hiD 6610 S311 R1.0 User Manual
Contents
1. Fig. 8.5 In Case External Packets Enter under Layer 2 environment (1). (From User Manual UMN CLI, SURPASS hiD 6610 S311 R1.0, A50010 Y3 B100 2 7619.) To transmit the untagged packet from uplink port to subscriber, a new VLAN should be created including all subscriber ports and uplink ports. This makes the uplink ports recognize all other ports. FID helps this packet forwarding. FDB is the MAC address table that is recorded in the CPU. The FDB table is made of FID (FDB Identification). Because the same FID is managed in the same MAC table, it can recognize how to process packet forwarding. If the FID is not the same, the system cannot know the information from the MAC table and floods the packets.
   SWITCH(bridge)# show vlan
   [output: u = untagged port, t = tagged port; rows for VLANs default, br2, br3, br4, br5 and br6; port columns illegible]
   SWITCH(bridge)#
   Fig. 8.6 In Case External Packets Enter under Layer 2 environment (2). In conclusion, to use the hiD 6610 S311 as a Layer 2 switch, the user should add the uplink port to all VLANs and create new VLAN
2. Table of contents excerpt: Port Based VLAN; Creating VLAN; Specifying PVID; Assigning Port to VLAN; Deleting VLAN; Displaying VLAN; Protocol Based VLAN; Tagged VLAN; VLAN Description; Displaying VLAN Information; [illegible]; Double Tagging Operation; Double Tagging Configuration; [illegible]; Layer 2 Isolation; [illegible]; Shared VLAN; VLAN Translation; Sample Configuration; [illegible]; [illegible]; Configuring Port Trunk; Disabling Port Trunk; Displaying Port Trunk Configuration; Link Aggregation Control P
3. Fig. 9.7 In Case Multicast Source not Directly Connected to Multicast Group (figure labels: Encapsulates the packet in Register message and unicasts; Decapsulates capsule of Register message and transmits it). When the Register message is transmitted, the range of checksum in the header conforms to the header part as RFC standard, but the whole packet is included in the range of checksum in case of a Cisco router. For compatibility with a Cisco router, you should configure the range of checksum of the Register message as whole packet. To configure the range of checksum of the Register message as whole packet for compatibility with a Cisco router, use the following command.
   whole packet checksum (mode: PIM): Configures Join Prune timer value. 1-65535: interval (unit: second).
   no whole packet checksum: Disables TX interval configuration.
   This command is disabled by default, and the Register checksum is calculated only over the header by default.
   Interval of Cache check: RP receives packets from the multicast source and transmits them to the receiver. However, if there is no packet received from the source for a certain period, it is not necessary to keep the multicast item. Therefore, RP checks whether a packet is received from the source at regular intervals, and this function is named Cache check. In order to configure the interval of Cache check use the foll
4. [Garbled list of clear ip bgp options: unicast, multicast and vpnv4 unicast, each with in, in prefix filter, out, soft, soft in and soft out.] It is not possible to input "clear ip bgp ipv4 unicast in". You should input like "clear ip bgp ipv4 unicast multicast in". The commands starting with the same character are applied by inputting only the starting commands. For example, if you input show, all the commands starting with show are applied. To delete a configured security level, use the following command.
   no privilege: Deletes all configured security levels.
   no privilege bgp level <0-15> {COMMAND | all}
   no privilege bridge level <0-15> {COMMAND | all}
   no privilege configure level <0-15> {COMMAND | all}
   no privilege dhcp option82 level <0-15> {COMMAND | all}
   no privilege dhcp pool level <0-15> {COMMAND | all}
   no privilege enable level <0-15> {COMMAND | all}
   no privilege interface level <0-15> {COMMAND | all}
   no privilege ospf level <0-15> {COMMAND | all}
   no privilege pim level <0-15> {COMMAND | all}
   Description for the per-mode commands: Delete a configured security level on each mode.
   no privilege rip level <0-15> COMMAN
5. Table of contents excerpt: Creating Default Route; Routing Information Filtering; [illegible]; [illegible]; Managing Authentication key; Monitoring and Managing RIP; [illegible]. Illustrations: Fig. 2.1 Network Structure with hiD 6610 S311; Fig. 3.1 [illegible]; Fig. 4.1 Process of 802.1x Authentication; Fig. 4.2 Multiple Authentication Servers; Fig. 5.1 hiD 6610 S311 [illegible]; Fig. 5.2 [illegible]; Fig. 6.1 Ping Test for Network Status; Fig. 6.2 IP Source Routing; Fig. 7.1 Weighted Round Robin; Fig. 7.2 Weighted Fair Queuing; Fig. 7.3 [illegible]; Fig. 7.4 NetBIOS [illegible]; Fig. 8.1 Port based VLAN; Fig. 8.2 Example of QinQ Configuration; Fig. 8.3 [illegible]; Fig. 8.4 In Case Packets Going Outside in Layer 2 environment; Fig. 8.5 In Case External Packets Enter under Layer 2 environment (1); Fig. 8.6 In Case External Packets Enter
6. Sample Configuration: The following is an example of configuration to accept Jumbo frame under 2200 bytes in port 1-10.
   SWITCH# configure terminal
   SWITCH(config)# bridge
   SWITCH(bridge)# jumbo frame 1-10 2200
   SWITCH(bridge)# show jumbo frame
   Name     Current  Default
   port01   2200     1518
   port02   2200     1518
   port03   2200     1518
   port04   2200     1518
   port05   2200     1518
   port06   2200     1518
   port07   2200     1518
   port08   2200     1518
   port09   2200     1518
   port10   2200     1518
   port11   1518     1518
   port12   1518     1518
   port13   1518     1518
   port14   1518     1518
   port15   1518     1518
   port16   1518     1518
   port17   1518     1518
   (Skipped)
   SWITCH(bridge)#
   8.13 Maximum Transmission Unit (MTU): Maximum value for the length of the data payload can be transmitted. User can control Maximum Transmission Unit (MTU) with below command.
   mtu <64-17940> (mode: Interface): Configures maximum MTU size.
   [command illegible]: Returns to the default MTU size.
   The following is an example of configuration to mtu size as 100.
   SWITCH(config-if)# mtu 100
   SWITCH(config-if)# show running config interface 1
   !
   interface default
   mtu 100
   bandwidth 1m
   ip address 10.27.41.181/24
   SWITCH(config-if)#
   9 IP Multicast: Traditional IP network provided unicast transmission a host to send p
7. OAM remote commands (mode: Bridge). Description: Shows the information of peer host using OAM func
   oam remote alarm optical <1-3> <0-65535> PORTS
   oam remote alarm temperature <0-255> PORTS
   oam remote alarm voltage {min | max} <0-65535> PORTS
   oam remote electrical mode {full | half} PORTS
   oam remote general autonego <1-4> {enable | disable} PORTS
   oam remote general forwarding <3-4> {enable | disable} PORTS
   oam remote general speed <1-4> <0-4294967295> PORTS
   oam remote general user <1-4> STRING PORTS
   oam remote system interface {unforced | forceA | forceB} PORTS
   oam remote system interval <0-255> PORTS
   oam remote system mode {master | slave} PORTS
   oam remote system reset PORTS
   7.2.5 Displaying OAM Configuration: To display OAM configuration, use the following command.
   show oam remote variable <0-255> <0-255> PORTS (mode: Global/Bridge): Shows remote OAM variable.
   show oam remote variable specific <0-255> <0-255> <0-4> PORTS: Shows remote OAM specific variable.
   The following is to configure to enable OAM loopback function through 25 port of the switch and operate once.
   SWITCH(bridge)# oam local admin enable 25
   SWITCH(bridge)# oam remote loopback enable 25
   SWITCH(bridge)# show oam local 25
   LOCAL PORT 25 mux action par action variable link e
8. no bandwidth BANDWIDTH (mode: Interface): Deletes configured bandwidth of interface, enter the value. The following is an example of configuration to bandwidth as 1000.
   SWITCH(config-if)# bandwidth 1000
   SWITCH(config-if)# show running config interface 1
   !
   interface default
   bandwidth 1m
   ip address 10.27.41.181/24
   !
   SWITCH(config-if)#
   8.8 Dynamic Host Configuration Protocol (DHCP): Dynamic host configuration protocol (DHCP) is a TCP/IP standard for simplifying the administrative management of IP address configuration by automating address configuration for network clients. The DHCP standard provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details to DHCP enabled clients on the network. Every device on a TCP/IP network must have a unique IP address in order to access the network and its resources. The IP address, together with its related subnet mask, identifies both the host computer and the subnet to which it is attached. When you move a computer to a different subnet, the IP address must be changed. DHCP allows you to dynamically assign an IP address to a client from a DHCP server IP address database on the local network. The DHCP provides the following benefits:
   • Saving Cost: Numerous users can access the IP network with a small a
9. IGMP filtering controls only group specific query and membership reports, including join and leave reports. It does not control general IGMP queries. IGMP filtering has no relationship with the function that directs the forwarding of IP multicast traffic.
   Creating IGMP Profile: You can create or modify the IGMP profile to be used for filtering IGMP join requests from a port. The system prompt will be changed to "SWITCH config igmp profile 1" from "SWITCH config". To create/delete IGMP profile, use the following command.
   ip igmp profile <1-4294967295> (mode: Global): Creates IGMP profile. 1-4294967295: profile number.
   no ip igmp profile <1-4294967295>: Deletes IGMP profile.
   To display the IGMP profile, use the following command.
   show ip igmp profile <1-4294967295> (mode: Enable/Global): Shows IGMP profile.
   Group Range of IGMP Profile: Configure the group range of IGMP Profile using the following command.
   range A.B.C.D1 A.B.C.D2 (mode: IGMP Profile): Configures a group range of IGMP profile. A.B.C.D1: Start IP multicast address. A.B.C.D2: End IP multicast address.
   no range A.B.C.D1 A.B.C.D2: Deletes a configured group range.
   IGMP Profile Policy: Configure the action to permit/deny access to the IP multicast addresses using the following command. IGMP Con
10. "% Invalid port port" will be displayed, and if you input wrong number, the message "% Invalid range 100 1-42" will be displayed.
   SWITCH(bridge)# show port port
   % Invalid port port
   SWITCH(bridge)# show port 100
   % Invalid range 100 1-42
   SWITCH(bridge)#
   Ethernet Port Configuration. Enabling Ethernet Port: To enable/disable a port, use the following command.
   port {enable | disable} PORTS (mode: Bridge): [illegible] a port, enter a port number. Default: enable.
   The following is an example of disabling the Ethernet port 1 to 3.
   SWITCH(config)# bridge
   SWITCH(bridge)# show port 1-5
   NO  TYPE      PVID  STATUS (ADMIN/OPER)  MODE         FLOWCTRL  INSTALLED
   1   Ethernet  1     Up/Down              Auto/Half/0  Off       N
   2   Ethernet  1     Up/Down              Auto/Half/0  Off       N
   3   Ethernet  1     Up/Down              Auto/Half/0  Off       N
   4   Ethernet  1     Up/Down              Auto/Half/0  Off       N
   5   Ethernet  1     Up/Down              Auto/Half/0  Off       N
   SWITCH(bridge)# port disable 1-3
   SWITCH(bridge)# show port 1-5
   NO  TYPE      PVID  STATUS (ADMIN/OPER)  MODE         FLOWCTRL  INSTALLED
   1   Ethernet  1     Down/Down            Auto/Half/0  Off       N
   2   Ethernet  1     Down/Down            Auto/Half/0  Off       N
   3   Ethernet  1     Down/Down            Auto/Half/0  Off       N
   4   Ethernet  1     Up/Down              Auto/Half/0  Off       N
   5   Ethernet  1     Up/Down              Auto/Half/0  Off       N
   SWITCH(bridge)#
   Auto negotiation: Auto negotiation is a mechanism that takes control of the cable whe
11. STP Guard Alarm Severity: To configure a severity of alarm for STP guard status, use the following command.
   snmp alarm severity stp bpdu guard {critical | major | minor | warning | intermediate} (mode: Global): Sends alarm notification with the severity when there is stp bpdu guard problem.
   snmp alarm severity stp root guard {critical | major | minor | warning | intermediate} (mode: Global): Sends alarm notification with the severity when there is stp root guard problem.
   To delete a configured severity of alarm for STP guard status, use the following command.
   no snmp alarm severity stp bpdu guard (mode: Global): Deletes a configured severity of alarm for STP guard status.
   no snmp alarm severity stp root guard (mode: Global): Deletes a configured severity of alarm for STP guard status.
   Displaying SNMP Configuration: To display all configurations of SNMP, use the following command.
   [command illegible] (mode: Enable/Global): Shows all configurations of SNMP.
   To display a configured severity of alarm, use the following commands.
   show snmp alarm severity (mode: Enable/Global): Shows a configured severity of alarm.
   To delete a recorded alarm in the system, use the following command.
   snmp clear alarm history (mode: Enable/Global): Deletes a recorded alarm in the system.
   The following is an example of showing the transmitted alarm and delete the records.
   SWITCH config s
12. If a specific domain name is registered instead of IP address, user can do telnet, FTP, TFTP and ping command to the hosts on the domain with domain name. To configure DNS domain name, use the following command.
   dns search DOMAIN (mode: Global): Searches a domain name.
   It is possible to delete DNS server and domain name at the same time with the below command.
   [command illegible] (mode: Global): Deletes DNS server and domain name.
   6.1.9 Fan Operation: In hiD 6610 S311, it is possible to control fan operation. To control fan operation, use the following command.
   fan operation {on | off} (mode: Global): Configures fan operation.
   It is possible to configure to start and stop fan operation according to the system temperature. To configure this, refer the Section 6.1.11.3. To display fan status and the temperature for fan operation, use the following command.
   show status fan (mode: Enable/Global): Shows the fan status and the temperature for the fan operation.
   6.1.10 Disabling Daemon Operation: You can disable the daemon operation unnecessarily occupying CPU. To disable certain daemon operation, use the following command.
   halt PID: Disables the daemon operation.
   You can display PID of daemon with the show process command.
   SWITCH# show process
   USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
   a
13. route IP-ADDRESS/M: Creates static route available only for RIP.
   Transmitting Routing Information: The hiD 6610 S311 can redistribute routing information from a source route entry into the RIP tables. For example, you can instruct the router to re-advertise connected, kernel, or static routes as well as routing protocol derived routes. This capability applies to all the IP based routing protocols. To redistribute routing information from a source route entry into the RIP table, use the following command.
   redistribute {kernel | connected | static | ospf | bgp | isis} (mode: Router): Registers transmitted routing information in another router's RIP table.
   You may also conditionally control the redistribution of routes between the two domains using route map command. To define a route map for redistribution, use the following command.
   route map WORD {deny | permit} <1-65535>: Creates route map. 1-65535: sequence number.
   no route map WORD {deny | permit} <1-65535>: Deletes route map. 1-65535: sequence number.
   One or more match and set commands typically follow route map command. If there are no match commands, then everything matches. If there are no set commands, nothing is done. Therefore, you need at least one match or set command. To define conditions for redistributing routes from a source ro
14. 6 System Environment. 6.1 Environment Configuration: You can configure a system environment of the hiD 6610 S311 with the following items:
   • Host Name
   • Time and Date
   • Time Zone
   • Network Time Protocol
   • Simple Network Time Protocol (SNTP)
   • Terminal Configuration
   • Login Banner
   • DNS Server
   • Fan Operation
   • Disabling Daemon Operation
   • System Threshold
   6.1.1 Host Name: Host name displayed on prompt is necessary to distinguish each device connected to network. To set a new host name, use the following command.
   hostname NAME (mode: Global): Creates a host name of the switch, enter the name.
   no hostname NAME (mode: Global): Deletes a configured host name, enter the name.
   To see a new host name, use the following command.
   show running config hostname (mode: Global): Shows the host name.
   6.1.2 Time and Date: To set system time and date, use the following command.
   clock DATETIME (mode: Enable/Global): Sets system time and date.
   The following is an example of setting system time and date as 10:20pm July 4th 2005.
   SWITCH# clock 06 Mar 2006 10:20
   Mon 6 Mar 2006 10:20:00 GMT 0000
   SWITCH#
   6.1.3 Time Zone: The hiD 6610 S311 provides three kinds of time zone: GMT, UCT and UTC. The time zone of the switch is predefined as GMT (Greenwich Mean Time). Als
15. The key is authentication information between the authenticator and RADIUS server. The authenticator and RADIUS server must have a same key value, and you can use alphabetic characters and numbers for the key value. The space or special character is not allowed. You can configure the priority for the radius server that have configured by user.
   dot1x radius server move {IP-ADDRESS | NAME} priority PRIORITY (mode: Global): Configures the priority of radius server. IP-ADDRESS: IP address of radius server. NAME: host name.
   Configuring Authentication Mode: You can change the authentication mode from the port based to the MAC based. To change the authentication mode, use the following command.
   dot1x auth mode mac base PORTS (mode: Global): Sets the authentication mode to the MAC based.
   no dot1x auth mode mac base PORTS (mode: Global): Restores the authentication mode to the port based.
   Before setting the authentication mode to the MAC based, you need to set a MAC filtering policy to deny them for all the Ethernet ports. To configure a MAC filtering policy, see Section 7.12.1.
   Authentication Port: After configuring 802.1x authentication mode, you should select the authentication port.
   dot1x nas port PORTS: Designates 802.1x authentication por
16. To configure alarm severity criteria in CLI, use the following command.
   snmp alarm severity criteria {critical | major | minor | warning | intermediate} (mode: Global): Configures the severity criterion (default: warning).
   The order of alarm severity is critical > major > minor > warning > intermediate. The alarm severity option is valid only in ACI-E.
   Generic Alarm Severity: To configure generic alarm severity, use the following command.
   snmp alarm severity fan fail {critical | major | minor | warning | intermediate}
   snmp alarm severity cold start {critical | major | minor | warning | intermediate}
   snmp alarm severity broadcast over {critical | major | minor | warning | intermediate}
   snmp alarm severity cpu load over {critical | major | minor | warning | intermediate}
   snmp alarm severity dhcp lease {critical | major | minor | warning | intermediate}
   snmp alarm severity dhcp illegal {critical | major | minor | warning | intermediate}
   snmp alarm severity fan remove {critical | major | minor | warning | intermediate}
   snmp alarm severity ipconflict {critical | major | minor | warning | intermediate}
   snmp alarm severity memory over {critical | major | minor | warning | intermediate}
   snmp alarm severity mfgd block {critical | major | minor | warning | intermediate}
   snmp alarm severity port link down critical major m
17. To set configuration ID, use the following command.
   stp mst config id name NAME: Designate the name for the region. name: set the MST region name. NAME: enter name to give the MST region.
   stp mst config id map <1-64> VLAN-RANGE: Configure the range of VLAN that is going to be grouping as a region. 1-64: select an instance ID number. VLAN-RANGE: enter a number of the VLANs to be mapped to the specified instance.
   stp mst config id revision <0-65535>: Configure the switches in the same MST boundary as same number. 0-65535: set the MST configuration revision number.
   In case of configuring STP and RSTP, you don't need to configure configuration ID. If it is configured, error message is displayed. To delete configuration ID, use the following command (mode: Bridge).
   no stp mst config id: Delete the entire configured configuration ID.
   no stp mst config id name: Deletes the name of region, enter the MST region name.
   no stp mst config id map <1-64> VLAN-RANGE: Deletes entire VLAN map or part of it, select the instance ID number and the number of the VLANs to remove from the specified instance.
   no stp mst config id revision: Deletes the configured revision number.
   After configuring configuration ID in the hiD 6610 S311, you should apply the configuration to the switch. After changing or deleting the configuration, you must apply it to th
18. alarm report. Otherwise ACI-E would not recognize any traps set from the hiD 6610 S311.
   7.1.8.3 Enabling SNMP Trap: The system provides various kinds of SNMP trap, but it may work inefficiently if all these trap messages are sent very frequently. Therefore, you can select each SNMP trap sent to an SNMP trap host. The system is configured to send all the SNMP traps as default.
   • authentication failure is shown to inform that a user trying to access SNMP has input a wrong community.
   • cold start is shown when the SNMP agent is turned off and restarts again.
   • link up/down is shown when the network of a port specified by the user is disconnected, or when the network is connected again.
   • memory threshold is shown when memory usage exceeds the threshold specified by the user. Also, when memory usage falls below the threshold, a trap message will be shown to notify it.
   • cpu threshold is shown when CPU utilization exceeds the threshold specified by the user. Also, when CPU load falls below the threshold, a trap message will be shown to notify it.
   • port threshold is shown when the port traffic exceeds the threshold configured by the user. Also, when port traffic falls below the threshold, a trap message will be shown.
   • temperature threshold is shown when the system temperature exceeds the threshold configured by the user. Also when system temperatur
19. To configure the first alarm to occur when object is firstly more than threshold or less than threshold, use the following command.
   startup type rising and falling (mode: RMON): Configures the first Alarm to occur when object is firstly more than threshold or less than threshold.
   Interval of Sample Inquiry: The interval of sample inquiry means time interval to compare selected sample data with upper bound of threshold or lower bound of threshold in terms of seconds. To configure interval of sample inquiry for RMON alarm, use the following command.
   sample interval <0-65535> (mode: RMON): Configures interval of sample inquiry (unit: second).
   Activating RMON Alarm: After finishing all configurations, you need to activate RMON alarm. To activate RMON alarm, use the following command.
   [command illegible]
   Deleting Configuration of RMON Alarm: When you need to change a configuration of RMON alarm, you should delete an existing RMON alarm. To delete RMON alarm, use the following command.
   no rmon alarm <1-65535> (mode: Global): Deletes RMON history of specified number, enter the value for deleting.
   Displaying RMON Alarm: To display RMON alarm, use the following command.
   show running config rmon alarm (mode: All): Shows a configured RMON alarm.
20. 7.4.3 RMON Event: RMON event identifies all operations such as RMON alarm in the switch. You can configure event or trap message to be sent to SNMP management server when sending RMON alarm. You need to open RMON Event Configuration mode to configure RMON event.
   rmon event <1-65535> (mode: Global): Opens RMON Event Configuration mode. 1-65535: index number.
   7.4.3.1 Event Community: When RMON event is happened, you need to input community to transmit SNMP trap message to host. Community means a password to give message transmission right. To configure community for trap message transmission, use the following command.
   community NAME: Configures password for trap message transmission right. NAME: community name.
   7.4.3.2 Event Description: It is possible to describe event briefly when event is happened. However, the description will not be automatically made. Thus, administrator should make the description. To make a description about event, use the following command.
   description DESCRIPTION (mode: RMON): Describes the event.
   7.4.3.3 Subject of RMON Event: You need to configure event and identify subject using various data from event. To identify subject of RMON event, use the following command.
   owner NAME (mode: RMON): Identifies subject of event. You can use maximum 126 characters, and this subject should be same with the subject of RMON alarm.
   7.4.3.4 Event Type: Whe
21. Command syntax (mode: Admin rule), as far as it is legible:
   [...] {A.B.C.D/M | any} icmp {<0-255> | any} {<0-255> | any}
   ip {A.B.C.D | A.B.C.D/M | any} {A.B.C.D | A.B.C.D/M | any} {tcp | udp}
   ip {A.B.C.D | A.B.C.D/M | any} {A.B.C.D | A.B.C.D/M | any} {tcp | udp} {<1-65535> | any} {<1-65535> | any}
   ip {A.B.C.D | A.B.C.D/M | any} {A.B.C.D | A.B.C.D/M | any} tcp {<0-65535> | any} {<0-65535> | any} {TCP FLAG | any}
   Descriptions:
   Classifies an IP address. A.B.C.D: source/destination IP address. A.B.C.D/M: source/destination IP address with mask. any: any source/destination IP address. 0-255: IP protocol number.
   Classifies an IP protocol (ICMP). A.B.C.D: source/destination IP address. A.B.C.D/M: source/destination IP address with mask. any: any source/destination IP address. icmp: ICMP.
   Classifies an IP protocol (ICMP). A.B.C.D: source/destination IP address. A.B.C.D/M: source/destination IP address with mask. any: any source/destination IP address. icmp: ICMP. 0-255: ICMP message type number. 0-255: ICMP message code number.
   Classifies an IP protocol (TCP/UDP). A.B.C.D: source/destination IP address. A.B.C.D/M: source/destination IP address with mask. any: any source/destination IP address. tcp: TCP. udp: UDP.
   Classifies an IP protocol (TCP/UDP). A.B.C.D: source/destination IP address. A.B.C.D/M: source/destination IP address with mask. any: any source/destination IP address. tcp: TCP. udp: UDP. 0-65535: TCP/UDP source/destination port nu
22. Commands that delete Remote ID and Circuit ID entries (first rows illegible):
   no remote id ip A.B.C.D circuit id hex HEXSTRING
   no remote id ip A.B.C.D circuit id index <0-65535>
   no remote id ip A.B.C.D circuit id text CIRCUIT-ID
   no remote id ip A.B.C.D circuit id all
   no remote id text REMOTE-ID circuit id hex HEXSTRING
   no remote id text REMOTE-ID circuit id index <0-65535>
   no remote id text REMOTE-ID circuit id text CIRCUIT-ID
   no remote id text REMOTE-ID circuit id all
   Description: Deletes Remote ID and Circuit ID which will be permitted to be assigned IP address.
   8.8.6.5 Option 82 Trust Policy: This feature prevents the DHCP pool's IP addresses from being exhausted by DHCP packets with unexpected option 82 field information. After issuing the trust default deny command, you can control which option 82 field information is valid or not.
   Default Trust Policy: To configure the default trust policy, use the following command.
   trust default {deny | permit} (mode: Option82): Configures DHCP Option82 Trust function.
   Trust Policy for Remote ID: To configure the trust option82, use the following command.
   trust remote id hex HEXSTRING
   trust remote id ip IP-ADDRESS
   trust remote id text REMOTE-ID
   no trust remote id hex HEXSTRING
   no trust remote id ip P
23. [...] KEY auth port PORT acct port. KEY: authentication key value. auth_port: Enters authentication port number (optional). acct_port: Enters accounting port number (optional).
   login radius server del A.B.C.D: Deletes an added RADIUS server.
   You can add up to 5 RADIUS servers.
   RADIUS Server Priority: To specify the priority of a registered RADIUS server, use the following command.
   login radius server move A.B.C.D <1-5> (mode: Global): Specifies the priority of RADIUS server. A.B.C.D: IP address. 1-5: priority of RADIUS server.
   Timeout of Authentication Request: After the authentication request, the hiD 6610 S311 waits for the response from the RADIUS server for specified time. To specify a timeout value, use the following command.
   login radius timeout <1-100> (mode: Global): Specifies a timeout value. 1-100: waiting time for the response (default: 3).
   Frequency of Retransmit: If there is no response from RADIUS server, the hiD 6610 S311 is supposed to retransmit an authentication request. To set the frequency of retransmitting an authentication request, use the following command.
   login radius retransmit <1-10> (mode: Global): Sets the frequency of retransmit. 1-10: Enters the times of retry (default: 3).
   4.2.5 TACACS Server. 4.2.5.1 TACACS Server for Syste
24. Tracing Packet Route: You can discover the routes that packets will actually take when traveling to their destinations. To do this, the traceroute command sends probe datagram and displays the round trip time for each node. If the timer goes off before a response comes in, an asterisk is printed on the screen.
   traceroute ADDRESS (mode: Enable): Traces packet routes through the network.
   traceroute ip ADDRESS (mode: Enable): ADDRESS: IP address or host name.
   The following is the basic information to trace packet routes.
   Protocol [ip]: Supports ping test. Default is IP.
   Target IP address: Sends ICMP echo message by inputting IP address or host name of destination in order to check network status with relative.
   Source address: Source IP address which other side should make a response.
   Numeric display [n]: Hop is displayed the number instead of indications or statistics.
   Timeout in seconds [2]: It is considered as successful ping test if reply returns within the configured time interval. Default is 2 seconds.
   Probe count [3]: Set the frequency of probing UDP packets.
   Maximum time to live [30]: The TTL field is reduced by one on every hop. Set the time to trace hop transmission. The number of maximum hops. Default is 30 seconds.
   Selects general UDP port
25. be strength security by blocking ARP responses from unauthorized users at the DHCP server.

Use the following commands to block a user who uses a fixed IP address.

    ip dhcp authorized arp default lease time | half lease time | max lease time
        Enables dynamic ARP learning.
    no ip dhcp authorized arp
        Disables dynamic ARP learning.

After enabling the authorized ARP function, you can check the information of valid and invalid IP addresses with the following commands.

    show ip dhcp authorized arp valid
        Mode: Enable, Global. Shows the IP addresses assigned through the proper process.
    show ip dhcp authorized arp invalid
        Mode: Enable, Global. Shows the MAC address using the fixed IP, the used IP address and the time of blocking the IP address.

To clear the data of fixed IP, use the following command.

    clear ip dhcp authorized arp invalid
        Mode: Enable, Global, Bridge. Deletes the data of fixed IP.

Displaying Configuration

To display DHCP pool configuration, use the following command.

    show ip dhcp pool POOL NAME
        Mode: Enable, Global, Bridge. Shows IP Pool configuration.
    show ip dhcp pool summary POOL NAME
        Mode: Enable, Global, Bridge. Shows IP addresses assigned from DHCP of each IP pool.

To display lease data of IP addresses assigned to the IP Pool, use the following command.

    show ip dhcp lease all bound Shows the list o
26. Routing Timer

Routing protocols use several timers that determine such variables as the frequency of routing updates, the length of time before a route becomes invalid, and other parameters. You can adjust these timers to tune routing protocol performance to better suit your internet needs.

The default settings for the timers are as follows.

• The update timer is 30 seconds. Every update timer seconds, the RIP process is awakened to send an unsolicited response message containing the complete routing table to all neighboring RIP routers.
• The timeout timer is 180 seconds. Upon expiration of the timeout, the route is no longer valid; however, it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped.
• The garbage collect timer is 120 seconds. Upon expiration of the garbage collection timer, the route is finally removed from the routing table.

To adjust the timers, use the following command.

    timers basic UPDATE TIMEOUT GARBAGE
        Mode: Router. Adjusts routing protocol timers.

Split horizon

Normally, routers that are connected to broadcast-type IP networks and that use distance-vector routing protocols employ the split horizon mechanism to reduce the possibility of routing loops. Split horizon blocks information about routes from being advertised by a router out any interface from which that i
27. You can input ge and le optionally, and they are used when you configure more than one network. If you use neither ge nor le, the network range is more clearly configured. When only the ge attribute is configured, the network range is configured from the ge value, and when only the le attribute is configured, the network range is configured from the netmask to the le value.

Displaying Prefix List Policy

To display information about the prefix table, use the following command.

    show ip prefix list [detail | summary] NAME
        Mode: Enable, Global. Shows the prefix list. detail: detail list. summary: brief list. NAME: enter the prefix name.
    show ip prefix list NAME A.B.C.D/M [longer | first match]
        Mode: Enable, Global. Shows a policy of the prefix list applied to the specified network. longer: all policies. first match: first applied policy.
    show ip prefix list NAME seq <1-4294967295>
        Mode: Enable, Global. Shows a policy of the specified number.

Deleting Number of Inquiring Prefix List

By default, the system records how many times the prefix list is inquired. To delete the number, use the following command.

    clear ip prefix list NAME A.B.C.D/M
        Mode: Enable, Global. Deletes the number of how many times the prefix list is inquired.

Advanced Configuration

After finishing basic configuration, it is possible to do advanced configuration. It contains the following sections. BGP Community Fi
28. cand bsr: Configures information for candidate BSR.
whole packet checksum: Gives compatibility with Cisco router when transmitting Register message.

Tab. 3.10 Main Commands of PIM Configuration Mode

Router Configuration Mode

To open Router Configuration mode, use the following command. The system prompt is changed from SWITCH(config)# to SWITCH(config-router)#.

    router P PROTOCOL
        Mode: Global. Opens Router Configuration mode.

According to routing protocol way, Router Configuration mode is divided into BGP, RIP and OSPF. They are used to configure each IP routing protocol.

Tab. 3.11 shows a couple of main commands of Router Configuration mode.

    distance: Configures distance value to find better route.
    neighbor: Configures neighbor router.
    Configures network to operate each routing protocol.
    redistribute: Registers transmitted routing information to another router's table.

Tab. 3.11 Main Commands of Router Configuration Mode

VRRP Configuration Mode

To open VRRP Configuration mode, use the following command. The system prompt is changed from SWITCH(config)# to SWITCH(config-router)#.

    router vrrp INTERFACE GROUP ID
        Mode: Global. Opens VRRP Configuration mode.

Tab. 3.12 shows a couple of main commands of Router Configuration mode.

    authentication: Configures password
29. excluded: excludes sub tree. OID: OID number. MASK: Mask value (e.g. ff ff ff).

Deletes a created SNMP view record. VIEW: view record name.

To display a created SNMP view record, use the command (Mode: Enable, Global).

The following is an example of creating an SNMP view record.

    SWITCH(config)# snmp view TEST included 410
    SWITCH(config)# show snmp view
    View list
    view TEST included 410
    SWITCH(config)#

Permission to Access SNMP View Record

To grant an SNMP group access to a specific SNMP view record, use the following command.

    snmp access GROUP v1 | v2c READ VIEW WRITE VIEW NOTIFY VIEW
        Grants an SNMP group to access a specific SNMP view record. GROUP: group name.
    snmp access GROUP v3 noauth | auth | priv READ VIEW WRITE VIEW NOTIFY VIEW
        Grants an SNMP version 3 group to access a specific SNMP view record. GROUP: group name.
    no snmp access GROUP
        Deletes a granted SNMP group to access a specific SNMP view record.

To display a granted SNMP group to access a specific SNMP view record, use the following command.

    show snmp access
        Mode: Enable, Global. Shows a granted SNMP group to access a specific SNMP view record.

The following is an example of permission to accessing an SNMP view record.

    SWITCH(config)#
    SWITCH(config)# snmp access r
30. mediately accepted. For example, suppose that root switch is disconnected from SWITCH B. Then SWITCH B is considered to be root because of the disconnection and forwards BPDU. However, SWITCH C recognizes root existing, so it transmits BPDU including information of root to Bridge B. Thus, SWITCH B configures a port connected to SWITCH C as new root port.

[Fig. 8.15 Example of Receiving Low BPDU]

Rapid Network Convergence

A new link is connected between SWITCH A and root. Root and SWITCH A are not directly connected, but indirectly through SWITCH D. After SWITCH A is newly connected to root, packets cannot be transmitted between the ports because the state of the two switches becomes listening, and no loop is created. In this state, if root transmits BPDU to SWITCH A, SWITCH A transmits new BPDU to SWITCH A and SWITCH C, and SWITCH C transmits new BPDU to SWITCH D. SWITCH D, which received BPDU from SWITCH C, makes the port connected to SWITCH C Blocking state to prevent loop after new link

[Fig. 8.16 Convergence of 802.1d Network]

This is very an epochal way o
31. preempt enable | disable
        Mode: VRRP. Enables or disables Preempt (default: enable).

The following is an example of disabling Preempt.

    SWITCH(config-vrrp)# preempt disable
    SWITCH(config-vrrp)# exit
    SWITCH(config)# show vrrp
    default virtuali router 1
    state master
    virtual mac address 00 007 5E2007 01701
    preemption
    Priority master down interval 3 624 sec
    1 associate address 10.0.0.5
    SWITCH(config)#

Also, to make Preempt enable as default setting, use the following command on VRRP configuration mode.

    no preempt
        Mode: VRRP. Deletes the former configuration of Preempt to enable it.

VRRP Statistics

To display the VRRP statistics of packets that have been sent and received, use the following command.

    show vrrp stat
        Mode: Enable, Global, VRRP. Shows statistics of packets in Virtual Router Group.

The following is an example of viewing statistics of packets in Virtual Router Group.

    SWITCH(config)# show vrrp stat
    VRRP statistics
    VRRP packets rcvd with invalid TTL 0
    VRRP packets rcvd with invalid version 0
    VRRP packets rcvd with invalid VRID 0
    VRRP packets rcvd with invalid size 0
    VRRP packets rcvd with invalid checksum 0
    VRRP packets rcvd with invalid auth type 0
    VRRP packets rcvd with interval mismatch 0
    SWITCH(config)#

To clear the VRRP statistics informat
32. privilege vrrp level <0-15> COMMAND | all

    Uses the specific command of RMON Configuration mode in the level.
    Uses the specific command of Route map Configuration mode in the level.
    Uses the specific command of Rule Configuration mode in the level.
    Uses the specific command of User EXEC mode in the level.
    Uses the specific command of VRRP Configuration mode in the level.

The commands that are used in a low level can also be used in the higher level. For example, the command in level 0 can be used in from level 0 to level 14.

The commands should be input the same as the commands displayed by show list. Therefore, it is not possible to input the commands in the bracket separately.

    SWITCH# show list
    (Omitted)
33. use the following command.

    interface noshutdown INTERFACE
        Mode: Global. Enables the interface on Global Configuration mode.

For multiple interfaces use or at INTERFACES

Interface Configuration Mode

To open Interface Configuration mode of the interface you are about to enable, use the following command.

    interface INTERFACE
        Mode: Global. Opens Interface Configuration mode of the interface.

To enable the interface, use the following command.

    no shutdown
        Mode: Interface. Enables the interface on Interface Configuration mode.

The following is an example of enabling an interface on Global Configuration mode or Interface Configuration mode.

    SWITCH# configure terminal
    SWITCH(config)# interface noshutdown 1
    SWITCH(config)#

    SWITCH# configure terminal
    SWITCH(config)# interface 1
    SWITCH(config-if)# no shutdown
    SWITCH(config-if)#

Disabling Interface

To disable the interface, use the following commands on each mode.

Global Configuration Mode

To disable an interface on Global Configuration mode, use the following command.

    interface shutdown INTERFACE
        Mode: Global. Disables a specified interface on Global Configuration mode.

Interface Configuration Mode

You can also disable an interface on Interface Configuration mode. Before disabling interface on Inter
34. [Fig. 7.2 Weighted Fair Queuing]

Strict Priority Queuing (SP)

SPQ processes more important data before the others. Since all data are processed by their priority, data with high priority can be processed fast, but data with low priority might be delayed and piled up. This method has the strong point of providing distinguished service in a simple way. However, while packets having higher priority keep entering, the packets having lower priority are not processed.

The processing order in Strict Priority Queuing, in case of entering packets having the Queue numbers, is as below.

[Fig. 7.3 Strict Priority Queuing]

To select a packet scheduling mode, use the following command.

    qos scheduling mode sp | wrr | wfq
        Mode: Global. Selects a packet scheduling mode for a ports. sp: strict priority queuing. wrr: weighted round robin. wfq: weighted fair queuing.
    qos cpu scheduling mode sp | wrr
        Mode: Global. Selects a scheduling mode for handling CPU packets. sp: strict priority queuing. wrr: weighted round robin.

The default scheduling mode is WRR. It is possible to assign a different scheduling mode to each port.

Qos Weight

To set
35. Type of service [0]: The service field of QoS (Quality of Service) in Layer 3 application. It is possible to designate the priority for IP packet.
    Set DF bit in IP header [no]: Decides whether the Don't Fragment (DF) bit is applied to the Ping packet or not. Default is no. If the user chooses yes, when the packets pass through a segment comprised of the smaller data unit, it prevents the packet from being fragmented. Therefore there could be an error message.
    Data pattern [0xABCD]: Configures data pattern. Default is 0xABCD.

Tab. 6.3 Options for Ping for Multiple IP Addresses

    SWITCH# ping
    Protocol [ip]:
    Target IP address: 172.16.1.254
    Repeat count [5]: 5
    Datagram size [100]: 100
    Timeout in seconds [2]: 2
    Extended commands [n]: y
    Source address or interface: 172.16.157.100
    Type of service [0]: 0
    Set DF bit in IP header [no]: no
    Data pattern [0xABCD]:
    PATTERN: 0xabcd
    PING 172.16.1.254 (172.16.1.254) from 172.16.157.100 : 10
    108 bytes from 172.16.1.254: icmp_seq=1 ttl=255 time=30.4 ms
    108 bytes from 172.16.1.254: icmp_seq=2 ttl=255 time=11.9 ms
    108 bytes from 172.16.1.254: icmp_seq=3 ttl=255 time=21.9 ms
    108 bytes from 172.16.1.254: icmp_seq=4 ttl=255 time=11.9 ms
    108 bytes from 172.16.1.254: icmp_seq=5 ttl=255 time=30.1 ms
    172.16.1.254 ping statistics
    5
37. To delete a registered IP address range of ARP alias, use the following command.

    no arp alias START IP ADDRESS END IP ADDRESS
        Mode: Global. Deletes a registered IP address range of ARP alias.

To display ARP alias, use the following command.

    show arp alias
        Mode: Enable, Global. Shows a registered ARP alias.

ARP Inspection

ARP provides IP communication by mapping an IP address to a MAC address. However, a malicious user can attack ARP caches of systems by intercepting the traffic intended for other hosts on the subnet. For example, Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. If Host C responds with an IP address of Host A or B and a MAC address of Host C, Host A and Host B can use Host C's MAC address as the destination MAC address for traffic intended for Host A and Host B.

ARP Inspection is a security feature that validates ARP packets in a network. It discards ARP packets with invalid IP-MAC address binding.

Enabling ARP Inspection

To enable and disable ARP Inspection on the hiD 6610 S311 system, use the following command.

    arp inspection enable
        Mode: Global. Enables ARP inspection function.
    arp inspection disable
        Mode: Global. Disables ARP inspection function.

ARP Inspection mapping policy

You can configure the policy to permit or deny ARP packets by arp inspection mapping
39. [Fig. 9.4 IP Multicasting]

IGMP Snooping is a function that finds the port which sends a Join message to join a specific multicast group to receive multicast packets, or a Leave message to get out of the multicast group because it does not need the packets. IGMP Snooping can be enabled only when the switch is connected to a multicast router.

IGMP v2 Snooping Fast Leave

If the Multicast client sends the leave message to leave the Multicast group, the Multicast router sends an IGMP Query message to the client again, and when the client does not respond, deletes the client from the Multicast group.

In IGMP v2, even after the Host has sent a Leave Message, it receives Multicast Traffic until the Specific Query is sent. In Snooping Fast Leave Enable mode, the switch stops sending Multicast Traffic immediately by deleting the host from the Membership Table at the time of receiving the Leave Message, without sending a Specific Query.

    ip igmp snooping fast leave
        Mode: Global. Takes away the host from the Multicast group right after sending the leave message.
    ip igmp snooping fast leave vlan VLAN ID
        Mode: Global. Removes the host from the Multicast group right after sending the leave message on a VLAN interface. VLAN ID: 1-4094.

To disable IGMP snooping fast leave, use the following command.

    no ip igmp snooping fast leave Disables IGMP snooping
40. Terminal Configuration

By default, the hiD 6610 S311 is configured to display 24 lines composed of 80 characters on the console terminal. The maximum line displaying is 512 lines. To set the number of lines displayed on the terminal screen, use the command.

    terminal length <0-512>
        Mode: Global. Sets the number of line displaying on console terminal; enter the value.
    no terminal length
        Mode: Global. Restores a default line displaying.

Login Banner

It is possible to set a system login and log-out banner. The administrator can leave a message to other users with this banner. To set the system login and log-out banner, use the following command.

    banner
        Mode: Global. Sets a banner before login the system.
    banner login
        Mode: Global. Sets a banner when successfully log in the system.
    banner login fail
        Mode: Global. Sets a banner when failing to login the system.

To restore a default banner, use the following command.

    no banner
    no banner login
    no banner login fail
        Mode: Global. Restores a default banner.

To display a current login banner, use the following command.

    show banner
        Mode: Enable, Global. Shows a current login banner.

DNS Server

To set a DNS server, use the following command.

    dns server A.B.C.D
        Mode: Global. Sets a DNS server.
    no dns server A.B.C.D
        Mode: Global. Removes a DNS server.

    Mode: Enable, Global. Shows a DNS server.
42. ADDRESS
        Mode: Option82. Changes the type of remote id of a trust option82.
    no trust remote id text REMOTE ID
        Mode: Option82. Disables DHCP Option82 Trust function.

Trust Policy for Physical Port

To specify a trust policy for a physical port, use the following command.

    trust port PORTS
        Mode: Option82. Specifies a trust policy for physical ports.
    no trust port all | PORTS
        Mode: Option82. Disables DHCP Option82 Trust function.

Simplified DHCP Option 82 in Layer 2

Usually, DHCP relay is used in a Layer 3 network. But in a Layer 2 network, if you want to configure DHCP relay with option 82, use the simplified option 82.

In case of a DHCP option 82 environment, when forwarding DHCP messages to a DHCP server, a DHCP relay agent normally adds a relay agent information option to the DHCP messages and replaces a gateway address in the DHCP messages with a relay agent address. On the other hand, in case of a simplified DHCP option 82 environment, a DHCP relay agent adds a relay agent information option to the DHCP messages without replacement of a gateway address field in the DHCP messages.

This allows an enhanced security and efficient ID assignment in the Layer 2 environment with a relay agent information option.

To enable and disable the simplified option82, use the following command.

    ip dhcp active simplified option82
        Mode: Global. Enables a simplified DHCP option 82.
    no ip dhcp active simplified
        Disables simplified DHCP option 82.
43. Auto Log out

For security reasons of the hiD 6610 S311, if no command is entered within the configured inactivity time, the user is automatically logged out of the system. The administrator can configure the inactivity timer.

To enable the auto logout function, use the following command.

    exec timeout <1-35791> <0-59>
        Mode: Global. Enables auto log out. 1-35791: time unit in minutes (by default 10 minutes). 0-59: time unit in seconds.

To display a configuration of the auto logout function, use the following command.

    show exec timeout
        Mode: Enable, Global. Shows a configuration of auto logout function.

The following is an example of configuring the auto logout function as 60 seconds and viewing the configuration.

    SWITCH(config)# exec timeout 60
    SWITCH(config)# show exec timeout
    Log out time 60 seconds
    SWITCH(config)#

System Rebooting

Manual System Rebooting

When installing or maintaining the system, some tasks require rebooting the system for various reasons. Then you can reboot the system with a selected system OS. To restart the system manually, use the following command.

    reload os1 | os2
        Restarts the system.

If you reboot the system without saving new configuration, the new configuration will be deleted. So you have to save the configuration before rebooting. Not to make that mistake, hiD 6610 S311 is supported to print the following message to ask if user really wants to reboot and save c
44. D/M | any} icmp {<0-255> | any} {<0-255> | any}
    ip {A.B.C.D | A.B.C.D/M | any} {A.B.C.D | A.B.C.D/M | any} {tcp | udp}
    ip {A.B.C.D | A.B.C.D/M | any} {A.B.C.D | A.B.C.D/M | any} {tcp | udp} {<0-65535> | any} {<0-65535> | any}
    ip {A.B.C.D | A.B.C.D/M | any} {A.B.C.D | A.B.C.D/M | any} tcp {<0-65535> | any} {<0-65535> | any} {TCP FLAG | any}

Classifies an IP protocol (ICMP).
    A.B.C.D: source/destination IP address
    A.B.C.D/M: source/destination IP address with mask
    any: any source/destination IP address
    icmp: ICMP

Classifies an IP protocol (ICMP).
    A.B.C.D: source/destination IP address
    A.B.C.D/M: source/destination IP address with mask
    any: any source/destination IP address
    icmp: ICMP
    0-255: ICMP message type number
    0-255: ICMP message code number

Classifies an IP protocol (TCP/UDP).
    A.B.C.D: source/destination IP address
    A.B.C.D/M: source/destination IP address with mask
    any: any source/destination IP address
    tcp: TCP
    udp: UDP

Classifies an IP protocol (TCP/UDP).
    A.B.C.D: source/destination IP address
    A.B.C.D/M: source/destination IP address with mask
    any: any source/destination IP address
    tcp: TCP
    udp: UDP
    0-65535: TCP/UDP source/destination port number
    any: any TCP/UDP source/destination port

Classifies an IP protocol (TCP).
    A.B.C.D: source/destination IP address
    A.B.C.D/M: source/destination IP address with mask
    any: any source/destination IP address
    tcp: TCP
    0-65535: TCP
45. Force/Full/100 Off Y
    8 Ethernet 8 Up/Up Force/Full/100 Off Y
    SWITCH(bridge)#

Transmit Rate

To set the transmit rate of an Ethernet port, use the following command.

    port speed PORTS 10 | 100 | 1000
        Sets transmit rate of Ethernet port as 10/100/1000Mbps; enter the port number.

When auto-nego is activated, it is impossible to change the transmit rate.

Duplex Mode

Only unidirectional communication is practicable on half duplex mode, and bidirectional communication is practicable on full duplex mode. By transmitting packets both ways, Ethernet bandwidth is enlarged two times: 10Mbps to 20Mbps, 100Mbps to 200Mbps.

To set duplex mode, use the following command.

    port duplex PORTS full | half
        Mode: Bridge. Sets full or half duplex mode of specified port; enter the port number.

The following is an example of configuring the duplex mode of port 1 as half mode and showing it.

    SWITCH(bridge)# show port 1
    NO TYPE PVID STATUS(ADMIN/OPER) MODE FLOWCTRL INSTALLED
    1 Ethernet 1 Up/Up Force/Full/100 Off Y
    SWITCH(bridge)# port duplex 1 half
    SWITCH(bridge)# show port 1
    NO TYPE PVID STATUS(ADMIN/OPER) MODE FLOWCTRL INSTALLED
    1 Ethernet 1 Up/Down Force/Half/100 Off Y
    SWITCH(bridge)#

Flow Control

Ethernet ports on the switches use flow control to restrain the transmission of packets to the port for a period time. Typ
46. renew dhcp INTERFACE
        Mode: Enable. Forces a renewal of a DHCP lease. INTERFACE: enters specified Interface name.

