Code : STM#510-1 Samsung Electronics Co., Ltd. OfficeServ7400 Layer2 Protocol Overview Distribution EnglishED01

Code : STM#510-1Code : STM#510-1

Samsung Electronics Co., Ltd.

OfficeServ7400 Layer2 Protocol OverviewOfficeServ7400 Layer2 Protocol Overview

Distribution

EnglishED01

© Samsung Electronics Co., Ltd. 2

ObjectivesObjectives

After successful completion of the course the trainees should be able to execute the following activities.


ContentsContents

STP & RSTPSTP & RSTP

Port TrunkingPort Trunking

IGMP SnoopingIGMP Snooping

VLANVLAN

Layer2 QoSLayer2 QoS

SecuritySecurity

AuthenticationAuthentication


STP and RSTPSTP and RSTP


Rapid Spanning Tree ProtocolRapid Spanning Tree Protocol

Bridge Parameter

Bridge Priority : Decides the priority of Bridges

Hello Time : Sets the transmission cycle of BPDU

Max Age Time : Sets the Message Age Time

Forward Time : The time that the state of each port is changed by level

Port Parameter

Priority : Standard to select the port to be blocked when the switch loop is established

Force Version : Communication is progressed via the switch connected to the corresponding port and the BP 여 that a user specifies.

Path Cost : The path cost according to the bandwidth when the connection with the opponent is established

Portfast

Link Type : The link is connected as point-to-point in RSTP



①

① Designated Bridge Identifier The upper 4 digits represent the bridge priority and the remaining lower digits are expressed as the system

MAC address

② Root Bridge Identifier Among the connected switched, it indicates the identifier of the switch equipment selected as the root

bridge. Therefore, if there is no connection between switched, the Root Bridge Identifier displays the same information as the Designated Bridge Identifier.

③ Root Path Cost When the root bridge is decided, it displays the calculated cost for the path to the root switch

④ Root Port If the current equipment is not the root switch, it indicates the ID of the port corresponding to the root port.

⑤ Last Topology changed

②③④

⑤



0x8002

The role of the port that selected via the BDPU exchange between switches.

Disable, Alternative, Backup, Designated, Root

If a switch connected to the corresponding port is more close to the root switch, the Designated Root shows the Bridge identifier of the connected switch. Otherwise, Designated Root shows its own Bridge identifier

Port priorityPort Index

Discarding, Learning, Forwarding, Blocking


Port TrunkingPort Trunking


Port Trunking - GPLIMPort Trunking - GPLIM

The packet is transferred to a port among members included to the trunk group. Select an algorithm to select a port for transfer.

Up to 8 groups can be generated, and up to 4 ports can be included to a group as members.

In addition, a member included to a group cannot be included anther group simultaneously.

Displayed when selecting the trunk configuration as ‘LACP’.

For the Active, a LACP packet is transferred to the opposite party first, based on the system.

For the Passive, it is responded only when receiving a packet from the opposite system.

If the user system and opposite system are all set up as Active, a system that has higher priority is used as a reference.


Port Trunking - GSIMPort Trunking - GSIM

LACP is distinguished with Static Trunking in that the configuration as the LACP port automatically forms bandwidth

GSIM The LACP Configuration window can configure trunk groups and add or delete members

The selection of the algorithm to select the port to sent out the packets.

Select [Port Trunking] [Status] menu to specify the configuration related to Port Trunking





According to VLANs, the IGMP Snooping can be operated respectively



Select the VLAN and the Category to configure, enter the time and click the [OK] button to store the configuration

Group Membership The time to exit from the multicast forwarding database list when new report does not exist Last Member Query Timeout The time to wait a response report after sending a query to check if the host is the last host when multicast router receives a leave message from a host. If the report is not replied until the time is elapsed, the host is deleted from the group. Max Response The maximum time until its response when IGMP Snooping query is received Other Query The time until the operation as a querier starts when a query from the multicast router doest not exist



Querier and Immediate Leave can be set of each VLAN, but Cross VLAN and Flood DPM can be set on a bridge basis.

