contents 3026-48dc_manual.pdf · contents chapter 1. introduction to the products ..... 5 1.1...


Contents

Chapter 1. Introduction to the products
  1.1 Product Overview
  1.2 Product Characteristics
  1.3 Standard Protocols supported
  1.4 Description of Functionality
  1.5 Front Panel
  1.6 Back Panel
Chapter 2. Installation and Startup
  2.1 Installation preparation
  2.2 Installation steps
  2.3 Power on procedure
  2.4 Connecting steps
  2.5 Introduction to bootrom startup options
  2.6 Next Step
Chapter 1. Configure functionalities of common usage
  1.1 Basic configuration of the system
  1.2 File management configuration
  1.3 Software upgrading
Chapter 2. Port Configuration
  2.1 Common configuration for ports
  2.2 MIRROR configuration
  2.3 TRUNK configuration
  2.4 STORM-CONTROL configuration
  2.5 Separated port configuration
  2.6 Jumbo frame port configuration
  2.7 Configuration examples
Chapter 3. VLAN Configuration
  3.1 Introduction to VLAN
  3.2 VLAN configuration
  3.3 VLAN examples
Chapter 4. Private VLAN configuration
  4.1 Introduction to private VLAN group
  4.2 Private VLAN configuration
  4.3 Private VLAN configuration examples
Chapter 5. STP Configuration
  5.1 STP introduction
  5.2 STP configuration
  5.3 STP examples
Chapter 6. Layer 2 Static Multicast Configuration
  6.1 Introduction to Layer 2 static multicast
  6.2 Layer 2 static multicast configuration
  6.3 Layer 2 static multicast configuration examples
Chapter 7. IGMP SNOOPING configuration
  7.1 Introduction to IGMP SNOOPING
  7.2 IGMP SNOOPING configuration
Chapter 8. Configuration AAA
  8.1 Introduction to 802.1x
  8.2 Introduction to RADIUS
  8.3 Configuration of 802.1x
  8.4 Configure RADIUS
Chapter 9. Configure MAC Binding
  9.1 Introduction to MAC binding
  9.2 MAC binding configuration
  9.3 MAC Binding Configuration Showing
Chapter 10. Configuration IP Binding
  10.1 Introduction to IP Binding
  10.2 Configuration of IP Binding
  10.3 Sample of IP Binding Configuration
Chapter 11. Configuration of ACL
  11.1 Introduction to ACL resource bank
  11.2 Introduction to ACL filtration
  11.3 Configuration of ACL Resource Bank
  11.4 Configuration of ACL Filtration
Chapter 12. Configuration of QoS
  12.1 Introduction to QoS
  12.2 QoS Configuration
  12.3 Sample for QoS Configuration
Chapter 13. Configure IP Route
  13.1 Introduction to IP Route
  13.2 ARP Configuration
  13.3 Configure Static Route
Chapter 14. Configure IGMP
  14.1 Definitions of IGMP
  14.2 IGMP Protocol Realization
  14.3 IGMP Configuration
Chapter 15. Configure Management Service
  15.1 Introduction to Management Service
  15.2 Management Service Configuration
Chapter 16. Configure SNMP and RMON
  16.1 Introduction to SNMP
  16.2 Introduction to RMON
  16.3 SNMP Configuration
  16.4 RMON Configuration
Chapter 17. Configure debugging instrument
  17.1 The Introduction to Debugging Instruments
  17.2 The configure of debug instruments
Chapter 18. WEB page configuration
  18.1 WEB Page Summary
  18.2 Introduction to WEB page
Appendix A. Parameters Of Product Character
Appendix B. Interface And Reticle Technical Instructions


Part 1 Hardware Operation


Chapter 1. Introduction to the products

This chapter mainly includes the description of the front panel and back panel of the iSpirit 3026 switch, its functionality characteristics and the standards that it supports. There are also some application examples in this chapter.

Chapter Index:

1. Product Overview
2. Product Characteristics
3. Standard Protocols
4. Description of functionality
5. Front Panel
6. Back Panel

1.1 Product Overview

The iSpirit 3026 switch of UTStarcom is a manageable, smart 1000 Megabytes layer-2 switch. It can be used for edge access or aggregation in networks of various sizes. Supported features include 802.1Q VLAN, a complete 802.1D tree protocol, port-bandwidth constraint, ACL, etc. It also supports dynamic layer-3 routing protocols including RIPv1 and RIPv2, and thus provides smart multi-layer switching solutions with a high price-performance ratio for networks of various sizes.

The iSpirit 3026 switch has a 200MHz CPU and 32MB SDRAM, and provides 24 10/100Base-T ports and 2 additional expansion ports, each of which can take a 1000M fiber module or a 10/100Base-T auto-negotiating RJ45 module. All ports support non-blocking full-speed layer 2 switching. The backplane bandwidth is 16Gbps and the packet capacity is 6.6 Mpps.

The iSpirit 3026 switch also integrates a series of patented UTStarcom technologies, including Hyper-Safety, Hyper-Management, Hyper-Redundancy and Hyper-Watch, i.e., the five Hyper technologies. It can be managed with the CLI through the console or telnet, or through the web, which has a graphical interface. With an advanced embedded operating system, the iSpirit 3026 switch can be used to build a high-speed, safe, convenient and highly dependable information network. The appearance of the iSpirit 3026 switch is shown in Figure1-1.

Figure1-1.iSpirit 3026 switch model


1.2 Product Characteristics

1.2.1 Technology Features

10/100Mbps ports which auto-negotiate with either direct-connect cables or cross-over cables;

10/100Mbps ports which auto-negotiate and can be either in full-duplex mode or in half-duplex mode;

Modules supported: 100M single-mode or multi-mode fiber modules, 1000M single-mode or multi-mode fiber modules and 10/100/1000Base-T copper modules;

Supporting super-long cable, with a maximum CAT5 cable length of 140 meters;

Auto source address learning;

8K ARL table;

Providing flow control, and supporting IEEE802.3X Head Of Line block and backpressure;

Providing 4 priority queues and 802.1p priority match, thus providing flexible priority control at port level for multimedia and other kinds of data transmission;

Supporting port binding with network adaptors, thus providing safe access;

Supporting port trunking, with a maximum of 6 groups, each of which supports a maximum of 8 ports of the same speed;

VLAN support: both port-based VLAN and 802.1Q tagged VLAN, with a maximum configuration of 256 VLANs;

Supporting STP protocol;

Supporting MIB II and RMON, which has 4 different styles (Statistics, History, Alarm and Event);

LED status indicator lights with 4 modes;

Static routing function;

Supporting IGMP snooping;

Supporting Xmodem software upgrading;

Supporting 802.1x authentication protocol.

1.2.2 Application Features

1. 100M and 1000M combination technology

The iSpirit 3026 switch supports fast Ethernet and 1000M Ethernet link aggregation, which allows network administrators either to aggregate 8 10/100 ports into one communication tunnel, with a maximum of 6 trunk groups, or to aggregate 2 Gigabit Ethernet ports into one up-link communication tunnel.

2. Safety Feature

The iSpirit 3026 switch supports static configuration of the ARL table and MAC address binding with ports, and thus provides a MAC access filter. The unique Hyper-safety technology can also prevent forbidden or unauthorized users from accessing network resources.

3. Powerful network management

The iSpirit 3026 switch uses Hyper-management technology, which gives it a very powerful management capability:

(1) it can be configured through Console and Telnet with menu or CLI commands;

(2) it can be managed with SNMP-based network management software;

(3) it can be configured through the web with a graphical interface, which is convenient, powerful and easy;

(4) it embeds multiple network management agents, including Bridge MIB, MIB II, Entity MIB version 2, RMON MIB and Proprietary MIB;

(5) it supports 4 groups of RMON network management protocols (1, 2, 3, 9), providing various information including statistics, history, warning and event information;

(6) its software is easy to upgrade: the in-band TFTP protocol can be used for upgrading.

4. VLAN

The iSpirit 3026 switch supports port-based VLAN which conforms to 802.1Q standard.

1.3 Standard Protocols supported

Standard protocols supported by the iSpirit 3026 switch are shown in Table1-1.

Table1-1:

Protocols                            References
Bridge (tree protocol)               IEEE802.1d
Ethernet                             IEEE802.3
Fast-Ethernet                        IEEE802.3u
Complete full-duplex flow control    IEEE802.3x
1000M Ethernet                       IEEE802.3z
Link Aggregation                     IEEE802.3ad
VLAN                                 IEEE802.1Q
UDP                                  RFC 768, 950, 1071
TCP                                  RFC 793
TFTP                                 RFC 783
IP                                   RFC 791
ICMP                                 RFC 792
ARP                                  RFC 826
Telnet                               RFC 854 ~ RFC 859
SMI                                  RFC 1155
SNMP                                 RFC 1157
MIBII                                RFC 1213 & RFC 1573
Ether-like MIB                       RFC 1398
Bridge MIB                           RFC 1493
Ether-like MIB                       RFC 1643
RMON                                 RFC 1757
IGMPv2                               RFC 1112

1.4 Description of Functionality

1.4.1 Port Trunking

Port Trunking is a technology which aggregates network traffic over a group of ports, thus providing a high-bandwidth, error-free communication channel between switches. Network flows can be distributed evenly between the channels, which provides load balancing. Port trunking is supported by the iSpirit 3026 switch. Multiple physical ports can be combined into one logical port through port trunking.

Features:

(1) If one port in the trunk group blocks or breaks down, data packets will be redistributed evenly to other ports in the group;

(2) If the malfunctioning port goes back to normal, data packets will again be redistributed among all ports in the group;

(3) Port trunking provided by the iSpirit 3026 switch is compatible with that provided by Intel and Cisco.


1.4.2 VLAN

1. VLAN introduction

A VLAN is used to group transmission devices of all kinds within one physical local network. Any combination of ports on a switch (including all ports) can be viewed as one VLAN. VLAN assignment is not limited by the physical connection between hardware devices; users can configure VLANs flexibly by assigning different ports to different VLANs.

VLAN can relieve you from the restriction of physical connection when creating a broadcast domain. A VLAN is just a set of local network devices which are independent of the physical network topology. When they communicate with each other, all devices that belong to one VLAN appear to be in the same physical local network, no matter how they are connected. The main functionality of VLAN is as follows:

(1) It can be used to constrain broadcasts by controlling their range. Here is an example: suppose a device in the “Research Department” VLAN broadcasts a data packet; then only devices in the “Research Department” VLAN can receive this packet, and devices in other departments won’t receive it;

(2) It provides additional safety. Communication between different VLANs can only be achieved through layer 3 transmission, instead of direct communication;

(3) It makes it easy to move and manage devices in the network.

In a word, VLAN is for the creation of layer 3 logical broadcast domains; a VLAN can be set up either on one switch or across multiple switches. VLANs can be used to logically separate devices in one network with the same subnet address into multiple broadcast domains, thus avoiding broadcast storms.

2. VLAN categorization

The iSpirit 3026 switch supports port-based VLAN, which allocates a set of ports on one or more switches into one logical group; this is the easiest and most efficient way. Network administrators only need to assign a specific VLAN to a port, without considering the device connected to it. IEEE802.1Q is an international standard for port-based VLAN on Ethernet switches. It allows devices from different vendors to be used together: they understand each other's VLAN configurations and can therefore communicate with each other. According to IEEE802.1Q, a port can be assigned as Tagged or Untagged, which determines whether the device that the port connects can support frames with an 802.1Q Tag header or not. The ports on the iSpirit 3026 switch can belong to multiple Tagged VLANs (identified by VLAN IDs) and one Untagged VLAN. The range for VLAN IDs is from 1 to 4094. The iSpirit 3026 switch can have as many as 256 VLANs.

3. The application of tagged VLAN

Tagging is mostly used for VLAN configuration across multiple switches, where the connection between switches is usually called a “relay”. With tagging, a VLAN can be created among multiple switches through one or more relays. Another advantage of tagging is that a port can belong to multiple VLANs, which is very useful when you have a device (such as a server) that needs to belong to multiple VLANs; the device must then have a network interface card which supports 802.1Q.

4. VLAN tag assignment

Every VLAN can be assigned an 802.1Q VLAN tag. When a port is added to a VLAN with an 802.1Q tag, you choose whether the port uses the VLAN tag. By default all ports on a switch belong to a default VLAN, but they don’t use the VLAN ID of this default VLAN; it is not necessary for all ports to use a VLAN tag. When data packets are transmitted out of a port, the switch determines whether to add or remove the VLAN tag based on the VLAN configuration of the port.

5. Co-usage of tagged VLAN and port-based VLAN

You can use Tagged VLAN and Port-based VLAN together. A port can belong to multiple VLANs, provided that it belongs to only one untagged VLAN. In other words, a port can belong to one Port-based VLAN and multiple Tagged VLANs.
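The tagging rules of items 2 to 5 above can be checked with a small model. The following Python code is an added example, not taken from the manual or from the switch software; the class and function names, the port numbers and the sample frame are constructed for illustration, and only egress handling is modeled.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that marks an 802.1Q tag
VID_MIN, VID_MAX = 1, 4094     # VLAN ID range given in the manual
MAX_VLANS = 256                # VLAN limit given in the manual

# Constructed sample frame: broadcast destination, made-up source MAC, IPv4 type.
FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"constructed payload"


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the destination and source MACs."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN ID {vid} is outside {VID_MIN}-{VID_MAX}")
    if not 0 <= pcp <= 7:
        raise ValueError(f"priority {pcp} is outside 0-7")
    tci = (pcp << 13) | vid    # PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame: bytes):
    """Return (vid, frame_without_tag); vid is None for an untagged frame."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class VlanSwitch:
    """Hypothetical model of per-port VLAN membership as the manual describes it."""

    def __init__(self):
        self.vlans = set()
        self.untagged = {}     # port -> its single untagged VLAN ID
        self.tagged = {}       # port -> set of tagged VLAN IDs

    def create_vlan(self, vid: int) -> None:
        if not VID_MIN <= vid <= VID_MAX:
            raise ValueError(f"VLAN ID {vid} is outside {VID_MIN}-{VID_MAX}")
        if vid not in self.vlans and len(self.vlans) >= MAX_VLANS:
            raise ValueError(f"no more than {MAX_VLANS} VLANs can be configured")
        self.vlans.add(vid)

    def add_port(self, port: int, vid: int, tagged: bool) -> None:
        if vid not in self.vlans:
            raise ValueError(f"VLAN {vid} does not exist")
        if tagged:
            if self.untagged.get(port) == vid:
                raise ValueError(f"port {port} is already untagged in VLAN {vid}")
            self.tagged.setdefault(port, set()).add(vid)
            return
        current = self.untagged.get(port)
        if current is not None and current != vid:
            # A port may belong to many tagged VLANs but only one untagged VLAN.
            raise ValueError(f"port {port} already has untagged VLAN {current}")
        if vid in self.tagged.get(port, set()):
            raise ValueError(f"port {port} is already tagged in VLAN {vid}")
        self.untagged[port] = vid

    def egress(self, port: int, vid: int, frame: bytes):
        """Frame as sent out of `port` for VLAN `vid`, or None if not a member."""
        if vid in self.tagged.get(port, set()):
            return add_tag(frame, vid)     # tagged member: tag is added
        if self.untagged.get(port) == vid:
            return frame                   # untagged member: sent without a tag
        return None                        # not a member: frame stays inside its VLAN


def build_example_switch() -> VlanSwitch:
    """Port 1 is a relay/server port (VLAN 1 untagged, 10 and 20 tagged); port 2 is in VLAN 10."""
    sw = VlanSwitch()
    for vid in (1, 10, 20):
        sw.create_vlan(vid)
    sw.add_port(1, 1, tagged=False)
    sw.add_port(1, 10, tagged=True)
    sw.add_port(1, 20, tagged=True)
    sw.add_port(2, 10, tagged=False)
    return sw


if __name__ == "__main__":
    sw = build_example_switch()
    for port, vid in ((1, 10), (1, 1), (2, 10), (2, 20)):
        out = sw.egress(port, vid, FRAME)
        print(port, vid, "dropped" if out is None else read_tag(out)[0])
```
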

1.4.3 STP(Spanning Tree Protocol)

The iSpirit 3026 switch supports the STP protocol of the IEEE802.1d standard. STP runs on bridges and switches; it is a layer 2 protocol and is compatible with the 802.1d standard. STP provides dynamic switching between redundant devices in the network, so you can set up backup communication channels in the network using STP, which guarantees that:

(1) The backup channel is closed when the main channel is working normally;

(2) When the main channel breaks down, the backup channel is activated automatically, so that the data flow is transmitted over the backup channel and the device still works normally.

STP can therefore also avoid loops when redundancy exists in the network topology. On the one hand, a loop will cause critical damage to the network; on the other hand, it is very important to have a backup channel.

1.4.4 ARL table

ARL means Address Resolution Login; it is the core component for forwarding packets in a Layer 2 switch. The iSpirit 3026 switch stores unicast and multicast entries in separate tables, named arl and marl respectively. The hardware searches the arl table and the marl table for the matching entry using the destination MAC address of a data packet, and then outputs the packet to the port identified by the entry. Table entries can be learned by the switch automatically from traffic arriving on input ports, or can be added to the arl and marl tables by network administrators.

1.5 Front Panel

The front panel of the iSpirit 3026 switch has 24 10/100Base-T RJ-45 ports, 2 extendible slots, port LED status indicator lights, mode LED indicator lights, mode switches, etc. It is shown in Figure1-2.

Figure1-2.The front panel of the iSpirit 3026 switch

1.5.1 10/100Base-T ports

The longest cord length for 10/100Base-T ports is 140 meters. Network devices they can connect include:

10Base-T compatible devices, such as work stations and concentrators connected through RJ-45 interfaces using CAT3, CAT4, CAT5 or CAT5E cord;

100Base-TX compatible devices, such as those connected through RJ-45 interfaces using CAT5 or CAT5E cord, including high-speed work stations, servers, routers, concentrators or other switches.

Notes:

(1) CAT3 and CAT4 cord can only allow 10Mbps data flow, while CAT5 and CAT5E can have 100Mbps;

(2) 10/100Base-T ports can auto-negotiate using either direct-connect cable or crossover cable.

Furthermore, you can set the 10/100Base-T ports to half-duplex or full-duplex mode and to 10M or 100M, and combine the two settings as needed. You can also set the ports to auto-negotiate speed and duplex according to the IEEE802.3u standard. When a port is set to auto-negotiate, it learns the speed and duplex info of the connected device and informs that device of its own. If the connected device also auto-negotiates, the port tunes to the best connection, i.e., it sets the speed to the maximum both devices can support, and if the connected device supports full-duplex, it also uses full-duplex.

More Info: According to the IEEE802.3u standard, the auto-negotiation process needs both devices to communicate and negotiate with each other. We recommend that users set both connecting ports to auto-negotiate, to make sure the auto-negotiation function is able to tune the connection to the best status.

1.5.2 Extendible slots

The iSpirit 3026 switch has two extendible slots, which can use 100M single mode or multiple mode fiber modules, 1000M single mode or multiple mode fiber modules or 10/100/1000Base-T copper ports (shown in a previous chapter). The fiber configuration is shown in Table1-2.

Table1-2:

Fiber Module           Medium                  Wavelength   Max length supported
100M single mode       62.5um multiple mode    1300nm       20000m
                       50um multiple mode      1300nm       20000m
100M multiple mode     62.5um multiple mode    1300nm       2000m
                       50um multiple mode      1300nm       2000m
1000M single mode      62.5um multiple mode    1300nm       550m
                       50um multiple mode      1300nm       550m
                       10um single mode        1300nm       10000m
1000M multiple mode    62.5um multiple mode    850nm        220m
                       50um multiple mode      850nm        500m

Figure1-3.how to insert a module to the extendible slot

Figure1-3 shows how to insert a module into the extendible slot. Steps:

(1) insert the module into the slot along the track;

(2) make sure that the module is fully engaged with the slot;

(3) tighten the screws.

The steps for removing a module are as follows:

(1) unscrew both the left side and the right side, so that the module comes away from the panel;

(2) grasp the screws on the left and the right tightly, pull the module out evenly and separate it from the box.

Notes: Extendible modules don’t support hot-plug, so you must turn the power off before plugging or unplugging, otherwise the switch may be damaged.

1.5.3 10/100/1000Base-T ports

The maximum cable length for 10/100/1000Base-T ports is 140 meters. Devices they can connect include:

10Base-T compatible devices, such as work stations and concentrators connected through RJ-45 interfaces using CAT3, CAT4, CAT5 or CAT5E cord;

100Base-TX compatible devices, such as those connected through RJ-45 interfaces using CAT5 or CAT5E cord, including high-speed work stations, servers, routers, concentrators or other switches;

1000Base-TX compatible devices, such as those connected through RJ-45 interfaces using CAT5 or CAT5E cord, including 1000M work stations, servers, routers or other switches.

Notes: CAT3 and CAT4 cord can only allow 10Mbps data flow, while CAT5 and CAT5E can have 100Mbps and 1000Mbps.

1.5.4 LED status indicator lights

Users can monitor the activity and performance of a switch through LED lights. Each port has a pair of lights for its link status and one mode light. Link-LED, mode-LED and mode switches are shown in Figure1-4.

Figure1-4.LED status indicator lights

1. Mode LED and mode switching

Users can press the mode button to make the mode LED show the related mode info. Users can choose among the modes ACT, SPD, DUPX and DIAG, which are explained in Table1-3.

Table1-3:

Mode LED   Port mode                       Description
ACT        data receiving/sending status   to show data receiving/sending status. It is the default mode.
SPD        speed                           speed: 10M, 100M or 1000Mbps
DUPX       duplex mode                     duplex mode: half or full
DIAG       diagnosis                       diagnose: to diagnose whether there is a problem

2. Port status LED

Table1-4 describes the color and related info of the port link status LEDs; Table1-6 explains the same info in different mode.

Table1-4: color info of port link status LED

Port              Color    Link status
Connecting port   none     connectionless
                  green    connected

Table1-5: color info of port status LED under different modes

Mode   Port                      Color            Status
ACT                              none             no data
                                 blinking green   in transmission
SPD    10/100Base-T ports        none             10Mbps
                                 green            100Mbps
       1000Base-X GBIC module    green            1000Mbps
       10/100/1000Base-T ports   none             10M or 100Mbps
                                 green            1000Mbps
DUPX   10/100Base-T ports        none             half-duplex
                                 green            full-duplex
       1000Base-X GBIC module    green            full-duplex
       10/100/1000Base-T ports   none             half-duplex
                                 green            full-duplex
DIAG                             none             normal
                                 blinking green   abnormal

1.6 Back Panel

There is a DC power plug and a UART console port, as shown in Figure1-5.


Figure1-5.iSpirit 3026 Back Panel

1.6.1 Power connection

The iSpirit 3026 switch supports 36V~72V DC power. An alternating current cable is needed to connect with the power outlet.

1.6.2 COM

Users can use the UART port and the supplied console cord (specifically for this purpose) to connect the switch with a PC in order to manage the switch. The pin description of the console cord is shown in Appendix B.


Chapter 2.Installation and Startup

This chapter discusses how to install and start the iSpirit 3026 switch correctly and how to use POST (Power On Self Test) to make sure the switch operates normally.

Chapter Index:

1. Help info before installation
2. Installation steps
3. Power on procedure
4. Explanation for bootrom startup options
5. Connecting steps


2.1 Installation preparation

Before installing, users should carefully read the following warning information. We are not responsible for any direct or indirect, intentional or unintentional damage or hidden problem due to incorrect installation.

Warning:
(1) Only trained and certified specialists may install or change the device;
(2) Users should read this manual carefully before powering on the switch;
(3) Before working on a powered-on device, users should remove any metal accessories (such as rings, necklaces and watches), since metal accessories heat up quickly when they touch both the power and the ground, which may burn you badly or melt the accessories onto the switch;
(4) Don’t put the box on top of other devices. If it falls, it may hurt someone or damage devices;
(5) Users should make sure they can shut down the switch conveniently;
(6) To keep the switch from overheating, don’t run it in an environment above the suggested 45 degrees centigrade (113 degrees Fahrenheit). To avoid limiting ventilation, don’t put anything within 7.6cm (3 inches) of the ventilation intake;
(7) The iSpirit 3026 switch works normally in a TN power system;
(8) When installing the device, the ground cord should be connected first and unplugged last;
(9) The device relies on the existing short-circuit protection of the building, so make sure fuses or turn-off switches are already installed;
(10) The device needs to be grounded, so make sure that it stays connected to the ground during normal operation;
(11) Be careful when turning on the switch to avoid overloading the power system;
(12) A mismatched voltage can either damage the device or set off a fire. If the voltage requirement on the device label doesn’t match the power supply, don’t connect them;
(13) If there is no power on/off button on the device, you need to unplug the power cable to restart the switch;
(14) Don’t touch the power supply in the switch before unplugging the power cord. For a device with an on/off button, if the power cord is still connected but the device has already been turned off, there is still voltage in the cord; the same applies to a device without an on/off button;
(15) Don’t operate on the device or connect/disconnect it during flashing;
(16) The handling of the device conforms to related national laws.

2.1.1 Guideline for installation

The switch can be installed on a desk, in a rack, in a cabinet or on the wall. Before installation, you need to turn on the switch and run POST to make sure it works fine. Please see “Power on procedure” for more details.

Warning: there are no backup accessories. Unscrewing, opening the box or disassembling the switch without formal permission may invalidate the repair service guarantee.

Guideline for installation location

Please refer to the following information when you choose a location for the switch:

(1) The longest cable length is 140 meters for connecting from a 10/100Base-T port or a 10/100/1000Base-T port;
(2) The longest cable length is 10,000 meters for connecting from a 1000Base-X port;
(3) The cable should be kept away from any source of electromagnetic disturbance, such as a radio, power supply cord or a fluorescent light;
(4) The space requirement for the front and back panels is as follows:
Users can clearly see the LEDs on the front panel;
Users can reach the ports conveniently so that cords can be plugged/unplugged easily;
The power outlet can be connected with the power supply using the power cord;
There is no obstruction within 3 inches of the ventilation intake at the back panel;
(5) The required environment condition is explained in Appendix A;
(6) There should be no obstruction around the switch and the ventilation intake;
(7) The temperature around the switch should be lower than 40 degrees centigrade.

Notes: The switch will have a higher temperature than normal if it’s installed in a closed multi-layer cabinet.


2.2 Installation steps

2.2.1 Install on a desk and in a rack

When you install the switch on a desk or in a rack, please refer to the following steps:
(1) Four rubber pads with adhesive tape are provided with the switch. Peel off the adhesive tape and stick the pads to the recessed positions at the bottom of the switch;
(2) Put the switch on the desk or in the rack near a DC power supply;
(3) Plug in the power cord. After it is turned on, the system will run POST; please refer to “Power on procedure” for more information.

2.2.2 Install in a cabinet

Warning: To avoid injury during installation or operation, users should use an effective method to stabilize the switch. Please refer to the following guidelines for safety:

(1) If there is only one device in the cabinet, install it at the bottom of the cabinet;
(2) If there are more, install them from bottom to top in order of decreasing weight;
(3) If there is fixing equipment in the cabinet, please install it first before installing the switch;

The supplied accessories for installation in a cabinet can be used for cabinets of 19 inches or 24 inches. The installation position is shown in Figure2-1.

Figure2-1. the installation position

Please refer to the following steps for installing in a 19 inches or 24 inches standard cabinet:

(1) Unscrew the switch;
(2) Put the flanges on the cabinet;
(3) Install the switch into the cabinet.

Figure2-2. the installation position

1.Put the flanges on the cabinet

The direction of the flanges and the choice of screws depend on whether a 19 inches or 24 inches cabinet is chosen. Please refer to the following guideline to install two screws on each flange:
(1) For the 19 inches cabinet, put the longer edge of the flange on the switch using supplied screws;
(2) For the 24 inches cabinet, put the shorter edge of the flange on the switch using supplied screws.
Figure2-3 and Figure2-4 show how to install the flanges at the front and back panel of the switch, respectively. You need to install simultaneously in reverse direction.

Figure2-3. how to install the flanges at the front panel of the switch


Figure2-4. how to install the flanges at the back panel of the switch

2.Install the switch into the cabinet

After installing the flanges on the switch, fix the flanges into the cabinet using the 4 supplied screws (as shown in Figure2-5), then plug the power cord into the switch. After it is turned on, the system will first run POST; please refer to “Power on procedure” for more information.

Figure2-5.Install the switch into the cabinet


2.2.3 Install the switch on a wall

Two steps are necessary to install the switch on a wall:
(1) Install the flanges onto the switch;
(2) Install the switch onto the wall;

1.Install the flanges onto the switch

Users can install the switch on the wall either horizontally or vertically based on their own choice. Horizontal/vertical installation: install the longer edge of the flanges onto the switch using supplied screws, and install the shorter on to the wall, as shown in Figure2-6.

Figure2-6.Install the flanges onto the switch

2.Install the switch onto the wall

To best support the switch and the network cable, users need to determine whether installing on a pilaster or on a board (shown in Figure2-7), and then plug the power cord.

Figure2-7.Install the switch onto the wall


2.3 Power on procedure

2.3.1 POST

After installation, a power supply is necessary to turn on the switch:
(1) Plug one end of the power cord into the power jack on the switch;
(2) Plug the other end of the power cord into a power supply jack.

After power on, all port status LEDs turn on and then go out within a second. The system then goes through POST (Power On Self Test), during which the port status LEDs light one by one. Once all LEDs are lit, the system has passed POST and the port LEDs start working in normal status. In ACT mode, if the LEDs are in good status, the switch is working normally. Please inform an authorized agent if your switch can’t pass POST.

2.4 Connecting steps

We’ll explain next how to connect a switch using the iSpirit 3026 switch as an example.

2.4.1 Connecting using the 10/100Mbps ports

10/100Mbps ports can be configured to use the same speed as the connected device. If the connected device doesn’t support auto-negotiation, users can set the speed or duplex mode by hand. Please refer to the following steps to connect a switch with a 10Base-T device or a 100Base-T device:

(1) For a 10Base-T device, connect it with an RJ-45 port on the front panel of the switch using a CAT3, CAT4, CAT5 or CAT5E direct-connected or crossover cable (as shown in Figure2-8). Pin settings are shown in Appendix B;
(2) Connect the other end of the cable to an RJ-45 port of the connected device. The corresponding port LEDs should turn on after the connection; if they don’t, the connected device may be powered off, there may be a problem with the cable, or the interface card may have a problem;
(3) If necessary you may need to reconfigure the switch and restart;
(4) Repeat steps 1-3 to connect other needed devices to 10/100Mbps ports.


Figure2-8.Connecting using the 10/100Mbps ports

2.4.2 Connecting module ports

As explained in Chapter 1, install a 100Base-X fiber module and a 1000Base-X fiber module using the extendible slots (can’t be hot-plugged).

Notes: Please don’t remove the rubber stopple (at the ends of a fiber cable) and the rubber lid (on the cable) before connecting, to avoid any stain or damage.

(1) Use a direct-connected CAT5 or CAT5E cable to connect work stations, servers or routers with RJ-45 ports at the front panel (as shown in Figure2-9), and use a crossover cable to connect with switches or concentrators. The pin description is shown in the appendixes;
(2) Connect the other end of the cable with the RJ-45 port of the connected device. The corresponding port LEDs should turn on after the connection; if they don’t, the connected device may be powered off, there may be a problem with the cable, or the interface card may have a problem;
(3) If necessary you may need to reconfigure the switch and restart;
(4) Repeat steps 1-3 for other devices to 10/100/1000Base-T ports.

Figure2-9.servers or routers with RJ-45 ports at the front panel


2.4.3 Connecting using the console port

Connect a PC or terminal with the console port using the supplied console cord (specifically for this purpose). More information for the console port and cord can be found in Appendix B.

The PC or terminal should support VT100 mode. The terminal software (such as Hyperterminal, an application software for PC) will create a communication channel between PC or terminal with the switch when starting up. Please refer to the following steps to connect a PC or terminal with the switch:

(1) Plug the supplied console cord into the UART console port on the switch as shown in Figure2-10. Pin description is in Appendix B;
(2) Plug the other end of the cord into a UART COM port on the PC;
(3) Start the terminal program (such as Hyperterminal) if you are using a PC or terminal;
(4) Configure the text mode of the PC or terminal, such that it is the same as the configuration of the console port of the switch:

Baud rate: 38400
Data bits: 8
Stop bit: 1
Checksum: none

2.5 Introduction to bootrom startup options

After power on, the system will go through the Bootrom startup procedure. Bootrom startup can happen in two ways: automatically or started by users.

2.5.1 Automatic startup

By default, after power on, the switch will enter automatic startup mode in 3 seconds without users’ intervention, then it will start the image program. The interface of waiting to enter startup mode is shown in Figure2-11.

Figure2-11. Automatic startup

2.5.2 Startup by users

At the interface of waiting to enter startup mode, users can type any key except “@” to make the system step into the Bootrom menu, which has a prompt of “[Switch Boot]”. At this prompt several commands are available, and you can type “?” to get help. Help information is shown in Figure2-12.


Figure2-12.Setup by users

Commands explanation:
?: to get help information
@: to start the image program
b<n>: to display or change the activated mode
p: to show startup parameters
c: to set startup parameters
P: to show all PCI devices

2.5.3 Upgrading Hyper OS using console port

At the prompt “[Switch Boot]:”, type a capital “§”. After a series of “§” signs are shown, choose the “transfer” option from the terminal menu, set the protocol parameter to 1K Xmodem, then click on the “transfer” button, which will start the downloading.

2.6 Next Step

Users can refer to the following chapters for more information on configuration and management.


Part 2 Software configuration manual


Chapter 1.Configure functionalities of common usage

In the iSpirit 3026 switch, some functionalities are simpler than others, but they are used often. They are introduced in this chapter.

Chapter Index:

1. Basic configuration of the system
2. File management configuration
3. Software upgrading


1.1 Basic configuration of the system

Users can use CLI commands in the overall configuration mode (Switch#). These commands are used for routine management of the switch, such as changing the password or showing the configuration information. The system starts in EXEC mode; type the command “enable” and then the password, and the switch will enter the overall configuration mode, shown as follows:
Switch>enable
Password:
Switch#

Commands list:

To set the IP address and netmask of VLAN1 on the switch:
ip address <ip-address> <subnet-mask>
Example: Switch# ip address 192.168.2.3 255.255.255.0

To set the default gateway:
ip gateway <gateway-address>
Example: Switch# ip gateway 192.168.2.1

To restart the switch:
Switch# reset

To restart the switch back to factory settings:
Switch# reset factory

To change the password, which needs to be typed twice. This is an interactive command:
Switch# password

To save configuration to flash:
Switch# save

To go back to the upper level. If the system is currently in overall configuration mode, it will go back to EXEC mode; if in EXEC mode, the command is just like a logout:
Switch# exit

To exit from the TELNET terminal. It is applicable to any CLI mode, but not useful in console terminal:
Switch# logout

To clear information on the screen:
Switch# cls


To test the network connectivity between the switch and the machine at the other end:
Switch# ping <remote-host>
Example: suppose the IP address of a switch is 198.168.80.1, which has a directly connected PC with IP address 198.168.80.72. To test the connectivity between the switch and the PC:
Switch# ping 198.168.80.72
If connected, it will show the connectivity as follows:
PING 198.168.80.72: 56 data bytes
64 bytes from host (198.168.80.72): icmp_seq=0. time=0. ms
64 bytes from host (198.168.80.72): icmp_seq=1. time=0. ms
64 bytes from host (198.168.80.72): icmp_seq=2. time=0. ms
64 bytes from host (198.168.80.72): icmp_seq=3. time=0. ms
64 bytes from host (198.168.80.72): icmp_seq=4. time=0. ms
--198.168.80.72 PING statistics--
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/3/16
If not connected, it will show as follows:
PING 198.168.80.72: 56 data bytes
no answer from 198.168.80.72

To show the last 20 commands:
Switch# show history

To show system information, including system description, product name, version, and startup time, etc.:
Switch# show system

To show some configuration information, including IP address, MAC, IP gateway and protocols startup information, etc.:
Switch# show system

To show console connection parameters:
Switch# show console

To show the height and width of the current terminal connection, i.e., the maximum number of characters that can be shown:
Switch# show terminal

To show IP information of VLAN1, including IP address, netmask and gateway:
Switch# show ip

To show version:
Switch# show version


To show all TCP and UDP connections:
Switch# show connection

To clear TELNET password:
Switch# clear telnet password

To get system time:
Switch# get time

To set idletime before automatic logout from CLI:
Switch# idletime <timeout>

To show idletime:
Switch# show idletime

To set system time:
Switch# set time

To set system prompt:
Switch# switchname <switch-name>

1.2 File management configuration

After changing the configuration, you should save it to flash so that the configuration still applies after a reset. Users can also download or upload the configuration file using TFTP.

1.Commands

Users can save the configuration under any CLI mode by typing the command “save”.

Under the overall configuration mode, you can back up the configuration file by uploading it to a host:
upload configuration <ip-address> <file-name>
ip-address: the IP address of the destination PC for uploading
name: configuration file name

Under the overall configuration mode, you can download a configuration file from a host:
download configuration <ip-address> <file-name>
ip-address: the IP address of the source PC for downloading
name: configuration file name
(You need to start the TFTP program on the PC before the downloading/uploading)

Notes: for the configuration file to take effect, the switch has to be restarted.


2.File uploading/downloading procedure

Steps:
(1) Set up the network environment. The PC host should be reachable from the switch that needs to back up its configuration file; you can use ping to test;
(2) Save the configuration file at the switch;
(3) Upload the file to the PC. At this point the backup procedure is finished; go to the next step if necessary;
(4) Download the backup configuration file to the switch.

Example: a switch has been configured with VLANs and interface addresses, and it needs to back up the configuration file:

Step 1: set up a network environment as shown in Figure1-1.

Figure1-1.Set up a networks environment

Use a console cord to connect the console port of the switch with a COM port on the PC, and also connect them with a network cable. Install the TFTP server program on the PC, and configure an IP address on the PC. Here suppose the IP address of the PC is 192.168.0.2. Then configure an IP address on the switch, supposing it’s 192.168.0.1.
Notes: PC IP address and switch IP address should belong to the same IP subnet.
To run the TFTP server, you need to set the path information for the configuration file. First, start the TFTP Server program. The interface is shown in Figure1-2;


Figure1-2.TFTP Server program

Then, set the path: Just click on the [Settings] button, a TFTPD32 configuration form will be shown as in Figure1-3.

Figure1-3.TFTP Server program configuration

In the “Base Directory” bar type the path, then click on the [OK] button to confirm;

Step 2: save the configuration to file at the switch
Under any CLI mode, just type the “save” command to save the configuration file.

Step 3: backup the file to the PC
Switch# upload configuration 192.168.0.2 backup
Uploading configuration…… Complete
Switch#

Step 4: Download the file to the switch if necessary
Switch# download configuration 192.168.0.2 backup
Do you wish to continue ?[Y/N]: y
Downloading configuration…… Complete.

Step 5: reset
Do you wish to continue? Y: yes; N: no

1.3 Software upgrading

The iSpirit 3026 switch supports online software upgrading. Upgrading is also done by TFTP.

1.Commands

Under overall configuration mode, you can upgrade the image file of the switch:
Switch# Download image <ip-address> <name>
ip-address: the IP address of the PC where the image file is stored;
name: the image file name.
During the downloading process, DO NOT turn off the power, otherwise you may damage the image file, and the switch may then not be able to restart. After downloading, you need to restart the switch for the new image file to take effect.

2.Software upgrading procedure

(Similar to that for configuration file downloading)

Steps:
(1) Set up the upgrading environment
Step 1: set up the network connection as shown in Figure1-4;


Figure1-4.Set up the net work connection

Step 2: connect the console port of the switch with a PC or terminal;
Step 3: install TFTP server on the PC (where the image file is saved);
Step 4: Copy the new image file to a directory on the PC, here suppose it’s C:\t;
Step 5: Configure an IP address of the PC, suppose it’s 192.168.0.2;
Step 6: Configure an IP address of the switch, suppose it’s `92.`68.0;
Notes: PC IP address and switch IP address should belong to the same IP subnet.

(2) Start TFTP server.
Step 1: start TFTP Server program. The interface is shown in Figure1-5.

Figure1-5.TFTP Server program


Step 2: set the path. After starting TFTP server program, set the path information and copy the new image file to this path. How: Just click on the [Settings] button, a TFTPD32 configuration form will be shown as in Figure1-6.

Figure1-6.TFTP Server program configuration

(3) Configure the switch
Step 1: connect the switch. Choose a vlan interface and connect it with the PC (on which the TFTP server program is running) using a network cable, and use the “ping” command to test the connection;
Step 2: Type the following CLI command on the switch and wait until the downloading process has finished.
Switch# download image 192.168.0.2 switch.img
Do you wish to continue ?[Y/N]: y
downloading image …… Complete.
Switch#
Notes: DO NOT turn off power during the process of downloading.
Step 3: restart the switch
Switch# reset
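TFTP carries no authentication or integrity protection, so a configuration backup or image file sitting in the TFTP base directory can be altered or replaced before the switch downloads it. The following Python sketch is an added example, not part of the manual: it records SHA-256 digests of the files after an upload and checks them before a download. The function names, the manifest file and the sample file contents are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large image files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record(base_dir: Path, manifest: Path) -> Dict[str, str]:
    """Store the digest of every file in the TFTP base directory.

    Keep the manifest outside the base directory: anything inside it
    can be overwritten by any TFTP client that can reach the server.
    """
    entries = {p.name: sha256_file(p)
               for p in sorted(base_dir.iterdir()) if p.is_file()}
    manifest.write_text(json.dumps(entries, indent=2))
    return entries


def verify(base_dir: Path, manifest: Path) -> Dict[str, List[str]]:
    """Compare the base directory with the manifest and report differences."""
    expected = json.loads(manifest.read_text())
    present = {p.name for p in base_dir.iterdir() if p.is_file()}
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for name, digest in sorted(expected.items()):
        if name not in present:
            report["missing"].append(name)
        elif sha256_file(base_dir / name) != digest:
            report["modified"].append(name)
    # Files nobody recorded may have been written by another TFTP client.
    report["unexpected"] = sorted(present - set(expected))
    return report


def safe_to_download(base_dir: Path, manifest: Path, filename: str) -> bool:
    """True only if the file is known to the manifest and still matches it."""
    expected = json.loads(manifest.read_text())
    target = base_dir / filename
    return (filename in expected and target.is_file()
            and sha256_file(target) == expected[filename])


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]], bool, bool]:
    """Constructed scenario using the file names from the examples above."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "tftp_root"
        base.mkdir()
        manifest = Path(tmp) / "manifest.json"      # outside the base directory
        (base / "backup").write_bytes(b"constructed switch configuration\n")
        (base / "switch.img").write_bytes(b"constructed image bytes\n")
        record(base, manifest)                      # right after the upload
        clean = verify(base, manifest)
        # Simulated tampering between upload and download.
        (base / "backup").write_bytes(b"constructed altered configuration\n")
        (base / "rogue.cfg").write_bytes(b"constructed extra file\n")
        tampered = verify(base, manifest)
        return (clean, tampered,
                safe_to_download(base, manifest, "backup"),
                safe_to_download(base, manifest, "switch.img"))


if __name__ == "__main__":
    clean, tampered, backup_ok, image_ok = demo()
    print("after upload:", clean)
    print("before download:", tampered)
    print("backup safe:", backup_ok, "| switch.img safe:", image_ok)
```

Run `record` once the upload or image copy is complete, and `safe_to_download` immediately before typing the download command on the switch.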


Chapter 2.Port Configuration

This chapter introduces port configuration.

Chapter Index:

1. Common configuration for ports
2. MIRROR configuration
3. TRUNK configuration
4. STORM-CONTROL configuration
5. Configuration examples


2.1 Common configuration for ports

Users can control connections through a port via port configuration; for example, they can disable the port so that no connections are allowed through it. This section introduces common configurations for ports, including:

Disabling and enabling a port
Setting port speed
Showing port information

1.Disabling and enabling a port

Ports on the iSpirit 3026 switch are enabled by default. If users want to deny any connection through a port, they can disable the port.

To enable one or multiple contiguous ports under PORT RANGE configuration mode:
enable

For example, to enable port 1 and port 2:
Switch(port1-2)# enable

To disable one or multiple contiguous ports under PORT RANGE configuration mode:
disable

For example, to disable port 1 and port 2:
Switch(port1-2)# disable

2.Setting port speed

By default the speed for all ports is auto-negotiable. For 1000M ports, they can be forced to be 10M half-duplex, 10M full-duplex, 100M half- or full-duplex.

To set speed under PORT RANGE configuration mode:
Speed <autonegotiate|half-10|full-10|half-100|full-100>

For example, to set port 1 and port 2 to be 100M half-duplex:
Switch(port1-2)# speed half-100

3.Showing port information

To show one or multiple contiguous ports information under the overall or PORT RANGE configuration mode:
show port <port|port1-port2>

For example, to show port 1 and port 2 information:
Switch# show port 1-2

2.2 MIRROR configuration

Mirror is a very useful functionality which can be used to monitor data packet flow through a port, both for receiving and sending. It can use the mirror port to monitor data packets of other mirrored ports. The iSpirit 3026 switch supports mirror functionality, and can mirror multiple ports simultaneously, both for in-packets and out-packets. This section describes mirror configuration:

Mirror Egress
Mirror Ingress
Mirror Port

1.Mirror Egress

Egress configuration sets egress ports, whose sent packets will be monitored.

2.Mirror Ingress

Ingress configuration sets ingress ports, whose received packets will be monitored.

3.Mirror Port

Mirror port configuration sets the port that’s used to monitor packets. The CLI command is interactive; users just need to type the port number.
Notes: (1) Mirror egress and mirror ingress can’t include the mirror port; (2) only one mirror port can be set.

2.3 TRUNK configuration

A trunk aggregates multiple ports into one logical port; it can be used to increase port bandwidth and to provide redundancy and load balancing. Trunk is a simple method for aggregating multiple ports into one. When the trunk is a logical destination port, the switch chooses one physical port to send packets on, based on the aggregation policy of the software. Trunk functionality and aggregation policy are implemented in software; if a trunk is used for redundancy, the software should also check port status and reorganize the trunk dynamically. All ports in a trunk group should have the same speed and be in full-duplex mode. Trunk is a layer 2 functionality and is supported by the iSpirit 3026 switch. The iSpirit 3026 switch can support 6 trunk groups, each of which can have a maximum of 8 ports, and each port can belong to only one trunk group. To set the load balance policy, we currently provide 6 options, which set the Rtag to 1-6:

1. load balance based on source MAC address for non-IP packets
2. load balance based on destination MAC address for non-IP packets
3. load balance based on the pair of source and destination MAC address for non-IP packets
4. load balance based on source MAC and source IP address for IP packets
5. load balance based on destination MAC and destination IP address for IP packets
6. load balance based on both of source and destination MAC and IP address for IP packets

This section will introduce the following information:

Trunk configuration
Trunk mcast configuration
Trunk no ports configuration
Trunk ports configuration
Trunk Rtag configuration
To show trunk information

1.Trunk configuration

To configure a trunk group, first type the trunk ID (there can be 6 of them); second, enter the trunk Rtag, which has 6 load balance options; third, enter the port identification, including module numbers and port numbers, of which there can be a maximum of 8. The CLI command is:
trunk
It’s an interactive command; users just type the corresponding parameters according to the prompt information, including Trunk ID, Rtag, and trunk port list.

2.Trunk mcast configuration

Trunk mcast configuration adds an existing trunk group to a multicast group. It requires that the trunk ports be a subset of the multicast ports group. Configuration steps: first remove the trunk ports from the multicast group; then add one port in the trunk group to the multicast group again. By default the added port is the one with the minimum port number in the trunk group. The command is:
trunk mcast
It’s an interactive command.

3.Trunk no ports configuration

This configuration is to remove ports from a trunk group. Command:
trunk no ports <trunk_id> <port|port1-port2> [port|port1-port2]…

4.Trunk ports configuration

This configuration is to add ports to a trunk group. Command:
Trunk ports <trunk_id> <port|port1-port2> [port|port1-port2]…

5.Trunk Rtag configuration

It’s to set or change the load balance policy of a trunk group. The iSpirit 3026 switch allows setting the policy separately for each trunk group. Command:
Trunk rtag <trunk_id> <rtag>

6.To show trunk information

Under the overall configuration mode users can show trunk configuration information using command “show trunk”:
Switch# show trunk
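The following Python sketch is an added example, not the switch's own code: it shows which frame fields each of the six Rtag policies hashes on, why a source-only policy pins all traffic from one sender to a single member port, and how the selection moves when a member link goes down. The XOR-fold hash, the treatment of frames a policy does not name, and all names and sample frames are assumptions; the group limits come from the text above.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional

MAX_TRUNK_GROUPS = 6       # limit stated in the manual
MAX_PORTS_PER_TRUNK = 8    # limit stated in the manual


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None   # None marks a non-IP frame
    dst_ip: Optional[str] = None


def hash_key(rtag: int, frame: Frame) -> bytes:
    """Return the header bytes that the given Rtag policy hashes on."""
    if rtag not in range(1, 7):
        raise ValueError("Rtag must be 1-6")
    use_src = rtag in (1, 3, 4, 6)
    use_dst = rtag in (2, 3, 5, 6)
    # Assumption: IP addresses are added only for Rtag 4-6 on IP frames;
    # every other combination hashes on the MAC fields alone.
    use_ip = rtag >= 4 and frame.src_ip is not None and frame.dst_ip is not None
    key = b""
    if use_src:
        key += bytes.fromhex(frame.src_mac.replace(":", ""))
        if use_ip:
            key += ip_address(frame.src_ip).packed
    if use_dst:
        key += bytes.fromhex(frame.dst_mac.replace(":", ""))
        if use_ip:
            key += ip_address(frame.dst_ip).packed
    return key


def select_port(rtag: int, frame: Frame, members: List[int],
                link_up: Dict[int, bool]) -> int:
    """Pick the physical member port for one frame among the active members."""
    active = sorted(p for p in members if link_up.get(p, False))
    if not active:
        raise RuntimeError("trunk has no active member port")
    folded = 0
    for byte in hash_key(rtag, frame):   # assumed hash: XOR-fold of the key bytes
        folded ^= byte
    return active[folded % len(active)]


def distribution(rtag: int, frames: List[Frame], members: List[int],
                 link_up: Dict[int, bool]) -> Dict[int, int]:
    """Count how many frames land on each member port."""
    return dict(Counter(select_port(rtag, f, members, link_up) for f in frames))


def validate_trunks(groups: Dict[int, List[int]]) -> List[str]:
    """Check a planned trunk layout against the limits stated in the manual."""
    errors = []
    if len(groups) > MAX_TRUNK_GROUPS:
        errors.append(f"{len(groups)} trunk groups exceed the limit of {MAX_TRUNK_GROUPS}")
    owner: Dict[int, int] = {}
    for trunk_id, ports in sorted(groups.items()):
        if len(ports) > MAX_PORTS_PER_TRUNK:
            errors.append(f"trunk {trunk_id} has {len(ports)} ports, limit is {MAX_PORTS_PER_TRUNK}")
        for port in ports:
            if port in owner and owner[port] != trunk_id:
                errors.append(f"port {port} is in trunk {owner[port]} and trunk {trunk_id}")
            owner[port] = trunk_id
    return errors


# Constructed sample: one router sending IP traffic to eight hosts.
MEMBERS = [1, 2, 3, 4]
ALL_UP = {port: True for port in MEMBERS}
SAMPLE_FRAMES = [
    Frame("00:11:22:33:44:55", f"00:aa:bb:cc:dd:{n:02x}",
          "10.0.0.1", f"10.0.0.{100 + 2 * n}")
    for n in range(8)
]

if __name__ == "__main__":
    for rtag in range(1, 7):
        print(f"Rtag {rtag}:", distribution(rtag, SAMPLE_FRAMES, MEMBERS, ALL_UP))
    print("Rtag 1, port 2 down:",
          distribution(1, SAMPLE_FRAMES, MEMBERS, {**ALL_UP, 2: False}))
    print(validate_trunks({1: [1, 2], 2: [2, 3]}))
```

With a single sender, the source-based policies (Rtag 1 and 4) place every frame on one member port, while the destination-based and combined policies spread the same traffic across all four.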

2.4 STORM-CONTROL configuration

In real networks, high-speed DLF (Destination Lookup Failure; such packets are handled like broadcast packets), multicast or broadcast traffic can block the network, so it’s very important to be able to control this kind of storm traffic to avoid network blocking. All ports of the iSpirit 3026 switch support storm control for broadcast, multicast and DLF packets: they can limit the transmission rate of broadcast packets, multicast packets and DLF packets. This section introduces storm-control configuration:

Default configuration
Storm-control configuration
To show storm-control configuration

1.Default configuration

All ports of the iSpirit 3026 switch can set broadcast rate, multicast rate and dlf rate. By default the broadcast rate (upper limit) is set to 1500 packets per second, to avoid broadcast storms. There is no default configuration for multicast and dlf unicast.

2.Storm-control configuration

Storm-control configuration of the iSpirit 3026 switch is identical for all ports. The storm-control command is interactive: users need to type the corresponding parameters, and the setting is valid for all ports after configuration.

    Switch# storm-control

It’s an interactive command: users need to enter parameters including whether to control broadcast, multicast and DLF, and the upper limit rate, which is the same for all the 3 kinds of transmission.

3.To show storm-control configuration

Under the overall configuration mode or PORT RANGE mode, to show configuration information:

    show storm-control

2.5 Separated port configuration

In real networks, users usually need network separation for data safety. The iSpirit 3026 switch provides several methods for separation: VLAN, private VLAN, protected VLAN and separated port. Separated port technology is employed within one VLAN: users can explicitly set the egress port for the separated port, such that the separated port can only communicate with the specified egress port, and NOT with other ports in the VLAN. Separated port is more flexible than protected VLAN. Commands (used under PORT RANGE configuration mode):

1. To configure separation such that the separated port can only communicate with the uplink port:
    separated
2. To unset separation:
    no separated
3. To show separation configuration, either for one port or for all ports (this command can also be used under the overall configuration mode):
    show separated [port]

2.6 Jumbo frame port configuration

In real networks, it’s necessary to transmit jumbo frames (i.e. super-sized) for some special applications such as server clusters. The iSpirit 3026 switch supports jumbo frames transmission. Commands (can be used either in PORT RANGE mode or overall mode):

1. to set jumbo frame for ports
    jumbo size <frame-size> <port|port1-port2>
2. to show jumbo frame configuration for all ports
    show jumbo

2.7 Configuration examples

1.Mirror

Figure2-1.Configuration examples

As shown in Figure2-1, user 1 and user 2 are communicating through a switch; usually other users won’t be able to see the information exchanged between them. To check whether there is any problem with the communication, a monitoring user wants to capture the data packets transmitted between them, which requires the port mirror functionality. Suppose user 1 connects to port 1, user 2 connects to port 2, and the monitoring user connects to port 3. Commands list:

To monitor data from/to user 1

    Switch# mirror
    Mirror port: 3
    Egress ports_list: 1
    Ingress ports_list: 1

To monitor data from/to user 2

    Switch# mirror
    Mirror port: 3
    Egress ports_list: 2
    Ingress ports_list: 2

Notes: Don’t confuse the mirror port with the mirrored ports. The mirror port is the port that’s used to monitor data packets; mirrored ports are the ports that are being monitored and whose packets are going to be captured. They include egress ports and ingress ports.

To show mirror configuration

    Switch# show mirror
    Mirror mode: L2
    Mirror port: 3
    Egress ports_list: 2
    Ingress ports_list: 2

2.Trunk (Figure 2-2)

Figure 2-2.Trunk configuration

To configure a trunk between switch 1 and switch 2, each with port 1-4 in the trunk group, type the following commands on each switch:

    Switch# trunk
    Trunk_id: 1
    Trunk_rtag: 1
    Ports _list: 1-4

Notes: When configuring a trunk, both switches should have the same number of ports in the trunk, with the same speed and duplex configuration, but the port identification number can be different.

To delete a trunk group

    Switch# no trunk A

A: trunk id, range: 0-5

To check any error

(1). If the trunk doesn’t work, check the status:

    switch# show trunk
    TGID  RTAG  status     Ports
    0     0     not ready  0x00000000(none)
    1     1     Active     0x0000000f(fe1-fe4)
    2     0     not ready  0x00000000(none)
    3     0     not ready  0x00000000(none)
    4     0     not ready  0x00000000(none)
    5     0     not ready  0x00000000(none)

Thus you can check whether the configured trunk is active, whether the number of included ports is correct and whether the member ports are correct.

(2) Ports in the same trunk should belong to the same vlan, with the same speed and duplex configuration.


Chapter 3.VLAN Configuration

VLAN is a very important technology in a switch; it’s used often in real networks and is a critical method for partitioning the whole network topology into multiple subnetworks. VLAN means Virtual Local Area Network: it’s a logical network formed by organizing multiple devices together, no matter where they are physically in the network. Though logical, each VLAN has the same functionality and characteristics as a traditional physical network. Each VLAN represents a broadcast domain: broadcast packets can only be transmitted inside the VLAN and are not allowed to span multiple VLANs. Communication spanning multiple VLANs needs to be accomplished by Layer 3 transmission. The iSpirit 3026 switch supports VLAN and Private VLAN, so usually VLAN is also called normal VLAN. This chapter introduces normal VLAN configuration; for private VLAN, please refer to the corresponding chapter. Chapter Index:

1. Introduction to VLAN
2. VLAN configuration
3. VLAN examples

3.1 Introduction to VLAN

This section will give detail information for VLAN:
Benefit of VLAN
VLAN ID
Member ports types of VLAN
VLAN relay
Data transmission in a VLAN
VLAN vs. Private VLAN
Subnetworks of VLAN

1.Benefit of VLAN

VLAN can extend a physical network to a large degree. Traditional physical networks can be very small, usually with up to 1000 devices, while physical networks with VLAN partitions can have 10,000 or even 100,000 devices. VLAN has the same functionality and characteristics as the traditional physical network.

Advantages:

VLAN can control data flow in the network
In traditional networks, all broadcast packets are transmitted to all devices, whether needed or not, thus increasing the load on the network and the devices, while VLAN can organize devices into one logical network when needed. One VLAN represents one broadcast domain; broadcast packets can only be transmitted inside a VLAN, not across multiple VLANs. So VLAN partitioning can effectively control data flow in a network.

VLAN can improve network security
Devices in a VLAN can only set up Layer 2 communication among themselves; communication with another VLAN must go through Layer 3 transmission. Without Layer 3 transmission, no communication is allowed between VLANs at all, thus VLAN can provide isolation and keep data safe in a VLAN. For example, if the “research” department in a company doesn’t want to share data with the “marketing” department, two VLANs can be created, one for each of them, without Layer 3 transmission.

VLAN makes it more convenient to move devices
When a device in a traditional network is moved from one position to another, usually the network administrator has to modify its configuration, which is inconvenient for users. Since a VLAN is a logical network, it can allocate devices in different locations into the same logical network; when a device is moved, it still belongs to the same VLAN, so it’s not necessary to modify its configuration.

2.VLAN ID

Each VLAN has an identification number called VLAN ID (VID), with a range of 0~4095, of which 0 and 4095 are not used, so the VLAN ID only ranges from 1 to 4094. One VLAN has only one VLAN ID. The iSpirit 3026 switch can support a maximum of 255 VLANs. Users need to choose a VLAN ID among 1-4094 when creating a VLAN. There are three kinds of frames transmitted in a VLAN: non-tagged frames, frames with VID 0, and frames with a nonzero VID. Data packets for these 3 frames are shown in Figure3-1.

Figure3-1.3 Data packets for these 3 frames

All frames are tagged inside a switch. If a non-tagged frame is received by the switch, the switch tags the frame by choosing a VLAN ID and filling it into the frame VID; if a frame with VID 0 is received, the switch also chooses a VLAN ID for it; a frame with a nonzero VID is not changed by the switch.

3.Member ports types of VLAN

The iSpirit 3026 switch supports Port-based VLAN and 802.1Q VLAN. A VLAN has two kinds of ports: untagged port and tagged port, and a VLAN can have them simultaneously. There can be no port, one or more ports in a VLAN. When a port belongs to a VLAN, it can be either untagged or tagged. A port can be an untagged member port of only one VLAN. When a port is configured to be untagged of a VLAN, if it’s already an untagged member of another VLAN, it will be removed from it, i.e., the last configuration takes effect. A port can be a tagged member port of multiple VLANs. In this case, it’s also called VLAN Relay Port. A port can belong to a VLAN as untagged and belong to other multiple VLANs as tagged simultaneously.

4.VLAN relay

If a port is a tagged member port of two or more VLANs, it’s also called a relay port of VLAN. Two switches can connect through a relay port, thus they can have two or more common VLANs between them. A relay example is shown in Figure3-2: two switches connect through a relay port, which belongs to VLAN 2 and VLAN 3. Each switch has two VLANs, VLAN 2 and VLAN 3, and each VLAN has a user. Thus user 1 can communicate with user 3, and user 2 with user 4, but user 1 can’t communicate with user 2, nor user 3 with user 4.

Figure3-2. Relay Port Vlan

5.Data transmission in a VLAN

When a switch receives a data packet from a port, it will follow these steps for layer2 transmission:

Determine which VLAN this packet belongs to;
Check whether it’s broadcast, multicast or unicast;
Determine output ports based on its type; there can be 0 ports, one or more ports. If 0, discard the packet;
Tag or untag the packet based on the member port type;
Send the packet.

(1) To determine which VLAN this packet belongs to:
If the received packet is tagged with a nonzero VID, the VLAN it belongs to is identified by the VID. If the packet is non-tagged or has a VID of 0, and the input port is an untagged member port of a VLAN, this VLAN is the one that the packet belongs to; otherwise, if the input port is not an untagged member of any VLAN, the packet will be discarded.

(2) To check packet type:
If the received packet has a destination MAC address of FF:FF:FF:FF:FF:FF, it’s a broadcast packet; if it’s not broadcast but has a destination MAC address with the 40th bit being 1, it’s a multicast packet; otherwise, it’s a unicast packet.

(3) To determine output ports:
For a broadcast packet, the output ports include all member ports of the VLAN that the packet belongs to.
For a multicast packet, first search the hardware Layer 2 multicast transmission table based on the multicast MAC address and the VLAN it belongs to. If matching multicast entries are found, the intersection of the output ports of the multicast entries and the member ports of the VLAN are the output ports for the packet; if there is no common port, the packet will be discarded. If no multicast entry is found, the output ports will be determined based on the transmission mode of the Layer 2 hardware multicast transmission table: for unregistered multicast transmission mode, multicast packets are handled the same as broadcast packets, i.e., the output ports include all member ports of the VLAN the packet belongs to; for registered mode, there will be no output port, and the packet will be discarded.
For a unicast packet, first search the hardware Layer 2 transmission table based on the destination MAC address and the VLAN it belongs to. If matching entries are found, the intersection of the output ports of the entries and the member ports of the VLAN are the output ports for the packet; if there is no common port, the packet is discarded. If no entry is found, the packet will be handled the same as broadcast packets, i.e., the output ports include all member ports of the VLAN the packet belongs to.

(4) To send a packet
The packet will be sent to all output ports determined in the previous step. If an output port is an untagged member of the VLAN the packet belongs to, the packet will be sent without a VID tag; otherwise, if it is a tagged member, the packet will be tagged with the VLAN ID.
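The forwarding decision in steps (1)-(4) above, written out as a small model so the flooding and discard cases can be checked against a given port layout. This is an added example, not code from the manual or the switch firmware; the class and function names, the port layout in `demo_switch` and the exclusion of the receiving port from the output set are assumptions.

```python
"""Layer 2 forwarding decision of a VLAN-aware switch, steps (1)-(4)."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def packet_type(dst_mac):
    """Step (2): classify a frame by its destination MAC address."""
    if dst_mac.lower() == BROADCAST:
        return "broadcast"
    # The group bit is the least significant bit of the first octet,
    # i.e. bit 40 of the 48-bit address when bit 0 is the last octet's LSB.
    if int(dst_mac.split(":")[0], 16) & 0x01:
        return "multicast"
    return "unicast"


class Switch:
    def __init__(self, registered_multicast=False):
        self.untagged = {}  # vlan id -> set of untagged member ports
        self.tagged = {}    # vlan id -> set of tagged member ports
        self.l2_table = {}  # (vlan id, unicast mac) -> set of output ports
        self.mc_table = {}  # (vlan id, multicast mac) -> set of output ports
        self.registered_multicast = registered_multicast

    def add_untagged(self, vlan, port):
        # A port is an untagged member of only one VLAN: the last setting wins.
        for members in self.untagged.values():
            members.discard(port)
        self.untagged.setdefault(vlan, set()).add(port)

    def add_tagged(self, vlan, port):
        self.tagged.setdefault(vlan, set()).add(port)

    def classify(self, in_port, vid):
        """Step (1): vid is None for a non-tagged frame. None means discard."""
        if vid:  # tagged with a nonzero VID: identified by the VID alone
            return vid
        for vlan, members in self.untagged.items():
            if in_port in members:
                return vlan
        return None

    def forward(self, in_port, vid, dst_mac):
        """Return {output port: 'tagged' | 'untagged'}; empty dict = discarded."""
        vlan = self.classify(in_port, vid)
        if vlan is None:
            return {}
        untagged = self.untagged.get(vlan, set())
        members = untagged | self.tagged.get(vlan, set())
        kind = packet_type(dst_mac)
        key = (vlan, dst_mac.lower())
        # Step (3): choose the output ports.
        if kind == "broadcast":
            out = members
        elif kind == "multicast":
            if key in self.mc_table:
                out = self.mc_table[key] & members
            elif self.registered_multicast:
                out = set()      # registered mode: unknown group is dropped
            else:
                out = members    # unregistered mode: handled like broadcast
        elif key in self.l2_table:
            out = self.l2_table[key] & members
        else:
            out = members        # destination lookup failure: flood the VLAN
        # Assumption (not stated on the page): never send a frame back out
        # of the port it was received on.
        out = out - {in_port}
        # Step (4): tag on tagged member ports, no tag on untagged ones.
        return {p: "untagged" if p in untagged else "tagged" for p in sorted(out)}


def demo_switch(registered_multicast=False):
    """Constructed layout: ports 1 and 3 untagged in VLAN 2, port 2 untagged
    in VLAN 3, port 8 a relay port tagged in both VLANs."""
    sw = Switch(registered_multicast)
    sw.add_untagged(2, 1)
    sw.add_untagged(2, 3)
    sw.add_untagged(3, 2)
    sw.add_tagged(2, 8)
    sw.add_tagged(3, 8)
    return sw


if __name__ == "__main__":
    sw = demo_switch()
    print("broadcast from port 1:   ", sw.forward(1, None, BROADCAST))
    print("unknown unicast, port 1: ", sw.forward(1, None, "00:11:22:33:44:55"))
    sw.l2_table[(2, "00:11:22:33:44:55")] = {3}
    print("known unicast, port 1:   ", sw.forward(1, None, "00:11:22:33:44:55"))
    print("non-tagged frame, port 8:", sw.forward(8, None, BROADCAST))
```

The unknown-unicast case is the one to watch when reviewing a layout: until the destination has an entry in the Layer 2 table, the frame reaches every member port of the VLAN, including the relay port.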


6.VLAN with Private VLAN

Since the iSpirit 3026 switch supports private VLAN, the “VLAN” is also called normal VLAN. Normal VLAN and private VLAN are mutually exclusive to some degree. A normal VLAN represents a broadcast domain, each VLAN can form a sub-network, and communication across VLANs should go through Layer 3 transmission; while for private VLAN, a broadcast domain needs a private VLAN group. Each private VLAN group can form a sub-network, which is created in the main VLAN of the private VLAN group. Communication across multiple private VLAN groups should go through Layer 3 transmission, while communication inside a group just needs Layer 2 transmission. When creating a normal VLAN, users should make sure that the normal VLAN doesn’t fall in the range of any private VLAN of any private VLAN group. Otherwise, it won’t be created. When adding a port to a private VLAN, it can be a promiscuous port, a shared port or a separated port. No matter what kind of port it is, if it’s an untagged member of a normal VLAN, it should be removed from the normal VLAN first. When adding a port to a normal VLAN, if the port already belongs to a private VLAN, it can’t be set as an untagged member of the normal VLAN, but can be a tagged member. The command “show vlan” will only show information for normal VLANs. To show private VLAN, please use the command “show privatevlan”. (Please refer to Chapter 4 for more information.)

7.Sub-networks of VLAN

A VLAN represents a broadcast domain in the iSpirit 3026 switch, and a subnet interface can be created for each VLAN (actually all subnets are created based on VLAN.). The iSpirit 3026 switch can support a maximum number of 4094 VLANs, but can only have 26 subnets. After creating subnets on 26 VLANs, other VLANs can’t have any more subnet.

3.2 VLAN configuration

For the convenience of users, the iSpirit 3026 switch provides various commands for VLAN configuration. They are mostly used under the VLAN configuration mode and the PORT RANGE mode. By default the iSpirit 3026 switch has VLAN 1, which has all of the ports as untagged members. This section gives detailed information for VLAN configuration:

To create and delete a VLAN
To configure an untagged member of a VLAN
To configure a tagged member of a VLAN
To show VLAN information

1.To create and delete a VLAN

Users can create one or more contiguous VLANs using one command. The following command creates VLANs under the overall configuration mode. If a vlanid is entered, it will create the mentioned VLAN and go to the VLAN mode; if the mentioned VLAN has been created before, it will just go to the VLAN mode without creating it again. If a VLAN range like minvlanid-maxvlanid is entered, multiple contiguous VLANs will be created, but it won’t go to the VLAN mode; VLANs in the range that already exist are not created again. The command:

    vlan {<vlanid>|<minvlanid-maxvlanid>}

Users can delete one or more contiguous VLANs using one command. The following command deletes VLANs under the overall configuration mode. If a vlanid is entered, it will only delete the mentioned VLAN; if the mentioned VLAN doesn’t exist, no operation is done. If a VLAN range like minvlanid-maxvlanid is entered, multiple contiguous VLANs will be deleted; for VLANs in the range that don’t exist, no operation is done. Once a VLAN is deleted, all port membership of this VLAN will also be removed. The command:

    no vlan {<vlanid>|<minvlanid-maxvlanid>}

Notes: If a VLAN is owned by a private VLAN, it can’t be created or deleted.

2. To configure an untagged member of a VLAN

On the iSpirit 3026 switch, users can set untagged member ports either under the VLAN configuration mode or under the PORT RANGE mode.

To add untagged ports under VLAN mode:

    untagged {<port>|<port1-port2>} [<port>|<port1-port2>] …

To delete untagged ports under VLAN mode:

    no untagged {<port>|<port1-port2>} [<port>|<port1-port2>] …

To add untagged ports to one or multiple contiguous VLANs under PORT RANGE mode:

    untagged-vlan {<vlanid>|<minvlanid-maxvlanid>} [<vlanid>|<minvlanid-maxvlanid>]…

To delete ports from one or multiple contiguous VLANs under PORT RANGE mode:

    nountagged-vlan {<vlanid>|<minvlanid-maxvlanid>} [<vlanid>|<minvlanid-maxvlanid>]

Notes: If a port already belongs to a private VLAN, it can’t be an untagged member of a normal VLAN; If a port already belongs to a normal VLAN as untagged, it should be deleted from the VLAN, before adding it to a private VLAN.

3. To configure a tagged member of a VLAN

On the iSpirit 3026 switch, users can set tagged member ports for one or multiple contiguous VLANs either under the VLAN configuration mode or under the PORT RANGE mode.

To add tagged ports under VLAN mode:

    tagged {<port>|<port1-port2>} [<port>|<port1-port2>] …

To delete tagged ports under VLAN mode:

    no tagged {<port>|<port1-port2>} [<port>|<port1-port2>] …

To add tagged ports to one or multiple contiguous VLANs under PORT RANGE mode:

    tagged-vlan {<vlanid>|<minvlanid-maxvlanid>} [<vlanid>|<minvlanid-maxvlanid>] …

To delete ports from one or multiple contiguous VLANs under PORT RANGE mode:

    notagged-vlan {<vlanid>|<minvlanid-maxvlanid>} [<vlanid>|<minvlanid-maxvlanid>] …

4. To show VLAN information

On the iSpirit 3026 switch, users can show VLAN information under multiple configuration modes, including VLAN overview and member ports information.

To show VLAN information: without any parameter, it will show overview information for all VLANs; with VLAN ID parameters, it will show member ports for one or multiple contiguous VLANs.

    Show vlan [<vlanid>|<minvlanid-maxvlanid>]

3.3 VLAN examples

Figure3-3.Vlan example

As shown in Figure3-3, there are two users: user 1 and user 2. Since the networks they use have different network functionality and different environments, it’s necessary for them to belong to different VLANs. User 1 is in VLAN 2, connected to port 2 of an iSpirit 3026 switch, while user 2 is in VLAN 3 on port 3. Configuration:

    Switch# vlan 2
    Vlan 2 added
    Switch(vlan-2) exit
    Switch# vlan 3
    Vlan 3 added
    Switch(vlan-3) vlan 2
    Switch(vlan-2) untag 2
    Switch(vlan-2) vlan 3
    Switch(vlan-3) untag 3
    Switch(vlan-3) exit

To check errors: After configuration, if you find that PCs can’t communicate with each other across different VLANs, it’s ok, since communication across different VLANs should go through Layer 3 transmission. In case PCs in the same VLAN can’t communicate with each other, you should check:

1. VLANs already existent:

    Switch# show vlan

member port information for related VLANs

    switch# show vlan 2
    vlan 2 port map (-=None,M=Tagged,U=Untagged)

    switch# show vlan 3
    vlan 2 port map

Chapter 4.Private VLAN configuration

To share common data while ensuring the safety of private data in real networks, there are many Layer 2 isolation technologies. UTStarcom proposed a new idea of Private VLAN in the iSpirit 3026 switch so that users can use and configure port isolation technology more conveniently. A private VLAN is composed of multiple contiguous VLANs (the VLAN IDs are contiguous); it uses port partitioning to provide Layer 2 port isolation in a broadcast domain. With just several concepts, it’s easy to configure private VLAN. This chapter gives detailed information about private VLAN:

1. Introduction to private VLAN
2. Private VLAN configuration
3. Private VLAN examples

4.1 Introduction to private VLAN group

The iSpirit 3026 switch can support 12 private VLAN groups, each of which represents a single broadcast domain, i.e., there is only one subnet for a private VLAN group (we just use “group” in the rest of this chapter for simplicity). A group has multiple contiguous VLANs and can provide port isolation. Different groups represent different broadcast domains and thus are different subnets. Communication between groups should go through Layer 3 transmission. This section describes private VLAN:

Port types of private VLAN
VLAN range of private VLAN
Private VLAN with normal VLAN
Subnet of private VLAN

1. Port types of private VLAN

There are three types of ports in private VLAN: promiscuous ports, shared ports and separated ports. Promiscuous ports are uplink ports for a group, while shared ports and separated ports are those that are isolated.

Promiscuous ports are uplink ports for a group; there should be at least one (can be more) promiscuous port in a group. Promiscuous ports can have Layer 2 communication with all other ports in the group, including promiscuous ports, shared ports and separated ports. In real networks, they usually connect with shared data servers and uplinks to the INTERNET.

Shared ports are isolated ports in a group. They have the concept of “grouping”, i.e., one or more shared ports can become a shared port group. In the iSpirit 3026 switch there can be a maximum of 6 shared port groups in a VLAN group. Shared ports can communicate with promiscuous ports and other ports in the same shared port group, but not with separated ports and ports in other shared port groups. If there is only one port in a shared port group, this port is actually a separated port.

Separated ports are also isolated ports in a VLAN group; they don’t have the idea of “grouping”, and they are isolated from each other. Separated ports can only communicate with promiscuous ports, but not with shared ports and other separated ports.

Isolated ports should exist for private VLAN, and there should be at least one separated port or one shared port group in a VLAN group; if there is no separated port, there should be one or more shared port groups, and vice versa. But if there is only one separated port or one shared port group in a VLAN group, there is actually no isolation. So in real networks, a VLAN group should have at least two isolated ports.

Port overlapping is not allowed in a VLAN group, i.e., a port can be either separated, or shared, or promiscuous, but can’t be two or all of them. Furthermore, a shared port is unique in a shared group and among shared port groups, i.e., it can’t be the same as any other port in the same group or any other group. Port overlapping is not allowed among VLAN groups either, i.e., one port can only belong to one VLAN group.

Figure4-1. Example for private VLAN

As shown in Figure4-1, ports 1-6 and 7-9 belong to a private VLAN group, with port 1 and port 2 as separated; port 3-6 as shared, with port 3 and port 4 in one shared port group and port 5 and port 6 in another; and port 7-9 as promiscuous. According to the functionality of the different types of ports, here is the communication style for this VLAN group:

(Separated ports) user 1 and user 2 can only access server 1, server 2 and INTERNET; communication is allowed neither between them nor between them and user 3-6;

(Shared ports) user 3 and user 4 can access server 1, server 2 and INTERNET, and they can also communicate with each other, but not with user 1-2 and user 5-6; likewise, user 5 and user 6 can access server 1, server 2 and INTERNET, and they can also communicate with each other, but not with user 1-4;

(Promiscuous ports) server 1 and server 2 can communicate with user 1-6, can access INTERNET, and they can communicate with each other.


Figure4-2. There are two private VLAN groups

There are two private VLAN groups in Figure4-2. Group 1 includes port 1-3 and port 11; Group 2 includes port 5-7 and port 12. In group 1, port 1 is separated; port 2 and 3 are shared and form a shared port group; port 11 is promiscuous. In group 2, port 5 is separated, port 6 and 7 are shared and form a shared port group; port 12 is promiscuous. According to functionality for different types of ports, here is the communication style for the two VLAN groups:

(Separated port, group 1) user 1 can only communicate with server 1, not with user 2-3;

(Shared ports, group 1) user 2-3 can communicate with server 1, and they can also communicate with each other, but not with user 1;

(Separated port, group 2) user 4 can only communicate with server 2, not with user 5-6;

(Shared ports, group 2) user 5-6 can communicate with server 2, and they can also communicate with each other, but not with user 4;

(Across VLAN groups) Communication between devices in group 1 and those in group 2 should go through Layer 3 transmission.
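The port-type rules above can be turned into a reachability check, so that an intended isolation policy is verified against the configured port roles before it is applied. This is an added example, not code from the manual; the class and function names are hypothetical, and the two layouts are the port assignments described for Figure4-1 and Figure4-2.

```python
"""Layer 2 reachability inside and between private VLAN groups."""
from dataclasses import dataclass, field


@dataclass
class PrivateVlanGroup:
    promiscuous: set
    separated: set = field(default_factory=set)
    shared_groups: list = field(default_factory=list)  # list of port sets

    def ports(self):
        return self.promiscuous.union(self.separated, *self.shared_groups)

    def role(self, port):
        """Return (type, shared group index or None); None if not a member."""
        if port in self.promiscuous:
            return ("promiscuous", None)
        if port in self.separated:
            return ("separated", None)
        for index, members in enumerate(self.shared_groups):
            if port in members:
                return ("shared", index)
        return None

    def problems(self):
        """Check the composition rules stated for one private VLAN group."""
        found = []
        if not self.promiscuous:
            found.append("no promiscuous port")
        if not self.separated and not self.shared_groups:
            found.append("no separated port and no shared port group")
        if len(self.shared_groups) > 6:
            found.append("more than 6 shared port groups")
        seen = set()
        for members in (self.promiscuous, self.separated, *self.shared_groups):
            if seen & members:
                found.append("port overlap: %s" % sorted(seen & members))
            seen |= members
        return found


def l2_allowed(groups, a, b):
    """True if ports a and b may exchange frames at Layer 2."""
    for group in groups:
        ra, rb = group.role(a), group.role(b)
        if ra is None and rb is None:
            continue
        if ra is None or rb is None:
            return False  # ports in different groups: needs Layer 3
        if "promiscuous" in (ra[0], rb[0]):
            return True
        # Two isolated ports talk only inside the same shared port group.
        return ra[0] == rb[0] == "shared" and ra[1] == rb[1]
    return False


def reachable(groups, port):
    """Sorted list of the other ports that `port` can reach at Layer 2."""
    every = set().union(*(g.ports() for g in groups))
    return sorted(p for p in every if p != port and l2_allowed(groups, port, p))


def cross_group_overlap(groups):
    """Ports that appear in more than one group, which is not allowed."""
    seen, duplicated = set(), set()
    for group in groups:
        duplicated |= seen & group.ports()
        seen |= group.ports()
    return sorted(duplicated)


# Port roles as described for Figure4-1 (one group).
FIG_4_1 = [PrivateVlanGroup(promiscuous={7, 8, 9}, separated={1, 2},
                            shared_groups=[{3, 4}, {5, 6}])]
# Port roles as described for Figure4-2 (two groups).
FIG_4_2 = [
    PrivateVlanGroup(promiscuous={11}, separated={1}, shared_groups=[{2, 3}]),
    PrivateVlanGroup(promiscuous={12}, separated={5}, shared_groups=[{6, 7}]),
]

if __name__ == "__main__":
    for name, layout in (("Figure4-1", FIG_4_1), ("Figure4-2", FIG_4_2)):
        print(name, "rule problems:", [g.problems() for g in layout])
        every = sorted(set().union(*(g.ports() for g in layout)))
        for port in every:
            print("  port %2d reaches %s" % (port, reachable(layout, port)))
```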

2. VLAN range of private VLAN

A private VLAN group is composed of multiple contiguous VLANs, so users need to select VLANs whose VLAN IDs are contiguous when creating a VLAN group. VLANs in a group share a broadcast domain and form a subnet; communication between groups needs to go through Layer 3 transmission. VLANs in different VLAN groups should not overlap. For example, if VLAN 10-19 are chosen to be in a VLAN group, no other VLAN group can have any of the VLANs between 10-19.

There is a unique primary VLAN in each group. The primary VLAN ID must fall in the VLAN range of the group, and can be any of the IDs in the range; for example you can use a VLAN ID like 10 for a group with range 10-19. The primary VLAN is used to create the subnet for a VLAN group, since one group has only one subnet. Thus users can only create a subnet on the primary VLAN, and not on other VLANs in the group.

The VLAN range should be large enough to accommodate all devices, otherwise the creation of the VLAN group may eventually fail. The VLAN range depends on the number of separated ports and shared port groups: each separated port forms a VLAN, and so does each shared port group. Thus you can get an inequality for the VLAN range of a VLAN group:

No. VLANs ≥ No. separated ports + No. shared port groups + 1 (one for the primary VLAN)

For example, in Figure4-1, there are 2 separated ports and 2 shared port groups, so the total number of VLANs in this group should be at least 5. The upper limit for the VLAN range (i.e., the number of VLANs in the VLAN group) is 26. Since there are only 26 ports on the iSpirit 3026 switch, this won’t be a problem.

3. Private VLAN with normal VLAN

A normal VLAN represents a broadcast domain, each VLAN can form a sub-network, and communication across VLANs should go through Layer 3 transmission; while for private VLAN, a broadcast domain needs a private VLAN group. Each private VLAN group can form a sub-network, which is created in the main VLAN of the private VLAN group. Communication across multiple private VLAN groups should go through Layer 3 transmission, while communication inside a group just needs Layer 2 transmission. When creating a private VLAN group, users should make sure that any VLAN in its VLAN range is NOT occupied by any normal VLAN. Otherwise, it won’t be created. The same applies when creating a normal VLAN. When adding a port to a private VLAN group, it can be a promiscuous port, a shared port or a separated port. No matter what kind of port it is, if it’s already an untagged member of a normal VLAN, it should be removed from the normal VLAN first. When adding a port to a normal VLAN, if the port already belongs to a private VLAN group, it can’t be set as an untagged member of the normal VLAN, but can be a tagged member. The command “show vlan” will only show information for normal VLANs. To show private VLAN, please use the command “show privatevlan”.

4. Subnet of private VLAN

A private VLAN group represents a single broadcast domain and can have one single subnet, which must be created on the primary VLAN (no other VLAN is allowed to have subnets). Once a private VLAN group and the corresponding subnet are created on a switch, only devices connected to promiscuous ports can communicate with the subnet in the switch (i.e., can access (like ping) the subnet); devices on shared ports or separated ports cannot. So in real networks, don’t put network management workstations in positions connected only to separated ports and shared ports; instead, they should connect to promiscuous ports.

4.2 Private VLAN configuration

For the convenience of users, the iSpirit 3026 switch provides a PRIVATE VLAN configuration mode for CLI commands. Users can type most of the private VLAN commands to operate on one VLAN group under this mode. In the iSpirit 3026 switch, there is no VLAN and port configuration for any VLAN group. This section introduces how to configure private VLAN:

To configure private VLAN group
To configure VLANs in a group
To configure separated ports in a group
To configure shared ports in a group
To configure promiscuous ports in a group
To enable or disable a group
To show group information

1. To configure private VLAN group

When configuring a VLAN group, first choose a group and enter its PRIVATE VLAN mode. To enter the PRIVATE VLAN mode from the overall mode for a specific group with a group-id between 1-12:

privatevlan <group-id>

To delete a VLAN group under overall mode:

no privatevlan <group-id>

Notes: (All of the following commands are in the PRIVATE VLAN mode, unless specified otherwise.)

2. To configure VLANs in a group

After entering PRIVATE VLAN mode, you need to choose a VLAN range and a VLAN as the primary VLAN. As said before, you may have to calculate in advance how many VLANs the group needs.

To select VLAN range and primary VLAN, where the VLAN range is represented by the min-value and the max-value:

vlan <min-vlanid> <max-vlanid> <primary-vlanid> (this command is in PRIVATE VLAN mode)

Notes: If the command fails, there can be several possibilities:

(1) Min-vlanid is bigger than max-vlanid;
(2) Primary-vlanid is not in the range between min-vlanid - max-vlanid;
(3) The number in the range (max-vlanid minus min-vlanid) is bigger than 26;
(4) Some VLAN in the range is already a normal VLAN;
(5) There is overlapping in the VLAN range between this group and some other VLAN groups;
(6) The VLAN group is active now.

3. To configure separated ports in a group

To configure one or more separated ports:

isolate {<port> <port1-port2>} [<port> <port1-port2>]…

To delete one or more separated ports (no action is taken for ports that are not currently separated ports):

no isolate {<port> <port1-port2>} [<port> <port1-port2>]…

Notes: If the VLAN group being configured is active, these commands won’t work. A group may have no separated ports, but in that case it must have at least one shared port group.

4. To configure shared ports in a group

To set a shared port group, which can have one or more shared ports (community-id is the shared port group ID):

community <community-id> {<port> <port1-port2>}[<port> <port1-port2>]…

To delete a shared port group, which will delete all ports in the group:

no community <community-id>

Notes: If the VLAN group being configured is active, these commands won’t work. A group may have no separated ports, but in that case it must have at least one shared port group.

5. To configure promiscuous ports in a group

To set one or more promiscuous ports:

promiscuous {<port> <port1-port2>}[<port> <port1-port2>]…

To delete one or more promiscuous ports:

no promiscuous {<port> <port1-port2>}[<port> <port1-port2>]…

Notes: If the VLAN group being configured is active, these commands won’t work. There should be at least one promiscuous port.

6. To enable or disable a group

The VLAN group is not active right after its VLANs and ports are configured; it must be activated with a specific command.

To enable a private VLAN group:

enable

Notes: There can be several possibilities if a VLAN group can’t work:

(1) min-vlanid, max-vlanid or primary-vlanid may be 0;
(2) The VLAN range is too small, i.e., the total number of VLANs in the range is less than the sum of the number of separated ports + the number of shared port groups + 1, as mentioned before;
(3) No promiscuous port in the group;
(4) Neither separated port nor shared port group exists in the group;
(5) There is overlapping among promiscuous ports, shared ports and separated ports;
(6) There is overlapping for ports between this VLAN group and other groups;
(7) If a promiscuous port, a shared port or a separated port belongs to a normal VLAN as an untagged member, it must be removed from the normal VLAN first.

To disable a group:

disable

Notes: You can only modify the configuration while a VLAN group is inactive; otherwise it can’t be changed. So to change the configuration, you have to disable the VLAN group first, and then enable it again.

7. To show group information

To show VLAN group information under either overall configuration mode or PRIVATE VLAN mode (group-id: 1-12). Without group-id, information for all 12 groups is shown; with group-id, only the specified group is shown:

show privatevlan [group-id]

4.3 Private VLAN configuration examples

Figure4-3. example


Configuration:

Switch# private 1                              ***enter PRIVATE VLAN mode
Switch(privatevlan-1)# vlan 2 6 2              ***the VLAN range and the primary VLAN
Switch(privatevlan-1)# isolate 1-2             ***separated ports
Switch(privatevlan-1)# community 1 3-4         ***shared port group
Switch(privatevlan-1)# community 2 5-6         ***shared port group
Switch(privatevlan-1)# promiscuous 7-9         *** promiscuous ports
Switch(privatevlan-1)# enable                  ***activation
Switch# show privatevlan 1#

Private vlan group: 1
Status: active
Max vlan number: 6
Min vlan number: 2
Primary vlan number: 2
Promiscuous port: 7 8 9
Isolate port: 1 2
Community 1 port: 3 4
Community 2 port: 5 6

Possible reasons if not working:

1. Min-vlanid is bigger than max-vlanid;
2. Primary-vlanid is not in the range of min-vlanid - max-vlanid;
3. The value (VLAN range) of max-vlanid minus min-vlanid is bigger than 26;
4. One or more VLANs in the VLAN range are already owned by normal VLANs;
5. There is overlapping in the VLAN ranges between the VLAN group being configured and other groups;
6. If the VLAN group is active, its configuration can’t be changed;
7. The VLAN range is too small, i.e., the total number of VLANs in the range is less than the sum of the number of separated ports + the number of shared port groups + 1, as mentioned before;
8. No promiscuous port in the group;
9. Neither separated port nor shared port group exists in the group.


Figure4-4.example with two groups

Configuration of VLAN group 1:

Switch# privatevlan 1
Switch(privatevlan-1)# vlan 1000 1002 1000
Switch(privatevlan-1)# isolate 1
Switch(privatevlan-1)# community 1 2-3
Switch(privatevlan-1)# promiscuous 7
Switch(privatevlan-1)# enable
Switch# show privatevlan 1
Private vlan group : 1
status : active
max vlan number : 1002
min vlan number : 1000
primary vlan number : 1000
promiscuit port : 7
iSolatePort port : 1
community 1 port : 2 3

Configuration of VLAN group 2:

Switch# privatevlan 2
Switch(privatevlan-1)# vlan 2000 2002 2000
Switch(privatevlan-1)# isolate 4
Switch(privatevlan-1)# community 1 5-6
Switch(privatevlan-1)# promiscuous 8
Switch(privatevlan-1)# enable
Switch# show privatevlan 2
Private vlan group : 2
status : active
max vlan number : 2002
min vlan number : 2000
primary vlan number : 2000
promiscuit port : 8
iSolatePort port : 4
community 1 port : 5 6
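The failure reasons listed in this chapter can be checked offline before a group is enabled. The following Python sketch is an added example, not part of the manual or the switch software; the names PvlanGroup, expand_ports and validate are hypothetical, and the TOO_SMALL group is constructed to show a failing plan.

```python
from dataclasses import dataclass, field


def expand_ports(spec):
    """Expand a CLI port list such as "1-2 5" into a set of port numbers."""
    ports = set()
    for token in spec.split():
        low, _, high = token.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


@dataclass
class PvlanGroup:
    group_id: int
    min_vlan: int
    max_vlan: int
    primary: int
    isolate: set = field(default_factory=set)       # separated ports
    community: dict = field(default_factory=dict)   # community-id -> shared ports
    promiscuous: set = field(default_factory=set)

    def vlans(self):
        return set(range(self.min_vlan, self.max_vlan + 1))

    def ports(self):
        return self.isolate.union(self.promiscuous, *self.community.values())


def validate(group, other_groups=(), normal_vlans=(), normal_untagged_ports=()):
    """Return the list of rule violations for one planned group (empty = ok)."""
    errors = []
    if not 1 <= group.group_id <= 12:
        errors.append("group-id outside 1-12")
    if 0 in (group.min_vlan, group.max_vlan, group.primary):
        errors.append("min-vlanid, max-vlanid or primary-vlanid is 0")
    if group.min_vlan > group.max_vlan:
        errors.append("min-vlanid is bigger than max-vlanid")
    if not group.min_vlan <= group.primary <= group.max_vlan:
        errors.append("primary-vlanid is outside the VLAN range")
    if group.max_vlan - group.min_vlan > 26:
        errors.append("max-vlanid minus min-vlanid is bigger than 26")
    if group.vlans() & set(normal_vlans):
        errors.append("a VLAN in the range is already a normal VLAN")
    # One VLAN per separated port, one per shared port group, plus the primary.
    needed = len(group.isolate) + len(group.community) + 1
    if len(group.vlans()) < needed:
        errors.append(f"VLAN range too small: need {needed}")
    if not group.promiscuous:
        errors.append("no promiscuous port in the group")
    if not group.isolate and not group.community:
        errors.append("neither separated port nor shared port group exists")
    roles = [group.isolate, group.promiscuous, *group.community.values()]
    if sum(len(role) for role in roles) != len(group.ports()):
        errors.append("a port has more than one role in the group")
    if group.ports() & set(normal_untagged_ports):
        errors.append("a port is still an untagged member of a normal VLAN")
    for other in other_groups:
        if group.vlans() & other.vlans():
            errors.append(f"VLAN range overlaps group {other.group_id}")
        if group.ports() & other.ports():
            errors.append(f"ports overlap group {other.group_id}")
    return errors


# The groups configured in Figure4-3 and Figure4-4 of this chapter.
FIG_4_3 = PvlanGroup(1, 2, 6, 2, expand_ports("1-2"),
                     {1: expand_ports("3-4"), 2: expand_ports("5-6")},
                     expand_ports("7-9"))
FIG_4_4_G1 = PvlanGroup(1, 1000, 1002, 1000, expand_ports("1"),
                        {1: expand_ports("2-3")}, expand_ports("7"))
FIG_4_4_G2 = PvlanGroup(2, 2000, 2002, 2000, expand_ports("4"),
                        {1: expand_ports("5-6")}, expand_ports("8"))
# Constructed failing plan: same ports as Figure4-3, but only 3 VLANs and
# no promiscuous port.
TOO_SMALL = PvlanGroup(3, 2, 4, 2, expand_ports("1-2"),
                       {1: expand_ports("3-4"), 2: expand_ports("5-6")})

if __name__ == "__main__":
    print("Figure4-3:", validate(FIG_4_3) or "ok")
    print("Figure4-4 group 2:", validate(FIG_4_4_G2, [FIG_4_4_G1]) or "ok")
    print("constructed:", validate(TOO_SMALL))
```
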


Chapter 5.STP Configuration

This chapter describes STP (Spanning Tree Protocol) and its configuration. Chapter index:

1. Introduction to STP
2. STP configuration
3. STP examples


5.1 STP introduction

The iSpirit 3026 switch supports standard IEEE 802.1d STP. STP is a Layer 2 protocol defined by the IEEE 802.1d standard; it operates at the layer of bridges and switches. STP provides a method to switch dynamically between redundant devices in the network. With STP, users can plan backup links when designing networks: STP ensures that backup links are closed while the main links are working, and once the main links break down, the backup links are activated automatically so that the network still works. From another point of view, STP avoids loops when there is redundancy in the network topology. Loops are critical problems for a network, yet providing redundancy is also very important; STP resolves this conflict. Users can use this functionality through the commands provided.

5.2 STP configuration

Please refer to the following steps to configure STP: (1) To enable STP; (2) To configure STP.

By default, STP is disabled on the switch, but STP calculation for all ports is on. A port is added to STP calculation only when both STP for the whole switch and STP calculation for the port are on; otherwise, it won’t be added. Commands:

To enable or disable STP under overall mode:

stp
no stp

To enable STP calculation of ports under overall mode:

enable stp ports <port|port1-port2> [port|port1-port2]…

To disable STP calculation of ports under overall mode:

disable stp ports <port|port1-port2> [port|port1-port2]…

To set bridge priority under overall mode, the default value is 32768, range: 0-65535:

stp bridge priority <priority>

To set port priority under PORT RANGE mode, the default value is 128, range: 0-255:

stp port priority <priority>


To set the interval at which the bridge sends BPDU packets (overall mode), the default is 2 seconds:

stp bridge hello-time <time>

To set STP transmission delay time (overall mode), default: 15s:

stp bridge forward-delay <time>

To set the maximum active time for STP configuration information of the bridge (overall mode), default: 20s:

stp bridge max-age <time>

To show STP information of the bridge:

show stp bridge

To show STP information for a port (overall mode or PORT RANGE mode):

show stp port <port>

5.3 STP examples

Figure5-1.example

As shown in Figure5-1, three switches form a loop, so it’s necessary to enable STP on each switch. (The following enabling command should be executed on all three switches.)

Switch# stp

To check whether it’s turned on, try:

Switch# show switch
IP Address: 192.168.0.1
Subnet Mask: 255.255.255.0
Default Gateway: 0.0.0.0
MAC Address: 00:09:ca:90:97:01
Spanning Tree: Enable
IGMP Snooping: Disable

This shows that STP is enabled. To disable STP:

Switch# no stp

More commands:

To set a switch as root, you need to set its bridge priority value smaller than that of the two others (a smaller value means higher priority; default: 32768, range: 0-65535):

Switch# stp bridge priority <priority>

To disable STP calculation of a port:

Switch# disable stp ports <port>    ***port: 1-26

To check possible errors:

(1) You may need to see which switch is the bridge root:

Switch# show stp bridge
— Designated Root Information — -
Priority : 32768
MAC Address : 00:09:ca:01:75:02
Hello Time : 2s
Forward Delay : 15s
Max Age : 20s
— Bridge STP Information — -
Bridge Priority : 32768
MAC Address : 00:09:ca:01:75:02
Root Path Cost : 0
Root Port : 0
Bridge Hello Time : 2s
Bridge Forward Delay : 15s
Bridge Max Age : 20s

(2) You may need to see STP ports information:

Switch# show stp port portnumber    ***port number (1=<A<=26)
Switch# show stp port 3
— Port Information -—
STP Port : Enable
Port ID : 3
Priority : 128
State : Disabled
Path Cost : 19
Designated Cost : 0
— Designated Root Information — -
Priority : 32768
MAC Address : 00:09:ca:90:97:01
— Designated Port Information — -
Port ID : 3
Priority : 128
— Designated Bridge Information — -
Priority : 32768
MAC Address : 00:09:ca:90:97:01


Chapter 6.Layer 2 Static Multicast Configuration

This chapter introduces Layer 2 static multicast and how to configure it. Chapter index:

1. Introduction to Layer 2 static multicast
2. Layer 2 static multicast configuration
3. Layer 2 static multicast configuration examples


In a WAN (Wide Area Network) or the Internet, it’s sometimes necessary to send the same copy of data to multiple receivers (but not to all receivers in the network, for which broadcast could be used). With unicast, the sender has to send to each receiver one by one, which becomes very inefficient as the number of receivers increases: it consumes too many network resources and overloads hosts and other devices. So multicast is becoming one of the main methods for point-to-multipoint transmission as applications such as tele-conferencing and VOD (Video On Demand) become popular. A unicast example is shown in Figure6-1, which uses point-to-point communication; a multicast example is shown in Figure6-2, which uses point-to-multipoint communication. Both send the same data from A to B and C. Two copies of the data are sent in Figure6-1, to B and C respectively, while only one copy is sent in Figure6-2.

Figure6-1. unicast example

Figure6-2. multicast example

The iSpirit 3026 switch supports IGMP (Internet Group Management Protocol), IGMP Snooping and Layer 2 static multicast, all of which are used to provide multicasting services. IGMP is for group management, but because the iSpirit 3026 switch is a Layer 2 switch, there is no dynamic learning of Layer 3 IP multicast addresses in a directly connected subnet. It can, however, send query packets and maintain multicast groups. IGMP Snooping monitors IGMP packets in the network and can learn multicast MAC addresses dynamically. Layer 2 static multicast functionality can be used to configure Layer 2 multicast addresses by hand. This chapter only describes Layer 2 static multicast. Please refer to other chapters for the other multicasting services mentioned above.

6.1 Introduction to Layer 2 static multicast

The iSpirit 3026 switch has a Layer 2 hardware multicast transmission table, which is used for Layer 2 multicast transmission at line speed. Multicast MAC addresses can be added either through IGMP Snooping dynamic learning or by configuration. This section includes the following information:

Layer 2 hardware multicast transmission table
Layer 2 multicast MAC address
Layer 2 multicast transmission mode
Layer 2 static multicast and Layer 2 dynamic multicast

1. Layer 2 hardware multicast transmission table

The Layer 2 hardware multicast transmission table is used for Layer 2 multicast transmission at line speed. It has 255 entries, i.e., 255 multicast MAC addresses. Each entry has three important fields: multicast MAC address, VLAN ID and output ports list; the entry is indexed by multicast MAC address and VLAN ID. Different VLANs (i.e., multiple subnets) can have the same multicast MAC address in the table, which requires multiple entries. When a Layer 2 multicast flow enters the switch via a port, the system first searches the table for its multicast MAC address and the VLAN ID it belongs to. If a matching entry is found, its output ports list is fetched, and the final output ports list for this flow is the fetched list with the input port removed. The output ports list in the table can have no, one or more output ports.

2. Layer 2 multicast MAC address

MAC addresses can be categorized as multicast MAC addresses and unicast MAC addresses. A multicast MAC address has the least significant bit of the highest byte set to 1, while for unicast it’s 0, as shown in Figure6-3. For example, 01:00:00:00:00:01 is multicast, and 00:00:00:00:00:01 is unicast.


Figure6-3. multicast MAC address

Figure6-4. IP multicast MAC address

A multicast MAC address can be either IP or non-IP. An IP multicast MAC address is mapped from a Layer 3 IP multicast address (as shown in Figure6-4): the first three bytes must be 01:00:5e and the 23rd bit must be 0, and the remaining 23 bits are the same as the lower 23 bits of the IP address. Non-IP multicast MAC addresses are all the others. For example, 01:00:5e:00:00:01 is an IP multicast MAC address, while 01:00:ff:00:00:01 is non-IP.

3. Layer 2 multicast transmission mode

There are two modes for using the Layer 2 hardware multicast transmission table: unregistered and registered. In unregistered mode, if a matching entry is found in the table for a Layer 2 multicast flow, the flow is transmitted according to the output ports list of the entry; if no entry is found, it’s transmitted as broadcast, i.e., to all other ports in the VLAN. Registered mode differs from unregistered mode in that data is discarded if no matching entry is found. (Please refer to Chapter 3 “VLAN” for more info.) On the iSpirit 3026 switch, unregistered mode is used if IGMP SNOOPING is off, and registered mode otherwise.

4. Layer 2 static multicast and Layer 2 dynamic multicast

Entries of multicast MAC addresses can be added to the Layer 2 hardware multicast transmission table either by dynamic learning through IGMP SNOOPING or by static configuration. IGMP SNOOPING only adds IP addresses, while static configuration may include non-IP addresses. As said before, unregistered mode is used for the hardware transmission table when IGMP SNOOPING is off, in which case no address is added through dynamic learning, so the table is empty unless there is static configuration. To limit the broadcast range, users can add static multicast entries that specify the output ports list and thus reduce multicast data flow in the network. When multicast is widely used in the network, users can enable IGMP SNOOPING on the switch to limit multicast data flow. Registered mode is then used, and multicast addresses can be learned dynamically. Only multicast flows with matching entries are transmitted. For flows that can’t be learned but need to be transmitted, users can add static addresses to the table. When static configuration and dynamic learning both have the same entry, the output ports list is the union of their ports. When static entries are deleted, only statically configured ports are removed and dynamic ones are kept; likewise, when dynamic entries become invalid, only dynamic ports are deleted and static ones are kept.
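The address mapping, the two transmission modes and the static/dynamic union described in this section can be modelled in a few lines. The following Python sketch is an added example, not the switch’s implementation; the class and function names are hypothetical, and removing an entry once it has neither static nor dynamic ports is an assumption of the model.

```python
import ipaddress

TABLE_SIZE = 255  # entries in the hardware table, as stated in this section


def parse_mac(text):
    return bytes(int(part, 16) for part in text.split(":"))


def is_multicast(mac):
    """Multicast if the least significant bit of the first byte is 1."""
    return bool(parse_mac(mac)[0] & 0x01)


def ip_to_multicast_mac(group_ip):
    """01:00:5e, one 0 bit, then the lower 23 bits of the IPv4 group address."""
    addr = ipaddress.IPv4Address(group_ip)
    if not addr.is_multicast:
        raise ValueError(f"{group_ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


class MulticastTable:
    """Model of the table: index is (VLAN ID, multicast MAC)."""

    def __init__(self, igmp_snooping=False):
        self.igmp_snooping = igmp_snooping   # on -> registered mode
        self.entries = {}                    # (vlan, mac) -> {"static", "dynamic"}

    def add(self, vlan, mac, ports, source="static"):
        key = (vlan, mac.lower())
        if key not in self.entries:
            if not is_multicast(mac):
                raise ValueError(f"{mac} is not a multicast MAC address")
            if len(self.entries) >= TABLE_SIZE:
                raise OverflowError("multicast table is full")
            self.entries[key] = {"static": set(), "dynamic": set()}
        self.entries[key][source].update(ports)

    def remove(self, vlan, mac, ports=None, source="static"):
        key = (vlan, mac.lower())
        entry = self.entries.get(key)
        if entry is None:
            return
        if ports is None:
            entry[source].clear()            # ports from the other source are kept
        else:
            entry[source].difference_update(ports)
        if not entry["static"] and not entry["dynamic"]:
            del self.entries[key]            # assumption: drop fully empty entries

    def output_ports(self, vlan, mac, in_port, vlan_ports):
        entry = self.entries.get((vlan, mac.lower()))
        if entry is not None:                # match: union minus the input port
            return (entry["static"] | entry["dynamic"]) - {in_port}
        if self.igmp_snooping:               # registered mode: discard
            return set()
        return set(vlan_ports) - {in_port}   # unregistered mode: flood the VLAN


if __name__ == "__main__":
    mac = ip_to_multicast_mac("224.100.100.240")
    table = MulticastTable(igmp_snooping=False)
    print(mac, sorted(table.output_ports(2, mac, 5, range(1, 27))))
    table.add(2, mac, {1, 2})
    print(mac, sorted(table.output_ports(2, mac, 5, range(1, 27))))
```

Because only the lower 23 bits of the IP address are kept, several IP groups share one MAC address; for example 224.1.1.1 and 224.129.1.1 both map to 01:00:5e:01:01:01, so one table entry covers both.
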

6.2 Layer 2 static multicast configuration

By default there is no static multicast configuration on the iSpirit 3026 switch. This section describes how to configure static multicast:

To configure Layer 2 static multicast addresses
To show Layer 2 multicast address information

1. To configure Layer 2 static multicast addresses

It’s easy to configure Layer 2 static multicast addresses, which includes creating multicast address entries and adding output ports to them, and deleting multicast address entries and removing output ports from them.

To create multicast entries and add output ports under overall mode. Input parameters: VLAN ID, multicast MAC address and output ports list. If the entry doesn’t exist, a new one is created with the specified output ports list; if it already exists, the specified output ports are added to it.

multicast <vlanid> <mac-address> {<port>|<port1-port2>} [<port>|<port1-port2>] …

To delete multicast entries and remove output ports under overall mode. Input parameters: VLAN ID and multicast MAC address; the output ports list is optional. Without an output ports list, the entry is deleted and its output ports list cleared; if an output ports list is included in the command, the specified ports are removed from the entry.

no multicast <vlanid> <mac-address> [<port>|<port1-port2>]…

2. To show Layer 2 multicast address information

Layer 2 multicast addresses include those configured statically and those learned dynamically. The iSpirit 3026 switch provides two commands for showing information, one for static entries only and the other for both.

To show static configuration under overall mode:

show multicast static

To show both under overall mode:

show multicast

6.3 Layer 2 static multicast configuration examples

An example is shown in Figure6-5.

Figure6-5. example

As shown in Figure6-5, there is a multicast server with IP address 172.16.4.1. It is in VLAN 2 and sends multicast data to the destination address 224.100.100.240 (MAC: 01:00:5e:64:64:f0). Suppose user 1 and user 2 are connected to port 1 and port 2 on the iSpirit 3026 switch, respectively. To let them receive the multicast data, add ports 1-2 to the multicast group 01:00:5e:64:64:f0 in VLAN 2 by configuring static multicast as follows:

switch# multicast 2 01:00:5e:64:64:f0 1-2
switch# show multicast static
multicast address: 01:00:5e:64:64:f0
vlan id: 2
port list: 1 2


Chapter 7. IGMP SNOOPING configuration

This chapter introduces IGMP SNOOPING and its configuration. Chapter index:

1. Introduction to IGMP SNOOPING
2. IGMP SNOOPING configuration


In a WAN (Wide Area Network) or the Internet, when the same copy of data must be sent to multiple receivers (but not to all receivers in the network, for which broadcast could be used), a unicast sender has to send to each receiver one by one, which becomes very inefficient as the number of receivers increases: it consumes too many network resources and overloads hosts and other devices. So multicast is becoming one of the main methods for point-to-multipoint transmission as applications such as tele-conferencing and VOD (Video On Demand) become more popular. The iSpirit 3026 switch supports IGMP (Internet Group Management Protocol), IGMP Snooping and Layer 2 static multicast, all of which are used to provide multicasting services. IGMP is for group management. IGMP Snooping monitors IGMP packets in the network and can also learn multicast MAC addresses dynamically. Layer 2 static multicast functionality can be used to configure Layer 2 multicast addresses by hand.

7.1 Introduction to IGMP SNOOPING

In a traditional network, multicast packets in a subnet are handled as broadcast, which may increase network traffic dramatically and thus congest the network. With IGMP SNOOPING enabled, the switch can dynamically learn IP multicast addresses and maintain the output ports list; as a result, multicast data is only sent to the ports in the output ports list and network traffic can be reduced to a large degree. Layer 2 static multicast addresses are configured by hand, while IGMP SNOOPING addresses are learned dynamically. The two are closely related. Please refer to Chapter 6 “Layer 2 static multicast configuration” for more information on static multicast. Section index:

The procedure for IGMP SNOOPING
Layer 2 dynamic multicast and Layer 2 static multicast
To add a group
To delete a group

1. The procedure for IGMP SNOOPING

IGMP SNOOPING is a Layer 2 network protocol. It monitors the IGMP packets passing through the switch and maintains multicast routing entries based on information collected from the packets, such as ingress ports, VLAN ID and multicast addresses; the IGMP packets are then transmitted. Only ports that have been added to a multicast group are allowed to receive multicast data packets. So IGMP SNOOPING can decrease network load and save network bandwidth.


A multicast entry includes multicast group address, member ports, VLAN ID, Age and Type. IGMP SNOOPING learns multicast entries dynamically. When a port receives an IGMP REPORT packet, IGMP SNOOPING creates a new multicast group and adds the ingress port of the REPORT packet to the group. When an IGMP QUERY packet is received, if the multicast group already exists in the switch, its ingress port is also added to the group; otherwise the QUERY packet is just transmitted. IGMP SNOOPING also supports the Leave method of IGMP V2: if IGMP SNOOPING is configured with immediate leave enabled, when an IGMP LEAVE packet is received, its ingress port is removed from the group immediately. IGMP SNOOPING has two refreshing methods: the Leave method mentioned above and the aging method. It usually uses the aging method to delete old groups. When a group is added by IGMP SNOOPING, it’s time-stamped, and the group is deleted later when it exceeds the configured age-time.

2. Layer 2 dynamic multicast with Layer 2 static multicast

Entries of multicast MAC addresses can be added to the Layer 2 hardware multicast transmission table either by dynamic learning through IGMP SNOOPING or by static configuration. IGMP SNOOPING only adds IP addresses, while static configuration may include non-IP addresses. As said before, unregistered mode is used for the hardware transmission table when IGMP SNOOPING is off, in which case no address is added through dynamic learning, so the table is empty unless there is static configuration. To limit the broadcast range, users can add static multicast entries that specify the output ports list and thus reduce multicast data flow in the network. When multicast is widely used in the network, users can enable IGMP SNOOPING on the switch to limit multicast data flow. Registered mode is then used, and multicast addresses can be learned dynamically. Only multicast flows with matching entries are transmitted. For flows that can’t be learned but need to be transmitted, users can add static addresses to the table. When static configuration and dynamic learning both have the same entry, the output ports list is the union of their ports. When static entries are deleted, only statically configured ports are removed and dynamic ones are kept; likewise, when dynamic entries become invalid, only dynamic ports are deleted and static ones are kept.

3. To add a group

When a host wants to join a group, it sends an IGMP REPORT packet containing the multicast group address the host wants to join. When a switch (with IGMP SNOOPING on) receives an IGMP QUERY packet, it sends it to all other ports in the same VLAN; when a host hoping to join the group gets the QUERY packet, it responds with an IGMP REPORT packet; when the REPORT packet arrives at the switch, a Layer 2 multicast entry is created, with its output ports list being the union of the ingress port of the QUERY packet and the ingress port of the REPORT packet. An example is shown in Figure7-1.

Figure7-1. example

As shown in Figure7-1, all devices are in the same subnet; suppose it’s VLAN 2. IGMPv2 is running on the router, which sends out IGMP QUERY packets periodically. Host 1 wants to join the group 224.1.1.1. When the switch receives an IGMP QUERY packet on port 3/1, it records the ingress port and transmits the packet to port 1/1 and port 1/2. Host 1 responds with an IGMP REPORT packet after receiving the QUERY packet, while Host 2 does not, since it doesn’t want to join the group. After the switch receives the REPORT packet on port 1/1, it sends it out of port 3/1, the ingress port of the previous QUERY packet, and creates a Layer 2 multicast entry (supposing it doesn’t exist already) with the following fields (shown in Table7-1):

Table7-1:

Layer 2 multicast address    Vlan ID    Output port list
01:00:5e:01:01:01            2          1/1, 3/1


Figure7-2.example

Figure7-2 shows the same example, with Host 2 also wanting to join the group. As shown in Figure7-2, Host 1 has already joined the group 224.1.1.1. Now Host 2 also wants to join the group. When Host 2 gets the QUERY packet, it also responds with a REPORT packet. When the switch receives the REPORT packet on port 1/2, it transmits it out of port 3/1, the ingress port of the QUERY packet, and adds port 1/2 to the multicast entry, as shown in Table7-2:

Table7-2:

Layer 2 multicast address    Vlan ID    Output port list
01:00:5e:01:01:01            2          1/1, 1/2, 3/1

4. To delete a group

To set up a steady multicasting environment, devices running IGMP (such as routers) send out IGMP QUERY packets periodically to all hosts. Hosts that have already joined the group or that hope to join respond with IGMP REPORT packets. There are two ways for hosts to leave a group: actively or passively. Hosts leaving actively send IGMP LEAVE packets to routers or switches, while hosts leaving passively simply don’t send IGMP REPORT packets when receiving QUERY packets from the routers or switches. Corresponding to the two leaving methods for hosts, there are also two methods for switches to remove ports from multicast entries: aging or receiving LEAVE packets.

Leave through aging: When a switch doesn’t get REPORT packets for a group from a port for some period of time, the port is deleted from the corresponding multicast entry; if no port is left in the entry, the entry is also removed.

Leave through LEAVE packets: When a switch has enabled the option “immediate leave”, if a port gets a LEAVE packet for a group, the port is deleted from the corresponding multicast entry; if no port is left in the entry, the entry is also removed. The “immediate leave” functionality is usually used when one port has only one connected host.
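The join and leave behaviour described in sections 3 and 4 can be replayed as a small state machine. The following Python sketch is an added example, not the switch’s implementation; the IgmpSnooper class is hypothetical, entries are keyed by group IP address rather than by the mapped MAC address, and it assumes that the QUERY ingress port stays in the output list while an entry exists and that an entry is removed once it has no member ports left.

```python
DEFAULT_AGE = 300  # seconds, the default multicast aging time in this manual


class IgmpSnooper:
    def __init__(self, vlan_ports, age=DEFAULT_AGE, immediate_leave=False):
        self.vlan_ports = vlan_ports      # vlan -> set of ports in that VLAN
        self.age = age
        self.immediate_leave = immediate_leave
        self.query_ports = {}             # vlan -> ports QUERY packets arrived on
        self.members = {}                 # (vlan, group) -> {port: last REPORT time}

    def on_query(self, vlan, in_port):
        """Record the ingress port; return the ports the QUERY is sent to."""
        self.query_ports.setdefault(vlan, set()).add(in_port)
        return self.vlan_ports[vlan] - {in_port}

    def on_report(self, vlan, group, in_port, now):
        """Add or refresh a member port; return the ports the REPORT goes to."""
        self.members.setdefault((vlan, group), {})[in_port] = now
        return self.query_ports.get(vlan, set()) - {in_port}

    def on_leave(self, vlan, group, in_port):
        """Remove the port at once only when immediate leave is enabled."""
        if not self.immediate_leave:
            return False                  # the port stays until it ages out
        return self._drop(vlan, group, in_port)

    def expire(self, now):
        """Aging: drop ports with no REPORT for longer than the age time."""
        for (vlan, group), ports in list(self.members.items()):
            for port, seen in list(ports.items()):
                if now - seen > self.age:
                    self._drop(vlan, group, port)

    def _drop(self, vlan, group, port):
        ports = self.members.get((vlan, group))
        if ports is None or port not in ports:
            return False
        del ports[port]
        if not ports:                     # no member port left: remove the entry
            del self.members[(vlan, group)]
        return True

    def output_ports(self, vlan, group):
        ports = self.members.get((vlan, group))
        if ports is None:
            return None                   # no entry for this group
        return set(ports) | self.query_ports.get(vlan, set())


def figure_7_walkthrough():
    """Replay Figure7-1 and Figure7-2, then let Host 1 leave passively."""
    group = "224.1.1.1"
    sw = IgmpSnooper({2: {"1/1", "1/2", "3/1"}})
    steps = []
    sw.on_query(2, "3/1")                       # router QUERY arrives on 3/1
    sw.on_report(2, group, "1/1", now=0)        # Host 1 joins
    steps.append(sorted(sw.output_ports(2, group)))   # Table7-1
    sw.on_report(2, group, "1/2", now=10)       # Host 2 joins
    steps.append(sorted(sw.output_ports(2, group)))   # Table7-2
    sw.on_report(2, group, "1/2", now=200)      # only Host 2 keeps answering
    sw.expire(now=301)                          # Host 1 silent for over 300 s
    steps.append(sorted(sw.output_ports(2, group)))
    return steps


if __name__ == "__main__":
    for ports in figure_7_walkthrough():
        print(ports)
```
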

7.2 IGMP SNOOPING configuration

This section describes how to configure IGMP SNOOPING. Section index:

Default configuration for IGMP SNOOPING
To enable and disable IGMP SNOOPING
To enable and disable “immediate leave”
To configure the aging time for multicast
To show multicast information

1. Default configuration for IGMP SNOOPING

By default IGMP SNOOPING is disabled, and Layer 2 hardware multicast transmission table is in unregistered mode (as mentioned before). The option “immediate leave” is also disabled by default. The multicast aging time is 300 seconds by default.

2. To enable and disable IGMP SNOOPING

To enable IGMP SNOOPING under overall mode, which will add an entry to the FFP (Fast Filter Process) of all ports:

igmp snooping

To disable IGMP SNOOPING under overall mode:

no igmp snooping

3. To enable and disable “immediate leave”

To enable “immediate leave” under overall mode:

igmp snooping immediate-leave

To disable “immediate leave” under overall mode:

no igmp snooping immediate-leave

4. To configure the aging time for multicast

To set the multicast aging time under overall mode (unit: second):

igmp snooping age <age-interval>

5. To show multicast information

To show IGMP SNOOPING information under overall mode:

show igmp snooping

To show Layer 2 multicast entries under overall mode, including those learned by IGMP SNOOPING and those added by hand:

show multicast


Chapter 8. Configuring AAA

This chapter describes how to configure 802.1x and RADIUS on the iSpirit 3026 switch to prevent unauthorized users from connecting to the Internet. For the 802.1x supplicant system and HyperBoss, please refer to their individual operation manuals. This chapter mainly includes:

1. Introduction to 802.1x
2. Introduction to RADIUS
3. 802.1x configuration
4. RADIUS configuration


AAA is the abbreviation for “Authentication, Authorization, and Accounting”. It provides a consistent framework for configuring these three security functions. In effect, AAA configuration protects network security through access control: which users can access the Internet, which services are authorized to whom, and how to keep accounts for users' use of network resources.

Authentication: to check whether users can be authorized to access the network
Authorization: to authorize users for particular services
Accounting: to record the usage of network resources by users

UTStarcom Corporation, Ltd. provides a set of AAA solutions, including the 802.1x supplicant system, various authentication switches, and the authentication and accounting system HyperBoss. The 802.1x supplicant system is installed on the user's PC; only users authenticated through the 802.1x supplicant system can access the Internet. The iSpirit 3026 is a switch that supports authentication: it accepts authentication requests from the supplicant system and forwards the user's name and password to HyperBoss. The switch itself does not carry out authentication. HyperBoss receives the request sent by the switch, carries out the actual authentication, and performs accounting for authenticated users. Communication between the 802.1x supplicant system and the switch uses the 802.1x protocol, and communication between the switch and HyperBoss uses the RADIUS protocol.

8.1 Introduction to 802.1x

802.1x is a port-based access control and authentication protocol. The port here is a logical port, which may be a physical port, a MAC address, or a VLAN ID. UTStarcom switches implement 802.1x based on MAC address. 802.1x is a Layer 2 protocol: the authentication switch and the user's PC must be in the same subnet, and protocol packets must not cross network segments. 802.1x authentication uses a supplicant/server model, so there must be a server that carries out authentication for all users. Before authentication, only authentication traffic can pass through the switch port; after authentication, data traffic can pass through the port. That is, users can access the Internet only after being authenticated.


This section mainly includes:

Framework for 802.1x devices
Introduction to protocol packets
Interaction of protocol packets
802.1x port status

1. Framework for 802.1x devices

An 802.1x system consists of three parts: Supplicant System, Authenticator System, and Authentication Server System. See Figure 8-1.

Figure 8-1. 802.1x equipment

Supplicant system: the device that asks to access the Internet, commonly the user end system, e.g. the user's PC. 802.1x supplicant software must be installed on the user end system to implement the supplicant part of the 802.1x protocol. When the supplicant system requests 802.1x authentication, the authentication server system checks the user's name and password; a user who passes this check can access the Internet.

Authenticator system: the device that carries out authentication, such as the iSpirit 3026 switch. The authenticator system controls whether a user can access the Internet through the user's logical port (MAC address): a user whose logical port is not authenticated cannot access the Internet, otherwise the user can. The authenticator system is a relay between the supplicant system and the authentication server system. It requests the user's identity information and forwards it to the authentication server system, and it transmits the authentication result from the authentication server system to the supplicant system. The authenticator system implements the server side of the 802.1x protocol toward the user system and the client side of the RADIUS protocol toward the authentication server system. Its RADIUS client packs EAP information from the 802.1x supplicant system into RADIUS packets and sends them to the authentication server system, and it unpacks EAP information from RADIUS packets received from the authentication server system and sends it to the 802.1x supplicant system through the 802.1x server side.

Authentication server system: the device that actually authenticates supplicants. It accepts and checks the user's identity information from the authenticator system. If the check succeeds, the authentication server system confirms this to the authenticator system, which allows the user to access the Internet; otherwise the authentication server system informs the user that authentication failed and the user cannot access the Internet. Communication between the authentication server system and the authenticator system is carried over the RADIUS protocol with EAP extensions. UTStarcom provides the authentication and accounting system HyperBoss to perform authentication and accounting.

2. Protocol packet introduction

Authentication data forwarded by the 802.1x protocol on the network is in EAPOL (EAP over LAN) frame format. All user identity information (including user names and passwords) is packed in EAP (Extensible Authentication Protocol), and the EAP packet is packed into an EAPOL frame. User names are carried in EAP in the clear, but passwords are carried in MD5 enciphered form. For the EAPOL frame format see Figure 8-2. PAE Ethernet Type is the Ethernet type for EAPOL, whose value is 0x888E. Protocol Version is the EAPOL version, whose value is 1. Packet Type means the size of EAPOL frame. Packet Body Length means the total length of the EAPOL frame content. Packet Body means the content of the EAPOL frame.

Figure 8-2. EAPOL Frame Format

The switch makes use of three kinds of EAPOL protocol frame:

EAPOL-Start: Packet Type value is 1. This is the frame that initiates authentication; the supplicant system sends it to the switch when the user needs to be authenticated.
EAPOL-Logoff: Packet Type value is 2. Users send this frame to inform the switch that they no longer need the Internet.
EAP-Packet: Packet Type value is 0. This is the authentication information frame, used for carrying authentication information.

For the EAP packet format see Figure 8-3. Code indicates the type of EAP packet, including Request, Response, Success and Failure. Identifier is for identifying purposes, used to match Response and Request. Length means the total length of the EAP packet, including the packet header. Data means the EAP packet data. EAP packet includes following four types:

EAP-Request: Code value is 1. Sent from the switch to the supplicant system to request the user's name and/or password.
EAP-Success: Code value is 3. Sent from the switch to the supplicant system to inform it that authentication succeeded.
EAP-Failure: Code value is 4. Sent from the switch to the supplicant system to inform it that authentication failed.

Figure 8-3. EAP Packet Format
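The two formats just described can be checked field by field. The parser below is an added example, not code from the manual or from UTStarcom; it validates the EAPOL and EAP length fields against each other before trusting any content. The Response code (2) and the EAP Type byte values come from RFC 3748 rather than from this manual, and the sample frames are constructed.

```python
import struct

ETH_P_PAE = 0x888E   # PAE Ethernet Type for EAPOL
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


class FrameError(ValueError):
    """The frame is not well-formed EAPOL/EAP and must be dropped."""


def parse_eap(body: bytes) -> dict:
    """Parse Code, Identifier, Length and Data of one EAP packet."""
    if len(body) < 4:
        raise FrameError("EAP packet shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise FrameError(f"unknown EAP code {code}")
    # Length covers the header; it may not exceed what EAPOL actually carried.
    if length < 4 or length > len(body):
        raise FrameError("EAP Length disagrees with EAPOL Packet Body Length")
    data = body[4:length]
    eap = {"code": EAP_CODES[code], "identifier": identifier, "data": data}
    if code in (1, 2):
        # Request/Response data starts with a Type byte (RFC 3748),
        # e.g. 1 = Identity (user name), 4 = MD5-Challenge.
        if not data:
            raise FrameError("Request/Response without a Type byte")
        eap["type"], eap["type_data"] = data[0], data[1:]
    elif data:
        raise FrameError("Success/Failure must not carry data")
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Parse an untagged Ethernet frame that should carry EAPOL."""
    if len(frame) < 18:  # 14-byte Ethernet header + 4-byte EAPOL header
        raise FrameError("frame too short for an EAPOL header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PAE:
        raise FrameError(f"ethertype 0x{ethertype:04x} is not EAPOL")
    version, packet_type, body_len = struct.unpack("!BBH", frame[14:18])
    if packet_type not in EAPOL_TYPES:
        raise FrameError(f"EAPOL packet type {packet_type} not handled")
    body = frame[18:18 + body_len]
    if len(body) != body_len:  # padding after the body is fine, truncation is not
        raise FrameError("frame ends before Packet Body Length bytes")
    return {
        "src": frame[6:12].hex(":"),
        "version": version,
        "type": EAPOL_TYPES[packet_type],
        "eap": parse_eap(body) if packet_type == 0 else None,
    }


# --- constructed sample frames (not captured traffic) ---
def make_frame(packet_type: int, body: bytes = b"") -> bytes:
    # destination 01:80:c2:00:00:03 (PAE group address), constructed source MAC
    eth = bytes.fromhex("0180c2000003" "00105c000001") + struct.pack("!H", ETH_P_PAE)
    return eth + struct.pack("!BBH", 1, packet_type, len(body)) + body


def make_eap(code: int, identifier: int, data: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


START = make_frame(1)
IDENTITY = make_frame(0, make_eap(2, 7, b"\x01alice")) + bytes(18)  # padded
SUCCESS = make_frame(0, make_eap(3, 8))
TRUNCATED = IDENTITY[:22]                       # cut off inside the EAP body
OVERLONG = make_frame(0, struct.pack("!BBH", 1, 9, 50) + b"\x01")  # EAP Length lies

if __name__ == "__main__":
    for name in ("START", "IDENTITY", "SUCCESS", "TRUNCATED", "OVERLONG"):
        try:
            print(name, parse_eapol(globals()[name]))
        except FrameError as exc:
            print(name, "dropped:", exc)
```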

3. Interaction of Protocol Flow

When the switch has 802.1x enabled and the port is in Auto status, users can access the Internet only after being authenticated. For the protocol interaction see Figure 8-4.

Figure 8-4. Authentication Protocol Interaction Started from Supplicant System

If a user needs to access the Internet, the supplicant system first sends EAPOL-Start to the switch to request authentication. On receiving it, the switch sends EAP-Request to request the user's name, and the supplicant system sends back EAP-Response. The switch extracts the EAP information and packs it into a RADIUS packet to send to the authentication server system, which then requests the user's password. The switch sends EAP-Request to the supplicant system to request the user's password, the supplicant system sends back EAP-Response, and the switch packs the EAP information into a RADIUS packet and sends it to the authentication server system, which checks the user based on the name and password. If authentication succeeds, the authentication server system informs the switch, which sends EAP-Success to the supplicant system and authorizes the user's logical port. EAP-Success received by the supplicant system means authentication succeeded and the user can access the Internet.

When the user no longer needs the Internet, the supplicant system sends EAPOL-Logoff to the switch, and the switch puts the user's logical port into unauthenticated status, in which the user cannot access the Internet.

To guard against a user's abnormal leave, the iSpirit 3026 switch provides a re-authentication mechanism with a configurable interval. The switch starts a new authentication at each interval; if it succeeds the user can continue using the Internet, otherwise the user cannot. For the protocol interaction see Figure 8-5.

Figure 8-5. Re-authentication Protocol Interaction

4. 802.1x Ports Status

Port status here means the status of the switch's physical ports. There are four statuses: N/A, Auto, Force-authorized, and Force-unauthorized. All ports are in N/A status if 802.1x is not enabled on the switch. 802.1x must be enabled on the switch before ports can be set to Auto, Force-authorized, or Force-unauthorized status.

N/A status: all users can access the Internet without authentication. 802.1x protocol packets received on this port are discarded.

Force-authorized status: all users can access the Internet without authentication. The switch sends back an EAP-Success packet if it receives an EAPOL-Start packet on this port. Other 802.1x protocol packets received on this port are discarded.

Force-unauthorized status: no user can access the Internet, and authentication requests never succeed. 802.1x protocol packets received on this port are discarded.

Auto status: users can access the Internet only after authentication. For the 802.1x protocol interaction see Figure 8-4. A port generally needs to be set to Auto status if users must be authenticated. The switch occupies one entry in the RULE list of the FFP for a port set to Auto status.


8.2 Introduction to RADIUS

A RADIUS protocol that supports the EAP extension must be used for interaction between the switch and the authentication server system when a user is being authenticated. RADIUS uses a client/server model: the switch implements the RADIUS client, and the authentication server system implements the RADIUS server. To keep the interaction between the switch and the authentication server system secure and to prevent unauthorized interaction, the switch and the authentication server system must authenticate each other. Both of them need the same key. When the switch or the authentication server system sends a RADIUS protocol packet, it uses the key in an HMAC calculation to produce a message digest of the packet. When either side receives a RADIUS protocol packet, it checks the packet's message digest using the key. If the check succeeds, the packet is a legal RADIUS protocol packet; otherwise it is illegal and is discarded. This section includes the following contents:

Introduction to protocol packet
Interaction of Protocol Flow
Users validation ways

1. Introduction to protocol packet

RADIUS is a protocol built on UDP, and it can carry both authentication information and accounting information. The early RADIUS authentication port was 1645, but it is now 1812; the early RADIUS accounting port was 1646, but it is now 1813. Because RADIUS is carried over UDP, it must provide its own timeout and retransmission mechanism. To improve the reliability of communication between the authenticator system and the RADIUS server, a scheme with two RADIUS servers is generally used, i.e. a standby server system. For the RADIUS packet format see Figure 8-6. Code means the RADIUS protocol packet type. Identifier is for identifying purposes, used for matching request and response. Length indicates the total length of the whole packet (including the header). Authenticator is a 16-byte string, which is a random number in a request packet and the message digest generated by MD5 in a response packet. Attribute indicates the attributes in the RADIUS protocol packet.

Figure 8-6. RADIUS Packet Format

Ideal network uses the following RADIUS protocol packets:

Access-Request: Code value is 1. Authentication request packet from the authenticator system to the authentication server system; the user's name and password are packed into the Access-Request.

Access-Accept: Code value is 2. Response packet from the authentication server system to the authenticator system indicating that the user has been authenticated.

Access-Reject: Code value is 3. Response packet from the authentication server system to the authenticator system indicating that the user was not authenticated.

Access-Challenge: Code value is 11. Response packet from the authentication server system to the authenticator system indicating that the authentication server system needs further information from the user, e.g. the password.

Accounting-Request: Code value is 4. The authenticator system sends an accounting request packet (for accounting start and finish) to the authentication server system, and the accounting information is packed into this packet.

Accounting-Response: Code value is 5. Accounting response packet from the authentication server system to the authenticator system indicating that the accounting information has been received.
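The Authenticator field is what lets the switch decide whether an Access-Accept, Access-Reject or Access-Challenge really came from the server that holds the shared key. The following added example (not code from the manual or from UTStarcom) builds and checks that field as RFC 2865 defines it: MD5 over Code, Identifier, Length, the request's Authenticator, the attributes and the key. The HMAC-based Message-Authenticator attribute is not shown, and the key, user name and packets are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length counts all three)."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, attributes: bytes) -> bytes:
    """Request packet: the Authenticator is a fresh 16-byte random number."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length)
    return header + os.urandom(16) + attributes


def split_packet(packet: bytes):
    """Return (code, identifier, authenticator, attributes) or raise ValueError."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("Length field disagrees with the datagram size")
    return code, identifier, packet[4:HEADER_LEN], packet[HEADER_LEN:length]


def response_digest(code, identifier, request_auth, attributes, key: bytes) -> bytes:
    """MD5 over Code, Identifier, Length, Request Authenticator, Attributes, key."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    return hashlib.md5(header + request_auth + attributes + key).digest()


def build_response(code: int, request: bytes, attributes: bytes, key: bytes) -> bytes:
    """Server side: answer `request` with a packet bound to it and to the key."""
    _, identifier, request_auth, _ = split_packet(request)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    digest = response_digest(code, identifier, request_auth, attributes, key)
    return header + digest + attributes


def verify_response(response: bytes, request: bytes, key: bytes) -> bool:
    """Switch side: accept a reply only if it matches our request and our key."""
    try:
        code, identifier, auth, attributes = split_packet(response)
        _, req_identifier, request_auth, _ = split_packet(request)
    except ValueError:
        return False
    if identifier != req_identifier:      # reply to some other request
        return False
    expected = response_digest(code, identifier, request_auth, attributes, key)
    return hmac.compare_digest(auth, expected)   # constant-time comparison


# --- constructed sample exchange ---
KEY = b"constructed-shared-key"
REQUEST = build_access_request(42, attribute(1, b"alice"))  # attribute 1 = User-Name
ACCEPT = build_response(ACCESS_ACCEPT, REQUEST, b"", KEY)
REJECT = build_response(ACCESS_REJECT, REQUEST, b"", KEY)
FORGED = bytes([ACCESS_ACCEPT]) + REJECT[1:]  # Reject with its Code rewritten to Accept

if __name__ == "__main__":
    print("accept verifies:", verify_response(ACCEPT, REQUEST, KEY))
    print("rewritten reject verifies:", verify_response(FORGED, REQUEST, KEY))
    print("wrong key verifies:", verify_response(ACCEPT, REQUEST, b"other-key"))
```

Because the digest covers the Code byte and the request's random Authenticator, a reply can be neither relabelled nor replayed against a later request; everything rests on the secrecy and strength of the shared key.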

2. Interaction of Protocol Flow

Interaction between the authenticator system and the authentication server system takes place through the RADIUS protocol after the user sends out an authentication request. For the protocol flow in which the authenticator system does not send RADIUS accounting packets, see Figure 8-4. Generally, after authentication or after the user has left the Internet, the authenticator system should send a RADIUS accounting packet to the authentication server system. See Figure 8-7 for the protocol flow between the iSpirit 3026 and the authentication server system.

Figure 8-7. Interaction of Protocol Flow

When a user is being authenticated, the switch packs the user's name into an Access-Request packet and sends it to the authentication server system. The server responds with Access-Challenge to request the user's password. The switch requests the user's password from the supplicant system, which packs the password into EAP. After obtaining the EAP packet, the switch packs it into an Access-Request and sends it to the authentication server system, which authenticates the user. If authentication succeeds, the server sends back Access-Accept to the switch. On receiving this packet, the switch informs the supplicant system that authentication succeeded and at the same time sends an Accounting-Request to inform the authentication server system to start accounting, and the authentication server system sends back an Accounting-Response.

When the user no longer wants to access the Internet, the supplicant system informs the switch that the user is leaving. The switch sends an Accounting-Request to inform the authentication server system to stop accounting, with the accounting information packed into this packet, and the authentication server system sends back an Accounting-Response.

3. Users validation ways

RADIUS has the following three validation ways:

PAP (Password Authentication Protocol). The user transfers his/her user name and password to the switch. The switch forwards the user name and password to the RADIUS server in a RADIUS protocol packet, and the RADIUS server looks them up in its database. If the same name and password are found, validation passes; otherwise it fails.

CHAP (Challenge Handshake Authentication Protocol). When a user requests access to the Internet, the switch generates a 16-byte random code and sends it to the user. The user encrypts the random code, password, and other fields to generate a response, and then forwards the user's name and response to the switch. The switch forwards the user's name, the response, and the original 16-byte random code to the RADIUS server. The RADIUS server searches its database by the user's name to obtain the same password as the supplicant system, performs the same encryption with the 16-byte random code, and compares the result with the response. If they are the same, validation passes; otherwise it fails.

EAP (Extensible Authentication Protocol). In this validation way the switch does not actually carry out validation; it only acts as the relay between the user and the RADIUS server. When a user requests access to the Internet, the switch requests the user's name and forwards it to the RADIUS server. The RADIUS server generates a 16-byte random code, sends it to the user, and stores it. The user encrypts the random code, password, and other fields to generate a response and forwards the user's name and response to the switch, which forwards them to the RADIUS server. The RADIUS server searches its database by the user's name received from the switch to obtain the same password as the supplicant system, performs the same encryption with the 16-byte random code, and compares the result with the response. If they are the same, validation passes; otherwise it fails. The UTStarcom authentication and accounting scheme uses the EAP user validation way.
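The challenge/response check that the CHAP and EAP descriptions share can be written out as follows. This is an added example, not code from the manual or from HyperBoss: it assumes the standard CHAP computation (RFC 1994, also used by EAP MD5-Challenge), MD5 over a one-byte identifier, the password and the 16-byte random code, and it models the EAP case in which the server issues and stores the random code. User names and passwords are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: MD5 over identifier, password and the random code."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class ChallengeVerifier:
    """Server side: issues random codes and checks each response once."""

    def __init__(self, passwords: dict):
        self.passwords = passwords   # user name -> password (the database)
        self.pending = {}            # user name -> (identifier, random code)

    def issue(self, username: str):
        """Create and remember a fresh 16-byte random code for this user.

        A code is issued for unknown names too, so the exchange does not
        reveal which user names exist.
        """
        identifier, challenge = os.urandom(1)[0], os.urandom(16)
        self.pending[username] = (identifier, challenge)
        return identifier, challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        """Recompute the response from the stored password and compare."""
        stored = self.pending.pop(username, None)   # single use: blocks replay
        password = self.passwords.get(username)
        if stored is None or password is None or stored[0] != identifier:
            return False
        expected = chap_response(identifier, password, stored[1])
        return hmac.compare_digest(response, expected)


def demo() -> dict:
    """Run one good login, a replay of it, and a wrong-password attempt."""
    server = ChallengeVerifier({"alice": b"constructed-password"})
    ident, code = server.issue("alice")
    good = chap_response(ident, b"constructed-password", code)
    results = {"first": server.verify("alice", ident, good)}
    # Replaying the captured response fails: the stored code was consumed.
    results["replay"] = server.verify("alice", ident, good)
    ident2, code2 = server.issue("alice")
    wrong = chap_response(ident2, b"guess", code2)
    results["wrong_password"] = server.verify("alice", ident2, wrong)
    return results


if __name__ == "__main__":
    print(demo())
```

Unlike PAP, the password never crosses the link; what an observer sees is the random code and an MD5 digest, so the protection is only as strong as the password is hard to guess offline.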


8.3 Configuration of 802.1x

This section describes the configuration of 802.1x in detail, including:

802.1x default configuration
Start and close 802.1x
Configure 802.1x port status
Configure re-authentication system
Configure the maximum number of host computers connected to a port
Configure intervals and re-send times
Show 802.1x information

1. 802.1x default configuration

The default 802.1x configuration of the iSpirit 3026 switch is as follows:

802.1x is closed
All ports are in N/A status
Re-authentication system is closed, and the interval is 3600 seconds
A port can connect to a maximum of 100 host computers
Timeout interval for re-sending EAP-Request is 30 seconds
EAP-Request is re-sent 3 times
Waiting time after a failed authentication is 60 seconds
Timeout interval for re-sending to the server is 10 seconds

The switch provides a command in global CONFIG mode that returns all configuration to the default status:

dot1x default

2. Start and close 802.1x

The first step in configuring 802.1x is to start 802.1x. Under global CONFIG mode, input the following command to start 802.1x:

dot1x

When 802.1x is closed, all ports return to N/A status. Under global CONFIG mode, input the following command to close 802.1x:

no dot1x

3. Configure 802.1x ports status

802.1x must be started before configuring 802.1x port status. A port must be configured into Auto status if all users under this port may access the Internet only after being authenticated.

The following command under global CONFIG mode sets the port into Auto status:

dot1x control auto {<port>|<port1-port2>} [<port>|<port1-port2>] …

The following command under PORT RANGE mode sets the port into Auto status:

dot1x control auto

The following command under CONFIG mode sets the port into Force-authorized status:

dot1x control force-authorized {<port>|<port1-port2>} [<port>|<port1-port2>] …

The following command under PORT RANGE mode sets the port into Force-authorized status:

dot1x control force-authorized

The following command under global CONFIG mode sets the port into Force-unauthorized status:

dot1x control force-unauthorized {<port>|<port1-port2>} [<port>|<port1-port2>] …

The following command under PORT RANGE mode sets the port into Force-unauthorized status:

dot1x control force-unauthorized

The following command under global CONFIG mode sets the port into N/A status:

no dot1x control {<port>|<port1-port2>} [<port>|<port1-port2>] …

The following command under PORT RANGE mode sets the port into N/A status:

no dot1x control

Notes: The port cannot be set into Auto, Force-authorized, or Force-unauthorized mode if the port has been bound with a MAC address.

4. Configure re-authentication system

To prevent the switch and the authentication server system from being unaware of a supplicant system's abnormal leave, the iSpirit 3026 switch provides a re-authentication system: after every interval the switch starts an authentication.

The following command under global CONFIG mode starts the re-authentication system:

dot1x reauthenticate

The following command under global CONFIG mode closes the re-authentication system:

no dot1x reauthenticate

The following command under global CONFIG mode sets the interval for re-authentication:

dot1x timeout re-authperiod <interval>

Notes: The interval for re-authentication should not be too short, otherwise it consumes a great deal of network bandwidth and switch CPU resources.

5. Configure the maximum number of host computers connected to a port

Every port of the iSpirit 3026 switch can limit the maximum number of connected host computers, which keeps users from illegally connecting many host computers to the network. By default a port allows a maximum of 100 connected host computers; the value can be set to at most 100. If it is set to 0, the port refuses all users.

The following command under global PORT RANGE mode sets the maximum number of host computers connected to the port:

dot1x support-host <number>

6. Configure intervals and re-send times

The 802.1x protocol standard specifies the intervals and re-send times for protocol interaction and protocol status, and the iSpirit 3026 switch uses the standard intervals and re-send times. It is suggested that users do not change them. tx-period is the interval at which the switch re-sends EAP-Request; max-req is the number of times the switch re-sends EAP-Request; quiet-period is the time a user waits before re-authentication if the first authentication failed; server-timeout is the interval at which the switch re-sends a RADIUS packet to the authentication server system. The following commands under global CONFIG mode configure these intervals and re-send times:

dot1x timeout tx-period <interval>
dot1x max-req <number>
dot1x timeout quiet-period <interval>
dot1x timeout server-timeout <interval>

7. Show 802.1x information

The following command under global CONFIG mode or PORT RANGE mode shows 802.1x information. If the port parameter is not given, all 802.1x configuration information is shown, including that of all ports; otherwise it shows the information of all connected users.

show dot1x [m/p]

8.4 Configure RADIUS

This section describes the configuration of RADIUS in detail, including:

RADIUS default configuration
Configure IP address of authentication server system
Configure share key
Start and close accounting
Configure RADIUS port and attribute information
Show RADIUS information

1. RADIUS default configuration

The default RADIUS configuration of the iSpirit 3026 switch is as follows:

No IP address is configured for the host authentication server system or the alternate authentication server system, i.e. the IP address is 0.0.0.0.
No share key is configured, i.e. the share key string is null.
Accounting is started by default.
The RADIUS authentication UDP port is 1812, and the accounting UDP port is 1813.
The value of the RADIUS attribute NASPort is 0xc353, the value of NASPortType is 0x0f, and the value of NASPortServer is 0x02.

2. Configure IP address of authentication server system

To enable RADIUS communication between the switch and the authentication server system, the IP address of the authentication server system must be configured in the switch. In practice one or two authentication server systems can be used; with two, one is the host authentication server system and the other is the alternate authentication server system. If the switch is configured with the IP addresses of two authentication server systems, it communicates with the alternate authentication server system when communication with the host authentication server system is cut off.

The following command under global CONFIG mode configures the IP address of the host authentication server system:

radius-server host <ip-address>

The following command under global CONFIG mode configures the IP address of the alternate authentication server system:

radius-server option-host <ip-address>


3. Configure share key

The switch and the authentication server system identify each other mutually, so the same share key must be set on each of them. Note that the share key of the switch must be the same as that of the authentication server system. The following command under global CONFIG mode configures the share key of the switch:

radius-server key <string>

4. Start and close accounting

If accounting is closed, the switch does not send RADIUS accounting packets to the authentication server system after authentication or when users leave the Internet. In practice accounting is generally started.

The following command under global CONFIG mode starts accounting:

radius-server accounting

The following command under global CONFIG mode closes accounting:

no radius-server accounting

5. Configure RADIUS port and attribute information

It is suggested that users do not change the RADIUS port and attribute configuration.

The following command under global CONFIG mode changes the RADIUS authentication UDP port:

radius-server udp-port <port-number>

The following commands under global CONFIG mode change the RADIUS attribute information:

radius-server attribute nas-portnum <number>
radius-server attribute nas-porttype <number>
radius-server attribute service-type <number>

6. Show RADIUS info.

Following command under global CONFIG mode shows RADIUS configuration info.

Chapter 9. Configure MAC Binding

In a real network, users' secure connection is a major concern for the administrator. The iSpirit 3026 switch provides several methods to ensure users' secure connection, including MAC binding. This chapter introduces how to configure the MAC binding function, including:

1. Introduction to MAC binding
2. Configuration of MAC binding
3. Example for MAC binding configuration


9.1 Introduction to MAC binding

MAC binding ensures that users connect to the Internet through the switch securely. When a port of the switch is bound with particular MAC addresses, those MAC addresses are legal: the switch allows users with these legal MAC addresses to connect to the Internet through the port, but does not allow users with illegal MAC addresses to do so. The switch always checks the data flow entering a port that has MAC bindings. The data flow is forwarded if its source MAC address is a bound, legal MAC address, and it is discarded if the source MAC address is illegal. Discarding the data in this way prevents illegal users from connecting to the Internet.

The IEEE 802.1Q standard supports two MAC address learning modes (SVL and IVL). SVL means that MAC and VLAN are separate: a MAC address must be unique across all VLANs, and the VLAN is disregarded when learning MAC addresses. IVL means that MAC is related to VLAN: the same MAC address can appear in different VLANs but must be unique within one VLAN, and the VLAN a MAC address belongs to must be known when learning it. The iSpirit 3026 switch supports IVL mode, so the VLAN a MAC address belongs to must be specified when doing MAC binding.

Figure 9-1. Connect to Internet from binding ports

Figure 9-1 is an example of MAC binding. Port 1 of the iSpirit 3026 switch is bound with MAC address 00:10:5C:00:00:01. Two users under this port want to connect to the Internet through it: the MAC address of user 1 is 00:10:5C:00:00:01, and the MAC address of user 2 is 00:10:5C:00:00:02. User 1, user 2, and port 1 of the switch belong to one subnet. Only user 1 can connect to the Internet through port 1, not user 2. Data flow p1 from user 1 is forwarded through port 1 of the switch, but data flow p2 from user 2 is discarded at port 1.

A bound MAC address can access the Internet only through the port it is bound to, not through any other port. Different ports of the switch cannot be bound with the same MAC address in the same VLAN. If Port A is bound with a MAC address and Port B is not, and both are in the same VLAN, a user with that MAC address cannot access the Internet through Port B. Referring to Figure 9-1, suppose that Port 1 is bound with MAC address 00:10:5C:00:00:01 and Port 2 is not bound with any MAC address, and Port 1 and Port 2 belong to the same VLAN: user 1 cannot access the Internet through Port 2, only through Port 1.

Binding one or more MAC addresses to a port does not affect the forwarding efficiency of data entering the port, which is still forwarded at full speed. One port can be bound with at most 128 MAC addresses. MAC binding on a port is mutually exclusive with 802.1x port status: a port cannot be bound with MAC addresses if its 802.1x status has been set to Auto, Force-authorized, or Force-unauthorized.

9.2 MAC binding configuration

iSpirit 3026 switch supports both manual and auto binding MAC Add. Manual binding refers to that user inputs MAC Add. one by one to be bound with port according to commands. Auto binding refers to that find out existed items in ARL Table to carry out MAC Add. binding. Auto binding with MAC Add. is invalid if the port has been bound with MAC Add. but manual binding with MAC Add. is allowed. Auto binding with MAC Add. can be only carried out when the port is not bound with MAC. Auto binding with MAC Add. is invalid if there are not items in ARL Table when the port is not bound with any MAC Add. If there are more than 128 items is ARL Table only 128 items can be automatically bound with. All ports under iSpirit 3026 switch default status are not be found with MAC Add.


The following command, in global CONFIG mode, binds one port with a MAC address. If the vlanid and mac-address parameters are not input, auto binding is carried out and the relevant entries in the ARL Table are bound. If the vlanid and mac-address parameters are input, manual binding is carried out; to bind more MAC addresses, repeat the command:

mac bind <port> [<vlanid> <mac-address>]

Notes: For auto binding, an invalid or failed binding may be caused by the following:

● 802.1x has been set to Auto, Force-authorized or Force-unauthorized
● There are no entries for this port in the ARL Table

For manual binding, an invalid or failed binding may be caused by the following:

● 802.1x has been set to Auto, Force-authorized or Force-unauthorized
● This port has already been bound with an entry with the same VLAN and MAC address
● This port has already been bound with 128 MAC addresses

The following command, in global CONFIG mode, releases MAC address binding. If the vlanid and mac-address parameters are not input, all MAC bindings under this port are released. If they are input, the one specified MAC address binding under this port is released:

no mac bind <port> [<vlanid> <mac-address>]

The following command, in global CONFIG mode, shows MAC address binding information. If the port parameter is not input, the binding information of all ports is shown; if it is input, the binding information of the specified port is shown:

show mac bind [port]


9.3 MAC Binding Configuration Showing

Figure 9-2. MAC Binding Showing

One user is connected to port 1 of the 3026 switch, with MAC address 00:10:5c:af:ba:a9. For security, to control the link layer of this port so that only the PC with this MAC address can forward data through Port 1, use the MAC binding function of the switch:

Switch# mac bind 1 1 00:10:5c:af:ba:a9
Switch# show mac bind
module/port VLAN macAddress STATUS
1 1 00:10:5c:af:ba:a9 Active

If the vlanid and mac-address parameters are not input, auto binding is carried out and the relevant entries in the ARL Table are bound. For auto binding, an invalid or failed binding may be caused by the following: the 802.1x status of this port has been set to Auto, Force-authorized or Force-unauthorized; this port has already been bound with a MAC address; there is no relevant entry in the ARL Table. For manual binding, an invalid or failed binding may be caused by the following: the 802.1x status of this port has been set to Auto, Force-authorized or Force-unauthorized; this port has already been bound with an entry with the same VLAN and MAC address; this port has already been bound with 128 MAC addresses.


Chapter 10.Configuration IP Binding

In real networks, user security is the administrator’s main concern. The iSpirit 3026 switch provides several ways to ensure user security, IP binding among them. This chapter introduces how to configure the IP binding function, including:

1. Introduction to IP Binding
2. Configuration of IP Binding
3. Sample of IP Binding Configuration


10.1 Introduction to IP Binding

IP binding protects user security. Users connect to the Internet through the switch. If a port of the switch is bound with specific IP addresses, those are the valid IP addresses: the switch allows users with valid IP addresses to connect to the Internet through this port and refuses users with other IP addresses, which secures users’ connection to the Internet. Once a port is bound with IP addresses, the switch always checks the data flow through this port. A data flow is forwarded if its source IP address is one of the bound IP addresses; otherwise it is discarded, which prevents illegal users from connecting to the Internet.

Figure 10-1 is an example of IP binding. Port 1 of the iSpirit 3026 switch is bound with IP address 192.168.0.100, and two users under this port want to connect to the Internet: the IP address of user 1 is 192.168.0.100 and the IP address of user 2 is 192.168.0.101. Only user 1 can connect to the Internet through this port of the switch; user 2 cannot. Data flow p1 sent by user 1 is forwarded by port 1 of the switch, but data flow p2 sent by user 2 is discarded at Port 1.

Figure 10-1.Connect to Internet from binding ports

IP binding only controls the security of the bound switch port. Different ports of the switch can be bound with the same IP address. If Port A is bound with an IP address and Port B is not, the user with this IP address can still reach the Internet through Port B. Referring to Figure 10-1, suppose that port 1 is bound with IP address 192.168.0.100 but port 2 is not bound with any IP address: user 1 can reach the Internet through port 2.

The switch implements IP address binding in the FFP (Fast Filtering Processor) of the port, so it does not affect the forwarding efficiency of data flow from the bound IP addresses, which is still forwarded at high speed. Because the capacity of the FFP is limited, the number of IP addresses that can be bound is limited accordingly. One port can be bound with 127 IP addresses at most, and fewer if the FFP is also used by other functions. IP binding is mutually exclusive with ACL filtration and with the QoS Untrust port: a port cannot be bound if ACL filtration has been configured on it, and it cannot be bound if it is a QoS Untrust port. If IP binding works but fewer than 127 IP addresses can be bound, FFP resources are being used by other functions, which may be the QoS trust port, the IGMP SNOOPING protocol or the 802.1x protocol.

10.2 Configuration of IP Binding

The iSpirit 3026 switch supports only manual binding of IP addresses, i.e. the one or more IP addresses bound with a port are all input manually. By default, no port of the iSpirit 3026 switch is bound with an IP address.

The following command, in global CONFIG mode, binds one port with an IP address. Repeat the command if the port needs to be bound with more IP addresses:

ip bind <port> <ip-address>

Notes: If this port was not bound with any IP address before the command was input, a failed binding may be caused by:

1. ACL filtration has been configured on this port
2. The port is a QoS Untrust port

If this port was already bound with an IP address before the command was input, a failed binding may be caused by:

1. The IP address has already been bound with this port
2. FFP resources are insufficient: the port may be a QoS trust port, and/or the IGMP SNOOPING protocol has been started, and/or this port is in Auto mode of 802.1x


● The following command, in global CONFIG mode, releases the IP address binding of one port. If the ip-address parameter is not input, all IP address bindings of the port are released; if it is input, the specified IP address binding is released:

no ip bind <port> [ip-address]

● The following command, in global CONFIG mode, shows IP address binding information. If the port parameter is not input, the binding information of all ports is shown; if it is input, that of the specified port is shown:

show ip bind [port]

10.3 Sample of IP Binding Configuration

Figure 10-2. Sample of IP Binding

One user is connected to port 1 of the 3026 switch, with IP address 192.168.1.100. For security, to apply IP control on this port so that only this IP address can communicate through Port 1, use the IP binding function of the switch:

Switch# ip bind 1 192.168.1.100
Switch# show ip bind
ip bind port information
port ipAddr
1 192.168.1.100


Chapter 11.Configuration of ACL

Secure access is a particular concern of the administrator. The iSpirit 3026 switch supports ACL filtration to ensure secure access: the switch filters data flow according to the configured ACL regulations. This chapter introduces how to configure ACL, including:

1. Introduction to ACL resource bank
2. Introduction to ACL filtration
3. Configuration of ACL resource bank
4. Configuration of ACL filtration


11.1 Introduction to ACL resource bank

The ACL (Access Control List) resource bank is a collection of access regulations. The resource bank itself has no function for controlling data forwarding; it is only an ordered collection of regulations that may conflict with one another. Once it is applied, the ACL resource bank controls the forwarding of data packets by the switch through regulations that “deny” or “permit”. ACL can be applied to port access filtration, service access filtration and QoS.

The ACL resource bank has the standard IP regulation groups (No. 1-199), the extended IP regulation groups (No. 200-399) and the extended MAC regulation groups (No. 400-599), 599 groups in total, and every group supports 128 regulations. Within a group, conflicting regulations are automatically arranged in order of priority. When a data packet passes through a port, the switch compares the fields of the packet against all regulations. When several regulations match completely, the last matched regulation is the valid one: it decides whether the data packet is forwarded or discarded. A complete match means that the field values in the regulation are exactly equal to those in the data packet, and a regulation’s deny or permit applies only when the regulation matches completely.

On the iSpirit 3026, regulations in the same group are arranged automatically, and the arrangement is fairly complex. Regulations with a large range are arranged at the front and regulations with a small range at the end. The size of the range is determined by the restrictions of the regulation: the fewer the restrictions, the larger the range, and the more restrictions, the smaller the range. Restrictions show mainly in the “wildcard” of the addresses and in the number of non-address fields. A wildcard is a series of bits, 4 bytes for an IP address and 6 bytes for a MAC address. A bit of “1” means the bit need not be matched, and a bit of “0” means it must be matched.

The non-address fields are the vlanId, protocol type, IP protocol type and protocol port, each of which carries an implicit “wildcard”. Its length is the byte length of the field, so the same field always has the same length and only the number of fields has to be counted. The more “0” bits a wildcard has, the more restrictions there are.

The following takes port access filtration as an example to show why regulation ordering is necessary and what automatic ordering gains. Suppose that the user needs to refuse forwarding for source addresses in 192.168.0.0/16 but allow forwarding for source addresses in 192.168.1.0/24. The following two regulations can be configured:


access-list 1 deny 192.168.0.0 0.0.255.255 - regulation 1
access-list 1 permit 192.168.1.0 0.0.0.255 - regulation 2

These are referred to below as regulation 1 and regulation 2.

These two regulations conflict: the address range of regulation 2 is included in that of regulation 1, and one is “deny” while the other is “permit”. By the principle of ACL filtration, different orders give different results. To meet the requirement above, the order of the two regulations must be: regulation 1 at the front and regulation 2 at the end. The iSpirit 3026 implements this ordering automatically: no matter in what order the user configures the regulations, regulation 1 is arranged in front of regulation 2. When a packet with source address 192.168.1.1 is to be forwarded, it is compared with the first regulation and then with the second; both match, so the latter regulation is the valid one and the packet can be forwarded. If the source address is 192.168.0.1, only the first regulation matches, so the packet is denied (cannot be forwarded). Without automatic arrangement, the user might configure regulation 2 first and then regulation 1, so that regulation 1 would be arranged at the end and regulation 2 at the front:

access-list 1 permit 192.168.1.0 0.0.0.255 - regulation 2
access-list 1 deny 192.168.0.0 0.0.255.255 - regulation 1

Because the later regulation 1 includes regulation 2, a data packet that matches regulation 2 also matches regulation 1, so regulation 1 is always the valid one and the requirement is not met.

For the iSpirit 3026, ‘0.0.255.255’ is the wildcard bits: a bit of “1” need not be matched and a bit of “0” must be matched. The wildcard bits of regulation 1 are ‘0.0.255.255’, so 2 bytes (16 bits) must be matched; the wildcard bits of regulation 2 are ‘0.0.0.255’, so 3 bytes (24 bits) must be matched. The “range” of regulation 1 is larger, so it is arranged at the front. For extended IP regulations more fields have to be considered, e.g. the IP protocol type and the communication ports. The ordering principle is the same for all of them: the more restrictions, the smaller the range, and the fewer restrictions, the larger the range. The arrangement of regulations is carried out in the background; the display still shows the regulations in the order in which the user configured them.

The filtration fields supported by ACL include source MAC address, destination MAC address, VLAN ID, protocol type (e.g. IP, ARP), source IP, destination IP, IP protocol type (e.g. TCP, UDP, OSPF), source port (e.g. 161) and destination port. Users can configure different regulations to control access according to their needs. On the iSpirit 3026 one regulation group can serve several purposes at once, e.g. one group can be cited by port access filtration and service access filtration at the same time, or by the port access filtration of two ports at the same time. Once a regulation group is cited by one or more applications, regulations in it cannot be added, modified or deleted; these operations are possible only while the group is not cited. The accounting of a group is shown when access-list is carried out. Every ACL regulation group contains by default a hidden regulation that refuses all IP protocol (0x0800) packets. The hidden regulation does not exist if the group has a regulation that denies or permits all IP protocol (0x0800) packets.

11.2 Introduction to ACL filtration

ACL filtration is carried out at the input port of the switch and matches against the data flow entering that port, which gives per-port filtration. ACL filtration is processed by the hardware of the switch and does not affect the forwarding efficiency of data flow. If a port of the switch is not configured with an ACL filter, data flow entering the port is not matched against any regulation and is simply forwarded. If the port is configured with an ACL filter, all data flow entering the port is matched against the regulations: the data flow is forwarded if the matched action is “permit”, and is discarded if it is “deny”. A port can select only one ACL regulation group for port ACL filtration, and that group is then written into the port’s FFP. If the group has no regulation that refuses or permits all IP protocol (0x0800) packets, one regulation that refuses all IP protocol (0x0800) packets is added when the group is written into the FFP.

For example, suppose there is only one regulation: access-list 1 permit 192.168.1.0 0.0.0.255. By default a hidden regulation refusing all IP protocol (0x0800) packets is present, so in fact two regulations are written into the FFP of the port. When data flow is filtered, only data flow whose source address is from 192.168.1.0 to 192.168.1.255 is forwarded through this port, and all other data flow is discarded.


As another example, suppose a regulation group holds two regulations: access-list 1 deny 192.168.1.0 0.0.0.255 and access-list 1 permit any. Since there is a regulation that permits all IP protocol (0x0800) packets, the hidden regulation does not exist, and exactly two regulations are written into the FFP of the port. When data flow is filtered, only data flow whose source address is from 192.168.1.0 to 192.168.1.255 is discarded, and all other data flow can be forwarded.
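The ordering rule of section 11.1 and the hidden regulation of section 11.2 can be checked together with a small model. The Python below is an added example, not code from the manual or the switch: it covers standard IP regulations and IP packets only, its function names are made up for illustration, "any" is taken as a wildcard of 255.255.255.255 (as the extended regulation description gives it), and keeping configuration order between regulations of equal range is an assumption.

```python
import ipaddress
from dataclasses import dataclass

ALL_BITS = 0xFFFFFFFF  # wildcard 255.255.255.255: no bit has to match


@dataclass(frozen=True)
class Regulation:
    action: str           # "permit" or "deny"
    address: int          # source address as a 32-bit integer
    wildcard: int         # bit 1 = need not match, bit 0 = must match
    hidden: bool = False  # True only for the implicit deny-all-IP regulation

    @property
    def restricted_bits(self) -> int:
        """Number of address bits that must match; fewer bits = larger range."""
        return 32 - bin(self.wildcard).count("1")

    def matches(self, source: int) -> bool:
        must_match = ~self.wildcard & ALL_BITS
        return ((source ^ self.address) & must_match) == 0


def ip_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_standard(line: str) -> Regulation:
    """Parse 'access-list <groupId> {deny|permit} <source>' (groups 1-199)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list command: {line!r}")
    group, action, source = int(tokens[1]), tokens[2], tokens[3:]
    if not 1 <= group <= 199:
        raise ValueError("standard IP regulation groups are numbered 1-199")
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    if source == ["any"]:
        return Regulation(action, 0, ALL_BITS)
    if len(source) != 2:
        raise ValueError("source must be 'any' or '<A.B.C.D> <wildcard>'")
    return Regulation(action, ip_to_int(source[0]), ip_to_int(source[1]))


def install(config_lines, auto_order=True):
    """Return the regulations in the order they are compared on the port."""
    regs = [parse_standard(line) for line in config_lines]
    if auto_order:
        # Larger range in front, smaller range last. sorted() is stable, so
        # equal ranges keep configuration order (assumption: the manual does
        # not say how ties are broken).
        regs = sorted(regs, key=lambda r: r.restricted_bits)
    if not any(r.wildcard == ALL_BITS for r in regs):
        # No regulation permits or denies all IP packets, so the hidden
        # deny-all regulation is added; it has the largest range, so it
        # goes to the front.
        regs.insert(0, Regulation("deny", 0, ALL_BITS, hidden=True))
    return regs


def decide(installed, source_ip: str) -> str:
    """Every regulation is compared; the last one that matches decides."""
    source = ip_to_int(source_ip)
    verdict = None
    for reg in installed:
        if reg.matches(source):
            verdict = reg.action
    return verdict


# The manual's two conflicting regulations.
REG1 = "access-list 1 deny 192.168.0.0 0.0.255.255"
REG2 = "access-list 1 permit 192.168.1.0 0.0.0.255"

if __name__ == "__main__":
    for label, regs in (
        ("auto-ordered", install([REG2, REG1])),
        ("configuration order kept", install([REG2, REG1], auto_order=False)),
    ):
        for ip in ("192.168.1.1", "192.168.0.1", "10.0.0.1"):
            print(f"{label:26} {ip:12} -> {decide(regs, ip)}")
```

With automatic ordering 192.168.1.1 is permitted whichever regulation was typed first; with configuration order kept, the wider deny regulation lands last and overrides the permit.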

Refer to Figure 11-1 for an example of ACL filtration. Port 1 of the iSpirit 3026 switch selects ACL regulation group 11, in which there is only one regulation, access-list 1 permit 192.168.0.100. Two users under port 1 of the switch want to connect to the Internet through this port: the IP address of user 1 is 192.168.0.100 and the IP address of user 2 is 192.168.0.101. Only user 1 can connect to the Internet through port 1 of the switch; user 2 cannot. Data flow p1 sent by user 1 is forwarded through port 1, but data flow p2 sent by user 2 is discarded at port 1.

Figure 11-1.Connect to Internet from Port ACL Filtration

ACL filtration is mutually exclusive with IP binding: if a port has been bound with an IP address, ACL filtration cannot be configured on it. ACL filtration and the QoS Untrust port must be configured in a certain order: the port must first be configured with ACL filtration and then configured as a QoS Untrust port. If a port has already been configured as a QoS Untrust port, it cannot be configured with ACL filtration; ACL filtration can be configured only after the QoS configuration is cleared. ACL filtration needs FFP resources of the port. A failed ACL filter configuration may be caused by insufficient FFP resources, because the ACL group holds too many regulations or because FFP resources have been used by QoS and other applications. The same ACL regulation group can be used for ACL filtration on several ports that need the same filtration regulations. ACL filtration on a port and the QoS Untrust port can use the same regulations.

11.3 Configuration of ACL Resource Bank

By default the iSpirit 3026 switch has no regulations. The resource bank of the iSpirit 3026 supports three kinds of ACL regulations: standard IP regulation, extended IP regulation and extended MAC regulation. ACL configuration is introduced below through these three kinds of regulations.

● Standard IP Regulation: controls the forwarding of data packets by source IP address.

Command format:

access-list <groupId> {deny|permit} <source>

Parameter instruction:

groupId: access control list number; standard IP ACL supports groups from 1 to 199. The regulation number increases one by one and is generated automatically by the system.
deny/permit: whether a data packet that matches is denied or permitted to be forwarded.
source: the source IP has three kinds of input: A.B.C.D wildcard controls the IP addresses from one network; any is equal to A.B.C.D 0.0.0.0.
wildcard: determines which bits need to be matched; “0” means the bit must match and “1” means it need not match.

● Extended IP Regulation: extends the standard IP regulation and controls the forwarding of data packets by source IP, destination IP, IP protocol type and service ports.

Command format:

access-list <groupId> {deny|permit} <protocol> <source> [eq srcPort] {destination}[destPort]

Parameter instruction:

groupId: access control list number; extended IP ACL supports groups from 200 to 399. The regulation number increases one by one and is generated automatically by the system.
deny/permit: whether a data packet that matches is denied or permitted to be forwarded.
protocol: the protocol above the IP layer, e.g. icmp, tcp and udp; the corresponding number, e.g. 6 (tcp), can also be input. If these protocols need not be controlled, input ip or 0.
source: the source IP has three kinds of input: (1) A.B.C.D wildcard controls the IP addresses from one network; (2) any is equal to A.B.C.D 255.255.255.255; (3) host A.B.C.D is equal to A.B.C.D 0.0.0.0.
srcPort: applies when the protocol is tcp or udp and controls the source port of the data packet. Either a familiar port service name, e.g. www, or a number, e.g. 80, can be input.
destination: there are three kinds of input: (1) A.B.C.D wildcard controls the IP addresses from one network; (2) any is equal to A.B.C.D 255.255.255.255; (3) host A.B.C.D is equal to A.B.C.D 0.0.0.0.
destPort: applies when the protocol is tcp or udp and controls the destination port of the data packet; the input is the same as that of srcPort.

● Extended MAC Regulation: controls the forwarding of data packets by source MAC address, destination MAC address, VLAN ID and protocol type.

Command format:

access-list <groupId> {deny|permit} <vlanId> <type> <source> <destination>

Parameter instruction:

groupId: access control list number; extended MAC ACL supports groups from 400 to 599. The regulation number increases one by one and is generated automatically by the system.
deny/permit: whether a data packet that matches is denied or permitted to be forwarded.
vlanId: input “0” if it need not be matched.
type: the protocol type, such as ip, arp and rarp; hexadecimal data such as 0806(ip) can also be input.
source: the source MAC address has two kinds of input: (1) AA:BB:CC:DD:EE:FF wildcard controls a network of MAC addresses (similar to IP addresses); (2) any is equal to AA:BB:CC:DD:EE:FF FF:FF:FF:FF:FF:FF.
destination: the destination MAC address has two kinds of input: (1) AA:BB:CC:DD:EE:FF wildcard controls a network of MAC addresses (similar to IP addresses); (2) any is equal to AA:BB:CC:DD:EE:FF FF:FF:FF:FF:FF:FF.

Other Command List

show access-list [group id]

Shows the regulation lists configured in the current ACL. If groupId is input, the regulation list of that group is shown; otherwise all regulation lists are shown.

no access-list <groupId> [ruleId]

Deletes the specified regulations. If “ruleId” is input, the specified regulation is deleted; otherwise all regulations in group “groupId” are deleted. A failure may be caused by the regulation being used by other applications.

11.4 Configuration of ACL Filtration

By default, no port of the iSpirit 3026 switch is configured with ACL filtration.


Command list:

1. acl-filter <groupId>

Mode: PORT CONFIGURATION
Parameter: groupId: ACL number bound with the port
Function: configures ACL port filtration
Notes: A failed or invalid configuration may be caused by the following:
● Regulation group “groupId” does not exist or its status is not active
● ACL filtration has already been configured on this port
● IP binding has been configured on this port
● This port is a QoS Untrust port
● The ACL group holds too many regulations, or the FFP has been used by QoS and other applications

2. show acl-filter [port]

Mode: PORT CONFIGURATION/CONFIGURATION
Parameter: M/P: menu item; only the ACL group of the current port can be shown
Function: shows the filtration configuration of ACL ports

3. no acl-filter <groupId>

Mode: PORT CONFIGURATION
Parameter: groupId: ACL number bound with the port
Function: deletes the ACL port filtration configuration of the current port


Chapter 12.Configuration of QoS

This chapter introduces the following contents:

1. Introduction to QoS
2. Configuration of QoS
3. Sample of QoS configuration


This section describes how to configure the QoS service of the iSpirit 3026 switch with the QoS commands. When the switch is not configured with QoS, it forwards all data flow through the switch with the same priority for reliability, delay and throughput. Some applications need low delay, some need better reliability and some need steady throughput. In those cases the QoS function of the switch needs to be started, so that the switch can apply different PRI processing to different data flows.

Notes: refer to the Command Reference for this section if you need detailed information on the QoS commands.

12.1 Introduction to QoS

The iSpirit 3026 switch implements a powerful QoS function. With the QoS function you can have important data forwarded by the switch processed with priority and apply bandwidth limitation to some data, which makes the use of network bandwidth more reasonable and network performance predictable. The iSpirit 3026 switch implements the QoS function of the DiffServ system based on the IETF standard: at the borderline of the QoS field it classifies data flow and marks a DSCP value on all data, and inside the QoS field it applies PRI processing based on the DSCP value of the data flow. The iSpirit 3026 switch implements not only the QoS of DiffServ but also the QoS of 802.1p and the QoS of IP Precedence that was applied in earlier times. Different kinds of QoS use different PRI signs; the three kinds of QoS signs are introduced below.

● QoS of 802.1p: the QoS of 802.1p uses the highest three bits of the 2-byte TAG sign in the Ethernet frame as its PRI; refer to Figure 12-1. The range of PRI is from 0 to 7. If you use the QoS of 802.1p in a QoS field, all data packets forwarded in the network must carry a TAG, so it suits a small-range local network.


Figure 12-1. QoS of 802.1p

● QoS of IP Precedence: the QoS of IP Precedence uses the highest three bits of the TOS field in the IP data packet header as its PRI; refer to Figure 12-2. The range of IP Precedence is from 0 to 7. The QoS of IP Precedence was used more in earlier times, but it has now been replaced by DiffServ.

● QoS of DiffServ: the QoS of DiffServ uses DSCP as its PRI sign. DSCP occupies the highest 6 bits of the TOS field in the IP data packet header.

Figure 12-2 PRI Digit of IP Precedence and DiffServ

At the borderline of the QoS field, the switch marks different PRI signs on different data flows according to its QoS configuration policy; these signs are the operation signs. Inside the QoS field all devices forward data flow according to the operation signs. Devices inside the QoS field therefore need no complex flow classification or complex QoS policy; PRI processing by operation sign is enough. When data flow enters the borderline of the QoS field, the borderline switch can not only mark the data flow with an operation but also apply bandwidth processing per operation, for example reserving bandwidth resources or limiting bandwidth, which ensures that bandwidth resources in the QoS field are fully used.


In order to ensure port-to-port service quality, all devices in the QoS field must have the corresponding QoS function. A switch at the borderline of the QoS field needs a powerful QoS function: it must classify data flow by multiple fields of the IP data packet, allocate bandwidth by operation type and support multiple scheduling policies. A switch inside the QoS field only needs to carry out PRI processing based on operation signs. The iSpirit 3026 can be used both as a borderline switch of the field and as a switch within the field.

This section introduces the following contents:

● General Terms
● QoS Model
● Operation Classification
● QoS Policy
● QoS Scheduling
● FFP Introduction

1. General Terms

QoS field: a collection of networks and devices in which all devices use the same QoS policy, ensuring port-to-port service quality.
Class: a collection of data flows that use the same QoS policy in the QoS field; it can include one data flow or several.
Class information: the sign that identifies the class, which can be a COS value, an IP Precedence value or a DSCP value.
COS: class information of 802.1p; the value is from 0 to 7 and every value indicates one class type.
IP Precedence: class information used by early IP networks; the value is from 0 to 7 and every value indicates one class type.
DSCP: class information of DiffServ; the value is from 0 to 63 and every value indicates one class type.
Internal DSCP: the DSCP value used inside the switch; the switch applies QoS policy based on this value.
Classification: at the borderline of the QoS field, classifying data flow according to one or more fields of the IP data packet and mapping it to one internal DSCP value.
QoS Policing: the policy applied to a class (internal DSCP), including whether bandwidth processing is needed, which PRI queue is used, and whether the class information of the IP data packet should be modified.
Trust Port of QoS: a switch input port that carries out QoS processing based on class information. The class information may be COS, IP Precedence or DSCP, called Trust COS, Trust IP_Precedence and Trust DSCP respectively. Ports of switches inside the QoS field are Trust Ports.
Untrust Port of QoS: a switch input port that first classifies IP data packets and carries out QoS processing after classification. Switch ports at the borderline of the QoS field are Untrust Ports.
In Profile: data flow of a class that is within the bandwidth limit.
Out of Profile: data flow of a class that is over the bandwidth limit.
Mark: the processing of “In Profile” and “Out of Profile” data flow; “Out of Profile” data flow is thrown away.
Scheduling: PRI processing of the IP data packets in all PRI queues of a switch output port according to the scheduling policy, after which the data packets are sent out.
FFP (Fast Filtering Processor): the fast filtering processor; the hardware of the iSpirit 3026 switch carries out classification and QoS policy with the FFP.

2. QoS Model

Refer to Figure 12-3, which shows the QoS model. Classification, policing and mark are carried out at the input port:

● Classification: classifies the IP data packets received and generates an internal DSCP value in preparation for QoS policy.
● QoS policing: carries out QoS processing on the internal DSCP value generated by classification, including bandwidth limitation and mapping into a PRI queue, and generates class information.
● Mark: throws away “Out of Profile” data and determines whether the class information of “In Profile” data flow should be modified.

Queuing and scheduling are carried out at the output port:

● Queuing: according to the result of QoS policy, puts the IP data packet into the corresponding output PRI queue for temporary storage.
● Scheduling: carries out PRI processing on the IP data packets stored in the queues according to the scheduling policy.

Figure 12-3 .QoS Model

3. Classification

Classification divides data flows by matching one or more fields and maps each of them to one internal DSCP value. Classification is carried out only on a port where QoS has been started, when a data packet is received; a port that has not started QoS does no classification and forwards in best-effort way. For a QoS trust port, classification is simple: it follows the class information, which is mapped to an internal DSCP value. Figure 12-4 describes the classification flow in detail.


For a Trust COS port, classification follows the 3-bit PRI in the TAG information of the data frame, and the internal DSCP value is generated from the COS-DSCP Mapping Table. All data flows can be classified into at most 8 kinds according to the 3-bit PRI. Note: if the data frame has no TAG information, the COS PRI is 0 instead of the port default PRI (PPD-COS); if the data frame is sent out through the output port with TAG information, the COS PRI is the default PRI of the input port.
For a Trust IP_Precedence port, classification follows the highest 3 bits of the TOS field in the IP data packet, and the internal DSCP value is generated from the PREC-DSCP Mapping Table. All data flows can be classified into at most 8 kinds according to the 3-bit IP_Precedence value.

For a Trust DSCP port, classification follows the highest 6 bits of the TOS field in the IP data packet, and the internal DSCP value is generated from the DSCP-DSCP Mapping Table. All data flows can be classified into at most 64 kinds according to the 6-bit DSCP value.
For a QoS untrust port, classification is more complex: it is based on one or more fields of the data flow, and several different data flows can be mapped into one class. The iSpirit 3026 provides CLASS and POLICY configuration modes to classify data flows. In CLASS mode, select the data flows that form one class; in POLICY mode, map every class to one internal DSCP value. One POLICY can include one or more CLASS. Figure 12-4 describes the classification flow in detail.


Figure 12-4. Classification Flow

In CLASS mode, the following selections can be grouped into one class:
● Select one or more COS values (8 at max.) to form one class, which is called a COS class.
● Select one or more IP Precedence values (8 at max.) to form one class, which is called a PREC class.
● Select one or more DSCP values (at max.) to form one class, which is called a DSCP class.
● Select one (only one) ACL to form one class, which is called an ACL class.
For classification based on ACL, every ACL group forms one class. One ACL group holds between 1 and 128 rules, but only the rules whose action is Permit are valid in QoS; rules whose action is Deny are invalid in QoS. The ACL group can be a standard IP group, an extended IP group, or an extended MAC group.
In POLICY mode, every class can be mapped to one class information value, which generates one internal DSCP value according to a Mapping Table, as follows:
● The class maps to COS class information, and the internal DSCP value is generated from the COS-DSCP Mapping Table.
● The class maps to IP Precedence class information, and the internal DSCP value is generated from the PREC-DSCP Mapping Table.
● The class maps to DSCP class information, and the internal DSCP value is generated from the DSCP-DSCP Mapping Table.

4. QoS Policy

QoS policy includes two parts: Policing and Mark. After data flows are classified, QoS policies are needed to carry out the QoS processing of each class. QoS policy mainly includes:
● Determine the bandwidth limitation of the class, to find whether it is within or beyond the bandwidth limit.
● Determine the PRI queue of the class.
● Determine whether and how to modify the class information of the data packet.
All input ports of the iSpirit 3026 switch support bandwidth limitation for all data flows. Class bandwidth limitation is realized with a bucket algorithm; refer to Figure 12-5. Bucketsize indicates the maximum burst size supported. When matched data flow is released from the output port, it is released from the bucket, and Bucketcount moves down; once it is lower than Threshold, matched data flow arriving at the input port is in “Out of Profile” status. Every 8 us the system adds Refreshcount to the bucket according to the configured bandwidth limit, and Bucketcount increases; once it is higher than Threshold, the data flow is in “In Profile” status and is permitted to be released. When a class is in Out of Profile status, succeeding data flow is thrown away; when it is in In Profile status, further processing is carried out.

Figure 12-5. Bucket Algorithm For Bandwidth Limitation
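The bucket behaviour described above, modelled in Python as an added example (not code from the manual or from the switch firmware). The 8 us refresh interval and the names Bucketsize, Bucketcount, Threshold and Refreshcount come from the text; the Threshold value of 0, the bucket size in bits and charging a forwarded packet in full are assumptions.

```python
REFRESH_INTERVAL_US = 8  # from the manual: the bucket is refreshed every 8 us


class BucketMeter:
    """Model of one METER entry. Units (bits) and threshold=0 are assumptions."""

    def __init__(self, rate_mbps, bucket_size_bits, threshold_bits=0):
        if rate_mbps < 1:
            raise ValueError("the smallest bandwidth limit is 1 Mbps")
        # 1 Mbps is 1 bit per microsecond, so each 8 us tick adds 8 * rate bits.
        self.refresh_count = rate_mbps * REFRESH_INTERVAL_US
        self.bucket_size = bucket_size_bits
        self.threshold = threshold_bits
        self.bucket_count = bucket_size_bits  # start with a full bucket
        self._last_tick = 0

    def _refresh(self, now_us):
        """Add Refreshcount for every 8 us tick since the last packet, capped at Bucketsize."""
        tick = now_us // REFRESH_INTERVAL_US
        added = (tick - self._last_tick) * self.refresh_count
        self.bucket_count = min(self.bucket_size, self.bucket_count + added)
        self._last_tick = tick

    def offer(self, now_us, packet_bytes):
        """Return True (In Profile, forwarded) or False (Out of Profile, dropped)."""
        self._refresh(now_us)
        if self.bucket_count < self.threshold:
            return False
        self.bucket_count -= packet_bytes * 8
        return True


def constant_load(rate_mbps, bucket_size_bits, offered_mbps, packet_bytes, duration_us):
    """Offer evenly spaced packets and return (forwarded, dropped, achieved Mbps)."""
    meter = BucketMeter(rate_mbps, bucket_size_bits)
    interval_us = packet_bytes * 8 // offered_mbps
    forwarded = dropped = 0
    for now_us in range(0, duration_us, interval_us):
        if meter.offer(now_us, packet_bytes):
            forwarded += 1
        else:
            dropped += 1
    achieved_mbps = forwarded * packet_bytes * 8 / duration_us
    return forwarded, dropped, achieved_mbps


def burst(rate_mbps, bucket_size_bits, packets, packet_bytes):
    """Offer a back-to-back burst at time 0 and return how many packets pass."""
    meter = BucketMeter(rate_mbps, bucket_size_bits)
    return sum(meter.offer(0, packet_bytes) for _ in range(packets))


if __name__ == "__main__":
    # Constructed input: 10 Mbps of 1000-byte packets against a 2 Mbps limit.
    print(constant_load(2, 16000, 10, 1000, 1_000_000))
    # Constructed input: five packets arriving together on an idle class.
    print(burst(2, 16000, 5, 1000))
```

The burst allowance is spent first, after which the class is held to the configured rate and the excess is dropped as Out of Profile.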


When the data flow is in In Profile status, further processing determines the PRI queue of the class at the output port. Every class obtains one internal DSCP value in the classification step, and the DSCP-QUEUE Mapping Table gives the PRI queue of the output port for that value. All output ports of the iSpirit 3026 switch support 4 PRI queues. The class information value is obtained in the classification phase. There are three kinds of class information: COS class information, IP Precedence class information, and DSCP class information. At the output port, the corresponding field of the data packet is modified and the class information is added into the data packet.
QoS trust ports and untrust ports differ greatly in QoS policy. A QoS trust port only needs to determine the PRI queue of the data flow; it applies no bandwidth limitation, generates no class information value, and does not modify the IP data packet header. A QoS untrust port performs QoS policy processing according to the port configuration to determine the class information value, and it must determine the PRI queue, but bandwidth limitation is optional.

5. QoS Scheduling

Output ports of the iSpirit 3026 switch support 4 PRI queues; the PRI of queue 1 is the lowest and that of queue 4 is the highest. After the data flow has been held briefly in the output queue, the output port performs PRI processing according to the QoS scheduling method to determine the sending order. Output ports of the iSpirit 3026 switch support 3 QoS scheduling methods:
● SPQ: schedules data flows strictly by PRI. Data in a low PRI queue is sent only after all data in the higher PRI queues has been sent. The disadvantage is that data in a low PRI queue may wait a long time before it is processed.
● RR: schedules the data flows of queue 1 to queue 4 with the same weight, so in fact the PRI of queue 1 and queue 4 is the same. The disadvantage is that the service quality of important data cannot be ensured; in fact it is the same as having no QoS.
● WRR: the weights can be configured according to actual requirements, and the output port schedules data flows according to the configured weights. This remedies the deficiencies of SPQ and RR and ensures the service quality of important data.

6. FFP Introduction

Every input port of the iSpirit 3026 switch has one FFP. The FFP realizes classification and QoS policy. The FFP exists in the hardware logic, so it does not influence the forwarding efficiency of data flows when QoS is started on the port.


The FFP is a shared resource used by several applications: ACL filtration, IP address binding, QoS, IGMP SNOOPING protocol, and 802.1x protocol. The number of items in the FFP is limited. The RULE table has 128 items, so at most 128 can be used for classification; if the FFP is also used by other applications, the number available is reduced accordingly. The METER table has 63 items, so at most 63 classes (each class can include many data flows) can have bandwidth limitation. Pay attention to using the FFP resource properly:
● If the system is started with IGMP SNOOPING protocol, one RULE item is used on every port of the system.
● If a port is started with 802.1x protocol, one RULE item is used on that port.
● If a port is started with ACL filtration, RULE items are used according to the rules in the ACL group.
● If a port is bound with IP addresses, RULE items are used for the bound IP addresses.

12.2 QoS Configuration

Before configuring QoS, pay attention to the following:
● The administrator should first know the practical applications in the network and the location of the switch in the QoS field, and configure QoS according to actual requirements.
● The iSpirit 3026 switch starts QoS per port. Before starting it, the usage of the FFP should be known: whether the port has been configured with 802.1x and ACL filtration, and whether the system is started with IGMP SNOOPING protocol.
This Section describes QoS configuration, including:
● QoS Default Configuration
● Configure QoS Mapping Table
● Configure QoS Trust Port
● Configure QoS Class
● Configure QoS Policy
● Configure QoS Untrust Port
● Configure QoS Scheduling

1. QoS Default Configuration

By default, QoS is not started on any port of the iSpirit 3026 switch, and all data flows are forwarded in best-effort way. The default COS PRI of a port is 0. Refer to Figure 12-6 for the COS-DSCP Mapping Table Default Value, Figure 12-7 for the PREC-DSCP Mapping Table Default Value, Figure 12-8 for the DSCP-DSCP Mapping Table Default Value, and Figure 12-9 for the DSCP-QUEUE Mapping Table Default Value. The default QoS scheduling of output ports is SPQ.

Figure 12-6. COS-DSCP Mapping Table Default Value

Figure 12-7. PREC-DSCP Mapping Table Default Value

Figure 12-8. DSCP-DSCP Mapping Table Default Value


Figure 12-9. DSCP-QUEUE Mapping Table Default Value

2. Configure QoS Mapping Table

The commands that configure and show all QoS Mapping Tables are input in CLI global mode.
● The following two commands configure and show the COS-DSCP Mapping Table:
    qos cos-dscp <cos-value> <internal-dscp-value>
    show qos cos-dscp
  For example, map the COS value “0” to the internal DSCP value “40”:
    Switch# qos cos-dscp 0 40
    Switch# show qos cos-dscp
● The following two commands configure and show the PREC-DSCP Mapping Table:
    qos prec-dscp <ip-precedence-value> <internal-dscp-value>
    show qos prec-dscp
  For example, map the IP Precedence value “0” to the internal DSCP value “40”:
    Switch# qos prec-dscp 0 40
    Switch# show qos prec-dscp
● The following two commands configure and show the DSCP-DSCP Mapping Table:
    qos dscp-dscp <dscp-value> <internal-dscp-value>
    show qos dscp-dscp
  For example, map the DSCP value “0” to the internal DSCP value “40”:
    Switch# qos dscp-dscp 0 40
    Switch# show qos dscp-dscp
● The following two commands configure and show the DSCP-QUEUE Mapping Table:
    qos interdscp-queue <internal-dscp-value> <queue-id>
    show qos interdscp-queue
  For example, map the internal DSCP value “40” to queue 2:
    Switch# qos interdscp-queue 40 2
    Switch# show qos interdscp-queue
Notes: A Mapping Table configuration is only valid for ports on which QoS is started afterwards; a port already started with QoS keeps using the Mapping Table as it was before the modification.

3. Configure QoS Trust Port

QoS Trust Ports include the Trust COS port, Trust IP_Precedence port, and Trust DSCP port. The commands that configure and show a QoS trust port are input in PORT RANGE configuration mode.
● The following command configures a Trust COS port:
    qos trust cos
  For example, configure ports 2 and 3 as Trust COS ports:
    Switch(port 2-3)# qos trust cos
    Switch(port 2-3)# show qos
● The following command configures a Trust IP_Precedence port:
    qos trust ip_precedence
  For example, configure ports 2 and 3 as Trust IP_Precedence ports:
    Switch(port 2-3)# qos trust ip_precedence
    Switch(port 2-3)# show qos
● The following command configures a Trust DSCP port:
    qos trust dscp
  For example, configure ports 2 and 3 as Trust DSCP ports:
    Switch(port 2-3)# qos trust dscp
    Switch(port 2-3)# show qos
● The following command clears the QoS configuration:
    no qos
  For example, clear the QoS configuration of ports 2 and 3:
    Switch(port 2-3)# no qos
    Switch(port 2-3)# show qos

Notes:
● If configuring a QoS trust port fails, there are three possibilities: the port has already been configured with QoS (clear the QoS configuration first and then configure QoS for the port), the FFP of this port has been mostly used by ACL filtration, or the port is bound with IP addresses. Trust COS needs 8 items in RULE of the FFP, Trust IP_Precedence needs 8 items in RULE of the FFP, and Trust DSCP needs 64 items in RULE of the FFP.
● One port can be configured as a QoS trust port and with ACL filtration at the same time. ACL filtration can be configured first and the QoS trust port afterwards, or the QoS trust port first and ACL filtration afterwards.

4. Configure QoS Class

QoS classes include: COS class, PREC class, DSCP class, and ACL class.

Before selecting a class flow, a QoS class must be created. In global CONFIG mode, input the following command to create a QoS class and enter CLASS configuration mode. class-id is from 1 to 1000:
    qos class <class-id>
In CLASS mode you can add a name to the QoS class for identification:
    name <class-name>
For example, create a QoS class whose class-id is 3 and whose name is abc:
    Switch# qos class 3
    Switch(class-3)# name abc
    Switch(class-3)# show qos class 3
In CLASS configuration mode, select one kind of class flow for the QoS class.
● The following command chooses COS class flow for the QoS class to form a COS class. At most 8 COS values can be input. For the condition the same value you input:
    match cos <cos-value> [cos-value] …
● The following command chooses IP Precedence class flow for the QoS class to form a PREC class. At most 8 IP Precedence values can be input. For the condition the same value you input:
    match ip_precedence <ip-precedence-value> [ip-precedence-value] …
● The following command chooses DSCP class flow for the QoS class to form a DSCP class. At most 8 DSCP values can be input. For the condition the same value you input:
    match dscp <dscp-value> [dscp-value] …
● The following command chooses ACL class flow for the QoS class to form an ACL class. One QoS class can choose only one ACL group, which must already exist:
    match acl <acl-id>
For example, QoS class 3 chooses the DSCP values 20, 40, 45, and 60 as one DSCP class:
    Switch(class-3)# match dscp 20 40 45 60
    Switch(class-3)# show qos class 3
In global CONFIG mode, input the following command to delete a QoS class:
    no qos class <class-id>
For example, delete class 3:
    Switch# no qos class 3
    Switch# show qos class 3
Notes:
● One QoS class can be only one of COS class, PREC class, DSCP class, and ACL class.
● One QoS class can be cited by many Policies.
● A QoS class should not be deleted or modified while it is used by one or more Policies.

5. Configure QoS Policy

The iSpirit 3026 switch supports 26 QoS policies in total. Each QoS policy can choose one or more QoS classes and configures the policy for each class. In global CONFIG mode, input the following command to choose a QoS policy and enter POLICY mode. policy-id is from 1 to 26:
    qos policy <policy-id>
In POLICY configuration mode, input the following command to choose a class and enter POLICY CLASS mode. The chosen class must exist and must be active:
    class <class-id>
In POLICY CLASS mode, configure the policy for the chosen class, including class information and bandwidth limitation. There are three kinds of class information: COS class information, IP Precedence class information, and DSCP class information.
● The following command configures COS class information for the class:
    set cos <cos-value>
● The following command configures IP Precedence class information for the class:
    set ip_precedence <ip-precedence-value>
● The following command configures DSCP class information for the class:
    set dscp <dscp-value>

Bandwidth limitation is optional for a class in a QoS policy. The smallest bandwidth limit is 1Mbps, and the granularity is 1Mbps. The following command, in POLICY CLASS mode, configures the bandwidth limitation of a class:
    meter <bandwidth-value> <burst-size>


● The following command deletes the bandwidth limitation of a class, i.e. the class is not configured with a bandwidth limitation policy:
    no meter
In global CONFIG mode, input the following command to clear one or all classes in a QoS policy. If class-id is not input, all classes in the QoS policy are cleared; if class-id is input, only that class is cleared:
    no qos policy <policy-id> [class-id]
● The following is a sample QoS policy configuration. Policy 2 includes two classes: Class 3 and Class 4. Both are ACL classes, matched with IP standard ACL group 3 and IP extended ACL group 203 respectively. Class 3 is configured with DSCP class information whose value is 40, and its bandwidth is limited to 2Mbps. Class 4 is configured with IP Precedence class information whose value is 6, and its bandwidth is not limited. The configuration is as follows:

    Switch# qos class 3  (create class 3)
    Switch(class-3)# match acl 3  (class 3 is an ACL class; choose ACL group 3, assuming ACL group 3 already exists)
    Switch(class-3)# qos class 4  (create class 4)
    Switch(class-4)# match acl 203  (class 4 is an ACL class; choose ACL group 203, assuming ACL group 203 already exists)
    Switch(class-4)# exit  (exit from CLASS configuration mode)
    Switch# show qos class  (show the class configuration)
    Switch# qos policy 2  (enter POLICY configuration mode)
    Switch(policy-2)# class 3  (choose class 3 and enter POLICY CLASS mode to configure the QoS policy for class 3)
    Switch(policy-map-class 3)# set dscp 40  (set DSCP class information)
    Switch(policy-map-class 3)# meter 20  (set the bandwidth limitation for class 3)
    Switch(policy-map-class 3)# exit  (exit from POLICY CLASS mode)
    Switch(policy-2)# class 4  (choose class 4 and enter POLICY CLASS mode to configure the QoS policy for class 4)
    Switch(policy-map-class 4)# set ip_precedence 6  (set IP Precedence class information)
    Switch(policy-map-class 4)# show qos policy 2  (show the configuration of Policy 2)

Notes:
● One QoS policy can choose one or more QoS classes; at most 128 classes can be chosen.
● One class in one QoS policy can be configured with only one of COS class information, IP Precedence class information, and DSCP class information.
● One QoS policy can be cited by one or more untrust ports.
● A QoS policy cannot be deleted or modified while it is cited by one or more untrust ports.

6. Configure QoS Port

Configuring a QoS untrust port means that the port selects one QoS policy. The following command is used in PORT RANGE mode to configure an untrust port. The selected policy-id must exist and its status must be active:
    qos service-policy <policy-id>
For example, ports 2 and 3 select Policy 2 and are configured as untrust ports:
    Switch(port 2-3)# qos service-policy 2
    Switch(port 2-3)# show qos

Failed configuration of an untrust port may be caused by:
1. The port has already been configured as a QoS trust port or QoS untrust port.
2. The selected QoS policy does not exist or its status is not active.
3. The port has been bound with one or more IP addresses.
4. Insufficient RULE of the FFP, which may be caused by ACL filtration on the port or by too many data flows classified by QoS. There are 128 items in RULE of each FFP.
5. Insufficient METER of the FFP, which may be caused by more than 63 classes with bandwidth limitation in the QoS policy; this is not very usual. There are 63 items in METER of the FFP.
6. There are two or more ACL classes in the QoS policy, each matched with one ACL group, and the ACL groups contain the same filtration rule.
An example of the sixth point follows. ACL group 2 is configured with 2 rules:

    Switch# access-list 2 permit 192.168.0.0 0.0.0.255
    Switch# access-list 2 permit 192.168.1.0 0.0.0.255
ACL group 3 is configured with 1 rule, which is the same as one of the rules of ACL group 2:
    Switch# access-list 3 permit 192.168.0.0 0.0.0.255
QoS class 2 is configured as an ACL class with ACL group 2:
    Switch# qos class 2
    Switch(class-2)# match acl 2
QoS class 3 is configured as an ACL class with ACL group 3:
    Switch(class-2)# qos class 3
    Switch(class-3)# match acl 3
Configure QoS policy 2 and choose class 2 and class 3:
    Switch(class-3)# qos policy 2
    Switch(policy-2)# class 2
    Switch(policy-map-class 2)# set dscp 30
    Switch(policy-map-class 2)# exit
    Switch(policy-2)# class 3
    Switch(policy-map-class 3)# set dscp 40
Set port 2 as an untrust port and choose Policy 2:
    Switch(port 2)# qos service-policy 2

Here the QoS untrust port cannot be configured successfully, because ACL group 2 and ACL group 3 have the same ACL rule.
● The following command, in PORT RANGE mode, clears the QoS configuration of the port:
    no qos
● Ports 2 and 3 were originally configured as untrust ports with Policy 2 as their policy; now clear the QoS configuration of the ports:
    Switch(port 2-3)# no qos
    Switch(port 2-3)# show qos
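A pre-deployment check for the failure causes listed above, as an added example in Python (not part of the manual and not a tool shipped with the switch). It reads a pasted CLI session, counts the RULE and METER items one policy would need, and reports a permit rule shared by two ACL classes; the function names and the cost of one RULE item per permit rule are assumptions, while the limits of 128 and 63 and the session text are the manual's.

```python
import re

RULE_ITEMS = 128   # RULE entries per FFP (from the manual)
METER_ITEMS = 63   # METER entries per FFP (from the manual)
PROMPT = re.compile(r"^\w+(\([^)]*\))?#\s*")  # e.g. "Switch(policy-map-class 2)# "

# The manual's own sixth-point example, pasted with its prompts.
PAGE_SESSION = """\
Switch# access-list 2 permit 192.168.0.0 0.0.0.255
Switch# access-list 2 permit 192.168.1.0 0.0.0.255
Switch# access-list 3 permit 192.168.0.0 0.0.0.255
Switch# qos class 2
Switch(class-2)# match acl 2
Switch(class-2)# qos class 3
Switch(class-3)# match acl 3
Switch(class-3)# qos policy 2
Switch(policy-2)# class 2
Switch(policy-map-class 2)# set dscp 30
Switch(policy-map-class 2)# exit
Switch(policy-2)# class 3
Switch(policy-map-class 3)# set dscp 40
"""


def parse(session):
    """Collect ACL rules, class-to-ACL bindings and policy classes from a session."""
    acls, class_acl, policies = {}, {}, {}
    cur_class = cur_policy = cur_pclass = None
    for raw in session.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "access-list" and len(words) >= 4:
            acls.setdefault(int(words[1]), []).append((words[2], " ".join(words[3:])))
        elif words[:2] == ["qos", "class"]:
            cur_class, cur_policy = int(words[2]), None
        elif words[:2] == ["match", "acl"] and cur_class is not None:
            class_acl[cur_class] = int(words[2])
        elif words[:2] == ["qos", "policy"]:
            cur_policy, cur_class = int(words[2]), None
            policies.setdefault(cur_policy, {})
        elif words[0] == "class" and cur_policy is not None:
            cur_pclass = int(words[1])
            policies[cur_policy][cur_pclass] = {"meter": False}
        elif words[0] == "meter" and cur_policy is not None and cur_pclass is not None:
            policies[cur_policy][cur_pclass]["meter"] = True
    return acls, class_acl, policies


def lint_policy(session, policy_id, rule_items_in_use=0):
    """Check one policy against the FFP limits before binding it to a port.

    rule_items_in_use: RULE items already taken on the port by ACL filtration,
    802.1x, IGMP SNOOPING or IP binding (supplied by the operator).
    """
    acls, class_acl, policies = parse(session)
    classes = policies.get(policy_id, {})
    seen, duplicates, rule_items = {}, [], 0
    for class_id in classes:
        for action, rule in acls.get(class_acl.get(class_id), []):
            if action != "permit":   # deny rules are not written into the FFP
                continue
            rule_items += 1          # assumption: one RULE item per permit rule
            if rule in seen and seen[rule] != class_id:
                duplicates.append((seen[rule], class_id, rule))
            seen.setdefault(rule, class_id)
    meter_items = sum(1 for c in classes.values() if c["meter"])
    problems = []
    if rule_items_in_use + rule_items > RULE_ITEMS:
        problems.append("insufficient RULE: %d needed, %d free"
                        % (rule_items, RULE_ITEMS - rule_items_in_use))
    if meter_items > METER_ITEMS:
        problems.append("insufficient METER: %d classes are metered" % meter_items)
    for first, second, rule in duplicates:
        problems.append("classes %d and %d match the same permit rule: %s"
                        % (first, second, rule))
    return {"rule_items": rule_items, "meter_items": meter_items,
            "duplicates": duplicates, "problems": problems}


if __name__ == "__main__":
    for problem in lint_policy(PAGE_SESSION, 2)["problems"]:
        print(problem)
```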

Notes:
● Each port can be configured as only one of Trust COS, Trust IP_Precedence, Trust DSCP, and untrust port; only one QoS policy can be chosen if it is configured as an untrust port.
● One port can be configured as a QoS untrust port and with ACL filtration at the same time, but ACL filtration must be configured first and the QoS untrust port afterwards. Configuring ACL filtration fails if the QoS untrust port has already been configured, so the QoS configuration should be deleted first, and then ACL filtration configured.
● If a port has been configured as a QoS untrust port, ACL rules with the “permit” action are written into the FFP, but ACL rules with the “deny” action are not written into the FFP, i.e. ACL rules with the “deny” action do not carry out QoS for the data flow.
● If there are two or more classes with the same matched value in one QoS policy, the first matched value carries out QoS and the following ones do not. For example, if one COS class has a matched COS value of 5 and another COS class also matches the COS value 5, the COS value of 5 configured first carries out QoS. It is suggested that users do not configure the same matched value repeatedly.

7. Configure QoS Scheduling

The iSpirit 3026 provides the same QoS scheduling for the output of all ports. The switch supports 3 kinds of scheduling: SPQ, RR, and WRR. For WRR, every PRI queue has a weight, and the default weights of queue 1 to queue 4 are 1, 2, 3, and 4 respectively. You may configure the weight of each PRI queue; the weight is from 1 to 15. Configure the QoS scheduling method in PORT RANGE mode.
● The following command configures QoS scheduling as SPQ:
    qos schedule spq
● The following command configures QoS scheduling as RR:
    qos schedule rr
● The following command configures QoS scheduling as WRR. The weights can be omitted, but if you input them, you must input all of them from queue 1 to queue 4:
    qos schedule wrr [<queue1-weight> <queue2-weight>… <queue4-weight>]
For example, configure WRR scheduling with the weights of queue 1 to queue 4 set to 1, 3, 5, and 7 respectively:
    Switch# qos schedule wrr 1 3 5 7
    Switch# show schedule
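The three scheduling methods compared on the same backlog, as an added Python example (not code from the manual or the switch). The four queues, the weight range 1 to 15 and the default weights 1, 2, 3, 4 come from the text; the order in which a WRR round visits the queues and the sample backlog are assumptions.

```python
def schedule(mode, backlog, slots, weights=(1, 2, 3, 4)):
    """Send up to `slots` packets and return the count sent per queue.

    backlog and the result are indexed 0..3 for queue 1..4 (queue 4 = highest PRI).
    Assumption: a WRR or RR round visits queue 4 first and lets each queue send
    up to its weight before moving on.
    """
    if mode == "rr":
        weights = (1, 1, 1, 1)           # RR: every queue has the same weight
    elif mode == "wrr":
        if len(weights) != 4 or not all(1 <= w <= 15 for w in weights):
            raise ValueError("WRR needs four weights, each from 1 to 15")
    elif mode != "spq":
        raise ValueError("mode must be spq, rr or wrr")
    left = list(backlog)
    sent = [0, 0, 0, 0]
    while slots > 0 and any(left):
        for q in (3, 2, 1, 0):
            # SPQ drains the highest non-empty queue completely before looking lower.
            quota = left[q] if mode == "spq" else weights[q]
            n = min(quota, left[q], slots)
            left[q] -= n
            sent[q] += n
            slots -= n
            if mode == "spq" and n:
                break
    return sent


def compare(backlog, slots, wrr_weights=(1, 2, 3, 4)):
    """Run all three methods on the same backlog for side-by-side comparison."""
    return {
        "spq": schedule("spq", backlog, slots),
        "rr": schedule("rr", backlog, slots),
        "wrr": schedule("wrr", backlog, slots, wrr_weights),
    }


if __name__ == "__main__":
    # Constructed backlog: queues 1-3 hold 50 packets each, queue 4 holds 20,
    # and the port can send 40 packets in the observed interval.
    for mode, sent in compare([50, 50, 50, 20], 40, (1, 3, 5, 7)).items():
        print(mode, sent)
```

Under SPQ queues 1 and 2 send nothing in the interval, under RR queue 4 gets no preference, and under WRR every queue is served in proportion to its weight.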

12.3 Sample for QoS Configuration

Figure 12-10 Sample of QoS Configuration

There are three 3026 devices: the first is a border switch of the QoS field, the second is an inner switch of the QoS field, and the third is a border switch of the QoS field. There are three users, running FTP, WWW, and VOIP respectively. Because the services need different network resources, traffic should be classified by the characteristics of the application, IP address, and IP packet, to ensure specific bandwidth and PRI. For example, FTP uses much bandwidth but is not very sensitive to time delay; WWW service is not strict about either bandwidth or time delay; VOIP requires the least time delay, and its minimum bandwidth is 10M.

Configuration Procedures: the input ports of switch 1 are ports 1, 2, and 3.

1. Class Flow Classification

● Set extended access control list 200 to allow FTP data packets of 192.168.2.1 to pass.
● Set extended access control list 201 to allow WWW service data packets of 192.168.2.2 to pass.
● Set extended access control list 202 to allow IP data packets from source 192.168.1.3 to 192.168.2.3 to pass.
Then classify the data flows according to these three access control lists:
    Switch# access-list 200 permit tcp any 192.168.2.1 0.0.0.255 ftp
    Switch# access-list 201 permit tcp any 192.168.2.2 0.0.0.255 www
    Switch# access-list 202 permit ip host 192.168.1.3 host 192.168.2.3
    Switch# qos class 1
    classId 1 added
    Switch(class-1)# match acl 200
    Switch# qos class 2
    classId 2 added
    Switch(class-2)# match acl 201

2. Configuration of QoS Policy

● Set the QoS policy so that the DSCP value of the FTP data flow is 1 (corresponding to the lowest PRI queue 1), and the bandwidth and buffering are controlled to 10M.
● Set the QoS policy so that the DSCP value of the WWW data flow is 10 (corresponding to hypo-PRI queue 3), with no limitation on bandwidth.
● Set the QoS policy so that the DSCP value of the VOIP data flow is 60 (corresponding to the highest PRI queue 8), with no limitation on bandwidth.


3. Apply QoS Policy to Input Port of Switch (i.e. QoS untrust port)

    Switch# qos policy 1
    Switch(policy-1)# class 1
    Switch(policy-map-class 1)# set dscp 1
    Switch(policy-map-class 1)# meter 10 0
    Switch(policy-map-class 1)# exit
    Switch(policy-1)# class 2
    Switch(policy-map-class 2)# set dscp 10
    Switch(policy-map-class 2)# exit
    Switch(policy-1)# class 3
    Switch(policy-map-class 3)# set dscp 60
    Switch# port 1-3
    Switch(port 1-3)# qos service-policy 1
    Switch(port 1-3)# show qos
    port :1 flag :Policy Flag policy id:1 Status :active
    port :2 flag :Policy Flag policy id :1 Status :active
    port :3 flag :Policy Flag policy id:1 Status :active

The output port of the switch is port 4, and the default output scheduling is SPQ, i.e. data flows with high PRI pass first, and other data flows are forwarded only after the data flows with high PRI have been forwarded. To give every class the chance to be forwarded, change the scheduling of the output port to WRR, i.e. forward data packets in a certain ratio. The default queue weights are:
    queue:  1 2 3 4
    weight: 1 2 3 4
    Switch# qos schedule wrr

Set Switch 1
Set the 4th port of the switch as a QoS trust port:
    Switch(port 4)# qos trust dscp
Set the scheduling of ports 1, 2, and 3 of the switch to WRR:
    Switch# qos schedule wrr

Set Switch 2
Set the 4th port of the switch as a QoS trust port:
    Switch(port 4)# qos trust dscp
Set the scheduling of port 1 of the switch to WRR:
    Switch# qos schedule wrr


Chapter 13. Configure IP Route

This Chapter introduces how to configure IP Route on the iSpirit 3026 switch, including:

1. Introduction to IP Route
2. Introduction to ARP
3. Configure static route


13.1 Introduction to IP Route

Routing is one of the important functions of a layer-3 switch; it realizes fast route forwarding between different IP networks. The iSpirit 3026 is a layer-2 switch without layer-3 forwarding function, but it can reach devices in different networks through another layer-3 device. There are three ways to realize routing:
● Default Route: leads the data flow to a specific exit when the destination address of the data flow is unknown.
● Static Route: a route configured by the user, which makes the data flow leave from a specific port along a single route to a given network.
● Dynamic Route: calculates the best route through a dynamic routing protocol and forwards the data flow.

1. Interface Configuration

To configure IP route, an IP address must be assigned to a layer-3 interface; after that, hosts on that layer-3 interface can communicate with hosts on other layer-3 interfaces. Some specific addresses cannot be assigned to a layer-3 interface. For details, refer to Table 13-1:

Classification  Address or Address Range      Can be assigned
A               0.0.0.0                       NO
                1.0.0.0-126.0.0.0             YES
                127.0.0.0                     NO
B               128.0.0.0-191.254.0.0         YES
                191.255.0.0                   NO
C               192.0.0.0                     NO
                192.0.1.0-223.255.254.0       YES
                223.255.255.0                 NO
D               224.0.0.0-239.255.255.255     Multicast address
E               240.0.0.0-255.255.255.254     NO
                255.255.255.255               multicast address

2. Command

● Enter “interface vlan” configuration mode for a VLAN:
    Switch# interface vlan <vlan id>
● Configure the IP sub-net of an interface vlan, i.e. set the interface IP address:
    Switch(interface-vlan)# ip address <ipaddress> <subnetmask>
● Delete the IP sub-net related to an interface vlan:
    Switch# no interface vlan <vlan id>
● Show the information of one or more VLAN interfaces of the switch:
    Switch# show interface vlan [<vlan_id>|<vlan_id_min-vlan_id_max>]

3. Samples

● Configure sub-net 193.1.1.0 for interface vlan 3; the IP address of the interface is 193.1.1.1:
    Switch(interface-vlan 3)# ip address 193.1.1.1 255.255.255.0
● Now delete the sub-net of the interface vlan:
    Switch# no interface vlan 3
  or
    Switch(interface-vlan 3)# no interface vlan 3

13.2 ARP Configuration

1. ARP Summary

ARP (Address Resolution Protocol) is a protocol that provides the mapping from an IP address to the corresponding hardware address. When a source sends an Ethernet data frame to a destination in the same local network, the destination interface is determined by the 48-bit Ethernet address. The device driver never checks the destination IP address in the IP data packet, so the Ethernet address corresponding to an IP address must be obtained through the ARP protocol.

2. ARP Cache

Each device has an ARP cache, which stores the most recent mapping records from IP address to hardware address. Every item in it has its own lifetime and is deleted if it has not been used for a long time.


3. ARP Classification

Static ARP: the user configures the ARP entry manually, and the system does not refresh or delete it automatically.
Dynamic ARP: the system automatically detects the mapping between IP address and Ethernet address, and refreshes and maintains it in real time.

4. ARP Command

● Set a static ARP entry:
Switch# arp <ip> <mac>
● Delete a static ARP entry:
Switch# no arp <ip>
● Show the contents of the system ARP table:
Switch# show arp

Sample: set a static ARP entry with destination IP 200.1.1.2 and MAC address 00:10:5f:01:02:03:
Switch# arp 200.1.1.2 00:10:5f:01:02:03
Delete the static ARP entry:
Switch# no arp 200.1.1.2

13.3 Configure Static Route

1. Summary

In route mode, users configure the static route information of the switch. A static route is defined by the user; it makes data packets travel from the source address to the destination address along a specified path. Static routes matter most when the dynamic routing protocol has not created a route to a specific destination address. A static route can also be set as the default route, which sends packets that match no other route to the default gateway. Static routes are configured manually by the administrator. They suit networks whose structure is simple and where there is only one path to the destination address; there the administrator needs only to configure static routes for the switch to operate normally. Static routes do not consume valuable network bandwidth, because there are no route updates.

The default route is also a kind of static route. Put simply, the default route is used only when no other route matches. In the route table the default route appears as network 0.0.0.0 (with mask 0.0.0.0). You can check whether it is set through “show ip route table”. If the destination of a packet is not in the route table and there is no default route in the route table, the packet is discarded and an ICMP message is returned to the source to indicate that the destination address or network cannot be reached. The default route is very useful in a network. In a network containing hundreds of switches, a dynamic routing protocol may consume a great deal of bandwidth; with a default route, the bandwidth used for route selection and propagation is saved, so to a degree a large number of users can be served and the communication requirements met.

2. Command

● Set up a static route:
Switch(route-config)# ip route <dst> <subnet> <nexthop>
● Delete a static route:
Switch(route-config)# no ip route <dst> <subnet>
● Show the contents of the static route table:
Switch(route-config)# show ip static route
● Show all contents of the route table (including dynamic and static routes):
Switch(route-config)# show ip route

3. Sample

● Set a static route with destination address 200.1.1.0, subnet mask 255.255.255.0 and next hop 10.1.1.2:
Switch(route-config)# ip route 200.1.1.0 255.255.255.0 10.1.1.2
● Delete the static route with destination address 200.1.1.0, subnet mask 255.255.255.0 and next hop 10.1.1.2:
Switch(route-config)# no ip route 200.1.1.0 255.255.255.0


Chapter 14. Configure IGMP

The IGMP protocol mainly manages multicast group membership. Through IGMP a host tells the router that it wants to join or leave a group, and the multicast router uses IGMP to determine whether there are multicast group members in the attached subnet. This chapter introduces the main definitions of IGMP, the IGMP protocol realization, and IGMP configuration, including:

1. Definitions of IGMP
2. IGMP Protocol Realization
3. IGMP Configuration


14.1 Definitions of IGMP

In the traditional Internet, unicast is used to send a data packet to every receiver, so as the number of nodes grows, the number of packets sent grows linearly. Sending the same content repeatedly (e.g. Internet video conferences and live programmes, where different nodes receive the same data) increases the load on hosts, routing devices and bandwidth. As Internet video conferencing and live video grow, multicast is used more and more as the transmission method for multipoint communication, in order to improve resource utilization. When multimedia information (such as live audio and video) has to be sent to several hosts, sending the data to each receiver separately is not the best way; broadcast is not a good solution either, because the sending host and the receivers may not be in the same subnet. Figure 14-1 compares unicast and multicast.

Figure 14-1 Comparison Between Unicast and Multicast Information Transfer

From Figure 14-1 you can see that unicast sends three identical data packets to reach three receivers, whereas multicast needs to send only one data packet to the multicast group. In complex environments this improves resource utilization. Multicast technology is mainly realized by the IGMP protocol and multicast routing protocols: IGMP mainly manages users joining and leaving groups, while the multicast routing protocol constructs the multicast routes between routers. This section introduces the definitions of IGMP, including:
● Multicast Address
● Multicast MAC Address
● Two Special Multicast Addresses
● Message Format of IGMPV2

1. Multicast Address

In the Internet, communication between hosts uses the following three kinds of address:
● Unicast address: the unique address of a host in the subnet, e.g. IP address 10.10.1.9 or MAC address 01:00:5C:A0:4A:B1.
● Broadcast address: used for sending data to all hosts in the subnet, e.g. broadcast IP address 192.168.100.255, broadcast MAC address FF:FF:FF:FF:FF:FF.
● Multicast address: used for sending data packets to a group of hosts.

IP addresses are divided into the three classes A, B and C. The fourth class, D, is reserved for multicast addresses. In IP version 4 (IPv4), all IP addresses from 224.0.0.0 to 239.255.255.255 belong to class D. The high 4 bits of a multicast address are “1110”, which corresponds to 224 to 239 in decimal; the other 28 bits carry the multicast group information. Please refer to Figure 14-2: the lower 28 bits are the multicast group information.

Figure 14-2. Multicast Address


2. Multicast MAC Address

An IPv4 multicast address at the network layer has to be converted into a network physical address (MAC address). For a unicast address, the physical address corresponding to the IP address can be obtained through ARP. In multicast mode ARP cannot perform this function, and the physical address has to be obtained in another way. The conversion is described in the following RFC documents:
● RFC1112: Multicast IPv4 to Ethernet physical address correspondence
● RFC1390: Correspondence to FDDI
● RFC1469: Correspondence to Token-Ring networks

For Ethernet the conversion works like this: the first 24 bits of the Ethernet physical address (MAC address) are fixed as 01:00:5E, which are the significant identifying bits. The next bit is set to 0, and the remaining 23 bits are filled with the lower 23 bits of the IPv4 multicast address. For this conversion please refer to Figure 14-3:

Figure 14-3 Conversion From Multicast IP Address to Multicast MAC Address

For example, the multicast address 224.0.0.5 has the Ethernet physical address (MAC address) 01:00:5E:00:00:05.

3. Two Special Multicast Addresses

224.0.0.1: identifies all hosts in the subnet. All multicast-capable hosts in the same subnet are members.
224.0.0.2: identifies all multicast-capable routers in the network.


4. Message Format of IGMPV2

Figure 14-4 IGMPV2 Message Format

Type:
● 0x11 = Membership Query. There are two sub-types of Membership Query: General Query, used to learn whether there are members on the attached network, and Group-Specific Query, used to learn whether a specific group has members on the attached network.
● 0x16 = Version 2 Membership Report
● 0x17 = Leave Group
● 0x12 = Version 1 Membership Report, kept for compatibility with IGMP v1

MRT (Max Response Time): the Max Response Time field is valid only in Membership Query messages. It specifies the maximum time allowed before a response is sent (unit: 1/10 second). In all other messages the sender sets it to 0 and the receiver ignores the field.

Checksum: a 16-bit checksum over the whole IGMP message (the entire payload of the IP packet). While the checksum is being computed, the checksum field itself is set to 0. When a packet is sent, the checksum must be computed and inserted into the field. When a packet is received, the checksum must be verified before the packet is processed.

GDA (group address): in a Membership Query message, the group address field is set to 0 when sending a General Query, and set to the group address when sending a Group-Specific Query. In Membership Report and Leave Group messages, the group address field is set to the address of the group being reported or left.
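The message format and the multicast MAC conversion described above, as an added Python example (not code from the manual or the switch). It builds and parses 8-byte IGMPV2 messages, verifies the checksum before processing, and derives the Ethernet address of the group; the one's-complement algorithm is the one defined in RFC 2236, and the function names and sample messages are constructed for illustration.

```python
import ipaddress
import struct

# Type codes from the IGMPV2 message format section above.
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "Version 1 Membership Report",
    0x16: "Version 2 Membership Report",
    0x17: "Leave Group",
}


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv2(msg_type: int, max_resp_tenths: int, group: str) -> bytes:
    """Build a message: checksum field is 0 while the checksum is computed."""
    gda = ipaddress.IPv4Address(group).packed
    zeroed = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, gda)
    return struct.pack("!BBH4s", msg_type, max_resp_tenths,
                       inet_checksum(zeroed), gda)


def multicast_mac(group: str) -> str:
    """01:00:5E, one 0 bit, then the lower 23 bits of the class D address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D address")
    mac = (0x01005E << 24) | (int(addr) & 0x7FFFFF)
    return ":".join(f"{b:02X}" for b in mac.to_bytes(6, "big"))


def parse_igmpv2(raw: bytes) -> dict:
    """Validate and decode one IGMPV2 message (the IP payload)."""
    if len(raw) < 8:
        raise ValueError("IGMPV2 message shorter than 8 bytes")
    # Summing a valid message including its checksum field yields 0.
    if inet_checksum(raw) != 0:
        raise ValueError("checksum mismatch: discard before processing")
    msg_type, mrt, _csum, gda = struct.unpack("!BBH4s", raw[:8])
    group = ipaddress.IPv4Address(gda)
    kind = IGMP_TYPES.get(msg_type, f"Unknown (0x{msg_type:02x})")
    if msg_type == 0x11:
        kind = "General Query" if int(group) == 0 else "Group-Specific Query"
    elif msg_type in IGMP_TYPES and not group.is_multicast:
        raise ValueError("report/leave must carry a multicast group address")
    return {
        "kind": kind,
        # MRT is only meaningful in queries; unit is 1/10 second.
        "max_resp_seconds": mrt / 10 if msg_type == 0x11 else None,
        "group": str(group),
        "group_mac": multicast_mac(str(group)) if group.is_multicast else None,
    }


if __name__ == "__main__":
    # Constructed samples: a General Query and a report for group 238.5.5.5.
    for msg in (build_igmpv2(0x11, 100, "0.0.0.0"),
                build_igmpv2(0x16, 0, "238.5.5.5")):
        print(msg.hex(), parse_igmpv2(msg))
    # Only 23 of the 28 group bits reach the MAC, so distinct groups can
    # share one Ethernet address (both lines print 01:00:5E:00:00:05).
    print(multicast_mac("224.0.0.5"), multicast_mac("239.128.0.5"))
```

Because several class D addresses share one MAC address, a Layer 2 filter keyed on the multicast MAC alone cannot tell those groups apart.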


14.2 IGMP Protocol Realization

Figure 14-5. IGMP To the Group Protocol Process

The IGMP router periodically sends a Membership Query to 224.0.0.1 (the all-hosts group address). On receiving the query, a host (Host1 and Host2) sets a delay timer for every group of which it is a member on the interface where the query was received. Each timer is set to a different random value, generated using the highest clock granularity available on the host. When a timer expires, the host multicasts a Membership Report (Version 2, TTL 1) to that group (see Host1 sending a Report in Figure 14-5). If the host receives a report from another host before its own timer has expired, it stops the timer for that group and does not send a report (see Host2 in the figure), which reduces duplicate reports. A host that needs to join a specific group sends a report to that group (see Host3 in the figure). When the IGMP router receives a report, it adds the reported group to the multicast group membership list. A repeated report refreshes the group's timer. If the router receives no report for the group before the timer expires, it assumes that the group has no local members and no longer needs to forward that group's traffic onto the attached network.


Figure 14-6 IGMP Out Of Group Protocol Process

According to the RFC2236 definition, a host can send a message to the IGMP router when it leaves a multicast group (see Host1 in Figure 14-6); the destination address is 224.0.0.2 (all IGMP routers). When an IGMP router in querier state receives a Leave message from a member on one of its interfaces, it sends Last Member Query Count Group-Specific Queries, one every Last Member Query Interval, to the group being left. These Group-Specific Queries carry a Max Response Time set to the Last Member Query Interval. If no report messages are received by the end of the last query's response time, the router assumes that the group has no local members. A host can belong to more than one group. Host2 and Host3 in the figure above are members of 238.5.5.5, so they send a Report in response to the router's General Query within a certain period.

14.3 IGMP Configuration

● User's command: enable igmpinterface
Input: the user enters the interface IP address
Function: enable IGMP support on the interface, after which the switch sends query packets to all hosts connected to this interface
Command format:
Switch# en igmp
IGMP Interface Enable
Interface IP Address(e.g. 192.168.0.1):

Interface close command
● User's command: disable igmpinterface
Input: the user enters the interface IP address
Function: disable IGMP support on the interface, after which the switch no longer sends periodic query packets
Command format:
Switch# dis igmp
IGMP Interface Enable
Interface IP Address(e.g. 192.168.0.1):

Show multicast group command
● User's command: show igmp group
Input: NULL
Function: show the multicast groups that currently exist
Command format:
Switch# show igmp g
IGMP Connected Group Membership
Group Address   Interface     Last Reporter   Uptime   Expires
238.1.2.9       200.1.1.1     200.1.1.20      7        350
224.0.0.9       200.1.1.1     200.1.1.1       35       350
224.0.0.9       192.168.0.1   192.168.0.1     22       350
Group Address: multicast group information
Interface: interface address
Last Reporter: source IP address of the last host to send a report packet
Uptime: time the group has existed, unit: seconds
Expires: group lifetime, unit: seconds

Show interface information command
● User's command: show igmp interface
Input: NULL
Function: show interface information
Command format:
Switch# show igmp I
Show IGMP Interface State:
Interface     Byte_In   Byte_Out   Pkt_In   Pkt_Out
200.1.1.1     900       0          15       0
192.168.0.1   0         0          0        0
Interface: interface IP address
Byte_In: size of packets received, unit: bytes
Byte_Out: size of packets sent, unit: bytes
Pkt_In: number of packets received
Pkt_Out: number of packets sent


Chapter 15. Configure Management Service

This chapter introduces how to configure the management service, including:

1. Introduction to management service
2. Configure management service


15.1 Introduction to Management Service

In a network, the security of the switch itself is the most important concern and a focus for the administrator. The iSpirit 3026 switch provides not only user name and password protection but also management service control to ensure the security of the switch. The iSpirit 3026 switch provides TELNET, WEB and SNMP services for remote management; each service can be closed or started, and can be bound to the ACL resource bank, to ensure safe management.

Besides the serial port, the switch can be managed through TELNET, WEB and SNMP, which allow it to be controlled remotely without limits of time or place, so they are popular with administrators. But the security problem should not be ignored, especially where high security is required. Where nobody except the personnel of the central operations room is permitted to operate the switch, or only specific users are admitted to operate it, controlling the management services is very important.

Depending on requirements, the administrator can close the TELNET, WEB and/or SNMP services; neither administrators nor users can then access the switch through a closed service. For example, if the TELNET service is closed, no user can log in to the switch through TELNET. Closing a management service gives the device good security. The mechanism is based on the communication between client and server and on checking the user's management information: for each of the three access methods, the switch checks whether the administrator has started the corresponding service, and if not, the user cannot access the switch through that service. If the administrator needs the TELNET, WEB and/or SNMP services, they must be started, and a user with the user name and password can then manage the switch from any terminal through these services. The switch is then in an unsafe state: an attacker who steals the user name and password can enter the switch and damage the device.

The iSpirit 3026 switch secures the management services through management service control together with ACLs. The switch uses the standard IP rules in the ACL resource bank to control access: only service requests from permitted IP addresses are admitted, and requests from other IP addresses are not.

When a management service is started, ACLs are used to ensure device security. This too is based on the communication between client and server and on checking the user's management information. For each of the three access methods, the switch checks whether the administrator has started the corresponding service; if it is started, the switch checks whether an ACL has been configured for it, and then evaluates the source IP address against the ACL rules. If the source IP address is permitted, the management service can be used to manage the switch; if the source IP address is not permitted, it cannot.

Before an ACL is used, the ACL rules must be configured in the ACL resource bank. A management service selects its ACL rules from the ACL resource bank, and one management service can select only one standard IP rule group. Figure 15-1 is an example of management service control. Suppose that user 1 and user 2 both know the switch's user name and password. If the TELNET service is started, user 1 and user 2 can both manage the switch through TELNET. If the WEB service is closed, neither user 1 nor user 2 can manage the switch through WEB. If the SNMP service is started and uses a standard IP rule group in the ACL resource bank that permits only the source address 192.168.0.100, only user 1 can manage the switch through SNMP; user 2 cannot.

Figure 15-1 Device Management Service Control
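The access decision described above (service started? ACL bound? source address permitted?) modelled as an added Python example; this is not the switch's own code. The data structures, ACL group 10 and user 2's address 192.168.0.101 are constructed for illustration, and treating a group-id with no rules as deny-all is an assumption. The `audit` helper lists services reachable from any source, which is the state the switch ships in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Service:
    enabled: bool
    group_id: Optional[int] = None  # set by "enable <service> [group-id]"

    def __post_init__(self):
        # The manual gives the group-id range as 1 to 199.
        if self.group_id is not None and not 1 <= self.group_id <= 199:
            raise ValueError("group-id must be between 1 and 199")


def access_decision(services: Dict[str, Service],
                    acl_groups: Dict[int, List[str]],
                    service: str, source_ip: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a management connection attempt."""
    svc = services[service]
    if not svc.enabled:
        return False, "service closed"
    if svc.group_id is None:
        # Started without group-id: the password is the only control left.
        return True, "no ACL bound, any source accepted"
    src = ipaddress.ip_address(source_ip)
    # Assumption: a group-id with no configured rules permits nothing.
    for net in acl_groups.get(svc.group_id, []):
        if src in ipaddress.ip_network(net):
            return True, f"permitted by ACL group {svc.group_id}"
    return False, f"denied by ACL group {svc.group_id}"


def audit(services: Dict[str, Service]) -> List[str]:
    """Names of started services that accept connections from any source."""
    return sorted(name for name, svc in services.items()
                  if svc.enabled and svc.group_id is None)


# Scenario of Figure 15-1. Group 10 and USER2's address are constructed.
ACL_GROUPS = {10: ["192.168.0.100/32"]}
FIGURE_15_1 = {
    "telnet": Service(enabled=True),
    "web": Service(enabled=False),
    "snmp": Service(enabled=True, group_id=10),
}
# Default state per section 15.2: all three services started, no ACL.
DEFAULTS = {name: Service(enabled=True) for name in ("telnet", "web", "snmp")}
USER1, USER2 = "192.168.0.100", "192.168.0.101"

if __name__ == "__main__":
    for user in (USER1, USER2):
        for name in FIGURE_15_1:
            print(user, name, access_decision(FIGURE_15_1, ACL_GROUPS, name, user))
    print("open to any source by default:", audit(DEFAULTS))
    print("open to any source in Figure 15-1:", audit(FIGURE_15_1))
```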


15.2 Management Service Configuration

By default, the TELNET, WEB and SNMP services of the iSpirit 3026 switch are all started.

● The following command in global CONFIG mode starts the TELNET service. If the group-id parameter is not entered, the TELNET service is started without ACL rule control, and users can log in to the switch from any terminal through TELNET. If the group-id parameter is entered, the TELNET service is started under ACL rule control, and only terminals whose IP address is permitted by the ACL can log in to the switch through TELNET. group-id ranges from 1 to 199:
enable telnet [group-id]
● The following command in global CONFIG mode closes the TELNET service, after which users cannot log in to the switch through TELNET:
disable telnet
● The following command in global CONFIG mode configures the TELNET service port:
Switch# set telnet port <port-num>
● The following command in global CONFIG mode configures the TELNET login password:
Switch# set telnet password <password>
● The following command in global CONFIG mode starts the WEB service. If the group-id parameter is not entered, the WEB service is started without ACL rule control, and users can manage the switch from any terminal through the WEB service. If the group-id parameter is entered, the WEB service is started under ACL rule control, and only terminals whose IP address is permitted by the ACL can manage the switch through the WEB service. group-id ranges from 1 to 199:
enable web [group-id]
● The following command in global CONFIG mode closes the WEB service, after which users cannot manage the switch through the WEB service:
disable web
● The following command in global CONFIG mode configures the WEB service port:
Switch# set web port [port-num]
● The following command in global CONFIG mode starts the SNMP service. If the group-id parameter is not entered, the SNMP service is started without ACL rule control, and users can manage the switch from any terminal through the SNMP service. If the group-id parameter is entered, the SNMP service is started under ACL rule control, and only terminals whose IP address is permitted by the ACL can manage the switch through the SNMP service. group-id ranges from 1 to 199:
enable snmp [group-id]
● The following command in global CONFIG mode closes the SNMP service, after which users cannot manage the switch through the SNMP service:
disable snmp
● The following command in CONFIG mode shows the TELNET, WEB and SNMP service configuration:
show manage-safety

Page 165: Contents 3026-48dc_manual.pdf · Contents Chapter 1. Introduction to the products ..... 5 1.1 Product Overview..... 6

Chapter 16.Configure SNMP and RMON

iSpirit 3026 switch provides SNMP and RMON to control the switch in remote. In this Chapter how to configure SNMP and RMON is introduced, including:

1. Introduction to SNMP 2. Introduction to RMON 3. SNMP Configuration 4. RMON Configuration


16.1 Introduction to SNMP

SNMP (Simple Network Management Protocol) is the most popular network management protocol. It covers five functions: fault management, accounting management, configuration management, performance management and security management. It provides the communication format between network management application software and the agent. There are 4 elements in SNMP network management: the management workstation, the agent, the management information base, and the network management protocol. The agent resides in the switch and is the server side that the workstation accesses; its information is presented in MIB format and forms the management information base.

SNMP has three operations: GET, SET and TRAP. The GET operation lets the workstation read an object value from the agent. The SET operation lets the workstation set an object value. The TRAP operation lets the agent notify the workstation of important events. A TRAP message is sent to the workstation automatically when something happens in the switch, including cold start, warm start, port link up and link down, community name authentication failure, STP state change, and triggering of an RMON EVENT.

At present there are three versions of SNMP: SNMPV1, SNMPV2 and SNMPV3. Each later version is an upgrade of the earlier one, with more functions and improved security. The iSpirit 3026 switch supports all three SNMP versions and can parse SNMP protocol packets of all three. Any one of SNMPV1, SNMPV2 and SNMPV3 can be used for sending TRAP messages. The iSpirit 3026 switch supports MIB1 and MIB2, and supports many RFC, BRIDGE and private MIB objects, through which the switch can be managed by SNMP. Some of the MIBs supported by the iSpirit 3026 switch are listed below:

RFC        MIB                       Description
RFC 1213   RFC1213-MIB               MIB II. All groups except egp and transmission.
RFC 1493   BRIDGE-MIB                dot1dBase and dot1dStp groups.
RFC 1724   RIPv2-MIB                 Conformance groups 1, 2, 3.
RFC 1757   RMON-MIB                  RMON-Lite (4 RMON1 groups): 1-statistics, 2-history, 3-alarm, and 9-event.
RFC 1850   OSPF-MIB                  OSPFv2 MIB. Conformance groups 1 to 4 and 6 to 13 (traps are not supported).
RFC 1907   SNMPv2-MIB                Conformance groups 5, 6, 7, 8, 9. Also used for SNMPv3.
RFC 2233   IF-MIB                    Interface group extension for SMIv2. CG=4, 5, 6, 7, 10, 11, 13.
RFC 2571   SNMP-FRAMEWORK-MIB        SNMPv3 MIB. SNMP Management Frameworks. CG=1.
RFC 2572   SNMP-MPD-MIB              SNMPv3 MIB. SNMP Message Processing and Scheduling. CG=1.
RFC 2573   SNMP-TARGET-MIB           SNMPv3 MIB. Define management targets. CG=1, 2, 3.
           SNMP-NOTIFICATION-MIB     SNMPv3 MIB. Notification generation configuration. CG=1, 2.
RFC 2574   SNMP-USER-BASED-SM-MIB    SNMPv3 MIB. Define SNMP USM. CG=1.
RFC 2575   SNMP-VIEW-BASED-ACM-MIB   SNMPv3 MIB. Define SNMP VACM. CG=1.
RFC 2665   EtherLike-MIB             dot3StatsTable group for SMIv2.
RFC 2674   P-BRIDGE-MIB              Conformance groups 1, 2, 3, 4, 6, 8, 9.
           Q-BRIDGE-MIB              Conformance groups 1, 3, 4, ? of 5, 6, 7, 8.

Figure 16-1 shows an example of the SNMP protocol interaction between the management workstation and the agent. The workstation accesses the agent of the switch by sending Get Request, Get_next Request and Set Request SNMP messages to obtain or set MIB object values, and the agent sends a Get Response SNMP message back to the workstation. The agent can also automatically send an SNMP TRAP message to the workstation when something happens in the switch.

Figure 16-1 SNMP protocol interaction between management workstation and agent

16.2 Introduction to RMON

RMON (Remote Network Monitoring) defines standard network monitoring functions and interfaces, and enables communication between the management station and the remote monitor on the basis of SNMP. RMON provides two kinds of control: configuration and operation scheduling.

1. Configuration

Data collection is configured on the remote monitor, for which the data type and format must be specified. The RMON MIB is divided into functional groups, each of which contains one or more control tables and one or more data tables. A control table is typically readable and writable and holds the parameters that describe the data table, while a data table is read-only. During configuration, the management station sets the appropriate parameters so that the remote monitor collects the required data.


2. Operation Scheduling

Operation scheduling means that SNMP sends a command through a set operation. Operations on an RMON table include Add, Delete, Modify and Read. RMON table operations act on rows through a row status field: EtherStatsStatus in the statistics group, historyControlStatus in the history group, alarmStatus in the alarm group and eventStatus in the event group.

The possible values of these fields are: valid(1), createRequest(2), underCreation(3) and invalid(4).
Add: set the row status field to createRequest(2); after this operation the field changes automatically to underCreation(3). After the other fields have been configured, set the row status field to valid(1); the row status becomes valid(1).
Modify: before modifying the table, first set the row status field to underCreation(3), then modify the other fields, and finally set the row status field to valid(1); the row status becomes valid(1). While the row status is valid(1), the other fields of the row cannot be modified.
Delete: set the row status field to invalid(4) to delete the row.
The iSpirit 3026 switch supports RMON MIB groups 1, 2, 3 and 9, which are the statistics group, history group, alarm group and event group respectively.

16.3 SNMP Configuration

SNMP configuration includes community configuration and TRAP workstation configuration of the switch. By default the iSpirit 3026 switch has one read-only community, “public”. The switch can be configured with 8 communities at most. By default the iSpirit 3026 switch has no TRAP workstation configured, and the switch can be configured with 8 TRAP workstations at most.

The SNMP commands are as follows:
● snmp community
Mode: CONFIGURATION
Parameters (entered interactively):
Community Name: the community name
Permission: read-write authority, 1) read-write 2) read-write
Function: configure the community name used by the network management station to access the switch. This is an interactive command: following the prompts, the user enters the required community name and read-write authority.
● snmp trap
Mode: CONFIGURATION
Parameters (entered interactively):
trap name: the trap name
Target Ip Addr: destination IP address to which the trap is sent
Version: version in which the trap is sent, v1, v2 or v3
Function: add or modify an SNMP trap destination. This is an interactive command. The trap name is unique; if an existing name is entered, the destination of that trap is modified. Target ip addr is the destination address to which the trap is sent; version selects sending in snmpV1, snmpV2 or snmpV3 mode. By default the command configures destination port 162.
● show snmp trap
Mode: CONFIGURATION
Function: show all trap configuration
● no snmp trap <trap-name>
Mode: CONFIGURATION
Function: delete the trap with the specified name
● snmp trap ip <trap-name> <ip-address>
Mode: CONFIGURATION
Parameters:
trap-name: trap name
ip-address: destination IP address
Function: change the destination IP address of the specified trap-name to ip-address
● snmp trap port <trap-name> <port>
Mode: CONFIGURATION
Parameters:
trap-name: trap name
port: destination port
Function: change the destination port of the specified trap-name
● snmp trap retries <trap-name> <retries>
Mode: CONFIGURATION
Parameters:
trap-name: trap name
retries: number of re-sends
Function: change the number of re-sends of the specified trap-name to retries. SnmpV1 does not support this parameter.
● snmp trap timeout <trap-name> <timeout>
Mode: CONFIGURATION
Parameters:
trap-name: trap name
timeout: timeout value
Function: change the timeout of the specified trap-name to timeout; the unit of timeout is 1/100 second. SnmpV1 does not support this parameter. Because UDP has no acknowledgement mechanism, when retries and timeout are configured each trap is sent retries times, once every timeout/100 seconds.
● snmp trap version <trap-name> <version>
Mode: CONFIGURATION
Parameters:
trap-name: trap name
version: version in which the trap is sent
Function: change the version in which the trap of the specified trap-name is sent

16.4 RMON Configuration

The RMON commands are as follows:

● rmon statistics [index]
Mode: CONFIGURATION
Parameter: index: optional; if it is not entered, the system generates an index value by default.
Function: Configure the basic data of a monitored port in the statistics group. Each line corresponds to one monitored interface. By default the iSpirit 3026 is configured with 12 entries. In the interactive input, etherStatsDataSource gives the interface index of the monitored port as an objectId.

● rmon alarm [index]
Mode: CONFIGURATION
Parameter: index: optional; if it is not entered, the system generates an index value by default.
rmon alarm is an interactive command; if an index is entered, the specified entry is added or modified. The interactive input fields of an alarm are:
Interval: the sampling interval, in seconds (suppose a sample is taken every 2 seconds).
Variable: the monitored node. Its type must be an integer type (INTEGER, Counter, Gauge, or TimeTicks).
SampleType: if the sample type of the entry is absoluteValue(1), the sampled value of the selected variable is compared with the threshold value directly. If it is deltaValue(2), the difference between the current value and the last sampled value is compared with the threshold value.
StartupAlarm: the value is risingAlarm(1), fallingAlarm(2) or risingOrFallingAlarm(3). It specifies when the first sample taken after the line becomes valid generates a warning: when it is larger than or equal to RisingThreshold, when it is smaller than or equal to FallingThreshold, or in both cases.
RisingThreshold: the upper-limit threshold value of the sampled statistic.
RisingEventIndex: the eventEntry index used when the upper limit is exceeded.
FallingThreshold: the lower-limit threshold value of the sampled statistic.
FallingEventIndex: the eventEntry index used when the lower limit is exceeded.
Function: A series of threshold values in the alarm group is used to define network performance. A warning is generated if a threshold value is exceeded in some field.

The alarm group consists of one table, alarmtable. Every item in the table specifies the variable to be monitored, the sampling interval and the threshold parameters.

● rmon event [index]
Mode: CONFIGURATION
Parameter: index: optional; if it is not entered, the system generates an index value by default.
Function: The event group supports the definition of events. An event is generated by conditions elsewhere in the MIB. An event can also cause information to be recorded in this group, or an SNMP Trap message to be sent. rmon event is an interactive command; if an index is entered, the specified entry is added or modified. The EventType field of the interactive input takes the following values: none(1), log(2), snmp-trap(3), and log-and-trap(4).

● no rmon alarm <index>
Mode: CONFIGURATION
Parameter: index
Function: Delete the alarm configuration entry with the specified index.

● no rmon event <index>
Mode: CONFIGURATION
Parameter: index
Function: Delete the event configuration entry with the specified index.

● no rmon statistics <index>
Mode: CONFIGURATION
Parameter: index
Function: Delete the statistics configuration entry with the specified index.

● show rmon configuration alarm [index]
Mode: CONFIGURATION
Parameter: index
Function: Show the configuration table of alarms. If an index is entered, the configuration with that index is shown; otherwise all configurations are shown.

● show rmon configuration even [index]
Mode: CONFIGURATION
Parameter: index
Function: Show the configuration table of events. If an index is entered, the configuration with that index is shown; otherwise all configurations are shown.

● show rmon table even [index]
Mode: CONFIGURATION
Parameter: index
Function: Show the data table of events. If an index is entered, the configuration with that index is shown; otherwise all configurations are shown.

● show rmon table statistics [index]
Mode: CONFIGURATION
Parameter: index
Function: Show the data table of statistics. If an index is entered, the configuration with that index is shown; otherwise all configurations are shown.
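The way SampleType, StartupAlarm and the two thresholds interact is easier to follow in a small model. The following is an added example, not code from the manual or from the switch; it follows the RFC 2819 alarm semantics, and the names `AlarmEntry`, `evaluate`, `counter_modulus` and all readings are assumptions constructed for illustration.

```python
"""Model of the RMON alarm-group evaluation (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ABSOLUTE_VALUE, DELTA_VALUE = 1, 2                              # SampleType
RISING_ALARM, FALLING_ALARM, RISING_OR_FALLING_ALARM = 1, 2, 3  # StartupAlarm

# Which direction the first sample is allowed to report, per StartupAlarm.
STARTUP_ALLOWS = {
    RISING_ALARM: {"rising"},
    FALLING_ALARM: {"falling"},
    RISING_OR_FALLING_ALARM: {"rising", "falling"},
}


@dataclass
class AlarmEntry:
    sample_type: int
    startup_alarm: int
    rising_threshold: int
    rising_event_index: int
    falling_threshold: int
    falling_event_index: int
    # Assumption of this model: set to 2**32 when Variable is a 32-bit Counter,
    # so that a counter wrap between two readings still yields a positive delta.
    counter_modulus: Optional[int] = None


def evaluate(entry: AlarmEntry, readings: List[int]) -> List[Tuple[int, str, int]]:
    """Return (reading position, direction, event index) for every alarm raised.

    readings holds the raw value of the monitored variable, one per Interval.
    """
    if entry.rising_threshold <= entry.falling_threshold:
        # The hysteresis below needs a gap between the two thresholds.
        raise ValueError("RisingThreshold must be above FallingThreshold")

    fired: List[Tuple[int, str, int]] = []
    last_raw: Optional[int] = None   # previous raw reading, used by deltaValue
    last_dir: Optional[str] = None   # direction of the most recent crossing
    first = True                     # True until the first comparable sample

    for pos, raw in enumerate(readings):
        if entry.sample_type == DELTA_VALUE:
            if last_raw is None:     # first reading is only a baseline
                last_raw = raw
                continue
            value = raw - last_raw
            if entry.counter_modulus:
                value %= entry.counter_modulus
            last_raw = raw
        else:
            value = raw

        if value >= entry.rising_threshold:
            direction = "rising"
        elif value <= entry.falling_threshold:
            direction = "falling"
        else:
            direction = None

        # Hysteresis: once one direction has been reported, it is not reported
        # again until the opposite threshold has been reached in between.
        if direction and direction != last_dir:
            if not first or direction in STARTUP_ALLOWS[entry.startup_alarm]:
                index = (entry.rising_event_index if direction == "rising"
                         else entry.falling_event_index)
                fired.append((pos, direction, index))
            last_dir = direction
        first = False
    return fired


if __name__ == "__main__":
    # Constructed readings: absolute sampling, thresholds 100 (rising) / 20 (falling).
    entry = AlarmEntry(ABSOLUTE_VALUE, RISING_OR_FALLING_ALARM, 100, 1, 20, 2)
    for alarm in evaluate(entry, [50, 120, 130, 60, 110, 15, 105]):
        print(alarm)
```

The reading of 110 at position 4 raises no alarm because the value never reached FallingThreshold after the first rising alarm; this is what keeps a value hovering around one threshold from flooding the event log or the trap receiver.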

Chapter 17. Configuring the Debugging Instruments

Malfunctions and errors occur on the network in real applications, so instruments are needed to trace and locate them. The iSpirit 3026 switch provides several debugging instruments for tracing and locating problems of the switch and the network. This chapter describes the use and configuration of these instruments in detail. The main content is as follows:

1. Introduction to debugging instruments
2. Configuration of debugging instruments

17.1 Introduction to Debugging Instruments

The iSpirit 3026 switch provides several kinds of debugging instruments: the IP DEBUG instrument, the PING instrument, the TRACEROUTE instrument and the TELNET client instrument. This section introduces them in the following order:
● Introduction to the IP DEBUG instrument
● Introduction to the PING instrument
● Introduction to the TRACEROUTE instrument
● Introduction to the TELNET client instrument

1. Introduction to IP DEBUG Instrument

The IP DEBUG instrument displays on the terminal the basic information of the data flow received and sent by the switch, and captures the basic information of ARP data flow. When a relevant event happens or data is received or sent, the information is displayed according to the debug commands configured on the terminal, so that malfunctions and problems of the switch and the network can be debugged and diagnosed. With the IP DEBUG commands the administrator can confirm whether the switch has received or sent a protocol packet. Relevant information is displayed, such as the TCP protocol packet and its TCP destination port and source port.

The iSpirit 3026 switch supports one serial terminal and 5 TELNET terminals, and IP DEBUG commands can be configured on all of them. When a terminal opens a DEBUG configuration, the relevant information is displayed on that terminal only and does not affect the other terminals. If terminal A opens ARP DEBUG and terminal B opens TCP DEBUG, the ARP information is displayed on terminal A and the TCP information on terminal B. If two or more terminals open the same DEBUG, the relevant debug information is displayed on all of them. For example, if terminal A and terminal B both open ARP DEBUG, the ARP information is displayed on both terminal A and terminal B.

Opening DEBUG affects the performance of the switch, especially the performance of receiving and sending. We therefore advise the user to open DEBUG only when diagnosing the switch and the network, and to close all DEBUG when finished.

Because a TELNET terminal needs the PC to communicate with the switch, the IP and TCP DEBUG configurations cannot be opened from TELNET; otherwise there would be an endless loop of data flow that uses up all the resources.

2. Introduction to PING Instrument

The iSpirit 3026 switch provides the PING instrument to test the connection between the switch and destination equipment. The PING instrument uses the ICMP protocol: when the switch pings destination equipment, it sends an ICMP echo request packet and waits for a matching ICMP reply packet. If the reply packet is received, the switch and the destination are connected. If no reply is received even after the request has been sent the configured number of times, they are not connected.

The iSpirit 3026 switch provides a simple PING command and a complex PING command. The simple PING command checks the connection between the switch and the destination equipment: the switch sends 5 ICMP echo request packets and indicates whether each of them is answered. The complex PING command not only checks the connection between the switch and the destination equipment, but also has the following functions:

● Set the number of ICMP echo request packets sent.
● Set the timeout interval of waiting for the reply to an ICMP echo request packet.
● Set the size of the data field of the ICMP echo request packet.
● Set the source address of the ICMP echo request packet.
● Set the record-route option in the ICMP echo request packet, which records the addresses of the equipment on the route between the switch and the destination equipment.
● Set a loose source route in the ICMP echo request packet, to check the connection along that route between the switch and the destination equipment.
● Set a strict source route in the ICMP echo request packet, to check the connection along that route between the switch and the destination equipment.
● Set the timestamp option in the ICMP echo request packet, which records the equipment addresses and times on the route between the switch and the destination equipment.

3. Introduction to TRACEROUTE Instrument

The iSpirit 3026 switch provides a TRACEROUTE instrument to discover each routing device between the switch and the destination equipment and so determine the route between them; if the switch and the destination equipment are not connected, it can locate the device at fault. The TRACEROUTE instrument of the iSpirit 3026 switch uses UDP packets as probes: the switch sends UDP packets according to the TTL and detects the state from the ICMP error packets sent back, until it receives the ICMP packet reporting that the UDP destination port cannot be reached. The state information between the switch and the destination equipment is displayed on the switch, and with this information the problems of the network can be located.

The iSpirit 3026 provides a simple TRACEROUTE command and a complex TRACEROUTE command. The simple TRACEROUTE command only detects the status of the equipment between the switch and the destination equipment. The complex TRACEROUTE command has the following functions:

● Set the source address of the UDP packet sent.
● Set the timeout interval after a UDP packet is sent.
● Set the number of probes for each intermediate device.
● Set the maximum and minimum TTL.
● Set the UDP port number.
● Set the record-route option in the UDP packet, which records the addresses of the equipment between the switch and the destination equipment.
● Set a loose source route in the ICMP echo request packet sent, to check the connection along that route between the switch and the destination equipment.
● Set a strict source route in the ICMP echo request packet sent, to check the connection along that route between the switch and the destination equipment.
● Set the timestamp option in the ICMP echo request packet sent, which records the equipment addresses and times on the route between the switch and the destination equipment.

4. Introduction to TELNET Client Instrument

The iSpirit 3026 switch provides a TELNET client instrument for configuring and managing other equipment from the switch over TELNET. From the serial terminal or any of the 5 TELNET terminals of the iSpirit 3026 switch, the TELNET command can be carried out to log in to the destination equipment and manage it. The iSpirit 3026 switch supports one TELNET client: while the TELNET client is in use by one terminal, no other terminal can use it until that terminal exits the TELNET client.

17.2 Configuration of Debugging Instruments

This section introduces the configuration of the debugging instruments:
● Configuration of the IP DEBUG instrument
● Configuration of the PING instrument
● Configuration of the TRACEROUTE instrument
● Configuration of the TELNET instrument

1. Configuration of the IP DEBUG Instrument

By default, all DEBUG configurations are closed on the serial terminal and the 5 TELNET terminals of the iSpirit 3026 switch.
● Under global CONFIG mode, the following command opens the IP DEBUG configuration:
debug ip
● Under global CONFIG mode, the following command closes the IP DEBUG configuration:
no debug ip
Note: The two commands above can only be used on the serial terminal, not on a TELNET terminal.
● Under global CONFIG mode, the following command opens the ARP DEBUG configuration:
debug ip arp
● Under global CONFIG mode, the following command closes the ARP DEBUG configuration:
no debug ip arp
● Under global CONFIG mode, the following command opens the TCP DEBUG configuration:
debug ip tcp
● Under global CONFIG mode, the following command closes the TCP DEBUG configuration:
no debug ip tcp
Note: The two commands above can only be used on the serial terminal, not on a TELNET terminal.
● Under global CONFIG mode, the following command opens the UDP DEBUG configuration:
debug ip udp
● Under global CONFIG mode, the following command closes the UDP DEBUG configuration:
no debug ip udp
● Under global CONFIG mode, the following command opens the ICMP DEBUG configuration:
debug ip icmp
● Under global CONFIG mode, the following command closes the ICMP DEBUG configuration:
no debug ip icmp
● Under global CONFIG mode, the following command opens the SNMP DEBUG configuration:
debug ip snmp
● Under global CONFIG mode, the following command closes the SNMP DEBUG configuration:
no debug ip snmp
● Under global CONFIG mode, the following command opens the IGMP DEBUG configuration:
debug ip igmp
● Under global CONFIG mode, the following command closes the IGMP DEBUG configuration:
no debug ip igmp
● Under global CONFIG mode, the following command opens the IGMP SNOOPING DEBUG configuration:
debug ip igmpsnooping
● Under global CONFIG mode, the following command closes the IGMP SNOOPING DEBUG configuration:
no debug ip igmpsnooping
● Under global CONFIG mode, the following command closes all the DEBUG configurations:
no debug all
● Under global CONFIG mode, the following command displays all the DEBUG configurations that are open:
show ip debug-on

2. Configuration of the PING Instrument

The iSpirit 3026 switch provides one simple and one complex PING command. The serial terminal and the 5 TELNET terminals can all carry out the PING command to test the connection between the switch and the destination equipment.
● The following simple PING command is carried out under EXEC mode or global CONFIG mode, and tests the connection between the switch and the destination equipment:

ping <ip-address>

● The following complex PING command is carried out under EXEC mode or global CONFIG mode. It not only tests the connection between the switch and the destination equipment, but also carries out different functions according to the configuration entered in interactive mode:

ping

Input the corresponding configuration according to the prompts in interactive mode.

3. Configuration of the TRACEROUTE Instrument

The iSpirit 3026 switch provides one simple and one complex TRACEROUTE command. The serial terminal and the 5 TELNET terminals can all carry out the TRACEROUTE command to test the state of the intermediate equipment between the switch and the destination equipment.
● The following simple TRACEROUTE command is carried out under TRACEROUTE mode or global CONFIG mode, and tests the state of the intermediate equipment between the switch and the destination equipment:

traceroute <ip-address>

● The following complex TRACEROUTE command is carried out under TRACEROUTE mode or global CONFIG mode. It not only tests the state of the intermediate equipment between the switch and the destination equipment, but also carries out different functions according to the configuration entered in interactive mode:

traceroute

Input the corresponding configuration according to the prompts in interactive mode.

4. Configuration of the TELNET Client Instrument

The iSpirit 3026 switch provides a TELNET command. The serial terminal or any of the 5 TELNET terminals can carry out the TELNET command to log in to the destination equipment, but the TELNET client can only be used by one terminal at a time. Under global CONFIG mode, the following command logs in to the destination equipment:

telnet <ip-address>

Chapter 18. WEB Page Configuration

This chapter describes the following:

1. WEB page summary
2. Detailed introduction of each page

18.1 WEB Page Summary

1. WEB access characteristics

The iSpirit3026 switch provides a Web access service. The user can access the switch through a Web browser to control and configure it. The main characteristics of WEB access are:

Easy to access: the user can access the switch from anywhere on the Internet.

The user can access the WEB pages of the iSpirit 3026 switch with familiar browsers such as Netscape Communicator and Microsoft Internet Explorer; the WEB pages are displayed in graphic and tabular form.

The iSpirit3026 switch provides rich WEB pages through which the user can configure and administer most functions of the switch. Because the WEB pages support both Chinese and English, the user can select the Chinese or the English version to control the switch. The WEB pages are classified and grouped by function, which makes it convenient to find the relevant page for configuration and administration.

2. WEB browser system requirements

Table 18-1 shows the WEB browser system requirements.

Table 18-1

Hardware & software   System requirement
CPU                   Pentium mask
Memory                Above 32MB
Resolution            Above 800*600
Color                 Above 256
Browser               Above IE4.0 or Netscape 4.0
Operation System      Microsoft®, Windows95®, Windows98®, WindowsNT®, Windows2000®, WindowsXP®, Windows ME®

Note: Microsoft®, Windows95®, Windows98®, WindowsNT®, Windows2000®, WindowsXP®, Windows ME® are registered trademarks of Microsoft; all other product names, trademarks, registered trademarks, service marks and copyrights are held by their respective owners.

3. Accessing the WEB browser session

Before starting a WEB browser session, the user should confirm that:

● IP configuration has been performed on the switch: the IP address of the VLAN1 port is 192.168.0.1 and the subnet mask is 255.255.255.0.
● A host equipped with a Web browser is connected, and the host can PING the switch.

After that, the user inputs the switch address in the browser address bar and presses Enter to reach the Web entry page of the switch (see Figure 18-1). The default user name of the iSpirit3026 switch is admin, and the default password is empty.

Figure 18-1 Entry Interface

4. Basic Structure of WEB page

As shown in Figure 18-2, the WEB page consists of three parts: the topic page, the guidance tree page and the homepage.
● The topic page displays the logo.
● The guidance tree page holds the WEB nodes; the user can open a folder on the tree and select the page to open.
● The homepage displays the page the user selected from the navigation tree.

Figure 18-2 Web Page Structure

5. Navigation tree structure

Figure 18-3 shows the organization of the navigation tree. It lies in the lower left of the page and is displayed as a tree, so the user can easily find the WEB page to be administered. The tree is divided into groups according to the function of the pages, and each group contains one or more pages. Most page names on the guidance tree are abbreviations of the title of the corresponding page.

Figure 18-3 Guidance Tree Structure

6. Introduction to the page buttons

There are some universal buttons on the pages; generally speaking, the buttons have the same function on every page. Their functions are described in Table 18-2.

Table 18-2

Button    Function
Refresh   Update all fields on the page
Apply     Save the updated value in the memory.
Save      Apply and save the current record
Delete    Delete the current record

7. Error message

If an error happens while the WEB server of the switch handles a request from the user, the relevant error message is displayed in a dialog box.

Figure 18-4 Error Message

8. Entry

On some pages there is an Entry field at the far left of the table (see Figure 18-5); different lines can be accessed through the Entry. When a value is selected in the Entry, the information of that line is shown in the first line, and only that line can be edited at that moment; it is called the active line. When a page is opened for the first time, new is displayed in the Entry and the active line is empty.

To add a new line, select new from the drop-down menu of the Entry, input the new information, then press the SAVE or APPLY key.

To edit an existing line, select the relevant line number from the drop-down menu of the Entry, edit the line as required, then press the SAVE or APPLY key; the change is then displayed in the table.

To delete a line, select the relevant line number from the drop-down menu of the Entry and press the Delete key; the line then disappears from the table.

Figure 18-5 Entry

9. Status Field

On some pages there is a Status field at the far right of the table (see Figure 18-6), which displays the status of the line. The status of every line is changed internally, so the Status field is read-only. Once all the information in a line has become effective, the Status of the line becomes active.

Figure 18-6 Status

18.2 Introduction to WEB Pages

In the WEB organization of the iSpirit3026 switch, each group contains one or more WEB pages. Each page is introduced in detail below:

1. Entry dialog box

Figure 18-7 shows the entry dialog box, which is displayed when the user enters the page for the first time. The user inputs the user name and password in the relevant fields and presses the OK key to enter the Web server of the switch. The fields are case-sensitive, and at most 16 characters can be set. The default user name of the iSpirit3026 switch is admin and the default password is empty.

Figure 18-7 Entry Dialog Box

2. Homepage

Figure 18-8 shows the WEB homepage of the iSpirit 3026 switch, which is displayed after the user enters the page or clicks the iSpirit3026 node of the guidance tree.

Figure 18-8 Homepage

3. Management Configuration

(1) Switch configuration page
Figure 18-9 shows the switch configuration page, on which the user can configure the basic information of the switch. The user can configure the default gateway of the switch (the default route). The user can read the MAC address of the VLAN1 subnet of the switch but cannot configure it. The user can start or close some basic protocols, such as STP and the IGMP SNOOPING protocol. The user can restart the switch through this page: select reset or factory defaults from the drop-down menu of Reset, then press the APPLY or Save key. Before the switch restarts, the user is asked to confirm the selection. Selecting reset only restarts the switch; selecting reset factory defaults restarts the switch and returns it to its factory default status.

Figure 18-9 Switch Configuration Page

(2) System configuration page
Figure 18-10 shows the system configuration page, which provides the user with the system information of the switch and allows the user to configure some of it. Through this page the user can read the system description of the switch, the system OID, the number of system ports and the startup time of the system. The user can configure the system name, system position, system connection and production name.

Figure 18-10 System Structure Configuration Page

(3) Serial port configuration page
Figure 18-11 shows the serial port configuration page, which displays the baud rate of the serial port and the other information relevant to the serial port. When a host administers the switch through a serial terminal (such as Windows HyperTerminal), the COM port configuration of the serial terminal should agree with the information on this page.

Figure 18-11 Serial Port Configuration Page

(4) Password amendment page
Figure 18-12 shows the password amendment page, on which the user can change the administration password of the switch; the serial port, TELNET and WEB share the same password. The password is case-sensitive, and at most 16 characters can be set. To change the password, the user inputs the new password twice, and both inputs must be the same. The new password is activated only after the user presses APPLY or SAVE; the entry dialog box is then displayed (see Figure 18-7), and the user must enter the page again with the new password.

Figure 18-12 Password Amendment Page

4. Port configuration

(1) Port configuration/Stat. message page
Figure 18-13 shows the Port configuration/Stat. message page, on which the user can enable or disable a port, configure the port speed, and check the basic information and statistics of the port. To configure or check a particular port, the user selects the relevant port number from the drop-down menu of Port. The default status of a port is enable; select disable in the drop-down menu to close it. The user can use the speed drop-down menu to configure the port speed, for example forced half-duplex 100M and so on. Through this page the user can also read the other basic information of the port and the statistics of received and sent packets.

Figure 18-13 Port Configuration/Stat. Message Page

(2) Port aggregation configuration page
Figure 18-14 shows the port aggregation configuration page, which allows the user to configure port aggregation. It consists of three parts: selection of the port aggregation group number, selection of the port list and selection of the port aggregation manner. To set up or amend a port aggregation, the user selects a port aggregation group number from 0 to 5. When the user clicks the relevant port aggregation number in the dialog box, the port aggregation information is displayed in the active line, where the user can select the port aggregation manner and the aggregated port list. After configuration, the user should press the Apply or SAVE key. The switch provides 6 aggregation manners: based on source MAC address, based on destination MAC address, based on combined source and destination MAC address, based on source IP address, based on destination IP address; all of them can be used for layer-2 forwarding of data packets, but only the last three can be used for layer-3 forwarding. The iSpirit3026 switch supports at most 6 port aggregation groups, and each group supports at most 8 100M ports.

Figure 18-14 Port Aggregation Configuration Page

(3) Port mirroring (enantiomorph) configuration page
Figure 18-15 shows the port mirroring configuration page, which allows the user to configure port mirroring. It consists of three parts: the mirror port, the list of ports whose output is mirrored and the list of ports whose input is mirrored. With port mirroring, the mirror port monitors the data packets output by the mirrored output ports and the data packets input by the mirrored input ports. Only one mirror port can be selected, whereas the mirrored input and output ports are selected from the port lists.

Figure 18-15 Port Enantiomorph Configuration Page

(4) Port isolation configuration page
Figure 18-16 shows the port isolation configuration page, which allows the user to configure port isolation. When a configuration succeeds, it is displayed in the configuration table below. To delete an entry, tick its check box and click the Delete key; or click the Select All key and then the Delete key.

Figure 18-16 Port Isolation Configuration Page

5. VLAN configuration

(1) Current VLAN configuration page
Figure 18-17 shows the current VLAN configuration page, which is read-only and displays all current VLAN configuration information, including the VID and the port list.

A port may be a non-member of a VLAN, or it may be a tagged or an untagged member of the VLAN. The meaning of the characters shown for the ports on the page is described in Table 18-3.

Table 18-3

Character   Full name     Meaning
-           Non-member    Port is not member of it
M           Member        Port is member of it
U           Untagged      Port is member of it

Figure 18-17 Current VLAN Configuration Page

(2) Static VLAN configuration page
Figure 18-18 shows the static VLAN configuration page, which allows the user to set up a VLAN and configure its port members. It consists of two parts: the active line and the list box. The active line is the first line and is editable; the list box under the active line contains a series of static VLANs with their VID and VLAN name.

To set up a new VLAN, input the VID, VLAN name and port list in the active line, then press the APPLY or SAVE key; the VID and VLAN name of the new VLAN are then displayed in the list box.

To amend an existing VLAN, click the relevant VLAN in the list box so that it is displayed in the active line, amend it, then press the APPLY or SAVE key.

To delete a VLAN, click the relevant VLAN in the list box so that it is displayed in the active line, then press the Delete key; the VLAN is deleted together with the information in it.

The iSpirit3026 switch supports at most 4094 VLANs. A port may be a non-member of a VLAN, or it may be a tagged or an untagged member of the VLAN. To amend the VLAN port list, click the mouse on each port; the port can be switched between U and M. The meaning of the characters shown for the ports on the page is described in Table 18-4.

Table 18-4

Character   Full name     Meaning
-           Non-member    Port is not member of it
M           Member        Port is member of it
U           Untagged      Port is member of it

Figure 18-18 Static VLAN Configuration Page

(3) Private VLAN configuration page
Figure 18-19 shows the private VLAN configuration page, on which the user can configure the VLANs and ports of a private VLAN group. The iSpirit3026 supports 12 private VLAN groups; to configure a private VLAN, first select the VLAN group number, then configure the VLANs and ports of the private VLAN group.

The VLANs of a private VLAN group consist of three parts: the minimum VLAN, the maximum VLAN and the main VLAN. The VLANs of different VLAN groups cannot overlap. A VLAN within the VLAN range of a private VLAN group cannot be occupied by a general VLAN; if it is, the configuration of the private VLAN group cannot be achieved.

The ports in a private VLAN group are divided into three types: isolation ports, sharing ports and mixed ports. An isolation port can communicate with mixed ports. Sharing ports can be divided into groups, and 6 groups are supported; a sharing port can communicate with mixed ports and with the other ports in its sharing port group. A mixed port can communicate with all isolation ports, sharing ports and other mixed ports.

When the ports of a private VLAN group are configured, the isolation ports, sharing ports and mixed ports of the group cannot overlap with each other, and cannot overlap with the ports of other private VLAN groups. A mixed port must exist in the private VLAN group. Both isolation ports and sharing ports should exist in the private VLAN group; otherwise the configuration of the private VLAN cannot succeed.

After the VLAN and port information of the private VLAN group has been configured, press the APPLY or SAVE key. If the configuration of the private VLAN group succeeds, the status of the private VLAN is active; otherwise, the private VLAN group status displays the reason for the failure. To delete a private VLAN group, select the VLAN group number and press the Delete key.
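The private VLAN rules above can be checked before a configuration is entered on the switch. The following is an added example, not code from the manual or the switch; it covers the VLAN-range, port-overlap and mixed-port rules and the stated communication rules, and the names `PrivateVlanGroup`, `validate` and `can_communicate`, the per-group reading of the limit of 6 sharing groups, and all sample values are assumptions.

```python
"""Checker for the private VLAN group rules (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

MAX_GROUPS = 12          # private VLAN groups supported, per the text
MAX_SHARING_GROUPS = 6   # sharing-port groups; assumed to apply per private VLAN group


@dataclass
class PrivateVlanGroup:
    number: int
    min_vlan: int
    max_vlan: int
    main_vlan: int
    isolation_ports: Set[int] = field(default_factory=set)
    mixed_ports: Set[int] = field(default_factory=set)
    sharing_groups: List[Set[int]] = field(default_factory=list)

    def sharing_ports(self) -> Set[int]:
        return set().union(*self.sharing_groups)

    def ports(self) -> Set[int]:
        return self.isolation_ports | self.mixed_ports | self.sharing_ports()


def validate(groups: List[PrivateVlanGroup], general_vlans: Set[int]) -> List[str]:
    """Return one message per violated rule; an empty list means acceptable."""
    errors: List[str] = []
    if len(groups) > MAX_GROUPS:
        errors.append(f"more than {MAX_GROUPS} private VLAN groups")
    owner: Dict[int, int] = {}            # port -> number of the group that holds it
    for i, g in enumerate(groups):
        tag = f"group {g.number}"
        # A general VLAN must not sit inside the private VLAN range.
        used = sorted(v for v in general_vlans if g.min_vlan <= v <= g.max_vlan)
        if used:
            errors.append(f"{tag}: range holds general VLANs {used}")
        # VLAN ranges of different groups must not overlap.
        for other in groups[:i]:
            if g.min_vlan <= other.max_vlan and other.min_vlan <= g.max_vlan:
                errors.append(f"{tag}: VLAN range overlaps group {other.number}")
        if not g.mixed_ports:
            errors.append(f"{tag}: no mixed port")
        if len(g.sharing_groups) > MAX_SHARING_GROUPS:
            errors.append(f"{tag}: more than {MAX_SHARING_GROUPS} sharing groups")
        # A port may have only one of the three types inside a group.
        iso, mix, shr = g.isolation_ports, g.mixed_ports, g.sharing_ports()
        multi = sorted((iso & mix) | (iso & shr) | (mix & shr))
        if multi:
            errors.append(f"{tag}: ports {multi} have more than one type")
        # A port may belong to only one private VLAN group.
        for port in sorted(g.ports()):
            if port in owner:
                errors.append(f"{tag}: port {port} already in group {owner[port]}")
            else:
                owner[port] = g.number
    return errors


def can_communicate(g: PrivateVlanGroup, a: int, b: int) -> bool:
    """Apply the stated rules to two ports of the same private VLAN group."""
    for p in (a, b):
        if p not in g.ports():
            raise ValueError(f"port {p} is not in group {g.number}")
    if a in g.mixed_ports or b in g.mixed_ports:
        return True                       # mixed ports reach every port type
    # Otherwise only two ports of the same sharing group can talk.
    return any(a in s and b in s for s in g.sharing_groups)


if __name__ == "__main__":
    # Constructed sample: ports 1-2 isolated, 24 mixed (uplink), two sharing groups.
    g1 = PrivateVlanGroup(1, 100, 110, 100, {1, 2}, {24}, [{3, 4}, {5, 6}])
    g2 = PrivateVlanGroup(2, 105, 120, 105, {2, 7}, set(), [])
    print(validate([g1], {1, 200}))       # no findings
    print(validate([g1, g2], {1}))        # three findings for group 2
    print(can_communicate(g1, 1, 2), can_communicate(g1, 1, 24))
```

Running `can_communicate` over every port pair gives the isolation matrix the configuration is expected to enforce, which can then be compared with what a connectivity test between the ports actually shows.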

Figure 18-19 Private VLAN Configuration Page

6. Configuration of Multicast Group

(1) Current multicast group page

Fig 18-20 shows the current multicast group page, a read-only page that displays all current multicast groups, including the groups learned by IGMP SNOOPING and the groups configured statically. Each entry on the page contains three parts: VID, multicast MAC address and port list. The VID and the multicast MAC address together form the index of the entry. A port may or may not be a member of a multicast group. The meaning of the characters shown for each port on the page is given in Table 18-5:

Table 18-5

Character  Full name   Meaning
-          Non-member  The port is not the member of this
M          Member      The port is the member of this

Fig 18-20 Page Of Current Multi-Broadcast Group Configuration

(2) Static multicast group configuration page

Fig 18-21 shows the static multicast group configuration page, which allows the user to set up a multicast group and assign ports to it. The page consists of two parts, the active line and the list box, both of which are used in configuration; the list box under the active line contains the static multicast groups, each identified by its VID and MAC address.

To configure a new multicast group, enter the VID, the multicast MAC address and the port list, then press the Apply or Save key; the VID and MAC address of the new multicast group are then displayed in the list box. If the VLAN does not exist or the MAC address is not a multicast MAC address, the multicast group cannot be set up. Fig 18-22 shows the error indication displayed when the MAC address is not a multicast address.

To change an existing multicast group, click the group in the list box so that it is displayed in the active line, amend the port list of the group, then press the APPLY or SAVE key. To delete a multicast group, click the group in the list box so that it is displayed in the active line, then press the Delete key; the group is deleted and its entry in the list box is deleted too. The iSpirit3026 switch supports at most 255 multicast groups.

A port may or may not be a member of a multicast group. To amend the port list of a multicast group, click each port to switch it between - and M. The meaning of the characters shown for each port on the page is given in Table 18-6:

Table 18-6

Character  Full Name   Meaning
-          Non-member  The port is not the member of this
M          Member      The port is the member of this

Figure 18-21 Static Multi-Broadcast Group Configuration Page


Current multi-broadcast group configuration page (Fig 18-22)

7. SNMP configuration

(1) SNMP TRAP configuration page

The SNMP TRAP configuration page (see Fig 18-23) allows the user to configure the IP address of the workstation that receives TRAP messages and some parameters of the TRAP protocol packet; up to 8 entries can be set up. By default the page contains 3 entries; they are inactive, which means they cannot be used. Only 2 of the 3 entries can be deleted, which means at least 1 entry must remain. When an entry is set up, the default parameters are: TRAP destination port number 162, TRAP packets are not re-sent, re-send timeout interval 15 seconds, and SNMP version SNMPv1. The user can change all the parameters. When an entry is set up successfully, it is displayed as active and the SNMP TRAP function works: when a Link up or Link down event happens, the switch automatically sends a TRAP packet to the destination address.


Figure 18-23 SNMP TRAP Page Of Configuration

(2) SNMP community ("sharing") configuration page

The SNMP community configuration page (see 18-24) allows the user to set up the names and access permissions of the SNMP communities of the switch; up to 8 entries can be set up. By default the switch has one community, named public, with read-only permission; accordingly the page has only one active entry, with community name public and read-only permission. When the switch is to be controlled from a network management system through SNMP, the user should set up a community with read-write permission.

Figure 18-24 SNMP Sharing Configuration Page

8. Configuration of STP

(1) Parameter configuration page of Bridge

The bridge parameter configuration page (Fig 18-25) allows the user to view the designated bridge information and the configuration of the bridge itself, which can be amended. The user can amend the bridge priority, whose default value is 32768. The lower the priority value, the more likely the bridge is to become the root bridge. Do not change the time parameters on the page under normal conditions, because their values are the standard defaults of the STP protocol.


Figure 18-25 Parameter Configuration Page Of Bridge

(2) Parameter configuration page of Port

The port parameter configuration page (Fig 18-26) allows the user to view the parameters of all ports and to configure the STP status and priority of each port. The page covers multiple instances ("samples"); at most 255 instances can be set up. By default all ports are members of instance 1, which can be deleted, but can not be amended. The user can set the STP status of a port to disable, which excludes the port from the STP calculation. The user can change the priority of a port (default is 128); the lower the priority value, the more likely the port is to become the root port.


Figure 18-26 Parameter Configuration Page Of Port

(3) Multi-sample configuration page

The multi-sample (multi-instance) configuration page (Figure 18-27) allows the user to view the configuration of all instances.

Figure 18-27 Multi-sample configuration page


The STP protocol must be enabled before the multi-sample configuration is set up; otherwise the setup cannot be performed, and the following alarm page is shown:

Figure 18-28. Alarm Page

When the configuration is performed (Figure 18-29), the VLAN must exist and the port must be in the VLAN; otherwise the following alarm is shown:

Figure 18-29 Alarm Page

9. ACL Configuration of Resource Bank

(1) ACL extension MAC Configuration page

Figure 18-30 shows the ACL extended MAC configuration page, on which the user sets up the rule base of extended MAC ACLs. The user chooses an ACL group number (from 400 to 599) and sets up one or more rules in the group (at most 128 rules are supported in one group). The match fields are the source MAC address (with mask), the destination MAC address (with mask), the Ethernet frame type (such as IP, ARP and so on) and the VLAN ID.

A mask ("hidden code") can be attached to the source MAC address and the destination MAC address when a rule is configured, so that the rule matches a range of MAC addresses. The mask is written as an inverse (wildcard) mask: if the range of MAC addresses to be matched by a rule is from 00:11:22:33:44:00 to 00:11:22:33:44:FF, the MAC address is 00:11:22:33:44:55 with the mask 00:00:00:00:00:FF.

When a rule is configured, a filter mode must be set for it. There are four filter modes: permission, rejection, permit all and reject all. If the user selects “permit all” or “reject all”, the source MAC address and destination MAC address that were set up have no effect (in fact, none of the match fields has any effect) and they can be unified as 00:00:00:00:00:00 with mask FF:FF:FF:FF:FF:FF. If there is no field to be matched, that is, the match fields are empty, “Rejection” equals “reject all” and “Permission” equals “permit all”.

Each rule group on the page has a reference field, which is read-only and cannot be configured. The field tells the user how many applications currently use the rule group; the applications that use rules are ACL filtering and QoS operations. When the reference field is 0, no application uses the rule group and the group can be configured: rules can be added, deleted or amended. When the reference field is not 0, the rule group cannot be configured. When a rule is set up in a rule group, the system automatically assigns it a rule number; when a rule is deleted, the other rules do not change and the system arranges the rules in the group automatically.

Figure 18-30.ACL Extension MAC Configuration Page

(2) ACL extension IP configuration page

Fig 18-31 shows the ACL extended IP configuration page, on which the rule base of extended IP ACLs is configured. The user selects an ACL group number (from 200 to 399) and sets up one or more rules in the group (at most 128 rules are supported in one group). The match fields of a group are the source IP address (with mask), the destination MAC address (with mask), the protocol type (such as ICMP, TCP, UDP and so on), and the source port and destination port (for the TCP and UDP protocols).

Figure 18-31. ACL Extension IP Configuration Page

A mask ("hidden code") can be attached to the source IP address and the destination IP address when a rule is configured, so that the rule matches a range of IP addresses. The mask is written as an inverse (wildcard) mask: if the range of IP addresses to be matched by a rule is from 192.168.0.0 to 192.168.0.255, the IP address is 192.168.0.1 with the mask 0.0.0.255.

When a rule is configured, a filter mode must be set for it. There are four filter modes: permission, rejection, permit all and reject all. If the user selects “permit all” or “reject all”, the source IP address and destination IP address that were set up have no effect (in fact, none of the match fields has any effect) and they can be unified as 00:00:00:00:00:00 with mask FF:FF:FF:FF:FF:FF. If there is no field to be matched, that is, the match fields are empty, “Rejection” equals “reject all” and “Permission” equals “permit all”.

Each rule group on the page has a reference field, which is read-only and cannot be configured. The field tells the user how many applications currently use the rule group; the applications that use rules are ACL filtering and QoS operations. When the reference field is 0, no application uses the rule group and the group can be configured: rules can be added, deleted or amended. When the reference field is not 0, the rule group cannot be configured. When a rule is set up in a rule group, the system automatically assigns it a rule number; when a rule is deleted, the other rules do not change and the system arranges the rules in the group automatically.

(3) ACL standard IP configuration page

Fig 18-31 shows the ACL standard IP configuration page, on which the rule base of standard IP ACLs is configured. The user selects an ACL group number (from 1 to 199) and sets up one or more rules in the group (at most 128 rules are supported in one group); only the source IP address (with mask) can be matched.

A mask ("hidden code") can be attached to the source IP address when a rule is configured, so that the rule matches a range of IP addresses. The mask is written as an inverse (wildcard) mask: if the range of IP addresses to be matched by a rule is from 192.168.0.0 to 192.168.0.255, the IP address is 00:11:22:33:44:55 with the mask 00:00:00:00:00:FF.

When a rule is configured, a filter mode must be set for it. There are four filter modes: permission, rejection, permit all and reject all. If the user selects “permit all” or “reject all”, the source IP address and destination IP address that were set up have no effect (in fact, none of the match fields has any effect) and they can be unified as 0.0.0.0 with mask 255.255.255.255. If there is no field to be matched, that is, the match fields are empty, “Rejection” equals “reject all” and “Permission” equals “permit all”.

Each rule group on the page has a reference field, which is read-only and cannot be configured. The field tells the user how many applications currently use the rule group; the applications that use rules are ACL filtering and QoS operations. When the reference field is 0, no application uses the rule group and the group can be configured: rules can be added, deleted or amended. When the reference field is not 0, the rule group cannot be configured. When a rule is set up in a rule group, the system automatically assigns it a rule number; when a rule is deleted, the other rules do not change and the system arranges the rules in the group automatically.
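The address-plus-mask matching used by the extended MAC, extended IP and standard IP pages above can be worked through in a few lines. This is an added example, not code from the manual or the switch firmware: it assumes, as the manual's own examples imply, that a 1 bit in the mask means "ignore this bit", and all function names are chosen here for illustration. It also derives the address and mask for a range and shows what happens when a subnet mask is typed where the inverse mask belongs.

```python
import ipaddress

MAC_BITS, IPV4_BITS = 48, 32


def parse_mac(text):
    """Convert 'AA:BB:CC:DD:EE:FF' to a 48-bit integer."""
    parts = text.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return int("".join(parts), 16)


def format_mac(value):
    raw = f"{value:012X}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def parse_ipv4(text):
    return int(ipaddress.IPv4Address(text))


def format_ipv4(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_match(candidate, address, wildcard, bits):
    """True when candidate equals address on every bit the mask does not ignore."""
    care = ~wildcard & ((1 << bits) - 1)
    return (candidate & care) == (address & care)


def mac_matches(candidate, address, wildcard):
    return wildcard_match(parse_mac(candidate), parse_mac(address),
                          parse_mac(wildcard), MAC_BITS)


def ipv4_matches(candidate, address, wildcard):
    return wildcard_match(parse_ipv4(candidate), parse_ipv4(address),
                          parse_ipv4(wildcard), IPV4_BITS)


def range_to_wildcard(low, high, bits):
    """Return (address, mask) covering exactly low..high, or raise ValueError.

    Only an aligned power-of-two block can be expressed by one address/mask
    pair; any other range would silently match extra addresses.
    """
    if not 0 <= low <= high < (1 << bits):
        raise ValueError("invalid range")
    wildcard = (1 << (low ^ high).bit_length()) - 1
    if low & wildcard or (high & wildcard) != wildcard:
        raise ValueError("range is not a single aligned block")
    return low, wildcard


def mac_range_to_rule(low, high):
    address, wildcard = range_to_wildcard(parse_mac(low), parse_mac(high), MAC_BITS)
    return format_mac(address), format_mac(wildcard)


def ipv4_range_to_rule(low, high):
    address, wildcard = range_to_wildcard(parse_ipv4(low), parse_ipv4(high), IPV4_BITS)
    return format_ipv4(address), format_ipv4(wildcard)


if __name__ == "__main__":
    # The manual's own MAC and IP examples.
    print(mac_matches("00:11:22:33:44:9A", "00:11:22:33:44:55", "00:00:00:00:00:FF"))
    print(ipv4_matches("192.168.0.200", "192.168.0.1", "0.0.0.255"))
    # Address 0 with an all-ones mask matches every host ("permit all" / "reject all").
    print(ipv4_matches("10.9.8.7", "0.0.0.0", "255.255.255.255"))
    # Constructed mistake: a subnet mask entered as the inverse mask ignores the
    # first three octets, so the rule matches any host whose last octet is 1.
    print(ipv4_matches("10.9.8.1", "192.168.0.1", "255.255.255.0"))
    print(ipv4_range_to_rule("192.168.0.0", "192.168.0.255"))
```

Because ignored bits are never compared, 192.168.0.1 and 192.168.0.0 with mask 0.0.0.255 describe the same rule.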


Figure 18-32 ACL Standard IP Configuration Page

10. Configuration of plied page

(1) Configuration Page of pile parameters

The pile parameter configuration page (Figure 18-23) allows the user to set the role of the switch: alternate switch, main switch or excluded from the pile group. The hello packet interval, the name of the pile switch and whether the switch joins a pile group automatically can also be set up.

A port list can be set up as well; the entries in it must be separated by commas.


Figure 18-33 Pile Parameter Configuration Page

(2) Member management configuration page

The pile member management configuration page is shown in Figure 18-34. When the switch works as a member switch, it is a read-only page that displays the current configuration and status of the switch.


Figure 18-34 Pile Member Management Configuration Page

Figure 18-25 shows the configuration page when the switch works as the main switch; on it an alternate switch can be forcibly set up on, or deleted from, the main switch.


Figure 18-35. Pile Member Page

11. Super-safety configuration

(1) IP address binding configuration page

The IP address binding configuration page (Figure 18-36) allows the user to bind one or more IP addresses to a port (at most 128 IP addresses; the number depends on the usage of the FFP). Only hosts with a bound IP address can access the network; hosts with an unbound IP address cannot. To bind an IP address, first select the port, then enter the IP address to be bound to the port. If the page shows no entries, no IP address is bound to the port; if the list contains entries, IP addresses are bound. To unbind, tick the check box in front of each IP address to be unbound, then click the unbind key. To unbind all the IP addresses on the port, click the Select All key and then the binding key. If the IP address is wrong when it is bound, the system shows an alarm message pointing out the wrong IP address, as shown in Figure 18-27.

When the user also enters a MAC address, the port allows data with the same IP address and the same MAC address to be transmitted. Entering the MAC address is optional, but the alarm message (Figure 18-23) is still shown if the MAC address is wrong.


Figure 18-36. Address Binding Configuration Page

Figure 18-37. Indication Of Wrong IP Address

Figure 18-38. Alarm Message

(2) MAC address manual binding configuration page

The MAC address manual binding configuration page (Fig 18-39) allows the user to bind one or more MAC addresses to a port (at most 128 MAC addresses can be bound). Only hosts with a bound MAC address can access the network through the port; hosts without one cannot. To bind a MAC address, first select the port to bind to, enter the VLAN number and the MAC address, then bind them to the port. If no entry exists on the page, no MAC address is bound; if the list contains one or more entries, MAC addresses are bound. To unbind, tick the check box in front of each IP address to be unbound, then click the unbind key. To unbind all the MAC addresses on the port, click the Select All key and then the binding key. No indication is shown if the setup fails.

Figure 18-39.MAC Address Manual Binding Configuration Page.

(3) MAC address automatic binding configuration page

The MAC address automatic binding configuration page (Figure 18-40) allows the user to bind the MAC addresses learned on a port to that port automatically. Once MAC addresses are bound to a port, only hosts with a bound MAC address can access the network through the port; hosts without one cannot. To perform the binding, select the port whose MAC addresses are to be bound. If no MAC address is bound to the port, there is no check box in front of the entries in the table; if no MAC address is bound to the port, the system puts the MAC addresses learned by the port into the table with a check box in front of each entry. Tick the check box in front of each MAC address to be bound, then click the binding key to bind the MAC addresses. To bind all the learned MAC addresses, click the Select All key and then the binding key. Figure 18-41 shows the page after MAC addresses have been bound automatically.

Figure 18-40 MAC Address Automatic Binding Configuration Page

(4) Safe configuration page for user management

Figure 18-41 shows the safe (security) configuration page for user management, on which the administrator controls the network management services TELNET, WEB and SNMP: each service can be turned on or off and can be associated with a standard IP ACL group to control which hosts may access it. By default the TELNET, WEB and SNMP services are on and no ACL filtering is applied, which means that all hosts can access the three services of the switch. If, for the sake of security, the administrator does not want to provide one or several of the services to other users, those services can be closed. If only particular hosts should be able to access one or several services, ACL filtering can be applied to those services. A service that needs ACL filtering must be open and must have a standard IP ACL group selected, and that ACL group must exist and be active.

Note that if the administrator controls the WEB service on this page (for example, closes it), users may no longer be able to use the WEB pages and the WEB pages may become grey. In that case, access the switch in another way and control the WEB service (for example, open it) so that the WEB pages can be used again.


Figure 18-41 Safe Configuration Page For User Administration

(5) Port ACL Filtration configuration page

Figure 18-42 shows the port ACL filtering configuration page, on which the user selects an ACL group for a port; the rules of the ACL group are written into the hardware FFP logic of the port, which enables the port to perform ACL filtering on received packets. The ACL group selected for a port can be a standard IP, extended IP or MAC group. The selected ACL group must exist and be active; otherwise an alarm is raised.


Figure 18-42 Safe Configuration Page For User Administration

Figure 18-43 Safe Configuration Page For User Administration

12. QoS configuration

(1) COS-DSCP mapping form configuration page

Fig 18-44 shows the COS-DSCP mapping table configuration page, on which the user can view the mapping between COS values and internal DSCP values and amend the mapping table. The COS-DSCP mapping table is used when a port is set up to classify data flows by the COS value of packets: each packet is mapped, according to its COS value, to an internal DSCP value, and the QoS strategy is applied on the basis of the internal DSCP value. The COS-DSCP table has a default mapping that the user can amend, but under normal conditions there is no need to amend it.


Figure 18-44 Configuration Page For COS-DSCP Mapping Form

(2) Configuration page for PREC-DSCP mapping form

Figure 18-45 shows the PREC-DSCP mapping table configuration page, on which the user can view the mapping between ip precedence values and internal DSCP values and amend the mapping table. The PREC-DSCP mapping table is used when a port is set up to classify data flows by the ip precedence value of packets: each packet is mapped, according to its ip precedence value, to an internal DSCP value, and the QoS strategy is applied on the basis of the internal DSCP value. The PREC-DSCP table has a default mapping that the user can amend, but under normal conditions there is no need to amend it.


Figure 18-45 PREC-DSCP Mapping Form Configuration Page

(3) DSCP-DSCP mapping form configuration page

Figure 18-46 shows the DSCP-DSCP mapping table configuration page, on which the user can view the mapping between DSCP values and internal DSCP values and amend the mapping table. The DSCP-DSCP mapping table is used when a port is set up to classify data flows by the DSCP value of packets: each packet is mapped, according to its DSCP value, to an internal DSCP value, and the QoS strategy is applied on the basis of the internal DSCP value. The DSCP-DSCP table has a default mapping that the user can amend, but under normal conditions there is no need to amend it.


Figure 18-46 DSCP-DSCP Mapping Form Configuration Page

(4) DSCP-QUEUE mapping form configuration page

Figure 18-47 shows the DSCP-QUEUE mapping table configuration page, on which the user can view the mapping between DSCP values and priority queues and amend the mapping table. The DSCP-QUEUE mapping table is used after a data flow has been classified and the QoS strategy has been applied: the PRI queue value is calculated from the internal DSCP value of the packet, and the packet is put into the corresponding PRI queue of the output port. The DSCP-QUEUE table has a default mapping that the user can amend, but under normal conditions there is no need to amend it. Each port of the iSpirit3026 switch supports 8 PRI queues.


Figure 18-47 DSCP-QUEUE Mapping Form Configuration Page

(5) QoS classification configuration page

Fig 18-48 shows the QoS classification configuration page, on which the user can define one or more operations. The iSpirit3026 switch supports 1000 operations, of the types COS, PREC, DSCP and ACL. To configure an operation, select the operation group number, then select the type of operation; the match configuration differs according to the type. For a COS operation, one or more values from 0 to 7 can be selected (at least 8 values should be selected, separated by blanks). For a PREC operation, one or more values from 0 to 7 can be selected (at least 8 values should be selected, separated by blanks). For a DSCP operation, one or more values from 0 to 63 can be selected (at least 8 values should be selected, separated by blanks). For an ACL operation, one ACL group from 1 to 599 can be selected; the group must exist and be available, and it may have a name.


Figure 18-48 Qos Classification Configuration Page

(6) QoS strategy configuration page

Fig 18-49 shows the QoS strategy configuration page, on which one or more QoS strategies can be defined. iSpirit3026 supports 12 QoS strategies; each contains one or more operations, and a strategy must be set up for each operation. For each operation in a QoS strategy, the operation sign type and the operation sign value can be set up. The operation sign type is COS, ip precedence or DSCP; the value of COS and ip precedence is from 0 to 7 and the value of DSCP is from 0 to 63. The PRI queue of a data flow is obtained from the operation sign type and value through the mapping tables, and the packet headers of the data flow are amended according to the operation sign. A bandwidth restriction can be applied to each operation in a QoS strategy (or left unset); the minimum bandwidth restriction on the iSpirit3026 switch is 1Mbps, with a minimum granularity of 1Mbps.

The user can not only add strategies to a QoS strategy but also delete operations together with their strategies; to delete the whole QoS strategy, delete all the operations in it.


Figure 18-49 Qos Strategy Configuration Page

(7) QoS strategy configuration page

Figure 18-50 shows the configuration page for QoS strategy names, on which the user can define a name for a QoS strategy, delete a QoS strategy and view the information in a QoS strategy. Each QoS strategy has a reference count field in the table on the page, which is read-only and cannot be configured. The field tells the user how many applications are currently using the QoS strategy; the applications that use a QoS strategy are QoS un-trust ports. When the reference count is 0, no application uses the QoS strategy and the strategy can be configured. When the reference count is not 0, the QoS strategy cannot be configured.


Figure 18-50 Qos Strategy Configuration Page

(8) Port QoS configuration page

Figure 18-51 shows the port QoS configuration page, on which the user can select a QoS strategy for a port so that QoS is performed on the data flows entering the port: the data flows are classified and the QoS strategy is applied, which ensures the service quality of important data flows. QoS on a port is of two kinds: QoS trust port and QoS un-trust port. A QoS trust port is of one of three types: TRUST COS, TRUST ip_precedence and TRUST DSCP.

When QoS is configured for a port, the user can select any one of COS, ip precedence, and DSCP policy from the value sign. The port configuration is TRUST COS when COS is selected and TRUST DSCP when DSCP is selected; the port configuration is un-trust when Policy is selected, and a Policy strategy code is then needed (from 1 to 12). The QoS configuration of a port can also be deleted on the page.


Figure 18-51 Port Qos Configuration Page

13. ARP configuration

(1) ARP configuration page

Figure 18-52 shows the ARP configuration page, which displays all the information in the ARP table of the switch and on which the user can configure static ARP entries or delete ARP entries. To configure a static ARP entry, enter the IP address and the MAC address; to delete an ARP entry, enter the IP address as well.


Figure 18-52 ARP Configuration Page

14. IP Route configuration

(1) IP sub-internet configuration page

Figure 18-53 shows the IP subnet ("sub-internet") configuration page, on which the user can configure a VLAN subnet interface, delete a VLAN subnet interface and view subnet information.


Figure 18-53 IP Sub-Internet Confirmation Page

By default the iSpirit3026 switch has a subnet interface on VLAN1, which cannot be deleted. iSpirit3026 supports at most 16 subnet interfaces. Only one subnet can be set up on a VLAN. When the status of a subnet interface shows active, the subnet interface is available. When the IP address or mask is wrong, an error alarm is shown:

Figure 18-54 Alarm Indication Of Error

(2) Static route configuration page

Figure 18-55 shows the static route configuration page, on which the user can add, delete or amend the static routes of the switch. By default no static route is set up on the switch; a default route, with destination address and mask of 0, can be set up through the page.


When the next hop is entered, the address must be in the same network segment as a subnet interface of the switch; otherwise the static route cannot be configured. When the network address or mask entered, or the next-hop IP address, is wrong, an error indication is shown. See Figure12-2a: the destination address entered must be a network address, and the next hop and the interface must be in the same network segment.

Figure 18-55 Static Route Configuration Page

Figure 18-56 Indication Error Of Alarm

(3) Showing page for Route form

Figure 18-57 shows the route table display page, on which the user can read all the route information of the switch; the routes include statically configured routes and routes learned from RIP and OSPF.


Figure 18-57 Showing Page For Route Form

15 Authentication, Authorization, Accounting (AAA)

(1) RADIUS configuration page
Figure 18-58 shows the RADIUS configuration page, on which the user can set RADIUS-related parameters. The IP address of the RADIUS server must be set for authentication and accounting. A standby RADIUS server IP address can be set if a standby RADIUS server is available. The authentication UDP port, with a Windows default of 1812, generally does not need to be changed. Accounting can be enabled or disabled; it is enabled by default, and it must be enabled when authentication accounting is performed. The accounting UDP port, with a Windows default of 1812, generally does not need to be changed. The shared secret key sets the shared encryption password between the switch and the RADIUS server; this field must be set for authentication accounting and must match the configuration on the RADIUS server. The vendor-specific information ("special news of manufacturer") generally does not need to be changed. The NAS port, NAS port type and NAS service type generally should not be changed.

Note: if the RADIUS server and standby server IP addresses are the same, an alarm indicates that the IP address entered is wrong.

Figure 18-58 RADIUS configuration page

Figure 18-59 Alarm Indication Errors
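Why the shared secret key must be identical on the switch and the RADIUS server, as an added example that is not the switch's firmware code: under RFC 2865 the server computes each reply's Response Authenticator as an MD5 digest that includes the shared secret, and the NAS (here the switch) recomputes it with its own copy. The function names, packet contents and secret below are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS Code value for Access-Accept (RFC 2865)


def build_reply(code, identifier, request_auth, attributes, secret):
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes


def reply_is_authentic(packet, request_auth, secret):
    """Switch (NAS) side: recompute the authenticator with the local secret."""
    if len(packet) < 20:
        return False  # shorter than the fixed RADIUS header
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False  # this sketch requires the Length field to match exactly
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample exchange (no real traffic or credentials).
REQUEST_AUTH = bytes(range(16))            # 16-byte Request Authenticator
REPLY_MESSAGE = b"\x12\x09welcome"         # attribute type 18 (Reply-Message), length 9
SERVER_SECRET = b"example-shared-secret"   # placeholder value

REPLY = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, REPLY_MESSAGE, SERVER_SECRET)
```

A switch holding a different secret fails this check for every reply from the server, so a mismatch typically shows up as authentication timeouts rather than explicit rejects.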

(2) 802.1X configuration page
Figure 18-60 shows the 802.1x configuration page, on which the user can set 802.1x parameters, including:
- Whether the 802.1x protocol is enabled; 802.1x must be enabled when authentication accounting is performed.
- Whether the re-authentication function is enabled; it is off by default, and whether to use it for authentication accounting depends on actual conditions. Enabling re-authentication makes authentication accounting more secure, but network traffic may be slightly heavier.
- The re-authentication interval, which applies only when re-authentication is enabled. The default is 3600 seconds; set the value according to actual conditions when performing authentication accounting, but do not make it too small.
- The Quiet Period timer generally should not be changed.
- The Tx-Period timer generally should not be changed.
- The server timeout timer generally should not be changed.
- The supplicant timeout timer generally should not be changed.
- The Max Request count generally should not be changed.

(3) 802.1x Port configuration page
Figure 18-61 shows the 802.1x port configuration page, on which the user can configure the 802.1x port status and the maximum number of hosts supported, and check the 802.1x configuration of each port. An 802.1x port has one of four statuses: N/A, Auto, Force-authorized and Force-unauthorized. A port on which 802.1x authentication is required should be set to Auto; a port on which users may access the network without authentication should be set to N/A; the other two statuses are seldom used in practice. When 802.1x authentication is performed, the default maximum number of hosts connected through a port is 9; this field can be changed, up to a maximum of 250.

Figure 18-60 802.1 X Configuration Page

Figure 18-61 802.1 X Port Configuration Page

(4) 802.1 x user display page

Figure 18-62 shows the 802.1x user display page, on which the user can view the status of all users connected through a given port, so that information about authenticated users can be read at any time.

Figure 18-62. 802.1x User Display Page

Appendix A. Parameters Of Product Character

This part gives a detailed explanation of the working conditions for the iSpirit 3026 switch.

Sheet A-1 iSpirit 3026 switch technical guideline.

Port:
24 10Base-T/100/1000Base-TX RJ-45 UTP-5 ports
2 extension slots
1 UART control port

Physical characteristics:
Weight: 5KG
Size: 444mm × 44.45mm × 348mm (W × H × L)

Environment requirement:
Temperature: Operation 0°C to 40°C (32°F to 104°F); Storage -20°C to 70°C (-4°F to 158°F)
Humidity: Operation 10 to 90 RH; Storage 5% to 90% RH
Altitude: Operation: maximum height is 3000 meters (10,000 inches); Storage: maximum 4570 meters (15,000 inches)

Network media:
10Base-T: UTP Category 3, Category 4 or Category 5 cable
100Base-TX: UTP Category 5 cable
1000Base-X: 1000Base-SX, 1000Base-LX/LH or 1000Base-ZX fiber
10/100/1000Base-T: UTP Category 5 cable or UTP Category 5 Enhanced cable
Control port: special Seton

Requirement for power supply:
Scope of Voltage: 36-72V DC power supply input

Appendix B. Interface And Cable Technical Instructions

This part gives a detailed explanation of the network ports and cables of the iSpirit 3026 switch.

Interface instruction

10/100Base-T Port
The 10/100Base-T Ethernet port uses a standard RJ-45 connector. TD and RD are crossed inside the port. The switch adapts automatically between direct (straight-through) and intercrossed (crossover) cables, so either type of cable can be used when connecting to these ports.

Figure B-1. Pin Arrange Of 10/100 Base-T Port

10/100/1000 Base-T port
The 10/100/1000 Base-T port uses a standard RJ-45 interface and pin arrangement. TD and RD are crossed inside the port. The internal hardware adapts automatically between direct (straight-through) and intercrossed (crossover) cables, so either type of cable can be used when connecting to these ports. The 10/100/1000Base-T port pins are shown in Figure B-1.

Control port
The switch uses a standard 9-pin UART interface. The pins of the UART port are shown in Figure B-2.

5 4 3 2 1

9 8 7 6

Figure B-2. Pin of UART Port

The pin assignment of the special cable for the control port is shown in Sheet B-3.

Sheet B-3 Pin instruction of special cable of control port

Signal on one end of cable   Pin   9-pin   Signal on the other end of cable
DCD                          1     1       DCD
RXD                          2     3       TXD
TXD                          3     2       RXD
DTR                          4     4       DTR
SIG GND                      5     5       SIG GND
DSR                          6     6       DSR
RTS                          7     7       RTS
CTS                          8     8       CTS
RI                           9     9       RI

Internet instruction

Intercrossed and direct twisted-pair pin instruction

1. A sketch map of the intercrossed and direct twisted-pair pins is shown in Figure B-3.

Figure B-3. RJ-45 Twisted-Pair Pin Sketch Map

2. International standard of direct twisted-pair
The connection of a direct twisted-pair cable is shown in Figure B-4. Its main characteristic is that the wire order on SIDE1 and SIDE2 of the cable is the same, and that pins 2 and 6 of the RJ-45 plug connect to the same twisted pair.

Figure B-4. RJ-45 International Standard Of Direct Twisted-Pair

3. International standard of cross-link twisted-pair
Figure B-5 shows the international standard connection of a cross-link twisted-pair cable. Its main characteristic is that the wire order on SIDE1 and SIDE2 of the cable is not the same; the connection is shown in the following picture.

Figure B-5. International Standard Of RJ-45 Cross Link Twist-Pair