protocol (DSAP/SSAP) header values, or a Sub-network Access Protocol (SNAP) type.
Note that specifying a SNAP protocol type restricts classification of mobile port traffic to the ethertype
value found in the IEEE 802.2 SNAP LLC frame header.
IP protocol rules also capture DHCP traffic, if no other DHCP rule exists that would classify the DHCP
traffic into another VLAN. Therefore, it is not necessary to combine DHCP rules with IP protocol rules
for the same VLAN.
Port Rules
Port rules are fundamentally different from all other supported rule types, in that traffic is not required to
trigger dynamic assignment of the mobile port to a VLAN. As soon as this type of rule is created, the
specified port is assigned to the VLAN only for the purpose of forwarding broadcast types of VLAN traf-
fic to a device connected to that same port.
Port rules are mostly used for silent devices, such as printers, that require VLAN membership to receive
traffic forwarded from the VLAN. These devices usually dont send traffic, so they do not trigger dynamic
assignment of their mobile ports to a VLAN.
It is also possible to specify the same port in more than one port rule defined for different VLANs. The
advantage to this is that traffic from multiple VLANs is forwarded out the one mobile port to the silent
device. For example, if port 3 on slot 2 is specified in a port rule defined for VLANs 255, 355, and 755,
then outgoing traffic from all three of these VLANs is forwarded on port 2/3.
Port rules only apply to outgoing mobile port traffic and do not classify incoming traffic. If a mobile port
is specified in a port rule, its incoming traffic is still classified for VLAN assignment in the same manner
as all other mobile port traffic.
VLAN assignments that are defined using port rules are exempt from the ports default VLAN restore
status. See Chapter 7, Assigning Ports to VLANs, for more information regarding a ports default
VLAN restore status and other mobile port properties.
Note. Another type of mobile traffic classification, referred to as VLAN mobile tagging, takes precedence
over all VLAN rules. If a mobile port receives an 802.1Q packet that contains a VLAN ID tag that
matches a VLAN that has mobile tagging enabled, the port and its traffic are assigned to this VLAN, even
if the traffic matches a rule defined on any other VLAN. See Chapter 7, Assigning Ports to VLANs, for
more information about VLAN mobile tag classification.
The VLAN rule precedence table on page 9-9 provides a list of all VLAN rules, including the two internal
rules mentioned above, in the order of precedence that switch software applies to classify mobile port
frames. The first column lists the rule type names, the second and third columns describe how the switch
handles frames that match or dont match rule criteria. The higher the rule is in the list, the higher its level
of precedence.
When a frame is received on a mobile port, switch software starts with rule one in the rule precedence
table and progresses down the list until there is a successful match between rule criteria and frame
contents. The exception to this is if there is a binding rule violation. In this case, the frame is blocked and
its source port is not assigned to the rules VLAN.
Each binding rule type contains multiple parameters that are used to determine if a mobile port frame qual-
ifies for assignment to the binding rule VLAN, violates one of the binding rule parameter values, or is
simply allowed on the port but not assigned to the binding rule VLAN. For example, as indicated in the
rule precedence table, a mobile port frame is compared to binding MAC-port rule criteria and processed as
follows:
If the frames source MAC address matches the rules MAC address, then the frames port must also
match the rules port to qualify for assignment to the rules VLAN.
If the frames source MAC matches but the frames port does not match, then a violation occurs and
the frame is blocked and the port is not assigned to the rules VLAN. There is no further attempt to
match this frame to rules of lower precedence.
If the frames source MAC does not match but the frames port does match, the frame is allowed but
the port is not assigned to the rules VLAN. The frame is then compared to other rules of lower precen-
dence in the table or carried on the mobile ports default VLAN if the frame does not match any other
VLAN rules and the mobile ports default VLAN is enabled.
In the above example, the MAC address parameter defines a critical match value for the binding rule. The
port parameter defines a non-critical match value for the binding rule. When a critical match occurs, the
contents of a frame must also match all other paramter values or the frame is dropped. If a non-critical
match occurs, the frame is still processed even if it does not match all other paramters.
Note. If the contents of a mobile port frame matches the values specified in both an IP network address
rule and a port-protocol binding rule, the IP network address rule takes precedence. However, if the
contents of such frame violates the port-protocol binding rule, the frame is dropped.
When a VLAN is administratively disabled, static port and dynamic mobile port assignments are
retained but traffic on these ports is not forwarded. However, VLAN rules remain active and continue
to classify mobile port traffic for VLAN membership.
When a VLAN is deleted from the switch configuration, all rules defined for that VLAN are automati-
cally removed and any static or dynamic port assignments are dropped.
It is possible to define MAC-port-IP and MAC-port binding rules for Authenticated VLANs
(AVLANs). However, these rules are not active until the avlan port-bound command is issued for the
AVLAN. Note that these rules only apply to traffic received on authenticated ports. See Chapter 22,
Configuring Authenticated VLANs, for more information.
Refer to the following sections (listed in the order of rule precedence) for instructions on how to define
each type of VLAN rule:
Rule See
DHCP MAC Address Defining DHCP MAC Address Rules on page 9-12
DHCP MAC Range Defining DHCP MAC Range Rules on page 9-13
DHCP Port Defining DHCP Port Rules on page 9-13
DHCP Generic Defining DHCP Generic Rules on page 9-14
MAC-Port-IP Address Binding Defining Binding Rules on page 9-14
MAC-Port Binding
Port-Protocol Binding
MAC Address Defining MAC Address Rules on page 9-17
MAC Address Range Defining MAC Range Rules on page 9-18
Network Address Defining IP Network Address Rules on page 9-18 and
Defining IPX Network Address Rules on page 9-19
Protocol Defining Protocol Rules on page 9-20
Port Defining Port Rules on page 9-21
To display a list of VLAN rules already configured on the switch, use the show vlan rules command. For
more information about this command, refer to the OmniSwitch CLI Reference Guide.
Only one MAC address is specified when using the vlan dhcp mac command to create a DHCP MAC
rule. Therefore, to specify multiple MAC addresses for the same VLAN, create a DHCP MAC rule for
each address. If dealing with a large number of MAC addresses in sequential order, consider using a
DHCP MAC range rule described in the next section.
Use the no form of the vlan dhcp mac command to remove a DHCP MAC address rule.
-> vlan 255 no dhcp mac 00:00:da:59:0c:11
Only valid source MAC addresses are allowed for the low and high end boundary MACs. For example,
multicast addresses (e.g., 01:00:00:c5:09:1a) are ignored even if they fall within a specified MAC range
and are not allowed as the low or high end boundary MAC. If an attempt is made to use a multicast
address for one of the boundary MACs, an error message is displayed and the rule is not created.
Use the no form of the vlan dhcp mac range command to remove a DHCP MAC range rule. Note that it
is only necessary to enter the low end MAC address to identify which rule to remove.
-> vlan 1000 no dhcp mac range 00:00:da:00:00:01
To specify multiple ports and/or slots, use a hyphen to specify a range of ports and a space to specify
multiple slots. For example,
-> vlan 255 dhcp port 4/1-5 5/12-20 6/10-15
Use the no form of the vlan dhcp port command to remove a DHCP port rule.
-> vlan 255 no dhcp port 2/10-12 3/1-5 6/1-9
Use the no form of the vlan dhcp generic command to remove a DHCP generic rule.
-> vlan 255 no dhcp generic
4 The device must use a specific IP address and use a specific MAC address (MAC-IP address binding
rule).
5 The device must use a specific port and a specific IP address (port-IP address binding rule).
6 The device must attach to a specific switch port and use a specific protocol (port-protocol binding
rule).
If frames do not contain matching criteria, they are compared against other existing VLAN rules of lower
precedence. However, if a frame violates criteria of any one binding rule, it is discarded. Refer to Under-
standing VLAN Rule Precedence on page 9-8 for more information.
Note that MAC-port-IP and MAC-port binding rules are also supported on Authenticated VLANs
(AVLANs). See Chapter 22, Configuring Authenticated VLANs, for more information.
The following subsections provide information about how to define each of the binding rule types.
In this example, frames received on mobile port 2/3 must contain a source MAC address of
00:00:da:59:0c:12 and a source IP address of 21.0.0.10 to qualify for dynamic assignment to VLAN 255.
Use the no form of the vlan binding mac-ip-port command to remove a MAC-port-IP binding rule. Note
that it is only necessary to enter the rules MAC address parameter value to identify which rule to remove.
-> vlan 255 no binding mac-ip-port 00:00:da:59:0c:12
Note that this binding rule type is also supported on AVLANs. See Chapter 22, Configuring Authenti-
cated VLANs, for more information.
The first example command specifies that frames received on mobile port 3/1 must contain a source MAC
address of 00:00:da:59:0c:12 and an IP protocol type to qualify for dynamic assignment to VLAN 355.
The second command specifies that frames received on mobile port 4/1 must contain a source MAC
address of 00:00:20:11:4a:29 and a DSAP/SSAP protocol value of 04/04 to qualify for dynamic assign-
ment to VLAN 455.
The following table lists command keywords for specifying a protocol type:
Note that specifying a SNAP protocol type restricts classification of mobile port traffic to the ethertype
value found in the IEEE 802.2 SNAP LLC frame header.
Use the no form of the vlan binding mac-port-protocol command to remove a MAC-port-protocol bind-
ing rule. Note that it is only necessary to enter the rules MAC address and protocol parameter values to
identify which rule to remove.
-> vlan 455 no binding mac-port-protocol 00:00:20:11:4a:29 dsapssap 04/04
Note that this binding rule type is also supported on AVLANs. See Chapter 22, Configuring Authenti-
cated VLANs, for more information.
In this example, frames received on mobile port 6/10 must contain a source MAC address of
00:02:9a:3e:f1:06 to qualify for dynamic assignment to VLAN 1500.
Use the no form of the vlan binding mac-port command to remove a MAC-port binding rule. Note that it
is only necessary to enter the rules MAC address parameter value to identify which rule to remove.
-> vlan 1500 no binding mac-port 00:02:9a:3e:f1:06
Note that this binding rule type is also supported on AVLANs. See Chapter 22, Configuring Authenti-
cated VLANs, for more information.
In this example, frames received on any mobile port must contain a source MAC address of
00:02:9a:3e:f1:07 and a source IP subnet address of 172.16.6.3 to qualify for dynamic assignment to
VLAN 1501.
Use the no form of the vlan binding mac-ip command to remove a MAC-IP binding rule. Note that it is
only necessary to enter the rules MAC address parameter value to identify which rule to remove.
-> vlan 1500 no binding mac-port 00:02:9a:3e:f1:07
In this example, frames received on mobile port 5/12 must contain a source IP subnet address of
172.16.6.4 to qualify for dynamic assignment to VLAN 1502.
Use the no form of the vlan binding ip-port command to remove an IP-port binding rule. Note that it is
only necessary to enter the rules IP subnet address parameter value to identify which rule to remove.
-> vlan 1502 no binding ip-port 172.16.6.4
Note that this binding rule type is also supported on AVLANs. See Chapter 22, Configuring Authenti-
cated VLANs, for more information.
The first example command specifies that frames received on mobile port 3/1 must contain an IP SNAP
protocol type to qualify for dynamic assignment to VLAN 1503. The second command specifies that
frames received on mobile port 4/1 must contain a DSAP/SSAP protocol value of F0/F0 to qualify for
dynamic assignment to VLAN 1504.
The following table lists command keywords for specifying a protocol type:
Note that specifying a SNAP protocol type restricts classification of mobile port traffic to the ethertype
value found in the IEEE 802.2 SNAP LLC frame header.
Use the no form of the vlan binding port-protocol command to remove a port-protocol binding rule.
-> vlan 255 no binding port-protocol 8/12 ethertype 0600
Only one MAC address is specified when using the vlan mac command to create a MAC address rule.
Therefore, to specify multiple MAC addresses for the same VLAN, create a separate rule for each address.
If dealing with a large number of MAC addresses, consider using MAC address range rules described in
the next section.
Use the no form of the vlan mac command to remove a MAC address rule.
-> vlan 255 no mac 00:00:da:59:0c:11
Only valid source MAC addresses are allowed for the low and high end boundary MACs. For example,
multicast addresses (e.g., 01:00:00:c5:09:1a) are ignored even if they fall within a specified MAC range
and are not allowed as the low or high end boundary MAC. If an attempt is made to use a multicast
address for one of the boundary MACs, an error message is displayed and the rule is not created.
Use the no form of the vlan mac range command to remove a MAC range rule. Note that it is only neces-
sary to enter the low end MAC address to identify which rule to remove.
-> vlan 1000 no mac range 00:00:da:00:00:01
Note. IP network address rules are applied to traffic received on both mobile and fixed (non-mobile) ports.
As a result, fixed port traffic that contains an IP address that is included in the IP subnet specified by the
rule is dropped. However, if the IP network address rule VLAN is also the default VLAN for the fixed
port, then the fixed port traffic is forwarded and not dropped.
To define an IP network address rule, enter vlan followed by an existing VLAN ID then ip followed by a
valid IP network address and an optional subnet mask. For example, the following command creates an IP
network address rule for VLAN 1200:
-> vlan 1200 ip 31.0.0.0 255.0.0.0
In this example, frames received on any mobile port must contain a network 31.0.0.0 source IP address
(e.g., 31.0.0.10, 31.0.0.4) to qualify for dynamic assignment to VLAN 1200.
If a subnet mask is not specified, the default class for the IP address is used (Class A, B, or C). For exam-
ple, either one of the following commands will create an IP network address rule for network 134.10.0.0:
-> vlan 1200 ip 134.10.0.0 255.255.0.0
-> vlan 1200 ip 134.10.0.0
The pool of available internet IP addresses is divided up into three classes, as shown in the following
table. Each class includes a range of IP addresses. The range an IP network address belongs to determines
the default class for the IP network when a subnet mask is not specified.
Use the no form of the vlan ip command to remove an IP network address rule.
-> vlan 1200 no ip 134.10.0.0
In this example, frames received on any mobile port must contain an IPX network a010590c address with
a Novell Raw (802.3) encapsulation to qualify for dynamic assignment to VLAN 1200.
IPX network addresses consist of eight hex digits. If an address less than eight digits is entered, the entry
is prefixed with zeros to equal eight characters. For example, the following command results in an IPX
network address rule for network 0000250b:
-> vlan 1210 ipx 250b snap
If an encapsulation parameter value is not specified, this value defaults to Ethernet-II encapsulation. For
example, either one of the following commands creates the same IPX network address rule:
-> vlan 1220 ipx 250c e2
-> vlan 1220 ipx 250c
If the IPX network address rule VLAN is going to route IPX traffic, it is important to specify a rule encap-
sulation that matches the IPX router port encapsulation. If there is a mismatch, connectivity with other
IPX devices may not occur. See Chapter 5, Configuring VLANs, for information about defining VLAN
IPX router ports.
Use the no form of the vlan ipx command to remove an IPX network address rule. Note that it is only
necessary to specify the IPX network address to identify which rule to remove:
-> vlan 1220 no ipx 250c
The first example command specifies that frames received on any mobile port must contain an IP SNAP
protocol type to qualify for dynamic assignment to VLAN 1503. The second command specifies that
frames received on any mobile port must contain a DSAP/SSAP protocol value of f0/f0 to qualify for
dynamic assignment to VLAN 1504.
If an attempt is made to define an Ethertype rule with a protocol type value that is equal to the value
already captured by one of the generic IP or IPX protocol rules, a message displays recommending the use
of the IP or IPX generic rule. The following example shows what happens when an attempt is made to
create a protocol rule with an Ethertype value of 0800 (IP Ethertype):
-> vlan 200 protocol ethertype 0800
ERROR: Part of ip ethernet protocol class - use <vlan # protocol ip-e2> instead
Note that specifying a SNAP protocol type restricts classification of mobile port traffic to the ethertype
value found in the IEEE 802.2 SNAP LLC frame header.
Use the no form of the vlan protocol command to remove a protocol rule.
-> vlan 1504 no protocol dsapssap f0/f0
In this example, all traffic on VLAN 755 is flooded out mobile port 2 on slot 3.
Note that it is possible to define a port rule for a non-mobile (fixed, untagged) port, however, the rule is
not active until mobility is enabled on the port.
Use the no form of the vlan port command to remove a port rule.
-> vlan 755 no port 2/3
The VLANs
This application example contains three (3) VLANs. These VLANs are called Test, Production, and
Branch. The Test VLAN connects to the main network, the Production VLAN, through an external router.
The configuration of this VLAN is self-contained, making it easy to duplicate for testing purposes. The
Test VLAN contains its own DHCP server and DHCP clients. The clients gain membership to the VLAN
through DHCP port rules.
The Production VLAN carries most of the traffic in this network. It does not contain a DHCP server, but
does contain DHCP clients that gain membership through DHCP port rules. Two external routers connect
this VLAN to the Test VLAN and a Branch VLAN. One of the external routersthe one connected to the
Branch VLANhas DHCP Relay functionality enabled. It is through this router that the DHCP clients in
the Production VLAN access the DHCP server in the Branch VLAN.
The Branch VLAN contains a number of DHCP client stations and its own DHCP server. The DHCP
clients gain membership to the VLAN through both DHCP port and MAC address rules. The DHCP server
allocates IP addresses to all Branch and Production VLAN clients.
The following table summarizes the VLAN architecture and rules for all devices in this network configu-
ration. The diagram on the following page illustrates this network configuration.
OmniSwitch
TM
OmniSwitch 9700
Client 1
DHCP Port
Rule
Server 1 Test VLAN
10.15.14.16 IP Subnet 10.15.X.X Client 2
DHCP Port Rules DHCP Port
Rule
Client 3
Router 1 DHCP
No DHCP Port Rule
Relay
Production VLAN Client 4
IP Subnet 10.15.128.X DHCP
DHCP Port Rules Port Rule
Router 2
DHCP
Relay On Client 5
DHCP
Port Rule
Client 7
DHCP
MAC
Client 8
DHCP Servers DHCP
Both DHCP servers become members in their MAC
respective VLANs via IP subnet rules.
DHCP Clients
Routers
Clients 1 to 6 are assigned to their respective
Router 1 provides connectivity between the Test VLANs through DHCP port rules. Clients 3 and
VLAN and the Production VLAN. It does not 4 are not in a VLAN with a DHCP server so they
have Bootp functionality enabled so it cannot must rely on the server in the Branch VLAN for
connect DHCP servers and clients from different initial addressing information. Clients 7 and 8
VLANs. share a port with other devices, so they are
assigned to the Branch VLAN via DHCP MAC
Router 2 connects the Production VLAN and the address rules.
Branch VLAN. With DHCP Relay enabled, this
router can provide connectivity between the
DHCP server in the Branch VLAN and the DHCP
clients in the Production VLAN.
show vlan rules Displays a list of rules for one or all VLANs configured on the switch.
For more information about the resulting display from this command, see the OmniSwitch CLI Reference
Guide. An example of the output for the show vlan rules command is also given in Sample VLAN Rule
Configuration on page 9-3.
Alcatel Interswitch Protocol (AIP) is used to discover adjacent switches in the network. The following
protocol is supported:
Alcatel Mapping Adjacency Protocol (AMAP), which is used to discover the topology of
OmniSwitches and Omni Switch/Router (Omni S/R). See AMAP Overview on page 10-3.
This protocol is described in detail in this chapter.
In This Chapter
This chapter describes the AMAP protocol and how to configure it through the Command Line Interface
(CLI). CLI commands are used in the configuration examples; for more details about the syntax of
commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Activating AMAP on page 10-5.
For information about statically and dynamically assigning switch ports to VLANs, see Chapter 7,
Assigning Ports to VLANs.
For information about defining VLAN rules that allow dynamic assignment of mobile ports to a VLAN,
see Chapter 9, Defining VLAN Rules.
AIP Specifications
Standards Not applicable at this time. AMAP is an Alcatel pro-
prietary protocol.
Maximum number of IP addresses 255
propagated by AMAP
AMAP Defaults
Parameter Description Command Default
AMAP status amap Enabled
Discovery time interval amap discovery time 30 seconds
Common time interval amap common time 300 seconds
AMAP Overview
The Alcatel Mapping Adjacency Protocol (AMAP) is used to discover the topology of OmniSwitches in a
particular installation. Using this protocol, each switch determines which OmniSwitches are adjacent to it
by sending and responding to Hello update packets. For the purposes of AMAP, adjacent switches are
those that:
have a Spanning Tree path between them
do not have any switch between them on the Spanning Tree path that has AMAP enabled
In the illustration here, all switches are on the Spanning Tree path. OmniSwitch A and OmniSwitch C
have AMAP enabled. OmniSwitch B does not. OmniSwitch A is adjacent to OmniSwitch C and vice
versa. If OmniSwitch B enables AMAP, the adjacency changes. OmniSwitch A would be next to
OmniSwitch B, B would be adjacent to both A and C, and C would be adjacent to B.
TM
OmniSwitch 9700
Note. All Hello packet transmissions are sent to a well-known MAC address (0020da:007004).
No
Yes Any No
Hello packet received Common Hello packet
before discovery Transmission State received?
time-out interval?
Configuring AMAP
AMAP is active by default. In addition to disabling or enabling AMAP, you can view a list of adjacent
switches or configure the time-out intervals for Hello packet transmission and reception.
Note. Ports in the common transmission state send out Hello packets based on the common time-out inter-
val described later.
The discovery time-out interval is set to 30 seconds by default. To display the current discovery time-out
interval, enter the following command:
-> show amap
To change the discovery time-out interval, use either of these forms of the command with the desired
value (any value between 1 and 65535). Note that the use of the time command keyword is optional. For
example:
-> amap discovery 60
-> amap discovery time 60
Note. Switches avoid synchronization by jittering the common time-out interval plus or minus 10 percent
of the configured value. For example, if the default common time-out interval is used (300 seconds), the
jitter is plus or minus 30 seconds.
When a Hello packet is received from an adjacent switch before the common time-out interval expires, the
switch sends a Hello reply and restarts the common transmission timer.
The common time-out interval is set to 300 seconds by default. To display the current common time-out
interval, enter the following command:
-> show amap
To change the common time-out interval, use either of these forms of the command with the desired value
(any value between 1 and 65535). Note that the use of the time command keyword is optional. For exam-
ple:
-> amap common 600
-> amap common time 600
AMAP:
Operational Status = enabled,
Common Phase Timeout Interval (seconds) = 300,
Discovery Phase Timeout Interval (seconds) = 30
Remote Switch B
Remote interface 2/1 0020da:032c40
Switch A (local)
TM
OmniSwitch 9700
See the OmniSwitch CLI Reference Guide for information about the show amap command.
802.1Q is the IEEE standard for segmenting networks into VLANs. 802.1Q segmentation is done by
adding a specific tag to a packet.
In this Chapter
This chapter describes the basic components of 802.1Q VLANs and how to configure them through the
Command Line Interface (CLI). The CLI commands are used in the configuration examples; for more
details about the syntax of commands, see 802.1Q Commands in the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Setting up an 802.1Q VLAN for a specific port. See Enabling Tagging on a Port on page 11-5.
Setting up an 802.1Q VLAN for a link aggregation group. See Enabling Tagging with Link Aggrega-
tion on page 11-5.
Configuring 802.1Q VLAN parameters. See Configuring the Frame Type on page 11-6.
For information on creating and managing VLANs, see Chapter 5, Configuring VLANs.
For information on creating and managing link aggregation groups, see Chapter 13, Configuring Static
Link Aggregation and Chapter 14, Configuring Dynamic Link Aggregation.
802.1Q Specifications
IEEE Specification Draft Standard P802.1Q/D11 IEEE Standards for
Local And Metropolitan Area Network: Virtual
Bridged Local Area Networks, July 30, 1998
Maximum Number of Tagged VLANs per 4093
Port
Maximum Number of Untagged VLANs per One untagged VLAN per port.
Port
Maximum Number of VLAN Port Associa- 32768
tions
Note. Up to 4093 VLANs can be assigned to a tagged port or link aggregation group. However, each
assignment counts as a single VLAN port association. Once the maximum number of VLAN port associa-
tions is reached, no more VLANs can be assigned to ports. For more information, see the chapter titled
Chapter 7, Assigning Ports to VLANs.
802.1Q Overview
Alcatels 802.1Q is an IEEE standard for sending frames through the network tagged with VLAN identifi-
cation. This chapter details procedures for configuring and monitoring 802.1Q tagging on a single port in a
switch or a link aggregation group in a switch.
802.1Q tagging is the IEEE version of VLANs. It is a method for segregating areas of a network into
distinct VLANs. By attaching a label or tag to a packet, the packet can be identified as being from a
specific area or identified as being destined for a specific area.
When enabling a tagged port, you will also need to specify whether only 802.1Q tagged traffic is allowed
on the port, or whether the port accepts both tagged and untagged traffic.
Tagged refers to four bytes of reserved space in the header of the packet. The four bytes of tagging are
broken down as follows: the first two bytes indicate whether the packet is an 802.1Q packet, and the next
two bytes carry the VLAN identification (VID) and priority.
On the ingress side, packets are classified in a VLAN. After classifying a packet, the switch adds an
802.1Q header to the packet. Egress processing of packets is done by the switch hardware. Packets have
an 802.1Q tag, which may be stripped off based on 802.1Q tagging/stripping rules.
If a port is configured to be a tagged port, then all the untagged traffic (including priority tagged or VLAN
0 traffic) received on the port will be dropped. You do not need to reboot the switch after changing the
configuration parameters.
Note. Priority tagged traffic or traffic from VLAN 0 is used for Quality of Service (QoS) functionality.
802.1Q views priority tagged traffic as untagged traffic.
In OmniSwitch 9000 switches only, mobile ports can be configured to accept 802.1Q traffic by enabling
the VLAN mobile tagging feature as described in Chapter 5, Configuring VLANs.
The following diagram illustrates a simple network by using tagged and untagged traffic:
VLAN 1 VLAN 1
untagged untagged
Stack 1 Stack 2
port 4/3
VLAN 2 tagged VLAN 2
tagged port 2/1 tagged
tagged/
untagged
VLAN 3 VLAN 3
tagged tagged
Stack 1 and 2 have three VLANs, one for untagged traffic and two for tagged traffic. The ports connect-
ing Stack 1 and 2 are configured in such a manner that Port 4/3 will only accept tagged traffic, while Port
2/1 will accept both tagged and untagged traffic.
The port can only be assigned to one untagged VLAN (in every case, this will be the default VLAN). In
the example above the default VLAN is VLAN 1. The port can be assigned to as many 802.1Q VLANs as
necessary, up to 4093 per port or 32768 VLAN port associations.
For the purposes of Quality of Service (QoS), 802.1Q ports are always considered to be trusted ports. For
more information on QoS and trusted ports, see Chapter 26, Configuring QoS.
Alcatels 802.1Q tagging is done at wire speed, providing high-performance throughput of tagged
frames.The procedures below use CLI commands that are thoroughly described in 802.1Q Commands of
the OmniSwitch CLI Reference Guide.
Note. 802.1Q on the OmniSwitch 6800/6850/9000 does not have the force tag internal feature, avail-
able on other OmniSwitch products.
The tagged port would now also be labeled port tag. Note that you must use quotes around the text
description.
The VLAN used to handle traffic on the tagged port must be created prior to using the vlan 802.1q
command. Creating a VLAN is described in Chapter 5, Configuring VLANs.
For more specific information, see the vlan 802.1q command section in the OmniSwitch CLI Reference
Guide.
(For further information on creating link aggregation groups, see Chapter 13, Configuring Static Link
Aggregation, or Chapter 14, Configuring Dynamic Link Aggregation.)
To add tagging to a port or link aggregation group and label it with a text name enter the text identifica-
tion following the slot and port number or link aggregation group identification number. For example, to
enable tagging on link aggregation group 8 with a text name of agg port tag, enter the command in the
following manner:
-> vlan 5 802.1q 8 agg port tag
The tagged port would now also be labeled agg port tag. Note that you must use quotes around the text
description.
To remove 802.1Q tagging from a selected port, use the same command as above with a no keyword
added, as shown:
-> vlan 5 no 802.1q 8
Note. The link aggregation group must be created first before it can be set to use 802.1Q tagging
For more specific information, see the vlan 802.1q command section in the OmniSwitch CLI Reference
Guide.
To configure a port back to accepting both tagged and untagged traffic, use the same command with the all
keyword, as shown:
-> vlan 802.1q 3/4 frame type all
Note. If you configure a port to accept only VLAN-tagged frames, then any frames received on this port
that do not carry a VLAN identification (i.e., untagged frames or priority-tagged frames) will be discarded
by the ingress rules for this port. Frames that are not discarded by this ingress rule are classified and
processed according to the ingress rules for this port.
When a port is set to support both tagged and untagged traffic, multiple VLANs for 802.1Q traffic can be
added to the port, but only one VLAN can be used to support untagged traffic. The untagged traffic VLAN
will always be the ports default VLAN.
Note. You cannot configure a link aggregation group to accept only tagged frames.
For more specific information, see the vlan 802.1q frame type command section in the OmniSwitch CLI
Reference Guide.
Application Example
In this section the steps to create 802.1Q connections between switches are shown.
The following diagram shows a simple network employing 802.1Q on both regular ports and link aggrega-
tion groups.
VLAN 1
Switch 2
(untagged)
VLAN 1 Stack 1
(untagged) Port 2/1 TM
OmniSwitch 9700
(tagged) VLAN 2
(tagged)
Port 1/1
VLAN 2
(untagged/
(tagged) tagged)
Ports VLAN 3
3/1, 3/2 (tagged)
Aggregate
Link 5
Ports
4/1, 4/2
VLAN 1
(untagged)
Stack 3
VLAN 3
(tagged)
The following sections show how to create the network illustrated above.
-> vlan 2
2 Set port 1/1 as a tagged port and assign it to VLAN 2 by entering the following:
The following steps apply to Switch 2. They will attach port 2/1 to VLAN 2 and set the port to accept
802.1Q tagged traffic only:
1 Create VLAN 2 by entering vlan 2 as shown below (VLAN 1 is the default VLAN for the switch):
-> vlan 2
2 Set port 2/1 as a tagged port and assign it to VLAN 2 by entering the following:
3 Set port 2/1 to accept only tagged traffic by entering the following:
2 Assign ports 3/1 and 3/2 to static aggregate VLAN 5 by entering the following two commands:
-> vlan 3
4 Configure 802.1Q tagging with a tagging ID of 3 on link aggregation group 5 (on VLAN 3) by enter-
ing vlan 3 802.1q 5 as shown below:
-> vlan 3 802.1q 5
The following steps apply to Stack 3. They will attach ports 4/1 and 4/2 as link aggregation group 5 to
VLAN 3.
1 Configure static link aggregation group 5 by entering the following:
2 Assign ports 4/1 and 4/2 to static link aggregation group 5 by entering the following two commands:
-> vlan 3
4 Configure 802.1Q tagging with a tagging ID of 3 on static link aggregation group 5 (on VLAN 3) by
entering the following:
-> vlan 3 802.1q 5
show 802.1q Displays 802.1Q tagging information for a single port or a link aggrega-
tion group.
For more information about the resulting display, see Chapter 14, 802.1Q Commands, in the
OmniSwitch CLI Reference Guide.
Internet Protocol (IP) is primarily a network-layer (Layer 3) protocol that contains addressing and control
information that enables packets to be forwarded. Along with Transmission Control Protocol (TCP), IP
represents the heart of the Internet protocols. IP has two primary responsibilities, providing connection-
less, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassem-
bly of datagrams to support data links with different Maximum Transmission Unit (MTU) sizes.
Note. IP routing (Layer 3) can be accomplished using static routes or by using one of the IP routing proto-
cols, Routing Information Protocol (RIP) and Open Shortest Path First (OSPF). For more information on
these protocols see Chapter 16, Configuring RIP, in this manual; or Configuring OSPF in the
OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide.
There are two versions of Internet Protocol supported, IPv4 and IPv6. For more information about using
IPv6, see Chapter 15, Configuring IPv6.
In This Chapter
This chapter describes IP and how to configure it through the Command Line Interface (CLI). It includes
instructions for enabling IP forwarding, as well as basic IP configuration commands (e.g., ip default-ttl).
CLI commands are used in the configuration examples; for more details about the syntax of commands,
see the OmniSwitch CLI Reference Guide. This chapter provides an overview of IP and includes informa-
tion about the following procedures:
IP Forwarding
Configuring an IP Router Interface (see page 12-7)
Creating a Static Route (see page 12-10)
Creating a Default Route (see page 12-10)
Configuring Address Resolution Protocol (ARP) (see page 12-11)
IP Configuration
Configuring the Router Primary Address (see page 12-14)
Configuring the Router ID (see page 12-14)
Configuring the Time-to-Live (TTL) Value (see page 12-14)
IP-Directed Broadcasts (see page 12-14)
Protecting the Switch from Denial of Service (DoS) attacks (see page 12-15)
Managing IP
Internet Control Message Protocol (ICMP) (see page 12-20)
Using the Ping Command (see page 12-23)
Tracing an IP Route (see page 12-24)
Displaying TCP Information (see page 12-24)
Displaying User Datagram Protocol (UDP) Information (see page 12-24)
IP Specifications
RFCs Supported RFC 791Internet Protocol
RFC 792Internet Control Message Protocol
RFC 826An Ethernet Address Resolution Protocol
Maximum VLANs per switch 4094 (based on switch configuration and available
resources)
Maximum router interface VLANs per switch 4094 IP and 64 IPX (based on switch configuration and
available resources)
Maximum IP interfaces per VLAN 8
Maximum ARP filters per switch 200
IP Defaults
The following table lists the defaults for IP configuration through the ip command.
Note. The operational status of a VLAN remains inactive until at least one active switch port is assigned
to the VLAN. Ports are considered active if they are connected to an active network device. Non-active
port assignments are allowed, but do not change the operational state of the VLAN.
To forward packets to a different VLAN on a switch, you must create a router interface on each VLAN.
The following steps show you how to enable IP forwarding between VLANs from scratch. If active
VLANs have already been created on the switch, you only need to create router interfaces on each VLAN
(Steps 5 and 6).
1 Create VLAN 1 with a description (e.g., VLAN 1) by using the vlan command. For example:
2 Create VLAN 2 with a description (e.g., VLAN 2) by using the vlan command. For example:
3 Assign an active port to VLAN 1 by using the vlan port default command. For example, the follow-
ing command assigns port 1 on slot 1 to VLAN 1:
-> vlan 1 port default 1/1
4 Assign an active port to VLAN 2 by using the vlan port default command. For example, the follow-
ing command assigns port 2 on slot 1 to VLAN 2:
-> vlan 2 port default 1/2
5 Create an IP router interface on VLAN 1 using the ip interface command. For example:
6 Create an IP router interface on VLAN 2 using the ip interface command. For example:
Note. See Chapter 5, Configuring VLANs. for more information about how to create VLANs and
VLAN router interfaces.
IP Overview
IP is a network-layer (Layer 3) protocol that contains addressing and control information that enables
packets to be forwarded on a network. IP is the primary network-layer protocol in the Internet protocol
suite. Along with TCP, IP represents the heart of the Internet protocols.
IP Protocols
IP is associated with several Layer 3 and Layer 4 protocols. These protocols are built into the base code
loaded on the switch. A brief overview of supported IP protocols is included below.
Transport Protocols
IP is both connectionless (it forwards each datagram separately) and unreliable (it does not guarantee
delivery of datagrams). This means that a datagram may be damaged in transit, thrown away by a busy
switch, or simply never make it to its destination. The resolution of these transit problems is to use a Layer
4 transport protocol, such as:
TCPA major data transport mechanism that provides reliable, connection-oriented, full-duplex data
streams. While the role of TCP is to add reliability to IP, TCP relies upon IP to do the actual delivering
of datagrams.
UDPA secondary transport-layer protocol that uses IP for delivery. UDP is not connection-oriented
and does not provide reliable end-to-end delivery of datagrams. But some applications can safely use
UDP to send datagrams that do not require the extra overhead added by TCP. For more information on
UDP, see Chapter 18, Configuring DHCP Relay.
Application-Layer Protocols
Application-layer protocols are used for switch configuration and management:
Bootstrap Protocol (BOOTP)/Dynamic Host Configuration Protocol (DHCP)May be used by an end
station to obtain an IP address. The switch provides a DHCP Relay that allows BOOTP requests/replies
to cross different networks.
Simple Network Management Protocol (SNMP)Allows communication between SNMP managers
and SNMP agents on an IP network. Network administrators use SNMP to monitor network perfor-
mance and manage network resources. For more information, see the Using SNMP chapter in the
OmniSwitch 6800/6850/9000 Switch Management Guide.
TelnetUsed for remote connections to a device. You can telnet to a switch and configure the switch
and the network by using the CLI.
File Transfer Protocol (FTP)Enables the transfer of files between hosts. This protocol is used to load
new images onto the switch.
Additional IP Protocols
There are several additional IP-related protocols that may be used with IP forwarding. These protocols are
included as part of the base code.
Address Resolution Protocol (ARP)Used to match the IP address of a device with its physical
(MAC) address. For more information, see Configuring Address Resolution Protocol (ARP) on
page 12-11.
Virtual Router Redundancy Protocol (VRRP)Used to back up routers. For more information, see
Chapter 19, Configuring VRRP.
Internet Control Message Protocol (ICMP)Specifies the generation of error messages, test packets,
and informational messages related to IP. ICMP supports the ping command used to determine if hosts
are online. For more information, see Internet Control Message Protocol (ICMP) on page 12-20.
Router Discovery Protocol (RDP)Used to advertise and discover routers on the LAN. For more
information, see Chapter 17, Configuring RDP.
Multicast ServicesIncludes IP multicast switching (IPMS). For more information, see Chapter 28,
Configuring IP Multicast Switching.
IP Forwarding
Network device traffic is bridged (switched) at the Layer 2 level between ports that are assigned to the
same VLAN. However, if a device needs to communicate with another device that belongs to a different
VLAN, then Layer 3 routing is necessary to transmit traffic between the VLANs. Bridging makes the deci-
sion on where to forward packets based on the packets destination MAC address; routing makes the deci-
sion on where to forward packets based on the packets IP network address (e.g., IP - 21.0.0.10).
Alcatel switches support routing of IP traffic. A VLAN is available for routing when at least one router
interface is defined for that VLAN and at least one active port is associated with the VLAN. If a VLAN
does not have a router interface, the ports associated with that VLAN are in essence firewalled from other
VLANs.
IP multinetting is also supported. A network is said to be multinetted when multiple IP subnets are brought
together within a single broadcast domain. It is now possible to configure up to eight IP interfaces per
VLAN. Each interface is configured with a different subnet. As a result, traffic from each configured
subnet can coexist on the same VLAN.
In the illustration below, an IP router interface has been configured on each VLAN. Therefore, worksta-
tions connected to ports on VLAN 1 on Switch 1 can communicate with VLAN 2; and workstations
connected to ports on VLAN 3 on Switch 2 can communicate with VLAN 2. Also, ports from both
switches have been assigned to VLAN 2, and a physical connection has been made between the switches.
Therefore, workstations connected to VLAN 1 on Switch 1 can communicate with workstations connected
to VLAN 3 on Switch 2.
Switch 1 Switch 2
TM
OmniSwitch 9700
TM
OmniSwitch 9700
= IP Router Interface
Physical
VLAN 1 VLAN 2 Connection VLAN 2 VLAN 3
110.0.0.0 120.0.0.0 120.0.0.0 130.0.0.0
IP Forwarding
If the switch is running in single MAC router mode, a maximum of 4094 VLANs can have IP interfaces
defined and a maximum of 64 VLANs can have IPX interfaces defined. In this mode, each router VLAN
is assigned the same MAC address, which is the base chassis MAC address for the switch.
See Chapter 5, Configuring VLANs, for more information about configuring the IPX router interfaces.
An IP address to assign to the router interface (e.g., 193.204.173.21). Note that router interface IP
addresses must be unique. You cannot have two router interfaces with the same IP address.
A subnet mask (defaults to the IP address class).
The forwarding status for the interface (defaults to forwarding). A forwarding router interface sends IP
frames to other subnets. A router interface that is not forwarding can receive frames from other hosts
on the same subnet.
An Ethernet-II or SNAP encapsulation for the interface (defaults to Ethernet-II). The encapsulation
determines the framing type the interface uses when generating frames that are forwarded out of
VLAN ports. Select an encapsulation that matches the encapsulation of the majority of VLAN traffic.
The Local Proxy ARP status for the VLAN. If enabled, traffic within the VLAN is routed instead of
bridged. ARP requests return the MAC address of the IP router interface defined for the VLAN. For
more information about Local Proxy ARP, see Local Proxy ARP on page 12-12.
The primary interface status. Designates the specified IP interface as the primary interface for the
VLAN. By default, the first interface bound to a VLAN becomes the primary interface for that VLAN.
The following ip interface command example creates an IP interface named Marketing with an IP
network address of 21.0.0.1 and binds the interface to VLAN 455:
-> ip interface Marketing address 21.0.0.1 vlan 455
Note. The ip interface command is not supported in Release 5.3.1. For this release use the vlan router ip
command instead. See the OmniSwitch CLI Reference Guide for more information.
The name parameter is the only parameter required with this command. Specifying additional parameters
is only necessary to configure a value other than the default value for that parameter. For example, both of
the following commands will create an IP router interface for VLAN 955 with a class A subnet mask, an
enabled forwarding status, Ethernet-II encapsulation, and a disabled Local Proxy ARP and primary inter-
face status:
-> ip interface Accounting address 71.0.0.1 mask 255.0.0.0 vlan 955 forward e2
no local-proxy-arp no primary
-> ip interface Accounting address 71.0.0.1 vlan 955
Note that when changing the IP address for the interface, the subnet mask will revert back to the default
mask value if it was previously set to a non-default value and it is not specified when changing the IP
address. For example, the following command changes the IP address for the Accounting interface:
-> ip interface Accounting address 40.0.0.1
The subnet mask for the Accounting interface was previously set to 255.255.255.0. The above example
resets the mask to the default value of 255.0.0.0 because 40.0.0.1 is a Class A address and no other mask
was specified with the command. This only occurs when the IP address is modified; all other parameter
values remain unchanged unless otherwise specified.
To avoid the problem in the above example, simply enter the non-default mask value whenever the IP
address is changed for the interface. For example:
-> ip interface Accounting address 40.0.0.1 mask 255.255.255.0
Use the show ip interface command to verify IP router interface changes. For more information about
these commands, see the OmniSwitch CLI Reference Guide.
To view a list of IP interfaces configured on the switch, use the show ip interface command. For more
information about this command, see the OmniSwitch CLI Reference Guide.
The admin parameter is the only configurable parameter supported with this type of interface.
Creating this interface does not deduct from the total number of IP interfaces allowed per VLAN or
switch.
OSPF advertises the host route to the Loopback0 IP interface in its Router-LSAs (as a Stub link) as an
internal route into all its configured areas.
See the OmniSwitch OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide for more infor-
mation.
The subnet mask is not required if you want to use the natural subnet mask. By default, the switch imposes
a natural mask on the IP address. In the above example, the Class B mask of 255.255.0.0 is implied. If you
do not want to use the natural mask, you must enter a subnet mask. For example, to create a static route to
IP address 10.255.11.0, you would have to enter the Class C mask of 255.255.255.0:
-> ip static-route 10.255.11.0 mask 255.255.255.0 gateway 171.11.2.1
When you create a static route, the default metric value of 1 is used. However, you can change the priority
of the route by increasing its metric value. The lower the metric value, the higher the priority. This metric
is added to the metric cost of the route. The metric range is 1 to 15.
For example:
-> ip static-route 10.255.11.0 mask 255.255.255.0 gateway 171.11.2.1 metric 5
Static routes do not age out of the IP Forwarding table; you must delete them from the table. Use the no ip
static route command to delete a static route. You must specify the destination IP address of the route as
well as the IP address of the first hop (gateway). For example, to delete a static route to IP address
171.11.0.0 through gateway 171.11.2.1 you would enter:
-> no ip static-route 171.11.0.0 gateway 171.11.2.1
The IP Forwarding table includes routes learned through one of the routing protocols (RIP, OSPF, BGP)
as well as any static routes that are configured. Use the show ip route command to display the IP
Forwarding table.
Note. A static route is not active unless the gateway it is using is active.
Note. You cannot create a default route by using the EMP port as a gateway.
When you add an entry to the ARP table, the IP address and hardware address (MAC address) are
required. Optionally, you may also specify:
Alias. Use the alias keyword to specify that the switch will act as an alias (proxy) for this IP address.
When the alias option is used, the switch responds to all ARP requests for the specified IP address with
its own MAC address. Note that this option is not related to Proxy ARP as defined in RFC 925.
For example:
-> arp 171.11.1.1 00:05:02:c0:7f:11 alias
Note. Because most hosts support the use of address resolution protocols to determine and cache address
information (called dynamic address resolution), you generally do not need to specify permanent ARP
entries.
Use the show arp command to display the ARP table and verify that the entry was deleted.
Note. You can also use the no arp command to delete a dynamic entry from the table.
Note. Dynamic entries remain in the ARP table until they time out. If the switch does not receive data
from a host for this user-specified time, the entry is removed from the table. If another packet is received
from this host, the switch goes through the discovery process again to add the entry to the table. The
switch uses the MAC Address table time-out value as the ARP time-out value. Use the mac-address-table
aging-time command to set the time-out value.
Note. The ip interface command is not supported in Release 5.3.1. For this release use the vlan router ip
command instead. See the OmniSwitch CLI Reference Guide for more information.
Note that when Local Proxy ARP is enabled for any one IP router interface associated with a VLAN, the
feature is applied to the entire VLAN. It is not necessary to enable it for each interface. However, if the IP
interface that has this feature enabled is moved to another VLAN, Local Proxy ARP is enabled for the
new VLAN and must be enabled on another interface for the old VLAN.
ARP Filtering
ARP filtering is used to determine whether or not the switch responds to ARP requests that contain a
specific IP address. This feature is generally used in conjunction with the Local Proxy ARP application;
however, ARP filtering is available for use on its own and/or with other applications.
By default, no ARP filters exist in the switch configuration. When there are no filters present, all ARP
packets are processed, unless they are blocked or redirected by some other feature.
Use the arp filter command to specify the following parameter values required to create an ARP filter:
An IP address (e.g., 193.204.173.21) used to determine whether or not an ARP packet is filtered.
An IP mask (e.g. 255.0.0.0) used to identify which part of the ARP packet IP address is compared to
the filter IP address.
An optional VLAN ID to specify that the filter is only applied to ARP packets from that VLAN.
Which ARP packet IP address to use for filtering (sender or target). If the target IP address in the ARP
packet matches a target IP specified in a filter, then the disposition for that filter applies to the ARP
packet. If the sender IP address in the ARP packet matches a sender IP specified in a filter, then the
disposition for that filter applies to the ARP packet.
The filter disposition (block or allow). If an ARP packet meets filter criteria, the switch is either
blocked from responding to the packet or allowed to respond to the packet depending on the filter
disposition. Packets that do not meet any filter criteria are responded to by the switch.
The following arp filter command example creates an ARP filter, which will block the switch from
responding to ARP packets that contain a sender IP address that starts with 198:
-> arp filter 198.0.0.0 mask 255.0.0.0 sender block
Up to 200 ARP filters can be defined on a single switch. To remove an individual filter, use the no form of
the arp filter command. For example:
-> no arp filter 198.0.0.0
To clear all ARP filters from the switch configuration, use the clear arp filter command. For example:
-> clear arp filter
Use the show arp filter command to verify the ARP filter configuration. For more information about this
and other ARP filter commands, see the OmniSwitch CLI Reference Guide.
IP Configuration
IP is enabled on the switch by default and there are few options that can, or need to be, configured. This
section provides instructions for some basic IP configuration options.
The default hop count is 64. The valid range is 1 to 255. Use the show ip config command to display the
default TTL value.
IP-Directed Broadcasts
An IP directed broadcast is an IP datagram that has all zeroes or all 1 in the host portion of the destination
IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly
attached. Directed broadcasts are used in denial-of-service smurf attacks. In a smurf attack, a continu-
ous stream of ping requests is sent from a falsified source address to a directed broadcast address, result-
ing in a large stream of replies, which can overload the host of the source address. By default, the switch
drops directed broadcasts. Typically, directed broadcasts should not be enabled.
Use the ip directed-broadcast command to enable or disable IP-directed broadcasts. For example:
-> ip directed-broadcast off
Use the show ip config command to display the IP-directed broadcast state.
.
DoS Settings
UDP/TCP closed = 10
UDP open = 20
TCP open = 5
Threshold = 2000
Decay = 2
TM
OmniSwitch 9700
Penalty Total = 0
In one minute, 10 TCP closed port packets and 10 UDP closed port packets are received. This would bring
the total penalty value to 200, as shown using the following equation:
(10 TCP X 10 penalty) + (10 UDP X 10 penalty) = 200
This value would be divided by 2 (due to the decay) and decreased to 100. The switch would not record a
port scan:
DoS Settings
UDP/TCP closed = 10
UDP open = 20
TCP open = 5
Threshold = 2000
Decay = 2
In the next minute, 10 more TCP and UDP closed port packets are received, along with 200 UDP open
port packets. This would bring the total penalty value to 4300, as shown using the following equation:
(100 previous minute value) + (10 TCP X 10 penalty) + (10 UDP X 10 penalty) +
(200 UDP X 20 penalty) = 4300
This value would be divided by 2 (due to decay) and decreased to 2150. The switch would record a port
scan and generate a trap to warn the administrator:
DoS Settings
UDP/TCP closed = 10
UDP open =20
TCP open = 5
Threshold = 2000
Decay = 2
10 TCP closed port packets
Generate DoS
Attack Warning
100 UDP open port packets Trap
The above functions and how to set their values are covered in the sections that follow.
Each type has its own command to assign a penalty value. Penalty values can be any non-negative inte-
ger. Each time a packet is received that matches an assigned penalty, the total penalty value for the switch
is increased by the penalty value of the packet in question.
To assign a penalty value to TCP/UDP packets bound for a closed port, use the ip dos scan close-port-
penalty command with a penalty value. For example, to assign a penalty value of 10 to TCP/UDP packets
destined for closed ports, enter the following:
-> ip dos scan close-port-penalty 10
To assign a penalty value to TCP packets bound for an open port, use the ip dos scan tcp open-port-
penalty command with a penalty value. For example, to assign a penalty value of 10 to TCP packets
destined for opened ports, enter the following:
-> ip dos scan tcp open-port-penalty 10
To assign a penalty value to UDP packets bound for an open port, use the ip dos scan udp open-port-
penalty command with a penalty value. For example, to assign a penalty value of 10 to TCP/UDP packets
destined for closed ports, enter the following:
-> ip dos scan udp open-port-penalty 10
To disable DoS traps, enter the same ip dos trap command, as shown:
-> ip dos trap disable
Enabling/Disabling IP Services
When a switch initially boots up, all supported TCP/UDP well-known service ports are enabled (open).
Although these ports provide access for essential switch management services, such as telnet, ftp, snmp,
etc., they also are vulnerable to DoS attacks. It is possible to scan open service ports and launch such
attacks based on well-known port information.
The ip service command allows you to selectively disable (close) TCP/UDP well-known service ports and
enable them when necessary. This command only operates on TCP/UDP ports that are opened by default.
It has no effect on ports that are opened by loading applications, such as RIP and BGP.
In addition, the ip service command allows you to designate which port to enable or disable by specifying
the name of a service or the well-known port number associated with that service. For example, both of the
following commands disable the telnet service:
-> no ip service telnet
-> no ip service port 23
Note that specifying a port number requires the use of the optional port keyword.
To enable or disable more than one service in a single command line, enter each service name separated by
a space. For example, the following command enables the telnet, ftp, and snmp service ports:
-> ip service telnet ftp snmp
The following table lists ip service command options for specifying TCP/UDP services and also includes
the well-known port number associated with each service:
service port
ftp 21
ssh 22
telnet 23
http 80
secure-http 443
avlan-http 260
avlan-secure-http 261
avlan-telnet 259
udp-relay 67
network-time 123
snmp 161
proprietary 1024
proprietary 1025
Managing IP
The following sections describe IP commands that can be used to monitor and troubleshoot IP forwarding
on the switch.
The following table is provide to identify the various ICMP messages, and their type and code:
In addition to the icmp type command, several commonly used ICMP messages have been separate CLI
commands for convenience. These commands are listed below with the ICMP message name, type, and
code:
These commands are entered as the icmp type command, only without specifying a type or code. The
echo, timestamp, and address mask commands have options for distinguishing between a request or a
reply, and the unreachable command has options distinguishing between a network, host, protocol, or port.
