SFTOS Configuration Guide - Dell Force10 Configuration Guide, Version 2.2.0 3 Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

SFTOS Configuration Guide

Version 2.2.0 August 2005 100-00028-03

Copyright 2005 Force10 NetworksAll rights reserved. Printed in the USA. August 2005.Force10 Networks reserves the right to change, modify, revise this publication without notice.

TrademarksCopyright 2005 by Force10 Networks, Inc. All rights reserved. Force10, the Force10 logo, E1200, E600, E300, EtherScale, TeraScale and FTOS are trademarks of Force10 Networks, Inc. All other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of ConditionsIn the interest of improving internal design, operational function, and/or reliability, Force10 Networks reserves the right to make changes to products described in this document without notice.Force10 Networks does not assume any liability that may occur due to the use or application of the product(s) described herein.

USA

Federal Communications Commission (FCC) StatementThis equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designated to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy. If it is not installed and used in accordance to the instructions, it may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to take whatever measures necessary to correct the interference at their own expense.

Canadian Department of Communication StatementThe digital apparatus does not exceed the Class A limits for radio noise emissions from digital apparatus set out in the Radio Interference Regulations of the Canadian Department of Communications. Attention: Le present appareil numerique n’ emet pas de perturbations radioelectriques depassant les normes applicables aux appareils numeriques de la Class A prescrites dans le Reglement sur les interferences radioelectriques etabli par le ministere des Communications du Canada.

VCCI Compliance for Class A Equipment (Japan)

This is Class A product based on the standard of the Voluntary Control Council For Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may arise. When such trouble occurs, the user may be required to take corrective actions.

Caution: This device is a Class A product. In a domestic environment, this device can cause radio interference, in which case, the user may be required to take appropriate measures.

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 1About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Functions Supported by the S-Series . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Chapter 2SFTOS Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Basic Routing and Switching Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13QOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Multicast Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Security and Packet Control Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Layer 3 Package Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Extended Routing and Switching Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Routing Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Multicast Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 3Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Connecting a Cable to the Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Viewing Software Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Downloading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Uploading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Upgrading the Software Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Contents

SFTOS Configuration Guide, Version 2.2.0 3

Contents

CLI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Universal Access to Switch/router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24CLI Command Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Getting Help From the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Creating a User and Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Showing and Removing Created Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Setting the Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Setting the Enable Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Clearing the Running Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Displaying Supported Features and System Uptime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Verifying Switch Numbers and OS Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Deleting Configuration File to Access System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Read/Write Access Using SNMP V3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Port Naming Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Setting Network Parms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Showing Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Resetting the Pre-configured System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Configuring an Interface with an IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Show IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Saving the Startup Configuration to the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Setting Up a Management VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Important Points to Remember - VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Configuring from the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Transferring Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Displaying Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Trap Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Enabling Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Displaying Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Using Configuration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Creating a Configuration Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Viewing a Configuration Script File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Uploading a Configuration Script to a TFTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Deleting a Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Downloading a Configuration Script from a TFTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Applying a Configuration Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Listing Configuration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Chapter 4Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Creating the Management Port IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Changing the Management VLAN from Default VLAN 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

4 Contents

Contents

Verifying Management Port Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Verifying Management Port Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Checking Interface Counters Per Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Management Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Hardware Management Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Administrative Management Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Unsetting Management Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Management Preference and MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Chapter 5Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Persistent Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Interpreting Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48CLI Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Example #1: show logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Example #2: show logging buffered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Example #3: show logging traplogs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Example #4: show logging hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Example #5: logging port configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Chapter 6Stackability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Stackability Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Management Unit Selection Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Unit Number Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52Stackability Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Chapter 7Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Choosing TACACS+ as an Authentication Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59TACACS+ Server Host Configuring Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Enabling Secure Management with Secure Shell or Secure Sockets Layer . . . . . . . . . . . . . . . . . . 61Enabling SSL/HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Chapter 8Spanning Tree and MSTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Switching Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Forwarding, Aging, and Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67Spanning Tree Protocol (IEEE 802.1d) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68Forceversion Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

CLI Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68


Contents

CLI Port Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Multiple Spanning-Tree Protocol (MSTP, IEEE 802.1s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78MSTP Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79MST Regions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79MST Interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79MSTP Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79MST CLI Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80MSTP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Chapter 9Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Link Aggregation—IEEE 802.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85LAG Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85Static LAGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86Link Aggregation—MIB Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86Link Aggregation CLI Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86LAG Configuration CLI Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87Static LAG CLI Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Configuring a Port Channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88Configuring LAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Before Configuring LAG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89LAG Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Displaying Port-channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90Adding a Port-channel to a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Chapter 10Access Control Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Common ACL Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94Access Control List Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Chapter 11DiffServ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Deploying DiffServ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Creating Class-maps/DiffServ Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Creating a Policy-Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Applying Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Enabling Differentiated Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Monitoring DiffServ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108Using the “show class-map” Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

6 Contents

Contents

Using the “show policy-map” Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Using the “show service-policy ” Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112Using the “show diffserv” Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114

Configuring Differentiated Services by Department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115Configuring Differentiated Services for Voice over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118

Chapter 12IEEE 802.1Q VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121VLANs Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122VLAN CLI Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123VLAN Database Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123VLAN Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Viewing VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125Ingress Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Setting the VLAN ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Configuring VLAN Participation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126Clearing/resetting VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127Tagged Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128Showing VLAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

S50 and E-Series Differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Chapter 13GARP Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

GARP VLAN Registration Protocol (GVRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133GARP Multicast Registration Protocol (GMRP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133GARP Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134GARP Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134GARP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134GARP CLI Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Privileged Exec Mode Command for Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Global Config Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Interface Config Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135GARP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Chapter 14GVRP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Test Setup Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Enabling and Verifying GVRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Chapter 15VLAN-Stack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

VLAN-stack commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145


Contents

Chapter 16IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Enabling IGMP Snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Chapter 17Port Mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Port Mirroring Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Chapter 18Layer 3 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Port Routing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153Port Routing Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

RIP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155RIP Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

OSPF Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157OSPF Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Virtual LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162VLAN Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

VLAN Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164VLAN Routing Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164VLAN Routing RIP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167VLAN Routing OSPF Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Link Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Link Aggregation Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Virtual Router Redundancy Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174Configuring VRRP: Master Router (Router 1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175Configuring VRRP: Backup Router (Router 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

8 Contents

This chapter covers the following topics:

• Objectives on page 9• Audience on page 9• Related Documents on page 9• Conventions on page 10

ObjectivesThis document provides configuration instructions and examples for the S-Series (S50). It includes information on the protocols and features found in SFTOS®. Background on networking protocols is included to describe the capabilities of SFTOS.

For more complete information on protocols, refer to other documentation and IETF RFCs.

AudienceThis document is intended for system administrators who are responsible for configuring or maintaining networks. This guide assumes you are knowledgeable in Layer 2 and Layer 3 networking technologies.

Related Documents For more information about the Force10 Networks SFTOS software, refer to the following documents:

• S50 Hardware Installation Guide • SFTOS Command Reference Guide

Chapter 1 About this Guide

Note: Please note that BGP and bandwidth allocation are not supported in this release but may appear in the command output examples in this document.


ConventionsThis document uses the following conventions to describe command syntax:

IntroductionThis guide provides examples of the use of the S-Series in a typical network. It will describe the use and advantages of specific functions provided by the S-Series, and will include instructions on how to configure those functions using the Command Line Interface (CLI).

The S-Series can operate as a Layer 2 switch, a Layer 3 router or a combination switch/router. The switch also includes support for network management and Quality of Service functions such as Access Control Lists and Differentiated Services. Which functions you choose to activate will depend on the size and complexity of your network: this document provides detailed information on some of the most-used functions.

Functions Supported by the S-SeriesThe available functions supported by the S-Series running SFTOS software include:

• Access Control Lists, used to control access to specified resources (see Chapter 10, Access Control Lists)

• Differentiated Services, which you can use to define traffic classes and how they will be treated, including traffic acceptance, transmission and bandwidth guarantees.

• Layer 2 Switching:• Bridging support (the default) for IEEE 802.1D -- Spanning Tree plus IEEE 802.1w -- Rapid

Reconfiguration and IEEE 802.1s -- Multiple Spanning Tree (see Chapter 8, Spanning Tree and MSTP)

• Virtual LAN (VLAN) operation conforming to IEEE 802.1Q, including Generic Attribute Registration Protocol (GARP), GARP Multicast Registration Protocol (GMRP) and GARP VLAN Registration Protocol (GVRP) (see Chapter 12, IEEE 802.1Q VLANs)

Convention Description

keyword Keywords are in bold and should be entered in the CLI as listed.

parameter Parameters are in italics and require a number or word to be entered in the CLI. Occasionally shown in brackets: <parameter>

{X} Keywords and parameters within braces must be entered in the CLI.

[X] Keywords and parameters within brackets are optional.

x | y Keywords and parameters separated by bar require you to choose one.

10 About this Guide

• Support for extensions to the Ethernet protocol: — VLAN tagging, required for VLAN support (formerly IEEE 802.3ac, now included in

IEEE 802.3-2002)— Link Aggregation, which you may choose to implement to improve bandwidth and

reliability for critical connections (formerly IEEE 802.3ad) (see Chapter 9, Link Aggregation) (see also Chapter 18, Layer 3 Routing, for use of LAGs in Layer 3)

— Flow Control at the MAC layer: you may configure the switch or a port to temporarily halt traffic when necessary to prevent overload (formerly IEEE 802.3x)

• Additional functions you can use to manage the network including IGMP Snooping (see Chapter 16, IGMP Snooping), Port Mirroring (see Chapter 17, Port Mirroring), and Broadcast Storm Recovery

• Layer 3 Routing (see Chapter 18, Layer 3 Routing)• Base routing protocols, including support for the Address Resolution Protocol (ARP), IP

Mapping, the Internet Control Message Protocol (ICMP) and Classless Inter-Domain Routing (CIDR)

• Support for protocols used by routers to exchange network topology information:— Routing Information Protocol (RIP) versions 1 and 2, recommended for use in small

to medium sized networks— Open Shortest Path First (OSPF) version 2, used in larger, more complex networks

• Support for the Virtual Router Redundancy Protocol (VRRP) used to improve the reliability of network connections

• Support for the MD5 Message-Digest Algorithm defined in RFC 1321 used for digital signature applications

• Support for the use of Dynamic Host Configuration Protocol (DHCP) to assign IP addresses, including the Relay Agent Information option defined in RFC 3046

• VLAN Routing (see Chapter 18, Layer 3 Routing): Allows traffic received on a VLAN port to be processed by the Layer 3 routing function


12 About this Guide

The SFTOS software is available in two packages—the “Layer 2 Package” (“Switching”) and the “Layer 3 Package” (“Routing”). The Layer 2 Package contains only the core software that comes installed on the S50, while the Layer 3 Package includes both the core software and software that supports Layer 3 of the OSI 7-Layer Model.

The core software provides support for the following features:

Basic Routing and Switching Support• BootP (RFC951, 1542)• BootP/DHCP Relay and Server (RFC 2131)• Host Requirements (RFC 1122)• UDP (RFC 768)• IP (RFC 791)• ICMP (RFC 792)• TCP (RFC 793)• STP (Spanning Tree Protocol) (IEEE 802.1d)• Rapid Spanning Tree (IEEE 802.1w)• MSTP (IEEE 802.1s)• 10 GigE (IEEE 802.3ae)• 1000 Base-T (IEEE 802.3ab)• Flow Control (IEEE 802.3x)• IEEE 802.3ad• 16k MAC Address Table• Jumbo Frame Support

QOS• Priority Queues• Layer 2 Classification• 802.1p Priority Marking• Layer 3 DSCP• Bandwidth-based Rate Limiting• Wirespeed ACLs (L2/L3/L4)• ACL Entries (L2 + L3)

Chapter 2 SFTOS Features


VLAN• Supported Number of VLANs• IEEE 802.1q Support• Port-based VLANs• Frame Extensions (IEEE 802.3ac)• Protocol-based VLANs• GVRP, GARP, GMRP

Multicast Protocols• IGMP Snooping• Layer 2 Multicast Forwarding

Security and Packet Control Features• Ingress Rate Limiting• Login Access Control• RADIUS• IEEE 802.1x• SSH2 Server Support• Port Mirroring• Access Profiles on Routing Protocols• DOS Protection• MAC-based Port Security

Management• Telnet (RFC 854)• SSHv2• TFTP (RFC 783)• Syslog• SNMP v1/v2c• RMON Groups• HTML-based Management• External Redundant Power System• SNTP• HTTPS/SSL

14 SFTOS Features

Stacking• Stacking Multiple Units• LAG across Units in a Stack• Hot Insertion and Removal of Units in a Stack• Auto Master Election• Auto Configuration

Layer 3 Package FeaturesThe optional “Layer 3 Package” (“Routing”) version of SFTOS includes all of the features listed above, along with the following features.

Extended Routing and Switching Support• IPv4 (RFC 1812)• CIDR (RFC 1519)• IPv4 Router Discovery (RFC 1256)• ARP (RFC 826)• VRRP (RFC 2338)• Proxy ARP (RFC 1027)• 4k IPv4 Routing Table Entry

Routing Protocol Support• RIPv1/v2• OSPF (RFC 2328, 1587, 1765, 2370)• Static Routes

Multicast Protocols• IGMP v1/v2 (RFC 1112, 2236)• PIM-SM-edge• DVMRP• PIM-DM

Management• ECMP


16 SFTOS Features

This chapter discusses the following topics regarding SFTOS:• Important Points to Remember on page 18• Connecting a Cable to the Console Port on page 19• Viewing Software Version on page 20• Downloading Files on page 21• Uploading Files on page 21• Upgrading the Software Image on page 22• CLI Overview on page 25• Creating a User and Password on page 26• Setting the Enable Password on page 27• Setting the Hostname on page 27• Showing and Removing Created Users on page 26• Clearing the Running Configuration on page 27• Displaying Supported Features and System Uptime on page 28• Verifying Switch Numbers and OS Version on page 29• Deleting Configuration File to Access System on page 30• Read/Write Access Using SNMP V3 on page 30• Port Naming Convention on page 31• Setting Network Parms on page 31• Showing Network Settings on page 32• Resetting the Pre-configured System on page 32• Configuring an Interface with an IP Address on page 33• Saving the Startup Configuration to the Network on page 34• Setting Up a Management VLAN on page 34• Important Points to Remember - VLANs on page 35• Configuring from the Network on page 35• Transferring Files on page 36• Displaying Logs on page 36• Trap Management on page 36• Displaying Statistics on page 37• Using Configuration Scripts on page 38

Chapter 3 Getting Started


Important Points to RememberThere are two options for upgrading image:

• Method 1: Download the image from a TFTP server. From Privileged Exec mode, enter the command copy tftp://ip address/file name system:image. For details, see Upgrading the Software Image on page 22.

• Method 2: Use XMODEM to retrieve the software image. From Privileged Exec mode, enter the command reload. You have 2 seconds to choose option 2, as shown below. Then, from the boot menu, you may choose the “xmodem” option. This loads the operational code.

Each procedure above automatically loads the image copied to the S50, and sets the filename of the image.

If the copy process is incomplete or the copied file is corrupt, the user is still able to revert to the previous OS version, if it was intact and working. If corruption is detected in the new image before it downloads the current image into flash memory, the original image remains intact in flash. CRC fails once the image is downloaded into memory or a packet's checksum fails during download.

If the image gets corrupted in flash, the only recourse is to download a new image using Method 2.

(Force10 S50) #reloadManagement switch has unsaved changes.Would you like to save them now? (y/n) n

Configuration Not Saved!Are you sure you want to reload the stack? (y/n) y

Reloading all switches.Force10 Boot Code...Version 01.00.26 06/03/2005

Select an option. If no selection in 2 seconds thenoperational code will start.

1 - Start operational code.2 - Start Boot Menu.Select (1, 2):2Boot Menu Version 01.00.26 06/03/2005Options available1 - Start operational code2 - Change baud rate3 - Retrieve event log using XMODEM (64KB).4 - Load new operational code using XMODEM5 - Display operational code vital product data6 - Update Boot Code7 - Delete operational code8 - Reset the system9 - Restore Configuration to factory defaults (delete config files)[Boot Menu] 4

18 Getting Started

Connecting a Cable to the Console PortTo access the console port, follow the procedures below:

Step Task

1. Install a straight-through RJ-45 copper cable into the console port, or an Ethernet cable.

Note: If connecting to a terminal server and using an Ethernet crossover cable, you must connect another crossover cable to effectively get a straight-through cable connection.

2. Connect the RJ-45/DB-9 adapter that is shipped with the S50 system to the RJ-45 cable. Note: The console port pinout:

Pin 1 = NCPin 1 = NCPin 1 = RXDPin 1 = GNDPin 1 = GNDPin 1 = TXDPin 1 = NCPin 1 = NC

3. Connect the adapter to a laptop.

4. Once connection is established, ensure terminal settings (default settings) of: 9600 baud rate, no parity, 8 data bits, 1 stop bit, no flow control (console port only).

fn00162s50


Viewing Software VersionThe command show switch shows the running code version.

:

You can also use the show hardware command to display the running code version. See the sample output in the section Upgrading the Software Image on page 22.

5. Enter “lineconfig” mode by entering config, then lineconfig. In “lineconfig” mode, issue a serial command to configure the parameters:

6. To display serial (console) port configuration, enter the command show serial:

Step Task (continued)

(s50) (Line)#?

exit To exit from the mode. serial Configure EIA-232 parameters and inactivity timeout.

(s50) (Line)#serial timeout 30

(s50) (Line)# (s50) #show run !Current Configuration: <output deleted>!lineconfig serial timeout 30 exit

(Force10 S50) #show serial

Serial Port Login Timeout (minutes)............ 30Baud Rate (bps)................................ 9600Character Size (bits).......................... 8Flow Control................................... DisableStop Bits...................................... 1Parity......................................... none

(Force10 s50) #show switch

Management Preconfig Plugged-in Switch CodeSwitch Status Model ID Model ID Status Version------ ------------ ------------- ------------- --------------------- --------1 Mgmt Switch SA-01-GE-48T SA-01-GE-48T OK 2.2.1(Force10 s50) #

20 Getting Started

Also, the show version command displays version details of both the software and hardware present on the system. This command provides the details shown by the show hardware and show sysinfo commands, along with interface information, the u-boot version number, and the system image file version. The following excerpt from the report shows the listing for the software version.

Downloading FilesTo download certain files, reference the list below for these Privileged Exec-mode commands:

• copy <url> system:image

Configuration:

• copy <url> nvram:startup-config

XMODEM:

• xmodem:filepath/fileName

Uploading FilesTo upload certain files, reference the list below for these Privileged Exec-mode commands:

• Code: — copy system:image <url>

• Configuration:— copy system:image <url>

• Logs: — copy nvram:errorlog <url>— copy nvram:msglog <url>

• XMODEM:— xmodem:filepath/fileName


Upgrading the Software ImageAfter you have set up the hardware, determine if you need a software upgrade.

1. Using the CLI, gain access to the S50 system by logging in and issuing the enable command:

2. Set the management IP address and the gateway address. Issue the network parms command to :

3. Ping the default gateway to ensure the access to the server you wish to download the software image.

4. Ping the IP server from which you wish to download the software image:

(s50)User:adminPassword:

NOTE: Enter '?' for Command Help. Command help displays all options that are valid for the 'normal' and 'no' command forms. For the syntax of a particular command form, please con-sult the documentation.

(s50) >enablePassword:

(s50) #network parms 172.17.1.133 255.255.255.0 172.17.1.254

(s50) #show network

IP Address..................................... 172.17.1.133Subnet Mask.................................... 255.255.255.0Default Gateway................................ 172.17.1.254Burned In MAC Address.......................... 00:D0:95:B7:CD:2ELocally Administered MAC Address............... 00:00:00:00:00:00MAC Address Type............................... Burned InNetwork Configuration Protocol Current......... NoneManagement VLAN ID............................. 1Web Mode....................................... EnableJava Mode...................................... Enable

(s50) #ping 172.17.1.254

Send count=3, Receive count=3 from 172.16.1.254

(s50) #ping 172.16.1.56

Send count=3, Receive count=3 from 172.16.1.56

22 Getting Started

5. Load the image by using the copy command:

Figure 1 Uploading new code

6. Issue show hardware to view currently running software version:

Figure 2 Displaying the current software version

(s50) #copy tftp://172.16.1.56/f10r1v1m6.opr system:image

Mode........................................... TFTPSet TFTP Server IP............................. 172.16.1.56TFTP Path...................................... ./TFTP Filename.................................. f10r1v1m6.oprData Type...................................... Code

Are you sure you want to start? (y/n) yTFTP code transfer startingTFTP receive complete... storing in Flash File System...

File transfer operation completed successfully.

(s50) #

Note the “.opr” file name extensionAddress of TFTP server

(s50) #show hardware

Switch: 1

System Description............................. Force10 S50Vendor ID...................................... 07Plant ID....................................... 01Country Code................................... 04Date Code......................................Serial Number.................................. 114Part Number....................................Revision.......................................Catalog Number................................. SA-01-GE-48TBurned In MAC Address.......................... 00:D0:95:B7:CD:2ESoftware Version............................... F.5.6

Additional Packages............................ Force10 QOS Force10 Stacking


7. Save the current configuration to NVRAM. The easy way is to enter the write command (no parameters; the command defaults to write memory.) An alternative is to use the copy command shown in the following sample:

Figure 3 Saving the current configuration to NVRAM

8. Reload all switches:

Figure 4 Upgrading the OS

Note: You can only save the startup config to the NVRAM (the running configuration cannot be saved to the network).

(s50) #copy system:running-config nvram:startup-config

This operation may take few minutes.Management interfaces will not be available during this time.

Are you sure you want to save? (y/n) y

Configuration Saved!

(s50) #reload

Management switch has unsaved changes.Would you like to save them now? (y/n) yConfiguration Saved!Are you sure you want to reload the stack? (y/n) y

Reloading all switches.

Force10 Boot Code...Version 01.00.26 06/03/2005

Select an option. If no selection in 2 seconds then operational code will start.

1 - Start operational code.2 - Start Boot Menu.Select (1, 2):1

Operational Code Date: Thu Jul 7 16:37:32 2005Uncompressing..... 50% 100%||||||||||||||||||||||||||||||||||||||||||||||||||Attaching interface lo0...done

Adding 31485 symbols for standalone.PCI device attached as unit 0.PCI device attached as unit 1.PCI device attached as unit 2.PCI device attached as unit 3.PCI device attached as unit 4.PCI device attached as unit 5.PCI device attached as unit 6.Configuring CPUTRANS TXConfiguring CPUTRANS RXst_state(0) = 0x0st_state(1) = 0x2(Unit 1)>This switch is manager of the stack. STACK: attach 5 units on 1 cpu

24 Getting Started

CLI Overview

Universal Access to Switch/router• Through a console port• Management Ethernet—Telnet, SSH

CLI Command Modes

The main CLI command modes and prompts are as follows:

• User Exec: (S50)>• Privileged Exec: (S50) #• Global Config: (S50) (Config)#

Here is an example of navigating to these modes:

Getting Help From the CLI

The following help commands are the same as those found in the E-Series:

• Use “?” at prompt.• Use “?” with partial command: “Force10# i?”• Use “?” after a command: “Force10# ip ?”

User Management• The default user, admin, has Read/Write attributes.

(S50) >enablePassword:(S50) #configure(S50) (Config)#exit(S50) #


Creating a User and PasswordThe username passwd command replaces the users name and users passwd commands. It creates the user name and password in one statement. Another difference from the use of the two previous commands is that changing a password now requires removing the user and then adding him again, along with the new password, as shown below.

Figure 5 Creating a User and a Password

Showing and Removing Created UsersAn alternative to the no username command shown above is to use the clear pass command to delete all created user. The following example is of the show users command and the clear pass command:

Figure 6 Showing Created Users

Note: The user has ReadOnly access for local login.

(S50) (Config)#username w_turner passwd willspwdUser login name and password are set.

(S50) (Config)#no username w_turner

(S50) (Config)#username w_turner passwd newpwdUser login name and password are set.Password Changed!

(S50) #show usersSNMPv3 SNMPv3 SNMPv3

User Name User Access Mode Access Mode Authentication Encryption---------- ---------------- ----------- -------------- ----------admin Read/Write Read/Write None Nonew_turner Read Only Read Only None None

(S50) #clear passAre you sure you want to reset all passwords? (y/n)yPasswords Reset!

26 Getting Started

Setting the HostnameThe hostname command has replaced the set prompt command for setting the hostname prompt:

Figure 7 Setting the Hostname

Setting the Enable PasswordTo change the Privileged Exec password, you now must first enter Privileged Exec mode. Then type the command enable passwd, then press ENTER or RETURN:

:

Figure 8 Setting the Enable Password

Clearing the Running ConfigurationThe following example is of the clear config command for clearing the running configuration:

Figure 9 Clearing the Running Configuration

Note: The user has ReadOnly access for local login.

(S50) #hostname Force10_S50(Force10_S50) #

(Force10_S50) #enable passwdEnter new password:*******Confirm new password:*******Password Changed!

(Force10_S50) #clear configAre you sure you want to clear the configuration? (y/n)yClearing configuration. Please wait for login rompt.(Force10_S50) #(Unit 1)>


Displaying Supported Features and System UptimeThe following is an example of using show version to display all supported features and system uptime:

Figure 10 Displaying All Supported Features and System Uptime

(Force10 (S50) #show version Switch: 1System Description............................. Force10 S50Vendor ID...................................... 07Plant ID....................................... 01Country Code................................... 04Date Code...................................... 062005Serial Number.................................. DE4000126Part Number.................................... 759-00001-00Revision....................................... 0ACatalog Number................................. SA-01-GE-48TBurned In MAC Address.......................... 0001.E8D5.A151Software Version............................... 2.2.3Additional Packages............................ Force10 QOS Force10 Stacking10/100 Ethernet/802.3 interface(s)............. 0Gig Ethernet/802.3 interface(s)................ 210Gig Ethernet/802.3 interface(s).............. 0Virtual Ethernet/802.3 interface(s)............ 0System Name....................................

System Location................................ System Contact................................. System Object ID............................... force10System Up Time................................. 1 days 22 hrs 55 mins 34 secs

MIBs Supported:RFC 1907 - SNMPv2-MIB The MIB module for SNMPv2 entitiesRFC 2819 - RMON-MIB Remote Network Monitoring Management Information BaseFORCE10-REF-MIB Force10 Reference MIBSNMP-COMMUNITY-MIB This MIB module defines objects to help support coexistence between SNMPv1, SNMPv2, and SNMPv3.SNMP-FRAMEWORK-MIB The SNMP Management Architecture MIBSNMP-MPD-MIB The MIB for Message Processing and DispatchingSNMP-NOTIFICATION-MIB The Notification MIB ModuleSNMP-TARGET-MIB The Target MIB ModuleSNMP-USER-BASED-SM-MIB The management information definitions for the SNMP User-based Security Model.SNMP-VIEW-BASED-ACM-MIB The management information definitions for the View-based Access Control Model for SNMP.

