ISCOM S2600 (A) Series Configuration Guide (CLI) (Rel_02)
Notice
Copyright ©2024
Raisecom
All rights reserved.
No part of this publication may be excerpted, reproduced, translated, or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from Raisecom
Technology Co., Ltd.
Preface
Objectives
This document describes features supported by the ISCOM S2600 (A), and related
configurations, including basic configurations, basic principles and configuration procedures
of Ethernet, ring network protection, reliability, security, and QoS, and related configuration
examples.
The appendix lists terms, acronyms, and abbreviations involved in this document.
By reading this document, you can master principles and configurations of the device, and
how to network with the device.
Versions
The following table lists the product versions related to this document.
Conventions
Symbol conventions
The symbols that may be found in this document are defined as below.
Symbol Description
Caution Indicates a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.
Note Provides additional information to emphasize or supplement important points of the main text.
Tip Indicates a tip that may help you solve a problem or save time.
General conventions
Convention Description
Times New Roman Normal paragraphs are in Times New Roman.
Arial Paragraphs in Warning, Caution, Notes, and Tip are in Arial.
Boldface Buttons and navigation paths are in Boldface.
Italic Book titles are in italics.
Lucida Console Terminal display is in Lucida Console.
Command conventions
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[ ] Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... } Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ] Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } * Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] * The parameter before the & sign can be repeated 1 to n times.
Change history
Updates between document versions are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Issue 02 (2024-07-05)
Second commercial release
Issue 01 (2023-12-10)
Initial commercial release
Contents
2 Ethernet ......................................................................................................................................... 33
2.1 MAC address table ......................................................................................................................................... 33
2.1.1 Introduction ........................................................................................................................................... 33
2.1.2 Preparing for configurations ................................................................................................................. 35
2.1.3 Default configurations of MAC address table ....................................................................................... 36
2.1.4 Configuring the static MAC address ..................................................................................................... 36
2.1.5 Configuring the blackhole MAC address .............................................................................................. 36
2.1.6 Configuring MAC address learning ...................................................................................................... 36
2.1.7 Configuring MAC address learning based on VLAN ........................................................................... 37
2.1.8 Configuring the MAC address limit ...................................................................................................... 37
2.1.9 Configuring the aging time of MAC addresses ..................................................................................... 37
2.1.10 MAC address flapping detection and protection ................................................................................. 38
2.1.11 Checking configurations ..................................................................................................................... 38
2.1.12 Maintenance ........................................................................................................................................ 39
2.1.13 Example for configuring the MAC address table ................................................................................ 39
2.2 VLAN ............................................................................................................................................................. 41
2.2.1 Introduction ........................................................................................................................................... 41
2.2.2 Preparing for configurations ................................................................................................................. 44
2.2.3 Default configurations of VLAN .......................................................................................................... 44
2.2.4 Configuring VLAN attributes ............................................................................................................... 45
2.2.5 Configuring the interface mode ............................................................................................................ 45
2.2.6 Configuring the VLAN on the Access interface ................................................................................... 45
2.2.7 Configuring the VLAN on the Trunk interface ..................................................................................... 46
2.2.8 Configuring the VLAN based on the Hybrid interface ......................................................................... 47
2.2.9 Configuring the VLAN based on MAC address ................................................................................... 47
2.2.10 Configuring the VLAN based on IP subnet ........................................................................................ 48
2.2.11 Configuring the VLAN based on protocol .......................................................................................... 48
2.2.12 Checking configurations ..................................................................................................................... 49
2.2.13 Querying VLAN statistics ................................................................................................................... 49
2.2.14 Example for configuring VLANs ........................................................................................................ 50
2.3 Voice VLAN ................................................................................................................................................... 52
2.3.1 Introduction ........................................................................................................................................... 52
3 IP services ..................................................................................................................................... 77
3.1 IP basis ........................................................................................................................................................... 77
3.1.1 Introduction ........................................................................................................................................... 77
3.1.2 Preparing for configurations ................................................................................................................. 77
3.1.3 Default configurations of VLAN interface ........................................................................................... 77
3.1.4 Configuring the IPv4 address of the VLAN interface ............................................................................. 78
3.1.5 Configuring the IPv6 address of the interface ....................................................................................... 78
3.1.6 Checking configurations ....................................................................................................................... 79
3.1.7 Example for configuring the VLAN interface to interconnect with the host ........................................ 79
4 DHCP ............................................................................................................................................. 97
4.1 ZTP................................................................................................................................................................. 97
4.1.1 Introduction ........................................................................................................................................... 97
4.1.2 Preparing for configuration ................................................................................................................... 98
4.1.3 Default configurations of ZTP .............................................................................................................. 98
4.1.4 Configuring ZTP ................................................................................................................................... 99
4.1.5 Checking configurations ....................................................................................................................... 99
4.2 DHCP Client .................................................................................................................................................. 99
4.2.1 Introduction ........................................................................................................................................... 99
4.2.2 Preparing for configurations ............................................................................................................... 102
4.2.3 Default configurations of DHCP Client .............................................................................................. 102
4.2.4 Configuring DHCP Client ................................................................................................................... 102
4.2.5 Configuring DHCPv6 Client ............................................................................................................... 103
4.2.6 Checking configurations ..................................................................................................................... 104
4.2.7 Example for configuring DHCP Client ............................................................................................... 104
4.3 DHCP Server ................................................................................................................................................ 106
4.3.1 Introduction ......................................................................................................................................... 106
4.3.2 Preparing for configurations ............................................................................................................... 108
4.3.3 Creating and configuring the IPv4 address pool ................................................................................. 109
4.3.4 Enabling DHCP Server on the interface .............................................................................................. 109
4.3.5 Recycling the IP address pool ............................................................................................................. 110
4.3.6 Configuring DHCPv4 Server PING .................................................................................................... 110
4.3.7 Creating and configuring the IPv6 address pool ................................................................................. 110
4.3.8 Enabling DHCPv6 Server on the interface ......................................................................................... 111
4.3.9 Recycling the IPv6 address pool ......................................................................................................... 111
4.3.10 Checking configurations ................................................................................................................... 111
4.3.11 Maintenance ...................................................................................................................................... 112
4.3.12 Example for configuring DHCPv4 Server ........................................................................................ 112
4.4 DHCP Relay ................................................................................................................................................. 114
4.4.1 Introduction ......................................................................................................................................... 114
4.4.2 Preparing for configurations ............................................................................................................... 115
4.4.3 Default configurations of DHCP Relay............................................................................................... 115
4.4.4 Configuring interface DHCP Relay .................................................................................................... 116
4.4.5 Configuring interface DHCPv6 Relay ................................................................................................ 116
4.4.6 Configuring DHCP Relay to support Option 82 ................................................................................. 116
4.4.7 Configuring DHCP Relay to support Option 18/37 ............................................................................ 117
4.4.8 Checking configurations ..................................................................................................................... 117
4.4.9 Maintenance ........................................................................................................................................ 118
4.4.10 Example for configuring DHCPv4 Relay ......................................................................................... 118
6.2.8 Configuring the static multicast member of IGMP Snooping ............................................................. 149
6.2.9 Configuring IGMP Snooping Proxy.................................................................................................... 149
6.2.10 Configuring the limit on the number of IGMP Snooping interface multicast groups ....................... 150
6.2.11 Configuring the multicast policy of IGMP Snooping ........................................................................ 150
6.2.12 Configuring IGMP Snooping SSM Mapping .................................................................................... 151
6.2.13 Configuring the static router interface of IGMP Snooping ............................................................... 151
6.2.14 Checking configurations ................................................................................................................... 152
6.2.15 Maintenance ...................................................................................................................................... 152
6.2.16 Example for configuring basic functions of IGMP Snooping ........................................................... 152
6.2.17 Example for configuring the static member of IGMP Snooping ....................................................... 154
6.2.18 Example for configuring IGMP Snooping multicast copy ................................................................ 157
6.2.19 Example for configuring IGMP Snooping Proxy .............................................................................. 159
6.2.20 Example for configuring the multicast policy of IGMP Snooping .................................................... 161
6.3 MLD Snooping............................................................................................................................................. 163
6.3.1 Introduction ......................................................................................................................................... 163
6.3.2 Preparing for configurations ............................................................................................................... 164
6.3.3 Default configurations of MLD Snooping .......................................................................................... 164
6.3.4 Configuring basic functions of MLD Snooping .................................................................................. 165
6.3.5 Configuring MLD Snooping Querier .................................................................................................. 165
6.3.6 Configuring MLD Snooping packet suppression ................................................................................ 166
6.3.7 Configuring MLD Snooping multicast copy ....................................................................................... 166
6.3.8 Configuring the static multicast member of MLD Snooping .............................................................. 167
6.3.9 Configuring MLD Snooping Proxy .................................................................................................... 167
6.3.10 Configuring the limit on the number of MLD Snooping interface multicast groups ........................ 167
6.3.11 Configuring the multicast policy of MLD Snooping......................................................................... 168
6.3.12 Configuring MLD Snooping SSM Mapping ..................................................................................... 168
6.3.13 Checking configurations ................................................................................................................... 169
6.3.14 Maintenance ...................................................................................................................................... 169
6.3.15 Example for configuring basic functions of MLD Snooping ............................................................ 169
6.3.16 Example for configuring the static member of MLD Snooping ........................................................ 171
6.3.17 Example for configuring MLD Snooping multicast copy ................................................................. 174
6.3.18 Example for configuring MLD Snooping Proxy ............................................................................... 176
6.3.19 Example for configuring the multicast policy of MLD Snooping ..................................................... 178
8 Security........................................................................................................................................ 214
8.1 ACL .............................................................................................................................................................. 214
8.1.1 Introduction ......................................................................................................................................... 214
8.1.2 Preparing for configurations ............................................................................................................... 215
8.1.3 Configuring the ACL .......................................................................................................................... 215
8.1.4 Configuring the ACL .......................................................................................................................... 216
8.1.5 Applying the ACL ............................................................................................................................... 221
8.1.6 Configuring statistics .......................................................................................................................... 221
Figures
Figure 1-1 Accessing device through PC connected with RJ45 Console interface ................................................ 2
Figure 1-2 Configuring communication parameters in Hyper Terminal ................................................................ 3
Figure 2-1 Forwarding packets according to the MAC address table .................................................................. 34
Figure 2-6 Networking with adding interface to voice VLAN and configuring it to work in manual mode ....... 55
Figure 2-7 Configuring IP phone to access voice VLAN packets through LLDP................................................ 57
Figure 6-3 Mapping between IPv4 multicast address and multicast MAC address ........................................... 143
Figure 6-4 Operating of IGMP and Layer 2 multicast features .......................................................................... 144
Figure 6-7 Configuring the static member of IGMP Snooping .......................................................................... 155
Figure 6-10 Configuring the multicast policy of IGMP Snooping ..................................................................... 161
Figure 6-13 Configuring the static member of MLD Snooping ......................................................................... 172
Figure 6-16 Configuring the multicast policy of MLD Snooping ...................................................................... 178
Figure 8-6 Accessing the network through PPPoE authentication ..................................................................... 248
Figure 8-7 PPPoE+ networking.......................................................................................................................... 253
Figure 9-1 Static LACP mode Link aggregation networking ............................................................................. 297
Figure 9-11 Failure in forwarding VLAN packets due to RSTP ........................................................................ 323
Figure 9-20 Networking with interface backup in different VLANs ................................................................. 352
Figure 9-21 Interface backup networking .......................................................................................................... 355
Figure 10-13 Networking of outputting system log to log host ......................................................................... 414
Figure 10-18 Chain topology with 2 devices for ISF ......................................................................................... 429
Figure 10-22 Flow for fast deployment with the USB flash disk ....................................................................... 449
Tables
Table 5-2 Default mapping from the IEEE 802.1p egress direction to local priority and color ......................... 123
Table 5-3 Default mapping from the DSCP ingress direction to local priority and color .................................. 124
Table 5-4 Default mapping from the DSCP egress direction to local priority and color .................................... 126
1 Basic configurations
This chapter describes basic configurations and configuration procedures of the device, and
provides related configuration examples, including the following sections:
Accessing device
Loading and upgrade
Time management
PTP
Interface management
The device uses the black wiring Console cable. If you are not sure, see the
corresponding User Manual or Product Description for this device, or consult our
technical personnel.
The following sections take the RJ45 Console interface for example.
Introduction
The Console interface is commonly used to connect the network device with a PC running
terminal emulation programs. You can use this interface to configure and manage local
devices. In this management mode, devices can communicate with each other independent
from the network, so it is called out-of-band management. You can also perform configuration
and management on the device through the Console interface when the network fails.
In the following two conditions, you can only log in to the device and configure it through the
Console interface:
The device is powered on to start for the first time.
Accessing the device through Telnet fails.
Figure 1-1 Accessing device through PC connected with RJ45 Console interface
Checking configurations
Use the following commands to check the configuration results.
Introduction
The device has a default management IP address, and the default subnet mask is
255.255.255.0. To modify the IP address, log in to the device and configure it. Both
the default user name and password are raisecom. In a Telnet session, if you enter the
password incorrectly three times, the Telnet connection is automatically disconnected.
You can use a PC to log in to the device remotely through Telnet. You can log in to a device
from PC at first, then Telnet another device on the network. You do not need to connect a PC
to each device.
If there is an SNMP interface on the device, use it to log in through Telnet. If there is not, use
any interface to enter the management VLAN, and log in through Telnet.
Telnet services provided by the device are as below:
Telnet Server: run the Telnet client program on a PC to log in to the device and perform
configuration and management. As shown in Figure 1-3, the device provides the Telnet
Server service in this case.
When you configure the device through Telnet, do not modify the IP address
frequently; otherwise, the current Telnet connection may be disconnected. Then, you
have to re-establish the Telnet connection with the new IP address.
Checking configurations
Use the following commands to check configuration results.
Introduction
Telnet lacks security authentication and carries its messages over Transmission Control
Protocol (TCP) in plain text, which is a serious potential security hazard. The Telnet service
is exposed to hostile attacks such as Denial of Service (DoS), host IP spoofing, and routing
spoofing. Traditional Telnet and File Transfer Protocol (FTP) transmit passwords and data in
plain text, which cannot satisfy users' security demands. SSHv2 is a network security
protocol that effectively prevents the disclosure of information during remote management
by encrypting data, and provides greater security for remote login and other network services
in the network environment.
SSHv2 exchanges data over TCP and establishes a secure channel on top of it. In addition,
SSHv2 can listen on service ports other than the standard port 22, which reduces exposure to
illegal attacks from the network.
Before accessing the device through SSHv2, you must log in to the device through the
Console interface and start SSH service.
The device supports password authentication and public key authentication.
Password authentication: shares the same database with login authentication. The SSH
client only needs to enter the user name and password to log in to the SSH server remotely.
All transmitted data is encrypted, but this mode cannot prevent attacks from rogue
servers.
Public key authentication: the SSHv2 client is authenticated by user name, password,
and key. Before login, a key pair is generated on the client side, consisting of a host public
key and a host private key; the public key is stored on the SSH server. The data used for
authentication and transmission is encrypted, which prevents attacks from rogue servers.
Checking configurations
Use the following commands to check the configuration results.
Introduction
To make the device easier to configure and maintain, it supports Web network management.
Users can use Web network management to manage and configure devices intuitively
through the graphical interface.
Web network management supports the following two protocols:
Hypertext Transfer Protocol (HTTP): used to transmit Web page information over the
network. After HTTP is enabled on the device, the user can log in to the device through
HTTP and access and control the device on the Web interface.
Secure Hypertext Transfer Protocol (HTTPS): uses the Secure Sockets Layer (SSL)
protocol to ensure that only legitimate clients can access the device, in a secure mode. The
data exchanged between the client and the device is encrypted to ensure the security and
integrity of data transmission, and so to realize secure management of the device.
After Web network management is enabled, remote users can log in to the device through a
Web browser and manage it. After Web network management is disabled, all established
HTTP/HTTPS connections are disconnected.
Checking configurations
Use the following commands to check the configuration results.
Introduction
When you start the device for the first time, connect the PC through Console interface to the
device, enter the initial user name and password in HyperTerminal to log in and configure the
device.
Besides the default user, you can create up to 30 local user accounts.
After configuring the user locking type to login-lock, you can configure the login
failure times and the re-authentication interval. By default, the login failure times is 3
and the re-authentication interval is 10s. When the number of login failures reaches the
upper limit within the silence period, the device enters the login locking status and
cannot be logged in to. After the silence period expires, the lock is released;
alternatively, you can use the unlock command to release the lock manually.
If you lock login manually, the device is permanently locked from login, regardless of
the login failure times and re-authentication interval. Use the unlock command to
release the lock manually.
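The lock-out rules above, modelled as a small state machine in Python. This is an added illustration, not Raisecom code; the timing semantics it assumes (the re-authentication interval is both the window in which failures are counted and the length of the silence period) are labelled in the docstring.

```python
"""Model of the login-lock behaviour described in the text (added illustration).

Assumptions not stated on the page: the re-authentication interval is the
sliding window in which failed attempts are counted, and it is also the
silence period during which login stays locked after the limit is reached.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LoginLock:
    max_failures: int = 3            # default "login failure times" on the page
    interval_s: float = 10.0         # default "re-authentication interval" on the page
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[float] = None                 # automatic lock expiry, None if none
    manual_lock: bool = False                            # permanent lock until unlock()

    def _prune(self, now: float) -> None:
        # keep only failures that fall inside the sliding window
        self.failures = [t for t in self.failures if now - t < self.interval_s]

    def is_locked(self, now: float) -> bool:
        if self.manual_lock:
            return True                       # manual lock ignores all timers
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one login attempt at time `now`; returns 'locked', 'ok' or 'fail'."""
        if self.is_locked(now):
            return "locked"
        self.locked_until = None              # an expired automatic lock is cleared
        self._prune(now)
        if password_ok:
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= self.max_failures:
            # limit reached inside the window: lock for one silence period
            self.locked_until = now + self.interval_s
            self.failures.clear()
        return "fail"

    def lock(self) -> None:
        """Equivalent of the manual lock: stays locked until unlock()."""
        self.manual_lock = True

    def unlock(self) -> None:
        """Equivalent of the unlock command: releases both kinds of lock."""
        self.manual_lock = False
        self.locked_until = None
        self.failures.clear()


def burst_scenario() -> List[str]:
    """Three failures inside 10 s lock the device; correct password is refused until expiry."""
    lk = LoginLock()
    out = [lk.attempt(0.0, False),   # fail 1
           lk.attempt(2.0, False),   # fail 2
           lk.attempt(4.0, False),   # fail 3 -> locked until t=14.0
           lk.attempt(5.0, True),    # right password, but still locked
           lk.attempt(14.5, True)]   # silence period expired -> ok
    lk.lock()
    out.append(lk.attempt(100.0, True))   # manual lock: timers do not matter
    lk.unlock()
    out.append(lk.attempt(100.1, True))   # released by unlock
    return out


def spread_scenario() -> List[str]:
    """Three failures spread over more than 10 s never reach the limit, so no lock."""
    lk = LoginLock()
    return [lk.attempt(0.0, False),
            lk.attempt(6.0, False),
            lk.attempt(12.0, False),   # the t=0 failure has aged out of the window
            lk.attempt(13.0, True)]


if __name__ == "__main__":
    print(burst_scenario())
    print(spread_scenario())
```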
Introduction
If you forget the password for logging in to the device, connect a PC to the Console interface
on the device. In the HyperTerminal interface, enter the temporary password view, obtain the
temporary Serial Number (SN), and generate a temporary password according to the
temporary SN. After logging in to the device with the temporary password, you need to modify
the user password again.
Password restoration can be performed on the Console terminal only.
On the login interface, press Ctrl+P to enter the temporary password view.
By default, restoring the temporary password is enabled.
Introduction
You can configure the properties of the Console, Telnet, and SSH terminals, such as the
timeout, page scrolling control, terminal color, case-sensitivity, and interaction mode.
Introduction
You can configure the BootROM password.
Introduction
Since v7.01.50, the login mode has been modified to address the weak-password vulnerability:
The default login mode for the Console interface is Console interface password, without
a default user name.
On the first login through Telnet or Web (not supported for SSH), you can configure user
accounts.
Login through the Console interface
The default login mode is serial interface login with a password. After the system starts, it
prompts whether to configure the password for the serial interface.
Type "n": enter the system without configuring the password. After the system is
restarted, the prompt will appear again.
Type "y": configure the password for the serial interface, which is automatically saved
and required by next login.
Telnet/Web login
By default, there is no user account on the device. To remotely log in to the device, create a
user account first.
Log in to the device through the Console interface. Create a user account (see the
previous part).
For the first login through Telnet/Web, create a user account directly according to the prompt.
First login means that there is no configuration file on the device and the device is
connected through the out-of-band management interface and its default IP address.
Telnet login
Web login
Loading
Traditionally, configuration files are loaded through the serial interface, which takes a long
time because of the low rate, and remote loading is not available. FTP and TFTP loading modes
solve these problems and make operation more convenient.
The device provides several methods to determine the configuration file name on the TFTP server,
such as entering it manually, obtaining it through DHCP, and using the default name of the
configuration file. Besides, you can assign certain naming conventions for configuration files,
and then the device determines the name according to the naming conventions and its attributes
(device type, MAC address, software version, and so on).
Upgrade
The device needs to be upgraded if you want to add new features, optimize functions, or fix
bugs in the current software version.
The device supports the following upgrade mode:
Upgrade through CLI
Connect the Ethernet interface on the FTP server to the interface on the device. The
default IP address of the interface is 192.168.0.1.
Configure the FTP server, and ensure that the server is available.
Configure the IP address of the FTP server; keep it in the same network segment with
that of the device so that the device can access the FTP server.
Upgrade system software through CLI for the device as below.
DST
DST is a kind of artificially regulated local time system for saving energy. Time is usually
advanced one hour in summer to make people sleep early and rise early to save energy, but
different countries have different stipulations for DST. In this case, you should consider local
conditions when configuring DST.
The device supports configuring the start time, end time, offset of the DST.
NTP
Network Time Protocol (NTP) is a standard Internet protocol for time synchronization, used
to synchronize time between the distributed time servers and clients. NTP transmits data
based on UDP, using UDP port 123 and guaranteeing high precision (error around 10ms).
Figure 1-5 shows basic principles of NTP. Clock synchronization works as below:
Step 1 Switch A sends Switch B an NTP message which carries the timestamp of leaving Switch A.
The timestamp is 10:00:00am and recorded as t1.
Step 2 When the message reaches Switch B, it is added with the timestamp of reaching Switch B,
which is 11:00:01am and recorded as t2.
Step 3 When the message leaves Switch B, it is added with the timestamp of leaving Switch B,
which is 11:00:02am and recorded as t3.
Step 4 When switch A receives the response message, it adds a new timestamp, which is 11:00:03am
and recorded as t4.
At this point, Switch A has enough information to calculate two important parameters:
Round-trip delay of the NTP message: delay = (t4 - t1) - (t3 - t2)
Time offset between Switch A and Switch B: offset = ((t2 - t1) + (t3 - t4)) / 2
Switch A adjusts its clock based on the previous two parameters to synchronize its clock with
Switch B.
The device adopts multiple NTP working modes for time synchronization:
Client/Server mode
In this mode, the client sends clock synchronization messages to different servers. After
receiving the synchronization message, the server sends the response message. The client
receives response messages, performs clock filtering and selection, and is synchronized to the
preferred server.
In this mode, the client can be synchronized to the server time only but the server cannot be
synchronized to the client time. The device cannot work as both a client and a server.
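As an added example (not from the Raisecom guide), the following Python applies the delay and offset formulas above to several constructed request/response exchanges and then performs, in simplified form, the clock filtering and server selection that Client/Server mode describes; the server addresses, stratum values, timestamps and the bounds MAX_DELAY and MAX_STRATUM are assumptions.

```python
from dataclasses import dataclass


def hms(text):
    """'11:00:01' -> seconds since midnight (the guide's timestamps are wall-clock)."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def ntp_delay_offset(t1, t2, t3, t4):
    """Round-trip delay and clock offset exactly as the guide defines them.
    t1 = client send, t2 = server receive, t3 = server send, t4 = client receive;
    t1/t4 are read on the client's clock, t2/t3 on the server's."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset


@dataclass
class Candidate:
    server: str
    stratum: int
    delay: float
    offset: float


# Assumed sanity bounds for the filter; these are not settings of the device.
MAX_DELAY = 1.0     # seconds of round trip a client should still accept
MAX_STRATUM = 15    # stratum 16 means the server itself is unsynchronized


def evaluate(server, stratum, t1, t2, t3, t4):
    """Turn one request/response exchange into a selection candidate."""
    delay, offset = ntp_delay_offset(t1, t2, t3, t4)
    return Candidate(server, stratum, delay, offset)


def plausible(c):
    """Clock filtering: drop exchanges that cannot be trusted. A negative delay
    means the server's t3 - t2 exceeds the whole round trip, i.e. its timestamps
    are inconsistent; a very long round trip makes the offset unreliable because
    only symmetric path delay cancels out; stratum 16 is unsynchronized."""
    return 0 <= c.delay <= MAX_DELAY and c.stratum <= MAX_STRATUM


def select_server(candidates):
    """Clock selection (simplified): among plausible candidates prefer the
    lowest stratum, then the smallest delay. Returns None if nothing survives."""
    good = [c for c in candidates if plausible(c)]
    if not good:
        return None
    return min(good, key=lambda c: (c.stratum, c.delay))


# Constructed sample exchanges (server, stratum, t1, t2, t3, t4) in seconds.
# The client clock reads 10:00:00 while the servers read 11:00:00, so a
# trustworthy exchange should yield an offset of about +3600 s.
SAMPLE_EXCHANGES = [
    ("172.16.0.1", 2, 36000.000, 39600.020, 39600.021, 36000.040),  # 39 ms RTT
    ("172.16.0.3", 3, 36000.000, 39600.350, 39600.351, 36000.700),  # 699 ms RTT
    ("10.0.0.9",   2, 36000.000, 39600.010, 39600.030, 36000.005),  # negative delay
    ("10.0.0.10", 16, 36000.000, 39600.020, 39600.021, 36000.040),  # unsynchronized
]


def run_sample():
    """Evaluate every constructed exchange; the caller filters and selects."""
    return [evaluate(*exchange) for exchange in SAMPLE_EXCHANGES]


if __name__ == "__main__":
    cands = run_sample()
    for c in cands:
        print(f"{c.server:12} stratum {c.stratum:2} delay {c.delay:8.3f}s "
              f"offset {c.offset:10.4f}s plausible={plausible(c)}")
    best = select_server(cands)
    print("selected:", best.server if best else None)
```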
Symmetric mode
In this mode, you can configure the device to be synchronized to a higher-stratum device or
server.
The device configured as the NTP server cannot be configured with the symmetric mode.
SNTP
Simple Network Time Protocol (SNTP) is used to synchronize the system time of the device
to the GMT and translate the GMT into local time according to the system settings of the time zone.
When the SNTP client and server are in different time zones, the SNTP client is
synchronized to the GMT, and the GMT is then translated into local time according to the
system settings of the time zone.
The SNTP client obtains time in two modes: actively sending a request packet or passively
monitoring packets. They are implemented as below:
Unicast mode: the SNTP client actively sends a request packet. After being configured
with the IP address of the SNTP unicast server, the device tries to obtain clock signals
from the SNTP server every 10s. The maximum timeout for obtaining clock signals from
the SNTP server is 3s.
Multicast or broadcast mode: the SNTP client passively monitors packets.
– After being configured to multicast mode, the device monitors the multicast IP
address 224.0.1.1 in real time and obtains clock signals from the SNTP multicast
server. The maximum timeout for obtaining clock signals from the SNTP server is
1.5 times the sending period of the server.
– After being configured to broadcast mode, the device monitors the broadcast IP
address 255.255.255.255 in real time and obtains clock signals from the SNTP
broadcast server. The maximum timeout for obtaining clock signals from the SNTP
server is 1.5 times the sending period of the server.
Scenario
Configure the system time of the device, and guarantee precision of the system time.
The time and time zone that are manually configured take effect immediately.
After NTP or SNTP is enabled, the synchronized time will override the current system
time after a synchronization period.
NTP and SNTP are mutually exclusive, so they cannot be concurrently configured.
Prerequisite
N/A
NTP
Default configurations of NTP are as below.
SNTP
Default configurations of SNTP are as below.
If the device is configured as the NTP reference clock source, it cannot be configured
as the NTP server or NTP symmetric peer; if the device is configured as the NTP
server or symmetric peer, it cannot be configured as the NTP reference clock source.
Networking requirements
Establish a clock synchronization system in a company to keep consistency and precision of
the system time. Basic planning is as below:
Configure Switch A as the master clock source of the clock synchronization system.
Configure Switch B as the client of the clock synchronization system. Configure the
upper-layer Switch A as the NTP server.
Configure Switch C as the NTP peer of Switch B so that Switch C receives downlink
synchronization data from Switch B.
Configuration steps
Step 1 Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#ntp master
SwitchA(config-ntp)#stratum 2
Step 2 Configure Switch B.
Raisecom#hostname SwitchB
SwitchB#config
SwitchB(config)#ntp unicast-server 172.16.0.1
SwitchB(config)#ntp unicast-peer 172.16.0.3
SwitchB(config-ntp)#stratum 3
Step 3 Configure Switch C.
Raisecom#hostname SwitchC
SwitchC#config
SwitchC(config)#ntp unicast-peer 172.16.0.2
SwitchC(config-ntp)#stratum 4
Checking results
Check Switch A.
Use the show ntp config command to view configurations of Switch A.
Check Switch B.
Use the show ntp config command to view configurations of Switch B.
Use the show ntp session command to view information about NTP sessions of Switch B.
Check Switch C.
Use the show ntp config command to view configurations of Switch C.
Use the show ntp session command to view information about NTP sessions of Switch C.
1.4 PTP
1.4.1 Introduction
On modern communication networks, the normal operation of most telecommunication
services requires that the frequency or time differences among all network devices be
maintained within a reasonable level of error, namely, network clock synchronization.
Network clock synchronization includes two concepts: frequency synchronization and phase
synchronization.
Frequency synchronization
Frequency synchronization, also called clock synchronization, refers to the condition where
the frequency of signals remains consistent but the phase is inconsistent with a certain phase
difference. The average rate of the signals is consistent, which can keep all devices on the
network running at the same rate.
Phase synchronization
Phase synchronization, also called time synchronization, refers to the condition where both
the frequency and phase of signals remain consistent. In other words, the phase difference of
the signals is permanently zero.
IEEE1588V2
The full name of IEEE1588 is Precision Clock Synchronization Protocol Standard for
Network Measurement and Control Systems, which is a universal specification for improving
the timing synchronization capability of network systems. During the drafting process,
IEEE1588 mainly refers to Ethernet to develop a distributed communication network with
strict timing synchronization, and is applied to industrial automation systems. IEEE1588
mainly records the sending time and receiving time of synchronous clock information through
software and hardware coordination, and adds time labels to each message. With time records,
the receiver can calculate its own clock error and delay on the network, thus implementing
synchronization between the internal clock of the slave device and the master clock of the
master device on the network. The synchronization establishment time can reach nanosecond
level accuracy. Compared with the Ethernet delay time of 1ms that does not support
IEEE1588, IEEE1588 has greatly improved the timing synchronization index of the entire
network.
The initial IEEE1588 standard was mainly developed for LAN multicast environments (such
as Ethernet), and its applications are limited in the complex environment of
telecommunications networks. Therefore, IEEE began developing a new version of IEEE1588,
also known as IEEE1588v2, in 2005. The main feature of this version is opening the
application interface of IEEE1588, which allows other standard organizations (such as ITU-T
and IETF) to define application parameters, namely, different PTP profiles, such as Telecom
Profile. In March 2008, the IEEE Standards Committee approved v2 of the IEEE1588
standard (1588v2). IEEE1588v2 can provide time synchronization with accuracy better than
1ns, fully meeting future applications in fields, such as telecommunications, industrial control,
and artificial intelligence (AI).
PTP domain
The network that applies PTP is called the PTP domain. A network can contain multiple PTP
domains, each with only one clock source. All devices in a domain are synchronized with
that clock source. Each clock domain has its own synchronization time and is independent of
the others.
Clock nodes
Ordinary clock (OC) node
In the same PTP domain, the node with only one physical interface participating in PTP time
synchronization is called the OC. The device synchronizes time from upstream nodes or
advertises time to downstream nodes through this interface.
Boundary clock (BC) node
In the same PTP domain, the node with two or more physical interfaces participating in PTP
time synchronization is called the BC. The device synchronizes time from upstream nodes
through one interface and advertises time to downstream nodes through other interfaces.
In addition, when the clock node serves as the clock source and simultaneously releases time
to downstream clock nodes through multiple PTP interfaces, it is also known as a BC.
Transparent Clock (TC)
The TC node has multiple PTP interfaces, but it only forwards PTP packets between these
interfaces and performs forwarding delay correction on them, without synchronizing time
through any interface. The BC/OC node needs to synchronize time with other clock nodes
while the TC clock does not. TC includes the following two types:
– End to End Transparent Clock (E2ETC): directly forward non Peer to Peer (non-P2P)
PTP packets on the network, and participate in calculating the delay of the entire link.
– Peer to Peer Transparent Clock (P2PTC): forward Sync packets, Follow_Up packets,
and Announcement packets, terminate other PTP packets, and participate in
calculating the delay of each segment of the entire link.
Master-slave relation
The node devices in the PTP domain synchronize time according to a certain master-slave
relation. The master-slave relation is relative: the node device that advertises time is called the
master node while the node device that synchronizes time is called the slave node; the clock
on the master node is called the master clock while the clock on the slave node is called the
slave clock; the interface that advertises the synchronization time is called the master interface
while the interface that receives the synchronization time is called the slave interface.
A device can both synchronize time from upstream node devices and advertise time to
downstream node devices.
Optimal clock
All clock nodes in the PTP domain are organized in a certain stratum. The reference clock for
the entire domain is the optimal clock, the Grandmaster Clock (GMC), which is the clock at the
highest stratum. Through the exchange of 1588v2 packets between clock nodes, the time of
the optimal clock is synchronized throughout the entire PTP domain, so the optimal clock is
also known as the clock source of the PTP domain. The optimal clock can be statically
specified through manual configuration or dynamically elected through the Best Master Clock
(BMC) algorithm.
Delay mechanism
The device supports the E2E delay mechanism and P2P delay mechanism, used to calculate
the delay at both ends of the link.
Ethernet interface
Ethernet is a very important LAN networking technology which is flexible, simple, and easy
to implement. The Ethernet interface includes the Ethernet electrical interface and Ethernet
optical interface.
The device supports both Ethernet electrical and optical interfaces.
Auto-negotiation
Auto-negotiation is used to make the devices at both ends of a physical link automatically
choose the same working parameters by exchanging information. The auto-negotiation
parameters include duplex mode, interface rate, and flow control. Once successful in
negotiation, the devices at both ends of the link can work in the same duplex mode and
interface rate.
Cable connection
Generally, the Ethernet cable can be categorized as the Medium Dependent Interface (MDI)
cable and Medium Dependent Interface crossover (MDI-X) cable. MDI provides physical and
electrical connection from terminal to network relay device while MDI-X provides connection
between devices of the same type (terminal to terminal). Hosts and routers use MDI cables
while hubs and switches use MDI-X interfaces. Usually, the connection of different devices
should use the MDI cable while devices of the same type should use the MDI-X cable.
Devices in auto-negotiation mode can be connected by the MDI or MDI-X cable.
The Ethernet interfaces of the device support auto-MDI/MDIX.
VLAN interface
The VLAN interface is a logical interface and is used to implement layer 3 interconnection
between VLANs. Each VLAN corresponds to a VLAN interface. After being configured with
an IP address, the VLAN interface can work as the gateway of devices inside the VLAN, and
forward layer 3 packets based on IP address across network segments.
Loopback interface
The Loopback interface is a logical virtual interface. Its physical layer status and link layer
status are Up, so it is stable and can be configured with the IP address. It is usually used in
dynamic routing protocol as the router ID of the device.
Null interface
The Null interface is a logical virtual interface, is always Up, but cannot forward packets and
be configured with the IP address and link layer protocol. It can filter packets, so you can send
needless network traffic to it to avoid complex operations of configuring the ACL. For
example, if you specify the next hop for reaching a network segment as the Null interface in a
network protocol, the Null interface will discard all data packets sent to the network segment.
2 Ethernet
This chapter describes basic principles and configuration procedures for Ethernet, and
provides related configuration examples, including the following sections:
MAC address table
VLAN
Voice VLAN
QinQ
VLAN mapping
MRP/VRP
not listed, the device broadcasts the packet to all interfaces except the receiving interface,
as shown in Figure 2-1.
Multicast: when the device receives a packet of which the destination MAC address is a
multicast address, it will broadcast the packet. If multicast is enabled and storm control
over unknown packets is also enabled, the packet will be sent to the specified Report
interface. If no Report interface is specified, the packet will be discarded.
Broadcast: when the device receives an all-F packet, or the MAC address is not listed in
the MAC address table, the device forwards the packet to all interfaces except the
interface that receives this packet. Broadcast addresses are special multicast addresses.
does not receive packets from the MAC address in the entry during the aging time, the device
will delete the entry.
The device supports automatic aging of MAC addresses. The aging time ranges from 60s to
1000000s and can be 0. The value 0 indicates no aging.
Scenario
Configure the static MAC address table in the following situations:
Static MAC addresses can be configured for a fixed server, specific users (managers,
financial staff), and fixed important hosts, to ensure that all data flows destined for these
MAC addresses are forwarded preferentially from the interface associated with the static MAC address.
For an interface with a fixed static MAC address, you can disable MAC address learning
to prevent other hosts from accessing LAN data through the interface.
Configure the aging time of dynamic MAC addresses to avoid saving excessive MAC address
entries in the MAC address table and running out of MAC address table resources, and to
achieve aging of dynamic MAC addresses.
Prerequisite
N/A
The MAC address of the source device, multicast MAC address, FFFF.FFFF.FFFF,
and 0000.0000.0000 cannot be configured as static unicast MAC address.
2.1.12 Maintenance
Maintain the device as below.
Command Description
Raisecom(config)#no mac-address { [ vlan vlan-id ] [ mac mac-address ] | all }
Clear MAC addresses of the specified parameter.
Raisecom(config)#no mac-address interface-type interface-number
Clear MAC addresses of the specified interface.
Raisecom(config)#no mac-address { static | dynamic | blackhole } [ vlan vlan-id ] [ mac mac-address ]
Clear static/dynamic/blackhole MAC addresses of the specified parameter.
Raisecom(config)#no mac-address { static | dynamic } [ interface-type interface-number ]
Clear static/dynamic MAC addresses of the specified interface.
Raisecom(config)#reset mac-address flapping record
Clear records on MAC address flapping detection.
Networking requirements
As shown in Figure 2-2, configure Switch A as below:
Configure a static unicast MAC address 0001.0203.0405 on GE 1/0/2 and configure its
VLAN to VLAN 10.
Configuration steps
Step 1 Create VLAN 10, activate it, and add GE 1/0/2 to VLAN 10.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Step 2 Configure a static unicast MAC address 0001.0203.0405 on GE 1/0/2, which belongs to
VLAN 10.
Checking results
Use the show mac-address command to show configurations of MAC addresses.
Raisecom#show mac-address
MacAddress      VLAN/VSI/BD  Learned-From  Type    Valid
----------------------------------------------------------------------
0001:0203:0405  10/--/--     ge-1/0/2      static  yes
----------------------------------------------------------------------
Total:1 Static:1 Dynamic:0 Blackhole:0
Sticky:0 Security:0 Snooping:0
2.2 VLAN
2.2.1 Introduction
Overview
Virtual Local Area Network (VLAN) is a protocol that solves Ethernet broadcast and security
problems. It is a Layer 2 isolation technique that partitions a LAN into different broadcast
domains logically rather than physically, so that the different broadcast domains work as
virtual groups without any influence on one another. In terms of functions, a VLAN has the
same features as a LAN, but members of one VLAN can access one another without restriction
by physical location.
VLAN partitions
There are multiple ways of VLAN partitions, such as by interface, by MAC address, by IP
subnet, and by protocol, as shown in Figure 2-3.
VLAN technique can partition a physical LAN into different broadcast domains logically.
Hosts without intercommunication requirements can be isolated by VLAN, so VLAN
partitions improve network security, and reduce broadcast flow and broadcast storm.
The device complies with IEEE 802.1Q standard VLAN and supports 4094 concurrent
VLANs.
VLAN partitions by interface
The device supports VLAN partitions by interface. The device has two interface modes:
Access mode and Trunk mode. Packets are processed in the two modes as below.
– When a tagged packet reaches an interface, if its VLAN ID is in the list of VLAN IDs
allowed to pass by the interface, the interface receives it. Otherwise, the interface
discards it.
VLAN partitions by protocol
This refers to VLAN partitions by the protocol type carried in the packet and encapsulation
format.
After receiving an untagged packet from an interface, the device determines the VLAN to
which the packet belongs according to the protocol field of the packet, and sends the packet
to the specified VLAN for later transmission.
When receiving a tagged packet from an interface, the device receives the packet if the
VLAN ID is in the list of VLANs whose packets are allowed to pass by the interface,
or discards the packet if the VLAN ID is not in that list.
Scenario
The main function of VLAN is to partition logical network segments. There are two typical
application modes:
In a small LAN, several VLANs are created on one device, and the hosts connected to the
device are divided by VLAN. Hosts in the same VLAN can communicate, but hosts in
different VLANs cannot. For example, the financial department needs to be separated from
other departments so that they cannot access each other. Generally, the interface connecting
a host is in Access mode.
In a larger LAN or enterprise network, multiple cascaded devices connect multiple hosts,
and data packets carry the VLAN Tag when forwarded. Interfaces in the same VLAN on
multiple devices can communicate, but interfaces in different VLANs cannot. This mode is
used in an enterprise that has many employees and a large number of hosts, where hosts of
the same department at different locations must be able to access one another, so VLANs
have to be partitioned across multiple devices. Layer 3 devices, such as routers, are required
for users to communicate between different VLANs. The cascaded interfaces between
devices are configured in Trunk mode.
When configuring an IP address for a VLAN, you can associate a Layer 3 interface with it. Each
Layer 3 interface corresponds to one IP address and one VLAN.
Prerequisite
N/A
The interface allows Access VLAN packets to pass regardless of configuration for
VLAN allowed by the Access interface. The forwarded packets do not carry the
VLAN Tag.
Configuring the Access VLAN will fail if you have not created and activated the
VLAN in advance.
If you delete or suspend the Access VLAN manually, the system will not
automatically configure the interface Access VLAN as the default VLAN.
When you configure the interface Access VLAN as a non-default Access VLAN, the
default VLAN 1 remains in the VLAN list allowed by the egress Access interface; you
can delete VLAN 1 from the allowed VLAN list of the egress Access interface.
If the configured Access VLAN is not the default VLAN and there is no default
VLAN in the allowed VLAN list of the Access interface, the interface does not
allow packets of the default VLAN to pass.
Regardless of how the VLAN list allowed to pass by the interface is configured, the
interface allows packets of its PVID VLAN to pass and forwards them without the
corresponding PVID Tag.
When configuring the Native VLAN, the system will not create and activate the VLAN
automatically if it has not been created and activated in advance.
The system will not configure the interface Trunk Native VLAN as the default VLAN if
you have deleted or blocked the Native VLAN manually.
The interface allows incoming and outgoing packets of the VLANs allowed by the Trunk
interface.
If the configured Native VLAN is not the default VLAN, and the VLAN list allowed
to pass by the Trunk interface does not include the default VLAN, the interface will
disallow packets of the default VLAN to pass.
The VLAN list allowed by the Trunk interface is only effective to static VLAN, and
ineffective for cluster VLAN, MVRP dynamic VLAN.
The Hybrid interface can work in different modes as configured. In untagged mode,
its working mode is the same as that in the Access mode, but it can be configured
with multiple allowed VLANs. In tagged mode, its working mode is the same as that
in the Trunk mode.
Networking requirements
As shown in Figure 2-4, PC 1, PC 2, and PC 5 belong to VLAN 10, PC 3 and PC 4 belong to
VLAN 20; Switch A and Switch B are connected by the Trunk interface; PC 3 and PC 4
cannot communicate because VLAN 20 is not allowed to pass in the link; PC 1 and PC 2
under the same Switch B are enabled with interface isolation function so that they cannot
communicate with each other, but can respectively communicate with PC 5.
Configuration steps
Step 1 Create VLAN 10 and VLAN 20 on the two switches respectively, and activate them.
Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 10,20
Configure Switch B.
Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#vlan 10,20
Step 2 On Switch B, add GE 1/0/2 and GE 1/0/3 in Access mode to VLAN 10, add GE 1/0/4 in
Access mode to VLAN 20, configure GE 1/0/1 in Trunk mode, and allow VLAN 10 to pass.
SwitchB(config)#interface ge 1/0/2
SwitchB(config-ge-1/0/2)#port link-type access
SwitchB(config-ge-1/0/2)#port default vlan 10
SwitchB(config-ge-1/0/2)#exit
SwitchB(config)#interface ge 1/0/3
SwitchB(config-ge-1/0/3)#port link-type access
SwitchB(config-ge-1/0/3)#port default vlan 10
SwitchB(config-ge-1/0/3)#exit
SwitchB(config)#interface ge 1/0/4
SwitchB(config-ge-1/0/4)#port link-type access
SwitchB(config-ge-1/0/4)#port default vlan 20
SwitchB(config-ge-1/0/4)#exit
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port link-type trunk
SwitchB(config-ge-1/0/1)#port trunk allow-pass vlan 10
SwitchB(config-ge-1/0/1)#exit
Step 3 On Switch A, add GE 1/0/2 in Access mode to VLAN 10, add GE 1/0/3 in Access mode to
VLAN 20, configure GE 1/0/1 in Trunk mode, and allow VLAN 10 to pass.
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type access
SwitchA(config-ge-1/0/2)#port default vlan 10
SwitchA(config-ge-1/0/2)#exit
SwitchA(config)#interface ge 1/0/3
SwitchA(config-ge-1/0/3)#port link-type access
SwitchA(config-ge-1/0/3)#port default vlan 20
SwitchA(config-ge-1/0/3)#exit
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan 10
SwitchA(config-ge-1/0/1)#exit
Checking results
Use the show vlan command to show VLAN configurations.
Take Switch B for example.
SwitchB#show vlan
S: supervlan P: pvlan N: normal
Check whether the Trunk interface permitting VLAN passing is correct by making PC 1 ping
PC 5, PC 2 ping PC 5, and PC 3 ping PC 4.
PC 1 can ping PC 5, so VLAN 10 communication is normal.
PC 2 can ping PC 5, so VLAN 10 communication is normal.
PC 3 fails to ping PC 4, so VLAN 20 communication is abnormal.
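As an added example (not from the Raisecom guide), the following Python models the Access and Trunk processing rules described in this section for the Figure 2-4 topology as configured in Steps 1 to 3, and reproduces the three ping results above; the placement of PC 3 on Switch A and PC 4 on Switch B, and the modelling of interface isolation as a per-port flag, are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    mode: str                    # "access" or "trunk"
    pvid: int                    # Access VLAN, or Native VLAN on a trunk
    allowed: set = field(default_factory=set)   # port trunk allow-pass vlan ...
    isolated: bool = False       # member of the interface isolation group (assumed)

    def ingress(self, vid):
        """Classify an arriving frame (vid None = untagged). Returns the VLAN
        it is forwarded in, or None if the interface discards it."""
        if vid is None:
            return self.pvid                      # untagged frames take the PVID
        if self.mode == "access":
            return vid if vid == self.pvid else None
        # Trunk: a tagged frame passes only if its VLAN ID is in the allowed
        # list; the Native VLAN always passes.
        return vid if vid == self.pvid or vid in self.allowed else None

    def egress(self, vlan):
        """Decide whether a frame of `vlan` leaves this interface and with which
        tag. Returns (forward, tag); tag None means it leaves untagged."""
        if self.mode == "access":
            return (vlan == self.pvid, None)
        if vlan == self.pvid:
            return (True, None)                   # Native VLAN leaves untagged
        return (vlan in self.allowed, vlan)


class Switch:
    def __init__(self, ports):
        self.ports = ports

    def flood(self, in_port, vid):
        """Yield (out_port, tag) for each interface that transmits a frame that
        arrived on in_port; unknown-destination frames are flooded in their VLAN."""
        vlan = self.ports[in_port].ingress(vid)
        if vlan is None:
            return
        src = self.ports[in_port]
        for name, port in self.ports.items():
            if name == in_port:
                continue                          # never back out the receiving port
            if src.isolated and port.isolated:
                continue                          # interface isolation (PC 1 <-> PC 2)
            forward, tag = port.egress(vlan)
            if forward:
                yield name, tag


# Topology of Figure 2-4 as configured in Steps 1-3 (host placement assumed).
SWITCHES = {
    "SwitchB": Switch({
        "ge1/0/1": Port("trunk", 1, {10}),
        "ge1/0/2": Port("access", 10, isolated=True),   # PC 1
        "ge1/0/3": Port("access", 10, isolated=True),   # PC 2
        "ge1/0/4": Port("access", 20),                  # PC 4
    }),
    "SwitchA": Switch({
        "ge1/0/1": Port("trunk", 1, {10}),
        "ge1/0/2": Port("access", 10),                  # PC 5
        "ge1/0/3": Port("access", 20),                  # PC 3
    }),
}
LINKS = {   # (switch, port) -> ("host", name) or (switch, port)
    ("SwitchB", "ge1/0/2"): ("host", "PC1"),
    ("SwitchB", "ge1/0/3"): ("host", "PC2"),
    ("SwitchB", "ge1/0/4"): ("host", "PC4"),
    ("SwitchA", "ge1/0/2"): ("host", "PC5"),
    ("SwitchA", "ge1/0/3"): ("host", "PC3"),
    ("SwitchB", "ge1/0/1"): ("SwitchA", "ge1/0/1"),
    ("SwitchA", "ge1/0/1"): ("SwitchB", "ge1/0/1"),
}
HOST_PORT = {peer[1]: link for link, peer in LINKS.items() if peer[0] == "host"}


def reaches(src, dst):
    """True if an untagged frame sent by host src is delivered to host dst."""
    pending = [HOST_PORT[src] + (None,)]          # (switch, in_port, tag)
    seen = set()
    while pending:
        state = pending.pop()
        if state in seen:
            continue
        seen.add(state)
        sw, in_port, tag = state
        for out_port, out_tag in SWITCHES[sw].flood(in_port, tag):
            peer = LINKS[(sw, out_port)]
            if peer[0] == "host":
                if peer[1] == dst:
                    return True
            else:
                pending.append(peer + (out_tag,))
    return False


def ping_ok(a, b):
    """A ping needs both the request and the reply to get through."""
    return reaches(a, b) and reaches(b, a)


if __name__ == "__main__":
    for a, b in [("PC1", "PC5"), ("PC2", "PC5"), ("PC3", "PC4"), ("PC1", "PC2")]:
        print(f"{a} -> {b}: {'ok' if ping_ok(a, b) else 'fails'}")
```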
is flexible in implementation. You can combine these modes as required to meet users'
requirements to the maximum extent.
Figure 2-5 shows the networking mode for IP phone (with its interfaces transmitting voice
traffic only) to connect to the switch. This mode enables these interfaces to transmit voice
traffic only, thus minimizing the impact on voice traffic from data traffic.
Scenario
A specific voice VLAN can transmit voice traffic. If a voice device becomes faulty or exits
the network in a period, the interface connecting the voice device will automatically exit the
voice VLAN.
Prerequisite
Create a VLAN, and configure its parameters.
Networking requirements
GE 1/0/1 on the Switch connects the IP phone and PC to the Internet. Voice traffic and data
traffic must be forwarded concurrently and isolated from each other.
You can configure GE 1/0/1 as a Trunk interface, making the Native VLAN forward data
traffic and the voice VLAN forward voice traffic. The PC sends untagged packets, which are
transmitted in the Native VLAN of GE 1/0/1. Configure VLAN 100 as the Native VLAN to
transmit data traffic sent from the PC. The IP phone also sends untagged packets. Configure
the OUI address of the voice VLAN to match the source MAC address of the IP phone, so that
the device adds the voice VLAN Tag to these packets when they pass the voice VLAN
interface. Configure VLAN 200 as the voice VLAN to transmit voice traffic sent from the IP phone.
Figure 2-6 Networking with adding interface to voice VLAN and configuring it to work in manual mode
Configuration steps
Step 1 Configure the MAC address (supporting the mask) of the IP phone as the OUI address of the
voice VLAN on the switch, namely, 0001.ED00.0000. Configure the mask to
FFFF.FF00.0000. For the OUI supported by the device by default, see section 2.3.3 Default
configurations of the voice VLAN.
Step 2 Create VLAN 100 and VLAN 200, activate them, and configure VLAN 200 as the voice
VLAN.
Raisecom(config)#vlan 100,200
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 100
Raisecom(config-ge-1/0/1)#voice-vlan 200 enable
Checking configurations
Use the show voice-vlan interface command to view the current interface status of the voice
VLAN.
Networking requirements
As shown in Figure 2-7, when the IP phone supports LLDP, it can obtain the voice VLAN
through LLDP. You can configure LLDP and voice VLAN on the switch to connect the IP
phone. Configure LLDP on the switch to advertise the voice VLAN of the interface to the IP
phone. To guarantee call quality, configure the voice VLAN to prioritize voice packets.
GE 1/0/1 on the Switch connects the IP phone and PC to the Internet. Voice traffic and data
traffic must be forwarded concurrently and isolated from each other.
You can configure GE 1/0/1 as a Trunk interface, making the Native VLAN forward data
traffic and voice VLAN forward voice traffic. The PC sends untagged packets which are
transmitted in the Native VLAN of GE 1/0/1. Configure VLAN 100 as the Native VLAN to
transmit data traffic sent from the PC. Configure VLAN 200 as the voice VLAN to transmit
voice traffic sent from the IP phone. The IP phone obtains the voice VLAN through LLDP and
sends packets with the voice VLAN Tag.
Figure 2-7 Configuring IP phone to access voice VLAN packets through LLDP
Configuration steps
Step 1 Configure the MAC address (supporting the mask) of the IP phone as the OUI address of the
voice VLAN on the switch, namely, 0001.ED00.0000. Configure the mask to
FFFF.FF00.0000. For the OUI supported by the device by default, see section 2.3.3 Default
configurations of the voice VLAN.
Step 2 Create VLAN 100 and VLAN 200, activate them, and configure VLAN 200 as the voice
VLAN.
Raisecom(config)#vlan 100,200
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 100
Raisecom(config-ge-1/0/1)#voice-vlan 200 enable
Raisecom(config-ge-1/0/1)#exit
Step 3 Enable global LLDP and interface LLDP to advertise the voice VLAN of the interface to the
IP phone.
Raisecom(config)#lldp start
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#lldp admin-status rx-tx
Checking configurations
Use the show voice-vlan interface command to view the interface status of the voice VLAN.
2.4 QinQ
2.4.1 Introduction
QinQ (also known as Stacked VLAN or Double VLAN) technique is an extension to 802.1Q
defined in IEEE 802.1ad standard.
Basic QinQ
Basic QinQ is a simple Layer 2 VPN tunnel technique. At the carrier's access end, it
encapsulates an outer VLAN Tag onto the user's private network packets; the packets then
traverse the carrier's backbone (public) network carrying two VLAN Tags. On the public
network, packets are forwarded according to the outer VLAN Tag (namely, the public network
VLAN Tag), while the user's private network VLAN Tag is carried transparently as data inside
the packets.
Typical networking of basic QinQ is shown in Figure 2-8; the device is the PE.
Packets are sent from the user device to the PE carrying a tag with VLAN ID 100. When the
packets leave the PE through its network-side interface towards the carrier network, an outer
tag with VLAN 1000 is added.
The carrier transmits the packets with the VLAN 1000 outer Tag to the PE on the other side,
which removes the outer tag VLAN 1000 and sends the packets to the user device. The packets
again carry only the single tag VLAN 100.
This technique saves public network VLAN ID resources: you can plan private network
VLAN IDs without conflicting with public network VLAN IDs.
Selective QinQ
Selective QinQ is an enhancement to basic QinQ. It classifies flows according to user data
features and then encapsulates different types of flow into different outer VLAN Tags. This
technique is implemented through a combination of interface and VLAN. Selective QinQ can
perform different actions on different VLAN Tags received by one interface and add different
outer VLAN IDs for different inner VLAN IDs. According to the configured mapping rules for
inner and outer Tags, you can encapsulate different outer Tags for packets with different inner
tags. The inner priority can be copied to the outer priority.
Selective QinQ makes the structure of the carrier network more flexible. You can classify
different terminal users on the access device interface by VLAN Tag and then encapsulate
different outer Tags for users in different classes. On the public network, you can configure a
QoS policy according to the outer Tag and configure data transmission priority flexibly so that
users in different classes receive the corresponding services.
Scenario
Basic QinQ configuration and selective QinQ configuration for the device are based on
different service requirements.
Basic QinQ
With application of basic QinQ, you can add outer VLAN Tag to plan the private VLAN ID
freely to make the user device data at both ends of carrier network transparently transmitted
without conflicting with VLAN ID on the service provider network.
Selective QinQ
Different from basic QinQ, the outer VLAN Tag of selective QinQ can be selected according to
the service. When the user network carries multiple services with different private VLAN IDs,
different outer VLAN Tags are added for voice, video, and data services, so that the services
are separated and forwarded according to the inner-to-outer VLAN mapping.
Prerequisite
Connect the interface.
Configure its physical parameters to make it Up.
Create VLANs.
Basic QinQ and 1:1 VLAN mapping can be concurrently configured. VLAN
mapping functions normally before or after basic QinQ is enabled.
Selective QinQ and 1:1 VLAN mapping can be concurrently configured. When
they are concurrently configured, they function normally. They also function
normally when basic QinQ is enabled or disabled. When one of them is disabled,
the other configurations function normally.
Basic QinQ, selective QinQ, and 2:2 VLAN mapping are mutually exclusive. When
selective QinQ and 1:1 VLAN mapping are concurrently configured, their matching
VLANs cannot be the same, and the VLANs after mapping cannot be the same.
When basic QinQ is enabled on the interface, all packets are processed as untagged
packets. If you configure the untagged packets to be discarded, tagged packets are
also discarded.
Networking requirements
As shown in Figure 2-9, Switch A and Switch B are connected to two branches of Department
C, which are in different locations. Department C uses VLAN 100, and needs to communicate
through VLAN 1000 of the carrier network. The carrier TPID is 9100.
Configure basic QinQ on Switch A and Switch B to enable normal communication inside a
department through the carrier's network.
Configuration steps
Configure Switch A and Switch B.
Configurations of Switch A are the same as those of Switch B. Take Switch A for example.
Step 1 Create VLAN 100 and VLAN 1000, and activate them. TPID is 9100.
Raisecom#configure
Raisecom(config)#vlan 100,1000
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 1000
Raisecom(config-ge-1/0/1)#tpid 0x9100
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type dot1q-tunnel
Raisecom(config-ge-1/0/2)#port default vlan 1000
Raisecom(config-ge-1/0/2)#exit
Checking results
Use the show interface interface-type interface-number config command to show QinQ
configurations.
Networking requirements
As shown in Figure 2-10, the carrier network contains common PC Internet access services
and IP phone services. PC Internet access services are assigned to VLAN 1000, and IP phone
services are assigned to VLAN 2000.
Configure Switch A and Switch B as below to make the user and server communicate through
the carrier network:
Add outer Tag VLAN 1000 to VLAN 100 assigned to PC Internet access services.
Add outer Tag 2000 to VLAN 200 for IP phone services.
The carrier TPID is 9100.
Configuration steps
Configure Switch A and Switch B.
Configurations of Switch A are the same as those of Switch B. Take Switch A for example.
Step 1 Create and activate VLAN 100, VLAN 200, VLAN 1000, and VLAN 2000. The TPID is 9100.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 100,200,1000,2000
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan 1000,2000
SwitchA(config-ge-1/0/1)#tpid 0x9100
SwitchA(config-ge-1/0/1)#exit
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/2)#port trunk allow-pass vlan 100,200,1000,2000
SwitchA(config-ge-1/0/2)#vlan-stacking enable
SwitchA(config-ge-1/0/2)#vlan-stacking vlan 100 stack-vlan 1000
SwitchA(config-ge-1/0/2)#vlan-stacking vlan 200 stack-vlan 2000
SwitchA(config-ge-1/0/2)#exit
Checking results
Use the show vlan-stacking interface command to show configurations of selective QinQ.
Take Switch A for example.
After receiving a user private network packet with a VLAN Tag, the device matches the
packet against the configured VLAN mapping rules. If a rule matches, the device maps the
packet according to that rule.
With 1:1 VLAN mapping, the device replaces the VLAN Tag of a packet from a specified
VLAN with the new VLAN Tag.
Different from QinQ, VLAN mapping does not encapsulate packets with multiple layers of
VLAN Tags, but needs to modify VLAN Tag so that packets are transmitted according to the
carrier's VLAN forwarding rule.
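Frame-level view of the three mechanisms described in this and the preceding QinQ sections (basic QinQ on a dot1q-tunnel interface, selective QinQ with vlan-stacking rules, and 1:1 vlan-mapping), as an added Python example that is not part of the guide or of Raisecom's software. Function names, the sample MAC addresses and the payload are constructed; the VLAN IDs and the TPID 0x9100 are those used in this chapter's examples.

```python
import struct

TPID_8021Q = 0x8100    # standard IEEE 802.1Q tag
TPID_CARRIER = 0x9100  # carrier TPID used in this chapter's QinQ examples (tpid 0x9100)
ETHERTYPE_IPV4 = 0x0800


def _mac(s):
    return bytes.fromhex(s.replace(':', '').replace('-', '').replace('.', ''))


def build_frame(dst, src, tags, payload):
    """Build an Ethernet frame. tags is a list of (tpid, pcp, vid), outermost first."""
    frame = _mac(dst) + _mac(src)
    for tpid, pcp, vid in tags:
        frame += struct.pack('!HH', tpid, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack('!H', ETHERTYPE_IPV4) + payload


def parse_tags(frame, tpids=(TPID_8021Q, TPID_CARRIER)):
    """Return ([(tpid, pcp, vid), ...] outermost first, offset of the EtherType)."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid = struct.unpack_from('!H', frame, off)[0]
        if tpid not in tpids:
            break
        tci = struct.unpack_from('!H', frame, off + 2)[0]
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4
    return tags, off


def push_tag(frame, vid, pcp, tpid):
    """Insert a new outermost tag right after the MAC addresses (frame grows by 4 bytes)."""
    return frame[:12] + struct.pack('!HH', tpid, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag, as the far-end PE does before handing the frame to the user."""
    tags, _ = parse_tags(frame)
    if not tags:
        raise ValueError('frame carries no VLAN tag')
    return frame[:12] + frame[16:]


def basic_qinq_pe(frame, stack_vlan, tpid=TPID_CARRIER):
    """dot1q-tunnel interface: every frame is treated as untagged and gets the outer tag.
    The outer priority is left at 0 (assumption: the guide does not state it for basic QinQ)."""
    return push_tag(frame, stack_vlan, 0, tpid)


def selective_qinq_pe(frame, rules, tpid=TPID_CARRIER):
    """vlan-stacking: pick the outer VLAN from the inner VLAN ID and copy the inner priority.
    Returns None when no stacking rule matches (frame left to ordinary trunk handling)."""
    tags, _ = parse_tags(frame)
    if not tags or tags[0][2] not in rules:
        return None
    _, inner_pcp, inner_vid = tags[0]
    return push_tag(frame, rules[inner_vid], inner_pcp, tpid)


def vlan_map_1to1(frame, rules):
    """vlan-mapping: rewrite the VID of the existing tag in place; frame length is unchanged."""
    tags, _ = parse_tags(frame)
    if not tags or tags[0][2] not in rules:
        return frame
    tpid, pcp, vid = tags[0]
    return frame[:14] + struct.pack('!H', (pcp << 13) | rules[vid]) + frame[16:]


def describe(frame):
    """Human-readable tag stack, e.g. '0x9100/1000(p0) > 0x8100/100(p5)'."""
    tags, _ = parse_tags(frame)
    return ' > '.join(f'0x{t:04x}/{v}(p{p})' for t, p, v in tags) or 'untagged'


# Constructed sample frames from the user side (MAC addresses and payload are made up).
USER_MAC, SERVER_MAC = '00:1e:c9:00:00:01', '00:1e:c9:00:00:02'
PAYLOAD = bytes(range(46))
FRAME_V100 = build_frame(SERVER_MAC, USER_MAC, [(TPID_8021Q, 5, 100)], PAYLOAD)
FRAME_V200 = build_frame(SERVER_MAC, USER_MAC, [(TPID_8021Q, 3, 200)], PAYLOAD)
FRAME_V300 = build_frame(SERVER_MAC, USER_MAC, [(TPID_8021Q, 0, 300)], PAYLOAD)
FRAME_UNTAGGED = build_frame(SERVER_MAC, USER_MAC, [], PAYLOAD)

SELECTIVE_RULES = {100: 1000, 200: 2000}   # vlan-stacking vlan 100 stack-vlan 1000, ...
MAPPING_RULES = {100: 1000, 200: 2008}     # vlan-mapping vlan 100 map-vlan 1000, ...

if __name__ == '__main__':
    outer = basic_qinq_pe(FRAME_V100, 1000)
    print('basic QinQ :', describe(outer), '-> far end:', describe(pop_tag(outer)))
    print('selective  :', describe(selective_qinq_pe(FRAME_V200, SELECTIVE_RULES)))
    print('1:1 mapping:', describe(vlan_map_1to1(FRAME_V100, MAPPING_RULES)))
```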
Scenario
Different from QinQ, VLAN mapping is used to change the VLAN Tag without encapsulating
multilayer VLAN Tag so that packets are transmitted according to the carrier's VLAN
mapping rules. VLAN mapping does not increase the frame length of the original packet. It
can be used in the following scenarios:
A user service needs to be mapped to a carrier's VLAN ID.
Multiple user services need to be mapped to a carrier's VLAN ID.
Prerequisite
Connect the interface.
Configure its physical parameters to make it Up.
Create VLANs.
Basic QinQ and 1:1 VLAN mapping can be concurrently configured. VLAN
mapping functions normally before or after basic QinQ is enabled.
Selective QinQ and 1:1 VLAN mapping can be concurrently configured. When
they are concurrently configured, they function normally. They also function
normally when basic QinQ is enabled or disabled. When one of them is disabled,
the other configurations function normally.
Basic QinQ, selective QinQ, and 2:2 VLAN mapping are mutually exclusive. When
selective QinQ and 1:1 VLAN mapping are concurrently configured, their matching
VLANs cannot be the same, and the VLANs after mapping cannot be the same.
Scenario
As shown in Figure 2-12, GE 1/0/2 and GE 1/0/3 on Switch A are connected to Department E
using VLAN 100 and Department F using VLAN 200; GE 1/0/2 and GE 1/0/3 on Switch A
are connected to Department C using VLAN 100 and Department D using VLAN 200. The
carrier's network uses VLAN 1000 to transmit services between Department E and
Department C and uses VLAN 2008 to transmit services between Department F and
Department D.
Configure 1:1 VLAN mapping between Switch A and Switch B to implement normal
communication inside each department.
Configuration steps
Configure Switch A and Switch B.
Configuration steps for Switch A and Switch B are the same. Take Switch A for example.
Step 1 Create VLANs 100, 200, 1000, and 2008, and activate them.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 100,200,1000,2008
Step 2 Configure GE 1/0/1 to Trunk mode, allowing packets of VLAN 1000 and VLAN 2008 to pass.
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan 1000,2008
SwitchA(config-ge-1/0/1)#exit
Step 3 Configure GE 1/0/2 to Trunk mode, allowing packets of VLAN 100 to pass. Configure
VLAN mapping rules.
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/2)#port trunk allow-pass vlan 100
SwitchA(config-ge-1/0/2)#vlan-mapping vlan 100 map-vlan 1000
SwitchA(config-ge-1/0/2)#exit
Step 4 Configure GE 1/0/3 to Trunk mode, allowing packets of VLAN 200 to pass. Configure
VLAN mapping rules.
SwitchA(config)#interface ge 1/0/3
SwitchA(config-ge-1/0/3)#port link-type trunk
SwitchA(config-ge-1/0/3)#port trunk allow-pass vlan 200
SwitchA(config-ge-1/0/3)#vlan-mapping vlan 200 map-vlan 2008
Checking results
Use the show vlan-mapping both interface command to show configurations of 1:1 VLAN
mapping.
2.6 MRP/MVRP
2.6.1 Introduction
Multiple Registration Protocol (MRP) is an attribute registration protocol, which can be used
to transfer attribute information. Multiple VLAN Registration Protocol (MVRP) is an
application of MRP, which is used to advertise and learn VLAN configurations between
devices. Through MVRP, devices in the LAN can automatically synchronize VLAN
configurations, greatly reducing VLAN configuration work by the network administrator.
MRP messages
MRP messages include the Join message, New message, Leave message, and LeaveAll
message.
Join message: when an MRP entity is configured with certain attributes and requires the
peer entity to register its attribute information, it will send a Join message to the peer
entity. When the MRP peer entity receives a Join message, it registers the attributes in
the Join message and advertises the Join message to other entities of the device. After
receiving the advertised Join message, other entities send a Join message to their peer
entities.
New message: the functions of a New message are similar to that of a Join message.
Both messages are used to declare attributes. The difference is that the New message is
used for Multiple Spanning Tree Protocol (MSTP) topology changes.
Leave message: when an MRP entity deregisters certain attributes and needs the peer
entity to deregister them as well, it sends a Leave message to the peer entity. When the
MRP peer entity receives the Leave message, it deregisters the attributes in the Leave
message and advertises the Leave message to other entities on the device. After receiving
the advertised Leave message, the other entities use the attributes in the Leave message
to determine their status on the device and decide whether to send a Leave message to
their own peer entities. For example, if the attribute in the Leave message is a dynamic
VLAN and no entity on this device is still registered with that VLAN, the device deletes
the VLAN and the entities send the Leave message to their peer entities; if the VLAN is a
static VLAN, no Leave message is sent.
LeaveAll message: each MRP entity starts its own LeaveAll timer when it starts. When
the LeaveAll timer expires, the MRP entity will send a LeaveAll message to the peer
entity. When an MRP entity sends or receives a LeaveAll message, it starts the Leave
timer and determines whether to send a Join message based on its own attribute status
and require the peer entity to re-register a certain attribute. Before the Leave timer
expires, the entity re-registers the attributes in the Join message received from the peer
entity. After the Leave timer expires, all unregistered attributes are deregistered, thereby
periodically clearing the garbage attributes on the network.
The Leave message or LeaveAll message cooperates with the Join message to deregister or
reregister attributes. Through message exchange, all attributes to be registered can be
transmitted to all MRP entities in the same LAN.
MRP timers
The interval for sending the MRP message is controlled by timers. MRP defines four timers to
control the interval.
Periodic timer: each MRP entity starts its own Periodic timer when it starts to control the
periodic sending of MRP messages. Before the Periodic timer expires, the MRP entity
collects the MRP messages that need to be sent. After the Periodic timer expires, the
MRP entity encapsulates all the MRP messages that need to be sent into as few messages
as possible and sends them out, thereby reducing the number of messages sent. Then, the
MRP entity restarts the Periodic timer to start a new cycle.
Join timer: it is used to control the sending of Join messages. To ensure that Join
messages can be reliably sent to the peer entity, the MRP entity starts the Join timer
when sending Join messages. If the entity receives a JoinIn message from the peer entity
before the timer expires, and the properties in the JoinIn message match those in the sent
Join message, the entity will not resend the Join message; otherwise, after the timer
expires, when the Periodic timer also expires, the entity will send the Join message once.
Leave timer: it is used to control attribute deregistration. When an MRP entity receives a
Leave message (or sends or receives a LeaveAll message) from the peer entity, it starts
the Leave timer. If it receives a Join message from the peer entity before the Leave timer
expires, and the properties in the Join message match those in the received Leave
message (or match some properties in the LeaveAll message received or sent), these
properties will not be deregistered in the current entity, and other properties will be
deregistered after the timer expires.
LeaveAll timer: each MRP entity starts its own LeaveAll timer when it starts. When the
LeaveAll timer expires, the MRP entity will send a LeaveAll message to the peer entity,
and then restart the LeaveAll timer to start a new cycle. The peer entity also restarts the
LeaveAll timer after receiving the LeaveAll message.
MVRP
Multiple VLAN Registration Protocol (MVRP) is an MRP application. Based on MRP
working mechanism, it maintains VLAN dynamic registration information about the switch,
and sends the information to other switches.
All MVRP-capable switches can receive VLAN registration information from other switches
and dynamically update their local VLAN registration information. In addition, they can send
local VLAN registration information to other switches so that all switches in the same VLAN
have consistent VLAN registration information. The VLAN registration information sent by
MVRP includes manually configured local static registration information and dynamic
registration information learned from other switches.
MVRP has three registration modes:
Normal: in this mode, MVRP allows dynamic registration and deregistration of VLANs,
and sends dynamic and static VLAN information.
Fixed: in this mode, MVRP forbids dynamic registration and deregistration of VLANs,
and sends static VLAN information rather than dynamic VLAN information to other
MVRP members.
Forbidden: in this mode, MVRP forbids dynamic registration and deregistration of
VLANs, forbids creating static VLANs on the interface, deletes all VLANs except
VLAN 1, allows packets of the default VLAN (VLAN 1) to pass, and transmits packets
of the default VLAN to other MVRP members.
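The Join/Leave/LeaveAll handling, the Leave timer and the three registration modes described above, as a simplified Python model added here (it is not Raisecom code and not the full IEEE 802.1ak applicant/registrar state machine). The class and method names are assumptions; the behaviour modelled is the guide's: a peer Join received before the Leave timer expires keeps a dynamic VLAN registered, a static VLAN is never removed by a Leave, and fixed and forbidden mode refuse dynamic registration.

```python
class MvrpRegistrar:
    """Simplified model of an MVRP participant on one Trunk interface.

    Only the behaviour described in the guide is modelled: Join/New, Leave,
    LeaveAll, the Leave timer, and the normal/fixed/forbidden registration modes.
    """

    MODES = ('normal', 'fixed', 'forbidden')

    def __init__(self, mode='normal', static_vlans=(), leave_timer_ms=15000):
        if mode not in self.MODES:
            raise ValueError(f'unknown registration mode: {mode}')
        self.mode = mode
        # forbidden: all VLANs except the default VLAN 1 are deleted on the interface
        self.static = {1} if mode == 'forbidden' else set(static_vlans)
        self.dynamic = set()          # VLANs learned from peer Join/New messages
        self.leave_deadline = {}      # vid -> time (ms) at which deregistration completes
        self.leave_timer_ms = leave_timer_ms

    def registered(self):
        return self.static | self.dynamic

    def advertised(self):
        """VLANs this entity declares to peers: normal sends static + dynamic,
        fixed sends static only, forbidden sends only the default VLAN."""
        return self.registered() if self.mode == 'normal' else set(self.static)

    def on_join(self, vid, now_ms):
        """Peer sent Join/New for vid. Returns True if vid is now dynamically registered.

        In normal mode any peer on the trunk can create a dynamic VLAN here; fixed
        mode is the setting that stops an untrusted neighbour from doing so."""
        if self.mode != 'normal':
            return False                          # fixed/forbidden refuse dynamic registration
        self.leave_deadline.pop(vid, None)        # Join before Leave timer expiry keeps the VLAN
        if vid in self.static:
            return False                          # already registered statically
        self.dynamic.add(vid)
        return True

    def on_leave(self, vid, now_ms):
        """Peer sent Leave for vid: start the Leave timer. Static VLANs are never removed."""
        if vid in self.dynamic:
            self.leave_deadline[vid] = now_ms + self.leave_timer_ms

    def on_leave_all(self, now_ms):
        """LeaveAll sent or received: every dynamic VLAN must be re-declared before expiry."""
        for vid in self.dynamic:
            self.leave_deadline[vid] = now_ms + self.leave_timer_ms

    def tick(self, now_ms):
        """Expire Leave timers. Returns the VLANs deregistered at this instant."""
        expired = sorted(v for v, t in self.leave_deadline.items() if t <= now_ms)
        for vid in expired:
            self.dynamic.discard(vid)
            del self.leave_deadline[vid]
        return expired


if __name__ == '__main__':
    # Switch A from the configuration example: static VLANs 5-10, Leave timer 15000 ms.
    reg = MvrpRegistrar('normal', static_vlans=range(5, 11), leave_timer_ms=15000)
    reg.on_join(15, now_ms=0)          # peer declares VLAN 15
    reg.on_leave_all(now_ms=1000)      # LeaveAll: VLAN 15 must be re-declared by 16000
    reg.on_join(15, now_ms=12000)      # re-declared in time, stays registered
    reg.on_leave(15, now_ms=30000)     # peer leaves; Leave timer runs until 45000
    print(reg.tick(now_ms=45000), sorted(reg.registered()))   # [15] [5, 6, 7, 8, 9, 10]
```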
As shown in Figure 2-13, configuring VLANs on multiple devices on a network and allowing
packets of the specified VLANs to pass is a complex task. By using MVRP to dynamically
register and propagate the specified VLANs, the network administrator can improve working
efficiency and accuracy.
As shown in Figure 2-13, GE 1/0/1 on Switch 1, GE 1/0/1 and GE 1/0/2 on Switch 2, and GE
1/0/1 on Switch N are Trunk interfaces. Create VLANs 5–50 on Switch 1, and then these
VLANs will be dynamically registered on the Rx interface along the red direction until
Switch N is registered. Create VLANs 51–100 on Switch N, and then these VLANs will be
dynamically registered on the Rx interface along the blue direction so that each switch can
completely process packets of VLANs 5–100.
Scenario
MVRP enables the configurations of an MVRP member to spread quickly to all MVRP-enabled
devices in the LAN.
The values of the Join timer, Leave timer, and LeaveAll timer configured through MVRP
are applied to all MVRP applications in the LAN.
Prerequisite
N/A
Interface MVRP can be enabled only after the interface is configured to Trunk
mode.
Networking requirements
As shown in Figure 2-14, to dynamically register, deregister, and update VLAN information
between switches, configure MVRP on these switches. Detailed requirements are as below:
Configure static VLANs 5–10 on Switch A and Switch C.
Configure static VLANs 15–20 on Switch D.
Configure static VLANs 25–30 on Switch E.
Configure the interfaces that are connected to other switches to Trunk mode, and enable
MVRP on these interfaces.
Configure the Join timer, Leave timer, and LeaveAll timer of MVRP on each interface to
3000, 15000, and 20000, in units of 10ms.
Configuration steps
Step 1 Create VLANs and enable global MVRP.
Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 5-10
SwitchA(config)#mvrp start
Configure Switch B.
Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#mvrp start
Configure Switch C.
Raisecom#hostname SwitchC
SwitchC#configure
SwitchC(config)#vlan 5-10
SwitchC(config)#mvrp start
Configure Switch D.
Raisecom#hostname SwitchD
SwitchD#configure
SwitchD(config)#vlan 15-20
SwitchD(config)#mvrp start
Configure Switch E.
Raisecom#hostname SwitchE
SwitchE#configure
SwitchE(config)#vlan 25-30
SwitchE(config)#mvrp start
Step 2 Configure GE 1/0/1, GE 1/0/2, and GE 1/0/3 on Switch A, GE 1/0/1, GE 1/0/2, and GE 1/0/3
on Switch B, GE 1/0/1 on Switch C, and GE 1/0/1 on Switch D to Trunk mode, and enable
MVRP on them. Take GE 1/0/1 on Switch A for example. Configurations of other interfaces
are the same.
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
Step 3 Configure MVRP timers of GE 1/0/1, GE 1/0/2, and GE 1/0/3 on Switch A, GE 1/0/1, GE
1/0/2, and GE 1/0/3 on Switch B, GE 1/0/1 on Switch C, and GE 1/0/1 on Switch D, and
enable MVRP on them. Take GE 1/0/1 on Switch A for example. Configurations of other
interfaces are the same.
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#mvrp timer join 3000
SwitchA(config-ge-1/0/1)#mvrp timer leave 15000
SwitchA(config-ge-1/0/1)#mvrp timer leave-all 20000
Checking results
Use the show mvrp command to show MVRP configurations on the interface.
Take Switch A for example.
SwitchA#show mvrp
Version : MVRP_Vl3.10.00.00
Compliance-GVRP : disable
Interface  JoinTime(ms)  LeaveTime(ms)  LeaveAllTime(ms)  PeriodicTime(ms)  Mode    State
------------------------------------------------------------------------------------------
ge 1/0/1   3000          15000          20000             --                normal  enable
Use the show vlan command to view information about VLANs on the device. Take Switch A
for example.
SwitchA#show vlan
NOTE:
S: supervlan P: pvlan N: normal
3 IP services
This chapter describes basic principles and configuration procedures for IP services, and
provides related configuration examples, including the following sections:
IP basis
Loopback interface
SLAAC
ARP
NDP
Static route
Policy routing
3.1 IP basis
3.1.1 Introduction
The IP interface is a virtual interface based on a VLAN. It is used when the device needs to
be managed by the NMS or when multiple devices need to be routed and connected.
The device supports the double-tagged management VLAN packets, and it can send and
process double-tagged packets.
Scenario
Configure the IP address of each VLAN interface, SNMP interface, or loopback interface.
Prerequisite
Create VLANs.
Activate them.
Networking requirements
As shown in Figure 3-1, configure the VLAN interface to the switch so that the host and the
device can ping each other.
Configuration steps
Step 1 Create a VLAN, and add the interface to the VLAN.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port hybrid pvid 10
Raisecom(config-ge-1/0/1)#port hybrid vlan 10 untagged
Raisecom(config-ge-1/0/1)#quit
Step 2 Create a Layer 3 interface 10 on the device, configure its IP address, and associate it with the
VLAN.
Raisecom(config)#interface vlan 10
Raisecom(config-vlan10)#ip address 192.168.1.2 255.255.255.0
Checking results
Use the show vlan command to show mapping between the physical interface and VLAN.
Raisecom#show vlan 10
vlan-10 information:
------------------------------------------------------------
Description :
Admin state : up
Operation state : down
Vlan type : normal
Vlan status : static
Unknown multicast state : forward
Unknown unicast state : forward
IPv4 address total number : 0
IPv6 address total number : 0
Ports :
Interface Tagged
--------------------------------------
ge-1/0/1 Untag
------------------------------------------------------------
Raisecom#show ip interface
Total number: 2
Interface   State(a/o)  Addr/Prefix     Role     Type    Vpn-instance
----------------------------------------------------------------------
loopback-0  up/up       127.0.0.1/8     primary  auto    N/A
vlan-10     up/up       192.168.1.2/24  primary  static  N/A
----------------------------------------------------------------------
Use the ping command to check whether the device and PC can ping each other.
Raisecom#ping 192.168.1.3
PING 192.168.1.3 : 64 data bytes
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=1
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=2
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=3
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=4
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=5
PING Statistics for 192.168.1.3
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/0/0
Scenario
Use the IP address of the loopback interface to log in through Telnet so that the Telnet
operation does not become Down due to change of physical status. To enable the PC to ping
through the IP address of the loopback interface, configure the corresponding static route
entry on the PC. The loopback interface ID is also used as the router ID of dynamic routing
protocols, such as OSPF, to uniquely identify a device.
Prerequisite
N/A
3.3 SLAAC
3.3.1 Introduction
Stateless Address Autoconfiguration (SLAAC) is the process for automatically configuring
the IPv6 address of the interface by the IPv6 node (host or router). It automatically
implements some tasks of the network administrator.
Scenario
The node generates its IPv6 addresses by combining an address prefix with an interface
identifier derived from the MAC address of the node or specified by the user. The prefixes
include the link-local prefix (fe80::/10) and the 64-bit prefix advertised by the local IPv6
router (if any).
Prerequisite
N/A
Raisecom(config-vlanif-*)#ipv6 enable
Raisecom(config-vlanif-*)#ipv6 address auto global
3.4 ARP
3.4.1 Introduction
In a TCP/IP network, each host is assigned a 32-bit IP address, a logical address used to
identify hosts across networks. To transmit packets over a physical link, the physical address
of the destination host must be known, which requires mapping the IP address to the physical
address. In an Ethernet environment, the physical address is the 48-bit MAC address, so the
system has to resolve the 32-bit IP address of the destination host to its 48-bit Ethernet
address before it can deliver packets correctly. The Address Resolution Protocol (ARP)
resolves IP addresses to MAC addresses and maintains the mapping between them.
The ARP address table contains the following two types:
Static entry: binds an IP address to a MAC address so that the binding cannot be altered
by dynamic ARP learning (ARP spoofing).
− The static ARP address entry needs to be added/deleted manually.
− The static ARP address entry is not aged.
Dynamic entry: MAC address automatically learned through ARP.
− This dynamic ARP address entry is automatically generated by switch. You can adjust
partial parameters of it manually.
− The dynamic ARP address entry will be aged after the aging time if not used.
Scenario
The mapping of the IP address and MAC address is saved in the ARP address table.
Generally, the ARP address table is dynamically maintained by the device. The device
searches for the mapping between IP address and MAC address automatically according to
ARP. You just need to configure the device manually for preventing ARP dynamic learning
from cheating and adding static ARP address entries.
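A small model of the ARP table behaviour described above, added here as an example (not Raisecom code): static entries never age and are not overwritten by dynamic learning, dynamic entries age out after the aging time, and flush mirrors the flush arp command. The class and method names are assumptions; the 1200 s aging time and the Router binding 192.168.1.10 / 0050-8d4b-fd1e come from this section, the other addresses are constructed.

```python
from dataclasses import dataclass


def normalize_mac(mac):
    """Accept 0050-8d4b-fd1e, 00:50:8d:4b:fd:1e or 0050.8d4b.fd1e; return aa:bb:cc:dd:ee:ff."""
    digits = mac.lower().replace(':', '').replace('-', '').replace('.', '')
    if len(digits) != 12 or any(c not in '0123456789abcdef' for c in digits):
        raise ValueError(f'bad MAC address: {mac}')
    return ':'.join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class ArpEntry:
    mac: str
    iface: str
    static: bool
    last_seen: float      # seconds; ignored for static entries, which never age


class ArpTable:
    def __init__(self, aging_time=1200):
        self.aging_time = aging_time   # 'Arp aging time: 1200 (s)' in the show arp output
        self.entries = {}              # ip -> ArpEntry

    def add_static(self, ip, mac, iface):
        """arp static <ip> <mac> <interface>: manual binding, removed only manually."""
        self.entries[ip] = ArpEntry(normalize_mac(mac), iface, True, 0.0)

    def learn(self, ip, mac, iface, now):
        """Dynamic learning from a received ARP packet.

        Returns 'learned' (new/refreshed dynamic entry), 'ok' (matches the static
        binding) or 'rejected' (contradicts a static binding, i.e. a spoof attempt)."""
        mac = normalize_mac(mac)
        cur = self.entries.get(ip)
        if cur is not None and cur.static:
            return 'ok' if (cur.mac, cur.iface) == (mac, iface) else 'rejected'
        self.entries[ip] = ArpEntry(mac, iface, False, now)
        return 'learned'

    def lookup(self, ip):
        entry = self.entries.get(ip)
        return entry.mac if entry else None

    def age(self, now):
        """Drop dynamic entries unused for aging_time seconds; return the IPs aged out."""
        aged = sorted(ip for ip, e in self.entries.items()
                      if not e.static and now - e.last_seen >= self.aging_time)
        for ip in aged:
            del self.entries[ip]
        return aged

    def flush(self, kind='all'):
        """Model of 'flush arp [ all | dynamic | static ]'."""
        keep = {'all': lambda e: False,
                'dynamic': lambda e: e.static,
                'static': lambda e: not e.static}[kind]
        self.entries = {ip: e for ip, e in self.entries.items() if keep(e)}


if __name__ == '__main__':
    table = ArpTable(aging_time=1200)
    table.add_static('192.168.1.10', '0050-8d4b-fd1e', 'ge 1/0/1')   # the Router
    # Constructed reply claiming the Router's IP with another MAC on another port.
    print(table.learn('192.168.1.10', '02:00:00:00:00:99', 'ge 1/0/2', now=5))  # rejected
    print(table.learn('192.168.1.3', '02:00:00:00:00:03', 'ge 1/0/1', now=20))  # learned
    print(table.age(now=1220), table.lookup('192.168.1.10'))
```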
Prerequisite
N/A
The IP address in static ARP entry must belong to the IP network segment of
Layer 3 interface on the switch.
The static ARP entry needs to be added and deleted manually.
Configure static ARP entries for the device as below.
3.4.7 Maintenance
Maintain the device as below.
Command                                                Description
Raisecom(config)#flush arp [ all | dynamic | static ]  Clear all entries in the ARP address table.
Networking requirements
As shown in Figure 3-2, the device is connected to the host, and is also connected to the
upstream Router through GE 1/1/1. The IP address and subnet mask of the Router are
192.168.1.10/24, and its MAC address is 0050-8d4b-fd1e.
To improve communication security between the Switch and the Router, configure the
corresponding static ARP entry on the device.
Configuration steps
Step 1 Create VLAN 3.
Raisecom#configure
Raisecom(config)#vlan 3
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port hybrid pvid 3
Raisecom(config-ge-1/0/1)#port hybrid vlan 3 untagged
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface vlan 3
Raisecom(config-vlan3)#quit
Raisecom(config)#arp static 192.168.1.10 00:50:8d:4b:fd:1e ge 1/0/1
Checking results
Use the show arp command to show configurations of the ARP address table.
Raisecom#show arp
Arp aging time: 1200 (s)
Arp entry types: D-Dynamic, S-Static, I-Interface, DH-Dhcp, B-Bgp, INV-Invalid
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
3.5 NDP
3.5.1 Introduction
Neighbor Discovery Protocol (NDP) is a neighbor discovery mechanism used on IPv6 devices
in the same link. It is used to discover neighbors, obtain MAC addresses of neighbors, and
maintain neighbor information.
NDP obtains data link layer addresses of neighbor devices in the same link, namely, MAC
address, through the Neighbor Solicitation (NS) message and Neighbor Advertisement (NA)
message.
As shown in Figure 3-3, take Switch A for example. Switch A obtains the data link layer
address of Switch B as below:
Step 1 Switch A sends an NS message in multicast mode. The source address of the NS message is
the IPv6 address of the VLAN interface on Switch A, and the destination address is the
solicited-node multicast address of Switch B. The NS message also contains the data link layer
address of Switch A.
Step 2 After receiving the NS message, Switch B checks whether the destination address of the NS
message is the solicited-node multicast address corresponding to its own IPv6 address. If yes,
Switch B obtains the data link layer address of Switch A from the message and sends, in unicast
mode, an NA message containing its own data link layer address.
Step 3 After receiving the NA message from Switch B, Switch A obtains the data link layer address
of Switch B.
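The SLAAC address derivation from section 3.3 and the three-step NS/NA exchange above, as an added Python example (not Raisecom code). It builds the link-local and global addresses from a MAC-derived EUI-64 interface ID, computes the solicited-node multicast address an NS is sent to, and performs Switch B's check from Step 2. The MAC addresses and the 2001:db8:1::/64 prefix are constructed, and the additional target-address check in handle_ns is taken from RFC 4861 rather than from the guide.

```python
import ipaddress


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(':', '').replace('-', '').replace('.', ''))


def eui64_interface_id(mac):
    """Modified EUI-64: insert ff:fe in the middle of the MAC and flip the U/L bit."""
    b = bytearray(_mac_bytes(mac))
    b[0] ^= 0x02
    return bytes(b[:3]) + b'\xff\xfe' + bytes(b[3:])


def slaac_address(prefix, mac):
    """Combine a /64 prefix (fe80::/64 for link-local, or the one advertised by the local
    router) with the interface ID derived from the MAC address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError('SLAAC with an EUI-64 interface ID needs a /64 prefix')
    iid = int.from_bytes(eui64_interface_id(mac), 'big')
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address('ff02::1:ff00:0')) | low24)


def build_ns(src_addr, src_mac, target_addr):
    """Step 1: Switch A multicasts an NS to the target's solicited-node group and includes
    its own link-layer address (source link-layer address option)."""
    return {'type': 'NS', 'src': src_addr, 'dst': solicited_node_multicast(target_addr),
            'target': target_addr, 'src_lladdr': src_mac}


def handle_ns(my_addr, my_mac, ns):
    """Step 2: Switch B accepts the NS only if it is addressed to the solicited-node group
    of its own address (and names that address as target, per RFC 4861); it then learns
    A's link-layer address and answers with a unicast NA carrying its own."""
    if (ns['type'] != 'NS' or ns['dst'] != solicited_node_multicast(my_addr)
            or ns['target'] != my_addr):
        return None, None
    learned = (ns['src'], ns['src_lladdr'])
    na = {'type': 'NA', 'src': my_addr, 'dst': ns['src'], 'target': my_addr,
          'tgt_lladdr': my_mac}
    return learned, na


def handle_na(expected_target, na):
    """Step 3: Switch A takes B's link-layer address from the NA."""
    if na['type'] != 'NA' or na['target'] != expected_target:
        return None
    return (na['target'], na['tgt_lladdr'])


# Constructed MAC addresses for Switch A and Switch B of Figure 3-3.
MAC_A = '00:1e:c9:aa:bb:02'
MAC_B = '00:1e:c9:aa:bb:01'
LL_A = slaac_address('fe80::/64', MAC_A)         # link-local, within fe80::/10
LL_B = slaac_address('fe80::/64', MAC_B)
GLOBAL_B = slaac_address('2001:db8:1::/64', MAC_B)   # prefix as if advertised by a router

if __name__ == '__main__':
    print('Switch B link-local:', LL_B, ' global:', GLOBAL_B)
    ns = build_ns(LL_A, MAC_A, LL_B)
    print('NS sent to', ns['dst'])
    learned, na = handle_ns(LL_B, MAC_B, ns)
    print('B learned', learned, '; A learned', handle_na(LL_B, na))
```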
By sending ICMPv6 messages, IPv6 NDP also provides the following functions:
Verify whether the neighbor is reachable.
Detect duplicate addresses.
Discover routers or prefixes.
Automatically configure addresses.
Support redirection.
Scenario
IPv6 NDP not only implements IPv4 ARP, ICMP redirection, and ICMP device discovery, but
also supports detecting whether the neighbor is reachable.
Prerequisite
Connect interfaces.
Configure physical parameters to make interfaces Up at the physical layer.
Configure the IPv6 address of the VLAN interface.
3.5.7 Maintenance
Maintain the device as below.
Command                                                          Description
Raisecom(config)#flush ipv6 neighbor [ all | dynamic | static ]  Clear information about all IPv6 neighbors.
Default route
The default route is a special route that can be used only when there is no matched item in the
routing table. The default route appears as a route to network 0.0.0.0 (with mask 0.0.0.0) in
the routing table. You can show configurations of the default route by using the show ip route
command. If the device has not been configured with default route and the destination IP of
the packet is not in the routing table, the device will discard the packet and return an ICMP
packet to the Tx end to inform that the destination address or network is unavailable.
Static route
A static route is configured manually and places low demands on the system. It suits simple,
small, and stable networks. Its disadvantage is that it cannot adapt to network topology
changes automatically and needs manual intervention.
Scenario
Configure the static route for simple network topology manually to establish an
intercommunication network.
Prerequisite
Configure the IP address of the VLAN interface correctly.
Networking requirements
Configure the static route to enable any two hosts or devices successfully to ping through each
other, as shown in Figure 3-4.
Configuration steps
Step 1 Configure the IP address of each device. Detailed configurations are omitted.
Step 2 Configure the static routes on Switch A.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#ip route-static 10.1.1.0 255.255.255.0 10.1.2.4
SwitchA(config)#ip route-static 10.1.4.0 255.255.255.0 10.1.3.4
Step 3 Configure a default route on Switch B.
Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#ip route-static 0.0.0.0 0.0.0.0 10.1.2.3
Step 4 Configure a default route on Switch C.
Raisecom#hostname SwitchC
SwitchC#configure
SwitchC(config)#ip route-static 0.0.0.0 0.0.0.0 10.1.3.3
Step 5 Configure the default gateway of host A to 10.1.5.3, of host B to 10.1.1.3, and of host C to 10.1.4.3. Detailed configurations are omitted.
Checking results
Use the ping command to check that any two devices can reach each other.
SwitchA#ping 10.1.1.3
PING 10.1.1.3 : 64 data bytes
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=1
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=2
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=3
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=4
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=5
PING Statistics for 10.1.1.3
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/0/0
Overview
Traditionally, a packet is forwarded by looking up the forwarding table with the destination IP address of the packet. When packets must instead be forwarded according to their source IP address, packet length, or other attributes, a different routing mechanism is needed: policy routing.
Policy routing, as the name suggests, forwards packets according to a configured policy, which makes it more flexible than destination-based routing. When a router forwards a packet, it first matches the packet against the configured rules. If a rule matches, the packet is forwarded according to the associated forwarding policy. A rule can be based on a standard ACL, an extended ACL, or the packet length. The forwarding policy directs the packet according to the specified policy routing table and can also modify the IP precedence of the packet. Policy routing is therefore an effective enhancement to traditional IP routing.
Technical principle
Policy routing can route packets based on source IP address, destination IP address, protocol field, TCP source port, TCP destination port, UDP source port, or UDP destination port. Any configurable IP standard or extended ACL can be used as a matching rule for policy routing.
Policy routing determines the next-hop address or default address of an IP packet not simply from the destination IP address but from a combination of factors. For example, it can select the path for a packet based on the Differentiated Services Code Point (DSCP) field, source port number, destination port number, and source IP address. Policy routing can thus implement traffic engineering to some extent, letting flows with different Quality of Service (QoS) requirements or of different types (for example, voice and FTP) take different paths.
Policy routing gives network managers stronger control over packet forwarding than traditional routing protocols. Traditionally, a router forwards packets based on the destination address using routing tables derived from routing protocols. Policy routing is more capable and more flexible: it lets network managers choose forwarding paths based not only on the destination address but also on protocol type, packet size, application, or source IP address. A policy can, for example, balance load across multiple routers or split total traffic by service.
The implementation of policy routing relies on chip support. Policy routing converts software entries into hardware entries and stores them on the chip through commands or other configuration interfaces. When traffic passes through the chip, the chip filters it according to the policy routing hardware table.
Scenario
Policy routing can meet the requirements of routing based on source IP address, destination IP
address, protocol field, TCP source port number, TCP destination port number, UDP source
port number, or UDP destination port number.
Prerequisite
Configure the IP address of the VLAN interface and ACL.
Networking requirements
As shown below, define a policy route named aaa. IP packets received on GE interface 1/0/1 are sent out of GE interface 1/0/2 to the next hop 192.168.1.2. All other packets are forwarded according to the routing table lookup.
Figure (topology): Switch A with interfaces GE 1/0/1 (ingress), GE 1/0/2 (toward Switch B, 192.168.1.2/24), and GE 1/0/3 (toward Switch C).
Configuration steps
Step 1 Define ACL 1001 whose rule 1 matches all IP packets (any source, any destination) and permits them.
switch(config)#acl-ipv4 1001
switch(configure-acl-ipv4-1001)#rule 1 src-ip any dst-ip any
switch(configure-acl-ipv4-1001)#rule 1 action permit
Checking results
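The following Python model, added here as an illustration and not taken from the Raisecom guide, ties the default route, static route, and policy routing sections together: it performs the longest-prefix-match lookup that makes 0.0.0.0/0 a last resort, returns the ICMP unreachable outcome when nothing matches, and evaluates a policy route before the routing table, as policy route aaa does. The route entries are those of Switch A and Switch B in the static route example and of policy route aaa; the class names, the interface name strings, the lpm_demo() entries with 192.0.2.x next hops, and the drop result string are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str


@dataclass
class PolicyRoute:
    """Policy route 'aaa': ACL 1001 matches any IP packet, so the only
    distinguishing condition is the ingress interface (model assumption)."""
    name: str
    in_interface: str
    next_hop: str


@dataclass
class Switch:
    routes: List[Route] = field(default_factory=list)
    policies: List[PolicyRoute] = field(default_factory=list)

    def add_static(self, prefix: str, next_hop: str) -> None:
        # ip route-static <network> <mask> <next-hop>; 0.0.0.0/0.0.0.0 is the default route
        self.routes.append(Route(ipaddress.ip_network(prefix, strict=False), next_hop))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest prefix match. The default route has prefix length 0, so it
        only wins when no more specific entry contains the destination."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.next_hop if best else None

    def forward(self, dst: str, in_interface: str) -> str:
        # Policy routing is evaluated before the routing table: a matching
        # policy overrides the destination-based decision.
        for p in self.policies:
            if p.in_interface == in_interface:
                return p.next_hop
        nh = self.lookup(dst)
        if nh is None:
            # No matching entry and no default route: the packet is dropped and
            # an ICMP Destination Unreachable is returned to the sender.
            return "drop: ICMP destination unreachable"
        return nh


def switch_a() -> Switch:
    s = Switch()
    s.add_static("10.1.1.0/255.255.255.0", "10.1.2.4")
    s.add_static("10.1.4.0/255.255.255.0", "10.1.3.4")
    return s


def switch_b() -> Switch:
    s = Switch()
    s.add_static("0.0.0.0/0.0.0.0", "10.1.2.3")   # default route only
    return s


def lpm_demo() -> Switch:
    """Constructed table: a specific entry beside a default route."""
    s = Switch()
    s.add_static("0.0.0.0/0.0.0.0", "192.0.2.1")
    s.add_static("10.1.1.0/255.255.255.0", "192.0.2.2")
    return s


def policy_switch() -> Switch:
    s = switch_a()
    s.policies.append(PolicyRoute("aaa", "ge1/0/1", "192.168.1.2"))
    return s


if __name__ == "__main__":
    a, b, d, p = switch_a(), switch_b(), lpm_demo(), policy_switch()
    print("SwitchA 10.1.1.3 ->", a.lookup("10.1.1.3"))              # 10.1.2.4
    print("SwitchA 10.1.9.9 ->", a.forward("10.1.9.9", "ge1/0/2"))  # unreachable
    print("SwitchB 10.1.9.9 ->", b.lookup("10.1.9.9"))              # 10.1.2.3 (default)
    print("demo    10.1.1.5 ->", d.lookup("10.1.1.5"))              # 192.0.2.2 (longer prefix wins)
    print("PBR in ge1/0/1   ->", p.forward("10.1.1.3", "ge1/0/1"))  # 192.168.1.2
```

The point to notice is the ordering: a policy route is consulted before any routing table lookup, so a packet matching it never benefits from a more specific static route, and a device without a default route answers unknown destinations with an ICMP unreachable rather than silently dropping them.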
4 DHCP
This chapter describes basic principles and configuration procedures of DHCP, and provides related configuration examples, including the following sections:
ZTP
DHCP Client
DHCP Server
DHCP Relay
4.1 ZTP
4.1.1 Introduction
Zero Touch Provisioning (ZTP) means that the device needs no manual configuration: it automatically sends DHCP packets to request an IP address from the ZTP server and, after obtaining the IP address, automatically downloads the configuration file from the ZTP server to update its configuration. Figure 4-1 shows ZTP server networking.
By default, ZTP is enabled on the device. To disable it, configure the device to common client mode. Because ZTP runs automatically on an unconfigured device and applies whatever configuration file the server provides, make sure that only the intended DHCP/ZTP server can answer the device's DHCP requests before powering it on.
Scenario
To enable the remote device to automatically apply for the IP address after being powered on,
configure ZTP. To configure ZTP parameters, see the following section.
Prerequisite
Connect the device to the DHCP server correctly. Configure the DHCP server correctly.
Configure the interface connected to the ZTP server to be Up.
Configure the upstream switch to allow packets of a VLAN of the remote device to pass.
Leave no configurations on the device.
A typical DHCP deployment consists of one DHCP server and multiple clients (such as PCs or laptops), as shown in Figure 4-2.
DHCP ensures rational allocation of IP addresses, avoids waste, and improves the utilization of IP addresses on the entire network.
Figure 4-3 shows the structure of a DHCP packet. The DHCP packet is encapsulated in a UDP datagram.
The device can work as a DHCP client and obtain an IP address from the DHCP server for later management, as shown in Figure 4-4.
Scenario
As a DHCP client, the device obtains the IP address from the DHCP server.
When IP addresses are assigned dynamically, the IP address assigned to the DHCP client is valid only for a lease period. The DHCP server reclaims the IP address when the lease expires, so the DHCP client has to renew the lease to keep using the address. The DHCP client can also release the IP address before the lease expires if it no longer needs it.
If the DHCP client obtains its IP address from the DHCP server through multiple DHCP relay devices, we recommend that the number of relay devices on the path be smaller than 4.
Prerequisite
Create a VLAN. Add the Layer 3 interface to the VLAN.
DHCP Snooping is disabled.
Networking requirements
As shown in Figure 4-5, the Switch works as a DHCP client with the host name raisecom. The Switch is connected to the DHCP server and the NMS. The DHCP server assigns an IP address to the management (SNMP) interface of the Switch so that the NMS can manage the Switch.
Configuration steps
Step 1 Configure the DHCP client.
Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#dhcp client hostname ascii raisecom
Checking results
Use the show dhcp client command to show configurations of DHCP Client.
------------------------------------------------------------
Current state : Bound
Allocated IP : 192.168.1.2
Subnet Mask : 255.255.255.0
Server IP : 192.168.1.1
DHCP application
Under normal circumstances, use a DHCP server to assign IP addresses in the following situations:
The network is large. Manual configuration requires much work, and it is difficult to manage the entire network centrally.
The number of hosts on the network is greater than the number of available IP addresses, so a fixed IP address cannot be assigned to each host; this also limits the number of users connected to the network simultaneously.
Only a minority of hosts on the network need fixed IP addresses; most hosts do not.
After a DHCP client obtains an IP address from the DHCP server, it cannot use the IP address permanently but only for a fixed period, called the lease period. You can specify the duration of the lease period.
DHCP ensures rational allocation of IP addresses, avoids waste, and improves the utilization of IP addresses on the entire network.
The device, as the DHCP server, assigns dynamic IP addresses to clients, as shown in Figure
4-6.
DHCP packets
Figure 4-7 shows the structure of a DHCP packet. The DHCP packet is encapsulated in a UDP
data packet.
DHCPv6
DHCPv6 is a protocol that runs between clients and servers. Like DHCP for IPv4, all of its protocol packets are carried over UDP. However, because IPv6 has no broadcast, DHCPv6 uses multicast packets to reach servers, so clients do not need to be configured with the server's IPv6 address.
Scenario
When working as the DHCPv4 server, the device can assign IP addresses to DHCPv4 clients.
Prerequisite
Configure the IP address of the interface.
Disable DHCP Client and DHCP Relay on the interface.
4.3.11 Maintenance
Maintain the device as below.
Command: Raisecom(config)#reset dhcp server statistics
Description: Clear statistics on the DHCP server.
Command: Raisecom(config)#reset dhcpv6 statistics
Description: Clear statistics on the DHCPv6 server.
Networking requirements
As shown in Figure 4-8, the switch as a DHCP server assigns IP addresses to DHCP clients.
The lease period is 8h. The name of the IP address pool is pool. The range of IP addresses is
172.31.1.2–172.31.1.100. The IP address of the DNS server is 172.31.100.1.
Configuration steps
Step 1 Create an IP address pool, and configure it.
Raisecom#configure
Raisecom(config)#dhcp start
Raisecom(config)#dhcp server pool 1
Raisecom(config-dhcp-pool-1)#ip range 172.31.1.2 172.31.1.100 mask 255.255.255.0
Raisecom(config-dhcp-pool-1)#lease-time day 0 hour 8 minute 0
Raisecom(config-dhcp-pool-1)#dns 172.31.100.1
Raisecom(config-dhcp-pool-1)#exit
Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#ip address 172.31.1.1/24
Raisecom(config-vlanif-1)#dhcp enable server
Checking results
Use the show dhcp server config command to show configurations of DHCP Server.
Use the show dhcp server pool command to show configurations of the address pool of the
DHCP server.
When a DHCP client sends a request through a DHCP relay, the relay processes the request and forwards it to the DHCP server in the specified network segment. The DHCP server returns the requested information to the DHCP client through the relay, completing dynamic configuration of the client.
Scenario
When the DHCP client and DHCP server are in different network segments, use DHCP Relay to forward DHCP protocol packets across segments to the destination DHCP server, so that clients in different segments can share one DHCP server.
Prerequisite
N/A
4.4.9 Maintenance
Maintain the device as below.
Command: Raisecom(config)#reset dhcp relay statistics
Description: Clear statistics on DHCP Relay.
Command: Raisecom(config)#reset dhcpv6 statistics
Description: Clear statistics on DHCPv6 Relay.
Networking requirements
As shown in Figure 4-10, the switch works as the DHCP relay device. The host name is
raisecom. The switch is connected to the DHCP server through a service interface. The DHCP
server assigns IP addresses to clients so that the NMS can discover and manage these clients.
Configuration steps
Step 1 Enable DHCP Relay on the interface and specify the DHCP server address.
Raisecom#configure
Raisecom(config)#dhcp start
Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#ip address 192.168.1.1/24
Raisecom(config-vlanif-1)#dhcp enable relay
Raisecom(config-vlanif-1)#dhcp relay server-ip 10.0.0.1
Raisecom(config-vlanif-1)#exit
Checking results
Use the show dhcp relay config command to show configurations of DHCP Relay.
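To make the client, server, and relay examples concrete, here is an added Python example (not part of the guide and not Raisecom code) that builds, relays, and parses DHCPv4 packets with the fixed RFC 2131 header and TLV options: the client's option 12 host name raisecom, the server's 8-hour lease (option 51) and DNS server 172.31.100.1 (option 6) from the pool example, and the relay's giaddr 192.168.1.1 from the relay example. The transaction ID, the client MAC, the assigned address 172.31.1.2, and the relay hop limit of 3 (derived from the recommendation of fewer than 4 relays) are assumptions of this example. The option parser refuses truncated options instead of reading past the buffer, which is the check a practitioner wants in anything that parses DHCP from the wire.

```python
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 options magic cookie
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"  # op htype hlen hops xid secs flags ci yi si gi chaddr sname file
MAX_RELAY_HOPS = 3                     # assumption: fewer than 4 relays on the path


def _ip(s: str) -> bytes:
    return socket.inet_aton(s)


def build(op, xid, yiaddr, siaddr, giaddr, hops, mac, options) -> bytes:
    """Fixed 236-byte header + magic cookie + TLV options + end marker."""
    header = struct.pack(FIXED, op, 1, 6, hops, xid, 0, 0x8000,   # Ethernet, 6-byte MAC, broadcast flag
                         _ip("0.0.0.0"), _ip(yiaddr), _ip(siaddr), _ip(giaddr),
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC + body + b"\xff"


def parse(pkt: bytes) -> dict:
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (short or missing magic cookie)")
    op, _htype, hlen, hops, xid, _secs, _flags, _ci, yi, _si, gi, chaddr, _sn, _fn = struct.unpack(FIXED, pkt[:236])
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                   # end option
            break
        if code == 0:                     # pad option
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option %d" % code)   # never read past the buffer
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "yiaddr": socket.inet_ntoa(yi),
            "giaddr": socket.inet_ntoa(gi), "chaddr": chaddr[:hlen], "options": options}


def client_discover(hostname="raisecom", xid=0x1A2B3C4D, mac=bytes.fromhex("001122334455")) -> bytes:
    # 'dhcp client hostname ascii raisecom' -> option 12; option 55 requests mask, router, DNS, lease
    return build(BOOTREQUEST, xid, "0.0.0.0", "0.0.0.0", "0.0.0.0", 0, mac,
                 [(53, bytes([DHCPDISCOVER])), (12, hostname.encode()), (55, bytes([1, 3, 6, 51]))])


def relay(pkt: bytes, relay_ip: str) -> bytes:
    """What 'dhcp enable relay' does on the way to the server: set giaddr to the
    relay's interface address if it is still 0.0.0.0 and increment hops."""
    p = parse(pkt)
    if p["hops"] + 1 > MAX_RELAY_HOPS:
        raise ValueError("packet already crossed %d relays" % p["hops"])
    giaddr = relay_ip if p["giaddr"] == "0.0.0.0" else p["giaddr"]
    return pkt[:3] + bytes([p["hops"] + 1]) + pkt[4:24] + _ip(giaddr) + pkt[28:]


def server_offer(discover: bytes, yiaddr="172.31.1.2", server="172.31.1.1",
                 mask="255.255.255.0", dns="172.31.100.1", lease_seconds=8 * 3600) -> bytes:
    """Reply as pool 1 above would: lease 8 h, DNS 172.31.100.1. giaddr is
    copied back so the relay can return the offer to the client's segment."""
    d = parse(discover)
    return build(BOOTREPLY, d["xid"], yiaddr, server, d["giaddr"], 0, d["chaddr"],
                 [(53, bytes([DHCPOFFER])), (54, _ip(server)), (51, struct.pack("!I", lease_seconds)),
                  (1, _ip(mask)), (6, _ip(dns))])


def offer_summary(offer: bytes) -> dict:
    o = parse(offer)
    opts = o["options"]
    return {"yiaddr": o["yiaddr"], "server": socket.inet_ntoa(opts[54]), "mask": socket.inet_ntoa(opts[1]),
            "dns": socket.inet_ntoa(opts[6]), "lease_seconds": struct.unpack("!I", opts[51])[0],
            "giaddr": o["giaddr"]}


if __name__ == "__main__":
    disc = relay(client_discover(), "192.168.1.1")       # client -> relay on VLAN 1 (192.168.1.1)
    p = parse(disc)
    print("hops", p["hops"], "giaddr", p["giaddr"], "hostname", p["options"][12])
    print(offer_summary(server_offer(disc)))
```

The relay leaves the client's transaction ID and MAC untouched and only fills giaddr and hops; the server answers to giaddr, which is why the relay interface address (192.168.1.1 in the example) must be routable from the DHCP server at 10.0.0.1.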
5 QoS
This chapter describes basic principles and configuration procedures for QoS, and provides
related configuration examples, including the following sections:
Introduction
Priority mapping
Queue scheduling
Congestion avoidance
Rate limiting
5.1 Introduction
As network applications become more diverse, users have different Quality of Service (QoS) requirements for them. The network should therefore distribute and schedule resources for different applications as required. When the network is overloaded or congested, QoS ensures timeliness and integrity of services and keeps the entire network running efficiently.
QoS is composed of a group of flow management technologies:
Service model
Priority trust
Traffic classification
Traffic policy
Priority mapping
Congestion management
Best-effort
Best-effort is the most basic and simplest service model on the Internet (the IPv4 standard), based on the store-and-forward mechanism. In the best-effort model, an application can send any number of packets at any time without prior permission and without notifying the network. The network delivers the packets as well as it can, but it guarantees neither delay nor reliability.
Best-effort is the default Internet service model today and suits most network applications, such as FTP and email. It is implemented with a First In First Out (FIFO) queue.
DiffServ
The DiffServ model is a multi-service model that can satisfy different QoS requirements. It does not need to maintain state for each flow; it provides differentiated services according to the QoS class of each packet. Packets can be classified in many ways, such as by IP precedence, source address, or destination address.
DiffServ is generally used to provide end-to-end QoS for a number of important applications and is implemented through the following techniques:
Committed Access Rate (CAR): CAR classifies packets according to preconfigured matching rules, such as IP precedence, source address, or destination address. If a flow conforms to its token bucket, the system continues to send its packets; otherwise it discards the packets or re-marks their IP precedence, DSCP, or EXP value. CAR can therefore not only police flows but also mark and re-mark packets.
Queuing technology: the SP, WRR, WFQ, SP+WRR, and SP+WFQ queuing technologies buffer and schedule packets during congestion to implement congestion management.
Priority mapping
Class of Service (CoS) is the service class of a packet within the device; it determines which queue the packet belongs to. There are 8 CoS values, corresponding to 8 Per-Hop Behaviors (PHBs). From high to low priority they are CS7, CS6, EF, AF4, AF3, AF2, AF1, and BE. For a description of PHBs, see the PHB section below.
The color is the drop precedence of a packet within the device; it determines the order in which packets in the same queue are discarded when congestion occurs. There are three colors, in order of increasing drop precedence: green, yellow, and red. The actual drop behavior depends on the configured congestion avoidance parameters.
The processing applied to packets at each DS node is called a PHB. A PHB describes the externally visible forwarding behavior a DS node applies to packets. It can be defined by priority or by observable service characteristics such as delay, jitter, and packet loss rate. A PHB defines only externally visible forwarding behavior and does not specify the implementation.
The RFCs define four standard PHB groups: Class Selector (CS), Expedited Forwarding (EF), Assured Forwarding (AF), and Best Effort (BE). BE is the default PHB.
RFC 2474 defines the Class Selector code points; on this device, CS6 and CS7 are used as two distinct levels. RFC 2597 divides AF into four classes, AF1 to AF4. This gives 8 PHB levels in total, and each PHB corresponds to a CoS within the device. The CoS determines the congestion management policy for a flow. In addition, each PHB is further divided into three colors (also called drop precedence): green, yellow, and red. The color determines the congestion avoidance policy for a flow.
Priority trust
Priority trust means that the device uses priority of packets for classification and performs
QoS management.
The device supports packet priority trust based on interface, including:
Differentiated Services Code Point (DSCP) priority
IEEE 802.1p inner priority
IEEE 802.1p outer priority
Scenario
You can either trust the priority carried in packets from an upstream device or process packets with untrusted priority through traffic classification and traffic policy. After the device is configured to trust priority, it processes packets according to their priority and provides service accordingly.
Assigning a local priority to packets is the prerequisite for queue scheduling. For packets from an upstream device, you can map the external priority carried in the packets to local priorities, or configure a local priority for packets based on the interface. The device then schedules queues according to the local priority. Generally, IP packets need a mapping from IP precedence or DSCP to local priority, while VLAN packets need a mapping from IEEE 802.1p priority to local priority.
Prerequisite
N/A
Table 5-1 Default mapping from the IEEE 802.1p ingress direction to local priority and color
IEEE 802.1p priority PHB Color
0 BE green
1 AF1 green
2 AF2 green
3 AF3 green
4 AF4 green
5 EF green
6 CS6 green
7 CS7 green
Table 5-2 Default mapping from the IEEE 802.1p egress direction to local priority and color
PHB Color IEEE 802.1p priority
BE green 0
BE yellow 0
BE red 0
AF1 green 1
Table 5-3 Default mapping from the DSCP ingress direction to local priority and color
DSCP PHB Color
0 BE green
1 BE green
2 BE green
3 BE green
32 AF4 green
33 BE green
34 AF4 green
35 BE green
Table 5-4 Default mapping from the DSCP egress direction to local priority and color
PHB Color DSCP
BE green 0
BE yellow 0
BE red 0
WRR: on the basis of cyclic scheduling by priority, the device schedules packets according to the weight of each queue, measured in bits, as shown in Figure 5-2.
WFQ: similar to WRR; on the basis of polling the queues in the scheduling sequence, the device schedules packets according to the weight of each queue, measured in packets (see the DRR scheduling figure).
SP+WRR: a scheduling mode combining SP and WRR. The queues on an interface are divided into 2 groups: some queues use SP scheduling and the others use WRR scheduling.
SP+WFQ: a scheduling mode combining SP and WFQ. The queues on an interface are divided into 2 groups: some queues use SP scheduling and the others use WFQ scheduling.
Scenario
When the network is congested, configure queue scheduling if you want to:
Balance the delay and delay jitter of different packets and preferentially process packets of key services (such as video and voice).
Process packets of secondary services (such as email) with identical priority fairly.
Process packets of different priorities according to their respective weights.
Which scheduling algorithm to choose depends on the current services and customer requirements.
Prerequisite
Enable global QoS.
5.3.9 Maintenance
Maintain the device as below.
Command: Raisecom(config)#reset queue statistics interface interface-type interface-number
Description: Clear queue packet statistics on the specified interface.
Command: Raisecom(config)#reset queue statistics interface all
Description: Clear queue packet statistics on all interfaces.
Networking requirements
As shown in Figure 5-4, the user uses voice, video and data services.
The CoS of voice services is 5, the CoS of video services is 4, and the CoS of data services is
2.
Congestion can easily occur on Switch A. To reduce network congestion, make the following
rules according to different services types:
For voice services, perform SP scheduling to assign voice services with a high priority.
For video services, perform WRR scheduling, with weight of 50.
For data services, perform WRR scheduling, with weight of 20.
Configuration steps
Step 1 Configure the interface to trust the outer IEEE 802.1p priority of packets and map it to the local priority.
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#trust 8021p outer
SwitchA(config-ge-1/0/2)#quit
Step 2 Configure SP+WRR scheduling: queue 5 (voice) uses SP, queue 4 (video) has WRR weight 50, and queue 2 (data) has WRR weight 20.
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#queue scheduling sp+wrr queue 5
SwitchA(config-ge-1/0/2)#queue 4 weight 50
SwitchA(config-ge-1/0/2)#queue 2 weight 20
SwitchA(config-ge-1/0/2)#quit
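As an added illustration (not from the guide) of the SP+WRR configuration above, the following Python scheduler serves queue 5 with strict priority and queues 4 and 2 by weighted round robin with weights 50 and 20, and reports the order in which queues are served. Counting weights in packets instead of bits, the queue depths, and the packet labels are simplifications of this example. It also makes visible the side effect a practitioner should expect from strict priority: as long as voice packets are waiting, the WRR queues get nothing.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional, Tuple


class SpWrrScheduler:
    """SP+WRR: every queue in `sp_queues` is drained first, highest number
    first; the remaining queues share the leftover slots in proportion to
    their WRR weights (weight counts packets here, a simplification)."""

    def __init__(self, sp_queues: Iterable[int], wrr_weights: Dict[int, int]):
        self.sp = sorted(sp_queues, reverse=True)
        self.weights = dict(wrr_weights)
        self.order = sorted(self.weights)            # cyclic visiting order for WRR
        self.ptr = 0
        self.credit = {q: 0 for q in self.weights}
        self.queues = {q: deque() for q in list(self.sp) + self.order}

    def enqueue(self, queue: int, packet) -> None:
        self.queues[queue].append(packet)

    def dequeue(self) -> Optional[Tuple[int, object]]:
        for q in self.sp:                            # strict priority queues first
            if self.queues[q]:
                return q, self.queues[q].popleft()
        active = [q for q in self.order if self.queues[q]]
        if not active:
            return None
        if all(self.credit[q] <= 0 for q in active):   # new WRR round: refill credits
            for q in self.order:
                self.credit[q] = self.weights[q]
        for _ in range(len(self.order)):
            q = self.order[self.ptr]
            self.ptr = (self.ptr + 1) % len(self.order)
            if self.queues[q] and self.credit[q] > 0:
                self.credit[q] -= 1
                return q, self.queues[q].popleft()
        return None   # not reached: after a refill every active queue has credit


def service_order(voice: int, video: int, data: int) -> List[int]:
    """Queue numbers in the order served when `voice` packets wait in queue 5,
    `video` in queue 4 and `data` in queue 2 (all enqueued before scheduling starts)."""
    sched = SpWrrScheduler(sp_queues=[5], wrr_weights={4: 50, 2: 20})
    for q, n in ((5, voice), (4, video), (2, data)):
        for i in range(n):
            sched.enqueue(q, f"q{q}-{i}")
    served = []
    while (item := sched.dequeue()) is not None:
        served.append(item[0])
    return served


def share(order: List[int], start: int, length: int) -> Dict[int, int]:
    """Packets per queue inside one window of the service order."""
    window = order[start:start + length]
    return {q: window.count(q) for q in sorted(set(window))}


if __name__ == "__main__":
    order = service_order(voice=60, video=100, data=100)
    print("first 60 slots:", share(order, 0, 60))     # {5: 60}: voice pre-empts everything
    print("next 70 slots: ", share(order, 60, 70))    # {2: 20, 4: 50}: the 50:20 WRR split
```

Within each WRR round of 70 slots the video queue gets 50 and the data queue 20, which is the ratio the queue 4 weight 50 and queue 2 weight 20 commands request; the strict-priority queue should therefore be reserved for traffic whose rate is already bounded (for example by rate limiting), or it can starve the others.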
Checking results
Use the following command to show the priority trust mode on the interface.
RED
Random Early Detection (RED) discards packets randomly and so prevents many TCP connections from reducing their transmission rate at the same time, avoiding TCP global synchronization.
The RED algorithm configures a minimum threshold and a maximum threshold for the length of each queue. Then:
Packets are not discarded when the queue length is smaller than the minimum threshold.
All arriving packets are discarded when the queue length is greater than the maximum threshold.
Arriving packets are discarded randomly when the queue length is between the minimum and maximum thresholds; the longer the queue, the higher the drop probability.
WRED
Weighted Random Early Detection (WRED) also avoids TCP global synchronization by discarding packets randomly. However, its drop parameters depend on the priority of the queue and on the color of the packet, so different drop policies apply to packets of different colors: high-priority packets are favored and have a lower drop probability.
Scenario
To avoid network congestion and solve the problem of TCP global synchronization, you can
configure congestion avoidance to adjust network flow and relieve network overload.
Prerequisite
N/A
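The following Python example, added here and not from the guide, implements the RED decision described above (no drops below the minimum threshold, certain drops above the maximum, a linear ramp in between) and extends it to WRED by keeping one threshold profile per color, so that green is dropped less than yellow and yellow less than red at the same queue length. The threshold values, the use of a smoothed average queue length, and the seeded random source are constructed for the example.

```python
import random
from typing import Dict, Tuple


class Wred:
    """profiles: colour -> (min_threshold, max_threshold, max_drop_probability),
    thresholds in packets. A plain RED queue is a Wred with a single profile."""

    def __init__(self, profiles: Dict[str, Tuple[int, int, float]], weight: float = 0.002, seed: int = 1):
        self.profiles = profiles
        self.weight = weight              # EWMA weight for the average queue length
        self.avg = 0.0
        self.rng = random.Random(seed)    # seeded so the simulation is repeatable

    def drop_probability(self, colour: str, queue_len: float) -> float:
        lo, hi, p_max = self.profiles[colour]
        if queue_len < lo:
            return 0.0                    # below the minimum threshold: never drop
        if queue_len >= hi:
            return 1.0                    # at or above the maximum threshold: drop everything
        return p_max * (queue_len - lo) / (hi - lo)   # linear ramp in between

    def arrive(self, colour: str, queue_len: int) -> bool:
        """Return True if the arriving packet is dropped. RED decides on the
        smoothed average queue length so that short bursts are tolerated."""
        self.avg = (1 - self.weight) * self.avg + self.weight * queue_len
        return self.rng.random() < self.drop_probability(colour, self.avg)


def drop_fraction(wred: Wred, colour: str, queue_len: int, n: int = 20000) -> float:
    """Fraction of n arrivals dropped while the queue sits at a constant length."""
    wred.avg = float(queue_len)           # start with the average already converged
    return sum(wred.arrive(colour, queue_len) for _ in range(n)) / n


# Constructed profiles: green is protected longest, red is shed first.
PROFILES = {"green": (60, 100, 0.10), "yellow": (40, 80, 0.30), "red": (20, 60, 0.50)}

if __name__ == "__main__":
    w = Wred(PROFILES)
    for q in (10, 30, 50, 70, 90, 100):
        print(q, {c: round(w.drop_probability(c, q), 3) for c in PROFILES})
    print("measured green drop at length 80:", drop_fraction(Wred(PROFILES), "green", 80))  # about 0.05
```

At queue length 50, for instance, green packets are never dropped, yellow ones with probability 0.075, and red ones with probability 0.375; the ordering of the three profiles is what turns the color assigned by priority mapping or CAR into a differentiated loss rate.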
Scenario
When the network is congested, you may want to restrict burst traffic on an interface or VLAN so that packets are transmitted at an even rate and the congestion is relieved. In this case, configure rate limiting.
Prerequisite
N/A
Networking requirements
As shown in Figure 5-5, User A, User B, and User C are respectively connected to the device
by Switch A, Switch B, and Switch C.
User A uses voice and video services. User B uses voice, video and data services. User C uses
video and data services.
According to service requirements, make rules as below.
Provide User A with 25 Mbit/s guaranteed bandwidth, discarding excess flow.
Provide User B with 35 Mbit/s guaranteed bandwidth, discarding excess flow.
Provide User C with 30 Mbit/s guaranteed bandwidth, discarding excess flow.
Configuration steps
Step 1 Configure interface-based rate limiting.
Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#rate-limit in kbps 25000
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#rate-limit in kbps 35000
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#rate-limit in kbps 30000
Raisecom(config-ge-1/0/3)#exit
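The CAR description in the QoS introduction and the rate-limit commands above both rely on a token bucket. As an added example (not Raisecom code), the following Python policer forwards a packet only when the bucket holds enough tokens and discards the excess, which is what rate-limit in kbps 25000 does to User A's traffic. The burst size of 15000 bytes, the 1500-byte packets, and the constant-rate traffic generator are assumptions of this example.

```python
from typing import Iterable, Iterator, Tuple


class TokenBucket:
    """Single-rate policer behind 'rate-limit in kbps <rate>': tokens (bytes)
    accrue at the committed rate up to the bucket depth; a packet is forwarded
    only if it can pay for itself, otherwise it is excess and is discarded."""

    def __init__(self, rate_kbps: int, burst_bytes: int):
        self.rate_bps = rate_kbps * 1000 / 8      # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)          # the bucket starts full
        self.last = 0.0

    def conform(self, now: float, size: int) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bps)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                              # excess: CAR 'drop' action


def constant_stream(mbps: float, size: int, seconds: float) -> Iterator[Tuple[float, int]]:
    """Constructed traffic: `size`-byte packets evenly spaced at `mbps`."""
    interval = size * 8 / (mbps * 1e6)
    t = 0.0
    while t < seconds:
        yield t, size
        t += interval


def police(bucket: TokenBucket, packets: Iterable[Tuple[float, int]]) -> dict:
    forwarded = dropped = 0
    for t, size in packets:
        if bucket.conform(t, size):
            forwarded += size
        else:
            dropped += size
    return {"forwarded_bytes": forwarded, "dropped_bytes": dropped}


def user_a_rate_mbps(offered_mbps: float, seconds: float = 1.0) -> float:
    """Throughput User A gets through 'rate-limit in kbps 25000' (burst 15000 B assumed)."""
    r = police(TokenBucket(25000, 15000), constant_stream(offered_mbps, 1500, seconds))
    return r["forwarded_bytes"] * 8 / 1e6 / seconds


if __name__ == "__main__":
    print("offer 50 Mbit/s ->", round(user_a_rate_mbps(50), 2), "Mbit/s")   # about 25.1
    print("offer 20 Mbit/s ->", round(user_a_rate_mbps(20), 2), "Mbit/s")   # about 20.0, nothing dropped
    print("20 back-to-back packets:", police(TokenBucket(25000, 15000), [(0.0, 1500)] * 20))
```

The burst depth is what lets a short burst through at line rate before the policer clamps the flow to the committed rate; a flow that stays under 25 Mbit/s is never touched, and a burst larger than the bucket is cut off after the first 15000 bytes regardless of how short it is.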
6 Multicast
This chapter describes basic principles and configuration procedures for multicast, and
provides related configuration examples, including the following sections:
Multicast
IGMP Snooping
MLD Snooping
6.1 Multicast
With the continuous development of the Internet, more and more interactive data, voice, and video of various types appear on the network, and services such as e-commerce, online meetings, online auctions, video on demand, and remote learning keep growing. These services place higher demands on network bandwidth, information security, and paid features. Traditional unicast and broadcast cannot meet these requirements well; multicast does.
Multicast is a point-to-multipoint transmission method. It solves the problem of a single sender and multiple receivers efficiently: during transmission, multicast saves network resources and improves information security.
Multicast: when some users on the network need the same information, the sender sends it only once, and the information is replicated and distributed only at the fork points where the paths to the receivers diverge.
As shown in Figure 6-1, assume that User B and User C need the information. With multicast, User B and User C are combined into a receiver set, and the source sends only one copy. Each switch on the network builds its multicast forwarding table according to IGMP packets and finally delivers the information to the actual receivers, User B and User C.
In summary, unicast suits a network with sparse users and broadcast suits a network with dense users. When the number of users is uncertain, unicast and broadcast are inefficient. When the number of users doubles and redoubles, multicast does not need more backbone bandwidth; it sends the information only to the users who need it. These advantages make multicast a hot topic in current network technology research.
Multicast address
To make multicast source and multicast group members communicate across the Internet, you
need to provide network layer multicast address and link layer multicast address, namely, the
IP multicast address and multicast MAC address.
IP multicast address
Internet Assigned Numbers Authority (IANA) assigns Class D address space to IPv4 multicast;
the IPv4 multicast address ranges from 224.0.0.0 to 239.255.255.255.
Multicast MAC address
When Ethernet transmits unicast IP packets, it uses the MAC address of the receiver as the destination MAC address. When multicast packets are transmitted, however, the destination is not a specific receiver but a group with an unknown number of members, so Ethernet uses a multicast MAC address.
The multicast MAC address identifies the receivers of the same multicast group at the link layer. According to IANA, the high 24 bits of the multicast MAC address are 0x01005E, the next bit (bit 25) is fixed to 0, and the low 23 bits are copied from the low 23 bits of the IPv4 multicast address.
Figure 6-3 shows the mapping between the IPv4 multicast address and the multicast MAC address.
Figure 6-3 Mapping between IPv4 multicast address and multicast MAC address
The first 4 bits of an IPv4 multicast address are 1110, the multicast identifier. Of the remaining 28 bits, only 23 are mapped into the multicast MAC address; the 5 bits that are lost cause 32 IPv4 multicast addresses to map to the same multicast MAC address. Therefore, at Layer 2, the device may receive data for other IPv4 multicast groups besides the one it joined, and this extra multicast data has to be filtered by the upper layer on the device.
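The following Python example, added here and not taken from the guide, performs the IPv4-to-MAC mapping described above, enumerates the 32 groups that collide on one MAC address, and shows why the Layer 2 forwarding table alone is not enough: with the static members 225.1.1.1 to 225.1.1.3 from the example later in this chapter, traffic to 239.129.1.1 or 224.1.1.1 carries the same destination MAC and is forwarded at Layer 2, and only the IP layer filters it out. The function names are this example's own.

```python
import ipaddress
from typing import Iterable, List


def multicast_mac(group: str) -> str:
    """01:00:5e, a fixed 0 bit, then the low 23 bits of the IPv4 group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = (0x01005E << 24) | (int(addr) & 0x7FFFFF)   # bit 23 of the low half stays 0
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def aliases(group: str) -> List[str]:
    """The 32 IPv4 groups that share this group's MAC: address bits 23 to 27
    are discarded by the mapping, so they can take any of 32 values."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address((0xE << 28) | (bits << 23) | low23)) for bits in range(32)]


def l2_forwards(joined: Iterable[str], incoming: str) -> bool:
    """A Layer 2 entry keyed on the MAC address passes every alias of a joined group."""
    macs = {multicast_mac(g) for g in joined}
    return multicast_mac(incoming) in macs


def l3_accepts(joined: Iterable[str], incoming: str) -> bool:
    """The IP layer compares the full group address and drops the aliases."""
    return incoming in set(joined)


if __name__ == "__main__":
    print(multicast_mac("225.1.1.1"))                  # 01:00:5e:01:01:01
    print(sorted(aliases("225.1.1.1"))[:4], "...")
    joined = ["225.1.1.1", "225.1.1.2", "225.1.1.3"]  # static members from the example
    for g in ("225.1.1.1", "239.129.1.1", "224.1.1.1", "225.1.1.9"):
        print(g, "L2 forwards:", l2_forwards(joined, g), "L3 accepts:", l3_accepts(joined, g))
```

When choosing group addresses for a deployment, pick groups whose low 23 bits differ, so that unrelated streams do not land on one MAC entry and consume bandwidth on every interface that joined any of them.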
IGMP, a protocol in the TCP/IP suite, manages IPv4 multicast group membership. It runs between multicast routers and hosts and defines how group membership is established and maintained between them. IGMP is not involved in exchanging or maintaining group membership between multicast routers; that is done by the multicast routing protocol.
IGMP manages group members through the exchange of IGMP packets between hosts and the multicast router. IGMP packets are encapsulated in IP packets and include Query, Report, and Leave packets. The basic functions of IGMP are as follows:
A host sends Report packets to join a multicast group, sends Leave packets to leave it, and decides by itself which multicast group's packets to receive.
The multicast router sends Query packets periodically and receives Report and Leave packets from hosts to learn which multicast groups have members on the connected segment. Multicast data is forwarded to the segment if the group has members there and is not forwarded otherwise.
So far IGMP has three versions: IGMPv1, IGMPv2, and IGMPv3. Each newer version is backward compatible with the older ones. Currently the most widely used version is IGMPv2; IGMPv1 does not support the Leave packet.
Layer 2 multicast runs on Layer 2 devices between the host and multicast router.
Layer 2 multicast manages and controls multicast groups by monitoring and analyzing the IGMP packets exchanged between hosts and multicast routers, so that multicast data is forwarded at Layer 2 only where needed and multicast flooding at Layer 2 is suppressed.
Aging time
The configured aging time applies both to multicast forwarding entries and to router interfaces.
On a Layer 2 switch running multicast, each dynamically learned router interface starts a timer whose expiry time is the IGMP Snooping aging time. The router interface is deleted if no IGMP Query packet is received within the aging time; the timer is refreshed whenever an IGMP Query packet is received.
Likewise, each multicast entry starts a timer (the aging time of the multicast member) whose expiry time is the IGMP Snooping aging time. The member is deleted if no IGMP Report packet is received within the aging time; the timer is refreshed whenever an IGMP Report packet is received.
Immediate leave
By default, a Layer 2 switch running multicast does not delete the corresponding multicast entry immediately when a host sends a Leave packet; it waits for the entry to age out. Enable immediate leave to delete the entry at once. This is useful when there are many downstream users that join and leave frequently. Because the entry is removed for the whole interface, enable immediate leave only on interfaces with a single receiver; otherwise other hosts behind the same interface lose the stream until they report again.
IGMP Snooping forwards multicast data through Layer 2 multicast entries. When the device receives multicast data, it forwards the data only to the receiving interfaces recorded in the matching multicast entry instead of flooding it to all interfaces, which saves bandwidth.
IGMP Snooping builds a Layer 2 multicast forwarding table whose entries can be learned dynamically or configured manually.
Scenario
As shown in Figure 6-5, multiple hosts in a VLAN receive data from the multicast source. Enable IGMP Snooping on the Switch that connects the multicast router and the hosts. By listening to the IGMP packets exchanged between the multicast router and the hosts and creating and maintaining the multicast forwarding table, the Switch implements Layer 2 multicast.
Prerequisite
Create VLANs.
Add related interfaces to the VLANs.
To configure the static multicast member of the source address, you need to
configure the protocol version to v3.
To configure the user VLAN, you need to configure multicast copy.
6.2.15 Maintenance
Maintain the device as below.
Command: Raisecom(config)#reset igmp-snooping forwarding-table
Description: Clear dynamically learned multicast entries.
Command: Raisecom(config)#reset igmp-snooping statistics
Description: Clear statistics on IGMP Snooping packets.
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure the switch with IGMP Snooping.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit
Checking results
Use the following command to show configurations of the IGMP Snooping.
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure the switch with IGMP Snooping.
The user under interface GE 1/0/2 wants to receive multicast data for groups 225.1.1.1 to 225.1.1.3
permanently and stably.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping static-group group-address 225.1.1.1 vlan 10
Raisecom(config-ge-1/0/2)#igmp-snooping static-group group-address 225.1.1.2 vlan 10
Raisecom(config-ge-1/0/2)#igmp-snooping static-group group-address 225.1.1.3 vlan 10
Raisecom(config-ge-1/0/2)#quit
Checking results
Use the following command to show configurations of IGMP Snooping.
Use the following command to show configurations of static entries of IGMP Snooping.
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10. The
multicast VLAN is different from the user VLAN. Configure IGMP Snooping multicast copy.
Add interface GE 1/0/1 to VLAN 6. Add user 1 to VLAN 10. Add user 2 to VLAN 20.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 6,10,20
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 6
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 20
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 6
Raisecom(config-vlan-6)#igmp-snooping enable
Raisecom(config-vlan-6)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#vlan 6
Raisecom(config-vlan-6)#igmp-snooping forwarding-mode ip
Raisecom(config-vlan-6)#igmp-snooping multicast-duplicate enable
Raisecom(config-vlan-6)#igmp-snooping multicast user-vlan 10,20
Raisecom(config-vlan-6)#quit
Checking results
Use the following command to show configurations of IGMP Snooping.
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure IGMP Snooping.
Enable IGMP Proxy on the switch to reduce the communication between the host and
multicast router, without affecting implementation of multicast functions.
When the PC and STB are added to the same multicast group, the switch receives two copies
of IGMP Report packets, and sends one copy of IGMP Report packets to the multicast router.
The IGMP Query packet sent by the multicast router is not forwarded downstream, but is
periodically sent by the switch.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping workmode igmp-proxy
Raisecom(config-vlan-10)#igmp-snooping querier enable
Raisecom(config-vlan-10)#quit
Checking results
Use the following command to show configurations of IGMP Snooping.
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure IGMP Snooping.
Enable the multicast policy on the switch to allow the user under interface GE 1/0/2 to join
225.1.1.1 to 225.1.1.3 and the user under interface GE 1/0/3 to join 225.1.1.4 to 225.1.1.6.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#acl-ipv4 1001
Raisecom(configure-acl-ipv4-1001)#rule 1 src-ip any dst-ip 225.1.1.1/32
Raisecom(configure-acl-ipv4-1001)#rule 1 action permit
Raisecom(configure-acl-ipv4-1001)#rule 2 src-ip any dst-ip 225.1.1.2/32
Raisecom(configure-acl-ipv4-1001)#rule 2 action permit
Raisecom(configure-acl-ipv4-1001)#rule 3 src-ip any dst-ip 225.1.1.3/32
Raisecom(configure-acl-ipv4-1001)#rule 3 action permit
Raisecom(configure-acl-ipv4-1001)#quit
Raisecom(config)#acl-ipv4 1002
Raisecom(configure-acl-ipv4-1002)#rule 1 src-ip any dst-ip 225.1.1.4/32
Raisecom(configure-acl-ipv4-1002)#rule 1 action permit
Raisecom(configure-acl-ipv4-1002)#rule 2 src-ip any dst-ip 225.1.1.5/32
Raisecom(configure-acl-ipv4-1002)#rule 2 action permit
Raisecom(configure-acl-ipv4-1002)#rule 3 src-ip any dst-ip 225.1.1.6/32
Raisecom(configure-acl-ipv4-1002)#rule 3 action permit
Raisecom(configure-acl-ipv4-1002)#quit
Step 5 Bind the interface with the multicast policy ACL profile.
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping group-policy acl-ipv4 1001
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping group-policy acl-ipv4 1002
Raisecom(config-ge-1/0/3)#quit
Checking results
Use the following command to show configurations of IGMP Snooping.
Scenario
As shown in Figure 6-11, multiple hosts receive data from multicast sources and belong to the
same VLAN. You can run MLD Snooping on the switch connecting the multicast router and
the host. By listening to the MLD packets between the multicast router and the host, you can
establish and maintain the multicast forwarding table, and implement Layer 2 multicast.
Prerequisite
Create VLANs.
Add related interfaces to the VLANs.
6.3.14 Maintenance
Maintain the device as below.
Command Description
Raisecom(config)#reset mld-snooping forwarding-table Clear dynamically learnt multicast entries.
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure the switch with MLD Snooping.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit
Checking results
Use the following command to show configurations of the MLD Snooping.
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure the switch with MLD Snooping.
The user under interface GE 1/0/2 wants to receive multicast data for groups ff1e::1 to ff1e::3
permanently and stably.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping static-group group-address ff1e::1 vlan 10
Raisecom(config-ge-1/0/2)#mld-snooping static-group group-address ff1e::2 vlan 10
Raisecom(config-ge-1/0/2)#mld-snooping static-group group-address ff1e::3 vlan 10
Raisecom(config-ge-1/0/2)#quit
Checking results
Use the following command to show configurations of MLD Snooping.
Use the following command to show configurations of static entries of MLD Snooping.
--------------------------------------------------------------------------------
Total Group Number: 3
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10. The
multicast VLAN is different from the user VLAN. Configure MLD Snooping multicast copy.
Add interface GE 1/0/1 to VLAN 6. Add user 1 to VLAN 10. Add user 2 to VLAN 20.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 6,10,20
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 6
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 20
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 6
Raisecom(config-vlan-6)#mld-snooping enable
Raisecom(config-vlan-6)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#vlan 6
Raisecom(config-vlan-6)#mld-snooping forwarding-mode ip
Raisecom(config-vlan-6)#mld-snooping multicast-duplicate enable
Raisecom(config-vlan-6)#mld-snooping multicast user-vlan 10,20
Raisecom(config-vlan-6)#quit
Checking results
Use the following command to show configurations of MLD Snooping.
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10. Configure
MLD Snooping.
Enable MLD Proxy on the switch to reduce the communication between the host and
multicast router, without affecting implementation of multicast functions.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping workmode mld-proxy
Raisecom(config-vlan-10)#mld-snooping querier enable
Raisecom(config-vlan-10)#quit
Checking results
Use the following command to show configurations of MLD Snooping.
Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure MLD Snooping.
Enable the multicast policy on the switch to allow the user under interface GE 1/0/2 to join
ff1e::1 to ff1e::3 and the user under interface GE 1/0/3 to join ff1e::4 to ff1e::6.
Configuration steps
Step 1 Create a VLAN. Add interfaces to it.
Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit
Raisecom(config)#acl-ipv6 3001
Raisecom(configure-acl-ipv6-3001)#rule 1 src-ip any dst-ip ff1e::1/128
Raisecom(configure-acl-ipv6-3001)#rule 1 action permit
Raisecom(configure-acl-ipv6-3001)#rule 2 src-ip any dst-ip ff1e::2/128
Raisecom(configure-acl-ipv6-3001)#rule 2 action permit
Raisecom(configure-acl-ipv6-3001)#rule 3 src-ip any dst-ip ff1e::3/128
Raisecom(configure-acl-ipv6-3001)#rule 3 action permit
Raisecom(configure-acl-ipv6-3001)#quit
Raisecom(config)#acl-ipv6 3002
Raisecom(configure-acl-ipv6-3002)#rule 1 src-ip any dst-ip ff1e::4/128
Raisecom(configure-acl-ipv6-3002)#rule 1 action permit
Raisecom(configure-acl-ipv6-3002)#rule 2 src-ip any dst-ip ff1e::5/128
Raisecom(configure-acl-ipv6-3002)#rule 2 action permit
Raisecom(configure-acl-ipv6-3002)#rule 3 src-ip any dst-ip ff1e::6/128
Raisecom(configure-acl-ipv6-3002)#rule 3 action permit
Raisecom(configure-acl-ipv6-3002)#quit
Step 5 Bind the interface with the multicast policy ACL profile.
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping group-policy acl-ipv6 3001
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping group-policy acl-ipv6 3002
Raisecom(config-ge-1/0/3)#quit
Checking results
Use the following command to show configurations of MLD Snooping.
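The multicast policy examples above (acl-ipv4 1001/1002 bound with igmp-snooping group-policy, and acl-ipv6 3001/3002 bound with mld-snooping group-policy) both filter Reports by destination group. The following added example, not Raisecom code, reproduces those four ACLs as data and evaluates which joins each user port may make for both address families. It assumes that rules are matched in rule-number order, that the first match decides, and that a bound ACL with no matching rule denies the join; the page does not state the implicit default, so check it on the device before relying on it.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    number: int
    src: str      # "any" or an IP prefix
    dst: str      # "any" or an IP prefix
    action: str   # "permit" or "deny"


def host_prefix(addr):
    """Host-length prefix for an IPv4 (/32) or IPv6 (/128) group address."""
    ip = ipaddress.ip_address(addr)
    return f"{ip}/{32 if ip.version == 4 else 128}"


def permit_groups(groups):
    """Constructed helper: the rule set the page builds, one permit rule per group."""
    return [Rule(i, "any", host_prefix(g), "permit") for i, g in enumerate(groups, 1)]


# The four ACLs of the two examples (acl-ipv4 1001/1002, acl-ipv6 3001/3002)
ACLS = {
    1001: permit_groups(["225.1.1.1", "225.1.1.2", "225.1.1.3"]),
    1002: permit_groups(["225.1.1.4", "225.1.1.5", "225.1.1.6"]),
    3001: permit_groups(["ff1e::1", "ff1e::2", "ff1e::3"]),
    3002: permit_groups(["ff1e::4", "ff1e::5", "ff1e::6"]),
}

# group-policy bindings: (port, IP version) -> ACL number
BINDINGS = {
    ("ge1/0/2", 4): 1001, ("ge1/0/3", 4): 1002,
    ("ge1/0/2", 6): 3001, ("ge1/0/3", 6): 3002,
}


def matches(prefix, addr):
    """True when `addr` falls inside `prefix` ("any" matches everything)."""
    if prefix == "any":
        return True
    if addr is None:          # the rule needs a source but the Report carries none
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def join_permitted(port, group, source=None):
    """Decide whether a Report for `group` on `port` passes the group policy.
    No bound ACL: unfiltered. Bound ACL: the first matching rule in
    rule-number order decides; no match means deny (assumed default)."""
    version = ipaddress.ip_address(group).version
    acl_id = BINDINGS.get((port, version))
    if acl_id is None:
        return True
    for rule in sorted(ACLS[acl_id], key=lambda r: r.number):
        if matches(rule.src, source) and matches(rule.dst, group):
            return rule.action == "permit"
    return False


def filter_report(port, groups):
    """Split the groups of one Report into those accepted and those dropped."""
    accepted = [g for g in groups if join_permitted(port, g)]
    dropped = [g for g in groups if g not in accepted]
    return accepted, dropped
```

Because the policy is bound per interface, a user on GE 1/0/3 cannot join the groups reserved for GE 1/0/2 even though both are in VLAN 10; an interface without a binding (GE 1/0/1 towards the router) is left unfiltered.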
7 OAM
This chapter describes basic principles and configuration procedures for OAM and provides
related configuration examples, including the following sections:
Introduction
EFM
Link-state tracking
VRRP
CFM
7.1 Introduction
Ethernet was initially designed for LANs, and its Operation, Administration and Maintenance
(OAM) capability was weak because of the small network size and an NE-level administrative
system. With the continuous development of Ethernet technology, the application scale of
Ethernet in telecom networks has become wider and wider. Compared with a LAN, the link
length and network size of a telecom network are far larger. The lack of an effective
management and maintenance mechanism has seriously obstructed the application of Ethernet
technology in telecom networks.
To confirm connectivity of Ethernet virtual connections, effectively detect, confirm, and locate
faults on the network, balance network utilization, measure network performance, and provide
services according to the Service Level Agreement (SLA), implementing OAM on Ethernet has
become an inevitable development trend.
OAM mode
The interface enabled with EFM OAM is called the OAM entity. EFM OAM supports the
following two connection modes:
Active mode: the OAM entity in active mode can initiate OAM connection.
Passive mode: the OAM entity in passive mode only waits for a connection request from the
active OAM entity. If the OAM entities on both ends of the link are in passive mode,
they cannot establish an OAM connection.
OAM discovery
In the OAM discovery phase, an OAM entity discovers a remote OAM entity and establishes
a session with it.
This phase is initiated by the OAM entity in active mode. By exchanging Information OAM
PDUs, both OAM entities inform each other of their OAM configurations and the Ethernet OAM
capabilities supported by the local node, and decide whether to establish the OAM connection.
If both ends agree to establish the OAM connection, the Ethernet OAM protocol works on the
link layer.
After the OAM connection is established, both ends keep it alive by exchanging Information
OAM PDUs. If an OAM entity does not receive an Information OAM PDU within the timeout
time, it judges that the connection has expired and reconnection is required.
Remote loopback
Remote loopback can be used to locate the area where a fault occurs, and link quality can also
be tested with the help of test instruments. Regular loopback detection can detect network
faults in a timely manner, and segmented loopback detection locates the specific area where the
fault occurs, which helps users clear faults.
OAM loopback occurs only after the Ethernet OAM connection is established. When
connected, the active OAM entity sends the OAM loopback command, and the peer OAM
entity responds to it. When the remote OAM entity is in loopback mode, all packets except
OAM PDU packets are sent back.
As shown in Figure 7-1, local Switch A in active mode determines the link status from the
packets sent back.
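The following is an added example (not Raisecom code) that models the OAM discovery, keepalive and remote loopback rules given above: only an active entity can initiate discovery, two passive entities never connect, a session expires when no Information OAM PDU arrives within the timeout and must then be re-discovered, and only an active entity on an established connection can put its peer into loopback, where everything except OAM PDUs is reflected. The PDU interval, the timeout value and the frame labels are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

PDU_INTERVAL = 1   # seconds between Information OAM PDUs (assumed value)
LINK_TIMEOUT = 5   # seconds without an Information OAM PDU before the session expires (assumed)


@dataclass
class OamEntity:
    name: str
    mode: str                     # "active" or "passive"
    connected: bool = False
    loopback: bool = False        # True while this entity reflects frames
    last_pdu_at: Optional[int] = None


def discover(a, b):
    """Discovery phase. Only an active entity sends the first Information
    OAM PDU, so two passive entities never establish a session."""
    if a.mode != "active" and b.mode != "active":
        return False
    # Both sides exchange Information OAM PDUs carrying configuration and
    # capabilities; in this toy model both sides accept the connection.
    a.connected = b.connected = True
    a.last_pdu_at = b.last_pdu_at = 0
    return True


def receive_pdu(entity, now):
    """An Information OAM PDU from the peer keeps the session alive."""
    entity.last_pdu_at = now


def check_timeout(entity, now):
    """Expire the session when no PDU arrived within LINK_TIMEOUT."""
    if entity.connected and now - entity.last_pdu_at > LINK_TIMEOUT:
        entity.connected = False
        entity.loopback = False
        return True        # expired: a new discovery is required
    return False


def request_loopback(initiator, peer):
    """Remote loopback: only an active entity on an established connection
    may put its peer into loopback mode."""
    if initiator.mode != "active" or not (initiator.connected and peer.connected):
        return False
    peer.loopback = True
    return True


def reflect(peer, frames):
    """In loopback mode the peer sends every frame back except OAM PDUs."""
    if not peer.loopback:
        return []
    return [f for f in frames if f != "OAMPDU"]


def simulate(a_mode, b_mode, b_stops_hearing_after):
    """Discover, then exchange PDUs every PDU_INTERVAL; after the given second
    B stops hearing A. Returns (session_established, second_session_expired)."""
    a, b = OamEntity("A", a_mode), OamEntity("B", b_mode)
    if not discover(a, b):
        return False, None
    for now in range(PDU_INTERVAL, 20 * PDU_INTERVAL + 1, PDU_INTERVAL):
        receive_pdu(a, now)
        if now <= b_stops_hearing_after:
            receive_pdu(b, now)
        if check_timeout(b, now):
            return True, now
    return True, None
```

The simulation makes the operational consequence visible: a link with both ends configured passive never reports a session at all, which looks like a failure but is a configuration mistake, whereas a session that was up and then expires points at lost PDUs on the link.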
7.2 EFM
7.2.1 Introduction
Complying with IEEE 802.3ah protocol, Ethernet in the First Mile (EFM) is a link-level
Ethernet OAM technology. It provides link connectivity detection, link fault monitoring, and
remote fault notification for a link between two directly connected devices. EFM is mainly
used for Ethernet links on edges of the network accessed by users.
Scenario
Deploying EFM feature between directly connected devices can efficiently improve Ethernet
link management and maintenance capability and ensure stable network operation.
Prerequisite
Connect interfaces.
Configure physical parameters to make interfaces Up at the physical layer.
Scenario
When the uplink fails, traffic cannot be switched to the standby link if the downlink device is
not notified in time, and traffic is disrupted.
Link-state tracking can be used to add the downlink interfaces and uplink interfaces of the middle
device to a link-state group and monitor the uplink interfaces. When all uplink interfaces fail, the
fault of the upstream device is reported to the downstream device to trigger switching.
Prerequisite
N/A
Link-state tracking supports being configured on the physical interface and LAG
interface.
Configure link-state tracking for the device as below.
One link-state group can contain several uplink interfaces. Link-state tracking will
not be performed when at least one uplink interface is Up. Only when all uplink
interfaces are Down will link-state tracking occur.
On the link-state tracking node, use the remove interface interface-type
interface-number command to delete an interface.
In physical interface configuration mode, use the no monitor-link group group-
number command to delete an interface from the link-state group.
Networking requirements
As shown in Figure 7-2, to improve network reliability, Link 1 and Link 2 of Switch B are
connected to Switch A and Switch C respectively. Link 1 is the active link and Link 2 is the
standby link. Link 2 will not be used to forward data until Link 1 is faulty.
Switch A and Switch C are connected to the uplink network in link aggregation mode. When
all uplink interfaces on Switch A and Switch C fail, Switch B needs to sense the fault in time
and switch traffic to the standby link. Therefore, you should deploy link-state tracking on
Switch A and Switch C.
Configuration steps
Configurations of Switch A and Switch C are the same. Take Switch A for example.
Step 1 Create a LAG. Add uplink interfaces GE 1/0/1 and GE 1/0/2 to the LAG.
Raisecom#configure
Raisecom(config)#int eth-trunk 1
Raisecom(config-eth-trunk-1)#add interface ge 1/0/1
Raisecom(config-eth-trunk-1)#add interface ge 1/0/2
Step 2 Create link-state group 1. Add LAG interfaces to the link-state group.
Raisecom(config)#monitor-link group 1
Raisecom(config-monitorlink-1)#add interface eth-trunk 1 role uplink
Checking results
Take Switch A for example. Use the show monitor-link group command to show
configurations of the link-state group.
Use the show monitor-link group command to show configurations of the link-state group
after all uplinks of Switch A fail. In this case, you can see that link-state tracking has been
performed.
7.4 VRRP
7.4.1 Introduction
All hosts in the internal network are configured with the same default route, pointing to the
exit gateway, to achieve communication between the hosts and the external network. If the
gateway fails, the host with that gateway as the default route will not be able to communicate
with the external network.
Virtual Router Redundancy Protocol (VRRP) is a master/standby mode protocol designed to
eliminate network failures caused by single point of failure of the default routing device in a
static default routing environment. It effectively avoids network disconnection caused by
single link failures, and does not need to modify the corresponding routing protocol and other
configurations.
In the previous figure, Switch A and Switch B form a virtual routing device, which has its
own IP address. The hosts within the local area network take the virtual routing device as the
default gateway. The device with the highest priority among Switch A and Switch B is the
master device, which carries out the gateway functions, while the other device is the backup
device.
Preemptive mode: in the VRRP backup group, once a device discovers that its priority is
higher than that of the current master device, it sends a VRRP notification packet to the
network, causing the devices in the backup group to re-elect the master device.
Finally, it replaces the original master device, and the original master device becomes a
backup device.
Load balancing
VRRP load balancing refers to establishing two or more VRRP backup groups, with multiple
devices carrying services simultaneously. One device can belong to multiple backup groups,
with a different priority in each backup group, so load sharing is implemented through multiple
virtual devices. The master device of each backup group can be different, as shown in the
following figure.
Wherein:
Switch A is the master device in VRRP backup group 1 and the backup device in VRRP
backup group 2.
Switch B is the master device in VRRP backup group 2 and the backup device in VRRP
backup group 1.
Some hosts on the network use backup group 1 as the gateway, such as host A and host B.
Some hosts on the network use backup group 2 as the gateway, such as host C. In this way,
hosts back up each other and also balance load on the network.
Scenario
Generally, a default route to the egress gateway is configured for all devices in a LAN, so
these devices can communicate with the external network. If the gateway fails, the connection
fails.
VRRP combines multiple routers to form a backup group. By configuring a virtual IP address
for the backup group and pointing the default gateway of the devices in the LAN at that virtual
IP address, you make the devices in the LAN communicate with the external network.
VRRP helps improve network reliability by preventing the network interruption caused by failure
of a single link, and it avoids changing routing configurations because of a link failure.
Prerequisite
N/A
packets
Step Command Description
5 Raisecom(config-vlanif-*)#vrrp group-id check-ttl { enable | disable } (Optional) configure TTL checking of VRRP packets. group-id: VRRP instance ID. enable: enabled. disable: disabled. By default, it is enabled.
6 Raisecom(config-vlanif-*)#vrrp group-id priority { value | default } (Optional) configure the VRRP instance priority. group-id: VRRP instance ID. (value | default): priority, being 100 by default.
7 Raisecom(config-vlanif-*)#vrrp group-id bfd bfd-session increased { increased-value | default }
Raisecom(config-vlanif-*)#vrrp group-id bfd bfd-session reduced { reduced-value | default }
Raisecom(config-vlanif-*)#vrrp group-id bfd bfd-session (Optional) bind BFD. group-id: VRRP instance ID. bfd-id: bfd instance ID. (Optional) increased: increase the priority. (Optional) reduced: reduce the priority. (Optional) value | default: configure the VRRP instance priority to be reduced when the BFD status is down. It is 10 by default.
8 Raisecom(config-vlanif-*)#vrrp group-id track interface vlan vlan-id (Optional) bind the VLAN interface. group-id: VRRP instance ID. vlan-id: index of the VLAN. By default, it is enabled.
Step Command Description
7 Raisecom(config-vlanif-*)#vrrp-ipv6 group-id priority { value | default } (Optional) configure the VRRP6 instance priority. group-id: VRRP6 instance ID. (value | default): priority, being 100 by default.
8 Raisecom(config-vlanif-*)#vrrp-ipv6 group-id track bfd bfd-id [ { increased | reduced } { value | default } ] (Optional) bind BFD. group-id: VRRP6 instance ID. bfd-id: bfd instance ID. (Optional) increased: increase the priority. (Optional) reduced: reduce the priority. (Optional) value | default: configure the VRRP6
reduced priority: the amount by which the priority is reduced when the monitored interface changes from Up to Down. It is an integer from 1 to 255 and needs no manual configuration: by default, the priority of the device in the backup group is reduced by 10, and the priority after reduction is in the range 1–254. When the monitored interface changes from Down to Up, the original priority is restored. We recommend configuring this parameter on the master device.
increased priority: the amount by which the priority is increased when the monitored BFD session changes to Down, an integer from 1 to 255. The priority after increment is in the range 1–254. When the monitored BFD session changes from Down to Up, the original priority is restored. We recommend configuring this parameter on the backup device.
reduced priority: the amount by which the priority is reduced when the monitored BFD session changes to Down, an integer from 1 to 255. The priority after reduction is in the range 1–254. When the monitored BFD session changes from Down to Up, the original priority is restored. We recommend configuring this parameter on the master device.
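The following model is an added example, not code from the Raisecom guide: it applies the tracking rules above (adjust by the configured value while the tracked object is Down, restore when it comes back Up, keep the result within 1–254) and runs a VRRP election to show why "reduced" belongs on the master and "increased" on the backup. Router names and priorities follow the VRRP example in this chapter; the interface addresses and the value 30 are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List

DEFAULT_ADJUST = 10  # the guide's default: the priority is reduced (or increased) by 10


@dataclass
class Track:
    """A monitored object bound to a VRRP instance (an interface or a BFD session)."""
    name: str
    mode: str                    # "reduced" (recommended on the master) or "increased" (backup)
    value: int = DEFAULT_ADJUST  # integer 1..255, as in the parameter description above
    up: bool = True

    def __post_init__(self) -> None:
        if self.mode not in ("reduced", "increased"):
            raise ValueError(f"unknown track mode {self.mode!r}")
        if not 1 <= self.value <= 255:
            raise ValueError("track value must be an integer from 1 to 255")


@dataclass
class VrrpInstance:
    router: str
    ip: str                      # interface address, used as the VRRP tie-breaker
    priority: int                # configured priority (100 by default on this device)
    tracks: List[Track] = field(default_factory=list)

    def effective_priority(self) -> int:
        """Configured priority adjusted by every tracked object that is currently Down."""
        prio = self.priority
        for t in self.tracks:
            if t.up:
                continue         # an object that is Up restores the original priority
            prio += t.value if t.mode == "increased" else -t.value
        # The guide gives 1..254 as the range after adjustment, so the result is clamped
        # (0 and 255 carry reserved meanings in VRRP and must not be produced by tracking).
        return max(1, min(254, prio))


def elect_master(instances: List[VrrpInstance]) -> str:
    """Highest effective priority wins; on a tie the higher interface IP address wins."""
    best = max(instances, key=lambda i: (i.effective_priority(), ip_address(i.ip)))
    return best.router


def failover_scenario() -> List[str]:
    """Constructed scenario: switch1 (priority 120, as in the VRRP example in this chapter)
    is the master and binds BFD session 1 with 'reduced 30'; switch2 keeps the default
    priority 100 and binds the same session with 'increased 30'. The IP addresses are
    constructed for this example. Returns the elected master after each state change."""
    bfd_on_master = Track("bfd 1", "reduced", 30)
    bfd_on_backup = Track("bfd 1", "increased", 30)
    sw1 = VrrpInstance("switch1", "10.0.0.1", 120, [bfd_on_master])
    sw2 = VrrpInstance("switch2", "10.0.0.2", 100, [bfd_on_backup])
    group = [sw1, sw2]

    masters = [elect_master(group)]                 # normal operation: switch1 (120 vs 100)
    bfd_on_master.up = bfd_on_backup.up = False     # BFD session goes Down
    masters.append(elect_master(group))             # switch1 drops to 90, switch2 rises to 130
    bfd_on_master.up = bfd_on_backup.up = True      # session recovers, priorities restored
    masters.append(elect_master(group))             # switch1 is master again
    return masters


if __name__ == "__main__":
    print(failover_scenario())  # ['switch1', 'switch2', 'switch1']
```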
Networking requirements
As shown in Figure 7-5, host 1 is dual-homed to switch 1 and switch 2 through the L2 switch.
To ensure sustainable transmission of the user's services on the network, configure VRRP
master/backup.
Under normal conditions, host 1 accesses the Internet through switch 1 as the default gateway.
When switch 1 fails, switch 2 replaces switch 1, thus implementing gateway backup.
Configuration steps
Step 1 Configure Layer 2 forwarding on the L2 Switch.
L2switch(config)#vlan 100
L2switch(config)#interface ge 1/0/2
L2switch(config-ge-1/0/2)#port hybrid pvid 100
L2switch(config-ge-1/0/2)#port hybrid vlan 100 untagged
L2switch(config)#vlan 100
L2switch(config)#interface ge 1/0/3
L2switch(config-ge-1/0/3)#port hybrid pvid 100
L2switch(config-ge-1/0/3)#port hybrid vlan 100 untagged
switch1(config)#vlan 100
switch1(config)#interface vlan 100
switch1(config-vlanif-100)#ip address 10.0.0.1/24
switch1(config)#vlan 300
switch1(config)#interface vlan 300
switch1(config-vlanif-300)#ip address 192.168.1.1/24
switch1(config)#interface ge 1/0/1
switch1(config-ge-1/0/1)#port hybrid pvid 100
switch1(config-ge-1/0/1)#port hybrid vlan 100 untagged
switch1(config)#interface ge 1/0/2
switch1(config-ge-1/0/2)#port hybrid pvid 300
switch1(config-ge-1/0/2)#port hybrid vlan 300 untagged
switch1(config)#interface vlan 100
switch1(config-vlanif-100)#vrrp 1 virtual-ip 10.0.0.100
switch1(config-vlanif-100)#vrrp 1 priority 120
switch2(config)#vlan 100
switch2(config)#interface vlan 100
switch2(config-vlanif-100)#ip address 10.0.0.1/24
switch2(config)#vlan 500
switch2(config)#interface vlan 500
switch2(config-vlanif-500)#ip address 192.168.2.1/24
switch2(config)#interface ge 1/0/1
switch2(config-ge-1/0/1)#port hybrid pvid 100
switch2(config-ge-1/0/1)#port hybrid vlan 100 untagged
switch2(config)#interface ge 1/0/2
switch2(config-ge-1/0/2)#port hybrid pvid 500
switch2(config-ge-1/0/2)#port hybrid vlan 500 untagged
switch2(config)#interface vlan 100
switch2(config-vlanif-100)#vrrp 1 virtual-ip 10.0.0.100
Checking results
7.5 CFM
7.5.1 Introduction
Connectivity Fault Management (CFM) is a network-level Ethernet OAM technology,
providing end-to-end connectivity fault detection, fault notification, fault judgement, and fault
location. It is used to diagnose faults actively on an Ethernet Virtual Connection (EVC), provide a
cost-effective network maintenance solution, and improve network maintenance through the
fault management function.
The device complies with IEEE 802.1ag and ITU-T Y.1731.
CFM concepts
MD
Maintenance Domain (MD), also called Maintenance Entity Group (MEG), is a network that
runs CFM. It defines the network range of OAM management. An MD has a level property, with 8
levels (level 0 to level 7): the bigger the number, the higher the level and the larger the
MD range. Protocol packets from a lower-level MD are discarded when they enter a higher-
level MD. If the higher-level MD contains a Maintenance association Intermediate Point (MIP) but
no Maintenance association End Point (MEP), the protocol can traverse the higher-level MD.
Packets from a higher-level MD, however, can traverse lower-level MDs. In the same VLAN
range, different MDs can be adjacent or nested, but not crossed.
As shown in Figure 7-6, MD 2 is in MD 1. Packets in MD 1 need to traverse MD 2. Configure
MD 1 to be at level 6, and MD 2 to be at level 3. Then packets in MD 1 can traverse MD 2
and implement connectivity fault management of the whole MD 1. However, packets in MD 2
cannot diffuse into MD 1. MD 2 is a server layer while MD 1 is a client layer.
MA
The Maintenance Association (MA) is part of a MD. One MD can be divided into one or
multiple MAs. An MA is identified by MD name + MA name.
The MAs can serve the specified VLAN or no VLAN, which are called the MA with VLAN
attributes and MA without VLAN attributes respectively.
MEP
As shown in the following figure, the Maintenance Association End Point (MEP) determines
the boundary of an MA, identified by the "MEP ID". The MEP has directionality and can be
divided into two types: inward MEP and outward MEP.
The inward MEP sends CFM packets outward through all interfaces except the one it belongs
to; in other words, it broadcasts in the VLAN served by its MA.
The outward MEP directly sends CFM packets outward through its interface.
MIP
As shown in Figure 7-7, the MIP is an internal node of a service instance, which cannot
actively send CFM packets but can process and respond to LinkTrace Message (LTM) and
LoopBack Message (LBM) packets. The MIP is automatically created by the device, and can
cooperate with the MEP to implement functions such as PING and Tracert.
MP
The MEP and MIP are called the Maintenance Point (MP).
CFM functions
Fault detection (Continuity Check, CC)
The function is implemented by periodically sending Continuity Check Messages (CCMs).
One MEP sends CCM and other MEPs in the same service instance can verify the RMEP
status when receiving this packet. If the device fails or a link is incorrectly configured, MEPs
cannot properly receive or process CCMs sent by RMEPs. If no CCM is received by a MEP
during 3.5 CCM intervals, it is believed that the link fails. Then a fault Trap will be sent
according to configured alarm priority.
Fault acknowledgement (LoopBack, LB)
This function is used to verify the connectivity between two MPs through the source MEP
sending LoopBack Message (LBM) and the destination MP sending LoopBack Reply (LBR).
The source MEP sends a LBM to a MP who needs to acknowledge a fault. When receiving the
LBM, the MP sends a LBR to the source MEP. If the source MEP receives this LBR, it is
believed that the route is reachable. Otherwise, a connectivity fault occurs.
Fault location (LinkTrace, LT)
The source MEP sends LinkTrace Message (LTM) to the destination MP and all MPs on the
LTM transmission route will send a LinkTrace Reply (LTR) to the source MEP. By recording
valid LTR and LTM, this function can be used to locate faults.
Y.1731 is an OAM protocol proposed by the ITU-T standards organization. It not only
includes the content specified in IEEE 802.1ag, but also adds more OAM message
combinations, providing the following OAM functions.
Alarm inhibition
Alarm inhibition is used to reduce the number of MEP fault alarms. If a MEP does not
receive CCMs from the remote MEP within 3.5 CCM sending periods, it immediately
starts to periodically send Alarm Indication Signal (AIS) messages, which are sent in the
opposite direction to the CCMs. After receiving an AIS message, other MEPs suppress their local
fault alarms and continue to send AIS messages. Afterwards, if the MEP receives a CCM, it
stops sending AIS messages and clears the fault alarm. AIS messages are multicast messages.
One-way packet loss testing function
One-way Loss measurement (LM) is used to detect one-way packet loss between MEPs. Its
implementation is as below: the source MEP sends a Loss Measurement Message (LMM) to
the target MEP; after receiving the LMM, the target MEP sends a Loss Measurement Reply
(LMR) message to the source MEP. The source MEP calculates the number of lost packets
between the source MEP and the target MEP based on two consecutive LMR messages; in
other words, starting from receiving the second LMR message, the source MEP calculates the
number of lost packets between the source MEP and the target MEP based on the statistics on
current LMR messages and previous LMR messages. Both the LMM and LMR messages are
unicast messages.
Delay Measurement (DM)
DM is used to detect the delay of message transmission between MEPs. It is divided into the one-
way delay test and the round-trip delay test; currently, only the round-trip (two-way) delay test is
supported. The implementation of the round-trip delay test is as below: the source MEP sends a
Delay Measurement Message (DMM) to the target MEP, which carries its sending time. After
receiving the DMM, the target MEP records its receiving time, and then sends a Delay
Measurement Reply (DMR) message to the source MEP. This message contains the sending
time and receiving time of the DMM message, and the sending time of the DMR message.
After receiving the DMR message, the source MEP records its receiving time and calculates
the delay and jitter of the link transmission based on it.
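The three computations described above (the 3.5-interval CC timeout, single-ended loss from two consecutive LMRs, and round-trip delay and jitter from the DMM/DMR timestamps) worked through in an added example; this is not code from the guide or from the device. The counter and timestamp names follow ITU-T Y.1731 and all sample values are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

COUNTER_MOD = 1 << 32  # Y.1731 frame counters are 32-bit and wrap around


def _delta(cur: int, prev: int) -> int:
    """Difference between two readings of a wrapping 32-bit counter."""
    return (cur - prev) % COUNTER_MOD


def ccm_peer_lost(last_ccm_rx: float, now: float, ccm_interval: float) -> bool:
    """CC rule from the text: no CCM from the RMEP for 3.5 intervals means the link failed."""
    return (now - last_ccm_rx) > 3.5 * ccm_interval


@dataclass
class LMR:
    """Counters the source MEP holds after one Loss Measurement Reply (names per Y.1731)."""
    tx_fcf: int  # frames the source MEP had sent towards the target when the LMM left
    rx_fcf: int  # frames the target MEP had received from the source when the LMM arrived
    tx_fcb: int  # frames the target MEP had sent towards the source when the LMR left
    rx_fcl: int  # frames the source MEP had received from the target when the LMR arrived


def single_ended_loss(prev: LMR, cur: LMR) -> Tuple[int, int]:
    """Return (far_end_loss, near_end_loss) from two consecutive LMRs.

    Far-end loss is frames lost on the way source -> target, near-end loss the
    reverse direction: sent-counter difference minus received-counter difference.
    """
    far_end = _delta(cur.tx_fcf, prev.tx_fcf) - _delta(cur.rx_fcf, prev.rx_fcf)
    near_end = _delta(cur.tx_fcb, prev.tx_fcb) - _delta(cur.rx_fcl, prev.rx_fcl)
    return far_end, near_end


def loss_series(lmrs: List[LMR]) -> List[Tuple[int, int]]:
    """One result per LMR from the second one onwards, as the text describes."""
    return [single_ended_loss(prev, cur) for prev, cur in zip(lmrs, lmrs[1:])]


def two_way_delay(dmm_tx: float, dmm_rx: float, dmr_tx: float, dmr_rx: float) -> float:
    """Round-trip frame delay from the four DMM/DMR timestamps.

    dmm_tx and dmr_rx are read on the source MEP's clock, dmm_rx and dmr_tx on the
    target's; subtracting the target's processing time (dmr_tx - dmm_rx) removes the
    clock offset, so the two MEPs need not be synchronized.
    """
    return (dmr_rx - dmm_tx) - (dmr_tx - dmm_rx)


def delay_and_jitter(
    samples: List[Tuple[float, float, float, float]],
) -> Tuple[List[float], List[float]]:
    """Delay per DMM/DMR exchange and jitter as the change between consecutive delays."""
    delays = [two_way_delay(*s) for s in samples]
    jitter = [abs(b - a) for a, b in zip(delays, delays[1:])]
    return delays, jitter


# Constructed sample data (not captured from a device).
SAMPLE_LMRS = [
    LMR(tx_fcf=1000, rx_fcf=998, tx_fcb=500, rx_fcl=500),
    LMR(tx_fcf=1100, rx_fcf=1095, tx_fcb=600, rx_fcl=599),  # 3 lost far-end, 1 near-end
    LMR(tx_fcf=1200, rx_fcf=1195, tx_fcb=700, rx_fcl=699),  # no loss in this interval
]

# Timestamps in milliseconds; the target's clock runs 1000 ms ahead of the source's.
SAMPLE_DM = [
    (10.0, 1012.0, 1012.5, 14.5),      # 4.0 ms round trip
    (1010.0, 2013.0, 2013.5, 1016.5),  # 6.0 ms round trip, so jitter 2.0 ms
]


if __name__ == "__main__":
    print(loss_series(SAMPLE_LMRS))                      # [(3, 1), (0, 0)]
    print(delay_and_jitter(SAMPLE_DM))                   # ([4.0, 6.0], [2.0])
    print(ccm_peer_lost(last_ccm_rx=0.0, now=3.6, ccm_interval=1.0))  # True
```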
In summary, CFM has implemented OAM technologies at the end-to-end service level,
reducing the operation and maintenance costs for service providers, and to some extent
improving their competitive advantage.
Scenario
To expand application of Ethernet technologies at a carrier-grade network, the Ethernet must
ensure the same QoS as the carrier-grade transport network. CFM solves this problem by
providing overall OAM tools for the carrier-level Ethernet.
Prerequisite
Connect interfaces.
Configure physical parameters to make interfaces Up at the physical layer.
Create VLANs.
Add interfaces to the VLAN.
Networking requirements
As shown in Figure 7-8:
The network composed of five devices is divided into MD_A and MD_B, of which the MD
levels are 5 and 3 respectively. All interfaces on each device belong to VLAN 100. The MAs
in each MD serve the VLAN. It is assumed that the MAC addresses of Device A to Device E
are 00:03:56:00:00:01, 00:03:56:00:00:02, 00:03:56:00:00:03, 00:03:56:00:00:04, and
00:03:56:00:05 respectively.
The boundary interfaces on MD_A are GE1/0/1 of Device A, GE1/0/3 on Device D, and
GE1/0/4 on Device E. All these interfaces are inward MEPs. The boundary interfaces on
MD_B are GE1/0/3 on Device B and GE1/0/1 on Device D. All these interfaces are outward
MEPs.
Plan the MIP of MD_A on Device B. A MIP is created only on an interface that has a lower-level
MEP. According to this plan, because the MIP of MD_B is configured on GE1/0/3 of Device B,
use the explicit rule to create the MIPs of MD_A on Device B, and use the none rule on the other
devices.
Plan the MIP of MD_B on Device C, on all of its interfaces. According to this plan, because the
MIP of MD_B is configured on Device C, use the default rule on Device C, and use the none rule
on the other devices.
Use CCM to detect the connection status of MEPs in MD_A and MD_B. When a link fault is
detected, use the loopback function to locate the fault, use the alarm inhibition function and
Ethernet alarm inhibition function to reduce the number of fault alarms.
After obtaining the status of the entire network, use link tracking, the one-way packet loss test,
and the round-trip delay test to check the various links.
Configuration steps
Step 1 Configure the VLAN and interfaces.
Create VLAN 100 on each device as previously shown. Configure interfaces GE 1/0/1 to GE
1/0/4 to belong to VLAN 100.
Step 2 Enable basic functions of CFM.
DeviceA#configure
DeviceA(config)#cfm start
DeviceA(config)#cfm md MD_A level 5 format none
DeviceA(config-cfm-md-MD_A)#mip create-type none
DeviceA(config-cfm-md-MD_A)#ma 1 format icc 1
DeviceA(config-cfm-md-MD_A-ma-1)#map vlan 100
DeviceA(config-cfm-md-MD_A-ma-1)#mep mep-id 1001 interface ge 1/0/1 inward
DeviceA(config-cfm-md-MD_A-ma-1)#end
DeviceB#configure
DeviceB(config)#cfm start
DeviceB(config)#cfm md MD_A level 5 format none
DeviceC#configure
DeviceC(config)#cfm start
DeviceC(config)#cfm md MD_B level 3 format none
DeviceC(config-cfm-md-MD_B)#ma 2 format icc 2
DeviceC(config-cfm-md-MD_B-ma-2)#map vlan 100
DeviceC(config-cfm-md-MD_B-ma-2)#end
DeviceD#configure
DeviceD(config)#cfm start
DeviceD(config)#cfm md MD_A level 5 format none
DeviceD(config-cfm-md-MD_A)#mip create-type none
DeviceD(config-cfm-md-MD_A)#ma 1 format icc 1
DeviceD(config-cfm-md-MD_A-ma-1)#map vlan 100
DeviceD(config-cfm-md-MD_A-ma-1)#mep mep-id 4002 interface ge 1/0/3 inward
DeviceD(config-cfm-md-MD_A-ma-1)#end
DeviceD#configure
DeviceD(config)#cfm md MD_B level 3 format none
DeviceD(config-cfm-md-MD_B)#mip create-type none
DeviceD(config-cfm-md-MD_B)#ma 2 format icc 2
DeviceD(config-cfm-md-MD_B-ma-2)#map vlan 100
DeviceD(config-cfm-md-MD_B-ma-2)#mep mep-id 4001 interface ge 1/0/1 outward
DeviceD(config-cfm-md-MD_B-ma-2)#end
DeviceE#configure
DeviceE(config)#cfm start
DeviceE(config)#cfm md MD_A level 5 format none
DeviceE(config-cfm-md-MD_A)#mip create-type none
DeviceE(config-cfm-md-MD_A)#ma 1 format icc 1
DeviceE(config-cfm-md-MD_A-ma-1)#map vlan 100
DeviceE(config-cfm-md-MD_A-ma-1)#mep mep-id 5001 interface ge 1/0/4 inward
DeviceE(config-cfm-md-MD_A-ma-1)#end
DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#ccm-send mep-id 1001 enable
DeviceA(config-cfm-md-MD_A-ma-1)#end
DeviceB#configure
DeviceB(config)#cfm md MD_B
DeviceB(config-cfm-md-MD_B)#ma 2
DeviceB(config-cfm-md-MD_B-ma-2)#ccm-send mep-id 2001 enable
DeviceB(config-cfm-md-MD_B-ma-2)#end
DeviceD#configure
DeviceD(config)#cfm md MD_A
DeviceD(config-cfm-md-MD_A)#ma 1
DeviceD(config-cfm-md-MD_A-ma-1)#ccm-send mep-id 4002 enable
DeviceD(config-cfm-md-MD_A-ma-1)#end
DeviceD#configure
DeviceD(config)#cfm md MD_B
DeviceD(config-cfm-md-MD_B)#ma 2
DeviceD(config-cfm-md-MD_B-ma-2)#ccm-send mep-id 4001 enable
DeviceD(config-cfm-md-MD_B-ma-2)#end
DeviceE#configure
DeviceE(config)#cfm md MD_A
DeviceE(config-cfm-md-MD_A)#ma 1
DeviceE(config-cfm-md-MD_A-ma-1)#ccm-send mep-id 5001 enable
DeviceE(config-cfm-md-MD_A-ma-1)#end
DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#ping mep-id 1001 rmep-id 5001 count 5 tlv-type null tlv-len 50 priority 0
DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#trace mep-id 1001 rmep-id 5001 ttl 16 fdb 0
DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#loss-measure mep-id 1001 rmep-id 4002 interval 1s priority 0 count 5
Info: Single-ended loss measurement will take some time.
DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#delay-measure mep-id 1001 rmep-id 4002 interval 1s priority 0 frame-len 64 count 5
Info: Two-way delay measurement will take some time.
Checking results
Use the show cfm config command to show CFM configurations.
8 Security
This chapter describes basic principles and configuration procedures for security, and
provides related configuration examples, including the following sections.
ACL
AAA
802.1x
Port security MAC
PPPoE+
Storm suppression
ARP attack protection
ND Snooping
DHCP Snooping
IP Source Guard
CPU attack protection
MAC address authentication
DOS attack prevention
8.1 ACL
8.1.1 Introduction
Access Control List (ACL) is a set of ordered rules, which can control the device to receive or
refuse some data packets.
You need to configure rules on the network to prevent illegal packets from affecting network
performance and determine the packets allowed to pass. These rules are defined by ACL.
An ACL is a series of rules composed of permit or deny statements. The rules are described
according to the source address, destination address, and port number of data packets. The device
decides whether to receive or reject packets according to the rules.
Management ACL is a collection of ordered software rules that control devices to receive or
reject certain IP address access by applying these rules. It works at the application layer of the
network.
To control illegal IP access (telnet, SSH, FTP, web, and so on) on the network, configure a
series of rules on the device to determine the IP addresses that can pass and the IP addresses
that cannot pass. These rules are defined by management ACLs.
Scenario
ACL can help a network device recognize and filter data packets. The device recognizes specific
objects and then permits or denies the packets according to the configured policy. The
discarding action includes sending packets to the CPU. When the ACL denies a destination
MAC address, the source MAC address of the corresponding packet will not be learnt or
shown.
L2 ACL: define classification rules according to attributes carried in the header of Layer
2 frames, such as the source MAC address, destination MAC address, and Layer 2
protocol type. When ACL denies packets with a destination MAC address, the device
will not learn and show the source MAC address.
IPv4 ACL: define classification rules according to attributes carried in the header of IP
packets, such as the source IP address, destination IP address, bearing protocol type, and
TCP or UDP port number (being 0 by default).
IPv6 ACL: define classification rules according to attributes carried in the header of IP
packets, such as the source IPv6 address, destination IPv6 address, IPv6 bearing protocol
type, and TCP or UDP port number (being 0 by default).
Hybrid ACL: define classification rules according to attributes carried in the header of
Layer 2 frames, such as the source MAC address and destination MAC address, and
attributes carried in the header of IP packets, such as the source IP address and
destination IP address.
User defined ACL: use the header of the packet as a benchmark to specify the number of
bytes from which the AND operation is performed with the mask. The string extracted
from the packet is then compared with the user-defined string to find a matching packet.
The user defined ACL supports matching any field in the first 64 bytes of the
Ethernet frame.
There are 4 ACL modes according to different application environments:
ACL based on ingress or egress direction of the interface
ACL based on ingress or egress direction of the VLAN
Prerequisite
N/A
is 2001–3000, this configuration enters extended hybrid ACL configuration mode.
When the ACL number is 3001–4000, this configuration enters IPv6 ACL configuration mode.
When the ACL number is 5001–6000, this configuration enters user defined ACL configuration mode.
8.1.10 Maintenance
Maintain the device as below.
Command Description
Raisecom(config)#reset acl statistics [ acl acl-id | rule rule-id | direction { in | out } ]: clear statistics on the global ACL.
Raisecom(config)#reset acl statistics interface interface-type interface-number [ acl acl-id | rule rule-id | direction { in | out } ]: clear statistics on the interface ACL.
Networking requirement 1
As shown below, the network requirements are as below:
Deny the Internet access from switch A between 00:00 and 08:00 every day.
Limit the rate for accessing the Internet from switch A between 08:00 and 12:00 every
day to 10000 pps.
Configuration steps
Step 1 Configure the time range.
Raisecom#configure
Raisecom(config)#timerange list 1
Raisecom(config-timerange-1)#time-range 1 everyday 00:00:00 to 08:00:00
Raisecom(config-timerange-1)#configure
Raisecom(config)#timerange list 2
Raisecom(config-timerange-2)#time-range 1 everyday 08:00:00 to 12:00:00
Raisecom#configure
Raisecom(config)#meter 1 pps 10000 color blind
Raisecom#configure
Raisecom(config)#acl-l2 1 name test
Raisecom(configure-acl-l2-1)#rule 1 src-mac any dst-mac any
Raisecom(configure-acl-l2-1)#rule 1 time-range 1
Raisecom(configure-acl-l2-1)#rule 1 action deny
Raisecom(configure-acl-l2-1)#rule 2 src-mac any dst-mac any
Raisecom(configure-acl-l2-1)#rule 2 time-range 2
Raisecom(configure-acl-l2-1)#rule 2 meter 1 outaction red-drop yellow-drop
Raisecom#configure
Raisecom(config)#interface ge 1/0/1 to ge 1/0/2
Raisecom(config-ge-1/0/1->ge-1/0/2)#acl-l2 in 1
Checking results
Networking requirement 2
The network requirements are as below:
The customer wants to classify traffic of different interfaces, VLANs, and 802.1p
priorities on switch A, and execute different actions accordingly.
Configuration steps
Step 1 Configure the ACL rule and action.
Raisecom#configure
Raisecom(config)#acl-l2 1 name test
Raisecom(configure-acl-l2-1)#rule 1 src-mac any dst-mac any
Raisecom(configure-acl-l2-1)#rule 1 action dscp 46
Raisecom(configure-acl-l2-1)#configure
Raisecom(config)#acl-l2 2 name test2
Raisecom(configure-acl-l2-2)#rule 1 src-mac any dst-mac any outer-vlan 100 8021p any
Raisecom(configure-acl-l2-2)#rule 1 action 8021p 7
Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#acl-l2 in 1
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#acl-l2 in 2
Checking results
8.2 AAA
8.2.1 Introduction
AAA
Authentication, Authorization, and Accounting (AAA) is a management mechanism for
network security. AAA adopts a client/server structure and provides three security functions of
authentication, authorization, and accounting.
Authentication: confirm the identity of the remote user accessing the network, and
determine whether the visitor is a legitimate network user.
Authorization: grant different permissions to different users to limit the services that
users can use. For example, the administrator authorizes office users to access and print
files on the server, but other temporary visitors do not have this permission.
Accounting: record all operations during the user's use of network services, including the
type of service used, starting time, data flow, to collect and record the user's use of
network resources, and implement the accounting for time and traffic. It also has a
monitoring effect on the network.
AAA adopts a client/server structure. The client runs on the NAS (Network Access Server),
which is responsible for verifying user identity and managing user access. The server centrally
manages user information.
AAA can be implemented through multiple protocols that specify how user information is
communicated between the NAS and the server. Currently, the device supports the Remote
Authentication Dial-In User Service (RADIUS) protocol and Terminal Access Controller
Access Control System (TACACS+).
RADIUS
Remote Authentication Dial In User Service (RADIUS) is a standard communication protocol
that provides centralized authentication of remote access users. RADIUS uses UDP as the
transport protocol (ports 1812 and 1813), which gives good real-time performance; at the same
time, RADIUS achieves good reliability through its retransmission mechanism and standby
server mechanism.
RADIUS authentication
RADIUS adopts the client/server mode. The network access device acts as the client of the RADIUS
server. The RADIUS server receives user connection requests, authenticates users, and replies
with the configuration needed to provide services. In this way, RADIUS controls users' access to
devices and the network, thus improving network security.
Communication between clients and the RADIUS server is authenticated by a shared key,
which is never transmitted on the network. Besides, any user password transmitted
between clients and the RADIUS server is encrypted to prevent it from being intercepted
by sniffing on an insecure network.
RADIUS accounting
RADIUS accounting is used on users that have passed RADIUS authentication. When a user
logs in, the device sends an Account-Start packet to the RADIUS accounting server. During
user login, the device sends Account-Update packets to the RADIUS accounting server
according to the accounting policy. When the user logs off, the device sends an Account-Stop
packet, which contains user online time, to the RADIUS accounting server. The RADIUS
accounting server can record the access time and operations of each user through these
packets.
TACACS+
Terminal Access Controller Access Control System (TACACS+) is a kind of network access
authentication protocol similar to RADIUS. The differences between them are:
TACACS+ uses TCP port 49, which offers higher transmission reliability than the
UDP ports used by RADIUS.
TACACS+ encrypts the entire packet except the standard TACACS+ header, and a field in
the header indicates whether the packet body is encrypted. Compared with RADIUS, which
encrypts only the user password, TACACS+ is much safer.
TACACS+ authentication function is separated from authorization and accounting
functions; it is more flexible in deployment.
In a word, TACACS+ is safer and more reliable than RADIUS; however, as an open protocol,
RADIUS is more widely used.
Scenario
To control users' access to devices and the network, you can deploy the RADIUS/TACACS+
server to authenticate and account users. The device can work as an agent of the
RADIUS/TACACS+ server, and authorize users with access rights according to the feedback
by the RADIUS/TACACS+ server. TACACS+ is more secure and reliable than RADIUS.
Prerequisite
N/A
Networking requirement
As shown in Figure 8-2, to let access users and the administrator user reach different
servers, the configurations are as below:
Configure the IP address, VLAN, and route on the switch for user connection and
authentication.
Create a local user account. Configure the AAA template and scheme for the
administrator user. Use TACACS server 3 for authentication and authorization. Use
RADIUS server 2 for accounting.
Enable Dot1x. Configure the AAA template and scheme for access users. Use RADIUS
server 1 for authentication, accounting, and authorization.
Configuration steps
Step 1 Configure the IP address.
Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#ip address 10.1.0.254/24
Raisecom(config-vlanif-1)#exit
Raisecom(config)#ip route-static 0.0.0.0 0.0.0.0 10.1.0.1
Raisecom(config)#aaa
Raisecom(config-aaa)#radius-server host Server1 ip-address 10.1.1.2
Raisecom(config-aaa)#radius-server host Server2 ip-address 10.1.2.2
Raisecom(config-aaa)#tacacs-server host Server3 ip-address 10.1.3.2
Step 5 Configure the authentication mode, authorization mode, and accounting mode for
management users.
Raisecom(config)#line vty 1 2
Raisecom(config-line)#login authentication aaa method Method1
Raisecom(config-line)#login authorization aaa method Method2
Raisecom(config-line)#login accounting aaa method Method3
Raisecom(config-line)#exit
Step 6 Configure the authentication mode, authorization mode, and accounting mode for access users.
Raisecom(config)#dot1x start
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#dot1x enable
Raisecom(config-ge-1/0/1)#dot1x aaa-authentication method Method4
Raisecom(config-ge-1/0/1)#dot1x aaa-accounting method Method5
Raisecom(config-ge-1/0/1)#exit
Checking results
Use the show aaa config command to show configurations of the RADIUS server.
8.3 802.1x
8.3.1 Introduction
802.1x, based on IEEE 802.1x, is a VLAN-based network access control technology. It is
used to solve authentication and security problems for LAN users.
It is used to authenticate and control access devices at the physical layer of the network device.
It defines a point-to-point connection mode between the device interface and user devices.
User devices, connected to the interface, can access resources in the LAN if they are
authenticated. Otherwise, they cannot access resources in the LAN through the switch.
802.1x structure
As shown in Figure 8-3, 802.1x authentication uses Client/Server mode, including the
following 3 parts:
Supplicant: a user-side device installed with the 802.1x client software (such as Windows
XP 802.1x client), such as a PC
Authenticator: an access control device supporting 802.1x authentication, such as a
switch
Authentication Server: a device used for authenticating, authorizing, and accounting
users. Generally, the RADIUS server is taken as the 802.1x authentication server.
In the EAP termination mode, the random encryption character, used for encrypting the
password, is generated by the device. And then the device sends the user name, random
encryption character, and encrypted password to the RADIUS server for authentication.
802.1x timers
802.1x authentication involves the following 5 timers:
Reauth-period: re-authorization timer. After the period expires, the device re-
initiates authorization.
Quiet-period: quiet timer. When user authorization fails, the device needs to keep quiet
for a period. After the period is exceeded, the device re-initiates authorization. During
the quiet time, the device does not process authorization packets.
Tx-period: transmission timeout timer. When the device sends a Request/Identity packet
to users, the device will initiate the timer. If users do not send an authorization response
packet during the tx-period, the device will re-send an authorization request packet. The
device sends this packet three times in total.
Supp-timeout: Supplicant authorization timeout timer. When the device sends a
Request/Challenge packet to users, the device will initiate supp-timeout timer. If users do
not send an authorization response packet during the supp-timeout, the device will re-
send the Request/Challenge packet. The device sends this packet twice in total.
Server-timeout: authentication server timeout timer. The timer defines the total timeout
of sessions between the authorizer and RADIUS server. When the configured time
expires, the authenticator will end the session with the RADIUS server and start a new
authorization process.
Scenario
To realize access authentication on LAN users and ensure access user security, you need to
configure 802.1x authentication on the device.
If users are authenticated, they are allowed to access network resources. Otherwise, they
cannot access network resources. By performing authentication control on user access
interface, you can manage the users.
Prerequisite
If RADIUS authentication server is used, you need to perform following operations before
configuring 802.1x authentication:
Configure the IP address of the RADIUS server and the RADIUS shared key.
The device can ping through the RADIUS server successfully.
Networking requirements
As shown in Figure 8-4, the network administrator configures 802.1x to control the PC to
access the Internet.
For the switch: the IP address is 10.10.0.1, the mask is 255.255.0.0, and default gateway
is 10.10.0.2.
The RADIUS server works to authenticate and authorize PCs. Its IP address is
192.168.0.1, and the password is raisecom.
After the PC passes authentication, the Switch will start reauthentication every 600s.
Configuration steps
Step 1 Configure the IP addresses of the Switch and RADIUS server.
Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config-vlan1)#ip address 10.10.0.1/16
Raisecom(config-vlan1)#exit
Raisecom(config)#ip route 0.0.0.0 0.0.0.0 10.10.0.2
Raisecom(config)#exit
Raisecom(config)#aaa
Raisecom(config-aaa)#radius-server host server1 ip-address 192.168.0.1
key 12345
Raisecom(config-aaa)#server-group grp1 radius-server server1
Raisecom(config-aaa)#aaa authentication dot1x method d1 first grp1
Raisecom#configure
Raisecom(config)#dot1x start
Raisecom(config)#dot1x aaa authentication method d1
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#dot1x enable
Raisecom(config-ge-1/0/1)#dot1x reauthenticate period 600
Checking results
Use the show dot1x command to show 802.1x configurations on the interface.
When sticky learning is enabled, all secure MAC addresses learnt from an
interface will be converted to sticky secure MAC addresses.
When sticky learning is disabled, all sticky secure MAC addresses on an interface
will be converted to secure MAC addresses.
Shutdown mode: for illegal access users, the secure interface will discard the user's
packets, and the console will print Syslog information, send an alarm to the NMS, and
then shut down the secure interface.
When the MAC address is flapping, in other words, secure interface A is accessed by
a user corresponding to a secure MAC address that is already on secure interface B,
secure interface A will process the access as violation.
Scenario
To ensure the security of data accessed through an interface of the switch, you can control
incoming packets according to their source MAC address. With port security MAC, you can
permit only specified users to access the interface, or permit only a specified number of users
to access through this interface. When the number of users exceeds the limit, the excess
packets are processed according to the port security MAC violation policy.
Prerequisite
N/A
Port security MAC and interface-/interface VLAN-based MAC number limit are
mutually exclusive and cannot be configured concurrently.
Configure basic functions of port security MAC for the device as below.
When secure MAC violation policy is in Shutdown mode, you can use this command
to re-enable this interface which is shut down due to violating port security MAC.
When the interface is Up, the configured secure MAC violation mode will continue to
be valid.
We do not recommend configuring sticky secure MAC addresses when port sticky
security MAC is disabled. Otherwise, port sticky security MAC may malfunction.
Configure the sticky secure MAC address for the device as below.
After sticky secure MAC address learning is enabled, the dynamic secure MAC
address will be converted to the sticky secure MAC address; the manually configured
sticky secure MAC address will take effect.
8.4.7 Maintenance
Maintain the device as below.
Command: Raisecom(config)#no mac-address { security | sticky } [ interface-type interface-number ]
Description: Clear the specified type of secure MAC addresses.
Networking requirements
As shown in Figure 8-5, the Switch connects 3 user networks. To ensure security of data
accessed from the interface, configure the Switch as below.
GE 1/1/1 allows up to 3 users to access the network. One of specified user MAC
addresses is 0000.0000.0001. The other two users are in dynamic learning mode. The
violation mode is Protect mode.
GE 1/1/2 allows up to 2 users to access the network. MAC addresses of the 2 users are
determined through learning. The violation mode is Restrict mode.
GE 1/1/3 allows up to 1 user to access the network. The specified user MAC address is
0000.0000.0002. The violation mode is Shutdown mode.
Configuration steps
Step 1 Configure the secure MAC address on GE 1/0/1.
Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port-security enable
Raisecom(config-ge-1/0/1)#port-security maximum 3
Raisecom(config-ge-1/0/1)#port-security mac-address sticky enable
Raisecom(config-ge-1/0/1)#port-security mac-address sticky vlan 1 mac 00:00:00:00:00:01
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port-security enable
Raisecom(config-ge-1/0/2)#port-security maximum 2
Raisecom(config-ge-1/0/2)#port-security protect-action restrict
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port-security enable
Raisecom(config-ge-1/0/3)#port-security maximum 1
Checking results
Use the show mac-address config command to show configurations of port security MAC.
Use the show mac-address sticky command to show configurations and learning of secure
MAC addresses.
8.5 PPPoE+
8.5.1 Introduction
PPPoE Intermediate Agent (PPPoE+) is used to process authentication packets. PPPoE+ adds
information about the access device to the authentication packet so that the account is bound
to the access device and cannot be shared or stolen, protecting the interests of both the carrier
and the users. This gives the server enough information to identify each user, preventing
account sharing and theft and ensuring network security.
In PPPoE dial-up mode, you can access the network through various interfaces on the device
as long as authentication by the authentication server is successful.
However, the server cannot accurately differentiate users from the authentication
information alone, which contains only the user name and password. With PPPoE+, besides
the user name and password, other information, such as the interface ID, is included in the
authentication packet. If the interface ID seen by the authentication server does not match
the configured one, authentication fails. This helps prevent illegal users from using the
accounts of legal users to access the network.
The PPPoE protocol adopts Client/Server mode, as shown in Figure 8-6. The Switch acts as a
relay agent. Users access the network through PPPoE authentication. If the PPPoE server
needs to locate users, more information should be contained in the authentication packet.
To access the network through PPPoE authentication, you need to pass through the following
2 stages: discovery stage (authentication stage) and session stage. PPPoE+ is used to process
packets at the discovery stage. The following steps show the whole discovery stage.
Step 1 To access the network through PPPoE authentication, the client sends a broadcast packet,
PPPoE Active Discovery Initiation (PADI). This packet is used to query the authentication
server.
Step 2 After receiving the PADI packet, the authentication server replies with a unicast packet,
PPPoE Active Discovery Offer (PADO).
Step 3 If multiple authentication servers reply with PADO packets, the client selects one of them and
then sends a unicast PPPoE Active Discovery Request (PADR) to that authentication server.
Step 4 After receiving the PADR packet, if the authentication server believes that the user is legal, it
sends a unicast packet, PPPoE Active Discovery Session-confirmation (PADS), to the client.
PPPoE+ is used to add user identification information into PADI and PADR packets. The
server can therefore check whether the user identification information matches the user
account before assigning resources.
Scenario
To prevent illegal client access during PPPoE authentication, you need to configure PPPoE+
to add additional user identification information in PPPoE packets for network security.
Because the added user identification information is related to the specified switch and
interface, the authentication server can bind the user with the switch and interface to
effectively prevent account sharing and theft. In addition, this helps users enhance network
security.
Prerequisite
N/A
By default, PPPoE packets are forwarded without being attached with any
information.
PPPoE+ is used to process PADI and PADR packets. It is designed for the PPPoE
client. Generally, PPPoE+ is only enabled on interfaces that are connected to the
PPPoE client. Trusted interfaces are interfaces through which the switch is connected
to the PPPoE server. PPPoE+ and trusted interface are exclusive; in other words, an
interface enabled with PPPoE+ cannot be configured as a trusted interface.
Enabling PPPoE+
After global PPPoE+ and interface PPPoE+ are enabled, PPPoE authentication packets received
on the interface are attached with user information and then forwarded to the trusted
interface.
Enable PPPoE+ for the device as below.
Circuit ID: is padded with the ID of the interface receiving client request packets, VLAN
IDs (outer VLAN ID and inner VLAN ID).
Remote ID: is padded with the MAC address of the interface receiving client request
packets.
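The following is an added example, not Raisecom code, modelling the discovery-stage behaviour described in 8.5.1 and the Circuit ID/Remote ID padding described above. The PPPoE discovery header and tag layout follow RFC 2516; the vendor-specific tag (tag type 0x0105, vendor ID 3561, sub-option 1 = Circuit-ID, sub-option 2 = Remote-ID) follows Broadband Forum TR-101. The interface names, VLAN ID, MAC address, the user-defined Circuit ID format (interface + outer VLAN + device name) and the keep/drop semantics for frames that already carry a tag are assumptions for the illustration.

```python
"""Added example (not Raisecom code): a PPPoE intermediate agent tagging
PADI/PADR frames, and the server-side check of the Circuit-ID.
Frame layout per RFC 2516; vendor tag layout per TR-101.
Interface names, VLAN, MAC and policy semantics are constructed."""
import struct

PPPOE_VER_TYPE = 0x11
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
VENDOR_ID_BBF = 3561              # Broadband Forum enterprise number (TR-101)
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02


def parse_tags(payload):
    """Return (code, session_id, [(tag_type, value), ...]) from a discovery payload."""
    ver_type, code, session, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("not a PPPoE version 1 / type 1 frame")
    body = payload[6:6 + length]
    tags, off = [], 0
    while off + 4 <= len(body):
        t, l = struct.unpack("!HH", body[off:off + 4])
        tags.append((t, body[off + 4:off + 4 + l]))
        off += 4 + l
    return code, session, tags


def build_discovery(code, tags, session=0):
    """Serialise a discovery packet from its tag list."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session, len(body)) + body


def vendor_tag(circuit_id, remote_id):
    """Encode Circuit-ID and Remote-ID as a TR-101 vendor-specific tag value."""
    subs = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return struct.pack("!I", VENDOR_ID_BBF) + subs


def parse_vendor_tag(value):
    """Decode the sub-options of a vendor-specific tag; None if not a TR-101 tag."""
    if struct.unpack("!I", value[:4])[0] != VENDOR_ID_BBF:
        return None
    out, off = {}, 4
    while off + 2 <= len(value):
        st, sl = value[off], value[off + 1]
        out[st] = value[off + 2:off + 2 + sl]
        off += 2 + sl
    return out


def intermediate_agent(frame, iface, outer_vlan, device_name, iface_mac, policy="keep"):
    """Relay (switch) side. Only PADI/PADR are tagged. If the client frame already
    carries a vendor tag, the assumed policy applies: keep = forward as is,
    drop = discard. Returns (action, frame_to_forward)."""
    code, session, tags = parse_tags(frame)
    if code not in (CODE_PADI, CODE_PADR):
        return "forward", frame
    if any(t == TAG_VENDOR_SPECIFIC for t, _ in tags):
        return ("drop", None) if policy == "drop" else ("forward", frame)
    circuit = f"{iface}:{outer_vlan}:{device_name}".encode()   # assumed user-defined format
    remote = iface_mac.encode()                                 # Remote-ID = receiving interface MAC
    tags.append((TAG_VENDOR_SPECIFIC, vendor_tag(circuit, remote)))
    return "forward", build_discovery(code, tags, session)


def server_check(frame, expected_circuit_id):
    """Server side: accept only if the Circuit-ID matches the binding for the account."""
    _, _, tags = parse_tags(frame)
    for t, v in tags:
        if t == TAG_VENDOR_SPECIFIC:
            subs = parse_vendor_tag(v)
            if subs and subs.get(SUB_CIRCUIT_ID) == expected_circuit_id:
                return "accept"
    return "reject"


# Constructed client PADI carrying an empty Service-Name tag.
CLIENT_PADI = build_discovery(CODE_PADI, [(TAG_SERVICE_NAME, b"")])
```

A frame that arrives on an untrusted client interface already carrying a vendor tag is the case the `pppoeplus policy` command in 8.5 decides; `intermediate_agent` models both outcomes so the two can be compared on the same input.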
8.5.7 Maintenance
Maintain the device as below.
Command Description
Networking requirements
As shown in Figure 8-7, to prevent illegal clients from accessing and managing legal users,
you can configure PPPoE+ on the Switch.
GE 1/0/1 and GE 1/0/2 are connected to Client 1 and Client 2 respectively. GE 1/0/3 is
connected to the PPPoE server.
Enable global PPPoE+, and PPPoE on GE 1/0/1, GE 1/0/2, and GE 1/0/3. Configure GE
1/0/3 as the trusted interface.
Configure the Circuit ID mode to user-defined, with the format interface name + outer
VLAN ID + device name. Configure the Remote ID mode to ascii, with the content
01:02:03:04:05:06.
Configure the policy for processing received PPPoE+ packets on GE 1/0/1 and GE 1/0/2.
Configuration steps
Step 1 Enable global PPPoE+. Enable PPPoE+ on GE 1/0/1, GE 1/0/2, and GE 1/0/3.
Raisecom(config)#pppoeplus start
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#pppoeplus enable
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#pppoeplus enable
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#pppoeplus enable
Raisecom(config-ge-1/0/3)#exit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#pppoeplus trust
Raisecom(config-ge-1/0/3)#exit
Step 4 Configure the policy for processing received PPPoE+ Tag packets on GE 1/0/1 and GE 1/0/2.
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#pppoeplus policy keep
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#pppoeplus policy drop
Raisecom(config-ge-1/0/2)#exit
Checking results
Use the show pppoeplus config command to show PPPoE+ configurations.
pppoeplus enable
pppoeplus policy keep
!
interface ge 1/0/2
pppoeplus enable
pppoeplus policy drop
!
interface ge 1/0/3
pppoeplus enable
pppoeplus trust
Percent: the percentage of the maximum interface rate allowed to pass, supported by the
physical interface only
Scenario
Configuring storm control on Layer 2 devices can prevent broadcast storm from occurring
when broadcast packets increase sharply on the network. In this case, normal packets can be
properly forwarded.
Prerequisite
N/A
Networking requirements
As shown in Figure 8-8, when GE 1/1/1 and GE 1/1/2 on the Switch receive excessive
unknown unicast packets or broadcast packets, Switch A forwards these packets to all
interfaces except the Rx interface, which may cause broadcast storm and lower forwarding
performance of Switch A.
To restrict impacts on Switch A caused by broadcast storm, you need to configure storm
suppression on Switch A to restrict broadcast packets from user networks 1 and 2, with the
threshold of 640 pps.
Configuration steps
Enable storm suppression, and configure the threshold for storm suppression.
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#storm-suppression broadcast min-rate kbps 320 max-rate kbps 640
Raisecom(config-ge-1/0/1)#storm-suppression action error-down
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#storm-suppression broadcast min-rate kbps 320 max-rate kbps 640
Raisecom(config-ge-1/0/2)#storm-suppression action error-down
Checking results
Use the show storm-suppression interface command to show configurations of storm
suppression.
-------------------------------------------------------------------------
----------------------
ge-1/0/1 UNC disable bps n/a none/normal
5
UNMC disable bps n/a none/normal
5
Scenario
ARP is simple and easy to use, but vulnerable to attacks due to no security mechanism.
Attackers can forge ARP packets from users or gateways to alter the ARP table of the gateway
or host. When they send excessive IP packets, whose IP addresses cannot be resolved, to the
device, they will cause the following harms:
The device sends excessive ARP request packets to the destination network segment, so
this network segment is overburdened.
The device repeatedly resolves destination IP addresses, so the CPU is overburdened.
To prevent these harms caused by attacks on IP packets, the device supports ARP attack
protection.
Prerequisite
N/A
Networking requirements
To prevent ARP attacks shown below, configure ARP attack protection on Switch A with the
following requirements:
Disallow gratuitous ARP messages to pass. Enable ARP conflict detection for ARP
source IP addresses and source MAC addresses, and the ARP spoofing detection for
impersonating this device.
Switch A serves as the gateway for User A. Enable ARP gateway anti-conflict.
Clear configurations of the ARP gateway anti-conflict on Switch A. Switch A provides
Layer 2 accessibility from User B to the DHCP server. Configure DAI on GE 1/1/2.
Raisecom#configure
Raisecom(config)#arp-antiattack src-ip enable
Step 2 Configure ARP conflict detection for ARP source MAC addresses.
Step 6 Enable DAI. To enable DAI, disable ARP gateway anti-conflict in advance.
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#arp-antiattack check user-bind enable
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#
Checking results
Use the show arp-antiattack config command to show configurations of ARP attack
protection.
8.8 ND Snooping
8.8.1 Introduction
Neighbor Discovery (ND) is a group of messages or processes for determining relations
between neighboring nodes. Its messages replace IPv4 Address Resolution Protocol (ARP),
ICMP Router Discovery (RD), and ICMP Redirect messages, and it also supports the
following functions:
Detecting address conflicts
Resolving the neighbor address
Determining neighbor reachability
Configuring the IP address of the host
ND Snooping is used on the switch to check user validity. It normally forwards ND packets of
authorized users and discards those of unauthorized users, thus preventing attacks from
pseudo users and gateways.
User validity check is used to determine whether a user is an authorized user of the VLAN to
which the interface receiving the ND packet belongs, according to the source IPv6 address
and source MAC address carried in the ND packet.
ND Snooping divides interfaces of the access device into the following two types:
ND trusted interface: this interface does not check user validity and forwards ND
packets normally.
ND untrusted interface: the device treats RA packets received on an ND untrusted
interface as illegal and discards them directly. The device checks NA/RS/NS packets
received on the ND untrusted interface against the binding table; when they do not
match the binding table, the device treats them as illegal and discards them. The
device forwards packets of other types received on the ND untrusted interface
normally.
Scenarios
ND Snooping is used to prevent common ND spoofing attacks on the network by isolating
ND packets from unauthorized sources. You configure the trusted status of an interface to
decide whether its ND packets are trusted, and configure the binding table to decide whether
ND packets from untrusted interfaces comply with requirements.
Prerequisite
N/A
8.8.6 Maintenance
Maintain the device as below.
Networking requirements
As shown in Figure 8-10, the host of a LAN user is connected to the gateway by Switch A. It
has to obtain the IPv6 address through stateless automatic configuration according to the
prefix assigned by the gateway to the user network because no DHCPv6 server is deployed on
the network. To prevent illegal users from sending NA/NS/RS/RA packets, which causes legal
hosts to fail to obtain IPv6 addresses, enable ND Snooping on Switch A to intercept illegal
packets.
Configuration steps
Step 1 Create VLAN 10 on Switch A, and activate it.
Configure Switch.
Raisecom#configure
Raisecom(config)#hostname SwitchA
SwitchA(config)#vlan 10
Step 2 Add GE 1/0/2 on Switch A to VLAN 10 in Access mode. Configure GE 1/0/1 to Trunk mode,
allowing packets of VLAN 10 to pass.
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type access
SwitchA(config-ge-1/0/2)#port default vlan 10
SwitchA(config-ge-1/0/2)#exit
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan 10
SwitchA(config-ge-1/0/1)#exit
Step 3 Enable global ND Snooping and enable ND Snooping in VLAN 10. Configure GE 1/0/1 as
the trusted interface.
SwitchA(config)#nd-snooping start
SwitchA(config)#vlan 10
SwitchA(config-vlan-10)#nd-snooping enable
SwitchA(config-vlan-10)#exit
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#nd-snooping enable
SwitchA(config-ge-1/0/1)#nd-snooping trust
SwitchA(config-ge-1/0/1)#exit
Checking results
Use show nd-snooping config command to check configurations of ND Snooping.
Scenario
DHCP Snooping is a security feature of DHCP, used to make DHCP client obtain its IP
address from a legal DHCP server and record mapping between IP address and MAC address
of a DHCP client.
The Option field of a DHCP packet records location of a DHCP client. The administrator can
locate a DHCP client through the Option field and control client security and accounting. The
device configured with DHCP Snooping and Option can perform related process according to
Option field status in the packet.
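To make the Option field concrete, here is an added example, not Raisecom code, of how a DHCP Snooping device appends Option 82 (Relay Agent Information, RFC 3046) to a client request and how a server reads it back to locate the client. Sub-option 1 is the Agent Circuit ID and sub-option 2 the Agent Remote ID; the values raisecom and user01 follow the configuration example in this section. The DHCP message bytes are constructed, and the behaviour for a request that already carries Option 82 (leave it unchanged) is an assumption.

```python
"""Added example (not Raisecom code): DHCP Option 82 insertion on the snooping
device and parsing on the server. Message bytes are constructed."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2      # RFC 3046 sub-option codes
BOOTP_FIXED_LEN = 236                     # fixed BOOTP header before the magic cookie


def parse_options(msg):
    """Return the DHCP options as an ordered list of (code, value)."""
    if msg[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, off = [], BOOTP_FIXED_LEN + 4
    while off < len(msg):
        code = msg[off]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            off += 1
            continue
        length = msg[off + 1]
        opts.append((code, msg[off + 2:off + 2 + length]))
        off += 2 + length
    return opts


def build_message(options, op=1):
    """Minimal BOOTP/DHCP message: op, htype=1 (Ethernet), hlen=6, hops=0,
    the remaining fixed fields zeroed, then the options and an End option."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + bytes(BOOTP_FIXED_LEN - 4)
    body = b"".join(bytes([c, len(v)]) + v for c, v in options) + bytes([OPT_END])
    return header + MAGIC_COOKIE + body


def option82(circuit_id, remote_id):
    """Encode the two sub-options of the Relay Agent Information option."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value):
    subs, off = {}, 0
    while off + 2 <= len(value):
        st, sl = value[off], value[off + 1]
        subs[st] = value[off + 2:off + 2 + sl]
        off += 2 + sl
    return subs


def snooping_insert(msg, circuit_id, remote_id):
    """Ingress from a client-facing interface: append Option 82 to the request.
    Assumed behaviour: a request that already carries Option 82 is left unchanged."""
    opts = parse_options(msg)
    if any(c == OPT_RELAY_AGENT for c, _ in opts):
        return msg
    opts.append((OPT_RELAY_AGENT, option82(circuit_id, remote_id)))
    return build_message(opts)


def server_locate_client(msg):
    """Server side: return (circuit_id, remote_id) from Option 82, or None."""
    for c, v in parse_options(msg):
        if c == OPT_RELAY_AGENT:
            s = parse_option82(v)
            return s.get(SUB_CIRCUIT_ID), s.get(SUB_REMOTE_ID)
    return None


# Constructed DHCPDISCOVER (message type 1) with no other options.
CLIENT_DISCOVER = build_message([(OPT_MSG_TYPE, b"\x01")])
```

The server-side tuple is what lets an administrator tie a lease to a switch interface, which is the management and accounting use described above.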
Prerequisite
N/A
8.9.8 Maintenance
Maintain the device as below.
Command Description
Raisecom(config)#reset dhcp-snooping user-bind Clear information about
[ ip-address | interface interface-type the IPv4 binding table.
interface-number | vlan vlan-id ]
Raisecom(config)#reset dhcpv6-snooping user-bind Clear information about
[ ipv6-address | interface interface-type the IPv6 binding table.
interface-number | vlan vlan-id ]
Networking requirements
As shown in Figure 8-12, the Switch is used as the DHCP Snooping device. The network
requires DHCP clients to obtain the IP address from a legal DHCP server and support Option
82 to facilitate client management. You can configure padding information about circuit ID
sub-option to raisecom on GE 1/0/3, and padding information about remote ID sub-option to
user01.
Configuration steps
Step 1 Configure global DHCP Snooping.
Raisecom#configure
Raisecom(config)#dhcp-snooping start
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#dhcp-snooping enable
Raisecom(config-ge-1/0/1)#dhcp-snooping trust
Raisecom(config-ge-1/0/1)#exit
Step 3 Configure DHCP Relay to support Option 82 field and configure Option 82 field.
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#dhcp-snooping enable
Raisecom(config-ge-1/0/3)#dhcp-snooping option82 enable
Raisecom(config-ge-1/0/3)#dhcp-snooping option82 remote-id format user-defined 'user01'
Raisecom(config-ge-1/0/3)#dhcp-snooping option82 circuit-id format user-defined 'raisecom'
Raisecom(config-ge-1/0/3)#exit
Checking results
Use the show dhcp-snooping config command to show configurations of DHCP Snooping.
Before forwarding IP packets, the device compares the source IP address, source MAC
address, interface ID, and VLAN ID of the IP packets with the binding table. If the
information matches, it indicates that the user is legal and the packets are permitted to forward
normally. Otherwise, the user is an attacker and the IP packets are discarded.
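The binding-table comparison described here is the same check that DAI (8.7) applies to ARP packets and that ND Snooping (8.8) applies to NA/RS/NS packets, so one added example, not Raisecom code, covers all three. It models the trusted/untrusted interface distinction, the ND rule that RA packets on an untrusted interface are discarded, and the four-tuple match (source IP, source MAC, interface, VLAN). The binding entries, interface names, sample packets and the log-line format are constructed; on a real device the table comes from DHCP/DHCPv6 Snooping or static configuration.

```python
"""Added example (not Raisecom code): four-tuple binding-table validation as used
by IP Source Guard, DAI and ND Snooping. Entries, packets and log format are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class Packet:
    kind: str        # "ip", "arp", "ns", "na", "rs", "ra" ...
    src_ip: str
    src_mac: str
    interface: str
    vlan: int


class BindingTable:
    def __init__(self, entries, trusted_interfaces=()):
        # Keyed on (address, VLAN): the same address may legitimately exist in another VLAN.
        self._by_ip = {(ip_address(b.ip), b.vlan): b for b in entries}
        self.trusted = set(trusted_interfaces)

    def check(self, pkt):
        """Return (verdict, reason). Trusted interfaces bypass the check; RA on an
        untrusted interface is always discarded; everything else must match a
        binding on IP, MAC, interface and VLAN."""
        if pkt.interface in self.trusted:
            return "permit", "trusted interface"
        if pkt.kind == "ra":
            return "discard", "RA on untrusted interface"
        entry = self._by_ip.get((ip_address(pkt.src_ip), pkt.vlan))
        if entry is None:
            return "discard", "no binding for source IP in this VLAN"
        if entry.mac.lower() != pkt.src_mac.lower():
            return "discard", f"MAC mismatch (bound to {entry.mac})"
        if entry.interface != pkt.interface:
            return "discard", f"interface mismatch (bound to {entry.interface})"
        return "permit", "binding matched"


def filter_packets(table, packets):
    """Apply the check to a batch; return permitted packets and one constructed
    syslog-style line per discarded packet."""
    permitted, logs = [], []
    for p in packets:
        verdict, reason = table.check(p)
        if verdict == "permit":
            permitted.append(p)
        else:
            logs.append(f"SEC-DISCARD: {p.kind} from {p.src_ip}/{p.src_mac} "
                        f"on {p.interface} vlan {p.vlan}: {reason}")
    return permitted, logs


# Constructed binding table: one IPv4 and one IPv6 user on ge1/0/2, uplink ge1/0/1 trusted.
TABLE = BindingTable(
    [Binding("10.10.10.1", "00:11:22:33:44:55", "ge1/0/2", 1),
     Binding("2001:db8::10", "00:11:22:33:44:66", "ge1/0/2", 10)],
    trusted_interfaces={"ge1/0/1"},
)

# Constructed traffic sample covering the legitimate and the spoofed cases.
SAMPLE = [
    Packet("ip", "10.10.10.1", "00:11:22:33:44:55", "ge1/0/2", 1),     # legitimate user
    Packet("arp", "10.10.10.1", "de:ad:be:ef:00:01", "ge1/0/2", 1),    # bound IP, wrong MAC
    Packet("ip", "10.10.10.1", "00:11:22:33:44:55", "ge1/0/3", 1),     # bound IP+MAC, wrong interface
    Packet("ra", "fe80::1", "00:11:22:33:44:66", "ge1/0/2", 10),       # RA on untrusted interface
    Packet("ns", "2001:db8::10", "00:11:22:33:44:66", "ge1/0/2", 10),  # legitimate IPv6 ND
    Packet("ip", "192.168.1.9", "00:aa:bb:cc:dd:ee", "ge1/0/1", 1),    # anything on trusted uplink
]
```

Keying the table on (address, VLAN) rather than on address alone matters: the page's check includes the VLAN ID precisely so that an address bound in one VLAN cannot be reused from another.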
Scenario
There are often some IP source spoofing attacks on the network. For example, the attacker
forges legal users to send IP packets to the server, or the attacker forges the source IP address
of another user to communicate. This prevents legal users from accessing network services
normally.
With IP Source Guard binding, you can filter and control packets forwarded by the interface
and prevent illegal packets from passing through it, thus restricting the illegal use of
network resources and improving interface security.
Prerequisite
Enable DHCP Snooping if there are DHCP users.
Networking requirements
As shown in Figure 8-14, to prevent IP address theft, you need to configure IP Source Guard
on the Switch.
The Switch permits all IP packets on GE 1/0/1 to pass.
GE 1/0/2 permits those IP packets to pass, of which the IP address is 10.10.10.1, the
subnet mask is 255.255.255.0, and the status meets the dynamic binding learnt by DHCP
Snooping.
Other interfaces only permit the packets meeting DHCP Snooping learnt dynamic
binding to pass.
Configuration steps
Step 1 Configure IP Source Guard.
Raisecom#configure
Raisecom(config)#int ge 1/0/2
Raisecom(config-ge-1/0/2)#ip source check user-bind enable
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#int ge 1/0/1
Raisecom(config-ge-1/0/1)#ip source check user-bind enable
Raisecom(config-ge-1/0/1)#exit
Checking results
Use the show ip source check config command to show configurations of IP Source Guard.
Use the show ip source check interface command to show information about the interface
enabled with IP Source Guard.
Scenario
When the device receives massive numbers of attack packets in a short period, the CPU runs at
full load and CPU utilization reaches 100%, causing the device to malfunction. CPU attack
protection efficiently limits the rate of packets that enter the CPU.
Prerequisite
N/A
8.11.4 Maintenance
Maintain the device as below.
Command: Raisecom(config)#reset cpu-defend statistics
Description: Clear global statistics on CPU attack protection.
Networking requirements
As shown below, the user needs to be authenticated through MAC address authentication.
The user is directly connected to the device, which can reach the authentication server.
Configuration steps
Step 1 Configure the device as below.
Raisecom(config)#aaa
Raisecom(config-aaa)#radius-server host server1 ip-address 192.168.5.66
key 12345
Raisecom(config-aaa)#server-group grp1 radius-server server1
Raisecom(config-aaa)#aaa authentication mac-authen method m1 first grp1
Raisecom(config-aaa)#quit
Raisecom(config)#mac-authen start
Raisecom(config)#mac-authen aaa authentication method m1
Raisecom(config)#mac-authen mode fixed-user username wwf password plain
12345
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mac-authen enable
Step 2 Use the show mac-authen information command to show information about MAC address
authentication.
Checking results
Use the show mac-authen user command to show the current user for MAC address
authentication.
The method for handling TCP SYN attacks by the device is to limit the rate of TCP SYN
packets after enabling TCP SYN flood attack prevention, ensuring that device resources are
not exhausted under attack.
UDP flood attack
The UDP flood attack refers to the attacker sending a large number of UDP packets to the
target device in a short period, causing the target device to be overloaded and unable to
process normal services. UDP flood attacks can be divided into the following two categories:
– Fraggle attack
In a fraggle attack, the attacker sends UDP packets whose source address is the target host
address, whose destination address is the broadcast address, and whose destination port
number is 7. If many hosts in the broadcast network have the UDP echo service enabled, the
target host receives excessive response packets, keeping the system busy. This is how the
attack takes effect.
After flood attack prevention is enabled, the device takes packets with the UDP port number
of 7 as attack packets and discards them directly.
– UDP diagnostic port attack
The attacker sends packets to diagnostic UDP ports (such as 7 echo, 13 daytime, and 19
chargen). If a large number of packets are sent simultaneously, they cause a flood and
can affect the normal operation of network devices.
After flood attack prevention is enabled, the device takes packets with UDP ports of 7, 13,
and 19 as attack packets and discards them directly.
ICMP flood attack
Usually, the network administrator uses the Ping program to monitor and troubleshoot the
network. The general process is as follows:
1. The source device sends an ICMP Echo Request packet to the receiving device.
2. After receiving the ICMP Echo Request packet, the receiving device responds with an
ICMP Echo Reply packet to the source device.
If the attacker sends a large number of ICMP response request packets to the target device, the
target device will be busy processing these requests and unable to continue to process other
data packets, causing an impact on normal services.
The device implements Committed Access Rate (CAR) rate limiting against ICMP flood
attacks to ensure that the CPU is not attacked and to ensure the normal operation of the
network.
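The following is an added example, not Raisecom code, that models the attack-prevention behaviour described in this section as a software pipeline: UDP packets to the diagnostic ports 7, 13 and 19 are discarded outright, and fragmented packets, TCP SYN packets and ICMP Echo Requests each pass through their own Committed Access Rate limiter implemented as a token bucket. The 15 kbit/s rate is taken from the configuration example that follows; using the same value as the burst size, the packet tuples and the timings are assumptions.

```python
"""Added example (not Raisecom code): classifier plus per-class CAR (token bucket)
limiter for flood attack prevention. Packet sample and timings are constructed."""
from collections import namedtuple

# t: arrival time in seconds; flags: TCP flags or ICMP type name; size: bytes on the wire
Pkt = namedtuple("Pkt", "t proto dport flags fragment size")
DIAGNOSTIC_UDP_PORTS = {7, 13, 19}     # echo, daytime, chargen


class TokenBucket:
    """CAR limiter measured in bits: refills at rate_bps, holds at most burst_bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate, self.burst = rate_bps, burst_bits
        self.tokens, self.last = burst_bits, 0.0

    def allow(self, t, bits):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


def classify(p):
    """Map a packet to the attack class this section describes, or 'other'."""
    if p.proto == "udp" and p.dport in DIAGNOSTIC_UDP_PORTS:
        return "udp-diag"
    if p.fragment:
        return "fragment"
    if p.proto == "tcp" and p.flags == "S":
        return "tcp-syn"
    if p.proto == "icmp" and p.flags == "echo-request":
        return "icmp"
    return "other"


class CpuDefend:
    """One limiter per rate-limited class; diagnostic UDP is dropped without limiting."""

    def __init__(self, rate_bps=15_000, burst_bits=15_000):
        self.limiters = {cls: TokenBucket(rate_bps, burst_bits)
                         for cls in ("fragment", "tcp-syn", "icmp")}
        self.stats = {"passed": 0, "dropped": 0}

    def handle(self, p):
        cls = classify(p)
        if cls == "udp-diag":
            verdict = "drop"
        elif cls in self.limiters:
            verdict = "pass" if self.limiters[cls].allow(p.t, p.size * 8) else "drop"
        else:
            verdict = "pass"
        self.stats["passed" if verdict == "pass" else "dropped"] += 1
        return cls, verdict


def run(packets):
    """Process packets in arrival order; return per-packet (class, verdict) and totals."""
    d = CpuDefend()
    results = [d.handle(p) for p in sorted(packets, key=lambda p: p.t)]
    return results, d.stats


# Constructed sample: a burst of 40 SYNs (64 bytes each) at t=0, one fraggle-style
# UDP/7 packet, one ICMP Echo Request and one ordinary TCP ACK segment.
SAMPLE = ([Pkt(0.0, "tcp", 80, "S", False, 64) for _ in range(40)]
          + [Pkt(0.0, "udp", 7, "", False, 60),
             Pkt(0.0, "icmp", 0, "echo-request", False, 84),
             Pkt(0.0, "tcp", 443, "A", False, 1500)])
```

With a 15 000-bit bucket, 29 SYNs of 512 bits fit before the 30th is dropped, while the ICMP and ordinary TCP traffic are unaffected because each class has its own bucket; that separation is what keeps one flood from starving a different protocol's legitimate packets.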
Scenario
Devices are often subjected to different types of network attacks, which can lead to high
resource utilization and affect network services. To ensure the provision of secure network
services to users, deploy attack prevention on devices to prevent the following types of attacks:
Abnormal packet attack prevention: prevent abnormal packet attacks.
Fragmented packet attack prevention: limit the rate of fragmented packets, preventing
them from attacking the CPU and occupying too much CPU and device resources.
Prerequisites
N/A
Networking requirements
If attackers launch abnormal packet attacks, fragmented packet attacks, and flood attacks on
Switch A within the LAN, Switch A may crash. To prevent this, the administrator deploys
various attack prevention measures on Switch A to provide users with a secure network
environment and ensure normal network services.
Configuration steps
Step 1 Configure DOS attack prevention.
Raisecom#config
Raisecom(config)#dos-antiattack pkt-limit enable
Step 3 Configure fragmented packet attack prevention. Configure the rate for receiving fragmented
packets to 15 kbit/s.
Step 4 Configure TCP SYN attack prevention. Configure the rate for receiving TCP SYN packets
to 15 kbit/s.
Step 6 Configure ICMP flood attack prevention. Configure the rate for receiving ICMP flood
packets to 15 kbit/s.
Checking results
Use the show dos-antiattack config command to show configurations of DOS attack prevention.
9 Reliability
This chapter describes basic principles and configuration procedures for reliability, and
provides related configuration examples, including the following sections:
Link aggregation
G.8031
G.8032
STP/RSTP
MSTP
Loop detection
Interface backup
Interface isolation
L2CP
BFD
Link flap protection
Interface loopback
There are two interfaces in the aggregation group. They back up each other. One is in the
Active status, and the other is in the shutdown status. This is applicable when one end cannot
use LACP.
Static LACP aggregation
The aggregation group selects the active end and active interface through LACP protocol. The
Active interface is used for forwarding data while the inactive interface is used for backing up
links. This is applicable when LACP is supported by devices at both ends.
Static LACP active/standby link aggregation
There are two interfaces in the aggregation group. They back up each other. One is in the
Active status, and the other is in the Shutdown status. This is applicable when both devices
support LACP.
Scenario
To provide higher bandwidth and reliability for a link between two devices, configure link
aggregation.
Prerequisite
Configure physical parameters of interfaces and make them Up.
In the same LAG, member interfaces that share loads must be identically configured.
Otherwise, data cannot be forwarded properly. These configurations include QoS, QinQ,
VLAN, interface properties, and MAC address learning.
– QoS: traffic policing, traffic shaping, congestion avoidance, rate limit, SP queue,
WRR queue scheduling, interface priority and interface trust mode
– QinQ: QinQ enabling/disabling status on the interface, added outer VLAN tag,
policies for adding outer VLAN Tags for different inner VLAN IDs
– VLAN: the allowed VLAN, default VLAN and the link type (Trunk or Access) on
the interface, subnet VLAN configurations, protocol VLAN configurations, and
whether VLAN packets carry Tag
– Port properties: whether the interface is added to the isolation group, interface rate,
duplex mode, and link Up/Down status
– MAC address learning: whether MAC address learning is enabled and whether the
interface is configured with MAC address limit.
In a static LACP LAG, a member interface can be an active/standby one. Both the
active interface and standby interface can receive and send LACPDU. However,
the standby interface cannot forward user packets.
The system chooses the default interface in the order of neighbor discovery, highest
interface speed, highest interface LACP priority, and lowest interface ID. That interface
is active by default; interfaces with the same speed, the same peer, and the same peer
operation key are also active; all other interfaces are standby.
The load balancing mode of the LAG takes effect on known unicast packets only.
Networking requirements
As shown in Figure 9-1, to improve link reliability between Switch A and Switch B, you can
configure static LACP link aggregation. That is to add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to
one LAG.
Configuration steps
Step 1 Create static LACP link aggregation on Switch A. Configure Switch A as the active end.
Raisecom#configure
Raisecom(config)#hostname SwitchA
SwitchA(config)#lacp system-priority 1000
SwitchA(config)#int eth-trunk 1
SwitchA(config-eth-trunk-1)#mode lacp-static
SwitchA(config-eth-trunk-1)#add interface ge 1/0/1
SwitchA(config-eth-trunk-1)#add interface ge 1/0/2
SwitchA(config-eth-trunk-1)#add interface ge 1/0/3
SwitchA(config-eth-trunk-1)#exit
Step 2 Create static LACP link aggregation on Switch B.
Raisecom#configure
Raisecom(config)#hostname SwitchB
SwitchB(config)#int eth-trunk 1
SwitchB(config-eth-trunk-1)#mode lacp-static
SwitchB(config-eth-trunk-1)#add interface ge 1/0/1
SwitchB(config-eth-trunk-1)#add interface ge 1/0/2
SwitchB(config-eth-trunk-1)#add interface ge 1/0/3
SwitchB(config-eth-trunk-1)#exit
Checking results
Use the show lacp eth-trunk 1 command to show global configurations of the static LACP
link aggregation on Switch A.
ge-1/0/1 :
Port Status : Up and bind
Local information:
Mode Flags PortPri AdminKey OperKey PortId State Status
active slow 32768 1 1 449 0x3d selected
Partner information:
SysPri Flags PortPri AdminKey OperKey PortId State DeviceID
32768 slow 32768 0 1 449 0x3d
0xf0f1f2f30201
ge-1/0/2 :
Port Status : Up and bind
Local information:
Mode Flags PortPri AdminKey OperKey PortId State Status
active slow 32768 1 1 450 0x3d selected
Partner information:
SysPri Flags PortPri AdminKey OperKey PortId State DeviceID
32768 slow 32768 0 1 450 0x3d
0xf0f1f2f30201
ge-1/0/3 :
Port Status : Up and bind
Local information:
9.2 G.8031
9.2.1 Introduction
G.8031 is a linear protection switching standard defined by ITU-T based on VLAN Ethernet
technologies. In the protection switching mechanism, corresponding protection resources are
allocated to all work resources, such as paths and bandwidth. Compared with the spanning
tree protection technology defined by IEEE, the protection technology defined by G.8031 is
simple and fast, implementing network resource switching in a predictable way, making it
easier for carriers to effectively plan the network and understand the network's activity status
and to achieve carrier-grade operations.
G.8031 defines two protection structures, 1+1 and 1:1. In the 1+1 structure, each protection
resource corresponds to a working resource. In the protection domain, the 1+1 structure
adopts the double-transmitting single-receiving protection mechanism. The 1:1 structure
adopts a mechanism of switching between protecting resources and working resources.
Fault detection mechanism
G.8031 uses Continuity Check (CC) messages defined in Y.1731 or IEEE 802.1ag for bidirectional link
forwarding detection, which can locate the fault point and determine whether the fault is
unidirectional or bidirectional. For protection switching, the default transmission period of CC
messages is 3.33ms (in other words, the transmission rate is 300 frames per second).
Two adjacent nodes periodically send CC messages from the physical interface to detect faults.
When a node detects the loss of CC messages within a specific period, it regards this as a fault.
The node sends a Remote Defect Indication (RDI) frame from the interface where the fault is
detected. If the fault is unidirectional, the node downstream of the link will detect the RDI
frame.
1+1 protection structure
In the 1+1 structure, a dedicated protection line is assigned to each working line, and the
working line and protection line are bridged at the source end of the protection domain.
Services are sent simultaneously over both the working line and the protection line to the sink
end of the protection domain. At the sink end, the selector chooses to receive services from the
working or protection line based on defect indications.
The switching types of 1+1 Ethernet linear protection include unidirectional switching and
bidirectional switching. In unidirectional switching, only the affected direction is switched to
the protection line; the selectors at both ends operate independently and do not require APS
signaling. Bidirectional switching works in a similar way, but usually requires APS signaling to
coordinate both ends. Unidirectional switching can protect against unidirectional faults in the
two directions independently.
The operation types of 1+1 Ethernet linear protection can be either non-revertive or revertive.
In revertive mode, when the faulty link is restored, the WTR timer is started. After the WTR
times out, the selector switches services to the working line. In non-revertive mode, even if
the faulty link is restored, the selector is still connected to the protection line.
1:1 protection structure
In the 1:1 structure, a dedicated protection line is assigned to each working line, and the
protected services are transmitted over either the working line or the protection line. The
selection between the working line and the protection line is based on the defect indication
mechanism.
The switching types of 1:1 Ethernet linear protection also include unidirectional switching
and bidirectional switching, and the operation types can be revertive or non-revertive. In
bidirectional switching, both the affected direction and the unaffected direction are switched
to the protection line, whereas unidirectional switching switches only the affected direction to
the protection line. During switching, the source bridge and the destination selector must
switch to the same line, so Automatic Protection Switching (APS) signaling is required to
coordinate both ends of the line.
In 1:1 protection switching, the selector bridge at the source end and the selector at the
destination end of the protection domain implement protection switching together, based on
local (near-end) information and the APS protocol information received from the far end.
CC messages are used to detect faults on the working line and the protection line. When the
working line is faulty, the selector at the end that detects the fault switches services to the
protection line and sends an APS notification to the other end. The source end receives the
APS notification and synchronizes its switching.
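As an added illustration (not code from the guide or the device), the following Python model simulates CC-based fault detection with RDI, the 1:1 selector and APS coordination between two ends, in both revertive and non-revertive operation. The CC period of 3.33 ms comes from the text above; the loss threshold of three missed CC periods, the endpoint names A and Z, and the single-flag APS message are constructed assumptions.

```python
from dataclasses import dataclass, field

CC_PERIOD_MS = 3.33   # default CC transmission period quoted in the text above
MISSED_CC = 3         # constructed assumption: CC periods without a frame before loss is declared
LINES = ("working", "protection")


@dataclass
class Line:
    """A line has two directions that can fail independently (unidirectional faults)."""
    a_to_z: bool = True
    z_to_a: bool = True


@dataclass
class Endpoint:
    name: str                 # "A" (source end) or "Z" (sink end), constructed names
    revertive: bool
    wtr_periods: int          # WTR timer length, in CC periods
    selected: str = "working"
    missed: dict = field(default_factory=lambda: dict.fromkeys(LINES, 0))
    local_sf: dict = field(default_factory=lambda: dict.fromkeys(LINES, False))
    rdi_seen: dict = field(default_factory=lambda: dict.fromkeys(LINES, False))
    remote_aps_sf: bool = False   # far end reported signal fail on the working line via APS
    wtr_left: int = 0

    def receive_cc(self, line, frame):
        """frame is None when nothing arrived in this period (the direction is down)."""
        if frame is None:
            self.missed[line] += 1
            if self.missed[line] >= MISSED_CC:
                self.local_sf[line] = True       # loss of continuity: local defect
            self.rdi_seen[line] = False
        else:
            self.missed[line] = 0
            self.local_sf[line] = False
            self.rdi_seen[line] = frame["rdi"]   # far end flags its own CC loss with RDI

    def working_defect(self):
        return self.local_sf["working"] or self.rdi_seen["working"] or self.remote_aps_sf

    def select(self):
        """Selector decision for this period, including WTR handling in revertive mode."""
        if self.working_defect():
            self.selected = "protection"
            self.wtr_left = self.wtr_periods
        elif self.selected == "protection" and self.revertive:
            if self.wtr_left > 0:
                self.wtr_left -= 1               # working line healthy again: run WTR
            else:
                self.selected = "working"        # WTR expired: revert to working line


def step(a, z, lines):
    """One CC period: exchange CC (+RDI) on both lines, then APS, then select."""
    for name in LINES:
        ln = lines[name]
        a_rdi, z_rdi = a.local_sf[name], z.local_sf[name]   # RDI reflects state at send time
        z.receive_cc(name, {"rdi": a_rdi} if ln.a_to_z else None)
        a.receive_cc(name, {"rdi": z_rdi} if ln.z_to_a else None)
    # The APS request (modelled as one SF flag) travels over the protection line
    z.remote_aps_sf = a.local_sf["working"] if lines["protection"].a_to_z else False
    a.remote_aps_sf = z.local_sf["working"] if lines["protection"].z_to_a else False
    a.select()
    z.select()


def fault_type(a, z, line="working"):
    """Classify from both ends' local detection: loss at one end only is unidirectional."""
    sf = (a.local_sf[line], z.local_sf[line])
    if all(sf):
        return "bidirectional"
    if any(sf):
        return "unidirectional"
    return "none"


def run(events, periods, revertive=True, wtr_periods=5):
    """events: {period: [(line, direction, up), ...]} applied before that period.
    Returns both endpoints and a trace of (period, A selection, Z selection, fault type)."""
    a = Endpoint("A", revertive, wtr_periods)
    z = Endpoint("Z", revertive, wtr_periods)
    lines = {name: Line() for name in LINES}
    trace = []
    for t in range(periods):
        for line, direction, up in events.get(t, []):
            setattr(lines[line], direction, up)
        step(a, z, lines)
        trace.append((t, a.selected, z.selected, fault_type(a, z)))
    return a, z, trace


if __name__ == "__main__":
    # Constructed scenario: the working line loses only its A->Z direction at period 0
    for row in run({0: [("working", "a_to_z", False)]}, 8)[2]:
        print("t=%d A=%s Z=%s fault=%s" % row)
```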
Scenario
N/A
Prerequisite
Connect the interface, configure its physical parameters, and make it Up at the physical
layer.
Create VLANs.
Add the interface to VLANs.
Networking requirements
As shown below, to improve Ethernet reliability, switches A, B, and C form G.8031 protection
lines.
The protocol control VLAN is VLAN 2. The blocked VLANs are the default ones: VLANs 2–10.
Configuration steps
Step 1 Add interfaces to VLANs 2–10.
Configure switch A.
Raisecom#hostname SwitchA
SwitchA#config
SwitchA(config)#interface ge 1/0/1 to ge 1/0/2
SwitchA(config-ge-1/0/1->ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/1->ge-1/0/2)#port trunk allow-pass vlan 2-10
SwitchA(config-ge-1/0/1->ge-1/0/2)#exit
Configure switch C.
Raisecom#hostname SwitchC
SwitchC#config
SwitchC(config)#interface ge 1/0/1 to ge 1/0/4
SwitchC(config-ge-1/0/1->ge-1/0/4)#port link-type trunk
SwitchC(config-ge-1/0/1->ge-1/0/4)#port trunk allow-pass vlan 2-10
SwitchC(config-ge-1/0/1->ge-1/0/4)#exit
Step 2 Configure G.8031 linear protection.
Configure switch A.
SwitchA(config)#g8031 instance 1
SwitchA(config-g8031-instance-1)#control-vlan 2
SwitchA(config-g8031-instance-1)#data-vlan 2-10
SwitchA(config-g8031-instance-1)#working-port interface ge 1/0/1
SwitchA(config-g8031-instance-1)#protection-port interface ge 1/0/2
Configure switch C.
SwitchC(config)#g8031 instance 1
SwitchC(config-g8031-instance-1)#control-vlan 2
SwitchC(config-g8031-instance-1)#data-vlan 2-10
SwitchC(config-g8031-instance-1)#working-port interface ge 1/0/1
SwitchC(config-g8031-instance-1)#protection-port interface ge 1/0/2
Checking results
Use the show g8031 interface command on the device to check whether G.8031 protection
has taken effect.
Manually disconnect the link to emulate a fault. Use the command on switch A again to check
the G.8031 protection status.
9.3 G.8032
9.3.1 Introduction
G.8032 Ethernet Ring Protection Switching (ERPS) is an APS protocol based on ITU-T
recommendation G.8032. It is a link-layer protocol used specifically in Ethernet rings. ERPS
prevents the broadcast storms that data loops in an Ethernet ring would otherwise cause. When a
link or device on the Ethernet ring fails, traffic is quickly switched to the backup link so that
services are restored quickly.
G.8032 uses a control VLAN on the ring network to carry ring control information. Combined
with the topology characteristics of the ring network, this lets it discover network faults
quickly and enable the backup link to restore services fast.
G.8032 concepts
The basic concepts of G.8032 Ethernet Ring Protection Switching as shown in Figure 9-3
include:
RPL (Ring Protection Link): a link between RPL nodes. Under normal conditions, the
nodes at both ends of the link are blocked to prevent loops on the ring. There can be only
one RPL for each ring.
RPL Owner: a node connected to the RPL. It is specified by the user to block or unblock
the traffic at one end of the RPL. Under normal conditions, RPL Owners are responsible
for blocking traffic on the RPL interface to prevent service loops.
RPL Neighbor: a node connected to the other end of the RPL. It cooperates with the RPL
Owner to complete protection switching.
Protocol VLAN: an independent VLAN path adopted by the G.8032 for the delivery of
R-APS packets.
Block VLAN: different from the protocol VLAN which carries R-APS packets, it is a
service VLAN used for the delivery of service information.
R-APS messages: the fast-switching protocol packets in the G.8032 standard, including
the following types:
– FS (Forced Switch): message sent regularly by the FS node to implement forced
switching.
– SF (Signal Failed): message sent regularly by the fault node to report error
information.
– MS (Manual Switch): message sent regularly by the MS node for executing manual
switching.
– NR, RB (No Request, RPL Blocked): message sent periodically by the RPL Owner to
notify the other nodes on the ring when there are no faults or manual commands. This
message is sent periodically while the RPL is blocked by the RPL Owner.
– NR (No Request): message sent when faults or management commands are cleared.
Four timers are used in ring protection switching: the Guard Timer, the Wait To Restore (WTR)
Timer, the Wait To Block (WTB) Timer, and the Holdoff Timer.
Guard Timer: used to filter out stale R-APS packets that could cause incorrect protection
switching of nodes on the ring. Especially in a large ring network, the immediate restoration
of a node after its failure may trigger a fault notification from the neighboring node, and the
link will then go Down again. If the notification is caused by this node, the problem can be
solved by configuring the ring Guard Timer.
WTR Timer: when the working path is back to normal, the WTR Timer on the RPL
Owner starts. When WTR Timer expires, the service is recovered to the working path.
WTR Timer is used to avoid frequent switching caused by the instability of the working
path.
WTB Timer: it is used to delay RPL interface blocking when clearing manual commands
in the revertive mode. In this way, the interface shock caused by re-blocking can be
avoided.
Holdoff Timer: when one or more faults are detected, initiate the Holdoff Timer if the
configured value of Holdoff is not 0. The system will delay sending fault notification
before the Holdoff Timer expires; namely, the ring protection switching is delayed for a
period so that the frequent switching caused by the link shock can be avoided. When the
Holdoff Timer expires, the link will be checked no matter whether the fault that triggers
the start of this timer exists or not. If faults are detected, the notification will be sent to
the protection switch.
Ring states
G.8032 defines five node states on the ring network.
Idle State: the normal working state without faults.
Protecting State: the state entered when a link fault is detected. The automatic switching
process is triggered by Operation, Administration and Maintenance (OAM) CCM detection.
Pending State: the state before the faults are recovered.
FS State: the state entered when the forced switching command is issued.
MS State: the state entered when the manual switching command is issued.
The G.8032 Ethernet ring is in the Idle state when there are no faults in the system or the faults
have been corrected, as shown in Figure 9-4.
As shown in Figure 9-4, the ring in the Idle state has the following features.
All the nodes are connected in a ring topology.
The RPL Owner sends NR-RB messages continuously to indicate that no faults exist, and
blocks the RPL to prevent loops within the ring.
The neighboring nodes monitor each link by using CCM in Ethernet OAM.
G.8032 triggers ring protection switching through SF (Signal Fail) messages when faults are
detected on the ring.
As shown in Figure 9-5, protection switching is initiated automatically when a fault is
detected on the ring.
When the Holdoff Timer expires, the nodes at both ends of the failed link are triggered
by the RPL Owner to block this link, and send SF messages to the other nodes on the ring to
report the fault. As shown in Figure 9-5, Node C and Node D send SF messages to the other
nodes when the link between them fails.
Triggered by the SF messages, the RPL Owner unblocks all blocked interfaces and all
nodes start to flush their FDBs. The ring is then in the Protecting state.
When the fault is cleared, the ring enters fault recovery.
The nodes at both ends of the failed link remain blocked. When the Guard Timer expires,
Node C and Node D send R-APS NR messages to the other nodes, indicating that they have no
local requests.
The WTR Timer is started immediately when the RPL Owner receives the first NR
message.
When the WTR Timer expires, the RPL Owner blocks the RPL and sends an R-APS (NR, RB)
message, indicating that no local request exists and the RPL is blocked.
After receiving this message, the other nodes flush their MAC address tables (FDBs).
The nodes that sent NR messages stop sending them periodically and unblock their
blocked interfaces.
All nodes on the ring are back in the Idle state.
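The Idle, Protecting and Pending sequence described above, as an added Python simulation (not Raisecom code): a four-node ring with an RPL Owner and RPL Neighbor, a link failure and repair, Guard and WTR timers, and a check at every stage that the ring stays loop-free and fully connected. The node names, timer lengths and single-ring topology are constructed assumptions, and the Holdoff Timer is treated as already expired when fail_link is called.

```python
from collections import deque


class Ring:
    """Single G.8032 ring: nodes in ring order, link i joins nodes[i] and nodes[i+1]."""

    def __init__(self, nodes, rpl_owner, rpl_neighbor, guard_periods=2, wtr_periods=3):
        self.nodes = list(nodes)
        n = len(self.nodes)
        self.links = [frozenset((self.nodes[i], self.nodes[(i + 1) % n])) for i in range(n)]
        self.owner, self.neighbor = rpl_owner, rpl_neighbor
        self.rpl = frozenset((rpl_owner, rpl_neighbor))   # Owner and Neighbor are adjacent
        self.guard_periods, self.wtr_periods = guard_periods, wtr_periods
        self.failed = set()        # links currently down
        self.guard_left = {}       # node -> Guard Timer periods remaining
        self.wtr_left = None       # WTR Timer on the RPL Owner; None = not running
        self.flush_count = 0       # ring-wide FDB flushes so far
        self.block_rpl()           # sets self.blocked: (node, link) pairs with a blocked port
        self.state = "Idle"

    def block_rpl(self):
        """Idle: only the two RPL ends are blocked (the R-APS NR,RB condition)."""
        self.blocked = {(self.owner, self.rpl), (self.neighbor, self.rpl)}

    def fail_link(self, link):
        """Holdoff expired: both ends block the failed link and send R-APS(SF)."""
        link = frozenset(link)
        self.failed.add(link)
        for node in link:
            self.blocked.add((node, link))
        # On R-APS(SF) the RPL ends unblock the RPL and every node flushes its FDB
        self.blocked.discard((self.owner, self.rpl))
        self.blocked.discard((self.neighbor, self.rpl))
        self.flush_count += 1
        self.wtr_left = None
        self.state = "Protecting"

    def repair_link(self, link):
        """Fault cleared: the ends stay blocked and start their Guard Timers."""
        link = frozenset(link)
        self.failed.discard(link)
        for node in link:
            self.guard_left[node] = self.guard_periods
        self.state = "Pending"

    def tick(self):
        """Advance one timer period while in the Pending state."""
        if self.state != "Pending":
            return
        for node in list(self.guard_left):
            self.guard_left[node] -= 1
            if self.guard_left[node] == 0:
                del self.guard_left[node]       # Guard expired: node sends R-APS(NR)
                if self.wtr_left is None:       # first NR starts WTR on the RPL Owner
                    self.wtr_left = self.wtr_periods
        if self.wtr_left is not None:
            self.wtr_left -= 1
            if self.wtr_left <= 0:
                # WTR expired: Owner blocks the RPL and sends R-APS(NR,RB); the other
                # nodes flush their FDBs and unblock their ports; ring returns to Idle
                self.block_rpl()
                self.flush_count += 1
                self.wtr_left = None
                self.state = "Idle"

    def usable_links(self):
        """Links that are up and not blocked at either end."""
        return [l for l in self.links
                if l not in self.failed and not any((n, l) in self.blocked for n in l)]

    def reachable(self, src):
        """Nodes reachable from src over usable links (service connectivity check)."""
        seen, queue = {src}, deque([src])
        while queue:
            cur = queue.popleft()
            for link in self.usable_links():
                if cur in link:
                    other = next(iter(link - {cur}))
                    if other not in seen:
                        seen.add(other)
                        queue.append(other)
        return seen

    def has_loop(self):
        """Union-find check: a usable link joining already-connected nodes closes a loop."""
        parent = {n: n for n in self.nodes}

        def find(x):
            while parent[x] != x:
                x = parent[x]
            return x

        for link in self.usable_links():
            u, v = tuple(link)
            ru, rv = find(u), find(v)
            if ru == rv:
                return True
            parent[ru] = rv
        return False
```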
Tributary ring
The revised edition of G.8032 has added Ethernet multi-ring protection solutions. Through
interconnected nodes (that connect multiple rings), the tributary ring is connected to other
rings or networks as an affiliate to the existing ring network. The tributary ring is not closed
and the interconnected nodes do not belong to the tributary ring.
As shown in Figure 9-6, the path between the interconnected nodes B and C is called R-APS
virtual path which is designed for the interconnected nodes in the interconnected topology. If
the interconnected ring has a R-APS virtual path, the main ring will act as a virtual path,
which means the APS messages of the tributary ring will be sent to the main ring. If not, the
main ring will not provide a virtual path for the tributary ring, which means the messages will
be terminated at the interconnected nodes. The main ring and the tributary ring act
independently, with each of them setting its own RPL Owner. The protection of multiple rings
is similar to that of the single ring, with each of them tackling the failures within each ring.
When the shared link between interconnected nodes fails, the main ring is switched to the
Protecting State while the tributary ring remains unchanged.
Because the data of a tributary ring is sent through the main ring, the MAC address table of
the tributary ring will be stored on the device of the main ring. When a tributary ring fails, it
notifies the main ring through the Propagate switch of the immediate need to update FDB to
avoid traffic loss.
Ring mode
The difference between the revertive mode and the non-revertive mode is as below:
Revertive mode: when WTR Timer expires, the traffic is forwarded over the link of
previous state (the one before the failure).
Non-revertive mode: when WTR Timer expires, the traffic is not forwarded over the link
of previous state (the one before the failure). By default, the protection ring is configured
to this mode.
The virtual path of a tributary ring is as below:
With mode: the tributary ring supports R-APS virtual path. The main ring provides a
channel for APS messages of the tributary ring. The APS messages are received by the
interconnected nodes in the tributary ring and sent to the main ring. The communication
between interconnected nodes in the tributary ring is implemented through the main ring.
Without mode: the tributary ring does not support R-APS virtual path. The APS
messages of the tributary ring are terminated at the interconnected nodes and will not be
sent to the main ring. In this mode, the tributary ring cannot block the tributary protocol
VLAN so that packets of the tributary ring can pass the owner.
Scenario
With the evolution of Ethernet toward carrier-grade networks, voice and video multicast
services place higher requirements on Ethernet redundancy protection and fault recovery time.
The existing STP has a fault clearance time on the order of seconds, which is far from meeting
the reliability requirement. By defining different roles for nodes on a ring, G.8032 blocks the
loop to avoid broadcast storms under normal conditions, and traffic can be quickly switched to
the protection line when a working line or node on the ring fails. This eliminates the loop,
performs protection switching, and recovers from faults automatically. In addition, the
switching time is shorter than 50ms.
The device supports the single ring, intersecting ring, and tangent ring.
G.8032 provides a mode for detecting faults based on physical interface. The device learns
link fault quickly and switches services immediately, so this mode is suitable for detecting the
fault between neighboring devices.
Prerequisite
Connect the interface.
Configure its physical parameters to make it Up.
Create VLANs.
Add interfaces to VLANs.
Only one device on the protection ring can be configured as the Ring Protection
Link (RPL) Owner and only one device is configured as the RPL Neighbor. Other
devices are configured as ring forwarding nodes.
The tangent ring consists of 2 independent single rings. Configurations of the
tangent ring are identical to those of the common single ring. The intersecting ring
consists of a main ring and a tributary ring. Configurations of the main ring are
identical to those of the common single ring. For detailed configurations of the
tributary ring, see section 9.3.5 Creating a G.8032 tributary ring.
The ERPS ring interface must work in switch mode.
Step  Command                                                 Description
1     Raisecom#configure                                      Enter global configuration mode.
2     Raisecom(config)#g8032 instance instance-id             Create a G.8032 instance, and enter the G.8032 node.
3     Raisecom(config-g8032-instance-*)#control-vlan vlan-id  Specify the control VLAN. If the revertive disable
                                                              parameter is configured, the protection ring works in
                                                              non-revertive mode. When the working link is recovered
                                                              in revertive mode, traffic is switched back to the
                                                              working link from the protection link, while in
                                                              non-revertive mode the traffic is not switched back.
                                                              By default, the protection link is in revertive mode.
Only the intersecting ring consists of a main ring and a tributary ring.
Configurations of the main ring are identical to those of the single/tangent ring. For
details, see section 9.3.4 Creating a G.8032 ring.
For the intersecting ring, configure its main ring and then the tributary ring,
otherwise the tributary ring will fail to find the interface of the main ring, thus failing
to establish the virtual channel of the tributary ring.
The instance ID of the tributary ring must be greater than that of the main ring.
Configurations of non-intersecting nodes of the intersecting ring are identical to
those of the single/tangent ring. For details, see section 9.3.4 Creating a G.8032
ring.
The ERPS ring interface must work in switch mode.
Configure the G.8032 tributary ring for device as below.
By default, traffic is automatically switched to the other line when the current line fails
to forward traffic.
9.3.8 Maintenance
Maintain the device as below.
Command                                         Description
Raisecom(config)#g8032 instance instance-id     Clear the effect of the ring protection control command
Raisecom(config-g8032-instance-*)#clear         (force-switch, manual-switch, WTR timer timeout, and WTB
                                                timer timeout).
Networking requirements
As shown in Figure 9-7, to improve Ethernet reliability, Switch A, Switch B, Switch C, and
Switch D build up a G.8032 single ring.
Switch A is the RPL Owner; Switch B is the RPL Neighbor; the RPL link between
Switch A and Switch B is blocked.
The ID of protocol VLAN is 1 and the blocked VLANs range from 2 to 10.
Configuration steps
Step 1 Add interfaces to VLANs 2–10.
Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#interface ge 1/1/1 to ge 1/1/2
SwitchA(config-ge-1/1/1->ge-1/1/2)#port link-type trunk
SwitchA(config-ge-1/1/1->ge-1/1/2)#port trunk allow-pass vlan 2-10
SwitchA(config-ge-1/1/1->ge-1/1/2)#exit
Configurations of Switch B, Switch C, and Switch D are the same as those of Switch A.
SwitchA(config)#g8032 instance 1
SwitchA(config-g8032-instance-1)#control-vlan 1
SwitchA(config-g8032-instance-1)#data-vlan 2-10
Configure Switch B.
SwitchB(config)#g8032 instance 1
SwitchB(config-g8032-instance-1)#control-vlan 1
SwitchB(config-g8032-instance-1)#data-vlan 2-10
SwitchB(config-g8032-instance-1)#add interface ge 1/0/1 rpl neighbor
SwitchB(config-g8032-instance-1)#add interface ge 1/0/2
Configure Switch C.
SwitchC(config)#g8032 instance 1
SwitchC(config-g8032-instance-1)#control-vlan 1
SwitchC(config-g8032-instance-1)#data-vlan 2-10
SwitchC(config-g8032-instance-1)#add interface ge 1/0/1
SwitchC(config-g8032-instance-1)#add interface ge 1/0/2
Configure Switch D.
SwitchD(config)#g8032 instance 1
SwitchD(config-g8032-instance-1)#control-vlan 1
SwitchD(config-g8032-instance-1)#data-vlan 2-10
SwitchD(config-g8032-instance-1)#add interface ge 1/0/1
SwitchD(config-g8032-instance-1)#add interface ge 1/0/2
Checking results
Use the show g8032 interface command to show configurations of the G.8032 protection ring
on the switch.
Take Switch A as an example. The RPL link is blocked to avoid loops. After the WTR timer
expires, the ring status information is as below.
----------------------------------------------------------------------------------------------------
1 ge 1/0/1 port1 rpl working blocking 0 15
Manually disconnect the link between Switch B and Switch C to emulate a fault. Use the
following command to show G.8032 protection ring status on Switch A again. The RPL link
switches to the forwarding status.
Networking requirements
As shown in Figure 9-8, to improve Ethernet reliability, Switch A, Switch B, Switch C,
Switch D, Switch E, and Switch F form an intersecting ERPS network.
Switch A, Switch B, Switch C, and Switch D form the main ring. Switch D is the main
ring RPL Owner, Switch C is main ring RPL Neighbor. The blocked interface is GE
1/0/1 on Switch D. The ID of the protocol VLAN is 1.
Switch A, Switch B, Switch E, and Switch F form a tributary ring. Switch F is the
tributary ring RPL Owner. Switch A is tributary ring RPL Neighbor. The blocked
interface is GE 1/3/1 on Switch F. The protocol VLAN is 4094.
The blocked VLANs for the main ring and tributary ring range from VLANs 1 to 4094
by default.
Configuration steps
Step 1 Create VLAN 4094 and add interfaces to the VLAN.
Configure Switches A and B.
Switch#configure
Switch(config)#vlan 1-4094
Switch(config)#interface ge 1/0/1 to ge 1/0/3
Switch(config-ge-1/0/1->ge-1/0/3)#port link-type trunk
Switch(config-ge-1/0/1->ge-1/0/3)#port trunk allow-pass vlan all
Switch(config-ge-1/0/1->ge-1/0/3)#exit
Switch#configure
Switch(config)#vlan 1-4094
Switch(config)#interface ge 1/0/1 to ge 1/0/2
Switch(config-ge-1/0/1->ge-1/0/2)#port link-type trunk
Switch(config-ge-1/0/1->ge-1/0/2)#port trunk allow-pass vlan all
Switch(config-ge-1/0/1->ge-1/0/2)#exit
Switch(config)#g8032 instance 1
Switch(config-g8032-instance-1)#control-vlan 1
Switch(config-g8032-instance-1)#data-vlan 1-4094
Switch(config-g8032-instance-1)#add interface ge 1/0/1
Switch(config)#g8032 instance 1
Switch(config-g8032-instance-1)#control-vlan 1
Switch(config-g8032-instance-1)#data-vlan 1-4094
Switch(config-g8032-instance-1)#add interface ge 1/0/1
Switch(config-g8032-instance-1)#add interface ge 1/0/2 rpl neighbour
Configure Switch D.
Switch(config)#g8032 instance 1
Switch(config-g8032-instance-1)#control-vlan 1
Switch(config-g8032-instance-1)#data-vlan 1-4094
Switch(config-g8032-instance-1)#add interface ge 1/0/1 rpl owner
Switch(config-g8032-instance-1)#add interface ge 1/0/2
Switch(config)#g8032 instance 2
Switch(config-g8032-instance-2)#control-vlan 4094
Switch(config-g8032-instance-2)#data-vlan 1-4094
Switch(config-g8032-instance-2)#add interface ge 1/0/3 rpl owner
Switch(config-g8032-instance-2)#virtual-control-vlan 3
Switch(config-g8032-instance-2)#add interface ge 1/0/3 vc-mep
Configure Switch B.
Switch(config)#g8032 instance 2
Switch(config-g8032-instance-2)#control-vlan 4094
Switch(config-g8032-instance-2)#data-vlan 1-4094
Switch(config-g8032-instance-2)#add interface ge 1/0/3
Switch(config-g8032-instance-2)#virtual-control-vlan 3
Switch(config-g8032-instance-2)#add interface ge 1/0/3 vc-mep
Configure Switch E.
Switch(config)#g8032 instance 2
Switch(config-g8032-instance-2)#control-vlan 4094
Switch(config-g8032-instance-2)#data-vlan 1-4094
Switch(config-g8032-instance-2)#add interface ge 1/0/1
Switch(config-g8032-instance-2)#add interface ge 1/0/2
Configure Switch F.
Switch(config)#g8032 instance 2
Switch(config-g8032-instance-2)#control-vlan 4094
Switch(config-g8032-instance-2)#data-vlan 1-4094
Switch(config-g8032-instance-2)#add interface ge 1/0/1 rpl neighbour
Switch(config-g8032-instance-2)#add interface ge 1/0/2
Checking results
Use the show g8032 interface command to show configurations of the G.8032 protection ring
on the switch.
Use the command on Switch A, Switch D, and Switch F respectively. The result should be as
below after the WTR timer expires.
----------------------------------------------------------------------------------------------------
1 ge 1/0/1 port1 rpl working blocking 0 ::: 15
1 ge 1/0/2 port2 normal working forwarding 0 ::: 11
----------------------------------------------------------------------------------------------------
9.4 STP/RSTP
9.4.1 Introduction
STP
As network structures become more complex and the number of switches on the network grows,
loops in the Ethernet network become the most prominent problem. Because of the packet
broadcast mechanism, a loop causes the network to generate storms, exhausts network
resources, and seriously affects the forwarding of normal data. Figure 9-9 shows the network
storm caused by a loop.
Spanning Tree Protocol (STP) complies with the IEEE 802.1d standard and is used to remove
physical loops at the data link layer in a LAN.
Devices running STP exchange Bridge Protocol Data Units (BPDUs) with each other to elect
the root switch and select the root port and designated ports. Based on the results, they
logically block the loop interfaces, finally trimming the looped network into a loop-free tree
structure rooted at one device. This prevents packets from proliferating and circulating
endlessly on the looped network and causing broadcast storms, and avoids the decline in
packet processing capacity caused by receiving the same packets repeatedly.
Figure 9-10 shows loop networking with STP.
Although STP can eliminate loops and prevent broadcast storms, its shortcomings have
gradually been exposed as network technology has developed and been widely applied. The
major disadvantage of STP is its slow convergence.
RSTP
To improve the slow convergence of STP, IEEE 802.1w defines Rapid Spanning Tree Protocol
(RSTP), which adds a mechanism for changing an interface from the blocking state to the
forwarding state quickly, speeding up topology convergence.
The purpose of STP/RSTP is to simplify a bridged LAN to a single spanning tree in the logical
topology and thus avoid broadcast storms.
The disadvantages of STP/RSTP have been exposed by the rapid development of VLAN
technology. The single spanning tree produced by STP/RSTP leads to the following
problems:
The whole switching network has only one spanning tree, which leads to a longer
convergence time on a larger network.
After a link is blocked, it no longer carries traffic, wasting bandwidth.
Packets of some VLANs cannot be forwarded when the network structure is asymmetric.
As shown in Figure 9-11, Switch B is the root switch; RSTP logically blocks the link between
Switch A and Switch C, so VLAN 100 packets cannot be transmitted and Switch A and
Switch C cannot communicate.
Networking situation
In a large LAN, multiple devices are cascaded so that hosts can access each other. STP needs
to be enabled on them to avoid loops, MAC address learning faults, and the broadcast storms
and network outages caused by the rapid copying and transmission of data frames. STP
calculation blocks one interface to break the loop and ensures that there is only one path from
the data flow to the destination host, which is also the best path.
Preconditions
N/A
Networking requirements
As shown in Figure 9-12, Switch A, Switch B, and Switch C form a ring network, so the loop
formed by the physical links must be eliminated. Enable STP on them, configure the priority of
Switch A to 0, and configure the path cost from Switch B to Switch A to 10.
Configuration steps
Step 1 Enable STP on Switch A, Switch B, and Switch C.
Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#stp mode stp
Configure Switch B.
Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#stp mode stp
Configure Switch C.
Raisecom#hostname SwitchC
SwitchC#configure
SwitchC(config)#stp mode stp
Step 2 Enable STP on the interfaces.
Configure Switch A.
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#stp enable
SwitchA(config-ge-1/0/1)#exit
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/2)#stp enable
SwitchA(config-ge-1/0/2)#exit
Configure Switch B.
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port link-type trunk
SwitchB(config-ge-1/0/1)#stp enable
SwitchB(config-ge-1/0/1)#exit
SwitchB(config)#interface ge 1/0/2
SwitchB(config-ge-1/0/2)#port link-type trunk
SwitchB(config-ge-1/0/2)#stp enable
SwitchB(config-ge-1/0/2)#exit
Configure Switch C.
SwitchC(config)#interface ge 1/0/1
SwitchC(config-ge-1/0/1)#port link-type trunk
SwitchC(config-ge-1/0/1)#stp enable
SwitchC(config-ge-1/0/1)#exit
SwitchC(config)#interface ge 1/0/2
SwitchC(config-ge-1/0/2)#port link-type trunk
SwitchC(config-ge-1/0/2)#stp enable
SwitchC(config-ge-1/0/2)#exit
Step 3 Configure the priority of Switch A and the path cost between Switch A and Switch B.
Configure Switch A.
SwitchA(config)#stp priority 0
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#stp path-cost 10
Configure Switch B.
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#stp path-cost 10
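To check what the configuration above should produce, here is an added Python calculation (not the device's implementation) of root election, root path cost and port roles for the Figure 9-12 ring, written as a general STP calculation that also handles other priorities and costs. The bridge MACs, the Switch C port numbers, the default priority of 32768 and the default GE path cost of 20000 are assumptions the guide does not state.

```python
import heapq

# Constructed topology for the Figure 9-12 example: three switches in a ring.
# Bridge ID is (priority, MAC); the lower value wins. MACs are placeholders, and
# 32768 is assumed to be the default bridge priority.
BRIDGES = {
    "SwitchA": (0, "00:00:00:00:00:0a"),      # stp priority 0 from the example
    "SwitchB": (32768, "00:00:00:00:00:0b"),
    "SwitchC": (32768, "00:00:00:00:00:0c"),
}
GE_COST = 20000   # assumption: IEEE 802.1t default path cost of a GE port (the guide gives none)
# Each link: (bridge, port), (bridge, port), {bridge: path cost of its port on this link}.
# The A<->B ports are the ones given stp path-cost 10 in the example; the others are assumed.
LINKS = [
    (("SwitchA", "ge 1/0/2"), ("SwitchB", "ge 1/0/1"), {"SwitchA": 10, "SwitchB": 10}),
    (("SwitchA", "ge 1/0/1"), ("SwitchC", "ge 1/0/1"), {"SwitchA": GE_COST, "SwitchC": GE_COST}),
    (("SwitchB", "ge 1/0/2"), ("SwitchC", "ge 1/0/2"), {"SwitchB": GE_COST, "SwitchC": GE_COST}),
]


def compute_stp(bridges, links):
    """Root election, root path costs and port roles for one spanning tree.

    Returns (root, best, roles): best[bridge] = (root path cost, bridge ID of the
    upstream designated bridge, root port) and roles maps (bridge, port) to
    "designated", "root" or "blocked".
    """
    root = min(bridges, key=lambda b: bridges[b])           # lowest bridge ID wins
    best = {root: (0, bridges[root], None)}
    heap = [(0, bridges[root], root)]
    while heap:                                              # Dijkstra with STP tie-breaks
        cost, bid, cur = heapq.heappop(heap)
        if (cost, bid) > best[cur][:2]:
            continue                                         # stale heap entry
        for end1, end2, costs in links:
            for (me, my_port), (peer, _) in ((end1, end2), (end2, end1)):
                if peer != cur:
                    continue
                # root path cost grows by the cost of the receiving port; ties are broken
                # by the sender's bridge ID, then (approximately) by port name
                cand = (cost + costs[me], bridges[cur], my_port)
                if me not in best or cand < best[me]:
                    best[me] = cand
                    heapq.heappush(heap, (cand[0], cand[1], me))
    roles = {}
    for (b1, p1), (b2, p2), _ in links:
        # the designated side of a link has the lower (root path cost, bridge ID)
        if (best[b1][0], bridges[b1]) <= (best[b2][0], bridges[b2]):
            des, des_port, other, other_port = b1, p1, b2, p2
        else:
            des, des_port, other, other_port = b2, p2, b1, p1
        roles[(des, des_port)] = "designated"
        roles[(other, other_port)] = "root" if best[other][2] == other_port else "blocked"
    return root, best, roles


def forwarding_link_count(roles, links):
    """Links with no blocked end; a loop-free tree over N bridges forwards on N-1 of them."""
    return sum(1 for (b1, p1), (b2, p2), _ in links
               if "blocked" not in (roles[(b1, p1)], roles[(b2, p2)]))


if __name__ == "__main__":
    root, best, roles = compute_stp(BRIDGES, LINKS)
    print("root bridge:", root)
    for bridge, (cost, _, rport) in sorted(best.items()):
        print("%s root path cost=%d root port=%s" % (bridge, cost, rport))
    for (bridge, port), role in sorted(roles.items()):
        print("%s %s -> %s" % (bridge, port, role))
```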
Checking results
Use the show stp command to show bridge status.
Take Switch A for example.
Use the show stp interface command to show the interface status.
Take Switch A for example.
9.5 MSTP
9.5.1 Introduction
Multiple Spanning Tree Protocol (MSTP) is defined by IEEE 802.1s. Overcoming the
disadvantages of STP and RSTP, MSTP implements fast convergence and distributes the traffic
of different VLANs along their own paths, providing an excellent load balancing
mechanism.
MSTP divides a switch network into multiple regions, called MST region. Each MST region
contains several spanning trees but the trees are independent from each other. Each spanning
tree is called a Multiple Spanning Tree Instance (MSTI).
MSTP introduces the concepts of Common Spanning Tree (CST) and Internal Spanning Tree
(IST). The CST is the spanning tree calculated by taking each MST region as a whole; the IST
is the spanning tree generated inside an MST region.
Compared with STP and RSTP, MSTP also introduces the concepts of the total root (CIST Root)
and the region root (MST Region Root). The total root is a global concept: all switches running
STP/RSTP/MSTP can have only one total root, which is the CIST Root. The region root is a
local concept, relative to an instance in a region. As shown in Figure 9-13, all connected
devices have only one total root, and the number of region roots in each region depends on the
number of instances.
There can be different MST instance in each MST region, which associates VLAN and MSTI
by configuring the VLAN mapping table (relationship table of VLAN and MSTI). The
concept sketch map of MSTI is shown in Figure 9-14.
Each VLAN can map to one MSTI; in other words, data of one VLAN can only be
transmitted in one MSTI but one MSTI may correspond to several VLANs.
Compared with STP and RSTP described above, MSTP has obvious advantages, including
VLAN awareness, load balancing, RSTP-like interface state transitions, and the binding of
multiple VLANs to one MST instance to reduce resource usage. In addition, devices running
MSTP on the network are compatible with devices running STP and RSTP.
Figure 9-15 Networking with multiple spanning trees instances in MST region
Apply MSTP to the network as shown in Figure 9-15. After calculation, there are two
spanning trees generated at last (two MST instances):
MSTI 1 takes B as the root switch, forwarding packet of VLAN 100.
MSTI 2 takes F as the root switch, forwarding packet of VLAN 200.
In this case, all VLANs can communicate internally, and packets of different VLANs are
forwarded along different paths to share the load.
Scenario
In a large LAN or a residential-area aggregation network, the aggregation devices form a ring
for link backup, avoiding loops and achieving load balancing. MSTP can select a different,
unique forwarding path for each VLAN or group of VLANs.
Prerequisite
N/A
9.5.5 Configuring the MST region and its maximum number of hops
You can configure region information for the device when it is running in MSTP mode. The
MST region of the device is determined by the region name, the VLAN mapping table, and the
MSTP revision level. You can place the current device in a specific MST region through the
following configuration.
The scale of an MST region is restricted by the maximum number of hops. Starting from the
root bridge of the spanning tree in the region, the remaining hop count decreases by 1 each time
the configuration message (BPDU) passes through a device; a device discards a configuration
message whose hop count is 0. A device beyond the maximum number of hops cannot take part
in spanning tree calculation, so the scale of the MST region is restricted.
Configure the MST region and its maximum number of hops for the device as below.
The configured maximum number of hops takes effect as the maximum number of hops of the MST region only when the configured device is the region root; this item cannot be configured on non-root devices of the region.
The priority value must be a multiple of 4096, such as 0, 4096, and 8192. The default is 32768.
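Two switches only join the same MST region when the region name, the revision level and the VLAN-to-instance mapping all match, and the mapping is not compared entry by entry: MSTP carries an HMAC-MD5 digest of the whole 4096-entry VLAN-to-MSTID table in every BPDU (IEEE 802.1s). The following Python is an added example, not Raisecom code, that computes that digest and checks whether two configured switches would form one region; the switch tuples are constructed from the guide's later example (region aaa, revision 0, VLAN 3 to instance 3, VLAN 4 to instance 4), and the device's own show-command output format is not known from this page.

```python
import hashlib
import hmac

# Fixed HMAC-MD5 key defined by IEEE 802.1s/802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_table(vlan_to_msti):
    """Build the MST Configuration Table: 4096 entries (VID 0..4095), each the
    16-bit MSTID in network byte order. VLANs not listed stay in the CIST (MSTI 0)."""
    table = bytearray(4096 * 2)
    for vlan, msti in vlan_to_msti.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} out of range")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range")
        table[2 * vlan:2 * vlan + 2] = msti.to_bytes(2, "big")
    return bytes(table)


def mst_config_digest(vlan_to_msti):
    """16-byte digest of the mapping, as an upper-case hex string."""
    return hmac.new(MST_DIGEST_KEY, mst_config_table(vlan_to_msti), hashlib.md5).hexdigest().upper()


def same_region(region_a, region_b):
    """True if two switches would join one MST region. A region is
    (name, revision, {vlan: msti}); the mapping is compared through its digest,
    which is what actually travels in the MSTP BPDU."""
    name_a, rev_a, map_a = region_a
    name_b, rev_b, map_b = region_b
    return (name_a, rev_a, mst_config_digest(map_a)) == (name_b, rev_b, mst_config_digest(map_b))


# Constructed inputs matching the guide's example: region aaa, revision 0,
# VLAN 3 -> instance 3, VLAN 4 -> instance 4. SWITCH_C_TYPO maps VLAN 4 wrongly.
SWITCH_A = ("aaa", 0, {3: 3, 4: 4})
SWITCH_B = ("aaa", 0, {3: 3, 4: 4})
SWITCH_C_TYPO = ("aaa", 0, {3: 3, 4: 3})

if __name__ == "__main__":
    print("default digest (all VLANs in CIST):", mst_config_digest({}))
    print("A and B in one region:", same_region(SWITCH_A, SWITCH_B))
    print("A and C in one region:", same_region(SWITCH_A, SWITCH_C_TYPO))
```

The digest for an unmodified table (every VLAN in the CIST) is the well-known value 0xAC36177F50283CD4B83821D8AB26DE62. A single mistyped mapping on one switch changes its digest, so that switch silently ends up in a region of its own and the ring is no longer protected by one consistent set of instances; comparing digests across all three switches after Step 3 of the example is the quickest way to catch this.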
Configure the maximum transmission rate on the interface for the device as below.
An edge interface changes to the forwarding state immediately, without any waiting time. Configure Ethernet interfaces that connect to user clients as edge interfaces so that they enter the forwarding state quickly.
In auto-detection mode, the edge attribute of an interface depends on the actual condition. In force-true mode, the interface is treated as an edge interface but reverts to a non-edge interface as soon as it receives a BPDU. In force-false mode, the interface remains a non-edge interface regardless of what it receives, until the configuration is changed.
By default, all interfaces on the device are in auto-detection mode.
Configure the edge interface for the device as below.
An edge interface is not expected to receive BPDUs; forged BPDUs injected through a user-facing port can manipulate the spanning tree topology. BPDU Guard provided by MSTP prevents this type of attack: after BPDU Guard is enabled, edge interfaces are protected from forged BPDU packets.
After BPDU Guard is enabled, the switch shuts down an edge interface that receives a BPDU and notifies the NView NNM system. A blocked edge interface can only be restored by the administrator through the CLI.
Configure BPDU Guard for the device as below.
When BPDU filtering is enabled on an edge interface and BPDU Guard is enabled on the device, BPDU Guard takes effect first. Therefore, the edge interface is shut down if it receives a BPDU.
Loop guard and link backup are mutually exclusive; in other words, loop guard is implemented at the cost of disabling link backup.
Configure interface loop protection for the device as below.
9.5.20 Maintenance
Maintain the device as below.
Command Description
Raisecom(config-ge-1/0/*)#reset stp statistics  Clear spanning tree statistics on the interface.
Networking requirements
As shown in Figure 9-16, three devices are connected through MSTP to form a ring network with the region name aaa. Switch B is connected to a PC in VLAN 3, and Switch C is connected to another PC in VLAN 4. Instance 3 is associated with VLAN 3 and instance 4 with VLAN 4. Configure the priorities so that the root bridge of instance 3 is Switch A and the root bridge of instance 4 is Switch B. In this way, packets of VLAN 3 and VLAN 4 are forwarded along two different paths, which eliminates loops and implements load balancing.
Configuration steps
Step 1 Create VLAN 3 and VLAN 4 on Switch A, Switch B, and switch C respectively, and activate
them.
Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 3,4
Configure Switch B.
Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#vlan 3,4
Configure Switch C.
Raisecom#hostname SwitchC
SwitchC#configure
SwitchC(config)#vlan 3,4
Step 2 Configure GE 1/0/1 and GE 1/0/2 on Switch A, Switch B, and Switch C as Trunk interfaces that allow packets of all VLANs to pass. Configure GE 1/0/3 and GE 1/0/4 on Switch B and Switch C as Access interfaces in VLAN 3 and VLAN 4 respectively.
Configure Switch A.
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan all
SwitchA(config-ge-1/0/1)#exit
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/2)#port trunk allow-pass vlan all
SwitchA(config-ge-1/0/2)#exit
Configure Switch B.
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port link-type trunk
SwitchB(config-ge-1/0/1)#port trunk allow-pass vlan all
SwitchB(config-ge-1/0/1)#exit
SwitchB(config)#interface ge 1/0/2
SwitchB(config-ge-1/0/2)#port link-type trunk
SwitchB(config-ge-1/0/2)#port trunk allow-pass vlan all
SwitchB(config-ge-1/0/2)#exit
SwitchB(config)#interface ge 1/0/3
SwitchB(config-ge-1/0/3)#port link-type access
SwitchB(config-ge-1/0/3)#port default vlan 3
SwitchB(config-ge-1/0/3)#exit
SwitchB(config)#interface ge 1/0/4
SwitchB(config-ge-1/0/4)#port link-type access
SwitchB(config-ge-1/0/4)#port default vlan 4
SwitchB(config-ge-1/0/4)#exit
Configure Switch C.
SwitchC(config)#interface ge 1/0/1
SwitchC(config-ge-1/0/1)#port link-type trunk
SwitchC(config-ge-1/0/1)#port trunk allow-pass vlan all
SwitchC(config-ge-1/0/1)#exit
SwitchC(config)#interface ge 1/0/2
SwitchC(config-ge-1/0/2)#port link-type trunk
SwitchC(config-ge-1/0/2)#port trunk allow-pass vlan all
SwitchC(config-ge-1/0/2)#exit
SwitchC(config)#interface ge 1/0/3
SwitchC(config-ge-1/0/3)#port link-type access
SwitchC(config-ge-1/0/3)#port default vlan 3
SwitchC(config-ge-1/0/3)#exit
SwitchC(config)#interface ge 1/0/4
SwitchC(config-ge-1/0/4)#port link-type access
SwitchC(config-ge-1/0/4)#port default vlan 4
SwitchC(config-ge-1/0/4)#exit
Step 3 Set the spanning tree mode of Switch A, Switch B, and Switch C to MSTP and enable STP. Enter MST configuration mode, set the region name to aaa and the revision level to 0, map instance 3 to VLAN 3 and instance 4 to VLAN 4, and then exit MST configuration mode. The region name, revision level, and mapping must be identical on all three switches.
Configure Switch A.
Configure Switch B.
Configure Switch C.
Step 4 Set the internal path cost of GE 1/0/1 in spanning tree instance 3 to 500000 on Switch B.
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#stp instance 3 path-cost 500000
Checking results
Use the show stp interface command to show the interface status of the MST region.
Take Switch C for example.
Loop types
Common loop types include the self-loop and the inner loop.
As shown in Figure 9-17, Switch B and Switch C are connected to the user network.
Self-loop: a user loop on a single Ethernet interface of one device. User network B has a loop, which forms a self-loop on GE 1/0/2 on Switch B.
Inner loop: a loop formed between different Ethernet interfaces of the same device. GE 1/0/1 and GE 1/0/3 on Switch C form an inner loop through user network A.
The device detects loops by sending loop detection packets and checking where its own packets come back. If the interface that receives a packet is the interface that sent it, the loop is a self-loop, and the configured action is taken on that interface to eliminate it.
In Figure 9-17, assume that the interfaces of Switch B and Switch C that connect to the user networks are enabled with loop detection. The system handles the two loop types as below:
Self-loop: on Switch B, the interface receiving the packet is the one that sent it, so the configured loop detection action is taken to eliminate the loop on GE 1/0/2.
Inner loop: Switch C receives the loop detection packets it sent itself, but on a different interface from the one that sent them. The configured loop detection action is taken on only one of the two interfaces, selected by interface ID (GE 1/0/1 in Figure 9-17), so that the other interface keeps forwarding.
Loop restoration
After an interface has been shut down by loop detection, you can configure it to be restored automatically after a specified period.
Scenario
Hosts or Layer 2 devices connected to access devices may form a loop, intentionally or by accident. Enable loop detection on the downlink interfaces of all access devices to avoid the network congestion caused by endless replication of data traffic. Once a loop is detected on an interface, the interface is blocked.
Prerequisite
Loop detection, interface backup, STP, and G.8032 affect each other. We do not recommend configuring two or more of them concurrently.
Loop detection and STP are mutually exclusive, so only one of them can be enabled at a time.
Loop detection cannot be enabled concurrently on both of two directly connected devices.
Configure loop detection based on interface+VLAN for the device as below.
Networking requirements
As shown in Figure 9-18, GE 1/0/2 and GE 1/0/3 on Switch A are connected to the user network. To avoid loops on the user network, enable loop detection on Switch A to detect loops on the user network and take action accordingly. The detailed requirements are as below:
Enable loop detection on GE 1/0/2 and GE 1/0/3.
Set the interval for sending loop detection packets to 3 s.
Set the VLAN for sending loop detection packets to VLAN 3.
Set the loop detection action to block, namely, send a Trap and block the interface.
Configuration steps
Step 1 Create VLAN 3, and add the interfaces to VLAN 3.
Raisecom#configure
Raisecom(config)#vlan 3
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type hybrid
Raisecom(config-ge-1/0/2)#port hybrid vlan 3 untagged
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type hybrid
Raisecom(config-ge-1/0/3)#port hybrid vlan 3 untagged
Raisecom(config-ge-1/0/3)#exit
Step 2 Configure the VLAN for sending loop detection packets, the action taken on a detected loop, and the interval for sending loop detection packets.
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#loopback-detect enable
Raisecom(config-ge-1/0/2)#loopback-detect action block
Raisecom(config-ge-1/0/2)#loopback-detect vlan 3
Raisecom(config-ge-1/0/2)#loopback-detect interval 3
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#loopback-detect enable
Raisecom(config-ge-1/0/3)#loopback-detect action block
Raisecom(config-ge-1/0/3)#loopback-detect vlan 3
Raisecom(config-ge-1/0/3)#loopback-detect interval 3
Raisecom(config-ge-1/0/3)#exit
Checking results
Use the show loopback-detect interface command to show loop detection status.
convergence is second level only. This is not a satisfactory performance parameter for a high-end Ethernet switch deployed at the core of a carrier-grade network.
Interface backup, designed for dual-uplink networking, implements redundancy and fast switching through a working line and a protection line. It ensures performance and simplifies configuration.
Interface backup is an alternative to STP. When STP is disabled, you can achieve basic link redundancy by manually configuring interfaces. If STP is enabled on the switch, disable interface backup, because STP already provides a similar function.
When the primary link fails, traffic is switched to the backup link. This provides 50 ms switching and keeps the configuration simple.
As shown in Figure 9-19, GE 1/0/1 and GE 1/0/2 on Switch A are connected to their respective uplink devices. The interface forwarding states are as below:
Under normal conditions, GE 1/0/1 is the primary interface and GE 1/0/2 is the backup interface. GE 1/0/1 and its uplink device forward packets, while GE 1/0/2 and its uplink device do not.
When the link between GE 1/0/1 and its uplink device fails, the backup interface GE 1/0/2 and its uplink device forward packets.
When GE 1/0/1 recovers and stays Up for the restore delay (restore-delay), GE 1/0/1 resumes forwarding packets and GE 1/0/2 returns to standby.
When a switchover between the primary and backup interfaces occurs, the switch sends a Trap to the NView NNM system.
ISCOM S2600 (A) Series Configuration Guide (CLI) 9 Reliability
Scenario
By configuring interface backup in a dual-uplink network, you obtain redundancy and fast switching between the primary and backup links, as well as load balancing between different interfaces. Compared with STP, interface backup not only ensures millisecond-level switching but also simplifies configuration.
Prerequisite
N/A
Interface backup may interfere with STP, loop detection, and G.8032. We do not
recommend configuring them concurrently on the same interface.
Step Command Description
1 Raisecom#configure  Enter global configuration mode.
2 Raisecom(config)#protect-link group group-id  Create a backup group.
3 Raisecom(config-protectlink-*)#protect-vlan vlan-list  Configure the specified VLAN list.
4 Raisecom(config-protectlink-*)#add interface interface-type interface-number role master  Specify the master interface.
5 Raisecom(config-protectlink-*)#add interface interface-type interface-number role slave  Specify the backup interface.
6 Raisecom(config-protectlink-*)#reverse { enable | disable }  Configure the restoration mode.
7 Raisecom(config-protectlink-*)#reverse time interval  Configure the restoration time.
Networking requirements
As shown in Figure 9-21, the PC accesses the server through the Switch. To implement a
reliable remote access from the PC to the server, configure an interface backup group on
Switch A and specify the VLAN list so that the two interfaces concurrently forward services
in different VLANs and balance load. Configure Switch A as below:
Add GE 1/0/1 to VLANs 100–150 as the primary interface and GE 1/0/2 as the backup
interface.
Add GE 1/0/2 to VLANs 151–200 as the primary interface and GE 1/0/1 as the backup
interface.
When GE 1/0/1 or its link fails, the system switches traffic to the backup interface GE 1/0/2 to
resume the link.
Switch A is required to support interface backup while other switches are not.
Configuration steps
Step 1 Create VLANs 100–200, and add GE 1/0/1 and GE 1/0/2 to these VLANs.
Raisecom#configure
Raisecom(config)#vlan 100-200
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 100-200
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type trunk
Raisecom(config-ge-1/0/2)#port trunk allow-pass vlan 100-200
Raisecom(config-ge-1/0/2)#exit
Step 2 Configure GE 1/0/1 as the primary interface of VLANs 100–150 and GE 1/0/2 as the backup
interface.
Raisecom(config)#protect-link group 1
Raisecom(config-protectlink-1)#protect-vlan 100-150
Raisecom(config-protectlink-1)#add interface ge 1/0/1 role master
Raisecom(config-protectlink-1)#add interface ge 1/0/2 role slave
Step 3 Configure GE 1/0/2 as the primary interface of VLANs 151–200 and GE 1/0/1 as the backup
interface.
Raisecom(config)#protect-link group 2
Raisecom(config-protectlink-2)#protect-vlan 151-200
Raisecom(config-protectlink-2)#add interface ge 1/0/2 role master
Raisecom(config-protectlink-2)#add interface ge 1/0/1 role slave
Checking results
Use the show protect-link interface command to show status of interface backup under
normal or faulty conditions.
When both GE 1/0/1 and GE 1/0/2 are Forward, GE 1/0/1 forwards traffic of VLANs 100–
150, and GE 1/0/2 forwards traffic of VLANs 151–200.
Manually disconnect the link between Switch A and Switch B to emulate a fault. Then, GE
1/0/1 becomes Down, and GE 1/0/2 forwards traffic of VLANs 100–200.
After interface isolation is configured, interfaces in the same interface isolation group cannot transmit packets to each other. An interface inside the group and an interface outside it can still communicate.
Scenario
Interface isolation isolates interfaces in the same VLAN from each other, which enhances network security and provides flexible networking options.
Prerequisite
N/A
Networking requirements
As shown in Figure 9-22, to prevent PC 1 and PC 2 from interconnecting with each other and
to enable them to interconnect with PC 3 respectively, enable interface isolation on GE 1/0/4
and GE 1/0/2 on Switch A.
Configuration steps
Step 1 Create an interface isolation group.
Raisecom#configure
Raisecom(config)#port-isolate group 1
Checking results
Use the show port-isolate group command to show configurations of interface isolation.
Group Interfaces
1 ge-1/1/2 ge-1/1/4
9.9 L2CP
9.9.1 Introduction
The Metro Ethernet Forum (MEF) defines service types such as EPL, EVPL, EP-LAN, and EVP-LAN. Different service types process Layer 2 Control Protocol (L2CP) packets differently.
MEF 6.1 defines the following processing modes for L2CP packets:
Discard: drop the packet.
Peer: deliver the packet to the CPU for local processing.
Tunnel: forward the packet across the MAN. This mode is more complex than discard and peer: it combines a matching rule on the interface that receives the protocol packet with the tunnel endpoint on the carrier-side interface, so that the packets pass through the carrier network.
Scenario
As shown below, switch 1 and switch 2 work as the carrier network access devices, and CE 1
and CE 3 work as the user network access devices. CE 1 and CE 3 are connected with GE
1/0/1 on switch 1 and GE 1/0/2 on switch 2 respectively.
Through transparent transmission of the Layer 2 protocol packets of different user networks, the devices on the user networks can jointly run the spanning tree.
Prerequisites
N/A
Configuration steps
Step 1 Configure CE 1.
Raisecom(config)#stp enable
Step 2 Configure CE 3.
Raisecom(config)#stp enable
Step 3 On switch 2, configure GE 1/0/2 (connected to CE 3) as the UNI that tunnels STP packets, and GE 1/0/8 as the NNI towards the carrier network. Switch 1 needs the corresponding configuration on GE 1/0/1 and its network-side interface for the tunnel to work in both directions.
Raisecom(config-ge-1/0/2)#l2cp uni
Raisecom(config-ge-1/0/2)#l2cp known-protocol stp action tunnel group-mac 01:00:0c:cd:cd:d0
Raisecom(config-ge-1/0/8)#l2cp nni
Checking results
On CE 1 and CE 3, you can see information about the peer spanning tree.
9.10 BFD
9.10.1 Introduction
Bidirectional Forwarding Detection (BFD) is a unified, network-wide detection mechanism used to quickly detect and monitor the forwarding connectivity of links or IP routes on a network.
Scenario
BFD establishes a session between two network devices to detect the bidirectional forwarding path between them and serve upper-layer applications. BFD has no neighbor discovery mechanism of its own; it relies on the upper-layer application it serves to supply the neighbor information needed to establish a session. After the session is established, BFD packets are sent periodically at a fast rate. If no BFD packet is received within the detection time, the bidirectional forwarding path is judged to have failed, and the upper-layer application being served is notified to take the corresponding action.
Prerequisite
N/A
Networking requirements
As shown below, configure the BFD single-hop session to detect the link status between
device A and device B.
Configuration steps
Step 1 Configure the IP address and session parameters on device A.
Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config)#ip address 10.1.1.1/24
Raisecom(config)#bfd track 1 remote-ip 10.1.1.2 local-ip 10.1.1.1
Raisecom(config)#bfd track 1 min-tx 500 min-rx 600 multiplier 3
Step 2 Configure the IP address and session parameters on device B.
Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config)#ip address 10.1.1.2/24
Raisecom(config)#bfd track 1 remote-ip 10.1.1.1 local-ip 10.1.1.2
Raisecom(config)#bfd track 1 min-tx 500 min-rx 600 multiplier 4
Checking results
Use the show bfd session command to show the session status.
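The min-tx, min-rx and multiplier values in the two steps above are negotiated, not applied as typed: each side transmits at the slower of its own min-tx and the peer's min-rx, and declares the session down after the peer's multiplier times the peer's negotiated transmit interval (RFC 5880, asynchronous mode). The following Python is an added example, not Raisecom code, that works this out for the guide's values; it assumes the CLI values are in milliseconds, which the page does not state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdPeer:
    name: str
    min_tx: int       # Desired Min TX Interval (ms, assumed unit of the CLI values)
    min_rx: int       # Required Min RX Interval (ms)
    multiplier: int   # Detect Mult


def tx_interval(local, remote):
    """Rate at which `local` actually transmits: the slower of what it wants to
    send and what the peer is willing to receive (RFC 5880, section 6.8.2)."""
    return max(local.min_tx, remote.min_rx)


def detection_time(local, remote):
    """How long `local` waits without packets before declaring the session
    down: the remote's Detect Mult times the remote's negotiated transmit
    interval (asynchronous mode, RFC 5880, section 6.8.4)."""
    return remote.multiplier * tx_interval(remote, local)


def ineffective_settings(local, remote):
    """Warn when a local timer is overridden by the peer's requirement."""
    warnings = []
    if local.min_tx < remote.min_rx:
        warnings.append(
            f"{local.name}: min-tx {local.min_tx} ms is raised to {remote.min_rx} ms "
            f"because {remote.name} requires min-rx {remote.min_rx} ms")
    return warnings


def session_summary(a, b):
    return {
        a.name: {"tx_interval": tx_interval(a, b), "detection_time": detection_time(a, b)},
        b.name: {"tx_interval": tx_interval(b, a), "detection_time": detection_time(b, a)},
    }


# Values from the guide's example; units assumed to be milliseconds.
DEVICE_A = BfdPeer("A", min_tx=500, min_rx=600, multiplier=3)
DEVICE_B = BfdPeer("B", min_tx=500, min_rx=600, multiplier=4)

if __name__ == "__main__":
    for name, values in session_summary(DEVICE_A, DEVICE_B).items():
        print(name, values)
    for w in ineffective_settings(DEVICE_A, DEVICE_B) + ineffective_settings(DEVICE_B, DEVICE_A):
        print("warning:", w)
```

With the guide's values both sides end up transmitting every 600 ms, not 500 ms, because each peer's min-rx of 600 ms overrides the other's min-tx; device A then needs 4 × 600 = 2400 ms of silence before it declares the link down, device B 3 × 600 = 1800 ms. Whoever tunes the upper-layer failover should size it from these negotiated numbers rather than from the configured min-tx.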
Scenario
Network jitter or line faults can cause the physical status of a local interface to change frequently between up and down, leading to link flaps and frequent changes in the network topology that affect user communication. To solve this, you can configure link flap protection: an interface whose physical status changes too often is shut down and held in the down state, which stops the frequent topology changes.
Link flap count: each switch of the interface status between up and down is recorded as one flap.
Link flap detection interval: the period within which the system counts the number of link flaps.
If the number of link flaps reaches the threshold within the detection interval, the interface is shut down.
Prerequisites
N/A
Configuration steps
Configure related parameters of link flap protection on device A.
Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-flap protection enable
Raisecom(config-ge-1/0/1)#port link-flap interval 60
Raisecom(config-ge-1/0/1)#port link-flap threshold 7
Checking results
Use the show link-flap interface command to show configurations of link flap protection.
Scenario
Before the device provides services, you can configure interface loopback on the device to verify link connectivity. Test packets are sent from a test instrument to the interface under test; the device swaps the source and destination MAC addresses of each test packet and loops it back from the interface to the instrument, which then derives connectivity and quality information for the path between the device and the instrument. Remove the loopback once the test is finished: an interface left in loopback mode reflects received frames instead of carrying services normally.
Prerequisite
N/A
Configuration steps
Configure interface loopback.
Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#loopback-mode remote
Checking results
Use the show interface loop-status command to show information about interface loopback.
10 System management
This chapter describes basic principles and configuration procedures for system management
and maintenance, and provides related configuration examples, including the following
sections:
SNMP
RMON
LLDP
Port mirroring
Cable diagnosis
UDLD
Optical module DDM
System log
Alarm management
CPU monitoring
Memory monitoring
PING
Trace
Hardware monitoring
Fan monitoring
ISF
MAD
NQA
POE
USB flash disk deployment
Patching
Periodically backing up configurations
10.1 SNMP
10.1.1 Introduction
Simple Network Management Protocol (SNMP) was designed by the Internet Engineering Task Force (IETF) to solve the problems of managing network devices connected to the Internet. Through SNMP, a network management system can manage all SNMP-capable network devices, including monitoring network status, modifying the configuration of a network device, and receiving network alarms. SNMP is the most widely used network management protocol in TCP/IP networks.
Principles
An SNMP system consists of two parts: the Agent and the NView NNM system. They communicate through SNMP packets carried over UDP. Figure 10-1 shows the SNMP principle.
The Raisecom NView NNM system provides a friendly Human Machine Interface (HMI) to facilitate network management. It implements the following functions:
Send request packets to the managed device.
Receive reply packets and Trap packets from the managed device, and show the result.
The Agent is a program running on the managed device. It implements the following functions:
Receive request packets from the NView NNM system and reply to them.
Read or write the managed objects according to the packet type, generate reply packets, and return the result to the NView NNM system.
Trigger Traps according to conditions defined by protocol modules, such as a user entering or exiting the system or the device restarting; when a condition is met, the module sends a Trap packet through the Agent to report the current status of the device to the NView NNM system.
Protocol versions
SNMP has three versions: v1, v2c, and v3.
SNMPv1 uses community name authentication. The community name, a string defined by the agent, acts like a password: the network management system can access the agent only by supplying the correct community name. If the community name carried in an SNMP packet is not accepted by the device, the packet is discarded. Note that the community name travels in cleartext in every packet, so anyone who can capture SNMPv1 traffic can read it.
SNMPv2c is compatible with SNMPv1 and also uses community name authentication. SNMPv2c supports more operation types, data types, and error codes, and therefore identifies errors better. It protects the community name no better than SNMPv1 does.
SNMPv3 uses the User-based Security Model (USM). You can configure whether USM authentication is enabled and whether encryption is enabled to obtain higher security. Authentication lets the agent accept packets only from authenticated senders and reject others; encryption protects the packets transmitted between the network management system and the agent against interception. Authentication without encryption still leaves the contents of every packet readable, so enable both where the NMS supports it.
The device supports SNMPv1, SNMPv2c, and SNMPv3.
MIB
The Management Information Base (MIB) is the collection of all objects managed by the NMS. It defines the following attributes for each managed object:
Name
Access right
Data type
Device-related statistics are obtained by accessing data items. Each agent has its own MIB. The MIB can be regarded as the interface between the NMS and the Agent: through it the NMS reads and writes every managed object in the Agent to manage and monitor the device.
The MIB stores information in a tree structure whose root is at the top and has no name. The nodes of the tree are the managed objects, each identified by a unique path from the root, the Object Identifier (OID). SNMP packets access the network device by addressing nodes in the MIB tree.
The device supports standard MIBs and Raisecom-customized MIBs.
Scenario
To log in to the device through the NMS, configure the basic SNMP functions on the device in advance.
Prerequisite
Configure the routing protocol and ensure that the route between the device and the NMS is reachable.
Trap configurations for SNMPv1, SNMPv2c, and SNMPv3 are identical except for the Trap target host configuration. Configure Trap as required.
The device supports sending Traps to multiple target hosts once they are configured on the device.
A Trap is unsolicited information that the device sends to the NMS automatically to report critical events.
Before configuring Trap, perform the following configurations:
Configure the basic SNMP functions. For SNMPv1/v2c, configure the community name; for SNMPv3, configure the user name and SNMP view.
Configure the routing protocol and ensure that the route between the device and the NMS is available.
Configure SNMP Trap for the device as below.
Networking requirements
As shown in Figure 10-3, the route between the NView NNM system and the device is
available. The NView NNM system can check the MIB under view corresponding to the
remote Switch by SNMPv1/SNMPv2c, and the device can send Trap automatically to the
NView NNM system in emergency.
Configuration steps
Step 1 Configure the IP address of the device.
Raisecom#configure
Raisecom(config)#interface meth 0/0/0
Raisecom(config-meth-0/0/0)#ip address 192.168.62.100/24
Raisecom(config-meth-0/0/0)#quit
Checking results
Use the show ip interface command to show configurations of the IP address.
Raisecom#show ip interface
Total number: 2
Interface     State(a/o)  Addr/Prefix          Role     Type    Vpn-instance
----------------------------------------------------------------------------
loopback-0    up/up       127.0.0.1/8          primary  auto    N/A
meth-0/0/0    up/up       192.168.62.100/24    primary  static  N/A
----------------------------------------------------------------------------
Use the show snmp trap-host command to show configurations of the target host.
Trap-host         : 192.168.62.1
----------------------------------------------------------------------------
Status            : ACTIVE
Udp Port          : 162
MP Modle          : V2
Security Level    : None
Security Name     : AJ35Grrnpx3xRv_UdbJBiGsl3Dwxp932il5pfsKvs8X-GN6R49ihEydRaxBXkM5V-w
Vpn Instance Name : public
----------------------------------------------------------------------------
Networking requirements
As shown in Figure 10-4, the route between the NView NNM system and device is available,
the NView NNM system monitors the Agent through SNMPv3, and the device can send Trap
automatically to the NView NNM system when the Agent is in emergency.
By default, there is VLAN 1 on the device and all physical interfaces belong to VLAN 1.
Configuration steps
Step 1 Configure the IP address of the device.
Raisecom#configure
Raisecom(config)#interface meth 0/0/0
Raisecom(config-meth-0/0/0)#ip address 192.168.62.100/24
Raisecom(config-meth-0/0/0)#quit
Step 2 Create an access group named g1 with the security level "authentication without encryption". Create a user named u1 with the same security level, bind it to group g1, use the MD5 algorithm, and set the password to raisecom.
Step 3 Configure Trap sending. The security level of the trap host must be the same as the user's authentication type; a higher level does not include a lower one.
Checking results
Use the show snmp group command to show configurations of the SNMP access group.
Use the show snmp user command to show mapping between users and access groups.
Use the show snmp trap-host command to show configurations of the Trap target host.
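The user u1 above is authenticated with MD5 and the password raisecom. USM never uses that password directly: RFC 3414 stretches it into a key Ku by hashing it repeated to 1 MiB, then localizes it with the agent's snmpEngineID (Kul = H(Ku || engineID || Ku)), so every agent ends up with a different key even when administrators reuse one password. The following Python is an added example, not Raisecom code, that performs this derivation; it is checked against the RFC 3414 test vector, and the two engine IDs for the hypothetical agents are constructed, since the page does not show the device's engine ID.

```python
import hashlib

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated cyclically to 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent stores and uses."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Full derivation from a user password to the per-agent localized key."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# RFC 3414 A.3.1 sample: password "maplesyrup", engineID 00 00 ... 00 02.
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed engine IDs for two hypothetical agents (not from the page) that
# both use the guide's example password "raisecom".
ENGINE_A = bytes.fromhex("800000000300112233445566")
ENGINE_B = bytes.fromhex("800000000300112233445577")

if __name__ == "__main__":
    print("RFC 3414 Kul:", usm_localized_key(b"maplesyrup", RFC3414_ENGINE_ID).hex())
    print("agent A key :", usm_localized_key(b"raisecom", ENGINE_A).hex())
    print("agent B key :", usm_localized_key(b"raisecom", ENGINE_B).hex())
```

Localization limits the damage of one compromised agent, but it does not protect a weak password: the engine ID is sent in cleartext in every SNMPv3 message, so an attacker who captures authenticated traffic can run exactly this derivation offline against a word list. Use a long random authentication password, and prefer SHA over MD5 with privacy enabled where the device and NMS allow it.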
10.2 RMON
10.2.1 Introduction
Remote Network Monitoring (RMON) is a standard defined by the Internet Engineering Task Force (IETF) for monitoring network data through network Agents and the NMS.
RMON is built on the SNMP architecture and consists of the NView NNM system and the Agent running on network devices. On top of SNMP it adds subnet traffic, statistics, and analysis functions used to monitor one network segment or the whole network, whereas SNMP alone can only monitor partial information about a single device and is ill-suited to monitoring a segment.
The RMON Agent is commonly called the probe. The RMON probe collects statistics and performs performance analysis on the communication subnet. Whenever it finds a network fault, the RMON probe reports it to the NView NNM system and describes the information captured under the abnormal condition, so the NView NNM system does not need to poll the device constantly. Compared with SNMP, RMON monitors remote devices more actively and more effectively, and network administrators can track network, segment, or device faults more quickly. This reduces the data flow between the NView NNM system and the Agent, makes managing large networks simple and powerful, and compensates for the limitations of SNMP in growing distributed networks.
The RMON probe collects data in the following modes:
Distributed RMON: the NMS obtains network management information and controls network resources directly from a dedicated RMON probe that collects the data.
Embedded RMON: the RMON Agent is embedded directly in network devices (such as switches) so that they provide the RMON probe function. The NMS collects network management information through basic SNMP operations and exchanges data with the RMON Agent.
The Raisecom device uses embedded RMON. As shown in Figure 10-5, the device implements the RMON Agent function. Through it, the management station obtains overall traffic, error statistics, and performance statistics for the segment connected to the interface of the managed device, and thus monitors that segment.
The RMON MIB is divided into nine groups by function. Four of them are currently implemented: the statistics group, history group, alarm group, and event group.
Statistics group: collects statistics on each interface, including the number of received packets and the packet size distribution.
History group: similar to the statistics group, but collects statistics only in an assigned detection period.
Alarm group: monitors an assigned MIB object and compares it with configured upper and lower thresholds at an assigned interval; an event is triggered when the monitored object crosses a threshold.
Event group: works with the alarm group. When an alarm triggers an event, the event is recorded, for example by sending a Trap and writing a log.
Scenario
RMON helps monitor and account for network traffic.
Compared with SNMP, RMON is a more efficient monitoring method. After you specify the
alarm threshold, the device actively sends an alarm when the threshold is exceeded, without
the NMS having to retrieve variable information. This reduces traffic between the Central
Office (CO) and managed devices and facilitates network management.
Prerequisite
The route between the device and the NView NNM system is reachable.
When you use the no rmon history index-number command on an interface to
disable RMON historical statistics on that interface, the interface stops counting data
and clears all historical data collected previously.
Networking requirements
As shown in Figure 10-6, the device is the Agent. It is connected to a terminal through the
Console interface and to the remote NView NNM system through the Internet. Enable RMON
statistics and gather performance statistics on GE 1/0/1. When the number of packets received
on GE 1/0/1 exceeds the threshold within a period, a log is recorded and a Trap is sent.
Configuration steps
Step 1 Create an event with index ID 1, used to record and send logs, with the description string
Falling-etherStatsBroadcastPkts. The owner of the logs is system.
Raisecom#configure
Raisecom(config)#rmon event 1 both description Falling-etherStatsBroadcastPkts owner system
Step 3 Create an alarm item with index ID 10, used to monitor the MIB variable
etherStatsBroadcastPkts.1, namely 1.3.6.1.2.1.16.1.1.1.6.1, every 20s. If the sampled variable
rises above 100 or falls below 15, the Trap alarm is triggered. The owner of the alarm
message is also system.
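The alarm from Step 3 and the event from Step 1, modelled in Python as an added illustration of how the RMON alarm and event groups interact (this is not code from the Raisecom device). It follows the RFC 2819 hysteresis rule, under which a rising and a falling alarm must alternate; the delta sampling type, the 32-bit counter wrap handling and the sample readings are assumptions made here.

```python
"""RMON alarm/event evaluation with RFC 2819 hysteresis: after a rising alarm
fires, no second rising alarm is generated until a falling alarm has fired,
and vice versa. Added illustration only; not code from the Raisecom device.
The delta sampling type and the counter readings used are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

COUNTER32_MODULUS = 2 ** 32   # etherStatsBroadcastPkts is a Counter32 and wraps


@dataclass
class RmonEvent:
    """One entry of the event group; action is log, trap or both, as in the
    rmon event command of Step 1."""
    index: int
    description: str
    action: str = "both"
    owner: str = "system"
    log: List[str] = field(default_factory=list)
    traps: List[str] = field(default_factory=list)

    def fire(self, message: str) -> None:
        if self.action in ("log", "both"):
            self.log.append(message)
        if self.action in ("trap", "both"):
            self.traps.append(message)


@dataclass
class RmonAlarm:
    """One entry of the alarm group, sampling one MIB object every interval seconds."""
    index: int
    oid: str
    interval: int
    rising_threshold: int
    falling_threshold: int
    event: RmonEvent
    sample_type: str = "delta"      # "delta" or "absolute"
    owner: str = "system"
    last_raw: Optional[int] = None  # previous raw counter reading (delta mode)
    armed: str = "both"             # which crossing may fire next

    def sample(self, raw: int) -> Optional[Tuple[str, int]]:
        """Feed one reading taken at the sampling interval. Returns
        ("rising" | "falling", sampled_value) when an event fires, else None."""
        if self.sample_type == "delta":
            if self.last_raw is None:        # first sample only sets the baseline
                self.last_raw = raw
                return None
            value = (raw - self.last_raw) % COUNTER32_MODULUS  # tolerate counter wrap
            self.last_raw = raw
        else:
            value = raw
        fired = None
        if value >= self.rising_threshold and self.armed in ("both", "rising"):
            fired, self.armed = "rising", "falling"
        elif value <= self.falling_threshold and self.armed in ("both", "falling"):
            fired, self.armed = "falling", "rising"
        if fired:
            self.event.fire(f"alarm {self.index} {fired}: {self.oid} sampled {value} "
                            f"(thresholds {self.rising_threshold}/{self.falling_threshold})")
        return (fired, value) if fired else None


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[str, int]]:
    """Apply a series of counter readings, one per interval, and collect the events."""
    events = []
    for raw in readings:
        result = alarm.sample(raw)
        if result:
            events.append(result)
    return events


def example_alarm() -> RmonAlarm:
    """The alarm of Step 3: index 10, etherStatsBroadcastPkts.1 every 20 s,
    rising threshold 100, falling threshold 15, bound to event 1 of Step 1."""
    event = RmonEvent(1, "Falling-etherStatsBroadcastPkts", "both", "system")
    return RmonAlarm(10, "1.3.6.1.2.1.16.1.1.1.6.1", 20, 100, 15, event)
```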
Checking results
Use the show rmon alarm command to check whether there is information about event group
events on the device.
Use the show rmon event command to check whether there is information about alarm group
on the device.
Use the show rmon log command to check whether there is log information about event
records on the device.
When an alarm event is triggered, you can also check related information in the alarm
management part of the NView NNM system.
10.3 LLDP
10.3.1 Introduction
As networks grow in scale and in number of devices, the network topology becomes more
and more complex and network management becomes more important. Much network
management software uses auto-detection to trace changes of the network topology, but most
of it can analyze only the Layer 3 network and cannot determine which interfaces are
connected to which devices.
Link Layer Discovery Protocol (LLDP) is based on the IEEE 802.1ab standard. With it, the
NMS can quickly learn the Layer 2 network topology and its changes.
LLDP organizes the local device information into Type Length Value (TLV) units,
encapsulates them in a Link Layer Discovery Protocol Data Unit (LLDPDU), and transmits it
to the directly connected neighbour. It also saves the information received from the neighbour
in a standard Management Information Base (MIB) for the NMS to query and use to judge
link communication.
LLDP packet
An LLDP packet is an Ethernet frame that carries an LLDPDU as its data unit and is
transmitted by multicast.
The LLDPDU is the data unit of LLDP. The device encapsulates local information in TLVs
before forming an LLDPDU; several TLVs are placed together in one LLDPDU, which is then
encapsulated in Ethernet data for transmission.
As shown in Figure 10-7, an LLDPDU consists of several TLVs, including 4 mandatory TLVs
and several optional TLVs.
As shown in Figure 10-8, each TLV carries one piece of local information. For example, the
device ID and interface ID correspond to the Chassis ID TLV and Port ID TLV respectively,
which are fixed (mandatory) TLVs.
Table 10-1 lists TLV types. At present only types 0–8 are used.
Organization-defined TLVs are optional TLVs and are advertised in the LLDPDU as required.
Table 10-2 and Table 10-3 list common organization-defined TLVs.
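The TLV layout described above, as an added encoder and bounds-checked parser in Python (not code from the Raisecom device or the NView NNM system). It assumes the IEEE 802.1AB TLV header of a 7-bit type and 9-bit length, the nearest-bridge multicast address and EtherType 0x88CC, and a TTL hold multiplier of 4; the MAC address and names are constructed.

```python
"""Encoder and parser for LLDPDU TLVs. Added illustration, not device code.
Sample MAC addresses and names are constructed."""
import struct

LLDP_MULTICAST_DST = bytes.fromhex("0180c200000e")  # IEEE 802.1AB nearest-bridge address
LLDP_ETHERTYPE = 0x88CC

# TLV types 0-8 of the basic management set (the types the text says are in use)
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)
CHASSIS_SUBTYPE_MAC = 4      # Chassis ID carried as a MAC address
PORT_SUBTYPE_IFNAME = 5      # Port ID carried as an interface name ("Port type: interface name")


def ttl_for(tx_interval: int, hold_multiplier: int = 4) -> int:
    """TTL advertised in the TTL TLV: min(65535, tx-interval * hold multiplier),
    as IEEE 802.1AB defines it. The hold multiplier of 4 is an assumed default."""
    return min(65535, tx_interval * hold_multiplier)


def tlv(tlv_type: int, value: bytes) -> bytes:
    """A TLV is a 16-bit header (7-bit type, 9-bit length) followed by the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_name: str, ttl: int,
                 system_name: str = "", port_desc: str = "") -> bytes:
    """Mandatory TLVs first, in the order the standard fixes, then optional
    TLVs, then the End of LLDPDU TLV."""
    pdu = tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
    pdu += tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
    pdu += tlv(TTL, struct.pack("!H", ttl))
    if port_desc:
        pdu += tlv(PORT_DESC, port_desc.encode())
    if system_name:
        pdu += tlv(SYS_NAME, system_name.encode())
    return pdu + tlv(END, b"")


def build_frame(src_mac: bytes, lldpdu: bytes) -> bytes:
    """Ethernet encapsulation: multicast destination, source MAC, EtherType 0x88CC."""
    return LLDP_MULTICAST_DST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLVs with strict bounds checks. A receiver that trusts the length
    field in a neighbour's frame can read past its buffer, so every TLV is
    validated against the remaining bytes before it is used."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(data):
            raise ValueError("truncated TLV header")
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV length exceeds LLDPDU")
        tlvs.append((tlv_type, data[off:off + length]))
        off += length
        if tlv_type == END:
            break
    # Chassis ID, Port ID and TTL must come first and in this order; End must be empty.
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL] or tlvs[-1][1] != b"":
        raise ValueError("mandatory TLVs missing or out of order")
    chassis, port, ttl = tlvs[0][1], tlvs[1][1], tlvs[2][1]
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise ValueError("malformed mandatory TLV")
    port_id = port[1:].decode("utf-8", "replace") if port[0] == PORT_SUBTYPE_IFNAME \
        else port[1:].hex()
    info = {"chassis_subtype": chassis[0], "chassis_id": chassis[1:],
            "port_subtype": port[0], "port_id": port_id,
            "ttl": struct.unpack("!H", ttl)[0]}
    text = {PORT_DESC: "port_description", SYS_NAME: "system_name",
            SYS_DESC: "system_description"}
    for tlv_type, value in tlvs[3:-1]:       # optional TLVs between TTL and End
        if tlv_type in text:
            info[text[tlv_type]] = value.decode("utf-8", "replace")
    return info
```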
Principles
LLDP is a point-to-point, one-way advertisement protocol: the local end notifies the peer end
of the local device's link status by sending LLDPDUs periodically (and also when the link
status changes).
Scenario
To obtain connection information between devices through the NView NNM system for
topology discovery, enable LLDP on the devices so that they notify their neighbours of their
information and store the neighbour information for the NView NNM system to query.
Prerequisite
N/A
After global LLDP is disabled, you cannot re-enable it immediately. Global LLDP
cannot be enabled unless the restart timer times out.
To obtain connection information between devices through the NView NNM system for
topology discovery, enable LLDP on the devices so that they send their information to their
neighbours and store the neighbour information for query by the NView NNM system.
Enable global LLDP for the device as below.
When configuring the delay timer and period timer, the value of the delay timer
should be smaller than or equal to a quarter of the period timer value.
Configure basic functions of global LLDP for the device as below.
10.3.11 Maintenance
Maintain the device as below.
Command Description
Raisecom(config-ge-1/0/*)#reset lldp port statistics    Clear LLDP statistics on the interface.
Networking requirements
As shown in Figure 10-9, the Switch is connected to the NView NNM system. Enable LLDP
between Switch A and Switch B, and query Layer 2 link changes through the NView NNM
system. Neighbour aging, new neighbours, and neighbour information changes are reported as
LLDP alarms to the NView NNM system.
Configuration steps
Step 1 Enable global LLDP and LLDP alarm.
Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#lldp start
Configure Switch B.
Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#lldp start
SwitchA(config)#vlan 10
SwitchA(config)#interface vlan 10
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port hybrid vlan 10 tagged
SwitchA(config-ge-1/0/1)#port hybrid pvid 10
SwitchA(config-ge-1/0/1)#exit
SwitchA(config)#interface vlan 10
SwitchA(config-vlan1024)#ip address 10.0.0.1/24
SwitchA(config-vlan1024)#exit
Configure Switch B.
SwitchB(config)#vlan 10
SwitchB(config)#interface vlan 10
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port hybrid vlan 10 tagged
SwitchB(config-ge-1/0/1)#port hybrid pvid 10
SwitchB(config-ge-1/0/1)#exit
SwitchB(config)#interface vlan 10
SwitchB(config-vlan1024)#ip address 10.0.0.2/24
SwitchB(config-vlan1024)#exit
SwitchA(config)#lldp tx-interval 60
SwitchA(config)#lldp tx-delay 9
SwitchA(config)#lldp trap-interval 10
Configure Switch B.
SwitchB(config)#lldp tx-interval 60
SwitchB(config)#lldp tx-delay 9
SwitchB(config)#lldp trap-interval 10
Checking results
Use the show lldp information command to show local configurations.
Port ge-1/0/1:
Admin status:TxRx
Trap enable:no
Support tlv:port-description,system-name,system-description,system-capability
Enabled tlv:port-description,system-name,system-description,system-capability
Port type:interface name
Port ID:GE1/0/1
Port description:GE1/0/1 SNMP-Index:537397249
Number of remote system:1
Number of MED remote system:0
……
……
Figure 10-10 shows the principles of port mirroring. PC 1 is connected to the external network
through GE 1/0/1; PC 3 is the monitor PC, connected to the external network through GE 1/0/2.
To monitor packets from PC 1, assign GE 1/0/1, which connects to PC 1, as the mirror source
port, enable port mirroring in the ingress direction, and assign GE 1/0/2 as the monitor port to
which the packets are mirrored.
When service packets from PC 1 enter the device, the device forwards them and also copies
them to the monitor port (GE 1/0/2). The monitor device connected to the monitor port can
receive and analyze these mirrored packets.
The device supports traffic mirroring on the ingress port and egress port. After port mirroring
is enabled on the switch, packets on the ingress/egress mirroring port are copied to the monitor
port. The monitor port and the mirroring port cannot be the same port.
Scenario
Port mirroring lets the network administrator monitor the type and volume of network data on
a regular basis.
Port mirroring copies the traffic of the monitored port to a monitor port or to the CPU, so that
faults or abnormal traffic on the ingress/egress port can be captured for analysis, the root
cause discovered, and the problem solved in time.
Prerequisite
N/A
Before enabling remote port mirroring, disable MAC address learning of the
remote mirroring VLAN on the devices so as to enable the mirroring function to
work properly.
Ensure that mirroring packets between the source device and destination device
can be forwarded on Layer 2. The intermediate device interfaces connecting to
the source device and destination device must allow packets of the remote
mirroring VLAN to pass.
When configuring the source mirroring port, you cannot add it to the remote
mirroring VLAN; otherwise, port mirroring will malfunction.
The created remote mirroring VLAN cannot be used as the service VLAN;
otherwise, port mirroring will malfunction.
Networking requirements
As shown in Figure 10-11, the network administrator wants to monitor user network 1
through the monitor device, capture faulty or abnormal data flows for analysis, discover
faults, and solve them in time.
Storm control and automatic packet sending are disabled on the device. User network 1
accesses the device through GE 1/0/1, user network 2 accesses the device through GE 1/0/2,
and the data monitor device is connected to GE 1/0/3.
Configuration steps
Enable port mirroring on the Switch.
Raisecom#configure
Raisecom(config)#mirror group 1 interface ge 1/0/3
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mirror ingress group 1
Checking results
Use the show mirror command to show configurations of port mirroring.
Networking requirements
As shown in Figure 10-12, the network administrator wants to monitor the user PC through
the remote monitor device, capture faulty or abnormal data flows for analysis, discover faults,
and solve them in time.
Storm control and automatic packet sending are disabled on the device. The user PC accesses
switch A through GE 1/0/1, and the data monitor device is connected to GE 1/0/1 on
switch B.
Configuration steps
Step 1 Enable port mirroring on switch A.
Raisecom#configure
Raisecom(config)#mirror group 1 ge 1/0/2 rspan 10 tpid 0x8100
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mirror inbound group 1
Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port trunk allow-pass vlan 10
Scenario
After cable diagnosis is enabled, you can learn the running status of cables, locate and clear
faults, if any, in time.
Prerequisite
N/A
When you enable the function of not restarting the interface upon cable diagnosis, an
interface that is Up is restarted once to obtain cable diagnosis data. Afterwards, while
cable diagnosis is ongoing, an interface that is Up is not restarted but directly reads the
cable diagnosis data saved in the buffer, and an interface that is Down obtains the distance
to the faulty point during cable diagnosis. A newly inserted interface automatically executes
cable diagnosis and saves the results in the buffer.
10.6 UDLD
10.6.1 Introduction
UniDirectional Link Detection (UDLD) monitors the physical connection made over a fiber or
Ethernet cable. When a unidirectional link (one that transmits data in only one direction) is
present, UDLD can detect it, shut down the corresponding interface, and send a Trap. A
unidirectional link can cause various problems, such as spanning tree problems that lead to a
loop.
Scenario
When a unidirectional link (transmitting data in only one direction) is present, UDLD can
detect the fault, shut down the corresponding interface, and send a Trap.
UDLD identifies peer devices and detects unidirectional links by exchanging protocol
messages (DLDPDUs) with the peer. It has seven statuses: Init, Linkdown, Linkup,
Advertisement, Detect, and Disable.
Prerequisite
Devices at both ends of the link should support UDLD.
Scenario
Fault diagnostics of optical modules provide a method for detecting SFP performance
parameters. By analyzing the monitoring data, you can predict the service life of the optical
module, isolate system faults, and check its compatibility during installation.
Prerequisite
The optical module used on the device must be certified by Raisecom. If an optical module
from another manufacturer is used, it may lead to unstable services, lack of support for
diagnosis, or inaccurate diagnostic information.
The severity of output information can be configured manually. When information is sent
according to the configured severity, only information whose severity level is less than or
equal to the configured level is sent. For example, when level 3 (severity error) is
configured, information whose level ranges from 0 to 3, that is, whose severity ranges from
emergencies to error, is sent.
Scenario
The device records login successes and failures, key information, debugging information, and
error information in the system log, outputs them as log files, and sends them to the logging
host, Console interface, or control console to facilitate checking and locating faults.
Prerequisite
N/A
10.8.8 Maintenance
Maintain the device as below.
Command Description
Raisecom(config)#clear logging { buffer | trap }    Clear log information in the log or trap buffer.
Raisecom(config)#clear logging statistics    Clear log statistics.
Raisecom(config)#clear logging file all    Clear all log files.
Raisecom(config)#clear logging module module-name    Clear log statistics of the specified module.
Networking requirements
As shown in Figure 10-13, configure the system log, and output device log information to the
log host for users to check.
Configuration steps
Step 1 Configure the IP address of the device.
Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#ip address 20.0.0.6 255.0.0.0
Raisecom(config-vlanif-1)#quit
Raisecom(config)#terminal monitor
Raisecom(config)#terminal debug
Checking results
Use the show logging information command to show global configurations of system log.
Raisecom#show logging information
------------------------------------------------------------
Logging : on
Module number : 125
Logfile path : "/ram/log"
Logfile max size : 3072 Kb
Logfile max number : 3
Logbuffer Max number : 2000
Logbuffer Current number : 201
Scenario
When the device fails, the alarm management module collects fault information and outputs
the alarm occurrence time, alarm name, and description in log format to help users locate the
problem quickly.
If the device is configured with an NMS, alarms can be reported directly to the NMS, together
with possible alarm causes and handling recommendations, to help users deal with the fault.
If the device is configured with hardware monitoring, it records the hardware monitoring
alarm table, generates a Syslog message, and sends a Trap when the operating environment of
the device becomes abnormal, notifying the user to take action and prevent faults.
Alarm management supports alarm suppression, alarm auto-reporting, alarm monitoring,
alarm reversal, alarm delay, alarm memory mode, alarm clearing, and alarm viewing directly
on the device.
Prerequisite
Hardware environment monitoring alarm output:
In Syslog output mode: alarms will be generated into system logs. To send alarm to the
system log host, configure the IP address of the system log host for the device.
In Trap output mode: configure the IP address of the NMS for the device.
Scenario
CPU monitoring provides real-time monitoring of task status, CPU utilization, and stack usage
in the system, provides CPU utilization threshold alarms, detects and eliminates hidden risks,
and helps the administrator locate faults.
Prerequisite
When the CPU monitoring alarm needs to be output in Trap mode, configure the Trap output
target host address, which is the IP address of the NView NNM system.
Scenario
Memory monitoring enables you to learn the memory utilization in real time and provides
memory utilization threshold alarms, helping you locate and clear potential risks and helping
the network administrator locate faults.
Prerequisite
To output memory utilization threshold alarms as Trap, configure the IP address of the target
host, namely, the IP address of the NMS server.
10.12 PING
10.12.1 Introduction
Packet Internet Groper (PING) takes its name from sonar location and is used to detect
whether the network is normally connected. PING is implemented with ICMP Echo packets.
If an Echo Reply packet is returned to the source address within a valid period after the Echo
Request packet is sent to the destination address, the route between the source and
destination addresses is reachable. If no Echo Reply packet is received within the valid period
and timeout information is displayed on the sender, the route between the source and
destination addresses is unreachable.
Figure 10-14 shows principles of PING.
The device cannot perform other operations while PING is in progress. It can perform
other operations only after PING finishes or is interrupted by pressing Ctrl+C.
10.13 Trace
10.13.1 Introduction
Similar to PING, Trace is a commonly used maintenance method in network management.
Trace is often used to find the network nodes that packets pass through from the sender to the
destination, to detect whether the network connection is reachable, and to analyze network
faults.
Trace works as below:
Step 1 Send a probe packet with TTL 1 (whose UDP destination port number is not used by any
application on the destination side).
Step 2 The first-hop device decrements the TTL by 1. Because the TTL is now 0, the first-hop
device returns an ICMP timeout packet, indicating that this packet cannot be forwarded.
Step 3 The sending host adds 1 to the TTL and resends the packet.
Step 4 Because the TTL is reduced to 0 at the second hop, the second-hop device returns an ICMP
timeout packet, indicating that this packet cannot be forwarded.
The previous steps continue until the packet reaches the destination host, which does not
return an ICMP timeout packet. Because the destination port number is not in use, the
destination host sends a port unreachable packet, which finishes the test. Thus, the sending
host can record the source address of each ICMP TTL timeout packet and work out the path to
the destination from the response packets.
Figure 10-15 shows principles of traceroute.
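The Trace procedure of Steps 1 to 4, simulated in Python as an added illustration (not code from the Raisecom device). The path and addresses are constructed; beyond the normal case it models a hop that silently drops TTL-expired probes and the maximum hop count that ends a trace which never reaches the destination.

```python
"""Simulation of the Trace procedure: TTL-limited probes, ICMP time-exceeded
from each router, ICMP port unreachable from the destination. Added
illustration; the path and addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Router:
    address: str
    answers: bool = True   # False: the hop discards TTL-expired packets without ICMP


Probe = Tuple[int, str, Optional[str]]   # (ttl, icmp result, responder address)


def forward_probe(path: List[Router], destination: str, ttl: int) -> Tuple[str, Optional[str]]:
    """Send one UDP probe with the given TTL along the path.
    Each router decrements the TTL; when it reaches 0 that router returns an
    ICMP time-exceeded message (Steps 2 and 4). If the probe survives every
    router it reaches the destination host, whose unused UDP port triggers an
    ICMP port unreachable message. A non-answering router yields a timeout."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", router.address) if router.answers else ("timeout", None)
    return ("port-unreachable", destination)


def traceroute(path: List[Router], destination: str, max_hops: int = 30) -> List[Probe]:
    """Steps 1 and 3: start at TTL 1 and raise it by one per probe until the
    destination answers with port unreachable or max_hops is exhausted."""
    results: List[Probe] = []
    for ttl in range(1, max_hops + 1):
        kind, responder = forward_probe(path, destination, ttl)
        results.append((ttl, kind, responder))
        if kind == "port-unreachable":
            break
    return results


def reached(results: List[Probe]) -> bool:
    """True when the trace ended with the destination's port unreachable reply."""
    return bool(results) and results[-1][1] == "port-unreachable"
```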
Not all device models support temperature alarms, which depend on the specific
device.
10.14.1 Introduction
Hardware environment monitoring mainly refers to monitor the running environment of the
device. The monitoring alarm events include the temperature and power supply.
10.15.1 Introduction
The device supports monitoring the fan, including the rotational speed and temperature. It
sends Trap when the rotational speed or temperature is abnormal.
The device monitors the fan in two modes:
Fixed speed mode: forcibly configure the rotational speed of the fan.
Temperature control mode: the fan adjusts its rotational speed by temperature.
In temperature control mode, when the temperature of the fan is detected to exceed the high
threshold, the speed level of the fan will be increased by one gear. If the temperature of the
fan is detected to be below the low threshold value, the speed level of the fan will be reduced
by one gear.
Scenario
In a hot environment, excessive temperature affects heat dissipation of the device. Therefore,
fan monitoring must be configured so that the rotational speed is adjusted automatically
according to the environment temperature and the device runs properly.
Precondition
N/A
10.16 ISF
10.16.1 Introduction
Intelligent Stacking Frame (ISF) refers to the combination of two or more switches that
support stacking to logically form one switch. This virtualization technology can integrate the
hardware resource capabilities and software processing capabilities of multiple devices, and
implement collaborative work, unified management, and uninterrupted maintenance of
multiple devices.
Basic concepts
Operating modes
An ISF device supports two operating modes:
ISF topology
Two switches in this series support forming an ISF in the chain or ring topology.
When member devices form a ring topology, the ISF interface IDs on adjacent stacked
member devices must differ. As shown in Figure 10-16, ISF interface 1/1 on ISF member
device 1 is connected to ISF interface 2/2 on ISF member device 2. If the two connected
interfaces have the same ISF ID, the ISF fails to synchronize during switching between the
master device and slave device.
Role election
Role election occurs when the ISF changes as below:
The ISF is established.
The ISF is split; in other words, the stacking link is disconnected.
Two independent ISFs are merged.
Roles are elected according to the following rules, in descending order of priority:
1. The current master device prevails. If two independent ISFs are merged, the new master
device is elected between the master devices of these two independent ISFs.
2. The device that has been forcibly configured as the master device.
3. The device that has been running longer (if multiple devices have been running for over
1 min, the device with the longest running time prevails).
4. The device with the lowest bridge MAC address.
The optimal device elected according to the previous rules is the master device, while the
other devices are slave devices.
Networking requirements
As shown below, to configure 2 devices to form an ISF in chain topology, configure them as
below.
Configuration steps
Step 1 Configure member 1.
Raisecom(config)#interface stack-port 1
Raisecom(config-stack-port-1)#add interface ge 1/0/1
Raisecom(config-stack-port-1)#add interface ge 1/0/2
Raisecom(config-stack-port-1)#quit
Raisecom(config)#hvs member-id 1
Raisecom(config)#hvs mode stack
Raisecom(config)#interface stack-port 1
Raisecom(config-stack-port-1)#add interface ge 1/0/1
Raisecom(config-stack-port-1)#add interface ge 1/0/2
Raisecom(config-stack-port-1)#quit
Raisecom(config)#hvs member-id 2
Raisecom(config)#hvs mode stack
Step 3 After the 2 member devices restart, they start to negotiate. You can then check whether
the ISF is established with the following command.
Checking results
Use the show hvs member command on member 2 to check the result.
10.17 MAD
10.17.1 Introduction
When the link between member devices in an ISF is disconnected, this may cause the ISF to
split into multiple new ISFs with the same Layer 3 configurations, such as the IP address. As a
result, the IP addresses may conflict and the network may fail. The Multi-Active Detection
(MAD) protocol is used for stacking splitting detection, conflict processing, and fault
clearance to improve system availability.
There are several working modes for detecting conflicts in MAD.
Direct connection mode
In direct connection mode, an additional physical interface needs to be allocated between the
stacked member devices to be configured with MAD and to receive MAD packets. The
topology can be established as shown in Figure 10-18.
Proxy mode
In proxy mode, another device needs to be enabled with MAD. Establish a cross-device
aggregation link between the device and the stacked member devices. Then, enable MAD on
the aggregation interface to establish a topology, as shown in Figure 10-19.
Out-of-band interface detection mode
In this mode, enable MAD on the out-of-band interface, and connect the out-of-band interface
on all stacked member devices to the same switch, and ensure normal communication
between all out-of-band interfaces.
Scenario
Backup management IP address
In addition to configuring the working mode of interfaces, MAD can also configure a backup
IP address for each stack member. When MAD detects multiple active devices, it
automatically configures the backup IP address as the IP address of the out-of-band interface.
Reserved interface
When MAD detects multiple active devices, it compares them. If it finds that a device is not
the preferred device, it shuts down that device's interfaces. If you do not want an interface to
be shut down when MAD detects multiple active devices, configure the interface as a
reserved interface.
Prerequisites
N/A
Networking requirements
As shown in Figure 10-18, configure the ISF to make two devices form an ISF. Then,
configure MAD.
Configuration steps
Step 1 Configure member 1.
Raisecom(config)#interface stack-port 1
Raisecom(config-stack-port-1)#add interface ge 1/0/1
Raisecom(config-stack-port-1)#quit
Raisecom(config)#hvs member-id 1
Raisecom(config)#hvs mode stack
Raisecom(config)#interface stack-port 1
Raisecom(config-stack-port-1)#add interface ge 1/0/1
Raisecom(config-stack-port-1)#quit
Raisecom(config)#hvs member-id 2
Raisecom(config)#hvs mode stack
Raisecom(config)#interface ge 1/1/0/2
Raisecom(config-ge-1/1/0/2)#stp disable
Raisecom(config-ge-1/1/0/2)#multi-active-detect mode direct
Raisecom(config-ge-1/1/0/2)#quit
Raisecom(config)#interface ge 2/1/0/2
Raisecom(config-ge-2/1/0/2)#stp disable
Raisecom(config-ge-2/1/0/2)#multi-active-detect mode direct
Checking results
Use the show multi-active-detect information command to show the MAD status.
Status of member 1:
Status of member 2:
10.18 NQA
10.18.1 Introduction
Network Quality Analysis (NQA) is a realtime network performance detection and statistical
technology that can gather statistics about network information, such as response time,
network jitter, and packet loss rate. NQA can monitor network QoS in real time and provide
effective fault diagnosis and localization in the event of network failures.
Scenario
To make the network QoS visible, you can check whether the network QoS meets the
requirements. In this case, you need to deploy probe devices on the network to monitor the
network QoS.
When the device provides NQA, there is no need to deploy specialized probe devices, which
can effectively save costs. NQA can implement accurate testing of network operation status
and output statistics.
NQA monitors the performance of various protocols running on the network, enabling users
to collect realtime network performance indicators, such as the total HTTP delay, TCP
connection delay, DNS resolution delay, file transmission rate, FTP connection delay, and
DNS resolution error rate.
Prerequisites
N/A
10.18.15 Maintenance
Maintain the device as below.
Command Description
Raisecom#show nqa agent    Show information about NQA clients.
Raisecom#show nqa server    Show information about the NQA server.
Raisecom#show nqa result admin-name operate-tag    Show the test result of NQA clients.
Raisecom#show nqa history admin-name operate-tag    Show the history test result of NQA clients.
Raisecom#show nqa statistics admin-name operate-tag    Show statistics on test results of NQA clients.
Networking requirements
As shown in Figure 10-21, enable the ICMP-echo test on switch A to detect the IP layer
connectivity between switch A and switch B.
Configuration steps
Step 1 Configure IP layer connectivity.
Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#config
SwitchA(config)#vlan 10
SwitchA(config-vlan-10)#quit
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port hybrid vlan 10 tagged
SwitchA(config-ge-1/0/1)#quit
SwitchA(config)#interface vlan 10
SwitchA(config-vlanif-10)#ip address 10.1.1.1/24
Configure Switch B.
Raisecom#hostname SwitchB
SwitchB#config
SwitchB(config)#vlan 10
SwitchB(config-vlan-10)#quit
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port hybrid vlan 10 tagged
SwitchB(config-ge-1/0/1)#quit
SwitchB(config)#interface vlan 10
SwitchB(config-vlanif-10)#ip address 10.1.1.2/24
Checking results
Use the show nqa config command to show local configurations.
Use the show nqa history admin test command to show history test results.
10.19 POE
10.19.1 Introduction
Power over Ethernet (PoE) refers to the power supply through an Ethernet network, also
known as a power supply system Power over LAN (PoL) or Active Ethernet.
Scenario
With the increasing popularity of IP phones, network video monitoring, and wireless Ethernet
applications, the demand for power supply through Ethernet is becoming increasingly urgent.
In most cases, the Access Point (AP) device requires a direct current power supply, and it is
usually installed on the ceiling or outdoors, where power sockets are difficult to reach. Even
where there are sockets, the AC/DC converters required by the AP device are difficult to
place. In many large-scale LAN applications, the administrator needs to manage multiple AP
devices simultaneously, which require unified power supply and management and make power
supply management very inconvenient. PoE precisely solves this problem.
PoE is a wired Ethernet powering technology and is currently the most widely used
technology in LANs. PoE allows electrical power to be transmitted to terminal devices
through data transmission lines or idle lines. When the terminal devices are powered by
10BASE-T, 100BASE-TX, and 1000BASE-T Ethernet networks, the reliable power supply
distance can reach up to 100 m. Through this method, the centralized power supply of
terminals can be available, such as IP phones, wireless APs, portable device chargers, card
readers, cameras, and data collectors. For these terminals, there is no need to consider the
issue of indoor power system wiring, and they can be powered on while being connected to
the network.
Prerequisite
N/A
Networking requirements
Configure PoE interfaces GE1/0/1, GE1/0/2, and GE1/0/3 to be connected to three PDs
respectively.
Configuration steps
Step 1 Configure the working mode to auto.
Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#poe power-management auto
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#poe power-management auto
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#poe power-management auto
Raisecom(config-ge-1/0/3)#quit
Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#poe max-power 1500
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#poe max-power 1500
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#poe max-power 1500
Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#poe power-priority critical
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#poe power-priority high
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#poe power-priority high
Checking results
Use the show poe config command to show local PoE configurations.
Use the show poe interface command to show history test results.
Figure 10-22 Flow for fast deployment with the USB flash disk
Scenario
This configuration is used to implement USB flash disk deployment.
Prerequisite
N/A
1. Delete the current partition (on the device, the USB flash disk is shown as /dev/sda; in
the Linux OS, operate on the actual drive).
Step 3 Remove the USB flash disk. Making the USB flash disk is complete.
10.21 Patching
10.21.1 Introduction
The patching function can fix system vulnerabilities and software defects online with a patch,
without updating the system software. The system supports up to 32 patches.
Scenario
A problem found in the system can be solved by patching, without restarting the device.
Prerequisite
Prepare the patch file.
Networking requirements
A problem found in the system can be solved by patching.
The SNMP interface on the device is connected to the PC, on which the TFTP software is
installed. The device downloads the patch file from the PC.
Configuration steps
Step 1 Download the patch file from the PC to the device through TFTP.
Step 2 Activate the patch.
Raisecom(config)#patch 1 active
Checking results
Use the show patch information command to show the patch status.
Scenario
Periodically back up configurations to the specified server.
Prerequisite
The device and PC can ping each other. Enable the TFTP or FTP server on the PC.
Networking requirements
Configure the device to automatically back up current configurations through TFTP to the PC.
The device and PC are connected by the SNMP interface. Enable the TFTP server on the PC.
Configuration steps
Step 1 Configure time range list 1, and configure rule 1 (take the 1-hour periodic backup as an example).
Raisecom(config)#time-range list 1
Raisecom(config-timerange-1)#time-range 1 everyhour 3:10 to 13:10
Step 2 Configure properties of automatic uploading. Enable automatic uploading. Create an entry
(the IP address of the TFTP server is 192.168.62.1, the local file is the running configuration
file, and the file to be uploaded to the TFTP server is config.txt), and bind it to time range list 1.
Raisecom(config)#auto-upload start
Raisecom(config)#auto-upload tftp server 192.168.62.1 config.txt running-config time-range 1
Step 3 After configurations are complete, the device automatically uploads the configuration file to
the TFTP server on the PC every 1h3min10s.
Checking results
Use the show auto-upload server command to show configurations of automatic uploading.
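The PC side of this procedure, as an added example that is not part of the guide or Raisecom's software: a minimal TFTP write-request receiver in Python (RFC 1350) that stores the file the switch names (config.txt) and refuses any name carrying a directory component, so the upload cannot land outside the backup directory. The listening port, the backup directory and the sample packets are assumptions.

```python
import os
import socket
import struct

# TFTP opcodes (RFC 1350): the switch sends a WRQ for config.txt, then DATA blocks of 512 bytes.
OP_WRQ, OP_DATA, OP_ACK = 2, 3, 4
BLOCK_SIZE = 512

def parse_wrq(packet):
    """Parse a write request: opcode 2, then NUL-terminated file name and transfer mode."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_WRQ:
        raise ValueError("not a TFTP write request")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3 or fields[1].lower() not in (b"octet", b"netascii"):
        raise ValueError("malformed WRQ or unsupported mode")
    return fields[0].decode("ascii"), fields[1].decode("ascii").lower()

def safe_path(root, filename):
    """Accept only a bare file name such as config.txt; refuse any directory component."""
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError("refusing file name outside the upload directory: %r" % filename)
    return os.path.join(root, filename)

def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)

def check_data(packet, expected):
    """Validate one DATA packet; return (payload, is_last). A block shorter than 512 ends the transfer."""
    opcode, block = struct.unpack("!HH", packet[:4])
    if opcode != OP_DATA or block != expected:
        raise ValueError("unexpected packet: opcode %d, block %d" % (opcode, block))
    return packet[4:], len(packet) - 4 < BLOCK_SIZE

def serve_one_upload(root, bind=("0.0.0.0", 69)):
    """Receive one device upload over UDP and store it under root (binding port 69 needs privileges)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(bind)
        request, peer = listener.recvfrom(BLOCK_SIZE + 4)
    target = safe_path(root, parse_wrq(request)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as conn, open(target, "wb") as out:
        conn.sendto(build_ack(0), peer)  # ACK 0 from a fresh port: the server's transfer ID
        block, last = 1, False
        while not last:
            packet, peer = conn.recvfrom(BLOCK_SIZE + 4)
            payload, last = check_data(packet, block)
            out.write(payload)
            conn.sendto(build_ack(block), peer)
            block += 1
    return target
```

Run serve_one_upload("/srv/tftp") on the PC before the time range fires; each scheduled upload from the device is then written as /srv/tftp/config.txt.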
11 Appendix
This chapter lists terms, acronyms, and abbreviations involved in this document, including the
following sections:
Terms
Acronyms and abbreviations
11.1 Terms
A
Access Control List (ACL): A series of ordered rules composed of permit | deny sentences. These rules are based on the source MAC address, destination MAC address, source IP address, destination IP address, and interface ID. The device determines whether to receive or refuse the packets based on these rules.
Automatic Laser Shutdown (ALS): The technology that is used for automatically shutting down the laser to avoid maintenance and operation risks when the fiber is pulled out or the output power is too great.
Auto-negotiation: The interface automatically chooses the rate and duplex mode according to the result of negotiation. The auto-negotiation process is: the interface adapts its rate and duplex mode to the highest performance according to the peer interface; in other words, both ends of the link adopt the highest rate and duplex mode they both support after auto-negotiation.
Automatic Protection Switching (APS): APS is used to monitor transport lines in real time and automatically analyze alarms to discover faults. When a critical fault occurs, through APS, services on the working line can be automatically switched to the protection line, so the communication is recovered in a short period.
D
Dynamic ARP Inspection (DAI): A security feature that can be used to verify the ARP data packets in the network. With DAI, the administrator can intercept, record, and discard ARP packets with invalid MAC address/IP address bindings to prevent common ARP attacks.
Dynamic Host Configuration Protocol (DHCP): A technology used for assigning IP addresses dynamically. It can automatically assign IP addresses for all clients in the network to reduce the workload of the administrator. In addition, it can implement centralized management of IP addresses.
E
Ethernet in the First Mile (EFM): Complying with the IEEE 802.3ah protocol, EFM is a link-level Ethernet OAM technology. It provides link connectivity detection, link fault monitoring, and remote fault notification for a link between two directly-connected devices. EFM is mainly used for the Ethernet link on edges of the network accessed by users.
Ethernet Ring Protection Switching (ERPS): An APS protocol based on the ITU-T G.8032 standard, which is a link-layer protocol specially used for the Ethernet ring. In normal conditions, it can avoid broadcast storms caused by the data loop on the Ethernet ring. When the link or device on the Ethernet ring fails, services can be quickly switched to the backup line to enable services to be recovered in time.
F
Full duplex: In a communication link, both parties can receive and send data concurrently.
H
Half duplex: In a communication link, both parties can either receive or send data at a time.
I
Institute of Electrical and Electronics Engineers (IEEE): A professional society serving electrical engineers through its publications, conferences, and standards development activities. The body responsible for the Ethernet 802.3 and wireless LAN 802.11 specifications.
Internet Assigned Numbers Authority (IANA): The organization operated under the IAB. IANA delegates authority for IP address-space allocation and domain-name assignment to the NIC and other organizations. IANA also maintains a database of assigned protocol identifiers used in the TCP/IP suite, including autonomous system numbers.
Internet Engineering Task Force (IETF): A worldwide organization of individuals interested in networking and the Internet. Managed by the Internet Engineering Steering Group (IESG), the IETF is charged with studying technical problems facing the Internet and proposing solutions to the Internet Architecture Board (IAB). The work of the IETF is carried out by various working groups that concentrate on specific topics, such as routing and security. The IETF is the publisher of the specifications that led to the TCP/IP protocol standard.
L
Label: Symbols for cable, chassis, and warnings.
Link Aggregation: With link aggregation, multiple physical Ethernet interfaces are combined to form a logical aggregation group. Multiple physical links in one aggregation group are taken as a logical link. Link aggregation helps share traffic among member interfaces in an aggregation group. In addition to effectively improving the reliability of links between devices, link aggregation can help gain greater bandwidth without upgrading hardware.
Link Aggregation Control Protocol (LACP): A protocol used for realizing dynamic link aggregation. The LACPDU is used to exchange information with the peer device.
M
Multi-Mode Fiber (MMF): In this fiber, multi-mode optical signals are transmitted.
N
Network Time Protocol (NTP): A time synchronization protocol defined by RFC 1305. It is used to synchronize time between distributed time servers and clients. NTP is used to perform clock synchronization on all devices that have clocks in the network. Therefore, the devices can provide different applications based on a unified time. In addition, NTP can ensure a very high accuracy with an error of 10 ms or so.
O
Open Shortest Path First (OSPF): An internal gateway dynamic routing protocol, which is used to determine the route in an Autonomous System (AS).
Optical Distribution Frame (ODF): A distribution connection device between the fiber and a communication device. It is an important part of the optical transmission system. It is mainly used for fiber splicing, optical connector installation, fiber adjustment, additional pigtail storage, and fiber protection.
P
Password Authentication Protocol (PAP): PAP is an authentication protocol that uses a password in the Point-to-Point Protocol (PPP). It is a two-way handshake protocol and transmits unencrypted user names and passwords over the network. Therefore, it is considered insecure.
Point-to-Point Protocol over Ethernet (PPPoE): PPPoE is a network protocol for encapsulating PPP frames in Ethernet frames. With PPPoE, the remote access device can control and account for each access user.
R
Rapid Spanning Tree Protocol (RSTP): An evolution of the Spanning Tree Protocol (STP), which provides improvements in the speed of convergence for bridged networks.
Remote Authentication Dial In User Service (RADIUS): RADIUS refers to a protocol used to authenticate and account users in the network. RADIUS works in client/server mode. The RADIUS server is responsible for receiving users' connection requests, authenticating users, and replying with the configurations required by all clients to provide services for users.
S
Simple Network Time Protocol (SNTP): SNTP is mainly used for synchronizing the time of devices in the network.
Single-Mode Fiber (SMF): In this fiber, single-mode optical signals are transmitted.
Spanning Tree Protocol (STP): STP can be used to eliminate network loops and back up link data. It blocks loops logically to prevent broadcast storms. When the unblocked link fails, the blocked link is re-activated to act as the backup link.
11.2 Acronyms and abbreviations
B
BC Boundary Clock
BDR Backup Designated Router
BITS Building Integrated Timing Supply System
BOOTP Bootstrap Protocol
BPDU Bridge Protocol Data Unit
BTS Base Transceiver Station
C
CAR Committed Access Rate
CAS Channel Associated Signaling
CBS Committed Burst Size
CE Customer Edge
CHAP Challenge Handshake Authentication Protocol
CIDR Classless Inter-Domain Routing
CIR Committed Information Rate
CIST Common Internal Spanning Tree
CLI Command Line Interface
CoS Class of Service
CPU Central Processing Unit
CRC Cyclic Redundancy Check
CSMA/CD Carrier Sense Multiple Access/Collision Detection
CST Common Spanning Tree
D
DAI Dynamic ARP Inspection
DBA Dynamic Bandwidth Allocation
DC Direct Current
DHCP Dynamic Host Configuration Protocol
DiffServ Differentiated Service
DNS Domain Name System
DRR Deficit Round Robin
DS Differentiated Services
DSL Digital Subscriber Line
E
EAP Extensible Authentication Protocol
EAPoL EAP over LAN
EFM Ethernet in the First Mile
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
F
FCS Frame Check Sequence
FE Fast Ethernet
FIFO First In First Out
FTP File Transfer Protocol
G
GARP Generic Attribute Registration Protocol
GE Gigabit Ethernet
GMRP GARP Multicast Registration Protocol
GPS Global Positioning System
GVRP GARP VLAN Registration Protocol
H
HDLC High-level Data Link Control
HTTP Hyper Text Transfer Protocol
I
IANA Internet Assigned Numbers Authority
ICMP Internet Control Message Protocol
IE Internet Explorer
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
IP Internet Protocol
IS-IS Intermediate System to Intermediate System Routing Protocol
ISP Internet Service Provider
L
LACP Link Aggregation Control Protocol
LACPDU Link Aggregation Control Protocol Data Unit
LAN Local Area Network
LCAS Link Capacity Adjustment Scheme
LLDP Link Layer Discovery Protocol
LLDPDU Link Layer Discovery Protocol Data Unit
M
MAC Medium Access Control
MDI Medium Dependent Interface
MDI-X Medium Dependent Interface cross-over
MIB Management Information Base
MSTI Multiple Spanning Tree Instance
MSTP Multiple Spanning Tree Protocol
MTBF Mean Time Between Failures
MTU Maximum Transmission Unit
MVR Multicast VLAN Registration
N
NMS Network Management System
NNM Network Node Management
NTP Network Time Protocol
NView NNM NView Network Node Management
O
OAM Operation, Administration and Management
OC Ordinary Clock
ODF Optical Distribution Frame
OID Object Identifiers
P
P2MP Point to Multipoint
P2P Point-to-Point
PADI PPPoE Active Discovery Initiation
PADO PPPoE Active Discovery Offer
PADS PPPoE Active Discovery Session-confirmation
PAP Password Authentication Protocol
PDU Protocol Data Unit
PE Provider Edge
PIM-DM Protocol Independent Multicast-Dense Mode
PIM-SM Protocol Independent Multicast-Sparse Mode
PING Packet Internet Groper
PPP Point to Point Protocol
PPPoE PPP over Ethernet
PTP Precision Time Protocol
Q
QoS Quality of Service
R
RADIUS Remote Authentication Dial In User Service
RCMP Raisecom Cluster Management Protocol
RED Random Early Detection
RH Relative Humidity
RIP Routing Information Protocol
RMON Remote Network Monitoring
ROS Raisecom Operating System
RPL Ring Protection Link
RRPS Raisecom Ring Protection Switching
RSTP Rapid Spanning Tree Protocol
S
SCADA Supervisory Control And Data Acquisition
SF Signal Fail
SFP Small Form-factor Pluggable
SFTP Secure File Transfer Protocol
SLA Service Level Agreement
SNMP Simple Network Management Protocol
SNTP Simple Network Time Protocol
SP Strict-Priority
SPF Shortest Path First
SSHv2 Secure Shell v2
STP Spanning Tree Protocol
T
TACACS+ Terminal Access Controller Access Control System
TC Transparent Clock
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TLV Type Length Value
ToS Type of Service
TPID Tag Protocol Identifier
TTL Time To Live
U
UDP User Datagram Protocol
UNI User Network Interface
USM User-Based Security Model
V
VLAN Virtual Local Area Network
VRRP Virtual Router Redundancy Protocol
W
WAN Wide Area Network
WRR Weighted Round Robin