At8000 s configurando vla_ns

Virtual Lan (VLAN)

AT-8000S

Transparent Bridge Process (Unicast)

• Learning – reading the MAC source address and adding it to the lookup table

• Flooding – sending a packet to all segments (if no entry for destination MAC)

• Forwarding – “connecting” 2 segments to forward a packet (with a known destination MAC)

• Filtering – ignoring packets sent on the same node• Aging – removing “old” entries from the lookup table

Marvell Confidential

SENDER RECEIVER

MAC Header:DEST: BSRC : A

IP Header: DEST: 1.1.1.2 SRC: 1.1.1.1

DATA

Switch/Bridge

NODE: MAC_R

MAC Header:DEST: BSRC : A

IP Header: DEST: 1.1.1.2 SRC: 1.1.1.1

DATA

PACKET PACKETp1 p2

VID MAC PORT TIME

1 A 1 ##:##

1 B 2 ##:##

NET:1.1.1.1NODE:

MAC_A

NET:1.1.1.2NODE:

MAC_B

port MAC TIME

1 A ##:##

2 B ##:##

Transmission Via a Bridge/Switch

Virtual LAN (VLAN)

• VLANs logically (software) divide the LAN into separate subgroups - broadcast domains

• VLAN groups relate users regardless of the physical LAN segment to which the hosts are attached

• Allows traffic to flow more efficiently within populations of mutual interest• VLANs allow broadcast domains to be defined without using routers• Routers are needed for communication between the different VLANs

VLAN C

VLAN B

VLAN A

Switch with VLANs

Marvell Confidential

VLAN – multiple Switches

Switch Switch#1 #2

VLA N-1 VLAN-2 VLAN-2VLA N-1

Multiple VLANs on One Device –One Armed Router

A,B,C, D

VLAN A

VLAN CVLAN B

VLAN D

A,B,C

C,D

RouterBridge/

Switch

Benefits of VLANs

• Improves network performance

• Reduces the number of routers needed

• Flexible network segmentation (virtual workgroups)

• Simplified administration

• Enhanced network security

• Reduces network solution cost

• Better use of server resources

Types of VLANs

• Membership by 802.1Q tag• Membership by port• Membership by MAC address• Membership by protocol (IP, IPX…)• Membership by subnet• Membership by application or service (telnet, FTP..)

VLAN Solution

Marketing

Engineering

Administration

VLAN - Propriety

• VLAN multi switch solutions were propriety and vendor based:– Cisco: ISL– Bay : Lattisspan– 3Com: VLT– Cabletron: SecureFast

• Propriety VLAN are a disadvantage for networks that don’t wish to be vendor dependant

• The IEEE 802.1q standardized VLANs

Forwarding a Known Unicast Frame

VLAN Unaware Switch• Determine the output port

associated with the destination address based on the address table

• If associated port is different from source port, forward the frame to the destination port

• Otherwise – discard the frame

VLAN Aware Switch• Determine the VLAN

associated with the received frame

• Determine the output port associated with the destination address based on the address table

• If associated port is not the source port, and is a member of the VLAN -forward the frame

• Otherwise, discard the frame

Forwarding Unknown Unicast and Multicast Frames

VLAN Unaware Switch• Flood the frame to all ports

except the source port

VLAN Aware Switch• Determine the VLAN

associated with the received frame

• Flood the frame only to ports that are members of the VLAN, except the source port

(If Ingress filter is on)

VLAN Tagging Methods

• Explicit tagging – VLAN membership is indicated by adding a tag to each packet

• Implicit tagging - VLAN membership is determined by examining information that already exists within each packet:

– Protocol ID (ether type) of the packet

– MAC address (range)

– Etc.