USM-TARGET-TAG-MIB SNMP Research, Inc.F10OS-POWER-ETHERNET-MIB F10OS Power Ethernet Extensions MIBPOWER-ETHERNET-MIB Power Ethernet MIBLAG-MIB The Link Aggregation module for managing IEEE 802.3adRFC 1213 - RFC1213-MIB Management Information Base for Network Management of TCP/IP-based internets: MIB-IIRFC 1493 - BRIDGE-MIB Definitions of Managed Objects for Bridges (dot1d)RFC 2674 - P-BRIDGE-MIB The Bridge MIB Extension module for managing Priority and Multicast Filtering, defined by IEEE 802.1D-1998.RFC 2674 - Q-BRIDGE-MIB The VLAN Bridge MIB module for managing Virtual Bridged Local Area NetworksRFC 2737 - ENTITY-MIB Entity MIB (Version 2)RFC 2863 - IF-MIB The Interfaces Group MIB using SMIv2RFC 3635 - Etherlike-MIB Definitions of Managed Objects for the Ethernet-like Interface TypesF10OS-SWITCHING-MIB F10OS Switching - Layer 2F10OS-INVENTORY-MIB F10OS Unit and Slot configuration.F10OS-PORTSECURITY-PRIVATE-MIB Port Security MIB.

--More-- or (q)uit

28 Getting Started

Verifying Switch Numbers and OS VersionThe following example is of the show switch command for verifying switch number and OS version:

Figure 11 Verifying Switch Number and OS Version

(Force10_S50) #show switch

Management Preconfig Plugged-in Switch CodeSwitch Status Model ID Model ID Status Version------ ------------ ------------- ------------- --------------------- --------1 Mgmt Switch SA-01-GE-48T SA-01-GE-48T OK 2.2.1

(Force10_S50) #show switch 1Switch............................ 1Management Status................. Management SwitchHardware Management Preference.... UnassignedAdmin Management Preference....... 1Switch Type....................... 0x56950202Preconfigured Model Identifier.... SA-01-GE-48TPlugged-in Model Identifier....... SA-01-GE-48TSwitch Status..................... OKSwitch Description................ Expected Code Type................ 0x100b000Detected Code Version............. 2.2.1Detected Code in Flash............ 2.2.1Serial Number..................... DE4000106Up Time........................... 0 days 10 hrs 11 mins 52 secs


Deleting Configuration File to Access System1. When the system boots up, select 2 to start the Boot Menu.

2. Select 10 to restore the configuration to factory defaults (deletes configuration file).

Figure 12 Restoring Configuration to Factory Defaults

Read/Write Access Using SNMP V3The command users snmpv3 accessmode <username> <readonly | readwrite> and show user enables you to view read and write privileges on specific users:

Force10 Boot Code...Version 01.00.04 01/15/2005

Select an option. If no selection in 2 seconds thenoperational code will start.

1 - Start operational code.2 - Start Boot Menu.Select (1, 2):2

Boot Menu Version 01.00.04 01/15/2005

Options available1 - Start operational code2 - Change baud rate3 - Retrieve event log using XMODEM (64KB).4 - Load new operational code using XMODEM5 - Display operational code vital product data6 - Run Flash Diagnostics7 - Update Boot Code8 - Delete operational code9 - Reset the system10 - Restore Configuration to factory defaults (delete config files)[Boot Menu] 10

(Force10_S50) (Config)#users snmpv3 accessmode student2 readwrite(Force10_S50) #show users

SNMPv3 SNMPv3 SNMPv3User Name User Access Mode Access Mode Authentication Encryption---------- ---------------- ----------- -------------- ----------admin Read/Write Read/Write None Nonestudent1 Read Only Read Only None Nonestudent2 Read Only Read/Write None None

30 Getting Started

Port Naming ConventionThe port naming convention, “x/y/z”, designatesunit/slot/port. The physical entities that define this convention are as follows:

• Unit—one switch in a stack of switches (begins with the number 1).• Slot—slot numbers for physical entities (begin with number 0).• Port—physical interface (port numbers are sequential starting at 1 for each slot).

Logical entities are defined as follows:

• Also use unit/slot/port numbers.• Unit numbers are a 0.• Logical slot numbers

— Slot numbers are sequential and start with a 1.• Logical interface numbers

— Interface numbers are sequential starting at 1 for each slot.

VLAN Routing Interfaces, port-channels, and LAGs are logical entities.

Setting Network ParmsThe command network parms sets the IP address of the switch and the gateway.

Note: This is done from Privileged Exec mode, not Global Config mode.

(Force10_S50) #network parms 172.17.1.33 255.255.255.0 172.17.1.254

IP Address of the Switch Mask Default Gateway


Showing Network SettingsUse the command show network to display network information such as IP address, Mask, Default Gateway, MAC information, etc., as shown below:

Resetting the Pre-configured SystemIf you are bringing up a system that had been previously configured in a stack, you must ensure the system is set to the correct unit number if installing into a new stack. If the system is not reconfigured to the correct unit number, it will come up as their switch number from the previous stack.

To ensure the unit comes up with the correct unit number in the new stack, use the switch renumber command to change the unit number.

Command Syntax Command Mode Purpose

switch oldunit renumber newunit Global Config This command changes the switch identifier for a switch in the stack. The oldunit is the current switch identifier on the switch whose identifier is to be changed. The newunit is the updated value of the switch identifier.

Note: When a switch unit is renumbered the "old" number is kept around as a detached unit until a 'no member' CLI is executed. Note: The RPC timeouts may happen when units are renumbered or management is moved from one unit to another unit.

(Force10_S50) #show network

IP Address..................................... 172.17.1.33Subnet Mask.................................... 255.255.255.0Default Gateway................................ 172.17.1.254Burned In MAC Address.......................... 00:03:E8:0D:20:00Locally Administered MAC Address............... 00:00:00:00:00:00MAC Address Type............................... Burned InNetwork Configuration Protocol Current......... NoneManagement VLAN ID............................. 1Web Mode....................................... DisableJava Mode...................................... Enable

32 Getting Started

Configuring an Interface with an IP AddressTo configure an UP address to an interface, use the following commands:

IP configuration takes precedence over VLAN configuration on a port. Therefore, configuring an IP Address and ‘routing’ on an interface, disables participation in VLANs on that interface.

Show IP Interface

Use the show ip interface command to display information:


ip routing GLOBAL Enables routing for an interface.

ip address INTERFACE Configures an IP address on an interface. The IP address may be a secondary IP address.

Note: You must configure ip routing at a global level, AND ‘routing’ at an interface level for you to be able to ping from, and to, the address.

Note: You must have the optional SFTOS Layer 3 software package installed to configure routing commands and to set IP addressing an interface.

(S50) #configure(S50) (Config)#ip routing(S50) (Config)#interface 1/0/3(S50) (Interface 1/0/3)#ip address 50.0.0.2 255.255.255.0(S50) (Interface 1/0/3)#routing

(S50) #show ip interface 1/0/3

IP Address..................................... 50.0.0.2Subnet Mask.................................... 255.255.255.0Routing Mode................................... EnableAdministrative Mode............................ EnableForward Net Directed Broadcasts................ DisableActive State................................... ActiveLink Speed Data Rate........................... 1000 FullMAC Address.................................... 00:03:E8:0D:20:01Encapsulation Type............................. EthernetIP Mtu......................................... 1500

(S50) #


Use the show ip interface brief command to display information.

Saving the Startup Configuration to the NetworkThe following is an example on how to save the startup configuration to a TFTP site on the network.

Setting Up a Management VLANThe following is an example on how to set up a management VLAN:

Note: It is possible to set the Management VLAN to a VLAN that doesn’t exist. If you can’t reach anything from the management address, check the mgmt_vlan with a show net or show run.

(S50) #show ip interface brief

Netdir MultiInterface IP Address IP Mask Bcast CastFwd--------- --------------- --------------- -------- --------1/0/3 50.0.0.2 255.255.255.0 Disable Disable1/0/4 66.1.1.1 255.255.255.0 Disable Disable

(S50) #

(s50) #copy nvram:startup-config tftp://172.16.1.56/s50_1

Mode........................................... TFTPSet TFTP Server IP............................. 172.16.1.56TFTP Path...................................... ./TFTP Filename.................................. s50_1Data Type...................................... Config File

Are you sure you want to start? (y/n) y


(S50) #network mgmt_vlan 20

34 Getting Started

Important Points to Remember - VLANs• Default Management VLAN is 1 by default• By default ALL ports are members of VLAN 1 untagged• Command to change the Management VLAN ID

— (S50) #network mgmt_vlan 20

• It is possible to set the Management VLAN to a VLAN that doesn’t exist.• If you can’t reach anything from the management address, check the mgmt_vlan using show net or

show run.

Configuring from the NetworkThe following is an example of configuring from the network.

Important Points to Remember• The configuration file is binary.• The configuration file is not human-readable.• Copies saved to the network are binary.• You cannot cut and paste the configuration file.• You can cut and paste show run output into a text file, and paste it in through Telnet or console.

For a sample of the output from the show run output, see the show running-config command in the SFTOS Command Reference Guide, or see Viewing VLANs on page 125 in this guide.

(S50) #copy tftp://172.16.1.56/s50_1 nvram:startup-config

Mode........................................... TFTPSet TFTP Server IP............................. 172.16.1.56TFTP Path...................................... ./TFTP Filename.................................. s50_1Data Type...................................... Config

Download configuration file. Current configuration will be cleared.

Are you sure you want to start? (y/n) yTFTP config transfer starting

TFTP download operation completed successfully.

(S50) #(Unit 1)>User:

You are now logged off


Transferring FilesTo download code or configuration:

• Code:— Overwrites existing code in flash memory

• Configuration: — Configuration is stored in NVRAM— Active configuration is distinct from the stored configuration— Changes to active configuration not retained across resets unless explicitly saved— Download replaces the stored configuration— Download stopped if a configuration error is found

• Upload code, configuration or logs• File transfer uses XMODEM or TFTP depending on platform• Specify the following TFTP server information

— IP address— File path (up to 31 characters)— File name (up to 31 characters)

• Progress of the TFTP transfer is displayed

Displaying LogsThe switch maintains three logs:• Messages – system trace information, cleared on switch reset

— show logging buffered

• Events – error messages, not cleared on switch reset— show eventlog

• Traps – enabled trap events, cleared on switch reset — show logging

Trap Management• Traps can be enabled for the following features:

— Authentication— Link Up/Down — Multiple Users— Spanning Tree— OSPF— DVMRP— PIM (both DM and SM with one command)

• There is a separate set of CLI commands, and one Web screen.• Trap events are logged and sent out via SNMP

36 Getting Started

Enabling Traps.

Commands to [disable] enable traps are as follows:

Global Config Mode— [no] snmp-server enable traps: This command sets the Authentication flag.— [no] snmp-server enable traps linkmode: This command sets the Link Up/Down flag.— [no] snmp-server enable traps multiusers: This command sets the Multiple Users flag.— [no] snmp-server enable traps stpmode: This command sets the Spanning Tree flag.— [no] ip dvmrp trapflags: This command sets the DVMRP Traps flag.— [no] ip pim-trapflags: This command sets the PIM Traps flag.

Router OSPF Config Mode — [no] trapflags: This command sets the OSPF Traps flag.

Privileged Exec Mode— show trapflags: This command displays the status of each of the SNMP trap flags noted above.

Displaying StatisticsPrivileged Exec-mode commands to display statistics:

• Switch summary statistics:— show interface switchport

• Interface summary statistics:— show interface unit/slot/port

• Switch detailed statistics:— show interface ethernet switchport

• Interface detailed statistics:— show interface ethernet unit/slot/port

Note: The DVMRP, OSPF, and PIM traps and associated commands are not supported in the Layer 2 software image of SFTOS.


Using Configuration ScriptsConfiguration scripts are ‘flat’ configuration files stored in the NVRAM. Their file names are appended with the “.scr” extension.

The configuration scripts are editable text files (unlike binary configuration files) that can be uploaded and downloaded to, or from, a TFTP server.

Creating a Configuration Script

To create a “config script,” use a variation of the show running-config command.

Viewing a Configuration Script File

To view a “config script,” use the script show test.scr command.


show running-config <scriptname>.scr

Privileged Exec Create a configuration script by specific name.


script show scriptname.scr Privileged Exec To view a configuration script by specific name.

(s50) #show running-config test.scr

Config script created successfully.

(s50) #script show test.scr

1 : !Current Configuration:2 : !3 : set prompt "s50"4 : network parms 172.17.1.33 255.255.255.0 172.17.1.2545 : vlan database6 : vlan 117 : exit8 : configure9 : !System Description "Force10 S50"10 : !System Description F.5.6.2...

38 Getting Started

Uploading a Configuration Script to a TFTP Server

To upload a “config script” to a TFTP server, use the copy command.

Deleting a Script

To delete a “config script”, use the script delete command.


copy nvram:script scriptname.scr tftp://x.x.x.x/scriptname.scr

Privileged Exec Copies the config script from the NVRAM to a TFTP server.


script delete <scriptname.scr> Privileged Exec

(s50) #copy nvram:script test.scr tftp://172.16.1.56/test.scr

Mode........................................... TFTPSet TFTP Server IP............................. 172.16.1.56TFTP Path......................................TFTP Filename.................................. test.scrData Type...................................... Config ScriptSource Filename................................ test.scr



(s50) #script delete test.scr

Are you sure you want to delete the configuration script(s)? (y/n)y

1 configuration script(s) deleted.


Downloading a Configuration Script from a TFTP Server

To download a “config script”, use the copy command, as in the following.

Troubleshooting a Downloaded Script

While attempting to download a config script, the system validates the downloaded file. If the validation fails an error message like the following will appear:


copy tftp://x.x.x.x/scriptname.scr nvram:script scriptname.scr

Privileged Exec To download a “config script” from a TFTP server.

(s50) #copy tftp://172.16.1.56/test.scr nvram:script test.scr

Mode........................................... TFTPSet TFTP Server IP............................. 172.16.1.56TFTP Path......................................TFTP Filename.................................. test.scrData Type...................................... Config ScriptDestination Filename........................... test.scr


Validating configuration script...

set prompt "s50"

network parms 172.17.1.33 255.255.255.0 172.17.1.254

vlan database

vlan 11<output deleted>

Configuration script validation failed.Following lines in the script may have problem:Line 29:: permit 01:80:c2:00:00:00 any assign-queue 4Line 30:: permit any 01:80:c2:00:00:ff assign-queue 3 redirect 1/0/10Line 31:: permit 01:80:c2:00:00:ee any assign-queue 4Line 36:: match cos 5Line 44:: police-simple 500000 64 conform-action transmit violate-action dropLine 45:: police-simple 500000 64 conform-action transmit violate-action drop

Total error Lines :: 6The file being downloaded has potential problems. Do you want to save this file?

40 Getting Started

Applying a Configuration ScriptTo apply a “config script”, use the script apply command, as in the following.

Applying a configuration script on a machine with certain previously configured features may result in an error. This is because the syntax for entering the configuration mode that allows for editing the feature may be different than the syntax that exists in the configuration (and was used to create the feature initially). There are several such features.

For example, the command to create a class-map called “cm-1” is class-map match-all cm-1, while the command to edit cm-1 later is class-map cm-1 (For more on class-map, see the DiffServ chapter.) Attempting to apply an unmodified config script containing cm-1 to a machine that already has a class-map called cm-1 results in an error similar to the following example (see Figure 13 on page 41).

Figure 13 Example of a scripting error


script apply scriptname.scr Privileged Exec To do

(Force10 S50) #script apply test.scr

Are you sure you want to apply the configuration script? (y/n)y

The system has unsaved changes.Would you like to save them now? (y/n) n

Configuration Not Saved!

set prompt "s50"

network parms 172.17.1.33 255.255.255.0 172.17.1.254<output deleted>interface 0/1/2

exit

exit

Configuration script 'test.scr' applied.

class-map match-all cm-1This Diffserv class already exists.

Error in configuration script file at line number 33.CLI Command :: class-map match-all cm-1.Aborting script.Execution of configuration script 'test.scr' could not be completed.

WARNING: The running configuration may not be the desired configuration. You might want to reload the saved configuration.


Failure to apply a config script can be resolved by one of the following solutions:

• Issue the clear config command before applying the script.

• Edit the script to use the proper syntax to edit the structure (ACL, map etc.). • Edit the script by adding the no form of a command to delete a feature, then add a command to

reconfigure the same feature.

Listing Configuration Scripts

The script list command lists the configured scripts in a system:

Note: Do not issue the clear config command if you telnet into the system, otherwise you will lose contact with the system. This command should be issued at the console port.

(s50) #script list

Configuration Script Name Size(Bytes)-------------------------------- -----------test.scr 2689

1 configuration script(s) found.2045 Kbytes free.

(s50) #

42 Getting Started

This chapter displays sample configurations for the following management tasks using SFTOS:

• Creating the Management Port IP on page 43• Changing the Management VLAN from Default VLAN 1 on page 44• Verifying Management Port Network on page 44• Verifying Management Port Connectivity on page 44• Checking Interface Counters Per Port on page 45• Management Preferences on page 46• Unsetting Management Preference on page 46• Management Preference and MAC Address on page 46

Creating the Management Port IP

Figure 14 Creating the Management Port IP Address

Chapter 4 Management

(Force10 S50) #network parms 192.168.0.50 255.255.255.0 192.168.0.11

(Force10 S50) #show networkIP Address..................................... 192.168.0.50Subnet Mask.................................... 255.255.255.0Default Gateway................................ 192.168.0.11Burned In MAC Address.......................... 00:01:E8:0D:30:9ALocally Administered MAC Address............... 00:00:00:00:00:00MAC Address Type............................... Burned InNetwork Configuration Protocol Current......... NoneManagement VLAN ID............................. 1Web Mode....................................... DisableJava Mode...................................... Enable


Changing the Management VLAN from Default VLAN 1

Figure 15 Changing Management VLAN from Default

Verifying Management Port Network

Figure 16 Verifying Management Port Network

Verifying Management Port Connectivity

Figure 17 Verifying Management Port Connectivity

network mgmt_vlan 5vlan databasevlan 5vlan name 5 "management_vlan“

interface 1/0/43vlan pvid 5vlan ingressfiltervlan participation exclude 1vlan participation include 5exit

(Force10 S50) #show network

IP Address..................................... 192.168.0.50Subnet Mask.................................... 255.255.255.0Default Gateway................................ 192.168.0.11Burned In MAC Address.......................... 00:01:E8:0D:30:9ALocally Administered MAC Address............... 00:00:00:00:00:00MAC Address Type............................... Burned InNetwork Configuration Protocol Current......... NoneManagement VLAN ID............................. 5Web Mode....................................... DisableJava Mode...................................... Enable

(Force10 S50) #ping 192.168.0.100Send count=3, Receive count=3 from 192.168.0.100 Verify management port connectivity

44 Management

Checking Interface Counters Per Port

Figure 18 Checking Interface Counters Per Port

(Force10 S50) #show interface ethernet 1/0/43

Total Packets Received (Octets)................ 16217658Packets Received > 1522 Octets................. 0Packets RX and TX 64 Octets.................... 3260Packets RX and TX 65-127 Octets................ 11968Packets RX and TX 128-255 Octets............... 6329Packets RX and TX 256-511 Octets............... 4812Packets RX and TX 512-1023 Octets.............. 338Packets RX and TX 1024-1518 Octets............. 7710Packets RX and TX 1519-1522 Octets............. 0Packets RX and TX 1523-2047 Octets............. 0Packets RX and TX 2048-4095 Octets............. 0Packets RX and TX 4096-9216 Octets............. 0

Total Packets Received Without Errors.......... 34091Unicast Packets Received....................... 30641Multicast Packets Received..................... 2010Broadcast Packets Received..................... 1440Total Packets Received with MAC Errors......... 0Jabbers Received............................... 0Fragments/Undersize Received................... 0Alignment Errors............................... 0--More-- or (q)uitFCS Errors..................................... 0Overruns....................................... 0

Total Received Packets Not Forwarded........... 0Local Traffic Frames........................... 0802.3x Pause Frames Received................... 0Unacceptable Frame Type........................ 0Multicast Tree Viable Discards................. 0Reserved Address Discards...................... 0Broadcast Storm Recovery....................... 0CFI Discards................................... 0Upstream Threshold............................. 0

Total Packets Transmitted (Octets)............. 52084Max Frame Size................................. 1518

Total Packets Transmitted Successfully......... 326Unicast Packets Transmitted.................... 105Multicast Packets Transmitted.................. 0Broadcast Packets Transmitted.................. 221Total Transmit Errors.......................... 0FCS Errors..................................... 0--More-- or (q)uitTx Oversized................................... 0Underrun Errors................................ 0

Total Transmit Packets Discarded............... 0Single Collision Frames........................ 0Multiple Collision Frames...................... 0Excessive Collision Frames..................... 0Port Membership Discards....................... 0

802.3x Pause Frames Transmitted................ 0GVRP PDUs received............................. 0GVRP PDUs Transmitted.......................... 0GVRP Failed Registrations...................... 0GMRP PDUs Received............................. 0GMRP PDUs Transmitted.......................... 0GMRP Failed Registrations...................... 0

STP BPDUs Transmitted.......................... 0STP BPDUs Received............................. 0RSTP BPDUs Transmitted......................... 0RSTP BPDUs Received............................ 0MSTP BPDUs Transmitted......................... 0MSTP BPDUs Received............................ 0--More-- or (q)uit

EAPOL Frames Transmitted....................... 0EAPOL Start Frames Received.................... 0

Time Since Counters Last Cleared............... 0 day 5 hr 7 min 16 sec


Management PreferencesThe command show switch number (See Verifying Switch Numbers and OS Version on page 29) displays a field called "Hardware Management Preference" and one called “Admin Management Preferences.” The attribute for “Hardware Management Preferences” cannot be changed through the CLI. The attribute for “Admin Management Preferences” can be changed through the command switch number priority value.

Hardware Management Preference

The “Hardware Management Preference” field indicates whether the device is capable of becoming a management unit. The value for “Hardware Management Preference” always displays as “Unassigned.” The valid values for this field are “Disabled” and “Unassigned” (default).

Administrative Management Preference

The “Administrative Management Preference” indicates the preference given to this unit over another units by an administrator when the management unit fails. The default value is “1.” A value of “0” means the unit cannot become a management unit.

This field indicates the administrative management preference value assigned to the switch. This preference value indicates how likely the switch is to be chosen as the Primary Management Unit.

Unsetting Management PreferenceThere is no CLI command to set management preference back to “unassigned”. The management preference information is stored locally on each box, and can be erased using the boot menu option that deletes all configuration files including the unit number.

Management Preference and MAC AddressThe role of each switch in a stack as either manager or member can be changed by setting the management preference and MAC address. Management preference is considered before the MAC address. The higher the management preference value is makes it more likely for that switch to become manager. Likewise, the higher the MAC address value is makes it more likely for that switch to become manager.

The preference decision is made only when the current manager fails and a new manager needs to be selected, or when a stack of units is powered up with none of the units previously holding the management role. If two managers are connected together, then management preference has no effect.

46 Management

This chapter describes the Syslog (system log) feature.

OverviewA syslog can:

• Store system messages and/or errors • Store to local files on the switch or a remote server running a syslog daemon• Collect message logs from many systems

Persistent Log Files• There are currently three log files — one for each of the last three sessions.• Each log has two parts:

• The startup log is the first 32 messages after system startup.• The operational log is the last 32 messages received after the startup log is full.

• Files are stored in ASCII format:• slog0.txt - slog2.txt• olog0.txt - olog2.txt

Where 0 is for the boot, 1 is for the last boot, 2 is for the boot before that, and the third one falls off.

• Logs can be saved to a local server to monitor at a later point in time.

Chapter 5 Syslog


Interpreting Log Files<130> JAN 01 00:00:06 0.0.0.0-1 UNKN[Ox800023]: bootos.c(386) 4 %% Event(0xaaaaaaaa)----- ----------------------- - ---- -------- -------- --- - ---------- A B C D E F G H I

Legend:

A. PriorityB. TimestampC. Stack IDD. Component NameE. Thread IDF. File NameG. Line NumberH. Sequence NumberI. Message

CLI ExamplesThe following are examples of the commands used in the Syslog feature.

Example #1: show logging

Figure 19 Using the show logging Command

(Force10 S50)#show logging

Logging Client Local Port: 514CLI Command Logging: disabledConsole Logging: disabledConsole Logging Severity Filter: alertBuffered Logging: enabled

System Logging: disabled

Log Messages Received: 66Log Messages Dropped: 0Log Messages Relayed: 0Log Messages Ignored: 0

48 Syslog

Example #2: show logging buffered

Figure 20 Using the show logging buffered Command

Example #3: show logging traplogs

Figure 21 Using the show logging traplogs Command

(Force10 S50)#show logging buffered ?

<cr> Press Enter to execute the command.

(Force10 S50)#show logging buffered

Buffered (In-Memory) Logging: enabledBuffered Logging Wrapping Behavior: OnBuffered Log Count: 66

<1> JAN 01 00:00:02 0.0.0.0-0 UNKN[268434944]: usmdb_sim.c(1205) 1 %% Error 0 (0x0)<2> JAN 01 00:00:09 0.0.0.0-1 UNKN[268434944]: bootos.c(487) 2 %% Event (0xaaaaaaaa)<6> JAN 01 00:00:09 0.0.0.0-1 UNKN[268434944]: bootos.c(531) 3 %% Starting code...<6> JAN 01 00:00:16 0.0.0.0-3 UNKN[251627904]: cda_cnfgr.c(383) 4 %% CDA: Creating new STK file.<6> JAN 01 00:00:39 0.0.0.0-3 UNKN[233025712]: edb.c(360) 5 %% EDB Callback: Unit Join: 3.<6> JAN 01 00:00:40 0.0.0.0-3 UNKN[251627904]: sysapi.c(1864) 6 %% File user_mgr_cfg: same version (6) but the sizs (2312->7988) differ

(Force10 S50)#show logging traplogs ?

<cr> Press Enter to execute the command.