Displaying DHCP Client Configuration

To display a DHCP client configuration, use the following command.

    show ip dhcp client INTERFACE
        Mode: Enable, Global, Interface. Shows a configuration of DHCP client.

DHCP Snooping

The hiD 6610 S311 switch offers a DHCP security feature called DHCP snooping that allows the network administrator to configure certain ports to restrict access to authorized traffic only.

Enabling DHCP snooping on a port will only permit authorized traffic and filter out all other traffic which is not recorded in the DHCP snooping table. For instance, once a user gets a DHCP address from the server, his IP address, MAC address and Lease Time are stored in the DHCP snooping table. Only traffic from this IP address is permitted, and all other users who have a static IP address or do not have a dynamically assigned IP address will be denied. This feature is designed for isolating malicious activity and disallowing possible attacks from unauthorized users.

Enabling DHCP Snooping

To enable DHCP snooping globally, use the following command.

    ip dhcp snooping
        Mode: Global. Enables the DHCP snooping on the system.
    no ip dhcp snooping Disables the DHCP snoop
47. no range A.B.C.D1 A.B.C.D2
        Mode: DHCP Pool. Deletes the configured IP address range. A.B.C.D1: Start IP address. A.B.C.D2: End IP address.

IP Lease Time

Basically, the DHCP server leases an IP address in the DHCP pool to DHCP clients, which will be automatically returned to the DHCP pool when it is no longer in use or expired by IP lease time.

To specify IP lease time, use the following command.

    lease time default <120-2147483637>
        Sets default IP lease time in the unit of second (default: 3600).
    lease time max <120-2147483637>
        Sets maximum IP lease time in the unit of second (default: 3600).

The default is one hour (3600 seconds) and the maximum is two hours. The configuration is applicable only to the appropriate IP Pool.

To delete configured lease time, use the following command.

    no lease time default | max
        Mode: DHCP Pool. Deletes specified IP lease time.

DNS Server

To specify a DNS server to inform DHCP clients, use the following command.

    dns server A.B.C.D1 A.B.C.D2 A.B.C.D3
        Mode: DHCP Pool. Specifies a DNS server. Up to 3 DNS servers are possible. A.B.C.D: DNS server IP address.
    no dns server A.B.C.D1 A.B.C.D2 A.B.C.D3
        Deletes a specified DNS server.

If you want to specify a DNS server for all the D
48. MAC address for the port. 1-16384: Maximum number of addresses (default: 1).

    port security PORTS maximum <1-16384>

Step 3: Set the violation mode and the action to be taken.

    port security PORTS violation shutdown | protect | restrict
        Mode: Bridge. Selects a violation mode.

When configuring port security, note the following information about port security violation modes.

• protect drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
• restrict drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the Security Violation counter to increment.
• shutdown puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

Step 4: Enter a secure MAC address for the port.

    port security PORTS mac address MACADDR vlan NAME
        Sets a secure MAC address for the port. PORTS: select the port number. MACADDR: enter the MAC address. NAME: vlan name.

To disable the configuration of port secure, use the following command.

    no port security PORTS
        Disables port security on the port.
    no port security PORTS mac address MACADDR vlan NAME
        Deletes a secure MAC address for the port. PORTS: enter the port number. MACADDR e
49.
    SWITCH_A(config)# stack device default
    SWITCH_A(config)# stack add 00:d0:cb:22:00:11
Step 3: Configure VLAN in order to belong to the same switch group in Switch B, registered by Master switch as Slave switch, and configure it as a Slave switch.
Switch B (Slave Switch):
    SWITCH_B(config)# stack slave
    SWITCH_B(config)# stack device default
Step 4: Check the configuration. The information you can check in Master switch and Slave switch is different, as below.
Switch A (Master Switch):
    SWITCH_A(config)# show stack
    device default
    node ID 1
    node  MAC address        status  type                   name      port
    1     00:d0:cb:0a:00:aa  active  SURPASS hiD 6610 S311  SWITCH_A  24
    2     00:d0:cb:22:00:11  active  SURPASS hiD 6610 S311  SWITCH_B  24
    SWITCH_A(config)#
Switch B (Slave Switch):
    SWITCH_B(config)# show stack
    device default
    node ID 2
    SWITCH_B(config)#
Sample Configuration 2: Accessing from Master Switch to Slave Switch
The following is an example of accessing the Slave switch from the Master switch configured in Sample Configuration 1. If you show the configuration of the Slave switch in Sample Configuration 1, you can recognize that the node number is 2.
    SWITCH(bridge)# rcommand 2
    Trying 127.1.0.1...
    Connected to 127.1.0.1.
    Escape character is
    SWITCH login: admin
    Password:
    SWITCH>
To disconnect, input as below.
    SWITCH> exit
    Connection closed by foreign ho
50. Shows the syslog messages from the latest one (non volatile reverse).
    clear syslog local volatile | non volatile (Enable/Global): Removes a received syslog message.
7.5.7 Displaying Syslog Configuration
To display a configuration of the syslog, use the following command (mode: Enable/Global):
    show syslog
    show syslog volatile | non volatile information
    Shows a configuration of the syslog.
7.6 Rule and QoS
The hiD 6610 S311 provides a rule and QoS feature for traffic management. The rule classifies incoming traffic and then processes the traffic according to user-defined policies. You can use the physical port, 802.1p priority (CoS), VLAN ID, DSCP, and so on to classify incoming packets. You can configure the policy in order to change some data fields within a packet or to relay packets to a mirror monitor by a Rule function.
QoS (Quality of Service) is one of the useful functions to provide a more convenient service of network traffic for users. By giving priority to traffic, it helps to prevent overloading, delay, or failure in sending traffic. However, you need to be careful that other traffic does not fail because of the traffic configured as priority by the user. QoS can give a priority to a specific traffic by basically offering the priority to the traffic or limitin
51. [Fig. 8.11 Designated Switch: PATH 1 = 50 + 100 = 150; PATH 2 = 100 + 100 = 200; PATH 1 < PATH 2, so PATH 1 is selected]
In the above picture, where SWITCH C sends a packet, the path cost of PATH 1 is 150 and the path cost of PATH 2 totals 200 (100 + 100: path cost of SWITCH C to B + path cost of SWITCH B to C). Therefore, the lower path cost, PATH 1, is chosen. In this case, the port connected to the Root switch is named Root port. In the above picture, the port of SWITCH C connected to SWITCH A as Root switch is the Root port. There can be only one Root port on equipment.
The standard to decide the designated switch is the total root path cost, which is added with the path cost to root. The switch with the lower path cost is selected to be the designated switch. When root path costs are the same, the bridge ID is compared.
Designated Port and Root Port
A Root Port is the port in the active topology that provides connectivity from the Designated Switch toward the root. A Designated Port is a port in the active topology used to forward traffic away from the root onto the link for which this switch is the Designated Switch. That is, except for the root port, in each switch the port selected to communicate is the designated port.
Port Priority
Meanw
52. To encrypt the password so that it is not displayed, use the following command:
    service password encryption (Global): Encrypts system password.
To disable password encryption, use the following command:
    no service password encryption (Global): Disables password encryption.
Changing Login Password
To configure a password for a created account, use the following command:
    passwd NAME (Global): Configures a password for created account.
The following is an example of changing a password.
    SWITCH(config)# passwd Siemens
    Changing password for Siemens
    Enter the new password (minimum of 5, maximum of 8 characters)
    Please use a combination of upper and lower case letters and numbers.
    Enter new password: junior95
    Re-enter new password: junior95
    Password changed.
    SWITCH(config)#
The password you are entering won't be seen on the screen, so please be careful not to make a mistake.
Management for System Account
Creating System Account
For the hiD 6610 S311, the administrator can create a system account. In addition, it is possible to set the security level from 0 to 15 to enhance the system security. To create a system account, use the following command (mode: Global):
    user add NAME DESCRIPTION: Creates a system account.
    user add NAME level <0-15>: Creates a system account with a
53. a gratuitous ARP.
    arp patrol TIME COUNT (Global): TIME: transmit interval; COUNT: transmit count.
    no arp patrol (Global): Disables a gratuitous ARP.
The following is an example of configuring the transmission interval as 10 sec and transmission times as 4, and showing it.
    SWITCH(config)# arp patrol 10 4
    SWITCH(config)# show running config
    Building configuration...
    Current configuration:
    hostname SWITCH
    (Omitted)
    arp patrol 10 4
    !
    no snmp
    SWITCH(config)#
Proxy ARP
To configure Proxy ARP, you need to enter Interface configuration mode and use the following command:
    ip proxy arp: Sets proxy ARP at specified Interface.
    no ip proxy arp: Removes the configured proxy ARP from the interface.
ICMP Message Control
ICMP stands for Internet Control Message Protocol. When it is impossible to transmit data or configure a route for data, ICMP sends an error message about it to the host. The first 4 bytes of all ICMP messages are the same, but the other parts are different according to the type field value and code field value. There are fifteen values of field to distinguish each different ICMP message, and the code field value helps to distinguish each type in detail.
The following table shows explanation for fifteen values of ICMP message type: ICMP_ECHOREPLY, ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_REDIRECT, ICMP_ECHO, ICMP_TIM
54. access rule, use the following command:
    apply: Applies an admin access rule to the system.
1. The switch performs a detailed plausibility check and rejects the rule if the configuration is incomplete, contains bad or unsupported values, or conflicts with other rules. In this case, the switch informs about the reason and the operator may correct the values.
2. The switch may reject a rule with the message "Already exist rule" although the name will not be listed by the command show rule. Unfortunately, the entered name in this case interferes with the name of an internally managed rule. Remedy: select another name for the rule, e.g. add a prefix.
3. All previously entered values remain valid after successful or unsuccessful execution of the command apply. That is, if several rules that differ in only one value should be created, then only the one changed value needs to be entered again.
Modifying and Deleting Rule
To modify a rule, use the following command:
    rule NAME modify admin (Global): Modifies an admin access rule; enter a rule name.
To delete a rule, use the following command:
    no rule admin (Global): Deletes all rules and admin access rules, or an admin access rule; enter a rule name optionally.
Dis
55. alert | crit | err | warning | notice | info | debug console
    no syslog output emerg | alert | crit | err | warning | notice | info | debug local volatile | non volatile
    no syslog output emerg | alert | crit | err | warning | notice | info | debug remote IP ADDRESS
    (Global) Deletes a specified syslog output.
Syslog Output Level with a Priority
To set a user-defined syslog output level with a priority, use the following command (mode: Global):
    syslog output priority auth | authpriv | cron | daemon | kern | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | syslog | user | uucp emerg | alert | crit | err | warning | notice | info console
    syslog output priority auth | authpriv | cron | daemon | kern | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | syslog | user | uucp emerg | alert | crit | err | warning | notice | info local volatile | non volatile
    syslog output priority auth | authpriv | cron | daemon | kern | local1 | local2 | local3 | local4 | local5 | local6 | local7 | lpr | mail | news | syslog | user | uucp emerg | alert | crit | err
    Generates a user-defined syslog message with a priority and forwards it to the console.
    Generates a user-defined syslog message with a priority in the system memory. volatile del
56. all | crash info remote IP ADDRESS ftp | tftp: Saves the contents of tech support in a specified address.
Tech support contents displayed on the console are shown at once, regardless of the number of display lines of the terminal screen.
Network Management
Simple Network Management Protocol (SNMP)
A Simple Network Management Protocol (SNMP) system consists of three parts: the SNMP manager, a managed device, and the SNMP agent. SNMP is an application-layer protocol that allows SNMP manager and agent stations to communicate with each other. SNMP provides a message format for sending information between the SNMP manager and the SNMP agent. The agent and MIB reside on the switch. In configuring SNMP on the switch, you define the relationship between the manager and the agent. According to community, you can give the right only to read, or the right both to read and to write.
The SNMP agent has MIB variables to reply to requests from the SNMP administrator, and the SNMP administrator can obtain data from the agent and save data in the agent. The SNMP agent gets data from the MIB, which saves information on the system and network. The SNMP agent sends a trap to the administrator for specific cases. A trap is a warning message to alert the SNMP administrator to network status.
The hiD 6610 S311 enhances accessing management of SNMP agent more and limit the range of OID opened to agents. The followi
57. p = port based, m = mac based, a = authenticated, u = unauthenticated
    SWTICH(config)#
The following is configuring a term of re-authentication as 1800 and a term of re-authentication as 1000 sec.
    SWTICH(config)# dot1x timeout quiet period 1000 4
    SWTICH(config)# dot1x timeout reauth period 1800 4
    SWTICH(config)# dot1x reauth enable 4
    SWTICH(config)# show dot1x 4
    Port 4
    SystemAuthControl  Enabled
    ProtocolVersion    0
    PortControl        Force Authorized
    PortStatus         Unauthorized
    ReauthEnabled      True
    QuietPeriod        1000
    ReauthPeriod       1800
    SWTICH(config)#
The following is an example of showing the configuration after configuring the authentication based on MAC address.
    SWTICH(config)# dot1x auth mode mac base 4
    SWTICH(config)# show dot1x
    802.1x authentication is enabled.
    RADIUS Server 10.1.1.1
    Auth key test
    [802.1x per-port status table]
    p = port based, m = mac based, a = authenticated, u = unauthenticated
    SWTICH(config)#
Port Configuration
It is possible for the user to configure the basic environment, such as auto-negotiate, transmit rate, and flow control of the hiD 6610 S311 port. Also, it includes instructions how to configure port mirroring an
59. consists of two or more switches. One of the nodes on the ring is designated as redundancy manager (RM), and the two ring ports on the RM node are configured as primary port and secondary port respectively. The RM blocks the secondary port for all non-control traffic that belongs to this ERP domain.
Here, if line failure occurs, the nodes detecting Link Failure transmit a Link Down message and the Link Failure port becomes Blocking status. When the RM node receives this link down message, it immediately declares failed state and opens the logically blocked protected VLANs on the secondary port. Then the Ethernet Ring restarts the communication. The following is ERP operation when Link Failure occurs.
[Fig. 8.35 Ethernet Ring Protocol Operation in Failure State: 1. Secondary port of RM node is blocking in Normal state; 2. Link Failure; 3. Nodes detecting Link Failure transmit Link Down message]
[Fig. 8.36 Ring Protection: 1. Secondary port of RM node is changed as unblocking state; 2. Send Link Down Message]
When a Link Failure is recovered, a temporary loop may occur. To rectify this condition, ERP sends a link up message to the RM. The RM
62. enters a data object ID (ex. ifindex n1 port1).
Subject of RMON History
To identify the subject using RMON history, use the following command:
    owner NAME (RMON): Identifies subject using related data; enter the name (max 32 characters).
Number of Sample Data
To configure the number of sample data of RMON history, use the following command:
    requested buckets <1-65535>: Defines a bucket count for the interval; enter the number of buckets. 1-65535: bucket number (default: 50).
Interval of Sample Inquiry
To configure the interval of sample inquiry in terms of seconds, use the following command:
    interval <1-3600> (RMON): Defines the time interval for the history in seconds; enter the value (default: 1800).
1 sec is the minimum time which can be selected, but the minimum sampling interval currently is 30 sec, i.e. all intervals will be rounded up to a multiple of 30 seconds.
Activating RMON History
To activate RMON history, use the following command:
Before activating RMON history, check if your configuration is correct. After RMON history is activated, you cannot change its configuration. If you need to change the configuration, you need to delete the RMON history and configure it again.
Deleting Configuration of RMON History
When yo
63. fast leave function.
    no ip igmp snooping fast leave vlan VLAN ID (Global): Disables IGMP snooping fast leave function on a VLAN interface.
To display IGMP snooping Immediate Leave configuration, use the following command:
    show ip igmp snooping fast leave vlan VLAN NAME (Enable/Global): Shows that the IGMP snooping Immediate leave is enabled.
IGMP v2 Snooping Querier
You can use the hiD 6610 S311 as IGMP querier without a multicast router, because the IGMP query daemon has been installed in the hiD 6610 S311. Legacy equipment used the IGMP Querier of PIM but did not develop a Querier for IGMP Snooping. Because of this, to operate a Querier on IGMP Snooping, an IP address was mandatory and Specific Query was operated by the IGMP Querier.
The hiD 6610 S311 implemented IGMP Snooping Querier, and it operates differently from IGMP Query. IGMP Snooping Querier can send General Query from the Snooping Switch, and it should be distinguished from Specific Query. IGMP Snooping Querier also uses source IP address 0.0.0.0 if there is no IP address on the switch.
Enabling IGMP Snooping Querier
To enable the IGMP Snooping querier, use the following command:
    ip igmp snooping querier: Enables the IGMP snooping querier on the system a
64. following order:
• System Login
• Password for Privileged EXEC Mode
• Changing Login Password
• Management for System Account
• Limiting Number of User
• Telnet Access
• Auto Log-out
• System Rebooting
System Login
After installing the hiD 6610 S311, finally make sure that each port is correctly connected to the PC for network and management. Then turn on the power and boot the system as follows.
Step 1: When you turn on the switch, booting will be automatically started and the login prompt will be displayed.
    SWITCH login:
Step 2: When you enter the login ID at the login prompt, the password prompt will be displayed. Enter the password to open Privileged EXEC View mode. By default, the login ID is configured as admin and it is possible to access without a password.
    SWITCH login: admin
    Password:
    SWITCH>
Step 3: In Privileged EXEC View mode, you can check only the configuration for the switch. To configure and manage the switch, you should begin Privileged EXEC Enable mode. The following is an example of beginning Privileged EXEC Enable mode.
    SWITCH> enable
    SWITCH#
4.1.2 Password for Privileged EXEC Mode
You can configure a password to enhance the security for Privileged EXEC Enable mode. To configure a password for Privileged EXEC Enable mode, use the following command:
    Configures a password to begin Privileged EXE
65. group IP ADDRESS
    show ip igmp snooping state port PORTS | cpu
    show ip igmp snooping state VLAN ID IP ADDRESS
    (Enable/Global) Shows IGMP Snooping statistics information of multicast group or ports or VLAN. PORTS: enters port number; IP ADDRESS: multicast group IP address.
Multicast Packets Filtering
When the switch receives multicast packets, the switch is supposed to transmit these packets according to IGMP table registration. If you would like to block multicast packets when the packets are not registered on the IGMP table, use the following command:
    ip igmp multicast filter: Blocks whole packets if they are not registered on IGMP Table.
    no ip igmp multicast filter: Permits whole packets whether they are registered on IGMP Table or not.
IGMP Static Join Setting
If there is no group member on a network segment and you want to transmit multicast packets to that network segment, you can configure to pull multicast traffic down to a network segment using the ip igmp static group command. With this command, the switch does not accept the packets but forwards them. The outgoing interface appears in the IGMP cache, but the switch is not a member. Therefore, it can support fast switching.
To configure IGMP static join, use the following command:
    Configures IGMP static join setting. A.B.C.D1: IGMP grou
66. including all ports. If communication between each VLAN is needed, the FID should be the same. To configure FID, use the following command:
    vlan fid VLANS FID (Bridge): Configures FID. VLANS: enters VLAN name; FID: enters FID value.
VLAN Translation
VLAN Translation is simply an action of Rule. This function translates the value of a specific VLAN ID which is classified by Rule. The switch tags untagged packets by adding the PVID and uses tagged packets as they are. That is, all packets are tagged in the switch, and VLAN Translation changes the VLAN ID value of a tagged packet in the switch. This function adjusts traffic flow by changing the VLAN ID of a packet.
Step 1: Open Rule Configuration mode using the rule NAME create command.
Step 2: Classify the packet that VLAN Translation will be applied to by Rule.
Step 3: Designate the VLAN ID that will be changed in the first step by the match vlan <1-4094> command.
Step 4: Open Bridge Configuration mode using the bridge command.
Step 5: Add the classified packet to VLAN members of the VLAN ID that will be changed.
Sample Configuration
Sample Configuration 1: Configuring Port-based VLAN
The following is assigning vlan id of 2, 3 and 4 to port 2, port 3, and port 4.
    SWITCH(bridge)# vlan create 2
    SWITCH(bridge)# vlan create 3
    SWITCH(bridge)# vlan create 4
    SWITCH(bridge)# vlan
67. information. BGP consists of the network number which the packet is passed through and the autonomous system number. The hiD 6610 S311 supports BGP version 4 defined in RFC 1771. BGP version 4 provides aggregate routes by using Classless Inter-domain Routing (CIDR) to reduce the size of the routing table. CIDR provides an IP prefix, which is a network address, instead of an IP address on the BGP network. OSPF and RIP can also transmit CIDR paths.
A switch which takes the BGP protocol is intended to exchange AS and path reaching to AS between BGP equipment. By doing so, the user can prevent routing loops and take the most effective AS information.
You can configure Multi Exit Discriminator (MED) by using a route map. When new routing information is transmitted to a neighbor BGP, MED is passed without any change. Thus, BGP routers located in the same AS can select a path with the same standard.
Basic Configuration
BGP configuration is roughly divided into basic configuration and advanced configuration. Basic configuration includes the following:
• BGP Routing
• AS Route Filtering
• BGP Filtering through Prefix Lists
BGP Routing
To activate the BGP router, use the following command:
    router bgp <1-65535> (Global): Assigns AS number to configure BGP routing; enter the AS number.
AS number is an identification of the autonomous system used for detecting the BGP connection. AS numbers 65512 through 65535 are defined as private AS numbers. Private number cannot be advertised on
68. major | minor | warning | intermediate: informs there's any problem on the power.
    snmp alarm severity adva temperature critical | major | minor | warning | intermediate: Sends alarm notification with the severity when ADVA informs there is any problem in temperature.
    snmp alarm severity adva voltage high critical | major | minor | warning | intermediate: Sends alarm notification with the severity when ADVA informs the voltage is high.
    snmp alarm severity adva voltage low critical | major | minor | warning | intermediate: Sends alarm notification with the severity when ADVA informs the voltage is low.
If you want to clear a configured ADVA alarm priority, use the following command:
    no snmp alarm severity adva fan fail
    no snmp alarm severity adva if misconfig
    no snmp alarm severity adva if opt thres
    no snmp alarm severity adva if rcv fail
    no snmp alarm severity adva if sfp mismatch
    no snmp alarm severity adva if trans fault
    no snmp alarm severity adva psu fail
    no snmp alarm severity adva temperature
    no snmp alarm severity adva voltage high
    no snmp alarm severity adva voltage low
    Clears a configured ADVA alarm priority.
7.1.9.6 ERP Alarm Severity
To configure a severity of alarms for ERP status, use the following command:
    snmp alarm severity erp domain lotp critical: Sends alarm notification with the severity when no test packet has been
69. interval (seconds). PORTS: enters port number.
    no dot1x timeout quiet period PORTS: Disables the interval for requesting identity.
802.1x Re-authentication
In 4.5.2.2 Configuring the Interval of Re-Authentication, it is described that even though the user is accessible to the network, he should be authenticated so that the changed database is applied. Besides, because of various reasons in managing the RADIUS server and the 802.1x authentication port, the user is supposed to be re-authenticated at regular intervals. To implement re-authentication immediately, regardless of the configured time interval, use the following command:
    dot1x reauthenticate PORTS (Global): Implements re-authentication regardless of the configured time interval.
Initializing Authentication Status
The user can initialize the entire configuration on the port. Once the port is initialized, the supplicants accessing the port should be re-authenticated.
    dot1x initialize PORTS (Global): Initializes the authentication status on the port.
Applying Default Value
To apply the default value to the system, use the following command:
    dot1x default PORTS (Global): Applies the default value.
Displaying 802.1x Configuration
To display 802.1x configuration, use the following command (mode: Enable):
    show do
70. stop: measures stop point only; both: measures start and stop point both.
Displaying System Authentication
To display a configured system authentication, use the following command:
    (Enable/Global) Shows a configured system authentication.
Assigning IP Address
The switch uses only the data's MAC address to determine where traffic needs to come from and which ports should receive the data. Switches do not need IP addresses to transmit packets. However, if you want to access the hiD 6610 S311 from a remote place with TCP/IP through SNMP or telnet, it requires an IP address. You can enable the interface to communicate with the switch interface on the network and assign an IP address as follows:
• Enabling Interface
• Disabling Interface
• Assigning IP Address to Network Interface
• Static Route and Default Gateway
• Displaying Interface
Enabling Interface
To assign an IP address to an interface, you need to enable the interface first. If the interface is not enabled, you cannot access it from a remote place even though an IP address has been assigned. To display whether the interface is enabled, use the command show running config. There are two ways to enable an interface: in Global Configuration mode and in Interface Configuration mode.
Global Configuration Mode
To enable an interface in Global Configuration mode
71. leasing temporary IP address. In a layer 3 network, the DHCP request packet can be sent to the DHCP server via the DHCP relay and Option 82 function.
Spanning Tree Protocol (STP)
To prevent loops and preserve a backup route in a layer 2 network, the hiD 6610 S311 supports STP (802.1D). Between STP-enabled switches, a root bridge is automatically selected and the network remains in tree topology. But the recovery time in STP is very slow (about 30 seconds). RSTP (Rapid Spanning Tree Protocol) is also provided. IEEE 802.1W defines the recovery time as 2 seconds. If there is only one VLAN in the network, traditional STP works. However, in a network with more than one VLAN, STP cannot work per VLAN. To avoid this problem, the hiD 6610 S311 supports Multiple Spanning Tree Protocol (MSTP).
Link Aggregation (Trunking)
The hiD 6610 S311 aggregates several physical interfaces into one logical port (aggregate port). Port trunk aggregates interfaces with the standard of same speed, same duplex mode, and same VLAN ID. According to IEEE 802.3ad, the hiD 6610 S311 can configure maximum 8 aggregate ports and up to 12 trunk groups.
LACP
The hiD 6610 S311 supports Link Aggregation Control Protocol (LACP), complying with IEEE 802.3ad, which aggregates multiple links of equipment to use more enlarged bandwidth.
System Management based on CLI
It is easy for users who administer sys
72. <100-10000>: after sending Join message on the system (unit: ms).
    ip igmp snooping last member query interval <100-10000> vlan VLAN ID (Global): Configures the time of registering in multicast group after sending Join message on a VLAN interface.
If you configure ip igmp snooping fast leave, it is meaningless to set the time as multicast group.
To release the waiting time for response after sending an IGMP Query message, use the following command:
    no ip igmp snooping last member query interval: Returns to the default time of registering Join message in multicast group after sending it.
    no ip igmp snooping last member query interval vlan VLAN ID: Returns to the default time of registering Join message after sending it on a VLAN interface.
To display the IGMP query parameter, use the following command (mode: Global):
    show ip igmp snooping last member query interval
    show ip igmp snooping last member query interval vlan VLAN ID
    Shows the IGMP snooping query interval configuration.
Mrouter Port
Configuring the Mrouter Port per VLAN
You can designate to which port the multicast router is connected. If you designate where the multicast router is connected, it is possible to transmit multicast packets or messages only to that port. To designate the port con
73. m E OC CU ere 56 Sale leie SSH SN lla 56 Displaying On line SSH Cent 56 Disconnecting SSH Client ura il isii 56 Displaying Connection History of SSH Cent 56 A A ee esas 57 Beete Se Vettel a 57 Fl COP EE 57 Selling access e FT Pruna ind 57 Configuring Authentication Key oooccccccoccnccccccnconocnnnononcnnonnnnnnoonanonnnnnnononnnnonnss 57 802 1x Authentication uk o9 802 TX AUINGMUCATION EE DU SS leif fe COZ IX EE DU Configuring RADIUS Server ENEE 60 Configuring Authentication Mode 61 Autrienlcadol FP ON EE 62 e A E 62 Configuring Interval for Retransmitting Request Identity Packet 62 Configuring Number of Request to RADIUS Genver 63 Configuring Interval of Request to RADIUS Genver 63 G02 1X Re AUINENT CATION iaa ia 63 Enabling 802 1x Re Authentication cccconccccoccnccnccnconcnnnncnnnoncnononcnnnnnnnnonanons 64 Configuring the Interval of He Autbentcaton 64 Configuring the Interval of Requesting Re authentication 64 802 1x Ise authen caliOr E 65 Initializing Authentication Status ooooccncococncccoccnnconononcnnononnnnoncnnnnnannnnnnanenennnns 65 Applying Default Vallle u ou iei eta ia 65 Displaying 802 1x CGonfguraton eene 65 802 1x User Authentication Statistic ooccocoonncnccoccnnoconnnnoonaroncnnarenononcnnnnnos 65 A50010 Y3 B100 2 7619 User Manual SURPASS hiD 6610 S311 R1 0 4 5 7 5 1 5 2 9 2 1 9 2 2 9 2 3 9 2
74. means source address and G means multicast group.

[Fig. 9.6 STP of PIM SM. Labels: (1) Multicast packet transmitted to RP; (2) Ask RP for multicast packet; (3) RP transmits multicast packet for the request; (4) optimized route by deleting unnecessary hops when traffic exceeds certain limit]

9.2.1 Enables PIM Configuration
To activate the PIM-SM, use the following command.

Mode: Global
Description: Enables PIM-SM and enters PIM configuration mode.

Command: no router pim
Mode: Global
Description: Disables PIM-SM.

PIM-SM supports both IGMP queries and IGMP snooping; therefore you are not able to configure them at the same time.

9.2.2 BSR and RP
There are two ways to decide RP as central of PIM-SM on multicast network. One is that network administrator manually decides RP, and the other way is that RP is automatically decided by exchanging information between multicast routers installed on network. The information transmitted between multicast routers in the automatic way is called Bootstrap message, and the router which sends this Bootstrap message is called BSR (Bootstrap Router). All PIM routers existing on multicast network can be BSR. Routers that want to be BSR are named as candidate BSR, and one router which has the highest priority becomes BSR among them. If there are routers which have same priority, then one router which has t
75. member port configure the mode of member port. There are two kinds of mode, Active mode and Passive mode, in member port. The port of Passive mode starts LACP when there is Active mode on the port of opposite switch. The priority of Active mode is higher than that of Passive mode, so that the port of Passive mode follows the port of Active mode.

If each member port of the connected switch is configured as Active mode and Passive mode, Active mode is the standard. If both switches are configured as Passive mode, link for member ports of two switches is not realized.

To configure the mode of member port, use the following command.

Command: lacp port activity PORTS {active | passive}
Mode: Bridge
Description: Configures the mode of member port. Select the member port number (default: active).

To delete an operating mode of configured member port, use the following command.

Command: no lacp port activity PORTS
Mode: Bridge
Description: Deletes operation mode of member port. Select the member port number.

Identifying Member Ports within LACP
The port configured as member port is basically configured to aggregate to LACP. However, even though the configuration as member port is not released, they could operate as independent port without being aggregated to LACP. These independent ports cannot be configured as trunk port because they are independent from being aggregated to
76. neighbor router. To display IP PIM packet statistics, use the following command.

Command: show ip pim statistics
Mode: Enable / Global
Description: Shows IP PIM statistics of multicast packets.

Command: show ip pim neighbor
Mode: Enable / Global
Description: Shows PIM neighbor routers.

9.2.10.5 PIM Debug
To activate PIM-SM debugging, use the following command.

Command: debug pim {all | igmp | mrt | neighbors | proto | proto detail | timer | register}
Mode: Enable
Description: Activates PIM debugging.
all: all PIM debugging
igmp: Enables the PIM igmp debugging.
neighbors: Enables the PIM neighbor's information debugging.
mrt: Enables multicast routing table debugging.
proto: Shows the information of PIM packets transmission.
proto detail: Shows the PIM packets route how to be transmitted.
timer: Enables the PIM timer's debugging.
register: Enables the PIM-SM register timer's debugging.

To release PIM debugging configuration, use the following command.

Command: no debug pim {all | igmp | mrt | neighbors | proto | proto detail | timer | register}
Mode: Enable
Description: Disables PIM debugging.

To show debugging information of PIM, use the following command.

Command: show debugging pim
Description: Shows the configured information for PIM debugging.

10 IP Routing Protocol

10.1 Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is, as defined in RFC 1163 and 1267, an Exterior Gateway Protocol (EGP) to connect to exterior network. BGP manages routing information in network so that Autonomous System (AS) can transmit and receive routing
77. network as a unified system. The hiD 6610 S311 provides the stacking technology's benefits for the customer. It is possible to configure stacking function for switches from 2 to 16.

The following is an example of the network where stacking is configured.

[Fig. 8.39 Example of Stacking: Internet; Switch A (Master Switch); Switch B (Slave Switch); Switch C (Slave Switch)]

A switch which is supposed to manage the other switches in stacking is named as Master switch, and the other switches managed by Master switch are named as Slave switch. Regardless of installed place or connection state, Master switch can check and manage all Slave switches.

The below steps are provided to configure stacking.

8.10.1 Switch Group
You should configure all the switches configured with stacking function to be in the same VLAN. To configure the switches as a switch group that belongs to the same VLAN, use the following command.

Command: stack device NAME
Mode: Global
Description: Configures device name or VID.

For managing the stacking function, the port connecting Master switch and Slave switch must be in the same VLAN.

8.10.2 Designating Master and Slave Switch
Designate Master switch using the following command.

Command: stack master
Mode: Global
Description: Designates Master switch.

After designating Master switch re
78. new hosts system learned on the system.

To display configured max new hosts, use the following command.

Command: show max new hosts
Mode: Enable / Global / Bridge
Description: Shows the configured Max new hosts.

If MAC that already counted disappears before passing 1 second and starts learning again, it is not counted. In case the same MAC is detected on the other port also, it is not counted again. For example, if MAC that was learned on port 1 is detected on port 2, it is supposed that MAC moved to the port 2. So it is deleted from the port 1 and learned on the port 2, but it is not counted.

7.10 Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the PCs that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the PC attached to that port is assured the full bandwidth of the port.

7.10.1 Port Security on Port

Step 1. Enable port security on the port.

Command: port security PORTS
Mode: Bridge
Description: Enables port security on the port. PORTS: selects port number.

Step 2. Set the maximum number of secure MAC address for the port.

Description: Sets a maximum number of secure
79. not occur in a switch which belongs to the non dual path LAN environment.

Root Switch
To establish STP, RSTP or MSTP function, first of all, root switch should be decided. In STP or RSTP it is named as root switch, and in MSTP it is as IST root switch. Each switch has its own bridge ID, and root switch on same LAN is decided by comparing their bridge ID. However, the user can modify root switch by configuring priority for it. The switch having the lowest priority is decided as root switch.

To change root switch by configuring priority for it, use the following command.

Command: stp mst priority MSTID RANGE <0-61440>
Mode: Bridge
Description: Configures the priority of the switch.
MSTID RANGE: select instance number 0
0-61440: priority value in steps of 4096 (default: 32768)

Command: no stp mst priority MSTID RANGE
Mode: Bridge
Description: Clears the priority of the switch. Enter the instance number.

Path cost
After deciding root switch, you need to decide to which route you will forward the packet. To do this, the standard is path cost. Generally, path cost depends on transmission speed of LAN interface in the switch. The following table shows path cost according to transmit rate of LAN interface.

You can use same commands to configure STP and RSTP, but their path costs are totally different. Please be careful not to make mistake.

Tab. 8.2 STP Path cost a
80. note that you must make one space after inputting.

    SWITCH# write
    file        Write to file
    memory      Write to NV memory
    terminal    Write to terminal
    <cr>
    SWITCH# write

3.2.2 Calling Command History
In case of installed command shell, you do not have to enter repeated command again. When you need to call command history, use this arrow key (↑). When you press the arrow key, the latest command you used will be displayed one by one.

The following is an example of calling command history after using several commands. After using these commands in order: show clock, configure terminal, interface 1, exit, press the arrow key (↑) and then you will see the commands from latest one: exit, interface 1, configure terminal, show clock.

    SWITCH(config)# exit
    SWITCH# show clock
    Mon, 5 Jan 1970 23:50:12 GMT+0000
    SWITCH# configure terminal
    SWITCH(config)# interface 1
    SWITCH(config-if)# exit
    SWITCH(config)# exit
    SWITCH#                       (press the arrow key ↑)
    SWITCH# exit                  (arrow key ↑)
    SWITCH# interface 1           (arrow key ↑)
    SWITCH# configure terminal    (arrow key ↑)
    SWITCH# show clock            (arrow key ↑)

The hiD 6610 S311 also provides the command that shows the commands used before, up to 100 lines.

Command: show history
Description: Shows a command history.

3.2.3 Using Abbreviation
Most of the commands can be used also with abbr
81. of SNMP information trap host IP ADDRESS COMMUNITY

You need to configure an SNMP trap host with the snmp trap2 host command if you manage the switch via the ACI-E.

To delete a specified SNMP trap host, use the following command.

Command: no snmp trap host IP ADDRESS
Command: no snmp trap2 host IP ADDRESS
Mode: Global
Description: Deletes a specified SNMP trap host.

Command: no snmp inform trap host IP ADDRESS
Mode: Global
Description: Deletes a specified information trap host.

You can set maximum 16 SNMP trap hosts with inputting one by one.

The following is an example of setting an SNMP trap host.

    SWITCH(config)# snmp trap host 10.1.1.3
    SWITCH(config)# snmp trap host 20.1.1.5
    SWITCH(config)# snmp trap host 30.1.1.2
    SWITCH(config)#

SNMP Trap Mode
To select an SNMP trap mode, use the following command.

Command: snmp trap mode {alarm report | event}
Mode: Global
Description: Selects SNMP trap mode according to user's network environment: alarm report or event.

• event trap mode is set by default. It means that Dasan trap OID will be used upon sending the trap if the trap mode is event.
• alarm report trap mode will be used from SLE MIB OID, which is Siemens private OID.

In order to manage hiD 6610 S311 using ACI-E, the trap mode must be set as
82. operates with MSTP, B will send its BPDU to CST root and IST root in order to request itself to be CST root. However, if any BPDU having higher priority than that of B is sent, B cannot be CST root.

For the hiD 6610 S311, the commands configuring MSTP are also used to configure STP and RSTP.

Configuring STP/RSTP/MSTP/PVSTP/PVRSTP Mode (Required)
First of all, you need to configure force version to decide the mode before STP is configured. To decide force version of the switch, use the following command.

Command: stp force version {stp | rstp | mstp | pvstp | pvrstp}
Mode: Bridge
Description: Configures force version in the bridge.

To delete STP configuration from the switch, use the following command.

Command: no stp force version
Mode: Bridge
Description: Removes force version configuration.

8.3.5 Configuring STP/RSTP/MSTP
To configure STP and RSTP, use the following steps.

Step 1. Decide STP mode using the stp force version {stp | rstp} command.
Step 2. Activate MST daemon using the stp mst enable command.
Step 3. Configure detail options if specific commands are required.

8.3.5.1 Activating STP/RSTP/MSTP
To enable or disable STP, RSTP and MSTP in the force version, use the following command.

Command: stp mst {enable | disable}
Description: Enables or disables STP, RSTP or MSTP function.

Even though STP function does not operate, loop event does
83. or TACACS server.

To designate an authentication interface, use the following command.

Command: login {radius | tacacs} interface INTERFACE [A.B.C.D]
Mode: Global
Description: Designates an authentication interface.
radius: selects RADIUS authentication
tacacs: selects TACACS authentication
INTERFACE: interface name
A.B.C.D: IP address (optional)

Primary Authentication Method
You can set the order of the authentication method with giving the priority to each authentication method. To set the primary authentication method, use the following command.

Command: login {local | remote} {radius | tacacs | host} primary
Mode: Global
Description: Sets the primary authentication method.
local: authentication for console access
remote: authentication for telnet access
radius: selects RADIUS authentication
tacacs: selects TACACS authentication
host: selects nominal system authentication (default)

4.2.4 RADIUS Server

4.2.4.1 RADIUS Server for System Authentication
To add or delete the RADIUS server for system authentication, use the following command.

Command: login radius server add A.B.C.D KEY
Mode: Global
Description: Adds the RADIUS server with its information.
A.B.C.D: RADIUS server address
KEY: authentication key value

Command: login radius server add A.B.C.D
Mode: Global
Description: Adds the RADIUS server with its information.
A.B.C.D: RADIUS server address
84. packets transmitted, 5 received, 0% packet loss, time 8050ms
    rtt min/avg/max/mdev = 11.972/21.301/30.411/8.200 ms
    SWITCH#

IP ICMP Source Routing

[Fig. 6.1 Ping Test for Network Status]

The following is to verify network status between 172.16.157.100 and 172.16.1.254 when IP address of the switch is configured as 172.16.157.100.

If you implement PING test to verify the status of network connection, ICMP request arrives at the final destination as the closest route according to the routing theory.

In the above figure, if you perform ping test from PC to C, it goes through the route of A -> B -> C. This is the general case. But the hiD 6610 S311 can enable to perform ping test from PC as the route of A -> E -> D -> C.

[Fig. 6.2 IP Source Routing]

To perform ping test as the route which the manager designated, use the following steps.

Step 1. Enable IP source routing function from the equipment connected to PC which the PING test is going to be performed.

To enable or disable IP source routing in the hiD 6610 S311, use the following command.

Mode: Global
Description: Enables IP source routing function.

Command: no ip icmp source route
Mode: Global
Description: Disables IP source routing function.

Step 2. Perform the ping test from PC as the designated route with the ping command.
85. passing through RP (Rendezvous Point). For instance, even though F needs multicast packet, the packet is passed through A -> B -> C -> D -> C -> F, not A -> B -> C -> F. Like this, route made with focusing on RP is RPT (Rendezvous Point Tree) or shared tree. There is only one RP in one multicast group. RPT has (*, G) entry because receiver can send a message to RP without knowing source. G means multicast group.

[Fig. 9.5 RPT of PIM SM. Labels: (1) Multicast packet transmitted to RP; (2) Ask RP for multicast packet; (3) RP transmits multicast packet for the request; RP: Rendezvous Point]

Also, routers on packet route automatically optimize route by deleting unnecessary hops when traffic exceeds certain limit. After route to source and multicast group connected to the source are constituted, all sources have route to connect to receiver directly.

In the below figure, packets are usually transmitted through A -> B -> C -> D, but packets are transmitted through faster route A -> C -> F when traffic is increased. SPT (Shortest Path Tree) selects the shortest route between source and receiver regardless of RP; it is called source based tree or short path tree. SPT has (S, G) entry. S
86. port. By default, it is disabled.

The BPDU filter enabled port acts as if STP is disabled on the port. This feature can be used for the ports that are usually connected to an end system, or the port that you don't want to receive and send unwanted BPDU packets. Be cautious about using this feature on STP enabled uplink or trunk port. If the port is removed from VLAN membership, corresponding BPDU filter will be automatically deleted.

BPDU Guard
BPDU guard has been designed to allow network designers to enforce the STP domain borders and keep the active topology predictable. The devices behind the ports with STP enabled are not allowed to influence the STP topology. This is achieved by disabling the port upon receipt of BPDU. This feature prevents Denial of Service (DoS) attack on the network by permanent STP recalculation. That is caused by the temporary introduction and subsequent removal of STP devices with low (zero) bridge priority.

To configure BPDU guard in the switch, perform the following procedure.

Step 1. Configure the specific port as edge port.

Command: stp edge port PORTS
Mode: Bridge
Description: Configures the port as Edge port.

Command: no stp edge port PORTS
Mode: Bridge
Description: Disables Edge port configuration.

Step 2. Configure BPDU Guard.

Command: stp bpdu guard
Mode: Bridge
Description: Configures BPDU Guard function on switch.

Command: no stp bpdu guard
Mode: Bridge
Description: Disables BPDU Guard function
87. pvst max age VLAN RANGE <6-40>

It is recommended that max age is configured less than twice of forward delay and more than twice of hello time.

To delete a configured max age, use the following command.

Command: no stp mst max age
Mode: Bridge
Description: Returns to the default max age value of STP, RSTP and MSTP.

Command: no stp pvst max age VLAN RANGE
Mode: Bridge
Description: Returns to the default max age value of PVSTP and PVRSTP.

8.3.9.4 BPDU Hop
In MSTP, it is possible to configure the number of hop in order to prevent BPDU from wandering. BPDU passes the switches as the number of hop by this function.

To configure the number of hop of BPDU in MSTP, use the following command.

Command: stp mst max hops <1-40>
Mode: Bridge
Description: Configures the number of hop for BPDU. Set the number of possible hops in the region.

Command: no stp mst max hops
Mode: Bridge
Description: Deletes the number of hop for BPDU in MSTP.

8.3.9.5 BPDU Filter
BPDU filtering allows you to avoid transmitting on the ports that are connected to an end system. If the BPDU Filter feature is enabled on the port, then incoming BPDUs will be filtered and BPDUs will not be sent out of the port.

To set the BPDU filter on the port, use the following command.

Command: stp bpdu filter {enable | disable} PORTS
Description: Forbids all STP BPDUs to go out the specific port and not to recognize incoming STP BPDUs the specific
88. ... {... | major | minor | warning | intermediate}
Mode: Global
Description: ... received within 3 test packet intervals in ERP mechanism.

Command: snmp alarm severity erp domain multi rm {critical | major | minor | warning | intermediate}
Mode: Global
Description: Sends alarm notification with the severity when a Multiple RM node is created.

Command: snmp alarm severity erp domain reach fail {critical | major | minor | warning | intermediate}
Mode: Global
Description: Sends alarm notification with the severity when there is disconnection between ERP domains.

Command: snmp alarm severity erp domain ulotp {critical | major | minor | warning | intermediate}
Mode: Global
Description: Sends alarm notification with the severity when no test packet has been received within 3 test packet intervals in one ERP port while test packets are received in the other port with ERP state.

To delete a configured severity of alarm for ERP status, use the following command.

Command: no snmp alarm severity erp domain lotp
Command: no snmp alarm severity erp domain multi rm
Command: no snmp alarm severity erp domain reach fail
Command: no snmp alarm severity erp domain ulotp
Mode: Global
Description: Deletes a configured severity of alarm for ERP status.
89. security level DESCRIPTION

The account of level 0 to level 14 without any configuring authority only can use exit and help in Privileged EXEC View mode and cannot access to Privileged EXEC Enable mode. The account with the highest level 15 has a read-write authority.

To delete the created account, use the following command.

Command: user del NAME
Mode: Global
Description: Deletes the created account.

To display the created account, use the following command.

Command: show user
Mode: Enable / Global
Description: Shows the created account.

Configuring Security Level
For the hiD 6610 S311, it is possible to configure the security level from 0 to 15 for a system account. The level 15, as the highest level, has a read-write authority. The administrator can configure from level 0 to level 14. The administrator decides which level user uses which commands in which level. As the basic right from level 0 to level 14, it is possible to use exit and help command in Privileged EXEC Enable mode and it is not possible to access to Privileged EXEC Enable mode.

To define the security level and its authority, use the following command.

Command: privilege bgp level <0-15> {COMMAND | all}
Description: Uses the specific command of BGP Configuration mode in the level.

Command: privilege bridge level <0-15> {COMMAND | all}
Description: Uses the specific command of Bridge Configuration mode in the leve
90. share IP address from 10.1.1.1 to 10.1.1.10.

Here, if client 1 and client 2 are not blocked from client 3 of DHCP server, client 1 and client 2 will request and receive IP from client 3, so that communication blockage will occur. Therefore, the filtering function should be configured between client 1 and client 3, and between client 2 and client 3, in order to make client 1 and client 2 receive IP without difficulty from DHCP server A.

To enable the DHCP server packet filtering, use the following command.

Command: dhcp server filter PORTS
Mode: Bridge
Description: Enables the DHCP server packet filtering.

Command: no dhcp server filter PORTS
Mode: Bridge
Description: Disables the DHCP server packet filtering.

[Fig. 8.34 DHCP Server Packet Filtering. Labels: DHCP Server A; Client 3, the equipment that can be a DHCP server; Request from Client 1, 2 is transmitted to Client 3; IP assigned by Client 3, not by DHCP server A; To prevent IP assignment from Client 3, DHCP filtering is needed for the port]

To see DHCP server filtering status, use the following command.

Command: show dhcp server filter
Mode: Enable / Global
Description: Displays the status of DHCP server filtering of all ports.

8.8.12 Debugging DHCP
To enable and disable the debugging DHCP us
91. show port statistics avg pps PORTS l Global cast traffic average of specified port show port statistics interface PORTS Bridge Shows MIB data of specified port ME Shows RMON statistic counters of show port statistics rmon PORTS specified port enter the port number The following is an example of displaying traffic average of port 1 SWITCH bridge show port statistics avg pkt 1 Slot Port Tx Rx Time pkts s bits s pkts s bits s DOTE L ee EE 5 sec 1 608 120 61 848 1 min 3 3 242 122 62 240 10 min 0 440 39 zv a SWITCH bridge The following is an example of displaying RMON statistic counters of port 1 SWITCH bridge show port statistics rmon 1 Port1 EtherStatsDropEvents 0 EtherStatsOctets 5 669 264 EtherStatsPkts JO ses EtherStatsBroadcastPkts 36 368 EtherStatsMulticastPkts 32 916 EtherStatsCRCAlignErrors 0 EtherStatsUndersizePkts 0 EtherStatsOversizePkts 0 EtherStatsFragments 0 EtherStatsJabbers 0 EtherStatsCollisions 0 12 A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 5 2 8 9 3 EtherStatsPkts 4Octets 165 438 EtherStatsPkts65tol270ctets 12 949 EtherStatsPkts128to255Octets 1 662 EtherStatsPkts256tob5bllOctets Sub qu EtherStatsPkts512to10230ctets 12 EtherStatsPkts1024to15180ctets 64 SWITCH bridge Otherwise to clear all recorded statistics of port and initiate use the following command na e een Enabl
92. simultaneous tagged and untagged traffic. An 802.1q port is assigned a default port VLAN ID (PVID), and all untagged traffic is assumed to belong to the port default PVID. Thus, the ports participating in the VLANs accept packets bearing VLAN tags and transmit them to the port VLAN ID.

