Alcatel-Lucent OMNISTACK LS 6200 User Manual

Part No. 060202-10 , Rev. D June 2007

Alcatel OS-LS-6200

User Guide

www.alcatel.com

An Alcatel service agreement brings your company the assurance of 7x24 no-excuses technical support. You’ll also receive regular software updates to maintain and maximize your Alcatel product’s features and functionality and on-site hardware replacement through our global network of highly qualified service delivery partners. Additionally, with 24-hour-a-day access to Alcatel’s Service and Support web page, you’ll be able to vi ew and update any case (open or clos ed) that you have reported to Alcatel’s technical support, open a new case or access helpful release notes, technical bulletins, and manuals. For more information on Alcatel’s Service Programs, see our web page at www.ind.alcatel.com, call us at 1-800-995-2696, or email us at support@ind.alcatel.com.

This Manual documents Alcatel 6200 hardware and software.

The functionality described in this Manual is subject to change without notice.

Alcatel OmniSwitch SwitchExpert are trademarks of their respective companies.

and the Alcatel logo are registered trademarks of Compagnie Financiére Alcatel, Paris, France.

and OmniStack® are registered trademarks of Alcatel Internetworking, Inc. Omni Switch/Router™,

, the Xylan logo are trademarks of Alcatel Internetworking, Inc. All other brand and product names

26801 West Agoura Road

Calabasas, CA 91301

(818) 880-3500 FAX (818) 880-3505

info@ind.alcatel.com

US Customer Support-(800) 995-2696

International Customer Support-(818) 878-4507

Internet-http://eservice.ind.alcatel.com

Warning

This equipment has been tested and found to comply with the limits for Class A digital device pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions in this guide, may cause interference to radio communications. Operation of this equipment in a residential area is likely to cause interference, in which case the user will be required to correct the interference at his own expense.

The user is cautioned that changes and modifications made to the equipment without approval of the manufacturer could void the user’s authority to operate this equipment. It is suggested that the user use only shielded and grounded cables to ensure compliance with FCC Rules.

This digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the radio interference regulations of the Canadian department of communications.

Le present appareil numerique níemet pas de bruits radioelectriques depassant les limites applicables aux appareils numeriques de la Class A prescrites dans le reglement sur le brouillage radioelectrique edicte par le ministere des communications du Canada.

Utilice sólo adaptadores con las siguientes características eléctricas y que estén debidamente certificados de acuerdo a la legislación vigente. El uso de otros adaptadores podría dañar el dispositivo y anular la garantía además de provocar riesgos al usuario.

OS-LS-6224P AC100/115/220/230V; 50/60Hz; 2.0/1.7/0.9/ OS-LS-6248P AC100/115/220/230V; 50/60Hz; 4.0/3.4/1.8/ OS-LS-6224 AC 100/115/220/230V; 50/60Hz; 0.4/0.4/0.2/ OS-LS-6248 AC100/115/220/230V; 50/60Hz; 0.6/0.6/0.4/ OS-LS-6224U AC 100/115/220/230V 50/60Hz 1.0/1.0/0.5/

Adaptador:

OS-LS-6224P OS-LS-62BP-P 3Y Power OS-LS-6248P OS-LS-62BP-P Alcatel OS-LS-6248 OS-LS-62BP-DC & OS-LS-62BP Accton & 3Y Power OS-LS-6224 OS-LS-62BP-DC & OS-LS-62BP Accton & 3Y Power

Características de entrada: Características de salida:

0.9A; Clase I

1.8A; Clase I

0.2A; Clase I

0.4A; Clase I

0.5A Clase I

Modelo: Marca comercial:

DC 12V, 4.0A; -50V, 3.6A DC 12V, 7.5A; -50V, 7.5A DC 12V, 4.5A DC 12V, 4.5A DC 12V , 4.5A

Contents

Chapter 1: Introduction 1

Key Features ........................................................................................................1

Description of Software Features .........................................................................3

System Defaults .............................................................. ... ................................. .9

Chapter 2: Initial Configuration 13

General Configuration Information .....................................................................14

Auto-Negotiation 15

Device Port Default Settings 15

Booting the Switch ..............................................................................................16

Configuration Overview ......................................................................................18

Initial Configuration .............................................................................................18

Static IP Address and Subnet Mask 18

User Name 19

SNMP Community Strings 19

Advanced Configuration .....................................................................................21

Retrieving an IP Address From a DHCP Server 21

Receiving an IP Address From a BOOTP Server 22

Security Management and Password Configuration ..........................................23

Configuring Security Passwords Introduction 23

Configuring an Initial Console Password 24

Configuring an Initial Telnet Password 24

Configuring an Initial SSH password 24

Configuring an Initial HTTP Password 25

Configuring an initial HTTPS Password 25

Software Download and Reboot .........................................................................25

Software Download through XModem 25

Software Download Through TFTP Server 26

Boot Image Download 27

Startup Menu Functions .....................................................................................28

Chapter 3: Configuring the Switch 33

Using the Web Interface .....................................................................................33

Navigating the Web Browser Interface ...............................................................33

Home Page 33

Configuration Options 34

Panel Display 35

Main Menu 35

Managing Device Information ............................................................................. 36

Managing Stacking .............................................................................................37

Understanding the Stack Topology 38

Stacking Failover Topology 38

Contents

Stacking Members and Unit ID 38 Removing and Replacing Stacking Members 39 Exchanging Stacking Members 40 Switching between the Stacking Master and the Secondary Master 40 Configuring Stacking 41 Resetting the Stack 42

Managing System Logs ......................................................................................43

Enabling System Logs 43 Viewing Memory Logs 45 Viewing the Device FLASH Logs 47 Remote Log Configuration 48

