Netgear M4500-48XF8C Administration Manual

M4500 Intelligent Fully Managed Switches
Software Version 7.0.0
Model M4500-32C
July 2020 202-12039-02
NETGEAR, Inc.
350 E. Plumeria Drive San Jose, CA 95134, USA
Revision History

Publication Part Number   Publish Date     Comments
202-12039-02              July 2020        We added the PTP End-to-End Transparent Clock feature.
202-12039-01              September 2019   First publication.
Support and Community
Visit netgear.com/support to get your questions answered and access the latest downloads.
You can also check out our NETGEAR Community for helpful advice at community.netgear.com.
Regulatory and Legal
If this product is sold in Canada, you can access this document in Canadian French at
https://www.netgear.com/support/download/.
For regulatory compliance information including the EU Declaration of Conformity, visit
https://www.netgear.com/about/regulatory/.
See the regulatory compliance document before connecting the power supply.
For NETGEAR’s Privacy Policy, visit https://www.netgear.com/about/privacy-policy.
By using this device, you are agreeing to NETGEAR’s Terms and Conditions at
https://www.netgear.com/about/terms-and-conditions. If you do not agree, return the device to your
place of purchase within your return period.
Trademarks
© NETGEAR, Inc. NETGEAR and the NETGEAR Logo are trademarks of NETGEAR, Inc. Any non-NETGEAR trademarks are used for reference purposes only.
NETGEAR M4500 Series Switches Software Administration Manual 2
Contents
1. Supported Features on the M4500 Series Switches .................... 12
1.1. Switching Features Introduction ................................................................................... 12
1.1.1. VLAN Support ................................................................................................................................................ 12
1.1.2. Double VLANs ................................................................................................................................................ 12
1.1.3. Switching Modes ........................................................................................................................................... 12
1.1.4. Spanning Tree Protocols (STP) ...................................................................................................................... 12
1.1.5. Rapid Spanning Tree ..................................................................................................................................... 12
1.1.6. Multiple Spanning Tree ................................................................................................................................. 13
1.1.7. Bridge Protocol Data Unit (BPDU) Guard ...................................................................................................... 13
1.1.8. Port-channel .................................................................................................................................................. 13
1.1.9. Link Aggregate Control Protocol (LACP) ........................................................................................................ 13
1.1.10. Multi Chassis Link Aggregation Group (MLAG) ............................................................................................. 13
1.1.11. Flow Control Support (IEEE 802.3x) .............................................................................................................. 13
1.1.12. Asymmetric Flow Control .............................................................................................................................. 14
1.1.13. Alternate Store and Forward (ASF) ............................................................................................................... 14
1.1.14. Jumbo Frames Support ................................................................................................................................. 14
1.1.15. Auto-MDI/MDIX Support .............................................................................................................................. 14
1.1.16. Unidirectional Link Detection (UDLD) ........................................................................................................... 14
1.1.17. Expandable Port Configuration ..................................................................................................................... 14
1.1.18. VLAN-aware MAC-based Switching .............................................................................................................. 15
1.1.19. Back Pressure Support .................................................................................................................................. 15
1.1.20. Auto Negotiation ........................................................................................................................................... 15
1.1.21. Storm Control ................................................................................................................................................ 15
1.1.22. Port Mirroring ............................................................................................................................................... 15
1.1.23. sFlow ............................................................................................................................................................. 16
1.1.24. Static and Dynamic MAC Address Tables ...................................................................................................... 16
1.1.25. Link Layer Discovery Protocol (LLDP) ............................................................................................................ 16
1.1.26. Link Layer Discovery Protocol (LLDP) for Media Endpoint Device ................................................................ 16
1.1.27. DHCP Layer 2 Relay ....................................................................................................................................... 16
1.1.28. MAC Multicast Support ................................................................................................................................. 16
1.1.29. IGMP Snooping ............................................................................................................................................. 17
1.1.30. SDVoE ............................................................................................................................................................ 17
1.1.31. Source Specific Multicasting (SSM) ............................................................................................................... 17
1.1.32. Control Packet Flooding ................................................................................................................................ 17
1.1.33. Flooding to mRouter Ports ............................................................................................................................ 17
1.1.34. IGMP Snooping Querier ................................................................................................................................ 17
1.1.35. Management and Control Plane ACLs .......................................................................................................... 18
1.1.36. Remote Switched Port Analyzer (RSPAN) ..................................................................................................... 18
1.1.37. Link Dependency ........................................................................................................................................... 18
1.1.38. IPv6 Router Advertisement Guard ................................................................................................................ 18
1.1.39. FIP Snooping .................................................................................................................................................. 19
1.1.40. ECN Support .................................................................................................................................................. 19
1.2. Security Features .......................................................................................................... 20
1.2.1. Configurable Access and Authentication Profiles ......................................................................................... 20
1.2.2. AAA Command Authorization ....................................................................................................................... 20
1.2.3. Password-protected Management Access .................................................................................................... 20
1.2.4. Strong Password Enforcement ...................................................................................................................... 20
1.2.5. MAC-based Port Security .............................................................................................................................. 20
1.2.6. RADIUS Client ................................................................................................................................................ 20
1.2.7. TACACS+ Client .............................................................................................................................................. 20
1.2.8. Dot1x Authentication (IEEE 802.1X) .............................................................................................................. 21
1.2.9. MAC Authentication Bypass .......................................................................................................................... 21
1.2.10. DHCP Snooping ............................................................................................................................................. 21
1.2.11. DHCPv6 Snooping .......................................................................................................................................... 21
1.2.12. Dynamic ARP Inspection ............................................................................................................................... 22
1.2.13. IP Source Address Guard ............................................................................................................................... 22
1.3. Quality of Service Features ........................................................................................... 22
1.3.1. Access Control Lists (ACL) ............................................................................................................................. 22
1.3.2. ACL Remarks ................................................................................................................................................. 22
1.3.3. ACL Rule Priority............................................................................................................................................ 22
1.3.4. Differentiated Service (DiffServ) ................................................................................................................... 23
1.3.5. Class of Service (CoS) .................................................................................................................................... 23
1.4. Management Features .................................................................................................. 23
1.4.1. Management Options ................................................................................................................................... 23
1.4.2. Management of Basic Network Information ................................................................................................ 23
1.4.3. File Management .......................................................................................................................................... 23
1.4.4. Malicious Code Detection ............................................................................................................................. 24
1.4.5. Automatic Installation of Firmware and Configuration ................................................................................ 24
1.4.6. Warm Reboot ................................................................................................................................................ 24
1.4.7. SNMP Alarms and Trap Logs ......................................................................................................................... 24
1.4.8. Remote Monitoring (RMON) ......................................................................................................................... 24
1.4.9. Statistics Application ..................................................................................................................................... 24
1.4.10. Log Messages ................................................................................................................................................ 25
1.4.11. System Time Management ........................................................................................................................... 25
1.4.12. Source IP Address Configuration ................................................................................................................... 25
1.4.13. Multiple Linux Routing Tables ....................................................................................................................... 25
1.4.14. Open Network Install Environment Support ................................................................................................. 25
1.4.15. Interface Error Disable and Auto Recovery ................................................................................................... 25
1.4.16. CLI Scheduler ................................................................................................................................................. 26
1.5. Routing Features ........................................................................................................... 26
1.5.1. IP Unnumbered ............................................................................................................................................. 26
1.5.2. Open Shortest Path First (OSPF) ................................................................................................................... 26
1.5.3. Border Gateway Protocol (BGP) .................................................................................................................... 26
1.5.4. VLAN Routing ................................................................................................................................................ 27
1.5.5. IP Configuration ............................................................................................................................................ 27
1.5.6. Address Resolution Protocol (ARP) Table Management ............................................................................... 28
1.5.7. BOOTP/DHCP Relay Agent ............................................................................................................................ 28
1.5.8. IP Helper and UDP Relay ............................................................................................................................... 28
1.5.9. Routing Table ................................................................................................................................................ 28
1.5.10. Virtual Router Redundancy Protocol (VRRP) ................................................................................................ 28
1.5.11. Algorithmic Longest Prefix Match (ALPM) .................................................................................................... 28
1.5.12. Bidirectional Forwarding Detection .............................................................................................................. 28
1.5.13. VRF Lite Operation and Configuration .......................................................................................................... 29
1.6. Layer 3 Multicast Features ............................................................................................ 29
1.6.1. Internet Group Management Protocol ......................................................................................................... 29
1.6.2. Protocol Independent Multicast ................................................................................................................... 29
1.6.3. MLD/MLDv2 (RFC2710/RFC3810) ................................................................................................................. 30
1.7. Data Center Features .................................................................................................... 30
1.7.1. Priority-Based Flow Control .......................................................................................................................... 30
1.7.2. Data Center Bridging Exchange Protocol ...................................................................................................... 30
1.7.3. CoS Queuing and Enhanced Transmission Selection .................................................................................... 30
1.7.4. VXLAN Gateway ............................................................................................................................................ 30
2. Getting Started .......................................................................... 32
2.1. Accessing the switch Command-Line Interface .............................................................. 32
2.1.1. Connecting to the Switch Console ................................................................................................................ 32
2.1.2. Login User ID and Password .......................................................................................................................... 33
2.1.3. Accessing the Switch CLI through the Network ............................................................................................ 33
2.1.4. Using the Service Port or Management VLAN Interface for Remote Management ..................................... 34
2.1.5. DHCP Option 61 ............................................................................................................................................ 35
2.2. Understanding the User Interfaces................................................................................ 36
2.2.1. Using the Command-Line Interface .............................................................................................................. 37
2.2.2. Using SNMP ................................................................................................................................................... 37
3. Configuring L2 Switching Features .............................................. 43
3.1. Port Configuration ........................................................................................................ 43
3.1.1. 100G Port-mode Command .......................................................................................................................... 43
3.2. Virtual Local Area Networks .......................................................................................... 44
3.2.1. VLAN Tagging ................................................................................................................................................ 45
3.2.2. Double-VLAN Tagging ................................................................................................................................... 46
3.2.3. Default VLAN Behavior .................................................................................................................................. 47
3.2.4. VLAN Configuration Example ........................................................................................................................ 47
3.3. Switchport Modes ......................................................................................................... 51
3.4. Port-channels – Operation and Configuration ............................................................... 53
3.4.1. Static and Dynamic Port-channel .................................................................................................................. 53
3.4.2. Port-channel Hashing .................................................................................................................................... 54
3.4.3. Port-channel Interface Overview .................................................................................................................. 55
3.4.4. Port-channel Interaction with Other Features .............................................................................................. 56
3.4.5. Port-channel Configuration Guidelines ......................................................................................................... 57
3.5. LACP Fallback Configuration .......................................................................................... 60
3.5.1. Configuring Dynamic Port-channels .............................................................................................................. 60
3.5.2. Configuring Static Port-channels ................................................................................................................... 61
3.6. MLAG – Operation and Configuration ........................................................................... 62
3.6.1. Overview ....................................................................................................................................................... 62
3.6.2. Deployment Scenarios .................................................................................................................................. 63
3.6.3. MLAG Fast Failover ....................................................................................................................................... 67
3.6.4. MLAG Configuration ...................................................................................................................................... 67
3.7. Unidirectional Link Detection (UDLD) ............................................................................ 70
3.7.1. UDLD Modes ................................................................................................................................................. 71
3.7.2. UDLD and Port-channel Interfaces ................................................................................................................ 71
3.7.3. Configuring UDLD .......................................................................................................................................... 71
3.8. Port Mirroring ............................................................................................................... 73
3.8.1. Configuring Port Mirroring ............................................................................................................................ 73
3.8.2. Configuring RSPAN ........................................................................................................................................ 74
3.8.3. VLAN-based Mirroring .................................................................................................................................. 76
3.8.4. Flow-based Mirroring .................................................................................................................................... 76
3.9. Spanning Tree Protocol ................................................................................................. 77
3.9.1. Classic STP, Multiple STP, and Rapid STP ...................................................................................................... 77
3.9.2. STP Operation ............................................................................................................................................... 77
3.9.3. MSTP in the Network .................................................................................................................................... 78
3.9.4. Optional STP Features ................................................................................................................................... 81
3.9.5. STP Configuring Examples ............................................................................................................................. 83
3.10. IGMP Snooping ............................................................................................................. 84
3.10.1. IGMP Snooping Querier ................................................................................................................................ 84
3.10.2. Configuring IGMP Snooping .......................................................................................................................... 85
3.10.3. IGMPv3/SSM Snooping ................................................................................................................................. 88
3.11. SDVoE ........................................................................................................................... 88
3.11.1. IGMP & IGMP Snooping Enhancements for IGMP V1 & V2 .......................................................................... 88
3.11.2. SDVoE Configuration Example ...................................................................................................................... 91
3.12. MLD Snooping ............................................................................................................... 93
3.12.1. MLD Snooping Configuration Example ......................................................................................................... 93
3.12.2. MLD Snooping First Leave Configuration Example ....................................................................................... 96
3.12.3. MLD Snooping Querier Configuration Example ............................................................................................ 97
3.13. LLDP and LLDP-MED ...................................................................................................... 98
3.13.1. LLDP and Data Center Application ................................................................................................................ 99
3.13.2. Configuring LLDP ........................................................................................................................................... 99
3.14. sFlow .......................................................................................................................... 101
3.14.1. sFlow Sampling............................................................................................................................................ 102
3.14.2. Configuring sFlow ........................................................................................................................................ 103
3.15. Link Dependency ......................................................................................................... 104
3.16. FIP Snooping ............................................................................................................... 105
3.17. ECN ............................................................................................................................. 109
3.17.1. Enabling ECN in Microsoft Windows ........................................................................................................... 110
3.17.2. Example 1: SLA Example ............................................................................................................................. 110
3.17.3. Example 2: Data Center TCP (DCTCP) Configuration ................................................................................... 113
3.18. Storm Control ............................................................................................................. 114
3.18.1. Storm Control Configuration Example ........................................................................................................ 114
3.19. Jumbo Frames ............................................................................................................. 115
3.19.1. Jumbo Frame Configuration Example ......................................................................................................... 115
3.20. Port-Backup ................................................................................................................ 116
3.20.1. Port-Backup Configuration Example ........................................................................................................... 116
3.21. PTP End-to-End Transparent Clock .............................................................................. 117
3.21.1. PTP Time Stamp Operation ......................................................................................................................... 118
3.21.2. PTP Transparent Clocks ............................................................................................................................... 119
3.21.3. Manage the PTP End-to-End Transparent Clock ......................................................................................... 119
3.21.4. Globally Reenable PTP End-to-End Transparent Clock ............................................................................... 120
3.21.5. Reenable PTP End-to-End Transparent Clock for an Interface.................................................................... 120
3.21.6. Display the PTP End-to-End Transparent Clock Status ................................................................................ 120
4. Configuring Security Features ................................................... 122
4.1. Controlling Management Access ................................................................................. 122
4.1.1. Using RADIUS Servers for Management Security ....................................................................................... 122
4.1.2. Using TACACS+ to Control Management Access......................................................................................... 123
4.1.3. Configuring and Applying Authentication Profiles ...................................................................................... 124
4.1.4. Configuring the Primary and Secondary RADIUS Servers ........................................................................... 126
4.1.5. Configuring an Authentication Profile ........................................................................................................ 126
4.2. Configuring DHCP Snooping, DAI, and IPSG ................................................................. 128
4.2.1. DHCP Snooping Overview ........................................................................................................................... 128
4.2.2. IP Source Guard Overview .......................................................................................................................... 130
4.2.3. Dynamic ARP Inspection Overview ............................................................................................................. 131
4.2.4. Increasing Security with DHCP Snooping, DAI, and IPSG ............................................................................ 131
4.2.5. Configuring DHCP Snooping ........................................................................................................................ 132
4.2.6. Configuring IPSG ......................................................................................................................................... 133
4.3. Configuring DHCPv6 Snooping .................................................................................... 134
4.3.1. DHCPv6 Snooping Configuration Example .................................................................................................. 134
4.4. ACLs ............................................................................................................................ 136
4.4.1. MAC ACLs .................................................................................................................................................... 137
4.4.2. IP ACLs ......................................................................................................................................................... 137
4.4.3. ACL Redirect Function ................................................................................................................................. 138
4.4.4. ACL Mirror Function .................................................................................................................................... 138
4.4.5. ACL Logging ................................................................................................................................................. 138
4.4.6. Time-based ACLs ......................................................................................................................................... 138
4.4.7. ACL Rule Remarks ....................................................................................................................................... 139
4.4.8. ACL Rule Priority.......................................................................................................................................... 139
4.4.9. ACL Limitations ............................................................................................................................................ 140
4.4.10. ACL Configuration Process .......................................................................................................................... 140
4.4.11. Preventing False ACL Matches .................................................................................................................... 140
4.4.12. IPv6 ACL Qualifiers ...................................................................................................................................... 141
4.4.13. ACL Configuration Examples ....................................................................................................................... 142
4.5. Control Plane Policing (CoPP) ...................................................................................... 146
4.5.1. CoPP Configuration Examples ..................................................................................................................... 146
5. Configuring Quality of Service .................................................. 149
5.1. CoS .............................................................................................................................. 149
5.1.1. Trusted and Untrusted Port Modes ............................................................................................................ 149
5.1.2. Traffic Shaping on Egress Traffic ................................................................................................................. 149
5.1.3. Defining Traffic Queues ............................................................................................................................... 150
5.2. DiffServ ....................................................................................................................... 152
5.2.1. DiffServ Functionality and Switch Roles ...................................................................................................... 153
5.2.2. Elements of DiffServ Configuration ............................................................................................................. 153
5.2.3. Configuring DiffServ to Provide Subnets Equal Access to External Network ............................................... 154
6. Configuring Switch Management Features ............................... 156
6.1. Managing Images and Files ......................................................................................... 156
6.1.1. Supported File Management Methods ....................................................................................................... 157
6.1.2. Uploading and Downloading Files ............................................................................................................... 157
6.1.3. Managing Configuration Files ..................................................................................................................... 157
6.1.4. Saving the Running Configuration ............................................................................................................... 159
6.1.5. File and Image Management Configuration Examples ............................................................................... 159
6.2. Enabling Automatic System Configuration .................................................................. 163
6.2.1. DHCP Auto Install Process ........................................................................................................................... 163
6.2.2. Monitoring and Completing the DHCP Auto Install Process ....................................................................... 164
6.2.3. DHCP Auto Install Dependencies ................................................................................................................ 165
6.2.4. Default Auto Install Values .......................................................................................................................... 165
6.2.5. Enabling DHCP Auto Install ......................................................................................................................... 165
6.3. Configuring System Log Example ................................................................................. 166
6.3.1. Example 1 to Add Syslog Host ..................................................................................................................... 166
6.3.2. Example 2 to Verify Syslog Host Configuration ........................................................................................... 166
6.4. Configuring CLI Scheduler (Kron) ................................................................................. 169
6.4.1. CLI Scheduler Policy Lists ............................................................................................................................ 169
6.4.2. CLI Scheduler Occurrences .......................................................................................................................... 170
6.4.3. Configuration Example ................................................................................................................................ 170
7. Configuring Routing ................................................................. 171
7.1. Basic Routing and Features ......................................................................................... 171
7.1.1. VLAN Routing .............................................................................................................................................. 171
7.1.2. IP Routing Configuration Example .............................................................................................................. 172
7.1.3. IP Unnumbered Configuration Example ..................................................................................................... 175
7.2. OSPF ........................................................................................................................... 177
7.2.1. Configuring an OSPF Border Router and Setting Interface Costs ................................................................ 178
7.3. VRRP ........................................................................................................................... 180
7.3.1. VRRP Operation in the Network ................................................................................................................. 180
7.3.2. VRRP Configuration Example ...................................................................................................................... 182
7.4. IP Helper ..................................................................................................................... 187
7.4.1. Relay Agent Configuration Example ............................................................................................................ 189
7.5. Border Gateway Protocol (BGP) ................................................................................... 191
7.5.1. BGP Topology .............................................................................................................................................. 192
7.5.2. BGP Behavior .............................................................................................................................................. 193
7.5.3. BGP Configuration Example ........................................................................................................................ 194
7.6. IPv6 Routing ................................................................................................................ 199
7.6.1. How Does IPv6 Compare with IPv4 ............................................................................................................. 199
7.6.2. How Are IPv6 Interfaces Configured .......................................................................................................... 200
7.6.3. Default IPv6 Routing Values ........................................................................................................................ 200
7.6.4. Configuring IPv6 Routing Features .............................................................................................................. 201
7.7. ECMP Hash Selection .................................................................................................. 205
7.8. Bidirectional Forwarding Detection............................................................................. 206
7.8.1. Configuring BFD .......................................................................................................................................... 206
7.9. VRF Lite Operation and Configuration ......................................................................... 207
7.9.1. Route Leaking .............................................................................................................................................. 208
7.9.2. Adding Leaked Routes ................................................................................................................................. 208
7.9.3. Using Leaked Routes ................................................................................................................................... 208
7.9.4. CPU-Originated Traffic ................................................................................................................................ 208
7.9.5. VRF Features Support ................................................................................................................................. 209
7.9.6. VRF Lite Development Scenarios ................................................................................................................ 211
7.9.7. VRF Configuration Example ......................................................................................................................... 213
8. Configuring Multicast Routing .................................................. 215
8.1. L3 Multicast Overview ................................................................................................ 215
8.1.1. IP Multicast Traffic ...................................................................................................................................... 215
8.1.2. Multicast Protocol Switch Support ............................................................................................................. 215
8.1.3. Multicast Protocol Roles ............................................................................................................................. 216
8.1.4. Multicast Switch Requirements .................................................................................................................. 216
8.1.5. Determining which Multicast Protocols to Enable ...................................................................................... 216
8.1.6. Multicast Routing Tables ............................................................................................................................. 216
8.1.7. Multicast Tunneling .................................................................................................................................... 216
8.1.8. IGMP ........................................................................................................................................................... 217
8.1.9. MLD Protocol .............................................................................................................................................. 217
8.1.10. PIM Protocol ............................................................................................................................................... 218
8.2. Default L3 Multicast Values ........................................................................................ 219
8.3. L3 Multicast Configuration Examples .......................................................................... 221
8.3.1. Configuring Multicast VLAN Routing with IGMP and PIM-SM .................................................................... 221
8.3.2. Example 1: MLDv1 Configuration ................................................................................................................ 223
8.3.3. Example 2: MLDv2 Configuration ................................................................................................................ 224
8.3.4. Example 3: MLD Configuration Verification ................................................................................................ 225
9. Configuring Data Center Features ............................................ 226
9.1. Data Center Technology Overview .............................................................................. 226
9.2. Priority-based Flow Control ........................................................................................ 226
9.2.1. PFC Operation and Behavior ....................................................................................................................... 227
9.2.2. Configuring PFC ........................................................................................................................................... 227
9.3. Data Center Bridging Exchange Protocol ..................................................................... 228
9.3.1. Interoperability with IEEE DCBX .................................................................................................................. 229
9.3.2. DCBX and Port Roles ................................................................................................................................... 229
9.3.3. Configuration Source Port Selection Process .............................................................................................. 230
9.3.4. Configuring DCBX ........................................................................................................................................ 231
9.4. CoS Queuing ............................................................................................................... 232
9.4.1. CoS Queuing Function and Behavior ........................................................................................................... 233
9.4.2. Configuring CoS Queuing and ETS ............................................................................................................... 235
9.5. Enhanced Transmission Selection ............................................................................... 237
9.5.1. ETS Operation and Dependencies ............................................................................................................... 237
9.6. VXLAN Gateway Operation and Configuration ............................................................ 238
9.6.1. Overview ..................................................................................................................................................... 238
9.6.2. Functional Description ................................................................................................................................ 239
9.6.3. VXLAN Configuration Examples .................................................................................................................. 244
Appendix A: Terms and Acronyms ................................................... 249

1. Supported Features on the M4500 Series Switches

This section provides a brief overview of the supported features on the M4500 Series Switches. The features are categorized as follows:

1.1. Switching Features Introduction

1.1.1. VLAN Support

VLANs are collections of switching ports that comprise a single broadcast domain. Packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingress port and packet contents. Packets sharing common attributes can be grouped in the same VLAN. The switch software is in full compliance with IEEE 802.1Q VLAN tagging.

1.1.2. Double VLANs

The Double VLAN feature (IEEE 802.1QinQ) allows the use of a second tag on network traffic. The additional tag helps differentiate between customers in the Metropolitan Area Networks (MAN) while preserving individual customer’s VLAN identification when they enter their own 802.1Q domain.

1.1.3. Switching Modes

The switchport mode feature helps to minimize the potential for configuration errors. The feature also makes VLAN configuration easier by reducing the amount of commands needed for port configuration. For example, to configure a port connected to an end user, you can configure the port in Access mode. Ports connected to other switches can be configured in Trunk mode. VLAN assignments and tagging behavior are automatically configured as appropriate for the connection type.

1.1.4. Spanning Tree Protocols (STP)

Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of Layer 2 switches that allows bridges to automatically prevent and resolve L2 forwarding loops. The STP feature supports a variety of per-port settings including path cost, priority settings, Port Fast mode, STP Root Guard, Loop Guard, TCN Guard, and Auto Edge. These settings are also configurable per-Port-channel.

1.1.5. Rapid Spanning Tree

Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies to enable faster spanning tree convergence after a topology change, without creating forwarding loops. The port settings supported by STP are also supported by RSTP.

1.1.6. Multiple Spanning Tree

Multiple Spanning Tree (MSTP) operation maps VLANs to spanning tree instances. Packets assigned to various VLANs are transmitted along different paths within MSTP Regions (MST Regions). Regions are one or more interconnected MSTP bridges with identical MSTP settings. The MSTP standard lets administrators assign VLAN traffic to unique paths.
The switch supports IEEE 802.1Q-2005, a version that corrects problems associated with the previous version, provides for faster transition to forwarding, and incorporates new per-port features (restricted role and restricted TCN).

1.1.7. Bridge Protocol Data Unit (BPDU) Guard

Spanning Tree BPDU Guard is used to disable the port in case a new device tries to enter the already existing topology of STP. Thus devices, which were originally not a part of STP, are not allowed to influence the STP topology.

1.1.8. Port-channel

Up to 32 ports can be combined to form a single Port-channel. This provides fault tolerance against physical link disruption, higher bandwidth connections, and improved bandwidth granularity.
A Port-channel is composed of ports of the same speed, set to full-duplex operation.

1.1.9. Link Aggregate Control Protocol (LACP)

Link Aggregate Control Protocol (LACP) uses peer exchanges across links to determine, on an ongoing basis, the aggregation capability of various links, and continuously provides the maximum level of aggregation capability achievable between a given pair of systems. LACP automatically determines, configures, binds, and monitors the binding of ports to aggregators within the system.

1.1.10. Multi Chassis Link Aggregation Group (MLAG)

This feature enables a Port-channel to be created across two independent units, so that some member ports of the MLAG reside on one unit and the other members reside on the other unit. The partner device on the remote side can be an MLAG-unaware unit; to such a unit, the MLAG appears to be a single Port-channel connected to a single unit.

1.1.11. Flow Control Support (IEEE 802.3x)

Flow control enables lower speed switches to communicate with higher speed switches by requesting that the higher speed switch refrain from sending packets. Transmissions are temporarily halted to prevent buffer overflows.

1.1.12. Asymmetric Flow Control

When in asymmetric flow control mode, the switch responds to PAUSE frames received from peers by stopping packet transmission, but the switch does not initiate MAC control PAUSE frames.
When the switch is configured in asymmetric flow control (or no flow control mode), the device is placed in egress drop mode. Egress drop mode maximizes the throughput of the system at the expense of packet loss in a heavily congested system, and this mode avoids head of line blocking.
Asymmetric flow control is not supported on Fast Ethernet platforms because support was introduced to the physical layer with the Gigabit PHY specifications.

1.1.13. Alternate Store and Forward (ASF)

The Alternate Store and Forward (ASF) feature, which is also known as cut-through mode, reduces latency for large packets. When ASF is enabled, the memory management unit (MMU) can forward a packet to the egress port before it has been entirely received on the Cell Buffer Pool (CBP) memory.

1.1.14. Jumbo Frames Support

Jumbo frames enable transporting data in fewer frames to ensure less overhead, lower processing time, and fewer interrupts. The maximum transmission unit (MTU) size is configurable per-port.

1.1.15. Auto-MDI/MDIX Support

Your switch supports auto-detection between crossed and straight-through cables. Media-Dependent Interface (MDI) is the standard wiring for end stations, and the standard wiring for hubs and switches is known as Media-Dependent Interface with Crossover (MDIX).

1.1.16. Unidirectional Link Detection (UDLD)

The UDLD feature detects unidirectional links on physical ports by exchanging packets containing information about neighboring devices. The purpose of the UDLD feature is to detect and avoid unidirectional links. A unidirectional link is a forwarding anomaly in a Layer 2 communication channel in which a bidirectional link stops passing traffic in one direction.

1.1.17. Expandable Port Configuration

Expandable ports allow you to configure a 100GbE port in either 4×25/10GbE mode or 1×40GbE mode. When the 100GbE port is operating in 4×25/10GbE mode, the port operates as four 25/10GbE ports, each on a separate lane. This mode requires the use of a suitable 4×25GbE to 1×100GbE pigtail cable.
Expandable port capability can be enabled on 100G ports using the CLI command [no] port-mode. A change to the port mode is made effective immediately.

1.1.18. VLAN-aware MAC-based Switching

Packets arriving from an unknown source address are sent to the CPU and added to the Hardware Table. Future packets addressed to or from this address are more efficiently forwarded.

1.1.19. Back Pressure Support

On half-duplex links, a receiver may prevent buffer overflows by jamming the link so that it is unavailable for additional traffic. On full duplex links, a receiver may send a PAUSE frame indicating that the transmitter should cease transmission of frames for a specified period.
When flow control is enabled, the switch will observe received PAUSE frames or jamming signals, and will issue them when congested.

1.1.20. Auto Negotiation

Auto negotiation allows the switch to advertise modes of operation. The auto negotiation function provides the means to exchange information between two switches that share a point-to-point link segment, and to automatically configure both switches to take maximum advantage of their transmission capabilities.
The switch enhances auto negotiation by providing configuration of port advertisement. Port advertisement allows the system administrator to configure the port speeds that are advertised.

1.1.21. Storm Control

When Layer 2 frames are forwarded, broadcast, unknown unicast, and multicast frames are flooded to all ports on the relevant virtual local area network (VLAN). The flooding occupies bandwidth, and loads all nodes connected on all ports. Storm control limits the amount of broadcast, unknown unicast, and multicast frames accepted and forwarded by the switch.
For each port and each storm control type (broadcast, multicast, or unicast), the storm control feature can be configured either to automatically shut down the port when a storm condition is detected on it, or to send a trap to the system log. When configured to shut down, the port is put into a diagnostic-disabled state, and the user must manually re-enable the interface for it to be operational. When configured to send a trap, the trap is sent once every 30 seconds. When neither action is configured, the switch rate-limits the traffic when storm conditions occur.
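The following model of the storm control behaviour just described is an added example written for this page, not NETGEAR code or the switch's implementation. It replays per-port, per-type rate samples through the three outcomes the overview lists (diagnostic-disable, a trap at most once every 30 seconds, or rate-limiting when no action is configured); the trap action is taken literally as "send a trap" without limiting traffic. Port names, thresholds and observed rates are constructed for the demonstration.

```python
"""Storm control policy model (added example, not NETGEAR code)."""
from dataclasses import dataclass
from typing import Optional

TRAP_INTERVAL = 30.0                              # seconds between repeated traps
TYPES = ("broadcast", "multicast", "unicast")     # "unicast" = unknown unicast


@dataclass
class StormPolicy:
    threshold_pps: int
    action: Optional[str]   # "shutdown", "trap" or None (rate-limit only)


class StormControl:
    def __init__(self):
        self.policies = {}        # (port, traffic_type) -> StormPolicy
        self.diag_disabled = set()
        self.last_trap = {}       # (port, traffic_type) -> time of the last trap
        self.traps = []           # (time, port, traffic_type) sent to the system log

    def configure(self, port, traffic_type, threshold_pps, action=None):
        """Attach a storm control policy to one port and one traffic type."""
        if traffic_type not in TYPES:
            raise ValueError(f"unknown traffic type {traffic_type}")
        if action not in (None, "shutdown", "trap"):
            raise ValueError(f"unknown action {action}")
        self.policies[(port, traffic_type)] = StormPolicy(threshold_pps, action)

    def observe(self, port, traffic_type, pps, now):
        """Apply the policy to an observed rate; return the forwarded rate in pps."""
        if port in self.diag_disabled:
            return 0                       # nothing passes until the operator re-enables
        policy = self.policies.get((port, traffic_type))
        if policy is None or pps <= policy.threshold_pps:
            return pps                     # no policy, or below threshold
        if policy.action == "shutdown":
            self.diag_disabled.add(port)   # diagnostic-disabled state
            return 0
        if policy.action == "trap":
            last = self.last_trap.get((port, traffic_type))
            if last is None or now - last >= TRAP_INTERVAL:
                self.traps.append((now, port, traffic_type))
                self.last_trap[(port, traffic_type)] = now
            return pps                     # trap only; traffic is not limited here
        return policy.threshold_pps        # neither action: rate-limit to the threshold

    def enable(self, port):
        """Operator's manual re-enable of a diagnostic-disabled interface."""
        self.diag_disabled.discard(port)


if __name__ == "__main__":
    sc = StormControl()
    sc.configure("p1", "broadcast", 1000, "shutdown")
    print(sc.observe("p1", "broadcast", 5000, 0.0), sorted(sc.diag_disabled))
```

A port that was shut down returns 0 for every traffic type, not just the one that stormed, because the whole interface is in the diagnostic-disabled state; the trap timestamp is kept per port and type so a second storm type on the same port gets its own trap.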

1.1.22. Port Mirroring

Port mirroring monitors and mirrors network traffic by forwarding copies of incoming and outgoing packets from up to four source ports to a monitoring port. The switch also supports flow-based mirroring, which allows you to copy certain types of traffic to a single destination port. This provides flexibility—instead of mirroring all ingress or egress traffic on a port the switch can mirror a subset of that traffic. You can configure the switch to mirror flows based on certain kinds of Layer 2, Layer 3, and Layer 4 information.
The switch supports up to four monitor sessions. Port mirroring, flow based mirroring, RSPAN, and VLAN mirroring can be configured at the same time on the switch using different session IDs and in any combinations. Any two sessions cannot be identical. Multiple mirroring sessions are supported for all types of mirroring.
A given interface can be used as a source interface for different sessions. For example, one mirroring session can be created with port A as the source interface and port B as the destination interface, and another session with port A as the source interface and port C as the destination interface. An interface cannot be configured as a destination interface for more than one session.
An IP/MAC access-list can be attached to any mirroring session or to all sessions at the same time.

1.1.23. sFlow

sFlow is the standard for monitoring high-speed switched and routed networks. sFlow technology is built into network equipment and gives complete visibility into network activity, enabling effective management and control of network resources. The switch supports sFlow version 5.

1.1.24. Static and Dynamic MAC Address Tables

You can add static entries to the switch’s MAC address table and configure the aging time for entries in the dynamic MAC address table. You can also search for entries in the dynamic table based on several different criteria.

1.1.25. Link Layer Discovery Protocol (LLDP)

The IEEE 802.1AB defined standard, Link Layer Discovery Protocol (LLDP), allows the switch to advertise major capabilities and physical descriptions. This information can help you identify system topology and detect bad configurations on the LAN.

1.1.26. Link Layer Discovery Protocol (LLDP) for Media Endpoint Device

The Link Layer Discovery Protocol for Media Endpoint Devices (LLDP-MED) provides an extension to the LLDP standard for network configuration and policy, device location, Power over Ethernet management, and inventory management.

1.1.27. DHCP Layer 2 Relay

This feature permits Layer 3 Relay agent functionality in Layer 2 switched networks. The switch supports L2 DHCP relay configuration on individual ports, Port-channels and VLANs.

1.1.28. MAC Multicast Support

Multicast service is a limited broadcast service that allows one-to-many and many-to-many connections. In Layer 2 multicast services, a single frame addressed to a specific multicast address is received, and a copy of the frame is created for transmission on each relevant port.

1.1.29. IGMP Snooping

Internet Group Management Protocol (IGMP) Snooping is a feature that allows a switch to forward multicast traffic intelligently on the switch. Multicast IP traffic is traffic that is destined to a host group. Host groups are identified by class D IP addresses, which range from 224.0.0.0 to 239.255.255.255. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request the multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly affecting network performance.

1.1.30. SDVoE

SDVoE (Software Defined Video-over-Ethernet) is the latest high-performance, software-based AV-over-IP platform for control and distribution of audio and video over Ethernet and fiber networks.

1.1.31. Source Specific Multicasting (SSM)

This mechanism provides the ability for a host to report interest in receiving a particular multicast stream only from among a set of specific source addresses, or its interest in receiving a multicast stream from any source other than a set of specific source addresses.

1.1.32. Control Packet Flooding

This feature enhances the MGMD Snooping functionality to flood multicast packets with DIP=224.0.0.x to all members of the incoming VLAN irrespective of the configured filtering behavior. This enhancement depends on the ability of the switch to flood packets with DIP=224.0.0.x irrespective of the entries in the L2 Multicast Forwarding Tables.

1.1.33. Flooding to mRouter Ports

This feature enhances the MGMD Snooping functionality to flood unregistered multicast streams to all mRouter ports in the VLAN irrespective of the configured filtering behavior. This enhancement depends on the ability of the switch to flood packets to specific ports in the incoming VLAN when there are no entries in the L2 Multicast Forwarding Tables for the specific stream. In platforms that do not have the hardware capability, incoming multicast streams are always flooded in the ingress VLAN when the switch supports an “L2 multicast miss.”
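The forwarding decision that sections 1.1.29, 1.1.32 and 1.1.33 describe, as an added example written for this page (not NETGEAR code or the switch's forwarding logic): a registered group goes only to the ports that sent IGMP reports, packets with DIP=224.0.0.x are flooded to every member of the ingress VLAN regardless of the forwarding table, and an unregistered stream is flooded only to the VLAN's mRouter ports. It also forwards registered streams to the mRouter ports, which is standard snooping behaviour that the overview does not spell out. Port names, VLAN IDs and group addresses are constructed.

```python
"""Layer 2 multicast forwarding decision (added example, not NETGEAR code)."""
import ipaddress

CLASS_D = ipaddress.ip_network("224.0.0.0/4")       # 224.0.0.0 - 239.255.255.255
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")   # DIP=224.0.0.x control range


def is_multicast(dip: str) -> bool:
    """True if dip is a class D (host group) address."""
    return ipaddress.ip_address(dip) in CLASS_D


class SnoopingSwitch:
    def __init__(self, vlan_members, mrouter_ports):
        # vlan_members: {vlan_id: set of member ports}
        # mrouter_ports: {vlan_id: set of ports on which a multicast router was seen}
        self.vlan_members = vlan_members
        self.mrouter_ports = mrouter_ports
        self.groups = {}  # (vlan_id, group) -> set of ports that sent an IGMP report

    def igmp_report(self, vlan_id, group, port):
        """A host on `port` joined `group` (learned from an IGMP report)."""
        self.groups.setdefault((vlan_id, group), set()).add(port)

    def igmp_leave(self, vlan_id, group, port):
        """A host on `port` left `group`; drop the entry when nobody is left."""
        members = self.groups.get((vlan_id, group))
        if members:
            members.discard(port)
            if not members:
                del self.groups[(vlan_id, group)]

    def egress_ports(self, vlan_id, ingress_port, dip):
        """Return the set of ports a multicast packet is forwarded to."""
        if not is_multicast(dip):
            raise ValueError(f"{dip} is not a class D address")
        members = self.vlan_members[vlan_id] - {ingress_port}
        if ipaddress.ip_address(dip) in LINK_LOCAL:
            # Control packet flooding: 224.0.0.x reaches every VLAN member,
            # irrespective of the L2 multicast forwarding table.
            return members
        receivers = self.groups.get((vlan_id, dip), set())
        mrouters = self.mrouter_ports.get(vlan_id, set())
        if not receivers:
            # Unregistered stream: flood to mRouter ports only, not to the VLAN.
            return mrouters & members
        # Registered stream: reporting hosts plus mRouter ports (assumption:
        # standard snooping behaviour; the overview says "ports that request").
        return (receivers | mrouters) & members


if __name__ == "__main__":
    sw = SnoopingSwitch({10: {"p1", "p2", "p3", "p4"}}, {10: {"p4"}})
    sw.igmp_report(10, "239.1.1.1", "p2")
    print(sorted(sw.egress_ports(10, "p1", "239.1.1.1")))   # registered stream
    print(sorted(sw.egress_ports(10, "p1", "239.9.9.9")))   # unregistered stream
    print(sorted(sw.egress_ports(10, "p1", "224.0.0.5")))   # control packet flooding
```

The ingress port is always removed from the result, so a stream arriving on the mRouter port itself is delivered to the reporting hosts only.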

1.1.34. IGMP Snooping Querier

When Protocol Independent Multicast (PIM) and IGMP are enabled in a network with IP multicast routing, the IP multicast router acts as the IGMP querier. However, if it is desirable to keep the multicast network Layer 2 switched only, the IGMP Snooping Querier can perform the query functions of a Layer 3 multicast router.

1.1.35. Management and Control Plane ACLs

This feature provides hardware-based filtering of traffic to the CPU. An optional 'management' feature is available to apply the ACL on the CPU port. Currently, control packets like BPDU are dropped because of the implicit 'deny all' rule added at the end of the list. To overcome this rule, you must add rules that allow the control packets.
Support for user-defined simple rate limiting rule attributes for inbound as well as outbound traffic is also available. This attribute is supported on all QoS capable interfaces - physical, Port-channel, and control-plane.

1.1.36. Remote Switched Port Analyzer (RSPAN)

Along with the physical source ports, the network traffic received/transmitted on a VLAN can be monitored. A port mirroring session is operationally active if and only if both a destination (probe) port and at least one source port or VLAN is configured. If neither is true, the session is inactive. The switch supports remote port mirroring. The switch also supports VLAN mirroring. Traffic from/to all the physical ports which are members of that particular VLAN is mirrored.
Note: The source for a port mirroring session can be either physical ports or VLAN.
For Flow-based mirroring, ACLs are attached to the mirroring session. The network traffic that matches the ACL is only sent to the destination port. This feature is supported for remote monitoring also. IP/MAC access-list can be attached to the mirroring session.
Note: Flow-based mirroring is supported only if QoS feature exists in the package.
Up to four RSPAN sessions can be configured on the switch and up to four RSPAN VLANs are supported. An RSPAN VLAN cannot be configured as a source for more than one session at the same time. To configure four RSPAN mirroring sessions, you must configure four RSPAN VLANs.

1.1.37. Link Dependency

The Link Dependency feature supports enabling/disabling ports based on the link state of other ports (i.e., making the link state of some ports dependent on the link state of others). In the simplest form, if port A is dependent on port B and the switch detects link loss on B, the switch automatically brings down the link on port A. When the link is restored to port B, the switch automatically restores the link to port A. The link action command option determines whether link A will come up/go down, depending upon the state of link B.

1.1.38. IPv6 Router Advertisement Guard

The switch supports IPv6 Router Advertisement Guard (RA-Guard) to protect against attacks via rogue Router Advertisements in accordance with RFC 6105. RA-Guard supports Stateless RA-Guard, for which you can configure the interface to allow received router advertisements and router redirect messages to be processed/forwarded or dropped.
By default, RA-Guard is not enabled on any interfaces. RA-Guard is enabled/disabled on physical interfaces or Port-channels. RA-Guard does not require IPv6 routing to be enabled.

1.1.39. FIP Snooping

The FCoE Initialization Protocol (FIP) is used to perform the functions of FC_BB_E device discovery, initialization, and maintenance. FIP uses a separate EtherType from FCoE to distinguish discovery, initialization, and maintenance traffic from other FCoE traffic. FIP frames are standard Ethernet size (1518 Byte 802.1q frame), whereas FCoE frames are a maximum of 2240 bytes.
FIP snooping is a frame inspection method used by FIP Snooping Bridges to monitor FIP frames and apply policies based upon the L2 header information in those frames.
FIP snooping allows for:
Auto-configuration of Ethernet ACLs based on information in the Ethernet headers of FIP frames.
Emulation of FC point-to-point links within the DCB Ethernet network.
Enhanced FCoE security/robustness by preventing FCoE MAC spoofing.
The role of FIP snooping-enabled ports on the switch falls under one of the following types:
o Perimeter or Edge port (connected directly to a Fibre Channel end node or ENode).
o Fibre Channel forwarder (FCF) facing port (that receives traffic from FCFs targeted to the ENodes).
Note: The FIP Snooping Bridge feature supports the configuration of the perimeter port role and FCF-facing port roles and is intended for use only at the edge of the switched network.
The default port role in an FCoE-enabled VLAN is as a perimeter port. FCF-facing ports are configured by the user.

1.1.40. ECN Support

Explicit Congestion Notification (ECN) is defined in RFC 3168. Conventional TCP networks signal congestion by dropping packets. A Random Early Discard scheme provides earlier notification than tail drop by dropping packets already queued for transmission. ECN marks congested packets that would otherwise have been dropped and expects an ECN capable receiver to signal congestion back to the transmitter without the need to retransmit the packet that would have been dropped. For TCP, this means that the TCP receiver signals a reduced window size to the transmitter but does not request retransmission of the CE marked packet.
The switch implements ECN capability as part of the WRED configuration process. It is configured as a parameter of the random-detect command. Eligible packets are marked by hardware based upon the WRED configuration. You can configure any CoS queue to operate in ECN marking mode and can configure different discard thresholds for each color.
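The WRED-with-ECN decision described above, as an added Python example that is not NETGEAR's implementation: per-color minimum and maximum thresholds, a linear drop/mark probability between them, CE marking for ECN-capable (ECT) packets when the queue is in ECN mode, dropping otherwise, and tail drop above the maximum threshold as RFC 3168 specifies. The threshold values and the traffic mix in simulate() are constructed.

```python
import random

# Constructed WRED profile per packet color:
# (min threshold, max threshold, drop/mark probability at the max threshold)
PROFILE = {
    "green":  (40, 80, 0.10),
    "yellow": (20, 60, 0.50),
    "red":    (10, 30, 1.00),
}

ENQUEUE, MARK, DROP = "enqueue", "mark", "drop"


def wred_ecn_decision(avg_depth, color, ect_capable, ecn_enabled,
                      profile=PROFILE, roll=None):
    """Decide what happens to one arriving packet.

    avg_depth   - the queue's average depth in packets (an EWMA in real hardware)
    color       - 'green', 'yellow' or 'red' as assigned by the policer
    ect_capable - True if the IP header carries ECT(0) or ECT(1)
    ecn_enabled - True if this CoS queue operates in ECN marking mode
    roll        - uniform [0, 1) sample; pass one in for a deterministic result
    """
    lo, hi, p_max = profile[color]
    if avg_depth < lo:
        return ENQUEUE                        # below min threshold: no congestion
    if avg_depth >= hi:
        return DROP                           # above max threshold: tail drop (RFC 3168)
    p = p_max * (avg_depth - lo) / (hi - lo)  # linear ramp between the thresholds
    if roll is None:
        roll = random.random()
    if roll >= p:
        return ENQUEUE                        # not selected this time
    if ecn_enabled and ect_capable:
        return MARK                           # set CE instead of dropping the packet
    return DROP                               # classic RED behaviour


def simulate(n_packets, avg_depth, ecn_enabled, seed=1):
    """Count outcomes for a constructed mix of colors and ECT capability."""
    rng = random.Random(seed)
    counts = {ENQUEUE: 0, MARK: 0, DROP: 0}
    for i in range(n_packets):
        color = ("green", "yellow", "red")[i % 3]
        ect = (i % 2 == 0)                    # every other packet is ECN-capable
        outcome = wred_ecn_decision(avg_depth, color, ect, ecn_enabled,
                                    roll=rng.random())
        counts[outcome] += 1
    return counts


if __name__ == "__main__":
    print("RED only :", simulate(3000, avg_depth=35, ecn_enabled=False))
    print("RED + ECN:", simulate(3000, avg_depth=35, ecn_enabled=True))
```

With the same seed both runs select the same packets; ECN mode converts the ECT half of those selections from drops into CE marks, which is the saved retransmission the section describes.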

1.2. Security Features

1.2.1. Configurable Access and Authentication Profiles

You can configure rules to limit access to the switch management interface based on criteria such as access type and source IP address of the management host. You can also require the user to be authenticated locally or by an external server, such as a RADIUS server.

1.2.2. AAA Command Authorization

This feature enables AAA Command Authorization on the switch.

1.2.3. Password-protected Management Access

Access to the CLI and SNMP management interfaces is password protected, and there are no default users on the system.

1.2.4. Strong Password Enforcement

The Strong Password feature enforces a baseline password strength for all locally administered users. Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The strength of a password is a function of length, complexity and randomness. Using strong passwords lowers overall risk of a security breach.

1.2.5. MAC-based Port Security

The port security feature limits access on a port to users with specific MAC addresses. These addresses are manually defined or learned on that port. When a frame is seen on a locked port, and the frame source MAC address is not tied to that port, the protection mechanism is invoked.

1.2.6. RADIUS Client

The switch has a Remote Authentication Dial In User Service (RADIUS) client and can support up to 32 authentication and accounting RADIUS servers.

1.2.7. TACACS+ Client

The switch has a TACACS+ client. TACACS+ provides centralized security for validation of users accessing the switch. TACACS+ provides a centralized user management system while still retaining consistency with RADIUS and other authentication processes.

1.2.8. Dot1x Authentication (IEEE 802.1X)

Dot1x authentication enables the authentication of system users through a local internal server or an external server. Only authenticated and approved system users can transmit and receive data. Supplicants are authenticated using the Extensible Authentication Protocol (EAP). Also supported are PEAP, EAP-TTL, EAP-TTLS, and EAP-TLS.
The switch supports RADIUS-based assignment (via 802.1X) of VLANs, including guest and unauthenticated VLANs. The Dot1X feature also supports RADIUS-based assignment of filter IDs as well as MAC-based authentication, which allows multiple supplicants connected to the same port to each authenticate individually.

1.2.9. MAC Authentication Bypass

The switch supports the MAC-based Authentication Bypass (MAB) feature, which provides 802.1x-unaware clients (such as printers and fax machines) controlled access to the network using the device's MAC address as an identifier. This requires that the known and allowable MAC address and corresponding access rights be pre-populated in the authentication server. MAB works only when the port control mode of the port is MAC-based.

1.2.10. DHCP Snooping

DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server. It filters harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are specified as authorized. DHCP snooping can be enabled globally and on specific VLANs. Ports within the VLAN can be configured to be trusted or untrusted. DHCP servers must be reached through trusted ports. This feature is supported for both IPv4 and IPv6 packets.

1.2.11. DHCPv6 Snooping

In an IPv6 domain, a node can obtain an IPv6 address using the following mechanisms:
IPv6 address auto-configuration using router advertisements
The DHCPv6 protocol
In a typical man-in-the-middle (MiM) attack, the attacker can snoop or spoof the traffic and act as a rogue DHCPv6 server. To prevent such attacks, DHCPv6 snooping helps to secure the IPv6 address configuration in the network.
DHCPv6 snooping enables the switch to filter untrusted DHCPv6 packets in a subnet on an IPv6 network. DHCPv6 snooping can ward off MiM attacks, such as a malicious user posing as a DHCPv6 server and sending false DHCPv6 server reply packets with the intention of misdirecting other users. DHCPv6 snooping can also stop unauthorized DHCPv6 servers and prevent errors due to user misconfiguration of DHCPv6 servers.

1.2.12. Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious station sends ARP requests or responses mapping another station's IP address to its own MAC address.

1.2.13. IP Source Address Guard

IP Source Guard and Dynamic ARP Inspection use the DHCP snooping bindings database. When IP Source Guard is enabled, the switch drops incoming packets that do not match a binding in the bindings database. IP Source Guard can be configured to enforce just the source IP address or both the source IP address and source MAC address. Dynamic ARP Inspection uses the bindings database to validate ARP packets. This feature is supported for both IPv4 and IPv6 packets.
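The bindings database shared by DHCP Snooping, Dynamic ARP Inspection and IP Source Guard, as an added Python model that is not the NETGEAR software: it drops DHCP server replies arriving on untrusted ports, learns an authorized (MAC address, IP address, VLAN ID, port) tuple from a REQUEST/ACK exchange, and then uses that tuple to filter IP packets (IPSG, in either the IP-only or the IP-and-MAC mode) and ARP packets (DAI). The port names, MAC addresses, message dictionaries and the scenario in demo() are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One authorized (MAC address, IP address, VLAN ID, port) tuple."""
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Toy model of DHCP snooping with IP Source Guard (IPSG) and DAI on top."""

    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, snooped_vlans, trusted_ports):
        self.snooped_vlans = set(snooped_vlans)
        self.trusted_ports = set(trusted_ports)
        self.bindings = {}    # (vlan, client MAC) -> Binding
        self.pending = {}     # (vlan, client MAC) -> port that sent the REQUEST
        self.ipsg_ports = {}  # port -> "ip" or "ip-mac" (what IPSG verifies)

    def dhcp_message(self, port, vlan, msg):
        """DHCP snooping: return True to forward the message, False to drop it.

        msg is a constructed dict with 'type' and 'chaddr' (client MAC); a
        REQUEST also carries 'src_mac', an ACK carries 'yiaddr' (leased IP).
        """
        if vlan not in self.snooped_vlans:
            return True                       # snooping not enabled: untouched
        trusted = port in self.trusted_ports
        kind = msg["type"]
        if kind in self.SERVER_MSGS and not trusted:
            return False                      # server reply on an untrusted port
        key = (vlan, msg["chaddr"])
        if kind == "REQUEST" and not trusted:
            if msg["src_mac"] != msg["chaddr"]:
                return False                  # client hardware address spoofed
            self.pending[key] = port          # remember where the client lives
        elif kind == "ACK" and key in self.pending:
            client_port = self.pending.pop(key)
            self.bindings[key] = Binding(msg["chaddr"], msg["yiaddr"], vlan, client_port)
        elif kind == "RELEASE" and not trusted:
            current = self.bindings.get(key)
            if current is None or current.port != port:
                return False                  # RELEASE for a lease held elsewhere
            del self.bindings[key]
        return True

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: forward only if a binding on this port matches."""
        mode = self.ipsg_ports.get(port)
        if mode is None:
            return True                       # IPSG not enabled on this port
        for b in self.bindings.values():
            if b.vlan == vlan and b.port == port and b.ip == src_ip:
                if mode == "ip" or b.mac == src_mac:
                    return True
        return False

    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the sender MAC/IP pair must match a binding."""
        if port in self.trusted_ports or vlan not in self.snooped_vlans:
            return True
        b = self.bindings.get((vlan, sender_mac))
        return b is not None and b.ip == sender_ip and b.port == port


def demo():
    """Constructed scenario: a host on 0/1, the DHCP server behind trusted
    port 0/24, and a second host on 0/2 that imitates the server and the host."""
    sw = SnoopingSwitch(snooped_vlans=[10], trusted_ports=["0/24"])
    sw.ipsg_ports["0/1"] = "ip-mac"
    host, rogue = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # constructed MACs
    results = {}
    results["rogue_offer"] = sw.dhcp_message("0/2", 10, {"type": "OFFER", "chaddr": host})
    sw.dhcp_message("0/1", 10, {"type": "REQUEST", "chaddr": host, "src_mac": host})
    sw.dhcp_message("0/24", 10, {"type": "ACK", "chaddr": host, "yiaddr": "10.0.10.5"})
    results["host_ip"] = sw.ip_packet("0/1", 10, host, "10.0.10.5")
    results["host_spoofed_ip"] = sw.ip_packet("0/1", 10, host, "10.0.10.99")
    results["rogue_arp"] = sw.arp_packet("0/2", 10, rogue, "10.0.10.5")
    results["host_arp"] = sw.arp_packet("0/1", 10, host, "10.0.10.5")
    results["rogue_release"] = sw.dhcp_message("0/2", 10, {"type": "RELEASE", "chaddr": host})
    return results


if __name__ == "__main__":
    for name, forwarded in demo().items():
        print(f"{name:18s} {'forwarded' if forwarded else 'dropped'}")
```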

1.3. Quality of Service Features

1.3.1. Access Control Lists (ACL)

Access Control Lists (ACLs) ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach network resources. ACLs are used to provide traffic flow control, restrict contents of routing updates, decide which types of traffic are forwarded or blocked, and above all provide security for the network. The switch supports the following ACL types:
IPv4 ACLs
IPv6 ACLs
MAC ACLs
For all ACL types, you can apply the ACL rule when the packet enters or exits the physical port, Port-channel, or VLAN interface.

1.3.2. ACL Remarks

Users can use ACL remarks to include comments for ACL rule entries in any MAC ACL. Remarks assist the user in understanding ACL rules easily.

1.3.3. ACL Rule Priority

This feature allows the user to add sequence numbers to ACL rule entries and re-sequence them. When a new ACL rule entry is added, the sequence number can be specified so that the new ACL rule entry is placed in the desired position in the access list.

1.3.4. Differentiated Services (DiffServ)

The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors. The switch supports both IPv4 and IPv6 packet classification.

1.3.5. Class of Service (CoS)

The Class of Service (CoS) queueing feature lets you directly configure certain aspects of switch queuing. This provides the desired QoS behavior for different types of network traffic when the complexities of DiffServ are not required. CoS queue characteristics, such as minimum guaranteed bandwidth and transmission rate shaping, are configurable at the queue (or port) level.

1.4. Management Features

1.4.1. Management Options

You can use the following methods to manage the switch:
Use a telnet client, SSH client, or a direct console connection to access the CLI. The CLI syntax and semantics conform as much as possible to common industry practice.
Use a network management system (NMS) to manage and monitor the system through SNMP. The switch supports SNMP v1/v2c/v3 over the UDP/IP transport protocol.

1.4.2. Management of Basic Network Information

The DHCP client on the switch allows the switch to acquire information such as the IP address and default gateway from a network DHCP server. You can also disable the DHCP client and configure static network information. Other configurable network information includes a Domain Name Server (DNS), host name to IP address mapping, and a default domain name.
The switch also includes a DHCPv6 client for acquiring IPv6 addresses, prefixes, and other IPv6 network configuration information.

1.4.3. File Management

You can upload and download files such as configuration files and system images by using TFTP, Secure FTP (SFTP), or Secure Copy (SCP). Configuration file uploads from the switch to a server are a good way to back up the switch configuration. You can also download a configuration file from a server to the switch to restore the switch to the configuration in the downloaded file.

1.4.4. Malicious Code Detection

This feature provides a mechanism to detect whether the software image has been corrupted or tampered with while the end user attempts to download it to the switch. This release addresses this problem by using digital signatures to verify the integrity of the binary image. It also provides the flexibility to download a digitally signed configuration script and verify the digital signature to ensure the integrity of the downloaded configuration file.

1.4.5. Automatic Installation of Firmware and Configuration

The Auto Install feature allows the switch to upgrade the configuration file automatically during device initialization with limited administrative configuration on the device. The switch can obtain the necessary information from a DHCP server on the network.

1.4.6. Warm Reboot

The Warm Reboot feature reduces the time it takes to reboot the switch thereby reducing the traffic disruption in the network during a switch reboot. For a typical switch, the traffic disruption is reduced from about two minutes for a cold reboot to about 20 seconds for a warm reboot.

1.4.7. SNMP Alarms and Trap Logs

The system logs events with severity codes and timestamps. The events are sent as SNMP traps to a trap recipient list.

1.4.8. Remote Monitoring (RMON)

RMON is a standard Management Information Base (MIB) that defines current and historical MAC-layer statistics and control objects, allowing real-time information to be captured across the entire network. The data collected is defined in the RMON MIB, RFC 2819 (32-bit counters), RFC 3273 (64-bit counters), and RFC 3434 (High Capacity Alarm Table).

1.4.9. Statistics Application

The statistics application collects the statistics at a configurable time interval. The user can specify the port number(s) or a range of ports for statistics to be displayed. The configured time interval applies to all ports. Detailed statistics are collected between the specified time range in date and time format. The time range can be defined as having an absolute time entry and/or a periodic time. For example, a user can specify the statistics to be collected and displayed between 9:00 12 NOV 2011 (START) and 21:00 12 NOV 2011 (END) or schedule it on every MON, WED and FRI 9:00 (START) to 21:00 (END).
The user receives these statistics in a number of ways as listed below:
User requests through CLI for a set of counters.
User can configure the device to display statistics using syslog or email alert. The syslog or email alert messages are sent by the statistics application at END time.
Note: The statistics are presented on the console at END time.

1.4.10. Log Messages

The switch maintains in-memory log messages as well as persistent logs. You can also configure remote logging so that the switch sends log messages to a remote log server. You can also configure the switch to send log messages to a configured SMTP server. This allows you to receive the log message in an e-mail account of your choice. Switch auditing messages, CLI command logging, and SNMP logging can be enabled or disabled.

1.4.11. System Time Management

The switch can obtain the system time and date through the NTP (Network Time Protocol) service of a Linux server, or you can set the time and date locally or configure the time zone on the switch via Linux.

1.4.12. Source IP Address Configuration

Syslog, TACACS, SNTP, sFlow, SNMP Trap, RADIUS, and DNS Clients allow the IP Stack to select the source IP address while generating the packet. This feature provides an option for the user to select an interface for the source IP address while the management protocol transmits packets to management stations. The source address is specified for each protocol.

1.4.13. Multiple Linux Routing Tables

On Linux systems, local and default IPv4 routes for the service port and network port are installed in routing tables dedicated to each management interface. Locally-originated IPv4 packets use these routing tables when the source IP address of the packet matches an address on one of these interfaces. This feature allows the Linux IP stack to use default routes for different interfaces simultaneously.

1.4.14. Open Network Install Environment Support

Open Network Install Environment (ONIE) allows customers to install their choice of network operating system (NOS) onto a switch. When the switch boots, ONIE enables the switch to fetch a NOS stored on a remote server. The remote server can hold multiple NOS images, and you can specify which NOS to load and run on the switch. ONIE support in the switch software facilitates automated data center provisioning by enabling a bare-metal network switch ecosystem.
ONIE is a small operating system. It is preinstalled as firmware and requires an ONIE-compliant boot loader (U-Boot/BusyBox), a kernel (Linux) and the ONIE discovery and execution application. For more information about ONIE, see http://onie.github.io/onie.

1.4.15. Interface Error Disable and Auto Recovery

If the switch detects an error condition for an interface, it places the interface in the diagnostic disabled state by shutting down the interface. The error-disabled interface does not allow any traffic until it is reenabled. You can manually reenable the interface, or, if the Auto Recovery feature is enabled, the interface can be reenabled automatically after a configurable time-out period.
There are multiple reasons that may cause the switch to place an interface in the error-disabled state. Auto Recovery can be configured to take effect if an interface is error-disabled for any reason, or for some reasons but not others.

1.4.16. CLI Scheduler

The CLI scheduler allows customers to schedule fully-qualified EXEC mode CLI commands to run once, at specified intervals, at specified calendar dates and times, or upon system startup.
CLI scheduler has two basic processes. A policy list is configured containing lines of fully-qualified EXEC CLI commands to be run at the same time or same interval. One or more policy lists are then scheduled to run after a specified interval of time, at a specified calendar date and time, or upon system startup. Each scheduled occurrence can be set to run either once only or on a recurring basis.

1.5. Routing Features

1.5.1. IP Unnumbered

Each routing interface can be configured to borrow the IP address from the loopback interfaces and use this IP for all routing activities.
The IP Unnumbered feature was initially developed to avoid wasting an entire subnet on point-to-point serial links.
The IP Unnumbered feature can also be used in situations where adjacencies are transient and adjacent interfaces cannot be easily configured with IPv4 addresses in the same subnet. It also helps in reducing the configuration overhead in large scale Data-Center deployments.

1.5.2. Open Shortest Path First (OSPF)

Open Shortest Path First (OSPF) is a dynamic routing protocol commonly used within medium-to-large enterprise networks. OSPF is an interior gateway protocol (IGP) that operates within a single autonomous system.

1.5.3. Border Gateway Protocol (BGP)

BGP is an exterior routing protocol used in large-scale networks to transport routing information between autonomous systems (AS). As an interdomain routing protocol, BGP is used when AS path information is required to provide partial or full Internet routing downstream. The switch supports BGP version 4.
The following BGP features are supported:
Proprietary BGP MIB support for reporting status variables and internal counters.
Additional route map support:
o Match as-path
o Set as-path
o Set local-preference
o Set metric
Support for inbound and outbound neighbor-specific route maps.
Handling of the BGP RTO full condition.
Support for the show ip bgp command.
Support for the show ip bgp traffic command.
Support for the bgp always-compare-med command.
Support for a maximum number of 128 BGP neighbors.
A prefix list is supported to filter the output of the show ip bgp command.
Configurable maximum length of a received AS_PATH.
Show command to list the routes accepted from a specific neighbor.
Show command to list the routes rejected from a specific neighbor.
Support for BGP communities.
Support for IPv6:
o IPv6 transport and prefix list
Support for BGP peer templates to simplify neighbor configuration.

1.5.4. VLAN Routing

The switch supports VLAN routing. You can also configure the software to allow traffic on a VLAN to be treated as if the VLAN were a router port.

1.5.5. IP Configuration

The switch IP configuration settings allow you to configure network information for VLAN routing interfaces such as IP address and subnet mask, MTU size, and ICMP redirects. Global IP configuration settings for the switch allow you to enable or disable the generation of several types of ICMP messages and enable or disable the routing mode.

1.5.6. Address Resolution Protocol (ARP) Table Management

You can create static ARP entries and manage many settings for the dynamic ARP table, such as age time for entries, retries, and cache size.

1.5.7. BOOTP/DHCP Relay Agent

The switch BOOTP/DHCP Relay Agent feature relays BOOTP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets.

1.5.8. IP Helper and UDP Relay

The IP Helper and UDP Relay features provide the ability to relay various protocols to servers on a different subnet.

1.5.9. Routing Table

The routing table displays information about the routes that have been dynamically learned. You can configure static and default routes and route preferences. A separate table shows the routes that have been manually configured.

1.5.10. Virtual Router Redundancy Protocol (VRRP)

VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
VRRP Route Interface Tracking extends the capability of VRRP to allow tracking of specific route/interface IP states within the router that can alter the priority level of a virtual router for a VRRP group.

1.5.11. Algorithmic Longest Prefix Match (ALPM)

Algorithmic Longest Prefix Match (ALPM) is a protocol used by routers to select an entry from a forwarding table. When an exact match is not found in the forwarding table, the match with the longest subnet mask, also called longest prefix match, is chosen. It is called the longest prefix match because it is also the entry where the largest number of leading address bits of the destination address match those in the table entry.
ALPM enables support for a large number of routes. (For BGP, 32k IPv4 routes and 24k IPv6 routes are supported.)
The SDM template, “dual-ipv4-and-ipv6 alpm” is available to accommodate a large number of routes.
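The longest-prefix-match rule described above, as an added Python example that is not NETGEAR's ALPM implementation: a binary trie keyed on address bits, so the deepest prefix node reached while walking the destination address (the one sharing the most leading bits with it) is the match, and a /0 default route sits at the root as the fallback. The prefixes and next-hop labels are constructed.

```python
import ipaddress


class _Node:
    """One bit of the prefix trie; route is set where a configured prefix ends."""
    __slots__ = ("children", "route")

    def __init__(self):
        self.children = [None, None]
        self.route = None


class LpmTable:
    """Forwarding table with longest-prefix-match lookup for IPv4 and IPv6."""

    def __init__(self):
        self.roots = {4: _Node(), 6: _Node()}   # one trie per address family

    @staticmethod
    def _bits(value, width):
        """Yield the bits of an integer address from most to least significant."""
        for shift in range(width - 1, -1, -1):
            yield (value >> shift) & 1

    def add_route(self, prefix, next_hop):
        """Insert prefix (e.g. '10.1.0.0/16'): walk prefixlen bits, then attach."""
        net = ipaddress.ip_network(prefix, strict=True)
        node = self.roots[net.version]
        bits = self._bits(int(net.network_address), net.max_prefixlen)
        for _, bit in zip(range(net.prefixlen), bits):
            if node.children[bit] is None:
                node.children[bit] = _Node()
            node = node.children[bit]
        node.route = (net, next_hop)

    def lookup(self, destination):
        """Return (network, next_hop) of the longest matching prefix, or None."""
        addr = ipaddress.ip_address(destination)
        node = self.roots[addr.version]
        best = node.route                      # a /0 default route lives here
        for bit in self._bits(int(addr), addr.max_prefixlen):
            node = node.children[bit]
            if node is None:
                break                          # no longer prefix shares these bits
            if node.route is not None:
                best = node.route              # deeper node = more leading bits
        return best


def build_demo_table():
    """Constructed table: nested IPv4 prefixes plus two nested IPv6 prefixes."""
    table = LpmTable()
    for prefix, hop in [("0.0.0.0/0", "default-gw"), ("10.0.0.0/8", "core"),
                        ("10.1.0.0/16", "site-a"), ("10.1.2.0/24", "rack-7"),
                        ("2001:db8::/32", "v6-core"), ("2001:db8:1::/48", "v6-site-a")]:
        table.add_route(prefix, hop)
    return table


def next_hop(table, destination):
    """Convenience wrapper returning only the next-hop label (or None)."""
    match = table.lookup(destination)
    return None if match is None else match[1]


if __name__ == "__main__":
    t = build_demo_table()
    for dst in ["10.1.2.7", "10.1.9.9", "10.200.1.1", "192.0.2.1",
                "2001:db8:1::1", "2001:db8:2::1", "2001:db9::1"]:
        print(f"{dst:16s} -> {next_hop(t, dst)}")
```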

1.5.12. Bidirectional Forwarding Detection

Bidirectional Forwarding Detection (BFD) is presented as a service to its user applications, providing the options to create and destroy a session with a peer device and reporting upon the session status. On the switch, OSPF and BGP can use BFD for monitoring of their neighbors' availability in the network and for fast detection of connection faults with them.

1.5.13. VRF Lite Operation and Configuration

The Virtual Routing and Forwarding feature enables a router to function as multiple routers. Each virtual router manages its own routing domain, with its own IP routes, routing interfaces, and host entries. Each virtual router makes its own routing decisions, independent of other virtual routers. More than one virtual routing table may contain a route to a given destination. The network administrator can configure a subset of the router's interfaces to be associated with each virtual router. The router routes packets according to the virtual routing table associated with the packet's ingress interface. Each interface can be associated with at most one virtual router.

1.6. Layer 3 Multicast Features

1.6.1. Internet Group Management Protocol

The Internet Group Management Protocol (IGMP) is used by IPv4 systems (hosts and routers) to report their IP multicast group memberships to any neighboring multicast routers. The switch performs the “multicast router part” of the IGMP protocol, which means it collects the membership information needed by the active multicast router.

1.6.2. Protocol Independent Multicast

1.6.2.1. Sparse Mode (PIM-SM)
Protocol Independent Multicast-Sparse Mode (PIM-SM) is used to efficiently route multicast traffic to multicast groups that may span wide area networks, and where bandwidth is a constraint. PIM-SM uses shared trees by default and implements source-based trees for efficiency. A data threshold rate is used to toggle between the two kinds of tree.
1.6.2.2. Source Specific Multicast (PIM-SSM)
Protocol Independent Multicast—Source Specific Multicast (PIM-SSM) is a subset of PIM-SM and is used for one-to-many multicast routing applications, such as audio or video broadcasts. PIM-SSM does not use shared trees.
1.6.2.3. PIM IPv6 Support
PIM-DM and PIM-SM support IPv6 routes.

1.6.3. MLD/MLDv2 (RFC2710/RFC3810)

MLD is used by IPv6 systems (listeners and routers) to report their IP multicast address memberships to any neighboring multicast routers. The implementation of MLD v2 is backward compatible with MLD v1.
The MLD protocol enables the IPv6 router to discover the presence of multicast listeners, the nodes that want to receive the multicast data packets, on its directly attached interfaces. The protocol specifically discovers which multicast addresses are of interest to its neighboring nodes and provides this information to the multicast routing protocol that makes the decision on the flow of the multicast data packets.

1.7. Data Center Features

1.7.1. Priority-Based Flow Control

The Priority-Based Flow Control (PFC) feature allows the user to pause or inhibit transmission of individual priorities within a single physical link. By configuring PFC to pause a congested priority (priorities) independently, protocols that are highly loss sensitive can share the same link with traffic that has different loss tolerances. Priorities are differentiated by the priority field of the 802.1Q VLAN header.
An interface that is configured for PFC is automatically disabled for 802.3x flow control.

1.7.2. Data Center Bridging Exchange Protocol

The Data Center Bridging Exchange Protocol (DCBX) is used by data center bridge devices to exchange configuration information with directly-connected peers. The protocol is also used to detect misconfiguration of the peer DCBX devices and optionally, for configuration of peer DCBX devices.

1.7.3. CoS Queuing and Enhanced Transmission Selection

The CoS Queuing feature allows the switch administrator to directly configure certain aspects of the device hardware queuing to provide the desired QoS behavior for different types of network traffic. The priority of a packet arriving at an interface can be used to steer the packet to the appropriate outbound CoS queue through a mapping table. CoS queue characteristics such as minimum guaranteed bandwidth, transmission rate shaping, etc. are user configurable at the queue (or port) level.
Enhanced Transmission Selection (ETS) allows Class of Service (CoS) configuration settings to be advertised to other devices in a data center network through DCBX ETS TLVs. CoS information is exchanged with peer DCBX devices using ETS TLVs.

1.7.4. VXLAN Gateway

Logically segregated virtual networks in a data center are sometimes referred to as data center VPNs. The VXLAN Gateway is a solution that allows VXLAN to communicate with another network, particularly a VLAN. It offers VXLAN Tunnel Endpoint (VTEP) functionality for VXLAN tunnels on the switch.
VXLAN is a layer-3, IP-based technology that prepends an existing layer-2 frame with a new IP header, providing layer-3 based tunneling for layer-2 frames. This essentially enables a layer-2 domain to extend across a layer-3 boundary.
For the traffic from a VXLAN to use services on physical devices in a distant network, the traffic must pass through a VXLAN Gateway.
The VXLAN Gateway feature is configurable through the CLI. It also offers an Overlay API to facilitate programming from external agents.

2. Getting Started

2.1. Accessing the switch Command-Line Interface

The command-line interface (CLI) provides a text-based way to manage and monitor the switch features. You can access the CLI by using a direct connection to the console port or by using a Telnet or SSH client.
To access the switch by using Telnet or Secure Shell (SSH), the switch must have an IP address configured on either the service port or the management VLAN interface, and the management station you use to access the device must be able to ping the switch IP address. DHCP is enabled by default on the service port. It is disabled on the management VLAN interface.
Note: For information about changing the default settings for Telnet and SSH access methods, see “Configuring and Applying Authentication Profiles”.

2.1.1. Connecting to the Switch Console

To connect to the switch and configure or view network information, use the following steps:
1. Using a straight-through modem cable, connect a VT100/ANSI terminal or a workstation to the console (serial) port.
If you attached a PC, Apple, or UNIX workstation, start a terminal-emulation program, such as HyperTerminal or TeraTerm.
2. Configure the terminal-emulation program to use the following settings:
• Baud rate: 115200 bps
• Data bits: 8
• Parity: none
• Stop bit: 1
• Flow control: none
3. Power on the switch. After the system completes the boot cycle, the switch login prompt appears.

2.1.2. Login User ID and Password

You can log in to the switch using any of the following methods:
• Serial Console
• SSH (Secure Shell)
• Telnet, using special port 1224
The default login name is admin and the default password is EndGame.
After you log in to the switch, to access the switch CLI you must provide a second user name and password. The default CLI user name is admin and, the first time that you access the switch CLI, no password is set, so just press Enter. The switch CLI then prompts you to change the CLI password. Change both passwords immediately: the credentials above are printed in this manual, so anyone who can reach the console, SSH, or Telnet port can use them until they are changed.
The switch CLI lets you access all switch configuration commands.
When you access the switch using the serial console or SSH method, press <Ctrl> + z or enter logout at the switch CLI prompt to exit the switch CLI and display the following menu options.
===================================== NETGEAR M4500 Menu =====================================
1: CLI Console
2: Firmware update using SCP
3: Firmware update using TFTP
4: Reboot
=====================================
Enter your menu option:
Enter menu option 1 to access the switch CLI. Of the two firmware-update options, SCP runs over SSH, so the image transfer is authenticated and encrypted; TFTP provides neither, so use it only from a trusted host on an isolated management network.

2.1.3. Accessing the Switch CLI through the Network

Note: The telnet port number is 1223. The SSH port number is 1234.
Remote management of the switch is available through the service port or through the management VLAN interface. To use telnet, SSH, or SNMP for switch management, the switch must be connected to the network, and you must know the IP or IPv6 address of the management interface. The switch has no IP address by default. The DHCP client on the service port is enabled, and the DHCP client on the management VLAN interface is disabled.
After you configure or view network information, configure the authentication profile for telnet or SSH (see “Configuring and Applying Authentication Profiles”) and physically and logically connect the switch to the network, you can manage and monitor the switch remotely. You can also continue to manage the switch through the terminal interface via the console port. Prefer SSH over telnet for remote management: telnet carries the login credentials and the whole session in clear text.

2.1.4. Using the Service Port or Management VLAN Interface for Remote Management

The service port is a dedicated Ethernet port for out-of-band management. We recommend that you use the service port to manage the switch. Traffic on this port is segregated from operational network traffic on the switch ports and cannot be switched or routed to the operational network. Additionally, if the production network is experiencing problems, the service port still allows you to access the switch management interface and troubleshoot issues. Configuration options on the service port are limited, which makes it difficult to accidentally cut off management access to the switch.
Alternatively, you can choose to manage the switch through the production network, which is known as in-band management. Because in-band management traffic is mixed in with production network traffic, it is subject to all of the filtering rules usually applied on a switched/routed port such as ACLs and VLAN tagging. You can access the in-band network management interface through a connection to any front-panel port.
2.1.4.1. Configuring Service Port Information
To disable DHCP and manually assign an IPv4 address, enter:
serviceport protocol none
serviceport ip ipaddress netmask [gateway]
For example, serviceport ip 192.168.2.23 255.255.255.0 192.168.2.1
To disable DHCP and manually assign an IPv6 address and (optionally) default gateway, enter:
serviceport protocol none
serviceport ipv6 address address/prefix-length [eui64]
serviceport ipv6 gateway gateway
To view the assigned or configured network address, enter:
show serviceport
To enable the DHCP client on the service port, enter:
serviceport protocol dhcp
2.1.4.2. Configuring the In-Band Management Interface
To use a DHCP server to obtain the IP address, subnet mask, and default gateway information, enter:
(Switch) (Config)#interface vlan 1
(Switch) (if-vlan1)#ip address dhcp
To manually configure the IPv4 address, subnet mask, and (optionally) default gateway, enter:
(Switch)(config)#interface vlan 1
(Switch)(if-vlan 1)#ip address ipaddress netmask
(Switch)(if-vlan 1)#exit
(Switch)(Config)#ip default-gateway gateway
For example:
(Switch)(if-vlan 1)#ip address 192.168.1.253 255.255.255.0
(Switch)(Config)#ip default-gateway 192.168.1.254
To manually configure the IPv6 address and prefix length, enter:
(Switch)(config)#interface vlan 1
(Switch)(if-vlan 1)#ipv6 address address/prefix-length [eui64]
To view the in-band management information, enter:
show ip interface
show ipv6 interface
To save these changes so they are retained during a switch reset, enter the following command:
copy running-config startup-config

2.1.5. DHCP Option 61

DHCP Option 61 (client Identifier) allows the DHCP server to be configured to provide an IP address to a switch based on its Media Access Control (MAC) Address or an ID entered into the system. DHCP servers use this value to index their database of address bindings. This value is expected to be unique for all clients in an administrative domain. This option allows the system to move from one part of the network to another while maintaining the same IP address.
DHCP client Identifier (Option 61) is used by DHCP clients to specify their unique identifier. The client identifier option is optional and can be specified while configuring the DHCP on the interfaces. DHCP Option 61 is enabled by default.
2.1.5.1. Configuring DHCP Option 61
Configuring the DHCP with client-id (option 61) differs depending on the port or interface. See the following information:
Service Port:
To enable DHCP with client-id (option 61) on the service port, issue the following command:
(Switch) #serviceport protocol dhcp client-id
In-Band management Port:
To enable DHCP with client-id (option 61) on the in-band management port, issue the following commands:
(Switch) (Config)#interface vlan 1
(Switch) (if-vlan1)#ip address dhcp client-id
Routing Enabled Interface:
To enable DHCP with client-id (option 61) on a routing-enabled interface, issue the following command in interface configuration mode:
(Switch) (Interface 0/1)#ip address dhcp client-id
Physical Interface:
To enable DHCP with client-id (option 61) on a physical interface, issue the commands as shown below:
(Switch) #config
(Switch) (Config)#interface 0/4
(Switch) (Interface 0/4)#ip address dhcp client-id
VLAN Interface:
To enable DHCP with client-id (option 61) on a VLAN interface, issue the commands as shown below:
(Switch) #config
(Switch) (Config)#interface vlan 10
(Switch) (Interface vlan 10)#ip address dhcp client-id
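The following Python, added here as an example and not code from this manual or from the switch firmware, encodes and decodes the option 61 value that a DHCP client sends when a client identifier is configured, in the format defined by RFC 2132: a one-byte type (1 for an Ethernet MAC address, 0 for an administrator-assigned string) followed by the identifier, carried inside the usual magic-cookie/option/end framing of the DHCP options field. The MAC address and the string identifier used below are constructed values.

```python
"""Encode and decode DHCP option 61 (client identifier) as defined in RFC 2132.

Added example; not code from the NETGEAR manual or the switch firmware. It
shows the bytes that a DHCP client sends when a client identifier is
configured: a one-byte type (1 = Ethernet MAC, 0 = opaque string) followed by
the identifier, inside the normal magic-cookie/option/end framing. The MAC
address and the string identifier below are constructed values.
"""
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_CLIENT_ID, OPT_END = 0, 61, 255
TYPE_ETHERNET = 1   # identifier is a 6-byte MAC address (hardware type 1)
TYPE_OPAQUE = 0     # identifier is an administrator-assigned string


def client_id_mac(mac):
    if len(mac) != 6:
        raise ValueError("Ethernet MAC must be 6 bytes")
    return bytes([TYPE_ETHERNET]) + mac


def client_id_string(ident):
    if not ident:
        raise ValueError("client identifier must not be empty")
    return bytes([TYPE_OPAQUE]) + ident.encode("ascii")


def encode_options(options):
    """options: [(code, value_bytes), ...] -> DHCP options field."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 0 < len(value) < 256:
            raise ValueError(f"option {code}: length {len(value)} not in 1..255")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Return {code: value} from a DHCP options field; pad bytes are skipped."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, opts = 4, {}
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: truncated header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_client_id(value):
    """Return ('mac', 'aa:bb:cc:dd:ee:ff') or ('opaque', text) from option 61 bytes."""
    if len(value) < 2:
        raise ValueError("client identifier must be at least 2 bytes")
    kind, ident = value[0], value[1:]
    if kind == TYPE_ETHERNET and len(ident) == 6:
        return ("mac", ":".join(f"{b:02x}" for b in ident))
    return ("opaque", ident.decode("ascii", errors="replace"))


if __name__ == "__main__":
    mac = bytes.fromhex("0200000000aa")                     # constructed MAC
    blob = encode_options([(OPT_CLIENT_ID, client_id_mac(mac))])
    print(blob.hex())                                       # 638253633d0701 + mac + ff
    print(parse_client_id(decode_options(blob)[OPT_CLIENT_ID]))
```

Because the DHCP server indexes its bindings by this value and nothing in DHCP authenticates it, any host on the same segment that sends another device's client identifier can be handed that device's lease. That is one more reason to keep switch management on the out-of-band service port, as the previous section recommends, rather than on a DHCP-served production segment.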

2.2. Understanding the User Interfaces

The switch includes a set of comprehensive management functions for configuring and monitoring the system by using one of the following two methods:
Command-Line Interface (CLI)
Simple Network Management Protocol (SNMP)
These standards-based management methods allow you to configure and monitor the components of the software. The method you use to manage the system depends on your network size and requirements, and on your preference.

2.2.1. Using the Command-Line Interface

The command-line interface (CLI) is a text-based way to manage and monitor the system. You can access the CLI by using a direct serial connection or by using a remote logical connection with telnet or SSH.
The CLI groups commands into modes according to the command function. Each of the command modes supports specific software commands. The commands in one mode are not available until you switch to that particular mode, with the exception of the User EXEC mode commands. You can execute the User EXEC mode commands in the Privileged EXEC mode.
To display the commands available in the current mode, enter a question mark (?) at the command prompt. To display the available command keywords or parameters, enter a question mark (?) after each word you type at the command prompt. If there are no additional command keywords or parameters, or if additional parameters are optional, the following message appears in the output:
<cr> Press Enter to execute the command
For more information about the CLI, see the M4500 Intelligent Fully Managed Switches CLI Command Reference Manual.
The M4500 Intelligent Fully Managed Switches CLI Command Reference Manual lists each command available from the CLI by the command name and provides a brief description of the command. Each command reference also contains the following information:
• The command keywords and the required and optional parameters.
• The command mode you must be in to access the command.
• The default value, if any, of a configurable setting on the device.
The show commands in the document also include a description of the information that the command shows.

2.2.2. Using SNMP

SNMP is enabled by default. The show sysinfo command displays the information you need to configure an SNMP manager to access the switch. You can configure SNMP groups and users that can manage traps that the SNMP agent generates.
The switch uses both standard public MIBs for standard functionality and private MIBs that support additional switch functionality. All private MIBs begin with a “-” prefix. The main object for interface configuration is in SWITCHING-MIB, which is a private MIB. Some interface configurations also involve objects in the public MIB, IF-MIB.
2.2.2.1. SNMPv3
SNMP version 3 (SNMPv3) adds security and remote configuration enhancements to SNMP. You can configure the SNMP server, users, and traps for SNMPv3. Any user can connect to the switch using the SNMPv3 protocol, but for authentication and encryption, you need to configure a new user profile. To configure a profile by using the CLI, see the SNMP section in the M4500 Intelligent Fully Managed Switches CLI Command Reference Manual. For production use, give SNMPv3 users authentication and privacy rather than the noauth level: SNMPv1 and v2c carry the community string in clear text and have no other credential.
2.2.2.2. SNMP Configuration example
Figure 2-1: SNMP Configuration Topology
SNMPv1, v2c community and trap configuration example
1. Add new community testRO for read only and testRW for read-write.
(Switch) (Config)#snmp-server community testRO ro
(Switch) (Config)#snmp-server community testRW rw
2. Set up the SNMP trap host IP addresses.
(Switch) (Config)#snmp-server host 172.16.1.100 traps version 1 testRO
(Switch) (Config)#snmp-server host 172.16.2.100 traps version 2 testRO
3. Verify the configuration. Note that the output also lists the factory-default public (read-only) and private (read/write) communities; remove or rename them before the switch is reachable from any network you do not fully trust.
(Switch) #show snmp
Community-String Community-Access View Name IP Address
------------------ ---------------- --------------- ----------------
private Read/Write Default All
public Read Only Default All
testRO Read Only Default All
testRW Read/Write Default All
Community-String Group Name IP Address
------------------ ---------------------------- ----------------
private DefaultWrite All
public DefaultRead All
testRO DefaultRead All
testRW DefaultWrite All
Traps are enabled.
Authentication trap is enabled.
Version 1,2 notifications
Target Address Type Community Version UDP Filter TO Retries
Port name Sec
--------------- ------- ------------------- ------- ------ -------- --- ------
172.16.1.100 Trap testRO 1 162
172.16.2.100 Trap testRO 2 162
Version 3 notifications
Target Address Type Username Security UDP Filter TO Retries
Level Port name Sec
---------------- ------- ----------------- -------- ------ -------- --- -------
System Contact:
System Location:
SNMPv3 configuration example
1. Configure a view named testVIEW that includes the iso OID tree.
(Switch) (Config)#snmp-server view testVIEW iso included
2. Configure a group that uses testVIEW for read, write, and notify (trap) access.
(Switch) (Config)#snmp-server group testGROUP v3 noauth read testVIEW write testVIEW notify testVIEW
3. Add a user named testUSER and assign it to testGROUP.
(Switch) (Config)#snmp-server user testUSER testGROUP
4. Set up the SNMPv3 trap host IP address.
(Switch) (Config)#snmp-server host 172.16.1.102 traps version 3 testUSER noauth
This example uses the noauth security level so that the steps stay short; it provides no message authentication or encryption. For a production switch, create the group, user, and trap host with authentication and privacy enabled (see the SNMP section of the CLI Command Reference Manual for the keywords).
5. Verify the configuration.
(Switch) #show snmp views
Name OID Tree Type
--------------------------- ------------------------------ ----------
Default iso Included
Default snmpVacmMIB Excluded
Default usmUser Excluded
Default snmpCommunityTable Excluded
testVIEW iso Included
DefaultSuper iso Included
(Switch) #show snmp group
Name Context Security Views
Prefix Model Level Read Write Notify
------------------ ---------- ----- ------------- -------- -------- --------
testGROUP "" V3 NoAuth-NoPriv testVIEW testVIEW testVIEW
DefaultRead "" V1 NoAuth-NoPriv Default "" Default
DefaultRead "" V2 NoAuth-NoPriv Default "" Default
DefaultRead "" V3 NoAuth-NoPriv Default "" Default
DefaultRead "" V3 Auth-NoPriv Default "" Default
DefaultRead "" V3 Auth-Priv Default "" Default
DefaultSuper "" V1 NoAuth-NoPriv DefaultSuper DefaultSuper DefaultSuper
DefaultSuper "" V2 NoAuth-NoPriv DefaultSuper DefaultSuper DefaultSuper
DefaultSuper "" V3 NoAuth-NoPriv DefaultSuper DefaultSuper DefaultSuper
DefaultWrite "" V1 NoAuth-NoPriv Default Default Default
DefaultWrite "" V2 NoAuth-NoPriv Default Default Default
DefaultWrite "" V3 NoAuth-NoPriv Default Default Default
DefaultWrite "" V3 Auth-NoPriv Default Default Default
DefaultWrite "" V3 Auth-Priv Default Default Default
(Switch) #show snmp user
Name Group Name Auth Priv
Meth Meth Remote Engine ID
----------------- -------------- ---- ---- -------------------------
testUSER testGROUP 80001c4c03000000000004
(Switch) #show snmp
Community-String Community-Access View Name IP Address
------------------ ---------------- ---------------- ----------------
private Read/Write Default All
public Read Only Default All
testRO Read Only Default All
testRW Read/Write Default All
Community-String Group Name IP Address
------------------ ------------------------------ ----------------
private DefaultWrite All
public DefaultRead All
testRO DefaultRead All
testRW DefaultWrite All
Traps are enabled.
Authentication trap is enabled.
Version 1,2 notifications
Target Address Type Community Version UDP Filter TO Retries
Port name Sec
--------------- ------- ------------------ ------ ------ -------- --- ------
172.16.1.100 Trap testRO 1 162
172.16.2.100 Trap testRO 2 162
Version 3 notifications
Target Address Type Username Security UDP Filter TO Retries
Level Port name Sec
--------------- ------- -------------- -------- ------ -------- --- -------
172.16.1.102 Trap testUSER NoAuth-N 162 15 3
System Contact:
System Location:
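The following script, added here as an example and not part of this manual or of the switch software, parses the show snmp and show snmp group output shown above and flags the settings a security reviewer would object to: the factory-default public and private communities, any read-write community, and any administrator-created SNMPv3 group whose security level is below Auth-Priv. The sample text is copied from the verification output above; the regular expressions assume that column layout.

```python
"""Audit 'show snmp' / 'show snmp group' output for weak SNMP settings.

Added example, not part of the NETGEAR manual or the switch software. The two
sample outputs are taken from the verification steps in the manual; the
parsing assumes that column layout.
"""
import re

SHOW_SNMP = """\
Community-String Community-Access View Name IP Address
------------------ ---------------- --------------- ----------------
private Read/Write Default All
public Read Only Default All
testRO Read Only Default All
testRW Read/Write Default All
"""

SHOW_SNMP_GROUP = """\
Name Context Security Views
Prefix Model Level Read Write Notify
------------------ ---------- ----- ------------- -------- -------- --------
testGROUP "" V3 NoAuth-NoPriv testVIEW testVIEW testVIEW
DefaultRead "" V1 NoAuth-NoPriv Default "" Default
DefaultRead "" V3 Auth-Priv Default "" Default
DefaultWrite "" V3 NoAuth-NoPriv Default Default Default
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # present on a factory-default switch
BUILTIN_GROUPS = ("DefaultRead", "DefaultWrite", "DefaultSuper")

COMMUNITY_RE = re.compile(r"^(\S+)\s+(Read/Write|Read Only)\s")
GROUP_RE = re.compile(r'^(\S+)\s+"[^"]*"\s+(V[123])\s+(\S+)')


def parse_communities(text):
    """Return {community: access} from the first table of 'show snmp'."""
    rows = {}
    for line in text.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            rows[m.group(1)] = m.group(2)
    return rows


def parse_groups(text):
    """Return [(group, model, level), ...] from 'show snmp group'."""
    rows = []
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def audit(show_snmp, show_snmp_group):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for name, access in parse_communities(show_snmp).items():
        if name in DEFAULT_COMMUNITIES:
            findings.append(f"default community '{name}' ({access}) still present")
        elif access == "Read/Write":
            findings.append(f"read-write community '{name}' configured "
                            "(v1/v2c: the clear-text string is the only credential)")
    for group, model, level in parse_groups(show_snmp_group):
        if group.startswith(BUILTIN_GROUPS):
            continue          # built-in groups matter only via the communities mapped to them
        if model != "V3" or level != "Auth-Priv":
            lacks = "encryption" if level == "Auth-NoPriv" else "authentication or encryption"
            findings.append(f"group '{group}' allows {model} {level}: no {lacks}")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_SNMP, SHOW_SNMP_GROUP):
        print("WARN:", finding)
```

Run against the output above it reports the two default communities, the read-write testRW community, and the noauth testGROUP; paste the output of your own switch into the two strings to check a deployed configuration the same way.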

3. Configuring L2 Switching Features

3.1. Port Configuration

You can configure the ports on the switch to support speeds from 1G/10G/40G to 25/50/100G. You can use the software to change a port from one mode to another. When the port is configured in 40/100Gbps mode, the four 10/25Gbps ports at the same physical interface are disabled.

3.1.1. 100G Port-mode Command

Use the port-mode command to configure a 25G/100G QSFP port in 4x10/25G, 2x50G, or 1x40/100G mode. This command can be executed only on the original 25G/100G interface; entering it on any other type of interface returns an error. The command does not operate in interface range mode.
3.1.1.1. 100G Port Mode Configuration Example
The following example shows how to configure port 1 as a 40G port, port 2 as a 4x25G fan-out, and port 3 as a 2x50G fan-out on the 100G ports.
1. Enter interface mode of port 1, and configure to 40G port.
(Switch) (Config)#interface 0/1
(Switch) (Interface 0/1)#port-mode 1x40G
(Switch) (Interface 0/1)#exit
2. Enter interface mode of port 2, and configure to 4x25G port.
(Switch) (Config)#interface 0/2
(Switch) (Interface 0/2)#port-mode 4x25G
(Switch) (Interface 0/2)#exit
3. Enter interface mode of port 3, and configure to 2x50G port.
(Switch) (Config)#interface 0/3
(Switch) (Interface 0/3)#port-mode 2x50G
(Switch) (Interface 0/3)#exit
4. Use show interface port-mode to check the hardware profile information for all ports.
(Switch) #show interface port-mode
100G/40G Configured Operating Expandable Expanded
Interface Mode Mode Option(s) Interfaces
--------------------------------------------------------------
0/1 1x40G 1x40G 4x10G 0/33-36
4x25G 0/33-36
2x50G 0/161-162
0/2 4x25G 4x25G 4x10G 0/37-40
4x25G 0/37-40
2x50G 0/163-164
0/3 2x50G 2x50G 4x10G 0/41-44
4x25G 0/41-44
2x50G 0/165-166
0/4 1x100G 1x100G 4x10G 0/45-48
4x25G 0/45-48
2x50G 0/167-168
...

3.2. Virtual Local Area Networks

By default, all switchports on the switch are in the same broadcast domain. This means when one host connected to the switch broadcasts traffic, every device connected to the switch receives that broadcast. All ports in a broadcast domain also forward multicast and unknown unicast traffic to the connected host. Large broadcast domains can result in network congestion, and end users might complain that the network is slow. In addition to latency, large broadcast domains are a greater security risk since all hosts receive all broadcasts.
Virtual Local Area Networks (VLANs) allow you to divide a broadcast domain into smaller, logical networks. Like a bridge, a VLAN switch forwards traffic based on the Layer 2 header, which is fast, and like a router, it partitions the network into logical segments, which provides better administration, security, and management of multicast traffic.
Network administrators have many reasons for creating logical divisions, such as department or project membership. Because VLANs enable logical groupings, members do not need to be physically connected to the same switch or network segment. Some network administrators use VLANs to segregate traffic by type so that the time-sensitive traffic, like voice traffic, has priority over other traffic, such as data. Administrators also use VLANs to protect network resources. Traffic sent by authenticated clients might be assigned to one VLAN, while traffic sent from unauthenticated clients might be assigned to a different VLAN that allows limited network access.
When one host in a VLAN sends a broadcast, the switch forwards traffic only to other members of that VLAN. For traffic to go from a host in one VLAN to a host in a different VLAN, the traffic must be forwarded by a layer 3 device, such as a router. VLANs work across multiple switches, so there is no requirement for the hosts to be located near each other to participate in the same VLAN.
Note: The switch supports VLAN routing. When you configure VLAN routing, the switch acts as a layer 3 device and can forward traffic between VLANs. For more information, see “VLAN Routing”.
Each VLAN has a unique number, called the VLAN ID. The switch supports a configurable VLAN ID range of 2–4093. A VLAN with VLAN ID 1 is configured on the switch by default. You can associate a name with the VLAN ID. In a tagged frame, the VLAN is identified by the VLAN ID in the tag. In an untagged frame, the VLAN identifier is the Port VLAN ID (PVID) specified for the port that received the frame. For information about tagged and untagged frames, see “VLAN Tagging”.
You can add individual ports and Port-channels as VLAN members.
The following figure shows an example of a network with three VLANs that are department-based. The file server and end stations for the department are all members of the same VLAN.
Figure 3-1: Simple VLAN Topology
In this example, each port is manually configured so that the end station attached to the port is a member of the VLAN configured for the port. The VLAN membership for this network is port-based or static.

3.2.1. VLAN Tagging

The switch supports IEEE 802.1Q tagging. Ethernet frames on a tagged VLAN carry a 4-byte VLAN tag in the header. VLAN tagging is required when a VLAN spans multiple switches, so switch-to-switch (trunk) links carry tagged frames; in the configuration example later in this chapter, the trunk ports are set to accept and transmit tagged frames only.
Tagging may be required when a single port supports multiple devices that are members of different VLANs. For example, a single port might be connected to an IP phone, a PC, and a printer (the PC and printer are connected via ports on the IP phone). IP phones are typically configured to use a tagged VLAN for voice traffic, while the PC and printers typically use the untagged VLAN.
When a port is added to a VLAN as an untagged member, untagged packets entering the switch are tagged with the PVID (also called the native VLAN) of the port. If the port is added to a VLAN as an untagged member, the port does not add a tag to a packet in that VLAN when it exits the port. Configuring the PVID for an interface is useful when untagged and tagged packets will be sent and received on that port and a device connected to the interface does not support VLAN tagging.
When ingress filtering is on, the frame is dropped if the port is not a member of the VLAN identified by the VLAN ID in the tag. If ingress filtering is off, all tagged frames are forwarded. The port decides whether to forward or drop the frame when the port receives the frame.

3.2.2. Double-VLAN Tagging

For trunk ports, which are ports that connect one switch to another switch, the switch supports double-VLAN tagging. This feature allows service providers to create Virtual Metropolitan Area Networks (VMANs). With double-VLAN tagging, service providers can pass VLAN traffic from one customer domain to another through a metro core in a simple and cost-effective manner. By using an additional tag on the traffic, the switch can differentiate between customers in the MAN while preserving an individual customer’s VLAN identification when the traffic enters the customer’s 802.1Q domain.
With the introduction of this second tag, customers are no longer required to divide the 12-bit VLAN ID space (4094 usable IDs) to send traffic on an Ethernet-based MAN. That is, every frame that is transmitted from an interface has a double-VLAN tag attached, while every packet that is received from an interface has a tag removed (if one or more tags are present).
In the following figure, two customers share the same metro core. The service provider assigns each customer a unique ID so that the provider can distinguish between the two customers and apply different rules to each. When the configurable EtherType is assigned to something different than the 802.1Q (0x8100) EtherType, it allows the traffic to have added security from misconfiguration while exiting the metro core. For example, if the edge device on the other side of the metro core is not stripping the second tag, the packet would never be classified as an 802.1Q tag, so the packet would be dropped rather than forwarded in the incorrect VLAN.
Figure 3-2: Double VLAN Tagging Network Example

3.2.3. Default VLAN Behavior

One VLAN exists on the switch by default. The VLAN ID is 1, and all ports are untagged members of it. This means that when a device connects to any port on the switch, the port forwards the packets without inserting a VLAN tag. If a device sends a frame tagged with a VLAN ID other than 1 to a port, the frame is dropped. Since all ports are members of this VLAN, all ports are in the same broadcast domain and receive all broadcast and multicast traffic received on any port.
When you add a new VLAN to the VLAN database, no ports are members. The configurable VLAN range is 2–4093. VLANs 4094 and 4095 are reserved.
The following table shows the default values or maximum values for VLAN features.
Table 3-1: VLAN default and maximum values

3.2.4. VLAN Configuration Example

A network administrator wants to create the VLANs that are listed in the following table.
Table 3-2: Example VLAN
The following figure shows the network topology for this example. As the figure shows, there are two switches, two file servers, and many hosts. One switch has an uplink port that connects it to a layer 3 device and the rest of the corporate network.
Figure 3-3: Network Topology for VLAN Configuration
The network in the previous figure has the following characteristics:
• Each connection to a host represents multiple ports and hosts.
• The Payroll and File servers are connected to the switches through a Port-channel.
• Some of the Marketing hosts connect to Switch 1, and some connect to Switch 2.
• The Engineering and Marketing departments share the same file server.
• Because security is a concern for the Payroll VLAN, the ports and Port-channel that are members of this VLAN will accept and transmit only traffic tagged with VLAN 300.
The following table shows the port assignments on the switches.
Table 3-3: Switch Port Configuration
3.2.4.1. Configuring the VLANs and Ports on Switch 1
Use the following steps to configure the VLANs and ports on Switch 1. None of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN 100), so it is not necessary to create it on that switch. To configure Switch 1:
1. Create VLANs 200 (Marketing), 300 (Payroll), and associate the VLAN ID with the appropriate name.
(Switch) (Config)#vlan database
(Switch) (Vlan)#vlan 200,300
(Switch) (Vlan)#vlan name 200 Marketing
(Switch) (Vlan)#vlan name 300 Payroll
(Switch) (Vlan)#exit
2. Assign ports 16–20 to the Marketing VLAN.
(Switch) #configure
(Switch) (Config)#interface range 0/16-0/20
(Switch) (Interface 0/16-0/20)#switchport allowed vlan add 200
(Switch) (Interface 0/16-0/20)#switchport native vlan 200
(Switch) (Interface 0/16-0/20)#exit
3. Assign ports 2–15 to the Payroll VLAN
(Switch) (Config)#interface range 0/2-0/15
(Switch) (Interface 0/2-0/15)#switchport allowed vlan add 300
(Switch) (Interface 0/2-0/15)#switchport native vlan 300
(Switch) (Interface 0/2-0/15)#exit
4. Assign Port-channel1 to the Payroll VLAN and configure the frames to always be transmitted tagged with a PVID of 300.
(Switch) (Config)#interface port-channel 1
(Switch) (if-port-channel ch1)#switchport allowed vlan add tagged 300
(Switch) (if-port-channel ch1)#switchport native vlan 300
(Switch) (if-port-channel ch1)#exit
5. Configure port 1 as a trunk port and add VLAN 200 and VLAN 300 as members. Trunk ports accept and transmit tagged frames only and have ingress filtering enabled.
(Switch) (Config)#interface 0/1
(Switch) (Interface 0/1)#switchport acceptable-frame-types tagged
(Switch) (Interface 0/1)#switchport allowed vlan add tagged 200,300
(Switch) (Interface 0/1)#switchport ingress-filtering
(Switch) (Interface 0/1)#exit
(Switch) (Config)#exit
6. To save the configuration so that it persists across a system reset, use the following command:
(Switch) #copy running-config startup-config
7. View the VLAN settings.
(Switch) #show vlan
VLAN ID VLAN Name VLAN Type Interface(s)
------- -------------------------------- ---------- -------------------------
1 default Default 0/1,0/2,0/3,0/4,0/5,0/6,
0/7,0/8,0/9,0/10,0/11,
0/12,0/13,0/14,0/15,0/16,
...
200 Marketing Static 0/1,0/16,0/17,0/18,0/19,
0/20
300 Payroll Static 0/1,0/2,0/3,0/4,0/5,0/6,
0/7,0/8,0/9,0/10,0/11,
0/12,0/13,0/14,0/15,ch1
(Switch) #show vlan id 300
VLAN ID: 300
VLAN Name: Payroll
VLAN Type: Static
Interface   Current   Configured   Tagging
----------  --------  -----------  --------
0/1         Include   Include      Tagged
0/2         Include   Include      Untagged
0/3         Include   Include      Untagged
0/4         Include   Include      Untagged
0/5         Include   Include      Untagged
--More-- or (q)uit
8. View the VLAN information for a port.
(Switch) #show interface switchport 0/1
Interface...................................... 0/1
Native VLAN.................................... 1
Mode........................................... General
Ingress Filtering.............................. Enable
Acceptable Frame Type.......................... VLAN Only
Interface is member in:
VLAN ID VLAN Name VLAN Type Egress rule
------- -------------------------------- ----------------- -----------
1 default Default Untagged
200 Marketing Static Tagged
300 Payroll Static Tagged
3.2.4.2. Configuring the VLANs and Ports on Switch 2
Use the following steps to configure the VLANs and ports on Switch 2. Many of the procedures in this section are the same as procedures used to configure Switch 1. For more information about specific procedures, see the details and figures in the previous section.
To configure Switch 2:
1. Create the Engineering, Marketing, and Payroll VLANs.
Although the Payroll hosts do not connect to this switch, traffic from the Payroll department must use Switch 2 to reach the rest of the network and Internet through the uplink port. For that reason, Switch 2 must be aware of VLAN 300 so that traffic is not rejected by the trunk port.
2. Configure ports 2-10 to participate in VLAN 200.
3. Configure ports 11–30 to participate in VLAN 100.
4. Configure Port-channel 1 to participate in VLAN 100 and VLAN 200.
5. Configure port 1 and Port-channel 2 as trunk ports that accept and transmit tagged frames only, and add VLAN 100, VLAN 200, and VLAN 300 as tagged members.
6. Enable ingress filtering on port 1 and Port-channel 2.
7. If desired, copy the running configuration to the startup configuration.
8. View VLAN information for the switch and ports.

3.3. Switchport Modes

You can configure each port on the switch to be in one of the following modes:
Access —
Access ports are intended to connect end-stations to the system, especially when the end-stations are incapable of generating VLAN tags. Access ports support a single VLAN (the PVID). Packets received untagged are processed as if they are tagged with the access port PVID. Packets received that are tagged with the PVID are also processed. Packets received that are tagged with a VLAN other than the PVID are dropped. If the VLAN associated with an access port is deleted, the PVID of the access port is set to VLAN 1. VLAN 1 may not be deleted.
Trunk —
Trunk-mode ports are intended for switch-to-switch links. Trunk ports can receive both tagged and untagged packets. Tagged packets received on a trunk port are forwarded on the VLAN contained in the tag if the trunk port is a member of the VLAN. Untagged packets received on a trunk port are forwarded on the native VLAN. Packets received on another interface belonging to the native VLAN are transmitted untagged on a trunk port.
General —
General ports can act like access or trunk ports or a hybrid of both. VLAN membership rules that apply to a port are based on the switchport mode configured for the port.
The following table shows the behavior of the three switchport modes.
Table 3-4: Switchport Mode Behavior
When a port is in General mode (by default all interfaces are in general mode), all VLAN features are configurable. When ingress filtering is on, the frame is dropped if the port is not a member of the VLAN identified by the VLAN ID in the tag. If ingress filtering is off, all tagged frames are forwarded. The port decides whether to forward or drop the frame when the port receives the frame.
The following example configures a port in Access mode with a single VLAN membership in VLAN 10:
(Switch) #config
(Switch) (Config)#interface 0/5
(Switch) (Interface 0/5)#switchport mode access
(Switch) (Interface 0/5)#switchport access vlan 10
(Switch) (Interface 0/5)#exit
The following example configures a port in Trunk mode. The switchport trunk allowed vlan command with the add keyword adds the list of VLANs that can receive and send traffic on the interface in tagged format when in trunking mode. Alternatively, the all keyword can be used to specify membership in all VLANs, and the remove keyword can be used to remove membership. If this command is omitted, the port is a member of all configured VLANs. The native VLAN specifies the VLAN on which the port forwards untagged packets it receives.
(Switch) #config
(Switch) (Config)#interface 0/8
(Switch) (Interface 0/8)#switchport mode trunk
(Switch) (Interface 0/8)#switchport trunk allowed vlan add 10,20,30
(Switch) (Interface 0/8)#switchport trunk native vlan 100
(Switch) (Interface 0/8)#exit
The General mode port can then be configured as a tagged or untagged member of any VLAN, as shown in “VLAN Configuration Example”.
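The ingress rules above (and the tagged-only, ingress-filtered general-mode uplink used in the VLAN configuration example) are easy to misread, so here is an added worked model of them. This is illustrative code written for this page, not code from the NETGEAR manual or the switch firmware; the port names, VLAN IDs and frames are constructed, and the `Port`/`Frame` classes and `classify` function are assumptions of the model.

```python
"""Ingress behaviour of the three switchport modes (access, trunk, general).

Added example: an illustrative model, not code from the NETGEAR manual or the
switch firmware. Port names, VLAN IDs and frames are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    mode: str                                   # "access", "trunk" or "general"
    pvid: int = 1                               # access VLAN, or native VLAN (trunk/general)
    members: set = field(default_factory=set)   # VLANs the port participates in
    ingress_filtering: bool = True              # general mode: drop tags for non-member VLANs
    accept_tagged_only: bool = False            # general mode: acceptable-frame-types tagged


@dataclass
class Frame:
    vlan_tag: Optional[int]   # None means the frame arrived untagged


def classify(port: Port, frame: Frame) -> Optional[int]:
    """Return the VLAN a received frame is forwarded on, or None if it is dropped."""
    if port.mode == "access":
        # One VLAN only: untagged frames are treated as tagged with the PVID,
        # frames tagged with the PVID are accepted, any other tag is dropped.
        if frame.vlan_tag is None or frame.vlan_tag == port.pvid:
            return port.pvid
        return None
    if port.mode == "trunk":
        # Untagged frames land on the native VLAN; tagged frames are forwarded
        # only when the trunk is a member of the VLAN in the tag.
        if frame.vlan_tag is None:
            return port.pvid
        return frame.vlan_tag if frame.vlan_tag in port.members else None
    if port.mode == "general":
        if frame.vlan_tag is None:
            # Untagged frames are rejected when only tagged frames are acceptable.
            return None if port.accept_tagged_only else port.pvid
        if port.ingress_filtering and frame.vlan_tag not in port.members:
            return None           # ingress filtering on: non-member VLAN tag is dropped
        return frame.vlan_tag     # ingress filtering off: every tagged frame is forwarded
    raise ValueError(f"unknown switchport mode {port.mode!r}")


def delete_vlan(ports, vid: int) -> None:
    """Remove a VLAN; access ports whose PVID was that VLAN fall back to VLAN 1."""
    if vid == 1:
        raise ValueError("VLAN 1 may not be deleted")
    for p in ports:
        p.members.discard(vid)
        if p.mode == "access" and p.pvid == vid:
            p.pvid = 1


if __name__ == "__main__":
    # Constructed ports mirroring the manual's examples: access port 0/5 in VLAN 10,
    # trunk 0/8 with native VLAN 100, and a general-mode uplink that accepts
    # tagged frames only for VLANs 100, 200 and 300 with ingress filtering on.
    access = Port("0/5", "access", pvid=10)
    trunk = Port("0/8", "trunk", pvid=100, members={10, 20, 30})
    uplink = Port("0/1", "general", members={100, 200, 300}, accept_tagged_only=True)
    for port in (access, trunk, uplink):
        for frame in (Frame(None), Frame(10), Frame(300), Frame(999)):
            print(f"{port.name:4} {port.mode:7} tag={frame.vlan_tag!s:5} -> {classify(port, frame)}")
```

Running the model shows the practical difference: the access port silently drops every tag but its PVID, the trunk drops tags for VLANs it was not allowed, and the general-mode uplink drops both untagged frames and tags for non-member VLANs only while ingress filtering is on.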

3.4. Port-channels – Operation and Configuration

Port-channel allows one or more full-duplex (FDX) Ethernet links of the same speed to be aggregated together to form a Port-channel. This allows the switch to treat the Port-channel as if it is a single link. The primary purpose of Port-channels is to increase the overall bandwidth between two switches. This is accomplished by effectively aggregating multiple ports together that act as a single, logical connection between the two switches. Port-channels also provide redundancy. If a link fails, traffic is automatically redistributed across the remaining links.
The switch supports industry-standard Port-channels that adhere to the IEEE 802.3ad specification. Both static and dynamic Port-channels are supported. Each Port-channel can have a maximum of 32 ports as members (as long as the switch can support it). You can configure Port-channels until all switch ports are assigned to a Port-channel.
The following figure shows an example of a switch in the wiring closet connected to a switch in the data center by a Port-channel that consists of four physical 10 Gbps links. The Port-channel provides full-duplex bandwidth of 40 Gbps between the two switches.
Figure 3-4: Port-channel Configuration

3.4.1. Static and Dynamic Port-channel

Port-channel can be configured as either dynamic or static. Dynamic configuration is supported using the IEEE 802.3ad standard, which is known as Link Aggregation Control Protocol (LACP). Static configuration is used when connecting the switch to an external Gigabit Ethernet switch that does not support LACP.
One advantage of LACP is that the protocol enables the switch to confirm that the external switch is also configured for Port-channel. When using static configuration, a cabling or configuration mistake involving the local switch or the external switch could go undetected and thus cause undesirable network behavior. Both static and dynamic Port-channels (via LACP) can detect physical link failures within the Port-channel and continue forwarding traffic through the other connected links within that same Port-channel. LACP can also detect switch or port failures that do not result in loss of link. This provides a more resilient Port-channel. Best practices suggest using dynamic link aggregation instead of static link aggregation. When a port is added to a Port-channel as a static member, it neither transmits nor receives LACP PDUs.

3.4.2. Port-channel Hashing

The switch supports the configuration of hashing algorithms for each Port-channel interface. The hashing algorithm is used to distribute traffic load among the physical ports of the Port-channel while preserving the per-flow packet order.
The hashing algorithm uses various packet attributes to determine the outgoing physical port. The switch supports the following set of packet attributes to be used for hash computation:
Source MAC, VLAN, EtherType, and incoming port.
Destination MAC, VLAN, EtherType, and incoming port.
Source IP and Source TCP/UDP port numbers.
Destination IP and Destination TCP/UDP port numbers.
Source/Destination MAC, VLAN, EtherType, and incoming port.
Source/Destination IP and Source/Destination TCP/UDP port numbers.
Enhanced hashing mode
Enhanced hashing mode has the following advantages:
MODULO-N operation based on the number of ports in the Port-channel.
Packet attributes selection based on the packet type. For L2 packets, Source and Destination MAC address are used for hash computation. For IP packets, Source IP, Destination IP address, and TCP/UDP ports are used.
Non-Unicast traffic and Unicast traffic are hashed using a common hash algorithm.
Excellent load balancing performance.
3.4.2.1. Resilient Hashing
Resilient Hashing (RH) supports an extra level of indirection between the hash value and the selected output port for a layer-2 Port-channel or a layer-3 ECMP route. In a typical non-RH configuration, the output port can change for all flows when the number of ports changes, even if the flow was on a port that was not affected. This can cause degraded performance due to frame reordering. With RH, the hash value is used to index into a table of ports. If a port goes down, then only the entries that use that port are rewritten. Other ports are left untouched and, therefore, do not suffer degraded performance.
Resilient hashing is globally enabled on switch ports by default. It can be globally enabled (or disabled) in Global Config mode using the (no) port-channel resilient-hashing command for Port-channels or the (no) ip resilient-hashing command for ECMP routes. The new setting takes effect after a system reboot.
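The two preceding subsections describe MODULO-N member selection and the indirection table that Resilient Hashing adds on top of it. The following added simulation makes the difference concrete by counting how many flows change egress port when one member of a four-port Port-channel fails under each scheme. It is illustrative code written for this page, not NETGEAR's implementation: the member port names, the 64-entry table, the CRC32 stand-in hash and the sample flows are constructed, and the real ASIC hash function and table size are not documented on the page.

```python
"""Why Resilient Hashing (RH) moves fewer flows than plain MODULO-N when a
Port-channel member goes down.

Added example, not from the NETGEAR manual or firmware. The 4-member
Port-channel, the 64-entry indirection table, the CRC32 stand-in hash and the
sample flows are all constructed.
"""
import zlib

MEMBERS = ["0/1", "0/2", "0/3", "0/4"]   # constructed member ports of one Port-channel


def flow_hash(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> int:
    """Stand-in for the hash over the L3/L4 attributes enhanced mode uses for IP."""
    return zlib.crc32(f"{src_ip}|{dst_ip}|{src_port}|{dst_port}".encode())


def modulo_n_select(h: int, members: list) -> str:
    """Non-RH behaviour: egress member = hash MODULO number of active members.
    When N changes, flows on unaffected members can change port too."""
    return members[h % len(members)]


class ResilientTable:
    """RH: the hash indexes a fixed-size table of members. A failure rewrites only
    the entries that pointed at the failed member; the rest are untouched."""

    def __init__(self, members, size=64):
        self.size = size
        self.table = [members[i % len(members)] for i in range(size)]

    def select(self, h: int) -> str:
        return self.table[h % self.size]

    def remove_member(self, failed: str) -> None:
        survivors = sorted(set(self.table) - {failed})
        j = 0
        for i, m in enumerate(self.table):
            if m == failed:
                self.table[i] = survivors[j % len(survivors)]   # spread across survivors
                j += 1


def remapped_flows(hashes, members, failed):
    """Return (modulo_n_moved, rh_moved, flows_on_failed): how many flows change
    egress port under each scheme when `failed` leaves the Port-channel."""
    survivors = [m for m in members if m != failed]
    rh = ResilientTable(members)
    before_mod = [modulo_n_select(h, members) for h in hashes]
    before_rh = [rh.select(h) for h in hashes]
    flows_on_failed = sum(m == failed for m in before_rh)
    rh.remove_member(failed)
    mod_moved = sum(b != modulo_n_select(h, survivors) for b, h in zip(before_mod, hashes))
    rh_moved = sum(b != rh.select(h) for b, h in zip(before_rh, hashes))
    return mod_moved, rh_moved, flows_on_failed


def demo():
    # Constructed flows: one client talking to 200 servers on TCP port 443.
    flows = [("10.0.0.1", f"10.0.1.{i}", 40000 + i, 443) for i in range(200)]
    hashes = [flow_hash(*f) for f in flows]
    return remapped_flows(hashes, MEMBERS, "0/3")


if __name__ == "__main__":
    mod_moved, rh_moved, on_failed = demo()
    print(f"member 0/3 failed: MODULO-N re-mapped {mod_moved} flows, "
          f"RH re-mapped {rh_moved} (exactly the {on_failed} flows that were on 0/3)")
```

With RH the number of moved flows equals the number of flows that were on the failed member, because only those table entries are rewritten; under MODULO-N, going from four to three members also re-maps most flows that were never on the failed port, which is the reordering the text warns about.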
3.4.2.2. Hash Prediction with ECMP and Port-channel
The Hash Prediction feature provides a utility to predict how packets will be forwarded over a Port-channel or to the next-hop device when Equal-Cost Multipath (ECMP) is the destination. Given the Port-channel method, ingress physical port, and values of various packet fields, the utility predicts an egress physical port for the packet.
An ECMP group is identified by the IP address of one of its members. By entering the IP address in the form <prefix/prefix-length>, the utility predicts the packet's physical egress port based on the destination ECMP group. To predict an egress physical port when the egress objects are VLAN routing interfaces with Port-channel or port interfaces as members of the VLANs, the utility requires the PVID to be configured on the interfaces and the next hops to be fully installed in hardware.
If an ECMP group is comprised of VLAN routing interfaces and each VLAN has a Port-channel that contains multiple ports, the utility requires the PVID to be configured on the Port-channels. In this configuration, the utility first predicts which VLAN routing interface the packet is forwarded to and finds the Port-channel by matching the VLAN ID of the VLAN routing interface to the PVID of the Port-channel. Then, it predicts which physical port in the Port-channel the packet is forwarded to.
To make a correct prediction when Port-channels are used as egress interfaces, the utility requires the enhanced hashing mode to be set on the Port-channels.
Hash prediction is supported for unicast packets only.

3.4.3. Port-channel Interface Overview

The show interface port-channel brief command provides summary information about all Port-channels available on the system. In the following output, Port-channel 3/1 has been configured as a dynamic Port-channel with five member ports. No other Port-channels have been configured.
(M4500-48XF8C) #show interface port-channel brief
Channel Port-Channel Name Min Link State Trap Type Mbr Ports Active Ports
ID Flag
--------- ----------------- --- ---------- -------- ------- --------- ------------
1 ch1 1 Down Disabled Static
2 ch2 1 Down Disabled Static
3 ch3 1 Down Disabled Static
4 ch4 1 Down Disabled Static
5 ch5 1 Down Disabled Static
6 ch6 1 Down Disabled Static
7 ch7 1 Down Disabled Static
8 ch8 1 Down Disabled Static
9 ch9 1 Down Disabled Static
10 ch10 1 Down Disabled Static
11 ch11 1 Down Disabled Static
12 ch12 1 Down Disabled Static
13 ch13 1 Down Disabled Static
14 ch14 1 Down Disabled Static
15 ch15 1 Down Disabled Static
16 ch16 1 Down Disabled Static
17 ch17 1 Down Disabled Static
18 ch18 1 Down Disabled Static
19 ch19 1 Down Disabled Static

3.4.4. Port-channel Interaction with Other Features

From a system perspective, a Port-channel is treated just as a physical port, with the same configuration parameters for administrative enable/disable, spanning tree port priority, and path cost as for any other physical port.
3.4.4.1. VLAN
When members are added to a Port-channel, they are removed from all existing VLAN membership. When members are removed from a Port-channel, they are added back to the VLANs that they were previously members of as per the configuration file. Note that a port's VLAN membership can still be configured while it is a member of a Port-channel. However, this configuration is only actually applied when the port leaves the Port-channel.
The Port-channel interface can be a member of a VLAN complying with IEEE 802.1Q.
3.4.4.2. STP
Spanning tree does not maintain state for members of a Port-channel, but the Spanning Tree does maintain state for the Port-channel interface. As far as STP is concerned, members of a Port-channel do not exist. (Internally, the STP state of the Port-channel interface is replicated for the member links.)
When members are deleted from a Port-channel they become normal links, and spanning tree maintains their state information.
3.4.4.3. Statistics
Statistics are maintained for all Port-channel interfaces as they are for the physical ports, in addition to the statistics maintained for individual members as per the 802.3ad MIB.

3.4.5. Port-channel Configuration Guidelines

Ports to be aggregated must be configured so that they are compatible with the Port-channel feature and with the partner switch to which they connect.
Ports to be added to a Port-channel must meet the following requirements:
Interface must be a physical Ethernet link.
Each member of the Port-channel must be running at the same speed and must be in full duplex mode.
The port cannot be a mirrored port.
The following are the interface restrictions:
The configured speed of a Port-channel member cannot be changed.
An interface can be a member of only one Port-channel.
3.4.5.1. Port-channel Configuration Examples
This section contains the following examples:
Configuring Dynamic Port-channels
Configuring Static Port-channels
Note: The examples in this section show the configuration of only one switch. Because Port-channels involve physical links between two switches, the Port-channel settings and member ports must be configured on both switches.
3.4.5.2. Configuring Dynamic Port-channels
The commands in this example show how to configure a dynamic Port-channel on a switch. The Port-channel number is 1 (ch1), and the member ports are 1, 2, 3, 6, and 7.
To configure the switch:
1. Enter interface configuration mode for the ports that are to be configured as Port-channel members.
(Switch) #config
(Switch) (Config)#interface range 0/1-0/3,0/6-0/7
2. Add the ports to Port-channel 1 with LACP.
(Switch) (Interface 0/1-0/3,0/6-0/7)#channel-group 1 mode active
(Switch) (Interface 0/1-0/3,0/6-0/7)#exit
3. View information about Port-channel 1.
(Switch) #show interface port-channel 1
Port Channel ID................................ 1
Channel Name................................... ch1
Link State..................................... Down
Admin Mode..................................... Enabled
Link Trap Mode................................. Enabled
STP Mode....................................... Enabled
Type........................................... Dynamic
Port-channel Min-links......................... 1
Load Balance Option............................ 3
(Src/Dest MAC, VLAN, EType, incoming port)
LACP Min. Links................................ 1
Mbr Device/ Port Port
Ports Timeout Speed Active
------ ------------- --------- -------
0/1 actor/long 10G Full False
partner/long
0/2 actor/long 10G Full False
partner/long
0/3 actor/long 10G Full False
partner/long
0/6 actor/long 10G Full False
partner/long
0/7 actor/long 10G Full False
partner/long
3.4.5.3. Configuring Static Port-channels
The commands in this example show how to configure a static Port-channel on a switch. The Port-channel number is 3 (ch3), and the member ports are 10, 11, 14, and 17. To configure the switch:
1. Enter interface configuration mode for the ports that are to be configured as Port-channel members.
(Switch) (Config)#interface range 0/10-0/12,0/14,0/17
2. Add the ports to Port-channel 3 without LACP.
(Switch) (Interface 0/10-0/12,0/14,0/17)#channel-group 3 mode on
(Switch) (Interface 0/10-0/12,0/14,0/17)#exit
(Switch) (Config)#exit
3. View information about Port-channel 3.
(Switch) #show interface port-channel 3
Port Channel ID................................ 3
Channel Name................................... ch3
Link State..................................... Down
Admin Mode..................................... Enabled
Link Trap Mode................................. Enabled
STP Mode....................................... Enabled
Type........................................... Static
Port-channel Min-links......................... 1
Load Balance Option............................ 3
(Src/Dest MAC, VLAN, EType, incoming port)
LACP Min. Links................................ 1
Mbr Device/ Port Port
Ports Timeout Speed Active
------ ------------- --------- -------
0/10 actor/long 10G Full False
partner/long
0/11 actor/long 10G Full False
partner/long
0/12 actor/long 10G Full False
partner/long
0/14 actor/long 10G Full False
partner/long
0/17 actor/long 10G Full False
partner/long

3.5. LACP Fallback Configuration

3.5.1. Configuring Dynamic Port-channels

The commands in this example show how to configure a dynamic Port-channel on a switch. The Port-channel number is 1 (ch1), and the member ports are 1, 2, 3, 6, and 7.
To configure the switch:
1. Enter interface configuration mode for the ports that are to be configured as Port-channel members.
(Switch) #config
(Switch) (Config)#interface range 0/1-0/3,0/6-0/7
2. Add the ports to Port-channel 1 with LACP.
(Switch) (Interface 0/1-0/3,0/6-0/7)#channel-group 1 mode active
(Switch) (Interface 0/1-0/3,0/6-0/7)#exit
3. View information about Port-channel 1.
(Switch) #show interface port-channel 1
Port Channel ID................................ 1
Channel Name................................... ch1
Link State..................................... Down
Admin Mode..................................... Enabled
Link Trap Mode................................. Enabled
STP Mode....................................... Enabled
Type........................................... Dynamic
Port-channel Min-links......................... 1
Load Balance Option............................ 3
(Src/Dest MAC, VLAN, EType, incoming port)
LACP Min. Links................................ 1
Mbr Device/ Port Port
Ports Timeout Speed Active
------ ------------- --------- -------
0/1 actor/long 10G Full False
partner/long
0/2 actor/long 10G Full False
partner/long
0/3 actor/long 10G Full False
partner/long
0/6 actor/long 10G Full False
partner/long
0/7 actor/long 10G Full False
partner/long
4. (Optional) Enable the LACP Fallback feature, which lets the switch keep one LACP member port link up even if the LACP port does not receive LACP messages from the other side.
(Switch) (Config)#interface port-channel 1
(Switch) (if-port-channel ch1)#lacp fallback
5. (Optional) Verify LACP Fallback feature of Port-channel 1.
(Switch) #show interface port-channel 1
Port Channel ID................................ 1
Channel Name................................... ch1
Link State..................................... Down
Admin Mode..................................... Enabled
Link Trap Mode................................. Disabled
STP Mode....................................... Enabled
Type........................................... Dynamic
Port-channel Min-links......................... 1
Load Balance Option............................ 3
(Src/Dest MAC, VLAN, EType, incoming port)
LACP Fallback Mode............................. Enabled
LACP Fallback Timeout.......................... 5
LACP Min. Links................................ 1
Mbr Device/ Port Port Fallback
Ports Timeout Speed Active
------ ------------- --------- ------- ---------
0/1 actor/long 10G Full False None
partner/long
0/2 actor/long 10G Full False None

3.5.2. Configuring Static Port-channels

The commands in this example show how to configure a static Port-channel on a switch. The Port-channel number is 3 (ch3), and the member ports are 10, 11, 14, and 17. To configure the switch:
1. Enter interface configuration mode for the ports that are to be configured as Port-channel members.
(Switch) (Config)#interface range 0/10-0/12,0/14,0/17
2. Add the ports to Port-channel 3 without LACP.
(Switch) (Interface 0/10-0/12,0/14,0/17)#channel-group 3 mode on
(Switch) (Interface 0/10-0/12,0/14,0/17)#exit
(Switch) (Config)#exit
3. View information about Port-channel 3.
(Switch) #show interface port-channel 3
Port Channel ID................................ 3
Channel Name................................... ch3
Link State..................................... Down
Admin Mode..................................... Enabled
Link Trap Mode................................. Enabled
STP Mode....................................... Enabled
Type........................................... Static
Port-channel Min-links......................... 1
Load Balance Option............................ 3
(Src/Dest MAC, VLAN, EType, incoming port)
LACP Min. Links................................ 1
Mbr Device/ Port Port
Ports Timeout Speed Active
------ ------------- --------- -------
0/10 actor/long 10G Full False
partner/long
0/11 actor/long 10G Full False
partner/long
0/12 actor/long 10G Full False
partner/long
0/14 actor/long 10G Full False
partner/long
0/17 actor/long 10G Full False
partner/long

3.6. MLAG – Operation and Configuration

3.6.1. Overview

In a typical layer-2 network, the Spanning Tree Protocol (STP) is deployed to avoid packet storms due to loops in the network. To perform this function, STP sets ports into either a forwarding state or a blocking state.
Ports in the blocking state do not carry traffic. In the case of a topology change, STP reconverges to a new loop-free network and updates the port states. STP is relatively successful mitigating packet storms in the network, but redundant links in the network are blocked from carrying traffic by the spanning tree protocol.
In some network deployments, redundant links between two switches are bundled together in a Port-channel and appear as a single link in the spanning tree topology. The advantage is that all Port-channel member links can be in the forwarding state and a link failure can be recovered in
milliseconds.
This allows the bandwidth on the redundant links to be utilized. However, Port-channels are limited to connecting multiple links between two partner switches, which leaves the switch as a single point of failure in the topology.
The MLAG extends the Port-channel bandwidth advantage across multiple switches connected to a Port-channel partner device. The Port-channel partner device is oblivious to the fact that it is connected over a Port-channel to two peer switches; instead, the two switches appear as a single switch to the partner with a single MAC address. All links can carry data traffic across a physically diverse topology and in the case of a link or switch failure, traffic can continue to flow with minimal disruption.

3.6.2. Deployment Scenarios

MLAG is intended to support higher bandwidth utilization in scenarios where a redundant layer-2 network is desired. In such scenarios the effects of STP on link utilization are profound. Large percentages of links do not carry data because they are blocked and only a single path through the network carries traffic.
Figure 3-5: STP Blocking
MLAG reduces some of the bandwidth shortcomings of STP in a layer-2 network. It provides a reduced convergence period when a port-channel link goes down and provides more bandwidth because all links can forward traffic. In the figure below, if SW1 and SW2 form a MLAG with SW3 and SW4, none of the links are blocked, which means traffic can flow over both links from SW4 through to SW1 and SW2 over both links from SW1 and SW2 to SW3.
3.6.2.1. Definitions
Figure 3-6: MLAG in a Layer-2 Network
Refer to the following figure for the definitions that follow the figure.
Figure 3-7: MLAG Components
MLAG switches: MLAG-aware switches running switch firmware. No more than two MLAG aware switches can pair to form one end of the Port-channel. In the previous figure, SW1 and SW2 are MLAG peer switches. These two switches form a single logical end point for the MLAG from the perspective of switch A.
MLAG interfaces: MLAG functionality is a property of Port-channels. Port-channels configured as MLAGs are called MLAG interfaces. Administrators can configure multiple instances of MLAG interfaces on the peer MLAG switches. Port-channel limitations and capabilities such as min-links and maximum number of ports supported per Port-channel also apply to MLAG interfaces.
MLAG member ports: Ports on the peer MLAG switches that are part of the MLAG interface (P1 on SW1 and S1 on SW2).
MLAG peer-link: A link between the two MLAG peer switches (ports P2, P3, S2, S3). Only one peer-link can be configured per device. The peer-link is crucial for the operation of the MLAG component. A Port-channel must be configured as the peer-link. All VLANs configured on MLAG interfaces must be configured on the peer-link as well.
MLAG Dual Control Plane Detection link: A virtual link that is used to advertise the Dual Control Plane Detection Protocol (DCPDP) packets between the two MLAG switches (ports P4, S4). DCPDP is optional but should be used with caution. The protocol is used as a secondary means of detecting the presence of the peer switch in the network. The DCPDP protocol must not be configured on MLAG interfaces.
3.6.2.2. Configuration Consistency
MLAG is operational only if the MLAG domain ID, MLAG system MAC address, and MLAG system priority are the same on both the MLAG peer switches.
Note: Configuring a MLAG domain ID is mandatory; the MLAG system MAC address and MLAG system priority are optional (these values are auto generated if not configured).
You must ensure that the neighboring devices connected to MLAG switches perceive the two switches as a single spanning tree and Link Aggregation Control Protocol (LACP) entity. To achieve this end, the following configuration settings must be identical for MLAG links on the MLAG peer switches:
1. Port-channel
Hashing mode
Minimum links
Static/dynamic Port-channel
LACP parameters
– Actor parameters
– Admin key
Collector max-delay
– Partner parameters
2. STP
The default STP mode is MSTP. The following STP configuration parameters must be identical on both MLAG peers.
Spanning-tree version (RSTP)
Bpdufilter
Bpduflood
Auto-edge
TCN-guard
Cost
Edgeport
STP Version
Root guard
Loop guard
3. Port-channel interface
The following Port-channel attributes must be identical for MLAG Port-channels:
Port-channel mode
Link speed
Duplex mode
MTU
Bandwidth
VLAN configuration
You must also ensure that the following are identical before enabling MLAG:
FDB entry aging timers
Static MAC entries.
ACL configuration
4. Interface Configuration
PFC configuration
CoS queue assignments
5. VLAN configuration
MLAG VLANs must span the MLAG topology and be configured on both MLAG peers. This means that
every MLAG VLAN must connect to two partner Port-channels.
VLAN termination of a MLAG VLAN on a MLAG peer is not supported.
6. Switch firmware versions
Except during firmware upgrade, the peer switch firmware versions must be identical, as subtle differences between versions may cause instability.
You must ensure that the above configuration items are configured identically on the MLAG interfaces on both of the MLAG peers before enabling the MLAG feature. If the configuration settings are not in sync, the MLAG behavior is undefined. Once the above configuration is in place and consistent, the two switches will form a MLAG that operates in the desired manner. The MLAG may form even if the configuration is not consistent, however, it may not operate consistently in all situations.

3.6.3. MLAG Fast Failover

If a switch does not support MLAG fast failover, when the primary switch fails, the secondary switch restarts the LACP protocol on its MLAG member ports. STP is also restarted on the secondary device's MLAG member ports. Until LACP and STP reconverge, the partner device is disconnected from the MLAG domain.
With fast failover support, neither LACP reconvergence nor STP reconvergence occurs, and minimal traffic loss is observed when the primary device fails. During the failover, traffic that is being forwarded using the links connected to the primary device fails over to links connected to the secondary device. The traffic disruption is limited to the time required for the partner devices dual-attached to the MLAG domain to detect the link down (links connected to the primary device) and redistribute the traffic using the links connected to the secondary device.

3.6.4. MLAG Configuration

Refer to the following figure for a visual overview of the MLAG configuration steps that follow the figure.
Figure 3-8: MLAG Configuration Diagram
To configure MLAG:
1. Enter VLAN data base mode and create the MLAG VLANs.
(Switch) (Config)#vlan database
(Switch) (Vlan)#vlan 1-100
2. Enable the MLAG feature.
(Switch) #config
(Switch) (Config)#mlag
3. Create the MLAG domain ID. The domain ID configured on both MLAG peer switches should be the same. In a two-tier MLAG topology, each pair should have a different domain ID.
(Switch) (Config)#mlag domain 1
4. Configure the MLAG system MAC address and/or MLAG system priority (optional).
(Switch) (Config)#mlag system-mac C4:54:44:01:01:01
5. Enable the keepalive protocol.
(Switch) (Config)#mlag peer-keepalive enable
6. Configure the MLAG role priority (optional).
(Switch) (Config)#mlag role priority 10
7. Create Port-channel 1.
(Switch) (Config)#interface port-channel 1
(Switch) (if-port-channel ch1)#description "MLAG-Peer-Link"
8. Allow the Port-channel to participate in all VLANs and accept and send tagged frames only. This is similar to configuring a port in trunk mode.
(Switch) (if-port-channel ch1)#switchport allowed vlan add tagged 1-99
(Switch) (if-port-channel ch1)#switchport acceptable-frame-types tagged
(Switch) (if-port-channel ch1)#mlag peer-link
(Switch) (if-port-channel ch1)#exit
9. Create the peer link.
(Switch) (Config)#interface range 0/1-0/2
(Switch) (Interface 0/1-0/2)#channel-group 1 mode active
(Switch) (Interface 0/1-0/2)#description "MLAG-Peer-Link"
10. Enable UDLD (if required).
(Switch) (Interface 0/1-0/2)#udld enable
(Switch) (Interface 0/1-0/2)#udld port aggressive
(Switch) (Interface 0/1-0/2)#exit
11. Configure the Dual Control Plane Detection Protocol (if required):
a. Configure the peer-switch IP address (the destination IP address; using the serviceport is recommended). This command configures the IP address of the peer MLAG switch. This configuration is used by the dual control plane detection protocol (DCPDP) on the MLAG switches. The UDP port on which the MLAG switch listens for DCPDP messages can also be configured with this command. The configurable range for the UDP port is 1 to 65535 (default is 60000).
(Switch) (Config)#serviceport protocol none
(Switch) (Config)#serviceport ip 192.168.0.2 255.255.255.0 192.168.0.254
b. Configure the keepalive source and destination IP address.
(Switch) #config
(Switch) (Config)#mlag peer-keepalive destination 192.168.0.1 source 192.168.0.2
12. Configure a Port-channel as MLAG interface. The configurable range for the MLAG ID is 1 to 63.
(Switch) (Config)#interface range 0/3-0/6
(Switch) (Interface 0/3-0/6)#channel-group 2 mode active
(Switch) (Interface 0/3-0/6)#exit
(Switch) (Config)#interface range 0/7-0/10
(Switch) (Interface 0/7-0/10)#channel-group 3 mode active
(Switch) (Interface 0/7-0/10)#exit
(Switch) (Config)#interface port-channel 2
(Switch) (if-port-channel ch2)#switchport allowed vlan add tagged 1-99
(Switch) (if-port-channel ch2)#switchport acceptable-frame-types tagged
(Switch) (if-port-channel ch2)#mlag 1
(Switch) (if-port-channel ch2)#exit
(Switch) (Config)#interface lag 3
(Switch) (if-port-channel ch3)#switchport allowed vlan add tagged 1-99
(Switch) (if-port-channel ch3)#switchport acceptable-frame-types tagged
(Switch) (if-port-channel ch3)#mlag 2
(Switch) (if-port-channel ch3)#exit
13. MLAG can work together with RSTP to provide a loop prevention mechanism, so that a miscabled connection does not lead to a broadcast storm that takes down the network.
(Switch) (Config)#spanning-tree mode rstp
(Switch) (Config)#spanning-tree
14. IGMP snooping support is provided. If the network environment needs multicast traffic, IGMP snooping can be enabled alongside MLAG, and the two features cooperate.
(Switch) (Config)#vlan database
(Switch) (Vlan)#vlan 40
(Switch) (Vlan)#set igmp 40
(Switch) (Vlan)#exit
(Switch) (Config)#ip igmp snooping
You must ensure that the port channel configurations on both devices are in sync before enabling MLAG. After the MLAG interfaces are enabled, the MLAG interfaces are operationally shut down. The MLAG component exchanges information regarding the port members that constitute the Port-channel on each device. Once this information is populated on both devices, the MLAG interfaces are operationally up and traffic forwarding on MLAG interfaces is allowed. Port-channels must be configured on both devices as MLAG interfaces for the MLAG interface to be enabled. Also, the port-channel-number: MLAG-Id pair must be the same on both the primary and secondary devices.
Member ports can be added or removed from the MLAG interface. If a port is added as a port member to a MLAG interface, the Primary allows the port member if the maximum criteria is satisfied. When a port member is removed from the MLAG interface, the Primary decides if the minimum criteria is satisfied. If it is not, it will shut down the MLAG interface on both the devices. Shutting down the MLAG interface on the Secondary is not allowed. The MLAG interface can only be shut down on the Primary.
FDB entries learned on MLAG interfaces are synced between the two devices. In the case where all MLAG member ports are UP, data traffic does not traverse the peer link.

3.7. Unidirectional Link Detection (UDLD)

The UDLD feature detects unidirectional links on physical ports. UDLD must be enabled on the both sides of the link in order to detect a unidirectional link. The UDLD protocol operates by exchanging packets containing information about neighboring devices.
The purpose of UDLD feature is to detect and avoid unidirectional links. A unidirectional link is a forwarding anomaly in a Layer 2 communication channel in which a bidirectional link stops passing traffic in one direction.

3.7.1. UDLD Modes

The UDLD supports two modes: normal and aggressive.
In normal mode, a port's state is classified as undetermined if an anomaly exists. An anomaly might be the absence of its own information in received UDLD messages or the failure to receive UDLD messages. An undetermined state has no effect on the operation of the port. The port is not disabled and continues operating. When operating in UDLD normal mode, a port will be put into a disabled state (D-Disable) only in the following situations:
The UDLD PDU received from a partner does not have its own details (echo).
When there is a loopback, and information sent out on a port is received back exactly as it was sent.
When operating in UDLD aggressive mode, a port is put into a disabled state for the same reasons that it occurs in normal mode. Additionally, a port in UDLD aggressive mode can be disabled if the port does not receive any UDLD echo packets even after a bidirectional connection was established. If a bidirectional link is established, and packets suddenly stop coming from the partner device, the UDLD aggressive-mode port assumes that the link has become unidirectional.

3.7.2. UDLD and Port-channel Interfaces

UDLD is supported on individual physical ports that are members of a Port-channel. If any of the aggregated links becomes unidirectional, UDLD detects it and disables the individual link, but not the entire Port-channel. This improves the fault tolerance of the Port-channel.

3.7.3. Configuring UDLD

A network administrator decides to use the UDLD feature while building a loop-free topology with the use of STP. You must configure the ports on both sides of the link to use UDLD in aggressive mode to ensure that ports with unidirectional links are shut down, and no loops are introduced into the topology. This example shows the steps to configure UDLD on Switch 1 only. The same configuration must be performed on all ports that form partner links with the ports on Switch 1.
Figure 3-9: UDLD Configuration Example
To configure the ports on Switch 1:
1. Globally enable UDLD on the switch.
(Switch) #configure
(Switch) (Config)#udld enable
2. Enter interface configuration mode for the ports that are connected to other switches and enable UDLD on the ports.
(Switch) (Config)#interface range 0/2,0/5,0/8
(Switch) (Interface 0/2,0/5,0/8)#udld enable
3. Configure the UDLD mode on the ports to be aggressive.
(Switch) (Interface 0/2,0/5,0/8)#udld port aggressive
(Switch) (Interface 0/2,0/5,0/8)#exit
(Switch) (Config)#exit
4. After configuring UDLD on Switch 2, Switch 3, and Switch 4, view the UDLD status for the ports.
(Switch) #show udld all
Port   Admin Mode  UDLD Mode   UDLD Status
-----  ----------  ----------  --------------
0/1    Disabled    Normal      Not Applicable
0/2    Enabled     Aggressive  Bidirectional
0/3    Disabled    Normal      Not Applicable
0/4    Disabled    Normal      Not Applicable
0/5    Enabled     Aggressive  Bidirectional
0/6    Disabled    Normal      Not Applicable
0/7    Disabled    Normal      Not Applicable
0/8    Enabled     Aggressive  Bidirectional
0/9    Disabled    Normal      Not Applicable
--More-- or (q)uit
Note: If a port has become disabled by the UDLD feature and you want to re-enable the port, use the udld reset command in Privileged EXEC mode.
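A check for the verification step above, as an added Python example that is not part of the NETGEAR manual: it parses the `show udld all` table and reports inter-switch ports that are not running UDLD in aggressive mode or whose status is not Bidirectional (the state a correctly cabled, UDLD-protected link should settle in). The sample output and the list of "uplink" ports are constructed for the example; the status strings other than Bidirectional and Not Applicable are illustrative.

```python
"""Audit `show udld all` output for inter-switch ports.

Added example, not from the NETGEAR manual. SAMPLE_OUTPUT is constructed to
match the layout of the manual's `show udld all` table; the uplink set passed
to audit_udld() is an assumption made for the example.
"""
import re

# Constructed sample: same column layout as the switch prints.
SAMPLE_OUTPUT = """\
Port   Admin Mode  UDLD Mode   UDLD Status
-----  ----------  ----------  --------------
0/1    Disabled    Normal      Not Applicable
0/2    Enabled     Aggressive  Bidirectional
0/3    Disabled    Normal      Not Applicable
0/4    Disabled    Normal      Not Applicable
0/5    Enabled     Normal      Bidirectional
0/6    Disabled    Normal      Not Applicable
0/7    Disabled    Normal      Not Applicable
0/8    Enabled     Aggressive  Undetermined
0/9    Disabled    Normal      Not Applicable
--More-- or (q)uit
"""

# One data row: port, admin mode, UDLD mode, then the rest of the line as status.
ROW = re.compile(r"^(\d+/\d+)\s+(Enabled|Disabled)\s+(Normal|Aggressive)\s+(.+?)\s*$")


def parse_udld(text):
    """Return {port: {"admin": ..., "mode": ..., "status": ...}} from the table."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, admin, mode, status = m.groups()
            ports[port] = {"admin": admin, "mode": mode, "status": status}
    return ports


def _port_key(port):
    # Sort "0/10" after "0/9" rather than lexically.
    return tuple(int(x) for x in port.split("/"))


def audit_udld(text, uplinks):
    """Return [(port, reason)] for every uplink that is not fully protected.

    Expected state for a port facing another switch: admin Enabled, mode
    Aggressive, status Bidirectional. Anything else is worth a look before
    trusting STP to keep the topology loop-free.
    """
    ports = parse_udld(text)
    findings = []
    for port in sorted(uplinks, key=_port_key):
        info = ports.get(port)
        if info is None:
            findings.append((port, "port missing from show udld all output"))
            continue
        if info["admin"] != "Enabled":
            findings.append((port, "UDLD not enabled on inter-switch port"))
            continue
        if info["mode"] != "Aggressive":
            findings.append((port, f"mode is {info['mode']}, expected Aggressive"))
        if info["status"] != "Bidirectional":
            findings.append((port, f"status is {info['status']}, link not verified bidirectional"))
    return findings


if __name__ == "__main__":
    for port, reason in audit_udld(SAMPLE_OUTPUT, {"0/2", "0/5", "0/8"}):
        print(f"{port}: {reason}")
```

Feed it the captured output of `show udld all` from each switch together with that switch's set of inter-switch ports; an empty result means every uplink is in aggressive mode with a verified bidirectional partner.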

3.8. Port Mirroring

Port mirroring is used to monitor the network traffic that a port sends and receives. The Port Mirroring feature creates a copy of the traffic that the source port handles and sends it to a destination port. The source port is the port that is being monitored. The destination port is monitoring the source port. The destination port is where you would connect a network protocol analyzer to learn more about the traffic that is handled by the source port.
A port monitoring session includes one or more source ports that mirror traffic to a single destination port. The switch supports a single port monitoring session. Port-channels cannot be used as the source or destination ports.
For each source port, you can specify whether to mirror ingress traffic (traffic the port receives, or RX), egress traffic (traffic the port sends, or TX), or both ingress and egress traffic.
The packet that is copied to the destination port is in the same format as the original packet on the wire. This means that if the mirror is copying a received packet, the copied packet is VLAN tagged or untagged as it was received on the source port. If the mirror is copying a transmitted packet, the copied packet is VLAN tagged or untagged as it is being transmitted on the source port.
After you configure the port mirroring session, you can enable or disable the administrative mode of the session to start or stop the probe port from receiving mirrored traffic.

3.8.1. Configuring Port Mirroring

In this example, traffic from ports 1 and 4 is mirrored to probe port 10.
1. Configure the source ports. Traffic received and transmitted on these ports will be mirrored.
(Switch) #configure
(Switch) (Config)#port-monitor session 1 source interface 0/1
2. Configure the destination (probe) port.
(Switch) (Config)#port-monitor session 1 destination interface 0/10
3. Enable port mirroring on the switch.
(Switch) (Config)#port-monitor session 1 mode
(Switch) (Config)#exit
4. View summary information about the port mirroring configuration.
(M4500-48XF8C) #show port-monitor session 1
Session  Admin   Probe  Src   Mirrored  Ref.  Src    Dst    Type   IP   MAC
ID       Mode    Port   VLAN  Port      Port  RVLAN  RVLAN         ACL  ACL
-------  ------  -----  ----  --------  ----  -----  -----  -----  ---  ---
1        Enable  0/10         0/1                           Rx,Tx

3.8.2. Configuring RSPAN

This example mirrors traffic from port 6 on a source switch (SW1) to a probe port on a remote switch (port 12 on SW3). The mirrored traffic is carried in the RSPAN VLAN, VLAN 100, which traverses an intermediate switch (SW2). The commands in this example show how to configure port mirroring on the source, intermediate, and destination switches.
The following figure provides a visual overview of the RSPAN configuration example.
Figure 3-10: RSPAN Configuration Example
3.8.2.1. Configuration on the Source Switch (SW1)
To configure the source switch:
1. Access the VLAN configuration mode and create VLAN 100, which will be the RSPAN VLAN.
(Switch) #configure
(Switch) (Config)#vlan database
(Switch) (Vlan)#vlan 100
(Switch) (Vlan)#exit
2. Configure VLAN 100 as the RSPAN VLAN.
(Switch) #configure
(Switch) (Config)#vlan 100
(Switch) (Config)(vlan 100)#remote-span
(Switch) (Config)(vlan 100)#exit
3. Configure the RSPAN VLAN as the destination port and the reflector port as port 0/48.
(Switch) #configure
(Switch) (Config)#port-monitor session 1 destination remote vlan 100 reflector-port 0/48
4. Configure the source interface port as port 0/6.
(Switch) (Config)#port-monitor session 1 source interface 0/6
5. Enable the port mirroring session on the switch.
(Switch) (Config)#port-monitor session 1 mode
(Switch) (Config)#exit
3.8.2.2. Configuration on the Intermediate Switch (SW2)
To configure the intermediate switch:
1. Access the VLAN configuration mode and create VLAN 100.
(Switch) #configure
(Switch) (Config)#vlan database
(Switch) (Vlan)#vlan 100
(Switch) (Vlan)#exit
2. Enable RSPAN on vlan 100.
(Switch) #configure
(Switch) (Config)#vlan 100
(Switch) (Config)(vlan 100)#remote-span
(Switch) (Config)(vlan 100)#exit
3. Configure VLAN participation so the interface is always a member of the VLAN.
(Switch) (Config)#interface 0/10
(Switch) (Interface 0/10)#switchport allowed vlan add tagged 100
(Switch) (Interface 0/10)#exit
4. Configure VLAN participation so the interface is always a member of the VLAN.
(Switch) (Config)#interface 0/48
(Switch) (Interface 0/48)#switchport allowed vlan add tagged 100
(Switch) (Interface 0/48)#exit
3.8.2.3. Configuration on the Destination Switch (SW3)

3.8.3. VLAN-based Mirroring

In this example, traffic from all ports that are members of VLAN 10 is mirrored to port 0/18. To configure VLAN based mirroring:
1. Access VLAN Config mode and create VLAN 10.
(Switch) (Config)#vlan database
(Switch) (Vlan)#vlan 10
(Switch) (Vlan)#exit
2. Configure the destination interface port as port 0/18.
(Switch) #configure
(Switch) (Config)#port-monitor session 1 destination interface 0/18
3. Configure VLAN 10 as the source interface for the port mirroring session.
(Switch) (Config)#port-monitor session 1 source vlan 10
4. Enable the port mirroring session on the switch.
(Switch) (Config)#port-monitor session 1 mode
(Switch) (Config)#exit

3.8.4. Flow-based Mirroring

In this example, traffic from port 1 is mirrored to port 18 if it matches the criteria defined in the IP ACL or MAC ACL that are associated with the port mirroring session.
To configure flow based mirroring:
1. Create the extended IP access list IPACL.
(Switch) #configure
(Switch) (Config)#ip access-list IPACL
(Switch) (Config-ipv4-acl)#permit ip 1.1.1.1 0.0.0.0 any
(Switch) (Config-ipv4-acl)#exit
2. Create the mac access list MACL.
(Switch) #configure
(Switch) (Config)#mac access-list extended MACL
(Switch) (Config-mac-access-list)#permit 00:00:00:00:00:11 00:00:00:00:00:00 any
(Switch) (Config-mac-access-list)#exit
3. Configure the destination port as port 0/18.
(Switch) (Config)#port-monitor session 1 destination interface 0/18
4. Configure the source port as port 0/2.
(Switch) (Config)#port-monitor session 1 source interface 0/2
5. Enable the port mirroring session.
(Switch) (Config)#port-monitor session 1 mode
6. To filter L3 traffic so only flows that match the rules in the IP ACL called IPACL are mirrored to the destination port, add the IPACL ACL.
(Switch) (Config)#port-monitor session 1 filter ip access-group IPACL
7. To filter L2 traffic so only flows that match the rules in the MAC-based ACL called MACL are mirrored to the destination port, add the MACL ACL.
(Switch) (Config)#port-monitor session 1 filter mac access-group MACL
(Switch) (Config)#exit
Note: An IP ACL and a MAC ACL cannot both be applied to the same session at the same time. Apply either the IP ACL (step 6) or the MAC ACL (step 7), not both.
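To predict which frames a flow-based session actually copies to the probe port, it helps to model the ACL semantics the two rules above rely on: the second address in each rule is a wildcard mask (a 0 bit means "must match", a 1 bit means "don't care", so 0.0.0.0 is an exact host and 255.255.255.255 is `any`), rules are evaluated in order with first match winning, and an ACL ends with an implicit deny. The following is an added Python example, not code from the NETGEAR manual or the switch firmware; the packets are constructed sample data, and the deny-then-permit ACL at the end is an extra case not in the manual's example.

```python
"""Model flow-based mirroring: which packets pass the session's IP or MAC ACL.

Added example, not from the NETGEAR manual. IP_ACL and MAC_ACL reproduce the
rules from the example (IPACL / MACL); PACKETS and IP_ACL_DENY_FIRST are
constructed for illustration.
"""
import ipaddress


def ip_matches(addr, rule_addr, wildcard):
    """Wildcard-mask compare: bits set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (r & ~w & 0xFFFFFFFF)


def mac_matches(mac, rule_mac, mask):
    """Same idea for 48-bit MACs: mask ff:ff:ff:ff:ff:ff means 'any'."""
    m = int(mac.replace(":", ""), 16)
    r = int(rule_mac.replace(":", ""), 16)
    k = int(mask.replace(":", ""), 16)
    return (m & ~k & 0xFFFFFFFFFFFF) == (r & ~k & 0xFFFFFFFFFFFF)


ANY_IP = ("0.0.0.0", "255.255.255.255")
ANY_MAC = ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff")

# Rules as (action, (src, src_wildcard), (dst, dst_wildcard)).
IP_ACL = [("permit", ("1.1.1.1", "0.0.0.0"), ANY_IP)]              # IPACL from the example
MAC_ACL = [("permit", ("00:00:00:00:00:11", "00:00:00:00:00:00"), ANY_MAC)]  # MACL
# Constructed: order matters, the deny shadows the later /24 permit for 1.1.1.1.
IP_ACL_DENY_FIRST = [
    ("deny", ("1.1.1.1", "0.0.0.0"), ANY_IP),
    ("permit", ("1.1.1.0", "0.0.0.255"), ANY_IP),
]


def acl_permits(rules, src, dst, matcher):
    """First matching rule decides; no match means the implicit deny applies."""
    for action, (rs, rsm), (rd, rdm) in rules:
        if matcher(src, rs, rsm) and matcher(dst, rd, rdm):
            return action == "permit"
    return False


def mirrored_packets(packets, ip_acl=None, mac_acl=None):
    """Return the ids of packets the session copies to the probe port.

    The manual states a session takes an IP ACL or a MAC ACL, not both, so
    exactly one filter must be supplied.
    """
    if (ip_acl is None) == (mac_acl is None):
        raise ValueError("apply exactly one of ip_acl / mac_acl per session")
    copied = []
    for pkt in packets:
        if ip_acl is not None:
            ok = acl_permits(ip_acl, pkt["src_ip"], pkt["dst_ip"], ip_matches)
        else:
            ok = acl_permits(mac_acl, pkt["src_mac"], pkt["dst_mac"], mac_matches)
        if ok:
            copied.append(pkt["id"])
    return copied


# Constructed sample traffic seen on the mirrored source port.
PACKETS = [
    {"id": "p1", "src_ip": "1.1.1.1", "dst_ip": "10.9.9.9",
     "src_mac": "00:00:00:00:00:11", "dst_mac": "00:00:00:00:00:99"},
    {"id": "p2", "src_ip": "1.1.1.2", "dst_ip": "10.9.9.9",
     "src_mac": "00:00:00:00:00:11", "dst_mac": "00:00:00:00:00:99"},
    {"id": "p3", "src_ip": "1.1.1.1", "dst_ip": "10.9.9.8",
     "src_mac": "00:00:00:00:00:22", "dst_mac": "00:00:00:00:00:99"},
    {"id": "p4", "src_ip": "10.0.0.9", "dst_ip": "10.9.9.9",
     "src_mac": "00:00:00:00:00:33", "dst_mac": "00:00:00:00:00:99"},
]

if __name__ == "__main__":
    print("IPACL mirrors:", mirrored_packets(PACKETS, ip_acl=IP_ACL))
    print("MACL mirrors:", mirrored_packets(PACKETS, mac_acl=MAC_ACL))
    print("deny-first mirrors:", mirrored_packets(PACKETS, ip_acl=IP_ACL_DENY_FIRST))
```

The implicit deny is what makes flow-based mirroring a filter rather than a tap: anything the ACL does not explicitly permit never reaches the analyzer, so a rule written too narrowly silently hides traffic.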

3.9. Spanning Tree Protocol

Spanning Tree Protocol (STP) is a layer 2 protocol that provides a tree topology for switches on a bridged LAN. STP allows a network to have redundant paths without the risk of network loops. STP uses the spanning-tree algorithm to provide a single path between end stations on a network.
The switch supports Multiple STP and Rapid STP.

3.9.1. Classic STP, Multiple STP, and Rapid STP

Classic STP provides a single path between end stations, avoiding and eliminating loops. Multiple Spanning Tree Protocol (MSTP) is specified in IEEE 802.1s and supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over different interfaces. Each instance of the Spanning Tree behaves in the manner specified in IEEE 802.1w, Rapid Spanning Tree (RSTP), with slight modifications in the working but not the end effect (chief among the effects, is the rapid transitioning of the port to Forwarding). The difference between the RSTP and the traditional STP (IEEE 802.1D) is the ability to configure and recognize full-duplex connectivity and ports which are connected to end stations, resulting in rapid transitioning of the port to the Forwarding state and the suppression of Topology Change Notifications.
MSTP is compatible with both RSTP and STP and interoperates correctly with STP and RSTP bridges. An MSTP bridge can be configured to behave entirely as an RSTP bridge or an STP bridge.

3.9.2. STP Operation

The switches (bridges) that participate in the spanning tree elect a switch to be the root bridge for the spanning tree. The root bridge is the switch with the lowest bridge ID, which is computed from the unique identifier of the bridge and its configurable priority number. When two switches have an equal bridge ID value, the switch with the lowest MAC address is the root bridge.
After the root bridge is elected, each switch finds the lowest-cost path to the root bridge. The port that connects the switch to the lowest-cost path is the root port on the switch. The switches in the spanning tree also determine which ports have the lowest-path cost for each segment. These ports are the designated ports. Only the root ports and designated ports are placed in a forwarding state to send and receive traffic. All other ports are put into a blocked state to prevent redundant paths that might cause loops.
To determine the root path costs and maintain topology information, switches that participate in the spanning tree use Bridge Protocol Data Units (BPDUs) to exchange information.

3.9.3. MSTP in the Network

In the following diagram of a small 802.1D bridged network, STP is necessary to create an environment with full connectivity and without loops.
Figure 3-11: STP in a Small Bridged Network
Assume that Switch A is elected to be the Root Bridge, and Port 1 on Switch B and Switch C are calculated to be the root ports for those bridges, Port 2 on Switch B and Switch C would be placed into the Blocking state. This creates a loop-free topology. End stations in VLAN 10 can talk to other devices in VLAN 10, and end stations in VLAN 20 have a single path to communicate with other VLAN 20 devices.
The following figure shows the logical single STP network topology.
Figure 3-12: Single STP Topology
For VLAN 10 this single STP topology is fine and presents no limitations or inefficiencies. On the other hand, VLAN 20's traffic pattern is inefficient. All frames from Switch B will have to traverse a path through Switch A before arriving at Switch C. If the Port 2 on Switch B and Switch C could be used, these inefficiencies could be eliminated. MSTP does just that, by allowing the configuration of MSTIs based upon a VLAN or groups of VLANs. In this simple case, VLAN 10 could be associated with Multiple Spanning Tree Instance (MSTI) 1 and VLAN 20 could be associated with MSTI 2, where Port 1 on both Switch A and Switch B begin discarding and all others forwarding. This simple modification creates an active topology with a better distribution of network traffic and an increase in available bandwidth.
The logical representation of the MSTP environment for these three switches is shown in the following figure.
Figure 3-13: Logical MSTP Environment
For MSTP to correctly establish the different MSTIs as above, some additional changes are required. For example, the configuration would have to be the same on each and every bridge. That means that Switch B would have to add VLAN 10 to its list of supported VLANs. This is necessary with MSTP to allow the formation of Regions made up of all switches that exchange the same MST Configuration Identifier. It is within only these MST Regions that multiple instances can exist. It will also allow the election of Regional Root Bridges for each instance. One common and internal spanning tree (CIST) Regional Root for the CIST and an MSTI Regional Root Bridge per instance will enable the possibility of alternate paths through each Region. Above, Switch A is elected as both the MSTI 1 Regional Root and the CIST Regional Root Bridge, and after adjusting the Bridge Priority on Switch C in MSTI 2, it would be elected as the MSTI 2 Regional Root.
To further illustrate the full connectivity in an MSTP active topology, the following rules apply:
1. Each Bridge or LAN is in only one Region.
2. Every frame is associated with only one VID.
3. Frames are allocated either to the IST or MSTI within any given Region.
4. The internal spanning tree (IST) and each MSTI provides full and simple connectivity between all LANs and Bridges in a Region.
5. All Bridges within a Region reach a consistent agreement as to which ports interconnect that Region to a different Region and label those as Boundary Ports.
6. At the Boundary Ports, frames allocated to the CIST or MSTIs are forwarded or not forwarded alike.
7. The CIST provides full and simple connectivity between all LANs and Bridges in the network.

3.9.4. Optional STP Features

The switch supports the following optional STP features:
• BPDU flooding
• Edge Port
• Root guard
• Loop guard
• BPDU protection
3.9.4.1. BPDU Flooding
The BPDU flooding feature determines the behavior of the switch when it receives a BPDU on a port that is disabled for spanning tree. If BPDU flooding is configured, the switch will flood the received BPDU to all the ports on the switch which are similarly disabled for spanning tree.
3.9.4.2. Edge Port
The Edge Port feature reduces the STP convergence time by allowing ports that are connected to end devices (such as a desktop computer, printer, or file server) to transition to the forwarding state without going through the listening and learning states.
3.9.4.3. Root Guard
Enabling root guard on a port ensures that the port does not become a root port or a blocked port. When a switch is elected as the root bridge, all ports are designated ports unless two or more ports of the root bridge are connected together. If the switch receives superior STP BPDUs on a root-guard enabled port, the root guard feature moves this port to a root-inconsistent STP state, which is effectively equal to a listening state. No traffic is forwarded across this port. In this way, the root guard feature enforces the position of the root bridge.
When the STP mode is MSTP, the port may be a designated port in one MSTI and an alternate port in the CIST, and so on. Root guard is a per-port configuration (not a per-port per-instance command), so that all the MSTP instances that this port participates in are not in a root role.
3.9.4.4. Loop Guard
Loop guard protects a network from forwarding loops induced by BPDU packet loss. The reasons for failing to receive packets are numerous, including heavy traffic, software problems, incorrect configuration, and unidirectional link failure. When a non-designated port no longer receives BPDUs, the spanning-tree algorithm considers that this link is loop free and begins transitioning the link from blocking to forwarding. Once in forwarding state, the link may create a loop in the network.
Enabling loop guard prevents such accidental loops. When a port is no longer receiving BPDUs and the max age timer expires, the port is moved to a loop-inconsistent blocking state. In the loop-inconsistent blocking state, traffic is not forwarded so the port behaves as if it is in the blocking state. The port will remain in this state until it receives a BPDU. It will then transition through the normal spanning tree states based on the information in the received BPDU.
Note: Loop Guard should be configured only on non-designated ports. These include ports in alternate or backup roles. Root ports and designated ports should not have loop guard enabled so that they can forward traffic.
3.9.4.5. BPDU Protection
When the switch is used as an access layer device, most ports function as edge ports that connect to a device such as a desktop computer or file server. Such a port has a single, direct connection and is configured as an edge port to implement the fast transition to the forwarding state. When the port receives a BPDU packet, the system sets it to non-edge port and recalculates the spanning tree, which causes network topology flapping. In normal cases, these ports do not receive any BPDU packets. However, an attacker can forge BPDUs and send them into an edge port to cause the topology to flap.
BPDU protection can be enabled in RSTP to prevent such attacks. When BPDU protection is enabled, the switch disables an edge port that receives a BPDU and notifies the network manager.

3.9.5. STP Configuring Examples

3.9.5.1. Configuring MSTP
This example shows how to configure IEEE 802.1s Multiple Spanning Tree (MST) protocol on the switches shown in the following figure.
Figure 3-14: MSTP Configuration Example
To make multiple switches be part of the same MSTP region, make sure the STP operational mode for all switches is MSTP. Also, make sure the MST region name and revision level are the same for all switches in the region.
To configure the switches:
1. Create VLAN 10 and VLAN 20 (all switches).
Note: Even though Switch B does not have any ports that are members of VLAN 10, this VLAN must be created to allow the formation of MST regions made up of all bridges that exchange the same MST Configuration Identifier. It is only within these MST Regions that multiple instances can exist.
(Switch) #config
(Switch) (Config)#vlan database
(Switch) (Vlan)#vlan 10,20
(Switch) (Vlan)#exit
2. Set the STP operational mode to MSTP.
(Switch) #config
(Switch) (Config)#spanning-tree mode mstp
3. Create MST instance 10 and associate it to VLAN 10.
(Switch) (Config)#spanning-tree mst instance 10
(Switch) (Config)#spanning-tree mst vlan 10 10
4. Create MST instance 20 and associate it to VLAN 20.
(Switch) (Config)#spanning-tree mst instance 20
(Switch) (Config)#spanning-tree mst vlan 20 20
5. Change the region name so that all the bridges that want to be part of the same region can form the region.
(Switch) (Config)#spanning-tree configuration name NETGEAR
6. (Switch A only) Make Switch A the Regional Root for MST instance 10 by giving it a better (numerically lower) priority for MST ID 10 than the default of 32768.
(Switch) (Config)#spanning-tree mst priority 10 12288
7. (Switch A only) Change the priority of MST ID 20 to ensure Switch C is the Regional Root bridge for this MSTI.
(Switch) (Config)#spanning-tree mst priority 20 61440
8. (Switch C only) Change the priority of Switch C to force it to be the root bridge for MST 20.
(Switch) (Config)#spanning-tree mst priority 20 12288
(Switch) (Config)#exit
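The election described in 3.9.2 (lowest bridge ID wins; priority is compared first, the MAC address breaks ties) applied to the priorities configured in the steps above, as an added Python example. This is not code from the NETGEAR manual: the MAC addresses are assumed for the example, and the "rogue" bridge at the end is a constructed case showing why root guard and BPDU protection (3.9.4) belong on edge ports.

```python
"""Root-bridge election for the MSTP example, per instance.

Added example, not from the NETGEAR manual. Priorities are those set in the
configuration steps; MAC addresses and the rogue bridge are assumptions.
"""

DEFAULT_PRIORITY = 32768  # IEEE 802.1 default bridge priority


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def bridge_id(priority, mac):
    """Bridge ID as compared in BPDUs: 16-bit priority field, then 48-bit MAC.

    Only the top 4 bits of the priority field are configurable (steps of
    4096). In MSTP the low 12 bits carry the instance ID, which is the same for
    every bridge competing in one instance and so does not affect the order.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return (priority << 48) | mac_to_int(mac)


def elect_root(switches, instance):
    """switches: {name: {"mac": str, "priority": {instance: value}}}.

    Instance 0 is the CIST. Returns the name of the bridge with the lowest ID;
    bridges with no priority set for the instance use the default.
    """
    def key(name):
        sw = switches[name]
        return bridge_id(sw["priority"].get(instance, DEFAULT_PRIORITY), sw["mac"])
    return min(switches, key=key)


# Priorities from steps 6-8 above; MAC addresses assumed for the example.
SWITCHES = {
    "A": {"mac": "00:11:22:33:44:0a", "priority": {10: 12288, 20: 61440}},
    "B": {"mac": "00:11:22:33:44:0b", "priority": {}},
    "C": {"mac": "00:11:22:33:44:0c", "priority": {20: 12288}},
}

# Constructed case: a device plugged into an edge port advertising priority 0.
ROGUE = {"mac": "00:de:ad:be:ef:01", "priority": {0: 0}}


def with_rogue(switches):
    """Return the topology with the rogue bridge added to the election."""
    merged = dict(switches)
    merged["rogue"] = ROGUE
    return merged


if __name__ == "__main__":
    for inst in (0, 10, 20):
        print(f"instance {inst}: root = {elect_root(SWITCHES, inst)}")
    print("with rogue bridge on an unguarded port: CIST root =",
          elect_root(with_rogue(SWITCHES), 0))
```

With no CIST priority configured, all three switches sit at 32768 and the lowest MAC wins, which is why the example sets explicit per-instance priorities rather than relying on that tie-break. The rogue case is the election outcome on a port without root guard or BPDU protection: any device that can inject a BPDU with a lower bridge ID becomes root.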

3.10. IGMP Snooping

IGMP Snooping is a layer-2 feature that allows the switch to dynamically add or remove ports from IP multicast groups by listening to IGMP join and leave requests. By “snooping” the IGMP packets transmitted between hosts and routers, the IGMP Snooping feature enables the switch to forward IP multicast traffic more intelligently and help conserve bandwidth.
Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request the multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly affecting network performance. The switch uses the information in the IGMP packets as they are being forwarded throughout the network to determine which segments should receive packets directed to the group address.

3.10.1. IGMP Snooping Querier

When PIM and IGMP are enabled in a network with IP multicast routing, the IP multicast router acts as the IGMP querier. However, if the IP-multicast traffic in a VLAN needs to be Layer 2 switched only, an IP-multicast router is not required. The IGMP Snooping Querier can perform the IGMP snooping functions on the VLAN.
Without an IP-multicast router on a VLAN, you must configure another switch as the IGMP querier so that it can send queries.
When the IGMP snooping querier is enabled, the IGMP snooping querier sends out periodic IGMP queries that trigger IGMP report messages from the switch that wants to receive IP multicast traffic. The IGMP snooping feature listens to these IGMP reports to establish appropriate forwarding.

3.10.2. Configuring IGMP Snooping

This example configures IGMP snooping on the switch to limit multicast traffic and to allow L2 multicast forwarding on a single VLAN. The IP-multicast traffic in VLAN 100 needs to be Layer 2 switched only, so the IGMP snooping querier is enabled on the switch to perform the IGMP snooping functions on the VLAN, if necessary. The switch can send queries even if it is not the IGMP snooping querier and will use 0.0.0.0 as the source IP address. This will not cause any disruption to the operation of external querier.
In this configuration, an IP-multicast router is not required.
In the following figure, the three hosts are connected to ports that are enabled for IGMP snooping and are members of VLAN 100. Port 24 is a trunk port and connects the switch to the data center, where the L3 multicast router is located.
Figure 3-15: Switch with IGMP Snooping
To configure the switch:
1. Enable IGMP snooping globally.
(Switch) #configure
(Switch) (Config)#ip igmp snooping
2. Enable the IGMP snooping querier on the switch. If there are no other IGMP snooping queriers, this switch will become the IGMP snooping querier for the local network. If an external querier is discovered, this switch will not be a querier.
(Switch) (Config)#ip igmp snooping querier
3. Create VLAN 100.
(Switch) (Config)#vlan database
(Switch) (Vlan)#vlan 100
4. Enable IGMP snooping on VLAN 100.
(Switch) (Vlan)#set igmp 100
(Switch) (Vlan)#exit
5. Enable the IGMP snooping querier on VLAN 100.
(Switch) (Config)#ip igmp snooping querier vlan 100
(Switch) (Config)#exit
6. View the VLAN routing interface information.
(Switch) #show ip interface brief
                                                                  Netdir   Multi
Interface  State  IP Address       IP Mask          TYPE     Method   Bcast    CastFwd
---------  -----  ---------------  ---------------  -------  -------  -------  -------
vlan 1     Down   0.0.0.0          0.0.0.0          Primary  None     Disable  Disable
vlan 100   Down   0.0.0.0          0.0.0.0          Primary  None     Disable  Disable
7. Configure an IP address for VLAN 100. This address will be used as the IGMP snooping querier address if this switch becomes the querier.
(Switch) #configure
(Switch) (Config)#interface vlan 100
(Switch) (if-vlan100)#ip address 192.168.10.2 255.255.255.0
(Switch) (if-vlan100)#exit
8. Specify the address to use as the source address for IGMP queries sent from any interface. The global querier address is the IP address of VLAN 100.
(Switch) (Config)#ip igmp snooping querier address 192.168.10.2
9. Enable IGMP snooping on ports 1–3.
(Switch) (Config)#interface range 0/1-0/3
(Switch) (Interface 0/1-0/3)#ip igmp snooping interfacemode
10. Configure ports 1–3 as members of VLAN 100.
(Switch) (Interface 0/1-0/3)#switchport allowed vlan add 100
(Switch) (Interface 0/1-0/3)#exit
11. Enable IGMP on port 24, and configure the port as a trunk port that connects to the data center switch.
(Switch) (Config)#interface 0/24
(Switch) (Interface 0/24)#ip igmp snooping interfacemode
(Switch) (Interface 0/24)#switchport allowed vlan add tagged 100
(Switch) (Interface 0/24)#exit
(Switch) (Config)#exit
12. Verify the IGMP snooping configuration.
(Switch) #show igmp snooping
Admin Mode..................................... Enable
Multicast Control Frame Count................. 0
IGMP Snooping Router-Alert check.............. Disabled
Interfaces Enabled for IGMP Snooping.......... 0/1
                                               0/2
                                               0/3
                                               0/24
VLANs enabled for IGMP snooping............... 100
VLANs Block enabled for snooping.............. None
(Switch) #show igmp snooping querier vlan 100
VLAN 100 :IGMP Snooping querier status
----------------------------------------------
IGMP Snooping Querier VLAN Mode................ Enable
Querier Election Participate Mode.............. Disable
Querier VLAN Address........................... 0.0.0.0
Operational State.............................. Querier
Operational version............................ 2
Operational Max Resp Time...................... 10
After performing the configuration in this example, Host A sends a join message for multicast group 225.1.1.1. Host B sends a join message for group 225.1.1.2. Because IGMP snooping is enabled on the switch and on VLAN 100, the switch listens to the messages and dynamically adds Ports 1 and 2 to the multicast address table. Port 3 did not send a join message, so it does not appear in the table, as the following show command indicates.
(Switch) #show mac-address-table multicast
                                                                          Fwd
VLAN ID  MAC Address        Source  Type     Description     Interface  Interface
-------  -----------------  ------  -------  --------------  ---------  ---------
100      01:00:5E:01:01:01  IGMP    Dynamic  Network Assist  0/1        0/1
100      01:00:5E:01:01:02  IGMP    Dynamic  Network Assist  0/2        0/2
When the video server sends multicast data to group 225.1.1.1, Port 1 participates and receives multicast traffic, but Port 2 does not participate because it is a member of a different multicast group. Without IGMP snooping, all ports that are members of VLAN 100 would be flooded with traffic for all multicast groups, which would greatly increase the amount of traffic on the switch.

3.10.3. IGMPv3/SSM Snooping

IGMPv3 adds support for source filtering, which is the ability for a system to report interest in receiving packets only from specific source addresses, or from all but specific source addresses sent to a particular multicast address. This information is used by snooping switches to avoid delivering multicast packets from specific sources to networks where there are no interested receivers.
No additional configuration is required to enable IGMPv3/SSM snooping. It is enabled or disabled when snooping is enabled on a VLAN/interface. The forwarding database built using IGMPv3 reports is based on the Source IP address, the Multicast Group address, and VLAN. Consider the above configuration example. Suppose Host A sends an IGMPv3 IS_IN report for Group 225.1.1.1 with Sources 192.168.10.1 and 192.168.20.1. Because snooping is enabled globally on the switch and also on VLAN 100, two entries are added to the MFDB so that multicast traffic with group IP 225.1.1.1 and source IP 192.168.10.1 or 192.168.20.1 is forwarded to port 1. All other multicast traffic destined to group 225.1.1.1 is dropped. The following command displays the SSM forwarding database (the sample output below comes from a different configuration than the example above, with VLAN 10 and group 239.1.1.1).
(M4500-48XF8C) #show ip igmp snooping ssm entries
VLAN                                            Source
ID    Group                   Source Ip               Filter Mode  Interfaces
----  ----------------------  ----------------------  -----------  --------------
10    239.1.1.1               *                       include      0/7
10    239.1.1.1               80.1.1.1                include      0/5
10    239.1.1.1               80.1.1.1                exclude      0/7
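A model of what the snooping switch learns in the two examples above (3.10.2 and 3.10.3), as an added Python example that is not code from the NETGEAR manual: the group-to-MAC mapping behind the `01:00:5E:01:01:01` entries, the per-port membership table built from IGMPv2 joins and leaves, and the IGMPv3 include/exclude source filter that decides whether a given (source, group) stream is forwarded to a port. The report sequence is constructed from the hosts and groups described in the text; the unknown-group case only states that no entry exists, since the hardware's flood-or-block policy for unknown multicast is outside this model.

```python
"""IGMP snooping forwarding table: v2 membership and v3 source filtering.

Added example, not from the NETGEAR manual. The hosts, ports and groups
follow the text; the report sequence in example_table() is constructed.
"""
import ipaddress


def group_mac(group):
    """IPv4 multicast MAC: 01:00:5E followed by the low 23 bits of the group.

    Only 23 bits survive, so 32 distinct groups share each MAC (for example
    225.1.1.1 and 239.129.1.1). A table keyed on MAC alone cannot tell them
    apart; the SSM/MFDB entries keyed on (VLAN, group, source) can.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5E:%02X:%02X:%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def _port_key(port):
    return tuple(int(x) for x in port.split("/"))


class SnoopingTable:
    def __init__(self):
        # (vlan, group) -> {port: None for IGMPv1/v2 membership,
        #                   or ("include"|"exclude", frozenset(sources)) for v3}
        self.entries = {}

    def report_v2(self, vlan, port, group):
        self.entries.setdefault((vlan, group), {})[port] = None

    def leave_v2(self, vlan, port, group):
        ports = self.entries.get((vlan, group), {})
        ports.pop(port, None)
        if not ports:
            self.entries.pop((vlan, group), None)

    def report_v3(self, vlan, port, group, mode, sources):
        if mode not in ("include", "exclude"):
            raise ValueError("mode must be include or exclude")
        self.entries.setdefault((vlan, group), {})[port] = (mode, frozenset(sources))

    def forward_ports(self, vlan, group, source):
        """Ports that receive a stream from `source` to `group`; [] if no entry."""
        out = []
        for port, filt in self.entries.get((vlan, group), {}).items():
            if filt is None:
                out.append(port)  # v2 member: any source is wanted
            else:
                mode, srcs = filt
                wanted = (source in srcs) if mode == "include" else (source not in srcs)
                if wanted:
                    out.append(port)
        return sorted(out, key=_port_key)

    def mac_table(self):
        """Rows shaped like `show mac-address-table multicast`: (vlan, mac, ports)."""
        rows = []
        for (vlan, group), ports in self.entries.items():
            rows.append((vlan, group_mac(group), ",".join(sorted(ports, key=_port_key))))
        return sorted(rows)


def example_table():
    """Joins from the 3.10.2 example: Host A on 0/1, Host B on 0/2, Host C silent."""
    t = SnoopingTable()
    t.report_v2(100, "0/1", "225.1.1.1")
    t.report_v2(100, "0/2", "225.1.1.2")
    return t


if __name__ == "__main__":
    t = example_table()
    for row in t.mac_table():
        print(row)
    # 3.10.3 case: Host A now asks for 225.1.1.1 only from two sources.
    t.report_v3(100, "0/1", "225.1.1.1", "include", {"192.168.10.1", "192.168.20.1"})
    print("from 192.168.10.1:", t.forward_ports(100, "225.1.1.1", "192.168.10.1"))
    print("from 192.168.30.1:", t.forward_ports(100, "225.1.1.1", "192.168.30.1"))
```

The v3 include filter is what lets the switch drop a stream that spoofs the group address from an unexpected source, which a v2-only table (keyed on group, or on the 23-bit MAC) cannot do.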

3.11. SDVoE

SDVoE (Software Defined Video-over-Ethernet) is the latest high-performance, software-based AV-over-IP platform for control and distribution of audio and video over Ethernet & Fiber networks.

3.11.1. IGMP & IGMP Snooping Enhancements for IGMP V1 & V2

Note: All these enhancements apply to L2 multicast only; L3 multicast behaves as per the standard.
Note: This enhancement applies only to IGMP version 1 and version 2. Version 3 works very differently and is not part of this enhancement.
Note: By default this function is enabled only on VLAN 1, and by default all interfaces in the system are members of VLAN 1.
When a VLAN is configured with SDVoE enabled, the following operations happen:
- All unknown multicast data is blocked by default on VLAN 1.
- IGMP snooping is enabled by default for VLAN 1.
- IGMP snooping fast-leave operation is automatic:
  o Fast-leave is enabled on spanning-tree edge ports, where encoders and decoders are connected.
  o Fast-leave is disabled on spanning-tree non-edge ports, which connect to another switch.
- Flooding of IGMP (v1/v2) Join and Leave messages in a switch.
  Note: This function is disabled by default; the user needs to enable it manually.
  o As per RFC 4541, all IGMP Join and Leave PDUs are processed by the IGMP snooping application and also forwarded through the mrouter port(s). Non-mrouter ports do not receive IGMP Join/Leave PDUs.
  o The intention of this part of the enhancement is to have a controlled way, at a system level, to flood an IGMP Join/Leave PDU received on a downstream port (from a host) to all other ports within the boundary of the associated VLAN.
  o In a deployment where switches are connected in a star-like topology, with one switch or stack connecting all the others, this enables creating forwarding table entries across multiple switches, so that an Rx device on one switch can receive a multicast data stream transmitted by a Tx device connected to another switch.
- Mrouter port blocks all known (downstream hosts) and unknown multicast data streams.
  o As per RFC 4541, a designated mrouter port (either detected dynamically or configured by the user) forwards the following to the upstream router:
    1. All IGMP (v1/v2/v3) PDUs.
    2. All unknown multicast streams: streams for which the switch has not received an IGMP membership.
    3. All known multicast streams: streams for which the switch has received an IGMP membership (from the hosts connected to it) and has its hardware MFDB (Multicast Forwarding Data Base) table populated.
  o This enhancement blocks the 2nd and 3rd items and leaves only the 1st. Therefore, apart from IGMP PDU forwarding, the mrouter port behaves like any other host port: it forwards a multicast data stream only if an IGMP membership (v1/v2) has been received through that port.
- Hardware forwarding of specific multicast addresses.
  o The multicast addresses in the range 224.0.0.1 to 224.0.0.255 are considered "reserved" multicast addresses and are processed or forwarded by the CPU, i.e., the software control plane. This enhancement lets specific multicast addresses from this range, and a few others, be forwarded by hardware (ASICs) instead.
Here is the list of all multicast destination addresses that are put under HW forwarding:

Address           Description
----------------  ---------------------------------------------------------------------------
224.0.0.5         The Open Shortest Path First (OSPF) All OSPF Routers address is used to send Hello packets to all OSPF routers on a network segment.
224.0.0.6         The OSPF All Designated Routers (DR) address is used to send OSPF routing information to designated routers on a network segment.
224.0.0.9         The Routing Information Protocol (RIP) version 2 group address is used to send routing information to all RIP2-aware routers on a network segment.
224.0.0.18        Virtual Router Redundancy Protocol (VRRP).
224.0.0.107       Precision Time Protocol (PTP) version 2 peer delay measurement messaging.
224.0.0.251       Multicast DNS (mDNS) address.
224.0.0.252       Link-local Multicast Name Resolution (LLMNR) address.
224.0.1.1         Network Time Protocol clients listen on this address for protocol messages when operating in multicast mode.
224.0.1.129–132   Precision Time Protocol (PTP) version 1 messages (Sync, Announce, etc.) except peer delay measurement.
239.255.255.250   Simple Service Discovery Protocol address.
239.255.255.253   Service Location Protocol version 2 address.
Table 3-5: Specific Multicast addresses
When the switch receives a multicast packet with any of the above addresses as the destination address, it installs an MFDB entry into hardware so that all subsequent packets are forwarded at the data plane. The switch places all physical ports and port-channels in the forwarding list of this entry for the VLAN on which the packet was received.

3.11.2. SDVoE Configuration Example

Figure 3-16: SDVoE Topology
The following example guides you through setting up SDVoE for VLAN 100.
1. Create VLAN 100 on Switch A, B and C, then enable SDVoE on each switch.
(Switch) #configure
(Switch) (Config)#vlan database
(Switch) (Vlan)#vlan 100
(Switch) (Vlan)#exit
(Switch) (Config)#
(Switch) (Config)#sdvoe 100
2. Check the SDVoE status on Switch A, B and C.
(Switch) #show ip igmp snooping
Admin Mode..................................... Enable
Operation Mode................................. Enable
Multicast Control Frame Count.................. 0
IGMP Snooping Router-Alert check............... Disabled
Interfaces Enabled for IGMP Snooping........... None
VLANs enabled for IGMP snooping................ 1
100
VLANs Block enabled for snooping............... None
(Switch) #show ip igmp snooping interface vlan 100
VLAN ID........................................ 100
IGMP Snooping Admin Mode....................... Enabled
Fast Leave Mode................................ Enabled
Flood IGMP Report and Leave PDU................ Disabled
Group Membership Interval (secs)............... 260
Max Response Time (secs)....................... 10
Multicast Router Block Mode.................... Enabled
Multicast Router Expiry Time (secs)............ 300
Report Suppression Mode........................ Disabled
Vlan Block Mode................................ Disabled
3. Configure IGMP Snooping Querier on Switch A.
(Switch-A) #configure
(Switch-A) (Config)#ip igmp snooping querier
(Switch-A) (Config)#ip igmp snooping querier vlan 100
(Switch-A) (Config)#ip igmp snooping querier vlan 100 address 192.168.10.253
4. Enable flooding IGMP PDUs on Switch A.
(Switch-A) #configure
(Switch-A) (Config)#vlan database
(Switch-A) (Vlan)#set igmp flood-report 100
5. Check the Querier Status.
(Switch-A) #show ip igmp snooping querier vlan 100
VLAN 100 : IGMP Snooping querier status
----------------------------------------------
IGMP Snooping Querier VLAN Mode................ Enable
Querier Election Participate Mode.............. Disable
Querier VLAN Address........................... 192.168.10.253
Operational State.............................. Querier
Operational version............................ 2
Operational Max Resp Time...................... 10
6. Check that flooding of IGMP PDUs is enabled on Switch A.
(Switch) (Config)#show ip igmp snooping interface vlan 100
VLAN ID........................................ 100
IGMP Snooping Admin Mode....................... Enabled
Fast Leave Mode................................ Enabled
Flood IGMP Report and Leave PDU................ Enabled
Group Membership Interval (secs)............... 260
Max Response Time (secs)....................... 10
Multicast Router Block Mode.................... Enabled
Multicast Router Expiry Time (secs)............ 300
Report Suppression Mode........................ Disabled
Vlan Block Mode................................ Disabled
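A quick way to confirm that a VLAN is in the state section 3.11.1 describes is to parse the dotted-leader output of show ip igmp snooping interface vlan and compare it with the expected values. This is an added example, not NETGEAR code; the captured output embedded below is constructed from the step 6 listing, and the same parser reads the show ipv6 mld snooping interface output in section 3.12, which uses the same format.

```python
"""Verify SDVoE state from 'show ip igmp snooping interface vlan N' output.
Added example, not NETGEAR code. The expected values come from section 3.11.1:
snooping on, fast-leave automatic, mrouter port blocking data streams, and the
optional flooding of IGMP Join/Leave PDUs once 'set igmp flood-report' is applied."""
import re

# Constructed sample: the step 6 output for VLAN 100 after 'sdvoe 100' and
# 'set igmp flood-report 100'.
SHOW_VLAN_100 = """\
VLAN ID........................................ 100
IGMP Snooping Admin Mode....................... Enabled
Fast Leave Mode................................ Enabled
Flood IGMP Report and Leave PDU................ Enabled
Group Membership Interval (secs)............... 260
Max Response Time (secs)....................... 10
Multicast Router Block Mode.................... Enabled
Multicast Router Expiry Time (secs)............ 300
Report Suppression Mode........................ Disabled
Vlan Block Mode................................ Disabled
"""

SDVOE_EXPECTED = {
    "IGMP Snooping Admin Mode": "Enabled",     # snooping on for the VLAN
    "Fast Leave Mode": "Enabled",              # automatic on edge ports
    "Multicast Router Block Mode": "Enabled",  # mrouter port blocks data streams
}
FLOOD_KEY = "Flood IGMP Report and Leave PDU"  # off by default, enabled in step 4

# 'Key.......... Value': key is everything before the first run of two or more dots
LEADER = re.compile(r"^(?P<key>.+?)\.{2,}\s*(?P<value>.*)$")


def parse_show_output(text):
    """Turn dotted-leader lines into a dict; lines in any other shape are ignored."""
    fields = {}
    for line in text.splitlines():
        m = LEADER.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def _norm(value):
    # The switch prints both 'Enable' and 'Enabled'; compare without the suffix.
    return value.strip().lower().rstrip("d")


def sdvoe_deviations(fields, expect_flooding=True):
    """Return human-readable deviations from the expected SDVoE state (empty = OK).
    Missing keys are reported too, so a truncated capture cannot pass silently."""
    expected = dict(SDVOE_EXPECTED)
    if expect_flooding:
        expected[FLOOD_KEY] = "Enabled"
    problems = []
    for key, want in expected.items():
        got = fields.get(key)
        if got is None:
            problems.append(f"{key}: missing from output")
        elif _norm(got) != _norm(want):
            problems.append(f"{key}: {got} (expected {want})")
    return problems
```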

3.12. MLD Snooping

3.12.1. MLD Snooping Configuration Example

When MLD Snooping is enabled on the switch, the switch can examine MLD packets and make forwarding decisions based on the MLD control packets content. You can configure the MLD snooping querier on the switch to support a subnet that does not have any multicast router interfaces. The MLD snooping querier periodically sends general MLD queries that the switch forwards through all ports in the VLAN.
There are three types of MLDv1 messages:
- Multicast Listener Query (Type = decimal 130). There are two subtypes of Multicast Listener Query messages:
  - General Query: used to learn which multicast addresses have listeners on an attached link.
  - Multicast-Address-Specific Query: used to learn if a particular multicast address has any listeners on an attached link.
- Multicast Listener Report (Type = decimal 131)
- Multicast Listener Done (Type = decimal 132)
There are three types of MLDv2 Query messages:
- General Query: to learn which multicast addresses have multicast listeners.
- Multicast Address Specific Query: to learn if a particular multicast address has any listeners.
- Multicast Address and Source Specific Query: to learn if any of the sources from the specified list for the particular multicast address has any listeners.
There are a number of different types of Multicast Address Records that can be included in an MLDv2 Report message:
- "Current State Record": sent by a node in response to a Query received on an interface.
- "Filter Mode Change Record": sent by a node whenever a local invocation of IPv6MulticastListen causes a change of the filter mode (i.e., a change from INCLUDE to EXCLUDE, or from EXCLUDE to INCLUDE) of the interface-level state entry for a particular multicast address, whether the source list changes at the same time or not.
- "Source List Change Record": sent by a node whenever a local invocation of IPv6MulticastListen causes a change of source list that is *not* coincident with a change of filter mode, of the interface-level state entry for a particular multicast address.
3.12.1.1. MLD Snooping Configuration Example
Figure 3-17: MLD Snooping Topology
Switch-1 MLD Snooping Configuration
Step 1. Enable MLD Snooping admin mode.
(Switch-1) (Config)#ipv6 mld snooping
Step 2. Enable MLD Snooping on VLAN 1.
(Switch-1) (Config)#vlan database
(Switch-1) (Vlan)#set mld 1
OR
Step 2. Enable MLD snooping on all interfaces and all VLANs.
(Switch-1) (Config)#ipv6 mld snooping interfacemode all
OR
Step 2. Enable MLD snooping on specific interface 0/3-0/9
(Switch-1) (Config)#interface range 0/3-0/9
(Switch-1) (Interface 0/3-0/9)#ipv6 mld snooping interfacemode
3.12.1.2. MLD Snooping Verification Example
Switch-1 MLD Snooping Verification
Verify MLD snooping configuration on VLAN 1.
(Switch-1) (Config)#show ipv6 mld snooping interface vlan 1
VLAN ID........................................ 1
MLD Snooping Admin Mode........................ Enabled
Fast Leave Mode................................ Disabled
Group Membership Interval (secs)............... 260
Max Response Time (secs)....................... 10
Multicast Router Expiry Time (secs)............ 0
Vlan Block Mode................................ Disabled
Verify MLD snooping configuration on interface 0/3
(Switch-1) (Config)#show ipv6 mld snooping interface 0/3
MLD Snooping Admin Mode........................ Enable
Fast Leave Mode................................ Disable
Group Membership Interval (secs)............... 260
Multicast Router Expiry Time (secs)............ 0

3.12.2. MLD Snooping Fast Leave Configuration Example

When MLD Fast Leave is enabled, a switch port is removed from a multicast group immediately upon receiving an MLD Done message, the MLD counterpart of an IGMP Leave message. Multicast clients thus leave the multicast group quickly, which reduces superfluous network traffic. According to the MLD v1 and v2 standard implementation, an MLD client may request to leave a multicast group by sending a Done message.
3.12.2.1. MLD Snooping Configuration
Figure 3-18: MLD Snooping Leave Configuration Topology
Step 1. Enable MLD Snooping on VLAN 1.
(Switch-1) (Config)#vlan database
(Switch-1) (Vlan)#set mld 1
(Switch-1) (Vlan)#set mld fast-leave 1
OR
Step 1. Enable MLD snooping on all interfaces and all VLANs.
(Switch-1) (Config)#ipv6 mld snooping interfacemode all
(Switch-1) (Config)#ipv6 mld snooping fast-leave
OR
Step 1. Enable MLD snooping on specific interface 0/3-0/7
(Switch-1) (Config)#interface range 0/3-0/7
(Switch-1) (Interface 0/3-0/7)#ipv6 mld snooping interfacemode
(Switch-1) (Interface 0/3-0/7)#ipv6 mld snooping fast-leave

3.12.3. MLD Snooping Querier Configuration Example

If there is no multicast router in the network, then one of the switches should enable the MLD snooping querier.
If there is no querier, the switch cannot maintain multicast client information.
Figure 3-19: MLD Snooping Querier Configuration Example
MLD Snooping Querier Configuration
(Switch-1) (Config)#vlan database
(Switch-1) (Vlan)#set mld 1
(Switch-1) (Vlan)#exit
(Switch-1) (Config)#ipv6 mld snooping
(Switch-1) (Config)#ipv6 mld snooping querier address fe80::AAA
(Switch-1) (Config)#ipv6 mld snooping querier
(Switch-1) (Config)#ipv6 mld snooping querier vlan 1
Display MLD Snooping Querier detailed information.
(Switch-1) (Config)#show ipv6 mld snooping querier detail
VLAN ID Last Querier Address MLD Version
------- ---------------------------------------- -----------
Global MLD Snooping querier status
----------------------------------
MLD Snooping Querier Mode...................... Enable
Querier Address................................ fe80::aaa
MLD Version.................................... 1
Querier Query Interval......................... 60
Querier Expiry Interval........................ 125
VLAN 1 : MLD Snooping querier status
----------------------------------------------
MLD Snooping Querier VLAN Mode................. Enable
Querier Election Participate Mode.............. Disable
Querier VLAN Address........................... ::
Operational State.............................. Querier
Operational version............................ 1
Operational Max Resp Time...................... 10

3.13. LLDP and LLDP-MED

LLDP is a standardized discovery protocol defined by IEEE 802.1AB. It allows stations residing on an 802 LAN to advertise major capabilities, physical descriptions, and management information to physically adjacent devices, allowing a network management system (NMS) to access and display this information.
LLDP is a one-way protocol; there are no request/response sequences. Information is advertised by stations implementing the transmit function, and is received and processed by stations implementing the receive function. The transmit-and-receive functions can be enabled/disabled separately on each switch port.
LLDP-MED is an extension of the LLDP standard. LLDP-MED uses LLDP's organizationally-specific Type-Length-Value (TLV) extensions and defines new TLVs that make it easier for a VoIP deployment in a wired or wireless LAN/MAN environment. It also makes mandatory a few optional TLVs from LLDP and recommends not transmitting some TLVs.
The TLVs only communicate information; these TLVs do not automatically translate into configuration. An external application may query the MED MIB and take management actions in configuring functionality.
LLDP and LLDP-MED are used primarily in conjunction with network management tools to provide information about network topology and configuration, and to help troubleshoot problems that occur on the network. The discovery protocols can also facilitate inventory management within a company.
LLDP and the LLDP-MED extension are vendor-neutral discovery protocols that can discover devices made by numerous vendors. LLDP-MED is intended to be used on ports that connect to VoIP phones. Additional applications for LLDP-MED include device location (including for Emergency Call Service/E911) and Power over Ethernet management.

3.13.1. LLDP and Data Center Application

DCBX uses TLV information elements over LLDP to exchange information, so LLDP must be enabled on the port to enable the information exchange.

3.13.2. Configuring LLDP

This example shows how to configure LLDP settings for the switch and to allow port 0/3 to transmit all LLDP information available.
To configure the switch:
1. Configure the transmission interval, hold multiplier, and reinitialization delay for LLDP PDUs sent from the switch.
(Switch) #configure
(Switch) (Config)#lldp timers interval 60 hold 5 reinit 3
2. Enable port 0/3 to transmit and receive LLDP PDUs.
(Switch) (Config)#interface 0/3
(Switch) (Interface 0/3)#lldp transmit
(Switch) (Interface 0/3)#lldp receive
3. Enable port 0/3 to transmit management address information in the LLDP PDUs and to send topology change notifications if a device is added or removed from the port.
(Switch) (Interface 0/3)#lldp transmit-mgmt
(Switch) (Interface 0/3)#lldp notification
4. Specify the TLV information to be included in the LLDP PDUs transmitted from port 0/3.
(Switch) (Interface 0/3)#lldp transmit-tlv sys-name sys-desc sys-cap port-desc
5. Set the port description to be transmitted in LLDP PDUs.
(Switch) (Interface 0/3)#description "Test Lab Port"
6. Exit to Privileged EXEC mode.
(Switch) (Interface 0/3)# <CTRL + Z>
7. View global LLDP settings on the switch.
(Switch) #show lldp
LLDP Global Configuration
Transmit Interval..................... 60 seconds
Transmit Hold Multiplier.............. 5
Reinit Delay.......................... 3 seconds
Notification Interval................. 5 seconds
8. View summary information about the LLDP configuration on port 0/3.
(Switch) #show lldp interface 0/3
LLDP Interface Configuration
Interface Link Transmit Receive Notify TLVs Mgmt
--------- ------ -------- -------- -------- ------- ----
0/3 Down Enabled Enabled Enabled 0,1,2,3 Y
TLV Codes: 0- Port Description, 1- System Name
2- System Description, 3- System Capabilities
4- Organization Specific
9. View detailed information about the LLDP configuration on port 0/3.
(Switch) #show lldp local-device detail 0/3
LLDP Local Device Detail
Interface: 0/3
Chassis ID Subtype: MAC Address
Chassis ID: 2C:60:0C:52:18:3F
Port ID Subtype: MAC Address
Port ID: 2C:60:0C:52:18:41
System Name: NETGEAR
System Description: LY8, Runtime Code 5.4.00.37, Linux 3.8.13-rt9, U-Boot 2010.12
(Oct 03 2014 - 14:38:07) – ONIE 2014.05.03-7
Port Description: Test Lab Port
System Capabilities Supported: bridge, router
System Capabilities Enabled: bridge
Management Address:
Type: IPv4
Address: 172.16.1.71
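To see what port 0/3 actually puts on the wire after this configuration, here is an added example (not NETGEAR code) that encodes and parses the LLDPDU using the values from the listing above: the IEEE 802.1AB TLV header, the TTL derived from interval x hold (60 x 5 = 300 s), and the system description and IPv4 management address that sys-desc and lldp transmit-mgmt advertise to the neighbour. The management-address interface number and OID are assumed empty, and the system description is shortened.

```python
"""Encode and decode an LLDPDU as IEEE 802.1AB TLVs. Added example, not NETGEAR code.
Every TLV is a 16-bit header (7-bit type, 9-bit length) followed by the value.
Values below come from the 'show lldp local-device detail 0/3' listing."""
import struct

# TLV type codes; the switch's display codes 0-3 correspond to types 4-7 here.
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)
CAP_BRIDGE, CAP_ROUTER = 0x04, 0x10      # System Capabilities bits


def tlv(tlv_type, value):
    """Encode one TLV: header = type << 9 | length, then the value bytes."""
    if not 0 <= len(value) < 512:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def mac_bytes(mac):
    """'2C:60:0C:52:18:3F' -> six raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_lldpdu(chassis_mac, port_mac, interval, hold, port_desc, sys_name,
                 sys_desc, cap_supported, cap_enabled, mgmt_ipv4):
    """Assemble an LLDPDU: Chassis ID, Port ID, TTL (mandatory, in that order),
    the optional TLVs enabled in the example, then End of LLDPDU."""
    ttl = interval * hold   # 60 s x 5 = 300 s: how long a neighbour keeps this entry
    pdu = tlv(CHASSIS_ID, bytes([4]) + mac_bytes(chassis_mac))  # subtype 4 = MAC
    pdu += tlv(PORT_ID, bytes([3]) + mac_bytes(port_mac))       # subtype 3 = MAC
    pdu += tlv(TTL, struct.pack("!H", ttl))
    pdu += tlv(PORT_DESC, port_desc.encode())
    pdu += tlv(SYS_NAME, sys_name.encode())
    pdu += tlv(SYS_DESC, sys_desc.encode())  # firmware/OS versions, visible to any neighbour
    pdu += tlv(SYS_CAP, struct.pack("!HH", cap_supported, cap_enabled))
    # Management Address TLV (sent because of 'lldp transmit-mgmt'): address string
    # length, address subtype 1 = IPv4, the address, interface numbering subtype 1
    # (unknown) with ifIndex 0, and an empty OID (assumed values).
    addr = bytes([1]) + bytes(int(o) for o in mgmt_ipv4.split("."))
    pdu += tlv(MGMT_ADDR, bytes([len(addr)]) + addr + bytes([1])
               + struct.pack("!I", 0) + bytes([0]))
    return pdu + tlv(END, b"")


def parse_lldpdu(pdu):
    """Walk the TLVs and return {type: value}. Raises ValueError on a truncated
    TLV or on a PDU with no End TLV, as a receiver should before using the data."""
    tlvs, off = {}, 0
    while off + 2 <= len(pdu):
        hdr, = struct.unpack_from("!H", pdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError("truncated TLV")
        if tlv_type == END:
            return tlvs
        tlvs[tlv_type] = pdu[off:off + length]
        off += length
    raise ValueError("missing End of LLDPDU TLV")


def is_well_formed(pdu):
    """True if the PDU parses cleanly."""
    try:
        parse_lldpdu(pdu)
        return True
    except ValueError:
        return False
```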