The below functions are explained.

• Creating VLAN
• Specifying PVID
• Assigning Port to VLAN
• Deleting VLAN
• Displaying VLAN

8.1.1.1 Creating VLAN
To configure VLAN on user's network, use the following command.

Command: vlan create VLANS
Mode: Bridge
Description: Creates new VLAN by assigning VLAN ID.
VLANS: enter the number of VLAN ID from 1 to 4094

The variable VLANS is a particular set of bridged interfaces. Frames are bridged only among interfaces in the same VLAN.

8.1.1.2 Specifying PVID
By default, PVID 1 is specified to all ports. You can also configure PVID. To configure PVID in a port, use the following command.

Command: vlan pvid PORTS PVIDS
Description: Configures VLAN PVID.
PORTS: enter the port numbers
PVIDS: enter the PVIDs, 1 to 4094 (multiple entries possible)

8.1.1.3 Assigning Port to VLAN
To assign a port to VLAN, use the following command.

Command: vlan add VLANS PORTS {tagged | untagged}
Description: Assigns a port to VLAN.
VLANS: enter the VLAN ID
PORTS: enter the port number

Description: Deletes associated ports from specifie
93. source destination port number
any: any TCP source/destination port
TCP FLAG: TCP flag (e.g. S (SYN), F (FIN))
any: any TCP flag

To delete a specified packet classifying pattern, use the following command.

Command: no ethtype
Description: Deletes a specified packet classifying pattern for each option.

7.6.2.4 Rule Action
To specify a rule action (match) for the packets matching configured classifying patterns, use the following command.

Mode: Rule

Command: match deny
Description: Denies a packet.

Command: match redirect PORT
Description: Redirects to specified egress port. PORT: uplink port number.

Command: match mirror
Description: Sends a copy to mirror monitoring port.

Command: match dscp <0-63>
Description: Changes DSCP field. Enter DSCP value.

Command: match cos <0-7>
Description: Changes 802.1p class of service. Enter CoS value. 0-7: CoS value.

Command: match cos <0-7> overwrite
Description: Overwrites 802.1p CoS field in the packet. 0-7: CoS value.

Command: match cos same as tos overwrite
Description: Overwrites 802.1p CoS field in the packet same as IP ToS precedence bits.

Command: match ip prec <0-7>
Description: Changes IP ToS precedence bits in the packet. 0-7: ToS precedence value.

Command: match ip prec same as cos
Description: Changes IP ToS precedence bits in the packet same as 802.1p CoS value.

Command: match bandwidth BANDWIDTH
Description: Determines maximum allowed bandwidth (Mbps).

Command: match vlan <1-4094>
Description: Specifies matched packet VLAN ID. 1-4094: VLAN ID.

Command: match copy to cpu
Description: Copies to CPU C
94. specified IP pool at the same time Use the following command e e rees deeg FAING POOLNAME Sets Remote ID and IP Pool which will remote id ip P ADDRESS pool NAME Option 82 be permitted to be assigned IP address remote id text REMOTE ID pool NAME To remove above configurations use the following command es re rem Option 82 Deletes Remote ID and IP pool configu Configuring Remote ID amp Circuit ID After you set remote id and circuit id the switch is configured to permit the packets with these remote id and circuit id only To configure Remote id and Circuit id for limitation of the number of IP addresses Use the following command Seene See remote id hex HEXSTRING circuit id hex HEX STRING lease limit NUMBER remote id hex HEXSTRING circuit id index lt 0 65535 gt lease limit NUMBER Sets Remote ID and circuit ID which will remote id hex HEXSTRING circuit id text C R be permitted to be assigned and limits CUIT ID lease limit NUMBER the numbers of IP address remote id ip A B C D circuit id hex HEXSTRING HEXSTRING Remote id of hexadect lease limit NUMBER mal string style REMOTE ID Remote id of ASCII string Option 82 style CIRCUIT ID Circuit id of ASCII string style remote id ip A B C D circuit id index lt 0 65535 gt lease limit NUMBER remote id ip A B C D circuit id text C RCUIT ID lease limit NUMBER A B C D Remote id IP address remote id text REMOTE ID circuit id hex HEX NUMBER the numb
95. stp point to point mac PORTS {auto | force true | force false}
auto: auto detect
force true: force to point-to-point MAC
force false: force to shared MAC (not point-to-point MAC)

True means the MAC is connected to a point-to-point LAN, i.e. there is at most one other system attached to the LAN. False means the MAC is connected to a non point-to-point LAN, i.e. there can be more than one other system attached to the LAN.

To delete the point-to-point configuration, use the following command.

Command: no stp point to point mac PORT
Mode: Bridge
Description: Deletes point-to-point MAC configuration. PORT: select the port number.

Edge Ports
Edge ports are used for connecting end devices. There are no switches or spanning tree bridges after the edge port. To configure edge port mode, use the following command.

Command: stp edge port PORTS
Mode: Bridge
Description: Sets port edge mode. PORTS: select the port number.

To delete the edge port mode, use the following command.

Command: no stp edge port PORTS
Mode: Bridge
Description: Deletes port edge mode. PORTS: select the port number.

Displaying Configuration
To display the configuration after configuring STP, RSTP and MSTP, use the following command.

Description: Shows the configuration of STP, RSTP, MSTP.
Description: Shows the configuration when it is configured as MSTP.
Description: Shows the configuration of specific Inst
96. the Filter Port 279 Max Number of IGMP Join Group 280 PIM SM Protocol Independent Multicast Sparse Mode 280 Enables PIM ContflgBrallopsssss si e ente caue en pides etus ama td ase duet Gd esca 282 Seel Lab EE 282 Cotritigurnd Stalo EE 282 Bootstrap Router BSR Iotormmaton 283 IP Address of Ccandidate BSR EE 283 Priority of candidate BSR ccccssccccseseeeceeseecceseeceeseeeceeseeessageeessaneeesseaes 283 Fash mask of candidate BSR iia 283 RE MTOM Mat ON mL rrt 284 IP address of Candidate E 284 Multicast Group Registration ccoooccococcnnocccocnnnnconnncononnnnononcnnnnnanononanoss 284 Priority of Gandidate RP EE 285 Interval Of Candid ate RP iuri etas laa 285 Candidate RP Message of other members 285 Assert Message Intormaton nennen 286 MSM a 286 A pcs 286 Configuring Assert Message on specified interface 286 Cisco Router Interoperability AAA 287 Checksum of Full PIM Register Message nnnnnnnnnnennnnnnnnnnennnnnnnnnnnnnnnennne 287 Interval Of Gache ChecKk geet 288 Multicast Routing Table 288 PIM SM on Ethernet Interface AAA 289 PIM SM and Sparse Mode RENE 289 Blocking Multicast ee TE 289 Blocking Bootstrap message cccooccccoccnccnncnccnccncnncncnnnnnonnnnnnnncnnnnnrnnnnnrncnnannnonoos 289 Displaying PIM SM Information n 290 M lticast Routing WEE 290 RP Ela 290 PIM SM of Ethernet Interface 290 Statistics and neig
97. the config Internet AS Route Filtering: As with filtering information by network address on a BGP network, it is possible to filter information going through an AS. Policies applied to decide the route are registered in an access list. To filter routing information by AS, configure a filtering policy in an access list and apply the policy to the neighbor router. Define specific AS in access list: ip as path access list WORD permit deny LINE (Global mode): Defines specific AS in access list. WORD: enter the access list number. LINE: enter the expression. BGP Filtering through Prefix Lists: When you restrict BGP routes, a prefix list is preferred over an access list for the following reasons: saving time to search and apply data in case of massive filter lists; unlimited registration in filter lists; easy to use. Before applying a prefix list, the user should configure the prefix list. The user can assign a number to each policy registered in the prefix list. Traffic Filtering Operation through Prefix Lists: Filtering through a prefix list processes routing information in a specific order by applying the policy defined in the filter list. It is similar to an access list, but there are more detailed rules, as follows: Allows all network information if there is no defined policy in prefix list. Rejects specified network information unless policy applie
98. the following command. Shows system memory information. show memory bgp dhcp imi lib nsm ospf pim rip (Enable, Global modes): Shows system memory information with a specific option. 6.3.9 Average of CPU Load: It is possible to display average of CPU load using the following command. show cpuload (View, Enable, Global modes): Shows threshold of CPU utilization and average of CPU utilization. 6.3.10 Statistics of CPU Load: It is possible to display CPU load statistics using the following command. Shows the CPU statistics of the average of multicast broadcast packets (Enable, Global modes). Shows the CPU statistics of all the packets of unicast multicast broadcast. The following is an example of displaying the statistics of CPU load: SWITCH show cpu statistics total 26 Port Tx RX EE WE E Time pkts bits pkts bits POLE 26 EE Ucast 961 623 816 1 310 672 192 Mcast O O 32 548 16 677 064 Bcast O O E 507688 176 SWITCH show cpu statistics avg pkt 26 Port Tx RX Z LE E E T Time pkts s bits s pkts s bits s POLE 2600 Ve Ucast 5 sec l 512 1 920 1 min 3 2 092 3 14952 10 min 0 688 1 520 Mcast ASCO 0 0 0 200 1I min 0 0 0 256 10 min 0 0 0 256 Bcast 5 sec 0 0 2 1 480 1 min 0 0 0 544 10 min 0 0 1 1 02
99. the interface is not able to access the Master Router. If the link to the VRRP master router is down, as in the figure shown below, or the link of the Master Router cannot be recognized, communication would be impossible. For the hiD 6610 S311, you can configure the Master Router to be changed by giving a lower Priority to the Master Router when the link of the Master Router is disconnected. This function is VRRP Track. [Fig. 8.29 VRRP Track. Figure annotations: 1. Link Down. 2. If the interface doesn't recognize the link down, it is supposed to be inaccessible to Master Router; therefore the users on the interface are not able to communicate. 3. Countermeasure: if link down happens, by giving low priority automatically to Master Router, Master Router will be changed at the same time as the link down.] To configure VRRP Track, use the following command. track interface INTERFACE priority <1-254>: Configures VRRP Track. The Priority becomes lower as the configured value. To release VRRP Track configuration, use the following command. no track interface INTER
100. the level to debug. The following is an example of configuring syslog message to send all logs higher than notice to remote host 10.1.1.1 and configuring local1 info to transmit to console: SWITCH config syslog output notice remote 10.1.1.1 SWITCH config syslog output priority local1 info console SWITCH config show syslog System logger on running info local volatile info local non volatile notice remote 10.1.1.1 Local 1 sito console SWITCH config Facility Code: You can set a facility code for the generated syslog messages. This code distinguishes a syslog message from others, so the network administrator can handle various syslog messages efficiently. To set a facility code, use the following command. syslog local code <0-7>: Sets a facility code. no syslog local code: Deletes a specified facility code. The following is an example of configuring the priority of all syslog messages transmitted to remote host 10.1.1.1 with the facility code 0: SWITCH config syslog output err remote 10.1.1.1 SWITCH config syslog local code 0 SWITCH config show syslog System logger on running info local volatile info local non volatile err remote 10.1.1.1 local_code 0 SWITCH config Syslog Bind Address: You can specify IP address
101. to the maximum rate of the port as a default threshold port PORTS THRESHOLD 5 60 600 rx Global. To show a configured threshold of port traffic, use the following command. show port threshold (Enable, Global modes): Shows a configured threshold of port traffic. Fan Operation: The system fan will operate depending on a configured fan threshold. To set a threshold of port traffic use the following command. threshold fan START TEMP STOP TEMP (Global mode): Sets a threshold of fan operation in the unit of centigrade (°C). START TEMP: starts fan operation (default 30). STOP TEMP: stops fan operation (default 0). no threshold fan: Deletes a configured threshold of fan operation. When you set a threshold of fan operation, START TEMP must be higher than STOP TEMP. To show a configured threshold of fan operation, use the following command. show status fan (Enable, Global, Bridge modes): Shows a status and configured threshold of fan operation. System Temperature: To set a threshold of system temperature, use the following command. threshold temp OVERLOAD UNDERLOAD (Global mode): Sets a threshold of system temperature in the unit of centigrade (°C). OVERLOAD: Overload Threshold temperature between 40 100 (default 80). UNDERLOAD: Underload Threshold temperature be
102. tween 40 100. no threshold temp: Deletes a configured threshold of system temperature. To show a configured threshold of system temperature, use the following command. show status temp (Enable, Global modes): Shows a status and configured threshold of system temperature. System Memory: To set a threshold of system memory in use, use the following command. threshold memory <20-100> (Global mode): Sets a threshold of system memory in the unit of percent. 20-100: system memory in use. Configuration Management: You can verify if the system configurations are correct and save them in the system. This section contains the following functions: Displaying System Configuration; Saving System Configuration; Auto Saving; System Configuration File; Restoring Default Configuration. Displaying System Configuration: To display a current running configuration of the system, use the following command. show running config: Shows a configuration of the system. show running config admin rule arp bridge dns full hostname instance interface INTERFACE login pm qos rmon alarm rmon event rmon history router bgp pim rip ospf vrrp rule snmp syslog time out time zone tim: Shows a configuration of the system with the specific option.
103. use the following command. clear ip dhcp snooping PORTS ADDRESS M (Enable, Global modes): Deletes IP address on DHCP Snooping table. A B C D M: IP address of DHCP snoop entry. Displaying DHCP Statistics and Configuration: On the hiD 6610 S311, the user can verify and delete the statistics of DHCP packets transmitted to other switches with the commands below. show ip dhcp statistics (Enable, Global, Bridge modes): Shows DHCP packet statistics. clear ip dhcp statistics: Deletes DHCP packet statistics information. Lease Database Back up & Reset: For the hiD 6610 S311, it is possible to save the DHCP lease database. To back up the DHCP lease database, use the following command. ip dhcp leasedb backup IP ADDRESS <1-2147483637> (Global mode): Backs up DHCP lease database and configures the interval. 1-2147483637: interval time for back up; unit is second. no ip dhcp leasedb backup: Deletes back up of lease database. To reset the DHCP lease database, use the following commands. clear ip dhcp leasedb IP ADDRESS M (Enable, Global, Bridge modes): Resets a DHCP lease database per subnet. clear ip dhcp leasedb pool POOL NAME: Resets a DHCP lease database per IP pool. clear ip dhcp leasedb all: Resets entire DHCP lease database. DHCP Filtering: DHCP Packet Filtering: For the hiD 6610 it is possible to bloc
104. use the following command. snmp alarm severity adva fan fail critical major minor warning intermediate (Global mode): Sends alarm notification with the severity when ADVA informs fan fail. snmp alarm severity adva if misconfig critical major minor warning intermediate: Sends alarm notification with the severity when ADVA informs there's any misconfiguration. snmp alarm severity adva if opt thres critical major minor warning intermediate: Sends alarm notification with the severity when ADVA informs traffic is over threshold on optical interface. snmp alarm severity adva if rcv fail critical major minor warning intermediate: Sends alarm notification with the severity when ADVA informs to fail to receive the packets. snmp alarm severity adva if sfp mismatch critical major minor warning intermediate: Sends alarm notification with the severity when ADVA informs SFP module is mismatched. snmp alarm severity adva if trans fault critical major minor warning intermediate: Sends alarm notification with the severity when ADVA informs to fail to transmit the packets. snmp alarm severity adva psu fail critical: Sends alarm notification with the severity when ADVA
105. when object used for sample inquiry is less than lower bound of threshold, you should configure lower bound of threshold. To configure lower bound of threshold, use the following command. falling threshold NUMBER (RMON mode): Configures lower bound of threshold. After configuring lower bound of threshold, configure to generate RMON event when object is less than configured threshold. Use the following command. falling event <1-65535> (RMON mode): Configures to generate RMON alarm when object is less than configured threshold. Configuring Standard of the First Alarm: It is possible for users to configure the standard by which the first alarm occurs. The user can select the first point when object is more than threshold, or the first point when object is less than threshold, or the first point when object is more than threshold or less than threshold. To configure the first RMON alarm to occur when object is less than lower bound of threshold first, use the following command. startup type falling (RMON mode): Configures the first RMON Alarm to occur when object is less than lower bound of threshold first. To configure the first alarm to occur when object is firstly more than upper bound of threshold, use the following command. startup type rising (RMON mode): Configures the first Alarm to occur when object is firstly more than upper bound of threshold.
106. will logically block the protected VLANs on its secondary port and generate a RM link up packet to make sure that all transit nodes are properly reconfigured. This completes fault restoration and the ring is back in normal state. [Fig. 8.37 Link Failure Recovery] [Fig. 8.38 Ring Recovery] Loss of Test Packet (LOTP): ERP recognizes the Link Failure using Loss of Test Packet (LOTP). RM Node regularly sends RM Test Packet message. If the message is not retransmitted to RM Node through Ethernet Ring, it means that Loop doesn't occur. Therefore, RM Node unblocks Secondary port. The condition that RM Test Packet from RM Node doesn't return is LOTP state. On the other hand, if RM Test Packet is retransmitted to RM Node through Ethernet Ring, Loop may occur. In this condition, RM Node blocks Secondary port. Configuring ERP: ERP Domain: To realize ERP you should f
107. Syslog: The syslog is a function that allows the network element to generate the event notification and forward it to the event message collector like a syslog server. This function is enabled as default, so even though you disable this function manually, the syslog will be enabled again. This section contains the following contents: Syslog Output Level; Facility Code; Syslog; Enabling Syslog; Displaying Syslog Message; Displaying Syslog Configuration. Syslog Output Level: Syslog Output Level without a Priority: To set a syslog output level, use the following command. syslog output emerg alert crit err warning notice info debug console (Global mode): Generates a syslog message of selected level or higher and forwards it to the console. syslog output emerg alert crit err warning notice info debug local volatile non volatile: Generates a syslog message of selected level or higher in the system memory. volatile: deletes a syslog message after restart. non volatile: reserves a syslog message. syslog output emerg alert crit err warning notice info debug remote IP ADDRESS: Generates a syslog message of selected level or higher and forwards it to a remote host. To disable a specified syslog output, use the following command. no syslog output emerg
108. [Fig. 8.3 QinQ Frame: Ethernet frame using 802.1Q tunneling] The port connected to the Service Provider is the Uplink port (internal), and the port connected to the customer is the Access port (external). Tunnel Port: By tunnel port we mean a LAN port that is configured to offer 802.1Q tunneling support. A tunnel port is always connected to the end customer, and the input traffic to a tunnel port is always 802.1Q tagged traffic. The different customer VLANs existing in the traffic to a tunnel port shall be preserved when the traffic is carried across the network. Trunk Port: By trunk port we mean a LAN port that is configured to operate as an interswitch link port capable of carrying double tagged traffic. A trunk port is always connected to another trunk port on a different switch. Switching shall be performed between trunk ports and tunnel ports and between different trunk ports. Double Tagging Operation: Step 1: If there is no SPVLAN Tag on received packet, SPVLAN Tag is added. SPVLAN Tag: TPID: configured TPID; VID: PVID of input port. Step 2: If received packet is tagged with CVLAN, the switch transmits it to uplink port changing to SPVLAN CVLAN. When TPID value of received packet is same with TPID of port it recognizes a
109. 1 8 4 1 2 8 4 1 3 8 4 1 4 8 4 1 5 8 4 1 6 8 4 1 7 8 5 8 5 1 8 5 2 8 6 8 6 1 8 6 2 8 7 8 8 8 8 1 8 8 2 8 8 2 1 8 8 2 2 8 8 2 3 8 8 2 4 8 8 2 5 8 8 2 6 8 8 2 7 8 8 2 8 8 8 2 9 8 8 2 10 8 8 3 8 8 4 8 8 5 8 8 5 1 8 8 5 2 8 8 6 8 8 6 1 8 8 6 2 8 8 6 3 8 8 6 4 8 8 6 5 8 8 6 6 8 8 7 8 8 7 1 User Manual SURPASS hiD 6610 S311 R1 0 FO Ward Delay ET 215 Max e aa er 215 P 08 polo PA o o et teen oa ice ee 216 SA ettet e oM M E DE LLL E MA ELE 216 Ee 216 ee ele BIS leise ic 217 Displaying BPDU Contguraton 218 Sample COntIgura lO a MT 219 VRRP Virtual Router Redundancy Hrotocolt 221 Gontigurnhg VRRP EE 222 Associated IP Address 222 Access to Associated IP Address oooccconnccoconocononccconnccnanocona nono nncnnnnnonanos 223 Master Router and Backup Router aannannnannennnnnnsnnnennsnnrnnnnnnnrrrsrrnnrrsnrrnnene 223 VRRP Track FUNCION ceea O E 225 Authentication PassWord cintas oo lio idad 226 A o E O cae ee eat ne eas de pen ee 227 VRRP SAISIO S MGR PRENNE E NR NE REUS Pr pen 228 ECH Le UE 229 Contiguling Rate Limusina o e gets leaves access EQ ge nes 229 Salnple COmNGUPALIOMN EE 229 lOO KEEN 230 Configuring Flood Guard 230 Sample Configura thoni eege eats eas 230 size e er eedvaaiesess 231 Dynamic Host Configuration Protocol OHCR 232 Bis IEN 233 Bis L ee EE 233 UA D EM 233 Bis lei Ge Meint EE 234 Subnet Default Gateway
110. You can configure IGMP Snooping with PIM SM as in Fig. 9.3. If more than one port is on the same interface and the hiD 6610 S311 is located at a Layer 3 boundary, IGMP Snooping and PIM SM should be configured at the same time. [Fig. 9.3 IGMP Snooping and PIM SM Configuration Network] Internet Group Management Protocol (IGMP): Internet Group Management Protocol (IGMP) depends on hosts and routers that support multicasting. It lets the whole system on a network know which hosts belong to multicast groups. IGMP is not a multicast routing protocol but a group management protocol. Multicast routers can receive thousands of multicast packets from other groups. If a router does not have any information on host membership, it has to broadcast the packets. This wastes bandwidth. To solve this problem, one list of group members is kept updated. IGMP helps the multicast router to create and renew the list. Enabling IGMP Snooping per VLAN: The hiD 6610 S311 supports 256 Snooping Membership Group Table that are managed by each VLAN. Snooping supports Enable/Disable by VLAN independently. By default, IGMP snooping is globally disabled on the switch. To enable/disable global IGMP, use the following steps. Step 1: Open Global Configuration mode using configure terminal command. Step 2: Enable IGMP snooping in all e
111. 8.1.7.2 Shared VLAN: This chapter is only for Layer 2 switch operation. The hiD 6610 S311 is a Layer 3 switch, but it can be used for Layer 2 also. Because there is no routing information in a Layer 2 switch, the VLANs cannot communicate with each other. In particular, the uplink port should receive packets from all VLANs. Therefore, when you configure the hiD 6610 S311 as a Layer 2 switch, the uplink ports have to be included in all VLANs. [Fig. 8.4 In Case Packets Going Outside in Layer 2 environment (output of show vlan in bridge mode)] With the above configuration, if an untagged packet comes into port 1, it is tagged with 1 for PVID 1. Because the uplink port 24 is also included in the default VLAN, the packet can be transmitted to port 24. However, a problem can occur for untagged packets coming down to the uplink ports. If an untagged packet comes to the uplink ports from the outer network, the system does not know which PVID it has and where it should forward it. Untagged packets come from the uplink ports. The packets should be forwarded to br3, but the system cannot know which PVID added to the packet
112. 4 SWITCH Running Process: The hiD 6610 S311 provides a function that shows information of the running processes. The information with this command can be very useful to manage the switch. To display information of the running processes, use the following command. Shows information of the running processes (Enable, Global modes). The following is an example of displaying information of the running processes: SWITCH show process USER PID SCPU SMEM VSZ RSS TTY STAT START TIME COMMAND admin 1 0 2 0 2 1448 596 S 20412 005 Init 3 admin 2 0 0 0 0 0 0O S 20 12 0 00 keventd admin 3 0 0 0 0 0 0 SN 20 12 0 00 ksoftirqd_ CPUO0 admin 4 Ech 0 0 0 0O S 20 12 0 00 kswapd admin 5 0 0 0 0 0 D E S 20 12 0 00 bdflush admin 6 0 0 0 0 0 O X S 20 12 0 00 kupdated admin 7 0 0 0 0 0 0 S 20 12 0 00 mtdblockd admin 8 0 0 0 0 0 0 SW 20 12 0 00 bcmDPC admin 9 1 4 0 0 0 0 SW 20 12 0 29 bomcNIR 0 admin 10 1 4 0 0 0 Qn E SW 20 12 0 29 bcmCNTR 1 admin 17 0 0 0 0 0 0 SWN 20 12 0 00 jffs2_gcd_mtd3 admin 149 0 0 0 3 1784 d Sr 2 S Jan01 0 00 sbin syslogd m admin 151 0 0 sz 1428 544 S Jan01 0 00 sbin klogd c 1 admin 103 Za 2 0 20552 5100 S 20 12 0 53 usr sbin swchd more Omitted SWITCH Displaying System Image: To check a current system image version use the follo
113. 62 eth01 00 14 c2 dqd9 8a b5 OK 56762 eth01 00 01 02 5017 d6 p9 OK 72 62 eth01 00 0d 9d 8c 00 ee OK ee Oe eth01 00 15 00 39 4d 2e OK 92 62 eth01 00 0e e8 8b 24 ae OK 115 48 eth01 00 14 c2 qd9 4c f0 OK 115 48 eth01 00 0bpb 5d 53 4d 96 OK 124 62 eth01 00 13 20 4b 05 af OK T3262 eth01 00 0e e8 f0 b3 63 OK T2292 skipped SWITCH config 6.3.6 Running Time of System: To display running time of the system, use the following command. Shows running time of the system (Enable, Global modes). The following is an example of displaying running time of the system: SWITCHf show uptime O34 lam up 15 days 10 55 0 users load average 0 05 0 07 0 01 SWITCH 6.3.7 System Information: To display the system information, use the following command. show system (Enable, Global modes): Shows the system information. The following is an example of displaying the system information of hiD 6610 S311: SWITCH config show system SysInfo System Information Model Name SURPASS hiD6610 311 Main Memory Size 128 MB Flash Memory Size 8 MB INTEL 28F640J3 32 MB INTEL 28F256J3 S W Compatibility 3 7 H W Revision DS T3 07F 4A2 NOS Version 3 06 B L Version 4 69 H W Address 00 d0 cb 27 01 66 PLD Version 0x10 Serial Number N A SWITCH config 6.3.8 System Memory Information: To display a system memory status use
114. To clear configured hello time, use the following command. no stp mst hello time (Bridge mode): Returns to the default hello time value of STP, RSTP and MSTP. no stp pvst hellow time VLAN RANGE: Returns to the default hello time value of PVSTP and PVRSTP. Forward Delay: It is possible to configure forward delay, which means the time a port takes to go from listening to forwarding. To configure forward delay, use the following command. stp mst forward delay <4-30> (Bridge mode): Modifies forward delay in STP, RSTP or MSTP; enter a delay time value (default 15). stp pvst forward delay VLAN RANGE <4-30>: Modifies forward delay in PVSTP and PVRSTP; enter a delay time value of VLAN (default 15). To delete a configured forward delay, use the following command. no stp mst forward delay: Returns to the default value of STP, RSTP and MSTP. no stp pvst forward delay VLAN RANGE: Returns to the default value of PVSTP and PVRSTP per VLAN. Max Age: Max age shows how long path message is valid. To configure max age to delete useless messages, use the following command. stp mst max age <6-40>: Configures max age of route message of STP, RSTP or MSTP; enter a max age time value (default 20). Configures max age of route message of PVSTP, PVRSTP; enter a max age time value of VLAN (default 20). stp
115. ACH; BPDU Transmission Rate; Key value of Member Port; Priority; Displaying LACP Configuration. Configuring LACP: Step 1: Activate LACP function using the following command. lacp aggregator AGGREGATIONS: Enables LACP of designated Aggregator number. AGGREGATIONS: select aggregator ID that should be enabled for LACP (valid value from 0 to 13). no lacp aggregator AGGREGATIONS: Disables LACP for designated Aggregator number; select the aggregator ID that should be disabled for LACP. Step 2: Configure the physical port that is a member of aggregated port. In order to configure the member port, use the following command. lacp port PORTS (Bridge mode): Configures physical port that is member port of aggregator; select the port number(s) that should be enabled for LACP. no lacp port PORTS: Deletes member port of Aggregator; select the port number(s) that should be disabled for LACP. Packet Route: When packets enter a logical port integrating several ports, if there is no process to decide the packet route, it is not possible to use the logical port effectively, because packets focus on a particular member port. If these packets enter a logical port aggregating several ports and there's no way to decide the packet route, the packets could be gathered on a particular member port so that it i
116. C Siemens AG 2005 2006 Issued by the Communications Group Hofmannstra e 51 D 81359 M nchen Technical modifications possible Technical specifications and features are binding only insofar as they are specifically and expressly agreed upon in a written contract 2 A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 S311 R1 0 Reason for Update Summary Updated for Issue 2 Details 9828 Padress Asinment witout CID added ess sou ed eses mze TamtPecketadded esee impies DHCP opio ed esr nar ot es ess ss 9912 m A50010 Y3 B100 2 7619 3 UMN CLI User Manual SURPASS hiD 6610 S311 R1 0 Issue History Issue Date of Issue Reason for Update Number 02 2005 Initial release 04 2006 Updated for version 2 4 A50010 Y3 B100 2 7619 User Manual SURPASS hiD 6610 S311 R1 0 UMN CLI This document consists of a total of 310 pages All pages are issue 2 Contents 1 Iedeere tee EE 19 1 1 Auden a 19 1 2 Document Sucre naa a a 19 1 3 DocUmentCGOA VEO ia 20 1 4 Document Nota lo nta ia ca 20 1 5 GE Declaration of Conformado 20 1 6 GPL LGPL Warranty and Liability Exclusion eeeeee esses 21 2 SNES aO n 22 2 1 SA a eee awa 23 3 Command Line Interface CIE 25 3 1 Command Mod St ocios 25 3 1 1 Privileged EXEC View Mode AA 27 3 1 2 Privileged EXEC Enable Mode 27 3 1 3 Global Configuration Mode 27 3 1 4 Bridge Configuration Mode 28 3
117. C En passwd enable PASSWORD Global able mode. passwd enable 8 PASSWORD: Configures an encrypted password. By default, password enable does not support encryption. Therefore, it shows the password string as it is when you use the show running config command. In this case, the user's password is shown to everyone, which is an insecure environment. To encrypt the password that will be shown in the running config, you should use the service password encryption command. To indicate that the password string is encrypted, input 8 before the encrypted string. When you use the password enable command with 8 and the string, you enter Privileged EXEC Enable mode with the encrypted string. Therefore, to log in to the system, you should use the encrypted string that you configured after 8 as the password. In short, whether the next string is encrypted or not depends on whether the 8 option is used. The following is an example of configuring the password in Privileged EXEC Enable mode as testpassword: SWITCH configure terminal SWITCH config passwd enable testpassword SWITCH config The following is an example of accessing after configuring the password: SWITCH login admin Password SWITCH> enable Password SWITCH To delete the configured password, use the following command. no passwd enable (Global mode): Deletes the password. The created password can be displayed with the command show running config
118. snmp trap fan (Global mode): Configures the system to send SNMP trap when the fan begins to operate or stops. snmp trap power: Configures the system to send SNMP trap when any problem occurs in power. snmp trap module: Configures the system to send SNMP trap when there is any problem in module. 7.1.8.4 Disabling SNMP Trap: To disable SNMP trap, use the following command. no snmp trap auth fail; no snmp trap cold start; no snmp trap link up PORTS NODE; no snmp trap link down PORTS NODE; no snmp trap dhcp lease (Global mode): Disables each SNMP trap. When you use the no snmp command, all configurations concerning SNMP will be deleted. 7.1.8.5 Displaying SNMP Trap: To display a configuration of SNMP trap, use the following command. show snmp trap (Enable, Global modes): Shows a configuration of SNMP trap. The following is an example of configuring IP address 10.1.1.1 as trap host, 20.1.1.1 as trap2 host and 30.1.1.1 as inform trap host: SWITCH config snmp trap host 10.1.1.1 SWITCH config snmp trap2 host 20.1.1.1 SWITCH config snmp inform trap host 30.1.1.1 SWITCH config show snmp trap Trap Host List IHnrorm trapenost Ue eech 104 trap2 host ZU El Liop nost LOST 1 1 Trap List Irap type status auth fail enable cold sStart enable cpu threshold enable po
119. D all; no privilege rmon alarm level 0 15 COMMAND all; no privilege rmon event level 0 15 COMMAND all; no privilege rmon history level 0 15 COMMAND all; no privilege route map level 0 15 COMMAND all; no privilege rule level 0 15 COMMAND all; no privilege view level 0 15 COMMAND all; no privilege vrrp level 0 15 COMMAND all. To display a configured security level, use the following command. show privilege (View, Enable, Global modes): Shows a configured security level. show privilege now: Shows a security level of current mode. The following is an example of creating the system account test0 having a security level 10 and test1 having a security level 1 without password: SWITCH config user add test0 level 0 level0user Changing password for testO0 Enter the new password minimum of 5 maximum of 8 characters Please use a combination of upper and lower case letters and numbers Enter new password Enter Bad password too short Warning weak password continuing Re enter new password Enter Password changed SWITCH config user add testl level 1 levelluser Changing password for testl Enter the new password minimum of 5 maximum of 8 characters Please use a combination of upper and lower case letters and numbers Enter new password Enter Bad
120. D and Root switch on same LAN is decided by comparing their Bridge ID. However, the user can change the Root switch by configuring a Priority for it. The switch having the lowest priority is decided as Root switch. To change the Root switch by configuring a Priority for it, use the following command. stp pvst priority VLAN RANGE <0-61440> (Bridge mode): Configures a priority of switch. no stp pvst priority VLAN RANGE: Clears a priority of switch. Path cost: After deciding the Root switch, you need to decide to which route you will forward the packet. The standard for this is path cost. Generally, path cost depends on the transmission speed of the LAN interface in the switch. In case the route is overloaded based on path cost, it is better to take another route. Considering the situation, the user can configure the path cost of the Root port in order to designate the route manually. To configure path cost, use the following command. stp pvst path cost VLAN RANGE PORTS <1-200000000> (Bridge mode): Configures path cost to configure route on user's own. no stp pvst path cost VLAN RANGE PORTS: Clears path cost configuration. Port priority: When all conditions of two switches are the same, the last standard to decide the route is port priority. It is also possible to configure port priority so that the user can configure the route manually. To configure port priority, use the following command. stp pvst port priority vo Configur
121. DHCP packets to a DHCP server. The DHCP server can use this information to implement security and IP address assignment policies.

There are 2 sub-options for the DHCP option 82 information, as follows:
- Remote ID: This sub-option may be added by DHCP relay agents which terminate switched or permanent circuits and have mechanisms to identify the remote host of the circuit. Note that the remote ID must be globally unique.
- Circuit ID: This sub-option may be added by DHCP relay agents which terminate switched or permanent circuits. It encodes an agent-local identifier of the circuit from which a DHCP client-to-server packet was received. It is intended for use by DHCP relay agents in forwarding DHCP responses back to the proper circuit.

To specify a remote ID, use the following command.
Command / Description (mode: Option 82)
system remote id hex HEXSTRING
system remote id ip A.B.C.D
system remote id text REMOTE ID
Specifies a remote ID (default: system MAC address).

To specify a circuit ID, use the following command.
Command / Description (mode: Option 82)
system circuit id PORTS hex HEXSTRING
system circuit id PORTS index <0-65535>
system circuit id PORTS text CIRCUITID
Specifies a circuit ID.
122. E EXCEEDED ICMP PARAMETERPROB 12 ICMP TIMESTAMP ICMP TIMESTAMPREPLY 14 ICMP INFO REQUEST ICMP INFO REPLY 16 ICMP ADDRESS
Tab. 7.1 ICMP Message Type

The following figure shows simple ICMP message construction.
[Figure: ICMP message layout. Bits 0-7: 8-bit Type; bits 8-15: 8-bit Code; bits 16-31: 16-bit Checksum; followed by contents that depend on Type and Code.]

It is possible to control ICMP message through user's configuration. You can configure to block the echo reply message to the partner who is doing ping test to device, and the interval to transmit ICMP message.

Blocking Echo Reply Message
It is possible to configure block echo reply message to the partner who is doing ping test to switch. To block echo reply message, use the following commands.
Command / Description (mode: Global)
ip icmp ignore echo all: Blocks echo reply message to all partners who are taking ping test to device.
ip icmp ignore echo broadcast: Blocks echo reply message to partner who is taking broadcast ping test to device.

To release the blocked echo reply message, use the following commands.
Command / Description (mode: Global)
no ip icmp ignore echo all: Releases blocked echo reply message to all partners who are taking ping test to device.
no ip icmp ignore echo broadcast: Releases blocked echo reply message to partner who is taking broadcast ping test to device.

7.14.2 Interval for Transmit ICMP Message
User can configure the inte
123. E Gigabit Ethernet
hiD: Access Products in SURPASS Product Family
HW: Hardware
I2C: Inter-Integrated Circuit interface
ID: Identifier
IEC: International Electrotechnical Commission
IEEE 802: Standards for Local and Metropolitan Area Networks
IEEE 802.1: Glossary, Network Management, MAC Bridges, and Internetworking
IEEE: Institute of Electrical and Electronics Engineers
IETF: Internet Engineering Task Force
IGMP: Internet Group Management Protocol
IP: Internet Protocol
IRL: Input Rate Limiter
ISP: Internet Service Provider
ITU: International Telecommunication Union
ITU-T: International Telecommunication Union, Telecommunications standardization sector
L2: Layer 2
LACP: Link Aggregation Control Protocol
LAN: Local Area Network
LCT: Local Craft Terminal
LLC: Logical Link Control
LLDP: Link Layer Discovery Protocol
LOF: Loss of Frame
LOL: Loss of Link
LOS: Loss of Signal
LPR: Loss of Power
MAC: Medium Access Control
NE: Network Element
OAM: Operation, Administration and Maintenance
ORL: Output Rate Limiter
OS: Operating System
OSPF: Open Shortest Path First
PC: Personal Computer
PPP: Point to Point Protocol
PPPoE: PPP over Ethernet
QoS: Quality of Service
RFC: Request for Comments
RIP: Routing Information Protocol
RSTP: Rapid Spanning Tree Protocol
RTC: Real Time Clock
SA SFP SNMP STP SW TCP
124. ET MASK Configures static route GATEWAY null <1-255> A.B.C.D destination IP prefix ip route A.B.C.D/M SUBNET MASK null <1-255> src IP ADDRESS
Parameters: A.B.C.D: destination IP prefix. GATEWAY: IP gateway address. 1-255: distance value. Mode: Global.
no ip route A.B.C.D SUBNET MASK GATEWAY null <1-255>
no ip route IP ADDRESS/M SUBNET MASK null <1-255>
Deletes configured static route.

To configure default gateway, use the following command on Global Configuration mode.
Command / Description (mode: Global)
ip route default GATEWAY null <1-255>: Configures default gateway. GATEWAY: IP gateway address.
no ip route default GATEWAY null <1-255>: Deletes default gateway.

The following is an example of configuring static route to reach three destinations which are not directly connected.
SWITCH(config)# ip route 100.1.1.0/24 10.1.1.2
SWITCH(config)# ip route 200.1.1.0/24 20.1.1.2
SWITCH(config)# ip route 172.16.1.0/24 30.1.1.2

To display configured static route, use the following command.
Command / Description (modes: Enable, Global)
show ip route {A.B.C.D | A.B.C.D/M | summary | static}: Shows configured routing information.
show ip route database static: Shows configured routing information with IP routing table database.

4.3.5 Displaying Interface
To display interface status and configuration use the following co
125. Enables the IGMP snooping querier on a VLAN inter ip igmp snooping querier vlan Global VLAN ID face VLAN ID 1 4094 To disable IGMP querier use the following command a Wm Denm no ip igmp snooping querier Disables the IGMP snooping querier the IGMP Disables the IGMP snooping querier querier Global Disables the IGMP snooping querier on a VLAN inter no ip igmp snooping querier vlan VLAN ID face VLAN ID 1 4094 To display IGMP query parameter use the following command e me NN show ip igmp snooping querier show ip igmp snooping querier igmp snooping querier nable show ip igmp snooping querier Shows the IGMP snooping querier is enabled Global vlan VLAN ID IGMP v2 Snooping Last Member Interval When receive Leave Message from host in IGMP v2 Queries sends Specific Query and check whether there is Multicast Group Member Basically if Membership Report about First Specify Query does not come after 1 second send second Specific Query If there is no response also it deleted from Membership Table Last member interval is the value to regulate gap between first Specific Query and second Specific Query By limiting Inter val value IGMP v2 function and fast Leave can be implemented To send IGMP Query message and configure the respond time use the following com mand es me NN ip igmp snooping last member Configures the time of registering in multicast group query interval
126. FACE VRRP Disables VRRP Track configuration.

Authentication Password
If anyone knows Group ID and Associated IP address, he can configure another device as a Virtual Router. To prevent this, user needs to configure a password, named authentication password, that can be used only in the Virtual Router the user configured.

To configure an authentication password for security of Virtual Router, use the following command on VRRP configuration mode.
Command / Description (mode: VRRP)
authentication clear_text PASSWORD: Configures an authentication password.
no authentication: Deletes a configured authentication password.

Authentication password can be configured with maximum 7 digits.

The following is an example of configuring Authentication password in Virtual Router as network and showing it.
SWITCH(config-router)# authentication clear_text network
SWITCH(config-router)# show running-config
Building configuration...
(Omitted)
vrrp default 1
authentication clear_text network
associate 10 0 0
no snmp
SWITCH(config-router)#

8.4.1.6 Preempt
Preempt is a function by which an added device with the highest Priority the user gave is automatically configured as Master Router, without rebooting or specific configuration, when you add another device after Virtual Router is configured.

To configure Preempt use the following command on VRRP configuration mode
127. HCP pool use the following command e e res default gateway A B C D1 KE Specifies a default gateway of the DHCP pool 00 A B C D2 A B C D8 A B C D default gateway IP address The following is an example for configuring subnet default gateway SWITCH config ip dhcp pool test SWITCH config dhcp test SWITCH config dhcp test subnet 100 1 1 0 24 SWITCH config dhcp test default gateway 100 1 1 254 SWITCH config dhcp test To delete the configured default gateway use the following command emm Wu meses no default gateway A B C D Deletes a specified default gateway DHCP Pool no default gateway all Deletes all the configured default gateways A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 8 8 2 4 8 8 2 5 IP Address Range After configuring DHCP subnet you need to configure IP address range used in the sub net To configure IP address range use the following command e me ees Configures IP address range range A B C D1 A B C D2 DHCP Pool A B C D1 Start IP address A B C D2 End IP address You can also specify several inconsecutive ranges of IP addresses in a single DHCP pool e g 100 1 1 1 to 100 1 1 62 and 100 1 1 129 to 100 1 1 190 When specifying a range of IP address the start IP address must be prior to the end IP address To delete the configured IP address range use the following command e e
128. HCP pools use the dns server command. For more information see Section 6.1.8.

Manual Binding
To manually assign a static IP address to a DHCP client who has a specified MAC address, use the following command.
Command / Description (mode: DHCP Pool)
fixed address A.B.C.D MACADDR: Assigns a static IP address to a DHCP client. A.B.C.D: static IP address. MACADDR: MAC address.

To delete the fixed address, use the following command.
Command / Description (mode: DHCP Pool)
no fixed address A.B.C.D: Deletes a specified static IP assignment.

Recognition of DHCP Client
Normally, the hiD 6610 S311 DHCP server is supposed to prohibit assigning an IP address when DHCP packets have no CID. However, a Linux client sends the discover message without CID. For this reason, a condition has been added to the hiD 6610 S311 DHCP server so that it can assign an IP address without CID. In the hardware address option, the switch decides IP assignment based on MAC address only, without checking a particular CID, but in the client ID option, the switch checks the MAC address and the particular client ID to assign an IP address.

Use the following command to configure DHCP server for checking the MAC address or CID.
Command / Description (mode: Global)
ip dhcp database key {client id | hardware address}: Configures to recognize a client with a client ID only or both of hardware address and CID.

Authorized ARP
DHCP Authorized ARP is to limit the leasing of IP addresses to authorized users. It can
129. However if IGMP snooping and MVR are both enabled MVR reacts only to join and leave mes sages from multicast groups configured under MVR Join and leave messages from all other multicast groups are managed by IGMP snooping Enabling MVR To enable disable MVR use the following steps Step 1 Enable IGMP snooping in the existing VLAN interfaces Step 2 Enable MVR function with the following command e eege Enables MVR on the system Global Disables MVR on the system no mvr MVR Group Address Statically configure a VLAN interface to receive multicast traffic sent to the multicast VLAN and the IP multicast address An interface statically configured as a member of a group remains a member of the group until statically removed e e re Configures MVR group address Global GROUP ADDR specific group address ex a b c d or a b c d x y z w mvr vlan VLAN ID group GROUP ADDR A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 9 1 5 3 9 1 5 4 To delete the statically configured MVR group address use the following command e me ees Deletes a MVR group address Global GROUP ADDR specific group address ex a b c d or a b c d x y z w no mvr vlan VLAN D group GROUP ADDR MVR IP Address Statically configure a VLAN interface to receive multicast traffic sent to the multicast VLAN and the IP multicast address An interface statically configured as a member of a group rema
130. However, BPDU Guard can be corrupted by unexpected cause. In this case, the edge port is blocked immediately and remains at this state until user recovers it. To prevent this problem, the hiD 6610 S311 switch provides BPDU guard auto recovery function. When an edge port is down for BPDU packet which came from other switch, the port is recovered automatically after configured time.

To configure BPDU Guard auto recovery, use the following command.
Command / Description (mode: Bridge)
stp bpdu guard auto recovery: Configures BPDU Guard auto recovery on switch.
stp bpdu guard auto recovery time <10-1000000>: Configures BPDU Guard auto recovery time.
no stp bpdu guard auto recovery
no stp bpdu guard auto recovery time
Disables BPDU Guard auto recovery function.

To recover a blocked port manually, use the following command.
Command / Description (mode: Bridge)
stp bpdu guard err recovery PORTS: Recovers a blocked port manually.

Self Loop Detection
Although there is no double path in user's equipment, loop can be caused by network environment and cable condition connected to equipment. To prevent this, the hiD 6610 S311 has self loop detection to perceive that an outgoing packet has come back. Through the self loop detection, you can prevent packets from coming back, because it blocks the port.

To enable disable self loop detection use the following command
131. LACP under the condition of being configured as member port To configure member port to aggregate to LACP use the following command e me See Designates whether a member port joins LACH or not lacp port aggregation PORTS A select the member port should be included default faggregatable individual aggregatable To clear aggregated to LACP of configured member port use the following command IN emen i Deletes the configured member port in LACP select no lacp port aggregation PORTS Bridge the member port BPDU Transmission Rate Member port transmits BPDU with its information For the hiD 6610 S311 it is possible to configure the BPDU transmission rate use the following command e me ees Configures BPDU transmission rate lacp port timeout PORTS short PORTS select the port number long short fast rate once every 1 sec long slow rate 30 sec default A50010 Y3 B100 2 7619 191 UMN CLI 192 8 2 2 6 8 2 2 7 8 2 2 8 User Manual SURPASS hiD 6610 S311 R1 0 To clear BPDU transmission rate use the following command clear means long timeout e me See i Deletes BPDU transmission rate of configured member no lacp port timeout PORTS Bridge port select the port number Key value of Member Port Member port of LACP has key value All member ports in one aggregator have same key values To make an aggregator consisted of specified member ports configure different ke
132. Loopback is excepted.
-r FILE: Read packets from the file which was created by the -w option.
-s SNAPLEN: This is used to configure the sample packet size to other than the 68-byte default value. 68 bytes is an appropriate value for IP, ICMP, TCP and UDP, but it can truncate protocol information of Name server or NFS packets. If the sample size is long, the system takes more time to inspect and packets can be dropped for small buffer size. On the contrary, if the sample size is small, information can be lost by that amount. Therefore, user should adjust the size to the header size of the protocol.
Display the selected packets by conditional expression as the intended type: rpc (Remote Procedure Call), rtp (Real-time Transport Protocol), rtcp (Real-time Transport Control Protocol), vat (Visual Audio Tool), wb (distributed White Board).
EXPRESSION: Conditional expression.
Tab. 7.3 Options for Packet Dump

7.16.2 Debug Packet Dump
The hiD 6610 S311 provides network debugging function to prevent system overhead for unknown packet inflow. Monitoring process checks CPU load per 5 seconds. If there is more traffic than threshold, user can capture packets using TCP Dump and save it to file. User can download the dump file with the name of file number dump after FTP connection to the system. Verify the dumped packet contents with a packet analyzer program.