Configuring SNTP ................................................................. ..............................51

Polling for Unicast Time Information 51 Polling for Anycast Time Information 51 Polling For Broadcast Time Information 52 Defining SNTP Global Settings 52 Defining SNTP Authentication 53 Defining SNTP Servers 54 Defining SNTP Interface Settings 56

Configuring System Time ...................................................................................57

Configuring Daylight Savings Time 57

Managing System Files ......................................................................................61

Downloading System Files 62 Uploading System Files 64 Copying Files 65

Active Image 66

TCAM Resources ...............................................................................................67

Configuring Interfaces .........................................................................................69

Configuring Interface Connections 69

Creating Trunks (LAGs) 72

Configuring LACP 73

Displaying Port Statistics ................................................ ... .................................75

Interface Statistics 76

Etherlike Statistics 77

Configuring IP Information ..................................................................................80

Defining IP Addresses 80

Defining Default Gateways 81

Configuring DHCP 82

Configuring ARP 83

Configuring Domain Name Service ....................................................................85

Configuring General DNS Server Parameters 86

Configuring Static DNS Host to Address Entries 87

Configuring SNMP ....................................................... ... ... .................................88

Enabling SNMP 89

Defining SNMP Users 90

Contents

Defining SNMP Group Profiles 92 Defining SNMP Views 93 Defining SNMP Communities 95 Defining SNMP Notification Recipients 96 Defining SNMP Notification Global Parameters 98 Defining SNMP Notification Filters 100

Configuring User Authentication .......................................................................101

Defining Local Users Passwords 101 Defining Line Passwords 102 Defining Enable Passwords 103

Configuring Authentication Methods ................................................................104

Defining Access Profiles 104 Defining Profile Rules 107 Defining Authentication Profiles 109 Mapping Authentication Methods 112 Defining TACACS+ Methods 114 Defining RADIUS Settings 115

Managing RMON Statistics ..............................................................................118

Viewing RMON Statistics 118 Defining RMON History Control 120 Viewing the RMON History Table 121 Defining RMON Events Control 124 Viewing the RMON Events Logs 125 Defining RMON Alarms 126

Alcatel Mapping Adjacency Protocol (AMAP) ...................................................128

Configuring AMAP 128 Viewing Adjacent Devices 130

Configuring LLDP .............................................................................................131

Defining LLDP Port Settings 132 Defining Media Endpoint Discovery Network Policy 133 Defining LLDP MED Port Settings 134 Viewing the LLDP Neighbor Information 135 Viewing Neighbor Information Details 136

Managing Power-over-Ethernet Devices .......................................................... 139

Defining PoE System Information 139 Defining PoE Interfaces 140

Device Diagnostic Tests ...................................................................................142

Configuring Port Mirroring 142 Viewing Integrated Cable Tests 144 Viewing Optical Transceivers 145 Viewing Device Health 147

Configuring Traffic Control ...............................................................................149

Enabling Storm Control 149 Configuring Port Security 151

802.1X Port-Based Authentication ...................................................................153

vii

Contents

Advanced Port-Based Authentication 154

Defining Network Authentication Properties 155

Defining Port Authentication 157

Modify Port Authentication Page 158

Configuring Multiple Hosts 160

Defining Authentication Hosts 162

Viewing EAP Statistics 164

Defining Access Control Lists ...........................................................................167

Configuring Access Control Lists 167

Binding Device Security ACLs 168

Defining IP Based Access Control Lists 169

Defining MAC Based Access Control Lists 171

DHCP Snooping ...............................................................................................173

DHCP Snooping Properties 174

Defining DHCP Snooping on VLANs 175

Defining Trusted Interfaces 176

Binding Addresses to the DHCP Snooping Database 177

Configuring Option 82 .......................................................................................178

Dynamic ARP Inspection ..................................................................................179

ARP Inspection Properties 180

ARP Inspection Trusted Interface Settings 181

Defining ARP Inspection List 182

Assigning ARP Inspection VLAN Settings 183

IP Source Guard ...............................................................................................184

Configuring IP Source Guard Properties 185

Defining IP Source Guard Interface Settings 185

Adding Interfaces to the IP Source Guard Database 186

Defining the Forwarding Database ...................................................................188

Defining Static Forwarding Database Entries 188

Defining Dynamic Forwarding Database Entries 189

Configuring Spanning Tree ...............................................................................191

Defining Spanning Tree 192

Defining STP on Interfaces 194

Defining Rapid Spanning Tree 197

Defining Multiple Spanning Tree 199

Defining MSTP Instance Settings 200

Defining MSTP Interface Settings 201

Configuring VLANs .......................................................................... ... .. ............204

Assigning Ports to VLANs 204

Tagged/Untagged VLANs 206

Displaying Basic VLAN Information 206

Defining VLAN Membership 207

Defining VLAN Interface Settings 210

Defining Customer Mapping for Multicast TV 211

Mapping CPE VLANs 212

viii

Contents

Defining VLAN Groups ...................................... ... .. ..................................... .....213

Configuring MAC Based VLAN Groups 213 Configuring Subnet Based VLAN Groups 214 Configuring Protocol Based VLAN Groups 215 Mapping Groups to VLANs 216 Defining GARP 217 Defining GVRP 219 Viewing GVRP Statistics 220

Multicast Filtering ............................................................................................223

Defining IGMP Snooping 223 Specifying Static Interfaces for a Multicast Group 225 Displaying Interfaces Attached to a Multicast Router 227 Configuring Multicast TV 228

Defining Multicast TV Membership 229

Configuring Triple Play .....................................................................................230

Configuring Quality of Service ..........................................................................231

