QTech QSW-2900 User Manual

1-1
QSW-2900 Ethernet Switch
User’s Manual
QSW-2900 Intelligent L2+ Switch
Configuration Manual
1. Accessing Switch
2. Switch Management and Maintenance
3. Port Configuration
4. VLAN configuration
5. Multicast Configuration
6. DHCP Configuration
7. ARP configuration
8. ACL Configuration
9. QoS Configuration
10. STP Configuration
11. 802.1X Configuration
12. SNTP Client Configuration
13. Syslog Configuration
14. SSH Configuration
15. LLDP Configuration
16. ERRP Configuration
17. PPPoE Plus Configuration
18. CFM Configuration
Content
Content 1-1
Chapter 1 Accessing Switch.............................................................................................................1-11
1.1 Command Line Interface....................................................................................................1-11
1.1.1 Command Line Configuration Mode.................................................................1-11
1.1.2 Command Syntax Comprehension...................................................................1-12
1.1.3 Syntax Help.......................................................................................................1-13
1.1.4 History command..............................................................................................1-14
1.1.5 Symbols in command........................................................................................1-14
1.2 Command Symbols Description.........................................................................................1-14
1.2.1 Command Parameter Categories.....................................................................1-15
1.3 User management.............................................................................................................1-15
1.3.1 System default user name................................................................................1-16
1.3.2 Add user............................................................................................................1-16
1.3.3 Modify password...............................................................................................1-16
1.3.4 Modify privilege.................................................................................................1-17
1.3.5 Remove user name...........................................................................................1-17
1.3.6 View system user information...........................................................................1-17
1.4 Remote authentication of administrator..............................................................................1-18
1.4.1 Start RADIUS remote authentication................................................................1-18
1.4.2 Display authentication configuration.................................................................1-18
1.5 Ways of managing switch...................................................................................................1-18
1.5.1 Manage switch by HyperTerminal.....................................................1-18
1.5.2 Manage switch by telnet...................................................................................1-19
Chapter 2 Switch Management and Maintenance.............................................................2-21
2.1 Configuration Files Management........................................................................................2-21
2.1.1 Edit configuration files.......................................................................................2-21
2.1.2 Modify and save current configuration..............................................................2-21
2.1.3 Erase configuration...........................................................................................2-21
2.1.4 Execute saved configuration.............................................................................2-21
2.1.5 Display saved configuration..............................................................................2-21
2.1.6 Display current configuration............................................................................2-22
2.1.7 Configuration file execution mode switching.......................................2-22
2.2 Online Loading Upgrade Program......................................................................................2-22
2.2.1 Upload and download files by TFTP.................................................................2-23
2.2.2 Upload and download files by FTP...................................................................2-23
2.2.3 Download files by Xmodem..............................................................................2-24
2.3 MAC address table management.......................................................................................2-25
2.3.1 Brief introduction of MAC address table management.....................................2-25
2.3.2 MAC address table management list................................................................2-25
2.3.3 Configure system MAC address aging time.....................................................2-25
2.3.4 Configure MAC address item............................................................................2-26
2.3.5 Reboot...............................................................................................................2-28
2.4 System Maintenance..........................................................................................................2-28
2.4.1 Use show command to check system information...........................................2-28
2.4.2 Basic Configuration and Management.............................................................2-29
2.4.3 Network connecting test command...................................................................2-29
2.4.4 Loopback test command...................................................................................2-30
2.4.5 Administration IP address restriction................................................................2-30
2.4.6 Telnet user count restriction...........................................................2-31
2.4.7 Routing tracert command..................................................................................2-31
2.4.8 cpu-car command.............................................................................................2-32
2.5 Monitor system by SNMP...................................................................................................2-32
2.5.1 Brief introduction of SNMP................................................................................2-32
2.6 SNMP Mechanism.............................................................................................................2-33
2.7 SNMP Protocol Version......................................................................................................2-33
2.8 MIB Overview....................................................................................................................2-33
2.9 Configuration.....................................................................................................................2-34
2.9.1 Configure community name and accessing right.............................................2-34
2.9.2 Configure sysContact........................................................................................2-35
2.9.3 Configure Trap destination host address...........................................2-35
2.9.4 Configure sysLocation......................................................................................2-36
2.9.5 Configure sysName..........................................................................................2-36
2.9.6 Configure notify.................................................................................................2-37
2.9.7 Configure engine id...........................................................................................2-37
2.9.8 Configure view..................................................................................................2-38
2.9.9 Configure group................................................................................................2-38
2.9.10 Configure user...................................................................................................2-39
2.10 System IP configuration.....................................................................................................2-40
2.10.1 Configure manage VLAN..................................................................................2-40
2.10.2 Configure IP address manually.........................................................2-40
2.10.3 BOOTP..............................................................................................................2-41
2.10.4 DHCP................................................................................................................2-41
2.10.5 Display ip address.............................................................................................2-41
2.11 Enable/disable DLF packet forwarding...................................................................2-42
2.12 CPU Alarm Configuration...................................................................................................2-42
2.12.1 Brief introduction of CPU alarm........................................................................2-42
2.12.2 CPU alarm configuration list.............................................................................2-42
2.12.3 Enable/disable CPU alarm................................................................................2-43
2.12.4 Configure CPU busy or unbusy threshold........................................................2-43
2.12.5 Display CPU alarm information.........................................................................2-43
2.13 Anti-DOS Attack.................................................................................................................2-44
2.13.1 IP segment anti-attack......................................................................................2-44
Chapter 3 Port Configuration............................................................................................................3-45
3.1 Port configuration introduction............................................................................................3-45
3.1.1 Introduction to Bridging.....................................................................................3-45
3.1.2 Major Functionalities of Bridges........................................................................3-45
3.2 Port Configuration..............................................................................................................3-49
3.2.1 Port related configuration..................................................................................3-49
3.2.2 Enter interface configuration mode...................................................................3-50
3.2.3 Enable/disable specified interface....................................................................3-50
3.2.4 Configure interface duplex mode and speed rate............................................3-50
3.2.5 Interface Priority Configuration........................................................3-51
3.2.6 Interface description configuration....................................................................3-51
3.2.7 Ingress/egress bandwidth-control configuration...............................................3-51
3.2.8 Enable/disable VLAN filtration of receiving packet of interface........................3-52
3.2.9 Interface ingress acceptable-frame configuration............................................3-52
3.2.10 Enable/disable interface flow-control................................................................3-52
3.2.11 Port mode configuration....................................................................................3-53
3.2.12 Trunk allowed VLAN configuration...................................................................3-53
3.2.13 The default vlan-id of trunk port configuration..................................................3-53
3.2.14 Add access port to specified VLAN..................................................................3-54
3.2.15 Display interface information............................................................................3-54
3.2.16 Display/ clear interface statistics information....................................................3-54
3.3 Interface mirror...................................................................................................................3-55
3.3.1 Brief introduction of interface mirror..................................................................3-55
3.3.2 Interface mirror configuration............................................................................3-55
3.4 Port LACP aggregation configuration...................................................................3-56
3.4.1 Brief introduction of port aggregation..............................................3-56
3.4.2 LACP.................................................................................................................3-57
3.5 Approaches to Link Aggregation.........................................................................................3-57
3.5.1 Manual Link Aggregation..................................................................................3-57
3.5.2 Static LACP link aggregation............................................................................3-58
3.6 Load Sharing in a Link Aggregation Group.........................................................................3-59
3.7 Aggregation Port Group.....................................................................................................3-59
3.8 Link aggregation configuration............................................................................................3-59
3.9 Interface CAR configuration...............................................................................................3-61
3.9.1 Brief introduction of interface CAR...................................................................3-61
3.9.2 Port CAR configuration command list...............................................................3-61
3.9.3 Enable/disable interface globally......................................................................3-61
3.9.4 Enable/disable interface CAR on interface.......................................................3-62
3.9.5 Configure the reopen time of a port shut down by port-car............3-62
3.9.6 Configure the port-car-rate................................................................................3-62
3.9.7 Display port-car information..............................................................................3-62
3.10 Port Alarm Configuration....................................................................................................3-63
3.10.1 Brief introduction of port alarm configuration....................................................3-63
3.10.2 Port alarm configuration list..............................................................................3-63
3.10.3 Enable/disable port alarm globally....................................................................3-63
3.10.4 Enable/disable port alarm on the port...............................................................3-63
3.10.5 Configure the exceed threshold and normal threshold of port alarm...............3-64
3.10.6 Display port alarm.............................................................................................3-64
3.11 Interface shutdown-control Configuration............................................................................3-65
3.11.1 Brief introduction of shutdown-control..............................................................3-65
3.11.2 Interface shutdown-control Configuration list...................................................3-65
3.11.3 shutdown-control Configuration........................................................................3-65
3.11.4 Configure shutdown-control open-time.............................................................3-65
3.11.5 Display shutdown-control..................................................................................3-66
Chapter 4 VLAN Configuration.........................................................................................................4-67
4.1 Introduction to VLAN..........................................................................................................4-67
4.1.1 VLAN Overview.................................................................................................4-67
4.1.2 VLAN Fundamental...........................................................................................4-68
4.2 VLAN Classification............................................................................................................4-68
4.3 VLAN Interface..................................................................................................................4-69
4.4 Port-Based and 802.1Q VLAN............................................................................................4-69
4.4.1 Port link type.....................................................................................................4-69
4.4.2 Default VLAN....................................................................................................4-69
4.5 Policy-Based VLAN............................................................................................................4-69
4.6 Super VLAN.......................................................................................................................4-70
4.7 Isolate-User-VLAN.............................................................................................................4-70
4.8 VLAN interface type...........................................................................................................4-71
4.9 Default VLAN.....................................................................................................................4-71
4.10 VLAN configuration............................................................................................................4-71
4.10.1 VLAN configuration list......................................................................................4-71
4.10.2 Create/delete VLAN..........................................................................................4-72
4.10.3 Add/delete VLAN interface...............................................................................4-72
4.10.4 Specify/restore VLAN description.....................................................................4-73
4.10.5 Configure interface type....................................................................................4-73
4.10.6 Configure interface default vlan ID...................................................................4-73
4.10.7 Configure tag vlan.............................................................................................4-73
4.10.8 Display VLAN information.................................................................................4-74
4.11 PVLAN...............................................................................................................................4-74
4.12 GVRP configuration...........................................................................................................4-74
4.12.1 Brief introduction of GVRP................................................................................4-74
4.12.2 GARP................................................................................................................4-74
4.12.3 GVRP................................................................................................................4-77
4.12.4 GVRP Configuration list....................................................................................4-77
4.12.5 Enable/disable global GVRP............................................................................4-77
4.12.6 Enable/disable GVRP on a port........................................................................4-77
4.12.7 Display GVRP...................................................................................................4-78
4.12.8 Add/delete VLANs that can be dynamically learned by GVRP.............4-78
4.12.9 Display VLANs that can be learned by GVRP........................................4-78
4.12.10 Examples for GVRP configuration....................................................................4-79
4.13 QinQ configuration.............................................................................................................4-79
4.13.1 Brief introduction of QinQ..................................................................................4-79
4.13.2 Introduction to QinQ..........................................................................................4-79
4.13.3 Implementations of QinQ..................................................................................4-80
4.13.4 Adjustable TPID Value of QinQ Frames...........................................................4-80
4.13.5 QinQ configuration list.......................................................................................4-81
4.13.6 Configure global QinQ......................................................................................4-81
4.13.7 Configure QinQ mode of interface....................................................................4-81
4.13.8 Configure interface dynamic QinQ....................................................................4-82
4.13.9 Enable/disable vlan-swap.................................................................................4-82
4.13.10 Configure global vlan-swap..............................................................................4-83
4.13.11 Configure rewrite-outer-vlan.............................................................................4-83
4.13.12 Display dynamic QinQ......................................................................................4-83
4.13.13 Display vlan-swap.............................................................................................4-84
4.13.14 Display rewrite-outer-vlan.................................................................................4-84
Chapter 5 Multicast Protocol Configuration......................................................................................5-85
5.1 Multicast overview..............................................................................................................5-85
5.1.1 Multicast Address..............................................................................................5-85
5.2 GMRP Overview................................................................................................................5-87
5.3 GMRP Configuration..........................................................................................................5-88
5.3.1 GMRP Configuration list...................................................................................5-88
5.3.2 Enable/disable global GMRP............................................................................5-88
5.3.3 Enable/disable GMRP on a port.......................................................................5-88
5.3.4 Display GMRP...................................................................................................5-89
5.3.5 Add/delete multicast groups that can be dynamically learned by GMRP.....5-89
5.3.6 Display multicast groups that can be learned by GMRP.........................5-89
5.4 IGMP Snooping Configuration............................................................................................5-90
5.4.1 IGMP Snooping Overview.................................................................................5-90
5.4.2 Basic Concepts in IGMP Snooping...................................................................5-90
5.4.3 How IGMP Snooping Works.............................................................................5-92
5.4.4 Processing of Multicast Protocol Messages.....................................................5-93
5.4.5 Protocols and Standards...................................................................................5-96
5.4.6 IGMP Snooping configuration...........................................................................5-96
5.4.7 IGMP Snooping multicast interface aging time configuration...........................5-96
5.4.8 IGMP Snooping max-response-time configuration...........................................5-97
5.4.9 IGMP Snooping interface fast-leave configuration...........................................5-97
5.4.10 Configure the maximum number of multicast groups that can be learned........5-97
5.4.11 IGMP Snooping permit/deny group configuration.............................................5-97
5.4.12 IGMP Snooping route-port forward configuration.............................................5-98
5.4.13 Enable/disable IGMP Snooping querier............................................................5-98
5.4.14 Configure IGMP Snooping query-interval.........................................................5-98
5.4.15 Configure IGMP Snooping querier vlan............................................................5-99
5.4.16 Configure IGMP Snooping query max response..............................................5-99
5.4.17 Configure IGMP Snooping query source IP.....................................................5-99
5.4.18 Configure IGMP Snooping route port aging.....................................................5-99
5.4.19 Add IGMP Snooping route port.......................................................................5-100
5.5 Static Multicast Configuration...........................................................................................5-100
5.5.1 Brief introduction of Static Multicast................................................................5-100
5.5.2 Static Multicast Configuration.........................................................................5-100
5.5.3 Create multicast group....................................................................................5-101
5.5.4 Add interfaces to multicast group...................................................................5-101
5.5.5 Display multicast group information................................................................5-101
5.5.6 Delete interface members from multicast group.............................................5-102
5.5.7 Delete multicast group....................................................................................5-102
5.6 Cross-VLAN multicast Configuration................................................................................5-102
5.6.1 Brief Introduction of Cross-Vlan multicast......................................................5-102
5.6.2 Cross-VLAN Multicast Configuration..............................................................5-102
5.6.3 Enable/disable cross-vlan multicast................................................................5-103
5.6.4 Configure tag/untag attribute of multicast packet transmission and vlan-id of the tagged attribute.......5-103
5.6.5 Display cross-vlan multicast...........................................................................5-103
Chapter 6 DHCP Configuration......................................................................................................6-104
6.1 Brief introduction of DHCP...............................................................................................6-104
6.2 Introduction to DHCP.......................................................................................................6-104
6.3 DHCP IP Address Assignment..........................................................................................6-105
6.3.1 IP Address Assignment Policy........................................................................6-105
6.3.2 Obtaining IP Addresses Dynamically..............................................................6-105
6.3.3 Updating IP Address Lease............................................................................6-106
6.4 DHCP Packet Format.......................................................................................................6-106
6.5 DHCP Packet Processing Modes.....................................................................................6-107
6.6 Protocols and Standards..................................................................................................6-108
6.7 DHCP Relay Agent...........................................................................................................6-108
6.7.1 Usage of DHCP Relay Agent..........................................................................6-108
6.7.2 DHCP Relay Agent Fundamentals.................................................................6-108
6.7.3 Option 82 Support...........................................................................6-109
6.8 DHCP relay Configuration list...........................................................................................6-111
6.8.1 Enable DHCP relay..........................................................................................6-111
6.8.2 Configure vlan interface...................................................................................6-111
6.9 DHCP snooping...............................................................................................................6-112
6.9.1 Introduction to DHCP Snooping......................................................................6-112
6.10 Configure DHCP snooping.................................................................................6-113
6.10.1 Enable DHCP snooping..................................................................................6-113
6.10.2 Configure trust ports.......................................................................................6-113
6.10.3 Configure max host number...........................................................................6-113
6.10.4 Configure IP source guard..............................................................................6-114
6.10.5 Show DHCP snooping of ports.......................................................................6-114
6.10.6 Show DHCP snooping configuration of VLANs..............................................6-114
6.10.7 Show information of clients.............................................................................6-114
Chapter 7 ARP Configuration (Dynamic ARP Inspection).............................................................7-115
7.1 Brief Introduction of ARP..................................................................................................7-115
7.2 ARP configuration............................................................................................................7-115
7.2.1 Display ARP table item....................................................................................7-115
7.2.2 Enable/disable ARP anti-flood attack..............................................................7-116
7.2.3 Configure deny action and threshold of ARP anti-flood..................................7-116
7.2.4 Configure ARP anti-flood recover-time.........................................................7-116
7.2.5 ARP anti-flood MAC recover...........................................................................7-117
7.2.6 Display ARP anti-flood attack information....................................................7-117
7.2.7 Bind blackhole mac generated by arp anti-flood to be general......................7-117
7.2.8 Enable/disable ARP anti-spoofing..................................................................7-118
7.2.9 Configure unknown ARP packet handling strategy........................................7-118
7.2.10 Enable/disable ARP anti-spoofing valid-check...............................................7-119
7.2.11 Enable/disable ARP anti-spoofing deny-disguiser..........................................7-119
7.2.12 Display ARP anti-spoofing............................................................................7-119
7.2.13 Configure trust port of ARP anti-attack...........................................................7-120
Chapter 8 ACL Configuration.........................................................................................................8-121
8.1 ACL Overview..................................................................................................................8-121
8.1.1 ACL Match Order............................................................................................8-121
8.1.2 Ways to Apply ACL on a Switch......................................................................8-122
8.1.3 ACLs Based on Time Ranges.........................................................................8-122
8.2 Configuring ACL...............................................................................................................8-123
8.2.1 Matching order configuration..........................................................................8-123
8.2.2 ACL support....................................................................................................8-123
8.3 ACL configuration.............................................................................................................8-124
8.3.1 Configuration list.............................................................................................8-124
8.3.2 Configure time range......................................................................................8-124
8.3.3 Standard ACL..................................................................................................8-125
8.3.4 Define extended ACL......................................................................................8-126
8.3.5 Define layer 2 ACL..........................................................................................8-127
8.3.6 User-defined ACL............................................................................................8-128
8.3.7 Activate ACL....................................................................................................8-129
8.4 Monitor and maintenance of ACL......................................................................................8-129
Chapter 9 QOS Configuration........................................................................................................9-131
9.1 Brief introduction of QOS.................................................................................................9-131
9.2 QOS Configuration...........................................................................................................9-133
9.2.1 QoS Configuration list.....................................................................................9-133
9.2.2 Packet redirection configuration.....................................................................9-133
9.2.3 Priority configuration.......................................................................................9-133
9.2.4 Queue-scheduler configuration.......................................................................9-134
9.2.5 The cos-map relationship of hardware priority queue and priority of IEEE802.1p protocol...............9-134
9.2.6 Flow mirror configuration................................................................................9-135
9.2.7 Flow statistic configuration..............................................................................9-135
9.2.8 Traffic rewrite vlan configuration.....................................................................9-135
9.2.9 Traffic-insert-vlan configuration.......................................................................9-136
9.3 Monitor and maintenance of QoS.....................................................................................9-136
9.4 Port isolation....................................................................................................................9-137
9.4.1 Brief introduction of port isolation...................................................................9-137
9.4.2 Port isolation configuration..............................................................................9-137
9.5 Storm control....................................................................................................................9-138
9.5.1 Brief introduction of storm control...................................................................9-138
9.5.2 Storm control configuration.............................................................................9-138
Chapter 10 STP Configuration.......................................................................................................10-139
10.1 Brief introduction of STP Configuration...........................................................................10-139
10.1.1 Introduction to STP.......................................................................................10-139
10.1.2 Introduction to MSTP....................................................................................10-146
10.1.3 Protocols and Standards...............................................................................10-151
10.2 STP Configuration..........................................................................................................10-152
10.2.1 STP Configuration list...................................................................................10-152
10.2.2 Enable/disable STP......................................................................................10-152
10.2.3 Enable/disable interface STP.......................................................................10-152
10.2.4 Configure STP priority...................................................................................10-153
10.2.5 Configure switch Forward Delay...................................................................10-153
10.2.6 Configure Hello Time....................................................................................10-154
10.2.7 Configure Max Age.......................................................................................10-154
10.2.8 Configure path cost of specified interfaces...................................................10-154
10.2.9 Configure STP priority of specified port.......................................................10-155
10.2.10 Configure spanning-tree root-guard..............................................................10-155
10.2.11 Configure interface to force to send rstp packet...........................................10-155
10.2.12 Configure link type of specified interface......................................................10-156
10.2.13 Configure the current port as an edge port...................................................10-156
10.2.14 Configure the speed limit of sending BPDU of specified interface...............10-156
10.2.15 STP monitor and maintenance....................................................................10-157
10.2.16 Enable/disable STP remote-loop-detect.......................................................10-158
10.3 Brief Introduction of MSTP.............................................................................................10-158
10.4 MSTP Configuration.......................................................................................................10-158
10.4.1 MSTP configuration list.................................................................................10-158
10.4.2 Configure MSTP timer parameter.................................................................10-159
10.4.3 Configure MSTP configuration mark.............................................................10-159
10.4.4 Configure MSTP netbridge priority...............................................................10-160
10.4.5 Configure MSTP interface edge interface status..........................................10-160
10.4.6 Configure MSTP interface link type..............................................................10-160
10.4.7 Configure MSTP interface path cost.............................................................10-160
10.4.8 Configure MSTP interface priority.................................................................10-161
10.4.9 Configure spanning-tree mst root-guard.......................................................10-161
10.4.10 Display MSTP configuration information.......................................................10-161
10.4.11 Enable/disable digest snooping....................................................................10-162
10.4.12 Configure Ignore of VLAN.............................................................................10-162
Chapter 11 802.1X Configuration Command.................................................................................11-163
11.1 Brief introduction of 802.1X configuration.......................................................................11-163
11.2 802.1X Configuration.....................................................................................................11-163
11.2.1 AAA configuration mode...............................................................................11-163
11.2.2 RADIUS Server Configuration......................................................................11-163
11.2.3 Domain Configuration...................................................................................11-165
11.2.4 802.1X Configuration....................................................................................11-167
Chapter 12 SNTP Client Configuration..........................................................................................12-169
12.1 Brief introduction of SNTP protocol.................................................................................12-169
12.2 SNTP client configuration...............................................................................................12-169
12.2.1 Enable/disable SNTP client..........................................................................12-169
12.2.2 SNTP client working mode configuration......................................................12-170
12.2.3 SNTP client unicast server configuration......................................................12-170
12.2.4 SNTP client broadcast delay configuration...................................................12-170
12.2.5 SNTP client multicast TTL configuration.......................................................12-170
12.2.6 SNTP client poll interval configuration..........................................................12-171
12.2.7 SNTP client retransmit configuration............................................................12-171
12.2.8 SNTP client valid server configuration..........................................................12-171
12.2.9 SNTP client MD5 authentication configuration.............................................12-172
Chapter 13 Syslog Configuration.....................................................................................13-173
13.1 Brief introduction of Syslog.............................................................................................13-173
13.2 Syslog Configuration.......................................................................................13-173
13.2.1 Enable/disable Syslog...................................................................................13-174
13.2.2 Syslog sequence number configuration.......................................................13-174
13.2.3 Syslog time stamps configuration.................................................................13-174
13.2.4 Syslog terminal outputting configuration.......................................................13-174
13.2.5 Syslog logging buffered outputting configuration..........................................13-175
13.2.6 Syslog Flash storage outputting configuration..............................................13-176
13.2.7 Syslog logging host outputting configuration................................................13-176
13.2.8 Syslog SNMP Agent outputting configuration...............................................13-177
13.2.9 Module debug configuration.........................................................................13-178
Chapter 14 SSH Configuration.......................................................................................................14-179
14.1 Brief introduction of SSH................................................................................................14-179
14.2 SSH Configuration.........................................................................................................14-179
14.2.1 Enable/disable SSH function of the device...................................................14-179
14.2.2 SSH key configuration..................................................................................14-179
14.2.3 Others............................................................................................................14-180
Chapter 15 LLDP configuration......................................................................................................15-182
15.1 Brief introduction of LLDP protocol.................................................................................15-182
15.2 Introduction to LLDP......................................................................................................15-182
15.2.1 LLDP Overview.............................................................................................15-182
15.3 LLDP configuration.........................................................................................................15-183
15.3.1 LLDP configuration list..................................................................................15-183
15.3.2 Enable/disable global LLDP..........................................................................15-183
15.3.3 Configure LLDP hello-time............................................................................15-183
15.3.4 Configure LLDP hold-time.............................................................................15-184
15.3.5 Interface LLDP packet receiving/sending mode configuration.....................15-184
15.3.6 Display LLDP information.............................................................................15-184
Chapter 16 ERRP Command Configuration..................................................................................16-186
16.1 Brief introduction of ERRP..............................................................................................16-186
16.2 ERRP Overview.............................................................................................................16-186
16.3 Basic Concepts in ERRP................................................................................................16-186
16.3.1 ERRP domain...............................................................................................16-186
16.3.2 ERRP ring.....................................................................................................16-187
16.3.3 Control VLAN and data VLAN......................................................................16-187
16.3.4 Node..............................................................................................................16-187
16.3.5 Primary port and secondary port..................................................................16-187
16.3.6 Common port and edge port.........................................................................16-188
16.3.7 Multi-domain intersection common port........................................................16-188
16.3.8 Timers...........................................................................................................16-188
16.3.9 ERRP Packets..............................................................................................16-189
16.4 Typical ERRP Networking..............................................................................................16-189
16.4.1 Single ring.....................................................................................................16-189
16.4.2 Multi-domain tangent rings............................................................................16-190
16.4.3 Single-domain intersecting rings...................................................................16-191
16.4.4 Dual homed rings..........................................................................................16-191
16.4.5 Multi-domain intersecting rings.....................................................................16-192
16.5 How ERRP Works..........................................................................................................16-192
16.5.1 Polling mechanism........................................................................................16-192
16.5.2 Link down alarm mechanism........................................................................16-193
16.5.3 Ring recovery................................................................................................16-193
16.5.4 Broadcast storm suppression mechanism in a multi-homed subring in case of primary ring link failure...............16-193
16.5.5 Protocols and Standards...............................................................................16-193
16.6 ERRP Configuration.......................................................................................................16-193
16.6.1 ERRP Configuration list................................................................................16-193
16.6.2 ERRP configuration.......................................................................................16-194
16.6.3 Configure ERRP timer..................................................................................16-194
16.6.4 Enter ERRP configuration mode...................................................................16-194
16.6.5 Configure control-vlan of ERRP domain.......................................................16-194
16.6.6 Create ERRP ring.........................................................................................16-195
16.6.7 Enable/disable ERRP ring............................................................................16-196
16.6.8 Display ERRP domain and ring information.................................................16-196
Chapter 17 PPPoE Plus Configuration..........................................................................................17-197
17.1 Brief Introduction of PPPoE Plus....................................................................................17-197
17.2 PPPoE Plus Configuration..............................................................................................17-197
17.2.1 PPPoE Plus Configuration list......................................................................17-197
17.2.2 Enable/disable PPPoE Plus..........................................................................17-197
17.2.3 Configure PPPoE Plus type..........................................................................17-198
Chapter 18 CFM Configuration......................................................................................................18-199
18.1 Brief introduction of CFM................................................................................................18-199
18.2 Connectivity fault management overview........................................................................18-199
18.3 Basic Concepts in Connectivity Fault Detection..............................................................18-199
18.3.1 Maintenance domain.....................................................................................18-199
18.3.2 Maintenance association..............................................................................18-199
18.3.3 Maintenance point.........................................................................................18-199
18.3.4 Basic Functions of Connectivity Fault Management....................................18-201
18.3.5 Protocols and Standards...............................................................................18-201
18.4 CFM Configuration.........................................................................................................18-201
18.4.1 CFM Configuration list..................................................................................18-201
18.4.2 Configure cfm domain...................................................................................18-202
18.4.3 Configure cfm mep level...............................................................................18-202
18.4.4 Configure cfm mip level................................................................................18-203
18.4.5 Configure remote cfm rmep level..................................................................18-203
18.4.6 Configure cfm cc interval..............................................................................18-203
18.4.7 Enable/disable VLAN sending cfm cc enable level......................................18-204
18.4.8 cfm ping.........................................................................................................18-204
18.4.9 cfm traceroute...............................................................................................18-205
18.4.10 Display cfm domain.......................................................................................18-205
18.4.11 Display cfm maintenance-points local..........................................................18-205
18.4.12 Display cfm maintenance-points remote......................................................18-206
18.4.13 Display cfm cc database...............................................................................18-206
18.4.14 Display cfm errors.........................................................................................18-207
Chapter 1 Accessing Switch
This chapter covers the basic knowledge needed for system management, including:
· Command line interface
· Command syntax comprehension
· Syntax help
· History command
· Symbols in command
· Parameter in command
· User management
· Ways for switch management
1.1 Command Line Interface
The system provides a set of configuration commands and a command line interface. Users configure and
manage the switch through the command line. The command line interface has the following features:
· Local configuration through the Console interface
· Local or remote configuration through Telnet
· Command classification protection (privilege levels) to prevent unauthorized users from accessing commands they are not entitled to
· Input "?" at any moment to obtain help information
· Network test commands such as ping to diagnose network faults
· FTP, TFTP and Xmodem to download and upload files
· Partial keyword matching: the command line parser accepts any unambiguous prefix of a keyword, so the
interface command can be entered as "interf"
1.1.1 Command Line Configuration Mode
The system command line uses classification protection to prevent unauthorized users from accessing commands they are not entitled to. Each command mode serves a different configuration purpose, and the modes are connected to each other. After logging in successfully, a user of any level enters user mode, from which only system operation information can be viewed; an administrator inputs "enable" to enter privileged mode, and "configure terminal" in privileged mode to enter global configuration mode, from which the related configuration modes are entered by inputting the corresponding configuration command.
The command line provides the following command modes:
· User mode
· Privileged mode
· Global configuration mode
· Interface configuration mode
· VLAN configuration mode
· AAA configuration mode
· RADIUS configuration mode
· Domain configuration mode
The function and details of each command mode are as following:
Table 1. Command Line Configuration Mode

User mode
  Function: see switch operation information
  Prompt:   QTECH>
  Enter:    connect to the switch and log in with user name and password
  Exit:     exit disconnects from the switch

Privileged mode
  Function: see switch operation information and manage the system
  Prompt:   QTECH#
  Enter:    input "enable" in user mode
  Exit:     exit returns to user mode; quit disconnects from the switch

Global configuration mode
  Function: configure global parameters
  Prompt:   QTECH(config)#
  Enter:    input "configure terminal" in privileged mode
  Exit:     exit or end returns to privileged mode; quit disconnects from the switch

Interface configuration mode
  Function: configure interface parameters
  Prompt:   QTECH(config-if-ethernet-0/1)#
  Enter:    input "interface ethernet 0/1" in global configuration mode. From interface configuration mode you can enter another interface mode or VLAN configuration mode directly, without inputting "exit".

VLAN configuration mode
  Function: configure VLAN parameters
  Prompt:   QTECH(config-if-vlan)#
  Enter:    input "vlan 2" in global configuration mode. From VLAN configuration mode you can enter another VLAN mode or interface configuration mode directly, without inputting "exit".

AAA configuration mode
  Function: create domains
  Prompt:   QTECH(config-aaa)#
  Enter:    input "aaa" in global configuration mode
  Exit:     end returns to privileged mode; exit returns to global configuration mode; quit disconnects from the switch

RADIUS configuration mode
  Function: configure RADIUS server parameters
  Prompt:   QTECH(config-radius-default)#
  Enter:    input "radius host default" in global configuration mode

Domain configuration mode
  Function: configure domain parameters
  Prompt:   QTECH(config-aaa-test.com)#
  Enter:    input "domain test.com" in AAA configuration mode
  Exit:     end returns to privileged mode; exit returns to AAA configuration mode; quit disconnects from the switch
1.1.2 Command Syntax Comprehension
This section describes the steps needed to configure a command. Please read it, and the related details of the command line interface in the following sections, carefully.
Login authentication on the system console of this switch verifies the identity of the operating user: login is permitted or refused by matching the user name and password entered against the configured users.
Step 1. The following is shown when entering the command line interface:
Username(1-32 chars):
Input the user name and press the Enter button; the prompt is then as follows:
Password (1-16 chars):
Input the password. If it is correct, you enter user mode with the following prompt:
QTECH>
Note: The default user name and password are admin/123456. Because this default is published and therefore known to anyone, change the admin password at the first login (see 1.3.1).
The switch system has 2 different privilege levels: administrator and common user. A common user can only view the configuration information of the switch and has no right to modify it; an administrator can manage and configure the switch with the specified commands.
Logging in as an administrator, you can enter privileged mode from user mode:
QTECH>enable
Step 2: Input the command
If the command needs no parameter, skip to step 3. If the command needs a parameter, continue with this step.
Input the parameter required by the command, together with its keyword. The keyword identifies what the command operates on, and the parameter is a number, character string or IP address within a specified range. Input "?" whenever you are unsure, and input the correct keyword according to the prompt.
If more than one parameter is needed, input each keyword and parameter in turn according to the prompt, until <enter> is shown in the prompt; then press the Enter button.
Step 3: Press enter button after inputting complete command.
For example:
! A command that needs no parameter
QTECH#quit
"quit" is a command without a parameter. The command name is quit; press the Enter button after inputting it to execute the command.
! A command that needs a parameter
QTECH(config)#vlan 3
"vlan 3" is a command with a keyword and a parameter: vlan is the command keyword and 3 is the parameter.
1.1.3 Syntax Help
Syntax help is built into the command line interface. If you are not sure about the syntax of a command, input "?" or the help command to list all commands of the current mode with a brief description of each; input "?" directly after a command character string to list all keywords beginning with that string; input "?" after a space to list, at the position of a keyword, all keywords with a brief description, or, at the position of a parameter, the description of that parameter. Continue inputting the command according to the prompts until the prompt shows <enter>, then press the Enter button to execute the command.
For example:
Directly input “?”in privileged mode
QTECH#?
System mode commands:
cls clear screen
help description of the interactive help
ping ping command
quit disconnect from switch and quit
……
Input “?” closely after keyword
QTECH(config)#interf?
interface
Input “?”after command character string and space
QTECH(config)#spanning-tree ?
forward-time config switch delaytime
hello-time config switch hellotime
max-age config switch max agingtime
priority config switch priority
<enter> The command end.
· Parameter range and form
QTECH(config)#spanning-tree forward-time ?
INTEGER<4-30> switch delaytime: <4-30>(second)
· Command line end prompt
QTECH(config)#spanning-tree ?
<enter> The command end.
1.1.4 History command
The command line interface automatically saves the commands a user has input, so the user can recall a saved command and re-execute it. At most 100 history commands are saved per user. Press "Ctrl+P" to recall the previous command and "Ctrl+N" for the next one.
1.1.5 Symbols in command
There are various symbols in the command syntax which are not part of the command but describe how to input it. Table 1-2 gives a brief description of these symbols.
1.2 Command Symbols Description
Symbol               Description
Vertical bars (|)    Separate alternative elements; used together with braces ({ }) and square brackets ([ ]).
Square brackets [ ]  Enclose optional elements.
                     For example: show vlan [ vlan-id ]
Braces { }           Group required choices, with vertical bars (|) separating the alternatives. Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.
1.2.1 Command Parameter Categories
There are 5 categories command parameter as following:
· Scale
Two numerical value linked by hyphen in angle brackets (< >) means this parameter is some number in the range of those two numbers.
For example:
INTEGER<1-10> means user can input any integer between 1 and 10 (include 1 and 10), such as 8 is a
valid number.
· IP address
The prompt which is in the form of A.B.C.D. means the parameter is an IP address. A valid IP address is needed to input.
For example:
192.168.0.100 is a valid IP address.
· MAC address
The prompt which is in the form of H:H:H:H:H:H means the parameter is a MAC address. A valid MAC address is needed to input. If a multicast MAC address is needed, there will be related prompt.
For example:
01:02:03:04:05:06 is a valid MAC address.
· Interface list
The prompt for an interface list is STRING<3-4>. The interface parameter interface-num has the form interface-type + interface-number. The interface-type is Ethernet and the interface-number is slot-num/port-num, where slot-num ranges from 0 to 2 and port-num from 1 to 24. Consecutive interfaces of the same type can be joined with the to keyword; the port number to the right of to must be larger than the one to its left, and this argument can be repeated at most 3 times. Any special requirement on the interface list parameter is stated with the command.
For example:
show spanning-tree interface ethernet 0/1 ethernet 0/3 to ethernet 0/5
displays spanning-tree information for interfaces ethernet 0/1 and ethernet 0/3 to ethernet 0/5.
· Character string
A prompt in the form STRING<3-4> means the parameter is a character string of 1 to 19 characters. “?” can be entered to display a detailed description of the command.
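The interface-list rules above (slot 0 to 2, port 1 to 24, the port right of to larger than the one on its left, to repeated at most 3 times) are exactly the kind of input check a management tool should make before sending a command to the switch. The following parser is an added example written for this manual; it is not QTECH code. It assumes, beyond what the manual states, that both ends of a to range lie on the same slot.

```python
import re

SLOTS = range(0, 3)      # slot-num 0..2, as stated in section 1.2.1
PORTS = range(1, 25)     # port-num 1..24, as stated in section 1.2.1
MAX_RANGES = 3           # the "to" argument may be repeated at most 3 times

_NUM = re.compile(r"^(\d+)/(\d+)$")


class InterfaceListError(ValueError):
    """Raised when an interface list violates the syntax rules of section 1.2.1."""


def _parse_one(tokens, pos):
    """Parse 'ethernet slot/port' starting at tokens[pos]; return ((slot, port), next_pos)."""
    if pos + 1 >= len(tokens) or tokens[pos].lower() != "ethernet":
        raise InterfaceListError(f"expected 'ethernet slot/port' at token {pos}")
    m = _NUM.match(tokens[pos + 1])
    if not m:
        raise InterfaceListError(f"bad interface number {tokens[pos + 1]!r}")
    slot, port = int(m.group(1)), int(m.group(2))
    if slot not in SLOTS:
        raise InterfaceListError(f"slot {slot} is outside 0-2")
    if port not in PORTS:
        raise InterfaceListError(f"port {port} is outside 1-24")
    return (slot, port), pos + 2


def parse_interface_list(text):
    """Expand an interface-list argument into an ordered list of (slot, port) tuples.

    Rules from the manual: 'to' joins consecutive interfaces of the same type, the
    port to the right of 'to' must be larger than the one on the left, and 'to' may
    appear at most 3 times.  Requiring both ends of a range to be on the same slot
    is our own assumption; the manual does not say how a range across slots behaves.
    """
    tokens = text.split()
    result, pos, ranges = [], 0, 0
    while pos < len(tokens):
        (slot, port), pos = _parse_one(tokens, pos)
        if pos < len(tokens) and tokens[pos].lower() == "to":
            ranges += 1
            if ranges > MAX_RANGES:
                raise InterfaceListError("'to' may be used at most 3 times")
            (slot2, port2), pos = _parse_one(tokens, pos + 1)
            if slot2 != slot:
                raise InterfaceListError("both ends of a range must be on the same slot (assumption)")
            if port2 <= port:
                raise InterfaceListError(f"port {port2} right of 'to' must be larger than {port}")
            result.extend((slot, p) for p in range(port, port2 + 1))
        else:
            result.append((slot, port))
    if not result:
        raise InterfaceListError("empty interface list")
    return result


def check_interface_list(text):
    """Non-raising wrapper: (True, expanded list) or (False, error message)."""
    try:
        return True, parse_interface_list(text)
    except InterfaceListError as exc:
        return False, str(exc)


def interface_names(text):
    """The expansion rendered the way the switch prints interfaces, e.g. 'ethernet 0/1'."""
    return [f"ethernet {s}/{p}" for s, p in parse_interface_list(text)]


if __name__ == "__main__":
    # The manual's own example: show spanning-tree interface ethernet 0/1 ethernet 0/3 to ethernet 0/5
    print(interface_names("ethernet 0/1 ethernet 0/3 to ethernet 0/5"))
```

Rejecting a malformed list locally, with a message that names the violated rule, is preferable to letting the switch's own parser answer with a bare syntax error over a Telnet session.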
1.3 User management
There are 2 user privileges:
· administrator
· normal user
A normal user can only enter user mode, not privileged mode, after logging in, so he can only view system information but not configure it. An administrator has the right to enter all modes and to query and configure all parameters.
1.3.1 System default user name
There is a built-in default user name, admin, whose initial password is 123456. It is suggested to change the password when logging in to the switch for the first time, to avoid it being leaked. This user name cannot be deleted and its privilege cannot be modified. It also has the right to manage other users. Please remember your modified password.
1.3.2 Add user
Log in as the system administrator admin, enter privileged mode and then global configuration mode, and use the username command. Input the user name, the user's privilege and the password to add a new user, either by following the system prompts or with the following command.
username username [ privilege level ] { password encryption-type password }
username: the name of a new or existing user, 1 to 32 printable characters, excluding such wildcards as '/', ':', '*', '?', '\\', '<', '>', '|', '"'.
privilege: the privilege of the new user, 0 to 15. 0 to 1 means normal user and 2 to 15 means administrator.
encryption-type: 0 or 7. 0 means no encryption and 7 means encryption (not supported at present).
password: the login password of the new user, or the modified password of an existing user, 1 to 16 letters or digits.
If no privilege is configured, the default privilege is ordinary user. At most 8 users are supported.
Caution: user names are case-insensitive, while passwords are case-sensitive.
! Add a new administrator “red”, configure privilege to be 3, and password to be 1234
QTECH(config)#username red privilege 3 password 0 1234
1.3.3 Modify password
In global configuration mode, the system administrator admin can use the following command to modify his own password or that of another user. Other users can only modify their own password.
username change-password
For example:
! Modify the password of user “red” to be 123456
QTECH(config)#username change-password
please input you login password : ******
please input username :red
Please input user new password :******
Please input user comfirm password :******
change user red password success.
1.3.4 Modify privilege
In global configuration mode, only the administrator admin can use the following command to modify the privilege of another user.
username username [ privilege level ] { password encryption-type password }
username: the name of a new or existing user, 1 to 32 printable characters, excluding such wildcards as '/', ':', '*', '?', '\\', '<', '>', '|', '"'.
privilege: the privilege of a new user or the modified privilege of an existing user, 0 to 15. 0 to 1 means normal user and 2 to 15 means administrator. Caution: the privilege of the administrator cannot be modified.
encryption-type: 0 or 7. 0 means no encryption and 7 means encryption (not supported at present).
password: the login password of the new user, or the modified password of an existing user, 1 to 16 letters or digits.
If nothing is input when modifying the privilege of an existing user, the privilege is not changed.
Caution: user names are case-insensitive, while passwords are case-sensitive.
For example:
! Modify the privilege of administrator “red” to be 1, and password to be 1234
QTECH(config)#username red privilege 1 password 0 1234
1.3.5 Remove user name
The system administrator admin can use the following command in global configuration mode to remove a user name:
no username username
username is the user name to be deleted.
For example:
! Remove user red
QTECH(config)#no username red
1.3.6 View system user information
To view the user list, input the
show username
command, or the
show username [ username ]
command, in any configuration mode to display information about all users or about the specified user.
For example:
! Display information of user red
QTECH(config)#show username red
display user information
user name role
____________________________________________________________
red ADMIN
1.4 Remote authentication of administrator
After authentication, the user's default privilege is normal user. Only when the authentication accept packet contains a Service-Type field with the value Administrative is the user's privilege administrator.
Caution: the admin user only supports local database authentication.
1.4.1 Start RADIUS remote authentication
Use the following command in global configuration mode:
muser { local | { radius radiusname { pap | chap } [ local ] } }
Authentication can be configured to use only RADIUS remote authentication, or to fall back to local database authentication when the RADIUS server does not respond because the connection failed.
1.4.2 Display authentication configuration
Use the following command to display the authentication configuration.
show muser
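Sections 1.3 and 1.4 together define the switch's user model: a local database with the built-in admin account, privilege levels 0-1 (user) and 2-15 (administrator), case-insensitive names, case-sensitive passwords, and a RADIUS-authenticated user who is an administrator only when the accept packet carries Service-Type = Administrative. The following model is an added example written for this manual, not QTECH code. It assumes privilege 15 for the built-in admin (the manual only says its privilege cannot be changed), uses the RFC 2865 attribute encoding for Service-Type (type 6, value 6 = Administrative-User), and keeps passwords in clear only because the manual says encryption-type 7 is unsupported; a real store must hash them.

```python
import hmac
import string

FORBIDDEN = set('/:*?\\<>|"')         # wildcards not allowed in user names (section 1.3.2)
MAX_USERS = 8                        # at most 8 users are supported
ADMIN, USER = "ADMIN", "USER"        # roles as shown by 'show username'

RADIUS_SERVICE_TYPE = 6              # RFC 2865 attribute type of Service-Type
RADIUS_ADMINISTRATIVE_USER = 6       # Service-Type value Administrative-User


def role_for_privilege(level):
    """Privilege 0-1 is a normal user, 2-15 an administrator (section 1.3.2)."""
    if not 0 <= level <= 15:
        raise ValueError("privilege must be 0-15")
    return ADMIN if level >= 2 else USER


def is_valid_username(name):
    """1 to 32 printable characters, none of the wildcard characters, no whitespace."""
    return 1 <= len(name) <= 32 and all(
        c in string.printable and not c.isspace() and c not in FORBIDDEN for c in name)


class LocalUserDatabase:
    """Model of the local user database behind the username commands (1.3.1-1.3.6)."""

    def __init__(self, admin_password="123456"):
        # privilege 15 for the built-in admin is our assumption; the manual only says
        # it is an administrator whose privilege cannot be modified
        self.users = {"admin": {"privilege": 15, "password": admin_password}}

    def set_user(self, name, password, privilege=None, encryption_type=0):
        """username name [ privilege level ] password encryption-type password"""
        if not is_valid_username(name):
            raise ValueError("user name must be 1-32 printable characters without wildcards")
        if not 1 <= len(password) <= 16:
            raise ValueError("password must be 1-16 characters")
        if encryption_type != 0:
            raise ValueError("encryption-type 7 is not supported")
        key = name.lower()                                   # names are case-insensitive
        if key == "admin" and privilege is not None:
            raise ValueError("the privilege of admin cannot be modified")
        if key not in self.users:
            if len(self.users) >= MAX_USERS:
                raise ValueError("at most 8 users are supported")
            self.users[key] = {"privilege": 0, "password": password}   # default: ordinary user
        if privilege is not None:
            role_for_privilege(privilege)                    # range check
            self.users[key]["privilege"] = privilege
        self.users[key]["password"] = password
        return self.role(key)

    def delete_user(self, name):
        """no username name: True if a user was removed."""
        key = name.lower()
        if key == "admin":
            raise ValueError("admin cannot be deleted")
        return self.users.pop(key, None) is not None

    def role(self, name):
        return role_for_privilege(self.users[name.lower()]["privilege"])

    def authenticate(self, name, password):
        """Role on success, None on failure (name case-insensitive, password case-sensitive)."""
        user = self.users.get(name.lower())
        if user is None:
            return None
        if not hmac.compare_digest(user["password"].encode(), password.encode()):
            return None
        return role_for_privilege(user["privilege"])


def decode_radius_attributes(payload):
    """Split the attribute part of a RADIUS packet into (type, value) pairs (RFC 2865)."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def role_from_access_accept(attribute_bytes):
    """Section 1.4: after RADIUS authentication the privilege is normal user unless the
    accept packet carries Service-Type = Administrative."""
    for atype, value in decode_radius_attributes(attribute_bytes):
        if atype == RADIUS_SERVICE_TYPE and len(value) == 4 \
                and int.from_bytes(value, "big") == RADIUS_ADMINISTRATIVE_USER:
            return ADMIN
    return USER
```

The RADIUS rule is the security-relevant part: a RADIUS server that omits Service-Type, or sends any value other than Administrative, yields a normal user, so an administrator mapping is never granted by accident.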
1.5 Ways of managing switch
The system provides the following ways of management:
· Accessing the command-line interface (CLI) through a terminal emulator
· Managing the system by Telnet
· Managing the system by SNMP management software
· Managing the system through a web browser such as Internet Explorer
1.5.1 Manage switch by hyper terminal
Use a terminal emulator (such as HyperTerminal) connected to the Console port to access the system command line interface (CLI).
Configuration: open the “file” -> “attribute” menu, which pops up a window. Restore the configuration to its default values, click “setting”, choose “auto-detect” in the “terminal simulation” pull-down list and click [ok]. After the connection succeeds and the login interface of the operating system appears in the terminal, configure the switch through the command line interface. The steps are as follows:
Step 1: Connect the switch Console port to the computer serial port;
Step 2: After the switch is powered on and the system has booted successfully, the login prompt is shown:
Username(1-32 chars):
Step 3: Input the correct user name, press Enter, then input the corresponding password. If it is the first time logging in to the switch, use the default user name admin and its password 123456 to log in and operate as system administrator. If you already have your own user name and password, log in with them;
Step 4: After logging in successfully, the following prompt is displayed:
QTECH>
Step 5: As administrator, after entering privileged mode, use the copy running-config startup-config command to save the configuration.
QTECH#copy running-config startup-config
When the following information is displayed:
Startup config in flash will be updated, are you sure(y/n)? [n]y
Building, please wait...
the system is saving the configuration. Please wait; the prompt then becomes:
Build successfully.
This means the current configuration has been saved successfully.
The following information is displayed when the system boots:
Ready to load startup-config, press ENTER to run or CTRL+C to cancel:
Press Enter to apply the saved configuration, or press CTRL+C to restore the system default configuration.
Step 6: The administrator can set the connection to be stopped on timeout, and a normal user can use this function in user mode. Input the timeout command to configure the login timeout to 20 minutes, and use the no timeout command to disable the timeout.
Step 7: Input the following command after finishing operations on the switch:
QTECH#quit
It exits the user interface.
1.5.2 Manage switch by telnet
Step 1: Establish the configuration environment by connecting the computer to a switch interface over the network;
Step 2: Run the Telnet program on the computer;
Step 3: After the switch is powered on, input the switch IP address to connect to the switch, then input the configured login password according to the prompt; the command line prompt (such as QTECH>) is then displayed. The connection is closed if there is no input for 1 minute before successfully logging in, or if a wrong user name or password is entered 5 times. If the prompt “Sorry, session limit reached.” appears, please connect later (at most 2 Telnet users may be logged in at the same time);
Step 4: Use the related commands to configure switch system parameters or view switch operation. To enter privileged mode, the user must have administrator privilege. If you need help, input “?” at any time. For the specific commands, please refer to the following chapters.
Step 5: To exit Telnet, use the quit or exit command in user mode, and the quit command in other modes. The administrator can use the stop username command in privileged mode to log a user out.
Chapter 2 Switch Management and Maintenance
2.1 Configuration Files Management
2.1.1 Edit configuration files
Configuration files are in text format and can be uploaded from the device to a PC by the FTP and TFTP protocols. Use a text editor (such as Windows Notepad) to edit the uploaded configuration file.
The system executes configuration files in global configuration mode by default, so a file starts with two commands: enable, and configure terminal. Each command is followed by a line break (Enter).
2.1.2 Modify and save current configuration
The user can modify and save the current system configuration from the command line interface, so that the current configuration becomes the initial configuration at the next boot.
copy running-config startup-config
This command is needed to save the current configuration. When a configuration file is executed, a command that cannot be executed is reported as “[Line:xxxx]invalid: commandString”; a command whose execution fails is reported as “[Line:xxxx]failed: commandString”; a command longer than 512 characters is reported as “[Line:xxxx]failed: too long command: commandString”, where only the first 16 characters of the command are displayed, followed by …. Here “xxxx” is the line number of the command and commandString is the command text. Commands that cannot be executed include commands with syntax errors and commands that match no known pattern. Use the following command in privileged mode:
QTECH#copy running-config startup-config
2.1.3 Erase configuration
Use the clear startup-config command to clear the saved configuration. After clearing the saved configuration with this command and rebooting the switch, the switch is restored to its original configuration. Use this command in privileged mode:
QTECH#clear startup-config
2.1.4 Execute saved configuration
The user can restore the saved configuration from the command line interface by using the copy startup-config running-config command in privileged mode, which executes the saved configuration:
QTECH#copy startup-config running-config
2.1.5 Display saved configuration
The user can display the system's saved configuration as text from the command line interface. Use the following command to display the saved configuration:
show startup-config [ module-list ]
module-list: optional module list. If no module name is given, the whole configuration file is displayed. If one or more modules are chosen, only their configuration is displayed. This command can be used in any configuration mode.
For example:
! Display all saved configuration
QTECH#show startup-config
! Display saved configuration of the GARP and OAM modules
QTECH#show startup-config garp oam
2.1.6 Display current configuration
The user can display the current system configuration as text from the command line interface. Use the following command to display the current configuration:
show running-config [ module-list ]
module-list: optional module list. If no module name is given, the whole configuration is displayed. If one or more modules are chosen, only their configuration is displayed.
For example:
! Display the whole current configuration
QTECH#show running-config
! Display current configuration of the GARP and OAM modules
QTECH#show running-config garp oam
2.1.7 Configure file executing mode shift
The user can change the execution mode of configuration files from the command line interface. Saved configuration files can be executed in stop mode or continue mode. In continue mode, execution does not stop when an error is encountered; the error is displayed and execution continues. The default is continue (non-stop) mode. Use the buildrun mode stop command to set the execution mode to stop, and the buildrun mode continue command to set it to continue. Use these commands in privileged mode.
For example:
! Configure buildrun mode to be stop.
QTECH#buildrun mode stop
! Configure buildrun mode to be continue
QTECH#buildrun mode continue
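The error reporting of section 2.1.2 and the stop/continue modes of section 2.1.7 determine what actually ends up in the running configuration when a file edited on a PC is loaded: in continue mode a bad line is skipped and everything after it still applies, in stop mode everything after the first bad line is silently absent. The following emulator is an added example written for this manual, not QTECH code; its command table is a hypothetical stand-in for the switch's real parser (only enable, configure terminal, hostname and mac-address-table age-time, with the value ranges the manual gives), and the treatment of blank lines and lines starting with ! as comments is our assumption.

```python
MAX_COMMAND_LEN = 512   # commands longer than this are rejected (section 2.1.2)
PREVIEW_LEN = 16        # only the first 16 characters of such a command are echoed


def _check_hostname(args):
    # hostname hostname: 1-32 characters (section 2.4.2)
    return len(args) == 1 and 1 <= len(args[0]) <= 32


def _check_age_time(args):
    # mac-address-table age-time { agetime | disable }, agetime 1..1048575 (section 2.3.3)
    if args[:1] != ["age-time"] or len(args) != 2:
        return False
    value = args[1]
    return value == "disable" or (value.isdigit() and 1 <= int(value) <= 1048575)


# Hypothetical command table standing in for the switch's real parser.  A name
# missing from the table is a syntax error ("invalid"); a handler returning False
# is an execution failure ("failed").
COMMANDS = {
    "enable": lambda args: args == [],
    "configure": lambda args: args == ["terminal"],
    "hostname": _check_hostname,
    "mac-address-table": _check_age_time,
}


def run_config(text, mode="continue"):
    """Execute a configuration file line by line.

    Emulates the messages of section 2.1.2 and the buildrun modes of 2.1.7:
    in 'continue' mode (the default) errors are reported and execution goes on,
    in 'stop' mode execution halts at the first error.
    Returns (number of commands executed, list of messages).
    """
    if mode not in ("stop", "continue"):
        raise ValueError("mode must be 'stop' or 'continue'")
    messages, executed = [], 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):   # blank lines and '!' comments skipped (assumption)
            continue
        failed = True
        if len(line) > MAX_COMMAND_LEN:
            messages.append(f"[Line:{lineno}]failed: too long command: {line[:PREVIEW_LEN]}...")
        else:
            name, *args = line.split()
            handler = COMMANDS.get(name)
            if handler is None:
                messages.append(f"[Line:{lineno}]invalid: {line}")
            elif not handler(args):
                messages.append(f"[Line:{lineno}]failed: {line}")
            else:
                executed += 1
                failed = False
        if failed and mode == "stop":
            break
    return executed, messages


# Constructed sample configuration file: the two mandatory leading commands, two
# good lines, an out-of-range value, an unknown command and an over-long command.
SAMPLE_CONFIG = (
    "enable\n"
    "configure terminal\n"
    "! set the prompt\n"
    "hostname QSW-2900\n"
    "mac-address-table age-time 3600\n"
    "mac-address-table age-time 0\n"
    "no-such-command foo\n"
    "hostname " + "x" * 600 + "\n"
)

if __name__ == "__main__":
    for mode in ("continue", "stop"):
        count, msgs = run_config(SAMPLE_CONFIG, mode)
        print(f"buildrun mode {mode}: {count} commands executed")
        print("\n".join(msgs))
```

Running the sample in both modes shows the operational difference: continue mode executes 4 commands and reports three errors, stop mode executes the same 4 commands but reports only the first error and never reaches the rest of the file. Whichever mode is in use, the messages should be read before copy running-config startup-config is issued.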
2.2 Online Loading Upgrade Program
The system can upgrade the application program and load configuration files online by TFTP, FTP and Xmodem, and can upload configuration files, logging files and alarm information by TFTP and FTP.
2.2.1 Upload and download files by TFTP
Use the following command to upload files by TFTP:
upload { alarm | configuration | logging } tftp tftpserver-ip filename
Use the following command to download files by TFTP:
load {application | configuration | whole-bootrom } tftp tftpserver-ip filename
tftpserver-ip is the IP address of the TFTP server. filename is the name of the file to be loaded, which cannot be a system keyword (for example, con cannot be a file name on Windows). Start the TFTP server and set the file upload path before using this command.
Suppose the IP address of the TFTP server is 192.168.0.100 and the file name is abc. Start the TFTP server and configure the upload and download paths; the commands are used in privileged mode.
For example:
! Upload configuration to 192.168.0.100 by TFTP and save it as abc
QTECH#upload configuration tftp 192.168.0.100 abc
The configuration information is saved when the upload succeeds.
! Download configuration file abc from 192.168.0.100 by TFTP
QTECH#load configuration tftp 192.168.0.100 abc
Reboot the switch after a successful download to run the new configuration.
! Upload alarm information to 192.168.0.100 by TFTP and save it as abc
QTECH#upload alarm tftp 192.168.0.100 abc
! Upload logging to 192.168.0.100 by TFTP and save it as abc
QTECH#upload logging tftp 192.168.0.100 abc
! Download application program app.arj from 192.168.0.100 by TFTP
QTECH#load application tftp 192.168.0.100 app.arj
Reboot the switch after a successful download to run the new application program.
! Download whole-bootrom rom3x26.bin from 192.168.0.100 by TFTP
QTECH#load whole-bootrom tftp 192.168.0.100 rom3x26.bin
2.2.2 Upload and download files by FTP
Use the following command to upload files by FTP:
upload { alarm | configuration | logging } ftp ftpserver-ip filename username userpassword
Use the following command to download files by FTP:
load { application | configuration | whole-bootrom} ftp ftpserver-ip filename username userpassword
ftpserver-ip is the IP address of the FTP server. filename is the name of the file to be loaded, which cannot be a system keyword (for example, con cannot be a file name on Windows). Start the FTP server and set the user name, password and file upload path before using this command.
Suppose the IP address of the FTP server is 192.168.0.100 and the file name is abc. Start the FTP server and configure the user name user, the password 1234 and the file download path; the commands are used in privileged mode.
For example:
! Upload configuration to 192.168.0.100 by FTP and save it as abc
QTECH#upload configuration ftp 192.168.0.100 abc user 1234
The configuration information is saved when the upload succeeds.
! Download configuration file abc from 192.168.0.100 by FTP
QTECH#load configuration ftp 192.168.0.100 abc user 1234
Reboot the switch after a successful download to run the new configuration.
! Download application program abc from 192.168.0.100 by FTP
QTECH#load application ftp 192.168.0.100 abc user 1234
Reboot the switch after a successful download to run the new application program.
! Upload alarm information to 192.168.0.100 by FTP and save it as abc
QTECH#upload alarm ftp 192.168.0.100 abc user 1234
! Upload logging to 192.168.0.100 by FTP and save it as abc
QTECH#upload logging ftp 192.168.0.100 abc user 1234
! Download whole-bootrom abc from 192.168.0.100 by FTP
QTECH#load whole-bootrom ftp 192.168.0.100 abc user 1234
2.2.3 Download files by Xmodem
Use the load application xmodem command to load the application program by the Xmodem protocol.
load application xmodem
Input the following command in privileged mode:
QTECH#load application xmodem
Choose “send” -> “send file” in HyperTerminal, input the full path and file name in the file name dialog box, choose the Xmodem protocol under “protocol”, then click send.
Reboot the switch after a successful download to run the new application program.
Use the load configuration xmodem command to load a configuration file by the Xmodem protocol.
load configuration xmodem
Input the following command in privileged mode:
QTECH#load configuration xmodem
Choose “send” -> “send file” in HyperTerminal, input the full path and file name in the file name dialog box, choose the Xmodem protocol under “protocol”, then click send.
Reboot the switch after a successful download to run the new configuration.
Use the load whole-bootrom xmodem command to load the whole BootRom by the Xmodem protocol.
load whole-bootrom xmodem
Input the following command in privileged mode:
QTECH#load whole-bootrom xmodem
Choose “send” -> “send file” in HyperTerminal, input the full path and file name in the file name dialog box, choose the Xmodem protocol under “protocol”, then click send.
Reboot the switch after a successful download to run the new BootRom program.
2.3 MAC address table management
2.3.1 Brief introduction of MAC address table management
The system maintains a MAC address table used to forward packets. Each entry of the table contains a MAC address, a VLAN ID and the number of the interface on which the packet entered. When a packet enters the switch, the switch looks up the MAC address table by the destination MAC address and VLAN ID of the packet. If an entry is found, the packet is sent out of the interface specified in that entry; otherwise the packet is broadcast within the VLAN. In SVL learning mode, the lookup uses only the MAC address of the packet and ignores the VLAN ID.
The system learns MAC addresses. If the source MAC address of a received packet does not exist in the MAC address table, the system adds the source MAC address, the VLAN ID and the number of the receiving port as a new entry.
The MAC address table can also be configured manually. The administrator can configure the table according to the real situation of the network. Added or modified entries can be static, permanent, blackhole or dynamic.
The system provides MAC address aging. If no packet is received from a device within a certain time, the system deletes the related entry. Aging applies to dynamic entries, whether learned or configured by the user.
2.3.2 MAC address table management list
MAC address table management includes:
· Configure system MAC address aging time
· Configure MAC address item
· Enable/disable MAC address learning
· Modify MAC address learning mode
2.3.3 Configure system MAC address aging time
Use the mac-address-table age-time command in global configuration mode to configure the MAC address aging time, and the no mac-address-table age-time command to restore the default.
mac-address-table age-time { agetime | disable }
no mac-address-table age-time
agetime is the MAC address aging time, ranging from 1 to 1048575 seconds; the default is 300 seconds. disable means MAC addresses do not age. The no form restores the default aging time.
For example:
! Configure MAC address aging time to be 3600 seconds
QTECH(config)#mac-address-table age-time 3600
! Restore MAC address aging time to be 300 seconds
QTECH(config)#no mac-address-table age-time
Display MAC address aging time
Use the show mac-address-table age-time command to display the MAC address aging time.
show mac-address-table age-time
For example:
! Display MAC address aging time.
QTECH(config)#show mac-address-table age-time
2.3.4 Configure MAC address item
a) Add MAC address
Besides dynamic learning, entries can be added to the MAC address table manually.
mac-address-table { dynamic | permanent | static } mac interface interface-num vlan vlan-id
The parameters mac, vlan-id and interface-num correspond to the three attributes of the new entry.
The MAC address attribute can be dynamic, permanent or static. A dynamic MAC address can age out; a permanent MAC address does not age and survives a reboot; a static MAC address does not age but is lost after a reboot.
For example:
! Add MAC address 00:01:02:03:04:05 as a static entry.
QTECH(config)#mac-address-table static 00:01:02:03:04:05 interface ethernet 0/1 vlan 1
b) Add blackhole MAC address
The system can configure a MAC address table entry as a blackhole entry. A packet whose source or destination address is a blackhole MAC address is dropped.
mac-address-table blackhole mac vlan vlan-id
For example:
! Forbid packets tagged with VLAN 1 whose source or destination address is 00:01:02:03:04:05 from passing through the system
QTECH(config)#mac-address-table blackhole 00:01:02:03:04:05 vlan 1
c) Delete MAC address item
Use the no mac-address-table command to remove MAC address table entries.
no mac-address-table [ blackhole | dynamic | permanent | static ] mac vlan vlan-id
no mac-address-table [ dynamic | permanent | static ] mac interface interface-num vlan vlan-id
no mac-address-table [dynamic | permanent | static ] interface interface-num
no mac-address-table [ blackhole | dynamic | permanent | static ] vlan vlan-id
no mac-address-table
vlan means deleting entries by VLAN ID; mac means deleting a specified MAC address entry; interface-num means deleting entries by interface number; no mac-address-table alone deletes all MAC addresses.
For example:
! Delete all MAC address table entries
QTECH(config)#no mac-address-table
d) Display MAC address table
Use the show mac-address-table command to display the MAC address table.
show mac-address-table
show mac-address-table { interface-num [ vlan vlan-id ] | cpu }
show mac-address-table mac [ vlan vlan-id ]
show mac-address-table { blackhole | dynamic | permanent | static } [ vlan vlan-id ]
show mac-address-table { blackhole | dynamic | permanent | static } interface interface-num [ vlan vlan-id ]
show mac-address-table vlan vlan-id
The parameters have the same meaning as for adding and deleting MAC address table entries.
e) Enable/disable MAC address learning
In global configuration mode this command is a batch command that configures all interfaces in the same way; in interface configuration mode it configures MAC address learning on one interface. When MAC address learning is disabled on an interface, packets with an unknown destination address received on other interfaces are not forwarded to this interface, and packets received on this interface whose source address is not known on this interface are not forwarded. By default, MAC address learning is enabled on all interfaces.
mac-address-table learning
no mac-address-table learning
For example:
! Disable MAC address learning on interface Ethernet 0/7.
QTECH(config-if-ethernet-0/7)#no mac-address-table learning
f) Display MAC address learning
show mac-address-table learning [ interface [ interface-num ] ]
Use the show mac-address-table learning command to display the MAC address learning status.
g) Modify MAC address learning mode
The system supports the SVL and IVL learning modes; the default is SVL. The user can configure the MAC learning mode in global configuration mode. It takes effect after a reboot.
mac-address-table learning mode { svl | ivl }
show mac-address-table learning mode
For example:
! Change the MAC address learning mode to IVL
QTECH(config)#mac-address-table learning mode ivl
! Display MAC address learning mode.
QTECH(config)#show mac-address-table learning mode
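Sections 2.3.1 and 2.3.4 describe one forwarding algorithm: look the destination up by MAC (SVL) or by MAC and VLAN (IVL), forward to the entry's port or flood within the VLAN, learn the source as a dynamic entry, drop anything touching a blackhole address, age dynamic entries, and refuse to learn on interfaces with learning disabled. The following software model is an added example written for this manual, not QTECH code. It does not model port VLAN membership (flooding goes to every other port), and since the manual does not say whether blackhole entries survive a reboot, the model drops them on reboot; both are assumptions.

```python
DEFAULT_AGE_TIME = 300   # default MAC aging time in seconds (section 2.3.3)


class MacTable:
    """Software model of the MAC table behaviour described in sections 2.3.1-2.3.4.

    Entries are keyed by MAC alone in SVL mode and by (MAC, VLAN) in IVL mode.
    Entry kinds follow the manual: dynamic (ages out), static (no aging, lost on
    reboot), permanent (no aging, kept across reboot), blackhole (frames whose
    source or destination matches are dropped).
    """

    def __init__(self, ports, mode="svl", age_time=DEFAULT_AGE_TIME):
        self.ports = set(ports)          # interface numbers, e.g. "0/1"
        self.mode = mode                 # "svl" (default) or "ivl"
        self.age_time = age_time         # None models 'mac-address-table age-time disable'
        self.entries = {}                # key -> {"kind", "port", "vlan", "last_seen"}
        self.learning_off = set()        # interfaces under 'no mac-address-table learning'

    def _key(self, mac, vlan):
        mac = mac.lower()
        return mac if self.mode == "svl" else (mac, vlan)

    def add(self, kind, mac, vlan, port=None, now=0):
        """mac-address-table { dynamic | permanent | static | blackhole } ..."""
        if kind not in ("dynamic", "permanent", "static", "blackhole"):
            raise ValueError("unknown entry kind")
        self.entries[self._key(mac, vlan)] = {"kind": kind, "port": port, "vlan": vlan,
                                              "last_seen": now}

    def lookup(self, mac, vlan):
        return self.entries.get(self._key(mac, vlan))

    def age(self, now):
        """Expire dynamic entries idle longer than age_time; returns how many were removed."""
        if self.age_time is None:
            return 0
        stale = [k for k, e in self.entries.items()
                 if e["kind"] == "dynamic" and now - e["last_seen"] > self.age_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def reboot(self):
        """Only permanent entries survive a reboot (static and dynamic are lost).
        Whether blackhole entries persist is not stated in the manual; they are
        dropped here as well (assumption)."""
        self.entries = {k: e for k, e in self.entries.items() if e["kind"] == "permanent"}

    def forward(self, src_mac, dst_mac, vlan, in_port, now=0):
        """Decide what happens to one frame and learn its source address.

        Returns ("drop", None), ("flood", [ports]) or ("port", port).
        """
        src = self.lookup(src_mac, vlan)
        dst = self.lookup(dst_mac, vlan)
        # blackhole: drop if either address is a blackhole entry
        if (src and src["kind"] == "blackhole") or (dst and dst["kind"] == "blackhole"):
            return ("drop", None)
        if in_port in self.learning_off:
            # learning disabled: a frame whose source is not already known on this
            # interface is not forwarded (section 2.3.4 e)
            if src is None or src["port"] != in_port:
                return ("drop", None)
        elif src is None:
            self.add("dynamic", src_mac, vlan, in_port, now)      # source learning
        elif src["kind"] == "dynamic":
            src["port"], src["last_seen"] = in_port, now           # refresh or move
        if dst is None:
            # unknown destination: flood within the VLAN, skipping the ingress port
            # and interfaces with learning disabled (port VLAN membership not modelled)
            return ("flood", sorted(self.ports - {in_port} - self.learning_off))
        return ("port", dst["port"])


if __name__ == "__main__":
    table = MacTable(ports=["0/1", "0/2", "0/3"], mode="ivl")
    table.add("blackhole", "00:01:02:03:04:05", vlan=1)          # the manual's blackhole example
    print(table.forward("00:aa:00:00:00:01", "ff:ff:ff:ff:ff:ff", 1, "0/1", now=0))
    print(table.forward("00:aa:00:00:00:02", "00:aa:00:00:00:01", 1, "0/2", now=10))
    print(table.forward("00:01:02:03:04:05", "00:aa:00:00:00:01", 1, "0/3", now=20))
    print(table.age(now=305), "entries aged out")
```

Two checks worth keeping in mind when reading the model: in SVL mode a static entry bound to one VLAN answers lookups for every VLAN, which is exactly why the manual says IVL must be chosen before VLAN separation of the same MAC is expected; and a blackhole entry is consulted before learning, so a blackholed source never creates a dynamic entry.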
2.3.5 Reboot
Use the reboot command in privileged mode to reboot the switch:
QTECH#reboot
2.4 System Maintenance
2.4.1 Use show command to check system information
The show commands can be divided into the following categories:
· Command of displaying system configuration
· Command of displaying system operation
· Command of displaying system statistics
The show commands related to specific protocols and interfaces are described in the related chapters. The system show commands are listed below.
Use the following commands in any configuration mode:
show version    Display the system version
show username   Display the users that can log in
show users      Display the administrators currently logged in
show system     Display system information
show memory     Display memory usage
show clock      Display the system clock
show cpu        Display CPU information
For example:
! Display system version
QTECH>show version
software platform : Broadband NetWork Platform Software
software version : QTECH QSW-2900 V100R001B01D001P001SP5
copyright : Copyright (c) 2001-2007
compiled time : Apr 09 2008 20:30:00
processor : ARM9, 180MHz
SDRAM (bytes) : 32M
flash memory (bytes) : 4096k
MAC address : 00:1f:ce:10:14:f1
product serial number : 123456789
hardware version : V3.0
bootrom version : V1.6
2.4.2 Basic Configuration and Management
Basic system configuration and management includes:
a) Configure host name
Use the hostname command in global configuration mode to configure the system command line interface prompt, and the no hostname command to restore the default host name.
Configure the system command line interface prompt:
hostname hostname
hostname: a character string of 1 to 32 printable characters, excluding such wildcards as '/', ':', '*', '?', '\\', '<', '>', '|', '"'.
Use the no hostname command in global configuration mode to restore the default host name QTECH.
For example:
! Configure hostname to be QSW-2900
QTECH(config)#hostname QSW-2900
QSW-2900(config)#
b) Configure system clock
Use the clock set command in privileged mode to configure the system clock.
clock set HH:MM:SS YYYY/MM/DD
For example:
! Configure system clock to be 2001/01/01 0:0:0
QTECH#clock set 0:0:0 2001/01/01
2.4.3 Network connecting test command
Use the ping command in privileged mode or user mode to check the network connection.
ping [-c count] [-s packetsize] [-t timeout] host
Parameters:
-c count: the number of packets to send
-s packetsize: the length of the packet to send, in bytes
-t timeout: the time to wait for a reply after a packet is sent, in seconds
For example:
! Ping 192.168.0.100
QTECH#ping 192.168.0.100
PING 192.168.0.100: with 32 bytes of data:
reply from 192.168.0.100: bytes=32 time<10ms TTL=127
reply from 192.168.0.100: bytes=32 time<10ms TTL=127
reply from 192.168.0.100: bytes=32 time<10ms TTL=127
reply from 192.168.0.100: bytes=32 time<10ms TTL=127
reply from 192.168.0.100: bytes=32 time<10ms TTL=127
----192.168.0.100 PING Statistics----
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/0/0
2.4.4 Loopback test command
In global configuration mode, the loopback command tests the external loopback of all interfaces; in interface configuration mode, it tests whether one interface is working normally, and the test can be internal or external. For an external test, an external loopback wire must be inserted (the receive and transmit lines of the RJ-45 connected directly). Use 4 different wires when the speed is less than 100M.
While the loopback command is running, the interface cannot forward data packets correctly; the test ends automatically after a certain time. If the shutdown command is executed, the loopback test fails; while a loopback test is executing, the speed, duplex, mdi, vct and shutdown operations are forbidden. After an external test, remove the external wire to avoid abnormal communication.
Loopback on all interfaces:
loopback { internal | external }
Loopback on specified interface:
loopback { external | internal }
external means external loopback and internal means internal loopback.
For example:
! Loopback on interface Ethernet 0/1
QTECH(config-if-ethernet-0/1)#loopback external
! Loopback on all interfaces
QTECH(config)#loopback internal
2.4.5 Administration IP address restriction
Administration IP address restriction limits which host IP addresses or network segments may manage the switch through the web server, Telnet and the SNMP agent; IP addresses that are not configured cannot manage the switch. By default, each of the three services has an entry for the address 0.0.0.0 (with wildcard 255.255.255.255), so users at any IP address can manage the switch. Different IP addresses and masks mean different things: a reverse mask of 0.0.0.0 means a single host address, otherwise the entry means a network segment; 255.255.255.255 means all hosts. When enabling a restriction, the 0.0.0.0 item must be deleted. When a packet is received, its IP address is checked against the managed IP address ranges; if it does not belong to them, the packet is dropped and the Telnet connection is closed.
login-access-list { web | snmp | telnet } ip-address wildcard
web means the IP address restriction for accessing the web server; snmp means the restriction for accessing the SNMP agent; telnet means the restriction for Telnet access. ip-address is the IP address and wildcard is the mask wildcard, written as a reverse mask: a 0 bit means the bit must match, and a 1 bit means the bit is not checked.
When the reverse mask is 0.0.0.0 it means a host address, and 255.255.255.255 means all hosts. Use the no form of the command to delete the corresponding item.
For example:
! Configure the IP addresses allowed to manage the system by Telnet to be 192.168.0.0/255.255.0.0
QTECH(config)#login-access-list telnet 192.168.0.0 0.0.255.255
QTECH(config)#no login-access-list telnet 0.0.0.0 255.255.255.255
Use the show login-access-list command to display all IP addresses allowed to access the web, SNMP and Telnet management systems.
show login-access-list
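The wildcard semantics above decide whether a restriction actually restricts anything: an entry with wildcard 255.255.255.255 matches every source, and the manual's example therefore deletes the factory 0.0.0.0 255.255.255.255 item right after adding the 192.168.0.0 0.0.255.255 one. The following model is an added example written for this manual, not QTECH code; it assumes the factory entry is exactly the pair shown in the manual's no command and that a service permits a source when any of its entries matches.

```python
import ipaddress

SERVICES = ("web", "snmp", "telnet")
FACTORY_ENTRY = ("0.0.0.0", "255.255.255.255")   # the default any-host item (section 2.4.5)


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(ip, wildcard, source):
    """Reverse-mask comparison: 0 bits of the wildcard must match, 1 bits are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(ip) & care) == (_to_int(source) & care)


class LoginAccessList:
    """Model of 'login-access-list { web | snmp | telnet } ip-address wildcard'.

    Each service starts with the factory entry 0.0.0.0 255.255.255.255, which
    permits every host until it is removed with the no form of the command.
    """

    def __init__(self):
        self.rules = {s: [FACTORY_ENTRY] for s in SERVICES}

    def add(self, service, ip, wildcard):
        """login-access-list service ip wildcard"""
        entry = (ip, wildcard)
        if entry not in self.rules[service]:
            self.rules[service].append(entry)

    def remove(self, service, ip, wildcard):
        """no login-access-list service ip wildcard: True if an item was deleted."""
        try:
            self.rules[service].remove((ip, wildcard))
            return True
        except ValueError:
            return False

    def permits(self, service, source):
        """True if a packet from `source` may reach the given management service."""
        return any(wildcard_matches(ip, wc, source) for ip, wc in self.rules[service])

    def open_services(self):
        """Audit helper: services that still carry the any-host factory entry."""
        return [s for s in SERVICES if FACTORY_ENTRY in self.rules[s]]


if __name__ == "__main__":
    acl = LoginAccessList()
    acl.add("telnet", "192.168.0.0", "0.0.255.255")       # the manual's example, step 1
    print("before deleting factory item:", acl.permits("telnet", "10.1.1.1"))   # still True
    acl.remove("telnet", "0.0.0.0", "255.255.255.255")   # the manual's example, step 2
    print("after:", acl.permits("telnet", "10.1.1.1"), acl.permits("telnet", "192.168.5.7"))
    print("services still open to any host:", acl.open_services())
```

Running it shows why the manual insists on deleting the 0.0.0.0 item: with only the first command applied, Telnet from 10.1.1.1 is still permitted, and open_services() is the check an auditor would run against show login-access-list output for web and SNMP, which the example leaves unrestricted.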
2.4.6 The number of Telnet user restriction
Configure the maximum number of Telnet users. This function restricts the number of Telnet users (0-5) that can enter privileged mode at the same time. Users who are logged in without entering privileged mode are not restricted by this limit, only by the maximum number of Telnet sessions. The administrator and super user are not restricted and can log in through the serial interface. Display the configuration with the show users command.
Configure it in global configuration mode:
login-access-list telnet-limit limit-no
no login-access-list telnet-limit
Example:
! Allow only 2 Telnet users to enter privileged mode at the same time
QTECH(config)#login-access-list telnet-limit 2
2.4.7 Routing tracert command
tracert is used for route detection and network examination. Use it in privileged mode:
tracert [ -u | -c ] [ -p udpport | -f first_ttl | -h maximum_hops | -w time_out ] target_name
Parameters:
-u: send UDP packets;
-c: send ICMP echo packets; this is the default;
-p udpport: destination port for the UDP packets, in the range 1 to 65535; the default is 62929;
-f first_ttl: initial TTL of the packets sent, in the range 1 to 255; the default is 1;
-h maximum_hops: maximum TTL of the packets sent, in the range 1 to 255; the default is 30;
-w time_out: time to wait for a response, in the range 10 to 60 seconds; the default is 10 seconds;
target_name: destination host or router address.
Example:
! Tracert 192.168.1.2
QTECH#tracert 192.168.1.2
Tracing route to 192.168.1.2 [192.168.1.2]
over a maximum of 30 hops:
1 20 ms <10 ms <10 ms 192.168.0.1
1 20 ms <10 ms 30 ms 192.168.1.2
tracert complete.
2.4.8 cpu-car command
cpu-car configures the CPU rate for receiving packets, and no cpu-car restores the default rate. Configure it in global configuration mode:
cpu-car target-rate
no cpu-car
Parameter:
target-rate: cpu rate for receiving packet , which is in the range of 1 to 1000pps and the default rate is 50pps..
Example:
! Configure cpu rate for receiving packet to be 100pps
QTECH(config)#cpu-car 100
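As an added example that is not part of the QTech manual, the following Python simulation models cpu-car as a token bucket (an assumption; the manual states only a rate in packets per second) and shows both what the command buys and what it does not: a 1000 pps flood aimed at the CPU is cut to the configured 100 pps, but a legitimate 5 pps management trickle competes for the same budget and is mostly lost with it. Policing protects the CPU, not the administrator's session; the source restrictions of login-access-list are what keep a flood from counting at all. All traffic here is constructed.

```python
"""Simulation of CPU packet-rate limiting in the style of cpu-car.

Added example, not the switch's own code. The token-bucket model is an
assumption; the manual only states a rate in packets per second.
"""


class CpuCar:
    """Token bucket with `rate` tokens per second and a burst of `rate` tokens."""

    def __init__(self, rate: int):
        if not 1 <= rate <= 1000:            # range given in the manual
            raise ValueError("target-rate must be 1..1000 pps")
        self.rate = rate
        self.tokens = float(rate)           # bucket starts full
        self.last = 0.0                     # arrival time of the previous packet

    def admit(self, now: float) -> bool:
        """True if a packet arriving at `now` (seconds) is delivered to the CPU."""
        self.tokens = min(float(self.rate), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                        # over the rate: dropped before the CPU


def simulate(rate: int, flood_pps: int, legit_pps: int, seconds: int = 5) -> dict:
    """Offer a flood and a legitimate trickle to one rate limiter.

    Returns {"flood": [offered, admitted], "legit": [offered, admitted]}.
    Arrival times are constructed: evenly spaced within each second, with the
    legitimate packets offset by 0.5 ms so they never tie with a flood packet.
    """
    car = CpuCar(rate)
    events = []
    for s in range(seconds):
        events += [(s + i / flood_pps, "flood") for i in range(flood_pps)]
        events += [(s + i / legit_pps + 0.0005, "legit") for i in range(legit_pps)]
    events.sort()
    stats = {"flood": [0, 0], "legit": [0, 0]}
    for t, kind in events:
        stats[kind][0] += 1
        if car.admit(t):
            stats[kind][1] += 1
    return stats


if __name__ == "__main__":
    # Flood of 1000 pps plus 5 pps of legitimate management traffic, 100 pps CAR
    print(simulate(rate=100, flood_pps=1000, legit_pps=5))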
2.5 Monitoring the system by SNMP
2.5.1 Brief introduction to SNMP
SNMP (Simple Network Management Protocol) is an important network management protocol in TCP/IP networks. It performs management by exchanging information packets and makes centralized management of large networks possible. Its aim is to let the network administrator query information, modify settings, locate and diagnose faults, plan capacity and generate reports for any network node. It consists of an NMS and Agents. The NMS (Network Management Station) is the workstation on which the client program runs; the Agent is server software running in the network devices. The NMS sends GetRequest, GetNextRequest and SetRequest packets to the Agent. After receiving a request packet from the NMS, the Agent reads or writes the management variable according to the packet type, creates a Response packet and returns it to the NMS. In addition, the Agent sends Trap packets to the NMS on abnormal events such as a cold boot or warm boot of the device.
QTECH provides its own QTECH NMS and Agent software. Please refer to
http://www.qtech.ru/support/software.htm
The system supports SNMP versions v1, v2c and v3. v1 provides only a simple authentication mechanism (the community name), does not support communication between managers, and v1 Traps have no authentication at all. v2c strengthens the management model, the structure of management information, the protocol operations and the communication between managers; it can create and delete table rows and reduces the work of the agent. v3 adds user-based authentication and packet encryption and greatly improves the security of SNMP. Note that v1 and v2c send the community name in clear text in every packet, so on an untrusted network only v3 with authentication and privacy protects management access.
SNMP offers a framework for monitoring network devices over the TCP/IP protocol suite. It provides a set of basic operations for monitoring and maintaining the network and has the following characteristics:
· Network management automation: SNMP enables network administrators to query information, modify information, find and diagnose network problems, plan for network growth, and generate reports on network nodes.
· SNMP shields the physical differences between various devices and thus allows automated management of products from different manufacturers. Offering only a basic set of functions, SNMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technology. Thus, SNMP achieves effective management of devices from different manufacturers, especially in small, fast and low-cost network environments.
2.6 SNMP Mechanism
An SNMP enabled network is comprised of network management station (NMS) and Agent.
· NMS is a station that runs the SNMP client software. It offers a user friendly human computer interface,
making it easier for network administrators to perform most network management tasks. Currently, the most commonly used NMSs include Quidview, Sun NetManager, and IBM NetView.
· Agent is a program on the device. It receives and handles requests sent from the NMS. Only under certain
circumstances, such as interface state change, will the Agent inform the NMS.
· NMS manages an SNMP enabled network, whereas Agent is the managed network device. They exchange
management information through the SNMP protocol.
SNMP provides the following four basic operations:
· Get operation: NMS gets the value of a certain variable of Agent through this operation.
· Set operation: NMS can reconfigure certain values in the Agent MIB (Management Information Base) to
make the Agent perform certain tasks by means of this operation.
· Trap operation: Agent sends Trap information to the NMS through this operation.
· Inform operation: NMS sends Trap information to other NMSs through this operation.
2.7 SNMP Protocol Versions
Currently, the SNMP agent supports SNMPv3 and is compatible with SNMPv1 and SNMPv2c.
SNMPv1 and SNMPv2c authenticate by means of the community name, which defines the relationship between an SNMP NMS and an SNMP Agent. SNMP packets whose community name does not pass authentication on the device are simply discarded. A community name plays the role of a password and regulates access from the NMS to the Agent; it is carried in clear text, so it should be treated as a secret and the addresses allowed to use it should be restricted (see login-access-list).
SNMPv3 offers authentication implemented with the User-Based Security Model (USM), at one of three security levels: authentication with privacy, authentication without privacy, or no authentication and no privacy. USM regulates access from the NMS to the Agent far more securely than a community name.
2.8 MIB Overview
Management Information Base (MIB) is a collection of all the objects managed by NMS. It defines the set of characteristics associated with the managed objects, such as the object identifier (OID), access right and data type of the objects.
MIB stores data in a tree structure. Each node of the tree is a managed object and can be uniquely identified by the path from the root node. As illustrated in the following figure, the managed object B can be uniquely identified by the string of numbers {1.2.1.1}. This string of numbers is the OID of managed object B.
Figure 1 MIB tree
2.9 Configuration
SNMP configuration command list includes:
· Configure community
· Configure sysContact
· Configure Trap destination host address
· Configure sysLocation
· Configure sysName
· Configure notify
· Configure engine id
· Configure view
· Configure group
· Configure user
SNMP uses community-based authentication. SNMP packets whose community name does not match a configured community are dropped. A community name is a character string. Different communities can have read-only or read-write access: a community with read-only access can only query system information, while one with read-write access can also configure the system. At most 8 community names can be configured. By default no community name is configured, so no v1/v2c request is answered until one is added. Avoid well-known names such as public or private, and give read-write access only to communities that need it. Configure it in global configuration mode.
2.9.1 Configure community name and access right
This command is also used to modify the attributes of an existing community with the same community-name string.
snmp-server community community-name { ro | rw } { deny | permit } [ view view-name ]
community-name is a printable character string of 1 to 20 characters; ro | rw means read-only or read-write; permit | deny means the community is activated or not;
view-name is the view assigned to the community. The default view is iso.
· Delete a community name and its access right
no snmp-server community community-name
community-name is an existing community name.
For example:
! Add community red with rw privilege and permit it
QTECH(config)#snmp-server community red rw permit
! Remove community red
QTECH(config)#no snmp-server community red
· Display community names in any mode
show snmp community
For example:
! Display SNMP community information
QTECH(config)#show snmp community
2.9.2 Configure sysContact
sysContact is a management variable in the system group of the MIB; its content is the contact information of the administrator. Configure it in global configuration mode:
snmp-server contact syscontact
no snmp-server contact
syscontact: administrator contact information, 1 to 255 printable characters. Use the no command to restore the default contact information.
For example:
! Configure the administrator contact to be support@qtech.ru
QTECH(config)#snmp-server contact support@qtech.ru
Caution: Use quotation marks to quote spaces in the character string.
Use the show snmp contact command in any configuration mode to display the administrator contact information:
show snmp contact
For example:
! Display the administrator contact information
QTECH(config)#show snmp contact
manager contact information : support@qtech.ru
2.9.3 Configure Trap destination host address
Use this configuration to configure or delete the IP address of a notification destination host. Configure it in global configuration mode.
Configure a notification destination host address
snmp-server host host-addr [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [ notify-type [ notifytype-list ] ]
Delete a notification destination host address
no snmp-server host host-addr community-string { 1 | 2c | 3 }
host-addr is the IP address of the entry in the SNMP notification sending list. community-string is the security name associated with the entry: the community name for SNMPv1 and SNMPv2c, or the user name for SNMPv3. 1, 2c and 3 select the SNMP version; for version 3, auth, noauth and priv select the security level of the notification. port is the UDP port the notification is sent to.
notifytype-list is an optional list of notification types. If it is omitted, all types are selected; otherwise only the listed types are sent to this destination host.
Notifications sent with version 1 or 2c carry the community string in clear text; to protect them in transit, use version 3 priv with a user configured for authentication and encryption (see 2.9.10).
For example:
! Configure an SNMP server with IP address 192.168.0.100, SNMP version 2c and community name user
QTECH(config)#snmp-server host 192.168.0.100 version 2c user
! Delete the entry with notification destination host 192.168.0.100 and community name user
QTECH(config)#no snmp-server host 192.168.0.100 user
Display the snmp-server notification entries in any configuration mode:
show snmp host
! Display the SNMP trap host information
QTECH(config)#show snmp host
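The following Python code is an added example, not QTech code, showing what the configuration above puts on the wire for version 2c: it builds an SNMPv2c trap (BER-encoded by hand, so it runs offline) and then reads it back the way a passive observer on the path would, recovering the version and the community string. The community name is the only credential in v1/v2c and travels in clear text in every message, including notifications sent to the trap host. The trap OID (linkDown), the ifIndex value and the community "red" are constructed for the example.

```python
"""Hand-built SNMPv2c trap and a sniffer-style decoder of its community name.

Added example, not QTech code. Minimal BER encoding (RFC 3416 PDU layout).
"""


def ber_len(n: int) -> bytes:
    """Definite-length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int, tag: int = 0x02) -> bytes:
    """Minimal two's-complement INTEGER; tag 0x43 gives a TimeTicks value."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(tag, v.to_bytes(n, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def ber_value(value) -> bytes:
    if isinstance(value, int):
        return ber_int(value)
    if isinstance(value, str):
        value = value.encode()
    return tlv(0x04, value)                  # OCTET STRING


def build_v2c_trap(community: str, uptime_ticks: int, trap_oid: str,
                   varbinds: list, request_id: int = 1) -> bytes:
    """SNMPv2-Trap-PDU (tag 0xA7): sysUpTime.0 and snmpTrapOID.0 come first,
    followed by the trap's own objects. Version field 1 means v2c."""
    vbs = [
        tlv(0x30, ber_oid("1.3.6.1.2.1.1.3.0") + ber_int(uptime_ticks, 0x43)),
        tlv(0x30, ber_oid("1.3.6.1.6.3.1.1.4.1.0") + ber_oid(trap_oid)),
    ]
    for oid, value in varbinds:
        vbs.append(tlv(0x30, ber_oid(oid) + ber_value(value)))
    pdu = tlv(0xA7, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, b"".join(vbs)))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_from_packet(pkt: bytes):
    """What a passive observer learns from one SNMP datagram: the version and,
    for v1/v2c, the community string in clear. Returns None for v3 (no community)."""
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return None
    _, comm, _ = read_tlv(msg, pos)
    return version, comm.decode(errors="replace")


if __name__ == "__main__":
    # Constructed: linkDown trap for ifIndex 3, as the switch would send with
    # "snmp-server host 192.168.0.100 version 2c red"
    trap = build_v2c_trap("red", 12345, "1.3.6.1.6.3.1.1.5.3",
                          [("1.3.6.1.2.1.2.2.1.1.3", 3)])
    print(trap.hex())
    print(community_from_packet(trap))      # -> (1, 'red')
```

The decoder stops at the community field on purpose: that is all an attacker needs, and if the same community is configured rw (2.9.1) it is now a write credential for the switch.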
2.9.4 Configure sysLocation
sysLocation is a management variable in the system group of the MIB that denotes the location of the managed device. Configure it in global configuration mode:
snmp-server location syslocation
syslocation is the system location string, 1 to 255 printable characters.
For example:
! Configure the system location to be "sample sysLocation factory"
QTECH(config)#snmp-server location "sample sysLocation factory"
Use quotation marks to quote spaces in the character string.
Use the show snmp location command in any configuration mode to display the system location:
show snmp location
2.9.5 Configure sysName
sysName is a management variable in the system group of the MIB that holds the switch name. Configure it in global configuration mode:
snmp-server name sysname
no snmp-server name
sysname is the system name string, 1 to 255 printable characters.
For example:
! Configure the system name to be QSW-2900
QTECH(config)#snmp-server name "QSW-2900"
Caution: Use quotation marks to quote spaces in the character string.
2.9.6 Configure notify
Sending of the various notification types is enabled or disabled with this configuration. Notifications are sent as traps; once sending is disabled, no traps are sent. Notification sending is disabled by default. Configure it in global configuration mode:
snmp-server enable traps [ notificationtype-list ]
no snmp-server enable traps [ notificationtype-list ]
notificationtype-list: list of notification types defined by the system. Choose one or several types to enable or disable only those types. If the keyword is omitted, all notification types are enabled or disabled.
The notification types are as follows:
· bridge: STP events
· interfaces: interface LinkUp/LinkDown
· snmp: access control (failed authentication); cold boot/warm boot of the system
· gbnsavecfg: configuration saved
· rmon: RMON traps
· gbn: vendor-defined traps, such as interface blocking, CAR and loopback detection
For example:
! Enable the notification type gbn
QTECH(config)# snmp-server enable traps gbn
2.9.7 Configure engine ID
This configuration sets the local engine ID or adds a recognized remote engine ID.
The default local engine ID is 275140000000000000000000; it cannot be deleted but can be modified. By default there is no recognized remote engine ID; remote engine IDs can be added and deleted. When a recognized remote engine is deleted, the users belonging to it are deleted as well. At most 32 engines can be configured. Use the no snmp-server engineID command to restore the default local engine ID or to remove a remote engine ID. Because SNMPv3 user keys are localized with the engine ID, set the local engine ID before creating SNMPv3 users and re-check the users with show snmp user after changing it. Configure it in global configuration mode:
snmp-server engineID { local engineid-string | remote ip-address [udp-port port-number] engineid-string }
no snmp-server engineID { local | remote ip-address [udp-port port-number] }
Display the current engine configuration in any configuration mode:
show snmp engineID [local | remote]
engineid-string is an engine ID that must be unique within the network. The system only supports printable characters in the engine ID, excluding spaces.
ip-address is the IP address of the remote engine. The local IP address is not allowed.
port-number is the port number of the remote engine. The default port number is 162.
For example:
! Configure the local engine ID to be 12345
QTECH(config)# snmp-server engineid local 12345
! Configure a remote engine recognized locally, with IP address 1.1.1.1, port number 888 and engine ID 1234
QTECH(config)# snmp-server engineid remote 1.1.1.1 udp-port 888 1234
! Display the local engine configuration
QTECH(config)# show snmp engineid local
2.9.8 Configure view
Use the snmp-server view command to configure a view and its subtrees. iso, internet and sysview are the default views. At most 64 views can be configured. The view internet must not be deleted or modified. Configure it in global configuration mode:
snmp-server view view-name oid-tree { included | excluded }
no snmp-server view view-name [ oid-tree ]
view-name is the name of the view to be added, 1 to 32 characters, excluding spaces.
oid-tree is a subtree of the view, given as a MIB node such as "1.3.6.1"; each sub-identifier of the OID must be an integer between 0 and 2147483647.
The number of characters in the view name plus the number of nodes in the OID must not exceed 62.
When a subtree is configured as excluded, the nodes in that subtree cannot be accessed; this does not by itself make the nodes outside the subtree accessible, since a node is accessible only if it is covered by an included subtree. When configuring a notification destination host, if the security name is a community, notification sending is not affected by views; if the security name is an SNMPv3 user, notification sending is controlled by the notify view of that user. The notify view controls access to the nodes of the variables bound in the notification; it does not affect the trap OID to which the notification belongs. If the notification contains no bound variables, sending it is not affected by views.
For example:
! Add view "view1" with the subtree "1.3.6.1"
QTECH(config)# snmp-server view view1 1.3.6.1 include
! Add the subtree "1.3.6.2" to the existing view "view1"
QTECH(config)# snmp-server view view1 1.3.6.2 include
! Remove the existing view "view1"
QTECH(config)# no snmp-server view view1
! Display the configured views
QTECH(config)# show snmp view
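To make the included/excluded rule concrete, the following Python code is an added example (not switch code) that evaluates view membership the way VACM (RFC 3415) does: the longest configured subtree that contains the OID decides, and an OID under no subtree is never visible, which is exactly why an excluded entry on its own grants nothing. It also applies the notify-view rule from the text to the variables bound in a notification. The view contents (the 1.3.6.1 subtree included, the USM user table 1.3.6.1.6.3.15 excluded) are constructed for the example.

```python
"""View evaluation in the manner of VACM (RFC 3415); added example, not switch code."""


def parse_oid(oid: str) -> tuple:
    return tuple(int(a) for a in oid.strip(".").split("."))


def in_view(view: list, oid: str) -> bool:
    """view: list of (subtree, 'included' | 'excluded').

    The longest subtree that is a prefix of `oid` decides (ties go to the
    lexicographically greater subtree, as in RFC 3415); an OID covered by no
    subtree is not visible at all."""
    target = parse_oid(oid)
    best_sub, best_kind = None, None
    for subtree, kind in view:
        sub = parse_oid(subtree)
        if target[:len(sub)] != sub:
            continue
        if (best_sub is None or len(sub) > len(best_sub)
                or (len(sub) == len(best_sub) and sub > best_sub)):
            best_sub, best_kind = sub, kind
    return best_kind == "included"


def notification_allowed(view: list, varbinds: list) -> bool:
    """Notify-view rule from the text: every variable bound in the notification
    must lie in the view; a notification without variables is unaffected.
    The trap OID itself is not subject to the check."""
    return all(in_view(view, oid) for oid, _ in varbinds)


# Constructed views: the whole 1.3.6.1 (internet) subtree with the USM user
# table carved out, so an NMS using this view cannot enumerate SNMPv3 users.
VIEW_MGMT = [("1.3.6.1", "included"), ("1.3.6.1.6.3.15", "excluded")]
# An exclude with no include: looks restrictive, actually shows nothing.
VIEW_EXCLUDE_ONLY = [("1.3.6.1.6.3.15", "excluded")]


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.6.3.15.1.2.2.1.3.1"):
        print(oid, in_view(VIEW_MGMT, oid), in_view(VIEW_EXCLUDE_ONLY, oid))
```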
2.9.9 Configure group
Use this configuration to configure an access control group. The following groups exist by default: (1) security model v3, security level auth, group name initial; (2) security model v3, security level auth with encryption (priv), group name initial. At most 64 groups can be configured. Configure it in global configuration mode:
snmp-server group groupname { 1 | 2c | 3 [auth | noauth | priv] [context context-name]} [read readview] [ write writeview] [notify notifyview]
no snmp-server group groupname {1 | 2c | 3 [auth | noauth | priv] [context context-name]}
Display the configured groups in any configuration mode:
show snmp group
groupname is the group name, 1 to 32 characters, excluding spaces.
readview is a view name that grants read access within the view. If the keyword is omitted, the group has no read view.
writeview is a view name that grants read and write access within the view. If the keyword is omitted, the group has no write view.
notifyview is a view name that grants the right to send notifications for objects within the view. If the keyword is omitted, the group has no notify view.
context-name is the context of the entity. If the keyword is omitted, the local entity is used.
A group with security model 1 or 2c relies on community names only; give such a group a write view only where clear-text read-write access is acceptable.
For example:
! Add group "group1" to the local entity, using security model 1, with read, write and notify view internet
QTECH(config)# snmp-server group group1 1 read internet write internet notify internet
! Remove group "group1" from the local entity
QTECH(config)# no snmp-server group group1 1
! Display the current group configuration
QTECH(config)# show snmp group
2.9.10 Configure user
Use this configuration to configure users for the local engine and for recognized remote engines. The following users exist by default: (1) initialmd5 (MD5 authentication required), (2) initialsha (SHA authentication required), (3) initialnone (no authentication). These three users are reserved for the system and are not for user use. The engine a user belongs to must be a recognized engine; when a recognized engine is deleted, all of its users are deleted. At most 64 users can be configured. Configure it in global configuration mode:
snmp-server user username groupname [ remote host [ udp-port port ] ] [ auth { md5 | sha } { authpassword { encrypt-authpassword authpassword | authpassword } | authkey { encrypt-authkey authkey | authkey } } [ priv des { privpassword { encrypt-privpassword privpassword | privpassword } | privkey { encrypt-privkey privkey | privkey } } ]
no snmp-server user username [ remote host [ udp-port port ] ]
Display the configured users in any configuration mode:
show snmp user
username is the user name to be configured, 1 to 32 characters, excluding spaces.
groupname is the name of the group the user is added to, 1 to 32 characters, excluding spaces.
host is the IP address of the remote engine. If it is omitted, the local engine is used.
port is the port number of the remote engine. If it is omitted, the default is 162.
authpassword is the authentication password. An unencrypted password is 1 to 32 characters. To avoid disclosure, the password can instead be entered in encrypted form: a client that supports the encryption is used to encrypt the password, and the resulting ciphertext is entered as a hexadecimal string, such as "a20102b32123c45508f91232a4d47a5c". The ciphertext differs with the encryption used.
privpassword is the privacy (encryption) password. The same rules and the same encrypted form apply as for authpassword.
authkey is the authentication key. An unencrypted key is 16 bytes (MD5 key folding) or 20 bytes (SHA-1 key folding); an encrypted key is 16 bytes (MD5) or 24 bytes (SHA-1).
privkey is the privacy key. An unencrypted key is 16 bytes, and an encrypted key is 16 bytes.
The keywords encrypt-authpassword, encrypt-authkey, encrypt-privpassword and encrypt-privkey are only used in command lines generated by the system, so that the saved configuration does not leak plain-text passwords and keys. They cannot be used when configuring SNMP by hand.
Only MD5 and SHA authentication and DES privacy are available; prefer SHA over MD5, and since DES is a 56-bit cipher, also restrict the addresses that may reach the SNMP agent with login-access-list.
For example:
! Add user "user1" for the local engine to group "grp1", without authentication and without encryption
QTECH(config)# snmp-server user user1 grp1
! Add user "user2" for the local engine to group "grp2", with MD5 authentication and no encryption; the authentication password is 1234
QTECH(config)# snmp-server user user2 grp2 auth md5 auth-password 1234
! Add user "user3" for the local engine to group "grp3", with MD5 authentication and DES encryption; the authentication password is 1234 and the privacy password is 4321
QTECH(config)# snmp-server user user3 grp3 auth md5 auth-password 1234 priv des priv-password 4321
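The authkey and privkey forms above are localized keys in the sense of RFC 3414, which is also why users are tied to an engine ID (2.9.7). The following Python code is an added example, not QTech code: it derives Ku from a password and then the localized key Kul = H(Ku || engineID || Ku), using the RFC 3414 test vector (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02) rather than this switch's engine ID, and shows why a leaked Kul is less damaging than a leaked password: Kul is valid only for that one engine, whereas the same password reused on several devices yields every device's keys. The DES key split follows RFC 3414 section 8.1.1.1; how the switch maps its printable engine ID string to bytes is not specified on the page, so that conversion is not attempted here.

```python
"""SNMPv3 USM key derivation (RFC 3414, appendix A.2): password -> Ku -> Kul.

Added example, not QTech code. Inputs are the RFC 3414 test vector.
"""
import hashlib

RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: digest of the password repeated to exactly 1 MiB (1048576 bytes).
    The repetition is deliberate stretching; it is the only work factor USM has."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(password))
    h = hashlib.new(algo)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): bound to one engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_keys(password: str, engine_id: bytes, algo: str = "sha1") -> dict:
    """Return hex Ku and Kul for `algo` ('md5' or 'sha1', the switch's choices)."""
    ku = password_to_key(password.encode(), algo)
    kul = localize_key(ku, engine_id, algo)
    return {"Ku": ku.hex(), "Kul": kul.hex()}


def des_key_and_preiv(kul: bytes) -> tuple:
    """RFC 3414 8.1.1.1: DES uses the first 8 bytes of the localized privacy
    key as the key and the next 8 bytes as the pre-IV (16 bytes, as in the manual)."""
    return kul[:8], kul[8:16]


def key_reuse_blast_radius(password: str, engine_ids: list, algo: str = "sha1") -> list:
    """Localized keys an attacker obtains from one password across many engines:
    one Kul per engine, which a single leaked Kul would never give."""
    return [derive_keys(password, eid, algo)["Kul"] for eid in engine_ids]


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, derive_keys("maplesyrup", RFC_ENGINE_ID, algo))
```

The MD5 values match RFC 3414 appendix A.3.1 (Ku 9faf3283884e92834ebc9847d8edd963, Kul 526f5eed9fcce26f8964c2930787d82b). If the switch's saved configuration shows encrypt-authkey rather than a password, what is protected there is Kul, not the password.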
2.10 System IP configuration
An IP address is a unique 32-bit address assigned to a host on the Internet. It consists of a network number and a host number, a structure that makes addressing on the Internet easy. The system IP address can be obtained by DHCP (Dynamic Host Configuration Protocol), whose client dynamically requests configuration information from a DHCP server, including the assigned IP address, netmask and default gateway; by BOOTP (IP address configuration for static hosts); or manually with the ipaddress command. Only one of these methods can be active at a time.
2.10.1 Configure management VLAN
A management VLAN means that only users in the specified VLAN can communicate with the switch. At most 26 management VLANs can be configured. By default, VLAN 1 is included. Since the management address is reachable from every management VLAN, keep these VLANs to the ones administrators actually use.
ipaddress vlan vlan-id
no ipaddress vlan vlan-id
Use these commands to add or delete a management VLAN. vlan-id ranges from 1 to 4094 and must be an existing VLAN.
2.10.2 Configure the IP address manually
Use the ipaddress command in global configuration mode to configure the IP address, netmask and gateway (default gateway) manually:
ipaddress ip-address mask [ gateway ]
ip-address is the system IP address and mask is the netmask. gateway: if only the IP address and netmask are configured, the gateway defaults to 0.
For example:
! Configure the IP address to be 192.168.0.100 and the netmask to be 255.255.0.0
QTECH(config)#ipaddress 192.168.0.100 255.255.0.0
If DHCP or BOOTP is enabled, disable it before configuring the address manually; otherwise an error is prompted.
2.10.3 BOOTP
Use the following commands in global configuration mode to obtain the IP address by BOOTP:
Use the bootp command to enable obtaining the IP address by BOOTP.
bootp
Use the no bootp command to disable BOOTP.
no bootp
If DHCP is configured, disable DHCP before configuring BOOTP.
2.10.4 DHCP
Use the following commands in global configuration mode to obtain the IP address by DHCP:
Use the dhcp command to enable obtaining the IP address by DHCP.
dhcp
Use the no dhcp command to disable obtaining the IP address by DHCP.
no dhcp
Example of IP address configuration:
The address is originally obtained by DHCP. Change to BOOTP, then configure the IP address manually to be 192.168.0.100, the mask 255.255.0.0 and the gateway 192.168.0.254.
Configure it in global configuration mode:
! Enable DHCP to obtain the IP address
QTECH(config)#dhcp
! Disable DHCP to obtain the IP address
QTECH(config)#no dhcp
! Enable BOOTP to obtain the IP address
QTECH(config)#bootp
! Disable BOOTP to obtain the IP address
QTECH(config)#no bootp
! Manual configuration
QTECH(config)#ipaddress 192.168.0.100 255.255.0.0 192.168.0.254
2.10.5 Display the IP address
Use the show ip command in any configuration mode to display the IP address, how it was obtained, the netmask and the gateway:
show ip
For example:
! Display the IP address information
QTECH(config)#show ip
switch configuration
ip obtained : MANUAL
ip address : 192.168.0.100
netmask : 255.255.0.0
gateway : 192.168.0.254
MAC address : 00:1f:ce:47:00:00
2.11 Enable/disable DLF packet forwarding
DLF (destination lookup failure) forwarding controls whether a frame whose destination MAC address is not in the bridge table is flooded to the other ports. Use the dlf-forward command in global configuration mode or interface configuration mode to enable DLF forwarding, and the no dlf-forward command to disable it:
dlf-forward { multicast | unicast }
no dlf-forward { multicast | unicast }
Disabling unicast DLF forwarding stops unknown-unicast flooding, which also limits what an attacker can collect by flooding the bridge table; verify that hosts which only receive traffic, and so are never learned, are still reachable.
For example:
! Disable DLF forwarding for unicast
QTECH(config)#no dlf-forward unicast
! Disable DLF forwarding for multicast
QTECH(config)#no dlf-forward multicast
2.12 CPU Alarm Configuration
2.12.1 Brief introduction to CPU alarm
The system can monitor CPU usage. If the CPU usage rate exceeds the CPU busy threshold, a CPU busy alarm is sent. In this state, if the CPU usage drops below the CPU unbusy threshold, a CPU unbusy alarm is sent. The two thresholds give the alarm hysteresis, so usage fluctuating between them does not generate alarms repeatedly. This function reports the current CPU usage to the user; a sustained busy alarm with no configuration activity can be a sign of a packet flood reaching the CPU (see cpu-car).
2.12.2 CPU alarm configuration list
CPU alarm configuration commands include:
· Enable/disable CPU alarm
· Configure CPU busy or unbusy threshold
· Display CPU alarm information
2.12.3 Enable/disable CPU alarm
Configure it in global configuration mode:
Enable CPU alarm
alarm cpu
Disable CPU alarm
no alarm cpu
By default, the CPU alarm is enabled.
For example:
! Enable CPU alarm
QTECH(config)#alarm cpu
2.12.4 Configure CPU busy or unbusy threshold
Use the alarm cpu threshold command in global configuration mode to configure the CPU busy or unbusy threshold:
Configure CPU busy or unbusy threshold
alarm cpu threshold [ busy busy ] [ unbusy unbusy ]
busy must be greater than unbusy. The default CPU busy threshold is 90%, and the default CPU unbusy threshold is 60%.
For example:
! Configure the CPU busy threshold to be 30% and the CPU unbusy threshold to be 10%
QTECH(config)#alarm cpu threshold busy 30 unbusy 10
2.12.5 Display CPU alarm information
Use the show alarm cpu command in any mode to display the CPU alarm information:
show alarm cpu
For example:
! Display CPU alarm information
QTECH(config)#show alarm cpu
CPU status alarm : enable
CPU busy threshold(%) : 90
CPU unbusy threshold(%) : 60
CPU status : unb
2.13 Anti-DoS Attack
2.13.1 IP fragment anti-attack
The number of IP fragment packets the system accepts is limited separately, so that fragments do not consume the resources reserved for all received packets: under an IP fragment attack the system keeps handling non-fragmented packets normally. The maximum number of fragments accepted is configurable. 0 means the system does not process IP fragment packets at all, which removes the effect of a fragment attack (and of any legitimate fragmented traffic to the switch).
Configure it in global configuration mode
anti-dos ip fragment maxnum
Display the related information
show anti-dos
Chapter 3 Port Configuration
3.1 Port configuration introduction
The system provides 24 10/100Base-T Ethernet interfaces, 2 1000Base-TX (LX/SX) Ethernet interfaces and a Console interface. An Ethernet interface can work in half-duplex or full-duplex mode and can negotiate the working mode and speed with the peer device, selecting the best working mode and speed automatically to simplify system configuration and management.
3.1.1 Introduction to Bridging
A bridge is a store-and-forward device that connects and transfers traffic between local area network (LAN) segments at the data-link layer. In some small-sized networks, especially those with dispersed distribution of users, the use of bridges can reduce the network maintenance costs, without requiring the end users to perform special configurations on the devices.
In applications, there are four major kinds of bridging technologies: transparent bridging, source-route bridging (SRB), translational bridging, and source-route translational bridging (SR/TLB).
Transparent bridging is used to bridge LAN segments of the same physical media type, primarily in Ethernet environments. Typically, a transparent bridging device keeps a bridge table, which contains mappings between destination MAC addresses and outbound interfaces.
Presently the devices support the following transparent bridging features:
· Bridging over Ethernet
· Bridging over point-to-point (PPP) and high-level data link control (HDLC) links
· Bridging over X.25 links
· Bridging over frame relay (FR) links
· Inter-VLAN transparent bridging
· Routing and bridging are simultaneously supported
3.1.2 Major Functionalities of Bridges
a) Maintaining the bridge table
A bridge relies on its bridge table to forward data. A bridge table consists of two parts: a MAC address list and an interface list. Once connected to a physical LAN segment, the bridge listens to all Ethernet frames on the segment. When it receives an Ethernet frame, it extracts the source MAC address of the frame and creates a mapping entry between this MAC address and the interface on which the frame was received.
As shown in Figure 1, Hosts A, B, C and D are attached to two LAN segments: LAN segment 1 is attached to bridge interface 1, while LAN segment 2 is connected to bridge interface 2. When Host A sends an Ethernet frame to Host B, both bridge interface 1 and Host B receive this frame.
Figure 1. Host A sends an Ethernet frame to Host B on LAN segment 1
As the bridge receives the Ethernet frame on bridge interface 1, it determines that Host A is attached to bridge interface 1 and creates a mapping between the MAC address of Host A and bridge interface 1 in its bridge table, as shown in Figure 2.
Figure 2 The bridge determines that Host A is attached to interface 1
When Host B responds to Host A, the bridge also hears the Ethernet frame from Host B. As the frame is received on bridge interface 1, the bridge determines that Host B is also attached to bridge interface 1, and creates a mapping between the MAC address of Host B and bridge interface 1 in its bridge table, as shown in Figure 3.
Figure 3 The bridge determines that Host B is also attached to interface 1
Finally, the bridge obtains all the MAC-to-interface mappings (assuming all hosts are in use), as shown in Figure 4.
Figure 4 The final bridge table
b) Forwarding and filtering
The bridge makes forwarding or filtering decisions based on the following scenarios:
When Host A sends an Ethernet frame to Host C, the bridge searches its bridge table, finds that Host C is attached to bridge interface 2, and forwards the Ethernet frame out of bridge interface 2, as shown in Figure 5.
Figure 5 Forwarding
When Host A sends an Ethernet frame to Host B, as Host B is on the same LAN segment as Host A, the bridge filters the Ethernet frame instead of forwarding it, as shown in Figure 6.
Figure 6 Filtering
When Host A sends an Ethernet frame to Host C and the bridge does not find a MAC-to-interface mapping for Host C in its bridge table, the bridge forwards the Ethernet frame to all interfaces except the interface on which the frame was received, as shown in Figure 7.
Figure 7 The proper MAC-to-interface mapping is not found in the bridge table
Note:
When a bridge receives a broadcast or multicast frame, it forwards the frame to all interfaces other than the receiving interface. Because the table is learned from source addresses without any authentication, a host that sends frames with many forged source MAC addresses can fill the table and force the bridge to flood unicast traffic it would otherwise have filtered.
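The learning, forwarding, filtering and flooding behaviour described above, as an added Python example that is not part of the manual. It replays the manual's scenario (Hosts A and B on interface 1, C and D on interface 2; the MAC addresses are constructed) and then goes beyond it to show the security consequence of learning from unauthenticated source addresses: once an attacker fills the table with forged sources, the bridge floods unicast frames it would otherwise have filtered, and the attacker's port receives them. The table capacity is an assumption, chosen small for the demonstration.

```python
"""Transparent (learning) bridge simulation; added example, not QTech code."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """Broadcast or multicast: least-significant bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Bridge:
    def __init__(self, ports, table_size=8192):
        self.ports = list(ports)
        self.table = {}                     # bridge table: MAC -> interface
        self.table_size = table_size        # assumed capacity

    def learn(self, mac, port):
        """Map the frame's source MAC to the receiving interface (no authentication)."""
        if is_group(mac):
            return                          # group addresses are never learned
        if mac in self.table or len(self.table) < self.table_size:
            self.table[mac] = port          # a full table simply stops learning

    def receive(self, src, dst, port):
        """Return (decision, egress interfaces) for one frame."""
        self.learn(src, port)
        if is_group(dst) or dst not in self.table:
            return "flood", [p for p in self.ports if p != port]
        out = self.table[dst]
        if out == port:
            return "filter", []             # destination is on the receiving segment
        return "forward", [out]


def mac_flood(bridge, port, count):
    """Attacker on `port` sends `count` frames with distinct forged unicast sources."""
    for i in range(count):
        forged = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        bridge.receive(forged, BROADCAST, port)
    return len(bridge.table)


# Constructed host addresses for the manual's Figures 1 to 7
A, B, C, D = ("00:00:00:00:00:0%x" % n for n in range(0xA, 0xE))


def manual_scenario():
    """Learn A and B on interface 1, C and D on interface 2; then forward/filter/flood."""
    br = Bridge([1, 2])
    steps = [br.receive(A, B, 1),   # B unknown: flood (Figure 7)
             br.receive(B, A, 1),   # A on same segment: filter (Figure 6)
             br.receive(A, C, 1),   # C unknown: flood
             br.receive(C, A, 2),   # A known on 1: forward (Figure 5)
             br.receive(D, C, 2),   # C on same segment: filter
             br.receive(A, C, 1)]   # C known on 2: forward
    return br.table, steps


if __name__ == "__main__":
    print(manual_scenario())
    victim = Bridge([1, 2, 3], table_size=4)
    mac_flood(victim, 3, 10)        # attacker on interface 3 fills the table
    print(victim.receive(A, C, 1))  # now flooded, so interface 3 sees A's traffic
```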
3.2 Port Configuration
3.2.1 Port related configuration
To configure the feature parameters of a port, first enter interface configuration mode and then configure them.
The interface configuration list is as follows:
· Enter interface configuration mode
· Enable /disable specified interface
· Configure duplex mode and speed rate
· Configure interface privilege
· Configure interface limited speed
· Configure type of receiving frame
· Configure interface type
· Configure default VLAN ID of trunk port
· Add access port to specified VLAN
· Display interface information
3.2.2 Enter interface configuration mode
Enter interface configuration mode before configuring an interface.
Configure it as follows in global configuration mode:
Enter interface configuration mode
interface ethernet interface-number
interface-number is the Ethernet interface number in the form slot-num/port-num, where slot-num is in the range 0 to 2 and port-num is in the range 1 to 24.
3.2.3 Enable/disable a specified interface
After system boot, all interfaces are enabled by default, and each interface can be configured according to the actual situation. Unused ports are an easy entry point into the network; shut them down.
Use the following commands to enable/disable an Ethernet port.
shutdown
no shutdown
shutdown disables a port, while no shutdown enables it.
For example:
! Enable Ethernet interface 0/1
QTECH(config-if-ethernet-0/1)#no shutdown
! Disable Ethernet interface 1/1 (port 25)
QTECH(config-if-ethernet-1/1)#shutdown
When an interface is shut down, the physical link stays up for diagnostic purposes.
3.2.4 Configure interface duplex mode and speed rate
100 BASE TX supports the speed of 10Mbps and 100Mbps, while 100 BASE FX supports the speed of 100Mbps. 1000 BASE TX supports the speed of 10Mbps, 100Mbps and 1000Mbps, while 1000 BASE FX supports the speed of 1000Mbps. 100 BASE TX and 1000 BASE TX support the duplex mode of half, full duplex and auto-negotiation mode. 100 BASE FX and 1000 Base FX only support the duplex mode of full duplex. By default, 100 Base FX is in the mode of 100M and full duplex, and other interfaces are auto-negotiation. User can configure the working mode by himself. Use speed command to configure the speed and duplex command to configure duplex.
Command form in interface mode
speed { 10 | 10auto | 100 | 100 auto | 1000 | 1000 auto | auto }
no speed
duplex { auto | full | half }
no duplex
For example:
! Configure the speed of Ethernet 0/1 to 100Mbps and duplex mode to be full duplex
QTECH(config-if-ethernet-0/1)#speed 100
QTECH(config-if-ethernet-0/1)#duplex full
If either speed or duplex is set to auto, the system sets the other one to auto as well.
3.2.5 Interface Priority Configuration
There are 8 priorities, 0 to 7, and the default interface priority is 0. The larger the value, the higher the priority, and packets with a higher priority are handled sooner. If an interface has too many packets to handle, or its packets are urgent, the priority of that interface can be raised.
Use following command in interface configuration mode:
! Configure priority of Ethernet 0/5 to be 1
QTECH(config-if-ethernet-0/5)#priority 1
! Restore the default priority of Ethernet 0/5
QTECH(config-if-ethernet-0/5)#no priority
3.2.6 Interface description configuration
Use the following command to give an interface a description that distinguishes it from the others. Configure it in interface configuration mode.
description description-list
For example:
! Configure description string “red” for the Ethernet 0/3
QTECH(config-if-ethernet-0/3)#description red
! Display description of Ethernet 0/3
QTECH(config)#show description interface ethernet 0/3
3.2.7 Ingress/egress bandwidth-control configuration
Egress/ingress bandwidth-control restricts the total rate of all packets sent or received on the interface.
Use following command to configure egress/ingress bandwidth-control.
Configure it in interface configuration mode:
Configure interface egress/ingress bandwidth-control
bandwidth-control { ingress | egress } target-rate
Cancel egress/ingress bandwidth-control
no bandwidth-control { ingress | egress }
For a detailed description of this command, refer to the corresponding command reference.
3.2.8 Enable/disable VLAN filtration of packets received on an interface
When VLAN ingress filtration is enabled, a received 802.1Q packet that does not belong to a VLAN the interface is in is dropped. When it is disabled, such packets are not dropped.
Use this command in interface configuration mode.
ingress filtering
no ingress filtering
Example:
! Enable VLAN ingress filtration of e0/5
QTECH(config-if-ethernet-0/5)#ingress filtering
! Disable VLAN ingress filtration of e0/5
QTECH(config-if-ethernet-0/5)#no ingress filtering
3.2.9 Interface ingress acceptable-frame configuration
Configure ingress acceptable frame mode to be all types or only tagged.
Use following command in interface configuration mode to configure or cancel the restriction to ingress acceptable-frame:
ingress acceptable-frame { all | tagged }
no ingress acceptable-frame
For example:
! Configure Ethernet 0/5 only to receive tagged frame
QTECH(config-if-ethernet-0/5)#ingress acceptable-frame tagged
3.2.10 Enable/disable interface flow-control
If a port is congested, flow control is needed to avoid congestion and data loss. Use the flow-control command to control the flow. Use following command to enable/disable flow-control on the current Ethernet port.
flow-control
no flow-control
For example:
! Enable flow control on Ethernet 0/5
QTECH(config-if-ethernet-0/5)#flow-control
! Disable flow control on Ethernet 0/5
QTECH(config-if-ethernet-0/5)#no flow-control
Use following command in any configuration mode to display interface flow-control:
show flow-control [ interface-num ]
For example:
! Display flow-control of Ethernet 0/5
QTECH(config-if-ethernet-0/5)#show flow-control ethernet 0/5
3.2.11 Port mode configuration
Use this command to configure the port mode. When a port is configured as a trunk port, its VLAN mode changes from untagged to tagged; when it is configured as an access port, its VLAN mode changes from tagged to untagged. Configure it in interface configuration mode:
Configure port mode
switchport mode { trunk | access }
Restore default port mode: access port
no switchport mode
For example:
! Configure Ethernet 0/1 to be trunk port
QTECH(config-if-ethernet-0/1)#switchport mode trunk
3.2.12 Trunk allowed VLAN configuration
Use switchport trunk allowed vlan command to add trunk port to specified VLAN. Use no switchport trunk allowed vlan command to remove trunk port from specified vlan.
Add trunk port to specified vlan
switchport trunk allowed vlan { vlan-list | all }
Remove trunk port from specified vlan
no switchport trunk allowed vlan { vlan-list | all }
For example:
! Add trunk ports Ethernet0/1 to VLAN 3, 4, 70 to 150
QTECH(config-if-ethernet-0/1)# switchport trunk allowed vlan 3, 4, 70- 150
3.2.13 The default vlan-id of trunk port configuration
Use switchport trunk native vlan command to configure the default vlan-id (pvid) of a trunk port. An untagged packet received on the port is forwarded in this default VLAN. Packet receiving and sending follow IEEE 802.1Q. Configure it in interface configuration mode:
Configure default VLAN ID of trunk port
switchport trunk native vlan vlan-id
Restore default VLAN ID of trunk port
no switchport trunk native
Caution: the above configuration applies to trunk ports only. By default, the default VLAN ID is 1. If this port is not in VLAN 1, the configuration fails.
3.2.14 Add access port to specified VLAN
Use switchport access command to add access port to specified VLAN, and the default VLAN-ID is configured to be the specified VLAN. Configure it in interface configuration mode:
Add current port to specified VLAN, and the default VLAN-ID is configured to be the specified VLAN
switchport access vlan vlan-id
Remove current port from specified VLAN. If the default vlan-id of the current port is the specified VLAN and the port also belongs to VLAN 1, the default vlan-id of the port is restored to 1; otherwise the default VLAN ID is not changed.
no switchport access vlan vlan-id
The preconditions for this command are that the current port is an access port and that the VLAN to be added is not the default VLAN 1.
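The ingress decisions of 3.2.8, 3.2.9 and 3.2.12 to 3.2.14 combine into one rule per received frame: untagged frames go to the port's default VLAN unless the port accepts tagged frames only, and tagged frames are dropped by ingress filtering when the port is not in that VLAN. The following is an added Python model of that rule, not QTech code; the Port fields, the vlan-list parser and the function names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed model (not the switch's own code) of how a port classifies an
# incoming frame under: switchport mode, switchport trunk allowed vlan,
# switchport access vlan, ingress acceptable-frame and ingress filtering.


@dataclass
class Port:
    name: str
    mode: str = "access"                  # "access" (default) or "trunk"
    pvid: int = 1                         # default VLAN ID, 1 by default
    vlans: Set[int] = field(default_factory=lambda: {1})  # VLAN membership
    acceptable_frame: str = "all"         # "all" (default) or "tagged"
    ingress_filtering: bool = False       # "ingress filtering" on/off


def parse_vlan_list(text: str) -> Set[int]:
    """Expand a vlan-list such as '3, 4, 70- 150' into a set of VLAN IDs."""
    result: Set[int] = set()
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo, hi = item.split("-", 1)
            result.update(range(int(lo), int(hi) + 1))
        else:
            result.add(int(item))
    return result


def switchport_trunk_allowed_vlan(port: Port, vlan_list: str) -> None:
    """'switchport trunk allowed vlan <vlan-list>': add a trunk port to VLANs."""
    if port.mode != "trunk":
        raise ValueError(f"{port.name}: not a trunk port")
    port.vlans |= parse_vlan_list(vlan_list)


def switchport_access_vlan(port: Port, vlan_id: int) -> None:
    """'switchport access vlan <vlan-id>': the text requires an access port
    and a VLAN other than the default VLAN 1; the PVID becomes that VLAN."""
    if port.mode != "access" or vlan_id == 1:
        raise ValueError(f"{port.name}: needs an access port and a VLAN other than 1")
    port.vlans.add(vlan_id)
    port.pvid = vlan_id


def no_switchport_access_vlan(port: Port, vlan_id: int) -> None:
    """'no switchport access vlan <vlan-id>': leave the VLAN; the PVID falls
    back to 1 only if it was this VLAN and the port is still in VLAN 1."""
    port.vlans.discard(vlan_id)
    if port.pvid == vlan_id and 1 in port.vlans:
        port.pvid = 1


def classify_ingress(port: Port, tag: Optional[int]) -> Tuple[Optional[int], str]:
    """Return (VLAN the frame is placed in, reason); VLAN None means dropped.

    tag is the 802.1Q VLAN ID of the received frame, or None if untagged.
    """
    if tag is None:
        if port.acceptable_frame == "tagged":
            return None, "dropped: untagged frame, port accepts tagged frames only"
        return port.pvid, "untagged frame assigned to the port's default VLAN"
    if port.ingress_filtering and tag not in port.vlans:
        return None, f"dropped: ingress filtering, port is not in VLAN {tag}"
    return tag, "tagged frame forwarded in its own VLAN"


if __name__ == "__main__":
    e01 = Port("e0/1", mode="trunk")
    switchport_trunk_allowed_vlan(e01, "3, 4, 70- 150")   # the vlan-list from 3.2.12
    e01.ingress_filtering = True
    print(classify_ingress(e01, 100))   # kept in VLAN 100
    print(classify_ingress(e01, 5))     # dropped: trunk is not in VLAN 5
    e05 = Port("e0/5", acceptable_frame="tagged")
    print(classify_ingress(e05, None))  # dropped: untagged frame
```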
3.2.15 Display interface information
Use show interface [ interface-num ] to display information of specified interface or all interfaces:
· Interface state (enable/disable)
· Connection
· Working mode (full duplex, half duplex or auto-negotiation)
· Default VLAN ID
· Interface priority
· Port mode (trunk/access port)
If no parameter is input in show interface [interface-num ] command, information of all interfaces will be displayed.
3.2.16 Display/ clear interface statistics information
Use show statistics interface [interface-num ] command in any configuration mode to display the following statistics of a specified interface or of all interfaces:
· Bytes received
· Unicast packets received
· Non-unicast packets received
· Unicast packets sent
· Non-unicast packets sent
Use clear interface [interface-num | slot-num ] command in global configuration mode to clear the statistics of a specified interface, of all interfaces in a specified slot, or of all interfaces. Use clear interface command in interface configuration mode to clear the statistics of the current interface.
3.3 Interface mirror
3.3.1 Brief introduction of interface mirror
The system provides interface-based mirroring: packets on one or more specified interfaces are copied to a monitor interface, where they can be analyzed and monitored. For example, packets of Ethernet 0/2 can be copied to the specified monitor interface Ethernet 0/3, so that the analyzer attached to Ethernet 0/3 can inspect and record them.
The system also provides mirroring of packets with a specified source or destination MAC address. For example, packets from Ethernet 0/3 with the destination MAC address 00:1f:ce:10:14:f1 can be mirrored.
The system also provides a mirror divider, that is, it samples the packets eligible for mirroring and sends only the samples to the mirror destination interface, reducing the number of packets the mirror destination interface receives.
3.3.2 Interface mirror configuration
Interface Mirror configuration command includes:
· Configure mirror destination interface
· Configure mirror source interface
· Display interface mirror
a) Configure mirror interface
Configure mirror destination interface in global configuration mode:
mirror destination-interface interface-num
This command will cancel original mirror destination interface.
Remove mirror interface:
no mirror destination-interface interface-num
For example:
! Configure Ethernet 0/1 to be mirror interface
QTECH(config)# mirror destination-interface ethernet 0/1
b) Configure mirror source interface
Configure mirror source-interface of switch in global configuration mode:
Configure mirror source-interface
mirror source-interface { interface-list | cpu } { both | egress | ingress }
interface-list is in the form interface-num [ to interface-num ], which can be repeated up to 3 times. The CPU interface is written as the character string “cpu”. both mirrors both egress and ingress traffic of the interface, egress mirrors only the interface egress and ingress mirrors only the interface ingress.
Remove mirror source interface
no mirror source-interface { interface-list | cpu }
For example:
! Configure Ethernet 0/1 to Ethernet 0/12 to be mirror source interfaces
QTECH(config)# mirror source-interface ethernet 0/1 to ethernet 0/12 both
! Remove Ethernet 0/10 to Ethernet 0/12 from mirror source interfaces
QTECH(config)#no mirror source-interface ethernet 0/10 to ethernet 0/12
c) Display interface mirror
Use show mirror command to display system configuration of current mirror interface, including monitor port and mirrored port list. Use this command in any configuration mode:
show mirror
For example:
! Display monitor port and mirrored port list
QTECH#show mirror
3.4 Port LACP convergent configuration
3.4.1 Brief introduction of port convergence
Port convergence is a channel group formed by converging many ports, so that traffic is load-shared across each member. When one link fails, the traffic on that link is transferred to another link so that the traffic keeps flowing.
Basic configurations are:
1. 13 static or dynamic channel groups can be configured, with at most 12 interface members in each group; at most 8 interfaces in each group can be convergent at the same time, which is determined by up/down status, interface number and LACP priority. Each group is defined as a channel group, and the command line is organized around it.
2. The load balance strategy of each group can be source MAC, destination MAC, source and destination MAC, source IP, destination IP, or source and destination IP. The default strategy is source MAC.
3. System and interface LACP priority can be configured. The default system priority is 32768 and the default interface priority is 128. Removing the system or interface priority restores it to the default.
4. The LACP mode of each interface can be configured. In static mode the interface is statically convergent and the LACP protocol does not run; in active mode the interface initiates LACP negotiation; in passive mode the interface only responds to LACP negotiation. When interconnecting with another device, static mode can only interconnect with static mode; active mode can interconnect with active and passive mode, but passive mode can only interconnect with active mode. The default mode of an interface is ACTIVE.
Each convergent interface needs the same layer 2 features, so the following restrictions apply to the interfaces in a channel group:
Static convergent interfaces and dynamic convergent interfaces cannot be in the same channel group, but static convergent channels and dynamic convergent channels can coexist.
Each interface in the same channel group must have the same features: interface speed rate, full duplex working mode, STP/GVRP/GMRP function, STP cost, STP interface priority, VLAN features (interface mode, PVID, VLANs belonged to, tag vlan list of an access interface, allowed vlan list of a trunk interface) and the layer 2 multicast groups belonged to.
If a feature of one interface in the channel group is modified, the other interfaces are modified automatically in the same way. The feature refers to point 2.
After convergence, static hardware entries (ARL, MARL, PTABLE, VTABLE) are modified, but with a delay.
After convergence, only the host interface can send CPU packets. If STP changes the status of one interface, the status of the whole channel group changes.
After convergence, when transferring layer 2 protocol packets, STP/GARP/GNLINK will not transfer packets to the current channel group. If transferring to another channel group, only one packet is transferred.
If there are members in the channel group, the channel group cannot be deleted. Delete the interface members first.
LACP system and interface priority influence the choice of the redundant link. LACP provides a link redundancy mechanism that must keep redundancy consistent between the two interconnected switches; the user can configure which link is redundant through the system and interface priorities. The redundant link is chosen in the following steps:
First, determine which switch is the reference for the choice. Through the exchange of LACP packets, each of the two switches knows the other’s LACP system priority and system MAC. The LACP system priorities are compared and the smaller one is chosen; if the system priorities are the same, the MAC addresses are compared and the smaller one is chosen.
Then, choose the redundant link according to the interface parameters of the chosen switch. Compare the interface LACP priorities and make the inferior one redundant. If the priorities are the same, make the interface with the larger interface number redundant.
Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called a logical group, to increase reliability and bandwidth.
3.4.2 LACP
The link aggregation control protocol (LACP) is defined in IEEE 802.3ad. Link aggregation control protocol data unit (LACPDU) is used for exchanging information among LACP-enabled devices.
After LACP is enabled on a port, the port sends LACPDUs to notify the remote system of its system LACP priority, system MAC address, port LACP priority, port number, and operational key. Upon receipt of an LACPDU, the remote system compares the received information with the information received on other ports to determine the ports that can operate as selected ports. This allows the two systems to reach agreement on the states of the related ports.
When aggregating ports, link aggregation control automatically assigns each port an operational key based on its rate, duplex mode, and other basic configurations. In an LACP aggregation group, all ports share the same operational key; in a manual or static LACP aggregation, the selected ports share the same operational key.
3.5 Approaches to Link Aggregation
3.5.1 Manual Link Aggregation
a) Overview
Manual aggregations are created manually. Member ports in a manual aggregation are LACP-disabled.
b) Port states in a manual aggregation
In a manual aggregation group, ports are either selected or unselected. Selected ports can receive and transmit data frames whereas unselected ones cannot. Among all selected ports, the one with the lowest port number is the master port and others are member ports.
When setting the state of ports in a manual aggregation group, the system considers the following:
· Select a port from the ports in up state, if any, in the order of full duplex/high speed, full duplex/low speed, half duplex/high speed, and half duplex/low speed, with the full duplex/high speed being the most preferred. If two ports with the same duplex mode/speed pair are present, the one with the lower port number wins out. Then, place those ports in up state with the same speed/duplex pair, link state and basic configuration in selected state and all others in unselected state.
· When all ports in the group are down, select the port with the lowest port number as the master port and set all ports (including the master) in unselected state.
· Place the ports that cannot aggregate with the master in unselected state, for example, as the result of the cross-board aggregation restriction.
Manual aggregation limits the number of selected ports in an aggregation group. When the limit is exceeded, the system changes the state of selected ports with greater port numbers to unselected until the number of selected ports drops under the limit.
In addition, unless the master port should be selected, a port that joins the group after the limit is reached will not be placed in selected state even if it should be in normal cases. This is to prevent the ongoing service on selected ports from being interrupted. You need to avoid the situation however as the selected/unselected state of a port may become different after a reboot.
c) Port Configuration Considerations in manual aggregation
As mentioned above, in a manual aggregation group, only ports with configurations consistent with those of the master port can become selected. These configurations include port rate, duplex mode, link state and other basic configurations.
You need to maintain the basic configurations of these ports manually to ensure consistency. As one configuration change may involve multiple ports, this can become troublesome if you need to do that port by port. As a solution, you may add the ports into an aggregation port group where you can make configuration for all member ports.
When the configuration of some port in a manual aggregation group changes, the system does not remove the aggregation; instead, it re-sets the selected/unselected state of the member ports and re-selects a master port.
3.5.2 Static LACP link aggregation
a) Overview
Static aggregations are created manually. After you add a port to a static aggregation, LACP is enabled on it automatically.
b) Port states in static aggregation
In a static aggregation group, ports can be selected or unselected, where both can receive and transmit LACPDUs but only selected ports can receive and transmit data frames. The selected port with the lowest port number is the master port and all others are member ports.
All member ports that cannot aggregate with the master are placed in unselected state. These ports include those using the basic configurations different from the master port or those located on a board different from the master port because of the cross-board aggregation restriction.
Member ports in up state can be selected if they have the configuration same as that of the master port. The number of selected ports however, is limited in a static aggregation group. When the limit is exceeded, the local and remote systems negotiate the state of their ports as follows:
1) Compare the actor and partner system IDs, each of which comprises a system LACP priority plus a system MAC address, as follows:
· First compare the system LACP priorities. The system with the lower system LACP priority wins out.
· If they are the same, compare the system MAC addresses. The system with the smaller ID has higher priority. (The lower the LACP priority and the smaller the MAC address, the smaller the device ID.)
2) Compare the port IDs, each of which comprises a port LACP priority and a port number, on the winning system (the one whose system ID has higher priority) as follows:
· Compare the port LACP priorities. The port with the lower port LACP priority wins out.
· If two ports with the same port LACP priority are present, compare their port numbers. The state of the ports with lower IDs then changes to selected and the state of the ports with higher IDs to unselected, and so does the state of their corresponding remote ports. (The lower the LACP priority and the smaller the port number, the smaller the port ID.)
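The two comparison steps above, carried through as an added Python model (not QTech code): SystemId and AggPort, the operational key used for configuration matching, and the choice of the lowest-numbered up port as the configuration reference are assumptions of this illustration, and the limit of 8 selected ports is taken from 3.4.1.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model (not QTech code) of the static LACP selection rules:
# step 1 picks the deciding system by (system LACP priority, system MAC),
# step 2 ranks that system's ports by (port LACP priority, port number).


def mac_to_int(mac: str) -> int:
    """'00:1f:ce:10:14:f1' -> integer, so MAC addresses compare numerically."""
    return int(mac.replace(":", "").replace("-", ""), 16)


@dataclass(frozen=True)
class SystemId:
    lacp_priority: int      # 'lacp system-priority', default 32768
    mac: str                # system MAC address

    def key(self) -> Tuple[int, int]:
        # smaller tuple wins: priority is compared first, then the MAC
        return (self.lacp_priority, mac_to_int(self.mac))


@dataclass
class AggPort:
    number: int               # port number within the channel group
    lacp_priority: int = 128  # 'lacp port-priority', default 128
    up: bool = True
    op_key: Tuple[int, str] = (1000, "full")  # assumed operational key: speed, duplex

    def port_id(self) -> Tuple[int, int]:
        # smaller tuple wins: port priority first, then port number
        return (self.lacp_priority, self.number)


def deciding_system(local: SystemId, remote: SystemId) -> str:
    """Step 1: the system with the smaller (priority, MAC) pair decides."""
    return "local" if local.key() <= remote.key() else "remote"


def select_ports(ports: List[AggPort], limit: int = 8) -> Tuple[List[int], List[int], int]:
    """Step 2, run on the deciding system.

    Returns (selected port numbers, unselected port numbers, master port number).
    Assumption: the lowest-numbered up port is the configuration reference, and
    ports whose operational key differs from it are unselected.
    """
    up_ports = [p for p in ports if p.up]
    if not up_ports:
        # all ports down: lowest-numbered port is master, nothing is selected
        return [], sorted(p.number for p in ports), min(p.number for p in ports)
    reference = min(up_ports, key=lambda p: p.number)
    eligible = sorted((p for p in up_ports if p.op_key == reference.op_key),
                      key=lambda p: p.port_id())
    selected = sorted(p.number for p in eligible[:limit])
    unselected = sorted(p.number for p in ports if p.number not in selected)
    master = selected[0] if selected else reference.number
    return selected, unselected, master


def negotiate(local_sys: SystemId, remote_sys: SystemId,
              local_ports: List[AggPort], remote_ports: List[AggPort],
              limit: int = 8) -> Tuple[str, List[int], List[int]]:
    """Both sides' view: local_ports[i] is cabled to remote_ports[i].

    The deciding system's port IDs choose; the partner of every selected port
    becomes selected too ("so does the state of their corresponding remote ports").
    """
    if len(local_ports) != len(remote_ports):
        raise ValueError("each local port needs a partner port")
    decider = deciding_system(local_sys, remote_sys)
    ranked = local_ports if decider == "local" else remote_ports
    selected, _, _ = select_ports(ranked, limit)
    chosen = [i for i, p in enumerate(ranked) if p.number in selected]
    return (decider,
            sorted(local_ports[i].number for i in chosen),
            sorted(remote_ports[i].number for i in chosen))


if __name__ == "__main__":
    # constructed scenario: local runs 'lacp system-priority 40000', remote keeps 32768
    local = SystemId(40000, "00:1f:ce:10:14:f1")
    remote = SystemId(32768, "00:1f:ce:10:14:f2")
    lp = [AggPort(n) for n in range(1, 11)]      # 10 local members, limit is 8
    rp = [AggPort(n) for n in range(1, 11)]
    rp[9].lacp_priority = 1                      # remote 'lacp port-priority 1' on port 10
    print(negotiate(local, remote, lp, rp))      # remote decides; ports 1-7 and 10 selected
```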
c) Port configuration considerations in static aggregation
Like in a manual aggregation group, in a static LACP aggregation group, only ports with configurations consistent with those of the master port can become selected. You need to maintain the basic configurations of these ports manually to ensure consistency. As one configuration change may involve multiple ports, this can become troublesome if you need to do that port by port. As a solution, you may add the ports into an aggregation port group where you can make configuration for all member ports.
When the configuration of some port in a static aggregation group changes, the system does not remove the aggregation; instead, it re-sets the selected/unselected state of the member ports and re-selects a master port.
3.6 Load Sharing in a Link Aggregation Group
Link aggregation groups fall into load sharing aggregation groups and non-load sharing aggregation groups depending on their support to load sharing.
A load sharing aggregation group can contain at least one selected port but a non-load sharing aggregation group can contain only one.
Link aggregation groups perform load sharing depending on availability of hardware resources. When hardware resources are available, link aggregation groups created containing at least two selected ports perform load sharing, while link aggregation groups created with only one selected port perform load sharing depending on the model of your device. After hardware resources become depleted, link aggregation groups work in non-load sharing mode.
3.7 Aggregation Port Group
As mentioned earlier, in a manual or static aggregation group, a port can be selected only when its configuration is the same as that of the master port in terms of duplex/speed pair, link state, and other basic configurations. Their configuration consistency requires administrative maintenance, which is troublesome after you change some configuration.
To simplify configuration, port-groups are provided allowing you to configure for all ports in individual groups at one time. One example of port-groups is aggregation port group.
Upon creation or removal of a link aggregation group, an aggregation port-group which cannot be administratively created or removed is automatically created or removed. In addition, you can only assign/remove a member port to/from an aggregation port-group by assigning/removing it from the corresponding link aggregation group.
3.8 Link aggregation configuration
Port LACP configuration includes channel group configuration.
Create a channel group. Please configure it in global configuration mode:
channel-group channel-group-number
The channel-group-number parameter ranges from 0 to 5.
For example:
! Create a channel group with the group number being 0
QTECH(config)#channel-group 0
Delete channel group
no channel-group channel-group-number
Add port members to the group
channel-group channel-group-number mode {active | passive | on}
In interface configuration mode, add current interface to channel group and specify the mode of interface. If the channel group doesn’t exist, create it.
For example:
! Add Ethernet 0/3 to channel-group 3 and specify the port to be active mode
QTECH(config-if-ethernet-0/3)#channel-group 3 mode active
Delete interface member in channel group
no channel-group channel-group-number
In interface configuration mode, delete current interface from channel group.
For example:
! Delete interface Ethernet 0/3 from channel group 3
QTECH(config-if-ethernet-0/3)#no channel-group 3
Configure load balance of switch
channel-group load-balance {dst-ip|dst-mac|src-dst-ip|src-dst-mac|src-ip|src-mac}
For example:
! Specify that the load-balance strategy of the channel group is destination MAC
QTECH(config)#channel-group load-balance dst-mac
Configure system LACP priority
lacp system-priority priority
For example:
! Configure the LACP system priority to be 40000
QTECH(config)#lacp system-priority 40000
Delete system LACP priority
no lacp system-priority
Use this command to restore system default LACP priority to be 32768.
Configure interface LACP priority
lacp port-priority priority
Use this command in interface configuration mode to configure LACP priority of the current interface
For example:
! Configure lacp port-priority of Ethernet 0/2 to be 12345
QTECH(config-if-ethernet-0/2)#lacp port-priority 12345
Delete interface LACP priority
no lacp port-priority
Use this command to restore interface default LACP priority to be 128.
Display system LACP ID
show lacp sys-id
The system ID consists of 16 characters of system priority followed by 32 characters of system MAC address.
For example:
! Display lacp system id
QTECH(config)#show lacp sys-id
Display local information of channel group
show lacp internal [channel-group-number]
Use show lacp internal command to display the information of the group members; if no channel group number is given, all groups are displayed.
For example: Display the member information of channel group 2.
QTECH#show lacp internal 2
Display information of neighbour interface of channel group
show lacp neighbor [channel-group-number]
Use show lacp neighbor command to display the information of the neighbour port in the group. If there is no keyword, the neighbor ports of all the groups are displayed.
For example: Display the information of the neighbour port of the group 2
QTECH#show lacp neighbor 2
3.9 Interface CAR configuration
3.9.1 Brief introduction of interface CAR
Interface CAR is used to restrict the rate at which packets from a single interface hit the CPU. The CPU keeps per-interface rate statistics. If the rate exceeds the configured threshold (300 packets/second by default), the interface is disabled and a trap reporting the interface as abnormal is sent. After a certain time (480 seconds by default) the interface is re-enabled. If interface CAR does not disable the interface again within 2 seconds, the storm of packets hitting the CPU from that interface is over, the interface recovers and a trap reporting the interface as normal is sent. Caution: if the re-enabled interface is disabled again within 2 seconds because packets hit the CPU, no further abnormal trap is sent.
3.9.2 Port CAR configuration command list
Port CAR configuration command includes:
· Enable/disable interface CAR globally
· Enable/disable interface CAR on a port
· Configure interface CAR re-enable time
· Configure interface CAR
· Display interface CAR status
3.9.3 Enable/disable interface CAR globally
Configure it in global configuration mode
Enable interface CAR globally
port-car
Disable interface CAR globally
no port-car
By default, port-car is enabled globally.
For example:
! Enable port-car globally
QTECH(config)#port-car
3.9.4 Enable/disable interface CAR on interface
Please configure it in interface configuration mode:
Enable interface CAR
port-car
Disable interface CAR
no port-car
For example:
! Enable port-car of Ethernet 0/8
QTECH(config-if-ethernet-0/8)#port-car
3.9.5 Configure the reopen time of the port shut down by port-car
Please configure it in global configuration mode:
Configure the reopen time of the port shutdown by port-car
port-car-open-time time
By default, port-car-open-time is 480 seconds
For example:
! Configure port-car-open-time to be 10 seconds
QTECH(config)#port-car-open-time 10
3.9.6 Configure the port-car-rate
Please configure it in global configuration mode:
Configure the port-car-rate
port-car-rate rate
Default port-car-rate is 300 packet/second
For example:
! Configure port-car-rate to be 200 packet/second
QTECH(config)#port-car-rate 200
3.9.7 Display port-car information
Input following command in any configuration mode to display port-car information:
show port-car
For example:
! Display port-car information
QTECH(config)#show port-car
3.10 Port Alarm Configuration
3.10.1 Brief introduction of port alarm configuration
The system can monitor the packet receiving rate of a port. If the receiving rate goes beyond the interface flow exceed threshold, an alarm of large interface flow is sent and the interface enters the large-interface-flow status. In this status, if the receiving rate drops below the interface flow normal threshold, an alarm of normal interface flow is sent. This function actively reports the packet receiving rate to the user.
3.10.2 Port alarm configuration list
Port alarm configuration command includes:
· Enable/disable port alarm globally
· Enable/disable port alarm on the port
· Configure the exceed threshold and normal threshold of port alarm
· Display port alarm
3.10.3 Enable/disable port alarm globally
Please configure it in global configuration mode:
Enable port alarm globally
alarm all-packets
Disable port alarm globally
no alarm all-packets
By default, alarm all-packets is enabled.
For example:
! Enable global alarm all-packets
QTECH(config)#alarm all-packets
3.10.4 Enable/disable port alarm on the port
Please configure it in interface configuration mode:
Enable port alarm on the port
alarm all-packets
Disable port alarm on the port
no alarm all-packets
For example:
! Enable alarm all-packets of Ethernet 0/8
QTECH(config-if-ethernet-0/8)# alarm all-packets
3.10.5 Configure the exceed threshold and normal threshold of port alarm
Configure the exceed threshold and normal threshold of port alarm
alarm all-packets threshold [ exceed rate] [ normal rate]
Caution: exceed > normal. By default, the 100 BASE exceed threshold is 85 and the normal threshold is 60.
For example:
! Configure alarm all-packets exceed threshold to be 500, and normal threshold to be 300
QTECH(config)#alarm all-packets threshold exceed 500 normal 300
3.10.6 Display port alarm
Input following command in any configuration mode to display global interface alarm:
show alarm all-packets
For example:
! Display global alarm all-packets information
QTECH(config)#show alarm all-packets
Input following command in any configuration mode to display interface alarm on the port:
show alarm all-packets interface [ interface-list ]
Keyword “interface-list” is alternative. If there is no keyword, the alarm all-packets of all the interfaces are displayed, or the information of specified port is displayed.
For example:
! Display the alarm all-packets interface information of Ethernet 0/1
QTECH(config)#show alarm all-packets interface ethernet 0/1
e0/1 port alarm information
Port alarm status : enable
Port alarm exceed threshold(Mbps) : 85
Port alarm normal threshold(Mbps) : 60
Total entries: 1.0
3.11 Interface shutdown-control Configuration
3.11.1 Brief introduction of shutdown-control
Interface shutdown-control is used to restrict the unicast, multicast or broadcast rate of a single interface. If the rate goes beyond the configured limit, the interface is shut down and a failure trap is sent. After a while (480 seconds by default, configurable) the interface may reopen. If shutdown-control does not shut the interface down again within 2 seconds, the interface turns normal and a normal trap is sent. If shutdown-control shuts the interface down again within 2 seconds, no further failure trap is sent.
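Interface CAR (3.9.1) and shutdown-control (3.11.1) describe the same guard cycle: threshold exceeded, port shut and abnormal trap, reopen after the open-time, normal trap only after 2 quiet seconds, and no second abnormal trap for a port shut again within those 2 seconds. The following added Python simulation (not QTech code) walks one port through that cycle; the PortGuard class, its per-second tick and the trace values are constructed for the illustration, with the open-time shortened so the whole cycle fits in a few seconds.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed simulation (not QTech code) of the port-car / shutdown-control
# state machine. Defaults follow the text: 300 pps threshold (port-car-rate),
# 480 s reopen time (port-car-open-time / shutdown-control-open-time) and a
# 2 s recovery window. For shutdown-control, feed the rate of the traffic
# class (broadcast, multicast or unicast) that target-rate was set for.


@dataclass
class PortGuard:
    name: str
    threshold_pps: int = 300
    open_time: int = 480
    recover_window: int = 2
    enabled: bool = True
    storm: bool = False               # True from the abnormal trap until the normal trap
    shut_at: Optional[int] = None     # time the port was last shut down
    reopened_at: Optional[int] = None
    traps: List[Tuple[int, str]] = field(default_factory=list)

    def tick(self, t: int, rate_pps: int) -> bool:
        """Feed one second of rate statistics at time t; return whether the port is up."""
        if not self.enabled:
            if t - self.shut_at < self.open_time:
                return False                      # still inside the shutdown period
            self.enabled = True                   # open-time elapsed: reopen the port
            self.reopened_at = t
        if rate_pps > self.threshold_pps:
            self.enabled = False                  # threshold exceeded: shut the port
            self.shut_at = t
            self.reopened_at = None
            if not self.storm:                    # first shutdown of this storm
                self.storm = True
                self.traps.append((t, f"{self.name} abnormal"))
            # otherwise the port was shut again within the recovery window: no new trap
            return False
        if (self.storm and self.reopened_at is not None
                and t - self.reopened_at >= self.recover_window):
            self.storm = False                    # 2 quiet seconds: the storm is over
            self.reopened_at = None
            self.traps.append((t, f"{self.name} normal"))
        return True


def simulate(guard: PortGuard, rates: List[int]) -> List[Tuple[int, str]]:
    """Run the guard over a per-second rate series (index = seconds since start)."""
    for t, rate in enumerate(rates):
        guard.tick(t, rate)
    return guard.traps


if __name__ == "__main__":
    # constructed trace: storm for 11 s, quiet while shut, 3 quiet seconds after
    # the second reopen, then a fresh burst that earns a new abnormal trap
    g = PortGuard("e0/8", threshold_pps=300, open_time=10)
    trace = [500] * 11 + [0] * 9 + [100, 100, 100, 400]
    print(simulate(g, trace))   # [(0, 'e0/8 abnormal'), (22, 'e0/8 normal'), (23, 'e0/8 abnormal')]
```

Note that the burst at second 10 (right after the first reopen) shuts the port again without a trap, which is the suppression rule the caution in 3.9.1 describes.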
3.11.2 Interface shutdown-control Configuration list
Interface shutdown-control Configuration list is as following:
· Configuration shutdown-control
· Configure shutdown-control open-time
· Display shutdown-control
3.11.3 shutdown-control Configuration
Configure it in interface configuration mode:
Enable shutdown-control
shutdown-control [ broadcast | multicast | unicast ] target-rate
Disable shutdown-control
no shutdown-control [ broadcast | multicast | unicast ]
By default, shutdown-control is disabled.
Example:
! Enable shutdown-control of e0/8 for broadcast and speed rate is 100pps.
QTECH(config-if-ethernet-0/8)#shutdown-control broadcast 100
3.11.4 Configure shutdown-control open-time
Configure it in global configuration mode:
Configure shutdown-control open-time
shutdown-control-open-time time
The default shutdown-control open-time is 480 seconds.
Example:
! Configure shutdown-control-open-time of CAR is 20 seconds
QTECH(config)# shutdown-control-open-time 20
3.11.5 Display shutdown-control
Configure it in any configuration mode:
show shutdown-control
Example:
! Display interface shutdown-control information
QTECH(config)#show shutdown-control
Chapter 4 VLAN Configuration
4.1 Introduction to VLAN
4.1.1 VLAN Overview
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared in an Ethernet, network performance may degrade as the number of hosts on the network increases. If the number of hosts in the network reaches a certain level, problems caused by collisions, broadcasts, and so on emerge, which may cause the network to operate improperly. In addition to suppressing collisions (which can also be achieved by interconnecting LANs), a virtual LAN (VLAN) can also isolate broadcast packets. A VLAN divides a LAN into multiple logical LANs, each being a broadcast domain. Hosts in the same VLAN can communicate with each other as in a LAN, but hosts from different VLANs cannot communicate directly. In this way, broadcast packets are confined to a single VLAN, as illustrated in the following figure.
Figure 1 A VLAN diagram
A VLAN is not restricted by physical factors, that is to say, hosts that reside in different network segments may belong to the same VLAN, users in a VLAN can be connected to the same switch, or span across multiple switches or routers.
VLAN technology has the following advantages:
1) Broadcast traffic is confined to each VLAN, reducing bandwidth utilization and improving network performance.
2) LAN security is improved. Packets in different VLANs cannot communicate with each other directly. That is, users in a VLAN cannot interact directly with users in other VLANs, unless routers or Layer 3 switches are used.
3) A more flexible way to establish virtual working groups. With VLAN technology, clients can be allocated to different working groups, and users from the same group do not have to be within the same physical area, making network construction and maintenance much easier and more flexible.
4.1.2 VLAN Fundamental
To allow packets to be distinguished by the VLANs they belong to, a field identifying the VLAN is added to packets. As common switches operate at Layer 2, they only process Layer 2 encapsulation information, and the field thus needs to be inserted into the Layer 2 encapsulation information of packets.
The format of packets carrying the field that identifies VLANs is defined in IEEE 802.1Q, which was issued in 1999.
In the header of a traditional Ethernet packet, the field following the destination MAC address and the source MAC address is protocol type, which indicates the upper layer protocol type. Figure 2 illustrates the format of a traditional Ethernet packet, where DA stands for destination MAC address, SA stands for source MAC address, and Type stands for upper layer protocol type.
Figure 2 The format of a traditional Ethernet packet
IEEE 802.1Q defines a four-byte VLAN Tag field between the DA&SA field and the Type field to carry VLAN-related information, as shown in Figure 3.
Figure 3 The position and the format of the VLAN Tag field
The VLAN Tag field comprises four sub-fields: the TPID field, the Priority field, the CFI field, and the VLAN ID field.
· The TPID field, 16 bits in length and with a value of 0x8100, indicates that a packet carries a VLAN tag with it.
· The Priority field, three bits in length, indicates the priority of a packet. For information about packet priority, refer to QoS Configuration in the QoS Volume.
· The CFI field, one bit in length, specifies whether or not the MAC addresses are encapsulated in standard format when packets are transmitted across different media. This field is not described here.
· The VLAN ID field, 12 bits in length and with its value ranging from 0 to 4095, identifies the ID of the VLAN a packet belongs to. As VLAN IDs 0 and 4095 are reserved by the protocol, the actual value of this field ranges from 1 to 4094.
A network device determines the VLAN to which a packet belongs by the VLAN ID field the packet carries. The VLAN Tag determines the way a packet is processed.
4.2 VLAN Classification
Based on different criteria, VLANs can be classified into different categories. The following types are the most commonly used:
· Port-based
· 802.1Q
· Policy-based
· Other types
This chapter focuses on port-based VLANs, 802.1Q VLANs and policy-based VLANs.
4.3 VLAN Interface
VLAN interfaces are virtual interfaces used for communications between different VLANs. Each VLAN can have one VLAN interface. Packets of a VLAN can be forwarded on network layer through the corresponding VLAN interface. As each VLAN forms a broadcast domain, a VLAN can be an IP network segment and the VLAN interface can be the gateway to enable IP address-based Layer 3 forwarding.
4.4 Port-Based and 802.1Q VLAN
This is the simplest yet the most effective way of classifying VLANs. It groups VLAN members by port. After being added to a VLAN, a port can forward the packets of that VLAN.
4.4.1 Port link type
Based on the tag handling mode, a port's link type can be one of the following:
· Access or Hybrid port: the port can belong to multiple VLANs, can receive or send packets for multiple VLANs, and is used to connect either user or network devices;
· Trunk port: the port can belong to multiple VLANs, can receive/send packets for multiple VLANs, and is normally used to connect network devices.
The differences between an Access port and a Trunk port:
· An Access port allows packets of multiple VLANs to be sent with or without the Tag label;
· A Trunk port only allows packets from the default VLAN to be sent without the Tag label.
4.4.2 Default VLAN
You can configure the default VLAN for a port. By default, VLAN 1 is the default VLAN for all ports. However, this can be changed as needed.
· An Access port only belongs to one VLAN. Therefore, its default VLAN is the VLAN it resides in and cannot be configured.
· You can configure the default VLAN for a Trunk port or a Hybrid port, as they can both belong to multiple VLANs.
4.5 Policy-Based VLAN
In this approach, inbound packets are assigned different VLAN IDs based on an ACL policy. For example, protocol types (TPID) that can be used to categorize VLANs include IP, IPX, and AppleTalk (AT). A port can be associated with multiple ACLs. An untagged packet (that is, a packet carrying no VLAN tag) reaching a port associated with a policy-based VLAN is processed as follows.
· If the packet matches an ACL, the packet is tagged with the VLAN ID of the policy-based VLAN defined by that ACL.
· If the packet matches no ACL template, the packet is tagged with the default VLAN ID of the port.
A tagged packet (that is, a packet carrying a VLAN tag) reaching the port is processed in the same way as for a port-based VLAN.
· If the port is configured to permit packets with the VLAN tag, the packet is forwarded.
· If the port is configured to deny packets with the VLAN tag, the packet is dropped.
This feature is mainly used to bind any type of traffic to a VLAN for ease of management and maintenance. Please refer to "Traffic rewrite vlan configuration".
4.6 Super VLAN
With the development of networks, network address resources have become more and more scarce. The concept of Super VLAN was introduced to save IP address space. Super VLAN is also called VLAN aggregation. A super VLAN involves multiple sub-VLANs. It has a VLAN interface with an IP address, but no physical ports can be added to the super VLAN. A sub-VLAN can have physical ports added but has no IP address and no VLAN interface. All ports of the sub-VLANs use the IP address of the super VLAN's VLAN interface. Packets cannot be forwarded between sub-VLANs at Layer 2.
If Layer 3 communication is needed from a sub-VLAN, it uses the IP address of the super VLAN as the gateway IP address. Thus, multiple sub-VLANs share the same gateway address and thereby save IP address resources.
The local Address Resolution Protocol (ARP) proxy function is used to realize Layer 3 communication between sub-VLANs and between sub-VLANs and other networks. It works as follows: after creating the super VLAN and the VLAN interface, enable the local ARP proxy function to forward ARP request and response packets.
Caution: Super VLAN is only supported on the QSW-3900; please refer to http://www.qtech.ru
4.7 Isolate-User-VLAN
The isolate-user-VLAN adopts a two-tier VLAN structure. In this approach, two types of VLANs, isolate-user-VLAN and secondary VLAN, are configured on the same device.
The isolate-user-VLAN is mainly used for upstream data exchange. An isolate-user-VLAN can have multiple secondary VLANs associated with it. The upstream device only knows the isolate-user-VLAN; how the secondary VLANs work is not its concern. In this way, network configuration is simplified and VLAN resources are saved.
Secondary VLANs are used for connecting users. Secondary VLANs are isolated from each other on Layer 2. To allow users from different secondary VLANs under the same isolate-user-VLAN to communicate with each other, you can enable ARP proxy on the upstream device to realize Layer 3 communication between the secondary VLANs.
One isolate-user-VLAN can have multiple secondary VLANs, which are invisible to the corresponding upstream device.
As illustrated in the following figure, the isolate-user-vlan function is enabled on Switch B. VLAN 10 is the isolate-user-VLAN, and VLAN 2, VLAN 5, and VLAN 8 are secondary VLANs that are mapped to VLAN 10 and are invisible to Switch A.
Figure 1 An isolate-user-vlan example (devices shown: QSW-2900, QSW-3500; VLANs shown: VLAN 2, VLAN 5, VLAN 8 and VLAN 10)
4.8 VLAN interface type
The system supports IEEE 802.1Q, which has two types of VLAN interfaces: tagged and untagged.
A tagged interface adds the VLAN ID, priority and other VLAN information to the head of each packet leaving the interface. If the packet already carried IEEE 802.1Q information when it entered the switch, the tag information is not changed; if the packet carried no IEEE 802.1Q tag information, the system determines the VLAN it belongs to from the default VLAN ID of the receiving interface. Network devices that support IEEE 802.1Q decide whether to forward this packet according to the VLAN information in the tag.
An untagged interface strips the tag information from all packets leaving the interface. When a frame leaves an untagged interface, it does not contain IEEE 802.1Q tag information. Stripping the tag allows packets to be transferred from a network device that supports tagging to one that does not.
At present, only a switch that supports IEEE 802.1Q can recognize IEEE 802.1Q frames, so only a port linked to a switch that supports IEEE 802.1Q can be configured as a tagged port.
4.9 Default VLAN
The switch ships with a default VLAN, which has the following features:
· The name of this VLAN is Default, which can be modified.
· It includes all ports; ports can be added to and deleted from it.
· All ports in the default VLAN are in untagged mode, which can be modified to tagged.
· The VLAN ID of the default VLAN is 1, and this VLAN cannot be deleted.
4.10 VLAN configuration
4.10.1 VLAN configuration list
To configure VLANs, first create the VLANs that are needed, then configure the VLAN interfaces and their parameters.
The VLAN configuration list is as follows:
· Create/delete VLAN
· Add/delete VLAN interface
· Specify/delete VLAN description
· Configure interface type
· Configure interface default vlan ID
· Configure tag vlan
· Display VLAN information
4.10.2 Create/delete VLAN
Configure it in global configuration mode:
Enter VLAN configuration mode or create VLAN and enter it
vlan vlan-list
Delete created VLAN or specified VLAN except VLAN 1
no vlan { vlan-list | all }
The VLAN IDs the system allows to be configured are in the range 1 to 4094. vlan-list can be a list of discrete numbers, a range, or a combination of the two: discrete numbers are separated by commas and a range is written with a hyphen, for example: 2, 5, 8, 10-20. Use the vlan command to enter VLAN configuration mode. If the VLAN identified by the vlan-id keyword exists, the command enters VLAN configuration mode; if not, the command creates the VLAN and then enters VLAN configuration mode. For example, if VLAN 2 does not exist, the system creates VLAN 2 first and then enters VLAN configuration mode; if VLAN 2 already exists, it enters VLAN configuration mode directly.
When deleting VLANs, if a vlan-list is specified, the corresponding VLANs are deleted. If all is chosen, all existing VLANs except the default VLAN are deleted. When a VLAN is deleted, any interface whose default VLAN ID is the same as the deleted VLAN has its default VLAN ID restored to the default VLAN ID.
If the VLAN to be removed is used by a multicast group, remove the related multicast group first.
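As an added example that is not part of the manual, the following Python models the vlan-list syntax and the vlan / no vlan rules above: the parser accepts discrete numbers and ranges within 1 to 4094, VLAN 1 is never deleted, and a deleted VLAN's member ports get their PVID restored to the default VLAN ID. The VlanTable class and its method names are constructed for illustration, not the switch's own API.

```python
"""vlan-list parsing and vlan / no vlan semantics (added example; names constructed)."""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
DEFAULT_VLAN = 1


def parse_vlan_list(text):
    """Parse '2, 5, 8, 10-20' into a sorted list of VLAN IDs within 1..4094."""
    ids = set()
    for item in re.split(r"[,\s]+", text.strip()):
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError("malformed vlan-list item %r" % item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError("VLAN range %s outside %d-%d" % (item, VLAN_MIN, VLAN_MAX))
        ids.update(range(lo, hi + 1))
    return sorted(ids)


class VlanTable:
    """Minimal model of the switch's VLAN table: member ports and per-port PVID."""

    def __init__(self, ports):
        self.members = {DEFAULT_VLAN: set(ports)}  # the default VLAN holds every port
        self.pvid = {p: DEFAULT_VLAN for p in ports}

    def vlan(self, vlan_list):
        """'vlan vlan-list': create the VLANs that do not exist yet; return them."""
        created = []
        for v in parse_vlan_list(vlan_list):
            if v not in self.members:
                self.members[v] = set()
                created.append(v)
        return created

    def switchport_access_vlan(self, port, vid):
        """'switchport access vlan': join an existing non-default VLAN, make it the PVID."""
        if vid == DEFAULT_VLAN or vid not in self.members:
            raise ValueError("VLAN %d must exist and must not be the default VLAN" % vid)
        self.members[vid].add(port)
        self.pvid[port] = vid

    def no_vlan(self, spec):
        """'no vlan { vlan-list | all }': VLAN 1 is never deleted; member ports of a
        deleted VLAN whose PVID equals that VLAN fall back to the default VLAN ID."""
        if spec == "all":
            targets = [v for v in self.members if v != DEFAULT_VLAN]
        else:
            targets = parse_vlan_list(spec)
            if DEFAULT_VLAN in targets:
                raise ValueError("the default VLAN cannot be deleted")
        deleted = []
        for v in targets:
            ports = self.members.pop(v, None)
            if ports is None:
                continue  # not an existing VLAN; nothing to delete
            for p in ports:
                if self.pvid[p] == v:
                    self.pvid[p] = DEFAULT_VLAN
            deleted.append(v)
        return deleted
```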
4.10.3 Add/delete VLAN interface
Use the switchport command to add a port or multiple ports to current VLAN. Use the no switchport command to remove a port or multiple ports from current VLAN. Use following commands in VLAN configuration mode:
Add interface to specified VLAN
switchport { interface-list | all }
Delete some interface from specified VLAN
no switchport { interface-list | all }
interface-list is an optional interface list naming one or more interfaces. If all is chosen when adding, all ports are added to the current VLAN; if all is chosen when deleting, all ports in the current VLAN are removed. When removing an interface from VLAN 1, if the PVID of the interface is 1, change the PVID to another VLAN ID before removing the interface. When removing an interface from another VLAN whose ID is the same as the port's PVID: if the port is also in VLAN 1, it is removed directly; if the port is not in VLAN 1, change the port's PVID to another VLAN ID first, then remove the port.
An interface in a VLAN has one of two statuses, tagged or untagged. If the port is an access port, it is added to the VLAN as untagged. If it is a trunk port, it is changed to tagged in the VLAN.
For example:
! Add Ethernet 1, 3, 4, 5, 8 to current VLAN
QTECH(config-if-vlan)#switchport ethernet 0/1 ethernet 0/3 to ethernet 0/5 ethernet 0/8
! Remove Ethernet 3, 4, 5, 8 from current VLAN
QTECH(config-if-vlan)#no switchport ethernet 0/3 to ethernet 0/5 ethernet 0/8
The switchport access vlan command and its no form can also add a port to or delete a port from a VLAN. Please refer to the interface configuration in chapter 2.
4.10.4 Specify/restore VLAN description
The description string is used to distinguish each VLAN. Please configure it in VLAN configuration mode:
Specify a description string to specified VLAN
description string
Delete description string of specified VLAN
no description
string: a description of the current VLAN, 1 to 32 printable characters, excluding wildcards such as '/', ':', '*', '?', '\\', '<', '>', '|', '"'.
For example:
! Specify the description string of the current VLAN as “market”
QTECH (config-if-vlan)#description market
! Delete the description string of VLAN
QTECH(config-if-vlan)#no description
4.10.5 Configure interface type
Use switchport mode command to configure port type. Please refer to interface configuration in chapter 2.
4.10.6 Configure interface default vlan ID
The system supports IEEE 802.1Q. When receiving an untagged packet, the system adds a tag to the packet in which the VLAN ID is determined by the default VLAN ID of the receiving port. The command to configure the default VLAN of a trunk port is switchport trunk native vlan; for an access port, use the switchport access vlan command to configure the default VLAN of the specified interface. The corresponding no commands are described in detail in chapter 2.
For example:
! Configure default vlan-id of Ethernet interface 1 to be 2
QTECH(config-if-ethernet-0/1)#switchport mode access
QTECH(config-if-ethernet-0/1)#switchport access vlan 2
Caution: To use switchport trunk native vlan vlan-id, the specified interface must be a trunk port that belongs to the specified VLAN, and the VLAN ID must not be 1. Use switchport access vlan vlan-id to configure the default VLAN of an interface and add it to that VLAN; the specified interface must be an access port, and the VLAN must exist and must not be the default VLAN.
4.10.7 Configure tag vlan
When a port is an access port without tag vlan configuration, it can only send untagged packets. To make it send tagged packets, use the
tag vlan vlan-list
command. Use its no form to disable this function. The interface must be an access port, and the command is configured in interface configuration mode.
For example:
! Configure Ethernet interface 1 to send IEEE 802.1Q packet with tag VLAN 5, VLAN 7-10
QTECH(config-if-ethernet-0/1)#tag vlan 5, 7-10
4.10.8 Display VLAN information
VLAN information consists of the VLAN description string, the vlan-id, the VLAN status and its interface members: tagged interfaces, untagged interfaces and dynamically tagged interfaces. Interface members consist of tagged and untagged members.
show vlan [ vlan-id ]
If the VLAN with the specified keyword exists, this command displays the information of that VLAN. If no keyword is specified, this command displays the list of all existing VLANs.
For example:
! Display the information of existing VLAN 2.
QTECH(config)#show vlan 2
4.11 PVLAN
PVLAN means private VLAN, which is used to realize the interface isolation function. These private VLANs are unknown to uplink devices, which saves public VLAN resources. Vendors in this field currently use SVL to realize PVLAN and provide corresponding configuration commands, but SVL has shortcomings, such as the uplink and downlink interfaces having to be access ports, and MAC address waste. Our company uses redirection technology to realize PVLAN and overcome the shortcomings of SVL: any interface can be access or trunk, which fully realizes PVLAN. For details of PVLAN configuration, refer to the interface isolation configuration.
4.12 GVRP configuration
4.12.1 Brief introduction of GVRP
GVRP (GARP VLAN Registration Protocol) is an application of GARP. It is based on the GARP working mechanism to maintain dynamic VLAN registration information in the switch and propagate it to other switches. Every switch that supports GVRP can receive VLAN registration information from other switches and dynamically update its local VLAN registration information, which includes the current VLAN members and through which interface those members can be reached. Every switch that supports GVRP can also propagate its local VLAN registration information to other switches so that the VLAN information of all GVRP-capable devices stays consistent. The VLAN registration information propagated by GVRP includes locally configured static registration information and the dynamic registration information learnt from other switches.
GARP VLAN Registration Protocol (GVRP) is a GARP application. It functions based on the operating mechanism of GARP to maintain and propagate dynamic VLAN registration information for the GVRP devices on the network.
4.12.2 GARP
Generic Attribute Registration Protocol (GARP) provides a mechanism that allows participants in a GARP application to distribute, propagate, and register with other participants in a bridged LAN the attributes specific to the GARP application, such as the VLAN or multicast address attribute.
GARP itself does not exist on a device as an entity. GARP-compliant application entities are called GARP applications; one example is GVRP. When a GARP application entity is present on a port of your device, that port is regarded as a GARP application entity.
a) GARP messages and timers
1) GARP messages
GARP participants exchange attributes primarily by sending the following three types of messages:
· Join to announce the willingness to register some attribute with other participants.
· Leave to announce the willingness to deregister with other participants. Together with Join messages, Leave messages help GARP participants complete attribute reregistration and deregistration.
· LeaveAll to deregister all attributes. A LeaveAll message is sent upon expiration of a LeaveAll timer, which starts upon the startup of a GARP application entity.
Through message exchange, all attribute information that needs registration propagates to all GARP participants throughout a bridged LAN.
2) GARP timers
GARP sets the interval for sending GARP messages by using these four timers:
· Hold timer –– When a GARP application entity receives the first registration request, it starts a hold timer and collects succeeding requests. When the timer expires, the entity sends all these requests in one Join message. This helps save bandwidth.
· Join timer –– Each GARP application entity sends a Join message twice for reliability's sake and uses a join timer to set the sending interval.
· Leave timer –– Starts upon receipt of a Leave message sent for deregistering some attribute information. If no Join message is received before this timer expires, the GARP application entity removes the attribute information as requested.
· LeaveAll timer –– Starts when a GARP application entity starts. When this timer expires, the entity sends a LeaveAll message so that other entities can re-register its attribute information. Then, a LeaveAll timer starts again.
Note:
· The settings of GARP timers apply to all GARP applications, such as GVRP, on a LAN.
· Unlike the other three timers, which are set on a per-port basis, the LeaveAll timer is set in system view and takes effect globally.
· A GARP application entity may send LeaveAll messages at the interval set by its own LeaveAll timer or by the LeaveAll timer on another device on the network, whichever is smaller. This is because each time a device on the network receives a LeaveAll message it resets its LeaveAll timer.
b) Operating mechanism of GARP
The GARP mechanism allows the configuration of a GARP participant to propagate throughout a LAN quickly. In GARP, a GARP participant registers or deregisters its attributes with other participants by making or withdrawing declarations of attributes and, at the same time, handles the attributes of other participants based on the declarations or withdrawals it receives.
GARP application entities send protocol data units (PDUs) with a particular multicast MAC address as the destination. Based on this address, a device can identify to which GARP application, GVRP for example, a GARP PDU should be delivered.
c) GARP message format
The following figure illustrates the GARP message format.
Figure 1 GARP message format
The following table describes the GARP message fields.
Table 1 Description on the GARP message fields
Field | Description | Value
Protocol ID | Protocol identifier for GARP | 1
Message | One or multiple messages, each containing an attribute type and an attribute list | ––
Attribute Type | Defined by the concerned GARP application | 0x01 for GVRP, indicating the VLAN ID attribute
Attribute List | Contains one or multiple attributes | ––
Attribute | Consists of an Attribute Length, an Attribute Event, and an Attribute Value | ––
Attribute Length | Number of octets occupied by an attribute, inclusive of the attribute length field | 2 to 255 (in bytes)
Attribute Event | Event described by the attribute | 0: LeaveAll; 1: JoinEmpty; 2: JoinIn; 3: LeaveEmpty; 4: LeaveIn; 5: Empty
Attribute Value | Attribute value | VLAN ID for GVRP. If the Attribute Event is LeaveAll, Attribute Value is omitted.
End Mark | Indicates the end of PDU | ––
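An added example (not code from the manual or the switch firmware) that encodes and decodes a GVRP PDU laid out as in Table 1: Protocol ID 1, one message with Attribute Type 0x01, attributes made of Length, Event and a VLAN ID value, and End Marks. The End Mark value 0x00 and the 2-octet VLAN ID encoding are assumptions taken from IEEE 802.1D/802.1Q rather than from this page, and apply_to_registrar simplifies the timer-driven GARP registrar to an immediate update.

```python
"""GVRP PDU encode/decode following the GARP message layout of Table 1 (added example)."""
import struct

GARP_PROTOCOL_ID = 1          # Protocol ID field value for GARP
GVRP_ATTR_TYPE_VID = 0x01     # Attribute Type 0x01: VLAN ID attribute for GVRP
END_MARK = 0x00               # assumption: end-of-list marker value from IEEE 802.1D
EVENT_NAMES = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
               3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}
EVENT_CODES = {name: code for code, name in EVENT_NAMES.items()}


def encode_gvrp_pdu(attributes):
    """attributes: list of (event_name, vid); vid is None for LeaveAll.

    Attribute Length counts the length byte itself, so a LeaveAll attribute is
    2 octets and a VLAN ID attribute is 4 octets (length, event, 2-octet VID).
    """
    pdu = bytearray(struct.pack("!H", GARP_PROTOCOL_ID))
    pdu.append(GVRP_ATTR_TYPE_VID)                   # start of the (single) message
    for name, vid in attributes:
        code = EVENT_CODES[name]
        if code == 0:                                # LeaveAll: Attribute Value omitted
            pdu += bytes([2, code])
        else:
            if not 1 <= vid <= 4094:
                raise ValueError("VLAN ID %r outside 1..4094" % (vid,))
            pdu += bytes([4, code]) + struct.pack("!H", vid)
    pdu.append(END_MARK)                             # end of attribute list
    pdu.append(END_MARK)                             # end of PDU
    return bytes(pdu)


def decode_gvrp_pdu(pdu):
    """Return a list of {'type', 'event', 'vid'} dicts, checking every length field."""
    if len(pdu) < 4:
        raise ValueError("PDU too short")
    (proto,) = struct.unpack_from("!H", pdu, 0)
    if proto != GARP_PROTOCOL_ID:
        raise ValueError("unexpected Protocol ID %d" % proto)
    off, out = 2, []
    while off < len(pdu) and pdu[off] != END_MARK:       # message list
        attr_type = pdu[off]
        off += 1
        while off < len(pdu) and pdu[off] != END_MARK:   # attribute list
            length = pdu[off]
            if length < 2 or off + length > len(pdu):
                raise ValueError("bad Attribute Length %d at offset %d" % (length, off))
            event = EVENT_NAMES.get(pdu[off + 1])
            if event is None:
                raise ValueError("unknown Attribute Event %d" % pdu[off + 1])
            value = pdu[off + 2:off + length]
            vid = None
            if event != "LeaveAll" and attr_type == GVRP_ATTR_TYPE_VID:
                if len(value) != 2:
                    raise ValueError("VLAN ID attribute must carry a 2-octet value")
                (vid,) = struct.unpack("!H", value)
            out.append({"type": attr_type, "event": event, "vid": vid})
            off += length
        if off >= len(pdu):
            raise ValueError("attribute list not terminated by an End Mark")
        off += 1                                          # skip attribute-list End Mark
    if off >= len(pdu):
        raise ValueError("PDU not terminated by an End Mark")
    return out


def apply_to_registrar(decoded, dynamic_vlans):
    """Update a port's dynamically learnt VLAN set from decoded attributes.

    Simplification: LeaveAll clears all dynamic entries at once instead of
    starting the Leave timer that lets peers re-register first.
    """
    dyn = set(dynamic_vlans)
    for attr in decoded:
        if attr["type"] != GVRP_ATTR_TYPE_VID:
            continue
        if attr["event"] == "LeaveAll":
            dyn.clear()
        elif attr["event"] in ("JoinEmpty", "JoinIn"):
            dyn.add(attr["vid"])
        elif attr["event"] in ("LeaveEmpty", "LeaveIn"):
            dyn.discard(attr["vid"])
    return dyn
```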
4.12.3 GVRP
GVRP enables a device to propagate local VLAN registration information to other participant devices and dynamically update the VLAN registration information from other devices to its local database about active VLAN members and through which port they can be reached. It thus ensures that all GVRP participants on a bridged LAN maintain the same VLAN registration information. The VLAN registration information propagated by GVRP includes both manually configured local static entries and dynamic entries from other devices.
GVRP is described in IEEE 802.1Q.
4.12.4 GVRP Configuration list
In all configurations, enable global GVRP before enabling GVRP on a port. GVRP must be enabled on both ends of a trunk link that follows the IEEE 802.1Q standard.
The GVRP configuration list is as follows:
· Enable/disable global GVRP
· Enable/disable GVRP on a port
· Display GVRP
· Add/delete VLANs that can be dynamically learnt by GVRP
· Display VLANs that can be learnt by GVRP
4.12.5 Enable/disable global GVRP
Please configure it in global configuration mode:
Enable global GVRP
gvrp
Disable global GVRP
no gvrp
By default, GVRP is globally disabled.
For example:
! Enable GVRP globally
QTECH(config)#gvrp
4.12.6 Enable/disable GVRP on a port
Please configure it in interface configuration mode:
Enable GVRP on a port
gvrp
Disable GVRP on a port
no gvrp
For example:
! Enable GVRP on Ethernet port 8
QTECH(config-if-ethernet-0/8)#gvrp
Caution: Enable global GVRP before enabling GVRP on a port. By default, global GVRP is disabled, and GVRP on a port can be enabled on a trunk mode interface.
4.12.7 Display GVRP
Use following command in any configuration mode to display global GVRP:
show gvrp
Use following command in any configuration mode to display GVRP on a port:
show gvrp interface [ interface-list ]
The interface-list keyword is optional. If it is not specified, the command displays GVRP information for all Ethernet ports; if it is specified, the command displays GVRP information for the specified Ethernet ports.
For example:
! Display GVRP information on interface Ethernet 0/1
QTECH(config)#show gvrp interface ethernet 0/1
4.12.8 Add/delete vlan that can be dynamically learnt by GVRP
Use the garp permit vlan command to add configured static VLANs to the GVRP module so that other switches can learn them.
Configure it in global configuration mode:
garp permit vlan vlan-list
no garp permit vlan [ vlan-list ]
For example:
! Add vlan 2, 3, 4 to GVRP
QTECH(config)#garp permit vlan 2-4
4.12.9 Display vlan that can be learnt by GVRP
Use the show garp permit vlan command to display the current static VLANs permitted to be learnt by GVRP.
show garp permit vlan
For example:
! Display the current static VLANs permitted to be learnt by GVRP
QTECH(config)#show garp permit vlan
4.12.10 Examples for GVRP configuration
! Enable GVRP on Ethernet port 2
QTECH(config-if-ethernet-0/2)#gvrp
! Disable GVRP on Ethernet port 2
QTECH(config-if-ethernet-0/2)#no gvrp
4.13 QinQ configuration
4.13.1 Brief introduction of QinQ
QinQ is used for communication between separate client VLANs. Its service model is the interconnection of one or more QinQ-capable switches through service provider interfaces that belong to a service provider VLAN. The interface linking a client VLAN is called the customer interface. A packet carrying a client VLAN tag has a tag head added, with the VLAN ID being the service provider VLAN, when it passes through the customer interface. The tag head is stripped when the packet passes out of the service provider VLAN.
4.13.2 Introduction to QinQ
In the VLAN tag field defined in IEEE 802.1Q, only 12 bits are used for VLAN IDs, so a device can support a maximum of 4,094 VLANs. In actual applications, however, a large number of VLANs are required to isolate users, especially in metropolitan area networks (MANs), and 4,094 VLANs are far from satisfying such requirements.
The port QinQ feature provided by the device enables the encapsulation of double VLAN tags within an Ethernet frame, with the inner VLAN tag being the customer network VLAN tag while the outer one being the VLAN tag assigned by the service provider to the customer. In the backbone network of the service provider (the public network), frames are forwarded based on the outer VLAN tag only, while the customer network VLAN tag is shielded during data transmission.
Figure 1 shows the structure of 802.1Q-tagged and double-tagged Ethernet frames. The QinQ feature enables a device to support up to 4,094 x 4,094 VLANs to satisfy the demand for VLANs in the MAN.
Figure 1 802.1Q-tagged frame structure vs. double-tagged Ethernet frame structure
Advantages of QinQ:
· Addresses the shortage of public VLAN ID resource
· Enables customers to plan their own VLAN IDs without running into conflicts with public network VLAN IDs.
· Provides a simple Layer 2 VPN solution for small-sized MANs or intranets.
Note: The QinQ feature requires configurations only on the service provider network, and not on the customer network.
4.13.3 Implementations of QinQ
There are two types of QinQ implementations: basic QinQ and selective QinQ.
1) Basic QinQ
Basic QinQ is a port-based feature, which is implemented through VLAN VPN.
With the VLAN VPN feature enabled on a port, when a frame arrives at the port, the port will tag it with the port’s default VLAN tag, regardless of whether the frame is tagged or untagged. If the received frame is already tagged, this frame becomes a double-tagged frame; if it is an untagged frame, it is tagged with the port’s default VLAN tag.
2) Selective QinQ
Selective QinQ is a more flexible, VLAN-based implementation of QinQ.
4.13.4 Adjustable TPID Value of QinQ Frames
A VLAN tag uses the tag protocol identifier (TPID) field to identify the protocol type of the tag. The value of this field, as defined in IEEE 802.1Q, is 0x8100.
Figure 2 shows the 802.1Q-defined tag structure of an Ethernet frame.
Figure 2 VLAN Tag structure of an Ethernet frame
On devices of different vendors, the TPID of the outer VLAN tag of QinQ frames may have different default values. You can set and/or modify this TPID value so that the QinQ frames, when arriving at the public network, carry the TPID value of a specific vendor to allow interoperation with devices of that vendor.
The TPID in an Ethernet frame occupies the same position as the protocol type field in a frame without a VLAN tag. To avoid confusion when forwarding and receiving packets, you cannot set the TPID value to any of the values in the table below.
Table 1 Reserved protocol type values
Protocol type | Value
ARP | 0x0806
PUP | 0x0200
RARP | 0x8035
IP | 0x0800
IPv6 | 0x86DD
PPPoE | 0x8863/0x8864
MPLS | 0x8847/0x8848
IPX/SPX | 0x8137
IS-IS | 0x8000
LACP | 0x8809
802.1x | 0x888E
Cluster | 0x88A7
Reserved | 0xFFFD/0xFFFE/0xFFFF
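As an added example (not code from the QSW-2900 manual or firmware), the following Python parses and builds the tag stack described in 4.1.2 and 4.13.4: a single 802.1Q tag (TPID 0x8100 with the 3-bit Priority, 1-bit CFI and 12-bit VLAN ID sub-fields) or a QinQ double tag whose outer TPID is configurable, and it rejects the reserved protocol-type values of Table 1 as an outer TPID. Function names, the sample MAC addresses and the stub payload are constructed for this example.

```python
"""802.1Q / QinQ tag-stack parsing and building (added example; names are constructed)."""
import struct

DOT1Q_TPID = 0x8100          # TPID defined by IEEE 802.1Q
VID_MIN, VID_MAX = 1, 4094   # VLAN IDs 0 and 4095 are reserved by the protocol

# Protocol-type values from Table 1 that must not be configured as the outer TPID.
RESERVED_TPIDS = {
    0x0806, 0x0200, 0x8035, 0x0800, 0x86DD,   # ARP, PUP, RARP, IP, IPv6
    0x8863, 0x8864, 0x8847, 0x8848, 0x8137,   # PPPoE, MPLS, IPX/SPX
    0x8000, 0x8809, 0x888E, 0x88A7,           # IS-IS, LACP, 802.1x, Cluster
    0xFFFD, 0xFFFE, 0xFFFF,                   # Reserved
}


def validate_outer_tpid(tpid):
    """Apply the manual's rule: the outer TPID may not be a reserved protocol type."""
    if not 0 <= tpid <= 0xFFFF:
        raise ValueError("TPID must be a 16-bit value")
    if tpid in RESERVED_TPIDS:
        raise ValueError("TPID 0x%04X is a reserved protocol type" % tpid)
    return tpid


def decode_tci(tci):
    """Split the 16-bit Tag Control Information into Priority, CFI and VLAN ID."""
    vid = tci & 0x0FFF
    return {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": vid,
            "vid_reserved": not VID_MIN <= vid <= VID_MAX}


def parse_frame(frame, outer_tpid=DOT1Q_TPID):
    """Return dst, src, the tag list (outer to inner), the upper-layer type and payload.

    The first tag is accepted with the configured outer TPID or 0x8100; any
    further tag must use 0x8100. A frame whose outer TPID is not recognised
    is reported as untagged, with the unknown TPID showing up as its ethertype.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame truncated before the type field")
        (etype,) = struct.unpack_from("!H", frame, off)
        accepted = (outer_tpid, DOT1Q_TPID) if not tags else (DOT1Q_TPID,)
        if etype not in accepted:
            break
        if off + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append(dict(tpid=etype, **decode_tci(tci)))
        off += 4
    return {"dst": dst.hex(), "src": src.hex(), "tags": tags,
            "ethertype": etype, "payload": frame[off + 2:]}


def build_frame(dst, src, ethertype, payload, tags=(), outer_tpid=DOT1Q_TPID):
    """Build a frame with zero, one (0x8100) or two (outer_tpid + 0x8100) tags.

    tags is a sequence of (pcp, cfi, vid) from outer to inner.
    """
    out = bytearray(dst + src)
    for i, (pcp, cfi, vid) in enumerate(tags):
        if not VID_MIN <= vid <= VID_MAX:
            raise ValueError("VLAN ID %d is reserved" % vid)
        tpid = outer_tpid if (i == 0 and len(tags) > 1) else DOT1Q_TPID
        out += struct.pack("!HH", tpid, (pcp << 13) | (cfi << 12) | vid)
    out += struct.pack("!H", ethertype) + payload
    return bytes(out)


# Constructed sample: customer VLAN 2 carried inside service-provider VLAN 100,
# with the outer TPID set to 0x9100 as in the dtag outer-tpid example.
SAMPLE_DST = bytes.fromhex("0011223344aa")
SAMPLE_SRC = bytes.fromhex("0011223344bb")
SAMPLE_PAYLOAD = bytes.fromhex("45") + bytes(19)  # stub IPv4 header, not a real packet
SAMPLE_QINQ = build_frame(SAMPLE_DST, SAMPLE_SRC, 0x0800, SAMPLE_PAYLOAD,
                          tags=[(0, 0, 100), (3, 0, 2)], outer_tpid=0x9100)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_QINQ, outer_tpid=0x9100)["tags"])
    print(hex(parse_frame(SAMPLE_QINQ)["ethertype"]))  # vendor TPID not recognised
```

Parsing the same frame with the default TPID shows the interoperability problem the manual describes: the 0x9100 tag is not recognised and the frame looks untagged with an unknown ethertype.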
4.13.5 QinQ configuration list
1) Configure global QinQ
2) Configure interface QinQ mode
3) Configure interface dynamic QinQ
4) Enable/disable vlan-swap
5) Configure interface switching vlan
6) Display dynamic QinQ
7) Display switching vlan
4.13.6 Configure global QinQ
QSW-2900 supports three kinds of QinQ:
1) Static QinQ. The VLAN protocol number can be configured in this mode, but the port cannot be configured to ignore the tag head of ingress packets. If the VLAN protocol number is not the same as the port's configured value, or the port is configured to ignore the tag head, a new tag head is inserted between the 12th and 13th bit;
2) Flexible QinQ. Both the port VLAN protocol number and the ignore attribute for the tag head of ingress packets can be configured. A new tag head is added only when the VLAN protocol number of the ingress packet is neither the port's configured value nor the default value 8100. If the egress port is tagged, the TPID of the tag head is the configured TPID.
3) Traffic-based QinQ. It uses an ACL policy to insert the second tag. First enable flexible QinQ and ACL, then use the traffic-insert-vlan command to enable double tagging.
! Use dtag command to enable/disable QinQ globally in global configuration mode.
dtag { [ flexible-qinq ] | outer-tpid tpid }
no dtag
For example:
! Configure the global QinQ TPID to a non dot1q-in-dot1q value
QTECH(config)#dtag outer-tpid 9100
4.13.7 Configure QinQ mode of interface
There are two kinds of interface mode: service provider port and customer port. The former does not permit ignoring the tag head of ingress packets; the latter does.
! It is in the interface configuration mode.
dtag mode { customer | service-provider }
Example:
! Configure the interface to be a customer port
QTECH(config-if-ethernet-0/1)#dtag mode customer
4.13.8 Configure interface dynamic QinQ
1. Configure a series vlan to be dynamic QinQ with the start vlan and destination vlan. In the precondition of all vlan tag packets between start vlan are not transparent transmitted, they will transmit in the form of double tag head with destination vlan.
! The command mode is global configuration mode
dtag insert startvlanid endvlanid targetvlanid
Example:
Configure all VLAN tagged packets from start VLAN 1 to end VLAN 2 to receive a tag head with destination VLAN 3
QTECH(config)#dtag insert 1 2 3
2. Delete a consecutive VLAN range from the configured dynamic QinQ, given as start VLAN, end VLAN and destination VLAN. The parameters entered must be the same as those used when the VLAN series was configured.
! The command mode is global configuration mode
no dtag insert startvlanid endvlanid targetvlanid
Example:
Delete the configuration that adds a tag head with destination VLAN 3 to all VLAN tagged packets from start VLAN 1 to end VLAN 2.
QTECH(config)#no dtag insert 1 2 3
3. Configure a series of VLANs, given as start VLAN and end VLAN, for transparent transmission in dynamic QinQ. All VLAN tagged packets in this range are transmitted without a new tag head being added. Because transparent transmission has higher priority than tag insertion, it is not affected by the svlan insert command.
! Command mode is global configuration mode
dtag pass-through startvlanid endvlanid
Example:
Configure all VLAN tagged packets from start VLAN 1 to end VLAN 2 for transparent transmission
QTECH(config)#dtag pass-through 1 2
4. Delete the transparent transmission configuration for a VLAN series given as start VLAN and end VLAN. The parameters entered must be the same as those used when the series was configured.
! Command mode is global configuration mode
no dtag pass-through startvlanid endvlanid
Example:
Delete the transparent transmission configuration for all VLAN tagged packets from start VLAN 1 to end VLAN 2
QTECH(config)#no dtag pass-through 1 2
4.13.9 Enable/disable vlan-swap
Configure it in global configuration mode:
Enable vlan-swap
vlan-swap
Disable vlan-swap
no vlan-swap
By default, vlan-swap is disabled.
Example:
! Enable vlan-swap
QTECH(config)#vlan-swap
4.13.10 Configure global vlan-swap
1. Configure the VLAN in the tag to be replaced by the configured VLAN
! Command mode is global configuration mode
vlan-swap [original vlanID ] [ swap vlan ID ]
Example:
Configure vlan1 in tag head to be replaced by vlan2
QTECH(config)#vlan-swap vlan1 vlan2
2. Delete the configured vlan-swap parameter
! Command mode is global configuration mode
no vlan-swap [original vlanID ] [ swap vlan ID ]
Example:
Delete the configured replacement of VLAN 1 in the tag head by VLAN 2
QTECH(config)#no vlan-swap vlan1 vlan2
4.13.11 Configure rewrite-outer-vlan
Configure rewrite-outer-vlan. After configuration, for every packet from this port whose inner VLAN ID is in the specified range and (optionally) whose outer VLAN ID equals the specified one, the outer VLAN ID is rewritten to the new value.
! Command mode is interface configuration mode
rewrite-outer-vlan start-inner-vid end-inner-vid [ outer-vlan outer-vid ] new-outer-vlan new-outer-vid
no rewrite-outer-vlan start-inner-vid end-inner-vid [ outer-vlan outer-vid ]
Example:
Configure rewrite-outer-vlan of e0/1 with inner vlan ID being the range of 1~50, outer vlan ID being 3 and new outer vlan ID being 100
QTECH(config-if-ethernet-0/1)#rewrite-outer-vlan 1 50 outer-vlan 3 new-outer-vlan 100
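The dynamic QinQ rules of 4.13.8 (dtag insert with pass-through priority) and the rewrite-outer-vlan rule above, modelled at frame level as an added example; this is not QTech firmware code, both tags are assumed to use TPID 0x8100, and the MAC addresses and the pass-through range for VLAN 2 are constructed.

```python
"""Frame-level model of dynamic QinQ (dtag insert / dtag pass-through) and
rewrite-outer-vlan as described in 4.13.8 and 4.13.11. Added example, not QTech
firmware code; both tags use TPID 0x8100 and the MACs are constructed."""
import struct

TPID_DOT1Q = 0x8100
TAG_OFFSET = 12  # a tag head starts right after the two 6-byte MAC addresses


def build_frame(dst, src, ethertype, payload, vids=()):
    """Build an Ethernet frame with zero or more 802.1Q tags, outer tag first."""
    frame = bytearray(dst + src)
    for vid in vids:
        frame += struct.pack("!HH", TPID_DOT1Q, vid & 0x0FFF)  # PCP/DEI left 0
    frame += struct.pack("!H", ethertype) + payload
    return bytes(frame)


def vids_of(frame):
    """Return the VLAN IDs of the tag heads found from offset 12, outer first."""
    vids, off = [], TAG_OFFSET
    while struct.unpack_from("!H", frame, off)[0] == TPID_DOT1Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


class DynamicQinQ:
    """The global 'dtag insert' and 'dtag pass-through' tables of one switch."""

    def __init__(self):
        self.insert = []        # (start, end, target) from 'dtag insert'
        self.pass_through = []  # (start, end) from 'dtag pass-through'

    def dtag_insert(self, start, end, target):
        self.insert.append((start, end, target))

    def dtag_pass_through(self, start, end):
        self.pass_through.append((start, end))

    def apply(self, frame):
        """Add a second tag head carrying the target VLAN to a single-tagged
        frame whose VLAN lies in an insert range, unless that VLAN is also in
        a pass-through range: transparent transmission has priority."""
        vids = vids_of(frame)
        if len(vids) != 1:
            return frame                  # untagged or already double-tagged
        cvid = vids[0]
        if any(s <= cvid <= e for s, e in self.pass_through):
            return frame
        for s, e, target in self.insert:
            if s <= cvid <= e:
                outer = struct.pack("!HH", TPID_DOT1Q, target)
                return frame[:TAG_OFFSET] + outer + frame[TAG_OFFSET:]
        return frame


def rewrite_outer_vlan(frame, start_inner, end_inner, new_outer, outer=None):
    """'rewrite-outer-vlan start end [outer-vlan X] new-outer-vlan Y' on a port:
    for a double-tagged frame whose inner VID is in [start, end] (and whose
    outer VID equals X when that option is given) the outer VID becomes Y."""
    vids = vids_of(frame)
    if len(vids) < 2 or not (start_inner <= vids[1] <= end_inner):
        return frame
    if outer is not None and vids[0] != outer:
        return frame
    tci = struct.unpack_from("!H", frame, TAG_OFFSET + 2)[0]
    new_tci = (tci & 0xF000) | (new_outer & 0x0FFF)  # keep the PCP/DEI bits
    return (frame[:TAG_OFFSET + 2] + struct.pack("!H", new_tci)
            + frame[TAG_OFFSET + 4:])


DST = bytes.fromhex("01005e000101")   # constructed addresses
SRC = bytes.fromhex("0200deadbeef")


def demo():
    """Mirror the section's CLI examples and return the VID stack per C-VLAN."""
    sw = DynamicQinQ()
    sw.dtag_insert(1, 2, 3)        # QTECH(config)#dtag insert 1 2 3
    sw.dtag_pass_through(2, 2)     # constructed: VLAN 2 passes through untouched
    result = {}
    for cvid in (1, 2, 5):
        frame = build_frame(DST, SRC, 0x0800, b"\x45" + b"\x00" * 19, vids=[cvid])
        frame = sw.apply(frame)
        # e0/1: rewrite-outer-vlan 1 50 outer-vlan 3 new-outer-vlan 100
        frame = rewrite_outer_vlan(frame, 1, 50, 100, outer=3)
        result[cvid] = vids_of(frame)
    return result
```

demo() returns {1: [100, 1], 2: [2], 5: [5]}: VLAN 1 is double-tagged with S-VLAN 3 and then rewritten to 100, VLAN 2 passes through, VLAN 5 matches no rule.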
4.13.12 Display dynamic QinQ
1. Display dynamic vlan
! Command mode is global configuration mode
show dtag
Example:
Display QinQ
QTECH(config)#show dtag
2. Display transparent transmission vlan
! Command mode is global configuration mode
show dtag pass-through
Example:
Display transparent transmission vlan
QTECH(config)#show dtag pass-through
4.13.13 Display vlan-swap
Display vlan swap status
! Command mode is global configuration mode
show vlan-swap
Example:
Display vlan swap status
QTECH(config)#show vlan-swap
4.13.14 Display rewrite-outer-vlan
1. Display rewrite-outer-vlan
! Command mode is global configuration mode
show rewrite-outer-vlan
Example:
Display rewrite-outer-vlan
QTECH(config)#show rewrite-outer-vlan
Chapter 5 Multicast Protocol Configuration
5.1 Multicast overview
5.1.1 Multicast Address
Because the receivers are multiple hosts in a multicast group, the following questions arise:
· What destination should the information source send the information to in multicast mode?
· How is the destination address selected, that is, how does the information source know who the receivers are?
These questions are about multicast addressing. To enable the communication between the information source
and members of a multicast group (a group of information receivers), network-layer multicast addresses, namely, IP
multicast addresses must be provided. In addition, a technology must be available to map IP multicast addresses to
link-layer MAC multicast addresses. The following sections describe these two types of multicast addresses:
a) IP multicast address
The Internet Assigned Numbers Authority (IANA) categorizes IP addresses into five classes: A, B, C, D, and E.
Unicast packets use IP addresses of Class A, B, and C depending on network scale. Class D IP addresses are used as
destination addresses of multicast packets; a Class D address must never appear as the source address of an IP packet.
Class E IP addresses are reserved for future use.
In unicast data transport, a data packet is transported hop by hop from the source address to the destination
address. In an IP multicast environment, there are a group of destination addresses (called group address), rather than
one address. All the receivers join a group. Once they join the group, the data sent to this group of addresses starts to
be transported to the receivers. All the members in this group can receive the data packets. This group is a multicast
group.
A multicast group has the following characteristics:
· The membership of a group is dynamic. A host can join and leave a multicast group at any time.
· A multicast group can be either permanent or temporary.
· A multicast group whose addresses are assigned by IANA is a permanent multicast group. It is also
called reserved multicast group.
Note that:
· The IP addresses of a permanent multicast group keep unchanged, while the members of the group
can be changed.
· There can be any number of, or even zero, members in a permanent multicast group.
· Those IP multicast addresses not assigned to permanent multicast groups can be used by temporary
multicast groups.
Class D IP addresses range from 224.0.0.0 to 239.255.255.255. For details, see Table 1-1.
Table 1-1 Range and description of Class D IP addresses
Class D address range | Description
224.0.0.0 to 224.0.0.255 | Reserved multicast addresses (IP addresses for permanent multicast groups). The IP address 224.0.0.0 is reserved. Other IP addresses can be used by routing protocols.
224.0.1.0 to 231.255.255.255 and 233.0.0.0 to 238.255.255.255 | Available any-source multicast (ASM) addresses (IP addresses for temporary groups). They are valid for the entire network.
232.0.0.0 to 232.255.255.255 | Available source-specific multicast (SSM) group addresses.
239.0.0.0 to 239.255.255.255 | Local management multicast addresses, which are for specific local use only.
As specified by IANA, the IP addresses ranging from 224.0.0.0 to 224.0.0.255 are reserved for network
protocols on local networks. The following table lists commonly used reserved IP multicast addresses:
Table 1-2 Reserved IP multicast addresses
Class D address | Description
224.0.0.1 | Address of all hosts
224.0.0.2 | Address of all multicast routers
224.0.0.3 | Unassigned
224.0.0.4 | Distance vector multicast routing protocol (DVMRP) routers
224.0.0.5 | Open shortest path first (OSPF) routers
224.0.0.6 | Open shortest path first designated routers (OSPF DR)
224.0.0.7 | Shared tree routers
224.0.0.8 | Shared tree hosts
224.0.0.9 | RIP-2 routers
224.0.0.11 | Mobile agents
224.0.0.12 | DHCP server/relay agent
224.0.0.13 | All protocol independent multicast (PIM) routers
224.0.0.14 | Resource reservation protocol (RSVP) encapsulation
224.0.0.15 | All core-based tree (CBT) routers
224.0.0.16 | The specified subnetwork bandwidth management (SBM)
224.0.0.17 | All SBMs
224.0.0.18 | Virtual router redundancy protocol (VRRP)
224.0.0.19 to 224.0.0.255 | Other protocols
Note:
Just as the private network segment 10.0.0.0/8 is reserved for unicast, IANA has reserved the network segment 239.0.0.0 to 239.255.255.255 for multicast. These are administratively scoped addresses. With administratively scoped addresses you can define the range of multicast domains flexibly and isolate IP addresses between different multicast domains, so that the same multicast address can be used in different multicast domains without causing collisions.
b) Ethernet multicast MAC address
When a unicast IP packet is transported in an Ethernet network, the destination MAC address is the MAC
address of the receiver. When a multicast packet is transported in an Ethernet network, a multicast MAC address is
used as the destination address because the destination is a group with an uncertain number of members.
As stipulated by IANA, the high-order 24 bits of a multicast MAC address are 0x01005e, while the low-order
23 bits of a MAC address are the low-order 23 bits of the multicast IP address. Figure 1-5 describes the mapping
relationship:
Figure 1-5 Mapping relationship between multicast IP address and multicast MAC address
The high-order four bits of the IP multicast address are 1110, representing the multicast ID. Only 23 bits of the
remaining 28 bits are mapped to a MAC address. Thus, five bits of the multicast IP address are lost. As a result, 32 IP
multicast addresses are mapped to the same MAC address.
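The mapping in Figure 1-5 and the 32-to-1 collision it causes, as an added Python example (not QTech code): multicast_mac() builds the MAC from the 01:00:5e OUI and the low-order 23 bits, and colliding_groups() lists the 32 groups that a MAC-keyed forwarding table cannot tell apart, which is why snooping entries keyed only on MAC deliver one group's frames to listeners of another.

```python
"""IPv4 multicast group to Ethernet MAC mapping from 5.1.1 b), as an added
example (not QTech code): the 01:00:5e OUI plus the low-order 23 bits of the
group address, and the 32 groups that therefore share one MAC."""
import ipaddress

MCAST_OUI = 0x01005E         # high-order 24 bits fixed by IANA
LOST_BITS_MASK = 0x0F800000  # bits 27..23 of the address are not copied


def multicast_mac(group):
    """Return the multicast MAC for an IPv4 Class D address, e.g.
    224.0.1.1 -> 01:00:5e:00:01:01."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a Class D address")
    mac = (MCAST_OUI << 24) | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def colliding_groups(group):
    """All 32 Class D addresses mapped to the same MAC as 'group'. A
    forwarding table keyed on MAC (the MAC multicast group entries of
    Table 2-3) cannot tell these groups apart, so hosts listening to one of
    them also receive frames sent to the other 31."""
    base = int(ipaddress.IPv4Address(group)) & ~LOST_BITS_MASK & 0xFFFFFFFF
    return [str(ipaddress.IPv4Address(base | (i << 23))) for i in range(32)]
```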
5.2 GMRP Overview
GMRP (GARP Multicast Registration Protocol), based on GARP, is used for maintaining multicast
registration information of the switch. All GMRP-capable switches can receive multicast registration information
from other switches, dynamically update local multicast registration information, and send their own local multicast
registration information to other switches. This information switching mechanism keeps consistency of the multicast
information maintained by every GMRP-supporting device in the same switching network.
A host sends a GMRP Join message, if it is interested in joining a multicast group. After receiving the message,
the switch adds the port on which the message was received to the multicast group, and broadcasts the message
throughout the VLAN where the receiving port resides. In this way, the multicast source in the VLAN gets aware of
the existence of the multicast group member. When the multicast source sends multicast packets to a group, the
switch only forwards the packets to ports connected to the members of that group, thereby implementing Layer 2
multicast in the VLAN.
5-88
5.3 GMRP Configuration
5.3.1 GMRP Configuration list
In all configurations, enable global GMRP before enabling GMRP on a port. The GMRP configuration list is as
follows:
· Enable/disable global GMRP
· Enable/disable GMRP on a port
· Display GMRP
· Add/delete multicast that can be dynamically learnt by GMRP
· Display multicast that can be learnt by GMRP
5.3.2 Enable/disable global GMRP
Please configure it in global configuration mode:
· Enable global GMRP
gmrp
· Disable global GMRP
no gmrp
By default, GMRP is disabled globally.
For example:
! Enable GMRP globally
QTECH(config)#gmrp
5.3.3 Enable/disable GMRP on a port
Enable global GMRP before enabling GMRP on a port. Please configure it in interface configuration mode:
· Enable GMRP on a port
gmrp
· Disable GMRP on a port
no gmrp
For example:
! Enable GMRP on Ethernet port 3
QTECH(config-if-ethernet-0/3)#gmrp
Caution: Enable global GMRP before enabling GMRP on a port. By default, global
GMRP is disabled, and GMRP on a port can only be enabled on a trunk mode interface.
5.3.4 Display GMRP
· Use following command in any configuration mode to display global GMRP:
show gmrp
· Use following command in any configuration mode to display GMRP on a port:
show gmrp interface [ interface-list ]
The interface-list keyword is optional. If it is not specified, the command displays GMRP information for
all Ethernet ports; if it is specified, the command displays GMRP information for the specified Ethernet ports.
For example:
! Display GMRP information of Ethernet 0/2 to ethernet 0/4 ethernet 2/1
QTECH(config)#show gmrp interface ethernet 0/2 to ethernet 0/4 ethernet 2/1
port GMRP status
e0/2 enable
e0/3 enable
e0/4 enable
e2/1 enable
Total entries: 4.
5.3.5 Add/delete multicast that can be dynamically learnt by GMRP
Add a configured static multicast group to GMRP so that other switches can learn it.
garp permit multicast [ mac-address mac vlan vlan-id ]
Example:
Add multicast group 01:00:5e:00:01:01 vlan 1 to GMRP
QTECH(config)#garp permit multicast mac-address 01:00:5e:00:01:01 vlan 1
5.3.6 Display multicast that can be learnt by GMRP
Display the multicast groups that can be statically learnt by GMRP.
show garp permit multicast
For example: Display multicast group that can be statically learnt by GMRP
QTECH(config)#show garp permit multicast
5.4 IGMP Snooping Configuration
5.4.1 IGMP Snooping Overview
Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that
runs on Layer 2 devices to manage and control multicast groups.
By listening to and analyzing IGMP messages, a Layer 2 device running IGMP Snooping establishes
mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
As shown in Figure 1, when IGMP Snooping is not running on the switch, multicast packets are broadcast to
all devices at Layer 2. When IGMP Snooping is running on the switch, multicast packets for known multicast groups
are multicast to the receivers, rather than broadcast to all hosts, at Layer 2.
Figure 1 Before and after IGMP Snooping is enabled on the Layer 2 device
5.4.2 Basic Concepts in IGMP Snooping
a) IGMP Snooping related ports
As shown in Figure 2, Router A connects to the multicast source, IGMP Snooping runs on Switch A and
Switch B, Host A and Host C are receiver hosts (namely, multicast group members).
Figure 2 IGMP Snooping related ports
Ports involved in IGMP Snooping, as shown in Figure 2, are described as follows:
· Router port: A router port is a port on the Ethernet switch that leads the switch towards the Layer 3
multicast device (DR or IGMP querier). In the figure, Ethernet 1/0 of Switch A and Ethernet 1/0 of
Switch B are router ports. The switch registers all its local router ports (including static and dynamic
router ports) in its router port list.
· Member port: A member port is a port on the Ethernet switch that leads the switch towards multicast
group members. In the figure, Ethernet 1/1 and Ethernet 1/2 of Switch A and Ethernet 1/1 of Switch B
are member ports. The switch registers all the member ports (including static and dynamic member
ports) on the local device in its IGMP Snooping forwarding table.
Note:
· Whenever mentioned in this document, a router port is a port on the switch that
leads the switch to a Layer 3 multicast device, rather than a port on a router.
· An IGMP-snooping-enabled switch deems all its ports on which IGMP general
queries with a source address other than 0.0.0.0 or PIM hello messages are received to be router ports.
b) Port aging timers in IGMP Snooping and related messages and actions
Table 1 Port aging timers in IGMP Snooping and related messages and actions
Timer | Description | Message before expiry | Action after expiry
Router port aging timer | For each router port, the switch sets a timer initialized to the aging time of the router port. | IGMP general query of which the source address is not 0.0.0.0, or PIM hello | The switch removes this port from its router port list.
Member port aging timer | When a port joins a multicast group, the switch sets a timer for the port, initialized to the member port aging time. | IGMP membership report | The switch removes this port from the multicast group forwarding table.
Note:
The port aging mechanism of IGMP Snooping works only for dynamic ports; a static port will never age out.
5.4.3 How IGMP Snooping Works
A switch running IGMP Snooping performs different actions when it receives different IGMP messages, as
follows:
a) When receiving a general query
The IGMP querier periodically sends IGMP general queries to all hosts and routers (224.0.0.1) on the local
subnet to find out whether active multicast group members exist on the subnet.
Upon receiving an IGMP general query, the switch forwards it through all ports in the VLAN except the
receiving port and performs the following to the receiving port:
· If the receiving port is a router port existing in its router port list, the switch resets the
aging timer of this router port.
· If the receiving port is not a router port existing in its router port list, the switch adds it
into its router port list and sets an aging timer for this router port.
b) When receiving a membership report
A host sends an IGMP report to the multicast router in the following circumstances:
· Upon receiving an IGMP query, a multicast group member host responds with an IGMP
report.
· When it intends to join a multicast group, a host sends an IGMP report to the multicast
router to announce that it is interested in the multicast information addressed to that group.
Upon receiving an IGMP report, the switch forwards it through all the router ports in the VLAN, resolves the
address of the reported multicast group, and performs the following:
· If no forwarding table entry exists for the reported group, the switch creates an entry, adds
the port as member port to the outgoing port list, and starts a member port aging timer for that port.
· If a forwarding table entry exists for the reported group, but the port is not included in the
outgoing port list for that group, the switch adds the port as a member port to the outgoing port list, and starts a member port aging timer for that port.
· If a forwarding table entry exists for the reported group and the port is included in the
outgoing port list, which means that this port is already a member port, the switch resets the member port aging timer for that port.
Note:
A switch does not forward an IGMP report through a non-router port. The reason is as follows: Due to the IGMP report suppression mechanism, if the switch forwards a report message through a member port, all the attached hosts listening to the reported multicast address will suppress their own reports upon hearing this report, and this will prevent the switch from knowing whether any hosts attached to that port are still active members of the reported multicast group.
c) When receiving a leave group message
When an IGMPv1 host leaves a multicast group, the host does not send an IGMP leave group message, so the switch cannot know immediately that the host has left the multicast group. However, as the host stops sending IGMP reports as soon as it leaves a multicast group, the switch deletes the forwarding entry for the member port corresponding to the host from the forwarding table when its aging timer expires.
When an IGMPv2 or IGMPv3 host leaves a multicast group, the host sends an IGMP leave group message to the multicast router.
When the switch hears a group-specific IGMP leave group message on a member port, it first checks whether a forwarding table entry for that group exists, and, if one exists, whether its outgoing port list contains that port.
· If the forwarding table entry does not exist or if its outgoing port list does not contain the
port, the switch discards the IGMP leave group message instead of forwarding it to any port.
· If the forwarding table entry exists and its outgoing port list contains the port, the switch
forwards the leave group message to all router ports in the VLAN. Because the switch does not know whether any other hosts attached to the port are still listening to that group address, the switch does not immediately remove the port from the outgoing port list of the forwarding table entry for that group; instead, it resets the member port aging timer for the port.
Upon receiving the IGMP leave group message from a host, the IGMP querier resolves from the message the address of the multicast group that the host just left and sends an IGMP group-specific query to that multicast group through the port that received the leave group message. Upon hearing the IGMP group-specific query, the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group, and performs the following:
· If any IGMP report in response to the group-specific query is heard on a member port
before its aging timer expires, this means that some host attached to the port is receiving or expecting to receive multicast data for that multicast group. The switch resets the aging timer of the member port.
· If no IGMP report in response to the group-specific query is heard on a member port
before its aging timer expires, this means that no hosts attached to the port are still listening to that group address: the switch removes the port from the outgoing port list of the forwarding table entry for that multicast group when the aging timer expires.
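The behaviour of a) to c) above as a small simulation, added here as an example and not QTech firmware code: a toy snooping switch with an integer clock so that router port and member port aging can be exercised. Port names, the timer values, and the 10.0.0.1 querier address are assumptions; the leave handling uses the max-response-time window described in 5.4.8.

```python
"""Minimal model of the IGMP Snooping behaviour described in 5.4.3.
Added example, not QTech firmware code; the timer values and port names
are assumptions, and time is an integer clock so aging can be exercised."""
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    ports: tuple = ("e1/0", "e1/1", "e1/2")
    router_aging: int = 105      # router port aging time (assumed)
    member_aging: int = 260      # member port aging time (assumed)
    max_response: int = 13       # leave -> group-specific query wait (5.4.8)
    router_ports: dict = field(default_factory=dict)  # port -> expiry
    groups: dict = field(default_factory=dict)        # group -> {port: expiry}
    now: int = 0

    def tick(self, seconds):
        """Advance the clock; dynamic entries whose timers expired age out."""
        self.now += seconds
        for p in [p for p, t in self.router_ports.items() if t <= self.now]:
            del self.router_ports[p]
        for g in list(self.groups):
            for p in [p for p, t in self.groups[g].items() if t <= self.now]:
                del self.groups[g][p]
            if not self.groups[g]:
                del self.groups[g]

    def _to_router_ports(self, in_port):
        return sorted(p for p in self.router_ports if p != in_port)

    def general_query(self, in_port, src_ip):
        """a) General query: flood it to every other port in the VLAN and
        (re)start the router port timer on the receiving port. Queries with
        source 0.0.0.0 do not make a port a router port (note in 5.4.2)."""
        if src_ip != "0.0.0.0":
            self.router_ports[in_port] = self.now + self.router_aging
        return [p for p in self.ports if p != in_port]

    def report(self, in_port, group):
        """b) Membership report: learn the member port and forward only
        towards router ports, never to other member ports (report suppression)."""
        self.groups.setdefault(group, {})[in_port] = self.now + self.member_aging
        return self._to_router_ports(in_port)

    def leave(self, in_port, group):
        """c) Leave: discard unless the port is a member of that group; else
        forward to router ports and keep the port until the group-specific
        query window (max-response-time) passes without a report."""
        members = self.groups.get(group)
        if not members or in_port not in members:
            return []
        members[in_port] = self.now + self.max_response
        return self._to_router_ports(in_port)

    def group_specific_query(self, in_port, group):
        """Forward to all router ports and all member ports of that group."""
        out = set(self.router_ports) | set(self.groups.get(group, {}))
        return sorted(out - {in_port})

    def forward_data(self, group, in_port):
        """Known groups go to member and router ports only; unknown groups are
        still flooded in the VLAN, which is the case snooping exists to limit."""
        if group not in self.groups:
            return [p for p in self.ports if p != in_port]
        out = set(self.groups[group]) | set(self.router_ports)
        return sorted(out - {in_port})


def scenario():
    """Query -> report -> leave -> group-specific query -> aging walk-through."""
    sw, log = SnoopingSwitch(), {}
    log["query_flood"] = sw.general_query("e1/0", "10.0.0.1")  # e1/0: router port
    sw.general_query("e1/2", "0.0.0.0")          # source 0.0.0.0: not a router port
    log["router_ports"] = sorted(sw.router_ports)
    log["report_fwd"] = sw.report("e1/1", "224.0.1.1")
    log["data_known"] = sw.forward_data("224.0.1.1", "e1/0")
    log["data_unknown"] = sw.forward_data("224.0.1.2", "e1/0")
    log["leave_dropped"] = sw.leave("e1/2", "224.0.1.1")       # not a member
    log["leave_fwd"] = sw.leave("e1/1", "224.0.1.1")
    log["gsq_fwd"] = sw.group_specific_query("e1/0", "224.0.1.1")
    sw.tick(sw.max_response)                 # no report heard in the window
    log["members_after"] = sorted(sw.groups.get("224.0.1.1", {}))
    sw.tick(sw.router_aging)                 # no further general queries
    log["router_after"] = sorted(sw.router_ports)
    return log
```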
5.4.4 Processing of Multicast Protocol Messages
With Layer 3 multicast routing enabled, an IGMP Snooping switch processes multicast protocol messages differently under different conditions, specifically as follows:
1) If only IGMP is enabled, or both IGMP and PIM are enabled on the switch, the switch handles multicast
protocol messages in the normal way.
2) If only PIM is enabled on the switch:
· The switch broadcasts IGMP messages as unknown messages in the VLAN.
· Upon receiving a PIM hello message, the switch maintains the corresponding router
port.
3) When IGMP is disabled on the switch, or when IGMP forwarding entries are cleared (by using the reset
igmp group command):
· If PIM is disabled, the switch clears all its Layer 2 multicast entries and router ports.
· If PIM is enabled, the switch clears only its Layer 2 multicast entries without deleting its
router ports.
4) When PIM is disabled on the switch:
· If IGMP is disabled, the switch clears all its router ports.
· If IGMP is enabled, the switch maintains all its Layer 2 multicast entries and router ports.
Table 2-3 IGMP Snooping messages
Message | Sender | Receiver | Purpose | Switch action
IGMP general query message | Multicast router and multicast switch | Multicast member switch and host | Query if the multicast groups contain any member | Check if the message comes from the original router port. If yes, reset the aging timer of the router port. If not, notify the multicast router that a member is in a multicast group and start the aging timer for the router port.
IGMP group-specific query message | Multicast router and multicast switch | Multicast member switch and host | Query if a specific IGMP multicast group contains any member | Send an IGMP group-specific query message to the IP multicast group being queried.
IGMP host report message | Host | Multicast router and multicast switch | Apply for joining a multicast group, or respond to an IGMP query message | Check if the IP multicast group has a corresponding MAC multicast group. If yes, check if the port exists in the MAC multicast group. If yes, add the port to the IP multicast group. If not, add the port to the MAC multicast group, reset the aging timer of the port and check if the corresponding IP multicast group exists. If yes, add the IP multicast group address to the MAC multicast group table and add the port to the IP multicast group. If not, create an IP multicast group and add the port to it. If no MAC multicast group exists: create a MAC multicast group and notify the multicast router that a member is ready to join the multicast group. Add the port to the MAC multicast group and start the aging timer of the port. Add all ports in the VLAN owning this port to the forward port list of the MAC multicast group. Add the port to the IP multicast group.
IGMP leave message | Host | Multicast router and multicast switch | Notify the multicast router and multicast switch that the host is leaving its multicast group. | Multicast router and multicast switch send IGMP group-specific query packet(s) to the multicast group whose member host sends leave packets to check if the multicast group has any members, and enable the corresponding query timer. If no response is received from the port before the timer times out, the switch checks whether the port corresponds to a single MAC multicast group. If yes, remove the corresponding MAC multicast group and IP multicast group. If no, remove only those entries that correspond to this port in the MAC multicast group, and remove the corresponding IP multicast group entries. If no response is received from the multicast group before the timer times out, notify the router to remove this multicast group node from the multicast tree.
Caution:
An IGMP-Snooping-enabled Ethernet switch judges whether the multicast group exists when it receives an IGMP leave packet sent by a host in a multicast group. If this multicast group does not exist, the switch will drop the IGMP leave packet instead of forwarding it.
5.4.5 Protocols and Standards
IGMP Snooping is documented in:
RFC 4541: Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener
Discovery (MLD) Snooping Switches
5.4.6 IGMP Snooping configuration
Use the following commands to control whether IGMP Snooping builds the Layer 2 multicast MAC address
forwarding table.
Use following command in global configuration mode:
· Enable IGMP Snooping
igmp-snooping
· Disable IGMP Snooping
no igmp-snooping
By default, IGMP Snooping is disabled.
· Display IGMP Snooping
Use the following command in any mode to display IGMP Snooping:
show igmp-snooping
For example:
! Display IGMP snooping information
QTECH(config)#show igmp-snooping
5.4.7 IGMP Snooping multicast interface aging time configuration
Use the following command in global configuration mode to configure the host-aging-time of dynamic multicast groups
learnt by igmp-snooping:
igmp-snooping host-aging-time seconds
Use the following command to display the host-aging-time of dynamic multicast groups learnt by igmp-snooping:
show igmp-snooping
For example:
! Configure host-aging-time of the dynamic multicast group learnt by igmp-snooping to be 10 seconds
QTECH(config)#igmp-snooping host-aging-time 10
5.4.8 IGMP Snooping max-response-time configuration
Configure the maximum response time after which a port is deleted from a group when a leave packet is received:
igmp-snooping max-response-time seconds
Use this command in global configuration mode.
For example:
! Configure the max-response-time of igmp-snooping is 13 seconds
QTECH(config)#igmp-snooping max-response-time 13
5.4.9 IGMP Snooping interface fast-leave configuration
Configure fast-leave on an interface. When fast-leave is enabled and a leave packet is received, the interface leaves
the group immediately; otherwise the time to leave is determined by the max-response-time:
igmp-snooping fast-leave
Use this command in interface configuration mode.
For example:
! Enable igmp-snooping fast-leave
QTECH(config-if-ethernet-0/1)#igmp-snooping fast-leave
5.4.10 Configure the number of multicast groups allowed to be learnt
Use the igmp-snooping group-limit command to configure the number of multicast groups allowed to be learnt.
igmp-snooping group-limit limit
Use this command in global configuration mode.
For example:
! Configure the igmp-snooping group-limit to be 10
QTECH(config-if-ethernet-0/1)#igmp-snooping group-limit 10
5.4.11 IGMP Snooping permit/deny group configuration
Configure igmp-snooping permit/deny group and default group learning regulation.
Configure igmp-snooping permit/deny group in interface configuration mode:
igmp-snooping { permit | deny } group group-address
Configure igmp-snooping default group learning regulation in global configuration mode:
igmp-snooping { permit | deny } group all
For example:
! Configure Ethernet 0/1 not to learn multicast 01:00:5e:00:01:01
QTECH(config-if-ethernet-0/1)#igmp-snooping deny group 01:00:5e:00:01:01
! Configure the learning regulation of default group to allow all multicast group
QTECH(config)#igmp-snooping permit group all
5.4.12 IGMP Snooping route-port forward configuration
The multicast router interface is the interface on which IGMP query packets are received (it is also called the mix
router interface).
Use the igmp-snooping route-port forward command to configure whether the router interface is added to the IGMP
snooping learnt groups. By default, the router interface is not added to the IGMP snooping learnt groups.
Use the following commands in global configuration mode:
igmp-snooping route-port forward
no igmp-snooping route-port forward
For example:
! Enable igmp-snooping route-port forward
QTECH(config)#igmp-snooping route-port forward
5.4.13 Enable/disable IGMP Snooping querier
To set up the multicast forwarding table, IGMP query packets must be sent. The device that sends them is called the querier.
Enable or disable the querier sending IGMP query packets. By default, it does not send them.
Configure it in global configuration mode:
igmp-snooping querier
no igmp-snooping querier
Example:
! Enable igmp-snooping querier
QTECH(config)# igmp-snooping querier
5.4.14 Configure IGMP Snooping query-interval
Configure interval of sending IGMP query. It is defaulted to be 60s.
Configure it in global configuration mode:
igmp-snooping query-interval seconds
no igmp-snooping query-interval
Example:
! Configure interval of sending IGMP query to be 90s