
CAP/ENT Certified Allied Telesis Professional Enterprise

Training Modules
- Service and Support Overview
- Hardware Overview
- Operations
- Layer 2 Switching
- VLAN - Virtual LANs
- VCStacking - Virtual Chassis Stacking
- Link Aggregation
- Spanning-Tree / Rapid Spanning-Tree
- EPSR - Ethernet Protection Switched Rings
- IP Routing / Layer 3 Switching
- RIP Routing
- ACL
- Queue Weighting and QoS
- Event logging / troubleshooting

Introduction
CAP/ENT

Course Objectives
This three-day technical training course gives the core knowledge needed to work with Allied Telesis products running the AlliedWare Plus operating system. Participants should have a good knowledge of networking fundamentals before attending. Students are encouraged to take the online pre-test course to make sure they have the required prerequisites.

slide 2

Course Objectives
Upon completion of this course, attendees will be able to:
- Demonstrate a good basic knowledge of the command structure and operation of products based on AlliedWare Plus, which is standards based.
- Work with the standards-based CLI with the same background understanding.
- Create and troubleshoot configurations for Layer 3 devices running AlliedWare Plus.
- Modify an existing configuration to enhance network performance or to provide new or improved services on AlliedWare Plus devices.

Modules List
- Service and Support Overview
- Hardware Overview
- Operations
- Layer 2 Switching
- VLAN
- Stacking
- Link Aggregation
- Spanning-Tree / Rapid Spanning-Tree
- EPSR
- IP Routing / Layer 3 Switching
- RIP
- ACL
- QoS
- Event logging / troubleshooting

Agenda
Day 1
- Service and Support Overview
- Hardware Overview
- Operations
- Layer 2 Switching
- VLAN
- Lab sessions spread throughout the day
Day 2
- Virtual Chassis Stacking
- Link Aggregation
- Spanning Tree
- EPSR
- IP Routing / Layer 3 Switching
- Lab sessions spread throughout the day
Day 3
- RIP
- ACL
- QoS
- Event logging
- Final Exam
- Lab sessions spread throughout the day

slide 5

Before Starting
- Breaks and lunch schedule
- Rest rooms
- Emergency exit(s) and procedures
- Fill in the forms in the course material

slide 6

Services EMEA
2010 / 2011

Service & Support


Table of Contents
- Allied Telesis Support Overview
- Allied Telesis Warranty
- Technical Support in Europe
- Allied Telesis Maintenance Europe

slide 8

Allied Telesis Support Overview


Allied Telesis EMEA Services:
- Warranty
- Support
- Training
- Professional Services
- Service & Maintenance Contracts
- Network Diagnostic

Allied Telesis Warranty


Allied Telesis Answer to the EU Directive
- All products from Allied Telesis have a 2-year warranty.
- After registering Enterprise products on our website, the benefit is an additional 3 years of warranty, so 5 years in total.
- For service provider products (the iMG and iMAP product lines) we offer only a 2-year warranty on a Return & Repair basis.
- For registered products that fail within the first 30 days after purchase (Dead-on-Arrival, DOA) we offer Advanced Hardware Replacement.
- If a product has not been registered, the customer must provide an invoice or shipment document as proof of the Day of Purchase (DOP).
- All other RMAs (Return Material Authorizations) are handled as Repair & Return.
slide 10

Allied Telesis Warranty


Registration
Register the warranty today at www.alliedtelesis.co.uk under Support > Warranties > Register your product.

slide 11

Allied Telesis Warranty


Registration
Need to register hundreds of units and the website is not convenient for that? Have your customer send the same information as on the website, with a list of the products in an Excel spreadsheet (or similar), to the following e-mail address:

Netcover_Europe@alliedtelesis.com

slide 12

Allied Telesis Warranty


Important information about the Warranty
- It's a free benefit for the customer and exceeds EU law.
- Registering the unit is mandatory in order to get the benefit of the 5-year warranty.
- The customer has to send the faulty unit to our central warehouse in Amsterdam, Netherlands at their own expense.
- The repaired or, if necessary, replaced unit is returned to the customer in an estimated time frame of 30 calendar days.
- It's only a logistics service. It does not mean getting a replacement unit next business day; that is only covered by service contracts.
- Onsite intervention is provided only as a paid service on demand.
slide 13

SUPPORT FOR ALL CUSTOMERS IN EMEA/US WITH OR WITHOUT SERVICE CONTRACT

Technical Support in Europe


Web-based Service Portal
- All Allied Telesis customers can access the Service Portal on our public website to help themselves with over 1,200 technical knowledge articles.
- Additionally, every customer can register to subscribe to Q&A.
- By subscribing, any customer also has the opportunity to raise a question and get in contact with Allied Telesis. Answers are provided on a best-effort basis, typically within 1-3 days.
- Soon we expect customers to also be able to use the service portal to register their installed base and to simplify several processes.

slide 15

Technical Support in Europe


Allied Telesis Service Portal
Available from our public website www.alliedtelesis.co.uk under Support and Support Center

slide 16

Technical Support in Europe


Service Description
- Access through the service portal
- Contract level and priority define the service level
- The service level agreement defines: response time to the customer, internal escalation time
- The local service team provides regular updates

Internal Allied Telesis Service Structure (question/problem in, answer/solution back to the customer):
Level 1: receives the call, logs the problem, sets the priority, resolves hardware issues
Level 2: resolves network configuration issues, contacts the customer
Level 3: drives Engineering for a solution
slide 17

Technical Support in Europe


Contacts
- Preferably, technical support requests should be raised through the service portal on our public website.
- If you have an urgent incident but do not yet have a service contract, get in touch with us to find the right solution under European Technical Enquiries: +39 024 070 8317
- Customers with an active Net.Cover service contract can also contact our support by telephone. The free-call number for each country is obtained by activating the service contract.

slide 18

Technical Support in Europe


What information must the customer provide?
We need the following information from a customer before we can help with their problem:
- Contact information, including a telephone number for any questions
- Product type
- Serial number
- Net.Cover contract number (if available)
- Detailed error description
- Mailing address for the RMA
The more completely you provide this information, the faster the support process can run.
slide 19

Technical Support in Europe


RMAs
An RMA request for a product follows the same process as all other incidents, so for an RMA a support ticket with a call ID is mandatory for the replacement of a faulty product under warranty. A complete set of information has to be provided; this helps us to provide swift support. The delivery time for the RMA depends on your service contract.

slide 20

Technical Support Processes


RMA-Request
An RMA has to be confirmed by the customer in electronic format, as the replacement is also followed by an invoice and a credit note upon return of the faulty product.

slide 21

ALLIED TELESIS MAINTENANCE OFFER

Allied Telesis Maintenance EMEA


Support contracts
Warranty:
- Technical support over the web on a best-effort basis (free)
- RMA and Repair Service (estimated 30 days)
Maintenance with contract, delivery service:
- Allied Telesis Net.Cover Basic (replacement as under warranty)
- Allied Telesis Net.Cover Basic Plus (replacement next business day)
Maintenance with contract, onsite service:
- Allied Telesis Net.Cover Silver * (onsite next business day)
- Allied Telesis Net.Cover Gold * (onsite within 4 hrs, 365 days, during business hours)
- Allied Telesis Net.Cover Platinum * (onsite within 4 hrs, 24x7x365)
* Please check availability with your Allied Telesis sales representative
slide 23

Acceptance window per service (in the order listed above):
  Web support            24 x 7 x 365
  RMA / Repair Service   24 x 7 x 365
  Net.Cover Basic        8 x 5
  Net.Cover Basic Plus   8 x 5
  Net.Cover Silver       24 x 7 x 365
  Net.Cover Gold         24 x 7 x 365
  Net.Cover Platinum     24 x 7 x 365

Net.Cover Service
Allied Telesis Net.Cover Basic
Includes:
- Global access to the Allied Telesis Technical Assistance Center (TAC) by phone, e-mail and web, 8 hrs x 5 days a week, all year
- Full access to the knowledgebase on the web portal
- Prioritized incident handling with 2 severity levels
- Replacement of faulty products as Repair & Return with a 30 calendar day turnaround, the same as under warranty
- New major firmware releases for units as upgrades (to enhance the feature set)

slide 24

Net.Cover Service
Allied Telesis Net.Cover Basic Plus
Includes:
- Global access to the Allied Telesis Technical Assistance Center (TAC) by phone, e-mail and web, 8 hrs x 5 days a week, all year
- Full access to the knowledgebase on the web portal
- Prioritized incident handling with 2 severity levels
- Replacement of faulty products as advanced replacement, with same-day shipping from the central warehouse
- New major firmware releases for units as upgrades (to enhance the feature set)

slide 25

Net.Cover Service
Allied Telesis Net.Cover Silver
(Please check the availability of NC Silver with Allied Telesis in your region!)
Additionally includes:
- Highest-priority incident handling by system experts at all levels of support
- Onsite support by a field engineer next business day with a spare part
- Onsite installation of the replacement by a system expert, including setting up the customer-provided configuration
- Health check of the replacement unit to ensure a fully operational network again
- The onsite engineer takes the faulty unit back to Allied Telesis

slide 26

Net.Cover Service
Allied Telesis Net.Cover Gold
(Please check the availability of NC Gold with Allied Telesis in your region!)
Additionally includes:
- Onsite support by a field engineer, not only next business day but within 4 hours during business hours
- For example: a failure raised with Allied Telesis at 10 a.m. will be fixed no later than 2 p.m. by the onsite engineer

slide 27

Net.Cover Service
Allied Telesis Net.Cover Platinum
(Please check the availability of NC Platinum with Allied Telesis in your region!)
Additionally includes:
- Onsite support by an engineer within 4 hours, 365 days a year, with a spare part to fix your failed device
- The solution for highly demanding networks that require 24 x 7 x 365 access

slide 28

Net.Cover Service
Contracts
A Net.Cover Service contract is purchased just like a product, from your reseller or distributor. The following applies to Net.Cover contracts, whether they have been purchased as a bundle or as single products: the Net.Cover contract only becomes effective after it has been registered. Until registration, the standard warranty conditions remain in place. Please note that a product can be registered by the end user or by the partner; however, an RMA or Net.Cover request can only be raised by the contact entered at registration.

slide 29

Net.Cover Service
Registration of Net.Cover Contracts
To register your Net.Cover contract in EMEA please go to http://www.alliedtelesis.co.uk/support/netcover/register

slide 30

Net.Cover Service
Registration of Net.Cover Contracts
You have several products to register and registration on the web is too slow? Then use this option. Send an e-mail to: Europe_Netcover@alliedtelesyn.com
Necessary information:
- Net.Cover contract number, if not bundled
- Company with service: name and address
- Contact details: name, telephone number and e-mail
- Location where the product is installed, if different
- Reseller information: name and address

slide 31

Hardware Overview

Allied Telesis portfolio
- Connectivity: Network Interface Cards, Media Converters
- Switching: Switches
- Routing: Routers
- Multiple Services: iMAP
- Mobility: Wireless
- Management: SNMP
- Solutions
slide 33

Services
ToIP; Enterprise; Banks; Data; MAN; Video surveillance; Education; Television over IP; Defense; Hospitality; SMB; Security; ...

Connectivity
Network Interface Cards
- Copper: Fast Ethernet, Gigabit; desktop and laptop options
- Fiber: Fast Ethernet, Gigabit; desktop and laptop options

Media Conversion
- Non-managed: single channel, multiple channels, VDSL conversion
- Manageable: single channel, multiple channels

slide 34

Switching
Small Business
- Fast Ethernet and Gigabit
- Broad choice of non-managed or WebSmart switches

Enterprise/Convergent Networks
- Stackable, Chassis
- Scalability: Fast Ethernet, Gigabit, 10 Gigabit
- Advanced services: routing, high availability, QoS, security features

slide 35

Routers
SoHo, SMB and Central Office
- AR200 Series: ADSL2/2+, WiFi, firewall
- AR400 and AR700 Series: built-in switch, WAN slot (PIC), VPN / firewall, advanced QoS, Gigabit routing (AR770S)

slide 36

Multi Services Access Platform: iMAP
- Multiple services chassis-based solution
- Available in 3, 7 or 17 slot configurations
- xDSL (ADSL, VDSL2, SDSL), Ethernet, GbE, 10GbE, E1
- Created and optimized for IP converged networks
- Typical deployments: hotels, hospitality, MAN, campus

slide 37

Wireless Solutions
- Point to point: AT-WR4541. Bridged or routed P2P link between buildings; all-in-one solution.
- Multipoint / Access Point: AT-WR4562. Bridged or routed P2P link; bridged or routed multipoint links; mesh networks; Access Point features; hot spot features.
- Access Point Concentrator: Extricom Series. Wireless clients, no roaming; concentrator + ultra-light radios; 4th generation; solution across sites, floors and buildings.

slide 38

Management and monitoring
- SNMPc Monitoring (SNMPc, AlliedView EMS): monitoring, management, reporting
- Global Solution (AlliedView NMS): monitoring, management, reporting, inventory, upgrades and configuration provisioning
- Extricom Management (EXNM-2000): provisioning, monitoring, management
- AlliedView UM (EoL): Software Upgrade Manager

slide 39

Operations

Operations Table of Contents
- Initial connection
- Start-up
- The command line modes (CLI)
- AlliedWare Plus CLI overview, basic operations
- Port management
- Feature licensing
- Web Management - Graphical User Interface (GUI) (Appendix)

slide 41

Initial connection

The various connection methods


One of the following methods must be used to connect to the switch in order to configure or manage it:
- Via the serial port: terminal emulator (e.g. HyperTerminal under Windows)
- Via the network using an IP-based tool:
  - Command Line Interface (CLI): Telnet / SSH
  - Multi-vendor network management systems (SNMP)
  - Web browser (GUI) based management (HTTP, Java)
The three network-based methods need an IP address to be assigned to the switch. A terminal emulator via the serial port is therefore the only possible method initially.

slide 43

Connection via DB9 serial port

The serial interface: RS-232 / connectors
- USB / RS-232 adapter
- DB9
- RJ45

slide 44

Connection via serial port


Connect one of the serial ports (COM ports) of the PC to the switch's serial port using the cable supplied (directly or through a USB serial adapter). Run HyperTerminal.
1) Give the connection a name and click OK
2) Select the COM port to use


slide 45

Connection via DB9 serial port

3) The default serial settings are:
   Baud rate: 9600 bits/sec
   8 data bits
   Parity: none
   1 stop bit
   Flow control: none

4) By default the AlliedWare Plus OS supports VT100-compatible terminals on the console port. This means that the terminal size is 80 columns by 24 rows.
slide 46

Connection via DB9 serial port

The default login is:
   Username: manager
   Password: friend

This default login is publicly documented, so change it at the first login (see "Managing users" later in this module); otherwise anyone who can reach the console port or the Telnet service can log in with full privileges.

slide 47

Start-up

Start-up: Status, System Messages


At the beginning of the boot process, internal hardware components (memory, etc.) are typically tested and the results reported. Many systems allow the administrator to interrupt the start-up sequence for maintenance and file operations (such as choosing a different boot image). The AlliedWare Plus bootloader allows a number of operations to be performed before loading the operating system. The user can access the bootloader when the following message appears:

Bootloader 1.1.0 loaded
Press <Ctrl+B> for the Boot Menu

slide 49

Start-up: bootloader
The Bootloader menu:
Boot Menu:
  0. Restart
  ------------------------------------------------------
  1. Perform one-off boot from alternate source
  2. Change the default
  4. Adjust the console baud rate
  5. Special boot options
  6. System information
  7. Restore Bootloader factory settings
  ------------------------------------------------------
  9. Quit and continue booting
Enter selection ==>
slide 50

Start-up: bootloader
1. Perform one-off boot from alternate source
This option allows the system to boot up (loading the AlliedWare Plus system) from one of a number of sources:
- Flash
- SD card
- TFTP
- YMODEM
This gives several options for updating and debugging equipment. When the equipment has started up from an alternative source, after login there is an automatic option to copy the booted software version to Flash memory and to select it as the default boot version. One of the 4 sources above can be selected as the default. ONLY RECOMMENDED METHOD: FLASH (active by default).
slide 51

2. Change the default boot source (for advanced users)


Start-up: bootloader
3. Update Bootloader
Allows the equipment bootloader to be updated (if requested by technical support).

4. Adjust the console baud rate
For altering the baud rate of the console port. Default value is 9600.

5. Special boot options
For restoring the default blank configuration, especially if the password is lost (for recovering the manager/friend account):
  0. Return to previous menu
  ------------------------------------------------------
  1. Skip startup script (Use system defaults)
Note that this is a password-recovery path: anyone with physical access to the console port who can power-cycle the switch can boot it without the saved configuration, so console access must be physically protected.
slide 52

Start-up: bootloader
6. System information

For displaying system information on the hardware: CPU, memory, MAC address, etc.

7. Restore Bootloader factory settings For reconfiguring the bootloader as a whole with its factory settings.

slide 53

Start-up: stages
The switch starts up in this sequence:
1. Loading the bootloader
2. A brief pause to give the user the option to press Ctrl+B to access the Bootloader menu
3. Loading the AlliedWare Plus system

slide 54

Loading AlliedWare Plus


Initialising ECC Memory... Done
Bootloader 1.1.0 loaded
Press <Ctrl+B> for the Boot Menu
Reading filesystem...
Loading flash:r6-5.3.4-0.5.rel...
Verifying release... OK
Booting...
Starting base/first...                         [  OK  ]

Allied Telesis Inc.
AlliedWare Plus (TM) v5.3.4
Original release filename: r6-5.3.4-0.5.rel
Built: Tue Nov 2 19:08:21 NZDT 2010 by: maker@awpmaker01-dl

Mounting virtual filesystems...                [  OK  ]
Mounting static filesystems...                 [  OK  ]
Checking flash filesystem...                   [  OK  ]
Mounting flash filesystem...                   [  OK  ]
Checking NVS filesystem...                     [  OK  ]
Mounting NVS filesystem...                     [  OK  ]
Starting base/dbus...                          [  OK  ]
Starting base/syslog...                        [  OK  ]

slide 55

Loading AlliedWare Plus


Each module is loaded and sends a status message to the screen:

[ OK ]    : the module loaded correctly
[ INFO ]  : an informational message that does not affect operation
[ ERROR ] : an error that affects the operation of the module

slide 56

Default parameters
- Passwords are encrypted.
- Logging is activated.
- Support for jumbo frames is activated on all ports.
- Telnet access is activated. (Telnet carries the login and the whole session in clear text, so plan to move management to SSH.)
- Rapid Spanning Tree (RSTP) is activated (ports are not in Portfast mode).
- All ports are untagged in VLAN 1.
- All RJ45 ports support auto-negotiation and auto MDI/X.

slide 57

The Command line modes (CLI)

AlliedWare Plus CLI modes

Command mode            Command used to enter it         Command used to return to the previous mode
User Exec mode          (initial mode after login)       -
Privileged Exec mode    enable                           disable (back to User Exec)
Global Configure mode   configure terminal               exit, end, Ctrl+Z or Ctrl+C (back to Privileged Exec)
Interface mode          interface <interface name>       exit (back to Global Configure); end, Ctrl+Z or Ctrl+C (back to Privileged Exec)
Router mode             router <routing protocol>        exit (back to Global Configure); end, Ctrl+Z or Ctrl+C (back to Privileged Exec)
Other sub-modes         (mode-specific command)          exit (back to Global Configure); end, Ctrl+Z or Ctrl+C (back to Privileged Exec)

slide 59

The Command line modes


User Mode

In this mode, the user has access to a restricted set of commands that do not affect the operation of the switch, but are used to perform some diagnostic tests. The prompt appears on screen as follows:

awplus>

slide 60

The Command line modes


Privileged Mode

In this mode, all system commands are accessible, including file system management, protocol status display, ping, traceroute, telnet, etc. Enter the command "enable" from user mode to activate this mode. Use "disable" to leave it. The prompt appears on screen as follows:

awplus#

slide 61

The Command line modes


Global Configuration Mode

This mode gives access to all configuration commands for the equipment. Enter the command "configure terminal" from privileged mode to activate this mode. Use "end" to leave it. The prompt appears on screen as follows:

awplus(config)#

Privileged mode commands can be executed from this mode by prefixing them with "do":

awplus(config)# do show ip interface brief


slide 62

The Command line modes - Help system


Help is available from all 3 operating modes using "?".

To display the options for a command, enter the command followed by "?":
   show ?

The system has a command completion feature: enter the start of the command, then <TAB>:
   sh + <TAB> = show

The up/down arrow keys recall the commands used previously.

slide 63

The Command line modes Remote access


The switch needs an IP address so that it can be administered remotely, either:
- on the "out of band" management Ethernet port, eth0 (only available on the x900 series / AT-SBx908), or
- on a VLAN for "in band" management (VLAN 1 is the default).

awplus> enable
awplus# configure terminal
awplus(config)# interface vlan1        (or eth0)
awplus(config-if)# ip address <address/mask>
awplus(config-if)# end
awplus# show ip interface
Interface    IP-Address    Status      Protocol
vlan1        x.x.x.x       admin up    down
slide 64

The Command line modes Remote access


The Telnet server is enabled by default. Telnet sends the username, the password and the whole session in clear text, so for production management use SSH (listed next to Telnet on the connection-methods slide) and turn Telnet off once SSH access is working.

slide 65

AlliedWare Plus CLI Overview

Basic Operations

Basic Operations Managing users


Creating/modifying users Must be in configuration mode:

awplus> enable awplus# configure terminal

Creation/Modification:

awplus(config)# username <name> privilege <1-15> password <password>

Only users with privilege 15 have access to privileged and configuration modes. The 'no' form of the command removes a user:
awplus(config)# no username <name>
slide 67

Basic Operations Managing users


The configuration web interface (GUI) is accessed by creating a specific guiuser account:
awplus(config)# username <name> privilege 15 guiuser password <password>

The graphical interface file (.jar file) has to be present in the equipment's Flash memory.

Show connected users:
awplus# show users
Line    User      Host(s)   Idle      Location       Priv  Idletime  Timeout
con 0   manager   idle      00:00:00  ttyS0          15    10        N/A
vty 0   guiuser   idle      00:00:02  192.168.1.64   15    10        N/A


slide 68
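The following Python script is an added example and is not part of the training deck: it audits the text of a `show running-config` for the weak defaults the preceding slides describe (the factory manager account, the Telnet server that is on by default, clear-text passwords, and a missing NTP source), and it shows the difference between a switch still at defaults and one where the user-management commands above have been applied. The configuration text is constructed for the demo. The service keywords `no service telnet`, `service ssh` and `service password-encryption`, and the `password 8 <hash>` form of an encrypted password, are AlliedWare Plus syntax as I know it from the product rather than commands shown in this module, so treat them as assumptions; so is the assumption that a service left at its default is not written into the running-config.

```python
import re

# Constructed sample of 'show running-config' output for the demo: a switch
# still carrying the factory 'manager' account, with Telnet left at its
# default (enabled, so nothing about it appears in the config) and a second
# admin account added.  The hashes are placeholders, not real credentials.
SAMPLE_CONFIG = """\
!
service password-encryption
!
hostname RepCentral
!
username manager privilege 15 password 8 $1$bJoVec4D$JwOJGPr7YqoExA0GVasdE0
username ops privilege 15 password 8 $1$ZB4rfeh0$7CzVlJ0cGl6JkQcXUHrH5/
!
ntp server 10.0.0.5
!
interface vlan1
 ip address 192.168.1.10/24
!
"""

# The same switch after hardening: factory account removed, Telnet off, SSH on
# (assumed AlliedWare Plus keywords, see lead-in).
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "username manager privilege 15 password 8 $1$bJoVec4D$JwOJGPr7YqoExA0GVasdE0\n", ""
) + "no service telnet\nservice ssh\n"

FACTORY_USER = "manager"   # default login is manager / friend (slide 47)


def parse_users(config):
    """Return {username: privilege} for every 'username ...' line."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^username (\S+) privilege (\d+)", config, re.M)}


def audit_config(config):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    users = parse_users(config)

    # Factory account still present.  The hash cannot tell us whether the
    # password is still 'friend', so the well-known account name is enough.
    if FACTORY_USER in users:
        findings.append(("high", "factory account 'manager' still exists: "
                                 "create a named admin, then 'no username manager'"))

    # Only privilege 15 reaches privileged/configure mode (slide 67); with no
    # such user the box can only be reconfigured via the bootloader.
    if 15 not in users.values():
        findings.append(("high", "no privilege 15 user: nobody can enter configure terminal"))

    # Telnet is on by default (slide 65).  Assumption: an enabled-by-default
    # service is NOT written to the config, so only an explicit
    # 'no service telnet' line proves it is off.
    if not re.search(r"^no service telnet\s*$", config, re.M):
        findings.append(("medium", "Telnet server enabled (default): clear-text logins; "
                                   "add 'no service telnet' and manage over SSH"))
    if not re.search(r"^service ssh\b", config, re.M):
        findings.append(("medium", "SSH server not enabled: 'service ssh' missing"))

    # With service password-encryption (on by default, slide 57) a user line
    # reads 'password 8 <hash>'; anything else is a clear-text password.
    for m in re.finditer(r"^username (\S+) .*password (\S+)", config, re.M):
        if m.group(2) != "8":
            findings.append(("high", f"user '{m.group(1)}' has a clear-text password"))

    # Without NTP (slide 78) log timestamps drift and cannot be correlated
    # with other devices during an incident.
    if not re.search(r"^ntp server \S+", config, re.M):
        findings.append(("low", "no 'ntp server' configured: log timestamps will drift"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("switch at defaults", SAMPLE_CONFIG), ("hardened switch", HARDENED_CONFIG)):
        print(f"== {name}")
        for severity, message in audit_config(cfg) or [("info", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against the saved output of `show running-config` from a real switch; the first sample reports three findings (factory account, Telnet on, SSH off) and the hardened sample none.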

Basic Operations Managing users


Commands entered at the command line take effect immediately and are stored in the running configuration. The running configuration is not saved automatically; it has to be saved so it can be used when the switch boots up. Several configuration files can be stored in the switch's flash memory.

slide 69

Running-configuration management
Show the running configuration (from memory). You have to be in privileged mode:

awplus> enable
awplus# show running-config <module>

module = access-list, interface, stack, etc. (full list with show running-config ?)

Partial display of the configuration, only the lines containing a particular word:
awplus# show running-config | include <word>

Partial display of the configuration from a particular word onwards:
awplus# show running-config | begin <word>
slide 70

Startup-configuration management
Show the start-up configuration (from flash). You have to be in privileged mode:

awplus> enable
awplus# show startup-config <module>

module = access-list, interface, stack, etc. (full list with show running-config ?)

Partial display of the configuration, only the lines containing a particular word:
awplus# show startup-config | include <word>

Partial display of the configuration from a particular word onwards:
awplus# show startup-config | begin <word>
slide 71

Startup-configuration management
Save the configuration (privileged mode). Save in the default start-up file:
awplus# copy running-config startup-config

The start-up configuration is stored in flash memory, by default in the file default.cfg, with the alias startup-config.

Save to another file:
awplus# copy running-config ulis.cfg

slide 72

Startup-configuration management
Show the boot settings (privileged mode). The default alias startup-config is associated with the default.cfg file.
awplus# show boot
Boot configuration
----------------------------------------------------
Current software   : r1-5.3.4-0.5.rel
Current boot image : flash:/r1-5.3.4-0.5.rel
Backup boot image  : Not set
Default boot config: flash:/default.cfg
Current boot config: flash:/default.cfg (file exists)
slide 73

Startup-configuration management
Changing the boot startup script (configuration mode). The file associated with the alias startup-config can be changed via:
awplus(config)# boot config-file test.cfg
awplus(config)# end
awplus# show boot
Boot configuration
----------------------------------------------------
Current software   : r1-5.3.4-0.5.rel
Current boot image : flash:/r1-5.3.4-0.5.rel
Backup boot image  : Not set
Default boot config: flash:/default.cfg
Current boot config: flash:/test.cfg (file exists)

From then on, the command:
awplus# copy running-config startup-config
will save to the file test.cfg.
slide 74

Startup-configuration management
Restore to factory configuration
Reset the startup-config alias to its default value default.cfg (config mode):
awplus(config)# no boot config-file
awplus(config)# do sh boot

Remove the start-up file (privileged mode):
awplus# erase startup-config

Reboot (privileged mode):
awplus# reload
awplus# reboot

slide 75

Basic Operations - System parameters

Show global information (privileged mode): modules installed and hardware version, memory state, software version:
awplus# show system

Show power and fan status (status, voltage, temperatures):
awplus# show system environment

Show the serial number:
awplus# show system serialnumber

Show pluggable SFPs and XFPs:
awplus# show system pluggable
slide 76

Basic Operations - System parameters


Add/remove a name for the switch (config mode):
awplus(config)# hostname RepCentral
RepCentral(config)# no hostname
awplus(config)#

Apply a banner (config mode):
awplus(config)# banner motd Welcome to Main Distributor

Set up the default banner:
awplus(config)# banner motd default
This outputs a banner of the form: AlliedWare Plus (TM) 5.3.4 10/29/10 12:44:12

Remove the banner:
awplus(config)# no banner motd
slide 77

Basic Operations - Managing clock


Display the time:
awplus# show clock
UTC Time:          Wed, 17 Nov 2010 10:36:07 +0000
Timezone:          UTC
Timezone Offset:   +00:00
Summer time zone:  None

Configure the time zone:
awplus(config)# clock timezone <timezone name> <plus/minus> <offset>

Set the time and date:
awplus# clock set <hh:mm:ss> <day> <month> <year>

Configure NTP:
awplus(config)# ntp server <NTP server IP address>
awplus(config)# no ntp server


slide 78


Basic Operations - "Summer time" configuration


The switch can apply summer time and winter time automatically. You define a named zone, giving the times and dates of the changeover:

awplus(config)# clock summer-time ZONENAME recurring START-WEEK START-DAY START-MONTH START-TIME END-WEEK END-DAY END-MONTH END-TIME <1-180>

Example:
awplus(config)# clock summer-time <timezone name> recurring 5 Sun Mar 02:00 5 Sun Oct 03:00 60

slide 79
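The recurring rule above is easier to trust once you see the dates it produces, since log timestamps and certificate validity checks depend on the switch changing its clock when you expect. The Python below is an added example, not part of the deck: it parses the `clock summer-time ... recurring` command in the field order shown on the slide and resolves it to the changeover instants for a given year. It assumes that a START-WEEK/END-WEEK value of 5 means "the last such weekday of the month" (the usual reading on this style of CLI, which makes the slide's example the EU rule); the zone name CET and the years used are chosen for the demo.

```python
import calendar
from datetime import datetime, timedelta

# Weekday numbers follow Python's calendar module (Monday = 0).
DAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
MONTHS = {name: n for n, name in enumerate(calendar.month_abbr) if name}


def nth_weekday(year, month, weekday, week):
    """Day-of-month of the week-th occurrence (1-4) of weekday; 5 = the last one.
    Assumption: this is how the WEEK field of the command is interpreted."""
    first_wd, days_in_month = calendar.monthrange(year, month)
    first = 1 + (weekday - first_wd) % 7          # first such weekday in the month
    if week == 5:
        return first + 7 * ((days_in_month - first) // 7)
    day = first + 7 * (week - 1)
    if day > days_in_month:
        raise ValueError(f"no occurrence {week} of weekday {weekday} in {year}-{month:02d}")
    return day


def parse_rule(cmd):
    """Parse 'clock summer-time ZONE recurring SW SD SM ST EW ED EM ET OFFSET'
    (the field order on slide 79) into a dict."""
    p = cmd.split()
    if p[:2] != ["clock", "summer-time"] or len(p) != 13 or p[3] != "recurring":
        raise ValueError("expected: clock summer-time ZONE recurring ... <1-180>")
    offset = int(p[12])
    if not 1 <= offset <= 180:
        raise ValueError("offset must be 1-180 minutes")

    def edge(i):  # (week, weekday, month, "HH:MM")
        return int(p[i]), DAYS[p[i + 1]], MONTHS[p[i + 2]], p[i + 3]

    return {"zone": p[2], "start": edge(4), "end": edge(8), "offset_min": offset}


def changeover(year, rule):
    """Wall-clock instants at which summer time starts and ends in the given year."""
    result = []
    for week, weekday, month, hhmm in (rule["start"], rule["end"]):
        hour, minute = (int(x) for x in hhmm.split(":"))
        day = nth_weekday(year, month, weekday, week)
        result.append(datetime(year, month, day) + timedelta(hours=hour, minutes=minute))
    return tuple(result)


def resolve(year, cmd):
    """Convenience wrapper: ('YYYY-MM-DD HH:MM', 'YYYY-MM-DD HH:MM') for the rule."""
    return tuple(dt.strftime("%Y-%m-%d %H:%M") for dt in changeover(year, parse_rule(cmd)))


# The slide's example with a demo zone name (assumption).
RULE = "clock summer-time CET recurring 5 Sun Mar 02:00 5 Sun Oct 03:00 60"

if __name__ == "__main__":
    offset = parse_rule(RULE)["offset_min"]
    for year in (2010, 2011):
        start, end = resolve(year, RULE)
        print(f"{year}: clocks go forward at {start}, back at {end} (+{offset} min)")
```

Compare the printed instants with the first log entries after each changeover on the switch (the event-logging module covers how to read them); a mismatch means the rule, the time zone, or the NTP source is wrong.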

Basic Operations - Managing file system


Show the file list (privileged mode):
awplus# dir
 534      -rw- Nov 16 2010 16:31:16 default.cfg
 3610612  -rwx Nov 16 2010 11:20:42 gui_534_07.jar
 15499001 -rwx Nov 16 2010 11:18:05 r6-5.3.4-0.5.rel

Show the file list including hidden files (privileged mode):
awplus# dir all
 0        drwx Nov 17 2010 11:10:32 .configs/
 534      -rw- Nov 16 2010 16:31:16 default.cfg
 0        drwx Nov 16 2010 16:30:51 ./
 13       -rw- Nov 16 2010 11:23:21 .backup
 17       -rw- Nov 16 2010 11:21:51 .release
 3610612  -rwx Nov 16 2010 11:20:42 gui_534_07.jar
 15499001 -rwx Nov 16 2010 11:18:05 r6-5.3.4-0.5.rel
 303      drwx Nov  2 2010 07:08:22 ../
 84       -rw- Nov 10 2009 17:02:03 .ash_history
 0        drwx Nov 10 2009 15:46:06 .home/
slide 80

Basic Operations - Managing file system


Managing directories and files
Create a directory:             mkdir <url>
Remove a directory:             rmdir <url>
Change directory:               cd <url>  or  cd ..
Display the working directory:  pwd
Change media:                   cd flash:/  or  cd card:/
Copy a file:                    copy <src-url> <dest-url>
Delete a file:                  del <url>

Types of URL permitted:
filename                        (in the current directory)
tftp://10.0.0.1/filename        to or from 10.0.0.1 by TFTP
sftp://10.0.0.1/filename        to or from 10.0.0.1 by SFTP
scp://10.0.0.1/filename         to or from 10.0.0.1 by SCP
flash:/filename                 to or from Flash
card:/filename                  to or from the SD card

TFTP moves images and configuration files unauthenticated and in clear text; use sftp:// or scp:// whenever the transfer crosses a network you do not fully control.
slide 81

Managing files


Basic Operations - Managing file system


Copy assistant
A copy assistant has been included to simplify file transfer between the switch and other equipment. To use it, you define the source medium and destination medium, then answer the assistant's questions.

Examples:
copy tftp flash    copy from a tftp server to flash
copy flash tftp    copy from flash to tftp server

Back up a test.cfg file to a tftp server at address 10.0.0.1:
awplus# copy flash tftp
Enter source file name []:test.cfg
Enter destination host name []:10.0.0.1
Enter destination file name [test.cfg]:test.cfg
Copying..

Basic Operations - Managing file system


Transfer the image to flash
Use the transfer assistant (Privilege mode):
awplus# copy tftp flash
awplus# enter source host name[]:192.168.1.254
awplus# enter source file name[]:r1-5.3.4-0.5.rel
awplus# enter destination file name[r1-5.3.4-0.5.rel]:r1-5.3.4-0.5.rel

Check the file is in the flash (Privilege mode):
awplus# dir

Set up the release file as start-up image (Config mode):
awplus(config)# boot system r1-5.3.4-0.5.rel
awplus(config)# do show boot

Basic Operations - Update Operating system


It is possible to set a second software image
This image will be used to reboot the switch if the first one cannot be loaded into memory (missing, corrupted, etc.). This image may be the same version as the main image, or a different version from the main image.

Example: Use of the same version of main image and back-up

awplus# copy r1-5.3.4-0.5.rel r1-5.3.4-0.5.back.rel
awplus# configure terminal
awplus(config)# boot backup r1-5.3.4-0.5.back.rel
awplus(config)# do show boot


Port management

Port management - Overview


Each port in a switch is associated with one of the physical interfaces on the switch.
Each port is uniquely identified by a number.


Port management - Numbering ports


Within AlliedWare Plus switch ports are designated by portx.y.z (e.g. port1.0.1):
x indicates the switch number in a stack (x=1 if the switch is not stacked).
y indicates the XEM ID (y=0 for native ports of the x600 series or x900 series).
z indicates the port number in the module.
port1.0.1 = switch port 1 on an x900

[Figure: XEM ID numbering for AT-x900 and for AT-SBx908]


Port management - Enabling and disabling switch ports


Enabling switch ports:
Available for packet reception and transmission
Administrative status in the Interfaces MIB is UP
Participates in STP

awplus# configure terminal
awplus(config)# interface port1.0.20
awplus(config-if)# no shutdown

Disabling switch ports:
Not available for packet reception and transmission
Will not send or receive any frames
Incoming STP BPDU packets are discarded
Administrative status in the Interfaces MIB is DOWN

awplus# configure terminal
awplus(config)# interface port1.0.20
awplus(config-if)# shutdown



Port management - Autonegotiation


Autonegotiation allows the ports to adjust their speed and duplex mode to accommodate devices connected to them. If another autonegotiating device is connected to the switch, they will negotiate the highest possible common speed and duplex mode. The user can set the speed, duplex mode and flow control parameters to be advertised in autonegotiation. Speed-duplex capabilities to be advertised can be any combination of the following: 10h, 10f, 100h, 100f, 1000f.


Port management - Autonegotiation - Parallel Detection


If only one of the two devices is autonegotiation compliant, the protocol is designed to use Parallel Detection. Parallel Detection on the compliant device senses the link speed, but configures its port as Half Duplex.

[Figure: one side configured AUTONEG, the other side configured 100M FULL; actual result 100M HALF on the autonegotiating side versus 100M FULL on the other, causing COLLISIONS]


Switch Port MDI/MDIX


The device can automatically correct errors in cable selection, and make the distinction between a "straight through" cable and a "crossover" cable irrelevant. This capability is known as Auto-MDI/MDIX. Auto MDI/MDIX works only on copper ports. A port can be set to either MDI, MDIX or Auto. Auto is the default setting for all ports. The MDI/MDIX setting is separate from the speed/duplex auto-negotiation setting.


Port Configuration - Autonegotiation, Speed


To change speed and duplex mode of a switch port:
awplus# configure terminal
awplus(config)# interface port1.0.2
awplus(config-if)# duplex (auto | full | half)
awplus(config-if)# speed (10 | 100 | 1000 | auto)


Port Configuration - MDI-X Interface Configuration


The mdix Interface Configuration (Ethernet) mode command enables cable crossover on a given interface.
awplus(config)# interface port1.0.1
awplus(config-if)# mdix auto
The parameters for the mdix command are: On, Auto

To force the port to MDI mode, use the no form of this command.
awplus(config)# interface port1.0.1
awplus(config-if)# no mdix


Port Configuration - Viewing Port Information


To get full information about Ethernet ports:

awplus# show interface port1.0.1

Interface port1.0.1
  Scope: both
  Link is UP, administrative state is UP
  Hardware is Ethernet, address is 0000.cd24.daeb (bia 0000.cd24.daeb)
  VRRP Master of : VRRP is not configured on this interface.
  index 5001 metric 1 mtu 1500 duplex-full speed 1000 polarity auto
  <UP,BROADCAST,RUNNING,MULTICAST>
  VRF Binding: Not bound
  Bandwidth 1g
    input packets 2396, bytes 324820, dropped 0, multicast packets 2370
    output packets 73235, bytes 4906566, multicast packets 73218 broadcast packets 7


AlliedWare Plus(TM) Feature Licensing

Licensing Overview
Products ship with the base software release enabled for use.
The licensing system is only for additional feature licenses. For example, the Advanced Layer 3 feature bundle includes:
BGP
OSPF
PIM
VLAN Double Tagging

Feature licenses are obtained from an authorized distributor or reseller. If a license key expires or a proper key is not installed, some software features will not be available.


Activate software feature license


These commands enable or disable the specified licensed software feature set.
Syntax:
license <name> <key>
no license [<name>|index <index-number>]

Parameters:
<name>          The license name of the software feature. To display enabled license names, use the show license command. The default license names are issued with encrypted keys that enable the features. Default names can be changed but must be 15 characters or less.
<key>           The encrypted license key to enable this software feature.
<index-number>  The index number of the software feature. To display the index number, use the show license command.

Web management

Web management Introduction


Graphical User Interface (GUI)

The following slides describe how to install, configure and use the Graphical User Interface (GUI) on switches running the AlliedWare Plus OS.


Graphical User Interface (GUI) - Introduction


The GUI functionality is provided via a Java applet file. Before you can use the GUI to manage your switches, you must download the Java applet file and install it to your switch's flash file system.
Step 1: Download a GUI Java applet file from the Support area of the Allied Telesis Website.
The version number of the software applet file (.jar) gives the earliest version of the software file (.rel) that the GUI can operate with.

Step 2: Copy the GUI applet .jar file onto a switch's flash


Copy the GUI applet .jar file onto a TFTP server. Ensure this TFTP server is enabled and ready for the switch. Connect to the management port of the switch, then log in to the switch.

Graphical User Interface (GUI) - Introduction


Step 3: Assign the IP addresses:
awplus# configure terminal
awplus(config)# interface vlan1
awplus(config-if)# ip address <address>/<prefixlength>

Step 4: Configure the Default Gateway if needed:
awplus(config-if)# exit
awplus(config)# ip route 0.0.0.0/0 <gateway address>

Step 5: Copy the GUI Java applet to your switch:
awplus# copy tftp://<server-address>/<filename.jar> flash:/

Graphical User Interface (GUI) - Introduction


Step 6: Create a user account
awplus(config)# username <username> privilege 15 guiuser password <password>

Step 7: Logging into the GUI
Start a browser, then enter the IP address you configured in step 3 as the URL. You will then be presented with a login screen after the GUI Java applet has started. You can then log in with the username and password that you defined previously in step 6.

L2 Switching

L2 Switching: Table of Contents


L2 Switching Basics
MAC Address Table / Forwarding Database
Broadcast Storm Control / Broadcast Limiting
Port Mirroring
Port Security
Layer 2 Filtering


L2 Switching Basics


L2 Switching Basics: Ethernet Addressing - Introduction


Normally, one address is permanently associated with each switch. This means that each Ethernet device is manufactured with a unique address stored in ROM. This individual address is called the Hardware MAC Address. These (globally administered) unique addresses are allocated in address blocks to organizations in a centralized manner. A block is identified by the first 3 bytes, called the OUI (Organizationally Unique Identifier). Allied Telesis, for example, has the following ranges of addresses (besides others) assigned to it:
00-A0-D2-xx-xx-xx
00-00-CD-xx-xx-xx
00-09-41-xx-xx-xx
00-15-77-xx-xx-xx

There are specific types of addresses that are essential for some of the higher layer protocols:

Multicast Address - a multi-destination address; a packet is forwarded to multiple nodes
Broadcast Address - a single Multicast address intended for all nodes

L2 Switching Basics: A switch forwards packets:


Packets are received and switched by the switch chip, which is directly connected to the ports. The switch chip decides what to do with these packets based on a series of dynamic tables in the chip. Some packets (like broadcasts, and those addressed to the switch itself) are sent up to the CPU, but the vast majority of packets are dealt with inside the switch chip.


L2 Switching Basics: Relationship between switch chip and CPU


Many of the packets sent to the CPU are packets belonging to networking protocols, like ARP, OSPF, IGMP, LACP etc. The CPU processes these protocol packets. Based on current protocol states, it will configure the dynamic tables in the switch chip that control switching and routing.


MAC Address Table / Forwarding Database


Forwarding Database

When a switch is first powered up, its FDB is, of course, empty. The switch cannot possibly know in advance all the MAC addresses in use in the network, and which VLANs all those MAC addresses reside in. So, it needs to learn all the MAC address/VLAN combinations as packets start to flow through it. In essence, this learning process is very simple. If the switch sees a packet arrive on VLAN X on port Y with source MAC A, it says: "I have now learned that the host with MAC address A can be reached on VLAN X via port Y. I will store that information in the FDB." The exception to this is if learning is disabled using port security.


MAC Address Table / Forwarding Database


Address Learning (Example when IPv4 is the L3 protocol)
PC A needs to know PC B's MAC address (IP is known)
An ARP packet is generated by PC A (Broadcast)
The L2 switch learns PC A's MAC address when the ARP ingresses port 1
The L2 switch broadcasts the ARP request out the other ports
PC B recognizes its own IP address; the other hosts discard these ARP requests
PC B learns PC A's MAC address (ARP table)

[Figure: ARP Packet D.MAC FF-FF, D.IP 1.11, S.MAC 00-0A, S.IP 1.10 enters the L2 switch on port 1 from PC A (MAC 00-0A, IP 1.10) and is flooded out the other ports, reaching PC B (MAC 00-0B, IP 1.11) on port 20. L2 Switch MAC Table: 00-0A on port 1. PC B ARP Table: MAC 00-0A, IP 1.10]


MAC Address Table / Forwarding Database


Address Learning (Example when IPv4 is the L3 protocol)
PC B answers PC A, communicating its MAC address (unicast)
The switch learns PC B's MAC address into its MAC table
PC A learns PC B's MAC address into its ARP table

[Figure: ARP Packet D.MAC 00-0A, D.IP 1.10, S.MAC 00-0B, S.IP 1.11 enters on port 20 from PC B and is sent only to port 1. L2 Switch MAC Table: 00-0A on port 1, 00-0B on port 20. PC A ARP Table: MAC 00-0B, IP 1.11]

MAC Address Table / Forwarding Database


Address Learning (Example when IPv4 is the L3 protocol)
Traffic generated by PC A destined to PC B (unicast) will egress only port 20.

[Figure: Data Packets D.MAC 00-0B, D.IP 1.11, S.MAC 00-0A, S.IP 1.10 enter on port 1 and egress only port 20. L2 Switch MAC Table: 00-0A on port 1, 00-0B on port 20. PC A ARP Table: MAC 00-0B, IP 1.11]
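The learning and forwarding sequence of the three Address Learning slides above, as an added Python model that is not part of the course material: the switch learns (VLAN, source MAC) -> port as frames arrive, floods broadcasts, multicasts and destination lookup failures within the VLAN, and sends a known unicast out exactly one port. The L2Switch class, the port names and the full-length MAC addresses standing in for the slides' 00-0A and 00-0B are constructed for this example.

```python
from typing import Dict, List, Set, Tuple


def is_group_address(mac: str) -> bool:
    """I/G bit (least significant bit of the first byte) set means a multicast
    address; the all-ones broadcast address is the special case meant for all nodes."""
    return int(mac.split("-")[0], 16) & 0x01 == 1


class L2Switch:
    """Model of the learning/forwarding behaviour described on the slides.

    The FDB maps (VLAN, MAC) -> port. Hypothetical class, not AlliedWare Plus code.
    """

    def __init__(self, ports: List[str]):
        # All ports start as untagged members of VLAN 1, as on a default switch.
        self.vlan_members: Dict[int, Set[str]] = {1: set(ports)}
        self.fdb: Dict[Tuple[int, str], str] = {}
        # Ports where learning has been switched off (e.g. by port security).
        self.learning_disabled: Set[str] = set()

    def receive(self, in_port: str, vlan: int, src: str, dst: str) -> List[str]:
        """Learn the source, then return the egress port list for the destination."""
        src, dst = src.lower(), dst.lower()
        members = self.vlan_members[vlan]
        if in_port not in members:
            return []                      # ingress port is not in this VLAN: nothing to forward
        # Learning: "the host with MAC src can be reached on VLAN vlan via in_port".
        if in_port not in self.learning_disabled and not is_group_address(src):
            self.fdb[(vlan, src)] = in_port
        flood = sorted(members - {in_port})
        if is_group_address(dst):
            return flood                   # broadcast / multicast: every other port in the VLAN
        out = self.fdb.get((vlan, dst))
        if out is None:
            return flood                   # destination lookup failure (DLF): flood like a broadcast
        if out == in_port:
            return []                      # destination sits behind the ingress port: filter it
        return [out]                       # known unicast: exactly one egress port

    def mac_address_table(self) -> List[Tuple[int, str, str, str]]:
        """Rows in the order 'show mac address-table' prints them: VLAN, port, mac, type."""
        return sorted((vlan, port, mac, "dynamic") for (vlan, mac), port in self.fdb.items())
```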

Layer 2 Filtering Configuration


The switch has a Forwarding Database, with entries which determine whether frames are forwarded or discarded, based on destination MAC address. This database is also called the MAC address table. Entries are created dynamically by the Learning Process. They can be created manually as well. Try show mac address-table to see the MAC table:

awplus# sho mac addr
VLAN  port       mac             type
1     CPU        0000.cd27.c147  static   forward
1     port1.0.1  0004.615f.cd8b  dynamic  forward
1     port1.0.1  0009.6be3.d55f  dynamic  forward
1     port1.0.1  000e.a690.7c5d  dynamic  forward
1     port1.0.1  0015.0c52.54ff  dynamic  forward


Broadcast Storm Control / Broadcast Limiting

Broadcast Storm Control / Limiting


[Figure: a broadcast storm arriving at a switch that has Broadcast Storm Control enabled]

Broadcast Storm Control / Limiting

Introduction
The device can measure the rate of incoming broadcast frames on each port separately, and discard frames when the rate exceeds a user-set threshold. The storm control feature is enabled/disabled separately for each port. It can be applied separately to broadcast, multicast or DLF (Destination Lookup Failure) traffic. The desired rate threshold is applied separately to each port. The threshold is set as a percentage of the port's bandwidth.


Broadcast Storm Control / Limiting - Enabling / Disabling Broadcast Limiting


The storm-control Interface Configuration (Ethernet) mode command enables broadcast (or multicast or DLF) storm control on a port:
awplus(config)# interface port1.0.1
awplus(config-if)# storm-control {broadcast|multicast|dlf} level <level>

Parameters:
<level>     <0-100> Specifies the threshold as a percentage of the maximum port speed.
broadcast   Applies the storm control to broadcast frames.
multicast   Applies the storm control to multicast frames.
dlf         Applies the storm control to destination lookup failure traffic.
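The per-port, per-class threshold described on the two storm control slides above, as an added Python model that is not part of the course material: each policed class is counted over a fixed one-second window and discarded once its volume exceeds level% of the port speed (the measurement interval AlliedWare Plus actually uses is not given on the page and is an assumption here). The StormControl and classify names and the 100 Mbit/s port are constructed for the example.

```python
from typing import Dict, Tuple

TRAFFIC_CLASSES = ("broadcast", "multicast", "dlf")   # the three classes storm-control accepts


def classify(dst_mac: str, known_in_fdb: bool) -> str:
    """Class the policer keys on: broadcast, multicast, dlf (unknown unicast) or unicast."""
    if dst_mac.lower() == "ff-ff-ff-ff-ff-ff":
        return "broadcast"
    if int(dst_mac.split("-")[0], 16) & 0x01:   # I/G bit set: group address
        return "multicast"
    return "unicast" if known_in_fdb else "dlf"


class StormControl:
    """Per-port policer (hypothetical model): a class is discarded once its ingress volume
    in the current measurement window exceeds level% of the port speed."""

    def __init__(self, port_speed_bps: int, window_s: float = 1.0):
        self.port_speed_bps = port_speed_bps
        self.window_s = window_s                             # assumed measurement interval
        self.levels: Dict[str, int] = {}                     # class -> percent (0-100)
        self.windows: Dict[str, Tuple[float, int]] = {}      # class -> (window start, bits seen)
        self.discarded: Dict[str, int] = {c: 0 for c in TRAFFIC_CLASSES}

    def configure(self, traffic_class: str, level: int) -> None:
        """Equivalent of: storm-control {broadcast|multicast|dlf} level <0-100>."""
        if traffic_class not in TRAFFIC_CLASSES or not 0 <= level <= 100:
            raise ValueError("invalid storm-control parameters")
        self.levels[traffic_class] = level

    def threshold_bits(self, traffic_class: str) -> int:
        """Bits allowed per window: level percent of the port's bandwidth."""
        return int(self.port_speed_bps * self.window_s) * self.levels[traffic_class] // 100

    def ingress(self, traffic_class: str, frame_len_bytes: int, now: float) -> bool:
        """Return True if the frame is forwarded, False if storm control discards it."""
        if traffic_class not in self.levels:
            return True                                      # class not policed on this port
        start, bits = self.windows.get(traffic_class, (now, 0))
        if now - start >= self.window_s:
            start, bits = now, 0                             # new measurement window
        bits += frame_len_bytes * 8                          # incoming rate counts every frame
        self.windows[traffic_class] = (start, bits)
        if bits > self.threshold_bits(traffic_class):
            self.discarded[traffic_class] += 1
            return False
        return True
```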

Port Mirroring


Overview
This feature allows traffic flowing through a switch port to be sent to another switch port (the mirror port). It can be used to capture data with a protocol analyzer. Either traffic received on a port, traffic transmitted on a port, or both can be mirrored.

[Figure: traffic on a switch port copied to the mirror port, which connects to an Analyzer]


Port Mirroring

Overview
One mirror port for traffic monitoring is supported system-wide (tx and rx). The user can choose whether to mirror only Rx traffic, only Tx traffic, or both. It is often possible to specify several ports to be monitored by a single target port. However, in these cases, any excess traffic will silently be discarded (and the user will not know which packets were discarded). Port Mirroring is only relevant to physical ports.


Port Mirroring Configuration

Example Configuration
Before the mirror port can be set, it must be removed from all VLANs except the default VLAN. The mirror port cannot be part of an aggregated link. A mirror port will not participate in any switching.

Configuration: mirroring ports 2 & 4 to port 23:

Outgoing port (capture):
awplus(config)# interface port1.0.23

Source ports:
awplus(config-if)# mirror interface port1.0.2,port1.0.4 direction both

Port Mirroring Configuration - Example Configuration


The direction of captured traffic can be defined:
mirror interface port1.0.2,port1.0.4 direction <Value>
  both      Mirror traffic in both directions
  receive   Mirror received traffic
  transmit  Mirror transmit traffic

End mirror:
awplus(config)# interface port1.0.23
awplus(config-if)# no mirror interface port1.0.2,port1.0.4

Display mirror:
awplus# show mirror


Port Mirroring Configuration

Example Configuration
awplus# show mirror interface port1.0.2
Mirror Test Port Name: port1.0.23
Mirror option: Enabled
Mirror direction: both
Monitored Port Name: port1.0.2

[Figure: data on the source ports Port1.0.2 and Port1.0.4 being mirrored to the Mirror Port Port1.0.23 (outgoing port, capture), which connects to the Analyzer]

Layer 2 Filtering


Configuration
To insert a static lookup entry, simply use:
awplus# config terminal
awplus(config)# mac address-table static 2222.2222.2222 forward interface port1.0.4 vlan 1
The static entry may be either forward or discard.


Port Security


Overview
The port security feature allows control over which stations may send data into each switch port, by analyzing MAC addresses. Some switches offer a feature which defines a limit on the number of MAC addresses the switch will learn on certain ports. For a given port, once the limit is reached, the switch will lock out all other source MAC addresses arriving on that port. Depending on the switch hardware, the number of MAC addresses that can be stored, to compare them with the MAC addresses of the attached systems, can differ.

Port Security

Overview
When an unknown MAC is detected on a locked port the switch will take one of these actions:
Discard the packet and take no further action
Discard the packet and notify management with an SNMP trap
Discard the packet, notify management with an SNMP trap and disable the port


Port Security Configuration Example


To enable port security on a port:
awplus# configure terminal
awplus(config)# interface port1.0.1
awplus(config-if)# switchport port-security

To disable port security:
awplus(config-if)# no switchport port-security

To set the action to be taken:
awplus(config-if)# switchport port-security violation (shutdown | restrict | protect)

To disable the action:
awplus(config-if)# no switchport port-security violation

Port Security

Configuration Example
Configure the maximum number of MAC addresses for a port and whether aging is enabled before the violation occurs:
awplus# config terminal
awplus(config)# interface port1.0.1
awplus(config-if)# switchport port-security aging
awplus(config-if)# switchport port-security max 1

To remove the max parameter, and return to no max limit on the port:
awplus(config-if)# no switchport port-security max


Port Security Learnt Addresses


When Port Security is enabled, learnt MAC addresses appear in the running-config as L2 Filtering Forward entries:
!
mac address-table static 2222.2222.2222 forward interface port1.0.4 vlan 1
mac address-table static 4444.4444.4444 forward interface port1.0.10 vlan 5
!

If you save the running-config to startup-config, those would behave as static MAC entries upon the next reboot.

Port Security
Configuration Example
The port security configuration can be shown by the following:
awplus> show port-security interface port1.0.1
Port Security configuration
------------------------------------------------------------
Security Enabled              : YES
Port Status                   : ENABLED
Violation Mode                : DISABLE
Aging                         : ON
Maximum MAC Addresses         : 1
Current Learned Addresses     : 1
Lock Status                   : LOCKED
Security Violation Count      : 0
Last Violation Source Address : 00-15-0c-52-54-ff
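The port security behaviour of the slides above (maximum learned addresses, aging, the three violation actions, the running-config forward entries and the show port-security fields), as an added Python model that is not part of the course material. It assumes the conventional mapping of the violation modes to the three actions listed earlier: protect = discard, restrict = discard and SNMP trap, shutdown = discard, trap and disable the port; the PortSecurity class and the sample addresses are constructed for the example.

```python
from typing import Dict, List, Optional

VIOLATION_MODES = ("protect", "restrict", "shutdown")


class PortSecurity:
    """One port's port-security state (hypothetical model, not AlliedWare Plus code).

    At most `max_addresses` source MACs are learned; a further unknown source is a
    violation. Assumed mode mapping: protect = discard; restrict = discard + SNMP trap;
    shutdown = discard + trap + disable the port.
    """

    def __init__(self, port: str, vlan: int, max_addresses: int = 1,
                 violation: str = "protect", aging: bool = False, age_time_s: float = 300.0):
        if violation not in VIOLATION_MODES:
            raise ValueError("violation must be one of " + ", ".join(VIOLATION_MODES))
        self.port, self.vlan = port, vlan
        self.max_addresses = max_addresses
        self.violation = violation
        self.aging, self.age_time_s = aging, age_time_s
        self.learned: Dict[str, float] = {}          # mac -> time last seen
        self.port_enabled = True
        self.violation_count = 0
        self.last_violation_source: Optional[str] = None
        self.traps: List[str] = []                    # SNMP traps that would be sent

    def ingress(self, src_mac: str, now: float) -> str:
        """Return 'forward' or 'discard' for a frame with this source MAC."""
        src_mac = src_mac.lower()
        if not self.port_enabled:
            return "discard"                          # port was shut down by an earlier violation
        self._age_out(now)
        if src_mac in self.learned or len(self.learned) < self.max_addresses:
            self.learned[src_mac] = now               # known station, or room left to learn it
            return "forward"
        # Limit reached and the source is unknown: this is a violation.
        self.violation_count += 1
        self.last_violation_source = src_mac
        if self.violation in ("restrict", "shutdown"):
            self.traps.append(f"port-security violation on {self.port} from {src_mac}")
        if self.violation == "shutdown":
            self.port_enabled = False
        return "discard"

    def _age_out(self, now: float) -> None:
        """With aging on, a learned address unused for age_time_s frees its slot."""
        if self.aging:
            for mac in [m for m, seen in self.learned.items() if now - seen >= self.age_time_s]:
                del self.learned[mac]

    def running_config_entries(self) -> List[str]:
        """Learned addresses show up in running-config as L2 filtering forward entries."""
        return [f"mac address-table static {mac} forward interface {self.port} vlan {self.vlan}"
                for mac in sorted(self.learned)]

    def status(self) -> Dict[str, object]:
        """The fields 'show port-security interface' displays."""
        return {
            "Security Enabled": "YES",
            "Port Status": "ENABLED" if self.port_enabled else "DISABLED",
            "Violation Mode": self.violation.upper(),
            "Aging": "ON" if self.aging else "OFF",
            "Maximum MAC Addresses": self.max_addresses,
            "Current Learned Addresses": len(self.learned),
            "Lock Status": "LOCKED" if len(self.learned) >= self.max_addresses else "UNLOCKED",
            "Security Violation Count": self.violation_count,
            "Last Violation Source Address": self.last_violation_source,
        }
```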


Virtual LANs

What is a Virtual LAN?


A logical grouping of network users and resources connected to administratively defined ports on a switch.
VLANs break up broadcast domains in a pure switched inter-network.
VLAN features allow the network to be segmented by software management, improving network performance and security.
Workstations, servers and other network equipment connected to the switch can be grouped according to similar data and security requirements.

VLAN: IEEE 802.1Q

[Figure: a single switch where every port is in one large broadcast domain; a broadcast reaches all ports]

VLAN: IEEE 802.1Q

[Figure: the same switch divided into VLAN 2 Staff (ports 1-16), VLAN 3 Students (ports 17-32) and VLAN 4 Faculty (ports 33-48); a broadcast stays within its own VLAN]

Separate a single physical LAN into multiple Virtual LANs: multiple broadcast domains.

Benefits of VLANs

Increased security
Ports in a VLAN can be configured to have limited access to resources.
Switches can be configured to inform a network management station of any unauthorized access to network resources.
Able to place restrictions on hardware addresses, protocols, and applications.

Flexibility
Users can be added to a workgroup regardless of their location.

Capacity
When a VLAN has a large number of users, broadcasts can reduce performance, but it is a simple process to implement further VLANs.

If inter-VLAN communication is required it can be achieved using a router or layer 3 switch. Restrictions on data flow can be implemented on either device.

VLAN: IEEE 802.1Q


[Figure: VLAN 2 Staff (ports 1-16), VLAN 3 Students (ports 17-32) and VLAN 4 Faculty (ports 33-48) exist on two switches; each VLAN needs its own data link between the switches]

Limitations:
Sharing network resources, such as servers and printers, across multiple VLANs can be difficult.
A VLAN that spans several switches requires a port on each switch for the interconnection of the various parts of the VLAN.

Tagging
Tagging is used to make a remote device understand the destination VLAN.

[Figure: a local device and a remote device connected through a RED tagged port on each side]

802.1q Frame Tagging


To accommodate VLAN identification within an Ethernet frame, a 4-byte 802.1q Tag is added to the frame. This increases the maximum Ethernet frame size to 1522 bytes. The format for an Ethernet tagged frame is shown below. In an Ethernet frame, the TPID is 2 bytes long and will contain the value of 81-00.

D/A     | S/A     | 802.1q  | Type    | Data          | FCS
6 bytes | 6 bytes | 4 bytes | 2 bytes | 46-1500 bytes | 4 bytes

802.1q tag: Tag Protocol ID (16 bits) | Priority (3 bits) | CFI (1 bit) | VLAN ID (12 bits)
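The tagged frame layout above, as an added Python example that is not part of the course material: it packs the TPID and the Priority/CFI/VLAN ID fields into the 4-byte tag, decodes them back, and shows how stripping the tag on an untagged egress port and the 1522-byte maximum follow from the layout. The function names and the sample addresses are constructed for the example, and the FCS is left off the assembled bytes.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol ID: the 2 bytes after S/A that mark a tagged frame (81-00)


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, cfi: int = 0) -> bytes:
    """Assemble D/A | S/A | 802.1q tag | Type | Data. The FCS is not appended.

    The 4-byte tag is the 16-bit TPID followed by the 16-bit TCI, which packs
    Priority (3 bits), CFI (1 bit) and VLAN ID (12 bits) in that order.
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("tag field out of range")
    tci = (pcp << 13) | (cfi << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'tagged' is False and 'vid' is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    first_type = struct.unpack("!H", frame[12:14])[0]
    if first_type != TPID_8021Q:
        # Untagged: the 2 bytes after S/A are already the Type field.
        return {"dst": dst, "src": src, "tagged": False, "pcp": None, "cfi": None,
                "vid": None, "ethertype": first_type, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True,
            "pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "ethertype": ethertype, "payload": frame[18:]}


def strip_tag(frame: bytes) -> bytes:
    """What an untagged egress port does: drop the 4 tag bytes and keep everything else."""
    if parse_frame(frame)["tagged"]:
        return frame[:12] + frame[16:]
    return frame


def max_frame_size(tagged: bool) -> int:
    """14-byte header + 1500-byte maximum Data + 4-byte FCS, plus 4 tag bytes when tagged."""
    return 14 + 1500 + 4 + (4 if tagged else 0)
```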

Rules
A port can transmit either untagged packets or VLAN tagged packets to a VLAN of which it is a member, but not both (because in that VLAN the port is tagged or untagged, not both).
A port can be tagged for more than one VLAN, so that a single port can be used to uplink several VLANs to another compatible switch.
A VLAN can contain a mixture of VLAN tagged and untagged ports.
By assigning a port to two different VLANs, to one as an untagged port and to another as a tagged port, it is possible for the port to transmit both VLAN-tagged and untagged frames.
A port can be untagged for zero or one VLAN, and can be tagged for zero or more different VLANs.
A port must belong to a VLAN at all times unless the port has been set as the mirror port for the switch.


VLAN Awareness
The switch is VLAN aware, in that it can accept VLAN tagged frames, and it supports the VLAN switching required by such tags.
A network can contain a mixture of VLAN aware devices, for instance other 802.1Q compatible switches, and VLAN unaware devices, for instance workstations and legacy switches that do not support VLAN tagging.
The switch can be configured to send VLAN tagged or untagged frames on each port, depending on whether or not the devices connected to the port are VLAN aware.

VLAN: IEEE 802.1Q


[Figure: a switch with VLAN 2 Staff (ports 1-16), VLAN 3 Students (ports 17-32) and VLAN 4 Faculty (ports 33-48); port 49, tagged for Staff, Students & Faculty (802.1Q-compliant), carries the data of all three VLANs over a single link to port 49 of a second switch]

One port on the switch can be configured as an uplink to another 802.1Q-compatible switch. By using VLAN tagging, this one port can carry traffic from all VLANs on the switch.

VLAN: IEEE 802.1Q


[Figure: as on the previous slide, port 49 tagged for Staff, Students & Faculty uplinks to the second switch; port 50, tagged for Staff and Students, connects to a Server whose Ethernet card is tagged for the Staff and Students VLANs]

VLAN: IEEE 802.1Q


[Figure: as on the previous slide, port 49 tagged for Staff, Students & Faculty uplinks to the second switch; port 50, tagged for Staff and Students, connects to a single port on a Router that is tagged for the Staff and Students VLANs]

Ingress Rules
The Ingress Rules for the port check the VLAN tagging in the frame to determine whether it will be discarded or forwarded to the Learning Process.
The Acceptable Frames parameter is set to: Admit All Frames (default) or Admit Only VLAN Tagged Frames.

If Ingress Filtering is enabled, frames are admitted only if they have the VID of a VLAN to which the port belongs. Ingress Filtering is enabled by default.

Tagged Link
The uplink port is tagged for VLAN 100 on both devices.

[Figure: device 1 MAC table: 0A on port 16, VLAN 100(U); 0B on port 49, VLAN 100(T). Device 2 MAC table: 0A on port 49, VLAN 100(T); 0B on port 25, VLAN 100(U). A frame D=0B S=0A leaves port 16 untagged, crosses the port 49 link tagged with VLAN 100, and is delivered untagged on port 25]

Wrong configuration
The uplink port is tagged for VLAN 100 on only one device.

[Figure: device 1 (MAC table: 0A on port 16, VLAN 100(U)) sends the frame D=0B S=0A tagged out port 49; on device 2 (MAC table: 0B on port 25, VLAN 100(U)) port 49 is untagged, so the Ingress Rule discards the frame (X) and it never reaches port 25]
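The Ingress Rules and the two uplink figures above, as an added Python model that is not part of the course material. It assumes, in line with the figures, that a tagged frame is admitted only for a VLAN the port is tagged for while an untagged frame is classified into the port's untagged VLAN; PortVlanConfig, ingress_rule and uplink_check are constructed names.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class PortVlanConfig:
    """VLAN membership of one switch port (hypothetical model of the slides' rules)."""
    name: str
    untagged_vlan: Optional[int] = None                    # untagged for at most one VLAN (the PVID)
    tagged_vlans: Set[int] = field(default_factory=set)    # tagged for zero or more VLANs
    acceptable_frames: str = "all"                         # "all" (default) or "tagged"
    ingress_filtering: bool = True                         # enabled by default


def ingress_rule(port: PortVlanConfig, frame_vid: Optional[int]) -> Tuple[str, Optional[int]]:
    """Apply the Ingress Rules to a frame arriving on `port`.

    frame_vid is None for an untagged frame. Returns ("forward", vlan) when the frame
    goes on to the Learning Process in that VLAN, or ("discard", None).
    """
    if frame_vid is None:
        if port.acceptable_frames == "tagged":
            return ("discard", None)               # Admit Only VLAN Tagged Frames
        if port.untagged_vlan is None:
            return ("discard", None)               # no VLAN to classify an untagged frame into
        return ("forward", port.untagged_vlan)     # untagged frame belongs to the port's untagged VLAN
    if port.ingress_filtering and frame_vid not in port.tagged_vlans:
        return ("discard", None)                   # tagged for a VLAN this port is not tagged for
    return ("forward", frame_vid)


def uplink_check(local: PortVlanConfig, remote: PortVlanConfig, vlan: int) -> bool:
    """True when frames of `vlan` pass the receiving port's Ingress Rules in both directions."""
    for sender, receiver in ((local, remote), (remote, local)):
        if vlan in sender.tagged_vlans:
            sent_vid: Optional[int] = vlan         # sender transmits the frame tagged
        elif sender.untagged_vlan == vlan:
            sent_vid = None                        # sender transmits it untagged
        else:
            return False                           # sender is not a member of the VLAN at all
        verdict, classified = ingress_rule(receiver, sent_vid)
        if verdict != "forward" or classified != vlan:
            return False
    return True
```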

VLAN - Gateway Addressing


Traffic is switched at Layer 2 within a VLAN. Traffic is switched at Layer 3 between VLANs.

[Figure: L2 switching within a VLAN, L3 switching between VLANs]

The Default VLAN


By default, the switch is configured to include all ports as untagged members of a single default VLAN, with no VLAN tagging required on incoming frames, or added to outgoing frames.
This default VLAN cannot be deleted from the switch.
If all the devices on the physical LAN are to belong to the same logical LAN, that is, the same broadcast domain, then the default settings will be acceptable, and no additional VLAN configuration is required.


VLAN Ports
VLAN ports have two mode options:
Access: allows only untagged frames, i.e. a normal untagged port.
Trunk: this is a normal 802.1Q port where you add the VLANs to the port tagged and then set the native VLAN as the untagged VLAN.

console# configure
console(config)# interface port1.0.1
console(config-if)# switchport mode access
console(config-if)# switchport mode trunk

VLAN Configuration
To create or delete a VLAN
awplus# configure terminal
awplus(config)# vlan database
awplus(config-vlan)# vlan 2 name test1
awplus(config-vlan)# vlan 3
awplus(config-vlan)# vlan 4-6
awplus(config-vlan)# no vlan 5
awplus(config-vlan)# exit

Adding or Deleting Ports


To add untagged port(s) to a VLAN, go to config mode for the port and set those ports to access mode for that VLAN:
awplus# configure terminal
awplus(config)# interface port1.0.2
awplus(config-if)# switchport access vlan 2
awplus(config-if)# exit

To delete untagged ports from a VLAN:
awplus(config)#interface port1.0.2
awplus(config-if)#no switchport access vlan


Adding or Deleting Ports


To add a list of ports (note the format of the port list):
awplus# configure terminal
awplus(config)# interface port1.0.1,port1.0.3-port1.0.6
awplus(config-if)# switchport access vlan 2
awplus(config-if)# exit

Native VLAN Using Trunk mode:


In this example port1.0.1 is set up with VLAN 2 and 3 tagged and VLAN 4 untagged.
awplus# configure terminal
awplus(config)# interface port1.0.1
awplus(config-if)# switchport mode trunk
awplus(config-if)# switchport trunk native vlan 4
awplus(config-if)# switchport trunk allowed vlan add 2,3

Display the trunked and access VLANs from the previous slide:
awplus# sho vlan brief
VLAN ID Name             Type    State   Member ports
                                         (u)-Untagged, (t)-Tagged
======= ================ ======= ======= ====================================
1       default          STATIC  ACTIVE  port1.0.2(u) port1.0.3(u) port1.0.4(u)
                                         port1.0.5(u) port1.0.6(u) port1.0.7(u)
                                         port1.0.8(u) port1.0.9(u) port1.0.10(u)
                                         port1.0.11(u) port1.0.12(u) port1.0.13(u)
                                         port1.0.14(u) port1.0.15(u) port1.0.16(u)
                                         port1.0.17(u) port1.0.18(u) port1.0.19(u)
                                         port1.0.20(u) port1.0.21(u) port1.0.22(u)
                                         port1.0.23(u) port1.0.24(u)
2       my2              STATIC  ACTIVE  port1.0.1(t)
3       my3              STATIC  ACTIVE  port1.0.1(t)
4       my4              STATIC  ACTIVE  port1.0.1(u)

Private VLANs

Overview
A Private VLAN is a VLAN which contains ports that are prevented from communicating with each other at Layer 2. Also known as port-protected VLANs.

[Figure: a switch whose ports are in a private VLAN]

Private VLANs
One customer is not able to snoop on the traffic from any other, yet each customer is able to access another network (usually the Internet).

[Figure: Promiscuous Port 1.0.1 in Primary VLAN 20 connects to the Internet and a WEB Server; Ports 1.0.2 to 1.0.4 are in Community VLAN 21 plus Primary VLAN 20; Ports 1.0.6 to 1.0.8 are in Isolated VLAN 23 plus Primary VLAN 20; Ports 1.0.10 to 1.0.12 are in Community VLAN 22 plus Primary VLAN 20]

Private VLAN Configuration


Private VLAN Association
[Figure: a Primary VLAN on the switch with an Isolated VLAN and a Community VLAN associated to it]

Private VLAN Association


With AlliedWare Plus it is possible to associate one or more VLANs with an existing VLAN to provide separation for users within the VLAN. Private VLANs can contain both Isolated and Community VLANs. These are VLANs within the Primary VLAN and behave in different ways. Within the Primary VLAN there are also different port types which govern how the VLANs communicate. The port types are:
Promiscuous
Isolated
Community

Private VLAN Association


VLAN Types :

Primary VLAN
This is the VLAN to which the associations are made

Isolated
This VLAN contains ports that will have complete layer 2 segregation from each other, but can still communicate with the nominated promiscuous ports

Community

This VLAN contains ports that can communicate with other ports in their community or with the promiscuous ports


Private VLAN Association

VLAN Port Types:

Promiscuous port
- These ports are usually connected to routers, printers and file servers.

Host Port, Isolated
- These ports are usually connected to host devices that must not communicate with any other ports except the promiscuous ports.

Host Port, Community
- These ports can communicate with any port in their own VLAN and with the promiscuous ports.


Private VLAN Association

The process for creating the association for private VLANs is:
1. Create the Primary VLAN
2. Create the Isolated (and optionally any Community) VLANs
3. Allocate the ports to the VLANs
4. Associate the Isolated and Community VLANs with the Primary VLAN


Private VLAN example

Port              Mode         Untagged VLAN Membership   PVID
1.0.1             Promiscuous  20, 21, 22, 23             20
1.0.2 to 1.0.4    Host         20, 21                     21
1.0.10 to 1.0.12  Host         20, 22                     22
1.0.6 to 1.0.8    Host         20, 23                     23
1.0.5             Not a member of the private VLAN
1.0.9             Not a member of the private VLAN

Figure: promiscuous port 1.0.1 (Primary VLAN 20) leads to the Internet and a web server; ports 1.0.2 to 1.0.4 are in Community VLAN 21 plus Primary VLAN 20; ports 1.0.6 to 1.0.8 are in Isolated VLAN 23 plus Primary VLAN 20; ports 1.0.10 to 1.0.12 are in Community VLAN 22 plus Primary VLAN 20; ports 1.0.5 and 1.0.9 are not members of the private VLAN.


Private VLAN Configuration

Create the four VLANs 20 to 23.
awplus#configure terminal
awplus(config)#vlan database
awplus(config-vlan)#vlan 20-23

Set the private VLAN types: set the VLANs to be private and either primary, community, or isolated.
awplus(config-vlan)#private-vlan 20 primary
awplus(config-vlan)#private-vlan 21 community
awplus(config-vlan)#private-vlan 22 community
awplus(config-vlan)#private-vlan 23 isolated

Private VLAN Configuration

Associate the secondary VLANs with the primary VLAN.
awplus(config-vlan)#private-vlan 20 association add 21
awplus(config-vlan)#private-vlan 20 association add 22
awplus(config-vlan)#private-vlan 20 association add 23

Set port 1.0.1 to be the promiscuous port.
awplus(config-vlan)#exit
awplus(config)#interface port1.0.1
awplus(config-if)#switchport mode private-vlan promiscuous

Private VLAN Configuration

Set the other ports to be host ports.
awplus(config)#interface port1.0.2-1.0.4,port1.0.6-1.0.8,port1.0.10-1.0.12
awplus(config-if)#switchport mode private-vlan host

On the promiscuous port, map the primary VLAN to each of the secondary VLANs.
awplus(config-if)#exit
awplus(config)#interface port1.0.1
awplus(config-if)#switchport private-vlan mapping 20 add 21
awplus(config-if)#switchport private-vlan mapping 20 add 22
awplus(config-if)#switchport private-vlan mapping 20 add 23

Private VLAN Configuration

Associate the community host ports with the community VLANs.
awplus(config)#interface port1.0.2-1.0.4
awplus(config-if)#switchport private-vlan host-association 20 add 21
awplus(config)#interface port1.0.10-1.0.12
awplus(config-if)#switchport private-vlan host-association 20 add 22

Associate the isolated host ports with the isolated VLAN 23.
awplus(config)#interface port1.0.6-1.0.8
awplus(config-if)#switchport private-vlan host-association 20 add 23
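To see what the host-association and mapping commands buy at Layer 2, here is an added example (not course material or AlliedWare Plus code) that parses the walkthrough's commands into a port model and answers which ports can reach which. The parser, the port model and the transcript it reads are constructed for this illustration and cover only the commands shown above.

```python
"""Model of the private VLAN example above: which ports may exchange frames
at Layer 2 once the promiscuous, community and isolated roles are applied.
Added example, not AlliedWare Plus code; only the commands on these slides are parsed."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    mode: str = "host"                        # "promiscuous" or "host"
    secondary: Optional[int] = None           # VLAN a host port is associated with
    mapped: set = field(default_factory=set)  # secondaries mapped on a promiscuous port


@dataclass
class PrivateVlan:
    vlan_type: dict = field(default_factory=dict)  # vid -> primary/community/isolated
    ports: dict = field(default_factory=dict)      # "port1.0.2" -> Port


def expand_ports(spec: str) -> list:
    """'port1.0.2-1.0.4,port1.0.6-1.0.8' -> ['port1.0.2', 'port1.0.3', ...]"""
    out = []
    for item in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"port(\d+)\.(\d+)\.(\d+)(?:-(?:port)?\d+\.\d+\.(\d+))?", item)
        if not m:
            raise ValueError(f"unrecognised port specification: {item}")
        unit, slot, first, last = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        out += [f"port{unit}.{slot}.{n}" for n in range(first, int(last or first) + 1)]
    return out


def parse_config(lines) -> PrivateVlan:
    """Read the private VLAN commands of the walkthrough; other lines are ignored."""
    cfg, selected = PrivateVlan(), []
    for raw in lines:
        cmd = re.sub(r"^awplus\([^)]*\)#\s*", "", raw.strip())  # drop the CLI prompt
        tok = cmd.split()
        if tok[0] == "private-vlan" and tok[2] != "association":
            cfg.vlan_type[int(tok[1])] = tok[2]      # private-vlan 23 isolated
        elif tok[0] == "interface":
            selected = expand_ports(cmd.split(" ", 1)[1])
            for p in selected:
                cfg.ports.setdefault(p, Port())
        elif cmd.startswith("switchport mode private-vlan"):
            for p in selected:
                cfg.ports[p].mode = tok[-1]          # promiscuous or host
        elif cmd.startswith("switchport private-vlan host-association"):
            for p in selected:
                cfg.ports[p].secondary = int(tok[-1])
        elif cmd.startswith("switchport private-vlan mapping"):
            for p in selected:
                cfg.ports[p].mapped.add(int(tok[-1]))
    return cfg


def can_forward(cfg: PrivateVlan, src: str, dst: str) -> bool:
    """May a frame received on src be bridged out of dst within the private VLAN?"""
    if src == dst:
        return False
    a, b = cfg.ports[src], cfg.ports[dst]
    if "promiscuous" in (a.mode, b.mode):
        prom, host = (a, b) if a.mode == "promiscuous" else (b, a)
        # Two promiscuous ports always talk; a host reaches the promiscuous
        # port only if its secondary VLAN is mapped on that port.
        return host.mode == "promiscuous" or host.secondary in prom.mapped
    if a.secondary is None or b.secondary is None:
        return False                       # unassociated host port: no secondary VLAN
    if "isolated" in (cfg.vlan_type.get(a.secondary), cfg.vlan_type.get(b.secondary)):
        return False                       # isolated hosts see only the promiscuous port
    return a.secondary == b.secondary      # community hosts: their own community only


def unassociated_host_ports(cfg: PrivateVlan) -> list:
    """Host ports without a host-association: a common reason a host is silently cut off."""
    return sorted(p for p, port in cfg.ports.items()
                  if port.mode == "host" and port.secondary is None)


# The walkthrough above, re-typed as a constructed CLI transcript.
EXAMPLE_CONFIG = """
awplus(config-vlan)#private-vlan 20 primary
awplus(config-vlan)#private-vlan 21 community
awplus(config-vlan)#private-vlan 22 community
awplus(config-vlan)#private-vlan 23 isolated
awplus(config)#interface port1.0.1
awplus(config-if)#switchport mode private-vlan promiscuous
awplus(config-if)#switchport private-vlan mapping 20 add 21
awplus(config-if)#switchport private-vlan mapping 20 add 22
awplus(config-if)#switchport private-vlan mapping 20 add 23
awplus(config)#interface port1.0.2-1.0.4,port1.0.6-1.0.8,port1.0.10-1.0.12
awplus(config-if)#switchport mode private-vlan host
awplus(config)#interface port1.0.2-1.0.4
awplus(config-if)#switchport private-vlan host-association 20 add 21
awplus(config)#interface port1.0.10-1.0.12
awplus(config-if)#switchport private-vlan host-association 20 add 22
awplus(config)#interface port1.0.6-1.0.8
awplus(config-if)#switchport private-vlan host-association 20 add 23
""".strip().splitlines()

CFG = parse_config(EXAMPLE_CONFIG)
```

Dropping the last two lines of the transcript leaves ports 1.0.6 to 1.0.8 as host ports with no secondary VLAN, which is how `unassociated_host_ports` spots a forgotten host-association.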


Virtual Chassis Stacking

Virtual Chassis Stacking: Table of Contents
- Differences between Stacking and Clustering
- VCStack Introduction
- Connecting switches into a stack
- VCStack Configuration
- Software and configuration file synchronization
- Rolling Reboot
- Managing Stack Members
- Monitoring and troubleshooting


Virtual Chassis Stacking (VCStack): Difference between Cluster and Stack


Stacking and Clustering

Figure: a cluster is interconnected over Gigabit Ethernet with non-forwarding links (xSTP) and LACP; a stack is interconnected over high-speed stacking links.


Stacking and Clustering

Cluster
- A single IP address to manage several switches
- Switches in a cluster don't need to be directly interconnected
- A cluster is not a single switch: you can't configure some features across the cluster members (e.g. LACP)
- It is what we call management stacking or Enhanced Stacking

Stack
- A switch made of several units
- A single IP address to manage the whole stack
- High-speed stacking link
- All functionalities can be configured across the stack
- Switching tables are shared across stack members
- Centrally managed ports across stack members, created as a continuous set
- It is what we call Virtual Chassis Stacking


Virtual Chassis Stacking (VCStack): VCStack Introduction


VCStack Introduction: Stacking Benefits

Simplified Management
- A virtual chassis can be configured and managed via a single IP address
- Therefore reduces network administration overhead

Simplified Configuration
- Often redundancy protocols like VRRP and STP are not needed
- Therefore reduces management traffic on the network

Resiliency
- Aggregated links configured across different switches in the stack
- Full bandwidth from all links available for maximum throughput
- In the event of failure, a connection to the network core is maintained


VCStack Introduction: Stacking Benefits

Figure: example network with an SBx908 core (hardware redundancy, high bandwidth, QoS, stacking, high availability, simplified management, resilient links, scalability, future proof), x900 distribution switches and 8000S edge switches.


Virtual Chassis Stacking (VCStack): Connecting switches into a stack


Connecting switches into a stack

The proprietary high-speed communication protocol that is used over the stacking links requires multiple twisted pairs and a high level of shielding. Specialized cables and connections are required. The types of cables and connections available depend on the type of x-Series switches you are stacking:
- Back-port stacking on SwitchBlade x908 switches
- Front-port stacking using XEM-STKs on x900 Series switches
- AT-StackXG slide-in modules on x600 Series switches


Connecting switches into a stack

Back-port stacking on SBx908
- On the rear of the SwitchBlade x908 chassis, there is a pair of fixed stacking ports.
- Back-port stacking requires a specific cable (AT-HS-STK-CBL1.0). You have to order the cable separately from the chassis.
- Two SBx908 can be stacked together.
- Note that the cables are crossed over: port 1 of the top switch is connected to port 2 of the bottom switch, and vice versa.


Connecting switches into a stack

Back-port stacking on SBx908
- This provides 80Gbps FD of stacking bandwidth per stacking port
- Total bandwidth between units: 160Gbps
- Perfect for the enterprise core with very high bandwidth


Connecting switches into a stack

Front-port stacking using XEM-STKs on x900
- You can fit the XEM bays on x900 Series switches with a specialized stacking XEM called the XEM-STK (AT-XEM-STK).
- The specific cable type that connects these XEMs is purchased separately as either 0.5 or 2 meter long cables: AT-XEM-STK-CBL0.5, AT-XEM-STK-CBL2.0


Connecting switches into a stack

Front-port stacking using XEM-STKs on x900
- Each XEM-STK module has 2 x 15Gbps HD stacking connectors, so the total bandwidth between units is 60Gbps
- You can stack up to two switches
- You can stack x900-24XS and x900-24XT together
- You can stack two x900-12XT/S together
- You can't mix x900-12XT/S and x900-24X in a stack


Connecting switches into a stack

AT-StackXG slide-in modules on x600
- An AT-StackXG module can be inserted on the rear of any non-PoE x600
- You can't add an AT-StackXG to an x600 PoE model: on PoE models the stacking ports are built into the chassis (the cable must be purchased separately)
- The specific cable type that connects the AT-StackXG is purchased as either 0.5 or 1 meter long cables: AT-STACKXG/0.5, AT-STACKXG/1
- Each AT-STACKXG is shipped with one AT-STACKXG/0.5


Connecting switches into a stack

AT-StackXG slide-in modules on x600
- You can stack up to 4 x600 switches
- You can mix any x600 in a stack (PoE and non-PoE)
- Each stacking port provides 12 Gbps HD
- Total bandwidth of the stack is 48 Gbps FD


Virtual Chassis Stacking (VCStack): VCStack Configuration

VCStack Configuration
How the stack communicates
- The stack management uses a specific VLAN ID and an IP subnet. The default values are VLAN 4094 and subnet 192.168.255.0/28.
- You may need to change these values if they clash with a VLAN ID or subnet that is already in use in the network:
  awplus(config)#stack management subnet <ip-address>
  awplus(config)#stack management vlan <2-4094>
- The management traffic is queued to egress queue 7 on the stack link


VCStack Configuration
Roles of each switch in a stack

Each switch in a stack acts in one role:
- backup member (also called stack member)
- stack master (normally called the active master)
The stack members are controlled by the stack master. The stack master performs a number of tasks that a stack member does not perform:
- It controls all switch management activity
- It synchronizes boot release and configuration files with stack members
- All routing protocol packets are processed by the stack master. The stack master then transfers any requisite table updates to the stack members.


VCStack Configuration
Stack Master selection

Master selection is based on two parameters:
- Firstly, the stack member's priority setting
- Secondly, the MAC address
The switch with the lowest priority value becomes Master. The default priority is 128; change it to select a specific master:
awplus(config)#stack <switch stack ID> priority <0-255>
If several switches have the same priority, the one with the lowest MAC address becomes Master. Master selection is not related to the unit ID (i.e. the master need not be unit 1). Any switch in a stack can potentially be Stack Master.

VCStack Configuration
Stack Member ID

Each switch in a stack has an ID number, which can be an integer between 1 and 8. The default on each switch is a stack ID of 1. The stack IDs on each switch within a stack are unique. The system can automatically assign a unique ID number to each stack member. Each member's configuration is associated with its ID, which allows putting the stack in a pre-defined configuration.

In case of conflict, the system automatically modifies the ID of the unit with the higher MAC address. From software release 5.3.3, the MAC address of the stack is virtual, so when mastership changes, the MAC address stays the same.
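The master selection and ID rules from the last two slides, worked through as an added example (not course material or VCStack code). The three switches and their MAC addresses are constructed; the MAC ordering used for automatic ID assignment is a modelling choice, since the text only says the remaining IDs are assigned automatically.

```python
"""Stack master election and member ID handling as the text describes them:
lowest priority value wins, lowest MAC breaks a tie, and an ID clash is
resolved against the unit with the higher MAC. Added example with
constructed switches, not VCStack code."""
from dataclasses import dataclass

DEFAULT_PRIORITY, MAX_STACK_ID = 128, 8


@dataclass
class Member:
    mac: str                           # as printed by show stack, e.g. 0015.77ae.60cb
    priority: int = DEFAULT_PRIORITY   # stack <id> priority <0-255>
    stack_id: int = 1                  # every switch ships with stack ID 1


def mac_value(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def elect_master(members) -> Member:
    """Lowest priority value wins; equal priorities fall back to the lowest MAC."""
    return min(members, key=lambda m: (m.priority, mac_value(m.mac)))


def roles(members) -> dict:
    """The Role column of show stack: one Active Master, the rest Backup Members."""
    master = elect_master(members)
    return {m.mac: "Active Master" if m is master else "Backup Member" for m in members}


def resolve_id_conflicts(members) -> dict:
    """Return {mac: stack_id} with unique IDs. On a clash the unit with the
    higher MAC is the one renumbered, here to the lowest free ID."""
    taken, assigned = set(), {}
    for m in sorted(members, key=lambda m: mac_value(m.mac)):   # low MAC keeps its ID
        sid = m.stack_id
        if sid in taken:
            sid = next((i for i in range(1, MAX_STACK_ID + 1) if i not in taken), None)
        if sid is None or not 1 <= sid <= MAX_STACK_ID:
            raise ValueError(f"no valid stack ID left for {m.mac} (max {MAX_STACK_ID} members)")
        taken.add(sid)
        assigned[m.mac] = sid
    return assigned


def automatic_ids(members) -> dict:
    """Automatic assignment when switches join: the master becomes ID 1 and
    the others receive the following IDs (in MAC order in this model)."""
    if len(members) > MAX_STACK_ID:
        raise ValueError(f"a stack holds at most {MAX_STACK_ID} members")
    master = elect_master(members)
    others = sorted((m for m in members if m is not master), key=lambda m: mac_value(m.mac))
    return {master.mac: 1, **{m.mac: i for i, m in enumerate(others, start=2)}}


def master_after_loss(members, lost_mac: str) -> Member:
    """Who takes over when the current master is powered down or rebooted."""
    return elect_master([m for m in members if m.mac != lost_mac])


# Constructed stack: three units out of the box (all stack ID 1), one of them
# given a lower priority value so that it is elected master.
SAMPLE = [Member("0000.1111.0003"), Member("0000.1111.0001"), Member("0000.1111.0002", priority=10)]
```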

VCStack Configuration
Assigning stack IDs
- Manual assignment on a switch before stacking:
  awplus(config)#stack 1 renumber <1-8>
- Automatic assignment as switches join the stack: the stack master will be assigned stack ID 1, and the other switches will automatically be assigned other IDs.
- Manual renumbering of a switch after stacking:
  awplus(config)#stack 1 renumber <1-8>


VCStack Configuration
Assigning stack IDs

Cascade renumbering of the stack
- Starts the stack numbering with a specified ID from a specified switch:
  awplus(config)#stack 3 renumber cascade 1

Renumbering the whole stack using the XEM Select button
- By pushing the Select button on a XEM-STK of a switch you renumber the whole stack (starting from ID 1)

VCStack Configuration
Displaying the stack IDs
- The 8-segment display on the XEM-STK indicates the member ID
- By connecting on the console port of any unit, you can see the ID in the login prompt
- On x600 Series switches, you can use the command:
  awplus#show stack indicator <1-8>|all [time <1-500>]
  This causes the master LED on the switch to flash in a sequence which indicates the stack ID number:
  1 will flash on and off without pausing
  2 will flash twice then pause
  3 will flash three times then pause
  4 will flash four times then pause

VCStack Configuration
Stack Maintenance

Adding a stack member: a switch can be added to an existing stack (hot-swapped in)
1. Power down the new switch
2. Connect its ports to the stack
3. Power on

Removing a stack member: a member can be removed from a stack (hot-swapped out)
1. Power down the member
2. Disconnect its stacking ports
3. Reconnect the remaining stack members

VCStack Configuration
Stack Maintenance

Replacing a stack member
- You can seamlessly swap a switch into the stack to replace another
- Configure the new switch with the same member ID as the switch it replaces

Optional auto-upgrade
- If a new member joins a stack and has a software release that is different, auto-upgrade will copy the master's software release onto the new member
- Auto-upgrade works when the master and new-member releases are similar (for example 5.3.2-0.1 and 5.3.2-0.2)
- Auto-upgrade is enabled by default
- If disabled, a new member with a different software release cannot join the stack

VCStack Configuration
Provisioning
- Provisioning provides the ability to pre-configure ports that are not yet present in a switch or in a stack.
- Provisioning keeps a 'placeholder' for a XEM or switch which has been hot-swapped out.
- Switch provisioning:
  awplus(config)#switch 2 provision x900-24
- XEM provisioning:
  awplus(config)#switch 2 bay 2 provision xem-12


Virtual Chassis Stacking (VCStack): Software and configuration file synchronization

Files synchronization
A VCStack requires that the software version and the configuration files on all stack members are the same. The following files are synchronised by the stack master:
- Software release (auto-synchronisation)
- Shared running configuration
- Shared startup configuration
- Scripts

Note: licences are not synchronized. For an optional feature (e.g. IPv6), each switch in the stack must have its own feature licence.


Files synchronization
Software release auto-synchronisation
- When a new member joins a stack and has a software release that is different to the active master's, the active master's software release is copied onto the new member. The new member then reboots and comes up on that release.
- The software auto-synchronization feature is enabled on all switches by default. You can enable or disable it using the command:
  awplus(config)#(no) stack <1-8> software-autosynchronization


Virtual Chassis Stacking (VCStack): Rolling Reboot

Rolling Reboot
This command allows a stack to be rebooted in a rolling sequence so that no more than one unit of the stack is in reboot at any given time.
- First, the stack master is rebooted, causing the remaining stack members to fail over and elect a new master.
- As soon as the rebooted Active Master has reloaded, it becomes the Active Master again.
- Immediately after the Active Master has reloaded and assumed its role again, all of the other switches in the stack are rebooted at the same time.


Rolling Reboot
awplus#reboot rolling
The stack master will reboot immediately and boot up with the configuration file settings. The remaining stack members will then reboot once the master has finished re-configuring.
Continue the rolling reboot of the stack? (y/n):y
awplus#22:11:07 awplus VCS[995]: Automatically rebooting stack member-4 (MAC: 00.15.77.c9.73.cb) due to Rolling reboot
URGENT: broadcast message: System going down IMMEDIATELY!
...
Rebooting at user request ...


Virtual Chassis Stacking (VCStack): Managing Stack Members

Managing Stack Members' file system
To perform an action on another stack member's file system:
<stack-member-name>/flash:[/]<file name>
The <stack-member-name> is <hostname>-<stack ID>. If the hostname of the stack is BlueCore, then the stack-member-name for switch 2 in the stack is BlueCore-2. Example:
BlueCore# dir BlueCore-2/flash:/
BlueCore# delete BlueCore-2/flash:/example.cfg

If you do not use the stack-member-name prefix, then the command refers to a file that resides on the stack master.

Virtual Chassis Stacking (VCStack): Monitoring and troubleshooting


Monitoring and troubleshooting

You can monitor and troubleshoot VCStack with several tools:
- LEDs on the switch or XEM
- The show stack and show stack detail commands
- Stack debug output
- Counters
- Event logging


Monitoring and troubleshooting

LED on SBx908
The front panel of the SwitchBlade x908 has the following LEDs for monitoring back-port stacking:

LED                State                    Meaning
Port 1 and Port 2  Green                    A stacking link is established
                   Amber (flashing slowly)  The link has a transmission fault
                   Off                      The stacking link is down
Master             Green                    The switch is the stack master
                   Amber                    The switch is the backup member
                   Green (flashing)         The stack is selecting a stack master
                   Off                      The switch is not a stack member


Monitoring and troubleshooting

LED on XEM-STK
The LEDs on the XEM-STK show the following:

LED                State                    Meaning
Port 1 and Port 2  Green                    A stacking link is established
                   Amber (flashing slowly)  The link has a transmission fault
                   Off                      The stacking link is down
Status             Green                    The switch is the stack master
                   Amber                    The switch is the backup member
                   Green (flashing)         The stack is selecting a stack master
                   Off                      The switch is not a stack member
Numeric ID         1 to 8                   The stack member ID
                   Off                      The switch is not a stack member


Monitoring and troubleshooting

LED on x600
The front panel of the x600 has the following LEDs for monitoring stacking:

LED              State             Meaning
MSTR             Green             The switch is the stack master
                 Off               The switch is a backup member
1 L/A and 2 L/A  Green             A stacking link is established on that link
                 Green (flashing)  The link is transmitting or receiving data
                 Off               The stacking link is down
PRES             On                An AT-STACKXG module is correctly installed in the switch
                 Off               There is no AT-STACKXG installed in the switch, or the module is installed incorrectly


Monitoring and troubleshooting

Show stack
x600#show stack
Virtual Chassis Stacking summary information
ID  Pending ID  MAC address     Priority  Role
1               0015.77ae.60cb  128       Active Master
2               0015.77ae.5fdc  128       Backup Member
3               0015.77c2.4d56  128       Backup Member


Link Aggregation

Link Aggregation: Table of Contents
- Introduction
- Link Aggregation Types
- Link Aggregation Load Balancing
- Static Link Aggregation Configuration
- Dynamic Link Aggregation Configuration


Link Aggregation
Introduction


Link Aggregation
Introduction
Link aggregation allows two or more links to be bundled (or "aggregated") together to form a logical link called a channel group.
A channel group provides:
- Higher bandwidth
- Resiliency
- Load sharing
Links aggregated into a channel group must:
- Originate and terminate on the same device or the same stack
- Be members of the same VLANs
- Have the same data rate
- Have the same admin port key (channel-group mode command)
- Be in full-duplex mode

Link Aggregation
Link Aggregation Types


Link Aggregation Types

Types of Link Aggregation
Static Link Aggregation
- Not standardized
- Ports bundled into a static channel group (also called a static aggregator)
Dynamic Link Aggregation (LACP)
- Link Aggregation Control Protocol, IEEE 802.3ad
- Ports bundled into an LACP channel group (also called an ether-channel, an LACP aggregator, or a dynamic channel group)
- Automatically creates ether-channels and assigns links to them
- Monitors the groups and dynamically adds or removes links as necessary


Link Aggregation Types

Static vs. Dynamic Link Aggregation
Static advantage
- Simple and reliable
Static disadvantage
- No setup information is sent via the links, so all administration must be done manually at both ends
Dynamic advantage
- Standardized via IEEE 802.3ad and the LACP protocol
- Can detect link communication failure and drop the link out, even if the port is still up
Dynamic disadvantage
- All partners in the aggregated link must understand the LACP protocol

Link Aggregation
Load Balancing


Load Balancing
Hashing of information in the L2, L3, and L4 packet headers divides data between the aggregation group ports. Because of hashing, an aggregation group provides higher bandwidth between switches but usually not between hosts (load balancing is per communication flow).

Figure: the header fields available to the hash: L2 (destination MAC, source MAC), L3 (source IP, destination IP), L4 (source port, destination port), followed by the payload data.
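Why per-flow hashing raises the bandwidth between switches but not between a single pair of hosts, as an added illustration that is not part of the course material: the hosts, the two-member channel group and the SHA-256 hash standing in for the switch's hardware hash are all constructed here.

```python
"""Per-flow load balancing over a channel group, as described above: the
member link is chosen by hashing header fields, so one conversation always
uses one link and never gets more than one link's bandwidth, while many
conversations spread over all members. Added illustration with a constructed
hash (SHA-256) standing in for the switch's hardware hash."""
import hashlib
from collections import Counter

L2_FIELDS = ("dst_mac", "src_mac")
L3_FIELDS = L2_FIELDS + ("src_ip", "dst_ip")
L4_FIELDS = L3_FIELDS + ("src_port", "dst_port")


def member_link(flow: dict, links, fields=L4_FIELDS) -> str:
    """Pick the egress member for one frame from the selected header fields.
    Every frame with the same field values lands on the same member, which
    keeps a flow in order but also pins it to a single physical link."""
    key = "|".join(f"{f}={flow[f]}" for f in fields).encode()
    digest = hashlib.sha256(key).digest()   # constructed stand-in for the ASIC hash
    return links[int.from_bytes(digest[:4], "big") % len(links)]


def distribution(flows, links, fields=L4_FIELDS) -> Counter:
    """How many flows each member link carries under a given hash policy."""
    return Counter(member_link(flow, links, fields) for flow in flows)


def make_flows(pairs, connections_per_pair: int) -> list:
    """Constructed TCP flows: each (src, dst) host pair opens several connections."""
    return [{"src_mac": src["mac"], "dst_mac": dst["mac"],
             "src_ip": src["ip"], "dst_ip": dst["ip"],
             "src_port": 40000 + n, "dst_port": 443}
            for src, dst in pairs for n in range(connections_per_pair)]


# Constructed hosts (documentation MAC/IP ranges) and a two-member channel group.
HOSTS = [{"mac": f"00:00:5e:00:53:{i:02x}", "ip": f"192.0.2.{i}"} for i in range(1, 41)]
LINKS = ["port1.0.3", "port1.0.4"]

# One host pair opening 100 connections versus 39 different host pairs.
SINGLE_PAIR = make_flows([(HOSTS[0], HOSTS[1])], 100)
MANY_PAIRS = make_flows([(h, HOSTS[0]) for h in HOSTS[1:]], 1)
```

With L2 or L3 hashing every connection between the two hosts lands on the same member; only L4 hashing spreads their connections, and even then one connection never exceeds one link.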


Link Aggregation
Static Link Aggregation Configuration


Static Link Aggregation Configuration

Creating a Static Channel Group
awplus# config terminal
awplus(config)# interface port1.0.3-port1.0.4
awplus(config-if)# static-channel-group 2
awplus(config-if)#
NOTE: The port properties within the group must match, e.g. VLAN, speed, duplex. Any other port can be added at any time to an existing static channel group.


Static Link Aggregation Configuration

Display & Delete Static Channel Groups
Display all static channel groups:
awplus# show static-channel-group
% Static Aggregator: sa2
% Member:
   port1.0.3
   port1.0.4
awplus#
Delete a port from the group:
awplus(config)# interface port1.0.4
awplus(config-if)# no static-channel-group
Note: this will also delete the static channel group after the last member is deleted.

Static Link Aggregation Configuration

Logical Interface
The system adds the static channel group number to "sa" to create a logical interface:
awplus# show interface sa2
Interface sa2
  Scope: both
  Link is DOWN, administrative state is UP
  Thrash-limiting
    Status Not Detected, Action learn-disable, Timeout 1(s)
  Hardware is AGGREGATE
  index 4502 metric 1 mtu 1500
To configure the static channel group (VLAN membership, etc.) you have to configure the sa interface.

Link Aggregation
LACP Link Aggregation Configuration

Dynamic Link Aggregation / LACP

- LACP is based on the IEEE Standard 802.3ad.
- Allows bundling of several physical ports to form a single logical channel providing enhanced performance and resiliency.
- The aggregated channel is viewed as a single link by each switch. The spanning tree views the channel as one interface.
- When there is a failure in one physical port, the other ports stay up and there is no disruption.
- The x Series supports the aggregation of a maximum of eight physical ports into a single channel group.


Dynamic Link Aggregation / LACP

- LACP is a state-based protocol: each port sends out its state to the connected device.
- When it detects multiple links between itself and a partner, and their characteristics are the same (VLAN, speed), a trunk is created.
- LACP works in either ACTIVE or PASSIVE mode: Active mode sends LACPDUs constantly, Passive sends only as a response.
- In practice, it is recommended to use Active mode on both ends (certainly not Passive on both ends!)


Dynamic Link Aggregation / LACP

Aggregation Criteria
For individual links to be formed into an aggregated group, they must meet the following criteria:
- Originate on the same device or stack
- Terminate on the same device or stack
- Be members of the same VLAN
- Have the same data rate
- Share the same admin port key


Dynamic Link Aggregation / LACP

The Protocol Exchange
- Devices exchange LACPDUs through the channel group and are called the Actor or the Partner.
- Information about the switch is sent in the LACPDU, such as:
  - Port number
  - Port key
  - Periodic timeout (how often to send LACPDUs)
  - VLAN association
  - And others
- Devices analyse the LACPDUs that they receive and can decide to add ports to the channel if the parameters are coherent on both sides of the link.

Dynamic Link Aggregation / LACP

Configuring LACP
The following example shows how to configure three links between two Allied Telesis managed Layer 3 switches. The three links are assigned the same administrative key (1), so that they aggregate to form a single channel 1. They are viewed by the STP as one interface.

Figure: Switch 1 ports port1.0.1, port1.0.2 and port1.0.3 form the aggregated link to Switch 2 ports port1.0.2, port1.0.3 and port1.0.4.


Dynamic Link Aggregation / LACP

Configuration
On switch 1:
awplus(config)# interface port1.0.1-1.0.3
awplus(config-if)# channel-group 1 mode active
awplus(config-if)#

On switch 2:
awplus(config)# interface port1.0.2-1.0.4
awplus(config-if)# channel-group 1 mode active
awplus(config-if)#


Dynamic Link Aggregation / LACP

LACP channel group logical interface
The system adds the LACP channel group number to "po" to create a logical interface:
awplus# sho interface po2
Interface po2
  Scope: both
  Link is DOWN, administrative state is UP
  Thrash-limiting
    Status Not Detected, Action learn-disable, Timeout 1(s)
  Hardware is AGGREGATE
  index 4502 metric 1 mtu 1500
To configure the LACP channel group (VLAN membership, etc.) you have to configure the po interface.

Dynamic Link Aggregation / LACP

To display the LACP groups:
awplus# show etherchannel
% Lacp Aggregator: po2
% Member:
   port1.0.3
   port1.0.

How to see the active ports of the po interface:
awplus# show etherchannel summary
% Aggregator po1
% Admin Key: 0001 - Oper Key 0001
% Link: port1.0.1 (5001) disabled
% Link: port1.0.2 (5002) sync: 1


Dynamic Link Aggregation / LACP

Show LACP-counter
Use this command to display the packet traffic on all ports of all present LACP aggregators, or of a given LACP aggregator.
awplus# show lacp-counter
% Traffic statistics
Port         LACPDUs       Marker                      Pckt err
             Sent  Recv    Sent  Recv    Sent  Recv    Sent  Recv
% Aggregator po4 (4604)
port1.0.2    0     0       0     0       0     0       0     0


Spanning Tree Protocol / Rapid Spanning Tree Protocol

STP / RSTP: Table of Contents
- Spanning Tree Concepts
- Spanning Tree Algorithm
- Spanning Tree Parameters
- Rapid Spanning Tree
- Spanning Tree Configuration
- Introduction to Multiple Spanning Tree


Spanning Tree - Concepts

Ethernet does not inherently cope with looped network paths. There must be only one active path between two devices (except when setting up aggregated links).


What are the consequences of a loop?

Figure: two L2 switches both connect the Alpha and Bravo segments. Computer A (68-C9-CF-E0-AB-13) sends data to computer B (1A-2B-3C-4D-5E-6F); the frame reaches each switch on both Port 1 and Port 2, so the MAC address table entry for computer A flips between the ports (the switches believe both computers have moved), computer B receives duplicate packets, and duplicate responses are returned to the sender.


Spanning Tree - Concepts

The Spanning Tree protocol allows a topology with redundant links. This means that there can be link redundancy for dealing with a link or hardware failure. Only one path is active at a given moment; an inactive link can become active if another one fails.

Spanning Tree - Algorithm

Figure: the complete network topology of Switches A to F with their ports (Switch A is the Root Bridge), beside the loop-free tree topology of active links calculated by spanning tree.


Spanning Tree Structure

Figure: spanning tree structure showing the Root Bridge, the Designated Ports on each segment and the Root Ports on the other switches.


Port states for STP

Blocking
- Rejects all data frames
- Does not learn MAC addresses
- Receives BPDUs but ignores them
- Does not transmit BPDUs
- Receives and processes topology change notifications (TCN)

Listening
- Rejects all data frames
- Does not learn MAC addresses
- Receives BPDUs and processes them
- Does not transmit BPDUs
- Receives and processes topology change notifications (TCN)


Port states for STP

Learning
- Rejects all data frames
- Learns MAC addresses and includes them in the FDB
- Receives, processes and transmits BPDUs
- Receives and processes topology change notifications (TCN)

Forwarding
- Switches data frames
- Learns MAC addresses and includes them in the FDB
- Receives, processes and transmits BPDUs
- Receives and processes topology change notifications (TCN)


Spanning Tree - Operation

Figure: two switches (Switch A, the Root Bridge, and Switch B, both with bridge priority 32768) connect the Alpha and Bravo segments. Switch B's port towards the root is its Root Port and the other ports are Designated Ports; each port passes through Listening, Learning and Forwarding, and the MAC address tables for the two computers (1A-2B-3C-4D-5E-6F and 68-C9-CF-E0-AB-13) are learned on the forwarding ports.


Spanning Tree - Concepts

Switch Spanning Tree parameters
- Bridge priority: value between 0 and 65535; 0 is the highest priority. The switch with the highest priority (lowest value) is selected as root bridge. If several switches have the same priority, the one with the lowest MAC address is selected as root bridge. Default value is 32768.
- Bridge Hello Time: frequency of sending BPDUs (Bridge Protocol Data Units), the Spanning Tree configuration messages. The value can be between 1 and 10 sec. Default value is 2 sec.
- Bridge Maximum Age: lifespan of STP information exchanged via BPDUs. After the specified deadline, the switch recalculates the data. The value can be set from 6 to 40 sec. Default value is 20 sec.
- Bridge Forward Delay: waiting time before a change in topology becomes effective (for instance, activation of a previously inactive path). Default value is 15 sec. This parameter avoids temporary loops appearing when paths are activated.

Today it is recommended not to change any of those values (to improve recovery times, one should consider using RSTP instead).


Spanning Tree - Concepts


The link with the lowest cost to the root bridge is activated for each switch. If several paths have an equal cost to the root bridge, a priority value, on each port, is used to decide between them. If port priorities are identical, then port numbers, or MAC addresses assigned to them, are the key factor (lowest port numbers or MAC addresses). Rapid Spanning Tree (802.1w) offers all the benefits of Spanning Tree (802.1d) with a much shorter convergence time (path calculation). It is therefore preferable.

[Figure: three switches in a triangle; the Root Bridge has bridge priority 4096, the other two have bridge priority 32768; every port has Cost = 19 and Priority = 128; the redundant link is marked Forwarding at one end and Blocking at the other]


slide 248


Rapid Spanning Tree - Differences


The Rapid Spanning Tree (802.1w) offers a number of improvements, particularly:
Significant improvement in convergence time
A change of state on a port used to connect a terminal device does not involve convergence, unlike standard STP (Edge Port or PortFast concept)
Backward compatible with STP

slide 249

Role of ports for RSTP


In standard Spanning Tree, switch ports have three possible roles:
Root port: the port closest (metrically) to the Root Bridge
Designated port: the active port of a given segment
Disabled port: a deactivated port

RSTP adds two further roles:

Alternate port: an alternate path to the Root Bridge
Backup port: an alternate path to a segment currently served by a Designated port

slide 250

Role of ports for RSTP


[Figure: Root Bridge at the top; each downstream switch has a Root Port (RP) towards the root and Designated Ports (DP) on the segments it serves; one Alternate Port and one Backup Port are marked on the redundant links]


slide 251


Port state for RSTP


State: Meaning
DISABLED: RSTP is disabled on this port.
DISCARDING: Rejects all data frames. Does not learn MAC addresses. Receives BPDUs and processes them. Does not transmit BPDUs. Receives and processes topology change notifications (TCN).
LEARNING: Rejects all data frames. Learns MAC addresses and includes them in the FDB. Receives, processes and transmits BPDUs. Receives and processes topology change notifications (TCN).
FORWARDING: Switches data frames. Learns MAC addresses and includes them in the FDB. Receives, processes and transmits BPDUs. Receives and processes topology change notifications (TCN).

slide 252

Comparing ports in STP/RSTP


State for STP   State for RSTP   Port included in active topology?   Learning MAC addresses?
Disabled        Discarding       N                                   N
Blocking        Discarding       N                                   N
Listening       Discarding       N                                   N
Learning        Learning         N                                   Y
Forwarding      Forwarding       Y                                   Y

slide 253

Rapid Spanning Tree - Edge Port/PortFast


In Rapid Spanning Tree, ports used to interconnect switches (contributing to Spanning Tree operation) can be treated differently from ports intended to connect terminal equipment (Edge ports, or PortFast). Ports configured in Edge/PortFast mode are still monitored by the Spanning Tree algorithm, but a status change does not involve convergence, so these ports give immediate access to the network on connection. Only ports used to connect end devices must be configured in Edge mode. If BPDUs are detected on these ports, the switch automatically deactivates Edge/PortFast mode and makes them operate as normal RSTP ports. It is strongly recommended to set ports used to connect end devices in Edge/PortFast mode. Failure to do so will cause disruptive topology change events in the network every time an edge device is turned on or off.
slide 254



Which ports can switch quickly from Discarding to Forwarding?


Edge / Portfast ports (do not receive BPDUs)
All ports connected to end devices should be in this mode.

Alternate ports
If a Root Port on a switch goes down, an Alternate Port goes to Forwarding state, and becomes the new Root Port.

slide 255

Which ports can switch quickly from Discarding to Forwarding?


Ports being part of point-to-point links
The following ports are automatically in Point-to-Point mode:
Ports operating in full-duplex mode
Aggregated ports

When a port becomes a Designated port, it negotiates a fast transition with the opposite port.

slide 256

RSTP Topology Change Mechanism

[Figure: switch topology with the Root marked; no further text recoverable]


slide 257


Port cost values


Port bandwidth   Default path cost   Recommended values
Below 100 kb/s   200,000,000         20,000,000-200,000,000
1 Mbps           20,000,000          2,000,000-20,000,000
10 Mbps          2,000,000           200,000-2,000,000
100 Mbps         200,000             20,000-200,000
1 Gbps           20,000              2,000-20,000
10 Gbps          2,000               200-2,000
100 Gbps         200                 20-200
1 Tbps           20                  2-200
10 Tbps          2                   2-20
slide 258

Spanning Tree configuration

Spanning Tree
Rapid Spanning Tree is activated by default on all ports of the switch. Therefore, nothing needs to be done to have the following behavior. As all switches have the same configuration, it is the switch with the lowest MAC address that becomes the root bridge.
[Figure: three switches, all with bridge priority 32768, with MAC addresses 00-00-cd-24-02-26, 00-00-cd-24-03-31 and 00-00-cd-12-78-08; the switch with the lowest MAC address, 00-00-cd-12-78-08, is the Root Bridge; the redundant link is Forwarding at one end and Blocking at the other]


slide 260


Spanning Tree
To explicitly force a switch to be Root Bridge, you simply need to change the priority. This operation takes place in Config mode:
awplus(config)# spanning-tree priority 8192

[Figure: the switch with MAC address 00-00-cd-24-03-31, now at bridge priority 8192, is the Root Bridge; the switches 00-00-cd-24-02-26 and 00-00-cd-12-78-08 remain at bridge priority 32768; the redundant link is Forwarding at one end and Blocking at the other]

slide 261
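The election and port-role rules of the preceding slides, worked through in code for the three-switch examples above. This is an added example, not Allied Telesis code: the switch names S1-S3, the triangle of links, the port numbers and the 20,000 per-link path cost (the 1 Gbps default from the port cost table) are assumptions; the MAC addresses and bridge priorities are those of the slides.

```python
"""Root bridge election and port roles for the three-switch Spanning Tree
examples (slides 247, 248, 260, 261). Added example, not Allied Telesis code.

Rules as the slides state them:
  * Bridge ID = (bridge priority, MAC address); the lowest value is the root.
  * Every other switch keeps as root port the port with the lowest root path
    cost; ties go to the lowest neighbour Bridge ID, then port priority, then
    port number.
  * On each link the end with the lower (root path cost, Bridge ID) is the
    designated port; the far end is either the root port or blocked (alternate).
Switch names, port numbers and the 20,000 per-link cost (1 Gbps default from
the port cost table) are this example's assumptions.
"""
from collections import namedtuple

Port = namedtuple("Port", "number priority")    # Port(1, 128) stands for port1.0.1
Link = namedtuple("Link", "a port_a b port_b cost")


def mac_to_int(mac):
    """'00-00-cd-12-78-08' -> int, so MAC addresses compare numerically."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def bridge_id(switch):
    """Lower tuple wins; priority 0 is the highest priority."""
    return (switch["priority"], mac_to_int(switch["mac"]))


def elect_root(switches):
    return min(switches, key=bridge_id)["name"]


def compute_tree(switches, links):
    """Return (root name, {switch: root Port}, {(switch, port number): state})."""
    by_name = {s["name"]: s for s in switches}
    root = elect_root(switches)
    rpc = {name: None for name in by_name}      # root path cost each switch announces
    rpc[root] = 0
    best = {name: None for name in by_name}     # (cost, neighbour BID, prio, number)
    root_port = {name: None for name in by_name}
    changed = True
    while changed:                              # keep exchanging BPDUs until stable
        changed = False
        for link in links:
            for local, lport, remote in ((link.a, link.port_a, link.b),
                                         (link.b, link.port_b, link.a)):
                if local == root or rpc[remote] is None:
                    continue
                # BPDU from `remote` arrives on `lport`: its cost plus this port's cost
                cand = (rpc[remote] + link.cost, bridge_id(by_name[remote]),
                        lport.priority, lport.number)
                if best[local] is None or cand < best[local]:
                    best[local], rpc[local], root_port[local] = cand, cand[0], lport
                    changed = True
    states = {}
    for link in links:
        ends = ((link.a, link.port_a), (link.b, link.port_b))
        designated = min(ends, key=lambda e: (rpc[e[0]], bridge_id(by_name[e[0]])))
        for name, port in ends:
            if (name, port) == designated:
                states[(name, port.number)] = "designated/forwarding"
            elif root_port[name] == port:
                states[(name, port.number)] = "root/forwarding"
            else:
                states[(name, port.number)] = "alternate/blocking"
    return root, root_port, states


def with_priority(switches, name, priority):
    """Copy of `switches` with one bridge priority changed (spanning-tree priority N)."""
    return [dict(s, priority=priority) if s["name"] == name else dict(s) for s in switches]


# The three switches of slide 260, all at the default priority 32768.
SWITCHES = [
    {"name": "S1", "priority": 32768, "mac": "00-00-cd-24-02-26"},
    {"name": "S2", "priority": 32768, "mac": "00-00-cd-24-03-31"},
    {"name": "S3", "priority": 32768, "mac": "00-00-cd-12-78-08"},
]
LINKS = [                                       # triangle; ports and costs assumed
    Link("S1", Port(1, 128), "S3", Port(1, 128), 20000),
    Link("S2", Port(1, 128), "S3", Port(2, 128), 20000),
    Link("S1", Port(2, 128), "S2", Port(2, 128), 20000),
]

if __name__ == "__main__":
    for label, sw in (("defaults", SWITCHES),
                      ("S2 at priority 8192", with_priority(SWITCHES, "S2", 8192))):
        root, _, states = compute_tree(sw, LINKS)
        print(f"{label}: root bridge = {root}")
        for (name, number), state in sorted(states.items()):
            print(f"  {name} port1.0.{number}: {state}")
```

With the defaults the lowest MAC (00-00-cd-12-78-08) becomes root and S2 blocks its port towards S1; after `spanning-tree priority 8192` on S2 the tree re-forms around S2 and S1 blocks its port towards S3.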

Spanning Tree
To change the default cost of a port (refer to the RSTP port cost table):
awplus(config-if)# spanning-tree path-cost <cost>

To improve convergence time, it is essential to configure all ports intended to connect end devices as "Portfast" ports:
awplus(config)# interface port1.0.1-1.0.23
awplus(config-if)# spanning-tree portfast

Spanning-Tree can be disabled on a per-port basis, if needed (careful, loops behind those ports would be unaccounted for):
awplus(config)# interface port1.0.24
awplus(config-if)# spanning-tree portfast bpdu-filter enable
slide 262

Spanning Tree
Changing the Spanning Tree operational mode:
Spanning Tree mode
awplus(config)# spanning-tree mode stp

Rapid Spanning Tree mode (default mode)

awplus(config)# spanning-tree mode rstp

Disable Spanning Tree:


Rapid Spanning Tree mode (default mode)
awplus(config)# no spanning-tree rstp enable

Spanning Tree mode
awplus(config)# no spanning-tree stp enable


slide 263


Display of Spanning-Tree operation

slide 264

Multiple Spanning Tree Protocol


Overview
IEEE standard
Provides multiple forwarding paths for data traffic. MSTP uses RSTP for rapid convergence.
Reduces the number of spanning tree instances required to support a large number of VLANs.
Enables VLANs to be grouped into a spanning tree instance. Instance = forwarding path.
Flexible load balancing.

slide 265

Multiple Spanning Tree Protocol


Where to use MSTP? Switch A has 1000 VLANs (1-1000).
[Figure: Switch A with one uplink to Switch D1 and one uplink to Switch D2, both carrying VLAN 1-1000]
slide 266



Multiple Spanning Tree Protocol


Standard STP and VLANs
One spanning tree instance. Does not care about the VLANs.

[Figure: Switch D1 (Root) and Switch D2 above Switch A; VLAN 1-500 and VLAN 501-1000 are shown on both uplinks]
slide 267

Multiple Spanning Tree Protocol


Standard STP and VLANs
No load balancing. One instance is computed. The CPU is not loaded.

[Figure: Switch D1 (Root) and Switch D2 above Switch A; VLAN 1-500 and VLAN 501-1000 are shown on both uplinks]
slide 268

Multiple Spanning Tree Protocol


Where to use MSTP? The purpose is: Achieving load balancing on switch A uplinks.
[Figure: Switch A with uplinks to Switch D1 and Switch D2, both carrying VLAN 1-1000]
slide 269



Multiple Spanning Tree Protocol


Load Balance via MSTP
Combination of 802.1Q and 802.1W (standard RSTP). VLAN 1-500 are mapped to instance 1. VLAN 501-1000 are mapped to instance 2.

[Figure: Switch D1 is Root for Instance 1 and Switch D2 is Root for Instance 2; Instance 1 and Instance 2 are present on each of Switch A's uplinks]
slide 270

Multiple Spanning Tree Protocol


Load Balance via MSTP
Load balance is achieved. Only two spanning tree instances. CPU is not loaded.

[Figure: Switch D1 is Root for Instance 1 and Switch D2 is Root for Instance 2; Instance 1 and Instance 2 are shown on both of Switch A's uplinks]
slide 271

Should we use MSTP?


Not necessarily. MSTP configuration is rather complex. The load balancing feature of MSTP is static, and does not dynamically assign bandwidth to available paths. Therefore it doesn't make the best use of the overall network bandwidth. Designing an architecture using stacks and aggregated links is preferable.


slide 272


Ethernet Protection Switched Rings


EPSR

Hardware Overview :Table of Contents


EPSR Introduction
How EPSR Works
EPSR Configuration
EPSR Implementation

slide 274

EPSR Introduction
Overview
A ring of switches at the network core increases resilience
No single point of failure
The ring must be protected from Layer 2 loops
Traditionally, STP-based technologies are used
Relatively slow to recover from link failure
Creates problems for applications with strict loss requirements such as voice and video
The solution is Ethernet Protection Switched Rings (EPSR)
slide 275



EPSR Introduction
Overview
Delivering services is the focus of modern network communications
Voice over IP (VoIP)
Video on demand (VoD)
Internet access
These services demand a high level of performance, as customers expect uninterrupted delivery
Network downtime must be minimised

slide 276

EPSR Introduction
Overview
Ethernet Protection Switched Rings (EPSR)
Prevents loops in ring-based Ethernet networks
Minimizes the impact of failure with sub-50 ms recovery
Interoperates with standard Ethernet functions including:
QoS, IGMP, VLAN Double Tagging, Filtering
iMAP interoperability
High availability for mission critical traffic, preventing loss of voice, video or data in the event of failure
Avoid downtime in your core enterprise or service provider network
slide 277

EPSR Introduction
Example
10 GbE EPSR ring with 50 ms failover provides uninterrupted voice and video on breaks in the ring
Interoperability with iMAP and x900
Resiliency for the Metro or Enterprise core


slide 278


EPSR Introduction
Products Supporting EPSR
AlliedWare Operating System: 8900 & x900-48 series, 9900 series, x900-24X series
AlliedWare Plus Operating System: x600, x900-12XT/S, x900-24X series, SwitchBlade x908
iMAP
slide 279

How EPSR Works


Basic Operation
Each ring of switches forms an EPSR domain
One switch is the master node - the others are transit nodes
A control VLAN sends EPSR messages
The data VLAN(s) send data around the ring
A physical ring can have multiple EPSR domains
Each domain operates as a separate logical group of VLANs
Each domain has its own control VLAN and master node

slide 280

How EPSR Works


Basic Operation
On the master, one port is the primary, the other is the secondary
When all nodes in the ring are up, EPSR prevents loops by blocking the data VLAN on the secondary port
The master node does not block any port on the control VLAN
Loops never form as the master never forwards EPSR messages it receives


slide 281


How EPSR Works


Basic Operation
[Figure: Master Node with Primary Port (Control VLAN is forwarding, Data VLAN is forwarding) and Secondary Port (Control VLAN is forwarding, Data VLAN is blocked); Transit Node 1 to Transit Node 4 around the ring; Control VLAN, Data VLAN 1 and Data VLAN 2]

slide 282

How EPSR Works

slide 283

How EPSR Works


Establishing a Ring I
1. The master node creates an EPSR Health message and sends it out the primary port
This increments the master node's Transmit: Health counter
2. The first transit node receives the Health message and, using a hardware filter, sends the message out its other ring port
The filter also copies the Health message to the CPU, which increments the transit node's Receive: Health counter


slide 284


How EPSR Works


Establishing a Ring II
3. The master eventually receives the Health message back on its secondary port
It now knows that all links and nodes in the ring are up
The master node's hardware filter copies the packet to the CPU, which increments the master node's Receive: Health counter

4. The master node resets the Failover timer
If the Failover timer expires before the master node receives the Health message back, it concludes that the ring is broken

5. The master node generates a new Health message when the Hello timer expires
slide 285

How EPSR Works


Detecting a Fault
1. Master node polling fault detection
Checking the ring condition, the master regularly sends Health messages out its primary port
If all links and nodes are up, Health messages arrive back at the master's secondary port
This can be a relatively slow detection method
It depends on how often the master sends Health messages

slide 286

How EPSR Works


Detecting a Fault
2. Transit node unsolicited fault detection
For faster fault detection, transit nodes directly communicate when one of their interfaces goes down
A transit node detecting a fault at an interface immediately sends a LinkDown message over the remaining link
This notifies the master that the ring is broken and causes a response

slide 287



How EPSR Works


Fault Recovery
Fault in a link or a transit node
When the master node detects an outage, it restores traffic flow by:
Declaring the ring to be in a Failed state
Unblocking its secondary port, enabling data VLAN traffic to pass between its primary and secondary ports
Flushing its own forwarding database (FDB) for the two ring ports
Sending an EPSR Ring-Down-Flush-FDB control message to all the transit nodes, via both its primary and secondary ports
The transit nodes respond to the Ring-Down-Flush-FDB message by flushing their FDB for their ring ports
The master node continues sending Health messages over the control VLAN
slide 288

How EPSR Works


Fault Recovery
[Figure: Master Node with Primary Port (Control VLAN is forwarding, Data VLAN is forwarding) and Secondary Port (Control VLAN is forwarding, Data VLAN moved from Blocking to Forwarding); Transit Node 1 to Transit Node 4 around the ring; Control VLAN. Message legend: 1 Master Node Health Message, 2 Transit Node LinkDown Message, 3 Ring-Down-Flush-FDB Message]

slide 289

How EPSR Works


Fault Recovery
Fault in a master node
The transit nodes continue forwarding traffic around the ring
They stop receiving Health and other messages from the master
The transit nodes connected to the master experience a broken link, so they send LinkDown messages
If the master node is down, these messages are simply dropped
These symptoms don't affect how the transit nodes forward traffic
Once the master recovers, it continues its function as master


slide 290


How EPSR Works


Restoring Normal Operation Master Node
slide 291

How EPSR Works


Restoring Normal Operation Transit Nodes
Once the fault is fixed, the transit nodes on each side of the (previously) faulty link detect that connectivity has returned
They change their ring port state from Links Down to Pre-Forwarding and wait for the master to send a Ring-Up-Flush-FDB control message
Once they receive the Ring-Up-Flush-FDB message, they:
Flush the FDB for both their ring ports
Change the state of their ports from blocking to forwarding for the data VLAN

slide 292
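The ring behaviour described on the preceding slides (Health messages and the Failover timer, LinkDown from transit nodes, Ring-Down/Ring-Up-Flush-FDB and the Pre-Forwarding state) as a small simulation. This is an added example, not Allied Telesis code: node names A to D, the 2 s failover value and the fault timeline are assumptions, and `loop_free()` is this example's own check that the data VLAN is never closed into a loop at any step.

```python
"""EPSR ring walk-through for slides 280-292: Health messages, Failover timer,
LinkDown, Ring-Down/Ring-Up-Flush-FDB and Pre-Forwarding. Added example, not
Allied Telesis code; node names, timers and the event timeline are assumptions.
names[0] is the master; link i joins names[i] and names[(i + 1) % n], so link 0
leaves the primary port and link n-1 returns to the secondary port."""
from collections import Counter


class Ring:
    def __init__(self, names, failover=2):
        self.names, self.n = names, len(names)
        self.link_up = [True] * self.n
        self.failover, self.deadline = failover, failover   # Failover timer expiry
        self.state, self.secondary_data = "Complete", "Blocked"  # ring state; data VLAN on secondary
        self.pre_forwarding = set()          # (transit node, link) ports awaiting Ring-Up
        self.tx, self.rx = Counter(), Counter()   # master counters (show epsr count)
        self.flushes = Counter()             # FDB flushes per node
        self.log = []

    def reaches_master(self, node):
        """Can a control message from `node` still reach the master either way round?"""
        for step in (1, -1):
            cur = node
            while cur != 0:
                link = cur if step == 1 else (cur - 1) % self.n
                if not self.link_up[link]:
                    break
                cur = (cur + step) % self.n
            else:
                return True
        return False

    def send_health(self, t):
        """Health goes out the primary port, transit nodes forward it, back on secondary."""
        self.tx["Health"] += 1
        for i in range(self.n):
            if not self.link_up[i]:
                return False                          # lost at the broken link
            if (i + 1) % self.n == 0:                 # back on the secondary port
                self.rx["Health"] += 1
                self.deadline = t + self.failover     # reset the Failover timer
                if self.state == "Failed":
                    self.ring_up()
                return True

    def tick(self, t):
        """Polling detection: Failover timer ran out with no Health back."""
        if self.state == "Complete" and t >= self.deadline:
            self.ring_down("Failover timer expired")

    def link_failure(self, i, announce=True):
        """Link i fails; announce=True sends LinkDown from its transit nodes (slide 287)."""
        self.link_up[i] = False
        for node in (i, (i + 1) % self.n):
            if announce and node != 0 and self.reaches_master(node):
                self.rx["Link Down"] += 1
                if self.state == "Complete":
                    self.ring_down(f"LinkDown from {self.names[node]}")

    def link_restore(self, i):
        """Repaired link: its transit ports stay Pre-Forwarding until Ring-Up-Flush-FDB."""
        self.link_up[i] = True
        self.pre_forwarding |= {(node, i) for node in (i, (i + 1) % self.n) if node != 0}

    def ring_down(self, reason):
        """Slide 288: Failed state, unblock secondary, flush FDBs via Ring-Down-Flush-FDB."""
        self.state, self.secondary_data = "Failed", "Forwarding"
        self.tx["Ring Down"] += 1
        self.flushes[self.names[0]] += 1
        for node in range(1, self.n):
            if self.reaches_master(node):
                self.flushes[self.names[node]] += 1
        self.log.append(f"ring down: {reason}")

    def ring_up(self):
        """Slides 291-292: block secondary again, Ring-Up-Flush-FDB, ports go Forwarding."""
        self.state, self.secondary_data = "Complete", "Blocked"
        self.tx["Ring Up"] += 1
        self.flushes.update(self.names)
        self.pre_forwarding.clear()
        self.log.append("ring up")

    def loop_free(self):
        """The data VLAN must be cut somewhere: down link, blocked secondary, Pre-Forwarding."""
        return (not all(self.link_up) or self.secondary_data == "Blocked"
                or bool(self.pre_forwarding))


def run_scenario():
    """Link B-C fails at t=3 and is repaired at t=6; Hello 1 s, Failover 2 s."""
    ring, trace = Ring(["A", "B", "C", "D"]), []
    events = {3: lambda: ring.link_failure(1), 6: lambda: ring.link_restore(1)}
    for t in range(8):
        ring.tick(t)
        if t in events:
            events[t]()
        ring.send_health(t)
        if not ring.loop_free():
            raise RuntimeError(f"data VLAN loop at t={t}")
        trace.append((t, ring.state, ring.secondary_data))
    return ring, trace
```

`run_scenario()` shows the master going Failed through the LinkDown message at t=3 (before the Failover timer could fire) and back to Complete at t=6 when the first Health message returns; constructing a `Ring` and calling `link_failure(i, announce=False)` exercises the slower polling path instead.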

EPSR Configuration
Example
A simple 3-switch ring with one data VLAN
Control packets use VLAN 1000
Data packets use VLAN 2

[Figure: Master Node (A) with Primary Port port1.0.1 and Secondary Port port1.0.2; Transit Node (B) and Transit Node (C) each with Ring Ports port1.0.1 and port1.0.2]

slide 293



EPSR Configuration
Example Master node configuration
1) Configure the control and data VLANs
awplus(config)#vlan database
awplus(config-vlan)#vlan 1000 name epsr-control
awplus(config-vlan)#vlan 2 name data

2) Configure the switch ports
awplus(config-vlan)#interface port1.0.1-port1.0.2
awplus(config-if)#switchport mode trunk
awplus(config-if)#switchport trunk allowed vlan add 1000,2
awplus(config-if)#switchport trunk native vlan none
slide 294

EPSR Configuration
Example Master node configuration
3) Configure the EPSR domain
awplus(config-if)#epsr configuration
awplus(config-epsr)#epsr awplus mode master controlvlan 1000 primaryport port1.0.1
awplus(config-epsr)#epsr awplus datavlan 2

4) Enable EPSR
awplus(config-epsr)#epsr awplus state enabled

slide 295

EPSR Configuration
Monitoring EPSR
show epsr

EPSR Information
--------------------------------------------------
Name .......................... test
Mode .......................... Master
Status ........................ Enabled
State ......................... Complete
Control Vlan .................. 1000
Data VLAN(s) .................. 2
Primary Port .................. port1.0.1
Primary Port Status ........... Forwarding
Secondary Port ................ port1.0.2
Secondary Port Status ......... Blocked
Hello Time .................... 1 s
Failover Time ................. 2 s
Ring Flap Time ................ 0 s
Trap .......................... Enabled
--------------------------------------------------


slide 296


EPSR Configuration
Monitoring EPSR
show epsr <epsr-name> count

EPSR Counters
-----------------------------------------------------------------
Name: domain1
Receive:                        Transmit:
Total EPSR Packets    1093      Total EPSR Packets    1093
Health                1092      Health                1092
Ring Up                  1      Ring Up                  1
Ring Down                0      Ring Down                0
Link Down                0      Link Down                0
Invalid EPSR Packets     0
-----------------------------------------------------------------

slide 297

EPSR Configuration
Debugging EPSR To enable debugging, enter the commands:
awplus# terminal monitor
awplus# debug epsr all

The terminal monitor command causes the switch to display terminal logging messages on the console
The master node transmits Health messages every second by default
It is recommended that you capture the debugging output for separate analysis

slide 298

EPSR Implementation
Ports and Recovery Times
The following ports report that they are down immediately:
Tri-speed copper at 10 or 100M, Fiber 1000M, 10G
Recovery time generally between 50 and 100 ms
For tri-speed copper operating at 1000M, there is a short delay - 350 ms or 750 ms - before the port reports that it is down
The IEEE standard specifies a port must wait after a link goes down
For most networks, this slight delay in recovery is no problem
For 1000M networks with extremely stringent failover requirements, use fiber 1000M ports instead of copper
slide 299



EPSR Implementation
Health Message Priority
Health messages are sent to the highest priority egress queue on the switch port (queue 7)
This ensures they are forwarded even if the network is congested
It is recommended that you:
Leave queue 7 as highest priority
Leave it using strict priority scheduling
Only send essential control traffic to it

slide 300



L3 / IP Overview

L3 Overview :Table of Contents


IP Concepts
IP Addresses, IPv4 Addresses
ARP Mechanism
IP Gateway / Router
IPv4 Classes
Special IPv4 Addresses
IPv4 Configuration

slide 302

IP Concepts
Introduction
IP is the short form of the protocol called Internet Protocol
IP datagrams are sent from one host to another, possibly through interconnecting routers
IP is an unreliable, connectionless, best-effort packet delivery service
IP provides network level services:
Host addressing
Routing
Packet fragmentation and reassembly (if necessary)
All other higher layer protocols use IP services
slide 303



IP Concepts
IP Version 4
The current default IP is version 4
Defined in 1981 with RFC 791
32-bit address. This is limited, therefore private addresses are widely used via Network Address Translation (NAT).
Variable length IP header
Extra protocol: Address Resolution Protocol (ARP) needed in LANs
Octets described in decimal notation
Originally based on network classes (A-E); now classless addressing (CIDR) is often used

Problems
Lack of addresses, therefore private networks are necessary
Lacks auto-configuration, Quality-of-Service and real-time options defined in the protocol

slide 304

IP Concepts
IP Version 6
IP Version 6 is becoming important because of problems in Asia, due to lack of addresses
Defined in 1998 with RFC 2460
128-bit address. Not yet widely used, but increasing quickly
Fixed length header, with defined extensions. No IP checksum.
Host address (part of the address) can be generated from the MAC address
ARP replaced by a concept called Neighbour Detection (ND)
Octets always described in hexadecimal notation
Always classless notation
Typically several IP addresses per interface
slide 305

IP Address
IP Subnet Definition
A subnetwork consists of all systems that can directly communicate with each other using homogeneous technologies
An Ethernet segment can contain more than one separate subnet
Often different subnets are placed on individual VLANs, for ease of administration
IPv4 communication between hosts within an Ethernet subnet uses the ARP (Address Resolution Protocol) mechanism
IPv6 has an improved mechanism for communication inside the Ethernet subnet called ND (Neighbour Detection)
slide 306



IPv4 Address
Entry and Subnet Detection
An IPv4 address is 32 bits and expressed in dotted decimal
The complete entry requires the following data:
Host Address: e.g. 192.168.10.123
Network Mask
Dotted decimal: e.g. 255.255.255.0
Binary bit value (prefix length): e.g. 192.168.10.123 /24
Defines which packets being processed are considered to be in the host subnet, or must be forwarded via a gateway
Defines which parts of the 32 bits are:
Network address part
Host address part
Often entered wrong, which causes network outages
slide 307

IPv4 Address
Network Information
This part of the host IP address entry is calculated in simple configurations, but will need to be entered manually when non-standard subnets are used.
Network Address: often calculated automatically. Network part = network part of the host address; host part = all zeros
Network Broadcast: often calculated automatically. Network part = network part of the host address; host part = all ones

slide 308

ARP Mechanism
IPv4 Data Transfer within a Subnet
The decision is made depending on the subnet mask
Each host has a local IP address to MAC address translation cache
When it needs to send an IP datagram, then:
If the entry is in the cache, the datagram will be sent to the MAC address directly
If NOT in the cache, then send an ARP broadcast packet and wait for the answer from the host.
Problems due to delays occurring
Problems due to broadcast traffic to all hosts in the VLAN
Problems due to old entries in the cache from now non-existent hosts

When debugging L3 problems, the ARP cache can give helpful information


slide 309


IP Gateway / Router
IPv4 Data Transfer to another Subnet
The decision is made depending on the subnet mask - that the destination address is not in the current subnetwork
Must have a host entry with the information as to which neighbour host in the current subnet to send the packet to, so that it is forwarded to the destination subnet (NOTE: it has no information on the destination host, only the destination subnet):
The entry is called a gateway, or a route entry
The special subnet 0.0.0.0 is called a default gateway, and will be used when no other gateway is found.
If no matching entry is found then the packet will be discarded
Gateway or routing entries are made:
Manually, and are then called static routes
Automatically by routing software, e.g. RIP, OSPF
slide 310

IPv4 Classes
v4 Class Concept
Classes were defined in the original concept, but are now slowly being replaced by a newer class-less system (CIDR)

Class     Address range (high octet)   Mask             Octet layout (4 x 8 bits)
Class A   0-127                        255.0.0.0        Network | Host | Host | Host
Class B   128-191                      255.255.0.0      Network | Network | Host | Host
Class C   192-223                      255.255.255.0    Network | Network | Network | Host
Class D   Multicast
Class E   Reserved
slide 311

Special Addresses
Loopback and Private addresses
Local loopback subnet within each host: address 127.0.0.1 / 32
Private addresses are needed due to the shortage of public addresses
Private addresses should never be used in a public network
Access to private addresses from the public network is typically via NAT (Network Address Translation)

Address Class   Reserved address space
Class A         10.0.0.0 through 10.255.255.255
Class B         172.16.0.0 through 172.31.255.255
Class C         192.168.0.0 through 192.168.255.255
slide 312



IPv4 Subnets
Typical Subnet Error
The administrator is using addresses from the private class B area in this example
Uses host address: 172.16.1.254/24 (but it should be /16)
Wants to communicate with 172.16.2.223
What happens to the packets?
Due to the wrong mask, they are not defined as being in the same subnet
The host will look for a gateway for the network 172.16.2.0, which is probably not entered
The host will look for a default gateway, and send the packet to this host address. This host will probably not have an entry for this subnet either, and will therefore throw the packets away.
If no default gateway is entered either, then the host will throw the packets away
slide 313
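The subnet arithmetic and the host's next-hop decision from the IPv4 slides above, with the subnet error just described as one of the inputs. This is an added example, not Allied Telesis code: the route-table format, the function names and the sample destinations are this example's own; the addresses come from the slides (192.168.10.123/24, 172.16.1.254 and 172.16.2.223, and the static routes of the IPv4 Configuration slide).

```python
"""Subnet arithmetic and the host's next-hop decision from slides 307-313, as
an added example (not Allied Telesis code): network and broadcast address,
address class, private (RFC 1918) ranges, and whether a destination is
reached directly (ARP), via a route entry, via the default gateway
(the special subnet 0.0.0.0), or dropped. The /24-instead-of-/16 mistake
on slide 313 and the static routes of slide 322 are used as inputs.
"""


def to_int(dotted):
    """'192.168.10.123' -> 32-bit int; rejects malformed addresses."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """/24 -> 0xFFFFFF00."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(dotted_mask):
    """'255.255.255.0' -> 24; a non-contiguous mask is the classic entry error."""
    mask = to_int(dotted_mask)
    prefix = bin(mask).count("1")
    if mask_from_prefix(prefix) != mask:
        raise ValueError(f"non-contiguous mask: {dotted_mask}")
    return prefix


def network_info(host, prefix):
    """(network, broadcast): host bits all zero / all one (slide 308)."""
    mask = mask_from_prefix(prefix)
    network = to_int(host) & mask
    return to_dotted(network), to_dotted(network | (~mask & 0xFFFFFFFF))


def address_class(addr):
    """Class from the high octet (slide 311): A 0-127, B 128-191, C 192-223, D, E."""
    high = to_int(addr) >> 24
    for letter, limit in (("A", 128), ("B", 192), ("C", 224), ("D", 240)):
        if high < limit:
            return letter
    return "E"


# Slide 312 reserved address space, written as prefixes.
PRIVATE_RANGES = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def in_network(addr, network, prefix):
    mask = mask_from_prefix(prefix)
    return to_int(addr) & mask == to_int(network) & mask


def is_private(addr):
    return any(in_network(addr, net, plen) for net, plen in PRIVATE_RANGES)


def next_hop(host, prefix, dest, routes):
    """What a host does with a packet for `dest` (slides 309, 310, 313).
    routes maps (network, prefix) -> gateway; ("0.0.0.0", 0) is the default gateway.
    Returns ("direct", dest), ("gateway", gw), ("default-gateway", gw) or ("drop", None)."""
    if in_network(dest, host, prefix):
        return ("direct", dest)                # same subnet: ARP for dest itself
    matches = [(plen, gw) for (net, plen), gw in routes.items()
               if in_network(dest, net, plen)]
    if not matches:
        return ("drop", None)                  # no route entry, no default gateway
    plen, gw = max(matches)                    # longest matching prefix wins
    return ("default-gateway" if plen == 0 else "gateway", gw)


def slide_313_mistake():
    """172.16.1.254 with the wrong /24 mask cannot reach 172.16.2.223; /16 can."""
    return (next_hop("172.16.1.254", 24, "172.16.2.223", {}),
            next_hop("172.16.1.254", 16, "172.16.2.223", {}))
```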

L3 Switching
Introduction

slide 314

L3 Switching
Switch Setup Step 2: Assigning IP Addresses to VLANs


slide 315


L3 Switching
Switch Setup Step 3: Adding routes to the outside

slide 316

Routing Introduction
Overview IP routing is the process of moving packets from one network to another network using routers

The route that is taken to the remote network is decided by the route found in the local router database
The local router only moves the packet to the neighbour which is marked as the gateway for the destination. The router does not have any knowledge of what happens after that
A data connection probably requires packets to move in both directions within the data flow. The remote routers must therefore know a route:
to the remote network
from the remote network back to the local one
slide 317

Routing Introduction
Route Entries

Routes from local interfaces/VLANs will be automatically inserted when they are created. Routes of networks not directly connected to the local router will need to be inserted:
Static routes must be inserted manually. Routes must be inserted for every subnetwork that should be reachable from this router; this can be a large management overhead
A default route will route any unknown packets to the gateway address, and can simplify management but be a security risk
In networks with multiple subnetworks, static routes become very complex to administer
Changes in the network will need to be manually entered as new static routes
Dynamic routes are inserted by routing software, running on the routers. The routes are continuously maintained, and will automatically learn about any changes in the complete network
The routing protocol sends control packets to other routers with the routing function, and therefore loads the network
slide 318



IPv4 Configuration
Setting an IP address
On switch ports, the interface address is defined per VLAN
awplus# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)# vlan database
awplus(config-vlan)# vlan 2 [name myvlan]

Put access VLAN on the required switch ports
awplus(config)# interface port1.0.3-port1.0.10
awplus(config-if)# switchport access vlan 2

Put static IPv4 address on the VLAN
awplus(config-if)# interface vlan2
awplus(config-if)# ip address 192.168.30.250/24
slide 319

IPv4 Configuration
Displaying IP Interfaces Status
Show IPv4 status of all interfaces.
Note: VLAN1 (the default VLAN) is shown in default state
The management ethernet port (eth0) does not have a VLAN and IP address here.
Route definitions, not shown here, will govern whether traffic is routed between VLAN1 and VLAN2

awplus# sho ip inter
Interface  IP-Address       Status     Protocol
eth0       unassigned       admin up   down
lo         unassigned       admin up   running
vlan1      192.168.1.1      admin up   down
vlan2      192.168.30.250   admin up   running
awplus#
slide 320

IPv4 Configuration
ARP cache Contents
The ARP cache is continually maintained from information learnt from the Ethernet interfaces
Displaying the ARP entries can give a lot of help when troubleshooting Ethernet problems.
Command to display the ARP cache contents.
As can be seen, there are two different hosts attached (probably via a switch) to port1.0.3
No hosts have been seen on the ports in VLAN1

awplus# sho arp
IP Address       MAC Address      Interface   Port        Type
192.168.30.12    0009.6be3.d55f   vlan2       port1.0.3   dynamic
192.168.30.254   000e.a690.7c5d   vlan2       port1.0.3   dynamic
awplus#
slide 321



IPv4 Configuration
Default and Static Route Entry Check that forwarding is enabled
awplus# sho ip forwarding
IP forwarding is on

Add a default route to route anything, not otherwise defined, outside this subnet to a host in this subnet which will route the traffic
awplus# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)# ip route 0.0.0.0/0 192.168.30.252

Add the static route to the network 192.168.40.0/24 by forwarding packets to the host in this subnet at 192.168.30.252
awplus# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)# ip route 192.168.40.0/24 192.168.30.252
awplus#
slide 322

IPv4 Configuration
Displaying IPv4 Routes Routes in RIB (Routing Information Base), that are not active, are not shown
awplus# sho ip route
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       * - candidate default
S     0.0.0.0/0 [1/0] via 192.168.30.254, vlan2
C     192.168.30.0/24 is directly connected, vlan2
S     192.168.40.0/24 [1/0] via 192.168.30.252, vlan2
awplus#
slide 323

IPv4 Configuration
Displaying IPv4 Routes
Show all routes, including those on inactive links
awplus# sho ip route database
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info
S  *> 0.0.0.0/0 [1/0] via 192.168.30.254, vlan2
C  *> 192.168.30.0/24 is directly connected, vlan2
S  *> 192.168.40.0/24 [1/0] via 192.168.30.252, vlan2
S     192.168.60.0/24 [1/0] via 192.168.50.250 inactive
awplus#
slide 324



RIP Routing

RIP Introduction
RIP Version 1
Very old standard
Broadcasts routing updates - extremely heavy LAN usage
RFC 1058 and STD 56
No authentication of routing data, therefore unsafe
Classful

RIP V2
RFC 2453 (in addition to RFC 1058)
Uses multicast - address 224.0.0.9 (Class D), therefore less LAN load
UDP port 520
Provides MD5 or plain text authentication of routing updates
Classless

RIPng for IPv6
RFC 2080
Is closely aligned to RIP V2 (multicast, and authentication)
slide 326

RIP updates
RIP Database, Router 1:
Destination   Mask            Nexthop    Metric
192.168.2.0   255.255.255.0   192.1.1.2  1
192.168.3.0   255.255.255.0   192.1.1.2  2

RIP Database, Router 2:
Destination   Mask            Nexthop    Metric
192.168.1.0   255.255.255.0   192.1.1.1  1
192.168.3.0   255.255.255.0   192.1.2.1  1

[Figure: Router 1 (192.168.1.0) - link 192.1.1.0 - Router 2 (192.168.2.0) - link 192.1.2.0 - Router 3 (192.168.3.0); each router sends RIP updates to its neighbours. Router 1 learns 192.168.3.0 from Router 2 with the metric incremented to 2.]


slide 327


RIP : Routing Information Protocol

Routing table of Router 1:
Destination   Nexthop    Metric   Path
Router 4      Router 3   2        through router 3
Router 4      Router 3   3        through routers 3 and 2

The metric increases at each hop. The route with the lowest metric is used.

[Figure: Routers 1, 2, 3 and 4, with the per-hop metrics (1, 2, 3) towards Router 4 marked on each path.]
slide 328

RIP Commands
Enter the router rip configuration mode:
awplus# config terminal
awplus(config)# router rip

Specify over which interfaces RIP should be activated. For instance:
awplus(config-router)# network VLAN2
awplus(config-router)# network VLAN3

In this example, interfaces VLAN2 and VLAN3 send and receive RIP updates, and these updates contain routing information about the IP networks associated with VLAN2 and VLAN3.

slide 329

RIP Commands
AlliedWare Plus uses RIPv2 by default. If RIPv1 must be used (not advised: RIPv1 broadcasts, is classful and has no authentication), you can change the RIP version, either globally or on specific interfaces.
Globally:
awplus#configure terminal
awplus(config)#router rip
awplus(config-router)#version 1

On a given interface:
awplus#configure terminal
awplus(config)#interface VLAN3
awplus(config-if)#ip rip send version 1
awplus(config-if)#ip rip receive version 1


slide 330


RIP Commands
RIP can be used to communicate with specific neighbors:
awplus(config)#router rip
awplus(config-router)#neighbor 1.1.1.1

RIP updates to these neighbors are sent as unicast, and IP unicast updates from these neighbors are also accepted. This doesn't automatically deactivate broadcasting/multicasting of RIP updates. To deactivate broadcasting/multicasting of RIP updates, the interface must be set to passive mode (router rip configuration mode):
awplus(config-router)#passive-interface VLAN2

[Figure: non-passive mode: RIP updates are multicast on VLAN2 through the L2 switch and also sent as unicast to the configured neighbour. Passive mode with unicast neighbour: only the unicast update to the neighbour is sent.]
slide 331

RIP Commands
Other useful commands:
To redistribute static routes through RIP (all static routes except any default route):
awplus(config)#router rip
awplus(config-router)#redistribute static

To redistribute default-route information:
awplus(config)#router rip
awplus(config-router)#default-information originate

To deactivate reception and/or transmission of RIP updates on an interface (have RIP communicate one-way only):
awplus(config)#interface VLAN4
awplus(config-if)#no ip rip send-packet
awplus(config-if)#no ip rip receive-packet
slide 332

RIP Timers
UPDATE: interval between two periodic RIP updates. Each received update for a route resets that route's TIMEOUT timer.
TIMEOUT: while it runs, the route is valid. When it expires (no update received), the route is no longer valid: it is advertised with metric 16 (unreachable) and the GARBAGE timer starts.
GARBAGE: when it expires, the route is removed from the routing table.

[Figure: timeline showing successive RIP updates, the TIMEOUT period during which the route is valid, the GARBAGE period during which the route is invalid and broadcast with metric 16, and the point where the route is removed.]


slide 333


RIP timers
To modify RIP timers:
awplus(config)#router rip
awplus(config-router)#timers basic 30 120 60

The three values are, in order, UPDATE, TIMEOUT and GARBAGE, in seconds. Default values:
UPDATE = 30 seconds
TIMEOUT = 180 seconds
GARBAGE = 120 seconds

Lower values can be used in networks where bandwidth is not an issue (LANs). The timers must be set to the same values on all RIP routers of a segment; otherwise routes are aged out and re-learnt repeatedly.
slide 334

Checking RIP database


To check the RIP database routing information:
All routes currently in use, learnt with RIP:
awplus#show ip rip database

All routes including those with higher metrics which might not yet be used:
awplus#show ip rip database full

slide 335

RIP Configuration: Basic Example


Topology: Router A (192.168.1.1/24) - Router B (192.168.1.2/24 and 192.168.10.1/24) - Router C (192.168.10.2/24)

Router A
awplus#conf t
awplus(config)#router rip
awplus(config-router)#network 192.168.1.0/24

Router B
awplus#conf t
awplus(config)#router rip
awplus(config-router)#network 192.168.1.0/24
awplus(config-router)#network 192.168.10.0/24

Router C
awplus#conf t
awplus(config)#router rip
awplus(config-router)#network 192.168.10.0/24


slide 336


RIP Configuration: Default Route Example


Topology: Internet - Router A (192.168.1.1/24) - Router B (192.168.1.2/24 and 192.168.10.1/24) - Router C (192.168.10.2/24). Router A holds the default route towards the Internet and originates it into RIP.

Router A
awplus#conf t
awplus(config)#router rip
awplus(config-router)#network 192.168.1.0/24
awplus(config-router)#default-information originate

Router B
awplus#conf t
awplus(config)#router rip
awplus(config-router)#network 192.168.1.0/24
awplus(config-router)#network 192.168.10.0/24

Router C
awplus#conf t
awplus(config)#router rip
awplus(config-router)#network 192.168.10.0/24

slide 337

RIP Introduction : Split Horizon


Router A's routing table: 192.168.1.0, 192.168.2.0, 192.168.3.0, ...
Router B's routing table: 192.168.1.0, 192.168.2.0, 192.168.3.0, ...

Update from Router A to Router B: 192.168.1.0, 192.168.2.0
Update from Router B back to Router A: 192.168.3.0 only. Including 192.168.1.0 (learnt from Router A) in the update sent back to Router A would violate split horizon.
slide 338

RIP Introduction : Poison Reverse


Router A's routing table: 192.168.1.0, 192.168.2.0, 192.168.3.0, ...
Router B's routing table: 192.168.1.0, 192.168.2.0, 192.168.3.0, ...

Update from Router A to Router B:
192.168.1.0   metric 1
192.168.2.0   metric 1
192.168.3.0   metric 16   (learnt from Router B, so sent back as unreachable)

Update from Router B to Router A:
192.168.1.0   metric 16   (learnt from Router A, so sent back as unreachable)
192.168.2.0   metric 16   (learnt from Router A, so sent back as unreachable)
192.168.3.0   metric 1

With poison reverse, a router still advertises routes back to the neighbour it learnt them from, but with metric 16 (unreachable), instead of simply omitting them as plain split horizon does.


slide 339


RIP Introduction : Authentication


Two authentication methods:
Single key (clear text or MD5)
Multiple key (clear text or MD5)

[Figure: Router A (192.168.11.0) and Router B (192.168.10.0) exchanging authenticated RIP updates]

Clear-text authentication sends the key itself in every update, so anyone able to capture traffic on the segment can read it; it only protects against misconfiguration. MD5 authentication sends a keyed hash instead of the key, so updates cannot be forged or altered without knowing the key, although their contents remain readable.

slide 340

RIP Authentication Configuration


Router A (192.168.11.0 on VLAN2)
awplus#configure terminal
awplus(config)#router rip
awplus(config-router)#network 192.168.11.0/24
awplus(config-router)#interface vlan2
awplus(config-if)#ip rip authentication string secret
awplus(config-if)#ip rip authentication mode md5

Router B (192.168.10.0 on VLAN2)
awplus#configure terminal
awplus(config)#router rip
awplus(config-router)#network 192.168.10.0/24
awplus(config-router)#interface vlan2
awplus(config-if)#ip rip authentication string secret
awplus(config-if)#ip rip authentication mode md5

The authentication string and mode must be identical on both ends of the link; updates whose authentication fails are discarded.
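The packet behaviours described in this RIP section (split horizon with poison reverse, and the clear-text versus MD5 authentication entries) are modelled in the following Python script. It is an added example, not code from the course or from Allied Telesis: it builds RIPv2 response messages following the RFC 2453 layout and the RFC 2082 MD5 trailer, then parses them back and checks the authentication. The routing table, the key `secret`, the sequence number and the interface names are constructed for the demonstration.

```python
"""
RIPv2 on the wire: split horizon with poison reverse when building an update,
and the simple-password versus keyed-MD5 authentication entries.
Added example, not Allied Telesis code: it models the RFC 2453 packet layout
and the RFC 2082 MD5 trailer so the two authentication modes can be compared.
The routes, key and sequence number used below are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_PORT = 520                 # UDP port (RFC 2453)
RIP_MCAST = "224.0.0.9"        # RIPv2 multicast group
AF_INET = 2
AF_AUTH = 0xFFFF               # AFI value that marks an authentication entry
AUTH_SIMPLE, AUTH_MD5 = 2, 3   # RFC 2453 password / RFC 2082 keyed MD5
INFINITY = 16                  # "unreachable" metric


def advertise_on(table, iface):
    """Split horizon with poison reverse: routes learnt on 'iface' are sent
    back on it with metric 16 instead of being omitted.  Table entries are
    (prefix, metric, learnt_from_iface); None marks a connected route."""
    return [(prefix, INFINITY if learnt == iface else metric)
            for prefix, metric, learnt in table]


def _route_entry(prefix, metric, nexthop="0.0.0.0"):
    """One 20-byte RIPv2 route entry: AFI, route tag, network, mask, next hop, metric."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!HH4s4s4sI", AF_INET, 0, net.network_address.packed,
                       net.netmask.packed, ipaddress.ip_address(nexthop).packed, metric)


def build_response(routes, key=b"", mode=None, key_id=1, seq=0):
    """routes: list of (prefix, metric). mode: None, AUTH_SIMPLE or AUTH_MD5."""
    header = struct.pack("!BBH", 2, 2, 0)          # command 2 = response, version 2
    body = b"".join(_route_entry(p, m) for p, m in routes)
    padded_key = key[:16].ljust(16, b"\0")
    if mode is None:
        return header + body
    if mode == AUTH_SIMPLE:                        # the password travels in clear text
        return header + struct.pack("!HH16s", AF_AUTH, AUTH_SIMPLE, padded_key) + body
    # RFC 2082: auth header (offset of the trailer, key id, digest length, sequence),
    # routes, then a trailer whose digest is MD5 over the packet with the key in its place
    trailer_offset = 4 + 20 + len(body)
    auth = struct.pack("!HHHBBI8x", AF_AUTH, AUTH_MD5, trailer_offset, key_id, 16, seq)
    trailer = struct.pack("!HH", AF_AUTH, 1)
    digest = hashlib.md5(header + auth + body + trailer + padded_key).digest()
    return header + auth + body + trailer + digest


def parse_response(pkt, key=b""):
    """Return (auth_ok, routes). auth_ok is None for an unauthenticated packet,
    otherwise True/False; routes is a list of (prefix, metric)."""
    cmd, ver, _ = struct.unpack("!BBH", pkt[:4])
    if (cmd, ver) != (2, 2) or (len(pkt) - 4) % 20:
        raise ValueError("not a well-formed RIPv2 response")
    entries = [pkt[i:i + 20] for i in range(4, len(pkt), 20)]
    padded_key = key[:16].ljust(16, b"\0")
    auth_ok = None
    if entries and entries[0][:2] == b"\xff\xff":
        first = entries.pop(0)
        atype = struct.unpack("!H", first[2:4])[0]
        if atype == AUTH_SIMPLE:
            auth_ok = hmac.compare_digest(first[4:], padded_key)
        elif atype == AUTH_MD5:
            trailer_offset = struct.unpack("!H", first[4:6])[0]
            trailer = entries.pop()                # the digest is the last entry
            if trailer[:4] != struct.pack("!HH", AF_AUTH, 1) or trailer_offset != len(pkt) - 20:
                raise ValueError("malformed MD5 trailer")
            expected = hashlib.md5(pkt[:trailer_offset + 4] + padded_key).digest()
            auth_ok = hmac.compare_digest(expected, trailer[4:])
        else:
            raise ValueError(f"unknown authentication type {atype}")
    routes = []
    for e in entries:
        afi, _tag, ip, mask, _nh, metric = struct.unpack("!HH4s4s4sI", e)
        if afi == AF_INET:
            net = ipaddress.ip_network(f"{ipaddress.IPv4Address(ip)}/{ipaddress.IPv4Address(mask)}")
            routes.append((str(net), metric))
    return auth_ok, routes
```

Running it against a small table shows that the clear-text mode leaves the key readable in the datagram, while with MD5 a packet whose metric has been altered in transit, or one signed with the wrong key, fails verification and would be discarded by the receiver.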

slide 341



AlliedWare Plus : Access Lists

Access Lists
Once VLANs are configured and IP interfaces are defined, there is no restriction on communications: a host only needs the proper gateway to get IP communication with all devices. To get some control over the communications, it is necessary to set up Access Lists.

[Figure: green, yellow, white, red and blue tagged traffic flows passing through the switch]

slide 343

ACLs
AlliedWare Plus provides several types of Access Lists:
Some are software-based. Others are hardware-based.

Software ACLs are used to filter information relating to dynamic routing protocols (route filtering). They are not to be used to filter user traffic, which is the job of hardware ACLs. Hardware ACL filtering is done by the switching ASICs, so it has no impact on forwarding performance or latency.


slide 344


Hardware ACLs
Hardware ACLs are implemented in two different ways:
Numbered ACLs: they are created with a number taken from the ranges below. They are active on traffic ingressing the switch ports to which they have been associated. The order in which they are applied to the port plays a critical role in the final result. Once created they are not easy to modify, so they are only recommended for QoS classification.
awplus(config)#access-list ?
  <3000-3699>  Hardware IP access list
  <4000-4699>  Hardware MAC access list

Named ACLs: a named ACL is a list of several rules, each of them numbered. It is easier to insert or delete a rule inside such an ACL. A named ACL is active once it is associated with one or several ports of the switch.
slide 345

Named ACLs : how they behave


An ACL is associated with one or more ports and acts on traffic ingressing those ports. The rules of the ACL are read in numerical order. The first rule that matches is executed, and filter processing stops there. If no rule matches the traffic, it is switched or routed with no modification. Rules therefore have to be numbered from the most specific to the most general. If no number is given to a rule, it is automatically numbered using increments of 100. If a number is specifically assigned to a rule during its creation, the rule inserts itself among the existing rules at that position.
slide 346

[Figure: traffic entering the ingressing port is compared with Rule 1, Rule 2, ... Rule X in order; the first match applies its action (permit or deny); permitted traffic leaves by the egressing port.]

ACLs : two different approaches

Block some traffic, allow the rest: each rule matches a kind of traffic to block and denies it; traffic matching no rule is forwarded, so no final rule is needed.
Allow some traffic, block everything else: each rule matches a kind of traffic to allow and permits it; a final rule matching all traffic denies everything else.

[Figure: two rule chains on an ingressing port; in the first, all other traffic reaches the egressing port; in the second, a final rule denies all other traffic.]

The second approach (permit what is needed, deny everything else) is the one to use when the ACL is meant to restrict access: anything not explicitly permitted is dropped, including protocols that were not thought of when the list was written.
slide 347



Step-by-step ACL creation


To create a named ACL, first specify its name, then specify its rules.
Creating an ACL:
awplus(config)#access-list hardware <acl_name>
awplus(config-ip-hw-acl)#
Adding a rule:
awplus(config-ip-hw-acl)# [<1-65535>] <action> ip <source_ip> <destination_ip>
Possible actions: permit, deny
slide 348

IP addresses
Source and destination IP addresses can use the following values:
any: any address
A.B.C.D/M: network address with its subnet mask length. Use a /32 mask to identify a host.
host A.B.C.D: same as above with a /32 mask.

If other criteria (ports) are needed, then the rule becomes a TCP or UDP rule.

slide 349

TCP and UDP rules


Creating a TCP or UDP rule:
awplus(config-ip-hw-acl)# [<1-65535>] <action> {tcp|udp} <source-ip-address> [{eq|gt|lt|ne|range} <source-port> [<source-port>]] <destination-ip-address> [{eq|gt|lt|ne|range} <dest-port> [<dest-port>]]

Actions: permit, deny

The logic operators used with source and/or destination ports are:
eq     equal
gt     greater than
lt     less than
ne     not equal
range  a range of values (two port numbers)


slide 350


Maintaining rules
An ACL can contain several rules of different types: a given ACL can therefore contain IP, TCP and UDP rules. When a new rule is created, its number determines its position inside the ACL. If no number is given, the rule is placed at the end of the ACL (its number = last known number + 10). Those rule numbers don't show up in the configuration file or in the running-config. When the configuration is saved and the device is rebooted, the numbering is automatically recreated using increments of 10. This does not, of course, change the switch behaviour, but a rule inserted later by number must be positioned against the renumbered list, so check the current numbers with show access-list first.
slide 351

Modification and visualisation


To display current access-lists:
awplus#show access-list
Hardware IP access list filtrage
    10 permit tcp 192.168.1.2/32 149.35.65.49/32 eq 23
    20 permit tcp 149.35.65.49/32 eq 23 192.168.1.2/32
    100 deny ip any any

To delete a rule within an ACL (by its number):
awplus(config-ip-hw-acl)#no <1-65535>

slide 352

Applying an ACL
Once it is created, an ACL must be associated with one or more ports. This can be done on individual ports or port ranges. An ACL can also be applied to a static aggregator interface. When filtering traffic ingressing an LACP aggregator, the ACL must be applied to the ports belonging to the po interface, not to the po interface itself.
To apply to a port:
awplus(config)#interface portx.y.z
awplus(config-if)#access-group <acl_name>
To apply to a static aggregator:
awplus(config)#interface <static_agg_name>
awplus(config-if)#access-group <acl_name>


slide 353


Example

[Figure: host A, 149.35.65.49, on port 9; host B, 192.168.1.2, on port 24 of the same switch]

Only Telnet communications between A and B must be allowed (the ACL below permits sessions opened by B towards TCP port 23 on A, and the replies). All other communication must be denied.

slide 354

ACL
awplus(config)#access-list hardware telnet_only
awplus(config-ip-hw-acl)#10 permit tcp 192.168.1.2/32 149.35.65.49/32 eq 23
awplus(config-ip-hw-acl)#20 permit tcp 149.35.65.49/32 eq 23 192.168.1.2/32
awplus(config-ip-hw-acl)#30 deny ip any any
awplus(config)#interface port1.0.24,port1.0.9
awplus(config-if)#access-group telnet_only

The ACL is applied to both ports because it only acts on ingress: rule 10 is hit on port 24 (B's requests), rule 20 on port 9 (A's replies). Rule 30 is what turns the list into a whitelist; without it, traffic matching neither rule would be forwarded.
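To see the first-match evaluation on constructed packets, the following Python model re-implements the behaviour described for named hardware ACLs: rules tried in sequence order, first match wins, no match means the packet is forwarded, unnumbered rules appended at the last number + 10. It is an added example, not Allied Telesis code and not how the ASIC does it; the packets, the client port numbers and the assumption that a first unnumbered rule gets number 10 are ours.

```python
"""
Model of the first-match behaviour of an AlliedWare Plus named hardware ACL.
Added example (not Allied Telesis code): it re-implements only the rule
semantics described in the course text so that rule ordering and the effect
of a final "deny ip any any" can be tested against constructed packets.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortTest = Tuple[str, int, int]   # (operator, low, high)

_PORT_OPS = {
    "eq": lambda p, lo, hi: p == lo,
    "ne": lambda p, lo, hi: p != lo,
    "gt": lambda p, lo, hi: p > lo,
    "lt": lambda p, lo, hi: p < lo,
    "range": lambda p, lo, hi: lo <= p <= hi,
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    seq: Optional[int]
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[PortTest]
    dst: ipaddress.IPv4Network
    dport: Optional[PortTest]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src or ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        for test, port in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
            if test and not _PORT_OPS[test[0]](port, test[1], test[2]):
                return False
        return True


def _address(tokens: List[str]) -> ipaddress.IPv4Network:
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":                      # host A.B.C.D is the same as A.B.C.D/32
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def _port_test(tokens: List[str]) -> Optional[PortTest]:
    if not tokens or tokens[0] not in _PORT_OPS:
        return None
    op = tokens.pop(0)
    lo = int(tokens.pop(0))
    hi = int(tokens.pop(0)) if op == "range" else lo
    return (op, lo, hi)


def parse_rule(line: str) -> Rule:
    """Parse '[<1-65535>] {permit|deny} ip <src> <dst>' or
    '[<1-65535>] {permit|deny} {tcp|udp} <src> [op port] <dst> [op port]'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"bad rule: {line}")
    src = _address(tokens)
    sport = _port_test(tokens) if proto != "ip" else None
    dst = _address(tokens)
    dport = _port_test(tokens) if proto != "ip" else None
    if tokens:
        raise ValueError(f"trailing tokens in rule: {line}")
    return Rule(seq, action, proto, src, sport, dst, dport)


class HardwareACL:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []

    def add(self, line: str) -> int:
        """Insert a rule; an unnumbered rule goes last at (highest seq + 10),
        a first unnumbered rule at 10 (assumption for this model)."""
        rule = parse_rule(line)
        if rule.seq is None:
            rule.seq = (self.rules[-1].seq + 10) if self.rules else 10
        self.rules = sorted([r for r in self.rules if r.seq != rule.seq] + [rule], key=lambda r: r.seq)
        return rule.seq

    def remove(self, seq: int) -> None:
        self.rules = [r for r in self.rules if r.seq != seq]

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """The first matching rule decides; with no match the packet is forwarded unchanged."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.seq
        return "permit", None


def telnet_only_acl() -> HardwareACL:
    """The telnet_only list from the example above."""
    acl = HardwareACL("telnet_only")
    acl.add("10 permit tcp 192.168.1.2/32 149.35.65.49/32 eq 23")
    acl.add("20 permit tcp 149.35.65.49/32 eq 23 192.168.1.2/32")
    acl.add("30 deny ip any any")
    return acl
```

With the telnet_only list, B's Telnet request and A's reply match rules 10 and 20, SSH and ICMP fall through to rule 30, and a `5 deny ip any any` inserted by number shadows everything: the ordering mistake the text warns about.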

slide 355



Queue Weighting and QoS

Table of contents
What is QoS?
Principles of switching
  Queues
  Mechanisms for emptying queues
Priority signaling
  802.1p (VLAN User Priority)
  Differentiated Services Code Point (DiffServ, DSCP)
QoS functions and commands (AT-x600)
slide 357

What is QoS?



QoS, whats that about?


QoS : Quality of Service
The term QoS means a set of architectural and mechanical principles that ensure privileged treatment for particular network traffic. It is a concept, not a functionality. In fact, QoS is really a set of functionalities, such as:
Priority management
Assignment of a minimum bandwidth to a service
Restriction of the bandwidth usable by a service
Dynamic management of bandwidth by anticipating congestion events
Etc.
slide 359

What are the needs of each application?


Voice
  Properties: must be forwarded with minimum delay (100 ms max); all packets must be sequenced; no jitter. Can tolerate the loss of certain packets.
  Network processing: forwarding packets with a minimum delay; priority management to ensure forwarding in the event of congestion.
  Application processing: packets reassembled in sequence, buffering to counteract jitter, rejection of packets that arrive too late, reconstruction of missing data if possible.

Data
  Properties: continuous transmission of segments, with bandwidth peaks. Some delay may be tolerated, but no loss of packets.
  Network processing: forwarding packets with error control (TCP). The emphasis is on reliable transfer rather than on speed.
  Application processing: reassembling packets, error checking, retransmission requested in the event of errors or excessive delay.

Video
  Properties: continuous flow. Loss of packets not tolerated (visible degradation). Slight delay acceptable, in both multicast and unicast, except in real-time applications (video-conferencing) where the constraints are similar to voice.
  Network processing: emphasis on reliability of transfer rather than speed, although error checking and retransmission are not possible in multicast.
  Application processing: reassembling packets in sequence, buffering to counteract jitter. For videoconferencing, buffering of packets and rejection of packets that are excessively delayed.

slide 360

Priority management
There are different mechanisms available, depending on the type of equipment. The most sophisticated functions (dynamic congestion management, "traffic shaping", etc.) are normally reserved for network core switches (Layer 3, such as x600, x900, SBx908) All manageable switches include priority management, but with variations in the available options. This course will therefore concentrate on priority management.


slide 361


Principles of switching

Frame forwarding
Frames received (ingressing frames) at a port are forwarded to their destination port (egressing frames) on the FIFO (First-In, First-Out) principle. They are first stored in buffer memory, to:
Enable forwarding between ports operating at different speeds,
Allow an integrity check on each frame.

[Figure: frames from two ingress ports queued in a single buffer and leaving by one egress port]
slide 363

Packet buffering
In fact there is not just one buffer memory per port, but several. Before transmission from a port, frames may be stored in one of multiple egress buffers (queues), ordered from the lowest priority to the highest. The value of this: frames can be assigned to one buffer or another according to particular criteria.

[Figure: frames from the ingress ports are placed in one of several egress queues, ordered from - priority to + priority, before leaving the egress port]

slide 364


Packet buffering
[Figure: packets stored in multiple egress queues, from - priority to + priority]

The prioritization of traffic is achieved by the way in which each queue is emptied relative to the others. There are two mechanisms available on most devices:
Strict Priority Queuing (SPQ): always send packets from the highest-priority non-empty queue. Lower queues are only served when every higher queue is empty.
Weighted Round Robin (WRR): a cyclical process; each queue is emptied in proportion to its importance (weight), so no queue is starved.

slide 365

What result does this have on traffic flow?


Priority management involves assigning different priority levels to each type of traffic, to give preference to the most sensitive traffic. Traffic is stored in a queue according to priority, and flows according to the mechanism for emptying queues. If the network becomes congested (outgoing port saturated), priority traffic is therefore less seriously affected than standard traffic.
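The difference between the two queue-emptying mechanisms is easier to see on a concrete backlog. The following Python simulation is an added example, not Allied Telesis code: it implements SPQ and WRR over a set of egress queues numbered the way the course does (higher number = higher priority). The traffic mix, the weights and the number of transmit slots are constructed for the demonstration.

```python
"""
Simulation of strict priority queuing (SPQ) and weighted round robin (WRR)
on a congested egress port.  Added example, not Allied Telesis code: queue
numbers follow the course's convention (higher number = higher priority);
the traffic mix, the weights and the number of transmit slots are constructed.
"""
from collections import deque
from typing import Dict, List, Tuple

Queues = Dict[int, deque]          # queue number -> frames waiting
Sent = List[Tuple[int, str]]       # (queue number, frame id) in transmit order


def strict_priority(queues: Queues, slots: int) -> Sent:
    """Each transmit slot serves the highest-numbered non-empty queue.
    Lower queues get nothing while a higher queue has frames (starvation)."""
    sent: Sent = []
    for _ in range(slots):
        for q in sorted(queues, reverse=True):
            if queues[q]:
                sent.append((q, queues[q].popleft()))
                break
        else:                      # every queue empty: the port goes idle
            break
    return sent


def weighted_round_robin(queues: Queues, weights: Dict[int, int], slots: int) -> Sent:
    """Each cycle visits the queues from highest to lowest and sends up to
    weights[q] frames from each, so every queue with traffic gets a share
    proportional to its weight."""
    sent: Sent = []
    while len(sent) < slots and any(queues.values()):
        for q in sorted(queues, reverse=True):
            for _ in range(weights[q]):
                if queues[q] and len(sent) < slots:
                    sent.append((q, queues[q].popleft()))
    return sent


def share_by_queue(sent: Sent) -> Dict[int, int]:
    """How many of the transmitted frames came from each queue."""
    share: Dict[int, int] = {}
    for q, _ in sent:
        share[q] = share.get(q, 0) + 1
    return share


def congested_port() -> Queues:
    """Constructed backlog: 20 voice frames in queue 7, 4 frames in queue 3
    and 20 best-effort frames in queue 0, all waiting on one egress port."""
    return {
        7: deque(f"voice{i}" for i in range(20)),
        3: deque(f"data{i}" for i in range(4)),
        0: deque(f"bulk{i}" for i in range(20)),
    }


def compare(slots: int = 12) -> Dict[str, Dict[int, int]]:
    """Run both schedulers on identical backlogs for the same number of slots."""
    return {
        "spq": share_by_queue(strict_priority(congested_port(), slots)),
        "wrr": share_by_queue(weighted_round_robin(congested_port(), {7: 4, 3: 2, 0: 1}, slots)),
    }


if __name__ == "__main__":
    for name, share in compare().items():
        print(name, share)
```

With twelve transmit slots, SPQ sends voice only (queue 0 is starved as long as queue 7 has a backlog), whereas WRR with weights 4/2/1 still lets one best-effort frame through per cycle. SPQ is therefore the right choice for a small, rate-limited voice queue, and a bad choice for a queue that untrusted hosts can fill.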
slide 366

Architectural rules
Setting up priority management makes sense when other rules have been observed:
The network has enough bandwidth to easily forward the average volume of traffic: links between devices provide satisfactory bandwidth (1 Gbps minimum).
Switches are non-blocking: this applies to almost all devices currently available.
The various types of traffic are segregated to reduce broadcast effects: set up VLANs.
slide 367



Myth and reality


"Priority management is only activated when traffic is congested."
FALSE: it is always active, even though its effects are only felt when congestion actually occurs.

"Priority management must always be implemented for VoIP or any other real-time application."
TRUE/FALSE: this only applies if this traffic has to take precedence over another kind (e.g. traditional data). There is no point in giving preference to one kind of traffic on an Ethernet network used exclusively for that type of traffic (VoIP).

"Priority management overcomes the limitations of an inadequately-sized network."
FALSE: if a network is under-sized (inter-device bandwidth inadequate), it will often be congested; in this case congestion is almost constant and priority management cannot create bandwidth.
slide 368

Myth and reality


"Priority management helps avoid loss of sensitive packets during temporary congestion."
TRUE: in a properly designed network, if peaks of activity cause congestion, priority management avoids losing sensitive traffic.

"Priority management is a kind of insurance against congestion."
TRUE: it ensures priority traffic is always handled properly, even though it is mostly unnecessary (no congestion) on a properly designed network.

slide 369

In practice



How to assign priority traffic


As a frame enters a port of the switch, it is directed to the correct queue of the outgoing port depending on the priority value stored in the frame header. There are 2 possible mechanisms:
IEEE 802.1p, also called VLAN Tag Priority or User Priority
DiffServ (Differentiated Services Code Point, DSCP)

If there is no priority value, the incoming frame is assigned to a default queue and processed as Best Effort. If no QoS configuration is provided, all traffic is processed according to this principle.
The queue assigned to a port can also be set, so all traffic entering a given port can be given a particular priority.
slide 371

Priority marking
An L2 switch such as the AT-8000S can read a priority value in an incoming frame and process it accordingly. Something still has to write a value into the 802.1p field. Marking may be applied at various levels:
By the terminal equipment (e.g. IP telephone),
By the access switch, if it can do this,
By the L3 backbone switch (e.g. AT-x900).
A consistent architecture needs equipment that can handle this priority and apply marking as early as possible on the path of this traffic.

Nowadays, the most widely-used architectures apply priority marking on the terminal equipment; for example, all IP telephones currently on the market can do this. Note that trusting marks set by terminal equipment means any host can claim voice priority for its own traffic, so the access switch should only trust marks on ports where a known device sits and remark everything else at ingress. But which mechanism should you choose: 802.1p or DiffServ?
slide 372

802.1p
Priority management by 802.1p is an extension of VLAN Tagging (802.1Q). Marking is therefore applied in the Ethernet header of a frame. The 802.1p priority field is 3 bits in the Ethernet frame, giving 8 possible priority levels.

Tagged Ethernet frame layout:
Destination Address (6 bytes) | Source Address (6 bytes) | 802.1Q VLAN Tag (4 bytes) | Type/Len (2 bytes) | Data | Frame Check

The 4-byte 802.1Q VLAN Tag consists of:
Tag Protocol ID (2 bytes): 0x8100
Tag Control Information (2 bytes): User Priority (3 bits), Canonical Format Indicator (1 bit), VLAN ID (12 bits)


slide 373


802.1p
Although each value can be assigned to the traffic of your choice, there are IEEE recommendations for this (listed from lowest to highest priority; note that 0, the default, ranks above 1 and 2):
CoS value   Recommended use
1           Background (non-sensitive traffic)
2           Spare (reserve value)
0           Best Effort (default, unmarked traffic)
3           Excellent Effort (> Best Effort)
4           Controlled Load (applications subject to reserved bandwidth)
5           Video (any application characterized by less than 100 ms delay and jitter)
6           Voice (any application characterized by less than 10 ms delay and jitter)
7           Network Control (network protocol traffic such as Spanning Tree)
slide 374

Association between 802.1p value and queue


A switch has a number of queues (egress queues) per port, up to a maximum of 8 (x600, x900, SBx908, etc.). There is a correspondence table in each switch between value 802.1p and CoS, but also between CoS and queue. These tables may be modified if necessary (not recommended).

slide 375

Differentiated Services Code Point (DSCP)


Differentiated Services Code Point (DSCP, or DiffServ) defines a means for end-to-end classification of IP traffic. It is designed to inform all nodes (mainly routers) how to process incoming IP packets. These actions may involve, for instance:
Forwarding packets in order of priority
Restricting the bandwidth used by different types of traffic

Within a LAN, DiffServ can be used to replace or supplement CoS priority. Its position in layer 3 (the IP header) means it is present end-to-end in a full LAN-WAN architecture.


slide 376


Differentiated Services Code Point (DSCP)


DiffServ uses the ToS field in the IP header, extending the 3 bits previously used by IP Precedence with the 3 adjacent bits, thus increasing the number of available values from 8 (0 to 7) to 64 (0 to 63). Because the three high-order bits keep their IP Precedence meaning, DiffServ remains backward compatible with IP Precedence.


slide 377

Differentiated Services Code Point (DSCP)


All equipment sharing the same DiffServ policy forms a DiffServ domain. Within a domain, a given traffic receives the same treatment from all IP equipment.

[Figure: a Differentiated Services domain. Unmarked packets enter at a QoS boundary switch, which classifies them by source IP address, marks them with DSCP=40 and limits their bandwidth. The QoS core switches classify by DSCP=40 and limit bandwidth. The boundary switch towards the next domain classifies by DSCP=40, limits bandwidth and remarks to a new DSCP value.]

slide 378

Differentiated Services Code Point (DSCP)


There are essentially two methods for equipment to process traffic marked by DSCP:
Simplified priority processing: similar to 802.1p priority, traffic is directed to a queue according to its DSCP value.
Per-Hop Behavior: in this case, the DSCP value of a packet may specify not only the egress queue but also other treatment, e.g. the bandwidth allowed to the traffic.

Per-Hop-Behavior processing is only found on advanced Layer 3 routers or switches (such as x600, x900 and SBx908).


slide 379


Simplified priority processing


Create a mapping between DSCP values and queues, as with 802.1p. For instance:
IP Precedence           Bits (value)   DSCP range                   CoS   Queue
Routine (default)       000 (0)        000000 (0)  - 000111 (7)    0     0
Priority                001 (1)        001000 (8)  - 001111 (15)   1     1
Immediate               010 (2)        010000 (16) - 010111 (23)   2     2
Flash                   011 (3)        011000 (24) - 011111 (31)   3     3
Flash Override          100 (4)        100000 (32) - 100111 (39)   4     4
Critical                101 (5)        101000 (40) - 101111 (47)   5     5
Internetwork control    110 (6)        110000 (48) - 110111 (55)   6     6
Network control         111 (7)        111000 (56) - 111111 (63)   7     7
slide 380

Summary
[Figure: position of the two priority fields: the 802.1p User Priority in the 802.1Q tag of the Ethernet frame, and the DSCP in the ToS byte of the IP packet header]
slide 381

802.1p, DSCP: Pros and cons


802.1p

Pros:
Standard Ethernet: understandable and usable by any manageable Ethernet switch.
Automatic use: little or no configuration required on switches.

Cons:
Located in the Ethernet header: the information is lost in IP routing (loss of Ethernet encapsulation).
Extension of VLAN Tagging: can only be used on Trunk type links. In IP telephony, the link between the IP telephone and the switch must therefore be tagged for the Voice VLAN. This also excludes use of VLAN 1 (by default the untagged VLAN) as the Voice VLAN.


slide 382


802.1p, DSCP: Pros and cons


DiffServ

Pros:
Standard IP: understandable by any IP equipment, especially L3 switches, routers, etc.
More precise priority management, with more values available.
Located in the IP header: DSCP information is kept through routing, particularly for LAN->WAN transfer.
More advanced processing options (depending on the bandwidth used).

Cons:
Located in the IP header: not all Ethernet equipment is necessarily compatible, particularly simple L2 switches.
A policy has to be defined: since each DSCP value could mean something different depending on the domain, it is common to have to re-mark traffic when interconnecting several domains, to match the domain being entered.
slide 383

802.1p, DSCP: Which one to use?


In a LAN, 802.1p has the advantage of being simple to use and universally applicable. It is therefore preferable, especially because it is automatically recognized. Since DiffServ stores the priority information in the IP header, it has to be used when traffic is to be routed locally (inter-VLAN routing) or to the WAN. Both mechanisms are therefore often marked together by terminal equipment (IP telephones, for instance):
802.1p marking for automatic recognition on the LAN
DiffServ marking to ensure continuity of priority information on the WAN
slide 384

x600 switches



What are the options?

There are simple priority management options (association between the 802.1p / DSCP priority value and a queue). But you can also:
Measure the bandwidth consumed by the traffic, and then decide which action to take
Mark traffic with an 802.1p or DSCP value
Etc.

The x900/x908 switches provide further options (not covered in this training), in particular advanced traffic smoothing using RED curves.
slide 386

QoS processing: markers


All traffic traversing the switch to which QoS processing is applied has 4 markers. 2 of these are present in the actual packet:
CoS value
DSCP value

2 others are "internal" and are carried with the packet inside the switch:
Egress queue value
Bandwidth class, which corresponds to the traffic's conformance to a predefined bandwidth metering, using 3 colours: green, yellow, red.

They are likely to change their value at various stages of QoS processing.
slide 387

Full QoS model

There are several successive stages in the full QoS processing of the x600/x900/SBx908 switches:
At the input to a port, a packet marked with a CoS priority is automatically associated with the corresponding queue. Otherwise a defined queue can be associated with the input port.
A classification phase is then used to select different parts of the incoming traffic, according to several criteria, for different processing.
A premarking phase is used for initially modifying the markers.
A policing phase is used to control the bandwidth consumed by the classified traffic.
A remarking phase is used for modifying the markers again, depending on the results of the policing. Alternatively, some of the traffic may be dropped.
The final values of the DSCP and 802.1p markers are written into the packet.
The packets are finally switched to the output port and the correct queues.


slide 388


Stages in QoS model


Ingress:
Packet enters the ingress port. Tagged: priority mapped to a queue; untagged: mapped to the default queue.
Classification using ACLs
Premarking
Policing
Remarking / limiting (dropping non-conformant traffic)

Egress:
Queue shaping
Queue emptying and egress


slide 389

In detail: Classification
The classification phase separates incoming flows according to a number of criteria. The more accurate the classification, the more specific the flows targeted.

None of the 4 markers is modified at this point, since the classification only determines the way the packet will subsequently be processed.

slide 390

In detail: Premarking

On the x600, the premarking stage plays the same role as on the x900/x908, but with fewer options:
The queue cannot be modified at this stage.
The other markers may be modified with the premark-dscp map table, depending on the DSCP value marked in the incoming traffic.


slide 391


In detail: Policing

The policing phase involves measuring the bandwidth consumed by the incoming traffic, and determining which traffic is and is not conforming to its configured bandwidth limits. The bandwidth class marker of the traffic is then updated:
Green: full conformity
Yellow: partial conformity (within the allowed burst)
Red: non-conformity

slide 392

In detail: Remarking

The options are basically the same on the x600 at this stage, although they are implemented differently:
Drop traffic whose bandwidth class is now red.
Take the new bandwidth class of the traffic and determine from it the new values of the DSCP and bandwidth class, using the remark-map table.
Mark a new CoS value in the packet, and/or send the packet to a new queue. This action is performed independently of the traffic's bandwidth class.
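The policing and remarking stages above can be modelled with a token-bucket meter that colours each packet and a remark map that acts on the colour. The following Python script is an added example, not Allied Telesis code: it implements a single-rate three-colour meter in the style of RFC 2697 and a remark map of our own (green keeps DSCP 10, yellow is downgraded to DSCP 12, red is dropped). The rate, burst sizes and packet sequence are constructed for the demonstration; the x600's actual policer and remark-map commands are not reproduced.

```python
"""
Model of the policing and remarking stages: a single-rate three-colour meter
(RFC 2697 style token buckets) assigns each packet the bandwidth class green,
yellow or red, then a remark map decides the DSCP written into it or drops it.
Added example, not Allied Telesis code; the rate, burst sizes, DSCP values
and packet sequence are constructed for the demonstration.
"""
from typing import Dict, List, Optional, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"


class SingleRateMeter:
    """Two token buckets filled at CIR: the committed bucket (CBS) and the
    excess bucket (EBS), which only receives the committed bucket's overflow."""

    def __init__(self, cir_bps: int, cbs_bytes: int, ebs_bytes: int) -> None:
        self.cir = cir_bps / 8.0                                 # bytes per second
        self.cbs, self.ebs = cbs_bytes, ebs_bytes
        self.tc, self.te = float(cbs_bytes), float(ebs_bytes)    # both start full
        self.last = 0.0

    def colour(self, size: int, now: float) -> str:
        # refill for the time elapsed since the previous packet
        self.tc += (now - self.last) * self.cir
        self.last = now
        if self.tc > self.cbs:                   # overflow feeds the excess bucket
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = self.cbs
        if self.tc >= size:                      # within the committed rate
            self.tc -= size
            return GREEN
        if self.te >= size:                      # within the excess burst
            self.te -= size
            return YELLOW
        return RED                               # non-conformant


# constructed remark map: DSCP 10 is kept for green, downgraded to 12 for yellow,
# and red packets are dropped (None)
REMARK_MAP: Dict[str, Optional[int]] = {GREEN: 10, YELLOW: 12, RED: None}


def police(packets: List[Tuple[float, int]], meter: SingleRateMeter,
           remark: Dict[str, Optional[int]] = REMARK_MAP) -> List[Tuple[str, Optional[int]]]:
    """packets: (arrival time in seconds, size in bytes).  Returns, per packet,
    the bandwidth class and the DSCP written into it (None = dropped)."""
    result: List[Tuple[str, Optional[int]]] = []
    for when, size in packets:
        cls = meter.colour(size, when)
        result.append((cls, remark[cls]))
    return result


def demo() -> List[Tuple[str, Optional[int]]]:
    """Constructed burst: seven 500-byte packets at t=0 against CIR 8 kbit/s
    (1000 B/s), CBS 1500 B, EBS 1500 B, then three more one second later."""
    meter = SingleRateMeter(cir_bps=8000, cbs_bytes=1500, ebs_bytes=1500)
    burst = [(0.0, 500)] * 7 + [(1.0, 500)] * 3
    return police(burst, meter)


if __name__ == "__main__":
    for cls, dscp in demo():
        print(cls, "drop" if dscp is None else f"dscp {dscp}")
```

In the burst, the first three packets fit the committed burst (green), the next three are absorbed by the excess burst (yellow, remarked to DSCP 12), the seventh is red and dropped; after one second the committed bucket has refilled with 1000 bytes, so two more packets are green before the next drop. A steady stream that stays under the CIR is never coloured anything but green.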

slide 393

In detail: Egressing

After a possible traffic shaping phase (not covered in this training), the traffic is sent to the queues of the output ports, from where it is egressed:
Either by the strict priority queuing (SPQ) mechanism,
Or by the Weighted Round-Robin mechanism, in which case the weight of each queue is configurable.


slide 394


How do you configure this?


All these stages can be configured for each port. They involve the creation of elements nested in each other:
Traffic classification mainly involves access-lists (see the course on ACLs).
These ACLs are then associated with a class-map. A class-map can also match traffic properties that ACLs do not classify (e.g. CoS or DSCP values).
One or more class-maps are then associated with a policy-map. Premarking and remarking actions are defined on the class-map once it is associated with the policy-map.
Policers can also be associated with a class-map; they define the bandwidth properties to be measured during the policing phase.
A policy-map is then associated with one or more ports. QoS treatment is then active on traffic entering these ports.
slide 395

QoS diagram
[Figure: a port carries one policy-map; the policy-map contains several class-maps; each class-map holds one or more match criteria and optionally a policer]

slide 396

Simple configure : recognition of 802.1p

The simplest configuration, assuming traffic has previously been marked with an 802.1p value, is to have it automatically recognized by the switch. To do this, activate QoS (deactivated by default):
awplus(config)# mls qos enable

The no mls qos enable command deactivates QoS and deletes any existing QoS configuration.


slide 397


Association between 802.1p and queues

The default association between 802.1p (CoS) values and queues complies with the 802.1p standard:

CoS value  0 1 2 3 4 5 6 7
Queue      2 0 1 3 4 5 6 7

This association can be modified with the following command:
awplus(config)# mls qos map cos-queue <cos-priority> to <queue-number>


slide 398

Step-by-step configuration: class-map

Enable QoS:
awplus(config)# mls qos enable

Create a class-map:
awplus(config)# class-map <name>

Classify the class-map traffic:
awplus(config-cmap)# match access-group <3000-3699>
awplus(config-cmap)# match cos <0-7>
awplus(config-cmap)# match vlan <1-4094>

As many match criteria as needed can be specified. If a class-map contains no match criterion, it covers all incoming traffic.
slide 399

Step-by-step configuration: policy-map


Create a policy-map and associate the previously created class-map with it:
awplus(config)# policy-map <name>
awplus(config-pmap)# class <name>
awplus(config-pmap-c)#

There is a default class-map: it is implicit, and covers all traffic not covered by the other class-maps associated with the policy-map. This default class-map can be configured just like any other class-map.


slide 400


Step-by-step configuration: premarking


Configure the premarking actions (invoking the premark-dscp table). Start by creating the premark-dscp table:
awplus(config)# mls qos map premark-dscp <0-63> to {[new-dscp <0-63>][new-cos <0-7>][new-bandwidth-class {green|yellow|red}]}

There is no need to create all 64 entries of the table if you are not going to use them all.

Then configure the class-map to use this table:
awplus(config-pmap-c)# trust dscp

The DSCP values of the incoming traffic then act as indices into the table, to determine the new values of these markers.

slide 401

Step-by-step configuration: single policer

A single policer is configured directly on a class-map associated with a policy-map:
awplus(config-pmap-c)# police single-rate <cir> <cbs> <ebs> action {drop-red|remark-transmit}

Parameters:
- CIR (Committed Information Rate): permitted bandwidth value (in kbps)
- CBS (Committed Burst Size): minimum burst value (in octets)
- EBS (Excess Burst Size): maximum burst value (in octets)
- Action:
  drop-red: rejects all traffic with bandwidth class red after policing
  remark-transmit: marker values are modified according to the remark-map table
slide 402

Step-by-step configuration: single policer

A remark-transmit action uses the remark-map table. This is created with the following command:
awplus(config)# remark-map [bandwidth-class {green|yellow|red}] to {[new-dscp <0-63>][new-bandwidth-class {green|yellow|red}]}

Unlike the x900/x908, this table does not allow the CoS and queue markers to be modified. They can be modified on a class-map associated with a policy-map using the remark new-cos command:
awplus(config-pmap-c)# remark new-cos <0-7> [internal|external|both]
- internal: only the queue is changed, according to the CoS-to-queue mapping table.
- external: the traffic is marked with the specified CoS value.
- both: both actions take place simultaneously.
slide 403



How is the bandwidth class determined?

After passing through the policer, the bandwidth class marker of the traffic concerned is set according to the following criteria:
- Green: bandwidth measured below or slightly above CIR, and <total number of octets over CIR> < CBS
- Yellow: bandwidth measured higher than CIR, and <total number of octets over CIR> < EBS
- Red: bandwidth measured higher than CIR, and <total number of octets over CIR> > EBS
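As an added illustration that is not part of the course material, the following Python models the single-rate policer as a two-bucket meter in the style of RFC 2697 (committed bucket of CBS octets, excess bucket of EBS octets, both refilled at CIR); that the x600 hardware meters exactly this way is an assumption. It runs the slides' own `police single-rate 25000 512 1024` parameters over a constructed burst, and also shows that, under this model, a burst size smaller than a full-size frame leaves that frame permanently red.

```python
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SingleRatePolicer:
    """Colour-blind two-bucket single-rate meter (RFC 2697 style, an assumption about the switch).
    cir_kbps is in kbit/s, cbs/ebs in octets, as in `police single-rate <cir> <cbs> <ebs>`."""
    cir_kbps: int
    cbs: int
    ebs: int
    tc: float = field(init=False)      # tokens (octets) left in the committed bucket
    te: float = field(init=False)      # tokens (octets) left in the excess bucket
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tc, self.te = float(self.cbs), float(self.ebs)   # both buckets start full

    def _refill(self, now):
        """Credit CIR * elapsed seconds, in octets: committed bucket first, overflow to excess."""
        dt = max(0.0, now - self.last_t)
        self.last_t = now
        tokens = self.cir_kbps * 1000 / 8 * dt
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(float(self.ebs), self.te + tokens - to_c)

    def meter(self, size, now):
        """Bandwidth class of a `size`-octet packet arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= size:            # within CIR/CBS: green
            self.tc -= size
            return GREEN
        if self.te >= size:            # over CIR but within EBS: yellow
            self.te -= size
            return YELLOW
        return RED                     # over EBS: red


def classify(policer, packets):
    """Run (arrival_time, size) pairs through the policer; returns one colour per packet."""
    return [policer.meter(size, t) for t, size in packets]


def apply_action(colours, action):
    """drop-red forwards only green/yellow packets; remark-transmit forwards all of them."""
    if action == "drop-red":
        return [c for c in colours if c != RED]
    return list(colours)


# Constructed traffic: eight 200-octet datagrams back to back at t=0, one more 1 ms later.
BURST = [(0.0, 200)] * 8 + [(0.001, 200)]

if __name__ == "__main__":
    colours = classify(SingleRatePolicer(25000, 512, 1024), BURST)
    print(colours)                                   # 2 green, 5 yellow, 1 red, then green again
    print(apply_action(colours, "drop-red"))
    print(classify(SingleRatePolicer(25000, 512, 1024), [(1.0, 1500)]))   # ['red']
```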

slide 404

Step-by-step configuration: Egressing

QoS treatment is activated by associating the policy-map with the port(s) involved (input ports):
awplus(config)# interface <interface name>
awplus(config-if)# service-policy input <policy-map>

The traffic then simply has to be transmitted by the output port, by emptying the queues (SPQ or WRR):
awplus(config)# interface <interface name>
awplus(config-if)# priority-queue {1}[2][3][4][5][6][7][8]

awplus(config)# interface <interface name>
awplus(config-if)# wrr-queue weight <6-255> queues [0][1][2][3][4][5][6][7]
slide 405

Examples: 802.1p remarking

awplus(config)# vlan database
awplus(config-vlan)# vlan 2 name video
awplus(config-vlan)# exit
awplus(config)# interface port1.0.2,port1.0.24
awplus(config-if)# switchport mode trunk
awplus(config-if)# switchport trunk allowed vlan add 2
awplus(config-if)# interface port1.0.1
awplus(config-if)# switchport access vlan 2
awplus(config)# mls qos enable
awplus(config)# access-list 3000 permit ip 10.0.0.10/32 any
awplus(config)# class-map video
awplus(config-cmap)# match access-group 3000
awplus(config-cmap)# exit
awplus(config)# policy-map pvideo
awplus(config-pmap)# class video
awplus(config-pmap-c)# remark new-cos 6 both
awplus(config-pmap-c)# exit
awplus(config-pmap)# exit
awplus(config)# interface port1.0.1
awplus(config-if)# service-policy input pvideo


slide 406


Examples: DSCP remarking

awplus(config)# interface port1.0.2,port1.0.24
awplus(config-if)# switchport mode trunk
awplus(config-if)# switchport trunk allowed vlan add 2
awplus(config-if)# interface port1.0.1
awplus(config-if)# switchport access vlan 2
awplus(config)# mls qos enable
awplus(config)# access-list 3000 permit ip 10.0.0.10/32 any
awplus(config)# class-map video
awplus(config-cmap)# match access-group 3000
awplus(config-cmap)# exit
awplus(config)# policy-map pvideo
awplus(config-pmap)# class video
awplus(config-pmap-c)# police single-rate 1 1 1 action remark-transmit
awplus(config-pmap-c)# remark-map to new-dscp 55 new-bandwidth-class green
awplus(config-pmap-c)# remark new-cos 6 internal
awplus(config-pmap-c)# exit
awplus(config-pmap)# exit
awplus(config)# interface port1.0.1
awplus(config-if)# service-policy input pvideo

slide 407

Bandwidth metering
Core configuration:
awplus(config)# mls qos enable
awplus(config)# access-list 3001 permit udp 10.0.0.20/32 any
awplus(config)# class-map garbage
awplus(config-cmap)# match access-group 3001
awplus(config-cmap)# exit
awplus(config)# policy-map pgarbage
awplus(config-pmap)# class garbage
awplus(config-pmap-c)# police single-rate 25000 512 1024 action drop-red
awplus(config-pmap-c)# exit
awplus(config-pmap)# exit
awplus(config)# interface port1.0.2
awplus(config-if)# service-policy input pgarbage

slide 408



Troubleshooting, using Logging, SNMP and Debug

Table of Contents
- Troubleshooting Introduction
- Logging
- Logging Configuration
- Debugging Configuration
- SNMP Introduction
- SNMP Configuration
- General Troubleshooting

slide 410

Troubleshooting Introduction
Overview
Think in layers. A problem originating in Layer 2 will also be seen at Layer 3, but cannot be corrected there!

Collect as much information as possible:
- Logging
- Debug
- SNMP
- Counters


slide 411


Logging
Concepts I
- Console: the default log setup is to the console port. Default setting: critical level.
- Buffered: rotating data is set to store up to 50kb in RAM. Default setting: notice level. Deleted after a reboot.
- Permanent: the log is written to NVS storage (if available). Kept after a reboot. Default setting: warning level.
slide 412

Logging
Concepts II
- Host: sends logs to a remote syslog server. No default filters. No data kept on the device.
- Email: sends SMTP email to a remote SMTP server. No default filters. No data kept on the device.

slide 413

Logging Configuration
awplus# sho log config
Buffered log:
Status ......... enabled
Maximum size ... 50kb
Filters:
*1 Level ...... notices
Program .... any
Facility ... any
Msg text ... any
Statistics ..... 6 messages received, 2 accepted by filter (2008 Jul 29 10:14:44)
.. More text follows


slide 414


Logging Configuration
Logging Levels
The minimum severity of message to send to the log. The level can be specified as one of the following numbers or level names, where 0 is the highest severity and 7 is the lowest severity:
0  emergencies    System is unusable
1  alerts         Action must be taken immediately
2  critical       Critical conditions
3  errors         Error conditions
4  warnings       Warning conditions
5  notices        Normal, but significant, conditions
6  informational  Informational messages
7  debugging      Debug-level messages

slide 415

Logging Configuration
Displaying Logging Entries in Buffered Log
awplus# sho log
<date> <time> <facility>.<severity> <program[<pid>]>: <message>
-----------------------------------------------------------------------
2008 Jul 29 09:41:20 user.notice (none) kernel: klogd started: BusyBox v1.2.2 (2008.03.11-00:47+0000)
2008 Jul 29 09:41:20 user.notice (none) kernel: Linux version 2.6.19-at5 (maker@awpmaker04-dl) (gcc version 4.1.1) #1 Tue Mar 11 13:22:15 NZDT 2008
2008 Jul 29 09:41:20 user.notice (none) kernel: Kernel command line: console=ttyS0,9600 releasefile=r1-5.2.1-0.4.rel ramdisk=10584 bootversion=1.0.9-rc2 loglevel=1 extraflash=00000000
slide 416

Logging Configuration
Displaying Contents of Permanent Log
awplus# sho log permanent
<date> <time> <facility>.<severity> <program[<pid>]>: <message>
-----------------------------------------------------------------------
2008 Jul 6 15:07:56 user.err awplus NSM[1472]: [IGMP-ENCODE] : sendto() failed on port1.0.3: Network is down(100)
2008 Jul 6 15:07:56 user.err awplus NSM[1472]: [IGMP-ENCODE] : sendto() failed on port1.0.4: Network is down(100)
2008 Jul 6 15:07:56 user.err awplus NSM[1472]: [IGMP-ENCODE] : sendto() failed on port1.0.5: Network is down(100)
More data follows
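As an added example that is not part of the course material, the following Python parses lines in the show log format shown above and applies a severity threshold the way `log host <ip> level <n>` does before forwarding, so the same filtering can be checked offline on a collected log. The sample lines are copied from these slides; the severity short names notice, err and info appear on the slides, the others are the standard syslog abbreviations and are an assumption for this firmware.

```python
import re

# Syslog severities numbered as on the logging-levels slide (0 = most severe).
# notice/err/info appear in the slides; the rest are standard syslog short names (assumption).
SEVERITY = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# <date> <time> <facility>.<severity> <host> <program>[<pid>]: <message>
LOG_RE = re.compile(
    r"^(?P<date>\d{4} [A-Z][a-z]{2} +\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)


def parse_log_line(line):
    """Split one show-log line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"]) if entry["pid"] else None
    entry["level"] = SEVERITY.get(entry["severity"])   # None for an unknown severity name
    return entry


def filter_log(lines, level):
    """Keep entries at `level` or more severe (lower number), as `log host <ip> level <n>` forwards."""
    kept = []
    for line in lines:
        entry = parse_log_line(line)
        if entry and entry["level"] is not None and entry["level"] <= level:
            kept.append(entry)
    return kept


def errors_per_port(entries):
    """Count 'sendto() failed on <port>' messages per port: repeated hits point at a dead link."""
    counts = {}
    for e in entries:
        m = re.search(r"sendto\(\) failed on (port\S+):", e["message"])
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Sample lines copied from the show log / show log permanent / show log tail slides.
SAMPLE_LOG = [
    "2008 Jul 29 09:41:20 user.notice (none) kernel: klogd started: BusyBox v1.2.2 (2008.03.11-00:47+0000)",
    "2008 Jul 6 15:07:56 user.err awplus NSM[1472]: [IGMP-ENCODE] : sendto() failed on port1.0.3: Network is down(100)",
    "2008 Jul 6 15:07:56 user.err awplus NSM[1472]: [IGMP-ENCODE] : sendto() failed on port1.0.4: Network is down(100)",
    "2008 Aug 6 09:14:33 user.info awplus RIP[1555]: SEND[vlan1]: Send to 224.0.0.9:520",
]

if __name__ == "__main__":
    for e in filter_log(SAMPLE_LOG, 5):            # level 5: notices and anything more severe
        print(e["severity"], e["program"], e["pid"], e["message"])
    print(errors_per_port(filter_log(SAMPLE_LOG, 3)))   # {'port1.0.3': 1, 'port1.0.4': 1}
```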


slide 417


Logging Configuration
Host Logging Setup
Dumps log entries to a remote syslog server:
- No authentication
- No encryption
- No delivery guarantee
- No local copy kept in host filter
- No error when the remote server rejects the datagram

Very powerful when centralizing logging for a complete network.

awplus# config term
Enter configuration commands, one per line. End with CNTL/Z.
awplus(config)# log host 192.168.30.33 level 5
slide 418

Logging Configuration
Email Logging Setup
Important: messages are not retained on the switch. An SMTP server must also be set up as follows: the server must accept incoming unencrypted, unauthenticated SMTP from the switch's IP address.
awplus(config)# mail smtpserver 192.168.30.12
awplus(config)# mail from training@abc.de

Email logging is then set as follows:
awplus(config)# log email john.bloggs@training.de level 5
slide 419

Debugging Configuration
Debugging Concept
Debugging can be enabled in many modules. The output is sent to the logging system with the level debug.
awplus(config)# debug rip all
awplus# sho debug rip
RIP debugging status:
RIP event debugging is on
RIP packet detail debugging is on
RIP NSM debugging is on
awplus(config)#
awplus(config)#

To enable debug output on the terminal:
terminal monitor
Disable with:
no terminal monitor
slide 420



Debugging Configuration
Display RIP Debug
awplus(config)# log buff level 7
awplus(config)# exit
awplus# sho log tail
<date> <time> <facility>.<severity> <program[<pid>]>: <message>
------------------------------------------------------------------------
2008 Aug 6 09:14:33 user.info awplus RIP[1555]: SEND[vlan1]: Send to 224.0.0.9:520
2008 Aug 6 09:14:34 user.info awplus RIP[1555]: UPDATE: Triggered update!
2008 Aug 6 09:14:34 user.info awplus RIP[1555]: UPDATE[eth0]: Update RIPv2 routes to 224.0.0.9:520
2008 Aug 6 09:14:34 user.info awplus RIP[1555]: SEND[eth0]: Send to 224.0.0.9:520
2008 Aug 6 09:14:34 user.info awplus RIP[1555]: SEND[eth0]: RESPONSE version 2 packet size 24
slide 421

SNMP - Network monitoring and management software

slide 422

SNMP Introduction
Elements (figure): the Manager (Network Management System) sends GET / SET / GET-NEXT requests to the Agent; the Agent answers with a RESPONSE and sends unsolicited TRAPs to the Manager.


slide 423


SNMP Introduction
SNMP Versions
SNMP V1:
- Uses UDP protocol: not guaranteed transfer
- Minimal security: community string in clear text (password)
- Management data described in MIBs (Management Information Base); the language used is ASN.1
SNMP V2c (typically referred to as SNMP V2):
- V2c has added functions for improved efficiency (GET-BULK)
- Simple to use
SNMP V3:
- Uses UDP: not guaranteed transfer
- Strong authentication possible
- Strong encryption possible
- Complex to use
slide 424

SNMP Introduction
Concepts
SNMP GET and SET transfers:
- The Manager sends a UDP packet that includes the MIB address (and perhaps the new value) and a community string in clear text.
- The Agent checks: Is the MIB known? Is the community known? Does this community allow this access? If access is allowed, it responds with a UDP packet.

SNMP TRAP:
- Agent set up via management commands
- Unsolicited event on the agent
- Agent sends a UDP TRAP containing the MIB value and the community string

slide 425

SNMP Configuration
SNMP V1/V2c Commands
awplus# sho snmp
SNMP enable ........ No
SNMPv3 engine ID (configured) ....... Not set
SNMPv3 engine ID (actual)............ Not set
awplus(config)# snmp-server community private rw
awplus(config)# snmp-server community public ro
awplus(config)# exit
awplus# sho snmp
SNMP enable ........ Yes
SNMPv3 engine ID (configured) ....... Not set
SNMPv3 engine ID (actual)............ 0x80001f88807095fd04489958cd


slide 426


SNMP Configuration
Additional Support Information
Extra information that the manager (NMS system) can use to identify switches:
awplus(config)# snmp-server contact Fred Bloggs
awplus(config)# snmp-server location Munich

SNMP access should also be limited as much as possible:
- Access only from a specified IP address
- Access only from a specified subnet
Note: these are not real security features, just improvements. Real SNMP security is achieved by using encryption/authentication with SNMPv3.
slide 427

General Troubleshooting
General Useful Information
show cpu displays the CPU load now and over various periods. This can indicate that the CPU is overloaded with additional functions that do not run in the switch engine.

awplus# show cpu
CPU averages:
  1 second: 4%, 20 seconds: 0%, 60 seconds: 0%
System load averages:
  1 minute: 0.00, 5 minutes: 0.00, 15 minutes: 0.00
Current CPU load:
  userspace: 2%, kernel: 1%, interrupts: 0% iowaits: 0%

user processes
==============
pid   name       hrds  cpu%  pri  state  sleep%  runtime
1282  hostd      1     3.8   20   run    0       184
962   automount  1     0.9   20   sleep  0       167
1109  exfx       19    0.9   20   sleep  0       4262
1     init       1     0.0   20   sleep  0       27
..

slide 428

General Troubleshooting
Interface Counters
The counters at the end of the printout display the standard Ethernet receive and send parameters and reflect the quality of the cabling, etc.

awplus# show inter eth0
Interface eth0
  Scope: both
  Link is UP, administrative state is UP
  Hardware is Ethernet, address is 0000.cd24.fafe
  IPv4 address 192.168.30.252/24 broadcast 192.168.30.255
  index 1 metric 1 mtu 1500
  current duplex full, current speed 100, polarity auto
  configured duplex auto, configured speed auto
  <UP,BROADCAST,RUNNING,MULTICAST>
  VRF Binding: Not bound
  Bandwidth 1g
    input packets 1828, bytes 139448, dropped 0, multicast packets 0
    output packets 755, bytes 61336, multicast packets 0 broadcast packets 0
awplus#


slide 429


General Troubleshooting
System and Platform Information
Very useful general fault-finding commands:
- show tech-support: saves useful information to tech-support.txt.gz. You should retrieve this file and send it to our technical support team, whatever the problem might be.
- show counters: general system counts.
- show platform: status of the complete platform.
slide 430

System Start-up
Start-up Sequence
Additional specific information accompanies an INFO or ERROR message:
Bootloader 1.0.8 loaded
Press <Ctrl+B> for the Boot Menu
Reading filesystem...
Error: Release filename is invalid (should be <release>.rel)
Error: There is no backup release file set
Error: Boot failed. Please recover the system using the Boot Menu
Restarting...
Bootloader 1.0.8 loaded
Press <Ctrl+B> for the Boot Menu
slide 431



Company Details

Americas Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895
Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830
EMEA Headquarters | Via Motta 24 | 6830 Chiasso | Switzerland | T: +41 91 69769.00 | F: +41 91 69769.11

alliedtelesis.com
2011 Allied Telesis, Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.