Access Control Lists 232

Mapping to Queues 233

QoS Modes 234

Enabling QoS 235

Defining Global Queue Settings 236

Defining Bandwidth Settings 237

Configuring VLAN Rate Limit 239

Mapping CoS Values to Queues 240

Mapping DSCP Values to Queues 241

Defining Basic QoS Settings 242

Defining QoS DSCP Rewriting Settings 243

Defining QoS DSCP Mapping Settings 244

Defining QoS Class Maps 245

Defining Policies 246

Defining Tail Drop 248

Viewing the Policy Table 248

Viewing Policy Bindings 250

Chapter 4: Command Line Interface 253

Using the Command Line Interface ..................................................................253

Accessing the CLI 253

Console Connection 253

Telnet Connection 253

Entering Commands .........................................................................................255

Keywords and Arguments 255

Minimum Abbreviation 255

Command Completion 255

Getting Help on Commands 255

Contents

Partial Keyword Lookup 257 Negating the Effect of Commands 257 Using Command History 257 Understanding Command Modes 257 Exec Commands 258 Configuration Commands 258 Command Line Processing 259

Command Groups ................................. ... ........................................................261

802.1x Commands .................................... ........................................................263

aaa authentication dot1x 264 dot1x system-auth-control 265 dot1x port-control 266 dot1x re-authentication 267 dot1x timeout re-authperiod 268 dot1x re-authenticate 269 dot1x timeout quiet-period 269 dot1x timeout tx-period 270 dot1x max-req 271 dot1x timeout supp-timeout 272 dot1x timeout server-timeout 273 show dot1x 274 show dot1x users 277 show dot1x statistics 279 ADVANCED FEATURES 281 dot1x auth-not-req 281 dot1x multiple-hosts 282 dot1x single-host-violation 283 dot1x guest-vlan 284 dot1x guest-vlan enable 285 dot1x mac-authentication 285 show dot1x advanced 2 86

AAA Commands ...............................................................................................288

aaa authentication login 288 aaa authentication enable 290 login authentication 291 enable authentication 292 ip http authentication 293 ip https authentication 294 show authentication methods 294 password 296 enable password 296 username 297 show users accounts 298

ACL Commands ...............................................................................................300

ip-access-list 300

Contents

permit (ip) 301 deny (IP) 304 mac access-list 306 permit (MAC) 307 deny (MAC) 308 service-acl 310 show access-lists 310 show interfaces access-lists 311

Address Table Commands ...................................................... .........................313

bridge address 314 bridge multicast filtering 315 bridge multicast address 316 bridge multicast forbidden address 317 bridge multicast forward-all 318 bridge multicast forbidden forward-all 319 bridge aging-time 320 clear bridge 320 port security 321 port security mode 321 port security max 322 port security routed secure-address 323 show bridge address-table 324 show bridge address-table static 325 show bridge address-table count 326 show bridge multicast address-table 327 show bridge multicast address-table static 328 show bridge multicast filtering 329 show ports security 330 show ports security addresses 331

LLDP Commands .............................................................................................333

lldp optional-tlv 333 lldp med enable 334 lldp med network-policy (global) 334 lldp med network-policy (interface) 335 lldp med location 335 clear lldp rx 336 show lldp configuration 337 show lldp med configuration 337 show lldp local 338 show lldp neighbors 340

AMAP Commands ................................................ ............................................345

amap enable 345 amap discovery time 346 amap common time 346 show amap 346

Contents

Clock Commands .............................................................................................348

349 clock set 349 clock source 350 clock timezone 350 clock summer-time 351 sntp authentication-key 353 sntp authenticate 353 sntp trusted-key 354 sntp client poll timer 355 sntp broadcast client enable 356 sntp anycast client enable 357 sntp client enable (Interface) 357 sntp unicast client enable 358 sntp unicast client poll 359 sntp server 360 show clock 361 show sntp configuration 362 show sntp status 363

Configuration and Image File Commands ........................................................365

copy 365 delete 368 dir 369 more 370 rename 371 boot system 372 show running-config 373 show startup-config 373 show bootvar 374

Ethernet Configuration Commands ..................................................................376

interface ethernet 376 interface range ethernet 377 shutdown 378 description 379 speed 380 duplex 381 negotiation 382 flowcontrol 383 mdix 383 back-pressure 384 clear counters 385 set interface active 386 show interfaces advertise 386 show interfaces configuration 388 show interfaces status 390

xii

Contents

show interfaces description 392 show interfaces counters 392 port storm-control broadcast enable 395 port storm-control broadcast rate 396 show ports storm-control 397

GVRP Commands ................................................ ............................................399

gvrp enable (Global) 399 gvrp enable (Interface) 400 garp timer 401 gvrp vlan-creation-forbid 402 gvrp registration-forbid 402 clear gvrp statistics 403 show gvrp configuration 404 show gvrp statistics 405 show gvrp error-statistics 406

IGMP Snooping Commands .............................................................................408

ip igmp snooping (Global) 408 ip igmp snooping (Interface) 409 ip igmp snooping host-time-out 410 ip igmp snooping mrouter-time-out 410 ip igmp snooping leave-time-out 411 ip igmp snooping multicast-tv 412 ip igmp snooping querier enable 413 ip igmp snooping querier address 413 ip igmp snooping querier version 414 show ip igmp snooping mrouter 414 show ip igmp snooping interface 415 show ip igmp snooping groups 416

IP Addressing Commands ................................................................................418

ip address 418 ip address dhcp 419 ip default-gateway 420 show ip interface 421 arp 422 arp timeout 423 clear arp-cache 424 show arp 424 ip domain-lookup 425 ip domain-name 426 ip name-server 426 ip host 427 clear host 428 clear host dhcp 429 show hosts 429