Types of devices on VLAN

• VLAN aware device

Understands VLAN membership(which user belongs to which VLAN) and format

– Making forwarding decisions based on VLAN association and not only on destination address

– Adding (and removing) explicit VLAN identification (tagging) to frames (tag aware)

• VLAN unaware device (usually SNMP unmanaged devices) Does not Understand VLAN membership & format

Frames Sent by Aware\Unaware Devices

Types of Devices

• VLAN unaware device

• VLAN aware device

Types of Frames

• Untagged frames (implicit)

• Tagged frames (explicit)

All connected devices

Other VLAN aware devices

Type of Links – Access Link

• Connects VLAN tagged unaware devices to the port of a VLAN tagged aware switch

• The VLAN switch adds tags to received frames, and removes tags when transmitting frames

• All frames on access links are untagged

VLAN AAccess LinkVLAN tagged aware switch

VLAN tagged

unaware

Types of Links – VLAN Trunk Link

• Attaches 2 VLAN aware switches (or other VLAN tagged aware devices)

• All frames on VLAN Trunk links must have a special header attached(tagged frames)

• Allows for multiple VLAN frames to use one link

VLAN tagged aware switch VLAN

tagged aware switch

VLAN tagged aware

Workstation

VLAN Trunk Link

VLAN Trunk

Link

Types of Links – General Link

• Combination of VLAN Trunk and access Links

• Both VLAN aware and unaware devices are connected

• Can have both tagged and untagged frames,but

all frames sent to a specific VLAN must be either tagged or untagged

General Link

VLAN tagged aware

Workstation

VLAN B tagged

unaware Workstation

VLAN taggedaware switch

VLAN tagged aware switch

Tagged/Untagged Frames on Links

Types of Links

• Trunked Link

• General Link

• Access Link

Types of Frames

• Tagged frame

• Untagged frames

VLAN tagged aware Domain

Core switchesVLAN tagged

unaware Domain

VLAN tagged unaware Domain

VLAN tagged unaware Domain

Advantage/Disadvantage of Tagging

Advantages• The standard way of VLAN

implementation in the networking devices

• VLAN association rules need to be applied only once

• Only edge switches need to know the VLAN association rules

• Core switches can get higher performance by operating on an explicit VLAN identifier

• VLAN aware end stations can reduce load from switches

Disadvantages• Tags can be interpreted only

by VLAN aware devices• Edge switches must strip tags

before forwarding them to VLAN unaware devices

• Insertion or removal of a tag requires recalculation of CRC

• May increase length of frame beyond maximum (“old” frame size – 1518 bytes, “new” frame size – 1522 bytes)

VLAN - Tagged/ Untagged Ports

• The behavior of a specific port added to one or more VLANs depends on themode of the port – access, trunk or general.

• A port added to a VLAN on a (VLAN aware) device can be in one of 2 states –tagged or untagged (for each specific VLAN)

• A certain VLAN can have both tagged and untagged ports

Ingress Port behavior

• At the ingress – tagged and untagged VLAN configuration have the same affect:

– Tagged frames which have a VID matching that of one of the VLANs defined on the port – are forwarded

– Tagged frames which have a VID that does not match any of the VLANs defined on the port – are discarded

– Untagged frames are forwarded on the VLAN which is the PVID – and PVID tag is added to the frames

Egress Port behavior

• At the egress – tagged and untagged VLAN port configuration have different affects:

– Tagged VLANs forward the egress traffic (“out of the device”) as tagged frames

– Un-tagged VLANs forward the egress traffic (“out of the device”) as un-tagged frames

The VLAN Tag – Ethernet Frame

2 Bytes 2 BytesTag Protocol Identifier

TPIDTag Control Information

TCI

Destination Address

Source Address

Length/Type DATA FSCTPID TCI

The VLAN Tag

2 Bytes 2 Bytes

Tag Protocol Identifier

TPID

Tag Control Information

TCI

VLAN protocol Id = 0x8100

Tag Priority3 Bits

CFI1Bit

VID12 Bits

• Tag priority according to IEEE802.1p• CFI – Canonical Format Indicator• VID – VLAN ID

Tag Control Information

• Tag Priority –– “Piggyback” on VLAN TAG– 7 is the highest priority (0 the default)

• CFI –– Value 1

VLAN tag extended to include embedded Source Routing information which will also contain the canonical format of any embedded MAC address

– Value 0VLAN tag not extended + any embedded MAC addresses are in canonical (Little Endian) format

• VLAN ID– Between 1 to 4094 (0x000 and 0xFFF reserved)