To debug packet dump use the follo
133. M and Sparse Mode To activate PIM SM after opening the Interface Configuration mode use the following command ana owe een 8 ip pim sparse mode Activates PIM SM on specified interface To disable PIM SM use the following command mana Toe en no ip pim sparse mode Disables PIM SM from specified interface Blocking Multicast packets It may happen that some of receivers in multicast group cannot receive packet because of not satisfying terms to receive multicast packet It is possible to configure not to receive multicast packets that can not be sent to receiver To block transmitting packet to specified multicast group use the following command e me See Blocks the packets which tying to transmit from speci ip pim access list A B C D A fied multicast group Interface A B C D A Multicast group address prefix mn Release blocked multicast group no ip pim access list 4 B C D A l l A B C D A Multicast group address prefix Blocking Bootstrap message When all switches configured PIM are considered as one big PIM domain it may cause that unnecessary Bootstrap messages can be transmitted between group members which are operated as different service and then it results to confuse to decide RP A50010 Y3 B100 2 7619 289 UMN CLI 290 9 2 10 9 2 10 1 9 2 10 2 9 2 10 3 User Manual SURPASS hiD 6610 S311 R1 0 To prevent this problem you can prohibit transmitting Bootstrap message between mu
134. P pon s2 DHCP option 82 option82 To enable DHCP Option 82 function in Layer 2 network DHCP server or DHCP relay agent should be disabled previously in the system A50010 Y3 B100 2 7619 247 UMN CLI 248 8 8 7 8 8 7 1 8 8 7 2 8 8 7 3 User Manual SURPASS hiD 6610 S311 R1 0 DHCP Client The interfaces of the hiD 6610 S311 can be assigned IP addresses from DHCP server dynamically If the hiD 6610 S311 is configured as DHCP client itself it works as trans parent switch in Layer 2 network However the switch can t be configured as DHCP server and DHCP relay agent in DHCP client environment Enabling DHCP Client Required To request an IP address on an interface from a DHCP server use the following com mand This command allows the interface to receive its IP address Use the following command on Interface configuration mode e e ees ip address dhcp Enables a DHCP client on an interface Interface no ip no ip address dhcp no ip address dhcp Disables a DHCP client DHCP Client ID To specify a client ID use the following command men rm oe ip dhcp client client id hex B HEXSTRING Specifies a client ID Interface CLIENT ID client id of ASCII string type ip dhcp client client id ascii HEXSTRING client id of HEX string type CLIENT ID To remove the configuration use the following command E R a NR no ip dhcp client client id Removes a client ID of DHCP client DHCP Class ID
135. RP candidate RP candidate Interval of Candidate RP Use this command to give the router the candidate RP status using the IP address of the specified interface ana owe een 8 Configures C RP advertisement interval for a RP can didate 1 165535 Interval in seconds Default value 60 sec cand rp interval lt 1 65535 gt onds no cand rp interval Deletes interval to transmit candidate RP message Candidate RP Message of other members One network may include different multicast groups and routers that are not members of multicast group Therefore it can happen that routers which are members of another network or not members of multicast group apply for RP and transmit candidate RP message In order to prevent this case user can block candidate RP message of another router by making only candidate RP in multicast group communicate In order to block candidate RP message from routers which are not members perform the below tasks Step 1 Use the following command to deny all packets which trying to transmit on network Omm We II cand rp access deny A B C D A Blocks all packets transmission on specified network no cand rp access deny PIM Removes the blocking configuration A B C D A Step 2 Allow only the transmitted packets by routers that exchange candidate RP massage e e See no cand rp access permit A B C D A Releases allowed packet configuration Allows only packets transmission by r
136. SIEMENS User Manual SURPASS hiD 6610 S311 R1 0 UMN CLI A50010 Y3 B100 2 7619

Important Notice on Product Safety
Elevated voltages are inevitably present at specific points in this electrical equipment. Some of the parts may also have elevated operating temperatures. Non-observance of these conditions and the safety instructions can result in personal injury or in property damage. Therefore, only trained and qualified personnel may install and maintain the system. The system complies with the standard EN 60950-1 / IEC 60950-1. All equipment connected has to comply with the applicable safety standards.

The same text in German:
Important note on product safety
In electrical installations, certain parts of the equipment are inevitably live. Some parts may also have a high operating temperature. Failure to observe this situation and the warning notices can lead to personal injury and property damage. It is therefore assumed that only trained and qualified personnel install and maintain the installations. The system meets the requirements of EN 60950-1 / IEC 60950-1. Connected equipment must comply with the applicable safety regulations.

Trademarks
All designations used in this document can be trademarks, the use of which by third parties for their own purposes could violate the rights of their owners.

Copyright
137. SS any DST MAC ADDRESS any ip A B C D A B C D M any A B C D A B C D M any 0 255 A50010 Y3 B100 2 7619 Classifies a physical port SRC PORT source port number DST PORT destination port number cpu CPU port any any physical port ignore Classifies a VLAN VLAN 1 4094 any any VLAN ignore Classifies a DSCP value 0 63 DSCP value any any DSCP ignore Classifies the IEEE 802 1p priority 0 7 802 1p priority value any any 802 1p priority value ignore Classifies all ToS field 0 255 ToS value any any ToS value ignore Classifies an IP precedence 0 7 IP precedence value any any IP precedence value ignore Classifies a packet length 21 65535 IP packet length any any IP packet length ignore Classifies the Ethernet type TYPE NUM Ethernet type field hex e g 0800 for IPv4 arp address resolution protocol any any Ethernet type ignore Classifies MAC address SRC MAC ADDRESS source MAC address DST MAC ADDRESS destination MAC address any any source destination MAC address ignore Classifies an IP address A B C D source destination IP address A B C D M source destination IP address with mask any any source destination IP address 0 255 IP protocol number 133 UMN CLI 134 User Manual SURPASS hiD 6610 S311 R1 0 e e Se ip A B C D A B C D M any A B C D A B C D M any icmp ip A B C D A B C D M any A B C D A B C
138. SURPASS hiD 6610 S311 R1 0 Sample Configuration 5 Configuring Shared VLAN with FID Configure br2 br3 br4 in the hiD 6610 S311 configured Layer 2 environment and 24 ports as Uplink port is configured To transmit untagged packet through Uplink port rightly follow below configuration Outer Network default lt vlan fid 1 5 5 show vlan SWITCH bridge vlan create br2 SWITCH bridge vlan create br3 SWITCH bridge vlan create br4 SWITCH bridge vlan del default 3 8 SWITCH bridge vlan add br2 3 4 untagged SWITCH bridge vlan add br3 5 6 untagged SWITCH bridge vlan add br4 7 8 untagged SWITCH bridge vlan add br2 24 untagged SWITCH bridge vlan add br3 24 untagged SWITCH bridge vlan add br4 24 untagged SWITCH bridge vlan create br5 SWITCH vlan add br5 1 42 untagged u untagged port t tagged port default 1 5 Kate EE uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu BEZA 2 5 Ms e 28 936 a VS br3l 3 5 G ea ee ae a deri ao la a db ap Su 3 99 9 23 9 bra 4 Dr TexzXx3i A E EE Usos BESA 5 5 uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu SWITCH bridge 186 A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 8 2 8 2 1 8 2 1 1 LE Link Aggregation Link Aggregation Control Protocol LACP complying with IEEE 802 3ad bundles several physical ports together to one logical port so that user can
139. TCP is a random packet dropping function when traffic reaches the user-designated threshold, even before it reaches maximum buffer size. If traffic usage reaches maximum buffer size, all packets can be dropped, which makes packet loss. Therefore, in order to prevent packet loss or unstable traffic transmission, user can restrict excessive traffic over buffer size by setting up a threshold. With RED function, packet loss is reduced and stable packet transmission can be acquired.

To apply RED function, RED function needs to be enabled. To utilize RED function, start queue length value and drop probability are necessary. Start queue length represents the starting point of random packet dropping, and drop probability indicates the percentage of packet dropping from the starting point of random packet dropping to the point of complete dropping.

If probability is large value, large amount of packets would be dropped. Therefore complete dropping point is slowly reached. On the other hand, if probability is little, little amount of packets would be dropped. Therefore complete dropping point is quickly reached. If the probability value is 1, dropping packet would be none, and if the value is 15, all packets would be dropped from the point that start queue length value is reached.

To enable/disable qos RED function in the system, use the following command.
Command / Description (mode: Global)
qos red enable: Enables RED function.
qos red disable: Disables RED function.

To set
140. SA: Source Address
SFP: Small Form Factor Pluggable
SNMP: Simple Network Management Protocol
STP: Spanning Tree Protocol
SW: Software
TCP: Transmission Control Protocol
TDM: Time Division Multiplexing
TFTP: Trivial FTP
TMN: Telecommunication Management Network
TOS: Type of Service
UDP: User Datagram Protocol
UMN: User Manual
VID: VLAN ID
VLAN: Virtual Local Area Network
VoD: Video on Demand
VPI: Virtual Path Identifier
VPN: Virtual Private Network
xTU-C: xDSL Terminal Unit Central
xTU-R: xDSL Terminal Unit Remote
141. TP part of BPDU does not rest when it is out of Region e Hello Time Hello time decides an interval time when a switch transmits BPDU It can be config ured from 1 to 10 seconds The default is 2 seconds e Max Age Root switch transmits new information every time based on information from another switches However if there are many switches on network it takes lots of time to transmit BPDU And if network status is changed while transmitting BPDU this in formation is useless To get rid of useless information max age is identified in each information e Forward Delay Switches find location of another switches connected to LAN though received BPDU and transmit packets Since it takes certain time to receive BPDU and find the loca tion before transmitting packet switches send packet at regular interval This interval time is named forward delay The configuration for BPDU is applied as selected in force version The same commands are used for STP RSTP MSTP PVSTP and PVRSTP Hello Time Hello time decides an interval time when a switch transmits BPDU To configure hello time use the following command e e See Configures hello time to transmit the message in STP stp mst hello time lt 1 10 gt RSTP and MSTP 1 10 set the hello time default 2 Configures hello time to transmit the message in PVSTP and PVRSTP 1 10 set the hello time default 2 stp pvst hello time VLAN RANGE lt 1 10 gt A50010 Y3 B100 2 761
142. The class identifier depends on vendors to specify the type of device that is requesting an IP address To specify the class identifier use the following command SCC ip dhcp client class id hex HEX STRING Interface Specifies a class ID of the client ip A client class id text A A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 S311 R1 0 8 8 7 4 8 8 7 5 8 8 7 6 8 8 8 To remove the configuration use the following command e e ees no ip dhcp client class id Removes the class ID of the client Lease Time of Client To specify IP lease time that is requested to a DHCP server use the following command IC We Demi Specifies IP lease time in the unit of ip dhcp client lease 120 2147483637 Interface second default 3600 no ip no ip dhcp client lease no ip dhcp client lease lease Deletes a specified IP lease time a Deletes a specified IP lease time IP lease time Forcing a Release or Renewal of DHCP Client The DHCP release and renew commands support two independent operation immediate release a DHCP lease for a DHCP client and force DHCP renewal of a lease for a DHCP client To force a release of a DHCP release for a DHCP client use the Ge command a release of a DHCP lease release dhcp INTERFACE Enable INTERFACE enters specified Interface name To force a renewal of a DHCP release for a DHCP client use the following command e e See
143. User Manual SURPASS hiD 6610 S311 R1 0 Displaying and Managing BGP You can delete all factors of cache table and database In addition it is possible to dis play specific statistics Deleting Cache Table and Database You can delete all contents of specific cache table and database when some factors are Invalid or unreliable To delete cache table or database use the following command e e Se clear ip bgp ip address Enable Reconfigures information about BGP neighbor router asnumber in out soft in Global AS group all BGP connections out Displaying System and Network Statistics You can display specific statistics such as contents of BGP routing table cache and da tabase Information provided can be used to determine resource utilization and solve network problems You can also display information about node reach ability and discover the routing path your device s packets are taking through the network To display various routing statistics use the following command ee e Se show ip bgp prefix list NAME ip show ip bgp prefix list NAME prefix list NAME Shows peers to which the prefix has been advertised Shows all BGP routes including subnetwork and upper show ip bgp cidr only S network show ip bgp community num E Shows route belonged in specific community Commu ber local AS no advertise no nity Number is formed as AA NN export show ip
144. V that is sent in the port tion sysname sysdescription portdescription Port s description syscap syscap System s capablility sysname System s name sysdescription System s description lldp disable PORTS portde scription sysname sysde Disables basic TLV configured to be sent in the port scription syscap LLDP Message In hiD 6610 S311 it is possible to configure the interval time and times of sending LLDP message To configure the interval time and times of LLDP message use the following command e e See Configures the interval of sending LLDP message The lldp msg txinterval lt 5 32768 gt n unit is second Ildp msg txhold 2 10 Configures the periodic times of LLDP message Default for sending LLDP message is 4 times in every 30 seconds Interval and Delay Time In hiD 6610 S311 the administrator can configure the interval time of enabling LLDP frame after configuring LLDP operation type To configure the interval time of enabling LLDP frame after configuring LLDP operation type use the following command e owe Se Configures the interval time of enabling LLDP frame Ildp reinitdelay lt 1 10 gt from the time of configuring not to process LLDP frame default 2 A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 S311 R1 0 To configure delay time of transmitting LLDP frame use the following command e me ees Configures delay time of transmitting LLDP fr
146. a weight for WRR scheduling mode only, use the following command.

    Command: qos weight PORTS <0-7> <1-15> unlimited
    Description: Sets a weight for each port and queue.
        PORTS: port numbers
        0-7: queue number
        1-15: weight value (default 1)
        unlimited: strict priority queuing

    Command: qos cpu weight <0-7> <1-15> unlimited
    Description: Sets a weight of CPU packet according to queue.
        0-7: queue number
        1-15: weight value (default 1)
        unlimited: strict priority queuing

7.6.3.3 Maximum and Minimum Bandwidth

To set a maximum bandwidth, use the following command.

    Command: qos max bandwidth PORTS <0-7> BANDWIDTH unlimited
    Mode: Global
    Description: Sets a maximum bandwidth for each port and queue.
        PORTS: port numbers
        0-7: queue number
        BANDWIDTH: bandwidth in the unit of MB
        unlimited: unlimited bandwidth

Note: A maximum bandwidth can be set only in WFQ and WRR scheduling mode.

To set a minimum bandwidth, use the following command.

    Command: qos min bandwidth PORTS <0-7> BANDWIDTH unlimited
    Mode: Global
    Description: Sets a minimum bandwidth for each port and queue.
        PORTS: port numbers
        0-7: queue number
        BANDWIDTH: bandwidth in the unit of MB (default 0)
        unlimited: unlimited bandwidth

Note: A minimum bandwidth can be set only in WFQ and WRR scheduling mode.

Random Early Discard (RED)

RED which utilizes end to end flow control of
147. ackets to a single host or broadcast transmission. However, multicast provides group transmission: a host can send packets to a group of all hosts. In the multicast environment, multicast packets are delivered to a group by duplicating multicast packets.

Multicasting is divided into Layer 3 multicast routing and Layer 2 IGMP snooping. The hiD 6610 S311 supports PIM-SM/SSM for multicast routing and V1, V2 and V3 of IGMP snooping.

Fig. 9.1 shows an example of an IGMP snooping configuration network. In a Layer 2 network, the hiD 6610 S311 is configured only for IGMP snooping.

[Figure: Layer 2 network, Layer 3 network, multicast server, IGMP Join/Leave message, multicast data]
Fig. 9.1 IGMP Snooping Configuration Network

If the hiD 6610 S311 is within a Layer 3 network, PIM-SM should be configured. Below the hiD 6610 S311 there is a switch that performs the IGMP snooping function for subscribers.

[Figure: Layer 2 network, Layer 3 network, set-top boxes, IGMP Join/Leave message, IGMP snooping, PIM-SM]
Fig. 9.2 PIM-SM Configuration Network
148. ad BPDU of SWITCH C. Then SWITCH C can read the BPDU of SWITCH A and accepts SWITCH A as designated switch.

[Figure: Switch A (802.1w), Switch B (802.1w), Switch C (802.1d), STP BPDU]
Fig. 8.21 Compatibility with 802.1d (2)

MSTP Operation

To operate the network more effectively, the hiD 6610 S311 uses MSTP (Multiple Spanning Tree Protocol). It constitutes the network with VLANs, subdividing the existing LAN domain logically, and configures the route by VLAN or VLAN group instead of the existing routing protocol.

Operation

This section explains how STP and MSTP operate differently on the LAN. Suppose 100 VLANs are configured from Switch A to B and C. In the case of STP, there is only one STP on all of the VLANs and it does not provide multiple instances.

While existing STP is a protocol to prevent loops in a LAN domain, MSTP establishes STP per VLAN in order to realize routing suitable to a VLAN environment. It does not need to calculate all STP for several VLANs, so traffic overload can be reduced. By reducing unnecessary overload and providing multiple transmission routes for data forwarding, it realizes load balancing and provides many VLANs through instances.

MSTP

In MSTP, VLANs are classified into groups with the same Configuration ID. The Configuration ID is composed of Revision name, Region name and VLAN/Instance mapping. Therefore, to have the same Configuration ID, all of these three conditions should be
149. address

Configuring Authentication Key

An SSH client can access the server through an authentication key after configuring the authentication key and informing the server of it. It is safer to use an authentication key than to input a password every time for login, and it is also possible to connect to several SSH servers using one authentication key.

To configure an authentication key in the hiD 6610 S311, use the following command.

    Command: ssh keygen rsa1 rsa dsa
    Mode: Global
    Description: Configures authentication key.
        rsa1: SSH ver. 1 public key for the authentication
        rsa: SSH ver. 2 public key for the authentication
        dsa: SSH ver. 2 public key for the authentication

To configure an authentication key and connect to an SSH server with the authentication key, perform the following procedure.

Step 1 Configure the authentication key in the switch.

    SWITCH_A config ssh keygen dsa
    Generating public private dsa key pair
    Enter file in which to save the key etc ssh id_dsa
    Enter passphrase empty for no passphrase networks
    Enter same passphrase again networks
    Your identification has been saved in etc ssh id_dsa
    Your public key has been saved in etc ssh id_dsa pub
    The key fingerprint is
    d9 26 8e 3d fa 06 31 95 f8 fe f6 59 24 42 47 7e root hiD6610
    SWITCH_A config

Step 2 Copy the generated authentication key to SSH server.

Step 3 Connect to SSH se
150. al

    Command: clear arp INTERFACE
    Description: Deletes all the contents of ARP table; enter the interface name.

Displaying ARP Table

To display the ARP table registered in the switch, use one of the following commands.

    Command: show arp INTERFACE A.B.C.D
    Mode: Enable, Global
    Description: Shows ARP table for specified interface; enter the interface name or IP address.

The following is an example of registering 10.1.1.1 as IP address and 00:d0:cb:00:00:01 as MAC address, and then displaying the ARP table.

    SWITCH config arp 10 1 1 1 00 d0 cb 00 00 01
    SWITCH config show arp
    Address HWaddress Type Interface
    1 04 2592 2 994 105 00 bb cc dd ee 05 DYNAMIC br4094
    CALA OOS00 26a KREE 060 DYNAMIC br2
    SWITCH config

ARP Alias

Although clients are joined in the same client switch, it may be impossible for them to communicate with each other because of their private security. When you need to make them communicate with each other, the hiD 6610 S311 supports ARP alias, which responds to ARP requests from the client net through the concentrating switch.

To register the address range of a client net in ARP alias, use the following command.

    Command: arp alias A.B.C.D A.B.C.D MACADDR
    Mode: Global
    Description: Registers IP address range and MAC address in ARP alias to make user's equipment respond to ARP request.

Unless you input a MAC address, the MAC address of the user's equipment will be used for the ARP response.
151. allocate

By using the DHCP option 82, a DHCP relay agent can include additional information about itself when forwarding client-originated DHCP packets to a DHCP server. The DHCP relay agent will automatically add the circuit ID and the remote ID to the option 82 field in the DHCP packets and forward them to the DHCP server.

The DHCP option 82 resolves the following issues in an environment in which untrusted hosts access the internet via a circuit-based public network.

Broadcast Forwarding

The DHCP option 82 allows a DHCP relay agent to reduce unnecessary broadcast flooding by forwarding the normally broadcasted DHCP response only on the circuit indicated in the circuit ID.

DHCP Address Exhaustion

In general, a DHCP server may be extended to maintain a DHCP lease database with an IP address, hardware address and remote ID. The DHCP server should implement policies that restrict the number of IP addresses to be assigned to a single remote ID.

Static Assignment

A DHCP server may use the remote ID to select the IP address to be assigned. It may permit static assignment of IP addresses to particular remote IDs and disallow an address request from an unauthorized remote ID.

IP Spoofing

A DHCP client may associate the IP address assigned by a DHCP server in a forwarded DHCP ACK message with the circuit to which it was forwarded. The circuit acce
152. ame

    Command: lldp txdelay <1-8192>
    Mode: Bridge
    Description: default 2

7.3.7 Displaying LLDP Configuration

To display LLDP configuration, use the following command.

To delete accumulated statistics on the port, use the following command.

    Command: clear lldp statistics PORTS
    Mode: Global, Bridge
    Description: Deletes accumulated statistics on the port.

The following is an example of enabling the LLDP function in Bridge Configuration mode on port number 10 of the switch and operating it.

    SWITCH bridge show lldp config 10
    GLOBL MsgTxInterval 30 MsgTxHold 4 > txTTL 120 ReInitDelay 2 TxDelay 2
    PORTS active adminStat optTLVs
    10 disable Tx<>Rx 0xf PortDesc SysName SysDesc SysCap
    SWITCH bridge lldp enable 10
    SWITCH bridge lldp disable 10 portdescription
    SWITCH bridge lldp adminstatus 10 tx_only
    SWITCH bridge lldp msg txinterval 50
    SWITCH bridge lldp msg txhold 6
    SWITCH bridge show lldp config 10
    GLOBL MsgTxInterval 50 MsgTxHold 8 > txTTL 400 ReInitDelay 2 TxDelay 2
    PORTS active adminStat optTLVs
    10 enable Tx only 0xe SysName SysDesc SysCap
    SWITCH bridge

7.4 Remote Monitoring (RMON)

Remote Monitoring (RMON) is a function to monitor the communication status of devices connected to Ethernet at a remote place. While SNMP can give information only abou
153. ance enter the instance number

    Command: show stp mst MSTID RANGE

    Command: show stp mst MSTID RANGE all PORTS detail
    Mode: Enable, Global, Bridge
    Description: Shows the configuration of the specific Instance for the ports.
        MSTID_RANGE: select the MST instance number
        all: select all ports
        PORTS: select port number
        detail: show detail information as option

In case STP or RSTP is configured in the SURPASS hiD 6610 S311, you should configure MSTID RANGE as 0.

To display the configured MSTP of the switch, use the following command.

    Command: show stp mst config id current pending
    Mode: Enable, Global, Bridge
    Description: Shows the MSTP configuration identifier.
        current: shows the current configuration as it is used to run MST
        pending: shows the edited configuration

For example, after the user configures the configuration ID, if you apply it to the switch with the stp mst config id commit command, you can check the configuration ID with the show stp mst config id current command.

However, if the user did not use the stp mst config id commit command to apply it to the switch after configuration, the configuration can be checked with the show stp mst config id pending command.

8.3.6 Configuring PVSTP/PVRSTP

STP and RSTP are designed with one VLAN in the network. If a port becomes blocking state, the physical port itself is blocked. But PVSTP Per VLAN Spanning Tree Proto
154. and

    Command: version 1 2
    Mode: Router
    Description: Configures version to transmit one of RIP 1 type packet and RIP 2 type packet.

    Command: no version 1 2
    Mode: Router
    Description: Returns to default mode after specified RIP version is deleted.

The preceding task controls default RIP version settings. You can override the router's RIP version by configuring a particular interface to behave differently. To control which RIP version an interface sends, perform one of the following tasks after opening RIP Router Configuration mode.

    Command: ip rip send version 1
    Mode: Interface
    Description: Sends RIP version 1 type packet to the interface.

    Command: ip rip send version 2
    Mode: Interface
    Description: Sends RIP version 2 type packet to the interface.

    Command: ip rip send version 1 2
    Mode: Interface
    Description: Sends RIP version 1 and 2 type packets.

Similarly, to control how packets received from an interface are processed, perform one of the following tasks.

    Command: ip rip receive version 1
    Mode: Interface
    Description: Receives RIP version 1 type packet from the interface.

    Command: ip rip receive version 2
    Mode: Interface
    Description: Receives RIP version 2 type packet from the interface.

    Command: ip rip receive version 1 2
    Mode: Interface
    Description: Receives RIP version 1 and 2 type packets.

Creating Static Route Available for RIP

This feature is provided only by Siemens. The route command creates a static route available only for RIP. If you are not familiar with the RIP protocol, you had better use the redistribute static command.
155. ard PORTS <1-2000000>

    Mode: Bridge
    Description: Limits the number of packets which can be transmitted to the port for 1 second.

    Command: no mac flood guard PORTS
    Mode: Bridge
    Description: Clears the configured Flood Guard.

To display the configuration of flood guard, use the following command.

    Command: show mac flood guard macs
    Description: Shows the configured Flood Guard.

Sample Configuration

The following is an example of showing the configuration after limiting the number of packets transmitted to port number 1 to 10,000.

    SWITCH bridge mac flood guard 1 10000
    SWITCH bridge show mac flood guard
    Port Rate fps    Port Rate fps
    1    10000       2    Unlimited
    3    Unlimited   4    Unlimited
    5    Unlimited   6    Unlimited
    7    Unlimited   8    Unlimited
    9    Unlimited   10   Unlimited
    11   Unlimited   12   Unlimited
    13   Unlimited   14   Unlimited
    15   Unlimited   16   Unlimited
    Omitted
    SWITCH bridge

Bandwidth

The routing protocol uses bandwidth information to measure the routing distance value. To configure the bandwidth of an interface, use the following command.

    Command: bandwidth BANDWIDTH
    Mode: Interface
    Description: Configures bandwidth of interface; enter the value of bandwidth.

The bandwidth can be from 1 to 10,000,000 Kbits. This bandwidth is used for routing information and does not concern physical bandwidth.

To delete a configured bandwidth, use the following command.
156. as administrator, location and address that confirm its own identity. To set basic information of the SNMP agent, use the following command.

    Command: snmp contact NAME
    Mode: Global
    Description: Sets a name of administrator.

    Command: snmp location LOCATION
    Mode: Global
    Description: Sets a location of SNMP agent.

    Command: snmp agent address IP ADDRESS
    Mode: Global
    Description: Sets an IP address of SNMP agent.

    Command: no snmp contact
             no snmp location
             no snmp agent address IP ADDRESS
    Mode: Global
    Description: Deletes specified basic information for each item.

The following is an example of specifying basic information of the SNMP agent.

    SWITCH config snmp contact Brad
    SWITCH config snmp location Germany
    SWITCH config

To display basic information of the SNMP agent, use the following command.

    Command: show snmp contact
    Mode: Enable, Global
    Description: Shows a name of administrator.

    Command: show snmp location
    Mode: Enable, Global
    Description: Shows a location of SNMP agent.

    Command: show snmp agent address
    Mode: Enable, Global
    Description: Shows an IP address of SNMP agent.

SNMP Com2sec

SNMP v2 authorizes the host to access the agent according to the identity of the host and community name. The command com2sec specifies the mapping from the identity of the host and community name to security name.

To configure an SNMP security name, use the following command.

    Specifies the mapping from the identity of the host and snmp com2sec SECURITY comm
157. assification and rule action s can be configured for each rule.

1. The rule name must be unique. Its size is limited to 63 significant characters.
2. The order in which the following configuration commands will be entered is arbitrary.
3. The configuration of a rule being configured can be changed as often as wanted, inclusive rule type, until the command apply will be entered.
4. Use the command show rule profile to display the configuration entered up to now.

Rule Priority

If rules that are more than two match the same packet, then the rule having a higher priority will be processed first. To set a priority for an admin access rule, use the following command.

    Command: priority low medium high highest
    Mode: Admin rule
    Description: Sets a priority for a rule.

The default rule priority is low for an admin access rule.

7.6.4.3 Packet Classification

After configuring a packet classification for a rule, configure how to process the packets. To specify a packet classifying pattern, use the following command.

When specifying a source and destination IP address as a packet classifying pattern, the destination IP address must be after the source IP address.

    ip A B C D A B C D M any A B C D A B C D M any 0 255 ip A B C D A B C D M any A B C D A B C D M any icmp ip A B C D A B C D M any A B C D
158. at every layer of the network.

The Ethernet layer has not traditionally offered inherent management capabilities, so the IEEE 802.3ah Ethernet in the First Mile (EFM) task force added the Operations, Administration and Maintenance (OAM) capabilities to Ethernet-like interfaces. These management capabilities were introduced to provide some basic OAM function on Ethernet media.

EFM OAM is complementary, not competitive, with SNMP management in that it provides some basic management functions at Layer 2, rather than using Layer 3 and above as required by SNMP over an IP infrastructure. OAM provides single-hop functionality in that it works only between two directly connected Ethernet stations. SNMP can be used to manage the OAM interactions of one Ethernet station with another.

OAM Loopback

For the OAM loopback function, both the switch and the host should support the OAM function. The OAM loopback function enables the loopback function from the user's device to the host which is connected to the user's device and operates it.

To enable or disable the local OAM function, use the following command.

    Command: oam local admin enable PORTS
    Mode: Bridge
    Description: Enables local OAM.

    Command: oam local admin disable PORTS
    Mode: Bridge
    Description: Disables local OAM.

To configure the loopback function of the host connected to the switch, use the following command.

    Command: oam remote loopback enable PORTS
    Mode: Bridge
    Description: Enables loopback function of peer device.

    Disables loopback function of peer oam r
159. ber of user accessing the switch, use the following command.

    Command: login connect <1-8>
    Mode: Global
    Description: Sets the number of user accessing the switch. Default 8.

Telnet Access

To connect to a host through telnet at a remote place, use the following command.

    Command: telnet DESTINATION TCP PORT
    Mode: Enable
    Description: Connects to a remote host.
        DESTINATION: IP address or host name

In case of a telnet connection, you should wait for the OK message when you save a system configuration. Otherwise, all changes will be deleted when the telnet session is disconnected.

    SWITCH write memory
    OK
    SWITCH

The system administrator can disconnect users connected from a remote place. To disconnect a user connected through telnet, use the following command.

    Command: disconnect TTY NUMBER
    Description: Disconnects a user connected through telnet.

The following is an example of disconnecting a user connected from a remote place.

    SWITCH where
    admin at from console for 4 days 22 hours 15 minutes 24 88 seconds
    admin at ttyp0 from 10 0 1 4 1670 for 4 days 17 hours 53 minutes 28 76 seconds
    admin at ttyp1 from 147 54 140 133 49538 for 6 minutes 34 12 seconds
    SWITCH disconnect ttyp0
    SWITCH where
    admin at from console for 4 days 22 hours 15 minutes 34 88 seconds
    admin at ttyp1 from 147 54 140 133 49538 for 6 minutes 44 12 seconds
    SWITCH
160. bgp community list WORD exact match
    Description: Shows all routes that are permitted by the community list; enter the WORD value.

    Command: show ip bgp community info
    Description: Shows all information of BGP community.

    Command: show ip bgp filter list WORD
    Description: Shows routes that are matched by the specified autonomous system route in access list; enter the WORD value.

    Command: show ip bgp regexp LINE
    Description: Shows routes that match the specified regular expression entered on the command line; enter the LINE value.

    Command: show ip bgp attribute info
    Description: Shows all information of BGP attributes.

    Command: show ip bgp neighbors ip address
    Description: Shows detail information on TCP and BGP connections to individual neighbors.

    Command: show ip bgp neighbors ip address advertised routes received routes routes
    Description: Shows information about the TCP and BGP connections to neighbors. The advertised routes option displays all the routes the router has advertised to the neighbor. The received routes option displays all received routes, both accepted and rejected, from the specified neighbor. The routes option displays all routes that are received and accepted.

    Command: show ip bgp paths
    Description: Shows all BGP routes in database.

    Command: show ip bgp summary
    Description: Shows all BGP connections.

    Mode (all commands above): Enable, Global

10.2 Open Shortest Path First (OSPF)

Open Shortest Path First (OSPF) is an interior gateway protocol developed by the OSPF working g
162. ch sends this Bootstrap message is called BSR (Bootstrap Router). All PIM routers existing on the multicast network can be BSR. Routers which want to be BSR are named candidate BSR, and the one router which has the highest priority becomes BSR among them. If there are routers which have the same priority, then the one router which has the highest IP address becomes BSR.

It is possible to configure the following messages which are included in the candidate BSR message.

Since it is possible to assign several IP addresses in the hiD 6610 S311, the switch may have several IP addresses assigned. The user can select one IP address among several IP addresses to be used in the switch as candidate BSR.

IP Address of candidate BSR

To configure candidate BSR, use the following command.

    Command: cand bsr address IP ADDRESS
    Mode: PIM
    Description: Assigns IP address for using at Candidate BSR.

To disable the assigned IP address in candidate BSR, use the following command.

    Command: no cand bsr address
    Mode: PIM
    Description: Disables the configuration for bsr candidate.

Priority of candidate BSR

When BSR is decided among candidate BSRs, the priority in the Bootstrap message is compared to decide it. The candidate BSR with the highest priority becomes BSR. To configure the priority of the Bootstrap message, use the following command.

    Command: cand bsr priority <0-255>
    Description: Configures the priority of Bootstrap message.

    Command: no cand bsr priority
    Description: Delete the priority configuration of Bootstrap

Hash mask of candidate BSR
163. ched packets are coming into the system, it might slow down the system operation. Not to bring these messages back to the source IP address on a specific interface, use the following command in Interface Configuration mode.

    Configures not to bring unreached messages back to ip unreachables their source IP address on interface Interface all unreached messages back to their source IP no emm emm EEN on interface

7.15 IP TCP Flag Control

The TCP (Transmission Control Protocol) header includes six kinds of flags, which are URG, ACK, PSH, RST, SYN and FIN. For the hiD 6610 S311, you can configure RST and SYN as below.

7.15.1 RST Configuration

RST sends a message to a person who tries to make a TCP connection when the connection cannot be made. However, it is also possible to configure the switch to block the message. This function helps prevent hackers from finding out which connections are impossible.

To configure the switch not to send the message that informs that a TCP connection cannot be made, use the following command.

    Command: ip tcp ignore rst unknown
    Description: Configures to block the message that informs TCP connection can not be done.

    Command: no ip tcp ignore rst unknown
    Description: Responds the message again that informs TCP connection is not possible.

7.15.2 SYN Configuration

SYN sets up a TCP connection. The hiD 6610 S311 transmits cookies wit
164. ckets are forwarded.

The hiD 6610 ARP saves IP/MAC address mappings in the ARP table for quick search. Referring to the information in the ARP table, packets with an attached IP address are transmitted to the network. When configuring the ARP table, it is possible to do it only in some specific interfaces.

Registering ARP Table

The contents of the ARP table are automatically registered when the MAC address corresponding to an IP address is found. The network administrator can use the MAC address of a specific IP address in the network by registering it in the ARP table.

To make a specific IP address correspond to a MAC address, use the following command.

    Command: arp A.B.C.D MACADDR
    Description: Sets a static ARP entry; enter the IP address and the MAC address.
        MACADDR: enter the MAC address

    Command: arp A.B.C.D MACADDR INTERFACE
    Description: Sets a static ARP entry; enter the IP address, the MAC address and an interface name.
        INTERFACE: enter an interface name
        MACADDR: enter the MAC address

To delete a registered IP address and MAC address, or to change all the contents of the ARP table, use one of the following commands.

    Command: no arp A.B.C.D
    Description: Negates a command or sets its default; enter the IP address.

    Command: no arp A.B.C.D INTERFACE
    Description: Negates a command or sets its default; enter the IP address and the interface name.

    Deletes all the contents of ARP table Enable Glob
165. cluding server advertisements will propagate to all members of the VLAN so that they can communicate freely among themselves.

8.1.1 Port Based VLAN

The simplest implicit mapping rule is known as port based VLAN. A frame is assigned to a VLAN based solely on the switch port on which the frame arrives. In the example depicted in the figure, frames arriving on ports 1 through 4 are assigned to VLAN 1, frames from ports 5 through 8 are assigned to VLAN 2, and frames from ports 9 through 12 are assigned to VLAN 3.

Stations within a given VLAN can freely communicate among themselves using either unicast or multicast addressing. No communication is possible at the Data Link layer between stations connected to ports that are members of different VLANs. Communication among devices in separate VLANs can be accomplished at higher layers of the architecture, for example by using a Network layer router with connections to two or more VLANs.

Multicast traffic, or traffic destined for an unknown unicast address arriving on any port, will be flooded only to those ports that are part of the same VLAN. This provides the desired traffic isolation and bandwidth preservation. The use of port based VLANs effectively partitions a single switch into multiple sub-switches, one for each VLAN.

Fig. 8.1 Port based VLAN

The IEEE 802.1q based ports on the switches support
167. col and PVRSTP (Per VLAN Rapid Spanning Tree Protocol) maintains a spanning tree instance for each VLAN in the network. Because PVSTP treats each VLAN as a separate network, it has the ability to load balance traffic by forwarding some VLANs on one trunk and other VLANs. PVRSTP provides the same functionality as PVSTP with enhancement.

Fig. 8.24 Example of PVSTP

Activating PVSTP/PVRSTP

To configure PVSTP or PVRSTP, configure force version in order to decide the mode. In order to decide force version, use the following command.

    Command: stp pvst enable VLAN RANGE
    Mode: Bridge
    Description: Activates PVSTP or PVRSTP function.
        VLAN RANGE: Vlan name

PVSTP is activated after selecting PVSTP in Force version using the above command, and PVRSTP is activated after selecting PVRSTP using the above commands. In PVSTP and PVRSTP, it is possible to configure only the current VLAN. If you input a VLAN that does not exist, an error message is displayed.

For the switches in a LAN where a dual path doesn't exist, a loop does not occur even though the STP function is not configured.

To disable configured PVSTP/PVRSTP, use the following command.

    Command: stp pvst disable
    Description: Disables PVSTP or PVRSTP in VLAN.

Root Switch

In order to establish the PVSTP/PVRSTP function, first of all the Root switch should be decided. Each switch has its own Bridge I
168. command

    Command: arp inspection mapping A.B.C.D A.B.C.D/M any MACADDR any permit
    Mode: Global
    Description: Configures the policy to permit ARP packets when they meet the requirements.
        A.B.C.D: IP address for inspection
        MACADDR: MAC address

    Command: arp inspection mapping A.B.C.D A.B.C.D/M any MACADDR any deny
    Mode: Global
    Description: Configures the policy to deny ARP packets when they meet the requirements.
        A.B.C.D: IP address for inspection

To remove the policy of ARP packets, use the following command.

    Command: no arp inspection mapping A.B.C.D A.B.C.D/M any MACADDR any
    Mode: Global
    Description: Deletes the configured policy of ARP packets for specified condition.

    Command: no arp inspection mapping all
    Mode: Global
    Description: Deletes the policy of ARP packets for all.

Configuring IP address validation

If the arp inspection address validation function is enabled, the hiD 6610 S311 drops ARP packets in the following cases:

- If an ARP Request packet's IP address is 0.0.0.0 or 255.255.255.255, these ARP Request packets are dropped.
- If an ARP Reply packet's source IP address is 0.0.0.0 or 255.255.255.255, these ARP Reply packets are dropped.

You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP address, and the source MAC address.