LACP Commands ...................................................... .................................. ... ..431

xiii

Contents

lacp system-priority 431 lacp port-priority 432 lacp timeout 4 32 show lacp ethernet 433 show lacp port-channel 435

Line Commands ................................................................................................437

line 437 speed 438 autobaud 439 exec-timeout 439 history 440 history size 440 terminal history 441 terminal history size 442 show line 443

Management ACL Commands .........................................................................445

management access-list 445 permit (Management) 446 deny (Management) 447 management access-class 448 show management access-list 449 show management access-class 450

PHY Diagnostics Commands ................................. .. ..................................... ...451

test copper-port tdr 451 show copper-ports tdr 452 show copper-ports cable-length 452 show fiber-ports optical-transceiver 453

Port Channel Commands .................................................................................455

interface port-channel 455 interface range port-channel 455 channel-group 456 show interfaces port-channel 457

Port Monitor Commands ...................................................................................458

port monitor 458 show ports monitor 459

Power over Ethernet Commands ......................................................................460

power inline 460 power inline powered-device 461 power inline priority 462 power inline usage-threshold 462 power inline traps enable 463 show power inline 464

QoS Commands ......................................... .................................. ... ... ..............467

qos 468 show qos 469

xiv

Contents

class-map 469 show class-map 470 match 471 policy-map 472 class 472 rate-limit 473 rate-limit (VLAN) 474 show policy-map 474 trust cos-dscp 475 set 476 police 477 service-policy 478 qos aggregate-policer 478 show qos aggregate-policer 480 police aggregate 481 wrr-queue cos-map 481 priority-queue out num-of-queues 482 traffic-shape 483 show qos interface 484 qos wrr-queue threshold 486 qos map dscp-dp 487 qos map policed-dscp 487 qos map dscp-queue 488 qos trust (Global) 489 qos trust (Interface) 490 qos cos 490 qos dscp-mutation 491 qos map dscp-mutation 492 show qos map 493

RADIUS Commands ........................................................................................495

radius-server host 495 radius-server key 497 radius-server retransmit 497 radius-server source-ip 498 radius-server timeout 499 radius-server deadtime 500 show radius-servers 501

RMON Commands ...........................................................................................503

show rmon statistics 503 rmon collection history 505 show rmon collection history 506 show rmon history 507 rmon alarm 510 show rmon alarm-table 511 show rmon alarm 512

Contents

rmon event 514 show rmon events 514 show rmon log 515 rmon table-size 517

SNMP Commands ...................................................................................... ... ...518

snmp-server community 519 snmp-server view 520 snmp-server group 521 snmp-server user 522 snmp-server engineID local 523 snmp-server enable traps 525 snmp-server filter 525 snmp-server host 526 snmp-server v3-host 528 snmp-server trap authentication 529 snmp-server contact 529 snmp-server location 530 snmp-server set 531 show snmp 531 show snmp engineid 533 show snmp views 534 show snmp groups 535 show snmp filters 536 show snmp users 536

Spanning-Tree Commands ..................................... .. ..................................... ...538

spanning-tree 539 spanning-tree mode 540 spanning-tree forward-time 541 spanning-tree hello-time 542 spanning-tree max-age 543 spanning-tree priority 544 spanning-tree disable 544 spanning-tree cost 545 spanning-tree port-priority 546 spanning-tree portfast 547 spanning-tree link-type 548 spanning-tree pathcost method 549 spanning-tree bpdu 550 clear spanning-tree detected-protocols 551 spanning-tree mst priority 551 spanning-tree mst max-hops 552 spanning-tree mst port-priority 553 spanning-tree mst cost 554 spanning-tree mst configuration 556 instance (mst) 556

xvi

Contents

name (mst) 558 revision (mst) 558 show (mst) 559 exit (mst) 561 abort (mst) 561 spanning-tree guard root 562 spanning-tree bpduguard 563 dot1x bpdu 563 show dot1x bpdu 564 show spanning-tree 564

SSH Commands ...............................................................................................580

ip ssh port 580 ip ssh server 581 crypto key generate dsa 581 crypto key generate rsa 582 ip ssh pubkey-auth 583 crypto key pubkey-chain ssh 584 user-key 585 key-string 586 show ip ssh 587 show crypto key mypubkey 588 show crypto key pubkey-chain ssh 589

Syslog Commands ............................................................... ............................591

logging on 591 logging 592 logging console 593 logging buffered 594 logging buffered size 595 clear logging 595 logging file 596 clear logging file 597 aaa logging 597 file-system logging 598 management logging 598 show logging 599 show logging file 601 show syslog-servers 603

System Management Commands ...................................... .. ............................604

ping 604 traceroute 606 telnet 608 resume 611 reload 612 hostname 612 stack master 613

xvii

Contents

stack reload 614 stack display-order 614 show stack 615 show users 617 show sessions 617 show system 618 show version 619 service cpu-utilization 620 show cpu utilization 6 21

TACACS+ Commands ......................................................................................622

tacacs-server host 622 tacacs-server key 623 tacacs-server timeout 624 tacacs-server source-ip 625 show tacacs 625

Triple Play Commands .....................................................................................627

switchport customer vlan 627 switchport customer multicast-tv vlan 627 ip igmp snooping map cpe vlan 628 show ip igmp snooping cpe vlans 629 show ip igmp snooping interface 629