(Force10 S50)#show logging traplogs

Number of Traps Since Last Reset............6Number of Traps Since Log Last Viewed.......6

Log System Up Time Trap--- -------------- ----------------------------------------------0 0 days 00:00:46 Link Up: Unit: 3 Slot: 0 Port: 21 0 days 00:01:01 Cold Start: Unit: 02 0 days 00:21:33 Failed User Login: Unit: 1 User ID: admin3 0 days 18:33:31 Failed User Login: Unit: 1 User ID: \4 0 days 19:27:05 Multiple Users: Unit: 0 Slot: 3 Port: 15 0 days 19:29:57 Multiple Users: Unit: 0 Slot: 3 Port: 1


Example #4: show logging hosts

Figure 22 Using the show logging hosts Command

Example #5: logging port configuration

Figure 23 Using the show logging hosts Command

(Force10 S50)#show logging hosts ?

<unit> Enter switch ID in the range of 1 to 8.

(Force10 S50)#show logging hosts 1 ?

<cr> Press Enter to execute command.

(Force10 S50)#show logging hosts 1

Index IP Address Severity Port Status----- -------------- -------- ----- ------1 192.168.77.151 critical 514 Active

(Force10 S50)#config(Force10 S50)(Config)#logging ?buffered Buffered (In-Memory) Logging Configuration.cli-command CLI Command Logging Configuration.console Console Logging Configuration.host Enter IP Address for Logging Host.syslog Syslog Configuration.

(Force10 S50)(Config)#logging syslog ?

<cr> Press Enter to execute the command.port Logging Port Configuration.

(Force10 S50)Config)#logging host 192.168.77.151 ?

<cr> Press Enter to execute the command.<port> Enter Port ID.

(Force10 S50)(Config)#logging host 192.168.77.151 port ?<cr> Press Enter to execute the command.<severitylevel>Enter Logging Severity Level (emergency|0, alert|1, critical|2, error|3, warning|4 notice|5, info|6, debug|7).(Force10 S50)(Config)#logging host 192.168.77.151 port 1 ?<cr> Press Enter to execute the command.

(Force10 S50)(Config)#logging host 192.168.77.151 port 1Incorrect input! User ‘logging host <ipaddress> [portid> [<severitylevel>]]’.

50 Syslog

This chapter contains the following sections:

• Stackability Features on page 51• Important Points to Remember on page 52• Management Unit Selection Algorithm on page 52• Unit Number Assignment on page 52• Stackability Commands on page 53

Stackability Features• Stacking cable length availability

— Short Length stacking cable (60 cm)— Long Length stacking cable (4 meters)

• Stack manager selection algorithm• Stacking commands

How to connect each S50 with stacking cables:

Figure 24 Stacking Cabling Methods

Chapter 6 Stackability

A BSwitch 1

A BSwitch 2

A BSwitch 3

Ring Connection Cascade Connection

A BSwitch 1

A BSwitch 2

A BSwitch 3

A BSwitch 4


Important Points to Remember• Manage the whole stack unit as a single unit.• In the current release, each switch need to have the same OS version.• Issue CLI commands at the management unit only.• Upgrading the stack manager automatically upgrades other units in the stack.• Configuration and images can be distributed to all units from the Management unit.

Management Unit Selection Algorithm• If the unit is configured to be a Management Unit, but another Management Unit is already active, then

the unit changes its configured value to disable the Primary Management Unit function.• If the Management Unit function is unassigned and there is another Management Unit in the system

then the unit changes its configured value to disable the Primary Management Unit function.• If the Management Unit function is enabled or unassigned and there is no other Primary Management

unit in the system, then the unit becomes the Primary Management Unit.• If the Primary Management Unit function is disabled then the unit remains a non-primary management

unit.• The priority is only used to select the next manager when the current manager fails.• In the case when two units come up at the same time, then whichever has the higher priority or higher

MAC address becomes the management unit• The last Management Unit has the highest preference for becoming the manager after a reboot.

Unit Number Assignment• If the unit number is configured, but another unit already uses that number, the unit changes its

configured unit number to the lowest unassigned unit number.• If the unit number is unassigned then the unit sets its configured unit number to the lowest unassigned

unit number.• If the unit number is configured and no other device uses the unit number, then the unit starts using the

configured unit number.• If a unit detects the maximum number of units already exist, the unit sets its unit number to

"unassigned“ and stays in the Initialization state.

52 Stackability

Stackability CommandsThe following are stacking commands:


show switch Privileged Exec; User Exec

This command displays information about all units in the stack.

show switch unit Privileged Exec; User Exec

This command displays information for a specific unit in the stack.

show supported switchtype

Privileged Exec; User Exec

This commands displays information about all supported switch types.

show supported switchtype switchindex

Privileged Exec; User Exec

This commands displays information about a requested switch type.

stack Global Config Enables user to enter Stacking Config mode (The prompt is “(config-stack)#”.)

switch oldunit renumber newunit

Global Config This command changes the switch identifier for a switch in the stack.

switch unit priority value Global Config This command configures the ability of a switch to become the Primary Management Unit.

[no] member unit switchindex

Stacking Config This command configures a switch. The unit is the switch identifier of the switch to be added/removed from the stack. The switchindex (SID) is the index into the database of the supported switch types, indicating the type of the switch being preconfigured.

movemanagement fromunit tounit

Stacking Config This command moves the Primary Management Unit functionality from one switch to another.

archive copy-sw destination-system unit

Stacking Config This command replicates the STK file from the Primary Management Unit to the other switch(es) in the stack.

archive download-sw url Stacking Config This command downloads the STK file to the switch.


To show information about MAC addresses in a stack, use the show mac-addr-table command:

Figure 25 show mac-addr-table Command Example

To show information about port status in a stack, use the show stack-port command:

Figure 26 show stack-port Command Example

(Force10 S50) #show mac-addr-tableMac Address Interface IfIndex Status ----------------------- --------- ------- ------------00:01:00:01:00:00:00:01 2/0/37 87 Learned 00:01:00:01:00:00:00:37 1/0/1 1 Learned 00:01:00:03:00:00:00:03 1/0/2 2 Learned 00:01:00:03:00:00:00:39 2/0/38 88 Learned 00:01:00:04:00:00:00:45 2/0/45 95 Learned 00:01:00:04:00:00:00:46 1/0/45 45 Learned 00:01:00:06:00:00:00:47 2/0/46 96 Learned 00:01:00:06:00:00:00:48 1/0/46 46 Learned 00:01:00:D0:95:B7:CD:2E 0/3/1 401 Management

(Force10 S50) #show stack-portConfigured Running Stack Stack Link LinkUnit Interface Mode Mode Status Speed (Gb/s)---- ---------------- ---------- ---------- ------------ ------------1 HiGig 1 N/A Stack Link Up 10 1 HiGig 2 N/A Stack Link Down 10 2 HiGig 1 N/A Stack Link Down 10 2 HiGig 2 N/A Stack Link Up 10 3 HiGig 1 N/A Stack Link Up 10 3 HiGig 2 N/A Stack Link Up 10

54 Stackability

For a summary of all the units in a stack, use the show switch command:

Figure 27 show switch Command Example

To add a unit to the stack, use the member command:

Figure 28 Using the member Command to Add a Unit

(Force10 S50) #show switch

Management Preconfig Plugged-in Switch Code Switch Status Model ID Model ID Status Version------ ------------ ------------- ------------- --------------------- --------1 Mgmt Switch SA-01-GE-48T SA-01-GE-48T OK 2.2.1 3 Stack Member SA-01-GE-48T SA-01-GE-48T OK 2.2.1 4 Stack Member SA-01-GE-48T SA-01-GE-48T OK 2.2.1

(Force10 S50) #show switch 1

Switch............................ 1Management Status................. Management SwitchHardware Management Preference.... UnassignedAdmin Management Preference....... UnassignedSwitch Type....................... 0x56950202Preconfigured Model Identifier.... SA-01-GE-48TPlugged-in Model Identifier....... SA-01-GE-48TSwitch Status..................... OKSwitch Description................ Expected Code Type................ 0x100b000Detected Code Version............. 2.2.1Detected Code in Flash............ 2.2.1Serial Number..................... DE40047Up Time........................... 0 days 0 hrs 33 mins 55 secs

Stack ManagerMemberMember

(Force10 S50) #show supported switchtype

Mgmt CodeSID Switch Model ID Pref Type--- -------------------------------- ------------ ---------1 SA-01-GE-48T 1 0x100b0002 SA-01-GE-48T 1 0x100b000

(Force10 S50) #configure (Force10 S50) (Config)#stack (Force10 S50) (config-stack)#member 5 1(Force10 S50) (config-stack)#exit(Force10 S50) (Config)#exit(Force10 S50) #show switch

Management Preconfig Plugged-in Switch Code Switch Status Model ID Model ID Status Version------ ------------ ------------- ------------- --------------------- --------1 Mgmt Switch SA-01-GE-48T SA-01-GE-48T OK F.4.21 3 Stack Member SA-01-GE-48T SA-01-GE-48T OK F.4.21 4 Stack Member SA-01-GE-48T SA-01-GE-48T OK F.4.21 5 Unassigned SA-01-GE-48T Not Present 0.0.0

(Force10 S50) #

Unit 5 added


To remove a unit from the stack, use the member command:

Figure 29 Using the member Command to Remove a Unit

To change the priority of a switch within a stack, use the switch unit priority value command:

Figure 30 Changing Switch Unit Priority

(Force10 S50) (config-stack)#no member 5(Force10 S50) (config-stack)#exit(Force10 S50) (Config)#exit(Force10 S50) #show switch

Management Preconfig Plugged-in Switch Code Switch Status Model ID Model ID Status Version------ ------------ ------------- ------------- --------------------- --------1 Mgmt Switch SA-01-GE-48T SA-01-GE-48T OK F.4.21 3 Stack Member SA-01-GE-48T SA-01-GE-48T OK F.4.21 4 Stack Member SA-01-GE-48T SA-01-GE-48T OK F.4.21

(Force10 S50) #Unit 5 removed

(Force10 S50) (Config)#switch 4 priority 2(Force10 S50) (Config)#exit(Force10 S50) #show switch

Management Preconfig Plugged-in Switch Code Switch Status Model ID Model ID Status Version------ ------------ ------------- ------------- --------------------- --------1 Stack Member SA-01-GE-48T SA-01-GE-48T OK 2.2.1 3 Mgmt Switch SA-01-GE-48T SA-01-GE-48T OK 2.2.1 4 Stack Member SA-01-GE-48T SA-01-GE-48T OK 2.2.1

(Force10 S50) #show switch 4

Switch............................ 4Management Status................. Stack MemberHardware Management Preference.... UnassignedAdmin Management Preference....... 2Switch Type....................... 0x56950202Preconfigured Model Identifier.... SA-01-GE-48TPlugged-in Model Identifier....... SA-01-GE-48TSwitch Status..................... OKSwitch Description................ Expected Code Type................ 0x100b000Detected Code Version............. 2.2.1Detected Code in Flash............ 2.2.1Serial Number..................... DE400347Up Time........................... 0 days 0 hrs 56 mins 51 secs

Value is now set to priority 2

56 Stackability

To move the management unit from one unit to another within a stack, use the movemanagement command:

Figure 31 Moving the Management Unit within a Stack

(Unit 3)>(Unit 3)>This switch is manager of the stack.STACK: attach 5 units on 1 cpu

User:Trying to attach more units.....This switch is manager of the stack.STACK: attach 5 units on 1 cpuTrying to attach more units.....This switch is manager of the stack.STACK: attach 5 units on 1 cpu

User:

User:*****Password:(Force10 S50) >enablePassword:

(Force10 S50) #show switch

Management Preconfig Plugged-in Switch CodeSwitch Status Model ID Model ID Status Version------ ------------ ------------- ------------- --------------------- --------1 Stack Member SA-01-GE-48T SA-01-GE-48T OK F.4.213 Mgmt Switch SA-01-GE-48T SA-01-GE-48T OK F.4.214 Stack Member SA-01-GE-48T SA-01-GE-48T OK F.4.21

(Force10 S50) #

Management Switch is now Unit 3

(Force10 S50) (config-stack)#movemanagement 1 3Moving stack management will unconfigure entire stack including all interfaces.Are you sure you want to move stack management? (y/n) y

(Force10 S50) (config-stack)#(Unit 1)>This switch is not manager of the stack.STACK: detach 15 units

(Unit 1)>Unit 1 no longer has CLI

Log into Unit 3


58 Stackability

SFTOS supports several security methods, including local (see Creating a User and Password on page 26), port security, RADIUS, Secure Shell (SSH), and Terminal Access Controller Access Control System (TACACS+). Using TACACS+ is provided here as an example of a client-server security setup. RADIUS configuration is similar. Enabling SSH and SSL (for use with the Web interface) are also described.

Choosing TACACS+ as an Authentication MethodTo use TACACS+ to authenticate users, you must specify at least one TACACS+ server with which the S-Series to communicate, then identify TACACS+ as one of your authentication methods. To select TACACS as the login authentication method, use these commands in the following sequence in the Global Config mode:

TACACS would generally not be the last method specified in order to avoid a situation where the final authentication option depends on a server that might be offline. Generally, you would specify local as the final method. For example, in the command string “authentication login listone tacacs local”, “listone” is the name given to the method list, followed by the selected sequence of authentication methods—“tacacs” and then “local”. For details on setting local passwords, see Creating a User and Password on page 26.

TACACS+ includes a group of configurable settings that you can also leave in their default settings. You can configure some global settings (for all TACACS+ servers), or you can configure settings at the individual server level. See the Security chapter in the SFTOS Command Line Interface Reference for details on global settings. See the following section for more on configuring one host.

Chapter 7 Security

Step Command Syntax Command Mode Purpose

1 tacacs-server host ip-address Global Config Configure a TACACS+ server host. Enter the IP address or host name of the TACACS+ server.You can use this command multiple times to configure multiple TACACS+ server hosts.

2 authentication login listname {method1 [method2 [method3]]]

Global Config Create a method-list name and specify that TACACS is one method for login authentication.


To specify the IP address of the TACACS host, use the tacacs-server host command in the Privileged Exec mode, as shown here. In this example, the user then changes the local timeout to 5 seconds:

Figure 32 Setting the IP Address of a TACACS+ Server

To view the TACACS configuration, use the show tacacs command in the Privileged Exec mode.

Figure 33 Settings for Multiple TACACS+ Servers

To specify the sequence of user authentication methods, use the authentication login command. This example shows the creation of three lists, each one with a different priority sequence. The list called “one” sets the TACACS+ server as the second authentication method; list “two” defaults to local authentication; list “three” sets the TACACS+ server as the first method :

Figure 34 Setting the Authentication Method

Force10#show tacacs(S50-TAC-5) (Config)#tacacs-server host 1.1.1.1

(S50-TAC-5) (Tacacs)#timeout 5

(S50-TAC-5) (Tacacs)#exit

(S50-TAC-5) (Config)#

Force10#show tacacs

IP address Status Port Single Timeout Priority Connection--------------- ------------ ----- ---------- ------- --------1.1.1.1 Disconnected 49 No Global 0 172.16.1.58 Disconnected 49 No Global 0

Global values--------------Timeout: 10

(S50-TAC-5) (Config)#authentication login one local tacacs(S50-TAC-5) (Config)#authentication login two(S50-TAC-5) (Config)#authentication login three tacacs

60 Security

TACACS+ Server Host Configuring OptionsTo configure a TACACS+ server host, you must first configure its IP address with the tacacs-server host command, as described above. After you identify the host, you are put in the TACACS Configuration mode for that particular host. In that mode, you can override global and default settings of the communication parameters. You can also use the following commands for the particular TACACS host:

To delete a TACACS+ server host, use the no tacacs-server host ip-address command.

Enabling Secure Management with Secure Shell or Secure Sockets Layer

Secure SHell (SSH) and Secure Sockets Layer (SSL/HTTPS) both provide secure management through an encrypted transport session between the management station and switch.

Enabling secure management via SSH and SSL on the S50 is a four step process:

1. Generate the SSH keys or SSL certificates offline.

2. Copy the SSH keys or SSL certificates to the switch using TFTP.

3. Enable the secure management server (SSH or HTTPS) on the switch.

4. Disable the insecure version of the management server (Telnet or HTTP).


key key-string TACACS Configuration

Specify the authentication and encryption key for all communications between the client and the particular TACACS server. This key must match the key configured on the server. Range: 1 to 128 characters

port port-number TACACS Configuration

Specify a server port number for that TACACS host. Range: zero (0) to 65535. Default = 49

priority priority TACACS Configuration

Determine the order in which the servers will be used, with 0 being the highest priority. Range: zero (0) to 65535. Default = 0

single-connection TACACS Configuration

Configure the client to maintain a single open connection with the TACACS server. Default = multiple connections

timeout TACACS Configuration

Range: 1 to 30 seconds. Default = global setting


The SSH keys and SSL certificates are in a .zip file that you get from your Force10 account team. The .zip file contains two directories—ssh and ssl:

• The ssh directory has example RSA1, RSA2, and DSA keys and a shell script called “generate-keys.sh” that can be used to generate your own SSH keys.

• The ssl directory has example certificates and a shell script called “generate-pem.sh” that can be used to generate your own SSL certificates.

The scripts provided use OpenSSH (http://www.openssh.org/) and OpenSSL (http://www.openssl.org/) for key and certificate generation. Other free and commercial tools exist that can provide the same functionality, and you can use them if you like.

For additional options and commands related to the Telnet, SSH, and HTTP/HTTPS features, see Chapter 3, Getting Started.

Enabling SSH1. Generate the SSH keys using the script in the ssh directory, or copy the example keys (which end in

.key) to your TFTP server.

2. Copy the keys to NVRAM with TFTP as follows from this example, using the IP address of your TFTP server. For SSHv1, copy the RSA1 key; for SSHv2, copy the RSA2 and DSA keys.

Figure 35 Copying RSA1 key to NVRAM for SSHv1

(Force10 S50) #copy tftp://192.168.0.10/rsa1.key nvram:sshkey-rsa1Mode........................................... TFTPSet TFTP Server IP............................. 192.168.0.10TFTP Path......................................TFTP Filename.................................. rsa1.keyData Type...................................... SSH RSA1 keyAre you sure you want to start? (y/n) yTFTP SSH key receive complete... updating key file...Key file transfer operation completed succesfully

62 Security

Figure 36 Copying RSA2 and DSA keys to NVRAM for SSHv2

3. Enable the SSH server with the ip ssh enable server command.

4. To verify that the server has started, use the show ip ssh command to show the SSH server status, and check the log file for the following messages.

Figure 37 Using the show ip ssh command to show SSH server status

Figure 38 Using the show logging buffered command to show SSH server status

5. Using an SSH client, connect to the switch and login to verify that the SSH server is working.

(Force10 S50) #copy tftp://192.168.0.10/rsa2.key nvram:sshkey-rsa2Mode........................................... TFTPSet TFTP Server IP............................. 192.168.0.10TFTP Path......................................TFTP Filename.................................. rsa2.keyData Type...................................... SSH RSA2 keyAre you sure you want to start? (y/n) yTFTP SSH key receive complete... updating key file...Key file transfer operation completed succesfully

(S50) #copy tftp://192.168.0.10/dsa.key nvram:sshkey-dsaMode........................................... TFTPSet TFTP Server IP............................. 192.168.0.10TFTP Path......................................TFTP Filename.................................. dsa.keyData Type...................................... SSH DSA keyAre you sure you want to start? (y/n) yTFTP SSH key receive complete... updating key file...Key file transfer operation completed succesfully

(Force10 S50) #show ip sshSSH ConfigurationAdministrative Mode: .......................... EnabledProtocol Levels: .............................. Versions 1 and 2SSH Sessions Currently Active: ................ 0Max SSH Sessions Allowed: ..................... 5SSH Timeout: .................................. 5

(Force10 S50) #show logging bufferedJAN 01 00:31:54 192.168.0.34-1 UNKN[222273672]: sshd_control.c(444) 15 %% SSHD: sshdListenTask startedJAN 01 00:31:54 192.168.0.34-1 UNKN[209305936]: sshd_main.c(596) 16 %% SSHD: successfully opened file ssh_host_dsa_keyJAN 01 00:31:54 192.168.0.34-1 UNKN[209305936]: sshd_main.c(609) 17 %% SSHD: successfullyloaded DSA keyJAN 01 00:31:54 192.168.0.34-1 UNKN[209305936]: sshd_main.c(631) 18 %% SSHD: successfullyopened file ssh_host_rsa_keyJAN 01 00:31:54 192.168.0.34-1 UNKN[209305936]: sshd_main.c(643) 19 %% SSHD: successfullyloaded RSA2 keyJAN 01 00:31:56 192.168.0.34-1 UNKN[209305936]: sshd_main.c(353) 20 %% SSHD: Done generating


6. Once you have verified that you can connect to the switch with an SSH client, the Telnet server can be disabled with the no telnet command for additional security. The Telnet server is enabled by default.

Enabling SSL/HTTPS1. Generate the SSL certificates using the script in the ssl directory, or copy the example certificates

(which end in .pem) to your TFTP server.

2. Copy the certificates to NVRAM with TFTP as shown in the following example, using the IP address of your TFTP server.

Figure 39 Copying SSL certificates to NVRAM

3. Enable the HTTPS server with the ip http secure-server command.

4. To verify that the server has started, use the show ip http command to show the HTTPS server status, and check the log file for the following messages.

(Force10 S50) #copy tftp://192.168.0.10/dh512.pem nvram:sslpem-dhweakMode........................................... TFTPSet TFTP Server IP............................. 192.168.0.10TFTP Path......................................TFTP Filename.................................. dh512.pemData Type...................................... SSL DH weakAre you sure you want to start? (y/n) yTFTP SSL certificate receive complete... updating certificate file...Certificate file transfer operation completed succesfully

(Force10 S50) #copy tftp://192.168.0.10/dh1024.pem nvram:sslpem-dhstrongMode........................................... TFTPSet TFTP Server IP............................. 192.168.0.10TFTP Path......................................TFTP Filename.................................. dh1024.pemData Type...................................... SSL DH strongAre you sure you want to start? (y/n) yTFTP SSL certificate receive complete... updating certificate file...Certificate file transfer operation completed succesfully

(S50) #copy tftp://192.168.0.10/server.pem nvram:sslpem-serverMode........................................... TFTPSet TFTP Server IP............................. 192.168.0.10TFTP Path......................................TFTP Filename.................................. server.pemData Type...................................... SSL Server certAre you sure you want to start? (y/n) yTFTP SSL certificate receive complete... updating certificate file...Certificate file transfer operation completed succesfully(S50) #copy tftp://192.168.0.10/rootcert.pem nvram:sslpem-rootMode........................................... TFTPSet TFTP Server IP............................. 192.168.0.10TFTP Path......................................TFTP Filename.................................. rootcert.pemData Type...................................... SSL Root certAre you sure you want to start? (y/n) yTFTP SSL certificate receive complete... updating certificate file...Certificate file transfer operation completed successfully

64 Security

Figure 40 Using the show ip http command to show HTTPS server status

5. Using a Web browser, connect to the switch using an https:// URL, and login to verify that the SSL server is working. The padlock icon on your browser should indicate an encrypted connection.

If you used the example certificates, your browser will display a warning that it cannot verify the authenticity of the certificate. This is because the example certificates have not been certified by a Certification Authority. When certificates are acquired from a Certification Authority and loaded on the switch, this warning will not occur.

6. Once you have verified that you can connect to the switch with a Web browser, the HTTP server can be disabled with the no ip http server command for additional security if it was enabled previously. The HTTP server is disabled by default.

(Force10 S50) #show ip httpHTTP Mode (Unsecure): DisabledHTTP Mode (Secure): EnabledSecure Port: 443Secure Protocol Level(s): TLS1 SSL3

(Force10 S50) #show logging bufferedJAN 01 01:16:19 192.168.0.34-1 UNKN[209189968]: sslt_util.c(321) 39 %% SSLT: Successfullyloaded all required SSL PEM files


66 Security

SFTOS supports the following features:

• Switching Features on page 67• Forwarding, Aging, and Learning on page 67• Spanning Tree Protocol (IEEE 802.1d) on page 68• Forceversion Command on page 68• Multiple Spanning-Tree Protocol (MSTP, IEEE 802.1s) on page 78

Switching Features• Switching applications and protocols, including:• Forwarding, Aging and Learning• Spanning Tree, IVL and STP per VLAN• IEEE 802.1d Spanning Tree• IEEE 802.1w Rapid Spanning Tree• IEEE 802.1s Multiple Spanning Tree

Forwarding, Aging, and Learning• Forwarding

— At Layer 2, frames are forwarded according to their MAC address.• Aging

— SFTOS supports a user-configurable address aging timeout parameter as defined in IEEE 802.1d.• Learning

— SFTOS learns and manages MAC addresses as specified in IEEE 802.1d and IEEE 802.1q.— SFTOS supports Shared VLAN Learning (SVL), although Independent VLAN Learning (IVL) is

the default.

Chapter 8 Spanning Tree and MSTP


Spanning Tree Protocol (IEEE 802.1d)STP uses a spanning tree algorithm to provide path redundancy while preventing undesirable loops in a network.

• SFTOS switching can be configured to run with STP enabled or disabled.• Without STP, a path failure causes a loss of connectivity.• STP allows only one active path at a time between any two network devices, but allows for backup

paths.• When a topology change occurs, accelerated aging is used on the forwarding database(s).

SFTOS Spanning-Tree Protocol (STP) conforms to IEEE 802.1D and RFC 1493 Bridge MIB. STP allows port costs to be configured as zero, which causes the port to use IEEE 802.1D-recommended values. In addition, per-port Administrative Mode affects sequence when link comes up:

• IEEE 802.1D mode—follows the standard.• Fast mode—listening and learning timers set to two seconds (this is recommended to avoid time-outs

during reconfiguration).• Off/manual mode—port is always in forwarding mode (this is recommended, but only when no loops

are possible).

Forceversion CommandThe Global Configuration command spanning-tree forceversion sets the protocol Version parameter to a new value. The Force Protocol Version can be one of the following:

• 802.1d - STP BPDUs are transmitted rather than MST BPDUs (IEEE 802.1d functionality supported)• 802.1w - RST BPDUs are transmitted rather than MST BPDUs (IEEE 802.1w functionality supported)• 802.1s - MST BPDUs are transmitted (IEEE 802.1s functionality supported)

— spanning-tree forceversion <802.1d | 802.1w | 802.1s>

CLI Management

Privileged and User Exec Mode CLI commands:

• Display STP settings and parameters for the switch— show spanning-tree summary

• Display STP settings and parameters for the bridge instance— show spanning-tree [brief]

Global Config Mode CLI commands:

• [Disable] enable spanning tree for the switch:

68 Spanning Tree and MSTP

— [no] spanning-tree

• Set maximum time for discarding STP configuration messages, default 20 seconds— [no] spanning-tree max-age <6-40>

• Set time between STP config messages, default 2 seconds— [no] spanning-tree hellotime <1-10>

• Set time spent in listening and learning, default 15 seconds— [no] spanning-tree forward-times <4-30>

CLI Port Management

Privileged and User Exec Mode CLI command:

• Display STP settings and parameters for an interface— show spanning-tree interface <unit/slot/port>

Global Config Mode CLI command:

• [Disable] enable STP administrative mode for all interfaces— [no] spanning-tree port mode all

Interface Config Mode CLI command:

• [Disable] enable STP administrative mode for an interface— [no] spanning-tree port mode

Configuration Example

STP: (default FP STP disable, edge port disable)

• no edge port is used for switch to switch• Switch 2 is used for switching.• Switch1 is the root bridge.• If using spanning-tree forceversion 802.1w to change the protocol, then, when this switch

changes back to 802.1s, its peers has to use spanning-tree bpdumigrationcheck all to initialize their own protocol. Or just reset the peers.— For instance, when Switch 2 runs spanning-tree forceversion 802.1w, Switch 1 and Switch 3

will auto adjust their protocols to 802.1w. When Switch 2 reconfigures back to 802.1s (spanning-tree forceversion 802.1s), Switch 1 and Switch 3 must run spanning-tree bpdumigrationcheck all.