For example, to enable an echo request message, enter the following:
-> icmp echo request enable
See Chapter 22, IP Commands, for specifics on the ICMP message commands.
To disable all ICMP messages, enter the same command with the disable keyword. For example:
-> icmp messages enable
Likewise, to set the Timestamp Reply minimum packet gap to 100 microseconds, enter the following:
-> icmp timestamp reply min-pkt-gap 100
When you ping a device, the device IP address or host name is required. Optionally, you may also specify:
Count. Use the count keyword to set the number of frames to be transmitted.
Size. Use the size keyword to set the size, in bytes, of the data portion of the packet sent for this ping.
You can specify a size or a range of sizes up to 60000.
Interval. Use the interval keyword to set the frequency, in seconds, that the switch will poll the host.
Time-out. Use the time-out keyword to set the number of seconds the program will wait for a response
before timing out.
For example, to send a ping with a count of 2, a size of 32 bytes, an interval of 2 seconds, and a time-out
of 10 seconds you would enter:
-> ping 172.22.2.115 count 2 size 32 interval 2 timeout 10
Note. If you change the default values, they will only apply to the current ping. The next time you use the
ping command, the default values will be used unless you enter different values again.
Tracing an IP Route
The traceroute command is used to find the path taken by an IP packet from the local switch to a speci-
fied destination. This command displays the individual hops to the destination as well as some timing
information. When using this command, you must enter the name of the destination as part of the
command line (either the IP address or host name). Use the optional max-hop parameter to set a maxi-
mum hop count to the destination. If the trace reaches this maximum hop count without reaching the desti-
nation, the trace stops.
For example, to perform a traceroute to a device with an IP address of 172.22.2.115 with a maximum hop
count of 10 you would enter:
-> traceroute 172.22.2.115 max-hop 10
show ip interface Displays the usability status of interfaces configured for IP.
show ip route Displays the IP Forwarding table.
show ip config Displays IP configuration parameters.
show ip protocols Displays switch routing protocol information and status.
show ip service Displays the current status of TCP/UDP service ports. Includes service
name and well-known port number.
show arp Displays the ARP table.
show arp filter Displays the ARP filter configuration for the switch (OmniSwitch
9000 only).
show icmp control This command allows the viewing of the ICMP control settings.
show ip dos config Displays the configuration parameters of the DoS scan for the switch.
show ip dos statistics Displays the statistics on detected port scans for the switch.
For more information about the displays that result from these commands, see the OmniSwitch CLI Refer-
ence Guide.
Alcatels static link aggregation software allows you to combine several physical links into one large
virtual link known as a link aggregation group. Using link aggregation provides the following benefits:
Scalability. It is possible to configure up to 32 link aggregation groups that consist of 2, 4, or 8 10-
Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links.
Reliability. If one of the physical links in a link aggregate group goes down (unless it is the last one)
the link aggregate group can still operate.
Ease of Migration. Link aggregation can ease the transition from 100-Mbps Ethernet backbones to
Gigabit Ethernet backbones.
In This Chapter
This chapter describes the basic components of static link aggregation and how to configure them through
the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more
details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Configuring static link aggregation groups on page 13-7.
Adding and deleting ports from a static aggregate group on page 13-9.
Note. You can also configure and monitor static link aggregation with WebView, Alcatels embedded
web-based device management application. WebView is an interactive and easy-to-use GUI that can be
launched from OmniVista or a web browser. Please refer to WebViews online documentation for more
information on configuring and monitoring static link aggregation with WebView.
1 Create the static aggregate link on the local switch with the static linkagg size command. For example:
2 Assign all the necessary ports with the static agg agg num command. For example:
3 Create a VLAN for this static link aggregate group with the vlan command. For example:
4 Create the equivalent static aggregate link on the remote switch with the static linkagg size command.
For example:
-> static linkagg 1 size 4
5 Assign all the necessary ports with the static agg agg num command. For example:
6 Create a VLAN for this static link aggregate group with the vlan command. For example:
Note. Optional. You can verify your static link aggregation settings with the show linkagg command. For
example:
-> show linkagg 1
Static Aggregate
SNMP Id : 40000001,
Aggregate Number : 1,
SNMP Descriptor : Omnichannel Aggregate Number 1 ref 40000001 size 4,
Name : ,
Admin State : ENABLED,
Operational State : UP,
Aggregate Size : 4,
Number of Selected Ports : 4,
Number of Reserved Ports : 4,
Number of Attached Ports : 4,
Primary Port : 1/1
You can also use the show linkagg port port command to display information on specific ports. See
Displaying Static Link Aggregation Configuration and Statistics on page 13-12 for more information on
the show commands.
An example of what these commands look like entered sequentially on the command line on the local
switch:
-> static linkagg 1 size 4
-> static agg 1/1 agg num 1
-> static agg 1/2 agg num 1
-> static agg 1/3 agg num 1
-> static agg 1/4 agg num 1
-> vlan 10 port default 1
And an example of what these commands look like entered sequentially on the command line on the
remote switch:
-> static linkagg 1 size 4
-> static agg 1/9 agg num 1
-> static agg 1/10 agg num 1
-> static agg 1/11 agg num 1
-> static agg 1/12 agg num 1
-> vlan 10 port default 1
This chapter describes static link aggregation. For information on dynamic link aggregation, please refer
to Chapter 14, Configuring Dynamic Link Aggregation.
an OmniSwitch 6800 switch and an OmniSwitch 6850, OmniSwitch 9000, OmniSwitch 7700/7800,
OmniSwitch 8800, or OmniSwitch 6600 Series switch.
an OmniSwitch 6850 switch and an OmniSwitch 6800, OmniSwitch 9000, OmniSwitch 7700/7800,
OmniSwitch 8800, or OmniSwitch 6600 Series switch.
an OmniSwitch 9000 switch and an OmniSwitch 6800, OmniSwitch 6850, OmniSwitch 7700/7800,
OmniSwitch 8800, or OmniSwitch 6600 Series switch.
an OmniSwitch 6800, 6850, or 9000 switch and an early-generation Alcatel switch, such as an Omni
Switch/Router
However, static aggregate groups cannot be created between OmniSwitch 6800, 6850, or 9000 switches
and some switches from other vendors.
The figure below shows a static aggregate group that has been configured between Switch A and Switch
B. The static aggregate group links four ports on a single OS9-GNI-C24 on Switch A to two ports on one
OS9-GNI-C24 and two ports on another OS9-GNI-C24 on Switch B. The network administrator has
created a separate VLAN for this group so users can use this high speed link.
Switch A Switch B
Static Group
See Configuring Static Link Aggregation Groups on page 13-7 for information on using Command Line
Interface (CLI) commands to configure static aggregate groups and see Displaying Static Link Aggrega-
tion Configuration and Statistics on page 13-12 for information on using CLI to monitor static aggregate
groups.
802.1Q. For more information on configuring and monitoring 802.1Q see Chapter 11, Configuring
802.1Q.
Spanning Tree. For more information on Spanning Tree see Chapter 6, Configuring Spanning Tree
Parameters.
Note. See Application Example on page 13-11 for tutorials on using link aggregation with other
features.
Note. See Quick Steps for Configuring Static Link Aggregation on page 13-3 for a brief tutorial on
configuring these mandatory parameters.
Alcatels link aggregation software is preconfigured with the default values for static aggregate groups as
shown in the table in Static Link Aggregation Default Values on page 13-2. If you need to modify any
of these parameters, please see Modifying Static Aggregation Group Parameters on page 13-10 for more
information.
Note. See the Link Aggregation Commands chapter in the OmniSwitch CLI Reference Guide for
complete documentation of CLI commands for link aggregation.
1 Create the Static Aggregate Group on the Local and Remote Switches. To create a static aggregate
group use the static linkagg size command, which is described in Creating and Deleting a Static Link
Aggregate Group on page 13-8.
2 Assign Ports on the Local and Remote Switches to the Static Aggregate Group. To assign ports to
the static aggregate group you use the static agg agg num command, which is described in Adding and
Deleting Ports in a Static Aggregate Group on page 13-9.
Note. Depending on the needs of your network you may need to configure additional parameters.
Commands to configure optional static aggregate parameters are described in Modifying Static Aggrega-
tion Group Parameters on page 13-10.
Note. The number of links assigned to a static aggregate group should always be close to the number of
physical links that you plan to use. For example, if you are planning to use 2 physical links you should
create a group with a size of 2 and not 4 or 8.
As an option you can also specify a name and/or the administrative status of the group by entering static
linkagg followed by the user-specified aggregate number, size, the number of links in the static aggregate
group, name, the optional name (which can be up to 255 characters long), admin state, and either enable
or disable (the default is enable).
For example, to create static aggregate group 5 called static1 consisting of eight links that is administra-
tively disabled enter:
-> static linkagg 5 size 8 name static1 admin state disable
Note. If you want to specify spaces within a name for a static aggregate group the name must be specified
within quotes (e.g., Static Aggregate Group 5).
Note. You must delete any attached ports with the static agg agg num command before you can delete a
static link aggregate group.
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See
Chapter 7, Assigning Ports to VLANs, for more information on mobile ports.
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to assign port 1 in slot 1 to static aggregate group 10 and document that port
1 in slot 5 is a Giga Ethernet port you would enter:
-> static gigaethernet agg 1/1 agg num 10
Note. The ethernet, fastethernet, and gigaethernet keywords do not modify a ports configuration. See
Chapter 1, Configuring Ethernet Ports, for information on configuring Ethernet ports.
Ports must be deleted in the reverse order in which they were assigned. For example, if port 9 through 16
were assigned to static aggregate group 2 you must first delete port 16, then port 15, and so forth. The
following is an example of how to delete ports in the proper sequence from the console:
-> static agg no 1/24
-> static agg no 1/23
-> static agg no 1/22
Static aggregate group administrative state (see Modifying the Static Aggregate Group Administra-
tive State on page 13-10)
Note. If you want to specify spaces within a name for a static aggregate group the name must be specified
within quotes (e.g., Static Aggregate Group 4).
Application Example
Static link aggregation groups are treated by the switchs software the same way it treats individual physi-
cal ports. This section demonstrates this by providing a sample network configuration that uses static link
aggregation along with other software features. In addition, a tutorial is provided that shows how to
configure this sample network using Command Line Interface (CLI) commands.
The figure below shows VLAN 8, which has been configured on static aggregate 1 and uses 802.1Q
tagging. The actual physical links connect ports 4/1, 4/2, 4/3, and 4/4 on Switch A to port 2/41, 2/42, 2/43,
and 2/44 on Switch B.
Switch A Switch B
Note. Only the steps to configure the local (i.e., Switch A) switch are provided here since the steps to
configure the remote (i.e., Switch B) switch would not be significantly different.
1 Configure static aggregate group 1 by entering static linkagg 1 size 4 as shown below:
2 Assign ports 4/1, 4/2, 4/3, and 4/4 to static aggregate group 1 by entering:
-> vlan 8
4 Configure 802.1Q tagging with a tagging ID of 8 on static aggregate group 1 (on VLAN 8) by enter-
ing:
-> vlan 8 802.1q 1
5 Repeat steps 1 through 4 on Switch B. All the commands would be the same except you would substi-
tute the appropriate port numbers.
Note. Optional. Use the show 802.1q command to display 802.1Q configurations.
When you use the show linkagg command without specifying the link aggregation group number and
when you use the show linkagg port command without specifying the slot and port number these
commands provide a global view of switch-wide link aggregate group and link aggregate port informa-
tion, respectively.
For example, to display global statistics on all link aggregate groups (both static and dynamic) you would
enter:
-> show linkagg
When you use the show linkagg command with the link aggregation group number and when you use the
show linkagg port command with the slot and port number these commands provide detailed views of
link aggregate group and link aggregate port information, respectively. These detailed views provide
excellent tools for diagnosing and troubleshooting problems.
For example, to display detailed statistics for port 1 in slot 4 that is attached to static link aggregate group
1 you would enter:
-> show linkagg port 4/1
Note. See the Link Aggregation Commands chapter in the OmniSwitch CLI Reference Guide for
complete documentation of show commands for link aggregation.
Alcatels dynamic link aggregation software allows you to combine several physical links into one large
virtual link known as a link aggregation group. Using link aggregation provides the following benefits:
Scalability. It is possible to configure up to 32 link aggregation groups that consist of 2, 4, or 8 10-
Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links.
Reliability. If one of the physical links in a link aggregate group goes down (unless it is the last one)
the link aggregate group can still operate.
Ease of Migration. Link aggregation can ease the transition from 100-Mbps Ethernet backbones to
Gigabit Ethernet backbones.
In This Chapter
This chapter describes the basic components of dynamic link aggregation and how to configure them
through the Command Line Interface (CLI). CLI commands are used in the configuration examples; for
more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Configuring dynamic link aggregation groups on page 14-10.
Configuring ports so they can be aggregated in dynamic link aggregation groups on page 14-12.
Note. You can also configure and monitor dynamic link aggregation with WebView, Alcatels embedded
Web-based device management application. WebView is an interactive and easy-to-use GUI that can be
launched from OmniVista or a Web browser. Please refer to WebViews online documentation for more
information on configuring and monitoring dynamic link aggregation with WebView.
1 Create the dynamic aggregate group on the local (actor) switch with the lacp linkagg size command as
shown below:
-> lacp linkagg 2 size 8 actor admin key 5
2 Configure ports (the number of ports should be less than or equal to the size value set in step 1) with
the same actor administrative key (which allows them to be aggregated) with the lacp agg actor admin
key command. For example:
-> lacp agg 1/1 actor admin key 5
-> lacp agg 1/4 actor admin key 5
-> lacp agg 3/3 actor admin key 5
-> lacp agg 5/4 actor admin key 5
-> lacp agg 6/1 actor admin key 5
-> lacp agg 6/2 actor admin key 5
-> lacp agg 7/3 actor admin key 5
-> lacp agg 8/1 actor admin key 5
3 Create a VLAN for this dynamic link aggregate group with the vlan command. For example:
4 Create the equivalent dynamic aggregate group on the remote (partner) switch with the lacp linkagg
size command as shown below:
-> lacp linkagg 2 size 8 actor admin key 5
5 Configure ports (the number of ports should be less than or equal to the size value set in step 4) with
the same actor administrative key (which allows them to be aggregated) with the lacp agg actor admin
key command. For example:
-> lacp agg 2/1 actor admin key 5
-> lacp agg 3/1 actor admin key 5
-> lacp agg 3/3 actor admin key 5
-> lacp agg 3/6 actor admin key 5
-> lacp agg 5/1 actor admin key 5
-> lacp agg 5/6 actor admin key 5
-> lacp agg 8/1 actor admin key 5
-> lacp agg 8/3 actor admin key 5
6 Create a VLAN for this dynamic link aggregate group with the vlan command. For example:
Note. As an option, you can verify your dynamic aggregation group settings with the show linkagg
command on either the actor or the partner switch. For example:
-> show linkagg 2
Dynamic Aggregate
SNMP Id : 40000002,
Aggregate Number : 2,
SNMP Descriptor : Dynamic Aggregate Number 2 ref 40000002 size 8,
Name : ,
Admin State : ENABLED,
Operational State : UP,
Aggregate Size : 8,
Number of Selected Ports : 8,
Number of Reserved Ports : 8,
Number of Attached Ports : 8,
Primary Port : 1/1,
LACP
MACAddress : [00:1f:cc:00:00:00],
Actor System Id : [00:20:da:81:d5:b0],
Actor System Priority : 0,
Actor Admin Key : 5,
Actor Oper Key : 0,
Partner System Id : [00:20:da:81:d5:b1],
Partner System Priority : 0,
Partner Admin Key : 5,
Partner Oper Key : 0
You can also use the show linkagg port port command to display information on specific ports. See
Displaying Dynamic Link Aggregation Configuration and Statistics on page 14-33 for more informa-
tion on show commands.
An example of what these commands look like entered sequentially on the command line on the actor
switch:
-> lacp linkagg 2 size 8 actor admin key 5
-> lacp agg 1/1 actor admin key 5
-> lacp agg 1/4 actor admin key 5
-> lacp agg 3/3 actor admin key 5
-> lacp agg 5/4 actor admin key 5
-> lacp agg 6/1 actor admin key 5
-> lacp agg 6/2 actor admin key 5
-> lacp agg 7/3 actor admin key 5
-> lacp agg 8/1 actor admin key 5
-> vlan 2 port default 2
An example of what these commands look like entered sequentially on the command line on the partner
switch:
-> lacp linkagg 2 size 8 actor admin key 5
-> lacp agg 2/1 actor admin key 5
-> lacp agg 3/1 actor admin key 5
-> lacp agg 3/3 actor admin key 5
-> lacp agg 3/6 actor admin key 5
-> lacp agg 5/1 actor admin key 5
-> lacp agg 5/6 actor admin key 5
-> lacp agg 8/1 actor admin key 5
-> lacp agg 8/3 actor admin key 5
-> vlan 2 port default 2
This chapter describes dynamic link aggregation. For information on static link aggregation, please refer
to Chapter 13, Configuring Static Link Aggregation.
Dynamic Group
an OmniSwitch 6800 switch and an OmniSwitch 6850, OmniSwitch 9000, OmniSwitch 7700/7800, or
OmniSwitch 8800 switch or OmniSwitch 6600 Family switch.
an OmniSwitch 6850 switch and an OmniSwitch 6800, OmniSwitch 9000, OmniSwitch 7700/7800, or
OmniSwitch 8800 switch or OmniSwitch 6600 Family switch.
an OmniSwitch 9000 switch and an OmniSwitch 6800, OmniSwitch 6850, OmniSwitch 7700/7800,
OmniSwitch 8800, OmniSwitch 6600 Family switch.
an OmniSwitch 6800, 6850, or 9000 switch and another vendors switch if that vendor supports IEEE
802.3ad LACP.
See Configuring Dynamic Link Aggregate Groups on page 14-10 for information on using Command
Line Interface (CLI) commands to configure dynamic aggregate groups and see Displaying Dynamic
Link Aggregation Configuration and Statistics on page 14-33 for information on using the CLI to moni-
tor dynamic aggregate groups.
802.1Q. For more information on configuring and monitoring 802.1Q, see Chapter 11, Configuring
802.1Q.
Spanning Tree. For more information on Spanning Tree, see Chapter 6, Configuring Spanning Tree
Parameters.
Note. See Application Examples on page 14-29 for tutorials on using link aggregation with other
features.
Note. See Quick Steps for Configuring Dynamic Link Aggregation on page 14-4 for a brief tutorial on
configuring these mandatory parameters.
Alcatels link aggregation software is preconfigured with the default values for dynamic aggregate groups
and ports shown in the table in Dynamic Link Aggregation Default Values on page 14-3. For most
configurations, using only the steps described in Creating and Deleting a Dynamic Aggregate Group on
page 14-11 will be necessary to configure a dynamic link aggregate group. However, if you need to
modify any of the parameters listed in the table on page 14-3, please see Modifying Dynamic Link
Aggregate Group Parameters on page 14-14 for more information.
Note. See the Link Aggregation Commands chapter in the OmniSwitch CLI Reference Guide for
complete documentation of show commands for link aggregation.
1 Create the Dynamic Aggregate Groups on the Local (Actor) and Remote (Partner) Switches. To
create a dynamic aggregate group use the lacp linkagg size command, which is described in Creating and
Deleting a Dynamic Aggregate Group on page 14-11.
2 Configure the Same Administrative Key on the Ports You Want to Join the Dynamic Aggregate
Group. To configure ports with the same administrative key (which allows them to be aggregated), use
the lacp agg actor admin key command, which is described in Configuring Ports to Join and Removing
Ports in a Dynamic Aggregate Group on page 14-12.
Note. Depending on the needs of your network you may need to configure additional parameters.
Commands to configure optional dynamic link aggregate parameters are described in Modifying
Dynamic Link Aggregate Group Parameters on page 14-14.These commands must be executed after you
create a dynamic aggregate group.
You can create up to 32 link aggregation (both static and dynamic) groups per a standalone switch or a
stack of switches. In addition, you can also specify optional parameters shown in the table below. These
parameters must be entered after size and the user-specified number of links.
For example, Alcatel recommends assigning the actor admin key when you create the dynamic aggregate
group to help ensure that ports are assigned to the correct group. To create a dynamic aggregate group
with aggregate number 3 consisting of two ports with an admin actor key of 10, for example, enter:
-> lacp linkagg 3 size 2 actor admin key 10
Note. The optional keywords for this command may be entered in any order as long as they are entered
after size and the user-specified number of links.
Note. You cannot delete a dynamic aggregate group if it has any attached ports. To remove attached ports
you must disable the dynamic aggregate group with the lacp linkagg admin state command, which is
described in Disabling a Dynamic Aggregate Group on page 14-15.
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See
Chapter 7, Assigning Ports to VLANs, for more information on mobile ports.
You must execute the lacp agg actor admin key command on all ports in a dynamic aggregate group. If
not, the ports will be unable to join the group.
In addition, you can also specify optional parameters shown in the table below. These keywords must be
entered after the actor admin key and the user-specified actor administrative key value.
Note. The actor admin state and partner admin state keywords have additional parameters, which are
described in Modifying the Actor Port System Administrative State on page 14-19 and Modifying the
Partner Port System Administrative State on page 14-23, respectively.
All of the optional keywords listed above for this command may be entered in any order as long as they
appear after the actor admin key keywords and their user-specified value.
For example, to configure actor administrative key of 10, a local system ID (MAC address) of
00:20:da:06:ba:d3, and a local priority of 65535 to slot 4 port 1, enter:
-> lacp agg 4/1 actor admin key 10 actor system id 00:20:da:06:ba:d3 actor
system priority 65535
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to configure an actor administrative key of 10 and to document that the port
is a 10-Mbps Ethernet port to slot 4 port 1, enter:
-> lacp agg ethernet 4/1 actor admin key 10
Note. The ethernet, fastethernet, and gigaethernet keywords do not modify a ports configuration. See
Chapter 1, Configuring Ethernet Ports, for information on configuring Ethernet ports.
Ports must be deleted in the reverse order in which they were configured. For example, if port 9 through
16 were configured to join dynamic aggregate group 2 you must first delete port 16, then port 15, and so
forth. The following is an example of how to delete ports in the proper sequence from the console:
-> lacp agg no 4/24
-> lacp agg no 4/23
-> lacp agg no 4/22
Note. You must create a dynamic aggregate group before you can modify group or port parameters. See
Configuring Dynamic Link Aggregate Groups on page 14-10 for more information.
Group administrative state (see Modifying the Dynamic Aggregate Group Administrative State on
page 14-15)
Group local (actor) switch actor administrative key (see Configuring and Deleting the Dynamic
Aggregate Group Actor Administrative Key on page 14-15)
Group local (actor) switch system priority (see Modifying the Dynamic Aggregate Group Actor
System Priority on page 14-16)
Group local (actor) switch system ID (see Modifying the Dynamic Aggregate Group Actor System
ID on page 14-16)
Group remote (partner) administrative key (see Modifying the Dynamic Aggregate Group Partner
Administrative Key on page 14-17)
Group remote (partner) system priority (see Modifying the Dynamic Aggregate Group Partner System
Priority on page 14-17)
Group remote (partner) switch system ID (see Modifying the Dynamic Aggregate Group Partner
System ID on page 14-18)
For example, to name dynamic aggregate group 4 Engineering you would enter:
-> lacp linkagg 4 name Engineering
Note. If you want to specify spaces within a name, the name must be enclosed in quotes. For example:
-> lacp linkagg 4 name "Engineering Lab"
For example, to reset the partner system priority of dynamic aggregate group 4 to its default value you
would enter:
-> lacp linkagg 4 no partner system priority
Actor port system priority (see Modifying the Actor Port System Priority on page 14-21)
Actor port priority (see Modifying the Actor Port Priority on page 14-22)
Note. See Configuring Ports to Join and Removing Ports in a Dynamic Aggregate Group on page 14-12
for information on modifying a dynamic aggregate group administrative key.
All of the commands to modify actor port parameters allow you to add the ethernet, fastethernet, and
gigaethernet keywords before the slot and port number to document the interface type or make the
command look consistent with early-generation Alcatel CLI syntax. However, these keywords do not
modify a ports configuration. See Chapter 1, Configuring Ethernet Ports, for information on configur-
ing Ethernet ports.
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See
Chapter 7, Assigning Ports to VLANs, for more information on mobile ports.
Note. Specifying none removes all administrative states from the LACPDU configuration. For example:
-> lacp agg 5/49 actor admin state none
For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate actor port 49 in slot 5 you
would enter:
-> lacp agg 5/49 actor admin state active aggregate
As an option you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate actor port 49 in
slot 5 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 5/49 actor admin state active aggregate
Note. Since individual bits with the LACPDU frame are set with the lacp agg actor admin state
command you can set some bits on and restore other bits within the same command. For example, if you
wanted to restore bit 2 (aggregate) to its default settings and set bit 0 (active) on dynamic aggregate actor
port 49 in slot 5 you would enter:
-> lacp agg 5/49 actor admin state active no aggregate
For example, to modify the system ID of the dynamic aggregate actor port 3 in slot 7 to
00:20:da:06:ba:d3 you would enter:
-> lacp agg 7/3 actor system id 00:20:da:06:ba:d3
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to modify the system ID of the dynamic aggregate actor port 3 in slot 7 to
00:20:da:06:ba:d3 and document that the port is 10 Mbps Ethernet you would enter:
-> lacp agg ethernet 7/3 actor system id 00:20:da:06:ba:d3
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to modify the system priority of dynamic aggregate actor port 5 in slot 2 to
200 and document that the port is a Giga Ethernet port you would enter:
-> lacp agg gigaethernet 2/5 actor system priority 200
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to modify the actor port priority of dynamic aggregate actor port 1 in slot 2 to
100 and document that the port is a Giga Ethernet port you would enter:
-> lacp agg gigaethernet 2/1 actor port priority 100
Partner port system ID (see Modifying the Partner Port System ID on page 14-25)
Partner port system priority (see Modifying the Partner Port System Priority on page 14-26)
Partner port administrative state (see Modifying the Partner Port Administrative Status on
page 14-27)
Partner port priority (see Modifying the Partner Port Priority on page 14-27)
All of the commands to modify partner port parameters allow you to add the ethernet, fastethernet, and
gigaethernet keywords before the slot and port number to document the interface type or make the
command look consistent with early-generation Alcatel CLI syntax. However, these keywords do not
modify a ports configuration. See Chapter 1, Configuring Ethernet Ports, for information on configur-
ing Ethernet ports.
Note. A port may belong to only one aggregate group. In addition, mobile ports cannot be aggregated. See
Chapter 7, Assigning Ports to VLANs, for more information on mobile ports.
Keyword Definition
active Specifies that bit 0 in LACPDU frames is set, which indicates that the
link is able to exchange LACPDU frames. By default, this bit is set.
timeout Specifies that bit 1 in LACPDU frames is set, which indicates that a
short time-out is used for LACPDU frames. When this bit is disabled, a
long time-out is used for LACPDU frames. By default, this bit is set.
aggregate Specifies that bit 2 in LACPDU frames is set, which indicates that the
system considers this link to be a potential candidate for aggregation. If
this bit is not set, the system considers the link to be individual (it can
only operate as a single link). By default, this bit is set.
Keyword Definition
synchronize Specifies that bit 3 in the partner state octet is enabled. When this bit is
set, the port is allocated to the correct dynamic aggregation group. If
this bit is not enabled, the port is not allocated to the correct aggrega-
tion group. By default, this value is disabled.
collect Specifying this keyword has no effect because the system always deter-
mines its value. When this bit (bit 4) is set by the system, incoming
LACPDU frames are collected from the individual ports that make up
the dynamic aggregate group.
distribute Specifying this keyword has no effect because the system always deter-
mines its value. When this bit (bit 5) is set by the system, distributing
outgoing frames on the port is disabled.
default Specifying this keyword has no effect because the system always deter-
mines its value. When this bit (bit 6) is set by the system, it indicates
that the partner is using defaulted actor information administratively
configured for the partner.
expire Specifying this keyword has no effect because the system always deter-
mines its value. When this bit (bit 7) is set by the system, the actor can-
not receive LACPDU frames.
Note. Specifying none removes all administrative states from the LACPDU configuration. For example:
-> lacp agg 7/49 partner admin state none
For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate partner port 49 in slot 7 you
would enter:
-> lacp agg 7/49 partner admin state active aggregate
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to set bits 0 (active) and 2 (aggregate) on dynamic aggregate partner port 49
in slot 7 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 7/49 partner admin state active aggregate
Note. Since individual bits with the LACPDU frame are set with the lacp agg partner admin state
command you can set some bits on and restore other bits to default values within the same command. For
example, if you wanted to restore bit 2 (aggregate) to its default settings and set bit 0 (active) on dynamic
aggregate partner port 1 in slot 7 you would enter:
-> lacp agg 7/1 partner admin state active no aggregate
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to modify the administrative key of a dynamic aggregate group partner port 1
in slot 6 to 1000 and document that the port is a 10 Mbps Ethernet port you would enter:
-> lacp agg ethernet 6/1 partner admin key 1000
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to modify the system ID of dynamic aggregate partner port 49 in slot 6 to
00:20:da:06:ba:d3 and document that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 6/49 partner admin system id 00:20:da:06:ba:d3
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to modify the administrative priority of dynamic aggregate partner port 49 in
slot 4 to 100 and specify that the port is a Gigabit Ethernet port you would enter:
-> lacp agg gigaethernet 4/49 partner admin system priority 100
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to modify the administrative status of dynamic aggregate partner port 1 in
slot 7 to 200 and document that the port is a Giga Ethernet port you would enter:
-> lacp agg gigaethernet 7/1 partner admin port 200
For example, to modify the port priority of dynamic aggregate partner port 3 in slot 4 to 100 you would
enter:
-> lacp agg 4/3 partner admin port priority 100
As an option, you can use the ethernet, fastethernet, and gigaethernet keywords before the slot and port
number to document the interface type or make the command look consistent with early-generation Alca-
tel CLI syntax. For example, to modify the port priority of dynamic aggregate partner port 3 in slot 4 to
100 and document that the port is a Giga Ethernet port you would enter:
-> lacp agg gigaethernet 4/3 partner admin port priority 100
Application Examples
Dynamic link aggregation groups are treated by the switchs software the same way it treats individual
physical ports.This section demonstrates this feature by providing sample network configurations that use
dynamic aggregation along with other software features. In addition, tutorials are provided that show how
to configure these sample networks by using Command Line Interface (CLI) commands.
TM
OmniSwitch 9700
Switch A
Dynamic Aggregate
Group 5
VLAN 10 has been configured to
TM
OmniSwitch 9700
Switch C
TM
OmniSwitch 9700
Dynamic Aggregate
Group 7
VLAN 12 with 802.1Q tagging
using 802.1p priority has been
configured to use this group.
The steps to configure VLAN 10 (Spanning Tree example) are described in Link Aggregation and Span-
ning Tree Example on page 14-30. The steps to configure VLAN 12 (802.1Q and 802.1p example) are
described in Link Aggregation and QoS Example on page 14-31.
Note. Although you would need to configure both the local (i.e., Switch A) and remote (i.e., Switches B
and C) switches, only the steps to configure the local switch are provided since the steps to configure the
remote switches are not significantly different.
Note. Only the steps to configure the local (i.e., Switch A) are provided here since the steps to configure
the remote (i.e., Switch B) would not be significantly different.
2 Configure ports 5/5 and 5/6 with the same actor administrative key (5) by entering:
-> vlan 10
4 If the Spanning Tree Protocol (STP) has been disabled on this VLAN (STP is enabled by default),
enable it on VLAN 10 by entering:
-> vlan 10 stp enable
Note. Optional. Use the show spantree ports command to determine if the STP is enabled or disabled and
to display other STP parameters. For example:
-> show spantree 10 ports
Spanning Tree Port Summary for Vlan 10
Adm Oper Man. Path Desig Fw Prim. Adm Op
Port Pri St St mode Cost Cost Role Tx Port Cnx Cnx Desig Bridge ID
-----+---+---+----+----+-----+-----+----+---+-----+---+---+---------------------
3/13 7 ENA FORW No 100 0 DESG 1 3/13 EDG NPT 000A-00:d0:95:6b:0a:c0
2/10 7 ENA FORW No 19 0 DESG 1 2/10 PTP PTP 000A-00:d0:95:6b:0a:c0
5/2 7 ENA DIS No 0 0 DIS 0 5/2 EDG NPT 0000-00:00:00:00:00:00
0/5 7 ENA FORW No 4 0 DESG 1 0/10 PTP PTP 000A-00:d0:95:6b:0a:c0
In the example above the link aggregation group is indicated by the 0 for the slot number.
5 Configure VLAN 10 (which uses dynamic aggregate group 5) to the highest (15) priority possible by
entering:
-> bridge 10 5 mode priority 15
6 Repeat steps 1 through 5 on Switch B. All the commands would be the same except you would substi-
tute the appropriate port numbers.
Note. Only the steps to configure the local (i.e., Switch A) switch are provided here since the steps to
configure the remote (i.e., Switch C) switch would not be significantly different.
2 Configure ports 4/1, 4/2, 4/3, and 4/4 the same actor administrative key (7) by entering:
-> vlan 12
4 Configure 802.1Q tagging with a tagging ID (i.e., VLAN ID) of 12 on dynamic aggregate group 7 by
entering:
-> vlan 12 802.1q 7
5 If the QoS Manager has been disabled (it is enabled by default) enable it by entering:
Note. Optional. Use the show qos config command to determine if the QoS Manager is enabled or
disabled.
7 Configure an 802.1p policy action with the highest priority possible (i.e., 7) for VLAN 12 called
vlan12_action by entering:
-> policy action vlan12_action 802.1P 7
8 Configure a QoS rule called vlan12_rule by using the policy condition and policy rules you config-
ured in steps 8 and 9 above by entering:
-> policy rule vlan12_rule enable condition vlan12_condition action
vlan12_action
9 Enable your 802.1p QoS settings by entering qos apply as shown below:
10 Repeat steps 1 through 9 on Switch C. All the commands would be the same except you would substi-
tute the appropriate port numbers.
Note. If you do not use the qos apply command any QoS policies you configured will be lost on the next
switch reboot.
When you use the show linkagg command without specifying the link aggregation group number and
when you use the show linkagg port command without specifying the slot and port number, these
commands provide a global view of switch-wide link aggregate group and link aggregate port informa-
tion, respectively.
For example, to display global statistics on all link aggregate groups (both dynamic and static) you would
enter:
-> show linkagg
When you use the show linkagg command with the link aggregation group number and when you use the
show linkagg port command with the slot and port number, these commands provide detailed views of
the link aggregate group and port information, respectively. These detailed views provide excellent tools
for diagnosing and troubleshooting problems.
For example, to display detailed statistics for port 1 in slot 2 that is attached to dynamic link aggregate
group 1 you would enter:
-> show linkagg port 2/1
Note. See the Link Aggregation Commands chapter in the OmniSwitch CLI Reference Guide for
complete documentation of show commands for link aggregation.
Internet Protocol version 6 (IPv6) is the next generation of Internet Protocol version 4 (IPv4). Both
versions are supported along with the ability to tunnel IPv6 traffic over IPv4. Implementing IPv6 solves
the limited address problem currently facing IPv4, which provides a 32-bit address space. IPv6 increases
the address space available to 128 bits.
Note. IPv6 is only supported on the OmniSwitch 6850 and OmniSwitch 9000 switches for this release.
In This Chapter
This chapter describes IPv6 and how to configure it through Command Line Interface (CLI). The CLI
commands are used in the configuration examples; for more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
This chapter provides an overview of IPv6 and includes information about the following procedures:
Configuring an IPv6 Interface on page 15-10.
IPv6 Specifications
RFCs Supported 2460Internet Protocol, Version 6 (IPv6) Specification
2461Neighbor Discovery for IP Version 6 (IPv6)
2462IPv6 Stateless Address Autoconfiguration
2463Internet Control Message Protocol (ICMPv6) for the
Internet Protocol Version 6 (IPv6) Specification
2464Transmission of IPv6 Packets Over Ethernet
Networks
2893Transition Mechanisms for IPv6 Hosts and Routers
3513Internet Protocol Version 6 (IPv6) Addressing Archi-
tecture
3056Connection of IPv6 Domains via IPv4 Clouds
Maximum IPv6 interfaces 100
Maximum IPv6 global unicast addressess 100
Maximum IPv6 routes when there are no 6000
IPv4 routes present (which includes neighbor
entries, RIPng routes, and static routes)
Maximum IPv6 interfaces per VLAN 1
Maximum IPv6 interfaces per tunnel 1
Maximum IPv6 6to4 tunnels per switch 1
Maximum IPv6 configured tunnels per 255
switch
IPv6 Defaults
The following table lists the defaults for IPv6 configuration through the ip command.
Note that when the IPv6 interface is configured, the switch automatically generates a link-local address
for the interface. This allows for communication with other interfaces and/or devices on the same link,
but does not provide routing between interfaces.
2 Assign a unicast address to the v6if-v200 interface by using the ipv6 address command. For example:
3 Configure an IPv6 interface for VLAN 300 by using the ipv6 interface command. For example:
4 Assign a unicast address to the v6if-v300 interface by using the ipv6 address command. For example:
Note. Optional. To verify the IPv6 interface configuration, enter show ipv6 interface For example:
5 Enable RIPng for the switch by using the ipv6 load rip command. For example:
6 Create a RIPng interface for each of the IPv6 VLAN interfaces by using the ipv6 rip interface
command. For example:
-> ipv6 rip interface v6if-v200
-> ipv6 rip interface v6if-v300
IPv6 routing is now configured for VLAN 200 and VLAN 300 interfaces, but it is not active until at least
one port in each VLAN goes active.
IPv6 Overview
IPv6 provides the basic functionality that is offered with IPv4 but includes the following enhancements
and features not available with IPv4:
Increased IP address sizeIPv6 uses a 128-bit address, a substantial increase over the 32-bit IPv4
address size. Providing a larger address size also significantly increases the address space available,
thus eliminating the concern over running out of IP addresses. See IPv6 Addressing on page 15-5 for
more information.
Autoconfiguration of addressesWhen an IPv6 interface is created or a device is connected to the
switch, an IPv6 link-local address is automatically assigned for the interface and/or device. See Auto-
configuration of IPv6 Addresses on page 15-6 for more information.
Anycast addressesA new type of address. Packets sent to an anycast address are delivered to one
member of the anycast group.
Simplified header formatA simpler IPv6 header format is used to keep the processing and band-
width cost of IPv6 packets as low as possible. As a result, the IPv6 header is only twice the size of the
IPv4 header despite the significant increase in address size.
Improved support for header optionsImproved header option encoding allows more efficient
forwarding, fewer restrictions on the length of options, and greater flexibility to introduce new options.
Security improvementsExtension definitions provide support for authentication, data integrity, and
confidentiality.
Neighbor Discovery protocolA protocol defined for IPv6 that detects neighboring devices on the
same link and the availability of those devices. Additional information that is useful for facilitating the
interaction between devices on the same link is also detected (e.g., neighboring address prefixes,
address resolution, duplicate address detection, link MTU, and hop limit values, etc.).
This implementation of IPv6 also provides the following mechanisms to maintain compatibility between
IPv4 and IPv6:
Dual-stack support for both IPv4 and IPv6 on the same switch.
Embedded IPv4 addresses in the four lower-order bits of the IPv6 address.
The remainder of this section provides a brief overview of the new IPv6 address notation, autoconfigura-
tion of addresses, and tunneling of IPv6 over IPv4.
IPv6 Addressing
One of the main differences between IPv6 and IPv4 is that the address size has increased from 32 bits to
128 bits. Going to a 128-bit address also increases the size of the address space to the point where running
out of IPv6 addresses is not a concern.
The following types of IPv6 addresses are supported:
UnicastStandard unicast addresses, similar to IPv4.
MulticastAddresses that represent a group of devices. Traffic sent to a multicast address is delivered to
all members of the multicast group.
AnycastTraffic that is sent to this type of address is delivered to one member of the anycast group. The
device that receives the traffic is usually the one that is easiest to reach as determined by the active rout-
ing protocol.
Note. IPv6 does not support the use of broadcast addresses. This functionality is replaced using improved
multicast addressing capabilities.
IPv6 address types are identified by the high-order bits of the address, as shown in the following table:
Note that anycast addresses are unicast addresses that are not identifiable by a known prefix.
Because the last four words of the above address are uncompressed values, the double colon indicates that
the first four words of the address all contain zeros. Note that using the double colon is only allowed once
within a single address. So if the address was1234:531F:0:0:BCD2:F34A:0:0, a double colon could not
replace both sets of zeros. For example, the first two versions of this address shown below are valid, but
the last version is not valid:
1 1234:531F::BCD2:F34A:0:0
2 1234:531F:0:0:BCD2:F34A::
With IPv6 addresses that have long strings of zeros, the benefit of zero compression is more dramatic. For
example, address FF00:0:0:0:0:0:4501:32 becomes FF00::4501:32.
Note that hexidecimal notation used for IPv6 addresses resembles the notation which is used for MAC
addresses. However, it is important to remember that IPv6 addresses still identify a device at the Layer 3
level and MAC addresses identify a device at the Layer 2 level.
Another supported IPv6 address notation includes embedding an IPv4 address as the four lower-order bits
of the IPv6 address. This is especially useful when dealing with a mixed IPv4/IPv6 network. For example:
0:0:0:0:0:0:212.100.13.6
Stateless autoconfiguration is not available for assigning a global unicast or anycast address to an IPv6
interface. In other words, manual configuration is required to assign a non-link-local address to an inter-
face. See Assigning IPv6 Addresses on page 15-12 for more information.
Both stateless and stateful autoconfiguration is supported for devices, such as a workstation, when they are
connected to the switch. When the stateless method is used in this instance, the device listens for router
advertisements in order to obtain a subnet prefix. The unicast address for the device is then formed by
combining the subnet prefix with the interface ID for that device.
Stateful autoconfiguration refers to the use of an independent server, such as a DHCP server, to obtain an
IPv6 unicast address and other related information. Of course, manual configuration of an IPv6 address is
always available for devices as well.
Regardless of how an IPv6 address is obtained, duplicate address detection (DAD) is performed before the
address is assigned to an interface or device. If a duplicate is found, the address is not assigned. Note that
DAD is not performed for anycast addresses.
Please refer to RFCs 2462, 2464, and 3513 for more technical information about autoconfiguration and
IPv6 address notation.
Note. RIPng is not supported over 6to4 tunnels. However, it is possible to create a RIPng interface for a
configured tunnel. See Configuring IPv6 Tunnel Interfaces on page 15-14 for more information.
6to4 Tunnels
6to4 tunneling provides a mechanism for transporting IPv6 host traffic over an IPv4 network infrastruc-
ture to other IPv6 hosts and/or domains without having to configure explicit tunnel endpoints. Instead, an
IPv6 6to4 tunnel interface is created at points in the network where IPv6 packets are encapsulated (IPv4
header added) prior to transmission over the IPv4 network or decapsulated (IPv4 header stripped) for
transmission to an IPv6 destination.
An IPv6 6to4 tunnel interface is identified by its assigned address, which is derived by combining a 6to4
well-known prefix (2002) with a globally unique IPv4 address and embedded as the first 48 bits of an IPv6
address. For example, 2002:d467:8a89::137/64, where D467:8A89 is the hex equivalent of the IPv4
address 212.103.138.137.
6to4 tunnel interfaces are configured on routers and identify a 6to4 site. Because 6to4 tunnels are point-to-
multi-point in nature, any one 6to4 router can communicate with one or more other 6to4 routers across the
IPv4 cloud. Two common scenarios for using 6to4 tunnels are described below.
IPv4 Domain
3 The 6to4 border router encapsulates IPv6 packets with IPv4 headers and sends to the destination 6to4
border router over the IPv4 domain.
4 The destination 6to4 border router strips IPv4 header and forwards to 6to4 destination host.
The following diagram illustrates the basic traffic flow between native IPv6 hosts and 6to4 sites:
IPv4 Domain
IPv6
Router
6to4 Host
IPv6 Site
IPv6 Host
1 The 6to4 relay router advertises a route to 2002::/16 on its IPv6 router interface.
2 The IPv6 host traffic received by the relay router that has a next hop address that matches 2002::/16 is
routed to the 6to4 tunnel interface configured on the relay router.
3 The traffic routed to the 6to4 tunnel interface is then encapsulated into IPv4 headers and sent to the
destination 6to4 router over the IPv4 domain.
4 The destination 6to4 router strips the IPv4 header and forwards it to the IPv6 destination host.
For more information about configuring an IPv6 6to4 tunnel interface, see Configuring an IPv6 Inter-
face on page 15-10 and Configuring IPv6 Tunnel Interfaces on page 15-14. For more detailed informa-
tion and scenarios by using 6to4 tunnels, refer to RFC 3056.
Configured Tunnels
A configured tunnel is where the endpoint addresses are manually configured to create a point-to-point
tunnel. This type of tunnel is similar to the 6to4 tunnel on which IPv6 packets are encapsulated in IPv4
headers to facilitate communication over an IPv4 network. The difference between the two types of
tunnels is that configured tunnel endpoints require manual configuration, whereas 6to4 tunneling relies on
an embedded IPv4 destination address to identify tunnel endpoints.
For more information about IPv6 configured tunnels, see Configuring IPv6 Tunnel Interfaces on
page 15-14. For more detailed information about configured tunnels, refer to RFC 2893. Note that RFC
2893 also discusses automatic tunnels, which are not supported with this implementation of IPv6.
If creating a VLAN interface, the VLAN must already exist. See Chapter 5, Configuring VLANs, for
more information.
If creating a tunnel interface, a tunnel ID or 6to4 is specified. Only one 6to4 tunnel is allowed per
switch, so it is not necessary to specify an ID when creating this type of tunnel.
If a tunnel ID is specified, then a configured tunnel interface is created. This type of tunnel requires
additional configuration by using the ipv6 interface tunnel source destination command. See
Configuring IPv6 Tunnel Interfaces on page 15-14 for more information.
The following configurable interface parameters are set to their default values unless otherwise speci-
fied when the ip interface command is used:
Refer to the ipv6 interface command page in the OmniSwitch CLI Reference Guide for more details
regarding these parameters.
Each VLAN can have one IPv6 interface. Configuring both an IPv4 and IPv6 interface on the same
VLAN is allowed. Note that the VLAN interfaces of both types are not active until at least one port
associated with the VLAN goes active.
A link-local address is automatically configured for an IPv6 interface, except for 6to4 tunnels, when
the interface is configured. For more information regarding how this address is formed, see Autocon-
figuration of IPv6 Addresses on page 15-6.
Assigning more than one IPv6 address to a single IPv6 interface is allowed.
Assigning the same link-local address to multiple interfaces is allowed. Each global unicast prefix,
however, can only exist on one interface. For example, if an interface for a VLAN 100 is configured
with an address 4100:1000::1/64, an interface for VLAN 200 cannot have an address 4100:1000::2/64.
Each IPv6 interface anycast address must also have a unique prefix. However, multiple devices may
share the same anycast address prefix to identify themselves as members of the anycast group.
To create an IPv6 interface for a VLAN or configured tunnel, enter ipv6 interface followed by an inter-
face name, then vlan (or tunnel) followed by a VLAN ID (or tunnel ID). For example, the following two
commands create an IPv6 interface for VLAN 200 and an interface for tunnel 35:
-> ipv6 interface v6if-v200 vlan 200
-> ipv6 interface v6if-tunnel-35 tunnel 35
To create an IPv6 interface for a 6to4 tunnel, use the following command:
-> ipv6 interface v6if-6to4 tunnel 6to4
Use the show ipv6 interface command to verify the interface configuration for the switch. For more infor-
mation about this command, see the OmniSwitch CLI Reference Guide.
When an existing interface name is specified with the ipv6 interface command, the command modifies
specified parameters for that interface. If an unknown interface name is entered along with an existing
VLAN or tunnel parameter, a new interface is created with the name specified.
In the above example, 4100:1000:: is specified as the subnet prefix and 20 is the interface identifier. Note
that the IPv6 address is expressed using CIDR notation to specify the prefix length. In the above example,
/64 indicates a subnet prefix length of 64 bits.
To use the MAC address of an interface or device as the interface ID, specify the eui-64 option with this
command. For example:
-> ipv6 address 4100:1000::/64 eui-64 v6if-v200
The above command example creates address 4100:1000::2d0:95ff:fe12:fab2/64 for interface v6if-v200.
Note the following when configuring IPv6 addresses:
It is possible to assign more than one address to a single interface.
Any field of an address may contain all zeros or all ones. The exception to this is that the interface
identifier portion of the address cannot end in zero. If the eui-64 option is specified with the ipv6
address command, this is not an issue.
The EUI-64 interface identifier takes up the last 64 bits of the 128-bit IPv6 address. If the subnet prefix
combined with the EUI-64 interface ID is longer than 128 bits, an error occurs and the address is not
created.
A subnet router anycast address is automatically created when a global unicast address is assigned to an
interface. The anycast address is derived from the global address by adding an interface ID of all zeros
to the prefix of the global address. For example, the global address 4100:1000::20/64 generates the
anycast address 4100:1000::/64.
Devices, such as a PC, are eligible for stateless autoconfiguration of unicast addresses in addition to the
link-local address. If this type of configuration is in use on the network, manual configuration of
addresses is not required.
IPv6 VLAN or tunnel interfaces are only eligible for stateless autoconfiguration of their link-local
addresses. Manual configuration of addresses is required for all additional addresses.
See IPv6 Addressing on page 15-5 for an overview of IPv6 address notation. Refer to RFC 3513 for
more technical address information.
Note that the subnet router anycast address is automatically deleted when the last unicast address of the
same subnet is removed from the interface.
In the above example, 2002 is the well-known prefix that identifies a 6to4 tunnel. The D467:8A89 part of
the address that follows 2002 is the hex equivalent of the IPv4 address 212.103.138.137. Note that an IPv4
interface configured with the embedded IPv4 address is required on the switch. In addition, do not config-
ure a private (e.g., 192.168.10.1), broadcast, or unspecified address as the embedded IPv4 address.
One of the main benefits of 6to4 tunneling is that no other configuration is required to identify tunnel
endpoints. The router that the 6to4 tunnel interface is configured on will encapsulate IPv6 packets in IPv4
headers and send them to the IPv4 destination address where they will be processed. This is particularly
useful in situations where the IPv6 host is isolated.
The second type of tunnel supported is referred to as a configured tunnel. With this type of tunnel it is
necessary to specify an IPv4 address for the source and destination tunnel endpoints. Note that if bidirec-
tional communication is desired, then it is also necessary to create the tunnel interface at each end of the
tunnel.
Creating an IPv6 configured tunnel involves the following general steps:
Create an IPv6 tunnel interface using the ipv6 interface command.
Associate an IPv4 source and destination address with the tunnel interface by using the ipv6 interface
tunnel source destination command. These addresses identify the tunnel endpoints.
Associate an IPv6 address with the tunnel interface by using the ipv6 address command.
Configure a tunnel interface and associated addresses at the other end of tunnel.
Note that RIPng is not supported over 6to4 tunnels, but is allowed over configured tunnels. To use this
protocol on a configured tunnel, a RIPng interface is created for the tunnel interface. For example, the
following command creates a RIPng interface for tunnel v6if-tunnel-137:
-> ipv6 rip interface v6if-tunnel-137
show ipv6 interface Displays the status and configuration of IPv6 interfaces.
show ipv6 tunnel Displays IPv6 configured tunnel information and whether the 6to4
tunnel is enabled or not.
show ipv6 routes Displays the IPv6 Forwarding Table.
show ipv6 prefixes Displays IPv6 subnet prefixes used in router advertisements.
show ipv6 hosts Displays the IPv6 Local Host Table.
show ipv6 neighbors Displays the IPv6 Neighbor Table.
show ipv6 traffic Displays statistics for IPv6 traffic.
show ipv6 icmp statistics Displays ICMP6 statistics.
show ipv6 pmtu table Displays the IPv6 Path MTU Table.
show ipv6 tcp ports Displays TCP Over IPv6 Connection Table. Contains information
about existing TCP connections between IPv6 endpoints.
show ipv6 udp ports Displays the UDP Over IPv6 Listener Table. Contains information
about UDP/IPv6 endpoints.
For more information about the displays that result from these commands, see the OmniSwitch CLI Refer-
ence Guide.