DHCP Snooping, IP Source Guard and ARP Inspection Commands ..............631

ip dhcp snooping 632 ip dhcp snooping vlan 633 ip dhcp snooping trust 634 ip dhcp information option allowed-untrusted 634 ip dhcp information option 635 ip dhcp snooping verify 635 ip dhcp snooping database 636 ip dhcp snooping database update-freq 636 ip dhcp snooping binding 637 clear ip dhcp snooping database 638 show ip dhcp snooping 638 show ip dhcp snooping binding 639 ip source-guard (global) 640 ip source-guard (interface) 640 ip source-guard binding 641 ip source-guard tcam retries-freq 642 ip source-guard tcam locate 643 show ip source-guard 643 show ip source-guard inactive 644 ip arp inspection 645 ip arp inspection vlan 646 ip arp inspection trust 646 ip arp inspection validate 647

xviii

Contents

ip arp inspection list create 648 ip mac 648 ip arp inspection list assign 649 ip arp inspection logging interval 650 show ip arp inspection 650 show ip arp inspection list 651

User Interface Commands ...................................................... ... ......................652

do 652 enable 653 disable 654 login 654 configure 655 exit (Configuration) 655 exit 656 end 657 help 657 terminal datadump 658 show history 659 show privilege 659

VLAN Commands ................................................... .................................. ... ... ..661

vlan database 662 vlan 663 default-vlan vlan 664 interface vlan 664 interface range vlan 665 name 666 map protocol protocols-group 666 switchport general map protocols-group vlan 667 switchport mode 668 switchport access vlan 669 switchport trunk allowed vlan 670 switchport trunk native vlan 671 switchport general allowed vlan 672 switchport general pvid 673 switchport general ingress-filtering disable 674 switchport general acceptable-frame-type tagged-only 675 switchport forbidden vlan 676 map mac macs-group 677 switchport general map macs-group vlan 677 map subnet subnets-group 678 switchport general map subnets-group vlan 679 switchport protected 680 ip internal-usage-vlan 681 show vlan 682 show vlan internal usage 683

xix

Contents

show interfaces switchport 684 switchport access multicast-tv vlan 687 show vlan protocols-groups 688 show vlan macs-groups 688 show vlan subnets-groups 689 show vlan multicast-tv 690

Web Server Commands ...................................................................................691

ip http server 691 ip http port 692 ip http exec-timeout 693 ip https server 693 ip https port 694 ip https exec-timeout 695 crypto certificate generate 695 crypto certificate request 6 96 crypto certificate import 698 ip https certificate 699 show crypto certificate mycertificate 699 show ip http 700 show ip https 701

Appendix A. Configuration Examples 703

Configuring QinQ ...................................................... ........................................704

Configuring Customer VLANs using the CLI ....................................................707

Configuring Multicast TV ..................................................................................709

Configuring Customer VLANs ...........................................................................716

Configuring Customer VLANs Using the Web Interface ...................................716

Appendix B. Software Specifications 721

Software Features ............................................................................................721

Management Features ......................................................................................722

Standards .........................................................................................................722

Management Information Bases .......................................................................723

Appendix C. Troubleshooting 725

Problems Accessing the Management Interface ..............................................725

Using System Logs ................................... ........................................................726

Appendix D. Glossary 727

Figures

Figure 2-1. Installation and Configuration 14 Figure 2-2. Send File window 29 Figure 3-3. Home Page 34 Figure 3-4. Ports Panel 35 Figure 3-5. System Information Page 37 Figure 3-6. Stack Management Topology Page 41 Figure 3-7. Stack Management - Reset Page 42 Figure 3-8. Logs Settings Page 44 Figure 3-9. Memory Page 46 Figure 3-10. FLASH Logs Page 48 Figure 3-11. Remote Log Page 49 Figure 3-12. SNTP Configuration Page 53 Figure 3-13. SNTP Authentication Page 54 Figure 3-14. SNTP Servers Page 55 Figure 3-15. SNTP Interface Page 56 Figure 3-16. Clock Time Zone Page 61 Figure 3-17. File Download Page 63 Figure 3-18. File Upload Page 65 Figure 3-19. Copy Files Page 66 Figure 3-20. Active image Page 67 Figure 3-21. TCAM Resources Page 69 Figure 3-22. Interface Configuration Page 71 Figure 3-23. LAG Membership Page 73 Figure 3-24. Interface LACP Configuration Page 75 Figure 3-25. Statistics Interface Page 77 Figure 3-26. Statistics Etherlike Page 78 Figure 3-27. IP Interface Page 81 Figure 3-28. Default Gateway Page 82 Figure 3-29. DHCP Page 83 Figure 3-30. ARP Page 84 Figure 3-31. DNS Server Page 86 Figure 3-32. DNS Host Mapping Page 88 Figure 3-33. Engine ID Pag e 90 Figure 3-34. SNMP Users Page 92 Figure 3-35. SNMP Groups Page 93 Figure 3-36. SNMP Views Page 94 Figure 3-37. SNMP Communities Page 96 Figure 3-38. SNMP Trap Station Management Page 98 Figure 3-39. SNMP Global Trap Settings Page 99 Figure 3-40. Trap Filter Settings Page 100 Figure 3-41. Local Users Page 102 Figure 3-42. Line Page 103