Procedure1.Configure the STP switch using below CLI.2.Check the STP status.3.Set Switch 2 forceversion 802.1w.4.Verify the STP status.

Verify• show spanning-tree

• show spanning-tree mst port summary 0 all

• show spanning-tree mst port detailed 0/0/3

Switch2_r421:

vlan database vlan routing 1exit

set prompt Switch2_r421

config lineconfig serial timeout 0 exit

spanning-tree spanning-tree port mode all

int 0/1 no span edge exit int 0/3 no span edge exit exit

config spanning-tree forceversion 802.1w

config


Switch1_A_H2 : (use port 0/1 and 0/12)

Switch3_H2 : (use port 0/3 & 0/12)


set prompt Switch1_A_H2



int 0/1 no span edge exit

int 0/12 no span edge exit exit

*Switch1 is rootconfig spanning-tree mst priority 0 30000


set prompt Switch3_H2



int 0/3 no span edge exit int 0/12 no span edge exit exit


Commands

root bridge

(Switch1_A_H2) #show spanning-tree mst port summary 0 all

STP STP PortInterface Mode Type State Role--------- -------- ------- ----------------- ----------0/1 Enabled Forwarding Designated0/2 Enabled Disabled Disabled0/3 Enabled Disabled Disabled0/4 Enabled Disabled Disabled0/5 Enabled Disabled Disabled0/6 Enabled Disabled Disabled0/7 Enabled Disabled Disabled0/8 Enabled Disabled Disabled0/9 Enabled Disabled Disabled0/10 Enabled Disabled Disabled0/11 Enabled Disabled Disabled0/12 Enabled Forwarding Designated0/13 Enabled Disabled Disabled0/14 Enabled Disabled Disabled0/15 Enabled Disabled Disabled--More-- or (q)uit

(Switch1_A_H2) #show spanning-tree

Bridge Priority................................ 28672Bridge Identifier.............................. 70:00:00:10:18:82:03:35Time Since Topology Change..................... 0 day 0 hr 14 min 37 secTopology Change Count.......................... 3Topology Change in progress.................... FALSEDesignated Root................................ 70:00:00:10:18:82:03:35Root Path Cost................................. 0Root Port Identifier........................... 00:00Bridge Max Age................................. 20Bridge Forwarding Delay........................ 15Hello Time..................................... 2Bridge Hold Time............................... 3CST Regional Root.............................. 70:00:00:10:18:82:03:35Regional Root Path Cost........................ 0

Associated FIDs Associated VLANs --------------- ---------------- 1 1


switch2:

(Switch2_r421) #show spanning-tree

Bridge Priority................................ 32768Bridge Identifier.............................. 80:00:00:10:18:82:02:CATime Since Topology Change..................... 0 day 0 hr 0 min 4 secTopology Change Count.......................... 0Topology Change in progress.................... FALSEDesignated Root................................ 80:00:00:10:18:82:02:CARoot Path Cost................................. 0Root Port Identifier........................... 00:00Bridge Max Age................................. 20Bridge Forwarding Delay........................ 15Hello Time..................................... 2Bridge Hold Time............................... 3CST Regional Root.............................. 80:00:00:10:18:82:02:CARegional Root Path Cost........................ 0



Bridge Priority................................ 32768Bridge Identifier.............................. 80:00:00:10:18:82:02:CATime Since Topology Change..................... 0 day 0 hr 1 min 12 secTopology Change Count.......................... 4Topology Change in progress.................... FALSEDesignated Root................................ 70:00:00:10:18:82:03:35Root Path Cost................................. 200000Root Port Identifier........................... 80:03Bridge Max Age................................. 20Bridge Forwarding Delay........................ 15Hello Time..................................... 2Bridge Hold Time............................... 3CST Regional Root.............................. 80:00:00:10:18:82:02:CARegional Root Path Cost........................ 0



Switch2 switching switch

(Switch2_r421) #show spanning-tree mst port summary 0 all

STP STP PortInterface Mode Type State Role--------- -------- ------- ----------------- ----------0/1 Enabled Forwarding Designated0/2 Enabled Disabled Disabled0/3 Enabled Forwarding Root0/4 Enabled Disabled Disabled0/5 Enabled Disabled Disabled0/6 Enabled Disabled Disabled0/7 Enabled Disabled Disabled0/8 Enabled Disabled Disabled0/9 Enabled Forwarding Designated0/10 Enabled Disabled Disabled0/11 Enabled Discarding Backup0/12 Enabled Disabled Disabled0/13 Enabled Disabled Disabled0/14 Enabled Disabled Disabled0/15 Enabled Disabled Disabled--More-- or (q)uit

(Switch2_r421) #show hard

Switch: 1

System Description............................. Force10 SwitchingMachine Type................................... XXXMachine Model.................................. XGS SwitchSerial Number.................................. 1431FRU Number.....................................Part Number.................................... XXXMaintenance Level.............................. AManufacturer................................... 0xbc00Burned In MAC Address.......................... 00:10:18:82:02:CASoftware Version............................... H.11.11.1Operating System............................... Switch25.5.1Network Processing Device...................... REV 3

Additional Packages............................ SFTOS QOS


(Switch2_r421) (Config)#spanning-tree forceversion 802.1w(Switch2_r421) #show span







(Switch2_r421) #show spanning-tree mst port detailed 0 0/3

Port Identifier................................ 80:03Port Priority.................................. 128Port Forwarding State.......................... ForwardingPort Role...................................... RootAuto-calculate Port Path Cost.................. EnabledPort Path Cost................................. 200000Designated Root................................ 70:00:00:10:18:82:03:35Designated Port Cost........................... 0Designated Bridge.............................. 70:00:00:10:18:82:03:35Designated Port Identifier..................... 80:01Topology Change Acknowledge.................... FALSEHello Time..................................... 2Edge Port...................................... FALSEEdge Port Status............................... FALSEPoint to Point MAC Status...................... TRUECST Regional Root.............................. 70:00:00:10:18:82:03:35CST Path Cost.................................. 0


Port Identifier................................ 80:01Port Priority.................................. 128Port Forwarding State.......................... ForwardingPort Role...................................... DesignatedAuto-calculate Port Path Cost.................. EnabledPort Path Cost................................. 200000Designated Root................................ 70:00:00:10:18:82:03:35Designated Port Cost........................... 200000Designated Bridge.............................. 80:00:00:10:18:82:02:CADesignated Port Identifier..................... 80:01Topology Change Acknowledge.................... FALSEHello Time..................................... 2Edge Port...................................... FALSEEdge Port Status............................... FALSEPoint to Point MAC Status...................... TRUECST Regional Root.............................. 80:00:00:10:18:82:02:CACST Path Cost.................................. 0


802.1w


Port Identifier................................ 80:09Port Priority.................................. 128Port Forwarding State.......................... ForwardingPort Role...................................... DesignatedAuto-calculate Port Path Cost.................. EnabledPort Path Cost................................. 20000Designated Root................................ 70:00:00:10:18:82:03:35Designated Port Cost........................... 200000Designated Bridge.............................. 80:00:00:10:18:82:02:CADesignated Port Identifier..................... 80:09Topology Change Acknowledge.................... FALSEHello Time..................................... 2Edge Port...................................... FALSEEdge Port Status............................... FALSEPoint to Point MAC Status...................... TRUECST Regional Root.............................. 80:00:00:10:18:82:02:CACST Path Cost.................................. 0


Port Identifier................................ 80:0BPort Priority.................................. 128Port Forwarding State.......................... DiscardingPort Role...................................... BackupAuto-calculate Port Path Cost.................. EnabledPort Path Cost................................. 20000Designated Root................................ 70:00:00:10:18:82:03:35Designated Port Cost........................... 200000Designated Bridge.............................. 80:00:00:10:18:82:02:CADesignated Port Identifier..................... 80:09Topology Change Acknowledge.................... FALSEHello Time..................................... 2Edge Port...................................... FALSEEdge Port Status............................... FALSEPoint to Point MAC Status...................... TRUECST Regional Root.............................. 80:00:00:10:18:82:02:CACST Path Cost.................................. 0

(Switch2_r421) #show spanning-tree summary

Spanning Tree Adminmode........... EnabledSpanning Tree Version............. IEEE 802.1wConfiguration Name................ 00-10-18-82-02-CAConfiguration Revision Level...... 0Configuration Digest Key.......... 0xac36177f50283cd4b83821d8ab26de62Configuration Format Selector..... 0No MST instances to display.


Multiple Spanning-Tree Protocol (MSTP, IEEE 802.1s)Multiple Spanning Tree Protocol (MSTP) allows LAN traffic to be channelled over different interfaces. MSTP also allows load balancing without increasing CPU usage.

Rapid Reconfiguration minimizes the time to recover from network outages, and increases network availability.

SFTOS supports IEEE 802.1s and IEEE 802.1w:

(Switch2_r421) #show spanning-tree mst port summary 0 all

STP STP PortInterface Mode Type State Role--------- -------- ------- ----------------- ----------0/1 Enabled Forwarding Designated0/2 Enabled Disabled Disabled0/3 Enabled Forwarding Root0/4 Enabled Disabled Disabled0/5 Enabled Disabled Disabled0/6 Enabled Disabled Disabled0/7 Enabled Disabled Disabled0/8 Enabled Disabled Disabled0/9 Enabled Forwarding Designated0/10 Enabled Disabled Disabled0/11 Enabled Discarding Backup0/12 Enabled Disabled Disabled0/13 Enabled Disabled Disabled0/14 Enabled Disabled Disabled0/15 Enabled Disabled Disabled--More-- or (q)uit





• The overall Root bridge for 802.1s is calculated in the same way as for 802.1D or 802.1w.• IEEE 802.1s bridges can interoperate with IEEE 802.1D and IEEE 802.1w bridges

MSTP Implementation

MSTP is part of the SFTOS switching package. Either IEEE 802.1D or IEEE 802.1s operates at any given time. The following is the SFTOS implementation of MSTP:

• One Common Instance (CIST) and 4 additional Multiple Instances (MSTIs)• VLANs are associated with one and only one instance of Spanning Tree• Multiple VLANs can be associated with an Instance of Spanning Tree• Each port supports multiple STP states, one state per instance. (Hence a port could be Forwarding in

one instance while Blocking in another instance.)

MST Regions

Multiple Spanning Tree region is a collection of MST bridges that share the same VLAN to STP instance mappings. They are administratively configured on each MST Bridge in the network.

MST regions are identified by:

• 32-byte alphanumeric configuration name• Two-byte configuration revision number• The mapping of VLAN IDs to STP instance numbers

MST Interactions

Bridge Protocol Data Units (BPDU) considerations:

• MSTP instances can only exist within in a region• MSTP instances never interact outside a region• MSTP BPDUs appear as normal BPDUs for the CIST while including information for the MSTIs (one

record for each MSTP Instance)• The CIST is mapped to Instance 0• Both ends of a link may send BPDUs at the same time, as they may be the designated ports for

different instances

MSTP Standards• Conforms to IEEE 802.1s• Compatible with IEEE 802.1w and IEEE 802.1D• SNMP management via a private MIB, as no standard MIB exists


MST CLI Management

Privileged and User Exec Mode display commands:• Display STP settings and parameters for the switch

— show spanning-tree summary

• Display settings and parameters for all MST instances— show spanning-tree mst summary

• Display settings and parameters for one MST instance— show spanning-tree mst detailed <mstid>

• Display settings and parameters for the CIST— show spanning-tree [brief]

• Display the association between an MST instance and a VLAN— show spanning-tree vlan <vlanid>

• Display settings and parameters for a port within an MST instance— show spanning-tree mst port summary <mstid> {<unit/slot/port> | all}— show spanning-tree mst port detailed <mstid> <unit/slot/port>

• Display settings and parameters for a port within the CIST— show spanning-tree interface <unit/slot/port>

Global Config Mode CLI commands:• [Disable] enable STP operational state for the switch

— [no] spanning-tree

• [Disable] enable STP administrative state for all ports— [no] spanning-tree port mode all

• [Reset] set the STP protocol version for the switch— spanning-tree forceversion <802.1d | 802.1w | 802.1s>

• [Reset] set a configuration name to identify the switch— [no] spanning-tree configuration name <name>

• [Reset] set the configuration revision level for the switch— [no] spanning-tree configuration revision <0-65535>

• [Reset] set max-age for the CIST— [no] spanning-tree max-age <6-40>

• [Reset] set forward-time for the CIST— [no] spanning-tree forward-time <4-30>

• [Reset] set hellp-time for the CIST— [no] spanning-tree hello-time <1-10>

• [Remove] add an MST instance— [no] spanning-tree mst <mstid>

• [Reset] set the bridge priority for an MST instance— [no] spanning-tree mst priority <mstid> <0-61440>


• [Remove] add a VLAN to an MST instance— [no] spanning-tree mst vlan <mstid> <vlanid>

Interface Config Mode CLI commands:[Disable] enable administrative state for the port

— [no] spanning-tree port mode

• [Reset] set the path cost for this port for the MST instance, or for the CST if the mstid is 0. Auto sets the cost based on the link speed.— [no] spanning-tree mst <mstid> cost {<1-200000000> | auto}

• [Reset] set the port priority for this port for the MST instance, or for the CST, in increments of 16— [no] spanning-tree mst <mstid> port-priority <0-240>

• [Reset] set a port as an edge port within the CST— [no] spanning-tree edgeport

MSTP Configuration Example

Example topology:

• Switch B: 0/9 and 0/10 is VLAN 50. MST ID 50• Switch B: 0/11 and 0/12 is VLAN 60 MST ID 60• Switch A: 0/9 and 0/10 is VLAN 50 MST ID 50• Switch A: 0/11 and 0/12 is VLAN 50 MST ID 60

Steps1. Configure both switches B (root bridge)

2. Configure Switch A MST instance, assign the instance to the VLAN

3. Check STP state

4. Lower the priority of MST 50 which you want to discard (128 > 240)

5. Check STP state

HostHost

S50 A S50 B1/0/9 1/0/10

1/0/111/0/12

1/0/91/0/10

1/0/121/0/11


Verify

Configuration of Switch A: (non root bridge)

1. Switch A 50/60 Vlan0.10 F/D(forwarding/discarding)0.11 F/D(forwarding/discarding)

2. After lower the priority of MST 50, MST50 will change his STP state Switch A 50/60 Vlan

0.10 F/D(forwarding/discarding)0.11 D/F(discarding/forwarding)

set prompt "Switch A"config lineconfig serial timeout 0 exitexit

config spanning-tree spanning-tree port mode allexit

vlan database vlan 50 vlan 60exitw

config spanning-tree mst instance 50 spanning-tree mst vlan 50 50 spanning-tree mst instance 60 spanning-tree mst vlan 60 60exit

show spanning-tree mst port summary 50 allshow spanning-tree mst port summary 60 all config interface 1/0/10

spanning-tree mst 50 port-priority 240 exitexit

show spanning-tree mst port summary 50 allshow spanning-tree mst port summary 60 all

* disable spanning-tree :config

no spanning-tree


Command Examples

After lowering the priority of MST 50 :

Figure 41

(F10 S50) #show spanning-tree mst port summary 50 all

STP STP PortInterface Mode Type State Role--------- -------- ------- ----------------- ----------0/1 Enabled Disabled Disabled0/2 Enabled Disabled Disabled0/3 Enabled Disabled Disabled0/4 Enabled Disabled Disabled0/5 Enabled Disabled Disabled0/6 Enabled Disabled Disabled0/7 Enabled Disabled Disabled0/8 Enabled Disabled Disabled0/9 Enabled Disabled Disabled0/10 Enabled Forwarding Designated0/11 Enabled Discarding Backup0/12 Enabled Disabled Disabled0/13 Enabled Disabled Disabled0/14 Enabled Disabled Disabled0/15 Enabled Disabled Disabled--More-- or (q)uit

(F10 S50) #show spanning-tree mst port summary 50 all

STP STP PortInterface Mode Type State Role--------- -------- ------- ----------------- ----------0/1 Enabled Disabled Disabled0/2 Enabled Disabled Disabled0/3 Enabled Disabled Disabled0/4 Enabled Disabled Disabled0/5 Enabled Disabled Disabled0/6 Enabled Disabled Disabled0/7 Enabled Disabled Disabled0/8 Enabled Disabled Disabled0/9 Enabled Disabled Disabled0/10 Enabled Discarding Backup0/11 Enabled Forwarding Designated0/12 Enabled Disabled Disabled0/13 Enabled Disabled Disabled0/14 Enabled Disabled Disabled0/15 Enabled Disabled Disabled--More-- or (q)uit



Link Aggregation—IEEE 802.3Link Aggregation Groups (LAG), or Trunking, allows IEEE 802.3 MAC interfaces to be grouped logically to appear as one physical link. LAG provides automatic redundancy between two devices. Each link of a LAG must run at the same speed and must be in full-duplex mode.

LAGs also provide the following:

• Behave like any other Ethernet link to VLAN.• Can be a member of a VLAN.• Is treated as a physical port with the same configuration parameters, spanning tree port priority, path

cost, etc.• A router port may be a member of a LAG, but routing will be disabled while it is a member.

LAG Implementation

Interface restrictions:

• LAG speed may not be changed• Routing is not supported on links in a LAG• An interface can belong to only one LAG• 32 LAGs, maximum of eight members each

SFTOS supports IEEE 802.3 Clause 43 with minor exceptions:

• No optional features supported, e.g. Marker Generator/Receiver• Mux machine implemented as coupled not independent control• Some MIB variables not supported.

Chapter 9 Link Aggregation


Static LAGs

Manual Aggregation

If the partner does not respond with LACPDUs, the system will wait three seconds and aggregate manually.

The static LAG configuration should only be enabled if both parties are 802.3ad-compliant and have the protocol enabled.

LAGs should be configured and STP enabled on both devices before connecting cables.

Manual aggregation uses the following default values:

• If an LACPDU is received with different values the link will drop out• When all member links have dropped out, the group will re-aggregate with the new information

Manual aggregation is disabled by default, and when enabled, applies to all LAG interfaces.

Link Aggregation—MIB Support

IEEE 802.3 Annex 30c MIB objects not supported:

• dot3adAggPortDebugTable• dot3adAggPortStatsMarkerResponsePDUsRx• dot3adAggPortStatsMarkerPDUsTx• dot3adAggPortActorAdminSystemPriority• dot3adAggPortActorOperSystemPriority• dot3adAggPortPartnerAdminSystemPriority• dot3adAggPortPartnerOperSystemPriority• dot3adTablesLastChanged

Link Aggregation CLI Management

CLI commands in the Global Config mode used to create a LAG:

• Configure the LAG:— port-channel {<logical unit/slot/port> | all | brief}

• (Use show port-channel all to display the logical unit/slot/port)— port-channel name {<logical unit/slot/port> | all} <name>— [no] port-channel linktrap {<logical unit/slot/port} | all}— spanning-tree stpmode {<logical unit/slot/port} | all} {off | 802.1d | fast}

• [Disable] enable the LAG:— [no] port-channel adminmode {<logical unit/slot/port> | all}

86 Link Aggregation

• Delete all ports from a LAG:— deleteport <logical unit/slot/port> all

• Delete a LAG:— no port-channel {<logical unit/slot/port> | all}

LAG Configuration CLI Management

CLI commands in Interface Config mode used to configure a LAG:

• Add ports:— addport <logical unit/slot/port>

• Delete ports:— deleteport <logical unit/slot/port>

• Delete one or all LAGs:— delete interface {<logical unit/slot/port> | all}

Privileged Exec mode CLI command to display LAG information:

• Returns mode information • Lists members -- slot.port notation, link speed

— show port-channel {<logical unit/slot/port> | all | brief}

Static LAG CLI Management

Global Config Mode commands to disable/enable static capability for the switch:

• port-channel staticcapability— All LAGs with configured members but no active members will now aggregate statically on link

up interfaces— No effect on dynamic LAGs

• no port-channel staticcapability — Active members of static LAGs will drop. A LAG with no active members will go down

Privileged Exec mode and User Exec mode display command:

• show port-channel brief

— Displays whether static capability is enabled


Configuring a Port ChannelThe following are examples on configuring a port-channel. \

To configure a port channel, issue the port channel command from Privileged Exec mode:

Figure 42 Configuring a Port Channel Example

The switch autonumbers the logical <unit/slot/port> (the first port-channel might be 0/1/1, and the second port-channel may be 0/1/2, etc.)

Configuring LAGLink Aggregation (LAG) allows multiple physical links between two end-points to be treated as a single logical link. All the physical links in a given LAG must operate in full duplex mode at the same speed.

1. Create LAGs:

2. Query LAGs:

Note: A port-channel cannot have an IP address.

Note: This command will return the logical interface IDs that are used to identify the LAGs in subsequent commands. Assume that Lag_10 is assigned ID “1/1/1” and Lag_20 is assigned ID “1/1/2”.

port-channel <name>

ConfigurePort-channel Lag_10

Show port-channel all

88 Link Aggregation

3. Add Ports to the appropriate LAGs:

4. Enable both LAGs:

5. Create static LAGs:

Before Configuring LAG

Note: Link Trap Notification will be enabled by default. By default Dynamic LAGs will be created.

ConfigureInterface 1/0/2Addport 1/1/1ExitInterface 1/0/3Addport 1/1/1Exit

Inteface 1/0/8Addport “1/1/2”ExitInterface 1/0/9Addport “1/1/2”

ConfigurePort-channel adminmode all

ConfigurePort-channel staticcapabilityexit

(GSM7312) #show port-channel all

Log. Port- LinkSlot/ Channel Admin Trap STP Mbr Port PortPort Name Link Mode Mode Mode Type Ports Speed Active----- --------------- ---- ----- ---- ------ ------- ------ --------- ------


LAG Configuration Example

Displaying Port-channels

config port-channel lag-10 port-channel lag_20exit

show port-channel all

config interface 1/0/2 addport 1/1/1 exit interface 1/0/3 addport 1/1/1 exitexit

config interface 1/0/8 addport 1/1/2 exit interface 1/0/9 addport 1/1/2 exitexit

config port-channel adminmode all

exit

(GSM7312) #show port-channel all

Log. Port- LinkSlot/ Channel Admin Trap STP Mbr Port PortPort Name Link Mode Mode Mode Type Ports Speed Active----- --------------- ---- ----- ---- ------ ------- ------ --------- ------1/1/1 lag-10 Down En. En. En. Dynamic 0/2 Auto False

0/3 Auto False1/1/2 lag_20 Down En. En. En. Dynamic 0/8 Auto False

0/9 Auto False

90 Link Aggregation

Adding a Port-channel to a VLAN

To add a port-channel to a VLAN, use the vlan participation command:

Figure 43 Adding a Port-channel to a VLAN

MAC AddressesTo view MAC addresses, issue the show mac-addr-table command:

Figure 44 Viewing Port-channel Configuration

(S50) (Config)#interface 0/2/1 (S50) (Interface 0/2/1)#vlan participation include 11

(Force10 S50) #show mac-addr-table

Mac Address Interface IfIndex Status ----------------------- --------- ------- ------------00:01:00:01:00:00:00:01 2/0/37 87 Learned 00:01:00:01:00:00:00:37 1/0/1 1 Learned 00:01:00:03:00:00:00:03 1/0/2 2 Learned 00:01:00:03:00:00:00:39 2/0/38 88 Learned 00:01:00:04:00:00:00:45 2/0/45 95 Learned 00:01:00:04:00:00:00:46 1/0/45 45 Learned 00:01:00:06:00:00:00:47 2/0/46 96 Learned 00:01:00:06:00:00:00:48 1/0/46 46 Learned 00:01:00:D0:95:B7:CD:2E 0/3/1 401 Management


92 Link Aggregation

Access Control Lists (ACLs) are used to control the traffic entering a network. They are normally used in a firewall router or in a router connecting two internal networks. You may selectively admit or reject inbound traffic, thereby controlling access to your network, or to specific resources on your network.

Each of the 100 available ACLs is a set of one to nine rules applied to inbound traffic. Eight rules are useable per interface, and the other rule is an implicit deny. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following six fields within a packet:

• Source IP address• Destination IP address• Source Layer 4 port• Destination Layer 4 port• TOS byte• Protocol number

Note that the order of the rules is important: when a packet matches multiple rules, the first rule takes precedence. Also, once you define an ACL for a given port, all traffic not specifically permitted by the ACL will be denied access.

SFTOS supports two types of filtering: extended MAC access lists and IP access lists. For both types, the general process for using them is the same:

1. Create the access list.

2. Apply the access list either globally to all ports, or to an individual interface.

Chapter 10 Access Control Lists


Common ACL Commandsmac access-list extended

This command creates a MAC Access Control List (ACL) identified by name, consisting of classification fields defined for the Layer 2 header of an Ethernet frame.

mac access-list extended name

(s50) (Config)#mac access-list extended ml-1

mac access-list extended rename

This command changes the name of a MAC Access Control List (ACL). This command fails if a MAC ACL by the name newname already exists.

mac access-list extended rename name newname

{deny|permit}

This command creates a new rule for the current MAC access list. Each rule is appended to the list of configured rules for the list. Note that an implicit 'deny all' MAC rule always terminates the access list.

{deny | permit} {{srcmac} {{dstmac} [ethertypekey | 0x0600-0xFFFF] [vlan {{eq 0-4095}} [cos 0-7] [assign-queue queue-id] [redirect interface]

mac access-group

This command attaches a specific MAC Access Control List (ACL) identified by name to an interface in a given direction. The name parameter must be the name of an existing MAC ACL.