    Inspects specific check on incoming arp inspec
169. d VLAN. vlan del VLANS PORTS; VLANS: enter the VLAN ID, PORTS: enter the port number to be deleted. When you assign several ports to a VLAN, you have to enter each port separated by a comma without space, or use a dash mark to arrange a port range. Deleting VLAN: To delete a VLAN, use the following command. no vlan VLANS: Deletes VLAN; enter the VLAN ID to be deleted. When you delete a VLAN, all ports must be removed from the VLAN beforehand; see the procedure below. Displaying VLAN: To display a configuration of VLAN, use the following command. show vlan VLANS (Enable/Global/Bridge): Shows the configuration for specific VLAN; enter VLAN ID. Protocol Based VLAN: User can use a VLAN mapping that associates a set of processes within stations to a VLAN rather than the stations themselves. Consider a network comprising devices supporting multiple protocol suites. Each device may have an IP protocol stack, an AppleTalk protocol stack, an IPX protocol stack, and so on. If we configure VLAN aware switches such that they can associate a frame with a VLAN based on a combination of the station's MAC source address and the protocol stack in use, we can create separate VLANs for each set of protocol specific applications. To configure protocol based VLAN, follow these steps. 1. Configure VLAN groups for the prot
170. d name 1 SWITCH bridge stp mst config id revision 1 SWITCH bridge stp mst config id commit SWITCH bridge show stp mst Status enabled bridge id 8000 00qd0cb000183 designated root 8000 00d0cb000183 root port 0 path cost D max age 20 00 bridge max age 20 00 hello time 2 00 bridge hello time 2 00 forward delay 15 00 bridge forward delay 1500 CIST regional root 8000 00d0cbO00018 CIST path cost 0 max hops 20 name TEST revision 1 instance vlans CIST 51 4094 2 L gt 50 SWITCH bridge 8.4 VRRP (Virtual Router Redundancy Protocol): VRRP (Virtual Router Redundancy Protocol) configures a virtual router (VRRP Group) consisting of VRRP routers to prevent network failure caused by one dedicated router. You can configure a maximum of 255 VRRP routers in a VRRP group of the hiD 6610 S311. First of all, you need to decide the router which plays a role as Master Virtual Router. The other routers will be Backup Virtual Routers. After you give the priority to these backup routers, the routers serve for Master Virtual Router when there are some problems in the Master Virtual Router. After you configure VRRP, configure all routers in VRRP with a unified Group ID and assign a unified Associated IP address to them. After that, decide Master Virtual Router and Backup Virtual Router. A router which has the highest priority is supposed to be Master and Backup Virtual Routers al
171. d port as basic. Port Basic: It is possible to configure the default environment of a port, such as port state and speed. To configure a port, you need to open Bridge Configuration mode by using the command bridge on Global Configuration mode. When you begin Bridge Configuration mode, the system prompt will be changed from SWITCH config to SWITCH bridge. SWITCH config bridge SWITCH bridge The hiD 6610 S311 can have 24 ports of 10/100Base-TX Ethernet interfaces and 4 Giga Ethernet uplink ports. The direction to configure each port is different depending on its features. Read the instruction below carefully and follow it before you configure. Port Number: The hiD 6610 S311 has ports 1 to 24 of Fast Ethernet interface, supporting 10/100Base-TX (RJ-45 type). 2 ports of 10/100/1000Base-TX have the port number of 25 to 26. 2 ports of 1000Base-X with SFP module have the port number of 27 and 28. These interfaces can be used as uplink towards the core network. Refer to the figure below for the front interfaces of the hiD 6610 S311. [Fig. 5.1: hiD 6610 S311 Interface] To display the configuration of the physical port, use the following command. show port PORTS (Enable/Global/Bridge): Shows port configuration. When you use the command show port command if you input letter at port number the message
172. d port is forwarded only promiscuous ports. Community: Community ports communicate among themselves and with their promiscuous ports. These interfaces separate at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN. The difference between Private VLAN and Private VLAN edge is that PVLAN edge guarantees security for the ports in a VLAN using protected port, and PVLAN guarantees port security by creating sub VLAN with the three types: Promiscuous, Isolation and Community. And because PVLAN edge can work on local switch, the isolation between two switches is impossible. The hiD 6610 S311 provides Private VLAN function like Private VLAN edge of Cisco product. Because it does not create any sub VLAN, port security is provided by port isolation. If you want to configure Private VLAN on the hiD 6610 S311 switch, refer to Port Isolation configuration. Port Isolation: The Port Isolation feature is a method that restricts L2 switching between isolated ports in a VLAN. Nevertheless, flows between an isolated port and a non isolated port are not restricted. If you use the port protected command, packets cannot be transmitted between protected ports. However, communication to non protected ports is possible. To configure Port Isolation, use the following command (Bridge). port protected PORTS: Enables port isolation. no port protected PORTS: Disables port isolation.
173. d s 50 interval time s 1800 owner none status under create SWITCH config To open RMON history mode, use the following command. rmon history <1-65535> (Global): Opens RMON history Configuration mode; 1-65535: index number. The following is an example of opening RMON history Configuration mode with index number 5. SWITCH config rmon history 5 SWITCH config rmonhistory 5 Input a question mark <?> at the system prompt on RMON Configuration mode if you want to list available commands. The following is an example of listing available commands on RMON Configuration mode. SWITCH config rmonhistory 5 RMON history configuration commands active Activate the history data source Set data source port do To run exec commands in config mode exit End current mode and down to previous mode help Description of the interactive help system interval Define the time interval for the history owner Assign the owner who define and is using the history resources requested buckets Define the bucket count for the interval show Show running system information SWITCH config rmonhistory 5 Source Port of Statistical Data: To specify a source port of statistical data, use the following command. data source NAME (RMON): Specifies a data object ID. NAME
174. d to network is defined in prefix list. Distinguishes each policy with the assigned number and applies the policy which has the lowest number when there is more than one policy applied to one network. Routers search policy in prefix list from the top in order. When they find the required policy, they stop searching. For faster operation, user can make a quick search list on the top of the list by using seq provided from ip prefix list. In order to view the number assigned to a policy, use the command show ip prefix list. Policies configured by user are automatically assigned number. If you do not configure it, you should assign number to each policy by using the command ip prefix list seq. Creating Prefix List: To create prefix list, use the following command. ip prefix list NAME {deny | permit} {any | A.B.C.D/M ge <0-32> le <0-32>}: Creates a prefix list to be applied. ip prefix list NAME description DESCRIPTION: Adds a description to a created prefix list. To create prefix list, you should select permit or deny. Creating Prefix List Policy: You can add policy to prefix list one by one. Use the following command. ip prefix list NAME seq <1-4294967295> {deny | permit} {any | A.B.C.D/M ge <0-32> le <0-32>} (Global): Configures policy of prefix list and assigns number to the policy
175. d with specified IP pool at the same time. Use the following command. remote id hex HEXSTRING circuit id hex HEXSTRING pool NAME; remote id hex HEXSTRING circuit id index <0-65535> pool NAME; remote id hex HEXSTRING circuit id text CIRCUIT ID pool NAME; remote id ip A.B.C.D circuit id hex HEXSTRING pool NAME; remote id ip A.B.C.D circuit id index <0-65535> pool NAME; remote id ip A.B.C.D circuit id text CIRCUIT ID pool NAME; remote id text REMOTE ID circuit id hex HEXSTRING pool NAME; remote id text REMOTE ID circuit id index <0-65535> pool NAME; remote id text REMOTE ID circuit id text CIRCUIT ID pool NAME: Sets Remote ID and circuit ID with specified IP Pool which will be permitted to be assigned IP address. HEXSTRING: Remote id of hexadecimal string style; REMOTE ID: Remote id of ASCII string style; CIRCUIT ID: Circuit id of ASCII string style; A.B.C.D: Remote id IP address; NUMBER: the number of IP addresses <0-2147483637>; 0-65535: Circuit id of numeric style; NAME: enters the pool name. To delete the configuration of remote id and circuit id with specified DHCP pool, use the following command. no remote id hex HEXSTRING circuit id hex HEXSTRING pool; no remote id hex HEXSTRING circuit id index <0-65535> pool; no remote id hex HEXSTRING circuit id text
176. del default 2 4 SWITCH bridge vlan add 2 2 untagged vlan add 4 4 untagged SWITCH bridge SWITCH bridge SWITCH SWITCH bridge vlan pvid 2 2 vlan pvid 5 5 vlan pvid 4 4 SWITCH bridge vlan add 3 3 untagged show vlan u untagged port t tagged port Name VID FID 123456789012345678901234567890123456789012 default 1 1 is UA Aa DEZA 2 2 A ee ee bre 3 3 EE EES br4 4 A haw Ml eo ie oo se Se dee Ee wees SWITCH bridge Sample Configuration 2: Deleting Port based VLAN. The following is deleting vlan id 3 among configured VLAN. SWITCH bridge vlan del 3 3 SWITCH bridge exit SWITCH config interface 3 SWITCH interface shutdown SWITCH interface exit SWITCH config bridge SWITCH bridge no vlan 3 SWITCH bridge show vlan u untagged port t tagged port default 1 T u u uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu DEZ 2 2 I EE br4 4 4 WEE EE SWITCH bridge Sample Configuration 3: Configuring Protocol based VLAN. The following is an example of configuring protocol based VLAN on the port 2 and port 4: 0x900 packet among the packets entering to Port 4, 0x800 packet among the packets entering to Port 2. SWITCH bridge vlan pvid 2 ethertype 0x800 5 SWITCH bridge vlan pvid 4 ethert
177. dhcp server filter: Configures packet filtering of DHCP server. Tab. 3.4: Main Commands of Bridge Configuration Mode. Rule Configuration Mode: You can open Rule Configuration mode using the command rule NAME create on Global Configuration mode. If you open Rule Configuration mode, the system prompt is changed from SWITCH config to SWITCH config rule name. rule NAME create (Global): Opens Rule Configuration mode. On the Rule Configuration mode, it is possible to configure the condition and operational method for the packets to which the rule function is applied. Tab. 3.5 shows a couple of important main commands of Rule Configuration mode. apply Configures rule configuration and applies it to the switch mee Configures a packet condition by MAC address Configures an operational condition which meets the packet condition priority Configures the priority for rule vlan Configures VLAN mon Configures a packet condition by port number Tab. 3.5: Main Commands of Rule Configuration Mode. DHCP Configuration Mode: To open DHCP Configuration mode, use the command ip dhcp pool POOL on Global Configuration mode as follows. Then the prompt is changed from SWITCH config to SWITCH config dhcp POOL. ip dhcp pool POOL (Global): Opens DHCP Configuration mode to configure DHCP. DHCP Configuration mode i
178. dmin 110 0 0 5 1448 592 S T5356 005 ana ES admin z qp 0 0 0 S L52256 0 00 keventd admin C2 Os0 070 0 E p Ger 0 00 ksoftirqd_CPUO0 admin 410 0 0 0 0 0 S 152755 0 00 kswapd More System Threshold: You can configure the switch with various kinds of system threshold like CPU load, traffic, temperature, etc. Using this threshold, the hiD 6610 S311 generates syslog messages, sends SNMP traps, or performs a related procedure. CPU Load: To set a threshold of CPU load, use the following command (Global). threshold cpu <21-100> {5 | 60 | 600} <20-100> {5 | 60 | 600}: Sets a threshold of CPU load in the unit of percent; 20-100: CPU load (default: 50); 5, 60, 600: time interval (second). no threshold cpu: Deletes a configured threshold of CPU load. To show a configured threshold of CPU load, use the following command. show cpuload: Shows a configured threshold of CPU load. Port Traffic: To set a threshold of port traffic, use the following command. Sets a threshold of port traffic; PORTS: port number (1 1 1 2 2 1); THRESHOLD: threshold value (unit: kbps); 5, 60, 600: time interval (unit: second). no threshold port PORTS {rx | tx}: Deletes a configured threshold of port traffic. The threshold of the port is set
179. ds of DHCP Configuration Mode; Main Commands of DHCP Option 82 Configuration Mode; Main Commands of Interface Configuration Mode; Main Commands of RMON Configuration Mode; Main Commands of PIM Configuration Mode; Main Commands of Router Configuration Mode; Main Commands of VRRP Configuration Mode; Main Commands of Route map Configuration Mode; Command Abbreviation; World Time Zone; Options for Ping; Options for Ping for Multiple IP Addresses; Options for Tracing Packet Route; ICMP Message Type; Mask Calculation of Default Value; Options for Packet Dump; Advantages and Disadvantages of Tagged VLAN. Introduction. Audience: This manual is intended for SURPASS hiD 6610 S311 single board Fast Ethernet switch operators and maintenance personnel for providers of Ethernet services. This manual assumes that you are familiar with the following: Ethernet networking technology and standards; Internet topologies and protocols; usage and functions of graphical user interfaces. Docum
180. e clear port statistics {PORTS | all} (Global/Bridge): Clears all recorded port statistics. Port Status: To display a port status, use the following command (Enable/Global/Bridge). show port PORTS: Shows configured state of port; enter the port number. show port PORTS description: Shows port specific description (max number of characters is 100); PORTS: enter the port number. show port module info PORTS: Shows port module information. Port Mirroring: Port mirroring is the function of monitoring a designated port. Here, the port used to monitor is called the monitor port, and a port to be monitored is called a mirrored port. Traffic transmitted from a mirrored port is sent to the monitor port so that the user can monitor network traffic. The following is a network structure to analyze the traffic by port mirroring. It analyzes traffic on the switch and network status by configuring Mirrored port and Monitor port, connecting the computer on which the watch program is installed to the port configured as Monitor port. [Fig. 5.2: Port Mirroring; Mirrored Ports 1, 2, 3; Monitor Port] To configure port mirroring, designate mirrored ports and a monitor port. Then enable the port mirroring function. The monitor port should be connected to the PC on which the watch program is installed. You can designate only one monitor port but many mirrored ports for
181. e Displaying Installed OS; Default OS; Switch Status; Tech Support. Network Connection: To verify if your system is correctly connected to the network, use the command ping. For IP network, this command transmits echo message to ICMP (Internet Control Message Protocol). ICMP is internet protocol that notifies fault situation and provides information on the location where IP packet is received. When ICMP echo message is received at the location, its replying message is returned to the place where it came. To perform a ping test to verify network status, use the following command. ping IP ADDRESS: Performs a ping test to verify network status. The following is the basic information to operate ping test. Protocol ip: Supports ping test. Default is IP. Target IP address: Sends ICMP echo message by inputting IP address or host name of destination in order to check network status with relative. Repeat count 5: Sends ICMP echo message as many as count. Default is 5. Datagram size 100: Ping packet size. Default is 100 bytes. Timeout in seconds 2: It is considered as successful ping test if reply returns within the configured time interval. Default is 2 seconds. Extended commands n: Shows the additional commands. Default is no. Tab. 6.2: Options for Ping. The following is an example of ping test 5 times to ver
182. e Compatibility with 802.1d. Port States: RSTP defines port states as discarding, learning, and forwarding. Blocking of 802.1d and listening is combined into discarding. Same as STP, root port and designated port are decided by port state. But a port in blocking state is divided into alternate port and backup port. Alternate port means a port blocking BPDUs of priority of high numerical value from other switches, and backup port means a port blocking BPDUs of priority of high numerical value from another port of same equipment. [Fig. 8.14: Alternate Port and Backup port] The difference between alternate port and backup port is that alternate port can alternate path of packet when there is a problem between Root switch and SWITCH C, but Backup port cannot provide stable connection in that case. BPDU Policy: 802.1d forwards BPDU following Hello time installed in root switch, and the other switch except root switch its own BPDU only when receiving BPDU from root switch. However, in 802.1w, not only root switch but also all the other switches forward BPDU following Hello time. BPDU is more frequently changed than the interval root switch exchanges, but with 802.1w it becomes faster to be master of the situation of changing network. By the way, when low BPDU is received from root switch or designated switch, it is im
183. e switch. If not, it is not injected into the switch. To apply the configuration to the switch after configuring configuration ID, use the following command. stp mst config id commit: Commits the configuration of the region. After deleting the configured configuration ID, apply it to the switch using the above command. MSTP Protocol: MSTP protocol has a backward compatibility. MSTP is compatible with STP and RSTP. If some other bridge runs with STP mode and sends BPDU version of STP or RSTP, MSTP automatically changes to STP mode. STP mode cannot be changed to MSTP mode automatically. If administrator wants to change network topology to MSTP mode, administrator has to clear previous detected protocol manually. To configure the protocol, use the following command. stp clear detected protocol PORTS: Clears detected protocol and tries administrative protocol; PORTS: select the port number. Point to point MAC Parameters: The internal sub layer service makes available a pair of parameters that permit inspection of and control over the administrative and operational state of the point to point status of the MAC entity by the MAC relay entity. To configure the point to point status, use the following command. Sets point to point MAC; PORTS: select the port number
184. e checked and the rule becomes activated within the system. An already applied rule cannot be modified. It needs to be deleted and then created again with changed values. Scheduling Algorithm: To handle overloading of traffics, you need to configure differently processing orders of graphic by using scheduling algorithm. The hiD 6610 S311 provides Strict Priority Queuing (SPQ), Weighted Round Robin (WRR) and Weighted Fair Queuing (WFQ). Queue Weight: Queue weight can be used to additionally adjust the scheduling mode per queue in WRR or WFQ mode. Queue weight controls the scheduling precedence of the internal packet queues. The higher the weight value, the higher the scheduling precedence of this queue. Rule Configuration. Rule Creation: For the hiD 6610 S311, you need to open Rule Configuration mode first. To open Rule Configuration mode, use the following command. rule NAME create (Global): Opens Rule Configuration mode; enter rule name. After opening Rule Configuration mode, the prompt changes from SWITCH config to SWITCH config rule name. After opening Rule Configuration mode, a rule can be configured by user. The rule priority, rule match, rule action, and action parameter(s) can be configured for each rule. 1. The rule name must be unique. Its size is limited to 63 significan
185. e falls below the threshold, trap message will be shown. dhcp lease is shown when there is no more IP address that can be assigned in subnet of DHCP server. Even if only one subnet does not have IP address to assign when there are several subnets, this trap message will be seen. fan, power, module is shown when there is any status change of fan, power and module. To enable SNMP trap, use the following command (Global). snmp trap auth fail: Configures the system to send SNMP trap when SNMP authentication is fail. snmp trap cold start: Configures the system to send SNMP trap when SNMP agent restarts. snmp trap link up PORTS NODE: Configures the system to send SNMP trap when a port is connected to network. snmp trap link down PORTS NODE: Configures the system to send SNMP trap when a port is disconnected from network. snmp trap cpu threshold: Configures the system to send SNMP trap when CPU load exceeds or falls below the threshold. snmp trap port threshold: Configures the system to send SNMP trap when the port traffic exceeds or falls below the threshold. snmp trap temp threshold: Configures the system to send SNMP trap when system temperature exceeds or falls below the threshold. snmp trap dhcp lease: Configures the system to send SNMP trap when no more IP address that can be assigned in the subnet of DHCP server is left
186. self loop detect {enable | disable} (Bridge): Enables/disables self loop detection function. To display a configuration for BPDU, use the following command (Enable/Global/Bridge). show self loop detect: Shows status of self loop detection and a port where loop is happened. show self loop detect {all | PORTS}: Shows self loop detection status on specified ports; all: all the ports, PORTS: selected port. Displaying BPDU Configuration: To display the configuration for BPDU, use the following command (Enable/Global/Bridge). show stp mst MSTID RANGE all PORTS detail; show stp mst MSTID RANGE all detail; show stp mst MSTID RANGE PORTS detail: Shows a configuration for BPDU for STP, RSTP and MSTP. show stp pvst VLAN RANGE all PORTS detail: Shows a configuration for BPDU for PVSTP and PVRSTP. Sample Configuration, Backup Route: When you design layer 2 network, you must consider backup route for stable STP network. This is to prevent network corruption when just one additional path exists. [Fig. 8.26: Example of Layer 2 Network Design in RSTP Environment] In ordinary case, data packets go to Root switch A through the bl
187. e out The following is an example to display a configuration of syslog. SWITCH show running config syslog syslog start syslog output info local volatile syslog output info local non volatile SWITCH Saving System Configuration: If you change a configuration of the system, you need to save the changes in the system flash memory. To save all changes of the system, use the following command. write memory (All): Saves all changes in the system flash memory. When you use the command write memory, make sure there is no key input until OK message appears. Auto Saving: In hiD 6610 S311, it is possible to save the configuration automatically. To configure the configuration periodically, use the following command (Global). write interval <10-1440>: Saves auto configuration periodically; 10-1440: auto saving interval (unit: minute). no write interval: Disables auto saving function. System Configuration File: To manage a system configuration file, use the following command. copy running config {FILENAME | startup config}: Copies a running configuration file; FILENAME: configuration file name, startup config: startup configuration file. copy startup config FILENAME: Copies a startup configuration file; FILENAME: configuration file name. Enabl Copies a
188. ip ospf authentication message digest null; ip ospf A.B.C.D authentication message digest null (Interface): Enables authentication on OSPF interface. message digest uses MD5 to encode for authentication. null means not using any authentication. Use the following command to release the configured authentication of OSPF router for security. no ip ospf authentication message digest null; no ip ospf A.B.C.D authentication message digest null (Interface): Disables authentication on OSPF interface. Configuring Authentication Key: If authentication is enabled on an OSPF router interface, the password is needed for authentication. The authentication key works as a password. The authentication key must be consistent across all routers in an attached network. Use the following command to configure the authentication key which is based on text encoding. ip ospf authentication key first second active ip ospf authentication key KEY first second active Configures the authentication which is based Interface ip ospf authentication key KEY A B C D first on text encoding second ip ospf message digest key <1-255> md5 KEY f Configures the authentication which is based active Interface on text encoding ip ospf message digest key <1-255> md5 A B C D active ip os
189. e the following command. debug dhcp {filter | lease | service | all} (Enable): Enables a debugging DHCP packet. no debug dhcp {filter | lease | service | all}: Disables a debugging DHCP packet. Ethernet Ring Protection (ERP): The ERP is a Siemens protection protocol and procedure to protect Ethernet ring topologies. It is a fast failure detection and recovery so that it decreases the time to prevent Loop under 50ms. The main characteristics of the ERP are as follows. It requires no additional underlying protection mechanism within the ring configuration; the complete functionality is implemented on the interface units of the system and does not require additional dedicated hardware, which may raise network complexity and costs. It is a unique robustness functionality which runs on every network element involved in the ring configurations. It means each system is an active part of the ring protection mechanism. Therefore, it guarantees a maximum of 50 ms to switch over towards a new configuration after link or system failures. ERP and STP cannot be configured at once. ERP Operation: Ethernet Ring Protection (ERP) is a concept and protocol optimized for fast failure detection and recovery on Ethernet ring topologies. The Protection of fast failure detection and recovery occurs on RM Node. An Ethernet ring
190. ease A CEN the lease time to use IP address time default 7 ME ena TIME 120 2147483637 Default 3600 seconds oba ip EE default config lease E the maximum lease time to use IP address time max bdo ac bd TIME 120 2147483637 E 3600 seconds To delete the configured lease time, use the following command (Global). no ip dhcp default config lease time default; no ip dhcp default config lease time max: Deletes the configured lease time. DHCP Relay Agent: A DHCP relay agent is any host that forwards DHCP packets between clients and servers. The DHCP relay agents are used to forward DHCP requests and replies between clients and servers when they are not on the same physical subnet. The DHCP relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are switched between networks somewhat transparently. By contrast, DHCP relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The DHCP relay agent sets the gateway address and, if configured, adds the DHCP option 82 information in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing the DHCP option 82 information. [Fig. 8.32: Example of DHCP Relay Agent; DHCP Server, Subnet 1, Subnet 2, PC (DHCP Client)] Enable DHCP Re
191. egroup vl test none none SWITCH config show snmp access Access List GroupName SecModel SecLevel ReadView WriteView NotifyView rogroup v1 noauth TEST none none SWITCH config SNMP Version 3 User: In SNMP version 3, you can register an SNMP agent as user. If you register SNMP version 3 user, you should configure it with the authentication key. To create/delete SNMP version 3 user, use the following command (Global). snmp user USER {md5 | sha} AUTH KEY des PRIVATE KEY: Creates SNMP version 3 user; USER: enters user name, AUTH KEY: Authentication passphrase (min length: 8), PRIVATE KEY: Privacy passphrase (min length: 8). no snmp user USER: Deletes a registered SNMP version 3 user. To display SNMP version 3 user, use the following command. (Enable/Global): Displays SNMP version 3 user. SNMP Trap: SNMP trap is an alert message that SNMP agent notifies SNMP manager about certain problems. If you configure SNMP trap, switch transmits pertinent information to network management program. In this case, trap message receivers are called trap host. SNMP Trap Host: To set an SNMP trap host, use the following command (Global). snmp trap host IP ADDRESS COMMUNITY: Specifies IP address of an SNMP trap host. snmp trap2 host IP ADDRESS COMMUNITY; snmp inform trap host Specifies IP address
192. emote loopback disable PORTS device. oam remote loopback start PORTS: Operates loopback. Local OAM Mode: To configure Local OAM, use the following command. oam local mode {active | passive} PORTS (Bridge): Configures the mode of local OAM. Both request and loopback are possible for local OAM active. However, request or loopback is impossible for local OAM passive. OAM Unidirection: When RX is impossible in local OAM, it is possible to send the information by using TX. To enable/disable the function, use the following command (Bridge). oam local unidirection enable PORTS: Sends the information by using TX. oam local unidirection disable PORTS: Disables to transmit the information by using TX. Remote OAM: To enable/disable remote OAM, use the following command (Bridge). oam remote oam admin <1-2> enable PORTS: Enables remote OAM. oam remote oam admin <1-2> disable PORTS: Disables remote OAM. To configure the mode of remote OAM, use the following command. oam remote oam mode <1-2> {active | passive} PORTS (Bridge): Configures the mode of remote OAM. To display the information of peer host using OAM function, use the following command
193. Tab. 8.3: RSTP Path cost. When the route decided by path cost gets overloading, you would better take another route. Considering these situations, it is possible to configure path cost of root port so that user can configure route manually. To configure path cost, use the following command. stp mst path cost MSTID RANGE PORTS <1-200000000>: Sets the path cost to configure route. MSTID_RANGE: select instance number, 0-64. PORTS: select the port number. 1-200000000: enter the path cost value. no stp mst path cost MSTID RANGE PORTS: Deletes the configured path cost; enter the instance number and the port number. Port priority: When all conditions of two switches are same, the last standard to decide route is port priority. It is also possible to configure port priority so that user can configure route manually. In order to configure port priority, use the command. stp mst port priority MSTID RANGE PORTS <0-240> (Bridge): Configures port priority. no mst port priority RANGE PORTS EN port priority EN. MST Region: If MSTP is established in the hiD 6610 S311, decide which MST region the switch is going to belong to by configuring MST configuration ID. Configuration ID contains region name, revision, VLAN map
194. ent Structure: Tab. 1.1 briefly describes the structure of this document. 1 Introduction: Introduces the overall information of the document. 2 System Overview: Introduces the hiD 6610 S311 system. It also lists the features of the system. 3 Command Line Interface (CLI): Describes how to use the Command Line Interface (CLI). 4 System Connection and IP Address: Describes how to manage the system account and IP address. 5 Port Configuration: Describes how to configure the Ethernet ports. 6 System Environment: Describes how to configure the system environment and management functions. 7 Network Management: Describes how to configure the network management functions. 8 System Main Functions: Describes how to configure the system main functions. 9 IP Multicast: Describes how to configure the IP multicast packets. 10 IP Routing Protocol: Describes how to configure IP routing protocol. 11 Abbreviations: Lists all abbreviations and acronyms which appear in this document. (Tab. 1.1: Overview of Chapters.) Document Convention: This guide uses the following conventions to convey instructions and information. Information: This information symbol provides useful information when using commands to configure and means reader take note. Notes contain helpful suggestions or references. Warning: This warning symbol means danger. Yo
195. enticatON T; Authentication Method; Authentication Interface; Primary Authentication Method; SS A A A DU dRu ED LION LEE; RADIUS Server for System Authentication; RADIUS Server Priority; Timeout of Authentication Request; Frequency of Retransmit; TACACS; TACACS Server for System Authentication; TACACS Server Priority; Timeout of Authentication Request; Additional TACACS Configuration; Accounting Mode; Displaying System Authentication; ei Me Leef e; A ante a Lor ERN; Disabling Interface; Assigning IP Address to Network Interface; Static Route and Default Gateway; Displaying Interface; So Hi Secure ER EE; SSH SONGO
196. er. You can create various DHCP pools that can be configured with a different network, default gateway and range of IP addresses. This allows the network administrators to effectively handle multiple DHCP environments. Topics: DHCP Pool Creation; DHCP Subnet; Subnet Default Gateway; IP Address Range; IP Lease Time; DNS Server; Manual Binding; Displaying Configuration; Recognition of DHCP Client; Lease Database Back up; Reset. DHCP Pool Creation: In Global Configuration mode, you can create the IP pool. To create DHCP Pool, use the following command. ip dhcp pool POOL NAME (Global): Creates a DHCP pool and opens DHCP Pool Configuration mode. no ip dhcp pool POOL NAME (Global): Deletes a created DHCP pool. The following is an example of creating the DHCP pool as sample: SWITCH config ip dhcp pool sample SWITCH config dhcp sample. DHCP Subnet: To specify a subnet of the DHCP pool, use the following command. subnet A.B.C.D/M (DHCP Pool): Specifies a subnet of the DHCP pool. A.B.C.D/M: network address. For the hiD 6610 S311, it is possible to specify several subnets in a single DHCP Pool. To delete the DHCP subnet, use the following command. no subnet A.B.C.D/M (DHCP Pool): Deletes a specified subnet. Subnet Default Gateway: To specify a default gateway of the D
197. er of IP addresses <0-2147483637>. STRING lease limit NUMBER; remote id text REMOTE ID circuit id index <0-65535> lease limit NUMBER (0-65535: Circuit id of numeric style); remote id text REMOTE ID circuit id text CIRCUIT ID lease limit NUMBER. To delete the configuration of remote id and circuit id for IP address limit, use the following command (mode: Option 82). no remote id hex HEXSTRING circuit id hex HEXSTRING lease limit; no remote id hex HEXSTRING circuit id index <0-65535> lease limit; no remote id hex HEXSTRING circuit id text CIRCUIT ID lease limit; no remote id hex HEXSTRING circuit id all lease limit; no remote id ip A.B.C.D circuit id hex HEXSTRING lease limit; no remote id ip A.B.C.D circuit id all lease limit; no remote id text REMOTE ID circuit id hex HEXSTRING lease limit; no remote id ip A.B.C.D circuit id index <0-65535> lease limit; no remote id ip A.B.C.D circuit id text CIRCUIT ID lease limit; no remote id text REMOTE ID circuit id index <0-65535> lease limit; no remote id text REMOTE ID circuit id text CIRCUIT ID lease limit; no remote id text REMOTE ID circuit id all lease limit: Deletes Remote ID and Circuit ID which to be assigned and limits the numbers of IP address. REMOTE ID: IP address or MAC address. NUMBER: the number of IP addresses <0-2147483637>. To configure Remote id and circuit i
198. ers of the VLAN associated with that multicast or unknown unicast traffic. Cost Effective Way: When you use VLAN to prevent unnecessary traffic loading because of broadcast, you can get cost effective network composition since switch is not needed. Strengthened Security: When using a shared bandwidth LAN, there is no inherent protection provided against unwanted eavesdropping. In addition to eavesdropping, a malicious user on a shared LAN can also induce problems by sending lots of traffic to specific targeted users or network as a whole. The only cure is to physically isolate the offending user. By creating logical partitions with VLAN technology, we further enhance the protections against both unwanted eavesdropping and spurious transmissions. As depicted in Figure, a properly implemented port based VLAN allows free communication among the members of a given VLAN, but does not forward traffic among switch ports associated with members of different VLANs. That is, a VLAN configuration restricts traffic flow to a proper subnet comprising exactly those links connecting members of the VLAN. Users can eavesdrop only on the multicast and unknown unicast traffic within their own VLAN; presumably the configured VLAN comprises a set of logically related users. User Mobility: By defining a VLAN based on the addresses of the member stations, we can define a workgroup independent of the physical location of its members. Unicast and multicast traffic in
199. es port priority VLAN RANGE PORTS <0-240> (Bridge). no stp pvst port priority VLAN RANGE PORTS: Disables port priority configuration. Root Guard: The standard STP does not allow the administrator to enforce the position of the root bridge, as any bridge in the network with lower bridge ID will take the role of the root bridge. Root guard feature is designed to provide a way to enforce the root bridge placement in the network. Even if the administrator sets the root bridge priority to zero in an effort to secure the root bridge position, there is still no guarantee against bridge with priority zero and a lower MAC address. [Fig. 8.25: Root Guard. Labels: Service provider, Customer, Switch A, Switch B, Root Switch, Root Guard Configuration] Software based bridge applications launched on PCs or other switches connected by a customer to a service provider network can be elected as root switches. If the priority of bridge B is zero or any value lower than that of the root bridge, device B will be elected as a root bridge for this VLAN. As a result, network topology could be changed. This may lead to sub optimal switching. But by configuring root guard on switch A, no switches behind the port connecting to switch A can be elected as a root for the service provider's switch network. In which case switch A will bl
200. [Fig. 4.2: Multiple Authentication Servers] If you register in several servers, the authentication server starts from RADIUS server registered as first one, then requests the second RADIUS server in case there's no response. According to the order of registering the authentication request, the authentication request is tried and the server which responds to it becomes the default server from the point of response time. After default server is designated, all requests start from the RADIUS server. If there's no response from default server again, the authentication request is tried for RADIUS server designated as next one. To configure IP address of RADIUS server and key value, use the following command (Global). dot1x radius server host IP ADDRESS NAME auth port <0-65535> key KEY: Registers RADIUS server with key value and UDP port of radius server. IP ADDRESS: IP address of radius server. NAME: host name. 0-65535: UDP port number. KEY: the value of key. dot1x radius server host IP ADDRESS NAME key KEY: Configures IP address of RADIUS server and key value. no dot1x radius server host IP ADDRESS NAME: Deletes a registered RADIUS server. You can designate up to 5 RADIUS servers as authenticator
201. etes a syslog message after restart. non volatile: reserves a syslog message. Generates a user defined syslog message with a priority and forwards it to a remote host. warning notice info remote IP ADDRESS. To disable a user defined syslog output level, use the following command (Global). no syslog output priority auth authpriv cron daemon kern local1 local2 local3 local4 local5 local6 local7 lpr mail news syslog user uucp emerg alert crit err warning notice info console; no syslog output priority auth authpriv cron daemon kern local1 local2 local3 local4 local5 local6 local7 lpr mail news syslog user uucp emerg alert crit err warning notice info local volatile non volatile; no syslog output priority auth authpriv cron daemon kern local1 local2 local3 local4 local5 local6 local7 lpr mail news syslog user uucp emerg alert crit err warning notice info remote IP ADDRESS: Deletes a specified user defined syslog output level with a priority. The order of priority is emergency > alert > critical > error > warning > notice > info > debug. If you set a specific level of syslog output, you will receive only a syslog message for selected level or higher. If you want receive a syslog message for all the levels, you need to set
202. eviated form. The following table shows some examples of abbreviated commands. configure terminal: con te. (Tab. 3.14: Command Abbreviation.) Using Command of Privileged EXEC Enable Mode: You can execute the commands of Privileged EXEC Enable mode, as show, ping, telnet, traceroute and so on, regardless of which mode you are located on. To execute the commands of Privileged EXEC Enable mode on another mode, use the following command. do COMMAND (All): Executes the commands of Privileged EXEC mode. Exit Current Command Mode: To exit to the previous command mode, use the following command (All). exit: Exits to the previous command mode. a 4: Exits to Privileged EXEC enable mode. If you use the command exit on Privileged EXEC View mode or Privileged EXEC Enable mode, you will be logged out. System Connection and IP Address. System Connection: After installing switch, the hiD 6610 S311 is supposed to examine that each port is rightly connected to network and management PC. And then user connects to system to configure and manage the hiD 6610 S311. This section provides instructions how to change password for system connection, connect to system through telnet as the
203. f assigned IP address. abandon offer fixed free all POOL NAME; show ip dhcp lease detail IP ADDRESS (Enable, Global, Bridge). all: all IP addresses. bound: assigned IP address. abandon: illegally assigned IP address. offer: IP address being ready to be assigned. fixed: manually assigned IP address. free: remaining IP address. Registering Global DNS Server: User is able to register not only DNS server that is applied whole DHCP pools in Global Configuration Mode but also DNS server configured in particular DHCP Pool configuration mode. To register the DNS server of entire DHCP Pools globally, use the following command. ip dhcp default config dns server IP ADDRESS1 IP ADDRESS2 IP ADDRESS3 (Global): Registers the basic DNS server of all DHCP Pools. To remove the registered DNS server, use the following command. no ip dhcp default config dns server (Global): Deletes the global DNS server. Setting global lease Time: User is able to set not only lease time that is applied whole DHCP pools in Global Configuration Mode but also lease time configured in particular DHCP Pool configuration mode. To set the global lease time of entire DHCP Pools, use the following command. ip dhcp default config l
204. f preventing a loop. The matter is that communication is disconnected during two times of BPDU Forward delay till a port connected to switch D and SWITCH C is blocked. Then right after the connection, it is possible to transmit BPDU although packet cannot be transmitted between switch A and root. [Fig. 8.17: Network Convergence of 802.1w (1). Labels: ROOT, Switch A, Switch B, Switch C, Switch D; 1. New link created; 2. Negotiate between Switch A and ROOT (Traffic Blocking)] SWITCH A negotiates with root through BPDU. To make link between SWITCH A and root, port state of non edge designated port of SWITCH is changed to blocking. Although SWITCH A is connected to root, loop will not be created because SWITCH A is blocked to SWITCH B and C. In this state, BPDU from root is transmitted to SWITCH B and C through SWITCH A. To configure forwarding state of SWITCH A, SWITCH A negotiates with SWITCH B and SWITCH C. [Fig. 8.18: Network Convergence of 802.1w (2). Labels: ROOT, Switch A, Switch B, Switch C, Switch D; 3. Forwarding; 3. Negotiate between Switch A and Switch C (Traffic Blocking); 3. Negotiate between Switch A and Switch B (Traffic Blocking)] SWITCH B has only edge designated port. Edge designated does not cause loop, so it is defined in 802.1w to be changed to forwarding sta
205. face Configuration mode, you should open the mode and then use the follow command. shutdown (Interface): Disables an interface on Interface Configuration mode. Assigning IP Address to Network Interface: After enabling interface, you need to assign IP address. To assign IP address to specified network interface, use the following command (Interface). ip address IP ADDRESS/M: Assigns IP address to an interface. ip address IP ADDRESS/M secondary: Assigns secondary IP address to an interface. To disable the assigned IP address, use the following command (Interface). no ip address IP ADDRESS/M: Removes assigned IP address to an interface. no ip address IP ADDRESS/M secondary: Removes assigned secondary IP address to an interface. To display an assigned IP address, use the following command. show ip (Interface): Shows an assigned IP address of the interface. Static Route and Default Gateway: It is possible to configure the static route. Static route is a route which user configures manually. Packets are transmitted to the destination through static route. Static route includes destination address, neighbor router to receive packet, the number of routes that packets have to go through. To configure static route, use the following command. ip route A.B.C.D SUBN
206. fer to the each configuration chapter. Packet Dump by Protocol: You can see packets about BOOTPS, DHCP, ARP and ICMP using the following command (Enable). debug packet interface INTERFACE port PORTS protocol bootps dhcp arp icmp src ip A.B.C.D dest ip A.B.C.D: Shows packet dump by protocol. debug packet interface INTERFACE port PORTS host src ip A.B.C.D dest ip A.B.C.D src port <1-65535> dest port <1-65535>: Shows host packet dump. debug packet interface INTERFACE port PORTS multicast src ip A.B.C.D dest ip A.B.C.D: Shows multicast packet dump. debug packet interface INTERFACE port PORTS src ip A.B.C.D dest ip A.B.C.D; debug packet interface INTERFACE port PORTS dest ip A.B.C.D: Show packet dump by source IP address or destination IP address. Packet Dump with Option: You can verify packets with TCP dump options using the following command. debug packet OPTION: Shows packet dump using options. Tab. 7.3 shows the options for packet dump. Buffer output data in line. This is useful when other application tries to receive data from tcpdump. i INTERFACE: Designate the interface where the intended packets are transmitted. If not designated, it automatically selects an interface which has the lowest number within the system interfaces
207. fied static MAC address. NAME: enter the bridge name. PORT: enter the port number. MACADDR: enter the MAC address. no mac NAME PORT MACADDR. To display a MAC table in the switch, use the following command. show mac NAME PORT (Enable, Global, Bridge): Shows switch MAC address, selection by port number (subscriber port only). NAME: enter the bridge name. PORT: select the port number. There are more than a thousand of MAC addresses in MAC table, and it is difficult to find information you need at one sight. So the system shows certain amount of addresses, displaying more on standby status. Press any key to search more. After you find the information, you can go back to the system prompt without displaying the other table by pressing <q>. MAC Filtering: It is possible to forward frame to MAC address of destination. Without specific performance degradation, maximum 4,096 MAC addresses can be registered. Default Policy of MAC Filtering: The basic policy of filtering based on system is set to allow all packets for each port. However, the basic policy can be changed for user's requests. After configuring basic policy of filtering for all packets, use the following command on Bridge mode to show the configuration. mac filter default policy deny SE PP basic policy of MAC Filtering in specified ri pe
208. figuration of specified interface INTERFACE (VRRP). To return to Global Configuration mode or Privileged EXEC Enable mode, use the following commands (VRRP). a 1: Returns to Global Configuration mode. md: Goes back right to Privilege EXEC mode. To delete the VRRP configuration, use the following command. no router vrrp 1 255 (Global): Configures Virtual Router (VRRP Group). 1 255: group ID. Associated IP Address: After configuring Virtual Router, you need to assign Associated IP address in Virtual Router. Assign unified IP address to routers in one Group. To assign Associate IP address to routers in Virtual Router or delete configured Associate IP address, use the following command (VRRP). associate IP ADDRESS: Assigns an associated IP address to Virtual Router. no associate IP ADDRESS: Deletes an assigned associated IP address to Virtual Router. The following is an example of assigning IP address 10.0.0.5 to Virtual Router: SWITCH config router associate 10.0.0.5 SWITCH config router. Access to Associated IP Address: If you configure the function of accessing Associated IP address, you can access to Associated IP address by the commands such as ping. To configure the function of accessing Associated IP address, use the following command e me ees f Co
209. figures the action of IGMP profile policy, whether it denies or permits the matching addresses (permit, deny; mode: Profile). Applying IGMP Profile to the Filter Port: To apply the configured IGMP Profile to the filter port, use the following command. ip igmp filter port PORTS profile <1-4294967295> (Global): Configures IGMP profile. PORTS: port number. 1-4294967295: number of configured IGMP profile. To cancel the applying of the profile, use the following command. no ip igmp filter port PORTS (Global): Disables an applied IGMP profile. PORTS: port number. To display the IGMP filter configuration, use the following command. show ip igmp filter port PORTS (Enable, Global): Shows a configuration. Max Number of IGMP Join Group: You can configure the maximum number of IGMP groups that a Layer 2 interface can join. To configure the maximum number of IGMP groups per port, use the following command. ip igmp max groups port PORTS count <0-4294967295>: Configures the maximum number of IGMP groups. PORTS: port number. 0-4294967295: maximum number of IGMP groups that the port can join. To return to the default setting, use the following command. no ip igmp max groups port PORTS (Global): Returns to the default of no maximum. PORTS: the number of port. PIM SM: Protocol Indepe
210. figures the priority of port thread over alarm. Configures the priority of power fail alarm. Configures the priority of power remove alarm. Configures the priority of RMON alarm rising alarm. Configures the priority of RMON alarm falling alarm. Configures the priority of system restart alarm. Configures the priority of module remove alarm. Configures the priority of temperature high alarm. If you want to delete a configured alarm severity, use the following command (Global). no snmp alarm severity fan fail; no snmp alarm severity cold start; no snmp alarm severity broadcast over; no snmp alarm severity cpu load over; no snmp alarm severity dhcp lease; no snmp alarm severity dhcp illegal; no snmp alarm severity fan remove; no snmp alarm severity ipconflict; no snmp alarm severity memory over; no snmp alarm severity mfgd block; no snmp alarm severity port link down; no snmp alarm severity port remove; no snmp alarm severity port thread over; no snmp alarm severity power fail; no snmp alarm severity power remove; no snmp alarm severity rmon alarm rising; no snmp alarm severity rmon alarm falling; no snmp alarm severity system restart; no snmp alarm severity module remove; no snmp alarm severity temperature high: Deletes a configured alarm severity. 7.1.9.5 ADVA Alarm Severity: To configure a severity of alarms for ADVA status
211. formation. The following figure explains the process of 802.1x authentication. [Fig. 4.1: Process of 802.1x Authentication. Labels: EAPOL (EAP over LAN), EAP over RADIUS, RADIUS Server, Suppliant, Authenticator, Authentication Server. Messages: EAPOL Start; EAP Request Identity; EAP Response Identity; RADIUS Access Request; EAP Request; RADIUS Access Challenge; EAP Response; RADIUS Access Request; EAP Success; RADIUS Access Accept] To enable 802.1x authentication on port of the hiD 6610 S311, you should be able to perform the following tasks. 802.1x Authentication. Enabling 802.1x: To configure 802.1x, the user should enable 802.1x daemon first. In order to enable 802.1x daemon, use the following command (Global). Enables 802.1x daemon. Disables 802.1x daemon. Configuring RADIUS Server: As RADIUS server is registered in authenticator, authenticator also can be registered in RADIUS server. Here, authenticator and RADIUS server need extra data authenticating each other besides they register each other's IP address. The data is the key and should be the same value for each other. For the key value, every kinds of character can be used except for the space or special character. RADIUS 2 Server Suppliant Authenticator Authentication Server Authentication requ
212. g the others. When processing data, data are usually supposed to be processed in time order like first in first out. This way, not processing specific data first might lose all data in case of overloading traffics. However, in case of overloading traffics, QoS can apply processing order to traffic by reorganizing priorities according to its importance. By favor of QoS, you can predict network performance in advance and manage bandwidth more effectively. How to Operate Rule and QoS: For the hiD 6610 S311, rules operate as follows. Rule Creation: To classify the packets according to the specific basis, configure the policies about them first. The basis used to classify the packets is 802.1p priority (CoS), VLAN ID, DSCP and port number. Additionally, a unique name needs to be assigned to each rule. Rule Priority: Assigns a priority to a rule (precedence to other rules). Packet Classification: Configures the policy to adjust how and what is to be classified within transmitted packets. Rule Match: Configures the policy classifying the action(s) to be performed if the configured rule classification fits transmitted packet(s). mirror: transmits the classified traffic to monitor port. redirect: transmits the classified traffic to specified port. permit: allows traffic matching given characteristics. deny: blocks traffic matching given characteristics. Rule Apply: Applies the just configured rule. Configured values will b
213. get enlarged bandwidth. [Fig. 8.7: Link Aggregation. Labels: Bandwidth with 1 port; Enlarged bandwidth with many ports; A logical port that can be made by aggregating a number of the ports] The hiD 6610 S311 supports two kinds of link aggregation, port trunk and LACP. There's a little difference in these two ways. In case of port trunking, it is quite troublesome to set the configuration manually, and the rate to adjust to the network environment changes when connecting to the switch using logical port. However, if the user configures physical port aggregated with the logical port in each switches, the switches are connected as the configuration. Therefore it is easier for user to configure comparing to the port trunk and could quickly respond to the environmental changes. Port Trunk: Port trunking enables you to dynamically group similarly configured interfaces into a single logical link (aggregated port) to increase bandwidth while reducing the traffic congestion. Configuring Port Trunk: To make logical port by aggregating the ports, use the following command. trunk add <0-13> PORTS dstip dstmac srcdstip srcdstmac srcip srcmac (Bridge): Adds a port to the aggregation group and designates physical port as logical port and decide which packets are transmitted to the aggregated port. 1 13: Trunk Group ID. It is possible to input trunk group ID from O t
214. gh point to multipoint function so that network management cost can be saved. Two routers that are not directly connected should transmit and receive routing information through intermediate router. So you do not have to configure neighbor router anymore. The followings are features of OSPF point to multipoint type. IP source is economized because you do not have to assign Neighbor router and there is no additional process to configure designated router. Management cost is saved because it does not need to be linked with all router on network like a spider's thread. It can provide more stable network service since it can communicate even when virtual circuit is disconnected. To configure OSPF network type, use the following command. ip ospf network broadcast non broadcast point to multipoint point to point (Interface): Configures OSPF network type in OSPF interface. OSPF Interface: OSPF configuration can be changed. Users are not required to alter all of these parameters, but some interface parameters must be consistent across all routers in an attached network. Configuring Authentication: Authentication encodes communications among the routers. This function is for security of information in OSPF router. Use the following command to configure authentication of OSPF router for security
215. gister Slave switch for Master switch. To register Slave switch or delete the registered Slave switch, use the following command (Global). stack add MACADDR DESCRIPTION: Registers slave switch. MACADDR: MAC address. stack del MACADDR: Deletes slave switch. To make stacking operate well, it is required to enable the interface of Slave switch. The switches in different VLANs can not be added to the same switch group. You should designate Slave switch registered in Master Switch as Slave Switch. To designate Slave switch, use the following command (Global): Designates as a slave switch. Disabling Stacking: To disable stacking, use the following command. no stack (Global): Disables the stacking function. Displaying Stacking Status (Enable, Global): Shows a configuration of stacking. Accessing to Slave Switch from Master Switch: After configuring all stacking configurations, it is possible to configure and manage by accessing to Slave switch from Master switch. To access to Slave switch from Master switch, use the following command in Bridge configuration mode. rcommand NODE (Global): Accesses to a slave switch. NODE: node number. NODE means node ID from configuring stacking in Slave switch. If you input the above command in Master switch, Telne
216. guring auto restarting function in case CPU load or Interrupt load maintains over 70 during 60 seconds and viewing the configuration: SWITCH config SWITCH bridge auto reset cpu 70 70 1 SWITCH bridge show auto reset cpu auto reset on cpu load 70 interrupt load 70 continuation time 1 SWITCH bridge. System Authentication: For the enhanced system security, the hiD 6610 S311 provides two authentication methods to access the switch using Remote Authentication Dial In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+). Authentication Method: To set the system authentication method, use the following command (Global). login local remote radius tacacs host all enable: Set the system authentication method. local: authentication for console access. remote: authentication for telnet access. radius: selects RADIUS authentication. tacacs: selects TACACS authentication. host: selects nominal system authentication (default). all: selects all the authentication methods. login local remote radius tacacs host all disable: Disables a configured system authentication method. Authentication Interface: If more than 2 interfaces are specified to the hiD 6610 S311, you can designate one specific interface to access RADIUS
217. h SYN to a person who tries to make a TCP connection. Only when the transmitted cookies are returned is the TCP connection permitted. This function prevents connection overcrowding caused by users who have connected but are not using the service, and helps the other users use the service.

To permit a connection only when the transmitted cookies are returned after sending cookies with SYN, use the following command.

ip tcp syncookies: Permits only when transmitted cookies are returned after sending cookies with SYN.
no ip tcp syncookies: Disables configuration to permit only when transmitted cookies are returned after sending cookies with SYN.

Packet Dump

Failures in a network show up as symptoms. Each symptom can be traced to one or more problems by using specific troubleshooting tools. The hiD 6610 S311 switch provides the debug command to dump packets. Use debug commands only for problem isolation. Do not use them to monitor normal network operation. The debug commands produce a large amount of processor overhead.

7.16.1 Verifying Packet Dump

You can configure a packet dump type to verify dumped packets as follows:

- Packet Dump by Protocol
- Packet Dump with Option

The hiD 6610 S311 also provides debug commands for Layer 3 routing protocols (BGP, OSPF, RIP and PIM). If you want to debug about them re
218. have any joined client. Otherwise, the mac address table command helps the switch send this information directly to the port as soon as the subscriber joins the specified multicast group.

To see the IGMP static join group, use the following command.

show mac address table multicast vlan VLANS (mode: Enable, Global): Shows multicast group addresses on the IGMP table.

Multicast VLAN Registration (MVR)

Multicast VLAN Registration (MVR) is for applications using wide-scale deployment of multicast traffic across an Ethernet ring-based service provider network. MVR allows a subscriber on a port to subscribe or not to a multicast stream on the network-wide multicast VLAN. It allows the single multicast VLAN to be shared in the network, with subscribers remaining in separate VLANs. MVR helps to continuously send multicast streams in the multicast VLAN, but to isolate the streams from the subscriber VLANs for bandwidth and security reasons.

MVR assumes that subscribers subscribe or not (join and leave) these multicast streams by sending out IGMP join and leave messages. These messages can originate from an IGMP version 2 compatible host. Although MVR operates on the underlying mechanism of IGMP snooping, the two features operate independently of each other. One of them can be enabled or disabled without affecting the behavior of the other features
219. hbor routier
Border Gateway Protocol (BGP)
Basic Configuration
BGP Routing
BGP Filtering through Prefix Lists
BGP Community
Displaying and Managing BGP
Open Shortest Path First (OSPF)
Configuring Authentication
Routing Information Protocol (RIP)
Enabling RIP
Creating Static Route Available for RIP
Transmitting Routing Information
Metrics for Redistributed Routes
Administrative Distance
220. he NTP algorithm is much more complicated than the SNTP algorithm. NTP normally uses multiple time servers to verify the time and then controls the rate of adjustment, or slew rate, of the PC, which provides a very high degree of accuracy. The algorithm determines if the values are accurate by identifying a time server that doesn't agree with the other time servers. It then speeds up or slows down the PC's drift rate so that the PC's time is always correct and there won't be any subsequent time jumps after the initial correction.

Unlike NTP, SNTP usually uses just one Ethernet Time Server to calculate the time and then it jumps the system time to the calculated time. It can, however, have backup Ethernet Time Servers in case one is not available.

To configure the switch in SNTP, use the following commands.

sntp SERVER 1 SERVER 2 SERVER 3: Specifies the IP address of the SNTP server. Up to three servers can be specified. SERVER: server IP address.

To display the SNTP configuration, use the following command.

(mode: Enable, Global): Shows SNTP configuration.

The following is to register the SNTP server as 203.255.112.96 and enable it.

SWITCH config sntp 203.255.112.96
SWITCH config show sntp
SWITCH config

You can configure up to 3 servers so that the second and third servers are used as backup in case the first server is down.
221. he following is an example of displaying a list of configuration files.

SWITCH config copy running config SURPASShiD6610
SWITCH config show config list
13 default SURPASShiD6610
SWITCH config

6.2.5 Restoring Default Configuration

To restore a default configuration of the system, use the following commands.

restore factory defaults (mode: Global): Restores a factory default configuration.
restore layer2 defaults (mode: Global): Restores an L2 default configuration.
restore layer3 defaults (mode: Global): Restores an L3 default configuration.

After restoring a default configuration, you need to restart the system to initiate.

The following is an example of restoring a default configuration of the system.

SWITCH config restore factory defaults
OK
SWITCH config

6.3 System Management

When there is any problem in the system, you must find what the problem is and its solution. Therefore, you should not only be aware of the status of the system but also verify that the system is configured properly.

This section includes the following functions with CLI commands.

- Network Connection
- IP ICMP Source Routing
- Tracing Packet Route
- Displaying User Connecting to
- MAC Table
- Running Time of System
- System Information
- System Memory Information
- Average of CPU Load
- Running Process
- Displaying System Imag
222. he highest IP address becomes BSR. The Bootstrap message includes the priority to decide BSR, the hash mask to be used in Hash, and RP information. After deciding BSR, routers which support RP transmit a candidate RP message to BSR. The candidate RP message includes priority, IP address and multicast group. Then BSR adds the candidate RP message to the Bootstrap message and transmits it to another PIM router. Through this transmitted Bootstrap message, the RP of the multicast group is decided.

User's equipment belonging to the PIM-SM network can be a candidate BSR, and BSR is decided among them. A candidate BSR transmits a Bootstrap message to decide BSR. You can configure the priority to decide BSR among Bootstrap messages and the Hash mask.

Configuring Static RP

To configure static RP manually, use the following command.

static rp A.B.C.D/M A.B.C.D: Configures RP of multicast group. A.B.C.D/M: group prefix. A.B.C.D: IP address of RP.
no static rp A.B.C.D/M A.B.C.D: Deletes RP configured by network administrator.

To delete rp mapping, use the following command.

clear rp mapping {A.B.C.D | all}: Deletes RP mapping of a specific IP address or all of them. A.B.C.D: IP address of RP.

Bootstrap Router (BSR) Information

The information transmitted between multicast routers in the automatic way is called Bootstrap message and the router whi
223. he information of the other switches. The information received from other switches is aged.

Enabling LLDP

To enable LLDP, use the following command.

lldp enable PORTS mgmtaddr A.B.C.D (mode: Bridge): Enables LLDP function on a port. A.B.C.D: IP address that is given to LLDP packet.
lldp disable PORTS mgmtaddr A.B.C.D (mode: Bridge): Disables LLDP function.

LLDP Operation Type

If you activated LLDP on a port, configure the LLDP operation type. Each LLDP operation type works as follows:

- both: sends and receives LLDP frames
- tx only: only sends LLDP frames
- rx only: only receives LLDP frames
- disable: does not process any LLDP frame

To configure how to operate LLDP, use the following command.

lldp adminstatus PORTS {both | tx only | rx only | disable} (mode: Bridge): Configures LLDP operation type. Default: disable.

7.3.4 Basic TLV

LLDP is transmitted through TLVs. There are mandatory TLVs and optional TLVs. The optional TLVs consist of basic TLVs and organizationally specific TLVs. Basic TLVs must be in the switch where LLDP is realized; specific TLVs can be added according to the features of the switch.

In the hiD 6610 S311, the administrator can enable and disable basic TLVs by selecting them. To enable a basic TLV by selecting it, use the following command.

lldp enable PORTS portdescrip Selects basic TL
224. hile when path costs of two paths are the same, port priority is compared. As in the picture below, suppose that two switches are connected. Since the path costs of the two paths are both 100, their port priorities are compared, and the port with the smaller port priority is selected to transmit packets.

All these functions are automatically performed by BPDU, which is the information of the switch. It is also possible to configure BPDU to modify the root switch or path manually.

[Fig. 8.12 Port Priority. Path 1: path cost 100, port priority 7 (Port 1). Path 2: path cost 100, port priority 8 (Port 2). Path cost of PATH 1 = path cost of PATH 2 = 100, unable to compare. PATH 1 port priority 7 < PATH 2 port priority 8, so PATH 1 is chosen.]

Port States

Each port on a switch can be in one of five states.

[Fig. 8.13 Port State: state diagram of the Blocking, Listening, Learning, Forwarding and Disabled states]

- Blocking: a port that is enabled but that is neither a Designated port nor a Root port will be in the blocking state. A blocking port will not rece
225. how snmp alarm history
cold start minor Fri Mar 25 15:30:56 2005 System booted
SWITCH config snmp clear alarm history
SWITCH config show snmp alarm history
SWITCH config

To display a current alarm report, use the following command.

show snmp alarm report (mode: Enable, Global): Shows a current alarm report.

Disabling SNMP

To disable the SNMP feature, use the following command.

no snmp (mode: Global): Disables SNMP feature.

When you use the above command, all configurations concerning SNMP will be deleted.

7.2 Operation, Administration and Maintenance (OAM)

In the enterprise, Ethernet links and networks have been managed via Simple Network Management Protocol (SNMP). Although SNMP provides a very flexible management solution, it is not always efficient and is sometimes inadequate to the task.

First, using SNMP assumes that the underlying network is operational because SNMP relies on IP connectivity; however, you need management functionality even more when the underlying network is non-operational. Second, SNMP assumes every device is IP accessible. This requires provisioning IP on every device and instituting an IP overlay network even if the ultimate end user service is an Ethernet service. This is impractical in a carrier environment.

For these reasons, carriers look for management capabilities
226. howing the configuration after setting the bandwidth of 64Mbps to port number 1 and 128Mbps to the port number 2.

SWITCH bridge rate 1 64
SWITCH bridge rate 2 128
SWITCH bridge show rate
unit kbps
Port  Ingress  Egress    Port  Ingress  Egress
1     64       64        2     128      128
3     N/A      N/A       4     N/A      N/A
5     N/A      N/A       6     N/A      N/A
7     N/A      N/A       8     N/A      N/A
(Omitted)
SWITCH bridge

8.6 Flood Guard

Flood guard limits the number of packets that can be transmitted in the configured bandwidth, whereas Rate limit controls packets by configuring the width of the bandwidth that packets pass through. This function prevents receiving more packets than the configured amount without enlarging bandwidth.

