Alcatel-Lucent 6600 User Manual

Part No. 031729-00, Rev. A June 2005
OmniSwitch 6600 Family
OmniSwitch 7700/7800
OmniSwitch 8800
User Guide Supplement
www.alcatel.com
This user guide documents OmniSwitch 6600 Family, OmniSwitch 7700/7800, and OmniSwitch 8800
hardware and software.
The information described in this guide is subject to change without notice.
Copyright © 2005 by Alcatel Internetworking, Inc. All rights reserved. This document may not be reproduced in whole or in part without the express written permission of Alcatel Internetworking, Inc.
Alcatel® and the Alcatel logo are registered trademarks of Alcatel. Xylan®, OmniSwitch®, OmniStack®, and Alcatel OmniVista® are registered trademarks of Alcatel Internetworking, Inc.
OmniAccess™, Omni Switch/Router™, PolicyView™, RouterView™, SwitchManager™, VoiceView™, WebView™, X-Cell™, X-Vision™, and the Xylan logo are trademarks of Alcatel Internetworking, Inc.
This OmniSwitch product contains components which may be covered by one or more of the following U.S. Patents:
U.S. Patent No. 6,339,830
U.S. Patent No. 6,070,243
U.S. Patent No. 6,061,368
U.S. Patent No. 5,394,402
U.S. Patent No. 6,047,024
U.S. Patent No. 6,314,106
U.S. Patent No. 6,542,507
26801 West Agoura Road
Calabasas, CA 91301
(818) 880-3500 FAX (818) 880-3505
info@ind.alcatel.com
US Customer Support—(800) 995-2696
International Customer Support—(818) 878-4507
Internet—http://eservice.ind.alcatel.com
ii Release 5.1.6.R02 User Guide Supplement June 2005

Contents

Chapter 1 User Documentation Addendum ...........................................................................1-1
OmniSwitch CLI Reference Guide .................................................................................1-1
Chapter 40, “High Availability VLAN Commands” ...............................................1-1
mac-address-table port-mac vlan mac ...............................................................1-2
vlan port-mac bandwidth ..........................................................................................1-3
Chapter 42, “802.1X Commands” ............................................................................1-5
802.1x guest-vlan .....................................................................................................1-6
802.1x supp-polling retry .........................................................................................1-8
show 802.1x non-supp ............................................................................................1-10
Chapter 22, “IP Commands” ..................................................................................1-11
OmniSwitch 7700/7800/8800 Network Configuration Guide ......................................1-11
Chapter 13, “Configuring IP” .................................................................................1-11
New Section, page 13-9 ...................................................................................1-11
Configuring a Loopback0 Interface .................................................................1-11
Chapter 22, “Configuring 802.1X” ........................................................................1-12
Quick Steps for Configuring 802.1X ...............................................................1-12
New Section, page 22-7 ...................................................................................1-13
Guest VLANs for Non-802.1x Supplicants .....................................................1-14
New Section, page 22-11 .................................................................................1-14
Configuring a Guest VLAN ............................................................................1-14
Chapter 28, “Configuring High Availability VLANs” ..........................................1-15
OmniSwitch 7700/7800/8800 Advanced Routing Configuration Guide ......................1-15
Chapter 2, “Configuring BGP” ..............................................................................1-15
New Section, page 2-29 ...................................................................................1-15
Configuring a BGP Peer with the Loopback0 Interface ..................................1-15
OmniSwitch 6600 Family Network Configuration Guide ............................................1-16
Chapter 21, “Configuring 802.1X” ........................................................................1-16
Quick Steps for Configuring 802.1X ...............................................................1-16
New Section, page 21-5 ...................................................................................1-17
Guest VLANs for Non-802.1x Supplicants .....................................................1-17
New Section, page 21-10 .................................................................................1-18
Configuring a Guest VLAN ............................................................................1-18
Chapter 2 IPv6 Commands ..........................................................................................................2-1
ipv6 interface ............................................................................................................2-3
ipv6 address ..............................................................................................................2-6
ipv6 interface tunnel source destination ...................................................................2-8
ipv6 dad-check .........................................................................................................2-9
ipv6 hop-limit .........................................................................................................2-10
ipv6 pmtu-lifetime ..................................................................................................2-11
ipv6 host .................................................................................................................2-12
ipv6 neighbor ..........................................................................................................2-13
ipv6 prefix ..............................................................................................................2-14
ipv6 route ................................................................................................................2-16
ping6 .......................................................................................................................2-17
traceroute6 ..............................................................................................................2-19
debug ipv6 packet ...................................................................................................2-21
debug ipv6 trace-category ......................................................................................2-24
show ipv6 hosts ......................................................................................................2-26
show ipv6 icmp statistics ........................................................................................2-27
show ipv6 interface ................................................................................................2-30
show ipv6 pmtu table .............................................................................................2-35
clear ipv6 pmtu table ..............................................................................................2-37
show ipv6 neighbors ...............................................................................................2-38
clear ipv6 neighbors ...............................................................................................2-40
show ipv6 prefixes .................................................................................................2-41
show ipv6 routes .....................................................................................................2-43
show ipv6 tcp ports ................................................................................................2-45
show ipv6 traffic .....................................................................................................2-47
clear ipv6 traffic .....................................................................................................2-50
show ipv6 tunnel ....................................................................................................2-51
show ipv6 udp ports ...............................................................................................2-53
ipv6 load rip ...........................................................................................................2-55
ipv6 rip status .........................................................................................................2-56
ipv6 rip invalid-timer .............................................................................................2-57
ipv6 rip garbage-timer ............................................................................................2-58
ipv6 rip holddown-timer .........................................................................................2-59
ipv6 rip jitter ...........................................................................................................2-60
ipv6 rip route-tag ....................................................................................................2-61
ipv6 rip update-interval ..........................................................................................2-62
ipv6 rip triggered-sends ..........................................................................................2-63
ipv6 rip interface ....................................................................................................2-64
ipv6 rip interface metric .........................................................................................2-66
ipv6 rip interface recv-status ..................................................................................2-67
ipv6 rip interface send-status ..................................................................................2-68
ipv6 rip interface horizon .......................................................................................2-69
ipv6 rip debug-level ...............................................................................................2-70
ipv6 rip debug-type ................................................................................................2-71
show ipv6 rip ..........................................................................................................2-73
show ipv6 rip interface ...........................................................................................2-75
show ipv6 rip peer ..................................................................................................2-78
show ipv6 rip routes ...............................................................................................2-80
show ipv6 rip debug ...............................................................................................2-83
Chapter 3 Configuring High Availability VLANs ...................................................................3-1
In This Chapter ................................................................................................................3-1
High Availability VLANs Specifications .......................................................................3-2
High Availability Default Values ....................................................................................3-2
Quick Steps for Creating High Availability VLANs ......................................................3-3
High Availability VLAN Overview ................................................................................3-5
Ingress and Egress Traffic Flows .............................................................................3-6
High Availability Firewall Clusters .........................................................................3-6
Traditional Firewall Implementation .................................................................3-7
Configuring High Availability VLANs on a Switch .......................................................3-8
Creating and Deleting VLANs .................................................................................3-9
Creating a VLAN ..............................................................................................3-9
Deleting a VLAN ............................................................................................3-10
Assigning and Removing Ingress Ports .................................................................3-10
Assigning Ingress Ports ...................................................................................3-10
Removing Ingress Ports ...................................................................................3-11
Assigning and Removing Egress Ports ..................................................................3-12
Assigning Egress Ports ....................................................................................3-12
Removing Egress Ports ....................................................................................3-12
Assigning and Removing MAC Addresses ............................................................3-13
Assigning MAC Addresses .............................................................................3-13
Removing MAC Addresses .............................................................................3-14
Configuring Inter-switch Ports for HA VLANs .....................................................3-14
Configuring the Flood Queue Bandwidth ..............................................................3-15
Application Example 1: Firewall Cluster ......................................................................3-16
Application Example 2: Inter-Switch HA VLANs .......................................................3-17
Displaying High Availability VLAN Status and Statistics ...........................................3-19
1 User Documentation Addendum
This chapter includes information that should be added to or changed in the 5.1.6 release of the set of user guides for the OmniSwitch 6600 Family, OmniSwitch 7700/7800, and OmniSwitch 8800.

OmniSwitch CLI Reference Guide

The following modifications should be made:

IPv6 Commands

Please refer to Chapter 2, “IPv6 Commands,” in this addendum for CLI commands pertaining to IPv6.

Chapter 40, “High Availability VLAN Commands”

On page 40-2 the following two bullet items should be added to the Usage Guidelines section for the vlan port-mac ingress-port command:
• Note that removing the last ingress/egress port from an HA VLAN is not allowed. Deleting the VLAN is required when there is only one ingress/egress port left in the VLAN.
• All HA VLAN related ports must first belong to the same default VLAN before they are configured as ingress, egress, or inter-switch ports for the HA VLAN.
On page 40-3 the MIB Objects section for the vlan port-mac ingress-port command should be replaced with the following:
vlanHAPortTable
  vlanHAPortVlanId
  vlanHAPortType
  vlanHAPortIfIndex
On page 40-4 the following two bullet items should be added to the Usage Guidelines section for the vlan port-mac egress-port command:
• Note that removing the last ingress/egress port from an HA VLAN is not allowed. Deleting the VLAN is required when there is only one ingress/egress port left in the VLAN.
• All HA VLAN related ports must first belong to the same default VLAN before they are configured as ingress, egress, or inter-switch ports for the HA VLAN.
On page 40-5 the MIB Objects section for the vlan port-mac egress-port command should be replaced with the following:
vlanHAPortTable
  vlanHAPortVlanId
  vlanHAPortType
  vlanHAPortIfIndex
mac-address-table port-mac vlan mac
On page 40-6 the following bullet should be added to the Usage Guidelines section for the mac-address-table port-mac vlan mac command:
• Note that removing the last MAC address from an HA VLAN is not allowed. Deleting the VLAN is required when there is only one MAC address left.
On page 40-7 the following MIB information should be added to the MIB Objects section for the mac-address-table port-mac vlan mac command:
vlanHAPortVlanId
The following new command should be included in this chapter:
vlan port-mac bandwidth
Configures the bandwidth for the ingress flood queue associated with high availability (HA) VLANs.
vlan vid port-mac bandwidth mbps
Syntax Definitions
vid An existing HA VLAN ID number (1–4094).
mbps Bandwidth value for the specified HA VLAN flood queue (1mbps – 1000mbps).
Defaults
By default, the flood queue bandwidth for an HA VLAN is set to 15 mbps.
Platforms Supported
OmniSwitch 7700, 7800, 8800
Usage Guidelines
• The VLAN ID specified with this command must be the ID for an HA VLAN. An HA VLAN contains at least one ingress or egress port and one MAC address.
• The ingress flood queue is created when the first HA VLAN is configured on the switch, and deleted when the last HA VLAN is removed from the switch.
Examples
-> vlan 10 port-mac bandwidth 50
-> vlan 200 port-mac bandwidth 1000
Release History
Release 5.1.6; command was introduced.
Related Commands
vlan port-mac ingress-port Adds and removes ingress ports from an HA VLAN.
vlan port-mac egress-port Adds and removes egress ports from an HA VLAN.
mac-address-table port-mac vlan mac Adds and removes MAC addresses from an HA VLAN.
MIB Objects
vlanTable
  vlanNumber
  vlanHABandwidth
On page 40-9 and 40-10 the Examples section for the show mac-address-table port-mac command should be replaced with the following:
-> show mac-address-table port-mac
Port mac configuration for vlan 10
Bandwidth : 15 MB/sec
Ingress Port list:
3/5 3/7
Egress Port list:
3/9 3/6
Mac Address list:
00:DA:95:3C:44:55 00:13:14:34:5E:78 01:23:45:C1:17:21
Port mac configuration for vlan 20
Bandwidth : 15 MB/sec
Ingress Port list:
1/4 8/2
Egress Port list:
4/9 4/6
Mac Address list:
00:11:22:33:44:05 07:23:14:34:31:25 00:23:45:67:43:04
-> show mac-address-table port-mac vlan 10
Port mac configuration for vlan 10
Bandwidth : 15 MB/sec
Ingress Port list:
3/5 3/7
Egress Port list:
3/9 3/6
Mac Address list:
00:DA:95:3C:44:55 00:13:14:34:5E:78 01:23:45:C1:17:21
On page 40-10 the following new field definition should be added to the Output Definitions table for the show mac-address-table port-mac command:
Bandwidth The bandwidth size for the HA VLAN ingress flood queue. You can change this value with the vlan port-mac bandwidth command.
On page 40-10 the following line should be added to the Release History section for the show mac-address-table port-mac command:
Release 5.1.6; bandwidth field added.
On page 40-10 the MIB Objects section for the show mac-address-table port-mac command should be replaced with the following:
vlanHAPortTable
  vlanHAPortVlanId
  vlanHAPortType
  vlanHAPortIfIndex
slMacToPortMacTable
  vlanHAPortVlanId
  slMacToPortMacAddress
vlanTable
  vlanNumber

Chapter 42, “802.1X Commands”

On page 42-11 replace the Examples section for the show 802.1x command with the following:
-> show 802.1x 1/13
802.1x configuration for slot 1 port 13:
direction = both,
operational directions = both,
port-control = auto,
quiet-period (seconds) = 60,
tx-period (seconds) = 30,
supp-timeout (seconds) = 30,
server-timeout (seconds) = 30,
max-req = 2,
re-authperiod (seconds) = 3600,
reauthentication = no
Guest Vlan ID = 20,
Supplicant polling retry count = 2
On page 42-12 the following two new field definitions should be added to the Output Definitions table for the show 802.1x command:
Guest VLAN ID
Indicates if a guest VLAN is configured for non-802.1x traffic received on the port. If so, a VLAN ID number appears in this field. Configured through the 802.1x guest-vlan command. This field does not appear on an OmniSwitch 6800.
Supplicant polling retry count
The number of times a device is polled for EAP frames to determine whether or not the device is an 802.1x client. Configured through the 802.1x supp-polling retry command. This field does not appear on an OmniSwitch 6800.
On page 42-13 the following MIB information should be added to the MIB Objects section for the show 802.1x command:
alaDot1xGuestVlanConfTable
  alaDot1xGuestVlanNumber
  alaDot1xSuppPollingCnt
The following three new commands should be included in this chapter:
802.1x guest-vlan
Configures a guest VLAN for an 802.1x port. When non-802.1x traffic is received on the specified port, it is assigned to the guest VLAN.
802.1x slot/port guest-vlan {vid | disable}
Syntax Definitions
slot The slot number of the 802.1x port.
port The 802.1x port number.
vid The VLAN ID number that will serve as a guest VLAN for the 802.1x port.
disable Disables the guest VLAN functionality for the 802.1x port.
Defaults
By default a guest VLAN is not configured for 802.1x ports.
Platforms Supported
OmniSwitch 6624, 6648, 7700, 7800, 8800
Usage Guidelines
• If a guest VLAN is already configured for the specified 802.1x port, the existing VLAN ID is overwritten with the new value. For example, if VLAN 10 is configured as a guest VLAN for 802.1x port 10/24 and this command is entered specifying VLAN 20, then VLAN 20 becomes the new guest VLAN for the port.
• Using the disable parameter also removes the guest VLAN association from the 802.1x port. The functionality is enabled again when a new guest VLAN is configured.
• The guest VLAN option is only available for 802.1x ports operating in the auto mode.
• Only one guest VLAN per 802.1x port is allowed.
• The VLAN ID specified with this command must already exist. VLANs are created using the vlan command.
• Note that on an OmniSwitch 6624/6648, non-802.1x clients learned on the guest VLAN are dropped if an 802.1x client successfully accesses the same port.
Examples
-> 802.1x 3/1 guest-vlan 5
-> 802.1x 3/1 guest-vlan disable
Release History
Release 5.1.6; command was introduced.
Related Commands
802.1x Configures 802.1X parameters on a particular slot/port.
802.1x supp-polling retry Configures the number of times a device is polled for EAP frames.
show 802.1x Displays information about ports configured for 802.1X.
show 802.1x non-supp Displays non-802.1x devices learned on the switch and their guest VLAN assignments.
MIB Objects
alaDot1xGuestVlanConfTable
alaDot1xGuestVlanNumber
802.1x supp-polling retry
Configures the number of times to poll a device for EAP frames to determine whether or not the device is an 802.1x client.
802.1x slot/port supp-polling retry retries
Syntax Definitions
slot The slot number of the 802.1x port.
port The 802.1x port number.
retries The number of times a device is polled for EAP frames (1–99).
Defaults
By default, the number of retries is set to 2.
Platforms Supported
OmniSwitch 6624, 6648, 7700, 7800, 8800
Usage Guidelines
• The polling interval is 0.5 seconds between each retry.
• If no EAP frames are received from a device connected to an 802.1x port, the device is considered a non-802.1x client (non-supplicant).
• If a guest VLAN is configured on the 802.1x port, the non-802.1x client is assigned to the guest VLAN. If a guest VLAN does not exist, the device is blocked from accessing the 802.1x port.
Examples
-> 802.1x 3/1 supp-polling retry 5
-> 802.1x 3/1 supp-polling retry 10
Release History
Release 5.1.6; command was introduced.
Related Commands
802.1x guest-vlan Configures a guest VLAN to carry non-802.1x traffic that is received on an 802.1x port.
show 802.1x Displays information about ports configured for 802.1X.
show 802.1x non-supp Displays non-802.1x devices learned on the switch and their guest VLAN assignments.
MIB Objects
alaDot1xGuestVlanConfTable
alaDot1xSuppPollingCnt
show 802.1x non-supp
Displays a list of all non-802.1x supplicants learned on all 802.1x ports.
show 802.1x non-supp [slot/port]
Syntax Definitions
slot The slot of the port for which you want to display information.
port The port for which you want to display 802.1X information.
Defaults
N/A.
Platforms Supported
OmniSwitch 6624, 6648, 7700, 7800, 8800
Usage Guidelines
If you do not specify a particular slot/port, all non-802.1x supplicants associated with all 802.1X ports are displayed.
Examples
->show 802.1x non-supp
Slot   MAC                Vlan
Port   Address            Learned
-----+-----------------+----------
3/1    00:61:4f:11:22:33  2
3/1    00:61:4f:44:55:66  2
3/1    00:61:4f:77:88:99  2
3/3    00:61:22:15:22:33  5
3/3    00:61:22:44:75:66  5
->show 802.1x non-supp 3/3
Slot   MAC                Vlan
Port   Address            Learned
-----+-----------------+----------
3/3    00:61:22:15:22:33  5
3/3    00:61:22:44:75:66  5
output definitions
Slot/Port
The 802.1X slot and port number that provides access to the non-802.1x device.
MAC Address
The source MAC address of the non-802.1x device connected to the 802.1x port.
VLAN Learned
The VLAN ID of the guest VLAN in which the source MAC address of the non-802.1x device was learned.
Release History
Release 5.1.6; command was introduced.
Related Commands
show 802.1x Displays information about ports configured for 802.1X.
MIB Objects
alaDot1xPortTable
  alaDot1xNonSupplicantSlotNum
  alaDot1xNonSupplicantPortNum
  alaDot1xNonSupplicantMACAddress
  alaDot1xNonSupplicantVlanID
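The show 802.1x non-supp display lists every device that reached a guest VLAN without authenticating, so it is a natural input for a periodic audit. The following Python sketch is an added example, not part of the Alcatel guide: it parses output in the layout shown above and compares it with a baseline. The names parse_non_supp, audit_non_supp, the baseline mapping and the inventory set are assumptions, and the sample text is constructed.

```python
import re

# Constructed sample in the layout of "show 802.1x non-supp". The last row is
# deliberately placed on VLAN 7 so the audit has something to report.
SAMPLE_OUTPUT = """\
->show 802.1x non-supp
Slot   MAC                Vlan
Port   Address            Learned
-----+-----------------+----------
3/1    00:61:4f:11:22:33  2
3/1    00:61:4f:44:55:66  2
3/3    00:61:22:15:22:33  5
3/3    00:61:22:44:75:66  7
"""

# One data row: slot/port, MAC address, VLAN learned. Header, separator and
# prompt lines do not match and are skipped.
ROW = re.compile(
    r"^\s*(\d+/\d+)\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\d+)\s*$"
)


def parse_non_supp(text):
    """Return a list of (slot_port, mac, vlan) tuples from the CLI output."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            port, mac, vlan = match.groups()
            rows.append((port, mac.lower(), int(vlan)))
    return rows


def audit_non_supp(rows, guest_vlan_by_port, approved_macs):
    """Compare learned non-supplicants with a baseline (both are assumptions).

    guest_vlan_by_port: {"3/1": 2, ...} guest VLAN intended for each port.
    approved_macs: MAC addresses of known non-802.1x devices (printers etc.).
    Returns a list of (slot_port, mac, reason) findings.
    """
    approved = {mac.lower() for mac in approved_macs}
    findings = []
    for port, mac, vlan in rows:
        expected = guest_vlan_by_port.get(port)
        if expected is None:
            findings.append((port, mac, "port has no guest VLAN in the baseline"))
        elif vlan != expected:
            findings.append(
                (port, mac, f"learned on VLAN {vlan}, baseline guest VLAN is {expected}")
            )
        if mac not in approved:
            findings.append((port, mac, "MAC not in approved non-802.1x inventory"))
    return findings


if __name__ == "__main__":
    baseline = {"3/1": 2, "3/3": 5}
    inventory = {"00:61:4F:11:22:33", "00:61:4f:44:55:66", "00:61:22:15:22:33"}
    for finding in audit_non_supp(parse_non_supp(SAMPLE_OUTPUT), baseline, inventory):
        print("  ".join(finding))
```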

Chapter 22, “IP Commands”

On page 22-6 the following bullet should be added to the Usage Guidelines section for the ip interface command:
• To create an IP interface for network management purposes, specify Loopback0 (case sensitive) as the name of the interface. The Loopback0 interface is not bound to any VLAN, so it will always remain operationally active.

OmniSwitch 7700/7800/8800 Network Configuration Guide

The following modifications should be made:

Chapter 13, “Configuring IP”

New Section, page 13-9
The following section should be added to page 13-9:
Configuring a Loopback0 Interface
Loopback0 is the name assigned to an IP interface to identify a consistent address for network management purposes. The Loopback0 interface is not bound to any VLAN, so it will always remain operationally active. This differs from other IP interfaces in that if there are no active ports in the VLAN, all IP interfaces associated with that VLAN are not active. In addition, the Loopback0 interface provides a unique IP address for the switch that is easily identifiable to network management applications.
This type of interface is created in the same manner as all other IP interfaces, using the ip interface command. To identify a Loopback0 interface, enter Loopback0 for the interface name. For example, the following command creates the Loopback0 interface with an IP address of 10.11.4.1:
-> ip interface Loopback0 address 10.11.4.1
Note the following when configuring the Loopback0 interface:
• The interface name, “Loopback0”, is case sensitive.
• The admin parameter is the only configurable parameter supported with this type of interface.
• The Loopback0 interface is always active and available.
• Only one Loopback0 interface per switch is allowed.
• Creating this interface does not deduct from the total number of IP interfaces allowed per VLAN or switch.
Loopback0 Address Advertisement
The Loopback0 IP interface address is automatically advertised by the IGP protocols RIP and OSPF when the interface is created. There is no additional configuration necessary to trigger advertisement with these protocols.
Note the following regarding Loopback0 advertisement:
• RIP advertises the host route to the Loopback0 IP interface as a redistributed (directhost) route.
• OSPF advertises the host route to the Loopback0 IP interface in its Router-LSAs (as a Stub link) as an internal route into all its configured areas.
Configuring a BGP Peer Session with Loopback0
It is possible to create BGP peers using the Loopback0 IP interface address of the peering router and binding the source (i.e., outgoing IP interface for the TCP connection) to its own configured Loopback0 interface. The Loopback0 IP interface address can be used for both Internal and External BGP peer sessions. For EBGP sessions, if the External peer router is multiple hops away, the ebgp-multihop parameter may need to be used.
The following example command configures a BGP peering session using a Loopback0 IP interface address:
-> ip bgp neighbor 2.2.2.2 update-source Loopback0
See the OmniSwitch 7700/7800/8800 Advanced Routing Configuration Guide for more information.

Chapter 22, “Configuring 802.1X”

Quick Steps for Configuring 802.1X
On page 22-3 the following two new steps should be added to this section:
6 (Optional) Configure a guest VLAN for the 802.1x port using the 802.1x guest-vlan command.
-> 802.1x 3/1 guest-vlan 5
7 (Optional) Configure the number of times supplicant devices are polled for identification using the 802.1x supp-polling retry command.
-> 802.1x 3/1 supp-polling retry 10
On page 22-3 of this section replace the Note information about how to display 802.1x configuration and user information with the following:
Note. Verify the 802.1X port configuration using the show 802.1x command:
-> show 802.1x 1/13
802.1x configuration for slot 1 port 13:
direction = both,
operational directions = both,
port-control = auto,
quiet-period (seconds) = 60,
tx-period (seconds) = 30,
supp-timeout (seconds) = 30,
server-timeout (seconds) = 30,
max-req = 2,
re-authperiod (seconds) = 3600,
reauthentication = no
Guest Vlan ID = 20,
Supplicant polling retry count = 2
Optional. To display the number of 802.1x users on the switch, use the show 802.1x users command:
->show 802.1x users
Slot   MAC                 Port                  User
Port   Address             State                 Name
-----+------------------+--------------------+--------------------------
3/1    00:60:4f:11:22:33   Connecting            user50
3/1    00:60:4f:44:55:66   Held                  user51
3/1    00:60:4f:77:88:99   Authenticated         user52
3/3    00:60:22:15:22:33   Force-authenticated   N/A
3/3    00:60:22:44:75:66   Force-authenticated   N/A
3/3    00:60:22:37:98:09   Force-authenticated   N/A
Optional. To display the number of non-802.1x users learned on the switch, use the show 802.1x non-supp command:
->show 802.1x non-supp
Slot   MAC                Vlan
Port   Address            Learned
-----+-----------------+----------
3/1    00:61:4f:11:22:33  2
3/1    00:61:4f:44:55:66  2
3/1    00:61:4f:77:88:99  2
3/3    00:61:22:15:22:33  5
3/3    00:61:22:44:75:66  5
See the OmniSwitch CLI Reference Guide for information about the fields in this display.
New Section, page 22-7
The following section should be added to page 22-7:
Guest VLANs for Non-802.1x Supplicants
For those supplicants that are not 802.1x devices—do not send/receive EAP frames—an optional guest VLAN feature is available to allow traffic from these devices on an 802.1x port. If the user-defined guest VLAN is not available, then traffic from a non-802.1x device is dropped.
The switch determines whether or not a device is an 802.1x supplicant by sending EAP-Request/Identity frames on the 802.1x port every 0.5 seconds for a configurable number of times. If no EAP frames are received from a device after the specified number of attempts, the device is determined to be a non-802.1x supplicant and is learned on the guest VLAN configured for that port. If no guest VLAN is available, then the non-802.1x supplicant is blocked from accessing the 802.1x port and no further attempts are made to solicit EAP frames from the device.
Note the following when using guest VLANs:
802.1x supplicants that fail authentication are not eligible for guest VLAN access. This type of VLAN access is only for those devices identified as non-802.1x supplicants that have not made any attempt to authenticate.
Once a non-802.1x supplicant is learned on a guest VLAN, it is no longer eligible for Group Mobility classification and assignment.
If a non-802.1x supplicant device becomes 802.1x capable when it is a member of a guest VLAN, upon authentication the device is automatically moved from the guest VLAN to the appropriate 802.1x specified VLAN. Disconnecting the device from the 802.1x port is not required in this scenario.
If an authenticated 802.1x supplicant becomes non-802.1x capable, the device is moved to an existing guest VLAN after the device is rebooted.
By default a guest VLAN is not configured on an 802.1x port. For information about how to configure a guest VLAN, see “Configuring a Guest VLAN” on page 1-14. For information about how to set the number of times an unknown device is polled for identification, see “Configuring the Supplicant Polling Retry Count” on page 1-15.
New Section, page 22-11
The following section should be added to page 22-11:
Configuring a Guest VLAN
To configure a guest VLAN for an 802.1x port, use the 802.1x guest-vlan command with the relevant slot/port number and specify an existing VLAN ID. For example:
-> 802.1x 3/1 guest-vlan 5
This command associates guest VLAN 5 with 802.1x port 3/1. When a non-802.1x supplicant is identified on this port, the source MAC address of the supplicant is learned in VLAN 5. This MAC address is then aged according to the aging timer value for VLAN 5.
To remove a guest VLAN from an 802.1x port, use the disable option with the 802.1x guest-vlan command. Note that it is not necessary to specify the guest VLAN ID with this command. For example:
-> 802.1x 3/1 guest-vlan disable
Note the following when configuring a guest VLAN:
The guest VLAN option is only available for 802.1x ports operating in the auto mode.
Only one guest VLAN is allowed per 802.1x port.
The VLAN ID specified must already exist in the switch configuration. Use the vlan command to create a VLAN before configuring it as an 802.1x guest VLAN.
If a guest VLAN is already configured for the specified 802.1x port when the 802.1x guest-vlan command is used, the existing VLAN ID is overwritten with the new value.
Configuring the Supplicant Polling Retry Count
To configure the number of times the switch polls an unknown device connected to an 802.1x port, use the 802.1x supp-polling retry command. For example,
-> 802.1x 3/1 supp-polling retry 10
If after the number of polling attempts specified the device has not responded with EAP frames, then the device is learned as a non-802.1x supplicant in a guest VLAN. If a guest VLAN was not configured for the 802.1x port, the device is blocked from accessing that port and no other attempts are made to solicit EAP frames from the device.
Note that the polling interval is set to 0.5 seconds between each retry and is not configurable at this time.

Chapter 28, “Configuring High Availability VLANs”

Replace all the contents of Chapter 28 with the contents of Chapter 3, “Configuring High Availability VLANs,” in this addendum.

OmniSwitch 7700/7800/8800 Advanced Routing Configuration Guide

The following modifications should be made:

Chapter 2, “Configuring BGP”

New Section, page 2-29
The following section should be added to page 2-29:
Configuring a BGP Peer with the Loopback0 Interface
Loopback0 is the name assigned to an IP interface to identify a consistent address for network management purposes. The Loopback0 interface is not bound to any VLAN, so it will always remain operationally active. This differs from other IP interfaces in that if there are no active ports in the VLAN, all IP interfaces associated with that VLAN are not active. In addition, the Loopback0 interface provides a unique IP address for the switch that is easily identifiable to network management applications.
It is possible to create BGP peers using the Loopback0 IP interface address of the peering router and binding the source (i.e., outgoing IP interface for the TCP connection) to its own configured Loopback0 interface. The Loopback0 IP interface address can be used for both Internal and External BGP peer sessions. For EBGP sessions, if the External peer router is multiple hops away, the ebgp-multihop parameter may need to be used.
The following example command configures a BGP peering session using a Loopback0 IP interface address:
-> ip bgp neighbor 2.2.2.2 update-source Loopback0
See the OmniSwitch 7700/7800/8800 Network Configuration Guide for more information about configuring an IP Loopback0 interface.

OmniSwitch 6600 Family Network Configuration Guide

The following modifications should be made:

Chapter 21, “Configuring 802.1X”

Quick Steps for Configuring 802.1X
On page 21-3 the following two new steps should be added to this section:
6 (Optional) Configure a guest VLAN for the 802.1x port using the 802.1x guest-vlan command.
-> 802.1x 3/1 guest-vlan 5
7 (Optional) Configure the number of times supplicant devices are polled for identification using the 802.1x supp-polling retry command.
-> 802.1x 3/1 supp-polling retry 10
On page 22-3 of this section replace the Note information about how to display 802.1x configuration and user information with the following:
Note. Verify the 802.1X port configuration using the show 802.1x command:
-> show 802.1x 1/13
802.1x configuration for slot 1 port 13:
direction = both,
operational directions = both,
port-control = auto,
quiet-period (seconds) = 60,
tx-period (seconds) = 30,
supp-timeout (seconds) = 30,
server-timeout (seconds) = 30,
max-req = 2,
re-authperiod (seconds) = 3600,
reauthentication = no
Guest Vlan ID = 20,
Supplicant polling retry count = 2
Optional. To display the number of 802.1x users on the switch, use the show 802.1x users command:
->show 802.1x users
Slot  MAC                Port                 User
Port  Address            State                Name
-----+------------------+--------------------+-------------------------
3/1   00:60:4f:11:22:33  Connecting           user50
3/1   00:60:4f:44:55:66  Held                 user51
3/1   00:60:4f:77:88:99  Authenticated        user52
3/3   00:60:22:15:22:33  Force-authenticated  N/A
3/3   00:60:22:44:75:66  Force-authenticated  N/A
3/3   00:60:22:37:98:09  Force-authenticated  N/A
Optional. To display the number of non-802.1x users learned on the switch, use the show 802.1x non-supp command:
->show 802.1x non-supp
Slot  MAC               Vlan
Port  Address           Learned
-----+-----------------+----------
3/1   00:61:4f:11:22:33 2
3/1   00:61:4f:44:55:66 2
3/1   00:61:4f:77:88:99 2
3/3   00:61:22:15:22:33 5
3/3   00:61:22:44:75:66 5
See the OmniSwitch CLI Reference Guide for information about the fields in this display.
New Section, page 21-5
The following section should be added to page 21-5:
Guest VLANs for Non-802.1x Supplicants
For those supplicants that are not 802.1x devices—do not send/receive EAP frames—an optional guest VLAN feature is available to allow traffic from these devices on an 802.1x port. If the user-defined guest VLAN is not available, then traffic from a non-802.1x device is dropped.
The switch determines whether or not a device is an 802.1x supplicant by sending EAP-Request/Identity frames on the 802.1x port every 0.5 seconds for a configurable number of times. If no EAP frames are received from a device after the specified number of attempts, the device is determined to be a non-802.1x supplicant and is learned on the guest VLAN configured for that port. If no guest VLAN is available, then the non-802.1x supplicant is blocked from accessing the 802.1x port and no further attempts are made to solicit EAP frames from the device.
Note the following when using guest VLANs:
Non-802.1x clients learned on a guest VLAN are dropped if an 802.1x client successfully authenticates on the same port. This is due to a one VLAN per port restriction (either 802.1x VLAN or guest VLAN assignment but not both). As a result, using a hub connection to provide access for multiple users to an 802.1x port is not recommended.
802.1x supplicants that fail authentication are not eligible for guest VLAN access. This type of VLAN access is only for those devices identified as non-802.1x supplicants that have not made any attempt to authenticate.
Once a non-802.1x supplicant is learned on a guest VLAN, it is no longer eligible for Group Mobility classification and assignment.
If a non-802.1x supplicant device becomes 802.1x capable when it is a member of a guest VLAN, upon authentication the device is automatically moved from the guest VLAN to the appropriate 802.1x specified VLAN. Disconnecting the device from the 802.1x port is not required in this scenario.
If an authenticated 802.1x supplicant becomes non-802.1x capable, the device is moved to an existing guest VLAN after the device is rebooted.
By default a guest VLAN is not configured on an 802.1x port. For information about how to configure a guest VLAN, see “Configuring a Guest VLAN” on page 1-14. For information about how to set the number of times an unknown device is polled for identification, see “Configuring the Supplicant Polling Retry Count” on page 1-15.
New Section, page 21-10
The following section should be added to page 21-10:
Configuring a Guest VLAN
To configure a guest VLAN for an 802.1x port, use the 802.1x guest-vlan command with the relevant slot/port number and specify an existing VLAN ID. For example:
-> 802.1x 3/1 guest-vlan 5
This command associates guest VLAN 5 with 802.1x port 3/1. When a non-802.1x supplicant is identified on this port, the source MAC address of the supplicant is learned in VLAN 5. This MAC address is then aged according to the aging timer value for VLAN 5.
To remove a guest VLAN from an 802.1x port, use the disable option with the 802.1x guest-vlan command. Note that it is not necessary to specify the guest VLAN ID with this command. For example:
-> 802.1x 3/1 guest-vlan disable
Note the following when configuring a guest VLAN:
The guest VLAN option is only available for 802.1x ports operating in the auto mode.
Only one VLAN is allowed per 802.1x port. If a client successfully authenticates on the port, all guest VLAN users are dropped.
The VLAN ID specified must already exist in the switch configuration. Use the vlan command to create a VLAN before configuring it as an 802.1x guest VLAN.
If a guest VLAN is already configured for the specified 802.1x port when the 802.1x guest-vlan command is used, the existing VLAN ID is overwritten with the new value.
Configuring the Supplicant Polling Retry Count
To configure the number of times the switch polls an unknown device connected to an 802.1x port, use the 802.1x supp-polling retry command. For example,
-> 802.1x 3/1 supp-polling retry 10
If after the number of polling attempts specified the device has not responded with EAP frames, then the device is learned as a non-802.1x supplicant in a guest VLAN. If a guest VLAN was not configured for the 802.1x port, the device is blocked from accessing that port and no other attempts are made to solicit EAP frames from the device.
Note that the polling interval is set to 0.5 seconds between each retry and is not configurable at this time.
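A guest VLAN admits devices that never authenticate, so the show 802.1x users and show 802.1x non-supp displays described in both 802.1X sections above are worth auditing together. The following is an added example, not code from the Alcatel documentation: it compares guest-VLAN MAC addresses against an inventory of devices expected to lack a supplicant and reports ports that carry both an authenticated supplicant and guest-VLAN MACs. The column spacing, the inventory set and the function names are assumptions; the sample rows come from the example displays on this page.

```python
import re
from collections import defaultdict

# Rows copied from the page's sample displays; the column spacing is a
# reconstruction (assumption), so the parser keys on tokens, not offsets.
USERS_OUTPUT = """\
Slot  MAC                Port                 User
Port  Address            State                Name
-----+------------------+--------------------+--------
3/1   00:60:4f:11:22:33  Connecting           user50
3/1   00:60:4f:44:55:66  Held                 user51
3/1   00:60:4f:77:88:99  Authenticated        user52
3/3   00:60:22:15:22:33  Force-authenticated  N/A
"""
NON_SUPP_OUTPUT = """\
Slot  MAC               Vlan
Port  Address           Learned
-----+-----------------+----------
3/1   00:61:4f:11:22:33 2
3/1   00:61:4f:44:55:66 2
3/3   00:61:22:15:22:33 5
"""
# Hypothetical inventory (constructed): devices known to have no supplicant.
EXPECTED_NON_SUPP = {"00:61:22:15:22:33"}

ROW = re.compile(
    r"^\s*(\d+/\d+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\S+)(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)

def parse_rows(text):
    """Return (slot/port, mac, col3, col4) per data row; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3), m.group(4)))
    return rows

def audit(users_text, non_supp_text, expected):
    """Flag unexpected guest-VLAN MACs and ports mixing both kinds of client."""
    authed_ports = {port for port, _, state, _ in parse_rows(users_text)
                    if state == "Authenticated"}
    guest_by_port = defaultdict(list)
    unexpected = []
    for port, mac, vlan, _ in parse_rows(non_supp_text):
        guest_by_port[port].append(mac)
        if mac not in expected:
            unexpected.append((port, mac, int(vlan)))
    # A port in both displays has several devices behind it (for example a
    # hub), the arrangement the 6600 notes above advise against.
    mixed = sorted(p for p in guest_by_port if p in authed_ports)
    return {"unexpected_guest_macs": unexpected, "mixed_ports": mixed}

if __name__ == "__main__":
    print(audit(USERS_OUTPUT, NON_SUPP_OUTPUT, EXPECTED_NON_SUPP))
```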

2 IPv6 Commands

This chapter details Internet Protocol Version 6 (IPv6) commands for the switch (including RIPng commands). IPv6 (documented in RFC 2460) is designed as a successor to IPv4. The changes from IPv4 to IPv6 fall primarily into the following categories:
Expanded Routing and Addressing Capabilities - IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler auto-configuration of addresses. The scalability of multicast routing is improved by adding a "scope" field to multicast addresses.
Header Format Simplification - Some IPv4 header fields were dropped or made optional, to reduce the common-case processing cost of packet handling and to keep the bandwidth cost of the IPv6 header as low as possible despite the increased size of the addresses. Even though the IPv6 addresses are four times longer than the IPv4 addresses, the IPv6 header is only twice the size of the IPv4 header.
Anycast Addressing - A new type of address called an "anycast address" is defined, to identify sets of nodes where a packet sent to an anycast address is delivered to one of the nodes. The use of anycast addresses in the IPv6 source route allows nodes to control the path over which their traffic flows.
Improved Support for Options - Changes in the way IP header options are encoded allow for more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future.
Authentication and Privacy Capabilities - IPv6 includes the definition of extensions which provide support for authentication, data integrity, and confidentiality. This is included as a basic element of IPv6 and will be included in all implementations.
IPv6 is supported on 6600/7700/7800/8800 series switches running software Release 5.1.6 and up.
MIB information for the IPv6 and RIPng commands is as follows:
Filename: Ipv6.mib Module: Ipv6-MIB, Ipv6-TCP-MIB, Ipv6-UDP-MIB
Filename: AlcatelIND1Ipv6.mib Module: alcatelIND1IPv6MIB
Filename: AlcatelIND1Ripng.mib Module: alcatelIND1RipngMIB
A summary of the IPv6 commands is listed here:
IPv6
    ipv6 interface
    ipv6 address
    ipv6 hop-limit
    ipv6 interface tunnel source destination
    ipv6 hop-limit
    ipv6 pmtu-lifetime
    ipv6 host
    ipv6 neighbor
    ipv6 prefix
    ipv6 route
    ping6
    traceroute6
    debug ipv6 packet
    debug ipv6 trace-category
    show ipv6 hosts
    show ipv6 icmp statistics
    show ipv6 interface
    show ipv6 pmtu table
    clear ipv6 pmtu table
    clear ipv6 neighbors
    show ipv6 prefixes
    show ipv6 routes
    show ipv6 tcp ports
    show ipv6 traffic
    clear ipv6 traffic
    show ipv6 tunnel
    show ipv6 udp ports
IPv6 RIP
    ipv6 load rip
    ipv6 rip status
    ipv6 rip invalid-timer
    ipv6 rip garbage-timer
    ipv6 rip holddown-timer
    ipv6 rip jitter
    ipv6 rip route-tag
    ipv6 rip update-interval
    ipv6 rip triggered-sends
    ipv6 rip interface metric
    ipv6 rip interface recv-status
    ipv6 rip interface send-status
    ipv6 rip interface horizon
    ipv6 rip debug-level
    ipv6 rip debug-type
    show ipv6 rip
    show ipv6 rip interface
    show ipv6 rip peer
    show ipv6 rip routes
    show ipv6 rip debug
ipv6 interface
Configures an IPv6 interface on a VLAN or IPv6 tunnel.
ipv6 interface if_name [vlan vid | tunnel {tid | 6to4}] [enable | disable] [mtu size] [ra-send {yes | no}] [ra-max-interval interval] [ra-managed-config-flag {true | false}] [ra-other-config-flag {true | false}] [ra-reachable-time time] [ra-retrans-timer time] [ra-default-lifetime time | no ra-default-lifetime] [ra-send-mtu] {yes | no}
no ipv6 interface if_name
Syntax Definitions
if_name IPv6 interface name.
vlan Creates a VLAN interface.
vid VLAN ID number.
tunnel Creates a tunnel interface.
tid Tunnel ID number.
6to4 Enables 6to4 tunneling.
mtu size Maximum Transmission Unit for the interface.
ra-send Specifies whether the router advertisements are sent on this interface.
ra-max-interval interval Maximum time, in seconds, allowed between the transmission of unsolicited multicast router advertisements in this interface. The range is 4 - 1,800.
ra-managed-config-flag Value to be placed in the managed address configuration flag field in router advertisements sent on this interface.
ra-other-config-flag Value to be placed in the other stateful configuration flag in router advertisements sent on this interface.
ra-reachable-time time Value, in milliseconds, to be placed in the reachable time field in router advertisements sent on this interface. The range is 0 - 3,600,000. The special value of zero indicates that this time is unspecified by the router.
ra-retrans-timer time Value, in milliseconds, to be placed in the retransmit timer field in router advertisements sent on this interface. The value zero indicates that the time is unspecified by the router.
ra-default-lifetime time Value, in seconds, to be placed in the router lifetime field in router advertisements sent on this interface. The time must be zero or between the value of “ra-max-interval” and 9,000 seconds. A value of zero indicates that the router is not to be used as a default router. The “no ra-default-lifetime” option will calculate the value using the formula (3 * ra-max-interval).
enable | disable Administratively enable or disable the interface.
ra-send-mtu Specifies whether the MTU option is included in the router advertisements sent on the interface.
Defaults
parameter default
ra-send yes
ra-max-interval 600
ra-managed-config-flag false
ra-reachable-time 0
ra-retrans-timer 0
ra-default-lifetime no
ra-send-mtu no
Platforms Supported
OmniSwitch 6624, 6648, 7700, 7800, 8800
Usage Guidelines
When you create an IPv6 interface it is enabled by default.
Use the “no” form of the command to delete an interface.
All IPv6 VLAN and tunnel interfaces must have a name.
When creating an IPv6 interface you must specify a VLAN ID, Tunnel ID, or 6to4. When modifying or deleting an interface, you do not need to specify one of these options unless the name assigned to the interface is being changed. If it is present with a different value from when the interface was created, the command will be in error.
A 6to4 interface cannot send advertisements (ra-send).
To enable IPv6 routing you must first create a VLAN, then create an IPv6 interface on the VLAN. See Chapter 21, “VLAN Management Commands,” for information on creating VLANs.
To route IPv6 traffic over an IPv4 network, you must create an IPv6 tunnel using the ipv6 interface tunnel source destination command.
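The syntax definitions and usage guidelines above impose several constraints that interact, in particular the router lifetime that depends on ra-max-interval. The following is an added example, not part of the Alcatel documentation: a pre-deployment check that parses an ipv6 interface command line, reports violations of the documented ranges and returns the router lifetime that would be advertised. The function names and the interface names used in the comments are hypothetical, and when ra-max-interval is absent from the command the check assumes the documented default of 600 seconds is still in force.

```python
RA_MAX_INTERVAL_DEFAULT = 600  # seconds, from the Defaults table on this page

def _num(opts, key, problems):
    """Integer value of an option, or None if absent or not numeric."""
    val = opts.get(key)
    if val is None:
        return None
    if not val.isdigit():
        problems.append(f"{key}: '{val}' is not a non-negative integer")
        return None
    return int(val)

def check_ipv6_interface(cmd, creating=True):
    """Return (problems, effective router lifetime in seconds)."""
    tok = cmd.split()
    if len(tok) < 3 or tok[:2] != ["ipv6", "interface"]:
        return ["not an 'ipv6 interface if_name ...' command"], None
    opts, problems, i = {}, [], 3          # tok[2] is if_name
    while i < len(tok):
        if tok[i] in ("enable", "disable"):
            opts["admin"] = tok[i]
            i += 1
        elif tok[i:i + 2] == ["no", "ra-default-lifetime"]:
            opts.pop("ra-default-lifetime", None)   # fall back to 3 * max
            i += 2
        elif i + 1 < len(tok):
            opts[tok[i]] = tok[i + 1]               # every other option has a value
            i += 2
        else:
            problems.append(f"option '{tok[i]}' has no value")
            i += 1
    if creating and "vlan" not in opts and "tunnel" not in opts:
        problems.append("creation needs vlan <vid>, tunnel <tid> or tunnel 6to4")
    if opts.get("tunnel") == "6to4" and opts.get("ra-send") == "yes":
        problems.append("a 6to4 interface cannot send router advertisements")
    max_int = _num(opts, "ra-max-interval", problems)
    if max_int is None:
        max_int = RA_MAX_INTERVAL_DEFAULT           # assumption: default in force
    elif not 4 <= max_int <= 1800:
        problems.append("ra-max-interval must be 4 - 1,800 seconds")
    reach = _num(opts, "ra-reachable-time", problems)
    if reach is not None and reach > 3_600_000:
        problems.append("ra-reachable-time must be 0 - 3,600,000 ms")
    life = _num(opts, "ra-default-lifetime", problems)
    if life is None:
        life = 3 * max_int                          # the "no" form / default
    elif life != 0 and not max_int <= life <= 9000:
        problems.append("ra-default-lifetime must be 0 or between "
                        "ra-max-interval and 9,000 seconds")
    return problems, life

if __name__ == "__main__":
    # Constructed command: lifetime shorter than ra-max-interval is rejected.
    print(check_ipv6_interface(
        "ipv6 interface v6if-v200 vlan 200 ra-max-interval 100 ra-default-lifetime 50"))
```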