• mac access-group name {in} [sequence 1-4294967295]• no mac access-group name {in}

(s50) (Config)#interface 1/0/2

(s50) (Interface 1/0/2)#mac access-group ml-1 in

Note: Although you can add new deny/permit list items to an existing list, you cannot remove previously configured deny/permit list items. You must delete the list, and then recreate it in the desired fashion.

(s50) (Config)#mac access-list extended ml-1(s50) (Config-mac-access-list)#permit 01:80:c2:00:00:00 any assign-queue 4(s50) (Config-mac-access-list)#permit any 01:80:c2:00:00:FF assign-queue 3 redi-rect 1/0/10

94 Access Control Lists

show mac access-list

The show mac access-list name command displays a MAC access list and all of the rules that are defined for the ACL. The name parameter is used to identify a specific MAC ACL to display.

Figure 45 Sample output from show mac access-list command

show mac access-lists

The show mac access-lists command displays a summary of all defined MAC access lists in the system.

(Force10 s50) #show mac access-listRule Number: 1Action......................................... permitSource MAC Address............................. 01:80:C2:00:00:00Assign Queue................................... 4

Rule Number: 2Action......................................... permitDestination MAC Address........................ 01:80:C2:00:00:FFAssign Queue................................... 3Redirect Interface............................. 1/0/10

(Force10 s50) #

(s50) #show mac access-listsCurrent number of all ACLs: 3 Maximum number of all ACLs: 100

MAC ACL Name Rules Interface(s) Direction------------------------------- ----- ------------------------- ---------ml-1 2 1/0/2 inbound(s50) (Config-mac-access-list)#permit any 01:80:c2:00:00:FF assign-queue 3 redirect 1/0/10


access-list

The access-list command creates an Access Control List (ACL) that is identified by the parameter accesslistnumber.

access-list {( 1-99 {deny | permit} srcip srcmask) | ( {100-199 {deny | permit} {evry | {{icmp | igmp | ip | tcp | udp | number} srcip srcmask [{eq {portkey | portvalue}] dstip dstmask [{eq {portkey | portvalue}] [precedence precedence] [tos tos tosmask] [dscp dscp]}})}

Access lists are of two types—normal access lists and extended access lists.

Normal Access Lists

A normal access list uses a list number in the range of 1-99, matches source ip address, then takes the action of assigning the packet to a queue and / or redirecting the packet to a destination port.

access-list 1-99 {deny | permit} {srcip srcmask | every } (assign-queue queue-number) (redirect unit/slot/port)

Extended Access Lists

An extended access list uses a list number in the range of 100-199, matches protocol-type, then matches source and/or destination ip address/port, additionally matches ip-precedence, tos, dscp, then takes the action of assigning the packet to a queue and / or redirecting the packet to a destination port.. The command has the general form:

access-list 100-199 {deny | permit} protocol source/destination addr & port{precedence | tos | dscp} (assign-queue) (redirect)

ip access-group

When the ip access-group command is used in Interface Config mode, it attaches a specified access-control list to the particular interface.

ip access-group accesslistnumber in

(s50) (Config)#interface 1/0/21

(s50) (Interface 1/0/21)#ip access-group 100 in 1

Note: You cannot edit a list once it is created, you must delete the list and create one as desired.

(Force 10 s50) (Config)#access-list 100 permit ip any eq 80 any assign-queue 2 redirect 1/0/40(Force 10 s50) (Config)#


When the ip access-group command is used in Global Config mode, it attaches a specified access-control list to all interfaces.

• ip access-group accesslistnumber in

show ip access-lists

This command displays an Access Control List (ACL) and all of the rules that are defined for the ACL. The accesslistnumber is the number used to identify the ACL.

• show ip access-lists accesslistnumber

Figure 46 Example: show ip access-lists command output

(Force10 s50) #show ip access-listsCurrent number of ACLs: 2 Maximum number of ACLs: 100ACL ID Rules Interface(s) Direction------ ----- ------------------------- ---------1 1100 1 1/0/21 inbound

(s50) #show ip access-lists 100ACL ID: 100Interface: 1/0/21

Rule Number: 1Action......................................... permitMatch All...................................... FALSEProtocol....................................... 255(ip)Source L4 Port Keyword......................... 80(www/http)Assign Queue................................... 2Redirect Interface............................. 1/0/40

(Force10 s50) #


Access Control List Configuration ExampleThe example in this section shows you how to set up an ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the S-Series if the source and destination stations have IP addresses that fall within the defined sets.

Figure 47 ACL example network diagram

1. Create ACL 101. Define the first rule: it will permit packets with a match on the specified Source IP address, after the mask has been applied, that are carrying TCP traffic, and are sent to the specified Destination IP address.

Port 0/2ACL 1

192.168.77.1 192.168.77.2192.168.77.9192.168.77.4

TCP packet to192.178.77.3 accepted:

Dest. IP in range

TCP packet to192.178.88.3 rejected:Dest. IP not in range

Layer 2 Switch

Layer 3 Switch

(Force10 s50) #config(Force10 s50) (Config)#access-list 101 permit tcp 192.168.77.0 0.0.0.255 92.178.77.0 0.0.0.255(Force10 s50) (Config)#


2. Define the second rule for ACL 101. Define the rule to set similar conditions for UDP traffic as for TCP traffic.

3. Apply the rule to inbound traffic on port 0/2. Only traffic matching the criteria will be accepted.

(Force10 s50) #config(Force10 s50) (Config)#access-list 101 permit udp 192.168.77.0 0.0.0.255 192.178.77.0 0.0.0.255(Force10 s50) (Config)#

(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#ip access-group 101 in(Force10 s50) (Interface 0/2)#exit



Differentiated Services (DiffServ) is one technique for implementing Quality of Service (QoS) policies. Using DiffServ in your network allows you to directly configure the relevant parameters on the switches and routers rather than using a resource reservation protocol.This section will explain how to configure the S-Series to identify which traffic class a packet belongs to, and how it should be handled to provide the desired quality of service. As implemented on the S-Series, DiffServ allows you to control what traffic is accepted, what traffic is transmitted, and what bandwidth guarantees are provided.

How you configure DiffServ support on the S-Series will likely vary depending on the role of the switch in your network:• Edge device: An edge device handles ingress traffic, flowing towards the core of the network, and

egress traffic, flowing away from the core. An edge device will segregate inbound traffic into a small set of traffic classes, and is responsible for determining a packet’s classification. Classification will be primarily based on the contents of the Layer 3 and Layer 4 headers, and will be recorded in the Differentiated Services Code Point (DSCP) added to a packet’s IP header.

• Interior node: A switch in the core of the network is responsible for forwarding packets, rather than for classifying them. It will decode the DSCP in an incoming packet, and provide buffering and forwarding services using the appropriate queue management algorithms.

To configure DiffServ on a particular S-Series router, you first determine the QoS (quality of service) requirements for the network as a whole. The requirements are expressed in terms of rules, which are used to classify either inbound or outbound traffic on a particular interface. Rules are defined in terms of classes, policies, and services:• Class: A class consists of a set of rules that identify which packets belong to the class. Inbound traffic

is separated into traffic classes based on Layer 3 and 4 header data and the VLAN ID, and marked with a corresponding DSCP value. Outbound traffic is grouped into forwarding classes based on the DSCP value, and allocated priority and bandwidth accordingly. One type of class is supported:— All: Every match criterion defined for the class must be true for a match to occur.

• Policy: Defines the QoS attributes for one or more traffic classes. An example of an attribute is the specification of minimum or maximum bandwidth in terms of kbps or percent of link capacity. The S-Series supports two policy types:

• Traffic Conditioning Policy: This type of policy is associated with an inbound traffic class and specified the actions to be performed on packets meeting the class rules:

— Marking the packet with a given DSCP code point— Policing packets by dropping or re-marking those that exceed the assigned data rate of

the class— Counting the traffic within the class

• Service Provisioning Policy: This type of policy is associated with an outbound traffic class and affects how packets are transmitted.

Chapter 11 DiffServ


• Service: Assigns a policy to an interface for either inbound or outbound traffic

The user configures Differentiated Services (Diffserv) in the stages described above by specifying:

• Class— Creating and deleting classes— Defining match criteria for a class. Note: The only way to remove an individual match criterion

from an existing class definition is to delete the class and re-create it.• Policy

— Creating and deleting policies— Associating classes with a policy— Defining policy statements for a policy/class combination

• Service— Adding and removing a policy to/from a directional (i.e., inbound, outbound) interface

Packets are filtered and processed based on defined criteria. The filtering criteria is defined by a class. The processing is defined by a policy’s attributes. Policy attributes may be defined on a per-class instance basis, and it is these attributes that are applied when a match occurs.

Packet processing begins by testing the match criteria for a packet. A policy is applied to a packet when a class match within that policy is found.

Note that the type of class — all, any, or ACL — has a bearing on the validity of match criteria specified when defining the class. A class type of ‘any’ processes its match rules in an ordered sequence; additional rules specified for such a class simply extend this list. A class type of ‘acl’ obtains its rule list by interpreting each ACL rule definition at the time the Diffserv class is created. Differences arise when specifying match criteria for a class type ‘all’, since only one value for each non-excluded match field is allowed within a class definition.

The following class restrictions are imposed by the DiffServ design:

• Nested class support limited to:— any within any

— all within all

— No nested not conditions— No nested acl class types— Each class contains at most one referenced class

Note: SFTOS currently supports the inbound direction only.

Note: If a field is already specified for a class, all subsequent attempts to specify the same field fail, including the cases where a field can be specified multiple ways through alternative formats. The exception to this is when the ‘exclude’ option is specified, in which case this restriction does not apply to the excluded fields.

102 DiffServ

• Hierarchical service policies not supported in a class definition• Access list matched by reference only, and must be sole criterion in a class

— I.e., ACL rules copied as class match criteria at time of class creation, with class type any

— Implicit ACL deny all rule also copied— No nesting of class type acl

Regarding nested classes, referred to here as class references, a given class definition can contain at most one reference to another class, which can be combined with other match criteria. The referenced class is truly a reference and not a copy, since additions to a referenced class affect all classes that reference it. Changes to any class definition currently referenced by any other class must result in valid class definitions for all derived classes otherwise the change is rejected. A class reference may be removed from a class definition.

The user can display summary and detailed information for classes, policies and services. All configuration information is accessible via the CLI, Web, and SNMP user interfaces.

This command sets the DiffServ operational mode to active. While disabled, the DiffServ configuration is retained and can be changed, but it is not activated. When enabled, Diffserv services are activated.

Deploying DiffServFour steps are necessary to deploy DiffServ:

1. Create class-maps.

A class-map is used to differentiate between types of traffic based on a packet’s match to defined rules in the class-map. For information on using a class-map in configuration scripting, see Using Configuration Scripts on page 31.

2. Create a policy-map.

A policy-map references a class-map and defines the actions to be taken for traffic in a referenced class.

3. Apply the policy to interfaces.

Apply the policy to the interfaces in an ingress or egress capacity.

4. Enable DiffServ globally.

Creating Class-maps/DiffServ Classes

The first step in deploying DiffServ is to create a DiffServ class. From the Global Config mode, use the command class-map match-all classname.

The match-all class type indicates that all of the individual match conditions must be true for a packet to be considered a member of the class.


The classname parameter is a case-sensitive alphanumeric string from 1 to 31 characters that uniquely identifies the class.

For example, entering “class-map match-all Dallas” means “Create a class named ‘Dallas’ that must match all statements in the policy.”

After entering the command, and a new classname is defined, this command invokes the Class Map Config mode — “(Config-classmap)#”. Within that mode, you can continue to refine the definition of the class.

After exiting the Class Map Config mode, you can reenter the mode to edit the named class by using the command class-map existing_classname, where existing_classname is the classname that you defined earlier.

The example below creates a class named “cl-map-1”. The map requires that all rules in the list must be matched. If any of the rules are not a match for the traffic, the traffic is not a member of that class. In this case, the traffic must carry a destination IP address in the 10.1.1.0 network and have a destination port of 7:

Note that the example below, looks for packets with an ip-precedence of ‘1’, but also references another class map (cl-map-1):

To delete an existing class, use the command no class-map existing_classname from the Global Config mode. This command may be issued at any time; if the class is currently referenced by one or more policies or by any other class, this deletion attempt shall fail.

Note: The word “default” is reserved and must not be used as a class name.

Note: Class match conditions are obtained from the referenced access list (ACL) at the time of class creation. Thus, any subsequent changes to the referenced ACL definition do not affect the DiffServ class. To pick up the latest ACL definition, delete and recreate the class.

class-map match-all cl-map-1match dstip 10.1.1.0 255.255.255.0match dstl4port 7exit

class-map match-all cm-3match ip precedence 1match class-map cl-map-1exit

104 DiffServ

Creating a Policy-Map

The second step in deploying DiffServ is to create a policy-map. From the Global Config mode, use the policy-map command to define:

• Traffic Conditioning—Specify traffic conditioning actions (policing, marking, shaping) to apply to traffic classes

• Service Provisioning—Specify bandwidth and queue depth management requirements of service levels (EF, AF, etc.)

The policy commands associate a traffic class, which was defined by the class command set, with one or more QoS policy attributes. This association is then assigned to an interface to form a service. The user specifies the policy name when the policy is created.

The DiffServ CLI does not necessarily require that users associate only one traffic class to one policy. In fact, multiple traffic classes can be associated with a single policy, each defining a particular treatment for packets that match the class definition. When a packet satisfies the conditions of more than one class, preference is based on the order in which the classes were added to the policy, with the foremost class taking highest precedence.

This set of commands consists of policy creation/deletion, class addition/removal, and individual policy attributes.

Note that the only way to remove an individual policy attribute from a class instance within a policy is to remove the class instance and re-add it to the policy. The values associated with an existing policy attribute can be changed without removing the class instance.

The policy-map command establishes a new DiffServ policy. The syntax is policy-map policyname in, where policyname is a case-sensitive alphanumeric string from 1 to 31 characters uniquely identifying the policy. The in keyword indicates that the policy is specific to inbound traffic, because SFTOS supports only the inbound (ingress) direction.

Note: Class instances are always added to the end of an existing policy. While existing class instances may be removed, their previous location in the policy is not reused, so the number of class instance additions/removals is limited. In general, significant changes to a policy definition require that the entire policy be deleted and re-created with the desired configuration.

Note: The policy type dictates which of the individual policy attribute commands are valid within the policy definition.

Note: The CLI mode is changed to Policy-Map Config when this command is successfully executed.


The following example shows the use of the policy-map command:

Figure 48 policy-map Command Example

In the above example, we have created a policy-map with the name of “pm-1”. This policy-map is meant to affect inbound traffic. Traffic that is part of the class cl-map-1 (created in the previous example) is affected. Traffic that falls into this class will be assigned to queue ‘3’. Traffic that is a match for class cl-map-2 will have ip-precedence marked as “1”.

Applying Policies

Policy maps may be applied globally, to all interfaces, or on a per-interface basis. This is accomplished with the service-policy in policyname command. The in keyword indicates that the policy is specific to inbound traffic, because SFTOS supports only the inbound (ingress) direction. The policyname parameter is the name of an existing DiffServ policy (shown defined, above). Note that this command causes a service to create a reference to the policy.

The command can be used in the Interface Config mode to attach a policy to a specific interface. Alternatively, the command can be used in the Global Config mode to attach this policy to all system interfaces.

There is no separate interface administrative mode command for DiffServ.

Example (global):

Figure 49 service-policy Global Command Example

Note: This command effectively enables DiffServ on an interface (in a particular direction).

Note: This command shall fail if any attributes within the policy definition exceed the capabilities of the interface. Once a policy is successfully attached to an interface, any attempt to change the policy definition such that it would result in a violation of said interface capabilities shall cause the policy change attempt to fail.

policy-map pm-1 inclass cl-map-1assign-queue 3exit

class cl-map-2mark ip-precedence 1exit

(s50) #config(s50) (Config)#service-policy in pm-1(s50) (Config)#

106 DiffServ

Example (per interface):

Figure 50 service-policy Interface Command Example

Enabling Differentiated Services

To use DiffServ, it must be enabled globally with the command diffserv. This command sets the DiffServ operational mode to active. While disabled, the DiffServ configuration is retained and can be changed, but it is not activated. When enabled, Diffserv services are activated.

Note: When applied globally, a service-policy command appears under each interface, as if the command were applied one interface at a time. The commands then can be removed from individual interfaces, or from all interfaces simultaneously, using the ‘no’ form of the command.

Command Syntax Command Mode Usage

[no] diffserv GLOBAL Config This command sets the DiffServ operational mode to inactive. While disabled, the DiffServ configuration is retained and can be changed, but it is not activated. When enabled, Diffserv services are activated.

(s50) #config(s50) (Config)#interface 1/0/4(s50) (Interface 1/0/4)#service-policy in pm-1(s50) (Interface 1/0/4)#


Monitoring DiffServ

Using the “show class-map” Command

Displaying class-map information:

Figure 51 show class-map Command Example

show class-map

If the class name is specified, the following fields are displayed:

Class Name—The name of this class.

Class Type—The class type (All, any, or acl) indicating how the match criteria are evaluated for this class. A class type of All means every match criterion defined for the class is evaluated simultaneously. They must all be true to indicate a class match. For a type of any each match criterion is evaluated sequentially and only one need be true to indicate a class match. Class type acl rules are evaluated in a hybrid manner, with those derived from each ACL Rule grouped and evaluated simultaneously, while each such grouping is evaluated sequentially.

Match Criteria—The Match Criteria fields are only be displayed if they have been configured. They are displayed in the order entered by the user. The fields are evaluated in accordance with the class type. The possible Match Criteria fields are: Class of Service, Destination IP Address, Destination Layer 4 Port, Destination MAC Address, Every, IP DSCP, IP Precedence, IP TOS, Protocol Keyword, Reference Class, Source IP Address, Source Layer 4 Port, Source MAC Address, CoS, Secondary CoS, and VLAN, Secondary VLAN, and Ethertype.


show class-map classname Privileged Exec and User Exec

This command displays all configuration information for the specified class. The classname is the name of an existing DiffServ class.

(s50) #show class-map cm-3

Class Name..................................... cm-3Class Type..................................... All

Match Criteria Values---------------------------- -------------------------------------IP Precedence 1Reference Class cl-map-2

(s50) #show class-map cl-map-2

Class Name..................................... cl-map-2Class Type..................................... All

Match Criteria Values---------------------------- -------------------------------------Destination Layer 4 Port 7(echo)

(s50) #

108 DiffServ

Values—This field displays the values of the Match Criteria.

Excluded—This field indicates whether or not this Match Criteria is excluded.

Figure 52 show class-map Command Example

If classname is not specified, this command displays a list of all defined DiffServ classes. The following fields are displayed:

Class Name—The name of this class. (Note that the order in which classes are displayed is not necessarily the same order in which they were created.)

Class Type—(as above)

ACL Number—The ACL number used to define the class match conditions at the time the class was created. This field is only meaningful if the class type is acl.

Ref Class Name—The name of an existing DiffServ class whose match conditions are being referenced by the specified class definition.

Using the “show policy-map” Command

show policy-map

The command displays all configuration information for the specified policy.

Conform CoS—The action to be taken on conforming packets per the policing metrics.

Conform Secondary CoS—The action to be taken on packets conforming with the secondary class of service value per the policing metrics.

Note: The contents of the ACL may have changed since this class was created.


show policy-map [policyname] Policy-classmap Config

This command displays all configuration information for the specified policy. The policyname is the name of an existing DiffServ policy.

(s50) #show class-map

Class Class Name Type Reference Class Name------------------------------- ----- -------------------------------cl-map-1 Allcl-map-2 Allcm-3 All cl-map-2

(s50) #


Exceed CoS—The action to be taken on excess packets per the policing metrics.

Exceed Secondary CoS—The action to be taken on excess packets conforming with the secondary class of service value per the policing metrics.

Non-Conform CoS—The action to be taken on violating packets per the policing metric.

Non-Conform Secondary CoS—The action to be taken on violating packets conforming with the secondary class of service per the policing metric.

Assign Queue—Directs traffic stream to the specified QoS queue. This allows a traffic classifier to specify which one of the supported hardware queues are used for handling packets belonging to the class.

Drop—Drop a packet upon arrival. This is useful for emulating access control list operation using DiffServ, especially when DiffServ and ACL cannot co-exist on the same interface.

Redirect—Forces a classified traffic stream to a specified egress port (physical or LAG). This can occur in addition to any marking or policing action. It may also be specified along with a QoS queue assignment.

If policyname is specified, the following fields are displayed:

Policy Name—The name of this policy.

Type—The policy type, namely whether it is an inbound or outbound policy definition.

The following information is repeated for each class associated with this policy (only those policy attributes actually configured are displayed):

Class Name—The name of this class.

Mark CoS—Denotes the class of service value that is set in the 802.1p header of outbound packets. This is not displayed if the mark cos was not specified.

Mark IP DSCP—Denotes the mark/re-mark value used as the DSCP for traffic matching this class. This is not displayed if policing is in use for the class under this policy.

Mark IP Precedence—Denotes the mark/re-mark value used as the IP Precedence for traffic matching this class. This is not displayed if either mark DSCP or policing is in use for the class under this policy.

Policing Style—This field denotes the style of policing, if any, used (police-simple, if any).

Committed Rate (Kbps)—This field displays the committed rate used in simple policing.

Committed Burst Size (KB)—This field displays the committed burst size used in simple policing.

Conform Action—The current setting for the action taken on a packet considered to conform to the policing parameters. This is not displayed if policing is not in use for the class under this policy.

Conform DSCP Value—This field shows the DSCP mark value if the conform action is markdscp.

Conform IP Precedence Value—This field shows the IP Precedence mark value if the conform action is markprec.

Exceed Action—The current setting for the action taken on a packet considered to exceed to the policing parameters. This is not displayed if policing not in use for the class under this policy.

Exceed DSCP Value—This field shows the DSCP mark value if this action is markdscp.

Exceed IP Precedence Value—This field shows the IP Precedence mark value if this action is markprec.

110 DiffServ

Non-Conform Action—The current setting for the action taken on a packet considered to not conform to the policing parameters. This is not displayed if policing not in use for the class under this policy.

Non-Conform DSCP Value—This field displays the DSCP mark value if this action is markdscp.

Non-Conform IP Precedence Value—This field displays the IP Precedence mark value if this action is markprec.

Bandwidth—This field displays the minimum amount of bandwidth reserved in either percent or kilobits-per-second.

Expedite Burst Size (KBytes)—This field displays the maximum guaranteed amount of bandwidth reserved in either percent or kilobits-per-second format.

Shaping Average—This field is displayed if average shaping is in use. Indicates whether average or peak rate shaping is in use, along with the parameters used to form the traffic shaping criteria, such as CIR and PIR. This is not displayed if shaping is not configured for the class under this policy.

Shape Committed Rate (Kbps)—This field is displayed if average or peak rate shaping is in use. It displays the shaping committed rate in kilobits-per-second.

The following is sample output from show policy-map:

Figure 53 show policy-map Command Example

If the Policy Name is not specified this command displays a list of all defined DiffServ policies. The following fields are displayed:

Policy Name—The name of this policy.

Policy Type—The policy type, namely whether it is an inbound or outbound policy definition.

Class Members—List of all class names associated with this policy.

show policy-map policy-map-name

Note: The order in which the policies are displayed is not necessarily the same order in which they were created.

(s50) #show policy-map

Policy Name Policy Type Class Members------------------------------- ----------- -------------------------------pm-1 In cl-map-1 cl-map-2

(s50) #


The following is sample output from show policy-map policy-map-name:

Figure 54 show policy-map Command Example

Figure 55 show policy-map interface unit/slot/port Command Example

Using the “show service-policy ” Commandshow service-policy


show service-policy in Privileged Exec This command displays a summary of policy-oriented statistics information for all interfaces in the specified direction. The direction parameter indicates the interface direction of interest. This command enables or disables the route reflector client. A route reflector client relies on a route reflector to re-advertise its routes to the entire AS. The possible values for this field are enable and disable.

(s50) #show policy-map pm-1

Policy Name.................................... pm-1Policy Type.................................... In

Class Name..................................... cl-map-1Assign Queue................................... 3

--More-- or (q)uit

Class Name..................................... cl-map-2Mark IP Precedence............................. 1

(s50) #show policy-map interface 1/0/5 in

Interface...................................... 1/0/5

Direction...................................... InOperational Status............................. DownPolicy Name.................................... pm-1

Interface Summary:

Class Name..................................... cl-map-1In Discarded Packets........................... 0

Class Name..................................... cl-map-2In Discarded Packets........................... 0

(s50) #

112 DiffServ

The following information is repeated for each interface and direction (only those interfaces configured with an attached policy are shown):

Intf—Interface: Valid unit, slot and port number separated by forward slashes.

Oper Stat—Operational Status: The current operational status of this DiffServ service interface.

Offered Packets—A count of the total number of packets offered to all class instances in this service before their defined DiffServ treatment is applied. These are overall per-interface perdirection counts.

Discarded Packets—A count of the total number of packets discarded for all class instances in this service for any reason due to DiffServ treatment. These are overall per-interface perdirection counts.

Sent Packets A count of the total number of packets forwarded for all class instances in this service after their defined DiffServ treatments were applied. In this case, forwarding means the traffic stream was passed to the next functional element in the data path, such as the switching or routing function or an outbound link transmission element. These are overall per-interface per-direction counts.

Policy Name—The name of the policy attached to the interface.

Figure 56 show service-policy Command Example

Note: None of the counters listed here are guaranteed to be supported on all platforms. Only supported counters are shown in the display output.

Service Policy

(s50) #show service-policy in

Oper Policy Intf Stat Name------- ---- -------------------------------1/0/1 Up pm-11/0/2 Down pm-11/0/3 Down pm-1<output deleted>(s50) #


Using the “show diffserv” Commandshow diffserv

DiffServ Admin mode—The current value of the DiffServ administrative mode.

Class Table Size—The current number of entries (rows) in the Class Table.

Class Table Max—The maximum allowed entries (rows) for the Class Table.

Class Rule Table Size—The current number of entries (rows) in the Class Rule Table.

Class Rule Table Max—The maximum allowed entries (rows) for the Class Rule Table.

Policy Table Size—The current number of entries (rows) in the Policy Table.

Policy Table Max—The maximum allowed entries (rows) for the Policy Table.

Policy Instance Table Size—The current number of entries (rows) in the Policy Instance Table.

Policy Instance Table Max—The maximum allowed entries (rows) for the Policy Instance Table.

Policy Attribute Table Size—The current number of entries (rows) in the Policy Attribute Table.

Policy Attribute Table Max—The maximum allowed entries (rows) for the Policy Attribute Table.

Service Table Size—The current number of entries (rows) in the Service Table.

Service Table Max—The maximum allowed entries (rows) for the Service Table.