[Fig. 8.30 Rate Limit and Flood Guard. Rate Limit: configure Rate Limit on a port to control bandwidth. Flood Guard: configure Flood guard to allow as many as n packets per second; packets over n are thrown away.]

8.6.1 Configuring Flood Guard

To configure the number of packets which can be transmitted in a second, use the following command.

mac flood gu
227. ically, if the receive buffer becomes full, the port transmits a pause packet that tells remote ports to delay sending more packets for a specified period of time. In addition, the Ethernet ports can receive and act upon pause packets from other devices.

To configure flow control of the Ethernet port, use the following command.

port flow control PORTS {on | off} (mode: Bridge): Configures flow control for a specified port. PORTS: enter the port number. Default: off.

The following is an example of configuring flow control to port 4.

SWITCH bridge show port 25
NO  TYPE      PVID  STATUS (ADMIN/OPER)  MODE         FLOWCTRL  INSTALLED
25  Ethernet  1     Up/Down              Auto/Half/0  Off       Y
SWITCH bridge port flow control 25 on
SWITCH bridge show port 25
NO  TYPE      PVID  STATUS (ADMIN/OPER)  MODE         FLOWCTRL  INSTALLED
25  Ethernet  1     Up/Down              Auto/Half/0            Y
SWITCH bridge

5.2.6 Port Description

To specify a description of an Ethernet port, use the following command.

port description PORTS DESCRIPTION (mode: Bridge): Specifies a description of an Ethernet port.

5.2.7 Traffic Statistics

To display traffic statistics of each port or interface with MIB or RMON MIB data defined, use the following commands.

show port statistics avg pkt PORTS (mode: Enable): Shows traffic average of specified port. PORTS: enter port number.
Shows Unicast Multicast and Broad
228. identifier within the frame itself.

VLAN Tag

A VLAN tag is a predefined field in a frame that carries the VLAN identifier for that frame. VLAN tags are always applied by a VLAN-aware device. VLAN tagging provides a number of benefits but also carries some disadvantages.

Advantages:
- VLAN association rules only need to be applied once.
- Only edge switches need to know the VLAN association rules.
- Core switches can get higher performance by operating on an explicit VLAN identifier.
- VLAN-aware end stations can further reduce the performance load of edge switches.

Disadvantages:
- Tags can only be interpreted by VLAN-aware devices.
- Edge switches must strip tags before forwarding frames to legacy devices or VLAN-unaware domains.
- Insertion or removal of a tag requires recalculation of the FCS, possibly compromising frame integrity.
- Tag insertion may increase the length of a frame beyond the maximum allowed by legacy equipment.

Tab. 8.1 Advantages and Disadvantages of Tagged VLAN

Mapping Frames to VLAN

From the perspective of VLAN-aware devices, the distinguishing characteristic of a VLAN is the means used to map a given frame to that VLAN. In the case of a tagged frame, the mapping is simple: the tag contains the VLAN identifier for the frame, and the frame is assumed to belong to the indicated VLAN. That's all there is to it.

To configure the tagged VLAN, use the following command.

Configures tagged VLAN on a po
229. identity packet, use the following command.

dot1x timeout tx period <1-65535> PORTS (mode: Global): Sets reattempt interval for requesting request identity packet. 1-65535: retransmit interval (default: 30).
no dot1x timeout tx period PORTS (mode: Global): Disables the interval for requesting identity.

4.5.1.7 Configuring Number of Request to RADIUS Server

After 802.1x authentication is configured as explained above and the user tries to connect with the port, the process of authentication proceeds among the user's PC, the equipment acting as authenticator, and the RADIUS server. It is possible to configure how many times the device acting as authenticator requests authentication from the RADIUS server.

To configure the number of authentication requests in the hiD 6610 S311, use the following command in Global Configuration mode.

dot1x radius server retries <1-10> (mode: Global): Configures times of authentication request to RADIUS server. 1-10: retry number.

4.5.1.8 Configuring Interval of Request to RADIUS Server

For the hiD 6610 S311, it is possible to set the time for the retransmission of packets to check the RADIUS server. If there's a response from other packets, the switch waits for a response from the RADIUS server during the configured time before resending the request.

To set the interval of request to RADIUS server, use the fo
230. ify network status with IP address 172.16.1.254.

SWITCH ping
Protocol [ip]: ip
Target IP address: 172.16.1.254
Repeat count [5]: 5
Datagram size [100]: 100
Timeout in seconds [2]: 2
Extended commands [n]: n
PING 172.16.1.254 (172.16.1.254) 100(128) bytes of data.
Warning: time of day goes back (-394us), taking countermeasures.
108 bytes from 172.16.1.254: icmp_seq=1 ttl=255 time=0.058 ms
108 bytes from 172.16.1.254: icmp_seq=2 ttl=255 time=0.400 ms
108 bytes from 172.16.1.254: icmp_seq=3 ttl=255 time=0.403 ms
108 bytes from 172.16.1.254: icmp_seq=4 ttl=255 time=1.63 ms
108 bytes from 172.16.1.254: icmp_seq=5 ttl=255 time=0.414 ms
--- 172.16.1.254 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 8008ms
rtt min/avg/max/mdev = 0.058/0.581/1.632/0.542 ms
SWITCH

When multiple IP addresses are assigned to the switch, sometimes you need to verify the connection status between a specific IP address and the network. In this case, use the same process as the ping test and then input the following items after the extended commands prompt. It is possible to verify the connection between a specific IP address and the network using the following command.

The following is the information to use for a ping test with multiple IP addresses.

Source address or interface: Designates the address where the relative device should respond in source ip address.
231. iguration mode. 1-65535: index number.

rmon alarm <1-65535> (mode: Global)

The following is an example of listing available commands in RMON alarm Configuration mode.

SWITCH config rmon alarm 1
SWITCH config rmonalarm 1
RMON alarm configuration commands
active             Activate the event
do                 To run exec commands in config mode
exit               End current mode and down to previous mode
falling event      Associate the falling threshold with an existing RMON event
falling threshold  Define the falling threshold
help               Description of the interactive help system
owner              Assign the owner who define and is using the history resources
rising event       Associate the rising threshold with an existing RMON event
rising threshold   Define the rising threshold
sample interval    Specify the sampling interval for RMON alarm
sample type        Define the sampling type
sample variable    Define the MIB Object for sample variable
show               Show running system information
startup type       Define startup alarm type (default: rising)
write              Write running configuration to memory or terminal
SWITCH config rmonalarm 1

7.4.2.1 Subject of RMON Alarm

The user needs to configure the RMON alarm and identify the subject using many kinds of data from the alarm. To identify the subject of an alarm, use the following command.

Identifies subject using related data enter
232. in Ethernet interface and to activate or deactivate interface. Tab. 3.8 shows a couple of main commands of Interface Configuration mode.

Tab. 3.8 Main Commands of Interface Configuration Mode

RMON Configuration Mode

To open RMON Alarm Configuration mode, enter rmon alarm <1-65534>. To open RMON Event Configuration mode, input rmon event <1-65534>. To open RMON History Configuration mode, enter rmon history <1-65534>.

Tab. 3.9 shows a couple of important main commands of RMON Configuration mode.

falling event: Configures to generate RMON alarm when object is less than configured threshold.
falling threshold: Defines the falling threshold.
Shows the subject which configures each RMON and uses related information.
rising event: Configures to generate RMON alarm when object is more than configured threshold.
requested buckets: Defines a bucket count for the interval.

Tab. 3.9 Main Commands of RMON Configuration Mode

3.1.10 PIM Configuration Mode

To open PIM Configuration mode, enter the following command. The system prompt is changed from SWITCH config to SWITCH config router.

router pim (mode: Global): Opens PIM Configuration mode.

Tab. 3.10 shows a couple of important main commands of PIM Configuration mode.

Configures the interval that checks packet transmission result from source
233. ing on the system default

DHCP snooping on port

To assign the port of the DHCP snooping function, use the following command.

ip dhcp verify source port PORTS (mode: Global): Configures DHCP snooping function to specified port. PORTS: enter port number.
no ip dhcp verify source port PORTS (mode: Global): Removes DHCP function from specified port.

DHCP Rate Limit on Layer 2 Limit Rate

To set the number of DHCP packets per second (pps) that an interface can receive, use the following command.

ip dhcp snooping limit rate PORTS <1-255> (mode: Global): Sets a rate limit for DHCP packets.
no ip dhcp snooping limit rate PORTS (mode: Global): Deletes a rate limit for DHCP packets.

Normally the DHCP rate limit is specified for untrusted interfaces, and 15 pps is recommended as a proper value. However, if you want to set a rate limit for trusted interfaces, keep in mind that trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit to a higher value.

Displaying DHCP Snooping Configuration

The DHCP snooping table contains the IP address, MAC address and Lease Time that correspond to the authorized IP address.

To display the DHCP snooping table, use the following command.

show ip dhcp snoop PORTS (mode: Global): Shows DHCP Snooping table.

To remove specific IP address from the DHCP Snooping table
234. inor warning intermediate

Commands (mode: Global):
snmp alarm severity port remove {critical | major | minor | warning | intermediate}
snmp alarm severity port thread over {critical | major | minor | warning | intermediate}
snmp alarm severity power fail {critical | major | minor | warning | intermediate}
snmp alarm severity power remove {critical | major | minor | warning | intermediate}
snmp alarm severity rmon alarm rising {critical | major | minor | warning | intermediate}
snmp alarm severity rmon alarm falling {critical | major | minor | warning | intermediate}
snmp alarm severity system restart {critical | major | minor | warning | intermediate}
snmp alarm severity module remove {critical | major | minor | warning | intermediate}
snmp alarm severity temperature high {critical | major | minor | warning | intermediate}

Description:
Configures the priority of fan fail alarm
Configures the priority of cold start alarm
Configures the priority of broadcast over alarm
Configures the priority of cpu load over alarm
Configures the priority of DHCP lease alarm
Configures the priority of DHCP illegal alarm
Configures the priority of fan remove alarm
Configures the priority of IP conflict alarm
Configures the priority of memory over alarm
Configures the priority of MFGD block alarm
Configures the priority of port link down alarm
Configures the priority of port remove alarm
Con
235. ins a member of the group until statically removed.

When a multicast server belongs to a different network from the user's network, a multicast router operates as Layer 3 forwarding for each MVR VLAN. In this case, when an IGMP packet of a subscriber is transmitted to the multicast server, the source address of the IGMP packet may not match the network address of the MVR VLAN. To handle such a problem, you can replace the source address of an IGMP packet with one of the IP addresses of the MVR VLAN.

To configure a helper address to replace the source address of an IGMP packet, use the following command.

mvr vlan VLAN ID helper IP ADDRESS (mode: Global): Sets a MVR IP address. IP ADDRESS: specific IP address of MVR VLAN helper.

To delete the configured MVR VLAN helper IP address, use the following command.

no mvr vlan VLAN ID helper (mode: Global): Deletes a MVR IP address.

Send and Receive Port

Statically configure a VLAN interface to receive multicast traffic sent to the multicast VLAN and the IP multicast address. An interface statically configured as a member of a group remains a member of the group until statically removed.

mvr port PORTS type {receiver | source} (mode: Global): Identifies the logical port's type, either MVR receiver port or source port. PORTS: logical port number.

- Source: This configures uplink ports that receive and send multicast data as source ports. Subscribers cannot be directly connected to source ports. All source por
236. ion

The Siemens product SURPASS hiD 6610 S311 contains both proprietary software and Open Source Software. The Open Source Software is licensed to you at no charge under the GNU General Public License (GPL) and the GNU Lesser General Public License (LGPL). This Open Source Software was written by third parties and enjoys copyright protection. You are entitled to use this Open Source Software under the conditions set out in the GPL and LGPL licenses indicated above. In the event of conflicts between Siemens license conditions and the GPL or LGPL license conditions, the GPL and LGPL conditions shall prevail with respect to the Open Source portions of the software.

The GPL can be found under the following URL: http://www.gnu.org/copyleft/gpl.html

The LGPL can be found under the following URL: http://www.gnu.org/copyleft/lgpl.html

The Open Source Software source code, including related copyright notices, can be found under the following URL: http://now-portal.c-lab.de/projects

In addition, if the source code to the Open Source Software has not been delivered with this product, you may obtain the source code, including the related copyright notices, by sending your request to the following e-mail address: opensrc@dasannetworks.com. You will, however, be required to reimburse Siemens for its costs of postage and copying.

Any source code request made by you must be sent within 3 years of your purchase of the product. Please include a co
237. ion, use the following command.

clear vrrp stat VRRP (mode: Global): Clears statistics of packets in Virtual Router Group.

8.5 Rate Limit

The user can customize port bandwidth according to the user's environment. With this configuration, you can prevent a certain port from monopolizing the whole bandwidth so that all ports can use bandwidth equally. Egress and ingress can be configured to be either the same or different.

The hiD 6610 S311 can apply the rate limit and supports ingress policing and egress shaping.

8.5.1 Configuring Rate Limit

To set a port bandwidth, use the following command.

rate PORTS RATE [egress | ingress] (mode: Bridge): Sets port bandwidth. If you input egress or ingress, you can configure outgoing packet or incoming packet. The unit is 64 Kbps.
no rate PORTS (mode: Bridge): Clears rate configuration of a specific port.
no rate PORTS {egress | ingress} (mode: Bridge): Clears rate configuration of a specific port by transmitting direction.

If you input neither egress nor ingress, they are configured to be the same. To switch egress is incoming packet.

To display the configured bandwidth, use the following command.

show rate (mode: Global): Shows the configured bandwidth.

8.5.2 Sample Configuration

The following is an example of s
238. iption

clear arp inspection {statistics | mapping counter} (mode: Enable, Global): Clears ARP Inspection statistics or mapping counts.

Sample Configuration

The following is an example of configuring to drop or permit the ARP Request and Reply packets according to their MAC address and IP address inspection.

SWITCH config
SWITCH config arp inspection enable
SWITCH config arp inspection mapping 10.1.1.1/32 00:00:01:00:00:01 deny
SWITCH config arp inspection mapping any 00:00:01:00:00:01 permit
SWITCH config arp inspection mapping 10.1.1.0/27 any deny
SWITCH config show arp inspection mapping
IP           MAC                Action  Counter
10.1.1.1/32  00:00:01:00:00:01  deny    0
any          00:00:01:00:00:01  permit  0
10.1.1.0/27  any                deny    0
SWITCH config

7.13.4 Gratuitous ARP

Gratuitous ARP is a broadcast packet like an ARP request. It contains the IP address and MAC address of the gateway, so the network is accessible even though the IP address of a specific host's gateway is repeatedly assigned to another.

Configure the Gratuitous ARP interval and transmission count using the following commands, and configure the transmission delivery start in order to transmit Gratuitous ARP after an ARP reply. Gratuitous ARP is transmitted some time after the ARP reply is transmitted.

Configures
239. ist configure domain for ERP. To configure the domain, use the following command.

erp domain DOMAIN ID (mode: Bridge): Creates ERP domain. DOMAIN ID: control VLAN ID of domain <1-4094>.
no erp domain {all | DOMAIN ID} (mode: Bridge): Deletes ERP domain.

To specify a description for a configured domain, use the following command.

erp description DOMAIN ID DESCRIPTION (mode: Bridge): Specifies a description of domain.

8.9.3.2 RM Node

To configure RM Node, use the following command.

erp rmnode DOMAIN ID (mode: Bridge): Configures RM node of ERP node mode.
no erp rmnode DOMAIN ID (mode: Bridge): Configures ERP node mode as normal node.

8.9.3.3 Port of ERP domain

To configure the Primary Port and Secondary Port of RM Node, use the following command.

erp port DOMAIN ID primary PORT secondary PORT (mode: Bridge): Configures ports of ERP domain.

Primary port and secondary port should be different.

8.9.3.4 Protected VLAN

To configure the Protected VLAN of an ERP domain, use the following command.

erp protections DOMAIN ID VID (mode: Bridge): protected VLAN of ERP domain. VID: VLAN ID.

To delete the configured Protected VLAN, use the following command.

no erp protections VID (mode: Bridge): Deletes protected VLAN of ERP domain. VID: VLAN ID.

8.9.3.5 Protected Activation

To configure ERP Protected Activation, use the following command.
240. ive or forward data frames, nor will it transmit BPDUs, but instead it will listen for other's BPDUs to determine if and when the port should consider becoming active in the spanning tree.

- Listening: the port is still not forwarding data traffic, but is listening to BPDUs in order to compute the spanning tree. The port is comparing its own information (path cost, Bridge Identifier, Port Identifier) with information received from other candidates and deciding which is best suited for inclusion in the spanning tree.
- Learning: the port is preparing to forward data traffic. The port waits for a period of time to build its MAC address table before actually forwarding data traffic. This time is the forwarding delay.
- Forwarding: after some time learning addresses, the port is allowed to forward data frames. This is the steady state for a switch port in the active spanning tree.
- Disabled: when disabled, a port will neither receive nor transmit data or BPDUs. A port is in this state because it is broken or disabled by the administrator.

8.3.2 RSTP Operation

STP or RSTP is configured on a network where a loop can be created. However, RSTP progresses more rapidly than STP at the stage of reaching the last topology. This section describes how RSTP, which improves on STP, works. It contains the sections below.

- Port States
- BPDU Policy
- Rapid Network Convergenc
241. k the specific client with MAC address. If a MAC address blocked by the administrator requests an IP address, the server does not assign an IP. This function strengthens the security of the DHCP server.
The following is the function of blocking IP address assignment on a port.
ip dhcp filter port PORTS (Global): Configures a port in order not to assign IP.
no ip dhcp filter port PORTS (Global): Disables DHCP packet filtering.
The following designates a MAC address to which an IP address is not assigned.
ip dhcp filter address MAC ADDRESS (Global): Blocks a MAC address in case of requesting IP address.
no ip dhcp filter address MAC ADDRESS (Global): Disables DHCP MAC filtering.
DHCP Server Packet Filtering
DHCP (Dynamic Host Configuration Protocol) makes a DHCP server assign IP addresses to DHCP clients automatically and manage the IP addresses. Most ISP operators provide the service in this way. At this time, if a DHCP client connects with equipment that can act as another DHCP server, such as an Internet access gateway router, communication failure might occur. DHCP filtering helps to operate DHCP service by blocking DHCP REQUEST which enters through subscriber's port and goes out into uplink port or the other subscriber's port, and DHCP REPLY which enters to the subscriber's port. In Fig. 8.34, server A has the IP area from 192.168.10.1 to 192.168.10.10. Suppose a user connects with client 3 that can be DHCP server to A in order to
242. l
privilege configure level <0-15> COMMAND all: Uses the specific command of Global Configuration mode in the level.
privilege dhcp option82 level <0-15> COMMAND all: Uses the specific command of DHCP Option 82 Configuration mode in the level.
privilege dhcp pool level <0-15> COMMAND all: Uses the specific command of DHCP Configuration mode in the level.
privilege enable level <0-15> COMMAND all: Uses the specific command of Privileged EXEC mode in the level.
privilege interface level <0-15> COMMAND all: Uses the specific command of Interface Configuration mode in the level.
privilege ospf level <0-15> COMMAND all: Uses the specific command of OSPF Configuration mode in the level.
privilege pim level <0-15> COMMAND all: Uses the specific command of PIM Configuration mode in the level.
privilege rip level <0-15> COMMAND all: Uses the specific command of RIP Configuration mode in the level.
privilege rmon alarm level <0-15> COMMAND all, privilege rmon event level <0-15> COMMAND all: Uses the specific command of RMON Configuration mode in the level.
privilege rmon history level <0-15> COMMAND all
privilege route map level <0-15> COMMAND all
privilege rule level <0-15> COMMAND all
privilege view level <0-15> COMMAND all
243. l
Authentication Type
To select the authentication type for TACACS, use the following command.
login tacacs auth type ascii pap chap (Global): Selects the authentication type for TACACS. ascii: plain text; pap: password authentication protocol; chap: challenge handshake authentication protocol
Priority Level
You can define a priority level of user. According to the defined priority level, the user has different authorization to access the DSLAM. This priority should be defined in the TACACS server in the same way. To define the priority level of user, use the following command.
login tacacs priority level min user max root (Global): Defines the priority level of user (refer to the information below for the order of priority).
The order of priority is root max > user > min
Accounting Mode
The hiD 6610 S311 provides the accounting function of AAA (Authentication, Authorization, and Accounting). Accounting is the process of measuring the resources a user has consumed. Typically, accounting measures the amount of system time a user has used or the amount of data a user has sent and received. To set an accounting mode, use the following command.
login accounting mode none start stop both (Global): Sets an accounting mode. none: disables an accounting function; start: measures start point only
244. l can be configured from 0 to 4,294,967,295. It can be configured from 1 to 16 for RIP.
Administrative Distance
Distance value represents confidence of routing information created by router. In a large-scale network, some routing protocols or routing information may be more confident than other protocols or routers. Therefore, although a router has many routing protocols, the most confident route can receive routing information. When user configures distance value, router can find where routing information is created. Router always selects the route created by the routing protocol with the smallest distance value. Each network has its own features, so there is no general rule for distance configuration. You should consider the overall network to configure distance value.
To configure distance value, use the following command.
distance <1-255> IP ADDRESS M ACCESS LIST NAME (Router): Configures distance value.
10.3.8 Creating Default Route
You can force an autonomous system boundary router to generate a default route into an RIP routing domain. Whenever you specifically configure redistribution of routes into an RIP routing domain, the router automatically becomes an autonomous system boundary router. However, an autonomous system boundary router does not by default generate a default route into the RIP routing domain. To f
245. lay Agent
To configure the hiD 6610 S311 as a relay agent, use the following command in Global Configuration mode.
ip dhcp active relay <1-4094> A.B.C.D (Global): Registers DHCP server and configures the switch as a relay agent. A.B.C.D: IP address of DHCP server; VENDOR ID: Vendor ID (e.g. XX XX XX)
ip bibo active relay <1-4094> bibo ID A.B.C.D
To delete registered DHCP server and release the relay agent configuration, use the following command.
no ip dhcp active relay <1-4094> SERVERS (Global): Deletes DHCP server and releases the switch as a relay agent.
no ip dhcp active relay all (Global): Deletes all of the registered DHCP servers and the switch as a relay agent.
8.8.5.2 Smart Relay Agent Forwarding
If there is no DHCP offer message from a DHCP server, the DHCP relay agent switches the gateway address to secondary address. To help DHCP relay agent switch gateway address to secondary address, you need to enable DHCP smart relay function. Use the following command.
ip dhcp smart relay (Global): Makes DHCP relay agent switch gateway address to secondary address automatically.
no ip dhcp smart relay (Global): Disables smart relay function.
8.8.6 DHCP Option 82
In some networks, it is necessary to use additional information to further determine which IP addresses to
246. learning disable time as default value
8.9.3.9 Test Packet Interval
To configure ERP Test Packet Interval, use the following command.
erp test packet interval DOMAIN ID <10-500> (Bridge): Configures ERP test packet interval. 10-500: packet interval (unit: millisecond)
To return ERP Test Packet Interval as Default, use the following command.
no erp test packet interval DOMAIN ID (Bridge): Configures ERP test packet interval as default value.
8.9.3.10 Displaying ERP Configuration
To display a configuration for ERP, use the following command.
show erp all DOMAIN ID (Enable, Global, Bridge): Shows the information of ERP.
8.10 Stacking
It is possible to manage several switches with one IP address by using stacking. If there is a limitation on using IP addresses and there are too many switches which you must manage, you can manage a number of switches with one IP address using this stacking function. Switch stacking technology available in the industry today provides two main benefits to customers. The first benefit is the ability to manage a group of switches using a single IP address. The second benefit is the ability to interconnect two or more switches to create a distributed fabric which behaves in the
247. lient
To disconnect an SSH client connected to SSH server, use the following command.
ssh disconnect PID (Global): Disconnects SSH clients connected to SSH server. PID: SSH client number
Displaying Connection History of SSH Client
To display the connection history of SSH client, use the following command.
ssh debu (Enable, Global): Shows the connection history of SSH clients who are connected to SSH server up to now.
4.4.2 SSH Client
The hiD 6610 S311 can be used as SSH client with the following procedure.
• Login to SSH Server
• File Copy
• Configuring Authentication Key
4.4.2.1 Login to SSH Server
To login to SSH server after configuring the hiD 6610 S311 as SSH client, use the following command.
ssh login DESTINATION (Enable): Logins to SSH server. DESTINATION: IP address of SSH server or hostname and account
4.4.2.2 File Copy
To copy a file from/to SSH server, use the following command.
ssh copy SOURCE DESTINATION (Enable, Global): Downloads or uploads a file to/through SSH server. SOURCE: source file; DESTINATION: destination file
4.4.2.3 Getting access to FTP
To securely get access to an FTP service through SSH, use the following command.
ssh ftp DESTINATION (Enable, Global): Access to FTP E SSH server. DESTINATION: FTP
248. llowing command.
dot1x radius server timeout <1-120> (Global): Configures the interval of request to RADIUS server. 1-120: 1-120 seconds (Default value: 1)
You should consider the distance from the server when configuring the interval of requesting authentication to the RADIUS server. If you configure the interval too short, the authentication cannot be completed. If that happens, reconfigure the interval to be longer.
802.1x Re-Authentication
In hiD 6610 S311, it is possible to update the authentication status on the port periodically. To enable re-authentication on the port, you should perform the procedure below.
Step 1: Enable 802.1x re-authentication.
Step 2: Configure the interval of re-authentication.
Step 3: Configure the interval of requesting re-authentication in case re-authentication fails.
Step 4: Execute 802.1x re-authentication regardless of the interval.
4.5.2.1 Enabling 802.1x Re-Authentication
To enable 802.1x re-authentication, use the following command.
dot1x reauth enable PORTS (Global): Enables 802.1x re-authentication.
no dot1x reauth enable PORTS (Global): Disables 802.1x re-authentication.
4.5.2.2 Configuring the Interval of Re-Authentication
RADIUS server contains the database about the user who has access right. The database is real time upgraded so i
249. ltering
• Displaying and Managing BGP
BGP Community Filtering
BGP supports transmit policy distributing routing information. Distributing routing information is operated based not only on community list but also on IP address and AS route. Community list makes community according to each destination, and routing policy is applied based on community standard. It helps configure BGP speaker that distributes routing information.
Community is a destination group that shares some common attributes. One destination can belong to more than one community. As administrator can configure to which community destination is belonged. By default, all destinations are configured to be in internet community. The other defined and well-known communities are as below.
• no export: Do not distribute this route to exterior BGP neighbor router.
• no advertise: Do not distribute this route to neighbor router, either exterior or interior.
• local as: Distribute this information to neighbor routers of low level AS located on BGP united network. Do not distribute it to exterior router.
To create community list, use the following command.
ip community list NAME permit deny community local AS no advertise no export (Global): Creates a community list.
community is notated with a form AA:NN as defined in RFC. AA is AS number and NN is number of 2 bytes.
250. lti cast groups which are operated as different service
To prohibit transmitting Bootstrap message between multicast groups which are operated as different service, use the following command.
ip pim border (Interface): Blocks the Bootstrap message which is trying to be transmitted.
no ip pim border (Interface): Releases blocked Bootstrap message.
Displaying PIM-SM Information
Multicast Routing Table
To display the information of multicast routing table, use the following command.
show ip pim mrt detail (Enable, Global): Shows multicast routing table in detail.
show ip pim mrt group A.B.C.D (Enable, Global): Shows multicast routing table of specified multicast group. A.B.C.D: group address
show ip pim mrt summary (Enable, Global): Shows the summary of multicast routing table.
show ip pim mroute (Enable, Global): Shows PIM multicast router information.
RP Table
To see RP table registered by the switch, use the following command.
show ip pim r sd T (Enable, Global): Shows PIM RP table which has been registered. A.B.C.D: multicast group address
show ip pim rp group A.B.C.D (Enable, Global): Shows the registered RP table in specified multicast group. A.B.C.D: group address
PIM-SM of Ethernet Interface
To see the information of PIM on Ethernet interface, use the following command.
show pim interface (Enable, Global): Shows PIM interface information.
9.2.10.4 Statistics and
251. ly deleting the existing secure MAC addresses while still ee the number of secure addresses on a port
port security PORTS aging static (Bridge): Enables aging for configured secure addresses.
port security PORTS aging time (Bridge): aging time in minutes for the port. All the secure addresses age out after the time.
port security PORTS aging type absolute inactivity (Bridge): Configures aging type.
• absolute: all the secure addresses on this port age out exactly after the time (minutes) specified lapses and are removed from the secure address list.
• inactivity: the secure addresses on this port age out only if there is no data traffic from the secure source addresses for the specified time period.
To disable the configuration of port secure aging, use the following command.
no port security PORTS aging static (Bridge): Disables aging for only statically configured secure addresses.
no port security PORTS aging time (Bridge): Disables port secure aging for all secure addresses on a port.
no port security PORTS aging type (Bridge): Returns to the default condition (absolute).
To display the configuration of port security, use the following command.
show port security PORTS (Enable, Global, Bridge): Shows port security on the port.
7.11 MAC Table
A dynamic MAC address is automatical
252. ly registered in the MAC table, and it is removed if there is no access from the network element corresponding to the MAC address during the specified MAC aging time. On the other hand, a static MAC address is manually registered by user. It will not be removed, regardless of the MAC aging time, until it is removed manually.
To manage MAC table in the switch, use the following command.
mac NAME PORT MACADDR: Specifies a static MAC address in the MAC table. NAME: enter the bridge name; PORT: enter the port number; MACADDR: enter the MAC address
mac aging time <10-21474830>: Specifies MAC aging time. 10-21474830: aging time (default: 300)
To remove registered dynamic MAC addresses from the MAC table, use the following command.
Clears dynamic MAC addresses.
clear mac NAME: Clears dynamic MAC addresses.
clear mac NAME PORT: Clears dynamic MAC addresses. NAME: enter the bridge name; PORT: enter the port number
clear mac NAME PORT MACADDR: Clears dynamic MAC addresses. NAME: enter the bridge name; PORT: enter the port number; MACADDR: enter the MAC address
To remove static MAC addresses manually registered by user from the MAC table, use the following command.
Deletes static MAC addresses.
no mac NAME: Deletes static MAC addresses. NAME: enter the bridge name
no mac NAME PORT: Deletes static MAC addresses. NAME: enter the bridge name; PORT: enter the port number
Deletes a speci
253. m
erp activation DOMAIN ID: Configures ERP Protected Activation.
To disable ERP Protected Activation, use the following command.
no erp activation DOMAIN ID: Disables ERP Protected Activation.
8.9.3.6 Manual Switch to Secondary
To configure Manual Switch to Secondary, use the following command.
erp ms s DOMAIN ID: Configures ERP manual switch to secondary.
To disable Manual Switch to Secondary, use the following command.
no erp ms s DOMAIN ID: Disables ERP manual switch to secondary.
8.9.3.7 Wait to Restore Time
To configure Wait to Restore Time, use the following command.
erp wait to restore DOMAIN ID <1-720> (Bridge): Configures ERP wait to restore time. 1-720: Wait to restore time in second
To return the configured Wait to Restore Time as Default, use the following command.
no erp wait to restore DOMAIN ID (Bridge): Configures ERP wait to restore time as default value.
8.9.3.8 Learning Disable Time
To configure ERP Learning Disable Time, use the following command.
erp learn dis time DOMAIN ID <0-500> (Bridge): Configures ERP learning disable time. 0-500: learning disabling time (unit: millisecond)
To return the configured Learning Disable Time as Default, use the following command.
no erp learn dis time DOMAIN ID: Configures ERP
254. m Authentication
To add/delete the TACACS server for system authentication, use the following command.
login tacacs server add A.B.C.D KEY (Global): Adds the TACACS server with its information. A.B.C.D: IP address; KEY: authentication key value
login tacacs server del A.B.C.D (Global): Deletes an added TACACS server. A.B.C.D: IP address
You can add up to 5 TACACS servers.
TACACS Server Priority
To specify the priority of a registered TACACS server, use the following command.
login tacacs server move A.B.C.D <1-5> (Global): Specifies the priority of RADIUS server. A.B.C.D: TACACS server address; 1-5: the priority of TACACS server
Timeout of Authentication Request
After the authentication request, the hiD 6610 S311 waits for the response from the TACACS server for specified time. To specify a timeout value, use the following command.
login tacacs timeout <1-100> (Global): Specifies a timeout value. 1-100: waiting time for the response (default: 5)
Additional TACACS Configuration
The hiD 6610 S311 provides several additional options to configure the system authentication via TACACS server.
TCP Port for the Authentication
To specify TCP port for the system authentication, use the following command.
login tacacs socket port <1-65535> (Global): Specifies TCP port for the authentication. 1-65535: TCP port
255. mber
any: any TCP/UDP source/destination port
Classifies an IP protocol (TCP). A.B.C.D: source/destination IP address; A.B.C.D/M: source/destination IP address with mask; any: any source/destination IP address; tcp: TCP; <0-65535>: TCP source/destination port number; any: any TCP source/destination port; TCP FLAG: TCP flag (e.g. S (SYN), F (FIN)); any: any TCP flag
7.6.4.4 Rule Action
To specify a rule action (match) for the packets matching configured classifying patterns, use the following command.
match deny (Admin rule): Denies a packet.
match permit (Admin rule): Permits a packet.
To delete a specified rule action (match), use the following command.
no match deny, no match permit (Admin rule): Deletes a specified rule action.
To specify a rule action (no match) for the packets not matching configured classifying patterns, use the following command.
no match deny (Admin rule): Denies a packet.
no match permit (Admin rule): Permits a packet.
To delete a specified rule action (no match), use the following command.
no no match deny, no no match permit (Admin rule): Deletes a specified rule action.
7.6.4.5 Applying Rule
After configuring a rule using the above commands, apply it to the system with the following command. If you do not apply a rule to the system, all specified rules will be lost. To save and apply an admin
256. message. When there are same priorities to compare, candidate BSR IP address is compared through Hash. User can configure Hash mask to apply Hash.
When hiD 6610 S311 becomes the candidate BSR, user can configure Hash mask included in Bootstrap message. Use the following command.
cand bsr hash mask <0-32>: Configures Hash mask on Bootstrap message.
no cand bsr hash mask: Removes Hash mask on Bootstrap message.
9.2.4 RP Information
After deciding BSR on multicast network, candidate RP routers send RP message to BSR. Candidate RP message includes priority, IP address, and multicast group. Then BSR adds the received candidate RP information to Bootstrap message and transmits it to another PIM router. Through this Bootstrap message, RP of multicast group is decided. All routers belonging to the multicast network can become candidate RP, and routers which generally consist candidate BSR are supposed to consist candidate RP. It is possible to configure the following information, which is included in candidate RP message.
9.2.4.1 IP address of Candidate RP
You can configure several IP addresses on the hiD 6610 S311. Therefore, you need to decide which IP address is to be used as candidate RP. This command is used to statically configure the RP address for multicast groups. To configure IP address to be used in candidate RP
257. mmand.
show interface INTERFACE (Enable, Global, Interface): Shows interface status and configuration. INTERFACE: interface name
show ip interface INTERFACE brief (Enable, Global): Shows brief information of interface. INTERFACE: interface name
4.4 SSH (Secure Shell)
Network security is becoming more important as network use becomes widespread among users. However, typical FTP and telnet services are weak in security. SSH (Secure Shell) is a secure shell for login. Through SSH, all data is encoded and traffic is compressed, so the transmit rate becomes faster, and tunneling is supported for existing ftp and pop, which are not secure.
4.4.1 SSH Server
The hiD 6610 S311 can be operated as SSH server. You can configure the switch as SSH server with the following procedure.
• Enabling SSH Server
• Displaying On-line SSH Client
• Disconnecting SSH Client
• Displaying Connection History of SSH Client
4.4.1.1 Enabling SSH Server
To enable/disable SSH server, use the following command.
ssh server disable (Global): Disables SSH server.
4.4.1.2 Displaying On-line SSH Client
To display SSH clients connected to SSH server, use the following command.
show ssh (Enable, Global): Shows SSH clients connected to SSH server.
4.4.1.3 Disconnecting SSH C
258. mount of IP resources in the environment that most users do not have to access the IP network at the same time all day long. This allows the network administrators to save the cost and IP resources.
• Effective Network Management
By deploying DHCP in a network, this entire process is automated and centrally managed. The DHCP server maintains a pool of IP addresses and leases an address to any DHCP-enabled client when it logs on to the network. Because the IP addresses are dynamic (leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for reallocation.
[Fig. 8.31 DHCP Service Construction: DHCP Server or Relay Agent, Subnet, PC (DHCP Client); IP Packet (Broadcast), DHCP Packet (Unicast)]
8.8.1 DHCP Server
To provide DHCP server by configuring the switch as DHCP server, open Global Configuration mode. To activate the DHCP Server in the system, use the following command.
ip dhcp active server (Global): Activates the switch as DHCP server.
To disable the DHCP server, use the following command.
no ip dhcp active server (Global): Disables the DHCP server function.
8.8.2 DHCP Pool
The DHCP pool is a group of IP addresses that will be assigned to DHCP clients by DHCP serv
259. n the above case NetBIOS filtering is necessary.
netbios filter PORTS: Configures NetBIOS filtering to a specified port.
To disable NetBIOS filtering according to user's request, use the following command.
no netbios filter PORTS: Disables NetBIOS filtering from a specified port.
To display a configuration of NetBIOS filtering, use the following command.
show netbios filter (Global, Bridge): Shows a configuration of NetBIOS filtering.
The following is an example of configuring NetBIOS filtering in port 1-5 and showing it.
SWITCH(bridge)# netbios filter 1-5
SWITCH(bridge)# show netbios filter
o enable disable
SWITCH(bridge)#
7.8 Martian Filtering
It is possible to block packets which try to carry a different source IP out from the same network. If a packet carries an IP address that is not its own source IP address, it is impossible to know which host is causing trouble. Therefore, you should prevent this kind of packet from leaving your network. This function is named Martian filter.
To block packets which try to carry a different source IP out from the same network, use the following command.
ip martian filter INTERFACE (Global): Blocks packets which bring different source IP address from specified interface. INTERFACE: enter the interface name
It is not possible to configure both QoS and Martian filter at
260. n RMON event happened, you need to configure event type to arrange where to send event.
To configure event type, use the following command.
type log: Configures event type as log type. Event of log type is sent to the place where the log file is made.
type trap: Configures event type as trap type. Event of trap type is sent to administrator and PC.
type log and trap: Configures event type as both log type and trap type.
type none: Configures none event type.
7.4.3.5 Activating RMON Event
After finishing all configurations, you should activate RMON event. To activate RMON event, use the following command
7.4.3.6 Deleting Configuration of RMON Event
Before changing the configuration of RMON event, you should delete RMON event of the number and configure it again. To delete RMON event, use the following command.
no rmon event <1-65535> (Global): Deletes RMON event of specified number.
7.4.3.7 Displaying RMON Event
To display RMON alarm, use the following command.
show running config rmon event (All): Shows a configured RMON event.
261. n a connection is established to a network device. Auto negotiation detects the various modes that exist in the network device on the other end of the wire and advertises its own abilities to automatically configure the highest performance mode of interoperation. As a standard technology, this allows simple, automatic connection of devices that support a variety of modes from a variety of manufacturers.
To enable/disable the auto negotiation on an Ethernet port, use the following command.
port nego PORTS on off (Bridge): Configures the auto negotiation of the specified port. PORTS: enter the port number
For the hiD 6610 S311, you can configure transmit rate and duplex mode as standard to configure transmit rate or duplex mode of connected equipment even when auto negotiation is enabled. For example, when you configure transmit rate as 10Mbps with configured auto negotiation, a port works in the standard 10Mbps full duplex mode.
By default, auto negotiation is activated in 10/100/1000Base-TX port of the hiD 6610 S311. However, you cannot configure auto nego in fiber port.
The following is an example of deleting auto negotiate of port 7 and 8 and showing it.
SWITCH(bridge)#
SWITCH(bridge)# port nego 7-8 off
SWITCH(bridge)# show port 7-8
NO d PVID STATUS MODE FLOWCTRL INSTALLED ADMIN OPER
7 Ethernet 7 Up Up
262. n create o Already exist rule
SWITCH config show rule rule jean priority low port any amy match copy to cpu
SWITCH config rule jean modify
SWITCH config rule jean no match copy to cpu
SWITCH config rule jean show rule rule jean priority low port any any
SWITCH config rule jean
7.6.3 QoS
For hiD 6610 S311, it is possible to use Strict Priority Queuing, Weighted Round Robin, and Weighted Fair Queuing for a packet scheduling mode. The following steps explain how QoS can be configured.
• Scheduling Algorithm
• QoS Weight
• Maximum and Minimum Bandwidth
• Random Early Discard (RED)
• Displaying QoS
7.6.3.1 Scheduling Algorithm
To process incoming packets by the queue scheduler, the hiD 6610 S311 provides the scheduling algorithms Strict Priority Queuing (SP), Weighted Round Robin (WRR), and Weighted Fair Queuing (WFQ).
Weighted Round Robin (WRR)
WRR processes packets as much as weight. Processing the packets that have higher priority is the same way as strict priority queuing. However, it passes to the next stage after processing as much as the configured weight, so that it is possible to configure packet processing not to be partial to the packets having higher priority. However, there is a limitation of providing differentiated service from those existing service. The process in WRR when packets having the Queue number
263. n text authentication. Do not use plain text authentication in RIP packets for security purposes, because the unencrypted authentication key is sent in every RIP Version 2 packet. Use plain text authentication when security is not an issue, for example, to ensure that wrongly configured hosts do not participate in routing.
To configure RIP authentication, use the following command.
ip rip authentication KEY CHAIN NAME (Interface): Activates RIP authentication.
ip rip authentication mode text md5 (Interface): Configures the interface to use MD5 digest authentication or let it default to simple password authentication.
ip rip authentication string STRING (Interface): Configures the interface with plain text authentication. The string must be shorter than 16 characters.
Monitoring and Managing RIP
You can display specific router statistics such as the contents of IP routing tables and databases. Information provided can be used to determine resource utilization and solve network problems. You can also discover the routing path your router's packets are taking through the network. To display various router statistics, use the following command.
Shows RIP information being used in router.
show ip route rip (Enable, Global): Shows routing table information concerned with RIP.
show ip protocols rip (Enable, Global): Shows current status of using RIP protocol and the information.
To quickly diagnose problems, the command debuggi
264. n this mode and variables following after the commands.
The following is the available commands on Privileged EXEC (Enable) mode of the hiD 6610 S311.
SWITCH#
Exec commands:
clear  Reset functions
clock  Manually set the system clock
configure  Enter configuration mode
copy  Copy from one file to another
debug  Debugging functions (see also undebug)
enable  Turn on privileged mode command
exit  End current mode and down to previous mode
help  Description of the interactive help system
no  Negate a command or set its defaults
ping  Send echo messages
show  Show running system information
telnet  Open a telnet connection
terminal  Set terminal line parameters
traceroute  Trace route to destination
where  List active user connections
write  Write running configuration to memory, network, or terminal
SWITCH#
Question mark <?> will not be seen on the screen, and you do not need to press <ENTER> key to display commands list.
If you need to find out the list of available commands of the current mode in detail, use the following command.
show list: Shows available commands of the current mode.
Shows available commands of the current mode with tree structure.
The following is an example of displaying list of available commands of Privileged EXEC (Enable) mode.
SWITCH# show list
clear arp IFNAME
clear arp inspection mapping cou
265. nd automatically decide optimized path to communicate with the root switch. Root Switch: The most important information to decide the root switch is bridge ID. Bridge ID is composed of 2 bytes priority and 6 bytes MAC address. The root switch is decided with the lowest bridge ID. [Fig. 8.10 Root Switch: Switch A (priority 8, ROOT), Switch B (priority 9), priority 10, Switch D; RP = Root Port, DP = Designated Port] After configuring STP, these switches exchange their information. The priority of SWITCH A is 8, the priority of SWITCH B is 9, and the priority of SWITCH C is 10. In this case, SWITCH A is automatically configured as a root switch. Designated Switch: After deciding a root switch, while SWITCH A transmits packets to SWITCH C, SWITCH A compares exchanged BPDU to decide the path. The most important information to decide path is the path cost. Path cost depends on transmission rate of LAN interface, and path with lower path cost is selected. The standard to decide designated switch is total root path cost, which is added with path cost to root. Path cost depends on transmit rate of switch LAN interface, and switch with lower path cost is selected to be designated switch. Switch A Priority 8 Root Switch 7 Path cost NW 100 Switch C Priority 10 Path cost 50 Designated Es
266. ndent Multicast Sparse Mode. IGMP is the protocol to help multicast communication between switch and host, but PIM is the protocol for multicast communication between router and router. There are two kinds of PIM: PIM-DM (Protocol Independent Multicast Dense Mode) and PIM-SM (Protocol Independent Multicast Sparse Mode); the hiD 6610 S311 supports PIM-SM only. A dense mode protocol can send information about data packets and members to interfaces which are not connected to a multicast source or receiver, and the multicast router saves connection state for all the nodes. When most hosts belong to the multicast group and there is enough bandwidth to support the flow of control messages between constituent members, these overheads are acceptable, but in the other cases they are inefficient. Contrary to dense mode, PIM-SM receives multicast packets only when a request comes from a specific host in the multicast group. Therefore PIM-SM is proper when constituent members of a group are dispersed over a wide area or the bandwidth used for the whole is small. Sparse mode is the most useful on WAN and can be used on LAN. For the standard of PIM-SM, you can refer to RFC 2362. RPT and SPT: RP (Rendezvous Point) works in a central role for PIM-SM. Viewing the below chart, multicast packet is transmitted to D as RP from A as source through B and C. And D (RP) transmits multicast packet after receiving join message from E or F. That is all multicast packets are transmitted with
267. nected to multicast router, use the following commands (Global mode): "ip igmp snooping mrouter port {PORTS | cpu}" designates the port where multicast router is connected to on the system (PORTS: logical port number ID to use; cpu: identifies the cpu port to use); "ip igmp snooping mrouter port {PORTS | cpu} vlan VLAN ID" designates the port where multicast router is connected to on a VLAN interface. To disable the port where multicast router is connected, use the following commands: "no ip igmp snooping mrouter port {PORTS | cpu}" disables the port where multicast router is connected on the system; "no ip igmp snooping mrouter port {PORTS | cpu} vlan VLAN ID" disables the port where multicast router is connected on a VLAN interface. To display IGMP snooping mrouter configuration, use the following commands (Enable/Global mode): "show ip igmp snooping mrouter" shows the mrouter configuration on the system; "show ip igmp snooping mrouter vlan VLAN ID" shows the mrouter configuration and detail information on a VLAN interface. 9.1.2.5 Displaying IGMP Snooping Statistics: To display an IGMP snooping statistics table, use the following command: show ip igmp snooping state
268. network to operate as RIP. The command "network IP ADDRESS" enables RIP interfaces between certain numbers of a special network address. For example, if the network for 10.0.0.0/24 is RIP enabled, this would result in all the addresses from 10.0.0.0 to 10.0.0.255 being enabled for RIP. RIP packet is transmitted to the port specified with the command "network INTERFACE". Topics: RIP Neighbor Router; RIP Version; Creating Static Route Available for RIP; Transmitting Routing Information; Metrics for Redistributed Routes; Administrative Distance; Creating Default Route; Routing Information Filtering; Routing Time; Split horizon; Managing Authentication Key; Monitoring and Managing RIP. 10.3.2 RIP Neighbor Router: Since RIP is broadcast protocol, routers should be connected to transmit routing information of RIP to non broadcast network. To configure neighbor router to transmit RIP information, use the following command (Router mode): "neighbor IP ADDRESS" configures neighbor router to transmit routing information. You can block routing information to specific interface by using passive interface command. 10.3.3 RIP Version: Siemens routers basically support RIP version 1 and 2. However, you can configure to receive only version 1 type packet or only version 2 type packet. To configure RIP version use the following comm
269. nfigures the function of accessing associated IP address (command "vip access {enable | disable}", VRRP mode). Master Router and Backup Router: The hiD 6610 S311 can be configured as Master Router and Backup Router by comparing Priority and IP address of devices in Virtual Router. First of all, it compares Priority. A device which has higher Priority is to be higher precedence. And when devices have same Priority, then it compares IP address. A device which has lower IP address is to be higher precedence. If a problem occurs on Master Router and there are more than two routers, one of them is selected as new Master Router according to their precedence. To configure Priority of Virtual Router or delete the configuration, use the following commands (VRRP mode): "vr priority <1-254>" configures Priority of Virtual Router (1-254: VRRP priority number, default 100); "no vr priority" deletes configured Priority of Virtual Router. Priority of Virtual Backup Router can be configured from 1 to 254. To set VRRP timers or delete the configuration, use the following commands (VRRP mode): "vr timers advertisement <1-10>" sets VRRP timers (1-10: advertisement time in the unit of second); "no vr timers advertisement" clears a configured VRRP time. The following is an example of configuring Master Router and Backup Router by comparing their Pri
270. nformation originated. This behavior usually optimizes communications among multiple routers, particularly when links are broken. However, with non broadcast networks such as Frame Relay, situations can arise for which this behavior is less than ideal. For these situations, you might want to disable split horizon. If an interface is configured with secondary IP addresses and split horizon is enabled, updates might not be sourced by every secondary address. One routing update is sourced per network number unless split horizon is disabled. To activate or deactivate or disable split horizon, perform the following tasks in interface configuration mode: "ip split horizon" activates Split horizon; "no ip split horizon" deactivates Split horizon. 10.3.12 Managing Authentication Key: RIP Version 1 does not support authentication. If you are sending and receiving RIP Version 2 packets, you can enable RIP authentication on an interface. The key chain determines the set of keys that can be used on the interface. If a key chain is not configured, plain text authentication can be performed using string command. We support two modes of authentication on an interface for which RIP authentication is enabled: plain text authentication and MD5 authentication. The default authentication in every RIP Version 2 packet is plai
271. ng is how to configure SNMP: SNMP Community; Information of SNMP Agent; SNMP Com2sec; SNMP Group; SNMP View Record; Permission to Access SNMP View Record; SNMP Version 3 User; SNMP Trap; SNMP Alarm; Displaying SNMP Configuration; Disabling SNMP. SNMP Community: Only an authorized person can access an SNMP agent by configuring SNMP community with a community name and additional information. To configure an SNMP community to allow an authorized person to access, use the following commands on Global configuration mode: "snmp community {ro | rw} COMMUNITY IP ADDRESS OID" creates SNMP community (COMMUNITY: community name); "no snmp community {ro | rw} COMMUNITY" deletes a created community (COMMUNITY: community name). You can configure up to 3 SNMP communities for each read only and read write. To display a configured SNMP community, use the following command (Enable/Global mode): "show snmp community" shows a created SNMP community. The following is an example of creating 2 SNMP communities:
    SWITCH config snmp community ro public
    SWITCH config snmp community rw private
    SWITCH config show snmp community
    Community List
    Type  Community  Source  OID
    ro    public
    rw    private
    SWITCH config
7.1.2 Information of SNMP Agent: You can specify basic information of SNMP agent
272. ng is meaningful and useful to customers. To display information on RIP routing transactions, use the following commands (Enable/Global mode): "debug rip events" shows RIP event such as packet transmit and sending and changed RIP information; "debug rip packet recv send" shows more detail information about RIP packet (the information includes address of packet transmission and port number); "show debugging rip" shows all information configured for RIP debugging. 11 Abbreviations: ACL Access Control List; ARP Address Resolution Protocol; ATM Asynchronous Transfer Mode; BGP Border Gateway Protocol; CBS Committed Burst Size; CE Communauté Européenne; CIDR Classless Inter Domain Routing; CIR Committed Information Rate; CLI Command Line Interface; CoS Class of Service; CPE Customer Premises Equipment; CRC Cyclic Redundancy Check Code; DA Destination Address; DHCP Dynamic Host Configuration Protocol; DSCP Differentiated Service Code Point; EGP Exterior Gateway Protocol; EMC Electro Magnetic Compatibility; EN Europäische Norm (European Standard); ERP Ethernet Ring Protection; FDB Filtering Data Base; FE Fast Ethernet; FTP File Transfer Protocol; GB Gigabyte; G
273. ngly. Thus different quality of service is provided to each class to which the packets belong. The QoS capabilities enable network managers to protect mission critical applications and support differentiated levels of bandwidth for managing traffic congestion. The hiD 6610 S311 supports ingress and egress shaping rate limiting and different scheduling types such as SP (Strict Priority), WRR (Weighted Round Robin) and WFQ (Weighted Fair Queuing). Multicasting: Because broadcasting in a LAN is restricted if possible, multicasting could be used instead of broadcasting by forwarding multicast packets only to the member hosts who joined the multicast group. The hiD 6610 S311 provides IGMP V2, IGMP snooping and PIM-SM for host membership management and multicast routing. SNMP: Simple Network Management Protocol (SNMP) is used to manage Network Elements using TCP/IP protocol. The hiD 6610 S311 supports SNMP version 1, 2, 3 and Remote Monitoring (RMON). The network operator can also use MIB to monitor and manage the hiD 6610 S311. IP Routing: The hiD 6610 S311 is a Layer 3 switch which has a routing table and IP address as a router. Therefore it supports static routing, RIP v1/v2, OSPF v2 and BGP V4 for unicast routing. DHCP: The hiD 6610 S311 supports DHCP (Dynamic Host Control Protocol) Server that automatically assigns IP address to clients accessed to network. That means it has IP address pool and operator can effectively utilize limited IP source by
274. nk from specified trunk group, use the following command: "trunk del <0-13> PORTS" releases a configured trunk port. If the user deletes a member port from a logical port or releases a port trunk, the ports are automatically contained in the default VLAN. Displaying Port Trunk Configuration: To display a configuration of port trunk, use the following command (Enable/Global/Bridge mode), which shows a configuration for trunk. 8.2.2 Link Aggregation Control Protocol (LACP): Link Aggregation Control Protocol (LACP) is the function of using wider bandwidth by aggregating more than two ports as a logical port, as in the previously stated port trunk function. If the integrated port configured by port trunk is in a VLAN different from the VLAN where the existing member port originally belongs, it should be moved to the VLAN where the existing member port belongs. However, the integrated port configured by LACP is automatically added to the appropriate VLAN. LACP supports up to 14 aggregators, so it is possible to input an aggregator number from 0 to 13, and the group ID of port trunk and the aggregator number of LACP cannot be configured repeatedly. The following explains how to configure LACP: Configuring LACP; Packet Route; Operating Mode of Member Port; Priority of Switch; Identifying Member Ports within L
275. nter
    clear arp inspection statistics
    clear cpu statistics PORTS
    clear ip bgp
    clear ip bgp in
    clear ip bgp in prefix filter
    clear ip bgp ipv4 unicast multicast in
    clear ip bgp ipv4 unicast multicast in prefix filter
    clear ip bgp ipv4 unicast multicast out
    clear ip bgp ipv4 unicast multicast soft
    clear ip bgp ipv4 unicast multicast soft in
    clear ip bgp ipv4 unicast multicast soft out
    clear ip bgp out
    clear ip bgp soft
    clear ip bgp soft in
    clear ip bgp soft out
    clear ip bgp vpnv4 unicast in
    clear ip bgp vpnv4 unicast out
    clear ip bgp vpnv4 unicast soft
    clear ip bgp vpnv4 unicast soft in
    clear ip bgp vpnv4 unicast soft out
    more
Press the ENTER key to skip to the next list. In case of the hiD 6610 S311 installed command shell, you can find out commands starting with a specific letter. Input the first letter and a question mark without a space. The following is an example of finding out the commands starting with s in Privileged EXEC Enable mode of the hiD 6610 S311:
    SWITCH s?
    show   Show running system information
    SWITCH s
Also, it is possible to view the variables you should input after commands. After inputting the command, you need to make one space and input a question mark. The following is an example of viewing variables after the command write Please
276. nter the MAC address. "no port security PORTS maximum" returns to the default number of secure MAC address (default: 1); "no port security PORTS violation" returns the violation mode to the default (shutdown) mode. To display the configuration of port security, use the following command (Bridge mode): "show port security PORTS" shows port security on the port. This is an example of configuring port security on port 7:
    SWITCH config bridge
    SWITCH bridge port security 7
    SWITCH bridge port security 7 maximum 10000
    SWITCH bridge port security 7 violation protect
    SWITCH bridge port security 7 mac address 00 02 a5 74 9b 17 vlan 1
    SWITCH bridge show port security 7
    port security violation aging type static maximum current
    7 enabled protect absolute 10000 1
    port vlan secure mac addr status in use
    7 1 00 02 hast 147 90117 static
    SWITCH bridge no port security 7 maximum
    SWITCH bridge no port security 7 violation
    SWITCH bridge show port security 7
    port security violation aging type static maximum current
    7 enabled shutdown absolute 1 0
    port vlan secure mac addr status in use
    SWITCH bridge
7.10.2 Port Security Aging: Port security aging is to set the aging time for all secure addresses on a port. Use this feature to remove and add PCs on a secure port without manual
277. o 13 because the hiD 6610 S311 supports 14 logical aggregated ports, and group ID of port trunk and Aggregator number of LACP cannot be repeatedly configured. For the hiD 6610 S311, source/destination MAC address is basically used to decide packet route. If packets enter a logical port aggregating several ports and there is no way to decide packet route, the packets could be gathered on a particular member port, so that it is not possible to use the logical port effectively. Therefore the hiD 6610 S311 is configured to decide the way of packet route in order to divide packets among member ports effectively when they enter. It is decided with Source IP address, Destination IP address, Source MAC address and Destination MAC address, and the user could get information of packets to decide packet route: dstip: Destination IP address; dstmac: Destination MAC address; srcdstip: refer to both Source IP address and Destination IP address; srcdstmac: refer to both Source MAC address and Destination MAC address; srcip: Source IP address; srcmac: Source MAC address. The port designated as member port of port trunk is automatically deleted from its existing VLAN. Therefore, if member port and aggregated port exist in other VLAN, VLAN configuration should be changed for the aggregated port. Disabling Port Trunk: To remove the configured port tru
278. o delete the priority of configured switch, use the following command: "no lacp system priority" clears the priority of the configured switch. 8.2.2.9 Displaying LACP Configuration: To display a configured LACP, use the following commands (Enable/Global/Bridge mode): "show lacp aggregator" shows the information of aggregated port; "show lacp aggregator AGGREGATIONS" shows the information of selected aggregated port; "show lacp port" shows the information of member port; "show lacp port PORTS" shows the information of appropriated member port; "show lacp statistics" shows aggregator statistics. To clear LACP statistics information, use the following command (Enable/Global/Bridge mode): "clear lacp statistics" clears the information of statistics. 8.3 Spanning Tree Protocol (STP): A LAN which is composed of double paths, like token ring, has the advantage that it is possible to access in case of disconnection with one path. However, there is another problem named Loop when you always use the double path. [Fig. 8.8 Example of Loop] Loop is when there is more than one path between switches (SWITCH A, B). PC A sends a packet through broadcast or multicast and then the packet keeps rotating. It causes superfluous data transmission and network fault. STP (Spanning Tree Protocol) is the function to prevent L
279. o you can set the time zone where the network element belongs. To set the time zone, use the following commands (refer to the below table): "time zone TIME ZONE" (Global mode) sets the time zone; "show time zone" (Enable/Global mode) shows the world time zone map. Tab. 6.1 shows the world time zone. [Tab. 6.1 World Time Zone] Network Time Protocol: The Network Time Protocol (NTP) provides a mechanism to synchronize time on computers across an internet. The specification for NTP is defined in RFC 1119. To enable/disable the NTP function, use the following commands: "ntp SERVER1 SERVER2 SERVERS" enables the NTP function with specified NTP server (SERVER: server IP address); "ntp start" operates the NTP function with specified NTP server; a further command disables the NTP function. To display a configured NTP, use the following command (Enable/Global mode), which shows a configured NTP function. 6.1.5 Simple Network Time Protocol (SNTP): NTP (Network Time Protocol) and SNTP (Simple Network Time Protocol) are the same TCP/IP protocol in that they use the same UDP time packet from the Ethernet Time Server message to compute accurate time. The basic difference in the two protocols is the algorithms being used by the client in the client server relationship T
280. ock the port connecting switch B. To configure Root Guard, use the following commands (Bridge mode): "stp pvst root guard VLAN RANGE PORTS" configures Root Guard on PVST network; "stp mst root guard MSTID RANGE PORTS" configures Root Guard on MST network; "no stp pvst root guard VLAN RANGE PORTS" and "no stp mst root guard MSTID RANGE PORTS" disable Root Guard. Restarting Protocol Migration: Suppose there are two switches, one configured as STP and one as RSTP. Usually in this case, STP protocol is used between the two switches. But what happens if someone configures the STP switch to RSTP mode? Because the RSTP switch already received STP protocol packets, the two switches can still work in STP mode even though RSTP is enabled at both. If you enable this command, the switch checks STP protocol packet once again. To clear configured Restarting Protocol Migration, use the following command (Bridge mode): "stp clear detected protocol PORTS" configures restarting protocol migration function. 8.3.9 Bridge Protocol Data Unit Configuration: Bridge Protocol Data Unit (BPDU) is a transmission message in LAN in order to configure and maintain the configuration for STP/RSTP/MSTP. Switches on which STP is configured exchange their information (BPDU) to find the best path. MSTP BPDU is general STP BPDU having additional MST data on its end. MS
281. ocols you want to use. 2. Create a protocol group for each of the protocols you want to assign to a VLAN. 3. Then map the protocol for each interface to the appropriate VLAN. Commands: "vlan pvid PORTS ethertype ETHERTYPE <1-4094>" configures protocol based VLAN (PORTS: input a port number; ETHERTYPE: 0x800; 1-4094: VLAN ID); "no vlan pvid PORTS ethertype ETHERTYPE" removes protocol based VLAN. Because Protocol Based VLAN and normal VLAN run at the same time, Protocol Based VLAN operates only in a matched situation, comparing the two cases below. 1. When an Untagged Frame comes in and matches the Protocol VLAN Table, it is tagged with the PVID configured on the Protocol VLAN. But in a no matched situation, it is tagged with the PVID configured on the port and the normal VLAN operates. 2. When a Tagged Frame comes in and VID is 0, it is switched by the Protocol VLAN Table. But if VID is not 0, it is switched by the normal VLAN Table. Tagged VLAN: In a VLAN environment, a frame's association with a given VLAN is soft; the fact that a given frame exists on some physical cable does not imply its membership in any particular VLAN. VLAN association is determined by a set of rules applied to the frames by VLAN aware stations and/or switches. There are two methods for identifying the VLAN membership of a given frame: parse the frame and apply the membership rules (implicit tagging); provide an explicit VLAN
282. ode from Privileged configure terminal Enable EXEC Enable mode. Tab. 3.3 shows a couple of important main commands of Global Configuration mode. [Tab. 3.3 Main Commands of Global Configuration Mode] 3.1.4 Bridge Configuration Mode: In Bridge Configuration mode, you can configure various Layer 2 functions such as VLAN, STP, LACP, EFM OAM, etc. To open Bridge Configuration mode, enter the bridge command; then the system prompt will be changed from SWITCH config to SWITCH bridge. The bridge command (Global mode) opens Bridge Configuration mode. Tab. 3.4 shows a couple of main commands of Bridge Configuration mode: auto reset Configures the system for automatic rebooting
283. of virtual router group rack Contes Rock ii "vr timers" configures advertisement time, which means the interval that master router distributes its information to another virtual router. Tab. 3.12 Main Commands of VRRP Configuration Mode. Route Map Configuration Mode: To open Route map Configuration mode, use the following command. The prompt is changed from SWITCH config to SWITCH config route map. "route map NAME {permit | deny} <1-65535>" (Global mode) opens Route map Configuration mode. On Route map Configuration mode, you can configure the place where information is from and sent in routing table. Tab. 3.13 shows a couple of important main commands of Route map Configuration mode: one transmits routing information to specified place; one configures router address and distance. Tab. 3.13 Main Commands of Route map Configuration Mode. 3.2 Useful Tips: This section provides useful functions for user's convenience while using CLI commands. They are as follows: Listing Available Commands; Calling Command History; Using Abbreviation; Using Command of Privileged EXEC Enable Mode; Exit Current Command Mode. 3.2.1 Listing Available Commands: To list available commands, input question mark <?>. When you input the question mark <?> in each command mode, you can see available commands used i
284. ompared to decide order. The following is an example of configuring Master Router and Backup Router by comparing IP addresses. Virtual Routers: Layer 3 SWITCH 1 (10.0.0.1) and Layer 3 SWITCH 2 (10.0.0.2).
    <Layer 3 SWITCH 1: IP address 10.0.0.1/24>
    SWTICH1 config router vrrp default 1
    SWITCH1 config router associate 10.0.0.5
    SWITCH1 config router exit
    SWITCH1 config show vrrp
    default virtual router 1
    state
    virtual mac address 0000 s Se 00 r001
    advertisement interval l sec
    preemption enabled
    priority 100
    master down interval 3 624 sec
    1 associate address 10.0.0.5
    <Layer 3 SWITCH 2: IP Address 10.0.0.2/24>
    SWIICH2 config router vrrp default 1
    SWITCH2 config router associate 10.0.0.5
    SWITCH2 config router exit
    SWITCH2 config show vrrp
    default virtual router 1
    state
    virtual mac address QU 00s 5E 002 0T 01
    advertisement interval 1 sec
    preemption enabled
    priority 100
    master down interval 3 620 sec
    1 associate address 10.0.0.5
In case of same priorities, SWITCH 1 with lower IP address is configured as Master. 8.4.1.4 VRRP Track Function: When the link connected to Master Router of VRRP is off as below, if link of Master Router is not recognized, the users on the interface are not able to communicate because
285. one switch. Step 1: Activate the port mirroring using the following command. Step 2: To designate the monitor port, use the following command: "mirror monitor {PORTS | cpu}" designates the monitor port. Step 3: To designate the mirrored ports, use the following command: "mirror add PORTS ingress egress" designates the mirrored ports (ingress: ingress traffic; egress: egress traffic). Step 4: To delete and modify the configuration, use the following commands (Bridge mode): "mirror disable" deactivates monitoring; "mirror del PORTS ingress egress" deletes a port from the mirrored ports. Step 5: To disable monitoring function, use the following command. The following is an example of configuring port mirroring with a port. Step 1: Connect a monitoring PC to the monitor port of the switch. Step 2: Enable mirroring function.
    SWITCH bridge mirror enable
    SWITCH bridge
Step 3: Configure the monitor port 1 and mirroring port 2, 3, 4 and 5.
    SWITCH bridge
    SWITCH
Step 4: Check the configuration.
    SWITCH bridge show mirror
    Mirroring enabled
    Monitor port 1
    Ingress mirrored ports
    Egress mirrored ports
    SWITCH bridge
286. onfiguration. If you want to continue to reboot, press y key; if you want to save new configuration, press n key.
    SWITCH reload
    Do you want to save the system configuration (y/n)
4.1.8.2 Auto System Rebooting: The hiD 6610 S311 reboots the system according to user's configuration. There are two bases for system rebooting: CPU and memory. The system is rebooted in case CPU Load or Interrupt Load continues for the configured time. The system is automatically rebooted in case memory low occurs as many times as configured. To enable auto system rebooting function, use the following commands: "auto reset cpu <70-100> <1-100> TIME" configures to reboot the system automatically in case an average of CPU or interrupt load exceeds the configured value during the user defined time (70-100: average of CPU load per 1 minute; 1-100: average of interrupt load; TIME: minute); "auto reset memory <1-120> <1-10>" configures to reboot the system automatically in case memory low occurs as the configured value (1-120: time of memory low; 1-10: count of memory low; the default is 5); "no auto reset {cpu | memory}" disables auto system rebooting. To display the auto system rebooting configuration, use the following command (Global/Bridge mode): "show auto reset {cpu | memory}" shows a configuration of auto rebooting function. The following is an example of confi
288. oop in LAN with more than two paths and to utilize the double path efficiently. It is specified in IEEE 802.1d. If STP is configured, there is no Loop, since it chooses the more effective path of them and closes the other path. In other words, when SWITCH C in the below figure sends a packet to SWITCH B, path 1 is chosen and path 2 is blocked. [Fig. 8.9 Principle of Spanning Tree Protocol: Switch B, Switch C, Switch D, PC A] Meanwhile, RSTP (Rapid Spanning Tree Protocol), defined in IEEE 802.1w, innovatively reduces the time of network convergence on STP (Spanning Tree Protocol). It is easy and fast to configure the new protocol. Also, 802.1w includes 802.1d inside, so it can provide compatibility with 802.1d. For more detailed description of STP and RSTP, refer to the following: STP Operation; RSTP Operation; MSTP Operation; Configuring STP/RSTP/MSTP/PVSTP/PVRSTP Mode (Required); Configuring STP/RSTP/MSTP; Configuring PVSTP/PVRSTP; Root Guard; Restarting Protocol Migration; Bridge Protocol Data Unit Configuration; Sample Configuration. 8.3.1 STP Operation: The 802.1d STP defines port state as blocking, listening, learning, and forwarding. When STP is configured in LAN with double path, switches exchange their information including bridge ID. It is named as BPDU (Bridge Protocol Data Unit). Switches decide port state based on the exchanged BPDU a
289. orce the autonomous system boundary router to generate a default route, use the following command.