Querier The operation as IGMP querier when the multicast router does not exist. Immediate Leave Deletes a host from the group immediately when receiving the Leave Message. Cross VLAN Forwards multicast packets to all ports regardless of VLAN. Flood DPM If no member exists in the IGMP group, sets whether to forward multicast packets.

In GSIM board, it is supported using [IGMP snooping] -> [Multicast Filter] menu.



In GSIM board, it is supported Cross VLAN and Flood DPM function in GPLIM board as shown in the figure below:

Forward group Always forwards multicast packets Filter unregistered group Drops multicast packets when any member pertaining to IGMP group doesn’t exit Forward unregistered group Forwards multicast packets when any member pertaining to IGMP group doesn’t exit

GSIM



224. 1. 1. 20

Display the information on the members registered in IGMP Group.

Click the [Refresh] button to update the information displayed on the web screen into the latest information.


VLANVLAN


SpecificationsSpecifications

GPLIM 256 VLANs

ModeMAC based VLANPort based VLAN802.1Q Tag based VLAN

GSIM1024 VLANs

ModePort based VLANMAC based VLANIP based VLANProtocol based VLAN


VLAN - GPLIM(1)VLAN - GPLIM(1)

MAC based VLANVLAN is configured for each MAC address

A MAC based VLAN does not basically contain port information.

The port serves as a VLAN member by receiving packets.

The ARP packet must be transmitted to the switch to enable members of a VLAN to exchange packets.



MAC based VLAN (cont’d)Select ‘MAC’ from VLAN Operation Mode

Select the corresponding VLAN and enter VLAN Name and VLAN ID

Enter the MAC address into [Classification] menu



Port Based VLANA single port can be assigned to multiple VLANs.

Broadcast packets transmitted by the port is transmitted to all VLANs containing the port.

Ports not assigned to any VLANs serve as a single VLAN.



Port based VLAN (cont’d)Select ‘Port’ from VLAN Operation Mode

Select the corresponding VLAN and enter VLAN Name and VLAN ID



802.1Q (IVL/SVL)Member set

Untagged set

PVID (Port VLAN ID)

(Note) If you change the VLAN operation mode, the previous VLAN setting is cleared.


ConfigurationIn the [Port]→[VLAN] →[Port VID] menu, set the operation method when an untagged frame is received

VLAN - GPLIM(6)VLAN - GPLIM(6)Send a frame to VLAN registered in the Port VID‘1’ is a default VLAN that includes all ports

Set drop/pass when an untagged frame is delivered.For drop, tick off the checkbox



802.1Q (IVL/SVL) (cont’d)IVL (Independent VLAN Learning)

One FDB per each VLAN IDif individual MAC address learned in one VLAN, learned information NOT

used in forwarding decisions relative to all other VLANs

SVL (Shared VLAN Learning)One single FDBif individual MAC address learned in one VLAN, learned information used

in forwarding decisions relative to all other VLANs

IVL vs SVL



ClassificationIf the VLAN mode is ‘802.1Q’, VLAN ID is decided depending on the protocol of the packet received.

Classification ModeIn case of MAC based VLAN, ‘MAC’ is selected.In case of 802.1Q based VLAN, ‘proto’ is selected.


VLAN - GSIM(1)VLAN - GSIM(1)

Port based VLANVLAN Create

VLAN EditAdd/Delete membersEgress-Tagged

Egress-TaggedThe packet that sends out to the outside via a port is sent out as Tagged-Packet



The trunk port is set (Static Trunk)

The member port of each group should have always the same VLAN characteristics.

The ports with the different VLAN characteristics cannot be involved in the trunk group.

In case of LACP, if the link of its member port is not connected, the trunk device (po1, po2, …) is hidden.