The following is sample output from the show diffserv command:


show diffserv Privileged Exec This command displays the DiffServ General Status Group information, which includes the current administrative mode setting as well as the current and maximum number of rows in each of the main DiffServ private MIB tables. This command takes no options.

(s50) #show diffserv

DiffServ Admin mode............................ EnableClass Table Size Current/Max................... 3 / 25Class Rule Table Size Current/Max.............. 4 / 150Policy Table Size Current/Max.................. 1 / 64Policy Instance Table Size Current/Max......... 2 / 576Policy Attribute Table Size Current/Max........ 2 / 1728Service Table Size Current/Max................. 48 / 400(s50) #

(s50) #show diffserv service brief

DiffServ Admin mode............................ Enable Interface Direction OperStatus Policy Name----------- ----------- ---------- -------------------------------1/0/1 In Up pm-11/0/2 In Down pm-11/0/3 In Down pm-1<output deleted>(s50) #

114 DiffServ

Configuring Differentiated Services by DepartmentThe following example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments in this example has its own VLAN, and each VLAN is allocated 25% of the available bandwidth on the port accessing the Internet.

Figure 57 DiffServ Internet access example network diagram

1. Ensure DiffServ operation is enabled for the switch.

VLAN 10:Finance

Internet

Port 0/5:Outbound

Layer 3 Switch

VLAN 20:Marketing

VLAN 30:Test

VLAN 40:Development

Port 0/2Port 0/1

Port 0/3

Port 0/4

(Force10 S50) #config(Force10 S50) (Config)#diffserv


2. Create a DiffServ class of type “all” for each of the departments, and name them. Define the match criteria—VLAN ID—for the new classes. .

Figure 58 Example of using class-map command

3. Create a DiffServ policy for inbound traffic named 'internet_access', adding the previously created department classes as instances within this policy. This policy uses the assign-queue attribute to put each department's traffic on a different egress queue. This is how the DiffServ inbound policy connects to the CoS queue settings established below..

Figure 59 Example of using policy-map command

(Force10 S50) (Config)#class-map match-all finance_dept(Force10 S50) (Config class-map)#match vlan 10(Force10 S50) (Config class-map)#exit(Force10 S50) (Config)#(Force10 S50) (Config)#class-map match-all marketing_dept(Force10 S50) (Config class-map)#match vlan 20(Force10 S50) (Config class-map)#exit(Force10 S50) (Config)#(Force10 S50) (Config)#class-map match-all test_dept(Force10 S50) (Config class-map)#match vlan 30(Force10 S50) (Config class-map)#exit(Force10 S50) (Config)#(Force10 S50) (Config)#class-map match-all development_dept(Force10 S50) (Config class-map)#match vlan 40(Force10 S50) (Config class-map)#exit

(Force10 S50) (Config)#policy-map internet_access in(Force10 S50) (Config-policy-map)#class finance_dept(Force10 S50) (Config-policy-classmap)#assign-queue 1(Force10 S50) (Config-policy-classmap)#exit(Force10 S50) (Config-policy-map)#class marketing_dept(Force10 S50) (Config-policy-classmap)#assign-queue 2(Force10 S50) (Config-policy-classmap)#exit(Force10 S50) (Config-policy-map)#class test_dept(Force10 S50) (Config-policy-classmap)#assign-queue 3(Force10 S50) (Config-policy-classmap)#exit(Force10 S50) (Config-policy-map)#class development_dept(Force10 S50) (Config-policy-classmap)#assign-queue 4(Force10 S50) (Config-policy-classmap)#exit(Force10 S50) (Config-policy-map)#exit(Force10 S50) (Config)#

116 DiffServ

4. DiffServ inbound configuration: Attach the defined policy to interfaces 0/1 through 0/4 in the inbound direction.

Figure 60 Example of using service-policy command

5. Set the CoS queue configuration for the (presumed) egress interface 0/5 such that each of queues 1, 2, 3, and 4 get a minimum guaranteed bandwidth of 25%. All queues for this interface use weighted round-robin scheduling by default. The DiffServ inbound policy designates that these queues are to be used for the departmental traffic through the assign-queue attribute. It is presumed that the switch will forward this traffic to interface 0/5, based on a normal destination address lookup for internet traffic.

Figure 61 Example of using cos-queue command

(Force10 S50) (Config)#interface 0/1(Force10 S50) (Interface 0/1)#service-policy in internet_access(Force10 S50) (Interface 0/1)#exit(Force10 S50) (Config)#interface 0/2(Force10 S50) (Interface 0/2)#service-policy in internet_access(Force10 S50) (Interface 0/2)#exit(Force10 S50) (Config)#interface 0/3(Force10 S50) (Interface 0/3)#service-policy in internet_access(Force10 S50) (Interface 0/3)#exit(Force10 S50) (Config)#interface 0/4(Force10 S50) (Interface 0/4)#service-policy in internet_access(Force10 S50) (Interface 0/4)#exit

(Force10 S50) (Config)#interface 0/5(Force10 S50) (Interface 0/5)#cos-queue min-bandwidth 0 25 25 25 25 0 0 0(Force10 S50) (Interface 0/5)#exit(Force10 S50) (Config)#exit


Configuring Differentiated Services for Voice over IPOne of the most valuable uses of DiffServ is to support Voice over IP (VoIP). VoIP traffic is inherently time-sensitive. For a network to provide acceptable service, a guaranteed transmission rate is vital. This example shows one way to provide the necessary quality of service: how to set up a class for UDP traffic, have that traffic marked on the inbound side, and then expedite the traffic on the outbound side. The configuration sequence is for Router 1 in the accompanying diagram: a similar configuration should be applied to Router 2.

Figure 62 DiffServ VoIP example network diagram

1 2 3

4 5 67 8 9

* 8 #

Port 0/2

Port 0/3

Lauer 3 Switchoperating as

Router 1

Layer 3 Switchoperating as

Router 2

Internet

118 DiffServ

1. Enter Global Config mode. Set queue 5 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch.

2. Create a DiffServ classifier named 'class_voip' and define a single match criterion to detect UDP packets. The class type "match-all" indicates that all match criteria defined for the class must be satisfied in order for a packet to be considered a match.

3. Create a second DiffServ classifier named 'class_ef', and define a single match criterion to detect a DiffServ code point (DSCP) of 'EF' (expedited forwarding). This handles incoming traffic that was previously marked as expedited somewhere in the network.

4. Create a DiffServ policy for inbound traffic named 'pol_voip', then add the previously created classes 'class_ef' and 'class_voip' as instances within this policy. This policy handles incoming packets already marked with a DSCP value of 'EF' (per 'class_ef' definition), or marks UDP packets per the 'class_voip' definition) with a DSCP value of 'EF'. In each case, the matching packets are assigned internally to use queue 5 of the egress port to which they are forwarded.

5. Attach the defined policy to an inbound service interface.

(Force10 S50)#config(Force10 S50) (Config)#cos-queue strict 5(Force10 S50) (Config)#diffserv

(Force10 S50) (Config)#class-map match-all class_voip(Force10 S50) (Config class-map)#match protocol udp(Force10 S50) (Config class-map)#exit(Force10 S50) (Config)#

(Force10 S50) (Config)#class-map match-all class_ef(Force10 S50) (Config class-map)#match ip dscp ef(Force10 S50) (Config class-map)#exit(Force10 S50) (Config)#

(Force10 S50) (Config)#policy-map pol_voip in(Force10 S50) (Config-policy-map)#class class_ef(Force10 S50) (Config-policy-class-map)#assign-queue 5(Force10 S50) (Config-policy-class-map)#exit(Force10 S50) (Config-policy-map)#class class_voip(Force10 S50) (Config-policy-class-map)#mark ip-dscp ef(Force10 S50) (Config-policy-class-map)#assign-queue 5(Force10 S50) (Config-policy-class-map)#exit(Force10 S50) (Config-policy-map)#exit

(Force10 S50) (Config)#interface 0/2(Force10 S50) (Interface 0/2)#service-policy in pol_voip(Force10 S50) (Interface 0/2)#exit(Force10 S50) (Config)#exit(Force10 S50)#


120 DiffServ

IEEE 802.1Q VLAN support allows a network to be logically segmented without regard to the physical location of devices on the network—one physical network becomes multiple logical networks. These logical networks may, or may not, correspond to subnets.

Network segmentation provides:

• Better administration• Better security• Better management of multicast traffic• While maintaining Layer 2 forwarding speed

The VLAN tag in frames optionally carries priority information, and traffic between VLANs must be routed.

Important Points to Remember• Default VLAN is VLAN 1.• If a port is untagged, it can be member of multiple VLANs.• If a port is a member of multiple VLANs, it can be tagged in one VLAN and untagged in another.• If a port is a member of any VLAN, the port is implicitly included as part of the default VLAN 1

unless you explicitly exclude it using the command, vlan participation exclude 1.• If a port is untagged in VLAN 2, the port VLAN ID (PVID) number must be explictly configured

using the command vlan pvid 2 to be assigned to port 2. Therefore, any untagged packet coming into the port is treated as if it’s a member of VLAN 2. You must explicitly assign the PVID for the port; otherwise the default PVID for the port remains as 1.

• A packet with tag 2 coming into a port that is not a member of VLAN 2, is forwarded if the destination is known, or is flooded in VLAN 2 if its destination is unknown. Instead, to set this tag 2 packet so it is dropped when it comes into a port that is not a member of VLAN 2, you must enable vlan ingressfilter on that port. Note: vlan ingressfilter is enabled by default.

• When an untagged packet comes into a tagged port, by default this packet is treated as a member of whatever PVID is set for that port. Instead, to set this untagged packet so it is dropped when it comes into a tagged port, you must add vlan acceptframe vlan only on that port.

Chapter 12 IEEE 802.1Q VLANs


• For tagged ports:

For an untagged port that is a member of a VLAN:

VLANs ImplementationWith the SFTOS VLAN implementation, ports may belong to multiple VLANs, and VLAN membership may be based on port or protocol.

Switching is capable with VLAN-routing—the internal bridging and routing functions can act as logical ports of each other.

You may configure 1024 VLANs, of which can have any VLAN ID up to 3965. The top 129 VLANs are reserved.

When an individual port is added to a LAG, any VLAN membership is suspended, however the membership is automatically restored when the port is removed from the LAG.

Ingress Rules• Acceptable Frame Types parameter defaults to Admit All Frames• Port VLAN ID—default is 1, can be assigned by port or protocol

Step Command Syntax Command Mode Usage

1 vlan acceptframe vlan only INTERFACE So untagged packets are dropped when it comes into a tagged port.

2 vlan ingressfilter INTERFACE So tagged packets are dropped when it comes into a port that is not a member of a VLAN with the same numeric value as the tag of that packet.

3 vlan participation exclude number

INTERFACE To exclude a port from a VLAN.

Step Command Syntax Command Mode Usage

1 vlan ingressfilter INTERFACE So tagged packets are dropped when it comes into a port that is not a member of a VLAN with the same numeric value as the tag of that packet.

2 vlan pvid number INTERFACE To assign a VLAN to a port by number.

3 vlan participation exclude number

INTERFACE To exclude a port from a VLAN.

122 IEEE 802.1Q VLANs

• Ingress filtering defaults to disabled

Forwarding Rules

Forwarding rules are based on the following attributes:

• VLAN membership• Spanning tree state (forwarding)• Frame type (unicast or multicast)• Filters

Egress Rules• Spanning tree state (forwarding)• VLAN membership• Untagged frames only forwarded if embedded addresses are canonical

Exempt Frames• Spanning tree BPDUs• GVRP BPDUs• Frames used for control purposes, e.g. LAG PDUs, flow control

VLAN CLI ManagementPrivileged and User Exec Mode commands:

• Display summary information for all configured VLANs— show vlan brief

• Display detailed information for a specific VLAN— show vlan <1-4094>

• Display port-specific information for one or more VLANs— show vlan port {<slot/port | all>}

VLAN Database Mode Commands• [Delete] create a new VLAN and assign an ID

— [no] vlan <2-4094>

• Change a dynamically created VLAN to a static VLAN (permanently configure)— vlan makestatic <2-4094>


• [Reset] assign a name to a VLAN, VLAN 1 is always named Default, default for other VLANs is a blank string— [no] vlan name <2-4094> <name>

VLAN Configuration ExamplesTo create a VLAN, you must enter ENABLE mode, enter VLAN database mode, create the VLAN using the vlan command, then name it using vlan name:

1. Creating a VLAN.

2. Creating an IP VLAN:

3. Enable virtual router function:

Force10#vlan databasevlan 5vlan 10exit

configureinterface 0/2vlan participation exclude 1vlan participation include 5vlan pvid 5

interface 0/4vlan participation exclude 1vlan participation include 10vlan pvid 10exit

Force10#

vlan databaserouting 5routing 10exit

Force10#configureip routingexit


4. Configuring a Virtual Interface. This example assumes you have assigned IP addresses to interfaces “x/1” and “x/2”:

5. Enabling a Routing Protocol (example: for RIP):

Viewing VLANs

To view VLANs, use the command show run and show brief. Note in the show brief output that VLAN 1 exists even though it was not configured:

Force10#configure

interface x/1 <---- (query the virtual interface created from step 2)ip address 192.168.1.1 255.255.255.0exit

interface x/2 ip address 182.168.1.2 255.255.255.0exit

router ripenableexit

interface x/1 (virtual interface from step 2)ip ripexit

interface x/2ip rip

(S50) #show run!Current Configuration:!

set prompt "S50"network parms 172.17.1.33 255.255.255.0 172.17.1.254vlan databasevlan 2vlan name 2 "v-2"vlan 3vlan name 3 "v-3"vlan 50exit(S50) #show vlan brief

VLAN ID VLAN Name VLAN Type------- -------------------------------- ---------1 Default Default2 v-2 Static3 v-3 Static50 Static


VLAN 1 is the default VLAN, and all interfaces are members of VLAN 1 by default.

Ingress Filtering

When ingress filtering is disabled, frames received with VLAN IDs that do not match the VLAN membership of the receiving interface are admitted and forwarded to ports that are members of that VLAN. To enable ingress filtering, use the command vlan ingressfilter (enabled by default):

Figure 63 vlan ingressfilter Command Example

Setting the VLAN ID

To set the VLAN ID for an interface, use the command vlan pvid. When the PVID is not explictly configured, the default setting is 1:

Figure 64 Configuring a VLAN PVID

Configuring VLAN Participation

The command vlan participation include includes the VLAN on the interface:

Figure 65 Configuring VLAN Participation

The following are the three options for participation:

• include—the interface is always a member of this VLAN. (Equivalent to registration fixed.)• exclude—the interface is never a member of this VLAN. (Equivalent to registration forbidden.)

Note: By default, SFTOS drops any frames that do not match the configured VLANs of an interface.

Note: An untagged port may include multiple VLANs.

(S50) (Interface 1/0/4)#vlan ingressfilter

(S50) (Interface 1/0/4)#vlan pvid 2

(S50) (Interface 1/0/4)#vlan participation include 2


• auto—the interface is dynamically registered in this VLAN by GVRP. The interface will not participate in this VLAN unless a join request is received on this interface. (Equivalent to registration normal.)

The command vlan participation exclude excludes the VLAN on the interface:

Figure 66 Configuring VLAN Participation

Below is an example configuration of an untagged VLAN interface with its participation configuration:

Figure 67 Untagged VLAN Interface Configuration Example

Clearing/resetting VLAN

To clear the VLAN configuration parameters to the factory defaults, issue the clear vlan command from Privileged Exec mode:

Figure 68 Clearing a VLAN Example

This command removes all VLAN information from the running configuration.

Note: Since VLAN 1 is the default VLAN, and all interfaces are members of VLAN 1 by default, excluding VLAN 1 from an interface allows for E-Series-type (standard) behavior.

Note: Recovery of VLAN information requires reloading the switch.

(S50) (Interface 1/0/4)#vlan participation exclude 1

!interface 1/0/4vlan pvid 2vlan ingressfiltervlan participation exclude 1vlan participation include 2vlan participation include 3exit

(S50) #clear vlan


Tagged Ports

To configure a tagged port for VLANs 10 and 11 only, on port 1/0/1:

Figure 69 Configuring a Tagged Port for VLANs

To configure an untagged port for VLAN 10 on port 1/0/1:

Figure 70 Configuring a Tagged Port for VLANs

(S50) (Config)#interface 1/0/1! Only accept tagged frames(S50) (Interface 1/0/1)#vlan acceptframe all vlanonly! Only forward traffic in configured VLANs(S50) (Interface 1/0/1)#vlan ingressfilter ! Exclude VLAN 1(S50) (Interface 1/0/1)#vlan participation exclude 1! Include VLAN 10(S50) (Interface 1/0/1)#vlan participation include 10! Transmit tagged frames for VLAN 10(S50) (Interface 1/0/1)#vlan port tagging 10 ! Include VLAN 11(S50) (Interface 1/0/1)#vlan participation include 11! Transmit tagged frames for VLAN 11(S50) (Interface 1/0/1)#vlan port tagging 11

(S50) (Config)#interface 1/0/1! Only forward traffic in configured VLANs(S50) (Interface 1/0/1)#vlan ingressfilter! Set the VLAN ID to 10(S50) (Interface 1/0/1)#vlan pvid 10 ! Exclude VLAN 1(S50) (Interface 1/0/1)#vlan participation exclude 1! Include VLAN 10(S50) (Interface 1/0/1)#vlan participation include 10


Showing VLAN Configuration

Use the show vlan command to view VLAN configuration:

Figure 71 show vlan Example

S50 and E-Series DifferencesThere are differences between the S-Series (S50) and the E-Series hardware.

Table 1 Differences Between the S50 and E-Series

S50 E-SeriesUntagged ports can be a member of many VLANs.

Untagged ports can be a member of one VLAN.

A port can be tagged in one VLAN and untagged in another VLAN.

If a port is member of multiple VLANs, it has to be tagged.

A port is a member of VLAN 1 until explicitly excluded.

When a port is assigned a VLAN, the port is implicitly excluded from VLAN 1 (the default VLAN).

A port forwards traffic in VLAN 1 even when assigned a VLAN, until configured with the vlan pvid command.

When a port is assigned a VLAN, all traffic on the port is forwarded in that VLAN.

(s50) #show vlan 1

VLAN ID: 1VLAN Name: DefaultVLAN Type: Default

Interface Current Configured Tagging---------- -------- ----------- --------1/0/1 Include Include Untagged1/0/2 Include Include Untagged1/0/3 Include Include Untagged1/0/4 Include Include Untagged1/0/5 Include Include Untagged1/0/6 Include Include Untagged1/0/7 Include Include Untagged1/0/8 Include Include Untagged1/0/9 Include Include Untagged1/0/10 Include Include Untagged1/0/11 Include Include Untagged1/0/12 Include Include Untagged1/0/13 Include Include Untagged1/0/14 Include Include Untagged1/0/15 Include Include Untagged1/0/16 Include Include Untagged...


The following examples demonstrate how to configure a tagged and untagged port on the S50 to behave the same way as on the E-Series.

Traffic received on a port for a VLAN that is not configured on the port is forwarded if the destination is known, or flooded in that VLAN if the destination is unknown. The vlan ingressfilter command can only be used to forward traffic for VLANs that are configured on the port.

Traffic received on a port for a VLAN that is not configured on the port is dropped.

Untagged traffic is forwarded in the VLAN configured with the vlan pvid command. To only accept tagged frames on the port, use the vlan acceptframe vlan only command.

Untagged traffic received on a port that is configured as a tagged port is dropped.

S50 E-SeriesTo configure a tagged port for VLANs 10 and 11 on port 1/0/1:

(S50) (Config)#interface 1/0/1! Only accept tagged frames(S50) (Interface 1/0/1)#vlan acceptframe vlanonly ! Only forward traffic in configured VLANs(S50) (Interface 1/0/1)#vlan ingressfilter ! Exclude VLAN 1(S50) (Interface 1/0/1)#vlan participation exclude 1! Include VLAN 10(S50) (Interface 1/0/1)#vlan participation include 10! Transmit tagged frames for VLAN 10(S50) (Interface 1/0/1)#vlan tagging 10 ! Include VLAN 11(S50) (Interface 1/0/1)#vlan participation include 11! Transmit tagged frames for VLAN 11(S50) (Interface 1/0/1)#vlan tagging 11

To configure a tagged port for VLANs 10 and 11 on port g0/1:

Force10(conf)#interface g0/1Force10(conf-if-gi-0/1)#switchport Force10(conf-if-gi-0/1)#interface vlan 10Force10(conf-if-vl-10)#tagged g0/1Force10(conf-if-gi-0/1)#interface vlan 11Force10(conf-if-vl-11)#tagged g0/1

To configure an untagged port for VLAN 10 on port 1/0/1:

(S50) (Config)#interface 1/0/1! Only forward traffic in configured VLANs(S50) (Interface 1/0/1)#vlan ingressfilter! Set the VLAN ID to 10(S50) (Interface 1/0/1)#vlan pvid 10 ! Exclude VLAN 1(S50) (Interface 1/0/1)#vlan participation exclude 1! Include VLAN 10(S50) (Interface 1/0/1)#vlan participation include 10

To configure an untagged port for VLAN 10 on port g0/1:

Force10(conf)#interface g0/1Force10(conf-if-gi-0/1)#switchport Force10(conf-if-gi-0/1)#interface vlan 10Force10(conf-if-vl-10)#untagged g0/1

Table 1 Differences Between the S50 and E-Series

S50 E-Series


To configure the S50 to have functionality of the E-series, the following tasks must be executed:

• For tagged ports:

1.VLAN acceptframe VLAN only

2.VLAN ingressfilter

3.VLAN participation exclude 1

• For untagged ports (for example, the port is member of VLAN 4):

1.VLAN ingressfilter

2.VLAN PVID 4

3.VLAN participation exclude 1



Generic Attribute Registration Protocol (GARP) provides a generic attribute dissemination protocol used to support other protocols such as GVRP. GARP is used to register and deregister attribute values with other GARP participants within bridged LANs. When a GARP participant declares or withdraws a given attribute, the attribute value is recorded with the applicant state machine for the port from which the declaration or withdrawal was made.

• There exists a GARP participant per port per GARP application (e.g. GVRP)

GARP VLAN Registration Protocol (GVRP)• GVRP propagates VLAN membership throughout a network• GVRP allows end stations and SFTOS™ Switching devices to issue and revoke declarations relating

to VLAN membership• VLAN registration is made in the context of the port that receives the GARP PDU and is propagated to

the other active ports• GVRP is disabled by default -- user must enable GVRP for the switch and then for individual ports• Dynamic VLANs are aged out after the LeaveAllTimer expires three times without receipt of a join

message

SFTOS™ Switching complies with:

• IEEE 802.1D • IEEE 802.1Q

GARP Multicast Registration Protocol (GMRP)• GMRP propagates group membership throughout a network.• GMRP allows end stations and SFTOS™ Switching devices to issue and revoke declarations relating

to group membership.• (De)registration updates the Multicast Forwarding Database—multicast packets only forwarded

through ports with a GMRP registration.• GMRP is disabled by default—user must enable GMRP for the switch and then for individual ports.

Chapter 13 GARP Timers


GARP Implementation• GMRP is part of the SFTOS Switching package

— Interacts with the Spanning Tree Protocol , GARP and the Multicast Forwarding Database— Requires Independent VLAN Learning

• There is an instance of GMRP for each VLAN• MAC addresses are qualified by the two byte VLAN ID

• SFTOS GMRP complies with:— IEEE 802.1D Clause 10— GMRP Port configuration and Status Table from RFC 2674

• SFTOS limitations— Default filtering behavior is not supported— Static entries are not coordinated

GARP TimersThe following are GARP timers:

• JoinTimer— Controls the interval of GMRP PDU transmission— Default value: 20 centiseconds

• LeaveTimer— Controls the time period after the de-registration process is started for a registered attribute— Default value: 60 centiseconds

• Should be at least twice the JoinTimer• LeaveAllTimer

— Controls the frequency with which LeaveAll event GARP PDU is transmitted— Default value: 1000 centiseconds

• Should be considerably longer than LeaveTimer

GARP Commands1. Enable GARP VLAN Registration Protocol (GVRP) or GARP Multicast Registration Protocol

(GMRP) for the switch:

set {gvrp | gmrp} adminmode

134 GARP Timers

2. Enable GVRP or GMRP for all ports (Note: Global Config Mode)

configure

set {gvrp | gmrp} interfacemode

3. [Reset] sets the timer values for all ports in centiseconds. Note that these commands can be applied globally or at interface level. For interface, go to the individual interfaces and apply the changes.

configure

set garp timer all <10-100>

The default is 20.

set garp timer leaveall <20-600>

The default is 60.

set garp timer leaveall all <200-6000>

The default is 1000.

GARP CLI Management

Privileged Exec Mode Command for Configuration• Enable GVRP or GMRP for the switch

— set {gvrp | gmrp} adminmode

Global Config Mode Commands• Enable GVRP or GMRP for all ports

— set {gvrp | gmrp} interfacemode

• [Reset] set the timer values for all ports in centiseconds— [no] set garp timer all <10-100>—default 20— [no] set garp timer leaveall <20-600> -- default 60— [no] set garp timer leaveall all <200-6000> -- default 1000

Interface Config Mode Commands• Enable GVRP or GMRP for specific ports

— set {gvrp | gmrp} interfacemode• [Reset] set the timer values for specific ports

— [no] set garp timer <10-100> -- default 20


— [no] set garp timer leave <20-600> -- default 60— [no] set garp timer leaveall <200-6000> -- default 1000

GARP Properties

This is a list of Privileged and User Exec mode commands that displays GARP information for the switch:

• show garp info

— Admin mode for GVRP and GMRP

This is a list of Privileged and User Exec mode commands that displays GARP/GVRP information for the switch:

• show gmrp configuration {<unit/slot/port> | all}

• show gvrp configuration {<unit/slot/port> | all}

— Port admin mode for GVRP and GMRP— Timer values

136 GARP Timers

The following example shows how to enable GVRP for all ports in switch:

Figure 72 Enabling GVRP Example

Summary: GVRP is used to exchange the VLAN number, in this case is VLAN 10

Test Setup Configuration Example• Two switches link by port 0/2• Both switches enable GVRP. • Switch1 has 1/0/1 and 1/0/2 belong to VLAN 10.• Send GVRP join_in from Switch1 1/0/1, Switch2 2/0/2 becomes VLAN 10.• Send GVRP join_in from Switch2 0/10. • Check that VLAN 10's traffic goes through Switch1 1/0/1 to Switch2 2/0/10. Creating a VLAN.

Enabling and Verifying GVRP1. Enable GVRP.