xxi

Figures

Figure 3-43. Enable Page 104 Figure 3-44. Access Profiles Page 107 Figure 3-45. Profiles Rules Page 109 Figure 3-46. Authentication Profiles Page 110 Figure 3-47. Authentication Mapping Page 113 Figure 3-48. TACACS+ Page 115 Figure 3-49. RADIUS Page 117 Figure 3-50. RMON Statistics Page 119 Figure 3-51. History Control Page 121 Figure 3-52. History Table Page 122 Figure 3-53. Events Control Page 125 Figure 3-54. Events Logs Page 126 Figure 3-55. Alarm Page 128 Figure 3-56. AMAP Settings Page 129 Figure 3-57. AMAP Adjacencies Page 130 Figure 3-58. LLDP Properties Page 132 Figure 3-59. LLDP Port Settings Page 133 Figure 3-60. MED Networking Policy Page 134 Figure 3-61. MED Port Settings Page 135 Figure 3-62. LLDP Neighbor Information Page 136 Figure 3-63. Details Neighbor Information Page 138 Figure 3-64. Properties Page 140 Figure 3-65. PoE Interface Page 142 Figure 3-66. Port Mirroring Page 144 Figure 3-67. Copper Cable Page 145 Figure 3-68. Optical Transceiver Page 146 Figure 3-69. Health Page 148 Figure 3-70. Storm Control Page 150 Figure 3-71. Port Security Page 153 Figure 3-72. System Information Page 156 Figure 3-73. Port Authentication Page 160 Figure 3-74. Multiple Hosts Page 162 Figure 3-75. Authentication Host Page 163 Figure 3-76. Statistics Page 166 Figure 3-77. ACL Binding Page 169 Figure 3-78. IP Based ACL Page 171 Figure 3-79. MAC Based ACL Page 173 Figure 3-80. DHCP Snooping Properties Page 175 Figure 3-81. VLAN Settings Page 176 Figure 3-82. Trusted Interface Page 177 Figure 3-83. Binding Database Page 178 Figure 3-84. DHCP Option 82 Page 179 Figure 3-85. ARP Inspection Properties Page 181 Figure 3-86. ARP Inspection Trusted Interface Page 182 Figure 3-87. ARP Inspection List Page 183

xxii

Figures

Figure 3-88. VLAN Settings Page 184 Figure 3-89. IP Source Guard Properties Page 185 Figure 3-90. Interface Settings Page 186 Figure 3-91. IP Source Guard Binding Database Page 187 Figure 3-92. Static Addresses Page 189 Figure 3-93. Dynamic Addresses Page 190 Figure 3-94. STP General Page 194 Figure 3-95. Interface Configuration Page 197 Figure 3-96. RSTP Page 199 Figure 3-97. MSTP General Page 200 Figure 3-98. MSTP Instance Settings Page 201 Figure 3-99. MSTP Interface Settings Page 203 Figure 3-100. VLAN Basic Information Page 207 Figure 3-101. Current Table Page 209 Figure 3-102. Interface Configuration Page 211 Figure 3-103. Customer Multicast TV VLAN Page 212 Figure 3-104. CPE VLANs Mapping Page 213 Figure 3-105. MAC-Based Groups Page 214 Figure 3-106. Subnet-Based Groups Page 215 Figure 3-107. Protocol Based Groups Page 216 Figure 3-108. Mapping Groups to VLAN Page 217 Figure 3-109. GARP Configuration Page 218 Figure 3-110. GVRP Parameters Page 220 Figure 3-111. GVRP Statistics Page 221 Figure 3-112. IGMP Snooping Page 225 Figure 3-113. Multicast Group Page 226 Figure 3-114. Multicast Forward All Page 228 Figure 3-115. IGMP Snooping Mapping Page 229 Figure 3-116. Multicast TV Membership Page 230 Figure 3-117. CoS Mode Page 236 Figure 3-118. Queue Priority Page 237 Figure 3-119. Bandwidth Configuration Page 239 Figure 3-120. VLAN Rate Limit Page 240 Figure 3-121. CoS to Queue Page 241 Figure 3-122. DSCP Priority Page 242 Figure 3-123. QoS General Page 243 Figure 3-124. DSCP Rewrite Page 244 Figure 3-125. DSCP Mapping Page 245 Figure 3-126. Class Map Page 246 Figure 3-127. Aggregate Policer Page 247 Figure 3-128. Tail Drop Page 248 Figure 3-129. Policy Table Page 249 Figure 3-130. Policy Binding Page 251 Figure 1. VLAN Basic Information Page 704 Figure 2. Add 802.1q VLAN Page 705

xxiii

Figures

Figure 3. VLAN Interface Configuration Page 705 Figure 4. Modify VLAN Interface Configuration Page 706 Figure 5. VLAN Current Table 707 Figure 6. QinQ Configuration Example 707 Figure 7. Triple Play Configuration 709 Figure 8. Add VLAN Membership Page 712 Figure 9. CPE VLAN Mapping Page 713 Figure 10. CPE VLAN Mapping Page 714 Figure 11. VLAN Interface Settings Page 715 Figure 12. Customer Multicast TV VLAN Page 716 Figure 13. VLAN Basic Information Page 717 Figure 14. Add VLAN Page 717 Figure 15. VLAN Interface Configuration Page 718 Figure 16. Modify VLAN Interface Configuration Page 718 Figure 17. VLAN Current Table 719

xxiv

Chapter 1: Introduction

The OmniStack® 62 00 series has seven platforms:

• OS-LS-6212 – combo uplink ports (with SFP or 10/100/1000Base-TX interfaces) and two ports full-duplex Gigabit stacking

• OS-LS-6212P –

standard-based Power over Ethernet, two Gigabit combo uplink ports (with SFP or 10/ 100/1000Base-TX interfaces) and two ports full-duplex Gigabit stacking

• OS-LS-6224 – Ethernet based switch with 24 RJ-45 10/100Base-TX ports, two Gigabit combo uplink ports (with SFP or 10/1 00/1000Base-TX interf aces) and two ports full-duplex Gigabit stacking (optional DC power source)

• OS-LS-6224P – Ethernet based switch with 24 RJ-45 10/100Base-TX ports providing standard-based Power over Ethernet, two Gigabit combo uplink ports (with SFP or 10/100/1000Base-TX interfaces) and two ports full-duplex Gigabit stacking

• OS-LS-6248 – Ethernet based switch with 48 RJ-45 10/100Base-TX ports, two Gigabit combo uplink ports (with SFP or 10/1 00/1000Base-TX interf aces) and two ports full-duplex Gigabit stacking (optional DC power source)

• OS-LS-6248P – Ethernet based switch with 48 RJ-45 10/100Base-TX ports providing standard-based Power over Ethernet, two Gigabit combo uplink ports (with SFP or 10/100/1000Base-TX interfaces) and two ports full-duplex Gigabit stacking

• OS-LS-6224U – Ethernet based switch with 24 100Base-FX external SFP ports, two Gigabit combo ports with assicuated Mini-GBIC slots or RJ-45 ports and two 1000Base-T stacking ports

All devices have a management port which is used for debuggi ng an d manag ement purposes.