Port SetupSet Port ID

Ingress-FilterFor SecurityThe type of packets coming from the port can be limited via the Frame-

Type.

Frame TypeConfigure Ingress Packet

(All-Packet/Tagged-Packet)



VLAN ClassificationMAC-based VLANConfiguration in accordance with the source MAC address of the

Untagged packet arriving to the port

IP-based VLANConfigure VLAN depending on the IP subnet of the Untagged packet

coming in the port

Protocol-based VLANConfigure VLAN depending on the protocol type of the Untagged packet

coming in the corresponding port selectedIf the port is set as the trunk group, the same setting is to be made in all

number ports of the trunk group


VLAN configuration by CLIVLAN configuration by CLI

CLI commandIf you can’t connect to a GPLIM/GSIM board because of VLAN configuration, you have to configure using cli command.

CommandEnter “show vlan all bridge 1” command

Display current configurations of VLAN.


VLAN configuration by CLIVLAN configuration by CLI

Enter “configure terminal” command Enter “vlan database” command to configure vlan databaseEnter “no vlan 2 bridge 1” command to clear information about VLAN 2Return ‘enable mode’Enter “show vlan all bridge 1” command to display current configurations

of VLAN


Layer 2 QoSLayer 2 QoS


802.1p tag based L2 QoS802.1p tag based L2 QoS

Assumption for configuration ExampleSet L2 QoS for MP, MGI, and IP Phone (ITP).

MP and MGI are not provided with 802.1p and connected to P1, P7, respectively.

If the IP Phone is connected to P3, P4, P5, and P6, the 802.1p Tag priority function is provided.

The IP Phone connected to P3, P4 is provided with 802.1p, and a tag value is set to 5.The IP Phone connected to P5, P6 is also provided with 802.1p, and a tag value is set to 1.


802.1p tag based L2 QoS802.1p tag based L2 QoS

MP

MGI

IP Phone with 5 value of 802.1p tag field

IP Phone with 1 value of 802.1p tag field

Cannot support the 802.1p function

GPLIM


802.1p Configuration802.1p Configuration

ConfigurationFrom the [Port] [QoS] menu, select the QoS mode as ‘Weight Round Robin’ or ‘All High before Low’.

Since the Tag information with a high priority is 1 and 7, tick off Level1 and 7.

Process 3 packets with a high priority and then one packet with a low priority

If QoS Mode is set to ‘All High before Low’, set the maximum time when a packet with a low priority is not processedIf the set time is reached, packets are first processed

Set this value to high priority

GPLIM


802.1p Configuration802.1p Configuration

From the [Port] [Config] menu, set the priority of a port to which MP and MGI are connected as High. If set as High, set to ensure that a port with a high priority can be operated even if there is no value in the Tag field.

Always, set a high priority for MP and MGI for which 802.1p is not provided

GPLIM


Port based L2 QoSPort based L2 QoS

Assumption for configuration ExampleSet L2 QoS for MP, MGI and IP Phone (ITP).

MP and MGI are not provided with 802.1p, and connected to P1, P7, respectively.

The IP Phone (ITP) is connected to P3, P4, P5, and P6.802.1p is not supported


Port based L2 QoSPort based L2 QoS

ITP(IP Phone) Without the 802.1p Function

MP

MGI

GPLIM


Port Based QoS ConfigurationPort Based QoS Configuration

ConfigurationTo use the Priority function in the [Port] [QoS] menu, the QoS mode should be set to ‘Weighted Round Robin’ or ‘All High before Low’. Thus, set the QoS mode as shown in the figure below:

GPLIM


Port Based QoS ConfigurationPort Based QoS Configuration

In the [Port] [Config] menu, set the priority of the port to which MP, MGI and IP Phone are connected as High.