VLAN Port Database

1 2 3 … 24

use tag use tag use tag use tag use tag

1 1 1 1 0 0 x … … 1 0

2 0 x 1 0 1 1 … … 1 1

3 1 0 0 x 0 x … … 0 x

… … … … … … … … … … …

4094 1 1 1 1 0 x … … 1 0

VLANPORTS

Switch Filtering Operation Process

• Ingress- Takes received frames from a physical port and performs 3 operations:

* Acceptable frame filter* ingress rules* ingress filter

• Progress- Forwarding decision according to database

• Egress- How to transmit frames through the output ports

Switch Filtering Operation

Port 1input

PortIf.

PortIf.

Port 1 output

Acceptable

Frame Filter

Ingress

Rules

Ingress

Filter

Forwarding

Decision

Χ

Switch Fabric

Egress

Rules

Ingress Progress Egress

PortIf.

PortIf.

Port 2 output

Acceptable

Frame Filter

Ingress

Rules

Ingress

Filter

Forwarding

Decision

Egress

Rules

PortIf.

PortIf.

Port noutput

Acceptable

Frame Filter

Ingress

Rules

Ingress

Filter

Forwarding

Decision

Egress

Rules

Port 2 input

Port ninput

Switch Filtering - Ingress

• Acceptable Frame Filter- Admit all / admit only tagged

• Ingress rules- Tagged frame – according to tag- Untagged frame – association rules (PVID)

• Ingress Filter (default is on)- Forwards frames only if the frame’s tag VID is equal to the VID of one of

the VLANs configured on the port

Switch Filtering - Process

• Filtering Database- Either static or dynamic entries - Either unicast or multicast entries

• Forwarding decisions- Known MAC addresses

Lookup in MAC address table.Lookup key is based on both:

VLAN tag and destination MAC addressleading to the required egress port

- Unknown Unicast – initial lookup in MAC forwarding table, when entry is not found – flooding is performed based on the VLAN Port Table

- Broadcast frame – lookup is done directly at the VLAN Port Table (flooding to all ports of the VLAN)

Switch Filtering - Egress

• Egress Rules Model- Forwards frames as tagged frames if the egress port is defined as

VLAN tagged (for that specific VLAN)

- Forwards frames as untagged frames if the egress port is defined as VLAN un-tagged (for that specific VLAN)

PSS

MAC Table Fast Forwarding Table

ASIC

Buffers

Ports VLAN 1

VLAN 2

Unknown destination MAC address

Incoming port

Ingress filtering

Entry not found

Broadcast to all ports in the same

VLAN

Filtering Database – MAC Address Entries

• Dynamic MAC address entries are learned based on the source MAC of received packets

• Dynamic entries are subject to aging

• Static MAC entries are configured by user, and may be permanent, erased when rebooting or subject to aging

• Lookup in the MAC Forwarding Table (the Filtering Database) is based on VID + Destination Port

VLAN

AT- 8000SImplementation

VLAN Overview

• AT- 8000S devices support 256 VLANs which can be assigned a VID from the full range of 4k VLAN Ids

• Default and the “discard” VLANs (4095), are treated specially as described.

• Some VLAN IDs may be pre-assigned by the system for operational usage.

• The number of (VLANs * ports) configured on the system should be less than or equal to 64K.

VLAN Overview

• Note that the system will never send a frame tagged with VID=1, since the default VLAN can be used (defined) on a port only if it is set to be that port’s PVID

• Note that by using PVID=4095 the user in effect limits the “allowed frame types” to “tagged only” for incoming frames.

• Reference: IEEE802.1Q.

Port Modes

• Access Port

• Trunk Port

• General Port

Access Mode

• Ports set to Access Mode belong to a one VLAN only, whose VID is the currently set PVID (default =1).

• This implies that the Ports will accept all untagged frames (and assign them the PVID tag), and all frames tagged with the VID currently set with the port’s PVID.

• All traffic sent out will be untagged. • If the current PVID of the port is deleted from the system

or deleted from the port, the Port’s PVID will be set to 1 (That is, the port will be made a member of VLAN#1, the default VLAN).

