STCS3526 Series Routing Switches Configuration Guide Manual


VER: 1.0.1
STEPHEN TECHNOLOGIES CO., LIMITED
ALL RIGHTS RESERVED

About This Manual

Release Notes

This manual applies to STCS3526 Series Routing Switches.

Related Manuals

The related manuals are listed in the following table.

  STCS3526 Series Routing Switches Installation Manual
  STCS3526 Series Routing Switches Configuration Guide Manual

Intended Audience

The manual is intended for the following readers:

- Network engineers
- Network administrators
- Customers who are familiar with network fundamentals

Conventions

The manual uses the following conventions:

I. General conventions

  Convention       Description
  Arial            Normal paragraphs are in Arial.
  Arial Narrow     Warnings, Cautions, Notes and Tips are in Arial Narrow.
  Boldface         Headings are in Boldface.
  Courier New      Terminal Display is in Courier New.

II. Command conventions

  Convention       Description
  Boldface         The keywords of a command line are in Boldface.
  italic           Command arguments are in italic.
  [ ]              Items (keywords or arguments) in square brackets [ ] are optional.
  { x | y | ... }  Alternative items are grouped in braces and separated by vertical bars. One is selected.
  [ x | y | ... ]  Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.

III. GUI conventions

  Convention       Description
  < >              Button names are inside angle brackets. For example, click the <OK> button.
  [ ]              Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
  /                Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

IV. Keyboard operation

  Format           Description
  <Key>            Press the key with the key name inside angle brackets. For example, <Enter>, <Tab>, <Backspace>, or <A>.
  <Key1+Key2>      Press the keys concurrently. For example, <Ctrl+Alt+A> means the three keys should be pressed concurrently.
  <Key1, Key2>     Press the keys in turn. For example, <Alt, A> means the two keys should be pressed in turn.

V. Mouse operation

  Action           Description
  Click            Press the left button or right button quickly (left button by default).
  Double Click     Press the left button twice continuously and quickly.
  Drag             Press and hold the left button and drag it to a certain position.

VI. Symbols

Eye-catching symbols are also used in the manual to highlight the points worthy of special attention during the operation. They are defined as follows:

  Caution: Means the reader should be extremely careful during the operation.
  Note: Means a complementary description.

Contents

1 Product Overview: Product Overview; Function Features
Logging in Switch: Setting up Configuration Environment via the Console Port; Setting up Configuration Environment through Telnet; Connecting a PC to the Switch through Telnet; Telneting a Switch through another Switch
Command Line Interface: Command Line Interface; Command Line configure mode; Features and Functions of Command Line; Online Help of Command Line; Displaying Characteristics of Command Line; History of Command Line; Common Command Line Error Messages; Editing Characteristics of Command Line
Basic Configuration: Console Connection; Setting Console Baud Rate; Creating user and setting password; Setting system clock; Setting system service; Setting system contact/name/location information for SNMP; Management firmware; Management configuration file; Saving configuration file; Restore system to default configuration; Reboot system
Port Configuration: Ethernet Port Overview; Ethernet Port Configuration; Enabling/Disabling an Ethernet Port; Setting the Duplex Attribute and speed of the Ethernet Port; Enabling/Disabling Flow Control for the Ethernet Port; Setting the Ethernet Port Broadcast/multicast/dlf Suppression; Setting Port Mirroring; Setting rate limits
Link Aggregation Configuration: Overview; Statically Configuring a Trunk; Dynamic Link Aggregation configuration
VLAN Configuration: 7.1 VLAN Overview; Configuring VLAN; Creating/Deleting a VLAN; Setting vlan port pvid; Specifying/removing a VLAN port; VLAN Configuration Example
GVRP Configuration: GVRP Overview; Enabling/Disabling Global GVRP; Enabling/Disabling Port GVRP; GVRP Configuration Example
STP Configuration: STP Overview; Spanning-Tree Topology and BPDUs; Bridge ID, Switch Priority, and Extended System ID; Spanning-Tree Interface States; Blocking State; Listening State; Learning State; Forwarding State; Disabled State; How a Switch or Port Becomes the Root Switch or Root Port; Spanning Tree and Redundant Connectivity; Spanning-Tree Address Management; Accelerated Aging to Retain Connectivity; Configuring STP Features; Configure the STP Running Mode; Configure the Bridge Priority for a Switch; Configure the Time Parameters of a Switch; Configure Port Priority; Enable/Disable STP on the Device; Enable/Disable STP on a Port
RSTP Configuration: RSTP Overview; Spanning-Tree Topology and BPDUs; Bridge ID, Switch Priority, and Extended System ID; Spanning-Tree Interface States; Blocking State; Listening State; Learning State; Forwarding State; Disabled State; How a Switch or Port Becomes the Root Switch or Root Port; 10.6 Spanning Tree and Redundant Connectivity; Spanning-Tree Address Management; Accelerated Aging to Retain Connectivity; Configuring RSTP Features; Configure the STP Running Mode; Configure the Bridge Priority for a Switch; Configure the Time Parameters of a Switch; Configure Port Priority; Configure a Port as an Edge Port; Configure the Path Cost of a Port; Configure the mcheck Variable of a Port; Configure the Port (not) to connect with the Point-to-Point Link; Enable/Disable RSTP on the Device
IP Address Configuration: IP Address Overview; IP Address Classification and Indications; Subnet and Mask; Configuring IP Address; Configuring the AUX port IP Address; Configuring the IP Address of the VLAN Interface; IP Address Configuration Example; Troubleshooting IP Address Configuration
ARP Configuration: Introduction to ARP; Configuring ARP; Manually Adding/Deleting Static ARP Mapping Entries; Clear up ARP Mapping Entries
Configuring IP Routing: Introduction to IP Route and Routing Table; IP Route and Route Segment; Route Selection through the Routing Table; Routing Management Policy; Routing protocols and the preferences of the corresponding routes; Supporting Load Sharing and Route Backup; Routes Shared between Routing Protocols
Static Route Configuration: Introduction to Static Route; Static Route Configuration; Typical Static Route Configuration Example; Static Route Fault Diagnosis and Troubleshooting
RIP Configuration: Brief Introduction to RIP; RIP Configuration; Typical RIP Configuration Example
OSPF Configuration: OSPF Overview; OSPF Configuration; Displaying and Debugging OSPF; Typical OSPF Configuration Example; OSPF Fault Diagnosis and Troubleshooting
IP Multicast Protocol: IP Multicast Overview; Problems with Unicast/Broadcast; Advantages of Multicast; Application of Multicast; Implementation of IP Multicast; Multicast Addresses; IP Multicast Protocols; IP Multicast Packet Forwarding
IGMP Snooping Configuration: IGMP Snooping Overview; IGMP Snooping Configuration; IGMP Snooping Configuration Example
Static Multicast Group Configuration: Introduction to Static Multicast Group Configuration; Static Multicast Group Configuration
IGMP Configuration: IGMP Overview; IGMP Configuration
PIM-SM Configuration: PIM-SM Overview; PIM-SM Configuration
ACL Configuration: ACL Overview; configuring ACL; Defining ACL; Activating ACL; configuring Default ACL; ACL Configuration Example
QoS Configuration: Setting the Queue Mode; Setting the Priority for Port; Mapping IP Precedence; Changing Priorities Based on ACL Rules
802.1x Configuration: 802.1x Overview; 802.1x Standard Overview; 802.1x System Architecture; 802.1x Authentication Process; Implement 802.1x on Ethernet Switch; 802.1x Configuration; Enabling/Disabling 802.1x; Setting port authentication state; Setting Supplicant Number on a Port; 802.1x Configuration Example
RADIUS Protocol Configuration: RADIUS Protocol Overview; Implementing RADIUS on Ethernet Switch; Configuring RADIUS Protocol; Enable/disable radius client service; Setting radius client ip address; Setting a Real-time Accounting Interval; Setting IP Address of RADIUS Server; Setting Port of RADIUS Server; Setting RADIUS Packet Encryption Key; RADIUS Protocol Configuration Examples
DHCP Protocol Configuration: DHCP Relay configuration; Brief Introduction to DHCP Relay; Configuring DHCP Relay; DHCP Server configuration; Configuring DHCP Relay; DHCP Protocol Configuration Example; DHCP Relay Configuration Example; DHCP Server Configuration Example
SNMP Configuration: SNMP Overview; SNMP Versions and Supported MIB; Configure SNMP; Setting Community Name; Setting the Destination Address of Trap; Setting Trap Parameters; SNMP Configuration Example
Configuring System Message Logging: System Message Logging Introduction; Enabling Message Logging; Setting the Message Display Destination Device; Setting lowest level of log messages to a console terminal; Configuration example of sending log to syslog server
22 SNTP Configuration: Brief Introduction to SNTP; Configuring SNTP; Configuring SNTP client operate mode; Enabling/disabling SNTP client service; Configuring SNTP client parameters; Configuring SNTP server operate mode; Enabling/disabling SNTP server service; Configuring SNTP server parameters; Displaying SNTP

1 Product Overview

1.1 Product Overview

STCS3526 Ethernet Switches are box-shaped L2/L3 wire-speed Ethernet switches, applied at the convergence layer of medium- and small-sized enterprise networks, IP Metropolitan Area Networks (MAN) and Ethernet residential areas.

STCS3526 series routing switches support the following services:

- Internet broadband access
- MAN, enterprise/campus networking
- Multicast service and multicast routing, with support for multicast audio and video services

1.2 Function Features

Table 1-1 Function features

VLAN
  Supports VLAN compliant with IEEE 802.1Q Standard
  Supports GARP VLAN Registration Protocol (GVRP)
STP protocol
  Supports Spanning Tree Protocol (STP)
  Supports Rapid Spanning Tree Protocol (RSTP)
Flow control
  Supports IEEE 802.3x flow control (full-duplex)
  Supports back-pressure based flow control (half-duplex)
Broadcast Suppression
  Supports Broadcast Suppression
Multicast
  Supports Internet Group Management Protocol Snooping (IGMP Snooping)
  Supports Internet Group Management Protocol (IGMP)
  Supports Protocol-Independent Multicast-Sparse Mode (PIM-SM)
IP routing
  Supports static routing
  Supports Routing Information Protocol (RIP) v1/v2
  Supports Open Shortest Path First (OSPF)
DHCP
  Supports Dynamic Host Configuration Protocol (DHCP) Relay
  Supports Dynamic Host Configuration Protocol (DHCP) Server
Link aggregation
  Supports link aggregation
Mirror
  Supports the port-based mirror
  Supports the ACL-based mirror
Quality of Service (QoS)
  Supports traffic classification
  Supports bandwidth control
  Supports queues of different priority on the port
  Queue scheduling: supports Strict Priority Queuing (SP), Weighted Round Robin (WRR), and SP+WRR
Security features
  Supports multi-level user management and password protection
  Supports 802.1X authentication
  Supports packet filtering
Management and Maintenance
  Supports Command Line Interface configuration
  Supports local configuration via Console port and AUX port
  Supports local and remote configuration through Telnet on Ethernet port
  Supports SNMP management (supports RMON MIB Group 1, 2, 3 and 9)
  Supports output of the debugging information
  Supports PING
  Supports remote maintenance via Telnet
Loading and updating
  Supports loading and upgrading software via File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP)

2 Logging in Switch

2.1 Setting up Configuration Environment via the Console Port

Step 1: As shown in the figure below, to set up the local configuration environment, connect the serial port of a PC (or a terminal) to the Console port of the switch with the Console cable.

Figure 2-1 Setting up the local configuration environment via the Console port

Step 2: Run a terminal emulator (such as Terminal on Windows 3X or the Hyper Terminal on Windows 9X) on the computer. Set the terminal communication parameters as follows: set the baud rate to 9600, data bits to 8, parity check to none, stop bits to 1, flow control to none, and select the terminal type as VT

Figure 2-2 Setting up new connection

Figure 2-3 Configuring the port for connection

Figure 2-4 Setting communication parameters

Step 3: Power on the switch. The switch displays its self-test information and prompts you to press Enter to show the command line prompt, such as switch>.

Step 4: Input a command to configure the switch or view the operation state. Input a ? for immediate help. For details of specific commands, refer to the following chapters.

2.2 Setting up Configuration Environment through Telnet

Connecting a PC to the Switch through Telnet

After you have correctly configured the IP address of a VLAN interface for a switch via the Console port, and added the port to this VLAN (using the port command in VLAN view), you can telnet to this switch and configure it.

Step 1: Authenticate the Telnet user via the Console port before the user logs in by Telnet.

Step 2: To set up the configuration environment, connect the Ethernet port of the PC to that of the switch via the LAN.

Figure 2-5 Setting up configuration environment through telnet

Step 3: Run Telnet on the PC and input the IP address of the VLAN connected to the PC port.

Figure 2-6 Running Telnet

Step 4: The terminal displays Login: and prompts the user to input the logon user name and password. After you input the correct user name and password, it displays the command line prompt (such as switch#).

Step 5: Use the corresponding commands to configure the switch or to monitor the running state. Enter ? to get immediate help. For details of specific commands, refer to the following chapters.

Telnet a Switch through another Switch

After a user has logged into a switch, he or she can configure another switch through that switch via Telnet. The local switch serves as the Telnet client and the peer switch serves as the Telnet server. If the ports connecting these two switches are in the same local network, their IP addresses must be configured in the same network segment. Otherwise, the two switches must establish a route so that they can reach each other.

As shown in the figure below, after you telnet to a switch, you can run the telnet command to log in to and configure another switch.

Figure 2-7 Providing Telnet Client service

Step 1: Authenticate the Telnet user via the Console port on the Telnet Server (switch) before login.

Step 2: The user logs in to the Telnet Client (switch). For the login process, refer to the section describing Connecting a PC to the Switch through Telnet.

Step 3: Perform the following operations on the Telnet Client:

Step 4: Enter the preset login password and you will see the prompt, such as switch#.

Step 5: Use the corresponding commands to configure the switch or view its running state. Enter ? to get immediate help. For details of specific commands, refer to the following chapters.

STCS3526 Series Layer 3 Switch User Guide

3 Command Line Interface

3.1 Command Line Interface

Switches provide a series of configuration commands and command line interfaces for configuring and managing the switch. The command line interface has the following characteristics:

- Local configuration via the Console port and AUX port.
- Local or remote configuration via Telnet.
- Hierarchical command protection to keep unauthorized users from accessing the switch.
- Enter a ? to get immediate online help.
- Network testing commands, such as Ping, to troubleshoot the network quickly.
- Log in to and manage another switch directly, using the Telnet command.
- FTP service for the users to upload and download files.
- A function similar to Doskey to execute a history command.
- The command line interpreter matches keywords that are not fully typed. You can key in the whole keyword or part of it, as long as it is unique and not ambiguous.

3.2 Command Line configure mode

The command line provides the following configure modes:

- Normal EXEC mode
- privileged EXEC mode
- Global configuration mode
- VLAN interface configuration mode
- OSPF configuration mode

The following table describes the function features of the different modes and the ways to enter or quit them.

Table 3-1 Function feature of command configure mode

Normal EXEC mode
  Function:          Show the basic information about operation and statistics
  Prompt:            Switch>
  Command to enter:  Enter right user name and password
  Command to exit:   exit

privileged EXEC mode
  Function:          Show the basic information about operation and statistics
  Prompt:            Switch#
  Command to enter:  Enter <enable> and right password
  Command to exit:   Exit returns to normal EXEC mode

Global configuration mode
  Function:          Configure system parameters
  Prompt:            Switch(config)#
  Command to enter:  Key in config in user configure mode
  Command to exit:   Exit returns to user configure mode

VLAN interface configure mode
  Function:          Configure ospf area parameters
  Prompt:            Switch(config-if)#
  Command to enter:  Key in Interface vint x in system configure mode
  Command to exit:   Exit returns to system configure mode

OSPF configuration mode
  Function:          Configure OSPF parameters
  Prompt:            Switch(config-ospf)#
  Command to enter:  Key in Router ospf in system configure mode
  Command to exit:   Exit returns to system configure mode

3.3 Features and Functions of Command Line

Online Help of Command Line

The command line interface provides the following online help modes:

- Full help
- Partial help

You can get the help information through these online help commands, which are described as follows.

1) Input ? in any configure mode to get all the commands in it and the corresponding descriptions.

    switch#?
      clear     Clear the screen.
      config    Config system's setting.
      debug     Debugging functions
      download  Download file for software upgrade or load user config.
      exit      Exit current mode and shift to previous mode.
      help      Description of the interactive help system.
      history   Config history command.
      kill      Kill some unexpected things.
      logout    Disconnect from switch and quit
      no        Negate a command or set its defaults.
      ping      Ping command to test if the net is correct.
      quit      Disconnect from switch and quit.
      reboot    Reboot the switch.
      remove    Remove system configuration.
      sendmsg   Send message to online user.
      show      Show running system information.
      telnet    Telnet to other host or switch.
      terminal  Set terminal line parameters.
      upload    Upload file for software upgrade or upload user config.
      who       Display who is connected to the switch.
      write     Save current running configuration to flash.

2) Input a command with a ? separated by a space. If this position is for keywords, all the keywords and the corresponding brief descriptions will be listed.

    switch(config)# port ?
      speed  Set port speed.
      state  Set port state.
      type   Set port type.

3) Input a command with a ? separated by a space. If this position is for parameters, all the parameters and their brief descriptions will be listed.

    switch(config)# router ?
      hw-sync  Dynamic route synchronize with hardware route table
      ospf     OSPF specific commands
      rip      Set Rip config parameters.

    switch(config)# router ospf ?
      <cr>     Just Press <Enter> to Execute command!

<cr> indicates no parameter in this position. The next command line repeats the command, and you can press <Enter> to execute it directly.

4) Input a character string with a ?, then all the commands with this character string as their initials will be listed.

    switch(config)# a?
      access-list     Set access-list parameters.
      arp             Config system's setting.
      authentication  Config information of authentication.

5) Input a command with a character string and ?, then all the keywords with this character string as their initials in the command will be listed.

    switch# show ve?
      version  Display SPROS version.

6) Input the first letters of a keyword of a command and press the <Tab> key. If no other keywords begin with these letters, then this unique keyword will be displayed automatically.

Displaying Characteristics of Command Line

The command line interface provides the following display characteristics:

- For users' convenience, the instruction and help information can be displayed in both English and Chinese.
- For information that exceeds one screen, a pausing function is provided. In this case, users have three choices, as shown in the table below.

Table 3-2 Functions of displaying

  Key or Command                              Function
  Press <Q> when the display pauses           Stop displaying and executing command.
  Press any key when the display pauses       Continue to display the next screen of information.
  Press <Enter> when the display pauses       Continue to display the next line of information.

History of Command Line

The command line interface provides a function similar to that of DosKey. The commands entered by users are automatically saved by the command line interface and you can invoke and execute them at any time later. The history command buffer defaults to 10. That is, the command line interface can store 10 history commands for each user. The operations are shown in the table below.

Table 3-3 Retrieving history command

  Operation                              Key                                Result
  Display history command                history                            Display history command by user inputting
  Retrieve the previous history command  Up cursor key <↑> or <Ctrl+P>      Retrieve the previous history command, if there is any.
  Retrieve the next history command      Down cursor key <↓> or <Ctrl+N>    Retrieve the next history command, if there is any.

Common Command Line Error Messages

All the commands input by users are executed if they pass the grammar check. Otherwise, error messages are reported to users. The common error messages are listed in the following table.

Table 3-4 Common command line error messages

  Error messages        Causes
  Unrecognized command  Cannot find the command.
                        Cannot find the keyword.
                        Wrong parameter type.
                        The value of the parameter exceeds the range.
  Incomplete command    The input command is incomplete.
  Too many parameters   Enter too many parameters.
  Ambiguous command     The parameters entered are not specific.

Editing Characteristics of Command Line

The command line interface provides the basic command editing function and supports editing multiple lines. A command cannot be longer than 256 characters. See the table below.

Table 3-5 Editing functions

  Key                                                              Function
  Common keys                                                      Insert from the cursor position and the cursor moves to the right, if the edition buffer still has free space.
  Backspace                                                        Move the cursor a character backward
  Leftwards cursor key <←> or <Ctrl+B>                             Move the cursor a character backward
  Rightwards cursor key <→> or <Ctrl+F>                            Move the cursor a character forward
  Up cursor key <↑> or <Ctrl+P>, Down cursor key <↓> or <Ctrl+N>   Retrieve the history command.
  <Tab>                                                            Press <Tab> after typing the incomplete keyword and the system will execute the partial help: if the keyword matching the typed one is unique, the system will replace the typed one with the complete keyword and display it in a new line; if there is no matched keyword or the matched keyword is not unique, the system will make no modification but display the originally typed word in a new line.

4 Basic Configuration

4.1 Console Connection

The CLI program provides two different command levels: normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you only to display information and use basic utilities. To fully configure the switch parameters, you must access the CLI at the Privileged Exec level. Access to both CLI levels is controlled by user names and passwords.

The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:

1. To initiate your console connection, press <Enter>. The User Access Verification procedure starts.
2. At the <Login:> prompt, enter admin.
3. At the Password prompt, press <Enter> directly (the default password is not set).
4. The session is opened and the CLI displays the switch> prompt, indicating you have access at the Normal Exec level.
5. At the switch> prompt, enter enable.
6. At the Password prompt, press <Enter> directly (the default password is not set).
7. The session is opened and the CLI displays the switch# prompt, indicating you have access at the Privileged Exec level.

4.2 Setting Console Baud Rate

Beginning in privileged EXEC mode, follow these steps to set console baud rate.

  Step 2  serial speed rate
          Setting console baud rate. Rate : By default, rate is
  Step 3  exit
          Return to privileged EXEC mode.
  Step 4  show serial
          Verify your entries.
  Step 5  write
          (Optional) Save your entries in the configuration file.

4.3 Creating user and setting password

When you create a new user, the default user is deleted automatically.

Beginning in privileged EXEC mode, follow these steps to create a user and set the password.

  Step 2  user add user-name login-password login-password
          Create user and set login password.
  Step 3  user login-password user-name <CR>
            Input new login password for user abc please.
            New Password:
            Confirm Password:
          (Optional) Change login password.
  Step 4  user enable-password user-name <CR>
            Input new enable password for user abc please.
            New Password:
            Confirm Password:
          (Optional) Set or change enable password.
  Step 5  user role user-name {NORMA | ADMIN enable-password enable-password}
          (Optional) Change user access level.
  Step 6  exit
          Return to privileged EXEC mode.
  Step 7  user list
          Verify your entries.
  Step 8  write
          (Optional) Save your entries in the configuration file.

4.4 Setting system clock

Beginning in privileged EXEC mode, follow these steps to set system clock.

  Step 2  time year month date hour:minutes:seconds
          Setting system clock.
  Step 3  exit
          Return to privileged EXEC mode.
  Step 4  show system configuration
          Verify your entries.
  Step 5  write
          (Optional) Save your entries in the configuration file.

4.5 Setting system service

The system provides SNMP, telnet and webserver services; you can enable or disable each of these services.

Beginning in privileged EXEC mode, follow these steps to set system service.

  Step 2  service snmp {enable | disable}
          Enabling/disabling SNMP service.
  Step 3  service telnet {enable | disable}
          Enabling/disabling telnet service.
  Step 4  webserver service {enable | disable}
          Enabling/disabling webserver service. When the webserver service is enabled, you can manage the switch through WEB.
  Step 5  webserver password reset
          (Optional) Reset web password to default. By default the web login user name is admin, login password is password. You can change the password through WEB.
  Step 6  exit
          Return to privileged EXEC mode.
  Step 7  show services
          Verify your entries.
  Step 8  write
          (Optional) Save your entries in the configuration file.

4.6 Setting system contact/name/location information for SNMP

Beginning in privileged EXEC mode, follow these steps to set system contact/name/location information.

  Step 2  system contact string
          Setting system contact information for SNMP.
  Step 3  system name string
          Setting system name for SNMP.
  Step 4  system location string
          Setting system location information for SNMP.
  Step 5  exit
          Return to privileged EXEC mode.
  Step 6  show system config
          Verify your entries.
  Step 7  write
          (Optional) Save your entries in the configuration file.

4.7 Management firmware

You can download firmware from an FTP or TFTP server. After the new firmware is downloaded, the system uses it the next time the switch starts.

Note: Before you download firmware from an FTP or TFTP server, you must confirm the following items:

- You have configured an IP address for a VLAN interface or AUX port.
- The FTP or TFTP server can communicate with the Switch correctly.
- You have run the FTP or TFTP program on the FTP or TFTP server.
- You have set the correct user name and password for the FTP server, and specified the correct directory.
- You have specified the correct directory for the TFTP server.

Beginning in privileged EXEC mode, follow these steps to download firmware from FTP or TFTP server.

  Step 2  down ftp image ip-address user-name password filename
          Download firmware from FTP server.
  Step 3  down tftp image ip-address filename
          Download firmware from TFTP server.
  Step 4  reboot
          (Optional) Restart the system.
  Step 5  exit
          Return to privileged EXEC mode.
  Step 6  show version
          Verify your entries.
  Step 7  write
          (Optional) Save your entries in the configuration file.

4.8 Management configuration file

You can upload or download the configuration file to or from an FTP or TFTP server. After the new configuration file is downloaded, the system uses the new configuration the next time the switch starts.

Beginning in privileged EXEC mode, follow these steps to upload/download configuration file to or from FTP or TFTP server.

  Step 2  upload ftp config ip-address user-name password filename
          Upload configuration file to FTP server.
  Step 3  upload tftp config ip-address filename
          Upload configuration file to TFTP server.
          down ftp config ip-address user-name password filename
          Download configuration file from FTP server.
          down tftp config ip-address filename
          Download configuration file from TFTP server.
  Step 4  reboot
          (Optional) Restart the system.
  Step 5  exit
          Return to privileged EXEC mode.
  Step 6  show version
          Verify your entries.
  Step 7  write
          (Optional) Save your entries in the configuration file.

4.9 Saving configuration file

Use the write command to save the current-configuration in the Flash Memory. The saved configuration becomes the startup-configuration the next time the system is powered on.

Beginning in privileged EXEC mode, follow these steps to save configuration to the FLASH Memory.

  Step 1  write
          Save your entries in the configuration file.

Restore system to default configuration

You can use the remove command to restore the startup-configuration to the default configuration; after that you must reboot the system.

Beginning in privileged EXEC mode, follow these steps to restore system to default configuration.

  Step 1  remove
          Restore the startup-configuration to the default configuration.
  Step 2  reboot
          Reboot the system.

Reboot system

Beginning in privileged EXEC mode, follow these steps to restart the system.

  Step 1  reboot
          Reboot the system.
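The service and file-transfer commands in sections 4.5, 4.7 and 4.8 are the ones to look for when reviewing a change script or a captured console session, and because the CLI accepts any unique keyword prefix (section 3.1), a literal text search misses abbreviated forms such as this guide's own "down" for "download". The Python audit below is an added example, not vendor code: it flags any line whose tokens could expand to one of those commands and redacts the FTP password before reporting. Assumptions: the session lines, the address 192.0.2.10, the user and file names are constructed, and matching is deliberately conservative because the guide does not list the full keyword set needed to decide uniqueness.

```python
"""Audit a captured switch CLI session for risky management commands.

Added example: command syntax is taken from sections 4.5, 4.7 and 4.8 of
this guide; the finding texts, sample session and names are constructed.
"""
import re
from typing import NamedTuple

# (canonical keywords, index of a secret argument or None, finding text)
RULES = [
    (("service", "telnet", "enable"), None,
     "Telnet management enabled: logins cross the network in cleartext"),
    (("service", "snmp", "enable"), None,
     "SNMP enabled: review community names and who can reach the agent"),
    (("webserver", "service", "enable"), None,
     "Web management enabled: documented default login is admin/password"),
    (("webserver", "password", "reset"), None,
     "Web password reset to the documented default"),
    (("download", "ftp"), 5,
     "FTP download: password typed on the command line, cleartext transfer"),
    (("upload", "ftp"), 5,
     "FTP upload: password typed on the command line, cleartext transfer"),
    (("download", "tftp"), None,
     "TFTP download: unauthenticated transfer, verify the file out of band"),
    (("upload", "tftp"), None,
     "TFTP upload: configuration leaves the switch without authentication"),
]

# Prompts shown in the guide: switch>, switch#, switch(config)#
PROMPT = re.compile(r"^\s*[\w-]+(\([\w-]+\))?[>#]\s*")


class Finding(NamedTuple):
    line_no: int      # 1-based position in the audited session
    canonical: str    # full keywords the line could expand to
    message: str
    text: str         # the typed command, with any secret redacted


def could_expand_to(tokens, keywords):
    """True if every leading token is a prefix of the matching keyword.

    Conservative on purpose: uniqueness cannot be checked without the
    switch's full keyword list, so any possible expansion is reported.
    """
    if len(tokens) < len(keywords):
        return False
    return all(tok and kw.startswith(tok.lower())
               for tok, kw in zip(tokens, keywords))


def audit(lines):
    """Return a Finding for every line that may be a risky command."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        tokens = PROMPT.sub("", raw, count=1).split()
        for keywords, secret_idx, message in RULES:
            if not could_expand_to(tokens, keywords):
                continue
            shown = list(tokens)
            if secret_idx is not None and len(shown) > secret_idx:
                shown[secret_idx] = "<redacted>"   # never log the password
            findings.append(
                Finding(line_no, " ".join(keywords), message, " ".join(shown)))
    return findings


# Constructed sample session (not captured from a real device).
SAMPLE_SESSION = [
    "switch(config)# serv tel en",
    "switch(config)# service snmp disable",
    "switch(config)# webserver service enable",
    "switch(config)# webs pass reset",
    "switch# down ftp image 192.0.2.10 fwuser S3cret-example stcs3526.img",
    "switch# upload tftp config 192.0.2.10 backup.cfg",
    "switch(config)# system name core-sw1",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SESSION):
        print(f"line {f.line_no}: [{f.canonical}] {f.message}\n    {f.text}")
```
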

5 Port Configuration

5.1 Ethernet Port Overview

STCS3526 Series Routing Switches configurations include:

- STCS3526A: 24 10/100Mbps Ethernet ports and 2 extension slots
- STCS3526F: 6 module slots and 2 extension slots

For STCS3526F, two types of modules are provided:

- 4 10/100Mbps Ethernet ports module
- 4 100Base-FX ports module

STCS3526 Series Routing Switches support the following optional interface modules for the extension slots:

- 1000Base-SX module
- 1000Base-LX module
- 1000Base-T module
- 100Base-FX Multi-mode module
- 100Base-FX Single Mode module

The 10/100Mbps electrical ports support MDI/MDI-X auto-sensing and can work in half duplex, full duplex or auto-negotiation mode. They can negotiate with other network devices to choose the optimum duplex mode and speed. The Gigabit optical ports work in Gigabit full duplex mode, which needs no configuration.

5.2 Ethernet Port Configuration

Ethernet port configuration includes:

- Enabling/disabling an Ethernet port
- Setting the duplex attribute for the Ethernet port
- Setting speed for the Ethernet port
- Setting the Ethernet port broadcast suppression ratio
- Setting port mirror
- Setting rate limits

5.2.1 Enabling/Disabling an Ethernet Port

The following command can be used for disabling or enabling the port.

Beginning in privileged EXEC mode, follow these steps to enable an Ethernet port.

Step 2   port state port-number enable
         Enable an Ethernet port.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show port port-number
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

By default, the port is enabled.

Setting the Duplex Attribute and Speed of the Ethernet Port

To configure a port to send and receive data packets at the same time, set it to full-duplex. To configure a port to either send or receive data packets at a time, set it to half-duplex. If the port has been set to auto-negotiation mode, the local and peer ports will automatically negotiate the duplex mode.

You can use the following command to set the speed on the Ethernet port. If the speed is set to auto-negotiation mode, the local and peer ports will automatically negotiate the port speed.

Beginning in privileged EXEC mode, follow these steps to set the duplex attribute and speed of the Ethernet port.

Step 2   port speed portnumber {100f | 100h | 10f | 10h | Auto}
         Set the duplex attribute and speed for a fast Ethernet port.
Step 3   port speed portnumber {1000f | 1000h | 100f | 100h | 10f | 10h | Auto}
         Set the duplex attribute and speed for a Gigabit Ethernet port.
Step 4   exit
         Return to privileged EXEC mode.
Step 5   show port port-number
         Verify your entries.
Step 6   write
         (Optional) Save your entries in the configuration file.

Note that the 10/100Mbps electrical Ethernet port can operate in full-duplex, half-duplex or auto-negotiation mode. The Gigabit electrical Ethernet port can operate in full duplex, half duplex or auto-negotiation mode. When the port operates at 1000Mbps, the duplex mode can be set to full (full duplex) or auto (auto-negotiation). The optical 100M/Gigabit Ethernet ports work in full duplex mode and need no configuration. The port defaults to auto (auto-negotiation) mode.

Note that the 10/100Mbps electrical Ethernet port can operate at 10Mbps and 100Mbps as per different requirements. The electrical Gigabit Ethernet port can operate at 10Mbps, 100Mbps, or 1000Mbps as per different requirements. However, in half duplex mode the port cannot operate at 1000Mbps. The 100M optical Ethernet port supports 100Mbps; the Gigabit optical Ethernet port supports 1000Mbps and needs no configuration.

By default, the speed of the port is in auto mode.

Enabling/Disabling Flow Control for the Ethernet Port

After flow control is enabled on both the local and the peer switch, if congestion occurs in the local switch, the switch will inform its peer to pause packet sending. Once the peer switch receives this message, it will pause packet sending, and vice versa. In this way, packet loss is reduced effectively. The flow control function of the Ethernet port can be enabled or disabled through the following command.

Beginning in privileged EXEC mode, follow these steps to enable flow control for the Ethernet port.

Step 2   control flow enable
         Enable Ethernet port flow control.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show control flow
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To disable flow control, use the control flow disable global configuration command.

Setting the Ethernet Port Broadcast/multicast/dlf Suppression

You can use the following commands to restrict the broadcast/multicast/dlf traffic. Once the broadcast/multicast/dlf traffic exceeds the value set by the user, the system will maintain an appropriate broadcast/multicast/dlf packet number by discarding the overflow traffic, so as to suppress broadcast/multicast/dlf storms, avoid congestion and ensure normal service. The parameter is the maximum wire speed ratio of the broadcast/multicast/dlf traffic allowed on the port.
The smaller the packet number is, the less broadcast/multicast/dlf traffic is allowed.

Beginning in privileged EXEC mode, follow these steps to set the Ethernet port broadcast/multicast/dlf suppression.

Step 2   control rate speed packets broadcast enable multicast enable dlf enable
         Enable broadcast/multicast/dlf suppression. Packets is the number of packets per second.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show control rate
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To disable the Ethernet port broadcast/multicast/dlf suppression, use the control rate speed packets broadcast disable multicast disable dlf disable global configuration command.

Setting Port Mirroring

Port mirroring duplicates data on the monitored port to the designated monitoring port, for the purpose of data analysis and supervision. The switch supports multiple-to-one mirroring, that is, you can duplicate packets from multiple ports to a monitoring port.

Beginning in privileged EXEC mode, follow these steps to set port mirroring.

Step 2   mirror mirrored-to port-number
         Set the target port.
Step 3   mirror link-group set index port-list [both | ingress | egress]
         Create a source port group. Index is the source port group index; the range is 1 to 26. Port-list is the source port group member list; the format is port-number + m, such as 01m.
Step 4   mirror link-group enable index
         Enable mirroring.
Step 5   exit
         Return to privileged EXEC mode.
Step 6   show mirror all
         Verify your entries.
Step 7   write
         (Optional) Save your entries in the configuration file.

To delete a mirror source port group, use the no mirror link-group index global configuration command.

Note: Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port. All mirror sessions have to share the same destination port. When mirroring port traffic, the target port must be included in the same VLAN as the source port.

Setting rate limits

This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.

Rate limiting can be applied to individual ports or trunks. When an interface is configured with this feature, the traffic rate will be monitored by the hardware to verify conformity. Non-conforming traffic is dropped; conforming traffic is forwarded without any changes.

Beginning in privileged EXEC mode, follow these steps to set rate limits.

Step 2   traffic-limit link-group set group-id port-list ingress [ingress-rate | default] [egress [egress-rate | default]]
         Create a rate limits group. Group-id is the bandwidth management rule index; the range is 1 to 64. Ingress-rate and egress-rate use a bandwidth granularity of 1M/s for fast Ethernet ports and 8M/s for gigabit ports. Default indicates no limit.
Step 3   traffic-limit link-group enable group-id
         Enable rate limits.
Step 4   exit
         Return to privileged EXEC mode.
Step 5   show traffic-limit link-group
         Verify your entries.
Step 6   write
         (Optional) Save your entries in the configuration file.

To disable rate limits, use the traffic-limit link-group disable group-id global configuration command. To delete a rate limits group, use the no traffic-limit link-group group-id global configuration command.

6 Link Aggregation Configuration

STCS3526 Series Layer 3 Switch User Guide

This chapter describes how to configure trunk groups and 802.3ad link aggregation. Trunk groups are manually-configured aggregate links containing multiple ports. 802.3ad link aggregation is a protocol that dynamically creates and manages trunk groups.

6.1 Overview

Link aggregation means aggregating several ports together to balance the outgoing/incoming load among the member ports and enhance connection reliability. In terms of load sharing, link aggregation may be load sharing aggregation or non-load sharing aggregation.

You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to six trunks at a time.

The switch supports both static trunks and the dynamic Link Aggregation Control Protocol (LACP). Static trunks have to be manually configured at both ends of the link. On the other hand, LACP-configured ports can automatically negotiate a trunked link with LACP-configured ports on another device. You can configure any number of ports on the switch as LACP, as long as they are not already configured as part of a static trunk. If ports on another device are also configured as LACP, the switch and the other device will negotiate a trunk link between them. Should one link in the trunk fail, one of the standby ports will automatically be activated to replace it.

One switch can support up to six aggregation groups, with each group containing a maximum of eight ports. Besides balancing the load across each port in the trunk, the other ports provide redundancy by taking over the load if a port in the trunk fails. However, before making any physical connections between devices, use the web interface or CLI to specify the trunk on the devices at both ends.

When using a port trunk, take note of the following points:
- Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop.
- You can create up to six trunks on the switch, with up to eight ports per trunk.
- The ports at both ends of a connection must be configured as trunk ports.
- The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
- All the ports in a trunk have to be treated as a whole when moved from/to, added to or deleted from a VLAN.
- STP, VLAN, and IGMP settings can only be made for the entire trunk.

6.2 Statically Configuring a Trunk

When configuring static trunks, you may not be able to link switches of different types, depending on the manufacturer's implementation. However, note that the static trunks on this switch are Cisco EtherChannel compatible.

To avoid creating a loop in the network, be sure you add a static trunk via the configuration interface before connecting the ports, and also disconnect the ports before removing a static trunk via the configuration interface.

Beginning in privileged EXEC mode, follow these steps to configure a static trunk.

Step 2   channel-group add group-number port-list [smac | dmac | sdmac | sip | dip | sdip]
         Configure a static trunk. The group-number range is 1 to 6. Port-list is the trunk member list; the format is port-number + m, such as 01m.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show channel-group
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To delete a static trunk, use the channel-group delete group-number global configuration command.

6.3 Dynamic Link Aggregation configuration

The software supports the IEEE 802.3ad standard for link aggregation. This standard describes the Link Aggregation Control Protocol (LACP), a mechanism for allowing ports on both sides of a redundant link to configure themselves into a trunk link (aggregate link), without the need for manual configuration of the ports into trunk groups. When you enable link aggregation on a group of switch ports, the switch ports can negotiate with the ports at the remote ends of the links to establish trunk groups.

Enabling Link Aggregation Control Protocol

Link aggregation support is disabled by default. You can enable the feature on a switch. When you enable link aggregation, the switch port can exchange standard LACP Protocol Data Unit (LACPDU) messages to negotiate trunk group configuration with the port on the other side of the link.

In addition, the switch port actively sends LACPDU messages on the link to search for a link aggregation partner at the other end of the link, and can initiate an LACPDU exchange to negotiate link aggregation parameters with an appropriately configured remote port.

Beginning in privileged EXEC mode, follow these steps to enable Link Aggregation Control Protocol (LACP) on a switch.

Step 2   lacp enable
         Enable Link Aggregation Control Protocol.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show link-aggregation <1-6> neighbors
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To disable Link Aggregation Control Protocol (LACP) on a switch, use the lacp disable global configuration command.

Link Aggregation Parameters configuration

You can change the settings for the following link aggregation parameters, on an individual port basis:
- Port priority
- Key

Port Priority: The port priority determines the active and standby links. When a group of ports is negotiating with a group of ports on another device to establish a trunk group, the switch port with the highest priority becomes the default active port. The other ports (with lower priorities) become standby ports in the trunk group. You can specify a priority from A higher value indicates a lower priority. The default is 128.

Caution: This parameter is not supported in the current software release. The primary port in the port group becomes the default active port. The primary port is the lowest-numbered port in a valid trunk-port group.

Key: Every port that is 802.3ad-enabled has a key. The key identifies the group of potential trunk ports to which the port belongs. Ports with the same key are called a key group and are eligible to be in the same trunk group. When you enable link-aggregation on a switch, the software assigns a default key to the port. The default key is 1 of the port

Notice that the keys between one device and another do not need to match. The only requirement for key matching is that all the ports within an aggregate link on a given device must have the same key.

Beginning in privileged EXEC mode, follow these steps to set link aggregation parameters.

Step 2   interface ethernet <portnum> [to <portnum>]
         Enter physical port configuration mode.
Step 3   link-aggregation port-priority < >
         (Optional) Specifies an individual port's priority within the port group. A higher value indicates a lower priority. You can specify a priority from The default is 128.
Step 4   link-aggregation admin-key < >
         (Optional) Identifies the group of ports that are eligible to be aggregated into a trunk group. You can change a port group's key to a value from
Step 5   exit
         Return to privileged EXEC mode.
Step 6   show link-aggregation ethernet
         Verify your entries.
Step 7   write
         (Optional) Save your entries in the configuration file.

Setting the criteria for load balancing

Beginning in privileged EXEC mode, follow these steps to set the criteria for load balancing.

Step 2   lacp <1-6> [smac | dmac | sdmac | sip | dip | sdip]
         Set the criteria for load balancing.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show link-aggregation trunks
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

Displaying and Determining the Status of Aggregate Links

To display the link aggregation information on which link aggregation is enabled, enter the show link-aggregation trunks command in privileged EXEC mode.

To display the link aggregation information for all ports on which link aggregation is enabled, enter the show link-aggregation ethernet [<portnum> | <cr>] command in privileged EXEC mode.

To display the link aggregation neighbor information on which link aggregation is enabled, enter the show link-aggregation <1-6> neighbors command in privileged EXEC mode.

To display the link aggregation system id, enter the show link-aggregation sys-id command in privileged EXEC mode.

7 VLAN Configuration

7.1 VLAN Overview

Virtual Local Area Network (VLAN) groups the devices of a LAN logically but not physically into segments to implement virtual workgroups. IEEE issued the IEEE 802.1Q in 1999, which was intended to standardize VLAN implementation solutions.

Through VLAN technology, network managers can logically divide the physical LAN into different broadcast domains. Every VLAN contains a group of workstations with the same demands. The workstations of a VLAN do not have to belong to the same physical LAN segment.

With VLAN technology, the broadcast and unicast traffic within a VLAN will not be forwarded to other VLANs. It is therefore very helpful in controlling network traffic, saving device investment, simplifying network management and improving security.

7.2 Configuring VLAN

VLAN configuration includes:
- Creating/deleting a VLAN
- Setting vlan port pvid
- Specifying/removing a VLAN port

To configure a VLAN, first create a VLAN according to the requirements.

Creating/Deleting a VLAN

You can use the following command to create/delete a VLAN.

Beginning in privileged EXEC mode, follow these steps to create a VLAN.

Step 2   vlan static add vid vid port-list
         Create a VLAN. Vid: 1~4096. Port-list: port-number + u|m, where u indicates an untag port and m indicates a tag port.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show vlan table
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

7.2.2 Setting vlan port pvid

You can use the following command to set the VLAN port PVID.

Beginning in privileged EXEC mode, follow these steps to set the VLAN port PVID.

Step 2   vlan port pvid port-number pvid
         Set the VLAN port PVID. pvid: 1~4096.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show vlan port
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

Specifying/removing a VLAN port

You can use the following command to specify or remove a VLAN port.

Beginning in privileged EXEC mode, follow these steps to specify or remove a VLAN port.

Step 2   vlan static set vid vid port-list
         Specify/remove a VLAN port.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show vlan table
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

7.3 VLAN Configuration Example

I. Networking requirements

Remove port1, port2, port3, port4 from vlan1; create VLAN2 and VLAN3. Add port1 and port2 to VLAN2 and add Port3 and port4 to VLAN

II. Networking diagram

Figure 7-1 VLAN configuration example

III. Configuration procedure

# Remove port1, port2, port3, port4 from default VLAN (VLAN1).
switch(config)#vlan static set vid
# Create VLAN 2
switch(config)#vlan static add vid 2 01u02u
# Set the vlan port pvid of port1 and port2
switch(config)#vlan port pvid 1 2
switch(config)#vlan port pvid 2 2
# Create VLAN 3
switch(config)#vlan static add vid 3 03u04u
# Set the vlan port pvid of port3 and port4
switch(config)#vlan port pvid 3 3
switch(config)#vlan port pvid
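The procedure above only isolates the ports if every untagged port also gets a PVID that matches its VLAN, because the PVID decides which VLAN untagged ingress frames are placed in. The following audit script is an added example, not part of the manual: it replays commands in the syntax shown in sections 7.2 and 7.3 and reports ports whose PVID and untagged membership disagree. It assumes a factory default of all ports untagged in VLAN 1 with PVID 1, assumes that both add and set define the full member list of a VLAN, and uses a constructed six-port configuration in which the PVID command for port 4 is missing.

```python
import re

PORT_ITEM = re.compile(r"(\d{2})([um])")      # port-number + u|m, e.g. 01u
PROMPT = re.compile(r"^\S+\(config\)#\s*")    # strips "switch(config)#"

# Constructed sample input (not from the manual): port 4 never gets a PVID.
SAMPLE_CONFIG = [
    "# keep only ports 5 and 6 in the default VLAN",
    "switch(config)#vlan static set vid 1 05u06u",
    "switch(config)#vlan static add vid 2 01u02u",
    "switch(config)#vlan port pvid 1 2",
    "switch(config)#vlan port pvid 2 2",
    "switch(config)#vlan static add vid 3 03u04u",
    "switch(config)#vlan port pvid 3 3",
]


def parse_port_list(text):
    """Parse a port-list such as '01u02m' into {1: 'u', 2: 'm'}."""
    items = PORT_ITEM.findall(text)
    if not items or "".join(n + t for n, t in items) != text:
        raise ValueError(f"malformed port-list: {text!r}")
    return {int(n): t for n, t in items}


def apply_config(lines, port_count):
    """Replay VLAN commands; return (members, pvid) for the resulting state."""
    # Assumption: factory default is every port untagged in VLAN 1, PVID 1.
    members = {1: {p: "u" for p in range(1, port_count + 1)}}
    pvid = {p: 1 for p in range(1, port_count + 1)}
    for raw in lines:
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("#"):
            continue
        tok = line.lower().split()
        if (tok[:2] == ["vlan", "static"] and len(tok) == 6
                and tok[2] in ("add", "set") and tok[3] == "vid"):
            vid, ports = int(tok[4]), parse_port_list(tok[5])
            if not 1 <= vid <= 4096:          # range stated in the manual
                raise ValueError(f"vid out of range: {vid}")
            if max(ports) > port_count:
                raise ValueError(f"unknown port in {tok[5]!r}")
            members[vid] = ports              # assumed: replaces member list
        elif tok[:3] == ["vlan", "port", "pvid"] and len(tok) == 5:
            port, vid = int(tok[3]), int(tok[4])
            if port not in pvid:
                raise ValueError(f"unknown port: {port}")
            pvid[port] = vid
        else:
            raise ValueError(f"unsupported or incomplete command: {line!r}")
    return members, pvid


def audit(members, pvid):
    """Return (port, problem) pairs where PVID and membership disagree."""
    findings = []
    for port in sorted(pvid):
        pv = pvid[port]
        untagged = sorted(v for v, pl in members.items() if pl.get(port) == "u")
        if len(untagged) > 1:
            findings.append((port, f"untagged in several VLANs {untagged}"))
        if pv not in members:
            findings.append((port, f"PVID {pv} is not a configured VLAN"))
        elif port not in members[pv]:
            findings.append((port, f"PVID {pv} but not a member of VLAN {pv}"))
        for vid in untagged:
            if vid != pv:
                findings.append((port, f"untagged in VLAN {vid} but PVID is {pv}"))
    return findings


if __name__ == "__main__":
    for port, problem in audit(*apply_config(SAMPLE_CONFIG, 6)):
        print(f"port {port:02d}: {problem}")
```

Run against the constructed input, the audit reports port 4 twice: its untagged egress is VLAN 3 while its untagged ingress still lands in VLAN 1.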

8 GVRP Configuration

8.1 GVRP Overview

GARP VLAN Registration Protocol (GVRP) is a GARP application. Based on the GARP operating mechanism, GVRP maintains the dynamic VLAN registration information in the switch and propagates the information to other switches. All the GVRP-supporting switches can receive VLAN registration information from other switches and dynamically update the local VLAN registration information, including the active members and through which port those members can be reached. All the GVRP-supporting switches can propagate their local VLAN registration information to other switches so that the VLAN information can be consistent on all GVRP-supporting devices in one switching network. The VLAN registration information propagated by GVRP includes both the local static registration information configured manually and the dynamic registration information from other switches.

GVRP is described in detail in the IEEE 802.1Q standard. SPEED series switches fully support the GARP compliant with the IEEE standards.

Main GVRP configuration includes:
- Enabling/disabling global GVRP
- Enabling/disabling port GVRP

8.2 Enabling/Disabling Global GVRP

You can use the following command to enable/disable global GVRP.

Beginning in privileged EXEC mode, follow these steps to enable global GVRP.

Step 2   system gvrp enable
         Enable global GVRP.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show system configuration
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

By default, global GVRP is disabled. To disable global GVRP, use the system gvrp disable global configuration command.

8.3 Enabling/Disabling Port GVRP

You can use the following command to enable/disable GVRP on a port.

Beginning in privileged EXEC mode, follow these steps to enable port GVRP.

Step 2   vlan port gvrp port-number enable
         Enable port GVRP.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show vlan port
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

By default, port GVRP is enabled. To disable port GVRP, use the vlan port gvrp port-number disable global configuration command.

8.4 GVRP Configuration Example

I. Networking requirements

To dynamically register and update VLAN information among switches, GVRP needs to be enabled on the switches.

II. Networking diagram

Figure 8-1 GVRP configuration example

III. Configuration procedure

Configure Switch A:
# Enable GVRP globally.
Switch(config)#system gvrp enable

Configure Switch B:
# Enable GVRP globally.
Switch(config)#system gvrp enable

9 STP Configuration

9.1 STP Overview

The switch supports STP (spanning tree protocol) and RSTP (rapid spanning tree protocol).

STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Switches might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network. Spanning-tree operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.

The STP uses a spanning-tree algorithm to select one switch of a redundantly connected network as the root of the spanning tree. The algorithm calculates the best loop-free path through a switched Layer 2 network by assigning a role to each port based on the role of the port in the active topology:
- Root: A forwarding port elected for the spanning-tree topology
- Designated: A forwarding port elected for every switched LAN segment
- Alternate: A blocked port providing an alternate path to the root port in the spanning tree
- Backup: A blocked port in a loopback configuration

Switches that have ports with these assigned roles are called root or designated switches.

Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path. Switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at regular intervals. The switches do not forward these frames but use them to construct a loop-free path.

BPDUs contain information about the sending switch and its ports, including switch and MAC addresses, switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment.

When two ports on a switch are part of a loop, the spanning-tree port priority and path cost settings control which port is put in the forwarding state and which is put in the blocking state. The spanning-tree port priority value represents the location of a port in the network topology and how well it is located to pass traffic. The path cost value represents the media speed.

9.2 Spanning-Tree Topology and BPDUs

The stable, active spanning-tree topology of a switched network is controlled by these elements:
- The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. In a switch stack, all switches use the same bridge ID for a given spanning-tree instance.
- The spanning-tree path cost to the root switch.
- The port identifier (port priority and MAC address) associated with each Layer 2 interface.

When the switches in a network are powered up, each functions as the root switch. Each switch sends a configuration BPDU through all of its ports. The BPDUs communicate and compute the spanning-tree topology. Each configuration BPDU contains this information:
- The unique bridge ID of the switch that the sending switch identifies as the root switch
- The spanning-tree path cost to the root
- The bridge ID of the sending switch
- Message age
- The identifier of the sending interface
- Values for the hello, forward delay, and max-age protocol timers

When a switch receives a configuration BPDU that contains superior information (lower bridge ID, lower path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the switch, the switch also forwards it with an updated message to all attached LANs for which it is the designated switch.

If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port, it discards the BPDU. If the switch is a designated switch for the LAN from which the inferior BPDU was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this way, inferior information is discarded, and superior information is propagated on the network.

A BPDU exchange results in these actions:
- One switch in the network is elected as the root switch (the logical center of the spanning-tree topology in a switched network). In a switch stack, one stack member is elected as the stack root switch. The stack root switch contains the outgoing root port (Switch 1), as shown in Figure 9-1.
  For each VLAN, the switch with the highest switch priority (the lowest numerical priority value) is elected as the root switch. If all switches are configured with the default priority (32768), the switch with the lowest MAC address in the VLAN becomes the root switch. The switch priority value occupies the most significant bits of the bridge ID, as shown in Table 9-1.
- A root port is selected for each switch (except the root switch). This port provides the best path (lowest cost) when the switch forwards packets to the root switch.
  When selecting the root port on a switch stack, spanning tree follows this sequence:
  - Selects the lowest root bridge ID
  - Selects the lowest path cost to the root switch
  - Selects the lowest designated bridge ID
  - Selects the lowest designated path cost
  - Selects the lowest port ID

  Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure 9-1.
- The shortest distance to the root switch is calculated for each switch based on the path cost.
- A designated switch for each LAN segment is selected. The designated switch incurs the lowest path cost when forwarding packets from that LAN to the root switch. The port through which the designated switch is attached to the LAN is called the designated port.

Figure 9-1 Spanning-Tree Port States in a Switch Stack

All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode.

9.3 Bridge ID, Switch Priority, and Extended System ID

The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+, the same switch must have as many different bridge IDs as VLANs configured on it. Each VLAN on the switch has a unique 8-byte bridge ID. The two most-significant bytes are used for the switch priority, and the remaining six bytes are derived from the switch MAC address.

The SPEED 3224A switch supports the 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID. As shown in Table 9-1, the two bytes previously used for the switch priority are reallocated into a 4-bit priority value and a 12-bit extended system ID value equal to the VLAN ID.

Table 9-1 Switch Priority Value and Extended System ID

Spanning tree uses the extended system ID, the switch priority, and the allocated spanning-tree MAC address to make the bridge ID unique for each VLAN. Because the switch stack appears as a single switch to the rest of the network, all switches in the stack use the same bridge ID for a given spanning tree. If the stack master fails, the stack members recalculate their bridge IDs of all running spanning trees based on the new MAC address of the new stack master.

Support for the extended system ID affects how you manually configure the root switch, the secondary root switch, and the switch priority of a VLAN. For example, when you change the switch priority value, you change the probability that the switch will be elected as the root switch. Configuring a higher value decreases the probability; a lower value increases the probability.

9.4 Spanning-Tree Interface States

Propagation delays can occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When an interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops. Interfaces must wait for new topology information to propagate through the switched LAN before starting to forward frames. They must allow the frame lifetime to expire for forwarded frames that have used the old topology.

Each Layer 2 interface on a switch using spanning tree exists in one of these states:
- Blocking: The interface does not participate in frame forwarding.
- Listening: The first transitional state after the blocking state when the spanning tree decides that the interface should participate in frame forwarding.
- Learning: The interface prepares to participate in frame forwarding.
- Forwarding: The interface forwards frames.
- Disabled: The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.

An interface moves through these states:
- From initialization to blocking
- From blocking to listening or to disabled
- From listening to learning or to disabled
- From learning to forwarding or to disabled
- From forwarding to disabled

Figure 9-2 illustrates how an interface moves through the states.

Figure 9-2 Spanning-Tree Interface States

When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN, or network goes through the blocking state and the transitory states of listening and learning. Spanning tree stabilizes each interface at the forwarding or blocking state.

When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs:
1. The interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state.
2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer.
3. In the learning state, the interface continues to block frame forwarding as the switch learns end-station location information for the forwarding database.
4. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled.

Blocking State

A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch. If there is only one switch in the network, no exchange occurs, the forward-delay timer expires, and the interface moves to the listening state. An interface always enters the blocking state after switch initialization.

An interface in the blocking state performs these functions:
- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Does not learn addresses
- Receives BPDUs

Listening State

The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding.

An interface in the listening state performs these functions:
- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Does not learn addresses
- Receives BPDUs

Learning State

A Layer 2 interface in the learning state prepares to participate in frame forwarding. The interface enters the learning state from the listening state.

An interface in the learning state performs these functions:
- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Learns addresses
- Receives BPDUs

Forwarding State

A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state.

An interface in the forwarding state performs these functions:
- Receives and forwards frames received on the interface
- Forwards frames switched from another interface
- Learns addresses
- Receives BPDUs

9.4.5 Disabled State

A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.

A disabled interface performs these functions:

- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Does not learn addresses
- Does not receive BPDUs

9.5 How a Switch or Port Becomes the Root Switch or Root Port

If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch. In Figure 9-3, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch. By increasing the priority (lowering the numerical value) of the ideal switch so that it becomes the root switch, you force a spanning-tree recalculation to form a new topology with the ideal switch as the root.

Figure 9-3 Spanning-Tree Topology

When the spanning-tree topology is calculated based on default parameters, the path between source and destination end stations in a switched network might not be ideal. For instance, connecting higher-speed links to an interface that has a higher number than the root port can cause a root-port change. The goal is to make the fastest link the root port.

For example, assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B (a 10/100 link) is the root port. Network traffic might be more efficient over the Gigabit Ethernet link. By changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical value) than the root port, the Gigabit Ethernet port becomes the new root port.

9.6 Spanning Tree and Redundant Connectivity

You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure 9-4. Spanning tree automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled. If the speeds are the same, the port priority and port ID are added together, and spanning tree disables the link with the lowest value.

Figure 9-4 Spanning Tree and Redundant Connectivity

You can also create redundant links between switches by using Channel groups.

9.7 Spanning-Tree Address Management

IEEE 802.1D specifies 17 multicast addresses, ranging from 0x0180C to 0x0180C , to be used by different bridge protocols. These addresses are static addresses that cannot be removed. Regardless of the spanning-tree state, each switch in the stack receives but does not forward packets destined for addresses between 0x0180C and 0x0180C200000F. If spanning tree is enabled, the CPU on each switch in the stack receives packets destined for 0x0180C and 0x0180C If spanning tree is disabled, each switch in the stack forwards those packets as unknown multicast addresses.

9.8 Accelerated Aging to Retain Connectivity

The default for aging dynamic addresses is 5 minutes, the default setting of the mac address-table aging-time global configuration command. However, a spanning-tree reconfiguration can cause many station locations to change. Because these stations could be unreachable for 5 minutes or more during a reconfiguration, the address-aging time is accelerated so that station addresses can be dropped from the address table and then relearned. The accelerated aging is the same as the forward-delay parameter value when the spanning tree reconfigures.

9.9 Configuring STP Features

These sections describe how to configure spanning-tree features:

- Configure the STP running mode
- Configure the Bridge priority for a switch
- Configure the time parameters of a switch
- Configure the priority of a port
- Enable/disable STP on the device
- Enable/disable STP on a port

Configure the STP Running Mode

You can use the following command to specify the STP running mode. Beginning in privileged EXEC mode, follow these steps to specify the STP running mode.

Step 2: spanning-tree mode stp
    Specify STP as the running mode.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show spanning-tree mode
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To specify RSTP as the running mode, use the spanning-tree mode rstp global configuration command.

Configure the Bridge Priority for a Switch

Whether a switch can be elected as the spanning tree root depends on its Bridge priority. The switch configured with a smaller Bridge priority is more likely to become the root. Beginning in privileged EXEC mode, follow these steps to configure the Bridge priority for a switch.

Step 2: spanning-tree bridge priority priority
    Configure the Bridge priority of the Designated bridge.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show spanning-tree bridge
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

Note: For priority, the range is 1 to 65535; the default is The lower the number, the more likely the switch will be chosen as the root switch.

Caution: In the process of spanning tree root election, of two or more switches with the lowest Bridge priorities, the one that has the smaller MAC address will be elected as the root.

Configure the Time Parameters of a Switch

The switch has three time parameters: Forward Delay, Hello Time, and Max Age.

Forward Delay is the switch state transition mechanism. The spanning tree is recalculated upon link faults and its structure changes accordingly. However, the recalculated configuration BPDU cannot be propagated throughout the network immediately. Temporary loops may occur if the new root port and designated port forward data right after being elected. Therefore the protocol adopts a state transition mechanism. It takes a Forward Delay interval for the root port and designated port to transit from the learning state to the forwarding state. The Forward Delay guarantees a period of time during which the new configuration BPDU can be propagated throughout the network.

The switch sends Hello packets periodically, at an interval specified by Hello Time, to check whether there is any link fault.

Max Age specifies when the configuration BPDU expires. The switch discards the expired configuration BPDU.

You can use the following commands to configure the time parameters for the switch. Beginning in privileged EXEC mode, follow these steps to configure the time parameters of a switch.

Step 2: spanning-tree bridge forward centiseconds
    Configure Forward Delay on the switch. For forward delay, the range is 400 to 3000; the default is
Step 3: spanning-tree bridge hellotime centiseconds
    Configure Hello Time on the switch. For hello time, the range is 100 to 1000; the default is 200.
Step 4: spanning-tree bridge maxage centiseconds
    Configure Max Age on the switch. For Max Age, the range is 10 to ; the default is
Step 5: exit
    Return to privileged EXEC mode.
Step 6: show spanning-tree bridge
    Verify your entries.
Step 7: write
    (Optional) Save your entries in the configuration file.

Note:

The Forward Delay configured on a switch depends on the switching network diameter. Generally, the Forward Delay should be longer when the network diameter is longer. Too short a Forward Delay may redistribute some redundant routes temporarily, while too long a Forward Delay may prolong the time the network takes to resume connectivity. The default value is recommended.

A suitable Hello Time lets the switch detect link faults on the network while occupying only moderate network resources. The default value is recommended. If you set too long a Hello Time, the switch may mistake a packet dropped over a link for a link fault, and the network device will recalculate the spanning tree accordingly. With too short a Hello Time, however, the switch sends configuration BPDUs frequently, which adds to its burden and wastes network resources.

Too short a Max Age may cause the network device to calculate the spanning tree frequently and to mistake congestion for a link fault. However, if the Max Age is too long, the network device may not be able to discover a link fault and recalculate the spanning tree in time, which weakens the auto-adaptation capacity of the network. The default value is recommended.

To avoid frequent network flapping, the values of Hello Time, Forward Delay and Maximum Age should satisfy the following formulas:

2 * (forward-delay - 1 seconds) >= maximum-age
maximum-age >= 2 * (hello seconds)

You are recommended to use the stp root primary command to specify the network diameter and Hello Time of the switching network, so that MSTP automatically calculates suitable values.
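The timer ranges and the relationship between the three timers can be checked offline before a configuration is written to the switch. The following Python linter is an added example, not code from this manual or the vendor; it reads the spanning-tree bridge (centiseconds) and rstp bridge (seconds) timer commands documented in this guide, assumes the STP-mode defaults equal the RSTP defaults of 15 s, 2 s and 20 s, and uses the IEEE 802.1D form of the lower bound, max age >= 2 * (hello time + 1 s).

```python
import re

# Ranges as stated in the manual. STP timers are entered in centiseconds,
# RSTP timers in seconds. The STP Max Age range is incomplete in the manual,
# so that command is parsed but not range-checked.
RANGES = {
    ("spanning-tree", "forward"): (400, 3000),
    ("spanning-tree", "hellotime"): (100, 1000),
    ("rstp", "forwarddelay"): (4, 30),
    ("rstp", "hellotime"): (1, 10),
    ("rstp", "maxage"): (6, 40),
}
KNOWN = set(RANGES) | {("spanning-tree", "maxage")}
TIMER = {"forward": "forward_delay", "forwarddelay": "forward_delay",
         "hellotime": "hello_time", "maxage": "max_age"}
CENTISECONDS_PER_UNIT = {"spanning-tree": 1, "rstp": 100}

# Defaults in centiseconds, taken from the RSTP procedure (15 s, 2 s, 20 s).
# Assumption: the STP-mode defaults are the same values.
DEFAULTS_CS = {"forward_delay": 1500, "hello_time": 200, "max_age": 2000}

LINE_RE = re.compile(r"^(spanning-tree|rstp)\s+bridge\s+([a-z]+)\s+(\d+)$")

# Constructed sample configurations (not captured from a real device).
SAMPLE_RSTP = """
spanning-tree mode rstp
rstp bridge forwarddelay 15
rstp bridge hellotime 10
rstp bridge maxage 20
"""
SAMPLE_STP = """
spanning-tree mode stp
spanning-tree bridge forward 300
"""


def lint_timers(config_text):
    """Return findings for the bridge timer commands found in config_text."""
    findings = []
    timers = dict(DEFAULTS_CS)
    for raw in config_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # not a bridge timer command
        family, keyword, value = match.group(1), match.group(2), int(match.group(3))
        if (family, keyword) not in KNOWN:
            continue  # e.g. bridge priority, or a keyword from the other mode
        bounds = RANGES.get((family, keyword))
        if bounds and not bounds[0] <= value <= bounds[1]:
            findings.append(
                f"{line}: outside documented range {bounds[0]}-{bounds[1]}")
        # Normalise to integer centiseconds so both modes compare exactly.
        timers[TIMER[keyword]] = value * CENTISECONDS_PER_UNIT[family]

    forward_delay = timers["forward_delay"]
    hello_time = timers["hello_time"]
    max_age = timers["max_age"]
    # 2 * (forward-delay - 1 s) >= max-age, with 1 s = 100 centiseconds.
    if 2 * (forward_delay - 100) < max_age:
        findings.append(
            f"forward delay {forward_delay / 100:g}s is too short for "
            f"max age {max_age / 100:g}s: temporary loops are possible")
    # max-age >= 2 * (hello + 1 s), the IEEE 802.1D lower bound.
    if max_age < 2 * (hello_time + 100):
        findings.append(
            f"hello time {hello_time / 100:g}s is too long for "
            f"max age {max_age / 100:g}s: BPDUs may expire between hellos")
    return findings


if __name__ == "__main__":
    for name, text in (("rstp", SAMPLE_RSTP), ("stp", SAMPLE_STP)):
        for finding in lint_timers(text):
            print(f"[{name}] {finding}")
```

Timers that are not set in the input keep the default values, so a partial configuration is checked against what the switch would actually run.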

9.9.4 Configure Port Priority

If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) to interfaces that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.

Beginning in privileged EXEC mode, follow these steps to configure the port priority.

Step 2: spanning-tree port port-number priority priority
    Configure port priority. For priority, the range is 1 to 255; the default is 128.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show spanning-tree bridge
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

Enable/Disable STP on the Device

You can use the following command to enable STP on the device. Beginning in privileged EXEC mode, follow these steps to enable STP on the device.

Step 2: system span enable
    Enable STP on a device.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show system config
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To disable STP on a device, use the system span disable global configuration command.

Other STP configurations take effect only if STP has been enabled on the device. By default, STP is disabled.

9.9.6 Enable/Disable STP on a Port

You can use the following command to enable/disable STP on a port. You may disable STP on some Ethernet ports of a switch to spare them from spanning tree calculation. This is a measure to flexibly control STP operation and save the CPU resources of the switch.

Beginning in privileged EXEC mode, follow these steps to enable STP on a port.

Step 2: spanning-tree port port-number enable
    Enable STP on a device
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show spanning-tree ports
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To disable STP on a port, use the spanning-tree port port-number disable global configuration command.

Note that redundant routes may be generated after STP is disabled. By default, STP is enabled on all the ports after it is enabled on the device.

10 RSTP Configuration

10.1 RSTP Overview

The switch supports STP (spanning tree protocol) and RSTP (rapid spanning tree protocol). RSTP converges fast but still has a drawback: all the network bridges in a VLAN share a spanning tree, and the redundant links cannot be blocked by VLAN.

STP is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Switches might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network. Spanning-tree operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.

The STP uses a spanning-tree algorithm to select one switch of a redundantly connected network as the root of the spanning tree. The algorithm calculates the best loop-free path through a switched Layer 2 network by assigning a role to each port based on the role of the port in the active topology:

- Root: A forwarding port elected for the spanning-tree topology
- Designated: A forwarding port elected for every switched LAN segment
- Alternate: A blocked port providing an alternate path to the root port in the spanning tree
- Backup: A blocked port in a loop back configuration

Switches that have ports with these assigned roles are called root or designated switches.

Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path. Switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at regular intervals. The switches do not forward these frames but use them to construct a loop-free path. BPDUs contain information about the sending switch and its ports, including switch and MAC addresses, switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment.

When two ports on a switch are part of a loop, the spanning-tree port priority and path cost settings control which port is put in the forwarding state and which is put in the blocking state. The spanning-tree port priority value represents the location of a port in the network topology and how well it is located to pass traffic. The path cost value represents the media speed.

Spanning-Tree Topology and BPDUs

The stable, active spanning-tree topology of a switched network is controlled by these elements:

- The unique bridge ID (switch priority and MAC address) associated with each VLAN on each switch. In a switch stack, all switches use the same bridge ID for a given spanning-tree instance.
- The spanning-tree path cost to the root switch.
- The port identifier (port priority and MAC address) associated with each Layer 2 interface.

When the switches in a network are powered up, each functions as the root switch. Each switch sends a configuration BPDU through all of its ports. The BPDUs communicate and compute the spanning-tree topology. Each configuration BPDU contains this information:

- The unique bridge ID of the switch that the sending switch identifies as the root switch
- The spanning-tree path cost to the root
- The bridge ID of the sending switch
- Message age
- The identifier of the sending interface
- Values for the hello, forward delay, and max-age protocol timers

When a switch receives a configuration BPDU that contains superior information (lower bridge ID, lower path cost, and so forth), it stores the information for that port. If this BPDU is received on the root port of the switch, the switch also forwards it with an updated message to all attached LANs for which it is the designated switch.

If a switch receives a configuration BPDU that contains inferior information to that currently stored for that port, it discards the BPDU. If the switch is a designated switch for the LAN from which the inferior BPDU was received, it sends that LAN a BPDU containing the up-to-date information stored for that port. In this way, inferior information is discarded, and superior information is propagated on the network.

A BPDU exchange results in these actions:

- One switch in the network is elected as the root switch (the logical center of the spanning-tree topology in a switched network). In a switch stack, one stack member is elected as the stack root switch. The stack root switch contains the outgoing root port (Switch 1), as shown in Figure
  For each VLAN, the switch with the highest switch priority (the lowest numerical priority value) is elected as the root switch. If all switches are configured with the default priority (32768), the switch with the lowest MAC address in the VLAN becomes the root switch. The switch priority value occupies the most significant bits of the bridge ID, as shown in Table
- A root port is selected for each switch (except the root switch). This port provides the best path (lowest cost) when the switch forwards packets to the root switch.
  When selecting the root port on a switch stack, spanning tree follows this sequence:
  - Selects the lowest root bridge ID
  - Selects the lowest path cost to the root switch
  - Selects the lowest designated bridge ID
  - Selects the lowest designated path cost
  - Selects the lowest port ID
- Only one outgoing port on the stack root switch is selected as the root port. The remaining switches in the stack become its designated switches (Switch 2 and Switch 3) as shown in Figure
- The shortest distance to the root switch is calculated for each switch based on the path cost.
- A designated switch for each LAN segment is selected. The designated switch incurs the lowest path cost when forwarding packets from that LAN to the root switch. The port through which the designated switch is attached to the LAN is called the designated port.

Figure 10-1 Spanning-Tree Port States in a Switch Stack

All paths that are not needed to reach the root switch from anywhere in the switched network are placed in the spanning-tree blocking mode.

Bridge ID, Switch Priority, and Extended System ID

The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered as a different logical bridge with PVST+ and rapid PVST+, the same switch must have as many different bridge IDs as VLANs configured on it. Each VLAN on the switch has a unique 8-byte bridge ID. The two most-significant bytes are used for the switch priority, and the remaining six bytes are derived from the switch MAC address.

The SPEED 3224A switch supports the 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID. As shown in Table 10-1, the two bytes previously used for the switch priority are reallocated into a 4-bit priority value and a 12-bit extended system ID value equal to the VLAN ID.

Table 10-1 Switch Priority Value and Extended System ID
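The bridge ID layout described for Table 10-1 and the lowest-bridge-ID election can be reproduced offline to confirm that the switch you intend as root actually wins, and that it wins because of its configured priority rather than its MAC address. The following Python code is an added example, not part of this manual or the vendor's software; the switch names follow Figure 10-3, the MAC addresses are constructed documentation values, and the 4096 step for priority is an assumption that follows from the 4-bit priority field.

```python
DEFAULT_PRIORITY = 32768  # default switch priority given in the manual


def encode_bridge_id(priority, vlan_id, mac):
    """Build the 8-byte bridge ID: 4-bit priority, 12-bit VLAN ID, 6-byte MAC."""
    if priority not in range(0, 61441, 4096):
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 0 <= vlan_id <= 4095:
        raise ValueError("extended system ID (VLAN ID) must fit in 12 bits")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    # A multiple of 4096 already occupies the top 4 bits of the 16-bit field.
    return (priority | vlan_id).to_bytes(2, "big") + mac_bytes


def decode_bridge_id(bridge_id):
    """Split an 8-byte bridge ID into (priority, vlan_id, mac)."""
    if len(bridge_id) != 8:
        raise ValueError("bridge ID must be 8 bytes")
    head = int.from_bytes(bridge_id[:2], "big")
    mac = ":".join(f"{byte:02x}" for byte in bridge_id[2:])
    return head & 0xF000, head & 0x0FFF, mac


def elect_root(switches, vlan_id):
    """Return (winner, bridge_ids); the numerically lowest bridge ID wins.

    switches maps a switch name to (priority, mac).
    """
    bridge_ids = {name: encode_bridge_id(priority, vlan_id, mac)
                  for name, (priority, mac) in switches.items()}
    # bytes objects compare lexicographically, i.e. priority first, then MAC.
    return min(bridge_ids, key=bridge_ids.get), bridge_ids


def audit_root(switches, vlan_id, intended_root):
    """Return (winner, findings) for a planned root placement."""
    winner, _ = elect_root(switches, vlan_id)
    findings = []
    if winner != intended_root:
        findings.append(f"{winner} is elected root, not {intended_root}")
    winner_priority = switches[winner][0]
    tied = sorted(name for name, (priority, _) in switches.items()
                  if name != winner and priority == winner_priority)
    if tied:
        findings.append(
            f"{winner} wins on MAC address only; same priority "
            f"{winner_priority} on: {', '.join(tied)}")
    return winner, findings


# Constructed inventory: every switch left at the default priority.
INVENTORY = {
    "Switch A": (DEFAULT_PRIORITY, "00:00:5e:00:53:0a"),
    "Switch B": (DEFAULT_PRIORITY, "00:00:5e:00:53:0b"),
    "Switch C": (DEFAULT_PRIORITY, "00:00:5e:00:53:0c"),
}
# Same inventory after lowering the numerical priority on the intended root.
PLANNED = dict(INVENTORY)
PLANNED["Switch B"] = (4096, "00:00:5e:00:53:0b")

if __name__ == "__main__":
    for label, inventory in (("default", INVENTORY), ("planned", PLANNED)):
        winner, findings = audit_root(inventory, 1, "Switch B")
        print(label, "root:", winner, findings or "ok")
```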

Spanning tree uses the extended system ID, the switch priority, and the allocated spanning-tree MAC address to make the bridge ID unique for each VLAN. Because the switch stack appears as a single switch to the rest of the network, all switches in the stack use the same bridge ID for a given spanning tree. If the stack master fails, the stack members recalculate their bridge IDs of all running spanning trees based on the new MAC address of the new stack master.

Support for the extended system ID affects how you manually configure the root switch, the secondary root switch, and the switch priority of a VLAN. For example, when you change the switch priority value, you change the probability that the switch will be elected as the root switch. Configuring a higher value decreases the probability; a lower value increases the probability.

Spanning-Tree Interface States

Propagation delays can occur when protocol information passes through a switched LAN. As a result, topology changes can take place at different times and at different places in a switched network. When an interface transitions directly from nonparticipation in the spanning-tree topology to the forwarding state, it can create temporary data loops. Interfaces must wait for new topology information to propagate through the switched LAN before starting to forward frames. They must allow the frame lifetime to expire for forwarded frames that have used the old topology.

Each Layer 2 interface on a switch using spanning tree exists in one of these states:

- Blocking: The interface does not participate in frame forwarding.
- Listening: The first transitional state after the blocking state when the spanning tree decides that the interface should participate in frame forwarding.
- Learning: The interface prepares to participate in frame forwarding.
- Forwarding: The interface forwards frames.
- Disabled: The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.

An interface moves through these states:

- From initialization to blocking
- From blocking to listening or to disabled
- From listening to learning or to disabled
- From learning to forwarding or to disabled
- From forwarding to disabled

Figure 10-2 illustrates how an interface moves through the states.

Figure 10-2 Spanning-Tree Interface States

When you power up the switch, spanning tree is enabled by default, and every interface in the switch, VLAN, or network goes through the blocking state and the transitory states of listening and learning. Spanning tree stabilizes each interface at the forwarding or blocking state.

When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process occurs:

1. The interface is in the listening state while spanning tree waits for protocol information to transition the interface to the blocking state.
2. While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer.
3. In the learning state, the interface continues to block frame forwarding as the switch learns end-station location information for the forwarding database.
4. When the forward-delay timer expires, spanning tree moves the interface to the forwarding state, where both learning and frame forwarding are enabled.

Blocking State

A Layer 2 interface in the blocking state does not participate in frame forwarding. After initialization, a BPDU is sent to each switch interface. A switch initially functions as the root until it exchanges BPDUs with other switches. This exchange establishes which switch in the network is the root or root switch. If there is only one switch in the network, no exchange occurs, the forward-delay timer expires, and the interface moves to the listening state. An interface always enters the blocking state after switch initialization.

An interface in the blocking state performs these functions:

- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Does not learn addresses
- Receives BPDUs

Listening State

The listening state is the first state a Layer 2 interface enters after the blocking state. The interface enters this state when the spanning tree decides that the interface should participate in frame forwarding.

An interface in the listening state performs these functions:

- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Does not learn addresses
- Receives BPDUs

Learning State

A Layer 2 interface in the learning state prepares to participate in frame forwarding. The interface enters the learning state from the listening state.

An interface in the learning state performs these functions:

- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Learns addresses
- Receives BPDUs

Forwarding State

A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding state from the learning state.

An interface in the forwarding state performs these functions:

- Receives and forwards frames received on the interface
- Forwards frames switched from another interface
- Learns addresses
- Receives BPDUs

Disabled State

A Layer 2 interface in the disabled state does not participate in frame forwarding or in the spanning tree. An interface in the disabled state is nonoperational.

A disabled interface performs these functions:

- Discards frames received on the interface
- Discards frames switched from another interface for forwarding
- Does not learn addresses
- Does not receive BPDUs

10.5 How a Switch or Port Becomes the Root Switch or Root Port

If all switches in a network are enabled with default spanning-tree settings, the switch with the lowest MAC address becomes the root switch. In Figure 10-3, Switch A is elected as the root switch because the switch priority of all the switches is set to the default (32768) and Switch A has the lowest MAC address. However, because of traffic patterns, number of forwarding interfaces, or link types, Switch A might not be the ideal root switch. By increasing the priority (lowering the numerical value) of the ideal switch so that it becomes the root switch, you force a spanning-tree recalculation to form a new topology with the ideal switch as the root.

Figure 10-3 Spanning-Tree Topology

When the spanning-tree topology is calculated based on default parameters, the path between source and destination end stations in a switched network might not be ideal. For instance, connecting higher-speed links to an interface that has a higher number than the root port can cause a root-port change. The goal is to make the fastest link the root port.

For example, assume that one port on Switch B is a Gigabit Ethernet link and that another port on Switch B (a 10/100 link) is the root port. Network traffic might be more efficient over the Gigabit Ethernet link. By changing the spanning-tree port priority on the Gigabit Ethernet port to a higher priority (lower numerical value) than the root port, the Gigabit Ethernet port becomes the new root port.

Spanning Tree and Redundant Connectivity

You can create a redundant backbone with spanning tree by connecting two switch interfaces to another device or to two different devices, as shown in Figure Spanning tree automatically disables one interface but enables it if the other one fails. If one link is high-speed and the other is low-speed, the low-speed link is always disabled. If the speeds are the same, the port priority and port ID are added together, and spanning tree disables the link with the lowest value.

Figure 10-4 Spanning Tree and Redundant Connectivity

You can also create redundant links between switches by using Channel groups.

Spanning-Tree Address Management

IEEE 802.1D specifies 17 multicast addresses, ranging from 0x00180C to 0x0180C , to be used by different bridge protocols. These addresses are static addresses that cannot be removed. Regardless of the spanning-tree state, each switch in the stack receives but does not forward packets destined for addresses between 0x0180C and 0x0180C200000F. If spanning tree is enabled, the CPU on each switch in the stack receives packets destined for 0x0180C and 0x0180C If spanning tree is disabled, each switch in the stack forwards those packets as unknown multicast addresses.

10.8 Accelerated Aging to Retain Connectivity

The default for aging dynamic addresses is 5 minutes, the default setting of the mac address-table aging-time global configuration command. However, a spanning-tree reconfiguration can cause many station locations to change. Because these stations could be unreachable for 5 minutes or more during a reconfiguration, the address-aging time is accelerated so that station addresses can be dropped from the address table and then relearned. The accelerated aging is the same as the forward-delay parameter value when the spanning tree reconfigures.

Configuring RSTP Features

These sections describe how to configure spanning-tree features:

- Configure the STP running mode
- Configure the Bridge priority for a switch
- Configure the time parameters of a switch
- Configure the priority of a port
- Configure a port as an edge port
- Configure the Path Cost of a port
- Configure the mcheck variable of a port
- Configure the port (not) to connect with the point-to-point link
- Enable/disable STP on the device

Configure the STP Running Mode

You can use the following command to specify the STP running mode. Beginning in privileged EXEC mode, follow these steps to specify the STP running mode.

Step 2: spanning-tree mode rstp
    Specify RSTP as the running mode.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show spanning-tree mode
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To specify STP as the running mode, use the spanning-tree mode stp global configuration command.

Configure the Bridge Priority for a Switch

Whether a switch can be elected as the spanning tree root depends on its Bridge priority. The switch configured with a smaller Bridge priority is more likely to become the root. Beginning in privileged EXEC mode, follow these steps to configure the Bridge priority for a switch.

Step 2: rstp bridge priority priority
    Configure the Bridge priority of the Designated bridge.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show rstp bridge
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

Note: For priority, the range is 0 to 61440; the default is The lower the number, the more likely the switch will be chosen as the root switch.

Caution: In the process of spanning tree root election, of two or more switches with the lowest Bridge priorities, the one that has the smaller MAC address will be elected as the root.

Configure the Time Parameters of a Switch

The switch has three time parameters: Forward Delay, Hello Time, and Max Age.

Forward Delay is the switch state transition mechanism. The spanning tree is recalculated upon link faults and its structure changes accordingly. However, the recalculated configuration BPDU cannot be propagated throughout the network immediately. Temporary loops may occur if the new root port and designated port forward data right after being elected. Therefore the protocol adopts a state transition mechanism. It takes a Forward Delay interval for the root port and designated port to transit from the learning state to the forwarding state. The Forward Delay guarantees a period of time during which the new configuration BPDU can be propagated throughout the network.

The switch sends Hello packets periodically, at an interval specified by Hello Time, to check whether there is any link fault.

Max Age specifies when the configuration BPDU expires. The switch discards the expired configuration BPDU.

You can use the following commands to configure the time parameters for the switch. Beginning in privileged EXEC mode, follow these steps to configure the time parameters of a switch.

Step 2: rstp bridge forwarddelay seconds
    Configure Forward Delay on the switch. For forward delay, the range is 4 to 30; the default is 15.
Step 3: rstp bridge hellotime seconds
    Configure Hello Time on the switch. For hello time, the range is 1 to 10; the default is 2.
Step 4: rstp bridge maxage seconds
    Configure Max Age on the switch. For Max Age, the range is 6 to 40; the default is 20.
Step 5: exit
    Return to privileged EXEC mode.
Step 6: show spanning-tree bridge
    Verify your entries.
Step 7: write
    (Optional) Save your entries in the configuration file.

Note:

The Forward Delay configured on a switch depends on the switching network diameter. Generally, the Forward Delay should be longer when the network diameter is longer. Too short a Forward Delay may redistribute some redundant routes temporarily, while too long a Forward Delay may prolong the time the network takes to resume connectivity. The default value is recommended.

A suitable Hello Time lets the switch detect link faults on the network while occupying only moderate network resources. The default value is recommended. If you set too long a Hello Time, the switch may mistake a packet dropped over a link for a link fault, and the network device will recalculate the spanning tree accordingly. With too short a Hello Time, however, the switch sends configuration BPDUs frequently, which adds to its burden and wastes network resources.

Too short a Max Age may cause the network device to calculate the spanning tree frequently and to mistake congestion for a link fault. However, if the Max Age is too long, the network device may not be able to discover a link fault and recalculate the spanning tree in time, which weakens the auto-adaptation capacity of the network. The default value is recommended.

65 To avoid frequent network flapping, the values of Hello Time, Forward Delay and Maximum Age should guarantee the following formulas equal. 2 *(forward-delay - 1seconds) >= maximum-age maximum-age >= 2 *(hello seconds) You are recommended to use the stp root primary command to specify the network diameter and Hello Time of the switching network, thus MSTP will automatically calculate and give the rather desirable values Configure Port Priority If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state. You can assign higher priority values (lower numerical values) to interfaces that you want selected first and lower priority values (higher numerical values) that you want selected last. If all interfaces have the same priority value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces. Beginning in privileged EXEC mode, follow these steps to configure the port priority. Step 2 rstp port {port-number all} priority priority Configure port priority For priority, the range is 0 to 240; the default is 128. Step 3 exit Return to privileged EXEC mode. Step 4 show rstp port {port-number all} Verify your entries. Step 5 write (Optional) Save your entries in the configuration file Configure a Port as an Edge Port An edge port refers to the port not directly connected to any switch or indirectly connected to a switch over the connected network. After configured as an edge port, the port can fast transit from blocking state to forwarding state without any delay. In the case that BPDU protection has not been enabled on the switch, the configured edge port will turn into non-edge port again when it receives BPDU from other port. In the case that BPDU protection is enabled, the port will be disabled. Beginning in privileged EXEC mode, follow these steps to configure a port as a edge port

66 Step 2 rstp port {port-number all} edged-port enable Configure a port as an edge port. By default, all the Ethernet ports of the switch have been configured as non-edge ports. Step 3 exit Return to privileged EXEC mode. Step 4 show rstp port {port-number all} Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. To disable a port as an edge port, use rstp port {port-number all} edged-port disable global configuration command. Note: It is better to configure the port directly connected with terminal as the edged port, and enable the BPDU function on the port. That is to realize fast state-transition and prevent the switch from being attacked Configure the Path Cost of a Port Path Cost is related to the speed of the link connected to the port. You can configure the path cost of a port in the following ways. Beginning in privileged EXEC mode, follow these steps to configure a port as a edge port. Step 2 rstp port {port-number all} pathcost value Configure the Path Cost of a port. Value range is 0 to 240, by default value is auto. Step 3 exit Return to privileged EXEC mode. Step 4 show rstp port {port-number all} Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. Upon the change of path cost of a port, MSTP will recalculate the port role and transit the state. By default, RSTP is responsible for calculating the port path cost

Configure the mcheck Variable of a Port

The port of a switch operates in either STP or RSTP mode. You can use the following measure to perform the mcheck operation on a port.

Beginning in privileged EXEC mode, follow these steps to configure the mcheck variable of a port.

Step 2   rstp port {port-number | all} mcheck
         Perform mcheck operation on a port.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show rstp port {port-number | all}
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

Note that the command can be used only if the switch runs RSTP. The command has no effect when the switch runs in STP mode.

Configure the Port (not) to connect with the Point-to-Point Link

The point-to-point link directly connects two switches. You can configure the port (not) to connect with the point-to-point link in the following ways.

Beginning in privileged EXEC mode, follow these steps to configure the port (not) to connect with the point-to-point link.

Step 2   rstp port {port-number | all} point-to-point [force-true | force-false | auto]
         Configure the port (not) to connect with the point-to-point link. force-true indicates that the port connects with the point-to-point link. force-false indicates that the port does not connect with the point-to-point link.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show rstp port {port-number | all}
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

Ports connected with a point-to-point link can, once certain port role conditions are met, transit to the forwarding state quickly by transmitting synchronization packets, thereby reducing unnecessary forwarding delay. If the parameter is configured as auto mode, RSTP will automatically detect whether the current Ethernet port is connected with a point-to-point link. By default, the parameter is configured as auto.

Enable/Disable RSTP on the Device

You can use the following command to enable STP on the device.

Beginning in privileged EXEC mode, follow these steps to enable RSTP on the device.

Step 2   system span enable
         Enable STP on a device.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show system config
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To disable STP on a device, use the system span disable global configuration command.

Other STP configurations take effect only if STP has been enabled on the device. By default, STP is disabled.
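The time parameters configured earlier in this chapter each have their own range, and they also have to satisfy the timer relation together, so changing one value while the others stay at their defaults can leave the set inconsistent. The check below is an added example, not code from the manual or the vendor: it reads rstp bridge timer lines from a constructed configuration snippet and reports violations. The function names are hypothetical, and the lower bound on Max Age is taken in the IEEE 802.1D form 2 * (Hello Time + 1 second), an assumption because the manual's second formula is incomplete.

```python
import re

# Ranges and defaults as listed in the manual's time-parameter steps.
RANGES = {"forwarddelay": (4, 30), "hellotime": (1, 10), "maxage": (6, 40)}
DEFAULTS = {"forwarddelay": 15, "hellotime": 2, "maxage": 20}

# Matches "rstp bridge <timer> <value>", with or without a "Switch(config)#" prompt.
_TIMER_CMD = re.compile(
    r"^\s*(?:\S+\(config\)#\s*)?rstp\s+bridge\s+(forwarddelay|hellotime|maxage)\s+(\S+)\s*$"
)

# Constructed sample: Forward Delay and Hello Time are changed, Max Age stays at its default.
SAMPLE_CONFIG = """\
Switch(config)#rstp bridge priority 4096
Switch(config)#rstp bridge forwarddelay 8
Switch(config)#rstp bridge hellotime 10
"""


def parse_timers(config_text):
    """Return (timers, errors): the defaults overridden by the rstp bridge lines found."""
    timers, errors = dict(DEFAULTS), []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = _TIMER_CMD.match(line)
        if not match:
            continue
        name, raw = match.groups()
        if raw.isascii() and raw.isdigit():
            timers[name] = int(raw)
        else:
            errors.append(f"line {number}: {name} value {raw!r} is not a whole number of seconds")
    return timers, errors


def check_timers(timers):
    """Return the problems found in one timer set; an empty list means it is consistent."""
    problems = []
    for name, (low, high) in RANGES.items():
        if not low <= timers[name] <= high:
            problems.append(f"{name} {timers[name]} is outside the range {low} to {high}")
    forward_delay = timers["forwarddelay"]
    hello = timers["hellotime"]
    max_age = timers["maxage"]
    # Relation from the manual: 2 * (forward-delay - 1 seconds) >= maximum-age
    if 2 * (forward_delay - 1) < max_age:
        problems.append(
            f"maxage {max_age} exceeds 2 * (forwarddelay - 1) = {2 * (forward_delay - 1)}"
        )
    # Assumed IEEE 802.1D form of the second relation: maximum-age >= 2 * (hello + 1)
    if max_age < 2 * (hello + 1):
        problems.append(f"maxage {max_age} is below 2 * (hellotime + 1) = {2 * (hello + 1)}")
    return problems


def audit(config_text):
    """Parse a configuration snippet and return every problem with its STP timers."""
    timers, errors = parse_timers(config_text)
    return errors + check_timers(timers)


if __name__ == "__main__":
    for problem in audit(SAMPLE_CONFIG):
        print(problem)
```

Running the check on a saved configuration before committing it with write catches the case shown in the sample, where each value is inside its own range but the three values no longer fit together.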

11 IP Address Configuration
STCS3526 Series Layer 3 Switch User Guide

11.1 IP Address Overview

IP Address Classification and Indications

An IP address is a 32-bit address allocated to a device that accesses the Internet. It consists of two fields: the net-id field and the host-id field. There are five types of IP address. See the following figure.

Figure 11-1 Five classes of IP address

Class A, Class B and Class C addresses are unicast addresses, Class D addresses are multicast addresses, and Class E addresses are reserved for special applications in the future. The first three types are commonly used.

The IP address is in dotted decimal format. Each IP address contains 4 integers in dotted decimal notation. Each integer corresponds to one byte, e.g When using IP addresses, it should also be noted that some of them are reserved for special uses, and are seldom used. The IP addresses you can use are listed in the following table.

Table 11-1 IP address classes and ranges

Network class: A
Address range: to
IP network range: to
Note: Host ID with all the digits being 0 indicates that the IP address is the network address, and is used for network routing. Host ID with all the digits being 1 indicates the broadcast address, i.e. broadcast to all hosts on the network. IP address is used for the host that is not put into use after starting up. The IP address with network number as 0 indicates the current network and its network can be cited by the router without knowing its network number. Network ID with the format of 127.X.Y.Z is reserved for self-loop test and the packets sent to this address will not be output to the line. The packets are processed internally and regarded as input packets.

Network class: B
Address range: to
IP network range: to
Note: Host ID with all the digits being 0 indicates that the IP address is the network address, and is used for network routing. Host ID with all the digits being 1 indicates the broadcast address, i.e. broadcast to all hosts on the network.

Network class: C
Address range: to
IP network range: to
Note: Host ID with all the digits being 0 indicates that the IP address is the network address, and is used for network routing. Host ID with all the digits being 1 indicates the broadcast address, i.e. broadcast to all hosts on the network.

Network class: D
Address range: to
IP network range: None
Note: Addresses of class D are multicast addresses.

Network class: E
Address range: to
IP network range: None
Note: The addresses are reserved for future use.

Other addresses is used as LAN broadcast address

Subnet and Mask

Nowadays, with the rapid development of the Internet, IP addresses are being depleted very fast. The traditional IP address allocation method wastes IP addresses greatly. In order to make full use of the available IP addresses, the concept of mask and subnet was proposed.

A mask is a 32-bit number corresponding to an IP address. The number consists of 1s and 0s. In principle, these 1s and 0s can be combined randomly. However, the first consecutive bits are set to 1s when designing the mask. The mask divides the IP address into two parts: subnet address and host address. The bits of the address that correspond to 1s in the mask indicate the subnet address, and the other bits indicate the host address. If there is no subnet division, the subnet mask is the default value and the length of "1"s indicates the net-id length. Therefore, for IP addresses of classes A, B and C, the default values of corresponding sub-net mask are , and respectively.

The mask can be used to divide a Class A network containing more than 16,000,000 hosts or a Class B network containing more than 60,000 hosts into multiple small networks. Each small network is called a subnet. For example, for the Class B network address , the mask can be used to divide the network into 8 subnets: , , , , , , and (Refer to the following figure). Each subnet can contain more than 8000 hosts.

Figure 11-2 Subnet division of IP address

11.2 Configuring IP Address

The IP address configuration includes:

Configuring the AUX port IP Address
Configuring the IP Address of the VLAN Interface

Configuring the AUX port IP Address

When you use the applications like telnet or http locally, you can use IP address

Beginning in privileged EXEC mode, follow these steps to configure the AUX port IP address.

Step 2   interface aux ipaddress set ip-address net-mask
         Configure the AUX port IP address. By default AUX port IP address is
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show interface aux
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To delete the AUX port IP address, use the interface aux ipaddress delete ip-address global configuration command.

Configuring the IP Address of the VLAN Interface

You can configure an IP address for every VLAN interface of the switch. Generally, it is enough to configure one IP address for an interface. You can also configure up to thirty-two IP addresses for an interface, so that it can be connected to several subnets.

Beginning in privileged EXEC mode, follow these steps to configure the IP address of the VLAN interface.

Step 2   ip address add vint interface-id ip-address net-mask vid vlan-id [description string]
         Configure the IP address of the VLAN interface. Interface-id is the virtual interface number; the range is 0 to 32. By default, the IP address of a VLAN interface is null.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show ip address
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To delete the IP address of the VLAN interface, use the ip address delete ip-address global configuration command.

IP Address Configuration Example

I. Networking requirements

Configure the IP address as and sub-net mask as for the VLAN 1 of the switch.

II. Networking diagram

Figure 11-3 IP address configuration networking

III. Configuration procedure

Switch(config)#ip address add vint vid

11.4 Troubleshooting IP Address Configuration

Fault 1: The switch cannot ping through a certain host in the LAN.

Troubleshooting can be performed as follows:

Check the configuration of the switch. Use the show arp command to view the ARP entry table that the switch maintains.

Troubleshooting: First check which VLAN includes the port of the switch used to connect to the host. Check whether the VLAN has been configured with the VLAN interface. Then check whether the IP address of the VLAN interface and the host are on the same network segment.

12 ARP Configuration

12.1 Introduction to ARP

I. Necessity of ARP

An IP address cannot be directly used for communication between network devices because network devices can only identify MAC addresses. An IP address is only an address of a host in the network layer. To send the data packets transmitted through the network layer to the destination host, the physical address of the host is required. So the IP address must be resolved into a physical address.

II. ARP implementation procedure

When two hosts on the Ethernet communicate, they must know the MAC addresses of each other. Every host maintains an IP-MAC address translation table, which is known as the ARP mapping table. The ARP mapping table stores a series of mappings between the IP addresses and MAC addresses of other hosts that recently communicated with the local host. When a dynamic ARP mapping entry is not in use for a specified period of time, the host will remove it from the ARP mapping table so as to save memory space and shorten the time the switch needs to search the ARP mapping table.

Suppose there are two hosts on the same network segment: Host A and Host B. The IP address of Host A is IP_A and the IP address of Host B is IP_B. Host A will transmit messages to Host B. Host A checks its own ARP mapping table first to see whether there is a corresponding ARP entry for IP_B in the table. If the corresponding MAC address is found, Host A will use the MAC address in the ARP mapping table to encapsulate the IP packet in a frame and send it to Host B. If the corresponding MAC address is not found, Host A will store the IP packet in the queue waiting for transmission, and broadcast an ARP request packet throughout the Ethernet. The ARP request packet contains the IP address of Host B and the IP address and MAC address of Host A. Since the ARP request packet is broadcast, all hosts on the network segment can receive the request. However, only the requested host (i.e., Host B) needs to process the request.

Host B will first store the IP address and the MAC address of the request sender (Host A), taken from the ARP request packet, in its own ARP mapping table. Then Host B will generate an ARP reply packet, add the MAC address of Host B to it, and send it to Host A. The reply packet is sent directly to Host A instead of being broadcast. On receiving the reply packet, Host A will extract the IP address and the corresponding MAC address of Host B and add them to its own ARP mapping table. Then Host A will send Host B all the packets standing in the queue.

Normally, dynamic ARP executes and automatically searches for the resolution from the IP address to the Ethernet MAC address without the administrator.

Configuring ARP

The ARP mapping table can be maintained dynamically or manually. Usually, the manually configured mapping from the IP addresses to the MAC addresses is known as static ARP. The user can display, add or delete the entries in the ARP mapping table through relevant manual maintenance commands.

The static ARP configuration includes:

Manually adding/deleting static ARP Mapping Entries
Clear up the ARP table

Manually Adding/Deleting Static ARP Mapping Entries

Beginning in privileged EXEC mode, follow these steps to add static ARP mapping entries.

Step 2   arp add ip-address mac-address
         Add static ARP mapping entries.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show arp
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To delete static ARP mapping entries, use the arp delete ip-address global configuration command.

By default, the ARP mapping table is empty and the address mapping is obtained through dynamic ARP.

Clear up ARP Mapping Entries

Beginning in privileged EXEC mode, follow these steps to clear up ARP mapping entries.

Step 2   arp flush
         Clear up ARP mapping entries.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show arp
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

13 Configuring IP Routing

This chapter describes how to configure IP routing on the switch. A switch operates and appears as a single router to the rest of the routers in the network. The basic routing functions include static routing, the Routing Information Protocol (RIP) and the Open Shortest Path First protocol (OSPF).

Introduction to IP Route and Routing Table

IP Route and Route Segment

Routers are implemented for route selection in the Internet. A router works in the following way: it selects an appropriate path (through a network) according to the destination address of its received packet and forwards the packet to the next router. It works in this way hop by hop, and the last router in the path is responsible for submitting the packet to the destination host to complete the IP packet forwarding and the routing across network segments.

In a network, the router regards a path for sending a packet as a logical route unit, and calls it a Hop. For example, in the figure below, a packet sent from Host A to Host C should go through 2 routers, and the packet is transmitted through two hops and route segments. Therefore, when a node is connected to another node through a network, there is a hop between these two nodes and these two nodes are deemed adjacent in the Internet. By the same principle, adjacent routers are two routers connected to the same network. The number of route segments between a router and hosts in the same network is counted as zero. In the following figure, the bold arrows represent the hops. A router can be connected to any physical link that constitutes a route segment for routing packets via the network.

Figure 13-1 About hops

As the networks may have different sizes, the segment lengths connected between two different pairs of routers are also different. The number of route segments multiplied by a weighted coefficient can serve as a weighted measurement of the actual length of the signal transmission path.

If a router in a network is regarded as a node and a route segment in the Internet is regarded as a link, message routing in the Internet works in a similar way to message routing in a conventional network. A message routed through the shortest route may not always take the optimal route. For example, routing through 3 LAN route segments may be much faster than routing through 2 WAN route segments.

Route Selection through the Routing Table

The key for a router to forward packets is the routing table. Each router saves a routing table in its memory, and each entry of this table specifies the physical port of the router through which the packet is sent to a subnet or a host. Therefore, the packet can reach the next router via a particular path or reach a destination host via a directly connected network.

A routing table has the following key entries:

Destination address: It is used to identify the destination IP address or the destination network of an IP packet, which is 32 bits in length.

Network mask: It is made up of several consecutive "1"s, which can be expressed either in the dotted decimal format or by the number of the consecutive "1"s in the mask. Combined with the destination address, it is used to identify the network address of the destination host or router. If the destination address is ANDed with the network mask, you will get the address of the network segment where the destination host or router is located. For example, if the destination address is , the address of the network where the host or the router with the mask is located will be

Output interface: It indicates an interface through which an IP packet should be forwarded.

Next hop address: Indicates the next router that an IP packet will pass through.

Priority added to the IP routing table for a route: There may be different next hops to the same destination. These routes may be discovered by different routing protocols, or they can just be the static routes configured manually. The one with the highest priority (the smallest numerical value) will be selected as the current optimal route.

According to different destinations, the routes can be divided into the following:

Subnet route: The destination is a subnet.
Host route: The destination is a host.

In addition, according to whether the network of the destination host is directly connected to the router, there are the following types of routes:

Direct route: The router is directly connected to the network where the destination is located.
Indirect route: The router is not directly connected to the network where the destination is located.

In order to limit the size of the routing table, an option is available to set a default route. All the packets that fail to find a suitable entry will be forwarded through this default route.

In a complicated Internet as shown in the following figure, the number in each network is the network address. The router R8 is connected with three networks, so it has three IP addresses and three physical ports, and its routing table is shown in the diagram below:

Figure 13-2 The routing table

13.2 Routing Management Policy

The Routing Switches support the configuration of a series of dynamic routing protocols such as RIP and OSPF, as well as static routes. The static routes configured by the user are managed together with the dynamic routes as detected by the routing protocol.

The static routes and the routes learned or configured by different routing protocols can also be shared with each other.

Routing protocols and the preferences of the corresponding routes

Different routing protocols (as well as the static configuration) may generate different routes to the same destination, but not all these routes are optimal. In fact, at a certain moment, only one routing protocol can determine the current route to a specific destination. Thus, each of these routing protocols (including the static configuration) is given a preference, and when there are multiple routing information sources, the route discovered by the routing protocol with the highest preference will become the current route. Routing protocols and the default preferences (the smaller the value, the higher the preference) of the routes learned by them are shown in the following table.

Table 13-1 Routing protocols and the default preferences for the routes learned by them

Routing protocol or route type    The preference of the corresponding route
DIRECT                            0
OSPF                              10
STATIC                            60
RIP                               100
UNKNOWN                           255

In the table, 0 indicates a direct route and 255 indicates any route from an unreliable source.

Except for direct routing, the preferences of the various dynamic routing protocols can be manually configured to meet user requirements. In addition, the preferences for individual static routes can be different.

Supporting Load Sharing and Route Backup

I. Load sharing

Load sharing: Multi-route mode is supported, permitting the configuration of multiple routes that reach the same destination and use the same precedence. The same destination can be reached via multiple different paths whose precedences are equal. When there is no route with a higher precedence that can reach the same destination, the multiple routes will be adopted by IP, which will forward the packets to the destination via these paths so as to implement load sharing.

For the same destination, a specified routing protocol may find multiple different routes. If the routing protocol has the highest precedence among all active routing protocols, these multiple routes will be regarded as currently valid routes. Thus, load sharing of IP traffic is ensured in terms of routing protocols.

II. Route backup

Route backup: Route backup is supported. When the main route fails, the system will automatically switch to a backup route to improve network reliability.

In order to achieve route backup, the user can configure multiple routes to the same destination according to the actual situation. One of the routes has the highest precedence and is called the main route. The other routes have descending precedence and are called backup routes. Normally, the router sends data via the main route. When the line fails, the main route will hide itself and the router will choose, from the remaining routes, the one with the highest precedence as the backup route to send data. In this way, the switchover from the main route to the backup route is realized. When the main route recovers, the router will restore it and re-select the route. As the main route has the highest precedence, the router will choose the main route to send data. This process is the automatic switchover from the backup route to the main route.

Routes Shared between Routing Protocols

As the algorithms of various routing protocols are different, different protocols may generate different routes, which raises the problem of how to resolve the differences when different routes are generated by different routing protocols. The SPEED series switches can import the information of another routing protocol. Each protocol has its own route redistribution mechanism.

Static Route Configuration

Introduction to Static Route

Attributes and Functions of Static Route

A static route is a special route. You can set up an interconnecting network with the static route configuration. The problem with such a configuration is that when a fault occurs in the network, the static route cannot change automatically to steer away from the node causing the fault without the help of an administrator.

In a relatively simple network, you only need to configure the static routes to make the router work normally. The proper configuration and usage of the static route can improve the network performance and ensure the bandwidth of the important applications.
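Route selection as this chapter describes it combines three rules: the destination is ANDed with each entry's mask, the route with the smallest preference value becomes the current route, and equal preferences share the load while lower ones wait as backups. The model below is an added example, not code from the manual or the switch firmware: the class and function names are hypothetical, the addresses are constructed from documentation ranges, and preferring the most specific matching network (with 0.0.0.0 mask 0.0.0.0 as the default route) is standard IP forwarding behaviour rather than something the manual spells out.

```python
import ipaddress
from dataclasses import dataclass, field

# Default preferences from Table 13-1; the smaller the value, the higher the preference.
DEFAULT_PREFERENCE = {"DIRECT": 0, "OSPF": 10, "STATIC": 60, "RIP": 100, "UNKNOWN": 255}


@dataclass
class Route:
    destination: str          # destination address, dotted decimal
    mask: str                 # network mask, dotted decimal
    next_hop: str
    protocol: str
    preference: int = -1      # -1 means "use the protocol's default preference"
    up: bool = True           # False models a failed line: the route hides itself
    network: ipaddress.IPv4Network = field(init=False)

    def __post_init__(self):
        if self.preference < 0:
            self.preference = DEFAULT_PREFERENCE[self.protocol]
        # strict=False ANDs the address with the mask to obtain the network address.
        self.network = ipaddress.ip_network(f"{self.destination}/{self.mask}", strict=False)


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def current_routes(self, network):
        """Usable routes to one network with the smallest preference value.
        More than one result means the routes share the load."""
        usable = [r for r in self.routes if r.up and r.network == network]
        if not usable:
            return []
        best = min(r.preference for r in usable)
        return [r for r in usable if r.preference == best]

    def lookup(self, address):
        """Return the current route(s) for a packet, or [] if it would be discarded."""
        addr = ipaddress.ip_address(address)
        matching = {r.network for r in self.routes if r.up and addr in r.network}
        if not matching:
            return []         # no matching entry and no default route
        # The most specific network wins; the default route matches only as a last resort.
        return self.current_routes(max(matching, key=lambda n: n.prefixlen))


def build_sample_table():
    """Constructed table (documentation address ranges, not taken from the manual)."""
    return RoutingTable([
        Route("192.0.2.1", "255.255.255.0", "direct", "DIRECT"),
        Route("198.51.100.0", "255.255.255.0", "192.0.2.2", "STATIC"),                 # main
        Route("198.51.100.0", "255.255.255.0", "192.0.2.3", "STATIC", preference=80),  # backup
        Route("198.51.100.0", "255.255.255.0", "192.0.2.4", "RIP"),
        Route("203.0.113.0", "255.255.255.0", "192.0.2.2", "STATIC"),                  # shared
        Route("203.0.113.0", "255.255.255.0", "192.0.2.3", "STATIC"),                  # shared
        Route("0.0.0.0", "0.0.0.0", "192.0.2.254", "STATIC"),                          # default
    ])


def next_hops(table, address):
    """Next hop address of every current route for the given destination."""
    return [route.next_hop for route in table.lookup(address)]


if __name__ == "__main__":
    table = build_sample_table()
    print(next_hops(table, "198.51.100.7"))   # main static route
    table.routes[1].up = False                # the main line fails
    print(next_hops(table, "198.51.100.7"))   # backup static route takes over
```

Setting up to False on the main route and then back to True reproduces the switchover to the backup route and the return to the main route described above.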

Default Route

A default route is a static route, too. A default route is used only when no suitable routing table entry is matched. In a routing table, the default route is in the form of the route to the network (with the mask ). You can see whether it has been set via the output of the command display ip routing-table. If the destination address of a packet fails to match any entry of the routing table, the router will select the default route to forward this packet. If there is no default route and the destination address of the packet fails to match any entry in the routing table, this packet will be discarded, and an Internet Control Message Protocol (ICMP) packet will be sent to the originating host to inform it that the destination host or network is unreachable.

The default route is very useful in networks. Suppose that there is a typical network, which consists of hundreds of routers. In that network, a great deal of bandwidth would be consumed if you put all kinds of dynamic routing protocols into use without configuring a default route. Using the default route can provide appropriate bandwidth, even if not high bandwidth, for communications between large numbers of users.

Static Route Configuration

Static Route Configuration includes:

Configuring a static route
Configuring a default route

Configuring a static route

Perform the following configurations in global configuration mode.

Beginning in privileged EXEC mode, follow these steps to configure a static route.

Step 2   ip route static add dst-ipaddress net-mask next-hop [description string usehw {yes | no} gateway {yes | no} mac mac-address port port-number vid vlan-id]
         Configure a static route.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show ip route static
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To delete a static route, use the ip route static delete dst-ipaddress global configuration command.

The parameters are explained as follows:

dst-ipaddress and net-mask
The dst-ipaddress and net-mask are in dotted decimal format. As the "1"s in the 32-bit mask are required to be consecutive, the dotted decimal mask can also be replaced by the mask-length (which refers to the number of consecutive "1"s in the mask).

Next-hop address
When configuring a static route, you can specify the gateway-address to decide the next hop address, depending on the actual conditions.

In fact, for all the routing items, the next hop address must be specified. When the IP layer transmits a packet, it will first search for the matching route in the routing table according to the destination address of the packet. Only when the next hop address of the route is specified can the link layer find the corresponding link layer address, and then forward the packet according to this address.

Configuring a default route

Perform the following configurations in global configuration mode.

Beginning in privileged EXEC mode, follow these steps to configure a default route.

Step 2   ip route static add next-hop [description string usehw {yes | no} gateway {yes | no} mac mac-address port port-number vid vlan-id]
         Configure a default route.
Step 3   exit
         Return to privileged EXEC mode.
Step 4   show ip route static
         Verify your entries.
Step 5   write
         (Optional) Save your entries in the configuration file.

To delete a static route use ip route static delete global configuration command.

The meanings of the parameters in the command are the same as those of the static route.

Typical Static Route Configuration Example

I. Networking requirements

As shown in the figure below, the masks of all the IP addresses in the figure are It is required that all the hosts or Routing Switches can be interconnected in pairs by configuring static routes.

II. Networking diagram

Figure 13-3 Networking diagram of the static route configuration example

III. Configuration procedure

# Setting switch A VLAN and specifying IP address for VLAN
switcha(config)#vlan static set vid
switcha(config)#vlan static set vid 201u
switcha(config)#vlan static set vid 302u
switcha(config)#vlan port pvid 12
switcha(config)#vlan port pvid 23
switcha(config)#ip address add vint vid 2
switcha(config)#ip address add vint vid 3
# Setting default route for switch A
switcha(config)#ip route static add
# Setting switch B VLAN and specifying IP address for VLAN
switchb(config)#vlan static set vid
switchb(config)#vlan static set vid 201u
switchb(config)#vlan static set vid 302u
switchb(config)#vlan port pvid 12
switchb(config)#vlan port pvid 23
switchb(config)#ip address add vint vid 2
switchb(config)#ip address add vint vid 3
# Setting default route for switch B
switchb(config)#ip route static add
# Setting switch C VLAN and specifying IP address for VLAN
switchc(config)#vlan static set vid
switchc(config)#vlan static set vid 201u
switchc(config)#vlan static set vid 302u
switchc(config)#vlan static set vid 403u
switchc(config)#vlan port pvid 12
switchc(config)#vlan port pvid 23
switchc(config)#vlan port pvid 34
switchc(config)#ip address add vint vid 2
switchc(config)#ip address add vint vid 3
switchc(config)#ip address add vint vid 3
# Setting static route for switch C
switchc(config)#ip route static add
switchc(config)#ip route static add

86 Static Route Fault Diagnosis and Troubleshooting Fault: The S3526 Series Switch is not configured with the dynamic routing protocol and both the physical status and the link layer protocol status of the interface is UP, but the IP packets cannot be forwarded normally. Troubleshooting: Use the show ip route static command to view whether the corresponding static route is correctly configured. Use the show ip route table command to view whether the corresponding route is valid RIP Configuration Brief Introduction to RIP Routing Information Protocol (RIP) is a relatively simple dynamic routing protocol, but it has a wide application. RIP is a kind of Distance-Vector (D-V) algorithm-based protocol and exchanges routing information via UDP packets. It employs Hop Count to measure the distance to the destination host, which is called Routing Cost. In RIP, the hop count from a router to its directly connected network is 0, and that to a network which can be reached through another router is 1, and so on. To restrict the time to converge, RIP prescribes that the cost value is an integer ranging 0 and 15. The hop count equal to or exceeding 16 is defined as infinite, that is to say, the destination network or the host is unreachable. RIP sends routing refreshing message every 30 seconds. If no routing refreshing message is received from one network neighbor in 180 seconds, RIP will tag all routes of the network neighbor to be unreachable. If no routing refreshing message is received from one network neighbor in 300 seconds, RIP will finally remove the routes of the network neighbor from the routing table. To improve the performances and avoid route loop, RIP supports Split Horizon, Poison Reverse and allows importing the routes discovered by other routing protocols Each router running RIP manages a route database, which contains routing entries to all the reachable destinations in the network. 
These routing entries contain the following information:
Destination address: IP address of a host or network.
Next hop address: The address of the next router that an IP packet will pass through to reach the destination.
Output interface: The interface through which the IP packet should be forwarded.
Cost: The cost for the router to reach the destination, which should be an integer in the range of 0 to 16.
Timer: The time elapsed since the routing entry was last modified. The timer is reset to 0 whenever a routing entry is modified.
Route tag: Indicates whether the route is generated by an interior routing protocol or by an exterior routing protocol.

The whole process of RIP startup and running can be described as follows:
1) If RIP is enabled on a router for the first time, the router broadcasts or multicasts a request packet to the adjacent routers. Upon receiving the request packet, the adjacent routers (on which RIP should have been enabled) respond to the request by

returning response packets containing information of their local routing tables.
2) After receiving the response packets, the router that sent the request modifies its own routing table.
3) At the same time, RIP broadcasts its routing table to the adjacent routers every 30 seconds. The adjacent routers maintain their own routing tables after receiving the packets, select an optimal route, and then advertise the modification to their respective adjacent networks so that the updated route becomes globally known. Furthermore, RIP uses a timeout mechanism to handle timed-out routes so as to ensure that the routes are current and valid. With these mechanisms, RIP, an interior routing protocol, enables the router to learn the routing information of the whole network.

RIP has become one of the de facto standards for transmitting router and host routes. It can be used in most campus networks and regional networks that are simple yet extensive. For larger and more complicated networks, RIP is not recommended.

RIP Configuration

The RIP configuration includes:
Enabling RIP Interface
Specifying RIP Version of the Interface
Setting RIP Packet Authentication
Setting Additional Routing Cost
Enable/disable RIP protocol

Enabling RIP interface

To flexibly control RIP operation, you can specify the interface and configure the network where it is located as a RIP network, so that these interfaces can send and receive RIP packets.

Beginning in privileged EXEC mode, follow these steps to enable the RIP interface.

Step 2    router rip network network-address    Enable RIP on the specified network.
Step 3    exit    Return to privileged EXEC mode.
Step 4    show router rip config    Verify your entries.
Step 5    write    (Optional) Save your entries in the configuration file.

To disable RIP on the specified network, use the router rip no network network-address global configuration command.

Specifying RIP Version of the Interface

RIP has two versions, RIP-1 and RIP-2. You can specify the version of the RIP packets processed by the interface.

RIP-1 broadcasts its packets. RIP-2 can transmit packets by both broadcast and multicast. By default, multicast is adopted for transmitting packets. In RIP-2, the multicast address is The advantage of transmitting packets in multicast mode is that hosts in the same network that do not run RIP avoid receiving RIP broadcast packets. In addition, this mode prevents hosts running RIP-1 from incorrectly receiving and processing RIP-2 routes that carry a subnet mask. When an interface is running RIP-2 broadcast, RIP-1 packets can also be received.

Beginning in privileged EXEC mode, follow these steps to specify the RIP version of the interface.

Step 2    router rip entry interface-id recvtype [rip1 | rip2 | rip1orrip2 | donotreceive]    Specify the receive message type of the interface.
Step 3    router rip entry interface-id sendtype [ripversion1 | ripversion2 | ripv1demand | ripv2demand | rip1compatible | donotsend]    Specify the send message type of the interface.
Step 4    exit    Return to privileged EXEC mode.
Step 5    show router rip config    Verify your entries.
Step 6    write    (Optional) Save your entries in the configuration file.

Setting RIP-2 Packet Authentication

RIP-1 does not support packet authentication, but when the interface operates RIP-2, packet authentication can be configured. RIP-2 supports two authentication modes: simple authentication and MD5 authentication. MD5 authentication uses two packet formats: one follows RFC2453 and the other follows RFC2082.

Simple authentication does not ensure security. The unencrypted authentication key is sent together with the packet, so simple authentication cannot be used where security requirements are high.
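
To make the difference between the authentication modes concrete, the following added example (not part of the original manual, and not vendor code) parses a RIP-2 UDP payload and reports which mode it carries, using the RFC 2453 simple-password entry and the RFC 2082 keyed-MD5 header and trailer layouts. The sample packets, addresses, password and digest bytes are constructed for illustration, and the verdict strings are assumptions of this example.

```python
import ipaddress
import struct

AUTH_AFI = 0xFFFF      # address-family value that marks an authentication entry
AUTH_SIMPLE = 2        # RFC 2453 simple password: 16 bytes sent in the clear
AUTH_KEYED_MD5 = 3     # RFC 2082 keyed MD5: digest carried in a trailer
TRAILER_TYPE = 1       # RFC 2082 trailer marker that follows AFI 0xFFFF
ENTRY_LEN = 20         # every RIP entry, including the auth entry, is 20 bytes


def parse_rip(payload: bytes) -> dict:
    """Parse the UDP payload of a RIP packet into header, auth data and routes."""
    if len(payload) < 4:
        raise ValueError("truncated RIP header")
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    info = {"command": command, "version": version, "auth": "none",
            "password": None, "key_id": None, "sequence": None,
            "digest": None, "routes": []}
    end = len(payload)          # offset at which route entries stop
    offset, first = 4, True
    while offset + ENTRY_LEN <= end:
        entry = payload[offset:offset + ENTRY_LEN]
        afi, tag = struct.unpack("!HH", entry[:4])
        if version == 2 and first and afi == AUTH_AFI:
            if tag == AUTH_SIMPLE:
                # The key travels unencrypted inside the packet.
                info["auth"] = "simple"
                info["password"] = entry[4:].rstrip(b"\x00").decode("ascii", "replace")
            elif tag == AUTH_KEYED_MD5:
                pkt_len, key_id, data_len, seq = struct.unpack("!HBBI", entry[4:12])
                trailer = payload[pkt_len:pkt_len + 4 + data_len]
                if (len(trailer) != 4 + data_len or
                        struct.unpack("!HH", trailer[:4]) != (AUTH_AFI, TRAILER_TYPE)):
                    raise ValueError("keyed-MD5 header without a valid trailer")
                info.update(auth="keyed-md5", key_id=key_id, sequence=seq,
                            digest=trailer[4:].hex())
                end = pkt_len   # the trailer is not a route entry
            else:
                info["auth"] = f"unknown-type-{tag}"
        else:
            addr, mask, _nexthop, metric = struct.unpack("!4s4s4sI", entry[4:])
            info["routes"].append({"prefix": str(ipaddress.ip_address(addr)),
                                   "mask": str(ipaddress.ip_address(mask)),
                                   "metric": metric})
        first = False
        offset += ENTRY_LEN
    return info


def audit(payload: bytes) -> str:
    """Return a verdict for the interface that sent this packet."""
    info = parse_rip(payload)
    if info["version"] == 1:
        return "rip1-unauthenticated"   # RIP-1 has no authentication field
    return {"none": "unauthenticated", "simple": "cleartext-password",
            "keyed-md5": "keyed-md5"}.get(info["auth"], "unknown")


def _route(prefix: str, mask: str, metric: int) -> bytes:
    """Build one IPv4 route entry (AFI 2, route tag 0, next hop 0.0.0.0)."""
    return struct.pack("!HH4s4s4sI", 2, 0, ipaddress.ip_address(prefix).packed,
                       ipaddress.ip_address(mask).packed, bytes(4), metric)


# Constructed sample packets (documentation prefixes, made-up key and digest).
HEADER = struct.pack("!BBH", 2, 2, 0)   # command 2 = response, version 2
ROUTES = (_route("192.0.2.0", "255.255.255.0", 1) +
          _route("198.51.100.0", "255.255.255.0", 16))   # metric 16 = unreachable
SAMPLE_NOAUTH = HEADER + ROUTES
SAMPLE_SIMPLE = HEADER + struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, b"example-key") + ROUTES
_md5_len = len(HEADER) + ENTRY_LEN + len(ROUTES)
SAMPLE_MD5 = (HEADER +
              struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_KEYED_MD5, _md5_len, 1, 16, 7) +
              ROUTES +
              # Placeholder digest bytes, not computed from any key.
              struct.pack("!HH16s", AUTH_AFI, TRAILER_TYPE, bytes(range(16))))

if __name__ == "__main__":
    for label, pkt in (("noauth", SAMPLE_NOAUTH), ("simplepass", SAMPLE_SIMPLE),
                       ("md5", SAMPLE_MD5)):
        print(f"{label:10s} -> {audit(pkt)}")
```

Run against captured RIP payloads from a segment, a check like this shows which neighbors still send unauthenticated or simple-password updates and should be moved to md5.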

Beginning in privileged EXEC mode, follow these steps to set RIP-2 packet authentication.

Step 2    router rip entry interface-id authtype [md5 | simplepass | noauth]    Set the authentication type.
Step 3    router rip entry interface-id password string    Set the authentication password.
Step 4    exit    Return to privileged EXEC mode.
Step 5    show router rip config    Verify your entries.
Step 6    write    (Optional) Save your entries in the configuration file.

The usual packet format follows RFC2453 and nonstandard follows RFC

Setting Additional Routing Metric

The additional routing metric is the input or output routing metric added to a RIP route. It does not change the metric value of the route in the routing table, but adds a specified metric value when the interface receives or sends a route.

Beginning in privileged EXEC mode, follow these steps to set the additional routing metric.

Step 2    router rip entry interface-id metric value    Set the additional routing metric.
Step 3    exit    Return to privileged EXEC mode.
Step 4    show router rip config    Verify your entries.
Step 5    write    (Optional) Save your entries in the configuration file.

By default, the additional routing metric added to the route when RIP sends the packet is 1. The additional routing metric when RIP receives the packet is 0 by default.

Enable/disable RIP protocol

Beginning in privileged EXEC mode, follow these steps to enable the RIP protocol.

Step 2    router rip enable    Enable the RIP protocol. By default, the RIP protocol is disabled.
Step 3    exit    Return to privileged EXEC mode.
Step 4    show router rip config    Verify your entries.
Step 5    write    (Optional) Save your entries in the configuration file.

To disable the RIP protocol, use the router rip disable global configuration command.

Typical RIP Configuration Example

Networking requirements

As shown in the following figure, the Routing Switches C connects to the subnet through the Ethernet port. The Ethernet ports of Routing Switches A and Switch B are respectively connected to the network and Switch C, Switch A and Switch B are connected via Ethernet Correctly configure RIP to ensure that Switch C, Switch A and Switch B can interconnect.

Networking diagram

Figure 13-4 RIP configuration networking

Configuration procedure

Note: The following configuration only shows the operations related to RIP. Before performing the following configuration, please make sure the Ethernet link layer can work normally.

# Configure Switch A
switcha(config)#router rip network
switcha(config)#router rip network
switcha(config)#router rip enable
# Configure Switch B
switchb(config)#router rip network
switchb(config)#router rip network
switchb(config)#router rip enable

# Configure Switch C
switchc(config)#router rip network
switchc(config)#router rip network
switchc(config)#router rip enable

13.5 OSPF Configuration

OSPF Overview

Introduction to OSPF

Open Shortest Path First (OSPF) is a link-state Interior Gateway Protocol developed by the IETF. At present, OSPF version 2 (RFC2328) is used, which has the following features:
Applicable scope: It supports networks of various sizes, with up to several hundred routers.
Fast convergence: It transmits update packets immediately after the network topology changes so that the change is synchronized in the AS.
Loop-free: Since OSPF calculates routes with the shortest path tree algorithm according to the collected link states, the algorithm itself guarantees that no routing loops are generated.
Area partition: It allows the network of an AS to be divided into different areas for the convenience of management, so that the routing information transmitted between the areas is abstracted further, which reduces network bandwidth consumption.
Equal-cost multi-route: It supports multiple equal-cost routes to a destination.
Routing hierarchy: OSPF has a four-level routing hierarchy. It prioritizes routes in the order intra-area, inter-area, external type-1, and external type-2.
Authentication: It supports interface-based packet authentication to guarantee the security of the route calculation.
Multicast transmission: It supports sending and receiving packets on a multicast address.

Process of OSPF Route Calculation

The routing calculation process of the OSPF protocol is as follows:
Each OSPF-capable router maintains a Link State Database (LSDB), which describes the topology of the whole AS. According to the network topology around itself, each router generates a Link State Advertisement (LSA). The routers on the network transmit the LSAs among themselves by sending protocol packets to each other.
Thus, each router receives the LSAs of other

routers and all these LSAs compose its LSDB.
An LSA describes the network topology around a router, so the LSDB describes the network topology of the whole network. Routers can easily transform the LSDB into a weighted directed graph, which reflects the topology of the whole network. All the routers obtain exactly the same graph.
A router uses the SPF algorithm to calculate the shortest path tree with itself as the root, which shows the routes to the nodes in the autonomous system. External routing information is a leaf node. A router that advertises the routes also tags them and records additional information about the autonomous system. The routing tables obtained by different routers are different.

Furthermore, suppose that the routers are directly connected in a broadcast network without other routing devices in between. To enable the individual routers to broadcast their local status information to the whole AS, any two routers in the environment would have to establish an adjacency between them. In this case, however, any change on a router results in multiple transmissions, which are unnecessary and waste precious bandwidth. To solve this problem, OSPF defines the Designated Router (DR). All the routers send information only to the DR, which broadcasts the network link states in the network. This reduces the number of router adjacencies on the multi-access network.

OSPF supports interface-based packet authentication to guarantee the security of route calculation. It also transmits and receives packets by IP multicast.

OSPF Packets

OSPF uses five types of packets:
Hello Packet: It is the most common packet, which a router sends periodically to its neighbors. It contains the values of some timers, the DR, the BDR and the known neighbors.
Database Description (DD) Packet: When two routers synchronize their databases, they use DD packets to describe their own LSDBs, including the digest of each LSA. The digest refers to the HEAD of an LSA, which can be used to uniquely identify the LSA. This reduces the traffic transmitted between the routers, since the HEAD of an LSA occupies only a small portion of the overall LSA traffic. With the HEAD, the peer router can judge whether it already has the LSA.
Link State Request (LSR) Packet: After exchanging the DD packets, the two routers know which LSAs of the peer router are missing from their local LSDBs. In this case, they send LSR packets to the peer requesting the needed LSAs. The packets contain the digests of the needed LSAs.
Link State Update (LSU) Packet: The packet is used to transmit the needed LSAs to the peer router. It contains a collection of multiple LSAs (complete contents).
Link State Acknowledgment (LSAck) Packet: The packet is used for acknowledging the received LSU packets. It contains the HEAD(s) of the LSA(s) requiring acknowledgement.

Basic Concepts Related to OSPF

I. Router ID

To run OSPF, a router must have a router ID. If no ID is configured, the system automatically selects an IP address from the IP addresses of the current interfaces as the router ID. The router ID is chosen as follows: if a Loop Back interface address exists, the system chooses the Loop Back address with the greatest IP address value as the router ID; if no Loop Back interface is configured, the address of the physical interface with the greatest IP address value becomes the router ID.

II. DR and BDR

Designated Router (DR)
In multi-access networks, if any two routers are neighbors, the same LSA will be transmitted repeatedly, wasting bandwidth resources. To solve this problem, the OSPF protocol specifies that a DR must be elected in a multi-access network and that only the DR (and the BDR described below) can be the neighbor of other routers in this network. Two non-DR routers or BDR routers cannot be neighbors and exchange routing information. Which router becomes the DR in its segment is not manually specified. Instead, the DR is elected by all the routers in the segment.

Backup Designated Router (BDR)
If the DR fails, a new DR must be elected and synchronized with the other routers on the segment. This process takes a relatively long time, during which the route calculation is incorrect. To shorten the process, OSPF introduces the BDR. The BDR is a backup for the DR. The DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the routers on the segment, and routing information is also exchanged between them. After the existing DR fails, the BDR becomes the DR immediately.

III. Area

The network size grows increasingly larger. If all the routers on a huge network are running OSPF, the large number of routers will result in an enormous LSDB, which consumes an enormous amount of storage space, complicates the SPF algorithm, and increases the CPU load as well.
Furthermore, as a network grows larger, the topology becomes more likely to change. Hence, the network will always be in turbulence, and a great deal of OSPF packets will be generated and transmitted in the network. This lowers the network bandwidth utilization. In addition, each change causes all the routers on the network to recompute their routes.

OSPF solves the above problem by partitioning an AS into different areas. Areas logically group the routers. The borders of areas are formed by routers, so some routers may belong to different areas. A router that connects the backbone area and a non-backbone area is called an Area Border Router (ABR). An ABR can connect to the backbone area physically or logically.

IV. Backbone area and virtual link

Backbone Area
After the area division of OSPF, not all the areas are equal. One area is different from all the other areas. Its area-id is 0 and it is usually called the backbone area.

Virtual link
Since all the areas should be connected to the backbone area, virtual links are adopted so that physically separated areas can still maintain logical connectivity to the backbone area.

V. Route summary

An AS is divided into different areas that are interconnected via OSPF ABRs. The routing information between areas can be reduced through route summary. Thus, the size of the routing table can be reduced and the calculation speed of the router can be improved. After calculating an intra-area route of an area, the ABR summarizes multiple OSPF routes into an LSA and sends it outside the area according to the summary configuration.

OSPF Configuration

Among the various configurations, you must first enable OSPF and specify the interface and area ID before configuring other functions. The configuration of interface-related functions, however, is not restricted by whether OSPF is enabled. Note that after OSPF is disabled, the OSPF-related interface parameters also become invalid.

OSPF configuration includes:
Entering the OSPF configuration mode
Enabling OSPF Process
Specifying Interface
Configuring the Cost for Sending Packets on an Interface
Setting the Interface Priority for DR Election
Setting the Interval of Hello Packet Transmission
Setting a dead timer for the neighboring routers
Configuring an Interval required for sending LSU packets
Setting an Interval for LSA Retransmission between Neighboring Routers
Setting a Shortest Path First (SPF) Calculation Interval for OSPF
Configuring STUB Area of OSPF
Configuring the Route Summarization of OSPF Area
Configuring OSPF Virtual Link
Configuring OSPF Packet Authentication
Disabling the Interface to Send OSPF Packets

Enter OSPF Configuration Mode

Beginning in privileged EXEC mode, follow these steps to enter OSPF configuration mode.

Step 2    router ospf    Enter OSPF configuration mode.

Enabling OSPF Process

Beginning in OSPF configuration mode, follow these steps to enable the OSPF process.

Step 1    service enable    Enable the OSPF process. By default, OSPF is not enabled.
Step 2    exit    Return to global configuration mode.
Step 3    exit    Return to privileged EXEC mode.
Step 4    show ip ospf    Verify your entries.
Step 5    write    (Optional) Save your entries in the configuration file.

To disable the OSPF process, use the service disable OSPF configuration command.

Specifying interface

OSPF further divides the AS into different areas. An area logically groups the routers. Some routers belong to different areas (such routers are called ABRs), but one segment can belong to only one area. In other words, you must specify each OSPF interface to belong to a particular area identified by an area ID. The areas transfer routing information between them via the ABRs.

In addition, the parameters of all the routers in the same area should be identical. Therefore, when configuring the routers in the same area, note that most configurations should be based upon the area. Wrong configuration may prevent the neighboring routers from transmitting information between them, and may even lead to congestion or self-loops of the routing information.

Beginning in OSPF configuration mode, follow these steps to specify the interface.

Step 1    network ip-address valid-mask area area-id    Specify the interface to run OSPF.
Step 2    exit    Return to global configuration mode.
Step 3    exit    Return to privileged EXEC mode.
Step 4    show ip ospf    Verify your entries.
Step 5    write    (Optional) Save your entries in the configuration file.

To delete the specified network, use the no network ip-address valid-mask area area-id OSPF configuration command.

You must specify the segment to which OSPF will be applied after enabling OSPF.

Configuring the Cost for Sending Packets on an Interface

The user can control the network traffic by configuring different message sending costs for different interfaces. Otherwise, OSPF automatically calculates the cost according to the baud rate of the current interface.

Beginning in privileged EXEC mode, follow these steps to configure the cost for sending packets on an interface.

Step 2    Interface vint interface-id    Enter interface configuration mode.
Step 3    ip ospf cost value    Configure the cost for sending packets on the interface.
Step 4    exit    Return to global configuration mode.
Step 5    exit    Return to privileged EXEC mode.
Step 6    show ip ospf interface [vint interface-id]    Verify your entries.
Step 7    write    (Optional) Save your entries in the configuration file.

To restore the default cost for packet transmission on the interface, use the no ip ospf cost OSPF configuration command.

By default, the interface automatically calculates the cost for running the OSPF protocol according to the current baud rate. The calculation formula is: 100 Mbps / interface current baud rate.

Setting the Interface Priority for DR Election

The priority of the router interface determines the qualification of the interface in DR election, and the router of higher priority will

be considered first if there is a collision in the election.

The DR is not designated manually; instead, it is elected by all the routers on the segment. Routers with priorities > 0 in the network are eligible candidates. Among all the routers that declare themselves to be the DR, the one with the highest priority is elected. If two routers have the same priority, the one with the highest router ID is elected as the DR. Votes are the hello packets. Each router writes the expected DR in the packet and sends it to all the other routers on the segment. If two routers attached to the same segment concurrently declare themselves to be the DR, the one with the higher priority is chosen. If the priorities are the same, the one with the greater router ID is chosen. If the priority of a router is 0, it will not be elected as DR or BDR.

If the DR fails, the routers on the network must elect a new DR and synchronize with the new DR. The process takes a relatively long time, during which the route calculation is incorrect. To speed up this process, OSPF puts forward the concept of the BDR. The BDR is a backup for the DR. The DR and BDR are elected at the same time. Adjacencies are also established between the BDR and all the routers on the segment, and routing information is also exchanged between them. When the DR fails, the BDR becomes the DR instantly. Since no re-election is needed and the adjacencies have already been established, the process is very short. In this case, however, a new BDR must be elected. Although this also takes quite a long time, it does not affect the route calculation.

Please note:
The DR on the network is not necessarily the router with the highest priority. Likewise, the BDR is not necessarily the router with the second highest priority. If a new router is added after the DR and BDR election, it is impossible for the router to become the DR even if it has the highest priority.
The DR role is based on the router interface in a certain segment. A router may be the DR on one interface, but a BDR or DR Other on another interface.

Beginning in privileged EXEC mode, follow these steps to set the interface priority for DR election.

Step 2    Interface vint interface-id    Enter interface configuration mode.
Step 3    ip ospf priority priority_num    Configure the interface with a priority for DR election. By default, the priority of the interface is 1 in the DR election. The value can be taken from 0 to 255.
Step 4    exit    Return to global configuration mode.
Step 5    exit    Return to privileged EXEC mode.
Step 6    show ip ospf interface [vint interface-id]    Verify your entries.
Step 7    write    (Optional) Save your entries in the configuration file.
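
The election rules in this section (priority 0 is never elected, ties go to the greater router ID, an elected DR or BDR is not displaced by a later arrival, and the BDR takes over when the DR fails) can be traced with the following added example. It is a simplified model of the rules as stated here, not the switch's implementation and not the full RFC2328 state machine; the class names, router IDs and priorities are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    router_id: str
    priority: int = 1          # default interface priority stated in this section


def rank(router: Router):
    """Sort key: higher priority wins, then the greater router ID."""
    return (router.priority, int(ipaddress.ip_address(router.router_id)))


class Segment:
    """One multi-access segment with its current DR and BDR."""

    def __init__(self, routers):
        # Routers that come up together take part in the same first election.
        self.routers = {r.router_id: r for r in routers}
        self.dr = None
        self.bdr = None
        self._fill_vacancies()

    def add(self, router: Router):
        """A router joining later never displaces the elected DR or BDR."""
        self.routers[router.router_id] = router
        self._fill_vacancies()

    def fail(self, router_id: str):
        """Remove a router; if it was the DR, the BDR takes over at once."""
        self.routers.pop(router_id, None)
        if self.dr == router_id:
            self.dr, self.bdr = self.bdr, None
        elif self.bdr == router_id:
            self.bdr = None
        self._fill_vacancies()

    def _fill_vacancies(self):
        """Elect only for roles that are vacant; priority 0 is never eligible."""
        eligible = sorted((r for r in self.routers.values() if r.priority > 0),
                          key=rank, reverse=True)
        for role in ("dr", "bdr"):
            if getattr(self, role) is None:
                taken = {self.dr, self.bdr}
                free = [r.router_id for r in eligible if r.router_id not in taken]
                setattr(self, role, free[0] if free else None)

    def roles(self):
        return {"DR": self.dr, "BDR": self.bdr}


def demo():
    """Constructed scenario; router IDs and priorities are sample values."""
    seg = Segment([Router("10.0.0.1"), Router("10.0.0.2"), Router("10.0.0.3", 0)])
    history = [seg.roles()]            # tie on priority: greater router ID wins
    seg.add(Router("10.0.0.4", 255))
    history.append(seg.roles())        # late joiner with top priority changes nothing
    seg.fail("10.0.0.2")
    history.append(seg.roles())        # BDR promoted, new BDR elected
    seg.fail("10.0.0.1")
    history.append(seg.roles())        # priority-0 router is never elected
    return history


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The third step of the scenario shows the case the section warns about: the DR is a priority-1 router while the priority-255 router is only the BDR.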

To restore the default interface priority, use the no ip ospf priority interface configuration command.

Setting the Interval of Hello Packet Transmission

Hello packets are among the most frequently used packets. They are sent periodically to the adjacent routers for discovering and maintaining adjacencies, and for electing the DR and BDR. The user can set the hello timer.

According to RFC2328, the hello intervals of network neighbors should be kept consistent. The hello interval value is in inverse proportion to the route convergence rate and network load.

Beginning in privileged EXEC mode, follow these steps to set the interval of hello packet transmission.

Step 2    Interface vint interface-id    Enter interface configuration mode.
Step 3    ip ospf hello-interval seconds    Set the hello interval of the interface. By default, Hello packets are sent every 10 seconds.
Step 4    exit    Return to global configuration mode.
Step 5    exit    Return to privileged EXEC mode.
Step 6    show ip ospf interface [vint interface-id]    Verify your entries.
Step 7    write    (Optional) Save your entries in the configuration file.

To restore the default hello interval of the interface, use the no ip ospf hello-interval interface configuration command.

Setting a dead timer for the neighboring routers

The dead timer of neighboring routers is the interval after which a router regards a neighboring router as dead if no Hello packet is received from it. The user can set a dead timer for the neighboring routers.

Beginning in privileged EXEC mode, follow these steps to set a dead timer for the neighboring routers.

Step 2    Interface vint interface-id    Enter interface configuration mode.

Step 3    ip ospf dead-interval seconds    Configure a dead timer for the neighboring routers. By default, the dead interval for the neighboring routers is 40 seconds.
Step 4    exit    Return to global configuration mode.
Step 5    exit    Return to privileged EXEC mode.
Step 6    show ip ospf interface [vint interface-id]    Verify your entries.
Step 7    write    (Optional) Save your entries in the configuration file.

To restore the default dead interval of the neighboring routers, use the no ip ospf hello-interval interface configuration command.

Configuring an Interval required for sending LSU packets

Trans-delay seconds should be added to the aging time of the LSA in an LSU packet. This parameter mainly accounts for the time the interface requires to transmit the packet.

The user can configure the interval of sending LSU messages. More attention should be paid to this item on low-speed networks.

Beginning in privileged EXEC mode, follow these steps to configure an interval required for sending LSU packets.

Step 2    Interface vint interface-id    Enter interface configuration mode.
Step 3    ip ospf transmit-delay seconds    Configure an interval for sending LSU packets. By default, the LSU packets are transmitted per second.
Step 4    exit    Return to global configuration mode.
Step 5    exit    Return to privileged EXEC mode.
Step 6    show ip ospf interface [vint interface-id]    Verify your entries.
Step 7    write    (Optional) Save your entries in the configuration file.

To restore the default interval of sending LSU packets, use the no ip ospf transmit-delay interface configuration command.

Setting an Interval for LSA Retransmission between Neighboring Routers

If a router transmits an LSA (Link State Advertisement) to the peer, it requires an acknowledgement packet from the peer. If it does not receive the acknowledgement packet within the retransmit interval, it retransmits this LSA to the neighbor. The value of the retransmit interval is user-configurable.

Beginning in privileged EXEC mode, follow these steps to set an interval for LSA retransmission between neighboring routers.

Step 2    Interface vint interface-id    Enter interface configuration mode.
Step 3    ip ospf retransmit-interval seconds    Configure the interval of LSA retransmission for the neighboring routers. By default, the interval for neighboring routers to retransmit LSAs is five seconds.
Step 4    exit    Return to global configuration mode.
Step 5    exit    Return to privileged EXEC mode.
Step 6    show ip ospf interface [vint interface-id]    Verify your entries.
Step 7    write    (Optional) Save your entries in the configuration file.

To restore the default LSA retransmission interval for the neighboring routers, use the no ip ospf retransmit-interval interface configuration command.

The value of the interval should be bigger than the time in which a packet can be transmitted and returned between two routers.

Note that you should not set the LSA retransmission interval too small. Otherwise, unnecessary retransmission will be caused.

Setting a Shortest Path First (SPF) Calculation Interval for OSPF

Whenever the LSDB of OSPF changes, the shortest path requires recalculation. Calculating the shortest path upon every change consumes enormous resources and affects the operating efficiency of the router. Adjusting the SPF calculation interval, however, can restrain the resource consumption caused by frequent network changes.

Beginning in OSPF configuration mode, follow these steps to set a Shortest Path First (SPF) calculation interval for OSPF.

Step 1    timers spf delay-seconds hold-seconds    Set the SPF calculation interval. By default, the interval of SPF recalculation is 5 seconds.
Step 2    exit    Return to global configuration mode.
Step 3    exit    Return to privileged EXEC mode.
Step 4    show ip ospf    Verify your entries.
Step 5    write    (Optional) Save your entries in the configuration file.

To restore the SPF calculation interval, use the no timers spf OSPF configuration command.

Configuring STUB Area of OSPF

STUB areas are special LSA areas, in which the ABRs do not propagate the learned external routes of the AS. In these areas, the routing table sizes of the routers and the routing traffic are significantly reduced.

The STUB area is an optional configuration attribute, but not every area conforms to the configuration condition. Generally, STUB areas, located at the AS boundaries, are those non-backbone areas with only one ABR. Even if such an area has multiple ABRs, no virtual links are established between these ABRs.

To ensure that the routes to the destinations outside the AS are still reachable, the ABR in this area will generate a default route ( ) and advertise it to the non-ABR routers in the area.

Pay attention to the following items when configuring a STUB area:
The backbone area cannot be configured as a STUB area, and a virtual link cannot pass through a STUB area.
If you want to configure an area as a STUB area, all the routers in this area should be configured with this attribute.
No ASBR can exist in a STUB area. In other words, the external routes of the AS cannot be propagated in the STUB area.

Beginning in OSPF configuration mode, follow these steps to configure a STUB area of OSPF.

Step 1    area area-id stub [CR | no-summary]    Configure an area to be the STUB area.
Step 2    area area-id default-cost value    Configure the cost of the default route transmitted by OSPF to the STUB area.
Step 3    exit    Return to global configuration mode.
Step 4    exit    Return to privileged EXEC mode.

Step 5    show ip ospf    Verify your entries.
Step 6    write    (Optional) Save your entries in the configuration file.

To remove the configured STUB area, use the no area area-id stub [CR | no-summary] OSPF configuration command.

To remove the cost of the default route to the STUB area, use the no area area-id default-cost value OSPF configuration command.

By default, the STUB area is not configured, and the cost of the default route to the STUB area is

Configuring the Route Summarization of OSPF Area

Route summary means that an ABR can aggregate information of the routes of the same prefix and advertise only one route to other areas. An area can be configured with multiple aggregate segments, so that OSPF can summarize them. When the ABR transmits routing information to other areas, it generates a Sum_net_Lsa (type-3 LSA) per network. If some continuous networks exist in this area, you can use the abr-summary command to summarize these segments into one segment. Thus, the ABR only needs to send an aggregate LSA, and all the LSAs in the range of the aggregate segment specified by the command will not be transmitted separately.

Once the aggregate segment of a certain network is added to the area, all the internal routes of the IP addresses in the range of the aggregate segment will no longer be separately advertised to other areas. Only the route summary of the whole aggregate network will be advertised. But if the range of the segment is restricted by the keyword "not-advertise", the route summary of this segment will not be advertised. This segment is represented by an IP address and mask.

Route summarization can take effect only when it is configured on ABRs.

Beginning in OSPF configuration mode, follow these steps to configure the route summarization of an OSPF area.

Step 1    summary-address ip-address mask [CR | not-advertise | tag value]    Configure the route summarization of the OSPF area.
Step 2    exit    Return to global configuration mode.
Step 3    exit    Return to privileged EXEC mode.
Step 4 show ip ospf Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. To cancel route summarization of OSPF Area, use no summary-address ip-address mask OSPF configuration command. By default, the inter-area routes will not be summarized

104 Configuring OSPF Virtual Link According to RFC2328, after the area division of OSPF, not all the areas are equal. In which, an area is different from all the other areas. Its area-id is and it is usually called the backbone Area. The OSPF routes between non-backbone areas are updated with the help of the backbone area. OSPF stipulates that all the non-backbone areas should maintain the connectivity with the backbone area. That is, at least one interface on the ABR should fall into the area If an area does not have a direct physical link with the backbone area , a virtual link must be created. If the physical connectivity cannot be ensured due to the network topology restriction, a virtual link can satisfy this requirement. The virtual link refers to a logic channel set up through the area of a non-backbone internal route between two ABRs. Both ends of the logic channel should be ABRs and the connection can take effect only when both ends are configured. The virtual link is identified by the ID of the remote router. The area, which provides the ends of the virtual link with a non-backbone area internal route, is called the transit area. The ID of the transit area should be specified when making configuration. The virtual link is activated after the route passing through the transit area is calculated,which is equivalent to a p2p connection between two ends. Therefore, similar to the physical interfaces, you can also configure various interface parameters on this link, such as hello timer. The "logic channel" means that the multiple routers running OSPF between two ABRs only take the role of packet forwarding (the destination addresses of the protocol packets are not these routers, so these packets are transparent for them and the routers forward them as common IP packets). The routing information is directly transmitted between the two ABRs. 
The routing information herein refers to the type-3 LSAs generated by the ABRs, for which the synchronization mode of the routers in the area will not be changed. Beginning in OSPF configuration mode, follow these steps to configure OSPF Virtual Link. Step 1 area area-id virtual-link Create and configure a virtual link router-id [CR hello-interval seconds retransmit-interval seconds transmit-delay seconds dead-interval seconds authentication-simple password authentication-md5 keyid key ] Step 2 exit Return to global configuration mode. Step 3 exit Return to privileged EXEC mode. Step 4 show ip ospf Verify your entries. Step 5 write (Optional) Save your entries in the configuration file

105 To remove the created virtual link, use no area area-id virtual-link router-id [ CR hello-interval seconds retransmit-interval seconds transmit-delay seconds dead-interval seconds authentication-simple password authentication-md5 keyid key ] OSPF configuration command. area-id and router-id have no default value. By default, the hello timer is 10 seconds, retransmit is 5 seconds, trans-delay is 1 second, and the dead timer is 40 seconds.

Configuring OSPF Packet Authentication

OSPF supports simple authentication or MD5 authentication between neighboring routers. All the routers in one area must use the same authentication mode (no authentication, simple text authentication or MD5 cipher text authentication). If an authentication mode is configured, all routers on the same segment must use the same authentication key. To configure a simple text authentication key, use the ospf authentication-mode simple command. If the area is configured to support MD5 cipher text authentication mode, use the ospf authentication-mode md5 command to configure the MD5 cipher text authentication key.

Beginning in privileged EXEC mode, follow these steps to configure OSPF Packet Authentication.

Step 2: Interface vint interface-id - Enter interface configuration mode.
Step 3: ip ospf authentication-simple password - Specify a password for OSPF simple text authentication.
Step 4: ip ospf authentication-md5 key_id key - Specify the key-id and key for OSPF MD5 authentication.
Step 5: exit - Return to global configuration mode.
Step 6: exit - Return to privileged EXEC mode.
Step 7: show ip ospf interface [vint interface-id] - Verify your entries.
Step 8: write - (Optional) Save your entries in the configuration file.

To cancel simple authentication on the interface, use no ip ospf authentication-simple interface configuration command. To cancel MD5 authentication on the interface, use no ip ospf authentication-md5 interface configuration command.
By default, the interface is not configured with either simple authentication or MD5 authentication
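What the two authentication modes put on the wire, as an added example (not code from this manual or from the vendor). It assumes the switch follows the OSPFv2 header and cryptographic authentication layout of RFC 2328 Appendix D; the router ID, area ID, password, key and packet body are constructed values.

```python
import hashlib
import hmac
import struct

AU_NULL, AU_SIMPLE, AU_MD5 = 0, 1, 2
# OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType, auth field
HDR = struct.Struct("!BBH4s4sHH8s")


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit ones' complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_simple(body, router_id, area_id, password):
    """Simple authentication: the password travels in clear in the header."""
    if len(password) > 8:
        raise ValueError("simple password is limited to 8 bytes")
    length = HDR.size + len(body)
    head = HDR.pack(2, 1, length, router_id, area_id, 0, AU_SIMPLE, b"\x00" * 8)
    csum = inet_checksum(head[:16] + body)  # checksum skips the 8-byte auth field
    auth = password.ljust(8, b"\x00")
    return HDR.pack(2, 1, length, router_id, area_id, csum, AU_SIMPLE, auth) + body


def build_md5(body, router_id, area_id, key_id, key, seq):
    """MD5 authentication: only key ID, digest length and sequence number are sent."""
    if len(key) > 16:
        raise ValueError("MD5 key is limited to 16 bytes")
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = HDR.pack(2, 1, HDR.size + len(body), router_id, area_id, 0, AU_MD5, auth) + body
    digest = hashlib.md5(packet + key.ljust(16, b"\x00")).digest()
    return packet + digest  # digest is appended, not counted in the length field


def credential_on_wire(wire):
    """What a passive listener on the segment can read from a captured packet."""
    autype = struct.unpack_from("!H", wire, 14)[0]
    if autype == AU_SIMPLE:
        return wire[16:24].rstrip(b"\x00")
    return None


def verify_md5(wire, keys, last_seq):
    """Receiver-side check: key lookup, digest comparison, then replay protection."""
    _ver, _type, length, _rid, _area, _csum, autype, auth = HDR.unpack_from(wire)
    if autype != AU_MD5:
        return "wrong-autype"
    _zero, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
    key = keys.get(key_id)
    if key is None:
        return "unknown-key"
    packet, digest = wire[:length], wire[length:length + digest_len]
    expected = hashlib.md5(packet + key.ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(digest, expected):
        return "bad-digest"
    if seq < last_seq:  # sequence numbers must never go backwards
        return "replay"
    return "ok"


# Constructed sample values
RID, AREA = bytes([10, 0, 0, 1]), bytes([0, 0, 0, 1])
BODY = b"constructed hello body"

if __name__ == "__main__":
    simple = build_simple(BODY, RID, AREA, b"s3cret")
    md5pkt = build_md5(BODY, RID, AREA, 1, b"constructed-key", 100)
    print("simple mode leaks:", credential_on_wire(simple))
    print("md5 mode leaks:", credential_on_wire(md5pkt))
    print("md5 verify:", verify_md5(md5pkt, {1: b"constructed-key"}, 100))
```

Simple authentication only stops accidental adjacency; anyone who can capture one packet on the segment reads the password, so prefer the MD5 mode where the switch offers nothing stronger.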

106 Disabling the Interface to Send OSPF Packets

To prevent OSPF routing information from being acquired by the routers on a certain network, use the passive command to stop the interface from transmitting OSPF packets.

Beginning in privileged EXEC mode, follow these steps to disable the Interface to Send OSPF Packets.

Step 2: Interface vint interface-id - Enter interface configuration mode.
Step 3: ip ospf passive - Disable the interface to send OSPF packets.
Step 4: exit - Return to global configuration mode.
Step 5: exit - Return to privileged EXEC mode.
Step 6: show ip ospf interface [vint interface-id] - Verify your entries.
Step 7: write - (Optional) Save your entries in the configuration file.

To enable the interface to send OSPF packets, use no ip ospf passive interface configuration command. By default, all the interfaces are allowed to transmit and receive OSPF packets.

After an OSPF interface is set to silent status, the interface can still advertise its direct route. However, the OSPF hello packets of the interface are blocked, and no neighboring relationship can be established on the interface. This improves the ability of OSPF to adapt to the networking and reduces the consumption of system resources. On a switch, this command disables or enables the specified VLAN interface to send OSPF packets.

Displaying and Debugging OSPF

After the above configuration, execute the show command in privileged EXEC mode to display the running of the OSPF configuration, and to verify the effect of the configuration. Table Displaying and debugging OSPF Operation

107 Display the brief information of the OSPF routing process Display OSPF neighbor information Display OSPF routing table Display OSPF virtual links Display OSPF statistics Display LSDB information of OSPF Display OSPF interface information show ip ospf show ip ospf neighbor show ip ospf routing show ip ospf virtual-links show ip ospf database show ip ospf lsa show ip ospf interface Typical OSPF Configuration Example I. Networking requirements In the following figure, Area 2 and Area 0 are not directly connected. Area 1 is required to be taken as transit area for connecting Area 2 and Area 0.Enable OSPF service on switch and Correctly configure a virtual link between Switch B and Switch C in Area 1. II. Networking diagram

108 Figure 13-6 OSPF virtual link configuration networking

III. Configuration procedure

OSPF Fault Diagnosis and Troubleshooting

Fault 1: OSPF has been configured in accordance with the above-mentioned steps, but OSPF on the router cannot run normally.

Troubleshooting: Please check according to the following procedure.

Troubleshooting locally: Check whether the protocol between two directly connected routers is in normal operation. The normal sign is that the peer state machine between the two routers reaches the FULL state. (Note: On a broadcast or NBMA network, if the interfaces for two routers are in DROther state, the peer state machine for the two routers is in 2-way state, instead of FULL state. The peer state machine between DR/BDR and all the other routers is in FULL state.)

Execute the show ip ospf neighbor command to view neighbors.

Execute the show ip ospf interface command to view OSPF information in the interface.

Check whether the physical connections and the lower level protocol operate normally. You can execute the ping command to test. If the local router cannot ping the peer router, it indicates that faults have occurred on the physical link and the lower level protocol.

If the physical link and the lower layer protocol are normal, please check the OSPF parameters configured on the interface. The parameters should be the same as those configured on the router adjacent to the interface. The same area ID should be used, and the networks and the masks should also be consistent. (The p2p or virtually linked segment can have different segments and masks.)

Ensure that the dead timer on the same interface is at least four times the value of the hello timer.

If the network type is broadcast or NBMA, there must be at least one interface with a priority greater than zero.

If an area is set as the STUB area, the area on the routers connected to it must also be set as the STUB area. 
The same interface type should be adopted for the neighboring routers. If more than two areas are configured, at least one area should be configured as the backbone area (that is to say, the area ID is 0). Ensure the backbone area to connect with all the areas. The virtual links cannot pass through the STUB area. Troubleshooting globally: If OSPF cannot discover the remote routes yet in the case that the above steps are correctly performed, proceed to check the

109 following configurations. If more than two areas are configured on a router, at least one area should be configured as the backbone area. As shown in the following figure: RTA and RTD are configured to belong to only one area, whereas RTB (area0 and area1) and RTC (area1 and area 2) are configured to belong to two areas. In which, RTB also belongs to area0, which is compliant with the requirement. However, none of the areas to which RTC belongs is area0. Therefore, a virtual link should be set up between RTC and RTB. Ensure that area2 and area0 (backbone area) is connected. Figure 13-7 OSPF areas The backbone area (area 0) cannot be configured as the STUB area and the virtual link cannot pass through the STUB area. That is, if a virtual link has been set up between RTB and RTC, neither area1 nor area0 can be configured as a stub area. In the above figure, only area 2 can be configured as stub area. Routers in the STUB area cannot redistribute the external routes. Backbone area must guarantee the connectivity of all nodes

110 14 IP Multicast Protocol STCS3526 Series Layer 3 Switch User Guide 14.1 IP Multicast Overview Problems with Unicast/Broadcast The constant development of the Internet and the increasing interaction of versatile data, voice and video information over the network have promoted the emergence of new services like e-commerce, network conference, online auction, video on demand (VoD), and tele-education. These services require higher information security and greater rewards. I. Unicast In unicast mode, every user that needs the information receives a copy through the channels the system separately establishes for them. See Figure 14-1. Figure 14-1 Data transmission in unicast mode Suppose that Users B, D, and E need the information; the information source Server establishes a transmission channel with each of them. Since the traffic in transmission increases with the number of users, excessive copies of the information would spread over the network if there is a large number of users in need of this information. As the bandwidth would run short, the unicast mode is incapable of massive transmission. II. Broadcast In broadcast mode, every user on the network receives the information regardless of their needs. See Figure 14-2 Data transmission in broadcast mode

111 Figure 14-2 Data transmission in broadcast mode Suppose that Users B, D, and E need the information and the information source Server broadcasts the information through the router; User A and User C can also receive the information. In that case, information security and rewards to services are not guaranteed. Moreover, bandwidth is terribly wasted when only a small part of the users are in need of the information. In short, the unicast mode is useful in networks with scattered users, and the multicast mode is suitable for networks with dense users. When the number of users is uncertain, the adoption of unicast or multicast mode results in low efficiency. Advantages of Multicast I. Multicast IP multicast technology solves those problems. It allows the multicast source to send the information once only, and ensures that the information will not be duplicated or distributed unless it reaches a fork in the tree route established by the multicast routing protocol. See Figure 1-3 Data transmission in multicast mode

112 Figure 14-3 Data transmission in multicast mode Suppose that Users B, D, and E need the information; they need to be organized into a receiver group to ensure that the information can reach them smoothly. The routers on the network duplicate and forward the information according to the distribution of these users in the group. In multicast mode, the information sender is called the "multicast source", the receiver is called the "multicast group", and the routers for multicast information transmission are called "multicast routers". Members of a multicast group can be scattered around the network; the multicast group therefore has no geographical limitation. It should be noted that a multicast source does not necessarily belong to a multicast group. It sends data to multicast groups but is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously. II. Advantages The main advantages of multicast are: Enhanced efficiency: It reduces network traffic and relieves server and CPU of loads. Optimized performance: It eliminates traffic redundancy. Distributed application: It enables multipoint application. Application of Multicast IP multicast technology effectively implements point-to-multipoint forwarding at high speed, which saves a lot of network bandwidth and can relieve network loads. It also facilitates the development of new value-added services in the Internet information service area, including online live show, Web TV, tele-education, telemedicine, network radio station and real-time audio/video conferencing. It takes a positive role in: Multimedia and streaming media application Occasional communication for training and cooperation Data storage and finance (stock) operation Point-to-multipoint data distribution With the increasing popularity of multimedia services over IP network, multicast is gaining its marketplace

113 14.2 Implementation of IP Multicast Multicast Addresses In multicast mode, there are questions about where to send the information and how to locate the destination or know the receiver. All these questions can be narrowed down to multicast addressing. To guarantee the communication between a multicast source and a multicast group, the network layer multicast address (namely the IP multicast address) is required, along with the technique to correlate it with the link layer MAC multicast address. Following is the introduction to these two kinds of addresses. I. IP Multicast Addresses According to the definition in Internet Assigned Number Authority (IANA), IP addresses fall into four types: Class A, Class B, Class C and Class D. Unicast packets use IP addresses of Class A, Class B or Class C, depending on specific packet scales. Multicast packets use IP addresses of Class D as their destination addresses, but Class D IP addresses cannot be contained in the source IP field of IP packets. During unicast data transmission, a packet is transmitted "hop-by-hop" from the source address to the destination address. However, in an IP multicast environment, a packet has more than one destination address, or a group of addresses. All the information receivers are added to a group. Once a receiver joins the group, the data for this group of addresses starts flowing to this receiver. All members in the group can receive the packets. Membership here is dynamic, and a host can join or leave the group at any time. A multicast group can be permanent or temporary. Some multicast group addresses are allocated by IANA, and such a multicast group is called a permanent multicast group. The IP addresses of a permanent multicast group are unchangeable, but its membership is changeable, and the number of members is arbitrary. It is quite possible for a permanent group to not have a single member. Those not reserved for permanent multicast groups can be used by temporary multicast groups. 
Class D multicast addresses range from to More information is listed in Table 14-1 Ranges and meanings of Class D addresses. Table 14-1 Ranges and meanings of Class D addresses Class D address range Description Reserved multicast addresses (addresses of permanent groups). All but can be allocated by routing protocols. Multicast addresses available for users (addresses of temporary groups). They are valid in the entire network. Multicast addresses for local management. They are valid only in the specified local range

114 Reserved multicast addresses that are commonly used are described in the following table. STCS3526 Series Layer 3 Switch User Guide Table 14-2 Reserved multicast address list Class D address range Description Base Address (Reserved) Addresses of all hosts Addresses of all multicast routers Not for allocation DVMRP routers OSPF routers OSPF DR ST routers ST hosts RIP-2 routers IGRP routers Active agents DHCP server/relay agent All PIM routers RSVP encapsulation All CBT routers Specified SBM All SBMS VRRP II. Ethernet Multicast MAC Addresses When a unicast IP packet is transmitted on the Ethernet, the destination MAC address is the MAC address of the receiver. However, for a multicast packet, the destination is no longer a specific receiver but a group with unspecific members. Therefore, the multicast

115 MAC address should be used. As stipulated by the Internet Assigned Numbers Authority (IANA), the high 24 bits of a multicast MAC address are 0x01005e and the low 23 bits of a MAC address are the low 23 bits of a multicast IP address. Figure 14-4 Mapping between a multicast IP address and an Ethernet MAC address The first four bits of the multicast address are 1110, representing the multicast identifier. Among the remaining 28 bits, only 23 bits are mapped to the MAC address, and the other five bits are lost. As a result, 32 IP addresses may be mapped to the same MAC address. IP Multicast Protocols Multicast involves multicast group management protocols and multicast routing protocols. Their application positions are shown in Figure Application positions of multicast-related protocols. Figure Application positions of multicast-related protocols
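The IP-to-MAC mapping described above and its 32-to-1 overlap, as an added example (not part of the original manual). The group addresses are constructed samples; find_collisions is a hypothetical helper for auditing a list of groups whose Layer 2 forwarding entries would coincide, which matters wherever forwarding is decided by the MAC multicast table.

```python
import ipaddress
from collections import defaultdict

MAC_PREFIX = 0x01005E000000   # high 24 bits 0x01005e, next bit fixed at 0
LOW23_MASK = 0x7FFFFF         # the 23 low bits copied from the IP address


def multicast_mac(group):
    """Map a Class D IP address to its Ethernet multicast MAC address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a Class D address")
    mac = MAC_PREFIX | (int(addr) & LOW23_MASK)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def aliases(group):
    """All 32 Class D addresses that share this group's MAC address.

    The five bits between the 1110 prefix and the low 23 bits are dropped
    by the mapping, so every combination of them lands on the same MAC.
    """
    multicast_mac(group)  # validates the input
    low23 = int(ipaddress.IPv4Address(group)) & LOW23_MASK
    return [str(ipaddress.IPv4Address(0xE0000000 | (lost << 23) | low23))
            for lost in range(32)]


def find_collisions(groups):
    """Return {mac: [groups]} for every MAC shared by two or more groups."""
    by_mac = defaultdict(list)
    for group in groups:
        by_mac[multicast_mac(group)].append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed list of groups in use on a network
    in_use = ["224.0.0.5", "239.1.1.1", "225.129.1.1", "239.128.0.5"]
    for mac, members in find_collisions(in_use).items():
        print(mac, "is shared by", ", ".join(members))
```

A port that joins one group of a colliding pair receives the frames of the other at Layer 2, so user groups are best allocated so that they do not alias each other or the reserved addresses.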

116 I. Multicast group management protocol Multicast groups use Internet group management protocol (IGMP) as the management protocol. IGMP runs between the switch and multicast router and defines the membership establishment and maintenance mechanism between them. II. Multicast routing protocols A multicast routing protocol runs between multicast routers to create and maintain multicast routes for correct and efficient forwarding of multicast packets. The multicast routing creates a loop-free data transmission path from one source to multiple receivers. The task of multicast routing protocols is to build up the distribution tree architecture. A multicast router can use multiple methods to build up a path for data transmission, that is, a distribution tree. As in unicast routing, the multicast routing can also be intra-domain or inter-domain. Intra-domain multicast routing is rather mature, and protocol independent multicast (PIM) is the most widely used intra-domain protocol, which can work in collaboration with unicast routing protocols. The inter-domain routing first needs to solve how to transfer routing information between ASs. Since the ASs may belong to different telecom carriers, the inter-domain routing information must contain the carriers' policies, in addition to distance information. Currently, inter-domain routing protocols include multicast source discovery protocol (MSDP) and MBGP multicast extension. IP Multicast Packet Forwarding To ensure that multicast packets reach a router along the shortest path, the multicast router must check the receiving interface of multicast packets against the unicast routing table or a unicast routing table independently provided for multicast. This check mechanism is the basis for most multicast routing protocols to perform multicast forwarding, and is known as the Reverse Path Forwarding (RPF) check. 
A multicast router uses the source address of a received multicast packet to query the unicast routing table or the independent multicast routing table to determine that the receiving interface is on the shortest path from the receiving station to the source. If a source tree is used, the source address is the address of the source host sending the multicast packet. If a shared tree is used, the source address is the RP address of the shared tree. A multicast packet arriving at the router will be forwarded according to the multicast forwarding entry if it passes the RPF check, or else, it will be discarded
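The RPF check described above, for both the source tree and the shared tree case, as an added example (not the switch's own implementation). The routing table, interface names, RP address and multicast forwarding entries are constructed; the lookup is a plain longest-prefix match.

```python
import ipaddress


def rpf_interface(rib, address):
    """Longest-prefix match: the interface this router would use to reach address."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpf_check(rib, source, in_iface, rp=None):
    """True if the packet arrived on the interface that leads back to the
    source (source tree) or to the RP (shared tree, when rp is given)."""
    if ipaddress.ip_address(source).is_multicast:
        return False  # a Class D address is never valid in the source field
    lookup = rp if rp is not None else source
    expected = rpf_interface(rib, lookup)
    return expected is not None and expected == in_iface


def forward(rib, mroutes, source, group, in_iface, rp=None):
    """Return the outgoing interfaces, or [] if the packet is discarded."""
    if not rpf_check(rib, source, in_iface, rp):
        return []
    key = ("*", group) if rp is not None else (source, group)
    return [iface for iface in mroutes.get(key, []) if iface != in_iface]


# Constructed unicast routing table: (prefix, outgoing interface)
RIB = [
    ("10.1.0.0/16", "vint10"),
    ("10.1.2.0/24", "vint20"),
    ("0.0.0.0/0", "vint99"),
]
# Constructed multicast forwarding entries: (source or "*", group) -> interfaces
MROUTES = {
    ("10.1.2.7", "239.1.1.1"): ["vint10", "vint30"],
    ("*", "239.2.2.2"): ["vint10", "vint20", "vint30"],
}
RP = "10.1.2.1"  # constructed rendezvous point address

if __name__ == "__main__":
    print(forward(RIB, MROUTES, "10.1.2.7", "239.1.1.1", "vint20"))  # passes RPF
    print(forward(RIB, MROUTES, "10.1.2.7", "239.1.1.1", "vint10"))  # fails RPF
    print(forward(RIB, MROUTES, "172.16.0.5", "239.2.2.2", "vint20", rp=RP))
```

The same check discards a packet whose source address does not match the interface it arrived on, which is why a correct unicast routing table is a precondition for multicast forwarding.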

117 14.4 IGMP Snooping Configuration IGMP Snooping Overview IGMP Snooping Principle IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on the Layer 2 Ethernet switch and it is used for multicast group management and control. IGMP Snooping runs on the link layer. When receiving the IGMP messages transmitted between the host and router, the Layer 2 Ethernet switch uses IGMP Snooping to analyze the information carried in the IGMP messages. If the switch hears IGMP host report message from an IGMP host, it will add the host to the corresponding multicast table. If the switch hears IGMP leave message from an IGMP host, it will remove the host from the corresponding multicast table. The switch continuously listens to the IGMP messages to create and maintain MAC multicast address table on Layer 2. And then it can forward the multicast packets transmitted from the upstream router according to the MAC multicast address table. When IGMP Snooping is disabled, the packets are multicast on Layer 2. See the following figure: Figure 14-6 Multicast packet transmission without IGMP Snooping When IGMP Snooping runs, the packets are not broadcast on Layer 2. See the following figure:

118 Figure 13-7 Multicast packet transmission when IGMP Snooping runs Implement IGMP Snooping I. Related concepts of IGMP Snooping To facilitate the description, this section first introduces some related switch concepts of IGMP Snooping: Router Port: The port of the switch, directly connected to the multicast router. Multicast member port: The port connected to the multicast member. The multicast member refers to a host joined a multicast group. MAC multicast group: The multicast group is identified with MAC multicast address and maintained by the Ethernet switch. Router port aging time: Time set on the router port aging timer. If the switch has not received any IGMP general query message before the timer times out, it considers the port no longer as a router port. Multicast group member port aging time: When a port joins an IP multicast group, the aging timer of the port will begin timing. The multicast group member port aging time is set on this aging timer. If the switch has not received any IGMP report message before the timer times out, it transmits IGMP specific query message to the port. Maximum response time: When the switch transmits IGMP specific query message to the multicast member port, the Ethernet switch starts a response timer, which times before the response to the query. If the switch has not received any IGMP report message before the timer times out, it will remove the port from the multicast member ports II. Implement Layer 2 multicast with IGMP Snooping

119 The Ethernet switch runs IGMP Snooping to listen to the IGMP messages and map the host and its ports to the corresponding multicast group address. To implement IGMP Snooping, the Layer 2 Ethernet switch processes different IGMP messages in the way illustrated in the figure below: Figure 14-8 Implement IGMP Snooping

1) IGMP general query message: Transmitted by the multicast router to the multicast group members to query which multicast groups contain members. When an IGMP general query message arrives at a router port, the Ethernet switch resets the aging timer of the port. When a port other than a router port receives the IGMP general query message, the Ethernet switch notifies the multicast router that a port is ready to join a multicast group and starts the aging timer for the port.

2) IGMP specific query message: Transmitted from the multicast router to the multicast members and used for querying whether a specific group contains any member. When it receives an IGMP specific query message, the switch only transmits the specific query message to the IP multicast group which is queried.

3) IGMP report message: Transmitted from the host to the multicast router and used for applying to join a multicast group or responding to the IGMP query message. When it receives the IGMP report message, the switch checks whether the MAC multicast group corresponding to the IP multicast group the packet is ready to join exists. If the corresponding MAC multicast group does not exist, the switch only notifies the router that a member is ready to join a multicast group, creates a new MAC multicast group, adds the port that received the message to the group, starts the port aging timer, and then adds all the router ports in the native VLAN of the port into the MAC multicast forwarding table, and meanwhile creates an IP multicast group and adds the port that received the report message to it. 
If the corresponding MAC multicast group exists but does not contains the port received the report message, the switch adds the port into the multicast

120 group and starts the port aging timer. The switch then checks whether the corresponding IP multicast group exists. If it does not exist, the switch creates a new IP multicast group and adds the port that received the report message to it. If it exists, the switch adds the port to it. If the MAC multicast group corresponding to the message exists and contains the port that received the message, the switch only resets the aging timer of the port.

4) IGMP leave message: Transmitted from the multicast group member to the multicast router to notify that a host left the multicast group. When it receives a leave message of an IP multicast group, the Ethernet switch transmits the specific query message concerning that group to the port that received the message, in order to check whether the host still has some other member of this group, and meanwhile starts a maximum response timer. If the switch has not received any report message from the multicast group, the port is removed from the corresponding MAC multicast group. If the MAC multicast group does not have any member, the switch notifies the multicast router to remove it from the multicast tree.

IGMP Snooping Configuration

The main IGMP Snooping configuration includes: Enabling/disabling IGMP Snooping Configuring the aging time of multicast group member port. Among the above configuration tasks, enabling IGMP Snooping is required, while the others are optional, depending on your requirements.

Enabling/Disabling IGMP Snooping

You can use the following commands to enable/disable IGMP Snooping to control whether the MAC multicast forwarding table is created and maintained on Layer 2. Beginning in privileged EXEC mode, follow these steps to enable IGMP snooping.

Step 2: sys igmp-snooping enable - Enable IGMP Snooping.
Step 3: exit - Return to privileged EXEC mode.
Step 4: show system config - Verify your entries.
Step 5: write - (Optional) Save your entries in the configuration file. 
To disable IGMP snooping, use sys igmp-snooping disable global configuration command
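The report, leave and timer handling described in the IGMP Snooping implementation section above, reduced to one table, as an added example (not the switch's firmware). It is simplified: groups are keyed by IP group address instead of MAC group, a general query simply (re)starts the router-port timer of the receiving port, and the router-port aging and maximum response times are constructed values, since only the 300-second member aging default appears in this manual.

```python
from dataclasses import dataclass, field

MEMBER_AGING = 300   # default member-port aging time given in this manual (seconds)
ROUTER_AGING = 105   # constructed value, not from the manual
MAX_RESPONSE = 10    # constructed value, not from the manual


@dataclass
class SnoopingTable:
    router_ports: dict = field(default_factory=dict)  # port -> aging deadline
    groups: dict = field(default_factory=dict)        # group -> {port: aging deadline}
    awaiting: dict = field(default_factory=dict)      # (group, port) -> response deadline
    sent: list = field(default_factory=list)          # messages the switch emits

    def general_query(self, port, now):
        """A general query (re)starts the router-port aging timer."""
        self.router_ports[port] = now + ROUTER_AGING

    def report(self, port, group, now):
        """A report creates the group if needed and (re)starts the member timer."""
        members = self.groups.get(group)
        if members is None:
            members = self.groups[group] = {}
            self.sent.append(("notify-router-join", group))
        members[port] = now + MEMBER_AGING
        self.awaiting.pop((group, port), None)  # the port answered a pending query

    def leave(self, port, group, now):
        """A leave triggers a specific query; the port is only removed on silence."""
        if port in self.groups.get(group, {}):
            self._specific_query(group, port, now)

    def _specific_query(self, group, port, now):
        self.sent.append(("specific-query", group, port))
        self.awaiting[(group, port)] = now + MAX_RESPONSE

    def tick(self, now):
        """Expire router ports, unanswered specific queries and aged members."""
        for port in [p for p, t in self.router_ports.items() if t <= now]:
            del self.router_ports[port]
        for (group, port), deadline in list(self.awaiting.items()):
            if deadline <= now:
                del self.awaiting[(group, port)]
                members = self.groups.get(group, {})
                members.pop(port, None)
                if group in self.groups and not members:
                    del self.groups[group]
                    self.sent.append(("notify-router-prune", group))
        for group, members in self.groups.items():
            for port, deadline in members.items():
                if deadline <= now and (group, port) not in self.awaiting:
                    self._specific_query(group, port, now)

    def egress_ports(self, group):
        """Ports a frame for this group is forwarded to: members plus router ports."""
        return sorted(set(self.groups.get(group, {})) | set(self.router_ports))


if __name__ == "__main__":
    table = SnoopingTable()
    table.general_query(1, now=0)
    table.report(2, "239.1.1.1", now=0)
    table.report(3, "239.1.1.1", now=5)
    table.leave(3, "239.1.1.1", now=10)
    table.tick(now=20)   # port 3 did not answer the specific query
    print(table.egress_ports("239.1.1.1"))
```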

121 By default, IGMP Snooping is disabled.

Configuring Aging Time of Multicast Group Member

This task is to manually set the aging time of the multicast group member port. If the switch receives no multicast group report message during the member port aging time, it transmits the specific query message to that port and starts a maximum response timer. Beginning in privileged EXEC mode, follow these steps to configure Aging Time of Multicast Group Member.

Step 2: igmp-snooping timeout seconds - Configure aging time.
Step 3: exit - Return to privileged EXEC mode.
Step 4: show igmp-snooping timeout - Verify your entries.
Step 5: write - (Optional) Save your entries in the configuration file.

By default, the aging time of the multicast member is 300 seconds.

IGMP Snooping Configuration Example

Enable IGMP Snooping

I. Networking requirements To implement IGMP Snooping on the switch, first enable it. The switch is connected with the router via the router port, and with user PC through the non-router ports. II. Networking diagram

122 Figure 14-9 IGMP Snooping configuration networking

III. Configuration procedure

# Enable IGMP snooping on switch
switch(config)#system igmp-snooping enable

14.5 Static Multicast Group Configuration

Introduction to Static Multicast Group Configuration

Static multicast group configuration is a mode of multicast group management that specifies the multicast forwarding table, etc.

Static Multicast Group Configuration

Static multicast group configuration includes: Add/delete static multicast group. Beginning in privileged EXEC mode, follow these steps to add static multicast group

123 Step 2 multicast-group static add vid vlan-id mac-address port-list Add static multicast group. Mac-address is multicast group address. Port-list is port member list, format is port-number+m,such as 01m Step 3 exit Return to privileged EXEC mode. Step 4 show multicast-group Verify your entries. Step 5 write (Optional) Save your entries in the configuration file. To delete a static multicast group, use multicast-group static add vid vlan-id mac-address global configuration command IGMP Configuration IGMP Overview Introduction to IGMP Internet Group Management Protocol (IGMP) is a protocol in the TCP/IP suite responsible for management of IP multicast members. It is used to establish and maintain multicast membership among IP hosts and their directly connected neighboring routers. IGMP excludes transmitting and maintenance of membership information among multicast routers, which are completed by multicast routing protocols. All hosts participating in multicast must implement IGMP. Hosts participating in IP multicast can join and leave a multicast group at any time. The number of members of a multicast group can be any integer and the location of them can be anywhere. A multicast router does not need and cannot keep the membership of all hosts. It only uses IGMP to learn whether receivers (i.e., group members) of a multicast group are present on the subnet connected to each interface. A host only needs to keep which multicast groups it has joined. IGMP is not symmetric on hosts and routers. Hosts need to respond to IGMP query messages from the multicast router, i.e., report the group membership to the router. The router needs to send membership query messages periodically to discover whether hosts join the specified group on its subnets according to the received response messages. When the router receives the report that hosts leave the group, the router will send a group-specific query packet (IGMP Version 2) to discover whether no member exists in the group. 
Up to now, IGMP has three versions, namely, IGMP Version 1 (defined by RFC1112), IGMP Version 2 (defined by RFC2236) and IGMP Version 3. At present, IGMP Version 2 is the most widely used version. IGMP Version 2 has the following improvements over IGMP Version 1:

I. Election mechanism of multicast routers on the shared network segment
A shared network segment is a network segment with multiple multicast routers on it. In this case, all routers running IGMP on the network segment can receive the membership reports from hosts, so only one router needs to send membership query messages. A router election mechanism is therefore required to designate one router as the querier. In IGMP Version 1, the querier is selected by the multicast routing protocol. IGMP Version 2 specifies that the multicast router with the lowest IP address is elected as the querier when there are multiple multicast routers on the same network segment.

II. Leaving group mechanism
In IGMP Version 1, hosts leave the multicast group quietly without informing the multicast router. In this case, the multicast router can only rely on the timeout of the response time of the multicast group to confirm that hosts have left the group. In Version 2, when a host intends to leave, it sends a leave group message if it is the host that responded to the latest membership query message.

III. Specific group query
In IGMP Version 1, a query from a multicast router is targeted at all the multicast groups on the network segment, which is known as a General Query. IGMP Version 2 adds the Group-Specific Query alongside the general query. The destination IP address of the query packet is the IP address of the multicast group. The group address field in the packet is also the IP address of the multicast group. This prevents hosts that are members of other multicast groups from sending response messages.

IV. Max response time
The Max Response Time is added in IGMP Version 2.
It is used to dynamically adjust the maximum time allowed for a host to respond to the membership query message.

IGMP Configuration

1) IGMP basic configuration includes:
Enabling multicast routing
Enabling IGMP on an interface
2) IGMP advanced configuration includes:
Configuring the IGMP version
Configuring the interval of sending IGMP Group-Specific Query packet
Configuring the times of sending IGMP Group-Specific Query packet
Configuring the limit of IGMP groups on an interface
Configuring a router to join specified multicast group
Controlling the access to IP multicast groups
Configuring the IGMP query message interval
Configuring the IGMP querier present timer
Configuring the maximum query response time
Deleting IGMP Groups Joined on an Interface

Enabling Multicast Routing

Enable multicast first before enabling IGMP and the multicast routing protocol. Beginning in privileged EXEC mode, follow these steps to enable IP multicast routing.

Step 2  ip multicast-routing enable
        Enable IP multicast routing.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show ip mroute
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

By default, multicast is disabled. To disable multicast routing, use the ip multicast-routing disable global configuration command.

Enabling IGMP on an Interface

Only when the multicast function is enabled can the ip multicast-routing enable command be executed. After this, you can initiate IGMP feature configuration. Beginning in privileged EXEC mode, follow these steps to enable IGMP on an interface.

Step 2  ip pim interface interface-id sparse-mode enable
        Enable IP multicast routing.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show ip igmp interface interface-id
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

By default, multicast is disabled. To disable multicast routing, use the ip pim interface interface-id sparse-mode disable global configuration command.

Configuring the IGMP Version

Beginning in privileged EXEC mode, follow these steps to configure the IGMP version.

Step 2  ip igmp interface interface-id version { 1 | 2 }
        Specify the IGMP version that the switch uses.
        Note: If you change to Version 1, you cannot configure the ip igmp query-interval or the ip igmp query-max-response-time interface configuration commands.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show ip igmp interface interface-id
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

By default, IGMP Version 2 is used.

Caution: All routers on a subnet must support the same version of IGMP. After detecting the presence of IGMP Version 1 system, a router cannot automatically switch to Version

Configuring the Interval to Send IGMP Query Message

Multicast routers send IGMP query messages to discover which multicast groups are present on attached networks. Multicast routers send query messages periodically to refresh their knowledge of members present on their networks.

Beginning in privileged EXEC mode, follow these steps to configure the interval to send IGMP query messages.

Step 2  ip igmp query-interval seconds
        Configure the interval to send IGMP query messages. By default, the interval is 60 seconds. Seconds is range from 1 to
Step 3  exit
        Return to privileged EXEC mode.
Step 4  write
        (Optional) Save your entries in the configuration file.

When there are multiple multicast routers on a network segment, the querier is responsible for sending IGMP query messages to all hosts on the LAN.

Configuring the Interval of Querying IGMP Packets

On the shared network, it is the query router (querier) that maintains IGMP membership on the interface. When an IGMP querier receives an IGMP Leave Group message from a host, the last member query interval can be specified for Group-Specific Queries.

The host sends the IGMP Leave message. Upon receiving the message, the IGMP querier sends the IGMP query message for the designated group a specified number of times (defined by the robust-value in igmp robust-count, with the default value as 1 second) and at a time interval (defined by the seconds in igmp lastmember-query interval, with the default value as 2). When other hosts receive the message from the IGMP querier and are interested in this group, they return the IGMP Membership Report message within the defined maximum response time. If the IGMP querier receives report messages from other hosts within the period equal to robust-value seconds, it continues membership maintenance for this group. If it receives no report message from any other host within this period, it regards this as a timeout and ends membership maintenance for this group.

This command can be used only when the querier runs IGMP version 2, since a host running IGMP Version 1 does not send an IGMP Leave Group message when it leaves a group.
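The leave exchange described above (Leave Group, Group-Specific Query, Membership Report) can be checked on captured traffic with a small decoder. The Python below is an added example, not part of the manual or the switch software; the 8-byte message layout follows RFC 1112 and RFC 2236, and the group address and sample messages are constructed.

```python
"""IGMPv1/v2 message decoder (added example; layout per RFC 1112 / RFC 2236)."""
import ipaddress
import struct
from typing import List, NamedTuple

QUERY, V1_REPORT, V2_REPORT, LEAVE = 0x11, 0x12, 0x16, 0x17
NAMES = {V1_REPORT: "v1-report", V2_REPORT: "v2-report", LEAVE: "leave-group"}
NEEDS_GROUP = ("v2-group-specific-query", "v1-report", "v2-report", "leave-group")


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


class Igmp(NamedTuple):
    kind: str
    max_resp_s: float   # only meaningful for IGMPv2 queries
    group: str
    problems: tuple     # empty when the message looks well formed


def build(msg_type: int, max_resp_tenths: int, group: str) -> bytes:
    """Construct an 8-byte IGMP message with a valid checksum (for the samples)."""
    addr = ipaddress.IPv4Address(group).packed
    unsummed = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, addr)
    return struct.pack("!BBH4s", msg_type, max_resp_tenths,
                       inet_checksum(unsummed), addr)


def parse(payload: bytes) -> Igmp:
    """Decode one IGMP message (the IP payload, without the IP header)."""
    if len(payload) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    msg_type, max_resp, _, raw_group = struct.unpack("!BBH4s", payload[:8])
    group = ipaddress.IPv4Address(raw_group)
    problems = []
    if inet_checksum(payload) != 0:     # a valid message checksums to zero
        problems.append("bad-checksum")
    max_resp_s = 0.0
    if msg_type == QUERY:
        if len(payload) >= 12:
            kind = "v3-query"           # longer Version 3 format, not decoded here
        elif max_resp == 0:
            kind = "v1-general-query"   # Version 1 has no Max Response Time
        else:
            max_resp_s = max_resp / 10  # field is in tenths of a second
            kind = ("v2-general-query" if int(group) == 0
                    else "v2-group-specific-query")
    else:
        kind = NAMES.get(msg_type, "unknown-0x%02x" % msg_type)
    if kind in NEEDS_GROUP and not group.is_multicast:
        problems.append("group-not-multicast")
    return Igmp(kind, max_resp_s, str(group), tuple(problems))


def membership_kept(payloads: List[bytes], group: str) -> bool:
    """True if a well-formed report for `group` follows the last Leave for it.

    Simplification: timers are ignored; only the message order is examined.
    """
    kept = True
    for msg in map(parse, payloads):
        if msg.problems or msg.group != group:
            continue
        if msg.kind == "leave-group":
            kept = False
        elif msg.kind in ("v1-report", "v2-report"):
            kept = True
    return kept


# Constructed samples: one host leaves, the querier asks the group twice.
GROUP = "239.1.1.1"
LEAVE_THEN_REPORT = [build(LEAVE, 0, GROUP), build(QUERY, 10, GROUP),
                     build(V2_REPORT, 0, GROUP)]
LEAVE_NO_REPORT = [build(LEAVE, 0, GROUP), build(QUERY, 10, GROUP),
                   build(QUERY, 10, GROUP)]

if __name__ == "__main__":
    for name, seq in (("another member answers", LEAVE_THEN_REPORT),
                      ("nobody answers", LEAVE_NO_REPORT)):
        print(name, [parse(p).kind for p in seq],
              "kept" if membership_kept(seq, GROUP) else "timed out")
```

A message whose `problems` tuple is not empty (bad checksum, or a report or leave for a non-multicast address) is skipped by `membership_kept`, which is the same conservative choice a monitoring rule would make.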
Beginning in privileged EXEC mode, follow these steps to configure the interval of querying IGMP packets.

Step 2  ip igmp last-query-interval seconds
        Configure the interval for querying IGMP packets. By default, the interval is 1 second. Seconds is range from 1 to 65.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  write
        (Optional) Save your entries in the configuration file.

Changing the IGMP Query Timeout for IGMPv2

If you are using IGMPv2, you can specify the period of time before the switch takes over as the querier for the interface. By default, the switch waits twice the query interval controlled by the ip igmp query-interval interface configuration command. After that time, if the switch has received no queries, it becomes the querier. You can configure the query interval by entering the show ip igmp interface interface-id privileged EXEC command.

Beginning in privileged EXEC mode, follow these steps to change the IGMP query timeout. This procedure is optional.

Step 2  ip igmp querier-timeout seconds
        Specify the IGMP query timeout. The default is 60 seconds (twice the query interval). The range is 60 to 300.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  write
        (Optional) Save your entries in the configuration file.

Changing the Maximum Query Response Time for IGMPv2

If you are using IGMPv2, you can change the maximum query response time advertised in IGMP queries. The maximum query response time enables the switch to quickly detect that there are no more directly connected group members on a LAN. Decreasing the value enables the switch to prune groups faster.

Beginning in privileged EXEC mode, follow these steps to change the maximum query response time. This procedure is optional.

Step 2  ip igmp query-max-response seconds
        Change the maximum query response time advertised in IGMP queries. The default is 10 seconds. The range is 1 to
Step 3  exit
        Return to privileged EXEC mode.
Step 4  write
        (Optional) Save your entries in the configuration file.

Configuring a Router to Join Specified Multicast Group

Usually, a host running IGMP responds to the IGMP query packets of the multicast router. If the response fails, the multicast router considers that there is no multicast member on this network segment and cancels the corresponding path. Configuring one interface of the router as a multicast member avoids this problem. When the interface receives an IGMP query packet, the router responds, thus ensuring that the network segment to which the interface is connected can receive multicast packets normally.

For an Ethernet switch, you can configure a port in a VLAN interface to join a multicast group.

Beginning in privileged EXEC mode, follow these steps to configure a router to join a specified multicast group.

Step 2  ip igmp interface interface-id join-group group-address
        Configure a router to join the specified multicast group. By default, a router joins no multicast group.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  write
        (Optional) Save your entries in the configuration file.

To leave a group, use the ip igmp interface interface-id leave-group group-address global configuration command.

Configuring the Switch as a Statically Connected Member

Sometimes there is either no group member on a network segment or a host cannot report its group membership by using IGMP. However, you might want multicast traffic to go to that network segment. These are ways to pull multicast traffic down to a network segment:

Use the ip igmp interface interface-id join-group global configuration command. With this method, the switch accepts the multicast packets in addition to forwarding them. Accepting the multicast packets prevents the switch from fast switching.

Use the ip igmp interface interface-id static-group global configuration command. With this method, the switch does not accept the packets itself, but only forwards them. This method enables fast switching. The outgoing interface appears in the IGMP cache, but the switch itself is not a member, as evidenced by the lack of an L (local) flag in the multicast route entry.

Beginning in privileged EXEC mode, follow these steps to configure the switch itself to be a statically connected member of a group (and enable fast switching). This procedure is optional.

Step 2  ip igmp interface interface-id static-group add group-address
        Configure the switch as a statically connected member of a group. By default, this feature is disabled.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  write
        (Optional) Save your entries in the configuration file.

To remove the switch as a member of the group, use the ip igmp interface interface-id static-group delete group-address global configuration command.

PIM-SM Configuration

PIM-SM Overview

Introduction to PIM-SM

PIM-SM (Protocol Independent Multicast, Sparse Mode) is a sparse mode multicast routing protocol. PIM-SM is mainly applicable to large-scale networks with broad scope in which group members are relatively sparse.

Unlike the flood & prune principle of the dense mode, PIM-SM assumes that no host needs to receive multicast packets unless there is an explicit request for the packets. PIM-SM uses the RP (Rendezvous Point) and the BSR (Bootstrap Router) to advertise multicast information to all PIM-SM routers and uses the join/prune information of the router to build the RP-rooted shared tree (RPT), thereby reducing the bandwidth occupied by data packets and control packets and reducing the processing overhead of the router. Multicast data flows along the shared tree to the network segments the multicast group members are on. When the data traffic is sufficient, the multicast data flow can switch over to the SPT (Shortest Path Tree) rooted on the source to reduce network delay. PIM-SM does not depend on a specific unicast routing protocol but uses the present unicast routing table to perform the RPF check.

Running PIM-SM requires configuring candidate RPs and BSRs. The BSR is responsible for collecting the information from the candidate RP and advertising the information.

PIM-SM Working Principle

The PIM-SM working process is as follows: neighbor discovery, building the RP-rooted shared tree (RPT), multicast source registration and SPT switchover, etc. The neighbor discovery mechanism is the same as that of PIM-DM and is not described again here.

I. Build the RP shared tree (RPT)
When hosts join a multicast group G, the leaf routers that directly connect with the hosts send IGMP messages to learn the receivers of multicast group G. In this way, the leaf routers calculate the corresponding rendezvous point (RP) for multicast group G and then send join messages to the node of a higher level toward the rendezvous point (RP). Each router along the path between the leaf routers and the RP will generate (*, G) entries in the forwarding table, indicating that all packets sent to multicast group G are applicable to the entries no matter from which source they are sent. When the RP receives the packets sent to multicast group G, the packets will be sent to leaf routers along the path built and then reach the hosts. In this way, an RP-rooted tree (RPT) is built as shown in the following figure.

Figure RPT schematic diagram

II. Multicast source registration
When multicast source S sends a multicast packet to the multicast group G, the PIM-SM multicast router directly connected to S will encapsulate the received packet into a registration packet and send it to the corresponding RP in unicast form. If there are multiple PIM-SM multicast routers on a network segment, the Designated Router (DR) will be responsible for sending the multicast packet.

Preparations before Configuring PIM-SM

I. Configuring candidate RPs
In a PIM-SM network, multiple RPs (candidate-RPs) can be configured. Each Candidate-RP (C-RP) is responsible for forwarding multicast packets with the destination addresses in a certain range. Configuring multiple C-RPs implements load balancing of the RP. These C-RPs are equal. All multicast routers calculate the RPs corresponding to multicast groups according to the same algorithm after receiving the C-RP messages that the BSR advertises.

It should be noted that one RP can serve multiple multicast groups or all multicast groups. Each multicast group can correspond to only one RP at a time, not multiple RPs.

II. Configuring BSRs
The BSR is the management core in a PIM-SM network. Candidate-RPs send announcements to the BSR, which is responsible for collecting and advertising the information about all candidate-RPs.

It should be noted that there can be only one BSR in a network but you can configure multiple candidate-BSRs. In this case, once a BSR fails, you can switch over to another BSR. A BSR is elected among the C-BSRs automatically. The C-BSR with the highest priority is elected as the BSR. If the priority is the same, the C-BSR with the largest IP address is elected as the BSR.

III. Configuring static RP
The router that serves as the RP is the core router of multicast routes. If the dynamic RP elected by the BSR mechanism is invalid for some reason, the static RP can be configured to specify the RP.
As the backup of dynamic RP, static RP improves network robustness and enhances the operation and management capability of the multicast network.

PIM-SM Configuration

1) PIM-SM basic configuration includes:
Enabling Multicast
Enabling PIM-SM
Configuring the PIM-SM domain border
Configuring candidate-BSRs
Configuring candidate-RPs
Configuring static RP
2) PIM-SM advanced configuration includes:
Configuring the sending interval for the Hello packets of the interface
Configuring the filtering of multicast source/group
Configuring the filtering of PIM neighbor
Configuring the maximum number of PIM neighbor on an interface
Configuring RP to filter the register messages sent by DR
Clearing multicast route entries from PIM routing table
Clearing PIM neighbor

It should be noted that at least one router in an entire PIM-SM domain should be configured with Candidate-RPs and Candidate-BSRs.

Enabling Multicast

Refer to

Enabling PIM-SM

This configuration can be effective only after multicast is enabled.

Beginning in privileged EXEC mode, follow these steps to enable PIM-SM.

Step 2  ip pim interface interface-id sparse-mode enable
        Enable IP multicast routing.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show ip igmp interface interface-id
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

Repeat this configuration to enable PIM-SM on other interfaces. Only one multicast routing protocol can be enabled on an interface at a time.

Configuring Candidate-BSRs

In a PIM domain, one or more candidate BSRs should be configured. A BSR (Bootstrap Router) is elected among candidate BSRs. The BSR takes charge of collecting and advertising RP information. The automatic election among candidate BSRs is described as follows:

One interface which has started PIM-SM must be specified when configuring the router as the candidate BSR.

At first, each candidate BSR considers itself as the BSR of the PIM-SM domain, and sends Bootstrap messages taking the IP address of the interface as the BSR address.

When receiving Bootstrap messages from other routers, the candidate BSR will compare the BSR address of the newly received Bootstrap message with that of itself. Comparison standards include priority and IP address. The bigger IP address is considered better when the priority is the same. If the new BSR address is better, the candidate BSR will replace its BSR address and stop regarding itself as the BSR. Otherwise, the candidate BSR will keep its BSR address and continue to regard itself as the BSR.

Beginning in privileged EXEC mode, follow these steps to configure Candidate-BSRs.

Step 2  ip pim bsr-candidate interface-id [ priority priority ]
        Configure a candidate-BSR. By default, no BSR is set. The default priority is 0. Priority range is 0 to 255.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show ip pim bsr-router
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

Candidate-BSRs should be configured on the routers in the network backbone.

Caution: One router can only be configured with one candidate-BSR. When a candidate-BSR is configured on another interface, it will replace the previous configuration.

Configuring Candidate-RPs

In PIM-SM, the shared tree built by the multicast routing data is rooted at the RP. There is a mapping from a multicast group to an RP. A multicast group can be mapped to an RP. Different groups can be mapped to one RP.

Beginning in privileged EXEC mode, follow these steps to configure Candidate-RPs.

Step 2  ip pim rp-candidate interface-id [ priority priority ]
        Configure a candidate-RP. The default priority is 0. Priority range is 0 to
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show ip pim rp
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

When configuring an RP, if the range of the served multicast groups is not specified, the RP will serve all multicast groups. Otherwise, the RP serves the multicast groups in the specified range. It is suggested to configure the Candidate RP on the backbone router.

Configuring Static RP

Static RP serves as the backup of dynamic RP, so as to improve network robustness.

Beginning in privileged EXEC mode, follow these steps to configure static RP.

Step 2  ip pim rp-address set ip-address
        Configure static RP.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show ip pim rp
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

If static RP is in use, all routers in the PIM domain must adopt the same configuration. If the configured static RP address is the interface address of the local router whose state is UP, the router will function as the static RP. It is unnecessary to enable PIM on the interface that functions as static RP. When the RP elected from the BSR mechanism is valid, static RP does not work.

Modifying the PIM Router-Query Message Interval

PIM routers and multilayer switches send PIM router-query messages to find which device will be the DR for each LAN segment (subnet). The DR is responsible for sending IGMP host-query messages to all hosts on the directly connected LAN.

With PIM SM operation, the DR is the device that is directly connected to the multicast source. It sends PIM register messages to notify the RP that multicast traffic from a source needs to be forwarded down the shared tree. In this case, the DR is the device with the highest IP address.

Beginning in privileged EXEC mode, follow these steps to modify the router-query message interval. This procedure is optional.

Step 2  ip pim query-interval seconds
        Configure the frequency at which the switch sends PIM router-query messages. The default is 30 seconds. The range is 1 to
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show ip igmp interface interface-id
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

15 ACL Configuration

15.1 ACL Overview

A series of matching rules must be configured to recognize packets before they are filtered. Only when packets are identified can the network take the corresponding action, allowing or prohibiting them to pass, according to the preset policies. Access control lists (ACLs) are used to achieve these functions.

ACLs classify packets using a series of matching rules, which can be source addresses, destination addresses and port IDs. ACLs can be used globally on the switch or just at a port, through which the switch determines whether to forward or drop the packets.

The matching rules defined in ACLs can also be imported to differentiate traffic in other situations, for example, defining traffic classification rules in QoS.

An ACL rule can include many sub-rules, which may be defined for packets of different size. Matching order is involved when matching an ACL.

Configuring ACL

The ACL configuration tasks include:
Define ACL
Activate ACL

You are recommended to run the configuration tasks in order, that is, first define the ACL and then activate the ACL.

Defining ACL

The switch supports several types of ACLs, which are described in this section. Follow these steps to define an ACL.
1) Enter the corresponding ACL configuration mode.
2) Define ACL sub-rules.

Note: The ACL will be effective at any time after being activated. You can define multiple rules for the ACL by using the rule command several times. The switch does not support the explicit deny any any rule for the egress IP ACL or the egress MAC ACLs.

Beginning in privileged EXEC mode, follow these steps to define an ACL.

Step 2  access-list ruleid rule-id [deny | permit] priority priority [port-list | default]
        Enter the corresponding ACL configuration mode. Rule-id range is 1 to 999. Priority range is 0 to 8; 8 is the highest level. Port-list indicates the port members the rule is bound to; the format is port-number + m, such as 01m. Default indicates all ports.
Step 3  subset ip {any | source-add source-mask} [dst-add dst-mask]
        Set an IP-based ACL rule.
        subset mac {any | dst-mac} {any | source-mac}
        Set a MAC-based ACL rule.
        subset protocol {type-number igmp ipinip ospf pim icmp tcp [src-port src-port dst-port dst-port established [src-port src-port dst-port dst-port]] udp [src-port src-port dst-port dst-port ]}
        Set a protocol-based ACL rule.
        subset vlan-id vlan-id
        Set a VLAN ID-based ACL rule.
Step 4  exit
        Return to privileged EXEC mode.
Step 4  show access-list ruleid rule-id
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

To delete an ACL, use the no access-list ruleid rule-id global configuration command.

Attributes:
Source-add/Dest-add: Specifies the source or destination IP address. Use Any to match any address.
Source-mask/dst-mask: The source or destination address of the rule must match this subnet mask. When the source or destination IP address is a host, the mask must be ; when the source or destination IP address is a network address, the mask must be the corresponding subnet mask.
Source-mac/dst-mac: Source or destination MAC address. Use Any to include all possible addresses.
Type-number: Indicates a specific protocol number (0-255).
Source-port/Dest-Port: Source/destination port number for the specified protocol type. (Range: )

Activating ACL

After defining an ACL, you must activate it. This configuration activates those ACLs to filter or classify the packets forwarded by hardware.

Beginning in privileged EXEC mode, follow these steps to activate ACLs.

Step 2  packet-filter enable ruleid rule-id
        Activate the ACL.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show access-list ruleid rule-id
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

To deactivate an ACL, use the packet-filter disable ruleid rule-id global configuration command.

Configuring Default ACL

When you configure an ACL on a port, the system automatically creates a default ACL on the port, and the default ACL's rule permits any packet. So when you need the switch to deny any packet on a port, you should configure the default ACL manually.

Beginning in privileged EXEC mode, follow these steps to configure the default ACL.

Step 2  access-list default set port-list {deny | permit}
        Configure the default ACL.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show access-list default
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

ACL Configuration Example

I. Networking requirement
The intranet is connected through 100 Mbps ports between departments. The server of the financial department is connected through the port 1 (subnet address ). With proper ACL configuration, the CEO's office can access the server, but other departments cannot access it.

II. Networking diagram
Figure 15-1 Networking for advanced ACL configuration
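A model of the requirement above shows why the default ACL matters: with the automatically created permit-any default ACL, a permit rule for the CEO's office does not keep other departments away from the server. The Python below is an added example, not the switch's implementation; it assumes the highest-priority matching rule decides and that unmatched packets get the default ACL action, and every address is constructed because the manual's addresses are not shown.

```python
"""Model of per-port ACL evaluation with a default ACL (added example).

Assumptions, not taken from the manual: the matching rule with the highest
priority decides, ties go to the lower rule-id, and a packet that matches no
rule gets the port's default ACL action. All addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int                # manual: 1 to 999
    action: str                 # "permit" or "deny"
    priority: int               # manual: 0 to 8, 8 is the highest
    src: Optional[str] = None   # CIDR network (model notation); None means "any"
    dst: Optional[str] = None

    def __post_init__(self) -> None:
        if not 1 <= self.rule_id <= 999:
            raise ValueError("rule-id must be 1 to 999")
        if not 0 <= self.priority <= 8:
            raise ValueError("priority must be 0 to 8")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        def hit(net: Optional[str], ip: str) -> bool:
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return hit(self.src, src_ip) and hit(self.dst, dst_ip)


def evaluate(rules: List[Rule], default_action: str,
             src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule_id); rule_id is None when the default ACL decided."""
    for rule in sorted(rules, key=lambda r: (-r.priority, r.rule_id)):
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.rule_id
    return default_action, None


# Constructed addressing for the finance-server scenario.
SERVER = "198.51.100.10"
CEO_OFFICE = "192.0.2.0/28"
PROBES: Dict[str, str] = {"ceo": "192.0.2.5",
                          "sales": "203.0.113.20",
                          "rnd": "203.0.113.77"}
RULES = [Rule(rule_id=10, action="permit", priority=8,
              src=CEO_OFFICE, dst=SERVER + "/32")]


def unintended_access(rules: List[Rule], default_action: str,
                      allowed: Tuple[str, ...] = ("ceo",)) -> List[str]:
    """Probe hosts that reach the server although the policy excludes them."""
    return sorted(name for name, ip in PROBES.items()
                  if name not in allowed
                  and evaluate(rules, default_action, ip, SERVER)[0] == "permit")


if __name__ == "__main__":
    for default in ("permit", "deny"):
        print("default ACL = %-6s -> unintended access: %s"
              % (default, unintended_access(RULES, default) or "none"))
```

After changing the default ACL on a production port, the same question ("who else still matches permit?") is worth answering from show access-list default and a test from a host outside the permitted range.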

III. Configuration procedure

16 QoS Configuration

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with four priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues. You can set the priority for each interface, and configure the mapping of frame priority tags to the switch's priority queues.

Mapping CoS Values to Egress Queues

This switch processes Class of Service (CoS) priority tagged traffic by using four priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p standard as shown in the following table.

Table 16-1 Egress Queue Priority Mapping
Queue Priority

The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table.

Table 16-2 CoS Priority Levels
0  Best Effort
1  Background
2  (Spare)
3  Excellent Effort
4  Controlled Load
5  Video, less than 100 milliseconds latency and jitter
6  Voice, less than 10 milliseconds latency and jitter
7  Network Control

16.1 Setting the Queue Mode

You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, or use Weighted Round-Robin (WRR) queuing that specifies a relative weight of each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.

Beginning in privileged EXEC mode, follow these steps to set the queue mode.

Step 2  traffic-policy running-mode {strict-queue | weighted-queue}
        Set the queue running mode.
Step 3  exit
        Return to privileged EXEC mode.
Step 4  show traffic-policy all
        Verify your entries.
Step 5  write
        (Optional) Save your entries in the configuration file.

Setting the Priority for Port

You can specify the port priority for each port on the switch. All untagged packets entering the switch are tagged with the specified port priority, and then sorted into the appropriate priority queue at the output port.

This switch provides four priority queues for each port. It uses Weighted Round Robin to prevent head-of-queue blockage.

The port priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.

If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.

Beginning in privileged EXEC mode, follow these steps to set the port priority.

Step 2  traffic-policy link-group set group-id port-list local-precedence priority
        Create the link-group to set the priority for the port. Group-id range is 1 to 26. Port-list format is port-number + m, such as 01m. Priority range is 0 to 7; 7 is the highest precedence.
Step 3  traffic-policy link-group enable group-id
        Enable the traffic policy to set the priority for the port.
Step 4  exit
        Return to privileged EXEC mode.
Step 5  show traffic-policy all
        Verify your entries.
Step 6  write
        (Optional) Save your entries in the configuration file.

To delete the link-group, use the no traffic-policy link-group group-id global configuration command. To disable the traffic policy that sets the priority for the port, use the traffic-policy link-group disable group-id global configuration command.

Mapping IP Precedence

The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth). Bits 6 and 7 are used for network control, and the other bits for various application types. ToS bits are defined in the following table.

Table 16-3 Mapping IP Precedence
Priority Level  Traffic Type
0  Routine
1  Priority
2  Immediate
3  Flash
4  Flash Override
5  Critical
6  Internetwork Control
7  Network Control

Beginning in privileged EXEC mode, follow these steps to enable IP precedence to map to local precedence.

Step 2  traffic-policy tos set default [port-list]
        Create the policy that maps IP precedence one-to-one to local precedence for the port. Port-list format is port-number + m, such as 01m.
Step 3  traffic-policy tos enable
        Enable the traffic policy of mapping IP precedence.
Step 4  exit
        Return to privileged EXEC mode.
Step 5  show traffic-policy all
        Verify your entries.
Step 6  write
        (Optional) Save your entries in the configuration file.

To disable the traffic policy of mapping IP precedence, use the traffic-policy tos disable global configuration command.

Changing Priorities Based on ACL Rules

You can change traffic priorities for frames matching the defined ACL rule.

Note: Before initiating any of these QoS configuration tasks, you should first define the corresponding ACL. Then you can achieve packet filtering just by activating the right ACL.

Beginning in privileged EXEC mode, follow these steps to change priorities based on ACL rules.

Step 2  traffic-policy acl-group set group-id access-list ruleid rule-id local-precedence precedence
        Create the traffic policy based on ACL rules. Group-id is the group ID of the traffic policy based on ACL rules (range: 0 to 999). Precedence range is 0 to 7; 7 is the highest precedence.
Step 3  traffic-policy acl-group enable group-id
        Enable the traffic policy based on ACL rules.
Step 4  exit
        Return to privileged EXEC mode.
Step 5  show traffic-policy all
        Verify your entries.
Step 6  write
        (Optional) Save your entries in the configuration file.

To disable the traffic policy based on ACL rules, use the traffic-policy acl-group disable group-id global configuration command.

17 802.1x Configuration

STCS3526 Series Layer 3 Switch User Guide

802.1x Overview

802.1x Standard Overview

IEEE 802.1x (hereinafter simplified as 802.1x) is a Port Based Network Access Control protocol. IEEE issued it in 2001 and suggested that the related manufacturers use the protocol as the standard protocol for LAN user access authentication. 802.1x originated from the IEEE 802.11 standard, which is the standard for wireless LAN user access. The initial purpose of 802.1x was to implement wireless LAN user access authentication. Since its principle is commonly applicable to all the LANs complying with the IEEE 802 standards, the protocol finds wide application in wired LANs.

In the LANs complying with the IEEE 802 standards, the user can access the devices and share the resources in the LAN by connecting to a LAN access control device such as the LAN Switch. However, in telecom access, commercial LAN (a typical example is the LAN in an office building), mobile office and so on, the LAN providers generally hope to control the user's access. In these cases, the requirement for the above-mentioned Port Based Network Access Control arises.

As the name implies, Port Based Network Access Control means to authenticate and control all the accessed devices on the port of the LAN access control device. If the user's device connected to the port can pass the authentication, the user can access the resources in the LAN. Otherwise, the user cannot access the resources in the LAN, which is equivalent to the user being physically disconnected.

802.1x defines a port based network access control protocol and only defines the point-to-point connection between the access device and the access port. The port can be either physical or logical. The typical application environment is as follows: each physical port of the LAN Switch only connects to one user workstation (based on the physical port), and the wireless LAN access environment defined by the IEEE 802.11 standard (based on the logical port), etc.

802.1x System Architecture

The system using 802.1x is a typical C/S (Client/Server) system architecture. It contains three entities, which are illustrated in the following figure: Supplicant System, Authenticator System and Authentication Server System.

The LAN access control device needs to provide the Authenticator System of 802.1x. The devices at the user side, such as computers, need to be installed with the 802.1x client Supplicant software, for example, the 802.1x client provided by CHIMA (or by Microsoft Windows XP). The 802.1x Authentication Server system normally stays in the carrier's AAA center.

The Authenticator and the Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The Supplicant and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1x. Authentication data are encapsulated in the EAP frame, which is in turn encapsulated in the packets of other AAA upper layer protocols (e.g. RADIUS) so as to go through the complicated network to reach the Authentication Server. This procedure is called EAP Relay.

There are two types of ports for the Authenticator. One is the Uncontrolled Port, and the other is the Controlled Port. The Uncontrolled Port is always in bi-directional connection state. The user can access and share the network resources at any time through such ports. The Controlled Port will be in connecting state only after the user passes the authentication. Then the user is allowed to access the network resources.

Figure 17-1 802.1x system architecture

802.1x Authentication Process

802.1x configures the EAP frame to carry the authentication information. The Standard defines the following types of EAP frames:

EAP-Packet: Authentication information frame, used to carry the authentication information.
EAPoL-Start: Authentication originating frame, actively originated by the Supplicant.
EAPoL-Logoff: Logoff request frame, actively terminating the authenticated state.
EAPoL-Key: Key information frame, supporting encryption of the EAP packets.
EAPoL-Encapsulated-ASF-Alert: Supports the Alerting message of the Alert Standard Forum (ASF).

The EAPoL-Start, EAPoL-Logoff and EAPoL-Key frames only exist between the Supplicant and the Authenticator. The EAP-Packet information is re-encapsulated by the Authenticator System and then transmitted to the Authentication Server System. The EAPoL-Encapsulated-ASF-Alert is related to the network management information and is terminated by the Authenticator.

802.1x provides an implementation solution for user ID authentication. However, 802.1x by itself is not enough to implement the scheme. The administrator of the access device should configure RADIUS or local authentication so as to assist 802.1x in implementing the user ID authentication.
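The frame types listed above are distinguished by the packet-type byte of the 4-byte EAPoL header. The following Python parser is an added example, not code from the manual or the switch: the EtherType 0x888E and type numbers are those of IEEE 802.1X, the EAP codes are those of RFC 3748, and the sample frames, the MAC address and the identity "alice" are constructed.

```python
import struct

ETHERTYPE_EAPOL = 0x888E                    # EtherType for EAPoL (IEEE 802.1X)
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group address

# EAPoL packet types, in the order the manual lists them.
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPoL-Start",
    2: "EAPoL-Logoff",
    3: "EAPoL-Key",
    4: "EAPoL-Encapsulated-ASF-Alert",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_eapol(frame: bytes) -> dict:
    """Classify one untagged Ethernet frame carrying EAPoL."""
    if len(frame) < 18:
        raise ValueError("too short for Ethernet + EAPoL headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame (EtherType 0x%04x)" % ethertype)
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]          # drops Ethernet padding
    if len(body) != body_len:
        raise ValueError("EAPoL body shorter than its declared length")
    info = {
        "src": ":".join("%02x" % b for b in frame[6:12]),
        "version": version,
        "type": EAPOL_TYPES.get(ptype, "unknown(%d)" % ptype),
        # Only EAP-Packet is re-encapsulated toward the authentication
        # server; every other type ends at the authenticator.
        "relayed_to_server": ptype == 0,
        "eap_code": None,
        "identity": None,
    }
    if ptype == 0:
        if body_len < 4:
            raise ValueError("EAP header truncated")
        code, _ident, eap_len = struct.unpack("!BBH", body[:4])
        if not 4 <= eap_len <= body_len:
            raise ValueError("EAP length inconsistent with EAPoL length")
        info["eap_code"] = EAP_CODES.get(code, "unknown(%d)" % code)
        # A Response/Identity carries the user name in clear text.
        if code == 2 and eap_len >= 5 and body[4] == EAP_TYPE_IDENTITY:
            info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info


def build_frame(ptype: int, body: bytes = b"", declared_len=None) -> bytes:
    """Build a constructed sample frame from a made-up supplicant MAC."""
    src = bytes.fromhex("020000000001")
    length = len(body) if declared_len is None else declared_len
    frame = (PAE_GROUP + src + struct.pack("!H", ETHERTYPE_EAPOL)
             + struct.pack("!BBH", 1, ptype, length) + body)
    return frame.ljust(60, b"\x00")         # pad to minimum Ethernet size


def identity_response(name: bytes, ident: int = 7) -> bytes:
    """EAP Response/Identity payload for a constructed user name."""
    header = struct.pack("!BBHB", 2, ident, 5 + len(name), EAP_TYPE_IDENTITY)
    return header + name


if __name__ == "__main__":
    samples = (build_frame(1),
               build_frame(0, identity_response(b"alice")),
               build_frame(2))
    for sample in samples:
        print(parse_eapol(sample))
```

The identity field is readable by anything on the segment between supplicant and authenticator, which is why the parser reports it separately.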

Implement 802.1x on Ethernet Switch

Switches not only support the port access authentication method regulated by 802.1x, but also extend and optimize it in the following way:

Support for connecting several End Stations downstream via one physical port.
The access control (or the user authentication method) can be based on MAC address.

In this way, the system becomes much more secure and easier to manage.

802.1x Configuration

The main 802.1x configuration includes:

Enabling/Disabling 802.1x
Setting port authentication state
Setting maximum number of users via each port

Enabling/Disabling 802.1x

The following command can be used to enable/disable 802.1x globally.

Beginning in privileged EXEC mode, follow these steps to enable/disable 802.1x.

Step 2: dot1x system-auth-control enable
    Enable 802.1x.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dot1x system-auth-control
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To disable 802.1x, use the dot1x system-auth-control disable global configuration command.

Setting port authentication state

The following command can be used to set port authentication state.

Beginning in privileged EXEC mode, follow these steps to set port authentication state.

Step 2: dot1x ports port-list
    Set port authentication state. Port-list: format is port-number + m/-; m indicates a member, - indicates not a member.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dot1x ports
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

Setting Supplicant Number on a Port

The following commands are used for setting the number of users allowed by 802.1x on a specified port. When no port is specified, all the ports accept the same number of supplicants.

Beginning in privileged EXEC mode, follow these steps to set the maximum number of users via each port.

Step 2: dot1x multiple-host-num number
    Set maximum number of users via each port. Number range is 1 to 256.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dot1x ports
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

802.1x Configuration Example

I. Networking requirements

As shown in the following figure, the workstation of a user is connected to port 1 of the Switch. The switch administrator will enable 802.1x on all the ports to authenticate the supplicants so as to control their access to the Internet. The access control mode is configured as based on the MAC address.

A server group, consisting of two RADIUS servers at and respectively, is connected to the switch. The former one acts as the primary authentication/accounting server. The latter one acts as the secondary authentication/accounting server. Set the encryption key as test when the system exchanges packets with the RADIUS server. Configure the system to transmit a real-time accounting packet to the RADIUS server every 15 minutes. The user name of the local 802.1x access user is local user and the password is local pass (input in plain text).

II. Networking diagram

Figure 17-2 Enabling 802.1x and RADIUS to perform AAA on the supplicant

III. Configuration procedure

Note: The following examples concern most of the RADIUS configuration commands. For details, refer to the chapter RADIUS Protocol Configuration.

# Configure 802.1x
switch(config)#dot1x system-auth-control enable
switch(config)#dot1x ports 01m

# Configure radius client service
switch(config)#radiusclient ipaddress
switch(config)#radiusclient service enable
switch(config)#radiusclient accounting interval 1

# Configure radius server
switch(config)#radiusserver master_ipaddress
switch(config)#radiusserver slave_ipaddress
switch(config)#radiusserver master_port
switch(config)#radiusserver slave_port
switch(config)#radiusserver master_key test
switch(config)#radiusserver slave_key test

18 RADIUS Protocol Configuration

18.1 RADIUS Protocol Overview

I. What is RADIUS

Remote Authentication Dial-In User Service, RADIUS for short, is a distributed information exchange protocol with a Client/Server architecture. RADIUS can protect the network from unauthorized access, and it is often used in network environments requiring both high security and remote user access. For example, it is often used for managing a large number of scattered dial-in users who use serial ports and modems. The RADIUS system is an important auxiliary part of the Network Access Server (NAS).

After the RADIUS system is started, if the user wants the right to access other networks or to consume some network resources through a connection to the NAS (a dial-in access server in a PSTN environment, or an Ethernet switch with access function in an Ethernet environment), the NAS, namely the RADIUS client end, will transmit the user's AAA request to the RADIUS server. The RADIUS server has a user database recording all the information of user authentication and network service access. When receiving the user's request from the NAS, the RADIUS server performs AAA through user database query and update, and returns the configuration information and accounting data to the NAS. Here, the NAS controls the supplicant and corresponding connections, while the RADIUS protocol regulates how to transmit configuration and accounting information between the NAS and RADIUS.

NAS and RADIUS exchange the information with UDP packets. During the interaction, both sides encrypt the packets with keys before uploading user configuration information (like password etc.) to avoid it being intercepted or stolen.

II. RADIUS operation

The RADIUS server generally uses the proxy function of devices like the access server to perform user authentication. The operation process is as follows:

First, the user sends a request message (the client username and encrypted password are included in the message) to the RADIUS server.
Second, the user receives from the RADIUS server one of various kinds of response messages, in which the ACCEPT message indicates that the user has passed the authentication, and the REJECT message indicates that the user has not passed the authentication and needs to input the username and password again; otherwise the user will be denied access.

Implementing RADIUS on Ethernet Switch

By now, we understand that in the above-mentioned RADIUS framework, SPEED Series Ethernet Switches, serving as the user access device or NAS, are the client end of RADIUS. In other words, the client end of RADIUS is implemented on SPEED Series Ethernet Switches.

Configuring RADIUS Protocol

RADIUS protocol configuration includes:

Enable/disable radius client service
Setting radius client ip address
Setting a real-time accounting interval
Setting IP Address of RADIUS Server
Setting Port Number of RADIUS Server
Setting RADIUS packet encryption key

Enable/disable radius client service

Beginning in privileged EXEC mode, follow these steps to enable radius client service.

Step 2: radiusclient service enable
    Enable radius client service.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show radiusclient service
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To disable radius client service, use the radiusclient service disable global configuration command.

Setting radius client ip address

Beginning in privileged EXEC mode, follow these steps to set the radius client ip address.

Step 2: radiusclient ipaddress ip-address
    Set the radius client ip address. Ip-address is the vlan interface ip address.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show radiusclient ipaddress
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

Setting a Real-time Accounting Interval

To implement real-time accounting, it is necessary to set a real-time accounting interval. After the attribute is set, the NAS will transmit the accounting information of online users to the RADIUS server regularly. You can use the following command to set a real-time accounting interval.

Beginning in privileged EXEC mode, follow these steps to set a real-time accounting interval.

Step 2: radiusclient accounting interval minutes
    Set a real-time accounting interval. Minutes must be the same as the radius server setting. When minutes is set to 0, the radius client does not send update messages to the radius server.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show radiusclient accounting interval
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

Setting IP Address of RADIUS Server

Set IP addresses for the RADIUS servers, including primary/second authentication/authorization servers and accounting servers. You can use the following commands to configure the IP address for RADIUS servers.

Beginning in privileged EXEC mode, follow these steps to set the ip address for the radius server.

Step 2: radiusserver master_ipaddress ip-address
    Set the ip address for the master radius server.
Step 3: radiusserver slave_ipaddress ip-address
    (Optional) Set the ip address for the slave radius server.
Step 4: show radiusserver master_ipaddress
    Verify your entries.
Step 5: show radiusserver slave_ipaddress
    Verify your entries.
Step 6: write
    (Optional) Save your entries in the configuration file.

By default, all the IP addresses of primary/second authentication/authorization and accounting servers are

Setting Port of RADIUS Server

Set the port for the RADIUS servers, including primary/second authentication/authorization servers and accounting servers. You can use the following commands to configure the port number for RADIUS servers.

Beginning in privileged EXEC mode, follow these steps to set the port for the radius server.

Step 2: radiusserver master_port authentication-port account-port
    Set the port for the master radius server.
Step 3: radiusserver slave_port authentication-port account-port
    (Optional) Set the port for the slave radius server.
Step 4: show radiusserver master_port
    Verify your entries.
Step 5: show radiusserver slave_port
    Verify your entries.
Step 6: write
    (Optional) Save your entries in the configuration file.

Setting RADIUS Packet Encryption Key

The RADIUS client (switch system) and the RADIUS server use the MD5 algorithm to encrypt the exchanged packets. The two ends verify the packets through the configured encryption key. Only when the keys are identical can both ends accept the packets from each other and respond. You can use the following commands to set the encryption key for RADIUS packets.

Beginning in privileged EXEC mode, follow these steps to set the radius packet encryption key.

Step 2: radiusserver master_key string
    Set the encryption key for the master radius server.
Step 3: radiusserver slave_key string
    (Optional) Set the encryption key for the slave radius server.
Step 4: show radiusserver master_key
    Verify your entries.
Step 5: show radiusserver slave_key
    Verify your entries.
Step 6: write
    (Optional) Save your entries in the configuration file.

By default, the keys of RADIUS authentication/authorization and accounting packets are all test.

RADIUS Protocol Configuration Examples

For the hybrid configuration example of RADIUS protocol and 802.1x protocol, refer to Configuration Example in 802.1x Configuration. It will not be detailed here.

19 DHCP Protocol Configuration

This chapter describes how to configure DHCP Server and DHCP Relay features on the switch.

DHCP Relay configuration

Brief Introduction to DHCP Relay

As networks grow in size and complexity, network configuration becomes more and more complex. Dynamic Host Configuration Protocol (DHCP) was introduced to make it easy for users to join and leave the network quickly and to improve utilization of IP addresses in places where computers are often moved (e.g., where portable computers or wireless networks are used) or where the number of hosts exceeds the number of IP addresses which can be allocated. DHCP works in Client/Server mode. With this protocol, the DHCP Client can dynamically request configuration information and the DHCP Server can configure the information for the Client conveniently.

In the early days, DHCP was only suitable for the case where the DHCP Client and DHCP Server are located on the same subnet, and could not work across network segments. If the early DHCP is used to dynamically configure the host, each subnet should be equipped with a DHCP Server, which is obviously uneconomical. The introduction of DHCP relay solves this difficulty. The DHCP relay serves as a relay between the DHCP Client and the DHCP Server located on different subnets. The DHCP packets can be relayed to the destination DHCP Server (or Client) across network segments. Thereby, the DHCP clients on different networks can use the same DHCP Server. This is economical and convenient for centralized management.

Figure 19-1 DHCP Relay typical application

DHCP Relay works on this principle: During startup and DHCP initialization, the DHCP Client advertises configuration request messages to the local network. If there is a DHCP Server in the local network, DHCP configuration can be initiated directly, and DHCP Relay is unnecessary. Otherwise, when a device with DHCP Relay enabled which is connected to the local network receives the messages, it will perform the necessary processing and forward them to the designated DHCP Server on another network. The DHCP Server makes configurations according to the information from the DHCP Client and sends the configuration result back to the DHCP Client via DHCP Relay. In practice, several rounds of interaction may be required in the dynamic configuration of a DHCP Client.

Configuring DHCP Relay

DHCP relay configuration includes:

Specifying VLAN interface to forward DHCP packets.
Configuring the IP Address of a DHCP Server.
Enabling/disabling DHCP Relay service

Specifying VLAN interface to forward DHCP packets

Beginning in privileged EXEC mode, follow these steps to specify the VLAN interface to forward DHCP packets.

Step 2: dhcpr listen add index vlan-interface
    Specify the VLAN interface to forward DHCP packets. Vlan-interface format is vint+interface-id.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dhcpr listen
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To delete a VLAN interface for forwarding DHCP packets, use the dhcpr listen delete index global configuration command.

Configuring the IP Address of a DHCP Server

Beginning in privileged EXEC mode, follow these steps to configure the IP Address of a DHCP Server.

Step 2: dhcpr targetip add index server-ipaddress
    Configure the IP address of a DHCP Server.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dhcpr targetip
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To delete the IP address of a DHCP Server, use the dhcpr targetip del index global configuration command.

Enabling/disabling DHCP Relay service

Beginning in privileged EXEC mode, follow these steps to enable DHCP Relay service.

Step 2: dhcpr service enable
    Enable DHCP Relay service.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dhcpr service
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To disable DHCP Relay service, use the dhcpr service disable global configuration command.

DHCP Server configuration

The switch can act as a DHCP server. This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service. It can also provide other network settings such as the domain name, default gateway, Domain Name Servers (DNS) etc. Addresses can be assigned to clients from a common address pool configured for a specific IP interface on this switch.

Configuring DHCP Server

DHCP Server configuration includes:

Specifying VLAN interface to forward DHCP packets.
Enabling/disabling DHCP Server service
Add IP address pool.
Setting DNS for DHCP Server (optional)
Setting lease time for DHCP Server (optional)

Specifying VLAN interface to forward DHCP packets

Beginning in privileged EXEC mode, follow these steps to specify the VLAN interface to forward DHCP packets.

Step 2: dhcps listen add index vlan-interface
    Specify the VLAN interface to forward DHCP packets. Vlan-interface format is vint+interface-id.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dhcps listen
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To delete a VLAN interface for forwarding DHCP packets, use the dhcps listen delete index global configuration command.

Enabling/disabling DHCP Server service

Beginning in privileged EXEC mode, follow these steps to enable DHCP Server service.

Step 2: dhcps service enable
    Enable DHCP Server service.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dhcps service
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To disable DHCP Server service, use the dhcps service disable global configuration command.

Add IP address pool

Beginning in privileged EXEC mode, follow these steps to add an IP address pool.

Step 2: dhcps addresspool add name start-ip end-ip gate-way net-mask [dns1 dns1-ip dns2 dns2-ip leasetime seconds parameters string]
    Add IP address pool.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dhcps addresspool
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To delete an IP address pool, use the dhcps addresspool del name global configuration command.

Setting DNS for DHCP Server (optional)

Beginning in privileged EXEC mode, follow these steps to set DNS for DHCP Server.

Step 2: dhcps dns dns-ip
    Set DNS for DHCP Server.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dhcps dns
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

Setting lease time for DHCP Server (optional)

Beginning in privileged EXEC mode, follow these steps to set the lease time for DHCP Server.

Step 2: dhcps leasetime seconds
    Set lease time for DHCP Server. By default seconds is
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show dhcps dns
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

DHCP Protocol Configuration Example

DHCP Relay Configuration Example

I. Networking requirements

The segment address for DHCP Client is , which is connected to a port in the VLAN2 on the switch. The IP address of DHCP Server is . The DHCP packets should be forwarded via the switch with DHCP Relay enabled. The DHCP Client can get an IP address and other configuration information from the DHCP Server.

II. Networking diagram

Figure 19-2 Networking diagram of configuring DHCP relay

III. Configuration procedure

# Configure VLAN and specify IP address for VLAN
switch(config)#vlan static set vid 101-
switch(config)#vlan static add vid 201u
switch(config)#vlan port pvid 12
switch(config)#ip address add vint vid
switch(config)#ip address add vint vid 2

# Configure DHCP Relay
switch(config)#dhcpr listen add 1 vint1
switch(config)#dhcpr listen add 2 vint2
switch(config)#dhcpr targetip add
switch(config)#dhcpr service enable

DHCP Server Configuration Example

I. Networking requirements

The segment address for DHCP Client is , which is connected to a port in the VLAN2 on the switch. When DHCP Server service is enabled, the DHCP Client can get an IP address and other configuration information from the DHCP Server.

II. Networking diagram

Figure 19-3 Networking diagram of configuring DHCP Server

III. Configuration procedure

# Configure VLAN and specify IP address for VLAN
switch(config)#vlan static set vid 101-
switch(config)#vlan static add vid 201u
switch(config)#vlan port pvid
switch(config)#ip address add vint vid 2

# Configure DHCP Server
switch(config)#dhcps listen add 1 vint2
switch(config)#dhcps service enable
switch(config)#dhcps addresspool add pool dns dns

20 SNMP Configuration

20.1 SNMP Overview

By far, the Simple Network Management Protocol (SNMP) has gained the most extensive application in computer networks. SNMP has been put into use and widely accepted as an industry standard in practice. It is used for ensuring the transmission of management information between any two nodes. In this way, network administrators can easily search and modify the information on any node on the network. In the meantime, they can locate faults promptly and carry out fault diagnosis, capacity planning and report generation.

SNMP adopts the polling mechanism and provides the most basic function set. It is most applicable to small-sized, fast-speed and low-cost environments. It only requires the unverified transport layer protocol UDP, and is thus widely supported by many other products.

In terms of structure, SNMP can be divided into two parts, namely, Network Management Station and Agent. The Network Management Station is the workstation running the client program. At present, the commonly used NM platforms include Sun Net Manager and IBM NetView. The Agent is the server software operated on network devices. The Network Management Station can send GetRequest, GetNextRequest and SetRequest messages to the Agent. Upon receiving the requests from the Network Management Station, the Agent will perform a Read or Write operation according to the message type, then generate and return the Response message to the Network Management Station. On the other hand, the Agent will send a Trap message on its own initiative to the Network Management Station to report events whenever the device encounters any abnormalities, such as a new device being found or a restart.

SNMP Versions and Supported MIB

To uniquely identify the management variables of a device in SNMP messages, SNMP adopts a hierarchical naming scheme to identify the managed objects. It is like a tree. A tree node represents a managed object, as shown in the figure below. Thus the object can be identified with the unique path starting from the root.

Figure 20-1 Architecture of the MIB tree

The MIB (Management Information Base) is used to describe the hierarchical architecture of the tree, and it is the set defined by the standard variables of the monitored network device. In the above figure, the managed object B can be uniquely specified by a string of numbers { }. The number string is the Object Identifier of the managed object.

The current SNMP Agent of the Ethernet switch supports SNMP V1, V2C and V3. The MIBs supported are listed in the following table.

Table 20-1 MIBs supported by the Ethernet Switch

MIB attribute   MIB content                                References
Public MIB      MIB II based on TCP/IP network device      RFC1213
                BRIDGE MIB, RIP MIB                        RFC1493, RFC2675, RFC1724
                RMON MIB                                   RFC2819
                Ethernet MIB                               RFC2665
                OSPF MIB                                   RFC1253
                IF MIB                                     RFC1573
Private MIB     VLAN MIB
                Device management

20.3 Configure SNMP

The main configuration of SNMP includes:

Set community Name
Set the Destination Address of Trap
Set Trap parameters

Setting Community Name

SNMP V1 and SNMP V2C adopt the community name authentication scheme. An SNMP message whose community name does not match one accepted by the device will be discarded. An SNMP Community is named with a character string, which is called the Community Name. The various communities can have read-only or read-write access mode. A community with read-only authority can only query the device information, whereas a community with read-write authority can also configure the device.

Beginning in privileged EXEC mode, follow these steps to set the Community Name.

Step 2: snmp community set index string {read-only | read-write}
    Set community string. Index: range is 1 to 8.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show snmp community
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

To delete a community string, use the snmp community delete index global configuration command.

Setting the Destination Address of Trap

You can use the following commands to set or delete the destination address of the trap.

Beginning in privileged EXEC mode, follow these steps to set the Destination Address of Trap.

Step 2: snmp traps host host-number hostaddr ip-address [port udp-port]
    Set the destination address of trap. Host-number: range is 1 to 3.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show snmp traps
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

Setting Trap Parameters

You can use the following commands to set trap parameters.

Beginning in privileged EXEC mode, follow these steps to set trap parameters.

Step 2: snmp traps parameters index mpmodel {v1 | v2c | v3} securemodel {v1 | v2c | usm} securename string securelevel {AuthNoPriv | AuthPriv | noauthnopriv}
    Set trap parameters.
Step 3: exit
    Return to privileged EXEC mode.
Step 4: show snmp traps
    Verify your entries.
Step 5: write
    (Optional) Save your entries in the configuration file.

SNMP Configuration Example

I. Networking requirements

The Network Management Station and the Ethernet switch are connected via the Ethernet. The IP address of the Network Management Station is and that of the VLAN interface on the switch is . Perform the following configurations on the switch: set the community name and set the trap host address.

II. Networking diagram

Figure 20-2 SNMP configuration example

III. Configuration procedure

# Configure community string
switch(config)#snmp community set 1 public read-write

# Configure trap host
switch(config)#snmp traps host 1 hostaddr

Configuring System Message Logging

This chapter describes how to configure system message logging on the switch.

System Message Logging Introduction

The function of the syslog message is to inform the network manager of the troubles that occurred in the user's switch. Syslog messages are classified into 7 levels, [emergency | alert | critical | error | warning | notice | info], according to priority. Emergency is the highest priority and Info is the lowest priority. The level of the syslog message can be assigned by the user, and messages below the assigned level are not transmitted to the user. For example, if you want to receive messages of all levels, you have to choose the Info level. And if you choose the Error level, you receive the Error, Critical, Alert and Emergency messages, that is, Error and the levels higher than Error.
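The 802.1x/RADIUS and SNMP configuration examples above use the default RADIUS key test and the community public with read-write access. The following Python check over saved command lines is an added example, not a tool shipped with the switch: it relies only on the command syntax shown in this manual, the 16-character minimum key length is an assumed local policy, and the sample configuration (addresses included) is constructed.

```python
import re

PROMPT = re.compile(r"^\s*\S*\(config\)#\s*")   # strips "switch(config)#"
WELL_KNOWN_COMMUNITIES = {"public", "private"}
DEFAULT_RADIUS_KEY = "test"    # default key stated in the manual
MIN_KEY_LEN = 16               # assumption: local policy, not from the manual


def audit(config_text: str) -> list:
    """Return (line_number, rule_id, message) findings for risky settings."""
    findings = []
    radius_enabled_at = None
    master_key_seen = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("#"):
            continue                               # blank line or comment
        tok = line.split()
        if tok[:3] == ["radiusclient", "service", "enable"]:
            radius_enabled_at = lineno
        elif (tok[0] == "radiusserver" and len(tok) == 3
              and tok[1] in ("master_key", "slave_key")):
            if tok[1] == "master_key":
                master_key_seen = True
            if tok[2] == DEFAULT_RADIUS_KEY:
                findings.append((lineno, "RADIUS-DEFAULT-KEY",
                                 "%s is the documented default" % tok[1]))
            elif len(tok[2]) < MIN_KEY_LEN:
                findings.append((lineno, "RADIUS-SHORT-KEY",
                                 "%s shorter than %d characters"
                                 % (tok[1], MIN_KEY_LEN)))
        elif tok[:3] == ["snmp", "community", "set"] and len(tok) == 6:
            name, mode = tok[4], tok[5]
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append((lineno, "SNMP-WELLKNOWN",
                                 "community '%s' is a well-known name" % name))
            if mode == "read-write":
                findings.append((lineno, "SNMP-RW",
                                 "community can configure the device"))
        elif tok[:3] == ["snmp", "traps", "parameters"]:
            opts = dict(zip(tok[4::2], tok[5::2]))   # keyword/value pairs
            if opts.get("mpmodel") in ("v1", "v2c"):
                findings.append((lineno, "SNMP-TRAP-CLEARTEXT",
                                 "v1/v2c traps carry the community unencrypted"))
            if opts.get("securelevel", "").lower() == "noauthnopriv":
                findings.append((lineno, "SNMP-TRAP-NOAUTH",
                                 "traps are neither authenticated nor encrypted"))
    if radius_enabled_at is not None and not master_key_seen:
        findings.append((radius_enabled_at, "RADIUS-KEY-UNSET",
                         "no master_key set, so the default key applies"))
    return findings


# Constructed sample in the manual's command syntax.
SAMPLE = """\
# Constructed sample; the address is a documentation-range placeholder
switch(config)#dot1x system-auth-control enable
switch(config)#radiusclient service enable
switch(config)#radiusserver master_ipaddress 192.0.2.10
switch(config)#radiusserver master_key test
switch(config)#snmp community set 1 public read-write
switch(config)#snmp traps parameters 1 mpmodel v2c securemodel v2c securename public securelevel noauthnopriv
"""

# Constructed counterpart with the weak settings replaced.
HARDENED = """\
switch(config)#radiusclient service enable
switch(config)#radiusserver master_key 7fQ2-constructed-example-key
switch(config)#snmp community set 1 n0c-ro-constructed read-only
switch(config)#snmp traps parameters 1 mpmodel v3 securemodel usm securename nms securelevel AuthPriv
"""

if __name__ == "__main__":
    for lineno, rule, message in audit(SAMPLE):
        print("line %d: %s: %s" % (lineno, rule, message))
```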


More information

Managed Ethernet Switch User s Manual

Managed Ethernet Switch User s Manual Managed Ethernet Switch User s Manual Information Coding: UM00D908 Version: V1.1 Product version: all Product Name: Managed Industrial Ethernet Switches on DIN Rail and Rack. Applicable to: Technical Support

More information

24-Port Fast + 2-Port Giga Intelligent Ethernet Switch SG9224B WEB USER GUIDE. Date: 02, Standard Version. Version: 1.02

24-Port Fast + 2-Port Giga Intelligent Ethernet Switch SG9224B WEB USER GUIDE. Date: 02, Standard Version. Version: 1.02 1 24-Port Fast + 2-Port Giga Intelligent Ethernet Switch SG9224B WEB USER GUIDE Date: 02, 2004 Standard Version Version: 1.02 1 2 I. Table of Contents 1. Introduction 1-1. SG9224B with ARM S3C4510X01 Hardware

More information

VERTICAL HORIZON VH-2402S FAST ETHERNET SWITCH MANAGEMENT GUIDE

VERTICAL HORIZON VH-2402S FAST ETHERNET SWITCH MANAGEMENT GUIDE VERTICAL HORIZON VH-2402S FAST ETHERNET SWITCH MANAGEMENT GUIDE 9033645-01 Notice Only qualified personnel should perform installation procedures. NOTICE Enterasys Networks reserves the right to make

More information

ISCOM 2126 Series Switch Command Notebook

ISCOM 2126 Series Switch Command Notebook ISCOM 2126 Series Switch Notebook Software Version ISCOMOS 1.2 Beijing Raisecom Science & Technology Co., Ltd CONTENTS CHAPTER 1. PREFACE... 1 1.1 AUDIENCE... 1 1.2 ABBREVIATION... 1 1.3 REFERENCE... 1

More information

MR2228-S2C. Stack Fast Ethernet Switch Management Guide

MR2228-S2C. Stack Fast Ethernet Switch Management Guide MR2228-S2C Stack Fast Ethernet Switch Management Guide Management Guide Stackable Fast Ethernet Switch with 24 10/100BASE-TX (RJ-45) Ports, 2 1000BASE-T Combination Ports (RJ-45/SFP), and 2 1000BASE-T/Stacking

More information

WSG18SFP Switch. User Manual

WSG18SFP Switch. User Manual WSG18SFP Switch User Manual Version: 01/01/2011 Introduction! 4 Product Overview! 4 Web Management Features! 4 Specifications! 5 Mechanical! 5 Performance! 5 Package Contents! 6 Hardware Description! 6

More information

Management Software AT-S101. User s Guide. For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch. Version Rev.

Management Software AT-S101. User s Guide. For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch. Version Rev. Management Software AT-S101 User s Guide For use with the AT-GS950/8POE Gigabit Ethernet WebSmart Switch Version 1.0.0 613-000985 Rev. A Copyright 2008 Allied Telesis, Inc. All rights reserved. No part

More information

ASIT-33018PFM. 18-Port Full Gigabit Managed PoE Switch (ASIT-33018PFM) 18-Port Full Gigabit Managed PoE Switch.

ASIT-33018PFM. 18-Port Full Gigabit Managed PoE Switch (ASIT-33018PFM) 18-Port Full Gigabit Managed PoE Switch. () Introduction Description 16 * 10/100/1000M PoE ports + 2 * Gigabit SFP optical ports. L2+ function with better performance of management, safety & QoS etc. Supprt Layer 2 switching function, including

More information

Highlights. Datasheet ISCOM2128EA-MA. comboo GE network. Network Security. control, Aggregation. & Management. Advanced QoS. Support IGMP.

Highlights. Datasheet ISCOM2128EA-MA. comboo GE network. Network Security. control, Aggregation. & Management. Advanced QoS. Support IGMP. ISCOM2110EA-MAA Enhanced L2 Carrier Ethernet Access Switch ISCOM2110EA-MAA is designed for Carrier Ethernet access portfolio, which provides cost-effective solutions for campus, enterprise, and residential

More information

8-Port Fast Ethernet Switch

8-Port Fast Ethernet Switch TigerSwitch 10/100 8-Port Fast Ethernet Switch 8 10BASE-T/100BASE-TX ports, 1 1000BASE-T port Optional 100BASE-FX or 1000BASE-X modules 5.6 Gbps aggregate bandwidth Spanning Tree Protocol Up to four port

More information

Powered by Accton. ES Port Gigabit Web-Smart Switch. Management Guide.

Powered by Accton. ES Port Gigabit Web-Smart Switch. Management Guide. Powered by Accton ES4324 24-Port Gigabit Web-Smart Switch Management Guide www.edge-core.com Management Guide 24-Port Gigabit Web-Smart Switch with 24 1000BASE-T (RJ-45) Ports, and 4 Combination (RJ-45/SFP)

More information

3. What could you use if you wanted to reduce unnecessary broadcast, multicast, and flooded unicast packets?

3. What could you use if you wanted to reduce unnecessary broadcast, multicast, and flooded unicast packets? Nguyen The Nhat - Take Exam Exam questions Time remaining: 00: 00: 51 1. Which command will give the user TECH privileged-mode access after authentication with the server? username name privilege level

More information

EX Lite L3 Hardened Managed 24-port Gigabit and 4-port 1G/10G SFP+ Ethernet Switch SFP

EX Lite L3 Hardened Managed 24-port Gigabit and 4-port 1G/10G SFP+ Ethernet Switch SFP Lite L3 Hardened Managed 24-port Gigabit and 4-port 1G/10G SFP+ Ethernet Switch Reduced depth of 254mm NEMATS2 SFP Option Overview EtherWAN s Series provides a Hardened Full-Gigabit Managed 28-port switching

More information

24PORT STACKABLE SWITCH SF-0224FS

24PORT STACKABLE SWITCH SF-0224FS 24PORT STACKABLE SWITCH SF-0224FS Management Guide Stackable Fast Ethernet Switch with 24 10/100BASE-TX (RJ-45) Ports, 2 Gigabit Combination Ports (RJ-45/SFP), and 2 1000BASE-T/Stacking Ports Management

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) (11) 4062-6971 (21) 4062-6971 (31) 4062-6971 (41) 4062-6971 (48) 4062-6971 (51) 4062-6971 (61) 4062-6971 Cisco SRW224G4 24-Port 10/100 + 4-Port Gigabit Switch: WebView Cisco Small Business Managed Switches

More information

12-Port Intelligent Gigabit Ethernet Switch Management Guide

12-Port Intelligent Gigabit Ethernet Switch Management Guide 12-Port Intelligent Gigabit Ethernet Switch Management Guide Management Guide Guide 12-Port Layer 2 Switch Intelligent Gigabit Ethernet Switch with 8 10/100/1000BASE-T (RJ-45) Ports, and 4 Gigabit Combination

More information

Cisco SRW Port Gigabit Switch: WebView Cisco Small Business Managed Switches

Cisco SRW Port Gigabit Switch: WebView Cisco Small Business Managed Switches Cisco SRW2016 16-Port Gigabit Switch: WebView Cisco Small Business Managed Switches Secure, Reliable, Intelligent Switching for Small Businesses Highlights 16 high-speed ports optimized for the network

More information

Chapter 4 Configuring Switching

Chapter 4 Configuring Switching Chapter 4 Configuring Switching Using the Switching Tab The navigation tabs on the top of the home page include a Switching tab that lets you manage your GS108T Gigabit Smart Switch using features under

More information

TG-NET S5500 series switches are the next-generation enhanced IPv6 Layer 3 Core Switches. They adopt modular design, support up to four 10GB ports,

TG-NET S5500 series switches are the next-generation enhanced IPv6 Layer 3 Core Switches. They adopt modular design, support up to four 10GB ports, S5500 Series L3 10G Managed Switches Overview TG-NET S5500 series switches are the next-generation enhanced IPv6 Layer 3 Core Switches. They adopt modular design, support up to four 10GB ports, can achieve

More information

User Manual ES-5808PHG. Gigabit 8-Port 802.3at PoE Web Smart Switch

User Manual ES-5808PHG. Gigabit 8-Port 802.3at PoE Web Smart Switch User Manual ES-5808PHG Gigabit 8-Port 802.3at PoE Web Smart Switch Content Content I Introduction..3 Product Overview.3 Web Management Feature.3 Specification..4 Mechanical...4 Performance...5 Package

More information

Support STP/RSTP/MSTP, redundant links and IEEE 802.3ad Link Aggregation

Support STP/RSTP/MSTP, redundant links and IEEE 802.3ad Link Aggregation Enhanced Intelligent L2 Media Convertor is designed for Carrier Ethernet media transition, which provides cost-effective solutions for campus, enterprise, and residential access scenarios. The product

More information

Part number: Published: March Com Switch 4500 Family Configuration Guide

Part number: Published: March Com Switch 4500 Family Configuration Guide http://www.3com.com/ Part number: 10015003 Published: March 2006 3Com Switch 4500 Family Configuration Guide 3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright 2006, 3Com Corporation.

More information

48-Port 10/100Mbps + 4 Gigabit TP / 2 SFP Managed Switch

48-Port 10/100Mbps + 4 Gigabit TP / 2 SFP Managed Switch High-Density / Cost-effective / Powerful class Fast Ethernet solution for SMB / Enterprise Network The PLANET is 48-Port 10/100Mbps + 4 Gigabit TP / 2 SFP Managed Switch with advanced Web-based management

More information

IEC /IEEE 1613 Lite L3 Hardened Managed 24-port Gigabit SFP. 10GbE Connectivity Four 10G SFP+ for connecting the switch to the core network

IEC /IEEE 1613 Lite L3 Hardened Managed 24-port Gigabit SFP. 10GbE Connectivity Four 10G SFP+ for connecting the switch to the core network IEC 61850-3/IEEE 1613 Lite L3 Hardened Managed 24-port Gigabit and 4-port 1G/10G SFP+ Ethernet Switch NEMATS2 IEC 61850-3 IEEE 1613 SFP Option Overview EtherWAN s provides a Hardened Full-Gigabit Managed

More information

Cisco SRW208 8-Port 10/100 Ethernet Switch: WebView Cisco Small Business Managed Switches

Cisco SRW208 8-Port 10/100 Ethernet Switch: WebView Cisco Small Business Managed Switches Cisco SRW208 8-Port 10/100 Ethernet Switch: WebView Cisco Small Business Managed Switches Secure, Reliable, Intelligent Managed Switching for Your Small Business Highlights Connects up to eight network

More information

SD24GS. 24-Port Web Smart Gigabit Ethernet Switch. User s Manual

SD24GS. 24-Port Web Smart Gigabit Ethernet Switch. User s Manual SD24GS 24-Port Web Smart Gigabit Ethernet Switch User s Manual FCC Warning This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC

More information

PSGS-2610F L2+ Managed GbE PoE Switch

PSGS-2610F L2+ Managed GbE PoE Switch PSGS-2610F L2+ Managed GbE PoE Switch Overview PSGS-2610F L2+ Managed PoE+ Switch is a next-generation Ethernet Switch offering full suite of L2 features, better PoE functionality and usability, including

More information

8-Port 10/100Mbps + 2G TP / SFP Combo Managed Switch

8-Port 10/100Mbps + 2G TP / SFP Combo Managed Switch 8-Port 10/100Mbps + 2G TP / SFP Combo Managed Switch Full-Functioned / Robust Layer2 Features Layer 2 / Layer 4 Managed Switch for Enterprise and Campus Networking The PLANET is an 8-Port 10/100Mbps Fast

More information

Gigabit Network Switches

Gigabit Network Switches Network Transmission Gigabit Network Switches Layer 2 (Non-PoE) Layer 3 (PoE-at) OVERVIEW This Enterprise-Class Network Switch provides 24 Gigabit Ethernet ports with 4 shared 100/1000Mbps SFP slots. This

More information

SAE-PE QSFP-NMS

SAE-PE QSFP-NMS Type: SAE-PE242400-QSFP-NMS Technical Specification of SAE-PE242400-QSFP-NMS 24 POE ports & 24 port 10/100/1000 switch & 4 Gigabit fiber ports(sfps) PoE Switch with 24 PoE Ports and 4 Gigabit fiber Ports

More information

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev.

Management Software AT-S79. User s Guide. For use with the AT-GS950/16 and AT-GS950/24 Smart Switches. Version Rev. Management Software AT-S79 User s Guide For use with the AT-GS950/16 and AT-GS950/24 Smart Switches Version 1.0.0 613-000207 Rev. A Copyright 2005 Allied Telesyn, Inc. All rights reserved. No part of this

More information

GS-2610G L2+ Managed GbE Switch

GS-2610G L2+ Managed GbE Switch GS-2610G L2+ Managed GbE Switch Overview GS-2610G L2+ Managed Switch is a next-generation Ethernet Switch offering full suite of L2 features, including advanced L3 features such as Static Route that delivers

More information

CG-MSW2402TXR CG-MSW1601TXR コマンドリファレンス

CG-MSW2402TXR CG-MSW1601TXR コマンドリファレンス CG-MSW2402TXR CG-MSW1601TXR コマンドリファレンス CLI Reference Guide Y613-10993-02 Rev.A Table of Contents Table of Contents Preface... 10 Intended Audience...11 Document Conventions...11 Chapter 1.Using the CLI...

More information

Table of Contents. Chapter 1 Port Configuration Overview

Table of Contents. Chapter 1 Port Configuration Overview Table of Contents Table of Contents Chapter 1 Port Configuration Overview... 1-1 Chapter 2 Ethernet Port Configuration... 2-1 2.1 Ethernet Port Overview... 2-1 2.2 Ethernet Port Configuration... 2-1 2.2.1

More information

SYSTROME SG-500 Series

SYSTROME SG-500 Series SYSTROME SG-500 Series Full-gigabit Ethernet Switches Product Overview SYSTROME SG-500 Series is a new-generation smart access switch designed for carrier's IP MAN and enterprise networks. Based on the

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) Cisco SRW2008 8-Port Gigabit Switch: WebView Cisco Small Business Managed Switches High-performance, secure switching for small businesses Highlights Eight high-speed ports to support bandwidth-intensive

More information

Gigabit Managed Ethernet Switch

Gigabit Managed Ethernet Switch LGB1110A LGB1126A-R2 Product Data Sheet Gigabit Managed Ethernet Switch Features Overview LGB1110A The Gigabit Managed Ethernet Switches offer L2 features plus advanced L3 features such as Static Route

More information

Cisco Small Business Managed Switches

Cisco Small Business Managed Switches Cisco SRW208L 8-Port 10/100 Ethernet Switch: WebView/LX Uplink Cisco Small Business Managed Switches Secure, Reliable, Intelligent Switching for Small Businesses Highlights Connects up to eight network

More information

LSW GP8GC: 24 SFP Gigabit ports, 8 10/100/1000 BASE-T Ethernet ports (Combo) and two

LSW GP8GC: 24 SFP Gigabit ports, 8 10/100/1000 BASE-T Ethernet ports (Combo) and two Data Sheet DPtech LSW5600 Series DPtech LSW5600 Series Switches Product Interview The DPtech LSW5602 Series Switches which are designed for access and aggregation deployment. It is a new-generation line

More information

Part number: DUA1756-1BAA01 Published: September 2005 SuperStack 3 Switch 4500 Family Configuration Guide

Part number: DUA1756-1BAA01 Published: September 2005 SuperStack 3 Switch 4500 Family Configuration Guide http://www.3com.com/ Part number: DUA1756-1BAA01 Published: September 2005 SuperStack 3 Switch 4500 Family Configuration Guide 3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright

More information

Index. B Boot software 5-2 Bridging architecture 7-6 Broadcast filter 8-55 limiting 8-22 Buffer port 7-9 Syslog 8-17, 8-20

Index. B Boot software 5-2 Bridging architecture 7-6 Broadcast filter 8-55 limiting 8-22 Buffer port 7-9 Syslog 8-17, 8-20 Index Numerics 10/100 mode 8-27 1000BaseLx 7-10 1000BaseSx 7-10 1000BaseT 7-10 100BaseFx 7-10 100BaseFx Ports 7-10 100BaseTx 7-10 10BaseT 7-10 802.3x Gigabit negotiation 8-29 9304M Routing Switch 2-9 9308M

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) Cisco SRW2008MP 8-Port Gigabit Switch: WebView/Max PoE Cisco Small Business Managed Switches Secure, Reliable, Intelligent, Managed Gigabit Switching with PoE for Small Businesses Highlights Eight high-speed

More information

Cisco SGE Port Gigabit Switch Cisco Small Business Managed Switches

Cisco SGE Port Gigabit Switch Cisco Small Business Managed Switches Cisco SGE2000 24-Port Gigabit Switch Cisco Small Business Managed Switches High-Performance, Reliable, Stacking Switch for Small Businesses Highlights 24 high-speed ports optimized for the network core

More information

WGSW Data Sheet

WGSW Data Sheet 28-Port 10/100/Mbps with 4 Shared SFP Managed Switch PLANET introduces the latest Managed Gigabit Switch - that is perfectly designed for SMB and SOHO network construction. Besides the hot IPv6 / IPv4

More information

24 Gigabit Fiber Copper PoE and Stacking Switch Series. Network Transmission Products 24 Gigabit Fiber Copper PoE and Stacking Switch Series.

24 Gigabit Fiber Copper PoE and Stacking Switch Series. Network Transmission Products 24 Gigabit Fiber Copper PoE and Stacking Switch Series. Network Transmission Products 24 Gigabit Fiber Copper PoE and Stacking Switch Series Overview The GE Security GE-DSG / GE-DSSG series is a Layer 2+ managed gigabit switch designed to handle extremely large

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) (11) 4062-6971 (21) 4062-6971 (31) 4062-6971 (41) 4062-6971 (48) 4062-6971 (51) 4062-6971 (61) 4062-6971 Cisco SRW2024 24-Port Gigabit Switch: WebView Cisco Small Business Managed Switches Highly Secure,

More information

Highlights. Datasheet ISCOM2110EA-MA. comboo GE network. Network Security. control, & Management. Advanced QoS. U.S.A.

Highlights. Datasheet ISCOM2110EA-MA. comboo GE network. Network Security. control, & Management. Advanced QoS.  U.S.A. ISCOM2110EA-MAA Enhanced L2 Carrier Ethernet Access Switch ISCOM2110EA-MAA is designed for Carrier Ethernet access portfolio, which provides cost-effective solutions for campus, enterprise, and residential

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) (11) 4062-6971 (21) 4062-6971 (31) 4062-6971 (41) 4062-6971 (48) 4062-6971 (51) 4062-6971 (61) 4062-6971 Cisco SRW208P 8-Port 10/100 Ethernet Switch: WebView/PoE Cisco Small Business Managed Switches Highly

More information

IN-16POEGWM. User Manual. 16 Port Gigabit Ethernet + 4 Combo Gigabit SFP PoE Web Smart Switch

IN-16POEGWM. User Manual. 16 Port Gigabit Ethernet + 4 Combo Gigabit SFP PoE Web Smart Switch IN-16POEGWM User Manual 16 Port Gigabit Ethernet + 4 Combo Gigabit SFP PoE Web Smart Switch FCC Warning This Equipment has been tested and found to comply with the limits for a Class-A digital device,

More information

Command Guide of WGSW-28040

Command Guide of WGSW-28040 1 Command Guide of WGSW-28040 Contents Command Guide of WGSW-28040 Chapter 1 COMMAND LINE INTERFACE... 12 1.1 Accessing the CLI... 12 1.2 Command Line Modes... 12 1.3 Cammand Help... 13 1.4 Command Line

More information

ZCOMAX S2900 Series 10GE Switches

ZCOMAX S2900 Series 10GE Switches ZCOMAX S2900 Series 10GE Switches ZCOMAX S2900 Series 10GE Switches Product Overview ZCOMAX S2900 Series switches are new-generation smart access ones developed by ZCOMAX for carrier s IP MAN and enterprise

More information

AT-GS950/10PS Switch Web Interface User s Guide AT-S110 [ ]

AT-GS950/10PS Switch Web Interface User s Guide AT-S110 [ ] AT-GS950/10PS Gigabit Ethernet PoE+ Switch AT-GS950/10PS Switch Web Interface User s Guide AT-S110 [1.00.013] 613-001770 Rev A Copyright 2013 Allied Telesis, Inc. All rights reserved. No part of this publication

More information

24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP)

24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP) BGS-20DSFP4C Managed Fiber Switch 24-Port: 20 x (100/1000M) SFP + 4 x Combo (10/100/1000T or 100/1000M SFP) Key Features L2+ features provide better manageability, security, QOS, and performance IEEE 802.3az

More information

GS-1626G Web Smart+ GbE Switch

GS-1626G Web Smart+ GbE Switch GS-1626G Web Smart+ GbE Switch Overview GS-1626G Web Smart+ Managed Switch is a next-generation Ethernet Switch offering powerful L2 features and Layer 3 Static Route that delivers the cost-effectively

More information

Chapter 2 Using the Command Line Interface

Chapter 2 Using the Command Line Interface Chapter 2 Using the Command Line Interface The CLI is a text-based interface for configuring and monitoring HP Routing Switches. You can access the CLI can through either a direct serial connection to

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61) (11) 4062-6971 (21) 4062-6971 (31) 4062-6971 (41) 4062-6971 (48) 4062-6971 (51) 4062-6971 (61) 4062-6971 Cisco SRW208MP 8-Port 10/100 Ethernet Switch: WebView/Max PoE Cisco Small Business Managed Switches

More information

SEWM Series Industrial Ethernet Switch. Command Line Configuration Manual

SEWM Series Industrial Ethernet Switch. Command Line Configuration Manual SEWM Series Industrial Ethernet Switch Command Line Configuration Manual Copyright 2013 SYMANITRON LTD. All rights reserved. No part of this documentation may be excerpted, reproduced, translated, annotated

More information

Data Sheet. S5300 Series L2+ Static Routing 10G Switches. Data Sheet. TG-NET Botone Technology Co., Ltd

Data Sheet. S5300 Series L2+ Static Routing 10G Switches. Data Sheet. TG-NET Botone Technology Co., Ltd S5300 Series L2+ Static Routing 10G Switches TG-NET Botone Technology Co., Ltd Overview TG-NET S5300 series switches are L2+ 10G Switches which include four models: S5300-28G-4TF, S5300-32F-4TF, S5300-52G-4TF

More information

Datasheet. comboo GE network. Highlights. Network Security. control, & Management. Advanced QoS. U.S.A. Headquarters.

Datasheet. comboo GE network. Highlights. Network Security. control, & Management. Advanced QoS.  U.S.A. Headquarters. ISCOM2128EA-MAA Enhanced L2 Carrier Ethernet Access Switch ISCOM2128EA-MAA is designed for Carrier Ethernet access portfolio, which provides cost-effective solutions for campus, enterprise, and residential

More information

Gigabit Managed Ethernet Switch

Gigabit Managed Ethernet Switch LGB1110A LGB1152A Product Data Sheet Gigabit Managed Ethernet Switch LGB1110A OVERVIEW The Gigabit Managed Ethernet Switches offer L2 features plus advanced L3 features such as Static Route for Enterprise

More information

Gigabit Managed Ethernet Switch

Gigabit Managed Ethernet Switch LGB1110A LGB1126A-R2 LGB1152A Product Data Sheet Gigabit Managed Ethernet Switch FEATURES L2+ features make the switch easy to manage, provide robust security, and QoS. Offers a built-in device management

More information

16-Port Industrial Gigabit Web Smart DIN-Rail Switch TI-G160WS (v1.0r)

16-Port Industrial Gigabit Web Smart DIN-Rail Switch TI-G160WS (v1.0r) 16-Port Industrial Gigabit Web Smart DIN-Rail Switch TI-G160WS (v1.0r) 16 x Gigabit ports 32Gbps switching capacity Hardened IP30 rated metal housing Includes DIN-rail mounting bracket Operating temperature

More information

Gigabit Network Switches

Gigabit Network Switches Network Transmission Gigabit Network Switches Layer 2 (Non-PoE) Layer 3 (PoE-at) OVERVIEW This Enterprise-Class Network Switch provides 24 Gigabit Ethernet ports with 4 shared 100/1000Mbps SFP slots. This

More information

CISCO SRW208MP-EU SWITCH 8 x 10/100 PoE /100/1000 mini-gbic porttia, WebView/ Max PoE

CISCO SRW208MP-EU SWITCH 8 x 10/100 PoE /100/1000 mini-gbic porttia, WebView/ Max PoE CISCO SRW208MP-EU SWITCH 8 x 10/100 PoE + 2 10/100/1000 mini-gbic porttia, WebView/ Max PoE Specifications Ports 8 RJ-45 connectors for 10BASE-T and 100BASE-TX, 2 RJ-45 connectors for 10BASE-T/100BASE-

More information

LSW6600 are the industry's highest performance 1U stackable data center switch, featuring with 1.28Tbps

LSW6600 are the industry's highest performance 1U stackable data center switch, featuring with 1.28Tbps Data Sheet DPtech LSW6600 Series DPtech LSW6600 Series Switch Overview DPtech LSW6600 series are next generation high-density Gigabit Ethernet switch products released by DPtech for data centers. LSW6600

More information

Powered by Accton. ES3528M ES3552M Fast Ethernet Switch. Management Guide.

Powered by Accton. ES3528M ES3552M Fast Ethernet Switch. Management Guide. Powered by Accton ES3528M ES3552M Fast Ethernet Switch Management Guide www.edge-core.com Management Guide Fast Ethernet Switch Layer 2 Workgroup Switch with 24/48 10/100BASE-T (RJ-45) Ports, and 4 Combination

More information

T PCT. Smart PoE Switch REV

T PCT. Smart PoE Switch REV T1500-28PCT Smart PoE Switch REV1.0.0 1910011255 COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO., LTD. Other brands and

More information

ZyXEL ES-3124F V3.80(AIV.2)C0 Release Note/Manual Supplement

ZyXEL ES-3124F V3.80(AIV.2)C0 Release Note/Manual Supplement ZyXEL ES-3124F V3.80(AIV.2)C0 Release Note/Manual Supplement Date: May 10, 2010 This document describes the features in the ES-3124F product for its 3.80(AIV.2)C0 release. Support Platforms: ZyXEL ES-3124F

More information

IEC /IEEE1613 Managed 24-port 10/100BASE and 4-port Gigabit Ethernet Switch with SFP options

IEC /IEEE1613 Managed 24-port 10/100BASE and 4-port Gigabit Ethernet Switch with SFP options Industrial Managed Ethernet Switches IEC61850-3/IEEE1613 Managed 24-port 10/100BASE and 4-port Gigabit Ethernet Switch with SFP options IEC 61850-3 Overview EtherWAN s provides an Industrial Fully Managed

More information

TL-SL2210/TL-SL2218/TL-SL2428/TL-SL2452. Smart Switch REV

TL-SL2210/TL-SL2218/TL-SL2428/TL-SL2452. Smart Switch REV TL-SL2210/TL-SL2218/TL-SL2428/TL-SL2452 Smart Switch REV1.2.1 1910011603 COPYRIGHT & TRADEMARKS Specifications are subject to change without notice. is a registered trademark of TP-LINK TECHNOLOGIES CO.,

More information

25-Port Fast Ethernet Switch

25-Port Fast Ethernet Switch TigerSwitch 10/100 25-Port Fast Ethernet Switch 24 10BASE-T/100BASE-TX ports and 1 MMF 100BASE-FX port Optional 100BASE-FX or 1000BASE-X modules 8.8 Gbps aggregate bandwidth Non-blocking switching architecture

More information

SW24MGSFP 10/100/1000 Mbps + 2 Gb SFP Web Smart Ethernet Switch User Manual Version 1.0 (January 2011)

SW24MGSFP 10/100/1000 Mbps + 2 Gb SFP Web Smart Ethernet Switch User Manual Version 1.0 (January 2011) SW24MGSFP 10/100/1000 Mbps + 2 Gb SFP Web Smart Ethernet Switch User Manual Version 1.0 (January 2011) TABLE OF CONTENTS PACKING LIST... 1 PRODUCT OVERVIEW... 3 FEATURES... 3 HARDWARE INSTALLATION... 4

More information

Quidway S3900 Series Intelligent and Resilient Switches Product Specification

Quidway S3900 Series Intelligent and Resilient Switches Product Specification Quidway S3900 Series Intelligent and Resilient Switches Product Specification Port Configuration S3928P-SI / S3928P-EI / S3928P-PWR-EI S3928TP-SI S3952P-SI / S3952P-EI / S3952P-PWR-EI S3928F-EI Fixed ports

More information

Overview Powerful All-port 10Gbps Solution for Enterprise Core Networks Layer 3 10Gigabit static routing 16 SFP+ fiber 320Gbps switching fabric

Overview Powerful All-port 10Gbps Solution for Enterprise Core Networks Layer 3 10Gigabit static routing 16 SFP+ fiber 320Gbps switching fabric Overview Powerful All-port 10Gbps Solution for Enterprise Core Networks This Layer 3 Stackable Managed Gigabit Switch provides high-density performance via its Layer 3 10Gigabit static routing with 16

More information

Chapter 3 Command List

Chapter 3 Command List Chapter 3 Command List This chapter lists all the commands in the CLI. The commands are listed in two ways: All commands are listed together in a single alphabetic list. See Complete Command List on page

More information

H3C S9500 Series Routing Switches

H3C S9500 Series Routing Switches Command Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: T2-08194S-20081225-C-1.24 Product Version: S9500-CMW310-R1648 Copyright 2007-2008, Hangzhou H3C Technologies Co., Ltd.

More information

Cisco IOS Commands for the Catalyst 4500 Series Switches

Cisco IOS Commands for the Catalyst 4500 Series Switches CHAPTER 2 Cisco IOS Commands for the Catalyst 4500 Series Switches This chapter contains an alphabetical listing of Cisco IOS commands for the Catalyst 4500 series switches. For information about Cisco

More information

ES Port Managed Gigabit Switch with 4 SFP ports

ES Port Managed Gigabit Switch with 4 SFP ports ES220-28 28-Port Managed Gigabit Switch with 4 SFP ports Overview With the increasing number of wired and wireless network device, the SOARNEX SOAR series, ES220-28, provides a cost-effective solution

More information

SOLO NETWORK (11) (21) (31) (41) (48) (51) (61)
