Technical Knowledge Transfer
John Mead & Tam Nguyen
cnMatrix

cnMatrix Features
L2 Switching Features
2017 Copyright Cambium Networks, Ltd. All Rights Reserved2
• 802.1Q VLAN and Trunking Support
• 802.1d STP, 802.1w RSTP, 802.1s MST
• PVRST (Per VLAN RSTP)
• STP Enhancements: BPDU guard, BPDU Edge, Root Guard
• ACL QoS: Mapping/Marking ToS/DSCP, 802.1p, Priority Queue
• Inbound Traffic Policing, and Outbound Traffic Shaping
• Storm Control
• Flow Control Per Port
• 802.1ab Link Layer Discovery Protocol (LLDP, LLDP-MED)
• 802.3ad Link Aggregation
• Policy Based Automation
• IGMP Snooping v1/v2/v3 (v3*)
• IGMP Proxy
• Private VLAN Edge
• 802.3af/at
• Mirroring: Port-based, ACL-based
• SNTP
• Port Statistics
• RMON
• Dynamic Voice VLAN assignment*
• RSPAN**
• sFlow**
* Available in 2.1 Release
** Available in Future Release
cnMatrix Features
L3 Switching Features
• Routing Between Directly Connected Subnets
• Routed Interfaces
• IPv4 and IPv6* static routes
• Host routes
• DHCP Relay
• RIP v1/v2*
• OSPF v2*
• Route Policy and Redistribution*
• ECMP**
• VRRP**
• Policy Based Routing**
• Layer 3/Layer 4 ACLs**
* Available in 2.1 Release
** Available in Future Release
cnMatrix Features
Management Features
• cnMaestro Cloud-based Management
• Industry-standard Command Line Interface (CLI)
• Web Management
• IPv6 Host
• Zero Touch
  • Initial Deployment with cnMaestro
  • Dynamic configuration w/ Policy Based Automation
• SNMPv1/v2c/v3
• Telnet Client/Server
• Out-of-band Ethernet Management
• SSH/SSH v2
• DHCP Client, Server
• USB File Management and Storage*
• Local/Remote Syslog
• System Resource Monitoring

Security Features
• 802.1x Authentication
• Radius/TACACS+
• DHCP Snooping
• MAC-Based and IP-Based ACLs
• Static MAC
• IGMP Filtering
• Local Management User Name Password
• Dynamic ARP Inspection*
• Protection against Denial of Service (DoS) Attacks**
• Black-hole Routing**
• Neighbor Discovery (ND) Inspection**
* Available in 2.1 Release
** Available in Future Release
Getting Started cnMatrix
cnMatrix - Getting Connected
Access via Console
• Connect RJ-45 Serial cable to cnMatrix’s console port and PC
• Terminal Settings on PC: Speed = 115200, Data bits = 8, Stop bits = 1, Parity = None, Flow Control = XON/XOFF
• cnMatrix’s Login: admin/admin

Access via SSH
• Connect RJ-45 Ethernet cable to cnMatrix’s OOB port and PC
• Set PC’s IP address to 192.168.0.10/24
• From PC, SSH to 192.168.0.1
• cnMatrix’s Login: admin/admin

Access via Web Browser
• Connect RJ-45 Ethernet cable to cnMatrix’s OOB port and PC
• Set PC’s IP address to 192.168.0.10/24
• From PC, launch IE/Chrome/Netscape and enter https://192.168.0.1
• cnMatrix’s Login: admin/admin
cnMatrix – Initial IP Address
• Initial IP Address
  • OOB/MGMT Port
    • IP address is 192.168.0.1 (Factory Default)
    • DHCP is disabled (Factory Default)
  • In Band Network Ports
    • There is no default IP address (on default VLAN 1)
    • DHCP is enabled by default
Essential Operations
Image Download from TFTP Server
  cnMatrix# download agent tftp://192.168.0.10/uImage_agent

Save Configuration
• Save in Flash memory
  cnMatrix# write startup-config
• Save on TFTP server
  cnMatrix# copy startup-config tftp://192.168.0.10/cnMatrix.conf

Boot and Boot Default
  cnMatrix# boot –yes
  cnMatrix# boot default

Configure IP Address on VLAN 1
  cnMatrix(config)# interface vlan 1
  cnMatrix(config-if)# ip address 10.10.10.1 255.255.255.0
  cnMatrix(config-if)# no shut

Configure VLAN 1 to obtain IP Address from DHCP
  cnMatrix(config)# interface vlan 1
  cnMatrix(config-if)# ip address dhcp
Trouble Shooting cnMatrix
LED Indicators
cnMatrix Logo (Power) LED
• BLINKING – Switch is initializing
• SOLID BLUE – Switch is operational

cnMaestro (Cloud) LED
• OFF – Cloud Management is Disabled
• BLINKING – Discovering cnMaestro on Cloud
• SOLID GREEN – Onboarded

Data Port LED – Link Activity (Copper, SFP)
• SOLID GREEN – Link Up
• BLINKING – Traffic Activity

Data Port LED – Link Activity (SFP+)
• GREEN (LEFT SIDE) – Link Up with 10Gbps
• AMBER (RIGHT SIDE) – Link Up with 1Gbps
• BLINKING – Traffic Activity

Data Port LED – PoE Status (Copper)
• OFF – No PoE Load
• SOLID AMBER – Active PoE with Load
Useful CLI ‘show’ Commands
Display system info such as Software version, System Description etc.
  cnMatrix# show system information

Display system resource utilization: CPU, RAM, Flash
  cnMatrix# show env all

Display Base MAC Address, Default IP Address, IP Address Config Mode etc.
  cnMatrix# show nvram

Display Port’s MAC Address, Speed, Rx/Tx Counters, Link Status, Statistics
  cnMatrix# show interfaces
  cnMatrix# show interface status
  cnMatrix# show interface description
  cnMatrix# show interface counters

Display Current Configuration on cnMatrix
  cnMatrix# show running-config

Display MAC Address Table
  cnMatrix# show mac-address-table
Useful CLI ‘show’ Commands (Cont’)
Display VLAN Information, VLAN’s port membership, PVID etc.
  cnMatrix# show vlan
  cnMatrix# show vlan port gigabitethernet 0/2

Display Spanning Tree Information
  cnMatrix# show spanning-tree

Display Port Channel Information
  cnMatrix# show etherchannel
  cnMatrix# show etherchannel 10 detail

Display PoE Information
  cnMatrix# show power inline
  cnMatrix# show power inline gigabitethernet 0/1

Display LLDP Info, Neighbors, Counters
  cnMatrix# show lldp
  cnMatrix# show lldp neighbors
  cnMatrix# show lldp traffic

Display Local IP Interfaces, ARP table
  cnMatrix# show ip interface
  cnMatrix# show ip arp
cnMatrix – Trouble Shooting
• Trace Route
• Ping
• Port Mirroring
• Statistics
• RMON
• SNMP Traps
• More to come!!!
Typical Switch Deployment
cnMatrix – Typical Switch Deployment
• Plug in switch
• Get connectivity
  • OOB – Default IP
  • InBand – DHCP
• Update to latest image
• Initial configuration
  • Port channel – 802.3ad
  • Port type – Trunk, Hybrid, Access
  • VLANs
    • Port membership
  • 802.1x
    • Radius Server
  • Create Policies (Policy Based Automation)
  • Static Routes
• Web GUI
cnMatrix – Typical Switch Deployment (cont)
• Port Channel configuration
  cnMatrix(config)# load-balance src-dest-ip
  cnMatrix(config)# interface port-channel 10
  cnMatrix(config-if)# no shut
  cnMatrix(config-if)# switchport mode trunk
  cnMatrix(config)# interface range extreme-ethernet 0/1-4
  cnMatrix(config-if-range)# channel-group 10 mode active

• VLAN configuration
  cnMatrix(config)# vlan 2
  cnMatrix(config-vlan)# ports add gigabitethernet 0/10 untagged gigabitethernet 0/10
  cnMatrix(config)# interface gigabitethernet 0/10
  cnMatrix(config-if)# switchport pvid 2
cnMatrix – Typical Switch Deployment (cont)
• 802.1x Configuration
  cnMatrix(config)# aaa authentication dot1x default group radius
  cnMatrix(config)# radius-server host 10.100.200.10 key my_key_9745
  cnMatrix(config)# dot1x system-auth-control
  cnMatrix(config)# interface gigabitethernet 0/10
  cnMatrix(config-if)# dot1x port-control auto
  cnMatrix(config-if)# dot1x host-mode multi-host

• Static Route configuration
  cnMatrix(config)# interface vlan 2
  cnMatrix(config-if)# ip address 10.10.10.2 255.255.255.0
  cnMatrix(config-if)# no shut
  cnMatrix(config)# ip route 0.0.0.0 0.0.0.0 10.10.10.3
Detailed Feature Description
cnMatrix – Detailed Feature Description Contents
• Section 1 – L2
• Section 2 – L3
• Section 3 – Management
• Section 4 – Security
Detailed Feature Description -L2 Features
cnMatrix – L2 Features covered in this section
L2 Switching Features
• 802.1Q VLAN and Trunking Support
• 802.1d STP, 802.1w RSTP, 802.1s MST
• PVRST (Per VLAN RSTP)
• STP Enhancements: BPDU guard, BPDU Edge, Root Guard
• QoS: Priority Maps, Metering, Policing, Shaper, Scheduler, Rate Limiting, ACL
• Storm Control
• Flow Control
• Jumbo Frames
• 802.1ab Link Layer Discovery Protocol (LLDP, LLDP-MED)
• 802.3ad Link Aggregation
• Auto-Attach – Policy Based Automation
• IGMP Snooping/IGMP Proxy
• Private VLAN Edge
• PoE – 802.3af/at
• Mirroring: Port-based, ACL-based
• SNTP
• Port Statistics
• RMON
* Available in Future Release
VLAN – IEEE 802.1Q
• IEEE 802.1Q, often referred to as Dot1q, is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network.
• The standard defines a system of VLAN tagging for Ethernet frames and the accompanying procedures to be used by bridges and switches in handling such frames.
• VLANs define broadcast domains in a Layer 2 network. A broadcast domain is the set of all devices that will receive broadcast frames originating from any device within the set. The Cambium Networks VLAN component supports the creation of 4066 VLANs on the EX-2028 series and 4084 VLANs on the EX-2010 series.
• VLAN configurations can be made from CLI, SNMP or WEB GUI.
• The VLAN application supports the following types of VLANs:
  1. Port-based VLAN
  2. Port and Protocol-based VLAN

1. Port-based VLAN
• In a port-based VLAN, frames are processed based on the PVID assigned to a port, i.e., the VLAN to which that particular port is mapped. If an untagged frame (no 802.1Q tag present) ingresses a port, the frame is automatically tagged with a VLAN ID equal to the PVID configured on the ingress port. The VLAN tag of the frame is kept or discarded at egress depending on whether the egress port is configured as tagged or untagged for that VLAN.
VLAN – IEEE 802.1Q
• A port can be set to three different modes of operation, i.e., access, trunk and hybrid. These operation modes define how traffic is handled in the VLANs.
  • access – The access port accepts and sends only untagged frames. This kind of port is added as a member of a specific VLAN only and carries traffic only for the VLAN to which the port is assigned;
  • trunk – The trunk port accepts and sends only tagged frames. This kind of port is automatically added as a member of all existing VLANs and of any new VLAN created, and carries traffic for all VLANs. The trunk port accepts untagged frames too, if the acceptable frame type is set to all.
  • hybrid – The hybrid port accepts and sends both tagged and untagged frames.

2. Port and Protocol-based VLAN
• A protocol-based VLAN processes traffic based on protocol groups created on the switch. A protocol group represents a mapping between a specific protocol and an encapsulation frame. The protocol group can be further bound to multiple VLAN-PORT pairs in order to achieve port and protocol-based VLAN classification in the switch.
• The available protocols that can be configured are the following: IP, Novell or other manually configurable protocols;
• The available encapsulation frames that can be mapped to the above protocols are the following: Enet-v2, SNAP, LLCother;
VLAN – IEEE 802.1Q – Port-based VLAN configuration and troubleshooting
1. Scenario: Have three interfaces (Gi 0/1, Gi 0/2 and Gi 0/3) of three different operation modes, e.g., Gi 0/1 an access port, Gi 0/2 a trunk port and Gi 0/3 a hybrid one. Also configure three different VLANs, with VIDs 1, 2 and 3.

2. Configuration:
PORT creation:
• cnMatrix(config)# interface gigabitethernet 0/1
• cnMatrix(config-if)# switchport acceptable-frame-type untaggedAndPrioritytagged – the acceptable frame type has to be set to untaggedAndPrioritytagged on the port before it can be made an access port
• cnMatrix(config-if)# switchport mode access
• cnMatrix(config)# interface gigabitethernet 0/2
• cnMatrix(config-if)# switchport mode trunk – the port will be automatically added to the existing and newly created VLANs
• cnMatrix(config)# interface gigabitethernet 0/3
• cnMatrix(config-if)# switchport mode hybrid
• cnMatrix(config-if)# switchport pvid 3 – set the PVID of the hybrid port to 3, the VLAN to which it will belong;

VLAN creation and port assignment:
• cnMatrix(config)# vlan 1 – create VLAN 1 and make it active
• cnMatrix(config-vlan)# ports add gigabitethernet 0/1 untagged gigabitethernet 0/1 – assign port Gi 0/1 to VLAN 1
• cnMatrix(config)# vlan 3 – create VLAN 3 and make it active
• cnMatrix(config-vlan)# ports add gigabitethernet 0/3 untagged gigabitethernet 0/3 – assign port Gi 0/3 to VLAN 3
• cnMatrix(config)# vlan 2 – create VLAN 2 and make it active

3. Troubleshooting:
• cnMatrix# show vlan brief – check the VLANs created and the ports’ membership;
• cnMatrix# show vlan port gigabitethernet 0/2 – check the operation mode of each interface;
• cnMatrix# show interface status – check the interface status;
• cnMatrix# show interface counters – check ingress/egress counters on each interface;
VLAN – IEEE 802.1Q – Port and Protocol-based VLAN configuration and troubleshooting
1. Scenario: Have a single hybrid interface (Gigabitethernet 0/2 – PVID 1) assigned to two different VLANs (VLAN 1 and 10). Create a protocol group (IP-EthernetV2) and map it to VLAN 10 and interface Gigabitethernet 0/2.

2. Configuration:
• cnMatrix(config)# protocol-vlan – enable Protocol-based VLAN classification globally;
• cnMatrix(config)# interface gigabitethernet 0/2
• cnMatrix(config-if)# port protocol-vlan – enable Protocol-based VLAN on interface Gi 0/2 in particular;
• cnMatrix(config)# map protocol ip enet-v2 protocol-group 1 – create protocol group 1 with IP as protocol and Ethernet-v2 as encapsulation frame type;
• cnMatrix(config)# interface gigabitethernet 0/2
• cnMatrix(config-if)# switchport map protocol-group 1 vlan 10 – map protocol group 1 to VLAN 10 and interface Gi 0/2;

3. Results:
• Frames arriving on interface Gi 0/2 matching the protocol and encapsulation type configured in protocol group 1 will be assigned to VLAN 10 for forwarding;
• Frames arriving on interface Gi 0/2 NOT matching the protocol and encapsulation type configured in protocol group 1 will be assigned to VLAN 1 (the PVID) for forwarding;

4. Troubleshooting:
• cnMatrix# show vlan brief – check the VLANs created and the ports’ membership;
• cnMatrix# show vlan port gigabitethernet 0/2 – check the protocol-based status on a particular interface;
• cnMatrix# show vlan protocols-group – check the protocol group table containing the created protocol groups;
• cnMatrix# show protocol-vlan – check the Interface-Protocol Group-VLAN mapping;
• cnMatrix# show interface status – check the interface status;
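The ingress and egress rules of the two VLAN slides above (PVID tagging of untagged frames, tagged/untagged egress membership, the access/trunk/hybrid port modes, and the protocol-group override of the PVID) can be checked against a small model. The following is an added example written for this page, not code from Cambium Networks or the cnMatrix software; the port names, VLAN memberships and frames are constructed, and the model treats each port's egress membership as a plain set rather than the switch's real tables.

```python
"""Added example (not from the cnMatrix slides): a model of how an 802.1Q
bridge classifies an ingress frame into a VLAN and how that VLAN leaves an
egress port, covering the access/trunk/hybrid port modes and the
protocol-group fallback to the PVID.  Port names, memberships and frames are
constructed for illustration; nothing here is the switch's own code."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Port:
    name: str
    mode: str                      # "access", "trunk" or "hybrid"
    pvid: int                      # VLAN assigned to untagged ingress frames
    tagged: set = field(default_factory=set)    # VLANs this port egresses tagged
    untagged: set = field(default_factory=set)  # VLANs this port egresses untagged
    accept_untagged: bool = True   # trunk default is tagged-only ("acceptable-frame-type all" lifts it)
    protocol_map: dict = field(default_factory=dict)  # (protocol, encapsulation) -> VLAN


@dataclass
class Frame:
    vid: Optional[int]   # 802.1Q VLAN ID, or None for an untagged frame
    protocol: str        # "ip", "novell", ...
    encap: str           # "enet-v2", "snap", "llc-other"


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """Return the VLAN the frame is assigned to on ingress, or None if dropped."""
    members = port.tagged | port.untagged
    if frame.vid is not None:
        # Access ports carry only untagged traffic, so tagged frames are dropped.
        if port.mode == "access":
            return None
        # Trunk/hybrid: the tag is honoured only for VLANs the port belongs to.
        return frame.vid if frame.vid in members else None
    if port.mode == "trunk" and not port.accept_untagged:
        return None
    # A matching protocol group overrides the PVID (port-and-protocol VLAN).
    vid = port.protocol_map.get((frame.protocol, frame.encap))
    return port.pvid if vid is None else vid


def egress(port: Port, vid: int) -> Optional[str]:
    """How a frame in VLAN `vid` leaves this port: 'untagged', 'tagged', or None if not a member."""
    if vid in port.untagged:
        return "untagged"
    if vid in port.tagged:
        return "tagged"
    return None


def build_ports() -> dict:
    """Constructed port table: access, trunk and hybrid ports plus VLANs 1, 2, 3 and 10."""
    all_vlans = {1, 2, 3, 10}
    return {
        "gi0/1": Port("gi0/1", "access", pvid=1, untagged={1}),
        # A trunk is automatically a tagged member of every VLAN.
        "gi0/2": Port("gi0/2", "trunk", pvid=1, tagged=set(all_vlans), accept_untagged=False),
        "gi0/3": Port("gi0/3", "hybrid", pvid=1, untagged={1}, tagged={10},
                      protocol_map={("ip", "enet-v2"): 10}),
    }


def forward(ports: dict, in_port: str, frame: Frame, out_port: str) -> Tuple:
    """Classify on ingress and report (vlan, egress handling) at the egress port."""
    vid = classify_ingress(ports[in_port], frame)
    if vid is None:
        return ("dropped-ingress", None)
    return (vid, egress(ports[out_port], vid))
```

Running `forward(build_ports(), "gi0/3", Frame(None, "ip", "enet-v2"), "gi0/2")` reproduces the protocol-VLAN scenario: the untagged IP frame is classified into VLAN 10 instead of the PVID and leaves the trunk tagged, while a Novell/SNAP frame on the same port falls back to VLAN 1.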
Spanning-Tree Protocol
• The Spanning-Tree protocol is a mechanism used by switches to prevent Layer 2 loops by disabling one or more links, leaving a single active path between two or more switches.
• STP is defined in the 802.1D standard.
• cnMatrix supports the Spanning-Tree Protocol only in compatibility mode, which allows it to interact with legacy bridges that support the legacy Spanning-Tree Protocol.
• Spanning Tree Operation:
  1. Determine Root Bridge – the switch advertising the lowest priority becomes the root
  2. Select Root Port – each switch selects its primary port facing the root
  3. Select Designated Ports – one designated port is selected per segment
  4. Block ports with loops – all non-root and non-designated ports are blocked
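The four steps above can be followed on a small topology. The following is an added example for this page, not code from Cambium Networks or the cnMatrix software: it models point-to-point links only, takes bridge names, priorities, MAC addresses and path costs as constructed input, and applies the standard tie-breaks (lower bridge ID wins the root election; lower root path cost, then lower bridge ID, decides root and designated ports).

```python
"""Added example (not from the cnMatrix slides): a minimal model of the four
spanning-tree steps described above (root election, root port, designated
port per segment, blocking of the rest) on point-to-point links.  Bridge
names, priorities, MAC addresses and path costs are constructed for
illustration; real bridges exchange this information in BPDUs."""
import heapq


def compute_stp(bridges: dict, links: list):
    """bridges: {name: (priority, mac)}; links: [(a, b, path_cost), ...].
    Returns (root_name, {bridge: {neighbour: role}}) with role in
    'root', 'designated' or 'blocked'."""
    # Bridge ID compares priority first, then MAC as the tie-break.
    ids = {name: (prio, mac) for name, (prio, mac) in bridges.items()}
    # Step 1: the lowest bridge ID (lowest advertised priority) is the root.
    root = min(ids, key=ids.get)

    adj = {name: [] for name in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))

    # Root path cost of every bridge (shortest path from the root).
    rpc = {name: float("inf") for name in bridges}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > rpc[node]:
            continue
        for nb, c in adj[node]:
            if cost + c < rpc[nb]:
                rpc[nb] = cost + c
                heapq.heappush(heap, (cost + c, nb))

    # Step 2: each non-root bridge picks the neighbour that offers the lowest
    # (root path cost, bridge ID) as its root port.
    root_port = {}
    for name in bridges:
        if name != root:
            root_port[name] = min(adj[name], key=lambda nc: (rpc[nc[0]] + nc[1], ids[nc[0]]))[0]

    roles = {name: {} for name in bridges}
    for a, b, _ in links:
        # Step 3: on each segment the end with the lowest (root path cost,
        # bridge ID) is the designated bridge; its port is the designated port.
        designated = min((a, b), key=lambda n: (rpc[n], ids[n]))
        for me, other in ((a, b), (b, a)):
            if root_port.get(me) == other:
                roles[me][other] = "root"
            elif me == designated:
                roles[me][other] = "designated"
            else:
                roles[me][other] = "blocked"      # Step 4: everything else blocks
    return root, roles


# Constructed topology: a triangle of three switches with equal path costs.
# A has the lowest priority, so it wins the root election.
BRIDGES = {
    "A": (4096, "00:00:00:00:00:01"),
    "B": (32768, "00:00:00:00:00:02"),
    "C": (32768, "00:00:00:00:00:03"),
}
LINKS = [("A", "B", 4), ("A", "C", 4), ("B", "C", 4)]


def demo():
    return compute_stp(BRIDGES, LINKS)
```

On the triangle, `demo()` returns A as root; B and C each point their root port at A, and on the B–C segment B (lower MAC) becomes designated while C's port toward B is blocked, which is exactly the one link STP removes to break the loop.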
Spanning-Tree Protocol– Port States
• Blocking - A port that would cause a switching loop if it were active. No user data is sent or received over a blocking port, but it may go into forwarding mode if the other links in use fail and the spanning tree algorithm determines the port may transition to the forwarding state. BPDU data is still received in blocking state. Prevents the use of looped paths.
• Listening - Processes BPDUs and awaits possible new information that would cause it to return to the blocking state. It does not populate the MAC address table and it does not forward frames.
• Forwarding - A port receiving and sending data in Ethernet frames, normal operation. The Forwarding port monitors incoming BPDUs that would indicate it should return to the blocking state to prevent a loop.
Spanning-Tree Protocol – Port Roles
• Root Port – Each switch selects this role for the port towards the root.
• Designated Port – The root has all its ports in this role. This is also the forwarding port for every LAN segment.
• Blocking Port - A backup/redundant path to a segment where another switch port already connects
• Disabled Port – A port has this role if spanning-tree is not running on that port
Spanning-Tree Protocol – BPDU Guard
• BPDU guard prevents the receiving of rogue BPDU packets.
• BPDUs should never be received because that indicates that another switch is connected to the port, potentially causing a spanning tree loop or STP topology change.
• When it is enabled, BPDU guard puts the port in an error-disabled state upon receipt of a BPDU.
• To re-enable the port, the user must eliminate the BPDU packets ingressing the port and shutdown / no shutdown the port.
• BPDU filtering disables sending and receiving BPDU packets. Loops may occur if the unit is linked to another unit in an STP loop topology.
Spanning-Tree Protocol – Root Guard
• The root guard feature provides a way to enforce the root bridge placement in the network.
• If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state (listening state).
• No traffic is forwarded across this port. In this way, the root guard enforces the position of the root bridge.
Spanning-Tree Protocol – Edge Port
• An edge port connects directly to an end device; therefore, the switch assumes that no other switch is connected to it.
• Edge ports should immediately transition to the forwarding state. Edge ports do not generate topology changes.
• An edge port that receives a BPDU immediately loses edge port status and becomes a normal spanning tree port.
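The four protections described in the preceding slides (BPDU guard, BPDU filter, root guard and edge-port status) each react differently to an incoming BPDU. The following state machine is an added example for this page, not code from Cambium Networks or the cnMatrix software; the event names, the starting states and the rule that a root-guarded port recovers when an ordinary BPDU follows the superior ones are this example's own simplifications.

```python
"""Added example (not from the cnMatrix slides): a small state machine showing
how BPDU guard, BPDU filter, root guard and edge-port status react to the
events described in the preceding sections.  Event names, the starting
states and the root-guard recovery rule are this example's own
simplifications, not switch behaviour taken from the deck."""
from dataclasses import dataclass, field


@dataclass
class StpPort:
    name: str
    edge: bool = False          # portfast / edge port
    bpdu_guard: bool = False
    bpdu_filter: bool = False
    root_guard: bool = False
    # forwarding, listening, err-disabled, disabled or root-inconsistent
    state: str = "listening"
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.edge:
            self.state = "forwarding"   # edge ports forward immediately

    def on(self, event: str) -> str:
        """Apply one event and return the resulting port state."""
        if event == "shutdown":
            self.state = "disabled"
        elif event == "no_shutdown":
            self.state = "forwarding" if self.edge else "listening"
        elif event in ("bpdu", "superior_bpdu"):
            if self.state in ("err-disabled", "disabled"):
                pass                                   # a down port processes nothing
            elif self.bpdu_filter:
                # BPDUs are neither sent nor processed: a loop stays undetected
                self.log.append("bpdu ignored by filter")
            elif self.bpdu_guard:
                # Any BPDU means another switch is attached: error-disable the
                # port; only shutdown / no shutdown brings it back.
                self.state = "err-disabled"
                self.log.append("bpdu guard tripped")
            elif self.root_guard and event == "superior_bpdu":
                self.state = "root-inconsistent"       # listening, no traffic forwarded
                self.log.append("root guard: superior BPDU")
            elif self.root_guard and self.state == "root-inconsistent":
                # Assumption: an ordinary BPDU means the superior ones stopped.
                self.state = "forwarding"
            elif self.edge:
                # An edge port that sees a BPDU becomes a normal STP port.
                self.edge = False
                self.state = "listening"
                self.log.append("edge status lost")
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.state


def scenarios() -> dict:
    """Run the four protections on constructed ports and collect the outcomes."""
    guard = StpPort("gi0/5", edge=True, bpdu_guard=True)
    guard_steps = [guard.on("bpdu"), guard.on("shutdown"), guard.on("no_shutdown")]

    plain_edge = StpPort("gi0/6", edge=True)
    edge_steps = [plain_edge.on("bpdu"), plain_edge.edge]

    uplink = StpPort("gi0/7", root_guard=True, state="forwarding")
    root_steps = [uplink.on("superior_bpdu"), uplink.on("bpdu")]

    filtered = StpPort("gi0/8", edge=True, bpdu_filter=True)
    filter_steps = [filtered.on("bpdu"), filtered.edge]

    return {"bpdu_guard": guard_steps, "edge": edge_steps,
            "root_guard": root_steps, "bpdu_filter": filter_steps}
```

`scenarios()` shows the contrast worth remembering when choosing a protection for access ports: the guarded port goes err-disabled and stays down until an operator intervenes, the plain edge port silently becomes a normal STP port, the root-guarded uplink refuses to forward while a superior BPDU is present, and the filtered port keeps forwarding with no record of the BPDU at all.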
Spanning-Tree Protocol – Configuration and Troubleshooting
• Useful commands for STP:
  • spanning-tree priority – sets the bridge priority
  • spanning-tree hello-time – sets the interval (in seconds) between the transmission of BPDUs
  • spanning-tree disable – disables Spanning-Tree on a particular port
• Useful commands for troubleshooting STP:
  • show spanning-tree
  • show spanning-tree detail
  • show spanning-tree root
  • show spanning-tree interface
  • show spanning-tree vlan
Rapid Spanning-Tree
• Rapid spanning-tree protocol (RSTP – 802.1w) is used to guarantee a loop-free network topology
• It guarantees a significantly improved convergence time over the standard spanning-tree protocol (STP – 802.1d)
• RST is the default STP operating mode
• Default values for timers are:
  • Hello – 2 sec
  • Max Age – 20 sec
  • Forward Delay – 15 sec
• Commonly used options:
  • Portfast – configurable per-port. Automatically sets the port in forwarding mode. Used for edge ports which are expected to have directly connected end-devices
  • BpduGuard – configurable per-port. Automatically puts the port in a disabled state (error-disabled) if BPDUs are received on that port. Used for edge ports which are expected to have directly connected end-devices.
  • BpduFilter – configurable per-port. Filters all BPDUs on that port, both sent and received
Rapid Spanning-Tree – Config examples
• Change spanning-tree operation mode
  cnMatrix(config)# spanning-tree mode { mst | pvrst | rst }
• Configure port-fast on an interface
  cnMatrix(config)# interface gigabitethernet 0/1
  cnMatrix(config-if)# spanning-tree portfast
• Configure bpdu-guard on an interface
  cnMatrix(config)# interface gigabitethernet 0/1
  cnMatrix(config-if)# spanning-tree bpduguard enable
• Configure bpdu-filter on an interface
  cnMatrix(config)# interface gigabitethernet 0/1
  cnMatrix(config-if)# spanning-tree bpdufilter enable
• Show spanning-tree global info
  cnMatrix# show spanning-tree
• Show spanning-tree per-port info
  cnMatrix# show spanning-tree interface gigabitethernet 0/1
• Show spanning-tree summary
  cnMatrix# show spanning-tree summary
Multiple Spanning-Tree Protocol
• Multiple Spanning-Tree protocol is an STP mode which uses BPDUs to exchange information between spanning-tree compatible devices to prevent loops in each MSTI (Multiple Spanning Tree Instance) and in the CIST (Common and Internal Spanning Tree), by selecting active and blocked paths.
• MSTP is defined in the 802.1s standard.
• MSTP uses the Rapid Spanning-Tree algorithm.
• Default Timers are:
  • Hello – 2 sec
  • Forward Delay – 15 sec
  • Max Age – 20 sec
Multiple Spanning-Tree Protocol
• MSTP protocol works in close association with VLANs. The bridges in the topology can be configured to support different VLANs and these VLANS are in turn mapped to different Spanning Tree instances. Based on the VLAN membership, a port on a bridge may be a part of more than one spanning tree.
• When the MSTP protocol operates, the Port Role and Port State are calculated for the Common Internal Spanning Tree Context and also separately for each instance of which the current port is a member.
Multiple Spanning-Tree Protocol
• As MSTP enables grouping and mapping VLANs into different spanning tree instances, there is a need to identify a group or set of VLANs which all use the same spanning tree; this is what is known as an MSTI.
• Each instance defines a single forwarding topology for an exclusive set of VLANs; by contrast, STP or RSTP networks contain only a single spanning tree instance for the entire network, which contains all the VLANs. A region can include:
  • Internal Spanning-Tree Instance (IST): the default spanning tree instance in any MST region. All VLANs in this IST instance form a single spanning tree topology, allowing only one forwarding path between any two nodes. It also provides the root switch for any VLANs configured on switches which are not specifically assigned to an MSTI.
  • Multiple Spanning Tree Instance (MSTI): unlike the IST, this kind of instance comprises all static VLANs specifically assigned to it, and must include at least one VLAN.
• While each MSTI can have multiple VLANs, each VLAN can be associated with only one MSTI.
Multiple Spanning-Tree Protocol
• Root – Provides the minimum cost path from the Bridge to the MSTI Regional Root.
• Designated – Provides the least cost path from the attached LANs through the Bridge to the Regional Root.
• Master – Provides connectivity from the Region to a CIST Root that lies outside the Region. The Bridge Port that is the CIST Root port for the CIST Regional Root is the Master port for all MSTIs.
• Alternate or Backup – Provides connectivity if other Bridges, Bridge ports or LANs fail or are removed.
Multiple Spanning-Tree Protocol – Configuration and Troubleshooting
• Useful commands for MSTP:
  • spanning-tree mode mst – sets the spanning tree operating mode to Multiple Spanning-Tree Protocol
  • spanning-tree mst configuration – enters the MSTP configuration submode
  • instance 5 vlan 10 – maps VLAN 10 to MSTP instance 5
• Useful commands for troubleshooting MSTP:
  • show spanning-tree mst – displays multiple spanning tree information
  • show spanning-tree mst detail
  • show spanning-tree mst interface
Per VLAN Spanning-Tree
• PVRST is used to have a different instance of STP running on each VLAN
• This way, ports can have different states for different VLANs, i.e. a port can be blocking in one VLAN and forwarding in another VLAN
• PVRST supports a maximum of 32 instances, i.e. it can run independently on a maximum of 32 VLANs
• PVRST is NOT the default STP operating mode

• Enable PVRST mode
  cnMatrix(config)# spanning-tree mode pvrst
• Show spanning-tree per-VLAN info
  cnMatrix# show spanning-tree vlan 1
• Show spanning-tree per-port per-VLAN info
  cnMatrix# show spanning-tree vlan 1 interface gigabitethernet 0/1
Quality of Service (QoS)
• QoS provides means of doing the following:
  • Traffic policing on ingress and egress
  • Priority remarking – either direct (based on the initial priority) or via traffic policers
  • Class-based queueing and scheduling
  • Traffic shaping
• Although implemented in different hardware functional blocks, QoS works in tight conjunction with the ACL module, which provides a way for the user to classify traffic using custom parameters and feed it to the QoS module.
QoS – priority maps
• A “Priority Map” allows the user to remap an incoming priority (802.1p or DSCP) to a new “regenerated” value.

  cnMatrix(config)# priority-map 11
  cnMatrix(config-pri-map)# map in-priority-type vlanPri in-priority 2 regen-priority 4

  cnMatrix(config)# class-map 10
  cnMatrix(config-cls-map)# match access-group priority-map 11
  cnMatrix(config-cls-map)# set class 10

  cnMatrix(config)# policy-map 11
  cnMatrix(config-ply-map)# set policy class 10 default-priority-type none
  cnMatrix(config-ply-map)# exit
  cnMatrix(config)#
QoS – priority maps
• Default queue assignment can be changed using the queue-map command
  Ex: packets with User Priority set to 3 will be mapped to queue 5

  cnMatrix(config)# priority-map 11
  cnMatrix(config-pri-map)# map in-priority-type vlanPri in-priority 3 regen-priority 3

  cnMatrix(config)# class-map 10
  cnMatrix(config-cls-map)# match access-group priority-map 11
  cnMatrix(config-cls-map)# set class 10

  cnMatrix(config)# queue-map CLASS 10 queue-id 5

  cnMatrix(config)# policy-map 11
  cnMatrix(config-ply-map)# set policy class 10 default-priority-type none
QoS – metering
• Policers work in conjunction with metering and color marking tools to increase granularity. Metering measures the traffic arrival rate and assigns different colors to the traffic according to that rate.
• 2 types of meters are supported: srTCM and trTCM

  cnMatrix(config)# meter 1
  cnMatrix(config-meter)# meter-type srTCM cir 100000 cbs 1024 ebs 2048
  cnMatrix(config)# meter 2
  cnMatrix(config-meter)# meter-type trTCM cir 200000 cbs 2048 ebs 4096 eir 220000

  cnMatrix(config)# class-map 10
  cnMatrix(config-cls-map)# match access-group mac-access-list 12
  cnMatrix(config-cls-map)# set class 10

  cnMatrix(config)# policy-map 11
  cnMatrix(config-ply-map)# set policy class 10 default-priority-type none
  cnMatrix(config-ply-map)# set meter 1 conform-action cos-transmit-set 2 exceed-action cos-transmit-set 0 violate-action drop
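What the srTCM and trTCM meters actually do with the cir/cbs/ebs/eir parameters, and how the conform/exceed/violate actions of the policy-map line attach to the resulting colours, is easiest to see in a token-bucket model. The following is an added example for this page, not code from Cambium Networks or the cnMatrix software. The srTCM bucket behaviour follows RFC 2697 (one rate; the excess bucket is fed only by overflow from the committed bucket); the trTCM form with its own eir is modelled with the excess bucket refilled independently at EIR. Rates are taken in bytes per second and bursts in bytes, which is this example's convention and not necessarily the unit the switch CLI uses; the traffic sample is constructed.

```python
"""Added example (not from the cnMatrix slides): a token-bucket model of the
two meter types named above and of the conform/exceed/violate actions a
policy can attach to the colours they produce.  The srTCM bucket behaviour
follows RFC 2697; the trTCM form with cir/cbs/eir/ebs is modelled with an
excess bucket refilled at its own EIR.  Rates are in bytes per second and
bursts in bytes (this example's convention); all traffic samples are
constructed."""


class Meter:
    def __init__(self, kind: str, cir: float, cbs: int, ebs: int, eir: float = 0.0):
        assert kind in ("srTCM", "trTCM")
        self.kind, self.cir, self.eir = kind, float(cir), float(eir)
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)   # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        dt = max(0.0, now - self.last)
        self.last = now
        if self.kind == "srTCM":
            # One rate: tokens land in C first, overflow spills into E.
            self.tc += self.cir * dt
            if self.tc > self.cbs:
                self.te = min(self.ebs, self.te + (self.tc - self.cbs))
                self.tc = float(self.cbs)
        else:
            # Two rates: each bucket is refilled independently.
            self.tc = min(float(self.cbs), self.tc + self.cir * dt)
            self.te = min(float(self.ebs), self.te + self.eir * dt)

    def color(self, size: int, now: float) -> str:
        """Colour-blind marking: green within CIR/CBS, yellow within the excess burst, red beyond."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


# Colour-to-action mapping mirroring the policy-map line
# "conform-action cos-transmit-set 2 exceed-action cos-transmit-set 0 violate-action drop".
POLICY = {"green": "cos-transmit-set 2", "yellow": "cos-transmit-set 0", "red": "drop"}


def police(meter: Meter, arrivals: list) -> list:
    """arrivals: [(timestamp_seconds, size_bytes), ...] -> [(colour, action), ...]"""
    out = []
    for now, size in arrivals:
        colour = meter.color(size, now)
        out.append((colour, POLICY[colour]))
    return out


# Constructed burst: four 400-byte packets at t=0, two more at t=0.5, one at t=1.0.
BURST = [(0.0, 400)] * 4 + [(0.5, 400), (0.5, 400), (1.0, 400)]


def demo_srtcm() -> list:
    return [c for c, _ in police(Meter("srTCM", cir=1000, cbs=1000, ebs=500), BURST)]


def demo_trtcm() -> list:
    return [c for c, _ in police(Meter("trTCM", cir=1000, cbs=1000, ebs=500, eir=4000), BURST)]
```

With the same committed rate and bursts, the two meters colour the initial burst identically (green, green, yellow, red), but half a second later the trTCM's separately refilled excess bucket lets a sixth packet through as yellow where the srTCM, whose excess bucket only receives overflow, marks it red and the policy drops it.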
QoS – Policing
• Policers can be used to remark traffic for a specific flow (VLAN priority or IP DSCP)

  cnMatrix(config)# class-map 10
  cnMatrix(config-cls-map)# match access-group ip-access-list 1
  cnMatrix(config-cls-map)# set class 10

  cnMatrix(config)# policy-map 11
  cnMatrix(config-ply-map)# set policy class 10 default-priority-type ipDscp 20
  cnMatrix(config-ply-map)# exit
  cnMatrix(config)#
QoS – Shaper
• Shapers support only the cir and cbs parameters

  cnMatrix(config)# shape-template 1 cir 100000 cbs 1024
  cnMatrix(config)# queue 1 interface gi 0/1 shaper 1
QoS – Scheduler
• 4 types of scheduling algorithms are supported: strict-priority, round robin, weighted round robin, strict-wrr
• Default algorithm is strict-priority

  cnMatrix(config)# scheduler 1 interface gi 0/1 sched-algo rr
  cnMatrix(config)# scheduler 2 interface gi 0/2 sched-algo wrr
  cnMatrix(config)# scheduler 3 interface gi 0/3 sched-algo strict-priority
  cnMatrix(config)# scheduler 4 interface gi 0/4 sched-algo strict-wrr

• Configure weight for a queue

  cnMatrix(config)# queue 2 interface gi 0/2 weight 40
  cnMatrix(config)# queue 8 interface gi 0/4 weight 0

A weight value of 0 means strict priority. Modifying the queue weight applies to all the ports where the scheduler is mapped.
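The strict-wrr behaviour, where a queue with weight 0 is served strictly ahead of the weighted round-robin queues, can be seen on a handful of queued packets. The following is an added example for this page, not code from Cambium Networks or the cnMatrix software; the queue contents are constructed, and the rule that a higher-numbered strict queue is served before a lower-numbered one is this example's assumption.

```python
"""Added example (not from the cnMatrix slides): a model of strict-wrr
scheduling, where a queue weight of 0 means strict priority and any other
weight is served by weighted round robin.  Queue contents are constructed;
serving higher-numbered strict queues first is this example's assumption."""
from collections import deque


def schedule(queues: dict, weights: dict, slots: int) -> list:
    """queues: {queue_id: deque of packet labels}; weights: {queue_id: weight}.
    Returns the order in which packets would be transmitted over `slots` opportunities."""
    strict = sorted((q for q, w in weights.items() if w == 0), reverse=True)
    wrr = sorted((q for q, w in weights.items() if w > 0), reverse=True)
    order, credits, idx = [], {q: 0 for q in wrr}, 0
    while len(order) < slots and any(queues[q] for q in queues):
        # Strict-priority queues are always served first while they hold traffic.
        strict_hit = next((q for q in strict if queues[q]), None)
        if strict_hit is not None:
            order.append(queues[strict_hit].popleft())
            continue
        if not wrr:
            break
        # WRR: the current queue may send up to `weight` packets per round,
        # then the pointer moves on; an empty queue forfeits its turn.
        q = wrr[idx % len(wrr)]
        if queues[q] and credits[q] < weights[q]:
            order.append(queues[q].popleft())
            credits[q] += 1
        else:
            credits[q] = 0
            idx += 1
    return order


def demo() -> list:
    # Constructed: queue 8 is strict (weight 0), queue 2 has weight 2, queue 1 has weight 1.
    queues = {8: deque(["v1", "v2"]), 2: deque(["a1", "a2", "a3"]), 1: deque(["b1", "b2"])}
    weights = {8: 0, 2: 2, 1: 1}
    return schedule(queues, weights, slots=10)
```

`demo()` drains the strict queue first (v1, v2) and then alternates the weighted queues 2:1 (a1, a2, b1, a3, b2), which is also the reason a strict queue that is never empty can starve the weighted ones.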
QoS – Verification
  cnMatrix# show priority-map
  cnMatrix# show class-map
  cnMatrix# show policy-map
  cnMatrix# show queue-map
  cnMatrix# show qos queue-stats
  cnMatrix# show qos queue-stats interface gi 0/1
  cnMatrix# show meter
  cnMatrix# show meter 1
  cnMatrix# show shape-template
  cnMatrix# show shape-template 1
  cnMatrix# show scheduler
  cnMatrix# show scheduler interface gi 0/2
  cnMatrix# show queue
  cnMatrix# show queue interface gi 0/3
Rate Limiting
• Rate limiting is used to control the rate of traffic sent or received by a network interface controller and is used to prevent denial of service (DoS) attacks
• Benefits:
  • You implement rate limiting primarily to prevent a denial of service (intentional or otherwise)
  • To limit the impact (or potential) of cascading failure
  • To restrict or meter resource usage
Note: Rate-limiting is not supported on the port-channel interface.
Access Control Lists (ACL)
• The ACL feature provides the means for the user to create rules that match specific traffic based on the information in the packets. The packets matched by the rules can then be dropped, allowed or redirected, or they can be fed to the QoS engine to have them policed. Also, matched packets can be mirrored to a specific interface in order for them to be analyzed by a network administrator.
• An ACL consists of three parts:
  • The rule – a set of fields from the packet, and a set of values that the selected fields have to match
  • The action – what to do with the packets that match the rule (permit, deny, redirect)
  • The interface on which the rule is applied (in the ingress or egress direction)
• There are three types of ACLs:
  • IP ACLs – the rule can consist of the source IP and the destination IP
  • MAC ACLs – the rule can consist of the source and destination MAC addresses, Ethernet type and the VLAN information
  • IP extended ACLs – the rule can consist of the source IP and the destination IP, as well as Layer-4 information for protocols such as UDP (source/destination ports), TCP (ports, TCP flags), ICMP (message code, message type) or any IP type, specified by the IP protocol number as defined by the Internet Assigned Numbers Authority (IANA).
Access Control Lists (ACL)
• To configure an ACL rule, first decide the type of ACL needed, based on the fields that need top be matched. This example illustrates a rule to block pings coming from port 0/5.
Set the access-list type and Id:cnMatrix(config)# ip access-list extended 1001
Action is deny, protocol is ICMP, message type and message code are specific to ICMP requests packets. The rule will match any IP source and IP destination.
cnMatrix(config-ext-nacl)# deny icmp any any message-type 0 message-code 8
cnMatrix(config-ext-nacl)# exit
Go to the target interface:
cnMatrix(config)# interface gigabitethernet 0/5
Bind the ACL to the interface’s ingress:
cnMatrix(config-if)# ip access-group 1001 in
Access Control Lists (ACL)
There are two modes of configuring the ACL feature:
• Consolidated – the user configures the entire set of rules, then commits them to the hardware.
• Immediate – the user configures the rules, and they are committed to hardware one-by-one, as the user inputs them.
In immediate mode, the priorities assigned by the user are ignored by the switch; the rules are prioritized in the order in which they are configured. This mode is not recommended for scenarios with complex rules, in which priorities are relevant.
Let’s modify the previous example to make it a little more complex:
• ping requests coming in on port 0/5 are blocked
• ping requests are, however, permitted to the subnet’s gateway
We will accomplish this by using prioritized rules in the ACL. We will create a rule that drops all ping packets coming in on port 0/5, and a higher priority rule that allows ping packets going to a specific IP.
Access Control Lists (ACL)
Set the provisioning mode to consolidated. In this mode, all rules are committed to the hardware at the end.
cnMatrix(config)# access-list provision mode consolidated
cnMatrix(config)# ip access-list extended 1002
Create a rule that will drop ICMP requests:
cnMatrix(config-ext-nacl)# deny icmp any any message-type 0 message-code 8 priority 2
Create a higher priority rule that will allow pings to the gateway:
cnMatrix(config-ext-nacl)# permit icmp any host 192.168.0.1 message-type 0 message-code 8 priority 1
cnMatrix(config-ext-nacl)# exit
cnMatrix(config)# interface gigabitethernet 0/5
Bind the ACL to the ingress of port 0/5 and commit the rules:
cnMatrix(config-if)# ip access-group 1002 in
cnMatrix(config-if)# access-list commit
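As an added illustration (example code, not from the slides or from Cambium), the following Python model evaluates ACL 1002 under both provisioning modes and shows why immediate mode is not recommended when priorities matter: typed in the slide's order, the deny rule would shadow the gateway permit. It assumes a lower priority number is evaluated first, encodes ICMP echo request as type 8, code 0 per RFC 792, and makes the action for unmatched traffic a parameter because the slides do not state it.

```python
"""Model of extended IP ACL evaluation with rule priorities (added example, not cnMatrix code).

Reproduces ACL 1002 from the slides: deny ICMP echo requests at priority 2 and permit echo
requests to the gateway 192.168.0.1 at priority 1. Consolidated mode orders rules by priority;
immediate mode ignores the configured priority and uses configuration order. Assumptions not on
the slides: a lower priority number is evaluated first, and the action for traffic matching no
rule is a parameter (default "permit")."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ECHO_REQUEST = {"icmp_type": 8, "icmp_code": 0}   # ICMP echo request per RFC 792


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "icmp", "tcp", "udp", ...
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _addr_match(spec, addr):
    """Match an ACL address field: 'any', 'host A.B.C.D' or 'A.B.C.D/len'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "icmp" or "any"
    src: str = "any"
    dst: str = "any"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    priority: int = 100                 # configured priority (honoured in consolidated mode)
    order: int = 0                      # position in which the rule was typed (immediate mode)

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if not (_addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)):
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return self.icmp_code is None or self.icmp_code == pkt.icmp_code


class Acl:
    def __init__(self, acl_id, mode="consolidated", default="permit"):
        if mode not in ("consolidated", "immediate"):
            raise ValueError("mode must be 'consolidated' or 'immediate'")
        self.acl_id, self.mode, self.default, self.rules = acl_id, mode, default, []

    def add(self, rule):
        rule.order = len(self.rules)
        self.rules.append(rule)
        return self

    def ordered(self):
        """Effective rule order: input order in immediate mode, priority otherwise."""
        if self.mode == "immediate":
            return sorted(self.rules, key=lambda r: r.order)
        return sorted(self.rules, key=lambda r: (r.priority, r.order))

    def evaluate(self, pkt):
        """Action of the first matching rule in effective order, else the default."""
        for rule in self.ordered():
            if rule.matches(pkt):
                return rule.action
        return self.default


def acl_1002(mode):
    """ACL 1002 from the slides, with the rules entered in the same order as on the slide."""
    return (Acl(1002, mode)
            .add(Rule("deny", "icmp", "any", "any", priority=2, **ECHO_REQUEST))
            .add(Rule("permit", "icmp", "any", "host 192.168.0.1", priority=1, **ECHO_REQUEST)))


if __name__ == "__main__":
    to_gateway = Packet("192.168.0.50", "192.168.0.1", "icmp", **ECHO_REQUEST)
    to_host = Packet("192.168.0.50", "192.168.0.77", "icmp", **ECHO_REQUEST)
    for mode in ("consolidated", "immediate"):
        acl = acl_1002(mode)
        print(f"{mode:12s} ping to gateway: {acl.evaluate(to_gateway):7s} "
              f"ping to other host: {acl.evaluate(to_host)}")
```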
Access Control Lists (ACL)
• MAC access lists can help secure the environment by restricting the access of certain devices to the network, or by blocking obsolete or unwanted L2 protocols:
cnMatrix(config)# mac access-list extended 1
cnMatrix(config-ext-macl)# deny any any netbios
cnMatrix(config-ext-macl)# exit
cnMatrix(config)# mac access-list extended 2
cnMatrix(config-ext-macl)# deny host 00:00:00:01:02:03 any
cnMatrix(config-ext-macl)# exit
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# mac access-group 1 in
• Note: MAC access lists only work when they are applied to the ingress of a port.
Access Control Lists (ACL)
• Note 1: If it is necessary to configure multiple ACL types on the same port, note that their priorities will not be respected across types. Priorities only assign higher or lower precedence to rules of the same type.
• Note 2: The maximum number of ACLs that can be configured on a system is 128 extended and 128 standard. Also, take into consideration that applying one ACL to 2 ports uses 2 entries.
• Note 3: For an example that uses ACLs to classify traffic into flows to be fed to the QoS engine, please refer to the QoS slides.
Rate Limiting – Config Example
INTERFACE commands:
Configure the rate limiting setting:
Rate-value varies depending on port type:
For 1Gb/s ports, the value is 1.000.000 Kbps.
For 10Gb/s ports, the value is 10.000.000 Kbps.
Burst size value is in multiples of 4096 KBytes and can be configured from 0 to 4095.
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# rate-limit output rate-value (1-10000000) burst-value (0 - 4095)
cnMatrix(config)# interface extreme-ethernet 0/1
cnMatrix(config-if)# rate-limit output rate-value (1-10000000) burst-value (0 - 4095)
Reset the rate limiting setting:
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# no rate-limit output
cnMatrix(config)# interface extreme-ethernet 0/1
cnMatrix(config-if)# no rate-limit output
Rate Limiting - Verification
• cnMatrix# show interfaces gigabitethernet 0/1 rate-limit
• cnMatrix# show interfaces extreme-ethernet 0/1 rate-limit
• cnMatrix# show interfaces rate-limit
Storm Control
• The Storm Control feature protects the switch from packet flooding by malicious users. Traffic that exceeds the configured threshold rate is dropped.
• Storm Control can be applied to unknown unicast, multicast (both registered and unregistered) and broadcast traffic.
• Different Storm Control rate values cannot be configured for different types of traffic on a port. The value configured on a port applies to all types of traffic for which Storm Control is enabled.
• Storm Control can be applied on physical interfaces and on port-channels.
• The threshold level is counted in pkts/s, and its granularity depends on the speed of the link:
- 10M: the effective rate will be the highest multiple of 64 pkts/s not higher than the configured level
- 100M: the effective rate will be the highest multiple of 640 pkts/s not higher than the configured level
- 1G: the effective rate will be the highest multiple of 6400 pkts/s not higher than the configured level
- 10G: the effective rate will be the highest multiple of 64000 pkts/s not higher than the configured level
• Example for a 1G port:
• Any configured level between 0-6399 will not have any impact; traffic will not be limited.
• For any configured level between 6400-12799, the effective rate will be 6400 pkts/s
• For any configured level between 12800-19199, the effective rate will be 12800 pkts/s
Storm Control – Config Example
INTERFACE commands:
Configure the storm-control settings:
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# storm-control dlf level (1-262143)
cnMatrix(config)# interface extreme-ethernet 0/1
cnMatrix(config-if)# storm-control broadcast level (1-262143)
cnMatrix(config)# interface port-channel 1
cnMatrix(config-if)# storm-control multicast level (1-262143)
Reset the storm-control settings:
cnMatrix(config)# interface gigabitethernet 0/1
cnMatrix(config-if)# no storm-control broadcast level
cnMatrix(config-if)# no storm-control dlf level
cnMatrix(config-if)# no storm-control multicast level
Storm Control- Verification
• cnMatrix# show interfaces gigabitethernet 0/1 storm-control
• cnMatrix# show interfaces extreme-ethernet 0/1 storm-control
• cnMatrix# show interfaces storm-control
Flow Control
• Flow Control is a per-port feature that detects packet congestion at its end and notifies the link partner by sending a pause frame.
• By enabling Flow Control, both the Tx (sending of pause frames) and Rx (receiving and obeying pause frames originating from a partner) are enabled.
• To enable Flow Control on an interface:
• cnMatrix(config-if)# flowcontrol { on | off }
• Note 1: This feature requires that the port is down while the setting is changed.
• Note 2: This feature only works in full-duplex mode.
• Example:
Jumbo Frames
• Jumbo frames improve data transmission efficiency by sending a bigger frame of data instead of the standard one.
• The standard data frame has an MTU of 1500 bytes; a jumbo frame is typically set to a 9000-byte MTU when enabled.
• Jumbo frames improve data transmission in two ways:
• More data is sent without increasing the overhead
• Fewer frames means fewer interrupts, which improves CPU usage
• Jumbo frames can be configured via CLI, SNMP, WEB(future release), and cnMaestro(future)
Jumbo frames- Configuration and Troubleshooting
• To configure jumbo frames for all interfaces, call the “system mtu” command
• Example: cnMatrix(config)# system mtu 9000
• To configure jumbo frames on a VLAN or on a single port, enter that interface and call the “mtu” command
• Example:
cnMatrix(config-if)# shut
cnMatrix(config-if)# mtu 9000
cnMatrix(config-if)# no shut
• Every single node within a jumbo-frame-enabled network needs to support jumbo frames; otherwise there is no performance increase
• For information on jumbo frame status, call the following command:
• cnMatrix# show interfaces mtu
LLDP
• LLDP (Link Layer Discovery Protocol) is a link-layer protocol used by devices to advertise their identity and capabilities to their neighbors on a LAN.
• The communication is done through LLDP Data Units (LLDPDUs), which contain three or more TLVs (type-length-value structures).
• LLDPDUs are consumed by the network device that receives them, i.e. frames received by a switch are not bridged to other devices.
• The TLVs advertised by the switch are configurable by the user on a per-port basis.
• The values advertised in the TLVs are also configurable
• The transmission timers for LLDPDUs can be finely tuned.
• The switch maintains a table with all the information advertised by the neighbors.
• The configuration and the neighbors table are accessible via CLI, SNMP and WebUI.
• The default LLDP version is v2.
• The protocol is standardized as IEEE 802.1ab and IEEE 802.3-2012 section 6 clause 79.
• A maximum of 256 neighbors is supported in this release.
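To make the TLV structure concrete, here is an added Python parser for an LLDPDU (example code written for these notes, not cnMatrix's implementation). It decodes the mandatory Chassis ID, Port ID and TTL TLVs plus the optional system name, system description and capabilities, rejects frames that are truncated or lack the End TLV, and runs on a constructed sample frame from an access point; the subtype keywords mirror the CLI options on the next slide.

```python
"""Parser for the TLV structure of an LLDP Data Unit (added example, not cnMatrix code).

IEEE 802.1AB encodes each TLV as a 16-bit header (7-bit type, 9-bit length) followed by the
value. An LLDPDU must start with Chassis ID (1), Port ID (2) and TTL (3), may carry optional
TLVs such as System Name (5), System Description (6) and System Capabilities (7), and ends
with the End of LLDPDU TLV (0). The sample LLDPDU at the bottom is constructed for this example."""
import struct

TLV_NAMES = {0: "end", 1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_descr",
             5: "sys_name", 6: "sys_descr", 7: "sys_capab", 8: "mgmt_addr"}
# Chassis ID / Port ID subtypes, named after the CLI keywords used on the slides.
CHASSIS_SUBTYPES = {4: "mac-addr", 5: "nw-addr", 6: "if-name", 7: "local"}
PORT_SUBTYPES = {1: "if-alias", 3: "mac-addr", 5: "if-name", 7: "local"}
# System capability bits, lowest bit first (other, repeater, bridge, WLAN AP, ...).
CAPABILITIES = ["other", "repeater", "bridge", "wlan", "router",
                "telephone", "docsis", "station"]


def encode_tlv(tlv_type, value):
    """Build one TLV; used here only to construct the sample frame."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def split_tlvs(data):
    """Return [(type, value), ...] up to and including the End TLV, or raise ValueError."""
    tlvs, off = [], 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = data[off + 2: off + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated TLV type {tlv_type} at offset {off}")
        tlvs.append((tlv_type, value))
        off += 2 + length
        if tlv_type == 0:
            break
    else:                                   # ran out of bytes without seeing the End TLV
        raise ValueError("no End of LLDPDU TLV")
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("LLDPDU must start with Chassis ID, Port ID and TTL")
    return tlvs


def _fmt_id(subtype_names, value):
    """Decode a Chassis ID or Port ID value: one subtype byte followed by the identifier."""
    sub = subtype_names.get(value[0], f"subtype-{value[0]}")
    body = value[1:]
    text = ":".join(f"{b:02x}" for b in body) if sub == "mac-addr" else body.decode("utf-8")
    return sub, text


def decode_lldpdu(data):
    """Decode an LLDPDU into the fields a neighbor table would store."""
    info = {}
    for tlv_type, value in split_tlvs(data):
        if tlv_type == 1:
            info["chassis_id"] = _fmt_id(CHASSIS_SUBTYPES, value)
        elif tlv_type == 2:
            info["port_id"] = _fmt_id(PORT_SUBTYPES, value)
        elif tlv_type == 3:
            info["ttl"] = struct.unpack("!H", value)[0]     # seconds until the entry expires
        elif tlv_type in (4, 5, 6):
            info[TLV_NAMES[tlv_type]] = value.decode("utf-8")
        elif tlv_type == 7:
            system, enabled = struct.unpack("!HH", value)
            info["capabilities"] = [c for i, c in enumerate(CAPABILITIES) if system >> i & 1]
            info["capabilities_enabled"] = [c for i, c in enumerate(CAPABILITIES) if enabled >> i & 1]
        elif tlv_type != 0:
            info.setdefault("unknown", []).append(tlv_type)
    return info


# Constructed sample: an access point advertising itself to the switch (all values made up).
SAMPLE_LLDPDU = b"".join([
    encode_tlv(1, bytes([4]) + bytes.fromhex("020000000001")),   # chassis ID, subtype MAC address
    encode_tlv(2, bytes([5]) + b"eth0"),                         # port ID, subtype interface name
    encode_tlv(3, struct.pack("!H", 120)),                       # TTL 120 s
    encode_tlv(5, b"ap-lobby"),                                  # system name
    encode_tlv(6, b"cnPilot E430W"),                             # system description
    encode_tlv(7, struct.pack("!HH", 0x000C, 0x0008)),           # bridge+WLAN capable, WLAN enabled
    encode_tlv(0, b""),                                          # End of LLDPDU
])

if __name__ == "__main__":
    for key, val in decode_lldpdu(SAMPLE_LLDPDU).items():
        print(f"{key:22s} {val}")
```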
LLDP-Configuration
• To enable LLDP on the switch:
• For the basic functionality, no user configuration is necessary
• The protocol is enabled by default; however, it can be enabled and disabled globally with the following command:
• cnMatrix(config)# set lldp {enable | disable}
• The protocol can also be enabled on a per-port basis:
• cnMatrix(config-if)# lldp {transmit | receive}
• To set local LLDP information (what is advertised to other devices):
• cnMatrix(config-if)# lldp port-id-subtype { if-alias | port-comp <string(255)> | mac-addr | if-name | local <string(255)> } to configure how the port is identified to other devices (by its management interface, its MAC address, or a locally assigned name)
• cnMatrix(config)# lldp chassis-id-subtype { chassis-comp <string(255)> | if-alias | port-comp <string(255)> | mac-addr | nw-addr | if-name | local <string(255)> } to configure how the chassis is identified to other devices (by its management interface, its MAC address, or a locally assigned name)
• To set advertised TLVs:
• cnMatrix(config-if)# lldp tlv-select basic-tlv { port-descr | sys-name | sys-descr | sys-capab | mgmt-addr {all | ipv4 <ucast_addr> | ipv6 <ipv6_addr>}}
• cnMatrix(config-if)# lldp tlv-select dot1tlv {port-vlan-id | protocol-vlan-id {all | <vlan-id>} | vlan-name {all | <vlan-id>} | vid-usage-digest | mgmt-vid | link-aggregation} [mac-address <mac_addr>]
• cnMatrix(config-if)# lldp tlv-select dot3tlv {macphy-config | link-aggregation | max-framesize}
• By default, port description, system name, system description and system capabilities are enabled on all ports.
LLDP-Configuration (Continued)
• To fine-tune the LLDP transmission timers:
• cnMatrix(config)# lldp transmit-interval <seconds(5-32768)>
• cnMatrix(config)# lldp holdtime-multiplier <value(2-10)>
• cnMatrix(config)# lldp reinitialization-delay <seconds(1-10)>
• cnMatrix(config)# lldp tx-delay <seconds(1-8192)>
• cnMatrix(config)# lldp txCreditMax <value (1-10)>
• cnMatrix(config)# lldp MessageFastTx <seconds(1-3600)>
• To display the LLDP status and configuration:
• cnMatrix# show running-config lldp
• cnMatrix# show lldp
• cnMatrix# show lldp interface
LLDP – Neighbors
• To display LLDP neighbors:
• cnMatrix# show lldp neighbors
• TIP: To display all the available information about the neighbors, add the “detail” token to the command
LLDP - peers
• To display specific LLDP peers:
• cnMatrix# show lldp peers [chassis-id <string(255)> port-id <string(255)>] <interface-type> <interface-id>[[mac-address <mac_addr>] [detail]]
• This command allows the user to display only certain peers, filtered by the interface they were learned on, or just a specific peer identified by a chassis-id. The “detail” token can also be added to show complete information.
Port Channel
• Port Channel or Link Aggregation Group (LAG) is a way of bundling multiple Ethernet links together so they act like a single logical link.
• Benefits:
• Increased reliability and availability – traffic is reassigned to other links when one link goes down
• Traffic can be load-balanced across the physical links
• Delivers higher bandwidth than an individual link
• Link Aggregation Control Protocol (802.3ad LACP) – allows the switch to negotiate an automatic bundle by periodically sending LACP packets to the peer.
Port Channel
• Number of Port-Channels: 8
• Number of links per port-channel: configurable per port-channel (8 max.)
• Port-channel modes: Dynamic (Passive/Active) and Static (On).
• Load-Balancing
• Hash function based on Src MAC, Dest MAC, Src IP, Dest IP, Src-Dest MAC (Default), Src-Dest IP
• Setting applied to all port-channels
Port Channel – Config Example
cnMatrix(config)# load-balance src-dest-ip
cnMatrix(config)# interface port-channel 10
cnMatrix(config-if)# no shut
cnMatrix(config-if)# max-ports 4 (default = 8)
cnMatrix(config)# interface range extreme-ethernet 0/1-4
cnMatrix(config-if-range)# channel-group 10 mode active
cnMatrix(config)# vlan 2
cnMatrix(config-vlan)# port add port-channel 10
cnMatrix(config)# interface port-channel 10
cnMatrix(config-if)# switchport pvid 2
cnMatrix(config)# interface range gigabitethernet 0/1-4
cnMatrix(config-if-range)# lacp port-priority 10
Port Channel - Troubleshooting
• Link members must be the same speed or autonegotiate.
• Link members must be full duplex
• Long and short timers must be the same among the peer connections.
• cnMatrix# show etherchannel 10 detail
• cnMatrix# show LACP counters
• cnMatrix# show LACP neighbors
• cnMatrix# show running-config la
• cnMatrix# show interface description
• cnMatrix# show vlan brief
• cnMatrix# show interface descriptor
• cnMatrix# show interface status
Auto-Attach
• Auto-Attach (AA) supports automatic switch configuration based on discovery of connected devices
• Dynamically configures commonly updated port settings (e.g., VLAN membership, default VLAN) when a device is discovered
• Existing port settings (e.g., QoS, VLAN membership) remain unchanged
• Device discovery is port-independent (automates moves, adds and changes)
• Minimal administrator configuration required
• Leverages standard Link Layer Discovery Protocol (802.1ab LLDP) data for device discovery/identification/status
• Dynamic settings cleared and previous settings restored following device disconnect (expiration, link down) and system reset
• Auto-Attach controlled through CLI for first release
Auto-Attach
• Global and per-port control of Auto-Attach operation
• Enabled by default globally and on all access ports
• Administrator identifies device detection data and settings to be updated upon device discovery using AA policies, rules and actions
• Device detection data: LLDP fields to examine, device identification string data
• Dynamic settings to be updated on the port on which the device is detected:
• VLAN membership (up to 20 VLANs). VLANs are dynamically created if necessary
• Native VLAN (for received untagged traffic)
• Port Mode (Hybrid, Access, Trunk)
• Detection policy supports precedence and enable/disable for precise administrator control
• Initial support for 50 administrator-defined AA policies, rules and actions
• Precedence range 1..100 (default precedence 50) with policies at the same precedence level evaluated "simultaneously"
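The following Python simulation (an added example, not cnMatrix code) models the rule/action/policy evaluation described above: a discovered LLDP neighbor is matched against enabled policies, the best precedence level wins, the action's VLANs and PVID are applied on top of the port's saved static settings, and disconnect restores them. Where the slides are silent it states its assumptions in the docstring: lower precedence values are evaluated first, LLDP-ANY searches every string field of the neighbor, and policies at the winning precedence merge their VLANs and use the first policy's PVID.

```python
"""Simulation of Auto-Attach rule/action/policy evaluation (added example, not cnMatrix code).

Discovery of an LLDP neighbor applies the winning policy's VLANs and PVID on top of the port's
saved static settings; disconnect (link down, LLDP expiry, reset) restores them. Assumptions the
slides do not state: a lower precedence value is evaluated first, LLDP-ANY searches every string
field of the neighbor, and policies sharing the winning precedence merge their VLANs and use the
first policy's PVID."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str          # "LLDP-SYS-DESC", "LLDP-CAP" or "LLDP-ANY" (keywords from the slides)
    value: str

    def matches(self, neighbor):
        """neighbor is a dict of decoded LLDP fields, e.g. sys_descr, capabilities_enabled."""
        if self.kind == "LLDP-SYS-DESC":
            return self.value in neighbor.get("sys_descr", "")
        if self.kind == "LLDP-CAP":
            return self.value in neighbor.get("capabilities_enabled", [])
        if self.kind == "LLDP-ANY":
            return any(self.value in str(v) for v in neighbor.values())
        raise ValueError(f"unknown rule kind {self.kind}")

@dataclass(frozen=True)
class Action:
    name: str
    vlans: frozenset
    pvid: int

    def __post_init__(self):
        if len(self.vlans) > 20 or self.pvid not in self.vlans:   # 20-VLAN limit from the slides
            raise ValueError("at most 20 VLANs, and the PVID must be one of them")

@dataclass
class Policy:
    name: str
    rule: Rule
    action: Action
    precedence: int = 50          # range 1..100, default 50 as on the slides
    enabled: bool = True

@dataclass
class Port:
    name: str
    vlans: set
    pvid: int
    saved: Optional[tuple] = None   # static (vlans, pvid) while dynamic settings are active

class AutoAttach:
    def __init__(self, policies, enabled=True):
        if len(policies) > 50:                       # initial policy limit from the slides
            raise ValueError("at most 50 policies are supported")
        self.policies, self.enabled = list(policies), enabled

    def select(self, neighbor):
        """Enabled policies that match, restricted to the best (lowest) precedence level."""
        matched = [p for p in self.policies if p.enabled and p.rule.matches(neighbor)]
        best = min((p.precedence for p in matched), default=None)
        return [p for p in matched if p.precedence == best]

    def on_discovery(self, port, neighbor):
        """Apply dynamic settings for a discovered neighbor; returns True if a policy fired."""
        winners = self.select(neighbor) if self.enabled else []
        if not winners:
            return False
        if port.saved is None:                       # remember the administrator's settings
            port.saved = (set(port.vlans), port.pvid)
        static_vlans = port.saved[0]
        port.vlans = static_vlans | set().union(*(p.action.vlans for p in winners))
        port.pvid = winners[0].action.pvid
        return True

    def on_disconnect(self, port):
        """Clear dynamic settings and restore the static ones."""
        if port.saved is not None:
            port.vlans, port.pvid = port.saved
            port.saved = None

def slide_policies():
    """The two policies from the Auto-Attach configuration example slide."""
    return [
        Policy("cnPilot", Rule("cnPilotDetect", "LLDP-SYS-DESC", "cnPilot E430W"),
               Action("cnPilotVlans", frozenset({10, 20, 30}), 30), precedence=10),
        Policy("All WLANs", Rule("All WLANs", "LLDP-CAP", "wlan"),
               Action("lowPriorityVlans", frozenset({100, 200}), 100), precedence=20),
    ]

if __name__ == "__main__":
    aa, port = AutoAttach(slide_policies()), Port("gi0/7", {1}, 1)
    aa.on_discovery(port, {"sys_descr": "cnPilot E430W", "capabilities_enabled": ["bridge", "wlan"]})
    print("attached:", sorted(port.vlans), "pvid", port.pvid)
    aa.on_disconnect(port)
    print("restored:", sorted(port.vlans), "pvid", port.pvid)
```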
Auto-Attach – Configuration Example
cnMatrix(config)# auto-attach policy cnPilot match LLDP-ANY cnPilot set vlan 10,20,30 pvid 30
cnMatrix(config)# auto-attach policy wlan match LLDP-CAP wlan set vlan 100,200 prec 50
cnMatrix(config)# auto-attach rule cnPilotDetect LLDP-SYS-DESC "cnPilot E430W"
cnMatrix(config)# auto-attach rule "All WLANs" LLDP-CAP wlan
cnMatrix(config)# auto-attach action cnPilotVlans vlan 10,20,30 pvid 30
cnMatrix(config)# auto-attach action lowPriorityVlans vlan 100,200 pvid 100
cnMatrix(config)# auto-attach policy cnPilot match rule cnPilotDetect action cnPilotVlans precedence 10
cnMatrix(config)# auto-attach policy "All WLANs" match rule "All WLANs" action lowPriorityVlans precedence 20
cnMatrix(config)# no auto-attach
cnMatrix(config-if)# no auto-attach
Auto-Attach - Troubleshooting
• Verify feature operation is enabled globally and on access ports
• cnMatrix# show auto-attach global
• cnMatrix# show auto-attach interface
• Verify local LLDP and connected device LLDP status
• cnMatrix# show lldp
• cnMatrix# show lldp traffic
• cnMatrix# show lldp neighbor detail
• Verify device detection and action criteria
• cnMatrix# show auto-attach rule
• cnMatrix# show auto-attach action
• cnMatrix# show auto-attach policy
• Clear current settings to start fresh (global or port-based)
• cnMatrix(config)# no auto-attach
• cnMatrix(config)# auto-attach
• cnMatrix(config-if)# no auto-attach
• cnMatrix(config-if)# auto-attach
Internet Group Management Protocol (IGMP)
• Internet Group Management Protocol is a protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group membership. This protocol can be used for one-to-many networking applications.
• Various IGMP modes are supported:
• IGMP Snooping
• Timing: Query Interval, Init Value
• Querier, Query Interval, Send Query
• Proxy Reporting, Report-Suppression-Interval, Proxy
• Filter – Profile
• Fast Leave
• mRouter
• Display Commands
• IGMP modes are configurable via CLI, WEB, cnMaestro (Future)
• IGMP must be enabled globally prior to mode configuration
Internet Group Management Protocol (IGMP)
• IGMP Snooping:
• Enable the IGMP Snooping feature globally on the switch with the following command:
• cnMatrix(config)# ip igmp snooping enable
• To enable IGMP Snooping only on a desired VLAN, use the following command:
• cnMatrix(config)# ip igmp snooping vlan 10
• Disable the IGMP Snooping feature globally:
• cnMatrix(config)# no ip igmp snooping
• Disable IGMP snooping on a specific VLAN:
• cnMatrix(config)# no ip igmp snooping vlan 1
Internet Group Management Protocol (IGMP)
• Init Value:
• Startup-query-Count: the initial value startup-query-count sets the number of query messages to be sent when the switch boots up configured as a querier. The value can be between 2 and 5. The following commands can help to do that:
• cnMatrix(config)# vlan 1
• cnMatrix(config-vlan)# ip igmp snooping startup-query-count 5
• Startup-query-Interval: the initial value startup-query-interval sets the time period in which the general queries are sent by the switch when it boots up configured as a querier. The interval is between 15 and 150 and it must be less than the query interval divided by 4.
• cnMatrix(config)# vlan 2
• cnMatrix(config-vlan)# ip igmp snooping startup-query-interval 30
Internet Group Management Protocol (IGMP)
• Querier
• If the switch is configured as a querier, it will send IGMP query messages. It will send general query messages with a chosen IP, the switch IP or the VLAN IP.
• cnMatrix(config)# vlan 1
• Unicast IP:
• cnMatrix(config-vlan)# ip igmp snooping querier 1.1.1.1
• VLAN interface IP:
• cnMatrix(config-vlan)# ip igmp snooping querier address
• Switch IP:
• cnMatrix(config-vlan)# ip igmp snooping querier
• Query Interval:
• This feature makes it possible to tune the query interval so that the network is not flooded with discovery query messages. The value can be tuned between 60 and 600.
• cnMatrix(config)# vlan 1
• cnMatrix(config-vlan)# ip igmp snooping query-interval 125
• Send Query:
• With this feature enabled, the switch will be able to generate IGMP general query messages to relearn the topology if the hosts changed, using the following command:
• cnMatrix(config)# ip igmp snooping send-query enable
Internet Group Management Protocol (IGMP)
• IGMP Proxy-Reporting is mutually exclusive with Report-Suppression-Interval, so they must be enabled together in order to work.
• With proxy-reporting enabled, the switch helps the multicast router learn the host information of the multicast group. It will forward the packets based on group information.
• cnMatrix(config)# ip igmp snooping proxy-reporting
• Report-Suppression-Interval: the switch will forward IGMP report messages to the multicast group. A timer starts immediately after forwarding the report. During this interval the switch will not forward another IGMP report message to the same multicast group. The interval is between 1 and 25.
• cnMatrix(config)# ip igmp report-suppression-interval 10
• Proxy:
• This feature is used for learning group membership information from hosts on downstream interfaces and then forwarding the multicast packets, with the substituted information, to upstream interfaces. The switch sends a general query to all downstream interfaces at the query interval and collects information about the member ports.
• cnMatrix(config)# ip igmp snooping proxy
Internet Group Management Protocol (IGMP)
• IGMP Filter
• Enable:
• The following command enables the IGMP filter feature on the switch:
• cnMatrix(config)# ip igmp snooping filter
• Max-Groups:
• Set the maximum number of multicast groups to be learned on the interface:
• cnMatrix(config)# interface gigabitethernet 0/2
• cnMatrix(config-if)# ip igmp max-groups 5
• Enter a profile:
• With the following command you can enter a filtering profile to modify its parameters:
• cnMatrix(config)# ip igmp profile 10
• Range:
• Range helps to filter the traffic; the following commands tell the switch to permit / deny (allow / drop packets) in the specified range:
• cnMatrix(config)# ip igmp profile 10
• cnMatrix(config-profile)# range 226.0.1.2 227.3.3.4
Internet Group Management Protocol (IGMP)
• Permit profile
• The following command will permit (allow) multicast traffic (packets) to go through the switch:
• cnMatrix(config-profile)# permit
• Deny profile
• The following command will deny (drop) multicast traffic (packets) going through the switch:
• cnMatrix(config-profile)# deny
• Activate profile
• The following command activates the profile; if edited, a profile must be re-activated to take effect:
• cnMatrix(config-profile)# profile active
• Add interface to filter:
• With the following commands you can add a multicast profile to an interface:
• cnMatrix(config)# interface gigabitethernet 0/2
• cnMatrix(config-if)# ip igmp filter 10
Internet Group Management Protocol (IGMP)
• Fast Leave
• The following commands will process the leave messages using the Fast Leave mechanism:
• cnMatrix(config)# interface gigabitethernet 0/4
• cnMatrix(config-if)# ip igmp snooping leavemode fastLeave
• mRouter:
• To configure a list of multicast router ports for a desired VLAN, when IGMP snooping is globally enabled, use the following commands:
• cnMatrix(config)# vlan 10
• cnMatrix(config-vlan)# ip igmp snooping mrouter gigabitethernet 0/1
Internet Group Management Protocol (IGMP)
• Display IGMP snooping global information:
• cnMatrix# show ip igmp snooping globals
• Display IGMP snooping information:
• cnMatrix# show ip igmp snooping
• Display IGMP snooping statistics:
• cnMatrix# show ip igmp snooping statistics
• Display IGMP snooping group information:
• cnMatrix# show ip igmp snooping groups
• Display IGMP snooping forwarding database information:
• cnMatrix# show ip igmp snooping forwarding-database
PVLAN-Edge
• PVLAN-edge is used to better control the flow of L2 traffic on the switch.
• When a port has protected status it no longer forwards any traffic (unicast, multicast, broadcast) to any other port that is also protected and on the same switch.
• The feature only has local significance; there is no isolation between ports on different switches.
• Between two protected ports only L2 traffic is restricted.
PVLAN-Edge – Config Example
• Configuring ports as protected:
• cnMatrix(config)# interface range gigabitethernet 0/1-24
• cnMatrix(config-if-range)# switchport protected
• Disabling protected status:
• cnMatrix(config)# interface range gigabitethernet 0/1-24
• cnMatrix(config-if-range)# no switchport protected
PVLAN-Edge – Show command
• Show port protected status:
• cnMatrix# show vlan port gig 0/1
Vlan Port configuration table
--------------------------------------------------------------
Port Gi0/1
Port Vlan ID : 1
Port Acceptable Frame Type : Admit All
Port Mac Learning Status : Enabled
Port Ingress Filtering : Enabled
Port Mode : Hybrid
Port-and-Protocol Based Support : Enabled
Default Priority : 0
Port Protected Status : Enabled
Ingress EtherType : 0x8100
Egress EtherType : 0x8100
---------------------------------------------------------------
Power Over Ethernet
• PoE (Power Over Ethernet) is used to power various devices connected directly to the switch via the copper ports (such as Wireless Access Points, IP Cameras, VoIP Phones etc.) over standard Ethernet CAT5 or CAT6 cables
• It supports the 802.3af and 802.3at standards, thus offering the possibility to deliver up to 30W per port
• The PoE power budget, or available power, depends on the model of the switch:
• 400W for EX2028-P
• 100W for EX2010-P
• PoE is enabled by default, both globally and per-port
• Devices will be powered up regardless of the administrative state of the port, i.e. PoE works even if the port is in shutdown state
• PoE configuration can be done only from the CLI for the moment
• PoE priority can be configured on a per-port basis. Available options are: critical, high and low. Low is also the default
• When the power budget is exceeded, ports will be denied power based on their priority. If the decision has to be made between ports with equal priority, the highest port number will be denied power
Power Over Ethernet – Config Examples
• Modify priority on a port
• cnMatrix(config)# interface gigabitethernet 0/1
• cnMatrix(config-if)# power inline priority critical
• Disable PoE on a port
• cnMatrix(config)# interface gigabitethernet 0/1
• cnMatrix(config-if)# power inline never
• Enable PoE on a port
• cnMatrix(config)# interface gigabitethernet 0/1
• cnMatrix(config-if)# power inline auto
• Display PoE per-port info
• cnMatrix# show power inline
• Display PoE global details
• cnMatrix# show power detail
• Display PoE per-port measurements info
• cnMatrix# show power inline measurements
Port Mirroring
• Port mirroring is used on the switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.
• Various Mirroring Modes are supported:
• Port Based Mirroring, RX/TX or Both
• Many To One Mirroring, RX/TX or Both
• VLAN – Source VLAN, Destination Port
• Src/Dest MAC Mirroring through use of ACL
• Src/Dest IP Mirroring through use of ACL
• Number of monitor sessions: 7 (Only one session can use ACL)
• Monitor session is configurable via CLI, WEB (Future), cnMaestro (Future)
• Mirroring must be enabled globally prior to mode configuration
• Port-channel can NOT be source or destination in monitor session
• Only one ACL based mirroring session is supported
Port Mirroring – Config Examples
• Enable Mirroring on the switch
• cnMatrix(config)# set mirroring enable
• Port Based:
• cnMatrix(config)# monitor session 1 source interface gigabitethernet 0/3 tx (rx, both)
• cnMatrix(config)# monitor session 1 destination interface gigabitethernet 0/4
• Many-To-One:
• cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/1 both
• cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/2 both
• cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/3 both
• cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/4 both
• cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/5 both
• cnMatrix(config)# monitor session 2 source interface gigabitethernet 0/6 both
• cnMatrix(config)# monitor session 2 destination interface gigabitethernet 0/10
• VLAN Based:
• cnMatrix(config)# monitor session 1 source vlan 2 rx (tx, both)
• cnMatrix(config)# monitor session 1 destination interface gigabitethernet 0/2
Port Mirroring – Config Examples
• Src/Dest MAC address through use of ACL example:
• Configure a MAC based ACL to permit unicast traffic from a host with a source MAC address of 00:00:00:00:00:10 to a host with a destination MAC address of 00:00:00:00:00:20:
• cnMatrix(config)# mac access-list extended 1
• cnMatrix(config-ext-macl)# permit host 00:00:00:00:00:10 host 00:00:00:00:00:20 priority 1
• cnMatrix(config)# interface gigabitethernet 0/6
• cnMatrix(config-if)# mac access-group 1 in
• Create the monitoring configuration:
• cnMatrix(config)# monitor session 3 source mac-acl 1
• cnMatrix(config)# monitor session 3 destination interface gigabitethernet 0/5
• Src/Dest IP through use of ACL example:
• Configure an IP based ACL to permit unicast traffic from a host with a source IP address of 10.0.0.1 to a host with a destination IP address of 10.0.0.2:
• cnMatrix(config)# ip access-list standard 1
• cnMatrix(config-std-nacl)# permit host 10.0.0.1 host 10.0.0.2 priority 1
• cnMatrix(config)# interface gigabitethernet 0/6
• cnMatrix(config-if)# ip access-group 1 in
• Create the monitoring configuration:
• cnMatrix(config)# monitor session 1 source ip-acl 1
• cnMatrix(config)# monitor session 1 destination interface gigabitethernet 0/2
• Display all monitor sessions:
• cnMatrix# show monitor session all
SNTP client
• SNTP (Simple Network Time Protocol) is a simplified version, or subset, of the NTP protocol. It is used to synchronize the time and date in cnMatrix by contacting an SNTP server. The administrator can choose whether to set the system clock manually or to enable SNTP. If SNTP is enabled, the SNTP implementation discovers the SNTP server and gets the time from the server.
• cnMatrix has only the SNTP client feature
• SNTP operates in any of the following modes:
• Unicast addressing mode – the SNTP client sends unicast SNTP requests and synchronizes the clock with the response received from the SNTP server.
• Broadcast addressing mode – the SNTP client does not send any SNTP request. It waits for SNTP response messages from broadcast servers and synchronizes the clock from the response received from one of the broadcast servers.
• Manycast addressing mode – the SNTP client first sends an SNTP request to the configured broadcast/multicast address, then synchronizes the clock from the first response received. Once the response is received, the operation of manycast addressing mode is the same as unicast addressing mode.
SNTP client – Config Examples
• SNTP is not enabled by default. To enable and use the SNTP client, the following steps must be taken:
  • Step 1: Set the client addressing mode. The recommended setting is unicast mode because of its better security. To use unicast addressing mode the following steps must be taken:
    • Step 1.1: Set a unicast server:
      Example: cnMatrix(config-sntp)# set sntp unicast-server ipv4 20.0.0.1
    • Step 1.2: Set the SNTP client addressing mode to unicast:
      cnMatrix(config-sntp)# set sntp client addressing-mode unicast
  • Step 2: Enable the SNTP client:
    cnMatrix(config-sntp)# set sntp client enabled
  • Step 3: Set NTP as the source for the system clock:
    cnMatrix(config)# clock time source ntp
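What the unicast client configured above actually exchanges with its server, as an added example that is not Cambium code: it builds the 48-byte SNTP request, then validates the reply (mode, leap indicator, stratum, and that the originate timestamp echoes the request it sent) before computing the clock offset. The echo check is something a unicast client can do and a broadcast listener cannot, which is why unicast mode is the recommended setting. All timestamps and the server reply are constructed; nothing is sent on the network.

```python
"""Added example, not Cambium code: an SNTP (RFC 4330) unicast exchange
with the checks a client should apply to a reply before it touches the
system clock. Timestamps are constructed; no packets are sent."""
import struct
from typing import Dict

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
_FMT = "!BBBbIIIQQQQ"                  # 48-byte SNTP header, network byte order


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(transmit_unix: float) -> bytes:
    """Client packet: LI=0, VN=4, Mode=3 (0x23); only Transmit Timestamp is set."""
    return struct.pack(_FMT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(transmit_unix))


def build_reply(request: bytes, recv_unix: float, tx_unix: float,
                stratum: int = 2, li: int = 0) -> bytes:
    """Constructed server reply (stands in for the configured unicast server,
    e.g. 20.0.0.1): Mode=4, Originate = client's Transmit, plus Receive/Transmit."""
    fields = struct.unpack(_FMT, request[:48])
    flags = (li << 6) | (4 << 3) | 4
    return struct.pack(_FMT, flags, stratum, 0, 0, 0, 0, 0,
                       to_ntp(tx_unix - 10), fields[10], to_ntp(recv_unix), to_ntp(tx_unix))


def parse_reply(data: bytes, sent_ts: int, received_unix: float) -> Dict[str, float]:
    """Validate a reply and compute clock offset and round-trip delay.
    Raises ValueError for anything a client must not synchronize to."""
    if len(data) < 48:
        raise ValueError("short packet")
    (flags, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref_ts, orig_ts, recv_ts, tx_ts) = struct.unpack(_FMT, data[:48])
    li, mode = flags >> 6, flags & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3:
        raise ValueError("server reports its clock is unsynchronized")
    if stratum == 0:
        raise ValueError("kiss-o'-death / unspecified stratum")
    if orig_ts != sent_ts:
        # A reply that does not echo our own transmit timestamp is not an
        # answer to our request; unicast mode can check this, broadcast cannot.
        raise ValueError("originate timestamp does not match our request")
    if tx_ts == 0:
        raise ValueError("zero transmit timestamp")
    t1, t2, t3, t4 = from_ntp(orig_ts), from_ntp(recv_ts), from_ntp(tx_ts), received_unix
    return {"stratum": stratum,
            "offset": ((t2 - t1) + (t3 - t4)) / 2,   # how far our clock is behind
            "delay": (t4 - t1) - (t3 - t2)}


if __name__ == "__main__":
    req = build_request(1000.0)
    rep = build_reply(req, 1002.05, 1002.06)
    print(parse_reply(rep, to_ntp(1000.0), 1000.11))
```

The offset formula is the one from RFC 4330: with the client clock 2 s behind and a 100 ms round trip, the constructed exchange yields offset 2.0 s and delay 0.1 s.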
SNTP client – Troubleshooting
• To view the clock, issue:
  cnMatrix# show clock
  or
  cnMatrix# show sntp clock
• For information regarding SNTP packets, issue the following command:
  cnMatrix# show sntp statistics
• For information regarding the SNTP client status, issue the following command:
  cnMatrix# show sntp status
• For information regarding the SNTP client unicast addressing mode, issue:
  cnMatrix# show sntp unicast-mode status
RMON
• Remote monitoring (RMON) provides summary information on the network traffic, including error statistics and performance statistics.
• RMON operates in a client/server model.
• RMON probes support the following RMON groups:
  • Ethernet Statistics Group
  • Ethernet History Group
  • Alarm Group
  • Event Group
• The feature is supported in CLI and Web.
RMON – Config Examples
• Configure a device to log an event when the alarm threshold that monitors ifInUcastPkts exceeds an absolute value of 1000000:
  cnMatrix(config)# rmon enable
  cnMatrix(config)# rmon event 2 description "High Ucast Packets" log owner user1
  cnMatrix(config)# rmon alarm 1 1.3.6.1.2.1.2.2.1.11.1 60 absolute rising-threshold 1000000 falling-threshold 900000
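The alarm above is not a simple "value above 1000000" test: RMON (RFC 2819 alarmTable) fires one rising event when the threshold is crossed and will not fire another until the value has come back down to the falling threshold, which is why the command takes both. The following added example, not Cambium code, implements that state machine and runs it over constructed ifInUcastPkts samples, covering absolute and delta sampling and the startup-alarm policy shown by `show rmon alarms`.

```python
"""Added example, not Cambium code: the RMON alarm/event logic (RFC 2819
alarmTable semantics) behind
  rmon alarm 1 1.3.6.1.2.1.2.2.1.11.1 60 absolute rising-threshold 1000000 falling-threshold 900000
evaluated over constructed ifInUcastPkts samples, including the hysteresis that
keeps one busy interface from logging an event every polling interval."""
from typing import List, Optional


class RmonAlarm:
    """One alarmTable row and the events it logs."""

    def __init__(self, rising: int, falling: int, sample_type: str = "absolute",
                 startup: str = "rising-or-falling", description: str = "High Ucast Packets"):
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup, self.description = sample_type, startup, description
        self._last_raw: Optional[int] = None      # previous raw value (delta sampling)
        self._last_crossed: Optional[str] = None  # direction of the last crossing
        self._seen_sample = False
        self.events: List[str] = []               # what 'show rmon events' would list

    def _sampled_value(self, raw: int) -> Optional[int]:
        if self.sample_type != "delta":
            return raw
        if self._last_raw is None:                # first delta sample only sets the baseline
            self._last_raw = raw
            return None
        value, self._last_raw = raw - self._last_raw, raw
        return value

    def sample(self, raw: int) -> Optional[str]:
        """Feed one polled value; return 'rising', 'falling' or None."""
        value = self._sampled_value(raw)
        if value is None:
            return None
        first, self._seen_sample = not self._seen_sample, True
        fired = None
        if value >= self.rising and self._last_crossed != "rising":
            # On the very first sample, alarmStartupAlarm decides whether a value
            # already above the threshold counts as a crossing.
            if not first or self.startup in ("rising", "rising-or-falling"):
                fired = "rising"
            self._last_crossed = "rising"   # no further rising event until falling is crossed
        elif value <= self.falling and self._last_crossed != "falling":
            if not first or self.startup in ("falling", "rising-or-falling"):
                fired = "falling"
            self._last_crossed = "falling"
        if fired:
            threshold = self.rising if fired == "rising" else self.falling
            self.events.append("%s: %s threshold %d crossed, value %d"
                               % (self.description, fired, threshold, value))
        return fired


def run(alarm: RmonAlarm, samples: List[int]) -> List[Optional[str]]:
    """Poll the alarm once per sample (one 60-second interval each on the switch)."""
    return [alarm.sample(v) for v in samples]


if __name__ == "__main__":
    a = RmonAlarm(rising=1000000, falling=900000)
    print(run(a, [500000, 950000, 1000000, 1200000, 950000, 900000, 1000001]))
    print(*a.events, sep="\n")
```

With the slide's thresholds, a value of 1200000 right after the 1000000 crossing logs nothing, and the next rising event only appears after the counter has dropped to 900000 or below. For a counter like ifInUcastPkts, which only grows, `delta` sampling (packets per interval) is what makes the alarm meaningful.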
RMON – Config Examples
• Show commands:
  cnMatrix# show rmon events
    Event 1 is active, owned by user1
    Description is High Ucast Packets
    Event firing causes log,
    Time last sent is Mar 25 00:12:00 2018
  cnMatrix# show rmon alarms
    RMON is enabled
    Alarm 1 is active, owned by
    Monitors 1.3.6.1.2.1.2.2.1.11.1 every 60 second(s)
    Taking absolute samples, last value was 0
    Rising threshold is 1000000, assigned to event 1
    Falling threshold is 900000, assigned to event 1
    On startup enable rising or falling alarm
    Logging Event With Description : High Ucast Packets
RMON – Config Examples
• Configure statistics monitoring on an interface:
  cnMatrix(config-if)# rmon collection stats 1 owner user1
  cnMatrix# show rmon statistics 1
    RMON is enabled
    Collection 1 on Gi0/1 is active, and owned by user1,
    Monitors by Gi0/1 interface which has
    Received 111331701 octets, 1739527 packets,
    8 broadcast and 11 multicast packets,
    0 undersized and 0 oversized packets,
    0 fragments and 0 jabbers,
    0 CRC alignment errors and 0 collisions.
    0 out FCS errors and 0 Drop events,
    # of packets received of length (in octets):
    64: 1739603, 65-127: 7, 128-255: 17,
    256-511: 1, 512-1023: 0, 1024-1518: 0,
    1519-1522: 0
RMON – Config Examples
• Configure history collection on an interface:
  cnMatrix(config-if)# rmon collection history 1 interval 10 owner user1
  cnMatrix# show rmon history overview
    RMON is enabled
    Entry 1 is active, and owned by user1
    Monitors ifEntry.1.1 every 10 second(s)
    Requested # of time intervals, ie buckets, is 50,
    Granted # of time intervals, ie buckets, is 50,
    Number of history collection on interface: 1
Detailed Feature Description - L3 Features
Technical Knowledge Transfer
cnMatrix
cnMatrix – L3 Features covered in this section
L3 Switching Features
• Routing Between Directly Connected Subnets
• Routed Interfaces
• IPv4 static routes
• DHCP Relay
* Available in Future Release
Inter-Vlan Routing
• Inter-VLAN routing is a feature that allows traffic to move from one network segment to another based on a Layer 3 process that can be implemented either with a router or with a Layer 3 switch interface.
• Benefits:
  • The use of Inter-VLAN routing (Layer 3 device) provides a method for controlling the flow of traffic between network segments, including network segments created by VLANs.
• Inter-VLAN routing features:
  • Routing - is the process of selecting a path for traffic in a network, or between or across multiple networks.
  • IP echo-reply - operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target host and waiting for an ICMP echo reply.
  • IP redirects - are used by routers to notify the hosts on the same Ethernet segment that a better route is available for a particular destination.
Inter-Vlan Routing
• IP directed broadcast - This command enables forwarding of directed broadcasts. The IP directed broadcast is an IP packet whose destination is a valid IP subnet address, but the source is from a node outside the destination subnet.
• IP mask-reply - This command enables sending ICMP Mask Reply messages. The IP mask reply is an ICMP message sent by the router to the host informing the subnet mask of the network. This reply is in correspondence to a request sent by the host seeking the subnet mask of the network.
• IP unreachables - This command enables the router to send an ICMP unreachable message to the source if the router receives a packet that has an unrecognized protocol or no route to the destination address. ICMP provides a mechanism that enables a router or destination host to report an error in data traffic processing to the original source of the packet. This informs the source that the packet is dropped.
Inter-Vlan Routing – Config Example
cnMatrix# configure terminal
cnMatrix(config)# vlan 20
cnMatrix(config-vlan)# name VLAN_IT
cnMatrix(config-vlan)# exit
cnMatrix(config)# vlan 30
cnMatrix(config-vlan)# name VLAN_Accounting
cnMatrix(config-vlan)# exit
cnMatrix(config)# interface vlan 20
cnMatrix(config-if)# ip address 20.20.20.1 255.255.255.0
cnMatrix(config-if)# no shutdown
cnMatrix(config-if)# exit
cnMatrix(config)# interface vlan 30
cnMatrix(config-if)# ip address 30.30.30.1 255.255.255.0
cnMatrix(config-if)# no shutdown
Inter-Vlan Routing – Config Example
cnMatrix(config-if)# exit
cnMatrix(config)# ip echo-reply
cnMatrix(config)# ip routing
cnMatrix(config)# ip mask-reply
cnMatrix(config)# ip redirects
cnMatrix(config)# ip unreachables
cnMatrix(config)# interface vlan 200
cnMatrix(config-if)# ip directed-broadcast
Reset the settings
cnMatrix(config)# no ip echo-reply
cnMatrix(config)# no ip routing
cnMatrix(config)# no ip mask-reply
cnMatrix(config)# no ip redirects
cnMatrix(config)# no ip unreachables
cnMatrix(config)# interface vlan 200
cnMatrix(config-if)# no ip directed-broadcast
cnMatrix(config-if)# no ip address 20.20.20.1 255.255.255.0
cnMatrix(config)# no interface vlan 20
Inter-Vlan Routing - Troubleshooting
• cnMatrix# show running-config
• cnMatrix# show ip route
• cnMatrix# show ip route connected
• cnMatrix# show ip route static
• cnMatrix# show ip interface
• cnMatrix# show ip interface Extreme-Ethernet
• cnMatrix# show ip interface Gigabitethernet
• cnMatrix# show ip interface vlan
• cnMatrix# show vlan brief
• cnMatrix# show vlan ascending
ARP
• The Address Resolution Protocol is used to dynamically discover and maintain the mapping between a layer 3 (protocol) address and a layer 2 (hardware) address.
• ARP entries are cached in the ARP table
• The switch learns ARP entries from ARP requests for its own IP addresses, and from ARP replies received in response to its own ARP requests
• Static ARP entries are also configurable
ARP – Config Example
• Maximum number of ARP request retries:
  cnMatrix(config)# ip arp max-retries (2-10)
• ARP cache timeout:
  cnMatrix(config)# arp timeout (30-86400)
• Configure static ARP on an SVI:
  cnMatrix(config)# arp 1.1.1.1 00:00:01:02:03:04 vlan 1
• Configure static ARP on a routed port:
  cnMatrix(config)# arp 2.2.2.2 00:00:11:22:33:44 gigabitethernet 0/2
• Delete a static ARP entry:
  cnMatrix(config)# no arp 1.1.1.1
• Clear ARP table:
  cnMatrix(config)# clear ip arp
ARP – Verification
• cnMatrix# show ip arp
• cnMatrix# show ip arp summary
• cnMatrix# show ip arp information
• cnMatrix# show ip arp vlan 1
• cnMatrix# show ip arp gigabitethernet 0/2
• cnMatrix# show ip arp 00:00:11:22:33:44
• cnMatrix# show ip arp statistics
ARP Proxy
• The Proxy ARP capability makes the router answer ARP requests intended for another node in the network. By faking its identity, the router accepts responsibility for routing packets to the real destination. The Proxy ARP capability helps machines on a subnet reach remote subnets without the need to configure routing or a default gateway.
• The router acts as a proxy for ARP requests to target IP addresses whose network address is the same as that of any of the IP addresses of the configured interfaces.
• The Proxy ARP capability can be enabled or disabled per IP interface. By default, Proxy ARP is disabled on all interfaces.
• On any interface, the router does not send a reply, and silently ignores ARP requests to any IP addresses other than its own, when the Proxy ARP capability is disabled on the receiving interface or on the interface on which the target IP address lies.
ARP Proxy – Config Example
• Enable proxy ARP on an SVI:
  cnMatrix(config)# interface vlan 1
  cnMatrix(config-if)# ip proxy-arp
• Enable proxy ARP on a routed port:
  cnMatrix(config)# interface gigabitethernet 0/2
  cnMatrix(config-if)# ip proxy-arp
• Disable proxy ARP:
  cnMatrix(config-if)# no ip proxy-arp
ARP Proxy – Verification
• cnMatrix# show ip proxy-arp
Static Routes – Config Example
• To route IP traffic destined for the network 10.10.20.0/24 via next-hop 192.168.1.1, the following command can be used:
  cnMatrix(config)# ip route 10.10.20.0 255.255.255.0 192.168.1.1
• Static routes can also be added using an already configured SVI or a routed port as the next hop:
  cnMatrix(config)# ip route 10.10.20.0 255.255.255.0 Vlan20
  cnMatrix(config)# ip route 10.10.20.0 255.255.255.0 Gigabitethernet 0/1
• Static route configured with an administrative distance:
  cnMatrix(config)# ip route 10.10.20.0 255.255.255.0 192.168.1.1 10
  cnMatrix(config)# ip route 10.10.20.0 255.255.255.0 192.168.2.1 15
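How the two distances above interact with the rest of the table is easiest to see in code. The following added example, not Cambium code, is a small routing table that applies the two rules any RIB uses: longest prefix match first, then lowest administrative distance among routes to the same prefix. The routes are constructed from the slide's commands plus one connected SVI; the traffic only moves to the AD-15 next hop once the AD-10 route is withdrawn.

```python
"""Added example, not Cambium code: how a routing table resolves the static
routes on this slide (longest prefix match, then lowest administrative
distance), so the AD-15 route only carries traffic once the AD-10 route is gone.
Routes are constructed from the slide's commands."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[int, str]   # (administrative distance, next hop or egress interface)


class Rib:
    def __init__(self) -> None:
        self._routes: Dict[ipaddress.IPv4Network, List[Route]] = {}

    def add_connected(self, address: str, mask: str, interface: str) -> None:
        # 'ip address A.B.C.D MASK' on an SVI yields a connected route with AD 0
        net = ipaddress.IPv4Interface("%s/%s" % (address, mask)).network
        self._routes.setdefault(net, []).append((0, interface))

    def add_static(self, prefix: str, mask: str, next_hop: str, distance: int = 1) -> None:
        # 'ip route PREFIX MASK NEXT-HOP [DISTANCE]'; IPv4Network rejects a prefix with host bits set
        net = ipaddress.IPv4Network("%s/%s" % (prefix, mask))
        if not 1 <= distance <= 255:
            raise ValueError("administrative distance out of range")
        self._routes.setdefault(net, []).append((distance, next_hop))

    def withdraw(self, prefix: str, mask: str, next_hop: str) -> None:
        # 'no ip route ...', or the next hop going away
        net = ipaddress.IPv4Network("%s/%s" % (prefix, mask))
        remaining = [r for r in self._routes.get(net, []) if r[1] != next_hop]
        if remaining:
            self._routes[net] = remaining
        else:
            self._routes.pop(net, None)

    def lookup(self, destination: str) -> Optional[Tuple[str, int, str]]:
        """Return (matched prefix, AD, next hop), or None when no route covers the address."""
        ip = ipaddress.IPv4Address(destination)
        candidates = [net for net in self._routes if ip in net]
        if not candidates:
            return None
        best = max(candidates, key=lambda n: n.prefixlen)   # longest prefix wins
        distance, next_hop = min(self._routes[best])        # then the lowest AD
        return str(best), distance, next_hop


def slide_rib() -> Rib:
    """Table built from the slide's commands (constructed)."""
    rib = Rib()
    rib.add_connected("20.20.20.1", "255.255.255.0", "Vlan20")
    rib.add_static("10.10.20.0", "255.255.255.0", "192.168.1.1", 10)
    rib.add_static("10.10.20.0", "255.255.255.0", "192.168.2.1", 15)
    rib.add_static("10.10.0.0", "255.255.0.0", "192.168.3.1")   # default AD 1, shorter prefix
    return rib


if __name__ == "__main__":
    rib = slide_rib()
    print(rib.lookup("10.10.20.7"))   # AD-10 route, despite the AD-1 /16
    rib.withdraw("10.10.20.0", "255.255.255.0", "192.168.1.1")
    print(rib.lookup("10.10.20.7"))   # now the AD-15 backup
```

Note that the /16 with the default distance of 1 never wins for 10.10.20.7: prefix length is compared before administrative distance, and distance only breaks ties between routes to the same prefix.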
Static Routes – Verification
• cnMatrix# show ip route
• cnMatrix# show ip route static
• cnMatrix# show ip route details
• cnMatrix# show ip route connected
• cnMatrix# show ip route summary
DHCP Relay
• DHCP relay allows the DHCP client and DHCP server in different subnets to communicate with each other, so that the DHCP client can obtain its configuration information.
• The relay agent receives packets from the client, inserts information such as network details, and forwards the modified packets to the server. The server identifies the client’s network from the received packets, allocates the IP address accordingly, and sends a reply to the relay. The relay strips the information it inserted and broadcasts the packets on the client’s network.
DHCP Relay – Configuration
• Enable DHCP Relay
  • First make sure the DHCP Server service is disabled:
    cnMatrix# show ip dhcp relay information
    cnMatrix(config)# no service dhcp-server
  • Start the DHCP Relay service and verify the status:
    cnMatrix(config)# service dhcp-relay
    cnMatrix# show ip dhcp relay information
• Configure the DHCP Server address:
  cnMatrix(config)# ip dhcp server 10.100.200.10
• Configure circuit-id and remote-id options:
  cnMatrix(config)# ip dhcp relay information option
  cnMatrix(config)# ip dhcp relay circuit-id option vlanid
  cnMatrix(config-if)# ip dhcp relay remote-id "vlan50_clients"
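The "information" the relay inserts and later strips is DHCP option 82 (relay agent information), and the "network details" the server keys on is the giaddr field. The following added example, not Cambium code, shows both directions of the exchange on constructed packets: the relay sets giaddr on the first hop, increments hops, replaces any option 82 with its own circuit-id (VLAN id) and remote-id (the "vlan50_clients" string), and removes option 82 from the server's reply before it goes back to the client. The 2-byte VLAN-id encoding of the circuit-id is this example's choice; the slide does not state cnMatrix's encoding.

```python
"""Added example, not Cambium code: what a DHCP relay does to a client's
DISCOVER on its way to the server ('ip dhcp server 10.100.200.10') and to the
server's OFFER on the way back. Packets are constructed; the circuit-id
encoding (2-byte VLAN id) is this example's choice, not cnMatrix's."""
import struct
from typing import List, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie after the 236-byte BOOTP header
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2        # RFC 3046 sub-options of option 82

Option = Tuple[int, bytes]


def ip4(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def encode_options(options: List[Option]) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in options) + bytes([OPT_END])


def parse_options(pkt: bytes) -> List[Option]:
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    out, pos = [], 240
    while pos < len(pkt) and pkt[pos] != OPT_END:
        if pkt[pos] == 0:                       # pad option, no length byte
            pos += 1
            continue
        code, length = pkt[pos], pkt[pos + 1]
        out.append((code, pkt[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return out


def build_bootp(op: int, msg_type: int, giaddr: str = "0.0.0.0",
                extra: Optional[List[Option]] = None) -> bytes:
    """Minimal BOOTP/DHCP packet: fixed header, cookie, options (constructed client MAC)."""
    header = struct.pack("!BBBB I HH 4s 4s 4s 4s 16s 64s 128s",
                         op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, ip4(giaddr),
                         b"\xaa\xbb\xcc\x00\x00\x01".ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC + encode_options([(OPT_MSG_TYPE, bytes([msg_type]))] + list(extra or []))


def relay_to_server(pkt: bytes, relay_ip: str, vlan_id: int, remote_id: bytes) -> bytes:
    """Client -> server direction: giaddr, hops and option 82."""
    hops = pkt[3] + 1
    giaddr = pkt[24:28] if pkt[24:28] != b"\0" * 4 else ip4(relay_ip)     # only the first relay sets giaddr
    options = [o for o in parse_options(pkt) if o[0] != OPT_RELAY_AGENT]  # replace, never append to, option 82
    sub = (bytes([SUB_CIRCUIT_ID, 2]) + struct.pack("!H", vlan_id)
           + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    options.append((OPT_RELAY_AGENT, sub))
    return pkt[:3] + bytes([hops]) + pkt[4:24] + giaddr + pkt[28:236] + MAGIC + encode_options(options)


def relay_to_client(pkt: bytes) -> bytes:
    """Server -> client direction: the reply arrives at giaddr; strip option 82 before forwarding."""
    options = [o for o in parse_options(pkt) if o[0] != OPT_RELAY_AGENT]
    return pkt[:236] + MAGIC + encode_options(options)


def decode_option82(pkt: bytes) -> Optional[Tuple[int, bytes]]:
    """(vlan_id, remote_id) from option 82, or None when the option is absent."""
    for code, value in parse_options(pkt):
        if code != OPT_RELAY_AGENT:
            continue
        subs, pos = {}, 0
        while pos < len(value):
            sub_code, length = value[pos], value[pos + 1]
            subs[sub_code] = value[pos + 2:pos + 2 + length]
            pos += 2 + length
        return struct.unpack("!H", subs[SUB_CIRCUIT_ID])[0], subs[SUB_REMOTE_ID]
    return None


if __name__ == "__main__":
    discover = build_bootp(1, 1)                                   # BOOTREQUEST, DHCPDISCOVER
    to_server = relay_to_server(discover, "10.100.200.60", 50, b"vlan50_clients")
    print("hops", to_server[3], "giaddr", ".".join(map(str, to_server[24:28])), decode_option82(to_server))
```

The server answers to giaddr (the relay's own interface address), which is how it picks the pool for the client's subnet; the option 82 values travel with the request and come back unchanged in the reply, where the relay drops them.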
Detailed Feature Description - Management Features
Technical Knowledge Transfer
cnMatrix
cnMatrix – Management Features covered in this section
Management Features
• Image Download
• Config Save/Restore/Download
• HTTPS/SSL
• Out-of-band Ethernet Management
• SSH/SSH v2
• DHCP Client, Server
• Local/Remote Syslog
• System Resource Monitoring
* Available in Future Release
Image download
• Image download is a feature created for the purpose of cnMatrix upgrade• Image download obtains the agent from a remote source and burns it into the
switch flash, so that at next system reboot, the image becomes active• Image download offers the capability to obtain the agent from a TFTP server, a
SFTP server, and cnMaestro. In the next release, download will be available from an USB device as well
• Image download can be called from CLI, SNMP, Web and cnMaestro
Image download – Usage and Troubleshooting
• To download an agent from a TFTP server, issue the “download agent” command with the tftp option:
  Example: cnMatrix# download agent tftp://20.0.0.1/cnMatrix.img
• To download an agent from an SFTP server, issue the “download agent” command with the sftp option:
  Example: cnMatrix# download agent sftp://John:[email protected]/cnMatrix.img
• SFTP offers a secure file transmission compared to TFTP, but as a tradeoff it takes a little bit longer to complete
• Downloading from a remote server with TFTP needs the TFTP server service to be working on that remote server, and the agent needs to be in the server tftp directory, and have third-party reading permission
• Downloading from a remote server with SFTP needs the SFTP server service to be working on that remote server, the agent path to be accessible from the user directory, and the agent needs to have reading permission for that user.
Config save/restore/download
• To preserve cnMatrix configurations after the system resets, its settings have to be saved in a file on the flash. This file is referred to as a configuration file, or config file for short.
• Config save is a feature that assures the preservation of configurations by writing them either locally on the flash or on a remote host. These remote hosts can be either a TFTP server or an SFTP server. In the next release config save will also be able to write to a USB device
• Config restore handles the restoration of settings found within the config file at system start-up
• Config download offers the capability of retrieving a config file from an external source. These sources can be either a TFTP server or an SFTP server. In the next release config download will also be able to retrieve a file from a USB device
• All config related operations are accessible from CLI,SNMP and Web
Config save – Usage Examples
• To request a local config save, one of the following commands has to be called:
  cnMatrix# write startup-config
  or
  cnMatrix# copy running-config startup-config
• To request a remote config save to a TFTP server without saving the config locally as well, issue the “write” command with the tftp option
  Example: cnMatrix# write tftp://20.0.0.1/config.conf
• To request a remote config save to an SFTP server without saving the config locally as well, issue the “write” command with the sftp option
  Example: cnMatrix# write sftp://John:[email protected]/config.conf
Config save – Usage Examples
• To save a copy of the locally saved config on a TFTP server, issue a local config save by calling “write startup-config” or “copy running-config startup-config” and then the “copy startup-config tftp” command
  Example:
  cnMatrix# write startup-config
  cnMatrix# copy startup-config tftp://20.0.0.1/config.conf
• To save a copy of the locally saved config on an SFTP server, issue a local config save by calling “write startup-config” or “copy running-config startup-config” and then the “copy startup-config sftp” command
  Example:
  cnMatrix# write startup-config
  cnMatrix# copy startup-config sftp://John:[email protected]/config.conf
Config save - Troubleshooting
• SFTP offers a secure file transmission compared to TFTP, but as a tradeoff it takes a little bit longer to complete
• Config save to a remote server with TFTP needs the TFTP server service to be working on that remote server, and the server tftp directory needs to have third party write permission. If the file exists already on the server, it has to have third party write permission.
• Config save to a remote server with SFTP needs the SFTP server service to be working on that remote server, and the config path needs to be accessible from the user directory, and has to have write permission for that user. If the file exists already on the server, it has to have write permission for that user.
Autosave
• Autosave is a subfeature of config save. Its purpose is to ensure that a local config save takes place every time a change in the settings occurs, so all config modifications are preserved without the user having to call a manual save.
• Autosave is not enabled by default. To enable it, the following commands have to be called:
  cnMatrix(config)# incremental-save enable
  cnMatrix(config)# auto-save trigger enable
  and then reset the system so that they can take effect.
• Incremental save makes sure that only the config changes are written into the config file.
• Auto-save trigger enables the autosave task. Autosave needs incremental save because of its triggering mechanism, which determines when a configuration change has happened.
• To see the autosave status, issue the “show nvram” command:
  Example: cnMatrix# show nvram
    :
    Auto Save : Enable
    Incremental Save : Enable
    :
Config download – Usage Examples
• To trigger a config download from a remote TFTP server, the “copy tftp startup-config” command needs to be called:
  Example: cnMatrix# copy tftp://20.0.0.1/config.conf startup-config
• To trigger a config download from a remote SFTP server, the “copy sftp startup-config” command needs to be called:
  Example: cnMatrix# copy sftp://John:[email protected]/config.conf startup-config
• Downloaded configs will take effect after system restart
Config download - Troubleshooting
• SFTP offers a secure file transmission compared to TFTP, but as a tradeoff it takes a little bit longer to complete
• Config download from a remote server with TFTP needs the TFTP server service to be working on that remote server, and the requested file has to have third-party read permission
• Config download from a remote server with SFTP needs the SFTP server service to be working on that remote server, and the requested file has to have write permission for that user.
Config restore
• Config restore is not enabled by default. For it to work, it needs a config file to be present at system boot up.
• Config restore will read every mib-value pair found in the config file, and apply it at system start-up
• To enable config restore, a local config save or a config download has to be issued.
• To disable config restore, issue the following command:
  cnMatrix# config-restore norestore
• To see the config restore status, issue the “show nvram” command:
  cnMatrix# show nvram
    :
    Config Restore Option : Restore
    :
HTTPS/SSL server
• SSL (Secure Sockets Layer), is a protocol developed for transmitting private information through an Internet connection. It works by using a public-private key mechanism to encrypt/decrypt data that is transferred over the connection.
• HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP for secure communication over an encrypted SSL/TLS connection.
• cnMatrix offers capabilities for SSLv3 and TLS1.0
• The HTTPS/SSL server can be configured via CLI, SNMP, WEB, and cnMaestro (future)
HTTPS/SSL server – Configuration Examples
• HTTPS/SSL server is not enabled by default. To enable it, the following steps must be taken:
  • Step 1: Create an RSA key pair:
    cnMatrix(config)# ip http secure crypto key rsa 1024
  • Step 2: Generate a certificate request with the key from Step 1:
    cnMatrix# ssl gen cert-req algo rsa sn JohnCert
-----BEGIN CERTIFICATE REQUEST-----
MIIBUDCBugIBADARMQ8wDQYDVQQDEwZPYmlXYW4wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAKeJyfV/g0KbEzW9d+GrOLr3zOG93NIUZvX0R2fFnsZEFlmegmF4
bKAYMFU6uA/kqOX7SFkuQBXpKEZc21JOOLSPu+a8KQ4HjIpeO/H0eIeLgQl0SN3J
Ye1+eBFGhO2xSPb/9ROkorUoAP55Pf5/ZbsWPwZCu0P8+WxHGL/IOp4VAgMBAAGg
ADANBgkqhkiG9w0BAQsFAAOBgQCihxXm915sEoqlY31kpvCKLHghK6vJ0k9jJ3NW
Nu2gP3pZWaautv3Ih84hotEt5sqHSrjSt76froMfou5OSeIGpUUvTgW2KweED5Ic
px9f/c5fc8yLAMIkIRpz7NH6s1q65QQ9V7I4TNiEFBQkDUIcLZqN8HU7xrJlP61U
zEUEXw==
-----END CERTIFICATE REQUEST-----
  • Step 3: Take the certificate request obtained at Step 2 and give it to a CA to sign it
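Before a request like the one printed above is handed to a CA, it is worth confirming what it actually asks for. The following added example, not Cambium code, reads that PEM block with a minimal DER walker (standard library only) and reports the subject, the key algorithm and size, and the signature algorithm; CSR_PEM is the request text shown on the slide. The `meets_policy` check with its 2048-bit default is this example's own acceptance rule, not anything the slide states.

```python
"""Added example, not Cambium code: inspect the certificate request printed by
'ssl gen cert-req' with a minimal DER walker, so subject, key size and signature
algorithm can be checked before the CSR goes to the CA. CSR_PEM is the request
shown on the slide."""
import base64
from typing import Dict, List, Tuple

CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIBUDCBugIBADARMQ8wDQYDVQQDEwZPYmlXYW4wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAKeJyfV/g0KbEzW9d+GrOLr3zOG93NIUZvX0R2fFnsZEFlmegmF4
bKAYMFU6uA/kqOX7SFkuQBXpKEZc21JOOLSPu+a8KQ4HjIpeO/H0eIeLgQl0SN3J
Ye1+eBFGhO2xSPb/9ROkorUoAP55Pf5/ZbsWPwZCu0P8+WxHGL/IOp4VAgMBAAGg
ADANBgkqhkiG9w0BAQsFAAOBgQCihxXm915sEoqlY31kpvCKLHghK6vJ0k9jJ3NW
Nu2gP3pZWaautv3Ih84hotEt5sqHSrjSt76froMfou5OSeIGpUUvTgW2KweED5Ic
px9f/c5fc8yLAMIkIRpz7NH6s1q65QQ9V7I4TNiEFBQkDUIcLZqN8HU7xrJlP61U
zEUEXw==
-----END CERTIFICATE REQUEST-----"""

OID_NAMES = {"2.5.4.3": "commonName",
             "1.2.840.113549.1.1.1": "rsaEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

Tlv = Tuple[int, bytes]


def pem_to_der(pem: str) -> bytes:
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes) -> List[Tlv]:
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def decode_oid(raw: bytes) -> str:
    arcs, cur = [], 0
    for byte in raw:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def inspect_csr(pem: str) -> Dict[str, object]:
    der = pem_to_der(pem)
    _, csr, end = read_tlv(der, 0)
    if end != len(der):
        raise ValueError("trailing data after CertificationRequest")
    info, sig_alg, signature = children(csr)          # CertificationRequestInfo, AlgorithmIdentifier, BIT STRING
    version, subject, spki, _attributes = children(info[1])
    names = {}
    for _, rdn_set in children(subject[1]):            # Name = SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in children(rdn_set):
            oid, value = children(atv)
            names[OID_NAMES.get(decode_oid(oid[1]), decode_oid(oid[1]))] = value[1].decode("ascii")
    key_alg, pubkey = children(spki[1])
    key_oid = decode_oid(children(key_alg[1])[0][1])
    key_bits = None
    if key_oid == "1.2.840.113549.1.1.1":
        rsa_key = children(pubkey[1][1:])[0]           # BIT STRING: skip unused-bits byte -> RSAPublicKey
        modulus = children(rsa_key[1])[0][1].lstrip(b"\0")
        key_bits = (len(modulus) - 1) * 8 + modulus[0].bit_length()
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    return {"version": int.from_bytes(version[1], "big"),
            "subject": names,
            "key_algorithm": OID_NAMES.get(key_oid, key_oid),
            "key_bits": key_bits,
            "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
            "signature_bytes": len(signature[1]) - 1}


def meets_policy(info: Dict[str, object], min_rsa_bits: int = 2048) -> bool:
    """This example's acceptance rule for a CSR (assumed policy, not from the slide)."""
    return (info["key_algorithm"] == "rsaEncryption"
            and int(info["key_bits"] or 0) >= min_rsa_bits
            and "commonName" in info["subject"])


if __name__ == "__main__":
    print(inspect_csr(CSR_PEM))
```

Running it on the slide's request shows a 1024-bit RSA key, matching the `rsa 1024` in Step 1, and a subject common name that is not the `JohnCert` given on the command line, which is exactly the kind of mismatch worth catching before the CA signs.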
HTTPS/SSL server – Configuration Examples
  • Step 4: Get the certificate from the CA and give it to cnMatrix (no need to copy the ---BEGIN CERTIFICATE--- / ---END CERTIFICATE--- lines, and make sure that you do not copy any new lines):
    cnMatrix# ssl server-cert
    Enter Cert:
  • Step 5: Enable the HTTPS/SSL server on cnMatrix:
    cnMatrix(config)# ip http secure server
• To check the server, open a web browser and enter the cnMatrix IP with HTTPS (example: https://20.0.0.1)
• To change the cipher suites used when establishing an SSL connection, the following command should be issued:
  cnMatrix(config)# ip http secure ciphersuite
HTTPS/SSL – Troubleshooting
• For an SSL connection to be established, the remote client and the cnMatrix SSL server must use the same cipher suites for encryption, and the client must be TLS1.0 or SSLv3 compatible
• For information regarding the certificate, issue the command:
  cnMatrix# show ssl server-cert
• For information regarding the HTTPS/SSL server, issue the command:
  cnMatrix# show ip http secure server status
OOB
• The Out Of Band (OOB) dedicated port provides management connectivity isolated from user (data plane) traffic.
• Benefits:
  • Separating user and management traffic provides extra security and reliability for the management traffic
  • Offers redundancy in management connectivity (dedicated network resources)
  • Prevents data plane misconfiguration from impacting management connectivity
• Disadvantages of using OOB rather than in-band ports for management:
  • Extra cost and effort are required for maintaining a separate network for management purposes only.
  • IPv6 not supported yet on OOB port.
OOB
• A few examples of operations available via the OOB port:
  • SSH access to CLI
  • Web UI access
  • SNMP management
  • Software image download
  • TFTP/SFTP file transfer (configuration/logs)
  • SNTP synchronization
  • Device authentication via Radius
  • Remote syslog
OOB
Configuration commands applicable to the OOB interface:
• Enable OOB interface
  cnMatrix(config)# interface mgmt0
  cnMatrix(config-if)# no shut
  cnMatrix(config-if)# end
• Disable OOB interface
  cnMatrix(config)# interface mgmt0
  cnMatrix(config-if)# shut
  cnMatrix(config-if)# end
• Configure static IP address
  cnMatrix(config)# interface mgmt0
  cnMatrix(config-if)# ip address 192.168.1.1 255.255.0.0
  cnMatrix(config-if)# end
• Configure as DHCP client
  cnMatrix(config)# interface mgmt0
  cnMatrix(config-if)# ip address dhcp
  cnMatrix(config-if)# end
OOB
Commands for troubleshooting the operation of the OOB interface:
• cnMatrix# show interface status
• cnMatrix# show interface mgmt0
• cnMatrix# show ip interface
• cnMatrix# show ip dhcp client stats
• cnMatrix# show ip route
The default IP address on the OOB port is 192.168.0.1.
SSH
• SSH (Secure Shell) is a protocol for secure remote login and other secure network services over an insecure network. It consists of three major components:
  • The Transport Layer Protocol, which provides server authentication, confidentiality and integrity.
  • The User Authentication Protocol, which authenticates the client-side user to the server. It runs over the transport layer protocol.
  • The Connection Protocol, which multiplexes the encrypted tunnel into several logical channels. It runs over the user authentication protocol.
• The client sends a service request once a secure transport layer connection has been established. A second service request is sent after user authentication is complete.
• cnMatrix offers both SSH client and SSH server capabilities
• SSH client and server can be configured via CLI, SNMP, WEB, and cnMaestro (future)
SSH client – Configuration and usage examples
• The SSH client needs no configuration; it is enabled by default.
• Example: cnMatrix# ssh 20.0.0.1 followed, optionally, by one of these options:
  -1 Forces ssh to try protocol version 1 only
  -2 Forces ssh to try protocol version 2 only
  -4 Forces ssh to use IPv4 addresses only
  -6 Forces ssh to use IPv6 addresses only
  -A Enables forwarding of the authentication agent connection
  -C Requests compression of all data
  -N Do not execute a remote command
  -T Disables pseudo-tty allocation
  -V Print version information and exit
  -a Disables forwarding of the authentication agent connection
  -l To specify login name
  -s The subsystem is specified as the remote command (SSH-2 only)
  -t Enables force pseudo-tty allocation
  -v Show verbose messages
  <CR> Establish SSH client session
  <string> Remote command to be executed. If it is more than one argument use double quotes
• Example of establishing an SSH client connection with default options:
  cnMatrix# ssh 20.0.0.1
• To disable the SSH client, issue the following command:
  cnMatrix# set ssh-client disable
SSH server – Configuration and usage examples
• SSH server is enabled by default
• To disable it, issue the following command:
  cnMatrix(config)# ssh disable
• To change the SSH server address or the port it listens to, issue the “ssh server-address” command:
  Example: cnMatrix(config)# ssh server-address 20.0.0.2 port 22
• To change SSH server parameters, issue the “ip ssh” command. This command can:
  • Change the public key authentication mechanism. By default it is hmac-sha1
  • Change the ciphers used in encryption. By default the ciphers used are: 3DES-CBC, DES-CBC, AES128-CBC, AES256-CBC
  • Change the maximum bytes allowed in an SSH transport connection. By default it is 32768
  • Make the server compatible with older versions. By default it is only version 2 compatible
• Example of SSH connection from a remote host to cnMatrix: ssh [email protected]
SSH - Troubleshooting
• The ciphers and public key mechanism used by the remote host must be among the ones configured on cnMatrix
• For the SSH server, make sure that the remote client connects to the port cnMatrix has set
• For SSH client information the following command exists:
  cnMatrix# show ssh-client
• For SSH server information the following commands exist:
  cnMatrix# show ip ssh
  cnMatrix# show ssh-configurations
DHCP Client
• The DHCP Client uses DHCP to temporarily receive a unique IP address from the DHCP server. It also receives other network configuration information, such as the default gateway, from the DHCP server.
• DHCP Client configuration:
  cnMatrix(config)# interface vlan 1
  cnMatrix(config-if)# ip address dhcp
  cnMatrix(config-if)# no shutdown
• DHCP Client renew address:
  cnMatrix# renew dhcp vlan 1
• DHCP Client release address:
  cnMatrix# release dhcp vlan 1
• DHCP Client show commands:
  cnMatrix# show ip dhcp client stats
  cnMatrix# show ip dhcp client option
DHCP Server
• The DHCP server is responsible for dynamically assigning a unique IP address and other configuration parameters, such as the gateway, to the interfaces of a DHCP client.
• The IP address is leased to the interface only for the time period specified in the DHCP lease. The interface should renew the DHCP lease once it expires.
• The DHCP server contains a pool of IP addresses from which one address is assigned to the interface. The following options can be configured per pool of IP addresses:
  • Default router
  • DNS server
  • Domain name
  • Lease time
  • NTP server
  • Custom options
DHCP Server – Config Examples
• Assign an IP address to the L3 interface:
  cnMatrix(config)# interface vlan 1
  cnMatrix(config-if)# ip address 10.100.200.60 255.255.255.0
  cnMatrix(config-if)# no shutdown
• Enable DHCP Server:
  cnMatrix(config)# service dhcp-server
• Configure DHCP pool:
  cnMatrix(config)# ip dhcp pool 1 lan1
  cnMatrix(dhcp-config)# network 10.100.200.100 255.255.255.0 10.100.200.199
  cnMatrix(dhcp-config)# default-router 10.100.200.1
  cnMatrix(dhcp-config)# lease 100
  cnMatrix(dhcp-config)# dns-server 10.100.200.60
  cnMatrix(dhcp-config)# ntp-server 10.100.200.60
DHCP Server – Show commands
Display DHCP Server bindings
cnMatrix# show ip dhcp server binding
Display DHCP Server statistics
cnMatrix# show ip dhcp server statistics
Display DHCP Server general information
cnMatrix# show ip dhcp server information
Display DHCP Server pools
cnMatrix# show ip dhcp server pools
Syslog
• Syslog offers a way for network devices to send event messages to a logging server.
• Syslog messages include information such as the IP address, a timestamp and the actual log message.
• The source of messages can be identified by configuring the local facilities (local0…local7).
• local0 is the default facility.
• 8 severity levels are available:
• debugging: Debugging messages
• informational: Information messages
• notification: Normal but significant messages
• warnings: Warning conditions
• errors: Error conditions
• alerts: Immediate action needed
• critical: Critical conditions
• emergencies: System is unusable
• Only the UDP protocol is supported for sending messages
Syslog – Config example
• Enable logging:
• cnMatrix(config)# logging on
• Choose facility to configure:
• cnMatrix(config)# logging facility local0
• Configure logging for facility local0:
• cnMatrix(config)# logging 128 ipv4 10.0.0.1 port 514
• cnMatrix(config)# logging 129 ipv4 10.0.0.1 port 514
• cnMatrix(config)# logging 130 ipv4 10.0.0.1 port 514
• cnMatrix(config)# logging 131 ipv4 10.0.0.1 port 514
• cnMatrix(config)# logging 132 ipv4 10.0.0.1 port 514
• cnMatrix(config)# logging 133 ipv4 10.0.0.1 port 514
• cnMatrix(config)# logging 134 ipv4 10.0.0.1 port 514
• cnMatrix(config)# logging severity debugging
• Local buffer size can be changed if desired:
• cnMatrix(config)# logging buffered 100
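The priorities 128 through 134 in the config above are not arbitrary: a syslog PRI is facility code × 8 + severity, and local0 is facility 16. The following Python helper is an added example (not part of the slides or of cnMatrix) that computes those values, regenerates the logging lines for any facility and severity cut-off, and decodes the PRI of constructed sample datagrams as a collector would.

```python
import re

# Added example, not from the slides: syslog PRI arithmetic (RFC 3164/5424)
# behind the "logging 128..134" lines used for facility local0 on cnMatrix.
FACILITIES = {"local%d" % i: 16 + i for i in range(8)}  # local0 = 16 ... local7 = 23
# Severity names as the cnMatrix CLI spells them; list index = numeric severity.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notification", "informational", "debugging"]

def pri(facility, severity):
    """PRI = facility code * 8 + severity code, e.g. local0/informational -> 134."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)

def decode_pri(value):
    """Inverse of pri(): 134 -> ('local0', 'informational')."""
    fac_code, sev_code = divmod(value, 8)
    facility = next((n for n, c in FACILITIES.items() if c == fac_code),
                    "facility%d" % fac_code)  # non-local facility: keep the number
    return facility, SEVERITIES[sev_code]

def logging_commands(facility, max_severity, server, port=514):
    """One 'logging <pri> ipv4 <server> port <port>' line per severity from
    emergencies down to max_severity; for local0 and 'informational' this is
    exactly the PRI 128..134 set shown on the slide."""
    worst = SEVERITIES.index(max_severity)
    return ["logging %d ipv4 %s port %d" % (pri(facility, SEVERITIES[s]), server, port)
            for s in range(worst + 1)]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_message(raw):
    """Split a received syslog datagram into facility, severity and body."""
    m = _PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:       # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("not a syslog message: %r" % raw)
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "body": m.group(2)}

if __name__ == "__main__":
    for line in logging_commands("local0", "informational", "10.0.0.1"):
        print("cnMatrix(config)# " + line)
    # Constructed sample datagrams a collector might receive from the switch.
    for sample in ("<132>Jan 15 10:00:01 cnMatrix PNAC: port Gi0/2 authentication failed",
                   "<135>Jan 15 10:00:02 cnMatrix DHCP: renew on vlan 1"):
        print(parse_message(sample))
```

Note that 128..134 cover emergencies through informational only; a local0 message at the debugging level carries PRI 135, so `logging severity debugging` alone does not forward it unless that priority is also configured.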
Syslog – Show commands
• Show logging info:
• cnMatrix# show logging
System Log Information
-------------------------------------
Syslog logging : enabled (Number of messages 0)
Console logging : enabled (Number of messages 4)
TimeStamp option : enabled
Severity logging : Debugging
Facility : Default (local0)
Buffered size : 100 Entries
• cnMatrix# show syslog information
System Log Information
----------------------
Syslog Localstorage : Disabled
Syslog Port : 514
Syslog Role : Device
Syslog – Show commands
• Show configured logging servers:
• cnMatrix# show logging-server
Syslog Forward Table Information
--------------------------------
Priority Address-Type IpAddress Port Trans-Type
-------- ------------ --------- ---- ----------
128      ipv4         10.0.0.1  514  udp
129      ipv4         10.0.0.1  514  udp
130      ipv4         10.0.0.1  514  udp
131      ipv4         10.0.0.1  514  udp
132      ipv4         10.0.0.1  514  udp
133      ipv4         10.0.0.1  514  udp
134      ipv4         10.0.0.1  514  udp
Environmentals
• Offers users the ability to monitor the device's general status.
• Available information:
• Maximum CPU threshold
• Current CPU usage
• Maximum RAM threshold
• Current RAM usage
• Maximum flash threshold
• Current flash usage
• Maximum temperature threshold
• Minimum temperature threshold
• Current temperature value
• Fan status
• Status for routing on mgmt port
• Information is available in CLI and WEB.
• Only the EX2028-P is equipped with fans
Environmentals – Config example
• Configure maximum threshold for CPU, RAM and flash:
• cnMatrix(config)# set switch maximum CPU threshold 40
• cnMatrix(config)# set switch maximum RAM threshold 80
• cnMatrix(config)# set switch maximum flash threshold 80
• Show command:
• cnMatrix(config)# show env all
Current RAM Usage : 36%
Current CPU Usage : 0%
Fan Status 1 : Operational
Fan Status 2 : Operational
Current Temperature : 26C
Current Flash Usage : 0%
Mgmt Port Routing : Disabled
Detailed Feature Description - Security Features
Technical Knowledge Transfer
cnMatrix
cnMatrix – Security Features covered in this section
Security Features
• 802.1x Authentication
• Radius
• TACACS+
• DHCP Snooping
• Static MAC
• Local Management User Name Password
* Available in Future Release
802.1X
Configure RADIUS based authentication
cnMatrix(config)# aaa authentication dot1x default group radius
cnMatrix(config)# radius-server host 10.100.200.10 key my_key_9745
Enable 802.1X globally
cnMatrix(config)# dot1x system-auth-control
Enable 802.1X per interface
cnMatrix(config-if)# dot1x port-control auto
cnMatrix(config-if)# dot1x host-mode single-host
or
cnMatrix(config-if)# dot1x host-mode multi-host
Display 802.1X information
cnMatrix# show dot1x
cnMatrix# show dot1x interface gigabitethernet 0/2
cnMatrix# show dot1x statistics interface gi 0/2
RADIUS client
• RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A) management for users who connect to and use a network service.
• The RADIUS client is a security feature that lets a remote access server (cnMatrix in our case) communicate with a central RADIUS server to authenticate users and authorize their access to the system or to a specific service.
• The RADIUS client is used with the login and PNAC features.
• The RADIUS client can be configured via CLI, SNMP, WEB (future release) and cnMaestro (future).
RADIUS client – Config Examples
• Configuring the RADIUS client on the switch means populating the local database with RADIUS server credentials:
• Example: cnMatrix(config)# radius-server host 20.0.0.1 auth-port 1812 timeout 2 retransmit 3 key cnKey primary
• host specifies the RADIUS server IPv4 address, IPv6 address or DNS host name
• auth-port specifies the authentication port on which the server listens for requests. By default it is 1812
• timeout specifies the time period in seconds for which the client waits for a response from the server before re-transmitting the request. By default it is 3
• retransmit specifies the maximum number of attempts the client makes to get a response from the server for a request. By default it is 10
• key configures the per-server key used to authenticate and encrypt all RADIUS communications between the authenticator and the RADIUS server
• primary configures this server as the primary one used in RADIUS authentication. The credentials of at most 5 RADIUS servers can be stored locally at a time
RADIUS client – Config Examples
• Example of configuring a RADIUS server with the default options:
• cnMatrix(config)# radius-server host 20.0.0.1 key cnKey
• Configuring the user LOGIN feature to use RADIUS:
• cnMatrix(config)# login authentication radius
• Configuring the user LOGIN feature to use RADIUS, but fall back to the local database in case of RADIUS failure:
• cnMatrix(config)# login authentication radius local
• Configuring the PNAC feature to use RADIUS:
• cnMatrix(config)# aaa authentication dot1x default group radius
RADIUS server – Config Examples
• For the RADIUS feature to work properly, the unit must be defined as a client on the server side, and the user must be added to the server database
• Example:
• Adding the switch as a client in clients.conf:
client cnMatrix {
    ipaddr = 20.0.0.2
    secret = cnKey
}
• Adding user bob with administrative credentials in users:
bob Cleartext-Password := "Boby"
    Service-Type = Administrative-User
RADIUS client – Troubleshooting
• The key set on the switch must be the one the server has for this RADIUS client
• The server must be reachable and must have the RADIUS server service turned on
• The clients and their passwords must be present in the RADIUS server database
• For RADIUS information the following commands exist:
• cnMatrix# show radius server
• cnMatrix# show radius statistics
TACACS+ client
• TACACS (Terminal Access Controller Access-Control System) is a protocol used to handle remote authentication and related services for network access control through a centralized server.
• The TACACS+ client is a security feature that lets a remote access server, cnMatrix in our case, communicate with a central TACACS+ server to authenticate users.
• TACACS+ uses TCP for transport to ensure reliable delivery
• The TACACS+ client is used with the login feature.
• The TACACS+ client can be configured via CLI, SNMP, WEB (future release) and cnMaestro (future)
TACACS+ client - Config Examples
• Configuring the TACACS+ client on the switch means populating the local database with TACACS+ server credentials:
• Example: cnMatrix(config)# tacacs-server host 20.0.0.1 single-connection port 49 timeout 2 key cnKey
• host specifies the TACACS+ server IPv4 address, IPv6 address or DNS host name
• single-connection allows multiple sessions to be established over a single TCP connection
• port specifies the TCP port number on which the sessions are established. By default it is 49
• timeout specifies the time period (in seconds) for which the client waits for a response from the server before closing the TCP connection. By default it is 5
• key specifies the authentication and encryption key for all TACACS communications between the authenticator and the TACACS+ server
• Example of configuring a TACACS+ server with the default options:
• cnMatrix(config)# tacacs-server host 20.0.0.1 key cnKey
TACACS+ client - Config Examples
• cnMatrix can hold the credentials of up to 5 TACACS+ servers in its local database. To select the server used for all TACACS related communication, the "tacacs use-server" command must be issued:
• Example: cnMatrix(config)# tacacs use-server address 20.0.0.1
• Configuring the user LOGIN feature to use TACACS:
• cnMatrix(config)# login authentication tacacs
• Configuring the user LOGIN feature to use TACACS, but fall back to the local database in case of TACACS failure:
• cnMatrix(config)# login authentication tacacs local
• A TACACS user is given root privilege by default, or the local user's privilege if the user also exists in the local database
TACACS+ server - Config Examples
• For the TACACS feature to work properly, the user must be added to the server database
• Example:
• Setting the shared key and adding user John in tac_plus.conf:
key = "cnKey"
user = John {
    pap = cleartext "JohnPassword"
}
• The TACACS client uses PAP (Password Authentication Protocol) for user authentication
TACACS+ client – Troubleshooting
• The key set on the switch must be the one the server uses
• The server must be reachable and must have the TACACS+ server service turned on
• The clients and their passwords must be present in the TACACS+ server database
• For TACACS information the following commands exist:
• cnMatrix# show tacacs server
• cnMatrix# show tacacs statistics
DHCP snooping
• DHCP snooping is a feature that filters untrusted DHCP messages and builds a DHCP snooping binding database. It acts as a firewall between untrusted hosts and DHCP servers. Untrusted messages are those sent from devices outside the network, which are a common source of attack traffic.
• DHCP snooping intercepts all DHCP packets from untrusted ports and, after inserting the port-specific information (option 82), forwards the DHCP client-side packets on trusted ports. Option 82 is then used to redirect the DHCP responses from the server to the appropriate untrusted port.
• The DHCP snooping binding database maintains a table containing the MAC address, IP address, lease time, binding type, VLAN number and interface information for the local untrusted interfaces of the switch. This table is updated when a valid IP address is allocated to a host
DHCP snooping – Config Examples
• DHCP snooping is not enabled by default. To enable it, the following steps need to be taken:
• Step 1: Set the ports connected to trusted DHCP servers as trusted
• Example:
• cnMatrix(config)# int gigabitethernet 0/1
• cnMatrix(config-if)# ip dhcp snooping trust
By default all ports are set as untrusted
• Step 2: Enable DHCP snooping globally
• cnMatrix(config)# ip dhcp snooping
• Step 3: Enable DHCP snooping on the desired VLAN
• Example: cnMatrix(config)# ip dhcp snooping vlan 1
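To make the trusted/untrusted behaviour and the binding database from the description and the three configuration steps above concrete, here is an added Python model (constructed for this page, not cnMatrix code) of the decisions the switch takes per DHCP packet: drop server-side messages on untrusted ports, tag client messages from untrusted ports with port information, and record a binding when a trusted server acknowledges a lease. Message names, port names and the option 82 contents are assumptions of the model.

```python
from dataclasses import dataclass, field

# Constructed model (not cnMatrix code) of the DHCP snooping behaviour the
# slides describe: server-side messages are accepted only on trusted ports,
# client messages from untrusted ports get port information (option 82)
# attached, and a binding is recorded when a trusted server acknowledges a lease.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpPacket:
    msg_type: str            # DISCOVER / REQUEST / OFFER / ACK / NAK / RELEASE
    vlan: int
    ingress_port: str        # e.g. "Gi0/23"
    client_mac: str
    yiaddr: str = ""         # address handed out in OFFER/ACK
    lease: int = 0           # lease time in seconds (ACK)
    option82: dict = field(default_factory=dict)

class DhcpSnooping:
    def __init__(self):
        self.enabled = False
        self.vlans = set()
        self.trusted = set()    # ports facing legitimate DHCP servers
        self.pending = {}       # (mac, vlan) -> untrusted port that sent the request
        self.bindings = {}      # (mac, vlan) -> binding entry

    def trust(self, port):
        self.trusted.add(port)  # step 1: "ip dhcp snooping trust" on the interface

    def enable(self, *vlans):
        self.enabled = True     # step 2: global "ip dhcp snooping"
        self.vlans.update(vlans)  # step 3: "ip dhcp snooping vlan <n>"

    def process(self, pkt):
        """Return 'forward' or 'drop' and update pending/binding state."""
        if not self.enabled or pkt.vlan not in self.vlans:
            return "forward"    # snooping not active on this VLAN: no filtering
        key = (pkt.client_mac, pkt.vlan)
        if pkt.ingress_port in self.trusted:
            if pkt.msg_type == "ACK" and pkt.yiaddr and key in self.pending:
                self.bindings[key] = {"mac": pkt.client_mac, "ip": pkt.yiaddr,
                                      "lease": pkt.lease, "type": "dhcp", "vlan": pkt.vlan,
                                      "interface": self.pending.pop(key)}
            return "forward"
        if pkt.msg_type in SERVER_MSGS:
            return "drop"       # a DHCP server answering from an untrusted port
        pkt.option82 = {"circuit_id": pkt.ingress_port, "vlan": pkt.vlan}
        self.pending[key] = pkt.ingress_port
        return "forward"        # client request relayed towards trusted ports

    def binding_rows(self):
        """Rows in the spirit of the 'show ip binding dhcp' output (vlan, MAC, IP, port, type)."""
        return ["%d %s %s %s %s" % (b["vlan"], b["mac"], b["ip"], b["interface"], b["type"])
                for b in self.bindings.values()]
```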
DHCP snooping – Troubleshooting
• To be sure that the DHCP snooping feature works, check the binding table:
• cnMatrix# show ip binding dhcp
Host Binding Information
------------------------
1 00:01:0a:c8:e0:07 20.0.0.183 Gi0/23 20.0.0.1 dhcp
The entry above states that host 00:01:0a:c8:e0:07, connected to VLAN 1 from untrusted port gi0/23, was issued IP 20.0.0.183 by a trusted DHCP server.
• For information regarding packet statistics, issue the command "show ip dhcp snooping" for the desired VLAN
• Example: cnMatrix# show ip dhcp snooping vlan 1
• For information regarding port trust/untrust status, issue the following command:
• cnMatrix# show ip dhcp snooping port-security-state
• For DHCP snooping status issue the following command:
• cnMatrix# show ip dhcp snooping globals
Static MAC Address table
• The static MAC address table holds up to 256 unicast MAC entries, each entry being manually added by the user. A static entry maps a MAC address to a particular port/VLAN pair. Statically created entries can reside in the static MAC address table for a limited amount of time, until the switch is rebooted, or they can persist even after the switch reboots.
• A dynamic entry with the same MAC address and VLAN as an existing statically added entry, but received on a different port from the one on which the static entry was configured, will not be learned by the switch. This makes the static MAC address table a security feature: an intruder cannot spoof a MAC address that has been statically bound to another port.
Static MAC address table – Configuration and troubleshooting
1. Scenario: Create 3 static entries on 3 different ports in VLAN 1 with three different states.
2. Configuration:
• cnMatrix(config)# mac-address-table static unicast 00:00:00:00:00:01 vlan 1 interface gi 0/1 status permanent – the entry will remain in the MAC address table even after the switch is rebooted;
• cnMatrix(config)# mac-address-table static unicast 00:00:00:00:00:02 vlan 1 interface gi 0/2 status deleteOnReset – the entry will remain in the MAC address table until the switch is rebooted;
• cnMatrix(config)# mac-address-table static unicast 00:00:00:00:00:03 vlan 1 interface gi 0/3 status deleteOnTimeout – the entry will remain in the MAC address table until the configured aging time is reached on the switch;
3. Troubleshooting:
• cnMatrix# show vlan brief – check the VLAN created and the ports' membership;
• cnMatrix# show vlan port Gigabitethernet 0/1 – check the status on a particular interface;
• cnMatrix# show mac-address-table static unicast – check the static MAC address table;
• cnMatrix# show mac-address-table aging time – check the configured aging time relevant for the "deleteOnTimeout" static entries;
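The following Python model is an added example (constructed for this page, not cnMatrix code) of the static MAC table rules described on the previous slide and exercised by the three entries configured above: the 256-entry limit, the three entry lifetimes, the rule that a frame carrying a statically bound MAC/VLAN on another port is not learned, and what a reboot or the aging timer removes. The method names, the returned status strings and the default aging time of 300 seconds are assumptions of the model.

```python
# Constructed model (not cnMatrix code) of the static MAC address table rules
# on the slides: up to 256 static unicast entries, three lifetimes (permanent,
# deleteOnReset, deleteOnTimeout) and the learning rule that a dynamic entry for
# a statically bound MAC/VLAN arriving on a different port is never learned.
class MacTable:
    STATUSES = ("permanent", "deleteOnReset", "deleteOnTimeout")
    MAX_STATIC = 256

    def __init__(self, aging_time=300):
        self.aging_time = aging_time   # seconds ("show mac-address-table aging time")
        self.static = {}               # (mac, vlan) -> (port, status, added_at)
        self.dynamic = {}              # (mac, vlan) -> (port, last_seen)

    def add_static(self, mac, vlan, port, status, now=0.0):
        """mac-address-table static unicast <mac> vlan <vlan> interface <port> status <status>"""
        if status not in self.STATUSES:
            raise ValueError("unknown status %r" % status)
        key = (mac.lower(), vlan)
        if key not in self.static and len(self.static) >= self.MAX_STATIC:
            raise RuntimeError("static MAC table full (%d entries)" % self.MAX_STATIC)
        self.static[key] = (port, status, now)
        self.dynamic.pop(key, None)    # a static entry replaces any learned one

    def learn(self, src_mac, vlan, port, now=0.0):
        """Source-MAC learning for a frame received on 'port' in 'vlan'.
        Returns 'learned', 'static' (static entry on this same port, nothing to do)
        or 'static-conflict' (same MAC+VLAN on another port: not learned; the
        spoofing case the slides describe, worth alerting on)."""
        key = (src_mac.lower(), vlan)
        if key in self.static:
            return "static" if self.static[key][0] == port else "static-conflict"
        self.dynamic[key] = (port, now)
        return "learned"

    def lookup(self, mac, vlan):
        """Forwarding decision: static entries win over dynamic ones; None = flood."""
        key = (mac.lower(), vlan)
        if key in self.static:
            return self.static[key][0]
        return self.dynamic[key][0] if key in self.dynamic else None

    def age(self, now):
        """Expire dynamic entries and deleteOnTimeout static entries older than aging_time."""
        self.dynamic = {k: v for k, v in self.dynamic.items() if now - v[1] < self.aging_time}
        self.static = {k: v for k, v in self.static.items()
                       if not (v[1] == "deleteOnTimeout" and now - v[2] >= self.aging_time)}

    def reboot(self):
        """Dynamic entries and deleteOnReset static entries do not survive a reboot.
        Assumption: deleteOnTimeout entries are only removed by aging (the slides
        say nothing about them across a reboot)."""
        self.dynamic.clear()
        self.static = {k: v for k, v in self.static.items() if v[1] != "deleteOnReset"}
```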
Local Users and Passwords
Create user with RW rights
cnMatrix(config)# username RW_user password PA$$word1234 privilege 15
Create user with RO rights
cnMatrix(config)# username RO_user password PA$$word1234 privilege 1
Change password for default admin user
cnMatrix(config)# username admin password PA$$word1234 privilege 15
Display local users
cnMatrix# listuser
USER     MODE  PRIVILEGE
admin    /     15
guest    /     1
RO_user  /     1
RW_user  /     15
Display logged in users
cnMatrix# show users
Line  User     Peer-Address
0 con admin    Local Peer
1 ssh RW_user  10.110.200.12