Marvell Confidential
General Features
AT-8000S
Agenda
• Speed/duplex auto negotiation
• Flow Control
• Back pressure
• MDI/MDIX
• Storm Control
• Port Security
• Port Mirroring
• Combo Ports
• VCT
Speed/ Duplex Auto Negotiation
Auto Negotiation
• The purpose of auto negotiation is to allow a device to advertise modes of operation.
• User can set the speed, duplex mode and flow control advertisement
• Speed-duplex capabilities to be advertised can be any combination of the following: 10h, 10f, 100h, 100f, 1000f
CLI – Auto negotiation
• Use the following interface mode command to allow auto negotiation on a given interface or to advertise link capabilities. Use the no form of this command to disable negotiation:
negotiation {10h} {10f} {100h} {100f} {1000f}
no negotiation
console(config)# interface ethernet 1/e1
console(config-if)# negotiation
console(config-if)# negotiation 10h
CLI – Show advertisement
• Use the following show command to view:
  – Device interface advertisement
  – Connected link partner advertisement
  – Resolution
console# show interfaces advertise ethernet 1/e1
Port: 1/e1
Type: 100M-Copper
Link state: Up
Auto negotiation: Enabled

                                 1000f 1000h 100f 100h 10f 10h
                                 ..... ..... .... .... ... ...
Admin Local link Advertisement   no    no    no   no   no  yes
Oper Local link Advertisement    no    no    no   no   no  yes
Oper Remote link Advertisement   no    no    yes  yes  yes yes
Priority Resolution              -     -     -    -    -   yes
CLI – Speed and Duplex
• Use the following interface mode command to define the speed of an interface, when auto-negotiation is disabled. Use the no form of this command to return to default:
speed {10|100|1000}
no speed
• Use the following interface mode command to define the duplex mode (full/half) of an interface, when auto-negotiation is disabled. Use the no form of this command to return to default (full duplex):
duplex {half|full}
no duplex
console(config)# interface ethernet 1/e1
console(config-if)# no negotiation
console(config-if)# speed 100
console(config-if)# duplex full
Flow control
Flow Control
• The system supports flow control on all ports including Aggregate Links.
• Default state on all ports is flow control set to OFF.
• The user may enable or disable this feature on a per-port basis.
CLI - Flow Control
• Use the following interface mode command to configure the flow control of a given interface. To restore the default (flow control off), use the no form of this command.
flowcontrol {auto | on | off}
no flowcontrol
  – auto: Auto negotiation
  – on: Enable
  – off: Disable
console(config-if)# flowcontrol auto
Back Pressure
Back Pressure
• The system supports backpressure on all ports (when in half duplex mode).
• The user may enable or disable this feature on a per-port basis.
• Default status on all ports is set to OFF.
CLI - Back Pressure
• Use the following interface mode command to enable the back pressure of a given interface. To disable it, use the no form of this command.
back-pressure
no back-pressure
console(config-if)# back-pressure
MDI/MDIX
MDI/MDIX - Preview
• Normally, Twisted Pair ports must be connected so that the Transmit pair on one end is connected to the Receive pair on the other end, and vice versa.
• Hubs and switches are deliberately wired opposite to the way end stations are wired, so that when a hub or switch is connected to an end station, a "straight through" Ethernet cable can be used, and the pairs will match up properly.
• When two hubs/switches are connected to each other, or two end stations are connected to each other, a "crossover" cable is used to make sure that the correct pairs are connected.
• The standard wiring for end stations is known as MDI (Media Dependent Interface), and the standard wiring for hubs and switches is known as MDIX (Media Dependent Interface with Crossover)
MDI/MDIX
• The device can automatically correct errors in cable selection, and make the distinction between a "straight through" cable and a "crossover" cable irrelevant. This capability is known as Auto Cross.
• Auto MDI/MDIX works only on copper ports.
• Port can be set to either MDI, MDIX or automatic crossover
• Auto-crossover is the default setting for all ports.
• MDI/MDIX setting is separate to that of the speed/Duplex auto-negotiation
CLI - MDI/MDIX
• Use mdix command to enable cable crossover on a given interface. To disable cable crossover, use the no form of this command.
mdix {on | auto}
no mdix
  – on: Manual MDIX
  – auto: Auto MDI/MDIX
  – no: Manual MDI
console(config-if)# mdix auto
Storm Control
Storm Control – broadcast Rate Limiting
• The device can measure the rate of incoming broadcast frames on each port separately, and discard frames when the rate exceeds a user-set desired rate.
• Storm control feature is enabled/disabled separately for each port.
• The desired broadcast rate limit is applied separately to each port.
• Rate is set in Kbits/sec. The default is 100Kbps
• User can define if storm control will be applied only to Broadcast packets or to multicast (and unknown) as well
CLI - Storm Control
• Use the following Interface Configuration Mode command to enable broadcast rate limiting on a certain interface. Use the no form of this command to return to default (rate limiting disabled).
port storm-control broadcast enable
no port storm-control broadcast enable
console(config)# interface ethernet 1/e3
console(config-if)# port storm-control broadcast enable
console(config-if)#
CLI - Storm Control
• Use the following Interface Configuration Mode command to set the maximum rate of broadcast. Use the no form of this command to return to default.
port storm-control broadcast rate rate
no port storm-control broadcast rate
console(config)# interface ethernet 1/e5
console(config-if)# port storm-control broadcast rate 70000
• Use the following Interface Configuration Mode command to count multicast (and unknown unicast) packets in the port storm-control broadcast rate command. Use the no form of the command to disable counting of multicasts.
port storm-control include-multicast [unknown-unicast]
no port storm-control include-multicast
console(config-if)# port storm-control include-multicast unknown-unicast
Show - Storm Control
• Use the following EXEC Mode command to see the storm control configuration on the device.
show ports storm-control
console# show ports storm-control
Port     State    Rate [Kbits/Sec] Included
-------- -------- ---------------- -------------------------------------
1/e1     Disabled 100              Broadcast
1/e2     Disabled 100              Broadcast
1/e3     Enabled  100              Broadcast
1/e4     Disabled 100              Broadcast
1/e5     Enabled  70000            Broadcast, Multicast, Unknown unicast
1/e6     Disabled 100              Broadcast
1/e7     Disabled 100              Broadcast
1/e8     Disabled 100              Broadcast
Port security
Port Security
• A control mechanism which monitors received and learned packets on a port.
• Packets received on a locked port, whose source address was not found in the MAC forwarding table (not learned previously dynamically or not entered statically), are treated in one of the following ways, which can be configured per port:
  – Forward (frame is forwarded, but its address is not learned)
  – Discard
  – Discard and disable the port
  – Send an SNMP trap (together with one of the previous options)
• When a port becomes a locked port, all the current addresses that were learned dynamically by the switch on that specific port are transformed to a “secure” status. They are kept after reset if the running config was copied to startup.
Port Security – Number of MACs
• A port security feature to increase security by limiting access on a specific port to a limited user-defined number of hosts
• A frame with a new Source MAC arriving on port after limit is reached invokes the port lock mechanism
• Addresses learned on port are still subject to aging.
• A port can be defined either with classic port lock or with number of MAC port lock
Port security - Configuration
• Port security can be enabled only on ports which have been defined as dot1x multiple hosts.
• Define type of port security:
  – Regular lock
  – Number of MAC based lock (and the value)
• Define the per-port action to be carried out once intrusion detection has been discovered, as defined above.
• Set the frequency of SNMP traps sent.
• To release a port disabled by port security:
  – Either use the exec mode “set interface active” command, or
  – Reload (reboot) device
CLI - Port Security
• Use the following interface configuration mode command to allow multiple hosts on a certain interface. The “no” form of commands disables multiple hosts (the default)
dot1x multiple-hosts
no dot1x multiple-hosts
console(config)# interface ethernet 1/e1
console(config-if)# dot1x multiple-hosts
CLI – Basic Port Security
• Use the following interface mode command to lock learning of new addresses on an interface. Use the no form of this command to enable learning of new addresses.
port security [ forward | discard | discard-shutdown ] [trap seconds]
no port security
console(config)# interface ethernet 1/e1
console(config-if)# port security discard-shutdown
CLI – Lock Port Addresses
console# show bridge address-table
Aging time is 300 sec

Vlan     Mac Address           Port   Type
-------- --------------------- ------ ----------
1        00:00:09:00:00:00     1/e1   secure     //locked port addresses
1        00:00:09:00:00:01     1/e1   secure
1        00:00:09:00:00:02     1/e1   secure
1        00:00:09:00:00:03     1/e1   secure
1        00:00:09:00:00:04     1/e1   secure
1        00:00:09:00:00:05     1/e1   secure
1        00:00:09:00:00:06     1/e1   secure
1        00:00:09:00:00:07     1/e1   secure
1        00:00:09:00:00:08     1/e1   secure
1        00:00:09:00:00:09     1/e1   secure
g13      00:00:e2:86:f4:f2     1/e13  dynamic    //regular learned address
CLI – Enabling a Port Shutdown
• Use the following Privileged EXEC mode command to enable a port that was shut down by port security feature:
set interface active {ethernet interface | port-channel port-channel-number}
//sending traffic with new addresses to locked port
console# 01-Jan-2000 02:15:43 %LINK-W-Down: 1/e1
console# sh interfaces status
                                            Flow Link        Back     Mdix
Port     Type         Duplex Speed Neg      ctrl State       Pressure Mode
........ ............ ...... ..... ........ .... ........... ........ .......
1/e1     100M-Copper  --     --    --       --   Down*       --       --
1/e2     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
…
*: The interface was suspended by the system.
console#
CLI – Enabling a Port Shutdown (cont’)
• …Enabling a port that was shut down by port security feature
console# set interface active ethernet 1/e1
console# 01-Jan-2000 01:50:27 %LINK-I-Up: 1/e1
console# show interfaces status
                                            Flow Link        Back     Mdix
Port     Type         Duplex Speed Neg      ctrl State       Pressure Mode
........ ............ ...... ..... ........ .... ........... ........ .......
1/e1     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
1/e2     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
1/e3     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
……
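A triage helper for the lockout shown on the slides above, as an added example that is not part of the original slides: it finds ports marked `Down*` (suspended by the system) in `show interfaces status` and lists the secure addresses recorded for them in `show bridge address-table`, so the permitted hosts can be reviewed before `set interface active` is run. The function names and the sample captures are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed captures in the layout of the slides above.
STATUS = """\
console# sh interfaces status
Port     Type         Duplex Speed Neg      ctrl State       Pressure Mode
........ ............ ...... ..... ........ .... ........... ........ .......
1/e1     100M-Copper  --     --    --       --   Down*       --       --
1/e2     100M-Copper  Full   100   Enabled  Off  Up          Disabled On
*: The interface was suspended by the system.
"""
ADDRESSES = """\
console# show bridge address-table
Vlan     Mac Address           Port   Type
1        00:00:09:00:00:00     1/e1   secure
1        00:00:09:00:00:01     1/e1   secure
1        00:00:e2:86:f4:f2     1/e13  dynamic
"""

MAC_ROW = re.compile(r"^(\S+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\S+)\s+(\S+)$", re.I)

def suspended_ports(status_text):
    """Ports whose Link State column carries the '*' suspended-by-system marker."""
    out = []
    for line in status_text.splitlines():
        f = line.split()
        # Data rows start with a unit/port name such as 1/e1 and have 9 columns.
        if len(f) == 9 and re.match(r"\d+/\S+$", f[0]) and f[6].endswith("*"):
            out.append(f[0])
    return out

def secure_addresses(table_text):
    """Map port -> MACs whose Type is 'secure' (the addresses a locked port accepts)."""
    by_port = defaultdict(list)
    for line in table_text.splitlines():
        m = MAC_ROW.match(line.strip())
        if m and m.group(4).lower() == "secure":
            by_port[m.group(3)].append(m.group(2).lower())
    return dict(by_port)

def triage(status_text, table_text):
    """For each suspended port, the secure MACs to compare against the offending host."""
    secure = secure_addresses(table_text)
    return {p: secure.get(p, []) for p in suspended_ports(status_text)}

if __name__ == "__main__":
    for port, macs in triage(STATUS, ADDRESSES).items():
        print(f"{port} suspended; secure addresses: {', '.join(macs) or 'none'}")
```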
CLI – port security mode
• Use the following Interface Configuration mode command to configure the port security mode.
• To return to the default configuration, use the no form of this command.
port security mode {lock | max-addresses}
no port security mode
console(config-if)# port security mode max-addresses
CLI – port security max
• The following Interface Configuration mode command configures the maximum number of addresses that can be learned on the port while the port is in port security mode.
• To return to the default configuration, use the no form of this command.
port security max max
no port security max
console(config-if)# port security max 23
CLI – port security routed secure-address
• Use the following interface configuration mode command to add a MAC-layer secure address to a routed port:
port security routed secure-address mac-address
Console(config)# interface ethernet 1/e1
Console(config-if)# ip address dhcp
Console(config-if)# port security routed secure-address 66:66:66:66:66:66
CLI – Show Port Security
• Use the following Privileged EXEC mode command to view port security settings:
show ports security [ethernet interface | port-channel port-channel-number]
console# show ports security
Port    status   Learning      Action            Maximum   Trap     Frequency
------- -------- ------------- ----------------- --------- -------- ---------
1/e1    Disabled Max-addresses -                 23        -        -
1/e2    Disabled Lock          -                 1         -        -
Port Mirroring
Port Mirroring
• One session of traffic monitoring is supported system-wide (Tx and Rx).
• The user can choose whether to mirror only Rx traffic, only Tx frames, or both.
• At ingress, the frames arriving at the target port are copies of the frames passing through the source port at ingress, prior to any in-switch action.
• It is possible to specify up to 8 ports to be monitored by a single target port. However, in these cases, any excess traffic will silently be discarded (and the user will not know which).
• Port Mirroring is only relevant to physical ports. In LAGs, the member ports have to be specified individually as sources.
• It is possible to specify up to 24 source ports to be monitored by a single target port.
• The user may set the monitored traffic to be sent tagged or untagged.
Port Mirroring
• Target ports:
  – Cannot be a member of a LAG.
  – Cannot be a source of a mirror session.
  – Cannot be a member of a VLAN (except for default VLAN)
  – Cannot be GVRP enabled
  – Cannot be configured with IP address
• Port monitor is supported across the stack
CLI - Configuring Port Mirroring
• Use the following Interface mode command to define port mirroring (interface mode is that of the target port). Use the “no” form of command to remove monitor session(s):
port monitor src-interface [rx | tx]
no port monitor src-interface
• Use the following EXEC mode command to view port monitor settings:
show ports monitor
CLI - Configuring Port Mirroring
• Use the following Interface Configuration mode command to transmit tagged ingress mirrored packets.
• To transmit untagged ingress mirrored packets, use the no form of this command.
port monitor vlan-tagging
no port monitor vlan-tagging
Combo ports
Combo Ports Overview
• A single logical port that has two physical connections:
  a) RJ45 connector
  b) SFP port
• Only one of the two physical connections may be used at a time.
• Some port features and port controls available for user are affected by the actual physical connection used.
• The system will automatically detect the media that is in use on a combo port, and will utilize this knowledge in all operations and control interfaces.
Combo Ports
• If both RJ45 and SFP are present (link up in both connections), the SFP will be active, and the RJ45 physical port will be disabled and ignored.
• It is possible to switch from the RJ45 to the SFP (or vice-versa) without a system reboot or reset.
• When the link changes from copper to fiber and vice-versa, or the SFP module is exchanged, the system attempts to configure the new link as the “old” one was. If this configuration fails for any reason, the ports are configured with factory default values.
VCT
Virtual Cable Test
VCT - Functional description
• Virtual Cable Test (VCT) technology provides the mechanism to detect and report potential cabling issues, such as cable open circuit, cable short circuit, etc.
• Cable analysis is available only on copper cables.
• Cable analysis can only be done when the link is down.
• Cable length, on the other hand, can be measured only when the link is up.
• The following parameters are detected:
  1) Cable Type/Status
  2) Cable length – per cable (50 meter minimum; 30 meter resolution)
  3) Fault distance, in case of fault (may deviate 1-2 meters)
• Only short circuits across wires within a pair are reported.
CLI - VCT Configuration
• Use the following EXEC privilege mode command to activate VCT on a certain port:
test copper-port tdr interface
console(config)# interface ethernet 1/e9
console(config-if)# shutdown
01-Jan-2000 01:48:56 %LINK-W-Down: Vlan 1
console(config-if)# 01-Jan-2000 01:48:56 %LINK-W-Down: 1/e9
console(config-if)# exit
console(config)# exit
console# test copper-port tdr 1/e9
..
Cable on port 1/e9 is good
console#
CLI - VCT Show command
• Use the following EXEC privilege mode command to show VCT results:
show copper-ports tdr interface
console# show copper-ports tdr 1/e9
Port        Result      Length [meters]  Date
----------- ----------- ---------------- --------------------------
1/e9        Open cable                   01-Apr-2004 01:57:14
console#