
ISCOM S2600 (A) Series Configuration Guide (CLI) (Rel_02)


www.raisecom.com

Raisecom Technology Co., Ltd. provides customers with comprehensive technical support and services. For any
assistance, please contact our local office or company headquarters.
Website: http://www.raisecom.com
Tel: 8610-82883305
Fax: 8610-82883056
Email: export@raisecom.com
Address: Raisecom Building, No. 11, East Area, No. 10 Block, East Xibeiwang Road, Haidian District, Beijing,
P.R.China
Postal code: 100094

-----------------------------------------------------------------------------------------------------------------------------------------

Notice
Copyright ©2024
Raisecom
All rights reserved.
No part of this publication may be excerpted, reproduced, translated, or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from Raisecom
Technology Co., Ltd.

is the trademark of Raisecom Technology Co., Ltd.


All other trademarks and trade names mentioned in this document are the property of their respective holders.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Raisecom
ISCOM S2600 (A) Series Configuration Guide (CLI) Preface

Preface

Objectives
This document describes features supported by the ISCOM S2600 (A), and related
configurations, including basic configurations, basic principles and configuration procedures
of Ethernet, ring network protection, reliability, security, and QoS, and related configuration
examples.
The appendix lists terms, acronyms, and abbreviations involved in this document.
By reading this document, you can master principles and configurations of the device, and
how to network with the device.

Versions
The following table lists the product versions related to this document.

Product name                     Software version    Hardware version
ISCOM S2600 (A) series switch    V7.01               A

Conventions
Symbol conventions
The symbols that may be found in this document are defined as below.

Symbol Description
Indicate a hazard with a medium or low level of risk which, if not avoided, could result in minor or moderate injury.
Indicate a potentially hazardous situation that, if not avoided, could cause equipment damage, data loss, and performance degradation, or unexpected results.

Raisecom Proprietary and Confidential


i
Copyright © Raisecom Technology Co., Ltd.
Provide additional information to emphasize or supplement important points of the main text.

Indicate a tip that may help you solve a problem or save time.

General conventions
Convention: Description
Times New Roman: Normal paragraphs are in Times New Roman.
Arial: Paragraphs in Warning, Caution, Notes, and Tip are in Arial.
Boldface: Buttons and navigation paths are in Boldface.
Italic: Book titles are in italics.
Lucida Console: Terminal display is in Lucida Console.
Book Antiqua: Heading 1, Heading 2, Heading 3, and Block are in Book Antiqua.

Command conventions
Convention: Description
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: The parameter before the & sign can be repeated 1 to n times.


Change history
Updates between document versions are cumulative. Therefore, the latest document version
contains all updates made to previous versions.

Issue 02 (2024-07-05)
Second commercial release

Issue 01 (2023-12-10)
Initial commercial release


Contents

1 Basic configurations
1.1 Accessing device
1.1.1 Introduction
1.1.2 Accessing through the Console interface
1.1.3 Accessing through Telnet
1.1.4 Accessing through SSH
1.1.5 Accessing from Web
1.1.6 Managing users
1.1.7 Restoring the user password
1.1.8 Configuring terminal properties
1.1.9 Configuring the Bootrom password
1.1.10 Modifying the login mode (weak password loophole solution)
1.2 Loading and upgrade
1.2.1 Introduction
1.2.2 Upgrading system software through TFTP CLI
1.2.3 Upgrading system software through FTP CLI
1.2.4 Specifying the startup OS
1.2.5 Showing the system version
1.2.6 Checking configurations
1.3 Time management
1.3.1 Introduction
1.3.2 Preparing for configurations
1.3.3 Default configurations
1.3.4 Configuring NTP
1.3.5 Checking configurations
1.3.6 Example for configuring NTP
1.4 PTP
1.4.1 Introduction
1.4.2 Default configurations
1.4.3 Configuring global attributes
1.4.4 Configuring interface attributes
1.5 Interface management


1.5.1 Introduction
1.5.2 Default configurations of interface management
1.5.3 Configuring basic attributes of interfaces
1.5.4 Configuring interface rate statistics
1.5.5 Configuring flow control on interfaces
1.5.6 Shutting down/Restarting the interface
1.5.8 Showing the priority of management packets
1.5.9 Showing the priority of management packets
1.5.10 Checking configurations

2 Ethernet
2.1 MAC address table
2.1.1 Introduction
2.1.2 Preparing for configurations
2.1.3 Default configurations of MAC address table
2.1.4 Configuring the static MAC address
2.1.5 Configuring the blackhole MAC address
2.1.6 Configuring MAC address learning
2.1.7 Configuring MAC address learning based on VLAN
2.1.8 Configuring the MAC address limit
2.1.9 Configuring the aging time of MAC addresses
2.1.10 MAC address flapping detection and protection
2.1.11 Checking configurations
2.1.12 Maintenance
2.1.13 Example for configuring the MAC address table
2.2 VLAN
2.2.1 Introduction
2.2.2 Preparing for configurations
2.2.3 Default configurations of VLAN
2.2.4 Configuring VLAN attributes
2.2.5 Configuring the interface mode
2.2.6 Configuring the VLAN on the Access interface
2.2.7 Configuring the VLAN on the Trunk interface
2.2.8 Configuring the VLAN based on the Hybrid interface
2.2.9 Configuring the VLAN based on MAC address
2.2.10 Configuring the VLAN based on IP subnet
2.2.11 Configuring the VLAN based on protocol
2.2.12 Checking configurations
2.2.13 Querying VLAN statistics
2.2.14 Example for configuring VLANs
2.3 Voice VLAN
2.3.1 Introduction


2.3.2 Preparing for configurations
2.3.3 Default configurations of the voice VLAN
2.3.4 Configuring the OUI
2.3.5 Enabling the voice VLAN
2.3.6 Checking configurations
2.3.7 Example for adding interfaces to the voice VLAN
2.3.8 Example for configuring the IP phone to access voice VLAN packets through LLDP
2.4 QinQ
2.4.1 Introduction
2.4.2 Preparing for configurations
2.4.3 Default configurations of QinQ
2.4.4 Configuring basic QinQ
2.4.5 Configuring selective QinQ
2.4.6 Configuring the network-side interface to Trunk mode
2.4.7 Configuring the TPID
2.4.8 Checking configurations
2.4.9 Example for configuring basic QinQ
2.4.10 Example for configuring selective QinQ
2.5 VLAN mapping
2.5.1 Introduction
2.5.2 Preparing for configurations
2.5.3 Default configurations of VLAN mapping
2.5.4 Configuring VLAN mapping
2.5.5 Checking configurations
2.5.6 Example for configuring VLAN mapping
2.6 MRP/VRP
2.6.1 Introduction
2.6.2 Preparing for configurations
2.6.3 Default configurations
2.6.4 Configuring basic functions of MVRP
2.6.5 Checking configurations
2.6.6 Example for configuring MVRP

3 IP services
3.1 IP basis
3.1.1 Introduction
3.1.2 Preparing for configurations
3.1.3 Default configurations of VLAN interface
3.1.4 Configuring the IPv4 address of the VLAN interface
3.1.5 Configuring the IPv6 address of the interface
3.1.6 Checking configurations
3.1.7 Example for configuring the VLAN interface to interconnect with the host


3.2 Loopback interface
3.2.1 Introduction
3.2.2 Preparing for configurations
3.2.3 Default configurations of the Loopback interface
3.2.4 Configuring the IP address of the Loopback interface
3.2.5 Checking configurations
3.3 SLAAC
3.3.1 Introduction
3.3.2 Preparing for configurations
3.3.3 Default configurations of SLAAC
3.3.4 Enabling SLAAC
3.3.5 Example for configuring SLAAC
3.4 ARP
3.4.1 Introduction
3.4.2 Preparing for configurations
3.4.3 Default configurations of ARP
3.4.4 Configuring static ARP entries
3.4.5 Configuring dynamic ARP entries
3.4.6 Checking configurations
3.4.7 Maintenance
3.4.8 Example for configuring ARP
3.5 NDP
3.5.1 Introduction
3.5.2 Preparing for configurations
3.5.3 Default configurations of NDP
3.5.4 Configuring static neighbor entries
3.5.5 Configuring the aging time of dynamic NDPs
3.5.6 Checking configurations
3.5.7 Maintenance
3.6 Static route
3.6.1 Introduction
3.6.2 Preparing for configurations
3.6.3 Configuring the static route
3.6.4 Checking configurations
3.6.5 Example for configuring the static route
3.7 Policy routing
3.7.1 Introduction
3.7.2 Preparing for configurations
3.7.3 Configuring policy routing
3.7.4 Checking configurations
3.7.5 Example for configuring policy routing based on ACL


4 DHCP
4.1 ZTP
4.1.1 Introduction
4.1.2 Preparing for configuration
4.1.3 Default configurations of ZTP
4.1.4 Configuring ZTP
4.1.5 Checking configurations
4.2 DHCP Client
4.2.1 Introduction
4.2.2 Preparing for configurations
4.2.3 Default configurations of DHCP Client
4.2.4 Configuring DHCP Client
4.2.5 Configuring DHCPv6 Client
4.2.6 Checking configurations
4.2.7 Example for configuring DHCP Client
4.3 DHCP Server
4.3.1 Introduction
4.3.2 Preparing for configurations
4.3.3 Creating and configuring the IPv4 address pool
4.3.4 Enabling DHCP Server on the interface
4.3.5 Recycling the IP address pool
4.3.6 Configuring DHCPv4 Server PING
4.3.7 Creating and configuring the IPv6 address pool
4.3.8 Enabling DHCPv6 Server on the interface
4.3.9 Recycling the IPv6 address pool
4.3.10 Checking configurations
4.3.11 Maintenance
4.3.12 Example for configuring DHCPv4 Server
4.4 DHCP Relay
4.4.1 Introduction
4.4.2 Preparing for configurations
4.4.3 Default configurations of DHCP Relay
4.4.4 Configuring interface DHCP Relay
4.4.5 Configuring interface DHCPv6 Relay
4.4.6 Configuring DHCP Relay to support Option 82
4.4.7 Configuring DHCP Relay to support Option 18/37
4.4.8 Checking configurations ..................................................................................................................... 117
4.4.9 Maintenance ........................................................................................................................................ 118
4.4.10 Example for configuring DHCPv4 Relay ......................................................................................... 118

5 QoS ............................................................................................................................................... 120


5.1 Introduction .................................................................................................................................................. 120


5.1.1 Service models .................................................................................................................................... 120


5.2 Priority mapping ........................................................................................................................................... 121
5.2.1 Introduction ......................................................................................................................................... 121
5.2.2 Preparing for configurations ............................................................................................................... 122
5.2.3 Default configurations of basic QoS ................................................................................................... 123
5.2.4 Configuring types of priorities trusted by the ingress interface .......................................................... 127
5.2.5 Configuring the diffserv profile .......................................................................................................... 128
5.2.6 Configuring IEEE 802.1p/DSCP remarking on the egress interface ................................................... 129
5.2.7 Checking configurations ..................................................................................................................... 129
5.3 Queue scheduling ......................................................................................................................................... 129
5.3.1 Introduction ......................................................................................................................................... 129
5.3.2 Preparing for configurations ............................................................................................................... 131
5.3.3 Default configurations of queue scheduling ........................................................................................ 131
5.3.4 Configuring SP queue scheduling ....................................................................................................... 132
5.3.5 Configuring WRR or SP+WRR queue scheduling ............................................................................. 132
5.3.6 Configuring DRR or SP+WFQ queue scheduling .............................................................................. 132
5.3.7 Configuring queue bandwidth guarantee ............................................................................................ 133
5.3.8 Checking configurations ..................................................................................................................... 133
5.3.9 Maintenance ........................................................................................................................................ 133
5.3.10 Example for configuring queue scheduling....................................................................................... 134
5.4 Congestion avoidance .................................................................................................................................. 135
5.4.1 Introduction ......................................................................................................................................... 135
5.4.2 Preparing for configurations ............................................................................................................... 136
5.4.3 Default configurations of congestion avoidance ................................................................................. 136
5.4.4 Configuring WRED ............................................................................................................................ 136
5.4.5 Checking configurations ..................................................................................................................... 137
5.5 Rate limiting ................................................................................................................................................. 137
5.5.1 Introduction ......................................................................................................................................... 137
5.5.2 Preparing for configurations ............................................................................................................... 138
5.5.3 Configuring rate limiting based on physical interface ........................................................................ 138
5.5.4 Example for configuring rate limiting based on interface ................................................................... 138

6 Multicast ..................................................................................................................................... 140


6.1 Multicast....................................................................................................................................................... 140
6.2 IGMP Snooping............................................................................................................................................ 145
6.2.1 Introduction ......................................................................................................................................... 145
6.2.2 Preparing for configurations ............................................................................................................... 146
6.2.3 Default configurations of IGMP Snooping ......................................................................................... 146
6.2.4 Configuring basic functions of IGMP Snooping ................................................................................. 147
6.2.5 Configuring IGMP Snooping Querier ................................................................................................. 147
6.2.6 Configuring IGMP Snooping packet suppression ............................................................................... 148
6.2.7 Configuring IGMP Snooping multicast copy ...................................................................................... 148


6.2.8 Configuring the static multicast member of IGMP Snooping ............................................................. 149
6.2.9 Configuring IGMP Snooping Proxy.................................................................................................... 149
6.2.10 Configuring the limit on the number of IGMP Snooping interface multicast groups ....................... 150
6.2.11 Configuring the multicast policy of IGMP Snooping ........................................................................ 150
6.2.12 Configuring IGMP Snooping SSM Mapping .................................................................................... 151
6.2.13 Configuring the static router interface of IGMP Snooping ............................................................... 151
6.2.14 Checking configurations ................................................................................................................... 152
6.2.15 Maintenance ...................................................................................................................................... 152
6.2.16 Example for configuring basic functions of IGMP Snooping ........................................................... 152
6.2.17 Example for configuring the static member of IGMP Snooping ....................................................... 154
6.2.18 Example for configuring IGMP Snooping multicast copy ................................................................ 157
6.2.19 Example for configuring IGMP Snooping Proxy .............................................................................. 159
6.2.20 Example for configuring the multicast policy of IGMP Snooping .................................................... 161
6.3 MLD Snooping............................................................................................................................................. 163
6.3.1 Introduction ......................................................................................................................................... 163
6.3.2 Preparing for configurations ............................................................................................................... 164
6.3.3 Default configurations of MLD Snooping .......................................................................................... 164
6.3.4 Configuring basic functions of MLD Snooping .................................................................................. 165
6.3.5 Configuring MLD Snooping Querier .................................................................................................. 165
6.3.6 Configuring MLD Snooping packet suppression ................................................................................ 166
6.3.7 Configuring MLD Snooping multicast copy ....................................................................................... 166
6.3.8 Configuring the static multicast member of MLD Snooping .............................................................. 167
6.3.9 Configuring MLD Snooping Proxy .................................................................................................... 167
6.3.10 Configuring the limit on the number of MLD Snooping interface multicast groups ........................ 167
6.3.11 Configuring the multicast policy of MLD Snooping......................................................................... 168
6.3.12 Configuring MLD Snooping SSM Mapping ..................................................................................... 168
6.3.13 Checking configurations ................................................................................................................... 169
6.3.14 Maintenance ...................................................................................................................................... 169
6.3.15 Example for configuring basic functions of MLD Snooping ............................................................ 169
6.3.16 Example for configuring the static member of MLD Snooping ........................................................ 171
6.3.17 Example for configuring MLD Snooping multicast copy ................................................................. 174
6.3.18 Example for configuring MLD Snooping Proxy ............................................................................... 176
6.3.19 Example for configuring the multicast policy of MLD Snooping ..................................................... 178

7 OAM ............................................................................................................................................ 181


7.1 Introduction .................................................................................................................................................. 181
7.2 EFM ............................................................................................................................................................. 183
7.2.1 Introduction ......................................................................................................................................... 183
7.2.2 Preparing for configurations ............................................................................................................... 183
7.2.3 Default configurations of EFM ........................................................................................................... 183
7.2.4 Configuring basic functions of EFM ................................................................................................... 184
7.2.5 Configuring CFM interface loopback ................................................................................................. 185


7.2.6 Configuring EFM link fault detection ................................................................................................. 186


7.2.7 Checking configurations ..................................................................................................................... 186
7.3 Link-state tracking ....................................................................................................................................... 187
7.3.1 Introduction ......................................................................................................................................... 187
7.3.2 Preparing for configurations ............................................................................................................... 187
7.3.3 Default configurations of link-state tracking ...................................................................................... 187
7.3.4 Configuring link-state tracking ........................................................................................................... 187
7.3.5 Checking configurations ..................................................................................................................... 188
7.3.6 Example for configuring link-state tracking ....................................................................................... 188
7.4 VRRP ........................................................................................................................................................... 190
7.4.1 Introduction ......................................................................................................................................... 190
7.4.2 Preparing for configurations ............................................................................................................... 193
7.4.3 Default configurations of VRRP ......................................................................................................... 193
7.4.4 Configuring the VRRP backup group ................................................................................................. 194
7.4.5 Configuring the VRRP6 backup group ............................................................................................... 195
7.4.6 Configuring VRRP Trap...................................................................................................................... 197
7.4.7 Configuring the VRRP monitoring interface ...................................................................................... 197
7.4.8 Configuring BFD for VRRP ............................................................................................................... 197
7.4.9 Checking configurations ..................................................................................................................... 198
7.4.1 Example for configuring VRRP master/backup .................................................................................. 199
7.5 CFM ............................................................................................................................................................. 201
7.5.1 Introduction ......................................................................................................................................... 201
7.5.2 Preparing for configurations ............................................................................................................... 203
7.5.3 Default configurations of CFM ............................................................................................................ 204
7.5.4 Configuring basic functions of CFM .................................................................................................. 204
7.5.5 Configuring fault detection ................................................................................................................. 205
7.5.6 Configuring fault acknowledgement ................................................................................................... 206
7.5.7 Configuring fault location ................................................................................................................... 206
7.5.8 Configuring alarm inhibition (configurable in Y.1731 mode only) ..................................................... 206
7.5.9 Configuring the one-way packet loss test (configurable in Y.1731 mode only) .................................. 207
7.5.10 Configuring the round-trip delay test (configurable in Y.1731 mode only) ...................................... 207
7.5.11 Checking configurations ................................................................................................................... 208
7.5.12 Example for configuring CFM .......................................................................................................... 208

8 Security........................................................................................................................................ 214
8.1 ACL .............................................................................................................................................................. 214
8.1.1 Introduction ......................................................................................................................................... 214
8.1.2 Preparing for configurations ............................................................................................................... 215
8.1.3 Configuring the ACL .......................................................................................................................... 215
8.1.4 Configuring the ACL .......................................................................................................................... 216
8.1.5 Applying the ACL ............................................................................................................................... 221
8.1.6 Configuring statistics .......................................................................................................................... 221


8.1.7 Configuring rate limiting .................................................................................................................... 222


8.1.8 Configuring the time range ................................................................................................................. 222
8.1.9 Checking configurations ..................................................................................................................... 223
8.1.10 Maintenance ...................................................................................................................................... 224
8.1.11 Example for configuring ACL ........................................................................................................... 224
8.2 AAA ............................................................................................................................................................. 227
8.2.1 Introduction ......................................................................................................................................... 227
8.2.2 Preparing for configurations ............................................................................................................... 228
8.2.3 Default configurations of AAA ........................................................................................................... 228
8.2.4 Configuring the RADIUS server ......................................................................................................... 229
8.2.5 Configuring the TACACS+ server ...................................................................................................... 229
8.2.6 Configuring the AAA server group ..................................................................................................... 230
8.2.7 Configuring the AAA mode ................................................................................................................ 230
8.2.8 Checking configurations ..................................................................................................................... 231
8.2.9 Example for configuring AAA ............................................................................................................ 231
8.3 802.1x........................................................................................................................................................... 234
8.3.1 Introduction ......................................................................................................................................... 234
8.3.2 Preparing for configurations ............................................................................................................... 236
8.3.3 Default configurations of 802.1x ........................................................................................................ 237
8.3.4 Configuring basic functions of 802.1x ................................................................................................ 237
8.3.5 Configuring 802.1x re-authentication ................................................................................................. 238
8.3.6 Configuring 802.1x timers .................................................................................................................. 239
8.3.7 Checking configurations ..................................................................................................................... 239
8.3.8 Example for configuring 802.1x ......................................................................................................... 240
8.4 Port security MAC ....................................................................................................................................... 242
8.4.1 Introduction ......................................................................................................................................... 242
8.4.2 Preparing for configurations ............................................................................................................... 243
8.4.3 Default configurations of port security MAC ..................................................................................... 243
8.4.4 Configuring basic functions of port security MAC ............................................................................. 243
8.4.5 Configuring the sticky secure MAC address ....................................................................................... 244
8.4.6 Checking configurations ..................................................................................................................... 245
8.4.7 Maintenance ........................................................................................................................................ 245
8.4.8 Example for configuring port security MAC ...................................................................................... 245
8.5 PPPoE+ ........................................................................................................................................................ 247
8.5.1 Introduction ......................................................................................................................................... 247
8.5.2 Preparing for configurations ............................................................................................................... 249
8.5.3 Default configurations of PPPoE+ ...................................................................................................... 249
8.5.4 Configuring basic functions of PPPoE+.............................................................................................. 250
8.5.5 Configuring PPPoE+ packets .............................................................................................................. 250
8.5.6 Checking configurations ..................................................................................................................... 252
8.5.7 Maintenance ........................................................................................................................................ 252
8.5.8 Example for configuring PPPoE+ ....................................................................................................... 253


8.6 Storm suppression ........................................................................................................................................ 255


8.6.1 Introduction ......................................................................................................................................... 255
8.6.2 Preparing for configurations ............................................................................................................... 256
8.6.3 Default configurations of storm suppression ...................................................................................... 256
8.6.4 Configuring storm suppression ........................................................................................................... 256
8.6.5 Checking configurations ..................................................................................................................... 257
8.6.6 Example for configuring storm suppression ....................................................................................... 257
8.7 ARP attack protection ................................................................................................................................... 259
8.7.1 Preparing for configurations ............................................................................................................... 259
8.7.2 Default configurations of ARP attack protection ................................................................................ 259
8.7.3 Configuring ARP ................................................................................................................................ 259
8.7.4 Checking configurations ..................................................................................................................... 261
8.7.5 Example for configuring ARP attack protection ................................................................................. 261
8.8 ND Snooping ................................................................................................................................................ 263
8.8.1 Introduction ......................................................................................................................................... 263
8.8.2 Preparing for configurations ............................................................................................................... 264
8.8.3 Default configurations of ND Snooping ............................................................................................. 264
8.8.4 Configuring ND Snooping .................................................................................................................. 264
8.8.5 Checking configurations ..................................................................................................................... 265
8.8.6 Maintenance ........................................................................................................................................ 265
8.8.7 Example for configuring ND Snooping .............................................................................................. 265
8.9 DHCP Snooping ........................................................................................................................................... 267
8.9.1 Introduction ......................................................................................................................................... 267
8.9.2 Preparing for configurations ............................................................................................................... 268
8.9.3 Default configurations of DHCP Snooping ......................................................................................... 269
8.9.4 Configuring DHCP Snooping ............................................................................................................. 269
8.9.5 Configure DHCP Snooping to support Option 82 ............................................................................... 270
8.9.6 Configuring DHCPv6 Snooping ......................................................................................................... 271
8.9.7 Checking configurations ..................................................................................................................... 271
8.9.8 Maintenance ........................................................................................................................................ 272
8.9.9 Example for configuring DHCP Snooping.......................................................................................... 272
8.10 IP Source Guard ......................................................................................................................................... 274
8.10.1 Introduction ....................................................................................................................................... 274
8.10.2 Preparing for configurations ............................................................................................................. 275
8.10.3 Default configurations of IP Source Guard ....................................................................................... 275
8.10.4 Configuring IP Source Guard binding............................................................................................... 276
8.10.5 Configuring the interface trust status of IP Source Guard ................................................................. 276
8.10.6 Checking configurations ................................................................................................................... 276
8.10.7 Example for configuring IP Source Guard ........................................................................................ 277
8.11 CPU attack protection ................................................................................................................................ 278
8.11.1 Preparing for configurations .............................................................................................................. 278
8.11.2 Configuring CPU attack protection ................................................................................................... 279

8.11.3 Checking configurations ................................................................................................................... 279
8.11.4 Maintenance ...................................................................................................................................... 279
8.12 MAC address authentication ...................................................................................................................... 280
8.12.1 Introduction ....................................................................................................................................... 280
8.12.2 Default configurations ....................................................................................................................... 280
8.12.3 Configuring MAC address authentication......................................................................................... 281
8.12.4 Example for configuring MAC address authentication ..................................................................... 282
8.13 DOS attack prevention ............................................................................................................................... 284
8.13.1 Introduction ....................................................................................................................................... 284
8.13.2 Preparing for configurations ............................................................................................................. 285
8.13.3 Default configurations of DOS attack prevention ............................................................................. 286
8.13.4 Configuring abnormal packet attack prevention ............................................................................... 286
8.13.5 Configuring fragmented packet attack prevention ............................................................................ 286
8.13.6 Configuring TCP SYN flood attack prevention ................................................................................ 287
8.13.7 Configuring UDP flood attack prevention ........................................................................................ 287
8.13.8 Configuring ICMP flood attack prevention ....................................................................................... 287
8.13.9 Checking configurations ................................................................................................................... 288
8.13.10 Example for configuring DOS attack prevention ............................................................................ 288

9 Reliability ................................................................................................................................... 291


9.1 Link aggregation .......................................................................................................................................... 291
9.1.1 Introduction ......................................................................................................................................... 291
9.1.2 Preparing for configurations ............................................................................................................... 292
9.1.3 Default configurations of link aggregation ......................................................................................... 292
9.1.4 Configuring manual link aggregation ................................................................................................. 293
9.1.5 Configuring manual master/slave link aggregation ............................................................................. 293
9.1.6 Configuring static LACP link aggregation .......................................................................................... 294
9.1.7 Configuring the load balancing algorithm for the LAG ...................................................................... 295
9.1.8 Checking configurations ..................................................................................................................... 296
9.1.9 Example for configuring static LACP link aggregation ...................................................................... 297
9.2 G.8031 .......................................................................................................................................................... 299
9.2.1 Introduction ......................................................................................................................................... 299
9.2.2 Preparing for configurations ............................................................................................................... 300
9.2.3 Default configurations of G.8031 ....................................................................................................... 300
9.2.4 Creating a G.8031 protection group .................................................................................................... 301
9.2.5 (Optional) configuring G.8031 switching control ............................................................................... 302
9.2.6 Checking configurations ..................................................................................................................... 302
9.2.7 Example for configuring G.8031 ........................................................................................................ 302
9.3 G.8032 .......................................................................................................................................................... 304
9.3.1 Introduction ......................................................................................................................................... 304
9.3.2 Preparing for configurations ............................................................................................................... 309
9.3.3 Default configurations of G.8032 ....................................................................................................... 310

9.3.4 Creating a G.8032 ring ........................................................................................................................ 310
9.3.5 Creating a G.8032 tributary ring ......................................................................................................... 312
9.3.6 Configuring G.8032 switching control................................................................................................ 313
9.3.7 Checking configurations ..................................................................................................................... 313
9.3.8 Maintenance ........................................................................................................................................ 314
9.3.9 Example for configuring single ring G.8032 ...................................................................................... 315
9.3.10 Example for configuring intersecting G.8032 ................................................................................... 317
9.4 STP/RSTP .................................................................................................................................................... 320
9.4.1 Introduction ......................................................................................................................................... 320
9.4.2 Preparation for configuration .............................................................................................................. 323
9.4.3 Default configurations of STP ............................................................................................................ 323
9.4.4 Enabling STP ...................................................................................................................................... 324
9.4.5 Configuring STP parameters ............................................................................................................... 324
9.4.6 Configuring the RSTP edge interface ................................................................................................. 325
9.4.7 Configuring the RSTP link type .......................................................................................................... 325
9.4.8 Checking configurations ..................................................................................................................... 326
9.4.9 Example for configuring STP ............................................................................................................. 326
9.5 MSTP ........................................................................................................................................................... 329
9.5.1 Introduction ......................................................................................................................................... 329
9.5.2 Preparation for configuration .............................................................................................................. 332
9.5.3 Default configurations of MSTP ......................................................................................................... 332
9.5.4 Enabling MSTP ................................................................................................................................... 333
9.5.5 Configuring the MST region and its maximum number of hops ........................................................ 333
9.5.6 Configuring the interface priority and system priority ........................................................................ 334
9.5.7 Configuring the path cost of the interface ........................................................................................... 335
9.5.8 Configuring the maximum transmission rate on interface .................................................................. 335
9.5.9 Configuring the MSTP timer............................................................................................................... 336
9.5.10 Configuring the edge interface .......................................................................................................... 336
9.5.11 Configuring BPDU filtering .............................................................................................................. 337
9.5.12 Configuring BPDU Guard................................................................................................................. 337
9.5.13 Configuring STP/RSTP/MSTP mode switching ............................................................................... 338
9.5.14 Configuring the link type .................................................................................................................. 339
9.5.15 Configuring root interface protection ................................................................................................ 339
9.5.16 Configuring interface loop protection ............................................................................................... 340
9.5.17 Configuring TC packet suppression .................................................................................................. 340
9.5.18 Configuring TC protection ................................................................................................................ 341
9.5.19 Checking configurations ................................................................................................................... 341
9.5.20 Maintenance ...................................................................................................................................... 342
9.5.21 Example for configuring MSTP ........................................................................................................ 342
9.6 Loop detection .............................................................................................................................................. 346
9.6.1 Introduction ......................................................................................................................................... 346
9.6.2 Preparing for configurations ............................................................................................................... 347

9.6.3 Default configurations of loop detection ............................................................................................. 348
9.6.4 Configuring loop detection ................................................................................................................. 348
9.6.5 Checking configurations ..................................................................................................................... 348
9.6.6 Example for configuring inner loop detection .................................................................................... 349
9.7 Interface backup ........................................................................................................................................... 350
9.7.1 Introduction ......................................................................................................................................... 350
9.7.2 Preparing for configurations ............................................................................................................... 352
9.7.3 Default configurations of interface backup ......................................................................................... 353
9.7.4 Configuring basic functions of interface backup ................................................................................ 353
9.7.5 Configuring FS on interfaces .............................................................................................................. 354
9.7.6 Checking configurations ..................................................................................................................... 354
9.7.7 Example for configuring interface backup .......................................................................................... 354
9.8 Interface isolation ......................................................................................................................................... 356
9.8.1 Introduction ......................................................................................................................................... 356
9.8.2 Preparing for configurations ............................................................................................................... 357
9.8.3 Default configurations of interface isolation ....................................................................................... 357
9.8.4 Configuring interface isolation ........................................................................................................... 357
9.8.5 Checking configurations ..................................................................................................................... 357
9.8.6 Example for configuring interface isolation ........................................................................................ 358
9.9 L2CP ............................................................................................................................................................ 359
9.9.1 Introduction ......................................................................................................................................... 359
9.9.2 Preparing for configurations ............................................................................................................... 359
9.9.3 Default configurations......................................................................................................................... 360
9.9.4 Configuring L2CP ............................................................................................................................... 360
9.9.5 Checking configurations ..................................................................................................................... 361
9.9.6 Example for configuring BPDU Tunnel.............................................................................................. 361
9.10 BFD ............................................................................................................................................................ 362
9.10.1 Introduction ....................................................................................................................................... 362
9.10.2 Preparing for configurations ............................................................................................................. 362
9.10.3 Default configurations ....................................................................................................................... 362
9.10.4 Configuring one-arm echo for BFD .................................................................................................. 363
9.10.5 Checking configurations ................................................................................................................... 363
9.10.6 Example for configuring single-hop BFD ......................................................................................... 363
9.11 Link flap protection .................................................................................................................................... 365
9.11.1 Introduction ....................................................................................................................................... 365
9.11.2 Preparing for configurations .............................................................................................................. 365
9.11.3 Default configurations of link flap protection ................................................................................... 365
9.11.4 Configuring link flap protection ........................................................................................................ 365
9.11.5 Checking configurations ................................................................................................................... 366
9.11.6 Example for configuring link flap protection .................................................................................... 366
9.12 Interface loopback ...................................................................................................................................... 367
9.12.1 Introduction ....................................................................................................................................... 367

9.12.2 Preparing for configurations ............................................................................................................. 367
9.12.3 Default configurations of interface loopback .................................................................................... 367
9.12.4 Configuring interface loopback......................................................................................................... 367
9.12.5 Checking configurations ................................................................................................................... 367
9.12.1 Example for configuring interface loopback ..................................................................................... 368

10 System management ............................................................................................................... 369


10.1 SNMP ......................................................................................................................................................... 370
10.1.1 Introduction ....................................................................................................................................... 370
10.1.2 Preparing for configurations ............................................................................................................. 371
10.1.3 Default configurations of SNMP ...................................................................................................... 371
10.1.4 Configuring basic functions of SNMPv1/SNMPv2c ........................................................................ 372
10.1.5 Configuring basic functions of SNMPv3 .......................................................................................... 373
10.1.6 Configuring other information about SNMP .................................................................................... 374
10.1.7 Configuring Trap ............................................................................................................................... 375
10.1.8 Checking configurations ................................................................................................................... 376
10.1.9 Example for configuring SNMPv1/SNMPv2c and Trap ................................................................... 376
10.1.10 Example for configuring SNMPv3 and Trap .................................................................................. 378
10.2 RMON ........................................................................................................................................................ 380
10.2.1 Introduction ....................................................................................................................................... 380
10.2.2 Preparing for configurations ............................................................................................................. 382
10.2.3 Default configurations of RMON ..................................................................................................... 382
10.2.4 Configuring RMON statistics ........................................................................................................... 382
10.2.5 Configuring RMON history statistics ............................................................................................... 383
10.2.6 Configuring the RMON alarm group ................................................................................................ 383
10.2.7 Configuring the RMON event group ................................................................................................ 384
10.2.8 Checking configurations ................................................................................................................... 384
10.2.9 Example for configuring the RMON alarm group ............................................................................ 385
10.3 LLDP .......................................................................................................................................................... 387
10.3.1 Introduction ....................................................................................................................................... 387
10.3.2 Preparing for configurations ............................................................................................................. 389
10.3.3 Default configurations of LLDP ....................................................................................................... 389
10.3.4 Enabling global LLDP ...................................................................................................................... 390
10.3.5 Enabling interface LLDP .................................................................................................................. 390
10.3.6 Configuring basic functions of global LLDP .................................................................................... 391
10.3.7 Configuring basic functions of interface LLDP ................................................................................ 391
10.3.8 Configuring the LLDP alarm ............................................................................................................ 392
10.3.9 Configuring TLV ............................................................................................................................... 392
10.3.10 Checking configurations ................................................................................................................. 394
10.3.11 Maintenance .................................................................................................................................... 394
10.3.12 Example for configuring LLDP ...................................................................................................... 394
10.4 Port mirroring ............................................................................................................................................. 397

10.4.1 Introduction ....................................................................................................................................... 397
10.4.2 Preparing for configurations ............................................................................................................. 398
10.4.3 Default configurations of port mirroring ........................................................................................... 398
10.4.4 Configuring port mirroring ............................................................................................................... 399
10.4.5 Default configurations of VLAN mirroring ...................................................................................... 399
10.4.6 Configuring VLAN mirroring ........................................................................................................... 399
10.4.7 Checking configurations ................................................................................................................... 400
10.4.8 Example for configuring port mirroring ............................................................................................ 401
10.4.9 Example for configuring remote port mirroring ................................................................................ 402
10.5 Cable diagnosis .......................................................................................................................................... 403
10.5.1 Introduction ....................................................................................................................................... 403
10.5.2 Preparing for configurations ............................................................................................................. 403
10.5.3 Configuring cable diagnosis .............................................................................................................. 403
10.5.4 Checking configurations ................................................................................................................... 404
10.6 UDLD......................................................................................................................................................... 404
10.6.1 Introduction ....................................................................................................................................... 404
10.6.2 Preparing for configurations ............................................................................................................. 404
10.6.3 Default configurations of UDLD ...................................................................................................... 405
10.6.4 Configuring UDLD ........................................................................................................................... 405
10.6.5 Checking configurations ................................................................................................................... 406
10.7 Optical module DDM ................................................................................................................................. 407
10.7.1 Introduction ....................................................................................................................................... 407
10.7.2 Preparing for configurations ............................................................................................................. 407
10.7.3 Default configurations of optical module DDM ............................................................................... 407
10.7.4 Enabling optical module DDM ......................................................................................................... 407
10.7.5 Enabling optical module DDM Trap ................................................................................................. 408
10.7.6 Checking configurations ................................................................................................................... 409
10.8 System log .................................................................................................................................................. 409
10.8.1 Introduction ....................................................................................................................................... 409
10.8.2 Preparing for configurations ............................................................................................................. 410
10.8.3 Default configurations of system log ................................................................................................ 410
10.8.4 Configuring basic information about the system log ........................................................................ 411
10.8.5 Configuring system log output .......................................................................................................... 411
10.8.6 Configuring system log output to Telnet/SSH terminals ................................................................... 412
10.8.7 Checking configurations ................................................................................................................... 412
10.8.8 Maintenance ...................................................................................................................................... 413
10.8.9 Example for configuring outputting system logs to the log host ....................................................... 413
10.9 Alarm management .................................................................................................................................... 415
10.9.1 Introduction ....................................................................................................................................... 415
10.9.2 Preparing for configurations ............................................................................................................. 415
10.9.3 Configuring basic functions of alarm management .......................................................................... 415
10.9.4 Checking configurations ................................................................................................................... 416

10.10 CPU monitoring ....................................................................................................................................... 416
10.10.1 Introduction ..................................................................................................................................... 416
10.10.2 Preparing for configurations ........................................................................................................... 417
10.10.3 Default configurations of CPU monitoring ..................................................................................... 417
10.10.4 Configuring the CPU monitoring alarm .......................................................................................... 417
10.10.5 Checking configurations ................................................................................................................. 418
10.11 Memory monitoring ................................................................................................................................. 418
10.11.1 Preparing for configurations ............................................................................................................ 418
10.11.2 Configuring memory monitoring .................................................................................................... 418
10.11.3 Checking configurations ................................................................................................................. 419
10.12 PING ........................................................................................................................................................ 419
10.12.1 Introduction ..................................................................................................................................... 419
10.12.2 Configuring PING ........................................................................................................................... 420
10.13 Trace ......................................................................................................................................................... 421
10.13.1 Introduction ..................................................................................................................................... 421
10.13.2 Configuring IPv4 Trace ................................................................................................................... 421
10.13.3 Configuring IPv6 Trace ................................................................................................................... 422
10.14 Hardware monitoring ............................................................................................................................... 422
10.14.1 Introduction ..................................................................................................................................... 422
10.14.2 Configuring temperature monitoring .............................................................................................. 422
10.14.3 Configuring power supply monitoring ............................................................................................ 423
10.14.4 Checking configurations ................................................................................................................. 423
10.15 Fan monitoring ......................................................................................................................................... 424
10.15.1 Introduction ..................................................................................................................................... 424
10.15.2 Preparing for configurations ........................................................................................................... 424
10.15.3 Configuring fan monitoring ............................................................................................................ 424
10.15.4 Checking configurations ................................................................................................................. 425
10.16 ISF ............................................................................................................................................................ 425
10.16.1 Introduction ..................................................................................................................................... 425
10.16.2 Default configurations ..................................................................................................................... 427
10.16.3 Configuring ISF .............................................................................................................................. 428
10.16.4 Example for configuring ISF .......................................................................................................... 428
10.17 MAD ........................................................................................................................................................ 430
10.17.1 Introduction ..................................................................................................................................... 430
10.17.2 Preparing for configurations ........................................................................................................... 431
10.17.3 Configuring MAD ........................................................................................................................... 431
10.17.4 Example for configuring MAD ....................................................................................................... 432
10.18 NQA ......................................................................................................................................................... 434
10.18.1 Introduction ..................................................................................................................................... 434
10.18.2 Preparing for configurations ........................................................................................................... 434
10.18.3 Default configurations ..................................................................................................................... 434
10.18.4 Configure the ICMP-echo test ........................................................................................................ 434

10.18.5 Configuring the UDP-echo test ....................................................................................................... 435
10.18.6 Configuring the TCP test................................................................................................................. 436
10.18.7 Configuring the DNS test ................................................................................................................ 437
10.18.8 Configuring the HTTP test .............................................................................................................. 438
10.18.9 Configuring the FTP test ................................................................................................................. 438
10.18.10 Configuring the SNMP test ........................................................................................................... 439
10.18.11 Configuring test history recording ................................................................................................ 440
10.18.12 Configuring test statistics .............................................................................................................. 440
10.18.13 Configuring test Trap .................................................................................................................... 441
10.18.14 Checking results ............................................................................................................................ 441
10.18.15 Maintenance .................................................................................................................................. 441
10.18.16 Example for configuring the ICMP-echo test ............................................................................... 442
10.19 POE .......................................................................................................................................................... 444
10.19.1 Introduction ..................................................................................................................................... 444
10.19.2 Preparing for configurations ........................................................................................................... 444
10.19.3 Default configurations of PoE ......................................................................................................... 444
10.19.4 Enabling PoE .................................................................................................................................. 444
10.19.5 Configuring the maximum output power of PoE ............................................................................ 445
10.19.6 Configuring power-on and power-off of PoE.................................................................................. 445
10.19.7 Configuring the PD description ...................................................................................................... 446
10.19.8 Checking configurations ................................................................................................................. 446
10.19.9 Example for configuring PoE .......................................................................................................... 446
10.20 USB flash disk deployment ...................................................................................................................... 448
10.20.1 Introduction ..................................................................................................................................... 448
10.20.2 Flow for USB flash disk deployment .............................................................................................. 449
10.20.3 Preparing for configurations ........................................................................................................... 449
10.20.4 Default configurations of USB flash disk deployment.................................................................... 449
10.20.5 Making USB flash disk for fast deployment ................................................................................... 449
10.21 Patching .................................................................................................................................................... 450
10.21.1 Introduction ..................................................................................................................................... 450
10.21.2 Preparing for configurations ........................................................................................................... 451
10.21.3 Loading the patch file ..................................................................................................................... 451
10.21.4 Activating the patch file .................................................................................................................. 451
10.21.5 Deactivating the patch file .............................................................................................................. 451
10.21.6 Deleting the patch file ..................................................................................................................... 451
10.21.7 Checking configurations ................................................................................................................. 452
10.21.8 Example for configuring patching................................................................................................... 452
10.22 Periodically backing up configurations .................................................................................................... 453
10.22.1 Introduction ..................................................................................................................................... 453
10.22.2 Preparing for configurations ........................................................................................................... 453
10.22.3 Configuring time range ................................................................................................................... 453
10.22.4 Configuring automatic uploading ................................................................................................... 454

10.22.5 Checking configurations ................................................................................................................. 455
10.22.6 Example for configuring periodic backup ....................................................................................... 455

11 Appendix .................................................................................................................................. 457


11.1 Terms .......................................................................................................................................................... 457
11.2 Acronyms and abbreviations ...................................................................................................................... 462

Figures

Figure 1-1 Accessing device through PC connected with RJ45 Console interface ................................................ 2
Figure 1-2 Configuring communication parameters in Hyper Terminal ................................................................ 3

Figure 1-3 Networking with device as Telnet server .............................................................................................. 5

Figure 1-4 Networking with device as Telnet client ............................................................................................... 5


Figure 1-5 Basic principles of NTP ...................................................................................................................... 18

Figure 1-6 NTP networking ................................................................................................................................. 22

Figure 2-1 Forwarding packets according to the MAC address table .................................................................. 34

Figure 2-2 MAC networking ................................................................................................................................ 40

Figure 2-3 VLAN partitions ................................................................................................................................. 42

Figure 2-4 VLAN and interface isolation networking .......................................................................................... 50

Figure 2-5 Networking for IP phone to connect to switch ................................................................................... 53

Figure 2-6 Networking with adding interface to voice VLAN and configuring it to work in manual mode ....... 55

Figure 2-7 Configuring IP phone to access voice VLAN packets through LLDP................................................ 57

Figure 2-8 Principles of basic QinQ ..................................................................................................................... 58

Figure 2-9 Basic QinQ networking ...................................................................................................................... 62

Figure 2-10 Selective QinQ networking .............................................................................................................. 64

Figure 2-11 Principles of VLAN mapping ........................................................................................................... 65

Figure 2-12 VLAN mapping networking ............................................................................................................. 68

Figure 2-13 Principles of MVRP ......................................................................................................................... 71


Figure 2-14 MVRP networking ............................................................................................................................ 73

Figure 3-1 VLAN interface networking ............................................................................................................... 79

Figure 3-2 Configuring ARP networking ............................................................................................................. 86

Figure 3-3 Principles of NDP address resolution ................................................................................................. 88

Figure 3-4 Configuring the static route ................................................................................................................ 92

Figure 3-5 Policy routing networking .................................................................................................................. 95


Figure 4-1 ZTP server networking ....................................................................................................................... 98

Figure 4-2 DHCP typical networking................................................................................................................. 100

Figure 4-3 Structure of a DHCP packet ............................................................................................................. 100


Figure 4-4 DHCP Client networking .................................................................................................................. 102

Figure 4-5 DHCP Client networking .................................................................................................................. 104

Figure 4-6 DHCP Server and Client networking ................................................................................................ 107


Figure 4-7 Structure of a DHCP packet ............................................................................................................. 107

Figure 4-8 DHCP Server networking ................................................................................................................. 113

Figure 4-9 Typical application of DHCP Relay ................................................................................................. 115


Figure 4-10 DHCP Relay networking ................................................................................................................ 118

Figure 5-1 SP scheduling ................................................................................................................................... 130

Figure 5-2 WRR scheduling ............................................................................................................................... 130


Figure 5-3 DRR scheduling................................................................................................................................ 131

Figure 5-4 Queue scheduling networking .......................................................................................................... 134

Figure 5-5 Rate limiting based on interface ....................................................................................................... 139


Figure 6-1 Multicast transmission networking ................................................................................................... 141

Figure 6-2 Basic concepts in multicast ............................................................................................................... 142

Figure 6-3 Mapping between IPv4 multicast address and multicast MAC address ........................................... 143

Figure 6-4 Operating of IGMP and Layer 2 multicast features .......................................................................... 144

Figure 6-5 IGMP Snooping networking ............................................................................................................. 146

Figure 6-6 Configuring basic functions of IGMP Snooping .............................................................................. 153

Figure 6-7 Configuring the static member of IGMP Snooping .......................................................................... 155

Figure 6-8 Configuring IGMP Snooping multicast copy ................................................................................... 157

Figure 6-9 Configuring IGMP Snooping Proxy ................................................................................................. 159

Figure 6-10 Configuring the multicast policy of IGMP Snooping ..................................................................... 161

Figure 6-11 MLD Snooping networking ............................................................................................................ 164

Figure 6-12 Configuring basic functions of MLD Snooping ............................................................................. 170

Figure 6-13 Configuring the static member of MLD Snooping ......................................................................... 172

Figure 6-14 Configuring MLD Snooping multicast copy .................................................................................. 174

Figure 6-15 Configuring MLD Snooping Proxy ................................................................................................ 176

Figure 6-16 Configuring the multicast policy of MLD Snooping ...................................................................... 178

Figure 7-1 OAM loopback ................................................................................................................................. 182

Figure 7-2 Link-state tracking networking ......................................................................................................... 189

Figure 7-3 VRRP principles ............................................................................................................................... 191

Figure 7-4 Principles of VRRP load balancing .................................................................................................. 192

Figure 7-5 Configuring VRRP master/backup ................................................................................................... 199


Figure 7-6 MDs at different levels ..................................................................................................................... 201

Figure 7-7 MEP and MIP ................................................................................................................................... 202

Figure 7-8 Typical CFM networking .................................................................................................................. 209


Figure 8-1 ACL networking ............................................................................................................................... 224

Figure 8-2 Domain-based authentication application networking ...................................................................... 232

Figure 8-3 802.1x structure ................................................................................................................................ 234


Figure 8-4 Dot1x networking ............................................................................................................................. 240

Figure 8-5 Port security MAC networking ......................................................................................................... 246

Figure 8-6 Accessing the network through PPPoE authentication ..................................................................... 248
Figure 8-7 PPPoE+ networking.......................................................................................................................... 253

Figure 8-8 Storm suppression networking ......................................................................................................... 258

Figure 8-9 DAI networking ................................................................................................................................ 262


Figure 8-10 ND Snooping networking ............................................................................................................... 266

Figure 8-11 DHCP Snooping ............................................................................................................................. 268

Figure 8-12 DHCP Snooping networking .......................................................................................................... 273

Figure 8-13 Principles of IP Source Guard ........................................................................................................ 275

Figure 8-14 Configuring IP Source Guard ......................................................................................................... 277

Figure 8-15 MAC address authentication networking ....................................................................................... 283

Figure 8-16 DOS attack prevention.................................................................................................................... 288

Figure 9-1 Static LACP mode Link aggregation networking ............................................................................. 297

Figure 9-2 G.8031 networking ........................................................................................................................... 302

Figure 9-3 G.8032 ring networking .................................................................................................................... 305

Figure 9-4 Idle state ........................................................................................................................................... 307

Figure 9-5 Protecting state ................................................................................................................................. 307

Figure 9-6 Tributary ring .................................................................................................................................... 308

Figure 9-7 Single ring G.8032 networking......................................................................................................... 315

Figure 9-8 Intersecting ring G.8032 networking ................................................................................................ 318

Figure 9-9 Network storm due to loopback ........................................................................................................ 321

Figure 9-10 Loop networking with STP ............................................................................................................. 322

Figure 9-11 Failure in forwarding VLAN packets due to RSTP ........................................................................ 323

Figure 9-12 STP networking .............................................................................................................................. 326

Figure 9-13 Basic concepts of the MSTI network
Figure 9-14 MSTI concepts
Figure 9-15 Networking with multiple spanning trees instances in MST region
Figure 9-16 MSTP networking
Figure 9-17 Loop detection networking
Figure 9-18 Loop detection networking
Figure 9-19 Principles of interface backup
Figure 9-20 Networking with interface backup in different VLANs
Figure 9-21 Interface backup networking
Figure 9-22 Interface isolation networking
Figure 9-23 L2CP topology
Figure 9-24 Single-hop BFD networking
Figure 10-1 Principles of SNMP
Figure 10-2 SNMPv3 authentication mechanism
Figure 10-3 SNMPv1/SNMPv2c networking
Figure 10-4 SNMPv3 and Trap networking
Figure 10-5 RMON networking
Figure 10-6 RMON networking
Figure 10-7 Structure of a LLDPDU
Figure 10-8 Structure of a TLV packet
Figure 10-9 LLDP networking
Figure 10-10 Principles of port mirroring
Figure 10-11 Port mirroring networking
Figure 10-12 Remote port mirroring networking
Figure 10-13 Networking of outputting system log to log host
Figure 10-14 Principles of PING
Figure 10-15 Principles of Trace
Figure 10-16 Chain topology with 2 member devices
Figure 10-17 Ring topology with 2 member devices
Figure 10-18 Chain topology with 2 devices for ISF
Figure 10-19 Direction connection mode of MAD
Figure 10-20 Proxy mode of MAD
Figure 10-21 ICMP-echo test networking

Figure 10-22 Flow for fast deployment with the USB flash disk

Tables

Table 2-1 Interface mode and packet processing
Table 4-1 Fields of a DHCP packet
Table 4-2 Fields of a DHCP packet
Table 5-1 Default mapping from the IEEE 802.1p ingress direction to local priority and color
Table 5-2 Default mapping from the IEEE 802.1p egress direction to local priority and color
Table 5-3 Default mapping from the DSCP ingress direction to local priority and color
Table 5-4 Default mapping from the DSCP egress direction to local priority and color
Table 10-1 TLV types
Table 10-2 IEEE 802.1 organization-defined TLVs
Table 10-3 IEEE 802.3 organization-defined TLVs
Table 10-4 Log levels

1 Basic configurations

This chapter describes basic configurations and configuration procedures of the device, and
provides related configuration examples, including the following sections:
• Accessing device
• Loading and upgrade
• Time management
• PTP
• Interface management

1.1 Accessing device


1.1.1 Introduction
The device can be configured and managed in Command Line Interface (CLI) mode or Web
mode.
The CLI can be reached in the following modes:
• Console mode: you must use Console mode for the first configuration. The Raisecom device
  supports Console interfaces of the RJ45, M12, Micro USB, and Mini-USB types.
• Telnet mode: the default IP address of the device is 192.168.0.1. To modify it, log in
  through the Console interface, enable the Telnet service on the device, configure the IP
  address, configure the user name and password, and then use the new IP address for remote
  Telnet configuration.
• SSH mode: before accessing the device through SSH, you need to log in to the device
  and start the SSH service through the Console interface.
When configuring the device in Web mode, you must first configure the IP address of the
VLAN interface through the CLI, and then configure the device through the NView NNM system.

1.1.2 Accessing through the Console interface

• The device supports the RJ45 Console interface.
• The device uses the black Console cable. If you are not sure, see the
  corresponding User Manual or Product Description for this device, or consult our
  technical personnel.
• The following sections take the RJ45 Console interface as an example.

Introduction
The Console interface is commonly used to connect the network device to a PC running a
terminal emulation program. You can use this interface to configure and manage local
devices. In this management mode, the PC and the device communicate independently of
the network, so it is called out-of-band management. You can also configure and manage
the device through the Console interface when the network fails.
In the following two conditions, you can only log in to the device and configure it through the
Console interface:
• The device is powered on to start for the first time.
• Accessing the device through Telnet fails.

Default configurations of the Console interface


Default configurations of the Console interface are as below.

Function              Default value
Transmission rate     115200 baud
Flow control mode     None
Authentication mode   No authentication
Stop bit              1
Data bit              8

Accessing device through Console interface


To access the device from a PC through the Console interface, connect the Console
interface to the RS-232 serial port of the PC, as shown in Figure 1-1. Then run a terminal
emulation program on the PC, such as Hyper Terminal in Microsoft Windows XP, configure
communication parameters as shown in Figure 1-2, and log in to the device.

Figure 1-1 Accessing device through PC connected with RJ45 Console interface

Figure 1-2 Configuring communication parameters in Hyper Terminal

By default, the baud rate of the serial interface is 115200.

Configuring the Console interface


Configure the Console interface for the device as below.

Step  Command                                                   Description
1     Raisecom#configure                                        Modify the baud rate of the serial interface.
      Raisecom(config)#line console
      Raisecom(config-line-console)#baudrate { 115200 | 9600 }

Configuring the password and authentication mode of the Console interface


Configure the password and authentication mode of the Console interface for the device as
below.

Step  Command                                             Description
1     Raisecom#configure                                  Configure the Console interface password.
      Raisecom(config)#line console password
2     Raisecom(config)#line console                       Configure the authentication mode of the Console interface.
      Raisecom(config-line-console)#login authentication  • Local: user name and password
        { aaa | local | password | none }                 • Password: Console interface password
                                                          • None: no authentication

Checking configurations
Use the following commands to check the configuration results.

No.  Command                                 Description
1    Raisecom#show line console information  Show configurations of the baud rate on the Console interface.

1.1.3 Accessing through Telnet

Introduction

By default, the management IP address of the device is 192.168.0.1, and the subnet mask is
255.255.255.0. To modify the IP address, log in to the device and configure it. Both
the default user name and password are raisecom. In Telnet connection status, if you
enter the password incorrectly three times, the Telnet connection is automatically
disconnected.
You can use a PC to log in to the device remotely through Telnet. You can first log in to one
device from the PC, and then Telnet from it to another device on the network, so you do not
need to connect a PC to each device.
If there is an SNMP interface on the device, use it to log in through Telnet. If there is not, use
any interface to enter the management VLAN, and log in through Telnet.
Telnet services provided by the device are as below:
• Telnet Server: run the Telnet client program on a PC to log in to the device, and then
  configure and manage it. As shown in Figure 1-3, the device provides the Telnet
  Server service in this case.

Figure 1-3 Networking with device as Telnet server

The maximum number of Telnet users supported by the device is 10.

• Telnet Client: after connecting to the device through a terminal emulation program or
  Telnet client program on a PC, you can Telnet from the device to other devices and
  configure/manage them. As shown in Figure 1-4, Switch A not only acts as Telnet server
  but also provides Telnet client service.

Figure 1-4 Networking with device as Telnet client

Default configurations of Telnet Server


Default configurations of Telnet Server are as below.

Function                              Default value
Telnet Server status                  Enable
Telnet Server listening port number   23
Interface enabled with Telnet Server  All interfaces
Maximum number of Telnet connections  10

When you configure the device through Telnet, do not modify the IP address
frequently; otherwise, the current Telnet connection may be disconnected. Then, you
have to re-establish the Telnet connection with the new IP address.

Configuring Telnet Server


Before accessing the device through Telnet, you need to log in to the device through the
Console interface and start the Telnet service. Perform the following configurations on the
device that needs to start the Telnet service.

Step  Command                                                                    Description
1     Raisecom#configure                                                         Enter global configuration mode.
2     Raisecom(config)#interface vlan vlan-id                                    Enter VLAN interface configuration mode or out-of-band network
      Raisecom(config)#interface ge 1/0/1                                        management interface configuration mode. Take VLAN interface
                                                                                 configuration mode for example.
3     Raisecom(config-vlan*)#ip address ip-address [ ip-mask ] [ sub ]           Configure the IP address of the device.
      Raisecom(config-vlan*)#ipv6 address ipv6-address/prefix-length [ eui-64 ]
      Raisecom(config-vlan*)#exit
4     Raisecom(config)#telnet server start                                       Enable Telnet Server.
5     Raisecom(config)#telnet server stop                                        Release the specified Telnet connection.
6     Raisecom(config)#telnet server start                                       Enable IPv4 Telnet Server.
7     Raisecom(config)#telnet-ipv6 server stop                                   Close the specified IPv6 Telnet connection.

Configuring the port number of the Telnet Server


The default port number of the Telnet Server is 23. Modify it on the device as below.

Step  Command                                                             Description
1     Raisecom#configure                                                  Enter global configuration mode.
2     Raisecom(config)#telnet server port { port-number | default }       Modify the port number of the Telnet IPv4 Server.
3     Raisecom(config)#telnet-ipv6 server start                           Enable IPv6 Telnet Server.
4     Raisecom(config)#telnet-ipv6 server port { port-number | default }  Modify the port number of the Telnet IPv6 Server.

Configuring Telnet Client


Configure Telnet Client on the device as below.

Step  Command                                                                      Description
1     Raisecom#telnet ipv4-address [ -p port-id | -s source-ipv4-address ] *       Log in to another device through Telnet.
      Raisecom#telnet-ipv6 ipv6-address [ -p port-id | -s source-ipv6-address ] *

Checking configurations
Use the following commands to check configuration results.

No.  Command                       Description
1    Raisecom#show running-config  Show configurations of Telnet Server.

1.1.4 Accessing through SSH

Introduction
Telnet lacks security authentication and transports messages over Transmission
Control Protocol (TCP), which poses a significant security risk. The Telnet service is
exposed to hostile attacks, such as Denial of Service (DoS), host IP spoofing, and routing spoofing.
Traditional Telnet and File Transfer Protocol (FTP) transmit passwords and data in plain
text, which cannot satisfy users' security demands. SSHv2 is a network security protocol
that uses data encryption to effectively prevent the disclosure of information in remote
management, and provides greater security for remote login and other network services in
a network environment.
SSHv2 exchanges data over TCP and establishes a secure channel on top of it.
SSHv2 also supports service ports other than the standard port 22, which helps avoid illegal
attacks from the network.
Before accessing the device through SSHv2, you must log in to the device through the
Console interface and start the SSH service.
The device supports password authentication and public key authentication.
• Password authentication: shares the same database with login authentication. The SSH
  client only needs to enter the user name and password to log in to the SSH server remotely.
  All transmitted data is encrypted, but this mode cannot prevent attacks from rogue
  servers.
• Public key authentication: the SSHv2 client is authenticated by the user name, password,
  and key. Before login, a key pair is generated on the client side, including a host public
  key and a host private key. The former is stored on the SSH server. The data used for
  authentication and transmission is encrypted, which prevents attacks from rogue servers.

Default configurations of SSHv2


Default configurations for accessing the device through SSHv2 are as below.

Function                     Default value
SSH server status            Disable
Local SSH key pair length    512 bits
Key renegotiation period     0h
SSH authentication method    password
SSH authentication timeout   600s
SSH snooping port number     22
SSH session status           Disable
SSH version                  v2
SSH security algorithm mode  Disable

Configuring the SSH server


Configure the SSH server for the device as below.

Step  Command                                 Description
1     Raisecom#configure                      Enter global configuration mode.
2     Raisecom(config)#ssh server start       Enable IPv4 SSH Server.
3     Raisecom(config)#ssh server stop        Disable IPv4 SSH Server.
4     Raisecom(config)#ssh-ipv6 server start  Enable IPv6 SSH Server.
5     Raisecom(config)#ssh-ipv6 server stop   Disable IPv6 SSH Server.

Checking configurations
Use the following commands to check the configuration results.

No.  Command                   Description
1    Raisecom#show ssh config  Show SSH configurations.

1.1.5 Accessing from Web

Introduction
To make the device easier to configure and maintain, it supports Web network management.
Users can use Web network management to manage and configure devices intuitively
in a graphical interface.
Web network management supports the following two text transmission protocols:
• Hypertext Transfer Protocol (HTTP): used to transmit information on Web pages on the
  network. After HTTP is enabled on the device, the user can log in to the device through
  HTTP, and access and control the device on the Web interface.
• Hypertext Transfer Protocol Secure (HTTPS): it uses the Secure Sockets Layer (SSL)
  protocol to ensure that legal clients can access the device in a secure mode. The data
  exchanged between the client and the device is encrypted to ensure the security
  and integrity of data transmission, so as to realize security management of the device.
After Web network management is enabled, remote users can log in to the device through a
Web browser and manage it. After Web network management is disabled, all established
HTTP/HTTPS connections are disconnected.

Default configurations of Web network management


Default configurations of Web network management are as below.

Function     Default value
HTTP status  Enable

Configuring Web network management


Configure Web network management for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#http server { start | stop }   Enable HTTP. Use the stop form of this command to disable this function.
3     Raisecom(config)#https server { start | stop }  Enable HTTPS. Use the stop form of this command to disable this function.

Checking configurations
Use the following commands to check the configuration results.

No.  Command                       Description
1    Raisecom#show running-config  Show configurations of the device.
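
The defaults and commands in sections 1.1.2 to 1.1.5 combine into a management-access posture. The following Python is an added example, not part of the Raisecom guide: it starts from the documented defaults, replays a change script built from commands in the tables above, and reports which access paths remain unauthenticated or in plain text. The change script is constructed, and HTTPS and the IPv6 servers start as unknown because this page states no default for them.

```python
import re

# Defaults from the "Default configurations" tables in sections 1.1.2 to 1.1.5.
# None means this page documents no default for that service.
# Section 1.1.10 says the Console default became password login from v7.01.50;
# pass a copy with console_auth="password" as `defaults` for such a release.
DEFAULTS = {
    "telnet": True,          # Telnet Server status: Enable
    "telnet-ipv6": None,
    "ssh": False,            # SSH server status: Disable
    "ssh-ipv6": None,
    "http": True,            # HTTP status: Enable
    "https": None,
    "console_auth": "none",  # Console authentication mode: No authentication
}

PROMPT = re.compile(r"^\S*[#>]\s*")  # strips e.g. "Raisecom(config)#"
SERVICE = re.compile(
    r"^(telnet|telnet-ipv6|ssh|ssh-ipv6|http|https) server (start|stop)$")
CONSOLE_AUTH = re.compile(r"^login authentication (aaa|local|password|none)$")


def effective_posture(commands, defaults=None):
    """Replay CLI commands over the defaults and return the resulting state."""
    state = dict(DEFAULTS if defaults is None else defaults)
    in_console = False  # True while inside "line console" configuration mode
    for raw in commands:
        cmd = " ".join(PROMPT.sub("", raw.strip(), count=1).split())
        if cmd == "line console":
            in_console = True
        elif cmd in ("exit", "end"):
            in_console = False
        elif (m := SERVICE.match(cmd)):
            state[m.group(1)] = m.group(2) == "start"
        elif in_console and (m := CONSOLE_AUTH.match(cmd)):
            state["console_auth"] = m.group(1)
    return state


def findings(state):
    """Map each weak access path to a short explanation."""
    out = {}
    for svc in ("telnet", "telnet-ipv6", "http"):
        if state[svc]:
            out[svc] = f"{svc} server is running: logins and data cross the network in plain text"
    if not (state["ssh"] or state["ssh-ipv6"]):
        out["ssh"] = "no SSH server started: there is no encrypted remote CLI"
    if state["console_auth"] == "none":
        out["console"] = "Console login authentication is none: anyone with serial access can log in"
    return out


# Constructed change script that uses only commands from the tables above.
# SSH is started before Telnet is stopped so that remote CLI access is not lost.
HARDENING = """\
Raisecom#configure
Raisecom(config)#ssh server start
Raisecom(config)#telnet server stop
Raisecom(config)#http server stop
Raisecom(config)#https server start
Raisecom(config)#line console
Raisecom(config-line-console)#login authentication local
""".splitlines()

if __name__ == "__main__":
    for label, script in (("documented defaults", []), ("after change script", HARDENING)):
        print(label)
        for key, msg in findings(effective_posture(script)).items():
            print(f"  [{key}] {msg}")
```
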

1.1.6 Managing users

Introduction
When you start the device for the first time, connect the PC to the device through the Console
interface, and enter the initial user name and password in HyperTerminal to log in and configure
the device.

By default, both the user name and password are raisecom.

If there is no privilege restriction, any remote user can log in to the device through Telnet or
access the network by establishing a Point to Point Protocol (PPP) connection when service
interfaces are configured with IP addresses. This is unsafe for the device and network. Creating
user accounts for the device and configuring passwords and privileges help manage login users
and ensure network and device security.

Default configurations of user management


Default configurations of user management are as below.

Function                                 Default value
Local user information                   • User name: raisecom
                                         • Password: raisecom
                                         • Privilege: 15
New user privilege                       15
New user activation status               Activate
New user service type                    Console, telnet, SSH, FTP, and HTTP
Password complexity                      3
User name complexity                     1
Maximum length of the user name          64
Maximum length of the password           64
Special characters supported by default  `~!@#$%^&*()_-+={}[]|\:;'<>",./

Configuring local user management


Configure local user management for the device as below.

Step  Command                                                               Description
1     Raisecom(config)#username user-name password                          Create or modify the user name and password for login.
        { cipher | ciphertext reversible-cipher | plain } password
        group { administrators | operators | users | guests }
        domain [ telnet | ssh | http | ftp | console | default | all ] ] *
2     Raisecom(config)#username user-name domain                            Modify the user group domain.
        [ telnet | ssh | http | ftp | console | default | all ] *
3     Raisecom(config)#username user-name group                             Modify the user group.
        { administrators | operators | users | guests }
4     Raisecom(config)#user password-complex { complex | default }          Configure the password complexity. By default, it is 3.
4     Raisecom(config)#user password-length { length | default }            Configure the minimum length of the password. By default, it is 8.
5     Raisecom(config)#user name-complex { complex | default }              Configure the user name complexity. By default, it is 1.
6     Raisecom(config)#user name-length { length | default }                Configure the length of the user name. By default, it is 1.
7     Raisecom(config)#username user-name                                   Configure the type of user locking to login-lock, which allows you to
        { login-lock | manual-lock | unlock }                               configure the login failure times and re-authentication interval.
        [ reauth-interval { interval | default } |
        fail-count { count | default } ] *
8     Raisecom#show user name user-name                                     Show information about the user.
9     Raisecom#user special-characters CHARLIST                             Configure the special characters that can be contained in the user name
                                                                            and password.

• Besides the default user, you can create up to 30 local user accounts.
• After configuring the type of user locking to login-lock, you can configure the login
  failure times and re-authentication interval. By default, the login failure times is 3,
  and the re-authentication interval is 10s. When the login failure times reaches the
  upper limit in the silence period, the device enters login locking status and cannot
  be logged in to. After the silence period expires, the locking is released. You can
  also use the unlock command to release the locking manually.
• If you manually lock login, the device is permanently locked from login,
  regardless of the login failure times and re-authentication interval. You can use the
  unlock command to release the locking manually.
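
The default password policy in this section (length 8 to 64, complexity 3, default special-character set) can be checked offline before a credential is pushed to a device. The following Python is an added example, not Raisecom code. It assumes that complexity counts character classes, as the first-login prompt in section 1.1.10 words it, and that characters outside the supported set are rejected. The candidate passwords are constructed, except raisecom, which is the documented default.

```python
import string

# "Special characters supported by default" from the user-management defaults table.
DEFAULT_SPECIALS = "`~!@#$%^&*()_-+={}[]|\\:;'<>\",./"


def classify(password, specials=DEFAULT_SPECIALS):
    """Return (character classes present, characters outside every class)."""
    classes, unsupported = set(), set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in specials:
            classes.add("special")
        else:
            unsupported.add(ch)
    return classes, unsupported


def check_password(password, min_len=8, max_len=64, min_classes=3,
                   specials=DEFAULT_SPECIALS):
    """Return the list of policy violations; an empty list means the password passes.

    min_len, max_len and min_classes default to the values documented above;
    `specials` can be replaced by a list set with "user special-characters".
    """
    problems = []
    if not min_len <= len(password) <= max_len:
        problems.append(f"length {len(password)} is outside {min_len}-{max_len}")
    classes, unsupported = classify(password, specials)
    if len(classes) < min_classes:
        problems.append(f"only {len(classes)} character class(es), need {min_classes}")
    if unsupported:
        problems.append("unsupported characters: " + "".join(sorted(unsupported)))
    return problems


# Constructed candidates; "raisecom" is the documented default password.
CANDIDATES = ["raisecom", "Raisecom1", "Rc-Switch#2024", "Passw0rd?", "Ab1!"]


def audit(candidates=CANDIDATES):
    """Check every candidate and return {password: [violations]}."""
    return {pw: check_password(pw) for pw in candidates}


if __name__ == "__main__":
    for pw, problems in audit().items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

The documented default password fails the default complexity of 3, while Raisecom1 passes it, so the policy is a floor and does not replace a check against predictable or vendor-derived passwords.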

1.1.7 Restoring the user password

Introduction
If you forget the password for logging in to the device, connect a PC to the Console interface
on the device. In the Hyper Terminal interface, enter the temporary password view, obtain the
temporary Serial Number (SN), and generate a temporary password according to the
temporary SN. After logging in to the device with the temporary password, you need to modify
the user password again.

The operation for restoring the password can be done on the Console terminal only.
On the login interface, press Ctrl+P to enter the temporary password view.
By default, restoring the temporary password is enabled.

Restoring the temporary password


Restore the temporary password for the device as below.

Step  Command                                                   Description
1     Press Ctrl+P                                              Press Ctrl+P on the login interface through the Console interface.
2     Raisecom(key)#get temporary-password-serial               Obtain the temporary password SN.
3     Raisecom(key)#check temporary-password password           Check the temporary password.
4     Raisecom(config)#temporary-password { enable | disable }  Enable or disable temporary password restoration.

1.1.8 Configuring terminal properties

Introduction
You can configure the properties of the Console, Telnet, and SSH terminals, such as the
timeout, page scrolling control, terminal color, case-sensitivity, and interaction mode.

Configuring terminal properties


Configure terminal properties for the device as below.

Step  Command                                                    Description
1     Raisecom(config)#terminal length { 0 | length | default }  Configure the number of lines to be scrolled per page on the screen.
                                                                 0: no page scrolling, but outputting all lines
                                                                 By default, the number is 24.
2     Raisecom(config)#terminal timeout { 0 | timeout }          Configure the terminal timeout.
                                                                 0: no timeout
                                                                 By default, the terminal timeout is 10 min.
3     Raisecom(config)#terminal monitor                          Enable or disable terminal monitoring.
      Raisecom(config)#no terminal monitor
4     Raisecom(config)#terminal mmi-mode { enable | disable }    Enable or disable MMI mode.
5     Raisecom(config)#case-sensitive { enable | disable }       Enable or disable case-sensitivity.

1.1.9 Configuring the BootROM password

Introduction
You can configure the BootROM password.

Configuring the BootROM password


Configure the BootROM password for the device as below.

Step  Command                                     Description
1     Raisecom(config)#bootrom password PASSWORD  Configure the BootROM password.
2     Raisecom(config)#no bootrom password        Clear the BootROM password.
3     Raisecom(config)#show bootrom password      Show the BootROM password.

1.1.10 Modifying the login mode (weak password loophole solution)

Introduction
The login mode has been modified since v7.01.50 to solve the weak password loophole problem:
• The default login mode for the Console interface is Console interface password, without
  a default user name.
• The first login in Telnet or Web mode (not supported by SSH) supports configuring
  users.

Login through the Console interface
The default login mode is serial interface login with password. After the system starts, it
prompts whether to configure the password for the serial interface.

INFO: the console password is empty.For security purpose,please set
password,Yes?(y/n)

• Type "n": enter the system without configuring the password. After the system is
  restarted, the prompt appears again.
• Type "y": configure the password for the serial interface, which is automatically saved
  and required at the next login.

Telnet/Web login
By default, there is no user account on the device. To remotely log in to the device, create a
user account first.

• Log in to the device through the Console interface. Create a user account (see the
  previous part).
• For the first login through Telnet/Web, create a user account directly according to the prompt.

First login means that there is no configuration file on the device and the device is
connected through the out-of-band management interface and its default IP address.

Telnet login

INFO:The device has no user,please create a new user now.
New password length must be 8-64 characters,password complexity must be
at least 3 classes(eg.uppercase,lowercase,digits,other special
characters...)
New username:

Web login

1.2 Loading and upgrade


1.2.1 Introduction

Loading
Traditionally, configuration files are loaded through the serial interface, which takes a long
time because of the low rate and cannot be done remotely. FTP and TFTP loading modes solve
those problems and make operation more convenient.
The device provides several methods to determine the configuration file name on the TFTP server,
such as manually entering it, obtaining it through DHCP, and using the default name of the
configuration file. You can also define naming conventions for configuration files;
the device then determines the name according to the naming conventions and its attributes
(device type, MAC address, software version, and so on).

Upgrade
The device needs to be upgraded if you want to add new features, optimize functions, or fix
bugs in the current software version.
The device supports the following upgrade mode:
• Upgrade through CLI

1.2.2 Upgrading system software through TFTP CLI


Before upgrading system software through CLI, you should establish a TFTP environment,
and use a PC as the TFTP server and the device as the client. Basic requirements are as below.
• Connect the Ethernet interface on the TFTP server to the interface on the device. The
  default IP address of the interface is 192.168.0.1.
• Configure the TFTP server, and ensure that the server is available.
• Configure the IP address of the TFTP server; keep it in the same network segment as
  that of the device so that the device can access the TFTP server.
Upgrade system software through CLI for the device as below.

Step  Command                                                            Description
1     Raisecom#{ tftp | tftp-ipv6 } get { ipv4-address | ipv6-address }  Download the system boot file through TFTP. This command supports the IPv6 address.
        remote-file-name [ localfile local-file-name ]
2     Raisecom#upgrade os [ localfile local-file-name ]                  Upgrade the system software.
3     Raisecom#reboot                                                    Restart the device.

1.2.3 Upgrading system software through FTP CLI


Before upgrading system software through CLI, you should establish an FTP environment,
and use a PC as the FTP server and the device as the client. Basic requirements are as below.
• Connect the Ethernet interface on the FTP server to the interface on the device. The
  default IP address of the interface is 192.168.0.1.
• Configure the FTP server, and ensure that the server is available.
• Configure the IP address of the FTP server; keep it in the same network segment as
  that of the device so that the device can access the FTP server.
Upgrade system software through CLI for the device as below.

Step  Command                                                          Description
1     Raisecom#{ ftp | ftp-ipv6 } get { ipv4-address | ipv6-address }  Download the system boot file through FTP. This command supports the IPv6 address.
        user-name user-password remote-file-name
        [ localfile local-file-name ]
2     Raisecom#upgrade os [ localfile local-file-name ]                Upgrade the system software.
3     Raisecom#reboot                                                  Restart the device.

1.2.4 Specifying the startup OS


Specify the startup OS for the device as below.

Step  Command                            Description
1     Raisecom#boot os { main | bckup }  Specify the main image or backup image as the startup OS.
                                         This configuration takes effect on the next startup, and can be
                                         performed only when the device supports dual systems.
                                         By default, the system starts with the main image.

1.2.5 Showing the system version


Show the system version for the device as below.

Step  Command                                 Description
1     Raisecom#show os-package                Show information about the system version, including the
                                              versions of the main image and backup image, version size,
                                              and compiled time.

1.2.6 Checking configurations


Use the following commands to check configuration results.

No.   Command                                 Description
1     Raisecom#show startup-config            Show information about the startup configuration file.
2     Raisecom#show running-config            Show information about the running configuration file.
3     Raisecom#show version                   Show the system version.

1.3 Time management


1.3.1 Introduction
As the Internet develops and extends into all areas, many time-dependent applications
need accurate and reliable time, such as online real-time transactions, distributed network
computing and processing, transport and flight management, and data management.
To ensure precise system time, the device provides complete time management functions,
including manually configuring system time and time zone, manually configuring Daylight
Saving Time (DST), Network Time Protocol (NTP), and Simple Network Time Protocol
(SNTP).

Time and time zone


The device time is usually configured to the local time of the device while the time zone is
configured to the local time zone based on Greenwich Mean Time (GMT) (for example,
Beijing, China is in the eighth time zone east of GMT, so its time zone is configured to
+08:00).
The device supports displaying time in the format of "year-month-day hour:minute:second"
and offset of the time zone. You can manually configure the time and time zone of the device.

DST
DST is an artificially regulated local time system for saving energy. Time is usually
advanced one hour in summer so that people sleep early and rise early to save energy, but
different countries have different stipulations for DST. Therefore, you should consider local
conditions when configuring DST.
The device supports configuring the start time, end time, and offset of DST.

NTP
Network Time Protocol (NTP) is a standard Internet protocol for time synchronization, used
to synchronize time between the distributed time servers and clients. NTP transmits data
based on UDP, using UDP port 123 and guaranteeing high precision (error around 10ms).
Figure 1-5 shows basic principles of NTP. Clock synchronization works as below:
Step 1 Switch A sends Switch B an NTP message which carries the timestamp of leaving Switch A.
The timestamp is 10:00:00am and recorded as t1.
Step 2 When the message reaches Switch B, the timestamp of reaching Switch B is added to it.
The timestamp is 11:00:01am and recorded as t2.
Step 3 When the message leaves Switch B, the timestamp of leaving Switch B is added to it.
The timestamp is 11:00:02am and recorded as t3.
Step 4 When Switch A receives the response message, it adds a new timestamp, which is 11:00:03am
and recorded as t4.
At present, Switch A has enough information to calculate two important parameters:
• Round-trip delay of the NTP message: delay = (t4 - t1) - (t3 - t2)
• Time offset between Switch A and Switch B: offset = ((t2 - t1) + (t3 - t4))/2
Switch A configures its clock based on the previous two parameters to synchronize its clock
with Switch B.

Figure 1-5 Basic principles of NTP

The device adopts multiple NTP working modes for time synchronization:
• Client/Server mode
In this mode, the client sends clock synchronization messages to different servers. After
receiving the synchronization message, the server sends the response message. The client
receives response messages, performs clock filtering and selection, and is synchronized to the
preferred server.
In this mode, the client can be synchronized to the server time only but the server cannot be
synchronized to the client time. The device cannot work as both a client and a server.
• Symmetric mode
In this mode, you can configure the device to be synchronized to a higher-stratum device or
server.
The device configured as the NTP server cannot be configured with the symmetric mode.

SNTP
Simple Network Time Protocol (SNTP) is used to synchronize the system time of the device
to the GMT and translate the GMT to local time according to the system settings of time zone.
When the SNTP client and server are in different time zones, the time of the SNTP client is
synchronized to the GMT and then translated into the local time according to system settings
of time zone.
The SNTP client obtains time in two modes: actively sending a request packet or passively
monitoring the packet. They are implemented as below:
• Unicast mode: the SNTP client actively sends a request packet. After being configured
with the IP address of the SNTP unicast server, the device tries to obtain clock signals
every 10s from the SNTP server. The maximum timeout for obtaining clock signals from
the SNTP server is 3s.
• Multicast or broadcast mode: the SNTP client passively monitors the packet.
– After being configured to multicast mode, the device monitors the multicast IP
address of 224.0.1.1 in real time and obtains clock signals from the SNTP multicast
server. The maximum timeout for obtaining clock signals from the SNTP server is
1.5 times the server sending period.
– After being configured to broadcast mode, the device monitors the broadcast IP
address of 255.255.255.255 in real time and obtains clock signals from the SNTP
broadcast server. The maximum timeout for obtaining clock signals from the SNTP
server is 1.5 times the server sending period.

1.3.2 Preparing for configurations

Scenario
Configure the system time of the device, and guarantee precision of the system time.
• The time and time zone that are manually configured take effect immediately.
• After NTP or SNTP is enabled, the synchronized time will override the current system
time after a synchronization period.
• NTP and SNTP are mutually exclusive, so they cannot be concurrently configured.

Prerequisite
N/A

1.3.3 Default configurations

NTP
Default configurations of NTP are as below.

Function                                    Default value
Whether the device is NTP master clock      No
Global NTP server                           Inexistent
Global NTP equity                           Inexistent
Reference clock source                      0.0.0.0
Identity authentication                     Disable
Identity authentication key ID              Untrusted
Trusted key                                 N/A

SNTP
Default configurations of SNTP are as below.

Function                                    Default value
IP address of the SNTP server               N/A

1.3.4 Configuring NTP

Configuring basic functions of NTP


Configure NTP for the device as below.

Step  Command                                 Description
1     Raisecom#configure                      Enter global configuration mode.
2     Raisecom(config)#ntp client             Configure the update interval of the NTP client.
      update-interval                         interval: update interval, ranging from 3s to 17s
      { interval | default }                  By default, it is 6s.
3     Raisecom(config)#ntp server             Configure the broadcast interval of the NTP server.
      broadcast-interval                      interval: broadcast interval, ranging from 3s to 17s
      { interval | default }                  By default, it is 6s.
4     Raisecom(config)#ntp master             Configure the master clock.
5     Raisecom(config)#ntp stratum value      Configure the stratum of the system clock.
                                              value: stratum value, ranging from 1 to 16
                                              By default, it is 16.
6     Raisecom(config)#ntp unicast-peer       Configure the specified IPv4 peer.
      peer-ipv4 { version version-id |        • peer-ipv4: peer IPv4 address
      authentication-keyid key-value |        • version-id: NTP version
      port port-id }                          • key-value: authentication key index in use
                                              • port-id: UDP port number in use
7     Raisecom(config)#ntp unicast-server     Configure the specified IPv4 server.
      server-ipv4 { version version-id |      • server-ipv4: server IPv4 address
      authentication-keyid key-value |        • version-id: NTP version
      port port-id }                          • key-value: authentication key index in use
                                              • port-id: UDP port number in use

If the device is configured as the NTP reference clock source, it cannot be configured
as the NTP server or NTP symmetric peer; if the device is configured as the NTP
server or symmetric peer, it cannot be configured as the NTP reference clock source.

Configuring NTP identity authentication


A network with high security requirements requires identity authentication when NTP is
used. After identity authentication is enabled, an NTP client synchronizes only with an NTP
server that passes identity authentication, thus guaranteeing network security. The NTP
client can authenticate the NTP server only after identity authentication is enabled on the
client. If identity authentication is disabled on the client, it synchronizes time with the NTP
server directly without authentication, regardless of whether the NTP server carries key
information.
Configure NTP identity authentication for the device as below.

Step  Command                                 Description
1     Raisecom#configure                      Enter global configuration mode.
2     Raisecom(config)#ntp authentication     (Optional) enable global NTP authentication.
      { enable | disable }                    • enable: enabled
                                              • disable: disabled
3     Raisecom(config)#ntp                    (Optional) add the NTP authentication key.
      authentication-keyid key-value md5 key  • key-value: key index
      { cipher | plain } string               • cipher: cipher text
                                              • plain: plaintext
                                              • string: key string
4     Raisecom(config)#ntp trusted-keyid      (Optional) specify the created key as trusted.
      key-value                               • key-value: key index
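How a client applies the authentication rule above and then the delay and offset formulas from the NTP introduction, as an added example rather than Raisecom's implementation. It assumes the standard NTP symmetric-key layout (48-byte header, 4-byte key ID, MD5 digest of the key followed by the header), which this guide does not spell out for the device; all keys, function names, and timestamps are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # fixed NTP header
MAC_LEN = 4 + 16       # 4-byte key ID + 16-byte MD5 digest


def ts_pack(seconds):
    """Encode whole seconds as a 64-bit NTP timestamp (fraction set to 0)."""
    return struct.pack("!II", seconds, 0)


def ts_unpack(raw):
    """Decode a 64-bit NTP timestamp into seconds."""
    whole, frac = struct.unpack("!II", raw)
    return whole + frac / 2**32


def build_reply(t1, t2, t3, stratum=2):
    """Constructed server reply header: version 4, mode 4 (server)."""
    header = struct.pack("!BBbb", (4 << 3) | 4, stratum, 6, -20)
    header += bytes(12)                                # root delay, root dispersion, reference ID
    header += ts_pack(t2)                              # reference timestamp
    header += ts_pack(t1) + ts_pack(t2) + ts_pack(t3)  # origin (t1), receive (t2), transmit (t3)
    return header


def sign(header, key_id, key):
    """Append the MAC: key ID, then MD5 over the key followed by the header."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def accept(packet, keys, trusted_ids, auth_enabled):
    """Return the header if the client may synchronize to this reply, else None."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(header) != HEADER_LEN:
        return None
    if not auth_enabled:
        return header      # authentication disabled: key information is ignored
    if len(mac) != MAC_LEN:
        return None        # reply carries no MAC
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys or key_id not in trusted_ids:
        return None        # unknown key, or key not marked as trusted
    expected = hashlib.md5(keys[key_id] + header).digest()
    return header if hmac.compare_digest(expected, mac[4:]) else None


def offset_and_delay(header, t4):
    """Apply the guide's formulas to t1..t3 from the header and the local t4."""
    t1, t2, t3 = (ts_unpack(header[i:i + 8]) for i in (24, 32, 40))
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay


# Constructed sample data: key 1 is trusted, key 2 is configured but not trusted.
KEYS = {1: b"constructed-key-1", 2: b"constructed-key-2"}
TRUSTED = {1}
# t1 and t4 are read on the client clock, t2 and t3 on the server clock
# (server 3600 s ahead, 1 s transit each way, 1 s processing on the server).
BASE = 3_900_000_000
T1, T2, T3, T4 = BASE, BASE + 3601, BASE + 3602, BASE + 3

if __name__ == "__main__":
    reply = sign(build_reply(T1, T2, T3), 1, KEYS[1])
    header = accept(reply, KEYS, TRUSTED, auth_enabled=True)
    print("accepted:", header is not None)
    print("offset, delay:", offset_and_delay(header, T4))
```

With authentication disabled, `accept` returns the header even for a reply whose digest does not verify, which is the behaviour the paragraph above describes for a client without identity authentication.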

1.3.5 Checking configurations


Use the following commands to check configuration results.

No.   Command                                 Description
1     Raisecom#show ntp information           Show local information about NTP.
2     Raisecom#show ntp peer                  Show peer information about NTP.
3     Raisecom#show ntp key                   Show key information about NTP.
4     Raisecom#show ntp session               Show session information about NTP.

1.3.6 Example for configuring NTP

Networking requirements
Establish a clock synchronization system in a company to keep consistency and precision of
the system time. Basic planning is as below:
• Configure Switch A as the master clock source of the clock synchronization system.
• Configure Switch B as the client of the clock synchronization system. Configure the
upper-layer Switch A as the NTP server.
• Configure Switch C as the NTP entity of Switch B so that Switch C receives downlink
synchronization data from Switch B.

Figure 1-6 NTP networking

Configuration steps
Step 1 Configure Switch A.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#ntp master
SwitchA(config-ntp)#stratum 2

Step 2 Configure Switch B.

Raisecom#hostname SwitchB
SwitchB#config
SwitchB(config)#ntp unicast-server 172.16.0.1
SwitchB(config)#ntp unicast-peer 172.16.0.3
SwitchB(config-ntp)#stratum 3

Step 3 Configure Switch C.

Raisecom#hostname SwitchC
SwitchC#config
SwitchC(config)#ntp unicast-peer 172.16.0.2
SwitchC(config-ntp)#stratum 4

Checking results
• Check Switch A.
Use the show ntp config command to view configurations of Switch A.

SwitchA#show ntp config

• Check Switch B.
Use the show ntp config command to view configurations of Switch B.

SwitchB#show ntp config

Use the show ntp session command to view information about NTP sessions of Switch B.

SwitchB#show ntp session

• Check Switch C.
Use the show ntp config command to view configurations of Switch C.

Raisecom#show ntp config

Use the show ntp session command to view information about NTP sessions of Switch C.

Raisecom#show ntp session

1.4 PTP
1.4.1 Introduction
On modern communication networks, the normal operation of most telecommunication
services requires that the frequency or time differences among all network devices be
maintained within a reasonable level of error, namely, network clock synchronization.
Network clock synchronization includes two concepts: frequency synchronization and phase
synchronization.

Frequency synchronization
Frequency synchronization, also called clock synchronization, refers to the condition where
the frequency of signals remains consistent but the phase is inconsistent with a certain phase
difference. The average rate of the signals is consistent, which can keep all devices on the
network running at the same rate.

Phase synchronization
Phase synchronization, also called time synchronization, refers to the condition where both
the frequency and phase of signals remain consistent. In other words, the phase difference of
the signals is permanently zero.

IEEE1588V2
The full name of IEEE1588 is Precision Clock Synchronization Protocol Standard for
Network Measurement and Control Systems, which is a universal specification for improving
the timing synchronization capability of network systems. During the drafting process,
IEEE1588 mainly refers to Ethernet to develop a distributed communication network with
strict timing synchronization, and is applied to industrial automation systems. IEEE1588
mainly records the sending time and receiving time of synchronous clock information through
software and hardware coordination, and adds time labels to each message. With time records,
the receiver can calculate its own clock error and delay on the network, thus implementing
synchronization between the internal clock of the slave device and the master clock of the
master device on the network. The synchronization establishment time can reach nanosecond
level accuracy. Compared with the delay time of 1ms on Ethernet that does not support
IEEE1588, IEEE1588 has greatly improved the timing synchronization index of the entire
network.
The initial IEEE1588 standard was mainly developed for LAN multicast environments (such
as Ethernet), and its application is limited in the complex environment of
telecommunications networks. Therefore, IEEE began developing a new version of IEEE1588,
also known as IEEE1588v2, in 2005. The main feature of this version is opening the
application interface of IEEE1588, which allows other standard organizations (such as ITU-T
and IETF) to define application parameters, namely, different PTP profiles, such as Telecom
Profile. In March 2008, the IEEE Standards Committee approved v2 of the IEEE1588
standard (1588v2). IEEE1588v2 can provide time synchronization with accuracy better than
1ns, fully meeting future applications in fields such as telecommunications, industrial control,
and artificial intelligence (AI).

PTP domain
The network that applies PTP is called the PTP domain. A network can contain multiple PTP
domains, each with only one clock source. All devices in the domain are synchronized with
that clock source. Each PTP domain has its own synchronization time, and the domains are
independent of each other.

Clock nodes
• Ordinary clock (OC) node
In the same PTP domain, the node with only one physical interface participating in PTP time
synchronization is called the OC. The device synchronizes time from upstream nodes or
advertises time to downstream nodes through this interface.
• Boundary clock (BC) node
In the same PTP domain, the node with two or more physical interfaces participating in PTP
time synchronization is called the BC. The device synchronizes time from upstream nodes
through one interface and advertises time to downstream nodes through other interfaces.
In addition, when the clock node serves as the clock source and simultaneously releases time
to downstream clock nodes through multiple PTP interfaces, it is also known as a BC.
• Transparent Clock (TC)
The TC node has multiple PTP interfaces, but it only forwards PTP packets between these
interfaces and performs forwarding delay correction on them, without synchronizing time
through any interface. The BC/OC node needs to synchronize time with other clock nodes
while the TC node does not. TC includes the following two types:
– End to End Transparent Clock (E2ETC): directly forward non Peer to Peer (non-P2P)
PTP packets on the network, and participate in calculating the delay of the entire link.
– Peer to Peer Transparent Clock (P2PTC): forward Sync packets, Follow_Up packets,
and Announcement packets, terminate other PTP packets, and participate in
calculating the delay of each segment of the entire link.

Master-slave relation
The node devices in the PTP domain synchronize time according to a certain master-slave
relation. The master-slave relation is relative: the node device that advertises time is called the
master node while the node device that synchronizes time is called the slave node; the clock
on the master node is called the master clock while the clock on the slave node is called the
slave clock; the interface that advertises the synchronization time is called the master interface
while the interface that receives the synchronization time is called the slave interface.
A device can both synchronize time from upstream node devices and advertise time to
downstream node devices.

Optimal clock
All clock nodes in the PTP domain are organized in a certain stratum. The reference clock for
the entire domain is the optimal clock, the Grandmaster Clock (GMC), which is the clock at
the highest stratum. Through the exchange of 1588v2 packets between clock nodes, the time of
the optimal clock is synchronized throughout the entire PTP domain, so the optimal clock is
also known as the clock source of the PTP domain. The optimal clock can be statically
specified through manual configuration or dynamically elected through the Best Master Clock
(BMC) algorithm.

Selecting the clock source


The device supports two methods: static source selection and BMC source selection:
• Static source selection: select the specified clock source as the main clock source of the
device through manual configuration.
• BMC source selection: dynamically select the optimal master clock on the network
through the BMC algorithm to ensure the clock accuracy of the device.

Delay mechanism
The device supports the E2E delay mechanism and P2P delay mechanism, used to calculate
the delay at both ends of the link.

1.4.2 Default configurations


Function                                    Default value
Global PTP                                  Disable
Interface PTP                               Disable
Clock node type                             E2ETC
Form of sending packets by the interface    Multicast
Interval for sending Announce packets       2s
Interval for sending Sync packets           1s

1.4.3 Configuring global attributes


Step  Command                                 Description
1     Raisecom(config)#ptp start              Enable PTP.
2     Raisecom(config)#ptp device-type type   Configure the device type.

1.4.4 Configuring interface attributes


Step  Command                                 Description
1     Raisecom#config                         Enter global configuration mode.
2     Raisecom(config)#interface              Enter physical interface configuration mode.
      interface-type interface-number
3     Raisecom(config-ge-1/0/1)#ptp enable    Enable interface PTP.
4     Raisecom(config-ge-1/0/1)#ptp           Configure the mode for sending packets.
      cast-mode { multicast | unicast }
5     Raisecom(config-ge-1/0/1)#ptp           Configure the asymmetric delay correction time for
      delay-asymmetry delay                   the interface to send packets.
6     Raisecom(config-ge-1/0/1)#ptp           Configure the transmission protocol of interface PTP.
      transport-protocol { ipv4 | ipv6 |
      ethernet | default }
7     Raisecom(config-ge-1/0/1)#ptp           Configure the mode for encapsulating packets sent by
      mac-egress dst-mac mac-address          the interface to MAC encapsulation.
8     Raisecom(config-ge-1/0/1)#ptp           Configure the mode for encapsulating packets sent by
      udp-egress source-ip ip-address         the interface to UDP encapsulation.

1.5 Interface management


1.5.1 Introduction

Ethernet interface
Ethernet is a very important LAN networking technology which is flexible, simple, and easy
to implement. The Ethernet interface includes the Ethernet electrical interface and Ethernet
optical interface.
The device supports both Ethernet electrical and optical interfaces.
• Auto-negotiation
Auto-negotiation is used to make the devices at both ends of a physical link automatically
choose the same working parameters by exchanging information. The auto-negotiation
parameters include duplex mode, interface rate, and flow control. Once successful in
negotiation, the devices at both ends of the link can work in the same duplex mode and
interface rate.
• Cable connection
Generally, the Ethernet cable can be categorized as the Medium Dependent Interface (MDI)
cable and Medium Dependent Interface crossover (MDI-X) cable. MDI provides physical and
electrical connection from terminal to network relay device while MDI-X provides connection
between devices of the same type (terminal to terminal). Hosts and routers use MDI cables
while hubs and switches use MDI-X interfaces. Usually, the connection of different devices
should use the MDI cable while devices of the same type should use the MDI-X cable.
Devices in auto-negotiation mode can be connected by the MDI or MDI-X cable.
The Ethernet cable of the device supports auto-MDI/MDIX.

VLAN interface
The VLAN interface is a logical interface and is used to implement layer 3 interconnection
between VLANs. Each VLAN corresponds to a VLAN interface. After being configured with
an IP address, the VLAN interface can work as the gateway of devices inside the VLAN, and
forward layer 3 packets based on IP address across network segments.

Loopback interface
The Loopback interface is a logical virtual interface. Its physical layer status and link layer
status are Up, so it is stable and can be configured with the IP address. It is usually used in
dynamic routing protocol as the router ID of the device.

Null interface
The Null interface is a logical virtual interface that is always Up, but it cannot forward
packets or be configured with an IP address or link layer protocol. It can filter packets, so
you can send unneeded network traffic to it to avoid the complex operations of configuring
an ACL. For example, if you specify the next hop for reaching a network segment as the Null
interface in a network protocol, the Null interface will discard all data packets sent to the
network segment.

1.5.2 Default configurations of interface management


Default configurations of interface management are as below.

Function                                    Default value
Duplex mode of interface                    Auto-negotiation
Interface rate                              Auto-negotiation
Interface rate statistics status            Disable
Interface flow control status               Disable
Interface status                            Enable

1.5.3 Configuring basic attributes of interfaces


The interconnected devices cannot communicate normally if their interface attributes (such as
MTU, duplex mode, and rate) are inconsistent, and then you have to adjust the interface
attributes to make the devices at both ends match each other.
The Ethernet physical layer works in three modes as below:

• Half duplex: devices can either receive or send messages at a given time.
• Full duplex: devices can receive and send messages concurrently.
• Auto-negotiation: devices can automatically choose duplex mode by exchanging
information. Once successful in negotiation, the devices at both ends of the link can
work in the same duplex mode, interface rate, and flow control mode.
Configure the basic attributes of interface for the device as below.

Step  Command                                 Description
1     Raisecom#configure                      Enter global configuration mode.
2     Raisecom(config)#interface              Enter physical interface configuration mode.
      interface-type interface-number
3     Raisecom(config-ge-1/0/*)#description   Configure the description of the interface.
      string
4     Raisecom(config-ge-1/0/*)#mtu           Configure the MTU of the interface.
      max-frame-length
5     Raisecom(config-ge-1/0/*)#negotiation   Enable or disable interface auto-negotiation.
      auto { enable | disable }
6     Raisecom(config-ge-1/0/*)#duplex        Configure the duplex mode of the interface.
      { full | half | default }
7     Raisecom(config-ge-1/0/*)#speed         Configure the interface rate.
      { 10 | 100 | 1000 | default }
8     Raisecom(config-ge-1/0/*)#transceiver   Configure the connection mode of the SFP interface.
      type { 1000BASE-T | 1000BASE-X |
      100GBASE-COPPER | 100GBASE-FIBER |
      10GBASE-COPPER | 10GBASE-FIBER }
9     Raisecom(config-ge-1/0/*)#port          Configure the delayed time for processing when the
      up-hold-time delay-time-value           interface status becomes Up.
10    Raisecom(config-ge-1/0/*)#port          Configure the delayed time for processing when the
      down-hold-time delay-time-value         interface status becomes Down.

1.5.4 Configuring interface rate statistics


Configure interface rate statistics for the device as below.

Step  Command                                 Description
1     Raisecom#configure                      Enter global configuration mode.
2     Raisecom(config)#flow-statistic         Configure the period for information statistics on all
      interval time-value                     interfaces.
                                              This command takes effect on all interfaces. You can
                                              also configure the period for the specific interface to
                                              override the period for all interfaces.
3     Raisecom(config)#interface              Enter physical interface configuration mode.
      interface-type interface-number
4     Raisecom(config-ge-1/0/*)#port          Configure the period for information statistics on the
      flow-statistic interval time-value      interface.
                                              This command can override the configuration of the
                                              period for all interfaces.
5     Raisecom(config-ge-1/0/*)#reset         Clear interface statistics.
      statistics

1.5.5 Configuring flow control on interfaces


IEEE 802.3x is a flow control method for full duplex on the Ethernet data link layer. When
the client sends a request to the server, it will send the PAUSE frame to the server if there is
system or network congestion. The PAUSE frame then delays data transmission from the
server to the client.
Configure flow control on interfaces for the device as below.

Step  Command                                 Description
1     Raisecom#configure                      Enter global configuration mode.
2     Raisecom(config)#interface              Enter physical interface configuration mode.
      interface-type interface-number
3     Raisecom(config-ge-1/0/*)#flow-control  Configure flow control on the interface.
      { enable | disable }
4     Raisecom#show interface                 Show detailed information about the interface and the
      interface-type interface-number         status of flow control.

1.5.6 Shutting down/Restarting the interface


Shut down/Restart the interface for the device as below.

Step  Command                                 Description
1     Raisecom#configure                      Enter global configuration mode.
2     Raisecom(config)#interface              Enter physical interface configuration mode, VLAN
      interface-type interface-number         interface configuration mode, or link aggregation
                                              configuration mode.
3     Raisecom(config-ge-1/0/*)#shutdown      Shut down the current interface.
                                              Use the no shutdown command to re-enable the
                                              disabled interface.

1.5.7 Configuring the type of tagged packets allowed to pass by the interface

Configure the type of tagged packets allowed to pass by the interface for the device as below.

Step  Command                                       Description
1     Raisecom#config                               Enter global configuration mode.
2     Raisecom(config)#interface                    Enter physical interface configuration mode or
      interface-type interface-number               link aggregation interface configuration mode.
3     Raisecom(config-ge-1/0/1)#accept-frame-type   Configure the type of tagged packets allowed to
      { all | only-tagged }                         pass by the interface.
                                                    • all: configure the interface to allow all tagged
                                                      and untagged packets to pass.
                                                    • only-tagged: configure the interface to allow
                                                      only tagged packets to pass.
                                                    By default, it is all.

1.5.8 Showing the priority of management packets


Show the priority of management packets for the device as below.

Step  Command                                       Description
1     Raisecom#configure                            Enter global configuration mode.
2     Raisecom(config)#interface vlan vlan-id       Enter VLAN interface configuration mode.
3     Raisecom(config-vlanif-*)#packet-priority     Configure the priority of management packets.
      8021p value
4     Raisecom(config-vlanif-*)#no                  Restore the default priority of management
      packet-priority 8021p                         packets.

1.5.9 Showing the priority of management packets


Show the priority of management packets for the device as below.

Step  Command                                 Description
1     Raisecom#show interface                 Enter global configuration mode.
      interface-type interface-number
2     Raisecom#show interface ethernet        Show statistics on all Ethernet interfaces.
      [ statistics ]
3     Raisecom#show interface vlan            Show statistics on all VLAN interfaces.
      [ statistics ]

1.5.10 Checking configurations


Use the following commands to check configuration results.

No.   Command                                 Description
1     Raisecom#show interface                 Show brief information about the interface list.
2     Raisecom#show interface verbose         Show detailed information about the interface list.
3     Raisecom#show interface                 Show detailed information about the specific
      interface-type interface-number         interface.
4     Raisecom#show interface                 Show configurations of the interface.
      interface-type interface-number config

2 Ethernet

This chapter describes basic principles and configuration procedures for Ethernet, and
provides related configuration examples, including the following sections:
• MAC address table
• VLAN
• Voice VLAN
• QinQ
• VLAN mapping
• MRP/VRP

2.1 MAC address table


2.1.1 Introduction
The MAC address table records mappings between MAC addresses and interfaces. It is the
basis for an Ethernet device to forward packets. When the Ethernet device forwards packets
on Layer 2, it searches the MAC address table for the forwarding interface, implements
expedited forwarding of packets, and reduces broadcast traffic.
The MAC address table contains the following information:
• Destination MAC address
• Destination MAC address related interface ID
• Interface VLAN ID
• Flag bits
The device supports showing MAC address information by device, interface, or VLAN.

Forwarding modes of MAC addresses


When forwarding packets, based on the information about MAC addresses, the device adopts
the following modes:
• Unicast: when a MAC address entry related to the destination MAC address of a packet
is listed in the MAC address table, the device forwards the packet directly to the
receiving interface through the egress interface of the MAC address entry. If the entry is
not listed, the device broadcasts the packet to all interfaces except the receiving interface,
as shown in Figure 2-1.

Figure 2-1 Forwarding packets according to the MAC address table

• Multicast: when the device receives a packet of which the destination MAC address is a
multicast address, it will broadcast the packet. If multicast is enabled and storm control
over unknown packets is also enabled, the packet will be sent to the specified Report
interface. If no Report interface is specified, the packet will be discarded.
• Broadcast: when the device receives an all-F packet, or the MAC address is not listed in
the MAC address table, the device forwards the packet to all interfaces except the
interface that receives this packet. Broadcast addresses are special multicast addresses.

Classification of MAC addresses


Entries in the MAC address table are classified into static address entries and dynamic
address entries.
• Static MAC address entry: also called a permanent address. It is added and removed by
the user manually and is not aged with time. For a network where devices seldom
change, adding static address entries manually can reduce the network broadcast flow,
improve the security of the interface, and prevent entries from being lost after the
system is reset.
• Dynamic MAC address entry: the device can add dynamic MAC address entries through
MAC address learning. The entries are aged according to the configured aging time, and
will be empty after the system is reset.

Aging time of MAC addresses


There is a limit on the capacity of the MAC address table on the device. To maximize the use of
the MAC address table, the device uses the aging mechanism to update the MAC address
table. For example, when the device creates a dynamic entry, it starts the aging timer. If it
does not receive packets from the MAC address in the entry during the aging time, the device
will delete the entry.
The device supports automatic aging of MAC addresses. The aging time ranges from 60s to
1000000s and can be 0. The value 0 indicates no aging.

The aging mechanism takes effect on dynamic MAC addresses.

Forwarding policies of MAC addresses


The MAC address table has two forwarding policies:
When receiving packets on an interface, the device searches the MAC address table for the
interface related to the destination MAC address of packets.
• If it is successful, and the interface corresponding to the destination MAC address is
different from the ingress interface, it forwards packets, and records the source MAC
addresses of packets, interface ID of ingress packets, and VLAN ID in the MAC address
table. If packets from other interfaces are sent to the MAC address, the device can send
them to the related interface.
• If it fails, it broadcasts packets to all interfaces except the source interface, and records
the source MAC address in the MAC address table.

MAC address limit


The MAC address limit restricts the number of MAC addresses in the MAC address table. It
keeps an overly large MAC address table from lengthening the search time for forwarding
entries and degrading the forwarding performance of the Ethernet switch, and it is an
effective way to manage the MAC address table.
The MAC address limit improves the speed of forwarding packets.
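
The learning, aging, static-entry, and limit behaviour described in this section can be modelled in a few lines. The following Python model is an added example, not Raisecom code: it shows what happens to forwarding when one interface presents many source MAC addresses, with and without an interface-based limit. The table capacity of 8, the source addresses, and the rule that over-limit sources are simply not learned are assumptions made for the illustration.

```python
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float


class MacTable:
    """(VLAN, MAC) -> Entry, with aging, a table capacity and per-interface limits."""

    def __init__(self, aging_time=300, capacity=8, limits=None):
        self.aging_time = aging_time       # seconds; 0 means no aging (default 300s)
        self.capacity = capacity           # constructed, deliberately tiny table size
        self.limits = dict(limits or {})   # interface -> max learned entries
        self.entries = {}

    def add_static(self, vlan, mac, port):
        # Static entries are added by the user and never age out.
        self.entries[(vlan, mac)] = Entry(port, True, 0.0)

    def dynamic_count(self, port):
        return sum(1 for e in self.entries.values()
                   if not e.static and e.port == port)

    def age(self, now):
        """Delete dynamic entries that were not refreshed within the aging time."""
        if self.aging_time == 0:
            return
        for key in [k for k, e in self.entries.items()
                    if not e.static and now - e.last_seen >= self.aging_time]:
            del self.entries[key]

    def learn(self, vlan, src, port, now):
        """Record the source MAC; return False when the entry could not be added."""
        entry = self.entries.get((vlan, src))
        if entry is not None:
            if not entry.static:           # refresh the timer of a dynamic entry
                entry.port, entry.last_seen = port, now
            return True
        if len(self.entries) >= self.capacity:
            return False                   # table full
        limit = self.limits.get(port)
        if limit is not None and self.dynamic_count(port) >= limit:
            return False                   # assumption: over-limit sources are not learned
        self.entries[(vlan, src)] = Entry(port, False, now)
        return True

    def receive(self, vlan, src, dst, port, now):
        """Handle one frame: return the egress interface, "flood" or "drop"."""
        self.age(now)
        self.learn(vlan, src, port, now)
        entry = self.entries.get((vlan, dst))
        if dst == BROADCAST or entry is None:
            return "flood"                 # all interfaces except the receiving one
        if entry.port == port:
            return "drop"                  # destination is behind the ingress interface
        return entry.port


def scenario(limits):
    """One interface presents 20 source MACs, then a host talks to a static server."""
    table = MacTable(aging_time=300, capacity=8, limits=limits)
    table.add_static(10, "0001.0203.0405", "ge-1/0/2")    # entry from section 2.1.13
    for i in range(20):                                   # constructed source addresses
        table.receive(10, f"0200.0000.{i:04x}", BROADCAST, "ge-1/0/3", now=0)
    request = table.receive(10, "0200.aaaa.0001", "0001.0203.0405", "ge-1/0/1", now=1)
    reply = table.receive(10, "0001.0203.0405", "0200.aaaa.0001", "ge-1/0/2", now=2)
    return request, reply, table.dynamic_count("ge-1/0/3")


def aging_demo(aging_time):
    """Host A is learned at t=0; host B sends to A at t=299 and again at t=600."""
    table = MacTable(aging_time=aging_time)
    table.receive(10, "0200.0000.000a", BROADCAST, "ge-1/0/1", now=0)
    early = table.receive(10, "0200.0000.000b", "0200.0000.000a", "ge-1/0/4", now=299)
    late = table.receive(10, "0200.0000.000b", "0200.0000.000a", "ge-1/0/4", now=600)
    return early, late


if __name__ == "__main__":
    print("no limit          :", scenario({}))
    print("limit 3, ge-1/0/3 :", scenario({"ge-1/0/3": 3}))
    print("aging 300s        :", aging_demo(300))
    print("aging disabled    :", aging_demo(0))
```

Without a limit the table fills up, the host on ge-1/0/1 cannot be learned, and the reply to it is flooded to all interfaces; with a limit of 3 on ge-1/0/3 the reply is forwarded to ge-1/0/1 only. In both cases the request reaches the server through its static entry.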

2.1.2 Preparing for configurations

Scenario
Configure the static MAC address table in the following situations:
• The static MAC address can be configured for a fixed server, special persons (manager,
financial staff), and fixed and important hosts to ensure that all data flows destined for
these MAC addresses are forwarded from the interface related to the static MAC address
in priority.
• For the interface with a fixed static MAC address, you can disable MAC address learning
to prevent other hosts from accessing LAN data through the interface.
Configure the aging time of dynamic MAC addresses to avoid saving excessive MAC address
entries in the MAC address table and running out of MAC address table resources, and to
achieve aging of dynamic MAC addresses.

Prerequisite
N/A

2.1.3 Default configurations of MAC address table


Default configurations of the MAC address table are as below.

Function                         Default value
MAC address learning status      Enable
MAC address aging time           300s
MAC address limit                Unlimited
MAC address flapping detection   Enable
MAC address flapping protection  Disable

2.1.4 Configuring the static MAC address


Configure the static MAC address for the device as below.

Step  Command                                                                                           Description
1     Raisecom#configure                                                                                Enter global configuration mode.
2     Raisecom(config)#mac-address static vlan vlan-id mac mac-address interface-type interface-number  Configure static unicast MAC addresses.

The MAC address of the source device, multicast MAC address, FFFF.FFFF.FFFF,
and 0000.0000.0000 cannot be configured as a static unicast MAC address.

2.1.5 Configuring the blackhole MAC address


Configure blackhole MAC addresses for the device as below.

Step  Command                                                         Description
1     Raisecom#configure                                              Enter global configuration mode.
2     Raisecom(config)#mac-address blackhole mac-address vlan vlan-id  Configure blackhole MAC addresses.

2.1.6 Configuring MAC address learning


Configure MAC address learning for the device as below.

Step  Command                                                              Description
1     Raisecom#configure                                                   Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number           Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/1)#mac-address learning { disable | enable }  Enable or disable MAC address learning.

2.1.7 Configuring MAC address learning based on VLAN


Configure MAC address learning based on VLAN for the device as below.

Step  Command                                                      Description
1     Raisecom#configure                                           Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id                                Enter VLAN configuration mode.
3     Raisecom(config-vlan-10)#mac learning { disable | enable }   Enable or disable MAC address learning.

2.1.8 Configuring the MAC address limit


Configure the MAC address limit for the device as below.

Step  Command                                                       Description
1     Raisecom#configure                                            Enter global configuration mode.
2     Raisecom(config)#interface vlan vlan-id                       Enter Layer 2 physical interface configuration mode or VLAN interface configuration mode. The following steps take VLAN interface configuration mode as an example.
3     Raisecom(config-vlan*)#mac-address threshold threshold-value  Configure the interface-based MAC address limit.

2.1.9 Configuring the aging time of MAC addresses


Configure the aging time of MAC addresses for the device as below.

Step  Command                                                          Description
1     Raisecom#configure                                               Enter global configuration mode.
2     Raisecom(config)#mac-address aging-time { 0 | default | period }  Configure the aging time of MAC addresses.

2.1.10 MAC address flapping detection and protection


Configure MAC address flapping detection and protection for the device as below.

Step  Command                                                                                                       Description
1     Raisecom#configure                                                                                            Enter global configuration mode.
2     Raisecom(config)#mac-address flapping detection { enable | disable }                                          Enable or disable MAC address flapping detection.
3     Raisecom(config)#mac-address flapping detection exclude-vlan vlan-list                                        Configure the VLANs excluded from MAC address flapping detection.
4     Raisecom(config)#mac-address flapping detection vlan vlan-list security-level { high | middle | low }         Configure the VLANs for MAC address flapping detection, and configure the security level for triggering MAC address flapping protection. The higher the security level, the fewer MAC address flaps are needed to trigger flapping protection.
5     Raisecom(config)#mac-address flapping error-down recovery-interval period                                     Configure the auto-recovery interval for triggering the interface error-down by MAC address flapping.
6     Raisecom(config)#mac-address flapping quit-vlan recover-time period                                           Configure the auto-recovery interval for triggering the interface quit-vlan by MAC address flapping.
7     Raisecom(config)#interface interface-type interface-number                                                    Enter physical interface configuration mode.
8     Raisecom(config-ge-1/0/*)#mac-address flapping action { error-down | quit-vlan }                              Configure the action for MAC address flapping on the interface.
9     Raisecom(config-ge-1/0/1)#mac-address flapping action priority priority                                       Configure the priority of the action for MAC address flapping on the interface. The higher the priority, the more preferentially the protection action is triggered.

2.1.11 Checking configurations


Use the following commands to check configuration results.

No.  Command                                                                        Description
1    Raisecom#show mac-address                                                      Show information about MAC address entries.
2    Raisecom#show mac-address vlan vlan-id                                         Show information about MAC address entries for the specified VLAN.
3    Raisecom#show mac-address interface interface-type interface-number            Show information about MAC address entries for the specified interface.
4    Raisecom#show mac-address { static | dynamic | blackhole } [ vlan vlan-id ]    Show information about the static/dynamic/blackhole MAC address entries.
5    Raisecom#show mac-address aging-time                                           Show the aging time of MAC addresses.
6    Raisecom#show mac-address flapping record                                      Show records on MAC address flapping detection.
7    Raisecom#show mac-limit [ interface interface-type interface-number ]          Show the configured MAC address limit.

2.1.12 Maintenance
Maintain the device as below.

Command                                                                                                  Description
Raisecom(config)#no mac-address { [ vlan vlan-id ] [ mac mac-address ] | all }                           Clear MAC addresses of the specified parameter.
Raisecom(config)#no mac-address interface-type interface-number                                          Clear MAC addresses of the specified interface.
Raisecom(config)#no mac-address { static | dynamic | blackhole } [ vlan vlan-id ] [ mac mac-address ]    Clear static/dynamic/blackhole MAC addresses of the specified parameter.
Raisecom(config)#no mac-address { static | dynamic } [ interface-type interface-number ]                 Clear static/dynamic MAC addresses of the specified interface.
Raisecom(config)#reset mac-address flapping record                                                       Clear records on MAC address flapping detection.

2.1.13 Example for configuring the MAC address table

Networking requirements
As shown in Figure 2-2, configure Switch A as below:
• Configure a static unicast MAC address 0001.0203.0405 on GE 1/0/2 and configure its
VLAN to VLAN 10.
• Configure the aging time to 500s.

Figure 2-2 MAC networking

Configuration steps
Step 1 Create VLAN 10, activate it, and add GE 1/0/2 to VLAN 10.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit

Step 2 Configure a static unicast MAC address 0001.0203.0405 on GE 1/0/2, which belongs to
VLAN 10.

Raisecom(config)#mac-address static vlan 10 mac 0001.0203.0405 ge 1/0/2

Step 3 Configure the aging time to 500s.

Raisecom(config)#mac-address aging-time 500

Checking results
Use the show mac-address command to show configurations of MAC addresses.

Raisecom#show mac-address
MacAddress        VLAN/VSI/BD   Learned-From   Type     Valid
----------------------------------------------------------------------
0001:0203:0405    10/--/--      ge-1/0/2       static   yes
----------------------------------------------------------------------
Total:1 Static:1 Dynamic:0 Blackhole:0
Sticky:0 Security:0 Snooping:0

2.2 VLAN
2.2.1 Introduction

Overview
Virtual Local Area Network (VLAN) is a protocol to solve Ethernet broadcast and security
problems. It is a Layer 2 isolation technique that partitions a LAN into different broadcast
domains logically rather than physically, so that the different broadcast domains can work as
virtual groups without any influence from one another. In terms of functions, a VLAN has the
same features as a LAN, but members in one VLAN can access one another without restriction
by physical location.

VLAN partitions
There are multiple ways of VLAN partitions, such as by interface, by MAC address, by IP
subnet, and by protocol, as shown in Figure 2-3.

Figure 2-3 VLAN partitions

VLAN technique can partition a physical LAN into different broadcast domains logically.
Hosts without intercommunication requirements can be isolated by VLAN, so VLAN
partitions improve network security, and reduce broadcast flow and broadcast storm.
The device complies with IEEE 802.1Q standard VLAN and supports 4094 concurrent
VLANs.
• VLAN partitions by interface
The device supports VLAN partitions by interface. The device has two interface modes:
Access mode and Trunk mode. The method for processing packets for the two modes is
shown as below.

Table 2-1 Interface mode and packet processing

Interface type: Access
  Processing ingress packets, untagged packets:
    Add the Access VLAN Tag to the packet.
  Processing ingress packets, tagged packets:
    • If the VLAN ID of the packet is equal to the Access VLAN ID, the interface will
      receive the packet.
    • If the VLAN ID of the packet is not equal to the Access VLAN ID, the interface will
      discard the packet.
  Processing egress packets:
    • If the VLAN ID of the packet is equal to the Access VLAN ID, the interface will
      remove the Tag and send the packet.
    • If the VLAN ID of the packet is excluded from the list of VLANs of which packets are
      allowed to pass by the interface, the interface will discard the packet.

Interface type: Trunk
  Processing ingress packets, untagged packets:
    Add the Native VLAN Tag to the packet.
  Processing ingress packets, tagged packets:
    • If the VLAN ID of the packet is included in the list of VLANs of which packets are
      allowed to pass by the interface, the interface will receive the packet.
    • If the VLAN ID of the packet is excluded from the list of VLANs of which packets are
      allowed to pass by the interface, the interface will discard the packet.
  Processing egress packets:
    • If the VLAN ID of the packet is equal to the Native VLAN ID, the interface will
      remove the Tag and send the packet.
    • If the VLAN ID of the packet is not equal to the Native VLAN ID and the interface
      allows packets of the VLAN to pass, the interface will keep the original Tag and send
      the packet.

Interface type: Hybrid
  Processing ingress packets, untagged packets:
    Add the Native VLAN Tag to the packet.
  Processing ingress packets, tagged packets:
    • If the VLAN ID of the packet is included in the list of VLANs of which packets are
      allowed to pass by the interface, the interface will receive the packet.
    • If the VLAN ID of the packet is excluded from the list of VLANs of which packets are
      allowed to pass by the interface, the interface will discard the packet.
  Processing egress packets:
    • If the VLAN ID of the packet is included in the VLAN ID list allowed by the
      interface, the interface allows the packet of the VLAN to pass, and whether to remove
      the Tag can be configured by the command.
    • If the VLAN ID of the packet is excluded from the VLAN ID list allowed by the
      interface, the interface discards the packet of the VLAN.

• VLAN partitions by MAC address
This refers to VLAN partitions by the source MAC address of the packet.
– When an interface receives an untagged packet, it matches the source MAC address
of the packet with the VLAN MAC addresses. If they are the same, the match is
successful. In this case, the interface adds the VLAN ID specified by VLAN MAC
addresses, and forwards the packet. If they are different, the interface continues to
match the packet with the IP address-based VLAN and interface-based VLAN.
– When a tagged packet reaches an interface, if its VLAN ID is in the VLAN ID list
allowed to pass by the interface, the interface receives it. Otherwise, the interface
discards it.
• VLAN partitions by IP subnet
This refers to VLAN partitions by the source IP subnet of the packet.
– When an interface receives an untagged packet, it determines the VLAN of the
packet by the source IP subnet of the packet, and then transmits the packet in the
specified VLAN.
– When a tagged packet reaches an interface, if its VLAN ID is in the VLAN ID list
allowed to pass by the interface, the interface receives it. Otherwise, the interface
discards it.
• VLAN partitions by protocol
This refers to VLAN partitions by the protocol type carried in the packet and encapsulation
format.
– After receiving an untagged packet from an interface, the device determines the VLAN
to which the packet belongs according to the protocol domain of the packet, and
sends the packet to the specified VLAN for later transmission.
– When receiving a tagged packet from an interface, the device receives the packet if the
VLAN ID is in the list of VLANs of which packets are allowed to pass by the interface,
or discards the packet if the VLAN ID is not in the list of VLANs of which packets are
allowed to pass by the interface.

2.2.2 Preparing for configurations

Scenario
The main function of VLAN is to partition logical network segments. There are 2 typical
application modes:
• In a small LAN, several VLANs are created on one device, and the hosts connected to
the device are divided by VLAN. Hosts in the same VLAN can communicate, but hosts
in different VLANs cannot communicate. For example, the financial department needs
to be separated from other departments so that they cannot access each other.
Generally, the interface that connects to a host is in Access mode.
• In a bigger LAN or an enterprise network, multiple devices connect to multiple hosts,
the devices are cascaded, and data packets carry the VLAN Tag for forwarding. The
interfaces in the same VLAN on multiple devices can communicate, but the interfaces
in different VLANs cannot communicate. This mode is used in an enterprise that has
many employees and needs a large number of hosts. Hosts in the same department but
at different positions need to access one another, so users have to partition VLANs on
multiple devices. Layer 3 devices, such as routers, are required if users want to
communicate among different VLANs. The cascaded interfaces among devices are
configured in Trunk mode.
When configuring the IP address for a VLAN, you can associate a Layer 3 interface with it.
Each Layer 3 interface corresponds to one IP address and one VLAN.

Prerequisite
N/A

2.2.3 Default configurations of VLAN


Default configurations of VLAN are as below.

Function                  Default value
Create VLAN               VLAN 1
Interface mode            Hybrid
PVID                      1
VLAN of Trunk interface   VLAN 1
VLAN of Access interface  VLAN 1

2.2.4 Configuring VLAN attributes


Configure VLAN attributes for the device as below.

Step  Command                          Description
1     Raisecom#configure               Enter global configuration mode.
2     Raisecom(config)#vlan vlan-list  Create a VLAN. The command can also be used to create VLANs in batches.
3     Raisecom(config)#vlan vlan-id    Enter VLAN configuration mode.

• The VLAN created by the vlan vlan-id command is in active status.
• All configurations of VLAN do not take effect until the VLAN is activated.

2.2.5 Configuring the interface mode


Configure the interface mode for the device as below.

Step  Command                                                                                            Description
1     Raisecom#configure                                                                                 Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                                         Enter Layer 2 physical interface configuration mode or link aggregation configuration mode. The following steps take Layer 2 physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#port link-type { access | default | dot1q-tunnel | hybrid | trunk }      Configure the interface to Access, Trunk, Hybrid, or dot1q-tunnel mode.

2.2.6 Configuring the VLAN on the Access interface


Configure the VLAN on the Access interface for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number  Enter Layer 2 physical interface configuration mode, or aggregation group configuration mode. Take Layer 2 physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#port link-type access             Configure the interface to Access mode, and add the Access interface to the VLAN.
      Raisecom(config-ge-1/0/*)#port default vlan vlan-id

• The interface allows Access VLAN packets to pass regardless of configuration for
VLAN allowed by the Access interface. The forwarded packets do not carry the
VLAN Tag.
• Configuring the Access VLAN will fail if you have not created and activated the
VLAN in advance.
• If you delete or suspend the Access VLAN manually, the system will not
automatically configure the interface Access VLAN as the default VLAN.
• When you configure the interface Access VLAN as a non-default Access VLAN,
the default Access VLAN 1 is still a VLAN allowed by the egress Access
interface; you can delete Access VLAN 1 from the allowed VLAN list of the egress
Access interface.
• If the configured Access VLAN is not the default VLAN and there is no default
VLAN in the allowed VLAN list of the Access interface, the interface does not
allow packets of the default VLAN to pass.

2.2.7 Configuring the VLAN on the Trunk interface


Configure the VLAN on the Trunk interface for the device as below.

Step  Command                                                                     Description
1     Raisecom#configure                                                          Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                  Enter Layer 2 physical interface configuration mode, or aggregation group configuration mode. Take Layer 2 physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#port link-type trunk                              Configure the interface to Trunk mode.
4     Raisecom(config-ge-1/0/*)#port trunk pvid vlan-id                           Configure the PVID of the interface.
5     Raisecom(config-ge-1/0/*)#port trunk allowed-pass vlan { all | vlan-list }  Configure VLANs allowed to pass by the Trunk interface.

• No matter how the VLAN list allowed to pass by the interface is configured, the
interface allows packets of the VLAN to pass and forwards packets without the
corresponding PVID.
• When you configure the Native VLAN, the system will not create and activate the
VLAN if the VLAN has not been created and activated in advance.
• The system will not configure the interface Trunk Native VLAN as the default VLAN if
you have deleted or blocked the Native VLAN manually.
• The interface allows incoming and outgoing packets of the VLANs allowed by the
Trunk interface.
• If the configured Native VLAN is not the default VLAN, and the VLAN list allowed
to pass by the Trunk interface does not include the default VLAN, the interface will
disallow packets of the default VLAN to pass.
• The VLAN list allowed by the Trunk interface is only effective for static VLANs, and
ineffective for cluster VLANs and MVRP dynamic VLANs.

2.2.8 Configuring the VLAN based on the Hybrid interface


Configure the VLAN based on the Hybrid interface for the device as below.

Step  Command                                                                                Description
1     Raisecom#configure                                                                     Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                             Enter physical interface configuration mode, or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#port link-type hybrid                                        Configure the interface mode to Hybrid.
4     Raisecom(config-ge-1/0/*)#port hybrid pvid vlan-id                                     Configure the interface PVID.
5     Raisecom(config-ge-1/0/*)#port hybrid vlan { all | vlan-list } { tagged | untagged }   Configure the VLANs allowed to pass in tagged or untagged mode by the Hybrid interface.

The Hybrid interface can work in different modes as configured. In untagged mode,
its working mode is the same as that in the Access mode, but it can be configured
with multiple allowed VLANs. In tagged mode, its working mode is the same as that
in the Trunk mode.

2.2.9 Configuring the VLAN based on MAC address


Configure the VLAN based on MAC address for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#mac-vlan mac-address vlan-id               Associate a MAC address and mask with a VLAN.
3     Raisecom(config)#interface interface-type interface-number  Enter Layer 2 physical interface configuration mode.
4     Raisecom(config-ge-1/0/*)#mac-vlan enable                   Enable MAC-VLAN.

• If the IP address or subnet mask is invalid, the configuration will fail.
• If you associate a created IP subnet to a VLAN but this association conflicts with an
existing association (for example, the IP subnet or VLAN is already associated),
the association will fail.

2.2.10 Configuring the VLAN based on IP subnet


Configure the VLAN based on IP subnet for the device as below.

Step  Command                                                                Description
1     Raisecom#configure                                                     Enter global configuration mode.
2     Raisecom(config)#ip-subnet-vlan ip-address [ ip-mask ] vlan vlan-id    Associate a MAC address with an IP subnet.
3     Raisecom(config)#interface interface-type interface-number             Enter Layer 2 physical interface configuration mode.
4     Raisecom(config-ge-1/0/*)#ip-subnet-vlan enable                        Enable VLAN partitions based on IP subnet.

• If the IP address or subnet mask is invalid, the configuration will fail.
• If you associate a created IP subnet to a VLAN but this association conflicts with an
existing association (for example, the IP subnet is associated with different
VLANs), the association will fail.

2.2.11 Configuring the VLAN based on protocol


Configure the VLAN based on protocol for the device as below.

Step  Command                                                                                  Description
1     Raisecom#configure                                                                       Enter global configuration mode.
2     Raisecom(config)#protocol-vlan protocol-index { ethernet2 | llc | snap protocol-id }     Configure the rule for associating the protocol VLAN with Ethernet packets.
3     Raisecom(config)#interface interface-type interface-number                               Enter Layer 2 physical interface configuration mode.
4     Raisecom(config-ge-1/0/*)#protocol-vlan protocol-index vid vlan-id                       Configure the rule for associating the interface with the protocol VLAN.

2.2.12 Checking configurations


Use the following commands to check configuration results.

No.  Command                                       Description
1    Raisecom#show vlan [ vlan-list | vlan-id ]    Show VLAN configurations.
2    Raisecom#show port vlan                       Show configurations of the VLAN on the interface.
3    Raisecom#show mac-vlan [ vlan-id ]            Show configurations of the MAC VLAN.
4    Raisecom#show ip-subnet-vlan [ vlan-id ]      Show configurations of the IP subnet VLAN.
5    Raisecom#show protocol-vlan [ instance-id ]   Show configurations of all protocol VLANs.
6    Raisecom#show protocol-vlan interface         Show configurations of the protocol VLAN on the interface.

2.2.13 Querying VLAN statistics


Query VLAN statistics for the device as below.

Step  Command                                                   Description
1     Raisecom(config-vlan-*)#statistics { enable | disable }   Enable VLAN statistics.
2     Raisecom#show vlan [vlan-id] statistics                   Show VLAN statistics.
3     Raisecom(config)#reset vlan [vlan-id] statistics          Clear VLAN statistics.

2.2.14 Example for configuring VLANs

Networking requirements
As shown in Figure 2-4, PC 1, PC 2, and PC 5 belong to VLAN 10, PC 3 and PC 4 belong to
VLAN 20; Switch A and Switch B are connected by the Trunk interface; PC 3 and PC 4
cannot communicate because VLAN 20 is not allowed to pass in the link; PC 1 and PC 2
under the same Switch B are enabled with interface isolation function so that they cannot
communicate with each other, but can respectively communicate with PC 5.

Figure 2-4 VLAN and interface isolation networking

Configuration steps
Step 1 Create VLAN 10 and VLAN 20 on the two switches respectively, and activate them.
Configure Switch A.
Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 10,20

Configure Switch B.

Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#vlan 10,20

Step 2 Add GE 1/0/2 and GE 1/0/3 in Access mode on Switch B to VLAN 10, add GE 1/0/4 as
Access mode to VLAN 20, configure GE 1/0/1 to Trunk mode, and allow VLAN 10 to pass.

SwitchB(config)#interface ge 1/0/2
SwitchB(config-ge-1/0/2)#port link-type access
SwitchB(config-ge-1/0/2)#port default vlan 10
SwitchB(config-ge-1/0/2)#exit
SwitchB(config)#interface ge 1/0/3
SwitchB(config-ge-1/0/3)#port link-type access
SwitchB(config-ge-1/0/3)#port default vlan 10
SwitchB(config-ge-1/0/3)#exit
SwitchB(config)#interface ge 1/0/4
SwitchB(config-ge-1/0/4)#port link-type access
SwitchB(config-ge-1/0/4)#port default vlan 20
SwitchB(config-ge-1/0/4)#exit
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port link-type trunk
SwitchB(config-ge-1/0/1)#port trunk allowed-pass vlan 10
SwitchB(config-ge-1/0/1)#exit

Step 3 Add GE 1/0/2 as Access mode on Switch A to VLAN 10, add GE 1/0/3 as Access mode to
VLAN 20, configure GE 1/0/1 to Trunk mode, and allow VLAN 10 to pass.

SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type access
SwitchA(config-ge-1/0/2)#port default vlan 10
SwitchA(config-ge-1/0/2)#exit
SwitchA(config)#interface ge 1/0/3
SwitchA(config-ge-1/0/3)#port link-type access
SwitchA(config-ge-1/0/3)#port default vlan 20
SwitchA(config-ge-1/0/3)#exit
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allowed-pass vlan 10

Checking results
Use the show vlan command to show VLAN configurations.
Take Switch B for example.

SwitchB#show vlan
S: supervlan P: pvlan N: normal

Vlan  Type      Ports('M': member , '-': not member)
-------------------------------------------------------------------------
1     N/static  untagged: ge-1/0/1 <->ge-1/0/16      M---MMMM MMMMMMMM
                          ge-1/0/17<->ge-1/0/24      MMMMMMMM
                          10ge-1/0/25<->10ge-1/0/30  MMMMMM
10    N/static  tagged:   ge-1/0/1<->ge-1/0/16       M------- --------
                untagged: ge-1/0/1<->ge-1/0/16       -MM----- --------
20    N/static  untagged: ge-1/0/1<->ge-1/0/16       ---M---- --------
-------------------------------------------------------------------------
Total: 3 Static: 3 Dynamic: 0

Use the show interface interface-type interface-number config command to show VLAN
configurations of the interface.
Take Switch B for example.

SwitchB#show interface ge 1/0/2 config
!
interface ge 1/0/2
port link-type access
port default vlan 10

Check whether the Trunk interfaces permit the correct VLANs to pass by making PC 1 ping
PC 5, PC 2 ping PC 5, and PC 3 ping PC 4.
• PC 1 can ping PC 5, so VLAN 10 communication is normal.
• PC 2 can ping PC 5, so VLAN 10 communication is normal.
• PC 3 fails to ping PC 4, so VLAN 20 communication is abnormal (the Trunk interfaces
allow only VLAN 10 to pass).

2.3 Voice VLAN


2.3.1 Introduction
With increasing growth of voice technologies, voice devices are more and more widely used,
especially in broadband residential communities. The network usually transmits voice traffic
and data traffic concurrently, but voice traffic requires a higher priority than data traffic in
transmission to avoid delay and packet loss.
A voice VLAN is a VLAN partitioned specifically for the voice traffic of users. By partitioning
voice VLANs and adding interfaces of the voice device to them, you can configure QoS for
voice traffic to raise its transmission priority and guarantee call quality.
Compared with other methods for managing voice traffic, the voice VLAN has the following
advantages:
• Easy configuration: after you configure the voice device in global configuration mode
and interface configuration mode and enable the voice VLAN, the voice device can
classify and process voice traffic.
• Easy maintenance: you can modify rules (voice VLAN OUI address) for matching voice
traffic in global configuration mode. When a new IP voice device joins the network, its
interfaces can rapidly identify voice traffic by the updated matching rules.
• Flexible implementation: the voice VLAN supports safe mode and common mode in
global configuration mode and automatic mode and manual mode on the interface, so it
is flexible in implementation. You can combine these modes as required to meet users'
requirements to the maximum extent.
Figure 2-5 shows the networking mode for an IP phone (with its interfaces transmitting voice
traffic only) to connect to the switch. This mode enables these interfaces to transmit voice
traffic only, thus minimizing the impact of data traffic on voice traffic.

Figure 2-5 Networking for IP phone to connect to switch

2.3.2 Preparing for configurations

Scenario
A dedicated voice VLAN transmits voice traffic. If a voice device becomes faulty or exits
the network for a period, the interface connecting the voice device automatically exits the
voice VLAN.

Prerequisite
Create a VLAN, and configure its parameters.

2.3.3 Default configurations of the voice VLAN


Default configurations of Organizationally Unique Identifier (OUI) of the voice VLAN are as
below.

OUI-Address     Mask address    Description
0001.E300.0000  FFFF.FF00.0000  Siemens-phone
0003.6B00.0000  FFFF.FF00.0000  Cisco-phone
0004.0D00.0000  FFFF.FF00.0000  Avaya-phone
00D0.1E00.0000  FFFF.FF00.0000  Pingtel-phone
0060.B900.0000  FFFF.FF00.0000  Philips/NEC-phone
00E0.7500.0000  FFFF.FF00.0000  Verilink-phone
00E0.BB00.0000  FFFF.FF00.0000  NBX-phone

Other default configurations of the voice VLAN are as below.

Function                                                 Default value
Voice VLAN                                               Disable
Voice VLAN secure working mode                           Enable
Voice VLAN common working mode                           Disable
Automatic mode for the interface to join the voice VLAN  Enable
Manual mode for the interface to join the voice VLAN     Disable
CoS and DSCP of Voice VLAN packets                       6 and 46 respectively
QoS trust priority of Voice VLAN                         N/A
Aging time of the Voice VLAN                             5 min

2.3.4 Configuring the OUI


Configure the OUI for the device as below.

Step  Command                                                                            Description
1     Raisecom#configure                                                                 Enter global configuration mode.
2     Raisecom(config)#voice-vlan oui mac-address [ mask-address ] [ description word ]  Configure the OUI of the voice VLAN.
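
The OUI and mask matching can be reproduced offline to check which source MAC addresses a rule will classify as voice, and to confirm that the /24 form used in sections 2.3.7 and 2.3.8 equals the mask FFFF.FF00.0000. This Python sketch is an added example, not Raisecom code; the first-match lookup order, the function names, and the sample MAC addresses are assumptions.

```python
import re

# Default OUI table from section 2.3.3: (OUI address, mask, description).
DEFAULT_OUI_TABLE = [
    ("0001.E300.0000", "FFFF.FF00.0000", "Siemens-phone"),
    ("0003.6B00.0000", "FFFF.FF00.0000", "Cisco-phone"),
    ("0004.0D00.0000", "FFFF.FF00.0000", "Avaya-phone"),
    ("00D0.1E00.0000", "FFFF.FF00.0000", "Pingtel-phone"),
    ("0060.B900.0000", "FFFF.FF00.0000", "Philips/NEC-phone"),
    ("00E0.7500.0000", "FFFF.FF00.0000", "Verilink-phone"),
    ("00E0.BB00.0000", "FFFF.FF00.0000", "NBX-phone"),
]

HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def parse_mac(text):
    """Parse 0001.ED00.0000, 00:01:ED:00:00:00 or 00-01-ED-00-00-00 into a 48-bit int."""
    digits = re.sub(r"[.:-]", "", text.strip())
    if not HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Render a 48-bit int in the dotted form used by the OUI table."""
    digits = f"{value:012X}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def prefix_to_mask(bits):
    """Turn a prefix length such as 24 into a 48-bit mask (24 -> FFFF.FF00.0000)."""
    if not 0 <= bits <= 48:
        raise ValueError(f"prefix length out of range: {bits}")
    return ((1 << bits) - 1) << (48 - bits)


def mask_to_prefix(mask):
    """Return the prefix length of a contiguous mask, or None if the mask has holes."""
    for bits in range(49):
        if prefix_to_mask(bits) == mask:
            return bits
    return None


def parse_rule(address, mask=None, description=""):
    """Build (masked value, mask, description) from 'addr/len' or from addr plus mask."""
    if "/" in address:
        address, length = address.split("/", 1)
        mask_int = prefix_to_mask(int(length))
    elif mask is not None:
        mask_int = parse_mac(mask)
    else:
        # The default mask is not stated in this section, so the example requires one.
        raise ValueError("a mask or /length is required in this example")
    return parse_mac(address) & mask_int, mask_int, description


def load_rules(extra=()):
    """Default table plus any operator-added rules given as (address, mask, description)."""
    return [parse_rule(a, m, d) for a, m, d in list(DEFAULT_OUI_TABLE) + list(extra)]


def classify(src_mac, rules):
    """Return the description of the first rule matching the source MAC, else None."""
    mac = parse_mac(src_mac)
    for value, mask, description in rules:
        if (mac & mask) == value:
            return description
    return None


if __name__ == "__main__":
    # Rule from the configuration examples; the description is a constructed label.
    rules = load_rules([("00:01:ED:00:00:00/24", None, "example-phone")])
    for mac in ("0003.6B12.3456", "00:01:ed:aa:bb:cc", "0001.EE00.0001"):  # constructed
        print(mac, "->", classify(mac, rules))
```

The match uses only the masked bits of the source MAC address, so it classifies traffic by vendor prefix and does not authenticate the device.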

2.3.5 Enabling the voice VLAN


Enable the voice VLAN for the device as below.

Step  Command                                                         Description
1     Raisecom#configure                                              Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number      Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/*)#voice-vlan vlan-id enable             Enable the voice VLAN.
4     Raisecom(config-ge-1/0/*)#voice-vlan mode { enable | disable }  Configure the working mode of the interface to join the voice VLAN.
5     Raisecom(config)#voice-vlan aging-time time                     Configure the aging time of the interface to leave the voice VLAN in automatic mode.
6     Raisecom(config)#interface interface-type interface-number      Configure the working mode of the voice VLAN to security.
      Raisecom(config-ge-1/0/*)#voice-vlan security enable

2.3.6 Checking configurations


Use the following commands to check configuration results.

No.   Command                             Description
1     Raisecom#show voice-vlan oui        Show the OUI address, its mask, and description on the current device.
2     Raisecom#show voice-vlan interface  Show the status of the voice VLAN on the current device.

2.3.7 Example for adding interfaces to the voice VLAN


Example for adding interfaces to the voice VLAN and configuring it to work in manual mode

Networking requirements
GE 1/1/1 on the Switch connects the IP phone and PC to the Internet. It is required to
concurrently forward and isolate voice traffic and data traffic.
You can configure GE 1/0/1 as a Trunk interface, making the Native VLAN forward data
traffic and the voice VLAN forward voice traffic. The PC sends untagged packets, which are
transmitted in the Native VLAN of GE 1/0/1. Configure VLAN 100 as the Native VLAN to
transmit data traffic sent from the PC. The IP phone also sends untagged packets. Configure
the OUI address of the voice VLAN to match the source MAC address of the IP phone so that
the device adds the voice VLAN Tag when these packets pass the voice VLAN interface.
Configure VLAN 200 as the voice VLAN to transmit voice traffic sent from the IP phone.

Figure 2-6 Networking with adding interface to voice VLAN and configuring it to work in manual
mode

Configuration steps
Step 1 Configure the MAC address (supporting the mask) of the IP phone as the OUI address of the
voice VLAN on the switch, namely, 0001.ED00.0000. Configure the mask to
FFFF.FF00.0000. For the OUI supported by the device by default, see section 2.3.3 Default
configurations of the voice VLAN.

Raisecom(config)#voice-vlan oui 00:01:ED:00:00:00/24

Step 2 Create VLAN 100 and VLAN 200, activate them, and configure VLAN 200 as the voice
VLAN.

Raisecom(config)#vlan 100,200
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 100
Raisecom(config-ge-1/0/1)#voice-vlan 200 enable

Checking configurations
Use the show voice-vlan interface command to view the current interface status of the voice
VLAN.

Raisecom(config)#show voice-vlan interface


Support max interface :64
Current enable interface :1
Interface VID Mode Security RemainTime(s)
------------------------------------------------------------
ge-1/0/1 200 auto enable N/A
------------------------------------------------------------

2.3.8 Example for configuring the IP phone to access voice VLAN packets through LLDP

Networking requirements
As shown in Figure 2-7, when the IP phone supports LLDP, it can obtain the voice VLAN
through LLDP. You can configure LLDP and voice VLAN on the switch to connect the IP
phone. Configure LLDP on the switch to advertise the voice VLAN of the interface to the IP
phone. To guarantee call quality, configure the voice VLAN to prioritize voice packets.
GE 1/1/1 on the Switch connects the IP phone and PC to the Internet. It is required to
concurrently forward and isolate voice traffic and data traffic.
You can configure GE 1/0/1 as a Trunk interface, making the Native VLAN forward data
traffic and voice VLAN forward voice traffic. The PC sends untagged packets which are
transmitted in the Native VLAN of GE 1/0/1. Configure VLAN 100 as the Native VLAN to
transmit data traffic sent from the PC. Configure VLAN 200 as the voice VLAN to transmit
voice traffic sent from the IP phone. The IP phone obtains the voice VLAN through LLDP and
sends packets with the voice VLAN Tag.

Figure 2-7 Configuring IP phone to access voice VLAN packets through LLDP

Configuration steps
Step 1 Configure the MAC address (supporting the mask) of the IP phone as the OUI address of the
voice VLAN on the switch, namely, 0001.ED00.0000. Configure the mask to
FFFF.FF00.0000. For the OUI supported by the device by default, see section 2.3.3 Default
configurations of the voice VLAN.

Raisecom(config)#voice-vlan oui 0001.ED00.0000/24

Step 2 Create VLAN 100 and VLAN 200, activate them, and configure VLAN 200 as the voice
VLAN.

Raisecom(config)#vlan 100,200
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 100
Raisecom(config-ge-1/0/1)#voice-vlan 200 enable
Raisecom(config-ge-1/0/1)#exit

Step 3 Enable global LLDP and interface LLDP to advertise the voice VLAN of the interface to the
IP phone.

Raisecom(config)#lldp start
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#lldp admin-status rx-tx

Checking configurations
Use the show voice-vlan interface command to view the interface status of the voice VLAN.

Raisecom(config)#show voice-vlan interface
Support max interface :64
Current enable interface :1
Interface VID Mode Security RemainTime(s)
------------------------------------------------------------
ge-1/0/1 200 auto enable N/A
------------------------------------------------------------

2.4 QinQ
2.4.1 Introduction
The QinQ (also known as Stacked VLAN or Double VLAN) technique is an extension to 802.1Q,
defined in the IEEE 802.1ad standard.

Basic QinQ
Basic QinQ is a simple Layer 2 VPN tunnel technique. It encapsulates an outer VLAN Tag onto
user private network packets at the carrier access end, so that packets with double VLAN Tags
traverse the backbone network (public network) of the carrier. On the public network, packets
are transmitted according to the outer VLAN Tag (namely, the public network VLAN Tag), and
the user private network VLAN Tag is transmitted as data in packets.

Figure 2-8 Principles of basic QinQ

Figure 2-8 shows the typical networking of basic QinQ; the device is the PE.
Packets are transmitted from the user device to the PE, and the VLAN ID of the packet Tag is 100.
An outer Tag with VLAN 1000 is added to the packets when they traverse from the network-side
interface of the PE to the carrier network.
Packets with the VLAN 1000 outer Tag are transmitted to the PE on the other side by the
carrier, and then that PE removes the outer Tag VLAN 1000 and sends the packets to the user
device. The packets now carry only one Tag again, VLAN 100.
This technique can save public network VLAN ID resources. You can plan private network
VLAN IDs to avoid conflict with public network VLAN IDs.

Selective QinQ
Selective QinQ is an enhancement to basic QinQ, which classifies flows according to user data
features and then encapsulates different types of flows with different outer VLAN Tags. This
technique is implemented through a combination of interface and VLAN. Selective QinQ can
perform different actions on different VLAN Tags received by one interface and add different
outer VLAN IDs for different inner VLAN IDs. According to configured mapping rules for
inner and outer Tags, you can encapsulate different outer Tags for different inner tagged
packets. The inner priority can be copied to the outer priority.
Selective QinQ makes the structure of the carrier network more flexible. You can classify
different terminal users on the access device interface by VLAN Tag and then encapsulate
different outer Tags for users in different classes. On the public network, you can configure
QoS policy according to the outer Tag and configure data transmission priority flexibly to make
users in different classes receive corresponding services.
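
The tag operations described for basic and selective QinQ, worked through on a constructed frame as an added Python example (not Raisecom code): the PE pushes an outer Tag with the carrier TPID, the far-end PE pops it, and a receiver expecting a different TPID does not recognise the outer Tag. Function names, MAC addresses, and the handling of frames without a matching rule are assumptions.

```python
import struct

TPID_8021Q = 0x8100                       # default TPID (section 2.4.3)
ALLOWED_TPIDS = (0x8100, 0x88A8, 0x9100)  # values listed for the tpid command


def make_tag(tpid, vlan_id, pcp=0):
    """Build one 4-byte VLAN tag: 16-bit TPID, then 3-bit priority, 1-bit DEI, 12-bit VLAN ID."""
    if tpid not in ALLOWED_TPIDS:
        raise ValueError(f"unsupported TPID 0x{tpid:04x}")
    if not 1 <= vlan_id <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VLAN ID must be 1-4094 and priority 0-7")
    return struct.pack("!HH", tpid, (pcp << 13) | vlan_id)


def build_customer_frame(vlan_id, pcp=0):
    """Constructed sample: a single-tagged IPv4 frame from the user network."""
    dst = bytes.fromhex("020000000002")   # constructed, locally administered MACs
    src = bytes.fromhex("020000000001")
    payload = b"constructed-payload".ljust(46, b"\x00")
    return dst + src + make_tag(TPID_8021Q, vlan_id, pcp) + struct.pack("!H", 0x0800) + payload


def inner_tag(frame):
    """Return (vlan_id, pcp) of the customer tag, or None if the frame is untagged."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def push_outer(frame, svlan, tpid, pcp=0):
    """Basic QinQ ingress: insert the outer tag right after the two MAC addresses."""
    return frame[:12] + make_tag(tpid, svlan, pcp) + frame[12:]


def pop_outer(frame, tpid):
    """Egress toward the user: remove the outer tag; the inner tag is left untouched."""
    got, tci = struct.unpack_from("!HH", frame, 12)
    if got != tpid:
        raise ValueError(f"outer TPID 0x{got:04x} does not match configured 0x{tpid:04x}")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def selective_push(frame, rules, tpid, copy_priority=False):
    """Selective QinQ: pick the outer VLAN from the inner VLAN, optionally copying priority."""
    tag = inner_tag(frame)
    if tag is None or tag[0] not in rules:
        # Handling of unmatched frames is device-specific and not modelled here.
        raise LookupError("no vlan-stacking rule for this frame")
    vlan_id, pcp = tag
    return push_outer(frame, rules[vlan_id], tpid, pcp if copy_priority else 0)


def parse_tags(frame, outer_tpid, inner_tpid=TPID_8021Q):
    """Parse as a receiver configured with outer_tpid: a tag counts only if its TPID matches."""
    tags, offset = [], 12
    for expected in (outer_tpid, inner_tpid):
        if len(frame) < offset + 4:
            break
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != expected:
            break
        tags.append((tpid, tci & 0x0FFF, tci >> 13))
        offset += 4
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return tags, ethertype


if __name__ == "__main__":
    customer = build_customer_frame(100, pcp=5)      # user VLAN 100 as in Figure 2-8
    carried = push_outer(customer, 1000, 0x9100)     # outer VLAN 1000, carrier TPID 0x9100
    print("carrier side  :", parse_tags(carried, 0x9100))
    print("TPID mismatch :", parse_tags(carried, 0x8100))
    print("after pop     :", parse_tags(pop_outer(carried, 0x9100)[1], 0x8100))
```

With the TPID mismatch the parser returns no tags and reports 0x9100 as the EtherType, which is why the TPID on the network-side interface has to agree with the carrier's.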

2.4.2 Preparing for configurations

Scenario
Basic QinQ configuration and selective QinQ configuration for the device are based on
different service requirements.
• Basic QinQ
With basic QinQ, the device adds an outer VLAN Tag so that you can plan private VLAN IDs
freely: user device data at both ends of the carrier network is transmitted transparently
without conflicting with VLAN IDs on the service provider network.
• Selective QinQ
Different from basic QinQ, the outer VLAN Tag of selective QinQ is selected according to the
service. When the user network carries multiple services with different private VLAN IDs,
selective QinQ adds different outer VLAN Tags for voice, video, and data services, and then
uses different traffic flows and inner-to-outer VLAN mapping to forward the different
services.

Prerequisite
• Connect the interface.
• Configure its physical parameters to make it Up.
• Create VLANs.

• Basic QinQ and 1:1 VLAN mapping can be concurrently configured. VLAN
mapping functions normally before or after basic QinQ is enabled.
• Selective QinQ and 1:1 VLAN mapping can be concurrently configured. When
they are concurrently configured, they function normally. They also function
normally when basic QinQ is enabled or disabled. When one of them is disabled,
other configurations function normally.
• Basic QinQ, selective QinQ, and 2:2 VLAN mapping are mutually exclusive. When
selective QinQ and 1:1 VLAN mapping are concurrently configured, their matching
VLANs cannot be the same, and VLANs after mapping cannot be the same.

2.4.3 Default configurations of QinQ


Default configurations of QinQ are as below.

Function               Default value
Outer VLAN Tag TPID    0x8100
Basic QinQ status      Disable
Selective QinQ status  Disable

2.4.4 Configuring basic QinQ


Configure basic QinQ on the ingress interface for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number  Enter physical interface configuration mode, or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/1)#port link-type dot1q-tunnel       Enable basic QinQ on the interface.
4     Raisecom(config-ge-1/0/1)#port hybrid pvid vlan-id          Configure basic QinQ, add double Tags, and specify the PVID used by the CVLAN and SVLAN.
5     Raisecom(config-ge-1/0/1)#tpid tpid                         Configure the TPID of the VLAN Tag on the interface. It is used to identify the inner VLAN, or is used to identify the outer VLAN when QinQ is enabled.
                                                                  • tpid: TPID value, an integer in hexadecimal notation, being 0x8100, 0x88a8, or 0x9100
6     Raisecom(config-ge-1/0/1)#inner tpid tpid                   Configure the TPID of the inner VLAN Tag on the interface. It is used to identify the inner VLAN, or is used to identify the outer VLAN when QinQ is enabled.

When basic QinQ is enabled on the interface, all packets are processed as untagged
packets. If you configure the untagged packets to be discarded, tagged packets are
also discarded.

2.4.5 Configuring selective QinQ


Configure selective QinQ on the ingress interface for the device as below.

Step  Command                                                                                          Description
1     Raisecom#configure                                                                               Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                                       Enter physical interface configuration mode, or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#vlan-stacking vlan vlan-id stack-vlan vlan-id [ remark-8021p cos-id ]  Configure selective QinQ.

2.4.6 Configuring the network-side interface to Trunk mode


Configure the network-side interface to Trunk mode for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number  Enter physical interface configuration mode, or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#port link-type trunk              Configure the interface to Trunk mode to permit double-tagged packets to pass.

2.4.7 Configuring the TPID


Configure the TPID on the network side interface for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number  Enter physical interface configuration mode, or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#tpid tpid                         Configure the TPID of the outer VLAN Tag on the interface.

2.4.8 Checking configurations


Use the following commands to check configuration results.

No.   Command                                Description
1     Raisecom#show vlan-stacking config     Show configurations of basic QinQ.
2     Raisecom#show vlan-stacking interface  Show QinQ configurations of the interface.

2.4.9 Example for configuring basic QinQ

Networking requirements
As shown in Figure 2-9, Switch A and Switch B are connected to two branches of Department
C, which are in different locations. Department C uses VLAN 100, and needs to communicate
through VLAN 1000 of the carrier network. The carrier TPID is 9100.
Configure basic QinQ on Switch A and Switch B to enable normal communication inside a
department through the carrier's network.

Figure 2-9 Basic QinQ networking

Configuration steps
Configure Switch A and Switch B.
Configurations of Switch A are the same as those of Switch B. Take Switch A for example.
Step 1 Create VLAN 100 and VLAN 1000, and activate them. The TPID is 9100.

Raisecom#configure
Raisecom(config)#vlan 100,1000
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 1000
Raisecom(config-ge-1/0/1)#tpid 0x9100
Raisecom(config-ge-1/0/1)#exit

Step 2 Configure basic QinQ on the interface.

Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type dot1q-tunnel
Raisecom(config-ge-1/0/2)#port default vlan 1000
Raisecom(config-ge-1/0/2)#exit

Checking results
Use the show interface interface-type interface-number config command to show QinQ
configurations.

Raisecom#show interface ge 1/0/2 config
!
interface ge 1/0/2
port link-type dot1q-tunnel
port default vlan 1000

2.4.10 Example for configuring selective QinQ

Networking requirements
As shown in Figure 2-10, the carrier network contains common PC Internet access services
and IP phone services. PC Internet access services are assigned to VLAN 1000, and IP phone
services are assigned to VLAN 2000.
Configure Switch A and Switch B as below to make the user and server communicate through
the carrier network:
• Add outer Tag VLAN 1000 to VLAN 100 assigned to PC Internet access services.
• Add outer Tag VLAN 2000 to VLAN 200 for IP phone services.
• The carrier TPID is 9100.

Figure 2-10 Selective QinQ networking

Configuration steps
Configure Switch A and Switch B.
Configurations of Switch A are the same as those of Switch B. Take Switch A for example.
Step 1 Create and activate VLAN 100, VLAN 200, VLAN 1000, and VLAN 2000. The TPID is 9100.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 100,200,1000,2000
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan 1000,2000
SwitchA(config-ge-1/0/1)#tpid 0x9100
SwitchA(config-ge-1/0/1)#exit

Step 2 Enable selective QinQ on GE 1/0/2.

SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/2)#port trunk allow-pass vlan 100,200,1000,2000
SwitchA(config-ge-1/0/2)#vlan-stacking enable
SwitchA(config-ge-1/0/2)#vlan-stacking vlan 100 stack-vlan 1000
SwitchA(config-ge-1/0/2)#vlan-stacking vlan 200 stack-vlan 2000
SwitchA(config-ge-1/0/2)#exit

Checking results
Use the show vlan-stacking interface command to show configurations of selective QinQ.
Take Switch A for example.

SwitchA#show vlan-stacking interface
Interface  MatchVlan(outer/8021p)  StackVlan(inner/outer/8021p)
--------------------------------------------------------------------------------
ge-1/0/2   100/-                   -/1000/-
ge-1/0/2   200/-                   -/2000/-

2.5 VLAN mapping


2.5.1 Introduction
VLAN mapping is used to replace the private VLAN Tag of Ethernet packets with carrier's
VLAN Tag, making packets transmitted according to carrier's VLAN forwarding rules. When
packets are sent to the peer private network from the ISP network, the VLAN Tag is restored
to the original private VLAN Tag according to the same VLAN forwarding rules. Therefore
packets are correctly sent to the destination.
Figure 2-11 shows principles of VLAN mapping.

Figure 2-11 Principles of VLAN mapping

After receiving a user private network packet with a VLAN Tag, the device matches the
packet against the configured VLAN mapping rules. If a rule matches, it maps the packet
according to that rule.
By supporting 1:1 VLAN mapping, the device replaces the VLAN Tag carried by a packet
from a specified VLAN with the new VLAN Tag.
Different from QinQ, VLAN mapping does not encapsulate packets with multiple layers of
VLAN Tags, but modifies the VLAN Tag so that packets are transmitted according to the
carrier's VLAN forwarding rule.

2.5.2 Preparing for configurations

Scenario
Different from QinQ, VLAN mapping is used to change the VLAN Tag without encapsulating
multilayer VLAN Tags so that packets are transmitted according to the carrier's VLAN
mapping rules. VLAN mapping does not increase the frame length of the original packet. It
can be used in the following scenarios:
• A user service needs to be mapped to a carrier's VLAN ID.
• Multiple user services need to be mapped to a carrier's VLAN ID.

Prerequisite
• Connect the interface.
• Configure its physical parameters to make it Up.
• Create VLANs.

2.5.3 Default configurations of VLAN mapping


Default configurations of VLAN mapping are as below.

Function             Default value
VLAN mapping status  Disable

2.5.4 Configuring VLAN mapping


Configure VLAN mapping for the device as below.

Step  Command                                                                                                                                 Description
1     Raisecom#configure                                                                                                                      Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                                                                              Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/*)#vlan-mapping enable                                                                                           Enable VLAN mapping.
4     Raisecom(config-ge-1/0/*)#vlan-mapping vlan vlan-id map-vlan vlan-id [ remark-8021p cos-id ]                                            Configure the single-tagged 1:1 VLAN mapping rule.
5     Raisecom(config-ge-1/0/*)#vlan-mapping vlan vlan-id 8021p cos-id map-vlan vlan-id [ remark-8021p cos-id ]                               Configure the mapping rule for single-tagged 1:1 VLAN to match CoS.
6     Raisecom(config-ge-1/0/*)#vlan-mapping vlan vlan-id inner-vlan vlan-id map-vlan vlan-id map-inner-vlan vlan-id [ remark-8021p cos-id ]  Configure the inner and outer 2:2 VLAN mapping rule.
7     Raisecom(config-ge-1/0/*)#vlan-mapping vlan vlan-id inner-vlan vlan-id map-vlan vlan-id [ remark-8021p cos-id ]                         Configure the inner and outer 2:1 VLAN mapping rule.
8     Raisecom(config-ge-1/0/*)#vlan-mapping 8021p vlan-id map-vlan vlan-id [ remark-8021p cos-id ]                                           Configure the mapping rule for matching CoS.

• Basic QinQ and 1:1 VLAN mapping can be concurrently configured. VLAN
mapping functions normally before or after basic QinQ is enabled.
• Selective QinQ and 1:1 VLAN mapping can be concurrently configured. When
they are concurrently configured, they function normally. They also function
normally when basic QinQ is enabled or disabled. When one of them is disabled,
other configurations function normally.
• Basic QinQ, selective QinQ, and 2:2 VLAN mapping are mutually exclusive. When
selective QinQ and 1:1 VLAN mapping are concurrently configured, their matching
VLANs cannot be the same, and VLANs after mapping cannot be the same.
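
The coexistence rules in the notes above (also stated in section 2.4.2) can be checked against a saved configuration before it is applied. This Python sketch is an added example, not a Raisecom tool; it assumes the rules apply per interface and reads the mutual-exclusion note as ruling out 2:2 VLAN mapping together with basic or selective QinQ, and the sample configuration is constructed.

```python
import re

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#")   # e.g. "SwitchA(config-ge-1/0/2)#"
IFACE_RE = re.compile(r"interface (\S+ \S+)$")
STACK_RE = re.compile(r"vlan-stacking vlan (\d+) stack-vlan (\d+)")
MAP_RE = re.compile(
    r"vlan-mapping vlan (\d+)(?: 8021p \d+)?(?: inner-vlan (\d+))?"
    r" map-vlan (\d+)(?: map-inner-vlan (\d+))?"
)

# Constructed configuration in the style of "show interface ... config" output.
SAMPLE_CONFIG = """
!
interface ge 1/0/2
vlan-stacking vlan 100 stack-vlan 1000
vlan-mapping vlan 100 map-vlan 3000
vlan-mapping vlan 300 map-vlan 1000
!
interface ge 1/0/3
port link-type dot1q-tunnel
vlan-mapping vlan 10 inner-vlan 20 map-vlan 30 map-inner-vlan 40
!
interface ge 1/0/4
vlan-stacking vlan 200 stack-vlan 2000
vlan-mapping vlan 100 map-vlan 1000
"""


def parse_interfaces(config_text):
    """Collect QinQ and VLAN mapping rules per interface from CLI or show-config text."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip()).strip()
        header = IFACE_RE.match(line)
        if header:
            current = interfaces.setdefault(header.group(1), {
                "basic_qinq": False, "stacking": [], "map_1to1": [], "map_2to2": []})
            continue
        if line in ("exit", "!"):
            current = None
        if current is None:
            continue
        stack, mapping = STACK_RE.match(line), MAP_RE.match(line)
        if line == "port link-type dot1q-tunnel":
            current["basic_qinq"] = True
        elif stack:
            current["stacking"].append((int(stack.group(1)), int(stack.group(2))))
        elif mapping:
            match_vlan, inner, map_vlan, map_inner = mapping.groups()
            if inner and map_inner:
                current["map_2to2"].append((int(match_vlan), int(map_vlan)))
            elif not inner and not map_inner:
                current["map_1to1"].append((int(match_vlan), int(map_vlan)))
            # 2:1 rules are recognised but not checked: the notes state no rule for them.
    return interfaces


def check_coexistence(config_text):
    """Return (interface, finding) pairs for rule combinations the notes rule out."""
    findings = []
    for name, cfg in parse_interfaces(config_text).items():
        if cfg["map_2to2"] and (cfg["basic_qinq"] or cfg["stacking"]):
            findings.append((name, "2:2 VLAN mapping configured together with QinQ"))
        stack_match = {match for match, _ in cfg["stacking"]}
        stack_outer = {outer for _, outer in cfg["stacking"]}
        for match_vlan, map_vlan in cfg["map_1to1"]:
            if match_vlan in stack_match:
                findings.append(
                    (name, f"VLAN {match_vlan} matched by both selective QinQ and 1:1 mapping"))
            if map_vlan in stack_outer:
                findings.append(
                    (name, f"VLAN {map_vlan} is the result of both selective QinQ and 1:1 mapping"))
    return findings


if __name__ == "__main__":
    for interface, finding in check_coexistence(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```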

2.5.5 Checking configurations


Use the following commands to check configuration results.

No.   Command                               Description
1     Raisecom#show vlan-mapping interface  Show configurations of VLAN mapping rules on the interface.

2.5.6 Example for configuring VLAN mapping

Scenario
As shown in Figure 2-12, GE 1/0/2 and GE 1/0/3 on Switch A are connected to Department E
using VLAN 100 and Department F using VLAN 200; GE 1/0/2 and GE 1/0/3 on Switch A
are connected to Department C using VLAN 100 and Department D using VLAN 200. The
carrier's network uses VLAN 1000 to transmit services between Department E and
Department C and uses VLAN 2008 to transmit services between Department F and
Department D.
Configure 1:1 VLAN mapping between Switch A and Switch B to implement normal
communication inside each department.

Figure 2-12 VLAN mapping networking

Configuration steps
Configure Switch A and Switch B.
Configuration steps for Switch A and Switch B are the same. Take Switch A for example.
Step 1 Create VLANs 100, 200, 1000, and 2008, and activate them.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 100,200,1000,2008

Step 2 Configure GE 1/0/1 to Trunk mode, allowing packets of VLAN 1000 and VLAN 2008 to pass.

SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan 1000,2008
SwitchA(config-ge-1/0/1)#exit

Step 3 Configure GE 1/0/2 to Trunk mode, allowing packets of VLAN 100 to pass. Configure
VLAN mapping rules.

SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/2)#port trunk allow-pass vlan 100
SwitchA(config-ge-1/0/2)#vlan-mapping vlan 100 map-vlan 1000
SwitchA(config-ge-1/0/2)#exit

Step 4 Configure GE 1/0/3 to Trunk mode, allowing packets of VLAN 200 to pass. Configure
VLAN mapping rules.

SwitchA(config)#interface ge 1/0/3
SwitchA(config-ge-1/0/3)#port link-type trunk
SwitchA(config-ge-1/0/3)#port trunk allow-pass vlan 200
SwitchA(config-ge-1/0/3)#vlan-mapping vlan 200 map-vlan 2008

Checking results
Use the show vlan-mapping interface command to show configurations of 1:1 VLAN
mapping.

SwitchA#show vlan-mapping interface
Interface  MatchVlan(vlan/8021p)  MapVlan(vlan/8021p)
---------------------------------------------------------------------------
ge-1/0/2   inner: -               inner: -/-
           outer: 100/-           outer: 1000/-
ge-1/0/3   inner: -               inner: -/-
           outer: 200/-           outer: 2008/-
---------------------------------------------------------------------------

2.6 MRP/VRP
2.6.1 Introduction
Multiple Registration Protocol (MRP) is an attribute registration protocol, which can be used
to transfer attribute information. Multiple VLAN Registration Protocol (MVRP) is an
application of MRP, which is used to advertise and learn VLAN configurations between
devices. Through MVRP, devices in the LAN can automatically synchronize VLAN
configurations, greatly reducing VLAN configuration work by the network administrator.

MRP messages
MRP messages include the Join message, New message, Leave message, and LeaveAll
message.
• Join message: when an MRP entity is configured with certain attributes and requires the
peer entity to register its attribute information, it will send a Join message to the peer
entity. When the MRP peer entity receives a Join message, it registers the attributes in
the Join message and advertises the Join message to other entities of the device. After
receiving the advertised Join message, other entities send a Join message to their peer
entities.
• New message: the functions of a New message are similar to those of a Join message.
Both messages are used to declare attributes. The difference is that the New message is
used for Multiple Spanning Tree Protocol (MSTP) topology changes.
• Leave message: when an MRP entity deregisters certain attributes and needs to
synchronously deregister these attributes on the peer entity, it will send a Leave message
to the peer entity. When the MRP peer entity receives the Leave message from the entity,
it will deregister the attributes in the Leave message and advertise the Leave message to
other entities on the device. After receiving the advertised Leave message, other entities
will use the attributes in the Leave message to determine their status on the device and
decide whether to send the Leave message to their peer entities (for example, if the
attribute in the Leave message is a VLAN, the VLAN is a dynamic VLAN, and there are
no entities registered with the VLAN on this device, the peer entity deletes the VLAN on
the device and sends the Leave message to the entity; if the VLAN is a static VLAN, the
peer entity does not send the Leave message to the peer entity).
• LeaveAll message: each MRP entity starts its own LeaveAll timer when it starts. When
the LeaveAll timer expires, the MRP entity will send a LeaveAll message to the peer
entity. When an MRP entity sends or receives a LeaveAll message, it starts the Leave
timer and determines whether to send a Join message based on its own attribute status
and require the peer entity to re-register a certain attribute. Before the Leave timer
expires, the entity re-registers the attributes in the Join message received from the peer
entity. After the Leave timer expires, all unregistered attributes are deregistered, thereby
periodically clearing the garbage attributes on the network.
The Leave message or LeaveAll message cooperates with the Join message to deregister or
reregister attributes. Through message exchange, all attributes to be registered can be
transmitted to all MRP entities in the same LAN.

MRP timers
The interval for sending the MRP message is controlled by timers. MRP defines four timers to
control the interval.
• Periodic timer: each MRP entity starts its own Periodic timer when it starts to control the
periodic sending of MRP messages. Before the Periodic timer expires, the MRP entity
collects the MRP messages that need to be sent. After the Periodic timer expires, the
MRP entity encapsulates all the MRP messages that need to be sent into as few messages
as possible and sends them out, thereby reducing the number of messages sent. Then, the
MRP entity restarts the Periodic timer to start a new cycle.
• Join timer: it is used to control the sending of Join messages. To ensure that Join
messages can be reliably sent to the peer entity, the MRP entity starts the Join timer
when sending Join messages. If the entity receives a JoinIn message from the peer entity
before the timer expires, and the properties in the JoinIn message match those in the sent
Join message, the entity will not resend the Join message; otherwise, after the timer
expires, when the Periodic timer also expires, the entity will send the Join message once.
• Leave timer: it is used to control attribute deregistration. When an MRP entity receives a
Leave message (or sends or receives a LeaveAll message) from the peer entity, it starts
the Leave timer. If it receives a Join message from the peer entity before the Leave timer
expires, and the properties in the Join message match those in the received Leave
message (or match some properties in the LeaveAll message received or sent), these
properties will not be deregistered in the current entity, and other properties will be
deregistered after the timer expires.
• LeaveAll timer: each MRP entity starts its own LeaveAll timer when it starts. When the
LeaveAll timer expires, the MRP entity will send a LeaveAll message to the peer entity,
and then restart the LeaveAll timer to start a new cycle. The peer entity also restarts the
LeaveAll timer after receiving the LeaveAll message.
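
The Leave and LeaveAll behaviour described under "MRP messages" and "MRP timers", modelled as an added Python example. It is not Raisecom code and not the complete IEEE state machine; the class and method names are hypothetical and time is counted in abstract ticks.

```python
"""Toy model of MRP attribute registration on one port (added illustration)."""
from dataclasses import dataclass, field


@dataclass
class MrpRegistrar:
    leave_time: int                                # length of the Leave timer, in ticks
    registered: set = field(default_factory=set)   # attributes (for MVRP: VLAN IDs) currently registered
    leaving: dict = field(default_factory=dict)    # attribute -> tick at which its Leave timer expires

    def on_join(self, attr):
        """Join (or New) received: register the attribute and cancel pending deregistration."""
        self.registered.add(attr)
        self.leaving.pop(attr, None)

    def on_leave(self, attr, now):
        """Leave received: start the Leave timer for this attribute only."""
        if attr in self.registered:
            # Modelling choice: a timer that is already running keeps its earlier deadline.
            self.leaving.setdefault(attr, now + self.leave_time)

    def on_leave_all(self, now):
        """LeaveAll sent or received: start the Leave timer for every registered attribute."""
        for attr in self.registered:
            self.leaving.setdefault(attr, now + self.leave_time)

    def tick(self, now):
        """Deregister every attribute whose Leave timer has expired and return that set."""
        expired = {attr for attr, deadline in self.leaving.items() if now >= deadline}
        for attr in expired:
            del self.leaving[attr]
            self.registered.discard(attr)
        return expired


def run_scenario():
    """VLANs 5-7 are registered; after a LeaveAll only 5 and 6 are declared again."""
    reg = MrpRegistrar(leave_time=15)
    for vlan in (5, 6, 7):
        reg.on_join(vlan)
    reg.on_leave_all(now=100)      # every registration is now pending deregistration
    reg.on_join(5)                 # the peer re-declares VLAN 5 and VLAN 6 in time
    reg.on_join(6)
    removed = reg.tick(now=115)    # Leave timer expiry: the stale VLAN 7 is cleared
    return sorted(reg.registered), sorted(removed)


if __name__ == "__main__":
    print(run_scenario())
```

In this model a registration that is never declared again survives for at most one Leave timer after a Leave or LeaveAll, which is the periodic clean-up the text describes.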

MVRP
Multiple VLAN Registration Protocol (MVRP) is an MRP application. Based on MRP
working mechanism, it maintains VLAN dynamic registration information about the switch,
and sends the information to other switches.
All MRP-supportive switches can receive VLAN registration information from other switches,
and dynamically update local VLAN registration information. In addition, all MRP-supportive
switches can send local VLAN registration information to other switches so that they have
consistent VLAN registration information in the same VLAN. VLAN registration information
sent by MVRP includes manually configured local static registration information and dynamic
registration information from other switches.
MRP has three registration modes:
• Normal: in this mode, MVRP allows dynamic registration and deregistration of VLANs,
and sends dynamic and static VLAN information.
• Fixed: in this mode, MVRP forbids dynamic registration and deregistration of VLANs,
and sends static VLAN information rather than dynamic VLAN information to other
MVRP members.
• Forbidden: in this mode, MVRP forbids dynamic registration and deregistration of
VLANs, forbids creating static VLANs on the interface, deletes all VLANs except
VLAN 1, allows packets of the default VLAN (VLAN 1) to pass, and transmits packets
of the default VLAN to other MVRP members.
As shown in Figure 2-13, configuring VLANs on multiple devices on a network and allowing
packets of the specified VLAN to pass is complex. By using MVRP to dynamically register
and transmit the specified VLAN, the network administrator can improve working efficiency
and accuracy.

Figure 2-13 Principles of MVRP

As shown in Figure 2-13, GE 1/0/1 on Switch 1, GE 1/0/1 and GE 1/0/2 on Switch 2, and GE
1/0/1 on Switch N are Trunk interfaces. Create VLANs 5–50 on Switch 1, and then these
VLANs will be dynamically registered on the Rx interface along the red direction until
Switch N is registered. Create VLANs 51–100 on Switch N, and then these VLANs will be
dynamically registered on the Rx interface along the blue direction so that each switch can
completely process packets of VLANs 5–100.

2.6.2 Preparing for configurations

Scenario
MVRP enables configurations of an MVRP member to spread quickly to all MVRP-enabled
devices in the LAN.
The values of the Join timer, Leave timer, and LeaveAll timer configured through MVRP
will be applied to all MVRP applications in the LAN.

Prerequisite
N/A

2.6.3 Default configurations


Default configurations of MVRP are as below.

Function                  Default value
Global MVRP status        Disable
Interface MVRP status     Disable
MVRP registration mode    Normal

2.6.4 Configuring basic functions of MVRP


Configure basic functions of MVRP for the device as below.

Step  Command                                                                     Description
1     Raisecom#configure                                                          Enter global configuration mode.
2     Raisecom(config)#mvrp start                                                 Enable global MVRP.
3     Raisecom(config)#interface interface-type interface-number                  Enter physical interface configuration mode.
4     Raisecom(config-ge-1/0/*)#port link-type trunk                              Configure the interface to Trunk mode.
5     Raisecom(config-ge-1/0/*)#mvrp registration { fixed | forbidden | normal }  Configure the MVRP registration mode.
6     Raisecom(config-ge-1/0/*)#mvrp enable                                       Enable interface MVRP.

• Interface MVRP can be enabled only after the interface is configured to Trunk
mode.
• We do not recommend enabling MVRP on a LAG member interface.

2.6.5 Checking configurations


Use the following commands to check configuration results.

No.  Command                                                                     Description
1    Raisecom#show mvrp config                                                   Show MVRP configurations.
2    Raisecom#show mvrp                                                          Show the interface status of MVRP.
3    Raisecom#show mvrp interface interface-type interface-number vlan vlan-id   Show configurations of the MVRP timer.

2.6.6 Example for configuring MVRP

Networking requirements
As shown in Figure 2-14, to dynamically register, deregister, and update VLAN information
between switches, configure MVRP on these switches. Detailed requirements are as below:
• Configure static VLANs 5–10 on Switch A and Switch C.
• Configure static VLANs 15–20 on Switch D.
• Configure static VLANs 25–30 on Switch E.
• Configure the interfaces that are connected to other switches to Trunk mode, and enable
MVRP on these interfaces.
• Configure the Join timer, Leave timer, and LeaveAll timer of MVRP on each interface to
3000, 15000, and 20000, in units of 10 ms.

Figure 2-14 MVRP networking

Configuration steps
Step 1 Create VLANs and enable global MVRP.

Configure Switch A.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 5-10
SwitchA(config)#mvrp start

Configure Switch B.

Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#mvrp start

Configure Switch C.

Raisecom#hostname SwitchC
SwitchC#configure
SwitchC(config)#vlan 5-10
SwitchC(config)#mvrp start

Configure Switch D.

Raisecom#hostname SwitchD
SwitchD#configure
SwitchD(config)#vlan 15-20
SwitchD(config)#mvrp start

Configure Switch E.

Raisecom#hostname SwitchE
SwitchE#configure
SwitchE(config)#vlan 25-30
SwitchE(config)#mvrp start

Step 2 Configure GE 1/0/1, GE 1/0/2, and GE 1/0/3 on Switch A, GE 1/0/1, GE 1/0/2, and GE 1/0/3
on Switch B, GE 1/0/1 on Switch C, and GE 1/0/1 on Switch D to Trunk mode, and enable
MVRP on them. Take GE 1/0/1 on Switch A for example. Configurations of other interfaces
are the same.

SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan all
SwitchA(config-ge-1/0/1)#mvrp enable
SwitchA(config-ge-1/0/1)#exit

Step 3 Configure MVRP timers of GE 1/0/1, GE 1/0/2, and GE 1/0/3 on Switch A, GE 1/0/1, GE
1/0/2, and GE 1/0/3 on Switch B, GE 1/0/1 on Switch C, and GE 1/0/1 on Switch D, and
enable MVRP on them. Take GE 1/0/1 on Switch A for example. Configurations of other
interfaces are the same.

SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#mvrp timer join 3000
SwitchA(config-ge-1/0/1)#mvrp timer leave 15000
SwitchA(config-ge-1/0/1)#mvrp timer leave-all 20000

Checking results
Use the show mvrp command to show MVRP configurations on the interface.
Take Switch A for example.

SwitchA#show mvrp

Version : MVRP_Vl3.10.00.00
Compliance-GVRP : disable
Interface  JoinTime(ms)  LeaveTime(ms)  LeaveAllTime(ms)  PeriodicTime(ms)  Mode    State
---------------------------------------------------------------------------------------------
ge 1/0/1   3000          15000          20000             --                normal  enable

Use the show vlan command to view information about VLANs on the device. Take Switch A
for example.

SwitchA#show vlan
NOTE:
S: supervlan P: pvlan N: normal

Vlan  Type      Ports('M': member , '-': not member)
--------------------------------------------------------------------------------
1     N/static  untagged: ge-1/0/1<->ge-1/0/16        MMMMMMMM MMMMMMMM
                          ge-1/0/17<->ge-1/0/32       MMMMMMMM MMMMMMMM
                          ge-1/0/33<->ge-1/0/48       MMMMMMMM MMMMMMMM
                          10ge-1/0/49<->10ge-1/0/54   MMMMMM
2     N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
3     N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
4     N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
5     N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
6     N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
7     N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
8     N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
9     N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
10    N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
20    N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16        M------- --------
--------------------------------------------------------------------------------
Total: 11 Static: 1 Dynamic: 10
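
Because Normal mode lets a neighboring switch register VLANs on a Trunk interface, it is worth comparing what was learned with what was planned. The added Python example below (not from the guide) parses output in the show vlan layout above, expands the 'M'/'-' membership map into port names, and lists VLANs learned through MVRP that fall outside the VLANs in the networking requirements (5–10, 15–20, 25–30). The sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the guide's "show vlan" output (not captured from a device).
SAMPLE_SHOW_VLAN = """\
Vlan  Type      Ports('M': member , '-': not member)
--------------------------------------------------------------------------------
1     N/static  untagged: ge-1/0/1<->ge-1/0/16   MMMMMMMM MMMMMMMM
                          ge-1/0/17<->ge-1/0/32  MMMMMMMM MMMMMMMM
5     N/static  tagged:   ge-1/0/1<->ge-1/0/16   MM------ --------
15    N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16   -M------ --------
99    N/mvrp    tagged:   ge-1/0/1<->ge-1/0/16   --M----- --------
--------------------------------------------------------------------------------
Total: 4  Static: 2  Dynamic: 2
"""

# VLANs planned in the guide's networking requirements.
PLANNED_VLANS = set(range(5, 11)) | set(range(15, 21)) | set(range(25, 31))

# "<vlan> <kind>/<origin> tagged|untagged: <port range and membership map>"
VLAN_ROW = re.compile(r"^\s*(\d+)\s+([A-Z])/(\w+)\s+(?:un)?tagged:\s*(.*)$")
# "<prefix><first><-><prefix><last>  <membership map>", e.g. ge-1/0/1<->ge-1/0/16 M------- --------
PORT_RANGE = re.compile(r"(\S+?)(\d+)<->\S+?(\d+)\s+([M\-\s]+)$")


def parse_show_vlan(text):
    """Return {vlan_id: {"origin": str, "ports": [port names]}} from show vlan text."""
    vlans, current = {}, None
    for line in text.splitlines():
        row = VLAN_ROW.match(line)
        if row:
            current = int(row.group(1))
            vlans[current] = {"origin": row.group(3).lower(), "ports": []}
            rest = row.group(4)
        else:
            rest = line                      # possibly a continuation line of the current VLAN
        rng = PORT_RANGE.match(rest.strip())
        if current is None or not rng:
            continue                         # header, separator or totals line
        prefix, first, last = rng.group(1), int(rng.group(2)), int(rng.group(3))
        flags = "".join(rng.group(4).split())
        # Position i in the membership map corresponds to port number first + i.
        for offset, flag in enumerate(flags[: last - first + 1]):
            if flag == "M":
                vlans[current]["ports"].append(f"{prefix}{first + offset}")
    return vlans


def audit_dynamic_vlans(text, planned):
    """Return [(vlan_id, ports)] for VLANs learned through MVRP that were not planned."""
    findings = []
    for vid, info in sorted(parse_show_vlan(text).items()):
        if info["origin"] == "mvrp" and vid not in planned:
            findings.append((vid, info["ports"]))
    return findings


if __name__ == "__main__":
    for vid, ports in audit_dynamic_vlans(SAMPLE_SHOW_VLAN, PLANNED_VLANS):
        print(f"unplanned dynamic VLAN {vid} registered on {', '.join(ports)}")
```

For an interface where such findings should never occur, the Fixed registration mode described in 2.6.1 stops dynamic registration on that interface.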

3 IP services

This chapter describes basic principles and configuration procedures for IP services, and
provides related configuration examples, including the following sections:
• IP basis
• Loopback interface
• SLAAC
• ARP
• NDP
• Static route
• Policy routing

3.1 IP basis
3.1.1 Introduction
The IP interface is a virtual interface based on VLAN, so it is applied when the device needs
to be managed by the NMS or multiple devices need to be routed and connected.
The device supports the double-tagged management VLAN packets, and it can send and
process double-tagged packets.

3.1.2 Preparing for configurations

Scenario
Configure the IP address of each VLAN interface, SNMP interface, or loopback interface.

Prerequisite
• Create VLANs.
• Activate them.

3.1.3 Default configurations of VLAN interface


Default configurations of the VLAN interface are as below.

Function                           Default value
Management VLAN inner TPID         0x8100
Management VLAN inner VLAN         1
Initial IP address of the device   192.168.0.1

3.1.4 Configuring the IPv4 address of the VLAN interface


Configure the IPv4 address of the VLAN interface for the device as below.

Step  Command                                                          Description
1     Raisecom#configure                                               Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id                                    Create a VLAN.
3     Raisecom(config)#interface vlan vlan-id                          Enter VLAN interface configuration mode.
4     Raisecom(config-vlanif-*)#ip address ip-address [ ip-mask ]      Configure the primary IP address of the VLAN interface.
                                                                       Use the no ip address ip-address command to delete the
                                                                       configuration of the primary IP address.
5     Raisecom(config-vlanif-*)#ip address ip-address [ ip-mask ] sub  Configure the secondary IP address of the VLAN interface.
                                                                       Use the no ip address ip-address command to delete the
                                                                       configuration of the secondary IP address.

3.1.5 Configuring the IPv6 address of the interface


Configure the IPv6 address of the interface for the device as below.

Step  Command                                                             Description
1     Raisecom#configure                                                  Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id                                       Create a VLAN.
3     Raisecom(config)#interface vlan vlan-id                             Enter VLAN interface configuration mode.
4     Raisecom(config-vlanif-*)#ipv6 enable                               Enable the IPv6 address of the VLAN interface.
5     Raisecom(config-vlanif-*)#ipv6 address ipv6-address/prefix-length   Configure the IPv6 address of the VLAN interface.
      Raisecom(config-vlanif-*)#ipv6 address ipv6-address link-local
6     Raisecom(config-vlanif-*)#ipv6 address auto global                  Enable the function of automatically generating the global
                                                                          IPv6 interface from the stateless IPv6 interface of the
                                                                          vlanif interface.

3.1.6 Checking configurations


Use the following commands to check configuration results.

No.  Command                              Description
1    Raisecom#show ip interface brief     Show configurations of the IP address of the VLAN interface.
2    Raisecom#show ipv6 interface brief   Show configurations of the IPv6 address of the VLAN interface.

3.1.7 Example for configuring the VLAN interface to interconnect with the host

Networking requirements
As shown in Figure 3-1, configure the VLAN interface on the switch so that the host and the
device can ping each other.

Figure 3-1 VLAN interface networking

Configuration steps
Step 1 Create a VLAN, and add the interface to the VLAN.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port hybrid pvid 10
Raisecom(config-ge-1/0/1)#port hybrid vlan 10 untagged
Raisecom(config-ge-1/0/1)#quit

Step 2 Create a Layer 3 interface 10 on the device, configure its IP address, and associate it with the
VLAN.

Raisecom(config)#interface vlan 10
Raisecom(config-vlan10)#ip address 192.168.1.2 255.255.255.0

Checking results
Use the show vlan command to show mapping between the physical interface and VLAN.

Raisecom#show vlan 10

vlan-10 information:
------------------------------------------------------------
Description :
Admin state : up
Operation state : down
Vlan type : normal
Vlan status : static
Unknown multicast state : forward
Unknown unicast state : forward
IPv4 address total number : 0
IPv6 address total number : 0

Ports :
Interface Tagged
--------------------------------------
ge-1/0/1 Untag
------------------------------------------------------------

Use the show ip interface command to show configurations of the Layer 3 interface.

Raisecom#show ip interface
Total number: 2
Interface    State(a/o)  Addr/Prefix      Role     Type    Vpn-instance
----------------------------------------------------------------------------------------------------
loopback-0   up/up       127.0.0.1/8      primary  auto    N/A
vlan-10      up/up       192.168.1.2/24   primary  static  N/A
----------------------------------------------------------------------------------------------------

Use the ping command to check whether the device and PC can ping each other.

Raisecom#ping 192.168.1.3
PING 192.168.1.3 : 64 data bytes
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=1
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=2
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=3
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=4
Reply from 192.168.1.3: bytes=64 time=0ms TTL=64 icmp_seq=5
PING Statistics for 192.168.1.3
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/0/0

3.2 Loopback interface


3.2.1 Introduction
The loopback interface is a virtual interface and can be classified into two types:
• Loopback interface automatically created by the system: the IP address is fixed to
127.0.0.1. This type of interface receives packets sent to the device. It does not
broadcast packets through routing protocols.
• Loopback interface created by users: without affecting physical interface configurations,
configure a local interface with a specified IP address, and make the interface Up
permanently so that packets can be broadcast through routing protocols.
The loopback interface status is independent of the physical interface status (Up/Down). As
long as the device is working normally, the loopback interface will not become Down. Thus, its
address is used as a management address to identify the physical device.

3.2.2 Preparing for configurations

Scenario
Use the IP address of the loopback interface to log in through Telnet so that the Telnet
operation does not become Down due to change of physical status. To enable the PC to ping
through the IP address of the loopback interface, configure the corresponding static route
entry on the PC. The loopback interface ID is also used as the router ID of dynamic routing
protocols, such as OSPF, to uniquely identify a device.

Prerequisite
N/A

3.2.3 Default configurations of the Loopback interface


N/A

3.2.4 Configuring the IP address of the Loopback interface


Configure the IP address of the Loopback interface for the device as below.

Step  Command                                                               Description
1     Raisecom#configure                                                    Enter global configuration mode.
2     Raisecom(config)#interface loopback loopback-number                   Enter Loopback interface configuration mode.
3     Raisecom(config-loopback-*)#ip address ip-address [ ip-mask ] [ sub ] Configure the IP address of the Loopback interface.
4     Raisecom(config-loopback-*)#ipv6 enable                               Enable the IPv6 address of the Loopback interface.
5     Raisecom(config-loopback-*)#ipv6 address ipv6-address/prefix-length   Configure the IPv6 address of the Loopback interface.
      Raisecom(config-loopback-*)#ipv6 address ipv6-address link-local

3.2.5 Checking configurations


Use the following commands to check configuration results.

No.  Command                                              Description
1    Raisecom#show interface loopback [ loopback-number ] Show configurations of the Loopback interface.

3.3 SLAAC
3.3.1 Introduction
Stateless Address Autoconfiguration (SLAAC) is the process for automatically configuring
the IPv6 address of the interface by the IPv6 node (host or router). It automatically
implements some tasks of the network administrator.

3.3.2 Preparing for configurations

Scenario
The node generates various IPv6 addresses by combining an address prefix with an
interface identifier that is either derived from the MAC address of the node or specified by
the user. The prefixes include the local link prefix (fe80::/10) and the prefix with the length of
64 advertised by the local IPv6 router (if existing).

Prerequisite
N/A

3.3.3 Default configurations of SLAAC


Default configurations of SLAAC are as below.

Function   Default value
SLAAC      Disable

3.3.4 Enabling SLAAC


Step  Command                                              Description
1     Raisecom(config)#interface vlan vlan-id              Enter vlanif configuration mode.
2     Raisecom(config-vlanif-*)#ipv6 address auto global   Enable SLAAC.

3.3.5 Example for configuring SLAAC


Enable SLAAC.

Raisecom(config-vlanif-*)#ipv6 enable
Raisecom(config-vlanif-*)#ipv6 address auto global

3.4 ARP
3.4.1 Introduction
In a TCP/IP network environment, each host is assigned a 32-bit IP address, which is a logical
address used to identify hosts between networks. To transmit packets over a physical link, you
must know the physical address of the destination host, which requires mapping the IP
address to the physical address. In an Ethernet environment, the physical address is the 48-bit
MAC address. The system has to translate the 32-bit IP address of the destination host to the
48-bit Ethernet address to transmit packets to the destination host correctly. Address
Resolution Protocol (ARP) is applied to resolve the IP address to the MAC address and
configure the mapping between the IP address and MAC address.
The ARP address table contains the following two types of entries:
• Static entry: binds the IP address to the MAC address so that the mapping cannot be
changed by spoofed dynamic ARP learning.
− The static ARP address entry needs to be added/deleted manually.
− The static ARP address entry is not aged.
• Dynamic entry: MAC address automatically learned through ARP.

− The dynamic ARP address entry is automatically generated by the switch. You can adjust
some of its parameters manually.
− The dynamic ARP address entry will be aged after the aging time if not used.

3.4.2 Preparing for configurations

Scenario
The mapping between the IP address and MAC address is saved in the ARP address table.
Generally, the ARP address table is dynamically maintained by the device. The device
searches for the mapping between the IP address and MAC address automatically according to
ARP. You need to configure the device manually only to add static ARP address entries,
which prevent the mapping from being changed by spoofed dynamic ARP learning.

Prerequisite
N/A

3.4.3 Default configurations of ARP


Default configurations of ARP are as below.

Function                            Default value
Static ARP entry                    N/A
Aging time of dynamic ARP entries   1200s

3.4.4 Configuring static ARP entries

• The IP address in a static ARP entry must belong to the IP network segment of the
Layer 3 interface on the switch.
• The static ARP entry needs to be added and deleted manually.
Configure static ARP entries for the device as below.

Step  Command                                                                             Description
1     Raisecom#configure                                                                  Enter global configuration mode.
2     Raisecom(config)#arp static ip-address mac-address interface-type interface-number  Configure static ARP entry.

3.4.5 Configuring dynamic ARP entries


Configure dynamic ARP entries for the device as below.

Step  Command                               Description
1     Raisecom#configure                    Enter global configuration mode.
2     Raisecom(config)#arp aging-time time  Configure the aging time of dynamic ARP entries.

3.4.6 Checking configurations


Use the following commands to check configuration results.

No. Command Description


1 Raisecom#show arp Show information about entries in the ARP address table.

3.4.7 Maintenance
Maintain the device as below.

Command                                                  Description
Raisecom(config)#flush arp [ all | dynamic | static ]    Clear all entries in the ARP address table.

3.4.8 Example for configuring ARP

Networking requirements
As shown in Figure 3-2, the device is connected to the host, and is also connected to the
upstream Router through GE 1/1/1. For the Router, the IP address and subnet mask are
192.168.1.10/24, and the MAC address is 0050-8d4b-fd1e.
To improve communication security between the Switch and Router, you need to configure
the related static ARP entry on the device.

Figure 3-2 Configuring ARP networking

Configuration steps
Step 1 Create VLAN 3.

Raisecom#configure
Raisecom(config)#vlan 3

Step 2 Add interface GE 1/0/1 to VLAN 3.

Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port hybrid pvid 3
Raisecom(config-ge-1/0/1)#port hybrid vlan 3 untagged
Raisecom(config-ge-1/0/1)#quit

Step 3 Create interface VLANIF3.

Raisecom(config)#interface vlan 3

Step 4 Configure the IP address of the interface VLANIF3.

Raisecom(config-vlanif-3)#ip address 192.168.1.1/24
Raisecom(config-vlanif-3)#quit

Step 5 Add a static ARP entry.

Raisecom#configure
Raisecom(config)#arp static 192.168.1.10 00:50:8d:4b:fd:1e ge 1/0/1

Checking results
Use the show arp command to show configurations of the ARP address table.

Raisecom#show arp
Arp aging time: 1200 (s)
Arp entry types: D-Dynamic , S-Static, I-Interface , DH-Dhcp, B-Bgp, INV-Invalid

IP-addr       Mac-addr        Type  Aging  Vlan(O/I)  Interface  Vpn-instance
-----------------------------------------------------------------------------------------------------------
192.168.1.1   0002:5600:0001  I     -      -/-        vlan-3     N/A
192.168.1.10  0050:8d4b:fd1e  S     -      3/-        ge-1/0/1   N/A
-----------------------------------------------------------------------------------------------------------
Total: 2 Dynamic: 0 Static: 1 Bgp: 0 Other: 1
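
To confirm that the addresses you meant to pin really are static, the added Python example below (not from the guide) parses output in the show arp layout above and compares it with a table of intended bindings. It normalizes the three MAC notations this section uses (0050-8d4b-fd1e in the text, 00:50:8d:4b:fd:1e in the command, 0050:8d4b:fd1e in the output). The sample output, the two extra bindings, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the guide's "show arp" output (not captured from a device).
SAMPLE_SHOW_ARP = """\
Arp aging time: 1200 (s)
Arp entry types: D-Dynamic , S-Static, I-Interface , DH-Dhcp, B-Bgp, INV-Invalid
IP-addr        Mac-addr         Type  Aging  Vlan(O/I)  Interface  Vpn-instance
---------------------------------------------------------------------------------
192.168.1.1    0002:5600:0001   I     -      -/-        vlan-3     N/A
192.168.1.10   0050:8d4b:fd1e   S     -      3/-        ge-1/0/1   N/A
192.168.1.20   0011:2233:4455   D     1180   3/-        ge-1/0/2   N/A
192.168.1.30   00aa:bbcc:ddee   D     900    3/-        ge-1/0/2   N/A
---------------------------------------------------------------------------------
Total: 4 Dynamic: 2 Static: 1 Bgp: 0 Other: 1
"""

# Bindings the operator intends to pin. The first is the Router from the guide's example,
# written in the notation of the guide's text; the other two are hypothetical.
EXPECTED_BINDINGS = {
    "192.168.1.10": "0050-8d4b-fd1e",
    "192.168.1.20": "00:11:22:33:44:55",
    "192.168.1.30": "00:aa:bb:cc:dd:ff",
}

# Only the first three columns are needed, so a wrapped Interface column does not matter.
ARP_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f:.\-]+)\s+(D|S|I|DH|B|INV)\s")


def normalize_mac(mac):
    """Reduce any of the MAC notations to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def parse_show_arp(text):
    """Return {ip: (normalized_mac, entry_type)} from show arp text."""
    entries = {}
    for line in text.splitlines():
        row = ARP_ROW.match(line.strip())
        if row:
            entries[row.group(1)] = (normalize_mac(row.group(2)), row.group(3))
    return entries


def audit_arp(text, expected):
    """Return [(ip, problem)] for every intended binding that is not pinned correctly."""
    seen = parse_show_arp(text)
    findings = []
    for ip, mac in sorted(expected.items()):
        if ip not in seen:
            findings.append((ip, "missing"))
            continue
        learned_mac, entry_type = seen[ip]
        if learned_mac != normalize_mac(mac):
            findings.append((ip, "mac-mismatch"))   # table maps the IP to another MAC
        elif entry_type != "S":
            findings.append((ip, "not-static"))     # right MAC, but still open to relearning
    return findings


if __name__ == "__main__":
    for ip, problem in audit_arp(SAMPLE_SHOW_ARP, EXPECTED_BINDINGS):
        print(f"{ip}: {problem}")
```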

3.5 NDP
3.5.1 Introduction
Neighbor Discovery Protocol (NDP) is a neighbor discovery mechanism used on IPv6 devices
in the same link. It is used to discover neighbors, obtain MAC addresses of neighbors, and
maintain neighbor information.
NDP obtains data link layer addresses of neighbor devices in the same link, namely, MAC
address, through the Neighbor Solicitation (NS) message and Neighbor Advertisement (NA)
message.

Figure 3-3 Principles of NDP address resolution

As shown in Figure 3-3, take Switch A for example. Switch A obtains the data link layer
address of Switch B as below:
Step 1 Switch A sends an NS message in multicast mode. The source address of the NS message is the
IPv6 address of the VLAN interface on Switch A, and the destination address of the NS
message is the solicited-node multicast address of Switch B. The NS message also
contains the data link layer address of Switch A.
Step 2 After receiving the NS message, Switch B judges whether the destination address of the NS
message is the solicited-node multicast address corresponding to the IPv6 address of
Switch B. If yes, Switch B can obtain the data link layer address of Switch A, and sends an NA
message, which contains its own data link layer address, in unicast mode.
Step 3 After receiving the NA message from Switch B, Switch A obtains the data link layer address
of Switch B.
By sending ICMPv6 messages, IPv6 NDP also provides the following functions:
• Verify whether the neighbor is reachable.
• Detect duplicated addresses.
• Discover routers or prefixes.
• Automatically configure addresses.
• Support redirection.

3.5.2 Preparing for configurations

Scenario
IPv6 NDP not only implements the functions of IPv4 ARP, ICMP redirection, and ICMP device
discovery, but also supports detecting whether the neighbor is reachable.

Prerequisite
• Connect interfaces.
• Configure physical parameters to make interfaces Up at the physical layer.
• Configure the IPv6 address of the VLAN interface.

3.5.3 Default configurations of NDP


Default configurations of NDP are as below.

Function                     Default value
Aging time of dynamic NDPs   1200s

3.5.4 Configuring static neighbor entries


To resolve the IPv6 address of a neighbor into the data link layer address, you can use the NS
message and NA message, or manually configure static neighbor entries.
Configure static neighbor entries for the device as below.

Step  Command                                                                                         Description
1     Raisecom#configure                                                                              Enter global configuration mode.
2     Raisecom(config-vlanif-*)#ipv6 neighbor ipv6-address mac-address interface-type interface-number Configure static neighbor entries.

3.5.5 Configuring the aging time of dynamic NDPs


NDP entries are not permanently valid but valid for only a period. After the period expires, an
NDP entry will be deleted if it is not updated. The period is called the aging time.
Configure the aging time of dynamic NDPs for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#ipv6 nd lifetime { aging-time | default }  Configure the aging time of dynamic NDPs.

3.5.6 Checking configurations


Use the following commands to check configuration results.

No.  Command                      Description
1    Raisecom#show ipv6 neighbor  Show information about all NDP neighbors.

3.5.7 Maintenance
Maintain the device as below.

Command                                                         Description
Raisecom(config)#flush ipv6 neighbor [ all | dynamic | static ] Clear information about all IPv6 neighbors.

3.6 Static route


3.6.1 Introduction
A route is required for communication among different devices in one VLAN or in different
VLANs. The route is used to transmit packets through the network to their destination; the
device forwards packets according to the routing table.

Default route
The default route is a special route that can be used only when there is no matched item in the
routing table. The default route appears as a route to network 0.0.0.0 (with mask 0.0.0.0) in
the routing table. You can show configurations of the default route by using the show ip route
command. If the device has not been configured with default route and the destination IP of
the packet is not in the routing table, the device will discard the packet and return an ICMP
packet to the Tx end to inform that the destination address or network is unavailable.

Static route
A static route is a route configured manually, so it places low requirements on the system.
It is suitable for simple, small, and stable networks. The disadvantage is that it cannot adapt to
network topology changes automatically and needs manual intervention.

3.6.2 Preparing for configurations

Scenario
Configure the static route for simple network topology manually to establish an
intercommunication network.

Prerequisite
Configure the IP address of the VLAN interface correctly.

3.6.3 Configuring the static route


Configure the static route for the device as below.

Step  Command                                                      Description
1     Raisecom#configure                                           Enter global configuration mode.
2     Raisecom(config)#ip route-static ip-address mask-address     Configure the IPv4 static route.
      nexthop-address { preference preference-value }
3     Raisecom(config)#ipv6 route-static ipv6-address mask-length  Configure the IPv6 static route.
      ipv6-nexthop-address { preference preference-value }

3.6.4 Checking configurations


Use the following commands to check configuration results.

No.   Item                                          Description
1     Raisecom#show ip route                        Show information about the routing table.
      Raisecom#show ipv6 route
2     Raisecom#show { ip | ipv6 } route statistics  Show route statistics.

3.6.5 Example for configuring the static route

Networking requirements
Configure static routes so that any two hosts or devices can ping each other, as shown in
Figure 3-4.


Figure 3-4 Configuring the static route

Configuration steps
Step 1 Configure the IP address of each device. Detailed configurations are omitted.
Step 2 Configure the static route on Switch A.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#ip route-static 10.1.1.0 255.255.255.0 10.1.2.4
SwitchA(config)#ip route-static 10.1.4.0 255.255.255.0 10.1.3.4

Step 3 Configure the default gateway on Switch B.

Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#ip route-static 0.0.0.0 0.0.0.0 10.1.2.3

Step 4 Configure the default gateway on Switch C.

Raisecom#hostname SwitchC
SwitchC#configure
SwitchC(config)#ip route-static 0.0.0.0 0.0.0.0 10.1.3.3


Step 5 Configure the default gateway of host A to 10.1.5.3. Detailed configurations are omitted.
Configure the default gateway of host B to 10.1.1.3. Detailed configurations are omitted.
Configure the default gateway of host C to 10.1.4.3. Detailed configurations are omitted.

Checking results
Use the ping command to check whether any two devices can ping each other.

SwitchA#ping 10.1.1.3
PING 10.1.1.3 : 64 data bytes
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=1
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=2
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=3
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=4
Reply from 10.1.1.3: bytes=64 time=0ms TTL=64 icmp_seq=5
PING Statistics for 10.1.1.3
5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 0/0/0

3.7 Policy routing


3.7.1 Introduction

Overview
Traditionally, packets are forwarded by querying the forwarding table for the destination IP
address of the packet. When packets need to be forwarded based on the source IP address,
packet length, or another attribute of the packet, a different routing mechanism is required,
namely policy routing.
Policy routing, as the name suggests, forwards packets according to a configured policy. It is
therefore a more flexible routing mechanism than destination routing. When a router forwards
a data packet, it first filters the packet against the configured rules. If a rule matches,
the packet is forwarded according to the associated forwarding policy. A rule can be based on
a standard ACL, an extended ACL, or the packet length. The forwarding policy forwards the
packet according to the specified policy routing table, and it can also modify the IP
precedence of the packet. Policy routing is therefore an effective enhancement to traditional
IP routing.

Technical principle
Policy routing can route based on the source IP address, destination IP address, protocol
field, TCP source port number, TCP destination port number, UDP source port number, or UDP
destination port number. Any IP standard or extended ACL that can be configured can be used
as a matching rule for policy routing.
Policy routing determines the next-hop forwarding address or default IP address of an IP
packet not simply from the destination IP address but from a comprehensive consideration of
multiple factors. For example, policy routing can select the path for a data packet based on
the Differentiated Services Code Point (DSCP) field, source port number, destination port
number, and source IP address. Policy routing can implement traffic engineering to some
extent, allowing flows of different Quality of Service (QoS) or data of different properties
(voice and FTP) to take different paths.
Policy routing provides network managers with stronger control over packet forwarding and
storage than traditional routing protocols. Traditionally, the router uses the routing tables
derived from routing protocols to forward packets based on the destination address. Policy
routing is more capable and more flexible than traditional routing. It allows network
managers to choose forwarding paths based on not only the destination address but also the
protocol type, packet size, application, or IP source address. A policy can be defined as
the QoS for packet forwarding on the network based on load balancing across multiple routers
or total traffic.
The implementation of policy routing relies on chip support. Policy routing converts software
entries into hardware entries and stores them on the chip through commands or other
configuration interfaces. When traffic passes through the chip, the chip filters it according
to the policy routing hardware table.

3.7.2 Preparing for configurations

Scenario
Policy routing can meet the requirements of routing based on source IP address, destination IP
address, protocol field, TCP source port number, TCP destination port number, UDP source
port number, or UDP destination port number.

Prerequisite
Configure the IP address of the VLAN interface and ACL.

3.7.3 Configuring policy routing


Configure policy routing for the device as below.

Step  Command                                                                   Description
1     Raisecom#configure                                                        Enter global configuration mode.
2     Raisecom(config)#policy-route name { permit | deny } node node-id         Create a policy routing profile.
3     Raisecom(config-policy-route-xxx-1)#if-match acl-ipv4 acl-ipv4-number     Configure the matching rule of the ACL.
4     Raisecom(config-policy-route-xxx-1)#apply ip-address next-hop ip-address  Configure the next hop of the packet.
5     Raisecom(config-ge-1/0/*)#policy-route bind-policy policy-name            Apply policy routing to the physical interface.


3.7.4 Checking configurations


Use the following commands to check configuration results.

No.   Item                                         Description
1     Raisecom#show policy-route name policy-name  Show configurations of policy routing.

3.7.5 Example for configuring policy routing based on ACL

Networking requirements
As shown below, define a policy route named aaa. IP packets received from GE interface 1/0/1
are sent out of GE interface 1/0/2, with 192.168.1.2 as the IP address of the next hop. Other
packets are forwarded according to the result of querying the routing table.

Figure 3-5 Policy routing networking
[Figure labels: Switch A, Switch B, Switch C, GE1/0/1, GE1/0/2, GE1/0/3, 192.168.1.2/24]

Configuration steps
Step 1 Define the ACL, making ACL filter 1 match IP packets.

switch(config)#acl-ipv4 1001
switch(configure-acl-ipv4-1001)#rule 1 src-ip any dst-ip any
switch(configure-acl-ipv4-1001)#rule 1 action permit

Step 2 Define the rule and action of the policy.

switch(config)#policy-route policy1 permit node 1
switch(config-policy-route-policy1-1)#if-match acl-ipv4 1001
switch(config-policy-route-policy1-1)#apply ip-address next-hop 192.168.1.2
switch(config-policy-route-policy1-1)#quit


Step 3 Enable the policy on the interface.

Raisecom(config-ge-1/0/*)#policy-route bind-policy policy1

Checking results

switch(config-ge-1/0/1)#show policy-route policy1


policy-route : policy1
Node 1 : permit
if-match acl-ipv4 1001
apply ip-address next-hop 192.168.1.2
enabled port : ge-1/0/1
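
The forwarding order described in sections 3.6 and 3.7, as an added Python model (not Raisecom code and not part of the original guide): a policy route bound to the ingress port is checked first, and only unmatched packets reach the longest-prefix lookup in the routing table. It places ACL 1001, policy1 and Switch A's static routes from the examples above on one constructed switch; the first-match ACL evaluation, the handling of deny nodes, and NARROW_POLICY are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class AclRule:
    src: str      # CIDR prefix or "any"
    dst: str      # CIDR prefix or "any"
    action: str   # "permit" or "deny"


@dataclass(frozen=True)
class PolicyNode:
    node_id: int
    mode: str       # "permit" or "deny" keyword of the policy-route command
    acl: tuple      # rules of the ACL referenced by if-match acl-ipv4
    next_hop: str   # address given to apply ip-address next-hop


def _net(spec):
    return ANY if spec == "any" else ipaddress.ip_network(spec)


def acl_matches(acl, src, dst):
    """Assumption: the first rule covering the packet decides; no rule, no match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s in _net(rule.src) and d in _net(rule.dst):
            return rule.action == "permit"
    return False


def lookup_route(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if d in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def forward(in_port, src, dst, bindings, table):
    """Return (decided_by, next_hop) for one packet received on in_port."""
    for node in bindings.get(in_port, ()):
        if acl_matches(node.acl, src, dst):
            if node.mode == "permit":
                return ("policy-route", node.next_hop)
            break  # assumption: a matching deny node returns the packet to normal routing
    next_hop = lookup_route(table, dst)
    if next_hop is None:
        return ("discard", None)  # no matching route and no default route
    return ("routing-table", next_hop)


def overbroad_nodes(policy):
    """IDs of permit nodes whose ACL contains a permit any -> any rule."""
    return [n.node_id for n in policy if n.mode == "permit" and any(
        r.action == "permit" and _net(r.src) == ANY and _net(r.dst) == ANY
        for r in n.acl)]


# Values from the examples in sections 3.6.5 and 3.7.5 (masks written as /24).
ACL_1001 = (AclRule("any", "any", "permit"),)
POLICY1 = (PolicyNode(1, "permit", ACL_1001, "192.168.1.2"),)
BINDINGS = {"ge-1/0/1": POLICY1}
SWITCH_A_ROUTES = [("10.1.1.0/24", "10.1.2.4"), ("10.1.4.0/24", "10.1.3.4")]
# Constructed alternative: redirect only sources in 10.1.5.0/24.
NARROW_POLICY = (PolicyNode(1, "permit",
                            (AclRule("10.1.5.0/24", "any", "permit"),),
                            "192.168.1.2"),)

if __name__ == "__main__":
    for port in ("ge-1/0/1", "ge-1/0/3"):
        for dst in ("10.1.1.3", "172.16.0.1"):
            print(port, dst, forward(port, "10.1.5.10", dst, BINDINGS, SWITCH_A_ROUTES))
    print("permit any->any nodes:", overbroad_nodes(POLICY1))
```

Because ACL 1001 permits any source to any destination, every IP packet entering ge-1/0/1 bypasses the static routes; overbroad_nodes flags such nodes during a configuration review.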


4 DHCP

This chapter describes basic principles and configuration procedures of DHCP and provides
related configuration examples, including the following sections:
• ZTP
• DHCP Client
• DHCP Server
• DHCP Relay

4.1 ZTP
4.1.1 Introduction
Zero Touch Provisioning (ZTP) means that the device needs no manual configuration: it
automatically sends DHCP packets to the ZTP server to apply for an IP address and, after
obtaining the IP address, automatically downloads the configuration file from the ZTP server
to update its configurations. Figure 4-1 shows ZTP server networking.


Figure 4-1 ZTP server networking

By default, ZTP is enabled on the device. To disable it, configure the device to
common client mode.

4.1.2 Preparing for configuration

Scenario
To enable the remote device to automatically apply for the IP address after being powered on,
configure ZTP. To configure ZTP parameters, see the following section.

Prerequisite
• Connect the device to the DHCP server correctly. Configure the DHCP server correctly.
• Configure the interface connected to the ZTP server to be Up.
• Configure the upstream switch to allow packets of a VLAN of the remote device to pass.
• Leave no configurations on the device.

4.1.3 Default configurations of ZTP


Default configurations of ZTP are as below.

Function Default value


ZTP mode Enable


4.1.4 Configuring ZTP


Configure ZTP for the device as below.

Step  Command                                                               Description
1     Raisecom#configure                                                    Enter global configuration mode.
2     Raisecom(config)#ztp client start { startup-config | image | uboot |  Configure ZTP.
      reboot-delaytime-after-upgraded delay-time }*                         By default, the DHCP client works in ZTP mode.
      Raisecom(config)#ztp client stop                                      To disable ZTP, use the ztp client stop command.

4.1.5 Checking configurations


Use the following commands to check configuration results.

No.   Command                                     Description
1     Raisecom#show dhcp client [ interface-type  Show configurations and information automatically obtained by the DHCP client.
      interface-number | vlan vlan-id ]

4.2 DHCP Client


4.2.1 Introduction
Dynamic Host Configuration Protocol (DHCP) is a protocol that assigns configurations, such as
the IP address, to users on a TCP/IP network. Based on the Bootstrap Protocol (BOOTP), it adds
features such as automatically assigning available network addresses, reusing network
addresses, and other extended configuration features.
As networks grow in scale and complexity, the number of PCs on a network usually exceeds the
maximum number of distributable IP addresses. Meanwhile, the wide use of laptops and wireless
networks leads to frequent changes of location, so the related IP addresses must be updated
frequently. As a result, network configurations become more and more complex. DHCP was
developed to solve these problems.
DHCP adopts client/server communication mode. A client applies to the server for
configurations (including the IP address, subnet mask, and default gateway), and the server
replies with the IP address and other related configurations to implement dynamic
configuration.


Typical applications of DHCP usually include a DHCP server and multiple clients (such as PCs
or laptops), as shown in Figure 4-2.

Figure 4-2 DHCP typical networking

DHCP ensures rational allocation, avoids waste, and improves the utilization rate of IP
addresses on the entire network.
Figure 4-3 shows the structure of a DHCP packet. The DHCP packet is encapsulated in a UDP
data packet.

Figure 4-3 Structure of a DHCP packet

Table 4-1 describes fields of DHCP packets.

Table 4-1 Fields of a DHCP packet


Field                     Length (bytes)  Description
OP                        1               Packet type
                                          • 1: a request packet
                                          • 2: a reply packet
Hardware type             1               Hardware address type of a DHCP client
Hardware length           1               Hardware address size of a DHCP client
Hops                      1               Number of DHCP hops passed by a DHCP packet
                                          This field increases by 1 every time the DHCP request packet passes a DHCP hop.
Transaction ID            4               A number chosen at random by the client when starting a request, used to mark
                                          the address request process.
Seconds                   2               Time elapsed since the DHCP client started the DHCP request. It is unused now
                                          and fixed to 0.
Flags                     2               Bit 1 is the broadcast reply flag, used to mark whether the DHCP server replies
                                          in unicast or broadcast mode.
                                          • 0: unicast
                                          • 1: broadcast
                                          Other bits are reserved.
Client IP address         4               IP address of the DHCP client, only filled when the client is in bound, updated,
                                          or re-bind status, used to reply to ARP requests.
Your (client) IP address  4               IP address assigned to the client by the DHCP server
Server IP address         4               IP address of the DHCP server
Relay agent IP address    4               IP address of the first DHCP hop after the DHCP client sends request packets.
Client hardware address   16              Hardware address of the DHCP client
Server host name          64              Name of the DHCP server
File                      128             Name and path of the startup configuration file assigned by the DHCP server to
                                          the DHCP client
Options                   Modifiable      A modifiable option field, including packet type, available lease period, IP
                                          address of the DNS server, and IP address of the WINS server

The device can be used as a DHCP client to obtain the IP address from the DHCP server for
future management, as shown in Figure 4-4.


Figure 4-4 DHCP Client networking

4.2.2 Preparing for configurations

Scenario
As a DHCP client, the device obtains the IP address from the DHCP server.
With dynamic assignment of IP addresses, the IP address assigned to the DHCP client is valid
only for a certain lease period. The DHCP server takes back the IP address when the lease
expires. The DHCP client has to renew the IP address for continuous use. The DHCP client can
release the IP address before expiration if it no longer wants to use it.
We recommend keeping the number of DHCP relay devices smaller than 4 if the DHCP client needs
to obtain the IP address from the DHCP server through multiple DHCP relay devices.

Prerequisite
• Create a VLAN. Add the Layer 3 interface to the VLAN.
• DHCP Snooping is disabled.

4.2.3 Default configurations of DHCP Client


Default configurations of DHCP Client are as below.

Function Default value


hostname Host name of the device
class-id Specified by the startup parameters
client-id 01 MAC

4.2.4 Configuring DHCP Client


Before a DHCP client applies for an IP address, you must create a VLAN. You must also
configure the DHCP server; otherwise, the interface will fail to obtain the IP address
through DHCP.

Configure DHCP Client for the device as below.

Step  Command                                           Description
1     Raisecom#configure                                Enter global configuration mode.
2     Raisecom(config)#interface vlan vlan-id           Enter Layer 3 physical interface configuration mode or VLAN interface
                                                        configuration mode. The following sections take VLAN interface
                                                        configuration mode for example.
3     Raisecom(config-vlanif-*)#dhcp client             Configure information about the DHCP client, including the type
      { class-id ascii class-id |                       identifier, client identifier, and host name.
      client-id ascii client-id |                       After the IP address is obtained by a DHCP client, client information
      hostname ascii host-name }                        cannot be modified.
4     Raisecom(config-vlanif-*)#ip address dhcp enable  Configure the DHCP client to obtain IP address through DHCP.
5     Raisecom(config-vlan*)#ip address dhcp renew      Renew the IP address.
                                                        If the VLAN interface of the DHCP client has obtained an IP address
                                                        through DHCP, the IP address will automatically be renewed when the
                                                        lease period expires.
6     Raisecom(config-vlan*)#ip address dhcp release    Release the IP address.

4.2.5 Configuring DHCPv6 Client


Before the DHCPv6 client applies for an IPv6 address, create a VLAN and configure the
DHCPv6 server. Otherwise, the DHCPv6 client will fail to obtain the IPv6 address on the
interface through DHCPv6.
Configure DHCPv6 Client for the device as below.

Step  Command                                             Description
1     Raisecom#configure                                  Enter global configuration mode.
2     Raisecom(config)#interface vlan vlan-id             Enter Layer 3 physical interface configuration mode or VLAN interface
                                                          configuration mode. The following sections take VLAN interface
                                                          configuration mode for example.
3     Raisecom(config-vlanif-*)#dhcpv6 client pd          Configure the DHCPv6 PD Client. Configure the interface as the uplink
      prefix-name prefix-name                             interface of the DHCPv6 PD client. Configure the prefix name of the
                                                          interface.
4     Raisecom(config-vlanif-*)#dhcpv6 client pd renew    Renew the IPv6 prefix address.
5     Raisecom(config-vlanif-*)#dhcpv6 client pd release  Release the IPv6 prefix address.
6     Raisecom(config-vlanif-*)#dhcpv6 client address     Configure the interface as the downlink interface of the DHCPv6 PD
      prefix-name prefix-name prefix                      client. Configure the prefix name and interface ID of the interface.
      ipv6-prefix/prefix-len                              The prefix name of the downlink interface must be the same as that of
                                                          the uplink interface.

4.2.6 Checking configurations


Use the following commands to check configuration results.

No.   Command                                     Description
1     Raisecom#show dhcp client [ interface-type  Show configurations of DHCP Client.
      interface-number | vlan vlan-id ]
2     Raisecom#show dhcpv6 config                 Show DHCPv6 configurations.

4.2.7 Example for configuring DHCP Client

Networking requirements
As shown in Figure 4-5, the Switch is used as a DHCP client, and the host name is raisecom.
The Switch is connected to the DHCP server and NMS. The DHCP server should assign IP
addresses to the SNMP interface on the Switch so that the NMS can manage the Switch.

Figure 4-5 DHCP Client networking


Configuration steps
Step 1 Configure the DHCP client.

Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#dhcp client hostname ascii raisecom

Step 2 Configure the function of applying for IP addresses through DHCP.

Raisecom(config-vlanif-1)#ip address dhcp enable

Checking results
Use the show dhcp client command to show configurations of DHCP Client.

Raisecom#show dhcp client
Interface vlan-1 dhcp client information :
------------------------------------------------------------
Current state : Bound
Allocated IP : 192.168.1.2
Subnet Mask : 255.255.255.0
Server IP : 192.168.1.1
Allocated lease : 86400 seconds
Lease T1 time : 43200 seconds
Lease T2 time : 75600 seconds
Lease Obtained : 2023/07/18 Tue 18:49:37
Lease timeout : 2023/07/19 Wed 18:49:37
Transaction ID : 0x5558ec
Client ID :
Class ID :
Hostname : raisecom
DNS :
Getway :
Domain :
Lease: 0 days 23 hours 59 minutes 49 seconds.
------------------------------------------------------------


4.3 DHCP Server


4.3.1 Introduction
Dynamic Host Configuration Protocol (DHCP) assigns IP address configurations dynamically to
users on a TCP/IP network. It is based on the Bootstrap Protocol (BOOTP) and extends it with
automatic assignment of available network addresses, network address reuse, and other
extended configuration options.
As networks grow in scale and complexity, the number of PCs on a network usually exceeds the
maximum number of distributable IP addresses. Meanwhile, the wide use of laptops and wireless
networks leads to frequent changes of PC position, so the related IP addresses must be
updated frequently. As a result, network configurations become more and more complex. DHCP
was developed to solve these problems.
DHCP adopts client/server communication mode. A client applies to the server for
configurations (including the IP address, subnet mask, and default gateway), and the server
replies with an IP address for the client and other related configurations to implement
dynamic configuration of IP addresses.
In DHCP client/server communication mode, a specific host is configured to assign IP
addresses and send network configurations to related hosts. This host is called the DHCP
server.

DHCP application
Under normal circumstances, use the DHCP server to assign IP addresses in the following
situations:
• The network scale is large. Manual configuration requires a heavy workload, and it is
  difficult to manage the entire network centrally.
• The number of hosts on the network is greater than the number of IP addresses, so a fixed
  IP address cannot be assigned to each host and the number of users connected to the network
  simultaneously is restricted.
• Only a minority of hosts on the network need fixed IP addresses; most hosts have no
  requirement for a fixed IP address.
After a DHCP client obtains the IP address from the DHCP server, it cannot use the IP address
permanently but only for a fixed period, which is called the lease period. You can specify
the duration of the lease period.
DHCP ensures rational allocation, avoids waste of IP addresses, and improves the utilization
rate of IP addresses on the entire network.
The device, as the DHCP server, assigns dynamic IP addresses to clients, as shown in Figure
4-6.


Figure 4-6 DHCP Server and Client networking

DHCP packets
Figure 4-7 shows the structure of a DHCP packet. The DHCP packet is encapsulated in a UDP
data packet.

Figure 4-7 Structure of a DHCP packet

Table 4-2 describes fields of a DHCP packet.

Table 4-2 Fields of a DHCP packet


Field                     Length (bytes)  Description
OP                        1               Packet type
                                          • 1: a request packet
                                          • 2: a reply packet
Hardware type             1               Hardware address type of a DHCP client
Hardware length           1               Hardware address length of a DHCP client
Hops                      1               Number of DHCP hops passed by the DHCP packet
                                          This field increases by 1 every time the DHCP request packet passes a DHCP relay.
Transaction ID            4               A random number selected by the client to initiate a request, used to identify
                                          an address request process
Seconds                   2               Duration after the DHCP request for the DHCP client, fixed to 0, being idle
                                          currently
Flags                     2               Bit 1 is the broadcast reply flag, used to mark whether the DHCP server response
                                          packet is transmitted in unicast or broadcast mode.
                                          • 0: unicast
                                          • 1: broadcast
                                          Other bits are reserved.
Client IP address         4               IP address of the DHCP client, only filled when the client is in bound, updated,
                                          or re-bound status, used to respond to ARP requests
Your (client) IP address  4               IP address of the DHCP client assigned by the DHCP server
Server IP address         4               IP address of the DHCP server
Relay agent IP address    4               IP address of the first DHCP relay passed by the request packet sent by the DHCP
                                          client
Client hardware address   16              Hardware address of the DHCP client
Server host name          64              Name of the DHCP server
File                      128             Startup configuration file name and path assigned by the DHCP server to the DHCP
                                          client
Options                   Modifiable      A modifiable option field, including packet type, available lease period, IP
                                          address of the DNS server, and IP address of the WINS server
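
The field layout in Table 4-1 and Table 4-2, as an added Python example (not Raisecom code and not part of the original guide): a strict parser that checks every length before reading a field or option. The magic cookie, the option codes and the position of the broadcast flag are taken from RFC 2131 and RFC 2132, not from this guide; the sample message is constructed from values in the show dhcp client output of section 4.2.7, with an invented MAC address, file name and DNS address.

```python
import ipaddress
import struct

# Fixed part in field-table order: OP, hardware type, hardware length, hops, transaction ID,
# seconds, flags, 4 IPv4 addresses, hardware address (16), host name (64), file (128) = 236 bytes.
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: precedes the options field
OPT_PAD, OPT_END = 0, 255
OPT_DNS, OPT_WINS, OPT_LEASE, OPT_MSG_TYPE = 6, 44, 51, 53   # RFC 2132 option codes


class MalformedDhcp(ValueError):
    """Raised when a message does not fit the layout; nothing is guessed."""


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def _text(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def _sized(opts, code, size):
    if len(opts[code]) != size:
        raise MalformedDhcp(f"option {code} must be {size} byte(s) long")
    return opts[code]


def parse_options(data):
    """Walk code/length/value options, checking each length against the buffer."""
    found, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return found
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise MalformedDhcp(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise MalformedDhcp(f"option {code} runs past the end of the packet")
        found[code] = value
        i += 2 + length
    raise MalformedDhcp("options are not terminated by the End option")


def parse_dhcp(payload):
    """Parse the UDP payload of one DHCP message into a dict."""
    if len(payload) < FIXED.size + len(MAGIC_COOKIE):
        raise MalformedDhcp("shorter than the fixed header plus magic cookie")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, bootfile) = FIXED.unpack_from(payload)
    if op not in (1, 2):
        raise MalformedDhcp("OP must be 1 (request) or 2 (reply)")
    if hlen > 16:
        raise MalformedDhcp("hardware length exceeds the 16-byte address field")
    if payload[FIXED.size:FIXED.size + 4] != MAGIC_COOKIE:
        raise MalformedDhcp("magic cookie missing")
    opts = parse_options(payload[FIXED.size + 4:])
    msg = {
        "op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),   # RFC 2131: most significant bit
        "ciaddr": _ip(ciaddr), "yiaddr": _ip(yiaddr),
        "siaddr": _ip(siaddr), "giaddr": _ip(giaddr),
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": _text(sname), "file": _text(bootfile),
    }
    if OPT_MSG_TYPE in opts:
        msg["message_type"] = _sized(opts, OPT_MSG_TYPE, 1)[0]
    if OPT_LEASE in opts:
        msg["lease_seconds"] = struct.unpack("!I", _sized(opts, OPT_LEASE, 4))[0]
    for code, key in ((OPT_DNS, "dns"), (OPT_WINS, "wins")):
        if code in opts:
            if not opts[code] or len(opts[code]) % 4:
                raise MalformedDhcp(f"option {code} is not a list of IPv4 addresses")
            msg[key] = [_ip(opts[code][j:j + 4]) for j in range(0, len(opts[code]), 4)]
    return msg


def build_sample_reply():
    """Constructed DHCPACK reusing values from the show dhcp client output."""
    # The MAC address, file name and DNS address below are invented sample values.
    ip = lambda text: ipaddress.IPv4Address(text).packed
    fixed = FIXED.pack(2, 1, 6, 0, 0x5558EC, 0, 0x8000, ip("0.0.0.0"),
                       ip("192.168.1.2"), ip("192.168.1.1"), ip("0.0.0.0"),
                       bytes.fromhex("001122334455"), b"", b"startup.conf")
    options = (bytes([OPT_MSG_TYPE, 1, 5, OPT_LEASE, 4]) + struct.pack("!I", 86400)
               + bytes([OPT_DNS, 4]) + ip("192.0.2.53") + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(parse_dhcp(build_sample_reply()))
```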

DHCPv6
DHCPv6 is a protocol that runs between clients and servers. Like DHCP in IPv4, all protocol
packets are based on UDP. However, because IPv6 has no broadcast packets, DHCPv6 uses
multicast packets, so clients do not need to be configured with the server's IPv6 address.

4.3.2 Preparing for configurations

Scenario
When working as the DHCPv4 server, the device can assign IP addresses to DHCPv4 clients.


Prerequisite
• Configure the IP address of the interface.
• Disable DHCP Client and DHCP Relay on the interface.

4.3.3 Creating and configuring the IPv4 address pool


Configure the IPv4 address pool for the device as below.

Step  Command                                                 Description
1     Raisecom#configure                                      Enter global configuration mode.
2     Raisecom(config)#dhcp start                             Enable global DHCP.
3     Raisecom(config)#dhcp server pool pool-name             Create an IPv4 address pool, and enter address pool configuration mode.
4     Raisecom(config-dhcp-pool-*)#ip range start-ip-address  Configure the range of IP addresses in the IPv4 address pool.
      end-ip-address mask mask
5     Raisecom(config-dhcp-pool-*)#dhcp server exclude-ip     Configure the range of excluded IP addresses in the IPv4 address pool.
      start-ip-address [ end-ip-address ]
6     Raisecom(config-dhcp-pool-*)#lease-time { hour |        Configure the lease period for the IPv4 address pool.
      day day hour hour minute minute |
      unlimited | default }
7     Raisecom(config-dhcp-pool-*)#dns ip-address [ backup ]  Configure the DNS server address of the IPv4 address pool.
8     Raisecom(config-dhcp-pool-*)#gateway ip-address         Configure the default gateway of the IPv4 address pool.
9     Raisecom(config-pool)#option 43                         Configure information carried by the option.
      [ sub-option option-code ]
      { ascii ascii-string | hex hex-string }
10    Raisecom(config)#dhcp server static-bind                Bind the IP address in the IPv4 address pool with the MAC address of the user.
      ip-address mac-address

4.3.4 Enabling DHCP Server on the interface


Enable DHCP Server on the interface for the device as below.

Step  Command                                       Description
1     Raisecom#configure                            Enter global configuration mode.
2     Raisecom(config)#interface vlan vlan-id       Enter VLAN interface configuration mode or Layer 3 physical interface
                                                    configuration mode. The following steps take VLAN interface
                                                    configuration mode for example.
3     Raisecom(config-vlanif-*)#dhcp server enable  Enable DHCP Server on the interface.

4.3.5 Recycling the IP address pool


Recycle the IP address pool for the device as below.

Step  Command                                                  Description
1     Raisecom#configure                                       Enter global configuration mode.
2     Raisecom(config)#no dhcp server pool pool-name           Recycle the IP address pool.
3     Raisecom(config)#no dhcp server user-bind                Recycle the bound address table of the DHCPv4 server.
4     Raisecom(config)#no dhcp server dynamic-bind ip-address  Recycle the IP address bound with the MAC address of the user.

4.3.6 Configuring DHCPv4 Server PING


Configure DHCPv4 Server PING for the device as below.

Step  Command                                           Description
1     Raisecom#configure                                Enter global configuration mode.
2     Raisecom(config)#dhcp server address-check-time   Configure the timeout for checking, before assignment, whether the IP
      { period | default }                              address to be assigned by the DHCP Server is occupied.
                                                        The value 0 indicates that no check is conducted. By default, the
                                                        timeout is 500 ms.

4.3.7 Creating and configuring the IPv6 address pool


Configure the IPv6 address pool for the device as below.

Step  Command                                                   Description
1     Raisecom#configure                                        Enter global configuration mode.
2     Raisecom(config)#dhcpv6 start                             Enable global DHCPv6.
3     Raisecom(config)#dhcpv6 server pool pool-name             Create an IPv6 address pool, and enter address pool configuration mode.
4     Raisecom(config-dhcpv6-pool-*)#address-delegation prefix  Configure the prefix and prefix length of the IPv6 address pool.
      prefix/prefix-len
5     Raisecom(config-dhcpv6-pool-*)#dns-server ipv6-address    Configure the DNS server of the IPv6 address pool.
6     Raisecom(config-dhcpv6-pool-*)#domain-name domain-name    Configure the domain name server of the IPv6 address pool.
7     Raisecom(config-dhcpv6-pool-*)#sntp-server ipv6-address   Configure the SNTP server of the IPv6 address pool.

4.3.8 Enabling DHCPv6 Server on the interface


Enable DHCPv6 Server on the interface for the device as below.

Step  Command                                            Description
1     Raisecom#configure                                 Enter global configuration mode.
2     Raisecom(config)#interface vlan vlan-id            Enter VLAN interface configuration mode or Layer 3 physical interface
                                                         configuration mode. The following steps take VLAN interface
                                                         configuration mode for example.
3     Raisecom(config-vlanif-*)#dhcpv6 enable server     Enable DHCPv6 Server on the interface.
4     Raisecom(config-vlanif-*)#dhcpv6 server bind-pool  Configure the address pool used by the interface on the DHCPv6 server.
      pool-name

4.3.9 Recycling the IPv6 address pool


Recycle the IPv6 address pool for the device as below.

Step  Command                                           Description
1     Raisecom#configure                                Enter global configuration mode.
2     Raisecom(config)#no dhcpv6 server pool pool-name  Recycle the IPv6 address pool.

4.3.10 Checking configurations


Use the following commands to check configuration results.

No.   Command                                Description
1     Raisecom#show dhcp server config       Show configurations of DHCP Server.
2     Raisecom#show dhcp information         Show detailed information about DHCP Server.
3     Raisecom#show dhcp server user-bind    Show assigned IPv4 addresses and client information.
4     Raisecom#show dhcp server statistics   Show packet statistics on the DHCP Server.
5     Raisecom#show dhcp server pool         Show configurations of the address pool of DHCP Server.
6     Raisecom#show dhcpv6 config            Show configurations of DHCPv6 Server.
7     Raisecom#show dhcpv6 statistics        Show statistics on DHCPv6 packets.
8     Raisecom#show dhcpv6 server user-bind  Show assigned IPv6 addresses and client information.
9     Raisecom#show dhcpv6 server pool       Show configurations of the address pool of DHCPv6 Server.

4.3.11 Maintenance
Maintain the device as below.

Command Description
Raisecom(config)#reset dhcp server statistics
  Clear statistics on DHCP Server.
Raisecom(config)#reset dhcpv6 statistics
  Clear statistics on DHCPv6 Server.

4.3.12 Example for configuring DHCPv4 Server

Networking requirements
As shown in Figure 4-8, the switch as a DHCP server assigns IP addresses to DHCP clients.
The lease period is 8h. The name of the IP address pool is pool. The range of IP addresses is
172.31.1.2–172.31.1.100. The IP address of the DNS server is 172.31.100.1.

Figure 4-8 DHCP Server networking

Configuration steps
Step 1 Create an IP address pool, and configure it.

Raisecom#configure
Raisecom(config)#dhcp start
Raisecom(config)#dhcp server pool 1
Raisecom(config-dhcp-pool-1)#ip range 172.31.1.2 172.31.1.100 mask 255.255.255.0
Raisecom(config-dhcp-pool-1)#lease-time day 0 hour 8 minute 0
Raisecom(config-dhcp-pool-1)#dns 172.31.100.1
Raisecom(config-dhcp-pool-1)#exit

Step 2 Configure interface DHCP Server.

Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#ip address 172.31.1.1/24
Raisecom(config-vlanif-1)#dhcp enable server

Checking results
Use the show dhcp server config command to show configurations of DHCP Server.

Raisecom#show dhcp server config

!
dhcp start
dhcp server pool 1
ip range 172.31.1.2 172.31.1.100 mask 255.255.255.0
dns 172.31.100.1
lease-time day 0 hour 8 minute 0
!
interface vlan 1
dhcp enable server

Use the show dhcp server pool command to show configurations of the address pool of the
DHCP server.

Raisecom#show dhcp server pool

DHCP Pool 1 information :
------------------------------------------------------------
IP range : 172.31.1.2 to 172.31.1.100
Mask : 255.255.255.0
Gateway : 0.0.0.0
DNS : main : 172.31.100.1 , backup : 0.0.0.0
Lease : 0 days 8 hours 0 minutes
Total Number : 99
Used Number : 0
------------------------------------------------------------

4.4 DHCP Relay


4.4.1 Introduction
Originally, DHCP required the DHCP server and its clients to be in the same segment. As a
result, a DHCP server had to be deployed in every segment for dynamic host configuration,
which is not economical.
DHCP Relay was introduced to solve this problem. It provides a relay service between DHCP
clients and a DHCP server that are in different segments, relaying DHCP packets across
segments to the DHCP server or to the clients.
Figure 4-9 shows typical application of DHCP Relay.

Figure 4-9 Typical application of DHCP Relay

When a DHCP client sends a request packet to the DHCP server through a DHCP relay, the
DHCP relay processes the request packet and sends it to the DHCP server in the specified
segment. The DHCP server sends required information to the DHCP client through the DHCP
relay according to the request packet, thus implementing dynamic configuration of the DHCP
client.

4.4.2 Preparing for configurations

Scenario
When the DHCP clients and the DHCP server are not in the same segment, you can use the
DHCP Relay function to relay DHCP packets across segments to the destination DHCP server,
so that DHCP clients in different segments can share the same DHCP server.

Prerequisite
N/A

4.4.3 Default configurations of DHCP Relay


Default configurations of DHCP Relay are as below.

Function Default value


Global DHCP Relay Disable
Interface DHCP Relay Disable
Global DHCPv6 Relay Disable
Interface DHCPv6 Relay Disable

4.4.4 Configuring interface DHCP Relay


Configure interface DHCP Relay for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#dhcp start
  Enable global DHCP Relay.
3 Raisecom(config)#interface vlan vlan-id
  Enter VLAN interface configuration mode or Layer 3 physical interface configuration mode. The following steps take VLAN interface configuration mode for example.
4 Raisecom(config-vlanif-*)#dhcp enable relay
  Enable interface DHCP Relay.
5 Raisecom(config-vlanif-*)#dhcp relay server-ip ip-address
  Configure the IP address of the DHCP server.

4.4.5 Configuring interface DHCPv6 Relay


Configure interface DHCPv6 Relay for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#dhcpv6 start
  Enable global DHCPv6 Relay.
3 Raisecom(config)#interface vlan vlan-id
  Enter VLAN interface configuration mode or Layer 3 physical interface configuration mode. The following steps take VLAN interface configuration mode for example.
4 Raisecom(config-vlanif-*)#dhcpv6 enable relay
  Enable interface DHCPv6 Relay.
5 Raisecom(config-vlanif-*)#dhcpv6 relay destination ipv6-address
  Configure the IPv6 address of the DHCPv6 server.

4.4.6 Configuring DHCP Relay to support Option 82


Configure DHCP Relay to support Option 82 for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#interface vlan vlan-id
  Enter VLAN interface configuration mode or Layer 3 physical interface configuration mode. The following steps take VLAN interface configuration mode for example.
3 Raisecom(config-vlanif-*)#dhcp relay option82 enable
  Configure DHCP Relay to support Option 82.
4 Raisecom(config-vlanif-*)#dhcp relay option82 { drop | keep | replace }
  Configure the policy for DHCP Relay to process Option 82 request packets.
5 Raisecom(config-vlanif-*)#dhcp relay option82 circuit-id format { default | user-defined format-string }
  Configure contents of the Circuit ID of DHCP Relay Option 82.
6 Raisecom(config-vlanif-*)#dhcp relay option82 remote-id format { default | user-defined format-string }
  Configure contents of the Remote ID of DHCP Relay Option 82.
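
The three Option 82 policies from step 4, as an added Python example (not Raisecom code). It assumes the usual meaning of the keywords, which the guide does not spell out: drop discards a request that already carries Option 82, keep forwards it unchanged, and replace substitutes the relay's own Circuit ID and Remote ID. The IDs and packets are constructed samples.

```python
from typing import Optional

END, PAD, RELAY_INFO = 255, 0, 82      # DHCP option codes (RFC 2132, RFC 3046)
CIRCUIT_ID, REMOTE_ID = 1, 2           # Option 82 sub-option codes (RFC 3046)


def parse_tlv(buf: bytes, dhcp_options: bool = True) -> list:
    """Split a code/length/value byte string into (code, value) pairs.

    With dhcp_options=True, PAD (0) is skipped and END (255) stops parsing;
    Option 82 sub-options use neither, so pass False for them.
    """
    items, i = [], 0
    while i < len(buf):
        code = buf[i]
        if dhcp_options and code == END:
            break
        if dhcp_options and code == PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past the end of the buffer")
        items.append((code, value))
        i += 2 + length
    return items


def build_tlv(items, terminate: bool = True) -> bytes:
    """Serialise (code, value) pairs; terminate=True appends the END option."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError(f"option {code} value is longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    if terminate:
        out.append(END)
    return bytes(out)


def relay_request(options: bytes, policy: str,
                  circuit_id: bytes, remote_id: bytes) -> Optional[bytes]:
    """Return the options field the relay forwards, or None if the request is discarded."""
    if policy not in ("drop", "keep", "replace"):
        raise ValueError(f"unknown policy {policy!r}")
    opts = parse_tlv(options)
    own = (RELAY_INFO, build_tlv([(CIRCUIT_ID, circuit_id), (REMOTE_ID, remote_id)],
                                 terminate=False))
    if all(code != RELAY_INFO for code, _ in opts):
        return build_tlv(opts + [own])          # normal case: the relay adds Option 82
    if policy == "drop":
        return None
    if policy == "keep":
        return build_tlv(opts)                  # whatever arrived reaches the server
    return build_tlv([o for o in opts if o[0] != RELAY_INFO] + [own])


def circuit_id_of(options: bytes) -> Optional[bytes]:
    """Circuit ID the DHCP server would see in the forwarded options, if any."""
    for code, value in parse_tlv(options):
        if code == RELAY_INFO:
            return dict(parse_tlv(value, dhcp_options=False)).get(CIRCUIT_ID)
    return None


# Constructed sample data (not from the guide).
RELAY_CID, RELAY_RID = b"vlan1", b"relay-01"
PLAIN_DISCOVER = build_tlv([(53, b"\x01")])                       # DHCPDISCOVER
TAGGED_DISCOVER = build_tlv([(53, b"\x01"),
                             (RELAY_INFO, build_tlv([(CIRCUIT_ID, b"downstream")], False))])

if __name__ == "__main__":
    for policy in ("drop", "keep", "replace"):
        out = relay_request(TAGGED_DISCOVER, policy, RELAY_CID, RELAY_RID)
        print(policy, None if out is None else circuit_id_of(out))
```

With keep, the server sees the Circuit ID that arrived from the client side, so any address or policy decision keyed on Option 82 then rests on a value the relay did not write.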

4.4.7 Configuring DHCP Relay to support Option 18/37


Configure DHCP Relay to support Option 18/37 for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#dhcpv6 relay interface-id format { default | user-defined format-string }
  Configure the format of the interface-id (Option 18) in DHCPv6 packets.
3 Raisecom(config)#dhcpv6 relay remote-id format { default | user-defined format-string }
  Configure the format of the remote-id (Option 37) in DHCPv6 packets.
4 Raisecom(config)#interface vlan vlan-id
  Enter VLAN interface configuration mode or Layer 3 physical interface configuration mode. The following steps take VLAN interface configuration mode for example.
5 Raisecom(config-vlanif-*)#dhcpv6 relay interface-id enable
  Configure DHCPv6 Relay to support Option 18.
6 Raisecom(config-vlanif-*)#dhcpv6 relay remote-id enable
  Configure DHCPv6 Relay to support Option 37.

4.4.8 Checking configurations


Use the following commands to check configuration results.

No. Command Description


1 Raisecom#show dhcp relay config
  Show configurations of DHCP Relay.
2 Raisecom#show dhcp relay user-bind
  Show binding information about DHCP Relay.
3 Raisecom#show dhcp relay statistics
  Show statistics on DHCP Relay packets.
4 Raisecom#show dhcpv6 config
  Show configurations of DHCPv6 Relay.
5 Raisecom#show dhcpv6 statistics
  Show statistics on DHCPv6 Relay packets.

4.4.9 Maintenance
Maintain the device as below.

Command Description
Raisecom(config)#reset dhcp relay statistics
  Clear statistics on DHCP Relay.
Raisecom(config)#reset dhcpv6 statistics
  Clear statistics on DHCPv6 Relay.

4.4.10 Example for configuring DHCPv4 Relay

Networking requirements
As shown in Figure 4-10, the switch works as the DHCP relay device. The host name is
raisecom. The switch is connected to the DHCP server through a service interface. The DHCP
server assigns IP addresses to clients so that the NMS can discover and manage these clients.

Figure 4-10 DHCP Relay networking

Configuration steps
Step 1 Enable interface DHCP Relay.

Raisecom#configure
Raisecom(config)#dhcp start
Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#ip address 192.168.1.1/24
Raisecom(config-vlanif-1)#dhcp enable relay
Raisecom(config-vlanif-1)#dhcp relay server-ip 10.0.0.1
Raisecom(config-vlanif-1)#exit

Checking results
Use the show dhcp relay config command to show configurations of DHCP Relay.

Raisecom#show dhcp relay config


!
dhcp start
!
interface vlan 1
dhcp enable relay
dhcp relay server-ip 10.0.0.1

5 QoS

This chapter describes basic principles and configuration procedures for QoS, and provides
related configuration examples, including the following sections:
• Introduction
• Priority mapping
• Queue scheduling
• Congestion avoidance
• Rate limiting

5.1 Introduction
As network applications become more diverse, users place different Quality of Service (QoS)
requirements on them. The network should therefore distribute and schedule resources for
different network applications as required. When the network is overloaded or congested,
QoS can ensure service timeliness and integrity and keep the entire network running
efficiently.
QoS is composed of a group of flow management technologies:
• Service model
• Priority trust
• Traffic classification
• Traffic policy
• Priority mapping
• Congestion management

5.1.1 Service models


QoS technical service models:
• Best-effort Service
• Differentiated Services (DiffServ)

Best-effort
Best-effort service is the most basic and simplest service model on the Internet (IPv4 standard),
based on the store-and-forward mechanism. In the Best-effort service model, an application can
send any number of packets at any time without obtaining permission in advance or notifying
the network. The network makes its best effort to deliver the packets, but it does not
guarantee delay or reliability.
Best-effort is the default Internet service model now, suitable for most network applications,
such as FTP and Email. It is implemented by a First In First Out (FIFO) queue.

DiffServ
The DiffServ model is a multi-service model, which can satisfy different QoS requirements.
The DiffServ model does not need to maintain state for each flow. It provides differentiated
services according to the QoS classification of each packet. Many different methods can be
used for classifying QoS packets, such as IP packet priority (IP precedence), the packet source
address or destination address.
Generally, DiffServ is used to provide end-to-end QoS services for a number of important
applications, which is implemented through the following techniques:
• Committed Access Rate (CAR): CAR classifies packets according to preconfigured
packet matching rules, such as IP packet priority, the packet source address, or the
destination address. The system continues to send the packets if the flow complies
with the rules of the token bucket. Otherwise, it discards the packets or remarks IP
precedence, DSCP, or EXP. CAR can not only control the flows, but also mark and
remark the packets.
• Queuing technology: the queuing technologies of SP, WRR, WFQ, SP+WRR, and
SP+WFQ cache and schedule the congested packets to implement congestion
management.

5.2 Priority mapping


5.2.1 Introduction

Priority mapping
Class of Service (CoS) refers to the quality of service of a packet within a device, which
determines the type of queue that the packet belongs to within the device. There are 8 values
for CoS, namely, 8 Per Hop Behaviors (PHBs), with priority ranking from high to low as CS7,
CS6, EF, AF4, AF3, AF2, AF1, and BE. For a detailed description of PHB behavior, refer to
the PHB behavior section.

The color refers to the discard priority of packets within the device. It determines the
order in which packets in the same queue are discarded when congestion occurs. There
are three colors, with IEEE-defined priorities ranging from low to high being Green,
Yellow, and Red. The actual discard priority depends on the configuration of the
corresponding parameters.
The processing of packets on each DS node is called PHB. PHB describes the externally
visible forwarding behavior that DS nodes apply to packets. PHB can be defined by priority
or by visible service characteristics, such as packet delay, jitter, and packet loss rate. PHB
defines only the externally visible forwarding behaviors and does not specify
implementation methods.
The RFCs define four standard PHBs: Class Selector (CS), Expedited Forwarding (EF), Assured
Forwarding (AF), and Best Effort (BE). BE is the default PHB.
In RFC 2474, CS is further divided into two levels, namely, CS6 and CS7. In RFC 2597, AF
is further divided into four levels, namely, AF1 to AF4. PHB thus has a total of 8 sublevels,
and each PHB has a corresponding CoS within the device. Different CoSs determine
the congestion management policies for different flows. In addition, each PHB is further
divided into three colors (also known as discarding priority): Green, Yellow, and Red.
Different colors determine the congestion avoidance policies for different flows.

Priority trust
Priority trust means that the device uses priority of packets for classification and performs
QoS management.
The device supports packet priority trust based on interface, including:
• Differentiated Services Code Point (DSCP) priority
• IEEE 802.1p inner priority
• IEEE 802.1p outer priority

5.2.2 Preparing for configurations

Scenario
You can choose to trust the priority carried by packets from an upstream device, or process
packets with untrusted priority through the traffic class and traffic policy. After being
configured to priority trust mode, the device processes packets according to their priorities
and provides services accordingly.

Specifying a local priority for packets is the prerequisite for queue scheduling. For packets
from the upstream device, you can map the external priority carried by packets to different
local priorities, and you can also configure a local priority for packets based on the interface.
The device then conducts queue scheduling according to the local priority of packets.
Generally, IP packets need a mapping from IP precedence/DSCP to local priority, while
VLAN packets need a mapping from IEEE 802.1p inner priority to local priority.

Prerequisite
N/A

5.2.3 Default configurations of basic QoS


Default configurations of basic QoS are as below.

Function Default value


Global QoS status Enable
Interface trust priority type Trust IEEE 802.1p outer priority.
Remarking egress interface priority Disable

Table 5-1 Default mapping from the IEEE 802.1p ingress direction to local priority and color
IEEE 802.1p priority PHB Color
0 BE green
1 AF1 green
2 AF2 green
3 AF3 green
4 AF4 green
5 EF green
6 CS6 green
7 CS7 green

Table 5-2 Default mapping from the IEEE 802.1p egress direction to local priority and color
PHB Color IEEE 802.1p priority
BE green 0
BE yellow 0
BE red 0
AF1 green 1
AF1 yellow 1
AF1 red 1
AF2 green 2
AF2 yellow 2
AF2 red 2
AF3 green 3
AF3 yellow 3
AF3 red 3
AF4 green 4
AF4 yellow 4
AF4 red 4
EF green 5
EF yellow 5
EF red 5
CS6 green 6
CS6 yellow 6
CS6 red 6
CS7 green 7
CS7 yellow 7
CS7 red 7

Table 5-3 Default mapping from the DSCP ingress direction to local priority and color
DSCP  PHB  Color    DSCP  PHB  Color
0     BE   green    32    AF4  green
1     BE   green    33    BE   green
2     BE   green    34    AF4  green
3     BE   green    35    BE   green
4     BE   green    36    AF4  yellow
5     BE   green    37    BE   green
6     BE   green    38    AF4  red
7     BE   green    39    BE   green
8     AF1  green    40    EF   green
9     BE   green    41    BE   green
10    AF1  green    42    BE   green
11    BE   green    43    BE   green
12    AF1  yellow   44    BE   green
13    BE   green    45    BE   green
14    AF1  red      46    EF   green
15    BE   green    47    BE   green
16    AF2  green    48    CS6  green
17    BE   green    49    BE   green
18    AF2  green    50    BE   green
19    BE   green    51    BE   green
20    AF2  yellow   52    BE   green
21    BE   green    53    BE   green
22    AF2  red      54    BE   green
23    BE   green    55    BE   green
24    AF3  green    56    CS7  green
25    BE   green    57    BE   green
26    AF3  green    58    BE   green
27    BE   green    59    BE   green
28    AF3  yellow   60    BE   green
29    BE   green    61    BE   green
30    AF3  red      62    BE   green
31    BE   green    63    BE   green

Table 5-4 Default mapping from the DSCP egress direction to local priority and color
PHB Color DSCP
BE green 0
BE yellow 0
BE red 0
AF1 green 10
AF1 yellow 12
AF1 red 14
AF2 green 18
AF2 yellow 20
AF2 red 22
AF3 green 26
AF3 yellow 28
AF3 red 30
AF4 green 34
AF4 yellow 36
AF4 red 38
EF green 46
EF yellow 46
EF red 46
CS6 green 48
CS6 yellow 48
CS6 red 48
CS7 green 56
CS7 yellow 56
CS7 red 56

5.2.4 Configuring types of priorities trusted by the ingress interface


Configure types of priorities trusted by the ingress interface for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#interface interface-type interface-number
  Enter Layer 2 physical interface configuration mode, or aggregation group configuration mode. Take physical interface configuration mode for example.
3 Raisecom(config-ge-1/0/*)#trust { 8021p | diffserv | dscp | mpls-exp | none }
  Configure types of priorities trusted by the interface.

5.2.5 Configuring the diffserv profile


Configure the diffserv profile for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#diffserv domain default
  Create a diffserv domain profile, or enter the default profile.
  • default: default profile
3 Raisecom(config-dsdomain-ds1)#8021p-inbound 8021p-value phb { { BE | AF1 | AF2 | AF3 | AF4 | EF | CS6 | CS7 } [ green | yellow | red ] | default }
  Raisecom(config-dsdomain-ds1)#8021p-inbound default
  Configure the mapping between the IEEE 802.1p priority and PHB of VLAN packets in the ingress direction in the DiffServ domain, and configure the color of packets.
  • 8021p-value: IEEE 802.1p priority
  • BE | AF1 | AF2 | AF3 | AF4 | EF | CS6 | CS7: queue
  • green | yellow | red: color
4 Raisecom(config-dsdomain-ds1)#8021p-outbound { BE | AF1 | AF2 | AF3 | AF4 | EF | CS6 | CS7 } map { 8021p-value | default }
  Configure the mapping between the IEEE 802.1p priority and PHB behavior/color of VLAN packets in the egress direction in the DiffServ domain.
  • 8021p-value: IEEE 802.1p priority
  • BE | AF1 | AF2 | AF3 | AF4 | EF | CS6 | CS7: queue
  • green | yellow | red: color
5 Raisecom(config-dsdomain-ds1)#ip-dscp-inbound dscp-value phb { BE | AF1 | AF2 | AF3 | AF4 | EF | CS6 | CS7 } [ green | yellow | red ]
  Configure the mapping between the DSCP priority and PHB of IP packets in the ingress direction in the DiffServ domain, and configure the color of packets.
  • dscp-value: DSCP priority
  • BE | AF1 | AF2 | AF3 | AF4 | EF | CS6 | CS7: queue
  • green | yellow | red: color
6 Raisecom(config-dsdomain-ds1)#ip-dscp-outbound { BE | AF1 | AF2 | AF3 | AF4 | EF | CS6 | CS7 } [ green | yellow | red ] map dscp-value
  Configure the mapping between the DSCP priority and PHB behavior/color of IP packets in the egress direction in the DiffServ domain.
  • dscp-value: DSCP priority
  • BE | AF1 | AF2 | AF3 | AF4 | EF | CS6 | CS7: queue
  • green | yellow | red: color

5.2.6 Configuring IEEE 802.1p/DSCP remarking on the egress interface

Configure CoS remarking for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#interface interface-type interface-number
  Enter Layer 2 physical interface configuration mode, or aggregation group configuration mode. Take Layer 2 physical interface configuration mode for example.
3 Raisecom(config-ge-1/0/*)#qos phb marking { 8021p | dscp } { enable | disable }
  Enable/Disable the remarking from the inner priority to outer priority on the egress interface.
  • 8021p: remark the IEEE 802.1p priority.
  • dscp: remark the DSCP priority.

5.2.7 Checking configurations


Use the following commands to check configuration results.

No. Command Description


1 Raisecom#show differv domain [ config | name default ]
  Show configurations of the diffserv domain profile.
2 Raisecom#show differv domain interface interface-type interface-number
  Show configurations of the interface in the diffserv domain profile.

5.3 Queue scheduling


5.3.1 Introduction
The device needs to perform queue scheduling when delay-sensitive services need better QoS
than non-delay-sensitive services and when the network is occasionally congested.
Queue scheduling adopts different scheduling algorithms to send packets in a queue.
Scheduling algorithms supported by the device include Strict-Priority (SP), Weighted Round
Robin (WRR), Weighted Fair Queueing (WFQ), SP+WRR, and SP+WFQ. Each scheduling
algorithm is designed to address specific traffic problems, and they have different
effects on bandwidth distribution, delay, and jitter.
• SP: the device strictly schedules packets in descending order of priority. Packets with
lower priority cannot be scheduled until packets with higher priority are scheduled, as
shown in Figure 5-1.

Figure 5-1 SP scheduling

• WRR: on the basis of scheduling packets cyclically according to the priority, the device
schedules packets by the weight of each queue in units of bit, as shown in Figure 5-2.

Figure 5-2 WRR scheduling

• WFQ: similar to WRR, on the basis of scheduling packets in a polling manner
according to the scheduling sequence, the device schedules packets according to the
weight of the queue (based on packet), as shown in Figure 5-3.

Figure 5-3 DRR scheduling

• SP+WRR: a scheduling mode combining the SP scheduling and WRR scheduling. In this
mode, queues on an interface are divided into 2 groups. You can specify some queues
with SP scheduling and others with WRR scheduling.
• SP+WFQ: a scheduling mode combining the SP scheduling and WFQ scheduling. In this
mode, queues on an interface are divided into 2 groups. You can specify some queues
with SP scheduling and others with WFQ scheduling.

5.3.2 Preparing for configurations

Scenario
When the network is congested, you can configure queue scheduling if you want to:
• Balance delay and delay jitter of various packets, and preferentially process packets of
key services (such as video and voice).
• Fairly process packets of secondary services (such as Email) with identical priority.
• Process packets of different priorities according to their respective weight values.
The scheduling algorithm to be chosen depends on the current service condition and customer
requirements.

Prerequisite
Enable global QoS.

5.3.3 Default configurations of queue scheduling


Default configurations of queue scheduling are as below.

Function Default value


Queue scheduling mode SP
Queue weight • WRR weight for scheduling 8 queues is 1.
             • WFQ weight for scheduling 8 queues is 81.

5.3.4 Configuring SP queue scheduling


Configure SP queue scheduling for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#interface interface-type interface-number
  Enter Layer 2 physical interface configuration mode, or aggregation group configuration mode. Take Layer 2 physical interface configuration mode for example.
3 Raisecom(config-ge-1/0/*)#queue scheduling sp
  Configure the queue scheduling mode to SP on the interface.

5.3.5 Configuring WRR or SP+WRR queue scheduling


Configure WRR or SP+WRR for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#interface interface-type interface-number
  Enter Layer 2 physical interface configuration mode, or aggregation group configuration mode. Take Layer 2 physical interface configuration mode for example.
3 Raisecom(config-ge-1/0/*)#queue scheduling wrr
  Configure the queue scheduling mode to WRR on the interface.
4 Raisecom(config-ge-1/0/*)#queue queue-id weight weight-value
  Configure the weight of each queue.

5.3.6 Configuring DRR or SP+WFQ queue scheduling


Configure DRR or SP+WFQ for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#interface interface-type interface-number
  Enter Layer 2 physical interface configuration mode, or aggregation group configuration mode. Take Layer 2 physical interface configuration mode for example.
3 Raisecom(config-ge-1/0/*)#queue scheduling wfq
  Configure the queue scheduling mode to WFQ on the interface.
4 Raisecom(config-ge-1/0/*)#queue queue-id weight weight-value
  Configure the weight for each queue.

5.3.7 Configuring queue bandwidth guarantee


Configure queue bandwidth guarantee for the device as below.

Step Command Description


1 Raisecom#configure
  Enter global configuration mode.
2 Raisecom(config)#interface interface-type interface-number
  Enter Layer 2 physical interface configuration mode, or aggregation group configuration mode. Take Layer 2 physical interface configuration mode for example.
3 Raisecom(config-ge-1/0/1)#queue queue-id { min-bandwidth | max-bandwidth } { kbps | mbps | gbps } bandwidth
  Raisecom(config-ge-1/0/1)#queue queue-id priority { priority | default }
  Raisecom(config-ge-1/0/1)#queue queue-id weight { weight | default }
  Configure queue bandwidth guarantee on the interface.

5.3.8 Checking configurations


Use the following commands to check configuration results.

No. Command Description


1 Raisecom#show queue interface interface-type interface-number
  Show the queue on the interface.
2 Raisecom#show queue statistics interface interface-type interface-number
  Raisecom#show queue statistics interface all
  Show statistics about queues on the interface.

5.3.9 Maintenance
Maintain the device as below.

Command Description
Raisecom(config)#reset queue statistics interface interface-type interface-number
Raisecom(config)#reset queue statistics interface all
  Clear statistics on packets on the interface.

5.3.10 Example for configuring queue scheduling

Networking requirements
As shown in Figure 5-4, the user uses voice, video, and data services.
The CoS of voice services is 5, the CoS of video services is 4, and the CoS of data services is 2.
Congestion can easily occur on Switch A. To reduce network congestion, make the following
rules according to different service types:
• For voice services, perform SP scheduling to assign voice services a high priority.
• For video services, perform WRR scheduling, with a weight of 50.
• For data services, perform WRR scheduling, with a weight of 20.

Figure 5-4 Queue scheduling networking

Configuration steps
Step 1 Configure interface packets to be mapped into inner priority according to IEEE 802.1p.

SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#trust 8021p outer

Step 2 Conduct SP+WRR queue scheduling in the egress direction of GE 1/0/2.

SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#queue scheduling sp+wrr queue 5
SwitchA(config-ge-1/0/2)#queue 4 weight 50
SwitchA(config-ge-1/0/2)#queue 2 weight 20
SwitchA(config-ge-1/0/2)#quit

Checking results
Use the following command to show queue scheduling configurations on the interface.

Raisecom#show queue interface ge 1/0/2


Current scheduling algorithm is 'sp+wrr',queue list 5
'Max-BW' means 'Max Bandwidth'
'Min-BW' means 'Min Bandwidth'
Interface Queue Max-BW Min-BW Weight
-----------------------------------------------------------------
ge-1/0/2 0 0M 0M 1
ge-1/0/2 1 0M 0M 1
ge-1/0/2 2 0M 0M 20
ge-1/0/2 3 0M 0M 1
ge-1/0/2 4 0M 0M 50
ge-1/0/2 5 0M 0M --
ge-1/0/2 6 0M 0M 1
ge-1/0/2 7 0M 0M 1
-----------------------------------------------------------------
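
How the SP+WRR settings above divide the port, as an added Python simulation (not Raisecom code). It assumes equal-sized packets, SP queues served highest ID first, and a WRR round in which each queue may send up to its weight in packets; the traffic load is constructed.

```python
def sp_wrr(slots, sp_queues, weights, backlog, arrival_period):
    """Simulate SP+WRR on one egress port with 8 queues and equal-sized packets.

    slots          -- number of packet transmission opportunities to simulate
    sp_queues      -- queue IDs served by strict priority (highest ID first)
    weights        -- WRR weight of every other queue (packets per round)
    backlog        -- packets already waiting in each queue at the start
    arrival_period -- queue -> N: one new packet every N slots (absent = none)
    Returns the number of packets sent per queue.
    """
    backlog = {q: backlog.get(q, 0) for q in range(8)}
    sent = {q: 0 for q in range(8)}
    sp_order = sorted(sp_queues, reverse=True)
    wrr_order = sorted((q for q in range(8) if q not in sp_queues), reverse=True)
    idx = 0
    credit = weights[wrr_order[0]] if wrr_order else 0

    for t in range(slots):
        for q, period in arrival_period.items():
            if t % period == 0:
                backlog[q] += 1
        # Strict priority: any waiting SP packet goes before every WRR queue.
        chosen = next((q for q in sp_order if backlog[q] > 0), None)
        if chosen is None and wrr_order:
            # WRR: stay on the current queue until its credit or backlog runs out,
            # then move on. One extra step lets the scan come back around to the
            # starting queue with fresh credit.
            for _ in range(len(wrr_order) + 1):
                q = wrr_order[idx]
                if backlog[q] > 0 and credit > 0:
                    credit -= 1
                    chosen = q
                    break
                idx = (idx + 1) % len(wrr_order)
                credit = weights[wrr_order[idx]]
        if chosen is not None:
            backlog[chosen] -= 1
            sent[chosen] += 1
    return sent


# Settings from the example: queue 5 is SP, queue 4 has weight 50, queue 2 has
# weight 20, and the other queues keep weight 1 as in the command output.
SP_QUEUES = {5}
WEIGHTS = {0: 1, 1: 1, 2: 20, 3: 1, 4: 50, 6: 1, 7: 1}
# Constructed load: video (queue 4) and data (queue 2) are permanently backlogged.
BACKLOG = {4: 10_000, 2: 10_000}


def light_voice():
    """Voice (queue 5) offers one packet every 4 slots, i.e. 25% of the link."""
    return sp_wrr(2800, SP_QUEUES, WEIGHTS, BACKLOG, {5: 4})


def saturating_voice():
    """Queue 5 receives a new packet in every slot."""
    return sp_wrr(2800, SP_QUEUES, WEIGHTS, BACKLOG, {5: 1})


if __name__ == "__main__":
    for name, run in (("light", light_voice), ("saturating", saturating_voice)):
        result = run()
        print(name, {q: n for q, n in result.items() if n})
```

With voice at 25% load, the remaining slots split 50:20 between queues 4 and 2; when queue 5 is never empty, the WRR queues send nothing. Bound queue 5 (for example with max-bandwidth from 5.3.7) and trust 802.1p only on ports whose markings you control.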

5.4 Congestion avoidance


5.4.1 Introduction
By monitoring the utilization of network resources (queues/memory buffers), congestion
avoidance can actively discard packets when congestion occurs or network traffic increases.
It is a traffic control mechanism that resolves network overload by adjusting network
traffic.
The traditional packet loss policy uses the Tail-Drop mode to process all packets equally
without differentiating classes of service. When congestion occurs, packets at the end of a
queue are discarded until congestion is resolved.
This Tail-Drop policy may cause TCP global synchronization, making network traffic alternate
between heavy and light and affecting link utilization.

RED
Random Early Detection (RED) discards packets randomly and prevents multiple TCP
connections from reducing their transmission rates simultaneously, thus avoiding TCP global
synchronization.
The RED algorithm configures a minimum threshold and a maximum threshold for the length of
each queue. In addition:
• Packets are not discarded when the queue length is smaller than the minimum threshold.
• All received packets are discarded when the queue length is greater than the maximum
threshold.
• Packets to be received are discarded randomly when the queue length is between the
minimum and maximum thresholds. The greater the queue size is, the higher the packet
drop probability is.

WRED
Weighted Random Early Detection (WRED) also avoids TCP global synchronization by
randomly discarding packets. However, WRED derives its random discarding parameters from
the priority of the queue and applies different discarding strategies to packets of different
colors, so that high-priority packets are favored and have a small discarding probability.
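
The threshold behavior described for RED and WRED can be modelled in a few lines. This is an added example, not Raisecom code: it assumes a linear ramp between the two thresholds and works on the instantaneous queue fill, and the per-color percentages in WRED_PROFILE are constructed values, not device defaults.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DropProfile:
    """WRED parameters for one packet color, all given as percentages (0-100)."""
    low_threshold: int       # queue fill (%) below which nothing is discarded
    high_threshold: int      # queue fill (%) above which everything is discarded
    discard_percentage: int  # maximum discard probability (%), reached at the high threshold

    def __post_init__(self):
        if not 0 <= self.low_threshold <= self.high_threshold <= 100:
            raise ValueError("need 0 <= low_threshold <= high_threshold <= 100")
        if not 0 <= self.discard_percentage <= 100:
            raise ValueError("discard_percentage must be within 0-100")


def drop_probability(profile, queue_depth, queue_length):
    """Probability (0.0-1.0) that a packet arriving at queue_depth is discarded."""
    if queue_length <= 0 or not 0 <= queue_depth <= queue_length:
        raise ValueError("queue_depth must be within 0..queue_length")
    fill = 100.0 * queue_depth / queue_length
    if fill < profile.low_threshold:
        return 0.0   # below the minimum threshold: never discard
    if fill > profile.high_threshold:
        return 1.0   # above the maximum threshold: discard everything
    span = profile.high_threshold - profile.low_threshold
    # Assumption: the probability rises linearly between the two thresholds.
    ramp = 1.0 if span == 0 else (fill - profile.low_threshold) / span
    return ramp * profile.discard_percentage / 100.0


# Constructed per-color profiles (not Raisecom defaults): green packets are
# protected longest, red packets are discarded earliest and most aggressively.
WRED_PROFILE = {
    "green": DropProfile(60, 90, 20),
    "yellow": DropProfile(40, 80, 50),
    "red": DropProfile(20, 60, 100),
}


def color_probabilities(queue_depth, queue_length, profiles=WRED_PROFILE):
    """Drop probability of every color at the same queue depth."""
    return {color: drop_probability(profile, queue_depth, queue_length)
            for color, profile in profiles.items()}


def simulate_arrivals(profile, queue_depth, queue_length, arrivals, seed=0):
    """Count how many of `arrivals` packets are discarded at a fixed queue depth."""
    rng = random.Random(seed)
    probability = drop_probability(profile, queue_depth, queue_length)
    return sum(1 for _ in range(arrivals) if rng.random() < probability)


if __name__ == "__main__":
    for depth in (100, 500, 850, 950):
        print(depth, color_probabilities(depth, 1000))
```

At the same queue depth the three colors see different discard probabilities, which is the difference between WRED and plain RED.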

5.4.2 Preparing for configurations

Scenario
To avoid network congestion and solve the problem of TCP global synchronization, you can
configure congestion avoidance to adjust network flow and relieve network overload.

Prerequisite
N/A

5.4.3 Default configurations of congestion avoidance


Default configurations of congestion avoidance are as below.

Function                 Default value
Interface WRED status    Disable

5.4.4 Configuring WRED


Configure WRED for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#drop-profile drop-profile-name
      Create a WRED profile, and enter WRED configuration mode.
3     Raisecom(config-drop-profile)#color { green | non-tcp | red | yellow } low-threshold { low-threshold-percentage | default } high-threshold { high-threshold-percentage | default } discard-percentage { discard-percentage | default }
      • { green | non-tcp | red | yellow }: configure the WRED parameters of the green/non-TCP/red/yellow packets.
      • low-threshold-percentage: low threshold percentage of WRED discarding, namely, the low threshold for WRED discarding as a percentage of the queue length
      • high-threshold-percentage: high threshold percentage of WRED discarding, namely, the high threshold for WRED discarding as a percentage of the queue length
      • discard-percentage: maximum discarding probability of WRED
      By default, the discarding percentage of WRED is 100, and the maximum discarding probability is 100.
4     Raisecom(config)#interface interface-type interface-number
      Enter Layer 2 physical interface configuration mode, or aggregation group configuration mode. Take Layer 2 physical interface configuration mode for example.
5     Raisecom(config-ge-1/0/*)#qos wred drop-profile-name
      Apply the WRED profile to the interface.
6     Raisecom(config-ge-1/0/*)#qos queue queue-index wred drop-profile-name
      Apply the discarding profile to the interface queue.
      • queue-index: interface queue indexes 0–7 correspond to BE, AF1, AF2, AF3, AF4, EF, CS6, and CS7.
      • drop-profile-name: name of the discarding profile to be applied

5.4.5 Checking configurations


Use the following commands to check configuration results.

No.   Command / Description
1     Raisecom#show drop-profile { all | name }
      Show information about WRED profiles.

5.5 Rate limiting


5.5.1 Introduction
The device supports rate limiting based on traffic policy, interface, or VLAN ID. As with
rate limiting based on traffic policy, the device discards the excess traffic.

5.5.2 Preparing for configurations

Scenario
When the network is congested, you want to restrict burst flow on an interface or VLAN so
that packets are transmitted at an even rate and network congestion is removed. In this
case, you need to configure rate limiting.

Prerequisite
N/A

5.5.3 Configuring rate limiting based on physical interface


Configure rate limiting based on physical interface for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number
      Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/*)#rate-limit { ingress | egress } { gbps | kbps | mbps | percent } cir-value
      Configure rate limiting based on interface in the ingress or egress direction.

• By default, no interface-based rate limiting is configured.
• Packets on the ingress interface are dropped if they exceed the configured rate limit.
• The number of packets discarded due to rate limiting on the egress interface is
added to the statistics on discarded packets on the ingress interface.

5.5.4 Example for configuring rate limiting based on interface

Networking requirements
As shown in Figure 5-5, User A, User B, and User C are respectively connected to the device
by Switch A, Switch B, and Switch C.
User A uses voice and video services. User B uses voice, video and data services. User C uses
video and data services.
According to service requirements, make rules as below.
• Provide User A with 25 Mbit/s guaranteed bandwidth, discarding excess flow.
• Provide User B with 35 Mbit/s guaranteed bandwidth, discarding excess flow.
• Provide User C with 30 Mbit/s guaranteed bandwidth, discarding excess flow.

Figure 5-5 Rate limiting based on interface

Configuration steps
Configure rate limiting based on interface.

Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#rate-limit ingress kbps 25000
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#rate-limit ingress kbps 35000
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#rate-limit ingress kbps 30000
Raisecom(config-ge-1/0/3)#exit

6 Multicast

This chapter describes basic principles and configuration procedures for multicast, and
provides related configuration examples, including the following sections:
• Multicast
• IGMP Snooping
• MLD Snooping

6.1 Multicast
With the continuous development of the Internet, more and more interactive data, voice, and
video services of various types are emerging on the network. At the same time, e-commerce,
online meetings, online auctions, video on demand, remote learning, and other services are
also growing. These services place higher requirements on network bandwidth, information
security, and paid features. Traditional unicast and broadcast cannot meet these requirements
well, while multicast meets them in a timely manner.
Multicast is a point-to-multipoint data transmission method. It effectively solves the problem
of sending from a single point and receiving at multiple points. During transmission of packets
on the network, multicast can save network resources and improve information security.

Comparison among unicast, broadcast, and multicast


Multicast is a packet transmission method that exists in parallel with unicast and
broadcast.
• Unicast: the system establishes a data transmission path for each user who needs the
information, and sends each of them a separate copy of the information. With unicast, the
amount of information transmitted over the network is proportional to the number of
users, so when the number of users becomes huge, there is more identical
information on the network. In this case, bandwidth becomes a bottleneck, and
unicast is not conducive to transmission of large-scale information.
• Broadcast: the system sends information to all users regardless of whether they need it,
so every user receives it. With broadcast, the information source delivers
information to all users in the segment, which fails to guarantee information security and
paid service. In addition, when the number of users who require this kind of information
decreases, the utilization of network resources becomes very low, and bandwidth is
seriously wasted.
• Multicast: when some users in the network need specific information, the sender sends
only one piece of information, which is then replicated and distributed at fork junctions
as far along the path as possible.
As shown in Figure 6-1, assume that User B and User C need information. You can use
multicast transmission to combine User B and User C into a receiver set, so that the information
source needs to send only one piece of information. Each switch on the network establishes
its multicast forwarding table according to IGMP packets, and finally transmits the
information to the actual receivers, User B and User C.

Figure 6-1 Multicast transmission networking

In summary, unicast is for a network with sparse users and broadcast is for a network with
dense users. When the number of users in the network is uncertain, unicast and broadcast
are inefficient. When the number of users doubles and redoubles, the multicast
mode does not need to increase backbone bandwidth, but sends information to the users in
need. These advantages have made multicast a hot topic in the study of current
network technology.

Advantages and application of multicast


Compared with unicast and broadcast, multicast has the following advantages:
• Improve efficiency: reduce network traffic, relieve server and CPU load.
• Optimize performance: reduce redundant traffic and guarantee information security.
• Support distributed applications: solve the problem of point-to-point data transmission.
The multicast technology is used in the following aspects:
• Multimedia and streaming media, such as network television, network radio, and
real-time video/audio conferencing
• Training and cooperative operations communications, such as distance education and
telemedicine
• Data warehousing and financial applications (stock)
• Any other point-to-multipoint applications

Basic concepts in multicast

• Multicast group
A multicast group refers to the set of recipients identified by the same IP multicast address.
Any user host (or other receiving device) becomes a member of the group after joining the
multicast group. Members can identify and receive multicast data whose destination address is
the IP multicast address.
• Multicast group members
Each host joining a multicast group becomes a member of the multicast group. Multicast
group members are dynamic, and hosts can join or leave a multicast group at any time. Group
members may be widely distributed in any part of the network.
• Multicast source
A multicast source refers to a server which uses a multicast group address as the destination
address to send IP packets. A multicast source can send data to multiple multicast groups;
multiple multicast sources can send to one multicast group.
• Multicast router
A multicast router is a router that supports Layer 3 multicast. The multicast router can perform
multicast routing, guide multicast packet forwarding, and provide multicast group member
management for the remote segments that connect users.
• Routed interface
A routed interface refers to the interface towards the multicast router between a multicast
router and a host. The device receives multicast packets from this interface.
• Member interface
Also known as the Rx interface, a member interface is the interface towards the host between
the multicast router and the host. The device sends multicast packets from this interface.
Figure 6-2 shows basic concepts in multicast.

Figure 6-2 Basic concepts in multicast

Multicast address
To let multicast sources and multicast group members communicate across the Internet, you
need to provide a network layer multicast address and a link layer multicast address, namely, the
IP multicast address and multicast MAC address.
• IP multicast address
Internet Assigned Numbers Authority (IANA) assigns the Class D address space to IPv4 multicast;
the IPv4 multicast address ranges from 224.0.0.0 to 239.255.255.255.
• Multicast MAC address
When Ethernet transmits unicast IP packets, it uses the MAC address of the receiver as the
destination MAC address. However, when multicast packets are transmitted, the destination is
no longer a specific receiver, but a group with an uncertain number of members, so
Ethernet needs to use the multicast MAC address.
The multicast MAC address identifies receivers of the same multicast group on the link layer.
According to IANA, the high 24 bits of the multicast MAC address are 0x01005E, bit 25 is fixed
to 0, and the low 23 bits correspond to the low 23 bits of the IPv4 multicast address.
Figure 6-3 shows mapping between the IPv4 multicast address and MAC address.

Figure 6-3 Mapping between IPv4 multicast address and multicast MAC address

The first 4 bits of the IP multicast address are 1110, indicating multicast identification. Of the
last 28 bits, only 23 bits are mapped to the multicast MAC address, and the loss of the other
5 bits means that 32 IP multicast addresses map to the same multicast MAC address. Therefore, at
Layer 2, the device may receive extra data besides that of the IPv4 multicast group, and this extra
multicast data needs to be filtered by the upper layer on the device.
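
The 23-bit mapping and the resulting 32-to-1 aliasing can be checked directly when planning group addresses. This is an added example, not part of the original guide; the function names and the sample group plan are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MAC_PREFIX = 0x01005E000000   # high 24 bits are 01:00:5e, the 25th bit is fixed to 0
LOW_23_BITS = 0x7FFFFF        # the only part of the IPv4 group address that survives


def _group_as_int(group):
    """Validate an IPv4 multicast group address and return it as an integer."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0-239.255.255.255")
    return int(addr)


def multicast_mac(group):
    """Map an IPv4 multicast group address to its multicast MAC address."""
    value = MAC_PREFIX | (_group_as_int(group) & LOW_23_BITS)
    return ":".join(f"{octet:02x}" for octet in value.to_bytes(6, "big"))


def aliases(group):
    """Return all 32 IPv4 groups that share the MAC address of `group`."""
    low = _group_as_int(group) & LOW_23_BITS
    # The 5 bits between the 1110 prefix and the low 23 bits are not mapped.
    return [str(ipaddress.IPv4Address(0xE0000000 | (lost << 23) | low))
            for lost in range(32)]


def find_collisions(groups):
    """Return {mac: [groups]} for every MAC shared by more than one planned group."""
    by_mac = defaultdict(list)
    for group in groups:
        by_mac[multicast_mac(group)].append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


# Constructed group plan: two entries alias groups that are already in use.
SAMPLE_PLAN = ["225.1.1.1", "225.1.1.2", "225.1.1.3", "238.129.1.1", "224.1.1.2"]

if __name__ == "__main__":
    print(multicast_mac("225.1.1.1"))
    print(aliases("225.1.1.1"))
    print(find_collisions(SAMPLE_PLAN))
```

Running find_collisions over a group plan before deployment shows which groups a host or a MAC-based forwarding entry cannot tell apart at Layer 2.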

Basis of multicast protocol


To implement a complete set of multicast services, you need to deploy a variety of multicast
protocols at various positions in the network and make them cooperate with each other.
Typically, IP multicast working at the network layer is called Layer 3 multicast, so the
corresponding multicast protocol is called a Layer 3 multicast protocol, including Internet
Group Management Protocol (IGMP). IP multicast working at the data link layer is called Layer 2
multicast, so the corresponding multicast protocol is called a Layer 2 multicast protocol,
including Internet Group Management Protocol (IGMP) Snooping.
Figure 6-4 shows the operation of IGMP and Layer 2 multicast features.

Figure 6-4 Operating of IGMP and Layer 2 multicast features

IGMP, a protocol in the TCP/IP protocol suite, is responsible for managing IPv4 multicast
members. IGMP runs between the multicast router and hosts, and defines the establishment and
maintenance mechanism of multicast group membership between hosts and the multicast
router. IGMP is not involved in transmission and maintenance of group membership between
multicast routers, which is completed by the multicast routing protocol.
IGMP manages group members through interaction of IGMP packets between the host and
multicast router. IGMP packets are encapsulated in IP packets, including Query packets,
Report packets, and Leave packets. Basic functions of IGMP are as below:
• The host sends Report packets to join the multicast group, sends Leave packets to leave
the multicast group, and automatically determines which multicast group packets to
receive.
• The multicast router sends Query packets periodically, and receives Report packets and
Leave packets from hosts to learn about the multicast group members in the connected
segment. The multicast data is forwarded to the segment if there are multicast group
members, and is not forwarded if there are no multicast group members.
Up to now, IGMP has three versions: IGMPv1, IGMPv2, and IGMPv3. The newer version is
fully compatible with the older version. Currently the most widely used version is IGMPv2,
while IGMPv1 does not support the Leave packet.
Layer 2 multicast runs on Layer 2 devices between the host and multicast router.
Layer 2 multicast manages and controls multicast groups by monitoring and analyzing IGMP
packets exchanged between hosts and multicast routers, to forward multicast
data at Layer 2 and suppress multicast data diffusion at Layer 2.

Basic functions of Layer 2 multicast


Basic functions of Layer 2 multicast are as below:
• Assign the multicast router interface.
• Enable immediate leave.
• Configure multicast forwarding entries and the aging time of router interfaces.
Basic functions of Layer 2 multicast provide common Layer 2 multicast features, which must
be used on a device enabled with IGMP Snooping or IGMP MVR.

Configurations of basic functions take effect on IGMP Snooping or IGMP MVR concurrently.
The concepts related to IGMP basic functions are as below.

Multicast router interface


The router interface can be learnt dynamically on a Layer 2 multicast switch (through IGMP
Query packets, on the condition that the multicast routing protocol is enabled on multicast
routers), or configured manually, to forward downstream multicast Report and Leave
packets to the router interface.
A dynamically learnt router interface has an aging time, while a manually configured router
interface is not aged.

Aging time
The configured aging time takes effect on both multicast forwarding entries and the router
interface.
On a Layer 2 switch running the multicast function, each dynamically learnt router interface
starts a timer, whose expiration time is the aging time of IGMP Snooping. The router interface
is deleted if no IGMP Query packet is received within the aging time. The timer of the
router interface is updated when an IGMP Query packet is received.
Each multicast entry starts a timer, namely, the aging time of a multicast member. The
expiration time is the IGMP Snooping aging time. The multicast member is deleted if no
IGMP Report packet is received within the aging time. The timer of the multicast entry is
updated when an IGMP Report packet is received.

Immediate leave
On a Layer 2 switch running the multicast function, the system does not delete the
corresponding multicast entry immediately after a Leave packet is sent, but waits until the entry
is aged. You can enable this function to delete the corresponding multicast entry quickly when
there are a large number of downstream users and joining or leaving is frequent.
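
The timer rules for router interfaces, multicast members, and immediate leave can be made concrete with a small model. This is an added illustration, not the device's implementation: the class and method names are hypothetical, a single aging time (180 s here) is applied to both router interfaces and members, and the event list is constructed.

```python
class SnoopingTable:
    """Simplified model of the IGMP Snooping state a Layer 2 switch keeps for one VLAN."""

    def __init__(self, aging_time=180, immediate_leave=False):
        self.aging_time = aging_time
        self.immediate_leave = immediate_leave
        self.router_ports = {}   # port -> expiry time; None marks a static entry
        self.members = {}        # (group, port) -> expiry time

    def add_static_router_port(self, port):
        self.router_ports[port] = None          # configured manually: never aged

    def on_query(self, port, now):
        if port in self.router_ports and self.router_ports[port] is None:
            return                              # static entry has no timer to refresh
        self.router_ports[port] = now + self.aging_time

    def on_report(self, port, group, now):
        self.members[(group, port)] = now + self.aging_time

    def on_leave(self, port, group):
        if self.immediate_leave:
            self.members.pop((group, port), None)
        # Without immediate leave the entry stays until its timer expires.

    def expire(self, now):
        """Delete every dynamic entry whose timer has run out at time `now`."""
        self.router_ports = {p: t for p, t in self.router_ports.items()
                             if t is None or t > now}
        self.members = {k: t for k, t in self.members.items() if t > now}

    def member_ports(self, group, now):
        self.expire(now)
        return sorted(port for (g, port) in self.members if g == group)

    def router_port_list(self, now):
        self.expire(now)
        return sorted(self.router_ports)


# Constructed event trace: (time in seconds, event, port, group).
EVENTS = [
    (0, "query", "ge-1/0/1", None),
    (10, "report", "ge-1/0/2", "225.1.1.1"),
    (10, "report", "ge-1/0/3", "225.1.1.1"),
    (20, "leave", "ge-1/0/3", "225.1.1.1"),
    (60, "query", "ge-1/0/1", None),
    (70, "report", "ge-1/0/2", "225.1.1.1"),
]


def replay(events, aging_time=180, immediate_leave=False, static_router_ports=()):
    """Feed the trace into a fresh table and return it."""
    table = SnoopingTable(aging_time, immediate_leave)
    for port in static_router_ports:
        table.add_static_router_port(port)
    for now, kind, port, group in events:
        if kind == "query":
            table.on_query(port, now)
        elif kind == "report":
            table.on_report(port, group, now)
        elif kind == "leave":
            table.on_leave(port, group)
    return table


if __name__ == "__main__":
    for flag in (False, True):
        table = replay(EVENTS, immediate_leave=flag)
        print("immediate leave:", flag, table.member_ports("225.1.1.1", 30))
```

With immediate leave disabled, ge-1/0/3 keeps receiving the group until 190 s even though it left at 20 s; with it enabled, the port is removed at once.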

6.2 IGMP Snooping


6.2.1 Introduction
IGMP Snooping is a multicast constraining mechanism running on Layer 2 devices, used for
managing and controlling multicast groups, and implementing Layer 2 multicast.
IGMP Snooping allows the device to monitor IGMP sessions between the host and multicast
router. When it detects an IGMP Report packet from a host for a group, the device
adds the host-related interface to the forwarding entry of this group. Similarly, when a forwarding
entry reaches the aging time, the device deletes the host-related interface from the forwarding
table.

IGMP Snooping forwards multicast data through Layer 2 multicast entries. When receiving
multicast data, the device will forward them directly according to the corresponding receiving
interface of the multicast entry, instead of flooding them to all interfaces, to save bandwidth of
the device effectively.
IGMP Snooping establishes a Layer 2 multicast forwarding table, of which entries can be
learnt dynamically or configured manually.

6.2.2 Preparing for configurations

Scenario
As shown in Figure 6-5, multiple hosts belonging to a VLAN receive data from the multicast
source. You can enable IGMP Snooping on the Switch that connects the multicast router and
hosts. By listening to IGMP packets transmitted between the multicast router and hosts, and
creating and maintaining the multicast forwarding table, you can implement Layer 2 multicast.

Figure 6-5 IGMP Snooping networking

Prerequisite
• Create VLANs.
• Add related interfaces to the VLANs.

6.2.3 Default configurations of IGMP Snooping


Default configurations of IGMP Snooping are as below.

Function                                                                 Default value
Global IGMP Snooping status                                              Disable
VLAN IGMP Snooping status                                                Disable
Interface IGMP Snooping status                                           Disable
IGMP Snooping version                                                    V2
IGMP query interval                                                      60s
Maximum response time                                                    10s
Aging time of the router interface                                       180s
Limitation on the maximum number of multicast groups on the interface    1000

6.2.4 Configuring basic functions of IGMP Snooping


Configure basic functions of IGMP Snooping for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#igmp-snooping { start | stop }
      Enable global IGMP Snooping.
3     Raisecom(config)#igmp-snooping router-aging-time aging-time
      (Optional) configure the aging time of the router interface.
4     Raisecom(config)#vlan vlan-id
      Enter VLAN configuration mode.
5     Raisecom(config-vlan-*)#igmp-snooping enable
      Enable IGMP Snooping on all VLANs.
6     Raisecom(config-vlan-*)#igmp-snooping version { v1 | v2 | v3 }
      (Optional) configure the protocol version.
7     Raisecom(config-vlan-*)#igmp-snooping forwarding-mode { ip | mac }
      (Optional) configure the forwarding mode of multicast entries to IP or MAC.
8     Raisecom(config-vlan-*)#igmp-snooping require-router-alert { enable | disable }
      (Optional) configure the router alert check.
9     Raisecom(config)#interface interface-type interface-number
      Enter physical interface configuration mode.
10    Raisecom(config-ge-1/0/*)#igmp-snooping enable
      Enable interface IGMP Snooping.
11    Raisecom(config-vlan-10)#igmp-snooping 8021p priorit { default | priority }
      (Optional) configure the 802.1p priority of the IGMP VLAN.

6.2.5 Configuring IGMP Snooping Querier


Configure IGMP Snooping Querier for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#igmp-snooping query-interval interval
      (Optional) configure the common query interval.
3     Raisecom(config)#igmp-snooping robust-count count
      (Optional) configure the robustness.
4     Raisecom(config)#vlan vlan-id
      Enter VLAN configuration mode.
5     Raisecom(config-vlan-*)#igmp-snooping querier { enable | disable }
      Enable IGMP Snooping Querier.
      After IGMP Snooping Querier is enabled, the device can send the common query packets and specific group query packets.
6     Raisecom(config-vlan-*)#igmp-snooping send-query source-address ip-address
      (Optional) configure the source IP address of query packets sent by the device.
7     Raisecom(config-vlan-*)#igmp-snooping max-response-time response-time
      (Optional) configure the maximum response time for query packets.
8     Raisecom(config-vlan-*)#igmp-snooping lastmember-query-interval interval
      (Optional) configure the interval for sending specific group query packets.
9     Raisecom(config-vlan-*)#igmp-snooping lastmember-query-number number
      (Optional) configure the number of specific group query packets to be sent.

6.2.6 Configuring IGMP Snooping packet suppression


Configure IGMP Snooping packet suppression for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id
      Enter VLAN configuration mode.
3     Raisecom(config-vlan-*)#igmp-snooping report-suppres { enable | disable }
      Configure suppression of Report and Leave packets.

6.2.7 Configuring IGMP Snooping multicast copy


Configure IGMP Snooping multicast copy for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id
      Enter VLAN configuration mode.
3     Raisecom(config-vlan-*)#igmp-snooping forwarding-mode ip
      Configure the forwarding mode to IP.
4     Raisecom(config-vlan-*)#igmp-snooping multicast-duplicate { enable | disable }
      Enable multicast copy.
5     Raisecom(config-vlan-*)#igmp-snooping multicast user-vlan vlan-list
      Configure the user VLAN associated with multicast copy.

6.2.8 Configuring the static multicast member of IGMP Snooping


Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number
      Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/*)#igmp-snooping static-group group-address group-address [ source-address source-address ] vlan vlan-id [ user-vlan vlan-list ]
      Configure the interface as a static multicast member.

• To configure the static multicast member of the source address, you need to
configure the protocol version to v3.
• To configure the user VLAN, you need to configure multicast copy.

6.2.9 Configuring IGMP Snooping Proxy


Configure IGMP Snooping Proxy for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id
      Enter VLAN configuration mode.
3     Raisecom(config-vlan-*)#igmp-snooping workmode igmp-proxy
      Configure the working mode to Proxy.
4     Raisecom(config-vlan-*)#igmp-snooping querier enable
      Enable IGMP Snooping Querier.
      The IGMP Snooping Querier must be enabled in Proxy mode; otherwise, multicast entries may be aged.
5     Raisecom(config-vlan-*)#igmp-snooping proxy-ip ip-address
      (Optional) configure the IP address of the Proxy in Proxy mode.

6.2.10 Configuring the limit on the number of IGMP Snooping interface multicast groups

Configure the limit on the number of IGMP Snooping interface multicast groups for the
device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number
      Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/*)#igmp-snooping group-limit number [ action { delay | replace } ]
      Configure the limit on the number of interface multicast groups.

6.2.11 Configuring the multicast policy of IGMP Snooping


Configure the multicast policy of IGMP Snooping for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#acl-ipv4 list-id
      Raisecom(configure-acl-ipv4-*)#rule rule-id ip src-ip any dst-ip dst-ip-address | dst-ip-mask
      Raisecom(configure-acl-ipv4-*)#rule rule-id action { permit | deny }
      Create an ACL policy profile, and configure it.
      The policy takes effect only on the permit and deny actions for the destination IP address.
3     Raisecom(config)#interface interface-type interface-number
      Enter physical interface configuration mode.
4     Raisecom(config-ge-1/0/*)#igmp-snooping group-policy acl-ipv4 list-id
      Bind the interface multicast policy with the ACL profile.
5     Raisecom(config)#vlan vlan-id
      Enter VLAN configuration mode.
6     Raisecom(config-vlan-*)#igmp-snooping group-policy acl-ipv4 list-id
      Bind the VLAN multicast policy with the ACL profile.

If a VLAN multicast policy and an interface multicast policy are concurrently
configured, and the VLAN multicast policy is deny, the policy of the interface will not
be checked.

6.2.12 Configuring IGMP Snooping SSM Mapping


Configure IGMP Snooping SSM Mapping for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#acl-ipv4 list-id
      Raisecom(configure-acl-ipv4-*)#rule rule-id ip src-ip any dst-ip dst-ip-address | dst-ip-mask
      Raisecom(configure-acl-ipv4-*)#rule rule-id action { permit | deny }
      Create an ACL policy profile, and configure it.
      The policy takes effect only on the permit and deny actions for the destination IP address.
3     Raisecom(config)#vlan vlan-id
      Enter VLAN configuration mode.
4     Raisecom(config-vlan-*)#igmp-snooping forwarding-mode ip
      Configure the forwarding mode to IP.
5     Raisecom(config-vlan-*)#igmp-snooping version v3
      Configure the protocol version to v3.
6     Raisecom(config-vlan-*)#igmp-snooping ssm-mapping { enable | disable }
      Enable SSM Mapping.
7     Raisecom(config-vlan-*)#igmp-snooping ssm-mapping acl-ipv4 list-id source-addres ip-address
      Map the multicast address into the source address.
      The command takes effect on the group address of which the ACL action is permit.

6.2.13 Configuring the static router interface of IGMP Snooping


Configure the static router interface of IGMP Snooping for the device as below.

Step  Command / Description
1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id
      Enter VLAN configuration mode.
3     Raisecom(config-vlan-10)#igmp-snooping router-port interface-type interface-number
      Configure the static router interface.
4     Raisecom(config-vlan-10)#igmp-snooping router-port drop-report { enable | disable }
      Configure the static router interface to discard Report packets.
5     Raisecom(config-vlan-10)#igmp-snooping router-port-limit { default | value }
      Configure the maximum number of static router interfaces.

6.2.14 Checking configurations


Use the following commands to check configuration results.

No.   Command / Description
1     Raisecom#show igmp-snooping config
      Show configurations of IGMP Snooping.
2     Raisecom#show igmp-snooping interface
      Show information about IGMP Snooping interfaces.
3     Raisecom#show igmp-snooping vlan
      Show information about IGMP Snooping multicast VLANs.
4     Raisecom#show igmp-snooping forwarding-table
      Show multicast entries of IGMP Snooping.

6.2.15 Maintenance
Maintain the device as below.

Command / Description
Raisecom(config)#reset igmp-snooping forwarding-table
      Clear dynamically learnt multicast entries.
Raisecom(config)#reset igmp-snooping statistics
      Clear statistics on IGMP Snooping packets.

6.2.16 Example for configuring basic functions of IGMP Snooping

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure the switch with IGMP Snooping.

Figure 6-6 Configuring basic functions of IGMP Snooping

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable IGMP Snooping.

Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit

Checking results
Use the following command to show configurations of IGMP Snooping.

Raisecom#show igmp-snooping config


!
igmp-snooping start
!
vlan 10
igmp-snooping enable
!
interface ge 1/0/1
igmp-snooping enable
!
interface ge 1/0/2
igmp-snooping enable
!
interface ge 1/0/3
igmp-snooping enable

6.2.17 Example for configuring the static member of IGMP Snooping

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure the switch with IGMP Snooping.
The user under interface GE 1/0/2 wants to receive multicast data of groups 225.1.1.1 to
225.1.1.3 permanently and stably.

Figure 6-7 Configuring the static member of IGMP Snooping

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable IGMP Snooping.

Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit

Step 3 Configure the static multicast member of IGMP Snooping.

Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping static-group group-address 225.1.1.1 vlan 10
Raisecom(config-ge-1/0/2)#igmp-snooping static-group group-address 225.1.1.2 vlan 10
Raisecom(config-ge-1/0/2)#igmp-snooping static-group group-address 225.1.1.3 vlan 10

Checking results
Use the following command to show configurations of IGMP Snooping.

Raisecom#show igmp-snooping config


!
igmp-snooping start
!
vlan 10
igmp-snooping enable
!
interface ge 1/0/1
igmp-snooping enable
!
interface ge 1/0/2
igmp-snooping enable
igmp-snooping static-group group-address 225.1.1.1 vlan 10
igmp-snooping static-group group-address 225.1.1.2 vlan 10
igmp-snooping static-group group-address 225.1.1.3 vlan 10
!
interface ge 1/0/3
igmp-snooping enable

Use the following command to show configurations of static entries of IGMP Snooping.

Raisecom#show igmp-snooping forwarding-table


S:Static, D:dynamic, E:Exclude, I:Include
Vlan  (Source,Group)   Port      OutVlan  Flag  Expires
10    (*,225.1.1.1)    ge-1/0/2  10       S/E   --
10    (*,225.1.1.2)    ge-1/0/2  10       S/E   --
10    (*,225.1.1.3)    ge-1/0/2  10       S/E   --
Total Group Number: 3

6.2.18 Example for configuring IGMP Snooping multicast copy

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10. The
multicast VLAN is different from the user VLAN. Configure IGMP Snooping multicast copy.
Add interface GE 1/0/1 to VLAN 6. Add user 1 to VLAN 10. Add user 2 to VLAN 20.

Figure 6-8 Configuring IGMP Snooping multicast copy

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 6,10,20
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 6
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 20
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable IGMP Snooping.

Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 6
Raisecom(config-vlan-6)#igmp-snooping enable
Raisecom(config-vlan-6)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit

Step 3 Enable IGMP Snooping multicast copy.

Raisecom(config)#vlan 6
Raisecom(config-vlan-6)#igmp-snooping forwarding-mode ip
Raisecom(config-vlan-6)#igmp-snooping multicast-duplicate enable
Raisecom(config-vlan-6)#igmp-snooping multicast user-vlan 10,20
Raisecom(config-vlan-6)#quit

Checking results
Use the following command to show configurations of IGMP Snooping.

Raisecom#show igmp-snooping config


!
igmp-snooping start
!
vlan 6
igmp-snooping enable
igmp-snooping forwarding-mode ip
igmp-snooping multicast-duplicate enable
igmp-snooping multicast user-vlan 10,20
!
interface ge 1/0/1
igmp-snooping enable
!
interface ge 1/0/2
igmp-snooping enable
!
interface ge 1/0/3
igmp-snooping enable

6.2.19 Example for configuring IGMP Snooping Proxy

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure IGMP Snooping.
Enable IGMP Proxy on the switch to reduce the communication between the host and
multicast router, without affecting implementation of multicast functions.
When the PC and STB are added to the same multicast group, the switch receives two copies
of IGMP Report packets, and sends one copy of IGMP Report packets to the multicast router.
The IGMP Query packet sent by the multicast router is not forwarded downstream, but is
periodically sent by the switch.

Figure 6-9 Configuring IGMP Snooping Proxy

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable IGMP Snooping.

Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit

Step 3 Enable IGMP Proxy.

Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping workmode igmp-proxy
Raisecom(config-vlan-10)#igmp-snooping querier enable
Raisecom(config-vlan-10)#quit

Checking results
Use the following command to show configurations of IGMP Snooping.

Raisecom#show igmp-snooping config


!
igmp-snooping start
!
vlan 10
igmp-snooping enable
igmp-snooping workmode igmp-proxy
igmp-snooping querier enable
!
interface ge 1/0/1
igmp-snooping enable
!
interface ge 1/0/2
igmp-snooping enable
!
interface ge 1/0/3
igmp-snooping enable

6.2.20 Example for configuring the multicast policy of IGMP Snooping

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure IGMP Snooping.
Enable the multicast policy on the switch to allow the user under interface GE 1/0/2 to join
225.1.1.1 to 225.1.1.3 and the user under interface GE 1/0/3 to join 225.1.1.4 to 225.1.1.6.

Figure 6-10 Configuring the multicast policy of IGMP Snooping

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable IGMP Snooping.

Raisecom(config)#igmp-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#igmp-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#igmp-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping enable
Raisecom(config-ge-1/0/3)#quit

Step 3 Configure the ACL profile of the GE 1/0/2 user.

Raisecom(config)#acl-ipv4 1001
Raisecom(configure-acl-ipv4-1001)#rule 1 src-ip any dst-ip 225.1.1.1/32
Raisecom(configure-acl-ipv4-1001)#rule 1 action permit
Raisecom(configure-acl-ipv4-1001)#rule 2 src-ip any dst-ip 225.1.1.2/32
Raisecom(configure-acl-ipv4-1001)#rule 2 action permit
Raisecom(configure-acl-ipv4-1001)#rule 3 src-ip any dst-ip 225.1.1.3/32
Raisecom(configure-acl-ipv4-1001)#rule 3 action permit
Raisecom(configure-acl-ipv4-1001)#quit

Step 4 Configure the ACL profile of the GE 1/0/3 user.

Raisecom(config)#acl-ipv4 1002
Raisecom(configure-acl-ipv4-1002)#rule 1 src-ip any dst-ip 225.1.1.4/32
Raisecom(configure-acl-ipv4-1002)#rule 1 action permit
Raisecom(configure-acl-ipv4-1002)#rule 2 src-ip any dst-ip 225.1.1.5/32
Raisecom(configure-acl-ipv4-1002)#rule 2 action permit
Raisecom(configure-acl-ipv4-1002)#rule 3 src-ip any dst-ip 225.1.1.6/32
Raisecom(configure-acl-ipv4-1002)#rule 3 action permit
Raisecom(configure-acl-ipv4-1002)#quit

Step 5 Bind the interface with the multicast policy ACL profile.

Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#igmp-snooping group-policy acl-ipv4 1001
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#igmp-snooping group-policy acl-ipv4 1002
Raisecom(config-ge-1/0/3)#quit

Checking results
Use the following command to show configurations of IGMP Snooping.

Raisecom#show igmp-snooping config


!
igmp-snooping start
!
vlan 10
igmp-snooping enable
!
interface ge 1/0/2
igmp-snooping enable
igmp-snooping group-policy acl-ipv4 1001 version 1-3
!
interface ge 1/0/3
igmp-snooping enable
igmp-snooping group-policy acl-ipv4 1002 version 1-3

Use the following command to show configurations of the ACL profile.

Raisecom#show acl config


!
acl-ipv4 1001
rule 1 src-ip any dst-ip 225.1.1.1/32
rule 1 action permit
rule 2 src-ip any dst-ip 225.1.1.2/32
rule 2 action permit
rule 3 src-ip any dst-ip 225.1.1.3/32
rule 3 action permit
acl-ipv4 1002
rule 1 src-ip any dst-ip 225.1.1.4/32
rule 1 action permit
rule 2 src-ip any dst-ip 225.1.1.5/32
rule 2 action permit
rule 3 src-ip any dst-ip 225.1.1.6/32
rule 3 action permit
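
The multicast policy is in effect a per-port allow-list of groups, so a user port that has IGMP Snooping enabled but no group-policy binding is not covered by it. The following Python audit is an added example, not Raisecom code: it parses text in the format of the two show outputs above and reports such ports and ACL rules whose destination is not multicast. The ge 1/0/1 uplink default, the ge 1/0/4 port and the first-match rule order are assumptions.

```python
import ipaddress
import re

# Constructed input in the format of the two "show" outputs above; the uplink
# ge 1/0/1 and the user port ge 1/0/4 (no policy) are hypothetical additions.
IGMP_CONFIG = """\
vlan 10
igmp-snooping enable
!
interface ge 1/0/1
igmp-snooping enable
!
interface ge 1/0/2
igmp-snooping enable
igmp-snooping group-policy acl-ipv4 1001 version 1-3
!
interface ge 1/0/3
igmp-snooping enable
igmp-snooping group-policy acl-ipv4 1002 version 1-3
!
interface ge 1/0/4
igmp-snooping enable
"""
ACL_CONFIG = """\
acl-ipv4 1001
rule 1 src-ip any dst-ip 225.1.1.1/32
rule 1 action permit
rule 2 src-ip any dst-ip 225.1.1.2/32
rule 2 action permit
rule 3 src-ip any dst-ip 225.1.1.3/32
rule 3 action permit
acl-ipv4 1002
rule 1 src-ip any dst-ip 225.1.1.4/32
rule 1 action permit
rule 2 src-ip any dst-ip 225.1.1.5/32
rule 2 action permit
rule 3 src-ip any dst-ip 225.1.1.6/32
rule 3 action permit
"""
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")


def parse_acls(text):
    """Return {acl_id: {rule_id: {"dst": IPv4Network, "action": str}}}."""
    acls, rules = {}, {}  # rules seen before any "acl-ipv4" header are discarded
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"acl-ipv4 (\d+)", line):
            rules = acls.setdefault(int(m[1]), {})
        elif m := re.fullmatch(r"rule (\d+) src-ip any dst-ip (\S+)", line):
            rules.setdefault(int(m[1]), {})["dst"] = ipaddress.ip_network(m[2], strict=False)
        elif m := re.fullmatch(r"rule (\d+) action (permit|deny)", line):
            rules.setdefault(int(m[1]), {})["action"] = m[2]
    return acls


def parse_ports(text):
    """Return {interface: {"snooping": bool, "acl": int or None}}."""
    ports, port = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"interface (ge \d+/\d+/\d+)", line):
            port = ports.setdefault(m[1], {"snooping": False, "acl": None})
        elif line == "!" or line.startswith("vlan "):
            port = None  # VLAN-level lines must not be credited to a port
        elif port is not None and line == "igmp-snooping enable":
            port["snooping"] = True
        elif port is not None and (m := re.match(r"igmp-snooping group-policy acl-ipv4 (\d+)\b", line)):
            port["acl"] = int(m[1])
    return ports


def evaluate(acls, acl_id, group):
    """Return 'permit', 'deny' or 'no-match'. Assumed: ascending rule-id, first match wins."""
    addr = ipaddress.ip_address(group)
    for _, rule in sorted(acls.get(acl_id, {}).items()):
        if "action" in rule and addr in rule.get("dst", ()):
            return rule["action"]
    return "no-match"


def audit(igmp_text, acl_text, uplinks=("ge 1/0/1",)):
    """Return sorted (object, problem) findings for user ports and ACL rules."""
    acls, ports, findings = parse_acls(acl_text), parse_ports(igmp_text), []
    for name, port in ports.items():
        if name in uplinks or not port["snooping"]:
            continue
        if port["acl"] is None:
            findings.append((name, "snooping enabled without group-policy"))
        elif port["acl"] not in acls:
            findings.append((name, f"group-policy uses undefined acl-ipv4 {port['acl']}"))
    for acl_id, rules in acls.items():
        for rule_id, rule in rules.items():
            if "dst" in rule and not rule["dst"].subnet_of(MULTICAST_V4):
                findings.append((f"acl-ipv4 {acl_id} rule {rule_id}", "dst-ip is outside 224.0.0.0/4"))
    return sorted(findings)


if __name__ == "__main__":
    print(audit(IGMP_CONFIG, ACL_CONFIG))
```

evaluate() returns no-match rather than deny for a group that no rule covers, because the page does not state what the device does in that case.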

6.3 MLD Snooping


6.3.1 Introduction
MLD Snooping is an IPv6 Layer 2 multicast protocol. It listens to the multicast protocol
packets exchanged between Layer 3 multicast devices and user hosts, maintains information
about the egress interfaces of multicast packets, and then manages and controls the
forwarding of multicast data packets.

6.3.2 Preparing for configurations

Scenario
As shown in Figure 6-11, multiple hosts receive data from multicast sources and belong to the
same VLAN. You can run MLD Snooping on the switch connecting the multicast router and
the host. By listening to the MLD packets between the multicast router and the host, you can
establish and maintain the multicast forwarding table, and implement Layer 2 multicast.

Figure 6-11 MLD Snooping networking

Prerequisite
• Create VLANs.
• Add related interfaces to the VLANs.

6.3.3 Default configurations of MLD Snooping


Default configurations of MLD Snooping are as below.

Function                                                               Default value
Global MLD Snooping status                                             Disable
VLAN MLD Snooping status                                               Disable
Interface MLD Snooping status                                          Disable
MLD Snooping version                                                   V1
MLD query interval                                                     60s
MLD robustness factor                                                  2
Maximum response time for sending Query packets                        10s
Aging time of the router interface                                     180s
Limitation on the maximum number of multicast groups on the interface  1000

6.3.4 Configuring basic functions of MLD Snooping


Configure basic functions of MLD Snooping for the device as below.

Step  Command                                                                         Description
1     Raisecom#configure                                                              Enter global configuration mode.
2     Raisecom(config)#mld-snooping { start | stop }                                  Enable global MLD Snooping.
3     Raisecom(config)#mld-snooping router-aging-time aging-time                      (Optional) configure the aging time of the router interface.
4     Raisecom(config)#vlan vlan-id                                                   Enter VLAN configuration mode.
5     Raisecom(config-vlan-*)#mld-snooping { enable | disable }                       Enable MLD Snooping on all VLANs.
6     Raisecom(config-vlan-*)#mld-snooping version { v1 | v2 }                        (Optional) configure the protocol version.
7     Raisecom(config-vlan-*)#mld-snooping forwarding-mode { ip | mac }               (Optional) configure the forwarding mode of multicast entries to IP or MAC.
8     Raisecom(config-vlan-*)#mld-snooping require-router-alert { enable | disable }  (Optional) configure the router alert check.
9     Raisecom(config)#interface interface-type interface-number                      Enter physical interface configuration mode.
10    Raisecom(config-ge-1/0/*)#mld-snooping { enable | disable }                     Enable interface MLD Snooping.

6.3.5 Configuring MLD Snooping Querier


Configure MLD Snooping Querier for the device as below.

Step  Command                                                                      Description
1     Raisecom#configure                                                           Enter global configuration mode.
2     Raisecom(config)#mld-snooping query-interval interval                        (Optional) configure the common query interval.
3     Raisecom(config)#mld-snooping robust-count count                             (Optional) configure the robustness.
4     Raisecom(config)#vlan vlan-id                                                Enter VLAN configuration mode.
5     Raisecom(config-vlan-*)#mld-snooping querier enable                          Enable MLD Snooping Querier. After MLD Snooping Querier is enabled, the device can send the common query packets and specific group query packets.
6     Raisecom(config-vlan-*)#mld-snooping send-query source-address ipv6-address  (Optional) configure the source IP address of query packets sent by the device.
7     Raisecom(config-vlan-*)#mld-snooping max-response-time response-time         (Optional) configure the maximum response time for query packets.
8     Raisecom(config-vlan-*)#mld-snooping lastmember-query-interval interval      (Optional) configure the interval for sending specific group query packets.
9     Raisecom(config-vlan-*)#mld-snooping lastmember-query-number number          (Optional) configure the number of specific group query packets to be sent.

6.3.6 Configuring MLD Snooping packet suppression


Configure MLD Snooping packet suppression for the device as below.

Step  Command                                                                   Description
1     Raisecom#configure                                                        Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id                                             Enter VLAN configuration mode.
3     Raisecom(config-vlan-*)#mld-snooping report-suppres { enable | disable }  Configure suppression of Report and Leave packets.

6.3.7 Configuring MLD Snooping multicast copy


Configure MLD Snooping multicast copy for the device as below.

Step  Command                                                                        Description
1     Raisecom#configure                                                             Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id                                                  Enter VLAN configuration mode.
3     Raisecom(config-vlan-*)#mld-snooping forwarding-mode ip                        Configure the forwarding mode to IP.
4     Raisecom(config-vlan-*)#mld-snooping multicast-duplicate { enable | disable }  Enable multicast copy.
5     Raisecom(config-vlan-*)#mld-snooping multicast user-vlan vlan-list             Configure the user VLAN associated with multicast copy.

6.3.8 Configuring the static multicast member of MLD Snooping


Step  Command                                                                                                               Description
1     Raisecom#configure                                                                                                    Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                                                            Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/*)#mld-snooping static-group group-address group-address vlan vlan-id [ user-vlan vlan-list ]  Configure the interface as a static multicast member.

To configure the user VLAN, you need to configure multicast copy.

6.3.9 Configuring MLD Snooping Proxy


Configure MLD Snooping Proxy for the device as below.

Step  Command                                                            Description
1     Raisecom#configure                                                 Enter global configuration mode.
2     Raisecom(config)#vlan vlan-id                                      Enter VLAN configuration mode.
3     Raisecom(config-vlan-*)#mld-snooping workmode mld-proxy            Configure the working mode to Proxy.
4     Raisecom(config-vlan-*)#mld-snooping querier { enable | disable }  Enable MLD Snooping Querier. The MLD Snooping Querier must be enabled in Proxy mode; otherwise, multicast entries may be aged.
5     Raisecom(config-vlan-10)#mld-snooping proxy-ip ipv6-address        (Optional) configure the IPv6 address of the Proxy in Proxy mode.

6.3.10 Configuring the limit on the number of MLD Snooping interface multicast groups
Configure the limit on the number of MLD Snooping interface multicast groups for the device
as below.

Step  Command                                                                                   Description
1     Raisecom#configure                                                                        Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                                Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/1)#mld-snooping group-limit number [ action { delay | replace } ]  Configure the limit on the number of interface multicast groups of MLD Snooping.

6.3.11 Configuring the multicast policy of MLD Snooping


Configure the multicast policy of MLD Snooping for the device as below.

Step  Command                                                                                     Description
1     Raisecom#configure                                                                          Enter global configuration mode.
2     Raisecom(config)#acl-ipv6 list-id                                                           Create an ACL policy profile, and configure it.
      Raisecom(configure-acl-ipv6-*)#rule rule-id src-ip any dst-ip dst-ip-address | dst-ip-mask  The policy takes effect on the permit and deny actions only of the destination IP address.
      Raisecom(configure-acl-ipv6-*)#rule rule-id action { permit | deny }
3     Raisecom(config)#interface interface-type interface-number                                  Enter physical interface configuration mode.
4     Raisecom(config-ge-1/0/1)#mld-snooping group-policy acl-ipv6 list-id                        Bind the interface multicast policy with the ACL profile.
5     Raisecom(config)#vlan vlan-id                                                               Enter VLAN configuration mode.
6     Raisecom(config-vlan-*)#mld-snooping group-policy acl-ipv6 list-id                          Bind the VLAN multicast policy with the ACL profile.

If a VLAN multicast policy and an interface multicast policy are concurrently
configured, and the VLAN multicast policy is deny, the policy of the interface will not
be checked.

6.3.12 Configuring MLD Snooping SSM Mapping


Configure MLD Snooping SSM Mapping for the device as below.

Step  Command                                                                                         Description
1     Raisecom#configure                                                                              Enter global configuration mode.
2     Raisecom(config)#acl-ipv6 list-id                                                               Create an ACL policy profile, and configure it. The policy takes effect on the permit and deny actions only of the destination IP address.
3     Raisecom(config)#vlan vlan-id                                                                   Enter VLAN configuration mode.
4     Raisecom(config-vlan-10)#mld-snooping forwarding-mode ip                                        Configure the forwarding mode to IP.
5     Raisecom(config-vlan-10)#mld-snooping version v2                                                Configure the protocol version to v2.
6     Raisecom(config-vlan-*)#mld-snooping ssm-mapping { enable | disable }                           Enable SSM Mapping.
7     Raisecom(config-vlan-10)#mld-snooping ssm-mapping acl-ipv6 list-id source-address ipv6-address  Map the multicast address into the source address. The command takes effect on the group address of which the ACL action is permit.

6.3.13 Checking configurations


Use the following commands to check configuration results.

No.  Command                                      Description
1    Raisecom#show mld-snooping config            Show configurations of MLD Snooping.
2    Raisecom#show mld-snooping interface         Show information about MLD Snooping interfaces.
3    Raisecom#show mld-snooping vlan              Show information about MLD Snooping multicast VLANs.
4    Raisecom#show mld-snooping forwarding-table  Show multicast entries of MLD Snooping.

6.3.14 Maintenance
Maintain the device as below.

Command                                               Description
Raisecom(config)#reset mld-snooping forwarding-table  Clear dynamically learnt multicast entries.

6.3.15 Example for configuring basic functions of MLD Snooping

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure the switch with MLD Snooping.

Figure 6-12 Configuring basic functions of MLD Snooping

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable MLD Snooping.

Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit

Checking results
Use the following command to show configurations of MLD Snooping.

Raisecom#show mld-snooping config


!
mld-snooping start
!
vlan 10
mld-snooping enable
!
interface ge 1/0/1
mld-snooping enable
!
interface ge 1/0/2
mld-snooping enable
!
interface ge 1/0/3
mld-snooping enable

6.3.16 Example for configuring the static member of MLD Snooping

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure the switch with MLD Snooping.
The user under interface GE 1/0/2 wants to receive multicast data of groups ff1e::1 to
ff1e::3 permanently and stably.

Figure 6-13 Configuring the static member of MLD Snooping

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable MLD Snooping.

Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit

Step 3 Configure the static multicast member of MLD Snooping.

Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping static-group group-address ff1e::1 vlan 10
Raisecom(config-ge-1/0/2)#mld-snooping static-group group-address ff1e::2 vlan 10
Raisecom(config-ge-1/0/2)#mld-snooping static-group group-address ff1e::3 vlan 10

Checking results
Use the following command to show configurations of MLD Snooping.

Raisecom#show mld-snooping config


!
mld-snooping start
!
vlan 10
mld-snooping enable
!
interface ge 1/0/1
mld-snooping enable
!
interface ge 1/0/2
mld-snooping enable
mld-snooping static-group group-address ff1e::1 vlan 10
mld-snooping static-group group-address ff1e::2 vlan 10
mld-snooping static-group group-address ff1e::3 vlan 10
!
interface ge 1/0/3
mld-snooping enable

Use the following command to show configurations of static entries of MLD Snooping.

Raisecom#show mld-snooping forwarding-table


S:Static, D:dynamic, E:Exclude, I:Include
Vlan  (Source,Group)  Port      OutVlan  Flag  Expires
------------------------------------------------------
10    (*,ff1e::1)     ge-1/0/2  10       S/E   --
10    (*,ff1e::2)     ge-1/0/2  10       S/E   --
10    (*,ff1e::3)     ge-1/0/2  10       S/E   --
------------------------------------------------------
Total Group Number: 3

6.3.17 Example for configuring MLD Snooping multicast copy

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10. The
multicast VLAN is different from the user VLAN. Configure MLD Snooping multicast copy.
Add interface GE 1/0/1 to VLAN 6. Add user 1 to VLAN 10. Add user 2 to VLAN 20.

Figure 6-14 Configuring MLD Snooping multicast copy

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 6,10,20
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 6
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 20
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable MLD Snooping.

Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 6
Raisecom(config-vlan-6)#mld-snooping enable
Raisecom(config-vlan-6)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit

Step 3 Enable MLD Snooping multicast copy.

Raisecom(config)#vlan 6
Raisecom(config-vlan-6)#mld-snooping forwarding-mode ip
Raisecom(config-vlan-6)#mld-snooping multicast-duplicate enable
Raisecom(config-vlan-6)#mld-snooping multicast user-vlan 10,20
Raisecom(config-vlan-6)#quit

Checking results
Use the following command to show configurations of MLD Snooping.

Raisecom#show mld-snooping config


!
mld-snooping start
!
vlan 10
mld-snooping enable
mld-snooping forwarding-mode ip
mld-snooping multicast-duplicate enable
mld-snooping multicast user-vlan 10,20
!
interface ge 1/0/1
mld-snooping enable
!
interface ge 1/0/2
mld-snooping enable
!
interface ge 1/0/3
mld-snooping enable

6.3.18 Example for configuring MLD Snooping Proxy

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10. Configure
MLD Snooping.
Enable MLD Proxy on the switch to reduce communication between the hosts and the
multicast router without affecting multicast functions.

Figure 6-15 Configuring MLD Snooping Proxy

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable MLD Snooping.

Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit

Step 3 Enable MLD Proxy.

Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping workmode mld-proxy
Raisecom(config-vlan-10)#mld-snooping querier enable
Raisecom(config-vlan-10)#quit

Checking results
Use the following command to show configurations of MLD Snooping.

Raisecom#show mld-snooping config


!
mld-snooping start
!
vlan 10
mld-snooping enable
mld-snooping workmode mld-proxy
mld-snooping querier enable
!
interface ge 1/0/1
mld-snooping enable
!
interface ge 1/0/2
mld-snooping enable
!
interface ge 1/0/3
mld-snooping enable

6.3.19 Example for configuring the multicast policy of MLD Snooping

Networking requirements
As shown below, switch interface GE 1/0/1 is connected to the multicast router. Switch
interfaces GE 1/0/2 and GE 1/0/3 are connected to user devices, which are in VLAN 10.
Configure MLD Snooping.
Enable the multicast policy on the switch to allow the user under interface GE 1/0/2 to join
ff1e::1 to ff1e::3 and the user under interface GE 1/0/3 to join ff1e::4 to ff1e::6.

Figure 6-16 Configuring the multicast policy of MLD Snooping

Configuration steps
Step 1 Create a VLAN. Add interfaces to it.

Raisecom#configure
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type access
Raisecom(config-ge-1/0/2)#port default vlan 10
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port link-type access
Raisecom(config-ge-1/0/3)#port default vlan 10
Raisecom(config-ge-1/0/3)#quit

Step 2 Enable MLD Snooping.

Raisecom(config)#mld-snooping start
Raisecom(config)#vlan 10
Raisecom(config-vlan-10)#mld-snooping enable
Raisecom(config-vlan-10)#quit
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mld-snooping enable
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping enable
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping enable
Raisecom(config-ge-1/0/3)#quit

Step 3 Configure the ACL profile of the GE 1/0/2 user.

Raisecom(config)#acl-ipv6 3001
Raisecom(configure-acl-ipv6-3001)#rule 1 src-ip any dst-ip ff1e::1/128
Raisecom(configure-acl-ipv6-3001)#rule 1 action permit
Raisecom(configure-acl-ipv6-3001)#rule 2 src-ip any dst-ip ff1e::2/128
Raisecom(configure-acl-ipv6-3001)#rule 2 action permit
Raisecom(configure-acl-ipv6-3001)#rule 3 src-ip any dst-ip ff1e::3/128
Raisecom(configure-acl-ipv6-3001)#rule 3 action permit
Raisecom(configure-acl-ipv6-3001)#quit

Step 4 Configure the ACL profile of the GE 1/0/3 user.

Raisecom(config)#acl-ipv6 3002
Raisecom(configure-acl-ipv6-3002)#rule 1 src-ip any dst-ip ff1e::4/128
Raisecom(configure-acl-ipv6-3002)#rule 1 action permit
Raisecom(configure-acl-ipv6-3002)#rule 2 src-ip any dst-ip ff1e::5/128
Raisecom(configure-acl-ipv6-3002)#rule 2 action permit
Raisecom(configure-acl-ipv6-3002)#rule 3 src-ip any dst-ip ff1e::6/128
Raisecom(configure-acl-ipv6-3002)#rule 3 action permit
Raisecom(configure-acl-ipv6-3002)#quit

Step 5 Bind the interface with the multicast policy ACL profile.

Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mld-snooping group-policy acl-ipv6 3001
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#mld-snooping group-policy acl-ipv6 3002
Raisecom(config-ge-1/0/3)#quit

Checking results
Use the following command to show configurations of MLD Snooping.

Raisecom#show mld-snooping config


!
mld-snooping start
!
vlan 10
mld-snooping enable
!
interface ge 1/0/2
mld-snooping enable
mld-snooping group-policy acl-ipv6 3001 version 1-2
!
interface ge 1/0/3
mld-snooping enable
mld-snooping group-policy acl-ipv6 3002 version 1-2
!

Use the following command to show configurations of the ACL profile.

Raisecom#show acl config


!
acl-ipv6 3001
rule 1 src-ip any dst-ip ff1e::1/128
rule 1 action permit
rule 2 src-ip any dst-ip ff1e::2/128
rule 2 action permit
rule 3 src-ip any dst-ip ff1e::3/128
rule 3 action permit
acl-ipv6 3002
rule 1 src-ip any dst-ip ff1e::4/128
rule 1 action permit
rule 2 src-ip any dst-ip ff1e::5/128
rule 2 action permit
rule 3 src-ip any dst-ip ff1e::6/128
rule 3 action permit
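
The following audit sketch is an added example, not Raisecom code. It parses the two show outputs above and reports which MLD Snooping interfaces have no group policy bound and which groups each bound acl-ipv6 profile permits. The function names are hypothetical, the GE 1/0/1 stanza is constructed from Step 2, and treating a group that matches no rule as refused is an assumption the guide does not state.

```python
import ipaddress
import re

# Constructed input: the "show mld-snooping config" output above, plus the
# uplink stanza that Step 2 creates (GE 1/0/1 has MLD Snooping but no policy).
MLD_CONFIG = """\
!
mld-snooping start
!
vlan 10
mld-snooping enable
!
interface ge 1/0/1
mld-snooping enable
!
interface ge 1/0/2
mld-snooping enable
mld-snooping group-policy acl-ipv6 3001 version 1-2
!
interface ge 1/0/3
mld-snooping enable
mld-snooping group-policy acl-ipv6 3002 version 1-2
!
"""

# Constructed input: the "show acl config" output above.
ACL_CONFIG = """\
!
acl-ipv6 3001
rule 1 src-ip any dst-ip ff1e::1/128
rule 1 action permit
rule 2 src-ip any dst-ip ff1e::2/128
rule 2 action permit
rule 3 src-ip any dst-ip ff1e::3/128
rule 3 action permit
acl-ipv6 3002
rule 1 src-ip any dst-ip ff1e::4/128
rule 1 action permit
rule 2 src-ip any dst-ip ff1e::5/128
rule 2 action permit
rule 3 src-ip any dst-ip ff1e::6/128
rule 3 action permit
"""


def parse_acls(text):
    """Return {acl_id: {rule_id: {"dst": IPv6Network, "action": str}}}."""
    acls, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"acl-ipv6 (\d+)", line)
        if m:
            current = acls.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = re.fullmatch(r"rule (\d+) src-ip (\S+) dst-ip (\S+)", line)
        if m:
            rule = current.setdefault(int(m.group(1)), {})
            rule["dst"] = ipaddress.ip_network(m.group(3), strict=False)
            continue
        m = re.fullmatch(r"rule (\d+) action (\w+)", line)
        if m:
            current.setdefault(int(m.group(1)), {})["action"] = m.group(2)
    return acls


def parse_policies(text):
    """Return {interface: acl_id or None} for interfaces with MLD Snooping enabled."""
    policies, iface = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line == "!":
            iface = None
        elif line.startswith("interface "):
            iface = line[len("interface "):]
        elif iface and line == "mld-snooping enable":
            policies.setdefault(iface, None)
        elif iface:
            m = re.match(r"mld-snooping group-policy acl-ipv6 (\d+)", line)
            if m:
                policies[iface] = m.group(1)
    return policies


def may_join(acls, acl_id, group):
    """Lowest-numbered matching rule decides; no match is refused (assumption)."""
    addr = ipaddress.ip_address(group)
    for _, rule in sorted(acls.get(acl_id, {}).items()):
        if "dst" in rule and addr in rule["dst"]:
            return rule.get("action") == "permit"
    return False


def audit(mld_text, acl_text):
    """Flag unfiltered interfaces and bindings to undefined ACLs; list permits."""
    acls, report = parse_acls(acl_text), {"unfiltered": [], "dangling": [], "permits": {}}
    for iface, acl_id in parse_policies(mld_text).items():
        if acl_id is None:
            report["unfiltered"].append(iface)
        elif acl_id not in acls:
            report["dangling"].append(iface)
        else:
            report["permits"][iface] = sorted(
                str(r["dst"]) for r in acls[acl_id].values()
                if r.get("action") == "permit" and "dst" in r)
    return report


if __name__ == "__main__":
    print(audit(MLD_CONFIG, ACL_CONFIG))
```

An interface listed under "unfiltered" is expected for the router-facing port GE 1/0/1; a user-facing port appearing there means Step 5 was missed for it.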

7 OAM

This chapter describes basic principles and configuration procedures for OAM and provides
related configuration examples, including the following sections:
• Introduction
• EFM
• Link-state tracking
• VRRP
• CFM

7.1 Introduction
Ethernet was initially designed for LANs, where Operation, Administration and Maintenance (OAM)
is weak because the network is small and is managed by an NE-level administrative system. With the
continuous development of Ethernet technology, Ethernet is applied ever more widely in Telecom
networks. Compared with a LAN, a Telecom network has much longer links and a much larger network
size. The lack of an effective management and maintenance mechanism has seriously obstructed the
application of Ethernet technology to Telecom networks.
To confirm connectivity of Ethernet virtual connections, effectively detect, confirm, and locate
faults on the network, balance network utilization, measure network performance, and provide
services according to the Service Level Agreement (SLA), implementing OAM on Ethernet has
become an inevitable trend.

OAM mode
The interface enabled with EFM OAM is called the OAM entity. EFM OAM supports the
following two connection modes:
• Active mode: the OAM entity in active mode can initiate an OAM connection.
• Passive mode: the OAM entity in passive mode only waits for the connection request of the
active OAM entity. If the OAM entities on both ends of the link are in passive mode,
they cannot establish an OAM connection.

OAM discovery
In the OAM discovery phase, an OAM entity discovers a remote OAM entity and establishes
a session with it.
This phase is initiated by the OAM entity in active mode. By exchanging Information OAM PDUs,
each OAM entity informs the other of its OAM configurations and the Ethernet OAM capabilities
supported by the local node, and the two decide whether to establish the OAM connection.
If both ends agree on establishment of the OAM connection, the Ethernet OAM protocol will
work on the link layer.
After the OAM connection is established, both ends keep connected by exchanging
Information OAM PDUs. If an OAM entity does not receive an Information OAM PDU within
the timeout time, it judges that the connection has expired and reconnection is required.

Peer fault notification
When a device fails or becomes unavailable, it will cause network interruption. Therefore, the
OAM PDU defines flag bits (the Flags field) that allow the OAM entity to continuously send
Information OAM PDUs to the peer, informing it of the fault.
• Link Fault: the peer link signal is lost, so the OAM PDU is sent once per second.
• Dying Gasp: unpredictable failure of the device occurs, which causes the system to be
unable to recover, such as power failure, so the device continuously sends OAM PDUs.
• Critical Event: when an uncertain emergency occurs on the device, such as abnormal
temperature, the OAM PDU is continuously sent.
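
The following decoder is an added example, not code from this guide. It reads the fixed OAMPDU header from a captured frame and reports which of the three fault flags described above are set. The header layout, flag bit positions, destination address 01-80-C2-00-00-02 and EtherType 0x8809 are taken from IEEE 802.3 Clause 57 rather than from this page, and the frames and function names are constructed for illustration.

```python
import struct

# Fixed OAMPDU header: dst MAC, src MAC, EtherType, subtype, flags, code.
HEADER = struct.Struct("!6s6sHBHB")
SLOW_PROTOCOLS_DST = bytes.fromhex("0180c2000002")
SLOW_PROTOCOLS_TYPE = 0x8809
OAM_SUBTYPE = 0x03

# The three fault indications named in the text above.
FAULT_FLAGS = {0x0001: "Link Fault", 0x0002: "Dying Gasp", 0x0004: "Critical Event"}
# Discovery state bits carried in the same field.
STATE_FLAGS = {
    0x0008: "Local Evaluating",
    0x0010: "Local Stable",
    0x0020: "Remote Evaluating",
    0x0040: "Remote Stable",
}
CODES = {
    0x00: "Information",
    0x01: "Event Notification",
    0x02: "Variable Request",
    0x03: "Variable Response",
    0x04: "Loopback Control",
    0xFE: "Organization Specific",
}


def parse_oampdu(frame):
    """Decode the OAMPDU header; return None for short or non-OAM frames."""
    if len(frame) < HEADER.size:
        return None
    dst, src, ethertype, subtype, flags, code = HEADER.unpack(frame[:HEADER.size])
    if ethertype != SLOW_PROTOCOLS_TYPE or subtype != OAM_SUBTYPE:
        return None
    return {
        "src": src.hex(":"),
        "dst_ok": dst == SLOW_PROTOCOLS_DST,
        "code": CODES.get(code, f"reserved(0x{code:02x})"),
        "faults": [name for bit, name in FAULT_FLAGS.items() if flags & bit],
        "state": [name for bit, name in STATE_FLAGS.items() if flags & bit],
    }


def build_frame(src_hex, flags, code=0x00, subtype=OAM_SUBTYPE):
    """Build a constructed sample frame, zero-padded to the 60-byte minimum."""
    header = HEADER.pack(SLOW_PROTOCOLS_DST, bytes.fromhex(src_hex),
                         SLOW_PROTOCOLS_TYPE, subtype, flags, code)
    return header.ljust(60, b"\x00")


# Constructed capture: healthy peer, Dying Gasp, Link Fault, an LACP frame
# (same EtherType, different subtype) and a truncated frame.
SAMPLE_FRAMES = [
    build_frame("020000000a01", 0x0050),
    build_frame("020000000a02", 0x0052),
    build_frame("020000000a03", 0x0051),
    build_frame("020000000a04", 0x0050, subtype=0x01),
    b"\x01\x80\xc2",
]


def fault_report(frames):
    """Return (source MAC, fault names) for every OAMPDU that signals a fault."""
    report = []
    for frame in frames:
        pdu = parse_oampdu(frame)
        if pdu and pdu["faults"]:
            report.append((pdu["src"], pdu["faults"]))
    return report


if __name__ == "__main__":
    for src, faults in fault_report(SAMPLE_FRAMES):
        print(src, ", ".join(faults))
```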

Remote loopback
Remote loopback can be used to locate the area where the fault occurs, and the quality of the
link can also be tested with the help of instruments. Regular loopback detection can detect
network faults in a timely manner, and locate the specific area where the fault occurs through
segmented loopback detection, which helps users clear faults.
OAM loopback occurs only after the Ethernet OAM connection is established. When
connected, the active OAM entity initiates OAM loopback command, and the peer OAM
entity responds to the command. When the remote OAM entity is in loopback mode, all
packets but OAM PDU packets are sent back.
As shown in Figure 7-1, local Switch A in the active mode determines the link status by
sending packets back.

Figure 7-1 OAM loopback

7.2 EFM
7.2.1 Introduction
Complying with IEEE 802.3ah protocol, Ethernet in the First Mile (EFM) is a link-level
Ethernet OAM technology. It provides link connectivity detection, link fault monitoring, and
remote fault notification for a link between two directly connected devices. EFM is mainly
used for Ethernet links on edges of the network accessed by users.

7.2.2 Preparing for configurations

Scenario
Deploying the EFM feature between directly connected devices can efficiently improve Ethernet
link management and maintenance capability and ensure stable network operation.

Prerequisite
• Connect interfaces.
• Configure physical parameters to make interfaces Up at the physical layer.

7.2.3 Default configurations of EFM


Default configurations of EFM are as below.

| Function | Default value |
| --- | --- |
| EFM working mode | Active |
| Period for sending packets | 10×100ms |
| Link timeout | 5s |
| EFM remote loopback status | No responding |
| Errored frame event monitoring window | 1s |
| Errored frame event monitoring threshold | 1 errored frame |
| Errored frame period event monitoring window | 1000ms |
| Errored frame period event monitoring threshold | 1 errored frame |
| Link errored frame second event monitoring window | 100s |
| Link errored frame second event monitoring threshold | 1s |
| Errored symbol period event monitoring window | 1s |
| Errored symbol period event monitoring threshold | 1s |
| Fault indication status | Enable |

7.2.4 Configuring basic functions of EFM


Configure basic functions of EFM for the device as below.

Step 1 Enter global configuration mode.

Raisecom#configure

Step 2 Enter physical interface configuration mode.
• interface-type: interface type
• interface-number: interface ID

Raisecom(config)#interface interface-type interface-number
Example:
Raisecom(config)#interface ge 1/0/1

Step 3 (Optional) configure the maximum transmission rate, which limits the bandwidth
occupied by EFM, ensuring that a maximum of a certain number of EFM PDUs can be sent
within a certain interval. The range is 1 to 10. The default value is 10.
• value: number of sent PDUs per unit time

Raisecom(config-ge-1/0/*)#efm max-rate value
Example:
Raisecom(config-ge-1/0/1)#efm max-rate max-rate

Step 4 (Optional) if the local EFM entity does not receive the EFM PDU from the peer within the
discovery timeout, it judges that the discovery connection has failed and the discovery process
is restarted. The range is 1 to 10. The default value is 10s.
• value: timeout time

Raisecom(config-ge-1/0/*)#efm min-rate min-rate
Example:
Raisecom(config-ge-1/0/1)#efm min-rate 5

Step 5 Configure the working mode of EFM OAM.
At least one end must be in active mode before configuration; otherwise, link detection cannot
proceed.
• active: in the active mode, the interface actively sends OAM PDUs to initiate end-to-end
discovery or remote loopback processes.
• passive: in the passive mode, the interface passively waits for the OAM PDU sent by the
peer end.

Raisecom(config-ge-1/0/*)#efm mode { active | passive }
Raisecom(config-ge-1/0/1)#exit
Example:
Raisecom(config-ge-1/0/1)#efm active

Step 6 Enter global configuration mode.

Raisecom(config-ge-1/0/*)#exit

Step 7 Enable interface EFM OAM.
• Enable: enable interface EFM OAM.
• Disable: disable interface EFM OAM.

Raisecom(config-ge-1/0/*)#efm { enable | disable }
Example:
Raisecom(config-ge-1/0/1)#efm enable

7.2.5 Configuring CFM interface loopback

Configuring OAM remote loopback


OAM provides a link-layer remote loopback mechanism for locating link faults and
measuring performance and quality. In link loopback status, the switch sends back all packets
except OAM packets received by the link to the peer device. The local device initiates or
disables remote loopback through the OAM remote loopback command. The remote device,
through the loopback configuration command, controls whether to respond to the loopback
command.
Configure OAM remote loopback as below.

Step 1 Enter global configuration mode.

Raisecom#configure

Step 2 Enter physical interface configuration mode.

Raisecom(config)#interface interface-type interface-number

Step 3 (Optional) configure the local waiting time for response, which is the response
timeout time. If no response from the peer is received within this time, the
configuration will fail. The range is 1s to 10s. The default value is 10s.
• value: timeout time

Raisecom(config-ge-1/0/*)#efm remote-loopback timeout timeout
Example:
Raisecom(config-ge-1/0/1)#efm remote-loopback timeout 5

Step 4 Configure remote loopback to be supported or unsupported.
• Supported: supported
• Unsupported: unsupported

Raisecom(config-ge-1/0/*)#efm remote-loopback { supported | unsupported }

Step 5 (Optional) if the local EFM entity fails to receive the peer EFM PDU within the
timeout time, it determines that the discovery connection has failed. In this case, it
restarts the discovery process. The range is 1s to 10s. The default value is 10s.
• value: timeout time

Raisecom(config-ge-1/0/*)#efm min-rate min-rate

Step 6 Start remote loopback. To avoid the link being unable to forward service data
normally for a long time because the user forgets to stop EFM remote loopback,
EFM remote loopback has an automatic cancellation function upon timeout. The
holdtime represents the duration of the remote loopback. By default, the
duration of remote loopback is 20min. When this time expires, the remote
loopback is automatically cancelled.

Raisecom(config-ge-1/0/*)#efm remote-loopback start holdtime { hold-time | default }
Example:
Raisecom(config-ge-1/0/1)#efm remote-loopback start holdtime 100

Step 7 Stop remote loopback.

Raisecom(config-ge-1/0/*)#efm mode remote-loopback stop
Example:
Raisecom(config-ge-1/0/1)#efm mode remote-loopback stop

7.2.6 Configuring EFM link fault detection


Configure EFM link fault detection as below.

Step 1 Enter global configuration mode.

Raisecom#configure

Step 2 Enter physical interface configuration mode.
• interface-type: interface type
• interface-number: interface ID

Raisecom(config)#interface interface-type interface-number
Example:
Raisecom(config)#interface ge 1/0/1

Step 3 Configure EFM emergency event detection.
• supported: supported
• unsupported: not supported

Raisecom(config-ge-1/0/*)#efm critical-event { supported | unsupported }
Example:
Raisecom(config-ge-1/0/1)#efm critical-event supported

7.2.7 Checking configurations


Use the following commands to check configuration results.

No. 1 Show information about EFM sessions at both ends.

Raisecom#show efm session { all | interface interface-type interface-number }

No. 2 Show EFM configurations at both ends.

Raisecom#show efm status { all | interface interface-type interface-number }

No. 4 Show information about EFM error logs at both ends.

Raisecom#show efm fault-logs interface interface-type interface-number

No. 5 Show summary of all EFM-enabled interfaces.

Raisecom#show efm { config | fault-logs | interface | session }

7.3 Link-state tracking


7.3.1 Introduction
Link-state tracking provides an interface linkage scheme for specific applications and
extends the range of link backup. Uplink and downlink interfaces are added to a link-state
group, which monitors the uplinks and synchronizes the downlinks with them. Therefore, the
fault of the upstream device can be communicated to the downstream device to trigger switching.
Link-state tracking can be used to prevent traffic loss caused by the downstream device failing
to sense the uplink fault.
When all uplink interfaces fail, the downlink interfaces are set to Down status. When at
least one uplink interface recovers, the downlink interfaces recover to Up status. Therefore,
the fault of the upstream device can be communicated to the downstream device immediately. Uplink
interfaces are not affected when a downlink interface fails.

7.3.2 Preparing for configurations

Scenario
When an uplink fails, traffic cannot be switched to the standby link if the downlink device fails
to be notified in time. Then traffic will be disrupted.
Link-state tracking can be used to add downlink interfaces and uplink interfaces of the middle
device to a link-state group and monitor uplink interfaces. When all uplink interfaces fail, the
fault of the upstream device can be communicated to the downstream device to trigger switching.

Prerequisite
N/A

7.3.3 Default configurations of link-state tracking


Default configurations of link-state tracking are as below.

| Function | Default value |
| --- | --- |
| Link-state group | N/A |
| Action for processing faults on the interface | N/A |
| Link-state group Trap | Disable |

7.3.4 Configuring link-state tracking

Link-state tracking can be configured on physical interfaces and LAG
interfaces.
Configure link-state tracking for the device as below.

Step 1 Enter global configuration mode.

Raisecom#configure

Step 2 Create a link-state group, and enable link-state tracking.

Raisecom(config)#monitor-link group group-number

Step 3 Configure link-state tracking group Trap.

Raisecom(config-monitorlink-*)#snmp-trap { enable | disable }

Step 4 Configure the uplink.

Raisecom(config-monitorlink-*)#add interface interface-type interface-number role uplink

Step 5 Configure the downlink.

Raisecom(config-monitorlink-*)#add interface interface-type interface-number role downlink

• One link-state group can contain several uplink interfaces. Link-state tracking will
not be performed when at least one uplink interface is Up. Only when all uplink
interfaces are Down will link-state tracking occur.
• On the link-state tracking node, use the remove interface interface-type
interface-number command to delete an interface.
• In physical interface configuration mode, use the no monitor-link group group-number
command to delete an interface from the link-state group.

7.3.5 Checking configurations


Use the following commands to check configuration results.

Step 1 Show configurations and status of the link-state group.

Raisecom#show monitor-link group group-number
Raisecom#show monitor-link group

7.3.6 Example for configuring link-state tracking

Networking requirements
As shown in Figure 7-2, to improve network reliability, Link 1 and Link 2 of Switch B are
connected to Switch A and Switch C respectively. Link 1 is the active link and Link 2 is the
standby link. Link 2 will not be used to forward data until Link 1 is faulty.
Switch A and Switch C are connected to the uplink network in link aggregation mode. When
all uplink interfaces on Switch A and Switch C fail, Switch B needs to sense the fault in time
and switch traffic to the standby link. Therefore, you should deploy link-state tracking on
Switch A and Switch C.

Figure 7-2 Link-state tracking networking

Configuration steps
Configurations of Switch A and Switch C are the same. Take Switch A for example.
Step 1 Create a LAG. Add uplink interfaces GE 1/0/1 and GE 1/0/2 to the LAG.

Raisecom#configure
Raisecom(config)#int eth-trunk 1
Raisecom(config-eth-trunk-1)#add interface ge 1/0/1
Raisecom(config-eth-trunk-1)#add interface ge 1/0/2

Step 2 Create link-state group 1. Add LAG interfaces to the link-state group.

Raisecom(config)#monitor-link group 1
Raisecom(config-monitorlink-1)#add interface eth-trunk 1 role uplink

Step 3 Add downlink interface GE 1/0/3 to the link-state group.

Raisecom(config-monitorlink-1)#add interface ge 1/0/3 role downlink

Checking results
Take Switch A for example. Use the show monitor-link group command to show
configurations of the link-state group.

SwitchA#show monitor-link group 1


Mlink group 1 :
--------------------------------------------------------------------------------
Snmp trap : enable
HoldOff time : 3
Uplink-select : first-up
Member       Role      State    Status  Linkstate
ge-1/0/3     downlink  forward  active  up/up
eth-trunk-1  uplink    forward  active  up/up
--------------------------------------------------------------------------------

Use the show monitor-link group command to show configurations of the link-state group
after all uplinks of Switch A fail. In this case, you can learn that link-state tracking is
performed.

SwitchA#show monitor-link group 1


Mlink group 1 :
--------------------------------------------------------------------------------
Snmp trap : enable
HoldOff time : 3
Uplink-select : first-up
Member       Role      State  Status  Linkstate
ge-1/0/3     downlink  block  active  up/down
eth-trunk-1  uplink    block  active  up/down
--------------------------------------------------------------------------------

7.4 VRRP
7.4.1 Introduction
All hosts in the internal network are configured with the same default route, pointing to the
exit gateway, to achieve communication between the hosts and the external network. If the
gateway fails, the hosts that use that gateway as the default route will not be able to communicate
with the external network.
Virtual Router Redundancy Protocol (VRRP) is a master/standby mode protocol designed to
eliminate network failures caused by a single point of failure of the default routing device in a
static default routing environment. It effectively avoids network disconnection caused by
single link failures, and does not require modifying the corresponding routing protocol and other
configurations.

VRRP backup group


VRRP virtualizes two or more routing devices in a local area network into a single device
(including a master device and several backup devices), forming a VRRP backup group. The
VRRP backup group is functionally equivalent to a virtual router, providing the IP address of
the virtual routing device externally.
• Master device: if a device with an external IP address is working properly, it is the
master device, or the master device is elected through the algorithm. The master device
implements various network functions for the IP addresses of the virtual routing device. When
VRRP is running, the master device regularly sends VRRP notification packets to the backup
devices, indicating that it is working normally.
• Backup device: if a device has no external IP address or has a low priority, it is a backup
device. The backup device only receives notification packets and does not send them.
When the master device fails, VRRP re-elects the master device from the backup devices.
The new master device takes over the network functions of the original master device.
When configuring VRRP, configure a backup group number and priority for each routing
device. The backup group number is used to group devices, and devices with the same backup
group number belong to the same group. Devices in the same group elect the master device
by priority; the one with the highest priority becomes the master device, as shown in the
following figure.

Figure 7-3 VRRP principles

In the previous figure, Switch A and Switch B form a virtual routing device, which has its
own IP address. Hosts within the local area network take the virtual routing device as the
default gateway. The device with the highest priority among Switch A and Switch B is the
master device, which carries out the gateway functions, while the other device is the backup
device.

Working mode of VRRP


In the VRRP backup group, devices have the following two working modes:
• Non-preemptive mode: as long as the master device is functioning properly, even if the
backup device is configured with a higher priority, the backup device will not become
the master device.
• Preemptive mode: in the VRRP backup group, once a device discovers that its priority is
higher than that of the current master device, it will send a VRRP notification packet to the
external network, causing the devices in the backup group to re-elect the master device.
Finally, it replaces the original master device. Correspondingly, the original master
device will become a backup device.

Working flow of VRRP


VRRP works as below:
Step 1 After being enabled with VRRP, the device determines its role in the VRRP backup group
based on priority. The device with the highest priority is the master while the devices with
lower priority are the backups. The master device regularly sends VRRP notification packets to
notify other devices in the backup group that it is working normally. The backup device
starts the timer and waits for the notification packet to arrive.
Step 2 In preemptive mode, after receiving the VRRP notification packet, the backup device
compares its own priority with the priority in the notification packet. If its priority is lower
than the priority in the notification packet, the backup status will be maintained; otherwise, it
will become the master device.
Step 3 In non-preemptive mode, as long as the master device does not fail, the device status in the
backup group remains unchanged.
Step 4 If the timer of the backup device times out, VRRP considers that the master device is no
longer functioning properly. At this time, the backup device will consider itself as the master
device and send a VRRP notification packet to the external network for a new round of master
device election. The newly elected master device will take over the network functions of the
original master device and carry out the functions of forwarding packets.
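
The following simulation is an added example, not device code. It models Steps 1 to 4 above as a small state machine so that the effect of preemptive and non-preemptive mode on master failure and recovery can be checked. The class and function names are hypothetical, the initial election is modelled as every timer expiring at once, and priorities are assumed distinct because the steps above do not describe a tie-break.

```python
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    priority: int = 100      # default device priority in this guide
    preempt: bool = True     # default working mode in this guide
    state: str = "backup"
    alive: bool = True

    def fail(self):
        self.alive = False

    def recover(self):
        # A recovered device rejoins as a backup and listens first.
        self.alive, self.state = True, "backup"


def on_advert(router, adv_priority):
    """Steps 2 and 3: react to a notification packet carrying adv_priority."""
    if router.state == "master":
        if adv_priority > router.priority:
            router.state = "backup"      # replaced by the higher-priority device
    elif router.preempt and router.priority > adv_priority:
        router.state = "master"          # only a preemptive backup takes over


def run_interval(group):
    """One notification interval for every live device in the backup group."""
    live = [r for r in group if r.alive]
    if not any(r.state == "master" for r in live):
        for r in live:                   # Step 4: timers expire, no master heard
            r.state = "master"
    adverts = [(r.name, r.priority) for r in live if r.state == "master"]
    for r in live:
        for sender, priority in adverts:
            if sender != r.name:
                on_advert(r, priority)


def settle(group, max_intervals=10):
    """Run intervals until roles stop changing; return names of live masters."""
    if len({r.priority for r in group}) != len(group):
        raise ValueError("distinct priorities assumed; no tie-break is modelled")
    for _ in range(max_intervals):
        before = [r.state for r in group]
        run_interval(group)
        if before == [r.state for r in group]:
            break
    return [r.name for r in group if r.alive and r.state == "master"]


if __name__ == "__main__":
    for preempt in (True, False):
        a = Router("SwitchA", 120, preempt)
        b = Router("SwitchB", 100, preempt)
        group = [a, b]
        print("preempt" if preempt else "non-preempt", "initial:", settle(group))
        a.fail()
        print("  SwitchA down:", settle(group))
        a.recover()
        print("  SwitchA back:", settle(group))
```

In preemptive mode the recovered Switch A takes the master role back; in non-preemptive mode Switch B keeps it until Switch B itself fails.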

Load balancing
VRRP load balancing refers to establishing two or more VRRP backup groups, with multiple
devices simultaneously carrying services. It allows one device to back up multiple backup
groups, with different priorities in different backup groups. Load sharing can be implemented
through multiple virtual devices. The master device in each backup group can be different, as
shown in the following figure.

Figure 7-4 Principles of VRRP load balancing

Wherein:
• Switch A is the master device in VRRP backup group 1 and the backup device in VRRP
backup group 2.
• Switch B is the master device in VRRP backup group 2 and the backup device in VRRP
backup group 1.
Some hosts on the network use backup group 1 as the gateway, such as host A and host B.
Some hosts on the network use backup group 2 as the gateway, such as host C. In this way,
hosts back up each other and also balance load on the network.

7.4.2 Preparing for configurations

Scenario
Generally, a default route to the breakout gateway is configured for all devices in a LAN, so
these devices can communicate with the external network. If the gateway fails, the connection
will fail.
VRRP combines multiple routers to form a backup group. By configuring a virtual IP address
for the backup group, you can configure the default gateway to the virtual IP address of the
backup group to make devices in the LAN communicate with the external network.
VRRP helps improve network reliability by preventing network interruption caused by failure
of a single link and prevents changing routing configurations due to link failure.

Prerequisite
N/A

7.4.3 Default configurations of VRRP


Default configurations of VRRP are as below.

| Function | Default value |
| --- | --- |
| VRRP status | Enable |
| VRRP trap status | Disable |
| VRRP group on the interface | no |
| VRRP backup group description | no |
| VRRP backup group status | Disable |
| Device priority | 100 |
| IP owner priority | 255 |
| VRRP working mode | Preemption mode |
| Preemption delay of the VRRP group | 0s |
| Packet sending interval of the VRRP group | 1s |

7.4.4 Configuring the VRRP backup group


Configure the VRRP backup group for the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#interface vlan vlan-id
    Description: Enter VLAN interface configuration mode.

Step 3
    Command: Raisecom(config-vlanif-*)#vrrp group-id virtual-ip ipv4-address
    Description: Configure the virtual IPv4 address of the VRRP backup group.

Step 4
    Command: Raisecom(config-vlanif-*)#vrrp group-id advertise-interval { interval | default }
    Description: (Optional) configure the interval for sending VRRP packets.
        • group-id: VRRP instance ID
        • interval: interval for sending VRRP packets, in units of second, ranging from 1 to
          4000, being 1 by default
        • default: default interval for sending protocol packets

Step 5
    Command: Raisecom(config-vlanif-*)#vrrp group-id check-ttl { enable | disable }
    Description: (Optional) configure TTL detection for VRRP packets.
        • group-id: VRRP instance ID
        • enable: enabled
        • disable: disabled
        By default, it is enabled.

Step 6
    Command: Raisecom(config-vlanif-*)#vrrp group-id priority { value | default }
    Description: (Optional) configure the VRRP instance priority.
        • group-id: VRRP instance ID
        • (value | default): priority, being 100 by default

Step 7
    Commands:
        Raisecom(config-vlanif-*)#vrrp group-id bfd bfd-session increased { increased-value | default }
        Raisecom(config-vlanif-*)#vrrp group-id bfd bfd-session reduced { reduced-value | default }
        Raisecom(config-vlan*)#vrrp group-id bfd bfd-session
    Description: (Optional) bind BFD.
        • group-id: VRRP instance ID
        • bfd-id: BFD instance ID
        • (Optional) increased: increase the priority.
        • (Optional) reduced: reduce the priority.
        • (Optional) value | default: configure the VRRP instance priority to be reduced when
          the BFD status is down. It is 10 by default.

Step 8
    Command: Raisecom(config-vlanif-*)#vrrp group-id track interface vlan vlan-id
    Description: (Optional) bind the VLAN interface.
        • group-id: VRRP instance ID
        • vlan-id: index of the VLAN

Step 9
    Commands:
        Raisecom(config-vlanif-*)#vrrp group-id track admin-vrrp interface vlan vlan-id vrrp-id
        Raisecom(config-vlanif-*)#vrrp group-id track admin-vrrp interface interface-type interface-number vrid vrid-id
    Description: (Optional) bind the management VRRP group.
        • group-id: VRRP instance ID
        • vlan-id: index of the bound VLAN
        • vrrp-id: management VRRP instance ID

Step 10
    Command: Raisecom(config-vlanif-*)#vrrp group-id send-packet-mode { v2 | v3 | v2v3 }
    Description: (Optional) configure the version of sent VRRP packets.
        • group-id: VRRP instance ID
        • v2: send v2 packets.
        • v3: send v3 packets.
        • v2v3: send both v2 and v3 packets.

Step 11
    Command: Raisecom(config-vlanif-*)#vrrp group-id authentication-mode { simple | md5 } { cipher | plain } key
    Description: (Optional) configure VRRP authentication, which takes effect on v2 instances.
        • group-id: VRRP instance ID
        • simple: simple character authentication
        • md5: MD5 authentication
        • cipher: shown in cipher text
        • plain: shown in plain text
        • key: authentication character

Step 12
    Command: Raisecom(config-vlanif-*)#vrrp group-id holding-multiplier [ holding-multiplier-value ]
    Description: (Optional) configure the VRRP backup timeout multiplier.
        • group-id: VRRP instance ID
        • holding-multiplier-value: timeout multiplier (3–10), being 3 by default

Step 13
    Command: Raisecom(config-vlanif-*)#vrrp group-id role admin
    Description: (Optional) configure VRRP role management.
        • group-id: VRRP instance ID

7.4.5 Configuring the VRRP6 backup group


Configure the VRRP6 backup group for the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#interface vlan vlan-id
    Description: Enter VLAN interface configuration mode.

Step 3
    Command: Raisecom(config-vlanif-*)#ipv6 enable
    Description: Enable VRRP6.

Step 4
    Command: Raisecom(config-vlanif-*)#vrrp-ipv6 group-id associate-address ipv6-address [link-local]
    Description: Configure the virtual IPv6 address of the VRRP6 backup group.
        Other virtual IP addresses (virtual gateway addresses) can be configured only after
        the first virtual IP address is configured with the link local address. The link local
        address cannot be the virtual gateway address.

Step 5
    Command: Raisecom(config-vlanif-*)#vrrp-ipv6 group-id advertise-interval { interval | default }
    Description: (Optional) configure the interval for sending VRRP6 packets.
        • group-id: VRRP6 instance ID
        • (interval | default): interval for sending VRRP6 packets, in units of second, being
          100 by default

Step 6
    Command: Raisecom(config-vlanif-*)#vrrp-ipv6 group-id check-ttl { enable | disable }
    Description: (Optional) configure TTL detection for VRRP6 packets.
        • group-id: VRRP6 instance ID
        • enable: enabled
        • disable: disabled
        By default, it is enabled.

Step 7
    Command: Raisecom(config-vlanif-*)#vrrp-ipv6 group-id priority { value | default }
    Description: (Optional) configure the VRRP6 instance priority.
        • group-id: VRRP6 instance ID
        • (value | default): priority, being 100 by default

Step 8
    Command: Raisecom(config-vlanif-*)#vrrp-ipv6 group-id track bfd bfd-id [ { increased | reduced } { value | default } ]
    Description: (Optional) bind BFD.
        • group-id: VRRP6 instance ID
        • bfd-id: BFD instance ID
        • (Optional) increased: increase the priority.
        • (Optional) reduced: reduce the priority.
        • (Optional) value | default: configure the VRRP6 instance priority to be reduced when
          the BFD status is down. It is 10 by default.

Step 9
    Command: Raisecom(config-vlanif-*)#vrrp-ipv6 group-id track interface vlan vlan-id
    Description: (Optional) bind the VLAN interface.
        • group-id: VRRP6 instance ID
        • vlan-id: index of the VLAN

Step 10
    Command: Raisecom(config-vlanif-*)#vrrp-ipv6 group-id track admin-vrrp interface vlan vlan-id vrid vrrp-id
    Description: (Optional) bind the management VRRP6 group.
        • group-id: VRRP6 instance ID
        • vlan-id: index of the bound VLAN
        • vrrp-id: management VRRP6 instance ID

Step 11
    Command: Raisecom(config-vlanif-*)#vrrp-ipv6 group-id holding-multiplier { holding-multiplier-value | default }
    Description: (Optional) configure the VRRP6 backup timeout multiplier.
        • group-id: VRRP6 instance ID
        • holding-multiplier-value: timeout multiplier (3–10), being 3 by default

Step 12
    Command: Raisecom(config-vlanif-*)#vrrp-ipv6 group-id role admin
    Description: (Optional) configure VRRP6 role management.
        • group-id: VRRP6 instance ID


7.4.6 Configuring VRRP Trap


Configure VRRP Trap for the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#vrrp snmp-trap { enable | disable }
    Description: Enable or disable the ping function of the virtual IP address of the VRRP
        backup group.
        By default, it is enabled.

7.4.7 Configuring the VRRP monitoring interface


Configure the VRRP monitoring interface for the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#interface vlan vlan-id
    Description: Enter VLAN interface configuration mode.

Step 3
    Command: Raisecom(config-vlanif-*)#vrrp group-id track { interface-type interface-number | vlan vlan-id } [ { increased | reduced } { value | default } ]
    Description: Configure the monitoring interface of VRRP.

reduced priority: the value by which the priority is reduced when the monitored interface
changes from the Up status to the Down status, an integer ranging from 1 to 255. If it is not
configured manually, the priority of the device in the backup group is reduced by 10. The
range of priority after reduction is 1–254.
When the monitored interface changes from the Down status to the Up status, the
original priority is restored. We recommend configuring this parameter on the master
device.

7.4.8 Configuring BFD for VRRP


Configure BFD for VRRP for the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#interface vlan vlan-id
    Description: Enter VLAN interface configuration mode.

Step 3
    Command: Raisecom(config-vlanif-*)#vrrp group-id track bfd bfd-id [ { increased | reduced } { value | default } ]
    Description: Configure the VRRP backup group to monitor the BFD session to implement
        expedited switching.

• increased priority: the value by which the priority is increased when the monitored BFD
session changes to the Down status, an integer ranging from 1 to 255. The range of priority
after increment is 1–254. When the monitored BFD session changes from the
Down status to the Up status, the original priority is restored. We recommend
configuring this parameter on the backup device.
• reduced priority: the value by which the priority is reduced when the monitored BFD
session changes to the Down status, an integer ranging from 1 to 255. The range of priority
after reduction is 1–254. When the monitored BFD session changes from the
Down status to the Up status, the original priority is restored. We recommend
configuring this parameter on the master device.
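How the tracking values in 7.4.7 and 7.4.8 interact with the configured priorities, as an added Python model (not Raisecom code). It assumes preemption mode with zero delay (the defaults listed in 7.4.3), uses constructed primary addresses, and takes the higher-address tie-break from the VRRP RFCs rather than from this guide; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

ADJUSTED_MIN, ADJUSTED_MAX = 1, 254   # range of the priority after adjustment (from the guide)
DEFAULT_STEP = 10                     # default increased/reduced value (from the guide)


@dataclass
class Track:
    """One tracked object: a VLAN interface or a BFD session."""
    name: str
    mode: str = "reduced"     # "reduced" on the master, "increased" on the backup
    step: int = DEFAULT_STEP
    down: bool = False


@dataclass
class Router:
    name: str
    primary_ip: str           # constructed address, used only as a tie-break
    priority: int = 100       # default device priority in the guide
    tracks: list = field(default_factory=list)
    alive: bool = True

    def effective_priority(self) -> int:
        # Only tracked objects that are Down change the priority; when they
        # come back Up the configured priority applies again.
        delta = sum(t.step if t.mode == "increased" else -t.step
                    for t in self.tracks if t.down)
        if delta == 0:
            return self.priority
        return max(ADJUSTED_MIN, min(ADJUSTED_MAX, self.priority + delta))


def elect_master(routers, current=None):
    """Steady-state master in preemption mode with zero preemption delay."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    best = max(alive, key=lambda r: (r.effective_priority(),
                                     IPv4Address(r.primary_ip)))
    # A backup only preempts a live master whose priority is strictly lower.
    if current is not None and current.alive and \
            current.effective_priority() >= best.effective_priority():
        return current
    return best


def reduction_for_failover(master, backup):
    """Smallest 'reduced' value that drops the master strictly below the backup."""
    return max(1, master.priority - backup.effective_priority() + 1)


def demo():
    # Priorities 120 and 100 are the ones used in the master/backup example
    # of this guide; VLAN 300 is switch 1's second VLAN interface there.
    sw1 = Router("switch1", "10.0.0.1", priority=120, tracks=[Track("vlan 300")])
    sw2 = Router("switch2", "10.0.0.2")
    log = []
    master = elect_master([sw1, sw2])
    log.append(("all up", master.name, sw1.effective_priority()))
    sw1.tracks[0].down = True                      # tracked VLAN goes Down
    master = elect_master([sw1, sw2], master)
    log.append(("down, step 10", master.name, sw1.effective_priority()))
    sw1.tracks[0].step = reduction_for_failover(sw1, sw2)
    master = elect_master([sw1, sw2], master)
    log.append(("down, step %d" % sw1.tracks[0].step, master.name,
                sw1.effective_priority()))
    return log


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With priorities 120 and 100, the default reduction of 10 leaves the master at 110, so the backup never takes over; the reduced value has to exceed the priority gap.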

7.4.9 Checking configurations


Use the following commands to check configuration results.

No. 1
    Command: Raisecom#show vrrp session { role { admin | member | normal } }
    Description: Show the basic status of VRRP.

No. 2
    Command: Raisecom#show vrrp admin-vrrp
    Description: Show information about management VRRP.

No. 3
    Command: Raisecom#show vrrp statistics
    Description: Show VRRP statistics.

No. 4
    Commands:
        Raisecom#show vrrp interface vlan vlan-id
        Raisecom#show vrrp interface interface-type interface-number
    Description: Show VRRP information about the interface.

No. 5
    Commands:
        Raisecom#show vrrp associate interface vlan vlan-id [ vrid group-id ]
        Raisecom#show vrrp associate interface interface-type interface-number [ vrid group-id ]
        Raisecom#show vrrp associate interface
    Description: Show VRRP information about the specified group on the interface.

No. 6
    Commands:
        Raisecom#show vrrp binding admin-vrrp interface vlan vlan-id vrid group-id
        Raisecom#show vrrp binding admin-vrrp interface interface-type interface-number vrid group-id
    Description: Show binding information about the VRRP management group.


7.4.1 Example for configuring VRRP master/backup

Networking requirements
As shown in Figure 7-5, host 1 is dual-homed to switch 1 and switch 2 through the L2 switch.
To ensure continuous transmission of the user's services on the network, configure
VRRP in master/backup mode.
Under normal conditions, host 1 accesses the Internet through switch 1 as the default gateway.
When switch 1 fails, switch 2 replaces switch 1, thus implementing gateway backup.

Figure 7-5 Configuring VRRP master/backup

Configuration steps
Step 1 Configure Layer 2 forwarding on the L2 Switch.

L2switch(config)#vlan 100
L2switch(config)#interface ge 1/0/2
L2switch(config-ge-1/0/2)#port hybrid pvid 100
L2switch(config-ge-1/0/2)#port hybrid vlan 100 untagged
L2switch(config)#vlan 100
L2switch(config)#interface ge 1/0/3
L2switch(config-ge-1/0/3)#port hybrid pvid 100
L2switch(config-ge-1/0/3)#port hybrid vlan 100 untagged

Step 2 Configure Switch 1.


switch1(config)#vlan 100
switch1(config)#interface vlan 100
switch1(config-vlanif-100)#ip address 10.0.0.1/24
switch1(config)#vlan 300
switch1(config)#interface vlan 300
switch1(config-vlanif-300)#ip address 192.168.1.1/24
switch1(config)#interface ge 1/0/1
switch1(config-ge-1/0/1)#port hybrid pvid 100
switch1(config-ge-1/0/1)#port hybrid vlan 100 untagged
switch1(config)#interface ge 1/0/2
switch1(config-ge-1/0/2)#port hybrid pvid 300
switch1(config-ge-1/0/2)#port hybrid vlan 300 untagged
switch1(config)#interface vlan 100
switch1(config-vlanif-100)#vrrp 1 virtual-ip 10.0.0.100
switch1(config-vlanif-100)#vrrp 1 priority 120

Step 3 Configure Switch 2.

switch2(config)#vlan 100
switch2(config)#interface vlan 100
switch2(config-vlanif-100)#ip address 10.0.0.1/24
switch2(config)#vlan 500
switch2(config)#interface vlan 500
switch2(config-vlanif-500)#ip address 192.168.2.1/24
switch2(config)#interface ge 1/0/1
switch2(config-ge-1/0/1)#port hybrid pvid 100
switch2(config-ge-1/0/1)#port hybrid vlan 100 untagged
switch2(config)#interface ge 1/0/2
switch2(config-ge-1/0/2)#port hybrid pvid 500
switch2(config-ge-1/0/2)#port hybrid vlan 500 untagged
switch2(config)#interface vlan 100
switch2(config-vlanif-100)#vrrp 1 virtual-ip 10.0.0.100

Checking results

switch1#show vrrp session
Interface  VRID  Role    Version  VR-State  Pri  IP-Count  State   Auth-Mode  Auth-Key
---------------------------------------------------------------------------------------------------------
vlan-100   1     normal  2        Master    120  1         Active  none       N/A

switch2#show vrrp session
Interface  VRID  Role    Version  VR-State  Pri  IP-Count  State   Auth-Mode  Auth-Key
---------------------------------------------------------------------------------------------------------
vlan-100   1     normal  2        Backup    100  1         Active  none       N/A
---------------------------------------------------------------------------------------------------------
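A check over the `show vrrp session` output above, as an added Python example (not part of the guide or of Raisecom's tooling): it parses rows whether or not the terminal wrapped them, flags v2 groups whose Auth-Mode is none or simple, and, going beyond the two rows shown, compares the devices' views of each group to report zero or multiple masters. The Auth-Mode values other than `none` are assumed to mirror the CLI keywords, and the third capture is constructed.

```python
from collections import defaultdict

COLUMNS = ["interface", "vrid", "role", "version", "vr_state", "pri",
           "ip_count", "state", "auth_mode", "auth_key"]
HEADER_WORDS = {"Interface", "Auth-Mode"}
# Assumption: the Auth-Mode column prints the same keywords the CLI accepts.
WEAK_AUTH = {"none": "AUTH_NONE", "simple": "AUTH_SIMPLE"}

# The two captures printed in this guide, with each row wrapped over two lines.
SWITCH1 = """switch1#show vrrp session
Interface VRID Role Version VR-State Pri IP-Count State
Auth-Mode Auth-Key
-------------------------------------------------------------------------
--------------------------------
vlan-100 1 normal 2 Master 120 1 Active
none N/A
"""
SWITCH2 = SWITCH1.replace("switch1", "switch2").replace("Master 120", "Backup 100")

# Constructed capture: switch2 also claims Master for the same group.
SWITCH2_SPLIT = """switch2#show vrrp session
Interface VRID Role Version VR-State Pri IP-Count State Auth-Mode Auth-Key
-------------------------------------------------------------------------
vlan-100 1 normal 2 Master 100 1 Active md5 ******
"""


def parse_sessions(text):
    """Return one dict per session row, joining rows the terminal wrapped."""
    rows, pending = [], []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or set(line.strip()) == {"-"}:
            continue                      # blank line or separator
        if tokens[0] in HEADER_WORDS or "#" in tokens[0]:
            pending = []                  # column header or CLI prompt
            continue
        pending += tokens
        if len(pending) >= len(COLUMNS):
            rows.append(dict(zip(COLUMNS, pending[:len(COLUMNS)])))
            pending = pending[len(COLUMNS):]
    return rows


def audit(outputs):
    """outputs maps device name -> captured text; returns a list of
    (device, interface, vrid, finding) tuples."""
    findings, masters, groups = [], defaultdict(list), set()
    for device, text in sorted(outputs.items()):
        for row in parse_sessions(text):
            group = (row["interface"], row["vrid"])
            groups.add(group)
            if row["vr_state"].lower() == "master":
                masters[group].append(device)
            code = WEAK_AUTH.get(row["auth_mode"].lower())
            # The guide states that authentication takes effect on v2 instances.
            if code and row["version"] == "2":
                findings.append((device,) + group + (code,))
    for group in sorted(groups):
        owners = masters.get(group, [])
        if len(owners) > 1:
            findings.append(("+".join(owners),) + group + ("MULTIPLE_MASTERS",))
        elif not owners:
            findings.append(("-",) + group + ("NO_MASTER",))
    return findings


if __name__ == "__main__":
    for finding in audit({"switch1": SWITCH1, "switch2": SWITCH2_SPLIT}):
        print(finding)
```

The NO_MASTER and MULTIPLE_MASTERS findings are only meaningful when the captures of every member of the backup group are passed in together.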

7.5 CFM
7.5.1 Introduction
Connectivity Fault Management (CFM) is a network-level Ethernet OAM technology,
providing end-to-end connectivity fault detection, fault notification, fault judgement, and fault
location. It is used to actively diagnose faults for an Ethernet Virtual Connection (EVC), provide
a cost-effective network maintenance solution, and improve network maintenance through the
fault management function.
The device complies with IEEE 802.1ag and ITU-T Y.1731.

CFM concepts
• MD
Maintenance Domain (MD), also called Maintenance Entity Group (MEG), is a network that
runs CFM. It defines the network range of OAM management. An MD has a level property, with 8
levels (level 0 to level 7). The bigger the number is, the higher the level is and the larger the
MD range is. Protocol packets in a lower-level MD are discarded after entering a higher-level
MD. If the higher-level MD contains a Maintenance association Intermediate Point (MIP) but no
Maintenance association End Point (MEP), the protocol packets can traverse the higher-level MD.
However, packets in a higher-level MD can traverse lower-level MDs. In the same VLAN
range, different MDs can be adjacent or embedded, but cannot cross each other.
As shown in Figure 7-6, MD 2 is in MD 1. Packets in MD 1 need to traverse MD 2. Configure
MD 1 to be at level 6, and MD 2 to be at level 3. Then packets in MD 1 can traverse MD 2
and implement connectivity fault management of the whole MD 1. However, packets in MD 2
cannot diffuse into MD 1. MD 2 is a server layer while MD 1 is a client layer.

Figure 7-6 MDs at different levels

• MA
The Maintenance Association (MA) is part of an MD. One MD can be divided into one or
multiple MAs. An MA is identified by MD name + MA name.
An MA can serve a specified VLAN or no VLAN; the two types are called the MA with VLAN
attributes and the MA without VLAN attributes respectively.
• MEP
As shown in the following figure, the Maintenance Association End Point (MEP) determines
the boundary of an MA and is identified by the "MEP ID". The MEP has directionality and can be
divided into two types: inward MEP and outward MEP.
The inward MEP sends CFM packets outward through all interfaces except the one it belongs
to; in other words, it broadcasts in the VLAN served by its MA.
The outward MEP directly sends CFM packets outward through its interface.

Figure 7-7 MEP and MIP

• MIP
As shown in Figure 7-7, the MIP is an internal node of a service instance. It cannot
actively send CFM packets but can process and respond to LinkTrace Message (LTM) and
LoopBack Message (LBM) packets. The MIP is automatically created by the device, and can
cooperate with the MEP to implement functions like PING and Tracert.
• MP
The MEP and MIP are collectively called Maintenance Points (MPs).

CFM functions
• Fault detection (Continuity Check, CC)
This function is implemented by periodically sending Continuity Check Messages (CCMs).
One MEP sends CCMs, and the other MEPs in the same service instance verify the RMEP
status when receiving them. If the device fails or a link is incorrectly configured, MEPs
cannot properly receive or process CCMs sent by RMEPs. If a MEP receives no CCM
within 3.5 CCM intervals, the link is considered to have failed. Then a fault Trap is sent
according to the configured alarm priority.
• Fault acknowledgement (LoopBack, LB)
This function is used to verify the connectivity between two MPs: the source MEP
sends a LoopBack Message (LBM) and the destination MP sends a LoopBack Reply (LBR).
The source MEP sends an LBM to the MP for which a fault needs to be acknowledged. When
receiving the LBM, the MP sends an LBR to the source MEP. If the source MEP receives this LBR,
the route is considered reachable. Otherwise, a connectivity fault has occurred.
• Fault location (LinkTrace, LT)


The source MEP sends a LinkTrace Message (LTM) to the destination MP, and all MPs on the
LTM transmission route send a LinkTrace Reply (LTR) to the source MEP. By recording
valid LTRs and LTMs, this function can be used to locate faults.
Y.1731 is an OAM protocol proposed by the ITU-T standard organization. It not only
includes the content specified in IEEE 802.1ag, but also adds more OAM message
combinations, providing the following OAM functions.
• Alarm inhibition
Alarm inhibition is used to reduce the number of MEP fault alarms. If the MEP does not
receive CCMs from the remote MEP within 3.5 CCM sending periods, it immediately
starts to periodically send Alarm Indication Signal (AIS) messages, which are sent in the
opposite direction to the CCMs. After receiving an AIS message, other MEPs suppress local
fault alarms and continue to send AIS messages. Afterwards, if the MEP receives a CCM, it
stops sending AIS messages and clears the fault alarm. AIS messages are multicast messages.
• One-way packet loss testing function
One-way Loss Measurement (LM) is used to detect one-way packet loss between MEPs. Its
implementation is as below: the source MEP sends a Loss Measurement Message (LMM) to
the target MEP; after receiving the LMM, the target MEP sends a Loss Measurement Reply
(LMR) message to the source MEP. The source MEP calculates the number of lost packets
between the source MEP and the target MEP based on two consecutive LMR messages; in
other words, starting from the second LMR message received, the source MEP calculates the
number of lost packets between the source MEP and the target MEP based on the statistics in
the current LMR message and the previous LMR message. Both the LMM and LMR messages are
unicast messages.
• Delay Measurement (DM)
DM is used to detect the delay of message transmission between MEPs. It is divided into the
one-way delay test and the round-trip delay test; currently only the bidirectional delay test
is supported. The implementation of the round-trip delay test is as below: the source MEP sends a
Delay Measurement Message (DMM), which carries its sending time, to the target MEP. After
receiving the DMM, the target MEP records its receiving time, and then sends a Delay
Measurement Reply (DMR) message to the source MEP. This message contains the sending
time and receiving time of the DMM message, and the sending time of the DMR message.
After receiving the DMR message, the source MEP records its receiving time and calculates
the delay and jitter of the link transmission based on these times.
In summary, CFM has implemented OAM technologies at the end-to-end service level,
reducing the operation and maintenance costs for service providers, and to some extent
improving their competitive advantage.
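The arithmetic behind the round-trip delay test and the packet loss test described above, as an added Python example (not Raisecom code). The counter names TxFCf, RxFCf, TxFCb and RxFCl and the two formulas follow ITU-T Y.1731 and do not appear in this guide; all sample values are constructed.

```python
from dataclasses import dataclass

COUNTER_MOD = 2 ** 32        # Y.1731 frame counters are 32-bit and wrap around


@dataclass(frozen=True)
class Dmr:
    """The four timestamps the source MEP holds once a DMR arrives (ns)."""
    tx_f: int   # DMM sending time, read from the source clock
    rx_f: int   # DMM receiving time, read from the target clock
    tx_b: int   # DMR sending time, read from the target clock
    rx_b: int   # DMR receiving time, read from the source clock


def two_way_delay(d: Dmr) -> int:
    # Each difference uses a single clock, so the two devices need not be
    # synchronised, and the target's processing time (tx_b - rx_f) is
    # subtracted from the elapsed time seen by the source.
    return (d.rx_b - d.tx_f) - (d.tx_b - d.rx_f)


def delay_and_jitter(dmrs):
    """Delay per DMR and jitter between consecutive delays."""
    delays = [two_way_delay(d) for d in dmrs]
    jitter = [abs(b - a) for a, b in zip(delays, delays[1:])]
    return delays, jitter


@dataclass(frozen=True)
class Lmr:
    """Counters available at the source MEP for one received LMR."""
    tx_fcf: int   # TxFCf: frames the source had sent when it sent the LMM
    rx_fcf: int   # RxFCf: frames the target had received when the LMM arrived
    tx_fcb: int   # TxFCb: frames the target had sent when it sent the LMR
    rx_fcl: int   # RxFCl: frames the source had received when the LMR arrived


def _delta(cur: int, prev: int) -> int:
    return (cur - prev) % COUNTER_MOD      # survives one counter wrap


def frame_loss(prev: Lmr, cur: Lmr):
    """(far-end loss, near-end loss) between two consecutive LMRs."""
    far_end = _delta(cur.tx_fcf, prev.tx_fcf) - _delta(cur.rx_fcf, prev.rx_fcf)
    near_end = _delta(cur.tx_fcb, prev.tx_fcb) - _delta(cur.rx_fcl, prev.rx_fcl)
    return far_end, near_end


def loss_series(lmrs):
    """Loss can only be reported from the second LMR onward."""
    return [frame_loss(p, c) for p, c in zip(lmrs, lmrs[1:])]


# Constructed samples. The target clock runs 1 s ahead of the source clock.
SAMPLE_DMRS = [
    Dmr(tx_f=1_000, rx_f=1_000_001_400, tx_b=1_000_001_900, rx_b=2_300),
    Dmr(tx_f=101_000, rx_f=1_000_101_450, tx_b=1_000_101_950, rx_b=102_350),
]
SAMPLE_LMRS = [
    Lmr(tx_fcf=4_294_967_290, rx_fcf=1_000, tx_fcb=500, rx_fcl=500),
    Lmr(tx_fcf=94, rx_fcf=1_097, tx_fcb=600, rx_fcl=600),   # TxFCf wrapped
    Lmr(tx_fcf=194, rx_fcf=1_197, tx_fcb=700, rx_fcl=698),
]

if __name__ == "__main__":
    print(delay_and_jitter(SAMPLE_DMRS))
    print(loss_series(SAMPLE_LMRS))
```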

7.5.2 Preparing for configurations

Scenario
To expand application of Ethernet technologies at a carrier-grade network, the Ethernet must
ensure the same QoS as the carrier-grade transport network. CFM solves this problem by
providing overall OAM tools for the carrier-level Ethernet.

Prerequisite
• Connect interfaces.
• Configure physical parameters to make interfaces Up at the physical layer.
• Create VLANs.
• Add interfaces to the VLAN.

7.5.3 Default configurations of CFM


Default configurations of CFM are as below.

Function                        Default value
Global CFM status               Disable
Interval for sending CCMs       1s
Sending CCM by the MEP          Disable
Priority of CFM OAM packets     0

7.5.4 Configuring basic functions of CFM


Configure basic functions of CFM for the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#cfm start
    Description: Enable global CFM.

Step 3
    Commands:
        Raisecom(config)#cfm md md-name level level format { dns dns-format-string | mac mac-format-string | string string | none }
        Raisecom(config)#cfm md md-name [ level level ]
    Description: Create an MD, and enter the MD view. If a name is specified for an MD, the
        format and contents of the MD name in the sent CCM are specified. The MD name, and
        the name and contents of the MD used in sent packets, must be globally unique.
        Otherwise, the MD will fail to be configured.

Step 4
    Command: Raisecom(config-cfm-md-*-ma-*)#mip create-type { default | explicit | none }
    Description: Configure the MIP creation rules for the current MA.
        • Default: if a higher-level MEP does not exist on the interface and a lower-level MIP
          does not exist, a MIP can be created on the interface. In this case, the MIP can be
          created without configuring the MEP on the interface.
        • Explicit: if there is a lower-level MEP on the interface without a higher-level MEP,
          and there is no lower-level MIP, a MIP can be created. In this case, a MIP can be
          created only when a lower-level MEP has been configured on the interface.
        • None: the MIP is not automatically created.

Step 5
    Command: Raisecom(config-cfm-md-*)#ma ma-name format { string | icc } format-string
    Description: Create an MA in an MD, and enter the MA view. This command specifies the MA
        name and the format and contents of the MA name in the sent CCM. The MAs in the same
        MD must be unique (when the MD format is none and the MA format is icc, the mode is
        Y.1731 mode).

Step 6
    Command: Raisecom(config-cfm-md-*-ma-*)#map vlan vlan-id
    Description: Configure the VLAN associated with the MA.

Step 7
    Command: Raisecom(config-cfm-md-*-ma-*)#mep mep-id mep-id interface interface-type interface-number { inward | outward }
    Description: Create a MEP within an MA.
        The requirements for the number and type of MEPs created within the same MA are as
        below:
        • The inward ordinary MEP and outward ordinary MEP cannot exist concurrently.
        • Only one outward interface-type MEP can be created, and multiple inward
          interface-type MEPs can be created, but only one inward interface-type MEP can be
          created on the same interface.

7.5.5 Configuring fault detection


Configure fault detection on the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#cfm md md-name
    Description: Enter the MD view.

Step 3
    Command: Raisecom(config-cfm-md-*)#ma ma-name
    Description: Enter the MA view.

Step 4
    Command: Raisecom(config-cfm-md-*-ma-*)#ccm interval { 3.3ms | 10ms | 100ms | 1s | 10s | 1min | 10min | default }
    Description: Configure the interval for sending CCMs by the MEP in the current MA.
        When the interval is configured to be smaller than 1s, the switching chip must
        support CFM.

Step 5
    Command: Raisecom(config-cfm-md-*-ma-*)#ccm send [ mep-id mep-id ] enable
    Description: Enable MEPs to send CCMs.

Step 6
    Command: Raisecom(config-cfm-md-*-ma-*)#rmep mep-id mep-id mac mac-address
    Description: Configure the static RMEP. This function is used with the CCM packet
        detection.

Step 7
    Command: Raisecom(config-cfm-md-*-ma-*)#ccm send [ mep-id mep-id ] priority { priority | default }
    Description: Configure the priority of sending CCMs by the MEP in the MA.
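The receive-side logic that the CCM interval and static RMEP settings above feed, as an added Python model (not Raisecom code): it applies the MD level rule and the 3.5-interval loss rule from 7.5.1. Rejecting CCMs whose MEP ID or source MAC is not in the static RMEP list, and the verdict names, are assumptions of this example; the timeline and the `02:...` addresses are constructed, while the levels, MEP IDs and `00:03:56:...` addresses come from the CFM example in this guide.

```python
# Interval keywords accepted by "ccm interval", in seconds; default is 1s.
CCM_INTERVALS = {"3.3ms": 0.0033, "10ms": 0.01, "100ms": 0.1, "1s": 1.0,
                 "10s": 10.0, "1min": 60.0, "10min": 600.0, "default": 1.0}
LOSS_FACTOR = 3.5     # no CCM within 3.5 intervals means the link has failed


class Mep:
    """Receive side of one MEP with a static RMEP list."""

    def __init__(self, md_level, mep_id, interval="default", rmeps=None, now=0.0):
        self.md_level = md_level
        self.mep_id = mep_id
        self.timeout = LOSS_FACTOR * CCM_INTERVALS[interval]
        # rmeps maps RMEP ID -> MAC, as configured with "rmep mep-id ... mac ...".
        self.rmeps = {rid: mac.lower() for rid, mac in (rmeps or {}).items()}
        self.last_seen = {rid: now for rid in self.rmeps}

    def receive_ccm(self, now, level, mep_id, src_mac):
        if level < self.md_level:
            return "discard"          # lower-level MD packet entering this MD
        if level > self.md_level:
            return "forward"          # higher-level packets traverse this MD
        if mep_id not in self.rmeps:
            return "unexpected-mep"   # same level, but not a configured RMEP
        if self.rmeps[mep_id] != src_mac.lower():
            return "mac-mismatch"     # known MEP ID from an unknown address
        self.last_seen[mep_id] = now  # only a valid CCM refreshes the timer
        return "accepted"

    def failed_rmeps(self, now):
        return sorted(rid for rid, seen in self.last_seen.items()
                      if now - seen >= self.timeout)


def replay(mep, ccms, check_times):
    """Feed (time, level, mep_id, mac) tuples in time order and evaluate the
    loss rule at each check time. Returns (verdicts, {check_time: failed})."""
    verdicts, alarms = [], {}
    pending = sorted(ccms)
    for t in sorted(check_times):
        while pending and pending[0][0] <= t:
            verdicts.append(mep.receive_ccm(*pending.pop(0)))
        alarms[t] = mep.failed_rmeps(t)
    verdicts += [mep.receive_ccm(*c) for c in pending]
    return verdicts, alarms


# Device A's MEP 1001 in MD_A (level 5) with Device D's MEP 4002 as RMEP.
def sample_mep():
    return Mep(5, 1001, "1s", {4002: "00:03:56:00:00:04"})


SAMPLE_CCMS = [                                   # constructed timeline
    (1.0, 5, 4002, "00:03:56:00:00:04"),          # expected RMEP
    (1.2, 3, 2001, "00:03:56:00:00:02"),          # MD_B, level 3
    (1.4, 5, 5001, "02:00:00:00:00:05"),          # MEP ID not in the RMEP list
    (2.0, 5, 4002, "00:03:56:00:00:04"),
    (2.5, 5, 4002, "02:00:00:00:00:99"),          # right ID, wrong MAC
    (9.0, 5, 4002, "00:03:56:00:00:04"),          # RMEP heard again
]

if __name__ == "__main__":
    print(replay(sample_mep(), SAMPLE_CCMS, [5.0, 6.0, 9.5]))
```

Because a CCM with a mismatched MAC does not refresh the timer, the RMEP at 2.5 s still times out 3.5 s after its last valid CCM at 2.0 s.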


7.5.6 Configuring fault acknowledgement


Configure fault acknowledgement for the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#cfm md md-name
    Description: Enter the MD view.

Step 3
    Command: Raisecom(config-cfm-md-*)#ma ma-name
    Description: Enter the MA view.

Step 4
    Commands:
        Raisecom(config-cfm-md-*-ma-*)#ping mep-id mep-id rmep-id mep-id [ count count | tlv-type { null | null-crc | prbs | prbs-crc } | tlv-len len | priority priority ] *
        Raisecom(config-cfm-md-*-ma-*)#ping mep-id mep-id mac mac-address [ count count | tlv-type { null | null-crc | prbs | prbs-crc } | tlv-len len | priority priority ] *
        Raisecom(config-cfm-md-*-ma-*)#ping mep-id mep-id mac multicast [ count count | tlv-type { null | null-crc | prbs | prbs-crc } | tlv-len len | priority priority ] *
    Description: Perform Layer 2 PING for acknowledging faults.

7.5.7 Configuring fault location


Configure fault location for the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#cfm md md-name
    Description: Enter the MD view.

Step 3
    Command: Raisecom(config-cfm-md-*)#ma ma-name
    Description: Enter the MA view.

Step 4
    Commands:
        Raisecom(config-cfm-md-*-ma-*)#trace mep-id mep-id mac mac-address [ ttl ttl | fdb <0-1> ] *
        Raisecom(config-cfm-md-*-ma-*)#trace mep-id mep-id rmep-id mep-id [ ttl ttl | fdb <0-1> ] *
    Description: Perform Layer 2 Traceroute for acknowledging faults.

7.5.8 Configuring alarm inhibition (configurable in Y.1731 mode only)

Configure alarm inhibition for the device as below.


Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#cfm md md-name
    Description: Enter the MD view.

Step 3
    Command: Raisecom(config-cfm-md-*)#ma ma-name
    Description: Enter the MA view.

Step 4
    Command: Raisecom(config-cfm-md-*-ma-*)#ais [ mep mep-id ] interval { 1s | 1min | default }
    Description: Configure the interval for the MEP in the current MA to send AIS packets to
        the MEP in the higher-level MA.

Step 5
    Command: Raisecom(config-cfm-md-*-ma-*)#ais [ mep mep-id ] md-level { level | default }
    Description: Configure the level of the AIS packets to be sent by the MEP in the current
        MA.

Step 6
    Command: Raisecom(config-cfm-md-*-ma-*)#ais [ mep mep-id ] priority { priority | default }
    Description: Configure the priority of the AIS packets to be sent by the MEP in the
        current MA.

Step 7
    Command: Raisecom(config-cfm-md-*-ma-*)#ais [ mep mep-id ] enable
    Description: Enable the MEP to send AIS packets.

7.5.9 Configuring the one-way packet loss test (configurable in Y.1731 mode only)

Configure the one-way packet loss test for the device as below.

Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#cfm md md-name
    Description: Enter the MD view.

Step 3
    Command: Raisecom(config-cfm-md-*)#ma ma-name
    Description: Enter the MA view.

Step 4
    Commands:
        Raisecom(config-cfm-md-*-ma-*)#loss-measure mep-id mep-id rmep-id mep-id [ interval { 100ms | 1s } | priority priority | count <1-100> ] *
        Raisecom(config-cfm-md-*-ma-*)#loss-measure mep-id mep-id mac mac-address [ interval { 100ms | 1s } | priority priority | count <1-100> ] *
    Description: Perform the one-way packet loss test to test the one-way lost packets
        between MEPs.

7.5.10 Configuring the round-trip delay test (configurable in Y.1731 mode only)

Configure the round-trip delay test for the device as below.


Step 1
    Command: Raisecom#configure
    Description: Enter global configuration mode.

Step 2
    Command: Raisecom(config)#cfm md md-name
    Description: Enter the MD view.

Step 3
    Command: Raisecom(config-cfm-md-*)#ma ma-name
    Description: Enter the MA view.

Step 4
    Commands:
        Raisecom(config-cfm-md-*-ma-*)#delay-measure mep-id mep-id rmep-id mep-id [ interval { 100ms | 1s } | priority priority | frame-len len | count count ] *
        Raisecom(config-cfm-md-*-ma-*)#delay-measure mep-id mep-id mac mac-address [ interval { 100ms | 1s } | priority priority | frame-len len | count count ] *
    Description: Perform the round-trip delay test to test the delay of packet transmission
        between MEPs.

7.5.11 Checking configurations


Use the following commands to check configuration results.

No.  Command                     Description
1    Raisecom#show cfm config    Show CFM configurations.
2    Raisecom#show cfm md        Show configurations of CFM MDs.
3    Raisecom#show cfm ma        Show configurations of CFM MAs.
4    Raisecom#show cfm mep       Show configurations of CFM MEPs.
5    Raisecom#show cfm rmep      Show configurations of CFM RMEPs.
6    Raisecom#show cfm mip       Show configurations of CFM MIPs.

7.5.12 Example for configuring CFM

Networking requirements
As shown in Figure 7-8:
The network composed of five devices is divided into MD_A and MD_B, of which the MD
levels are 5 and 3 respectively. All interfaces on each device belong to VLAN 100. The MAs
in each MD serve the VLAN. It is assumed that the MAC addresses of Device A to Device E
are 00:03:56:00:00:01, 00:03:56:00:00:02, 00:03:56:00:00:03, 00:03:56:00:00:04, and
00:03:56:00:05 respectively.
The boundary interfaces on MD_A are GE1/0/1 of Device A, GE1/0/3 on Device D, and
GE1/0/4 on Device E. All these interfaces are inward MEPs. The boundary interfaces on
MD_B are GE1/0/3 on Device B and GE1/0/1 on Device D. All these interfaces are outward
MEPs.


Plan the MIP for MD_A on Device B. It is configured only when there is a low-level MEP
on the interface. According to this plan, because the MIP of MD_B is configured on
GE1/0/3 on Device B, use the explicit rule to create the MIPs of MD_A on Device B,
and use the none rule on other devices.
Plan the MIP for MD_B on Device C. It is configured on all its interfaces. According to
this plan, because the MIP of MD_B is configured on Device C, use the default
rule, and use the none rule on other devices.
Use CCM to detect the connection status of MEPs in MD_A and MD_B. When a link fault is
detected, use the loopback function to locate the fault, and use the alarm inhibition function and
Ethernet alarm inhibition function to reduce the number of fault alarms.
After obtaining the status of the entire network, use link tracking, the one-way packet loss test,
and the round-trip delay test to check the individual links.

Figure 7-8 Typical CFM networking

Configuration steps
Step 1 Configure the VLAN and interfaces.
Create VLAN 100 on each device as previously shown. Configure interfaces GE 1/0/1 to GE
1/0/4 to belong to VLAN 100.
Step 2 Enable basic functions of CFM.

DeviceA#configure
DeviceA(config)#cfm start
DeviceA(config)#cfm md MD_A level 5 format none
DeviceA(config-cfm-md-MD_A)#mip create-type none
DeviceA(config-cfm-md-MD_A)#ma 1 format icc 1
DeviceA(config-cfm-md-MD_A-ma-1)#map vlan 100
DeviceA(config-cfm-md-MD_A-ma-1)#mep mep-id 1001 interface ge 1/0/1 inward
DeviceA(config-cfm-md-MD_A-ma-1)#end
DeviceB#configure
DeviceB(config)#cfm start
DeviceB(config)#cfm md MD_A level 5 format none


DeviceB(config-cfm-md-MD_A)#mip create-type explicit


DeviceB(config-cfm-md-MD_A)#ma 1 format icc 1
DeviceB(config-cfm-md-MD_A-ma-1)#map vlan 100
DeviceB(config-cfm-md-MD_A-ma-1)#end
DeviceB#configure
DeviceB(config)#cfm md MD_B level 3 format none
DeviceB(config-cfm-md-MD_B)#ma 2 format icc 2
DeviceB(config-cfm-md-MD_B-ma-2)#map vlan 100
DeviceB(config-cfm-md-MD_B-ma-2)#mep mep-id 2001 interface ge 1/0/3
outward
DeviceB(config-cfm-md-MD_B-ma-2)#end

DeviceC#configure
DeviceC(config)#cfm start
DeviceC(config)#cfm md MD_B level 3 format none
DeviceC(config-cfm-md-MD_B)#ma 2 format icc 2
DeviceC(config-cfm-md-MD_B-ma-2)#map vlan 100
DeviceC(config-cfm-md-MD_B-ma-2)#end

DeviceD#configure
DeviceD(config)#cfm start
DeviceD(config)#cfm md MD_A level 5 format none
DeviceD(config-cfm-md-MD_A)#mip create-type none
DeviceD(config-cfm-md-MD_A)#ma 1 format icc 1
DeviceD(config-cfm-md-MD_A-ma-1)#map vlan 100
DeviceD(config-cfm-md-MD_A-ma-1)#mep mep-id 4002 interface ge 1/0/3
inward
DeviceD(config-cfm-md-MD_A-ma-1)#end
DeviceD#configure
DeviceD(config)#cfm md MD_B level 3 format none
DeviceD(config-cfm-md-MD_B)#mip create-type none
DeviceD(config-cfm-md-MD_B)#ma 2 format icc 2
DeviceD(config-cfm-md-MD_B-ma-2)#map vlan 100
DeviceD(config-cfm-md-MD_B-ma-2)#mep mep-id 4001 interface ge 1/0/1
outward
DeviceD(config-cfm-md-MD_B-ma-2)#end

DeviceE#configure
DeviceE(config)#cfm start
DeviceE(config)#cfm md MD_A level 5 format none
DeviceE(config-cfm-md-MD_A)#mip create-type none
DeviceE(config-cfm-md-MD_A)#ma 1 format icc 1
DeviceE(config-cfm-md-MD_A-ma-1)#map vlan 100
DeviceE(config-cfm-md-MD_A-ma-1)#mep mep-id 5001 interface ge 1/0/4
inward
DeviceE(config-cfm-md-MD_A-ma-1)#end

Step 3 Configure CCM.

DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#ccm-send mep-id 1001 enable
DeviceA(config-cfm-md-MD_A-ma-1)#end

DeviceB#configure
DeviceB(config)#cfm md MD_B
DeviceB(config-cfm-md-MD_B)#ma 2
DeviceB(config-cfm-md-MD_B-ma-2)#ccm-send mep-id 2001 enable
DeviceB(config-cfm-md-MD_B-ma-2)#end

DeviceD#configure
DeviceD(config)#cfm md MD_A
DeviceD(config-cfm-md-MD_A)#ma 1
DeviceD(config-cfm-md-MD_A-ma-1)#ccm-send mep-id 4002 enable
DeviceD(config-cfm-md-MD_A-ma-1)#end
DeviceD#configure
DeviceD(config)#cfm md MD_B
DeviceD(config-cfm-md-MD_B)#ma 2
DeviceD(config-cfm-md-MD_B-ma-2)#ccm-send mep-id 4001 enable
DeviceD(config-cfm-md-MD_B-ma-2)#end

DeviceE#configure
DeviceE(config)#cfm md MD_A
DeviceE(config-cfm-md-MD_A)#ma 1
DeviceE(config-cfm-md-MD_A-ma-1)#ccm-send mep-id 5001 enable
DeviceE(config-cfm-md-MD_A-ma-1)#end

Step 4 Verify loopback.


Enable loopback on Device A. Check the link status from MEP 1001 to MEP 5001 in MA 1.

DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#ping mep-id 1001 rmep-id 5001 count 5 tlv-type null tlv-len 50 priority 0

Pinging 00-03-56-00-00-05 with tlv len 50 of data:


Reply from 00-03-56-00-00-05: bytes=59 time=2ms
Reply from 00-03-56-00-00-05: bytes=59 time=3ms
Reply from 00-03-56-00-00-05: bytes=59 time=2ms
Reply from 00-03-56-00-00-05: bytes=59 time=3ms
Reply from 00-03-56-00-00-05: bytes=59 time=2ms

Packets: Sent = 5, Received = 5, Lost = 0 <0.00% loss>


Minimum = 2ms, Maximum = 3ms, Average = 2ms

Step 5 Verify linktrace.


Trace the path from MEP 1001 to MEP 5001 in MA 1 on Device A.

DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#trace mep-id 1001 rmep-id 5001 ttl 16 fdb 0

Tracing the route to 00-03-56-00-00-05 over a maximum of 16 hops:


Hop-Num TTL MAC Last-MAC Ismep Relay Action
1 15 0003:5600:0005 0003:5600:0001 IsMep Hit

Step 6 Perform the one-way packet loss test.


Perform the one-way packet loss test from MEP 1001 to MEP 4002 in MA 1 on Device A.

DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#loss-measure mep-id 1001 rmep-id 4002 interval 1s priority 0 count 5
Info: Single-ended loss measurement will take some time.

Single-ended loss measurement statistics for remote mep 4002 in md MD_A ma 1:
Packets: Sent = 5, Received = 5, Lost = 0
Far-end frame loss rate : Minimum = 0%, Maximum = 0%, Average = 0%
Near-end frame loss rate: Minimum = 0%, Maximum = 0%, Average = 0%

Step 7 Perform the round-trip delay test.


Perform the round-trip delay test from MEP 1001 to MEP 4002 in MA 1 on Device A.

DeviceA#configure
DeviceA(config)#cfm md MD_A
DeviceA(config-cfm-md-MD_A)#ma 1
DeviceA(config-cfm-md-MD_A-ma-1)#delay-measure mep-id 1001 rmep-id 4002 interval 1s priority 0 frame-len 64 count 5
Info: Two-way delay measurement will take some time.

Two-way delay measurement statistics for remote mep 4002 in md MD_A ma 1:

Packets: Sent = 5, Received = 5, Lost = 0
Delay Time : Minimum = 1396455us, Maximum = 2219010us, Average = 1785922us
Delay variation: Minimum = 146221us, Maximum = 707088us, Average = 436789us

Checking results
Use the show cfm config command to show CFM configurations.


DeviceA#show cfm config


!
cfm start
cfm md MD_A level 5 format none
mip create-type none
ma 1 format icc 1
map vlan 100
mep mep-id 1001 interface ge 1/0/1 inward
ccm send mep-id 1001 enable


8 Security

This chapter describes basic principles and configuration procedures for security, and
provides related configuration examples, including the following sections.
• ACL
• AAA
• 802.1x
• Port security MAC
• PPPoE+
• Storm suppression
• ARP attack protection
• ND Snooping
• DHCP Snooping
• IP Source Guard
• CPU attack protection
• MAC address authentication
• DOS attack prevention

8.1 ACL
8.1.1 Introduction
An Access Control List (ACL) is a set of ordered rules that controls which data packets the
device receives or refuses.
You need to configure rules on the network to prevent illegal packets from affecting network
performance and to determine which packets are allowed to pass. These rules are defined by ACLs.
An ACL is a series of rules composed of permit | deny statements. The rules are described
according to the source address, destination address, and port number of data packets. The device
receives or rejects packets according to the rules.
A management ACL is a collection of ordered software rules that controls whether the device
accepts or rejects access from certain IP addresses. It works at the application layer of the
network.
To control illegal IP access (telnet, SSH, FTP, web, and so on) on the network, configure a
series of rules on the device to determine the IP addresses that can pass and the IP addresses
that cannot pass. These rules are defined by management ACLs.

8.1.2 Preparing for configurations

Scenario
ACL helps a network device recognize and filter data packets. The device recognizes special
objects and then permits or denies packets according to the configured policy. The
discarding action includes sending packets to the CPU. When the ACL denies a destination
MAC address, the source MAC address of the corresponding packet will not be learnt and
shown.
• L2 ACL: define classification rules according to attributes carried in the header of Layer
2 frames, such as the source MAC address, destination MAC address, and Layer 2
protocol type. When ACL denies packets with a destination MAC address, the device
will not learn and show the source MAC address.
• IPv4 ACL: define classification rules according to attributes carried in the header of IP
packets, such as the source IP address, destination IP address, bearing protocol type, and
TCP or UDP port number (being 0 by default).
• IPv6 ACL: define classification rules according to attributes carried in the header of IP
packets, such as the source IPv6 address, destination IPv6 address, IPv6 bearing protocol
type, and TCP or UDP port number (being 0 by default).
• Hybrid ACL: define classification rules according to attributes carried in the header of
Layer 2 frames, such as the source MAC address and destination MAC address, and
attributes carried in the header of IP packets, such as the source IP address and
destination IP address.
• User defined ACL: use the header of the packet as a benchmark to specify the number of
bytes from which the AND operation is performed with the mask. The string extracted
from the packet can be compared with the user-defined string to find a matching packet.
The user defined ACL supports matching any field in the first 64 bytes of the
Ethernet frame.
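The user defined ACL match described above, modelled in Python as an added example (not Raisecom code): the bytes at a fixed offset from the start of the frame are ANDed with the mask and compared with the user-defined string. The class and function names, the sample frames and the DHCP rule are assumptions constructed for this illustration.

```python
import struct
from dataclasses import dataclass

MATCH_WINDOW = 64  # the guide: any field in the first 64 bytes of the Ethernet frame


@dataclass(frozen=True)
class MaskedField:
    """Bytes at `offset` (counted from the frame start), ANDed with `mask`, equal `value`."""
    offset: int
    mask: bytes
    value: bytes

    def __post_init__(self):
        if not self.mask or len(self.mask) != len(self.value):
            raise ValueError("mask and value must be non-empty and of equal length")
        if self.offset < 0 or self.offset + len(self.mask) > MATCH_WINDOW:
            raise ValueError("field must lie inside the first 64 bytes of the frame")

    def matches(self, frame: bytes) -> bool:
        field = frame[self.offset:self.offset + len(self.mask)]
        if len(field) < len(self.mask):  # frame too short to contain the field
            return False
        return all((f & m) == (v & m) for f, m, v in zip(field, self.mask, self.value))


def rule_matches(fields, frame: bytes) -> bool:
    """A rule hits only when every one of its masked fields matches."""
    return all(field.matches(frame) for field in fields)


def udp_frame(dst_port: int, vlan=None) -> bytes:
    """Constructed sample: Ethernet II / optional 802.1Q tag / IPv4 (no options) / UDP."""
    macs = bytes.fromhex("000356000005") + bytes.fromhex("000356000001")
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 68, dst_port, 8, 0)
    return (macs + tag + struct.pack("!H", 0x0800) + ipv4 + udp).ljust(60, b"\x00")


def dhcp_to_server_rule(shift: int = 0):
    """EtherType IPv4, IP protocol UDP, UDP destination port 67; `shift` moves all offsets."""
    return [MaskedField(12 + shift, b"\xff\xff", b"\x08\x00"),
            MaskedField(23 + shift, b"\xff", b"\x11"),
            MaskedField(36 + shift, b"\xff\xff", b"\x00\x43")]


UNTAGGED_RULE = dhcp_to_server_rule()
TAGGED_RULE = dhcp_to_server_rule(shift=4)        # one 802.1Q tag adds 4 bytes
IPV4_ANY_IHL = MaskedField(14, b"\xf0", b"\x40")  # mask keeps only the version nibble

if __name__ == "__main__":
    for label, frame in (("untagged", udp_frame(67)), ("VLAN 100", udp_frame(67, vlan=100))):
        print(label, "untagged rule:", rule_matches(UNTAGGED_RULE, frame),
              "tagged rule:", rule_matches(TAGGED_RULE, frame))
```

Offsets are counted from the first byte of the frame, so a tagged port needs the shifted rule; check each rule against frames captured on the port it will be applied to.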
There are 4 ACL modes according to different application environments:
• ACL based on ingress or egress direction of the interface
• ACL based on ingress or egress direction of the VLAN

Prerequisite
N/A

8.1.3 Configuring the ACL


Configure ACL for the device as below. Steps 3–7 are optional.

Step Command Description

1 Raisecom#configure Enter global configuration mode.
2 Raisecom(config)#management-acl { start | stop } Enable or disable management ACL.
3 Raisecom(config)#management-acl src-ip source-ip/mask protocol { telnet | ssh | ftp | tftp | http } action { permit | deny } Configure the management ACL rule.
4 Raisecom(config)#no management-acl src-ip source-ip/mask protocol { telnet | ssh | ftp | tftp | http } Delete the management ACL rule.
5 Raisecom#show management-acl Show the management ACL rule.

8.1.4 Configuring the ACL


Configure ACL for the device as below. Steps 3–7 are optional.

Step Command Description

1 Raisecom#configure Enter global configuration mode.
2 Raisecom(config)#acl-l2 acl-number [ name acl-name ] Create an ACL, and enter ACL configuration mode.
Raisecom(config)#acl-ipv4 acl-number [ name acl-name ]
Raisecom(config)#acl-ipv6 acl-number [ name acl-name ]
Raisecom(config)#acl-hybrid acl-number [ name acl-name ]
Raisecom(config)#acl-userdefined acl-number [ name acl-name ]
• When the ACL number is 1–1000, this configuration enters basic MAC ACL configuration mode.
• When the ACL number is 1001–2000, this configuration enters basic IPv4 ACL configuration mode.
• When the ACL number is 2001–3000, this configuration enters extended hybrid ACL configuration mode.
• When the ACL number is 3001–4000, this configuration enters IPv6 ACL configuration mode.
• When the ACL number is 5001–6000, this configuration enters user defined ACL configuration mode.

3 Raisecom(configure-acl-ipv4-*)#rule rule-id src-ip ip-address dst-ip ip-address [dscp dscp-value | tos tos-value | ttl ttl-value | precedence precedence-value | fragment | proto-type proto-type-value ] Configure the matching rules for IP ACL.
Raisecom(configure-acl-ipv4-*)#rule rule-id arp { request | response | any } src-ip { ip-address/ip-address-mask | ip-address/ip-address-masklength | any } dst-ip { ip-address/ip-address-mask | ip-address/ip-address-masklength | any }
Raisecom(configure-acl-ipv4-*)#rule rule-id action { 8021p 8021p-value | cos cos-value | counter counter-id | cpu | deny | dscp dscp-value | insert-inner-vid vlan-id | insert-outer-id vlan-id | mirror group group-id | permit | precedence precedence-value | redirect interface-type interface-number | replace-inner-vid vlan-id | replace-outer-vid vlan-id | tos tos-value }
Raisecom(configure-acl-ipv4-*)#rule rule-id cir { gbps | kbps | mbps } value outaction drop
Raisecom(configure-acl-ipv4-*)#rule rule-id meter meter-id outaction { red-drop [ yellow-drop ] | yellow-drop [ red-drop ] }
Raisecom(configure-acl-ipv4-*)#rule rule-id time-range index
Raisecom(configure-acl-ipv4-*)#rule rule-id icmp src-ip ip-address dst-ip ip-address icmp-type icmp-type icmp-code icmp-code [fragment]
Raisecom(configure-acl-ipv4-*)#rule rule-id tcp src-ip ip-address src-port port dst-ip ip-address dst-port port { syn|synack|ack|fin } [fragment]
Raisecom(configure-acl-ipv4-*)#rule rule-id igmp src-ip ip-address dst-ip ip-address [fragment]
Raisecom(configure-acl-ipv4-*)#rule rule-id udp src-ip ip-address src-port port dst-ip ip-address dst-port port [fragment]

4 Raisecom(configure-acl-l2-*)#rule rule-id src-mac mac-address dst-mac mac-address [ outer-vlan vlan 8021p 8021p-value | inner-vlan vlan 8021p 8021p-value ] Configure the matching rules for MAC ACL.
Raisecom(configure-acl-l2-*)#rule rule-id src-mac mac-address dst-mac mac-address eth-type { ip|arp|<0x0600-0xfffe> }
Raisecom(configure-acl-l2-*)#rule rule-id src-mac mac-addr dst-mac mac-address {inner-vlan|outer-vlan} vlan-id 8021p cos
Raisecom(configure-acl-l2-*)#rule rule-id action { 8021p 8021p-value | cos cos-value | counter counter-id | cpu | deny | dscp dscp-value | insert-inner-vid vlan-id | insert-outer-id vlan-id | mirror group group-id | permit | precedence precedence-value | redirect interface-type interface-number | replace-inner-vid vlan-id | replace-outer-vid vlan-id | tos tos-value }
Raisecom(configure-acl-l2-*)#rule rule-id cir { gbps | kbps | mbps } value outaction drop
Raisecom(configure-acl-l2-*)#rule rule-id meter meter-id outaction { red-drop [ yellow-drop ] | yellow-drop [ red-drop ] }
Raisecom(configure-acl-l2-*)#rule rule-id time-range index

5 Raisecom(configure-acl-ipv6-*)#rule rule-id src-ip ipv6-address dst-ip ipv6-address [ hop-limit hop-limit-value | next-header next-header-value | traffic-class traffic-class-value ] Configure the matching rule for IPv6 ACL.
Raisecom(configure-acl-ipv6-*)#rule rule-id tcp src-ip ipv6-address src-port port dst-ip ipv6-address dst-port port [ syn|synack|ack|fin | fragment ]
Raisecom(configure-acl-ipv6-*)#rule rule-id udp src-ip ipv6-address src-port port dst-ip ipv6-address dst-port port [ fragment ]
Raisecom(configure-acl-ipv6-*)#rule rule-id icmp src-ip { ipv6-address | any } dst-ip { ipv6-address | any } icmp-type icmp-type icmp-code icmp-code [fragment]
Raisecom(configure-acl-ipv6-*)#rule rule-id igmp src-ip { ipv6-address | any } dst-ip { ipv6-address | any } [fragment]
Raisecom(configure-acl-ipv6-*)#rule rule-id action { 8021p 8021p-value | cos cos-value | counter counter-id | cpu | deny | dscp dscp-value | insert-inner-vid vlan-id | insert-outer-id vlan-id | mirror group group-id | permit | precedence precedence-value | redirect interface-type interface-number | replace-inner-vid vlan-id | replace-outer-vid vlan-id | tos tos-value }
Raisecom(configure-acl-ipv6-*)#rule rule-id cir { gbps | kbps | mbps } value outaction drop
Raisecom(configure-acl-ipv6-*)#rule rule-id meter meter-id outaction { red-drop [ yellow-drop ] | yellow-drop [ red-drop ] }
Raisecom(configure-acl-ipv6-*)#rule rule-id time-range index

6 Raisecom(configure-acl-hybrid-*)#rule rule-id action { 8021p 8021p-value | cos cos-value | counter counter-id | cpu | deny | dscp dscp-value | insert-inner-vid vlan-id | insert-outer-id vlan-id | mirror group group-id | permit | precedence precedence-value | redirect interface-type interface-number | replace-inner-vid vlan-id | replace-outer-vid vlan-id | tos tos-value } Configure the matching rule for hybrid ACL.
Raisecom(configure-acl-hybrid-*)#rule rule-id arp { request | response | any } src-ip { ip-address/ip-address-mask | ip-address/ip-address-masklength | any } dst-ip { ip-address/ip-address-mask | ip-address/ip-address-masklength | any }
Raisecom(configure-acl-hybrid-*)#rule rule-id cir { gbps | kbps | mbps } value outaction drop
Raisecom(configure-acl-hybrid-*)#rule rule-id icmp src-ip ip-address dst-ip ip-address icmp-type icmp-type icmp-code icmp-code [fragment]
Raisecom(configure-acl-hybrid-*)#rule rule-id igmp src-ip ip-address dst-ip ip-address [fragment]
Raisecom(configure-acl-hybrid-*)#rule rule-id meter meter-id outaction { red-drop [ yellow-drop ] | yellow-drop [ red-drop ] }
Raisecom(configure-acl-hybrid-*)#rule rule-id src-ip ip-address dst-ip ip-address [dscp dscp-value | tos tos-value | ttl ttl-value | precedence precedence-value | fragment | proto-type proto-type-value ]
Raisecom(configure-acl-hybrid-*)#rule rule-id src-mac mac-address dst-mac mac-address eth-type {<0x0600-0xfffe> | arp | ip | any } outer-vlan vlan-id 8021p dot1p-value inner-vlan inner-vlan-id 8021p dot1p-value src-ip src-ip-address dst-ip dst-ip-address proto-type { { value | any } | { tcp | udp } src-port { source-number | any } dst-port { destination-number | any } }
Raisecom(configure-acl-hybrid-*)#rule rule-id src-mac mac-address dst-mac mac-address inner-vlan { inner-vlan-id | any } 8021p { dot1p-value | any }
Raisecom(configure-acl-hybrid-*)#rule rule-id src-mac mac-address dst-mac mac-address outer-vlan { outer-vlan-id | any } 8021p { dot1p-value | any } [ inner-vlan { inner-vlan-id | any } 8021p { dot1p-value | any } ]
Raisecom(configure-acl-hybrid-*)#rule rule-id tcp src-ip ip-address src-port port dst-ip ip-address dst-port port [ { syn|synack|ack|fin } [fragment] ]
Raisecom(configure-acl-hybrid-*)#rule
7 Raisecom(configure-acl-userdefined-*)#rule rule-id action { 8021p 8021p-value | cos cos-value | counter counter-id | cpu | deny | dscp dscp-value | insert-inner-vid vlan-id | insert-outer-id vlan-id | mirror group group-id | permit | precedence precedence-value | redirect interface-type interface-number | replace-inner-vid vlan-id | replace-outer-vid vlan-id | tos tos-value } Configure the action for user defined ACL.
Raisecom(configure-acl-userdefined-*)#rule rule-id cir { gbps | kbps | mbps } value outaction drop
Raisecom(configure-acl-userdefined-*)#rule rule-id meter meter-id outaction { red-drop [ yellow-drop ] | yellow-drop [ red-drop ] }
Raisecom(configure-acl-ipv4-*)#rule rule-id time-range index
7 Raisecom(configure-acl-ipv4-*)#rule rule-id action { permit | deny | mirror | redirect | counter } Configure the action for basic IP ACL.

8.1.5 Applying the ACL


Apply the ACL for the device as below.

Step Command Description


1 Raisecom#configure Enter global configuration mode.
2 Raisecom(config)#interface interface-type interface-number Enter physical interface configuration mode, or VLAN configuration mode. Take physical interface configuration mode for example.
3 Raisecom(config-ge-1/0/*)#acl-l2 { in | out } acl-num Apply ACL to the interface.
Raisecom(config-ge-1/0/*)#acl-l2 { in | out } name Apply ACL to the interface.
4 Raisecom(config-ge-1/0/*)#exit Return to global configuration mode.

8.1.6 Configuring statistics


Configure statistics for the device as below.

Step Command Description


1 Raisecom#configure Enter global configuration mode.

2 Raisecom(config)#counter counter-id { packet | byte | all } sort { green | greenred | greenyellow | red | redyellow | total } Create a statistic rule.
3 Raisecom(configure-acl-l2-*)#rule rule-id action counter counter-id Apply the statistic rule to the ACL.

8.1.7 Configuring rate limiting


Configure rate limiting for the device as below.

Step Command Description


1 Raisecom#configure Enter global configuration mode.
2 Raisecom(config)#meter <1-128> pps <1-1000000> color { aware | blind } Create a rate limiting profile based on the number of packets.
3 Raisecom(config)#meter <1-128> cir { kbps | mbps | gbps } cir-value cbs { bytes | kbytes | mbytes } cbs-value ebs { bytes | kbytes | mbytes } ebs-value color { aware | blind } Create a single-rate three-color rate limiting profile.
4 Raisecom(config)#meter <1-128> cir { kbps | mbps | gbps } cir-value cbs { bytes | kbytes | mbytes } cbs-value pir { kbps | mbps | gbps } pir-value pbs { bytes | kbytes | mbytes } pbs-value color { aware | blind } Create a dual-rate three-color rate limiting profile.
5 Raisecom(configure-acl-l2-*)#rule rule-id meter meter-id outaction { red-drop | yellow-drop } Apply the rate limiting profile to the ACL.

8.1.8 Configuring the time range


Configure the time range for the device as below.

Step Command Description


1 Raisecom#configure Enter global configuration mode.
2 Raisecom(config)#time-range list id Create a time range.
3 Raisecom(config-timerange-*)#time-range timerange-id absolute from <0-23>:<0-59>:<0-59> <2001-2036>/<1-12>/<1-31> to <0-23>:<0-59>:<0-59> <2001-2036>/<1-12>/<1-31> Create a time range, and apply it to the ACL rule.
Raisecom(config-timerange-*)#time-range timerange-id everyhour <0-59>:<0-59> to <0-59>:<0-59>
Raisecom(config-timerange-*)#time-range timerange-id everyday <0-23>:<0-59>:<0-59> to <0-23>:<0-59>:<0-59>
Raisecom(config-timerange-*)#time-range timerange-id everyweek <0-23>:<0-59>:<0-59> { mon | tue | wed | thu | fri | sat | sun } to <0-23>:<0-59>:<0-59> { mon | tue | wed | thu | fri | sat | sun }
Raisecom(config-timerange-*)#time-range timerange-id everymonth <0-23>:<0-59>:<0-59> <1-31> to <0-23>:<0-59>:<0-59> <1-31>
Raisecom(config-timerange-*)#time-range timerange-id everyweekend <0-23>:<0-59>:<0-59> to <0-23>:<0-59>:<0-59>
Raisecom(config-timerange-*)#time-range timerange-id everyyear <0-23>:<0-59>:<0-59> <1-12>/<1-31> to <0-23>:<0-59>:<0-59> <1-12>/<1-31>
4 Raisecom(configure-acl-l2-*)#rule rule-id time-range timerange-list-id Apply the time range to the ACL.

8.1.9 Checking configurations


Use the following commands to check configuration results.

No. Command Description


1 Raisecom#show acl config Show ACL configurations.
2 Raisecom#show acl interface Show ACL configurations on the interface.
3 Raisecom#show acl statistics Show ACL statistics.
4 Raisecom#show time-range list Show period configurations.


8.1.10 Maintenance
Maintain the device as below.

Command Description
Raisecom(config)#reset acl statistics [ acl acl-id | rule rule-id | direction { in | out } ] Clear statistics on global ACL.
Raisecom(config)#reset acl statistics interface interface-type interface-number [ acl acl-id | rule rule-id | direction { in | out } ] Clear statistics on interface ACL.

8.1.11 Example for configuring ACL

Networking requirement 1
As shown in the figure below, the network requirements are as follows:
• Deny Internet access from switch A between 00:00 and 08:00 every day.
• Limit the rate for accessing the Internet from switch A between 08:00 and 12:00 every
day to 10000 pps.

Figure 8-1 ACL networking

Configuration steps
Step 1 Configure the time range.

Raisecom#configure
Raisecom(config)#time-range list 1
Raisecom(config-timerange-1)#time-range 1 everyday 00:00:00 to 08:00:00
Raisecom(config-timerange-1)#configure
Raisecom(config)#time-range list 2
Raisecom(config-timerange-2)#time-range 1 everyday 08:00:00 to 12:00:00

Step 2 Configure the meter.


Raisecom#configure
Raisecom(config)#meter 1 pps 10000 color blind

Step 3 Configure the ACL rule and action.

Raisecom#configure
Raisecom(config)#acl-l2 1 name test
Raisecom(configure-acl-l2-1)#rule 1 src-mac any dst-mac any
Raisecom(configure-acl-l2-1)#rule 1 time-range 1
Raisecom(configure-acl-l2-1)#rule 1 action deny
Raisecom(configure-acl-l2-1)#rule 2 src-mac any dst-mac any
Raisecom(configure-acl-l2-1)#rule 2 time-range 2
Raisecom(configure-acl-l2-1)#rule 2 meter 1 outaction red-drop yellow-drop

Step 4 Apply the ACL to the interface.

Raisecom#configure
Raisecom(config)#interface ge 1/0/1 to ge 1/0/2
Raisecom(config-ge-1/0/1->ge-1/0/2)#acl-l2 in 1

Checking results

Raisecom#show acl config


!
acl-l2 1 name test
rule 1 src-mac any dst-mac any
rule 1 time-range 1
rule 1 action deny
rule 2 src-mac any dst-mac any
rule 2 time-range 2
rule 2 meter 1 outaction red-drop yellow-drop
!
interface ge 1/0/1
acl-l2 in name test
!
interface ge 1/0/2
acl-l2 in name test

Networking requirement 2
The network requirements are as follows:
• The customer wants to classify traffic of different interfaces, VLANs, and 802.1p
priorities on switch A, and execute different actions accordingly.
• Modify the DSCP of traffic from GE 1/0/1 to 46.
• Modify the 802.1p of traffic of VLAN 100 from GE 1/0/2 to 7.

Configuration steps
Step 1 Configure the ACL rule and action.

Raisecom#configure
Raisecom(config)#acl-l2 1 name test
Raisecom(configure-acl-l2-1)#rule 1 src-mac any dst-mac any
Raisecom(configure-acl-l2-1)#rule 1 action dscp 46
Raisecom(configure-acl-l2-1)#configure
Raisecom(config)#acl-l2 2 name test2
Raisecom(configure-acl-l2-2)#rule 1 src-mac any dst-mac any outer-vlan 100 8021p any
Raisecom(configure-acl-l2-2)#rule 1 action 8021p 7

Step 2 Apply the ACL to the interface.

Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#acl-l2 in 1
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#acl-l2 in 2

Checking results

Raisecom#show acl config


!
acl-l2 1 name test
rule 1 src-mac any dst-mac any
rule 1 action dscp 46
acl-l2 2 name test2
rule 1 src-mac any dst-mac any outer-vlan 100 8021p any
rule 1 action 8021p 7
!
interface ge 1/0/1
acl-l2 in name test
!
interface ge 1/0/2
acl-l2 in name test2
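
An offline consistency check for the show acl config output shown above, as an added Python example that is not part of the Raisecom guide. It assumes the flat line layout printed in the two results above (an ACL applied by number is listed by name); the function names and the second sample are constructed for this illustration.

```python
import re

ACL_TYPES = r"acl-(?:l2|ipv4|ipv6|hybrid|userdefined)"
ACL_RE = re.compile(rf"^({ACL_TYPES}) (\d+)(?: name (\S+))?$")
BIND_RE = re.compile(rf"^({ACL_TYPES}) (in|out) (?:name (\S+)|(\d+))$")
RULE_RE = re.compile(r"^rule (\d+) (\S+)")
ENFORCING = {"action", "meter", "cir"}  # clause keywords that make a rule do something


def parse_acl_config(text):
    """Parse show acl config style text into (acls, bindings)."""
    acls, bindings, acl, iface = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if m := ACL_RE.match(line):
            # A new ACL may start without a "!" separator, as in the second result above.
            acl, iface = {"type": m[1], "number": m[2], "name": m[3], "rules": {}}, None
            acls.append(acl)
        elif line.startswith("interface "):
            iface, acl = line[len("interface "):], None
        elif iface and (m := BIND_RE.match(line)):
            key, ref = ("name", m[3]) if m[3] else ("number", m[4])
            bindings.append({"iface": iface, "type": m[1], "dir": m[2], "key": key, "ref": ref})
        elif acl is not None and (m := RULE_RE.match(line)):
            # One rule is printed as several lines that share the same rule id.
            acl["rules"].setdefault(int(m[1]), set()).add(m[2])
    return acls, bindings


def audit_acl_config(text):
    """Return human-readable findings; an empty list means the checks passed."""
    acls, bindings = parse_acl_config(text)
    findings, applied = [], set()
    for b in bindings:
        target = next((a for a in acls
                       if a["type"] == b["type"] and a[b["key"]] == b["ref"]), None)
        if target is None:
            findings.append(f"interface {b['iface']}: {b['type']} {b['dir']} "
                            f"references undefined ACL {b['key']} {b['ref']}")
        else:
            applied.add((target["type"], target["number"]))
    for a in acls:
        label = f"{a['type']} {a['number']}"
        if (a["type"], a["number"]) not in applied:
            findings.append(f"{label}: defined but not applied to any interface")
        for rule_id in sorted(a["rules"]):
            if not a["rules"][rule_id] & ENFORCING:
                findings.append(f"{label} rule {rule_id}: match without action, meter or cir")
    return findings


# Output of the second example above, as printed under "Checking results".
PAGE_SAMPLE = """\
!
acl-l2 1 name test
rule 1 src-mac any dst-mac any
rule 1 action dscp 46
acl-l2 2 name test2
rule 1 src-mac any dst-mac any outer-vlan 100 8021p any
rule 1 action 8021p 7
!
interface ge 1/0/1
acl-l2 in name test
!
interface ge 1/0/2
acl-l2 in name test2
"""

# Constructed sample: misspelled ACL name in the binding, a rule without action, an unused ACL.
DRIFTED_SAMPLE = """\
!
acl-l2 1 name test
rule 1 src-mac any dst-mac any
rule 1 action deny
rule 2 src-mac any dst-mac any
acl-l2 2 name spare
rule 1 src-mac any dst-mac any
rule 1 action permit
!
interface ge 1/0/1
acl-l2 in name tset
"""

if __name__ == "__main__":
    for finding in audit_acl_config(DRIFTED_SAMPLE):
        print(finding)
```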


8.2 AAA
8.2.1 Introduction

AAA
Authentication, Authorization, and Accounting (AAA) is a management mechanism for
network security. AAA adopts a client/server structure and provides three security functions:
authentication, authorization, and accounting.
• Authentication: confirm the identity of the remote user accessing the network, and
determine whether the visitor is a legitimate network user.
• Authorization: grant different permissions to different users to limit the services that
users can use. For example, the administrator authorizes office users to access and print
files on the server, but other temporary visitors do not have this permission.
• Accounting: record all operations during the user's use of network services, including the
type of service used, starting time, and data flow, to collect and record the user's use of
network resources, and implement the accounting for time and traffic. It also has a
monitoring effect on the network.
AAA adopts a client/server structure. The client runs on the NAS (Network Access Server),
which is responsible for verifying user identity and managing user access. The server centrally
manages user information.
AAA can be implemented through multiple protocols that specify how user information is
communicated between the NAS and the server. Currently, the device supports the Remote
Authentication Dial-In User Service (RADIUS) protocol and Terminal Access Controller
Access Control System (TACACS+).

RADIUS
Remote Authentication Dial In User Service (RADIUS) is a standard communication protocol
that provides centralized authentication of remote access users. RADIUS uses UDP as the
transmission protocol (port 1812 and port 1813), which offers good real-time performance. At the
same time, RADIUS features good reliability by supporting a retransmission mechanism and a
standby server mechanism.
• RADIUS authentication
RADIUS adopts client/server mode. The network access device acts as a client of the RADIUS
server. The RADIUS server receives user connection requests, authenticates users, and replies
with the configurations needed to provide services. In this way, RADIUS can control user
access to devices and the network, thus improving network security.
Communication between clients and the RADIUS server is authenticated by the shared key,
which is not transmitted on the network. In addition, any user password transmitted
between clients and the RADIUS server must be encrypted to prevent it from being intercepted
by sniffing on an insecure network.
• RADIUS accounting
RADIUS accounting is used on users that have passed RADIUS authentication. When a user
logs in, the device sends an Account-Start packet to the RADIUS accounting server. While the
user is logged in, the device sends Account-Update packets to the RADIUS accounting server
according to the accounting policy. When the user logs off, the device sends an Account-Stop
packet, which contains user online time, to the RADIUS accounting server. The RADIUS
accounting server can record the access time and operations of each user through these
packets.

TACACS+
Terminal Access Controller Access Control System (TACACS+) is a network access
authentication protocol similar to RADIUS. The differences between them are:
• TACACS+ uses TCP port 49, which has higher transmission reliability compared with the
UDP port used by RADIUS.
• TACACS+ encrypts the whole packet except the standard TACACS+ header, and a field in the
header shows whether the packet is encrypted. Compared with the user password
encryption of RADIUS, TACACS+ is much safer.
• The TACACS+ authentication function is separated from the authorization and accounting
functions, so it is more flexible in deployment.
In short, TACACS+ is safer and more reliable than RADIUS; however, as an open protocol,
RADIUS is more widely used.
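
What each protocol protects on the wire, as an added Python example (not Raisecom code) for the RADIUS and TACACS+ descriptions above: RADIUS hides only the User-Password attribute as specified in RFC 2865, while TACACS+ obfuscates the whole body behind a cleartext header whose flag byte says whether the body is protected, as specified in RFC 8907. The user name, password, shared key and session ID are constructed sample values.

```python
import hashlib
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128 or len(request_auth) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def radius_recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same MD5 chain, keyed by the secret that never crosses the wire."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        clear += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def radius_access_request(user, password, secret, ident, request_auth) -> bytes:
    """Access-Request (code 1): User-Name (type 1) sent as is, User-Password (type 2) hidden."""
    hidden = radius_hide_password(password, secret, request_auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs


TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: when set, the body is cleartext


def tacacs_pad(length: int, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """RFC 8907 pad: MD5 chain over session_id, key, version, seq_no, previous hash."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(base + last).digest()
        pad += last
    return pad[:length]


def tacacs_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                  flags: int = 0, pkt_type: int = 1, version: int = 0xC1) -> bytes:
    """12-byte cleartext header, then the whole body XORed with the pad.

    Defaults: authentication packet, major version 0xC with minor version 1 (PAP login).
    """
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + _xor(body, tacacs_pad(len(body), session_id, key, version, seq_no))


def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """Receiver side: read the header flag, then undo the pad if the body is obfuscated."""
    version, _type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    data = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return data
    return _xor(data, tacacs_pad(length, session_id, key, version, seq_no))


def pap_start_body(user: bytes, password: bytes, port: bytes = b"vty0") -> bytes:
    """Authentication START body for a PAP login: fixed fields, then user, port, data."""
    fixed = bytes([1, 1, 2, 1, len(user), len(port), 0, len(password)])
    return fixed + user + port + password


# Constructed sample values, not taken from any real deployment.
USER, PASSWORD, SECRET = b"alice", b"correct horse battery", b"constructed-shared-key"
REQUEST_AUTH = bytes(range(16))
RADIUS_PKT = radius_access_request(USER, PASSWORD, SECRET, 7, REQUEST_AUTH)
TACACS_PKT = tacacs_packet(pap_start_body(USER, PASSWORD), SECRET, session_id=0x1234ABCD)

if __name__ == "__main__":
    for name, payload in (("RADIUS", RADIUS_PKT), ("TACACS+", TACACS_PKT[12:])):
        print(f"{name:8} user visible: {USER in payload}, "
              f"password visible: {PASSWORD in payload}")
```

Both protections are MD5-derived pads keyed by the shared secret, so they are only as strong as that key.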

8.2.2 Preparing for configurations

Scenario
To control users' access to devices and the network, you can deploy a RADIUS/TACACS+
server to authenticate users and perform accounting for them. The device can work as an agent
of the RADIUS/TACACS+ server, and authorize users with access rights according to the
response from the RADIUS/TACACS+ server. TACACS+ is more secure and reliable than RADIUS.

Prerequisite
N/A

8.2.3 Default configurations of AAA


Function Default value
Response timeout time of the RADIUS authentication server 60s
Times for retransmitting RADIUS packets 3
Interval for retransmitting RADIUS packets 2s
Response timeout time of the TACACS+ authentication server 60s
TCP connection timeout time and packet receiving timeout time of the TACACS+ authentication server 2s


8.2.4 Configuring the RADIUS server


Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#aaa    Enter AAA configuration mode.
3    Raisecom(config-aaa)#radius-server deadtime { second | default }    Configure the response timeout time of the RADIUS authentication server, ranging from 3 to 4294967290, in units of second, being 60 by default.
4    Raisecom(config-aaa)#radius-server max-retransmit { count | default }    Configure the times for retransmitting RADIUS packets, ranging from 1 to 5, being 3 by default.
5    Raisecom(config-aaa)#radius-server retransmit-interval { interval | default }    Configure the global interval for retransmitting RADIUS packets, ranging from 1 to 10, being 2s by default.
6    Raisecom(config-aaa)#radius-server host server-name ip-address ip-address key key [ acct-port port-id | auth-port port-id | deadtime { second | default } | max-retransmit { count | default } | retransmit-interval { interval | default } | source-ip ip-address ]    Create an IPv4 RADIUS server.
7    Raisecom(config-aaa)#radius-server host server-name ip6-address ipv6-address key key [ acct-port port-id | auth-port port-id | deadtime { second | default } | max-retransmit { count | default } | retransmit-interval { interval | default } | source-ip6 ipv6-address ]    Create an IPv6 RADIUS server.

8.2.5 Configuring the TACACS+ server


Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#aaa    Enter AAA configuration mode.
3    Raisecom(config-aaa)#tacacs-server deadtime { second | default }    Configure the response timeout time of the TACACS+ authentication server, ranging from 3 to 4294967290, in units of second, being 60 by default.
4    Raisecom(config-aaa)#tacacs-server timeout { second | default }    Configure the TCP connection timeout time and packet receiving timeout time of the TACACS+ authentication server, being 2s by default.
5    Raisecom(config-aaa)#tacacs-server host server-name ip-address ip-address key key [ deadtime { second | default } | port port-id | single-connection { enable | disable } | timeout { second | default } | source-ip ip-address ]    Create an IPv4 TACACS+ server.
6    Raisecom(config-aaa)#tacacs-server host server-name ip6-address ipv6-address key key [ deadtime { second | default } | port port-id | single-connection { enable | disable } | timeout { second | default } | source-ip6 ipv6-address ]    Create an IPv6 TACACS+ server.

8.2.6 Configuring the AAA server group


Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#aaa    Enter AAA configuration mode.
3    Raisecom(config-aaa)#server-group group-name { radius-server | tacacs-server } server-name    Create an AAA server group, or add servers to the AAA server group.

8.2.7 Configuring the AAA mode


Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#aaa    Enter AAA configuration mode.
3    Raisecom(config-aaa)#aaa authentication { dot1x | login | mac-authen | enable } method method-name first { group-name | local } second { group-name | local | none } third { group-name | local | none }    Configure the AAA authentication modes. Up to 2 modes can be configured for an AAA server group.
4    Raisecom(config-aaa)#aaa authorization { login | cmd } method method-name first { group-name | local } second { group-name | local | none } third { group-name | local | none }    Configure the AAA authorization modes. Up to 2 modes can be configured for an AAA server group.
5    Raisecom(config-aaa)#aaa accounting { dot1x | login | mac-authen } method method-name first { group-name | local } second { group-name | local | none } third { group-name | local | none }    Configure the AAA accounting modes. Up to 2 modes can be configured for an AAA server group.

8.2.8 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show aaa config    Show AAA configurations.
2    Raisecom#show aaa information    Show global information about AAA.
3    Raisecom#show aaa server    Show information about AAA servers.
4    Raisecom#show aaa server-group    Show information about AAA server groups.
5    Raisecom#show aaa method    Show information about AAA modes.

8.2.9 Example for configuring AAA

Networking requirement
As shown in Figure 8-2, to make access users and the administrator user use different
servers, configure the switch as below:
• Configure the IP address, VLAN, and route on the switch for user connection and
authentication.
• Create a local user account. Configure the AAA template and scheme for the
administrator user. Use TACACS server 3 for authentication and authorization. Use
RADIUS server 2 for accounting.
• Enable Dot1x. Configure the AAA template and scheme for access users. Use RADIUS
server 1 for authentication, accounting, and authorization.

Figure 8-2 Domain-based authentication application networking

Configuration steps
Step 1 Configure the IP address.

Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#ip address 10.1.0.254/24
Raisecom(config-vlanif-1)#exit
Raisecom(config)#ip route-static 0.0.0.0 0.0.0.0 10.1.0.1

Step 2 Configure the AAA server.

Raisecom(config)#aaa
Raisecom(config-aaa)#radius-server host Server1 ip-address 10.1.1.2
Raisecom(config-aaa)#radius-server host Server2 ip-address 10.1.2.2
Raisecom(config-aaa)#tacacs-server host Server3 ip-address 10.1.3.2

Step 3 Configure the AAA server group.


Raisecom(config-aaa)#server-group Group1 radius-server Server1
Raisecom(config-aaa)#server-group Group2 radius-server Server2
Raisecom(config-aaa)#server-group Group3 tacacs-server Server3


Step 4 Configure the AAA mode.

Raisecom(config-aaa)#aaa authentication login method Method1 first Group3


Raisecom(config-aaa)#aaa authorization login method Method2 first Group3
Raisecom(config-aaa)#aaa accounting login method Method3 first Group2
Raisecom(config-aaa)#aaa authentication dot1x method Method4 first Group1
Raisecom(config-aaa)#aaa accounting dot1x method Method5 first Group1
Raisecom(config-aaa)#exit

Step 5 Configure the authentication mode, authorization mode, and accounting mode for
management users.

Raisecom(config)#line vty 1 2
Raisecom(config-line)#login authentication aaa method Method1
Raisecom(config-line)#login authorization aaa method Method2
Raisecom(config-line)#login accounting aaa method Method3
Raisecom(config-line)#exit

Step 6 Configure the authentication mode, authorization mode, and accounting mode for access users.

Raisecom(config)#dot1x start
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#dot1x enable
Raisecom(config-ge-1/0/1)#dot1x aaa-authentication method Method4
Raisecom(config-ge-1/0/1)#dot1x aaa-accounting method Method5
Raisecom(config-ge-1/0/1)#exit

Checking results
Use the show aaa config command to show configurations of the RADIUS server.

Raisecom#show aaa config


Version : AAA_V7.00.00.00
!
aaa
radius-server host Server1 ip-address 10.1.1.2
radius-server host Server2 ip-address 10.1.2.2
tacacs-server host Server3 ip-address 10.1.3.2
server-group Group1 radius-server Server1
server-group Group2 radius-server Server2
server-group Group3 tacacs-server Server3
aaa authentication login method Method1 first Group3
aaa authorization login method Method2 first Group3
aaa accounting login method Method3 first Group2
aaa authentication dot1x method Method4 first Group1

aaa accounting dot1x method Method5 first Group1
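
The output above can be checked mechanically before it is relied on. The following is an added example, not Raisecom code: it parses the three kinds of lines shown (server, server-group, method) and reports dangling references and weak authentication chains. The finding names, the two constructed fault lines, and the reading of `none` and of a missing `local` step are assumptions of this example.

```python
import re

# Configuration lines taken from the "show aaa config" output above.
PAGE_CONFIG = """\
aaa
radius-server host Server1 ip-address 10.1.1.2
radius-server host Server2 ip-address 10.1.2.2
tacacs-server host Server3 ip-address 10.1.3.2
server-group Group1 radius-server Server1
server-group Group2 radius-server Server2
server-group Group3 tacacs-server Server3
aaa authentication login method Method1 first Group3
aaa authorization login method Method2 first Group3
aaa accounting login method Method3 first Group2
aaa authentication dot1x method Method4 first Group1
aaa accounting dot1x method Method5 first Group1
"""

# Constructed lines (not from the page) that introduce the faults the audit reports.
CONSTRUCTED = """\
server-group Group9 radius-server Server9
aaa authentication login method Method8 first Group7 second none
"""

SERVER_RE = re.compile(r"^(radius|tacacs)-server host (\S+) ip6?-address (\S+)")
GROUP_RE = re.compile(r"^server-group (\S+) (radius|tacacs)-server (\S+)$")
METHOD_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+) method (\S+) (.+)$")
STEP_RE = re.compile(r"\b(?:first|second|third) (\S+)")


def parse(text):
    """Build the server, server-group and method tables from configuration text."""
    servers, groups, methods = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            servers[m.group(2)] = m.group(1)                  # name -> protocol
        elif m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := METHOD_RE.match(line):
            service, user_type, name, rest = m.groups()
            methods.append((service, user_type, name, STEP_RE.findall(rest)))
    return servers, groups, methods


def audit(text):
    """Return (finding, object, detail) tuples in configuration order."""
    servers, groups, methods = parse(text)
    findings = []
    for group, members in groups.items():
        for proto, server in members:
            if server not in servers:
                findings.append(("undefined-server", group, server))
            elif servers[server] != proto:
                findings.append(("protocol-mismatch", group, server))
    for service, user_type, name, chain in methods:
        for target in chain:
            if target not in ("local", "none") and target not in groups:
                findings.append(("undefined-group", name, target))
        if service != "authentication":
            continue
        if "none" in chain:
            # Assumption: a "none" step admits the user without any check.
            findings.append(("auth-falls-through-to-none", name, user_type))
        if user_type in ("login", "enable") and "local" not in chain:
            # Assumption: with no local step, management access depends
            # entirely on the remote servers being reachable.
            findings.append(("no-local-fallback", name, user_type))
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG + CONSTRUCTED):
        print(*finding, sep="\t")
```

Run against the page's own output, the audit reports only that Method1 (management login through Group3) has no local step.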

8.3 802.1x
8.3.1 Introduction
802.1x, based on IEEE 802.1x, is a VLAN-based network access control technology. It is
used to solve authentication and security problems for LAN users.
It is used to authenticate and control access devices at the physical layer of the network device.
It defines a point-to-point connection mode between the device interface and user devices.
User devices, connected to the interface, can access resources in the LAN if they are
authenticated. Otherwise, they cannot access resources in the LAN through the switch.

802.1x structure
As shown in Figure 8-3, 802.1x authentication uses Client/Server mode, including the
following 3 parts:
• Supplicant: a user-side device installed with the 802.1x client software (such as Windows
XP 802.1x client), such as a PC
• Authenticator: an access control device supporting 802.1x authentication, such as a
switch
• Authentication Server: a device used for authenticating, authorizing, and accounting
users. Generally, the RADIUS server is taken as the 802.1x authentication server.

Figure 8-3 802.1x structure

Interface access control modes


The authenticator uses the authentication server to authenticate clients that need to access the
LAN and controls the authorized/unauthorized status of the interface according to the
authentication results. You can control the access status of an interface by configuring access
control modes on the interface. 802.1x authentication supports the following 3 interface access
control modes:
• Protocol authorized mode (auto): the protocol state machine determines the authorization
and authentication results. Before clients are successfully authenticated, only EAPoL
packets are allowed to be received and sent, and users are not allowed to access network
resources and services provided by the switch. If clients are authorized, the interface is
switched to the authorized state, allowing users to access network resources and services
provided by the switch.
• Force interface authorized mode (authorized-force): the interface is in authorized state,
allowing users to access network resources and services provided by the switch without
being authorized and authenticated.
• Force interface unauthorized mode (unauthorized-force): the interface is in unauthorized
mode. Users are not allowed to access network resources and services provided by the
switch; in other words, users are not allowed to be authenticated.

802.1x authentication procedure


The 802.1x system supports the authentication process between the supplicant and the
RADIUS server through EAP relay and EAP termination.
• EAP relay
The supplicant and the authentication server exchange information through Extensible
Authentication Protocol (EAP) packets, while the supplicant and the authenticator exchange
information through EAP over LAN (EAPoL) packets. The EAP packet carries the
authentication data. This authentication data is encapsulated into a RADIUS packet to be
transmitted to the authentication server through a complex network. This procedure is called
EAP relay.
Both the authenticator and the supplicant can initiate the 802.1x authentication procedure. This
document takes the supplicant for example, as shown below:
Step 1 The user enters the user name and password. The supplicant sends an EAPoL-Start packet to
the authenticator to start the 802.1x authentication.
Step 2 The authenticator sends an EAP-Request/Identity packet to the supplicant, asking for the user
name of the supplicant.
Step 3 The supplicant replies with an EAP-Response/Identity packet to the authenticator, which
includes the user name.
Step 4 The authenticator encapsulates the EAP-Response/Identity packet into a RADIUS packet and
sends the RADIUS packet to the authentication server.
Step 5 The authentication server compares the received user name with the one in the database, finds
the password for the user, and encrypts the password with a randomly-generated encryption
word. Meanwhile, it sends the encryption word to the authenticator, which then sends the
encryption word to the supplicant.
Step 6 The supplicant encrypts the password with the received encryption word, and sends the
encrypted password to the authentication server.
Step 7 The authentication server compares the received encrypted password with the one generated
by itself. If they are identical, the authenticator changes the interface to authorized state,
allowing users to access the network through the interface, and sends an EAP-Success packet
to the supplicant. Otherwise, the interface is in unauthorized state and the authenticator sends
an EAP-Failure packet to the supplicant.
• EAP termination
The device terminates the EAP packet and maps it to a RADIUS packet. The standard
RADIUS protocol is used to finish the authorization, authentication, and accounting procedure.
The device and RADIUS server adopt Password Authentication Protocol (PAP)/Challenge
Handshake Authentication Protocol (CHAP) to perform authentication.
In the EAP termination mode, the random encryption character, used for encrypting the
password, is generated by the device. The device then sends the user name, random
encryption character, and encrypted password to the RADIUS server for authentication.
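
The exchange in Steps 5 to 7, and the EAP termination variant, as an added example that is not Raisecom code. It assumes the MD5 challenge method (EAP-MD5, computed as in CHAP, RFC 1994), where the "encrypted password" is an MD5 digest over an identifier octet, the password and the random challenge; class and function names, users and passwords are constructed.

```python
import hashlib
import hmac
import os


def md5_challenge_response(identifier, password, challenge):
    """CHAP/EAP-MD5 value: MD5(identifier octet || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class AuthServer:
    def __init__(self, users):
        self.users = users      # user name -> password bytes (constructed sample data)
        self.pending = {}       # user name -> (identifier, challenge) awaiting a response

    def issue_challenge(self, username):
        # Step 5: find the user, then hand out a fresh random "encryption word".
        if username not in self.users:
            return None
        state = (os.urandom(1)[0], os.urandom(16))
        self.pending[username] = state
        return state

    def check_response(self, username, response):
        # Step 7: recompute the digest locally; a challenge is usable only once.
        state = self.pending.pop(username, None)
        if state is None:
            return False
        expected = md5_challenge_response(state[0], self.users[username], state[1])
        return hmac.compare_digest(expected, response)

    def check_terminated(self, username, identifier, challenge, response):
        # EAP termination: the challenge comes from the device, not from the server.
        password = self.users.get(username)
        if password is None:
            return False
        expected = md5_challenge_response(identifier, password, challenge)
        return hmac.compare_digest(expected, response)


def relay_login(server, username, password):
    """EAP relay: the authenticator only forwards messages between both ends."""
    state = server.issue_challenge(username)                     # Steps 4 and 5
    if state is None:
        return "EAP-Failure"
    identifier, challenge = state
    response = md5_challenge_response(identifier, password, challenge)   # Step 6
    return "EAP-Success" if server.check_response(username, response) else "EAP-Failure"


def termination_login(server, username, password):
    """EAP termination: the device generates the challenge itself."""
    identifier, challenge = os.urandom(1)[0], os.urandom(16)     # device
    response = md5_challenge_response(identifier, password, challenge)   # supplicant
    ok = server.check_terminated(username, identifier, challenge, response)
    return "EAP-Success" if ok else "EAP-Failure"


def replayed_response_accepted(server, username, password):
    """Reuse a response from one session against the next session's challenge."""
    identifier, challenge = server.issue_challenge(username)
    captured = md5_challenge_response(identifier, password, challenge)
    server.check_response(username, captured)       # the legitimate login
    server.issue_challenge(username)                # next session, new challenge
    return server.check_response(username, captured)


if __name__ == "__main__":
    srv = AuthServer({"alice": b"correct horse"})
    print(relay_login(srv, "alice", b"correct horse"))
    print(termination_login(srv, "alice", b"wrong"))
    print(replayed_response_accepted(srv, "alice", b"correct horse"))
```

The password never crosses the link, and because each challenge is random and single-use, a response recorded in one session does not verify in the next.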

802.1x timers
802.1x authentication involves the following 5 timers:
• Reauth-period: re-authorization timer. After the period is exceeded, the device
re-initiates authorization.
• Quiet-period: quiet timer. When user authorization fails, the device needs to keep quiet
for a period. After the period is exceeded, the device re-initiates authorization. During
the quiet time, the device does not process authorization packets.
• Tx-period: transmission timeout timer. When the device sends a Request/Identity packet
to users, the device starts the timer. If users do not send an authorization response
packet during the tx-period, the device re-sends the authorization request packet. The
device sends this packet three times in total.
• Supp-timeout: supplicant authorization timeout timer. When the device sends a
Request/Challenge packet to users, the device starts the supp-timeout timer. If users do
not send an authorization response packet during the supp-timeout, the device re-sends
the Request/Challenge packet. The device sends this packet twice in total.
• Server-timeout: authentication server timeout timer. The timer defines the total timeout
of sessions between the authenticator and RADIUS server. When the configured time
expires, the authenticator ends the session with the RADIUS server and starts a new
authorization process.

802.1x guest VLAN


On the network, users not authenticated by 802.1x can access limited resources. When the
guest VLAN is configured, the device adds the guest VLAN tag to the untagged packet and
allows it to pass the interface.
• Authentication based on interface: after authentication is successful, the device deletes
the guest VLAN of the interface.
• Authentication based on user: after authentication is successful, the device reserves the
guest VLAN of the interface.
• The guest VLAN cannot be the super VLAN or the voice VLAN.

8.3.2 Preparing for configurations

Scenario
To realize access authentication on LAN users and ensure access user security, you need to
configure 802.1x authentication on the device.
If users are authenticated, they are allowed to access network resources. Otherwise, they
cannot access network resources. By performing authentication control on user access
interface, you can manage the users.

Prerequisite
If the RADIUS authentication server is used, you need to perform the following operations
before configuring 802.1x authentication:
• Configure the IP address of the RADIUS server and the RADIUS shared key.
• Ensure that the device can ping the RADIUS server successfully.

8.3.3 Default configurations of 802.1x


Default configurations of 802.1x are as below.

Function    Default value
Global 802.1x    Disable
Interface 802.1x    Disable
Global authentication mode    Chap
Interface access control mode    Auto
Authentication method    macbased
RADIUS server expiration timer    10s
Re-authentication    Enable
802.1x re-authentication timer    3600s
802.1x quiet timer    60s
Transmission timeout timer    30s
Maximum number of users    128

8.3.4 Configuring basic functions of 802.1x

Only one user authentication request is processed on an interface at a time.


Configure basic functions of 802.1x for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#dot1x { start | stop }    Enable or disable global 802.1x.
3    Raisecom(config)#dot1x aaa authentication method method-name    Configure the AAA mode for global 802.1x authentication.
4    Raisecom(config)#interface interface-type interface-number    Enter Layer 2 physical interface configuration mode.
5    Raisecom(config-ge-1/0/*)#dot1x enable    Enable interface 802.1x.
6    Raisecom(config-ge-1/0/*)#dot1x port-control { auto | force-auth | force-unauth }    Configure access control mode on the interface.
7    Raisecom(config-ge-1/0/*)#dot1x port-method { mac | port }    Configure the interface authentication mode.
8    Raisecom(config-ge-1/0/*)#dot1x max-user user-number    Configure the maximum number of users allowed to be authenticated by the 802.1x interface.
9    Raisecom(config-ge-1/0/*)#nac guest-vlan vlan-id    Configure the Guest VLAN of the specified interface, which takes effect on both 802.1x and MAC authentication.
10    Raisecom(config-ge-1/0/*)#dot1x critical-vlan vlan-id    Configure the critical VLAN of 802.1x on the specified interface.
11    Raisecom(config-ge-1/0/*)#dot1x restrict-vlan vlan-id    Configure the restrict VLAN of 802.1x on the specified interface.
12    Raisecom(config-ge-1/0/*)#dot1x reauthenticate all user    Manually trigger reauthentication of 802.1x users on the specified interface.
13    Raisecom(config-ge-1/0/*)#dot1x delete all user    Force 802.1x users on the interface to be offline.
14    Raisecom(config-ge-1/0/*)#dot1x quiet { disable | enable }    Enable or disable silence of 802.1x users on the interface.
15    Raisecom(config-ge-1/0/*)#dot1x quiet-times times    Configure the times of authentication failures for 802.1x users to trigger silence, being 3 by default.

If 802.1x is disabled in global/interface configuration mode, it cannot be enabled on
the interface.

8.3.5 Configuring 802.1x re-authentication

Re-authentication is initiated for authorized users. Before enabling re-authentication,
you must ensure that global/interface 802.1x is enabled. Authorized interfaces are
still in this mode during re-authentication. If re-authentication fails, the interfaces are
in unauthorized state.
Configure 802.1x re-authentication for the device as below.


Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter Layer 2 physical interface configuration mode.
3    Raisecom(config-ge-1/0/*)#dot1x reauthenticate { enable | disable }    Enable 802.1x re-authentication.

8.3.6 Configuring 802.1x timers


Configure 802.1x timers for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter Layer 2 physical interface configuration mode.
3    Raisecom(config-ge-1/0/*)#dot1x reauthenticate period { time | default }    Configure the time of the re-authentication timer, an integer, ranging from 60 to 3600, in units of second, being 60 by default.
4    Raisecom(config-ge-1/0/*)#dot1x timer quiet-period { time | default }    Configure the time of the quiet timer, an integer, ranging from 10 to 3600, in units of second, being 60 by default.
5    Raisecom(config-ge-1/0/*)#dot1x supp period time    Configure the Request/MD5 Challenge request packet timeout timer, an integer, ranging from 6 to 60, in units of second, being 5 by default.
6    Raisecom(config-ge-1/0/*)#dot1x server-timeout period { time | default }    Configure the authentication server timeout timer, an integer, ranging from 60 to 600, in units of second, being 120 by default.
7    Raisecom(config-ge-1/0/*)#dot1x tx period { time | default }    Configure the Request/Identity request packet timeout timer, an integer, ranging from 30 to 60, in units of second, being 30 by default.

8.3.7 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show dot1x config    Show all 802.1x configurations.
2    Raisecom#show dot1x information    Show 802.1x statistics.
3    Raisecom#show dot1x user    Show user information about 802.1x authentication.
4    Raisecom#show dot1x interface-type interface-number    Show statistics and configurations of 802.1x authentication on the interface.

8.3.8 Example for configuring 802.1x

Networking requirements
As shown in Figure 8-4, the network administrator configures 802.1x to control the PC's
access to the Internet.
• For the switch: the IP address is 10.10.0.1, the mask is 255.255.0.0, and default gateway
is 10.10.0.2.
• The RADIUS server works to authenticate and authorize PCs. Its IP address is
192.168.0.1, and the password is raisecom.
• After the PC passes authentication, the Switch will start reauthentication every 600s.

Figure 8-4 Dot1x networking

Configuration steps
Step 1 Configure the IP addresses of the Switch and RADIUS server.

Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config-vlan1)#ip address 10.10.0.1/16
Raisecom(config-vlan1)#exit
Raisecom(config)#ip route 0.0.0.0 0.0.0.0 10.10.0.2
Raisecom(config)#aaa
Raisecom(config-aaa)#radius-server host server1 ip-address 192.168.0.1 key 12345
Raisecom(config-aaa)#server-group grp1 radius-server server1
Raisecom(config-aaa)#aaa authentication dot1x method d1 first grp1
Raisecom(config-aaa)#exit
Raisecom(config)#exit


Step 2 Enable global 802.1x and interface 802.1x.

Raisecom#configure
Raisecom(config)#dot1x start
Raisecom(config)#dot1x aaa authentication method d1
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#dot1x enable
Raisecom(config-ge-1/0/1)#dot1x reauthenticate period 600

Checking results
Use the show dot1x command to show 802.1x configurations on the interface.

Raisecom#show dot1x interface ge 1/0/1


Interface ge 1/0/1 dot1x information:
------------------------------------------------------------
Authentication Guest Vlan : n/a
Max User Num : 128
Default Max User Num : 128
Current User Num : 0
Authen Success User Num : 0
Authen Fail User Num : 0
Authen Timeout User Num : 0
Authenting User Num : 0
Authentication Method : Method4
Accounting Method : Method5
Quiet : Disable
Reauthentication : Enable
Reauthentication Period : 600
Mac Bypass : Disable
Offline Detect : Disable
Restrict Vlan : n/a
Critical Vlan : n/a
TX Period : 30
Supp Timeout Period : 5
Server time Period : 120
Port Control : Auto
Port Method : Mac Based
Port Auth State : Unauthenticated
Auth Method : Chap
Not Eapol Trigger : Disable
Trigger Authen Type : None
Trigger Auth Pkt Type : ARP NDP DHCP DHCP6
Rx Eapol Start Pkt Num : 0
Rx Eapol Logoff Pkt Num : 0
Rx Eap Idenitity Pkt Num : 0
Rx Eap MD5 Pkt Num : 0
Tx Eap Success Pkt Num : 0
Tx Eap Fail Pkt Num : 0
Tx Eap Idenitity Pkt Num : 0
Tx Eap MD5 Pkt Num : 0


8.4 Port security MAC


8.4.1 Introduction
Port security MAC is used on switching devices at the edge of the network, on the user side.
It ensures security of data accessed through an interface by controlling incoming packets
according to the source MAC address.
You can enable port security MAC to limit and distinguish which users can access the
network through secure interfaces. Only secure MAC addresses can access the network;
unsecure MAC addresses are handled according to the configured interface access violation
mode.

Secure MAC address classification


Secure MAC addresses supported by the device are divided into the following three categories:
• Secure MAC address
The dynamic secure MAC address is learnt by the device. You can configure learnt MAC
addresses as secure MAC addresses, within the maximum number of learnt MAC addresses.
Dynamic secure MAC addresses are aged and do not support configuration loading.
The dynamic secure MAC address can be converted to the sticky secure MAC address if
necessary, so that it is not aged and supports auto-loading.
• Sticky secure MAC address
The sticky secure MAC address is manually configured by the user on the secure interface or
converted from a secure MAC address. Different from the secure MAC address, the
sticky secure MAC address needs to be used in conjunction with sticky learning:
• When sticky learning is enabled, the sticky secure MAC address takes effect and is not
aged.
• When sticky learning is disabled, the sticky secure MAC address becomes invalid
and is saved only in the system.

• When sticky learning is enabled, all secure MAC addresses learnt from an
interface are converted to sticky secure MAC addresses.
• When sticky learning is disabled, all sticky secure MAC addresses on an interface
are converted to secure MAC addresses.

Processing mode for violating port security MAC


When the number of secure MAC addresses has reached the maximum number, incoming
packets from an unknown source MAC address are regarded as a violation. The switch
processes illegal user access in one of the following modes, according to the configured
secure MAC violation policy:
• Protect mode: for illegal access users, the secure interface discards the user's packets
directly.
• Restrict mode: for illegal access users, the secure interface discards the user's packets,
and the console prints Syslog information and sends an alarm to the NMS.
• Shutdown mode: for illegal access users, the secure interface discards the user's
packets, and the console prints Syslog information, sends an alarm to the NMS, and
then shuts down the secure interface.

When the MAC address is flapping, in other words, when secure interface A is accessed by
a user whose secure MAC address already exists on secure interface B,
secure interface A processes the access as a violation.
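
A small model of the three violation modes and the flapping rule, as an added example that is not Raisecom code. It follows only the behaviour described above; the class names, port names, limits, MAC addresses, log text and traffic are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1024              # maximum number of secure MAC addresses
    action: str = "restrict"         # protect | restrict | shutdown
    secure: set = field(default_factory=set)
    up: bool = True


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.syslog = []             # stands in for Syslog output and the NMS alarm

    def receive(self, port_name, src_mac):
        """Return 'forward' or 'drop' for one frame and update the tables."""
        port = self.ports[port_name]
        if not port.up:
            return "drop"
        if src_mac in port.secure:
            return "forward"
        # Flapping: the address is already secure on another secure interface.
        owner = next((p.name for p in self.ports.values()
                      if p is not port and src_mac in p.secure), None)
        if owner is None and len(port.secure) < port.maximum:
            port.secure.add(src_mac)                 # learnt below the limit
            return "forward"
        reason = f"MAC flapping from {owner}" if owner else "secure MAC limit reached"
        return self._violation(port, src_mac, reason)

    def _violation(self, port, src_mac, reason):
        # Protect drops silently; restrict and shutdown also log and alarm.
        if port.action in ("restrict", "shutdown"):
            self.syslog.append(f"{port.name}: violation by {src_mac} ({reason})")
        if port.action == "shutdown":
            port.up = False
        return "drop"


def run_example():
    sw = Switch([
        SecurePort("ge 1/0/1", maximum=3, action="protect",
                   secure={"00:00:00:00:00:01"}),
        SecurePort("ge 1/0/2", maximum=2, action="restrict"),
        SecurePort("ge 1/0/3", maximum=1, action="shutdown",
                   secure={"00:00:00:00:00:02"}),
    ])
    frames = [                                   # constructed traffic
        ("ge 1/0/1", "00:00:00:00:00:01"),       # configured address: forward
        ("ge 1/0/1", "00:00:00:00:00:0a"),       # learnt, 2 of 3: forward
        ("ge 1/0/1", "00:00:00:00:00:0b"),       # learnt, 3 of 3: forward
        ("ge 1/0/1", "00:00:00:00:00:0c"),       # over the limit, protect: silent drop
        ("ge 1/0/2", "00:00:00:00:00:0d"),       # learnt: forward
        ("ge 1/0/2", "00:00:00:00:00:0a"),       # secure on ge 1/0/1: flapping, logged
        ("ge 1/0/3", "00:00:00:00:00:0e"),       # over the limit, shutdown: port goes down
        ("ge 1/0/3", "00:00:00:00:00:02"),       # legitimate host, dropped while down
    ]
    results = [sw.receive(port, mac) for port, mac in frames]
    return results, sw.syslog, sw.ports["ge 1/0/3"].up


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The last frame shows the operational cost of Shutdown mode: one violating frame also cuts off the legitimate host until the interface is brought up again, while Protect mode leaves no log entry to investigate.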

8.4.2 Preparing for configurations

Scenario
To ensure the security of data accessed through the interface of the switch, you can control
the incoming packets according to the source MAC address. With port security MAC, you can
permit only specified users to access the interface, or permit only a specified number of
users to access the network through the interface. When the number of users exceeds the
limit, the packets are processed in accordance with the port security MAC violation policy.

Prerequisite
N/A

8.4.3 Default configurations of port security MAC


Default configurations of port security MAC are as below.

Function    Default value
Interface secure MAC    Disable
Dynamic secure MAC sticky learning    Disable
Port secure MAC Trap    Disable
Processing mode for port secure MAC violation    Restrict
Maximum number of port security MAC    1024

8.4.4 Configuring basic functions of port security MAC

• We do not recommend enabling port security MAC on member interfaces of the LAG.
• We do not recommend using the MAC address management function to configure
static MAC addresses when port security MAC is enabled.
• When the 802.1x interface adopts a MAC address-based authentication mode,
port security MAC and 802.1x are mutually exclusive. We do not recommend
configuring them concurrently.
• Port security MAC and interface-/interface VLAN-based MAC number limit are
mutually exclusive and cannot be configured concurrently.
Configure basic functions of port security MAC for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter Layer 2 physical interface configuration mode.
3    Raisecom(config-ge-1/0/*)#port-security enable    Enable port security MAC.
4    Raisecom(config-ge-1/0/*)#port-security maximum { maximum | default }    Configure the maximum number of secure MAC addresses, an integer, ranging from 1 to 1024, being 1 by default.
5    Raisecom(config-ge-1/0/*)#port-security protect-action { protect | restrict | shutdown }    Configure the secure MAC violation mode.
6    Raisecom(config-ge-1/0/*)#shutdown    Re-enable the interface which is shut down due to violating port security MAC.
     Raisecom(config-ge-1/0/*)#no shutdown
7    Raisecom(config)#port-security error-down recovery-interval { second | default }    (Optional) configure the restoration time of port security MAC, an integer, in units of second, ranging from 3 to 86400, being 0 by default.

When secure MAC violation policy is in Shutdown mode, you can use this command
to re-enable this interface which is shut down due to violating port security MAC.
When the interface is Up, the configured secure MAC violation mode will continue to
be valid.

8.4.5 Configuring the sticky secure MAC address

We do not recommend configuring sticky secure MAC addresses when port sticky
security MAC is disabled. Otherwise, port sticky security MAC may malfunction.
Configure the sticky secure MAC address for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter Layer 2 physical interface configuration mode.
3    Raisecom(config-ge-1/0/*)#port-security { enable | disable }    Enable port security MAC.
4    Raisecom(config-ge-1/0/*)#port-security mac-address sticky { enable | disable }    Enable sticky secure MAC learning.
5    Raisecom(config-ge-1/0/*)#port-security mac-address sticky vlan vlan-id mac mac-address    Manually configure sticky secure MAC addresses.

After sticky secure MAC address learning is enabled, the dynamic secure MAC
address will be converted to the sticky secure MAC address; the manually configured
sticky secure MAC address will take effect.

8.4.6 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show mac-address config    Show configurations of port security MAC.
2    Raisecom#show mac-address { security | sticky }    Show information about entries of secure MAC addresses.

8.4.7 Maintenance
Maintain the device as below.

Command    Description
Raisecom(config)#no mac-address { security | sticky } [ interface-type interface-number ]    Clear the specified type of secure MAC addresses.

8.4.8 Example for configuring port security MAC

Networking requirements
As shown in Figure 8-5, the Switch connects 3 user networks. To ensure security of data
accessed from the interface, configure the Switch as below.
• GE 1/1/1 allows up to 3 users to access the network. One specified user MAC address is 0000.0000.0001. The other two users are in dynamic learning mode. The violation mode is Protect mode.
• GE 1/1/2 allows up to 2 users to access the network. MAC addresses of the 2 users are determined through learning. The violation mode is Restrict mode.
• GE 1/1/3 allows up to 1 user to access the network. The specified user MAC address is 0000.0000.0002. The violation mode is Shutdown mode.

Figure 8-5 Port security MAC networking

Configuration steps
Step 1 Configure the secure MAC address on GE 1/0/1.

Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port-security enable
Raisecom(config-ge-1/0/1)#port-security maximum 3
Raisecom(config-ge-1/0/1)#port-security mac-address sticky enable
Raisecom(config-ge-1/0/1)#port-security mac-address sticky vlan 1 mac 00:00:00:00:00:01
Raisecom(config-ge-1/0/1)#quit

Step 2 Configure the secure MAC address on GE 1/0/2.

Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port-security enable
Raisecom(config-ge-1/0/2)#port-security maximum 2
Raisecom(config-ge-1/0/2)#port-security protect-action restrict
Raisecom(config-ge-1/0/2)#quit

Step 3 Configure the secure MAC address for GE 1/0/3.

Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#port-security enable
Raisecom(config-ge-1/0/3)#port-security maximum 1
Raisecom(config-ge-1/0/3)#port-security protect-action shutdown
Raisecom(config-ge-1/0/3)#port-security mac-address sticky enable
Raisecom(config-ge-1/0/3)#port-security mac-address sticky vlan 1 mac 00:00:00:00:00:02
Raisecom(config-ge-1/0/3)#quit

Checking results
Use the show mac-address config command to show configurations of port security MAC.

Raisecom#show mac-address config


!
mac-address aging-time 500
!
interface ge 1/0/1
port-security enable
port-security maximum 3
port-security mac-address sticky enable
!
interface ge 1/0/2
port-security enable
port-security maximum 2
!
interface ge 1/0/3
port-security enable
port-security protect-action shutdown
port-security mac-address sticky enable

Use the show mac-address sticky command to show configurations and learning of secure
MAC addresses.

Raisecom(config)#show mac-address sticky


MacAddress VLAN/VSI/BD Learned-From Type Valid
----------------------------------------------------------------------
0000:0000:0001 1/--/-- ge-1/0/1 sticky yes
0000:0000:0002 1/--/-- ge-1/0/3 sticky yes
----------------------------------------------------------------------
Total:2

8.5 PPPoE+
8.5.1 Introduction
PPPoE Intermediate Agent (PPPoE+) is used to process authentication packets. PPPoE+ adds
more information about the access device to the authentication packet to bind the account to
the access device, so that the account cannot be shared or stolen and the interests of the
carrier and users are protected. This gives the server enough information to identify users
and helps ensure network security.
In PPPoE dial-up mode, you can access the network through various interfaces on the device
as long as authentication by the authentication server is successful.
However, the server cannot accurately differentiate users by the authentication information
alone, which contains only the user name and password. With PPPoE+, other information, such
as the interface ID, is included in the authentication packet in addition to the user name
and password. If the interface ID identified by the authentication server does not match the
configured one, authentication fails. This helps prevent illegal users from stealing the
accounts of legal users to access the network.
The PPPoE protocol adopts Client/Server mode, as shown in Figure 8-6. The Switch acts as a
relay agent. Users access the network through PPPoE authentication. If the PPPoE server
needs to locate users, more information should be contained in the authentication packet.

Figure 8-6 Accessing the network through PPPoE authentication

To access the network through PPPoE authentication, you need to pass through the following
2 stages: discovery stage (authentication stage) and session stage. PPPoE+ is used to process
packets at the discovery stage. The following steps show the whole discovery stage.
Step 1 To access the network through PPPoE authentication, the client sends a broadcast PPPoE
Active Discovery Initiation (PADI) packet. This packet is used to query the authentication
server.
Step 2 After receiving the PADI packet, the authentication server replies with a unicast PPPoE
Active Discovery Offer (PADO) packet.
Step 3 If multiple authentication servers reply with PADO packets, the client selects one of
them and then sends a unicast PPPoE Active Discovery Request (PADR) packet to that
authentication server.
Step 4 After receiving the PADR packet, if the authentication server believes that the user is
legal, it sends a unicast PPPoE Active Discovery Session-confirmation (PADS) packet to the client.
PPPoE+ adds user identification information to PADI and PADR packets. Therefore, the
server can identify whether the user identification information is identical to the user account
for assigning resources.

8.5.2 Preparing for configurations

Scenario
To prevent illegal client access during PPPoE authentication, you need to configure PPPoE+
to add additional user identification information in PPPoE packets for network security.
Because the added user identification information is related to the specified switch and
interface, the authentication server can bind the user with the switch and interface to
effectively prevent account sharing and theft. In addition, this helps users enhance network
security.

Prerequisite
N/A

8.5.3 Default configurations of PPPoE+


Default configurations of PPPoE+ are as below.

Function                                                    Default value
Global PPPoE                                                Disable
Interface PPPoE                                             Disable
Global policy for processing received PPPoE+ Tag packets    replace
Padding mode of Circuit ID                                  SwitchCommon
Circuit ID information                                      Interface ID/Outer VLAN ID/Inner VLAN ID
Attached string of Circuit ID                               N/A
Padded MAC address of Remote ID                             MAC address of the switch
Padding mode of Remote ID                                   Binary
Interface trusted status                                    Untrusted
Global policy for processing received PPPoE+ Tag packets    replace

By default, PPPoE packets are forwarded without being attached with any
information.

8.5.4 Configuring basic functions of PPPoE+

PPPoE+ is used to process PADI and PADR packets. It is designed for the PPPoE
client. Generally, PPPoE+ is only enabled on interfaces that are connected to the
PPPoE client. Trusted interfaces are interfaces through which the switch is connected
to the PPPoE server. PPPoE+ and trusted interface are exclusive; in other words, an
interface enabled with PPPoE+ cannot be configured as a trusted interface.

Enabling PPPoE+
After global PPPoE+ and interface PPPoE+ are enabled, user information is attached to PPPoE
authentication packets sent to the interface, and the packets are then forwarded to the
trusted interface.
Enable PPPoE+ for the device as below.

Step    Command    Description
1    Raisecom#config    Enter global configuration mode.
2    Raisecom(config)#pppoeplus start    Enable global PPPoE+.
3    Raisecom(config)#interface interface-type interface-number    Enter Layer 2 physical interface configuration mode.
4    Raisecom(config-ge-1/0/1)#pppoeplus enable    Enable interface PPPoE+.

Configuring the PPPoE trusted interface


The PPPoE trusted interface can be used to reduce the CPU utilization. The packets received
by the trusted interface are not sent to the CPU for processing, but directly forwarded by the
switching chip. The PPPoE trusted interface is configured on the interface connected to the
PPPoE server.
Configure the PPPoE trusted interface for the device as below.

Step    Command    Description
1    Raisecom#config    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter Layer 2 physical interface configuration mode.
3    Raisecom(config-ge-1/0/1)#pppoeplus trust    Configure the PPPoE trusted interface.

8.5.5 Configuring PPPoE+ packets


PPPoE+ is used to process a specified Tag in PPPoE packets. This Tag contains the Circuit ID
and Remote ID.
• Circuit ID: padded with the ID of the interface receiving client request packets and the VLAN IDs (outer VLAN ID and inner VLAN ID).
• Remote ID: padded with the MAC address of the interface receiving client request packets.

Configuring the Circuit ID


The Circuit ID has 3 padding modes:
• ascii: pad the Circuit ID with the character string configured by the command.
• default: pad the Circuit ID with the default value.
• user-define: pad the Circuit ID with the user-defined format.
Configure the Circuit ID for the device as below.

Step    Command    Description
1    Raisecom#config    Enter global configuration mode.
2    Raisecom(config)#pppoeplus default circuit-id format { ascii | default | user-define } string    Configure the Circuit ID of the switch (no string needs to be configured in the default mode).
3    Raisecom(config)#interface interface-type interface-number    Enter physical interface configuration mode.
4    Raisecom(config-ge-1/0/1)#pppoeplus circuit-id format { ascii | default | user-define } string    Configure the Circuit ID on the interface (no string needs to be configured in the default mode; if both the interface Circuit ID and global Circuit ID are configured, the configuration of the interface Circuit-ID prevails).

Configuring the Remote ID


The Remote ID has 3 padding modes:
• ascii: pad the Remote ID with the character string configured by the command.
• default: pad the Remote ID with the default value.
• user-define: pad the Remote ID with the user-defined format.
Configure the Remote ID for the device as below.

Step    Command    Description
1    Raisecom#config    Enter global configuration mode.
2    Raisecom(config)#pppoeplus default remote-id format { ascii | default | user-define } string    Configure the Remote ID of the switch (no string needs to be configured in the default mode).
3    Raisecom(config)#interface interface-type interface-number    Enter Layer 2 physical interface configuration mode.
4    Raisecom(config-ge-1/0/1)#pppoeplus remote-id format { ascii | default | user-define string }    Configure the Remote ID on the interface (no string needs to be configured in the default mode; if both the interface Remote ID and global Remote ID are configured, the configuration of the interface Remote ID prevails).

Configuring the policy for processing PPPoE+ Tag


Tags of some fields may be forged by the client, so the original Tags in the packet may need
to be replaced.
• If the policy for processing received PPPoE+ Tag packets is configured to replace, and the PPPoE packet already carries the information field Tag, the Tag will be replaced.
• If the policy for processing received PPPoE+ Tag packets is configured to keep, and the PPPoE packet already carries the information field Tag, the original Tag will be retained.
• If the policy for processing received PPPoE+ Tag packets is configured to drop, and the PPPoE packet already carries the information field Tag, the original Tag will be discarded.
Configure Tag overriding for the device as below.

Step    Command    Description
1    Raisecom#config    Enter global configuration mode.
2    Raisecom(config)#pppoeplus default policy { drop | keep | replace }    Configure the global policy for processing received PPPoE+ Tag packets.
3    Raisecom(config-ge-1/0/1)#pppoeplus policy { drop | keep | replace }    Configure the interface policy for processing received PPPoE+ Tag packets. If both the global policy and interface policy are configured, the interface policy prevails.
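
The three Tag policies above, worked through as an added Python example (not Raisecom code) on constructed PADI packets. It assumes the Circuit ID and Remote ID travel as sub-options 0x01 and 0x02 of a PPPoE Vendor-Specific tag (0x0105) with the Broadband Forum vendor ID, as in TR-101, and that drop forwards the packet with the client's Tag stripped; the page states neither.

```python
import struct

PADI, PADO, PADR = 0x09, 0x07, 0x19      # PPPoE discovery codes (RFC 2516)
TAG_SERVICE_NAME, TAG_VENDOR = 0x0101, 0x0105
VENDOR_ID = 0x00000DE9                   # assumption: Broadband Forum (TR-101) encoding
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02


def parse_tags(payload):
    """Split a discovery payload into (type, value) tags; reject truncated tags."""
    tags, off = [], 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated tag header")
        tag_type, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("tag length runs past payload")
        tags.append((tag_type, payload[off:off + length]))
        off += length
    return tags


def split_packet(packet):
    """Return (code, session_id, tags) of a PPPoE discovery packet (no Ethernet header)."""
    if len(packet) < 6:
        raise ValueError("short PPPoE header")
    _ver_type, code, session, length = struct.unpack_from("!BBHH", packet)
    if 6 + length > len(packet):
        raise ValueError("PPPoE length runs past packet")
    return code, session, parse_tags(packet[6:6 + length])


def build_packet(code, tags, session=0):
    """Serialize a discovery packet from a list of (type, value) tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body


def access_tag(circuit_id, remote_id):
    """Vendor-Specific tag carrying the Circuit ID and Remote ID sub-options."""
    subs = ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id))
    data = b"".join(bytes([k, len(v)]) + v for k, v in subs)
    return (TAG_VENDOR, struct.pack("!I", VENDOR_ID) + data)


def is_access_tag(tag):
    tag_type, value = tag
    return (tag_type == TAG_VENDOR and len(value) >= 4
            and struct.unpack_from("!I", value)[0] == VENDOR_ID)


def read_access_tag(packet):
    """Return {sub-option: bytes} from the first access tag, or None if absent."""
    for tag in split_packet(packet)[2]:
        if is_access_tag(tag):
            subs, value, off = {}, tag[1], 4
            while off + 2 <= len(value):
                kind, length = value[off], value[off + 1]
                subs[kind] = value[off + 2:off + 2 + length]
                off += 2 + length
            return subs
    return None


def relay(packet, circuit_id, remote_id, policy="replace"):
    """Process a packet received on a PPPoE+-enabled client interface."""
    if policy not in ("replace", "keep", "drop"):
        raise ValueError("unknown policy")
    code, session, tags = split_packet(packet)
    if code not in (PADI, PADR):          # PPPoE+ only touches PADI and PADR
        return packet
    client_supplied = any(is_access_tag(t) for t in tags)
    if client_supplied and policy == "keep":
        return packet                     # client's Tag reaches the server untouched
    tags = [t for t in tags if not is_access_tag(t)]
    # assumption: under "drop" a packet that carried a Tag goes on without any Tag
    if not (client_supplied and policy == "drop"):
        tags.append(access_tag(circuit_id, remote_id))
    return build_packet(code, tags, session)


# Constructed sample data: Circuit ID in the page's %portname:%svlan:%devicename format.
SWITCH_CID = b"ge-1/0/1:100:Raisecom"
SWITCH_RID = b"01:02:03:04:05:06"
CLEAN_PADI = build_packet(PADI, [(TAG_SERVICE_NAME, b"")])
FORGED_PADI = build_packet(PADI, [(TAG_SERVICE_NAME, b""),
                                  access_tag(b"ge-1/0/9:200:Other", b"forged")])

if __name__ == "__main__":
    for policy in ("replace", "keep", "drop"):
        out = relay(FORGED_PADI, SWITCH_CID, SWITCH_RID, policy)
        print(policy, read_access_tag(out))
```

With keep, whatever Circuit ID arrives on the client interface is what the server sees; replace is the only one of the three policies under which the server always receives the switch's own value.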

8.5.6 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show pppoeplus config    Show PPPoE+ configurations.
2    Raisecom#show pppoeplus information    Show current global PPPoE+ configurations, including default configurations.

8.5.7 Maintenance
Maintain the device as below.

Command    Description
Raisecom(config)#reset pppoeplus statistic [interface interface-type interface-number]    Clear PPPoE+ statistics. The device supports clearing PPPoE+ statistics on the specified interface.
Raisecom#show pppoeplus interface [ interface-type interface-number ]    Show configurations and statistics on the PPPoE+ interface.

8.5.8 Example for configuring PPPoE+

Networking requirements
As shown in Figure 8-7, to prevent illegal clients from accessing and managing legal users,
you can configure PPPoE+ on the Switch.
• GE 1/0/1 and GE 1/0/2 are connected to Client 1 and Client 2 respectively. GE 1/0/3 is connected to the PPPoE server.
• Enable global PPPoE+, and PPPoE+ on GE 1/0/1, GE 1/0/2, and GE 1/0/3. Configure GE 1/0/3 as the trusted interface.
• Configure the Circuit ID mode to user-defined, with the format of interface name + outer VLAN ID + device name. Configure the Remote ID mode to ascii, with the content 01:02:03:04:05:06.
• Configure the policy for processing received PPPoE+ packets on GE 1/0/1 and GE 1/0/2.

Figure 8-7 PPPoE+ networking

Configuration steps
Step 1 Enable global PPPoE+. Enable PPPoE+ on GE 1/0/1, GE 1/0/2, and GE 1/0/3.

Raisecom(config)#pppoeplus start
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#pppoeplus enable
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#pppoeplus enable
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#pppoeplus enable
Raisecom(config-ge-1/0/3)#exit

Step 2 Configure GE 1/0/3 as the trusted interface.

Raisecom#configure
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#pppoeplus trust
Raisecom(config-ge-1/0/3)#exit

Step 3 Configure the format of the Circuit ID and Remote ID.

Raisecom(config)#pppoeplus default circuit-id format user-defined %portname:%svlan:%devicename
Raisecom(config)#pppoeplus default remote-id format ascii 01:02:03:04:05:06

Step 4 Configure the policy for processing received PPPoE+ Tag packets on GE 1/0/1 and GE 1/0/2.

Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#pppoeplus policy keep
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#pppoeplus policy drop
Raisecom(config-ge-1/0/2)#exit

Checking results
Use the show pppoeplus config command to show PPPoE+ configurations.

Raisecom#show pppoeplus config


!
pppoeplus start
pppoeplus default remote-id format ascii 01:02:03:04:05:06
pppoeplus default circuit-id format user-defined %portname:%svlan:%devicename
!
interface ge 1/0/1
pppoeplus enable
pppoeplus policy keep
!
interface ge 1/0/2
pppoeplus enable
pppoeplus policy drop
!
interface ge 1/0/3
pppoeplus enable
pppoeplus trust

8.6 Storm suppression


8.6.1 Introduction
The Layer 2 network is a broadcast domain. When an interface receives excessive broadcast,
unknown multicast, and unknown unicast packets, a broadcast storm occurs. If broadcast packets
are not controlled, the storm may occupy much network bandwidth, degrade network performance,
and impact forwarding of unicast packets or even lead to communication halt.
Storm suppression restricts the broadcast flow generated on the network and prevents a
broadcast storm from occurring when the broadcast flow increases sharply, thus ensuring
normal forwarding of common packets.

Occurrence of broadcast storm


The following traffic may cause a broadcast storm:
• Unknown unicast packets: unicast packets whose destination MAC address is not in the MAC address table, namely, Destination Lookup Failure (DLF) packets. If these packets are excessive in a period, the system floods them and a broadcast storm may occur.
• Unknown multicast packets: the device neither supports multicast nor has a multicast MAC address table, so it processes received multicast packets as unknown multicast packets.
• Broadcast packets: packets whose destination MAC address is a broadcast address. If these packets are excessive in a period, a broadcast storm may occur.

Principles of storm suppression


Storm suppression allows an interface to filter broadcast packets received by the interface.
After storm suppression is enabled, when the number of received broadcast packets reaches
the pre-configured threshold, the device will take the corresponding action.

Types of storm suppression


Storm suppression is performed in the following forms:
• Bits Per Second (BPS): the number of bits allowed to pass per second
• Packet Per Second (PPS): the number of packets allowed to pass per second
• Percent: the percentage of the maximum interface rate allowed to pass, supported by the physical interface only

8.6.2 Preparing for configurations

Scenario
Configuring storm control on Layer 2 devices can prevent broadcast storm from occurring
when broadcast packets increase sharply on the network. In this case, normal packets can be
properly forwarded.

Prerequisite
N/A

8.6.3 Default configurations of storm suppression


Default configurations of storm suppression are as below.

Function                                      Default value
Broadcast storm suppression status            Disable
Unknown unicast storm suppression status      Disable
Unknown multicast storm suppression status    Disable
Action for storm control on the interface     N/A
Restoration period of the interface           30s
Interface storm control Trap                  Disable

8.6.4 Configuring storm suppression

Storm suppression and VLAN-based rate limiting are exclusive. We do not recommend enabling
them on the same interface concurrently.
Configure storm suppression for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter Layer 2 physical interface configuration mode.
3    Raisecom(config-ge-1/0/1)#storm-suppression { unknown-unicast | unknown-multicast | broadcast } min-rate { kbps | mbps } rate-value max-rate { kbps | mbps } rate-value    Enable storm suppression on the physical interface, and configure the BPS storm suppression threshold.
     Raisecom(config-port-channel*)#storm-suppression { unknown-unicast | unknown-multicast | broadcast } min-rate percent rate-value max-rate percent rate-value    Enable storm suppression on the physical interface, and configure the percentage storm suppression threshold.
4    Raisecom(config-ge-1/0/1)#storm-suppression action { block | error-down | none }    Configure the action for storm suppression on the interface.
5    Raisecom(config-ge-1/0/1)#storm-suppression interval { interval | default }    Configure the restoration period of the shutdown interface.
6    Raisecom(config-ge-1/0/1)#storm-suppression snmp-trap enable    Enable storm suppression Trap on the interface. Use the disable form of this command to disable this function.
7    Raisecom(config-ge-1/0/1)#exit    Return to global configuration mode.

8.6.5 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show storm-suppression interface [ interface-type interface-number ]    Show configurations of storm suppression on the interface.
2    Raisecom#show storm-suppression information    Show global configurations of storm suppression.

8.6.6 Example for configuring storm suppression

Networking requirements
As shown in Figure 8-8, when GE 1/1/1 and GE 1/1/2 on the Switch receive excessive
unknown unicast packets or broadcast packets, Switch A forwards these packets to all
interfaces except the Rx interface, which may cause broadcast storm and lower forwarding
performance of Switch A.

To restrict impacts on Switch A caused by broadcast storm, you need to configure storm
suppression on Switch A to restrict broadcast packets from user networks 1 and 2, with the
threshold of 640 pps.

Figure 8-8 Storm suppression networking

Configuration steps
Enable storm suppression, and configure the threshold for storm suppression.

Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#storm-suppression broadcast min-rate kbps 320 max-rate kbps 640
Raisecom(config-ge-1/0/1)#storm-suppression action error-down
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#storm-suppression broadcast min-rate kbps 320 max-rate kbps 640
Raisecom(config-ge-1/0/2)#storm-suppression action error-down

Checking results
Use the show storm-suppression interface command to show configurations of storm
suppression.

Raisecom(config-ge-1/0/2)#show storm-suppression interface


NOTE :
UNMC: unknown multicast ; BC: broadcast ; UNC: unknown unicast
Interface   Type   State     RateMode   Min/MaxRate        Action/Status    Interval
-----------------------------------------------------------------------------------------------
ge-1/0/1    UNC    disable   bps        n/a                none/normal      5
            UNMC   disable   bps        n/a                none/normal      5
            BC     enable    bps        320/640 (kbit/s)   none/errordown   5
ge-1/0/2    UNC    disable   bps        n/a                none/normal      5
            UNMC   disable   bps        n/a                none/normal      5
            BC     enable    bps        320/640 (kbit/s)   none/errordown   5
-----------------------------------------------------------------------------------------------

8.7 ARP attack protection


8.7.1 Preparing for configurations

Scenario
ARP is simple and easy to use, but it has no security mechanism and is therefore vulnerable
to attacks. Attackers can forge ARP packets from users or gateways to alter the ARP table of
the gateway or host. When they send excessive IP packets, whose IP addresses cannot be
resolved, to the device, they cause the following harms:
• The device sends excessive ARP request packets to the destination network segment, so this network segment is overburdened.
• The device repeatedly resolves destination IP addresses, so the CPU is overburdened.
To prevent these harms due to attacks on IP packets, the device supports ARP attack
protection.

Prerequisite
N/A

8.7.2 Default configurations of ARP attack protection


N/A

8.7.3 Configuring ARP


Configure ARP for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#arp-antiattack src-ip { enable | disable }    Configure ARP conflict detection for ARP source IP addresses. The device searches the ARP table using the source IP address in the ARP packet. If the corresponding ARP table entry is found and the MAC address in that entry is inconsistent with the source MAC address in the ARP packet, it is considered an ARP conflict. The ARP packet is discarded to prevent attackers from tampering with the MAC address in the ARP table.
3    Raisecom(config)#arp-antiattack src-mac { enable | disable }    Configure ARP conflict detection for ARP source MAC addresses. The device searches the ARP table using the source MAC address in the ARP packet. If the corresponding ARP table entry is found and the IP address in that entry is inconsistent with the source IP address in the ARP packet, it is considered an ARP conflict. The ARP packet is discarded to prevent attackers from tampering with the IP address in the ARP table.
4    Raisecom(config)#arp-antiattack arp-cheat { enable | disable }    Configure detection of ARP spoofing that counterfeits the device. The device checks the source or destination IP address, the source MAC address, and the ARP packet type in a received ARP packet to determine whether the packet is an attack packet counterfeiting the device. If it detects the packet as an attack packet, it discards the ARP packet and sends a gratuitous ARP of the device.
5    Raisecom(config)#arp-antiattack gratuitous-arp { enable | disable }    Configure gratuitous ARP packets to be actively discarded. After this function is enabled, the device directly discards gratuitous ARP packets, which prevents the device from processing a large number of gratuitous ARP packets that would overload the CPU and leave it unable to process other services.
6    Raisecom(config)#arp-antiattack gateway-cheat { enable | disable }    Configure ARP gateway anti-conflict. This function can prevent users from impersonating the gateway to send ARP packets and illegally modifying ARP entries of other users on the network. ARP gateway anti-conflict and dynamic ARP inspection cannot be configured concurrently.
7    Raisecom(config-ge-*/*/*)#arp-antiattack check user-bind enable    Configure Dynamic ARP Inspection (DAI). Enable three items of DAI, which can be combined freely. By default, they are all selected. After DAI is enabled and the device receives an ARP packet, the device compares the information about the packet, such as the source IP address, source MAC address, the receiving interface, and VLAN of the packet, with the information in the DHCP Snooping binding table. If the information matches, the device determines that the user is legal and allows the ARP packet to pass; otherwise, the device determines that the ARP packet is an attack packet and discards the ARP packet. This function is applicable to the DHCP Snooping scenario only.
8    Raisecom(config-ge-1/0/1)#arp-antiattack check user-bind check-item { vlan | ip-address | mac-address }    Configure DAI items. The three DAI items can be combined freely. By default, they are all selected.
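
The checks described in steps 2, 3, 5, 7, and 8 above, as an added Python example (not Raisecom code) run over constructed ARP payloads. The order in which the checks run, the table layouts, and comparing the receiving interface in every user-bind check are assumptions; the keys src-ip, src-mac, gratuitous-arp, and user-bind follow the CLI keywords in the table.

```python
import ipaddress
import struct


def make_arp(op, sha, spa, tha, tpa):
    """Build a raw Ethernet/IPv4 ARP payload (used only for the constructed samples)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


def parse_arp(raw):
    """Decode the sender and target fields of an ARP payload."""
    if len(raw) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", raw)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack_from("!6s4s6s4s", raw, 8)
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: str(ipaddress.IPv4Address(b))
    return {"op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


def inspect(raw, port, vlan, arp_table, bindings, cfg):
    """Return 'forward' or 'drop:<check>' for one ARP packet received on port/vlan."""
    p = parse_arp(raw)
    # Step 5: gratuitous ARP (sender IP equals target IP) is discarded outright.
    if cfg.get("gratuitous-arp") and p["spa"] == p["tpa"]:
        return "drop:gratuitous-arp"
    # Step 2: the ARP table already maps this source IP to a different MAC.
    if cfg.get("src-ip"):
        known_mac = arp_table.get(p["spa"])
        if known_mac is not None and known_mac != p["sha"]:
            return "drop:src-ip"
    # Step 3: the ARP table already maps this source MAC to a different IP.
    if cfg.get("src-mac"):
        known_ips = [ip for ip, mac in arp_table.items() if mac == p["sha"]]
        if known_ips and p["spa"] not in known_ips:
            return "drop:src-mac"
    # Steps 7 and 8: DAI against the DHCP Snooping binding table, per interface.
    items = cfg.get("user-bind", {}).get(port)
    if items is not None:
        seen = {"ip-address": p["spa"], "mac-address": p["sha"], "vlan": vlan}
        if not any(b["port"] == port and all(b[i] == seen[i] for i in items)
                   for b in bindings):
            return "drop:user-bind"
    return "forward"


# Constructed sample state: one gateway ARP entry, one DHCP Snooping binding.
GW_MAC, HOST_MAC, ZERO = "00:11:22:33:44:55", "00:aa:bb:cc:dd:02", "00:00:00:00:00:00"
ARP_TABLE = {"192.168.1.1": GW_MAC}
BINDINGS = [{"port": "ge-1/0/2", "vlan": 10,
             "ip-address": "192.168.1.20", "mac-address": HOST_MAC}]
CFG = {"src-ip": True, "src-mac": True, "gratuitous-arp": True,
       "user-bind": {"ge-1/0/2": {"vlan", "ip-address", "mac-address"}}}
SAMPLES = {
    "bound host asks for gateway": make_arp(1, HOST_MAC, "192.168.1.20", ZERO, "192.168.1.1"),
    "host claims gateway IP": make_arp(2, HOST_MAC, "192.168.1.1", ZERO, "192.168.1.30"),
    "gratuitous announcement": make_arp(1, HOST_MAC, "192.168.1.20", ZERO, "192.168.1.20"),
    "unbound source IP": make_arp(1, HOST_MAC, "192.168.1.99", ZERO, "192.168.1.1"),
}


def verdicts(cfg=CFG):
    """Run every constructed sample as if received on ge-1/0/2 in VLAN 10."""
    return {name: inspect(raw, "ge-1/0/2", 10, ARP_TABLE, BINDINGS, cfg)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:30s} {verdict}")
```

Narrowing the check items changes the outcome: with only vlan and mac-address selected, the packet with the unbound source IP is forwarded.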

8.7.4 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show arp-antiattack config    Show configurations of ARP attack protection.
2    Raisecom#show arp-antiattack interface    Show dynamic ARP entries.
3    Raisecom#show arp-antiattack information    Show statistics on ARP attack protection.

8.7.5 Example for configuring ARP attack protection

Networking requirements
To prevent ARP attacks shown below, configure ARP attack protection on Switch A with the
following requirements:
• Disallow gratuitous ARP messages to pass. Enable ARP conflict detection for ARP source IP addresses and source MAC addresses, and the ARP spoofing detection for impersonating this device.
• Switch A serves as the gateway for User A. Enable ARP gateway anti-conflict.
• Clear configurations of the ARP gateway anti-conflict on Switch A. Switch A provides Layer 2 accessibility from User B to the DHCP server. Configure DAI on GE 1/1/2.

Figure 8-9 DAI networking

Step 1 Configure ARP conflict detection for ARP source IP addresses.

Raisecom#configure
Raisecom(config)#arp-antiattack src-ip enable

Step 2 Configure ARP conflict detection for ARP source MAC addresses.

Raisecom(config)#arp-antiattack src-mac enable

Step 3 Enable detection of ARP spoofing that impersonates the device.

Raisecom(config)#arp-antiattack arp-cheat enable

Step 4 Enable active discarding of gratuitous ARP packets.

Raisecom(config)#arp-antiattack gratuitous-arp enable

Step 5 Enable ARP gateway anti-conflict.

Raisecom(config)#arp-antiattack gateway-cheat enable

Step 6 Enable DAI. To enable DAI, disable ARP gateway anti-conflict in advance.

Raisecom(config)#arp-antiattack gateway-cheat disable
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#arp-antiattack check user-bind enable
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#

Checking results
Use the show arp-antiattack config command to show configurations of ARP attack
protection.

Raisecom#show arp-antiattack config


Version: ANTIARP_VL2.10.00.00
!
arp-antiattack src-ip enable
arp-antiattack src-mac enable
arp-antiattack arp-cheat enable
arp-antiattack gratuitous-arp enable
arp-antiattack gateway-cheat enable

Raisecom#show arp-antiattack config


Version: ANTIARP_VL2.10.00.00
!
arp-antiattack src-ip enable
arp-antiattack src-mac enable
arp-antiattack arp-cheat enable
arp-antiattack gratuitous-arp enable
!
interface ge 1/0/2
arp-antiattack check user-bind enable

8.8 ND Snooping
8.8.1 Introduction
Neighbor Discovery (ND) is a group of messages or processes for determining relations
between neighboring nodes. Its messages replace IPv4 Address Resolution Protocol (ARP),
ICMP Router Discovery (RD), and ICMP Redirect messages, and it also supports the
following functions:
• Detecting address conflicts
• Resolving the neighbor address
• Determining neighbor reachability
• Configuring the IP address of the host
ND Snooping is used on the switch to check user validity. It normally forwards ND packets of
authorized users and discards those of unauthorized users, thus preventing attacks from
pseudo users and gateways.

User validity check is used to determine whether a user is an authorized user of the VLAN to
which the interface receiving the ND packet belongs, according to the source IPv6 address
and source MAC address carried in the ND packet.
ND Snooping divides interfaces of the access device into the following two types:
• ND trusted interface: this interface does not check user validity, but forwards ND
packets normally.
• ND untrusted interface: the device treats RA packets received by the ND untrusted
interface as illegal and discards them directly. The device checks NA/RS/NS packets
received by the ND untrusted interface against the binding table; when
they do not comply with the binding table relation, the device treats them as illegal and
discards them. The device forwards packets of other types received by the ND
untrusted interface normally.
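The trusted/untrusted decision described above can be modelled as follows. This Python example is an addition to the guide, not Raisecom code; the class and field names and the sample addresses are constructed, and it assumes that a packet type whose check is disabled is forwarded unchecked.

```python
"""Illustrative model of the ND Snooping decision; not Raisecom code."""
from dataclasses import dataclass
from ipaddress import IPv6Address

# ICMPv6 type numbers of the ND messages named in this section (RFC 4861).
RS, RA, NS, NA = 133, 134, 135, 136
CHECK_NAMES = {"rs": RS, "ns": NS, "na": NA}


@dataclass(frozen=True)
class NdPacket:
    icmp_type: int
    src_ip: str       # source IPv6 address carried in the ND packet
    src_mac: str      # source MAC address carried in the ND packet
    vlan: int         # VLAN of the receiving interface
    in_port: str      # receiving interface


def norm_mac(mac):
    """Compare MAC addresses case-insensitively and with one separator."""
    return mac.lower().replace("-", ":")


class NdSnooping:
    def __init__(self, trusted_ports, checks=("na", "ns", "rs")):
        self.trusted = set(trusted_ports)
        # Mirrors "nd-snooping check { na | ns | rs } enable".
        self.checked = {CHECK_NAMES[name] for name in checks}
        self.bindings = set()          # {(vlan, IPv6Address, mac)}

    def bind(self, vlan, ip, mac):
        self.bindings.add((vlan, IPv6Address(ip), norm_mac(mac)))

    def decide(self, pkt):
        """Return (action, reason) for one received ND packet."""
        if pkt.in_port in self.trusted:
            return "forward", "trusted interface, no validity check"
        if pkt.icmp_type == RA:
            return "discard", "RA on untrusted interface"
        if pkt.icmp_type in self.checked:
            key = (pkt.vlan, IPv6Address(pkt.src_ip), norm_mac(pkt.src_mac))
            if key in self.bindings:
                return "forward", "matches binding table"
            return "discard", "no matching binding entry"
        # Assumption: types that are not checked are forwarded unchanged.
        return "forward", "type not subject to validity check"


def demo():
    """Constructed traffic: ge 1/0/1 faces the gateway, ge 1/0/2 faces users."""
    sw = NdSnooping(trusted_ports={"ge 1/0/1"})
    sw.bind(10, "2001:db8:10::a", "00:11:22:33:44:55")   # constructed entry
    packets = [
        NdPacket(RA, "fe80::1", "00:aa:bb:cc:dd:01", 10, "ge 1/0/1"),   # gateway RA
        NdPacket(RA, "fe80::2", "00:aa:bb:cc:dd:02", 10, "ge 1/0/2"),   # RA from user side
        NdPacket(NA, "2001:DB8:10:0::A", "00-11-22-33-44-55", 10, "ge 1/0/2"),  # bound user
        NdPacket(NA, "2001:db8:10::a", "00:aa:bb:cc:dd:02", 10, "ge 1/0/2"),    # MAC mismatch
        NdPacket(NS, "2001:db8:10::a", "00:11:22:33:44:55", 20, "ge 1/0/2"),    # VLAN mismatch
        NdPacket(137, "fe80::2", "00:aa:bb:cc:dd:02", 10, "ge 1/0/2"),  # other ND type
    ]
    return [sw.decide(p)[0] for p in packets]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The address comparison goes through IPv6Address so that differently written forms of the same address match the same binding entry.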

8.8.2 Preparing for configurations

Scenarios
ND Snooping is used to prevent common ND spoofing attacks on the network by
isolating ND packets from unauthorized sources. You can configure the trusted status of an
interface to trust ND packets or not, and configure the binding table to determine whether ND
packets comply with requirements.

Prerequisite
N/A

8.8.3 Default configurations of ND Snooping


Default configurations of ND Snooping are as below.

Function                                   Default value
Interface trusted status of ND Snooping    Untrusted
Global ND Snooping status                  Disable
Interface ND Snooping status               Disable
RA Snooping interface trusted status       Disable

8.8.4 Configuring ND Snooping


Enable static binding of ND Snooping for the device as below.

Step  Command                                                                   Description
1     Raisecom#configure                                                        Enter global configuration mode.
2     Raisecom(config)#nd-snooping start                                        Enable global ND Snooping.
3     Raisecom(config)#interface interface-type interface-number                Enter Layer 2 physical interface configuration mode or VLAN interface configuration mode.
4     Raisecom(config-ge-1/0/*)#nd-snooping { enable | disable }                Enable ND Snooping on the interface that is connected to the gateway.
5     Raisecom(config-ge-1/0/*)#nd-snooping trust                               Configure the interface that is connected to the gateway as a trusted interface.
6     Raisecom(config)#nd-snooping check { na | ns | rs } { enable | disable }  Enable validity check on NS/NA/RS packets by ND Snooping.

8.8.5 Checking configurations


Use the following commands to check configuration results.

No.   Command                              Description
1     Raisecom#show nd-snooping config     Show configurations of ND Snooping.
2     Raisecom#show nd-snooping user-bind  Show the user binding table of ND Snooping.
3     Raisecom#show nd-snooping prefix     Show the prefix table of ND Snooping.

8.8.6 Maintenance
Maintain the device as below.

No.   Command                                                                       Description
1     Raisecom(config)#clear ipv6 nd snooping statistics                            Clear statistics on ND Snooping user packets received by the device.
        [ interface interface-type interface-number ]
2     Raisecom(config)#clear ipv6 nd snooping ip-address ipv6-address vlan vlan-id  Delete entries dynamically learnt by ND Snooping in a specified VLAN.

8.8.7 Example for configuring ND Snooping

Networking requirements
As shown in Figure 8-10, the host of a LAN user is connected to the gateway by Switch A. It
has to obtain the IPv6 address through stateless automatic configuration according to the
prefix assigned by the gateway to the user network because no DHCPv6 server is deployed on
the network. To prevent illegal users from sending NA/NS/RS/RA packets, which causes legal
hosts to fail to obtain IPv6 addresses, enable ND Snooping on Switch A to intercept illegal
packets.

Figure 8-10 ND Snooping networking

Configuration steps
Step 1 Create VLAN 10 on Switch A, and activate it.
Configure Switch A.

Raisecom#configure
Raisecom(config)#hostname SwitchA
SwitchA(config)#vlan 10

Step 2 Add GE 1/0/2 on Switch A to VLAN 10 in Access mode. Configure GE 1/0/1 to Trunk mode,
allowing packets of VLAN 10 to pass.

SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type access
SwitchA(config-ge-1/0/2)#port default vlan 10
SwitchA(config-ge-1/0/2)#exit
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan 10
SwitchA(config-ge-1/0/1)#exit

Step 3 Enable global ND Snooping and enable ND Snooping in VLAN 10. Configure GE 1/0/1 as
the trusted interface.

SwitchA(config)#nd-snooping start
SwitchA(config)#vlan 10
SwitchA(config-vlan-10)#nd-snooping enable
SwitchA(config-vlan-10)#exit
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#nd-snooping enable
SwitchA(config-ge-1/0/1)#nd-snooping trust
SwitchA(config-ge-1/0/1)#exit

Step 4 Enable validity check on ND packets.

SwitchA(config)#nd-snooping check na enable
SwitchA(config)#nd-snooping check ns enable
SwitchA(config)#nd-snooping check rs enable

Checking results
Use the show nd-snooping config command to check configurations of ND Snooping.

Raisecom#show nd-snooping config


!
nd-snooping start
nd-snooping check na enable
nd-snooping check ns enable
nd-snooping check rs enable
!
vlan 10
nd-snooping enable
!
interface ge 1/0/1
nd-snooping enable
nd-snooping trust

8.9 DHCP Snooping


8.9.1 Introduction
DHCP Snooping is a security feature of DHCP with the following functions:
• Make the DHCP client obtain the IP address from a legal DHCP server.
If a false DHCP server exists on the network, the DHCP client may obtain an incorrect IP address
and incorrect network configuration parameters, and then cannot communicate normally. As shown in Figure
8-11, to make the DHCP client obtain the IP address from a legal DHCP server, the DHCP
Snooping security system permits you to configure an interface as the trusted interface or
untrusted interface: the trusted interface forwards DHCP packets normally; the untrusted
interface discards reply packets from the DHCP server.


Figure 8-11 DHCP Snooping

• Record the mapping between the DHCP client IP address and MAC address.

DHCP Snooping records entries by monitoring request and reply packets received by the
trusted interface, including the client MAC address, the obtained IP address, the interface
connected to the DHCP client, and the VLAN of the interface. The recorded information is then
used for the following:
– ARP detection: judge the legality of a user that sends ARP packets and avoid ARP attacks
from illegal users.
– IP Source Guard: filter packets forwarded by interfaces by dynamically getting
DHCP Snooping entries to prevent illegal packets from passing the interface.
– VLAN mapping: modify the mapped VLAN of packets sent to users to the original VLAN
by searching the IP address, MAC address, and original VLAN information in the DHCP
Snooping entry corresponding to the mapped VLAN.
The Option field in a DHCP packet records position information about DHCP clients. The
administrator can use this Option field to locate DHCP clients and control client security and
accounting.
If the device is configured with DHCP Snooping to support the Option function:
• When the device receives a DHCP request packet, it processes the packet according to
whether the Option field is included, the filling mode, and the processing policy configured by
the user, then forwards the processed packet to the DHCP server.
• When the device receives a DHCP reply packet, it deletes the Option field and
forwards the rest of the packet to the DHCP client if the packet contains the Option
field, or it forwards the packet directly if the packet does not contain the Option field.
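The two Option 82 operations described above, shown on a raw DHCP options field: inserting the option into a request that lacks it, and stripping it from a reply. This Python example is an addition to the guide, not code from the device; function names and sample packets are constructed, the sub-option codes 1 (circuit ID) and 2 (remote ID) are those of RFC 3046, and the values raisecom and user01 are the ones used in this guide's DHCP Snooping example.

```python
"""Option 82 insert/strip on a DHCP options field (illustrative only)."""
OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_tlvs(data, has_pad_end):
    """Parse code/length/value triples.

    Top-level DHCP options also use Pad (0) and End (255), which carry no
    length byte; sub-options inside Option 82 do not.
    """
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if has_pad_end and code == OPT_PAD:
            i += 1
            continue
        if has_pad_end and code == OPT_END:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the buffer" % code)
        items.append((code, value))
        i += 2 + length
    return items


def build_tlvs(items, add_end):
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    if add_end:
        out.append(OPT_END)
    return bytes(out)


def insert_option82(options, circuit_id, remote_id):
    """Request path: append Option 82 when the client request carries none."""
    items = parse_tlvs(options, True)
    if any(code == OPT_RELAY_INFO for code, _ in items):
        # An Option 82 that is already present is handled by the configured
        # processing policy, which this example does not model.
        return options
    sub = build_tlvs([(SUB_CIRCUIT_ID, circuit_id),
                      (SUB_REMOTE_ID, remote_id)], False)
    return build_tlvs(items + [(OPT_RELAY_INFO, sub)], True)


def strip_option82(options):
    """Reply path: remove Option 82 before the packet goes to the client."""
    items = parse_tlvs(options, True)
    kept = [(c, v) for c, v in items if c != OPT_RELAY_INFO]
    if len(kept) == len(items):
        return options          # no Option 82: forward unchanged
    return build_tlvs(kept, True)


def read_option82(options):
    """Return {sub-option code: value} or None when Option 82 is absent."""
    for code, value in parse_tlvs(options, True):
        if code == OPT_RELAY_INFO:
            return dict(parse_tlvs(value, False))
    return None


# Constructed DISCOVER options: message type (53) and parameter list (55).
REQUEST = bytes([53, 1, 1, 55, 3, 1, 3, 6, 255])


def demo():
    tagged = insert_option82(REQUEST, b"raisecom", b"user01")
    reply = bytes([53, 1, 5]) + tagged[8:]   # constructed ACK echoing Option 82
    return read_option82(tagged), strip_option82(reply)


if __name__ == "__main__":
    print(demo())
```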

8.9.2 Preparing for configurations

Scenario
DHCP Snooping is a security feature of DHCP, used to make the DHCP client obtain its IP
address from a legal DHCP server and to record the mapping between the IP address and MAC address
of a DHCP client.
The Option field of a DHCP packet records the location of a DHCP client. The administrator can
locate a DHCP client through the Option field and control client security and accounting. The
device configured with DHCP Snooping and Option can process packets according to the
Option field status in the packet.

Prerequisite
N/A

8.9.3 Default configurations of DHCP Snooping


Default configurations of DHCP Snooping are as below.

Function                                 Default value
Global DHCP Snooping status              Disable
Interface DHCP Snooping status           Disable
Interface trusted/untrusted status       Untrust
DHCP Snooping in support of Option 82    Disable

8.9.4 Configuring DHCP Snooping


Generally, you must ensure that the device interface connected to DHCP server is in trusted
status while the interface connected to the user is in untrusted status.
If enabled with DHCP Snooping but without the feature of DHCP Snooping supporting DHCP
Option, the device will do nothing to Option fields in packets. For packets without Option
fields, the device does not conduct the insertion operation.
By default, DHCP Snooping is enabled on all interfaces, but only when global DHCP
Snooping is enabled can interface DHCP Snooping take effect.
Configure DHCP Snooping for the device as below.

Step  Command                                                                         Description
1     Raisecom#configure                                                              Enter global configuration mode.
2     Raisecom(config)#dhcp-snooping { start | stop }                                 Enable global DHCP Snooping.
3     Raisecom(config)#interface interface-type interface-number                      Enter physical interface configuration mode or VLAN configuration mode.
      Raisecom(config)#vlan vlan-id
4     Raisecom(config-ge-1/0/*)#dhcp-snooping { enable | disable }                    Enable interface DHCP Snooping. This function supports the QinQ interface.
5     Raisecom(config-ge-1/0/*)#dhcp-snooping trust                                   Configure the trusted interface of DHCP Snooping.
6     Raisecom(config-vlan-*)#dhcp-snooping trust                                     Configure the trusted interface of DHCP Snooping.
        interface interface-type interface-number                                     This takes effect in VLAN configuration mode only.
7     Raisecom(config-ge-1/0/*)#dhcp-snooping max-user-number number                  Configure the maximum number of entries in the DHCP Snooping binding table.
8     Raisecom(config-ge-1/0/*)#dhcp-snooping server-filter { enable | disable }      Configure DHCP Snooping to trust server configurations.
9     Raisecom(config-ge-1/0/*)#dhcp-snooping check user-bind { enable | disable }    Configure matching detection between DHCP packets and binding table.
10    Raisecom(config-ge-1/0/*)#dhcp-snooping check mac-address { enable | disable }  Check whether the MAC address in the header of request packets sent by DHCP users.
11    Raisecom(config-ge-1/0/*)#dhcp-snooping option82 { enable | disable }           Configure DHCP Snooping to support Option 82.
12    Raisecom(config)#exit                                                           Return to global configuration mode.

8.9.5 Configure DHCP Snooping to support Option 82


Configure DHCP Snooping to support Option 82 for the device as below.

Step  Command                                                                      Description
1     Raisecom#configure                                                           Enter global configuration mode.
2     Raisecom(config)#dhcp-snooping { start | stop }                              Enable global DHCP Snooping.
3     Raisecom(config)#interface interface-type interface-number                   Enter physical interface configuration mode or VLAN configuration mode.
      Raisecom(config)#vlan vlan-id
4     Raisecom(config-ge-1/0/*)#dhcp-snooping { enable | disable }                 Enable interface DHCP Snooping.
5     Raisecom(config-ge-1/0/*)#dhcp-snooping option82 { enable | disable }        Configure global DHCP Snooping to support Option 82.
6     Raisecom(config-ge-1/0/*)#dhcp-snooping option82 { circuit-id | remote-id }  Configure Option 82 as the default format.
        format default
7     Raisecom(config-ge-1/0/*)#dhcp-snooping option82 { circuit-id | remote-id }  Configure the user-defined content of Option 82.
        format user-defined
8     Raisecom(config-ge-1/0/*)#exit                                               Return to global configuration mode.


8.9.6 Configuring DHCPv6 Snooping


Configure DHCPv6 Snooping for the device as below.

Step  Command                                                                         Description
1     Raisecom#configure                                                              Enter global configuration mode.
2     Raisecom(config)#dhcp-snooping { start | stop }                                 Enable global DHCPv6 Snooping.
3     Raisecom(config)#interface interface-type interface-number                      Enter physical interface configuration mode or VLAN configuration mode.
      Raisecom(config)#vlan vlan-id
4     Raisecom(config-ge-1/0/*)#dhcpv6-snooping { enable | disable }                  Enable interface DHCPv6 Snooping.
5     Raisecom(config-ge-1/0/*)#dhcpv6-snooping trust                                 Configure the trusted interface of DHCPv6 Snooping.
6     Raisecom(config-vlan-*)#dhcpv6-snooping trust                                   Configure the trusted interface of DHCPv6 Snooping.
        interface interface-type interface-number                                     This takes effect in VLAN configuration mode only.
7     Raisecom(config-ge-1/0/*)#dhcpv6-snooping max-user-number { number | default }  Configure the maximum number of entries in the DHCPv6 Snooping binding table.
8     Raisecom(config-ge-1/0/*)#dhcpv6-snooping option18 { enable | disable }         Enable DHCP Snooping to support Option 18.
9     Raisecom(config-ge-1/0/*)#dhcpv6-snooping option18 format user-defined txt      Configure the user-defined content of Option 18.
10    Raisecom(config-ge-1/0/*)#dhcpv6-snooping option18 format default               Configure Option 18 as the default format.
11    Raisecom(config-ge-1/0/*)#dhcpv6-snooping option37 { enable | disable }         Configure DHCPv6 Snooping to support Option 37.
12    Raisecom(config-ge-1/0/*)#dhcpv6-snooping option37 format user-defined          Configure the user-defined content of Option 37.
13    Raisecom(config-ge-1/0/*)#dhcpv6-snooping option37 format default               Configure Option 37 as the default format.

8.9.7 Checking configurations


Use the following commands to check configuration results.

Step  Command                                   Description
1     Raisecom#show dhcp-snooping config        Show configurations of DHCP Snooping.
2     Raisecom#show dhcp-snooping user-bind     Show configurations of the DHCP Snooping binding table.
3     Raisecom#show dhcp-snooping statistics    Show statistics on DHCP Snooping.
4     Raisecom#show dhcp-snooping interface     Show configurations of DHCP Snooping interfaces.
5     Raisecom#show dhcpv6-snooping config      Show configurations of DHCPv6 Snooping.
6     Raisecom#show dhcpv6-snooping user-bind   Show configurations of the DHCPv6 Snooping binding table.
7     Raisecom#show dhcpv6-snooping statistics  Show statistics on DHCPv6 Snooping.
8     Raisecom#show dhcpv6-snooping interface   Show configurations of DHCPv6 Snooping interfaces.

8.9.8 Maintenance
Maintain the device as below.

Command                                                                        Description
Raisecom(config)#reset dhcp-snooping user-bind                                 Clear information about the IPv4 binding table.
  [ ip-address | interface interface-type interface-number | vlan vlan-id ]
Raisecom(config)#reset dhcpv6-snooping user-bind                               Clear information about the IPv6 binding table.
  [ ipv6-address | interface interface-type interface-number | vlan vlan-id ]

8.9.9 Example for configuring DHCP Snooping

Networking requirements
As shown in Figure 8-12, the Switch is used as the DHCP Snooping device. The network
requires DHCP clients to obtain the IP address from a legal DHCP server and to support Option
82 to facilitate client management. On GE 1/0/3, configure the padding information of the
circuit ID sub-option as raisecom and the padding information of the remote ID sub-option as
user01.


Figure 8-12 DHCP Snooping networking

Configuration steps
Step 1 Configure global DHCP Snooping.

Raisecom#configure
Raisecom(config)#dhcp-snooping start

Step 2 Configure the trusted interface.

Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#dhcp-snooping enable
Raisecom(config-ge-1/0/1)#dhcp-snooping trust
Raisecom(config-ge-1/0/1)#exit

Step 3 Configure DHCP Snooping to support the Option 82 field and configure the Option 82 field.

Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#dhcp-snooping enable
Raisecom(config-ge-1/0/3)#dhcp-snooping option82 enable
Raisecom(config-ge-1/0/3)#dhcp-snooping option82 remote-id format user-defined 'user01'
Raisecom(config-ge-1/0/3)#dhcp-snooping option82 circuit-id format user-defined 'raisecom'
Raisecom(config-ge-1/0/3)#exit

Checking results
Use the show dhcp-snooping config command to show configurations of DHCP Snooping.

Raisecom#show dhcp-snooping config


Version : DHCPSNOOP_V7.00.03.00
!
dhcp-snooping start
!
interface ge 1/0/1
dhcp-snooping enable
dhcp-snooping trust
!
interface ge 1/0/3
dhcp-snooping enable
dhcp-snooping option82 enable
dhcp-snooping option82 remote-id format user-defined 'user01'
dhcp-snooping option82 circuit-id format user-defined 'raisecom'
……
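To confirm that only the intended uplink is trusted, the show output can be parsed and compared with policy. This Python example is an addition to the guide, not a Raisecom tool; it assumes the stanza layout of the show dhcp-snooping config and show nd-snooping config outputs in this chapter, and the function names and the drifted sample are constructed.

```python
"""Audit snooping trust settings from 'show ... config' output (illustrative)."""

# Output as printed in this chapter's DHCP Snooping example.
DHCP_OUTPUT = """\
Version : DHCPSNOOP_V7.00.03.00
!
dhcp-snooping start
!
interface ge 1/0/1
dhcp-snooping enable
dhcp-snooping trust
!
interface ge 1/0/3
dhcp-snooping enable
dhcp-snooping option82 enable
dhcp-snooping option82 remote-id format user-defined 'user01'
dhcp-snooping option82 circuit-id format user-defined 'raisecom'
"""

# Output as printed in this chapter's ND Snooping example.
ND_OUTPUT = """\
!
nd-snooping start
nd-snooping check na enable
nd-snooping check ns enable
nd-snooping check rs enable
!
vlan 10
nd-snooping enable
!
interface ge 1/0/1
nd-snooping enable
nd-snooping trust
"""

# Constructed deviation: a user-facing interface has also been marked trusted.
DRIFTED = DHCP_OUTPUT.replace(
    "dhcp-snooping option82 enable",
    "dhcp-snooping trust\ndhcp-snooping option82 enable")


def parse_config(text):
    """Split the output into global lines and per-interface/per-VLAN stanzas."""
    glob, stanzas, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Version") or line.startswith("…"):
            continue
        if line == "!":
            current = None                      # "!" closes the current stanza
        elif line.startswith(("interface ", "vlan ")):
            if line.startswith("interface "):
                current = line[len("interface "):]
            else:
                current = line
            stanzas.setdefault(current, [])
        elif current is None:
            glob.append(line)
        else:
            stanzas[current].append(line)
    return glob, stanzas


def audit(text, feature, allowed_trusted):
    """Return findings for 'dhcp-snooping' or 'nd-snooping' trust settings."""
    glob, stanzas = parse_config(text)
    allowed = set(allowed_trusted)
    findings = []
    if feature + " start" not in glob:
        findings.append("global %s is not started" % feature)
    trusted = {n for n, lines in stanzas.items() if feature + " trust" in lines}
    for name in sorted(trusted - allowed):
        findings.append("%s is trusted but is not an approved uplink" % name)
    for name in sorted(allowed - trusted):
        findings.append("approved uplink %s is not trusted" % name)
    for name in sorted(trusted):
        # The procedures in this chapter enable the feature on the trusted port.
        if feature + " enable" not in stanzas[name]:
            findings.append("%s is trusted but %s is not enabled on it"
                            % (name, feature))
    return findings


if __name__ == "__main__":
    for sample in (DHCP_OUTPUT, DRIFTED):
        print(audit(sample, "dhcp-snooping", {"ge 1/0/1"}))
```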

8.10 IP Source Guard


8.10.1 Introduction
IP Source Guard filters and controls the packets received by an interface. It is usually
configured on the user-side access interface to prevent illegal user packets from passing
through, thereby limiting the illegal use of network resources (such as illegal hosts
impersonating legitimate user IPs to access the network) and improving the security of the
interface.

IP Source Guard binding entry


IP Source Guard matches packet characteristics, including the source IP address, source
MAC address, and VLAN tag. The interface can be combined with these characteristics in the
following ways (hereinafter referred to as binding entries):
• Interface+IP
• Interface+IP+MAC
• Interface+IP+VLAN
• Interface+IP+MAC+VLAN
According to the generation mode of binding entries, IP Source Guard can be divided into
static binding and dynamic binding:
• Static binding: configure binding information manually to generate binding entries and
complete the interface control. This suits cases where the number of hosts is small
or where you need to bind a single host separately.
• Dynamic binding: obtain binding information automatically from DHCP Snooping to
complete the interface control. This suits cases where there are many hosts and
DHCP is used for dynamic host configuration. Dynamic binding can
effectively prevent IP address conflict and embezzlement.


Principles of IP Source Guard


The principle of IP Source Guard is to create an IP source binding table within the device. The
IP source binding table is the basis on which each interface checks received data packets.
Figure 8-13 shows principles of IP Source Guard.
• If the received IP packets match the Port/IP/MAC/VLAN binding entries
in the IP source binding table, forward these packets.
• If the received IP packets are DHCP data packets, forward these packets.
• Otherwise, discard these packets.

Figure 8-13 Principles of IP Source Guard

Before forwarding IP packets, the device compares the source IP address, source MAC
address, interface ID, and VLAN ID of the IP packets with the binding table. If the
information matches, the user is legal and the packets are forwarded
normally. Otherwise, the user is treated as an attacker and the IP packets are discarded.
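The matching rule above, including the any wildcard of static entries, as an added Python example (not the device's implementation). Class names, the dynamic entry and the sample packets are constructed; MAC addresses are compared as lower-case strings, and DHCP packets are assumed to be recognised by UDP ports 67/68.

```python
"""IP Source Guard binding match with 'any' wildcards (illustrative only)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

ANY = None   # wildcard, written "any" in the user-bind command
STATIC_RE = re.compile(
    r"user-bind static ip6? (\S+) mac (\S+)(?: interface (\S+ \S+))? vlan (\S+)$")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    in_port: str
    vlan: int
    udp_ports: tuple = ()      # (source port, destination port) when UDP


@dataclass(frozen=True)
class Binding:
    ip: object = ANY
    mac: object = ANY
    interface: object = ANY
    vlan: object = ANY

    def matches(self, pkt):
        fields = ((self.ip, ip_address(pkt.src_ip)),
                  (self.mac, pkt.src_mac.lower()),
                  (self.interface, pkt.in_port),
                  (self.vlan, pkt.vlan))
        # Every non-wildcard field of the entry must equal the packet's value.
        return all(want is ANY or want == got for want, got in fields)


def parse_static(line):
    """Turn a 'user-bind static ...' command line into a Binding."""
    m = STATIC_RE.search(line.strip())
    if not m:
        raise ValueError("not a user-bind static command: %r" % line)
    ip, mac, interface, vlan = m.groups()
    return Binding(
        ip=ANY if ip == "any" else ip_address(ip),
        mac=ANY if mac == "any" else mac.lower(),
        interface=interface,          # None when the optional keyword is absent
        vlan=ANY if vlan == "any" else int(vlan))


class SourceGuard:
    def __init__(self, checked_ports, bindings):
        self.checked = set(checked_ports)   # "ip source check user-bind enable"
        self.bindings = list(bindings)

    def decide(self, pkt):
        if pkt.in_port not in self.checked:
            return "forward"                # check not enabled on this interface
        if pkt.udp_ports in ((68, 67), (67, 68)):
            return "forward"                # DHCP data packets are forwarded
        if any(b.matches(pkt) for b in self.bindings):
            return "forward"
        return "discard"


def demo():
    static = parse_static(
        "user-bind static ip 10.10.10.1 mac any interface ge 1/0/2 vlan any")
    # Constructed entry of the kind DHCP Snooping would supply dynamically.
    dynamic = Binding(ip_address("10.10.10.20"), "00:11:22:33:44:55", "ge 1/0/3", 10)
    guard = SourceGuard({"ge 1/0/2", "ge 1/0/3"}, [static, dynamic])
    packets = [
        Packet("10.10.10.1", "00:AA:BB:CC:DD:01", "ge 1/0/2", 10),    # static entry
        Packet("10.10.10.1", "00:aa:bb:cc:dd:01", "ge 1/0/3", 10),    # wrong interface
        Packet("10.10.10.20", "00:11:22:33:44:55", "ge 1/0/3", 10),   # dynamic entry
        Packet("10.10.10.20", "00:aa:bb:cc:dd:02", "ge 1/0/3", 10),   # wrong MAC
        Packet("0.0.0.0", "00:aa:bb:cc:dd:03", "ge 1/0/3", 10, (68, 67)),  # DHCP
        Packet("192.0.2.9", "00:aa:bb:cc:dd:04", "ge 1/0/4", 10),     # unchecked port
    ]
    return [guard.decide(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```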

8.10.2 Preparing for configurations

Scenario
IP source spoofing attacks often occur on the network. For example, the attacker
impersonates legal users to send IP packets to the server, or the attacker forges the source IP address
of another user to communicate. This prevents legal users from accessing network services
normally.
With IP Source Guard binding, you can filter and control packets forwarded by the interface
and prevent illegal packets from passing through the interface, thereby restricting the illegal use of
network resources and improving the interface security.

Prerequisite
Enable DHCP Snooping if there are DHCP users.

8.10.3 Default configurations of IP Source Guard


Default configurations of IP Source Guard are as below.

Function                            Default value
Interface IP Source Guard status    Disable

8.10.4 Configuring IP Source Guard binding


Configure IP Source Guard static binding for the device as below.

Step  Command                                                                     Description
1     Raisecom#configure                                                          Enter global configuration mode.
2     Raisecom(config)#user-bind static ip ip-address/any mac mac-address/any     Configure static binding.
        [ interface interface-type interface-number ] vlan vlan-id/any
      Raisecom(config)#user-bind static ip6 ipv6-address/any mac mac-address/any  Configure IPv6 static binding.
        [ interface interface-type interface-number ] vlan vlan-id/any

8.10.5 Configuring the interface trust status of IP Source Guard


Configure the interface trust status of IP Source Guard for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number  Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/*)#ip source check user-bind enable  Enable interface IP Source Guard.

8.10.6 Checking configurations


Use the following commands to check configuration results.

No.   Command                                  Description
1     Raisecom#show ip source check config     Show configurations of IP Source Guard.
2     Raisecom#show ip source check interface  Show information about the interface enabled with IP Source Guard.


8.10.7 Example for configuring IP Source Guard

Networking requirements
As shown in Figure 8-14, to prevent IP address embezzlement, you need to configure IP
Source Guard on the Switch.
• The Switch permits all IP packets on GE 1/0/1 to pass.
• GE 1/0/2 permits IP packets to pass if the IP address is 10.10.10.1, the
subnet mask is 255.255.255.0, and the status meets the dynamic binding learnt by DHCP
Snooping.
• Other interfaces only permit packets that meet the dynamic bindings learnt by DHCP
Snooping to pass.

Figure 8-14 Configuring IP Source Guard

Configuration steps
Step 1 Configure IP Source Guard.

Raisecom#configure
Raisecom(config)#int ge 1/0/2
Raisecom(config-ge-1/0/2)#ip source check user-bind enable
Raisecom(config-ge-1/0/2)#exit
Raisecom(config)#int ge 1/0/1
Raisecom(config-ge-1/0/1)#ip source check user-bind enable
Raisecom(config-ge-1/0/1)#exit

Step 2 Configure static binding entries.

Raisecom(config)#user-bind static ip 10.10.10.1 mac any interface ge 1/0/2 vlan any

Step 3 Configure DHCP Snooping on interface GE 1/0/2 and other interfaces.

Checking results
Use the show ip source check config command to show configurations of IP Source Guard.

Raisecom#show ip source check config


!
user-bind static ip 10.10.10.1 mac any interface ge 1/0/2 vlan any
!
interface ge 1/0/2
ip source check user-bind enable
!
interface ge 1/0/1
ip source check user-bind enable

Use the show ip source check interface command to show information about the interface
enabled with IP Source Guard.

Raisecom#show ip source check interface


Interface    Check-Item     Alarm      Limit    DropPkts
---------------------------------------------------------------------
ge-1/0/2     ip,mac,vlan    disable    100      0
ge-1/0/1     ip,mac,vlan    disable    100      0
---------------------------------------------------------------------

8.11 CPU attack protection


8.11.1 Preparing for configurations

Scenario
When the device receives massive attacking packets in a short period, the CPU runs at
full load and the CPU utilization rate reaches 100%. This causes device malfunction.
CPU attack protection efficiently limits the rate of packets that enter the CPU.

Prerequisite
N/A


8.11.2 Configuring CPU attack protection

Configurations of CPU protection affect other protocol modules, so we do not
recommend modifying them. Only professional personnel can modify them.

Step  Command                                                  Description
1     Raisecom#configure                                       Enter global configuration mode.
2     Raisecom(config)#cpu-defend policy name                  Configure the policy of CPU attack protection. When the
                                                               device is started, the default policy is issued and bound.
                                                               The default policy cannot be modified, but the policy bound
                                                               with the device can be modified.
3     Raisecom(config)#cpu-defend policy test                  Configure the rate limit of the specified protocol packet
      Raisecom(config-cpudefend-policy-test)#car packet-type   type in the policy, an integer, ranging from 1 to 3000,
        { arp | bfd | dhcpreply | dhcprequest | igmp | lacp |  being 256 by default. The protocol packet types supported
        lldp | mld | stp-customer | telnet | ... }             by the device depend on protocols supported by the device.
        pps { pps-value | default }
4     Raisecom(config)#cpu-defend bind-policy name             Configure the name of CPU attack protection, a string of
                                                               less than 31 characters. The bound policy cannot be
                                                               modified. To modify it, cancel the binding in advance.

8.11.3 Checking configurations


Use the following commands to check configuration results.

No.   Command                              Description
1     Raisecom#show cpu-defend config      Show configurations of CPU attack protection.
2     Raisecom#show cpu-defend statistics  Show statistics on CPU attack protection.

8.11.4 Maintenance
Maintain the device as below.

Command                                       Description
Raisecom(config)#reset cpu-defend statistics  Clear global statistics on CPU attack protection.

8.12 MAC address authentication


8.12.1 Introduction
MAC address authentication is an authentication mode that controls the network access
permissions of users based on interface and MAC address, without the need to install client
software. After the device detects the user's MAC address for the first time on the interface
enabled with MAC address authentication, it initiates the authentication operation for the user.
During the authentication process, the user does not need to manually enter the user name and
password. If the user authentication is successful, he/she is allowed to access network
resources through the interface; otherwise, the MAC address is configured as the silent MAC
address. During the silence period, when user packets from this MAC address arrive, the
device directly discards them to prevent the illegal MAC address from repeated authentication
in a short period.
• Format of the user name for MAC address authentication
– MAC address user account: the device uses the source MAC address as the user name
and password for user authentication, or uses the MAC address as the user name and
configures the password.
– Fixed user name account: all MAC address authentication users use a fixed user
name and password specified on the device to replace the user's MAC address as
identity for authentication.
• Authentication mode
– RADIUS server authentication for MAC address authentication: when using
RADIUS server authentication for MAC address authentication, the device works as a
RADIUS client and cooperates with the RADIUS server to implement MAC address
authentication.
– Local authentication for MAC address authentication: when using local
authentication for MAC address authentication, the device directly authenticates the user
on the device. Configure the local user name and password on the device.
• Re-authentication
MAC address re-authentication refers to the periodic authentication of MAC address
authentication users on the interface by the device, to detect changes in the user's connection
status and ensure their normal online status.

8.12.2 Default configurations


Default configurations of MAC address authentication are as below.

Function                                       Default value
Global MAC address authentication status       Disable
Interface MAC address authentication status    Disable
Global authentication mode                     pap
802.1x re-authentication status                Permit
802.1x re-authentication timer time            1800s
MAC address authentication silence timer time  60s
Maximum number of users                        256

8.12.3 Configuring MAC address authentication


Step  Command                                                                  Description
1     Raisecom#configure                                                       Enter global configuration mode.
2     Raisecom(config)#mac-authen { start | stop }                             Enable or disable global MAC address authentication.
3     Raisecom(config)#mac-authen aaa authentication method method-name        Configure the AAA mode name for global MAC address authentication,
                                                                               a string of less than 63 characters.
5     Raisecom(config)#interface interface-type interface-number               Enter layer 2 physical interface configuration mode.
6     Raisecom(config-ge-1/0/*)#mac-authen enable                              Enable interface MAC address authentication.
7     Raisecom(config-ge-1/0/*)#mac-authen max-user { user-number | default }  Configure the maximum number of users allowed by the interface for MAC address
                                                                               authentication, an integer, ranging from 1 to 128, being 128 by default.
8     Raisecom(config-ge-1/0/*)#nac guest-vlan vlan-id                         Configure the guest VLAN of the specified interface, an integer, ranging from 1 to 4094.
                                                                               It takes effect on both 802.1x and MAC address authentication.
9     Raisecom(config-ge-1/0/*)#mac-authen critical-vlan vlan-id               Configure the critical VLAN of the specified interface for MAC address
                                                                               authentication, an integer, ranging from 1 to 4094.
10    Raisecom(config-ge-1/0/*)#mac-authen restrict-vlan vlan-id               Configure the restrict VLAN of the specified interface for MAC address
                                                                               authentication, an integer, ranging from 1 to 4094.
11    Raisecom(config-ge-1/0/*)#mac-authen reauthenticate all user             Manually re-authenticate the 802.1x user of the specified interface.
12    Raisecom(config-ge-1/0/*)#mac-authen delete all user                     Force the MAC address authentication user to be offline on the interface.
13    Raisecom(config-ge-1/0/*)#mac-authen quiet { disable | enable }          Enable or disable the silence function of the MAC address authentication user on the interface.
14    Raisecom(config-ge-1/0/*)#mac-authen quiet-times { times | default }     Configure the times of authentication failure for triggering the silence
                                                                               function for the MAC address authentication user on the interface.
15    Raisecom(config-ge-1/0/*)#mac-authen critical-vlan user aging            Enable or disable the aging of aged users of MAC address authentication on the interface.
        { disable | enable }
16    Raisecom(config-ge-1/0/*)#mac-authen critical-vlan user reauthenticate   Enable or disable re-authentication of aged users of MAC address authentication on the interface.
        { disable | enable }
17    Raisecom(config-ge-1/0/*)#mac-authen restrict-vlan user aging            Enable or disable re-authentication of failing users by MAC address authentication on the interface.
        { disable | enable }
18    Raisecom(config-ge-1/0/*)#mac-authen restrict-vlan user reauthenticate   Enable or disable re-authentication of failing users by MAC address authentication on the interface.
        { disable | enable }
19    Raisecom(config)#show mac-authen config                                  Show configurations of MAC address authentication.
20    Raisecom(config)#show mac-authen information                             Show global information about MAC address authentication.
21    Raisecom(config)#show mac-authen interface-type interface-number         Show information about MAC address authentication on the specified interface.
22    Raisecom(config)#show mac-authen user                                    Show the current user for MAC address authentication.

8.12.4 Example for configuring MAC address authentication

Networking requirements
As shown below, the user needs to be authenticated through MAC address authentication.
The user is directly connected to the device, which can access the authentication server.

Figure 8-15 MAC address authentication networking

Configuration steps
Step 1 Configure the device as below.

Raisecom(config)#aaa
Raisecom(config-aaa)#radius-server host server1 ip-address 192.168.5.66 key 12345
Raisecom(config-aaa)#server-group grp1 radius-server server1
Raisecom(config-aaa)#aaa authentication mac-authen method m1 first grp1
Raisecom(config-aaa)#quit
Raisecom(config)#mac-authen start
Raisecom(config)#mac-authen aaa authentication method m1
Raisecom(config)#mac-authen mode fixed-user username wwf password plain 12345
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mac-authen enable

Step 2 Use the show mac-authen information command to show information about MAC address
authentication.

Raisecom(config)#show mac-authen information


Max User Number : 128
Default Max User Number : 128
Current User Number : 0
Auth Success User Number : 0
Auth Fail User Number : 0
Auth Timeout User Number : 0
UserName Passwor Format : Fixed
MacAdress UpperCase : Disable
MacAdress With Hypen : Disable
Mac Auth Method : Pap
AAA Authentication Method : m1
AAA Accounting Method : n/a
Fixed User Name : wwf
Fixed Password : 12345

Checking results
Use the show mac-authen user command to show the current user for MAC address
authentication.

Raisecom(config)# show mac-authen user


S:Success, F:Fail, T:Timeout, J:Join, A:Authenticate, O:Origin, C:Current, L:Last
Interface   Mac-Address      AuthNum(S/F/T)   Vlan(J/A/O)   Result(C/L)
ge 1/0/1    0010:9400:0001   1/0/0            11/0/11       Success/None

8.13 DOS attack prevention


8.13.1 Introduction

Abnormal packet attack prevention


An abnormal packet attack sends defective IP packets to the target device, causing errors and
crashes when the device processes them and resulting in losses to the target device.
Abnormal packet attack prevention refers to the real-time detection and discarding of
abnormal packets by the device, in order to protect the device.

Fragmented packet attack prevention


A fragmented packet attack sends errored fragmented packets to the target device, causing it
to crash or restart, or to consume a large amount of CPU resources while processing the
errored fragments, resulting in losses to the target device.
Fragmented packet attack prevention refers to the real-time detection of fragmented packets
by the device and the discarding or rate limiting of those packets, in order to protect the device.

Flood attack prevention


A flood attack refers to the attacker sending a large number of false packets to the target
device in a short period, causing the target device to be busy processing useless packets and
unable to provide normal services to users.
Flood attack prevention refers to the real-time detection of flood packets by the device and
the discarding or rate limiting of those packets, in order to protect the device.
Flood attacks are divided into TCP SYN flood attacks, UDP flood attacks, and ICMP flood
attacks.
• TCP SYN flood attack
The TCP SYN attack exploits a vulnerability in the TCP three-way handshake. During the
three-way handshake in TCP, when the receiving end receives the initial SYN packet from the
sending end, it returns a SYN+ACK packet to the sending end. The connection remains in a
semi-connected (half-open) status while the receiving end is waiting for the final ACK packet
from the sending end. If the receiving end does not receive the ACK packet, it resends the
SYN+ACK packet to the sending end. If the sender does not return an ACK packet after
multiple retries, the receiver closes the session and releases it from memory. It takes
approximately 30 seconds from transmitting the first SYN+ACK to closing the session.
During this period, the attacker may send hundreds of thousands of SYN packets to open
ports without responding to SYN+ACK packets from the receiving end. The memory of the
receiving end will soon be exhausted, it will no longer be able to accept any new
connections, and the existing connections will be disconnected.
After TCP SYN flood attack prevention is enabled, the device handles TCP SYN attacks by
limiting the rate of TCP SYN packets, ensuring that device resources are not exhausted
under attack.
• UDP flood attack
The UDP flood attack refers to the attacker sending a large number of UDP packets to the
target device in a short period, causing the target device to be overloaded and unable to
process normal services. UDP flood attacks can be divided into the following two categories:
– Fraggle attack
The principle of the fraggle attack is that the attacker sends UDP packets with the source
address being the target host address, the destination address being the broadcast address,
and the destination port number being 7. If many hosts in the broadcast network have enabled
the UDP echo (response request) service, the target host will receive excessive response
packets, causing the system to be busy. In this way, the attack takes effect.
After flood attack prevention is enabled, the device takes packets with the UDP port number
of 7 as attack packets and discards them directly.
– UDP diagnostic port attack
The attacker sends packets to diagnostic UDP ports (such as 7 echo, 13 daytime, and 19
chargen). If a large number of packets are sent simultaneously, they can cause a flood and
potentially affect the normal operation of network devices.
After flood attack prevention is enabled, the device takes packets with UDP ports of 7, 13,
and 19 as attack packets and discards them directly.
• ICMP flood attack
Usually, the network administrator uses the Ping program to monitor and troubleshoot the
network. The general process is as follows:
1. The source device sends an ICMP echo request packet to the receiving device.
2. After receiving the ICMP echo request packet, the receiving device responds with
an ICMP echo reply packet to the source device.
If the attacker sends a large number of ICMP echo request packets to the target device, the
target device will be busy processing these requests and unable to continue to process other
data packets, causing an impact on normal services.
The device applies Committed Access Rate (CAR) rate limiting against ICMP flood
attacks to protect the CPU from attack and to ensure the normal operation of the
network.

8.13.2 Preparing for configurations

Scenario
Devices are often subjected to different types of network attacks, which can lead to high
resource utilization and affect network services. To ensure the provision of secure network
services to users, deploy attack prevention on devices to prevent the following types of attacks:
• Abnormal packet attack prevention: prevent abnormal packet attacks.
• Fragmented packet attack prevention: limit the rate of fragmented packets, preventing
them from attacking the CPU and occupying too much CPU and device resources.

• Flood attack prevention includes the following three types:
− TCP SYN flood attack prevention: limit the rate of TCP SYN packets, preventing the CPU
from consuming too many resources while processing TCP SYN packets.
− UDP flood attack prevention: directly discard UDP packets sent on specific ports.
− ICMP flood attack prevention: limit the uploading rate of ICMP flood attack packets
to prevent the CPU from occupying too many resources while processing ICMP flood
attack packets.

Prerequisites
N/A

8.13.3 Default configurations of DOS attack prevention


Default configurations of DOS attack prevention are as below.

Function                                  Default value
Global DOS attack prevention status       Disable
Abnormal packet attack prevention         Disable
Fragmented packet attack prevention       Disable
Rate for sending fragmented packets       155000000 bit/s
TCP Syn attack prevention                 Disable
Rate for sending TCP Syn flood packets    155000000 bit/s
UDP flood attack prevention               Disable
ICMP flood attack prevention              Disable
Rate for sending ICMP flood packets       155000000 bit/s

8.13.4 Configuring abnormal packet attack prevention


Configure abnormal packet attack prevention for the device as below.

Step  Command
      Description

1     Raisecom#config
      Enter global configuration mode.
2     Raisecom(config)#dos-antiattack pkt-limit abnormal enable
      Enable abnormal packet attack prevention.

8.13.5 Configuring fragmented packet attack prevention


Configure fragmented packet attack prevention for the device as below.

Step  Command
      Description

1     Raisecom#config
      Enter global configuration mode.
2     Raisecom(config)#dos-antiattack pkt-limit fragment enable
      Enable fragmented packet attack prevention.
3     Raisecom(config)#dos-antiattack pkt-limit fragment cir { kbps|mbps|gbps } cir-number
      Raisecom(config)#dos-antiattack pkt-limit fragment pps pps-number
      Configure the rate for receiving fragmented packets.

8.13.6 Configuring TCP SYN flood attack prevention


Configure TCP SYN flood attack prevention for the device as below.

Step  Command
      Description

1     Raisecom#config
      Enter global configuration mode.
2     Raisecom(config)#dos-antiattack pkt-limit tcp-syn enable
      Enable TCP SYN flood attack prevention.
3     Raisecom(config)#dos-antiattack pkt-limit tcp-syn cir { kbps|mbps|gbps } cir-number
      Raisecom(config)#dos-antiattack pkt-limit tcp-syn pps pps-number
      Configure the rate for receiving TCP SYN packets.

8.13.7 Configuring UDP flood attack prevention


Configure UDP flood attack prevention for the device as below.

Step  Command
      Description

1     Raisecom#config
      Enter global configuration mode.
2     Raisecom(config)#dos-antiattack pkt-limit udp-flood enable
      Enable UDP flood attack prevention.

8.13.8 Configuring ICMP flood attack prevention


Configure ICMP flood attack prevention for the device as below.

Step  Command
      Description

1     Raisecom#config
      Enter global configuration mode.
2     Raisecom(config)#dos-antiattack pkt-limit icmp-flood enable
      Enable ICMP flood attack prevention.
3     Raisecom(config)#dos-antiattack pkt-limit icmp-flood cir { kbps|mbps|gbps } cir-number
      Raisecom(config)#dos-antiattack pkt-limit icmp-flood pps pps-number
      Configure the rate for receiving ICMP packets.

8.13.9 Checking configurations


Use the following commands to check configuration results.

No.   Command
      Description

1     Raisecom#show dos-antiattack config
      Show configurations of DOS attack prevention.
2     Raisecom#show dos-antiattack statistics
      Show statistics of DOS attack prevention.

8.13.10 Example for configuring DOS attack prevention

Networking requirements
If hackers launch abnormal packet attacks, fragmented packet attacks, and flood attacks on
Switch A within the LAN, Switch A will crash. To prevent this situation, the
administrator wants to deploy various attack prevention measures on Switch A to provide
users with a secure network environment and ensure normal network services.

Figure 8-16 DOS attack prevention (figure not reproduced; it shows Switch A, two users, and a hacker)

Configuration steps
Step 1 Configure DOS attack prevention.

Raisecom#config
Raisecom(config)#dos-antiattack pkt-limit enable

Step 2 Configure abnormal packet attack prevention.

Raisecom(config)#dos-antiattack pkt-limit abnormal enable

Step 3 Configure fragmented packet attack prevention. Configure the rate for receiving fragmented
packets to 15 kbit/s.

Raisecom(config)#dos-antiattack pkt-limit fragment enable
Raisecom(config)#dos-antiattack pkt-limit fragment cir kbps 15

Step 4 Configure TCP SYN attack prevention. Configure the rate for receiving TCP SYN packets
to 15 kbit/s.

Raisecom(config)#dos-antiattack pkt-limit tcp-syn enable
Raisecom(config)#dos-antiattack pkt-limit tcp-syn cir kbps 15

Step 5 Configure UDP flood attack prevention.

Raisecom(config)#dos-antiattack pkt-limit udp-flood enable

Step 6 Configure ICMP flood attack prevention. Configure the rate for receiving ICMP flood
packets to 15 kbit/s.

Raisecom(config)#dos-antiattack pkt-limit icmp-flood enable
Raisecom(config)#dos-antiattack pkt-limit icmp-flood cir kbps 15

Checking results
Use the show dos-antiattack config command to show configurations of DOS attack prevention.

Raisecom#show dos-antiattack config


!
!
dos-antiattack pkt-limit enable
!
dos-antiattack pkt-limit abnormal enable
dos-antiattack pkt-limit fragment enable
dos-antiattack pkt-limit fragment cir kbps 15
dos-antiattack pkt-limit tcp-syn enable
dos-antiattack pkt-limit tcp-syn cir kbps 15
dos-antiattack pkt-limit udp-flood enable
dos-antiattack pkt-limit icmp-flood enable
dos-antiattack pkt-limit icmp-flood cir kbps 15
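
The following check is an added example, not part of the Raisecom guide or the device software. It parses the output of show dos-antiattack config and reports which of the protections described in section 8.13 are still disabled or still at the default rate. It assumes that kbps/mbps/gbps are decimal multiples of bit/s and that a feature with no cir or pps line in the output is running at the default rate; the second sample is constructed.

```python
"""Audit `show dos-antiattack config` output against the features of section 8.13."""

FEATURES = ("abnormal", "fragment", "tcp-syn", "udp-flood", "icmp-flood")
RATE_LIMITED = ("fragment", "tcp-syn", "icmp-flood")  # features that accept cir/pps
DEFAULT_RATE = "155000000 bit/s"                       # from the defaults table (8.13.3)
# Assumption: the unit keywords are decimal multiples of bit/s.
UNIT = {"kbps": 10**3, "mbps": 10**6, "gbps": 10**9}

# Output shown in the configuration example of this guide.
CONFIG_FROM_GUIDE = """\
!
!
dos-antiattack pkt-limit enable
!
dos-antiattack pkt-limit abnormal enable
dos-antiattack pkt-limit fragment enable
dos-antiattack pkt-limit fragment cir kbps 15
dos-antiattack pkt-limit tcp-syn enable
dos-antiattack pkt-limit tcp-syn cir kbps 15
dos-antiattack pkt-limit udp-flood enable
dos-antiattack pkt-limit icmp-flood enable
dos-antiattack pkt-limit icmp-flood cir kbps 15
"""

# Constructed sample: a partially configured device.
CONFIG_PARTIAL = """\
!
dos-antiattack pkt-limit tcp-syn enable
dos-antiattack pkt-limit icmp-flood enable
dos-antiattack pkt-limit icmp-flood pps 200
dos-antiattack pkt-limit fragment cir kbps 15
"""


def parse(text):
    """Return the global switch and the per-feature enable/rate state."""
    state = {"global": False,
             "features": {f: {"enabled": False, "rate": None} for f in FEATURES}}
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:2] != ["dos-antiattack", "pkt-limit"]:
            continue                      # "!" separators and unrelated lines
        args = tok[2:]
        if args == ["enable"]:
            state["global"] = True
            continue
        if len(args) < 2 or args[0] not in FEATURES:
            continue
        feat, rest = state["features"][args[0]], args[1:]
        if rest == ["enable"]:
            feat["enabled"] = True
        elif (len(rest) == 3 and rest[0] == "cir"
              and rest[1] in UNIT and rest[2].isdigit()):
            feat["rate"] = (int(rest[2]) * UNIT[rest[1]], "bit/s")
        elif len(rest) == 2 and rest[0] == "pps" and rest[1].isdigit():
            feat["rate"] = (int(rest[1]), "pps")
    return state


def audit(state):
    """Return (feature, finding) tuples; an empty list means nothing to report."""
    findings = []
    if not state["global"]:
        findings.append(("global", "disabled"))
    for name in FEATURES:
        feat = state["features"][name]
        if not feat["enabled"]:
            if feat["rate"] is not None:
                findings.append((name, "rate configured but feature disabled"))
            else:
                findings.append((name, "disabled"))
        elif name in RATE_LIMITED and feat["rate"] is None:
            # Assumption: no cir/pps line means the default rate is in effect.
            findings.append((name, "enabled at default rate " + DEFAULT_RATE))
    return findings


if __name__ == "__main__":
    for label, cfg in (("guide", CONFIG_FROM_GUIDE), ("partial", CONFIG_PARTIAL)):
        print(label, audit(parse(cfg)) or "no findings")
```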

9 Reliability

This chapter describes basic principles and configuration procedures for reliability, and
provides related configuration examples, including the following sections:
• Link aggregation
• G.8031
• G.8032
• STP/RSTP
• MSTP
• Loop detection
• Interface backup
• Interface isolation
• L2CP
• BFD
• Link flap protection
• Interface loopback

9.1 Link aggregation


9.1.1 Introduction
Link aggregation refers to aggregating multiple physical Ethernet interfaces to a Link
Aggregation Group (LAG) and taking multiple physical links in the same LAG as one logical
link. Link aggregation helps share traffic among members in the LAG. Besides effectively
improving reliability on links between two devices, link aggregation helps gain higher
bandwidth without upgrading hardware.
Generally, the link aggregation consists of manual link aggregation, static Link Aggregation
Control Protocol (LACP) link aggregation, and dynamic LACP link aggregation.
• Manual link aggregation
All interfaces in the aggregation group forward data and share the load traffic equally. This is
applicable to two directly connected devices of which one cannot use LACP.
• Manual master/slave link aggregation
There are two interfaces in the aggregation group. They back up each other. One is in the
Active status, and the other is in the Shutdown status. This is applicable when one end cannot
use LACP.
• Static LACP aggregation
The aggregation group selects the active end and active interface through LACP. The
active interface is used for forwarding data while the inactive interface is used for backing up
links. This is applicable when LACP is supported by devices at both ends.
• Static LACP active/standby link aggregation
There are two interfaces in the aggregation group. They back up each other. One is in the
Active status, and the other is in the Shutdown status. This is applicable when both devices
support LACP.

9.1.2 Preparing for configurations

Scenario
To provide higher bandwidth and reliability for a link between two devices, configure link
aggregation.

Prerequisite
• Configure physical parameters of interfaces and make them Up.
• In the same LAG, member interfaces that share loads must be identically configured.
Otherwise, data cannot be forwarded properly. These configurations include QoS, QinQ,
VLAN, interface properties, and MAC address learning.
– QoS: traffic policing, traffic shaping, congestion avoidance, rate limit, SP queue,
WRR queue scheduling, interface priority and interface trust mode
– QinQ: QinQ enabling/disabling status on the interface, added outer VLAN tag,
policies for adding outer VLAN Tags for different inner VLAN IDs
– VLAN: the allowed VLAN, default VLAN and the link type (Trunk or Access) on
the interface, subnet VLAN configurations, protocol VLAN configurations, and
whether VLAN packets carry Tag
– Port properties: whether the interface is added to the isolation group, interface rate,
duplex mode, and link Up/Down status
– MAC address learning: whether MAC address learning is enabled and whether the
interface is configured with MAC address limit.

9.1.3 Default configurations of link aggregation


Default configurations of link aggregation are as below.

Function                               Default value
Load balancing mode                    src-dst-mac
LACP system priority                   32768
LACP interface priority                32768
LACP interface mode                    active
LACP timeout mode                      slow
Minimum number of active interfaces    1
Maximum number of active interfaces    8

9.1.4 Configuring manual link aggregation


Configure manual link aggregation for the device as below.

Step  Command
      Description

1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#int eth-trunk trunk-number
      Enter aggregation group configuration mode.
3     Raisecom(config-eth-trunk-*)#mode manual
      Configure the working mode of the LAG to manual link aggregation.
4     Raisecom(config-eth-trunk-*)#active-linknumber { max | min } { link-number | default }
      Configure the maximum or minimum number of active links in LACP LAG.
      By default, the maximum number is 8 while the minimum is 1.
5     Raisecom(config-eth-trunk-*)#add interface interface-type interface-number
      Add the interface to the LAG.
6     Raisecom(config-eth-trunk-*)#remove interface interface-type interface-number
      Remove the interface from the LAG.
7     Raisecom(config-ge-1/0/*)#join eth-trunk trunk-id
      Add the interface to the LAG.
8     Raisecom(config-ge-1/0/*)#no join eth-trunk trunk-id
      Remove the interface from the LAG.
9     Raisecom(config-eth-trunk-*)#exit
      Enter global configuration mode.

9.1.5 Configuring manual master/slave link aggregation


Configure manual master/slave link aggregation for the device as below.

Step  Command
      Description

1     Raisecom#config
      Enter global configuration mode.
2     Raisecom(config)#int eth-trunk trunk-number
      Enter aggregation group configuration mode.
3     Raisecom(config-eth-trunk-*)#mode manual active-standby
      Configure the working mode of the LAG to manual master/slave link aggregation.
4     Raisecom(config-eth-trunk-*)#add primary interface interface-type interface-number
      Add the master interface to the LAG.
5     Raisecom(config-eth-trunk-*)#add secondary interface interface-type interface-number
      Add the slave interface to the LAG.
6     Raisecom(config-eth-trunk-*)#remove interface interface-type interface-number
      Remove the interface from the LAG.
7     Raisecom(config-eth-trunk-*)#revert {enable|disable}
      Configure the revertive status of master/slave link aggregation.
8     Raisecom(config-eth-trunk-*)#wait-to-restore time-interval
      Configure the WTR time of master/slave link aggregation, in units of second.

9.1.6 Configuring static LACP link aggregation


Configure static LACP link aggregation for the device as below.

Step  Command
      Description

1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#lacp system-priority system-priority
      Configure the system LACP priority. The device with higher priority is the active end.
      LACP chooses active and backup interfaces according to configurations of the active end.
      The smaller the number is, the higher the priority is. The device with the smaller MAC
      address will be chosen as the active end if system LACP priorities of the two devices
      are identical.
      By default, the system LACP priority is 32768.
3     Raisecom(config)#int eth-trunk trunk-number
      Enter aggregation group configuration mode.
4     Raisecom(config-eth-trunk-*)#mode lacp-static
      Configure the working mode of the LAG to static LACP LAG.
5     Raisecom(config-eth-trunk-*)#lacp timeout { fast | slow }
      Configure the LACP timeout mode.
      By default, it is slow.
6     Raisecom(config-eth-trunk-*)#active-linknumber { max | min } { link-number | default }
      Configure maximum or minimum number of active links in LACP LAG.
      By default, the maximum number is 8 while the minimum number is 1.
7     Raisecom(config-eth-trunk-*)#lacp preempt enable
      Enable priority preempt on the LAG.
8     Raisecom(config-eth-trunk-*)#lacp preempt delay time
      Configure the WTR time on the interface.
9     Raisecom(config-eth-trunk-*)#add interface interface-type interface-number
      Add the interface to the LAG.
10    Raisecom(config-eth-trunk-*)#remove interface interface-type interface-number
      Remove the interface from the LAG.
11    Raisecom(config-ge-1/0/*)#join eth-trunk trunk-id
      Add the interface to the LAG.
12    Raisecom(config-ge-1/0/*)#no join eth-trunk trunk-id
      Remove the interface from the LAG.
13    Raisecom(config-ge-1/0/*)#lacp priority priority
      Configure the interface LACP priority. The priority affects election for the default
      interface for LACP. The smaller the value is, the higher the priority is.
      By default, it is 32768.
14    Raisecom(config-ge-1/0/*)#exit
      Return to global configuration mode.

• In a static LACP LAG, a member interface can be an active or a standby one. Both the
active interface and standby interface can receive and send LACPDUs. However,
the standby interface cannot forward user packets.
• The system chooses the default interface in the order of neighbor discovery, interface
maximum speed, interface highest LACP priority, and interface minimum ID. The
default interface is in active status by default; interfaces with identical speed, identical
peer, and identical device operation key are also in active status; other interfaces
are in standby status.

9.1.7 Configuring the load balancing algorithm for the LAG


Configure the load balancing algorithm for the LAG for the device as below.

Step  Command
      Description

1     Raisecom#configure
      Enter global configuration mode.
2     Raisecom(config)#int eth-trunk trunk-number
      Enter aggregation group configuration mode.
3     Raisecom(config-eth-trunk-*)#load-balance-profile default
      Raisecom(config-load-balance-profile-default)#l2 field { src-mac | dst-mac | l2-protocol | vlan | src-port | dst-port | eth-type | outer-vlan | srcdst-mac | all | default }
      Raisecom(config-load-balance-profile-default)#l3 field { src-ip | dst-ip | srcdst-ip | vlan | l4-srcport | l4-dstport | protocol | src-port | dst-port | src-mac | dst-mac | all | default }
      Configure the load balancing algorithm for the LAG globally.
      By default, the system adopts the src-mac or dst-mac field to implement load balancing
      in L2 mode and all fields to implement load balancing in L3 mode.

The load balancing mode of the LAG takes effect on known unicast packets only.

9.1.8 Checking configurations


Use the following commands to check configuration results.

No.   Command
      Description

1     Raisecom#show lacp eth-trunk trunk-number
      Show the local system LACP interface status, flag, interface priority, administration
      key, operation key, and interface status machine status. The information about LACP
      neighbors include the tag, interface priority, device ID, Age, operation key value,
      interface ID, and interface status machine status.
2     Raisecom#show lacp statistics interface eth-trunk trunk-number
      Show statistics about interface LACP, including the total number of received/sent LACP
      packets, the number of received/sent Marker packets, the number of received/sent Marker
      Response packets, and the number of errored Marker Response packets.
3     Raisecom#show lacp information
      Show the global LACP status of the local system, MAC addresses, and time of each timer.
4     Raisecom#show interface eth-trunk trunk-number
      Show link aggregation status of the current system, load balancing mode of link
      aggregation, all LAG member interfaces, and active member interfaces.
      The active member interface refers to the one whose interface status is Up.

9.1.9 Example for configuring static LACP link aggregation

Networking requirements
As shown in Figure 9-1, to improve link reliability between Switch A and Switch B, you can
configure static LACP link aggregation. That is to add GE 1/0/1, GE 1/0/2, and GE 1/0/3 to
one LAG.

Figure 9-1 Static LACP mode Link aggregation networking

Configuration steps
Step 1 Create static LACP link aggregation on Switch A. Configure Switch A as the active end.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#lacp system-priority 1000
SwitchA(config)#int eth-trunk 1
SwitchA(config-eth-trunk-1)#mode lacp-static
SwitchA(config-eth-trunk-1)#add interface ge 1/0/1
SwitchA(config-eth-trunk-1)#add interface ge 1/0/2
SwitchA(config-eth-trunk-1)#add interface ge 1/0/3
SwitchA(config-eth-trunk-1)#exit

Step 2 Configure static LACP LAG on Switch B.

Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#int eth-trunk 1
SwitchB(config-eth-trunk-1)#mode lacp-static
SwitchB(config-eth-trunk-1)#add interface ge 1/0/1
SwitchB(config-eth-trunk-1)#add interface ge 1/0/2
SwitchB(config-eth-trunk-1)#add interface ge 1/0/3
SwitchB(config-eth-trunk-1)#exit

Checking results
Use the show lacp eth-trunk 1 command to show global configurations of the static LACP
link aggregation on Switch A.

SwitchA#show lacp eth-trunk 1


-------------------------------------------------------------------------
------------
LACP Status : master
System Priority : 1000
System Mac Address : f0:f1:f2:f3:01:01
Member ports number : 3
Max Active ports number : 8
LACP timeout : slow
Preempt state : disable
Preempt delay : 30(s)

ge-1/0/1 :
Port Status : Up and bind
Local information:
Mode Flags PortPri AdminKey OperKey PortId State Status
active slow 32768 1 1 449 0x3d selected
Partner information:
SysPri Flags PortPri AdminKey OperKey PortId State DeviceID
32768 slow 32768 0 1 449 0x3d
0xf0f1f2f30201

ge-1/0/2 :
Port Status : Up and bind
Local information:
Mode Flags PortPri AdminKey OperKey PortId State Status
active slow 32768 1 1 450 0x3d selected
Partner information:
SysPri Flags PortPri AdminKey OperKey PortId State DeviceID
32768 slow 32768 0 1 450 0x3d
0xf0f1f2f30201

ge-1/0/3 :
Port Status : Up and bind
Local information:
Mode Flags PortPri AdminKey OperKey PortId State Status
active slow 32768 1 1 451 0x3d selected
Partner information:
SysPri Flags PortPri AdminKey OperKey PortId State DeviceID
32768 slow 32768 0 1 451 0x3d
0xf0f1f2f30201
-------------------------------------------------------------------------
------------
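
The State column in the output above is the LACP port state byte. The following added example, which is not part of the Raisecom guide or the device software, decodes that byte using the bit names of IEEE 802.1AX and checks that every member is selected, synchronized, collecting and distributing, and that all members see the same partner DeviceID. The sample input is constructed: ge-1/0/1 is copied from the output above, while ge-1/0/2, its "unselected" status value and its state bytes are hypothetical.

```python
"""Decode LACP state bytes from `show lacp eth-trunk` output and check LAG health."""
import re

# LACP port state bits, bit 0 first (IEEE 802.1AX).
STATE_BITS = ("Activity", "Timeout", "Aggregation", "Synchronization",
              "Collecting", "Distributing", "Defaulted", "Expired")
# Bits that must be set on both ends for a member to carry traffic.
FORWARDING = {"Synchronization", "Collecting", "Distributing"}

PORT_LINE = re.compile(r"^(\w+-\d+/\d+/\d+)\s*:$")
STATE_TOKEN = re.compile(r"0x[0-9a-fA-F]{1,2}")
DEVICE_TOKEN = re.compile(r"0x[0-9a-fA-F]{12}")

# Constructed sample (ge-1/0/2 is hypothetical; the DeviceID wraps as in the guide).
SAMPLE = """\
ge-1/0/1 :
Port Status : Up and bind
Local information:
Mode Flags PortPri AdminKey OperKey PortId State Status
active slow 32768 1 1 449 0x3d selected
Partner information:
SysPri Flags PortPri AdminKey OperKey PortId State DeviceID
32768 slow 32768 0 1 449 0x3d
0xf0f1f2f30201

ge-1/0/2 :
Port Status : Up and bind
Local information:
Mode Flags PortPri AdminKey OperKey PortId State Status
active slow 32768 1 1 450 0x0d unselected
Partner information:
SysPri Flags PortPri AdminKey OperKey PortId State DeviceID
32768 slow 32768 0 1 450 0x05
0xf0f1f2f30301
"""


def decode_state(value):
    """Return the set of flag names that are set in an LACP state byte."""
    return {name for i, name in enumerate(STATE_BITS) if (value >> i) & 1}


def parse_members(text):
    """Map each member port to its local/partner state, status and partner ID."""
    ports, cur, side = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        m = PORT_LINE.match(s)
        if m:
            cur, side = ports.setdefault(m.group(1), {}), None
        elif cur is None or not s:
            continue
        elif s.startswith("Local information"):
            side = "local"
        elif s.startswith("Partner information"):
            side = "partner"
        elif side:
            tok = s.split()
            for t in tok:
                if DEVICE_TOKEN.fullmatch(t):
                    cur["partner_id"] = t.lower()
                elif STATE_TOKEN.fullmatch(t):
                    cur[side + "_state"] = int(t, 16)
            # Local data row: 8 columns, the last one is Status.
            if side == "local" and len(tok) == 8 and STATE_TOKEN.fullmatch(tok[6]):
                cur["status"] = tok[7]
    return ports


def check(ports):
    """Return (port, problem) tuples; an empty list means the LAG looks healthy."""
    problems = []
    if len({p.get("partner_id") for p in ports.values()}) > 1:
        problems.append(("lag", "members report different partner DeviceIDs"))
    for name, p in ports.items():
        if p.get("status") != "selected":
            problems.append((name, "status is %s" % p.get("status")))
        for side in ("local", "partner"):
            missing = FORWARDING - decode_state(p.get(side + "_state", 0))
            if missing:
                problems.append(
                    (name, "%s state lacks %s" % (side, ", ".join(sorted(missing)))))
    return problems


if __name__ == "__main__":
    print(sorted(decode_state(0x3D)))
    for item in check(parse_members(SAMPLE)):
        print(item)
```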

9.2 G.8031
9.2.1 Introduction
G.8031 is a linear protection switching standard defined by ITU-T based on VLAN Ethernet
technologies. In the protection switching mechanism, corresponding protection resources are
allocated to all work resources, such as paths and bandwidth. Compared with the spanning
tree protection technology defined by IEEE, the protection technology defined by G.8031 is
simple and fast, implementing network resource switching in a predictable way, making it
easier for carriers to effectively plan the network and understand the network's activity status
and to achieve carrier-grade operations.
G.8031 defines two protection structures, 1+1 and 1:1. In the 1+1 structure, each protection
resource corresponds to a working resource. In the protection domain, the 1+1 structure
adopts the double-transmitting single-receiving protection mechanism. The 1:1 structure
adopts a mechanism of switching between protecting resources and working resources.
• Fault detection mechanism
G.8031 uses Continuity Check (CC) defined in Y.1731 or IEEE 802.1ag for bidirectional link
forwarding detection, which can locate the fault point and detect whether the fault is
unidirectional or bidirectional. In protection conversion, the default transmission period of CC
messages is 3.33ms (in other words, the transmission rate is 300 frames per second).
Two adjacent nodes periodically send CC messages from the physical interface to detect faults.
When a node detects the loss of CC messages within a specific period, it regards this as a fault.
The node sends a Remote Defect Indication (RDI) frame from the interface where the fault is
detected. If it is a unidirectional fault, the downstream node of the link will detect the RDI
frame.
• 1+1 protection structure
In the 1+1 structure, the protection line is dedicated to each working line, and the working
line and protection line are bridged at the source end of the protection domain. The services
are simultaneously sent to the host of the protection domain on both the working line and
protection line. At the host, the selector selects to receive the services from the working or
protection line based on defect indications.
The switching types of 1+1 Ethernet linear protection include unidirectional switching and
bidirectional switching. For unidirectional switching, only the affected line direction is
switched to the protection line, and the selectors at both ends are independent and do not
require APS signaling support. The mechanism of bidirectional switching is similar to
unidirectional, usually requiring APS signaling to be coordinated at both ends. Unidirectional
protection can prevent unidirectional faults in two independent directions.
The operation types of 1+1 Ethernet linear protection can be either non-revertive or revertive.
In revertive mode, when the faulty link is restored, the WTR timer is started. After the WTR
times out, the selector switches services to the working line. In non-revertive mode, even if
the faulty link is restored, the selector is still connected to the protection line.
 1:1 protection structure
In a 1:1 structure, the protection line is dedicated to each working line, and the protected
services are transmitted by either the working line or the protection line. The working line
or protection line is selected based on the defect indication mechanism.
The switching types of 1:1 Ethernet linear protection also include unidirectional switching
and bidirectional switching. The operation types can be revertive or non-revertive. During
bidirectional switching, both the affected line direction and unaffected line direction are
switched to the protection line, but unidirectional switching only switches the affected line
direction to the protection line. In switching, the source connector and destination connector
need to switch to the same line, so Automatic Protection Switching (APS) is required to
coordinate both ends of the line.
In 1:1 protection switching mode, based on local or nearby information and APS protocol
information from the other end or remote end, protection switching is implemented by the
source selector bridge and the destination selector of the protection domain together.
The CC message is used to detect faults in the working line and protection line. When the
working line is faulty, the selector at the end that detects the fault switches services to the
protection line and sends an APS notification to the other end. The source end receives the
APS notification and synchronizes switching.

9.2.2 Preparing for configurations

Scenario
N/A

Prerequisite
 Connect the interface, configure its physical parameters, and make it Up at the physical
layer.
 Create VLANs.
 Add the interface to VLANs.

9.2.3 Default configurations of G.8031


Default configurations of G.8031 are as below.

Function          Default value
G.8031 mode       Revertive
WTR timer         5min
Hold-off timer    0


9.2.4 Creating a G.8031 protection group


Step 1 Enter global configuration mode.
Raisecom#configure

Step 2 Create a G.8031 instance, and enter the instance configuration node.
Raisecom(config)#g8031 instance instance-id

Step 3 Specify the control VLAN.
Raisecom(config-g8031-instance-*)#control-vlan vlan-id
The protection group is in non-revertive mode if you configure the revertive disable
parameter.
 In revertive mode, when the working line recovers from a fault, traffic is switched
from the protection line to the working line.
 In non-revertive mode, when the working line recovers from a fault, traffic is not
switched from the protection line to the working line.

Step 4 Specify the data VLAN.
Raisecom(config-g8031-instance-*)#data-vlan vlan-id

Step 5 Configure the interface, and specify it as the working interface.
Raisecom(config-g8031-instance-*)#working-port interface interface-type interface-number

Step 6 Configure the interface, and specify it as the protection interface.
Raisecom(config-g8031-instance-*)#protection-port interface interface-type interface-number

Step 7 Configure the WTR timer. In revertive mode, when the working line recovers from a
fault, traffic is not switched to the working line unless the WTR timer times out.
Raisecom(config-g8031-instance-*)#wtr-timer wtr-time

Step 8 Configure the Hold-off timer. When the working line is faulty, the system delays the
fault reporting and thus switches services to the protection line after a period. This
prevents frequent switching of lines due to the flapping of the working line.
Raisecom(config-g8031-instance-*)#holdoff-timer holdoff-time
Note: If the Hold-off timer value is too great, it may influence 50ms switching
performance. Therefore, we recommend configuring the Hold-off timer value to 0.


9.2.5 (Optional) configuring G.8031 switching control


Step 1 Enter global configuration mode.
Raisecom#configure

Step 2 Configure forcible switch (FS) of the traffic from the working line to the protection
line.
Raisecom(config-g8031-instance-*)#protection-switch force-switch
FS can be configured on multiple interfaces on multiple ring nodes.

Step 3 Configure manual switch (MS) of the traffic from the working line to the protection
line. Its priority is lower than that of FS and APS.
Raisecom(config-g8031-instance-*)#protection-switch manual-switch
MS can be configured on only one interface on only one ring node.

Step 4 Configure traffic switching clearing.
Raisecom(config-g8031-instance-*)#protection-switch clear

9.2.6 Checking configurations


Use the following commands to check configuration results.

No.  Command                        Description
1    Raisecom#show g8031 interface  Show the status of the G.8031 interface.
2    Raisecom#show g8031 instance   Show the status of G.8031

9.2.7 Example for configuring G.8031

Networking requirements
As shown below, to improve Ethernet reliability, switches A, B, and C form G.8031 protection
lines.
The protocol control VLAN is VLAN 2. The blocked VLANs are the default ones: VLANs 2–
10.

Figure 9-2 G.8031 networking


Configuration steps
Step 1 Add interfaces to VLANs 2–10.
Configure switch A.
Raisecom#hostname SwitchA
SwitchA#config
SwitchA(config)#interface ge 1/0/1 to ge 1/0/2
SwitchA(config-ge-1/0/1->ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/1->ge-1/0/2)#port trunk allow-pass vlan 2-10
SwitchA(config-ge-1/0/1->ge-1/0/2)#exit

Configure switch B with the same configurations of switch A.


Configure switch C.

Raisecom#hostname SwitchC
SwitchC#config
SwitchC(config)#interface ge 1/0/1 to ge 1/0/4
SwitchC(config-ge-1/0/1->ge-1/0/4)#port link-type trunk
SwitchC(config-ge-1/0/1->ge-1/0/4)#port trunk allow-pass vlan 2-10
SwitchC(config-ge-1/0/1->ge-1/0/4)#exit

Step 2 Create a protection group.


Configure switch A.

SwitchA(config)#g8031 instance 1
SwitchA(config-g8031-instance-1)#control-vlan 2
SwitchA(config-g8031-instance-1)#data-vlan 2-10
SwitchA(config-g8031-instance-1)#working-port interface ge 1/0/1
SwitchA(config-g8031-instance-1)#protection-port interface ge 1/0/2

Configure switch B.

SwitchC(config)#g8031 instance 1
SwitchC(config-g8031-instance-1)#control-vlan 2
SwitchC(config-g8031-instance-1)#data-vlan 2-10
SwitchC(config-g8031-instance-1)#working-port interface ge 1/0/1
SwitchC(config-g8031-instance-1)#protection-port interface ge 1/0/2

Checking results
Use the show g8031 interface command on the device to check whether G.8031 protection
has taken effect.


Take switch A for example. The status information is as below:

SwitchA#show g8031 interface


Instance  Interface  Role        Active   Operate  Forward     RxCount  TxCount
----------------------------------------------------------------------------------------------------
1         ge-1/0/1   working     active   working  forwarding  0        0
1         ge-1/0/2   protection  standby  working  blocking    0        6
----------------------------------------------------------------------------------------------------

Manually disconnect the link to emulate a fault. Use the command on switch A again to check
the G.8031 protection status.

SwitchA#show g8031 interface


Instance  Interface  Role        Active   Operate  Forward     RxCount  TxCount
----------------------------------------------------------------------------------------------------
1         ge-1/0/1   working     standby  failed   blocking    0        0
1         ge-1/0/2   protection  active   working  forwarding  0        6
----------------------------------------------------------------------------------------------------

9.3 G.8032
9.3.1 Introduction
G.8032 Ethernet Ring Protection Switching (ERPS) is an APS protocol based on the ITU-T
G.8032 recommendation. It is a link-layer protocol specially used in Ethernet rings. Generally,
ERPS can avoid broadcast storm caused by data loopback in Ethernet rings. When a
link/device on the Ethernet ring fails, traffic can be quickly switched to the backup link to
ensure restoring services quickly.
G.8032 uses the control VLAN on the ring network to transmit ring network control
information. Meanwhile, combining with the topology feature of the ring network, it
discovers network faults quickly and enables the backup link to restore services fast.


G.8032 concepts

Figure 9-3 G.8032 ring networking

The basic concepts of G.8032 Ethernet Ring Protection Switching as shown in Figure 9-3
include:
 RPL (Ring Protection Link): a link between RPL nodes. Under normal conditions, the
nodes at both ends of the link are blocked to prevent loops on the ring. There can be only
one RPL for each ring.
 RPL Owner: a node connected to the RPL. It is specified by the user to block or unblock
the traffic at one end of the RPL. Under normal conditions, RPL Owners are responsible
for blocking traffic on the RPL interface to prevent service loops.
 RPL Neighbor: a node connected to the other end of the RPL. It cooperates with the RPL
Owner to complete protection switching.
 Protocol VLAN: an independent VLAN path adopted by the G.8032 for the delivery of
R-APS packets.
 Block VLAN: different from the protocol VLAN which carries R-APS packets, it is a
service VLAN used for the delivery of service information.
 R-APS messages: the fast-switching protocol packets in the G.8032 standard, including
the following types:
– FS (Forced Switch): message sent regularly by the FS node to implement forced
switching.
– SF (Signal Failed): message sent regularly by the fault node to report error
information.
– MS (Manual Switch): message sent regularly by the MS node for executing manual
switching.
– NR, RB (No Request, RPL Blocked): message sent regularly by RPL Owner to
notify other nodes on the link when there are no faults or manual commands. When
RPL is blocked by the RPL Owner, this message will be sent regularly.
– NR (No Request): when faults or management commands are cleared, this message is
sent.
Four timers, including Guard Timer, Wait To Restore (WTR) Timer, Wait To Block (WTB)
Timer, and Holdoff Timer, are used in ring protection switching.


 Guard Timer: used for filtering invalid R-APS packets which may cause incorrect
protection switching of nodes on the ring. Especially in a large ring network, the
immediate restoration after the node failure may trigger a fault notification from the
neighboring node. Then, the link will be Down again. If the notification is caused by this
node, the problem can be solved by configuring ring Guard Timer.
 WTR Timer: when the working path is back to normal, the WTR Timer on the RPL
Owner starts. When WTR Timer expires, the service is recovered to the working path.
WTR Timer is used to avoid frequent switching caused by the instability of the working
path.
 WTB Timer: it is used to delay RPL interface blocking when clearing manual commands
in the revertive mode. In this way, the interface shock caused by re-blocking can be
avoided.
 Holdoff Timer: when one or more faults are detected, initiate the Holdoff Timer if the
configured value of Holdoff is not 0. The system will delay sending fault notification
before the Holdoff Timer expires; namely, the ring protection switching is delayed for a
period so that the frequent switching caused by the link shock can be avoided. When the
Holdoff Timer expires, the link will be checked no matter whether the fault that triggers
the start of this timer exists or not. If faults are detected, the notification will be sent to
the protection switch.

Ring states
G.8032 defines five node states on the ring network.
 Idle State: the normal working state without faults.
 Protecting State: a state when the link fault is detected. The automatic switching process
is triggered by detection of the Operation, Administration and Maintenance (OAM)
CCM.
 Pending State: a state before the faults are recovered.
 FS State: a state when issuing the forced switching command.
 MS State: a state when issuing the manual switching command.
G.8032 Ethernet ring is in Idle state when there are no faults in the system or the faults are
being corrected, as shown in Figure 9-4.


Figure 9-4 Idle state

As shown in Figure 9-4, the link in idle state has the following features.
 All the nodes are connected in a ring topology.
 G.8032 sends NR-RB messages constantly to show that no faults exist. It blocks RPL
link to prevent loops within a ring.
 The neighboring nodes monitor each link by using CCM in the Ethernet OAM.
 G.8032 triggers ring protection switching through SF (Signal Faults) when the faults are
detected on the ring.

Figure 9-5 Protecting state

As shown in Figure 9-5, the protection switching is initiated automatically when the faults are
detected on the ring.
 When the Holdoff Timer expires, the nodes at both ends of the failed link are triggered
by the RPL Owner to block this link, and send SF messages to other nodes on the ring to
report the fault. As shown in Figure 9-5, Node C and Node D send SF messages to other
nodes when the link between them fails.
 Triggered by SF messages, the RPL Owner unblocks all the blocked interfaces and all
the nodes start to clear FDB. Then the ring is in the protecting state.
When the faults are recovered, the ring goes through fault recovery as follows.
 The nodes at both ends of the failed link remain blocked. When the Guard Timer expires,
Node C and Node D send R-APS NR messages to other nodes, indicating no local
requests.
 The WTR Timer is started immediately when the RPL Owner receives the first NR
message.
 When the WTR expires, RPL Owner blocks RPL and sends an R-APS (NR, RB) message.
This means that no local request exists and RPL is blocked.
 After receiving the message, other nodes will refresh the MAC address and forward FDB.
The node that sends NR messages stops sending packets periodically, and unblocks the
blocked interfaces.
 All the nodes on the link are back to the idle state.
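
The failure and recovery sequence above can be traced with a small discrete-time model. This is an added illustration, not Raisecom code and not the full ITU-T state machine: the class and method names are hypothetical, each link is modelled as a whole rather than per port, and the timer defaults follow section 9.3.3.

```python
from dataclasses import dataclass, field


@dataclass
class ErpsRing:
    nodes: list                       # node names in ring order
    owner: str                        # RPL Owner
    neighbor: str                     # RPL Neighbor, at the other end of the RPL
    holdoff_ms: int = 0               # defaults follow section 9.3.3
    guard_ms: int = 500
    wtr_ms: int = 5 * 60 * 1000
    revertive: bool = True
    now: int = 0                      # simulated clock in ms
    state: str = "Idle"
    rpl_blocked: bool = True
    failed: set = field(default_factory=set)     # links that are physically down
    sf_links: set = field(default_factory=set)   # failures already signalled with SF
    pending: set = field(default_factory=set)    # recovered links still blocked (NR sent)
    timers: dict = field(default_factory=dict)   # (timer, link) -> deadline in ms
    log: list = field(default_factory=list)      # (time, sender, R-APS message)
    fdb_flushes: int = 0

    @property
    def rpl(self):
        return frozenset((self.owner, self.neighbor))

    def _link(self, a, b):
        i, j = self.nodes.index(a), self.nodes.index(b)
        if (i - j) % len(self.nodes) not in (1, len(self.nodes) - 1):
            raise ValueError(f"{a} and {b} are not adjacent on the ring")
        return frozenset((a, b))

    def blocked(self):
        """Links kept out of forwarding by the protocol."""
        return self.sf_links | self.pending | ({self.rpl} if self.rpl_blocked else set())

    def loop_free(self):
        # Traffic can circulate only if every link of the ring forwards.
        return bool(self.blocked() | self.failed)

    def connected(self):
        # All nodes stay reachable while at most one link is out of service.
        return len(self.blocked() | self.failed) <= 1

    def fail_link(self, a, b):
        link = self._link(a, b)
        self.failed.add(link)
        self.timers.pop(("guard", link), None)
        self.timers[("holdoff", link)] = self.now + self.holdoff_ms
        self.advance(0)

    def recover_link(self, a, b):
        link = self._link(a, b)
        self.failed.discard(link)
        if link in self.sf_links:     # only a signalled failure needs the Guard Timer
            self.timers[("guard", link)] = self.now + self.guard_ms
        self.advance(0)

    def advance(self, ms):
        """Move the clock forward, firing timers in deadline order."""
        end = self.now + ms
        while any(t <= end for t in self.timers.values()):
            key = min(self.timers, key=self.timers.get)
            self.now = self.timers.pop(key)
            self._expire(*key)
        self.now = end

    def _expire(self, timer, link):
        if timer == "holdoff" and link in self.failed:
            # Both ends block the failed link and send SF; the owner unblocks the RPL.
            self.sf_links.add(link)
            self.pending.clear()
            self.rpl_blocked = False
            self.timers.pop(("wtr", None), None)
            self._send(sorted(link), "SF")
            self.fdb_flushes += 1
            self.state = "Protecting"
        elif timer == "guard" and link in self.sf_links and link not in self.failed:
            self.sf_links.discard(link)
            if not self.sf_links:
                # The ends keep the recovered link blocked and send NR.
                self.pending.add(link)
                self._send(sorted(link), "NR")
                self.state = "Pending"
                if self.revertive:    # the owner starts WTR on the first NR
                    self.timers[("wtr", None)] = self.now + self.wtr_ms
        elif timer == "wtr":
            # The owner re-blocks the RPL and sends NR,RB; the NR senders unblock.
            self.rpl_blocked = True
            self.pending.clear()
            self._send([self.owner], "NR,RB")
            self.fdb_flushes += 1
            self.state = "Idle"

    def _send(self, senders, message):
        self.log.extend((self.now, node, message) for node in senders)
```

On a four-node ring, calling fail_link("C", "D"), recover_link("C", "D") and advance() leaves the SF, NR and NR,RB trace in ring.log. A non-zero holdoff_ms shows the cost of the Hold-off timer: connected() stays False until the timer expires.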

Tributary ring
The revised edition of G.8032 has added Ethernet multi-ring protection solutions. Through
interconnected nodes (that connect multiple rings), the tributary ring is connected to other
rings or networks as an affiliate to the existing ring network. The tributary ring is not closed
and the interconnected nodes do not belong to the tributary ring.

Figure 9-6 Tributary ring

As shown in Figure 9-6, the path between the interconnected nodes B and C is called the R-APS
virtual path, which is designed for the interconnected nodes in the interconnected topology. If
the interconnected ring has an R-APS virtual path, the main ring will act as a virtual path,
which means the APS messages of the tributary ring will be sent to the main ring. If not, the
main ring will not provide a virtual path for the tributary ring, which means the messages will
be terminated at the interconnected nodes. The main ring and the tributary ring act
independently, with each of them setting its own RPL Owner. The protection of multiple rings
is similar to that of the single ring, with each of them tackling the failures within each ring.
When the shared link between interconnected nodes fails, the main ring is switched to the
Protecting State while the tributary ring remains unchanged.


Because the data of a tributary ring is sent through the main ring, the MAC address table of
the tributary ring will be stored on the device of the main ring. When a tributary ring fails, it
notifies the main ring through the Propagate switch of the immediate need to update FDB to
avoid traffic loss.

Ring mode
The difference between the revertive mode and the non-revertive mode is as below:
 Revertive mode: when WTR Timer expires, the traffic is forwarded over the link of
previous state (the one before the failure).
 Non-revertive mode: when WTR Timer expires, the traffic is not forwarded over the link
of previous state (the one before the failure). By default, the protection ring is configured
to this mode.
The virtual path of a tributary ring is as below:
 With mode: the tributary ring supports R-APS virtual path. The main ring provides a
channel for APS messages of the tributary ring. The APS messages are received by the
interconnected nodes in the tributary ring and sent to the main ring. The communication
between interconnected nodes in the tributary ring is implemented through the main ring.
 Without mode: the tributary ring does not support R-APS virtual path. The APS
messages of the tributary ring are terminated at the interconnected nodes and will not be
sent to the main ring. In this mode, the tributary ring cannot block the tributary protocol
VLAN so that packets of the tributary ring can pass the owner.

9.3.2 Preparing for configurations

Scenario
With the development of Ethernet to Telecom-grade network, voice and video multicast
services have higher requirements on Ethernet redundant protection and fault-recovery time.
The existing STP has a second-level fault clearance time, which is far from meeting reliability
requirement. By defining different roles for nodes on a ring, G.8032 can block a loopback to
avoid broadcast storm in normal condition. Therefore, the traffic can be quickly switched to
the protection line when working lines or nodes on the ring fail. This helps eliminate the loop,
perform protection switching, and automatically recover from faults. In addition, the
switching time is shorter than 50ms.
The device supports the single ring, intersecting ring, and tangent ring.
G.8032 provides a mode for detecting faults based on physical interface. The device learns
link fault quickly and switches services immediately, so this mode is suitable for detecting the
fault between neighboring devices.

Prerequisite
 Connect the interface.
 Configure its physical parameters to make it Up.
 Create VLANs.
 Add interfaces to VLANs.


9.3.3 Default configurations of G.8032


Default configurations of G.8032 are as below.

Function                                                   Default value
Protection ring mode                                       Revertive
Ring WTR timer                                             5min
Ring protocol version                                      2
Guard timer                                                500ms
Ring Hold-off timer                                        0ms
ERPS fault reported to NMS                                 Enable
Tributary ring virtual channel mode in intersecting node   With
Ring Propagate switch in crossing node                     Disable

9.3.4 Creating a G.8032 ring


Configure the G.8032 ring for the device as below.

 Only one device on the protection ring can be configured as the Ring Protection
Link (RPL) Owner and only one device is configured as the RPL Neighbor. Other
devices are configured as ring forwarding nodes.
 The tangent ring consists of 2 independent single rings. Configurations of the
tangent ring are identical to those of the common single ring. The intersecting ring
consists of a main ring and a tributary ring. Configurations of the main ring are
identical to those of the common single ring. For detailed configurations of the
tributary ring, see section 9.3.5 Creating a G.8032 tributary ring.
 The ERPS ring interface must work in switch mode.
Step 1 Enter global configuration mode.
Raisecom#configure

Step 2 Create a G.8032 instance, and enter the G.8032 node.
Raisecom(config)#g8032 instance instance-id

Step 3 Specify the control VLAN.
Raisecom(config-g8032-instance-*)#control-vlan vlan-id
If the revertive disable parameter is configured, the protection ring works in
non-revertive mode. When the working link is recovered in revertive mode, traffic is
switched back to the working link from the protection link, while the traffic will not be
switched in non-revertive mode. By default, the protection link is in revertive mode.

Step 4 Specify the data VLAN.
Raisecom(config-g8032-instance-*)#data-vlan vlan-id

Step 5 Configure the RPL interface and RPL role.
Raisecom(config-g8032-instance-*)#add interface interface-type interface-number [ rpl { owner | neighbor } ]

Step 6 Configure the protocol version. The protocol version of all nodes on a protection
ring should be identical.
Raisecom(config-g8032-instance-*)#version { v1 | v2 }
In protocol version 1, protection rings are distinguished based on the protocol VLAN.
Therefore, you need to configure different protocol VLANs for protection rings.
We recommend configuring different protocol VLANs for protection rings even if protocol
version 2 is used.

Step 7 After the ring Guard timer is configured, the failed node does not process APS
packets during a period. In a bigger ring network, if the failed node recovers from a fault
immediately, it may receive the fault notification sent by the neighboring node on the
protection ring. Therefore, the node is in Down status again. You can configure the ring
Guard timer to solve this problem.
Raisecom(config-g8032-instance-*)#guard-timer guard-time

Step 8 Configure the ring WTR timer. In revertive mode, when the working line recovers
from a fault, traffic is not switched to the working line unless the WTR timer times out.
Raisecom(config-g8032-instance-*)#wtr-timer wtr-time

Step 9 Configure the ring Hold-off timer. After the Hold-off timer is configured, the system
will delay processing the fault when the working line fails. In other words, switching
traffic to the protection line is delayed. This helps prevent frequent switching caused by
working line vibration.
Raisecom(config-g8032-instance-*)#holdoff-timer holdoff-time
Note: If the ring Hold-off timer value is too great, it may influence 50ms switching
performance. Therefore, we recommend configuring the ring Hold-off timer value to 0.


9.3.5 Creating a G.8032 tributary ring

 Only the intersecting ring consists of a main ring and a tributary ring.
 Configurations of the main ring are identical to those of the single/tangent ring. For
details, see section 9.3.4 Creating a G.8032 ring.
 For the intersecting ring, configure its main ring and then the tributary ring,
otherwise the tributary ring will fail to find the interface of the main ring, thus failing
to establish the virtual channel of the tributary ring.
 The instance ID of the tributary ring must be greater than that of the main ring.
 Configurations of non-intersecting nodes of the intersecting ring are identical to
those of the single/tangent ring. For details, see section 9.3.4 Creating a G.8032
ring.
 The ERPS ring interface must work in switch mode.
Configure the G.8032 tributary ring for device as below.

Step 1 Enter global configuration mode.
Raisecom#configure

Step 2 Create an instance.
Raisecom(config)#g8032 instance instance-id

Step 3 Specify the control VLAN.
Raisecom(config-g8032-instance-*)#control-vlan vlan-id
If the revertive disable parameter is configured, the protection ring becomes the
non-revertive mode.
If the not-revertive parameter is used, the protection ring changes to non-revertive mode.
When the working link is recovered in revertive mode, traffic is switched back to the
working link from the protection link, while the traffic will not be switched in
non-revertive mode. By default, the protection link is in revertive mode.
Note: The link between the two intersecting nodes belongs to the main ring, so you can
configure only one of interface 1 and interface 2 when configuring the tributary ring.

Step 4 Specify the data VLAN.
Raisecom(config-g8032-instance-*)#data-vlan vlan-id

Step 5 Specify the virtual channel VLAN.
Raisecom(config-g8032-instance-*)#virtual-control-vlan vlan-id

Step 6 Configure the RPL interface and RPL role.
Raisecom(config-g8032-instance-*)#add interface interface-type interface-number [ rpl { owner | neighbor } ]

Step 7 Configure the RPL interface, and specify it as the VC MEP.
Raisecom(config-g8032-instance-*)#add interface interface-type interface-number vc-mep
In the tangent ring, the public link has already been occupied by the main ring, and the
tributary ring cannot use the public link to send and receive packets. The vc-mep interface
is used for tributary ring instances to send packets to the other end of the public link
through the virtual interface. The vc-mep interface is configured on two devices on the
public link as a tributary ring interface on the non-public link.

9.3.6 Configuring G.8032 switching control


Configure G.8032 switching control for the device as below.

Step 1 Enter global configuration mode.
Raisecom#configure

Step 2 Configure FS of the traffic on the protection ring.
Raisecom(config-g8032-instance-*)#force-switch interface-type interface-number
FS can be configured on multiple interfaces of multiple ring nodes.

Step 3 Configure MS of the traffic on the protection ring to the interface 1 or 2. Its
priority is lower than that of FS and APS.
Raisecom(config-g8032-instance-*)#manual-switch interface-type interface-number
MS can be configured on only one interface on only one ring node.

By default, traffic is automatically switched to the other line when the current line fails
to forward traffic.

9.3.7 Checking configurations


Use the following commands to check configuration results.

No.  Command                        Description
1    Raisecom#show g8032 interface  Show the interface status of the G.8032 ring.
2    Raisecom#show g8032 instance   Show the status of the G.8032 ring.


9.3.8 Maintenance
Maintain the device as below.

Command                                       Description
Raisecom(config)#g8032 instance instance-id   Clear the effect of the ring protection control command
Raisecom(config-g8032-instance-*)#clear       (force-switch, manual-switch, WTR timer timeout, and
                                              WTB timer timeout).


9.3.9 Example for configuring single ring G.8032

Networking requirements
As shown in Figure 9-7, to improve Ethernet reliability, Switch A, Switch B, Switch C, and
Switch D build up a G.8032 single ring.
 Switch A is the RPL Owner; Switch B is the RPL Neighbor; the RPL link between
Switch A and Switch B is blocked.
 The ID of protocol VLAN is 1 and the blocked VLANs range from 2 to 10.

Figure 9-7 Single ring G.8032 networking

Configuration steps
Step 1 Add interfaces to VLANs 2–10.
Configure Switch A.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#interface ge 1/1/1 to ge 1/1/2
SwitchA(config-ge-1/1/1->ge-1/1/2)#port link-type trunk
SwitchA(config-ge-1/1/1->ge-1/1/2)#port trunk allow-pass vlan 2-10
SwitchA(config-ge-1/1/1->ge-1/1/2)#exit

Configurations of Switch B, Switch C, and Switch D are the same as those of Switch A.

Step 2 Create ERPS protection ring.


Configure Switch A.

SwitchA(config)#g8032 instance 1
SwitchA(config-g8032-instance-1)#control-vlan 1
SwitchA(config-g8032-instance-1)#data-vlan 2-10
SwitchA(config-g8032-instance-1)#add interface ge 1/0/1 rpl owner
SwitchA(config-g8032-instance-1)#add interface ge 1/0/2

Configure Switch B.

SwitchB(config)#g8032 instance 1
SwitchB(config-g8032-instance-1)#control-vlan 1
SwitchB(config-g8032-instance-1)#data-vlan 2-10
SwitchB(config-g8032-instance-1)#add interface ge 1/0/1 rpl neighbor
SwitchB(config-g8032-instance-1)#add interface ge 1/0/2

Configure Switch C.

SwitchC(config)#g8032 instance 1
SwitchC(config-g8032-instance-1)#control-vlan 1
SwitchC(config-g8032-instance-1)#data-vlan 2-10
SwitchC(config-g8032-instance-1)#add interface ge 1/0/1
SwitchC(config-g8032-instance-1)#add interface ge 1/0/2

Configure Switch D.

SwitchD(config)#g8032 instance 1
SwitchD(config-g8032-instance-1)#control-vlan 1
SwitchD(config-g8032-instance-1)#data-vlan 2-10
SwitchD(config-g8032-instance-1)#add interface ge 1/0/1
SwitchD(config-g8032-instance-1)#add interface ge 1/0/2
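
The ring-wide rules from section 9.3.4 (one RPL Owner, one RPL Neighbor, identical protocol version, separate protocol VLANs per ring, Hold-off timer at 0) can be checked across all nodes before a change is pushed. The following is an added example, not Raisecom tooling: it parses CLI sessions in the prompt format shown above, the function names and sample sessions are constructed for illustration, and the plain integer argument to holdoff-timer is an assumption about the value format.

```python
import re
from collections import defaultdict

# Prompt format used in this guide's examples: Host(config-g8032-instance-N)#command
PROMPT = re.compile(
    r"^(?P<host>[\w.-]+)\(config-g8032-instance-(?P<inst>\d+)\)#\s*(?P<cmd>\S.*)$")


def parse_sessions(text):
    """Collect G.8032 settings per instance and host from pasted CLI sessions."""
    rings = defaultdict(dict)
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # global and interface mode lines are not audited here
        node = rings[int(m["inst"])].setdefault(
            m["host"], {"ports": {}, "version": "v2", "holdoff": 0})  # 9.3.3 defaults
        words = m["cmd"].split()
        if words[0] in ("control-vlan", "data-vlan", "version") and len(words) > 1:
            node[words[0]] = words[1]
        elif words[0] == "holdoff-timer" and len(words) > 1:
            node["holdoff"] = int(words[1])  # assumed: plain integer value
        elif words[:2] == ["add", "interface"] and len(words) >= 4:
            role = words[words.index("rpl") + 1] if "rpl" in words[:-1] else "normal"
            node["ports"][" ".join(words[2:4])] = role
    return rings


def audit(rings):
    """Return sorted (instance, message) findings for the ring-wide rules in 9.3.4."""
    findings = []
    vlan_users = defaultdict(set)
    for inst, nodes in rings.items():
        for role in ("owner", "neighbor"):
            hosts = sorted(h for h, n in nodes.items() if role in n["ports"].values())
            if len(hosts) != 1:
                findings.append(
                    (inst, f"RPL {role} must be on exactly one device, found {hosts}"))
        for key in ("control-vlan", "data-vlan", "version"):
            values = sorted({str(n.get(key)) for n in nodes.values()})
            if len(values) > 1:
                findings.append((inst, f"{key} is not identical on all nodes: {values}"))
        for host, n in nodes.items():
            if n["holdoff"] != 0:
                findings.append(
                    (inst, f"{host}: hold-off timer {n['holdoff']} may affect 50 ms switching"))
            if "control-vlan" in n:
                vlan_users[n["control-vlan"]].add(inst)
    for vlan, insts in vlan_users.items():
        if len(insts) > 1:  # the guide recommends a separate protocol VLAN per ring
            findings.append(
                (min(insts), f"control VLAN {vlan} is shared by rings {sorted(insts)}"))
    return sorted(findings)


def session(host, inst, rpl_role="", extra=()):
    """Build one constructed CLI session in the page's prompt format."""
    cmds = ["control-vlan 1", "data-vlan 2-10", *extra,
            f"add interface ge 1/0/1 {rpl_role}".strip(), "add interface ge 1/0/2"]
    prompt = f"{host}(config-g8032-instance-{inst})#"
    return "\n".join([f"{host}(config)#g8032 instance {inst}"] + [prompt + c for c in cmds])


# Constructed sample input: the single ring of this section, configured correctly.
GOOD = "\n".join([
    session("SwitchA", 1, "rpl owner"), session("SwitchB", 1, "rpl neighbor"),
    session("SwitchC", 1), session("SwitchD", 1)])

# Constructed sample input with mistakes: two owners and no neighbor, a version
# mismatch, a non-zero Hold-off timer, and a second ring reusing control VLAN 1.
BAD = "\n".join([
    session("SwitchA", 1, "rpl owner"), session("SwitchB", 1, "rpl owner"),
    session("SwitchC", 1, extra=["version v1"]),
    session("SwitchD", 1, extra=["holdoff-timer 100"]),
    session("SwitchE", 2, "rpl owner"), session("SwitchF", 2, "rpl neighbor")])

if __name__ == "__main__":
    for inst, message in audit(parse_sessions(BAD)):
        print(f"instance {inst}: {message}")
```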

Checking results
Use the show g8032 interface command to show configurations of the G.8032 protection ring
on the switch.
Take Switch A for example. RPL link is blocked to avoid loops. After the WTR timer expires,
information about ring status is as below.

SwitchA#show g8032 interface

Instance  Interface  Role   Type    Operate  Forward     Rx-Count  Tx-Count
----------------------------------------------------------------------------------------------------
1         ge 1/0/1   port1  rpl     working  blocking    0         15
1         ge 1/0/2   port2  normal  working  forwarding  0         11
----------------------------------------------------------------------------------------------------

Manually disconnect the link between Switch B and Switch C to emulate a fault. Use the
following command to show G.8032 protection ring status on Switch A again. The RPL link
switches to the forwarding status.

SwitchA#show g8032 interface


Instance  Interface  Role   Type    Operate  Forward     Rx-Count  Tx-Count
----------------------------------------------------------------------------------------------------
1         ge 1/0/1   port1  rpl     working  forwarding  16        41
1         ge 1/0/2   port2  normal  failed   blocking    18        42
----------------------------------------------------------------------------------------------------

9.3.10 Example for configuring intersecting G.8032

Networking requirements
As shown in Figure 9-8, to improve Ethernet reliability, Switch A, Switch B, Switch C,
Switch D, Switch E, and Switch F form an intersecting ERPS network.
• Switch A, Switch B, Switch C, and Switch D form the main ring. Switch D is the main
ring RPL Owner, and Switch C is the main ring RPL Neighbor. The blocked interface is GE
1/0/1 on Switch D. The ID of the protocol VLAN is 1.
• Switch A, Switch B, Switch E, and Switch F form a tributary ring. Switch F is the
tributary ring RPL Owner. Switch A is the tributary ring RPL Neighbor. The blocked
interface is GE 1/3/1 on Switch F. The protocol VLAN is 4094.
• The blocked VLANs for the main ring and tributary ring range from VLANs 1 to 4094
by default.

Figure 9-8 Intersecting ring G.8032 networking

Configuration steps
Step 1 Create VLANs 1-4094 and add interfaces to the VLANs.
Configure Switches A and B.

Switch#configure
Switch(config)#vlan 1-4094
Switch(config)#interface ge 1/0/1 to ge 1/0/3
Switch(config-ge-1/0/1->ge-1/0/3)#port link-type trunk
Switch(config-ge-1/0/1->ge-1/0/3)#port trunk allow-pass vlan all
Switch(config-ge-1/0/1->ge-1/0/3)#exit

Configure Switches C, D, E, and F.

Switch#configure
Switch(config)#vlan 1-4094
Switch(config)#interface ge 1/0/1 to ge 1/0/2
Switch(config-ge-1/0/1->ge-1/0/2)#port link-type trunk
Switch(config-ge-1/0/1->ge-1/0/2)#port trunk allow-pass vlan all
Switch(config-ge-1/0/1->ge-1/0/2)#exit

Step 2 Create a main ring for G.8032 protection ring.


Configure Switches A and B.

Switch(config)#g8032 instance 1
Switch(config-g8032-instance-1)#control-vlan 1
Switch(config-g8032-instance-1)#data-vlan 1-4094
Switch(config-g8032-instance-1)#add interface ge 1/0/1
Switch(config-g8032-instance-1)#add interface ge 1/0/2

Configure Switch C.

Switch(config)#g8032 instance 1
Switch(config-g8032-instance-1)#control-vlan 1
Switch(config-g8032-instance-1)#data-vlan 1-4094
Switch(config-g8032-instance-1)#add interface ge 1/0/1
Switch(config-g8032-instance-1)#add interface ge 1/0/2 rpl neighbour

Configure Switch D.

Switch(config)#g8032 instance 1
Switch(config-g8032-instance-1)#control-vlan 1
Switch(config-g8032-instance-1)#data-vlan 1-4094
Switch(config-g8032-instance-1)#add interface ge 1/0/1 rpl owner
Switch(config-g8032-instance-1)#add interface ge 1/0/2

Step 3 Configure a tributary ring for G.8032.


Configure Switch A.

Switch(config)#g8032 instance 2
Switch(config-g8032-instance-2)#control-vlan 4094
Switch(config-g8032-instance-2)#data-vlan 1-4094
Switch(config-g8032-instance-2)#add interface ge 1/0/3 rpl owner
Switch(config-g8032-instance-2)#virtual-control-vlan 3
Switch(config-g8032-instance-2)#add interface ge 1/0/3 vc-mep

Configure Switch B.

Switch(config)#g8032 instance 2
Switch(config-g8032-instance-2)#control-vlan 4094
Switch(config-g8032-instance-2)#data-vlan 1-4094
Switch(config-g8032-instance-2)#add interface ge 1/0/3
Switch(config-g8032-instance-2)#virtual-control-vlan 3
Switch(config-g8032-instance-2)#add interface ge 1/0/3 vc-mep

Configure Switch E.

Switch(config)#g8032 instance 2
Switch(config-g8032-instance-2)#control-vlan 4094
Switch(config-g8032-instance-2)#data-vlan 1-4094
Switch(config-g8032-instance-2)#add interface ge 1/0/1
Switch(config-g8032-instance-2)#add interface ge 1/0/2

Configure Switch F.

Switch(config)#g8032 instance 2
Switch(config-g8032-instance-2)#control-vlan 4094
Switch(config-g8032-instance-2)#data-vlan 1-4094
Switch(config-g8032-instance-2)#add interface ge 1/0/1 rpl neighbour
Switch(config-g8032-instance-2)#add interface ge 1/0/2

Checking results
Use the show g8032 interface command to show configurations of the G.8032 protection ring
on the switch.
Use the command on Switch A, Switch D, and Switch F respectively. The result should be as
below after the WTR timer expires.

SwitchD#show g8032 interface

Instance Interface Role  Type   Operate Forward    Rx-Count Tx-Count
----------------------------------------------------------------------------------------------------
1        ge 1/0/1  port1 rpl    working blocking   0        15
1        ge 1/0/2  port2 normal working forwarding 0        11
----------------------------------------------------------------------------------------------------

9.4 STP/RSTP
9.4.1 Introduction

STP
As network structures grow more complex and the number of switches on the network
increases, loops on the Ethernet network become the most prominent problem. Because of the
packet broadcast mechanism, a loop causes the network to generate broadcast storms, exhausts
network resources, and seriously affects the forwarding of normal data. The network storm
caused by the loop is shown in Figure 9-9.

Figure 9-9 Network storm due to loopback

Spanning Tree Protocol (STP) complies with the IEEE 802.1d standard and is used to remove
physical loops at the data link layer in a LAN.
Devices running STP exchange Bridge Protocol Data Units (BPDUs) with each other to elect
the root switch and to select the root port and designated port. According to the election
results, a device logically blocks the interfaces that form a loop, and finally trims the
looped network structure into a loop-free tree structure that takes one device as the root.
This prevents packets from proliferating and circulating endlessly on the loop network and
causing broadcast storms, and avoids the decline in packet processing capacity caused by
receiving the same packets repeatedly.
Figure 9-10 shows loop networking with STP.

Figure 9-10 Loop networking with STP

Although STP eliminates network loops and prevents broadcast storms well, its shortcomings
have gradually been exposed as network technologies are applied and developed in depth.
The major disadvantage of STP is its slow convergence speed.

RSTP
To improve the slow convergence speed of STP, IEEE 802.1w defines Rapid Spanning
Tree Protocol (RSTP), which adds a mechanism for changing an interface from the blocking
state to the forwarding state and so speeds up topology convergence.
The purpose of STP/RSTP is to simplify a bridged LAN into a single spanning tree in the
logical topology and to avoid broadcast storms.
The disadvantages of STP/RSTP have been exposed with the rapid development of VLAN
technology. The single spanning tree produced by STP/RSTP leads to the following
problems:
• The whole switching network has only one spanning tree, which leads to longer
convergence time on a larger network.
• After a link is blocked, it no longer carries traffic, which wastes bandwidth.
• Packets of some VLANs cannot be forwarded when the network structure is asymmetrical.
As shown in Figure 9-11, Switch B is the root switch; RSTP logically blocks the link
between Switch A and Switch C, so VLAN 100 packets cannot be transmitted and
Switch A and Switch C cannot communicate.

Figure 9-11 Failure in forwarding VLAN packets due to RSTP

9.4.2 Preparation for configuration

Networking situation
In a big LAN, multiple devices are concatenated so that hosts can access each other. STP
must be enabled on them to avoid loops among them, MAC address learning faults, and the
broadcast storms and network outages caused by rapid copying and transmission of data
frames. STP calculation blocks one interface to break a loop and ensures that there is only
one path from the data flow to the destination host, which is also the best path.

Preconditions
N/A

9.4.3 Default configurations of STP


Default configurations of STP are as below.

Function                    Default value
Global STP status           Disable
Interface STP status        Enable
STP priority of device      32768
STP priority of interface   128
Path cost of interface      0
Max Age timer               20s
Hello Time timer            2s
Forward Delay timer         15s

9.4.4 Enabling STP


Enable STP for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#stp mode { stp | rstp | mstp | default }   Configure spanning tree mode.
3     Raisecom(config)#interface interface-type interface-number  Enter physical interface configuration mode, or aggregation group configuration mode. Take physical interface configuration mode for example.
4     Raisecom(config-ge-1/0/*)#stp { enable | disable }          Enable interface STP.

9.4.5 Configuring STP parameters


Configure STP parameters for the device as below.

Step  Command                                                        Description
1     Raisecom#configure                                             Enter global configuration mode.
2     Raisecom(config)#stp priority priority-value                   Configure device priorities.
3     Raisecom(config)#interface interface-type interface-number     Configure interface priorities on the device.
      Raisecom(config-ge-1/0/*)#stp priority priority-value
4     Raisecom(config-ge-1/0/*)#stp path-cost cost-value             Configure the path cost of the interface on the device.
5     Raisecom(config)#stp hello-time value                          Configure the value of Hello Time.
6     Raisecom(config)#stp forward-delay value                       Configure forward delay.
7     Raisecom(config)#stp max-age value                             Configure the maximum age.
8     Raisecom(config)#stp pathcost-standard { dot1d-1998 | dot1t }  Configure the standard for calculating path cost of the spanning tree.

9.4.6 Configuring the RSTP edge interface


An edge interface is an interface that neither connects directly to any device nor
connects indirectly to any device through the network.
An edge interface can change to the forwarding state quickly without any waiting
time. We recommend configuring the Ethernet interface connected to a user client as an edge
interface so that it changes to the forwarding state quickly.
In force-true mode, the real port changes to a false edge interface after receiving a BPDU.
When the interface is in enable mode, whether it is a true or false edge interface in actual
operation, it maintains the disable mode until the configuration is changed.
By default, all interfaces on the device are configured to disable.
Configure the edge interface for the device as below.

Step  Command                                                       Description
1     Raisecom#configure                                            Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number    Enter physical interface configuration mode, or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#stp edge-port { enable | disable }  Configure attributes of the RSTP edge interface.

9.4.7 Configuring the RSTP link type


Two interfaces connected by a point-to-point link can quickly transit to forward status by
transmitting synchronization packets. By default, RSTP configures the link type of interfaces
according to duplex mode. The full duplex interface is considered as the point-to-point link,
and the half duplex interface is considered as the shared link.
You can manually configure the current Ethernet interface to connect to a point-to-point link,
but the system will fail if the link is not point to point. Generally, we recommend configuring
this item in auto status and the system will automatically detect whether the interface is
connected to a point-to-point link.
Configure the link type for the device as below.

Step  Command                                                                           Description
1     Raisecom#configure                                                                Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                        Enter physical interface configuration mode, or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#stp point-to-point { force-true | force-false | auto }  Configure the link type for interface.

9.4.8 Checking configurations


Use the following commands to check configuration results.

No.   Command                        Description
1     Raisecom#show stp information  Show basic configurations of STP.
2     Raisecom#show stp interface    Show configurations of the spanning tree on the interface.
3     Raisecom#show stp bridge       Show information about the root bridge of STP.

9.4.9 Example for configuring STP

Networking requirements
As shown in Figure 9-12, Switch A, Switch B, and Switch C form a ring network, so the loop
formed by the physical links must be eliminated. Enable STP on them, configure the
priority of Switch A to 0, and configure the path cost from Switch B to Switch A to 10.

Figure 9-12 STP networking

Configuration steps
Step 1 Enable STP on Switch A, Switch B, and Switch C.
Configure Switch A.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#stp mode stp

Configure Switch B.

Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#stp mode stp

Configure Switch C.

Raisecom#hostname SwitchC
SwitchC#configure
SwitchC(config)#stp mode stp

Step 2 Configure interface modes on three switches.


Configure Switch A.

SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#stp enable
SwitchA(config-ge-1/0/1)#exit
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/2)#stp enable
SwitchA(config-ge-1/0/2)#exit

Configure Switch B.

SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port link-type trunk
SwitchB(config-ge-1/0/1)#stp enable
SwitchB(config-ge-1/0/1)#exit
SwitchB(config)#interface ge 1/0/2
SwitchB(config-ge-1/0/2)#port link-type trunk
SwitchB(config-ge-1/0/2)#stp enable
SwitchB(config-ge-1/0/2)#exit

Configure Switch C.

SwitchC(config)#interface ge 1/0/1
SwitchC(config-ge-1/0/1)#port link-type trunk
SwitchC(config-ge-1/0/1)#stp enable
SwitchC(config-ge-1/0/1)#exit
SwitchC(config)#interface ge 1/0/2
SwitchC(config-ge-1/0/2)#port link-type trunk
SwitchC(config-ge-1/0/2)#stp enable
SwitchC(config-ge-1/0/2)#exit

Step 3 Configure priority of spanning tree and interface path cost.


Configure Switch A.

SwitchA(config)#stp priority 0
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#stp path-cost 10

Configure Switch B.

SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#stp path-cost 10

Checking results
Use the show stp information command to show bridge status.
Take Switch A for example.

SwitchA#show stp information


--------------------------------------------------------------------------------
Mode : stp
Trap state : disable
Bridge type : customer
BPDU Guard state : disable
TC protection state : disable
TC protection threshold : 2
Hello time : 2
Max age : 20
Forward delay : 15
Max hops : 20
Time factor : 6
Format selector : 0
Revision level : 0
Config name : region
TC flush arp state : disable
Migration time : 3
Pathcost standard : dot1t
TC holdoff time : 10
Transmit limit : 6 (packets/s)
Link detection state : enable
Edge
default state : disable
--------------------------------------------------------------------------------

Use the show stp interface command to show the interface status.
Take Switch A for example.

SwitchA#show stp interface


MSTID Port     Role       State   Protection Region
-------------------------------------------------------------------------------------
0     ge-1/0/1 designated forward --         different
0     ge-1/0/2 designated forward --         different

9.5 MSTP
9.5.1 Introduction
Multiple Spanning Tree Protocol (MSTP) is defined by IEEE 802.1s. Overcoming the
disadvantages of STP and RSTP, MSTP implements fast convergence and forwards traffic of
different VLANs along their own paths, providing an excellent load balancing
mechanism.
MSTP divides a switching network into multiple regions, called MST regions. Each MST region
contains several spanning trees, which are independent of each other. Each spanning
tree is called a Multiple Spanning Tree Instance (MSTI).
MSTP introduces the Common Spanning Tree (CST) and Internal Spanning Tree (IST)
concepts. The CST is the spanning tree calculated by treating each MST region as a whole.
The IST is the spanning tree generated inside an MST region.
Compared with STP and RSTP, MSTP also introduces the total root (CIST Root) and region root
(MST Region Root) concepts. The total root is a global concept; all switches running
STP/RSTP/MSTP can have only one total root, which is the CIST Root. The region root is a
local concept, which is relative to an instance in a region. As shown in Figure 9-13, all
connected devices have only one total root, and the number of region roots contained in each
region is associated with the number of instances.

Figure 9-13 Basic concepts of the MSTI network

There can be different MST instances in each MST region. VLANs are associated with MSTIs
by configuring the VLAN mapping table (the relationship table of VLANs and MSTIs). The
concept sketch of MSTI is shown in Figure 9-14.

Figure 9-14 MSTI concepts

Each VLAN can map to one MSTI; in other words, data of one VLAN can be transmitted
in only one MSTI, but one MSTI may correspond to several VLANs.
Compared with STP and RSTP mentioned previously, MSTP has obvious advantages,
including VLAN awareness, load balancing, interface state switching similar to that of RSTP,
and binding multiple VLANs to one MST instance to reduce resource usage. In
addition, devices running MSTP on the network are also compatible with devices running
STP and RSTP.

Figure 9-15 Networking with multiple spanning trees instances in MST region

Apply MSTP to the network as shown in Figure 9-15. After calculation, two
spanning trees (two MST instances) are generated:
• MSTI 1 takes B as the root switch and forwards packets of VLAN 100.
• MSTI 2 takes F as the root switch and forwards packets of VLAN 200.
In this case, all VLANs can communicate internally, and packets of different VLANs are
forwarded along different paths to share the load.

9.5.2 Preparation for configuration

Scenario
In a big LAN or residential region aggregation, the aggregation devices form a ring for
link backup, while avoiding loops and implementing load balancing. MSTP can select a
different, unique forwarding path for each VLAN or group of VLANs.

Prerequisite
N/A

9.5.3 Default configurations of MSTP


Default configurations of MSTP are as below.

Function                                                Default value
Global MSTP status                                      Disable
Interface MSTP status                                   Enable
Maximum number of hops in the MST region                20
MSTP priority of the device                             32768
MSTP priority of the interface                          128
Path cost of the interface                              0
Maximum number of packets sent within each Hello time   3
Max Age timer                                           20s
Hello Time timer                                        2s
Forward Delay timer                                     15s
Revision level of the MST region                        0
TC protection                                           Disable
TC protection threshold                                 1

9.5.4 Enabling MSTP


Enable MSTP for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#stp mode mstp                              Configure the spanning tree mode to MSTP.
3     Raisecom(config)#interface interface-type interface-number  Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
4     Raisecom(config-ge-1/0/*)#stp { enable | disable }          Enable interface STP.

9.5.5 Configuring the MST region and its maximum number of hops
You can configure region information about the device when it is running in MSTP mode. The
MST region of a device is determined by the region name, the VLAN mapping table, and the
MSTP revision level. You can place the current device in a specific MST
region through the following configuration.
The scale of an MST region is restricted by the maximum number of hops. Starting from the
root bridge of the spanning tree in the region, the number of forwarding hops decreases by 1
each time the configuration message (BPDU) passes a device; a device discards a configuration
message whose number of hops is 0. A device beyond the maximum number of hops
cannot join spanning tree calculation, so the scale of the MST region is restricted.
Configure the MSTP region and its maximum number of hops for the device as below.

Step  Command                                                   Description
1     Raisecom#configure                                        Enter global configuration mode.
2     Raisecom(config)#stp instance instance-id vlan vlan-list  Configure mapping from the MST region VLAN to instance.
3     Raisecom(config)#stp config-name name                     Configure the MST region name.
4     Raisecom(config)#stp revision-level level-value           Configure the revision level for the MST region.
5     Raisecom(config)#stp max-hops hops-value                  Configure the maximum number of hops for the MST region.

The configured maximum number of hops is used as the maximum number of hops for the
MST region only when the configured device is the region root; this item cannot be
configured on other, non-region-root devices.

9.5.6 Configuring the interface priority and system priority


Whether an interface is elected as the root interface depends on the interface priority.
Under the same conditions, the interface with the smaller priority value is elected as the
root interface. An interface may have different priorities and play different roles in
different instances.
The Bridge ID determines whether the device can be elected as the root of the spanning tree.
Configuring a smaller priority value helps obtain a smaller Bridge ID and designate the
device as the root. If the priorities of two devices are identical, the device with the lower
MAC address is elected as the root.
Similar to configuring the root and backup root, priority is mutually independent in different
instances. You can specify the instance to which a priority applies through the instance
instance-id parameter. The bridge priority is configured for the CIST if instance-id is 0 or
the instance instance-id parameter is omitted.
Configure the interface priority and system priority for the device as below.

Step  Command                                                                         Description
1     Raisecom#configure                                                              Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                      Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#stp [ instance instance-id ] priority priority-value  Configure the interface priority for a STP instance.
      Raisecom(config-ge-1/0/*)#exit
4     Raisecom(config)#stp [ instance instance-id ] priority priority-value           Configure the system priority for a STP instance.

The value of priorities must be multiples of 4096, such as 0, 4096, and 8192. It is
32768 by default.

9.5.7 Configuring the path cost of the interface


When the root interface and designated interface are selected, the smaller the path cost of
an interface is, the more likely it is to be selected as the root interface or designated
interface. The path cost of an interface is mutually independent in different instances. You
can configure the internal path cost for an instance through the instance instance-id
parameter. The internal path cost of the interface is configured for the CIST if instance-id
is 0 or the instance instance-id parameter is omitted.
By default, the interface cost often depends on the physical features:
• 10 Mbit/s: 2000000
• 100 Mbit/s: 200000
• 1000 Mbit/s: 20000
• 10 Gbit/s: 2000
Configure the internal path cost for the device as below.

Step  Command                                                                      Description
1     Raisecom#configure                                                           Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                   Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#stp [ instance instance-id ] path-cost cost-value  Configure the path cost of the interface.
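
The election rules of sections 9.5.6 and 9.5.7, applied to the three-switch ring of section 9.4.9, as an added Python example (not Raisecom code). Priority 0 on Switch A and cost 10 on the Switch A to Switch B link follow 9.4.9; the MAC addresses, the other two port pairings, and all function names are assumptions, and port priority is left at its default so it never decides a tie.

```python
import heapq

# Constructed model of the ring in section 9.4.9. The MAC addresses and the
# A-C / B-C port pairings are assumptions. 20000 is the 1000 Mbit/s default
# path cost listed in section 9.5.7.
BRIDGES = {
    "SwitchA": {"priority": 0,     "mac": "02:00:00:00:00:0a"},
    "SwitchB": {"priority": 32768, "mac": "02:00:00:00:00:0b"},
    "SwitchC": {"priority": 32768, "mac": "02:00:00:00:00:0c"},
}
# Each link: ((bridge, port, path cost), (bridge, port, path cost))
LINKS = [
    (("SwitchA", "ge-1/0/2", 10),    ("SwitchB", "ge-1/0/1", 10)),
    (("SwitchA", "ge-1/0/1", 20000), ("SwitchC", "ge-1/0/1", 20000)),
    (("SwitchB", "ge-1/0/2", 20000), ("SwitchC", "ge-1/0/2", 20000)),
]


def valid_priority(priority):
    """Bridge priorities must be non-negative multiples of 4096 (section 9.5.6)."""
    return priority >= 0 and priority % 4096 == 0


def bridge_id(bridge):
    """Comparable Bridge ID: (priority, MAC bytes). The lowest value wins."""
    if not valid_priority(bridge["priority"]):
        raise ValueError(f"priority {bridge['priority']} is not a multiple of 4096")
    return (bridge["priority"], bytes.fromhex(bridge["mac"].replace(":", "")))


def compute_roles(bridges, links):
    """Return (root, root path cost per bridge, role per (bridge, port)).

    Assumes a connected topology in which every port cost is greater than 0.
    """
    ids = {name: bridge_id(b) for name, b in bridges.items()}
    root = min(ids, key=ids.get)

    # Each link yields two directed hops: a BPDU sent by one end is received
    # on the other end's port, and the receiver adds that port's path cost.
    hops = []
    for end1, end2 in links:
        for (snd, snd_port, _), (rcv, rcv_port, rcv_cost) in ((end1, end2), (end2, end1)):
            hops.append((snd, snd_port, rcv, rcv_port, rcv_cost))

    # Dijkstra from the root gives every bridge its root path cost.
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, name = heapq.heappop(heap)
        if c > cost[name]:
            continue
        for snd, _, rcv, _, rcv_cost in hops:
            if snd == name and c + rcv_cost < cost.get(rcv, float("inf")):
                cost[rcv] = c + rcv_cost
                heapq.heappush(heap, (cost[rcv], rcv))

    # Root port: the port receiving the best (cost, sender Bridge ID, sender port).
    root_port = {}
    for name in bridges:
        if name != root:
            offers = [(cost[snd] + rcv_cost, ids[snd], snd_port, rcv_port)
                      for snd, snd_port, rcv, rcv_port, rcv_cost in hops if rcv == name]
            root_port[name] = min(offers)[3]

    # On each link the end with the better (cost, Bridge ID) is designated;
    # the other end is either that bridge's root port or is blocked.
    roles = {}
    for end1, end2 in links:
        ranked = sorted((end1, end2), key=lambda e: (cost[e[0]], ids[e[0]], e[1]))
        for rank, (name, port, _) in enumerate(ranked):
            if root_port.get(name) == port:
                roles[(name, port)] = "root"
            elif rank == 0:
                roles[(name, port)] = "designated"
            else:
                roles[(name, port)] = "alternate (blocked)"
    return root, cost, roles


if __name__ == "__main__":
    root, cost, roles = compute_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for (name, port), role in sorted(roles.items()):
        print(f"{name:8} {port:9} {role:20} root path cost {cost[name]}")
```

Both Switch A ports come out as designated, matching the show stp interface output in section 9.4.9, and the loop is broken on Switch C's port towards Switch B.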

9.5.8 Configuring the maximum transmission rate on interface


The maximum transmission rate on an interface is the maximum number of BPDUs that MSTP
allows to be transmitted in each Hello Time. This parameter is a relative value without a
unit. The greater the value is, the more packets are allowed to be transmitted
in a Hello Time and the more device resources are used. As with the time parameters, only
the configurations on the root device take effect.
Configure the maximum transmission rate on the interface for the device as below.

Step  Command                                    Description
1     Raisecom#configure                         Enter global configuration mode.
2     Raisecom(config)#stp transmit-limit value  Configure the maximum transmission rate on the interface.

9.5.9 Configuring the MSTP timer


• Hello Time: the interval at which the device sends BPDUs. It is used to detect whether a
link on the device fails. The device sends Hello packets to surrounding devices at the Hello
Time interval to check whether the link is faulty. The default value is 2s. You can adjust the
interval according to network conditions. Reduce the interval when network links
change frequently to enhance the stability of STP. However, increasing the interval
reduces the CPU utilization of STP.
• Forward Delay: the time parameter that ensures the safe transition of device states. A link
fault causes the network to recalculate the spanning tree, but the newly calculated
configuration message cannot be transmitted to the whole network immediately. A
temporary loop may occur if the new root interface and designated interface start
transmitting data at once. The protocol therefore adopts a state transition mechanism:
before the root interface and designated interface start forwarding data, they pass through
an intermediate state (the learning state); after a delay of the Forward Delay interval, they
enter the forwarding state. The delay guarantees that the new configuration message is
transmitted through the whole network. You can adjust the delay according to actual
conditions; in other words, reduce it when the network topology changes infrequently and
increase it under the opposite conditions.
• Max Age: the bridge configurations used by STP have a lifetime that is used to judge
whether the configurations are outdated. The device discards outdated configurations
and STP recalculates the spanning tree. The default value is 20s. Too short an age may
cause frequent recalculation of the spanning tree, while too great an age makes
STP unable to adapt to network topology changes in time.
All devices in the whole switching network adopt the three time parameters of the CIST root
device, so only the configuration on the root device is valid.
Configure the MSTP timer for the device as below.

Step  Command                                   Description
1     Raisecom#configure                        Enter global configuration mode.
2     Raisecom(config)#stp hello-time value     Configure the Hello Time.
3     Raisecom(config)#stp forward-delay value  Configure the Forward Delay.
4     Raisecom(config)#stp max-age value        Configure the Max Age.

9.5.10 Configuring the edge interface


An edge interface is an interface that neither connects directly to any device nor
connects indirectly to any device through the network.
An edge interface can change to the forwarding state quickly without any waiting
time. We recommend configuring the Ethernet interface connected to a user client as an edge
interface so that it changes to the forwarding state quickly.
In auto-detection mode, the edge interface attribute depends on actual conditions. In
force-true mode, the real port changes to a false edge interface after receiving a BPDU. In
force-false mode, whether the interface is a true or false edge interface in actual
operation, it maintains the force-false mode until the configuration is changed.
By default, all interfaces on the device are configured with the auto-detection attribute.
Configure the edge interface for the device as below.

Step  Command                                                       Description
1     Raisecom#configure                                            Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number    Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/1/*)#stp edge-port { enable | disable }  Configure attributes of the edge interface.

9.5.11 Configuring BPDU filtering


After BPDU filtering is enabled on an edge interface, the interface neither sends BPDU
packets nor processes received BPDU packets.
Configure BPDU filtering for the device as below.

Step  Command                                                         Description
1     Raisecom#configure                                              Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number      Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#stp bpdu-filter { enable | disable }  Configure BPDU filtering on the edge interface.

9.5.12 Configuring BPDU Guard


On a switch, interfaces directly connected to non-switch devices, such as terminals (for
example, a PC) or file servers, are configured as edge interfaces to implement fast
transition of these interfaces.
In normal status, these edge interfaces do not receive BPDUs. If the switch is attacked with
forged BPDUs, it changes these edge interfaces to non-edge interfaces when they receive the
forged BPDUs and recalculates the spanning tree. This may cause network flapping.
BPDU Guard provided by MSTP can prevent this type of attack. After BPDU Guard is
enabled, edge interfaces are protected from attacks that use forged BPDU packets.
After BPDU Guard is enabled, the switch shuts down an edge interface if it receives
BPDUs and notifies the NView NNM system of the event. The blocked edge interface can be
restored only by the administrator through the CLI.
Configure BPDU Guard for the device as below.

Step  Command                                                                                   Description
1     Raisecom#configure                                                                        Enter global configuration mode.
2     Raisecom(config)#stp bpdu-protection { enable | disable }                                 Enable BPDU Guard.
3     Raisecom(config)#interface interface-type interface-number                                Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
4     Raisecom(config-ge-1/0/*)#stp bpdu-protection error-down recovery-interval interval       Configure the recovery interval of BPDU Guard.

When the edge interface is enabled with BPDU filtering and the device is enabled
with BPDU Guard, BPDU Guard takes effect first. Therefore, an edge interface is
shut down if it receives a BPDU.

9.5.13 Configuring STP/RSTP/MSTP mode switching


When STP is enabled, three spanning tree modes are supported as below:
- STP compatible mode: the device does not implement fast switching from the
replacement interface to the root interface or expedited forwarding by a specified
interface; instead, it sends STP configuration BPDUs and STP Topology Change
Notification (TCN) BPDUs. After receiving an MST BPDU, it discards the unidentifiable part.
- RSTP mode: the device implements fast switching from the replacement interface to the
root interface and expedited forwarding by a specified interface. It sends RST BPDUs.
After receiving an MST BPDU, it discards the unidentifiable part. If the peer device runs STP,
the local interface is switched to STP compatible mode. If the peer device runs MSTP,
the local interface remains in RSTP mode.
- MSTP mode: the device sends MST BPDUs. If the peer device runs STP, the local
interface is switched to STP compatible mode. If the peer device runs MSTP, the local
interface remains in RSTP mode and processes packets as external information about the
region.
Configure the STP/RSTP/MSTP mode switching for the device as below.

Step  Command                                          Description
1     Raisecom#configure                               Enter global configuration mode.
2     Raisecom(config)#stp mode { stp | rstp | mstp }  Configure the spanning tree mode.
3     Raisecom(config-ge-1/0/*)#stp mcheck             (Optional) forcibly configure the interface to MSTP mode.

9.5.14 Configuring the link type


Two interfaces connected by a point-to-point link can quickly transition to the forwarding status by
exchanging synchronization packets. By default, MSTP configures the link type of interfaces
according to duplex mode. A full duplex interface is considered to be on a point-to-point link,
and a half duplex interface is considered to be on a shared link.
You can manually configure the current Ethernet interface as connected to a point-to-point link,
but the system will fail if the link is not point-to-point. Generally, we recommend setting
this item to auto so that the system automatically detects whether the interface is
connected to a point-to-point link.
Configure the link type for the device as below.

Step  Command                                                                       Description
1     Raisecom#configure                                                            Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number                    Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#stp point-to-point { force-true | force-false | auto }  Configure the link type of the interface.

9.5.15 Configuring root interface protection


The bridge re-elects a root interface when it receives a packet with higher priority, which
affects network connectivity and also consumes CPU resources. On an MSTP network, if
someone sends BPDUs with higher priority, the network may become unstable due to
continuous election.
Generally, the priority of each bridge has already been configured in the network planning
phase. The nearer a bridge is to the edge, the lower the bridge priority is. So a downlink
interface does not receive packets with priority higher than the bridge priority unless someone
is attacking. For these interfaces, you can enable rootguard to refuse to process packets with
priority higher than the bridge priority and to block the interface for a period, preventing
further attacks from the attacking source and damage to the upper layer link.
Configure root interface protection for the device as below.

Step  Command                                                             Description
1     Raisecom#configure                                                  Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number          Enter physical interface configuration mode.
3     Raisecom(config-ge-1/0/*)#stp root-protection { enable | disable }  Enable/Disable root interface protection.
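
The following Python check is an added example, not part of the Raisecom guide: it reads a configuration session written in the prompt format this guide uses and flags access ports left without the protections described in 9.5.10 through 9.5.15. The sample sessions are constructed, and the audit policy (edge ports need global BPDU Guard; non-edge access ports need root protection) is an assumption drawn from those sections, not a vendor rule.

```python
import re
from dataclasses import dataclass

# Prompt format used throughout this guide: Host(mode)#command
PROMPT = re.compile(r"^[^\s(#]+(?:\((?P<mode>[^)]*)\))?#\s*(?P<cmd>.*)$")


@dataclass
class Port:
    access: bool = False           # port link-type access
    edge: bool = False             # stp edge-port enable
    bpdu_filter: bool = False      # stp bpdu-filter enable
    root_protection: bool = False  # stp root-protection enable


def parse_session(text):
    """Return (bpdu_guard_enabled, {interface: Port}) from a CLI session."""
    guard, ports = False, {}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m["cmd"]:
            continue
        mode, words = m["mode"] or "", m["cmd"].split()
        if len(words) != 3:
            continue               # every setting audited here is a 3-word command
        enabled = words[2] == "enable"
        if mode == "config" and words[:2] == ["stp", "bpdu-protection"]:
            guard = enabled        # BPDU Guard is switched on globally (9.5.12)
        elif mode.startswith("config-ge-"):
            port = ports.setdefault(mode[len("config-"):], Port())
            if words[:2] == ["port", "link-type"]:
                port.access = words[2] == "access"
            elif words[:2] == ["stp", "edge-port"]:
                port.edge = enabled
            elif words[:2] == ["stp", "bpdu-filter"]:
                port.bpdu_filter = enabled
            elif words[:2] == ["stp", "root-protection"]:
                port.root_protection = enabled
    return guard, ports


def audit(text):
    """Return sorted (interface, finding) pairs for user-facing (access) ports."""
    guard, ports = parse_session(text)
    findings = []
    for name, p in sorted(ports.items()):
        if not p.access:
            continue               # trunk/uplink ports are out of scope (assumed policy)
        if p.edge and not guard:
            # Filtering alone drops BPDUs without a shutdown or an NNM notification.
            code = "FILTER_WITHOUT_GUARD" if p.bpdu_filter else "EDGE_WITHOUT_BPDU_GUARD"
            findings.append((name, code))
        elif not p.edge and not p.root_protection:
            findings.append((name, "NO_ROOT_PROTECTION"))
    return findings


# Constructed sample session: three access ports and one trunk, no global BPDU Guard.
WEAK = """
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port link-type trunk
SwitchB(config-ge-1/0/1)#exit
SwitchB(config)#interface ge 1/0/3
SwitchB(config-ge-1/0/3)#port link-type access
SwitchB(config-ge-1/0/3)#stp edge-port enable
SwitchB(config-ge-1/0/3)#exit
SwitchB(config)#interface ge 1/0/4
SwitchB(config-ge-1/0/4)#port link-type access
SwitchB(config-ge-1/0/4)#stp edge-port enable
SwitchB(config-ge-1/0/4)#stp bpdu-filter enable
SwitchB(config-ge-1/0/4)#exit
SwitchB(config)#interface ge 1/0/5
SwitchB(config-ge-1/0/5)#port link-type access
SwitchB(config-ge-1/0/5)#exit
"""

# Constructed corrected session: the same ports with BPDU Guard and root protection.
HARDENED = (
    "SwitchB(config)#stp bpdu-protection enable\n"
    + WEAK
    + "SwitchB(config)#interface ge 1/0/5\n"
    + "SwitchB(config-ge-1/0/5)#stp root-protection enable\n"
)

if __name__ == "__main__":
    for label, session in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(session))
```

In the hardened session ge-1/0/4 still has BPDU filtering, but it raises no finding because BPDU Guard takes effect first when both are enabled.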

9.5.16 Configuring interface loop protection


The spanning tree has two functions: loop protection and link backup. Loop protection requires
carving up the network topology into a tree structure. There must be redundant links in the
topology if link backup is required. Spanning tree avoids loops by blocking the redundant
link and provides link backup by opening the redundant link when the link breaks down.
The spanning tree module exchanges packets periodically and considers the link failed if it has
not received a packet within a period. It then selects a new link and enables the backup
interface. In actual networking, the cause of the failure to receive packets may not be a link
fault. In this case, enabling the backup interface may lead to a loop.
Loopguard keeps the original interface status when the interface cannot receive packets within a
period.

Loopguard and link backup are mutually exclusive; in other words, loopguard is
implemented at the cost of disabling link backup.
Configure interface loop protection for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number  Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#stp loop-protection enable        Enable interface loop protection.

9.5.17 Configuring TC packet suppression


When the topology of the user access network changes, the forwarding addresses of the core
network are updated. When the topology becomes unstable, it affects the core network.
To avoid unstable topology, you can configure TC packet suppression on the interface. In this
case, after the interface receives a TC packet, it does not forward the TC packet to other
interfaces.
Configure TC packet suppression for the device as below.

Step  Command                                                            Description
1     Raisecom#configure                                                 Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number         Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-ge-1/0/*)#stp tc-restriction { enable | disable }  Configure TC packet suppression.

9.5.18 Configuring TC protection


TC protection prevents BPDU attacks related to topology change, thus enhancing security of
the device and network.
- After TC protection is enabled, the device processes received TC packets up to the
threshold within each STP Hello Time and discards TC packets beyond the threshold in
that Hello Time. The device restarts counting received TC packets from the next Hello
Time.
- After TC protection is disabled, the device processes all TC packets. When it is
attacked by massive TC packets, services may be interrupted, and the device may
malfunction due to excessive CPU utilization.
Configure TC protection for the device as below.

Step  Command                                                    Description
1     Raisecom#configure                                         Enter global configuration mode.
2     Raisecom(config)#stp tc-protection threshold threshold-value  Configure the TC protection threshold.
3     Raisecom(config)#stp tc-protection { enable | disable }    Configure TC protection.
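
An added Python model of the counting rule above (not Raisecom code): TC packets are processed up to the threshold in each Hello Time, and counting restarts in the next one. The 2 s Hello Time, the threshold of 3, interval boundaries aligned to t=0, and the traffic itself are assumptions constructed for illustration.

```python
from collections import Counter


def apply_tc_protection(events, hello_ms=2000, threshold=3, enabled=True):
    """Decide, per received TC packet, whether the device processes it.

    events: iterable of (time_ms, source).
    Returns a list of (time_ms, source, processed) in arrival order.
    """
    results, window, count = [], None, 0
    for time_ms, source in sorted(events):
        current = time_ms // hello_ms      # index of the Hello Time interval
        if current != window:              # counting restarts every Hello Time
            window, count = current, 0
        count += 1
        results.append((time_ms, source, (not enabled) or count <= threshold))
    return results


def summarize(results):
    """Count processed and discarded TC packets per source."""
    tally = Counter()
    for _, source, processed in results:
        tally[(source, "processed" if processed else "discarded")] += 1
    return dict(tally)


def constructed_events():
    """Constructed input: a 6 s burst of 50 TC packets/s plus two genuine TC packets."""
    flood = [(t, "flood") for t in range(0, 6000, 20)]
    genuine = [(2500, "genuine"), (7000, "genuine")]
    return flood + genuine


if __name__ == "__main__":
    print("disabled:", summarize(apply_tc_protection(constructed_events(), enabled=False)))
    print("enabled: ", summarize(apply_tc_protection(constructed_events(), enabled=True)))
```

In this model the genuine TC packet that arrives during the burst is discarded along with the excess, because the counter does not distinguish sources; the one that arrives after the burst is processed.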

9.5.19 Checking configurations


Use the following commands to check configuration results.

No.  Command                        Description
1    Raisecom#show stp information  Show basic configurations of STP.
2    Raisecom#show stp interface    Show STP configurations on the interface.
3    Raisecom#show stp bridge       Show information about the STP root bridge.
4    Raisecom#show stp instance     Show configurations of the MST region.

9.5.20 Maintenance
Maintain the device as below.

Command                                         Description
Raisecom(config-ge-1/0/*)#reset stp statistics  Clear statistics about spanning tree on the interface.

9.5.21 Example for configuring MSTP

Networking requirements
As shown in Figure 9-16, three devices are connected to form a ring network through MSTP,
with the region name aaa. Switch B, connected with a PC, belongs to VLAN 3. Switch C,
connected with another PC, belongs to VLAN 4. Instance 3 is associated with VLAN 3.
Instance 4 is associated with VLAN 4. Configure the priorities so that the root bridge of
instance 3 is Switch A and the root bridge of instance 4 is Switch B. In this way, packets of
VLAN 3 and VLAN 4 are forwarded respectively in two paths, which eliminates loops and
implements load balancing.

Figure 9-16 MSTP networking

Configuration steps
Step 1 Create VLAN 3 and VLAN 4 on Switch A, Switch B, and Switch C respectively, and activate
them.
Configure Switch A.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#vlan 3,4

Configure Switch B.

Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#vlan 3,4

Configure Switch C.

Raisecom#hostname SwitchC
SwitchC#configure
SwitchC(config)#vlan 3,4

Step 2 Configure GE 1/0/1 and GE 1/0/2 on Switch A to allow packets of all VLANs to pass in Trunk
mode. Configure GE 1/0/1 and GE 1/0/2 on Switch B to allow packets of all VLANs to pass
in Trunk mode. Configure GE 1/0/1 and GE 1/0/2 on Switch C to allow packets of all VLANs
to pass in Trunk mode. Configure GE 1/0/3 and GE 1/0/4 on Switch B and Switch C to allow
packets of VLAN 3 and VLAN 4 to pass in Access mode.
Configure Switch A.

SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port link-type trunk
SwitchA(config-ge-1/0/1)#port trunk allow-pass vlan all
SwitchA(config-ge-1/0/1)#exit
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#port link-type trunk
SwitchA(config-ge-1/0/2)#port trunk allow-pass vlan all
SwitchA(config-ge-1/0/2)#exit

Configure Switch B.

SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port link-type trunk
SwitchB(config-ge-1/0/1)#port trunk allow-pass vlan all
SwitchB(config-ge-1/0/1)#exit
SwitchB(config)#interface ge 1/0/2
SwitchB(config-ge-1/0/2)#port link-type trunk
SwitchB(config-ge-1/0/2)#port trunk allow-pass vlan all
SwitchB(config-ge-1/0/2)#exit
SwitchB(config)#interface ge 1/0/3
SwitchB(config-ge-1/0/3)#switchport access vlan 3
SwitchB(config-ge-1/0/3)#exit
SwitchB(config)#interface ge 1/0/4
SwitchB(config-ge-1/0/4)#switchport access vlan 4
SwitchB(config-ge-1/0/4)#exit

Configure Switch C.

SwitchC(config)#interface ge 1/0/1
SwitchC(config-ge-1/0/1)#port link-type trunk
SwitchC(config-ge-1/0/1)#port trunk allow-pass vlan all
SwitchC(config-ge-1/0/1)#exit
SwitchC(config)#interface ge 1/0/2
SwitchC(config-ge-1/0/2)#port link-type trunk
SwitchC(config-ge-1/0/2)#port trunk allow-pass vlan all
SwitchC(config-ge-1/0/2)#exit
SwitchC(config)#interface ge 1/0/3
SwitchC(config-ge-1/0/3)#switchport access vlan 3
SwitchC(config-ge-1/0/3)#exit
SwitchC(config)#interface ge 1/0/4
SwitchC(config-ge-1/0/4)#switchport access vlan 4
SwitchC(config-ge-1/0/4)#exit

Step 3 Configure spanning tree mode of Switch A, Switch B, and Switch C to MSTP, and enable
STP. Enter MSTP configuration mode, and configure the region name to aaa and revision
version to 0. Map instance 3 to VLAN 3, and instance 4 to VLAN 4. Exit MST configuration
mode.
Configure Switch A.

SwitchA(config)#stp mode mstp


SwitchA(config)#stp config-name aaa
SwitchA(config)#stp revision-level 0
SwitchA(config)#stp instance 3 vlan 3
SwitchA(config)#stp instance 4 vlan 4
SwitchA(config)#stp instance 3 priority 0
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#stp enable
SwitchA(config-ge-1/0/1)#exit
SwitchA(config)#interface ge 1/0/2
SwitchA(config-ge-1/0/2)#stp enable

Configure Switch B.

SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port link-type trunk
SwitchB(config-ge-1/0/1)#port trunk allow-pass vlan all
SwitchB(config-ge-1/0/1)#exit
SwitchB(config)#interface ge 1/0/2
SwitchB(config-ge-1/0/2)#port link-type trunk
SwitchB(config-ge-1/0/2)#port trunk allow-pass vlan all
SwitchB(config-ge-1/0/2)#exit
SwitchB(config)#interface ge 1/0/3
SwitchB(config-ge-1/0/3)#port link-type access
SwitchB(config-ge-1/0/3)#port default vlan 3

SwitchB(config-ge-1/0/3)#exit
SwitchB(config)#interface ge 1/0/4
SwitchB(config-ge-1/0/4)#port link-type access
SwitchB(config-ge-1/0/4)#port default vlan 4
SwitchB(config-ge-1/0/4)#exit

Configure Switch C.

SwitchC(config)#interface ge 1/0/1
SwitchC(config-ge-1/0/1)#port link-type trunk
SwitchC(config-ge-1/0/1)#port trunk allow-pass vlan all
SwitchC(config-ge-1/0/1)#exit
SwitchC(config)#interface ge 1/0/2
SwitchC(config-ge-1/0/2)#port link-type trunk
SwitchC(config-ge-1/0/2)#port trunk allow-pass vlan all
SwitchC(config-ge-1/0/2)#exit
SwitchC(config)#interface ge 1/0/3
SwitchC(config-ge-1/0/3)#port link-type access
SwitchC(config-ge-1/0/3)#port default vlan 3
SwitchC(config-ge-1/0/3)#exit
SwitchC(config)#interface ge 1/0/4
SwitchC(config-ge-1/0/4)#port link-type access
SwitchC(config-ge-1/0/4)#port default vlan 4
SwitchC(config-ge-1/0/4)#exit

Step 4 Configure the internal path cost of GE 1/0/1 of spanning tree instance 3 to 500000 on Switch
B.

SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#stp instance 3 path-cost 500000

Checking results
Use the show stp interface command to show the interface status of the MST region.
Take Switch C for example.

SwitchC#show stp interface

MSTID  Port      Role       State       Protection  Region
---------------------------------------------------------------------------------
0      ge-1/0/1  root       forward     --          same
0      ge-1/0/2  alternate  discarding  --          same
3      ge-1/0/1  root       forward     --          same
3      ge-1/0/2  alternate  discarding  --          same
4      ge-1/0/1  alternate  discarding  --          same
4      ge-1/0/2  root       forward     --          same
---------------------------------------------------------------------------------

9.6 Loop detection


9.6.1 Introduction
Loop detection can address the influence on the network caused by a loop, providing
self-detection, fault tolerance, and robustness.
During loop detection, an interface enabled with loop detection periodically sends loop
detection packets (Hello packets). Under normal conditions, the edge interface should not
receive any loop detection packets because loop detection is applied to the edge interface.
However, if the edge interface receives a loop detection packet, a loop is considered to have
occurred on the network. An edge interface receives a loop detection packet in two cases:
it receives a loop detection packet from itself, or it receives a loop detection packet from
another device. The two cases are told apart by comparing the MAC address of the device
with the MAC address carried in the packet.

Loop types
Common loop types include self-loop and inner loop.
As shown in Figure 9-17, Switch B and Switch C are connected to the user network.
- Self-loop: a user loop on the same Ethernet interface of the same device. User network B
has a loop, which forms a self-loop on GE 1/0/2 on Switch B.
- Inner loop: a loop formed on different Ethernet interfaces of the same device. GE 1/0/1
and GE 1/0/3 on Switch C form an inner loop with user network A.

Figure 9-17 Loop detection networking

Principles for processing loops


The device processes loops as below:
- If the device sending the loop detection packet is the one receiving the packet but the
interface sending the packet and the interface receiving the packet are different, process
the interface with the smaller interface ID to eliminate the loop (inner loop).
- If the interface sending the packet and the interface receiving the packet are the same,
process the interface to eliminate the loop (self-loop).
In Figure 9-17, assume that both Switch B and Switch C connect user network interfaces
enabled with loop detection. The system processes loops for the loop types as below:
- Self-loop: the interface sending the packet and the interface receiving the packet on
Switch B are the same, so the configured loop detection action is taken to eliminate the
loop on GE 1/0/2.
- Inner loop: Switch C receives the loop detection packets that it sent, and the interface
sending the packet and the interface receiving the packet are different, so the configured
loop detection action is taken to eliminate the loop on the interface with the smaller
interface ID, namely, GE 1/0/1.

Action for processing loops


The action for processing loops is the method that the device uses upon loop detection. You
can define different actions on the specified interface according to actual situations, including:
- Block: block the interface and send a Trap.
- Trap-only: send a Trap only.
- Shutdown: shut down the interface and send a Trap.
- Shutdown-restore: send a Trap, shut down the interface, and wait to restore.

Loop detection modes


The loop detection mode is port mode.
When a loop occurs, the system blocks the interface and sends a Trap if the loop
processing mode is Block, or shuts down the physical interface and sends a Trap if the
loop processing mode is Shutdown.
If the loop detection processing mode is Trap-only, the device sends Traps only.

Loop restoration
After an interface is shut down, you can configure automatic restoration after a specified
period.

9.6.2 Preparing for configurations

Scenario
On the network, hosts or Layer 2 devices connected to access devices may form a loop
intentionally or involuntarily. Enable loop detection on downlink interfaces on all access
devices to avoid the network congestion generated by unlimited copies of data traffic. Once a
loopback is detected on an interface, the interface will be blocked.

Prerequisite
Loopback interface, interface backup, STP, and G.8032 affect each other. We do not
recommend configuring two or more of them concurrently.

9.6.3 Default configurations of loop detection


Default configurations of loop detection are as below.

Function                                           Default value
Loop detection status                              Disable
Automatic recovery time for the blocked interface  5s
Mode for processing detected loops                 Block
Loop detection period                              1s
Loop detection mode                                vlan mode

9.6.4 Configuring loop detection

- Loop detection and STP are mutually exclusive, so only one can be enabled at a time.
- Loop detection cannot be enabled concurrently on two directly connected devices.
Configure loop detection based on interface+VLAN for the device as below.

Step  Command                                                     Description
1     Raisecom#configure                                          Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number  Enter Layer 2 physical interface configuration mode.
3     Raisecom(config-ge-1/0/*)#loopback-detect mode vlan         Configure loop detection based on VLAN.
4     Raisecom(config-ge-1/0/*)#loopback-detect vlan vlan-list    Configure the VLAN for sending packets.
5     Raisecom(config-ge-1/0/*)#loopback-detect action block      Configure the action taken for loops.
6     Raisecom(config)#loopback-detect interval interval          Configure the interval for sending packets, in units of second.
7     Raisecom(config)#loopback-detect recovery-interval interval  Configure the recovery interval, in units of second.

9.6.5 Checking configurations


Use the following commands to check configuration results.

No.  Command                                                                                    Description
1    Raisecom#show loopback-detection [ interface-type interface interface-number ] [ detail ]  Show configurations of loop detection on the interface.

9.6.6 Example for configuring inner loop detection

Networking requirements
As shown in Figure 9-18, GE 1/0/2 and GE 1/0/3 on Switch A are connected to the user
network. To avoid loops on the user network, enable loop detection on Switch A to detect
loops on the user network, and then take actions accordingly. Detailed requirements are as below:
- Enable loop detection on GE 1/0/2 and GE 1/0/3.
- Configure the interval for sending loop detection packets to 3s.
- Configure the VLAN for sending loop detection packets to VLAN 3.
- Configure the loop detection processing action to discarding, namely, sending a Trap and
blocking the interface.

Figure 9-18 Loop detection networking

Configuration steps
Step 1 Create VLAN 3, and add interfaces to VLAN 3.

Raisecom#configure
Raisecom(config)#vlan 3

Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type hybrid
Raisecom(config-ge-1/0/1)#port hybrid vlan 3 untagged
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type hybrid
Raisecom(config-ge-1/0/2)#port hybrid vlan 3 untagged
Raisecom(config-ge-1/0/2)#exit

Step 2 Configure the VLAN for sending loop detection packets, action taken for detected loops, and
period for sending loop detection packets.

Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#loopback-detect enable
Raisecom(config-ge-1/0/1)#loopback-detect action block
Raisecom(config-ge-1/0/1)#loopback-detect vlan 3
Raisecom(config-ge-1/0/1)#loopback-detect interval 3
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#loopback-detect enable
Raisecom(config-ge-1/0/2)#loopback-detect action block
Raisecom(config-ge-1/0/2)#loopback-detect vlan 3
Raisecom(config-ge-1/0/2)#loopback-detect interval 3

Checking results
Use the show loopback-detect interface command to show loop detection status.

Raisecom#show loopback-detect interface


Interface   Enable   Action   Loop-Status
------------------------------------------------------------
ge-1/0/1    enable   block    none-loop
ge-1/0/2    enable   block    none-loop
------------------------------------------------------------

9.7 Interface backup


9.7.1 Introduction
In dual uplink networking, Spanning Tree Protocol (STP) is used to block the redundant link
and implement backup. Though STP can meet users' backup requirements, it fails to meet
switching requirements. Even when Rapid Spanning Tree Protocol (RSTP) is used, the
convergence is at the second level only. This is not a satisfactory performance parameter for a
high-end Ethernet switch applied to the core of a carrier-grade network.
Interface backup, targeted at dual uplink networking, implements redundancy backup and
quick switching through working and protection lines. It ensures performance and simplifies
configurations.
Interface backup is an alternative to STP. When STP is disabled, you can realize basic link
redundancy by manually configuring interfaces. If the switch is enabled with STP, you should
disable interface backup because STP already provides similar functions.
When the primary link fails, traffic is switched to the backup link. In this way, not only is 50ms
fast switching ensured, but configurations are also simplified.

Principles of interface backup


Interface backup is implemented by configuring the interface backup group. Each interface
backup group contains a primary interface and a backup interface. The link where the
primary interface is located is called the primary link, and the link where the backup
interface is located is called the backup link. Member interfaces in the interface backup group
can be physical interfaces and LAGs, but not Layer 3 interfaces.
In the interface backup group, when one interface is in Forward status, the other interface is in
Block status. At any time, only one interface is in Forward status. When the Forward interface
fails, the Block interface is switched to the Forward status.

Figure 9-19 Principles of interface backup

As shown in Figure 9-19, GE 1/0/1 and GE 1/0/2 on Switch A are connected to their uplink
devices respectively. The interface forwarding states are shown as below:
- Under normal conditions, GE 1/0/1 is the primary interface while GE 1/0/2 is the backup
interface. GE 1/0/1 and its uplink device forward packets while GE 1/0/2 and its uplink
device do not forward packets.
- When the link between GE 1/0/1 and its uplink device fails, the backup GE 1/0/2 and its
uplink device forward packets.
- When GE 1/0/1 recovers and stays Up for a period (restore-delay), GE 1/0/1
resumes forwarding packets and GE 1/0/2 returns to standby status.
When a switching between the primary interface and the backup interface occurs, the switch
sends a Trap to the NView NNM system.

Application of interface backup in different VLANs


By applying interface backup to different VLANs, you can enable two interfaces to share
service load in different VLANs, as shown in Figure 9-20.

Figure 9-20 Networking with interface backup in different VLANs


In different VLANs, the forwarding status is shown as below:
- Under normal conditions, configure Switch A in VLANs 100–150.
- In VLANs 100–150, GE 1/0/1 is the primary interface and GE 1/0/2 is the backup
interface.
- In VLANs 151–200, GE 1/0/2 is the primary interface and GE 1/0/1 is the backup
interface.
- GE 1/0/1 forwards traffic of VLANs 100–150, and GE 1/0/2 forwards traffic of VLANs
151–200.
- When GE 1/0/1 fails, GE 1/0/2 forwards traffic of VLANs 100–200.
- When GE 1/0/1 restores normally and keeps Forward for a period (restore-delay), GE
1/0/1 forwards traffic of VLANs 100–150, and GE 1/0/2 forwards VLANs 151–200.
Interface backup is used to balance service load in different VLANs without depending on
configurations of uplink switches, thus facilitating users' operation.
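
An added Python model of the two backup groups described above (not Raisecom code), covering failover, the restore-delay, and revertive versus non-revertive restoration. The class names and the timeline are constructed for illustration; the 15 s restore-delay is the default listed in section 9.7.3.

```python
from dataclasses import dataclass, field


@dataclass
class BackupGroup:
    gid: int
    vlans: range
    master: str
    slave: str
    revertive: bool = True          # restoration mode ("reverse enable")
    restore_delay: int = 15         # seconds; default listed in 9.7.3
    active: str = ""                # interface currently in Forward status
    traps: list = field(default_factory=list)

    def __post_init__(self):
        self.active = self.master   # the primary interface forwards at start

    def _switch(self, now, new):
        # Each primary/backup switching is reported with a Trap.
        self.traps.append((now, self.gid, self.active, new))
        self.active = new

    def update(self, now, up_since):
        """up_since maps each Up interface to the time it last came Up."""
        standby = self.slave if self.active == self.master else self.master
        if self.active not in up_since:
            if standby in up_since:             # forwarding link failed: fail over
                self._switch(now, standby)
        elif (self.revertive and self.active == self.slave
              and self.master in up_since
              and now - up_since[self.master] >= self.restore_delay):
            self._switch(now, self.master)      # master stayed Up for restore-delay


class Switch:
    def __init__(self, groups, ports):
        self.groups = groups
        self.up_since = {p: 0 for p in ports}

    def event(self, now, port=None, up=True):
        """Advance to time `now`, optionally applying a link Up/Down change."""
        if port is not None:
            if up:
                self.up_since[port] = now
            else:
                self.up_since.pop(port, None)
        for g in self.groups:
            g.update(now, self.up_since)

    def forwarding(self):
        """Return {interface: set of VLANs it currently forwards}."""
        out = {}
        for g in self.groups:
            if g.active in self.up_since:
                out.setdefault(g.active, set()).update(g.vlans)
        return out


def run_scenario(revertive=True):
    """Constructed timeline: GE 1/0/1 fails at t=10 s and comes back Up at t=20 s."""
    a, b = "ge-1/0/1", "ge-1/0/2"
    sw = Switch([BackupGroup(1, range(100, 151), a, b, revertive),
                 BackupGroup(2, range(151, 201), b, a, revertive)], [a, b])
    snapshots = {}
    for now, port, up in [(0, None, True), (10, a, False), (20, a, True),
                          (30, None, True), (35, None, True)]:
        sw.event(now, port, up)
        snapshots[now] = sw.forwarding()
    traps = sorted(t for g in sw.groups for t in g.traps)
    return snapshots, traps


if __name__ == "__main__":
    snaps, traps = run_scenario()
    for t, state in snaps.items():
        print(t, {p: (min(v), max(v)) for p, v in state.items()})
    print(traps)
```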

9.7.2 Preparing for configurations

Scenario
By configuring interface backup in a dual uplink network, you can realize redundancy backup
and fast switching of the primary/backup link, and load balancing between different interfaces.
Compared with STP, interface backup not only ensures millisecond-level switching, but also
simplifies configurations.

Prerequisite
N/A

9.7.3 Default configurations of interface backup


Default configurations of interface backup are as below.

Function                Default value
Interface backup group  N/A
Restore-delay           15s
Restoration mode        Revertive mode

9.7.4 Configuring basic functions of interface backup


Configure basic functions of interface backup for the device as below.

Interface backup may interfere with STP, loop detection, and G.8032. We do not
recommend configuring them concurrently on the same interface.

Step  Command                                                                                  Description
1     Raisecom#configure                                                                       Enter global configuration mode.
2     Raisecom(config)#protect-link group group-id                                             Create a backup group.
3     Raisecom(config-protectlink-*)#protect-vlan vlan-list                                    Configure the specified VLAN list.
4     Raisecom(config-protectlink-*)#add interface interface-type interface-number role master  Specify the master interface.
5     Raisecom(config-protectlink-*)#add interface interface-type interface-number role slave   Specify the backup interface.
6     Raisecom(config-protectlink-*)#reverse { enable | disable }                              Configure restoration mode.
7     Raisecom(config-protectlink-*)#reverse time interval                                     Configure the restoration time.

- In an interface backup group, an interface is either a primary interface or a backup
interface.
- In a VLAN, an interface or a LAG cannot be a member of two interface backup
groups simultaneously.

9.7.5 Configuring FS on interfaces

After FS is successfully configured, the primary/backup link will be switched; in other
words, the current link is switched to the backup link.
Configure FS on interfaces for the device as below.

Step  Command                                       Description
1     Raisecom#configure                            Enter global configuration mode.
2     Raisecom(config)#protect-link group group-id  Enter physical interface configuration mode or aggregation group configuration mode. Take physical interface configuration mode for example.
3     Raisecom(config-protectlink-*)#manual-switch  Configure FS on the interface.

9.7.6 Checking configurations


Use the following commands to check configuration results.

No.  Command                               Description
1    Raisecom#show protect-link interface  Show status information about interface backup.
2    Raisecom#show protect-link group      Show configurations of the interface backup group.

9.7.7 Example for configuring interface backup

Networking requirements
As shown in Figure 9-21, the PC accesses the server through the Switch. To implement
reliable remote access from the PC to the server, configure an interface backup group on
Switch A and specify the VLAN list so that the two interfaces concurrently forward services
in different VLANs and balance load. Configure Switch A as below:
- Add GE 1/0/1 to VLANs 100–150 as the primary interface and GE 1/0/2 as the backup
interface.
- Add GE 1/0/2 to VLANs 151–200 as the primary interface and GE 1/0/1 as the backup
interface.
When GE 1/0/1 or its link fails, the system switches traffic to the backup interface GE 1/0/2 to
resume the link.
Switch A is required to support interface backup while other switches are not.

Figure 9-21 Interface backup networking

Configuration steps
Step 1 Create VLANs 100–400, and add GE 1/0/1 and GE 1/0/2 to these VLANs.

Raisecom#configure
Raisecom(config)#vlan 100-200
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-type trunk
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 100-200
Raisecom(config-ge-1/0/1)#exit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port link-type trunk
Raisecom(config-ge-1/0/2)#port trunk allow-pass vlan 100-200
Raisecom(config-ge-1/0/2)#exit

Step 2 Configure GE 1/0/1 as the primary interface of VLANs 100–150 and GE 1/0/2 as the backup
interface.

Raisecom(config)#protect-link group 1
Raisecom(config-protectlink-1)#protect-vlan 100-150
Raisecom(config-protectlink-1)#add interface ge 1/0/1 role master
Raisecom(config-protectlink-1)#add interface ge 1/0/2 role slave

Step 3 Configure GE 1/0/2 as the primary interface of VLANs 151–200 and GE 1/0/1 as the backup
interface.

Raisecom(config)#protect-link group 2
Raisecom(config-protectlink-2)#protect-vlan 151-200
Raisecom(config-protectlink-2)#add interface ge 1/0/2 role master
Raisecom(config-protectlink-2)#add interface ge 1/0/1 role slave

Checking results
Use the show protect-link interface command to show status of interface backup under
normal or faulty conditions.
When both GE 1/0/1 and GE 1/0/2 are Forward, GE 1/0/1 forwards traffic of VLANs 100–
150, and GE 1/0/2 forwards traffic of VLANs 151–200.

Raisecom#show protect-link interface

Interface    Group    Role      State      Status    Linkstate
--------------------------------------------------------------------------------
ge-1/0/1     1        master    forward    active    up/up
ge-1/0/2     1        slave     block      active    up/up
ge-1/0/1     2        slave     block      active    up/up
ge-1/0/2     2        master    forward    active    up/up
--------------------------------------------------------------------------------

Manually disconnect the link between Switch A and Switch B to emulate a fault. Then, GE
1/0/1 becomes Down, and GE 1/0/2 forwards traffic of VLANs 100–200.

Raisecom#show protect-link interface

Interface    Group    Role      State      Status    Linkstate
--------------------------------------------------------------------------------
ge-1/0/1     1        master    block      active    up/down
ge-1/0/2     1        slave     forward    active    up/up
ge-1/0/1     2        slave     block      active    up/down
ge-1/0/2     2        master    forward    active    up/up
--------------------------------------------------------------------------------

9.8 Interface isolation


9.8.1 Introduction
With interface isolation, you add the interfaces that need to be controlled to an interface
isolation group, which isolates Layer 2/Layer 3 data between the interfaces in that group. This
can provide physical isolation between interfaces, enhance network security, and provide a
flexible networking scheme for users.

After being configured with interface isolation, interfaces in an interface isolation group
cannot transmit packets to each other. Interfaces in and out of the interface isolation group can
communicate with each other.

9.8.2 Preparing for configurations

Scenario
Interface isolation can implement mutual isolation of interfaces in the same VLAN, enhance
network security and provide flexible networking solutions for you.

Prerequisite
N/A

9.8.3 Default configurations of interface isolation


Default configurations of interface isolation are as below.

Function Default value


Interface isolation status of each interface Disable

9.8.4 Configuring interface isolation


Configure interface isolation for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#port-isolate group group-id    Create an interface isolation group.
3    Raisecom(config-isolate-group-1)#add interface interface-type interface-number    Add interfaces to the interface isolation group.

9.8.5 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show port-isolate information    Show configurations of interface isolation.
2    Raisecom#show port-isolate group    Show configurations of the interface isolation group.


9.8.6 Example for configuring interface isolation

Networking requirements
As shown in Figure 9-22, to prevent PC 1 and PC 2 from interconnecting with each other and
to enable them to interconnect with PC 3 respectively, enable interface isolation on GE 1/0/4
and GE 1/0/2 on Switch A.

Figure 9-22 Interface isolation networking

Configuration steps
Step 1 Create an interface isolation group.

Raisecom#configure
Raisecom(config)#port-isolate group 1

Step 2 Add interfaces to the interface isolation group.

Raisecom(config-isolate-group-1)#add interface ge 1/0/4
Raisecom(config-isolate-group-1)#add interface ge 1/0/2

Checking results
Use the show port-isolate group command to show configurations of interface isolation.

Raisecom#show port-isolate group
GroupId    Ports
--------------------------------------------------------------------------------
1          ge-1/1/2 ge-1/1/4
--------------------------------------------------------------------------------

Check whether PC 1 and PC 2 can ping PC 3 successfully.
• PC 1 can ping PC 3 successfully.
• PC 2 can ping PC 3 successfully.
Check whether PC 1 can ping PC 2 successfully.
PC 1 fails to ping PC 2, so interface isolation has taken effect.

9.9 L2CP
9.9.1 Introduction
Metro Ethernet Forum (MEF) introduces service concepts, such as EPL, EVPL, EP-LAN, and
EVP-LAN. Different service types have different processing modes for Layer 2 Control
Protocol (L2CP) packets.
MEF6.1 defines processing modes for L2CP as below.
• Discard: discard the packet.
• Peer: send packets to the CPU.
• Tunnel: send packets to the MAN. It is more complex than discard and peer mode, and
combines the matching rule at network side interface and tunnel terminal at the carrier-side
interface to allow packets to pass through the carrier network.

9.9.2 Preparing for configurations

Scenario
As shown below, switch 1 and switch 2 work as the carrier network access devices, and CE 1
and CE 3 work as the user network access devices. CE 1 and CE 3 are connected with GE
1/0/1 on switch 1 and GE 1/0/2 on switch 2 respectively.
Through transparent transmission of L2 protocol packets of different user networks, the
devices on the user networks can jointly implement functions of the spanning tree.


Figure 9-23 L2CP topology

Prerequisites
N/A

9.9.3 Default configurations


Default configurations of L2CP are as below.

Function Default value


L2CP Disable

9.9.4 Configuring L2CP


Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter interface configuration mode.
3    Raisecom(config-ge-1/0/1)#l2cp { uni | nni | disable }    Enable L2CP.
     • Uni: user-side interface
     • Nni: network-side interface
     • Disable: disable the interface role.
     By default, there is no role.
4    Raisecom(config-ge-1/0/1)#l2cp known-protocol { cdp | eoam3ah | gmrp | gvrp | hgmp | lacp | lldp | pagp | stp | udld | vtp | lamp | esmc | dot1x | elmi | pvst } [ vlan vlan-id ] action tunnel group-mac mac-address    Configure the swapping rule on the UNI.
     • known-protocol: matching protocol
     • mac-address: swapped multicast MAC address
     • vlan-id: match the VLAN ID.
5    Raisecom(config-ge-1/0/1)#l2cp protocol-mac dst-mac-address [ vlan vlan-id ] action tunnel group-mac mac-address    Configure the swapping rule on the UNI.
     • dst-mac-address: matching destination MAC address
     • mac-address: swapped multicast MAC address
     • vlan-id: match the VLAN ID.
6    Raisecom(config-ge-1/0/1)#l2cp known-protocol { cdp | eoam3ah | gmrp | gvrp | hgmp | lacp | lldp | pagp | stp | udld | vtp | lamp | esmc | dot1x | elmi | pvst } action { peer | discard }    Configure the uploading or discarding rule on the UNI.
     • Known-protocol: the matching protocol name
     • Peer: send packets to the CPU.
     • Discard: discards packets.
7    Raisecom(config-ge-1/0/1)#l2cp protocol-mac dst-mac-address action { peer | discard }    Configure the uploading or discarding rule on the UNI.
     • dst-mac-address: the matching protocol name
     • Peer: send packets to the CPU.
     • Discard: discards packets.

9.9.5 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show l2cp    Show global information about L2CP.
2    Raisecom#show l2cp config    Show L2CP configurations.
3    Raisecom#show protocol statistics rx with-value    Show statistics on L2CP packets sent to the CPU.

9.9.6 Example for configuring BPDU Tunnel

Configuration steps
Step 1 Configure CE 1.

Raisecom(config)#stp enable

Step 2 Configure CE 3.

Raisecom(config)#stp enable

Step 3 Configure switch 1.

Raisecom(config-ge-1/0/1)#l2cp known-protocol stp action tunnel group-mac 01:00:0c:cd:cd:d0
Raisecom(config-ge-1/0/6)#l2cp nni

Step 4 Configure switch 2.

Raisecom(config-ge-1/0/2)#l2cp uni
Raisecom(config-ge-1/0/2)#l2cp known-protocol stp action tunnel group-mac 01:00:0c:cd:cd:d0
Raisecom(config-ge-1/0/8)#l2cp nni

Checking results
On CE 1 and CE 3, you can see information about the peer spanning tree.

9.10 BFD
9.10.1 Introduction
Bidirectional Forwarding Detection (BFD) is a unified network-wide detection mechanism
used to quickly detect and monitor the forwarding connectivity status of links or IP routers on
a network.

9.10.2 Preparing for configurations

Scenario
BFD establishes a session on two network devices to detect bidirectional forwarding paths
between network devices and serve upper-layer applications. BFD does not have a neighbor
discovery mechanism; it relies on the upper-layer application being served to supply neighbor
information so that a session can be established. After the session is established, the devices
send BFD packets periodically and quickly. If no BFD packet is received within the detection
time, BFD judges that the bidirectional forwarding path has failed, and the upper-layer
application being served is notified to take corresponding actions.

Prerequisite
N/A

9.10.3 Default configurations


Default configurations of BFD are as below.

Function    Default value
Global BFD    Disable
Sending interval    1000ms
Receiving interval    1000ms
Local detection multiples    3

9.10.4 Configuring one-arm echo for BFD


Configure one-arm echo for BFD for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#bfd start    Enable global BFD.
3    Raisecom(config)#bfd track track-id remote-ip remote-ip local-ip local-ip interface vlan vlan-id one-arm-echo    Configure the BFD session of one-arm echo.
4    Raisecom(config)#bfd track 1 remote-ip6 remote-ipv6 local-ip6 local-ipv6 interface vlan vlan-id one-arm-echo    Configure session parameters.

9.10.5 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show bfd session    Show the BFD session.
2    Raisecom#show bfd track    Show the BFD track.

9.10.6 Example for configuring single-hop BFD

Networking requirements
As shown below, configure the BFD single-hop session to detect the link status between
device A and device B.


Figure 9-24 Single-hop BFD networking

Configuration steps
Step 1 Configure the IP address and session parameters on device A.

Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config)#ip address 10.1.1.1/24
Raisecom(config)#bfd track 1 remote-ip 10.1.1.2 local-ip 10.1.1.1
Raisecom(config)#bfd track 1 min-tx 500 min-rx 600 multiplier 3

Step 2 Configure the IP address and session parameters on device B.

Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config)#ip address 10.1.1.2/24
Raisecom(config)#bfd track 1 remote-ip 10.1.1.1 local-ip 10.1.1.2
Raisecom(config)#bfd track 1 min-tx 500 min-rx 600 multiplier 4

Checking results
Use the show bfd session command to show the session status.

Raisecom#show bfd session
Interface    State    Local-Discr    Remote-Discr    local-addr    remote-addr
-------------------------------------------------------------------------------------------
vlan-1       up       1              1               10.1.1.1      10.1.1.2
-------------------------------------------------------------------------------------------


9.11 Link flap protection


9.11.1 Introduction
Link flap protection shuts down an interface that frequently switches between Up and Down,
keeps the interface Down, and prevents the network topology from changing rapidly.

9.11.2 Preparing for configurations

Scenario
Network jitter or link line failures can cause frequent up/down changes in the physical status
of local device interfaces, leading to link flaps and frequent changes in network topology,
which can affect user communication. To solve these problems, you can configure link flap
protection, which shuts down interfaces whose physical status changes between up and down
frequently, keeps them in the down status, and stops the frequent changes in the network
topology.
Link flap times: the interface status switches between up and down once, which is recorded as
one flap.
Interval for detecting link flaps: the system needs to count the number of link flaps within a
specified interval.
If the number of link flaps reaches the threshold during the interval for detecting link flaps,
the interface will be shut down.

Prerequisites
N/A

9.11.3 Default configurations of link flap protection


Default configurations of link flap protection are as below.

Function Default value


Link flap protection status Disable
Interval for detecting link flaps 10s
Link flap times 5

9.11.4 Configuring link flap protection


Configure link flap protection for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter physical interface configuration mode.
3    Raisecom(config-ge-1/0/*)#port link-flap protection { enable | disable }    Enable or disable link flap protection.
4    Raisecom(config)#port link-flap interval { 60 | default}    Configure the interval for detecting link flaps.
5    Raisecom(config)#port link-flap threshold { 7 | default}    Configure the link flap threshold.

9.11.5 Checking configurations


Use the following commands to check configuration results.

Step    Command    Description
1    Raisecom#show link-flap config    Show configurations of link flap protection.
2    Raisecom#show link-flap interface    Show information about interfaces of link flap protection.

9.11.6 Example for configuring link flap protection

Configuration steps
Configure related parameters of link flap protection on device A.

Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port link-flap protection enable
Raisecom(config-ge-1/0/1)#port link-flap interval 60
Raisecom(config-ge-1/0/1)#port link-flap threshold 7

Checking results
Use the show link-flap interface command to show configurations of link flap protection.

Raisecom#show link-flap interface
Error-down recovery interval : 0
Interface    Status    Interval    Threshold
----------------------------------------------------------------------
ge-1/0/1     enable    60          7
----------------------------------------------------------------------
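The counting rule from 9.11.2, modelled as an added example (not Raisecom code) that replays link events and reports when an interface would be shut down. It assumes every up/down state change counts as one flap and that the detection interval is a sliding window; the event tuples are constructed sample data.

```python
from collections import deque

DEFAULT_INTERVAL_S = 10   # default "Interval for detecting link flaps" (9.11.3)
DEFAULT_THRESHOLD = 5     # default "Link flap times" (9.11.3)

# Constructed events: (time in seconds, interface, link state).
EVENTS = [
    (0, "ge-1/0/1", "up"), (1, "ge-1/0/1", "down"), (2, "ge-1/0/1", "up"),
    (3, "ge-1/0/1", "down"), (4, "ge-1/0/1", "up"), (5, "ge-1/0/1", "down"),
    (6, "ge-1/0/1", "up"), (7, "ge-1/0/1", "down"),
    (0, "ge-1/0/2", "up"), (20, "ge-1/0/2", "down"),
    (50, "ge-1/0/2", "up"), (80, "ge-1/0/2", "down"),
]


def shutdown_times(events, interval=DEFAULT_INTERVAL_S, threshold=DEFAULT_THRESHOLD):
    """Return {interface: time} for each interface whose flap count reaches
    `threshold` within `interval` seconds (sliding window, an assumption)."""
    last_state = {}   # interface -> last observed state
    windows = {}      # interface -> deque of recent flap timestamps
    shut = {}         # interface -> time the threshold was reached

    for ts, ifname, state in sorted(events):
        if ifname in shut:
            continue  # already shut down, later events are ignored
        prev = last_state.get(ifname)
        last_state[ifname] = state
        if prev is None or prev == state:
            continue  # first observation or repeated state: not a flap

        win = windows.setdefault(ifname, deque())
        win.append(ts)
        # Drop flaps that are older than the detection interval.
        while win and ts - win[0] >= interval:
            win.popleft()
        if len(win) >= threshold:
            shut[ifname] = ts
    return shut


if __name__ == "__main__":
    print("defaults (10 s, 5 flaps):", shutdown_times(EVENTS))
    print("example (60 s, 7 flaps): ", shutdown_times(EVENTS, interval=60, threshold=7))
```

Running the same events through both parameter sets shows how the 60 s / 7 setting from the example above tolerates two more state changes on ge-1/0/1 than the defaults before the interface is shut down.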


9.12 Interface loopback


9.12.1 Introduction
Before the network fails or a device provides services, the connectivity and network quality
between the device and other devices can be detected through the interface loopback
command on the device.

9.12.2 Preparing for configurations

Scenario
Before the device provides services, to ensure the connectivity of the link, you can configure
interface loopback on the device. The testing instrument sends test packets to the testing
interface on the device, and the device swaps the source MAC address and destination MAC
address in the test packets and loops the test packets back from the interface to the testing
instrument. In this way, you can obtain network connectivity and network quality information
between the device and the testing instrument.

Prerequisite
N/A

9.12.3 Default configurations of interface loopback


Default configurations of interface loopback are as below.

Function Default value


Interface loopback Disable
Interface loopback period N/A

9.12.4 Configuring interface loopback


Configure interface loopback for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter physical interface configuration mode.
3    Raisecom(config-ge-1/0/*)#loopback-mode {none | remote} [ interval interval ]    Configure the interface loopback mode and test duration.

9.12.5 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show interface loop-status    Show configurations and the status of interface loopback.

9.12.6 Example for configuring interface loopback

Configuration steps
Configure interface loopback.

Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#loopback-mode remote

Checking results
Use the show interface loop-status command to show information about interface loopback.

Raisecom(config-ge-1/0/1)#show interface loop-status


Interface Mode HoldTime(min)
------------------------------------------------------------
ge-1/0/1 remote forever
ge-1/0/2 none forever
ge-1/0/3 none forever
ge-1/0/4 none forever
ge-1/0/5 none forever
ge-1/0/6 none forever
ge-1/0/7 none forever
ge-1/0/8 none forever
ge-1/0/9 none forever
ge-1/0/10 none forever
ge-1/0/11 none forever
ge-1/0/12 none forever
------------------------------------------------------------


10 System management

This chapter describes basic principles and configuration procedures for system management
and maintenance, and provides related configuration examples, including the following
sections:
• SNMP
• RMON
• LLDP
• Port mirroring
• Cable diagnosis
• UDLD
• Optical module DDM
• System log
• Alarm management
• CPU monitoring
• Memory monitoring
• PING
• Trace
• Hardware monitoring
• Fan monitoring
• ISF
• MAD
• NQA
• POE
• USB flash disk deployment
• Patching
• Periodically backing up configurations


10.1 SNMP
10.1.1 Introduction
Simple Network Management Protocol (SNMP) is designed by the Internet Engineering Task
Force (IETF) to resolve problems in managing network devices connected to the Internet.
Through SNMP, a network management system can manage all network devices that support
SNMP, including monitoring network status, modifying configurations of a network device,
and receiving network alarms. SNMP is the most widely used network management protocol
in TCP/IP networks.

Principles
An SNMP system consists of two parts: the Agent and the NView NNM system. The Agent and
the NView NNM system communicate through SNMP packets sent through UDP. Figure 10-1
shows the SNMP principle.

Figure 10-1 Principles of SNMP

The Raisecom NView NNM system can provide friendly Human Machine Interface (HMI) to
facilitate network management. The following functions can be implemented through it:
• Send request packets to the managed device.
• Receive reply packets and Trap packets from the managed device, and show the result.
The Agent is a program installed on the managed device, implementing the following
functions:
• Receive request packets from the NView NNM system and reply to them.
• Read/write packets and generate reply packets according to the packet type, then return
the result to the NView NNM system.
• Define trigger conditions according to protocol modules, such as entering/exiting the system
or restarting the device; when the conditions are satisfied, the replying module sends Trap
packets to the NView NNM system through the Agent to report the current status of the device.

An Agent can be configured with several versions, and different versions communicate with
different NMSs. But the SNMP version of the NMS must be consistent with that of the
connected Agent so that they can intercommunicate properly.


Version of protocol
Till now, SNMP has three versions: v1, v2c, and v3, described as below.
• SNMPv1 uses the community name authentication mechanism. The community name, a
string defined by an agent, acts like a secret. The network management system can visit
the agent only by specifying its community name correctly. If the community name
carried in an SNMP packet is not accepted by the device, the packet will be discarded.
• Compatible with SNMPv1, SNMPv2c also uses the community name authentication
mechanism. SNMPv2c supports more operation types, data types, and error codes, and
thus identifies errors better.
• SNMPv3 uses the User-based Security Model (USM) authentication mechanism. You can
configure whether USM authentication is enabled and whether encryption is enabled to
provide higher security. The USM authentication mechanism allows authenticated senders
and prevents unauthenticated senders. Encryption is used to encrypt packets transmitted
between the network management system and agents, thus preventing interception.
The device supports v1, v2c, and v3 of SNMP.

MIB
Management Information Base (MIB) is the collection of all objects managed by the NMS. It
defines attributes for the managed objects:
• Name
• Access right
• Data type
The device-related statistic contents can be reached by accessing data items. Each proxy has
its own MIB. MIB can be taken as an interface between NMS and Agent, through which NMS
can read/write every managed object in Agent to manage and monitor the device.
MIB stores information in a tree structure whose root is at the top and has no name. Nodes of
the tree are the managed objects, each identified by a unique path starting from the root (OID).
SNMP packets can access network devices by checking the nodes in the MIB tree directory.
The device supports standard MIB and Raisecom-customized MIB.

10.1.2 Preparing for configurations

Scenario
To log in to the device through NMS, configure SNMP basic functions for the device in
advance.

Prerequisite
Configure the routing protocol and ensure that the route between the device and NMS is
reachable.

10.1.3 Default configurations of SNMP


Default configurations of SNMP are as below.


Function    Default value
SNMP service    Disabled by default. You need to enable it.
SNMP view    Internet views (default)
SNMP community    public and private communities (default)
SNMP access group    Not existing (default)
SNMP user    Not existing (default)
Mapping relationship between SNMP user and access group    N/A
Logo and the contact method of the administrator    support@Raisecom.com
Device physical location    World China Raisecom
Trap    Enable
SNMP target host address    N/A
SNMP engine ID    800022B603000000111233

10.1.4 Configuring basic functions of SNMPv1/SNMPv2c


To protect itself and prevent its MIB from unauthorized access, the SNMP Agent uses the
concept of community. Management stations in the same community must use the community
name in all Agent operations, or their requests will not be accepted.
Different community names (SNMP strings) identify different groups. Different
communities can have read-only or read-write access permission. Groups with read-only
permission can only query the device information, while groups with read-write access
permission can configure the device in addition to querying the device information.
SNMPv1/SNMPv2c uses the community name authentication scheme, and SNMP packets
whose community name is inconsistent with the configured community name are discarded.
Configure basic functions of SNMPv1/SNMPv2c for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#snmp server { start | stop }    Start SNMP Server.
3    Raisecom(config)#snmp mib-view view-name { included | excluded } oid-tree { mask subtree-mask }    Create an SNMP view, and configure MIB variable range. The default view is internet view. The MIB variable range contains all MIB variables below "1.3.6" node of MIB tree.
4    Raisecom(config)#snmp community { read | write } { cipher | plain } community-name { mib-view view-name | acl-ipv4 acl-ipv4-number | acl-ipv6 acl-ipv6-number }    Create a community name, and configure the corresponding view and authority. Use default view internet if mib view view-name option is empty.

10.1.5 Configuring basic functions of SNMPv3


SNMPv3 uses the User-based Security Model (USM) authentication mechanism. USM introduces
the concept of access group: one or more users correspond to one access group, each access
group is configured with the related read, write, and announce views, and users in the access
group have access permission within these views. The access group of the user that sends a
Get or Set request must have the permission corresponding to the request; otherwise, the
request will not be accepted.
As shown in Figure 10-2, for the network management station to access the switch normally
through SNMPv3, the configuration is as below.
• Configure users.
• Check the access group to which the user belongs.
• Configure view permission for access groups.
• Create views.

Figure 10-2 SNMPv3 authentication mechanism

Configure basic functions of SNMPv3 for the device as below.


Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#snmp mib-view view-name { included | excluded } oid-tree { mask subtree-mask }    Create an SNMP view, and configure MIB variable range. The default view is internet view. The MIB variable range contains all MIB variables below "1.3.6" node of MIB tree.
3    Raisecom(config)#snmp group group-name { authentication | privacy | noauthentication } { read-view read-view-name | write-view write-view-name | notify-view notify-view-name }    Configure the access group.
4    Raisecom(config)#snmp user user-name group group-name authentication { md5 | sha } authpassword privacy { des | aes } privkeypassword    Create a user account, bind it to a group, and configure the authentication and encryption.
5    Raisecom(config)#snmp user user-name group group-name authentication { md5 | sha } authpassword    Create a user account, bind it to a group, and configure the authentication mode.
6    Raisecom(config)#snmp user user-name group group-name { acl-ipv4 acl-ipv4-number | acl-ipv6 acl-ipv6-number }    Create a user account, and bind it to an access group.

10.1.6 Configuring other information about SNMP


SNMPv1, SNMPv2c, and SNMPv3 support configuring the following information.
Configure other information about SNMP for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#snmp contact string    Configure the contact method.
3    Raisecom(config)#snmp location location-string    Specify the physical location of the device.
4    Raisecom(config)#snmp auth-fail-reply { enable | disable }    Configure whether to send the SNMP response packet upon authentication failure.
5    Raisecom(config)#snmp auth-trap { enable | disable }    Configure whether to enable authentication Trap.
6    Raisecom(config)#snmp fail-count fail-count-value    Configure the count of SNMP authentication failures.
7    Raisecom(config)#snmp reauth-interval reauth-interval-value    Configure the SNMP re-authentication time.
8    Raisecom(config)#snmp packet max-size { size-value | default }    Configure the maximum length of received and sent SNMP packets.
9    Raisecom(config)#snmp reply-source-ip { enable | disable }    Configure the IP address to be input as the source IP address of the response packet.
10    Raisecom(config)#snmp udp-port { port-number | default }    Configure the SNMP port number.

10.1.7 Configuring Trap

Trap configurations on SNMPv1, SNMPv2c, and SNMPv3 are identical except for
Trap target host configurations. Configure Trap as required.
The device supports sending Trap to multiple target hosts after they are configured
on the device.
Trap is unrequested information sent by the device to the NMS automatically, which is used to
report some critical events.
Before configuring Trap, you need to perform the following configurations:
• Configure basic functions of SNMP. For SNMPv1/v2c, configure the community name;
for SNMPv3, configure the user name and SNMP view.
• Configure the routing protocol and ensure that the route between the device and NMS is
available.
Configure SNMP Trap for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#snmp server { start | stop }    Start SNMP Server.
3    Raisecom(config)#snmp trap-host ip-address { v1 | v2 } [ port port-id | securityname security-name ] *    Configure the SNMPv1 or SNMPv2c Trap target host (IPv4).
4    Raisecom(config)#snmp-ipv6 trap-host ipv6-address { v1 | v2 } [ port port-id | securityname security-name ] *    Configure the SNMPv1 or SNMPv2c Trap target host (IPv6).
5    Raisecom(config)#snmp trap-host ip-address v3 { authentication | privacy } securityname security-name [ port port-id ]    Configure the SNMPv3 Trap target host (IPv4).
6    Raisecom(config)#snmp-ipv6 trap-host ipv6-address v3 { authentication | privacy } securityname security-name [ port port-id ]    Configure the SNMPv3 Trap target host (IPv6).

10.1.8 Checking configurations


Use the following commands to check configuration results.

No.   Command                                         Description
1     Raisecom#show snmp information                  Show SNMP basic configurations, including the
                                                      local SNMP engine ID, logo and contact method
                                                      of the administrator, physical location of
                                                      the device, Trap status, SNMP service status,
                                                      and SNMP service port number.
2     Raisecom#show snmp group                        Show configurations of the SNMP access group.
3     Raisecom#show snmp community                    Show configurations of the SNMP community.
4     Raisecom#show snmp config                       Show basic configurations of SNMP.
5     Raisecom#show snmp trap-host                    Show Trap target host information.
6     Raisecom#show snmp statistics                   Show SNMP statistics.
7     Raisecom#show snmp user                         Show information about SNMP users.
8     Raisecom#show snmp mib-view                     Show information about SNMP views.

10.1.9 Example for configuring SNMPv1/SNMPv2c and Trap

Networking requirements
As shown in Figure 10-3, the route between the NView NNM system and the device is
available. The NView NNM system can view the MIB in the view corresponding to the
remote switch through SNMPv1/SNMPv2c, and the device can automatically send Traps to the
NView NNM system in an emergency.


Figure 10-3 SNMPv1/SNMPv2c networking

Configuration steps
Step 1 Configure the IP address of the device.

Raisecom#configure
Raisecom(config)#interface meth 0/0/0
Raisecom(config-meth-0/0/0)#ip address 192.168.62.100/24
Raisecom(config-meth-0/0/0)#quit

Step 2 Start SNMP Server.

Raisecom(config)#snmp server start

Step 3 Configure Trap sending.

Raisecom(config)#snmp trap-host 192.168.62.1 v2

Checking results
Use the show ip interface command to show configurations of the IP address.

Raisecom#show ip interface
Total number: 2
Interface      State(a/o)   Addr/Prefix          Role      Type     Vpn-instance
----------------------------------------------------------------------------------
loopback-0     up/up        127.0.0.1/8          primary   auto     N/A
meth-0/0/0     up/up        192.168.62.100/24    primary   static   N/A
----------------------------------------------------------------------------------


Use the show snmp config command to show SNMP configurations.

Raisecom#show snmp config

Software Version: SNMP_VL3.00.00.00


!
snmp server start
snmp trap-host 192.168.62.1 securityname AJ35Grrnpx3xRv_UdbJBiGsl3Dwxp932il5pfsKvs8X-GN6R49ihEydRaxBXkM5V-w

Use the show snmp trap-host command to show configurations of the target host.

Raisecom#show snmp trap-host

Trap-host : 192.168.62.1
--------------------------------------------------------------------------------
Status : ACTIVE
Udp Port : 162
MP Modle : V2
Security Level : None
Security Name : AJ35Grrnpx3xRv_UdbJBiGsl3Dwxp932il5pfsKvs8X-GN6R49ihEydRaxBXkM5V-w
Vpn Instance Name : public
--------------------------------------------------------------------------------

10.1.10 Example for configuring SNMPv3 and Trap

Networking requirements
As shown in Figure 10-4, the route between the NView NNM system and the device is available,
the NView NNM system monitors the Agent through SNMPv3, and the device can automatically send
Traps to the NView NNM system when the Agent is in an emergency.
By default, there is VLAN 1 on the device and all physical interfaces belong to VLAN 1.

Figure 10-4 SNMPv3 and Trap networking

Configuration steps
Step 1 Configure the IP address of the device.


Raisecom#configure
Raisecom(config)#interface meth 0/0/0
Raisecom(config-meth-0/0/0)#ip address 192.168.62.100/24
Raisecom(config-meth-0/0/0)#quit

Step 2 Configure SNMPv3 access.


Start SNMP Server.

Raisecom(config)#snmp server start

Create an access group named g1. The security level is authentication without encryption.

Raisecom(config)#snmp group g1 authentication

Create a user named u1. The security level is authentication without encryption. Bind it with
group g1. Use the MD5 algorithm. The password is raisecom.

Raisecom(config)#snmp user u1 group g1 authentication md5 raisecom

Step 3 Configure Trap sending. The trap-host type must be identical to the user authentication
type; the types do not contain one another.

Raisecom(config)#snmp trap-host 192.168.62.1 v3 authentication securityname u1

Checking results
Use the show snmp group command to show configurations of the SNMP access group.

Raisecom#show snmp group


Group   Security     ReadView   WriteView   NotifyView
--------------------------------------------------------
g1      authNoPriv   internet   -           -
--------------------------------------------------------


Use the show snmp user command to show mapping between users and access groups.

Raisecom#show snmp user


User    Group   Auth   Priv      Filter
-----------------------------------------
u1      g1      MD5    no-priv   N/A
-----------------------------------------

Use the show snmp trap-host command to show configurations of the Trap target host.

Raisecom#show snmp trap-host


Trap-host : 192.168.62.1
--------------------------------------------------------------------------------
Status : ACTIVE
Udp Port : 162
MP Modle : V3
Security Level : Auth
Security Name : u1
Vpn Instance Name : public
--------------------------------------------------------------------------------

Use the show snmp config command to show all configurations.

Raisecom#show snmp config


Software Version: SNMP_VL3.00.00.00
!
snmp server start
snmp trap-host 192.168.62.1 v3 authentication securityname u1
snmp group g1 authentication
snmp user u1 group g1 authentication md5 ACs87nMCx4RbzvvPS5lo3zDtbzu5xyzSZaDGmHOuqsc0
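
The two show snmp config outputs above carry the settings that decide how Traps are protected in transit: a trap-host stored without v3 is SNMPv1/SNMPv2c, and authentication without privacy is authenticated but unencrypted SNMPv3. The audit script below is an added example, not Raisecom code; the function name, severity labels, and placeholder strings are assumptions, and it assumes a privacy-level group would carry the keyword privacy as the trap-host syntax does.

```python
"""Audit 'show snmp config' output for weak SNMP transport settings."""

# Constructed sample: the "show snmp config" lines from sections 10.1.9 and
# 10.1.10 combined, with the device-encoded strings replaced by placeholders.
SAMPLE_CONFIG = """\
Software Version: SNMP_VL3.00.00.00
!
snmp server start
snmp trap-host 192.168.62.1 securityname <ENCODED-COMMUNITY>
snmp trap-host 192.168.62.1 v3 authentication securityname u1
snmp group g1 authentication
snmp user u1 group g1 authentication md5 <ENCODED-PASSWORD>
"""


def audit_snmp_config(text):
    """Return (line_number, severity, message) for each weak setting found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] not in ("snmp", "snmp-ipv6"):
            continue  # banner, "!" separator, unrelated commands
        kind, args = tokens[1], tokens[2:]

        if kind == "trap-host":
            host = args[0]
            if "v3" not in args:
                # The SNMPv2c example is stored without a version keyword.
                findings.append((lineno, "high",
                                 f"trap-host {host}: SNMPv1/v2c Trap, sent in "
                                 "cleartext with only a community string"))
            elif "privacy" not in args:
                findings.append((lineno, "medium",
                                 f"trap-host {host}: SNMPv3 authentication "
                                 "only, Trap contents are not encrypted"))

        elif kind == "group" and "privacy" not in args:
            # Assumption: a privacy-level group carries the keyword "privacy".
            findings.append((lineno, "medium",
                             f"group {args[0]}: authentication without "
                             "encryption (authNoPriv)"))

        elif kind == "user" and "md5" in args:
            findings.append((lineno, "medium",
                             f"user {args[0]}: authenticates with the legacy "
                             "MD5 algorithm"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {lineno}: [{severity}] {message}")
```

Feed the function the text captured from show snmp config; a configuration whose trap-hosts all use v3 with privacy returns no trap-host findings.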

10.2 RMON
10.2.1 Introduction
Remote Network Monitoring (RMON) is a standard defined by the Internet Engineering Task
Force (IETF) for monitoring network data through different network Agents and the NMS.
RMON is built on the SNMP architecture, which includes the NView NNM system and the
Agent running on network devices. On top of SNMP, RMON adds subnet traffic statistics and
analysis so that one segment, or the whole network, can be monitored, whereas SNMP can
monitor only part of the information about a single device and has difficulty monitoring a
segment.
The RMON Agent is commonly referred to as the probe program. The RMON Probe collects
communication subnet statistics and performs performance analysis. Whenever it finds a
network failure, the RMON Probe reports it to the NView NNM system and describes the
information captured under the abnormal circumstances, so that the NView NNM system does
not need to poll the device constantly. Compared with SNMP, RMON monitors remote devices
more actively and more effectively, so network administrators can track down network,
segment, or device malfunctions more quickly. This method reduces the data flow between
the NView NNM system and the Agent, makes it possible to manage large networks simply and
powerfully, and makes up for the limitations of SNMP in a growing distributed Internet.
RMON Probe collects data in the following modes:
• Distributed RMON. The NMS obtains network management information and controls
network resources directly from a dedicated RMON Probe that collects the data.
• Embedded RMON. The RMON Agent is embedded directly in network devices (such as
switches) to give them the RMON Probe function. The NMS collects network management
information through basic SNMP operations and by exchanging data with the RMON Agent.
The Raisecom device is embedded with RMON. As shown in Figure 10-5, the device
implements the RMON Agent function. Through this function, the management station can
obtain the overall traffic, error statistics, and performance statistics of the segment
connected to the managed network device interface, and so monitor that segment.

Figure 10-5 RMON networking

The RMON MIB is divided into nine groups by function. Currently, four function groups are
implemented: the statistics group, history group, alarm group, and event group.
• Statistics group: collects statistics on each interface, including the number of received
packets and the packet size distribution.
• History group: similar to the statistics group, but collects statistics only in an assigned
detection period.
• Alarm group: monitors an assigned MIB object, with an upper threshold and a lower
threshold configured for an assigned interval, and triggers an event if the monitored object
reaches a threshold value.
• Event group: works with the alarm group. When an alarm triggers an event, it records
the event, for example by sending a Trap, and writes the event into the log.


10.2.2 Preparing for configurations

Scenario
RMON helps monitor and account for network traffic.
Compared with SNMP, RMON is a more efficient monitoring method. After you specify the
alarm threshold, the device actively sends alarms when the threshold is exceeded, without
the variable information having to be queried. This helps reduce the traffic between the
Central Office (CO) and managed devices and facilitates network management.

Prerequisite
The route between the device and the NView NNM system is reachable.

10.2.3 Default configurations of RMON


Default configurations of RMON are as below.

Function           Default value
Statistics group   N/A
History group      Disable
Alarm group        N/A
Event group        N/A

10.2.4 Configuring RMON statistics


RMON statistics is used to gather statistics on an interface, including the number of received
packets, undersized/oversized packets, collision, CRC and errors, discarded packets,
fragments, unicast packets, broadcast packets, multicast packets, and received packet size.
Configure RMON statistics for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#interface interface-type       Enter interface configuration mode.
      interface-number
3     Raisecom(config-ge-1/0/*)#rmon statistics       Enable RMON statistics on an interface and
      index-number [ owner owner-name ]               configure related parameters.


When using the no rmon statistics index-number command on the interface to disable RMON
statistics on an interface, you cannot continue to obtain the interface statistics, but the
interface can still count data.

10.2.5 Configuring RMON history statistics


Configure RMON history statistics for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#interface interface-type       Enter interface configuration mode.
      interface-number
3     Raisecom(config-ge-1/0/*)#rmon history          Enable RMON history statistics on an
      index-number bucket buckets-number interval     interface and configure related parameters.
      sampling-interval [ owner owner-name ]

When you use the no rmon history index-number command on the interface to disable RMON
history statistics on an interface, the interface stops counting data and all historical
data collected previously is cleared.

10.2.6 Configuring the RMON alarm group


Configure one RMON alarm group instance (alarm-id) to monitor one MIB variable (object-id).
When the monitored value exceeds the defined threshold, an alarm event is generated, and
the device records a log or sends a Trap to the network management station according to
the definition of the alarm event.
The monitored MIB variable must exist, and its data value type must be correct.
• If the configured variable does not exist or its value type is incorrect, an error is
returned.
• If the variable of a successfully configured alarm cannot be collected later, the alarm is
closed; reconfigure the alarm if you want to monitor the variable again.
An alarm is triggered as soon as its condition is matched, provided that the event for the
upper or lower limit is configured in the event table. If the alarm events related to the
upper and lower limits (rising-event-id, falling-event-id) are not configured in the event
table, no alarm is generated even if the alarm conditions are met.
Configure the RMON alarm group for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#rmon alarm alarm-id object-id  Add alarm instances to the RMON alarm group
      query-interval { absolute | delta }             and configure related parameters.
      rising-threshold rising-threshold rising-event
      falling-threshold falling-threshold
      falling-event { startup-alarm { rising |
      falling | risingorfalling } | owner
      owner-name }

10.2.7 Configuring the RMON event group


Configure the RMON event group for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#rmon event event-id            Add events to the RMON event group and
      { log | trap | both } { description string |    configure processing modes of events.
      owner owner-name }

10.2.8 Checking configurations


Use the following commands to check configuration results.

No.   Command                                         Description
1     Raisecom#show rmon config                       Show RMON configurations.
2     Raisecom#show rmon alarm                        Show information about RMON alarm groups.
3     Raisecom#show rmon event                        Show information about RMON event groups.
4     Raisecom#show rmon statistics                   Show information about RMON statistics groups.
5     Raisecom#show rmon history                      Show information about RMON history statistics
                                                      groups.
6     Raisecom#show rmon history index-number         Show information about the specified RMON
                                                      history statistics group.
7     Raisecom#show rmon history statistics           Show statistics on the specified RMON history
                                                      statistics group.
8     Raisecom#show rmon log                          Show log information about the RMON event
                                                      group.


10.2.9 Example for configuring the RMON alarm group

Networking requirements
As shown in Figure 10-6, the device is the Agent. It is connected to a terminal through the
Console interface and to the remote NView NNM system through the Internet. Enable RMON
statistics and gather performance statistics on GE 1/0/1. When the number of packets
received on GE 1/0/1 exceeds the threshold in a period, logs are recorded and a Trap is sent.

Figure 10-6 RMON networking

Configuration steps
Step 1 Create an event with index ID 1, used to record and send logs, with the description
string Falling-etherStatsBroadcastPkts. The owner of the logs is system.

Raisecom#configure
Raisecom(config)#rmon event 1 both description Falling-etherStatsBroadcastPkts owner system

Step 2 Create a statistics table on interface GE 1/0/1. Its owner is system.

Raisecom(config-ge-1/0/1)#rmon statistics 1 owner system

Step 3 Create an alarm item with index ID 10, used to monitor the MIB variable
etherStatsBroadcastPkts.1, namely, 1.3.6.1.2.1.16.1.1.1.6.1, every 20s. If the variable
rises above 100 or falls below 15, the Trap alarm is triggered. The owner of the alarm
message is also system.

Raisecom(config)#rmon alarm 10 1.3.6.1.2.1.16.1.1.1.6.1 20 absolute rising-threshold 100 1 falling-threshold 15 1 owner system


Checking results
Use the show rmon alarm command to check whether there is information about event group
events on the device.

Raisecom#show rmon alarm


RMON Alarm :10
Interval:20
Source OID:1.3.6.1.2.1.16.1.1.1.6.1
Sample Type:absolute value
Alarm Value:0
Startup Alarm:risingOrFallingAlarm
Rising Threshold:100
Rising Event:1
Falling Threshold:15
Falling Event:1
Owner:system
Status:valid

Use the show rmon event command to check whether there is information about alarm group
on the device.

Raisecom#show rmon event


RMON Event :1
Type:trap&log
Status:valid
Lastsent time:0 days 12 hours 6 minutes 1 seconds
Description:Falling-etherStatsBroadcastPkts
Owner:system

Use the show rmon log command to check whether there is log information about event
records on the device.

Raisecom#show rmon log


RMON Log:1/1
Time:0 days 12 hours 6 minutes 1 seconds
Description:alarm falling 10,1.3.6.1.2.1.16.1.1.1.6.1,1,0,15

When an alarm event is triggered, you can also check related information in the alarm
management part of the NView NNM system.
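
The following added example (not Raisecom code) models the rising/falling threshold check described in 10.2.6, assuming the device follows the standard RMON alarm behavior of RFC 2819, in which a direction that has fired is re-armed only after the opposite threshold is reached. It reproduces the falling event in the show rmon log output above and shows that absolute sampling of an ever-increasing counter such as etherStatsBroadcastPkts raises the rising alarm once, while delta sampling follows the per-interval growth. The class name, function names, and counter readings are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RmonAlarm:
    """One alarm entry, using the keywords of the rmon alarm command."""
    rising_threshold: int
    falling_threshold: int
    sample_type: str = "absolute"            # "absolute" or "delta"
    startup_alarm: str = "risingorfalling"   # "rising", "falling", "risingorfalling"

    def samples(self, readings):
        """Yield (poll_index, value) pairs as the alarm compares them."""
        if self.sample_type == "absolute":
            yield from enumerate(readings)
        elif self.sample_type == "delta":
            # A delta sample needs two polls, so the first value appears at poll 1.
            for i in range(1, len(readings)):
                yield i, readings[i] - readings[i - 1]
        else:
            raise ValueError(f"unknown sample type: {self.sample_type}")

    def evaluate(self, readings):
        """Return the (poll_index, direction, value) events the alarm raises."""
        events, previous, last_fired = [], None, None
        for index, value in self.samples(readings):
            first = previous is None
            rising = value >= self.rising_threshold and (
                first or previous < self.rising_threshold)
            falling = value <= self.falling_threshold and (
                first or previous > self.falling_threshold)
            if first:
                # The startup alarm setting decides what the first sample may raise.
                rising = rising and self.startup_alarm in ("rising", "risingorfalling")
                falling = falling and self.startup_alarm in ("falling", "risingorfalling")
            # Hysteresis: the same direction cannot fire twice in a row.
            if rising and last_fired != "rising":
                last_fired = "rising"
                events.append((index, "rising", value))
            elif falling and last_fired != "falling":
                last_fired = "falling"
                events.append((index, "falling", value))
            previous = value
        return events


# Constructed readings of etherStatsBroadcastPkts.1, one per 20 s poll.
BROADCAST_COUNTER = [0, 40, 130, 400, 900, 905, 910]

ABSOLUTE = RmonAlarm(100, 15, "absolute")   # thresholds and type from Step 3
DELTA = RmonAlarm(100, 15, "delta")         # same thresholds, per-interval growth

if __name__ == "__main__":
    for name, alarm in (("absolute", ABSOLUTE), ("delta", DELTA)):
        for index, direction, value in alarm.evaluate(BROADCAST_COUNTER):
            print(f"{name:8} poll {index}: alarm {direction}, value {value}")
```

With absolute sampling the counter never drops back to 15, so the later burst between polls 2 and 4 raises nothing further; the delta alarm reports both the burst and its end.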


10.3 LLDP
10.3.1 Introduction
As networks grow in scale and the number of network devices increases, the network topology
becomes more and more complex and network management becomes more important. Much
network management software uses an auto-detection function to trace changes in the network
topology, but most of it can analyze only the Layer 3 network and cannot determine which
interfaces are connected to other devices.
The Link Layer Discovery Protocol (LLDP) is based on the IEEE 802.1AB standard. With it,
the NMS can quickly grasp the Layer 2 network topology and its changes.
LLDP organizes the local device information into different Type Length Value (TLV) units,
encapsulates them in a Link Layer Discovery Protocol Data Unit (LLDPDU), and transmits it
to the directly connected neighbor. It also saves the information received from neighbors
in a standard Management Information Base (MIB) so that the NMS can query it and judge the
link communication status.

LLDP packet
An LLDP packet is an Ethernet packet that encapsulates an LLDPDU in its data unit and is
transmitted by multicast.
The LLDPDU is the data unit of LLDP. The device encapsulates local information in TLVs
before forming the LLDPDU; several TLVs are then combined into one LLDPDU, which is
encapsulated in the Ethernet data for transmission.
As shown in Figure 10-7, an LLDPDU is made up of several TLVs, including 4 mandatory TLVs
and several optional TLVs.

Figure 10-7 Structure of a LLDPDU

As shown in Figure 10-8, each TLV denotes a piece of local information. For example, the
device ID and interface ID correspond to the Chassis ID TLV and Port ID TLV respectively,
which are fixed TLVs.

Figure 10-8 Structure of a TLV packet

Table 10-1 lists TLV types. At present only types 0–8 are used.

Table 10-1 TLV types


TLV type   Description             Optional/Required
0          End Of LLDPDU           Required
1          Chassis ID              Required
2          Interface number        Required
3          Time To Live            Required
4          Interface description   Optional
5          System name             Optional
6          System description      Optional
7          System capabilities     Optional
8          Management address      Optional

Organization-defined TLVs are optional TLVs and are advertised in the LLDPDU as required.
Table 10-2 and Table 10-3 list common organization-defined TLVs.

Table 10-2 IEEE 802.1 organization-defined TLVs


Type                            Description
Port VLAN ID TLV                VLAN ID on the interface
Port And Protocol VLAN ID TLV   Protocol VLAN ID on the interface
VLAN Name TLV                   VLAN name on the interface
Protocol Identity TLV           Type of the protocol supported by the interface

Table 10-3 IEEE 802.3 organization-defined TLVs


Type                               Description
MAC/PHY Configuration/Status TLV   Rate and duplex mode of the interface, whether
                                   auto-negotiation is supported or enabled
Power Via MDI TLV                  Power supply capability on the interface
Link Aggregation TLV               Link aggregation capability on the interface and current
                                   link aggregation status
Maximum Frame Size TLV             Size of the maximum frame able to be transmitted by the
                                   interface

Principles
LLDP is a point-to-point, one-way advertisement protocol. The local end notifies the peer
end of the local device link status by sending LLDPDUs to it periodically (or when the link
status changes).
The procedure of packet exchange:
• When the local device transmits a packet, it gets the system information required by the
TLVs from the NMS and the configurations from the LLDP MIB, generates the TLVs, and forms
the LLDPDU to transmit to the peer.
• The peer receives the LLDPDU and analyzes the TLV information. If there is any change, it
updates the information in the LLDP neighbor MIB table and notifies the NView NNM system.
When the device status changes, the device sends an LLDP packet to the peer. To avoid
sending LLDP packets continuously because of frequent changes of device status, you can
configure a delay timer for sending the LLDP packet.
The Time To Live (TTL), the aging time of the local device information on the neighbor
node, can be adjusted by modifying the aging coefficient. The device sends LLDP packets to
the neighbor node; after receiving them, the neighbor node adjusts the aging time of the
information about its neighbor node (the sending side). The aging time formula is
TTL = Min { 65535, (interval × hold-multiplier) }:
• Interval indicates the time period to send LLDP packets from the neighbor node.
• Hold-multiplier refers to the aging coefficient of device information in the neighbor node.
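
The following is an added example, not Raisecom code: a parser for the TLV layout described above, using the IEEE 802.1AB TLV header of a 7-bit type followed by a 9-bit length, together with the TTL formula. The sample LLDPDU is constructed from values in the example in 10.3.12 (tx-interval 60, default aging coefficient 4, chassis MAC f0f1:f2f3:0101); the function names and the system name in the sample are assumptions.

```python
import struct

# Types 0-8 from Table 10-1 (standard names), plus 127 for organization-defined TLVs.
TLV_NAMES = {0: "End Of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
             4: "Port description", 5: "System name", 6: "System description",
             7: "System capabilities", 8: "Management address",
             127: "Organization-defined"}


def lldp_ttl(tx_interval, hold_multiplier):
    """TTL = Min { 65535, (interval x hold-multiplier) }, in seconds."""
    return min(65535, tx_interval * hold_multiplier)


def encode_tlv(tlv_type, value):
    """Build one TLV: a 16-bit header (7-bit type, 9-bit length), then the value."""
    if not 0 <= tlv_type <= 127:
        raise ValueError("TLV type must fit in 7 bits")
    if len(value) > 511:
        raise ValueError("TLV value must fit in a 9-bit length")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Split an LLDPDU into (type, value) pairs, rejecting truncated input."""
    tlvs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError(f"truncated TLV header at offset {offset}")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if length > len(data) - offset:
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, "
                             f"only {len(data) - offset} remain")
        tlvs.append((tlv_type, data[offset:offset + length]))
        offset += length
        if tlv_type == 0:   # End Of LLDPDU: anything after it is padding
            break
    return tlvs


def check_mandatory(tlvs):
    """Return a list of problems with the four mandatory TLVs."""
    problems = []
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        problems.append("first three TLVs must be Chassis ID, Port ID, Time To Live")
    if not tlvs or tlvs[-1][0] != 0:
        problems.append("End Of LLDPDU TLV missing")
    if any(t == 3 and len(v) != 2 for t, v in tlvs):
        problems.append("Time To Live value must be 2 bytes")
    return problems


def neighbor_ttl(tlvs):
    """Return the advertised TTL in seconds, or None if absent or malformed."""
    for tlv_type, value in tlvs:
        if tlv_type == 3 and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


# Constructed LLDPDU for Switch A: tx-interval 60, aging coefficient 4.
SAMPLE_LLDPDU = b"".join([
    encode_tlv(1, b"\x04" + bytes.fromhex("f0f1f2f30101")),  # subtype 4: MAC address
    encode_tlv(2, b"\x05" + b"ge-1/0/1"),                    # subtype 5: interface name
    encode_tlv(3, struct.pack("!H", lldp_ttl(60, 4))),
    encode_tlv(5, b"SwitchA"),
    encode_tlv(0, b""),
])

if __name__ == "__main__":
    for tlv_type, value in parse_lldpdu(SAMPLE_LLDPDU):
        print(f"{tlv_type:3} {TLV_NAMES.get(tlv_type, 'Reserved'):22} {value.hex()}")
```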

10.3.2 Preparing for configurations

Scenario
When you obtain connection information between devices through the NView NNM system for
topology discovery, the devices need to enable LLDP, notify each other of their information,
and store neighbor information so that the NView NNM system can query it.

Prerequisite
N/A

10.3.3 Default configurations of LLDP


Default configurations of LLDP are as below.

Function                                  Default value
Global LLDP status                        Disable
LLDP interface status                     Enable
Delay timer                               2s
Period timer                              30s
Aging coefficient                         4
Restart timer                             2s
LLDP alarm status                         Enable
Alarm notification timer                  5s
Destination MAC address of LLDP packets   0180.c200.000e

10.3.4 Enabling global LLDP

After global LLDP is disabled, you cannot re-enable it immediately. Global LLDP
cannot be enabled unless the restart timer times out.
When you obtain connection information between devices through the NView NNM system
for topology discovery, the devices need to enable LLDP, send their information to each
other, and store neighbor information to facilitate query by the NView NNM system.
Enable global LLDP for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#lldp { start | stop }          Enable or disable global LLDP.
                                                      • Start: enable global LLDP.
                                                      • Stop: disable global LLDP.

10.3.5 Enabling interface LLDP


Enable interface LLDP for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#interface interface-type       Enter physical interface configuration mode.
      interface-number
3     Raisecom(config-ge-1/0/*)#lldp admin-status     Enable or disable interface LLDP.
      { tx-only | rx-only | rx-tx | disable }         • Tx-only: send LLDP packets only.
      Example:                                        • Rx-only: receive LLDP packets only.
      Raisecom(config-ge-1/0/*)#lldp admin-status     • Rx-tx: send and receive LLDP packets.
      tx-only                                         • Disable: disable LLDP.


10.3.6 Configuring basic functions of global LLDP

When configuring the delay timer and period timer, the value of the delay timer
should be smaller than or equal to a quarter of the period timer value.
Configure basic functions of global LLDP for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#lldp tx-interval               (Optional) configure the period timer of the
      { interval | default }                          LLDP packet.
      Example:                                        • Second: period for sending LLDP packets, an
      Raisecom(config)#lldp tx-interval 10              integer, ranging from 5 to 32768, in units
                                                        of second
                                                      • Default: 2s
3     Raisecom(config)#lldp tx-delay                  (Optional) configure the delay timer of the
      { tx-delay | default }                          LLDP packet.
      Example:                                        • Second: period for delaying to send LLDP
      Raisecom(config)#lldp tx-delay 5                  packets, an integer, ranging from 1 to
                                                        8192, in units of second
                                                      • Default: 2s
4     Raisecom(config)#lldp reinit-delay              (Optional) configure the restart timer. After
      { delay | default }                             global LLDP is disabled, you can re-enable
      Example:                                        global LLDP only after the delay timer
      Raisecom(config)#lldp reinit-delay 5            expires.
                                                      • Second: period for delaying to re-enable
                                                        LLDP, an integer, ranging from 1 to 10, in
                                                        units of second
                                                      • Default: 2s
5     Raisecom(config)#lldp tx-hold-multiple          (Optional) configure the restart timer. After
      { multiple | default }                          global LLDP is disabled, you can re-enable
      Example:                                        global LLDP only after the delay timer
      Raisecom(config)#lldp tx-hold-multiple 2        expires.
                                                      • Multiple: multiple, an integer, ranging
                                                        from 2 to 10
                                                      • Default: 4

10.3.7 Configuring basic functions of interface LLDP


Configure basic functions of interface LLDP for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#interface interface-type       (Optional) configure the period timer of the
      interface-number                                LLDP packet.
      Example:                                        • Second: period for sending LLDP packets, an
      Raisecom(config)#interface ge 1/0/1               integer, ranging from 5 to 32768, in units
                                                        of second
                                                      • Default: 2s
3     Raisecom(config-ge-1/0/*)#lldp                  (Optional) configure the management address
      management-address ip-address                   of LLDP on the interface.
      { enable | disable }                            • A.B.C.D: management address
                                                      • Enable: enabled
                                                      • Disable: disabled

10.3.8 Configuring the LLDP alarm


To send topology update alarms to the NView NNM system immediately when the network
changes, you need to enable the LLDP alarm notification function.
Configure the LLDP alarm for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#lldp trap                      Enable or disable LLDP Trap.
      { enable | disable }
3     Raisecom(config)#lldp trap-interval             (Optional) configure the LLDP neighbor change
      { interval | default }                          notification period timer.
      Example:                                        • Second: period for notifying LLDP neighbor
      Raisecom(config)#lldp trap-interval 10            change, an integer, ranging from 5 to 3600,
                                                        in units of second
                                                      • Default: 5s

10.3.9 Configuring TLV


Configure TLV for the device as below.

Step  Command                                         Description
1     Raisecom#configure                              Enter global configuration mode.
2     Raisecom(config)#interface interface-type       Enter physical interface configuration mode.
      interface-number
3     Raisecom(config-ge-1/0/*)#lldp basic-tlv-tx     (Optional) configure the basic TLV of LLDP
      { port-description | system-name |              packets on the interface.
      system-description | system-capability |        • Port-description: interface description
      all } { enable | disable }                      • System-name: system name
                                                      • System-description: system description
                                                      • All: all
                                                      • Enable: enabled
                                                      • Disable: disabled
4     Raisecom(config-ge-1/0/*)#lldp dot1-tlv-tx      (Optional) configure the TLV defined by IEEE
      port-vid { enable | disable }                   802.1 on the interface.
      Raisecom(config-ge-1/0/1)#lldp dot1-tlv-tx      • Port-id: interface VLAN ID
      protocol-vid vlan-list { enable | disable }     • Protocol-vid: protocol VLAN ID
      Raisecom(config-ge-1/0/*)#lldp dot1-tlv-tx      • Vlan-name: VLAN name
      vlan-name vlan-list { enable | disable }        • Enable: enabled
                                                      • Disable: disabled
5     Raisecom(config-ge-1/0/*)#lldp dot3-tlv-tx      (Optional) configure the TLV defined by IEEE
      { mac-phy | power | link-aggregation |          802.3 on the interface.
      max-frame-size | all } { enable | disable }     • Mac-phy: interface rate
                                                      • Power: interface power supply capability
                                                      • Link-aggregation: link aggregation
                                                      • Max-frame-size: maximum frame length
                                                      • All: all
                                                      • Enable: enabled
                                                      • Disable: disabled
6     Raisecom(config-ge-1/0/1)#lldp med-tlv-tx       (Optional) configure MED on the interface.
      { capabilities | network-policy | location |    • Capabilities: capabilities
      extended-pse | extended-pd | inventory |        • Network-policy: supported applications
      all } { enable | disable }                      • Location: location of the interface
                                                      • Extended-pse: power supply capability
                                                      • Extended-pd: power supply capability
                                                      • Inventory: detailed directory
                                                      • All: all
                                                      • Enable: enabled
                                                      • Disable: disabled
7     Raisecom(config-ge-1/0/1)#lldp voice-vlan       (Optional) configure the voice VLAN
      { untagged | vlan vlan-id [cos {cos-value |     encapsulated by the network-policy TLV on the
      default} | dscp {dscp-value | default}] }       interface.
                                                      • Untagged: remove the VLAN ID tag when the
                                                        terminal sends voice traffic.
                                                      • Vlan-id: voice VLAN ID
                                                      • Cos-value: CoS priority, being 5 by default
                                                      • Dscp-value: DSCP priority, being 46 by
                                                        default


10.3.10 Checking configurations


Use the following commands to check configuration results.

No.   Command                                         Description
1     Raisecom#show lldp config                       Show LLDP configurations.
2     Raisecom#show lldp information                  Show information about the LLDP local system.
3     Raisecom#show lldp remote                       Show information about the LLDP neighbor.
      [ interface-type interface-number ]
4     Raisecom#show lldp statistics                   Show statistics about LLDP packets.
      [ interface-type interface-number ]
5     Raisecom#show lldp interface                    Show information about LLDP interfaces.
      [ interface-type interface-number ]

10.3.11 Maintenance
Maintain the device as below.

Command                                                Description
Raisecom(config-ge-1/0/*)#reset lldp port statistics   Clear LLDP statistics on the interface.

10.3.12 Example for configuring LLDP

Networking requirements
As shown in Figure 10-9, the Switch is connected to the NView NNM system. Enable LLDP
between Switch A and Switch B so that Layer 2 link changes can be queried through the
NView NNM system. Neighbor aging, new neighbors, and neighbor information changes are
reported as LLDP alarms to the NView NNM system.


Figure 10-9 LLDP networking

Configuration steps
Step 1 Enable global LLDP and LLDP alarm.
Configure Switch A.

Raisecom#hostname SwitchA
SwitchA#configure
SwitchA(config)#lldp start

Configure Switch B.

Raisecom#hostname SwitchB
SwitchB#configure
SwitchB(config)#lldp start

Step 2 Configure the management IP address.


Configure Switch A.

SwitchA(config)#vlan 10
SwitchA(config)#interface vlan 10
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port hybrid vlan 10 tagged
SwitchA(config-ge-1/0/1)#port hybrid pvid 10
SwitchA(config-ge-1/0/1)#exit
SwitchA(config)#interface vlan 10
SwitchA(config-vlan1024)#ip address 10.0.0.1/24
SwitchA(config-vlan1024)#exit


Configure Switch B.

SwitchB(config)#vlan 10
SwitchB(config)#interface vlan 10
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port hybrid vlan 10 tagged
SwitchB(config-ge-1/0/1)#port hybrid pvid 10
SwitchB(config-ge-1/0/1)#exit
SwitchB(config)#interface vlan 10
SwitchB(config-vlan1024)#ip address 10.0.0.2/24
SwitchB(config-vlan1024)#exit

Step 3 Configure LLDP attributes.


Configure Switch A.

SwitchA(config)#lldp tx-interval 60
SwitchA(config)#lldp tx-delay 9
SwitchA(config)#lldp trap-interval 10

Configure Switch B.

SwitchB(config)#lldp tx-interval 60
SwitchB(config)#lldp tx-delay 9
SwitchB(config)#lldp trap-interval 10

Checking results
Use the show lldp information command to show local configurations.

SwitchA#show lldp information


LLDP local:
Message tx-interval:60(s)
Message tx-hold:4
Reinit delay:2(s)
Tx delay:9(s)
Notification interval:10(s)
Chassis type:MAC Address
Chassis ID:f0f1:f2f3:0101
System name:SIM-MPU

System desc: SWITCH


System supported:Bridge/Switch,Router
System capenabled:Bridge/Switch,Router

Port ge-1/0/1:


Admin status:TxRx
Trap enable:no
Support tlv:port-description,system-name,system-description,system-capability
Enabled tlv:port-description,system-name,system-description,system-capability
Port type:interface name
Port ID:GE1/0/1
Port description:GE1/0/1 SNMP-Index:537397249
Number of remote system:1
Number of MED remote system:0
……

Use the show lldp remote command to show neighbor information.

SwitchA#show lldp remote


Interface Index TTL(s) ChassId PortId
SysName Vlan
ge-1/0/1 1 116 f0f1:f2f3:0201 GE1/0/1
SIM-MPU 10
ge-1/0/2 2 116 f0f1:f2f3:0201 GE1/0/2
SIM-MPU --

……
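
The neighbor changes that this example reports as LLDP alarms (neighbor aging, new neighbor, neighbor information change) can also be checked offline against an inventory of expected neighbors. The following Python check is an added example, not part of the Raisecom guide; the baseline format, the function names and the sample values are assumptions.

```python
import re

# Constructed sample, laid out like the `show lldp remote` output above: one line
# with interface, index, TTL, chassis ID and port ID, then one line with system
# name and VLAN. The values are made up for the demonstration.
SAMPLE_OUTPUT = """\
Interface Index TTL(s) ChassId PortId
SysName Vlan
ge-1/0/1 1 116 f0f1:f2f3:0201 GE1/0/1
SIM-MPU 10
ge-1/0/2 2 116 f0f1:f2f3:0299 GE1/0/7
lab-switch --
"""

ROW = re.compile(
    r"^(?P<iface>[A-Za-z0-9]+-\d+/\d+/\d+)\s+(?P<index>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?P<chassis>[0-9A-Fa-f:.-]+)\s+(?P<port_id>\S+)(?:\s+(?P<tail>.+))?$"
)


def parse_lldp_remote(text):
    """Return {interface: [neighbor dict, ...]} from `show lldp remote` text."""
    neighbors, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ROW.match(line)
        if match:
            current = {"chassis": match["chassis"].lower(), "port_id": match["port_id"],
                       "sys_name": None, "vlan": None}
            neighbors.setdefault(match["iface"], []).append(current)
            tail = match["tail"]  # present when the row was not wrapped
        elif current is not None and current["sys_name"] is None:
            tail = line  # continuation line: system name and VLAN
        else:
            tail = None  # header line or trailing filler after a complete row
        if tail:
            parts = tail.rsplit(None, 1)
            if len(parts) == 2 and (parts[1].isdigit() or parts[1] == "--"):
                current["sys_name"] = parts[0]
                current["vlan"] = None if parts[1] == "--" else int(parts[1])
            else:
                current["sys_name"] = tail
    return neighbors


def check_against_baseline(observed, baseline):
    """Compare parsed neighbors with an expected inventory.

    baseline: {interface: {"chassis": ..., "port_id": ...}} (assumed format).
    The findings follow the three LLDP alarm causes named in the guide.
    """
    findings = []
    for iface in sorted(set(observed) | set(baseline)):
        seen, expected = observed.get(iface, []), baseline.get(iface)
        if expected is None:
            findings.append((iface, "new neighbor"))
        elif not seen:
            findings.append((iface, "neighbor aged out or missing"))
        elif len(seen) > 1:
            findings.append((iface, "more than one neighbor"))
        elif any(seen[0].get(key) != value for key, value in expected.items()):
            findings.append((iface, "neighbor information changed"))
    return findings


if __name__ == "__main__":
    # Constructed inventory: what the operator expects to see on each port.
    expected_neighbors = {
        "ge-1/0/1": {"chassis": "f0f1:f2f3:0201", "port_id": "GE1/0/1"},
        "ge-1/0/2": {"chassis": "f0f1:f2f3:0201", "port_id": "GE1/0/2"},
    }
    parsed = parse_lldp_remote(SAMPLE_OUTPUT)
    for iface, reason in check_against_baseline(parsed, expected_neighbors):
        print(f"{iface}: {reason}")
```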

10.4 Port mirroring


10.4.1 Introduction
Port mirroring refers to mirroring some packets from a specified source port to the destination
port, namely, the monitor port, without affecting normal packet forwarding. You can monitor
the sending and receiving status of packets on a port through this function and analyze the
related network conditions.


Figure 10-10 Principles of port mirroring

Figure 10-10 shows the principles of port mirroring. PC 1 is connected to the external network
through GE 1/0/1; PC 3 is the monitor PC and is connected to the external network through GE 1/0/2.
To monitor packets from PC 1, specify GE 1/0/1, which connects to PC 1, as the mirror source
port, enable port mirroring on the ingress port, and specify GE 1/0/2 as the monitor port, the
destination port to which packets are mirrored.
When service packets from PC 1 enter the device, the device forwards them and copies them to
the monitor port (GE 1/0/2). The monitor device connected to the monitor port can receive and
analyze these mirrored packets.
The device supports traffic mirroring on the ingress port and egress port. After port mirroring
is enabled on the switch, packets on the ingress/egress mirroring port are copied to the monitor
port. The monitor port and the mirroring port cannot be the same port.

10.4.2 Preparing for configurations

Scenario
Port mirroring lets the network administrator regularly monitor the type and flow of network
data.
Port mirroring copies the monitored port traffic to a monitor port or the CPU so that faults or
abnormal data flows on the ingress/egress port can be captured for analysis, the root cause
found, and the problem solved in time.

Prerequisite
N/A

10.4.3 Default configurations of port mirroring


Default configurations of port mirroring are as below.


Function                   Default value
Port mirroring status      Disable
Mirroring the source port  N/A

10.4.4 Configuring port mirroring


Configure port mirroring for the device as below.

Step  Command                                       Description
1     Raisecom#configure                            Enter global configuration mode.
2     Raisecom(config)#mirror group group-number    Configure the port mirroring group.
      interface-type interface-number               • group-number: group ID, ranging from 1 to 4
      { rspan vlan-id tpid { standard |             • interface-type: interface type
      protocol-id } }                               • interface-number: in the form of unit/slot/port, with
                                                      the range depending on the interface type
                                                    • vlan-id: VLAN ID of the remote mirroring, ranging
                                                      from 1 to 4094
                                                    • standard: specified to the standard value 0x8100
                                                    • protocol-id: protocol ID of the outer tag of the
                                                      current interface, ranging from 0x0 to 0xffff
3     Raisecom(config)#interface interface-type     Enter physical interface configuration mode.
      interface-number
4     Raisecom(config-ge-1/0/*)#mirror { inbound |  Configure the port mirroring rule.
      outbound | both } group group-number          • { ingress | egress | both }: ingress, egress, or
                                                      both directions of the mirroring
                                                    • Group-number: mirroring group ID, ranging from 1 to 4

10.4.5 Default configurations of VLAN mirroring


Default configurations of VLAN mirroring are as below.

Function                   Default value
VLAN mirroring status      Disable
Mirroring the source port  N/A

10.4.6 Configuring VLAN mirroring


Configure VLAN mirroring for the device as below.


Step  Command                                       Description
1     Raisecom#configure                            Enter global configuration mode.
2     Raisecom(config)#mirror group group-number    Configure the VLAN mirroring group.
      interface-type interface-number               • group-number: group ID, ranging from 1 to 4
      { rspan vlan-id tpid { standard |             • interface-type: interface type
      protocol-id } }                               • interface-number: in the form of unit/slot/port, with
                                                      the range depending on the interface type
                                                    • vlan-id: VLAN ID of the remote mirroring, ranging
                                                      from 1 to 4094
                                                    • standard: specified to the standard value 0x8100
                                                    • protocol-id: protocol ID of the outer tag of the
                                                      current interface, ranging from 0x0 to 0xffff
3     Raisecom(config)#interface vlan vlan-id       Enter VLAN interface configuration mode.
4     Raisecom(config-vlanif-*)#mirror { inbound |  Configure the port mirroring rule.
      outbound | both } group group-number          • { ingress | egress | both }: ingress, egress, or
                                                      both directions of the mirroring
                                                    • Group-number: mirroring group ID, ranging from 1 to 4

• Before enabling remote port mirroring, disable MAC address learning of the
  remote mirroring VLAN on the devices so as to enable the mirroring function to
  work properly.
• Ensure that mirroring packets between the source device and destination device
  can be forwarded on Layer 2. The intermediate device interfaces connecting to
  the source device and destination device must allow packets of the remote
  mirroring VLAN to pass.
• When configuring the source mirroring port, you cannot add it to the remote
  mirroring VLAN; otherwise, port mirroring will malfunction.
• The created remote mirroring VLAN cannot be used as the service VLAN;
  otherwise, port mirroring will malfunction.

10.4.7 Checking configurations


Use the following commands to check configuration results.

No.   Command                         Description
1     Raisecom#show mirror group      Show configurations of mirroring groups.
2     Raisecom#show mirror interface  Show mirroring configurations on the interface.


10.4.8 Example for configuring port mirroring

Networking requirements
As shown in Figure 10-11, the network administrator wants to monitor user network 1
through the monitor device so that faults or abnormal data flows can be captured and
analyzed, and the faults located and solved in time.
Storm control and automatic packet sending are disabled on the device. User network 1
accesses the device through GE 1/0/1, user network 2 accesses the device through GE 1/0/2,
and the data monitor device is connected to GE 1/0/3.

Figure 10-11 Port mirroring networking

Configuration steps
Enable port mirroring on the Switch.

Raisecom#configure
Raisecom(config)#mirror group 1 interface ge 1/0/3
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#mirror ingress group 1

Checking results
Use the show mirror command to show configurations of port mirroring.

Raisecom#show mirror group


Group Observe-port Rspan(vlan/tpid)
----------------------------------------------------------------------
1 ge-1/0/3 n/a
----------------------------------------------------------------------


10.4.9 Example for configuring remote port mirroring

Networking requirements
As shown in Figure 10-12, the network administrator wants to monitor the user PC through
the remote monitor device so that faults or abnormal data flows can be captured and
analyzed, and the faults located and solved in time.
Storm control and automatic packet sending are disabled on the device. The user PC
accesses switch A through GE 1/0/1, and the data monitor device is connected to GE 1/0/1 on
switch B.

Figure 10-12 Remote port mirroring networking

Configuration steps
Step 1 Enable port mirroring on switch A.

Raisecom#configure
Raisecom(config)#mirror group 1 ge 1/0/2 rspan 10 tpid 0x8100
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#mirror inbound group 1

Step 2 Configure VLAN forwarding on switch B.


Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#port trunk allow-pass vlan 10
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#port trunk allow-pass vlan 10
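
The `show mirror group` output from section 10.4.8 and the remote-mirroring VLAN rules noted in section 10.4.6 can be checked mechanically, so that every mirroring group on a switch is one the monitoring team expects. The following Python check is an added example, not part of the Raisecom guide; the approved-port list, the service VLAN set, the source-port VLAN membership, the function names and the `10/0x8100` rendering of the Rspan column are assumptions.

```python
import re

# Constructed sample in the layout of the `show mirror group` output shown in
# section 10.4.8. The guide only shows "n/a" in the Rspan column; the
# "10/0x8100" cell is an assumed rendering of a remote mirroring group.
SAMPLE_OUTPUT = """\
Group Observe-port Rspan(vlan/tpid)
----------------------------------------------------------------------
1 ge-1/0/3 n/a
2 ge-1/0/2 10/0x8100
----------------------------------------------------------------------
"""

ROW = re.compile(r"^(?P<group>\d+)\s+(?P<port>\S+)\s+(?P<rspan>\S+)$")


def parse_mirror_groups(text):
    """Return a list of mirroring groups parsed from `show mirror group` text.

    Raises ValueError if an Rspan cell is neither "n/a" nor "<vlan>/<tpid>".
    """
    groups = []
    for raw in text.splitlines():
        match = ROW.match(raw.strip())
        if not match:
            continue  # header, separator or blank line
        vlan = tpid = None
        if match["rspan"].lower() != "n/a":
            vlan_text, _, tpid_text = match["rspan"].partition("/")
            vlan = int(vlan_text)
            tpid = int(tpid_text, 16) if tpid_text else None
        groups.append({"group": int(match["group"]), "observe_port": match["port"],
                       "rspan_vlan": vlan, "tpid": tpid})
    return groups


def audit_mirroring(groups, approved_observe_ports, service_vlans, source_port_vlans):
    """Check parsed groups against site policy and the guide's remote-mirroring rules.

    approved_observe_ports: {group ID: observe port} approved for monitoring
    service_vlans: set of VLAN IDs that carry service traffic
    source_port_vlans: {group ID: {source port: set of VLAN IDs the port belongs to}}
    All three inputs are assumed to come from the operator's own records.
    """
    findings = []
    for entry in groups:
        gid, vlan = entry["group"], entry["rspan_vlan"]
        if not 1 <= gid <= 4:
            findings.append((gid, "group ID outside the documented range 1-4"))
        if approved_observe_ports.get(gid) != entry["observe_port"]:
            findings.append((gid, f"observe port {entry['observe_port']} is not approved"))
        if vlan is None:
            continue  # local mirroring: no remote mirroring VLAN to check
        if not 1 <= vlan <= 4094:
            findings.append((gid, f"remote mirroring VLAN {vlan} outside 1-4094"))
        # Guide: the remote mirroring VLAN cannot be used as the service VLAN.
        if vlan in service_vlans:
            findings.append((gid, f"remote mirroring VLAN {vlan} is also a service VLAN"))
        # Guide: the source mirroring port cannot be added to the remote mirroring VLAN.
        for port, vlans in sorted(source_port_vlans.get(gid, {}).items()):
            if vlan in vlans:
                findings.append(
                    (gid, f"source port {port} is a member of remote mirroring VLAN {vlan}"))
    return findings


if __name__ == "__main__":
    parsed = parse_mirror_groups(SAMPLE_OUTPUT)
    # Constructed policy data for the demonstration.
    for gid, problem in audit_mirroring(
            parsed, {1: "ge-1/0/3", 2: "ge-1/0/4"}, {10, 20}, {2: {"ge-1/0/1": {10, 30}}}):
        print(f"group {gid}: {problem}")
```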

10.5 Cable diagnosis


10.5.1 Introduction
The device supports cable diagnosis, which helps you test cable lines.
Cable diagnosis contains the following results:
• Detection result of the Tx cable
• Errored location of the Tx cable
• Detection result of the Rx cable
• Errored location of the Rx cable

10.5.2 Preparing for configurations

Scenario
After cable diagnosis is enabled, you can learn the running status of cables, locate and clear
faults, if any, in time.

Prerequisite
N/A

10.5.3 Configuring cable diagnosis


Configure cable diagnosis for the device as below.

Step  Command                                           Description
1     Raisecom(config)#virtual-cable-test force-detect  Enable global cable diagnosis. This command conducts cable diagnosis on all interfaces that support it.
2     Raisecom(config-ge-1/0/*)#virtual-cable-test      Enable interface cable diagnosis.

When you enable the function of not restarting the interface upon cable diagnosis,
the interface that is in Up status will be restarted once and then obtain cable
diagnosis data. Then, when cable diagnosis is ongoing, the interface that is in Up
status will not be restarted but directly read cable diagnosis data saved in the buffer,
and the interface that is in Down status will obtain the length to the faulty point during
cable diagnosis. The newly inserted interface will automatically execute cable
diagnosis and save results in the buffer.

10.5.4 Checking configurations


Use the following commands to check configuration results.

No.   Command                                             Description
1     Raisecom(config)#show virtual-cable-test config     Show configurations of cable diagnosis.
2     Raisecom(config)#show virtual-cable-test            Show results of cable diagnosis on all interfaces.
3     Raisecom(config)#show virtual-cable-test interface  Show results of cable diagnosis on the specified interface.
      interface-type primary-interface-number
4     Raisecom(config)#show virtual-cable-test link-down  Show results of cable diagnosis on all Down interfaces.

10.6 UDLD
10.6.1 Introduction
UniDirectional Link Detection (UDLD) is used to monitor the configuration of physical
connections made over fiber or Ethernet cable. When a unidirectional link (one that transmits
data in only one direction) is present, UDLD can detect it, shut down the corresponding
interface, and send a Trap. A unidirectional link may cause various problems, such as
spanning tree problems that may cause a loop.

10.6.2 Preparing for configurations

Scenario
When a unidirectional link (transmitting data in only one direction) is present, UDLD can
detect the fault, shut down the corresponding interface, and send a Trap.
UDLD identifies peer devices and detects unidirectional links through the interaction protocol
message (DLDPDU) with the other party. It has seven statuses: Init, Linkdown, Linkup,
Advertisement, Detect, and Disable.

Prerequisite
Devices at both ends of the link should support UDLD.


10.6.3 Default configurations of UDLD


Default configurations of UDLD are as below.

Function  Default value
UDLD      Disable

10.6.4 Configuring UDLD


Configure UDLD for the device as below.

Step  Command                                                             Description
1     Raisecom#configure                                                  Enter global configuration mode.
2     Raisecom(config)#udld error-down recovery { disable | enable }      Enable or disable unidirectional link recovery.
3     Raisecom(config)#udld error-down recovery-interval interval         Configure the recovery time for the unidirectional link. By default, it is 45s.
4     Raisecom(config)#udld work-mode { aggressive | normal }             Configure the UDLD working mode to aggressive or normal.
5     Raisecom(config)#udld advertise-interval interval                   Configure the interval for sending advertise packet events by UDLD. By default, it is 7s.
6     Raisecom(config)#udld default-up-delay { time | default }           Configure the global time for the interface to delay to be Up when the unidirectional link is restored.
7     Raisecom(config)#udld snmp-trap { disable | enable }                Enable or disable UDLD Trap.
8     Raisecom(config)#udld unidirection-shutdown { auto | manual }       Configure the mode for shutting down the faulty interface upon detection of the interface being unidirectionally connected by UDLD.
9     Raisecom(config)#interface interface-type primary-interface-number  Enable or disable UDLD on the interface.
      Raisecom(config-ge-1/0/*)#udld { disable | enable }
10    Raisecom(config-ge-1/0/*)#udld aggressive { disable | enable }      Enable or disable the aggressive UDLD working mode of the interface.
11    Raisecom(config-ge-1/0/*)#udld rx-mode { normal | rxloss }          Configure whether to perform the error-down or Up action by focusing on the RXLOS and other messages of the optical module.
12    Raisecom(config-ge-1/0/*)#udld up-delay time                        Configure the time for the interface to delay to be Up when the unidirectional link is restored.

10.6.5 Checking configurations


Use the following commands to check configuration results.

No.   Command                       Description
1     Raisecom#show udld config     Show UDLD configurations.
2     Raisecom#show udld interface  Show the protocol status of all interfaces enabled with UDLD.
3     Raisecom#show udld local      Show local information about UDLD.
4     Raisecom#show udld peer       Show neighbor information about UDLD.


10.7 Optical module DDM


10.7.1 Introduction
Optical module Digital Diagnostics Monitoring (DDM) on the device supports Small
Form-factor Pluggable (SFP) and 10GE SFP+ diagnosis.
The fault diagnostics function of SFP provides the system with a performance monitoring
method. The network administrator analyzes the monitoring data provided by the SFP to predict
the service life of the transceiver, isolate system faults, and verify module compatibility
during installation.
The performance parameters of the optical module that are monitored by optical module DDM
are as below:
• Module temperature
• Internal power voltage
• Tx bias current
• Tx optical power
• Rx optical power
When a performance parameter reaches the alarm threshold or the status information changes,
the corresponding Trap alarm is generated.

10.7.2 Preparing for configurations

Scenario
Fault diagnostics of optical modules provides a method for detecting SFP performance
parameters. By analyzing the monitoring data, you can predict the service life of the optical
module, isolate system faults, and check module compatibility during installation.

Prerequisite
The optical module used on the device is required to be certified by Raisecom. If the optical
module of other manufacturers is used, it may lead to unstable services, lack of support for
diagnosis, or inaccurate diagnostic information.

10.7.3 Default configurations of optical module DDM


Default configurations of optical module DDM are as below.

Function                           Default value
Interface optical module DDM Trap  Disable

10.7.4 Enabling optical module DDM


Enable optical module DDM for the device as below.


Step  Command                                                 Description
1     Raisecom#configure                                      Enter global configuration mode.
2     Raisecom(config)#transceiver monitor interval interval  Configure the polling interval for optical module DDM.

10.7.5 Enabling optical module DDM Trap


Enable optical module DDM Trap for the device as below.

Step  Command                                                                 Description
1     Raisecom#configure                                                      Enter global configuration mode.
2     Raisecom(config)#interface interface-type interface-number              Enter physical interface configuration mode.
3     Raisecom(config 10ge 1/0/*)#transceiver snmp-trap { enable | disable }  Enable interface optical module DDM Trap.
4     Raisecom(config 10ge 1/0/*)#transceiver rx-power                        Configure the high threshold and low threshold of optical module Rx optical power.
      low-threshold low-threshold-value high-threshold high-threshold-value   When the Rx optical power is lower than the low threshold or higher than the high threshold, the optical module can send an alarm.
5     Raisecom(config 10ge 1/0/*)#transceiver tx-power                        Configure the high threshold and low threshold of optical module Tx optical power.
      low-threshold low-threshold-value high-threshold high-threshold-value   When the Tx optical power is lower than the low threshold or higher than the high threshold, the optical module can send an alarm.
6     Raisecom(config 10ge 1/0/*)#transceiver temperature                     Configure the high threshold and low threshold of optical module temperature.
      low-threshold low-threshold-value high-threshold high-threshold-value   When the temperature is lower than the low threshold or higher than the high threshold, the optical module can send an alarm.
7     Raisecom(config 10ge 1/0/*)#transceiver voltage                         Configure the high threshold and low threshold of optical module voltage.
      low-threshold low-threshold-value high-threshold high-threshold-value   When the voltage is lower than the low threshold or higher than the high threshold, the optical module can send an alarm.
8     Raisecom(config 10ge 1/0/*)#transceiver bias-current                    Configure the high threshold and low threshold of optical module current.
      low-threshold low-threshold-value high-threshold high-threshold-value   When the current is lower than the low threshold or higher than the high threshold, the optical module can send an alarm.
9     Raisecom(config 10ge 1/0/*)#transceiver tec-current                     Configure the high threshold and low threshold of optical module TEC current.
      low-threshold low-threshold-value high-threshold high-threshold-value   When the TEC current is lower than the low threshold or higher than the high threshold, the optical module can send an alarm.

10.7.6 Checking configurations


Use the following commands to check configuration results.

No.   Command                                                            Description
1     Raisecom#show transceiver config                                   Show configurations of the current optical module.
2     Raisecom#show transceiver interface                                Show the approximate DDM information about the optical module, including real-time information such as
                                                                         the Tx optical power, Rx optical power, temperature, voltage, and bias current of the optical module.
3     Raisecom#show transceiver interface-type primary-interface-number  Show configurations of the current optical module on the specified interface.
4     Raisecom#show transceiver interface-type primary-interface-number  Show the threshold of the optical module on the specified interface.
      [ threshold ]

10.8 System log


10.8.1 Introduction
The system log is the function by which the device records system information and debugging
information in a log and sends the log to the specified destination. When the device fails to
work, you can check the log to locate the fault easily.
System information and some scheduling output are sent to the system log for processing.
According to the configuration, the system sends the log to various destinations. The
destinations that receive the system log are divided into:
• Console: send the log message to the local console through the Console interface.
• Monitor: send the log message to the monitor, such as a Telnet terminal.
• Logfile: send the log message to the Flash of the device.
• Buffer: send the log message to the buffer.
• Trapbuffer: send the log message to the Trap buffer.
• SNMP server: convert logs to Trap and then output Trap to the SNMP server.
• Syslog server: send the log message to the Syslog server.
• Smtp Email: send the log message to the SMTP Email.
Logs are classified into 8 severity levels, as listed in Table 10-4.

Table 10-4 Log levels


Severity      Level  Description
Emergency     0      The system cannot be used.
Alert         1      Needs to be dealt with immediately.
Critical      2      Serious status
Error         3      Errored status
Warning       4      Warning status
Notification  5      Normal but important status
Information   6      Informational event
Debugging     7      Debugging information

The severity of output information can be manually configured. Only information whose
severity level is less than or equal to the configured level is sent. For example, when the
level is configured as 3 (severity error), information whose level ranges from 0 to 3, in
other words, whose severity ranges from emergencies to error, can be sent.

10.8.2 Preparing for configurations

Scenario
The device records login successes and failures, key information, debugging information,
and error information in the system log, outputs them as log files, and sends them to the
logging host, Console interface, or control console to facilitate checking and locating faults.

Prerequisite
N/A

10.8.3 Default configurations of system log


Default configurations of system log are as below.


Function                                 Default value
System log                               Enable
Output log information to Console        Enable. The default level is warning (4).
Output log information to files          Enable. The default level is debugging (7).
Output log information to monitor        Enable. The default level is warning (4).
Output log information to buffer         Enable. The default level is debugging (7).
Output log information to SNMP server    Disable. The default level is debugging (7).
Output log information to trapbuffer     Disable. The default level is information (6).
Output log information to syslog server  Disable. The default level is information (6).
Output log information to SMTP Email     Disable. The default level is warning (4).

10.8.4 Configuring basic information about the system log


Configure basic information about the system log for the device as below.

Step  Command                                                             Description
1     Raisecom#configure                                                  Enter global configuration mode.
2     Raisecom(config)#logging { start | stop }                           Enable system logs.
3     Raisecom(config)#logging file max-number { max-num | default }      Configure the maximum number of log files of the system logs.
4     Raisecom(config)#logging file size kbytes { size-value | default }  Configure the size of the system logs.

10.8.5 Configuring system log output


Configure system log output for the device as below.

Step  Command                                                                       Description
1     Raisecom#configure                                                            Enter global configuration mode.
2     Raisecom(config)#logging module module-name action                            Configure the output direction of module logs, output enabling status, and output level.
      { console | monitor | logfile | buffer | trap | trapbuffer | syslog | smtp }
      { log | debug | trap }
      [ state { enable | disable | default } |
      level { emergencies | alert | critical | error | warning | notification |
      information | debugging | default }


10.8.6 Configuring system log output to Telnet/SSH terminals


Configure system log output to Telnet/SSH terminals for the device as below.

Step  Command                       Description
1     Raisecom#terminal monitor     Enable or disable information output to Telnet/SSH terminals.
      Raisecom#no terminal monitor
2     Raisecom#terminal log         Enable or disable log output to Telnet/SSH terminals. By default, it is enabled.
      Raisecom#no terminal log
3     Raisecom#terminal trap        Enable or disable Trap output to Telnet/SSH terminals. By default, it is enabled.
      Raisecom#no terminal trap
4     Raisecom#terminal debug       Enable or disable debugging information output to Telnet/SSH terminals. By default, it is disabled.
      Raisecom#no terminal debug

10.8.7 Checking configurations


Use the following commands to check configuration results.

No.   Command                                                                 Description
1     Raisecom#show logging information                                       Show global log configurations.
2     Raisecom#show logging { buffer | trap }                                 Show log or trap buffer information.
3     Raisecom#show logging { buffer | trap } { include | exclude | begin }   Show log or trap buffer information and specify string filtering conditions.
      string string
4     Raisecom#show logging { buffer | trap } size size-number                Show log or trap buffer information and specify the number of entries.
5     Raisecom#show logging { buffer | trap } module module-name              Show the logs or trap buffer information of the specified module.
6     Raisecom#show logging { buffer | trap } size size-number                Show log or trap buffer information, specify the number of entries and string filtering conditions.
      { include | exclude | begin } string string
7     Raisecom#show logging { buffer | trap } start-time start-time           Show log or trap buffer information and specify the time range for log generation.
      { end-time end-time }
8     Raisecom#show logging action                                            Show the action information of all modules in the log.
9     Raisecom#show logging action { console | monitor | logfile | buffer |   Show the specified action information of all modules in the log.
      trap | trapbuffer | syslog | smtp }
10    Raisecom#show logging error                                             Show error code information for all module logs.
11    Raisecom#show logging event                                             Show event information for all module logs.
12    Raisecom#show logging file file-name                                    Show the content of the specified log file.
13    Raisecom#show logging file file-name { include | exclude | begin }      Show the specified content of the specified log file and specify string filtering conditions.
      string string
14    Raisecom#show logging module                                            Show the information of all module logs, including the module name, module ID, log file name, number of events, and number of error code entries.
15    Raisecom#show logging statistics                                        Show statistics on log modules.

10.8.8 Maintenance
Maintain the device as below.

Command                                            Description
Raisecom(config)#clear logging { buffer | trap }   Clear log information in the log or trap buffer.
Raisecom(config)#clear logging statistics          Clear log statistics.
Raisecom(config)#clear logging file all            Clear all log files.
Raisecom(config)#clear logging module module-name  Clear log statistics of the specified module.

10.8.9 Example for configuring outputting system logs to the log host

Networking requirements
As shown in Figure 10-13, configure the system log, and output device log information to the
log host for users to check.


Figure 10-13 Networking of outputting system log to log host

Configuration steps
Step 1 Configure the IP address of the device.

Raisecom#configure
Raisecom(config)#interface vlan 1
Raisecom(config-vlanif-1)#ip address 20.0.0.6 255.0.0.0
Raisecom(config-vlanif-1)#quit

Step 2 Configure the system log to be output to the terminal.

Raisecom(config)#terminal monitor

Step 3 Configure the debugging information to be output to the terminal.

Raisecom(config)#terminal debug

Checking results
Use the show logging information command to show global configurations of system log.

Raisecom#show logging information
------------------------------------------------------------
Logging : on
Module number : 125
Logfile path : "/ram/log"
Logfile max size : 3072 Kb
Logfile max number : 3
Logbuffer Max number : 2000
Logbuffer Current number : 201
Logbuffer history number : 216
------------------------------------------------------------


10.9 Alarm management


10.9.1 Introduction
An alarm refers to the information that the system can produce according to different fault
types and different alarm sources when the device fails or some working status changes.
The alarm is used to report some urgent and important events, notify network administrators
in time, and provide strong support for monitoring device operation and fault diagnosis.
The alarm is stored in the alarm buffer of the device, and its log is generated at the same time.
If the NMS is configured, the alarm is sent to it through SNMP. The information sent to the
NMS is called Trap.

10.9.2 Preparing for configurations

Scenario
When the device fails, the alarm management module collects fault information and outputs the
alarm occurrence time, alarm name, and description in log format to help users locate the
problem quickly.
If the device is configured with the NMS, alarms can be reported directly to the NMS,
providing possible alarm causes and treatment recommendations to help users deal with the fault.
If the device is configured with hardware monitoring, when the operating environment of the
device becomes abnormal, it records the hardware monitoring alarm table, generates Syslog, and
sends Trap to notify the user to take action accordingly and prevent faults.
Alarm management facilitates alarm suppression, alarm auto-reporting, alarm monitoring,
alarm reverse, alarm delay, alarm memory mode, alarm clear, and alarm view directly on the
device.

Prerequisite
Hardware environment monitoring alarm output:
• In Syslog output mode: alarms are written to system logs. To send alarms to the
system log host, configure the IP address of the system log host for the device.
• In Trap output mode: configure the IP address of the NMS for the device.

10.9.3 Configuring basic functions of alarm management


Configure basic information about alarm management for the device as below.
All the following steps are optional and can be performed in any order.

Step  Command
          Description
1     Raisecom#configure
          Enter global configuration mode.


10.9.4 Checking configurations


Use the following commands to check configuration results.

No.   Command
          Description
1     Raisecom#show alarm information
          Show the entries of the alarm management module.
2     Raisecom#show alarm description
          Show information about all alarms in the alarm management module. This includes the alarm ID, alarm name, alarm level, corresponding Trap-OID, and description.
3     Raisecom#show alarm { active | history | all } time-order [ object object-name ]
          Show information about the specified alarm and arrange it in chronological order (active alarm, history alarm, and all alarms).
4     Raisecom#show alarm { active | history | all } [ object object-name ]
          Show information about the specified alarm (active alarm, history alarm, and all alarms).
6     Raisecom#show alarm object
          Show information about the alarm object.
7     Raisecom#show event description
          Show information about all events of the alarm management module. This includes the event ID, event name, event level, corresponding Trap-OID, and description.
8     Raisecom#show event [ object object-name ]
          Show all current events in the alarm management module.

10.10 CPU monitoring


10.10.1 Introduction
The device supports CPU monitoring. It monitors the state, CPU utilization rate, and stack
usage of each task in the system in real time, which helps locate faults.
CPU monitoring can provide the following functions:
• Viewing CPU utilization rate
It can be used to view utilization of the CPU in each period (5s, 1min, and 5min).
It can be used to view the operational status of all tasks.
• Threshold alarm of CPU utilization
If the CPU utilization of the system is higher than the configured upper threshold or lower than
the preconfigured lower threshold in the specified sampling period, a Trap is sent. The Trap
provides the serial numbers of the 5 tasks whose CPU utilization rate is the highest in the
latest period (5s, 1min, and 5min) and their CPU utilization rate.

10.10.2 Preparing for configurations

Scenario
CPU monitoring provides realtime monitoring of the task status, CPU utilization rate, and
stack usage in the system, and provides the CPU utilization rate threshold alarm. It helps
detect and eliminate hidden dangers and helps the administrator locate faults.

Prerequisite
When the CPU monitoring alarm needs to be output in Trap mode, configure the Trap output
target host address, which is the IP address of the NView NNM system.

10.10.3 Default configurations of CPU monitoring


Default configurations of CPU monitoring are as below.

Function                                  Default value
CPU utilization rate alarm Trap output    Enable
Upper threshold of CPU utilization alarm  80%
Sampling period of CPU utilization        10s

10.10.4 Configuring the CPU monitoring alarm


Configure CPU monitoring alarm for the device as below.

Step  Command
          Description
1     Raisecom#configure
          Enter global configuration mode.
2     Raisecom(config)#cpu { all | cpu-index } high-threshold high-threshold-value
          Configure the rising threshold of all CPU entries or the specified CPU entry.
3     Raisecom(config)#cpu { all | cpu-index } description description-string
          Configure the description of all CPU entries or the specified CPU entry.
4     Raisecom(config)#cpu { all | cpu-index } snmp-trap { disable | enable }
          Enable or disable Trap sending for all CPU entries or the specified CPU entry.
5     Raisecom(config)#cpu monitor interval interval-value
          Configure the interval for sampling CPU utilization.
6     Raisecom(config)#cpu monitor { disable | enable }
          Enable or disable CPU utilization monitoring.


10.10.5 Checking configurations


Use the following commands to check configuration results.

No.   Command
          Description
1     Raisecom#show cpu
          Show CPU utilization.
2     Raisecom#show cpu verbose
          Show detailed CPU utilization.
3     Raisecom#show cpu task
          Show CPU utilization of each task.

10.11 Memory monitoring


10.11.1 Preparing for configurations

Scenario
Memory monitoring enables you to learn the memory utilization in real time and provides
memory utilization threshold alarms, which help you locate and clear potential risks
and help the network administrator locate faults.

Prerequisite
To output memory utilization threshold alarms as Trap, configure the IP address of the target
host, namely, the IP address of the NMS server.

10.11.2 Configuring memory monitoring


Configure memory monitoring for the device as below.

Step  Command
          Description
1     Raisecom#configure
          Enter global configuration mode.
2     Raisecom(config)#memory { all | memory-index } high-threshold high-threshold-value
          Configure the memory monitoring alarm threshold of all memory entries or the specified memory entry.
3     Raisecom(config)#memory { all | memory-index } description description-string
          Configure the description of all memory entries or the specified memory entry.
4     Raisecom(config)#memory { all | memory-index } snmp-trap { disable | enable }
          Enable or disable Trap sending for all memory entries or the specified memory entry.
5     Raisecom(config)#memory monitor interval interval-value
          Configure the interval for sampling memory utilization.
6     Raisecom(config)#memory monitor { disable | enable }
          Enable or disable memory utilization monitoring.

10.11.3 Checking configurations


Use the following commands to check configuration results.

No.   Command
          Description
1     Raisecom#show memory
          Show memory utilization.
2     Raisecom#show memory verbose
          Show detailed memory utilization.
3     Raisecom#show memory task
          Show memory utilization of each process.

10.12 PING
10.12.1 Introduction
Packet Internet Groper (PING) derives from the sonar location operation, which is used to
detect whether the network is normally connected. PING is achieved with ICMP echo packets.
If an Echo Reply packet is sent back to the source address during a valid period after the Echo
Request packet is sent to the destination address, it indicates that the route between source and
destination address is reachable. If no Echo Reply packet is received during a valid period and
timeout information is displayed on the sender, it indicates that the route between source and
destination addresses is unreachable.
Figure 10-14 shows principles of PING.


Figure 10-14 Principles of PING

10.12.2 Configuring PING


Configure PING for the device as below.

Step  Command
          Description
1     Raisecom#ping { ipv4-address | hostname } [ -n nvalue | -system-time | -t | -q | -f | -h hvalue | -l lengthvalue | -w waitvalue | -tos tosvalue | -m mvalue | -dscp dscpvalue | -8021p 8021pvalue | -range rangevalue | -s source-ipv4-address | -nexthop next-ipv4-address | -eth-trunk trunk-number | -loopback loopback-number | -vlan vlan-id | -ge interface-number1 | -10ge interface-number2 | -meth meth-number ]
          Test the connectivity of the IPv4 network by the ping command.
2     Raisecom#ping-ipv6 { ipv6-address | hostname } [ -n nvalue | -system-time | -t | -q | -f | -h hvalue | -l lengthvalue | -w waitvalue | -m mvalue | -tc tcvalue | -8021p 8021pvalue | -range rangevalue | -s source-ipv6-adress | -nexthop next-ipv6-address | -eth-trunk trunk-number | -loopback loopback-number | -vlan vlan-id | -ge interface-number1 | -10ge interface-number2 | -meth meth-number ]
          Test the connectivity of the IPv6 network by the ping command.

The device cannot perform other operations while PING is in progress. It can perform
other operations only after PING finishes or is interrupted by pressing Ctrl+C.


10.13 Trace
10.13.1 Introduction
Similar to PING, Trace is a commonly used maintenance method in network management.
Trace is often used to test the network nodes that packets pass through from the sender to the
destination, detect whether the network connection is reachable, and analyze network faults.
Trace works as below:
Step 1 Send a sniffer packet with a TTL of 1 (the UDP port number of the packet is one that is
not used by any application on the destination side).
Step 2 The TTL is decremented by 1 when the packet reaches the first hop. Because the TTL value
is then 0, the first-hop device returns an ICMP timeout packet, indicating that this packet
cannot be sent.
Step 3 The sending host adds 1 to the TTL and resends the packet.
Step 4 Because the TTL value is reduced to 0 at the second hop, that device returns an ICMP
timeout packet, indicating that this packet cannot be sent.
The previous steps continue until the packet reaches the destination host, which does not return
an ICMP timeout packet. Because the destination port number is not used on the destination host,
the destination host sends a port unreachable packet and the test finishes. Thus, the sending
host can record the source address of each ICMP TTL timeout packet and analyze the path to
the destination according to the response packets.
Figure 10-15 shows principles of traceroute.

Figure 10-15 Principles of Trace
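
The TTL stepping described in 10.13.1 can be followed in a small offline model. This is an added example, not code from Raisecom or from this guide; the node addresses are constructed documentation addresses, and first_ttl and max_ttl stand in for the -fh and -h options of the trace command. It also covers a hop that never answers, which shows up as "*" without meaning the path is broken.

```python
from dataclasses import dataclass


@dataclass
class Node:
    addr: str
    replies: bool = True  # False: the node drops the probe or filters its ICMP reply


def send_probe(path, ttl):
    """Carry one UDP probe along path; return (reply_kind, reply_source)."""
    *routers, destination = path
    for router in routers:
        ttl -= 1          # each forwarding hop decrements the TTL
        if ttl == 0:      # expired here: this hop answers with an ICMP timeout
            return ("ttl-timeout", router.addr) if router.replies else (None, None)
    # The TTL was large enough to reach the destination, where the UDP port is
    # unused, so the destination answers with "port unreachable".
    if destination.replies:
        return ("port-unreachable", destination.addr)
    return (None, None)


def trace(path, first_ttl=1, max_ttl=30):
    """Return (rows, reached); rows hold (ttl, responder), '*' means no reply."""
    rows = []
    for ttl in range(first_ttl, max_ttl + 1):
        kind, source = send_probe(path, ttl)
        rows.append((ttl, source or "*"))
        if kind == "port-unreachable":
            return rows, True   # destination answered: the test is finished
    return rows, False          # max TTL used up without reaching the destination


# Constructed path: three routers (the second one filters ICMP) and a destination.
PATH = [
    Node("192.0.2.1"),
    Node("192.0.2.5", replies=False),
    Node("192.0.2.9"),
    Node("198.51.100.7"),
]

if __name__ == "__main__":
    rows, reached = trace(PATH)
    for ttl, responder in rows:
        print(f"{ttl:2d}  {responder}")
    print("destination reached" if reached else "destination not reached")
```

A silent hop followed by answering hops points to ICMP filtering on that node; only an unbroken run of "*" up to the maximum TTL leaves the reachability of the destination undetermined.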

10.13.2 Configuring IPv4 Trace


Before using Trace, you should configure the IP address and default gateway of the device.
Configure IPv4 Trace for the device as below.


Step  Command
          Description
1     Raisecom#trace ip-address [ -n number | -r | -q | -f | -fh first-ttl-value | -h max-ttl-value | -l length-value | -w wait-for-each-value | -tos tosvalue | -m wait-for-send-value | -dscp dscpvalue | -8021p 8021p-value | -range range-value | -s source-ip-address | -nexthop next-ip-address | -eth-trunk trunk-number | -loopback loopback-number | -vlan vlan-id | -ge interface-number1 | -10ge interface-number2 | -meth meth-number ]
          Test the connectivity of the IPv4 network and view nodes passed by the packet by the trace command.

10.13.3 Configuring IPv6 Trace


Before using Trace, you should configure the IP address and default gateway of the device.
Configure IPv6 Trace for the device as below.

Step  Command
          Description
1     Raisecom#trace-ipv6 ipv6-address [ -n number | -r | -q | -f | -fh first-ttl-value | -h max-ttl-value | -l length-value | -w wait-for-each-value | -m wait-for-send-value | -tc traffic-class-value | -8021p 8021p-value | -range pkt-length-value | -s source-ipv6-address | -nexthop next-ipv6-address | -eth-trunk trunk-number | -loopback loopback-number | -vlan vlan-id | -ge interface-number1 | -10ge interface-number2 | -meth meth-number ]
          Test the connectivity of the IPv6 network and view nodes passed by the packet by the trace command.

10.14 Hardware monitoring

Not all device models support temperature alarms, which depend on the specific
device.

10.14.1 Introduction
Hardware environment monitoring mainly refers to monitoring the running environment of the
device. The monitoring alarm events include the temperature and power supply.

10.14.2 Configuring temperature monitoring


Configure temperature monitoring for the device as below.


Step  Command
          Description
1     Raisecom#configure
          Enter global configuration mode.
2     Raisecom(config)#temperature monitor { disable | enable }
          Enable or disable temperature monitoring.
3     Raisecom(config)#temperature { all | temperature-index } description description-string
          Configure the description of all or specified temperature monitoring entries.
4     Raisecom(config)#temperature { all | temperature-index } low-threshold low-threshold-value high-threshold high-threshold-value
          Configure the high threshold and low threshold for all or specified temperature monitoring entries. When the temperature is lower than the low threshold or higher than the high threshold, the device can send an alarm.
5     Raisecom(config)#temperature { all | temperature-index } snmp-trap { disable | enable }
          Enable or disable Trap sending for all or specified temperature monitoring entry.

10.14.3 Configuring power supply monitoring


Configure power supply monitoring for the device as below.

Step  Command
          Description
1     Raisecom#configure
          Enter global configuration mode.
2     Raisecom(config)#power monitor { disable | enable }
          Enable or disable power supply monitoring.
3     Raisecom(config)#power monitor interval interval-value
          Configure the period of power supply monitoring. By default, it is 25s.
4     Raisecom(config)#power { all | power-index } description description-string
          Configure the description of all or specified power supply entry.
5     Raisecom(config)#power { all | power-index } snmp-trap { disable | enable }
          Enable or disable Trap sending for all or specified power supply entry.

10.14.4 Checking configurations


Use the following commands to check configuration results.

No.   Command
          Description
1     Raisecom#show temperature config
          Show configurations of temperature monitoring.
2     Raisecom#show power config
          Show configurations of power supply monitoring.

10.15 Fan monitoring

This section is applicable to the models with fans.

10.15.1 Introduction
The device supports monitoring the fan, including the rotational speed and temperature. It
sends Trap when the rotational speed or temperature is abnormal.
The device monitors the fan in two modes:
• Fixed speed mode: forcibly configure the rotational speed of the fan.
• Temperature control mode: the fan adjusts its rotational speed by temperature.
In temperature control mode, when the temperature of the fan is detected to exceed the high
threshold, the speed level of the fan will be increased by one gear. If the temperature of the
fan is detected to be below the low threshold value, the speed level of the fan will be reduced
by one gear.

10.15.2 Preparing for configurations

Scenario
In a hot environment, excessively high temperature affects heat dissipation of the device.
Therefore, fan monitoring must be configured so that the rotational speed is automatically
adjusted according to the environment temperature and the device runs properly.

Precondition
N/A

10.15.3 Configuring fan monitoring


Configure fan monitoring for the device as below.

Step  Command
          Description
1     Raisecom#configure
          Enter global configuration mode.
2     Raisecom(config)#fan monitor { disable | enable }
          Enable or disable fan monitoring.
3     Raisecom(config)#fan monitor interval interval-value
          Configure the fan monitoring period.
4     Raisecom(config)#fan { all | fan-index } mode { speed-level | temperature-control }
          Configure the mode of all fans or specified fan.
          • Speed-level: fixed speed level mode
          • Temperature-control: temperature control mode
5     Raisecom(config)#fan { all | fan-index } description description-string
          Configure the description of all fans or specified fan.
6     Raisecom(config)#fan { all | fan-index } level level-value
          Configure the speed level of all fans or specified fan.
7     Raisecom(config)#fan { all | fan-index } snmp-trap { disable | enable }
          Enable or disable TRAP sending for all fans or specified fan.

10.15.4 Checking configurations


Use the following commands to check configuration results.

Step  Command
          Description
1     Raisecom#show fan
          Show information about fan monitoring, including the current speed and speed level.
2     Raisecom#show fan verbose
          Show basic information about the fan.
3     Raisecom#show fan config
          Show configurations of fan monitoring.

10.16 ISF
10.16.1 Introduction
Intelligent Stacking Frame (ISF) refers to the combination of two or more switches that
support stacking to logically form one switch. This virtualization technology can integrate the
hardware resource capabilities and software processing capabilities of multiple devices, and
implement collaborative work, unified management, and uninterrupted maintenance of
multiple devices.

Basic concepts
• Operating modes
An ISF device supports two operating modes:
– Common mode: it cannot form an ISF with other devices.
– ISF mode: it can be configured with stacking and form an ISF device with other
devices.
When the ISF device switches between these two modes, it will be restarted.
• Roles of member devices
Each ISF device in the ISF is a member device, which may be in different roles according to
the negotiation result.
– Master: it manages and controls the entire ISF.
– Slave: it processes services and forwards packets; meanwhile it works as a backup for
the master device. In other words, when the master device fails, the ISF will
automatically elect a new master device from all slave devices to replace the original
master device.
• Member device ID
The ISF uses the member device ID to identify and manage member devices. When
configuring the ISF, you must ensure that the member device IDs are unique. If the member
device IDs of two devices are the same, negotiation will fail, and establishing the ISF will fail.
• Member priority
The member priority is an attribute of a member device. By default, the member priority of
the device is 1. In the process of stacking negotiation, the member priority will affect whether
the member device can be elected as the master device. To make a device be elected as the
master device of the ISF, you can configure the member priority to a greater value.
• ISF interface
An ISF interface is a logical interface specifically used for connecting stacked member
devices. Each member device can be configured with two ISF interfaces, which need to be
bound to the physical interface before they can take effect.
• ISF domain
The ISF domain is a logical concept. An ISF system corresponds with an ISF domain. Only
member devices with the same ISF domain ID can establish an ISF. The member devices in
different ISF domains cannot establish an ISF even if they can receive ISF packets from the
peer device.

ISF topology
Two switches in this series support forming an ISF in the chain or ring topology.

Figure 10-16 Chain topology with 2 member devices


Figure 10-17 Ring topology with 2 member devices

When member devices form a ring topology, the ISF interface IDs of adjacent
stacked member devices are different. As shown in Figure 10-16, ISF interface 1/1 on
ISF member device 1 is connected to ISF interface 2/2 on ISF member device 2. If
two connected devices have the same ISF IDs, the ISF will fail to synchronize during
switching between the master device and slave device.

Role election
Role election occurs when the ISF changes as below:
• The ISF is established.
• The ISF is split; in other words, the stacking link is disconnected.
• Two independent ISFs are merged.
Roles are elected according to the following rules in descending order:
1. The current master device prevails. If two independent ISFs are merged, the new master
device is elected between the master devices of these two independent ISFs.
2. The device that has been forcibly configured as the master device.
3. The device running for a long time (the device with the longest time prevails if multiple
devices have been running for over 1min).
4. The device with the lowest bridge MAC address.
The optimal device elected according to the previous rules is the master device while other
devices are slave devices.

10.16.2 Default configurations


Default configurations of ISF are as below.

Function                                            Default value
Stacking                                            Disable
ISF member priority                                 1
ISF member ID                                       1
ISF member domain ID                                1
Interval for sending ISF packets by the ISF member  3s


10.16.3 Configuring ISF


Configure the ISF for the device as below.

Step  Command
          Description
1     Raisecom(config)#interface stack-port number
          Create an ISF interface.
2     Raisecom(config-stack-port-number)#add interface interface-type interface-number
          Add a physical interface to the ISF interface.
3     Raisecom(config)#hvs hello-interval { hello-time | default }
          Configure the interval for sending ISF packets, in units of second, ranging from 1 to 10, being 3 by default.
4     Raisecom(config)#hvs master
          Forcibly configure the ISF member as the master device in stacking negotiation.
5     Raisecom(config)#hvs member-id id
          Configure the ISF member ID.
6     Raisecom(config)#hvs priority value
          Configure the priority of the ISF member.
7     Raisecom(config)#hvs switch-master member { myself | id }
          Configure the ISF to switch between the master device and a slave device.
8     Raisecom(config)#hvs mode { normal | stack }
          Configure the ISF member device to switch its mode. Then, it will be automatically restarted.
9     Raisecom(config)#show hvs member
          Show the members and roles in the current ISF.
10    Raisecom(config)#show hvs topo
          Show topology information about the ISF.
11    Raisecom(config)#show hvs interface
          Show information about ISF interfaces on the local device.
12    Raisecom(config)#show hvs config
          Show stacking configurations of the local device.

10.16.4 Example for configuring ISF

Networking requirements
As shown below, configure 2 devices to form an ISF in chain topology by following the steps
below.


Figure 10-18 Chain topology with 2 devices for ISF

Configuration steps
Step 1 Configure member 1.

Raisecom(config)#interface stack-port 1
Raisecom(config-stack-port-1)#add interface ge 1/0/1
Raisecom(config-stack-port-1)#add interface ge 1/0/2
Raisecom(config-stack-port-1)#quit
Raisecom(config)#hvs member-id 1
Raisecom(config)#hvs mode stack

Step 2 Configure member 2.

Raisecom(config)#interface stack-port 1
Raisecom(config-stack-port-1)#add interface ge 1/0/1
Raisecom(config-stack-port-1)#add interface ge 1/0/2
Raisecom(config-stack-port-1)#quit
Raisecom(config)#hvs member-id 2
Raisecom(config)#hvs mode stack

Step 3 After the 2 member devices are restarted, they start to negotiate. You can then use the
show hvs member command to check whether the ISF is established.

Checking results
Use the show hvs member command on member 2 to check the result.

Raisecom(config)#show hvs member
NOTE: '*' indicates the device is myself
SysId Role/ConfRole State/Pri Mac Uptime
-------------------------------------------------------------------------
1 master/no done/1 f0f1:f2f3:0101 12d:18h:16m:06s
* 2 slave/no done/1 f0f1:f2f3:0201 12d:18h:16m:04s
-------------------------------------------------------------------------

Use the show hvs topo command. The result is as below.

Raisecom(config)#show hvs topo
Interface: stack-port-2/1, State: up, MAC: f0:f1:f2:f3:02:01
Hop SysId MAC
---------------------------------------------
0 2 f0:f1:f2:f3:02:01
1 1 f0:f1:f2:f3:01:01
---------------------------------------------
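
The show hvs member output above can be checked by a script, and the role election rules in 10.16.1 can be written as a sort key to see which device wins after two ISFs merge. This is an added example, not Raisecom code. It assumes that the ConfRole column reads "master" on a device configured with hvs master (the guide only shows "no"), that "done" in the State column means negotiation has finished, and that the uptime rule is a plain longest-uptime comparison.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "show hvs member" output from the example above.
SAMPLE = """\
NOTE: '*' indicates the device is myself
SysId Role/ConfRole State/Pri Mac Uptime
-------------------------------------------------------------------------
1 master/no done/1 f0f1:f2f3:0101 12d:18h:16m:06s
* 2 slave/no done/1 f0f1:f2f3:0201 12d:18h:16m:04s
-------------------------------------------------------------------------
"""

ROW = re.compile(
    r"^(?P<me>\*)?\s*(?P<id>\d+)\s+(?P<role>\w+)/(?P<conf>\w+)\s+"
    r"(?P<state>\w+)/(?P<pri>\d+)\s+(?P<mac>[0-9a-f]{4}(?::[0-9a-f]{4}){2})\s+"
    r"(?P<up>\d+d:\d+h:\d+m:\d+s)$", re.IGNORECASE)


@dataclass
class Member:
    sys_id: int
    role: str            # "master" or "slave"
    forced_master: bool  # from ConfRole; see the assumption in parse_members
    state: str
    priority: int        # parsed for reporting; the rule list does not rank it
    mac: str
    uptime_s: int
    is_local: bool       # row marked with '*'


def uptime_seconds(text):
    """Convert '12d:18h:16m:06s' to seconds."""
    d, h, m, s = (int(part[:-1]) for part in text.split(":"))
    return ((d * 24 + h) * 60 + m) * 60 + s


def parse_members(text):
    members = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # banner, header and separator lines
        members.append(Member(
            sys_id=int(m["id"]),
            role=m["role"].lower(),
            # Assumption: ConfRole reads "master" after "hvs master".
            forced_master=m["conf"].lower() == "master",
            state=m["state"].lower(),
            priority=int(m["pri"]),
            mac=m["mac"].lower(),
            uptime_s=uptime_seconds(m["up"]),
            is_local=m["me"] is not None,
        ))
    return members


def election_key(member):
    """The four rules in descending order; the larger tuple wins."""
    return (
        member.role == "master",                 # 1. current master prevails
        member.forced_master,                    # 2. forcibly configured master
        member.uptime_s,                         # 3. longest running (assumption)
        -int(member.mac.replace(":", ""), 16),   # 4. lowest bridge MAC address
    )


def elect(candidates):
    return max(candidates, key=election_key)


def audit(members):
    """Return findings that indicate an unhealthy, split or merging stack."""
    findings = []
    masters = [m for m in members if m.role == "master"]
    if len(masters) != 1:
        findings.append(f"expected exactly 1 master, found {len(masters)}")
    ids = [m.sys_id for m in members]
    if len(ids) != len(set(ids)):
        findings.append("duplicate member ID")
    # Assumption: "done" means stacking negotiation has finished.
    findings += [f"member {m.sys_id} is in state {m.state}"
                 for m in members if m.state != "done"]
    return findings


if __name__ == "__main__":
    stack = parse_members(SAMPLE)
    print(audit(stack) or "stack looks healthy")
    print("master by the election rules: member", elect(stack).sys_id)
```

Collecting this output from every member and comparing the results is a simple way to notice a split: each half of a split stack reports its own master.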

10.17 MAD
10.17.1 Introduction
When the link between member devices in an ISF is disconnected, this may cause the ISF to
split into multiple new ISFs with the same Layer 3 configurations, such as the IP address. As a
result, the IP addresses may conflict and the network may fail. The Multi-Active Detection
(MAD) protocol is used for stacking splitting detection, conflict processing, and fault
clearance to improve system availability.
There are several working modes for detecting conflicts in MAD.
• Direct connection mode
In direct connection mode, an additional physical interface needs to be allocated between the
stacked member devices to be configured with MAD and to receive MAD packets. The
topology can be established as shown in Figure 10-18.
• Proxy mode
In proxy mode, another device needs to be enabled with MAD. Establish a cross-device
aggregation link between the device and the stacked member devices. Then, enable MAD on
the aggregation interface to establish a topology, as shown in Figure 10-19.
• Out-of-band interface detection mode
In this mode, enable MAD on the out-of-band interface, and connect the out-of-band interface
on all stacked member devices to the same switch, and ensure normal communication
between all out-of-band interfaces.

Figure 10-19 Direct connection mode of MAD


Figure 10-20 Proxy mode of MAD

10.17.2 Preparing for configurations

Scenario
• Backup management IP address
In addition to configuring the working mode of interfaces, MAD can also configure a backup
IP address for each stack member. When MAD detects multiple devices, it automatically
configures the backup IP address as the IP address of the out-of-band interface.
• Reserved interface
When MAD detects multiple devices, it compares them. If it finds that a device is not the
preferred device, it shuts down that device's own interface. If you do not want the interface to
be shut down when MAD detects multiple hosts, you can configure the interface as a reserved
interface.

Prerequisites
N/A

10.17.3 Configuring MAD


Configure MAD for the device as below.

Step  Command
          Description
1     Raisecom(config)#multi-active-detect backup ip address ip-address member { all | member-id }
          Configure the backup management IPv4 address for the specified ISF member device.
2     Raisecom(config)#multi-active-detect backup ipv6 address ipv6-address member { all | member-id }
          Configure the backup management IPv6 address for the specified ISF member device.
3     Raisecom(config)#interface ge 1/0/0/*
      Raisecom(config-ge-1/1/0/*)#multi-active-detect mode direct
          Configure the working mode of MAD on the interface.
4     Raisecom(config)#interface eth-trunk 1
      Raisecom(config-eth-trunk-1)#multi-active-detect mode relay
          Configure the working mode of MAD on the LAG interface.
5     Raisecom(config)#interface meth 0/0/0
      Raisecom(config-meth-0/0/0)#multi-active-detect { disable | enable }
      Raisecom(config)#interface ge 1/0/0/*
      Raisecom(config-ge-1/1/0/*)#multi-active-detect { disable | enable }
          Enable or disable MAD on the interface.
6     Raisecom(config-meth-0/0/0)#multi-active-exclude { disable | enable }
          Enable the reserved interface of MAD on the interface.
7     Raisecom(config)#show multi-active-detect config
          Show MAD configurations on the current device.
8     Raisecom(config)#show multi-active-detect information
          Show MAD information about the current device.

10.17.4 Example for configuring MAD

Networking requirements
As shown in Figure 10-18, configure the ISF to make two devices form an ISF. Then,
configure MAD.

Configuration steps
Step 1 Configure member 1.

Raisecom(config)#interface stack-port 1
Raisecom(config-stack-port-1)#add interface ge 1/0/1
Raisecom(config-stack-port-1)#quit
Raisecom(config)#hvs member-id 1
Raisecom(config)#hvs mode stack

Step 2 Configure member 2.


Raisecom(config)#interface stack-port 1
Raisecom(config-stack-port-1)#add interface ge 1/0/1
Raisecom(config-stack-port-1)#quit
Raisecom(config)#hvs member-id 2
Raisecom(config)#hvs mode stack

Step 3 After two member devices form an ISF, configure MAD.

Raisecom(config)#interface GE 1/0/0/2
Raisecom(config-ge-1/1/0/2)#stp disable
Raisecom(config-ge-1/1/0/2)#multi-active-detect mode direct
Raisecom(config-ge-1/1/0/2)#quit
Raisecom(config)#interface ge 2/1/0/2
Raisecom(config-ge-2/1/0/2)#stp disable
Raisecom(config-ge-2/1/0/2)#multi-active-detect mode direct

Checking results
Use the show multi-active-detect information command to show the MAD status.
Status of member 1:

Raisecom(config)#show multi-active-detect information
Current status : normal
Direct detect information:
ge-1/1/0/2 up
Excluded ports(configurable):
ge-1/1/0/5
Excluded ports(can not be configured):
ge-1/1/0/1

Status of member 2:

Raisecom(config)#show multi-active-detect information
Current status : conflict
Direct detect information:
ge-2/1/0/2 up
Excluded ports(configurable):
ge-2/1/0/5
Excluded ports(can not be configured):
ge-2/1/0/1
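
The two outputs above can be turned into findings for monitoring. This is an added example, not Raisecom code; the approved_reserved allowlist is a hypothetical input, and only the section headings shown in the direct-mode output above are parsed. It flags any status other than normal, a device with no detection link up (a split would then go undetected), and reserved interfaces nobody approved, since reserved interfaces stay up on the non-preferred device after a split.

```python
import re

# Constructed samples: the outputs shown above for member 1 and member 2.
MEMBER_1 = """\
Raisecom(config)#show multi-active-detect information
Current status : normal
Direct detect information:
ge-1/1/0/2 up
Excluded ports(configurable):
ge-1/1/0/5
Excluded ports(can not be configured):
ge-1/1/0/1
"""

MEMBER_2 = """\
Raisecom(config)#show multi-active-detect information
Current status : conflict
Direct detect information:
ge-2/1/0/2 up
Excluded ports(configurable):
ge-2/1/0/5
Excluded ports(can not be configured):
ge-2/1/0/1
"""


def parse_mad(text):
    """Parse 'show multi-active-detect information' output into a dict."""
    status, sections, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line:      # blank line or echoed CLI prompt
            continue
        m = re.match(r"Current status\s*:\s*(\S+)", line, re.IGNORECASE)
        if m:
            status = m.group(1).lower()
        elif line.endswith(":"):         # section heading
            current = line[:-1].lower()
            sections[current] = []
        elif current is not None:        # entry under the current heading
            sections[current].append(line.split())
    if status is None:
        raise ValueError("no 'Current status' line: not MAD output")
    detect = sections.get("direct detect information", [])
    return {
        "status": status,
        "detect": {t[0]: t[1].lower() for t in detect if len(t) >= 2},
        "reserved": [t[0] for t in sections.get("excluded ports(configurable)", [])],
        "fixed": [t[0] for t in sections.get("excluded ports(can not be configured)", [])],
    }


def assess(report, approved_reserved=frozenset()):
    """Return findings for one member; an empty list means nothing to review."""
    findings = []
    if report["status"] != "normal":
        findings.append(f"MAD status is {report['status']}")
    if not any(state == "up" for state in report["detect"].values()):
        findings.append("no MAD detection link is up")
    for port in report["reserved"]:
        if port not in approved_reserved:
            findings.append(f"unapproved reserved port {port}")
    return findings


if __name__ == "__main__":
    for name, output in (("member 1", MEMBER_1), ("member 2", MEMBER_2)):
        print(name, assess(parse_mad(output)) or "ok")
```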


10.18 NQA
10.18.1 Introduction
Network Quality Analysis (NQA) is a realtime network performance detection and statistical
technology that can gather statistics about network information, such as response time,
network jitter, and packet loss rate. NQA can monitor network QoS in real time and provide
effective fault diagnosis and localization in the event of network failures.

10.18.2 Preparing for configurations

Scenario
To make network QoS visible and check whether it meets the requirements, you would
otherwise need to deploy probe devices on the network to monitor it.
When the device provides NQA, there is no need to deploy specialized probe devices, which
effectively saves costs. NQA can accurately test the network operation status and output
statistics.
NQA monitors the performance of various protocols running on the network, enabling users
to collect realtime network performance indicators, such as the total HTTP delay, TCP
connection delay, DNS resolution delay, file transmission rate, FTP connection delay, and
DNS resolution error rate.

Prerequisites
N/A

10.18.3 Default configurations


Default configurations of NQA are as below.

Function    Default value
NQA    Disable

10.18.4 Configuring the ICMP-echo test

Configure the ICMP-echo test for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag type icmp-echo    Configure the test instance type as icmp-echo.
3    Raisecom(nqa-admin-test-icmp-echo)#destination ip ip-address    Configure the destination IP address.
4    Raisecom(nqa-admin-test-icmp-echo)#frequency freq-ms    Configure the test frequency, in milliseconds.
5    Raisecom(nqa-admin-test-icmp-echo)#probe count count    Configure the count of probes in each test.
6    Raisecom(nqa-admin-test-icmp-echo)#probe timeout timeout-time-ms    Configure the waiting time for each test, in milliseconds.
7    Raisecom(config)#nqa schedule admin-name operate-tag start-time now life-time forever    Configure the scheduling policy to start immediately and cycle permanently. Select either this configuration or the time range binding.
8    Raisecom(config)#nqa schedule admin-name operate-tag time-range timer-range-list    Configure the scheduling policy to be bound with the time range. Select either this configuration or the immediate start policy.

10.18.5 Configuring the UDP-echo test


Configure the UDP-echo test for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa server enable    Enable NQA Server.
3    Raisecom(config)#nqa server udp-connect ip-address udp-port    Configure UDP Server.

Configure the client as below.

Step    Command    Description
1    Raisecom#config    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag type udp-echo    Configure the test instance type as udp-echo.
3    Raisecom(nqa-admin-test-udp-echo)#destination ip ip-address    Configure the destination IP address.
4    Raisecom(nqa-admin-test-udp-echo)#destination port udp-port    Configure the destination UDP port number.
5    Raisecom(nqa-admin-test-udp-echo)#frequency freq-ms    Configure the test frequency, in milliseconds.
6    Raisecom(nqa-admin-test-udp-echo)#probe count count    Configure the count of probes in each test.
7    Raisecom(nqa-admin-test-udp-echo)#probe timeout timeout-time-ms    Configure the waiting time for each test, in milliseconds.
8    Raisecom(config)#nqa schedule admin-name operate-tag start-time now life-time forever    Configure the scheduling policy to start immediately and cycle permanently. Select either this configuration or the time range binding.
9    Raisecom(config)#nqa schedule admin-name operate-tag time-range timer-range-list    Configure the scheduling policy to be bound with the time range. Select either this configuration or the immediate start policy.

10.18.6 Configuring the TCP test


Configure the server as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa server enable    Enable NQA Server.
3    Raisecom(config)#nqa server tcp-connect ip-address tcp-port    Configure TCP Server.

Configure the client as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag type tcp    Configure the test instance type as tcp.
3    Raisecom(nqa-admin-test-tcp)#destination ip ip-address    Configure the destination IP address.
4    Raisecom(nqa-admin-test-tcp)#destination port tcp-port    Configure the destination TCP port number.
5    Raisecom(nqa-admin-test-tcp)#frequency freq-ms    Configure the test frequency, in milliseconds.
6    Raisecom(nqa-admin-test-tcp)#probe count count    Configure the count of probes in each test.
7    Raisecom(nqa-admin-test-tcp)#probe timeout timeout-time-ms    Configure the waiting time for each test, in milliseconds.
8    Raisecom(config)#nqa schedule admin-name operate-tag start-time now life-time forever    Configure the scheduling policy to start immediately and cycle permanently. Select either this configuration or the time range binding.
9    Raisecom(config)#nqa schedule admin-name operate-tag time-range timer-range-list    Configure the scheduling policy to be bound with the time range. Select either this configuration or the immediate start policy.

10.18.7 Configuring the DNS test


Configure the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag type dns    Configure the test instance type as dns.
3    Raisecom(nqa-admin-test-dns)#destination ip ip-address    Configure the IP address of the DNS server.
4    Raisecom(nqa-admin-test-dns)#resolve-target domain-name    Configure the name of the domain to be resolved.
5    Raisecom(nqa-admin-test-dns)#frequency freq-ms    Configure the test frequency, in milliseconds.
6    Raisecom(nqa-admin-test-dns)#probe count count    Configure the count of probes in each test.
7    Raisecom(nqa-admin-test-dns)#probe timeout timeout-time-ms    Configure the waiting time for each test, in milliseconds.
8    Raisecom(config)#nqa schedule admin-name operate-tag start-time now life-time forever    Configure the scheduling policy to start immediately and cycle permanently. Select either this configuration or the time range binding.
9    Raisecom(config)#nqa schedule admin-name operate-tag time-range timer-range-list    Configure the scheduling policy to be bound with the time range. Select either this configuration or the immediate start policy.


10.18.8 Configuring the HTTP test


Configure the HTTP test for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag type http    Configure the test instance type as http.
3    Raisecom(nqa-admin-test-http)#destination ip ip-address    Configure the IP address of the HTTP server.
4    Raisecom(nqa-admin-test-http)#url url-path    Configure the probe URL.
5    Raisecom(nqa-admin-test-http)#frequency freq-ms    Configure the test frequency, in milliseconds.
6    Raisecom(nqa-admin-test-http)#probe count count    Configure the count of probes in each test.
7    Raisecom(nqa-admin-test-http)#probe timeout timeout-time-ms    Configure the waiting time for each test, in milliseconds.
8    Raisecom(config)#nqa schedule admin-name operate-tag start-time now life-time forever    Configure the scheduling policy to start immediately and cycle permanently. Select either this configuration or the time range binding.
9    Raisecom(config)#nqa schedule admin-name operate-tag time-range timer-range-list    Configure the scheduling policy to be bound with the time range. Select either this configuration or the immediate start policy.

10.18.9 Configuring the FTP test


Configure the FTP test for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag type ftp    Configure the test instance type as ftp.
3    Raisecom(nqa-admin-test-ftp)#destination ip ip-address    Configure the IP address of the FTP server.
4    Raisecom(nqa-admin-test-ftp)#username ftp-username    Configure the FTP user name.
5    Raisecom(nqa-admin-test-ftp)#password ftp-password    Configure the FTP password.
6    Raisecom(nqa-admin-test-ftp)#filename ftp-filename    Configure the name of the file for probe.
7    Raisecom(nqa-admin-test-ftp)#operation { get | put }    (Optional) configure the FTP operation. By default, it is get.
8    Raisecom(nqa-admin-test-ftp)#frequency freq-ms    Configure the test frequency, in milliseconds.
9    Raisecom(nqa-admin-test-ftp)#probe count count    Configure the count of probes in each test.
10    Raisecom(nqa-admin-test-ftp)#probe timeout timeout-time-ms    Configure the waiting time for each test, in milliseconds.
11    Raisecom(config)#nqa schedule admin-name operate-tag start-time now life-time forever    Configure the scheduling policy to start immediately and cycle permanently. Select either this configuration or the time range binding.
12    Raisecom(config)#nqa schedule admin-name operate-tag time-range timer-range-list    Configure the scheduling policy to be bound with the time range. Select either this configuration or the immediate start policy.

10.18.10 Configuring the SNMP test


Configure the SNMP test for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag type snmp    Configure the test instance type as snmp.
3    Raisecom(nqa-admin-test-snmp)#destination ip ip-address    Configure the IP address of the SNMP server.
4    Raisecom(nqa-admin-test-snmp)#frequency freq-ms    Configure the test frequency, in milliseconds.
5    Raisecom(nqa-admin-test-snmp)#probe count count    Configure the count of probes in each test.
6    Raisecom(nqa-admin-test-snmp)#probe timeout timeout-time-ms    Configure the waiting time for each test, in milliseconds.
7    Raisecom(config)#nqa schedule admin-name operate-tag start-time now life-time forever    Configure the scheduling policy to start immediately and cycle permanently. Select either this configuration or the time range binding.
8    Raisecom(config)#nqa schedule admin-name operate-tag time-range timer-range-list    Configure the scheduling policy to be bound with the time range. Select either this configuration or the immediate start policy.

10.18.11 Configuring test history recording


Configure test history recording for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag [ type { icmp-echo | udp-echo | tcp | dns | http | ftp | snmp } ]    Enter any NQA test instance.
3    Raisecom(nqa-admin-test-icmp-echo)#history-record enable    Enable test history recording.
4    Raisecom(nqa-admin-test-icmp-echo)#history-record keep-time time-minutes    (Optional) configure the period for saving history records, in units of minute.

10.18.12 Configuring test statistics


Configure test statistics for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag [ type { icmp-echo | udp-echo | tcp | dns | http | ftp | snmp } ]    Enter any NQA test instance.
3    Raisecom(nqa-admin-test-icmp-echo)#statistics enable    Enable test statistics.
4    Raisecom(nqa-admin-test-icmp-echo)#statistics interval interval-minutes    (Optional) configure the statistic period.


10.18.13 Configuring test Trap


Configure test Trap for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#nqa test-instance admin-name operate-tag [ type { icmp-echo | udp-echo | tcp | dns | http | ftp | snmp } ]    Enter any NQA test instance.
3    Raisecom(nqa-admin-test-icmp-echo)#reaction trap probe-failure fail-count    Configure NQA to send a Trap when each probe encounters n consecutive failures.
4    Raisecom(nqa-admin-test-icmp-echo)#reaction trap test-failure fail-count    Configure NQA to send a Trap when each probe encounters n total failures.
5    Raisecom(nqa-admin-test-icmp-echo)#reaction trap test-complete    Configure NQA to send a Trap when each probe is complete.

10.18.14 Checking results


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show nqa config    Show NQA configurations.

10.18.15 Maintenance
Maintain the device as below.

Command    Description
Raisecom#show nqa agent    Show information about NQA clients.
Raisecom#show nqa server    Show information about the NQA server.
Raisecom#show nqa result admin-name operate-tag    Show the test result of NQA clients.
Raisecom#show nqa history admin-name operate-tag    Show the history test result of NQA clients.
Raisecom#show nqa statistics admin-name operate-tag    Show statistics on test results of NQA clients.


10.18.16 Example for configuring the ICMP-echo test

Networking requirements
As shown in Figure 10-21, enable the ICMP-echo test on switch A to detect the IP layer
connectivity between switch A and switch B.

Figure 10-21 ICMP-echo test networking

Configuration steps
Step 1 Configure IP layer connectivity.
Configure Switch A.

Raisecom#hostname SwitchA
SwitchA#config
SwitchA(config)#vlan 10
SwitchA(config-vlan-10)#quit
SwitchA(config)#interface ge 1/0/1
SwitchA(config-ge-1/0/1)#port hybrid vlan 10 tagged
SwitchA(config-ge-1/0/1)#quit
SwitchA(config)#interface vlan 10
SwitchA(config-vlanif-10)#ip address 10.1.1.1/24

Configure Switch B.

Raisecom#hostname SwitchB
SwitchB#config
SwitchB(config)#vlan 10
SwitchB(config-vlan-10)#quit
SwitchB(config)#interface ge 1/0/1
SwitchB(config-ge-1/0/1)#port hybrid vlan 10 tagged
SwitchB(config-ge-1/0/1)#quit
SwitchB(config)#interface vlan 10
SwitchB(config-vlanif-10)#ip address 10.1.1.2/24


Step 2 Configure the icmp-echo probe instance of NQA.

Configure Switch A.

SwitchA(config)#nqa test-instance admin test type icmp-echo
SwitchA(nqa-admin-test-icmp-echo)#destination ip 10.1.1.2
SwitchA(nqa-admin-test-icmp-echo)#frequency 10000
SwitchA(nqa-admin-test-icmp-echo)#probe count 3
SwitchA(nqa-admin-test-icmp-echo)#history-record enable
SwitchA(nqa-admin-test-icmp-echo)#reaction trap probe-failure 3
SwitchA(config)#nqa schedule admin test start-time now life-time forever

Checking results
Use the show nqa config command to show local configurations.

SwitchA(config)#show nqa config


!
nqa test-instance admin test type icmp-echo
frequency 10000
history-record enable
statistics enable
reaction trap probe-failure 3
probe count 3
destination ip 10.1.1.2
nqa schedule admin test start-time now life-time forever
……

Use the show nqa history admin test command to show history test results.

SwitchA(config)#show nqa history admin test


Index Response Status Time
-------------------------------------------------------------------------
1 9 successed 2023-11-10 17:05:05
2 8 successed 2023-11-10 17:05:05
3 11 successed 2023-11-10 17:05:05
4 9 successed 2023-11-10 17:05:16
5 7 successed 2023-11-10 17:05:16
6 12 successed 2023-11-10 17:05:16
7 10 successed 2023-11-10 17:05:26
8 7 successed 2023-11-10 17:05:26
9 11 successed 2023-11-10 17:05:26

-------------------------------------------------------------------------
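
The history rows above can be checked offline against the two failure reactions from 10.18.13. The following is an added example, not Raisecom code: it assumes that every probe count rows form one test, that fail-count is evaluated per test, and that a failed probe is printed as "failed" with "-" as the response (the guide shows only "successed"); all function names are hypothetical.

```python
import re
from datetime import datetime

# Rows in the layout printed by "show nqa history". Rows 1-6 are copied from
# the guide's output; rows 7-12 are constructed. The "failed" status text and
# the "-" response placeholder are assumptions.
SAMPLE_HISTORY = """\
Index Response Status Time
-------------------------------------------------------------------------
1 9 successed 2023-11-10 17:05:05
2 8 successed 2023-11-10 17:05:05
3 11 successed 2023-11-10 17:05:05
4 9 successed 2023-11-10 17:05:16
5 7 successed 2023-11-10 17:05:16
6 12 successed 2023-11-10 17:05:16
7 - failed 2023-11-10 17:05:26
8 10 successed 2023-11-10 17:05:26
9 - failed 2023-11-10 17:05:26
10 - failed 2023-11-10 17:05:36
11 - failed 2023-11-10 17:05:36
12 14 successed 2023-11-10 17:05:36
-------------------------------------------------------------------------
"""

ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)


def parse_history(text):
    """Return one dict per probe row; header and separator lines are skipped."""
    probes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        index, response, status, stamp = m.groups()
        probes.append({
            "index": int(index),
            "response": int(response) if response.isdigit() else None,
            "ok": status == "successed",
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
        })
    return probes


def summarize_tests(probes, probe_count):
    """Group rows into tests of probe_count probes (assumed row order) and
    count total failures and the longest run of consecutive failures."""
    tests = []
    for start in range(0, len(probes), probe_count):
        chunk = probes[start:start + probe_count]
        streak = longest = 0
        for p in chunk:
            streak = 0 if p["ok"] else streak + 1
            longest = max(longest, streak)
        times = [p["response"] for p in chunk if p["response"] is not None]
        tests.append({
            "test": start // probe_count + 1,
            "sent": len(chunk),
            "failed": sum(not p["ok"] for p in chunk),
            "longest_streak": longest,
            "avg_response": round(sum(times) / len(times), 1) if times else None,
        })
    return tests


def expected_traps(tests, probe_failure=None, test_failure=None):
    """Map test number -> reactions whose fail-count threshold is reached.
    probe-failure compares consecutive failures, test-failure total failures."""
    result = {}
    for t in tests:
        hits = []
        if probe_failure is not None and t["longest_streak"] >= probe_failure:
            hits.append("probe-failure")
        if test_failure is not None and t["failed"] >= test_failure:
            hits.append("test-failure")
        if hits:
            result[t["test"]] = hits
    return result


if __name__ == "__main__":
    summary = summarize_tests(parse_history(SAMPLE_HISTORY), probe_count=3)
    for entry in summary:
        print(entry)
    print(expected_traps(summary, probe_failure=2, test_failure=2))
```

With the threshold of 3 used in the configuration above, none of the sample tests reaches the probe-failure condition, because no test contains three consecutive failed probes.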


10.19 PoE
10.19.1 Introduction
Power over Ethernet (PoE) refers to supplying power through an Ethernet network. It is also
known as Power over LAN (PoL) or Active Ethernet.

10.19.2 Preparing for configurations

Scenario
With the increasing popularity of IP phones, network video monitoring, and wireless Ethernet
applications on the network, the demand for power support through Ethernet is becoming
increasingly urgent. In most cases, the Access Point (AP) device requires direct current power
supply, and it is usually installed on the ceiling or outdoors. It is difficult to reach power
sockets nearby. Even if there are sockets, the AC/DC converters required by the AP device are
difficult to locate. In many large-scale LAN applications, the administrator needs to manage
multiple AP devices simultaneously, which require unified power supply and management and
cause great inconvenience to power supply management. PoE precisely solves this problem.
PoE is a wired Ethernet powering technology and is currently the most widely used
technology in LANs. PoE allows electrical power to be transmitted to terminal devices
through data transmission lines or idle lines. When the terminal devices are powered by
10BASE-T, 100BASE-TX, and 1000BASE-T Ethernet networks, the reliable power supply
distance can reach up to 100 m. Through this method, the centralized power supply of
terminals can be available, such as IP phones, wireless APs, portable device chargers, card
readers, cameras, and data collectors. For these terminals, there is no need to consider the
issue of indoor power system wiring, and they can be powered on while being connected to
the network.

Prerequisite
N/A

10.19.3 Default configurations of PoE


Default configurations of PoE are as below.

Function    Default value
PoE status    Enable
Working mode of the PoE interface    Auto

10.19.4 Enabling PoE


Enable PoE for the device as below:

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter physical interface configuration mode. The physical interface to be used must support PoE.
3    Raisecom(config-ge-1/0/*)#poe { enable | disable }    Enable or disable PoE.
4    Raisecom(config-ge-1/0/*)#poe power-management { auto | manual | default }    Configure the working mode of PoE.

10.19.5 Configuring the maximum output power of PoE


Configure the maximum output power of PoE for the device as below:

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter physical interface configuration mode. The physical interface to be used must support PoE.
3    Raisecom(config-ge-1/0/*)#poe max-power power-value    Configure the maximum output power of PoE.

10.19.6 Configuring power-on and power-off of PoE


Configure power-on and power-off of PoE for the device as below:

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter physical interface configuration mode. The physical interface to be used must support PoE.
3    Raisecom(config-ge-1/0/*)#poe power-priority { critical | high | low | default }    Configure the power supply priority of the PoE interface. Some devices do not support this function. See the descriptions.
4    Raisecom(config-ge-1/0/*)#poe { power-on | power-off }    Configure manual power-on and power-off of the PoE interface.
5    Raisecom(config-ge-1/0/*)#poe shutdown time-range timer-range-list    Configure the power-off period of the PoE interface.
6    Raisecom(config-ge-1/0/*)#poe inrush { af | af-high | at | bt3 | bt4 | default | pre-at | pre-bt3 | pre-bt4 }    Configure the power standard of the PoE interface.
7    Raisecom(config-ge-1/0/*)#poe high-inrush { enable | disable }    Configure the high inrush current of the PD upon power-on by the PoE interface.

10.19.7 Configuring the PD description


Configure the PD description for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#interface interface-type interface-number    Enter physical interface configuration mode. The physical interface to be used must support PoE.
3    Raisecom(config-ge-1/0/*)#poe description descr-str    Configure the PD description.

10.19.8 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show poe config    Show PoE configurations.

10.19.9 Example for configuring PoE

Networking requirements
Configure PoE interfaces GE1/0/1, GE1/0/2, and GE1/0/3 to be connected to three PDs
respectively.

Configuration steps
Step 1 Configure the working mode to auto.


Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#poe power-management auto
Raisecom(config-ge-1/0/1)#quit
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#poe power-management auto
Raisecom(config-ge-1/0/2)#quit
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#poe power-management auto
Raisecom(config-ge-1/0/3)#quit

Step 2 Configure the maximum output power of the PoE interfaces.

Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#poe max-power 1500
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#poe max-power 1500
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#poe max-power 1500

Step 3 Configure power supply priorities of the PoE interfaces.

Raisecom#configure
Raisecom(config)#interface ge 1/0/1
Raisecom(config-ge-1/0/1)#poe power-priority critical
Raisecom(config)#interface ge 1/0/2
Raisecom(config-ge-1/0/2)#poe power-priority high
Raisecom(config)#interface ge 1/0/3
Raisecom(config-ge-1/0/3)#poe power-priority high

Checking results
Use the show poe config command to show local PoE configurations.

Raisecom#show poe config


!
interface ge 1/0/1
poe power-priority critical
poe max-power 1500
!
interface ge 1/0/2
poe power-priority high
poe max-power 1500
!
interface ge 1/0/3
poe power-priority high
poe max-power 1500


……

Use the show poe interface command to show the PoE status of the interfaces.

Raisecom#show poe interface

Interface  State   PowerMode  PowerPri  DetectStatus     PowerClass  CurrentPower(mW)  Descr
------------------------------------------------------------------------------------------------
ge-1/0/1   enable  auto       critical  deliveringPower  class4      24000             -
ge-1/0/2   enable  auto       high      searching        --          0                 -
ge-1/0/3   enable  auto       high      deliveringPower  class4      24000             -
ge-1/0/4   enable  auto       low       searching        --          0                 -
ge-1/0/5   enable  auto       low       searching        --          0                 -
ge-1/0/6   enable  auto       low       searching        --          0                 -
ge-1/0/7   enable  auto       low       searching        --          0                 -
ge-1/0/8   enable  auto       low       searching        --          0                 -
------------------------------------------------------------------------------------------------

10.20 USB flash disk deployment


10.20.1 Introduction
With the expansion of the network scale, more and more devices need to be deployed on the
network, and the number of initial deployments is also increasing. Compared with the
traditional mode of deploying devices one by one through professional engineers, the USB
flash disk deployment function only requires professional engineers to store all deployment
files on the USB flash disk, and the specific deployment tasks can be performed by on-site
non-professional personnel. This not only simplifies the initial deployment process, but also
reduces the initial deployment cost.
At the initial deployment with the USB flash disk, the user stores the deployment files
(system software, configuration files, and ODM file) in the USB flash disk in advance, and
then inserts the USB flash disk into the device. The device downloads the deployment files
from the USB flash disk to deploy the target software version and related services.


10.20.2 Flow for USB flash disk deployment


Before fast deployment with USB flash disk, you need to first create the fast deployment USB
flash disk, and save the deployment file to be loaded to the root directory on the USB flash
disk. Insert the USB flash disk into the device, and the device will automatically load the
deployment file according to the index file. Figure 10-22 shows the specific flow.

Figure 10-22 Flow for fast deployment with the USB flash disk

10.20.3 Preparing for configurations

Scenario
This configuration is used to implement USB flash disk deployment.

Prerequisite
N/A

10.20.4 Default configurations of USB flash disk deployment


Default configurations of USB flash disk deployment are as below.

Function    Default value
USB flash disk deployment status    Disable

10.20.5 Making USB flash disk for fast deployment


Step 1 Insert a blank USB flash disk into the PC with the Linux OS or the device that supports USB
flash disk for fast deployment (we recommend inserting it to the device directly).
Step 2 Format the USB flash disk into the FAT32 format, as shown below.

1. Delete the current partition (on the device, the USB flash disk is shown as /dev/sda. In
the Linux OS, operate with the actual drive).

2. Create a new partition.

3. Format the partition.

Step 3 Remove the USB flash disk. Making the USB flash disk is complete.

10.21 Patching
10.21.1 Introduction
The patching function fixes system vulnerabilities and software defects online by applying a
patch, without updating the system software. The system supports up to 32 patches.


10.21.2 Preparing for configurations

Scenario
A problem found in the system can be solved by patching, without restarting the device.

Prerequisite
Prepare the patch file.

10.21.3 Loading the patch file


Load the patch file for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#patch 1 load filename    Load the patch file.

10.21.4 Activating the patch file


Activate the patch file for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#patch 1 active    Activate the patch file.

10.21.5 Deactivating the patch file


Deactivate the patch file for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#patch 1 deactive    Deactivate the patch file.

10.21.6 Deleting the patch file


Delete the patch file for the device as below.

Step    Command    Description
1    Raisecom#configure    Enter global configuration mode.
2    Raisecom(config)#patch 1 delete    Delete the patch file to make it invalid.

10.21.7 Checking configurations


Use the following commands to check configuration results.

No.    Command    Description
1    Raisecom#show patch information    Show the patch of the device.

10.21.8 Example for configuring patching

Networking requirements
The problem found in the system can be solved by patching.
The SNMP interface on the device is connected to the PC, which is installed with the TFTP
software. The device downloads the patch file from the PC.

Configuration steps
Step 1 Download the patch file from the PC to the device through TFTP.

Raisecom(config)#tftp get 22.1.1.1 libmspaaa_patch.pat localfile libmspaaa_patch.pat

Step 2 Load the patch file.

Raisecom(config)#patch 1 load libmspaaa_patch.pat

Step 3 Activate the patch file.

Raisecom(config)#patch 1 active

Checking results
Use the show patch information command to show the patch status.


Raisecom(config)#show patch information


Patch max number : 32
Patch current number : 1
Seq ProcName State Type Valid EffetiveTime PatchName
------------------------------------------------------------------------
1 mspaaa ACTIVE REP YES 2024-03-20 17:08:52 libmspaaa_patch.pat

10.22 Periodically backing up configurations


10.22.1 Introduction
This function is implemented by the combination of automatic configuration uploading and
time range.

10.22.2 Preparing for configurations

Scenario
Periodically back up configurations to the specified server.

Prerequisite
The device and PC can ping each other. Enable the TFTP or FTP server on the PC.

10.22.3 Configuring time range


Configure a time range list for the device as below.

Step Command Description

1 Raisecom#config
  Enter global configuration mode.

2 Raisecom(config)#time-range list id
  Create a time range list.

3 Raisecom(config-timerange-*)#time-range timerange-id absolute from hour:minute:second year/month/monthday to hour:minute:second year/month/monthday
  Raisecom(config-timerange-*)#time-range timerange-id everyhour minute:second to minute:second
  Raisecom(config-timerange-*)#time-range timerange-id everyday hour:minute:second to hour:minute:second
  Raisecom(config-timerange-*)#time-range timerange-id everyweek hour:minute:second { mon | tue | wed | thu | fri | sat | sun } to { mon | tue | wed | thu | fri | sat | sun }
  Raisecom(config-timerange-*)#time-range timerange-id everymonth hour:minute:second monthday to hour:minute:second monthday
  Raisecom(config-timerange-*)#time-range timerange-id everyweekend hour:minute:second to hour:minute:second
  Raisecom(config-timerange-*)#time-range timerange-id everyyear hour:minute:second month/monthday to hour:minute:second month/monthday

  Create a time range for automatic uploading.
  • Relative time range (periodic time range): periodic time range of one week described by the everyxxx parameter. It can be indicated by an absolute time range to indicate the effective date of the time range.
  • Absolute time range: a specific time range specified by the absolute parameter. You can limit the relative time range (periodic time range) to take effect within a specific time range specified by the absolute time range.
  If multiple effective times are configured for this time range, the effective principle is to perform OR between periodic time ranges, and to perform AND between the periodic time range and absolute time range.
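
The OR/AND rule stated for step 3 can be checked with a small model before a time range list is bound to an upload entry. The following Python is an added example, not Raisecom code: the class names, the inclusive end points, the rejection of windows whose start is after their end, and the treatment of empty lists are assumptions; rule 1 reuses the everyhour window from section 10.22.6, and the other sample values are constructed.

```python
"""Model of the time-range evaluation rule in step 3 (added example, not device code)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class EveryHour:
    """everyhour minute:second to minute:second"""
    start: Tuple[int, int]  # (minute, second)
    end: Tuple[int, int]

    def matches(self, t: datetime) -> bool:
        return self.start <= (t.minute, t.second) <= self.end


@dataclass(frozen=True)
class EveryDay:
    """everyday hour:minute:second to hour:minute:second"""
    start: time
    end: time

    def matches(self, t: datetime) -> bool:
        return self.start <= t.time().replace(microsecond=0) <= self.end


@dataclass
class TimeRangeList:
    periodic: List[Union[EveryHour, EveryDay]] = field(default_factory=list)
    absolute: Optional[Tuple[datetime, datetime]] = None

    def __post_init__(self) -> None:
        # Assumption: a window whose start is after its end is rejected,
        # because the guide does not define wrap-around behaviour.
        for rule in self.periodic:
            if rule.start > rule.end:
                raise ValueError(f"start after end in {rule!r}")
        if self.absolute and self.absolute[0] > self.absolute[1]:
            raise ValueError("absolute range starts after it ends")

    def active(self, t: datetime) -> bool:
        if not self.periodic and self.absolute is None:
            return False  # assumption: an empty list is never in effect
        # OR between periodic ranges (assumption: with none configured,
        # the absolute range alone decides).
        periodic_ok = not self.periodic or any(r.matches(t) for r in self.periodic)
        # AND between the periodic result and the absolute range
        # (assumption: end points are inclusive).
        absolute_ok = self.absolute is None or self.absolute[0] <= t <= self.absolute[1]
        return periodic_ok and absolute_ok


def build_sample() -> TimeRangeList:
    # Rule 1 is the everyhour window used in section 10.22.6; the everyday
    # window and the absolute range are constructed for this illustration.
    return TimeRangeList(
        periodic=[EveryHour((3, 10), (13, 10)), EveryDay(time(22, 0, 0), time(23, 0, 0))],
        absolute=(datetime(2024, 3, 1, 0, 0, 0), datetime(2024, 3, 31, 23, 59, 59)),
    )


if __name__ == "__main__":
    trl = build_sample()
    for stamp in ("2024-03-20 17:05:00", "2024-03-20 17:30:00",
                  "2024-03-20 22:30:00", "2024-04-02 17:05:00"):
        print(stamp, trl.active(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")))
```

A timestamp that matches a periodic rule but falls outside the absolute range is reported as inactive, which is the case most likely to leave a backup schedule silently idle.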

10.22.4 Configuring automatic uploading


Configure automatic uploading for the device as below.

Step Command Description

1 Raisecom#config
  Enter global configuration mode.

2 Raisecom(config)#auto-upload start
  Enable automatic uploading.

3 Raisecom(config)#auto-upload tftp server {ipv4-address|ipv6-address} remotefile {config|running-config|log} [interval interval-value|port port-number|time-range list-number]*
  Configure the attributes of the TFTP server for automatic uploading, and specify the file to be uploaded and the bound time range list.

4 Raisecom(config)#auto-upload ftp server {ipv4-address|ipv6-address} username password remotefile {config|running-config|log} [interval interval-value|port port-number|time-range list-number]*
  Configure the attributes of the FTP server for automatic uploading, and specify the file to be uploaded and the bound time range list.

10.22.5 Checking configurations


Use the following commands to check configuration results.

Step Command Description

1 Raisecom#show auto-upload server
  Show configured automatic uploading entries.

2 Raisecom#show auto-upload config
  Show configurations of automatic uploading.

10.22.6 Example for configuring periodic backup

Networking requirements
Configure the device to automatically back up current configurations through TFTP to the PC.
The device and PC are connected by the SNMP interface. Enable the TFTP server on the PC.

Configuration steps
Step 1 Configure time range list 1, and configure rule 1 (take the 1h periodic backup for example).

Raisecom(config)#time-range list 1
Raisecom(config-timerange-1)#time-range 1 everyhour 3:10 to 13:10

Step 2 Configure properties of automatic uploading. Enable automatic uploading. Create an entry
(the IP address of the TFTP server is 192.168.62.1, the local file is the running configuration
file, and the file to be uploaded to the TFTP server is config.txt), and bind it to time range list 1.

Raisecom(config)#auto-upload start
Raisecom(config)#auto-upload tftp server 192.168.62.1 config.txt running-config time-range 1


Step 3 After configurations are complete, the device automatically uploads the configuration file to
the TFTP server on the PC every 1h3min10s.

Checking results
Use the show auto-upload server command to show configurations of automatic uploading.

Raisecom(config)#show auto-upload server


Type  Server        Port  Interval(min)  Localfile       Vpn  TimerangeId
----------------------------------------------------------------------------------------------------
tftp  192.168.62.1  69    10             running-config  n/a  1
----------------------------------------------------------------------------------------------------
Raisecom(config)#


11 Appendix

This chapter lists terms, acronyms, and abbreviations involved in this document, including the
following sections:
• Terms
• Acronyms and abbreviations

11.1 Terms
A
Access Control List (ACL): A series of ordered rules composed of permit | deny sentences. These rules are based on the source MAC address, destination MAC address, source IP address, destination IP address, and interface ID. The device determines to receive or refuse the packets based on these rules.

Automatic Laser Shutdown (ALS): The technology that is used for automatically shutting down the laser to avoid the maintenance and operation risks when the fiber is pulled out or the output power is too great.

Auto-negotiation: The interface automatically chooses the rate and duplex mode according to the result of negotiation. The auto-negotiation process is: the interface adapts its rate and duplex mode to the highest performance according to the peer interface; in other words, both ends of the link adopt the highest rate and duplex mode they both support after auto-negotiation.

Automatic Protection Switching (APS): APS is used to monitor transport lines in real time and automatically analyze alarms to discover faults. When a critical fault occurs, through APS, services on the working line can be automatically switched to the protection line, thus the communication is recovered in a short period.


C
Challenge Handshake Authentication Protocol (CHAP): CHAP is a widely supported authentication method in which a representation of the user's password, rather than the password itself, is sent during the authentication process. With CHAP, the remote access server sends a challenge to the remote access client. The remote access client uses a hash algorithm (also known as a hash function) to compute a Message Digest-5 (MD5) hash result based on the challenge and a hash result computed from the user's password. The remote access client sends the MD5 hash result to the remote access server. The remote access server, which also has access to the hash result of the user's password, performs the same calculation using the hash algorithm and compares the result to the one sent by the client. If the results match, the credentials of the remote access client are considered authentic. A hash algorithm provides one-way encryption, which means that calculating the hash result for a data block is easy, but determining the original data block from the hash result is mathematically infeasible.

D
Dynamic ARP Inspection (DAI): A security feature that can be used to verify the ARP data packets in the network. With DAI, the administrator can intercept, record, and discard ARP packets with invalid MAC address/IP address to prevent common ARP attacks.

Dynamic Host Configuration Protocol (DHCP): A technology used for assigning IP address dynamically. It can automatically assign IP addresses for all clients in the network to reduce workload of the administrator. In addition, it can implement centralized management of IP addresses.

E
Ethernet in the First Mile (EFM): Complying with IEEE 802.3ah protocol, EFM is a link-level Ethernet OAM technology. It provides the link connectivity detection, link fault monitoring, and remote fault notification for a link between two directly-connected devices. EFM is mainly used for the Ethernet link on edges of the network accessed by users.

Ethernet Ring Protection Switching (ERPS): It is an APS protocol based on ITU-T G.8032 standard, which is a link-layer protocol specially used for the Ethernet ring. In normal conditions, it can avoid broadcast storm caused by the data loop on the Ethernet ring. When the link or device on the Ethernet ring fails, services can be quickly switched to the backup line to enable services to be recovered in time.

F
Full duplex: In a communication link, both parties can receive and send data concurrently.


G
Ground cable: The cable to connect the device to ground, usually a yellow/green coaxial cable. Connecting the ground cable properly is an important guarantee to lightning protection, anti-electric shock, and anti-interference.

H
Half duplex: In a communication link, both parties can receive or send data at a time.

I
Institute of Electrical and Electronics Engineers (IEEE): A professional society serving electrical engineers through its publications, conferences, and standards development activities. The body responsible for the Ethernet 802.3 and wireless LAN 802.11 specifications.

Internet Assigned Numbers Authority (IANA): The organization operated under the IAB. IANA delegates authority for IP address-space allocation and domain-name assignment to the NIC and other organizations. IANA also maintains a database of assigned protocol identifiers used in the TCP/IP suite, including autonomous system numbers.

Internet Engineering Task Force (IETF): A worldwide organization of individuals interested in networking and the Internet. Managed by the Internet Engineering Steering Group (IESG), the IETF is charged with studying technical problems facing the Internet and proposing solutions to the Internet Architecture Board (IAB). The work of the IETF is carried out by various working groups that concentrate on specific topics, such as routing and security. The IETF is the publisher of the specifications that led to the TCP/IP protocol standard.

L
Label: Symbols for cable, chassis, and warnings.

Link Aggregation: With link aggregation, multiple physical Ethernet interfaces are combined to form a logical aggregation group. Multiple physical links in one aggregation group are taken as a logical link. Link aggregation helps share traffic among member interfaces in an aggregation group. In addition to effectively improving the reliability on links between devices, link aggregation can help gain greater bandwidth without upgrading hardware.

Link Aggregation Control Protocol (LACP): A protocol used for realizing link dynamic aggregation. The LACPDU is used to exchange information with the peer device.


Link-state tracking: Link-state tracking provides an interface linkage scheme, extending the range of link backup. Through monitoring upstream links and synchronizing downstream links, faults of the upstream device can be transferred quickly to the downstream device, and primary/backup switching is triggered. In this way, it avoids traffic loss because the downstream device does not sense faults of the upstream link.

M
Multi-Mode Fiber (MMF): In this fiber, multi-mode optical signals are transmitted.

N
Network Time Protocol (NTP): A time synchronization protocol defined by RFC 1305. It is used to synchronize time between distributed time servers and clients. NTP is used to perform clock synchronization on all devices that have clocks in the network. Therefore, the devices can provide different applications based on a unified time. In addition, NTP can ensure a very high accuracy with an error of 10 ms or so.

O
Open Shortest Path First (OSPF): An internal gateway dynamic routing protocol, which is used to determine the route in an Autonomous System (AS).

Optical Distribution Frame (ODF): A distribution connection device between the fiber and a communication device. It is an important part of the optical transmission system. It is mainly used for fiber splicing, optical connector installation, fiber adjustment, additional pigtail storage, and fiber protection.

P
Password Authentication Protocol (PAP): PAP is an authentication protocol that uses a password in Point-to-Point Protocol (PPP). It is a two-way handshake protocol and transmits unencrypted user names and passwords over the network. Therefore, it is considered insecure.

Point-to-point Protocol over Ethernet (PPPoE): PPPoE is a network protocol for encapsulating PPP frames in Ethernet frames. With PPPoE, the remote access device can control and account for each access user.


Q
QinQ: QinQ (also called Stacked VLAN or Double VLAN) is extended from 802.1Q and defined by the IEEE 802.1ad recommendation. Basic QinQ is a simple Layer 2 VPN tunnel technology that encapsulates an outer VLAN Tag for client private packets at the carrier access end, so that the packets carry double VLAN Tags when passing through the trunk network (public network). In the public network, packets are forwarded according to the outer VLAN Tag only, and the private VLAN Tag is transmitted as data in the packets.

Quality of Service (QoS): A network security mechanism, used to solve problems of network delay and congestion. When the network is overloaded or congested, QoS can ensure that packets of important services are not delayed or discarded and the network runs with high efficiency. Depending on the specific system and service, it may relate to jitter, delay, packet loss ratio, bit error ratio, and signal-to-noise ratio.

R
Rapid Spanning Tree Protocol (RSTP): Evolution of the Spanning Tree Protocol (STP), which provides improvements in the speed of convergence for bridged networks.

Remote Authentication Dial In User Service (RADIUS): RADIUS refers to a protocol used to authenticate and account users in the network. RADIUS works in client/server mode. The RADIUS server is responsible for receiving users' connection requests, authenticating users, and replying with the configurations required by all clients to provide services for users.

S
Simple Network Management Protocol (SNMP): A network management protocol defined by the Internet Engineering Task Force (IETF) and used to manage devices in the Internet. SNMP enables the network management system to remotely manage all network devices that support SNMP, including monitoring network status, modifying network device configurations, and receiving network event alarms. At present, SNMP is the most widely-used network management protocol in the TCP/IP network.

Simple Network Time Protocol (SNTP): SNTP is mainly used for synchronizing time of devices in the network.

Single-Mode Fiber (SMF): In this fiber, single-mode optical signals are transmitted.

Spanning Tree Protocol (STP): STP can be used to eliminate network loops and back up link data. It blocks loops in logic to prevent broadcast storms. When the unblocked link fails, the blocked link is re-activated to act as the backup link.


V
Virtual Local Area Network (VLAN): VLAN is a protocol proposed to solve broadcast and security issues for Ethernet. It divides devices in a LAN into different segments logically rather than physically, thus implementing multiple virtual work groups which are based on Layer 2 isolation and do not affect each other.

VLAN mapping: VLAN mapping is mainly used to replace the private VLAN Tag of the Ethernet service packet with the ISP's VLAN Tag, so that the packet is transmitted according to the ISP's VLAN forwarding rules. When the packet is sent to the peer private network from the ISP network, the VLAN Tag is restored to the original private VLAN Tag according to the same VLAN forwarding rules. Thus, the packet is sent to the destination correctly.

11.2 Acronyms and abbreviations


A
AAA Authentication, Authorization and Accounting
ABR Area Border Router
AC Alternating Current
ACL Access Control List
ANSI American National Standards Institute
APS Automatic Protection Switching
ARP Address Resolution Protocol
AS Autonomous System
ASCII American Standard Code for Information Interchange
ASE Autonomous System External
ATM Asynchronous Transfer Mode
AWG American Wire Gauge

B
BC Boundary Clock
BDR Backup Designated Router
BITS Building Integrated Timing Supply System
BOOTP Bootstrap Protocol
BPDU Bridge Protocol Data Unit
BTS Base Transceiver Station


C
CAR Committed Access Rate
CAS Channel Associated Signaling
CBS Committed Burst Size
CE Customer Edge
CHAP Challenge Handshake Authentication Protocol
CIDR Classless Inter-Domain Routing
CIR Committed Information Rate
CIST Common Internal Spanning Tree
CLI Command Line Interface
CoS Class of Service
CPU Central Processing Unit
CRC Cyclic Redundancy Check
CSMA/CD Carrier Sense Multiple Access/Collision Detection
CST Common Spanning Tree

D
DAI Dynamic ARP Inspection
DBA Dynamic Bandwidth Allocation
DC Direct Current
DHCP Dynamic Host Configuration Protocol
DiffServ Differentiated Service
DNS Domain Name System
DRR Deficit Round Robin
DS Differentiated Services
DSL Digital Subscriber Line

E
EAP Extensible Authentication Protocol
EAPoL EAP over LAN
EFM Ethernet in the First Mile
EMC Electro Magnetic Compatibility
EMI Electro Magnetic Interference


EMS Electro Magnetic Susceptibility


ERPS Ethernet Ring Protection Switching
ESD Electro Static Discharge
EVC Ethernet Virtual Connection

F
FCS Frame Check Sequence
FE Fast Ethernet
FIFO First Input First Output
FTP File Transfer Protocol

G
MVRP Generic Attribute Registration Protocol
GE Gigabit Ethernet
GMRP MVRP Multicast Registration Protocol
GPS Global Positioning System
MVRP Generic VLAN Registration Protocol

H
HDLC High-level Data Link Control
HTTP Hyper Text Transfer Protocol

I
IANA Internet Assigned Numbers Authority
ICMP Internet Control Message Protocol
IE Internet Explorer
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IGMP Internet Group Management Protocol
IP Internet Protocol
IS-IS Intermediate System to Intermediate System Routing Protocol
ISP Internet Service Provider


ITU-T International Telecommunications Union - Telecommunication Standardization Sector

L
LACP Link Aggregation Control Protocol
LACPDU Link Aggregation Control Protocol Data Unit
LAN Local Area Network
LCAS Link Capacity Adjustment Scheme
LLDP Link Layer Discovery Protocol
LLDPDU Link Layer Discovery Protocol Data Unit

M
MAC Medium Access Control
MDI Medium Dependent Interface
MDI-X Medium Dependent Interface cross-over
MIB Management Information Base
MSTI Multiple Spanning Tree Instance
MSTP Multiple Spanning Tree Protocol
MTBF Mean Time Between Failure
MTU Maximum Transmission Unit
MVR Multicast VLAN Registration

N
NMS Network Management System
NNM Network Node Management
NTP Network Time Protocol
NView NNM NView Network Node Management

O
OAM Operation, Administration and Management
OC Ordinary Clock
ODF Optical Distribution Frame
OID Object Identifiers


Option 82 DHCP Relay Agent Information Option


OSPF Open Shortest Path First

P
P2MP Point to Multipoint
P2P Point-to-Point
PADI PPPoE Active Discovery Initiation
PADO PPPoE Active Discovery Offer
PADS PPPoE Active Discovery Session-confirmation
PAP Password Authentication Protocol
PDU Protocol Data Unit
PE Provider Edge
PIM-DM Protocol Independent Multicast-Dense Mode
PIM-SM Protocol Independent Multicast-Sparse Mode
PING Packet Internet Groper
PPP Point to Point Protocol
PPPoE PPP over Ethernet
PTP Precision Time Protocol

Q
QoS Quality of Service

R
RADIUS Remote Authentication Dial In User Service
RCMP Raisecom Cluster Management Protocol
RED Random Early Detection
RH Relative Humidity
RIP Routing Information Protocol
RMON Remote Network Monitoring
ROS Raisecom Operating System
RPL Ring Protection Link
RRPS Raisecom Ring Protection Switching
RSTP Rapid Spanning Tree Protocol


RSVP Resource Reservation Protocol

S
SCADA Supervisory Control And Data Acquisition
SF Signal Fail
SFP Small Form-factor Pluggable
SFTP Secure File Transfer Protocol
SLA Service Level Agreement
SNMP Simple Network Management Protocol
SNTP Simple Network Time Protocol
SP Strict-Priority
SPF Shortest Path First
SSHv2 Secure Shell v2
STP Spanning Tree Protocol

T
TACACS+ Terminal Access Controller Access Control System
TC Transparent Clock
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TLV Type Length Value
ToS Type of Service
TPID Tag Protocol Identifier
TTL Time To Live

U
UDP User Datagram Protocol
UNI User Network Interface
USM User-Based Security Model

V
VLAN Virtual Local Area Network
VRRP Virtual Router Redundancy Protocol


W
WAN Wide Area Network
WRR Weight Round Robin