  Command      default-information originate
  Mode         Router
  Description  Forces the autonomous system boundary router to generate a default route into the RIP routing domain.

Routing Information Filtering

You can filter routing protocol information by performing the following tasks:

• Suppress sending of routing updates on a particular router interface. This is done to prevent other systems on an interface from learning about routes dynamically.
• Apply an offset to routing metrics. This is done to provide a local mechanism for increasing the value of routing metrics.

Blocking Outgoing Routing Information to Interface

To prevent other routers on a local network from learning about routes dynamically, you can keep routing update messages from being sent through a router interface. This feature applies to all IP-based routing protocols except BGP.

  Command      passive-interface INTERFACE
  Description  Blocks routing information from interface of router.

Configuring Offset List

An offset list is the mechanism for increasing incoming and outgoing metrics to routes learned via RIP. You can limit the offset list with an access list. To increase the value of routing metrics, use the following command.

  Command      offset-list ACCESS-LIST-NAME in | out 0-16 INTERFACE
  Mode         Router
  Description  Applies an offset to routing metrics.
290. orities: Virtual Routers Layer 3 SWITCH 1: 101 and Layer 3 SWITCH 2: 102. Then, regardless of IP addresses, the one that has the higher Priority, Layer 3 SWITCH 2, becomes Master Router.

<Layer 3 SWITCH 1: IP Address 10.0.0.1/24>

  SWITCH1(config)# router vrrp default 1
  SWITCH1(config-router)# associate 10.0.0.5
  SWITCH1(config-router)# vr priority 101
  SWITCH1(config-router)# exit
  SWITCH1(config)# show vrrp
  default virtual router 1
  virtual mac address OD VO0NSESUOOYOXS OI
  advertisement interval 1 sec
  preemption enabled
  priority 101
  master down interval 3.624 sec
  1 associate address 10.0.0.5

<Layer 3 SWITCH 2: IP Address 10.0.0.2/24> SWITCH 2, with the higher priority, is configured as Master.

  SWITCH2(config)# router vrrp default 1
  SWITCH2(config-router)# associate 10.0.0.5
  SWITCH2(config-router)# vr priority 102
  SWITCH2(config-router)# exit
  SWITCH2(config)# show vrrp
  default virtual router 1
  state
  virtual mac address OO 005 gt 00 01L Or
  advertisement interval 1 sec
  preemption enabled
  priority 102
  master down interval 3.620 sec
  1 associate address 10.0.0.5

By default, the Priority of the hiD 6610 S311 is configured as 100. So unless you configure a specific Priority, this switch becomes Master Router, because a device which has a lower IP address has higher precedence. Also, when there are more than two Backup Routers, IP addresses are c
291. ort num ber and Remote ID included Option 82 packet If you want to limit the number of IP ad dress you should configure the port number and remote id that will be permitted to as sign IP address To configure Remote ID and the number of IP addresses to be available for allocation use the following command comment HUN NN remote id hex HEXSTRING lease limit Sets Remote ID which will be permitted NUMBEH to be assigned and limits the numbers remote id ip A B C D lease limit of IP address NUMBER HEXSTRING Remote id of hexadeci mal string style REMOTE ID Remote id of ASCII string remote id text REMOTE ID lease limit style NUMBER A B C D Remote id IP address NUMBER the number of IP addresses lt 0 2147483637 gt Option 82 To remove above configurations use the following command Seen Se Femme no remote id hex HEXSTRING lease limit Option 82 no remote no remote id ip P ADDRESS lease limit no remote id ip P ADDRESS lease limit IP ADDRESS lease limit Deletes Remote ID configuration and no no remote id text REMOTE IDlease limit no remote id text REMOTE IDlease limit text REMOTE ID lease limit limitation of the numbers of IP address no _ no remote id all lease timit _ no remote id all lease timit all lease limit A50010 Y3 B100 2 7619 243 UMN CLI 244 User Manual SURPASS hiD 6610 S311 R1 0 Configuring Remote ID with IP pool Administrator is able to configure Remote id with
292. ounts how many times the packets come into config ured Rule match dmac DST MAC D Kr Overwrites a specified destination MAC address ADDRESS match egress filter PORT Deletes a specified egress port match egress port PORT Overwrites a specified egress port To delete a specified rule action match use the following command nen e eos no match dscp Deletes a specified rule action no match ip prec no match bandwidth A50010 Y3 B100 2 7619 135 UMN CLI 136 User Manual SURPASS hiD 6610 S311 R1 0 e me Se no match copy to cpu no match counter no match dmac no match egress Deletes a specified rule action To specify a rule action no match for the packets not matching configured classifying patterns use the following command e me See no match deny no match redirect PORT no match mirror no no match deep lt 0 63 gt no match deep lt 0 63 gt lt 0 63 gt no match cos lt 0 7 gt no match cos lt 0 7 gt overwrite no match cos same as tos over write no match ip prec lt 0 7 gt no match ip prec same as cos no match copy to cpu Denies a packet sd a Denies a packet sd Redirects to specified egress port PORT uplink port number e g 25 28 Sends a copy to mirror monitoring port Changes DSCP field enter DSCP value Changes 802 1p class of service enter CoS value 0 7 CoS value Overwrites 802 1p CoS field in the packet 0 7 CoS value Ove
293. outers that will cand rp access permit A B C D A l exchange candidate RP

Assert Message

When there are several PIM-SM routers on the same LAN, they may exchange packets that are not needed. In order to prevent this problem, you need to assign one PIM-SM router to transmit multicast packets. In this case, the assigned router is named Assert.

For example, there are routers B and C, which can transmit multicast packets. In case of receiving a Join message from a receiver, D and E, which send the Join message, cannot decide which router to receive, and C may transmit the same packet to B, which belongs to the multicast group. In this case, if Assert is decided, the multicast group is well organized, because D and E transmit the Join message only to Assert.

When Assert is decided, Metric and Preference in the Assert message are compared. Lower Metric has priority and higher Preference has priority.

Metric

To configure Metric of Assert message, use the following command.

  metric <1-2147483647>    Configures Metric of Assert message.
  no metric                Deletes configured Metric of Assert message.

Preference

To configure Preference of Assert message, use the following command.

  Mode: PIM
  preference <1-2147483647>    Configures preference of Assert message.
  no preference                Deletes configured preference of Assert message.

Config
294. owing command e owe res Configures the interval of Cache check Default value cache check interval lt 1 128 gt PIM 20 seconds no cache check interval Deletes configured interval of Cache check Multicast Routing Table There is RPF Reverse Path Forwarding on route of transmitting multicast packet RPF is a former router that transmits multicast packet User can configure specified router as RPF by configuring routing table manually To set multicast routing table manually to configure RPF use the following command ee we IC Configures RPF about packets of specified multicast mroute A DC DM A B C D group To delete configured multicast routing table use the following command ne owe ten no mroute A B C D M A B C D ER Deletes the configured multicast routing table PIM Deletes all multicast routing tables A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 9 2 9 9 2 9 1 9 2 9 2 9 2 9 3 PIM SM on Ethernet Interface You need to open nterface Configuration mode of specified interface first for activating PIM SM on Ethernet interface To open nterface Configuration mode use the following command e me See i Opens Interface Configuration mode of specified inter interface INTERFACE Global ace To disable nterface Configuration mode use the following command e e See no interface INTERFACE Global Disables a specified interface PIM S
295. p dates every 30 seconds. This process is termed advertised. If a router does not receive an update from another router for 180 seconds or more, it marks the routes served by the non-updating router as being unusable. If there is still no update after 120 seconds, the router removes all routing table entries for the non-updating router.

The metric that RIP uses to rate the value of different routes is hop count. The hop count is the number of routers that can be traversed in a route. A directly connected network has a metric of zero; an unreachable network has a metric of 16. This small range of metrics makes RIP an unsuitable routing protocol for large networks.

A router that is running RIP can receive a default network via an update from another router that is running RIP, or the router can source (generate) the default network itself with RIP. In both cases, the default network is advertised through RIP to other RIP neighbors.

RIP sends updates to the interfaces in the specified networks. If an interface's network is not specified, it will not be advertised in any RIP update. The system supports RIP version 1 and 2.

Enabling RIP

To use the RIP protocol, you should enable RIP.

Step 1: To open Router Configuration mode, use the following command.

  Mode         Global
  Description  Opens Router Configuration mode and operates RIP routing protocol.

Step 2: Configure network to operate as RIP.

  Command      network IP ADDRESS INTERFACE
  Mode         Router
  Description  Configures
296. p address VLAN ID lt 1 4094 gt PORT enters port number A B C D2 Reporter IP address ip igmp static group A B C D1 M VLAN ID PORT A B C D2 no ip igmp static group VLAN D Global Disables the IGMP static join configuration A B C D1 IGMP group address VLAN ID lt 1 4094 gt no Ip igmp static group PORT enters port number A B C DI M VLAN ID PORT A B C D2 Reporter IP address A B C D2 no ip igmp sStatic group A B C D1 M VLAN ID To see IGMP static Join group use the following command man We emen Enable show ip igmp static group Sia Shows IGMP static join configuration oba To register or delete Multicast group address on IGMP table static Join use the following command on Global Configuration mode e e eem Registers multicast group address on IGMP table statically mac address table vlan VLANS static GROUP VLANS VLAN name ADDDRESS port PORTS GROUP ADDRESS Multicast group Global address PORTS Selects port number no mac address table vlan VLANS static Deletes a specific multicast group ad GROUP ADDDRESS port PORTS dress registered on IGMP table To remove all Multicast group addresses from IGMP table use the following command Removes all multicast group addresses clear mac address table multicast vlan VLANS Enable from the IGMP table ip igmp static group command offers a emulation of multicast group address that multi m cast address pretends to be joined but it doesn t
297. password too short
  Warning: weak password (continuing).
  Re-enter new password:
  Password changed.
  SWITCH(config)# show user
  User name   Description   Level
  test0       level0user    0
  test1       level1user    1
  SWITCH(config)#

The following is an example of configuring an authority of the security level 0 and 1.

  SWITCH(config)# privilege view level 0 enable
  SWITCH(config)# privilege enable level 0 show
  SWITCH(config)# privilege enable level 1 configure terminal
  SWITCH(config)# show privilege
  Command Privilege Level Configuration
  Node(All)       Level   Command
  EXEC(ENABLE)    1       configure terminal
  EXEC(VIEW)      0       enable
  EXEC(ENABLE)    0       show
  3 entry(s) found.
  SWITCH(config)#

In the above configuration, as level 0, it is possible to use only the show command in Privileged EXEC Enable mode; however, as level 1, it is possible to use not only the commands in level 1 but also time configuration commands in Privileged EXEC Enable mode and accessing commands to Global Configuration mode.

Limiting Number of User

For the hiD 6610 S311, you can limit the number of users accessing the switch through both console port and telnet. In case of using the system authentication with RADIUS or TACACS+, the configured number includes the number of users accessing the switch via the authentication server. To set the num
298. permit SWITCH bridge show mac filter L 00201 sa 7 3 0301 3c PERMIT 2 EE cas 74596117 PERMIT SWITCH bridge The following is an example of displaying one configuration SWITCH bridge show mac filter 1 d OOS Ol ee As EE e PERMIT SWITCH bridge

7.13 Address Resolution Protocol (ARP)

A device connected to an IP network has two addresses: a LAN address and a network address. The LAN address is sometimes called the data link address because it is used at the Layer 2 level, but more commonly the address is known as the MAC address. An Ethernet switch needs a 48-bit MAC address to transmit packets. In this case, the process of finding the proper MAC address from an IP address is called address resolution. On the other hand, the process of finding the proper IP address from a MAC address is called reverse address resolution. Siemens switches find the MAC address from the IP address through the address resolution protocol (ARP).

This chapter consists of these sections:

• ARP Table
• ARP Alias
• ARP Inspection
• Gratuitous ARP

7.13.1 ARP Table

Hosts typically have an ARP table, which is a cache of IP/MAC address mappings. The ARP Table automatically maps the IP address to the MAC address of a switch. In addition to address information, the table shows the age of the entry in the table, the encapsulation method, and the switch interface (VLAN ID) where pa
299. pf message digest key <1-255> md5 active

Clear Text Authentication

1. Configure 2 keys: the first key and the second.
2. The specified active key is used for encoding OSPF authentication in the sender OSPF router. If active doesn't exist, the first key will be used for encoding.
3. The specified active key is also used for OSPF authentication in the receiver OSPF router. If active doesn't exist, the first key will be used for encoding. But if OSPF authentication fails using the active key, the second key will be used for authentication.

MD5 Authentication

MD5 Authentication follows the way that ZebOS provides (1 through 255).

1. The specified active key is used for encoding OSPF MD5 authentication in the sender OSPF router. If an active key does not exist, it uses the last key in sorted order and encodes the key for authentication.
2. Decoding will be done based on the receiver's OSPF router key ID, regardless of active state.

10.3 Routing Information Protocol (RIP)

Routing Information Protocol (RIP) is commonly used in small, homogeneous networks. It is a classical distance-vector routing protocol using hop count. RIP is documented in RFC 1058. RIP uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. The OS software sends routing information u
300. playing Rule

The following command can be used to show a certain rule by its name, all rules of a certain type, or all rules at once sorted by rule type.

show rule admin rule admin Shows all admin access rules sorted by type Enable anean Global Shows all rules and admin access rules sorted by type oba show rule statistics Shows rule statistics show rule profile Shows a current configuration of a rule

NetBIOS Filtering

NetBIOS (Network Basic Input/Output System) is a program that allows applications on different computers to communicate within a local area network (LAN). NetBIOS is used in Ethernet, included as part of NetBIOS Extended User Interface (NetBEUI). Resources and information in the same network can be shared with this protocol.

But the more computers are used, the stronger the security that is required. To secure individual customers' information and prevent information leakage in the LAN environment, the hiD 6610 S311 provides a NetBIOS filtering function.

Fig. 7.4 NetBIOS Filtering (LAN environment for Internet service: information shared; needs to prevent sharing information between customers)

Without NetBIOS filtering, customers' data may be opened to each other even though the data should be kept. To keep customer's information and prevent sharing information i
301. py of your sales receipt when submitting your request. Also, please include the exact name and number of the device and the version number of the installed software.

The use of Open Source Software contained in this product in any manner other than the simple running of the program occurs at your own risk, that is, without any warranty claims against Siemens. For more information about the warranties provided by the authors of the Open Source Software contained in this product, please consult the GPL and LGPL.

You have no warranty claims against Siemens when a defect in the product is or could have been caused by changes made by you in any part of the software or its configuration. In addition, you have no warranty claims against Siemens when the Open Source Software infringes the intellectual property rights of a third party.

Siemens provides no technical support for either the software or the Open Source Software contained therein if either has been changed.

You will find the GPL and LGPL license text on the SW CDR which is delivered with the product SURPASS hiD 6610 S311.

2 System Overview

SURPASS hiD 6610 S311 is a Fast Ethernet Switch that provides 24 ports of 10/100Base-TX interface and 4 ports of GE interface, and it supports forming a large-scale network with level-up integrated functions. Integrated Layer 3 switching functions in the SURPASS hiD 6610 S311 pro
302. r FE and from 1 to 2097150 for GE. By default, DLF storm control is enabled and multicast storm control is disabled.

To disable multicast storm control and DLF storm control, use the following command.

  Command      no storm control broadcast | multicast | dlf PORTS
  Mode         Bridge
  Description  Disables broadcast, multicast or DLF storm control respectively.

To display a configuration of storm control, use the following command.

  Command      show storm control
  Mode         Enable / Global / Bridge
  Description  Displays storm control configuration.

8.12 Jumbo-frame Capacity

The packet range that the switch can accept is from 64 bytes to 1518 bytes. Therefore, packets not within this range will not be taken. However, the hiD 6610 S311 can accept Jumbo frames larger than 1518 bytes through user's configuration.

To configure to accept Jumbo frames larger than 1518 bytes, use the following command.

  Command      jumbo frame PORTS <1518-9000>
  Description  Configures to accept jumbo frame between specified ranges. 1518-9000: Max packet length.

To disable configuration to accept Jumbo frames, use the following command.

  Command      no jumbo frame PORTS
  Mode         Bridge
  Description  Disables configuration to accept jumbo frame on specified port.

To display the configuration of Jumbo frame, use the following command.

  Command      show jumbo frame
  Mode         Enable / Global / Bridge
  Description  Shows a configuration of jumbo frame.
303. rmit PORTS

By default, the basic filtering policy provided by the system is configured to permit all packets in each port.

Sample Configuration

This is an example of blocking all packets in port 1 3 and port 7.

  SWITCH(bridge)# mac filter default policy deny 5-10
  SWITCH(bridge)# mac filter default policy permit 2
  SWITCH(bridge)# show mac filter default policy
  PORT  POLICY  |  PORT  POLICY
   1    PERMIT  |   2    PERMIT
   3    PERMIT  |   4    PERMIT
   5    DENY    |   6    DENY
   7    DENY    |   8    DENY
   9    DENY    |  10    DENY
  11    PERMIT  |  12    PERMIT
  13    PERMIT  |  14    PERMIT
  15    PERMIT  |  16    PERMIT
  17    PERMIT  |  18    PERMIT
  19    PERMIT  |  20    PERMIT
  21    PERMIT  |  22    PERMIT
  23    PERMIT  |  24    PERMIT
  25    PERMIT  |  26    PERMIT
  27    PERMIT  |  28    PERMIT
  SWITCH(bridge)#

Adding Policy of MAC Filter

You can add a policy to block or to allow packets of a specific address after configuring the basic policy of MAC filtering. To add this policy, use the following command in Bridge Configuration mode.

  Command      mac filter add MACADDR deny | permit
  Mode         Bridge
  Description  Allows or blocks packets which bring the configured MAC address to the specified port.

The variable MAC ADDRESS is composed of a twelve-digit number in hexadecimal. It is possible to check it by using the show mac command. 00:d0:cb:06:01:32 is an example of MAC addres
304. rotocol LACH 189 COMTI OUFING DEE 189 Packet e 190 Operating Mode of Member Hot 190 Identifying Member Ports within LACH 191 BP DU Transmission RA eege daa uad dee 191 Key value of Member Hot 192 Priority or Member Poli o 192 PRON OF Wi EEN 192 Displaying LACP Configuration EE 193 Spanning Tree Protocol STP a ata 194 MU AAA TOL UL 195 co Ree de EE 199 Va e En EE 203 Configuring STP RSTP MSTP PVSTP PVRSTP Mode Required 205 Configuring STP RSTP MSTP cccccsseeceeceeeeeeeeeeeecseeeeeeeeeeeeesaeeseesaeeeeessaaes 206 Aclvating STP ARSTPIMS DP EE 206 FROOL SWIC me 206 Soe RN da 206 A T T I ETT 207 Med eet a A 208 KEN Gi os EE 209 Point to point MAC Parameters ccccoccccccccccconnococonoconnnonanonononncnnnnnonannnonanenenas 209 Edge POG ao anios 209 Displaying Configuration oocccccccccnnononcnnconocononnnnononononnnnnnnnnnonnrnnnonancnnnnnncnnnnas 210 Configuring PVSTIP PVISS TIS esc eu esci buts eoru b octo Ud adde Eat repete esc vigas ee 211 Activating PVSTPIPVIRSTB EE 211 ROO WUC ede ars 212 PACOS rusa oda 212 moneda 212 FO ETE A A US 213 Restarting Protocol Migration 1 sees 213 Bridge Protocol Data Unit Configuration ccccooccnccccocnnccononcnnonnnnononcnncnnanonoos 214 HOM EP M 214 11 UMN CLI 12 8 3 9 2 8 3 9 3 8 3 9 4 8 3 9 5 8 3 9 6 8 3 9 7 8 3 9 8 8 3 10 8 4 8 4 1 8 4 1
305. roup of Internet Engineering Task Force (IETF). OSPF, designed for IP networks, supports IP subnetting and marks on information from exterior networks. Moreover, it supports packet authorization and transmits/receives routing information through IP multicast. It is most convenient to operate OSPF on a layered network.

The first thing you should do on an OSPF network is to configure the border router and the AS boundary router. Then you need to configure the basic settings to operate the OSPF router and interface in the area. When you customize an OSPF router for the user's environment, you have to check that all configurations are the same in each router.

Enabling OSPF

To configure the routing protocol, use the following command.

  Command      router ospf <1-65535>
  Mode         Global
  Description  Opens Router Configuration mode.

OSPF Network Type

OSPF provides three types of network, as follows:

• Broadcast Network
• Non-broadcast Multi-access (NBMA) Network
• Point-to-point Network

It is possible to configure an OSPF network as broadcast type or non-broadcast type. For example, if the user's network does not support multicasting, it is possible to configure a broadcast network as non-broadcast type. Conversely, it is also possible to configure an NBMA network such as frame relay as broadcast type.

To operate a network as NBMA type, all routers should be connected through a virtual circuit. However, it is possible to connect to some part of the OSPF network using a virtual circuit throu
306. rt vlan add VLANS PORTS tagged VLANS enter the VLAN ID PORTS enter the port number VLAN Description You can describe each VLAN with the following command e e een Describes VLAN characteristic vlan description VLANS DESC VLANS enter the VLAN ID DESC enter the detail description no vlan description VLANS Deletes the description about specified VLAN ID A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 S311 R1 0 8 1 5 Displaying VLAN Information User can display the VLAN information about Port based VLAN Protocol based VLAN and QinQ mana wm on Shows all VLAN configurations show vlan VLANS Enable Shows a configuration for specific VLAN show vlan description Global Shows a description for specific VLAN show vlan dotiq tunnel Bridge Shows QinQ configuration show vlan protocol Shows VLAN based on protocol 8 1 6 QinQ QinQ or Double Tagging is one way for tunneling between networks Customer A Customer A VLAN 200 VLAN 641 PVID 641 VLAN 200 VLAN 201 T Tagged Customer B VLAN 201 Customer B U Untagged Fig 8 2 Example of QinQ Configuration If QinQ is configured on the hiD 6610 S311 it transmits packets adding another Tag to original Tag Customer A group and customer B group can guarantee security because telecommunication is done between each VLANs at Double Tagging part Double tagging is implemented with another VLAN tag in Ethernet frame header A5
307. rt threshold enable
  dhcp lease enable
  power enable
  module enable
  fan enable
  temp threshold enable
  SWITCH(config)#

7.1.9 SNMP Alarm

The hiD 6610 S311 provides an alarm notification function. The alarm will be sent to an SNMP trap host whenever a specific event in the system occurs, through CLI and ACI-E. You can also set the alarm severity on each alarm and make the alarm be shown only in case of the selected severity or higher. This enhanced alarm notification allows system administrators to manage the system efficiently.

Enabling Alarm Notification

To configure whether the switch transmits SNMP alarms or not, use the following command.

  Command      snmp notify activity enable | disable
  Mode         Global
  Description  Enables/disables an alarm notification on CLI or ACI-E (default: disable).

Default Alarm Severity

To configure a priority of alarm, use the following command.

  Command      snmp alarm severity default critical | major | minor | warning | intermediate
  Mode         Global
  Description  Configures the priority of alarm (default: minor).

Alarm Severity Criterion

You can set an alarm severity criterion to make an alarm be shown only in case of the selected severity or higher. For example, if an alarm severity criterion has been set to major, you will see only an alarm whose severity is major or critical.
308. rval for transmitting ICMP messages. After you configure the interval, ICMP messages will be blocked until the period based on the last message is up. For example, if you configure the interval as 1 second, ICMP will not be sent within 1 second after the last message has been sent.

To configure the interval for transmitting ICMP messages, the administrator should configure the type of message and the interval time. Use the following command to configure the interval for transmitting ICMP messages.

  Command      ip icmp interval rate mask MASK
  Mode         Global
  Description  Configures the interval for transmitting ICMP messages. MASK: user should input a hexadecimal value up to 0xFFFFFFFF. The default is 0x1818.

If the mask that is input as a hexadecimal number is calculated as a binary number, 1 means Status ON and 0 means Status OFF. In the binary number, if the digit shown as 1 matches the value of an ICMP message, it means that ICMP message is selected as Status ON. The digit value starts from 0.

For example, if hexadecimal number 8 is changed to a binary number, it is 1000. In 1000, digit 0 is 0, digit 1 is 0, digit 2 is 0 and digit 3 is 1. The digit shown as 1 is 3, and ICMP DEST UNREACH means the ICMP value is 3. Therefore, ICMP DEST UNREACH is chosen as the message for limiting the transmission time.

The default is 0x1818. If 1818 as a hexadecimal number is changed to a binary number, it is 1100000011000. By calculating from digit 0, 3 digit 4 digit 11 digi
309. rver with the authentication key.

  SWITCH_A(config)# ssh login 172.16.209.10
  Enter passphrase for key etc ssh id_dsa networks
  SWITCH_B

4.5 802.1x Authentication

To enhance security and portability of network management, there are two ways of authentication, based on MAC address and port-based authentication, which restrict clients attempting to access a port. The port-based authentication (802.1x) decides whether to give access through a RADIUS server that has the information about the user who tries to access.

802.1x authentication adopts the EAP (Extensible Authentication Protocol) structure. In the EAP system, there are EAP-MD5 (Message Digest 5), EAP-TLS (Transport Level Security), EAP-SRP (Secure Remote Password) and EAP-TTLS (Tunneled TLS), and the hiD 6610 S311 supports EAP-MD5 and EAP-TLS. Accessing with the user's ID and password, EAP-MD5 is one-way authentication based on the password. EAP-TLS accesses through the mutual authentication system of server authentication and personal authentication, and it is possible to guarantee high security because of the mutual authentication system.

At a request for user authentication from the user's PC, EAPOL-Start type packets are transmitted to the authenticator, and the authenticator again requests identification. After getting respond about identification request to approve access to RADIUS server and be authenticated by checking access through user's in
310. rwrites 802 1p CoS field in the packet same as IP ToS precedence bits Changes IP ToS precedence bits in the packet 0 7 ToS precedence value Changes IP ToS precedence bits in the packet same as 802 1p CoS value Copies to CPU To delete a specified rule action no match use the following command e owe See no no match deny no no match redirect no no match mirror no no match dscp no no match cos no no match ip prec no no match copy to cpu Deletes a specified rule action A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 7 6 2 5 7 6 2 6 7 6 2 7 Applying Rule After configuring rule using the above commands apply it to the system with the following command If you do not apply the rule to the system all specified rules will be lost To save and apply a rule use the following command e me ees apply Applies a rule to the system 1 The switch performs a detailed plausibility check and rejects the rule if the configuration is incomplete contains bad or unsupported values or conflicts to other rules In this case the switch informs about the reason and the operator may correct the values 2 The switch may reject a rule with the message Already exist rule allthough the name will not be listed by command show rule Unfortunately the entered name in this case interferes with the name of an internally managed rule Remedy Select another name for the r
311. s

Deleting MAC Filter Policy

To delete a MAC filtering policy, use the following command.

  Command      mac filter del SOURCE MACADDR
  Description  Deletes filtering policy for specified MAC address.

To delete the MAC filtering function, use the following command.

  Command      no mac filter
  Description  Deletes all MAC filtering functions.

Listing of MAC Filter Policy

If you need to make many MAC filtering policies at a time, it is hard to input commands one by one. In this case, it is more convenient to save MAC filtering policies at /etc/mfdb.conf and display the list of MAC filtering policies. To view the list of MAC filtering policies at /etc/mfdb.conf, use the following command.

  Command      mac filter list
  Mode         Bridge
  Description  Shows the list of MAC filtering policy at /etc/mfdb.conf.

7.12.5 Displaying MAC Filter Policy

To show a configuration about MAC filter policy, use the following command.

  Mode: Enable / Global / Bridge
  show mac filter default policy
  show mac filter
  show mac filter COUNT
  show mac filter COUNT SOURCE MACADDR
  Description  Shows MAC filter policy.

Sample Configuration

The latest policy is recorded as number 1. The following is an example of permitting MAC addresses 00:02:a5:74:9b:17 and 00:01:a7:70:01:d2 and showing the table of filter policy.

