AT-8000S: Configuring VLANs
Virtual LAN (VLAN)
AT-8000S
Transparent Bridge Process (Unicast)
• Learning – reading the MAC source address of each received frame and adding it (with the ingress port) to the lookup table
• Flooding – sending a frame to all segments when there is no entry for the destination MAC
• Forwarding – “connecting” 2 segments to forward a frame with a known destination MAC
• Filtering – discarding frames whose destination is on the same segment they arrived from
• Aging – removing “old” entries from the lookup table
Marvell Confidential
Transmission Via a Bridge/Switch
Figure: the sender (node MAC_A, IP 1.1.1.1) on port 1 sends packet p1 to the receiver (node MAC_B, IP 1.1.1.2) on port 2; the switch/bridge (node MAC_R) emits it as p2 with the same headers.
  MAC header: DEST = B, SRC = A
  IP header:  DEST = 1.1.1.2, SRC = 1.1.1.1
  DATA
Lookup table, VLAN-aware form:
  VID  MAC  PORT  TIME
  1    A    1     ##:##
  1    B    2     ##:##
Lookup table, VLAN-unaware form:
  PORT  MAC  TIME
  1     A    ##:##
  2     B    ##:##
Virtual LAN (VLAN)
• VLANs logically (in software) divide the LAN into separate subgroups – broadcast domains
• VLAN groups relate users regardless of the physical LAN segment to which the hosts are attached
• Allows traffic to flow more efficiently within populations of mutual interest
• VLANs allow broadcast domains to be defined without using routers
• Routers are needed for communication between the different VLANs
Figure: one switch carrying VLAN A, VLAN B and VLAN C.
VLAN – Multiple Switches
Figure: VLAN-1 and VLAN-2 each have members on both Switch #1 and Switch #2.
Multiple VLANs on One Device – One-Armed Router
Figure: a bridge/switch carrying VLANs A, B, C and D; its links carry the VLAN sets {A,B,C,D}, {A,B,C} and {C,D}, and a single router attached by one link (“one-armed router”) routes between the VLANs.
Benefits of VLANs
• Improves network performance
• Reduces the number of routers needed
• Flexible network segmentation (virtual workgroups)
• Simplified administration
• Enhanced network security
• Reduces network solution cost
• Better use of server resources
Types of VLANs
• Membership by 802.1Q tag
• Membership by port
• Membership by MAC address
• Membership by protocol (IP, IPX…)
• Membership by subnet
• Membership by application or service (telnet, FTP…)
VLAN Solution
Figure: one VLAN per department – Marketing, Engineering, Administration.
VLAN – Proprietary
• Multi-switch VLAN solutions were proprietary and vendor based:
– Cisco: ISL
– Bay: Lattisspan
– 3Com: VLT
– Cabletron: SecureFast
• Proprietary VLANs are a disadvantage for networks that don’t wish to be vendor dependent
• IEEE 802.1Q standardized VLANs
Forwarding a Known Unicast Frame
VLAN Unaware Switch
• Determine the output port associated with the destination address, based on the address table
• If the associated port is different from the source port, forward the frame to that port
• Otherwise – discard the frame
VLAN Aware Switch
• Determine the VLAN associated with the received frame
• Determine the output port associated with the destination address (looked up together with the VLAN), based on the address table
• If the associated port is not the source port, and is a member of the VLAN – forward the frame
• Otherwise – discard the frame
Forwarding Unknown Unicast and Multicast Frames
VLAN Unaware Switch
• Flood the frame to all ports except the source port
VLAN Aware Switch
• Determine the VLAN associated with the received frame
• Flood the frame only to ports that are members of the VLAN, except the source port (if ingress filtering is on)
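The transparent-bridge operations listed at the top of the page (learning, flooding, forwarding, filtering, aging) together with the VLAN-aware forwarding rules just above, as an added Python model. This is not code from the page, Marvell or Allied Telesis: the forwarding table is keyed by (VID, MAC) as the Switch Filtering slides describe later, flooding is confined to the frame's VLAN, and the 300 s aging default is the AT-8000S value quoted later on the page. Port numbers, VLAN membership, MAC addresses and timestamps are constructed.

```python
"""VLAN-aware learning bridge, written as an added example (not AT-8000S or
Marvell code). The forwarding table is keyed by (VID, MAC); flooding stays inside
the frame's VLAN; aging drops entries older than aging_time. Ports, VLAN
membership, MAC addresses and timestamps are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    vid: int      # VLAN the frame was classified into at ingress
    src: str
    dst: str


def is_multicast(mac: str) -> bool:
    """I/G bit: least-significant bit of the first octet (broadcast included)."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Bridge:
    membership: Dict[int, Set[int]]           # port -> VIDs the port is a member of
    aging_time: int = 300                     # seconds (AT-8000S default)
    table: Dict[Tuple[int, str], Tuple[int, int]] = field(default_factory=dict)

    def receive(self, in_port: int, frame: Frame, now: int) -> List[int]:
        """Return the egress ports for `frame`; an empty list means it was dropped."""
        if frame.vid not in self.membership[in_port]:
            return []                          # ingress filtering: port not in this VLAN
        # Learning: bind (VID, source MAC) to the ingress port with a timestamp
        self.table[(frame.vid, frame.src)] = (in_port, now)
        vlan_ports = [p for p, vids in self.membership.items()
                      if frame.vid in vids and p != in_port]
        if is_multicast(frame.dst):
            return vlan_ports                  # broadcast/multicast: flood within the VLAN
        entry = self.table.get((frame.vid, frame.dst))
        if entry is None:
            return vlan_ports                  # unknown unicast: flood within the VLAN
        out_port, _ = entry
        if out_port == in_port:
            return []                          # filtering: destination is on the ingress segment
        return [out_port]                      # forwarding: known destination, one port

    def age(self, now: int) -> int:
        """Remove entries older than aging_time; return how many were removed."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for k in stale:
            del self.table[k]
        return len(stale)


def demo() -> Dict[str, object]:
    """Constructed scenario: VLAN 2 on ports 1-3, VLAN 3 on ports 3-4 (port 3 carries both)."""
    br = Bridge(membership={1: {2}, 2: {2}, 3: {2, 3}, 4: {3}})
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    out: Dict[str, object] = {}
    out["unknown"] = br.receive(1, Frame(2, a, b), now=0)            # flooded to ports 2 and 3
    out["known"] = br.receive(2, Frame(2, b, a), now=1)              # A learned: port 1 only
    out["broadcast"] = br.receive(4, Frame(3, c, BROADCAST), now=2)  # VLAN 3 only: port 3
    out["filtered"] = br.receive(1, Frame(3, a, b), now=3)           # VLAN 3 not on port 1
    out["same_segment"] = br.receive(1, Frame(2, c, a), now=4)       # A is on port 1: dropped
    out["aged"] = br.age(now=400)                                    # every entry older than 300 s
    out["after_aging"] = br.receive(1, Frame(2, a, b), now=401)      # B forgotten: flooded again
    return out
```

The scenario in demo() shows the point the slides make: a broadcast in VLAN 3 never reaches the VLAN 2 ports, and a VLAN 3 frame arriving on a port that is not a VLAN 3 member is dropped before it is even learned.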
VLAN Tagging Methods
• Explicit tagging – VLAN membership is indicated by adding a tag to each packet
• Implicit tagging - VLAN membership is determined by examining information that already exists within each packet:
– Protocol ID (ether type) of the packet
– MAC address (range)
– Etc.
Types of Devices on a VLAN
• VLAN aware device – understands VLAN membership (which user belongs to which VLAN) and the tag format:
– Makes forwarding decisions based on VLAN association and not only on the destination address
– Adds (and removes) explicit VLAN identification (tags) to frames (tag aware)
• VLAN unaware device (usually an SNMP-unmanaged device) – does not understand VLAN membership or the tag format
Frames Sent by Aware/Unaware Devices
Figure: VLAN unaware devices send only untagged frames (implicit membership) to all connected devices; VLAN aware devices can also send tagged frames (explicit membership) to other VLAN aware devices.
Types of Links – Access Link
• Connects VLAN tag-unaware devices to the port of a VLAN tag-aware switch
• The VLAN switch adds tags to received frames, and removes tags when transmitting frames
• All frames on access links are untagged
Figure: VLAN A access link between a VLAN tag-unaware device and a VLAN tag-aware switch.
Types of Links – VLAN Trunk Link
• Attaches 2 VLAN aware switches (or other VLAN tag-aware devices, e.g. a VLAN tag-aware workstation)
• All frames on VLAN trunk links must carry the special header (tagged frames)
• Allows frames of multiple VLANs to share one link
Figure: VLAN trunk links between two VLAN tag-aware switches, and between a switch and a VLAN tag-aware workstation.
Types of Links – General Link
• Combination of VLAN trunk and access links
• Both VLAN aware and unaware devices are connected
• Can carry both tagged and untagged frames, but all frames sent to a specific VLAN must be either tagged or untagged
Figure: general link between two VLAN tag-aware switches, with a VLAN tag-aware workstation and a VLAN B tag-unaware workstation attached.
Tagged/Untagged Frames on Links
• Types of links: trunk link, general link, access link
• Types of frames: tagged frame, untagged frame
Figure: tagged frames flow between the core switches in the VLAN tag-aware domain; untagged frames flow in the VLAN tag-unaware domains at the edge.
Advantages/Disadvantages of Tagging
Advantages
• The standard way of implementing VLANs in networking devices
• VLAN association rules need to be applied only once
• Only edge switches need to know the VLAN association rules
• Core switches can get higher performance by operating on an explicit VLAN identifier
• VLAN aware end stations can reduce the load on switches
Disadvantages
• Tags can be interpreted only by VLAN aware devices
• Edge switches must strip tags before forwarding frames to VLAN unaware devices
• Insertion or removal of a tag requires recalculation of the CRC (FCS)
• May increase the length of the frame beyond the maximum (“old” maximum frame size – 1518 bytes, “new” – 1522 bytes)
VLAN – Tagged/Untagged Ports
• The behaviour of a specific port added to one or more VLANs depends on the mode of the port – access, trunk or general.
• A port added to a VLAN on a (VLAN aware) device can be in one of 2 states – tagged or untagged (for each specific VLAN).
• A certain VLAN can have both tagged and untagged ports.
Ingress Port Behaviour
• At the ingress, tagged and untagged VLAN configuration have the same effect:
– Tagged frames whose VID matches one of the VLANs defined on the port are forwarded
– Tagged frames whose VID does not match any of the VLANs defined on the port are discarded
– Untagged frames are forwarded on the VLAN which is the PVID, and the PVID tag is added to the frames
Egress Port Behaviour
• At the egress, tagged and untagged VLAN port configuration have different effects:
– Tagged VLANs forward the egress traffic (“out of the device”) as tagged frames
– Untagged VLANs forward the egress traffic (“out of the device”) as untagged frames
The VLAN Tag – Ethernet Frame
Tagged frame layout: Destination Address | Source Address | TPID (2 bytes) | TCI (2 bytes) | Length/Type | DATA | FCS
The VLAN Tag
• Tag Protocol Identifier (TPID), 2 bytes: VLAN protocol ID = 0x8100
• Tag Control Information (TCI), 2 bytes:
– Tag Priority – 3 bits, according to IEEE 802.1p
– CFI – 1 bit, Canonical Format Indicator
– VID – 12 bits, VLAN ID
Tag Control Information
• Tag Priority – “piggybacks” on the VLAN tag; 7 is the highest priority (0 is the default)
• CFI:
– Value 1: the VLAN tag is extended to include embedded Source Routing information, which also contains the canonical format of any embedded MAC address
– Value 0: the VLAN tag is not extended, and any embedded MAC addresses are in canonical (little endian) format
• VLAN ID – between 1 and 4094 (0x000 and 0xFFF are reserved)
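An added Python example (not code from the page or the vendor) that builds and parses frames with the tag layout just described: TPID 0x8100, then the 16-bit TCI split into 3-bit priority, 1-bit CFI and 12-bit VID, with the reserved VIDs 0 and 4095 rejected on build. Because inserting or stripping a tag changes the frame, the example also recomputes the FCS (Ethernet's CRC-32, which zlib.crc32 implements, transmitted least-significant byte first) and flags frames beyond the 1518/1522-byte limits from the previous slide. The addresses and payloads are constructed test data.

```python
"""802.1Q tag build/parse/retag with FCS recalculation, written as an added
example (not AT-8000S code). Frames used here are constructed test data."""
import struct
import zlib
from typing import Optional

TPID_8021Q = 0x8100
MAX_UNTAGGED = 1518   # DA + SA + Type + 1500-byte payload + FCS
MAX_TAGGED = 1522     # plus the 4-byte 802.1Q tag


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 (same polynomial and reflection as zlib), LSB first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build(dst: bytes, src: bytes, ethertype: int, payload: bytes,
          vid: Optional[int] = None, pcp: int = 0, cfi: int = 0) -> bytes:
    """Build a frame with FCS; add an 802.1Q tag when vid is given."""
    if vid is not None and not 1 <= vid <= 4094:
        raise ValueError("VID 0 and 4095 are reserved")
    hdr = dst + src
    if vid is not None:
        tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | vid   # 3 + 1 + 12 bits
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    body = hdr + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def parse(frame: bytes) -> dict:
    """Return the addresses, tag fields (None if untagged), ethertype and payload;
    reject a bad FCS and flag frames over the applicable maximum length."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("bad FCS")
    info = {"dst": frame[0:6], "src": frame[6:12], "tag": None}
    offset = 12
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["tag"] = {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 16
        ethertype = struct.unpack("!H", frame[16:18])[0]
    info["ethertype"] = ethertype
    info["payload"] = frame[offset + 2:-4]
    limit = MAX_TAGGED if info["tag"] else MAX_UNTAGGED
    info["oversize"] = len(frame) > limit
    return info


def retag(frame: bytes, vid: Optional[int]) -> bytes:
    """Edge-switch operation: strip the tag (vid=None) or replace/insert it,
    keeping the priority bits, and recompute the FCS."""
    p = parse(frame)
    return build(p["dst"], p["src"], p["ethertype"], p["payload"], vid=vid,
                 pcp=p["tag"]["pcp"] if p["tag"] else 0)
```

retag() is the operation the Advantages/Disadvantages slide attributes to edge switches: the tag is removed towards a VLAN-unaware device and added towards a trunk, and in both directions the FCS no longer matches and has to be recomputed.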
VLAN Port Database
Per-VLAN, per-port membership table (use = the port is a member of the VLAN; tag = frames of that VLAN leave the port tagged; x = don’t care):
VLAN    Port 1     Port 2     Port 3     …    Port 24
        use tag    use tag    use tag         use tag
1       1   1      1   0      0   x      …    1   0
2       0   x      1   0      1   1      …    1   1
3       1   0      0   x      0   x      …    0   x
…       …          …          …          …    …
4094    1   1      1   1      0   x      …    1   0
Switch Filtering Operation Process
• Ingress – takes received frames from a physical port and performs 3 operations:
– Acceptable frame filter
– Ingress rules
– Ingress filter
• Process – forwarding decision according to the filtering database
• Egress – how to transmit frames through the output ports
Switch Filtering Operation
Figure: per-port pipeline. Port 1, 2, … n input → Acceptable Frame Filter → Ingress Rules → Ingress Filter → Forwarding Decision (Ingress and Process stages) → Switch Fabric → Egress Rules → Port 1, 2, … n output (Egress stage).
Switch Filtering – Ingress
• Acceptable Frame Filter – admit all / admit only tagged
• Ingress rules – tagged frame: according to the tag; untagged frame: association rules (PVID)
• Ingress Filter (default is on) – forwards frames only if the frame’s tag VID is equal to the VID of one of the VLANs configured on the port
Switch Filtering – Process
• Filtering Database – either static or dynamic entries; either unicast or multicast entries
• Forwarding decisions:
– Known MAC addresses – lookup in the MAC address table. The lookup key is based on both the VLAN tag and the destination MAC address, leading to the required egress port
– Unknown unicast – initial lookup in the MAC forwarding table; when the entry is not found, flooding is performed based on the VLAN Port Table
– Broadcast frame – lookup is done directly in the VLAN Port Table (flooding to all ports of the VLAN)
Switch Filtering – Egress
• Egress Rules Model:
– Forwards frames as tagged frames if the egress port is defined as VLAN tagged (for that specific VLAN)
– Forwards frames as untagged frames if the egress port is defined as VLAN untagged (for that specific VLAN)
Figure: unknown destination MAC address. The frame enters on the incoming port, passes ingress filtering, the lookup in the MAC table / fast forwarding table (ASIC, buffers) finds no entry, and the frame is broadcast to all ports in the same VLAN (VLAN 1 or VLAN 2) only.
Filtering Database – MAC Address Entries
• Dynamic MAC address entries are learned from the source MAC of received packets
• Dynamic entries are subject to aging
• Static MAC entries are configured by the user, and may be permanent, erased when rebooting, or subject to aging
• Lookup in the MAC Forwarding Table (the Filtering Database) is based on VID + destination MAC address, and yields the destination port
VLAN – AT-8000S Implementation
VLAN Overview
• AT-8000S devices support 256 VLANs, which can be assigned a VID from the full range of 4K VLAN IDs
• The default VLAN (1) and the “discard” VLAN (4095) are treated specially, as described below
• Some VLAN IDs may be pre-assigned by the system for operational usage
• The number of (VLANs × ports) configured on the system should be less than or equal to 64K
VLAN Overview
• Note that the system will never send a frame tagged with VID=1, since the default VLAN can be defined on a port only if it is set to be that port’s PVID
• Note that by using PVID=4095 the user in effect limits the “allowed frame types” to “tagged only” for incoming frames, since untagged frames are classified into the discard VLAN
• Reference: IEEE 802.1Q
Port Modes
• Access Port
• Trunk Port
• General Port
Access Mode
• Ports set to Access Mode belong to one VLAN only, whose VID is the currently set PVID (default = 1).
• This implies that the port will accept all untagged frames (and assign them the PVID tag), and all frames tagged with the VID currently set as the port’s PVID.
• All traffic sent out will be untagged.
• If the current PVID of the port is deleted from the system or deleted from the port, the port’s PVID will be set to 1 (that is, the port will be made a member of VLAN #1, the default VLAN).
Access Mode
• Ingress filtering is always ON for ports in Access Mode.
• Access mode ports are intended to connect end-stations to the system, especially when the end-stations are incapable of generating VLAN tags.
Trunk Mode
• Ports set to Trunk mode can belong to as many VLANs as desired.
• The port has a native VLAN (PVID) which is untagged; all other VLANs are tagged.
• The port will accept both tagged and untagged frames.
• Untagged frames will be classified into the port’s PVID.
Trunk Mode
• Ingress filtering is always enabled on Trunk-mode ports. Incoming tagged frames undergo ingress filtering: if correctly tagged (tagged with a VID of one of the VLANs to which the port currently belongs) they are admitted, otherwise they are discarded.
• Egress frames forwarded on the PVID VLAN are sent out untagged.
• Egress frames sent on all other VLANs active on the port are sent tagged.
Trunk Mode
• The default PVID (native VLAN) is 1 (the default VLAN).
• If another VID is configured as the port’s PVID, and the corresponding VLAN is deleted from the port or from the system, the port’s PVID returns to 1 (that is, the port will be made a member of the default VLAN).
• Trunk-mode ports are intended for switch-to-switch links, where usually all traffic is tagged.
General Mode
• Ports set to General mode may be members of as many VLANs as desired.
• A port configured in general mode can be assigned as untagged to as many VLANs as desired.
• The user can set separately for each VLAN whether it will be tagged or untagged. This setting applies to transmitted frames.
• The user can configure a PVID. The default PVID is the default VLAN.
• The PVID can be that of any of the VLANs configured on the port (tagged or untagged), and also a VLAN not configured on the port, or even not configured on the device.
General Mode
• Incoming tagged frames are classified according to their tag, and discarded if such a VLAN is not defined on the port.
• Incoming untagged frames are classified into the VLAN whose VID is the currently configured PVID, and:
– The frame is accepted if this VID (besides being the PVID) is defined on the port
– The frame is discarded if this VID is not defined on the port (although it is the PVID)
• Ingress filtering may be turned OFF on General-mode ports, if so desired. Ingress filtering is ON by default.
• The user can define whether to accept only tagged frames, or all frame types.
Frame Classification Process
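The classification rules of the Ingress/Egress Port Behaviour slides and of the Access, Trunk and General Mode slides above, as an added Python model (not the switch's own code): for each port mode it decides which VLAN an untagged or tagged frame is admitted to, or that it is discarded, and how a frame of a given VLAN leaves the port. Ports, VIDs and frames are constructed. One assumption is made where the slides are silent: with ingress filtering disabled, a general port here admits frames whose VID (including the PVID of an untagged frame) is not a member VLAN.

```python
"""AT-8000S port-mode ingress/egress model, written as an added example (not
the switch's own code). Encodes the rules stated on the Ingress/Egress Port
Behaviour and Access/Trunk/General Mode slides; ports, VIDs and frames are
constructed. Assumption: with ingress filtering off, a general port admits
frames whose VID is not a member VLAN (the slides define only the on case)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

DEFAULT_VLAN = 1
DISCARD_VLAN = 4095


@dataclass
class Port:
    mode: str                                         # "access" | "trunk" | "general"
    pvid: int = DEFAULT_VLAN
    tagged: Set[int] = field(default_factory=set)     # VLANs sent out of this port tagged
    untagged: Set[int] = field(default_factory=set)   # VLANs sent out of this port untagged
    ingress_filtering: bool = True                    # may be disabled only in general mode
    tagged_only: bool = False                         # acceptable-frame-type tagged-only

    def __post_init__(self) -> None:
        if self.mode == "access":
            # one VLAN (the PVID), always untagged, ingress filtering always on
            self.untagged, self.tagged = {self.pvid}, set()
            self.ingress_filtering, self.tagged_only = True, False
        elif self.mode == "trunk":
            # native VLAN (PVID) untagged, every other member tagged, filtering always on
            self.untagged = {self.pvid}
            self.tagged.discard(self.pvid)
            self.ingress_filtering = True
        elif self.mode != "general":
            raise ValueError("unknown port mode: %s" % self.mode)

    @property
    def members(self) -> Set[int]:
        return self.tagged | self.untagged

    def ingress(self, vid: Optional[int]) -> Optional[int]:
        """Classify a received frame (vid=None means untagged).
        Returns the VLAN the frame is admitted to, or None if it is discarded."""
        if vid is None:
            if self.tagged_only:
                return None                 # acceptable frame type: tagged only
            vid = self.pvid                 # untagged frames are classified into the PVID
            if vid == DISCARD_VLAN:
                return None                 # PVID 4095: in effect "tagged only"
        if self.ingress_filtering and vid not in self.members:
            return None                     # VID not defined on the port: discarded
        return vid

    def egress(self, vid: int) -> Optional[str]:
        """How a frame of VLAN `vid` leaves this port: "tagged", "untagged" or None."""
        if vid in self.untagged:
            return "untagged"
        if vid in self.tagged:
            return "tagged"
        return None


def demo() -> Dict[str, object]:
    """Walk through the behaviours the slides describe for each port mode."""
    out: Dict[str, object] = {}
    access = Port("access", pvid=2)
    out["access_untagged"] = access.ingress(None)     # 2: untagged frames take the PVID
    out["access_tag2"] = access.ingress(2)            # 2: a tag equal to the PVID is admitted
    out["access_tag3"] = access.ingress(3)            # None: any other tag is dropped
    out["access_egress"] = access.egress(2)           # "untagged": access ports never tag

    trunk = Port("trunk", pvid=100, tagged={2, 3})
    out["trunk_untagged"] = trunk.ingress(None)       # 100: native VLAN
    out["trunk_tag3"] = trunk.ingress(3)              # 3: member VLAN
    out["trunk_tag5"] = trunk.ingress(5)              # None: ingress filtering
    out["trunk_egress_native"] = trunk.egress(100)    # "untagged"
    out["trunk_egress_2"] = trunk.egress(2)           # "tagged"

    # general mode: PVID 2 set, but VLAN 2 not yet defined on the port
    general = Port("general", pvid=2, tagged={3})
    out["general_pvid_not_member"] = general.ingress(None)   # None: PVID not on the port
    general.untagged.add(2)        # switchport general allowed vlan add 2 untagged
    out["general_pvid_member"] = general.ingress(None)       # 2
    out["general_egress_2"] = general.egress(2)              # "untagged"
    no_filter = Port("general", pvid=1, tagged={3}, ingress_filtering=False)
    out["general_nofilter_tag9"] = no_filter.ingress(9)      # 9: admitted although not a member
    strict = Port("general", pvid=1, tagged={3}, tagged_only=True)
    out["general_tagged_only"] = strict.ingress(None)        # None: untagged frames refused
    return out
```

The general-mode case in demo() is the one worth remembering when reading configurations later on the page: setting the PVID with switchport general pvid does not make the port a member of that VLAN, so until the VLAN is also added with switchport general allowed vlan add, every untagged frame on the port is discarded.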
AT-8000S VLAN – User Settings
• Device level settings (VLAN database context):
– Creating/deleting VLANs on the system
• VLAN level settings (interface VLAN context):
– Assigning the VLAN a name
– Adding static MAC entries to one of the VLAN’s ports
– General interface commands (e.g. ip, igmp, etc. – see other presentations)
• Port level settings (interface Ethernet context):
– Defining the port mode as general, trunk or access (the default)
– Defining an access port’s current VLAN (PVID)
– Defining the “native” VLAN (PVID) of a trunk mode port
– Defining the PVID of a general mode port
– Adding/removing VLANs on a trunk/general mode port
– Defining VLANs as tagged/untagged on a general mode port
– Defining a port as a forbidden port for a certain VLAN
– Controlling ingress filtering of a general mode port (default = on)
– Defining the acceptable frame type for a general port (tagged only or all)
– Mapping MAC groups to a VID
VLAN – AT-8000S CLI Configuration
VLAN Configuration – General
• Use the following Global Configuration mode command to enter VLAN Database mode:
vlan database
• Example – entering VLAN Configuration Mode:
console#
console# configure
console(config)# vlan database
console(config-vlan)#
Creating VLANs – Configuration
• Use the following VLAN Configuration Mode command to create a new VLAN:
vlan vlan-range
• To erase a VLAN use the “no” form of the command:
no vlan vlan-range
• Example – creating VLANs with VID 2, 3, 100 and 101, and then erasing VLAN 101:
console(config-vlan)# vlan 2,3,100,101
console(config-vlan)# no vlan 101
VLAN Parameters – Name
• To change a parameter of a specific VLAN, enter the Interface VLAN Configuration Mode for that VLAN (interface vlan vlan-id) and set the parameter there.
• Example – assigning VID=2 the name “success” (the default name of a VLAN is its VID):
console(config)# interface vlan 2
console(config-if)# name success
console(config-if)#
VLAN Port Mode – Configuration
• Use the following Interface Mode command to define the “VLAN mode” (access/general/trunk) of a certain interface (Ethernet/Port Channel):
switchport mode { access | trunk | general }
• Use the “no” form of the command to return to the default (access mode):
no switchport mode
Note: a Trunk or General Mode port can be changed to Access Mode only if all VLANs (except for an untagged PVID) were first removed
VLAN Port Mode - Configuration
• Example – defining a port as a General Mode port:
console(config)# interface ethernet 1/e11
console(config-if)# switchport mode general
Access Mode Port Configuration
• Use the following Interface Mode command to define a VLAN on a port in the access mode:
switchport access vlan vlan-id
• Example – defining VLAN 2 on access port 1/e12:
console(config)# interface ethernet 1/e12
console(config-if)# switchport mode access
console(config-if)# switchport access vlan 2
Trunk Mode Port Configuration
• Use the following Interface Mode command to add/remove VLAN(s) to/from a port in Trunk mode:
switchport trunk allowed vlan {add vlan-list | remove vlan-list}
• Example – adding VLANs 2, 3 and 100 on Trunk port 1/e13:
console(config)# interface ethernet 1/e13
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 2-3,100
console(config-if)#
Trunk Mode Port Configuration
• Use the following command to set the native (PVID) VLAN on the port:
switchport trunk native vlan vlan-id
• If the port is already a (tagged) member of that VLAN, it must first be removed from the VLAN
Trunk Mode Port Configuration
• Example – native VLAN: defining VID=2 as the native VLAN for port 1/e13 and receiving a system error notification; then removing VID=2 from port 1/e13 and setting it as the native VLAN:
console(config)# interface ethernet 1/e13
console(config-if)# switchport trunk native vlan 2
Port 1/e13: Port is Trunk in VLAN 2.
console(config-if)# switchport trunk allowed vlan remove 2
console(config-if)# switchport trunk native vlan 2
console(config-if)#
Trunk Port – Tagged/Untagged
• Example – VLAN 2 on port 1/e18, untagged on input and untagged on output (native VLAN):
console(config)# interface ethernet 1/e18
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk native vlan 2
console(config-if)#
• Example – VLAN 2 on port 1/e19, tagged on input and tagged on output:
console(config)# interface ethernet 1/e19
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 2
General Mode Port Configuration
• Use the following Interface Mode command to add VLAN(s) to a General Mode port:
switchport general allowed vlan add vlan-list [ tagged | untagged ]
Note: the default is tagged
• To remove VLAN(s) from the list:
switchport general allowed vlan remove vlan-list
General Mode Port Configuration
• Use the following command to set the PVID of a General Port:
switchport general pvid vlan-id
• Use the “No” command to revert to the default VLAN PVID:
no switchport general pvid
Note:The PVID can be either a VID defined on the port (tagged or untagged), or a VID not defined on the port or even on the system
General Mode Port Configuration
• Example – General Mode port configuration: adding VLANs 2 and 3 as tagged, and VLAN 100 as untagged, to general mode port 1/e14; defining VID 100 as the PVID; reverting to the default PVID (VID=1):
console(config)# interface ethernet 1/e14
console(config-if)# switchport mode general
console(config-if)# switchport general allowed vlan add 2-3 tagged
console(config-if)# switchport general allowed vlan add 100 untagged
console(config-if)# switchport general pvid 100
console(config-if)# no switchport general pvid
General Port – Tagged/Untagged
• Example – VLAN 2 on port 1/e20, untagged on input and untagged on output:
console(config)# interface ethernet 1/e20
console(config-if)# switchport mode general
console(config-if)# switchport general pvid 2
console(config-if)# switchport general allowed vlan add 2 untagged
• Example – VLAN 2 on port 1/e21, untagged on input and tagged on output:
console(config)# interface ethernet 1/e21
console(config-if)# switchport mode general
console(config-if)# switchport general pvid 2
console(config-if)# switchport general allowed vlan add 2 tagged
General Port – Tagged/Untagged
• Example – VLAN 2 on port 1/e22, tagged on input and tagged on output:
console(config)# interface ethernet 1/e22
console(config-if)# switchport mode general
console(config-if)# switchport general allowed vlan add 2 tagged
• Example – VLAN 2 on port 1/e23, tagged on input and untagged on output:
console(config)# interface ethernet 1/e23
console(config-if)# switchport mode general
console(config-if)# switchport general allowed vlan add 2 untagged
General Mode – Ingress Filtering
• Use the following command to disable ingress filtering on a General Mode VLAN port. Use the “no” form of the command to switch filter on:
switchport general ingress-filtering disable
no switchport general ingress-filtering disable
General Mode – Acceptable Frame Type
• Use the following Interface Mode command to discard untagged frames at ingress. Use the no form of the command to allow untagged frames at ingress (the default):
switchport general acceptable-frame-type tagged-only
no switchport general acceptable-frame-type tagged-only
Forbidding VLAN – Configuration
• Use the following Interface Mode command to forbid the definition of a specific VLAN (statically or dynamically) on a port (the remove option cancels the restriction):
switchport forbidden vlan {add vlan-list | remove vlan-list}
• Note that the forbidden VLAN cannot be one that does not exist on the system, or one already defined on the port
• Example – on port 1/e21 (which is already a tagged member of VLAN 2): forbidding VLAN 2 fails, forbidding the non-existent VLAN 55 fails, forbidding VLAN 3 succeeds:
console(config)# interface ethernet 1/e21
console(config-if)# switchport forbidden vlan add 2
VLAN 2: Port 1/e21 cannot be Egress and Forbidden.
console(config-if)# switchport forbidden vlan add 55
VLAN 55: VLAN was not created by user.
console(config-if)#
console(config-if)# switchport forbidden vlan add 3
VLAN Show Commands
• Use the following EXEC mode command to view entire device VLAN configuration:
show vlan
• Use the following EXEC mode command to show interfaces belonging to a specific VLAN on the device:
show vlan {tag vlan-id | name vlan-name}
VLAN Show Commands
• Example – Show VLAN device configuration:
console# show vlan
Vlan Name Ports Type Authorization
---- ----------------- --------------------------- ------------ -------------
1 1 1/e(1,10-12,15-24),ch(1-8) other Required
2 success 1/e(2-9,13-14) permanent Required
3 3 1/e(13-14) permanent Required
100 100 1/e(13-14) permanent Required
console#
VLAN Show Commands
• Example – show ports on the VLAN with tag=3:
console# show vlan tag 3
Vlan Name Ports Type Authorization
---- ----------------- --------------------------- ------------ -------------
3 3 1/e(13-14) permanent Required
• Example – show ports on the VLAN named success:
console# show vlan name success
Vlan Name Ports Type Authorization
---- ----------------- --------------------------- ------------ -------------
2 success 1/e(2-9,13-14) permanent Required
VLAN Show Commands
• Use the following EXEC mode command to show VLAN configuration (Mode, PVID and configured VLANs) for a specific port:
show interfaces switchport { ethernet interface | port-channel port-channel-number }
VLAN Show Commands
• Example – VLAN details of port 1/e14:
console# show interfaces switchport ethernet 1/e14
Port : 1/e14
Port Mode: General
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 100
Port is member in:
Vlan Name Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
2 success Tagged Static
3 3 Tagged Static
100 100 Untagged Static
Forbidden VLANS:
Vlan Name
---- --------------------------------
Classification rules:
Group ID Vlan ID
-------- -------
1 4
Adding a Static MAC Address
• Use the following VLAN interface mode command to add a static MAC entry for one of the ports in the VLAN:
bridge address mac-address {ethernet interface | port-channel port-channel-number} [permanent | delete-on-reset | delete-on-timeout | secure]
MAC address format: H.H.H or H:H:H:H:H:H or H-H-H-H-H-H
• The user can define whether the entry will be:
– permanent
– deleted after reset
– aged out on timeout – as with dynamic entries
– secure – the entry is deleted if the port mode changes to “unlock” (used when the port is in locked mode)
Adding a Static MAC Address
• Note – the MAC addresses are added per VLAN, and not per device
– The type of entry (permanent, secure, etc.) has to be entered before the interface (if no type is mentioned, the default is permanent)
– You can configure an address on a port even if it does not belong to the VLAN
• The “no” form of the command deletes a static MAC entry from the table:
no bridge address [mac-address]
If no mac-address is specified in the command, all static entries are erased from the table
Example – Static MAC Addresses
• Example – adding 3 static MAC entries to VLAN 2:
– One permanent (the default)
– One to be deleted on reset
– One (on a secure port) to be deleted when the port is unlocked
Note the error message on the last command: a secure address can only be added to a port that is already locked
console(config)# interface vlan 2
console(config-if)# bridge address 00:11:22:33:44:55 ethernet 1/e10
console(config-if)# bridge address 00:11:22:33:44:55 permanent ethernet 1/e8
console(config-if)# bridge address 00:99:88:77:66:55 delete-on-reset ethernet 1/e7
console(config-if)# bridge address 00:99:88:77:44:33 secure ethernet 1/e5
VLAN:2, Port:1/e5 , Mac:00:00:99:88:77:44: : Port is not Locked, can't add Secure Address
Address Table Commands
• Use the following Global Configuration mode command to set the MAC table aging time (10-360 seconds):
bridge aging-time seconds
• Use the “no” form of the command to return to the default of 300 seconds:
no bridge aging-time
• Use the following EXEC mode command to remove learned (dynamic) addresses from the table:
clear bridge
Address Table Show Commands
• Use the following Privileged EXEC mode command to show the MAC address table of device :
show bridge address-table
• Use the following Privileged EXEC mode command to show addresses on specific VLAN:
show bridge address-table vlan vlan [ethernet interface | port-channel port-channel-number]
• Use the following Privileged EXEC mode command to show addresses on specific port:
show bridge address-table { ethernet interface | port-channel port-channel-number} [vlan vlan]
Example – Aging & Clear Bridge
• Example – showing the address table, setting the aging time to 100 seconds, and clearing the dynamic entries from the bridge table:
console# show bridge address-table
Aging time is 300 sec
Vlan Mac Address Port Type
------ --------------------- ------ --------------
2 00:10:a4:8f:ba:33 1/e8 dynamic
2 00:11:22:33:44:55 1/e8 static
2 00:99:88:77:44:33 1/e6 secure
2 00:99:88:77:66:55 1/e7 static
console# con
console(config)# bridge aging-time 100
console(config)# exit
console# clear bridge
console# show bridge address-table
Aging time is 100 sec
Vlan Mac Address Port Type
------ --------------------- ------ --------------
2 00:11:22:33:44:55 1/e8 static
2 00:99:88:77:44:33 1/e6 secure
2 00:99:88:77:66:55 1/e7 static
console#
Address Table Show Commands
• Example – show MAC address entries for a specific port:
console# show bridge address-table ethernet 1/e13
Aging time is 100 sec
Vlan Mac Address Port Type
---- ------------------- ---- ------------
3 00:10:a4:8f:ba:33 1/e13 dynamic
Address Table Show Commands
• Example – show MAC addresses for a VLAN:
console# show bridge address-table vlan 2
Aging time is 100 sec
Vlan Mac Address Port Type
------ --------------------- ------ --------------
2 00:11:22:33:44:55 1/e8 static
2 00:99:88:77:44:33 1/e6 secure
2 00:aa:bb:cc:dd:00 1/e9 static
console#
Address Table Show Commands
• Use the following Privileged EXEC mode command to show only static MAC entries:
show bridge address-table static
• This option takes the same filters as the general address table show command, to show:
– All static entries on the device
– Static entries on a VLAN
– Static entries on a certain interface
– A combination of a specific VLAN and interface
Bridge (Address Table) Show Commands
• Example – show device static MAC address entries:
console# show bridge address-table static
Aging time is 100 sec
Vlan Mac Address Port Type
------ --------------------- ------ ----------
2 00:11:22:33:44:55 1/e8 permanent
2 00:99:88:77:44:33 1/e6 secure
2 00:aa:bb:cc:dd:00 1/e9 delete-on-reset
Address Table Show Commands
• Use the following Privileged EXEC mode command to show the number of MAC entries:
show bridge address-table count
• This option takes the same filters as the general address table show command, to count:
– All entries on the device
– Entries on a VLAN
– Entries on a certain interface
– A combination of a specific VLAN and interface
Bridge (Address Table) Show Commands
• Example – show device MAC address count:
console# sh bridge address-table count
Gathering data.
Capacity : 8192
Free : 8189
Used : 3
Secure : 1
Dynamic : 0
Static : 2
console#
Ghost VLAN Settings
What each feature does when configured on a non-existent VLAN, when configured on a dynamic VLAN, and when the VLAN is deleted:
• Address table – commands: bridge address, bridge multicast, bridge multicast forward-all, bridge multicast forbidden forward-all
– Non-existent VLAN: impossible to enter the VLAN context
– Dynamic VLAN: impossible
– VLAN deleted: entry is removed
• VLAN properties – command: name
– Non-existent VLAN: impossible to enter the VLAN context
– Dynamic VLAN: impossible
– VLAN deleted: entry is removed
• Port membership in VLAN – commands: switchport access vlan, switchport trunk allowed vlan, switchport trunk native vlan, switchport general allowed vlan, switchport forbidden vlan
– Non-existent VLAN: not allowed (except the PVID of a general mode port)
– Dynamic VLAN: not allowed
– VLAN deleted: entry is removed
• IGMP snooping – command: ip igmp snooping
– Non-existent VLAN: impossible to enter the VLAN context
– Dynamic VLAN: impossible
– VLAN deleted: entry is removed
• IP addressing – commands: ip address, ip address dhcp
– Non-existent VLAN: impossible to enter the VLAN context
– Dynamic VLAN: impossible
– VLAN deleted: not allowed
VLAN Configuration Examples
Example #1
Figure: Example #1 topology – workstation ports with PVID#2 and PVID#3, server ports with PVID#100, and port 24 connected to the Internet router.
Example #1 – Requirements
• All servers are connected to a dedicated VLAN with VID#100.
• There are two workgroups in the network (correspondingly mapped to two VLANs – VID#2 and VID#3).
• No traffic is allowed between VID#2 and VID#3.
• Traffic from VID#2 and VID#3 is allowed to the servers and to the Internet.
• No traffic is allowed between the Internet and the servers.
• Workstation NICs do not support VLAN tagging.
• Servers and the Internet router support VLAN tagging.
Example #1 – Implementation
Port#   VLAN#                       PVID#   Port Mode
-----   -------------------------   -----   ---------
1-3     2, 3 tagged; 100 untagged   100     Trunk
4-13    2, 100 untagged             2       General
14-23   3, 100 untagged             3       General
24      2, 3 tagged                 1       Trunk
Example #1 – CLI
console(config)#
console(config)# vlan database
console(config-vlan)# vlan 2-3,100
console(config-vlan)# exit
console(config)# interface range ethernet 1/e1-3
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 2-3
console(config-if)# switchport trunk native vlan 100
14-may-2003 19:12:43 %LINK-I-Up: Vlan 2
14-may-2003 19:12:43 %LINK-I-Up: Vlan 3
14-may-2003 19:12:43 %LINK-I-Up: Vlan 100
console(config-if)# exit
console(config)# interface range ethernet 1/e4-13
console(config-if)# switchport mode general
console(config-if)# switchport general allowed vlan add 2,100 untagged
console(config-if)# switchport general pvid 2
console(config-if)# exit
Example #1 – CLI Cont’
console(config)# interface range ethernet 1/e14-23
console(config-if)# switchport mode general
console(config-if)# switchport general allowed vlan add 3,100 untagged
console(config-if)# switchport general pvid 3
console(config-if)# exit
console(config)# interface ethernet 1/e24
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 2-3
console(config-if)# exit
console(config)#
Example #1 - CLI Cont’
console# show vlan
Vlan Name Ports Type Authorization
---- -------------------------------- --------------------------- ------------ ----------------
1 1 1/e(4-24),ch(1-7) other Required
2 2 1/e(1-13,24) permanent Required
3 3 1/e(1-3,14-24) permanent Required
100 100 1/e(1-23) permanent Required
Example #1 - CLI Cont’
console# show interfaces switchport ethernet 1/e3
Port : 1/e3
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 100
Port is member in:
Vlan Name Egress rule Port Membership Type
---- -------------------------------- ----------- --------------------
2 2 Tagged Static
3 3 Tagged Static
100 100 Untagged Static
……
Example #2.
[Diagram labels: AT-8000S acting as a L2 switch; LAG#1; LAG#2; Multimedia Server; FTP Server; WEB Server; Windows; Layer 2/3/4 switch; Layer 2/3/4 switch; Layer 2 switch]
Example #2 - Requirements.
• All servers are connected to the Layer 2 switch (the servers' aggregator).
• There are 4 workgroups in the network (correspondingly mapped to 4 VLANs – VID#2 through VID#5).
• No traffic is allowed among VLANs.
• The AT-8000S device is connected through two L2 LAGs (LAG#1 and LAG#2) to the Layer 2/3/4 switches.
• All VLANs have access to the servers.
• None of the NICs support VLAN tagging.
Example #2 - Implementation
Port           VLAN          PVID      Port Mode
1-4            2             2         Access
5-8            3             3         Access
9-12           4             4         Access
13-16          5             5         Access
17-24          Default       Default   Access
LAG1 (17-20)   2,3 Tagged    1         Trunk
LAG2 (21-24)   4,5 Tagged    1         Trunk
Example #2 - CLI
console(config)# vlan database
console(config-vlan)# vlan 2-5
console(config-vlan)# exit
console(config)# interface range ethernet 1/e1-4
console(config-if)# switchport access vlan 2
console(config-if)# exit
console(config)# interface range ethernet 1/e5-8
console(config-if)# switchport access vlan 3
15-Jun-2003 11:40:45 %LINK-I-Up: Vlan 3
console(config-if)# exit
console(config)# interface range ethernet 1/e9-12
console(config-if)# switchport access vlan 4
15-Jun-2003 11:41:11 %LINK-I-Up: Vlan 4
console(config-if)# exit
console(config)# interface range ethernet 1/e13-16
console(config-if)# switchport access vlan 5
15-Jun-2003 11:42:24 %LINK-I-Up: Vlan 5
Example #2 - CLI Cont’
console(config-if)# exit
console(config)# interface range ethernet 1/e17-20
console(config-if)# channel-group 1 mode on
15-Jun-2003 11:43:20 %TRUNK-I-PORTADDED: Port 1/e17 added to ch1
15-Jun-2003 11:43:20 %TRUNK-I-PORTADDED: Port 1/e18 added to ch1
15-Jun-2003 11:43:21 %TRUNK-I-PORTADDED: Port 1/e19 added to ch1
15-Jun-2003 11:43:21 %TRUNK-I-PORTADDED: Port 1/e20 added to ch1
15-Jun-2003 11:43:21 %LINK-I-Up: ch1
console(config-if)# exit
console(config)# interface range ethernet 1/e21-24
console(config-if)# channel-group 2 mode on
15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e21 added to ch2
15-Jun-2003 11:44:13 %LINK-I-Up: ch2
15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e22 added to ch2
15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e23 added to ch2
15-Jun-2003 11:44:13 %TRUNK-I-PORTADDED: Port 1/e24 added to ch2
Example #2 - CLI Cont’
console(config-if)# exit
console(config)# interface port-channel 1
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 2-3
console(config-if)# exit
console(config)# interface port-channel 2
console(config-if)# switchport mode trunk
console(config-if)# switchport trunk allowed vlan add 4-5
console(config-if)# exit
console(config)#
Example #2 - CLI Cont’
console# show vlan
Vlan Name Ports Type Authorization
---- -------------------------------- --------------------------- ------------ ----------------
1 1 ch(1-7) other Required
2 2 1/e(1-4),ch1 permanent Required
3 3 1/e(5-8),ch1 permanent Required
4 4 1/e(9-12),ch2 permanent Required
5 5 1/e(13-16),ch2 permanent Required
console#
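As an added check that is not part of the original slides: the following Python model of 802.1Q port membership (PVID for untagged ingress, ingress filtering, tagged or untagged egress) encodes the Example #1 and Example #2 tables above and reports which of the stated requirements VLAN membership alone enforces. LAG1 and LAG2 are modelled as single ports named ch1 and ch2, the default VLAN 1 membership of ports 4-24 is taken from the show vlan output, and MAC learning, spanning tree and ACLs are deliberately left out. The last Example #1 check is the one to note: ports 1-3 and port 24 are both tagged members of VLANs 2 and 3, so a frame tagged with VLAN 2 or 3 arriving from the Internet router is forwarded to a server port; the requirement that no traffic pass between the servers and the Internet is therefore not enforced by this membership table and has to come from the router's and servers' own configuration.

```python
"""Layer-2 model of the AT-8000S VLAN membership tables from Example #1 and
Example #2. Added example written for this page; it is a simplification of
802.1Q bridging, not AT-8000S code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    mode: str            # access / general / trunk, as in the slides (informational)
    pvid: int            # VLAN assigned to untagged ingress frames
    tagged: frozenset    # VLANs transmitted with an 802.1Q tag
    untagged: frozenset  # VLANs transmitted without a tag

    def members(self):
        return self.tagged | self.untagged


def classify(port, tag):
    """Ingress: tag=None is an untagged frame and takes the PVID; a tagged frame
    keeps its VID. Ingress filtering (enabled on the page's ports) drops frames
    whose VLAN the port is not a member of."""
    vid = port.pvid if tag is None else tag
    return vid if vid in port.members() else None


def deliver(ports, src, tag, dst):
    """Return (vid, 'tagged'|'untagged') if a frame entering `src` can be forwarded
    or flooded out `dst`, else None. Only VLAN membership is modelled."""
    vid = classify(ports[src], tag)
    if vid is None or src == dst:
        return None
    out = ports[dst]
    if vid in out.tagged:
        return (vid, "tagged")
    if vid in out.untagged:
        return (vid, "untagged")
    return None


def port_range(ports, first, last, **kw):
    for n in range(first, last + 1):
        ports[n] = Port(**kw)


def example1():
    """Example #1 table; ports 4-24 also keep default VLAN 1 untagged, as 'show vlan' shows."""
    p = {}
    port_range(p, 1, 3, mode="trunk", pvid=100, tagged=frozenset({2, 3}), untagged=frozenset({100}))
    port_range(p, 4, 13, mode="general", pvid=2, tagged=frozenset(), untagged=frozenset({1, 2, 100}))
    port_range(p, 14, 23, mode="general", pvid=3, tagged=frozenset(), untagged=frozenset({1, 3, 100}))
    port_range(p, 24, 24, mode="trunk", pvid=1, tagged=frozenset({2, 3}), untagged=frozenset({1}))
    return p


def example2():
    """Example #2 table; LAG1 and LAG2 are modelled as single ports 'ch1' and 'ch2'."""
    p = {}
    for vid, (a, b) in {2: (1, 4), 3: (5, 8), 4: (9, 12), 5: (13, 16)}.items():
        port_range(p, a, b, mode="access", pvid=vid, tagged=frozenset(), untagged=frozenset({vid}))
    p["ch1"] = Port("trunk", 1, frozenset({2, 3}), frozenset({1}))
    p["ch2"] = Port("trunk", 1, frozenset({4, 5}), frozenset({1}))
    return p


def check_example1():
    """Which Example #1 requirements does VLAN membership alone enforce?"""
    p = example1()
    return {
        "workgroup2_to_workgroup3_blocked": deliver(p, 4, None, 14) is None,
        "workgroup3_to_workgroup2_blocked": deliver(p, 14, None, 4) is None,
        "workgroup2_reaches_server": deliver(p, 4, None, 1) == (2, "tagged"),
        "workgroup3_reaches_server": deliver(p, 14, None, 1) == (3, "tagged"),
        "workgroup2_reaches_internet": deliver(p, 4, None, 24) == (2, "tagged"),
        "server_vlan100_to_internet_blocked": deliver(p, 1, None, 24) is None,
        # Port 24 and ports 1-3 are both tagged members of VLANs 2 and 3, so a
        # VLAN-2-tagged frame from the router does reach a server port: this
        # check comes back False.
        "internet_vlan2_to_server_blocked": deliver(p, 24, 2, 1) is None,
    }


def check_example2():
    """Example #2: VLANs are isolated and each pair of VLANs rides its own LAG."""
    p = example2()
    return {
        "vlan2_to_vlan3_blocked": deliver(p, 1, None, 5) is None,
        "vlan2_uses_lag1": deliver(p, 1, None, "ch1") == (2, "tagged"),
        "vlan2_not_on_lag2": deliver(p, 1, None, "ch2") is None,
        "vlan4_uses_lag2": deliver(p, 9, None, "ch2") == (4, "tagged"),
    }


if __name__ == "__main__":
    for name, ok in {**check_example1(), **check_example2()}.items():
        print(f"{name:38s} {'enforced' if ok else 'NOT enforced by VLAN membership'}")
```

Running the module prints one line per check; every check is expected to read "enforced" except internet_vlan2_to_server_blocked.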
VLAN Troubleshooting
General Switch Issues
Problems reported by customers are usually related somehow to common connectivity issues (two PCs can’t communicate within the VLAN, a PC connected to the device doesn’t have access to the Internet or to the centrally located database and so on).
The following list presents the typical connectivity problems within the VLANs:
• Port connectivity issues
• Hardware issues
• Configuration issues
  – Port configuration issues
  – Port mode configuration issues
  – Port status issues
  – 802.1q
• RSTP/STP issues
• Access Control and Security issues
• LAG issues
• Management issues
Possible problem: There is no traffic through the port within the VLAN
Problem description: Port within the VLAN doesn’t transmit data
Solution:
1. Use the show vlan command to check whether the port belongs to the VLAN.
2. Check whether the port is configured for LAG on both sides of the LAG. If the other side is not configured for LAG, the RSTP/STP process may block the port on the LAG side. Use show interface switchport port-channel to check whether the port belongs to a LAG or not.
3. Use the show interfaces status command to check whether there is a mismatch in the port duplex mode configuration - the full duplex side thinks that it can send whenever it wants to, but the half duplex side expects packets only at certain times, not at any time.
4. Use show interfaces status to check whether the port is disabled by port security. One of the action modes is “discard-shutdown”. A port security violation automatically blocks traffic through the port.
5. Use the show spanning-tree ethernet command to check the spanning tree port status.
6. In RSTP mode, according to the standard, edge ports are not involved in the RSTP processes. However, if an edge port receives a BPDU (for some reason) it will participate in STP and may be blocked.
Possible problem: Port can’t be assigned to a VLAN
Problem description: Port can’t be assigned to a VLAN either through the ASCII terminal (telnet) or through the EWS
Solution:
1. Use show interfaces port-channel to check whether the port belongs to a LAG or not.
2. Use show ip interface to check whether the port is dedicated for management (for adding an untagged VLAN).
3. Use show interface switchport ethernet to check the port properties. Verify that the port is not forbidden from being a member of that VLAN.
4. A trunk port’s native VLAN can’t be added as a tagged VLAN to the port.
5. Use the show ports monitor command to check whether the port is a target (mirror) port.
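An added helper for step 1 of the first table above, not from the original slides: it parses show vlan output in the format shown earlier on this page (the Example #1 output is embedded as constructed sample input) and answers which VLANs a given port belongs to. It assumes the Ports column uses the 1/e(...) and ch(...) range notation seen on the page, that a port-channel may also appear as a bare name such as ch1, and that the Name column is a single token, as it is in the page's output.

```python
"""Parse AT-8000S 'show vlan' output and answer VLAN membership questions.
Added example for this page; the sample text below is a copy of the Example #1
output shown on the slides."""
import re

SHOW_VLAN_EXAMPLE1 = """\
Vlan Name Ports Type Authorization
---- -------------------------------- --------------------------- ------------ ----------------
1 1 1/e(4-24),ch(1-7) other Required
2 2 1/e(1-13,24) permanent Required
3 3 1/e(1-3,14-24) permanent Required
100 100 1/e(1-23) permanent Required
"""

# Matches one group of the Ports column: "1/e(1-13,24)", "ch(1-7)" or a bare "ch1".
GROUP_RE = re.compile(r"(1/e|ch)(?:\(([^)]*)\)|(\d+))")


def expand_ports(field):
    """Expand '1/e(1-4),ch1' into {'1/e1', '1/e2', '1/e3', '1/e4', 'ch1'}."""
    ports = set()
    for prefix, body, single in GROUP_RE.findall(field):
        for part in (body or single).split(","):
            lo, _, hi = part.partition("-")
            for n in range(int(lo), int(hi or lo) + 1):
                ports.add(f"{prefix}{n}")
    return ports


def parse_show_vlan(text):
    """Return {vid: set of port names} from 'show vlan' output.
    Assumes a single-token Name column, as in the output on this page."""
    vlans = {}
    for line in text.splitlines():
        cols = line.split()
        if not cols or not cols[0].isdigit():
            continue  # skip the header and separator rows
        vid, ports_field = int(cols[0]), cols[2]
        vlans[vid] = expand_ports(ports_field)
    return vlans


def vlans_of(vlans, port):
    """Sorted list of VLAN IDs the port is a member of (step 1 of the checklist)."""
    return sorted(vid for vid, members in vlans.items() if port in members)


def port_in_vlan(vlans, port, vid):
    return port in vlans.get(vid, set())


if __name__ == "__main__":
    table = parse_show_vlan(SHOW_VLAN_EXAMPLE1)
    for port in ("1/e1", "1/e14", "1/e24"):
        print(port, "is in VLANs", vlans_of(table, port))
    print("1/e14 in VLAN 2:", port_in_vlan(table, "1/e14", 2))
```

For a port that should be carrying a VLAN but is not listed, the next steps of the checklist (LAG membership, management dedication, forbidden membership, native VLAN conflict, mirror target) explain why the assignment may have been refused.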
Port Connectivity Troubleshooting
Hardware Problems.
• CLI shows the port state – up and down either via ASCII terminal or Telnet.
• CLI command “show interface status” - displays the current status of the port.
• A link light doesn’t guarantee that the cable is fully functional.
• Remove the cable from the port and re-insert it – be sure that traps are sent to the ASCII terminal or telnet terminal.
• Sometimes a cable appears to be seated in the jack, but actually it is not – unplug the cable and re-insert it.
• If, after all the above mentioned, the port doesn’t come up, it is recommended to check the cable with the cable tester.
• Another reason to consider is SW shut down of the port (port security or ACL port disabled option in other types of devices)
Troubleshooting Security Problems
• Unfortunately, security problems in modern networks are very common today.
• Network managers are making big efforts to protect networks from internal and external attacks.
• According to recent research, over 70% of network intrusions are internal.
• In addition to the standard list of well-known internal network intrusions we would like to point out the following ones:
  – changes in the running and start-up configurations:
    • Port configuration
    • IP interface configuration
    • RSTP/STP configuration
    • VLAN configuration and so on
  – changing the password for the ASCII terminal and telnet access
  – changes in the access control and security
  – uploading/downloading new software images
  – uploading/downloading new system configurations
  – system reload/reboot either through ASCII terminal and CLI/Debug CLI or telnet
  – erasing device configuration
  – erasing software image
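An added example, not from the original slides, of how the first item in that list can be checked mechanically: compare the start-up and running configurations and group every differing line by the categories the slide names. The two configuration texts are constructed in the AT-8000S CLI style used on this page; the 'username' line is assumed syntax for illustration and the password in it is a placeholder.

```python
"""Detect drift between start-up and running configuration, grouped by the
change categories listed on the slide. Added example for this page; the two
configurations below are constructed, not captured from a device."""

STARTUP_CONFIG = """\
vlan database
vlan 2-3,100
exit
interface ethernet 1/e24
switchport mode trunk
switchport trunk allowed vlan add 2-3
exit
"""

RUNNING_CONFIG = """\
vlan database
vlan 2-3,100,200
exit
interface ethernet 1/e1
shutdown
exit
interface ethernet 1/e24
switchport mode trunk
switchport trunk allowed vlan add 2-3,100
exit
username operator password level 15 PLACEHOLDER-PASSWORD
"""

BLOCK_STARTERS = ("interface ", "vlan database")  # lines that open a context block


def config_lines(text):
    """Return a set of (context, line) pairs, where context is the enclosing
    'interface ...' or 'vlan database' block ('' at global level)."""
    ctx, items = "", set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "exit":
            ctx = ""
        elif line.startswith(BLOCK_STARTERS):
            ctx = line
        else:
            items.add((ctx, line))
    return items


def classify(ctx, line):
    """Map a changed line to one of the change categories from the slide.
    The keyword tests are assumptions about command prefixes, not AT-8000S code."""
    if line.startswith(("vlan", "switchport")):
        return "VLAN configuration"
    if line.startswith("ip "):
        return "IP interface configuration"
    if line.startswith("spanning-tree"):
        return "RSTP/STP configuration"
    if line.startswith(("username", "password", "enable password")):
        return "Password / access configuration"
    if ctx.startswith("interface"):
        return "Port configuration"
    return "Other"


def config_drift(startup, running):
    """Lines present in only one of the two configurations, grouped by category,
    as ('added'|'removed', context, line) triples."""
    before, after = config_lines(startup), config_lines(running)
    drift = {}
    for ctx, line in sorted(before - after):
        drift.setdefault(classify(ctx, line), []).append(("removed", ctx, line))
    for ctx, line in sorted(after - before):
        drift.setdefault(classify(ctx, line), []).append(("added", ctx, line))
    return drift


if __name__ == "__main__":
    for category, changes in config_drift(STARTUP_CONFIG, RUNNING_CONFIG).items():
        print(category)
        for kind, ctx, line in changes:
            print(f"  {kind:8s} {ctx or '(global)'}: {line}")
```

Comparing the two texts as sets of (context, line) pairs rather than as raw lines means a reordered block is not reported, while the same command appearing under a different interface is.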
Troubleshooting Security Problems
How to Troubleshoot Hacker Attacks?
• Constantly change passwords and user names
• Periodically monitor telnet sessions
• Secure the management port; allow management and control from dedicated PCs only.