Routing Information Protocol (RIP) is a widely used Interior Gateway Protocol (IGP) that uses hop count
as its routing metric. RIP-enabled routers update neighboring routers by transmitting a copy of their own
routing table. The RIP routing table uses the most efficient route to a destination, that is, the route with the
fewest hops and longest matching prefix.
The switch supports RIP version 1 (RIPv1), RIP version 2 (RIPv2), and RIPv2 that is compatible with
RIPv1. It also supports text key and MD5 authentication, on an interface basis, for RIPv2.
In This Chapter
This chapter describes RIP and how to configure it through the Command Line Interface (CLI). It includes
instructions for configuring basic RIP routing and fine-tuning RIP by using optional RIP configuration
parameters (e.g., RIP send/receive option and RIP interface metric). It also details RIP redistribution,
which allows a RIP network to exchange routing information with networks running different protocols
(e.g., OSPF and BGP). CLI commands are used in the configuration examples; for more details about the
syntax of commands, see the OmniSwitch CLI Reference Guide.
This chapter provides an overview of RIP and includes information about the following procedures:
RIP Routing
Loading RIP (see page 16-6)
Enabling RIP (see page 16-6)
Creating a RIP Interface (see page 16-7)
Enabling a RIP Interface (see page 16-7)
RIP Options
Configuring the RIP Forced Hold-down Interval (see page 16-9)
Enabling a RIP Host Route (see page 16-9)
RIP Redistribution
Enabling RIP Redistribution (see page 16-10)
Configuring RIP Redistribution Policies (see page 16-10)
Configuring RIP Redistribution Filters (see page 16-11)
RIP Security
Configuring Authentication Type (see page 16-14)
Configuring Passwords (see page 16-14)
RIP Specifications
RFCs Supported RFC 1058RIP v1
RFC 2453RIP v2
RFC 1722RIP v2 Protocol Applicability Statement
RFC 1724RIP v2 MIB Extension
Maximum Number of RIP Routes 2048
RIP Defaults
The following table lists the defaults for RIP configuration through the ip rip command.
1 Create VLAN 1 with a description (e.g., VLAN 1) by using the vlan command. For example:
2 Create VLAN 2 with a description (e.g., VLAN 2) by using the vlan command. For example:
3 Assign an active port to VLAN 1 by using the vlan port default command. For example, the follow-
ing command assigns port 1 on slot 1 to VLAN 1:
-> vlan 1 port default 1/1
4 Assign an active port to VLAN 2 by using the vlan port default command. For example, the follow-
ing command assigns port 2 on slot 1 to VLAN 2:
-> vlan 2 port default 1/2
7 Load RIP into the switch memory by using the ip load rip command. For example:
8 Enable RIP on the switch by using the ip rip status command. For example:
9 Create an RIP interface on VLAN 1 by using the ip rip interface command. For example:
10 Enable the RIP interface by using the ip rip interface status command. For example:
11 Create an RIP interface on VLAN 2 by using the ip rip interface command. For example:
12 Enable the RIP interface by using the ip rip interface status command. For example:
13 Enable redistribution of local routes on the switch by using the ip rip redist command. For example:
14 Use the ip rip redist-filter command to redistribute all local routes. For example:
15 Enable RIP redistribution by using the ip rip redist status command. For example:
Note. For more information on VLANs and router ports, see Chapter 5, Configuring VLANs.
RIP Overview
In switching, traffic may be transmitted from one media type to another within the same VLAN. Switch-
ing happens at Layer 2, the link layer; routing happens at Layer 3, the network layer. In IP routing, traffic
can be transmitted across VLANs. When IP routing is enabled, the switch uses routing protocols to build
routing tables that keep track of stations in the network and decide the best path for forwarding data. When
the switch receives a packet to be routed, it strips off the MAC header and examines the IP header. It looks
up the source/destination address in the routing table, and then adds the appropriate MAC address to the
packet. Calculating routing tables and stripping/adding MAC headers to packets is performed by switch
software.
IP is associated with several Layer 3 routing protocols. RIP is built into the base code loaded onto the
switch. Others are part of Alcatels optional Advanced Routing Software. IP supports the following IP
routing protocols:
RIPAn IGP that defines how routers exchange information. RIP makes routing decisions by using a
least-cost path method. RIPv1 and RIPv2 services allow the switch to learn routing information from
neighboring RIP routers. For more information and instructions for configuring RIP, see RIP Rout-
ing on page 16-5.
Open Shortest Path First (OSPF)An IGP that provides a routing function similar to RIP but uses
different techniques to determine the best route for a datagram. OSPF is part of Alcatels optional
Advanced Routing Software. For more information see the Configuring OSPF chapter in the
OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide.
When RIP is initially enabled on a switch, it issues a request for routing information, and listens for
responses to the request. If a switch configured to supply RIP hears the request, it responds with a
response packet based on information in its routing database. The response packet contains destination
network addresses and the routing metric for each destination. When a RIP response packet is received,
RIP takes the information and rebuilds the switchs routing database, adding new routes and better
(lower metric) routes to destinations already listed in the database.
RIP uses a hop count metric to measure the distance to a destination. In the RIP metric, a switch adver-
tises directly connected networks at a metric of 1. Networks that are reachable through one other gateway
are 2 hops, networks that are reachable through two gateways are 3 hops, etc. Thus, the number of hops (or
hop count) along a path from a given source to a given destination refers to the number of networks that
are traversed by a datagram along that path. When a switch receives a routing update that contains a new
or changed destination network entry, the switch adds one to the metric value indicated in the update and
enters the network in the routing table. After updating its routing table, the switch immediately begins
transmitting routing updates to inform other network switches of the change. These updates are sent inde-
pendently of the regularly scheduled updates. By default, RIP packets are broadcast every 30 seconds,
even if no change has occurred anywhere in a route or service.
RIP deletes routes from the database if the next switch to that destination says the route contains more
than 15 hops. In addition, all routes through a gateway are deleted by RIP if no updates are received from
that gateway for a specified time period. If a gateway is not heard from for 180 seconds, all routes from
that gateway are placed in a hold-down state. If the hold-down timer value is exceeded, the routes are
deleted from the routing database. These intervals also apply to deletion of specific routes.
RIP Version 2
RIP version 2 (RIPv2) adds additional capabilities to RIP. Not all RIPv2 enhancements are compatible
with RIPv1. To avoid supplying information to RIPv1 routes that could be misinterpreted, RIPv2 can only
use non-compatible features when its packets are multicast. Multicast is not supported by RIPv1. On inter-
faces that are not compatible with IP multicast, the RIPv1-compatible packets used do not contain poten-
tially confusing information. RIPv2 enhancements are listed below.
Next HopRIPv2 can advertise a next hop other than the switch supplying the routing update. This
capability is useful when advertising a static route to a silent switch not using RIP, since packets pass-
ing through the silent switch do not have to cross the network twice.
Network MaskRIPv1 assumes that all subnetworks of a given network have the same network mask.
It uses this assumption to calculate the network masks for all routes received. This assumption prevents
subnets with different netmasks from being included in RIP packets. RIPv2 adds the ability to specify
the network mask with each network in a packet. Because RIPv1 switches ignore the network mask in
RIPv2 packets, their calculation of the network mask could possibly be wrong. For this reason, RIPv1-
compatible RIPv2 packets cannot contain networks that would be misinterpreted by RIPv1. These
networks must only be provided in native RIPv2 packets that are multicast.
AuthenticationRIPv2 packets can contain an authentication key that may be used to verify the valid-
ity of the supplied routing data. Authentication may be used in RIPv1-compatible RIPv2 packets, but
RIPv1 switches will ignore authentication information. Authentication is a simple password in which
an authentication key of up to 16 characters is included in the packet. If this key does not match the
configured authentication key, the packet is discarded. For more information on RIP authentication, see
RIP Security on page 16-14.
IP MulticastIP Multicast Switching (IPMS) is a one-to-many communication technique employed by
emerging applications such as video distribution, news feeds, netcasting, and resource discovery.
Unlike unicast, which sends one packet per destination, multicast sends one packet to all devices in any
subnetwork that has at least one device requesting the multicast traffic. For more information on IPMS,
see Chapter 28, Configuring IP Multicast Switching.
RIP Routing
IP routing requires IP router ports to be configured on VLANs and a routing protocol to be enabled and
configured on the switch. RIP also requires a RIP interface to be created and enabled on the routing port.
In the illustration below, a router port and RIP interface have been configured on each VLAN. Therefore,
workstations connected to ports on VLAN 1 on Switch 1 can communicate with VLAN 2; and worksta-
tions connected to ports on VLAN 3 on Switch 2 can communicate with VLAN 2. Also, ports from both
switches have been assigned to VLAN 2, and a physical connection has been made between the switches.
Therefore, workstations connected to VLAN 1 on Switch 1 can communicate with workstations connected
to VLAN 3 on Switch 2.
Switch 1 Switch 2
Router Port/
= RIP Interface
Physical
VLAN 1 VLAN 2 Connection VLAN 3
VLAN 2
110.0.0.0 120.0.0.0 130.0.0.0
120.0.0.0
RIP Routing
Loading RIP
When the switch is initially configured, RIP must be loaded into the switch memory. Use the ip load rip
command to load RIP.
To remove RIP from the switch memory, you must manually edit the boot.cfg file. The boot.cfg file is an
ASCII text-based file that controls many of the switch parameters. Open the file and delete all references
to RIP. You must reboot the switch when this is complete.
Note. In simple networks where only IP forwarding is required, you may not want to use RIP. If you are
not using RIP, it is best not to load it to save switch resources.
Enabling RIP
RIP is disabled by default. Use the ip rip status command to enable RIP routing on the switch. For exam-
ple:
-> ip rip status enable
Use the ip rip status disable command to disable RIP routing on the switch. Use the show ip rip
command to display the current RIP status.
Use the no ip rip interface command to delete a RIP interface. Use the show ip rip interface command
to display configuration and error information for a RIP interface.
Note. You can create a RIP interface even if an IP router port has not been configured. However, RIP will
not function unless a RIP interface is created and enabled on an IP router port. For more information on
VLANs and router ports, see Chapter 5, Configuring VLANs..
To disable an RIP interface, use the disable keyword with the ip rip interface status command. For
example to disable RIP routing on a RIP interface 171.15.0.1 you would enter:
-> ip rip interface 171.15.0.1 status disable
v1compatible. Only RIPv2 broadcast packets (not multicast) will be sent by the switch.
both. Both RIPv1 and RIPv2 packets will be received by the switch.
Note. When you configure a metric for a RIP interface, this metric cost is added to the metric of the
incoming route.
Use the ip rip interface metric command to configure the RIP metric or cost for routes generated by a
RIP interface. Enter the IP address of the RIP interface as well as a metric value. For example, to set a
metric value of 2 for the RIP interface 171.15.0.1 you would enter:
-> ip rip interface 171.15.0.1 metric 2
RIP Options
The following sections detail procedures for configuring RIP options. RIP must be loaded and enabled on
the switch before you can configure any of the RIP configuration options.
RIP Redistribution
Redistribution provides a way to exchange routing information between RIP networks and OSPF and BGP
networks. It also redistributes local and static routes into RIP. Basically, redistribution makes a non-RIP
route look like a RIP route. Configuring RIP redistribution consists of the following tasks:
Use the ip rip redist status disable command to disable redistribution. Use the show ip rip command to
display the RIP redistribution status.
Use the no ip rip redist command to delete a redistribution policy. For example, to turn off redistribu-
tion of OSPF routes you would enter:
-> no ip rip redist ospf
Note. If you are configuring more than one route type, you must repeat the command for each one.
Use the show ip rip redist command to display the status of RIP policies.
Note. You must configure a redistribution policy before configuring a redistribution metric for that type.
See Configuring a RIP Redistribution Policy on page 16-10 for information on configuring redistribu-
tion policies. If you are configuring a metric value for more than one route type, you must repeat the
command for each one.
Note. You must first configure a redistribution policy before configuring a filter for a route type. See
Configuring a RIP Redistribution Policy on page 16-10 for information on configuring redistribution
policies.
Note. A network/subnetwork of 0.0.0.0. 0.0.0.0 will redistribute all routes for the configured route type.
Use the no ip rip redist-filter command to delete a filter. For example, to turn off redistribution for
OSPF routes to the 10.0.0.0 network you would enter:
-> no ip rip redist-filter ospf 10.0.0.0 255.0.0.0
Use the show ip rip redist-filter command to display the currently configured redistribution filters.
Note. Local interfaces will not be added to the RIP routing table unless RIP redistribution is enabled and a
filter is added for the local protocol.
Note. If you are configuring a metric value for more than one route type, you must repeat the command
for each one.
aggregate. Redistributes an aggregate route if there are one or more routes that match this filter.
no-subnets. Redistributes only those routes that exactly match the redistribution filter.
For example, if the route being filtered is an aggregate or subnet route and the routes that comprise the
aggregate or subnet route should not be redistributed, enter the ip rip redist-filter redist-control
command, and the no-subnets keyword.
-> ip rip redist-filter ospf 172.22.0.0 255.255.0.0 redist-control no-subnets
Note. By default, filters are set to allow subnet routes to be advertised. If this is the filter action required, it
is not necessary to use the redist-control keyword.
RIP Security
By default, there is no authentication used for a RIP. However, you can configure a password for a RIP
interface. To configure a password, you must first select the authentication type (simple or MD5), and then
configure a password.
For example, to configure the RIP interface 172.22.2.115 for simple authentication you would enter:
-> ip rip interface 172.22.2.115 auth-type simple
To configure the RIP interface 172.22.2.115 for MD5 authentication you would enter:
-> ip rip interface 172.22.2.115 md5 auth-type md5
Configuring Passwords
If you configure simple or MD5 authentication you must configure a text string that will be used as the
password for the RIP interface. If a password is used, all switches that are intended to communicate with
each other must share the same password.
After configuring the interface for simple authentication as described above, configure the password for
the interface by using the ip rip interface auth-key command. Enter the IP address of the RIP interface,
and then enter a 16-byte text string. For example to configure a password nms you would enter:
-> ip rip interface 172.22.2.115 auth-key nms
show ip rip Displays the RIP status and general configuration parameters (e.g.,
forced hold-down timer).
show ip rip routes Displays the RIP routing database. The routing database contains all
the routes learned through RIP.
show ip rip interface Displays the RIP interface status and configuration.
show ip rip peer Displays active RIP neighbors (peers).
show ip rip redist Displays general RIP redistribution parameters.
show ip rip redist-filter Displays currently configured RIP redistribution filters.
For more information about the displays that result from these commands, see the OmniSwitch CLI Refer-
ence Guide.
Router Discovery Protocol (RDP) is an extension of ICMP that allows end hosts to discover routers on
their networks. This implementation of RDP supports the router requirements as defined in RFC 1256.
In This Chapter
This chapter describes the RDP feature and how to configure RDP parameters through the Command Line
Interface (CLI). CLI commands are used in the configuration examples; for more details about the syntax
of commands, see the OmniSwitch CLI Reference Guide.
The following procedures are described:
Enabling/Disabling RDP on page 17-8.
RDP Specifications
RFCs Supported RFC 1256ICMP Router Discovery Messages
Router advertisements Supported
Host solicitations Only responses to solicitations supported in this
release.
Maximum number of RDP interfaces per One for each available IP interface configured
switch on the switch.
Advertisement destination addresses 224.0.0.1 (all systems multicast)
255.255.255.255 (broadcast)
RDP Defaults
Parameter Description CLI Command Default Value/Comments
RDP status for the switch ip router-discovery Disabled
RDP status for switch interfaces ip router-discovery Disabled
(router VLAN IP addresses) interface
Advertisement destination address ip router-discovery All systems multicast (224.0.0.1)
for an active RDP interface. interface advertise-
ment-address
Maximum time between advertise- ip router-discovery 600 seconds
ments sent from an active RDP inter- interface max-adver-
face tisement-interval
Minimum time between advertise- ip router-discovery 450 seconds
ments sent from an active RDP inter- interface min-adver- (0.75 * maximum advertisement interval)
face tisement-interval
Maximum time IP addresses con- ip router-discovery 1800 seconds
tained in an advertisement packet are interface advertise- (3 * maximum advertisement interval)
considered valid ment-lifetime
Preference level for IP addresses ip router-discovery 0
contained in an advertisement packet interface preference-
level
Note. Optional. To verify the global RDP configuration for the switch, enter the show ip router-discov-
ery command. The display is similar to the one shown below:
2 Use the following command to create an RDP interface for an IP router interface. In this example, an
RDP interface is created for the IP router interface named Marketing (note that the IP interface is refer-
enced by its name).
-> ip router-discovery interface Marketing enable
3 When an RDP interface is created, default values are set for the interface advertisement destination
address, transmission interval, lifetime, and preference level parameters. If you want to change the
default values for these parameters, see Creating an RDP Interface on page 17-8.
Note. Optional. To verify the RDP configuration for all RDP interfaces, enter the show ip router-
discovery interface command. The display is similar to the one shown below:
To verify the configuration for a specific RDP interface, specify the interface name when using the show
ip router-discovery interface command. The display is similar to the one shown below.
For more information about this command, refer to the RDP Commands chapter in the OmniSwitch CLI
Reference Guide.
RDP Overview
End host (clients) sending traffic to other networks need to forward their traffic to a router. In order to do
this, hosts need to find out if one or more routers exist on their LAN, then learn their IP addresses. One
way to discover neighboring routers is to manually configure a list of router IP addresses that the host
reads at startup. Another method available involves listening to routing protocol traffic to gather a list of
router IP addresses.
RDP provides an alternative method for hosts to discover routers on their network that involves the use of
ICMP advertisement and solicitation messages. Using RDP, hosts attached to multicast or broadcast
networks send solicitation messages when they start up. Routers respond to solicitation messages with an
advertisement message that contains the router IP addresses. In addition, routers first send advertisement
messages when their RDP interface becomes active, and then subsequently at random intervals.
When a host receives a router advertisement message, it adds the IP addresses contained in the message to
its list of default router gateways in the order of preference. As a result, the list of router IP addresses is
dynamically created and maintained, eliminating the need for manual configuration of such a list. In addi-
tion, hosts do not have to recognize many different routing protocols to discover router IP addresses.
The following diagram illustrates an example of using RDP in a typical network configuration:
RS-1
2/3
TM
OmniSwitch 9700 H-1
1/1
2/4
H-2
RS-2
1/2
Network 17.0.0.0
When interfaces 2/3 and 2/4 on hosts H-1 and H-2, respectively, become active, they transmit router solic-
itation ICMP messages on Network 17.0.0.0. The RDP enabled routers RS-1 and RS-2 pick up these pack-
ets on their RDP interfaces 1/1 and 1/2 and respond with router advertisement ICMP messages. RS-1 and
RS-2 also periodically send out router advertisements on their RDP interfaces.
RDP Interfaces
An RDP interface is created by enabling RDP on a VLAN router IP address. Once enabled, the RDP inter-
face becomes active and joins the all-routers IP multicast group (224.0.0.2). The interface then transmits
three initial router advertisement messages at random intervals that are no greater than 16 seconds apart.
This process occurs upon activation to increase the likelihood that end hosts will quickly discover this
router.
After an RDP interface becomes active and transmits its initial advertisements, subsequent advertisements
are transmitted at random intervals that fall between a configurable range of time. This range of time is
defined by specifying a maximum and minimum advertisement interval value. See Defining the Adver-
tisement Interval on page 17-9 for more information. Because advertisements are transmitted at random
intervals, the risk of system overload is reduced as advertisements from other routers on the same link are
not likely to transmit at the same time.
It is important to note that advertisements are only transmitted on RDP interfaces if the following condi-
tions are met:
The RDP global status is enabled on the switch.
Whether VRRP is disabled or enabled, there is one or more Master IP addresses for the VLAN. If
VRRP is enabled and if there are no Masters IP addresses, router advertisements are not sent on the
VLAN. (See Chapter 19, Configuring VRRP, for more information.)
The router advertisement is a multicast packet sent to the all-systems IP multicast group (224.0.0.1) or the
broadcast address. If VRRP is enabled, the message should be filled with IP addresses obtained from
VRRP Master IP address list; otherwise the IP address of the IP router interface is used.
Note that RDP is not recommended for detecting neighboring router failures, referred to as black holes, in
the network. However, it is possible to use RDP as a supplement for black hole detection by setting RDP
interface advertisement interval and lifetime values to values lower than the default values for these
parameters. See Defining the Advertisement Interval on page 17-9 and Setting the Advertisement Life-
time on page 17-10 for more information.
Security Concerns
ICMP RDP packets are not authenticated, which makes them vulnerable to the following attacks:
Passive monitoringAttackers can use RDP to re-route traffic from vulnerable systems through the
attackers system. This allows the attacker to monitor or record one side of the conversation. However,
the attacker must reside on the same network as the victim for this scenario to work.
Man in the middleAttacker modifies any of the outgoing traffic or plays man in the middle, acting
as a proxy between the router and the end host. In this case, the victim thinks that it is communicating
with an end host, not an attacker system. The end host thinks that is it communicating with a router
because the attacker system is passing information through to the host from the router. If the victim is a
secure Web server that uses SSL, the attacker sitting in between the server and an end host could inter-
cept unencrypted traffic. As is the case with passive monitoring, the attacker must reside on the same
network as the victim for this scenario to work.
Denial of service (DoS)Remote attackers can spoof these ICMP packets and remotely add bad
default-route entries into a victims routing table. This would cause the victim to forward frames to the
wrong address, thus making it impossible for the victims traffic to reach other networks. Because of
the large number of vulnerable systems and the fact that this attack will penetrate firewalls that do not
stop incoming ICMP packets, this DoS attack can become quite severe. (See Chapter 12, Configuring
IP, and Chapter 26, Configuring QoS, for more information about DoS attacks.)
Note. Security concerns associated with using RDP are generic to the feature as defined in RFC 1256 and
not specific to this implementation.
Enabling/Disabling RDP
RDP is included in the base software and is available when the switch starts up. However, by default this
feature is not operational until it is enabled on the switch.
To enable RDP operation on the switch, use the following command:
-> ip router-discovery enable
Once enabled, any existing RDP interfaces on the switch that are also enabled will activate and start to
send initial advertisements. See RDP Interfaces on page 17-6 for more information.
To disable RDP operation on the switch, use the following command:
-> ip router-discovery disable
Use the show ip router-discovery command to determine the current operational status of RDP on the
switch.
The IP router interface name is the name assigned to the interface when it was first created. For more
information about creating IP router interfaces, see Chapter 12, Configuring IP.
The first time an RDP interface is enabled, it is not necessary to enter enable as part of the command.
However, if the interface is subsequently disabled, then entering enable is required the next time this
command is used. For example, the following sequence of commands initially enables an RDP interface
for the Marketing IP router interface, then disables and again enables the same interface:
-> ip router-discovery interface Marketing
-> ip router-discovery interface Marketing disable
-> ip router-discovery interface Marketing enable
When the above RDP interface becomes active, advertisement packets are transmitted on all active ports
that belong to the VLAN associated with the Marketing interface. These packets contain the IP address
associated with the Marketing interface for the purposes of advertising this interface on the network.
When an RDP interface is created, it is automatically configured with the following default parameter
values:
It is only necessary to change the above parameter values if the default value is not sufficient. The follow-
ing subsections provide information about how to configure RDP interface parameters if it is necessary to
use a different value.
Enter all-systems-multicast when using this command to change the destination address to 224.0.0.1. For
example:
-> ip router-discovery interface Marketing advertisement-address all-systems-
multicast
Make sure that the value specified with this command is greater than the current minimum advertisement
interval value. By default, this value is set to 600 seconds.
Make sure that the value specified with this command is less than the current maximum advertisement
interval value. By default, this value is set to 0.75 * the default maximum interval value (450 seconds if
the maximum interval is set to its default value of 600 seconds).
By default, the lifetime value is set to 3 * the current maximum interval value (1800 seconds if the maxi-
mum interval is set to its default value of 600 seconds).
Note that router IP address preference levels are only compared with the preference levels of other routers
that exist on the same subnet. Set low preference levels to discourage selection of a specific router.
show ip router-discovery Displays the current operational status of RDP on the switch. Also
includes the number of advertisement packets transmitted and the num-
ber of solicitation packets received by all RDP interfaces on the switch.
show ip router- Displays the current RDP status, related parameter values, and RDP
discovery interface traffic statistics for one or more switch router RDP interfaces.
For more information about the resulting displays from these commands, see the OmniSwitch CLI Refer-
ence Guide. An example of the output for the show ip router-discovery and show ip router-discovery
interface commands is also given in Quick Steps for Configuring RDP on page 17-3.
The User Datagram Protocol (UDP) is a connectionless transport protocol that runs on top of IP networks.
The DHCP Relay allows you to use nonroutable protocols (such as UDP) in a routing environment. UDP
is used for applications that do not require the establishment of a session and end-to-end error checking.
Email and file transfer are two applications that could use UDP. UDP offers a direct way to send and
receive datagrams over an IP network and is primarily used for broadcasting messages. This chapter
describes the DHCP Relay feature. This feature allows UDP broadcast packets to be forwarded across
VLANs that have IP routing enabled.
In This Chapter
This chapter describes the basic components of DHCP Relay and how to configure them. CLI commands
are used in the configuration examples. For more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Quick steps for configuring DHCP Relay on page 18-4.
Setting the Relay Forwarding Option to Standard, Per-VLAN, or AVLAN on page 18-11.
Using automatic IP configuration to obtain an IP address for the switch on page 18-12.
For information about the IP protocol, see Chapter 12, Configuring IP.
Note. The DHCP Relay functionality described in this chapter is supported on the OmniSwitch 6800,
6850, and 9000 switches unless otherwise stated in the following Specifications table or specifically noted
within any section of this chapter.
2 Set the forward delay timer for the BOOTP/DHCP relay. To set the timer for a 15 second delay, use the
following command:
-> ip helper forward delay 15
3 Set the maximum hop count value. To set a hop count of 3, use the following command:
Note. Optional. To verify the DHCP Relay configuration, enter the show ip helper command. The display
shown for the DHCP Relay configured in the above Quick Steps is shown here:
Configurable options: DHCP server IP address, Forward Delay, Maximum Hops, Forwarding Option,
automatic switch IP configuration
The port numbers indicate the destination port numbers in the UDP header. The DHCP Relay will verify
that the forward delay time (specified by the user) has elapsed before sending the packet down to UDP
with the destination IP address replaced by the address (also specified by the user).
If the relay is configured with multiple IP addresses, then the packet will be sent to all IP address destina-
tions. The DHCP Relay also verifies that the maximum hop count has not been exceeded. If the forward
delay time is not met or the maximum hop count is exceeded, the BOOTP/DHCP packet will be discarded
by the DHCP Relay.
The forwarding option allows you to specify if the relay should operate in the standard, per-VLAN only,
or AVLAN-only mode. The standard mode forwards all DHCP packets on a global relay service. The per-
VLAN only mode forwards DHCP packets that originate from a specific VLAN. The AVLAN-only mode
only forwards packets received on authenticated ports from non-authenticated clients. See Setting the
Relay Forwarding Option on page 18-11 for more information.
An additional function provided by the DHCP Relay service enables automatic IP address configuration
for default VLAN 1 when an unconfigured switch boots up. If this function is enabled, the switch broad-
casts a BootP or a DHCP request packet at boot time. When the switch receives an IP address from a
BootP/DHCP server, the address is assigned to default VLAN 1. See Enabling Automatic IP Configura-
tion on page 18-12 for more information.
Alternately the relay function may be provided by an external router connected to the switch; in this case,
the relay would be configured on the external router.
DHCP
DHCP (Dynamic Host Configuration Protocol) provides a framework for passing configuration informa-
tion to Internet hosts on a TCP/IP network. It is based on the Bootstrap Protocol (BOOTP), adding the
ability to automatically allocate reusable network addresses and additional configuration options. DHCP
consists of the following two components:
A protocol for delivering host-specific configuration parameters from a DHCP server to a host.
DHCP is built on a client-server model in which a designated DHCP server allocates network addresses
and delivers configuration parameters to dynamically configured hosts. It supports the following three
mechanisms for IP address allocation.
AutomaticDHCP assigns a permanent IP address to a host.
DynamicDHCP assigns an IP address to a host for a limited period of time (or until the host explic-
itly relinquishes the address).
ManualThe network administrator assigns a hosts IP address and DHCP simply conveys the
assigned address to the host.
OmniSwitch
TM
OmniSwitch 9700
External Router
with
DHCP Relay
125.0.0.1
DHCP Clients VLAN 1
IN OUT
125.0.0.2
DHCP Server
130.0.0.13
DHCP Clients
The external router inserts the subnet address of the first hop segment into the DHCP request frames from
the DHCP clients. This subnet address allows the DHCP server to locate the segment on which the
requesting client resides. In this example, all clients attached to the OmniSwitch are DHCP-ready and will
have the same subnet address (130.0.0.0) inserted into each of the requests by the routers DHCP Relay
function. The DHCP server will assign a different IP address to each of the clients. The switch does not
need an IP address assigned and all DHCP clients will be members of either a default VLAN or an IP
protocol VLAN.
DHCP Relay
125.0.0.21 130.0.0.21
(Router Port IP Address) (Router Port IP Address)
VLAN 2 VLAN 3
130.0.0.14 130.0.0.15
DHCP Clients
125.0.0.1 125.0.0.2
DHCP Client DHCP Server 130.0.0.13
DHCP Client
DHCP Clients in Two VLANs
During initialization, each network client forwards a DHCP request frame to the DHCP server using the
local broadcast address. For those locally attached stations, the frame will simply be switched.
In this case, the DHCP server and clients must be members of the same VLAN (they could also all be
members of the default VLAN). One way to accomplish this is to use DHCP rules in combination with IP
protocol rules to place all IP frames in the same VLAN. See Chapter 9, Defining VLAN Rules, for more
information.
Because the clients in the application example are not members of the same VLAN as the DHCP server,
they must request an IP address via the DHCP Relay routing entity in the switch. When a DHCP request
frame is received by the DHCP Relay entity, it will be forwarded from VLAN 3 to VLAN 2. All the
DHCP-ready clients in VLAN 3 must be members of the same VLAN, and the switch must have the
DHCP Relay function configured.
Global DHCP
For the global DHCP service, you must identify an IP address for the DHCP server.
The DHCP Relay forwards BOOTP/DHCP broadcasts to and from the specified address. If multiple
DHCP servers are used, one IP address must be configured for each server. You can configure up to 256
addresses for each relay service.
To delete an IP address, use the no form of the ip helper address command. The IP address specified
with this syntax will be deleted. If an IP address is not specified with this syntax, then all IP helper
addresses are deleted. The following command deletes an IP helper address:
-> ip helper no address 125.255.17.11
Per-VLAN DHCP
For the Per-VLAN DHCP service, you must identify the number of the VLAN that makes the relay
request.
The following syntax identifies two DHCP servers for VLAN 4 at two different IP addresses.
-> ip helper address 125.255.17.11 125.255.18.11 vlan 4
To delete an IP address, use the no form of the ip helper address command. The IP address specified with
this syntax will be deleted. If an IP address is not specified with this syntax, then all IP helper addresses
are deleted. The following command deletes an helper address for IP address 125.255.17.11:
-> ip helper no address 125.255.17.11
The only parameter that is required for BOOTP relay is the IP address to the DHCP server or to the next
hop to the DHCP server. The default values can be accepted for forward delay, hop count, and relay
forwarding option.
Alternately the relay function may be provided by an external router connected to the switch; in this case,
the relay would be configured on the external router.
The range for the forward delay time value is 0 to 65535 seconds.
The hops value represents the maximum number of relays. The range is from one to 16 hops. The default
maximum hops value is set to four. This maximum hops value only applies to DHCP Relay. All other
switch services will ignore this value.
Note. Automatic IP address configuration only supports the assignment of a permanent IP address to the
switch. Make sure that the DHCP server is configured with such an address before using this feature.
Using automatic IP configuration also allows the switch to specify the type of request packet to send;
BootP (the default) or DHCP. When the BootP/DHCP server receives the request packet from the switch,
it processes the request and sends an appropriate reply packet. When the switch receives a reply packet
from the BootP/DHCP server, one or more of the following occurs:
The router port for VLAN 1 is assigned the IP address provided by the server.
If the reply packet contains a subnet mask for the IP address, the mask is applied to the VLAN 1 router
port address. Otherwise, a default mask is determined based upon the class of the IP address. For exam-
ple, if the IP address is a Class A, B, or C address, then 255.0.0.0, 255.255.0.0, or 255.255.255.0 is
used for the subnet mask.
If the reply packet from the server contains a gateway IP address, then a static route entry of 0.0.0.0 is
created on the switch with the gateway address provided by the server.
Note. If the VLAN 1 router port is already configured with an IP address, the switch does not broadcast a
request packet at boot time even if automatic IP configuration is enabled.
To verify IP router port configuration for VLAN 1, use the show ip interface and show ip route
commands. For more information about these commands, refer to the OmniSwitch CLI Reference Guide.
Once enabled, the next time the switch boots up, DHCP Relay will broadcast a BootP (the default) or
DHCP request packet to obtain an IP address for default VLAN 1.
To disable automatic IP configuration for the switch, use the ip helper boot-up command with the disable
option, as shown below:
-> ip helper boot-up disable
Remote IDthe MAC address of the router interface associated with the VLAN ID specified in the
Circuit ID suboption.
The DHCP Option-82 feature is only applicable when DHCP relay is used to forward DHCP packets
between clients and servers associated with different VLANs. In addition, a secure IP network must exist
between the relay agent and the DHCP server.
How the Relay Agent Processes DHCP Packets from the Client
The following table describes how the relay agent processes DHCP packets received from clients when
the Option-82 feature is enabled for the switch:
If the DHCP packet from the client ... The relay agent ...
Contains a zero gateway IP address (0.0.0.0) and Inserts Option-82 with unique information to
no Option-82 data. identify the client source.
If the DHCP packet from the client ... The relay agent ...
Contains a zero gateway IP address (0.0.0.0) and Drops the packet, keeps the Option-82 data and
Option-82 data. forwards the packet, or replaces the Option-82
data with its own Option-82 data and forwards the
packet.
How the Relay Agent Processes DHCP Packets from the Server
Note that if a DHCP server does not support Option-82, the server strips the option from the packet. If the
server does support this option, the server will retain the Option-82 data received and send it back in a
reply packet.
When the relay agent receives a DHCP packet from the DHCP server and the Option-82 feature is
enabled, the agent will:
1 Extract the VLAN ID from the Circuit ID suboption field in the packet and compare the MAC address
of the IP router interface for that VLAN to the MAC address contained in the Remote ID suboption field
in the same packet.
2 If the IP router interface MAC address and the Remote ID MAC address are not the same, then the
agent will drop the packet.
3 If the two MAC addresses match, then a check is made to see if the slot/port value in the Circuit ID
suboption field in the packet matches a port that is associated with the VLAN also identified in the Circuit
ID suboption field.
4 If the slot/port information does not identify an actual port associated with the Circuit ID VLAN, then
the agent will drop the packet.
5 If the slot/port information does identify an actual port associated with the Circuit ID VLAN, then the
agent strips the Option-82 data from the packet and unicasts the packet to the port identified in the Circuit
ID suboption.
This same command is also used to disable this feature. For example:
-> ip helper agent-information disable
Note that because this feature is not available on a per-VLAN basis, DHCP Option-82 functionality is not
restricted to ports associated with a specific VLAN. Instead, DHCP traffic received on all ports is eligible
for Option-82 data insertion when it is relayed by the agent.
keepThe existing Option-82 data in the DHCP packet is retained and the packet is forwarded to the
server.
replaceThe existing Option-82 data in the DHCP packet is replaced with local relay agent data and
then forwarded to the server.
For example, the following commands configure DHCP Option-82 policies:
-> ip helper agent-information policy drop
Note that this type of policy applies to all DHCP packets received on all switch ports. In addition, if a
packet that contains existing Option-82 data also contains a gateway IP address that matches a local subnet
address, the relay agent will drop the packet and not apply any existing Option-82 policy.
If none of the above are true, then the relay agent accepts and forwards the packet. When the relay agent
receives a DHCPACK packet from a server, the agent extracts the following information to create an entry
in the DHCP Snooping binding table:
MAC address of the DHCP client.
IP address for the client that was assigned by the DHCP server.
The VLAN associated with the port from where the DHCP packet originated.
After extracting the above information and populating the binding table, the agent then forwards the
packet to the port from where the packet originated. Basically, the DHCP Snooping features prevents the
normal flooding of DHCP traffic. Instead, packets are delivered only to the appropriate client and server
ports.
Note that DHCP Snooping only applies to traffic that is relayed between VLANs. If a DHCP server and
client reside within the same VLAN domain, then DHCP Snooping is not applied to communications
between these devices.
Note. DHCP Snooping drops server packets received on untrusted ports (ports that connect to devices
outside the network or firewall). It is important to configure ports connected to DHCP servers as trusted
ports so that traffic to/from the server is not dropped.
When DHCP Snooping is enabled at the switch level, all DHCP packets received on all switch ports are
screened/filtered by DHCP Snooping. By default, only client DHCP traffic is allowed on the ports, unless
the trust mode for a port is configured to block or allow all DHCP traffic. See Configuring the Port Trust
Mode on page 18-18 for more information.
In addition, the following functionality is also activated by default when DHCP Snooping is enabled:
The DHCP Snooping binding table is created and maintained.
MAC address verification is performed to compare the source MAC address of the DHCP packet with
the client hardware address contained in the packet.
Option-82 data is inserted into the packet and then DHCP reply packets are only sent to the port from
where the DHCP request originated, instead of flooding these packets to all ports.
To enable or disable any of the above functionality at the switch level, use the following commands:
Enabling the binding table is not allowed if Option-82 data insertion is not enabled at either the switch
or VLAN level.
When this feature is enabled at the VLAN level, DHCP Snooping functionality is only applied to ports that
are associated with a VLAN that has this feature enabled. Up to 64 VLANs can have DHCP Snooping
enabled. Note that enabling DHCP Snooping at the switch level is not allowed if it is enabled for one or
more VLANs.
By default, when DHCP Snooping is enabled for a specific VLAN, MAC address verification and Option-
82 data insertion is also enabled for the VLAN by default. To disable or enable either of these two
features, use the ip helper dhcp-snooping vlan command with either the mac-address verification or
option-82 data-insertion parameters. For example:
-> ip helper dhcp-snooping vlan 200 mac-address verification disable
Note that if the binding table functionality is enabled, disabling Option-82 data insertion for the VLAN is
not allowed. See Configuring the DHCP Snooping Binding Table on page 18-20 for more information.
Note. If DHCP Snooping is not enabled for a VLAN, then all ports associated with the VLAN are consid-
ered trusted ports. VLAN-level DHCP Snooping does not filter DHCP traffic on ports associated with a
VLAN that does not have this feature enabled.
It is also possible to specify a range of ports. For example, the following command changes the trust mode
for ports 2/1 through 2/10 to trusted:
-> ip helper dhcp-snooping port 2/1-10 trust
Note that it is necessary to configure ports connected to DHCP servers within the network and/or firewall
as trusted ports so that necessary DHCP traffic to/from the server is not blocked. Configuring the port
mode as trusted also identifies the device connected to that port as a trusted device within the network.
Note that enabling traffic suppression on a port will prevent DHCP traffic between a DHCP server and
client that belong to the same VLAN domain.
Where <rate> is (packets per second * average packet size) or a specific overall data rate to use for limit-
ing the number of DHCP packets.
In the above rule example, however, DHCP requests are limited on all ports. To narrow the scope of the
rate limiting, add a source port condition to the rule. For example, the following condition specifies 3/2 as
a source port:
-> policy condition client-dhcp source port 3/2
In addition, you can also use the UserPorts port group to apply the rule to all ports that are members of this
group or configure a customized port group. For example:
-> policy condition client-dhcp source port group UserPorts
Note that when QoS policy rules are configured, they do not apply to the switch until the qos apply
command is performed. See Chapter 26, Configuring QoS, in the OmniSwitch 6800/6850/9000 Network
Configuration Guide for more information.
Note that enabling the binding table functionality is not allowed if Option-82 data insertion is not enabled
at either the switch or VLAN level.
In addition, it is also possible to configure static binding table entries. This type of entry is created using
available ip helper dhcp-snooping binding command parameters to define the static entry. For example,
the following command creates a static DHCP client entry:
-> ip helper dhcp-snooping binding 00:2a:95:51:6c:10 port 1/15 address
17.15.3.10 lease-time 3 vlan 200
To remove a static binding table entry, use the no form of the ip helper dhcp-snooping binding
command. For example:
To view the DHCP Snooping binding table contents, use the show ip helper dhcp-snooping binding
command. See the OmniSwitch CLI Reference Guide for example outputs of this command.
Each time an automatic save is performed, the dhcpBinding.db file is time stamped.
Synchronizing the binding table is only done when this command is used. There is no automatic trigger-
ing of this function. In addition, it is important to note that synchronizing the binding table loads dhcp-
Binding.db file contents into memory. This is the reverse of saving the binding table contents in memory
to the dhcpBinding.db file, which is done at automatic time intervals as defined by the binding table
timeout value. See Configuring the Binding Table Timeout on page 18-20 for more information.
show ip helper Displays the current forward delay time, the maximum number of hops,
the forwarding option (standard or AVLAN only), and each of the
DHCP server IP addresses configured. Also displays the current config-
uration status for the DHCP relay agent information option (Option-82)
and DHCP Snooping features.
show ip helper stats Displays the number of packets the DHCP Relay service has received
and transmitted, the number of packets dropped due to forward delay
and maximum hops violations, and the number of packets processed
since the last time these statistics were displayed.
show ip helper dhcp-snooping Displays a list of VLANs that have DHCP Snooping enabled and
vlan whether or not MAC address verification and Option-82 data insertion
is enabled for each VLAN.
show ip helper dhcp-snooping Displays the DHCP Snooping trust mode for the port and the number of
port packets destined for the port that were dropped due to a DHCP Snoop-
ing violation.
show ip helper dhcp-snooping Displays the contents of the DHCP Snooping binding table (database).
binding
The Virtual Router Redundancy Protocol (VRRP) is a standard router redundancy protocol supported in IP
version 4. It is based on RFC 3768 and provides redundancy by eliminating the single point of failure
inherent in a default route environment.
Note. RFC 3768, which obsoletes RFC 2338, does not include support for authentication types. As a
result, configuring VRRP authentication is no longer supported in this release..
In This Chapter
This chapter describes VRRP and how to configure it through the Command Line Interface (CLI). CLI
commands are used in the configuration examples; for more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
This chapter provides an overview of VRRP and includes information about the following:
Virtual routerssee Creating a Virtual Router on page 19-8.
IP addresses for virtual routerssee Specifying an IP Address for a Virtual Router on page 19-9.
Preempting virtual routerssee Setting Preemption for Virtual Routers on page 19-11.
Verifying the VRRP configurationsee Verifying the VRRP Configuration on page 19-14.
VRRP Specifications
VRRP Defaults
The following table lists the defaults for VRRP configuration through the vrrp command and the relevant
command keywords:
-> vrrp 6 4
The VLAN must already be created on the switch. For information about creating VLANs, see
Chapter 5, Configuring VLANs.
2 Configure an IP address for the virtual router.
3 Repeat steps 1 through 2 on all of the physical switches that will participate in backing up the
address(es) associated with the virtual router.
4 Enable VRRP on each switch.
Note. Optional. To verify the VRRP configuration, enter the show vrrp command.The display is similar
to the one shown here:
VRRP trap generation: Enabled
VRRP startup delay: 45 (expired)
IP Admin Adv
VRID VLAN Address(es) Status Priority Preempt Interval
----+ ----+ -------------+----------+----------+--------+---------
6 4 10.10.2.3 Enabled 100 No 1
For more information about this display, see the OmniSwitch CLI Reference Guide.
VRRP Overview
VRRP allows routers on a LAN to back up a default route. VRRP dynamically assigns responsibility for a
virtual router to a physical router (VRRP router) on the LAN. The virtual router is associated with an IP
address (or set of IP addresses) on the LAN. A virtual router master is elected to forward packets for the
virtual routers IP address. If the master router becomes unavailable, the highest priority backup router will
transition to the master state.
Note. The IP address that is backed up may be the IP address of a physical router, or it may be a virtual IP
address.
The example provided here is intended for understanding VRRP and does not show a configuration that
would be used in an actual network.
VRRP Routers
OmniSwitch A OmniSwitch B
VRID 1
Master 1 Backup 1 Virtual Router
IP A
IP A IP B
default gateway to IP A
client station
In this example, each physical router is configured with a virtual router, VRID 1, which is associated with
IP address A. OmniSwitch A is the master router because it contains the physical interface to which IP
address A is assigned. OmniSwitch B is the backup router. The client is configured with a gateway address
of IP A.
When VRRP is configured on these switches, and both switches are available, OmniSwitch A will respond
to ARP requests for IP address A using the virtual routers MAC address (00:00:5E:00:01:01) instead of
the physical MAC address assigned to the interface. OmniSwitch A will accept packets sent to the virtual
MAC address and forward them as appropriate; it will also accept packets addressed to IP address A (such
as ICMP ping requests).
OmniSwitch B will respond to ARP requests for IP address B using the interfaces physical MAC address.
It will not respond to ARP requests for IP address A or to the virtual router MAC address.
If OmniSwitch A becomes unavailable, OmniSwitch B becomes the master router. OmniSwitch B will
then respond to ARP requests for IP address A using the virtual routers MAC address
(00:00:5E:00:01:01). It will also forward packets for IP address B and respond to ARP requests for IP
address B using the OmniSwitchs physical MAC address. OmniSwitch B, however, cannot accept pack-
ets addressed to IP address A (such as ICMP ping requests).
OmniSwitch B uses IP address B to access the LAN, but IP address B is not backed up. If OmniSwitch B
becomes unavailable, IP address B is unavailable.
Note. A limitation of the OmniSwitch is that a single VRID may only be associated with one VLAN.
Each VRRP router may back up one or more virtual routers. The VRRP router that contains the physical
interfaces to which the virtual router IP addresses are assigned is called the IP address owner. If it is avail-
able, the IP address owner will function as the master router. The master router assumes the responsibility
of forwarding packets sent to the IP addresses associated with the virtual router and answering ARP
requests for these addresses.
To minimize network traffic, only the master router sends VRRP advertisements on the LAN. The IP
address assigned to the physical interface on the current master router is used as the source address in
VRRP advertisements. The advertisements communicate to all VRRP routers the priority and state of the
master router associated with the VRID. The advertisements are IP multicast datagrams sent to the VRRP
multicast address 224.0.0.18 (as determined by the Internet Assigned Numbers Authority).
If a master router becomes unavailable, it stops sending VRRP advertisements on the LAN. The backup
routers know the master is unavailable based on the following algorithm:
Master Down Interval = (3 * Advertisement Interval) + Skew Time
where Advertisement Interval is the time interval between VRRP advertisements, and Skew Time is calcu-
lated based on the VRRP routers priority value as follows:
Skew Time = (256 - Priority) / 256
If backup routers are configured with priority values that are close in value, there may be a timing conflict,
and the first backup to take over may not be the one with the highest priority; a backup with a higher prior-
ity will then preempt the new master. The virtual router may be configured to prohibit any preemption
attempts, except by the IP address owner. An IP address owner, if it is available, will always become
master of any virtual router associated with its IP addresses.
Note. Duplicate IP address/MAC address messages may display when a backup takes over for a master,
depending on the timing of the takeover and the configured advertisement interval. This is particularly true
if more than one backup is configured.
ARP Requests
Each virtual router has a single well-known MAC address, which is used as the MAC address in ARP
replies instead of a VRRP router's physical MAC address. When an end host sends an ARP request to the
master routers IP address, the master router responds to the ARP request using the virtual router MAC
address. If a backup router takes over for the master, and an end host sends an ARP request, the backup
will reply to the request using the virtual router MAC address.
Gratuitous ARP requests for the virtual router IP address or MAC address are broadcast when the
OmniSwitch becomes the master router. For VRRP interfaces, gratuitous ARP requests/responses are
delayed at system boot until both the IP address and the virtual router MAC address are configured.
If an interface IP address is shared by a virtual router, the routing mechanism does not send a gratutitous
ARP for the IP address (since the virtual router will send a gratuitous ARP). This prevents traffic from
being forwarded to the router before its routing tables are stable.
ICMP Redirects
ICMP redirects are not sent out over VRRP interfaces.
VRRP Tracking
A virtual routers priority may be conditionally modified to prevent another router from taking over as
master. Tracking policies are used to conditionally modify the priority setting whenever a slot/port, IP
address and or IP interface associated with a virtual router goes down.
A tracking policy consists of a tracking ID, the value amount used to decrease the priority value, and the
slot/port number, IP address, or IP interface name to be monitored by the policy. The policy is then associ-
ated with one or more virtual routers.
Router Discovery Protocol (RDP)If RDP is enabled on the switch, and VRRP is enabled, RDP will
advertise VLAN IP addresses of virtual routers depending on whether there are virtual routers active on
the LAN, and whether those routers are backups or masters. When there are no virtual routers active on
the VLAN (either acting as master or backup), RDP will advertise all VLAN IP addresses. However, if
virtual routers are active, RDP will advertise IP addresses for any master routers; RDP will not adver-
tise IP addresses for backup routers.
For more information about RDP, see Chapter 17, Configuring RDP.
Configuration Overview
VRRP is part of the base software. At startup, VRRP is loaded onto the switch and is enabled. Virtual
routers must first be configured and enabled as described in the sections. Since VRRP is implemented on
multiple switches in the network, some VRRP parameters must be identical across switches:
VRRP and ACLs
If QoS filtering rules (Access Control Lists) are configured for Layer 3 traffic on a VRRP router, all of
the VRRP routers on the LAN must be configured with the same filtering rules; otherwise the security
of the network will be compromised. For more information about filtering, see Chapter 27, Configur-
ing ACLs.
Conflicting VRRP Parameters Across Switches
All virtual routers with the same VRID on the LAN should be configured with the same advertisement
interval and IP addresses. If the virtual routers are configured differently, it may result in more than one
virtual router acting as the master router. This in turn would result in duplicate IP and MAC address
messages as well as multiple routers forwarding duplicate packets to the virtual router MAC address.
Use the show vrrp statistics command to check for conflicting parameters. For information about
configuring VRRP parameters, see the remaining sections of this chapter.
Preempt mode. By default, preempt mode is enabled. Use no preempt to turn it off, and preempt to
turn it back on. For more information about the preempt mode, see Setting Preemption for Virtual
Routers on page 19-11.
Advertising interval (in seconds). Use the interval keyword with the desired number of seconds for the
delay in sending VRRP advertisement packets. The default is 1 second. See Configuring the Adver-
tisement Interval on page 19-10.
The following example creates a virtual router (with VRID 7) on VLAN 2 with a priority of 75. VRRP
messages will be sent at intervals of 2 seconds:
-> vrrp 7 2 priority 75 no preempt interval 2
Note. All virtual routers with the same VRID on the same LAN should be configured with the same
advertising interval; otherwise the network may produce duplicate IP or MAC address messages.
The vrrp command may also be used to specify whether the virtual router is enabled or disabled (it is
disabled by default). However, the virtual router must have an IP address assigned to it before it can be
enabled. Use the vrrp ip command as described in the next section to specify an IP address or addresses.
For more information about the vrrp command syntax, see the OmniSwitch CLI Reference Guide.
In this example, the vrrp ip command specifies that virtual router 6 on VLAN 4 will be used to backup IP
address 10.10.2.3. The virtual router is then enabled with the vrrp command.
Currently the OmniSwitch does not support multiple IP addresses on a single virtual router. If an
OmniSwitch is the IP address owner for a virtual router, then that address must be assigned to the virtual
router. If the OmniSwitch is configured as a backup for a VRRP router that allows more than one IP
address to be assigned to a virtual router, then multiple addresses may be assigned to the virtual router.
To remove an IP address from a virtual router, use the no form of the vrrp ip command. For example:
-> vrrp 6 4 disable
-> vrrp 6 4 no ip 10.10.2.3
In this example, virtual router 6 is disabled. (A virtual router must be disabled before IP addresses may be
added/removed from the router.) IP address 10.10.2.3 is then removed from the virtual router with the no
form of the vrrp ip command.
In this example, virtual router 6 is disabled. (If you are modifying an existing virtual router, the virtual
router must be disabled before it may be modified.) The vrrp command is then used to set the advertising
interval for virtual router 6 to 5 seconds.