Access Mode

• Ingress Filtering is always ON for ports in Access Mode.

• Access mode ports are intended to connect end-stations to the system, especially when the end-stations are incapable of generating VLAN tags

Trunk Mode

• Ports set to Trunk mode can belong to as many VLANs as desired.

• The port has a native VLAN (PVID) which is untagged, all other VLANs are tagged

• The ports will accept both tagged and untagged frames.

• Untagged frames will be classified to the port’s PVID.

Trunk Mode

• Ingress filtering is always enabled on Trunk-mode ports. Incoming tagged frames will undergo Ingress filtering and if correctly tagged, (tagged with a VID of one of the VLANs to which the port currently belongs) they will be admitted, otherwise – they will be discarded

• Egress frames forwarded on to the PVID VLAN will be sent out un-tagged

• Egress frames sent to all other VLANs active on the port will be sent tagged.

Trunk Mode

• The default PVID (native VLAN) is 1 (the default VLAN). • If another VID is configures as the port’s PVID, and the

corresponding VLAN is deleted from the port or from the system, the port’s PVID returns to 1 .(That is the port will be made a member of the Default VLAN)

• Trunk-mode ports are intended for Switch-to-Switch links, where usually all traffic is tagged.

General Mode• Ports set to General mode may be members of as many

VLANs as desired.

• Port configured in the general mode can be assigned as untagged to as many VLANs as desired

• The user can set separately for each VLAN whether it will be Tagged or Untagged. This setting applies to transmitted frames.

• The user can configure a PVID. The default PVID is the default VLAN.

• The PVID can be that of any of the VLANs configured on the port (tagged or on tagged) and also VLANs not configured on the port or even not configured on the device

General Mode• Incoming Tagged frames are classified according to their

TAG and discarded if such a VLAN is not defined on the port.

• Incoming untagged frames are classified into the VLAN whose VID is the currently configured PVID, and:

– The frame is accepted if this VID (besides being the PVID) is defined on the port

– The frame is discarded if this VID is not defined on the port (although it is the PVID)

• Ingress filtering may be turned OFF on General-mode ports, if so desired. Ingress filtering is ON by default.

• User can define whether to accepted only tagged frames or all frame types

Frame Classification Process

AT- 8000S VLAN – User Settings

• Device level setting (VLAN database context):– Creating/deleting VLANs on the system

• VLAN level settings (interface VLAN context) – Assigning the VLAN a name– Adding a static MAC entries to one of the VLANs ports– General interface commands (e.g: ip, igmp, etc - see other

presentations)

• Port level settings (interface Ethernet context) – Defining the port mode as general, trunk or access (the

default)– Defining access port’s current VLAN (PVID)

AT- 8000S VLAN – User Settings

• Port level settings (cont’)– Defining the “native” (pvid) Trunk mode port– Defining the PVID for General mode port– Adding/removing VLANs on a Trunk/General mode port– Define VLANs as tagged/untagged on general mode port– Defining a port as a forbidden port for a certain VLAN– Control ingress filtering of general mode port (Default=on)– Defining acceptable frame type for General Port (tagged only

or all)– Mapping MAC-groups to VID

VLAN

AT- 8000S CLI Configuration

VLAN Configuration - General

• Use the following Global Mode command to enter VLAN Database mode:

vlan database

• Example:– Enter VLAN Configuration Mode

console#

console# configureconsole(config)# vlan databaseconsole(config-vlan)#

Creating VLANs - Configuration

• Use the following VLAN Configuration Mode Command to create a new VLAN:

vlan vlan-range• To erase a VLAN use the “no” form of the command:

no vlan vlan-range• Example – creating VLANS with VID 2,3,100 and 101, and

then erasing VLAN 101

console(config-vlan)# vlan 2,3,100,101

console(config-vlan)# no vlan 101

VLAN parameters - Name

• To change a parameter of a specific VLAN enter the Interface VLAN Configuration Mode for that VLAN:

• Example – assigning the VID=2 the name “success” (Default name for a VLAN is the vlan tag):

console(config)# interface vlan 2

console(config-if)# name success

console(config-if)#

VLAN Port Mode - Configuration

• Use the following Interface Mode Command to define the “VLAN mode” (access/ general/ trunk) of a certain interface (Ethernet/Port Channel):

switchport mode { access | trunk | general }• Use the “no” form of the command to return to default (access

mode):no switchport mode

Note: Trunk and General Mode port can be changed to Access Mode only if all VLANs (except for an untagged PVID) were first removed

VLAN Port Mode - Configuration

• Example – defining a port as a General Mode port:

console(config)# interface ethernet 1/e11

console(config-if)# switchport mode general

Access Mode Port Configuration

• Use the following Interface Mode command to define a VLAN on a port in the access mode:

switchport access vlan vlan-id

• Example – defining VLAN 2 on access port 1/e12:


console(config-if)# switchport mode access

console(config-if)# switchport access vlan 2

Trunk Mode Port Configuration

• Use the following Interface Mode command to add/remove VLAN(s) to port in the Trunk mode:

switchport trunk allowed vlan {add vlan-list | remove vlan-list}• Example – adding VLANs 2,3 and 100 on Trunk port 1/e13:


console(config-if)# switchport mode trunk

console(config-if)# switchport trunk allowed vlan add 2-3,100

console(config-if)#


• Use the following command to set the native (PVID) VLAN on the port:

switchport trunk native vlan vlan-id

• If the port is already a member in the VLAN (not as a native), it should be first removed from the VLAN


• Example - native VLAN:– Defining VID=2 as native VLAN for port 1/e13 and

receiving system error notification– removing VID=2 from port 1/e13 and then setting it as

the native VLANconsole(config)# interface ethernet 1/e13

console(config-if)# switchport trunk native vlan 2

Port 1/e13: Port is Trunk in VLAN 2.

console(config-if)# switchport trunk allowed vlan remove 2


console(config-if)#

Trunk Port – tagged/untagged

• Example - VLAN on port untagged on input and untagged on output:

• Example - VLAN on port tagged on input and tagged on output:




console(config-if)#



console(config-if)# switchport trunk allowed vlan add 2

General Mode Port Configuration

• Use the following Interface Mode command to add VLAN(s) to a General Mode port:

switchport general allowed vlan add vlan-list [ tagged | untagged ]

Note!!! default is tagged

• To remove a VLAN(s) from the list:switchport general allowed vlan remove vlan-list


• Use the following command to set the PVID of a General Port:

switchport general pvid vlan-id

• Use the “No” command to revert to the default VLAN PVID:

no switchport general pvid

Note:The PVID can be either a VID defined on the port (tagged or untagged), or a VID not defined on the port or even on the system


• Example – General Mode port configuration– Adding VLANs 2&3 as tagged, and VLAN 100 as untagged to

to general mode port 1/e14– Defining VID 100 as the PVID – Reverting to the default PVID (VID=1)



console(config-if)# switchport general allowed vlan add 2-3 tagged

console(config-if)# switchport general allowed vlan add 100 untagged

console(config-if)# switchport general pvid 100

console(config-if)# no switchport general pvid

General Port – tagged/untagged

• Example - VLAN on port UNtagged on input and UNtagged on output:

• Example - VLAN on port UNtagged on input and tagged on output:








console(config-if)# switchport general allowed vlan add 2 tagged

General Port – tagged/untagged

• Example - VLAN on port tagged on input and tagged on output:

• Example - VLAN on port tagged on input and UNtagged on output:



console(config-if)# switchport general allowed vlan add 2 tagged




General Mode – Ingress Filtering

• Use the following command to disable ingress filtering on a General Mode VLAN port. Use the “no” form of the command to switch filter on:

switchport general ingress-filtering disable

no switchport general ingress-filtering disable

General Mode – Acceptable Frame Type

• Use the following Interface Mode command to discard untagged frames at ingress. Use the no form of the command to allow untagged frames at ingress (the default):

switchport general acceptable-frame-type tagged-only

no switchport general acceptable-frame-type tagged-only

Forbidding VLAN - Configuration

• Use the following Interface Mode command to forbid the definition of a specific VLAN (statically or dynamically) on a port (remove option – cancels the restrictions):

switchport forbidden vlan {add vlan-list | remove vlan-list}

• Note that the forbidden VLAN cannot be one that does not exist on the system, or one already define on the port


console(config-if)# switchport forbidden vlan add 2

VLAN 2: Port 1/e21 cannot be Egress and Forbidden.