GPLIM


SecuritySecurity


MAC AuthenticationMAC Authentication

Assumption for Configuration ExampleFour PCs has the following MAC addresses:PC#1 : 00-00-F0-12-34-56PC#2 : 00-00-F0-AB-CD-EFPC#3 : 00-00-F0-56-78-9APC#4 : 00-00-F0-65-43-21

PC#1 is used to connect to P7 only.PC#2 is used to connect to P5 only.PC#3 is used to connect to P12 only.PC#4 is not available.


MAC AuthenticationMAC Authentication

MP

MGI

GPLIM

PC#2

×○

×

○

PC#1 is used to connect to P7 onlyPC#4 is not authorized

PC#2 and PC#3 are authorized.

PC#4 PC#3

PC#1


Configure MAC AuthenticationConfigure MAC Authentication

ConfigurationIn the [Port] [Config] menu, tick off the “Security” of a port whose security is requested.

Disable MAC learningGPLIM


Configure MAC AuthenticationConfigure MAC Authentication

In the [Port] [MAC]->[Static Address] menu, enter a MAC address of PC and information on the port.

MAC address of PC#1, #2, and #3

port 4

port 3

port 6

GPLIM


Port MirroringPort Mirroring

Assumption for Configuration ExampleCapture the IP packet information in the Management PC connected to P10.

Capture all Tx/Rx data generated from MP.

An address of the MP network is 192.168.10.1/24.

Check and store the capture information using the Ethereal program in PC.(Refer to http://www.ethereal.com/download.html )

http://www.ethereal.com/


Port MirroringPort Mirroring

MP

MGI

GPLIM

MP IP : 192.168.10.1/24 MGI IP : 192.168.20.1/24

Management PC

MP ↔ MGI Data Traffic

Data Traffic Mirrored From P1 to P10


Configure Port MirroringConfigure Port Mirroring

ConfigurationFrom the [Port] [MISC] menu, select information on Mode, Monitoring Port, Monitored Port.

Monitoring Port: A port to which a PC terminal for viewing data to be captured is connected.

Monitored Port: A port to which a terminal sends/ receives data to be captured is connected.

Port to which MP is connected

Information on a port to which PC is connected

Ingress: Select packet information only received from the Monitored Port to the selected port

Egress: Select packet information only transmitted from the Monitored Port to the selected port

Both: Select packet information only transmitted/received from the Monitored Port to the selected port



Select [Port] [Mirror Config] menu to perform the port mirroring. To apply the configurations specified to the system,

GSIM

Port to which MP is connected

Information on a port to which PC is connected



Start the Ethereal program in the PC connected to the Monitoring Port.

Enter ‘ip host 192.168.10.1’ in the Filter field. Then, MP IP is 192.168.10.1.

If you enter as shown below and press OK, only packets with an MP IP are captured, among data monitored from the port to which MP is connected.


AuthenticationAuthentication


Configure Authentication (802.1x)Configure Authentication (802.1x)

Select [Authentication] [Management] to activate/deactivate the authentication of system. When executing [Run] of Action if Activity is set to Stop, items of [Authentication] [Configuration] can be set.

The host IP address, host, and key should be registered of the Radius server to be used. The default of the Radius Host Port is 1812 port. Click the [OK] button after the setting. Then, the setting is applied.


Configure Authentication (802.1x)Configure Authentication (802.1x)

Re-authentication setting and the cycle setting are applied only when setting is changed because there is default value

Control None : Authentication is not performed for the port Force-Authorized : Admits the port forcibly Force-Unauthorized : Block the port forcibly. Auto : Allows the port through authentication from the Radius server and blocks the port


Why IVL? (1)Why IVL? (1)

SVL would not work! (A learned from both port 1 and 4) no STP in the example


Why IVL? (2)Why IVL? (2)

SVL would not work! (A learned from both port 1 and 3) STP enabled, VLAN-aware connector


Why SVL?Why SVL?

Samsung Electronics Co., Ltd.

Documents

Code : STM#510-1 Samsung Electronics Co., Ltd. OfficeServ7400 Layer2 Protocol Overview Distribution EnglishED01