In this example, virtual router 6 is disabled. (If you are modifying an existing virtual router, the virtual
router must be disabled before it may be modified.) The virtual router priority is then set to 50. The prior-
ity value is relative to the priority value configured for other virtual routers backing up the same IP
address. Since the default priority is 100, setting the value to 50 would typically provide a router with
lower priority in the VRRP network.
Note. The virtual router that owns the IP address(es) associated with the physical router always becomes
the master router if is available, regardless of the preempt mode setting and the priority values of the
backup routers.
To disable preemption for a virtual router, use the vrrp command with the no preempt keywords. For
example:
-> vrrp 6 4 disable
-> vrrp 6 4 no preempt
In this example, virtual router 23 is disabled. (If you are modifying an existing virtual router, the virtual
router must be disabled before it may be modified.) The virtual router is then configured to disable
preemption. If this virtual router takes over for an unavailable router, a router with a higher priority will
not be able to preempt it. For more information about priority, see Configuring Virtual Router Priority
on page 19-10.
In this example, a virtual router is created on VLAN 3 with a VRID of 7. An IP address is then assigned to
the virtual router. The virtual router is then enabled on the switch.
To disable a virtual router, use the disable keyword.
-> vrrp 7 3 disable
A virtual router must be disabled before it may be modified. Use the vrrp command to disable the virtual
router first; then use the command again to modify the parameters. For example:
-> vrrp 7 3 disable
-> vrrp 7 3 priority 200
-> vrrp 7 3 enable
In this example, virtual router 7 on VLAN 3 is disabled. The virtual router is then modified to change its
priority setting. (For information about configuring the priority setting, see Configuring Virtual Router
Priority on page 19-10.) The virtual router is then re-enabled and will be active on the switch.
To delete a virtual router, use the no form of the vrrp command with the relevant VRID and VLAN ID.
For example:
-> no vrrp 7 3
Virtual router 7 on VLAN 3 is deleted from the configuration. (The virtual router does not have to be
disabled before you delete it.)
The switch will now wait 75 seconds after a switch reboot before it will be available to take over as master
for another router.
In this example, a tracking policy ID (3) is created and enabled for IP address 20.1.1.3. If this address goes
inactive, a virtual router associated with this track ID will have its priority decremented by 50. Note that
the enable keyword administratively activates the tracking policy, but the policy does not take effect until
it is associated with one or more virtual routers (see the next section).
Note the following:
A virtual router must be administratively disabled before a tracking policy for the virtual router can be
added.
VRRP tracking does not override IP address ownership (the IP address owner will always have prior-
ity to become master, if it is available).
When the virtual router is re-enabled, tracking policy 3 will be used for that virtual router. If VLAN 2
goes down, VRID 6 will have its priority decremented by 50.
A VLAN tracking policy should not be associated with a virtual router on the same VLAN. For example:
-> vrrp 5 2 track-association 3
This configuration is allowed but will not really have an effect. If VLAN 2 goes down, this virtual router
goes down as well and the tracking policy is not applied.
Note. A master and a backup virtual router should not be tracking the same IP address; otherwise, when
the IP address becomes unreachable, both virtual routers will have their priorities decremented, and the
backup may temporarily take over if the master discovers that the IP address is unreachable before the
backup.
Typically you should not configure the same IP address tracking policies on physical VRRP routers that
back up each other; otherwise, the priority will be decremented for both master and backup when the
entity being tracked goes down.
show vrrp Displays the virtual router configuration for all virtual routers or for a
particular virtual router.
show vrrp statistics Displays statistics about VRRP packets for all virtual routers configured
on the switch or for a particular virtual router.
show vrrp track Displays information about tracking policies on the switch.
show vrrp track-association Displays the tracking policies associated with virtual routers.
For more information about the displays that result from these commands, see the OmniSwitch CLI Refer-
ence Guide.
VRID 1
Master 1 Backup 1
10.10.2.250
Virtual Routers
VRID 2
Backup 2 Master 2
10.10.2.245
10.10.2.250 10.10.2.254
VLAN 5
Note. The same VRRP configuration must be set up on each switch. The VRRP router that contains, or
owns, the IP address will automatically become the master for that virtual router. If the IP address is a
virtual address, the virtual router with the highest priority will become the master router.
In this scenario, the master of VRID 1 will respond to ARP requests for IP address A using the virtual
router MAC address for VRID 1 (00:00:5E:00:01:01). OmniSwitch 1 is the master for VRID 1 since it
contains the physical interface to which 10.10.2.3 is assigned. If OmniSwitch A should become unavail-
able, OmniSwitch B will become master for VRID 1.
In the same way, the master of VRID 2 will respond to ARP requests for IP address B using the virtual
router MAC address for VRID 2 (00:00:5E:00:01:02). OmniSwitch B is the master for VRID 2 since it
contains the physical interface to which 10.10.2.245 is assigned. If OmniSwitch B should become unavail-
able, OmniSwitch A will become master for 10.10.2.245. This configuration provides uninterrupted
service for the end hosts.
VRID 1
Master 1 Backup 1
10.10.2.250
Virtual Routers
VRID 2
Backup 2 Master 2
10.10.2.245
10.10.2.210 10.10.2.215
VLAN 5
In this example, the master for virtual router 1 has a priority of 100 and the backup for virtual router 1 has
a priority of 75. The virtual router configuration for VRID 1 on VRRP router A is as follows:
-> vrrp 1 5 priority 100
To ensure workstation clients 1 and 2 have connectivity to the internet, configure a tracking policy on
VRRP router A to monitor port 3/1 and associate the policy with VRID 1.
-> vrrp track 1 enable priority 50 port 3/1
-> vrrp 1 5 track-association 1
If port 3/1 on VRRP router A goes down, the master for virtual router A is still functioning but worksta-
tion clients 1 and 2 will not be able to get to the Internet. With this tracking policy enabled, however,
master router 1s priority will be temporarily decremented to 50, allowing backup router 1 to take over and
provide connectivity for those workstations. When port 3/1 on VRRP router A comes back up, master 1
will take over again.
Note. The preempt option must be enabled on virtual router 1; otherwise the original master will not be
able to take over. See Setting Preemption for Virtual Routers on page 19-11 for more information about
enabling preemption.
The Internet Packet Exchange (IPX) protocol, developed by Novell for NetWare, is a Layer 3 protocol
used to route packets through IPX networks. (NetWare is Novells network server operating system.)
In This Chapter
This chapter describes IPX and how to configure it through the Command Line Interface (CLI). It includes
instructions for configuring IPX routing and fine-tuning IPX by using optional IPX configuration parame-
ters (e.g., IPX packet extension and type-20 propagation). It also details IPX filtering, which is used to
control the operation of the IPX RIP/SAP protocols. CLI commands are used in the configuration exam-
ples; for more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
This chapter provides an overview of IPX and includes information about the following procedures:
IPX Routing
Enabling IPX Routing (see page 20-6)
Creating an IPX Router Port (see page 20-6)
Configuring an IPX Router Port (see page 20-7)
Creating/Deleting a Default Route (see page 20-7)
Creating/Deleting Static Routes (see page 20-8)
Configuring Type-20 Packet Forwarding (see page 20-8)
Configuring Extended RIP/SAP Packets (see page 20-9)
Configuring RIP/SAP Timers (see page 20-9)
Using the Ping Command (see page 20-10)
IPX RIP/SAP Filtering
Configuring Routing Information Protocol (RIP) Filters (see page 20-12)
Configuring Service Address Protocol (SAP) Filters (see page 20-12)
Configuring Get Next Server (GNS) Filters (see page 20-13)
Flushing the IPX RIP/SAP Tables (see page 20-14)
IPX Specifications
Specifications Supported IPX RIP and Service Advertising Protocol (SAP) router
specification; version 1.30; May 23, 1996 Part No. 107-
000029-001
IPX Defaults
The following table lists the defaults for IPX configuration through the ipx command.
1 Create VLAN 1 with a description (e.g., VLAN 1) by using the vlan command. For example:
2 Create VLAN 2 with a description (e.g., VLAN 2) by using the vlan command. For example:
3 Assign an active port to VLAN 1 by using the vlan port default command. For example, the follow-
ing command assigns port 1 on slot 1 to VLAN 1:
-> vlan 1 port default 1/1
4 Assign an active port to VLAN 2 by using the vlan port default command. For example, the follow-
ing command assigns port 2 on slot 1 to VLAN 2:
-> vlan 2 port default 1/2
5 Create an IPX router port on VLAN 1 by using the vlan router ipx command. For example:
6 Create an IPX router port on VLAN 2 by using the vlan router ipx command. For example:
Note. For more information on VLANs and router ports, see Chapter 5, Configuring VLANs.
IPX Overview
IPX specifies a connectionless datagram similar to the IP packet of TCP/IP networks. An IPX network
address consists of two parts, a network number and a node number. The IPX network number is assigned
by the network administrator. The node number is the Media Access Control (MAC) address for a network
interface in the end node.
IPX exchanges information by using its own version of RIP, which sends updates every 60 seconds.
NetWare also supports SAP to allow network resources, including file and print servers, to advertise their
network addresses and the services they provide. The user can also define routes. These routes, called
static routes, have higher priority than routes learned through RIP.
When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However,
to route packets between VLANs, you must create an IPX router port on each VLAN. In the illustration
below, a router port has been configured on each VLAN. Therefore, workstations connected to ports on
VLAN 1 on Switch 1 can communicate with VLAN 2; and workstations connected to ports on VLAN 3 on
Switch 2 can communicate with VLAN 2. Also, ports from both switches have been assigned to VLAN 2,
and a physical connection has been made between the switches. Therefore, workstations connected to
VLAN 1 on Switch 1 can communicate with workstations connected to VLAN 3 on Switch 2.
Switch 1 Switch 2
TM
OmniSwitch 9700 TM
OmniSwitch 9700
Physical
VLAN 1 VLAN 2 Connection VLAN 2 VLAN 3
00000111 00000222 00000222 00000333
Network Network
111 333
68:27:43:29:00:00 53:45:72:30:00:00
22:45:67:87:00:00 41:57:67:36:00:00
IPX Routing
In IPX routing, the switch builds routing tables to keep track of optimal destinations for traffic it receives
that is destined for remote IPX networks. The switch sends and receives routing messages or advertise-
ments to/from other switches in the network. When the switch receives an IPX packet, it looks up the
destination network number in its routing table. If the network is directly connected to the switch, the
switch also checks the destination node address.
IPX is associated with additional protocols built into the switch software. The switch supports the follow-
ing IPX protocols:
IPX RIPLayer 3 protocol used by NetWare routers to exchange IPX routing information. IPX RIP
functions similarly to IP RIP. IPX RIP uses two metrics to calculate the best route, hop count and ticks.
An IPX router periodically transmits packets containing the information currently in its own routing
table to neighboring IPX RIP routers to advertise the best route to an IPX destination.
SAPLayer 3 protocol used by NetWare routers to exchange IPX routing information. SAP is similar
in concept to IPX RIP. Just as RIP enables NetWare routers to exchange information about routes, SAP
enables NetWare devices to exchange information about available network services. NetWare worksta-
tions use SAP to obtain the network addresses of NetWare servers. IPX routers use SAP to gather
service information and then share it with other IPX routers.
Sequenced Packet Exchange (SPX)Transport-layer protocol that provides a reliable end-to-end
communications link by managing packet sequencing and delivery. SPX does not play a direct role in
IPX routing; it simply guarantees the delivery of routed packets.
IPX Routing
When IPX is enabled, devices connected to ports on the same VLAN are able to communicate. However,
to route packets to a device on a different VLAN, you must create an IPX router port on each VLAN.
Note. If fewer than eight hex digits are entered for an IPX network number, the entry is automatically
prefixed with zeros to equal eight digits.
Use the no vlan router ipx command to remove an IPX router port from the VLAN. For example, to
remove an IPX router port on VLAN 1 with an IPX address of 1000590C, you would enter:
-> no vlan 1 router ipx 1000590C
Use the show ipx interface command to display current IPX interface information.
Note. Router port IPX addresses must be unique. You cannot have two router ports with the same IPX
address.
Routing Type
By default, both RIP and SAP packets are processed (active). However, additional configurations can be
used:
active. RIP and SAP updates are processed (default).
inactive. RIP and SAP updates are not processed, but the router port remains active.
Encapsulation Type
Ethernet 2 encapsulation is the default encapsulation type. However, other types can be configured:
e2. Ethernet 2 encapsulation (default)
Delay
To configure the IPX delay, enter the syntax timeticks and specify the number of ticks for IPX delay time.
A tick is approximately 1/18th of a second. The valid range is 065535. The default is 0.
For example, to configure IPX router port 1000590C on VLAN 1 to process only RIP packets with a delay
of 10 you would enter:
-> vlan 1 router ipx 1000590C rip timeticks 10
For more information on optional command syntax see Chapter 20, VLAN Management Commands in
the OmniSwitch CLI Reference Guide. For more information on VLANs and configuring router ports, see
Chapter 5, Configuring VLANs.
The IPX network number is required. You can also enter the VLAN number of the first hop. For example,
to configure a default route by using VLAN 1 on the 222 network you would enter:
-> ipx default-route 1 222
The network node is only required if the default network is directly connected to the switch. For example,
to create a default route to network 222 (which is directly attached to the switch) you would enter:
-> ipx default-route 222 00:20:da:99:88:77
Use the no ipx default-route command to delete a default route. For example, to delete a default route by
using the 222 network as a first hop you would enter:
-> no ipx default-route 222
Use the show ipx default-route command to display IPX default routes.
Static routes do not age out of the routing tables; however, they can be deleted. Use the no ipx route
command to delete a static route. To delete a static route, you only need to enter the network number of
the destination node. For example, to delete a static route to network 222 you would enter:
-> no ipx route 222
You can also enable or disable Type 20 packet forwarding on a specific VLAN by using the optional
VLAN parameter. For example, to enable Type 20 packet forwarding only on VLAN 1 you would enter:
-> ipx type-20-propagation 1 enable
Use the show ipx type-20-propagation command to display Type 20 packet forwarding status for the
switch.
You can also enable or disable extended RIP/SAP packets on a specific VLAN by using the optional
VLAN parameter. For example, to enable extended RIP/SAP packets only on VLAN 1 you would enter:
-> ipx packet-extension 1 enable
Use the show ipx packet-extension command to display extended RIP/SAP packet status for the switch.
Use the no ipx timers command to return the timer values to the default of 60.
You can set the RIP/SAP timers on a specific VLAN by using the optional VLAN parameter. For exam-
ple, to set a RIP timer value of 120 and a SAP timer value of 180 on VLAN 1 you would enter:
-> ipx timers 1 120 180
Use the show ipx timers command to display the current RIP/SAP timer values.
Network devices that do not recognize the specific type of IPX ping request sent from the switch will not
respond at all. This lack of a response does not necessarily mean that a specific network device is inactive
or missing. Therefore, you might want to try using both types before concluding that the network device is
unreachable.
Use the ping ipx command to ping an IPX node. Enter the command, followed by the network and
network node number of the device you want to ping. The packet will use the default parameters for count
(5), size (64), time-out (1), and type (novell). For example, to ping an IPX device (node
00:20:da:05:16:94) on IPX network 304 you would enter:
-> ping ipx 304 00:20:da:05:16:94
When you ping a device, the device IPX address and node are required. Optionally, you may also specify:
Count. Use the count keyword to set the number of packets to be transmitted.
Size. Use the size keyword to set the size, in bytes, of the data portion of the packet sent for this ping.
The valid range is 1 to 8192.
Timeout. Use the timeout keyword to set the number of seconds the program will wait for a response
before timing out.
Type. Use the type keyword to specify the packet type you want to send (novell or alcatel). Use the
novell packet type to test the reachability of NetWare servers running the NetWare Loadable Module
(IPXRTR.NLM). This type cannot be used to reach NetWare workstations running IPXODI. You can
use the alcatel packet type to test the reachability of the Alcatel switches on which IPX routing is
enabled. However, Alcatel switches will respond to either type.
For example, to send a ping with a count of 2, a size of 32 bytes, a time-out of 10 seconds, that is an alca-
tel type packet you would enter:
-> ping ipx 304 00:20:da:05:16:94 count 2 size 32 timeout 10 type alcatel
Note. If you change the default values they will only apply to the current ping. The next time you use the
ping command, the default values will be used unless you enter different values again.
All types of IPX Filters can be configured either to allow or to block traffic. The default setting for all
filters is to allow traffic. Therefore, you will typically have to define only a filter to block traffic.
However, defining a filter to allow certain traffic may be useful in situations where a more generic filter
has been defined to block the majority of the traffic. For example, you could use a filter to allow traffic
from a specific host on a network where all other traffic has been blocked. A discussion of the precedence
of allow filters appears later in this section. Keep in mind that precedence applies only to allow filters,
not to block filters.
Note. You can apply filters to all router interfaces by defining a global filter, or you can limit the filter
to specific interfaces.
You can narrow the filter by specifying a VLAN. For example, to create a filter that will block all the
incoming RIP packets from VLAN 1 you would enter:
-> ipx filter 1 rip in block
You can also narrow the filter by specifying a network. You must enter the network number and the
network mask. For example, to create a filter that will block the incoming RIP packets from network 40
and its subnets you would enter:
-> ipx filter rip in block 40 mask ffffffff
Use the no ipx rip filter command to delete a RIP filter. For example, to delete a global RIP filter that was
configured to block incoming RIP packets you would enter:
-> no ipx filter rip in block
Use the optional syntax to delete a filter for a specific VLAN or network. If you are deleting the filter for a
specific network you can also enter the network mask. To delete a filter from all VLANs/networks, use
only the basic command syntax (e.g., no ipx filter rip in allow).
Use the show ipx filter command to display all IPX filters.
Note. RIP filters work only on switches running the RIP protocol. They do not work on switches running
the NLSP protocol. Use RIP filters with care because they can partition a physical network into two or
more segments.
You can narrow the filter by specifying a VLAN and a SAP type. For example, to create a filter that will
block 0004 (NetWare File Server) SAP updates from being sent to VLAN 1 you would enter:
-> ipx filter 1 sap 0004 out block
You can also narrow the filter by specifying a network. You must enter the network number and the
network mask. For example, to create a filter that will block 0004 SAP updates from being sent to network
222 and its subnets you would enter:
-> ipx filter sap 0004 out block 222 mask ffffffff
Use the no ipx sap filter command to delete a SAP filter. For example, to delete a global SAP filter that
was configured to block incoming SAP packets you would enter:
-> no ipx filter sap in block
Use the optional syntax to delete a filter for a specific VLAN or network. If you are deleting the filter for a
specific network, you can also enter the network mask. To delete a filter from all VLANs/networks, use
only the basic command syntax (e.g., no ipx filter sap in allow).
Use the show ipx filter command to display all IPX filters.
You can narrow the filter by specifying a VLAN. For example to block all GNS updates sent to VLAN 1
you would enter:
-> ipx filter 1 gns all out block
You can also narrow the filter by specifying a network. You must enter the network number and the
network mask. For example, to create a filter that will block updates sent to network 222 and its subnets
you would enter:
-> ipx filter gns all out block 222 mask ffffffff
Use the no ipx gns filter command to delete a GNS filter. For example, to delete a global GNS filter that
was configured to block all GNS updates you would enter:
-> no ipx filter gns all out block
Use the show ipx filter command to display all IPX filters.
Use the show ipx route command to display the IPX RIP Routing Table.
For more information about the displays that result from these commands, see the OmniSwitch CLI Refer-
ence Guide.
This chapter describes authentication servers and how they are used with the switch. The types of servers
described include Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access
Protocol (LDAP), and SecurIDs ACE/Server.
In This Chapter
The chapter includes some information about attributes that must be configured on the servers, but it
primarily addresses configuring the switch through the Command Line Interface (CLI) to communicate
with the servers to retrieve authentication information about users.
Configuration procedures described include:
Configuring an ACE/Server. This procedure is described in ACE/Server on page 21-8.
Configuring a RADIUS Server. This procedure is described in RADIUS Servers on page 21-9.
Configuring an LDAP Server. This procedure is described in LDAP Servers on page 21-15.
For information about using servers for authenticating users to manage the switch, see the Switch Secu-
rity chapter in the OmniSwitch 6800/6850/9000 Switch Management Guide.
For information about using servers to retrieve authentication information for Layer 2 Authentication users
(authenticated VLANs), see Chapter 22, Configuring Authenticated VLANs.
RADIUS RFCs Supported RFC 2865Remote Authentication Dial In User Service (RADIUS)
RFC 2866RADIUS Accounting
RFC 2867RADIUS Accounting Modifications for Tunnel Proto-
col Support
RFC 2868RADIUS Attributes for Tunnel Protocol Support
RFC 2809Implementation of L2TP Compulsory Tunneling via
RADIUS
RFC 2869RADIUS Extensions
RFC 2548Microsoft Vendor-specific RADIUS Attributes
RFC 2882Network Access Servers Requirements: Extended
RADIUS Practices
LDAP RFCs Supported RFC 1789Connectionless Lightweight X.5000 Directory Access
Protocol
RFC 2247Using Domains in LDAP/X.500 Distinguished Names
RFC 2251Lightweight Directory Access Protocol (v3)
RFC 2252Lightweight Directory Access Protocol (v3): Attribute
Syntax Definitions
RFC 2253Lightweight Directory Access Protocol (v3): UTF-8
String Representation of Distinguished Names
RFC 2254The String Representation of LDAP Search Filters
RFC 2256A Summary of the X.500(96) User Schema for Use
with LDAPv3
Other RFCs RFC 2574User-based Security Model (USM) for version 3 of the
Simple Network Management Protocol (SNMPv3)
RFC 2924Accounting Attributes and Record Formats
RFC 2975Introduction to Accounting Management
RFC 2989Criteria for Evaluating AAA Protocols for Network
Access
Maximum number of authentication 4 (not including any backup servers)
servers in single authority mode
Maximum number of authentication 4 per VLAN (not including any backup servers)
servers in multiple authority mode
Maximum number of servers per 4 (not including any backup servers)
Authenticated Switch Access type
CLI Command Prefix Recognition The aaa radius-server and aaa ldap-server commands support
prefix recognition. See the Using the CLI chapter in the
OmniSwitch 6800/6850/9000 Switch Management Guide for more
information.
Server Defaults
The defaults for authentication server configuration on the switch are listed in the tables in the next
sections.
* The port defaults are based on the older RADIUS standards; some servers are set up with port numbers
based on the newer standards (ports 1812 and 1813 respectively).
2 Use the aaa radius-server and/or the aaa ldap-server command to configure the authentication
server(s). For example:
-> aaa radius-server rad1 host 10.10.2.1 10.10.3.5 key amadeus
-> aaa ldap-server ldap2 host 10.10.3.4 dn cn=manager password tpub base c=us
Note. (Optional) Verify the server configuration by entering the show aaa server command. For example:
-> show aaa server
Server name = rad1
Server type = RADIUS,
IP Address 1 = 10.10.2.1,
IP Address 2 = 10.10.3.5
Retry number = 3,
Timeout (in sec) = 2,
Authentication port = 1645,
Accounting port = 1646
Server name = ldap2
Server type = LDAP,
IP Address 1 = 10.10.3.4,
Port = 389,
Domain name = cn=manager,
Search base = c=us,
Retry number = 3,
Timeout (in sec) = 2,
See the CLI Reference Guide for information about the fields in this display.
3 If you are using ACE/Server, there is no required switch configuration; however, you must FTP the
sdconf.rec file from the server to the switchs /network directory.
4 Configure authentication on the switch. This step is described in other chapters. For a quick overview
of using the configured authentication servers with Authenticated VLANs, see AVLAN Configuration
Overview on page 22-4. For a quick overview of using the configured authentication servers with
Authenticated Switch Access, see the OmniSwitch 6800/6850/9000 Switch Management Guide.
Server Overview
Authentication servers are sometimes refered to as AAA servers (authentication, authorization, and
accounting). These servers are used for storing information about users who want to manage the switch
(Authenticated Switch Access) and users who need access to a particular VLAN or VLANs (Authenti-
cated VLANs).
RADIUS or LDAP servers may be used for Authenticated Switch Access and/or Authenticated VLANs.
Another type of server, SecurIDs ACE/Server, may be used for authenticated switch access only; the
ACE/Server is an authentication-only server (no authorization or accounting). Only RADIUS servers are
supported for 802.1X Port-Based Network Access Control.
The following table describes how each type of server may be used with the switch:
A RADIUS server supporting the challenge and response mechanism as defined in RADIUS RFC 2865
may access an ACE/Server for authentication purposes. The ACE/Server is then used for user authentica-
tion, and the RADIUS server is used for user authorization.
privileges
and receives login and privi- for login information, and
lege information about the OmniSwitch checks the switch for privi- OmniSwitch
user. lege information.
Authenticated VLANs
For authenticated VLANs, authentication servers contain a database of user names and passwords, chal-
lenges/responses, and other authentication criteria such as time-of-day access. The Authenticated VLAN
attribute is required on servers set up in multiple authority mode.
Servers may be configured using one of two different modes, single authority mode or multiple authority
mode. The mode specifies how the servers are set up for authentication: single authority mode uses a
single list (an authentication server and any backups) to poll with authentication requests. Multiple author-
ity mode uses multiple lists, one list for each authenticated VLAN. For more information about authority
modes and Authenticated VLANs, see Chapter 22, Configuring Authenticated VLANs.
OmniSwitch
Authentication
Authenticator PAE
Server
Supplicant
authentication
login request request
authorization
PC OmniSwitch granted
RADIUS server
For more information about configuring 802.1X ports on the switch, see Chapter 23, Configuring
802.1X.
ACE/Server
An external ACE/Server may be used for authenticated switch access. It cannot be used for Layer 2
authentication or for policy management. Attributes are not supported on ACE/Servers. These values must
be configured on the switch through the user commands. See the Switch Security chapter of the
OmniSwitch 6800/6850/9000 Switch Management Guide for more information about setting up the local
user database.
Since an ACE/Server does not store or send user privilege information to the switch, user privileges for
Secur/ID logins are determined by the switch. When a user attempts to log into the switch, the user ID and
password is sent to the ACE/Server. The server determines whether the login is valid. If the login is valid,
the user privileges must be determined. The switch checks its user database for the users privileges. If the
user is not in the database, the switch uses the default privilege, which is determined by the default user
account. For information about the default user account, see the Switch Security chapter of the
OmniSwitch 6800/6850/9000 Switch Management Guide.
There are no server-specific parameters that must be configured for the switch to communicate with an
attached ACE/Server; however, you must FTP the sdconf.rec file from the server to the switchs
/network directory. This file is required so that the switch will know the IP address of the ACE/Server.
For information about loading files onto the switch, see the OmniSwitch 6800/6850/9000 Switch Manage-
ment Guide.
The ACE client in the switch is version 4.1; it does not support the replicating and locking feature of ACE
5.0, but it may be used with an ACE 5.0 server if a legacy configuration file is loaded on the server. The
legacy configuration must specify authentication to two specific servers (master and slave). See the RSA
Security ACE/Server documentation for more information.
To display information about any servers configured for authentication, use the show aaa server
command. For more information about the output for this command, see the OmniSwitch CLI Reference
Guide.
Also, you may need to clear the ACE/Server secret occasionally because of misconfiguration or required
changes in configuration. Clearing the secret is described in the next section.
When you clear the secret on the switch, the secret must also be cleared on the ACE/Server as described
by the RSA Security ACE/Server documentation.
RADIUS Servers
RADIUS is a standard authentication and accounting protocol defined in RFC 2865 and RFC 2866. A
built-in RADIUS client is available in the switch. A RADIUS server that supports Vendor Specific
Attributes (VSAs) is required. The Alcatel attributes may include VLAN information, time-of-day, or
slot/port restrictions.
Standard Attributes
The following tables list RADIUS server attributes 139 and 6063, their descriptions, and whether the
Alcatel RADIUS client in the switch supports them. Attribute 26 is for vendor-specific information and is
discussed in Vendor-Specific Attributes for RADIUS on page 21-11. Attributes 4059 are used for
RADIUS accounting servers and are listed in RADIUS Accounting Server Attributes on page 21-13.
The Alcatel-Auth-Group attribute is used for Ethernet II only. If a different protocol, or more than one
protocol is required, use the Alcatel-Auth-Group-Protocol attribute instead. For example:
Alcatel-Auth-Group-Protocol 23: IP_E2 IP_SNAP
Alcatel-Auth-Group-Protocol 24: IPX_E2
In this example, authenticated users on VLAN 23 may use Ethernet II or SNAP encapsulation. Authenti-
cated users on VLAN 24 may use IPX with Ethernet II.
Note. For more information about configuring users on the switch, see the Switch Security chapter in
the OmniSwitch 6800/6850/9000 Switch Management Guide.
The following table lists the VSAs supported for RADIUS accounting servers. The attributes in the
radius.ini file may be modified if necessary.
When creating a new server, at least one host name or IP address (specified by the host keyword) is
required as well as the shared secret (specified by the key keyword).
In this example, the server name is rad1, the host address is 10.10.2.1, the backup address is 10.10.3.5,
and the shared secret is amadeus. Note that the shared secret must be configured exactly the same as on
the server.
-> aaa radius-server rad1 host 10.10.2.1 10.10.3.5 key amadeus
To modify a RADIUS server, enter the server name and the desired parameter to be modified.
-> aaa radius-server rad1 key mozart
If you are modifying the server and have just entered the aaa radius-server command to create or modify
the server, you can use command prefix recognition. For example:
-> aaa radius-server rad1 retransmit 5
-> timeout 5
For information about server defaults, see Server Defaults on page 21-3.
To remove a RADIUS server, use the no form of the command:
-> no aaa radius-server rad1
LDAP Servers
Lightweight Directory Access Protocol (LDAP) is a standard directory server protocol. The LDAP client
in the switch is based on several RFCs: 1798, 2247, 2251, 2252, 2253, 2254, 2255, and 2256. The proto-
col was developed as a way to use directory services over TCP/IP and to simplify the directory access
protocol (DAP) defined as part of the Open Systems Interconnection (OSI) effort. Originally it was a
front-end for X.500 DAP.
The protocol synchronizes and governs the communications between the LDAP client and the LDAP
server. The protocol also dictates how its databases of information, which are normally stored in hierarchi-
cal form, are searched, from the root directory down to distinct entries.
In addition, LDAP has its own format that permits LDAP-enabled Web browsers to perform directory
searches over TCP/IP.
2 Copy the relevant schema LDIF files from the Alcatel software CD to the configuration directory on
the server. (Each server type has a command line tool or a GUI tool for importing LDIF files.) Database
LDIF files may also be copied and used as templates. The schema files and the database files are specific
to the server type. The files available on the Alcatel software CD include the following:
aaa_schema.microsoft.ldif
aaa_schema.netscape.ldif
aaa_schema.novell.ldif
aaa_schema.openldap.schema
aaa_schema.sun.ldif
aaa_database.microsoft.ldif
aaa_database.netscape.ldif
aaa_database.novell.ldif
aaa_database.openldap.ldif
aaa_database.sun.ldif
3 After the server files have been imported, restart the server.
Information in the server files must match information configured on the switch through the
aaa ldap-server command. For example, the port number configured on the server must be the same as
the port number configured on the switch. See Configuring the LDAP Authentication Client on
page 21-25 for information about using this command.
entries definition
dn: <distinguished name> Defines the DN (required).
objectClass: top Defines top object class (at least one is required). Object
class defines the list of attributes required and allowed in
directory server entries.
objectClass: organizationalUnit Specifies that organizational unit should be part of the
object class.
ou: <organizationalUnit name> Defines the organizational units name.
<list of attritbutes> Defines the list of optional entry attributes.
Common Entries
The most common LDIF entries describe people in companies and organizations. The structure for such an
entry might look like the following:
dn: <distinguished name>
objectClass: top
objectClass: person
objectClass: organizational Person
cn: <common name>
sn: <surname>
<list of optional attributes>
This is how the entry would appear with actual data in it.
dn: uid=yname, ou=people, o=yourcompany
objectClass: top
objectClass: person
objectClass: organizational Person
cn: your name
sn: last name
givenname: first name
uid: yname
ou: people
description:
<list of optional attributes>
...
Directory Entries
Directory entries are used to store data in directory servers. LDAPenabled directory entries contain infor-
mation about an object (person, place, or thing) in the form of a Distinguished Name (DN) that should be
created in compliance with the LDAP protocol naming conventions.
Distinguished names are constructed from Relative Distinguished Names (RDNs), related entries that
share no more than one attribute value with a DN. RDNs are the components of DNs, and DNs are string
representations of entry names in directory servers.
Distinguished names typically consist of descriptive information about the entries they name, and
frequently include the full names of individuals in a network, their email addresses, TCP/IP addresses,
with related attributes such as a department name, used to further distinguish the DN. Entries include one
or more object classes, and often a number of attributes that are defined by values.
Object classes define all required and optional attributes (a set of object classes is referred to as a
schema). As a minimum, every entry must include the DN and one defined object class, like the name of
an organization. Attributes required by a particular object class must also be defined. Some commonly
used attributes that comprise a DN include the following:
Country (c), State or Province (st), Locality (l),
Organization (o), Organization Unit (ou),
and Common Name (cn)
Although each attribute would necessarily have its own values, the attribute syntax determines what kind
of values are allowed for a particular attribute, e.g., (c=US), where country is the attribute and US is the
value. Extra consideration for attribute language codes will be necessary if entries are made in more than
one language.
Entries are usually based on physical locations and established policies in a Directory Information Tree
(DIT); the DN locates an entry in the hierarchy of the tree. Alias entries pointing to other entries can also
be used to circumvent the hierarchy during searches for entries.
Once a directory is set up, DN attributes should thereafter be specified in the same order to keep the direc-
tory paths consistent. DN attributes are separated by commas as shown in this example:
cn=your name, ou=your function, o= your company, c=US
As there are other conventions used, please refer to the appropriate RFC specification for further details.
In addition to managing attributes in directory entries, LDAP makes the descriptive information stored in
the entries accessible to other applications. The general structure of entries in a directory tree is shown in
the following illustration. It also includes example entries at various branches in the tree.
ROOT
dn=c=US
c=Canada c=US
dn=o=your company,c=US
Directory Searches
DNs are always the starting point for searches unless indicated otherwise in the directory schema.
Searches involve the use of various criteria including scopes and filters which must be predefined, and
utility routines, such as Sort. Searches should be limited in scope to specific durations and areas of the
directory. Some other parameters used to control LDAP searches include the size of the search and
whether to include attributes associated with name searches.
Base objects and scopes are specified in the searches, and indicate where to search in the directory. Filters
are used to specify entries to select in a given scope. The filters are used to test the existence of object
class attributes, and enable LDAP to emulate a read of entry listings during the searches. All search pref-
erences are implemented by means of a filter in the search. Filtered searches are based on some compo-
nent of the DN.
Directory Modifications
Modifications to directory entries contain changes to DN entry attribute values, and are submitted to the
server by an LDAP client application. The LDAP-enabled directory server uses the DNs to find the entries
to either add or modify their attribute values.
Attributes are automatically created for requests to add values if the attributes are not already contained in
the entries.
All attributes are automatically deleted when requests to delete the last value of an attribute are submitted.
Attributes can also be deleted by specifying delete value operations without attaching any values.
Modified attribute values are replaced with other given values by submitting replace requests to the server,
which then translates and performs the requests.
components description
<ldap> Specifies TCP/IP connection for LDAP protocol. (The <ldaps>
prefix specifies SSL connection for LDAP protocol.)
<hostname> Host name of directory server or computer, or its IP address (in dot-
ted decimal format).
<port> TCP/IP port number for directory server. If using TCP/IP and
default port number (389), port need not be specified in the URL.
SSL port number for directory server (default is 636).
components description
<base_dn> DN of directory entry where search is initiated.
<attributes> Attributes to be returned for entry search results. All attributes are
returned if search attributes are not specified.
<scope> Different results are retrieved depending on the scopes associated
with entry searches.
Change Password
Password History
Account Lockout
LDAP Error Messages (e.g., Invalid Username/Password, Server Data Error, etc.)
For instructions on installing LDAP-enabled directory servers, refer to the vendor-specific instructions.
Note. Server schema extensions should be configured before the aaa ldap-server command is configured.
attribute description
bop-asa-func-priv-read-1 Read privileges for the user.
bop-asa-func-priv-read-2 Read privileges for the user.
bop-asa-func-priv-write-1 Write privileges for the user.
bop-asa-func-priv-write-2 Write privileges for the user.
bop-asa-allowed-access Whether the user has access to configure the switch.
bop-asa-snmp-level-security Whether the user may have SNMP access, and the
type of SNMP protocol used.
bop-shakey A key computed from the user password with the
alp2key tool.
bop-md5key A key computed from the user password with the
alp2key tool.
allowedtime The periods of time the user is allowed to log into the
switch.
switchgroups The VLAN ID and protocol (IP_E2, IP_SNAP,
IPX_E2, IPX_NOV, IPX_LLC, IPX_SNAP).
For more information about configuring users on the switch, see the Switch Security chapter of the
OmniSwitch 6800/6850/9000 Switch Management Guide.
An example using the alp2key tool to compute the SHA and MD5 keys for mypassword:
ors40595{}128: alp2key mypassword
bop-shakey: 0xb1112e3472ae836ec2b4d3f453023b9853d9d07c
bop-md5key: 0xeb3ad6ba929441a0ff64083d021c07f1
ors40595{}129:
Note. The bop-shakey and bop-md5key values must be recomputed and copied to the server any time a
users password is changed.
AccountStartTime
User account start times are tracked in the AccountStartTime attribute of the users directory entry that
keeps the time stamp and accounting information of user log-ins. The following fields (separated by
carriage returns |) are contained in the Login log. Some fields are only used for Layer 2 Authentication.
Fields Included For Any Type of Authentication
User account ID or username client entered to log-in: variable length digits.
Switch VLAN number client joins in multiple authority mode (0=single authority; 2=multiple author-
ity); variable-length digits.
Switch slot number to which client connects: nn
AccountStopTime
User account stop times are tracked in the AccountStopTime attribute that keeps the time stamp and
accounting information of successful user log-outs. The same fields as above (separated by carriage
returns |) are contained in the Logout log. A different carriage return such as the # sign may be used in
some situations. Additionally, these fields are included but apply only to the Logout log:
Fields For Any Type of Authentication
Log-out reason code, for example LOGOFF(18) or DISCONNECTED BY ADMIN(19)
AccountFailTime
The AccountFailTime attribute log records the time stamp and accounting information of unsuccessful
user log-ins. The same fields in the Login Logwhich are also part of the Logout log (separated by
carriage returns |)are contained in the Login Fail log. A different carriage return such as the # sign
may be used in some situations. Additionally, these fields are included but apply only to the Login Fail
log.
User account ID or username client entered to log-in: variable length digits.
Log-in fail error code: nn. For error code descriptions refer to the vendor-specific listing for the
specific directory server in use.
Log-out reason code, for example PASSWORD EXPIRED(7) or AUTHENTICATION FAILURE(21)
Dynamic Logging
Dynamic logging may be performed by an LDAP-enabled directory server if an LDAP server is config-
ured first in the list of authentication servers configured through the the aaa accounting vlan or aaa
accounting session command. Any other servers configured are used for accounting (storing history
records) only. For example:
-> aaa accounting session ldap2 rad1 rad2
In this example, server ldap2 will be used for dynamic logging, and servers rad1 and rad2 will be used
for accounting.
If you specify a RADIUS server first, all of the servers specified will be used for recording history records
(not logging). For example:
-> aaa accounting session rad1 ldap2
In this example, both the rad1 and ldap2 servers will be used for history only. Dynamic logging will not
take place on the LDAP server.
Dynamic entries are stored in the LDAP-enabled directory server database from the time the user success-
fully logs in until the user logs out. The entries are removed when the user logs out.
Entries are associated with the switch the user is logged into.
Each dynamic entry contains information about the users connection. The related attribute in the
server is bop-loggedusers.
A specific object class called alcatelBopSwitchLogging contains three attributes as follows:
Attribute Description
bop-basemac MAC range, which uniquely identifies the switch
bop-switchname Host name of the switch.
bop-loggedusers Current activity records for every user logged
onto the switch identified by bop-basemac.
Each switch that is connected to the LDAP-enabled directory server will have a DN starting with bop-
basemac-xxxxx, ou=bop-logging. If the organizational unit ou=bop.logging exists somewhere in the tree
under searchbase, logging records are written on the server. See the server manufacturers documentation
for more information about setting up the server.
For example:
ASA 0 : CONSOLE IP 65.97.233.108 Jones
Note. The server should be configured with the appropriate schema before the aaa ldap-server command
is configured.
The keywords for the aaa ldap-server command are listed here:
In this example, the switch will be able to communicate with an LDAP server (called ldap2) that has an IP
address of 10.10.3.4, a domain name of cn=manager, a password of tpub, and a searchbase of c=us. These
parameters must match the same parameters configured on the server itself.
Note. The distinguished name must be different from the searchbase name.
In this example, an existing LDAP server is modified with a different password, and then the timeout is
modified on a separate line. These two command lines are equivalent to:
-> aaa ldap-server ldap2 password my_pass timeout 4
The switch automatically sets the port number to 636 when SSL is enabled. The 636 port number is typi-
cally used on LDAP servers for SSL. The port number on the switch must match the port number config-
ured on the server. If the port number on the server is different from the default, use the aaa ldap-server
command with the port keyword to configure the port number. For example, if the server port number is
635, enter the following:
-> aaa ldap-server ldap2 port 635
The switch will now be able to communicate with the server on port 635.
To remove SSL from the server, use no with the ssl keyword. For example:
-> aaa ldap-server ldap2 no ssl
show aaa server Displays information about a particular AAA server or AAA servers.
An example of the output for this command is given in Quick Steps For Configuring Authentication
Servers on page 21-4. For more information about the output of this command, see the OmniSwitch CLI
Reference Guide.
Authenticated VLANs control user access to network resources based on VLAN assignment and a user
log-in process; the process is sometimes called user authentication or Layer 2 Authentication. (Another
type of security is device authentication, which is set up through the use of port-binding VLAN policies or
static port assignment. See Chapter 9, Defining VLAN Rules.) In this chapter, the terms authenticated
VLANs (AVLANs) and Layer 2 Authentication are synonymous.
Layer 2 Authentication is different from another feature in the switch called Authenticated Switch Access,
which is used to grant individual users access to manage the switch. For more information about Authenti-
cated Switch Access, see the Switch Security chapter in the OmniSwitch 6800/6850/9000 Switch
Management Guide.
In This Chapter
This chapter describes authenticated VLANs and how to configure them through the Command Line Inter-
face (CLI). CLI commands are used in the configuration examples; for more details about the syntax of
commands, see the OmniSwitch CLI Reference Guide.
The authentication components described in this chapter include:
Authentication clientssee Setting Up Authentication Clients on page 22-7.
Authentication agent
RADIUS or LDAP servers in the switch
Authentication port
DHCP server
This chapter describes all of these components in detail, except the external authentication servers, which
are described in Chapter 21, Managing Authentication Servers. A brief overview of the components is
given here:
Authentication serversA RADIUS or LDAP server must be configured in the network. The server
contains a database of user information that the switch checks whenever a user tries to authenticate
through the switch. (Note that the local user database on the switch may not be used for Layer 2 authenti-
cation.) Backup servers may be configured for the authentication server.
RADIUS or LDAP server. Follow the manufacturers instructions for your particular server. The
external server may also be used for Authenticated Switch Access. Server details, such as RADIUS
attributes and LDAP schema information, are given in Chapter 21, Managing Authentication Servers.
RADIUS or LDAP client in the switch. The switch must be set up to communicate with the RADIUS
or LDAP server. This chapter briefly describes the switch configuration. See Chapter 21, Managing
Authentication Servers, for detailed information about setting up switch parameters for authentication
servers.
Authentication clientsAuthentication clients login through the switch to get access to authenticated
VLANs. There are three types of clients:
AV-Client. This is an Alcatel-proprietary authentication client. The AV-Client does not require an IP
address prior to authentication. The client software must be installed on the users end station. This
chapter describes how to install and configure the client. See Installing the AV-Client on page 22-12.
Telnet client. Any standard Telnet client may be used. A IP address is required prior to authentication.
An overview of the Telnet client is provided in Setting Up Authentication Clients on page 22-7.
Web browser client. Any standard Web browser may be used (Netscape or Internet Explorer). An IP
address is required prior to authentication. See Web Browser Authentication Client on page 22-7 for
more information about Web browser clients.
Authenticated VLANsAt least one authenticated VLAN must be configured. See Configuring
Authenticated VLANs on page 22-26.
Authentication portAt least one mobile port must be configured on the switch as an authentication
port. This is the physical port through which authentication clients are attached to the switch. See Config-
uring Authenticated Ports on page 22-28
DHCP ServerA DHCP server can provide IP addresses to clients prior to authentication. After authen-
tication, any client can obtain an IP address in an authenticated VLAN to which the client is allowed
access. A relay to the server must be set up on the switch. See Setting Up the DHCP Server on
page 22-29.
Authentication agent in the switchAuthentication is enabled when the server(s) and the server author-
ity mode is specified on the switch. See Configuring the Server Authority Mode on page 22-32.
These components are described in more detail in the next sections.
2 Configure at least one authenticated VLAN. A router port must be set up in at least one authenti-
cated VLAN for the DHCP relay. See Configuring Authenticated VLANs on page 22-26.
3 Configure at least one authenticated mobile port. Required for connecting the clients to the switch.
See Configuring Authenticated Ports on page 22-28.
4 Set up the DHCP server. Required if you are using Telnet or Web browser clients. Required for any
clients that need to get IP addresses after authentication. See Setting Up the DHCP Server on
page 22-29.
5 Configure the authentication server authority mode. See Configuring the Server Authority Mode
on page 22-32.
6 Specify accounting servers for authentication sessions. Optional; accounting may also be done
through the switch logging feature in the switch. See Specifying Accounting Servers on page 22-35.
The following is a summary of commands used in these procedures.
Note that this command does not create a VLAN; the VLAN must already be created. For information
about creating VLANs, see Chapter 5, Configuring VLANs.
The VLAN must also have an IP router interface if Telnet or Web browser clients will be authenticating
into this VLAN. The following command configures an IP router interface on VLAN 2:
-> ip interface vlan-2 address 10.10.2.20 vlan 2
2 Create and enable at least one mobile authenticated port. The port must be in VLAN 1, the default
VLAN on the switch.
-> vlan port mobile 3/1
-> vlan port 3/1 authenticate enable
4 Set up a path to a DHCP server if users will be getting IP addresses from DHCP. The IP helper address
is the IP address of the DHCP server; the AVLAN default DHCP address is the address of any router port
configured on the VLAN.
-> ip helper address 10.10.2.5
-> aaa avlan default dhcp 10.10.2.20
If the relay will be used for authentication only, enter the ip helper avlan only command:
-> ip helper avlan only
Note. To check the DNS and DHCP authentication configuration, enter the show aaa avlan config
command. For example:
-> show aaa avlan config
default DHCP relay address = 192.9.33.222
authentication DNS name = authent.company.com
For more information about this command, see the OmniSwitch CLI Reference Guide.
5 Configure the switch to communicate with the authentication servers. Use the aaa radius-server or
aaa ldap-server command. For example:
-> aaa radius-server rad1 host 10.10.1.2 key wwwtoe timeout 3
-> aaa ldap server ldap2 host 199.1.1.1 dn manager password foo base c=us
See Chapter 21, Managing Authentication Servers, for more information about setting up external serv-
ers for authentication.
6 Enable authentication by specifying the authentication mode (single mode or multiple mode) and the
server. Use the RADIUS or LDAP server name(s) configured in step 5. For example:
-> aaa authentication vlan single-mode rad1 rad2
Note. Verify the authentication server configuration by entering the show aaa authentication vlan
command or verify the accounting server configuration by entering the show aaa accounting vlan
command. For example:
-> show aaa authentication vlan
All authenticated vlans
1rst authentication server = rad1,
2nd authentication server = ldap2
For more information about these commands, see the OmniSwitch CLI Reference Guide.
with one authenticated VLAN. The address may be assigned dynamically if a DHCP server is located
in the network. DHCP is required in networks with multiple authenticated VLANs.
Configure a DHCP server. Web browser clients may get IP addresses via a DHCP server prior to
authenticating or after authentication in order to move into a different VLAN. When multiple authenti-
cated VLANs are configured, after the client authenticates the client must issue a DHCP release/renew
request in order to be moved into the correct VLAN. Web browser clients automatically issue DHCP
release/renew requests after authentication. For more information, see Setting Up the DHCP Server
on page 22-29.
Configure a DNS name on the switch. A DNS name must be configured so that users may enter a
URL rather than an IP address in the browser command line. For more information, see Setting Up a
DNS Path on page 22-29.
The label.txt file will be used for Web browser authentication clients.
Note. If you want to return to the default language (English) for the Web browser prompts, delete the
contents of the file.
Important. When you install the Ksecu.img file after initial installation, any files in the /flash/switch/
avlan directory will be overwritten.
The /flash/switch/avlan directory contains authentication HTML pages for the client that may be modified
(to include a company logo, for example). The names of these files are: topA.html, topB.html,
bottomA.html, bottomB.html, and myLogo.gif.
The directory also contains files that must be installed on Mac OS Web browser clients as described in the
next sections.
4 Double-click on the application javlanInstall AppleScript inside the newly created directory. The work-
station is now setup for authentication.
2 Select Domain > Security > Authenticate. Enter the administrators password if required.
3 Select Domain > Security > Enable Root. Enter the password.
4 Select System Preferences/Login and select the login prompt to display when opening a new session.
8 If you are using a self-signed SSL certificate, or the certificate provided by Alcatel (wv-cert.pem), see
DNS Name and Web Browser Clients on page 22-11.
To set up the Mac OSX.1 for authentication:
1 In the browser URL command line, enter the DNS name configured on the switch (see the next section
for setting up the DNS name for Mac OSX clients). The authentication page displays.
2 Click on the link to download the installation software. The avlanInstall.tar file is copied to the Mac
desktop.
5 Make sure the SSL certificate is installed correctly (see SSL for Web Browser Clients on
page 22-11) and that the DNS name configured on the switch matches the DNS name in the certificate (see
DNS Name and Web Browser Clients on page 22-11).
Note. The keytool command requires a password. By default, the password is changeit.
On the browser workstation, the authentication user must enter the DNS name in the browser command
line to display the authentication page.
For more information about configuring a DNS name, see Setting Up a DNS Path on page 22-29.
Set the AV-Client as primary network login (Windows 95 and 98). See Setting the AV-Client as
Primary Network Login on page 22-18.
Configure the AV-Client for DHCP (optional). See Configuring the AV-Client Utility on
page 22-18.
2 Double-click the Network icon. When the Network window opens, select the Protocols tab.
3 Click the Add button and the Select Network Protocol window appears.
4 Select the DLC protocol from the list of Network Protocols. Click OK.
Windows 98
1 From your Windows desktop, select Start > Settings > Control Panel.
2 Double-click the Network icon. When the Network window opens, select the Configuration tab.
3 Click the Add button and the Select Network Component Type window appears.
5 When the Select Network Protocol window appears, select Microsoft from the list of manufacturers
and Microsoft 32-bit DLC from the list of Network Protocols. Click OK.
6 Follow the prompts requesting Windows files.
Windows 95
Install the 32-bit DLC protocol program and the update patch from the Microsoft FTP site
(ftp.microsoft.com). From the FTP site, download the MSDLC32.EXE and DLC32UPD.EXE files (or the
latest DLC protocol update). These files are self-extracting zip files. Follow these steps:
1 Double-click the MSDLC32.EXE file in the folder to which you want to download the file.
Note. Do not run MSDLC32.EXE file in the Windows or Windows/System folders. If you downloaded
the file to either of these locations, copy it to a temporary folder on your hard disk or copy it to an installa-
tion diskette before double-clicking on it.
2 From your Windows desktop, select Start > Settings > Control Panel.
5 In the Select Network Component Type dialog box, double-click on the Protocol network component.
6 In the Select Network Protocol dialog box, click on the Have Disk button.
7 Specify the drive and path where the MSDLC32.EXE files (you should have already extracted them)
are located. For example, if you created an installation diskette, you would enter
<drive letter>:\
If you created a temporary folder on your hard disk, then you would enter
C:\<folder name>
where folder name is the directory or path into which you copied the MSDLC32.EXE files. Click OK.
9 When prompted, insert the Windows 95 disks so that other network components can be reinstalled.
10 When prompted, shut down your computer and restart Windows 95. This restart is required for the
DLC protocol stack to load on the system.
11 Next, the DLC protocol stack update must be loaded. Double click the DLC32UPD.EXE file. The
program will install itself. After installing the update, it is recommended that the system be rebooted.
