Contents
Service and Support Overview
Hardware Overview
Operations
Layer 2 Switching
VLAN - Virtual LANs
VCStacking - Virtual Chassis Stacking
Link Aggregation
Spanning-Tree / Rapid Spanning-Tree
EPSR - Ethernet Protection Switched Rings
IP Routing / Layer 3 Switching
RIP Routing
ACL
Queue Weighting and QoS
Event logging / troubleshooting
Introduction
CAP/ENT
Course Objectives
This 3-day technical training course gives the core knowledge needed to work with Allied Telesis products running the AlliedWare Plus operating system. Course participants should have a good knowledge of networking fundamentals before attending. Students are encouraged to take the online pre-test course to confirm that they have the required prerequisites.
Course Objectives
Upon completion of this course, attendees will be able to:
Demonstrate a good basic knowledge of the command structure and operation of products based on AlliedWare Plus, which are standards based
Apply an equivalent background understanding of the standards-based CLI
Create and troubleshoot configurations for Layer 3 devices running AlliedWare Plus
Modify an existing configuration to enhance network performance or to provide new or improved services on AlliedWare Plus devices
Modules List
Service and Support Overview
Hardware Overview
Operations
Layer 2 Switching
VLAN
Stacking
Link Aggregation
Spanning-Tree / Rapid Spanning-Tree
EPSR
IP Routing / Layer 3 Switching
RIP
ACL
QoS
Event logging / troubleshooting
Agenda
Day 1
Service and Support Overview
Hardware Overview
Operations
Layer 2 Switching
VLAN
Lab sessions spread throughout the day
Day 2
Virtual Chassis Stacking
Link Aggregation
Spanning Tree
EPSR
IP Routing / Layer 3 Switching
Lab sessions spread throughout the day
Day 3
RIP
ACL
QoS
Event logging
Final Exam
Lab sessions spread throughout the day
Before Starting
Breaks and lunch schedule
Rest rooms
Emergency exit(s) and procedures
Fill in the forms in the course material
Services EMEA
2010 / 2011
Network Diagnostic
Netcover_Europe@alliedtelesis.com
Support escalation (figure): a Question/Problem is escalated through the support levels; Level 3 drives Engineering for a solution.
Net.Cover Service
Allied Telesis Net.Cover Basic
Includes:
Global access to the Allied Telesis Technical Assistance Center (TAC) by phone, e-mail and web, 8 hours x 5 days a week, all year
Full access to the knowledgebase on the web portal
Prioritized incident handling with 2 severity levels
Replacement of faulty products as Repair & Return with a 30 calendar day turnaround, the same as under warranty
New major firmware releases provided for units as upgrades (to enhance the feature set)
Net.Cover Service
Allied Telesis Net.Cover Basic Plus
Includes:
Global access to the Allied Telesis Technical Assistance Center (TAC) by phone, e-mail and web, 8 hours x 5 days a week, all year
Full access to the knowledgebase on the web portal
Prioritized incident handling with 2 severity levels
Replacement of faulty products as advance replacement, with same-day shipping from the central warehouse
New major firmware releases provided for units as upgrades (to enhance the feature set)
Net.Cover Service
Allied Telesis Net.Cover Silver
(Please check the availability of NC Silver with Allied Telesis in your region!)
Includes, in addition:
Highest priority incident handling by system experts for all levels of support
Onsite support by a field engineer next business day, with a spare part
Onsite installation of the replacement by a system expert, including setting up the customer-provided configuration
Health check of the replacement unit to ensure a fully operational network again
The onsite engineer takes the faulty unit back to Allied Telesis
Net.Cover Service
Allied Telesis Net.Cover Gold
(Please check the availability of NC Gold with Allied Telesis in your region!)
Includes, in addition:
Onsite support by a field engineer, not only next business day but within 4 hours during business hours
For example: a failure raised to Allied Telesis at 10 a.m. will be fixed no later than 2 p.m. by the onsite engineer
Net.Cover Service
Allied Telesis Net.Cover Platinum
(Please check the availability of NC Platinum with Allied Telesis in your region!)
Includes, in addition:
Onsite support by an engineer within 4 hours, 365 days a year, with a spare part to fix your failed device
The right solution for all highly demanding networks that require 24 x 7 x 365 access
Net.Cover Service
Contracts
The Net.Cover Service contract is purchased just like a product, from your reseller or distributor. The following applies to Net.Cover contracts whether they have been purchased as a bundle or as single products:
The Net.Cover contract only becomes effective after it has been registered. Until registration, the standard guarantee conditions remain in place.
A product can be registered by the end user or by the partner. However, an RMA or Net.Cover request can only be raised by the contact entered at registration.
Net.Cover Service
Registration of Net.Cover Contracts
To register your Net.Cover contract in EMEA please go to http://www.alliedtelesis.co.uk/support/netcover/register
Net.Cover Service
Registration of Net.Cover Contracts
You have several products to register and registration on the web is too slow? Then use this option. Send an email to: Europe_Netcover@alliedtelesyn.com
Necessary information:
Net.Cover contract number, if not bundled
Company with service: name and address
Contact details: name, telephone number and email
Location where the product is installed, if different
Reseller information: name and address
Hardware Overview
Media Converters
Switches
Routers
iMAP
Wireless
SNMP
Solutions
Services
ToIP, Enterprise, Banks, Data, MAN, Video surveillance, Education, Television over IP, Defense, Hospitality, SMB, Security, ...
Connectivity
Network Interface Cards
Copper: Fast Ethernet, Gigabit; desktop and laptop options
Fiber: Fast Ethernet, Gigabit; desktop and laptop options
Media Conversion
Non-managed: single channel, multiple channels, VDSL conversion
Manageable: single channel, multiple channels
Switching
Small Business
Fast Ethernet and Gigabit
Broad choice of non-managed or Websmart switches
Enterprise/Convergent Networks
Stackable, chassis, scalability
Fast Ethernet, Gigabit, 10 Gigabit
Advanced services: routing, high availability, QoS, security features
Routers
SoHo, SMB and Central Office
AR400 and AR700 Series
Built-in switch
WAN slot (PIC)
VPN / firewall
Advanced QoS
Gigabit routing (AR770S)
ISP
Multiple-services chassis-based solution
Available in 3, 7 or 17 slot configurations
xDSL (ADSL, VDSL2, SDSL), Ethernet, GbE, 10GbE, E1
Created and optimized for IP converged networks
Target environments: hotels, hospitality, MAN, campus
Wireless Solutions
Point To Point / Multipoint, Access Point / Access Point Concentrator
AT-WR4541, AT-WR4562: bridged or routed P2P link, bridged or routed multipoint links, mesh networks, Access Point features, Hot Spot features
Extricom Series: wireless clients with no roaming, concentrator + ultra-light radios, 4th generation, across sites, floors and buildings
Global Solution
AlliedView NMS: monitoring, management, reporting, inventory, upgrades and configuration provisioning
Extricom Management (EXNM-2000): provisioning, monitoring, management
AlliedView UM (EoL)
Operations
Initial connection
Console cable (figure): DB9 on the terminal side to RJ45 on the switch console port.
Terminal settings for the console port:
Baud rate: 9600 bits/sec
8 data bits
Parity: none
1 stop bit
Flow control: none
By default the AlliedWare Plus OS supports VT100-compatible terminals on the console port. This means that the terminal size is 80 columns by 24 rows.
Start-up
Start-up: bootloader
The Bootloader menu:
Boot Menu:
0. Restart
------------------------------------------------------
1. Perform one-off boot from alternate source
2. Change the default
3. Update Bootloader
4. Adjust the console baud rate
5. Special boot options
6. System information
7. Restore Bootloader factory settings
------------------------------------------------------
9. Quit and continue booting
Enter selection ==>
Start-up: bootloader
1. Perform one-off boot from alternate source
This option boots the system (loading the AlliedWare Plus software) from one of several sources:
Flash
SD Card
TFTP
YMODEM
This gives several options for updating and debugging equipment. When the equipment has started up from an alternative source, after login there is an automatic option to copy the booted software version to Flash memory and to select it as the default boot version.
2. Change the default
One of the same four sources can be selected as the default boot source. The only recommended method is FLASH (selected by default). Note that anyone with physical access to the console port can interrupt the boot and load software from an alternate source, so console access should be physically protected.
Start-up: bootloader
3. Update Bootloader
Allows the equipment bootloader to be updated (if requested by technical support).
4. Adjust the console baud rate
For altering the baud rate of the console port.
6. System information
For displaying system information on the hardware: CPU, memory, MAC address, etc.
7. Restore Bootloader factory settings
For reconfiguring the bootloader as a whole with its factory settings.
Start-up: stages
The switch starts up in this sequence:
Loading the bootloader
A brief pause to give the user the option to press Ctrl+B to access the Bootloader menu
Start-up status messages:
[ OK ] : the module is correctly loaded
[ INFO ] : an error that doesn't affect the operation
[ ERROR ] : an error that affects the operation of the module
Default parameters
Passwords are encrypted.
Logging is activated.
Support for jumbo frames is activated on all ports.
Telnet access is activated. (Telnet is a cleartext protocol: credentials and commands sent over it can be read on the network, so it should be disabled once a secure management channel is in place.)
Rapid Spanning Tree (RSTP) is activated (ports are not in Portfast mode).
All ports are untagged in VLAN 1.
All RJ45 ports support auto-negotiation and auto MDI/X.
Command modes (figure): user mode, privilege mode, configuration mode and other sub-modes; exit returns to the previous mode.
User mode
In this mode, the user has access to a restricted set of commands that do not affect the operation of the switch but are used to perform some diagnostic tests. The prompt appears on screen as follows:
awplus>
Privilege mode
In this mode, all system commands are accessible, including file system management, protocol function display, ping, traceroute, telnet etc. Enter the command "enable" from user mode to activate this mode. Use "disable" to quit it. The prompt appears on screen as follows:
awplus#
Configuration mode
This mode gives access to all configuration commands for the equipment. Enter the command "configure terminal" from privilege mode to activate this mode. Use "end" to quit it. The prompt appears on screen as follows:
awplus(config)#
Privilege mode commands can be executed from this mode by prefixing them with "do".
Command completion: typing sh + <TAB> completes to show.
The management IP address is set either on the "Out of Band" administration Ethernet port, eth0 (only available on the x900 series/AT-SBx908), or on a VLAN for "In Band" administration (VLAN1 is the default):
awplus> enable
awplus# configure terminal
awplus(config)# interface vlan1 (or eth0)
awplus(config-if)# ip address <address/mask>
awplus(config-if)# end
awplus# show ip interface
Interface   IP-Address   Status     Protocol
vlan1       x.x.x.x      admin up   down
Basic Operations
Creation/Modification:
Only users with privilege 15 have access to privilege and configuration modes. The "no" form of the command removes a user:
awplus(config)# no username <name>
The graphical interface file (.jar file) has to be present in the equipment's Flash memory.
Show connected users:
awplus# show users
Line    User      Host(s)   Idle   Location   Priv   Idletime   Timeout
con 0   manager   idle                        15     10         N/A
vty 0   guiuser   idle                        15     10         N/A
Running-configuration management
Show the running configuration (from memory). You have to be in privilege mode:
awplus> enable
Startup-configuration management
Show the start-up configuration (from flash). You have to be in privilege mode:
awplus> enable
Save the configuration (privilege mode) to the default start-up file (the copy running-config startup-config command shown under the boot settings below). The start-up configuration is stored in flash memory, by default in the file default.cfg, which carries the alias startup-config. The configuration can also be saved to another file.
Startup-configuration management
Show the boot settings (privilege mode). The default alias startup-config is associated with the default.cfg file:
awplus# show boot
Boot configuration
----------------------------------------------------
Current software    : r1-5.3.4-0.5.rel
Current boot image  : flash:/r1-5.3.4-0.5.rel
Backup boot image   : Not set
Default boot config : flash:/default.cfg
Current boot config : flash:/default.cfg (file exists)
Startup-configuration management
Changing the boot startup script (configuration mode). The file associated with the alias startup-config can be changed via:
awplus(config)# boot config-file test.cfg
awplus(config)# end
awplus# show boot
Boot configuration
----------------------------------------------------
Current software    : r1-5.3.4-0.5.rel
Current boot image  : flash:/r1-5.3.4-0.5.rel
Backup boot image   : Not set
Default boot config : flash:/default.cfg
Current boot config : flash:/test.cfg (file exists)
From then on, the command:
awplus# copy running-config startup-config
will save to the file test.cfg.
Startup-configuration management
Restore the factory configuration
Reset the startup-config alias to its default value default.cfg (configuration mode):
awplus(config)# no boot config-file
awplus(config)# do sh boot
Remove the start-up file (privilege mode):
awplus# erase startup-config
Reboot (privilege mode):
awplus# reload
awplus# reboot
awplus# show system environment
awplus# show system serialnumber
awplus# show system pluggable
Apply a banner:
awplus(config)# banner motd Welcome to Main Distributor
Set the default banner:
awplus(config)# banner motd default
Remove the banner:
awplus(config)# no banner motd
The default banner has the form: AlliedWare Plus (TM) 5.3.4 10/29/10 12:44:12
Configuration of NTP:
Summer time (daylight saving), with the offset in minutes as the last parameter:
awplus(config)# clock summer-time ZONENAME recurring START-WEEK START-DAY START-MONTH START-TIME END-WEEK END-DAY END-MONTH END-TIME <1-180>
Example: from the last (5th) Sunday in March at 02:00 to the last Sunday in October at 03:00, offset 60 minutes:
awplus(config)# clock summer-time <timezone name> recurring 5 Sun Mar 02:00 5 Sun Oct 03:00 60
Managing files
Copy the release file and set the copy as the backup boot image:
awplus# copy r1-5.3.4-0.5.rel r1-5.3.4-0.5.back.rel
awplus# configure terminal
awplus(config)# boot backup r1-5.3.4-0.5.back.rel
awplus(config)# do show boot
Port management
Disabling switch ports:
The port is not available for packet reception and transmission
It will not send or receive any frames
Incoming STP BPDU packets are discarded
The administrative status in the Interfaces MIB is DOWN
Speed/duplex mismatch (figure): one end actually running at 100M HALF duplex while the other runs at 100M FULL duplex results in COLLISIONS.
To force the port to MDI mode, use the no form of the command:
awplus(config)# interface port1.0.1
awplus(config-if)# no mdix
Example interface display for port1.0.1:
Interface port1.0.1
  Scope: both
  Link is UP, administrative state is UP
  Hardware is Ethernet, address is 0000.cd24.daeb (bia 0000.cd24.daeb)
  VRRP Master of : VRRP is not configured on this interface.
  index 5001 metric 1 mtu 1500
  duplex-full speed 1000 polarity auto
  <UP,BROADCAST,RUNNING,MULTICAST>
  VRF Binding: Not bound
  Bandwidth 1g
  input packets 2396, bytes 324820, dropped 0, multicast packets 2370
  output packets 73235, bytes 4906566, multicast packets 73218 broadcast packets 7
AlliedWare Plus Feature Licensing
Licensing Overview
Products ship with the base software release enabled for use.
The licensing system is only for additional feature licenses. For example, the Advanced Layer 3 feature bundle includes:
BGP
OSPF
PIM
VLAN Double Tagging
Feature licenses are obtained from an authorized distributor or reseller. If a license key expires or a proper key is not installed, some software features will not be available.
<key> <index-number>
Web management
The following slides describe how to install, configure and use the Graphical User Interface (GUI) on switches running the AlliedWare Plus OS.
Set a default route and copy the GUI file to Flash:
awplus(config-if)# exit
awplus(config)# ip route 0.0.0.0/0 <gateway address>
awplus# copy tftp://<server-address>/<filename.jar> flash:/
L2 Switching
L2 Switching Basics
There are specific types of addresses that are essential for some of the higher layer protocols:
Multicast address: a multi-destination address; a packet sent to it is forwarded to multiple nodes
Broadcast address: a single, special multicast address (all ones) intended for all nodes
Forwarding Database
When a switch is first powered up, its FDB is, of course, empty. The switch cannot know in advance all the MAC addresses in use in the network, nor which VLANs those MAC addresses reside in, so it needs to learn all the MAC address/VLAN combinations as packets start to flow through it. In essence, this learning process is very simple. If the switch sees a packet arrive on VLAN X on port Y with source MAC A, it concludes: the host with MAC address A can be reached on VLAN X via port Y, and stores that information in the FDB. The exception to this is when learning is disabled using port security.
Figure: MAC learning with ARP. PC A (MAC 00-0A, IP 1.10) on port 1 broadcasts an ARP request for 1.11; PC B (MAC 00-0B, IP 1.11) on port 20 replies. The L2 switch MAC table now holds 00-0A on port 1 and 00-0B on port 20, so the following data packets (D.MAC 00-0B, S.MAC 00-0A, D.IP 1.11, S.IP 1.10) are forwarded to port 20 only.
Storm Control
Introduction
The device can measure the rate of incoming broadcast frames on each port separately, and discard frames when the rate exceeds a user-set threshold. The storm control feature is enabled/disabled separately for each port. It can be applied separately to broadcast, multicast or DLF (Destination Lookup Failure) traffic. The desired rate threshold is applied separately to each port, and is set as a percentage of the port's bandwidth.
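As an added example (not part of the course material), the following Python model shows how a per-port storm-control meter of the kind described above behaves: the threshold is a percentage of the port bandwidth, converted to bytes per second, and frames of the selected kinds (broadcast, multicast or DLF) that would push the admitted volume over that rate within a one-second window are discarded while other traffic passes untouched. Class and function names are hypothetical and the traffic at the bottom is constructed.

```python
"""Storm-control rate meter for one port (added example, hypothetical names)."""
from collections import deque


class StormControl:
    """Storm control is enabled and configured separately on each port."""

    def __init__(self, port_speed_bps, percent, kinds=("broadcast",)):
        # Threshold as a percentage of the port bandwidth, kept in bytes/second.
        self.limit_bytes = port_speed_bps * percent / 100 / 8
        self.kinds = set(kinds)          # broadcast, multicast and/or dlf
        self.window = deque()            # (arrival time, size) of admitted frames
        self.admitted = 0                # metered frames forwarded
        self.discarded = 0               # metered frames dropped

    def admit(self, now, size, kind):
        """Return True if the frame is forwarded, False if storm control drops it."""
        if kind not in self.kinds:       # unicast etc. is never metered here
            return True
        # Forget admitted frames older than one second (sliding window).
        while self.window and now - self.window[0][0] >= 1.0:
            self.window.popleft()
        used = sum(size_ for _, size_ in self.window)
        if used + size > self.limit_bytes:
            self.discarded += 1
            return False
        self.window.append((now, size))
        self.admitted += 1
        return True


def run_sample(port_speed_bps=100_000_000, percent=1.0):
    """Constructed traffic: 2000 broadcast frames of 100 bytes in half a second
    (a 3.2 Mbit/s burst), then one unicast frame.  Returns
    (admitted, discarded, unicast_forwarded)."""
    meter = StormControl(port_speed_bps, percent, kinds=("broadcast", "dlf"))
    for i in range(2000):
        meter.admit(i * 0.00025, 100, "broadcast")
    unicast_ok = meter.admit(0.6, 1500, "unicast")
    return meter.admitted, meter.discarded, unicast_ok


if __name__ == "__main__":
    print("100M port, 1%%: admitted/discarded/unicast = %s" % (run_sample(),))
    print("1G port, 0.5%%: admitted/discarded/unicast = %s" % (run_sample(1_000_000_000, 0.5),))
```

On a 100 Mbit/s port a 1% threshold allows 125,000 bytes per second, so only the first 1250 frames of the burst are admitted; the same burst on a 1 Gbit/s port at 0.5% passes entirely. The percentage therefore means different absolute rates on ports of different speeds, which is worth keeping in mind when the same threshold is applied to Fast Ethernet and Gigabit ports.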
Port Mirroring
Overview
This feature allows traffic flowing through a switch port to be sent to another switch port (the mirror port)
It can be used to capture data with a protocol analyzer
Either traffic received on a port, traffic transmitted on a port, or both can be mirrored
Port Mirroring
Overview
One mirror port for traffic monitoring is supported system-wide (tx and rx).
The user can choose whether to mirror only Rx traffic, only Tx traffic, or both.
It is often possible to specify several ports to be monitored by a single target port. In that case, however, any traffic exceeding the mirror port's capacity is silently discarded (and the user will not know which packets were discarded).
Port mirroring is only relevant to physical ports.
Example Configuration
Before a port can be set as the mirror port, it must be removed from all VLANs except the default VLAN. The mirror port cannot be part of an aggregated link, and a mirror port will not participate in any switching.
Configuration: mirroring source ports 2 & 4 to the outgoing (capture) port 23, which is connected to the analyzer:
awplus(config)# interface port1.0.23
End mirror:
Display mirror:
Example Configuration
awplus# show mirror interface port1.0.2
Mirror Test Port Name: port1.0.23
Mirror option: Enabled
Mirror direction: both
Monitored Port Name: port1.0.2
Layer 2 Filtering
Configuration
To insert a static lookup entry, simply use:
awplus# config terminal
awplus(config)# mac address-table static 2222.2222.2222 forward interface port1.0.4 vlan 1
The static entry may be either forward or discard.
Port Security
Overview
The port security feature allows control over which stations may send data into each switch port, by examining source MAC addresses. Some switches offer a feature that defines a limit on the number of MAC addresses the switch will learn on certain ports. For a given port, once the limit is reached, the switch locks out all other source MAC addresses arriving on that port. Depending on the switch hardware, the number of MAC addresses that can be stored for comparison with the MAC addresses of the attached systems can differ.
When an unknown MAC is detected on a locked port the switch will take one of these actions:
Discard the packet and take no further action
Discard the packet and notify management with an SNMP trap
Discard the packet, notify management with an SNMP trap and disable the port
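The forwarding database learning process from the Forwarding Database section and the port-security lockout just described fit together in one small model. The following Python is an added example, not code from the course or from AlliedWare Plus: a frame arriving on VLAN X, port Y with source MAC A teaches the switch that A is reachable via (X, Y), unknown or group destinations are flooded to the other ports of the VLAN, and on a port with a MAC limit a new source MAC beyond the limit counts as a violation and triggers the configured action (discard, discard and trap, or discard, trap and disable the port). Class and method names are hypothetical and the traffic in run_sample is constructed after the ARP figure (PC A on port 1, PC B on port 20).

```python
"""FDB learning with port-security limits (added example, hypothetical names)."""
from dataclasses import dataclass, field


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class PortSecurity:
    maximum: int               # MAC addresses the port may learn
    action: str = "discard"    # "discard", "trap" or "disable"


@dataclass
class Switch:
    vlan_ports: dict                                  # vlan -> set of member ports
    fdb: dict = field(default_factory=dict)           # (vlan, mac) -> port
    security: dict = field(default_factory=dict)      # port -> PortSecurity
    disabled: set = field(default_factory=set)        # ports shut down by a violation
    traps: list = field(default_factory=list)         # (port, mac) SNMP traps sent
    violations: dict = field(default_factory=dict)    # port -> violation count

    def learned_on(self, port):
        return {mac for (_, mac), p in self.fdb.items() if p == port}

    def learn(self, port, vlan, src):
        """Learn src on (vlan, port); False when port security rejects it."""
        if self.fdb.get((vlan, src)) == port:
            return True                                # already known here
        sec = self.security.get(port)
        if sec is not None:
            known = self.learned_on(port)
            if src not in known and len(known) >= sec.maximum:
                self.violations[port] = self.violations.get(port, 0) + 1
                if sec.action in ("trap", "disable"):
                    self.traps.append((port, src))
                if sec.action == "disable":
                    self.disabled.add(port)
                return False                           # locked: frame discarded
        self.fdb[(vlan, src)] = port                   # learn, or update on a MAC move
        return True

    def receive(self, port, vlan, src, dst):
        """Return the list of ports the frame is forwarded to ([] if discarded)."""
        if port in self.disabled or port not in self.vlan_ports[vlan]:
            return []
        if not self.learn(port, vlan, src):
            return []
        out = self.fdb.get((vlan, dst))
        if out is None or is_group_address(dst):
            return sorted(self.vlan_ports[vlan] - {port})   # flood within the VLAN
        return [] if out == port else [out]


def run_sample():
    """Constructed traffic: PC A (..:0a) on port1.0.1, PC B (..:0b) on port1.0.20,
    all in VLAN 1; port1.0.1 allows one MAC and is disabled on a violation."""
    sw = Switch(vlan_ports={1: {"port1.0.1", "port1.0.2", "port1.0.20"}})
    sw.security["port1.0.1"] = PortSecurity(maximum=1, action="disable")
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    bcast = "ff:ff:ff:ff:ff:ff"
    steps = [
        sw.receive("port1.0.1", 1, a, bcast),   # ARP request from A: flooded
        sw.receive("port1.0.20", 1, b, a),      # reply from B: A is already known
        sw.receive("port1.0.1", 1, a, b),       # data A->B: port1.0.20 only
        sw.receive("port1.0.1", 1, c, b),       # second MAC on the locked port
        sw.receive("port1.0.1", 1, a, b),       # port is now disabled
    ]
    return steps, sw


if __name__ == "__main__":
    for i, out in enumerate(run_sample()[0], 1):
        print("step %d forwarded to %s" % (i, out or "nothing"))
```

The fourth step is the interesting one: the legitimate host A is still allowed, but the second source MAC seen on the locked port is discarded, reported by trap, and with the "disable" action the port itself goes down, so the fifth frame from A is dropped as well. That is the trade-off the three actions express: "discard" alone keeps the port up for the legitimate station, "disable" stops everything on the port until an administrator intervenes.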
Configuration Example
Configure the maximum number of MAC addresses for a port and whether aging is enabled, before a violation occurs:
awplus# config terminal
awplus(config)# interface port1.0.1
awplus(config-if)# switchport port-security aging
awplus(config-if)# switchport port-security max 1
To remove the max parameter and return to no limit on the port:
awplus(config-if)# no switchport port-security max
If you save the running-config to the startup-config, the learned secure addresses behave as static MAC entries after the next reboot.
The port security configuration can be shown as follows:
awplus> show port-security interface port1.0.1
Port Security configuration
------------------------------------------------------------
Security Enabled               : YES
Port Status                    : ENABLED
Violation Mode                 : DISABLE
Aging                          : ON
Maximum MAC Addresses          : 1
Current Learned Addresses      : 1
Lock Status                    : LOCKED
Security Violation Count       : 0
Last Violation Source Address  : 00-15-0c-52-54-ff
Virtual LANs
Figure: a broadcast on a single switch reaches every port; with VLANs configured (VLAN 2: Staff, ports 1-16; VLAN 3: Students, ports 17-32; VLAN 4: Faculty, ports 33-48) a broadcast stays within its own VLAN.
Separate a single physical LAN into multiple Virtual LANs: multiple broadcast domains.
Benefits of VLANs
Increased security
Ports in a VLAN can be configured to have limited access to resources
Switches can be configured to inform a network management station of any unauthorized access to network resources
Restrictions can be placed on hardware addresses, protocols and applications
Flexibility
Users can be added to a workgroup regardless of their location
Capacity
When a VLAN has a large number of users, broadcasts can reduce performance, but it is a simple process to implement further VLANs
Limitations:
Sharing network resources, such as servers and printers, across multiple VLANs can be difficult.
A VLAN that spans several switches requires a port on each switch for the interconnection of the various parts of the VLAN.
Figure: VLAN 2: Staff (ports 1-16), VLAN 3: Students (ports 17-32), VLAN 4: Faculty (ports 33-48); data stays within each VLAN.
Tagging
Tagging is used to make a remote device understand the destination VLAN.
Tagged frame layout (local device to remote device): D/A (6 bytes) | S/A (6 bytes) | 802.1Q tag (4 bytes) | Type (2 bytes) | payload | FCS (4 bytes)
Rules
A port can transmit either untagged packets or VLAN-tagged packets to a VLAN of which it is a member, but not both (because in that VLAN the port is either tagged or untagged, not both)
A port can be tagged for more than one VLAN, so that a single port can be used to uplink several VLANs to another compatible switch
A VLAN can contain a mixture of VLAN-tagged and untagged ports
By assigning a port to two different VLANs, to one as an untagged port and to another as a tagged port, it is possible for the port to transmit both VLAN-tagged and untagged frames
A port can be untagged for zero or one VLAN, and can be tagged for zero or more different VLANs
A port must belong to a VLAN at all times unless the port has been set as the mirror port for the switch
VLAN Awareness
The switch is VLAN aware, in that it can accept VLAN-tagged frames, and it supports the VLAN switching required by such tags
A network can contain a mixture of VLAN-aware devices, for instance other 802.1Q-compatible switches, and VLAN-unaware devices, for instance workstations and legacy switches that do not support VLAN tagging
The switch can be configured to send VLAN-tagged or untagged frames on each port, depending on whether or not the devices connected to the port are VLAN aware
Figure: port 49 tagged for Staff, Students & Faculty (802.1Q-compliant). One port on the switch can be configured as an uplink to another 802.1Q-compatible switch; by using VLAN tagging, this one port can carry traffic from all VLANs on the switch.
Figure: the same switch with a server on port 50, tagged for Staff and Students only.
Figure: the same switch with a router on port 50, tagged for Staff and Students only.
Ingress Rules
The ingress rules for the port check the VLAN tagging in the frame to determine whether it will be discarded or forwarded to the Learning Process.
Acceptable Frames parameter, set to: Admit All Frames (default) or Admit Only VLAN Tagged Frames
If Ingress Filtering is enabled, frames are admitted only if they carry the VID of a VLAN to which the port belongs. Ingress Filtering is enabled by default.
Tagged Link
The uplink port is tagged for VLAN 100 on both devices.
Figure: MAC 0A on port 16 of the local switch sends to MAC 0B on port 25 of the remote switch. The frame (D 0B, S 0A) enters port 16 untagged, leaves port 49 tagged with VLAN 100, is accepted by the remote port 49 (tagged for VLAN 100) and is delivered untagged on port 25.
Wrong configuration
The uplink port is tagged for VLAN 100 on only one device.
Figure: the local port 49 is tagged for VLAN 100, but the remote port 49 is untagged in VLAN 100 (U). The frame (D 0B, S 0A) leaves the local port 49 tagged with VLAN 100; the remote port's ingress rule rejects it (X), so it never reaches port 25.
VLAN Ports
VLAN ports have two mode options:
Access: allows only untagged frames, i.e. a normal untagged port
Trunk: a normal 802.1Q port, where you add the VLANs to the port tagged and then set the native VLAN as the untagged VLAN
Set one mode or the other on the port:
console# configure
console(config)# interface port1.0.1
console(config-if)# switchport mode access
console(config-if)# switchport mode trunk
VLAN Configuration
To create or delete a VLAN
awplus# configure terminal
awplus(config)# vlan database
awplus(config-vlan)# vlan 2 name test1
awplus(config-vlan)# vlan 3
awplus(config-vlan)# vlan 4-6
awplus(config-vlan)# no vlan 5
awplus(config-vlan)# exit
Display the trunked and access VLANs from the previous slide
awplus# sho vlan brief
VLAN ID  Name     Type    State   Member ports (u)-Untagged, (t)-Tagged
=======  =======  ======  ======  ====================================
1        default  STATIC  ACTIVE  port1.0.2(u) port1.0.3(u) port1.0.4(u) port1.0.5(u) port1.0.6(u) port1.0.7(u) port1.0.8(u) port1.0.9(u) port1.0.10(u) port1.0.11(u) port1.0.12(u) port1.0.13(u) port1.0.14(u) port1.0.15(u) port1.0.16(u) port1.0.17(u) port1.0.18(u) port1.0.19(u) port1.0.20(u) port1.0.21(u) port1.0.22(u) port1.0.23(u) port1.0.24(u)
2        my2      STATIC  ACTIVE  port1.0.1(t)
3        my3      STATIC  ACTIVE  port1.0.1(t)
4        my4      STATIC  ACTIVE  port1.0.1(u)
Private VLANs
Overview
A Private VLAN is a VLAN which contains ports that are prevented from communicating with each other at Layer 2. Private VLANs are also known as port-protected VLANs.
Private VLANs
One customer is not able to snoop on the traffic of any other, yet each customer is able to access another network (usually the Internet).
Figure: ports 1.0.2 to 1.0.4 are in Community VLAN 21 plus Primary VLAN 20; the Internet and a WEB server are reached through the primary VLAN.
Primary VLAN: the VLAN to which the associations are made
Isolated VLAN: contains ports that have complete Layer 2 segregation from each other, but can still communicate with the nominated promiscuous ports
Community VLAN: contains ports that can communicate with other ports in their community or with the promiscuous ports
Promiscuous port: these ports are usually connected to routers, printers and file servers
Figure: ports 1.0.2 to 1.0.4 are in Community VLAN 21 plus Primary VLAN 20; the remaining ports are not members of the private VLAN; the Internet and the WEB server are reached through the promiscuous port.
Set the private VLAN types. Set the VLANs to be private and either primary, community or isolated:
awplus(config-vlan)# private-vlan 20 primary
awplus(config-vlan)# private-vlan 21 community
awplus(config-vlan)# private-vlan 22 community
awplus(config-vlan)# private-vlan 23 isolated
On the promiscuous port, map the primary VLAN to each of the secondary VLANs
awplus(config-vlan)# exit
awplus(config)# interface port1.0.1
awplus(config-if)# switchport private-vlan mapping 20 add 21
awplus(config-if)# switchport private-vlan mapping 20 add 22
awplus(config-if)# switchport private-vlan mapping 20 add 23
Associate the isolated host ports with the isolated VLAN 23.
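The Layer 2 reachability rules for promiscuous, community and isolated ports described above can be checked in code before a private VLAN is deployed. The following Python is an added example, not code from the course material or from AlliedWare Plus: it models a private VLAN with the numbers used on these slides (primary 20, community 21 and 22, isolated 23, promiscuous port1.0.1 mapped to all three secondaries, ports 1.0.2 to 1.0.4 in community 21) and answers, for any pair of ports, whether a frame can pass between them. The host ports placed in VLANs 22 and 23 (port1.0.5 to port1.0.7) are assumed for the example, and the class and method names are hypothetical.

```python
"""Private VLAN reachability model (added example, hypothetical names)."""


class PrivateVlan:
    def __init__(self, primary):
        self.primary = primary
        self.secondary = {}       # secondary vid -> "community" or "isolated"
        self.host_ports = {}      # host port -> secondary vid
        self.promiscuous = {}     # promiscuous port -> set of mapped secondary vids

    def add_secondary(self, vid, kind):
        if kind not in ("community", "isolated"):
            raise ValueError("unknown private VLAN type: %s" % kind)
        self.secondary[vid] = kind

    def add_host_port(self, port, vid):
        if vid not in self.secondary:
            raise ValueError("%d is not a secondary VLAN" % vid)
        self.host_ports[port] = vid

    def add_promiscuous_port(self, port, mapped):
        unknown = set(mapped) - set(self.secondary)
        if unknown:
            raise ValueError("cannot map unknown secondary VLANs %s" % sorted(unknown))
        self.promiscuous[port] = set(mapped)

    def can_forward(self, src, dst):
        """Can a frame received on port src be forwarded to port dst at Layer 2?"""
        if src == dst:
            return False
        if src in self.promiscuous and dst in self.promiscuous:
            return True                                   # both on the primary VLAN
        if src in self.promiscuous:                       # primary -> secondary
            return self.host_ports[dst] in self.promiscuous[src]
        if dst in self.promiscuous:                       # secondary -> primary
            return self.host_ports[src] in self.promiscuous[dst]
        vs, vd = self.host_ports[src], self.host_ports[dst]
        # Host to host only within the same community VLAN; isolated hosts never.
        return vs == vd and self.secondary[vs] == "community"

    def reachable_from(self, port):
        ports = set(self.host_ports) | set(self.promiscuous)
        return sorted(p for p in ports if self.can_forward(port, p))


def slide_example():
    """The configuration of the slides, plus assumed hosts in VLANs 22 and 23."""
    pv = PrivateVlan(primary=20)
    pv.add_secondary(21, "community")
    pv.add_secondary(22, "community")
    pv.add_secondary(23, "isolated")
    for port in ("port1.0.2", "port1.0.3", "port1.0.4"):
        pv.add_host_port(port, 21)
    pv.add_host_port("port1.0.5", 22)                   # assumed
    pv.add_host_port("port1.0.6", 23)                   # assumed isolated hosts
    pv.add_host_port("port1.0.7", 23)
    pv.add_promiscuous_port("port1.0.1", {21, 22, 23})  # router / server side
    return pv


if __name__ == "__main__":
    pv = slide_example()
    for port in sorted(set(pv.host_ports) | set(pv.promiscuous)):
        print(port, "->", ", ".join(pv.reachable_from(port)) or "nothing")
```

The model makes the isolation guarantee explicit: a host in isolated VLAN 23 reaches only the promiscuous port, two hosts in community 21 reach each other and the promiscuous port, and hosts in different communities never reach each other even though all of them share primary VLAN 20. It is also a useful reminder that the promiscuous port, and whatever router sits behind it, can still relay traffic between customers at Layer 3; the private VLAN only stops direct Layer 2 contact.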
Cluster Stack
A stack is a switch made of several units:
A single IP address to manage the whole stack
High-speed stacking link
All functionality can be configured across the stack
Switching tables are shared across stack members
Centrally managed ports across stack members, presented as one continuous set
This is what we call Virtual Chassis Stacking
Simplified Configuration
Often redundancy protocols like VRRP & STP are not needed, which reduces management traffic on the network
Resiliency
Aggregated links can be configured across different switches in the stack
The full bandwidth of all links is available for maximum throughput, and in the event of a failure the connection to the network core is maintained
AT-XEM-STK
VCStack Configuration
How the stack communicates
Stack management uses a specific VLAN ID and IP subnet; the default values are VLAN 4094 and subnet 192.168.255.0/28. You may need to change these values if they clash with a VLAN ID or subnet already in use in the network:
awplus(config)# stack management subnet <ip-address>
awplus(config)# stack management vlan <2-4094>
Management traffic is queued to egress queue 7 on the stack link.
VCStack Configuration
Roles of each switch in a stack
Each switch in a stack acts in one role:
backup member (also called stack member)
stack master (normally as the active master)
The stack members are controlled by the stack master. The stack master performs a number of tasks that a stack member does not perform:
It controls all switch management activity
It synchronizes boot release and configuration files with stack members
All routing protocol packets are processed by the stack master. The stack master then transfers any requisite table updates to the stack members.
VCStack Configuration
Stack Master selection
Master selection is based on two parameters:
Firstly - the stack members' priority setting
Secondly - the MAC address
The switch with the lowest priority becomes Master
Priority default is 128 - it can be changed to select a specific master
awplus(config)#stack <switch stack ID> priority <0-255>
If several switches have the same priority, the one with the lowest MAC address becomes Master
Master selection is not related to the unit ID (i.e. the master need not be 1)
Any switch in a stack can potentially be Stack Master
VCStack Configuration
Stack Member ID
Each switch in a stack has an ID number, which can be an integer between 1 and 8. The default on each switch is a stack ID of 1.
The stack IDs on each switch within a stack are unique. The system can automatically assign a unique ID number to each stack member.
Each member's configuration is associated with its ID
Allows putting the stack in a pre-defined configuration
In case of conflict, the system automatically modifies the ID of the unit with the higher MAC address.
From software release 5.3.3, the MAC address is virtual, so when mastership changes, the MAC address stays the same.
VCStack Configuration
Assigning stack IDs
Manual assignment on a switch before stacking
awplus(config)#stack 1 renumber <1-8>
Automatic assignment as switches join the stack
The stack master will be assigned stack ID 1, and the other switches will be automatically assigned other IDs.
Manual renumbering of a switch after stacking
awplus(config)#stack 1 renumber <1-8>
VCStack Configuration
Assigning stack IDs
Starts the stack numbering with a specified ID from a specified switch
awplus(config)#stack 3 renumber cascade 1
By pushing the Select button on a XEM-STK of a switch you renumber the whole stack (starting from ID 1)
VCStack Configuration
Displaying the stack IDs
The 8 segment display on the XEM-STK indicates the member ID
By connecting to the console port of any unit, you can see the ID in the login prompt
On x600 Series switches, you can use the command:
awplus#show stack indicator <1-8>|all [time <1-500>]
This causes the master LED on the switch to flash in a sequence which indicates the stack ID number
1 will flash on and off without pausing
2 will flash twice then pause
3 will flash three times then pause
4 will flash four times then pause
VCStack Configuration
Stack Maintenance
Adding a stack member
A switch can be added to an existing stack (hot-swapped in):
Power down the new switch
Connect its ports to the stack
Power on
Removing a stack member
A member can be removed from a stack (hot-swapped out):
Power down the member
Disconnect its stacking ports
Reconnect the remaining stack members
VCStack Configuration
Stack Maintenance
Replacing a stack member
You can seamlessly swap a switch into the stack to replace another
Configure the new switch with the same member ID as the switch it replaces
Optional auto-upgrade
Auto-upgrade will copy the master's software release onto a new member if the new member joins the stack with a SW release that is different
Auto-upgrade works when the master and new-member releases are similar (for example 5.3.2-0.1 and 5.3.2-0.2)
Auto-upgrade is enabled by default
If disabled, a new member with a different SW release cannot join the stack
VCStack Configuration
Provisioning
Provisioning provides the ability to pre-configure ports that are not yet present in a switch or in a stack. Provisioning keeps a 'placeholder' for a XEM or switch which has been hot-swapped out.
Switch provisioning
awplus(config)#switch 2 provision x900-24
XEM provisioning
awplus(config)#switch 2 bay 2 provision xem-12
Files synchronization
A VCStack requires that the software version and the configuration files on all stack members are the same. The following files are synchronised by the stack master:
Software release auto-synchronisation
Shared running configuration
Shared startup configuration
Scripts
Note: licences are not synchronized. For an optional feature (e.g. IPv6), each switch in the stack must have its own feature licence.
Files synchronization
Software release auto-synchronisation
When a new member joins a stack and has a software release that is different to the active master's, the active master's software release is copied onto the new member. The new member then reboots and comes up on that release.
The software auto-synchronization feature is enabled on all switches by default. You can enable or disable it using the command:
awplus(config)#(no) stack <1-8> software-autosynchronization
Rolling Reboot
This command allows a stack to be rebooted in a rolling sequence so that no more than one unit of the stack is in reboot at any given time.
First, the stack master is rebooted, causing the remaining stack members to fail over and elect a new master.
As soon as the rebooted Active Master has reloaded, it becomes the Active Master again.
Immediately after the Active Master has reloaded and assumed its role again, all of the other switches in the stack are rebooted at the same time.
Rolling Reboot
awplus#reboot rolling
The stack master will reboot immediately and boot up with the configuration file settings.
The remaining stack members will then reboot once the master has finished re-configuring.
Continue the rolling reboot of the stack? (y/n):y
awplus#22:11:07 awplus VCS[995]: Automatically rebooting stack member-4 (MAC: 00.15.77.c9.73.cb) due to Rolling reboot
URGENT: broadcast message: System going down IMMEDIATELY!
... Rebooting at user request ...
Rolling Reboot
Managing Stack Members file system
To perform an action on another stack member's file system:
<stack-member-name>/flash:[/]<file name>
The <stack-member-name> = <hostname>-<stack ID>
If the hostname of the stack is BlueCore, then the stack-member-name for switch 2 in the stack is BlueCore-2.
Example:
BlueCore# dir BlueCore-2/flash:/
BlueCore# delete BlueCore-2/flash:/example.cfg
If you do not use the stack-member-name prefix, then the command refers to a file that resides on the stack master.
Link Aggregation
Link Aggregation
Introduction
Link aggregation allows two or more links to be bundled (or "aggregated") together to form a logical link called a channel group.
A channel group provides:
Higher Bandwidth
Resiliency
Load Sharing
Links aggregated into a channel group must:
Originate and terminate on the same device or the same stack
Be members of the same VLANs
Have the same data rate
Have the same admin port key (channel-group mode command)
Be in full-duplex mode
Load Balancing
Hashing of information in the L2, L3 and L4 packet headers divides data between the aggregation group ports.
Because of hashing, an aggregation group provides higher bandwidth between switches but usually not between hosts (load balancing is per communication flow).
Figure: header fields used by the hash, per layer: L2 - destination MAC, source MAC; L3 - source IP, destination IP; L4 - source port.
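The per-flow effect described above, as an added example that is not part of the course material: a hash over the selected header fields picks one member port per flow, so 200 sessions between the same two hosts share one link when only L2 (or L2+L3) fields are hashed, while many hosts or L4 fields spread the load. SHA-256 is an assumed stand-in for the switch ASIC's hash; the port names, MACs and flows are constructed.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Header fields a switch may feed into its aggregation hash."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def select_member(flow: Flow, members: list, layers=("l2", "l3", "l4")) -> str:
    """Pick the channel-group member port for one flow.

    Only the header fields of the enabled layers enter the hash, so two flows
    that differ solely in a disabled layer always land on the same link.
    SHA-256 stands in for the ASIC's hash function (an assumption); what
    matters is that the mapping is deterministic per flow.
    """
    fields = []
    if "l2" in layers:
        fields += [flow.src_mac, flow.dst_mac]
    if "l3" in layers:
        fields += [flow.src_ip, flow.dst_ip]
    if "l4" in layers:
        fields += [str(flow.src_port), str(flow.dst_port)]
    digest = hashlib.sha256("|".join(fields).encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribution(flows, members, layers) -> Counter:
    """Count how many flows the hash places on each member port."""
    return Counter(select_member(f, members, layers) for f in flows)


# Constructed sample: a 4-link channel group between two switches.
MEMBERS = ["port1.0.1", "port1.0.2", "port1.0.3", "port1.0.4"]

# 200 TCP sessions between the same two hosts (host-to-host traffic).
HOST_PAIR_FLOWS = [
    Flow("0000.cd24.0226", "0000.cd24.0331", "192.168.30.10", "192.168.40.10",
         40000 + i, 443)
    for i in range(200)
]

# 200 sessions from 200 different client hosts to one server.
MANY_HOST_FLOWS = [
    Flow(f"0000.cd00.{i:04x}", "0000.cd24.0331", f"192.168.30.{1 + i}",
         "192.168.40.10", 40000 + i, 443)
    for i in range(200)
]

if __name__ == "__main__":
    for layers in (("l2",), ("l2", "l3"), ("l2", "l3", "l4")):
        print("host pair, hash on", layers, distribution(HOST_PAIR_FLOWS, MEMBERS, layers))
    print("many hosts, hash on L2 only", distribution(MANY_HOST_FLOWS, MEMBERS, ("l2",)))
```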
Link Aggregation
LACP Link Aggregation Configuration
awplus(config)# interface port1.0.1-1.0.3
awplus(config-if)# channel-group 1 mode active
awplus(config-if)#
awplus(config)# interface port1.0.2-1.0.4
awplus(config-if)# channel-group 1 mode active
awplus(config-if)#
On switch 2
How to see the active ports of the po interface:
awplus# show etherchannel summary
% Aggregator po1
% Admin Key: 0001 - Oper Key 0001
% Link: port1.0.1 (5001) disabled
% Link: port1.0.2 (5002) sync: 1
Figure: MAC learning on an L2 switch (Alpha Segment); both computers, 1A-2B-3C-4D-5E-6F and 68-C9-CF-E0-AB-13, have moved, and the switch now sees them on Port 2 instead of Port 1.
Figure: Switches A to F with ports P1-P4 and the Root Bridge. Loop-free tree topology of active links calculated by spanning tree.
Port roles: Designated Port, Root Port
Port states:
Listening
Forwarding: Switches data frames. Learns MAC addresses and includes them in the FDB. Receives, processes and transmits BPDUs. Receives and processes topology change notifications (TCN).
Figure: Root Bridge (bridge priority 32768, MAC A7-8E-5F-51-0B-7C) with Designated Ports 1 and 2 (port priority 128, path cost 20000) serving the Alpha and Bravo segments; Switch B (bridge priority 32768, MAC 5F-00-03-DE-B1-9A) with Root Port 1.
Today it is recommended not to change any of those values (to improve recovery times, one should consider using RSTP nowadays)
Alternate ports: alternate path to the Root Bridge
Backup ports: alternate path to a segment currently served by a Designated port
Alternate ports
If a Root Port on a switch goes down, an Alternate Port goes to Forwarding state, and becomes the new Root Port.
When a port becomes a Designated port, it negotiates a fast transition with the opposite port.
RSTP port cost table (recommended value ranges; the link-speed column is not recoverable): 20,000,000-200,000,000; 2,000,000-20,000,000; 200,000-2,000,000; 20,000-200,000; 2,000-20,000; 200-2,000; 20-200; 2-200; 2-20
Spanning-Tree configuration
Spanning Tree
Rapid Spanning Tree is activated by default on all ports of the switch. Therefore, nothing needs to be done to have the following behavior. As all switches have the same configuration, it is the switch with the lowest MAC address that becomes the root bridge.
Figure: three switches, all with bridge priority 32768 and MACs 00-00-cd-24-02-26, 00-00-cd-24-03-31 and 00-00-cd-12-78-08; the Root Bridge is 00-00-cd-12-78-08 (lowest MAC), with one link Forwarding and one Blocking.
To explicitly force a switch to be Root Bridge, you simply need to change the priority. This operation takes place in Config mode:
awplus(config)# spanning-tree priority 8192
Figure: with bridge priority 8192, switch 00-00-cd-24-03-31 becomes the Root Bridge (links Forwarding and Blocking change accordingly).
To change the default cost of a port (refer to the RSTP port cost table):
awplus(config-if)# spanning-tree path-cost <cost>
To improve convergence time, it is essential to configure all ports intended to connect end devices as "Portfast" ports:
awplus(config)# interface port1.0.1-1.0.23
awplus(config-if)# spanning-tree portfast
Spanning-Tree can be disabled on a per-port basis, if needed (careful, loops behind those ports would be unaccounted for):
awplus(config)# interface port1.0.24
awplus(config-if)# spanning-tree portfast bpdu-filter enable
Spanning Tree mode
Changing the Spanning Tree operational mode:
awplus(config)# spanning-tree mode stp
EPSR Introduction
Overview
A ring of switches at the network core increases resilience
No single point of failure
The ring must be protected from Layer 2 loops
Traditionally, STP-based technologies are used
Relatively slow to recover from link failure
Creates problems for applications with strict loss requirements such as voice and video
The solution is Ethernet Protection Switched Rings (EPSR)
Overview
Delivering services is the focus of modern network communications
Voice over IP (VoIP)
Video on demand (VoD)
Internet access
These services demand a high level of performance, as customers expect uninterrupted delivery
Network downtime must be minimised
Overview
Ethernet Protection Switched Rings (EPSR)
Prevents loops in ring-based Ethernet networks
Minimizes the impact of failure with sub 50ms recovery
Interoperates with standard Ethernet functions including:
High availability for mission critical traffic, preventing loss of voice, video or data in the event of failure
Avoid down-time in your core enterprise or service provider network
Example
10 GbE EPSR ring with 50ms failover provides uninterrupted voice and video on breaks in the ring
Interoperability with iMAP and x900
Resiliency for the Metro or Enterprise core
Products Supporting EPSR
AlliedWare Operating System: 8900 & x900-48 series, 9900 series, x900-24X series
AlliedWare Plus Operating System: x600, x900-12XT/S, x900-24X series, SwitchBlade x908
iMAP
5. Master node generates a new Health message when the Hello timer expires
Figure: EPSR ring with the Master Node and Transit Nodes 1 to 4 on the Control VLAN. Message types: 1 Master Node Health Message; 2 Transit Node LinkDown Message; 3 Ring-Down Flush-DB Message.
slide 289
202
slide 290
203
slide 292
EPSR Configuration
Example
A simple 3-switch ring with one data VLAN
Control packets use VLAN 1000
Data packets use VLAN 2
Figure: ring of Master Node (A), Transit Node (B) and Transit Node (C); ring port port1.0.2 is shown.
Example: master node configuration
1)
awplus(config)#vlan database
awplus(config-vlan)#vlan 1000 name epsr-control
awplus(config-vlan)#vlan 2 name data
awplus(config-vlan)#interface port1.0.1-port1.0.2
awplus(config-if)#switchport mode trunk
awplus(config-if)#switchport trunk allowed vlan add 1000,2
awplus(config-if)#switchport trunk native vlan none
2)
3) Configure the EPSR domain
awplus(config-if)#epsr configuration
awplus(config-epsr)#epsr awplus mode master controlvlan 1000 primaryport port1.0.1
awplus(config-epsr)#epsr awplus datavlan 2
4) Enable EPSR
awplus(config-epsr)#epsr awplus state enabled
Monitoring EPSR
show epsr
EPSR Information
--------------------------------------------------
Name .......................... test
Mode .......................... Master
Status ........................ Enabled
State ......................... Complete
Control Vlan .................. 1000
Data VLAN(s) .................. 2
Primary Port .................. port1.0.1
Primary Port Status ........... Forwarding
Secondary Port ................ port1.0.2
Secondary Port Status ......... Blocked
Hello Time .................... 1 s
Failover Time ................. 2 s
Ring Flap Time ................ 0 s
Trap .......................... Enabled
--------------------------------------------------
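To tie the fields above (State, Secondary Port Status, Hello Time, Failover Time) to the Health, LinkDown and Ring-Down/Ring-Up Flush-DB messages, here is an added, simplified Python model of the master node's ring state machine; it is not code from the course or from Allied Telesis, and the event timings and message names in the scenario are constructed.

```python
from dataclasses import dataclass, field

# Timer values taken from the show epsr output above (1 s hello, 2 s failover).
HELLO_MS = 1000
FAILOVER_MS = 2000
STEP_MS = 100  # simulation resolution


@dataclass
class MasterNode:
    """Simplified model of the EPSR master node (assumed behaviour)."""
    state: str = "Complete"            # Complete or Failed
    primary: str = "port1.0.1"         # always Forwarding
    secondary: str = "port1.0.2"
    secondary_status: str = "Blocked"  # Blocked while the ring is complete
    last_health_sent: int = -HELLO_MS
    last_health_seen: int = 0
    fdb_flushes: int = 0
    tx: list = field(default_factory=list)  # (time_ms, message) sent on the control VLAN
    rx: dict = field(default_factory=lambda: {"Health": 0, "Link Down": 0})

    def _send(self, now: int, kind: str) -> None:
        self.tx.append((now, kind))

    def tick(self, now: int) -> None:
        # Send a Health message out the primary port when the hello timer expires.
        if now - self.last_health_sent >= HELLO_MS:
            self._send(now, "Health")
            self.last_health_sent = now
        # While Complete, no Health back within the failover time means a break.
        if self.state == "Complete" and now - self.last_health_seen >= FAILOVER_MS:
            self._fail(now)

    def health_received(self, now: int) -> None:
        # Our own Health message came back on the secondary port: ring intact.
        self.rx["Health"] += 1
        self.last_health_seen = now
        if self.state == "Failed":
            self._restore(now)

    def link_down_received(self, now: int) -> None:
        # A transit node reported a link down: react without waiting for failover.
        self.rx["Link Down"] += 1
        if self.state == "Complete":
            self._fail(now)

    def _fail(self, now: int) -> None:
        self.state = "Failed"
        self.secondary_status = "Forwarding"  # unblock to restore connectivity
        self.fdb_flushes += 1
        self._send(now, "Ring Down")          # Ring-Down-Flush-DB to the transit nodes

    def _restore(self, now: int) -> None:
        self.state = "Complete"
        self.secondary_status = "Blocked"     # re-block to remove the loop
        self.fdb_flushes += 1
        self._send(now, "Ring Up")            # Ring-Up-Flush-DB


def run_scenario(transit_signals_link_down: bool):
    """Constructed scenario: the ring breaks at 5 s and is repaired at 8 s.

    Returns (time in ms at which the master declared the ring Failed, node).
    """
    break_at, repaired_at = 5000, 8000
    node = MasterNode()
    failed_at = None
    for now in range(0, 10001, STEP_MS):
        node.tick(now)
        if transit_signals_link_down and now == break_at:
            node.link_down_received(now)
        # A Health message sent one step ago returns on the secondary port
        # only while the ring is physically intact.
        ring_intact = now < break_at or now >= repaired_at
        if ring_intact and (now - STEP_MS, "Health") in node.tx:
            node.health_received(now)
        if failed_at is None and node.state == "Failed":
            failed_at = now
    return failed_at, node


if __name__ == "__main__":
    for signalled in (True, False):
        failed_at, node = run_scenario(signalled)
        print(f"LinkDown message={signalled}: failed at {failed_at} ms, "
              f"final state {node.state}, secondary {node.secondary_status}, "
              f"control messages {[m for _, m in node.tx if m != 'Health']}")
```

With a LinkDown message the master fails over at 5000 ms; relying on the missing Health messages alone it takes until 6100 ms (last Health seen at 4100 ms plus the 2 s failover time).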
show epsr <epsr-name> count
EPSR Counters
----------------------------------------------------------------
Name: domain1
Receive:                         Transmit:
  Total EPSR Packets    1093       Total EPSR Packets    1093
  Health                1092       Health                1092
  Ring Up                  1       Ring Up                  1
  Ring Down                0       Ring Down                0
  Link Down                0       Link Down                0
  Invalid EPSR Packets     0
----------------------------------------------------------------
Debugging EPSR
To enable debugging, enter the commands:
awplus# terminal monitor
awplus# debug epsr all
The terminal monitor command causes the switch to display terminal logging messages on the console
The master node transmits Health messages every second by default
It is recommended that you capture the debugging output for separate analysis
EPSR Implementation
Ports and Recovery Times
The following ports report that they are down immediately:
Tri-speed copper at 10 or 100M, Fiber 1000M, 10G
Recovery time is generally between 50 and 100ms
For tri-speed copper operating at 1000M, there is a short delay - 350ms or 750ms - before the port reports that it is down
The IEEE standard specifies that a port must wait after a link goes down
For most networks, this slight delay in recovery is no problem
For 1000M networks with extremely stringent failover requirements, use fiber 1000M ports instead of copper
Health Message Priority
Health messages are sent to the highest priority egress queue on the switch port (queue 7)
This ensures they are forwarded even if the network is congested
It is recommended that you:
Leave queue 7 as the highest priority
Leave it using strict priority scheduling
Only send essential control traffic to it
L3 / IP Overview
IP Concepts
Introduction
IP is the short form of the protocol called Internet Protocol
IP datagrams are sent from one host to another, possibly through interconnecting routers
IP service is an unreliable, connectionless, best-effort packet delivery system
IP provides network level services:
Host addressing
Routing
Packet fragmentation and reassembly (if necessary)
All other higher layer protocols use IP services
IP Version 4
Current default IP is version 4
Defined in 1981 with RFC-791
32 Bit address. This is limited. Therefore Private Addresses are widely used via Network Address Translation (NAT).
Variable length IP Header
Extra protocol: Address Resolution Protocol (ARP) needed in LANs
Octets described in Decimal notation
Originally based on Network Classes (A-E), now Classless (CIDR) is often used
Problems
Lack of addresses. Therefore private networks are necessary
Lacks Auto-Configuration, Quality-of-Service and Real-Time options defined in the protocol
IP Version 6
IP Version 6 is becoming important because of problems in Asia, due to lack of addresses
Defined in 1998 with RFC-2460
128 Bit address. Not yet widely used, but increasing quickly
Fixed length header, with defined extensions. No IP checksum.
Host address (part of address) can be generated from the MAC
ARP replaced by a concept called Neighbour Detection (ND)
Octets always described in Hexadecimal notation
Always Classless notation
Typically several IP addresses per Interface
IP Address
IP Subnet Definition
A subnetwork consists of all systems that can directly communicate with each other using homogeneous technologies
An Ethernet segment can contain more than one separate subnet
Often different subnets are placed on individual VLANs, for ease of administration.
IPv4 communication between hosts within an Ethernet subnet uses the ARP (Address Resolution Protocol) mechanism
IPv6 has an improved mechanism for communication inside the Ethernet subnet called ND (Neighbour Detection)
IPv4 Address
Entry and Subnet Detection
A v4 IP Address is 32 bits and expressed in dotted decimal
The complete entry requires the following data:
Host Address: e.g. 192.168.10.123
Network Mask
Dotted decimal: e.g. 255.255.255.0
Binary bit value: e.g. 192.168.10.123 /24
Defines which packets being processed are considered to be in the host subnet, or must be forwarded via a gateway
Defines which parts of the 32 bits are:
Network address part
Host address part
Often entered wrong, which causes network outages
Network Information
This part of the Host IP address entry is calculated in simple configurations, but will need to be entered manually when non-standard subnets are used.
Network Address: is often calculated automatically
Network part = Network part of Host address + Host part = all zeros
Network Broadcast: is often calculated automatically
Network part = Network part of Host address + Host part = all ones
ARP Mechanism
IPv4 Data Transfer within a Subnet
The decision is made depending on the subnet mask
Each host has a local IP Address to MAC Address translation cache
When it needs to send an IP datagram, then:
If the entry is in the cache, the datagram will be sent to the MAC address directly
If NOT in the cache, then send an ARP broadcast packet and wait for an answer from the host.
Problems due to delays occurring
Problems due to broadcast traffic to all hosts in the VLAN
Problems due to old entries in the cache from now non-existent hosts
When debugging L3 problems, the ARP cache can give helpful information
IP Gateway / Router
IPv4 Data Transfer to another Subnet
The decision is made depending on the subnet mask - that the destination address is not in the current subnetwork
Must have a host entry with the information as to which neighbour host in the current subnet to send the packet to, so that it is forwarded to the destination subnet (NOTE: it has no information on the destination host, only the destination subnet):
The entry is called a gateway, or a route entry
The special subnet 0.0.0.0 is called a default gateway, and will be used when no other gateway is found.
If no matching entry is found then the packet will be discarded
Gateway or routing entries are made:
Manually, and are then called static routes
Automatically from routing software, e.g. RIP, OSPF
IPv4 Classes
v4 Class Concept
Classes were defined in the original concept, but are now slowly being replaced by a newer class-less system (CIDR)
Class   Address range (high octet)   Mask             Structure (four 8-bit octets)
A       0-127                        255.0.0.0        Network | Host | Host | Host
B       128-191                      255.255.0.0      Network | Network | Host | Host
C       192-223                      255.255.255.0    Network | Network | Network | Host
D       Multicast
E       Reserved
Special Addresses
Loopback and Private addresses
Local loopback subnet within each host: address 127.0.0.1 / 32
Private addresses are needed due to the shortage of public addresses
Private addresses should never be used in a public network
Access to private addresses from the public network is typically via NAT (Network Address Translation)
Address Class   Reserved address space
Class A         10.0.0.0 through 10.255.255.255
Class B         172.16.0.0 through 172.31.255.255
Class C         192.168.0.0 through 192.168.255.255
IPv4 Subnets
Typical Subnet Error
The administrator is using addresses from the private class B area in this example
Uses host address: 172.16.1.254/24 (but it should be /16)
Wants to communicate with 172.16.2.223
What happens to the packets?
Due to the wrong mask, they are not defined as being in the same subnet
The host will look for a gateway for the network 172.16.2.0, which is probably not entered
The host will look for a default gateway, and send the packet to this host address. This host will probably not have an entry for this subnet either, and will therefore throw the packets away.
If no default gateway is entered either, then the host will throw the packets away
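The mask arithmetic behind the "Entry and Subnet Detection" and "Network Information" slides and this subnet error, as an added Python example (not course material): the network and broadcast addresses are built from the host address bit-by-bit, and the same on-link test that makes 172.16.2.223 unreachable with /24 succeeds with the correct /16. The function names are assumptions for illustration.

```python
def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 address to a 32-bit integer (validates each octet)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def prefix_to_mask(prefix: int) -> int:
    """/prefix length to a 32-bit mask with the network bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask to /prefix, rejecting non-contiguous masks."""
    value = ip_to_int(mask)
    prefix = bin(value).count("1")
    if prefix_to_mask(prefix) != value:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def network_address(host: str, prefix: int) -> str:
    # Network part of the host address, host part all zeros.
    return int_to_ip(ip_to_int(host) & prefix_to_mask(prefix))


def broadcast_address(host: str, prefix: int) -> str:
    # Network part of the host address, host part all ones.
    mask = prefix_to_mask(prefix)
    return int_to_ip((ip_to_int(host) & mask) | (~mask & 0xFFFFFFFF))


def same_subnet(local: str, prefix: int, remote: str) -> bool:
    """The sending host's decision: on-link (ARP and send directly) or not."""
    return network_address(local, prefix) == network_address(remote, prefix)


def explain(local: str, prefix: int, remote: str) -> str:
    """One-line description of what the host will do with a packet for remote."""
    if same_subnet(local, prefix, remote):
        return f"{remote} is on-link for {local}/{prefix}: ARP and send directly"
    return (f"{remote} is off-link for {local}/{prefix} "
            f"(local network {network_address(local, prefix)}): needs a gateway")


if __name__ == "__main__":
    # The slide's example: wrong /24 mask versus the correct /16.
    print(explain("172.16.1.254", 24, "172.16.2.223"))
    print(explain("172.16.1.254", 16, "172.16.2.223"))
    print(network_address("192.168.10.123", 24), broadcast_address("192.168.10.123", 24))
```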
L3 Switching
Introduction
Switch Setup Step 2: Assigning IP Addresses to VLANs
Switch Setup Step 3: Adding routes to the outside
Routing Introduction
Overview
IP routing is the process of moving packets from one network to another network using routers
The route that is taken to the remote network is decided by the route found in the local router database
The local router only moves the packet to the neighbour which is marked as the gateway for the destination. The router does not have any knowledge of what happens after that
A data connection probably requires packets to move in both directions within the data flow. The remote routers must therefore know a route:
to the remote network
from the remote network back to the local one
Route Entries
Routes from local interfaces/VLANs will be automatically inserted when they are created. Routes of networks not directly connected to the local router will need to be inserted:
Static routes must be inserted manually.
Routes must be inserted for every subnetwork that should be reachable from this router; this can be a large management overhead
A default route will route any unknown packets to the gateway address, and can simplify management but be a security risk
In networks with multiple subnetworks, static routes become very complex to administer
Changes in the network will need to be manually entered as new static routes
Dynamic routes are inserted by routing software running on the routers.
The routes are continuously maintained, and will automatically learn about any changes in the complete network
The routing protocol sends control packets to other routers with the routing function, and therefore loads the network
IPv4 Configuration
Setting an IP address
On switch ports, the Interface address is defined per VLAN
awplus# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)# vlan database
awplus(config-vlan)# vlan 2 [name myvlan]
awplus(config)# interface port1.0.3-port1.0.10
awplus(config-if)# switchport access vlan 2
awplus(config-if)# interface vlan2
awplus(config-if)# ip address 192.168.30.250/24
Displaying IP Interfaces Status
Show the IPv4 status of all interfaces.
Note: VLAN1 (the default VLAN) is shown in its default state. The management ethernet port (eth0) does not have a VLAN and IP address here. Route definitions, not shown here, will govern whether traffic is routed between VLAN1 and VLAN2.
awplus# sho ip inter
Interface   IP-Address
eth0        unassigned
lo          unassigned
vlan1       192.168.1.1
vlan2       192.168.30.250
awplus#
ARP cache Contents
The ARP cache is continually maintained from information learnt from the Ethernet interfaces
Displaying the ARP entries can give a lot of help when troubleshooting Ethernet problems.
Command to display the ARP cache contents:
As can be seen, there are two different hosts attached (probably via a switch) to port 1.0.3
No hosts have been seen on the ports on VLAN1
MAC Address      Interface
0009.6be3.d55f   vlan2
000e.a690.7c5d   vlan2
Default and Static Route Entry
Check that forwarding is enabled:
awplus# sho ip forwarding
IP forwarding is on
Add a default route to route anything not otherwise defined, outside this subnet, to a host in this subnet which will route the traffic:
awplus# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)# ip route 0.0.0.0/0 192.168.30.252
Add the static route to the network 192.168.40.0/24 by forwarding packets to the host in this subnet at 192.168.30.252:
awplus# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)# ip route 192.168.40.0/24 192.168.30.252
awplus#
Displaying IPv4 Routes
Routes in the RIB (Routing Information Base) that are not active are not shown
awplus# sho ip route
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       * - candidate default
S    0.0.0.0/0 [1/0] via 192.168.30.254, vlan2
C    192.168.30.0/24 is directly connected, vlan2
S    192.168.40.0/24 [1/0] via 192.168.30.252, vlan2
awplus#
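How the router picks among these entries, as an added Python example (not course or Allied Telesis code): a longest-prefix match over only the active routes, so the 0.0.0.0/0 default is used when nothing more specific matches and an inactive RIB entry (the 192.168.60.0/24 route from the route database output that follows) never influences forwarding. The route table mirrors the output above; the Route class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    code: str                   # C - connected, S - static (as in the legend above)
    prefix: str                 # destination network in CIDR form
    iface: str
    via: Optional[str] = None   # next-hop address; None for a connected network
    active: bool = True         # inactive RIB entries are never installed


# Constructed table mirroring the show ip route / show ip route database output.
RIB = [
    Route("S", "0.0.0.0/0", "vlan2", via="192.168.30.254"),
    Route("C", "192.168.30.0/24", "vlan2"),
    Route("S", "192.168.40.0/24", "vlan2", via="192.168.30.252"),
    Route("S", "192.168.60.0/24", "vlan2", via="192.168.50.250", active=False),
]


def fib(rib):
    """Only active routes are used for forwarding."""
    return [r for r in rib if r.active]


def lookup(dst: str, routes) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins, so the
    0.0.0.0/0 default is chosen only when nothing more specific matches."""
    addr = ipaddress.IPv4Address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.IPv4Network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def forwarding_decision(dst: str, rib) -> str:
    """Describe what the router does with a packet addressed to dst."""
    r = lookup(dst, fib(rib))
    if r is None:
        return "drop: no matching route"
    if r.via is None:
        return f"deliver directly on {r.iface} (ARP for {dst})"
    return f"forward to {r.via} via {r.iface} ({r.prefix})"


if __name__ == "__main__":
    for dst in ("192.168.30.9", "192.168.40.7", "8.8.8.8", "192.168.60.1"):
        print(dst, "->", forwarding_decision(dst, RIB))
    no_default = [r for r in RIB if r.prefix != "0.0.0.0/0"]
    print("192.168.60.1 without a default route ->", forwarding_decision("192.168.60.1", no_default))
```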
Show all routes, including those on inactive links
awplus# sho ip route database
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info
S *> 0.0.0.0/0 [1/0] via 192.168.30.254, vlan2
C *> 192.168.30.0/24 is directly connected, vlan2
S *> 192.168.40.0/24 [1/0] via 192.168.30.252, vlan2
S    192.168.60.0/24 [1/0] via 192.168.50.250 inactive
awplus#
RIP Routing
RIP Introduction
RIP Version 1
Very old standard
Broadcasts routing updates: extremely heavy LAN usage
RFC 1058 and STD 56
No authentication of routing data, therefore unsafe
Classful
RIP V2
RFC 2453 (in addition to RFC 1058)
Uses multicast - address 224.0.0.9 (Class D), therefore less LAN load
UDP port 520
Provides MD5 or plain text authentication of routing updates
Classless
RIPng for IPv6
RFC 2080
Is closely aligned to RIP V2 (multicast, and authentication)
RIP updates
RIP Database Router 1
Destination    Mask             Nexthop      Metric
192.168.2.0    255.255.255.0    192.1.1.2    1
192.168.3.0    255.255.255.0    192.1.1.2    2

RIP Database Router 2
Destination    Mask             Nexthop      Metric
192.168.1.0    255.255.255.0    192.1.1.1    1
192.168.3.0    255.255.255.0    192.1.2.1    1
Figure: Router 1 (192.168.1.0), Router 2 (192.168.2.0) and Router 3 (192.168.3.0) connected over 192.1.1.0 and 192.1.2.0, exchanging RIP updates.
Figure: Routers 1 to 4 in a chain; a route is carried with metric 1, 2 and 3 after successive hops.
The metric increases at each hop. The route with the lowest metric is used.
RIP Commands
Enter the router rip configuration mode:
awplus# config terminal
awplus(config)# router rip
In this example interfaces VLAN2 and VLAN3 send and receive RIP updates, and these updates contain routing information about the IP networks associated with VLAN 2 and VLAN3.
AlliedWare Plus uses RIPv2 by default. If RIPv1 must be used (not advised), you can change the RIP version, either globally or on specific interfaces.
Globally:
awplus#configure terminal
awplus(config)#router rip
awplus(config-router)#version 1
On a given interface:
awplus#configure terminal
awplus(config)#interface VLAN3
awplus(config-if)#ip rip send version 1
RIP can be used to communicate with specific neighbors:
Non-passive mode
RIP updates to these neighbors are sent as unicast, and IP unicast updates from these neighbors are also accepted. It doesn't automatically deactivate broadcasting/multicasting of RIP updates. To deactivate broadcasting/multicasting of RIP updates, the interface must be set to passive mode (in router rip configuration mode):
awplus(config-router)#passive-interface VLAN2
Other useful commands:
To redistribute static routes through RIP (all static routes except any default route):
awplus(config)#router rip
awplus(config-router)#redistribute static
To redistribute any default-route information:
awplus(config)#router rip
awplus(config-router)#default-information originate
To deactivate reception/transmission of RIP updates (have RIP communicate one-way only):
awplus(config)#interface VLAN4
awplus(config-if)#no ip rip send-packet
awplus(config-if)#no ip rip receive-packet
RIP Timers
Figure: the UPDATE, TIMEOUT and GARBAGE timers; RIP updates refresh a route, and once the garbage timer has run out the route will be removed.
RIP timers
To modify RIP timers:
awplus(config)#router rip
Default values:
Lower values can be used in networks where bandwidth is not an issue (LANs).
All routes including those with higher metrics which might not yet be used:
awplus#show ip rip database full
Figure: Router A (192.168.1.1/24) connects to Router B (192.168.1.2/24 and 192.168.10.1/24), which connects to Router C (192.168.10.2/24).
Update
192.168.1.0 192.168.2.0
Router A Router B Update Sending this route back violates split horizon
slide 338 192.168.1.0
192.168.3.0
Update
192.168.1.0 192.168.2.0
Router A Router B
192.168.1.0 16 16 1
192.168.3.0
Update
236
slide 339
237
RIP Authentication

RIP updates can be authenticated with a single key or with multiple keys (a key chain), in clear text or MD5 mode.
(Figure: Router A and Router B are connected on VLAN2; Router A's network is 192.168.11.0, Router B's is 192.168.10.0; the RIP updates exchanged between them are authenticated.)

Router A:

awplus#configure terminal
awplus(config)#router rip
awplus(config-router)#network 192.168.11.0/24
awplus(config-router)#interface vlan2
awplus(config-if)#ip rip authentication string secret
awplus(config-if)#ip rip authentication mode md5

Router B:

awplus#configure terminal
awplus(config)#router rip
awplus(config-router)#network 192.168.10.0/24
awplus(config-router)#interface vlan2
awplus(config-if)#ip rip authentication string secret
awplus(config-if)#ip rip authentication mode md5

The string and the mode must be identical on both ends of the link, otherwise the updates are discarded. In clear-text mode the string itself travels in every update, so anyone on the VLAN can read it; MD5 mode sends only a digest computed over the update and the key, and the key never appears on the wire.
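What the two configurations above actually put on the wire, as an added example that is not part of the course material and not Allied Telesis code: a Python model of RIPv2 authentication. It builds a RIPv2 Response carrying one route with either a clear-text (type 2) or keyed-MD5 (type 3, RFC 2082) authentication entry and verifies it the way a receiving router does. The route, key id, sequence number and the key `secret` are constructed for this example; which of the two forms the switch emits depends on the `ip rip authentication mode` chosen above.

```python
# Added example, not from the course: RIPv2 authentication as selected by
# `ip rip authentication mode {text|md5}`. Key, route and sequence number are constructed.
import hashlib
import hmac
import struct

RIP_RESPONSE, RIP_VERSION = 2, 2
AFI_AUTH, AUTH_TEXT, AUTH_MD5 = 0xFFFF, 2, 3
MD5_TRAILER_TYPE = 0x0001


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def route_entry(prefix: str, mask: str, metric: int, nexthop: str = "0.0.0.0", tag: int = 0) -> bytes:
    """One 20-byte RIPv2 route entry (AFI 2 = IP)."""
    return struct.pack("!HH", 2, tag) + _ip(prefix) + _ip(mask) + _ip(nexthop) + struct.pack("!I", metric)


def _header() -> bytes:
    return struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)


def build_unauthenticated(routes: bytes) -> bytes:
    return _header() + routes


def build_text_auth(routes: bytes, password: bytes) -> bytes:
    """Clear-text mode: the password itself travels in the first entry, zero-padded to 16 bytes."""
    return _header() + struct.pack("!HH", AFI_AUTH, AUTH_TEXT) + password.ljust(16, b"\0") + routes


def build_md5_auth(routes: bytes, key: bytes, key_id: int = 1, seq: int = 1) -> bytes:
    """Keyed-MD5 mode (RFC 2082): the key never leaves the router, only a digest does."""
    pkt_len = 4 + 20 + len(routes)            # offset of the trailer = "RIP-2 packet length" field
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
    body = _header() + auth + routes
    trailer_hdr = struct.pack("!HH", AFI_AUTH, MD5_TRAILER_TYPE)
    # digest over the packet with the zero-padded key standing in the authentication data field
    digest = hashlib.md5(body + trailer_hdr + key.ljust(16, b"\0")).digest()
    return body + trailer_hdr + digest


def verify(packet: bytes, secret: bytes):
    """(accepted, mode) as decided by a receiver configured with `secret`."""
    afi, atype = struct.unpack("!HH", packet[4:8])
    if afi != AFI_AUTH:
        return False, "none"                  # unauthenticated update on an authenticated interface
    if atype == AUTH_TEXT:
        return hmac.compare_digest(packet[8:24], secret.ljust(16, b"\0")), "text"
    if atype == AUTH_MD5:
        pkt_len = struct.unpack("!H", packet[8:10])[0]
        body, trailer = packet[:pkt_len], packet[pkt_len:]
        expected = hashlib.md5(body + trailer[:4] + secret.ljust(16, b"\0")).digest()
        return hmac.compare_digest(trailer[4:20], expected), "md5"
    return False, "unknown"


def sniffed_password(packet: bytes) -> bytes:
    """What anyone on the VLAN reads out of a clear-text authenticated update."""
    return packet[8:24].rstrip(b"\0")


def tamper_metric(packet: bytes, new_metric: int) -> bytes:
    """An on-path attacker rewrites the metric of the first route in an MD5-authenticated update."""
    off = 4 + 20 + 16                          # header + auth entry + (afi, tag, ip, mask, nexthop)
    return packet[:off] + struct.pack("!I", new_metric) + packet[off + 4:]
```

verify() rejects an update carrying the wrong key, a modified route, or no authentication entry at all; sniffed_password() shows that in text mode the whole key is readable by any host on the VLAN, which is why MD5 is the mode to use. RFC 2082 MD5 is a keyed digest rather than an HMAC, and MD5 is no longer a strong hash, but it still stops an attacker without the key from injecting routes, which is the threat that matters on a shared VLAN.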
Access Lists

Once VLANs are configured and IP interfaces are defined, there is no restriction on communications: one only needs the proper gateway to get IP communication with all devices. In order to get some control over the communications, it is necessary to set up Access Lists.

(Figure: the traffic of two VLANs, drawn as green-tagged and yellow-tagged, crossing the switch.)
ACLs

AlliedWare Plus provides several types of Access Lists: some are software-based, others are hardware-based.

Software ACLs are used to filter information relating to dynamic routing protocols (route filtering). They are not to be used to filter user traffic, which is the job of hardware ACLs. Hardware ACL filtering takes place in the switching ASICs, so it has no impact on forwarding performance or latency.
Hardware ACLs

Hardware ACLs are implemented in two different ways.

Numbered ACLs: they are created with a number taken from the ranges below. They are active on traffic ingressing the switch ports to which they have been associated. The order in which they are applied to the port plays a critical role in the final result. Once created they are not easy to modify, so they are only recommended for QoS classification.

awplus(config)#access-list ?
<3000-3699> Hardware IP access list
<4000-4699> Hardware MAC access list

Named ACLs: a named ACL is a list of several rules, each of them numbered. It is easy to insert or delete a rule inside such an ACL. A named ACL is active once it is associated with one or several ports of the switch.
(Figure: rule evaluation. A packet is compared with the rules of the ACL in order; the first rule that matches determines the action, permit or deny, and no further rule is consulted.)
IP addresses

Source and destination IP addresses can take the following values:

any: any address.
A.B.C.D/M: a network address with its subnet mask length. Use a /32 mask to identify a host.
host A.B.C.D: same as above with a /32 mask.

A rule of type ip matches on addresses only. If ports are also to be matched, the rule must be a TCP or UDP rule.
TCP and UDP rules match source and/or destination ports through a logic operator, such as eq (port equal to the given value), which is the operator used in the example at the end of this chapter.
Maintaining rules

An ACL can contain several rules of different types; a given ACL can therefore contain IP, TCP and UDP rules. When a new rule is created, its number determines its position inside the ACL. If no number is given, the rule is placed at the end of the ACL (its number = last known number + 10). These rule numbers do not appear in the configuration file or in the running-config. When the configuration is saved and the device is rebooted, the numbering is automatically recreated in increments of 10. This does not change the switch behaviour, since the relative order of the rules is preserved.
Applying an ACL

Once it is created, an ACL must be associated with one or more ports. This can be done on individual ports or on port ranges. An ACL can also be applied to a static aggregator interface. When filtering traffic ingressing an LACP aggregator, the ACL must be applied to the ports belonging to the po interface, not to the po interface itself.

To apply to a port:

awplus(config)#interface portx.y.z
awplus(config-if)#access-group <acl_name>

To apply to a static aggregator:

awplus(config)#interface <static_agg_name>
awplus(config-if)#access-group <acl_name>
Example

(Figure: host A, 149.35.65.49, is connected to port 9; host B, 192.168.1.2, is connected to port 24.)

Only Telnet communications from A to B must be allowed. All other communication must be denied.
ACL

awplus(config)#access-list hardware telnet_only
awplus(config-ip-hw-acl)#10 permit tcp 192.168.1.2/32 149.35.65.49/32 eq 23
awplus(config-ip-hw-acl)#20 permit tcp 149.35.65.49/32 eq 23 192.168.1.2/32
awplus(config-ip-hw-acl)#30 deny ip any any
awplus(config-ip-hw-acl)#exit
awplus(config)#interface port1.0.24,port1.0.9
awplus(config-if)#access-group telnet_only

Hardware ACLs are stateless: rule 10 matches the Telnet segments sent to TCP port 23 of 149.35.65.49 and rule 20 the replies coming back from that port, and both are needed for the session to work. Rule 30 must remain the last rule, since it matches everything.
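An added example (not part of the course and not Allied Telesis code) modelling how the telnet_only ACL above is evaluated: rules are held by sequence number and tested in ascending order, the first match decides, an unnumbered rule lands at the last number + 10, and a rule numbered between two existing ones is inserted between them. The packets are constructed, and the assumption that traffic matching no rule is forwarded (the reason the example closes with an explicit deny) is this model's, not a statement about the switch.

```python
# Added example, not from the course: ordered evaluation of a named hardware ACL.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" | "tcp" | "udp"
    src: str                     # "any" or A.B.C.D/M
    dst: str
    sport: Optional[int] = None  # `eq` operator only, as in the example
    dport: Optional[int] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    return rule.dport is None or pkt.dport == rule.dport


class HardwareACL:
    def __init__(self, name: str, default: str = "permit"):
        # `default` is this model's assumption for traffic matching no rule; the course
        # example ends with `30 deny ip any any` so that nothing depends on it.
        self.name, self.default = name, default
        self.rules: Dict[int, Rule] = {}

    def add(self, rule: Rule, seq: Optional[int] = None) -> int:
        """Numbered rule: sits at its number. Unnumbered: last number + 10."""
        if seq is None:
            seq = max(self.rules, default=0) + 10
        self.rules[seq] = rule
        return seq

    def sequence(self) -> List[int]:
        return sorted(self.rules)

    def evaluate(self, pkt: Packet) -> str:
        for seq in self.sequence():             # lowest number first, first match wins
            if rule_matches(self.rules[seq], pkt):
                return self.rules[seq].action
        return self.default


def telnet_only() -> HardwareACL:
    """The ACL from the example above."""
    acl = HardwareACL("telnet_only")
    acl.add(Rule("permit", "tcp", "192.168.1.2/32", "149.35.65.49/32", dport=23), 10)
    acl.add(Rule("permit", "tcp", "149.35.65.49/32", "192.168.1.2/32", sport=23), 20)
    acl.add(Rule("deny", "ip", "any", "any"), 30)
    return acl
```

Adding a rule numbered 15 places it between 10 and 20; adding one without a number after rule 30 gives it number 40, where the deny-any at 30 shadows it completely, which is the mistake the numbering scheme makes easy to spot.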
Table of contents

What is QoS?
Principles of switching
Queues
Mechanisms for emptying queues
Priority signaling
802.1p (VLAN User Priority)
Differentiated Services Code Point (DiffServ, DSCP)
What is QoS?
Data: continuous transmission of segments, with bandwidth peaks. Some delay may be tolerated, but no loss of packets. Packets are forwarded with error control (TCP); the emphasis is on reliable transfer rather than on speed.

Video: continuous flow. Loss of packets is not tolerated (visible degradation). Slight delay is acceptable, in both multicast and unicast, except in real-time applications (video-conferencing) where the constraints are similar to voice. Emphasis on reliability of transfer rather than speed, although error checking and retransmission are not possible in multicast.
Priority management

Different mechanisms are available, depending on the type of equipment. The most sophisticated functions (dynamic congestion management, traffic shaping, etc.) are normally reserved for network core switches (Layer 3, such as the x600, x900 and SBx908). All manageable switches include priority management, but with variations in the available options. This course therefore concentrates on priority management.
Principles of switching

Frame forwarding

Frames received at a port (ingressing frames) are forwarded to their destination port (egressing frames) on the FIFO principle (First In, First Out). They are first stored in buffer memory, in order to:

enable forwarding between ports operating at different speeds,
allow an integrity check on each frame.

Packet buffering

In fact there is not just one buffer memory per port, but several. Before transmission from a port, a frame may therefore be stored in one of multiple egress queues, from the lowest priority to the highest. The value of this is being able to direct frames to one queue or another according to particular criteria.

(Figure: frames ingressing on several ports are placed in one of the egress queues of the output port, ordered from - priority to + priority.)
Packet buffering

(Figure: packets stored in multiple egress queues, from - priority to + priority.)

The prioritization of traffic is achieved by the way in which each queue is emptied relative to the others. Two mechanisms are available on most devices:

Strict Priority Queuing (SPQ): always send packets from the highest-priority non-empty queue.
Weighted Round Robin (WRR): a cyclical process in which each queue is emptied in proportion to its importance (weight).
Architectural rules

Setting up priority management makes sense only when other rules have been observed:

The network has enough bandwidth to easily forward the average volume of traffic.
Links between devices provide satisfactory bandwidth (1 Gbps minimum).
"Priority management must always be implemented for VoIP or any other real-time application."

True or false? False: prioritization only matters if this traffic has to take precedence over another kind (e.g. traditional data). What is the point of giving preference to one kind of traffic on an Ethernet network used exclusively for one type of traffic (VoIP)?
In practice
If a frame carries no priority value, it is assigned to a default queue and processed best-effort. If no QoS configuration is provided, all traffic is processed on this principle.

The default queue of a port can also be changed, so that all traffic entering a given port is assigned a particular priority.
Priority marking

An L2 switch such as the AT-8000S can read a priority value in an incoming frame and process it accordingly. Something still has to write a value into the 802.1p field. Marking may be applied at various levels:

by the terminal equipment (e.g. an IP telephone),
by the access switch, if it can do this,
by the L3 backbone switch (e.g. an AT-x900).

A consistent architecture needs equipment that can handle this priority and apply marking as early as possible on the path of this traffic.

Nowadays, the most widely used architectures apply priority marking on the terminal equipment; for example, all IP telephones currently on the market can do this. But which mechanism should you choose: 802.1p or DiffServ?
802.1p

Priority management by 802.1p is an extension of VLAN tagging (802.1Q). Marking is therefore applied in the Ethernet header of a frame. The 802.1p priority field is 3 bits in the 4-byte 802.1Q tag, so there are 8 possible priority levels.

Tagged frame layout: Destination Address | Source Address | 802.1Q tag (4 bytes) | Type/Len | Data | Frame Check

The tag consists of the 2-byte tag protocol identifier (0x8100) followed by the 2-byte Tag Control Information (TCI): User Priority (3 bits), Canonical Format Indicator (1 bit), VLAN ID (12 bits).
802.1p

Although each value can be assigned to the traffic of your choice, there are IEEE recommendations for this:

CoS value | Recommended use
1 | Background (non-sensitive traffic)
2 | Spare (reserve value)
0 | Best Effort (default, unmarked traffic)
3 | Excellent Effort (better than Best Effort)
4 | Controlled Load (applications subject to reserved bandwidth)
5 | Video (any application characterized by less than 100 ms delay and jitter)
6 | Voice (any application characterized by less than 10 ms delay and jitter)
7 | Network Control (network protocol traffic such as Spanning Tree)
DiffServ

Within a LAN, DiffServ can be used to replace or supplement CoS priority. The DSCP is a 6-bit field in the IP header (the former ToS byte), giving 64 values; its position in layer 3 means it survives routing and is therefore present end to end in a full LAN-WAN architecture.
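To make the two markers concrete, an added example (not course material and not Allied Telesis code) that builds a tagged IPv4 frame, reads the User Priority, CFI and VLAN ID from the TCI and the DSCP from the IP header, maps the CoS value to an egress queue, and shows what routing does to each marker. The MAC and IP addresses in build_frame are constructed, and the CoS-to-queue map is the x600 default as this example assumes it from the chapter's queue table (CoS 0 to queue 2, CoS 1 to queue 0, CoS 2 to queue 1, the rest unchanged).

```python
# Added example, not from the course: where 802.1p and DSCP live in a frame.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
# Assumed default CoS -> egress queue map of the x600 (CoS 0..7 -> queue 2,0,1,3,4,5,6,7)
DEFAULT_COS_TO_QUEUE = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}
# IEEE 802.1D Annex G recommended use, as tabulated above
COS_USE = {1: "Background", 2: "Spare", 0: "Best Effort", 3: "Excellent Effort",
           4: "Controlled Load", 5: "Video", 6: "Voice", 7: "Network Control"}


def build_frame(pcp: int, vid: int, dscp: int, cfi: int = 0) -> bytes:
    """Constructed Ethernet II frame with an 802.1Q tag and a minimal IPv4/UDP header."""
    dst, src = b"\x01\x00\x5e\x00\x00\x09", b"\x00\x00\xcd\x24\xfa\xfe"   # constructed MACs
    tci = (pcp << 13) | (cfi << 12) | (vid & 0x0FFF)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    tos = dscp << 2                                  # DSCP is the top 6 bits, ECN the bottom 2
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                         b"\x0a\x00\x00\x14", b"\xc0\xa8\x1e\xfc")          # constructed IPs
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


def parse_frame(frame: bytes) -> dict:
    """Return the priority-relevant fields; raise if the frame carries no 802.1Q tag."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame: no 802.1p field, CoS cannot be read")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    pcp, cfi, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
    info = {"cos": pcp, "cfi": cfi, "vid": vid, "ethertype": ethertype,
            "use": COS_USE[pcp], "queue": DEFAULT_COS_TO_QUEUE[pcp]}
    if ethertype == ETHERTYPE_IPV4:
        info["dscp"] = frame[19] >> 2                # ToS is the 2nd byte of the IP header
    return info


def strip_tag(frame: bytes) -> bytes:
    """What a router does on re-encapsulation: the tag (and the CoS) is gone, DSCP survives."""
    return frame[:12] + frame[16:]
```

parse_frame() on the output of strip_tag() raises, which is the "information is lost in IP routing" point made in the 802.1p cons below; the DSCP byte is still at the same offset inside the IP header.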
(Figure: unmarked packets enter the first switch, which classifies them by source IP address, marks them with DSCP 40 and limits their bandwidth; the next switch classifies them by DSCP=40 and applies its own bandwidth limit.)
Per-Hop-Behavior processing is only found on advanced Layer 3 routers or switches (such as x600, x900 and SBx908).
Summary

(Figure: the CoS value is carried in the Ethernet frame and the DSCP in the IP packet; each of the CoS values 0 to 7 is mapped to an egress queue 0 to 7.)
802.1p

Pros:

Standard Ethernet: understandable and usable by any manageable Ethernet switch.
Automatic use: little or no configuration required on switches.

Cons:

Located in the Ethernet header: the information is lost in IP routing (loss of the Ethernet encapsulation).
Extension of VLAN tagging: can only be used on tagged (trunk) links. In IP telephony, the link between the IP telephone and the switch must therefore be tagged for the Voice VLAN. This also excludes the use of VLAN 1 (the default, untagged) as the Voice VLAN.
x600 switches
The x600 offers simple priority management options (association between an 802.1p / DSCP priority value and a queue), but it can also:

measure the bandwidth consumed by a traffic class, and then decide which option to adopt,
mark traffic with an 802.1p or DSCP value,
etc.

The x900/x908 switches provide further options (not covered in this training), in particular advanced traffic smoothing using RED (Random Early Detection) curves.
x600

The x600 handles four QoS markers per packet. Two are carried in the packet itself: the 802.1p CoS value and the DSCP value. Two others are internal and travel with the packet inside the switch:

the egress queue value,
the bandwidth class, which records the traffic's conformance to a predefined bandwidth metering, using 3 colors: green, yellow, red.

All four are likely to change value at various stages of QoS processing.
x600

There are several successive stages in the full QoS processing of the x600/x900/SBx908 switches:

At the input to a port, a packet marked with a CoS priority is automatically associated with the corresponding queue. Otherwise a defined queue can be associated with the input port.
A classification phase is then used to select different parts of the incoming traffic, according to several criteria, for different processing.
A premarking phase is used for initially modifying the markers.
A policing phase is used to control the bandwidth consumed by the classified traffic.
A remarking phase is used for modifying the markers again, depending on the results of the policing. Alternatively, some of the traffic may be dropped.
The final values of the DSCP and 802.1p markers are written into the packet.
The packets are finally switched to the output port and the correct queues.
x600

(Figure: QoS pipeline. Ingress: tagged frames have their priority mapped to a queue, untagged frames go to the default queue; classification using ACLs; premarking; policing; remarking; limiting (dropping non-conformant traffic). Egress: the queues of the output port.)

In detail: Classification

The classification phase separates incoming flows according to a number of criteria. The more precise the classification, the more specific the flows targeted.

None of the 4 markers is modified at this point, since the classification simply determines the way the packet will be subsequently processed.
In detail: Premarking

On the x600 the premarking stage plays the same role as on the x900/x908, but with fewer options:

The queue cannot be modified at this stage.
The other markers may be modified with the premark-dscp map table, depending on the DSCP value marked in the incoming traffic.
In detail: Policing

The policing phase measures the bandwidth consumed by the incoming traffic and determines which traffic is and is not conforming to its configured bandwidth limits. The bandwidth class marker of the traffic is then updated:

Green: full conformity
Yellow: partial conformity
Red: non-conformity
In detail: Remarking

The options are basically the same on the x600 at this stage, although they are implemented differently:

Drop traffic whose bandwidth class is now red.
Read the new bandwidth class of the traffic and derive from it new values of the DSCP and bandwidth class, using the remark-map table.
Mark a new CoS value in the packet, and/or send the packet to a new queue. This action is performed independently of the traffic's bandwidth class.
In detail: Egressing

After a possible traffic-shaping phase (not covered in this training), the traffic is sent to the queues of the output ports, from where it is emptied:

either by the strict priority queuing (SPQ) mechanism,
or by the Weighted Round Robin mechanism, in which case the weight of each queue is configurable.
x600

Traffic classification mainly relies on access-lists (see the ACL chapter). These ACLs are associated with a class-map. A class-map can also match traffic properties that ACLs do not classify (e.g. CoS or DSCP values). One or more class-maps are then associated with a policy-map. Premarking and remarking actions are defined on the class-map once it is associated with the policy-map. Policers can also be associated with a class-map; they define the bandwidth properties to be measured during the policing phase. The policy-map is then associated with one or more ports, which activates QoS treatment on the traffic entering these ports.
x600

The simplest configuration, assuming the traffic has previously been marked with an 802.1p value, is to have the switch recognize it automatically. To do this, activate QoS (deactivated by default):

awplus(config)# mls qos enable

The no mls qos enable command deactivates QoS and deletes any existing QoS configuration (class-maps, policy-maps and policers), so use it with care.
x600

Default CoS-to-queue mapping:

CoS value | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7
Queue     | 2 | 0 | 1 | 3 | 4 | 5 | 6 | 7
x600

Create a class-map:

awplus(config)# class-map <name>

As many match criteria as needed can be specified (for instance match access-group <acl>, as in the example at the end of this chapter). If a class-map contains no match criterion, it covers all incoming traffic.
x600
There is a default class-map: it is implicit, and covers all traffic not covered by other class-maps associated with the policy-map. This default class-map can be configured just like any other class-map.
x600

Premarking is driven by the premark-dscp map table:

awplus(config)# mls qos map premark-dscp <0-63> to {[new-dscp <0-63>][new-cos <0-7>][new-bandwidth-class {green|yellow|red}]}

There is no need to create all 64 entries of the table if you aren't going to use them all. Then configure the class-map to use this table:

awplus(config-pmap-c)# trust dscp

The DSCP values of the incoming traffic then act as indices into the table, to determine the new values of these markers.
x600

Policer parameters:

CIR (Committed Information Rate): permitted bandwidth (in kbps).
CBS (Committed Burst Size): burst (in octets) that can be accepted above the CIR while the traffic stays green.
EBS (Excess Burst Size): additional burst (in octets) tolerated beyond the CBS before the traffic becomes red.

Action:

drop-red: drops all traffic whose bandwidth class is red after policing.
remark-transmit: the marker values are modified according to the remark-map table.
x600

The remark-transmit action is driven by the remark-map table, created with the following command:

awplus(config)# remark-map [bandwidth-class {green|yellow|red}] to {[new-dscp <0-63>][new-bandwidth-class {green|yellow|red}]}

Unlike the x900/x908, this table does not allow the CoS and queue markers to be modified. They can be modified on a class-map associated with a policy-map using the remark new-cos command:

awplus(config-pmap-c)# remark new-cos <0-7> [internal|external|both]

internal: only the queue value is changed, according to the CoS-to-queue mapping table.
external: the traffic is marked with the specified CoS value.
both: both actions take place simultaneously.
x600

After passing through the policer, the bandwidth class marker of the traffic concerned is set according to the following criteria:

Measured bandwidth below or slightly above the CIR, with the excess over the CIR below the CBS: Green
Measured bandwidth above the CIR, with the excess over the CIR above the CBS but below the EBS: Yellow
Measured bandwidth above the CIR, with the excess over the CIR above the EBS: Red
x600

QoS treatment is activated by associating the policy-map with the port(s) involved (input ports):

awplus(config)# interface <interface name>
awplus(config-if)# service-policy input <policy-map>

The traffic then simply has to be transmitted by the output port, by emptying its queues with SPQ or WRR:

awplus(config)# interface <interface name>
awplus(config-if)# priority-queue {1}[2][3][4][5][6][7][8]

awplus(config)# interface <interface name>
awplus(config-if)# wrr-queue weight <6-255> queues [0][1][2][3][4][5][6][7]
Bandwidth metering

Core configuration (UDP traffic from 10.0.0.20 entering port1.0.2 is limited to 25 Mbps; the excess, marked red, is dropped):

awplus(config)# mls qos enable
awplus(config)# access-list 3001 permit udp 10.0.0.20/32 any
awplus(config)# class-map garbage
awplus(config-cmap)# match access-group 3001
awplus(config-cmap)# exit
awplus(config)# policy-map pgarbage
awplus(config-pmap)# class garbage
awplus(config-pmap-c)# police single-rate 25000 512 1024 action drop-red
awplus(config-pmap-c)# exit
awplus(config-pmap)# exit
awplus(config)# interface port1.0.2
awplus(config-if)# service-policy input pgarbage
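An added example (not course material and not Allied Telesis code) of the meter behind police single-rate <cir> <cbs> <ebs>: a token-bucket single-rate three-colour marker in the colour-blind form of RFC 2697, which is the usual implementation of the policing stage and of the green/yellow/red criteria described above. It is run with the course's values 25000 512 1024; the packet train (eight 256-byte packets, seven of them arriving together) is constructed, and that the x600 policer follows RFC 2697 exactly is this example's assumption.

```python
# Added example, not from the course: single-rate three-colour marker (RFC 2697, colour-blind).
# CIR in kbit/s as on the CLI, CBS and EBS in octets, as in `police single-rate 25000 512 1024`.


class SingleRatePolicer:
    def __init__(self, cir_kbps: int, cbs: int, ebs: int):
        self.rate = cir_kbps * 1000 / 8          # bytes per second
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = cbs, ebs              # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        tokens = (now - self.last) * self.rate
        self.last = now
        # bucket C fills first; what does not fit in C spills into E
        fill_c = min(tokens, self.cbs - self.tc)
        self.tc += fill_c
        self.te = min(self.ebs, self.te + (tokens - fill_c))

    def colour(self, size: int, now: float) -> str:
        """Bandwidth class for a packet of `size` octets arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            return "green"
        if self.te >= size:
            self.te -= size
            return "yellow"
        return "red"


def police_burst(policer: SingleRatePolicer, packets, action: str = "drop-red"):
    """Run a train of (size, arrival_time) through the policer.

    Returns the colour of each packet and the packets leaving the stage:
    `drop-red` discards red traffic, `remark-transmit` forwards every colour
    so that the remark-map can act on the bandwidth class.
    """
    colours, forwarded = [], []
    for size, t in packets:
        c = policer.colour(size, t)
        colours.append(c)
        if action == "remark-transmit" or c != "red":
            forwarded.append((size, t, c))
    return colours, forwarded


# Constructed train: seven 256-byte packets at once, then one 1 ms later.
SAMPLE_TRAIN = [(256, 0.0)] * 7 + [(256, 0.001)]
```

With CBS 512 the first two packets of the burst are green, the next four consume the 1024-octet EBS and are yellow, the seventh is red and dropped; 1 ms later 25 Mbps has refilled both buckets and the last packet is green again. A CBS smaller than the largest frame on the link would never yield green for that frame, which is worth checking before copying the course's 512.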
Troubleshooting Introduction

Overview: think in layers.

A problem originating in Layer 2 will also be seen at Layer 3, but cannot be corrected there.
Logging

Concepts (1)

Console: the default log output is the console port. Default setting: critical level.
Buffered: a rotating buffer of up to 50 kB in RAM. Default setting: notice level. Deleted after a reboot.
Permanent: the log is written to NVS storage (if available) and is kept after a reboot. Default setting: warning level.
Logging

Concepts (2)

Host: sends logs to a remote syslog server. No default filter. No data kept on the device.
Email: sends SMTP email to a remote SMTP server. No default filter. No data kept on the device.
Logging Configuration

awplus# sho log config
Buffered log:
  Status ......... enabled
  Maximum size ... 50kb
  Filters:
   *1 Level ...... notices
      Program .... any
      Facility ... any
      Msg text ... any
  Statistics ..... 6 messages received, 2 accepted by filter (2008 Jul 29 10:14:44)
  .. More text follows
Logging Configuration

Logging levels: the minimum severity of message to send to the log. The level can be given as a number or as a name, where 0 is the highest severity and 7 the lowest:

0 emergencies   System is unusable
1 alerts        Action must be taken immediately
2 critical      Critical conditions
3 errors        Error conditions
4 warnings      Warning conditions
5 notices       Normal, but significant, conditions
6 informational Informational messages
7 debugging     Debug-level messages
Logging Configuration

Displaying logging entries in the buffered log:

awplus# sho log
<date> <time> <facility>.<severity> <program[<pid>]>: <message>
-----------------------------------------------------------------------
2008 Jul 29 09:41:20 user.notice (none) kernel: klogd started: BusyBox v1.2.2 (2008.03.11-00:47+0000)
2008 Jul 29 09:41:20 user.notice (none) kernel: Linux version 2.6.19-at5 (maker@awpmaker04-dl) (gcc version 4.1.1) #1 Tue Mar 11 13:22:15 NZDT 2008
2008 Jul 29 09:41:20 user.notice (none) kernel: Kernel command line: console=ttyS0,9600 releasefile=r1-5.2.1-0.4.rel ramdisk=10584 bootversion=1.0.9-rc2 loglevel=1 extraflash=00000000
Logging Configuration

Displaying the contents of the permanent log:

awplus# sho log permanent
<date> <time> <facility>.<severity> <program[<pid>]>: <message>
-----------------------------------------------------------------------
2008 Jul 6 15:07:56 user.err awplus NSM[1472]: [IGMP-ENCODE] : sendto() failed on port1.0.3: Network is down(100)
2008 Jul 6 15:07:56 user.err awplus NSM[1472]: [IGMP-ENCODE] : sendto() failed on port1.0.4: Network is down(100)
2008 Jul 6 15:07:56 user.err awplus NSM[1472]: [IGMP-ENCODE] : sendto() failed on port1.0.5: Network is down(100)
More data follows
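An added example (not course material and not Allied Telesis code): a parser for the `<date> <time> <facility>.<severity> <program[<pid>]>: <message>` lines shown above and a filter that keeps messages at or above a chosen level, which is what a log filter level does. The sample lines are copied from the displays in this chapter; the mapping of syslog short names (err, info, ...) to the 0-7 levels is the standard syslog one.

```python
# Added example, not from the course: parsing `show log` lines and applying a level filter.
import re

# CLI level names (see the logging levels table above) -> numeric severity
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notices": 5, "informational": 6, "debugging": 7}
# syslog short names as printed in the facility.severity column
SHORT = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "warn": 4,
         "notice": 5, "info": 6, "debug": 7}

LINE_RE = re.compile(
    r"^(?P<date>\d{4} \w{3} +\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) (?P<host>\S+) "
    r"(?P<program>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Lines copied from the displays in this chapter.
SAMPLE_LOG = """\
2008 Jul 29 09:41:20 user.notice (none) kernel: klogd started: BusyBox v1.2.2 (2008.03.11-00:47+0000)
2008 Jul 6 15:07:56 user.err awplus NSM[1472]: [IGMP-ENCODE] : sendto() failed on port1.0.3: Network is down(100)
2008 Aug 6 09:14:33 user.info awplus RIP[1555]: SEND[vlan1]: Send to 224.0.0.9:520
2008 Aug 6 09:14:34 user.info awplus RIP[1555]: UPDATE: Triggered update!
"""


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    d = m.groupdict()
    d["level"] = SHORT[d["severity"]]
    d["pid"] = int(d["pid"]) if d["pid"] else None
    return d


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def level_value(level) -> int:
    """Accept either the number (0-7) or the level name used on the CLI."""
    return int(level) if str(level).isdigit() else SEVERITY[level]


def select(entries, level="warnings", program=None, facility=None):
    """Keep entries at or above `level` (numerically <=), optionally for one program/facility."""
    threshold = level_value(level)
    return [e for e in entries
            if e["level"] <= threshold
            and (program is None or e["program"] == program)
            and (facility is None or e["facility"] == facility)]
```

select(entries, "warnings") is the permanent log's default view (only the NSM error survives); select(entries, 7, program="RIP") is what you read after `log buff level 7` plus `debug rip all`.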
Logging Configuration

Host logging setup: sends log entries to a remote syslog server. Be aware of what plain syslog over UDP offers:

No authentication
No encryption
No delivery guarantee
No local copy kept by the host filter
No error when the remote server rejects the datagram
Logging Configuration

Email logging setup. Important: messages are not retained on the switch. An SMTP server must also be set up: it must accept incoming unencrypted, unauthenticated SMTP from the switch's IP address, so restrict that relay permission to that address alone.

awplus(config)# mail smtpserver 192.168.30.12
awplus(config)# mail from training@abc.de
Debugging Configuration

Debugging concept: debugging can be enabled in many modules. The output is sent to the logging system at the debug level.

awplus(config)# debug rip all
awplus# sho debug rip
RIP debugging status:
  RIP event debugging is on
  RIP packet detail debugging is on
  RIP NSM debugging is on
Debugging Configuration

Display RIP debug (the buffered log must first accept level 7 messages):

awplus(config)# log buff level 7
awplus(config)# exit
awplus# sho log tail
<date> <time> <facility>.<severity> <program[<pid>]>: <message>
------------------------------------------------------------------------
2008 Aug 6 09:14:33 user.info awplus RIP[1555]: SEND[vlan1]: Send to 224.0.0.9:520
2008 Aug 6 09:14:34 user.info awplus RIP[1555]: UPDATE: Triggered update!
2008 Aug 6 09:14:34 user.info awplus RIP[1555]: UPDATE[eth0]: Update RIPv2 routes to 224.0.0.9:520
2008 Aug 6 09:14:34 user.info awplus RIP[1555]: SEND[eth0]: Send to 224.0.0.9:520
2008 Aug 6 09:14:34 user.info awplus RIP[1555]: SEND[eth0]: RESPONSE version 2 packet size 24
SNMP Introduction

Elements

(Figure: the Manager (Network Management System) sends GET / SET / GET-NEXT requests to the Agent on the device; the Agent answers with RESPONSE messages and sends unsolicited TRAPs.)
SNMP Introduction

SNMP versions

SNMP V1 and SNMP V2c (typically referred to as SNMP V2):
Use UDP: transfer not guaranteed.
Minimal security: the community string (the password) is sent in clear text.
Management data described in MIBs (Management Information Base); the language used is ASN.1.
V2c adds functions for improved efficiency (GET-BULK).
Simple to use.

SNMP V3:
Uses UDP: transfer not guaranteed.
Strong authentication possible.
Strong encryption possible.
More complex to use.
SNMP Introduction

Concepts: SNMP GET and SET transfers

The request includes the MIB address (and, for SET, the new value) and a community string in clear text. The agent checks: is the MIB object known? Is the community known? Does this community allow this access (read or write)? If access is allowed, it responds with a UDP packet.

SNMP TRAP

The agent is set up via management commands. On an unsolicited event, the agent sends a UDP TRAP carrying the MIB value and the community string.
SNMP Configuration

SNMP V1/V2c commands:

awplus# sho snmp
SNMP enable ........ No
SNMPv3 engine ID (configured) ....... Not set
SNMPv3 engine ID (actual)............ Not set
awplus(config)# snmp-server community private rw
awplus(config)# snmp-server community public ro
awplus(config)# exit
awplus# sho snmp
SNMP enable ........ Yes
SNMPv3 engine ID (configured) ....... Not set
SNMPv3 engine ID (actual)............ 0x80001f88807095fd04489958cd

Defining a community enables the agent. The strings public and private used here are the well-known defaults that every scanner tries first: in production use strings that cannot be guessed, avoid rw communities where read-only suffices, and prefer SNMP V3 where the NMS supports it.
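An added example (not course material and not Allied Telesis code) showing what "community string in clear text" means on the wire: a minimal BER encoder and decoder for the SNMPv1/v2c message wrapper of RFC 1157, Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }. It builds a GetRequest for sysName.0 with the community public configured above, then recovers the community from the raw datagram with no key at all, which is exactly what a sniffer on the path does. The OID and request id are constructed.

```python
# Added example, not from the course: SNMPv1/v2c wrapper in BER, and why the community is readable.


def tlv(tag: int, value: bytes) -> bytes:
    """BER TLV with definite length (short form, or 2-byte long form for SNMP-sized messages)."""
    n = len(value)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes((v.bit_length() // 8) + 1, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        enc = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            enc.insert(0, (a & 0x7F) | 0x80)
        out.extend(enc)
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, version: int = 0, request_id: int = 1) -> bytes:
    """version 0 = SNMPv1, 1 = SNMPv2c; 0xA0 is the context tag of GetRequest-PDU."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def sniff_community(datagram: bytes) -> dict:
    """Recover version and community from any SNMPv1/v2c datagram, no key required."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)
    tag2, comm, pos = _read_tlv(msg, pos)
    if (tag, tag2) != (0x02, 0x04):
        raise ValueError("unexpected message layout")
    version = int.from_bytes(ver, "big", signed=True)
    if version not in (0, 1):
        raise ValueError(f"version {version}: SNMPv3 carries no plain community")
    return {"version": {0: "v1", 1: "v2c"}[version], "community": comm.decode()}
```

The same decoder works on a captured UDP/161 payload from a real NMS; since the rw community grants SET access, one captured datagram is enough to reconfigure the switch, which is the practical reason for the V3 recommendation above.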
SNMP Configuration

Additional support information: extra information the NMS can use to identify switches.

awplus(config)# snmp-server contact Fred Bloggs
awplus(config)# snmp-server location Munich
General Troubleshooting

General useful information: show cpu displays the CPU load now and over various periods. It can indicate that the CPU is overloaded with additional functions not running in the switch engine.

awplus# show cpu
CPU averages:
  1 second: 4%, 20 seconds: 0%, 60 seconds: 0%
System load averages:
  1 minute: 0.00, 5 minutes: 0.00, 15 minutes: 0.00
Current CPU load:
  userspace: 2%, kernel: 1%, interrupts: 0% iowaits: 0%
user processes
==============
pid   name        hrds  pri  sleep%
1282  hostd       1     20   0
962   automount   1     20   0
1109  exfx        19    20   0
1     init        1     20   0
..
General Troubleshooting

Interface counters: the counters at the end of the printout display the standard Ethernet receive and send statistics and reflect the quality of the cabling, etc.

awplus# show inter eth0
Interface eth0
  Scope: both
  Link is UP, administrative state is UP
  Hardware is Ethernet, address is 0000.cd24.fafe
  IPv4 address 192.168.30.252/24 broadcast 192.168.30.255
  index 1 metric 1 mtu 1500
  current duplex full, current speed 100, polarity auto
  configured duplex auto, configured speed auto
  <UP,BROADCAST,RUNNING,MULTICAST>
  VRF Binding: Not bound
  Bandwidth 1g
    input packets 1828, bytes 139448, dropped 0, multicast packets 0
    output packets 755, bytes 61336, multicast packets 0 broadcast packets 0
awplus#
General Troubleshooting

System and platform information. Very useful general fault-finding command: show tech-support. This command saves useful information (general system counts, status of the complete platform) to tech-support.txt.gz. Retrieve this file and send it to the technical support team, whatever the problem might be.
System Start-up

Start-up sequence: additional specific information accompanies an INFO or ERROR message. In the output below the bootloader cannot find a valid release file and restarts:

Bootloader 1.0.8 loaded
Press <Ctrl+B> for the Boot Menu
Reading filesystem...
Error: Release filename is invalid (should be <release>.rel)
Error: There is no backup release file set
Error: Boot failed. Please recover the system using the Boot Menu
Restarting...
Bootloader 1.0.8 loaded
Press <Ctrl+B> for the Boot Menu
Company Details
Americas Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895 Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830 EMEA Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11
alliedtelesis.com
2011 Allied Telesis, Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.