This switch provides a broad range of features for switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by t his switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.

Ethernet based switch with 12 RJ-45 10/100Base-TX ports, two Gigabit

Ethernet based switch with 12 RJ-45 10/100Base-TX ports providing

Key Features

Feature Description

Configuration Backup and Restore

Backup to TFTP server

Table1-1. Key Features

Introduction

Table1-1. Key Features

Feature Description

Authentication Console, Telnet, web – User name / password, RADIUS, TACACS+

Web – HTTPS; Telnet – SSH SNMP v1/2c - Community strings SNMP version 3 – MD5 or SHA password

Port – IEEE 802.1x Access Control Lists Supports up to 1K IP or MAC ACLs DHCP Client Supported DNS Server Supported Port Configuration Speed, duplex mode and flow control Rate Limiting Input and output rate limiting per port Port Mirroring One or more ports mirrored to single analysis port Port Trunking Supports up to 8 trunks using either static or dynamic trunking (LACP) Broadcast Storm

Control Static Address Up to 16K MAC addresses in the forwarding table IEEE 802.1D Bridge Supports dynamic data switching and addresses learning Store-and-Forward

Switching Spanning Tree

Protocol Virtual LANs Up to 255 using IEEE 802.1Q, port-based, protocol-based, or private VLANs GVRP Traffic Prioritization Default port priority, traffic class map, queue scheduling, IP Precedence, or

STP Root Guard Prevents devices outside the network core from being assigned the

STP BPDU Guard Used as a security mechanism to protect the network from invalid configurations.

802.1x - MAC Authentication

DHCP Snooping Expands network security by providing a firewall security between untrusted

DHCP Option 82 Enables to add information for the DHCP server on request. IP Source Address

Guard

ARP Inspection Classic Address Resolution Protocol is a TCP/IP protocol that translates IP

Supported

Supported to ensure wire-speed switching while eliminating bad frames

Supports standard STP, Rapid Spanning Tree Protocol (RSTP), Multiple Spanning

Trees (MSTP).

Differentiated Services Code Point (DSCP) and TCP/UDP Port

spanning tree root.

MAC authentication ensures that end-user stations meet security policies criteria,

and protects networks from viruses.

interfaces and DHCP servers.

Restricts IP traffic on non-routed, Layer 2 interfaces by f ilterin g traffic. This feature

is based on the DHCP snooping binding database and on manually configured IP

source bindings.

addresses into MAC addresses.

Description of Software Features

Table1-1. Key Features

Feature Description

LLDP-MED Increases network flexibility by allowing different IP systems to co-exist on a single

QoS Supports Quality of Service (QoS). Multicast Filtering Supports IGMP snooping and query. Power over Ethernet Enables PoE support. Multicast TV VLAN Supplies multicast transmissions to L2-isolated subscribers, without replicating the

IP Subnet-Based VLANs

MAC-Based VLANs Packets are classified according to MAC address Jumbo Frames Support of mini jumbo frames allows forwarding of packets up to 1632 bytes. QinQ Allows network managers to add an additional tag to previously tagged packets

network.

multicast transmissions for each subscriber VLAN. Packets are classified according to the packet’s source IP subnet in its IP header

Description of Software Features

The switch provides a wide range of advanced performance enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network. Port-based and protocol-based VLANs, plus support for automatic GVRP VLAN registration provide traffic security and efficient use of network bandwidth. CoS priority queueing ensures the minimum delay for moving real-time multimedia data across the network. While multicast filtering provides support for real-time network applications. Some of the management features are briefly described below.

Configuration Backup and Restore – You can save the current configuration settings to a file on a TFTP server, and later download this file to restore the switch configuration settings.

Authentication – This switch authenticates management access via the console port, T eln et or web browser . User names and pa sswords can be configured locally or can be verified via a remote authentication server (i.e., RADIUS or TACACS+). Port-based and MAC-based authentication is also supported via the IEEE 802.1x protocol. This protocol uses the Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1x client, and then verifies the client’s right to access the network via an authentication server.

Other authentication options include HTTPS for secure management ac cess via t he web, SSH for secure management access over a Telnet-e quivalent connection, SNMP version 3, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access.

Introduction

MAC Address Capacity Support – The device supports up to 16K MAC addresses. The device reserves specific MAC addresses for system use.

Self-Learning MAC Addresses – The device enables automatic MAC addresses learning from incoming packets.

Automatic Aging for MAC Addresses – MAC addresses from which no traffic is received for a given period are aged out. This prevents the Bridging Table from overflowing.

Static MAC Entries – User defined static MAC entries are stored in the Bridging Table, in addition to the Self Learned MAC addresses.

VLAN-Aware MAC-based Switching – Packets arriving from an unknown source address are sent to the CPU. When source addresses are added to the Hardware Table, packets addressed to this address are then forwarded straight to corresponding port.

MAC Multicast Support – Multicast service is a limited broadcast service, which allows one-to-many and many-to-many connections for information distribut ion. Layer 2 multicast service is where a single frame is address ed to a speci fic multicast address, and copies of the frame transmitted to relevant all relevan t ports.