2. Create VLAN and add the daisy chain port (1/0/2) to all VLANs.

3. Verify the VLAN learned by the command show vlan brief.

4. Verify the GARP admin mode by the command show garp.

5. Verify the GARP interface by the command show gvrp configuration all.

Chapter 14 GVRP

set gvrp adminmode config set gvrp interfacemode all

exit


• Switch2 learns VLAN 10.• Port 0/2 will become VLAN 10 and VLAN 10 traffic can go through.

138 GVRP

Switch1

Switch2

set prompt "Switch1"config lineconfig serial timeout 0 exitexit

vlan database vlan 10exit

config interface 0/1 vlan participation include 10 vlan pvid 10 exit interface 0/2 vlan participation include 10 exitexit

set gvrp adminmode config set gvrp interfacemode allexit

set prompt "Switch2"config lineconfig serial timeout 0 exitexit

config interface 0/10 vlan participation exclude 1 exitexit

set gvrp adminmode config set gvrp interfacemode all

exit


show vlan brief

vlan participation exlude 1

(F10 Routing) #show vlan brief

VLAN ID VLAN Name VLAN Type------- -------------------------------- ---------1 Default Default

(F10 Routing) #set prompt "Switch2"

(Switch2) #config

(Switch2) (Config)#lineconfig

(Switch2) (Line) #serial timeout 0

(Switch2) (Line) #exit

(Switch2) (Config)#exit

(Switch2) (Config)#interface 0/10

(Switch2) (Interface 0/10)#vlan participation exclude 1

(Switch2) (Interface 0/10)#exit


(Switch2) #set gvrp adminmode

Change will be applied in the next 10 seconds.

(Switch2) #config

(Switch2) (Config)#set gvrp interfacemode all

Change will be applied in the next 10 seconds.


140 GVRP

show garp

(Switch2) #show garp

GMRP Admin Mode................................ DisableGVRP Admin Mode................................ Enable

(Switch2) #show gvrp configuration all

Join Leave LeaveAll Port Slot/Port Timer Timer Timer GVRP Mode----------- ------- ------- ---------- -----------0/1 20 60 1000 Enabled0/2 20 60 1000 Enabled0/3 20 60 1000 Enabled0/4 20 60 1000 Enabled0/5 20 60 1000 Enabled0/6 20 60 1000 Enabled0/7 20 60 1000 Enabled0/8 20 60 1000 Enabled0/9 20 60 1000 Enabled0/10 20 60 1000 Enabled0/11 20 60 1000 Enabled0/12 20 60 1000 Enabled0/13 20 60 1000 Enabled0/14 20 60 1000 Enabled0/15 20 60 1000 Enabled0/16 20 60 1000 Enabled0/17 20 60 1000 Enabled0/18 20 60 1000 Enabled0/19 20 60 1000 Enabled--More-- or (q)uit


show vlan 1

show vlan brief

• Switch1 port 0/1 sends in GVRP join_in packet.• Switch2 port 0/2 becomes the dynamic VLAN 10. • Port 0/10 won't get it, because it is not included in VLAN 1.

(Switch2) #show vlan 1

VLAN ID: 1VLAN Name: DefaultVLAN Type: Default

slot/port Current Configured Tagging---------- -------- ----------- -------- 0/1 Include Include Untagged 0/2 Include Include Untagged 0/3 Include Include Untagged 0/4 Include Include Untagged 0/5 Include Include Untagged 0/6 Include Include Untagged 0/7 Include Include Untagged 0/8 Include Include Untagged 0/9 Include Include Untagged 0/10 Exclude Exclude Untagged 0/11 Include Include Untagged 0/12 Include Include Untagged 0/13 Include Include Untagged 0/14 Include Include Untagged 0/15 Include Include Untagged 0/16 Include Include Untagged--More-- or (q)uit

(Switch2) #show vlan brief

VLAN ID VLAN Name VLAN Type------- -------------------------------- ---------1 Default Default10 Dynamic

142 GVRP

show vlan 10

• Send GVRP v10 from Switch2 0/10


VLAN ID: 10VLAN Name:VLAN Type: Dynamic

slot/port Current Configured Tagging---------- -------- ----------- -------- 0/1 Exclude Autodetect Untagged 0/2 Include Autodetect Tagged 0/3 Exclude Autodetect Untagged 0/4 Exclude Autodetect Untagged 0/5 Exclude Autodetect Untagged 0/6 Exclude Autodetect Untagged 0/7 Exclude Autodetect Untagged 0/8 Exclude Autodetect Untagged 0/9 Exclude Autodetect Untagged 0/10 Exclude Autodetect Untagged 0/11 Exclude Autodetect Untagged 0/12 Exclude Autodetect Untagged 0/13 Exclude Autodetect Untagged 0/14 Exclude Autodetect Untagged 0/15 Exclude Autodetect Untagged 0/16 Exclude Autodetect Untagged--More-- or (q)uit


show vlan 10

Verify VLAN 10 traffic, if Switch1 sends the VLAN 10 packet, then Switch2 0/10 will recieve it.


VLAN ID: 10VLAN Name:VLAN Type: Dynamic

slot/port Current Configured Tagging---------- -------- ----------- -------- 0/1 Exclude Autodetect Untagged 0/2 Include Autodetect Tagged 0/3 Exclude Autodetect Untagged 0/4 Exclude Autodetect Untagged 0/5 Exclude Autodetect Untagged 0/6 Exclude Autodetect Untagged 0/7 Exclude Autodetect Untagged 0/8 Exclude Autodetect Untagged 0/9 Exclude Autodetect Untagged 0/10 Include Autodetect Tagged 0/11 Exclude Autodetect Untagged 0/12 Exclude Autodetect Untagged 0/13 Exclude Autodetect Untagged 0/14 Exclude Autodetect Untagged 0/15 Exclude Autodetect Untagged 0/16 Exclude Autodetect Untagged--More-- or (q)uit

144 GVRP

VLAN-stack commands1. Enable VLAN-stack for a specific interface:

mode dvlan-tunnel

mode dot1q-tunnel

2. Configure the customer ID for an interface

dvlan-tunnel customer-id <0-4095>

3. Configure the ether-type for an interface

dvlan-tunnel ethertye {802.1Q | vman | custom} [0-65535]

4. Display DVLANs enabled vlan tagging.

show dvlan-tunnel or

show dot1q-tunnel

— Shows all interfaces that have DVLAN tagging enabled.

5. Display detailed information for a specific interface

show dvlan-tunnel interface {<unit/slot/port> | all}

show dot1q-tunnel interface {<unit/slot/port> | all}

Chapter 15 VLAN-Stack

Note: For more on VLAN configuration, see Chapter 12, IEEE 802.1Q VLANs. Chapter 18, Layer 3 Routing also contains configuration examples involving VLANs.


146 VLAN-Stack

Typically, a switch employing IGMP snooping forwards multicast packets out all ports in a VLAN until it receives an IGMP membership report.

Enabling IGMP Snooping 1. Enable IGMP Snooping

set igmp <vlanid>

— When inputting the variable <vlan id>, command must be typed from VLAN database mode, and not from the Interface Config mode.

2. Enable IGMP Snooping on all interfaces

set igmp interfacemode

3. Commands to configure timers:

set igmp groupmembership-interval <vlanid> <2-3600>

— Default 125 seconds— When inputting the variable <vlan id>, command must be typed from VLAN database

mode, and not from the Interface Config mode.

set igmp maxresponse <vlanid> <1-less than group membership interval>

— Default 10 seconds— When inputting the variable <vlan id>, command must be typed from VLAN database

mode, and not from the Interface Config mode.

set igmp mcrtexpiretime <vlanid> <0-3600>

— Default 0 seconds (no expiration)— If the command is used from the Global Config mode, it sets the time for all routers.

Monitoring IGMP Snooping As shown in the following sample Telnet output, use the show igmpsnooping command from the Privileged Exec mode to inspect your settings.

Chapter 16 IGMP Snooping


For IGMP details on a specific interface, use the show igmp interface unit/slot/port command.

Use the show mac-address-table igmpsnooping command to display the IGMP Snooping entries in the Multicast Forwarding Database (MFDB) table.

(Force10 s50) #show igmpsnooping ?

<cr> Press Enter to execute the command.<unit/slot/port> Enter interface in unit/slot/port format.mrouter Display IGMP Snooping Multicast Router information.<1-3965> Display IGMP Snooping valid VLAN ID information.

(Force10 s50) #show igmpsnooping

Admin Mode................................EnableMulticast Control Frame Count.............0Interfaces Enabled for IGMP Snooping......1/0/10Vlans enabled for IGMP snooping...........20

(Force10 s50) #show igmp interface ?

<unit/slot/port> Enter interface in unit/slot/port format.membership Display interfaces subscribed to the multicast group.stats Display IGMP statistical information.

(Force10 s50) #show igmp interface 1/0/10

Slot/Port......................................1/0/10IGMP Admin Mode................................EnableInterface Mode.................................DisableIGMP Version...................................3Query Interval (secs)..........................125Query Max Response Time (1/10 of a second......100Robustness.....................................2Startup Query Interval (secs)..................31Startup Query Count............................2Last Member Query Interval (1/10 of a second)..10Last Member Query Count........................2

(Force10 s50) #show mac-address-table igmpsnooping interface ?

MAC Address Type Description Interfaces----------------------- ------- -------------- -----------00:01:01:00:5E:00:01:16 Dynamic Network Assist Fwd: 1/0/4700:01:01:00:5E:00:01:18 Dynamic Network Assist Fwd: 1/0/4700:01:01:00:5E:37:96:D0 Dynamic Network Assist Fwd: 1/0/4700:01:01:00:5E:7F:FF:FA Dynamic Network Assist Fwd: 1/0/4700:01:01:00:5E:7F:FF:FE Dynamic Network Assist Fwd: 1/0/47

148 IGMP Snooping

Port Mirroring:

• Enables you to monitor network traffic with an external network analyzer

• Forwards a copy of each incoming and outgoing packet to a specific port

• Is used as a diagnostic tool, debugging feature or means of fending off attacks

• Assigns a specific port to which to copy all packets

Inbound or outbound packets will switch to their destination and will be copied to the mirrored port.

The following are common port mirroring commands:

• Configure probe port and mirrored port:

monitor session source 1/0/43 destination 1/0/47

• Enable monitor session mode (default is disable):

monitor session mode

• Disable monitor session mode before unconfiguring probe and mirrored port:

no monitor session mode

Chapter 17 Port Mirroring

Switch

Port 1/0/2Port 1/0/1

Port 1/0/3

Mirrored


Typically, before configuring mirroring sessions, you would inspect existing conditions.

First, to show existing probe ports and mirrored ports, use show port all:

Show the monitored session with show monitor session 1.

From the Privileged Exec mode, use the show port interface command for information on whether a specific port is the mirror or probe port and what is enabled or disabled on it.

(Force10 s50) #show port all

Admin Physical Physical Link Link LACPIntf Type Mode Mode Status Status Trap Mode---- ---- ------ -------- -------- ------ ---- ----1/0/1 Enable Auto Down Enable Enable1/0/2 Enable Auto Down Enable Enable1/0/3 Enable Auto Down Enable Enable1/0/4 Mirror Enable Auto Down Enable Enable1/0/5 Probe Enable Auto Down Enable Enable1/0/6 Enable Auto Down Enable Enable1/0/7 Enable Auto Down Enable Enable1/0/8 Enable Auto Down Enable Enable1/0/10 Enable Auto Down Enable Enable

(Force10 s50) #show monitor session 1

Session ID Admin Mode Probe Port Mirrored Port---------- ---------- ---------- -------------1 Enable 1/0/5 1/0/4

(Force10 s50) #

(Force10 s50) #show port 1/0/4Admin Physical Physical Link Link LACP

Intf Type Mode Mode Status Status Trap Mode---- ---- ------ -------- -------- ------ ---- ----1/0/4 Mirror Enable Auto Down Enable Enable

(Force10 s50)#show port 1/0/5Admin Physical Physical Link Link LACP

Intf Type Mode Mode Status Status Trap Mode---- ---- ------ -------- -------- ------ ---- ----1/0/5 Probe Enable Auto Down Enable Enable

150 Port Mirroring

Port Mirroring Configuration ExamplesThe following are port mirroring configuration examples:

Unconfigure the probe and mirrored ports

Verify that the Probe port is not network connected

Verify monitor session status

Configuration example

The probe and monitored ports must be configured before monitor session (port monitoring) can be enabled. When enabled, the probe port monitors all traffic received and transmitted on the physical monitored port. It is not necessary to disable port monitoring before modifying the probe and monitored ports.

A session is operationally active if and only if both a destination port and at least one source port is configured. If neither is true, the session is inactive.

Note: The Probe port will not forward any traffic and will not receive any traffic.SFTOS supports one-to-one monitoring.

(Force10 S50) (Config)#no monitor session

monitor session source 1/0/43 destination 1/0/47monitor session mode

(Force10 S50) #show vlan port 1/0/47

Port Acceptable Ingress DefaultInterface VLAN ID Frame Types Filtering GVRP Priority--------- ------- ------------ ----------- ------- --------

(Force10 S50) #show monitor

Port Monitor Mode.............................. EnableProbe Port..................................... 1/0/47Mirrored Port.................................. 1/0/39


A port configured as a destination port acts as a mirroring port when the session is operationally active. If it is not, the port acts as a normal port and participates in all normal operation with respect to transmitting traffic.

Specify the source and destination ports.

Enable port security. Access the Interface Config mode for the specific interface by entering Interface unit/slot/port.

(Force10 S50)(Config) #monitor session 1 source interface 1/0/4(Force10 S50)(Config) #monitor session 1 destination interface 1/0/5

(Force10 S50)(Config) #

(Force10 S50)(Interface 1/0/4) #port-security ?

<cr> Press Enter to execute the command.mac-address Add Static MAC address to the interface.max-dynamic Set Dynamic Limit for the interface.max-static Set Static Limit for the interface.

(Force10 (S50)(Config)(Interface 1/0/4)#port-security max-static ?

<0-20> Set Static Limit for the interface.

(Force10 (S50)(Interface 1/0/4)#port-security max-static 5(Force10 (S50)(Interface 1/0/4)#port-security max-dynamic 10

152 Port Mirroring

This chapter provides examples of how to configure your S-Series with the optional Layer 3 software in some typical network scenarios. The examples begin with support for port routing in a simple network, and explain how to activate the most common routing protocols. A discussion of the use of VLANs with and without VLAN routing is followed by sections on Link Aggregation and Virtual Router Redundancy Protocol. For an introduction to the use of services related to Layer 3, such as Access Control Lists and Differentiated Services, see their specific chapters later in this guide.

An end station specifies the destination station’s Layer 3 address in the packet’s IP header, but sends the packet to the MAC address of a router. When the Layer 3 router receives the packet, it will minimally:

• Look up the Layer 3 address in its address table to determine the outbound port • Update the Layer 3 header • Recreate the Layer 2 header

The router’s IP address is often statically configured in the end station, although the S-Series supports protocols such as DHCP that allow the address to be assigned dynamically. Likewise, you may assign some of the entries in the routing tables used by the router statically, but protocols such as RIP and OSPF allow the tables to be created and updated dynamically as the network configuration changes.

Port Routing ConfigurationThe S-Series always provides Layer 2 bridging, but Layer 3 routing must be explicitly enabled, first for the S-Series router as a whole, and then for each port which is to participate in the routed network.

The configuration commands used in the example in this section enable IP routing on ports 0/2, 0/3, and 0/5. The router ID will be set to the S-Series’ management IP address, or to that of any active router interface if the management address is not configured.

After the routing configuration commands have been issued, the following functions will be active:

• IP Forwarding, responsible for forwarding received IP packets• ARP Mapping, responsible for maintaining the ARP Table used to correlate IP and MAC addresses.

The table contains both static entries and entries dynamically updated based on information in received ARP frames.

• Routing Table Object, responsible for maintaining the common routing table used by all registered routing protocols

Chapter 18 Layer 3 Routing


You may then activate RIP or OSPF, used by routers to exchange route information, on top of IP Routing. RIP is more often used in smaller networks, while OSPF was designed for larger and more complex topologies.

Port Routing Configuration Example

The diagram in this section shows a Layer 3 switch configured for port routing. It connects three different subnets, each connected to a different port. The example shows the commands you would use to configure the S-Series to provide the port routing support shown in the diagram.

Figure 73 Port routing example network diagram

1. Enable routing for the switch. IP forwarding will then be enabled by default.

Subnet 3

Subnet 5Subnet 2

Port 0/2192.150.2.2

Port 0/3192.130.3.1

Port 0/5192.64.4.1

Layer 3 Switchacting as a router

(Force10 s50) #config(Force10 s50) (Config)#ip routing (Force10 s50) (Config)#exit

154 Layer 3 Routing

2. Enable routing for the ports on the switch. The default link-level encapsulation format is Ethernet. Configure the IP addresses and subnet masks for the ports. Network-directed broadcast frames will be dropped and the maximum transmission unit (MTU) size will be 1500 bytes.

Figure 74 Using the ip address command

RIP ConfigurationRouting Information Protocol (RIP) is one of the protocols that routers can use to exchange network topology information. RIP is called as an “interior” gateway protocol, and is typically used in small to medium-sized networks.

A router running RIP will send the contents of its routing table to each of its adjacent routers every 30 seconds. When a route is removed from the routing table it will be flagged as unusable by the receiving routers after 180 seconds, and removed from their tables after an additional 120 seconds.

There are two versions of RIP, both supported by SFTOS and the S-Series:

• RIPv1 defined in RFC 1058 • Routes are specified by IP destination network and hop count.• The routing table is broadcast to all stations on the attached network.

• RIPv2 defined in RFC 1723• Route specification is extended to include subnet mask and gateway.• The routing table is sent to a multicast address, reducing network traffic.• An authentication method is used for security.

You may configure a given port:

• To receive packets in either or both formats • To transmit packets formatted for RIPv1 or RIPv2 or to send RIPv2 packets to the RIPv1 broadcast

address• To prevent any RIP packets from being received• To prevent any RIP packets from being transmitted

(Force10 s50) #config(Force10 s50) (Config)#interface 0/2(Force10 s50) (Config)#routing(Force10 s50) (Config)#ip address 192.150.2.1 255.255.255.0(Force10 s50) (Config)#exit(Force10 s50) (Config)#interface 0/5(Force10 s50) (Interface 0/5)#routing(Force10 s50) (Interface 0/5)#ip address 192.150.5.1 255.255.255.0(Force10 s50) (Interface 0/5)#exit(Force10 s50) (Config)#exit


RIP Configuration Example

The configuration commands used in the following example enable RIP on ports 0/2 and 0/3:

1. Enable routing for the switch.

Figure 75 Using the ip routing command

2. Enable routing and assign the IP for ports 0/2 and 0/3.

Figure 76 Using the interface, routing, and ip address commands

3. Enable RIP for the switch. The route preference will default to 15.

Figure 77 Using the router rip command

(Force10 s50)#config(Force10 s50) (Config)#ip routing(Force10 s50) (Config)#exit

(Force10 s50) #config(Force10 s50) (Config)#interface 0/2 (Force10 s50) (Interface 0/2)#routing(Force10 s50) (Interface 0/2)#ip address 192.150.5.2 255.255.255.0(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3 (Force10 s50) (Interface 0/3)#routing(Force10 s50) (Interface 0/3)#ip address 192.150.5.3 255.255.255.0(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#exit

(Force10 s50) #config(Force10 s50) (Config)#router rip(Force10 s50) (Config router)#enable(Force10 s50) (Config router)#exit(Force10 s50) (Config)#exit(Force10 s50)#

156 Layer 3 Routing

4. Enable RIP for ports 0/2 and 0/3. Authentication will default to none, and no default route entry will be created. Specify that both ports will receive both RIPv1 and RIPv2 frames, but will send only RIPv2 formatted frames.

Figure 78 Using the ip rip command

OSPF ConfigurationFor larger networks, Open Shortest Path First (OSPF) is generally used in preference to RIP. OSPF offers several benefits to the administrator of a large and/or complex network:

• Less network traffic:• Routing table updates are sent only when a change has occurred.• Only changed part of the table is sent.• Updates are sent to a multicast, not a broadcast, address.

• Hierarchical management, allowing the network to be subdivided

The top level of the hierarchy of an OSPF network is known as an autonomous system (AS) or routing domain, and is a collection of networks with a common administration and routing strategy. The AS is divided into areas: intra-area routing is used when a source and destination address are in the same area, and inter-area routing across an OSPF backbone is used when they are not. An inter-area router communicates with border routers in each of the areas to which it provides connectivity.

The S-Series operating as a router, and running OSPF will determine the best route, using the assigned cost and the type of the OSPF route. The order for choosing a route, if more than one type of route exists, is as follows:

1. Intra-area

2. Inter-area

3. External Type 1: The route is external to the AS.

4. External Type 2: The route was learned from other protocols such as RIP.

(Force10 s50)#config(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#ip rip(Force10 s50) (Interface 0/2)#ip rip receive version both(Force10 s50) (Interface 0/2)#ip rip send version rip2(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#ip rip(Force10 s50) (Interface 0/3)#ip rip receive version both(Force10 s50) (Interface 0/3)#ip rip send version rip2(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#exit


OSPF Configuration Examples

The examples in this section show you how to configure the S-Series first as an inter-area router and then as a border router. They show two areas, each with its own border router connected to one inter-area router.

Configuring OSPF on an S-Series operating as an inter-area router

The first diagram shows a network segment with an inter-area router connecting areas 0.0.0.2 and 0.0.0.3. The example shows the commands used to configure the S-Series as the inter-area router in the diagram by enabling OSPF on port 0/2 in area 0.0.0.2 and port 0/3 in area 0.0.0.3.

Figure 79 OSPF example network diagram: inter-area router


Port 0/2192.150.2.1

Port 0/3192.150.3.1

Layer 3 Switch acting as anInter-area Router

Border RouterBorder Router

Area 3

Area 2

(Force10 s50)#config(Force10 s50) (Config)#ip routing(Force10 s50) (Config)#exit(Force10 s50)#

158 Layer 3 Routing

2. For ports 0/2 and 0/3, enable routing, and assign the IP.

3. Specify the router ID and enable OSPF for the switch. Disable “1583compatibility” to prevent the routing loop.

4. Enable OSPF for the ports and set the OSPF priority and cost for the ports.

Figure 80 Using the ospf priority command

(Force10 s50)#config(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#routing(Force10 s50) (Interface 0/2)#ip address 192.150.5.2 255.255.255.0(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#interface 0/3 (Force10 s50) (Interface 0/3)#routing(Force10 s50) (Interface 0/3)#ip address 192.150.5.3 255.255.255.0(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#exit

(Force10 s50)#config(Force10 s50) (Config)#router ospf(Force10 s50) (Config router)#enable(Force10 s50) (Config router)#router-id 192.150.9.9(Force10 s50) (Config router)#no 1583compatibility(Force10 s50) (Config router)#exit(Force10 s50) (Config)#

(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#ip ospf(Force10 s50) (Interface 0/2)#ip ospf areaid 0.0.0.2(Force10 s50) (Interface 0/2)#ip ospf priority 128(Force10 s50) (Interface 0/2)#ip ospf cost 32(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#ip ospf(Force10 s50) (Interface 0/3)#ip ospf areaid 0.0.0.3(Force10 s50) (Interface 0/3)#ip ospf priority 255(Force10 s50) (Interface 0/3)#ip ospf cost 64(Force10 s50) (Interface 0/3)#exit


Configuring OSPF on an S-Series operating as a border router

The next diagram shows the same network segment with the S-Series operating as the border router in area 0.0.0.2. The example shows the commands used to configure the switch with OSPF enabled on port 0/2 for communication with the inter-area router in the OSPF backbone, and on ports 0/3 and 0/4 for communication with subnets within area 0.0.0.2.

Figure 81 OSPF example network diagram: border router


Port 0/2192.150.2.1

Port 0/4192.64.4.1

Inter-area Router

Border Router

Area 3

Area 2

Layer 3 Switch acting as aBorder Router Port 0/2

192.150.2.2

Port 0/2192.150.2.2

Port 0/3192.130.3.1


160 Layer 3 Routing

2. Enable routing and assign the IP for ports 0/2, 0/3, and 0/4.

3. Specify the router ID and enable OSPF for the switch. Set disable 1583compatibility to prevent the routing loop.

4. Enable OSPF for the ports and set the OSPF priority and cost for the ports.

(Force10 s50) #config(Force10 s50) (Config)#interface 0/2 (Force10 s50) (Interface 0/2)#routing(Force10 s50) (Interface 0/2)#ip address 192.150.2.2 255.255.255.0(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3 (Force10 s50) (Interface 0/3)#routing(Force10 s50) (Interface 0/3)#ip address 192.150.3.1 255.255.255.0(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#interface 0/4 (Force10 s50) (Interface 0/3)#routing(Force10 s50) (Interface 0/3)#ip address 192.150.4.1 255.255.255.0(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#exit

(Force10 s50)#config(Force10 s50) (Config)#router ospf(Force10 s50) (Config router)#enable(Force10 s50) (Config router)#router-id 192.130.1.1(Force10 s50) (Config router)#no 1583compatibility(Force10 s50) (Config router)#exit(Force10 s50) (Config)#

(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#ip ospf(Force10 s50) (Interface 0/2)#ip ospf areaid 0.0.0.2(Force10 s50) (Interface 0/2)#ip ospf priority 128(Force10 s50) (Interface 0/2)#ip ospf cost 32(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#ip ospf(Force10 s50) (Interface 0/3)#ip ospf areaid 0.0.0.3(Force10 s50) (Interface 0/3)#ip ospf priority 255(Force10 s50) (Interface 0/3)#ip ospf cost 64(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#interface 0/4(Force10 s50) (Interface 0/4)#ip ospf(Force10 s50) (Interface 0/4)#ip ospf areaid 0.0.0.2(Force10 s50) (Interface 0/4)#ip ospf priority 255(Force10 s50) (Interface 0/4)#ip ospf cost 64(Force10 s50) (Interface 0/4)#exit(Force10 s50) (Config)#exit(Force10 s50)#exit


Virtual LANsAdding Virtual LAN (VLAN) support to a Layer 2 switch offers some of the benefits of both bridging and routing. Like a bridge, a VLAN switch forwards traffic based on the Layer 2 header, which is fast, and like a router, it partitions the network into logical segments, which provides better administration, security and management of multicast traffic.

A VLAN is a set of end stations and the switch ports that connect them. You may have many reasons for the logical division, such as department or project membership. The only physical requirement is that the end station and the port to which it is connected both belong to the same VLAN.