2 Double-click the AV-Client icon. The installation routine begins and the following window displays:
3 We recommend that you follow the instructions on the screen regarding closing all Windows programs
before proceeding with the installation. Click on the Next button. The following window displays.
4 From this window you may install the client at the default destination folder shown on the screen or
you may click the Browse button to select a different directory. Click on the Next button. The software
loads, and the following window displays.
5 This window gives you the option of restarting your PC workstation now, or later. You cannot use the
AV-Client until you restart your computer. If you decide to restart now, be sure to remove any disks from
their drives. Click the Finish button to end the installation procedure.
2 Double-click the AV-Client icon. The installation routine begins and the following window displays:
3 We recommend that you follow the instructions on the screen regarding closing all Windows programs
before proceeding with the installation. Click on the Next button. The following window displays:
.
4 From this window you may install the client at the default destination folder shown on the screen or
you may click the Browse button to select a different directory. Click on the Next button. The software
loads, and the following window displays.
5 This window recommends that you read a text file included with the client before you exit the install
shield. Click on the box next to View the single sign-on Notes to select this option. Click on the Finish
button to end the installation process. Remember that you must restart your computer before you can run
the AV-Client.
2 Select the Client from the list and click the Add button. The Select Network Client Window
displays.
3 You can click the Have Disk button, enter the correct path for your disk drive in the space provided
and click OK. You can also browse to the directory where the AV-Client is installed and click OK. Select
Alcatel AVLAN Login Provider.
4 Select Alcatel AVLAN Login Provider as the Primary Network Login on the Configuration tab.
Note. Make sure to have your Windows 95 or 98 media available during this procedure.
Note. If you disable the AV-Client at startup, you can activate VLAN authentication by pointing your
mouse to the AV-Client icon on the Windows stem tray and right-clicking to select Logon.
Note. If the user reboots the PC workstation, the clients session with the network server is automatically
terminated.
2 Enter the user name for this device in the Login Name? field. This user name is configured on the
authentication server.
3 Enter the password for this user in the Password? field. If the client is set up for basic dialog mode
and the user enters the correct password, the user is authenticated. If the client is set up for extended mode,
the user will be prompted to enter the VLAN ID and challenge. After all required user information is
entered, the following message displays:
User xxxx authenticated by <Authentication Type> authentication
The user is now logged into the network and has access to all network resources in the VLAN with which
this user shares membership.
Note. If authentication is successful but an error was made while configuring VLANs, the user station
may not move into the VLAN the user requested.
2 To continue the procedure, click the Logoff button. The following screen indicates that the AV-Client
is sending a logoff request to the authentication server.
The next message on the screen indicates that the AV-Client is requesting an IP address in the default
VLAN. The client is removed from the authenticated VLAN and placed in the default VLAN.
When the AV-Client is logged into the network, the AV-Client icon on the Windows desktop has a
blue background. When the logoff procedure is completed, the screen disappears and the background
is gone from the AV-Client icon.
Note. If the AV-Client will be used with DHCP, the DHCP server must be configured as described in
Setting Up the DHCP Server on page 22-29.
At startup, an AV-Client user PC workstation will issue a Windows DHCP request if the AV-Clients
DHCP release/renew feature is enabled. This feature is disabled by default. The AV-Client is capable of
obtaining an address from the default client VLAN or whatever VLAN it authenticates into if a DHCP
server is located in the VLAN.
The DHCP tab of the configuration utility gives you several options for managing DHCP when it is
enabled. You also have the option of disabling DHCP operations.
Note. A delay between DHCP release and client logoff is recommended because the DHCP servers MAC
address may be timed out in the AV-Clients ARP table. If that is the case, the client must send an ARP
packet to discover the DHCP servers MAC address before it can send the release packet. If the logoff
packet is sent to the switch before the release packet gets sent, then the IP address will never be released.
Increasing the value of the delay parameter can prevent this from happening.
1 To configure the DHCP parameters, access the AV-Client configuration utility and select the DHCP
tab. The following screen displays:
2 Click the box next to Enable DHCP Operations. Several options will activate in the utility window as
shown in the following screen. When you click on a box next to an option, the option is activated in the
configuration window.
3 When you click one of the features, an indicator is activated directly below the feature. Specify the
number of seconds for the delay for the selected feature.
4 To apply the change, click the Apply button. When you click the OK button, the screen will close and
the change will take effect. If you decide not to implement the change, click the Cancel button and the
screen will close without implementing a change.
Note that the specified VLAN (in this case, VLAN 2) must already exist on the switch. A router port must
also be configured for the VLAN (with the ip interfacecommand) so that a DHCP relay may be set up.
For example:
-> vlan 2 router ip 10.10.2.20
See Setting Up the DHCP Server on page 22-29 for more information about setting up a DHCP server.
----------------------------------------------------------------
user1 00:20:da:05:f6:23 02 02 23
In this example, user1 is authenticated into VLAN 23 and is using MAC address 00:20:da:05:f6:23. To
remove user1 from authenticated VLAN 23, enter the aaa vlan no command with the MAC address. For
example:
-> aaa avlan no 00:20:da:05:f6:23
When this command is entered, user1 will be removed from VLAN 23. If the switch is set up so that
authenticated users may traffic in the default VLAN, the user will be placed into the default VLAN of the
authentication port. (See Setting Up the Default VLAN for Authentication Clients on page 22-27 for
information about setting up the switch so that authentication clients may traffic in the default VLAN prior
to authentication.)
For more information about the output display for the aaa avlan no and show avlan user commands, see
the OmniSwitch CLI Reference Guide.
Note. The MAC addresses of users may also be found in the log files generated by accounting servers.
This changes the authentication address for VLAN 3 to 10.10.2.80. The authentication IP address is also
used for the DNS address (see Setting Up a DNS Path on page 22-29).
Note. When modifying the authentication address for a specific VLAN, make sure that the new address
does not match an IP router interface address for the same VLAN. IP address resolution problems can
occur if these two addresses are not unique.
To display authentication addresses, use the show aaa avlan auth-ip command.
When this command is enabled, any authentication client initially belongs to the default VLAN of the
authentication port through which the client is connected. After authentication, if a client is removed from
an authenticated VLAN through the aaa avlan no command, the client is moved to the default VLAN.
To disable any default VLAN for authentication traffic, use the disable keyword with the command:
-> avlan default-traffic disable
WARNING: Traffic on default vlan is DISABLED.
Existing users on default vlan are not flushed.
Users now do not belong to and cannot traffic in the default VLAN prior to authentication. Note that any
existing users in the default VLAN are not flushed.
MAC-Port
The MAC-port-protocol, MAC-IP address, port-IP address, and Port-Protocol binding rules are not
supported on authenticated VLANs. In addition to the above binding rule types, however, a MAC range
rule may also be applied to authenticated ports. For more information about port binding and MAC range
rules and how to configure them, see Chapter 9, Defining VLAN Rules.
To enable port binding and MAC range rules on authenticated VLANs, use the avlan port-bound
command with the enable keyword.
-> avlan port-bound enable
This command allows some port binding rules (MAC-Port-IP address, MAC-Port, Port-IP address, and
MAC-Port-Protocol) and MAC range rules to be used on any authenticated VLAN.
To disable port binding rules on authenticated VLANs, use the disable keyword with the command:
-> avlan port-bound disable
To enable authentication on the mobile port, use the vlan port authenticate command:
-> vlan port 3/1 authenticate enable
For more information about the configuring VLAN ports, see Chapter 7, Assigning Ports to VLANs.
By default, authentication clients cannot traffic in the default VLAN for the authentication port unless the
avlan default-traffic command is enabled. See Setting Up the Default VLAN for Authentication
Clients on page 22-27.
When this command is configured, a Web browser client may enter auth.company in the browser
command line to initiate the authentication process.
To remove a DNS path from the configuration, use the no form of the command. For example:
-> no aaa avlan dns
The DNS path is removed from the configuration, and Web browser clients must enter the authentication
IP address to initiate the authentication process.
Note. For more information about configuring DHCP relay in general, see Chapter 18, Configuring
DHCP Relay.
Before Authentication
Normally, authentication clients cannot traffic in the default VLAN, so authentication clients do not
belong to any VLAN when they connect to the switch. Even if DHCP relay is enabled, the DHCP discov-
ery process cannot take place. To address this issue, a DHCP gateway address must be configured so that
the DHCP relay knows which router port address to use for serving initial IP addresses. (See Configur-
ing a DHCP Gateway for the Relay on page 22-31 for information about configuring the gateway
address.)
Note. The switch may be set up so that authentication clients will belong to the default VLAN prior to
authentication (see Setting Up the Default VLAN for Authentication Clients on page 22-27). If a DHCP
server is located in the default VLAN, clients may obtain initial IP addresses from this server without
using a relay. However, the DHCP server is typically not located in a default VLAN because it is more
difficult to manage from an authenticated part of the network.
After Authentication
When the client authenticates, the client is moved into the allowed VLAN based on VLAN information
sent from an authentication server (single mode authority) or based on VLAN information configured
directly on the switch (multiple mode authority).
For information about authentication server authority modes, see Configuring the Server Authority
Mode on page 22-32.
After authentication a client may be moved into a VLAN in which the clients current IP address does not
correspond. This will happen if the DHCP gateway address for assigning initial IP addresses is the router
port of an authenticated VLAN to which the client does not belong. (See Configuring a DHCP Gateway
for the Relay on page 22-31.)
In this case, clients will send DHCP release/renew requests to get an address in the authenticated VLAN to
which they have access; DHCP relay must be enabled so that the request can be forwarded to the appropri-
ate VLAN.
Note. Telnet clients typically require manual configuration for IP address release/renew. Web browser
clients will initiate their release/renew process automatically.
DHCP is automatically enabled on the switch whenever a DHCP server address is defined. For more infor-
mation about using the ip helper address command, see Chapter 18, Configuring DHCP Relay.
If multiple DHCP servers are used, one IP address must be configured for each server. The default VLAN
DHCP gateway must also be specified so that Telnet and Web browser clients can obtain IP addresses
prior to authentication. See the next section for more information.
If you want to specify that the relay only be used for packets coming in on an authenticated port, enter the
ip helper avlan only command.
-> ip helper avlan only
When this command is specified, the switch will act as a relay for authentication DHCP packets only; non-
authentication DHCP packets will not be relayed. For more information about using the ip helper avlan
only command, see Chapter 18, Configuring DHCP Relay.
Telnet and Web browser clients will initially receive an IP address in this scope. (After authentication,
these clients may require a new IP address if they do not belong to the VLAN associated with this gate-
way address.)
To remove a gateway address from the configuration, use the no form of the aaa avlan default dhcp
command. For example:
-> no aaa avlan default dhcp
At least one server must be configured in either mode. Up to three backup servers total may be specified.
The CLI commands required for specifying the servers are as follows:
aaa authentication vlan single-mode
aaa authentication vlan multiple-mode
Note. Each RADIUS and LDAP server may each have an additional backup host of the same type config-
ured through the aaa radius-server and aaa ldap-server commands.
In addition, the aaa accounting vlan command may be used to set up an accounting server or servers to
keep track of user session statistics. Setting up servers for accounting is described in Specifying Account-
ing Servers on page 22-35.
Authenticated
VLAN 2
VLAN 1
Authenticated
TM
OmniSwitch 9700
VLAN 3
LDAP or RADIUS
servers
To configure authentication in single mode, use the aaa authentication vlan command with the
single-mode keyword and name(s) of the relevant server and any backups.. At least one server must be
specified; the maximum is four servers. For example:
-> aaa authentication vlan single-mode ldap1 ldap2
In this example, authenticated VLANs are enabled on the switch in single mode. All authenticated VLANs
on the switch will use ldap1 to attempt to authenticate users. If ldap1 becomes unavailable, the switch
will use backup server ldap2. Both servers contain user information, including which VLANs users may
be authenticated through. (The servers must have been previously set up with the aaa ldap-server
command. For more information about setting up authentication servers, see Chapter 21, Managing
Authentication Servers.)
To disable authenticated VLANs, use the no form of the command. Note that the mode does not have to
specified. For example:
-> no aaa authentication vlan
Authenticated
VLAN 2
RADIUS server
VLAN 1 for VLAN 2
Authenticated
TM
OmniSwitch 9700
VLAN 3
Authenticated
VLAN 5
RADIUS servers
for VLAN 5
To configure authentication in multiple mode, use the aaa authentication vlan command with the
multiple-mode keyword, the relevant VLAN ID, and the names of the servers. The VLAN ID is required,
and at least one server must be specified (a maximum of four servers is allowed per VLAN). For example:
-> aaa authentication vlan multiple-mode 2 rad1
-> aaa authentication vlan multiple-mode 3 ldap1
-> aaa authentication vlan multiple-mode 4 ldap1
-> aaa authentication vlan multiple-mode 5 ldap2 ldap3
To disable authenticated VLANs in multiple mode, use the no form of the command and specify the rele-
vant VLAN. Note that the mode does not have to be specified. For example:
-> no aaa authentication vlan 2
This command disables authentication on VLAN 2. VLANs 3, 4, and 5 are still enabled for authentication.
In this example, a RADIUS server (rad1) is used for all accounting of authenticated VLANs; an LDAP
server (ldap2) is specified as a backup accounting server.
If the switch is configured for multiple authority mode, the VLAN ID must be specified. In multiple mode,
a different accounting server (with backups) may be specified for each VLAN. For example:
-> aaa accounting vlan 3 rad1 rad2 ldap1
-> aaa accounting vlan 4 ldap2 ldap3
In this example, rad1 is configured an an accounting server for VLAN 3; rad2 and ldap1 are backups that
are only used if the previous server in the list goes down. An LDAP server (ldap2) is configured for
accounting in VLAN 4; the backup server for VLAN 4 is ldap3.
If an external server is not specified with the command, AVLAN user session information will be logged
in the local switch log. For information about switch logging, see Chapter 30, Using Switch Logging. In
addition, the keyword local may be used so that logging will be done on the switch if the external server
or servers become unavailable. If local is specified, it must be specified last in the list of servers.
In the following example, single-mode authentication is already set up on the switch, the aaa accounting
vlan command configures a RADIUS server (rad1) for accounting. The local logging feature in the switch
(local) is the backup accounting mechanism.
-> aaa accounting vlan rad1 local
show aaa authentication vlan Displays information about authenticated VLANs and the server config-
uration.
show aaa accounting vlan Displays information about accounting servers configured for Authenti-
cated VLANs.
show avlan user Displays MAC addresses for authenticated VLAN users on the switch.
show aaa avlan config Displays the current global configuration for authenticated VLANs.
show aaa avlan auth-ip Displays the IP addresses for authenticated VLANs.
For more information about these commands, see the OmniSwitch CLI Reference Guide.
Physical devices attached to a LAN port on the switch through a point-to-point LAN connection may be
authenticated through the switch through port-based network access control. This control is available
through the IEEE 802.1X standard implemented on the switch.
In This Chapter
This chapter describes 802.1X ports used for port-based access control and how to configure them through
the Command Line Interface (CLI). CLI commands are used in the configuration examples; for more
details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
This chapter provides an overview of 802.1X and includes the following information:
Setting Up Port-Based Network Access Control on page 23-11
802.1X Specifications
Note. The 802.1x functionality described in this chapter is supported on the OmniSwitch 6800, 6850, and
9000 switches unless otherwise stated in the following Specifications table or specifically noted within any
other section of this chapter.
802.1X Defaults
The following table lists the defaults for 802.1X port configuration through the 802.1x command and the
relevant command keywords:
The port is set up automatically with 802.1X defaults. See 802.1X Defaults on page 23-2 for informa-
tion about the defaults. For more information about vlan port commands, see Chapter 7, Assigning Ports
to VLANs.
2 Configure the RADIUS server to be used for port authentication.
See Chapter 21, Managing Authentication Servers, for more information about configuring RADIUS
authentication servers for 802.1X authentication.
Note. If 802.1X users will be authenticating into an authenticated VLAN, the VLAN must be configured
with the vlan authentication command. For information about configuring VLANs with authentication,
see Chapter 5, Configuring VLANs.
3 Associate the RADIUS server (or servers) with authentication for 802.1X ports.
4 (Optional) Associate the server (or servers) to be used for accounting (logging) 802.1X sessions. For
example:
-> aaa accounting 802.1x rad2 ldap3 local
5 (Optional) Configure port-access control parameters for the 802.1X port using the 802.1x command.
6 (Optional) Configure the number of times supplicant devices are polled for identification using the
802.1x supp-polling retry command.
-> 802.1x 3/1 supp-polling retry 10
Note. Verify the 802.1X port configuration using the 802.1x command:
-> show 802.1x 1/13
802.1x configuration for slot 1 port 13:
direction = both,
operational directions = both,
port-control = auto,
quiet-period (seconds) = 60,
tx-period (seconds) = 30,
supp-timeout (seconds) = 30,
server-timeout (seconds) = 30,
max-req = 2,
re-authperiod (seconds) = 3600,
reauthentication = no
Supplicant polling retry count = 2
Optional. To display the number of 802.1x users on the switch, use the show 802.1x users command:
->show 802.1x users
Optional. To display the number of non-802.1x users learned on the switch, use the show 802.1x non-
supplicant command:
->show 802.1x non-supplicant
See the OmniSwitch CLI Reference Guide for information about the fields in this display.
802.1X Overview
The 802.1X standard defines port-based network access controls, and provides the structure for authenti-
cating physical devices attached to a LAN. It uses the Extensible Authentication Protocol (EAP).
There are three components for 802.1X:
The SupplicantThis is the device connected to the switch that supports the 802.1x protocol. The
device may be connected directly to the switch or via a point-to-point LAN segment. Typically the
supplicant is a PC or laptop.
The Authenticator Port Access Entity (PAE)This entity requires authentication from the suppli-
cant. The authenticator is connected to the supplicant directly or via a point-to-point LAN segment.
The OmniSwitch acts as the authenticator.
The Authentication ServerThis component provides the authentication service and verifies the
credentials (username, password, challenge, etc.) of the supplicant. On the OmniSwitch, only RADIUS
servers are currently supported for 802.1X authentication.
Authentication
Authenticator PAE
Server
Supplicant
authentication
login request request
authorization
PC OmniSwitch granted
RADIUS server
802.1X Components
A device that does not use the 802.1x protocol for authentication is referred to as a non-supplicant. On an
OmniSwitch 9000, authentication of non-supplicants authomatically fails and the device is blocked from
accessing the port.
On the OmniSwitch 6800 and OmniSwitch 6850, the Access Guardian feature provides configurable
device classification policies to authenticate access of both supplicant and non-supplicant devices on
802.1x ports. See Using Access Guardian Policies on page 23-9 for more information.
Supplicant Classification
When an EAP frame or an unknown source data frame is received from a supplicant, the switch sends an
EAP packet to request the supplicants identity. The supplicant then sends the information (an EAP
response), which is validated on an authentication server set up for authenticating 802.1X ports. The server
determines whether additional information (a challenge, or secret) is required from the supplicant.
After the supplicant is successfully authenticated, the MAC address of the supplicant is learned in the
appropriate VLAN depending on the following conditions:
If the authentication server returned a VLAN ID, then the supplicant is assigned to that VLAN. All
subsequent traffic from the supplicant is then forwarded on that VLAN.
If the authentication server does not return a VLAN ID, then the supplicant is classified according to
any device classification policies that are configured for the port. See Using Access Guardian Poli-
cies on page 23-9 for more information.
If the authentication server does not return a VLAN ID and there are no user-configured device classi-
fication policies for the port, then by default Group Mobility is used to classify the supplicant. If Group
Mobility is unable to classify the supplicant, then the supplicant is assigned to the default VLAN for
the 802.1X port.
If the authentication server returns a VLAN ID that does not exist or authentication fails, the suppli-
cant is blocked.
Note that multiple supplicants can be authenticated on a given 802.1X port. Each supplicant MAC address
received on the port is authenticated and learned separately. Only those that authenticate successfully are
allowed on the port, as described above. Those that fail authentication are blocked on the 802.1X port.
The global configuration of this feature is controlled by the aaa authentication 802.1x command. This
command enables 802.1X for the switch and identifies the primary and backup authentication servers. See
Setting 802.1X Switch Parameters on page 23-11 for more information about configuring this
command.
Using the 802.1x command, an administrator may force an 802.1X port to always accept any frames on
the port (therefore not requiring a device to first authenticate on the port); or an administrator may force
the port to never accept any frames on the port. See Configuring the Port Authorization on page 23-12.
Re-authentication
After a supplicant has successfully authenticated through an 802.1X port, the switch may be configured to
periodically re-authenticate the supplicant (re-authentication is disabled by default). In addition, the
supplicant may be manually re-authenticated (see Re-authenticating an 802.1X Port on page 23-13).
The re-authentication process is transparent to a user connected to the authorized port. The process is used
for security and allows the authenticator (the OmniSwitch) to maintain the 802.1X connection.
Note. If the MAC address of the supplicant has aged out during the authentication session, the 802.1X
software in the switch will alert the source learning software in the switch to re-learn the address.
802.1X ports may also be initialized if there a problem on the port. Initializing a port drops connectivity to
the port and requires the port to be re-authenticated. See Initializing an 802.1X Port on page 23-13.
802.1X Accounting
802.1X authentication sessions may be logged if servers are set up for 802.1X accounting. Accounting
may also be done through the local Switch Logging feature. For information about setting up accounting
for 802.1X, see Configuring Accounting for 802.1X on page 23-14.
Policy Types
There are two type of policies: supplicant and non-supplicant. Supplicant policies use 802.1x authentica-
tion via a remote RADIUS server and provide alternative methods for classifying supplicants if the
authentication process either fails or does not return a VLAN ID.
Non-supplicant policies use MAC authentication via a remote RADIUS server or can bypass authentica-
tion and only allow strict assignment to specific VLANs. MAC authentication verifies the source MAC
address of a non-supplicant device via a remote RADIUS server. Similar to 802.1x authentication, the
switch sends RADIUS frames to the server with the source MAC address embedded in the username and
password attributes.
One supplicant and one non-supplicant policy is allowed for each 802.1x port. Configuring a new suppli-
cant or non-supplicant policy overwrites any policies that may already exist for the port. The following
types of device classification policies are available:
1 802.1x authenticationperforms 802.1x authentication via a remote RADIUS server.
3 Group Mobility rulesuses Group Mobility rules to determine the VLAN assignment for a device.
5 Default VLANassigns a device to the default VLAN for the 802.1x port.
The first policy applies only to supplicants; the second policy applies only to non-supplicants. The remain-
ing policies apply to both supplicants and non-supplicants. Policies three through six are combined with
policy one or two to provide alternative methods for classifying devices when successful authentication
does not return a VLAN ID. It is also possible to configure policies three through six without also specify-
ing policy one or two. In this case, no authentication is performed, but device classification is restricted to
non-authenticated VLANs.
When multiple policies are specified when configuring a device classification policy, they form a
compound policy. Compound policies that use 802.1x authentication are supplicant policies; all others are
non-supplicant policies.
The order in which policies are applied to client traffic is determined by the order in which the policy was
configured. For example, if a compound non-supplicant policy is configured by specifying MAC authenti-
cation, Group Mobility rules, and default VLAN, then the policies are applied in the following sequence:
1 MAC authentication is performed.
2 If authentication was successful and provided a VLAN ID, the client is assigned to that VLAN and no
further policies are applied.
3 If a VLAN ID was not provided or authentication failed, then Group Mobility rules are applied.
4 If there are no Group Mobility rules that match the client traffic, then the device is learned in the
default VLAN for the port.
See Configuring Access Guardian Policies on page 23-14 for more information about how to use and
configure policies.
In this example, the rad1 server will be used for authenticating 802.1X ports. If rad1 becomes unavail-
able, the switch will use rad2 for 802.1X authentication. When this command is used, 802.1X is automati-
cally enabled for the switch.
Note that the same RADIUS servers can be used for 802.1x (supplicant) and MAC (non-supplicant)
authentication. Using different servers for each type of authentication is allowed but not required.
For more information about using MAC authentication and classifying non-supplicant devices, see Using
Access Guardian Policies on page 23-9 and Configuring Access Guardian Policies on page 23-14.
The vlan port 802.1x command enables 802.1X on port 1 of slot 3. The port will be set up with defaults
listed in 802.1X Defaults on page 23-2.
To disable 802.1X on a port, use the disable option with vlan port 802.1x command. For more informa-
tion about vlan port commands, See Chapter 7, Assigning Ports to VLANs.
In this example, the port control direction is set to incoming traffic only on port 1 of slot 3.
The type of port control (or authorization) is configured with the port-control parameter described in the
next section.
In this example, the port control on port 1 of slot 3 is always authorized for any traffic.
The auto option configures the port to be open for traffic when a device successfully completes an 802.1X
authentication exchange with the switch.
Supplicant (or user) timeoutThe time before the switch will timeout an 802.1X user who is attempt-
ing to authenticate. During the authentication attempt, the switch sends requests for authentication
information (identity requests, challenge response, etc.) to the supplicant (see Configuring the Maxi-
mum Number of Requests on page 23-13). If the supplicant does not reply to these requests, the
supplicant is timed out when the timeout expires.
To modify the quiet timeout, use the 802.1x command with the quiet-period keyword. To modify the
transmit timeout, use the 802.1x command with the tx-period keyword. To modify the supplicant or user
timeout, use the 802.1x command with the supp-timeout keyword. For example:
-> 802.1x 3/1 quiet-period 50 tx-period 25 supp-timeout 25
This command changes the quiet timeout to 50 seconds; the transmit timeout to 25 seconds; and the user
timeout to 25 seconds.
Note. The authentication server timeout may also be configured (with the server-timeout keyword) but
the value is always superseded by the value set for the RADIUS server through the aaa radius-server
command.
In this example, the maximum number of requests that will be sent is three.
In this example, automatic re-authentication is enabled, and re-authentication will take place on the port
every 25 seconds.
To manually re-authenticate a port, use the 802.1x re-authenticate command. For example:
-> 802.1x re-authentication 3/1
This command drops connectivity on port 1 of slot 3. The switch sends out a Request Identity message and
restores connectivity when the port is successfully re-authenticated.
In this example, the RADIUS server rad1 will be used for accounting. If rad1 becomes unavailable, the
local Switch Logging function in the switch will log 802.1X sessions. For more information about Switch
Logging, see Chapter 30, Using Switch Logging.
The following table provides examples of policies that were incorrectly configured and a description of the
problem:
Note that if no policies are configured on an 802.1x port, non-supplicants are blocked on the port and the
following classification process is performed for supplicants by default:
1 802.1x authentication via remote RADIUS server is attempted.
2 If authentication fails or successful authentication returns a VLAN ID that does not exist, the device is
blocked.
3 If authentication is successful and returns a VLAN ID that exists in the switch configuration, suppli-
cant is assigned to that VLAN.
4 If authentication is successful but does not return a VLAN ID, Group Mobility rules are checked for
classification.
5 If Group Mobility classification fails, the supplicant is assigned to the default VLAN ID for the 802.1x
port.
If no policy keywords are specified with this command, then supplicants are blocked if 802.1x authentica-
tion fails or does not return a VLAN ID. When multiple policies are specified, the policy is referred to as a
compound supplicant policy. Note that the order in which parameters are configured determines the order
in which they are applied.
To configure a compound supplicant policy, use the pass and fail keywords to specify which policies to
apply when 802.1x authentication is successful but does not return a VLAN ID and which policies to
apply when 802.1x authentication fails or returns a VLAN ID that does not exist. The pass keyword is
implied and therefore an optional keyword. If the fail keyword is not used, the default action is to block
the device.
Note. When a policy is specified as a policy to apply when authentication fails, device classification is
restricted to assigning supplicant devices to VLANs that are not authenticated VLANs.
When multiple policies are specified, the policy is referred to as a compound non-supplicant policy. Note
that the order in which parameters are configured determines the order in which they are applied.
To configure a compound non-supplicant policy, use the pass and fail keywords to specify which policies
to apply when MAC authentication is successful but does not return a VLAN ID and which policies to
apply when MAC authentication fails. The pass keyword is implied and therefore an optional keyword. If
the fail keyword is not used, the default action is to block the device when authentication fails.
Note. When a policy is specified as a policy to apply when authentication fails, device classification is
restricted to assigning non-supplicant devices to VLANs that are not authenticated VLANs.
To configure a non-supplicant policy that will not perform MAC authentication, use the 802.1x non-
supplicant policy command. The following keywords are available with this command to specify one or
more policies for classifying devices:
Note that this type of policy does not use 802.1x or MAC authentication. As a result, all of the available
policy keywords restrict the assignment of the non-supplicant device to only those VLANs that are non-
authenticated VLANs. The pass and fail keywords are not used when configuring this type of policy.
For more information about the displays that result from these commands, see the OmniSwitch CLI Refer-
ence Guide.
Quality of Service (QoS) policies that are configured through Alcatels PolicyView network management
application are stored on a Lightweight Directory Access Protocol (LDAP) server. PolicyView is an
OmniVista application that runs on an attached workstation.
In This Chapter
This chapter describes how LDAP directory servers are used with the switch for policy management.
There is no required configuration on the switch. When policies are created on the directory server through
PolicyView, the PolicyView application automatically configures the switch to communicate with the
server. This chapter includes information about modifying configuration parameters through the
Command Line Interface (CLI) if manual reconfiguration is necessary. For more details about the syntax
of commands, see the OmniSwitch CLI Reference Guide.
Throughout this chapter the term policy server is used to refer to LDAP directory servers used to store
policies. Procedures described in this chapter include:
Installing the LDAP Policy Server on page 24-3
Note. The switch has separate mechanisms for managing QoS policies stored on an LDAP server and QoS
policies configured directly on the switch. For more information about creating policies directly on the
switch, see Chapter 26, Configuring QoS.
Information about installing the LDAP policy server is included in this chapter. Consult the server manu-
facturers documentation for detailed information about configuring the server.
OmniSwitch
PolicyView workstation
TM
OmniSwitch 9700
IP traffic;
voice and video
traffic
LDAP server
See your server documentation for additional details on setting up the server.
See the next sections of this chapter for information about modifying policy server parameters or viewing
information about policy servers.
Note. SSL configuration must be done manually through the policy server command.
For information about policy server parameter defaults, see Policy Server Defaults on page 24-2.
In this example, an LDAP server with an IP address of 10.10.2.3 will not be used to download policies.
Any policies already downloaded to the switch are not affected by disabling the server.
To re-enable the server, specify up.
-> policy server 10.10.2.3 admin up
If the policy server is not created on the default port, the no form of the command must include the port
number. For example:
-> no policy server 10.10.2.4 5000
Note that the port number must match the port number configured on the policy server.
If the port number is modified, any existing entry for that policy server is not removed. Another entry is
simply added to the policy server table.
Note. If you enable SSL, the port number is automatically set to 636. (This does not create another entry
in the port table.)
For example, if you configure a policy server with port 389 (the default), and then configure another
policy server with the same IP address but port number 5000, two entries will display on the show policy
server screen.
-> policy server 10.10.2.3
-> policy server 10.10.2.3 port number 5000
-> show policy server
To remove an entry, use the no form of the policy server command. For example:
-> no policy server 10.10.2.3 port number 389
If this command is entered, a user with a username of kandinsky and a password of blue will be able to
access the LDAP server to modify parameters on the server itself.
Note that the searchbase path must be a valid path in the server directory structure.
SSL is now enabled between the specified server and the switch. The port number in the switch configura-
tion will be automatically set to 636, which is the port number typically used for SSL; however, the port
number should be configured with whatever port number is set on the server. For information about
configuring the port number, see Modifying the Port Number on page 24-5.
To disable SSL, use no ssl with the command:
-> policy server 10.10.2.3 no ssl
SSL is disabled for the 10.10.2.3 policy server. No additional policies may be saved to the directory server
from the PolicyView application.
Use the show policy server long command to display the last load time. For example:
-> show policy server long
LDAP server 0
IP address : 10.10.2.3,
TCP port : 16652,
Enabled : Yes,
Operational Status : Down,
Preference : 99,
Authentication : password,
SSL : Disabled,
login DN : cn=DirMgr
searchbase : o=company
Last load time : 02/14/02 16:38:18
Note. If polices are applied from PolicyView or vice versa, it will activate all current configuration.
For more information about configuring policies through the CLI, see Chapter 26, Configuring QoS.
show policy server Displays information about servers from which policies may be down-
loaded to the switch.
show policy server long Displays detailed information about an LDAP policy server.
show policy server statistics Displays statistics about policy directory servers.
show policy server rules Displays the names of policies originating on a directory server that
have been downloaded to the switch.
show policy server events Displays any events related to a directory server.
Access Control List Manager (ACLMAN) is a function of the Quality of Service (QoS) application that
provides an interactive shell for using common industry syntax to create ACLs. Commands entered using
the ACLMAN shell are interpreted and converted to Alcatel CLI syntax that is used for creating QoS
filtering policies.
This implementation of ACLMAN also provides the following features:
Importing of text files that contain common industry ACL syntax.
The ability to assign a name, instead of a number, to an ACL or a group of ACL entries.
Modifying specific ACL entries without having to enter the entire ACL each time to make a change.
ACL logging extensions to display Layer 2 through 4 packet information associated with an ACL.
Note. ACLMAN is only supported on the OmniSwitch 6800 and 6850 switches for this release.
In This Chapter
This chapter describes how to configure and manage ACLs using the ACLMAN interactive shell.
The following topics are included in this chapter:
Quick Steps for Creating ACLs on page 25-3.
For a general discussion of Alcatel QoS policy rules and ACLs, see Chapter 26, Configuring QoS, and
Chapter 27, Configuring ACLs.
ACLMAN Defaults
The following table shows the defaults for ACLs:
-> aclman
Welcome to ACLMAN
Aclman#
When the shell goes operational, the Privileged Exec Mode is automatically activated.
2 Enter the configure terminal command to access the Global Configuration Mode.
Aclman#configure terminal
Aclman(config)#
3 Use the access-list command to create a standard ACL that will permit traffic originating from a
specific IP network.
Aclman(config)#access-list 1 permit 10.0.0.0 0.255.255.255
4 Use the interface ethernet command to enter the Interface Configuration Mode for a specific ethernet
switch port. To specify the switch port, enter the slot number followed by a slash and the port number on
that slot (e.g. 3/1 specifies port 1 on slot 3).
Aclman(config)#interface ethernet 1/1
Aclman(config-if)#
5 Use the ip access-group command to associate the access list created in Step 3 as a filter for either
incoming (in) or outgoing (out) traffic on port 1/1.
Aclman(config-if)#ip access-group 1 in
6 Enter the exit command to return to the Global Configuration Mode to create additional ACL entries or
enter the end command to return to the Privileged Exec Mode.
Aclman(config-if)#end
7 Optional. In the Privileged Exec Mode, use the show ip access-lists command to verify the ACL
configuration. The display is similar to the following:
Aclman#show ip access-lists
Standard IP access list 1
10 permit 10.0.0.0, wildcard bits 0.255.255.255
8 In the Privileged Exec Mode, use the write memory command to save the running ACL configura-
tion. Note that if this is not done, the ACL configuration is lost on the next reboot of the switch.
Aclman#write memory
9 To close the ACLMAN shell and return to the Alcatel CLI, access the Privileged Exec Mode and use
the exit command. Note that when modes other than the Privileged Exec Mode are active, the exit
command returns to the previous mode and does not close the ACLMAN shell. For example:
Aclman(config-if)#exit
Aclman(config)#exit
Aclman#exit
-> aclman
Welcome to ACLMAN
Aclman#
When the shell goes operational, the Privileged Exec Mode is automatically activated.
2 Use the import command to import supported ACLMAN syntax from a specified text file into the
running configuration. For example:
Aclman#import acl_file_1
3 Optional. Use the show running-config command to display the ACL configuration. The display is
similar to the following:
Aclman#show running-config
4 Save the ACLMAN running configuration using the write memory command. Note that if this is not
done, the ACL configuration is lost on the next reboot of the switch
Aclman#write memory
ACLMAN Overview
ACLMAN is a function of the Alcatel QoS system that allows network administrators to configure and
manage ACLs using common industry syntax. ACLs configured using ACLMAN are transparently
converted into Alcatel QoS filtering policies and applied to the switch.
An ACLMAN interactive shell provides an ACL command line interface that is similar to command inter-
faces that are available on other industry platforms. This shell serves as a configuration tool for creating
ACLs using common industry syntax commands and/or importing industry syntax from text files. See
Using the ACLMAN Shell on page 25-7 for more information.
The following industry ACL types and features are supported with this implementation of ACLMAN:
Standard ACL. This type of ACL compares the source address of a packet to the source address spec-
ified in the ACL.
Extended ACL. This type of ACL compares the source and destination address of a packet to the
source and destination address specified in the ACL. Also provides additional criteria for filtering
packets.
Numbered ACL. This type of ACL refers to standard or extended ACLs that are assigned a number
for identification.
Named ACL. This type of ACL refers to standard or extended ACLs that are assigned a name for
identification.
The following industry ACL types are currently not supported:
Reflexive ACLs
Authentication Proxy
Note. Issuing a write memory command is required to preserve the ACLMAN running configuration
across switch reboots.
Editing the aclman.cfg file is possible using a text editor and also provides an additional method for load-
ing ACL statements into the ACLMAN running configuration. For more information, see Editing the
ACLMAN Configuration File on page 25-20.
ACL Precedence
ACLMAN allows a user to apply common industry ACLs to an Alcatel switch. When these ACLs are
created using ACLMAN configuration tools, they are automatically assigned an Alcatel QoS internal
priority of 101.
Alcatel CLI/SNMP policies are assigned a priority of one by default. As a result, ACLMAN policies will
take precedence over Alcatel CLI/SNMP policies unless the Alcatel policies are configured with a prece-
dence value higher than 101.
QoS policies configured through LDAP are given a value in the range 30000 to 65535. Therefore LDAP
policies take precedence over ACLMAN policies.
Once the shell is active, then only supported ACLMAN syntax is allowed. There is no predetermined or
configurable timeout value that triggers an exit from the ACLMAN shell. The exit command is used to
return to the Alcatel CLI. However, if the configured timeout value for a CLI or telnet session is reached,
the entire session including the ACLMAN shell is dropped. The Alcatel CLI command, kill, is available to
terminate a session that is frozen.
The ACLMAN interactive shell supports partial command recognition. To use this optional feature, enter
enough of the command keyword to make it unique and then press the Tab key. ACLMAN fills out the
rest of the keyword. For example:
Aclman#confi
Aclman#configure ter
Aclman#configure terminal
Aclman(config)#
Entering a question mark (?) after a partial command provides a list of potential commands that match the
partial entry. For example:
Aclman#(config)i?
interface ip
Aclman#(config)i
Help is an available menu item in each of the shell command modes. In addition, help is also available by
entering a question mark (?) at the command prompt or after entering a command parameter. For example:
Aclman(config)#?
access-list Add an access list entry
end Return to privileged exec mode
exit Exit from configure mode
help Description of the interactive help system
interface Select an interface to configure
ip Global IP configuration subcommands
no Negate a command or set its defaults
time-range Define time range entries
Aclman(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
Aclman(config)#access-list
Command Description
clear access-list counters [name | number] Resets the statistics counters to zero for the specified ACL.
If an ACL name or number is not entered, then the counters
for all ACLs are reset.
configure replace Clears the entire running configuration out of memory and
replaces it with the contents of the aclman.cfg file.
configure terminal Accesses the Global Configuration command mode. Com-
mand prompt changes to Aclman(config)#
exit Closes the ACLMAN interactive shell and returns to the
Alcatel CLI. The ACLMAN shell is no longer active.
show access-lists [name | number] Displays the contents of the specified ACLs. If an ACL
name or number is not entered, all ACLs are shown.
show ip interface [type slot/port] Displays ACLs associated with the specified interface. If an
interface is not specified, all configured interfaces are
shown.
show running-config Displays the entire ACLMAN configuration, not just the
ACL configuration.
show time-range [name] Displays the specified time range. If no name is specified,
all time ranges are shown.
The Privileged Exec mode also includes the following commands that are specific to the Alcatel imple-
mentation of ACLMAN:
Command Description
import filename Imports ACL syntax from the specified text file.
logging-rate seconds Configures the logging rate time interval. The range is 0
to 3600 seconds. The default value is 30 seconds.
Command Description
qos {enable | disable} Enables or disables QoS policies. By default policies are
enabled. This command is the equivalent of the Alcatel
CLI qos enable and qos disable command. Note that
this command applies to both ACLMAN and Alcatel
CLI configured policies.
show logging Displays QoS logging information. This command is
equivalent to the Alcatel CLI show logging command.
show resources Displays a summary of QoS resources. The information
displayed is a subset of what is provided with the Alcatel
CLI show qos statistics command.
write memory Saves the running ACL configuration to the aclman.cfg
file. Note that if this command is not used, any ACL
configuration since the last write memory is lost when
the switch reboots.
Command Description
access-list access-list-number Creates a standard numbered ACL when the ACL num-
{permit | deny} ber specified is between 1 and 99 or 1300 and 1999.
{source source-wildcard | host address | any}
Repeat this command for each additional entry you want
no access-list access-list-number to add to the specified access-list-number.
Examples:
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 deny host 198.172.10.2
access-list 30 permit any
no access-list 10
Command Description
access-list access-list-number Creates an extended numbered ACL when the ACL
{permit | deny} number specified is between 100 and 199 or 2000 and
protocol 2699.
{source source-wildcard | host address | any}
[operator [port]] Repeat this command for each additional entry you want
{destination destination-wildcard | to add to the specified access-list-number.
host address | any}
[operator [port]] Use the no form of this command to remove the speci-
[established] fied ACL.
[precedence precedence]
[tos tos] Note: The operator [port] and established parameters
[log | log-input] are only used for TCP/UDP ACLs.
[time-range time-range-name]
See Supported Protocols and Services on page 25-15
no access-list access-list-number for a list of supported IP protocols and TCP/UDP service
types.
Examples:
access-list 101 permit ip any any
access-list 101 deny tcp ftp any any
access-list access-list-number remark Adds a comment to the specified ACL. Enter up to 256
characters. Note that quotation marks are not required.
Examples:
access-list 10 remark Allows all IP traffic
access-list 102 remark Blocks icmp traffic
exit Exits the Global Configuration Mode and returns to the
Privileged Exec Mode.
interface {ethernet | fastethernet | Invokes the Interface Configuration Mode (see page
gigabitethernet} slot/port 25-11) for the specified interface.
Examples:
interface ethernet 1/24
interface gigabitethernet 1/48
ip access-list {standard | extended} Creates a named ACL and invokes the Access List Con-
access-list-name figuration Mode (see page 25-12).
no ip access-list {standard | extended} Use the no form of this command to remove a named
access-list-name ACL.
Examples:
ip access-list standard TestACL1
ip access-list extended TestACL2
no ip access-list standard TestACL1
Command Description
ip access-list resequence access-list-name Renumbers the permit and deny statements in the
starting-sequence-number increment named ACL using the specified starting sequence num-
ber and increment value.
Examples:
ip access-list resequence TestACL1 10 10
ip access-list resequence TestACL2 1 4
ip access-list resequence 102 20 10
time-range time-range-name Creates a time range with the specified name and
invokes the Time Range Configuration Mode.
no time-range time-range-name
Examples:
time-range range1
no time-range range1
Command Description
ip access-group {number | name} {in | out} Associates the specified ACL number or name as an
incoming or outgoing filter. The ACL is applied to the
no ip access-group {number | name} {in | out} slot/port that was specified with the interface command.
Examples:
ip access-group 10 in
ip access-group acl_out_1 out
no ip access-group 10 in
end Exits the Interface Configuration Mode and returns to
the Privileged Exec Mode.
exit Exits the Interface Configuration Mode and returns to
the Global Configuration Mode.
Command Description
[sequence number] {permit | deny} Creates an ACL entry for the active named standard
{source source-wildcard | host address | ACL. The optional sequence number parameter specifies
any} the number assigned to the entry. If a number is not spec-
ified with this command, the next available number is
no [sequence number] used.
no {permit | deny} source [source-wildcard] Repeat this command for each additional entry that you
want to add to the active named ACL.
Examples:
permit any
permit 10.0.0.0 0.255.255.255
deny host 198.172.10.2
no permit any
Command Description
[sequence number] {permit | deny} Creates an ACL entry for the active named extended
protocol ACL. The optional sequence number parameter specifies
{source source-wildcard | host address | any} the number assigned to the entry. If a number is not spec-
[operator [port]] ified with this command, the next available number is
{destination destination-wildcard | used.
host address | any}
[operator [port]] Repeat this command for each additional entry that you
[established] want to add to the active named ACL.
[precedence precedence]
[tos tos] Use the no forms of this command to remove the speci-
[log | log-input] fied ACL entries.
[time-range time-range-name]
Note: The operator and established parameters are only
no [sequence number] used for TCP/UDP ACLs.
no deny protocol source source-wildcard See Supported Protocols and Services on page 25-15
destination destination-wildcard for a list of supported IP protocols and TCP/UDP service
types.
no permit
protocol Examples:
{source source-wildcard | host address | any} permit ip any any
[operator [port]] deny tcp ftp any any
{destination destination-wildcard | no ip any any
host address | any}
[operator [port]]
[established]
[precedence precedence]
[tos tos]
[log | log-input]
[time-range time-range-name]
remark remark Adds a comment to the active ACL. Enter up to 256
characters.
Examples:
remark ACL filters icmp traffic on any host.
end Exits the Access List Configuration Mode and returns to
the Privileged Exec Mode.
exit Exits the Access List Configuration Mode and returns to
the Global Configuration Mode.
Command Description
absolute [start time date] [end time date] Defines an absolute range of time for an ACL. Note that
only one period (absolute or periodic) for each time
no absolute range is supported.
Examples:
absolute start 12:30 1 january 2006 end 16:00 31
december 2006
periodic days-of-the-week hh:mm to [days-of- Defines a recurring range of time for an ACL. Note that
the-week] hh:mm only one period (absolute or periodic) for each time
range is supported.
no periodic days-of-the-week hh:mm to [days-
of-the-week] hh:mm Use the no form of this command to remove the range.
Examples:
periodic monday wednesday friday 10:00 to 16:00
end Exits the Time Range Configuration Mode and returns to
the Privileged Exec Mode.
exit Exits the Time Range Configuration Mode and returns to
the Global Configuration Mode.
Configuring a read-only access to the policy domain or QoS command set only allows the user access to
the following ACLMAN shell commands:
clear
exit
show access-lists
show ip interface
show logging
show resources
show running-config
show time-range
When creating extended TCP ACLs, enter one of the following supported TCP service types for the
required port parameter value. Note that using the port number to specify the service instead of the service
name is also allowed.
When creating extended UDP ACLs, enter one of the following supported UDP service types for the
required port parameter value. Note that using the port number to specify the service instead of the service
name is also allowed.
Configuring ACLs
This section describes using ACLMAN functionality to configure and apply common industry ACLs on an
Alcatel switch. For more information about using the Alcatel CLI to configure and manage ACLs, see
Chapter 24, Configuring QoS,.
To configure a common industry ACL, the following general steps are required:
1 Create an ACL. Use Global Configuration Mode commands to create numbered or named standard
and extended ACLs. In addition, importing of ACL text files is also supported. See ACL Configuration
Methods and Guidelines on page 25-16 for more information.
2 Apply the ACL to a switch interface. Use the interface command in the Global Configuration Mode
to associate an ACL as an incoming or outgoing filter for a specific switch interface.
3 Save the ACL configuration. Use the write memory command in the Privileged Exec Mode to save
the ACL configuration to the aclman.cfg file. See Saving the ACL Configuration on page 25-20 for
more information.
For a quick tutorial on how to configure ACLs, see Quick Steps for Creating ACLs on page 25-3. For a
description of ACLMAN command modes and syntax, see ACLMAN Modes and Commands on
page 25-8.
If a wildcard mask is not specified for an IP address used in an ACL, the mask value defaults to 0.0.0.0.
The order of permit and deny statements within an ACL is very important because statements are
processed in order.
A named standard ACL cannot have the same name as that of an existing extended ACL. The reverse
is also true; named extended ACLs cannot use a name already assigned to a standard ACL.
ACL names are truncated to 16 characters.
When a number is specified for an ACL remark entry, ACL entries are renumbered after a switch
reboot. For example:
Goodbye
->aclman
Aclman#show ip access-lists Test10
Extended IP access list Test10
10 remark This ACL permits any 10.0.0.0 traffic
20 remark This ACL denys all 20.0.0.0 traffic
30 permit ip host 10.0.0.0 any
40 deny ip host 20.0.0.0 any
Aclman#
The range of 100199 and 20002699 is reserved for extended ACLs. For example, the following
command creates an extended ACL:
Aclman#(config)access-list 102 permit ip any any
To add additional entries to the same ACL, specify the assigned number of the ACL that you want to
modify. For example, the following commands add entries to standard ACL 102:
To remove a numbered ACL, use the no form of the access-list command. Note that removing a single
entry from a standard ACL is not allowed without deleting the entire ACL. To avoid having to re-enter an
entire ACL each time a change is required, use one of the following configuration methods:
Create a named ACL instead of a numbered ACL. Removing individual ACL entries is allowed with-
out having to remove and re-enter the entire ACL. See Configuring Named Standard and Extended
ACLs on page 25-19 for more information.
Create the numbered ACL configuration in a text file and use the Privileged Exec Mode import
command to load the text file syntax into the ACLMAN running configuration. Then each time a
change is required for this ACL, simply edit the text file and import the file contents into the
ACLMAN configuration. For more information about importing ACL text files, see Importing ACL
Text Files on page 25-21.
The ip access-list command also invokes the Access List Configuration Mode, which is used to create
ACL entries for the named ACL. For example:
Aclman(config)#ip access-list standard Test1
Aclman(config-std-nacl#permit any
Aclman(config-std-nacl)#deny host 12.255.10.58
Aclman(config-std-nacl)#exit
Aclman(config)#
Note that it is possible to add and remove named ACL entries without having to delete and re-enter the
entire ACL configuration. For example:
Aclman(config)#ip access-list extended Test2
Aclman(config-ext-nacl)#permit ip any any
Aclman(config-ext-nacl)#permit udp host 198.172.10.4 any
Aclman(config-ext-nacl)#permit tcp host 11.22.3.1 any
Aclman(config-ext-nacl)#end
Aclman#configure terminal
Aclman(config)#ip access-list extended Test2
Aclman(config-ext-nacl)#no permit ip any any
Aclman(config-ext-nacl)#permit ip any 172.10.5.0 0.0.255.255
Aclman(config-ext-nacl)#end
In the above example, the permit ip any any entry is removed from the Test2 extended ACL. A new
entry, permit ip any 172.10.5.0 0.0.255.255, is then added to the same ACL. Note that new entries are
added to the end of the access list by default. However, it is possible to specify a sequence number with
the new ACL statement to position the statement at a desired location within the ACL. For example,
Aclman(config)#ip access-list extended Test 2
Aclman(config-ext-nacl)#15 deny tcp any any
Aclman(config-ext-nacl)#end
In the above example, the deny tcp any any entry was assigned sequence number 15, which positioned
the entry between statements 10 and 20.
Note. Note that ACLs are not applied to the switch until they are associated with a switch interface.
Note. Issuing a write memory command is required to preserve the ACLMAN running configuration
across switch reboots.
By default ACLMAN looks in the /flash directory on the switch for the filename specified with the
import command. If the file is in any other directory, specify the path where the text file is located along
with the filename. For example, the following command imports the ext_acl102 file located in the work-
ing directory on the switch:
Aclman#import working/std_acl102
Note that any errors encountered when importing the contents of a text file into the ACLMAN configura-
tion are logged to an aclman.cfg.1.err file on the switch. If this file already exists, then the error filename
number is incremented by a value of one (e.g., aclman.cfg.2.err, aclman.cfg.3.err) for each new error log
file that is created.
Importing ACL statements from a text file updates the ACLMAN running configuration. Use the write
memory command in the Privileged Exec Mode to save the updated running configuration to the
aclman.cfg file. This will add the imported statements to the ACLMAN startup configuration.
Note. Issuing a write memory command is required to preserve the ACLMAN running configuration
across switch reboots.
show policy condition Displays information about all pending and applied policy conditions or
a particular policy condition configured on the switch. Use the applied
keyword to display information about applied conditions only.
show policy action Displays information about all pending and applied policy actions or a
particular policy action configured on the switch. Use the applied key-
word to display information about applied actions only.
show policy rule Displays information about all pending and applied policy rules or a par-
ticular policy rule.
show active policy rule Displays the pending and applied policy rules that are active (enabled)
on the switch.
show qos config Displays global QoS configuration parameters.