Address Resolution Protocol – switches to inter-communicate using various routing protocols to discover network topology and define Routing tables. Device Next-Hop MAC addresses are automatically derived by ARP. This includes directly attached end systems. Users can override and supplement this by defining additional ARP Table entries.

QinQ tagging – QinQ tagging allows network managers to add an additional tag to previously tagged packets. Adding additional tags to the packets helps create more VLAN space. The added tag provides an VLAN ID to each customer, this ensures private and segregated network traffic.

Port Configuration – You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use the full-duplex mode on ports whenever possible to double the throughput of switch connecti ons. Flow control should also be enabled to control network traffic during periods of congestion and prevent the loss of packets when port buff er thresholds are exceeded. The switch supports flow control based on the IEEE 802.3x standard.

Rate Limiting – This feature controls the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into o r out of the network. T r affic th at falls within t he rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.

Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.

Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using I EEE 802. 3ad Lin k Ag gregatio n

IP routing generally utilizes routers and Layer 3

Description of Software Features

Control Protocol (LACP). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 6 trunks.

Broadcast Storm Control – Broadcast s uppress ion preve nts broadcast traffic from overwhelming the network. When enabled on a port, the level of broadcast traffic passing through the port is restricted. If broadcast traffic rises above a pre-defined threshold, it will be throttled until the level falls back beneath the threshold.

Static Addresses – A st atic MAC address ca n be assigned to a specific inte rface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to th e a ddress table. Static addresses can be used to provide network security by restricting access for a known host to a specific port.

STP BPDU Guard – Bridge Protocol Data Units (BPDU) Guard expands network adminstrator’s ablility to enforce STP borders and maintain STP top ologies realibility. BPDU is utilized when Fast Link ports is enabled and/or if the Spanning Tree Protocol is disabled on ports. If a BPDU message is sent to a port on which STP is disabled, BPDU Guard shuts down the port, and generates a SNMP message.

STP Root Guard – Spanning Tree Root Guard is used to prevent an unauthorized device from becoming the root of a spanning tree. Root guard functionality enables detection and resolution of misconfigurations, while preventing loops or loss of connectivity.

802.1x - MAC Authentication – MAC authentication like the 802.1X allows network access to a device, for example, printers and IP phones, that do not have the 802.1X supplicant capability. MAC authentication uses the MAC address of the connecting device to grant or deny network access.

To support MAC authentication, the RADIUS authentication server maintains a database of MAC addresses for devices that require access to th e netwo rk. In order for the feature to be active, 802.1x must be in auto-mode.

User then can enable the MAC authentication feature in one of following modes:

• MAC Only – Where only MAC authentication is enabled

• MAC + 802.1x (In that case 802.1x takes precedence) The feature can be enabled per port. The port must be a member of a guest VLAN

prior of activating the feature. DHCP Snooping – DHCP Snooping expands network security by providing a

firewall security between untrusted interfaces and DHCP serv ers. By enabling DHCP Snooping network administrators can identify between trusted interfaces connected to end-users or DHCP Servers, and untrusted interface located beyond the network firewall. DHCP Snooping creates and maintains a DHCP Snooping Table which contains information received from untrusted packets. Interfaces are untrusted if the packet is received from an interface from out side the network or from a interface beyond the network firewall.

Introduction

DHCP Option 82 – DHCP server can insert information into DHCP requests. The DHCP information is used to assign IP addresses to network interfaces.

IP Source Address Guard – IP source guard stops malignant network users from using unallocated network IP addresses. IP Sou rce Guard ensures that only packet s with an IP address stored in the DHCP Database are forwarded. IP address stored in the DHCP Snooping Database are either statically configured by the network administrator or are retrieved using DHCP. IP source guard can be enabled only on DHCP snooping untrusted interface.

Dynamic ARP Inspection – ARP Inspection eliminates man-in-the-middle attacks, where false ARP packets are inserted into the s ubnet. ARP req uests and responses are inspected, and their MAC Address to IP Address binding is checked. Packets with invalid ARP Inspection Bindings are logged and dro pped. Packet s are classified as:

• Trusted — Indicates that the interface IP and MAC address are recognized, and recorded in the ARP Inspec-tion List. Trusted packets are forward without ARP Inspection.

• Untrusted — Indicates that the packet arrived fro m an interface that does no t have a recognized IP and MAC addresses. The packet is checked for:

• Source MAC — Compares the packet’s source MAC address against the sender’s MAC address in the ARP request. This check is performed on both ARP requests and responses.

• Destination MAC — Compares the packet’s destination MAC address again st the destination interface’s MAC address. This check is performed for ARP responses.

• IP Addresses — Compares the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.25 5, a nd al l I P Multi cas t addresses. If the packet’s IP address was not found in the ARP Inspection List, and DHCP snooping is enabled for a VLAN, a search of the DHCP Snooping Database is performed. If the IP address i s found the packet is valid, and is forwarded. ARP inspection is performed only on untrusted interfaces.

LLDP - The Link Layer Discovery Protocol (LLDP) allows network managers to troubleshoot and enhance network management by discovering and maintaining network topologies over multi-vendor environments. LLDP discovers network neighbors by standardizing methods for network devices to advertise themselves to other system, and to store discovered information. Device discovery information includes:

• Device Identification

• Device Capabilities

• Device Configuration The advertising device transmits multiple advertisement message sets in a single

LAN packet. The multiple advertisement sets are sent in the packet Type Length Val ue (TLV) field. LLDP devices must support chassis and port ID advertisement, as well as system name, system ID, system description, and system capability

+ 732 hidden pages