Each VLAN in a network has an associated VLAN ID, which appears in the IEEE 802.1Q tag in the Layer 2 header of packets transmitted on a VLAN. An end station may omit the tag, or the VLAN portion of the tag, in which case the first switch port to receive the packet may either reject it or insert a tag using its default VLAN ID. A given port may handle traffic for more than one VLAN, but it can only support one default VLAN ID.

VLAN Configuration Example

The diagram in this section shows an S-Series with four ports configured to handle the traffic for two VLANs. Port 0/2 handles traffic for both VLANs, while port 0/1 is a member of VLAN 2 only, and ports 0/3 and 0/4 are members of VLAN 3 only. The example following the diagram shows the commands you would use to configure the switch as shown in the diagram.

Figure 82 VLAN example network diagram

Port 0/1VLAN 2

Port 0/2VLANs 2 & 3

Port 0/3VLAN 3

Port 0/4VLAN 3

Layer 3 Switch

VLAN 2 VLAN 3

162 Layer 3 Routing

1. Create two VLANs and assign the VLAN IDs, leaving the names blank.

2. Assign the ports that will belong to VLAN 2, specify that frames will always be transmitted tagged from all member ports, and specify that untagged frames will be rejected on receipt.

3. Assign the ports that will belong to VLAN 3. Note that port 0/2 belongs to both VLANs and that port 0/5 can never belong to VLAN 3. Specify that untagged frames will be accepted on ports 0/4 and 0/5.

4. Specify the router ID and enable OSPF for the switch. Set disable 1583compatibility to prevent the routing loop.

(Force10 s50)#config(Force10 s50) (Config)#vlan database(Force10 s50) (VLAN)# vlan 2(Force10 s50) (VLAN)# vlan 3(Force10 s50) (VLAN)# exit

(Force10 s50) #config(Force10 s50) (Config)#interface 0/1(Force10 s50) (Interface 0/1)#vlan participation include 2(Force10 s50) (Interface 0/1)#vlan acceptframe vlanonly(Force10 s50) (Interface 0/1)#exit(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#vlan participation include 2(Force10 s50) (Interface 0/2)#vlan acceptframe vlanonly(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#vlan port tagging all 2(Force10 s50) (Config)#exit(Force10 s50) #

(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#vlan participation include 3(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#vlan participation include 3(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#interface 0/4(Force10 s50) (Interface 0/4)#vlan participation include 3(Force10 s50) (Interface 0/4)#exit(Force10 s50) (Config)#exit(Force10 s50) (Config)#interface 0/5(Force10 s50) (Interface 0/5)#vlan participation exclude 3(Force10 s50) (Interface 0/5)#exit(Force10 s50) (Config)#

(Force10 s50) (Config)#interface 0/4(Force10 s50) (Interface 0/4)#vlan acceptframe all(Force10 s50) (Interface 0/4)#exit(Force10 s50) (Config)#interface 0/5(Force10 s50) (Interface 0/5)#vlan acceptframe all(Force10 s50) (Interface 0/5)#exit(Force10 s50) (Config)#


5. Assign VLAN 3 as the default VLAN for port 0/2.

VLAN RoutingYou can configure the S-Series with some ports supporting VLANs and some supporting routing. You can also configure it to allow traffic on a VLAN to be treated as if the VLAN were a router port.

When a port is enabled for bridging (the default) rather than routing, all normal bridge processing is performed for an inbound packet, which is then associated with a VLAN. Its MAC Destination Address (MAC DA) and VLAN ID are used to search the MAC address table. If routing is enabled for the VLAN and the MAC DA of an inbound unicast packet is that of the internal bridge-router interface, the packet will be routed. An inbound multicast packet will be forwarded to all ports in the VLAN, plus the internal bridge-router interface if it was received on a routed VLAN.

Since a port can be configured to belong to more than one VLAN, VLAN routing might be enabled for all of the VLANs on the port, or for a subset. VLAN Routing can be used to allow more than one physical port to reside on the same subnet. It could also be used when a VLAN spans multiple physical networks, or when additional segmentation or security is required.

The next section will show you how to configure the S-Series to support VLAN routing and how to use RIP and OSPF. A port may be either a VLAN port or a router port, but not both. However, a VLAN port may be part of a VLAN that is itself a router port.

VLAN Routing Configuration

This section provides an example of how to configure the S-Series to support VLAN routing. The configuration of the VLAN router port is similar to that of a physical port. The main difference is that, after the VLAN has been created, you use the show ip vlan command to determine the VLAN’s interface ID so that you can use it in the router configuration commands.

VLAN Routing Configuration Example

The diagram in this section shows a Layer 3 switch configured for port routing. It connects two VLANs, with two ports participating in one VLAN, and one port in the other. The example shows the commands you would use to configure the S-Series to provide the VLAN routing support shown in the diagram.

(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#vlan pvid 3(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#exit

164 Layer 3 Routing

Figure 83 VLAN routing example network diagram

1. Create two VLANs with egress frame tagging enabled.

Physical Port 0/2VLAN Router Port 3/1

192.150.3.1


192.150.4.1

Layer 3 Switch

Layer 2 SwitchLayer 2 Switch

VLAN 20

VLAN 10

PhysicalPort 0/1

(Force10 s50)#config(Force10 s50) (Config)#vlan database(Force10 s50) (VLAN)#vlan 10(Force10 s50) (VLAN)#vlan 20(Force10 s50) (VLAN)#exit(Force10 s50) (Config)#interface 0/1(Force10 s50) (Interface 0/1)#vlan participation include 10(Force10 s50) (Interface 0/1)#exit(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#vlan participation include 10(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#vlan participation include 20(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#vlan port tagging all 10(Force10 s50) (Config)#vlan port tagging all 20


2. Specify the VLAN ID assigned to untagged frames received on the ports.

3. Enable routing for the VLANs.

4. Run the show ip vlan command to retrieve the logical interface IDs that will be used instead of slot/port in subsequent routing commands. Assume that VLAN 10 is assigned ID 3/1 and VLAN 20 is assigned ID 3/2.


6. Configure the IP addresses and subnet masks for the virtual router ports.

(Force10 s50) (Config)#interface 0/1(Force10 s50) (Interface 0/1)#vlan pvid 10(Force10 s50) (Interface 0/1)#exit(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#vlan pvid 10(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#vlan pvid 10(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#

(Force10 s50) (Config)#vlan database(Force10 s50) (VLAN)#vlan routing 10(Force10 s50) (VLAN)#vlan routing 20(Force10 s50) (VLAN)#exit(Force10 s50) (Config)#exit(Force10 s50)#


(Force10 s50)#config(Force10 s50) (Config)#interface 3/1(Force10 s50) (Interface 3/1)#ip address 192.150.3.1 255.255.255.0(Force10 s50) (Interface 3/1)#exit(Force10 s50) (Config)#interface 3/2(Force10 s50) (Interface 3/2)#ip address 192.150.4.1 255.255.255.0(Force10 s50) (Interface 3/2)#exit(Force10 s50) (Config)#exit(Force10 s50)#

166 Layer 3 Routing

VLAN Routing RIP Configuration

The two versions of the Routing Information Protocol (RIP) are described in RIP Configuration on page 155. The following example demonstrates how to add support for RIPv2 to the configuration created in the previous base VLAN routing example. A second router, using port routing rather than VLAN routing, has been added to the network.

Figure 84 RIP for VLAN routing example network diagram


192.150.3.1


192.150.4.1

Layer 3 Switch


VLAN 20

VLAN 10

Router Port 0/5192.150.5.1

Router


1. As done previously, create the VLANs and enable VLAN routing.

2. Enable RIP for the switch. The route preference will default to 15.

3. Configure the IP address and subnet mask for a non-virtual router port.

4. Enable RIP for the VLAN router ports. Authentication will default to none, and no default route entry will be created.

(Force10 s50)#config(Force10 s50) (Config)#vlan database(Force10 s50) (VLAN)#vlan 10(Force10 s50) (VLAN)#vlan 20(Force10 s50) (VLAN)#exit(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#vlan participation include 10(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#vlan participation include 20(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#vlan port tagging all 10(Force10 s50) (Config)#vlan port tagging all 20(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#vlan pvid 10(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#vlan pvid 20(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#vlan database(Force10 s50) (VLAN)#vlan routing 10(Force10 s50) (VLAN)#vlan routing 20(Force10 s50) (VLAN)#exit(Force10 s50) (Config)#show ip vlan! display of output removed!

(Force10 s50) (Config)#ip routing(Force10 s50) (Config)#interface 3/1(Force10 s50) (Interface 3/1)#ip address 192.150.3.1 255.255.255.0(Force10 s50) (Interface 3/1)#exit(Force10 s50) (Config)#interface 3/2(Force10 s50) (Interface 3/2)#ip address 192.150.4.1 255.255.255.0(Force10 s50) (Interface 3/2)#exit

(Force10 s50) (Config)#router rip(Force10 s50) (Config router)#enable(Force10 s50) (Config router)#exit(Force10 s50) (Config)#

(Force10 s50) (Config)#interface 0/5(Force10 s50) (Interface 0/5)#ip address 192.150.5.1 255.255.255.0(Force10 s50) (Interface 0/5)#exit(Force10 s50) (Config)#

(Force10 s50) (Config)#interface 3/1(Force10 s50) (Interface 3/1)#ip rip(Force10 s50) (Interface 3/1)#exit(Force10 s50) (Config)#interface 3/2(Force10 s50) (Interface 3/2)#ip rip(Force10 s50) (Interface 3/2)#exit

168 Layer 3 Routing

VLAN Routing OSPF Configuration

As described in OSPF Configuration on page 157, Open Shortest Path First (OSPF) is generally used in preference to RIP for routing in larger networks. This section provides an example of configuring VLAN Routing using OSPF. The example adds support for OSPF to the configuration created in the base VLAN routing example (VLAN Routing on page 164). The example shows the commands you would use to configure the S-Series as an inter-area router.

Figure 85 Example of configuring OSPF on an S50 acting as an inter-area router running VLAN routing


192.150.3.1


192.150.4.1

Layer 3 Switch


VLAN 20

VLAN 10

Router Port 0/5192.150.5.1

Router


1. As above, create the VLANs and enable VLAN routing.

2. As done previously, run the show ip vlan command.


4. Configure the IP addresses and subnet masks for the virtual router ports.

5. Specify the router ID and enable OSPF for the switch.

(Force10 s50)#config(Force10 s50) (Config)#vlan database(Force10 s50) (VLAN)#vlan 10(Force10 s50) (VLAN)#vlan 20(Force10 s50) (VLAN)#exit(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#vlan participation include 10(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#vlan participation include 20(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#vlan port tagging all 10(Force10 s50) (Config)#vlan port tagging all 20(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#vlan pvid 10(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#vlan pvid 20(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#vlan database(Force10 s50) (VLAN)#vlan routing 10(Force10 s50) (VLAN)#vlan routing 20(Force10 s50) (VLAN)# exit(Force10 s50) (Config)#exit(Force10 s50)#


(Force10 s50)#config(Force10 s50) (Config)#interface 3/1(Force10 s50) (Interface 3/1)#ip address 192.150.3.1 255.255.255.0(Force10 s50) (Interface 3/1)#exit(Force10 s50) (Config)#interface 3/2(Force10 s50) (Interface 3/2)#ip address 192.150.4.1 255.255.255.0(Force10 s50) (Interface 3/2)#exit(Force10 s50) (Config)#exit(Force10 s50)#

(Force10 s50)#config(Force10 s50) (Config)#router ospf(Force10 s50) (Config router)#router-id 192.150.9.9(Force10 s50) (Config router)#enable(Force10 s50) (Config router)#exit(Force10 s50) (Config)#exit(Force10 s50)#

170 Layer 3 Routing

6. Enable OSPF for the VLAN and physical router ports.

7. Set the OSPF priority and cost for the VLAN and physical router ports.

Link AggregationLink Aggregation (LAG) allows multiple physical links between two end-points to be treated as a single logical link. All of the physical links in a given LAG must operate in full-duplex mode at the same speed.

Link Aggregation is often used to directly connect two switches when the traffic between them requires high bandwidth and reliability, or to provide a higher bandwidth connection to a public network. LAG can offer the following benefits:

• Increased reliability and availability — if one of the physical links in the LAG goes down, traffic will be dynamically and transparently reassigned to one of the other physical links

• Better use of physical resources — traffic can be load-balanced across the physical links• Increased bandwidth — the aggregated physical links deliver higher bandwidth than each individual

link. • Incremental increase in bandwidth — LAG may be used when a physical upgrade would produce a

10-times increase in bandwidth, but only a two- or five-times increase is required.

A LAG will be treated by management functions as if it were a single physical port. It may be included in a VLAN. More than one LAG may be configured for a given switch.

(Force10 s50)#config(Force10 s50) (Config)#interface 3/1(Force10 s50) (Interface 3/1)#ip ospf areaid 0.0.0.2(Force10 s50) (Interface 3/1)#ip ospf(Force10 s50) (Interface 3/1)#exit(Force10 s50) (Config)#interface 3/2(Force10 s50) (Interface 3/2)#ip ospf areaid 0.0.0.3(Force10 s50) (Interface 3/2)#ip ospf(Force10 s50) (Interface 3/2)#exit(Force10 s50)(Config)#

(Force10 s50) (Config)#interface 3/1(Force10 s50) (Interface 3/1)#ip ospf priority 128(Force10 s50) (Interface 3/1)#ip ospf cost 32(Force10 s50) (Interface 3/1)#exit(Force10 s50) (Config)#interface 3/2(Force10 s50) (Interface 3/2)#ip ospf priority 255(Force10 s50) (Interface 3/2)#ip ospf cost 64(Force10 s50) (Interface 3/2)#exit(Force10 s50)(Config)#exit(Force10 s50)#exit


Link Aggregation Configuration Example

This section provides an example of configuring the S-Series to support Link Aggregation (LAG) to a server and to a Layer 2 switch.

Figure 86 LAG example network diagram

1. Create two LAGs.

2. Run the show port-channel command. This command will return the logical interface ids that will be used to identify the LAGs in subsequent commands. Assume that lag_10 is assigned ID 1/1 and lag_20 is assigned ID 1/2.

Subnet3

Port 0/8LAG_20

Layer 2 Switch

Port 0/9LAG_20

Server

Port 0/2LAG_10

Port 0/3LAG_10

Layer 3 Switch

Subnet 3Subnet 2

(Force10 s50)#config(Force10 s50) (Config)#port-channel lag_10(Force10 s50) (Config)#port-channel lag_20

172 Layer 3 Routing

3. Add the ports to the appropriate LAG.

4. Enable both LAGs. Link trap notification will be enabled by default.

5. At this point the LAGs could be added to VLANs.

(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#addport 1/1(Force10 s50) (Interface 0/2)#exit(Force10 s50) (Config)#interface 0/3(Force10 s50) (Interface 0/3)#addport 1/1(Force10 s50) (Interface 0/3)#exit(Force10 s50) (Config)#interface 0/8(Force10 s50) (Interface 0/8)#addport 1/2(Force10 s50) (Interface 0/8)#exit(Force10 s50) (Config)#interface 0/9(Force10 s50) (Interface 0/9)#addport 1/2(Force10 s50) (Interface 0/9)#exit

(Force10 s50) (Config)#port-channel adminmode all(Force10 s50) (Config)#exit


Virtual Router Redundancy ProtocolWhen an end station is statically configured with the address of the router that will handle its routed traffic, a single point of failure is introduced into the network. If the router goes down, the end station is unable to communicate. Since static configuration is a convenient way to assign router addresses, Virtual Router Redundancy Protocol (VRRP) was developed to provide a backup mechanism.

VRRP eliminates the single point of failure associated with static default routes by enabling a backup router to take over from a “master” router without affecting the end stations using the route. The end stations will use a “virtual” IP address that will be recognized by the backup router if the master router fails. Participating routers use an election protocol to determine which router is the master router at any given time. A given port may appear as more than one virtual router to the network. Also, more than one port on the S-Series router may be configured as a virtual router. Either a physical port or a routed VLAN may participate.

The following example shows how to configure an S-Series router to support VRRP. Router 1 will be the default master router for the virtual route, and Router 2 will be the backup router.

Figure 87 VRRP example network configuration

Port 0/2192.150.2.1

Virtual Router ID 20Virtual Addr. 192.150.2.1

Port 0/4192.150.4.1

Virtual Router ID 20Virtual Addr. 192.150.2.1

Hosts

Layer 3 Switch actingas Router 1

Layer 2 Switch

Layer 3 Switch actingas Router 2

174 Layer 3 Routing

Configuring VRRP: Master Router (Router 1)1. Enable routing for the switch. IP forwarding will then be enabled by default.

2. Configure the IP addresses and subnet masks for the port that will participate in the protocol.

3. Enable VRRP for the switch.

4. Assign virtual router IDs to the port that will participate in the protocol.

5. Specify the IP address that the virtual router function will recognize. Note that the virtual IP address on port 0.2 is the same as the port’s actual IP address, therefore this router will always be the VRRP master when it is active. And the priority default is 255.

6. Enable VRRP on the port.

(Force10 s50) # config(Force10 s50) (Config)#ip routing(Force10 s50) (Config)#exit

(Force10 s50) #config(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#routing(Force10 s50) (Interface 0/2)#ip address 192.150.2.1 255.255.255.0(Force10 s50) (Interface 0/2)#exit

(Force10 s50) (Config)#ip vrrp(Force10 s50) (Config)#exit

(Force10 s50) #config(Force10 s50) (Config)#interface 0/2(Force10 s50) (Interface 0/2)#ip vrrp(Force10 s50) (Interface 0/2)#exit

(Force10 s50) (Config)#ip vrrp 20 ip 192.150.2.1

(Force10 s50) (Config)#ip vrrp 20 mode(Force10 s50) (Config)#exit


Configuring VRRP: Backup Router (Router 2)1. Enable routing for the switch. IP forwarding will then be enabled by default.

2. Configure the IP addresses and subnet masks for the port that will participate in the protocol.

3. Enable VRRP for the switch.

4. Assign virtual router IDs to the port that will participate in the protocol.

5. Specify the IP address that the virtual router function will recognize. Since the virtual IP address on port 0/4 is the same as Router 1’s port 0/2 actual IP address, this router will always be the VRRP backup when Router 1 is active.

6. Set the priority for the port. The default priority is 100.

7. Enable VRRP on the port.

(Force10 s50) #config(Force10 s50) (Config)#ip routing (Force10 s50) (Config)#exit

(Force10 s50) #config(Force10 s50) (Config)#interface 0/4(Force10 s50) (Interface 0/4)#routing(Force10 s50) (Interface 0/4)#ip address 192.150.4.1 255.255.255.0(Force10 s50) (Interface 0/4)#exit

(Force10 s50) (Config)#ip vrrp 20(Force10 s50) (Config)#exit

(Force10 s50) #config(Force10 s50) (Config)#interface 0/4(Force10 s50) (Interface 0/4)#ip vrrp 20

(Force10 s50) (Interface 0/4)#ip vrrp 20 ip 192.150.2.1

(Force10 s50) (Interface 0/4)#ip vrrp 20 priority 254

(Force10 s50) (Interface 0/4)#ip vrrp 20 mode(Force10 s50) (Interface 0/4)#exit

176 Layer 3 Routing

Index

Symbols{deny|permit} 94

Numerics1583compatibility 159, 161

AAccess Control Lists (ACLs) 93access-list 96ACL 93ACL Commands 94Adding a Port-channel to a VLAN 91addport 173Applying Policies 106archive copy-sw 53archive download-sw 53audience 9authentication methods 59autonomous system (AS) 157

Bborder router 157, 160bridge 162

CChanging the Management VLAN from Default VLAN 144Checking Interface Counters Per Port 45Class 102class-map 40class-map match-all 40clear config command 41Clearing the Running Configuration 26Clearing/resetting, VLAN 127CLI Overview 24Configuration Example, GVRP 137Configuring a Port Channel 88Configuring an Interface with an IP Address 32Configuring from the Network 34Configuring LAG 88Connecting a Cable to the Console Port 18copy command 38copy nvram 38copy tftp 62Creating a Policy-Map 105Creating a User and Password 25Creating the Management Port IP 43

Ddefinitions of unit, slot, port 30Deleting Configuration File to Access System 29deny permit, QoS 94Deploying DiffServ 103Differentiated Services (DiffServ) 101, 102Differentiated Services Code Point (DSCP) 101Differentiated Services for Voice over IP 118DiffServ, managing 108Displaying Logs 35Displaying Statistics 36Displaying Supported Features 27Displaying System Uptime 27Document conventions 10documents, related 9dot3adTablesLastChanged 86Downloading Files 20DSA 62DSCP 101, 119

EEgress Rules, VLAN 123Enable routing 175Enabling and Verifying, GVRP 137Enabling Differentiated Services 107Enabling IGMP Snooping 147Enabling Secure Management with SSH or SSL 61Enabling Traps 36encapsulation, link-level 155end station 162Exempt Frames, VLAN 123exit 155expedited forwarding (EF) 119External Type 1 157External Type 2 157

Fflags, trap 36Forceversion Command 68Forwarding Rules, VLAN 123Forwarding, Aging, and Learning 67

GGARP 134GARP CLI Management 135GARP Multicast Registration Protocol (GMRP) 134GARP Properties, GARP 136GARP VLAN Registration Protocol (GVRP) 134


generate-keys.sh 62generate-pem.sh 62generating SSL certificates 62Global Config Mode 36Global Config Mode Commands, GARP 135GVRP 134

HHierarchical management 157HTTPS 61

IIEEE 802.1Q tag 162IEEE 802.1Q VLANs 121Ingress Filtering, VLAN 126Ingress Rules 122Inter-area 157inter-area router 157, 158interface 155, 156, 161, 163, 165, 166, 168, 170, 171, 173, 175Interface Config Mode Commands, GARP 135Intra-area 157inventory 53, 97ip access-group 96, 97ip address 155, 156, 161, 166, 168, 175ip dvmrp trapflags 36IP forwarding 154ip http secure-server command 64ip ospf 159, 161ip ospf areaid 159, 161ip ospf cost 159, 161ip ospf priority 159, 161ip pim-trapflags 36ip rip 157ip routing 154, 156, 160, 175ip ssh command 63ip vrrp 175, 176

LLAG Configuration CLI Management 87LAG Implementation 85Layer 2 header 162Layer 3 Routing 153Link Aggregation (LAG) 88, 171Link Aggregation CLI Management 86Link Aggregation MIB Support 86Link Aggregation—IEEE 802.3 85Link trap notification 173logical segments 162

MMAC Access Control List (ACL) 94

mac access-group 94mac access-list extended 94mac access-list extended rename 94MAC Addresses 91MAC DA 164MAC Destination Address (DA) 164Management Preference and MAC Address 46Management Preferences 46Management Unit Selection Algorithm 52maximum transmission unit (MTU) 155member 53modes, Global Config 36modes, Privileged Exec 36modes, Router OSPF Config 36monitor session 1 152monitor session mode 149monitor session source 149Monitoring DiffServ 108Monitoring IGMP Snooping 147movemanagement 53MSTP Configuration Example 81Multiple Spanning-Tree Protocol 78

Nno monitor session 151no monitor session mode 149

Oobjectives 9Open Shortest Path First (OSPF) 157OpenSSH URL 62OpenSSL URL 62OSPF 158, 170OSPF priority 171ospf priority command 159

Ppartitions 162physical port 164Policy 102port 162Port defined 30Port Mirroring Configuration 151Port Naming Convention 30port routing 154Port Routing Configuration 153port-security 152Privileged Exec Mode 36pvid 164, 166, 168

QQuality of Service (QoS) 101

178 Index

RRADIUS 59Read/Write Access Using SNMP V3 29Related Documents 9RFC 1058 155RFC 1723 155RIPv1 155RIPv2 155router ospf 159, 161Router OSPF Config Mode 36router rip 156, 168router-id 159, 161routing 155, 156, 161, 175routing domain 157Routing Information Protocol (RIP) 155RSA1 62RSA2 62

SS50 and E-Series Differences 129Saving the Startup Config to the Network 33script apply command 40script delete command 38script list command 41script show scriptname.scr 37Secure SHell (SSH) 59, 61Secure Sockets Layer (SSL) 61Service 102service-policy 106Setting Network Parms 30Setting the Enable Password 26Setting the Hostname 26Setting the VLAN ID 126Setting Up a Management VLAN 33shell script, generate-keys.sh 62shell script, generate-pem.sh 62show commands

show inventory 53, 97show igmp interface 148show igmpsnooping 147, 148show igmpsnooping interface 148show interface 36show interface ethernet 36show interface ethernet switchport 36show interface switchport 36show ip access-lists 97show ip http command 64show ip ssh command 63show ip vlan 164, 166show logging buffered command 63show mac access-list 95show mac access-lists 95show monitor 151

show monitor session 1 150show port 150show port all 150show port-channel command 172show running-config 37show supported switchtype 53show switch 53show trapflags 36show vlan port 151Showing Created Users 25Showing Network Settings 31Slot defined 30snmp-server enable traps 36snmp-server enable traps linkmode 36snmp-server enable traps multiusers 36snmp-server enable traps stpmode 36Spanning Tree Protocol (IEEE 802.1d) 68S-Series 157SSH keys 61SSL certificates 61stack 53Stackability Commands 53Stackability Features 51Static LAG CLI Management 87Static LAGs 86subnets 154switch inventory 53, 97switch priority 53switch renumber 53Switching Features 67

TTACACS Server Host Configuration Options 61TACACS+

Choosing TACACS+ as an Authentication Method59

deleting a server host 61Tagged Ports 128TFTP 61Transferring Files 35Trap Management 35trapflags 36

UUnit defined 30Unit Number Assignment 52Unsetting Management Preference 46Upgrading the Software Image 21Uploading Files 20user authentication methods 59Using the “show class-map” Command 108Using the “show diffserv” Command 114Using the “show policy-map” Command 109


Using the “show service-policy” Command 112

VVerifying Management Port Connectivity 44Verifying Management Port Network 44Verifying Switch Numbers and OS Version 28Viewing Software Version 20Viewing VLANs 125Virtual LAN (VLAN) 162virtual router ports 170Virtual Router Redundancy Protocol (VRRP) 174vlan 163, 168vlan acceptframe 163VLAN CLI Management 123VLAN Configuration Examples 124VLAN Configuration, Showing 129vlan database 163, 165, 166, 168VLAN Database Mode Commands 123

VLAN interface ID 164vlan participation 163vlan participation include 163, 165, 168VLAN Participation, Configuring 126vlan port tagging 163, 165, 168vlan pvid 164, 166, 168VLAN router port 164vlan routing 166, 168VLAN routing, enable 168VLAN switch 162VLANs Implementation 122VLAN-stack commands 145VoIP support 118VRRP 174

Zzip file, SSH and SSL 62

180 Index