When a show command is used to display output for all pending and applied policy configuration, the
following characters may appear in the display:
character definition
+ Indicates that the policy rule has been modified or has
been created since the last qos apply.
- Indicates the policy object is pending deletion.
# Indicates that the policy object differs between the pend-
ing/applied objects.
Alcatels QoS software provides a way to manipulate flows coming through the switch based on user-
configured policies. The flow manipulation (generally referred to as Quality of Service or QoS) may be as
simple as allowing/denying traffic, or as complicated as remapping 802.1p bits from a Layer 2 network to
ToS values in a Layer 3 network.
While policies may be used in many different types of network scenarios, there are several typical types
discussed in this chapter:
Basic QoSincludes traffic prioritization and bandwidth shaping
ICMP policiesincludes filtering, prioritizing, and/or rate limiting ICMP traffic for security
Access Control Lists (ACLs)ACLs are a specific type of QoS policy used for Layer 2 and
Layer 3/4 filtering. Since filtering is used in many different network situations, ACLs are described in a
separate chapter (see Chapter 27, Configuring ACLs).
In This Chapter
This chapter describes QoS in general and how policies are used on the switch. It provides information
about configuring QoS through the Command Line Interface (CLI). CLI commands are used in the config-
uration examples; for more details about the syntax of commands, see the OmniSwitch CLI Reference
Guide.
Configuration procedures described in this chapter include:
Setting up global QoS parameters (see page 26-13)
Setting up policy components, such as policy conditions and actions (see page 26-25)
Note. Policies may also be configured through the PolicyView NMS application and stored on an attached
LDAP server. LDAP policies are downloaded to the switch and managed via the Policy Manager feature
in the switch. For more information about managing LDAP policies, see Chapter 24, Managing Policy
Servers.
QoS Specifications
Note. The QoS functionality described in this chapter is supported on the OmniSwitch 6800, 6850, and
9000 switches unless otherwise stated in the following Specifications table or specifically noted within any
other section of this chapter.
OmniSwitch
email server
Note. Polices may be only be modified using the same source used to create them. Policies configured
through PolicyView may only be edited through PolicyView. Policies created directly on the switch
through the CLI or WebView may only be edited on the switch. Policies may be created through the CLI
or WebView, however, to override policies created in PolicyView. And vice versa.
This chapter discusses policy configuration using the CLI. For information about using WebView to
configure the switch, see the OmniSwitch 6800/6850/9000 Switch Management Guide. For information
about configuring policies through PolicyView, see the PolicyView online help.
Valid Policies
The switch does not allow you to create invalid condition/action combinations; if you enter an invalid
combination, an error message will display.
A list of valid condition and condition/action combinations is given in Condition Combinations on
page 26-6 and Action Combinations on page 26-8.
It is possible to configure a valid QoS rule that is active on the switch, however the switch is not able to
enforce the rule because some other switch function (for example, routing) is disabled. See the condition
and condition/action combinations tables for more information about valid combinations (Condition
Combinations on page 26-6 and Action Combinations on page 26-8).
Condition Combinations
The CLI prevents you from configuring invalid condition combinations that are never allowed; however, it
does allow you to create combinations that are supported in some scenarios. For example, you might
configure source ip and a destination ip for the same condition.
The following conditions are supported and may be combined with other conditions and/or actions:
Layer 1source port, source port group, destination port, destination port group.
Layer 2source MAC, source MAC group, destination MAC, destination MAC group, 802.1p, ether-
type, source VLAN, destination VLAN (multicast policies only).
Layer 3IP protocol, source IP, multicast IP, destination IP, source network group, destination
network group, multicast network group, ToS, DSCP, ICMP type, ICMP code.
Layer 4source TCP/UDP port, destination TCP/UDP port, service, service group, TCP flags (except
for ECN and CWR).
IP MulticastAn IP multicast condition is used in IGMP ACLs. The multicast IP is the multicast
group address used in the IGMP report packet.
Note the following:
The 802.1p and source VLAN conditions are the only Layer 2 conditions allowed in combination with
Layer 4 conditions.
The Layer 1 destination port condition only applies to bridged traffic, not routed traffic. This restric-
tion does not apply to the OmniSwitch 6800.
The IP multicast condition works in combination with Layer 1, Layer 2, and Layer 3 destination condi-
tions only if these conditions specify the device that sends the IGMP report packet.
Source and destination parameters can be combined in Layer 2, Layer 3, and Layer 4 conditions.
Individual items and their corresponding groups cannot be combined in the same condition. For exam-
ple, a source IP address cannot be included in a condition with a source IP network group.
Layer 2 and Layer 3 rules are always effected on bridged and routed traffic. As a result, combining
source or destination TCP/UDP port and IP protocol in a condition is allowed.
In a given rule, ToS or DSCP may be specified for a condition with priority specified for the action.
Use the following policy condition combinations table as a guide when configuring policy conditions. For
more information about policy action combinations, see Action Combinations on page 26-8.
IP Multicast
Layer 1 Layer 2 Layer 3* Layer 4* (IGMP)
Layer 1 All All All All destination only
*IP multicast traffic (not IGMP) is treated as regular traffic; QoS functionality works the same way
with this type of traffic, with the exception that the destination port condition does not apply.
Action Combinations
The CLI prevents you from configuring invalid action combinations that are never allowed; however, it
does allow you to create combinations that are supported in some scenarios. For example, an action speci-
fying maximum bandwidth may be combined with an action specifying priority.
The following actions are supported and may be combined with other actions:
ACL (disposition drop)
Priority
Maximum Bandwidth
Link Aggregate Redirection (not supported on the OmniSwitch 6800 and 6850)
Use the following policy action combinations table as a guide when creating policy rules. For more infor-
mation about policy condition combinations, see Condition Combinations on page 26-6.
Redirect Redirect
Drop Priority Stamp/Map Max BW Port Linkagg
Drop N/A No No No No No
Note that the minimum bandwidth action is not included in the list of actions because it is no longer
supported on the OmniSwitch 6800 and is not supported on the OmniSwitch 6850 or 9000.
QoS Defaults
The following tables list the defaults for global QoS parameters, individual port settings, policy rules, and
default policy rules.
Note that in the current software release, the deny and drop options produce the same effect that is, the
traffic is silently dropped.
Enabling/Disabling QoS
By default QoS is enabled on the switch. If QoS policies are configured and applied, the switch will
attempt to classify traffic and apply relevant policy actions.
To disable the QoS, use the qos command. For example:
-> qos disable
QoS is immediately disabled. When QoS is disabled globally, any flows coming into the switch are not
classified (matched to policies).
To re-enable QoS, enter the qos command with the enable option:
-> qos enable
QoS is immediately re-enabled. Any policies that are active on the switch will be used to classify traffic
coming into the switch.
Note that individual policy rules may be enabled or disabled with the policy rule command.
To activate the setting, enter the qos apply command. For more information about the qos apply
command, see Applying the Configuration on page 26-47.
Typically, the disposition is only configured when you are using policies for Access Control Lists (ACLs).
Note that if you set qos default bridged disposition to deny, you effectively drop all Layer 2 traffic that
does not match any policy. If you want to create ACLs to allow some Layer 2 traffic through the switch,
you must configure two rules for each type of Layer 2 traffic, one for source and one for destination. For
more information about ACLs, see Chapter 27, Configuring ACLs.
For more information about the available queuing schemes and configuring the servicing mode for indi-
vidual ports, see Prioritizing and Queue Mapping on page 26-19.
To display information about any QoS rules on the switch, enter debug qos rule:
-> debug qos rules
To change the type of debugging, use no with the relevant type of information that you want to remove.
For example:
-> debug qos no rule
To turn off debugging (which effectively turns off logging), enter the following:
-> no debug qos
The number of lines in the log is changed. To activate the change, enter the qos apply command.
Note. If you change the number of log lines, the QoS log may be completely cleared. To change the log
lines without clearing the log, set the log lines in the boot.cfg file; the log will be set to the specified
number of lines at the next reboot.
The log level is changed immediately but the setting is not saved in flash. To activate the change, enter the
qos apply command. For more information about the qos apply command, see Applying the Configura-
tion on page 26-47.
Note. A high log level value will impact the performance of the switch.
To activate the change, enter the qos apply command. For more information about the qos apply
command, see Applying the Configuration on page 26-47.
If event forwarding is disabled, PolicyView NMS applications will still be able to query the QoS software
for events, but the events will not be sent in real time.
To disable immediate forwarding of events to switch logging, enter the following command:
-> qos no log console
To activate the change, enter the qos apply command. For more information about the qos apply
command, see Applying the Configuration on page 26-47.
Use the swlog output command to configure switch logging to output logging events to the console. Note
that this is in addition to sending log events to a file in the flash file system of the switch. See the Using
Switch Logging chapter in the OmniSwitch 6800/6850/9000 Network Configuration Guide for more
information.
Insert rule 0
Rule index at 0
Insert rule 1
Rule index at 1
Insert rule 2
Rule index at 2
Enable rule r1 (1) 1,1
Enable rule r2 (0) 1,1
Enable rule yuba1 (2) 1,1
Verify rule r1(1)
Enable rule r1 (1) 1,1
Really enable r1
Update condition c1 for rule 1 (1)
Verify rule r2(1)
Enable rule r2 (0) 1,1
Really enable r2
Update condition c2 for rule 0 (1)
Verify rule yuba1(1)
Enable rule yuba1 (2) 1,1
Really enable yuba1
Update condition yubamac for rule 2 (1)
QoS Manager started TUE MAR 10 13:46:50 2002
Match rule 2 to 1
Match rule 2 to 2
Match rule 2 to 3
The log display may be modified through the qos log lines, qos log level, and debug qos commands. The
log display may also be output to the console through the qos log console command or sent to the policy
software in the switch (which manages policies downloaded from an LDAP server) through the qos
forward log command.
The switch may bridge and route traffic to the same destination.
Note that Layer 3 ACLs are effected on bridged IP traffic and Layer 2 ACLs are effected on routed traffic.
Statistics are displayed through the show qos statistics command. For more information about this
command, see the OmniSwitch CLI Reference Guide.
Note. The qos reset command only affects the global configuration. It does not affect any policy configu-
ration.
show qos config Displays global information about the QoS configuration.
show qos statistics Displays statistics about QoS events.
For more information about the syntax and displays of these commands, see the OmniSwitch CLI Refer-
ence Guide.
Shared Queues
Eight priority queues are available at startup for each port. Flows always share queues; however, when a
shared action is specified in policies, the policies will use the same values to implement maximum and
minimum bandwidth.
Note that the OmniSwitch 6800 also has eight priority queues per port but that two of these queues are
reserved for internal use and are not available
The higher the queue weight assigned to a DRR queue, the higher the percentage of traffic that is
serviced by that queue. For example, a queue with a weight of three will send four times as much traf-
fic as a queue with a weight of one.
The queuing scheme selected is the scheme that is used to shape traffic on destination (egress) ports and is
referred to as the QoS servicing mode for the port. It is possible to configure a default servicing mode that
will apply to all switch ports (see Setting the Global Default Servicing Mode on page 26-14) or config-
ure the servicing mode on an individual port basis (see Configuring the Servicing Mode for a Port on
page 26-21).
Note that the QoS servicing mode only applies to destination ports because it is at this point where traffic
shaping is effected on the flows. In addition, different ports can use different servicing modes.
The following command selects the WRR scheme for port 1/8:
-> qos port 1/8 servicing mode wrr
In the above example, a weight for each of the eight WRR queues was not specified; therefore, the default
value of 1 is used for each queue. The following example selects the WRR scheme for port 1/10 and
assigns a weighted value to each queue:
-> qos port 1/10 servicing mode wrr 0 2 3 4 8 1 1 7
To reset the servicing mode for the port back to the global default mode, use the default parameter with
this command and do not specify a queueing scheme. For example,
-> qos port 1/10 servicing mode default
The qos default servicing mode command is used to set the global default queuing scheme that is used
for all ports. See Setting the Global Default Servicing Mode on page 26-14 for more information.
Note the following when configuring the port servicing mode:
The qos port servicing mode command overrides the default servicing mode configured with the qos
default servicing mode command.
Once the qos port servicing mode command is used on a port, this same command is required to make
any additional mode changes for that port. If the port is changed back to the default servicing mode,
however, this restriction is removed and the qos default servicing mode command is also allowed on
the port.
Note that specifying both the minimum and maximum bandwidth value is allowed on the same command
line. Configuring the bandwidth values for different queues requires a separate command for each queue.
Note about mobile ports. Mobile ports cannot be Q-tagged like fixed ports; however, a mobile port will
join a tagged VLAN if tagged traffic for that VLAN comes in on the mobile port and the vlan mobile-tag
command is enabled for that VLAN. For more information about enabling this command, see Chapter 5,
Configuring VLANs.
Ports must be both trusted and configured for 802.1Q traffic in order to accept 802.1p traffic.
The following applies to ports that are trusted (for 802.1p traffic, the ports must also be able to accept
802.1Q packets):
The 802.1p or ToS/DSCP value is preserved.
If the incoming 802.1p or ToS/DSCP flow does not match a policy, the switch places the flow into a
default queue and prioritizes the flow based on the 802.1p or ToS/DSCP value in the flow.
If the incoming 802.1p or ToS/DSCP flow matches a policy, the switch queues the flow based on the
policy action.
The switch may be set globally so that all ports are trusted. Individual ports may be configured to override
the global setting.
To configure individual ports as trusted, use the qos port trusted command with the desired slot/port
number. For example:
-> qos port 3/2 trusted
The global setting is active immediately; however, the port setting requires qos apply to activate the
change. For more information about the qos apply command, see Applying the Configuration on
page 26-47.
To activate the configuration, enter the qos apply command. For more information about the qos apply
command, see Applying the Configuration on page 26-47.
For actions that set 802.1p bits, note that a limited set of policy conditions are supported. For information
about which conditions may be used with an 802.1p action, see Condition Combinations on page 26-6
and Action Combinations on page 26-8.
Note. 802.1p mapping may also be set for Layer 3 traffic, which typically has the 802.1p bits set to zero.
show qos port Displays information about all QoS ports or a particular port.
show qos queue Displays information for all QoS queues or only those queues associated
with a particular slot/port.
See the OmniSwitch CLI Reference Guide for more information about the syntax and displays for these
commands.
Creating Policies
This section describes how to create policies in general. For information about configuring specific types
of policies, see Policy Applications on page 26-50.
Basic commands for creating policies are as follows:
policy condition
policy action
policy rule
This section describes generally how to use these commands. See Policy Applications on page 26-50
For additional details about command syntax, see the OmniSwitch CLI Reference Guide.
Note. A policy rule may include a policy condition or a policy action that was created through Policy-
View rather than the CLI. But a policy rule, policy action, or policy condition may only be modified
through the source that created it. For example, if an action was created in PolicyView, it may be included
in a policy rule configured through the CLI, but it cannot be modified through the CLI.
Policies are not used to classify traffic until the qos apply command is entered. See Applying the Config-
uration on page 26-47.
To view information about how the switch will classify particular condition parameters, use the show
policy classify command. This is useful to test conditions before actually activating the policies on the
switch. See Testing Conditions on page 26-33.
Note. (Optional) Test the rule with the show policy classify command using information from the policy
condition. For example:
-> show policy classify l3 source ip 10.10.2.3
This command displays information about whether or not the indicated parameter may be used to classify
traffic based on policies that are configured on the switch.
2 Create a policy action with the policy action command. For example:
-> policy action action2 priority 7
3 Create a policy rule with the policy rule command. For example:
-> policy rule my_rule condition cond3 action action2
4 Use the qos apply command to apply the policy to the configuration. For example:
-> qos apply
Note. (Optional) To verify that the rule has been configured, use the show policy rule command. The
display is similar to the following:
-> show policy rule
Policy From Prec Enab Act Refl Log Trap Save
r1 cli 0 Yes Yes No No Yes Yes
(L2/3): cond1 -> action1
This command displays information about whether or not the indicated parameter may be used to classify
traffic based on policies that are configured on the switch. For more information about this display, see
Verifying Policy Configuration on page 26-32.
An example of how the example configuration commands might display when entered sequentially on the
command line is given here:
-> policy condition cond3 source ip 10.10.2.3
-> policy action action2 priority 7
-> policy rule my_rule condition cond3 action action2
-> qos apply
ASCII-File-Only Syntax
When the policy rule, policy condition, and policy action commands as well as any of the condition
group commands are configured and saved in an ASCII file (typically through the snapshot command),
the commands included in the file will include syntax indicating the commands origin. The origin speci-
fies where the rule, condition, condition group, or action was created, either an LDAP server or the CLI
(from ldap or from cli). For built-in QoS objects, the syntax displays as from blt. For example:
-> policy action A2 from ldap disposition accept
The from option is configurable (for LDAP or CLI only) on the command line; however, it is not recom-
mended that a QoS objects origin be modified. The blt keyword indicates built-in; this keyword cannot be
used on the command line. For information about built-in policies and QoS groups, see How Policies Are
Used on page 26-4.
Note. Policy condition configuration is not active until the qos apply command is entered. See Applying
the Configuration on page 26-47.
To create or modify a policy condition, use the policy condition command with the keyword for the type
of traffic you want to classify, for example, an IP address or group of IP addresses. In this example, a
condition (c3) is created for classifying traffic from source IP address 10.10.2.1:
-> policy condition c3 source ip 10.10.2.1
There are many options for configuring a condition, depending on how you want the switch to classify
traffic for this policy. An overview of the options is given here. Later sections of this chapter describe how
to use the options in particular network situations.
Note. The group options in this command refer to groups of addresses, services, or ports that you config-
ure separately through policy group commands. Rather than create a separate condition for each address,
service, or port, use groups and attach the group to a single condition. See Using Condition Groups in
Policies on page 26-35 for more information about setting up groups.
More than one condition parameter may be specified. Some condition parameters, such as are mutually
exclusive. For supported combinations of condition parameters, see Condition Combinations on
page 26-6.
The condition will not be active on the switch until you enter the qos apply command.
The specified parameter (in this case, a source IP address) will be removed from the condition (c3) at the
next qos apply.
Note. You cannot remove all parameters from a policy condition. A condition must be configured with at
least one parameter.
The condition (c3) cannot be deleted if it is currently being used by a policy rule. If a rule is using the
condition, the switch will display an error message. For example:
ERROR: c3 is being used by rule my_rule
In this case, the condition will not be deleted. The condition (c3) must first be removed from the policy
rule (my_rule). See Creating Policy Rules on page 26-29 for more information about setting up rules.
If c3 is not used by a policy rule, it will be deleted after the next qos apply.
In this example, the action (Block) has a disposition of drop (disposition determines whether a flow is
allowed or dropped on the switch). This action may be used in a policy rule to deny a particular type of
traffic specified by a policy condition.
Note. Policy action configuration is not active until the qos apply command is entered. See Applying the
Configuration on page 26-47.
More than one action parameter may be specified. Some parameters may be mutually exclusive. In addi-
tion, some action parameters are only supported with particular condition parameters. For information
about supported combinations of condition and action parameters, see Condition Combinations on
page 26-6 and Action Combinations on page 26-8. See the OmniSwitch CLI Reference Guide for details
about command syntax.
Note. If you combine priority with 802.1p, dscp, tos, or map, in an action, the priority value is used to
prioritize the flow.
This example removes the configured priority value from action a6. If any policy rule is using action a6,
the default action will be to allow the flow classified by the policy condition.
The specified parameter (in this case, priority) will be removed from the action at the next qos apply.
The action cannot be deleted if it is currently being used by a policy rule. If a rule is using the action, the
switch will display an error message. For example:
ERROR: a6 is being used by rule my_rule
In this case, the action will not be deleted. The action (a6) must first be removed from the policy rule
(my_rule). See Creating Policy Rules on page 26-29 for more information about setting up rules.
If a6 is not used by a policy rule, it will be deleted after the next qos apply.
The rule (rule5) will only take effect after the qos apply command is entered. For more information about
the qos apply command, see Applying the Configuration on page 26-47.
The policy rule command may specify the following keywords:
In addition, a policy rule may be administratively disabled or re-enabled using the policy rule command.
By default rules are enabled. For a list of rule defaults, see Policy Rule Defaults on page 26-10.
Information about using the policy rule command options is given in the next sections.
Note the following when using validity periods to restrict the times when a rule is active:
Only one validity period is associated with a policy rule. Each time this command is entered with a
validity period name specified, the existing period name is overwritten with the new one.
A rule is only in effect when all the parameters of its validity period are true. In the above example,
rule r01 is only applied between 13:00 and 19:00 on Mondays and Fridays. During all other times and
days, the rule is not applied.
Software and hardware resources are allocated for rules associated with a validity period even if the
validity period is not active. Pre-allocating the resources makes sure the rule can be enforced when the
validity period becomes active.
Disabling Rules
By default, rules are enabled. Rules may be disabled or re-enabled through the policy rule command using
the disable and enable options. For example:
-> policy rule rule5 disable
Rule Precedence
The switch attempts to classify flows coming into the switch according to policy precedence. Only the rule
with the highest precedence will be applied to the flow. This is true even if the flow matches more than
one rule.
Precedence is particularly important for Access Control Lists (ACLs). For more details about precedence
and examples for using precedence, see Chapter 27, Configuring ACLs.
Saving Rules
The save option marks the policy rule so that the rule will be captured in an ASCII text file (using the
configuration snapshot command) and saved to the working directory (using the write memory
command or copy running-config working command). By default, rules are saved.
If the save option is removed from a rule, the qos apply command may activate the rule for the current
session, but the rule will not be saved over a reboot. Typically, the no save option is used for temporary
policies that you do not want saved in the switch configuration file.
To remove the save option from a policy rule, use no with the save keyword. For example:
-> policy rule rule5 no save
To reconfigure the rule as saved, use the policy rule command with the save option. For example:
-> policy rule rule5 save
For more information about the configuration snapshot, write memory, and copy running-config work-
ing commands, see the OmniSwitch 6800/6850/9000 Switch Management Guide and the OmniSwitch CLI
Reference Guide.
For more information about applying rules, see Applying the Configuration on page 26-47.
Logging Rules
Logging a rule may be useful for determining the source of firewall attacks. Note that logging rules is not
supported on the OmniSwitch 6800.
To specify that the switch should log information about flows that match the specified policy rule, use the
policy rule command with the log option. For example:
-> policy rule rule5 log
To stop the switch from logging information about flows that match a particular rule, use no with the log
keyword. For example:
-> policy rule rule5 no log
Deleting Rules
To remove a policy rule, use the no form of the command.
-> no policy rule rule1
show policy condition Displays information about all pending and applied policy conditions or
a particular policy condition configured on the switch. Use the applied
keyword to display information about applied conditions only.
show policy action Displays information about all pending and applied policy actions or a
particular policy action configured on the switch. Use the applied key-
word to display information about applied actions only.
show policy rule Displays information about all pending and applied policy rules or a par-
ticular policy rule. Use the applied keyword to display information
about applied rules only.
show active policy rule Displays applied policy rules that are active (enabled) on the switch.
When the command is used to show output for all pending and applied policy configuration, the following
characters may appear in the display:
character definition
+ Indicates that the policy rule has been modified or has
been created since the last qos apply.
- Indicates the policy object is pending deletion.
# Indicates that the policy object differs between the pend-
ing/applied objects.
For example:
The above display indicates that my_rule is inactive and is not used to classify traffic on the switch (the
Inact field displays Yes). The rule my_rule5 has been configured since the last qos apply command was
entered, as indicated by the plus (+) sign. The rule will not be used to classify traffic until the next qos
apply. Only mac1 is actively being used on the switch to classify traffic.
To display only policy rules that are active (enabled and applied) on the switch, use the show active
policy rule command. For example:
-> show active policy rule
Policy From Prec Enab Act Refl Log Trap Save Matches
mac1 cli 0 Yes Yes No No Yes Yes 0
{L2/3}: dmac1 -> pri2
In this example, the rule my_rule does not display because it is inactive. Rules are inactive if they are
administratively disabled through the policy rule command, or if the rule cannot be enforced by the
current hardware. Although my_rule5 is administratively active, it is still pending and not yet applied to
the configuration. Only mac1 is displayed here because it is active on the switch.
See the OmniSwitch CLI Reference Guide for more information about the output of these commands.
Testing Conditions
Before applying policies to the configuration through the qos apply command, you may want to see how
the policies will be used to classify traffic. Or you may want to see how theoretical traffic would be classi-
fied by policies that are already applied on the switch.
Use the show policy classify commands to see how the switch will classify certain condition parameters.
This command is used to examine the set of pending policies only. Use the applied keyword with the
command to examine the applied set of policies only. The command includes a keyword (l2, l3,
multicast) to indicate whether the Layer 2, Layer 3, or multicast classifier should be used to classify the
traffic.
The keywords used with these commands are similar to the keywords used for the policy condition
command. The keyword should be relevant to the type of traffic as listed in the table here:
show policy classify l2 show policy classify l3 show policy classify multicast
source port source port multicast ip
destination port destination port destination port
source mac source ip destination mac
destination mac destination ip destination vlan (multicast only)
source vlan ip protocol destination ip
source ip port
destination ip port
tos
dscp
To test a theoretical condition against the set of pending policies, enter the command and the relevant
keyword and value. The switch will display information about the potential traffic and attempt to match it
to a policy (pending policies only). For example:
-> show policy classify l2 destination mac 08:00:20:d1:6e:51
Packet headers:
L2:
*Port : 0/0 -> 0/0
*IfType : any -> any
*MAC : 000000:000000 -> 080020:D1E51
*VLAN : 0 -> 0
*802.1p : 0
L3/L4:
*IP : 0.0.0.0 -> 0.0.0.0
*TOS/DSCP : 0/0
The display shows Layer 2 or Layer 3 information, depending on what kind of traffic you are attempting to
classify. In this example, the display indicates that the switch found a rule, yuba, to classify destination
traffic with the specified Layer 2 information.
To test a theoretical condition against the set of applied policies, enter the command with the applied
keyword. The switch will display information about the potential traffic and attempt to match it to a policy
(applied policies only). For example:
-> show policy classify l3 applied source ip 143.209.92.131 destination ip
198.60.82.5
Packet headers:
L2:
*Port : 0/0 -> 0/0
*IfType : any -> any
*MAC : 000000:000000 -> 000000:000000
*VLAN : 0 -> 0
*802.1p : 0
L3/L4:
*IP : 143.209.92.131 -> 198.60.82.5
*TOS/DSCP : 0/0
In this example, the display indicates that the switch found an applied rule, r1, to classify Layer 3 flows
with the specified source and destination addresses.
To activate any policy rules that have not been applied, use the qos apply command. To delete rules that
have not been applied (and any other QoS configuration not already applied), use the qos revert
command. See Applying the Configuration on page 26-47.
ACLs
Access Control Lists (ACLs) typically use condition groups in policy conditions to reduce the number
of rules required to filter particular types of traffic. For more information about ACLs, see Chapter 27,
Configuring ACLs.
2 Attach the group to a policy condition. For more information about configuring conditions, see Creat-
ing Policy Conditions on page 26-27.
-> policy condition cond3 source network group netgroup1
Note. (Optional) Use the show policy network group command to display information about the network
group. Each type of condition group has a corresponding show command. For example:
-> show policy network group
Group Name: From Entries
Switch blt 4.0.1.166
10.0.1.166
See the OmniSwitch CLI Reference Guide for more information about the output of this display. See
Verifying Condition Group Configuration on page 26-43 for more information about using show
commands to display information about condition groups.
3 Attach the condition to a policy rule. (For more information about configuring rules, see Creating
Policy Rules on page 26-29.) In this example, action act4 has already been configured. For example:
-> policy rule my_rule condition cond3 action act4
4 Apply the configuration. See Applying the Configuration on page 26-47 for more information about
this command.
-> qos apply
Note. Network group configuration is not active until the qos apply command is entered.
In this example, a policy network group called netgroup2 is created with two IP addresses. No mask is
specified, so the IP addresses are assumed to be host addresses.
-> policy network group netgroup2 10.10.5.1 10.10.5.2
In the next example, a policy network group called netgroup3 is created with two IP addresses. The first
address also specifies a mask.
-> policy network group netgroup3 173.21.4.39 mask 255.255.255.0 10.10.5.3
In this example, the 173.201.4.39 address is subnetted, so that any address in the subnet will be included
in the network group. For the second address, 10.10.5.3, a mask is not specified; the address is assumed to
be a host address.
The network group may then be associated with a condition through the policy condition command. The
network group must be specified as a source network group or destination network group. In this
example, netgroup3 is configured for condition c4 as source network group:
-> policy condition c4 source network group netgroup3
To remove addresses from a network group, use no and the relevant address(es). For example:
-> policy network group netgroup3 no 173.21.4.39
This command deletes the 173.21.4.39 address from netgroup3 after the next qos apply.
To remove a network group from the configuration, use the no form of the policy network group
command with the relevant network group name. The network group must not be associated with any
policy condition or action. For example:
-> no policy network group netgroup3
If the network group is not currently associated with any condition or action, the network group
netgroup3 is deleted from the configuration after the next qos apply.
If a condition or an action is using netgroup3, the switch will display an error message similar to the
following:
ERROR: netgroup3 is being used by condition 'c4'
In this case, remove the network group from the condition first, then enter the no form of the policy
network group command. For example:
-> policy condition c4 no source network group
-> no policy network group netgroup3
The policy condition command removes the network group from the condition. (See Creating Policy
Conditions on page 26-27 for more information about configuring policy conditions.) The network group
will be deleted at the next qos apply.
Creating Services
Policy services are made up of TCP or UDP ports or port ranges. They include source or destination ports,
or both, but the ports must be the same type (TCP or UDP). Mixed port types cannot be included in the
same service.
Policy services may be associated with policy service groups, which are then associated with policy condi-
tions; or they may be directly associated with policy conditions.
To create a service, use the policy service command. With this command, there are two different methods
for configuring a service. You can specify the protocol and the IP port; or you can use shortcut keywords.
The following table lists the keyword combinations:
An IP protocol (TCP or UDP), source IP port and/or destination IP port (or port range) must be associated
with a service. IP port numbers are well-known port numbers defined by the IANA. For example, port
numbers for FTP are 20 and 21; Telnet is 23.
In this example, a policy service called telnet1 is created with the TCP protocol number (6) and the well-
known Telnet destination port number (23).
-> policy service telnet1 protocol 6 destination ip port 23
A shortcut for this command replaces the protocol and destination ip port keywords with destination
tcp port:
-> policy service telnet1 destination tcp port 23
In the next example, a policy service called ftp2 is created with port numbers for FTP (20 and 21):
-> policy service ftp2 protocol 6 source ip port 20-21 destination ip port 20
A shortcut for this command replaces the protocol, source ip port, and destination ip port keywords
with source tcp port and destination tcp port:
-> policy service ftp2 source tcp port 20-21 destination tcp port 20
Multiple services created through the policy service command may be associated with a policy service
group; or, individual services may be configured for a policy condition. If you have multiple services to
associate with a condition, configure a service group and attach it to a condition. Service groups are
described in Creating Service Groups on page 26-38.
Note. Service configuration is not active until the qos apply command is entered.
The ftp2 service is deleted from the configuration at the next qos apply if the service is not currently asso-
ciated with a policy condition or a service group.
In this example, a policy service group called serv_group is created with two policy services (telnet1 and
ftp2). The policy services were created with the policy service command. (See Creating Services on
page 26-37 for information about configuring policy services.)
Note. The policy service group can include only services with all source ports, all destination ports, or all
source and destination ports. For example, the group cannot include a service that specifies a source port
and another service that specifies a destination port.
The service group may then be associated with a condition through the policy condition command. For
example:
-> policy condition c6 service group serv_group
This command configures a condition called c6 with service group serv_group. All of the services speci-
fied in the service group will be included in the condition. (For more information about configuring condi-
tions, see Creating Policy Conditions on page 26-27.)
Note. Service group configuration must be specifically applied to the configuration with the qos apply
command.
To delete a service from the service group, use no with the relevant service name. For example:
-> policy service group serv_group no telnet1
In this example, the service telnet1 is removed from policy service group serv_group.
To delete a service group from the configuration, use the no form of the policy service group command.
The service group must not be associated with any condition. For example:
-> no policy service group serv_group
Service group serv_group will be deleted at the next qos apply. If serv_group is associated with a policy
condition, an error message will display instead. For example:
ERROR: serv_group is being used by condition 'c6'
In this case, remove the service group from the condition first; then enter the no policy service group
command. For example:
-> policy condition c6 no service group
-> no policy service group serv_group
The policy condition command removes the service group from the policy condition. (See Creating
Policy Conditions on page 26-27 for more information about configuring policy conditions.) The service
group will be deleted at the next qos apply.
This command creates MAC group macgrp2 with two MAC addresses. The first address includes a MAC
address mask, so that any MAC address starting with 08:00:20 will be included in macgrp2.
The MAC group may be then be associated with a condition through the policy condition command. Note
that the policy condition specifies whether the group should be used for source or destination. For exam-
ple:
-> policy condition cond3 source mac group macgrp2
This command creates a condition called cond3 that may be used in a policy rule to classify traffic by
source MAC addresses. The MAC addresses are specified in the MAC group. For more information about
configuring conditions, see Creating Policy Conditions on page 26-27.
Note. MAC group configuration is not active until the qos apply command is entered.
To delete addresses from a MAC group, use no and the relevant address(es):
-> policy mac group macgrp2 no 08:00:20:00:00:00
This command specifies that MAC address 08:00:20:00:00:00 will be deleted from macgrp2 at the next
qos apply.
To delete a MAC group, use the no form of the policy mac group command with the relevant MAC
group name. The group must not be associated with any policy condition. For example:
-> no policy mac group macgrp2
MAC group macgrp2 will be deleted at the next qos apply. If macgrp2 is associated with a policy condi-
tion, an error message will display instead:
ERROR: macgrp2 is being used by condition 'cond3'
In this case, remove the MAC group from the condition first; then enter the no policy mac group
command. For example:
-> policy condition cond3 no source mac group
-> no policy mac group macgrp2
The policy condition command removes the MAC group from the condition. See Creating Policy Condi-
tions on page 26-27 for more information about configuring policy conditions. The MAC group will be
deleted at the next qos apply.
The port group may then be associated with a condition through the policy condition command. Note that
the policy condition specifies whether the group should be used for source or destination. For example:
-> policy condition cond4 source port group techpubs
This command creates a condition called cond4 that may be used in a policy rule to classify traffic by
source port number. The port numbers are specified in the port group. For more information about config-
uring conditions, see Creating Policy Conditions on page 26-27.
Note. Port group configuration is not active until the qos apply command is entered.
To delete ports from a port group, use no and the relevant port number(s).
-> policy port group techpubs no 2/1
This command specifies that port 2/1 will be deleted from the techpubs port group at the next qos apply.
To delete a port group, use the no form of the policy port group command with the relevant port group
name. The port group must not be associated with any policy condition. For example:
-> no policy port group techpubs
The port group techpubs will be deleted at the next qos apply. If techpubs is associated with a policy
condition, an error message will display instead:
ERROR: techpubs is being used by condition 'cond4'
In this case, remove the port group from the condition first; then enter the no policy port group
command. For example:
-> policy condition cond4 no source port group
-> no policy port group techpubs
The policy condition command removes the port group from the policy condition. (See Creating Policy
Conditions on page 26-27 for more information about configuring policy conditions.) The port group will
be deleted at the next qos apply.
The show active policy rule command displays the number of packets that were dropped because they
exceeded the ingress bandwidth limit applied by a maximum bandwidth policy.
Note the following when configuring a bandwidth limit for egress ports:
Egress bandwidth limiting is done using a granularity of 64K bps.
It is also possible to configure a minimum and maximum bandwidth value for individual egress port
queues. See Configuring the Egress Queue Minimum/Maximum Bandwidth on page 26-22 for more
information.
The bandwidth limit configured using the qos port maximum bandwidth command takes precedence
over an egress queue limit configured on the same port.
The following subsections provide examples of ingress maximum bandwidth policies using both source
and destination port groups.
In this example, if both ports 1 and 2 are active ports, the 10000 bps maximum bandwidth is shared by
both ports. In other words, maximum bandwidth policies for port groups define a maximum bandwidth
value that is a total bandwidth amount for all ports, not an amount for each port.
In this example, the specified ports for pgroup2 span across two slots. As a result, the maximum band-
width limit specified by the policy action is increased to 20K for all of the ports. The bandwidth limit is
increased by multiplying the number of slots by the specified bandwidth value.
show policy network group Displays information about all pending and applied policy network
groups or a particular network group. Use the applied keyword to dis-
play information about applied groups only.
show policy service Displays information about all pending and applied policy services or a
particular policy service configured on the switch. Use the applied key-
word to display information about applied services only.
show policy service group Displays information about all pending and applied policy service
groups or a particular service group. Use the applied keyword to display
information about applied groups only.
show policy mac group Displays information about all pending and applied MAC groups or a
particular policy MAC group configured on the switch. Use the applied
keyword to display information about applied groups only.
show policy port group Displays information about all pending and applied policy port groups
or a particular port group. Use the applied keyword to display informa-
tion about applied groups only.
See the OmniSwitch CLI Reference Guide for more information about the syntax and output for these
commands.
When the command is used to show output for all pending and applied condition groups, the following
characters may appear in the display:
character definition
+ Indicates that the policy rule has been modified or has
been created since the last qos apply.
- Indicates the policy object is pending deletion.
# Indicates that the policy object differs between the pend-
ing/applied objects.
In the example shown here, netgroup1 is a new network group that has not yet been applied to the config-
uration.
-> show policy network group
Group Name: From Entries
Switch blt 4.0.1.166
10.0.1.166
143.209.92.166
192.85.3.1
When the qos apply command is entered, the plus sign (+) will be removed from netgroup1 in the
display. See Applying the Configuration on page 26-47 for more information about the qos apply
command.
2 Attach the map group to a policy action. See Creating Policy Actions on page 26-28 for more infor-
mation about creating policy actions.
-> policy action tosMap map tos to 802.1p using tosGroup
Note. (Optional) Use the show policy map group command to verify the map group.
-> show policy map group
Group Name From Entries
+tosGroup cli 1-2:5
4:5
5-6:7
For more information about this command, see Verifying Map Group Configuration on page 26-46 and
the OmniSwitch CLI Reference Guide.
3 Attach the action to a policy rule. In this example, the condition Traffic is already configured. For
more information about configuring rules, see Creating Policy Rules on page 26-29.
-> policy rule r3 condition Traffic action tosMap
4 Apply the configuration. For more information about this command, see Applying the Configuration
on page 26-47.
-> qos apply
The to and from values are separated by a colon (:). If traffic with 802.1p bits comes into the switch and
matches a policy that specifies the Map1 action, the bits will be remapped according to Group2. If the
incoming 802.1p value is 1 or 2, the value will be mapped to 5. If the incoming 802.1p value is 3, the
outgoing value will be 3 (the map group does not specify any mapping for a value of 3). If the incoming
802.1p value is 4, the value will be mapped to 5. If the incoming 802.1p value is 5 or 6, the value will be
mapped to 7.
When mapping to a different type of value, however (ToS/DSCP to 802.1p), any values in the incoming
flow that matches the rule but that are not included in the map group will be zeroed out. For example, the
following action specifies the same map group but instead specifies mapping 802.1p to ToS:
-> policy action Map2 map tos to 802.1p using Group2
In this case, if ToS traffic comes into the switch and matches a policy that specifies the Map2 action, the
ToS value will be mapped according to Group2 if the value is specified in Group2. If the incoming ToS
value is 2, the value will be mapped to 5; however, if the incoming value is 3, the switch will map the
value to zero because there is no mapping in Group2 for a value of 3.
Note. Ports on which the flow is mapped must be a trusted port; otherwise the flow will be dropped.
The to and from values are separated by a colon (:). For example, a value of 2 will be mapped to 5.
Note. Map group configuration is not active until the qos apply command is entered.
The remapping group may then be associated with a rule through the policy action command. In this
example, a policy condition called Traffic has already been configured.
-> policy action tosMap map tos to 802.1p using tosGroup
-> policy rule r3 condition Traffic action tosMap
To delete mapping values from a group, use no and the relevant values:
-> policy map group tosGroup no 1-2:4
The specified values will be deleted from the map group at the next qos apply.
To delete a map group, use the no form of the policy map group command. The map group must not be
associated with a policy action. For example:
-> no policy map group tosGroup
If tosGroup is currently associated with an action, an error message similar to the following will display:
ERROR: tosGroup is being used by action 'tosMap'
In this case, remove the map group from the action, then enter the no policy map group command:
-> policy action tosMap no map group
-> no policy map group tosGroup
Note. For Layer 2 flows, you cannot have more than one action that maps DSCP.
character definition
+ Indicates that the policy rule has been modified or has
been created since the last qos apply.
- Indicates the policy object is pending deletion.
# Indicates that the policy object differs between the pend-
ing/applied objects.
In the example here, a new map group, tosGroup, has not yet been applied to the configuration.
-> show policy map group
Group Name From Entries
+tosGroup cli 1-2:5
4:5
5-6:7
When the qos apply command is entered, the plus sign (+) will be removed from tosGroup in the display.
See Applying the Configuration on page 26-47 for more information about the qos apply command.
The qos apply command must be included in an ASCII text configuration file when QoS commands are
included. The command should be included after the last QoS command.
When the configuration is not yet applied, it is referred to as the pending configuration.
Global Commands. Many global QoS commands are active immediately on the switch without qos
apply. The settings configured by these commands will be active immediately. Other global commands
must specifically be applied. The commands are listed in the following table:
Port and Policy Commands. All port parameters and policy parameters must be applied with the qos
apply command.
The pending configuration is useful for reviewing policy rules before actually applying them to the switch.
The show policy classify commands may be used to review information about new conditions before they
are applied on the switch. See Testing Conditions on page 26-33.
Applied policy rules may also be administratively disabled (inactive). If a rule is administratively disabled,
the rule will exist in the applied configuration but will not be used to classify flows. For more information
about disabling/re-enabling a policy rule, see Creating Policy Rules on page 26-29.
This command ignores any pending policies (any additions, modifications, or deletions to the policy
configuration since the last qos apply) and writes the last applied policies to the pending configuration. At
this point, the pending policies are the same as the last applied policies.
In this example, there are two new pending policies and three applied policies:
If you enter qos revert, the configuration will then look like:
If you then enter qos apply, all policy information will be deleted.
In this example, there are two new pending policies and three applied policies:
If you enter qos flush, the configuration will then look like:
In this scenario, you can do one of two things. To write the applied policies back to the pending configura-
tion, use qos revert. Or, to delete all policy rule configuration, enter qos apply. If qos apply is entered,
the empty set of pending policies will be written to the applied policies and all policy rule configuration
will be deleted.
show policy condition Displays information about all pending and applied policy conditions or
a particular policy condition configured on the switch. Use the applied
keyword to display information about applied conditions only.
show policy action Displays information about all pending and applied policy actions or a
particular policy action configured on the switch. Use the applied key-
word to display information about applied actions only.
show policy rule Displays information about all pending and applied policy rules or a par-
ticular policy rule. Use the applied keyword to display information
about applied rules only.
show policy network group Displays information about all pending and applied policy network
groups or a particular network group. Use the applied keyword to dis-
play information about applied groups only.
show policy service Displays information about all pending and applied policy services or a
particular policy service configured on the switch. Use the applied key-
word to display information about applied services only.
show policy service group Displays information about all pending and applied policy service
groups or a particular service group. Use the applied keyword to display
information about applied groups only.
show policy mac group Displays information about all pending and applied MAC groups or a
particular policy MAC group configured on the switch. Use the applied
keyword to display information about applied groups only.
show policy port group Displays information about all pending and applied policy port groups
or a particular port group. Use the applied keyword to display informa-
tion about applied groups only.
show policy map group Displays information about all pending and applied policy map groups
or a particular map group. Use the applied keyword to display informa-
tion about applied groups only.
show policy classify Sends Layer 2, Layer 3, or multicast information to the classifier to see
how the switch will handle the packet. Use the applied keyword to
examine only applied conditions.
For more information about these commands, see the OmniSwitch CLI Reference Guide.
Policy Applications
Policies are used to classify incoming flows and treat the relevant outgoing flows. There are many ways to
classify the traffic and many ways to apply QoS parameters to the traffic.
Classifying traffic may be as simple as identifying a Layer 2 or Layer 3 address of an incoming flow.
Treating the traffic might involve prioritizing the traffic or rewriting an IP address. How the traffic is
treated (the action in the policy rule) typically defines the type of policy:
This section describes how to configure basic QoS policies and 802.1p/ToS/DSCP marking and mapping
policies. Policies used for Layer 2 and Layer 3/4 filters, are commonly referred to as Access Control Lists
(ACLs). Filtering is discussed in Chapter 27, Configuring ACLs.
Policies may also be used for prioritizing traffic in dynamic link aggregation groups. For more informa-
tion about dynamic link aggregates, see Chapter 14, Configuring Dynamic Link Aggregation.
OmniSwitch
ingress flow
queues for egress traffic
policy condition
classifies the flow
policy action determines
how packets are queued
Note. If multiple addresses, services, or ports should be given the same priority, use a policy condition
group to specify the group and associate the group with the condition. See Using Condition Groups in
Policies on page 26-35 for more information about groups.
Note that some condition parameters may be used in combination only under particular circumstances;
also, there are restrictions on condition/action parameter combinations. See Using Condition Groups in
Policies on page 26-35 and Condition Combinations on page 26-6.
Basic Commands
The following policy action commands are used for traffic prioritization or shaping:
policy action priority
policy action maximum bandwidth
To set up traffic prioritization and/or bandwidth shaping, follow the steps in the next section. For more
information about command syntax and options, see the OmniSwitch CLI Reference Guide.
Note that QoS ports may also be configured for bandwidth shaping through the qos port commands.
OmniSwitch
Network 1 TM
OmniSwitch 9700 Any
10.10.4.0 Network
priority applied
To create a policy rule to prioritize the traffic from Network 1, first create a condition for the traffic that
you want to prioritize. In this example, the condition is called ip_traffic. Then create an action to priori-
tize the traffic as highest priority. In this example, the action is called high. Combine the condition and the
action into a policy rule called rule1.
-> policy condition ip_traffic source ip 10.10.4.0 mask 255.255.255.0
-> policy action high priority 7
-> policy rule rule1 condition ip_traffic action high
The rule is not active on the switch until the qos apply command is entered on the command line. When
the rule is activated, any flows coming into the switch from 10.10.4.0 will be given the highest priority.
Note that the bandwidth may be specified in abbreviated units, in this case, 1k.
The rule is not active on the switch until the qos apply command is entered. When the rule is activated,
any flows coming into the switch from source IP address 10.10.5.3 will be queued with no more than 1k of
bandwidth.
Redirection Policies
A redirection policy sends traffic that matches the policy to a specific port or link aggregate instead of the
originally intended destination. This type of policy may use any condition; the policy action determines
which port or link aggregate to which the traffic is sent.
The following policy action commands are used for port and link aggregate redirection:
policy action redirect port
policy action redirect linkagg
Note the following regarding the use and configuration of redirection policies:
Redirection policies apply to both bridged and routed traffic.
When redirecting routed traffic from VLAN A to VLAN B, the redirect port or link aggregate ID must
belong to VLAN B (tagged or default VLAN).
Routed packets (from VLAN A to VLAN B) are not modified after they are redirected; the source and
MAC address remain the same. In addition, if the redirect port or link aggregate ID is tagged, the redi-
rected packets will have a tag from the ingress VLAN A.
If a route exists for the redirected flow, then redirected packets are the final post-routing packets.
If a route does not exist for the redirected flow, the flow is not redirected to the specified port or link
aggregate ID and is blackholed. As soon as a route is available, the flow is then redirected as speci-
fied in the policy.
In most cases, a redirected flow will not trigger an update to the routing and ARP tables. If necessary,
create a static route for the flow or assign the redirect port or link aggregate ID to the ingress VLAN
(VLAN A) to send packets to the redirect port until a route is available.
When redirecting bridged traffic on VLAN A, the redirect port or link aggregate ID must belong to
VLAN A (tagged or default VLAN).
In the following example, flows destined for UDP port 80 is redirected to switch port 3/2:
-> policy condition L4PORTCOND destination udp port 80
-> policy action REDIRECTPORT redirect port 3/2
-> policy rule L4PORTRULE condition L4PORTCOND action REDIRECTPORT
In the following example, flows destined for IP address 40.2.70.200 are redirected to link aggregate 10:
-> policy condition L4LACOND destination IP 40.2.70.200
-> policy action REDIRECTLA redirect linkagg 10
-> policy rule L4LARULE condition L4LACOND action REDIRECTLA
Note that in both examples above, the rules are not active on the switch until the qos apply command is
entered on the command line.
This policy (icmpRule) drops all ICMP traffic. To limit the dropped traffic to ICMP echo requests (pings)
and/or replies, use the policy condition icmptype to specify the appropriate condition. For example,
-> policy condition echo icmptype 8
-> policy condition reply icmptype 0
In the next example, the policy map group command specifies a group of values that should be mapped;
the policy action map command specifies what should be mapped (802.1p to 802.1p, ToS/DSCP to
802.1p) and the mapping group that should be used. For more details about creating map groups, see
Creating Map Groups on page 26-45.
Here, traffic from two different subnets must be mapped to 802.1p values in a network called Network C.
A map group (tosGroup) is created with mapping values.
-> policy map group tos_group 1-4:4 5-7:7
-> policy condition SubnetA source ip 10.10.5.0 mask 255.255.255.0
-> policy condition SubnetB source ip 12.12.2.0 mask 255.255.255.0
-> policy action map_action map tos to 802.1p using tos_group
The map_action specifies that ToS values will be mapped to 802.1p with the values specified in
tos_group. With these conditions and action set up, two policy rules can be configured for mapping
Subnet A and Subnet B to the ToS network:
-> policy rule RuleA condition SubnetA action map_action
-> policy rule RuleB condition SubnetB action map_action
Subnet A
10.10.5.0 OmniSwitch
Network C
Mapping
Subnet B policy
12.12.2.0
Mapping Application
Note. When a PBR QoS rule is applied to the configuration, it is applied to the entire switch, unless you
specify a built-in port group in the policy condition.
Policy Based Routing may be used to redirect traffic to a particular gateway based on source or destina-
tion IP address, source or destination network group, source or destination TCP/UDP port, a service or
service group, IP protocol, or built-in source port group.
Traffic may be redirected to a particular gateway regardless of what routes are listed in the routing table.
Note that the gateway address does not have to be on a directly connected VLAN; the address may be on
any network that is learned by the switch.
Note. If the routing table has a default route of 0.0.0.0, traffic matching a PBR policy will be redirected to
the route specified in the policy. For information about viewing the routing table, see Chapter 12, Config-
uring IP.
Policy Based Routing may be used to redirect untrusted traffic to a firewall. In this case, note that reply
packets will be not be allowed back through the firewall.
174.26.1.0
173.10.2.0
10.3.0.0
Firewall
173.5.1.0
173.5.1.254
OmniSwitch
In this example, all traffic originating in the 10.3 network is routed through the firewall, regardless of
whether or not a route exists.
-> policy condition Traffic3 source ip 10.3.0.0 mask 255.255.0.0
-> policy action Firewall permanent gateway ip 173.5.1.254
-> policy rule Redirect_All condition Traffic3 action Firewall
Note that the functionality of the firewall is important. In the example, the firewall is sending the traffic to
be routed remotely. If you instead set up a firewall to send the traffic back to the switch to be routed, you
should set up the policy condition with a built-in source port group so that traffic coming back from the
firewall will not get looped and sent back out to the firewall.
For example:
174.26.1.0
173.10.2.0
10.3.0.0
Firewall
173.5.1.0
173.5.1.254
OmniSwitch
In this scenario, traffic from the firewall is sent back to the switch to be re-routed. But because the traffic
re-enters the switch through a port that is not in the Slot01 port group, the traffic does not match the
Redirect_All policy and is routed normally through the switch.
-> policy condition Traffic3 source ip 10.3.0.0 mask 255.255.0.0 source port
group Slot01
-> policy action Firewall permanent gateway ip 173.5.1.254
-> policy rule Redirect_All condition Traffic3 action Firewall
Make sure to enter the qos apply command to activate the policy rule on the switch. Otherwise the rule
will be saved as part of the pending configuration, but will not be active.