VLAN 55: VLAN was not created by user.

console(config-if)#


VLAN Show Commands

• Use the following EXEC mode command to view entire device VLAN configuration:

show vlan

• Use the following EXEC mode command to show interfaces belonging to a specific VLAN on the device:

show vlan {tag vlan-id | name vlan-name}

VLAN Show Commands

• Example – Show VLAN device configuration:

console# show vlan

Vlan Name Ports Type Authorization

---- ----------------- --------------------------- ------------ -------------

1 1 1/e(1,10-12,15-24),ch(1-8) other Required

2 success 1/e(2-9,13-14) permanent Required

3 3 1/e(13-14) permanent Required


console#

VLAN Show Commands

• Example – Show ports on VLAN with tag=3:

• Example – Show ports on VLAN named success:

console# show vlan tag 3


---- ----------------- --------------------------- ------------ -------------


console# show vlan name success


---- ----------------- --------------------------- ------------ -------------

2 success 1/e(2-9,13-14) permanent Required

VLAN Show Commands

• Use the following EXEC mode command to show VLAN configuration (Mode, PVID and configured VLANs) for a specific port:

show interfaces switchport { ethernet interface | port-channel port-channel-number }

VLAN Show Commands• Example – VLAN details of port 1/e14:console# show interfaces switchport ethernet 1/e14

Port : 1/e14

Port Mode: General

Gvrp Status: disabled

Ingress Filtering: true

Acceptable Frame Type: admitAll

Ingress UnTagged VLAN ( NATIVE ): 100

Port is member in:

Vlan Name Egress rule Port Membership Type

---- -------------------------------- ----------- --------------------

2 success Tagged Static

3 3 Tagged Static

100 100 Untagged Static

---

-

Forbidden VLANS:

Vlan Name

---- --------------------------------

Classification rules:

Group ID Vlan ID

-------- -------

1 4

Adding a Static MAC Address

• Use the following VLAN interface mode command to add a static MAC entry to one of the ports in the VLAN:

bridge address mac-address {ethernet interface | port-channel port-channel-number} [permanent | delete-on-reset | delete-on-timeout | secure]

MAC Address format:H.H.H or H:H:H:H:H:H or H-H-H-H-H-H • User can define whether the entry will be:

– permanent– deleted after reset – aged out on time out – as with dynamic entries– Secure – entry is deleted if port mode changes to “ unlock”

(used when port is in locked mode)

Adding a Static MAC Address

• Note – The MAC addresses are added per VLAN, and not per device– The type of entry (permanent secure etc) has to be entered

before interface (if no type is mentioned default is permanent)– You can configure an address on a port even if it does not

belong to a VLAN

• The “no” form of the command deletes a static MAC entry from the table:

no bridge address [mac-address]

if no mac-address is specified in the command, all static entries are erased from the table

Example - Static MAC Addresses• Example – adding 3 static mac entries to VLAN 2:

– One permanent (default)– One to be deleted on reset– One (one a secure port) to be deleted when port is unlocked

Note: the error message

console(config)# interface vlan 2

console(config-if)# bridge address 00:11:22:33:44:55 ethernet 1/e10

console(config-if)# bridge address 00:11:22:33:44:55 permanent ethernet 1/e8

console(config-if)# bridge address 00:99:88:77:66:55 delete-on-reset ethernet 1/e7

console(config-if)# bridge address 00:99:88:77:44:33 secure ethernet 1/e5

VLAN:2, Port:1/e5 , Mac:00:00:99:88:77:44: : Port is not Locked, can't add Secure Address

Address Table Commands

• Use the following Global mode command to set the MAC table aging time (10-360 seconds).