  SWITCH(bridge)# mac filter add 00:02:a5:74:9b:17 permit
  SWITCH(bridge)# mac filter add 00:01:a7:70:01:d2
312. s Lowest priority gt highest priority un CVM Round Robin Scheduler Fig 7 1 Weighted Round Robin A50010 Y3 B100 2 7619 139 UMN CLI 140 User Manual SURPASS hiD 6610 S311 R1 0 Weighted Fair Queuing WFQ Weighted fair queuing WFQ provides automatically sorts among individual traffic streams without requiring that you first define access lists It can manage one way or two way streams of data traffic between pairs of applications or voice and video In WFQ packets are sorted in weighted order of arrival of the last bit to determine trans mission order Using order of arrival of last bit emulates the behavior of Time Division Multiplexing TDM hence fair From one point of view the effect of this is that WFQ classifies sessions as high or low bandwidth Low bandwidth traffic gets priority with high bandwidth traffic sharing what s left over If the traffic is bursting ahead of the rate at which the interface can transmit new high bandwidth traffic gets discarded after the configured or default congestive messages threshold has been reached However low bandwidth conversations which include con trol message conversations continue to enquire data Weighted Fair Queuing WFOQ Service According to Packet Finish Time Queue 1 50 bw ag acheduler Queue 25 Di Order of Packet Transmission AIDER E T Queue 3 25 D
313. s not possible to use logical port effectively. Therefore, the hiD 6610 S311 is configured to decide the packet route so that traffic is divided effectively among the member ports when packets are transmitted. The route can be selected by source IP address, destination IP address, source MAC address or destination MAC address, and the user can get the packet information used to decide the packet route. The options are: dstip (destination IP address); dstmac (destination MAC address); srcdstip (runs by reference to both source IP address and destination IP address); srcdstmac (source MAC address and destination MAC address); srcip (source IP address); srcmac (source MAC address). For the hiD 6610 S311, srcdstmac (source MAC address and destination MAC address) is basically used to decide the packet route. After configuring the aggregator, you should configure how packets are transmitted over the aggregator port. The following is the command for configuring packet transmission over the aggregator port: lacp aggregator distmode AGGREGETIONS srcmac dstmac srcdstmac srcip dstip srcdstip (Bridge mode): defines packets transmitted by way of the aggregator, which is a logical aggregated port. AGGREGATIONS: select the aggregator ID <0-13>. To disable configuring packets, use the following command: no lacp aggregator AGGREGETIONS (Bridge mode): deletes destination MAC address; select the aggregator ID. Operating Mode of Member Port. After configuring
314. s SPVLAN and if not as CVLAN. Step 3: If the egress port is an access port (an access port is configured as Untagged), remove the SPVLAN. If the egress port is an uplink port, transmit as it is. Step 4: The hiD 6610 S311 switch has the TPID value 0x8100 as default, and other values are used as hexadecimal numbers. Double Tagging Configuration. Step 1: Designate the QinQ port. Command: vlan dot1q tunnel enable PORTS (Bridge mode): configures a qinq port. PORTS: selects the port number for qinq to be enabled. Step 2: Configure the same PVID as the VLAN of the peer network on the designated qinq port. Command: vlan pvid PORTS <1-4094>: configures a qinq port. PORTS: selects the port number for qinq to be enabled. <1-4094>: VLAN ID. To disable double tagging, use the following command: vlan dot1q tunnel disable PORTS (Bridge mode): configures a qinq port. PORTS: a port for qinq to be disabled. When you configure double tagging on the hiD 6610 S311, consider the following attention list. DT and HTLS cannot be configured at the same time; if the switch should operate as DT, HTLS has to be disabled. The TPID value of all ports on the switch is the same. The access port should be configured as Untagged and the uplink port as Tagged. Ignore all tag information of a port which comes from an untagged port (access port). Port with DT function should be able to configure Jumbo func
315. s to configure range of IP address used in DHCP server, group in subnet and default gateway of subnet. [Tab. 3.6: Main Commands of DHCP Configuration Mode] DHCP Option 82 Configuration Mode. To open DHCP Option 82 Configuration mode, use the command ip dhcp option82 in Global Configuration mode as follows. Then the prompt is changed from SWITCH config to SWITCH config opt82. Command: ip dhcp option82 (Global mode): opens DHCP Option 82 Configuration mode for DHCP option 82 configuration. In DHCP Option 82 Configuration mode, configure a range of IP addresses used in the DHCP server, designate the group in the subnet and configure the default gateway of the subnet. Tab. 3.7 lists the main commands of DHCP Option 82 Configuration mode of the hiD 6610 S311: a command that configures a rule for option 82 packets; system remote id (configures the remote ID of the system); system circuit id (configures the circuit ID of the system). [Tab. 3.7: Main Commands of DHCP Option 82 Configuration Mode] Interface Configuration Mode. To open Interface Configuration mode, enter the command interface INTERFACE in Global Configuration mode, and then the prompt is changed from SWITCH config to SWITCH config if. Command: interface INTERFACE (Global mode): opens Interface Configuration mode. Interface Configuration mode is to assign IP address
316. so get orders depending on priority. [Fig. 8.28: VRRP Operation] In case routers have the same priority, the router which has the lower IP address gets the precedence. Fig. 8.28 shows an example of configuring three routers, which have IP addresses 10.0.0.1/24, 10.0.0.2/24 and 10.0.0.3/24 respectively, as a Virtual Router with Associated IP 10.0.0.5/24. If these three routers have the same priority, the router which has the smallest IP address, 10.0.0.1/24, is decided to be the Master Router. Also, switches and PCs connected to the Virtual Router are to have the IP address of the Virtual Router, 10.0.0.5/24, as default gateway. Configuring VRRP. To configure the hiD 6610 S311 as a device in a Virtual Router, use the following command in Global Configuration mode. Then you can configure VRRP by opening VRRP Configuration mode. Command: router vrrp INTERFACE GROUP ID (Global mode): configures the Virtual Router (VRRP Group). GROUP ID: 1-255. To display the configuration of VRRP, use the following commands: show vrrp (Enable and Global modes): shows current configuration of VRRP; show vrrp interface: Shows current con
317. specified configuration file to the startup configuration file (command: copy FILENAME startup config, Enable mode; FILENAME: configuration file name). copy FILENAME1 FILENAME2: copies a specified configuration file to another configuration file. erase FILENAME: deletes a specified configuration file; FILENAME: configuration file name. To back up a system configuration file through FTP or TFTP, use the following commands (Enable mode). copy ftp tftp config upload FILE NAME startup config: uploads a file to the ftp or tftp server with a name configured by the user. copy ftp tftp config download FILE NAME startup config: downloads a file from the ftp or tftp server with a name configured by the user. copy ftp tftp os upload os1 os2: uploads a file to the ftp or tftp server with a name of os1 or os2. copy ftp tftp os download os1 os2: downloads a file from the ftp or tftp server with a name of os1 or os2. To access FTP to back up the configuration or use the backup file, you should know the FTP user ID and the password. When you back up the configuration or use the file through FTP, you can check the file transmission because the hash function is automatically turned on. To display a system configuration file, use the following commands: show startup config (Enable mode): shows the current startup configuration; show config list (Enable and Global modes): shows a list of configuration files. T
318. ss device may prevent forwarding of IP packets with source IP addresses other than those it has associated with the receiving circuit. This prevents simple IP spoofing attacks on the central LAN and IP spoofing of other hosts. MAC Address Spoofing: By associating a MAC address with a remote ID, a DHCP server can prevent offering an IP address to an attacker spoofing the same MAC address on a different remote ID. Client Identifier Spoofing: By using the agent-supplied remote ID option, the untrusted and as yet unstandardized client identifier field need not be used by the DHCP server. Fig. 8.33 shows how the DHCP relay agent with DHCP option 82 operates. [Fig. 8.33: DHCP Option 82 Operation. Labels: DHCP Server; DHCP Relay Agent; DHCP Client; 1 DHCP Request; 2 DHCP Request Option 82; 3 DHCP Response Option 82; 4 DHCP Response] Enabling DHCP Option 82. To enable or disable DHCP option 82 in the hiD 6610 S311, use the following commands (Global mode): ip dhcp option82: enables the system to add the DHCP option 82 field; no ip dhcp option82: disables the system to add the DHCP option 82 field. Option 82 Sub Option. The DHCP option 82 enables a DHCP relay agent to include information about itself when forwarding client originated
319. st SWITCH bridge 8.11 Broadcast Storm Control. The hiD 6610 S311 supports broadcast storm control for broadcast packets. A broadcast storm is an overload of broadcast packets, which take up a major part of the transmit capacity. Broadcast storms often occur because of differences between versions, for example when 4.3 BSD and 4.2 BSD, or AppleTalk Phase I and Phase II, are mixed in TCP/IP. In addition, a broadcast storm may occur when routing protocol information regularly transmitted from a router is incorrectly recognized by a system which does not support the protocol. Broadcast storm control works as follows: the system counts how many broadcast packets there are per second, and packets over the configured limit are discarded. The hiD 6610 S311 provides not only broadcast storm control but also control of multicast and DLF (Destination Lookup Fail) storms. In order to use control of multicast and DLF storms, use the following commands. All configurations of broadcast storm control will then be equally applied to all VLANs. To enable multicast storm control and DLF storm control, use the following command: storm control broadcast multicast dlf RATE PORTS: enables broadcast, multicast or DLF storm control respectively in a port with a user-defined rate. Rate value is from 1 to 262142 fo
320. stem configuration and information with several commands. Tab. 3.1 shows the main commands of Privileged EXEC View mode: one opens Privileged EXEC Enable mode, and one shows system configuration and information. [Tab. 3.1: Main Commands of Privileged EXEC View Mode] Privileged EXEC Enable Mode. To configure the switch, you need to open Privileged EXEC Enable mode with the enable command; the system prompt then changes from SWITCH to SWITCH. Command: enable (View mode): opens Privileged EXEC Enable mode. You can set a password for Privileged EXEC Enable mode to enhance security. Once a password is set, you must enter the configured password when you open Privileged EXEC Enable mode. Tab. 3.2 shows the main commands of Privileged EXEC Enable mode: a command that inputs time and date in the system; configure terminal (opens Configuration mode); a command that connects to another device through telnet; terminal length (configures the number of lines to be displayed on screen); traceroute (traces the transmission path of a packet); a command that finds users who accessed the system through telnet. [Tab. 3.2: Main Commands of Privileged EXEC Enable Mode] Global Configuration Mode. In Global Configuration mode you can configure general functions of the system. You can also open another configuration mode from this mode. To open Global Configuration mode, enter the configure terminal command; the system prompt will then be changed from SWITCH to SWITCH config. Opens Global Configuration m
321. Max New Host; Port Security; Port Security on Port; Port Security Aging; MAC Table; MAC Filtering; Default Policy of MAC Filtering; Adding Policy of MAC Filter; Deleting MAC Filter Policy; Listing of MAC Filter Policy; Displaying MAC Filter Policy; Address Resolution Protocol (ARP); Registering ARP Table; Displaying ARP Table; ARP Alias; ARP Inspection; Enabling ARP Inspection; ARP Inspection mapping policy; Configuring IP address validation; Enabling match mac; Displaying ARP Inspection; ICMP Message Control; Blocking Echo Reply Message; Interval for Transmit ICMP Message; The policy of unreached messages; IP TCP Flag Control; RST Configuration; SYN Configuration; Packet Dump; Verifying Packet Dump; Packet Dump by Protocol; Packet Dump with Option; Debug Packet Dump; System Main Functions
322. t Global no dot1x nas port PORTS: disables the 802.1x authentication port. Force Authorization. The hiD 6610 S311 can allow users to request access regardless of the authentication from the RADIUS server. For example, it is possible to configure not to be authenticated from the server even though a client is authenticated from the server. To manage the approval for the designated port, use the following commands (Global mode): dot1x port control auto force authorized force unauthorized PORTS: configures the way of authorization to control the port; no dot1x port control PORTS: deletes the configuration of the way of authorization to control the port. The options are: auto: follows the authentication of the RADIUS server, whether it has the RADIUS authentication or not; force authorized: gives the authorization to a client even though the RADIUS server didn't approve it; force unauthorized: doesn't give the authorization to a client even though the RADIUS server authenticates it. Configuring Interval for Retransmitting Request Identity Packet. In hiD 6610 S311 it is possible to specify how long the device waits for a client to send back a response identity packet after the device has sent a request identity packet. If the client does not send back a response identity packet during this time, the device retransmits the request identity packet. To configure the number of seconds that the switch waits for a response to a request
323. t 12 digit is 1 and it is STATUS ON. Therefore the messages that correspond to 3, 4, 11 and 12 are chosen as the messages limiting the transmission rate. Tab. 7.2 shows the result of mask calculation of the default value: ICMP ECHOREPLY (0): OFF; ICMP DEST UNREACH (3); ICMP REDIRECT (5): OFF; ICMP ECHO (8): OFF; ICMP TIME EXCEEDED (11); ICMP PARAMETERPROB (12); ICMP TIMESTAMP (13): OFF; ICMP TIMESTAMPREPLY (14): OFF; ICMP INFO REQUEST (15): OFF; ICMP INFO REPLY (16): OFF; ICMP ADDRESS (17): OFF; ICMP ADDRESSREPLY (18): OFF. [Tab. 7.2: Mask Calculation of Default Value] To configure the limited ICMP transmission time, use the following command: ip icmp interval rate limit INTERVAL (Global mode): configures a limited ICMP transmission time. INTERVAL: 0-2000000000, unit 10 ms. The default ICMP interval is 1 second 100 ms. To return to the default ICMP configuration, use the following command: ip icmp interval default (Global mode): returns to default configuration. To display the ICMP interval configuration, use the following command: show ip icmp interval (Enable and Global modes): shows ICMP interval configuration. The policy of unreached messages. When packets can't reach the destination host or the network, the switch is supposed to bring them back to the source IP address. What if too many unrea
324. t characters. 2. The order in which the following configuration commands will be entered is arbitrary. 3. The configuration of a rule being configured can be changed as often as wanted, inclusive rule type, until the command apply is entered. 4. Use the command show rule profile to display the configuration entered up to now. You cannot create a rule name which starts with the alphabet a. If you try to enter a, an error message will appear. Rule Priority. If more than two rules match the same packet, then the rule having a higher priority will be processed first. To set a priority for a rule, use the following command: priority low medium high highest (Rule mode): sets a priority for a rule. 7.6.2.3 Packet Classification. After configuring a packet classification for a rule, configure how to process the packets. To specify a packet classifying pattern, use the following commands. When specifying a source and destination IP address as a packet classifying pattern, the destination IP address must be after the source IP address. port SRC PORT any DST PORT cpu any; vlan VID any; dscp <0-63> any; cos <0-7> any; tos <0-255> any; ip prec <0-7> any; length <21-65535> any; ethtype TYPE NUM arp any; mac SRC MAC ADDRE
325. t connected to Slave switch is displayed and it is possible to configure the Slave switch using the DSH command. If you use the exit command in Telnet, the connection to the Slave switch goes down. Sample Configuration. Sample Configuration 1: Configuring Stacking. The following is a stacking configuration designating SWITCH A as master and SWITCH B as slave. [Figure: Switch A (Master Switch) and Switch B (Slave Switch), managed with the same IP address] Step 1: Assign an IP address in Interface configuration mode of the switch and enable the interface using the no shutdown command. In order to enter Interface configuration mode, you should open Interface configuration mode of the VLAN to register as a switch group for stacking. The following is an example of configuring the interface of the switch group as 1.
SWITCH_A configure terminal
SWITCH_A config interface 1
SWITCH_A interface ip address 192.168.10.1/16
SWITCH_A interface no shutdown
SWITCH_A interface
If there are several switches, the rest of them are managed by the single IP address of the Master switch. Therefore you don't need to configure an IP address on the Slave switch. Step 2: Configure Switch A as Master switch. Configure the VLAN to belong to the same switch group and, after registering the Slave switch, configure it as a Master switch. Switch A (Master Switch):
SWITCH A config stack master
326. t is possible for a user to lose the access right through an updated database even though he was once authenticated. In this case, even though the user can access the network, he should be authenticated once again so that the changed database is applied. Besides, for various reasons of managing the RADIUS server and the 802.1x authentication port, the user is supposed to be re-authenticated at regular intervals. The administrator of the hiD 6610 S311 can configure a term of re-authentication. To configure a term of re-authentication, use the following commands (Global mode): dot1x timeout reauth period <1-4294967295> PORTS: sets the period between re-authentication attempts; no dot1x timeout reauth […] the period between re-authentication attempts. Configuring the Interval of Requesting Re-authentication. When the authenticator sends a Request Identity packet for re-authentication and no response is received from the supplicant for the number of seconds, the authenticator retransmits the request to the supplicant. In hiD 6610 S311 you can set the number of seconds that the authenticator should wait for a response to the request identity packet from the supplicant before retransmitting the request. To set the period that the authenticator waits for a response, use the following command: dot1x timeout quiet period <1-65535> PORTS: sets the reattempt interval for requesting the request identity packet. 1-65535: reattempt
327. t1x PORTS (Global mode): shows 802.1x configuration. 802.1x User Authentication Statistic. To display the statistics about the process of 802.1x user authentication, use the following command: show dot1x statistics PORTS (Global mode): shows the statistics of 802.1x user authentication on the port. To reset the statistics by deleting the statistics of 802.1x user authentication, use the following command: dot1x clear statistics PORTS (Global mode): makes reset state by deleting the statistics of 802.1x on the port. Sample Configuration. The following shows the configuration after configuring port number 4 as the authentication port and registering the IP address of the authentication port and information of the RADIUS server.
SWTICH config dot1x system auth control
SWTICH config dot1x nas port 4
SWTICH config dot1x port control force authorized 4
SWTICH config dot1x radius server host 10.1.1.1 auth port 4 key test
SWTICH config show dot1x
802.1x authentication is enabled
RADIUS Server 10.1.1.1 Auth key test
[per-port 802.1x status table; rows include PortEnable]
328. te. Therefore SWITCH B does not need to block a specific port for the forwarding state of SWITCH A. However, since SWITCH C has a port connected to SWITCH D, you should put that port into blocking state. [Fig. 8.19: Network Convergence of 802.1w (3)] Blocking the connection of SWITCH D and SWITCH C is the same as in 802.1d. However, 802.1w does not need any configured time to negotiate between switches to put a specific port into forwarding state, so it progresses very fast. During progress to the forwarding state of a port, listening and learning are not needed. These negotiations use BPDU. Compatibility with 802.1d. RSTP internally includes STP, so it has compatibility with 802.1d. Therefore RSTP can recognize the BPDU of STP, but STP cannot recognize the BPDU of RSTP. For example, assume that SWITCH A and SWITCH B are operated as RSTP and SWITCH A is connected to SWITCH C as designated switch. Since SWITCH C, which is 802.1d, ignores RSTP BPDU, it is interpreted that SWITCH C is not connected to any switch or segment. [Fig. 8.20: Compatibility with 802.1d (1). Switch A: 802.1w; Switch B: 802.1w; Switch C: 802.1d] However, SWITCH A converts a port received BPDU into RSTP of 802.1d because it can re
329. tem by using telnet or console port to configure the functions for system operating through CLI. With the CLI it is easy to configure the needed functions after looking for available commands in the help menu, different from UNIX. Broadcast Storm Control. A broadcast storm is a situation of network timeout that arises when too many broadcast packets are being transmitted to the network, because the packets occupy most of the transmit capacity. The hiD 6610 S311 supports broadcast and multicast storm control, which discards flooding packets that exceed the limit during the time configured by the user. RADIUS and TACACS+. The hiD 6610 S311 supports the client authentication protocols RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access Control System Plus). Not only the user IP and password registered in the switch but also authentication through the RADIUS server and TACACS+ server are required for access. Therefore the security of system and network management is strengthened. 3 Command Line Interface (CLI). This chapter describes how to use the Command Line Interface (CLI), which is used to configure the hiD 6610 S311 system. It covers Command Mode and Useful Tips. 3.1 Command Mode. You can configure and manage the hiD 6610 S311 by console terminal that is installed on the user's PC. For this, use the CLI-based interface commands. Connect RJ45 to DB9 console cable to
330. text CIRCUITID PORTS (text: CIRCUIT ID; default: port number). To delete a specified remote and circuit ID, use the following commands (Option 82 mode): no system remote id; no system circuit id PORTS: removes the change of form of Remote ID or Circuit id. Option 82 Reforwarding Policy. A DHCP relay agent may receive a DHCP packet from a DHCP server or another DHCP relay agent that already contains relay information. You can specify a DHCP option 82 reforwarding policy to be suitable for the network. To configure the policy for Option 82 packets, use the following command: policy replace keep drop (Option 82 mode): configures the policy of option 82 packets. replace: replaces an existing address with option 82 information of relay or server. keep: keeps an option 82 information (default). drop: drops an option 82 packet. In other words, drop means to throw away the option 82 packet; keep means that the relay agent transmits packets preserving option 82 which the agent sends; replace means to transmit by changing into its own option 82 information. It is possible to configure the rule for option 82 packets when the hiD 6610 S311 is a DHCP relay agent. By default the rule for Option 82 packets is configured as keep. Configuring option 82 information. DHCP server decides whether IP addresses are assigned or not by identifying p
331. the following command: show max hosts (Enable, Global and Bridge modes): shows configured max host. The following is an example of displaying configured max hosts.
SWITCH bridge show max hosts
[per-port output (current and max hosts for ports 1 to 10) garbled in extraction]
7.9.1 Max New Hosts. The max new hosts feature limits the number of users by configuring the number of MAC addresses that can be learned on the system and on the port per second. The number of MAC addresses that can be learned on the system has the priority. To configure max new hosts, use the following commands (Bridge mode): max new hosts PORTS MAX MAC NUMBER: the number of MAC addresses that can be learned on the port for a second; max new hosts system PORTS MAX MAC NUMBER: the number of MAC addresses that can be learned on the system for a second. To delete configured max new hosts, use the following commands (Bridge mode): no max new hosts PORTS: deletes the number of MAC addresses that can be learned on the port. Deletes the number of MAC address that can be no max
332. the hiD 6610 S311. This chapter explains how CLI command mode is organized before installing. CLI command mode consists of the following: Privileged EXEC View Mode, Privileged EXEC Enable Mode, Global Configuration Mode, Bridge Configuration Mode, DHCP Configuration Mode, DHCP Option 82 Configuration Mode, Interface Configuration Mode, Rule Configuration Mode, RMON Configuration Mode, PIM Configuration Mode, Router Configuration Mode, VRRP Configuration Mode, Route Map Configuration Mode. Fig. 3.1 shows the hiD 6610 S311 software mode structure briefly. [Fig. 3.1: Software mode structure] Privileged EXEC View Mode. When you log in to the switch, the CLI starts in Privileged EXEC View mode, which is a read-only mode. In this mode you can see a sy
333. the name (command: owner NAME, RMON mode; max. 32 characters). Object of Sample Inquiry. To assign the object used for sample inquiry, use the following command: sample variable MIB OBJECT (RMON mode): assigns the MIB object used for sample inquiry. Absolute Comparison and Delta Comparison. To compare the object selected as sample with the threshold, use the following command: sample type absolute (RMON mode): compares the object with the threshold directly. To configure delta comparison, use the following command: sample type delta (RMON mode): compares the difference between current data and the latest data with the threshold. Upper Bound of Threshold. If you need an alarm to occur when the object used for sample inquiry is more than the upper bound of the threshold, you have to configure the upper bound of the threshold. To configure the upper bound of the threshold, use the following command: rising threshold VALUE (RMON mode): configures the upper bound of the threshold. VALUE: 0-2147483647. After configuring the upper bound of the threshold, configure the generation of an RMON event when the object is more than the configured threshold. Use the following command: rising event <1-65535>: configures to generate an RMON event when the object is more than the configured threshold. 1-65535: event index. Lower Bound of Threshold. If you need to occur alarm
334. the same VLAN classified with same configuration ID is called MST region. In a region there is only one STP, so that it is possible to reduce the number of STPs compared to PVSTP. There is no limitation for regions in a network environment, but it is possible to generate instances up to 64. Therefore instances can be generated from 1 to 64. The spanning tree which operates in each region is IST (Internal Spanning Tree). CST is applied by connecting each spanning tree of a region. Instance 0 means that there is not any instance generated from grouping VLANs, that is, it does not operate as MSTP. Therefore Instance 0 exists on all the ports of the equipment. After starting MSTP, all the switches in CST exchange BPDUs, and the CST Root is decided by comparing their BPDUs. Here the switches that don't operate with MSTP have instance 0, so that they can also join the BPDU exchanges. The operation of deciding the CST Root is CIST (Common & Internal Spanning Tree). [Fig. 8.22: CST and IST of MSTP (1)] In CST, A and B are the switches operating with STP, and C, D and E are those operating with MSTP. First, in CST, CIST is established to decide the CST Root. After the CST root is decided, the closest switch to the CST root is decided as IST root of the region. Here, CST root in IST is IST root. [Fig. 8.23: CST and IST of MSTP (2); CST Root & IST Root] In above situation if B
335. the same time. To disable the configured Martian filter function, use the following command: no ip martian filter INTERFACE (Global mode): disables a configured Martian filter function. INTERFACE: enter an interface name. To see the configuration of the Martian filter, use the show running config command. 7.9 Max Host. You can limit the number of users by configuring the maximum number of users, also named max hosts, for each port. In this case you need to consider not only the number of PCs in the network but also devices such as switches in the network. For the hiD 6610 S311, you have to lock the port like MAC filtering before configuring max hosts. In case of ISPs, it is possible to arrange a billing plan for each user by using this configuration. To configure max host, use the following commands: max hosts PORTS <1-16>: limits the number of connections to a port by setting maximum host. PORTS: enter the port number. 1-16: enter the maximum MAC number. no max hosts PORTS: deletes configured max host. PORTS: enter the port number. The following is an example of configuring to allow two MAC addresses to port 3, five addresses to ports 1 and 2, and ten addresses to port 7.
SWITCH bridge max hosts 3 2
SWTICH max hosts 1
SWTICH bridge max hosts 2 5
d max hosts
To display configured max host use
336. tion address validation enable (Global mode): ARP packets. To remove the specific ARP Inspection configuration, use the following command: arp inspection address validation disable (Global mode): removes specific ARP inspection configuration. Enabling match mac. If the arp inspection match mac function is enabled, the hiD 6610 S311 drops ARP packets in the following cases: when an ARP Reply/Request packet's source MAC address is not consistent with the MAC address of the subject which has sent this ARP Reply packet; when an ARP Reply packet's destination MAC address is not consistent with the MAC address of the destination which will receive this ARP packet. To enable or disable the function to permit the right packets only when they have the proper MAC address, use the following commands (Global mode): arp inspection match mac enable: enables the match mac function; arp inspection match mac disable: disables the match mac function. 7.13.3.5 Displaying ARP Inspection. To display checking and statistics, use the show arp inspection command in Global Configuration mode (Enable and Global modes; displays the information of ARP inspection): show arp inspection mapping; show arp inspection statistics; show arp inspection status. You can clear the ARP Inspection mapping counter and statistics using the following command. Command Mode Descr
337. tion also TPID Configuration. TPID (Tag Protocol Identifier) is a kind of Tag protocol and it indicates the currently used tag information. The user can change the TPID. By default, the port which is configured as 802.1q (0x8100) cannot work as VLAN member. Use the following command to set TPID on a QinQ port. Command: vlan dot1q tunnel tpid TPID. Description: Configures TPID. Layer 2 Isolation. Private VLAN is a kind of LAN security function used by Cisco products, and it can be classified into Private VLAN and Private edge. Until now there is no standard document of it. Private VLAN Edge. Private VLAN edge (protected port) is a function in the local switch. That is, it cannot work between two different switches with protected ports. A protected port cannot transmit any traffic to other protected ports. Private VLAN. Private VLAN provides L2 isolation within the same Broadcast Domain ports. That means another VLAN is created within a VLAN. There are three types of VLAN mode. Promiscuous: A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN. Isolated: An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolate
338. to attach to the syslog message for its identity. To specify IP address for syslog identity, use the following command. Command: syslog bind address A.B.C.D. Mode: Global. Description: Specifies IP address for a syslog message identity. Command: no syslog bind address. Description: Deletes a specified binding IP address. 7.5.4 Debug Message for Remote Terminal. To display a syslog debug message to a remote terminal, use the following command. Command: terminal monitor. Description: Enables a terminal monitor function. Command: no terminal monitor. Description: Disables a terminal monitor function. Terminal monitor is not operational in the local console. 7.5.5 Enabling Syslog. To enable or disable the syslog manually, use the following command. Command: syslog start. Mode: Global. Description: Enables the syslog. Command: no mosysg. Description: Disables the syslog. The syslog is enabled in the system by default, so the command syslog start is necessary only when the function has been manually disabled by the user. 7.5.6 Displaying Syslog Message. To display a received syslog message in the system memory, use the following command. Command: show syslog local volatile, non volatile NUMBER. Mode: Enable, Global. Description: Shows a received syslog message. volatile: removes a syslog message after restart. non volatile: reserves a syslog message. NUMBER: shows the last N syslog messages. show syslog local volatile f
339. to be used for probing. Port: The default is Port Number 33434 [33434]. The command of traceroute depends on the port range of the destination host, from base up to base + nhops - 1. Tab. 6.4 Options for Tracing Packet Route. The following is an example of tracing packet route sent to 10.2.2.20: SWITCH traceroute 10.2.2.20 traceroute to 10.2.2.20 (10.2.2.20), 30 hops max, 38 byte packets 1 10.2.2.20 (10.2.2.20) 0.598 ms 0.418 ms 0.301 ms SWITCH Displaying User Connecting to System. To display current users connecting to the system from a remote place or via console interface, use the following command. Mode: Enable. Description: Shows current users connecting to the system from a remote place or via console interface. The following is an example of displaying if there is any accessing user from a remote place: SWITCH where admin at ttyp0 from 10.20.1.52:21960 for 30 minutes 35.56 seconds admin at ttyS0 from console for 28 minutes 10.90 seconds SWITCH 6.3.5 MAC Table. To display the MAC table recorded in a specific port, use the following command. Command: show mac BRIDGE PORTS. Mode: Enable, Global, Bridge. Description: Shows MAC table. BRIDGE: bridge name. The following is an example of displaying the MAC table recorded in default: SWITCH config show mac 1 port mac addr permission in use eth01 00:0b:5d:98:92:da OK 16
340. ts on a switch belong to the single multicast VLAN. Receiver: This configures a port as a receiver port if it is a subscriber port and should only receive multicast data. It does not receive data unless it becomes a member of the multicast group, either statically or by using IGMP leave and join messages. Receiver ports cannot belong to the multicast VLAN. To delete the statically configured MVR port, use the following command. Command: no mvr port PORTS. Mode: Global. Description: Deletes a MVR port. Displaying MVR Configuration. To display an MVR configuration, use the following command. Commands: show mvr, show mvr vlan VLAN ID. Mode: Enable, Global. IGMP Filtering and Profile. With the IGMP filtering feature, you can filter multicast joins on a per-port basis by configuring IP multicast profiles and associating them with individual switch ports. An IGMP profile can contain one or more multicast groups and specifies whether access to the group is permitted or denied. If an IGMP profile denying access to a multicast group is applied to a switch port, the IGMP join report requesting the stream of IP multicast traffic is dropped, and the port is not allowed to receive IP multicast traffic from that group. If the filtering action permits access to the multicast group, the IGMP report from the port is forwarded for normal processing
341. u are in a situation that could cause bodily injury or broke the equipment Before you work on any equipment be aware of the hazards in volved with electrical circuitry and be familiar with standard practices for preventing acci dents by making quick guide based on this guide Document Notation The following table shows commands used in guide book Please be aware of each command to use them correctly Notation scription O O DREES Commands or variables that appear within square brackets are optional A choice of required keywords appears in braces You must se lect one Optional variables are separated by vertical bars CN een norm Tab 1 2 Command Notation of Guide Book CE Declaration of Conformity The CE declaration of the product will be fulfilled if the construction and cabling is under taken in accordance with the manual and the documents listed there in e g mounting in structions cable lists where necessary account should be taken of project specific docu ments Deviations from the specifications or unstipulated changes during construction e g the use of cable types with lower screening values can lead to violation of the CE require ments In such case the conformity declaration is invalidated and the responsibility passes to those who have caused the deviations A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 1 6 GPL LGPL Warranty and Liability Exclus
342. u need to change a configuration of RMON history you should delete an existing RMON history To delete RMON history use the following command e a ees Deletes RMON history of specified number enter the no rmon history 1 65535 RMON value for deleting Displaying RMON History To display RMON history use the following command e owe See 008 show running config rmon e l All Shows a configured RMON history history Always the last values will be displayed but no more than the number of the granted buckets A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 7 4 2 The following is an example of displaying RMON history SWITCH config rmonhistory 5 show running config rmon history I rmon history 9 owner test data source ifindex hdlcl interval 60 requested buckets 25 active SWITCH config rmonhistory 5 RMON Alarm There are two ways to compare with the threshold absolute comparison and delta com parison Absolute Comparison Comparing sample data with the threshold at configured in terval if the data is more than the threshold or less than it alarm is occurred e Delta Comparison Comparing difference between current data and the latest data with the threshold if the data is more than the threshold or less than it alarm is oc curred You need to open RMON Alarm Configuration mode first to configure RMON alarm e e See Opens RMON Alarm Conf
343. ue path. The black arrows describe the routine path to the Aggregation Switch, and the dotted lines are in blocking state. But if the link between Switch A and Switch B is broken, the data from PC A should find another route at Switch D. Switch D can send the data to Switch C and Switch E. Because Switch E has a shorter hop count than Switch B, the data may go through Switch E and A, as the red line shows. We can also assume Switch E has failed at the same time. In this case, since Switch D has the other route to Switch C, the network can be more stable than a network with just one backup route. MSTP Configuration. [Fig. 8.27 Example of Layer 2 Network Design in MSTP Environment] The following is an example of configuring MSTP in the switch: SWITCH bridge stp force version mstp SWITCH bridge stp mst enable SWITCH bridge stp mst config id map 2 1 50 SWITCH bridge stp mst config i
344. ule e g add a prefix 3 All previously entered values remain valid after successful or unsuccessful execution of command apply That is if several rules being different only in one value should be created then only the one changed value needs to be entered again Modifying and Deleting Rule To modify a rule use the following command ze e rees rule NAME modify Global Modifies a rule enter a rule name To delete a rule use the following command nn e ees no rule NAME Global Deletes a rule enter a rule name optionally Displaying Rule The following command can be used to show a certain rule by its name all rules of a cer tain type or all rules at once sorted by rule type ees We rem Shows a rule enter a rule name show rule NAME NAME rule name enable Shows all rules sorted by type Global Shows all rules and admin access rules sorted by type show rule statistics Shows rule statistics show rule profile Shows a current configuration of a rule A50010 Y3 B100 2 7619 137 UMN CLI User Manual SURPASS hiD 6610 S311 R1 0 The following is an example of configuring specific rule action on rule profile and showing it SWITCH configure terminal SWITCH config rule jean create SWITCH config rule jean SWITCH config rule jean E SWITCH config rule jean J SWITCH config rule jean match copy to cpu SWITCH config rule jea
345. under Layer 2 environment 2 182 Fig 8 7 Biel tele e m M Rn 187 Fig 8 8 ExXamplesor Lo Dust id 194 Fig 8 9 Principle of Spanning Tree Protocol cccccooccncococnccconcnnconononcononcnnnnnanonoos 194 FO SL EE 195 Fig 8 11 Designated Witch a sida 196 mio Oe ROMPO asar do rice 197 Flo e oa 198 Fig 8 14 Alternate Port and Backup port 199 Fig 8 15 Example of Receiving Low BD 200 Fig 8 16 Convergence of GU 1dhNetwork esses 201 Fig 8 17 Network Convergence of GUZ iw 201 Fig 8 18 Network Convergence Of GU Z Iw 202 Fig 8 19 Network Convergece of OZ Iw 202 Fig 8 20 Compatibility with 02 90 sitas 203 Fig 8 21 Compatibility with GOZ d 203 Fig 6 22 lt CST andisl ot OCH E ss O 204 Fig 9 29 COT and IST Of On tt EE 205 Fig 024 Example OPUS TP id 211 lef Ee Ouanna 213 Fig 8 26 Example of Layer 2 Network Design in RSTP Emronment 219 Fig 8 27 Example of Layer 2 Network Design in MSTP Emronment 220 Fig 0 20 Re Ee WEE 221 Se VERE Tack a 226 Fig 8 30 Rate Limit and Flood Guard oocccccncccncccccnnccnncnnccnnconconononnnnnnronconanonnonancnnnnnos 230 Fig 6 31 DHCP Service Construccion iioc sos oda 232 Fig 8 32 Example of DHCP Relay Agent 239 Fig 6 63 DHCP Option 82 Operation ictus eh di eee eee Ree 241 Fig 8 34 DHCP Server Packet kiteng AE 253 Fig 8 35 Ethernet Ring Protocol Operation in Failure State 204 moneo RINO Een CUOM EEN 255 rFig o
346. unity name to security name enter security and IP ADDRESS IP ADDRESS M community name COMMUNITY SECURITY security name epee COMMUNITY community name Deletes a specified security name enter the security no snmp com2sec SECURITY name SECURITY security name Enable oba The following is an example of configuring SNMP com2sec SWITCH config snmp com2sec TEST 10 1 1 1 PUBLIC SWITCH config show snmp com2sec Com2Sec List SecName Source Community com2sec TEST LOST E T BPUBETC SWITCH config SNMP Group You can create an SNMP group that can access SNMP agent and its community that be longs to a group To create an SNMP group use the following command na e res Creates SNMP group enter the group name snmp group GROUP v1 v2c GROUP group name v3 SECURITY SECURITY security name no snmp group GROUP v1 v2c Deletes SNMP group enter the group name v3 SECURITY GROUP group name Enable show snmp group diona Shows a created SNMP group oba A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 7 1 5 7 1 6 SNMP View Record You can create an SNMP view record to limit access to MIB objects with object identity OID by an SNMP manager To configure an SNMP view record use the following command e me ees Creates an SNMP view record VIEW view record name snmp view VIEW included included includes sub tree excluded O D MASK
347. up RED function by designating start threshold and probability, use the following command. Command: qos red <0-7> start <0-127> probability <1-15>. Mode: Global. Description: Configures the value of parameters for RED operation. 0-7: CoS number. 0-127: start queue length value. 1-15: drop probability. Command: no qos red <0-7>. Description: Deletes the configured parameter values. Displaying QoS. To display a configuration of QoS, enter the following command (Mode: Enable, Global). The commands show a configuration of QoS for all ports, a configuration of QoS per each port (show qos PORTS), a configuration of a RED function (show qos red), and a configuration of QoS for CPU packets. 7.6.4 Admin Access Rule. For the hiD 6610 S311, it is possible to block a specific service connection like telnet, FTP, ICMP, etc. with an admin access rule function. 7.6.4.1 Rule Creation. For the hiD 6610 S311, you need to open Admin Access Rule Configuration mode first. After opening Admin Access Rule Configuration mode, the prompt changes from SWITCH config to SWITCH config admin rule NAME. To open Rule Configuration mode, use the following command. Command: rule NAME create admin. Mode: Global. Description: Opens Admin Access Rule Configuration mode; enter rule name. After opening Admin Access Rule Configuration mode, a rule can be configured by the user. The rule priority packet cl
348. uring Assert Message on specified interface If there is a network environment that needs Assert Assert message is compared to de cide Assert lt is possible to configure Assert message information owned only by Ethernet interface in which PIM SM is configured To configure Assert message information on Ethernet interface use the following com mand ana owe en mE i Configures metric of Assert message of specific inter ip pim metric lt 1 127 gt f ace Configures preference of Assert message of specific ip pim preference lt 1 255 gt Interface interface MEC Configures threshold of Assert message of specific ip pim threshold 1 255 l interface A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 9 2 6 9 2 6 1 To delete configured Assert message information on Ethernet interface use the following commands e owe rees Cisco Router Interoperability Checksum of Full PIM Register Message Although source of multicast is not connected to multicast group multicast communica tion is possible In the below picture First Hop router directly connected to source can re ceive packet from source without S G entry about source The First Hop router encapsulates the packet in Register message and unicast to RP of multicast group RP encapsulates capsule of Register message and transmits it to mem bers of multicast group Multicast Packet First Hop Router
349. use the command A RP address for multicast groups statically cand rp address A DCD A B C D Multicast group Address e f RP address configured through BSR and RP address configured statically are both available for a group range the RP address configured through BSR is chosen e If multiple static RPs are available for a group range then one with the highest IP address is chosen To delete configured ID address use the following command e owe en no cand rp address Deletes configured IP address Multicast Group Registration Use this command to give the router the candidate RP status using the IP address of the specified interface e owe See Registers multicast group IP address belong to RP candidate cand rp group A B C D A A B C D Multicast group Address includes RP candi date Deletes the multicast group IP address belong to RP no cand rp group A B C D A l candidate A50010 Y3 B100 2 7619 User Manual UMN CLI SURPASS hiD 6610 311 R1 0 9 2 4 3 9 2 4 4 9 2 4 5 Priority of Candidate RP Use this command to give the router the candidate RP status using the IP address of the specified interface SS D priority value for a RP candidate cand rp priority lt 0 255 gt PIM 0 255 Priority value no no cand rp priority rp no cand rp priority Deletes Deletes configured priority value of RP candidate priority value Deletes configured priority value of
350. ut the device mounted SNMP agent, RMON gives information about overall segments including devices. Thus, the user can manage the network more effectively. For instance, with SNMP it is possible to be informed of traffic on certain ports, but through RMON you can monitor traffic occurring in the overall network, the traffic of each host connected to a segment, and the current status of traffic between hosts. Since RMON processes a large amount of data, its processor share is very high. Therefore, the administrator should take intensive care to prevent performance degradation and not to overload network transmission caused by RMON. There are nine defined RMON MIB groups in RFC 1757: Statistics, History, Alarm, Host, Host Top N, Matrix, Filter, Packet Capture, and Event. The system supports two of these MIB groups, the most basic ones: Statistics (only for uplink ports) and History. RMON History. RMON history is a periodical sample inquiry of statistical data about the traffic occurring on each Ethernet port. Statistical data of all ports are pre-configured to be monitored at a 30-minute interval, with 50 statistical data stored for one port. It also allows you to configure the time interval to take the sample and the number of samples you want to save. The following is an example of displaying the default configuration of RMON history: SWITCH config show rmon history config 5 RMON History configuration history index EE data Source ads e buckets requested 50 buckets grante
351. ute entry into the RIP tables, perform at least one of the following tasks in route map configuration node (Mode: Route Map). match interface INTERFACE: Transmits information to only the specified interface. match ip address ACCESS LIST NAME, PREFIX LIST, IP ADDRESS: Transmits information matched with access list or prefix list. match ip next hop ACCESS LIST NAME, PREFIX LIST, IP ADDRESS: Transmits information to only the neighbor router in access list or prefix list. match metric <0-4294967295>: Transmits information matched with specified metric; enter the metric value. ip next hop IP ADDRESS: Configures neighbor router address. metric <1-2147483647>: Configures metric value. Metrics for Redistributed Routes. The metrics of one routing protocol do not necessarily translate into the metrics of another. For example, the RIP metric is a hop count and the OSPF metric is a combination of five quantities. In such situations, an artificial metric is assigned to the redistributed route. Because of this unavoidable tampering with dynamic information, carelessly exchanging routing information between different routing protocols can create routing loops, which can seriously degrade network operation. To set metrics for redistributed routes, use the following command. Command: default metric VALUE. Mode: Router. Description: Configures the same metric for all routes transmitted by routing protocol; enter the value. The metric of all protoco
352. vent loopback uni direction ENABLE ACTIVE FORWARD DISCARD UNSUPPORT UNSUPPORT SUPPORT disable UNSUPPORT disable SWITCH bridge show oam remote 25 REMOTE PORT 25 mode MAC address variable link event loopback uni direction ACTIVE 00 d0 1cb 127200194 UNSUPPORT UNSUPPORT SUPPORT enable UNSUPPORT SWITCH bridge oam remote loopback start 25 PORT 25 The remote DTE loopback is success SWITCH bridge 7.3 Link Layer Discovery Protocol (LLDP). Link Layer Discovery Protocol (LLDP) is the function of transmitting data for network management between the switches connected in a LAN, according to the IEEE 802.1ab standard. 7.3.1 LLDP Operation. The hiD 6610 S311 supporting LLDP transmits management information between nearby switches. This information allows the switches and their functions to be recognized, and it is saved in the internal MIB (Management Information Base). When LLDP starts to operate, the switches send their information to nearby switches. If there is some change in local status, a switch sends the changed information to nearby switches to inform them of its status. For example, if a port is disabled, the switch informs nearby switches that the port is disabled. The switch that receives the information from nearby switches processes the LLDP frame and saves t
353. vides various connectivity to PC, web server, LAN device, backbone device, and other switches. The SURPASS hiD 6610 S311 provides per-VLAN routing, IP multicasting, IP packet filtering, and DHCP. 24 ports of Fast Ethernet interface support 10/100Base-TX (RJ-45 type). 2 ports of 1000Base-X or 100Base-FX with SFP module and 2 ports of 10/100/1000Base-TX can be used as uplink towards the core network. Fig. 2.1 shows a network construction using the hiD 6610 S311. [Fig. 2.1 Network Structure with hiD 6610 S311] 2.1 System Features. The main features of the hiD 6610 S311, which has Fast Ethernet switch and Layer 3 switching functions and supports both Ethernet switching and IP routing, are as follows. VLAN: A Virtual Local Area Network (VLAN) is made by dividing one network into several logical networks. Packets cannot be transmitted and received between different VLANs. Therefore, it can prevent unnecessary packets from accumulating and strengthen security. The hiD 6610 S311 recognizes 802.1q tagged frames and supports a maximum of 4096 VLANs and Port-based, Protocol-based, and MAC-based VLANs. Quality of Service (QoS): For the hiD 6610 S311, QoS-based forwarding sorts traffic into a number of classes and marks the packets accordi
354. wing command. Command: debug packet log COUNT VALUE TIME <1-10>. Mode: Enable. Description: Debugs according to the conditions. COUNT: packet counting. VALUE: CPU threshold. 1-10: file number. Command: no debug packet log. Description: Releases the debug configuration. The user can save the current configuration with the write memory command. However, the dump file is not saved. System Main Functions. 8.1 VLAN. The first step in setting up your bridging network is to define VLANs on your switch. A VLAN is a bridged network that is logically segmented by customer or function. Each VLAN contains a group of ports called VLAN members. On the VLAN network, packets received on a port are forwarded only to ports that belong to the same VLAN as the receiving port. Network devices in different VLANs cannot communicate with one another without a Layer 3 switching device to route traffic between the VLANs. These VLANs improve performance because they reduce the propagation of local traffic, and they improve security because they completely separate traffic. Enlarged Network Bandwidth: Users belonging to different VLANs can use more bandwidth than without VLANs because they do not receive unnecessary broadcast information. A properly implemented VLAN will restrict multicast and unknown unicast traffic to only those links necessary to reach memb
355. wing command. Command: show version. Mode: Enable, Global. Description: Shows version of system image. To display the size of the current system image, use the following command. Mode: Enable, Global. Description: Shows size of system image. 6.3.13 Displaying Installed OS. To display utilization of flash memory, use the following command. Mode: Enable, Global. Description: Shows utilization of flash memory. 6.3.14 Default OS. The hiD 6610 S311 supports dual OS. You can show the flash memory by using the show system command. When two system images are installed, the user can configure either of them as the default OS. In the hiD 6610 S311, a system image saved in os1 is configured as the default OS by default. To designate a default OS, use the following command. Command: default os os1 os2. Description: Designates default OS of switch. 6.3.15 Switch Status. To display the temperature of the switch, power status, and fan status, use the following command. 6.3.16 Tech Support. In the hiD 6610 S311, you can display the configuration and configuration file, log information, register, memory, and debugging information using the following commands. Check the tech support output for system errors and use it for solving the problem. Mode: Enable. tech support all crash info Check tech support on console console tech support
356. xisting VLAN interfaces. Command: ip igmp snooping. Description: Enables IGMP snooping globally. Command: ip igmp snooping vlan <1-4094>. Description: Enables IGMP snooping in VLAN interface. Step 3: To disable IGMP snooping, use the following command. Command: no ip igmp snooping. Mode: Global. Description: Disables IGMP snooping globally. Command: no ip igmp snooping vlan <1-4094>. Mode: Global. Description: Disables IGMP snooping in VLAN. To display global IGMP, use the following command. Command: show ip igmp snooping vlan VLAN ID. Mode: Enable, Global. Description: Shows IGMP snooping configuration. IGMP v2 Snooping. Layer 2 switches can use IGMP snooping to constrain the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those associated with IP multicast devices. Internet Group Management Protocol (IGMP) is the internet protocol that helps to inform multicast groups to the multicast router. In a multicast network, when a multicast packet is transmitted, the multicast router sends only an IGMP query message that asks whether to receive the multicast packet. If a switch sends the join message to the multicast router, the multicast router transmits the multicast packet only to that switch. [Figure labels: Multicast Packet; hiD 6610; Multicast Router; Transmit the multicast packet to the port that sent the join message; Multicast Join request]
357. y value with key value of another port. Command: lacp port admin key PORTS <1-15>. Description: Configures key value of member port. PORTS: select the port number. 1-15: select the port key value (default: 1). To delete the key value of a configured member port, use the following command. Command: no lacp port admin key PORTS. Mode: Bridge. Description: Deletes key value of selected member port; select the member port number. Priority of Member Port. To configure the priority of an LACP member port, use the following command. Command: lacp port priority PORTS <1-65535>. Mode: Bridge. Description: Sets the LACP priority of member port; select the port number (default: 32768). To remove the port priority of a configured member port, use the following command. Command: no lacp port priority PORTS. Mode: Bridge. Description: Deletes port priority of selected member port; select the member port number. Priority of Switch. In case the member ports of connected switches are configured as Active mode (LACP system enabled), it is required to configure which switch would be a standard for it. For this case, the user can configure the priority on the switch. The following is the command for configuring the priority of the switch in the LACP function. Command: lacp system priority <1-65535>. Mode: Bridge. Description: Sets the priority of the switch in LACP function; enter the switch system priority (default: 32768). T
358. ype 0x900 6 SWITCH bridge show vlan protocol Ethertype VID 123456789012345678901234567890123456789012 0x0800 E ee eee eee ee E Ee ake ee 0x0900 SJ EE EE EE SWITCH bridge With above configuration the packets from port number 2 and 4 are decided according to the protocol In case the protocol is incongruous the route is decided according to the 184 A50010 Y3 B100 2 7619 User Manual SURPASS hiD 6610 S311 port UMN CLI R1 0 based VLAN Sample Configuration 4 Configuring QinQ 10 port of SWITCH 1 and 11 port of SWITCH 2 are connected to the network where dif ferent VLANs are configured To communicate without changing VLAN configuration of SWITCH 1 and SWITCH 2 which communicate with PVID 10 configure it as follows should configure the ports connected to network communicating with PVID 11 as A tag Tagged VLAN port lt SWITCH 1 gt SWITCH bridge vlan dotlq tunnel enable 10 SWITCH bridge vlan pvid 10 11 SWITCH bridge show vlan dotlq tunnel Tag Protocol Id 0x8100 d double tagging port dag MMC RES Bl qu TR E QUE ZR E QUE TR OE OR eee ure poor eo ates SWITCH bridge lt SWITCH 2 gt A50010 Y3 B100 2 7619 SWITCH bridge vlan dotlq tunnel enable 11 SWITCH bridge vlan pvid 11 11 SWITCH bridge show vlan dotlq tunnel Tag Protocol Id 0x8100 d double tagging port puse doe euius A O ERE EREE ERE ERE MNE M SWITCH bridge 185 UMN CLI User Manual