Access Control Lists (ACLs) are Quality of Service (QoS) policies used to control whether or not packets
are allowed or denied at the switch or router interface. ACLs are sometimes referred to as filtering lists.
ACLs are distinguished by the kind of traffic they filter. In a QoS policy rule, the type of traffic is speci-
fied in the policy condition. The policy action determines whether the traffic is allowed or denied. For
detailed descriptions about configuring policy rules, see Chapter 26, Configuring QoS.
In general, the types of ACLs include:
Layer 2 ACLsfor filtering traffic at the MAC layer. Usually uses MAC addresses or MAC groups for
filtering.
Layer 3/4 ACLsfor filtering traffic at the network layer. Typically uses IP addresses or IP ports for
filtering; note that IPX filtering is not supported.
Multicast ACLsfor filtering IGMP traffic.
In This Chapter
This chapter describes ACLs and how to configure them through the Command Line Interface (CLI). CLI
commands are used in the configuration examples; for more details about the syntax of commands, see the
OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Setting the Global Disposition. The disposition specifies the general allow/deny policy on the switch.
See Setting the Global Disposition on page 27-7.
Creating Condition Groups for ACLs. Groups are used for filtering on multiple addresses, ports, or
services. The group is then associated with the policy condition. See Creating Condition Groups For
ACLs on page 27-8.
Creating Policy Rules for ACLs. Policy rules for ACLs are basically QoS policy rules. Specific
parameters for ACLs are described in this chapter. See Configuring ACLs on page 27-8.
Using ACL Security Features. Specific port group, action, service group, and policy rule combina-
tions are provided to help improve network security. See Using ACL Security Features on
page 27-14.
ACL Specifications
These specifications are the same as those for QoS in general:
Note. The QoS/ACL functionality described in this chapter is supported on the OmniSwitch 6800, 6850,
and 9000 switches unless otherwise stated in the following Specifications table or specifically noted within
any other section of this chapter
ACL Defaults
The following table shows the defaults for ACLs:
Note that in the current software release, the deny and drop options produce the same effect; that is, that
traffic is silently dropped.
For more information about QoS defaults in general, see Chapter 26, Configuring QoS.
2 Create policy condition groups for multiple addresses or services that you want to filter. (If you have a
single address to filter, you can skip this step and simply include the address, service, or port in the policy
condition.) An example:
-> policy network group NetGroup1 192.68.82.0 mask 255.255.255.0 192.60.83.0
mask 255.255.255.0
3 Create a policy condition using the policy condition command. If you created a network group, MAC
group, service group, or port group, specify the group as part of the condition.
-> policy condition Lab3 source network group NetGroup1
Note. (Optional) Test the condition with the show policy classify command using information from the
policy condition. For example:
-> show policy classify l3 source ip 192.68.82.0
This command displays information about whether the indicated parameter may be used to classify traffic
based on policies that are configured on the switch. For more information about testing conditions, see
Testing Conditions on page 26-33 in Chapter 26, Configuring QoS.
4 Create a policy action with the policy action command. Use the keyword disposition and indicate
whether the flow(s) should be accepted or denied.
-> policy action Yes disposition accept
5 Create a policy rule with the policy rule command and include the relevant condition and action. Use
the keyword precedence to specify the priority of this rule over other rules for traffic matching the speci-
fied condition.
-> policy rule lab_rule1 condition Lab3 action Yes precedence 65535
6 Apply the policy configuration using the qos apply command. For details about using this command,
see Applying the Configuration on page 26-47 in Chapter 26, Configuring QoS.
ACL Overview
ACLs provide moderate security between networks. The following illustration shows how ACLs may be
used to filter subnetwork traffic through a private network, functioning like an internal firewall for LANs.
OmniSwitch
Subnetwork
router
OmniSwitch 9700
Private
TM
Network Public
Network
Filtering Rules
Subnetwork
(ACLs)
TM
OmniSwitch 9700
Subnetwork
OmniSwitch
When traffic arrives on the switch, the switch checks its policy database to attempt to match Layer 2 or
Layer 3/4 information in the protocol header to a filtering policy rule. If a match is found, it applies the
relevant disposition to the flow. Disposition determines whether a flow is allowed or denied. There is a
global disposition (the default is accept), and individual rules may be set up with their own dispositions.
Note. In some network situations, it is recommended that the global disposition be set to deny, and that
rules be created to allow certain types of traffic through the switch. To set the global disposition to deny,
use the qos default bridged disposition and qos default routed disposition commands. See Setting the
Global Disposition on page 27-7 for more information about these commands.
When multiple policy rules exist for a particular flow, each policy is applied to the flow as long as there
are no conflicts between the policies. If there is a conflict, then the policy with the highest precedence is
applied to the flow. See Rule Precedence on page 27-6 for more information about precedence.
Note. QoS policy rules may also be used for traffic prioritization and other network scenarios. For a
general discussion of QoS policy rules, see Chapter 26, Configuring QoS.
Rule Precedence
The switch attempts to classify flows coming into the switch according to policy precedence. Only the rule
with the highest precedence will be applied to the flow. This is true even if the flow matches more than
one rule.
Valid Combinations
There are limitations to the types of conditions that may be combined in a single rule. A brief overview of
these limitations is listed here:
The 802.1p and source VLAN conditions are the only Layer 2 conditions allowed in combination with
Layer 4 conditions.
The Layer 1 destination port condition only applies to bridged traffic, not routed traffic.
The IP multicast condition works in combination with Layer 1, Layer 2, and Layer 3 destination condi-
tions only if these conditions specify the device that sends the IGMP report packet.
Source and destination parameters can be combined in Layer 2, Layer 3, and Layer 4 conditions.
Individual items and their corresponding groups cannot be combined in the same condition. For exam-
ple, a source IP address cannot be included in a condition with a source IP network group.
Layer 2 and Layer 3 rules are always effected on bridged and routed traffic. As a result, combining
source or destination TCP/UDP port and IP protocol in a condition is allowed.
In a given rule, ToS or DSCP may be specified for a condition with priority specified for the action.
For more information about supported combinations, see Condition Combinations on page 26-6 and
Action Combinations on page 26-8 in Chapter 26, Configuring QoS.
2 Create a condition for the traffic to be filtered. This step is described in Creating Condition Groups
For ACLs on page 27-8 and Creating Policy Conditions For ACLs on page 27-9.
3 Create an action to accept or deny the traffic. This step is described in Creating Policy Actions For
ACLs on page 27-9.
4 Create a policy rule that combines the condition and the action. This step is described in Creating
Policy Rules for ACLs on page 27-10.
For a quick tutorial on how to configure ACLs, see Quick Steps for Creating ACLs on page 27-4.
Note. Note that the global disposition setting applies to all policy rules on the switch, not just those that
are configured for ACLs.
Policies may then be set up to allow routed traffic through the switch.
Note that in the current release of Alcatels QoS software, the drop and deny keywords produce the same
result (flows are silently dropped; no ICMP message is sent).
For more information about the global disposition commands, see Chapter 26, Configuring QoS, and the
OmniSwitch CLI Reference Guide.
Important. If you set the global bridged disposition (using the qos default bridged disposition
command) to deny or drop, it will result in dropping all Layer 2 traffic from the switch that does not
match any policy to accept traffic. You must create policies (one for source and one for destination) to
allow traffic on the switch.
If you set the bridged disposition to deny or drop, and you configure Layer 2 ACLs, you will need two
rules for each type of filter. For more information, see Layer 2 ACLs on page 27-10.
This command configures a network group (netgroup2) of three IP addresses. The network group is then
configured as part of a policy condition (cond2). The condition specifies that the addresses in the group
are source addresses. (For all condition groups except service groups, the policy condition specifies
whether the condition group is a source or destination group.)
If a network group was not used, a separate condition would have to be created for each IP address. Subse-
quently, a corresponding rule would have to be created for each condition. Using a network group reduces
the number of rules required.
For more details about using groups in policy conditions, see Using Condition Groups in Policies on
page 26-35 in Chapter 26, Configuring QoS.
Configuring ACLs
This section describes in detail the procedures for configuring ACLs. For more information about how to
configure policies in general, see Chapter 26, Configuring QoS. Command syntax is described in detail
in the OmniSwitch CLI Reference Guide.
The basic commands for configuring ACL rules are the same as those for configuring policy rules:
policy condition
policy action
policy rule
In this example, a Layer 2 condition (c2) specifies that traffic matches the ports included of the pgroup1
port group. The condition also specifies that the port group is a source group. Any traffic coming in on
ports 1 or 2 on slot 3, port 3 on slot 4, or port 4 on slot 5 will match condition c2.
For more information about condition groups, see Creating Condition Groups For ACLs on page 27-8.
The following table lists the keywords for the policy condition command that are typically used for the
different types of ACLs:
Layer 2 ACL Condition Layer 3/4 ACL Condition Multicast ACL Condition
Keywords Keywords Keywords
source mac source ip multicast ip
source mac group source network group multicast network group
destination mac destination ip destination ip
destination mac group destination network group destination vlan
source vlan source ip port destination port
source port destination ip port destination port group
source port group service destination mac
destination port service group destination mac group
destination port group ip protocol
ethertype destination port
802.1p destination port group
icmptype
icmpcode
tos
dscp
source tcp port
destination tcp port
source udp port
destination udp port
established
tcpflags
Note that the individual address, service, or port cannot be used in conjunction with the same type of
condition group. For example, you cannot specify in the same rule both a source MAC address and a
source MAC group.
If you do not specify a disposition for the policy action, the default (accept) will be used.
In this example, any traffic matching condition c3 will match rule7; rule7 is configured with the highest
precedence value. If any other rules are configured for traffic with a source address of 10.10.4.8, rule7
will take precedence over the other rules only if one of the following is true:
A conflict exists with another rule and rule7 has a higher precedence.
A conflict exists with another rule that has the same precedence value, but rule7 was created first.
The action configured for the rule, a1, allows traffic from 10.10.4.8, so the flow will be accepted on the
switch.
The rule will not be used to classify traffic or enforce the policy until the qos apply command is entered.
For information about applying policy parameters, see Applying the Configuration on page 26-47 in
Chapter 26, Configuring QoS.
Layer 2 ACLs
Layer 2 filtering filters traffic at the MAC layer. Layer 2 filtering may be done for both bridged and routed
packets. As MAC addresses are learned on the switch, QoS classifies the traffic based on:
MAC address or MAC group
Source VLAN
The switch classifies the MAC address as both source and destination.
The following policy condition keywords are used for Layer 2 ACLs:
A group and an individual item cannot be specified in the same condition. For example, a source MAC
address and a source MAC group cannot be specified in the same condition.
Note that combining Layer 2 and Layer 3 conditions in the same policy is supported. Refer to Condition
Combinations on page 26-6 and Action Combinations on page 26-8 in Chapter 26, Configuring QoS.
In this scenario, traffic with a source MAC address of 08:00:20:11:22:33 coming in on VLAN 5 would
match condition Address1, which is a condition for a policy rule called FilterA. FilterA is then applied to
the flow. Since FilterA has an action (BlockTraffic) that is set to deny traffic, the flow would be denied
on the switch.
Note that although this example contains only Layer 2 conditions, it is possible to combine Layer 2 and
Layer 3 conditions in the same policy.
Layer 3 ACLs
The QoS software in the switch filters routed and bridged traffic at Layer 3.
For Layer 3 filtering, the QoS software in the switch classifies traffic based on:
Source IP address or source network group
IP protocol
ICMP code
ICMP type
The following policy condition keywords are used for Layer 3 ACLs:
Note that combining Layer 2 and Layer 3 conditions in the same policy is supported. Refer to Condition
Combinations on page 26-6 and Action Combinations on page 26-8 in Chapter 26, Configuring QoS.
Traffic with a source IP address of 192.68.82.0, a source IP port of 23, using protocol 6, will match condi-
tion addr2, which is part of FilterL31. The action for the filter (Block) is set to deny traffic. The flow will
be dropped on the switch.
Note that although this example contains only Layer 2 conditions, it is possible to combine Layer 2 and
Layer 3 conditions in the same policy.
In this example, a network group, GroupA, is configured with three IP addresses. Condition cond7
includes GroupA as a destination group. Flows coming into the switch destined for any of the specified IP
addresses in the group will match rule FilterL32. FilterL32 is configured with an action (Ok) to allow the
traffic on the switch.
Note that although this example contains only Layer 2 conditions, it is possible to combine Layer 2 and
Layer 3 conditions in the same policy.
The following keywords may be used in the condition to indicate the client parameters:
If a destination group is specified, the corresponding single value keyword cannot be combined in the
same condition. For example, if a destination port is specified, a destination port group cannot be speci-
fied in the same condition.
To filter multicast clients, specify the multicast IP address, which is the address of the multicast group or
stream, and specify the client IP address, VLAN, MAC address, or slot/port. For example:
-> qos default multicast disposition deny
-> policy condition Mclient1 multicast ip 224.0.1.2 destination vlan 5
-> policy action ok disposition accept
-> policy rule Mrule condition Mclient1 action ok
In this example, any traffic coming in on VLAN 5 requesting membership to the 224.0.1.2 multicast group
will be allowed.
Note that the UserPorts group applies to both bridged and routed traffic, and it is not necessary to include
the UserPorts group in a condition and/or rule for the group to take effect. Once ports are designated as
members of this group, IP spoofed traffic is blocked while normal traffic is still allowed on the port.
The UserPorts group is also used in conjunction with the DropServices group. If a flow received on a port
that is a member of the UserPorts group is destined for a TCP or UDP port (service) specified in the
DropServices group, the flow is dropped. See Configuring a DropServices Group on page 27-15 for
more information.
To specify multiple types of traffic on the same command line, enter each type separated by a space. For
example:
-> qos user-port filter ospf bgp rip
Note that a slot and port is not required with the qos user-port command. This is because the command
applies to all ports that are members of the UserPorts group.
The following qos user-port command example uses the shutdown option to administratively disable the
user port if the specified type of traffic is received on that port:
-> qos user-port shutdown bpdu
Note that an SNMP trap is sent whenever a user port shutdown occurs. To enable a port disabled by a user
port shutdown operation, use the interfaces admin command to administratively enable the port or
disconnect and reconnect the port cable.
To disable the filter or shutdown function, use the no form of the qos user-port command. For example,
the following command disables the filtering operation for all user ports:
-> qos no user-port filter
Note that any changes to the UserPorts profile (e.g., adding or removing a traffic type) are not made until
the qos apply command is performed.
2 Add the services created in Step 1 to a service group called DropServices using the policy service
group command, as shown below:
-> policy service group DropServices tcp135 tcp445 udp137 udp138 udp445
Note that the DropServices group must be specified using the exact capitalization as shown in the
above example.
3 Add ports to the port group called UserPorts using the policy port group command, as shown below:
Note that the UserPorts group must be specified using the exact capitalization as shown in the above
example.
When the above steps are performed, an implicit ACL is created on the switch that applies to all VLANs.
This internal ACL takes precedence over any other policies configured on the switch.
Note that it is not necessary to include the BPDUShutdownPorts group in a condition and/or rule for the
group to take affect. In addition, this group must be specified using the exact capitalization shown in the
above example.
Once ports are designated as members of the BPDUShutdownPorts group, BPDUs are blocked by admin-
istratively shutting down a port when the port receives a BPDU. To restore a disabled port to enabled
status, disconnect and reconnect the cable or use the interfaces admin command to administratively
enable the port.
Note that using the BPDUShutdownPorts group is only available on the OmniSwitch 6800. Use the qos
user-port shutdown bpdu command available on the OmniSwitch 6850 and 9000 to block BPDU on
ports that are members of the UserPorts group.
Note that the above policy only blocks ICMP echo traffic, all other ICMP traffic is still allowed.
This example ACL policy will prevent any TCP connection from being initiated to the 192.168.10.0
network and all other IP traffic to the 192.168.10.0 network. Only TCP connections initiated from the
192.168.10.0 network are allowed.
Note that the above example ACL would prevent FTP sessions. See the policy condition established
command page in the OmniSwitch CLI Reference Guide for more information.
An ACL can also be defined using the tcpflags parameter to examine and qualify specific TCP flags indi-
vidually or in combination with other flags. This parameter can be used to prevent specific DOS attacks,
such as the christmas tree.
The following example use the tcpflags condition parameter to determine if the F (fin) and S (syn) TCP
flag bits are set to one and the A (ack) bit is set to zero:
-> policy condition c1 tcpflags all f s mask f s a
In this example, a match must occur on all the flags or the packet is not allowed. If the optional command
keyword any was used, then a match need only occur on any one of the flags. For example, the following
condition specifies that either the A (ack) bit or the R (rst) bit must equal one:
-> policy condition c1 tcpflags any a r mask a r
Note that if a flag is specified on the command line after the any or all keyword, then the match value is
one. If the flag only appears as part of the mask, then the match value is zero. See the policy condition
tcpflags command page in the OmniSwitch CLI Reference Guide for more information.
show policy condition Displays information about all pending and applied policy conditions or
a particular policy condition configured on the switch. Use the applied
keyword to display information about applied conditions only.
show policy action Displays information about all pending and applied policy actions or a
particular policy action configured on the switch. Use the applied key-
word to display information about applied actions only.
show policy rule Displays information about all pending and applied policy rules or a par-
ticular policy rule.
show active policy rule Displays the pending and applied policy rules that are active (enabled)
on the switch.
show qos config Displays global QoS configuration parameters.
When a show command is used to display output for all pending and applied policy configuration, the
following characters may appear in the display:
character definition
+ Indicates that the policy rule has been modified or has
been created since the last qos apply.
- Indicates the policy object is pending deletion.
# Indicates that the policy object differs between the pend-
ing/applied objects.
The following example shows all policy rules configured on the switch:
The display indicates that my_rule is active and is used to classify traffic on the switch (the Act field
displays Yes). The rule my_rule5 has been configured since the last qos apply command was entered, as
indicated by the plus (+) sign. The rule will not be used to classify traffic until the next qos apply. The
rule mac1 is not active, as indicated by the No in the Act field.
To display only policy rules that are active (enabled) on the switch, use the show active policy rule
command. For example:
-> show active policy rule
In this example, the rule my_rule does not display because it is inactive. Rules are inactive if they are
administratively disabled through the policy rule command, or if the rule cannot be enforced by the
current hardware. Both my_rule5 and mac1 are displayed here because they are active; however,
my_rule5 is a pending rule and will not be used to classify traffic until the qos apply command is entered.
See the OmniSwitch CLI Reference Guide for more information about the output of these commands.
OmniSwitch
Set up a policy rule called outside to deny Telnet traffic to the private network.
1 Create a policy service (traffic_in) for traffic originating from the well-known Telnet port number 23.
4 Then combine the condition and the action in a policy rule (outside).
An example of what these commands look like together on consecutive command lines:
-> policy service traffic_in source ip port 23 protocol 6
-> policy condition outside_cond service traffic_in
-> policy action outside_action disposition drop
-> policy rule outside condition outside_cond action outside_action
Note. IPMSv6 is only supported on the OmniSwitch 6850 and OmniSwitch 9000 switches for this release.
In This Chapter
This chapter describes the basic components of IPMS and how to configure them through the Command
Line Interface (CLI). CLI commands are used in the configuration examples; for more details about the
syntax of commands, see the OmniSwitch CLI Reference Guide.
Configuration procedures described in this chapter include:
Enabling and disabling IP Multicast Switching and Routing on page 28-8.
Enabling and disabling IPv6 Multicast Switching and Routing on page 28-21.
Note. You can also configure and monitor IPMS with WebView, Alcatels embedded Web-based device
management application. WebView is an interactive and easy-to-use GUI that can be launched from
OmniVista or a Web browser. Please refer to WebViews online documentation for more information on
configuring and monitoring IPMS/IPMSv6 with WebView.
IPMS Specifications
The table below lists specifications for Alcatels IPMS software.
IPMSv6 Specifications
The table below lists specifications for Alcatels IPMSv6 software.
IPMS Overview
A multicast group is defined by a multicast group address, which is a Class D IP address in the range
224.0.0.0 to 239.255.255.255. (Addresses in the range 239.0.0.0 to 239.255.255.255 are reserved for
boundaries.) The multicast group address is indicated in the destination address field of the IP header. (See
Reserved IP Multicast Addresses on page 28-6 for more information.)
IPMS tracks the source VLAN on which the Internet Group Management Protocol (IGMP) requests are
received. The network interfaces verify that a multicast packet is received by the switch on the source (or
expected) port.
IPMS Example
The figure on the following page shows an IPMS network where video content can be provided to clients
that request it. A server is attached to the switch that provides the source (i.e, multicast) IP addresses.
Clients from two different attached networks send IGMP reports to the switch to receive the video content.
OmniSwitch
TM
OmniSwitch 9700
Video
Source Port
Multicast Group
(dynamically built)
Multicast Stream
(destination IP address)
Multicast Server
Ports on end stations send (source IP address)
IGMP requests to receive
multicast traffic.
Network A
Network B
IP Multicast Routing
IP multicast routing can be used for IP Multicast Switching and Routing (IPMSR). IP multicast routing is
a way of controlling multicast traffic across networks. The IP multicast router discovers which networks
want to receive multicast traffic by sending out Internet Group Management Protocol (IGMP) queries and
receiving IGMP reports from attached networks. The IGMP reports signal that users want to join a multi-
cast group.
If there is more than one IP multicast router in the network, the router with the lowest IP address is elected
as the querier router, which is responsible for querying the subnetwork for group members.
The IP multicast routing package provides the following two separate protocols:
Protocol Independent Multicast Sparse Mode (PIM-SM) and Dense Mode (PIM-DM), which is
described in PIM on page 28-7.
Distance Vector Multicast Routing Protocol (DVMRP), which is described in DVMRP on page 28-7.
The multicast routing protocols build and maintain a multicast routing database. The multicast routing
protocols forward multicast traffic to networks that have requested group membership to a specific multi-
cast group. IPMS uses decisions made by the routing protocols and forwards multicast traffic to ports that
request group membership. See the OmniSwitch 6800/6850/9000 Advanced Routing Configuration Guide
for more information on IP multicast routing protocols.
PIM
Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information
provided by unicast routing protocols, such as RIP and OSPF. Sparse Mode PIM (PIM-SM) contrasts with
flood-and-prune dense mode multicast protocols, such as DVMRP and PIM Dense Mode (PIM-DM), in
that multicast forwarding in PIM-SM is initiated only via specific requests. Downstream routers must
explicitly join PIM-SM distribution trees in order to receive multicast streams on behalf of directly-
connected receivers or other downstream PIM-SM routers. This paradigm of receiver-initiated forwarding
makes PIM-SM ideal for network environments where receiver groups are thinly populated and band-
width conservation is a concern, such as in Wide Area Networks (WANs). PIM-DM packets are transmit-
ted on the same socket as PIM-SM packets as both use the same protocol and message format. Unlike
PIM-SM, in PIM-DM there are no periodic joins transmitted; only explicitly triggered prunes and grafts.
In PIM-DM, unlike PIM-SM, there is no Rendezvous Point (RP).
DVMRP
Distance Vector Multicast Routing Protocol (DVMRP) is a distributed multicast routing protocol that
dynamically generates per-source delivery trees based upon routing exchanges. When a multicast source
begins to transmit, the multicast data is flooded down the delivery tree to all points in the network.
DVMRP then prunes (i.e., removes branches from) the delivery tree where the traffic is unwanted. This is
in contrast to PIM-SM, which uses receiver-initiated (i.e., forward path) multicasting.
IGMP Version 3
IGMP is used by IPv4 systems (hosts and routers) to report their IP multicast group memberships to any
neighboring multicast routers. IGMP Version 2 (IGMPv2) handles forwarding by IP multicast destination
address only. IGMP Version 3 (IGMPv3) handles forwarding by source IP address and IP multicast desti-
nation address. The OmniSwitch 9000 switches support IGMPv1, IGMPv2, and IGMPv3.
Note. See Configuring the IGMP Version on page 28-9 for information on configuring the IGMP
version.
In IGMPv2, each membership report contains only one multicast group. In IGMPv3, membership reports
contain many multicast groups up to the Maximum Transmission Unit (MTU) size of the interface.
IGMPv3 uses source filtering and reports multicast memberships to neighboring routers by sending
membership reports. IGMPv3 also supports Source Specific Multicast (SSM) by allowing hosts to report
interest in receiving packets only from specific source addresses or from all but specific source addresses.
Note. See the IP Multicast Switching Commands chapter in the OmniSwitch CLI Reference Guide for
complete documentation of IPMS CLI commands.
Note. If IP Multicast switching and routing is enabled on the system, the VLAN configuration overrides
the systems configuration.
You can also enable IP Multicast switching and routing on the specified VLAN by entering:
-> ip multicast vlan 2 status enable
You can also change the IGMP protocol version on the specified VLAN by entering:
-> ip multicast vlan 5 version 1
For example, to configure port 10 in slot 4 with designated VLAN 2 as an IGMP static neighbor you
would enter:
-> ip multicast static-neighbor vlan 2 port 4/10
You can also configure a link aggregation group as an IGMP static neighbor port by entering
ip multicast static-neighbor followed by vlan, a space, VLAN number (which must be between 0 and
4095), a space, followed by port, a space, and the link aggregation group number.
For example, to configure link aggregation group 7 with designated VLAN 2 as a static neighbor you
would enter:
-> ip multicast static-neighbor vlan 2 port 7
You can also configure a link aggregation group as an IGMP static querier port by entering ip multicast
static-querier followed by vlan, a space, VLAN number (which must be between 0 and 4095), a space,
followed by port, a space, and the link aggregation group number.
For example, to configure link aggregation group 7 with designated VLAN 2 as a static querier you would
enter:
-> ip multicast static-querier vlan 2 port 7
space, the VLAN number, a space, followed by port, a space, the slot number of the port, a slash (/), and
the port number.
For example, to remove port 10 in slot 4 with designated VLAN 2 as an IPMS static querier you would
enter:
-> no ip multicast static-querier vlan 2 port 4/10
You can also configure a link aggregation group as an IPMS static group by entering
ip multicast static-group followed by vlan, a space, VLAN number (which must be between 0 and
4095), a space, followed by port, a space, and the link aggregation group number.
For example, to configure link aggregation group 7 with designated VLAN 2 as a static group you would
enter:
-> ip multicast static-group 225.0.0.2 vlan 2 port 7
You can also modify the IGMP query interval on the specified VLAN by entering:
-> ip multicast vlan 2 query-interval 60
You can also modify the IGMP last member query interval on the specified VLAN by entering:
-> ip multicast vlan 3 last-member-query-interval 60
To restore the IGMP last member query interval to its default value.
You can also restore the IGMP last member query interval on the specified VLAN by entering:
-> ip multicast vlan 2 last-member-query-interval 0
To restore the IGMP last member query interval to its default value.
You can also modify the IGMP query response interval on the specified VLAN by entering:
-> ip multicast vlan 3 query-response-interval 6000
You can also modify the IGMP router timeout on the specified VLAN by entering:
-> ip multicast vlan 2 router-timeout 360
You can also restore the IGMP router timeout on the specified VLAN by entering:
-> ip multicast vlan 2 router-timeout 0
You can also modify the source timeout on the specified VLAN by entering:
-> ip multicast vlan 2 source-timeout 360
You can also enable the IGMP querying on the specified VLAN by entering:
-> ip multicast vlan 2 querying enable
Note. If the links are known to be lossy, then robustness variable can be set to a higher value (7).
You can also modify the IGMP robustness variable from 1 to 7 on the specified VLAN by entering:
-> ip multicast vlan 2 robustness 3
You can also enable IGMP spoofing on the specified VLAN by entering:
-> ip multicast vlan 2 spoofing enable
You can also enable IGMP zapping on the specified VLAN by entering:
-> ip multicast vlan 2 zapping enable
IPMSv6 Overview
An IPv6 multicast address identifies a group of nodes. A node can belong to any number of multicast
groups. IPv6 multicast addresses are classified as fixed scope multicast addresses and variable scope
multicast addresses.(See the Reserved IPv6 Multicast Addresses on page 28-20.)
IPMSv6 tracks the source VLAN on which the Multicast Listener Discovery Protocol (MLD) requests are
received. The network interfaces verify that a multicast packet is received by the switch on the source (or
expected) port.
Note. IPMSv6 is only supported on the OmniSwitch 6850 and OmniSwitch 9000 switches for this release
IPMSv6 Example
The figure on the following page shows an IPMSv6 network where video content can be provided to
clients that request it. A server is attached to the switch that provides the source (i.e, multicast) IPv6
addresses. Clients from two different attached networks send MLD reports to the switch to receive the
video content.
OmniSwitch
TM
OmniSwitch 9700
Video
Source Port
Multicast Group
(dynamically built)
Multicast Stream
(destination IPv6 address)
Multicast Server
Ports on end stations send (source IPv6 address)
MLD requests to receive
multicast traffic.
Network A
Network B
Address Description
FF00:0:0:0:0:0:0:0 reserved
FF01:0:0:0:0:0:0:0 node-local scope address
FF02:0:0:0:0:0:0:0 link-local scope
FF03:0:0:0:0:0:0:0 unassigned
FF04:0:0:0:0:0:0:0 unassigned
FF05:0:0:0:0:0:0:0 site-local scope
FF06:0:0:0:0:0:0:0 unassigned
FF07:0:0:0:0:0:0:0 unassigned
FF08:0:0:0:0:0:0:0 organization-local scope
FF09:0:0:0:0:0:0:0 unassigned
FF0A:0:0:0:0:0:0:0 unassigned
FF0B:0:0:0:0:0:0:0 unassigned
FF0C:0:0:0:0:0:0:0 unassigned
FF0D:0:0:0:0:0:0:0 unassigned
FF0E:0:0:0:0:0:0:0 global scope
FF0F:0:0:0:0:0:0:0 reserved
MLD version 2
MLD is used by IPv6 systems (hosts and routers) to report their IPv6 multicast group memberships to any
neighboring multicast routers. MLD Version 1 (MLDv1) handles forwarding by IPv6 multicast destina-
tion addresses only. MLD Version 2 (MLDv2) handles forwarding by source IPv6 addresses and IPv6
multicast destination addresses. The OmniSwitch 9000 switches support MLDv1 and MLDv2.
Note. See Configuring the MLD Version 2 on page 28-22 for information on configuring the IGMP
version.
MLDv2 uses source filtering and reports multicast memberships to neighboring routers by sending
membership reports. MLDv2 also supports Source Specific Multicast (SSM) by allowing hosts to report
interest in receiving packets only from specific source addresses or from all but specific source addresses.
Note. See the IP Multicast Switching Commands chapter in the OmniSwitch CLI Reference Guide for
complete documentation of IPMSv6 CLI commands.
Note. If IPv6 Multicast switching and routing is enabled on the system, the VLAN configuration over-
rides the systems configuration.
You can also enable IPv6 Multicast switching and routing on the specified VLAN by entering:
-> ipv6 multicast vlan 2 status enable
You can also configure a link aggregation group as an MLD static neighbor port by entering
ipv6 multicast static-neighbor followed by vlan, a space, VLAN number (which must be between 0 and
4095), a space, followed by port, a space, and the link aggregation group number.
For example, to configure link aggregation group 7 with designated VLAN 2 as a static neighbor you
would enter:
-> ipv6 multicast static-neighbor vlan 2 port 7
You can also configure a link aggregation group as an MLD static querier port by entering
ipv6 multicast static-querier, followed by vlan, a space, VLAN number (which must be between 0 and
4095), a space, followed by port, a space, and the link aggregation group number.
For example, to configure link aggregation group 7 with designated VLAN 2 as a static querier you would
enter:
-> ipv6 multicast static-querier vlan 2 port 7
You can also configure a link aggregation group as an MLD static group by entering
ipv6 multicast static-group, followed by vlan, a space, VLAN number (which must be between 0 and
4095), a space, followed by port, a space, and the link aggregation group number.
For example, to configure link aggregation group 7 with designated VLAN 2 as a static group you would
enter:
-> ipv6 multicast static-group ff05::6 vlan 2 port 7
You can also modify the MLD query interval on the specified VLAN by entering:
-> ipv6 multicast vlan 2 query-interval 160
You can also restore the MLD query interval on the specified VLAN by entering:
-> no ipv6 multicast vlan 2 query-interval
You can also modify the MLD last member query interval on the specified VLAN by entering:
-> ipv6 multicast vlan 3 last-member-query-interval 2200
To restore the MLD last member query interval to its default (i.e., 1000 milliseconds) value.
You can also restore the MLD last member query interval on the specified VLAN by entering:
-> ipv6 multicast vlan 2 last-member-query-interval 0
To restore the MLD last member query interval to its default (i.e., 1000 milliseconds) value.
You can also modify the MLD query response interval on the specified VLAN by entering:
-> ipv6 multicast vlan 3 query-response-interval 20000
You can also restore the MLD query response interval on the specified VLAN by entering:
-> ipv6 multicast van 2 query-response-interval 0
You can also modify the MLD router timeout on the specified VLAN by entering:
-> ipv6 multicast vlan 2 router-timeout 360
You can also modify the source timeout on the specified VLAN by entering:
-> ipv6 multicast vlan 2 source-timeout 60
You can also enable the MLD querying on the specified VLAN by entering:
-> ipv6 multicast vlan 2 querying enable
Note. If the links are known to be lossy, then robustness can be set to a higher value (7).
You can also modify the MLD robustness variable from 1 to 7 on the specified VLAN by entering:
-> ipv6 multicast vlan 2 robustness 3
You can also enable MLD spoofing on the specified VLAN by entering:
-> ipv6 multicast vlan 2 spoofing enable
You can also enable MLD zapping on the specified VLAN by entering:
-> ipv6 multicast vlan 2 zapping enable
You can also disable MLD zapping on the specified VLAN by entering:
-> ipv6 multicast vlan 2 zapping disable
Video OmniSwitch
TM
OmniSwitch 9700
Multicast Server
(source IP address)
Static Neighbor
Attached to Slot 1, Port 5.
Static Querier
Attached to Slot 1, Port 2.
Network Clients
Network clients send IGMP
requests to receive multicast
traffic.
The network administrator has determined that the network is too lossy and therefore the robustness vari-
able needs to be set to a higher (i.e., 7) value.
Follow the steps below to configure this network:
Note. All the steps following Step 1 (which must be executed first) may be entered in any order.
2 Configure the client attached to Port 5 as a static neighbor belonging to VLAN 5 by entering:
3 Configure the client attached to Port 2 as a static querier belonging to VLAN 5 by entering:
An example of what these commands look like entered sequentially on the command line:
-> ip multicast status enable
-> ip multicast static-neighbor vlan 5 port 1/5
-> ip multicast static-querier vlan 5 port 1/2
-> ip multicast robustness 7
As an option, you can use the show ip multicast, show ip multicast neighbor, and
show ip multicast querier commands to confirm your settings as shown below:
-> show ip multicast
Status: Enabled
Querying: Disabled
Spoofing: Disabled
Zapping: Disabled
Version: 2
Robustness: 7
Query Interval (seconds): 125
Query Response Interval (tenths of seconds): 100
Last Member Query Interval(tenths of seconds):10
Router Timeout (seconds): 90
Source Timeout (seconds): 30
Total 1 Neighbors
Host Address VLAN Port Static Count Life
---------------+-----+-----+-------+------+-----
1.0.0.2 5 1/5 no 1 86
Total 1 Queriers
Host Address VLAN Port Static Count Life
---------------+-----+-----+-------+------+-----
1.0.0.3 5 1/2 no 1 250
OmniSwitch
Video
TM
OmniSwitch 9700
Multicast Server
(source IPv6 address)
Static Neighbor
Attached to Slot 1, Port 5.
Static Querier
Attached to Slot 1, Port 2.
Network Clients
Network clients send MLD
requests to receive multicast
traffic.
The network administrator has determined that the network is too lossy and therefore the robustness vari-
able needs to be set to a higher (i.e., 7) value.
Follow the steps below to configure this network:
Note. All the steps following Step 1 (which must be executed first) may be entered in any order.
2 Configure the client attached to Port 5 as a static MLD neighbor belonging to VLAN 5 by entering:
3 Configure the client attached to Port 2 as a static MLD querier belonging to VLAN 5 by entering:
An example of what these commands look like entered sequentially on the command line:
-> ipv6 multicast status enable
-> ipv6 multicast static-neighbor vlan 5 port 1/5
-> ipv6 multicast static-querier vlan 5 port 1/2
-> ipv6 multicast robustness 7
As an option, you can use the show ipv6 multicast, show ipv6 multicast neighbor, and
show ipv6 multicast querier commands to confirm your settings as shown below:
-> show ipv6 multicast
Status: Enabled
Querying: Disabled
Spoofing: Disabled
Zapping: Disabled
Version: 1
Robustness: 7
Query Interval (seconds): 125
Query Response Interval (milliseconds): 10000
Last Member Query Interval (milliseconds): 1000
Router Timeout (seconds): 90
Source Timeout (seconds): 30
Total 1 Neighbors
Host Address VLAN Port Static Count Life
-------------------------+-----+-----+-------+------+-----
fe80::2a0:ccff:fed3:2853 5 1/5 no 1 6
Total 1 Queriers
Host Address VLAN Port Static Count Life
-------------------------+-----+-----+-------+------+-----
fe80::2a0:ccff:fed3:2854 5 1/2 no 1 6
show ip multicast Displays the general IP Multicast switching and routing configuration
parameters on a switch.
show ip multicast group Displays all detected multicast groups that have members. If you do not
specify an IP address then all multicast groups on the switch will be dis-
played.
show ip multicast neighbor Displays all neighboring multicast routers.
show ip multicast querier Displays all multicast queriers.
show ip multicast forward Displays the IPMS multicast forwarding table. If you do not specify a
multicast group IP address, then the forwarding table for all multicast
groups will be displayed.
show ip multicast source Displays the IPMS multicast source table. If you do not specify a multi-
cast group IP address, then the source table for all multicast groups will
be displayed.
show ip multicast tunnel Displays the IP multicast switch and routing tunneling table entries
matching the specified IP multicast group address, or all the entries if no
IP multicast address is specified.
If you are interested in a quick look at IPMS groups on your switch you could use the
show ip multicast group command. For example:
-> show ip multicast group
Total 3 Groups
Group Address Source Address VLAN Port Mode Static Count Life
---------------+---------------+-----+-----+--------+-------+------+-----
231.0.0.3 1.0.0.5 1 2/1 exclude no 1 257
234.0.0.4 0.0.0.0 1 2/1 exclude no 1 218
229.0.0.1 0.0.0.0 1 2/13 exclude yes 0 0
Note. See the IP Multicast Switching Commands chapter in the OmniSwitch CLI Reference Guide for
complete documentation on IPMS show commands.
show ipv6 multicast Displays the general IPv6 Multicast switching and routing configuration
parameters on a switch.
show ipv6 multicast group Displays all detected multicast groups that have members. If you do not
specify an IPv6 address, then all multicast groups on the switch will be
displayed.
show ipv6 multicast neighbor Displays all neighboring IPv6 multicast routers.
show ipv6 multicast querier Displays all IPv6 multicast queriers.
show ipv6 multicast forward Displays the IPMSv6 multicast forwarding table. If you do not specify a
multicast group IPv6 address, then the forwarding table for all multicast
groups will be displayed.
show ipv6 multicast source Displays the IPMSv6 multicast source table. If you do not specify a
multicast group IPv6 address, then the source table for all multicast
groups will be displayed.
show ipv6 multicast tunnel Display the IPv6 multicast switch and routing tunneling table entries
matching the specified IPv6 multicast group address, or all the entries if
no IPv6 multicast address is specified.
If you are interested in a quick look at IPMSv6 groups on your switch you could use the
show ipv6 multicast group command. For example:
-> show ipv6 multicast group
Total 3 Groups
Group Address Source Address VLAN Port Mode Static Count Life
----------------+---------------+-----+-----+--------+-------+------+-----
ff05::5 :: 1 2/1 exclude no 1 145
ff05::6 3333::1 1 2/1 exclude no 1 242
Note. See the IPv6 Multicast Switching Commands chapter in the OmniSwitch CLI Reference Guide for
complete documentation on IPMS show commands.
Several tools are available for diagnosing problems that may occur with the switch. These tools include:
Port Mirroring
Port Monitoring
Port mirroring copies all incoming and outgoing traffic from a single mirrored Ethernet port to a second
mirroring Ethernet port, where it can be monitored with a Remote Network Monitoring (RMON) probe or
network analysis device without disrupting traffic flow on the mirrored port. The port monitoring feature
allows you to examine packets to and from a specific Ethernet port. sFlow is used for measuring high
speed switched network traffic. It is also used for collecting, storing, and analyzing the traffic data. Switch
Health monitoring software checks previously configured threshold levels for the switchs consumable
resources, and notifies the Network Monitoring Station (NMS) if those limits are violated.
In This Chapter
This chapter describes port mirroring, port monitoring, remote monitoring (RMON) probes, sFlow, and
switch health features and explains how to configure the same through the Command Line Interface (CLI).
Configuration procedures described in this chapter include:
Creating or Deleting a Port Mirroring Sessionsee Creating a Mirroring Session on page 29-17 or
Deleting A Mirroring Session on page 29-20.
Protection from Spanning Tree changes (Port Mirroring)see Unblocking Ports (Protection from
Spanning Tree) on page 29-18.
Enabling or Disabling Port Mirroring Statussee Enabling or Disabling Mirroring Status on
page 29-18 or Disabling a Mirroring Session (Disabling Mirroring Status) on page 29-18.
Configuring Port Mirroring Directionsee Configuring Port Mirroring Direction on page 29-19.
Enabling or Disabling a Port Mirroring Sessionsee Enabling or Disabling a Port Mirroring Session
(Shorthand) on page 29-19.
Configuring a Port Monitoring Sessionsee Configuring a Port Monitoring Session on page 29-22.
Enabling a Port Monitoring Sessionsee Enabling a Port Monitoring Session on page 29-22.
Disabling a Port Monitoring Sessionsee Disabling a Port Monitoring Session on page 29-22.
Deleting a Port Monitoring Sessionsee Deleting a Port Monitoring Session on page 29-22.
Pausing a Port Monitoring Sessionsee Pausing a Port Monitoring Session on page 29-23.
Configuring the persistence of a Port Monitoring Sessionsee Configuring Port Monitoring Session
Persistence on page 29-23.
Configuring a Port Monitoring data filesee Configuring a Port Monitoring Data File on
page 29-23.
Suppressing creation of a Port Monitoring data filesee Suppressing Port Monitoring File Creation
on page 29-24.
Configuring a Port Monitoring directionsee Configuring Port Monitoring Direction on page 29-24.
Displaying Port Monitoring Status and Datasee Displaying Port Monitoring Status and Data on
page 29-25.
Configuring a sFlow Sessionsee Configuring a sFlow Session on page 29-28.
Configuring a Fixed Primary Addresssee Configuring a Fixed Primary Address on page 29-29.
Enabling or Disabling RMON Probessee Enabling or Disabling RMON Probes on page 29-34.
Configuring Resource Threshold Limits (Switch Health)see Configuring Resource and Tempera-
ture Thresholds on page 29-40.
Configuring Sampling Intervalssee Configuring Sampling Intervals on page 29-42.
Resetting Health Statisticssee Resetting Health Statistics for the Switch on page 29-44.
For information about additional Diagnostics features such as Switch Logging and System Debugging/
Memory Management commands, see Chapter 30, Using Switch Logging.
Note. Optional. To verify the port mirroring configuration, enter show port mirroring status followed by
the port mirroring session ID number. The display is similar to the one shown below:
-> show port mirroring status 6
For more information about this command, see Displaying Port Mirroring Status on page 29-20 or the
Port Mirroring and Monitoring Commands chapter in the OmniSwitch CLI Reference guide.
2 Enable the port monitoring session by entering port monitoring, followed by the port monitoring
session ID, source, the slot and port number of the port to be monitored, and enable. For example:
-> port monitoring 6 source 2/3 enable
3 Optional. Configure optional parameters. For example, to create a file called monitor1 for port moni-
toring session 6 on port 2/3, enter:
-> port monitoring 6 source 2/3 file monitor1
Note. Optional. To verify the port monitoring configuration, enter show port mirroring status, followed
by the port monitoring session ID number. The display is similar to the one shown below:
-> show port monitoring status
For more information about this command, see Port Monitoring on page 29-21 or the Port Mirroring
and Monitoring Commands chapter in the OmniSwitch CLI Reference Guide.
sFlow Overview
The following sections detail the specifications, defaults, and quick set up steps for the sFlow feature.
Detailed procedures are found in sFlow on page 29-26.
Note. sFlow is only supported on the OmniSwitch 6850 and OmniSwitch 9000 for this release.
sFlow Specifications
RFCs Supported 3176 - sFlow
Management Information Base
Sampling Sampling rate of one (1) counts all packets and 0
(zero) disables sampling.
Agent IP Address As it need to send a fixed IP address in the data-
gram, loopback0 IP address is used.
sFlow Defaults
The following table shows sFlow default values.
sFlow Defaults
1 To create a sFlow receiver session, use the sflow receiver command by entering sflow
receiver, followed by the receiver index, name, and the address to be monitored. For example:
-> sflow receiver 1 name Golden address 198.206.181.3
2 Optional. Configure optional parameters. For example, to specify the timeout value 65535 for sFlow
receiver session on address 198.206.181.3, enter:
-> sflow receiver 1 name Golden address 198.206.181.3 timeout 65535
Note. Optional. To verify the sFlow receiver configuration, enter show sflow receiver, followed by the
sFlow receiver index. The display is similar to the one shown below:
-> show sflow receiver
Receiver 1
Name = Golden
Address = IP_V4 198.206.181.3
UDP Port = 6343
Timeout = 65535
Packet Size= 1400
DatagramVer= 5
For more information about this command, see sFlow on page 29-26 or the sFlow Commands chapter
in the OmniSwitch CLI Reference Guide.
1 To create a sFlow sampler session, use the sflow sampler command by entering sflow
sampler, followed by the instance ID, port list, receiver, and the rate. For example:
-> sflow sampler 1 2/1-5 receiver 1 rate 2048
2 Optional. Configure optional parameters. For example, to specify the sample-hdr-size value 128 for
sFlow sampler instance 1 on ports 2/1-5, enter:
-> sflow sampler 1 2/1-5 receiver 1 rate 2048 sample-hdr-size 128
Note. Optional. To verify the sFlow sampler configuration, enter show sflow sampler, followed by the
sFlow sampler instance ID. The display is similar to the one shown below:
-> show sflow sampler 1
For more information about this command, see sFlow on page 29-26 or the sFlow Commands chapter
in the OmniSwitch CLI Reference Guide.
1 To create a sFlow poller session, use the sflow poller command by entering sflow
poller, followed by the instance ID, port list, receiver, and the interval. For example:
-> sflow poller 1 2/6-10 receiver 1 interval 30
Note. Optional. To verify the sFlow poller configuration, enter show sflow poller, followed by the sFlow
poller instance ID. The display is similar to the one shown below:
-> show sflow poller
For more information about this command, see sFlow on page 29-26 or the sFlow Commands chapter
in the OmniSwitch CLI Reference Guide.
RMON Specifications
RFCs Supported 2819 - Remote Network Monitoring
Management Information Base
RMON Functionality Supported Basic RMON 4 group implementation
Ethernet Statistics group
History (Control and Statistics) group
Alarms group
Events group
RMON Functionality Not Supported RMON 10 group*
RMON2*
Host group
HostTopN group
Matrix group
Filter group
Packet Capture group
(*An external RMON probe that includes
RMON 10 group and RMON2 may be used
where full RMON probe functionality is
required.)
Flavor (Probe Type) Ethernet/History/Alarm
Status Active/Creating/Inactive
History Control Interval (seconds) 1 to 3600
History Sample Index Range 1 to 65535
Alarm Interval (seconds) 1 to 2147483647
Alarm Startup Alarm Rising Alarm/Falling Alarm/
RisingOrFalling Alarm
Alarm Sample Type Delta Value/Absolute
RMON Traps Supported RisingAlarm/FallingAlarm
These traps are generated whenever an Alarm
entry crosses either its Rising Threshold or its
Falling Threshold and generates an event con-
figured for sending SNMP traps.
2 To verify the RMON probe configuration, enter the show rmon probes command, with the keyword
for the type of probe. For example, to display the statistics probes, enter the following:
-> show rmon probes stats
3 To view statistics for a particular RMON probe, enter the show rmon probes command, with the
keyword for the type of probe, followed by the entry number for the desired RMON probe. For example:
-> show rmon probes 1011
For more information about these commands, see Displaying a List of RMON Probes on page 29-35,
Displaying Statistics for a Particular RMON Probe on page 29-36, or the RMON Commands chapter
in the OmniSwitch CLI Reference Guide.
The default settings for the command you entered will be displayed. For example:
Rx Threshold = 80
TxRx Threshold = 80
Memory Threshold = 80
CPU Threshold = 80
Temperature Threshold = 60
2 Enter the appropriate command to change the required health threshold or health sampling interval
parameter settings or reset all health statistics for the switch. For example:
-> health threshold memory 85
Note. Optional. To verify the Switch Health configuration, enter show health threshold, followed by the
parameter you modified (e.g., memory). The display is similar to the one shown below:
Memory Threshold = 85
For more information about this command, see Displaying Health Threshold Limits on page 29-41 or
the Health Monitoring Commands chapter in the OmniSwitch CLI Reference Guide.
Port Mirroring
On OmniSwitch 9000 switches, you can set up port mirroring between Ethernet ports within the same
switch chassis, while on OmniSwitch 6800 and 6850 switches, you can set up port mirroring across
switches within a stack. Ethernet ports supporting port mirroring include 10BaseT/100BaseTX/1000BaseT
(RJ-45), 1000BaseSX/LX/LH, and 10GBaseS/L (LC) connectors. When port mirroring is enabled, the
active mirrored port transmits and receives network traffic normally, and the mirroring port receives a
copy of all transmit and receive traffic to the active port. You can connect an RMON probe or network
analysis device to the mirroring port to see an exact duplication of traffic on the mirrored port without
disrupting network traffic to and from the mirrored port.
Port mirroring runs in the Chassis Management software and is supported for Ethernet (10 Mbps), Fast
Ethernet (100 Mbps), Gigabit Ethernet (1000 Mpbs), and 10 Gigabit Ethernet (10000 Mbps) ports. In addi-
tion, the switch supports N-to-1 port mirroring, where up to 24 source ports can be mirrored to a single
destination port.
Note the following restriction when configuring a port mirroring session:
One (1) port mirroring session is supported per standalone switch chassis, or in the case of OmniSwitch
6800 and 6850 switches, in a stack consisting of two or more switches.
You cannot configure a port mirroring and a port monitoring session on the same NI module in an
OmniSwitch 9000.
You cannot configure port mirroring and monitoring on the same switching ASIC on OmniSwitch
6850 Series switches. Each switching ASIC controls 24 ports (e.g., ports 124, 2548, etc.). For exam-
ple, if a port mirroring session is configured for ports 1/12 and 1/22, then configuring a port monitor-
ing session for any of the ports between 1 and 24 is not allowed.
You cannot configure port mirroring and monitoring on the same switching ASIC on OmniSwitch
6800 Series switches. Each switching ASIC controls 12 ports (e.g., ports 112, 1324, etc.). For exam-
ple, if a port mirroring session is configured for ports 1/6 and 1/10, then configuring a port monitoring
session for any of the ports between 1 and 12 is not allowed.
If a port mirroring session is configured across two switching ASICs, then configuring a monitoring
session is not allowed on any of the ports controlled by each of the ASICs involved. For example, if a
port mirroring session is configured for ports 1/8 and 1/30 on a 48-port switch, then configuring a port
monitoring session involving any of the ports between 1 and 48 is not allowed.
Note that when port mirroring is enabled, there may be some performance degradation, since all frames
received and transmitted by the mirrored port need to be copied and sent to the mirroring port.
NMS TM
OmniSwitch 9700
Workstation
Mirrored
(Active) Port
(w/ Incoming &
Outgoing Frames)
Mirroring
(Monitoring) Port
(w/ Copied Incoming
& Outgoing Frames)
Relationship Between Mirrored and Mirroring Ports
Note. If the mirroring port monitors mirrored traffic on an RMON probe belonging to a different VLAN
than the mirrored port, it should be protected from blocking due to Spanning Tree updates. See Unblock-
ing Ports (Protection from Spanning Tree) on page 29-18 for details.
The diagram on the following page illustrates how port mirroring can be used with an external RMON
probe to copy RMON probe frames and Management frames to and from the mirroring and mirrored ports.