bridge aging-time seconds

• Use the “no” format of the command to return to the default of 300 seconds:

no bridge aging-time

• Use the following EXEC mode command to remove learned addressed from the table:

clear bridge

Address Table Show Commands

• Use the following Privileged EXEC mode command to show the MAC address table of device :

show bridge address-table

• Use the following Privileged EXEC mode command to show addresses on specific VLAN:

show bridge address-table vlan vlan [ethernet interface | port-channel port-channel-number]

• Use the following Privileged EXEC mode command to show addresses on specific port:

show bridge address-table { ethernet interface | port-channel port-channel-number} [vlan vlan]

Example – Aging & Clear Bridge• Example – Showing address table, setting aging time to 100,

and clearing bridge from dynamic entries.

console# show bridge address-table

Aging time is 300 sec

Vlan Mac Address Port Type

------ --------------------- ------ --------------

2 00:10:a4:8f:ba:33 1/e8 dynamic

2 00:11:22:33:44:55 1/e8 static

2 00:99:88:77:44:33 1/e6 secure

2 00:99:88:77:66:55 1/e7 static

console# con

console(config)# bridge aging-time 100

console(config)# exit

console# clear bridge

console# show bridge address-table



------ --------------------- ------ --------------

2 00:11:22:33:44:55 1/e8 static

2 00:99:88:77:44:33 1/e6 secure

2 00:99:88:77:66:55 1/e7 static

console#


• Example – show MAC address entries for a specific port:

console# show bridge address-table ethernet 1/e13



---- ------------------- ---- ------------

3 00:10:a4:8f:ba:33 1/e13 dynamic


• Example – show MAC addresses for a VLAN:console# show bridge address-table vlan 2



------ --------------------- ------ --------------

2 00:11:22:33:44:55 1/e8 static

2 00:99:88:77:44:33 1/e6 secure

2 00:aa:bb:cc:dd:00 1/e9 static

console#


• Use the following Privileged EXEC mode command to show only static MAC entries:

show bridge address-table static

• Note that this option can be used to show (as in the general address table show command):– All static entries on device– Static entries on VLAN – Static entries on a certain Interface – Combination of specific VLAN and interface

Bridge (Address Table) Show Commands

• Example – show device static MAC address entries:

console# show bridge address-table static



------ --------------------- ------ ----------

2 00:11:22:33:44:55 1/e8 permanent

2 00:99:88:77:44:33 1/e6 secure

2 00:aa:bb:cc:dd:00 1/e9 delete-on-reset


• Use the following Privileged EXEC mode command to show number of MAC entries:

show bridge address-table count

• Note that this option can be used to show (as in the general address table show command):– All static entries on device– Static entries on VLAN – Static entries on a certain Interface– Combination of specific VLAN and interface

Bridge (Address Table) Show Commands

• Example – show device MAC address count:

console# sh bridge address-table count

Gathering data.

Capacity : 8192

Free : 8189

Used : 3

Secure : 1

Dynamic : 0

Static : 2

console#

Ghost VLAN SettingsFeature Commands Configuring on a

non existent VLANConfiguring on dynamic VLAN

Deletion of VLAN

Address table

Bridge address, bridge multicast, bridge multicast forward-all, bridge multicast forbidden forward-all

Impossible to enter the VLAN context.

Impossible Entry is removed.

VLAN properties

Name Impossible to enter VLAN context.


Port membership in VLAN

switchport access vlan, switchpoprt trunk allowed vlan, switchport trunk native vlan, switchport general allowed vlan, switchport forbidden vlan

Not allowed (except PVID of general mode)

Not allowed Entry is removed.

IGMP snooping

Ip igmp snooping Impossible to enter the VLAN context.


IP addressing

Ip address, ip address dhcp

Impossible to enter the VLAN context.

Impossible Not allowed

VLAN Configuration Examples

Internet

Example #1

PVID#2

PVID#3

Port 24PVID#100

Example #1. Requirements.

• All servers are connected to the dedicated VLAN with VID#100.

• There are two workgroups in the network (correspondently mapped to two VLANs – VID#2 and VID#3).

• No traffic is allowed between VID#2 and VID#3.

• Traffic from VID#2 and VID#3 is allowed to server and to the Internet.

• No traffic is allowed to/from the Internet from/to the Servers.