Frames received from an RMON probe attached to the mirroring port can be seen as being received by the
mirrored port. These frames from the mirroring port are marked as if they are received on the mirrored
port before being sent over the switch backplane to an NMS station. Therefore, management frames
destined for the RMON probe are first forwarded out of the mirrored port. After being received on the
mirrored port, copies of the frames are mirrored out of the mirroring portthe probe attached to the
mirroring port receives the management frames.
NMS Workstation
TM
OmniSwitch 9700
Mirroring Port
Mirrored
C. Management frames from the NMS Workstation are sent to the mirrored port....
D. ...and port mirroring sends copies of the
Management frames to the mirroring port.
NMS Workstation
TM
OmniSwitch 9700
Mirroring Port
Mirrored Port
RMON Probe
OmniSwitch
Note. To prevent the mirroring (destination) port from being blocked due to Spanning Tree changes, be
sure to specify the VLAN ID number (from 1 to 4094) for the port that will remain unblocked (protected
from these changes while port mirroring is active). This parameter is optional; if it is not specified,
changes resulting from Spanning Tree could cause the port to become blocked (default). See Unblocking
Ports (Protection from Spanning Tree) below for details.
To create a mirroring session, enter the port mirroring source destination command and include the port
mirroring session ID number and the source and destination slot/ports, as shown in the following example:
-> port mirroring 6 source 2/3 destination 2/4
This command line specifies mirroring session 6, with the source (mirrored) port located in slot 2/port 3,
and the destination (mirroring) port located in slot 3/port 4.
Note. Neither the mirrored nor the mirroring ports can be a mobile port. See Chapter 7, Assigning Ports
to VLANs, for information on mobile ports.
Creating an N-to-1 port mirroring session is supported, where up to 24 source ports can be mirrored to a
single destination port. In the following example, port 1/2, 2/1, and 2/3 are mirrored on destination port 2/
4 in session 1:
-> port mirroring 1 source 1/2 destination 2/4
-> port mirroring 1 source 2/1 destination 2/4
-> port mirroring 1 source 2/3 destination 2/4
As an option, you can specify a range of source ports and/or multiple source ports. In the following exam-
ple, ports 1/2 through 1/6 are mirrored on destination port 2/4 in session 1:
-> port mirroring 1 source 1/2-6 destination 2/4
In the following example, ports 1/9, 2/7, and 3/5 are mirrored on destination port 2/4 in session 1:
-> port mirroring 1 source 1/9 2/7 3/5 destination 2/4
In the following example, 1/2 through 1/6 and 1/9, 2/7, and 3/5 are mirrored on destination port 2/4 in
session 1:
-> port mirroring 1 source 1/2-6 1/9 2/7 3/5 destination 2/4
Note. Ports can be added after a port mirroring session has been configured.
This command line specifies mirroring session 6, with the source (mirrored) port located in slot 2/port 3,
and the destination (mirroring) port located in slot 2/port 4. The mirroring port on VLAN 750 is protected
from Spanning Tree updates.
Note. If the unblocked VLAN identifier is not specified, the mirroring port could be blocked due to
changes in Spanning Tree.
Note. You can modify the parameters of a port mirroring session that has been disabled.
Keep in mind that the port mirroring session configuration remains valid, even though port mirroring has
been turned off. Note that the port mirroring session identifier and slot/port locations of the designated
interfaces must always be specified.
Note. Note that the port mirroring session identifier and slot/port locations of the designated interfaces
must always be specified.
Note. Optionally, you can also specify the optional unblocked VLAN ID number and either enable or
disable on the same command line.
In this example, the command specifies port mirroring session 6, with the mirrored (active) port located in
slot 2/port 3 and the mirroring port located in slot 6/port 4. The mirroring direction is unidirectional and
inward bound:
-> port mirroring 6 source 2/3 destination 6/4 inport
In this example, the command specifies port mirroring session 6, with the mirrored (active) port located in
slot 2/port 3, and the mirroring port located in slot 6/port 4. The mirroring direction is unidirectional and
outward bound:
-> port mirroring 6 source 2/3 destination 6/4 outport
You can use the bidirectional keyword to restore a mirroring session to its default bidirectional configura-
tion. For example:
-> port mirroring 6 source 2/3 destination 6/4 bidirectional
Note. Note that the port mirroring session identifier and slot/port locations of the designated interfaces
must always be specified.
Note. Port mirroring session parameters cannot be modified when a mirroring session is enabled. Before
you can modify parameters, the mirroring session must be disabled.
To disable a port mirroring session, enter the port mirroring command, followed by the port mirroring
session ID number and the keyword disable. The following command disables port mirroring session 6
(turning port mirroring off):
-> port mirroring 6 disable
Port Monitoring
An essential tool of the network engineer is a network packet capture device. A packet capture device is
usually a PC-based computer, such as the Sniffer, that provides a means for understanding and measur-
ing data traffic of a network. Understanding data flow in a VLAN-based switch presents unique chal-
lenges, primarily because traffic moves inside the switch, especially on dedicated devices.
The port monitoring feature allows you to examine packets to and from a specific Ethernet port. Port
monitoring has the following features:
Software commands to enable and display captured port data.
A file called pmonitor.enc is created in the /flash memory when you configure and enable a port
monitoring session.
Data packets time stamped.
The maximum number of monitoring sessions is limited to one per chassis and/or stack.
You cannot configure a port mirroring and a port monitoring session on the same NI module in an
OmniSwitch 9000.
You cannot configure port mirroring and monitoring on the same switching ASIC on OmniSwitch
6850 Series switches. Each switching ASIC controls 24 ports (e.g., ports 124, 2548, etc.). For exam-
ple, if a port mirroring session is configured for ports 1/12 and 1/22, then configuring a port monitor-
ing session for any of the ports between 1 and 24 is not allowed.
You cannot configure port mirroring and monitoring on the same switching ASIC on OmniSwitch
6800 Series switches. Each switching ASIC controls 12 ports (e.g., ports 112, 1324, etc.). For exam-
ple, if a port mirroring session is configured for ports 1/6 and 1/10, then configuring a port monitoring
session for any of the ports between 1 and 12 is not allowed.
If a port mirroring session is configured across two switching ASICs, then configuring a monitoring
session is not allowed on any of the ports controlled by each of the ASICs involved. For example, if a
port mirroring session is configured for ports 1/8 and 1/30 on a 48-port switch, then configuring a port
monitoring session involving any of the ports between 1 and 48 is not allowed.
Only the first 64 bytes of the traffic will be captured.
If both mirroring and monitoring are enabled, then packets will either be mirrored or monitored (i.e.,
sent to CPU), whichever comes first. See Mirroring on Multiple Ports on page 29-15 for more infor-
mation.
You can select to dump real-time packets to a file. Once a file is captured, you can FTP it to a Sniffer or
PC for viewing.
Note. One port monitoring session can be configured per chassis or stack.
In addition, you can also specify optional parameters shown in the table below. These parameters must be
entered after the slot and port number.
keywords
file no file size
no overwrite inport outport
bidirectional timeout enable
disable
For example, to configure port monitoring session 6 on port 2/3 and administratively enable it, enter:
-> port monitoring 6 source 2/3 enable
These keywords can be used when creating the port monitoring session or afterwards. See the sections
below for more information on using these keywords.
To resume a paused port monitoring session, use the port monitoring command by entering port
monitoring, followed by the port monitoring session ID and resume. For example, to resume port moni-
toring session 6, enter:
-> port monitoring 6 resume
Optionally, you can also configure the size of the file and/or you can configure the data file so that more-
recent packets will not overwrite older packets in the data file if the file size is exceeded.
To create a file and configure its size, use the port monitoring source CLI command by entering port
monitoring, followed by the user-specified session ID number, source, the slot number of the port to be
monitored, a slash (/), the port number of the port, file, the name of the file, size, and the size of the file in
16K byte increments. (The maximum size is 140K bytes.)
For example, to configure port monitoring session 6 on port 2/3 with a data file called user_port in the
/flash directory with a size of 49152 (3 * 16K), enter:
-> port monitoring 6 source 2/3 file /flash/user_port size 3
To prevent more recent packets from overwriting older packets in the data file, if the file size is exceeded,
use the port monitoring source CLI command by entering port monitoring, followed by the user-speci-
fied session ID number, source, the slot number of the port to be monitored, a slash (/), the port number of
the port, file, the name of the file, and overwrite off.
For example, to configure port monitoring session 6 on port 2/3 with a data file called user_port in the
/flash directory that will not overwrite older packets if the file size is exceeded, enter:
-> port monitoring 6 source 2/3 file user_port overwrite off
To allow more recent packets from overwriting older packets in the data file if the file size is exceeded
(the default), use the port monitoring source CLI command by entering port monitoring, followed by
the user-specified session ID number, source, the slot number of the port to be monitored, a slash (/), the
port number of the port, file, the name of the file, and overwrite on.
For example, to configure port monitoring session 6 on port 2/3 with a data file called user_port in the
/flash directory that will not overwrite older packets if the file size is exceeded, enter:
-> port monitoring 6 source 2/3 file /flash/user_port overwrite on
Note. The size and no overwrite options can be entered on the same command line.
To configure port monitoring session 6 on port 2/3 as unidirectional and outward bound, for example,
enter:
-> port monitoring 6 source 2/3 outport
For example, to restore port monitoring session 6 on port 2/3 to its bidirectional direction, enter:
-> port monitoring 6 source 2/3 bidirectional
For example, to display port monitoring data, use the show port monitoring file command as shown
below:
-> show port monitoring file
Note. For more information about the displays that result from these commands, see the OmniSwitch CLI
Reference Guide.
sFlow
sFlow is a network monitoring technology that gives visibility in to the activity of the network, by provid-
ing network usage information. It provides the data required to effectively control and manage the network
usage. sFlow is a sampling technology that meets the requirements for a network traffic monitoring solu-
tion.
sFlow is an industry standard with many vendors delivering products with this support. Some of the appli-
cations of the sFlow data include:
Detecting, diagnosing, and fixing network problems
Capacity planning
sFlow is a sampling technology embedded within switches/routers. It provides the ability to monitor the
traffic flows. It requires a sFlow agent software process running as part of the switch software and a sFlow
collector which receives and analyses the monitored data. The sFlow collector makes use of SNMP to
communicate with a sFlow agent in order to configure sFlow monitoring on the device (switch).
sFlow agent running on the switch/router, combines interface counters and traffic flow (packet) samples
preferably on all the interfaces into sFlow datagrams that are sent across the network to a sFlow collector.
Packet sampling on the switch/router is typically performed by the switching/routing ASICs, providing
wire-speed performance. In this case, sFlow agent does very little processing, by packaging data into
sFlow datagrams that are immediately sent on network. This minimizes the memory and CPU utilization
by sFlow agent.
sFlow Manager
The sFlow manager is the controller for all the modules. It initializes all other modules. It interfaces with
the Ethernet driver to get the counter samples periodically and reads sampled packets from the Q-
Dispatcher module. The counter samples are given to the poller module and sampled packets are given to
the sampler to format a UDP. The sFlow manager also has a timer which periodically sends timer ticks to
other sections.
Each sFlow manager instance has multiples of receiver, sampler, and poller instances. Each user
programmed port will have an individual sampler and poller. The sampler and poller could be potentially
pointing to multiple receivers if the user has configured multiple destination hosts.
Receiver
The receiver module has the details about the destination hosts where the sFlow datagrams are sent out. If
there are multiple destination then each destination has an instance of the receiver. All these receivers are
attached to the sFlow manager instance and to an associated sample/poller.
Sampler
The sampler is the module which gets hardware sampled from Q-Dispatcher and fills up the sampler part
of the UDP datagram.
Poller
The poller is the module which gets counter samples from Ethernet driver and fills up the counter part of
the UDP datagram.
In addition, you can also specify optional parameters shown in the table below. These parameters can be
entered after the ip address.
keywords
timeout packet-size
forever version
udp-port
For example, to configure sFlow receiver session 6 on switch 10.255.11.28 and to specify the packet-size
and timeout value, enter:
-> sflow receiver 6 name sflowtrend address 10.255.11.28 packet-size 1400 time-
out 600
To configure a sFlow sampler session, use the sflow sampler command by entering sflow sampler,
followed by the instance ID number, the slot number of the port to be monitored, a slash (/), and the port
number and receiver, the receiver_index.
For example, to configure sampler session 1 on port 2/3 enter:
-> sflow sampler 1 2/3 receiver 6
In addition, you can also specify optional parameters shown in the table below. These parameters can be
entered after the receiver index.
keywords
rate
sample-hdr-size
For example, to configure sFlow sampler session 1 on port 2/3 and to specify the rate and sample-hdr-size,
enter:
-> sflow sampler 1 2/3 receiver 6 rate 512 sample-hdr-size 128
To configure a sFlow poller session, use the sflow poller command by entering sflow poller, followed by
the instance ID number, the slot number of the port to be monitored, a slash (/), and the port number of the
port and receiver, the receiver_index.
For example, to configure poller session 3 on port 1/1 enter:
-> sflow poller 3 1/1 receiver 6
In addition, you can also specify optional parameters shown in the table below. These parameters can be
entered after the receiver index.
keywords
interval
For example, to configure sFlow poller session 3 on port 1/1 and specifies the interval, enter:
-> sflow poller 3 1/1 receiver 6 interval 5
Receiver 1
Name = Golden
Address = IP_V4 198.206.181.3
UDP Port = 6343
Timeout = 65535
Packet Size= 1400
DatagramVer= 5
Note. For more information about the displays that result from these commands, see the OmniSwitch CLI
Reference Guide.
Note. For more information about the displays that result from these commands, see the OmniSwitch CLI
Reference Guide.
Note. For more information about the displays that result from these commands, see the OmniSwitch CLI
Reference Guide.
Note. For more information about the displays that result from these commands, see the OmniSwitch CLI
Reference Guide.
To delete a sFlow sampler session, use the no form of the sflow sampler command by entering no sflow
sampler, followed by the instance ID number, the slot number of the port to delete, a slash (/), and the port
number of the port, enter:
-> no sflow sampler 1 2/3
To delete a sFlow poller session, use the no form of the sflow poller command by entering no sflow
poller, followed by the instance ID number, the slot number of the port to delete, a slash (/), and the port
number of the port, enter:
-> no sflow poller 3 1/1
C. Management frames from the NMS Workstation are sent to the mirrored port....
NMS Workstation
TM
OmniSwitch 9700
RMON Probe
OmniSwitch
RMON probes can be enabled or disabled via CLI commands. Configuration of Alarm threshold values
for RMON traps is a function reserved for RMON-monitoring NMS stations.
This feature supports basic RMON 4 group implementation in compliance with RFC 2819, including the
Ethernet Statistics, History (Control & Statistics), Alarms and Events groups (described below).
Note. RMON 10 group and RMON2 are not implemented in the current release. An external RMON probe
that includes RMON 10 group and RMON2 may be used where full RMON probe functionality is
required.
Ethernet Statistics
Ethernet statistics probes are created whenever new ports are inserted and activated in the chassis. When a
port is removed from the chassis or deactivated, the Ethernet statistics group entry associated with the
physical port is invalidated and the probe is deleted.
The Ethernet statistics group includes port utilization and error statistics measured by the RMON probe for
each monitored Ethernet interface on the switch. Examples of these statistics include CRC (Cyclic Redun-
dancy Check)/alignment, undersized/oversized packets, fragments, broadcast/multicast/unicast, and band-
width utilization statistics.
Alarm
The Alarm group collects periodic statistical samples from variables in the probe and compares them to
previously configured thresholds. If a sample crosses a previously configured threshold value, an Event is
generated. Examples include Absolute or Relative Values, Rising or Falling Thresholds on the Utilization
Frame Count and CRC Errors.
Event
The Event group controls generation and notification of events from the switch to NMS stations. For
example, customized reports based on the type of Alarm can be generated, printed and/or logged.
Note. The following RMON groups are not implemented: Host, HostTopN, Matrix, Filter, and Packet
Capture.
To enable or disable an entire group of RMON probes of a particular flavor type (such as Ethernet
Statistics, History, or Alarm), enter the command without specifying an entry-number, as shown in the
following examples.
The following command disables all currently defined (disabled) RMON Ethernet Statistics probes:
-> rmon probes stats disable
The following command enables all currently defined (disabled) RMON History probes:
-> rmon probes history enable
The following command enables all currently defined (disabled) RMON Alarm probes:
-> rmon probes alarm enable
Notes. Network activity on subnetworks attached to an RMON probe can be monitored by Network
Management Software (NMS) applications.
A display showing all current statistics RMON probes should appear, as shown in the following example:
Entry Slot/Port Flavor Status Duration System Resources
-------+-----------+-----------+----------+---------------+---------------------
4001 4/1 Ethernet Active 00:25:00 275 bytes
4008 4/8 Ethernet Active 00:25:00 275 bytes
4005 4/5 Ethernet Active 00:25:00 275 bytes
This table entry displays probe statistics for all probes on the switch. The probes are active, utilize 275
bytes of memory, and 25 minutes have elapsed since the last change in status occurred.
To show a list of the history probes, enter:
-> show rmon probes history
A display showing all current history RMON probes should appear, as shown in the following example:
Entry Slot/Port Flavor Status Duration System Resources
-------+----------+---------+-----------+------------+----------------
1 1/1 History Active 92:52:20 5464 bytes
30562 1/35 History Active 00:31:22 312236 bytes
30817 1/47 History Active 00:07:31 5200236 bytes
The table entry displays statistics for RMON History probes on the switch.
To show a list of the alarm probes, enter:
-> show rmon probes alarm
A display showing all current alarm RMON probes should appear, as shown in the following example:
Entry Slot/Port Flavor Status Duration System Resources
-------+-----------+-----------+----------+---------------+--------------------
31927 1/35 Alarm Active 00:25:51 608 bytes
A display showing statistics for the specified RMON probe will appear, as shown in the following
sections.
A display showing all logged RMON Events should appear, as shown in the following example:
Entry Time Description
---------+----------------+-----------------------------------------------------
1 00:08:00 etherStatsPkts.4008: [Falling trap] Falling Event
2 00:26:00 etherStatsCollisions.2008: Rising Event
3 00:39:00 etherStatsCollisions.2008: Rising Event
The display shown above identifies the Entry number of the specified Event, along with the elapsed time
since the last change in status (measured in hours/minutes/seconds) and a description of the Alarm condi-
tion detected by the probe for all RMON Logged Events. For example, Entry number 3 is linked to ether-
StatsCollisions.2008: [Rising trap] Rising Event, an Alarm condition detected by the RMON probe in
which a trap was generated based on a Rising Threshold Alarm, with an elapsed time of 39 minutes since
the last change in status.
A display showing the specific logged RMON Event should appear, as shown in the following example:
Entry Time Description
---------+----------------+-----------------------------------------------------
3 00:39:00 etherStatsCollisions.2008: Rising Event
The display shown above identifies the Entry number of the specified Event, along with the elapsed time
since the last change in status (measured in hours/minutes/seconds) and a description of the Alarm condi-
tion detected by the probe for the specific RMON Logged Event. For example, Entry number 3 is linked to
etherStatsCollisions.2008: [Rising trap] Rising Event, an Alarm condition detected by the RMON probe
in which a trap was generated based on a Rising Threshold Alarm, with an elapsed time of 39 minutes
since the last change in status.
NMS Workstation
TM
OmniSwitch 9700
OmniSwitch
TM
OmniSwitch 9700
TM
OmniSwitch 9700
Threshold level
Additionally, Health Monitoring provides the capacity to specify thresholds for the resource utilization
levels it monitors and generates traps based on the specified threshold criteria.
The following sections include a discussion of CLI commands that can be used to configure resource
parameters and monitor or reset statistics for switch resources. These commands include:
health thresholdConfigures threshold limits for input traffic (RX), output/input traffic (TX/RX),
memory usage, CPU usage, and chassis temperature. See page 29-40 for more information.
show health thresholdDisplays current health threshold settings. See page 29-41 for details.
health intervalConfigures sampling interval between health statistics checks. See page 29-42 for
more information.
show health intervalDisplays current health sampling interval, measured in seconds. See page
29-42 for details.
show health Displays health statistics for the switch, as percentages of total resource capacity. See
page 29-43 for more information.
health statistics resetResets health statistics for the switch. See page 29-44 for details.
Note. When a resource falls back below the configured threshold, an addition trap is sent to the user. This
indicates that the resource is no longer operating beyond its configured threshold limit.
The health threshold command is used to configure threshold limits for input traffic (RX), output/input
traffic (TX/RX), memory usage, CPU usage and chassis temperature.
To configure thresholds for these resources, enter the health threshold command, followed by the input
traffic, output/input traffic, memory usage, CPU usage, or chassis temperature value, where:
memory Specifies a value for the memory usage threshold. Memory usage
refers to the total amount of RAM memory currently used by switch
applications. The default memory usage threshold is 80 percent.
cpu Specifies a value for the CPU usage threshold. CPU usage refers to the
total amount of CPU processor capacity currently used by switch appli-
cations. The default CPU usage threshold is 80 percent.
temperature Specifies a value for the chassis temperature threshold (Celsius).
The default temperature threshold is 60 degrees Celsius.
For example, to specify a CPU usage threshold of 85 percent, enter the following command:
-> health threshold cpu 85
For more information on the health threshold command, refer to Chapter 36, Health Monitoring
Commands, in the OmniSwitch CLI Reference Guide.
Note. When you specify a new value for a threshold limit, the value is automatically applied across all
levels of the switch (switch, module, and port). You cannot select differing values for each level.
To display a specific health threshold, enter the show health threshold command, followed by the appro-
priate suffix syntax:
rx
txrx
memory
cpu
temperature
For example, if you want to view only the health threshold for memory usage, enter the following
command:
-> show health threshold memory
Memory Threshold = 80
Note. For detailed definitions of each of the threshold types, refer to Configuring Resource and Tempera-
ture Thresholds on page 29-40, as well as Chapter 36, Health Monitoring Commands, in the
OmniSwitch CLI Reference Guide.
Valid values for the seconds parameter include 1, 2, 3, 4, 5, 6, 10, 12, 15, 20, or 30.
Sampling Interval = 5
Device 1 Min 1 Hr 1 Hr
Resources Limit Curr Avg Avg Max
-----------------+-------+------+------+-----+----
Receive 80 00 00 00 00
Transmit/Receive 80 00 00 00 00
Memory 80 87* 87 86 87
Cpu 80 08 05 04 08
Temperature Cmm 60 34 34 33 34
Temperature Cmm Cpu 60 28 28 27 28
In the screen sample shown above, the Device Resources field displays the device resources that are being
measured (for example, Receive displays statistics for traffic received by the switch; Transmit/Receive
displays statistics for traffic transmitted and received by the switch; Memory displays statistics for switch
memory; and CPU displays statistics for the switch CPU). The Limit field displays currently configured
device threshold levels as percentages of available bandwidth. The Curr field displays current bandwidth
usage for the specified device resource. 1 Min. Avg. refers to the average device bandwidth used over a 1
minute period. 1 Hr. Avg. refers to the average device bandwidth used over a 1 hour period, and 1 Hr.
Max. refers to the maximum device bandwidth used over a 1 hour period.
Note. If the Current value appears with an asterisk displayed next to it, the Current value exceeds the
Threshold limit. For example, if the Current value for Memory is displayed as 85* and the Threshold
Limit is displayed as 80, the asterisk indicates that the Current value has exceeded the Threshold Limit
value.
In the screen sample shown above, the port 04/03 Resources field displays the port resources that are
being measured (for example, Receive displays statistics for traffic received by the switch, while Trans-
mit/Receive displays statistics for traffic transmitted and received by the switch). The Limit field displays
currently configured resource threshold levels as percentages of available bandwidth. The Curr field
displays current bandwidth usage for the specified resource. 1 Min. Avg. refers to the average resource
bandwidth used over a 1 minute period. 1 Hr. Avg. refers to the average resource bandwidth used over a 1
hour period, and 1 Hr. Max. refers to the maximum resource bandwidth used over a 1 hour period.
Switch logging is an event logging utility that is useful in maintaining and servicing the switch. Switch
logging uses a formatted string mechanism to either record or discard event data from switch applications.
The log records are copied to the output devices configured for the switch. Log records can be sent to a
text file and written into the flash file system. The log records can also be scrolled to the switchs console
or to a remote IP address.
Switch logging information can be customized and configured through Command Line Interface (CLI)
commands, WebView, and SNMP. Log information can be helpful in resolving configuration or
authentication issues, as well as general switch errors.
This chapter describes the switch logging feature, how to configure it and display switch logging
information through the Command Line Interface (CLI). CLI commands are used in the configuration
examples. For more details about the syntax of commands, see the OmniSwitch CLI Reference Guide.
In This Chapter
The following procedures are described:
Enabling Switch Logging on page 30-6
Notes. Switch logging commands are not intended for use with low-level hardware and software
debugging. It is strongly recommended that you contact an Alcatel Customer Service representative for
assistance with debugging functions.
-> swlog
2 Specify the ID of the application to be logged along with the logging severity level.
Here, the application ID specifies bridging and the severity is set to the warning level.
3 Specify the output device to which the switch logging information will be sent.
In this example, the switch logging information will be sent to the console port.
Note. Optional. To verify the switch logging configuration, enter the show swlog command. The display
is similar to the one shown below:
Switch Logging is:
- INITIALIZED
- RUNNING
Log Device(s)
----------------
flash
console
For more information about this command, or the Switch Logging Commands chapter in the
OmniSwitch CLI Reference Guide.
Notes. Although switch logging provides complementary functionality to switch debugging facilities, the
switch logging commands are not intended for use with low-level hardware and software debugging
functions.
The configuration snapshot command can be used to capture and save all switch logging configuration
settings in a text file that can be viewed, edited, and used as a configuration file. See the Working with
Configuration Files chapter of the OmniSwitch 6800/6850/9000 Switch Management Guide for details.
Numeric
CLI Keyword Application ID
Equivalent
IDLE 255 APPID_IDLE
DIAG 0 APPID_DIAGNOSTICS
IPC-DIAG 1 APPID_IPC_DIAGNOSTICS
QDRIVER 2 APPID_QDRIVER
QDISPATCHER 3 APPID_QDISPATCHER
IPC-LINK 4 APPID_IPC_LINK
NI-SUPERVISION 5 APPID_NI_SUP_AND_PROBER
INTERFACE 6 APPID_ESM_DRIVER
802.1Q 7 APPID_802.1Q
VLAN 8 APPID_VLAN_MGR
GM 9 APPID_GROUPMOBILITY (RESERVED)
BRIDGE 10 APPID_SRCLEANING
Numeric
CLI Keyword Application ID
Equivalent
STP 11 APPID_SPANNINGTREE
LINKAGG 12 APPID_LINKAGGREGATION
QOS 13 APPID_QOS
RSVP 14 APPID_RSVP
IP 15 APPID_IP
IPMS 17 APPID_IPMS
AMAP 18 APPID_XMAP
GMAP 19 APPID_GMAP
AAA 20 APPID_AAA
IPC-MON 21 APPID_IPC_MON
IP-HELPER 22 APPID_BOOTP_RELAY
PMM 23 APPID_MIRRORING_MONITORING
MODULE 24 APPID_L3HRE
SLB 25 APPID_SLB
EIPC 26 APPID_EIPC
CHASSIS 64 APPID_CHASSISUPER
PORT-MGR 65 APPID_PORT_MANAGER
CONFIG 66 APPID_CONFIGMANAGER
CLI 67 APPID_CLI
SNMP 68 APPID_SNMP_AGENT
WEB 69 APPID_WEBMGT
MIPGW 70 APPID_MIPGW
SESSION 71 APPID_SESSION_MANAGER
TRAP 72 APPID_TRAP_MANAGER
POLICY 73 APPID_POLICY_MANAGER
DRC 74 APPID_DRC
SYSTEM 75 APPID_SYSTEM_SERVICES
HEALTH 76 APPID_HEALTHMON
NAN-DRIVER 78 APPID_NAN_DRIVER
RMON 79 APPID_RMON
TELNET 80 APPID_TELNET
PSM 81 APPID_PSM
FTP 82 APPID_FTP
SMNI 83 APPID_SMNI
DISTRIB 84 APPID_DISTRIB
Numeric
CLI Keyword Application ID
Equivalent
EPILOGUE 85 APPID_EPILOGUE
LDAP 86 APPID_LDAP
NOSNMP 87 APPID_NOSNMP
SSL 88 APPID_SSL
DBGGW 89 APPID_DBGGW
LANPOWER 108 APPID_LANPOWER
The level keyword assigns the error-type severity level to the specified application IDs. Values range from
2 (highest severity) to 9 (lowest severity). The values are defined in the following table:
The following command makes the same assignment by using the severity level and application numbers.
-> swlog appid 75 level 3
To disable the switch logging output to the console, enter the following command:
-> no swlog output console
No confirmation message will appear on the console screen for either command.
To disable the switch logging output to flash memory, enter the following command:
-> no swlog output flash
Note. It is not necessary to specify the IP address in the no swlog output socket command.
The switch logging severity level for each application that is not set to the info (6) setting.
Log Device(s)
----------------
flash
console
->
For this example, switch logging is enabled. Switch logging information is being sent to the switchs flash
memory and to the console. Additionally, the severity level for the chassis application ID has been set to
the debug3 (or 9) severity level.
Note. Use the ls command, which is described in the OmniSwitch 6800/6850/9000 Switch Management
Guide, to determine the amount of available flash memory.
For example, to set the switch logging file to 500000 bytes enter:
-> swlog output flash file-size 500000
This command will cause the switch to clear all the switch logging information and begin recording again.
As a result, the switch will display a shorter file when you execute the show log swlog command. You
may want to use swlog clear when the switch logging display is too long due to some of the data being old
or out of date.
No confirmation message will appear on the screen.
Note. Switch logging frequently records a very large volume of data. It can take several minutes for all the
switch logging information to scroll to the console screen.
------------------------+--------------+-------+--------------------------------
MON NOV 11 12:42:11 2005 SYSTEM info Switch Logging files cleared by
command
MON NOV 11 13:07:26 2005 WEB info The HTTP session login successfu
l!
MON NOV 11 13:18:24 2005 WEB info The HTTP session login successfu
l!
MON NOV 11 13:24:03 2005 TELNET info New telnet connection, Address,
128.251.30.88
MON NOV 11 13:24:03 2005 TELNET info Session 4, Created
MON NOV 11 13:59:04 2005 WEB info The HTTP session user logout suc
cessful!
The Application field specifies the application ID for which the stored swlog information is displayed
(e.g., SYSTEM).
The Level field specifies the severity level for which the stored information is displayed (e.g.,
Warning).
The Log Message field specifies the condition recorded by the switch logging feature. The informa-
tion in this field usually wraps around to the next line of the screen display as shown in this example.
This appendix contains Alcatel and third-party software vendor license and copyright statements.
IMPORTANT. Please read the terms and conditions of this license agreement carefully before opening
this package.
By opening this package, you accept and agree to the terms of this license agreement. If you are not
willing to be bound by the terms of this license agreement, do not open this package. Please
promptly return the product and any materials in unopened form to the place where you obtained it
for a full refund.
1. License Grant. This is a license, not a sales agreement, between you (the Licensee) and AII. AII
hereby grants to Licensee, and Licensee accepts, a non-exclusive license to use program media and
computer software contained therein (the Licensed Files) and the accompanying user documentation
(collectively the Licensed Materials), only as authorized in this License Agreement. Licensee, subject to
the terms of this License Agreement, may use one copy of the Licensed Files on the Licensees system.
Licensee agrees not to assign, sublicense, transfer, pledge, lease, rent, or share their rights under this
License Agreement. Licensee may retain the program media for backup purposes with retention of the
copyright and other proprietary notices. Except as authorized under this paragraph, no copies of the
Licensed Materials or any portions thereof may be made by Licensee and Licensee shall not modify,
decompile, disassemble, reverse engineer, or otherwise attempt to derive the Source Code. Licensee is also
advised that AII products contain embedded software known as firmware which resides in silicon.
Licensee may not copy the firmware or transfer the firmware to another medium.
2. AIIs Rights. Licensee acknowledges and agrees that the Licensed Materials are the sole property of
AII and its licensors (herein its licensors), protected by U.S. copyright law, trademark law, and are
licensed on a right to use basis. Licensee further acknowledges and agrees that all rights, title, and interest
in and to the Licensed Materials are and shall remain with AII and its licensors and that no such right,
license, or interest shall be asserted with respect to such copyrights and trademarks. This License Agree-
ment does not convey to Licensee an interest in or to the Licensed Materials, but only a limited right to use
revocable in accordance with the terms of this License Agreement.
3. Confidentiality. AII considers the Licensed Files to contain valuable trade secrets of AII, the unautho-
rized disclosure of which could cause irreparable harm to AII. Except as expressly set forth herein,
Licensee agrees to use reasonable efforts not to disclose the Licensed Files to any third party and not to
use the Licensed Files other than for the purpose authorized by this License Agreement. This confidential-
ity obligation shall continue after any termination of this License Agreement.
4. Indemnity. Licensee agrees to indemnify, defend and hold AII harmless from any claim, lawsuit, legal
proceeding, settlement or judgment (including without limitation AIIs reasonable United States and local
attorneys and expert witnesses fees and costs) arising out of or in connection with the unauthorized copy-
ing, marketing, performance or distribution of the Licensed Files.
5. Limited Warranty. AII warrants, for Licensees benefit alone, that the program media shall, for a
period of ninety (90) days from the date of commencement of this License Agreement (referred to as the
Warranty Period), be free from defects in material and workmanship. AII further warrants, for Licensee
benefit alone, that during the Warranty Period the Licensed Files shall operate substantially in accordance
with the functional specifications in the User Guide. If during the Warranty Period, a defect in the
Licensed Files appears, Licensee may return the Licensed Files to AII for either replacement or, if so
elected by AII, refund of amounts paid by Licensee under this License Agreement. EXCEPT FOR THE
WARRANTIES SET FORTH ABOVE, THE LICENSED MATERIALS ARE LICENSED AS IS AND
AII AND ITS LICENSORS DISCLAIM ANY AND ALL OTHER WARRANTIES, WHETHER
EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) ANY IMPLIED WARRANTIES
OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT
ALLOW THE EXCLUSION OF IMPLIED WARRANTIES SO THE ABOVE EXCLUSIONS MAY
NOT APPLY TO LICENSEE. THIS WARRANTY GIVES THE LICENSEE SPECIFIC LEGAL
RIGHTS. LICENSEE MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM STATE TO
STATE.
6. Limitation of Liability. AIIs cumulative liability to Licensee or any other party for any loss or
damages resulting from any claims, demands, or actions arising out of or relating to this License Agree-
ment shall not exceed the license fee paid to AII for the Licensed Materials. IN NO EVENT SHALL AII
BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR EXEM-
PLARY DAMAGES OR LOST PROFITS, EVEN IF AII HAS BEEN ADVISED OF THE POSSIBIL-
ITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION
OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITA-
TION OR EXCLUSION TO INCIDENTAL OR CONSEQUENTIAL DAMAGES MAY NOT APPLY
TO LICENSEE.
7. Export Control. This product is subject to the jurisdiction of the United States. Licensee may not
export or reexport the Licensed Files, without complying with all United States export laws and regula-
tions, including but not limited to (i) obtaining prior authorization from the U.S. Department of Commerce
if a validated export license is required, and (ii) obtaining written assurances from licensees, if required.
8. Support and Maintenance. Except as may be provided in a separate agreement between AII and
Licensee, if any, AII is under no obligation to maintain or support the copies of the Licensed Files made
and distributed hereunder and AII has no obligation to furnish Licensee with any further assistance, docu-
mentation or information of any nature or kind.
9. Term. This License Agreement is effective upon Licensee opening this package and shall continue until
terminated. Licensee may terminate this License Agreement at any time by returning the Licensed Materi-
als and all copies thereof and extracts therefrom to AII and certifying to AII in writing that all Licensed
Materials and all copies thereof and extracts therefrom have been returned or erased by the memory of
Licensees computer or made non-readable. AII may terminate this License Agreement upon the breach by
Licensee of any term hereof. Upon such termination by AII, Licensee agrees to return to AII or destroy the
Licensed Materials and all copies and portions thereof.
10. Governing Law. This License Agreement shall be construed and governed in accordance with the
laws of the State of California.
11. Severability. Should any term of this License Agreement be declared void or unenforceable by any
court of competent jurisdiction, such declaration shall have no effect on the remaining terms herein.
12. No Waiver. The failure of either party to enforce any rights granted hereunder or to take action against
the other party in the event of any breach hereunder shall not be deemed a waiver by that party as to
subsequent enforcement of rights or subsequent actions in the event of future breaches.
13. Notes to United States Government Users. Software and documentation are provided with restricted
rights. Use, duplication or disclosure by the government is subject to (i) restrictions set forth in GSA ADP
Schedule Contract with AIIs reseller(s), or (ii) restrictions set forth in subparagraph (c) (1) and (2) of 48
CFR 52.227-19, as applicable.
14.Third Party Materials. Licensee is notified that the Licensed Files contain third party software and
materials licensed to AII by certain third party licensors. Some third party licensors (e.g., Wind River and
their licensors with respect to the Run-Time Module) are third part beneficiaries to this License Agree-
ment with full rights of enforcement. Please refer to the section entitled Third Party Licenses and
Notices on page A-4 for the third party license and notice terms.
2 Redistributions in binary form must reproduce applicable copyright statements and notices, this list of
conditions, and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3 Redistributions must contain a verbatim copy of this document.
4 The names and trademarks of the authors and copyright holders must not be used in advertising or
otherwise to promote the sale, use or other dealing in this Software without specific, written prior permis-
sion.
5 Due credit should be given to the OpenLDAP Project.
6 The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished
by a version number. You may use the Software under terms of this license revision or under the terms of
any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS AS
IS AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEM-
PLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCURE-
MENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
OpenLDAP is a trademark of the OpenLDAP Foundation.
Copyright 1999-2000 The OpenLDAP Foundation, Redwood City,
California, USA. All Rights Reserved. Permission to copy and
distributed verbatim copies of this document is granted.
C. Linux
Linux is written and distributed under the GNU General Public License which means that its source code
is freely-distributed and available to the general public.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By
contrast, the GNU General Public License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This General Public License applies to most of
the Free Software Foundations software and to any other program whose authors commit to using it.
(Some other Free Software Foundation software is covered by the GNU Library General Public License
instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are
designed to make sure that you have the freedom to distribute copies of free software (and charge for this
service if you wish), that you receive source code or can get it if you want it, that you can change the soft-
ware or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask
you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute
copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the
recipients all the rights that you have. You must make sure that they, too, receive or can get the source
code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which
gives you legal permission to copy, distribute and/or modify the software.
Also, for each authors protection and ours, we want to make certain that everyone understands that there
is no warranty for this free software. If the software is modified by someone else and passed on, we want
its recipients to know that what they have is not the original, so that any problems introduced by others
will not reflect on the original authors reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that
redistributors of a free program will individually obtain patent licenses, in effect making the program
proprietary. To prevent this, we have made it clear that any patent must be licensed for everyones free use
or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
verbatim or with modifications and/or translated into another language. (Hereinafter, translation is
included without limitation in the term modification.) Each licensee is addressed as you.
Activities other than copying, distribution and modification are not covered by this License; they are
outside its scope. The act of running the Program is not restricted, and the output from the Program is
covered only if its contents constitute a work based on the Program (independent of having been made by
running the Program). Whether that is true depends on what the Program does.
1 You may copy and distribute verbatim copies of the Programs source code as you receive it, in any
medium, provided that you conspicuously and appropriately publish on each copy an appropriate copy-
right notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the
absence of any warranty; and give any other recipients of the Program a copy of this License along with
the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer
warranty protection in exchange for a fee.
2 You may modify your copy or copies of the Program or any portion of it, thus forming a work based on
the Program, and copy and distribute such modifications or work under the terms of Section 1 above,
provided that you also meet all of these conditions:
a You must cause the modified files to carry prominent notices stating that you changed the files and
the date of any change.
b You must cause any work that you distribute or publish, that in whole or in part contains or is
derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.
c If the modified program normally reads commands interactively when run, you must cause it, when
started running for such interactive use in the most ordinary way, to print or display an announcement
including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you
provide a warranty) and that users may redistribute the program under these conditions, and telling the
user how to view a copy of this License. (Exception: if the Program itself is interactive but does not
normally print such an announcement, your work based on the Program is not required to print an
announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not
derived from the Program, and can be reasonably considered independent and separate works in them-
selves, then this License, and its terms, do not apply to those sections when you distribute them as sepa-
rate works. But when you distribute the same sections as part of a whole which is a work based on the
Program, the distribution of the whole must be on the terms of this License, whose permissions for other
licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is
not the intent of this section to claim rights or contest your rights to work written entirely by you; rather,
the intent is to exercise the right to control the distribution of derivative or collective works based on the
Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work
based on the Program) on a volume of a storage or distribution medium does not bring the other work
under the scope of this License.
3 You may copy and distribute the Program (or a work based on it, under Section 2) in object code or
executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a Accompany it with the complete corresponding machine-readable source code, which must be
distributed under the terms of Sections 1 and 2 above on a medium customarily used for software inter-
change; or,
b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge
no more than your cost of physically performing source distribution, a complete machine-readable
copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a
medium customarily used for software interchange; or,
c Accompany it with the information you received as to the offer to distribute corresponding source
code. (This alternative is allowed only for noncommercial distribution and only if you received the
program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an
executable work, complete source code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to control compilation and installation of the
executable. However, as a special exception, the source code distributed need not include anything that is
normally distributed (in either source or binary form) with the major components (compiler, kernel, and so
on) of the operating system on which the executable runs, unless that component itself accompanies the
executable.
If distribution of executable or object code is made by offering access to copy from a designated place,
then offering equivalent access to copy the source code from the same place counts as distribution of the
source code, even though third parties are not compelled to copy the source along with the object code.
4 You may not copy, modify, sublicense, or distribute the Program except as expressly provided under
this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will
automatically terminate your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so long as such parties remain
in full compliance.
5 You are not required to accept this License, since you have not signed it. However, nothing else grants
you permission to modify or distribute the Program or its derivative works. These actions are prohibited
by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any
work based on the Program), you indicate your acceptance of this License to do so, and all its terms and
conditions for copying, distributing or modifying the Program or works based on it.
6 Each time you redistribute the Program (or any work based on the Program), the recipient automati-
cally receives a license from the original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further restrictions on the recipients exercise of the
rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7 If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or other-
wise) that contradict the conditions of this License, they do not excuse you from the conditions of this
License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and
any other pertinent obligations, then as a consequence you may not distribute the Program at all. For
example, if a patent license would not permit royalty-free redistribution of the Program by all those who
receive copies directly or indirectly through you, then the only way you could satisfy both it and this
License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the
balance of the section is intended to apply and the section as a whole is intended to apply in other circum-
stances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or
to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the
free software distribution system, which is implemented by public license practices. Many people have
made generous contributions to the wide range of software distributed through that system in reliance on
consistent application of that system; it is up to the author/donor to decide if he or she is willing to distrib-
ute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this
License.
8 If the distribution and/or use of the Program is restricted in certain countries either by patents or by
copyrighted interfaces, the original copyright holder who places the Program under this License may add
an explicit geographical distribution limitation excluding those countries, so that distribution is permitted
only in or among countries not thus excluded. In such case, this License incorporates the limitation as if
written in the body of this License.
9 The Free Software Foundation may publish revised and/or new versions of the General Public License
from time to time. Such new versions will be similar in spirit to the present version, but may differ in
detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this
License which applies to it and any later version, you have the option of following the terms and condi-
tions either of that version or of any later version published by the Free Software Foundation. If the
Program does not specify a version number of this License, you may choose any version ever published by
the Free Software Foundation.
10 If you wish to incorporate parts of the Program into other free programs whose distribution conditions
are different, write to the author to ask for permission. For software which is copyrighted by the Free Soft-
ware Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our
decision will be guided by the two goals of preserving the free status of all derivatives of our free soft-
ware and of promoting the sharing and reuse of software generally.
NO WARRANTY
11 BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR
THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO
THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARIS-
ING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT
LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES
SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE
WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
E. University of California
Provided with this product is certain TCP input and Telnet client software developed by the University of
California, Berkeley.
F. Carnegie-Mellon University
Provided with this product is certain BOOTP Relay software developed by Carnegie-Mellon University.
G. Random.c
PR 30872 B Kesner created May 5 2000
PR 30872 B Kesner June 16 2000 moved batch_entropy_process to own task iWhirlpool to make code
more efficient
random.c -- A strong random number generator
Version 1.89, last modified 19-Sep-99
Copyright Theodore Tso, 1994, 1995, 1996, 1997, 1998, 1999. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, and the entire permission notice
in its entirety, including the disclaimer of warranties.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software
without specific prior written permission. ALTERNATIVELY, this product may be distributed under the
terms of the GNU Public License, in which case the provisions of the GPL are required INSTEAD OF the
above restrictions. (This clause is necessary due to a potential bad interaction between the GPL and the
restrictions contained in a BSD-style copyright.)
THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF WHICH ARE HEREBY DISCLAIMED. IN
NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROF-
ITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABIL-
ITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF NOT
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
H. Apptitude, Inc.
Provided with this product is certain network monitoring software (MeterWorks/RMON) licensed from
Apptitude, Inc., whose copyright notice is as follows: Copyright (C) 1997-1999 by Apptitude, Inc. All
Rights Reserved. Licensee is notified that Apptitude, Inc. (formerly, Technically Elite, Inc.), a California
corporation with principal offices at 6330 San Ignacio Avenue, San Jose, California, is a third party bene-
ficiary to the Software License Agreement. The provisions of the Software License Agreement as applied
to MeterWorks/RMON are made expressly for the benefit of Apptitude, Inc., and are enforceable by
Apptitude, Inc. in addition to AII. IN NO EVENT SHALL APPTITUDE, INC. OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES, INCLUDING COSTS OF PROCUREMENT OF SUBSTITUTE
PRODUCTS OR SERVICES, LOST PROFITS, OR ANY SPECIAL, INDIRECT, CONSEQUENTIAL
OR INCIDENTAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
ARISING IN ANY WAY OUT OF THIS AGREEMENT.
I. Agranat
Provided with this product is certain web server software (EMWEB PRODUCT) licensed from Agranat
Systems, Inc. (Agranat). Agranat has granted to AII certain warranties of performance, which warran-
ties [or portion thereof] AII now extends to Licensee. IN NO EVENT, HOWEVER, SHALL AGRANAT
BE LIABLE TO LICENSEE FOR ANY INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES
OF LICENSEE OR A THIRD PARTY AGAINST LICENSEE ARISING OUT OF, OR IN CONNEC-
TION WITH, THIS DISTRIBUTION OF EMWEB PRODUCT TO LICENSEE. In case of any termina-
tion of the Software License Agreement between AII and Licensee, Licensee shall immediately return the
EMWEB Product and any back-up copy to AII, and will certify to AII in writing that all EMWEB Prod-
uct components and any copies of the software have been returned or erased by the memory of Licensees
computer or made non-readable.
lacp agg actor port priority command 14-22 learned MAC addresses 2-4
lacp agg actor system id command 14-20 static MAC addresses 2-4
lacp agg actor system priority command 14-21 MAC address VLAN rules 9-6
lacp agg partner admin key command 14-25 MAC addresses
lacp agg partner admin port command 14-27 aging time 2-6, 6-18
lacp agg partner admin port priority command 14-27 dynamic link aggregation 14-16, 14-18, 14-20, 14-25
lacp agg partner admin state command 14-23 learned 2-4
lacp agg partner admin system id command 14-25 statically assigned 2-4
lacp agg partner admin system priority command 14-26 mac-address-table command 2-4
lacp linkagg actor admin key command 14-15 mac-address-table-aging-time command 2-6
lacp linkagg actor system id command 14-16 map groups 26-44
lacp linkagg actor system priority command 14-16 application 26-53
lacp linkagg admin state command 14-15 how to create 26-45
lacp linkagg name command 14-14 verify information about 26-46
lacp linkagg partner admin key command 14-17 master router
lacp linkagg partner system id command 14-18 VRRP 19-5
lacp linkagg partner system priority command 14-17 mobile port properties 7-16
lacp linkagg size command 14-4, 14-11 authentication 7-17
Layer 2 BPDU ignore 7-11
statistics counters 1-9 default VLAN membership 7-12
Layer 2 Authentication restore default VLAN 7-12
see authenticated VLANs mobile ports 7-11
LDAP accounting servers application examples 7-3, 7-6, 7-8
dynamic log 21-24 authentication 5-11
standard attributes 21-22 defaults 7-2
used for authenticated VLANs 22-35 dynamic VLAN port assignment 7-4, 7-12
LDAP authentication servers secondary VLANs 7-13
directory entries 21-17 trusted 26-5, 26-22
functional privileges 21-21 VLAN rules 9-1
passwords for 21-20
schema extensions 21-17
N
SNMP attributes on authentication servers 21-22
network address VLAN rules 9-6
SSL 21-26
non combo ports
VSAs for Authenticated Switch Access 21-21
configuring 1-13
LDAP servers
Novell
see policy servers
IPX 20-1
used for QoS policies 24-3
Learned Port Security
defaults 4-2 O
Lightweight Directory Access Protocol OSPF 16-4
see LDAP servers
line speed 1-14, 1-21
link aggregation
P
802.1Q 11-5 pending configuration 26-47
dynamic link aggregation 14-1 pending policies
enabling tagging 11-5 deleting 26-48
Spanning Tree parameters 6-24, 6-25, 6-27, 6-28, 6-30 testing 26-33
static link aggregation 13-1 Per VLAN DHCP 18-9
logged events PIM-SM 28-7
detail level 26-15 ping
sent to PolicyView 26-15 IP 12-23
types of events 26-14 IPX 20-10
ping command 12-23
ping ipx command 20-10
M policies
MAC address table 2-1, 2-4 application examples 26-50
aging time 2-6 applied 26-47
duplicate MAC addresses 2-4 built-in 26-11
conditions 26-27
802.1w rapid reconfiguration protocol 6-14 static VLAN port assignment 7-4
automatic VLAN containment 6-20 STP
forward delay time 6-18 see Spanning Tree Algorithm and Protocol
hello time 6-16 subnet mask 12-10
maximum age time 6-17 switch health
priority 6-15 application examples 29-13
Spanning Tree port parameters 6-21 defaults 29-13
connection type 6-29 monitoring 29-39
link aggregate ports 6-24, 6-25, 6-27, 6-28, 6-30 specifications 29-12
mode 6-28 switch health statistics
path cost 6-25 resetting 29-45
priority 6-24 viewing 29-44
specification switch logging
IPv6 15-2 application examples 30-4
specifications application ID 30-6
802.1Q 11-2 defaults 30-3
dynamic link aggregation 14-2 output 30-9
Ethernet 1-2 severity level 30-8
interswitch protocols 10-2 specifications 30-2
IP 12-2 status 30-10
IPX 20-2 swlog appid level command 30-6
Port Mapping 8-2 swlog clear command 30-11
port mirroring 29-3 swlog command 30-4, 30-6
port monitoring 29-5, 29-7 swlog output command 30-9
RDP 17-2 swlog output flash file-size command 30-11
RIP 16-2
RMON 29-10
T
static link aggregation 13-2
TCN BPDU
switch health 29-12
see Topology Change Notification BPDU
switch logging 30-2
TCP
SPX 20-5
statistics 12-24
SSL
Telnet
for LDAP authentication servers 21-26
authentication client 22-7
policy servers 24-6
Timers
static agg agg num command 13-3, 13-9
RIP and SAP 20-9
static link aggregation 13-1
time-to-live
adding ports 13-9
see TTL
application examples 13-3, 13-11
Topology Change Notification BPDU 6-7
configuration steps 13-7
ToS
creating 13-8
trusted ports 26-22
defaults 13-2
traceroute command 12-24
deleting 13-8
tracking
deleting ports 13-9
VRRP 19-7
disabling 13-10
traffic prioritization 26-50
enabling 13-10
trap port link command 1-8
group names 13-10
traps
groups 13-5, 14-7
port link messages 1-8
overview 13-5, 14-7
trusted ports
specifications 13-2
see also ports
verify information about 13-12
used with QoS policies 26-23
static linkagg admin state command 13-10
TTL value 12-14
static linkagg name command 13-10
Tunneling 15-7
static linkagg size command 13-3, 13-8
Type-20 Packet Forwarding 20-8
static MAC addresses 2-4
static route
IP 12-10 U
IPX 20-8 UDP 12-24
metric 12-10 statistics 12-24
subnet mask 12-10