• Workstation NICs do not support VLAN tagging.

• Servers and Internet router support VLAN tagging.

Example #1 - Implementation.

Port# VLAN# PVID# Port Mode

1-3 2,3Tagged

100 Trunk

4-13 2, 100untagged

2 General

14-23 3, 100untagged

3 General

24 2,3Tagged

1 Trunk

Example #1 - CLIconsole(config)#

console(config)# vlan database

console(config-vlan)# vlan 2-3,100

console(config-vlan)# exit

console(config)# interface range ethernet 1/e1-3


console(config-if)# switchport trunk allowed vlan add 2-3


14-may-2003 19:12:43 %LINK-I-Up: Vlan 2

14-may-2003 19:12:43 %LINK-I-Up: Vlan 3

14-may-2003 19:12:43 %LINK-I-Up: Vlan 100

console(config-if)#

console(config)# in range ethernet 1/e4-13


console(config-if)# switchport general allowed vlan add 2,100 untagged

console(config-if)# exit

Example #1 - CLI Cont’



console(config-if)# switchport general allowed vlan add 3,100 untagged






console(config)#


console# show vlan


---- -------------------------------- --------------------------- ------------ ----------------

1 1 1/e(4-24),ch(1-7) other Required

2 2 1/e(1-13,24) permanent Required

3 3 1/e(1-3,14-24) permanent Required


Example #1 - CLI Cont’console# show interfaces switchport ethernet 1/e3

Port : 1/e3

Port Mode: Trunk

Gvrp Status: disabled

Ingress Filtering: true

Acceptable Frame Type: admitAll

Ingress UnTagged VLAN ( NATIVE ): 100

Port is member in:

Vlan Name Egress rule Port Membership Type

---- -------------------------------- ----------- --------------------

2 2 Tagged Static

3 3 Tagged Static

100 100 Untagged Static

……

Example #2.

AT- 8000S actingas a L2 switch

LAG#1 Multimedia Server

FTP Server

WEB ServerWindows

LAG#2

…

Layer 2/3/4 switch

Layer 2/3/4 switch

Layer 2 switch

Example #2 - Requirements.

• All servers are connected to the Layer 2 switch (Server’s aggregator)

• There are 4 workgroups in the network (correspondently mapped to 4 VLANs – VID#2 through VID#5).

• No traffic is allowed among VLANs.

• AT- 8000S Device is connected through two L2 LAGs (LAG#1 and LAG#2) to the Layer 2/3/4 switches.

• All VLANs have access to Servers.

• All NICs don’t support VLAN tagging

Example #2 - Implementation

Port VLAN PVID Port Mode

1-4 2 2 Access

5-8 3 3 Access

9-12 4 4 Access

13-16 5 5 Access

17-24 Default Default Access

LAG1 (17-20) 2,3 Tagged 1 Trunk

Lag2 (21-24) 4,5 Tagged 1 Trunk

Example #2 - CLIconsole(config)# vlan database

console(config-vlan)# vlan 2-5

console(config-vlan)# exit






15-Jun-2003 11:40:45 %LINK-I-Up: Vlan 3




15-Jun-2003 11:41:11 %LINK-I-Up: Vlan 4




15-Jun-2003 11:42:24 %LINK-I-Up: Vlan 5




console(config-if)# channel-group 1 mode on

15-Jun-2003 11:43:20 %TRUNK-I-PORTADDED: Port 1/e17 added to ch1




15-Jun-2003 11:43:21 %LINK-I-Up: ch1



console(config-if)# channel-group 2 mode on


15-Jun-2003 11:44:13 %LINK-I-Up: ch2






console(config)# interface port-channel 1




console(config)# interface port-channel 2




console(config)#

Example #2 - CLI Cont’console# show vlan

Vlan Name Ports Type Authorization---- -------------------------------- --------------------------- ------------ ----------------

1 1 ch(1-7) other Required

2 2 1/e(1-4),ch1 permanent Required




console#

VLAN

Troubleshooting

General Switch Issues

Problems reported by customers are usually related somehow to common connectivity issues (two PCs can’t communicate within the VLAN, PC connected to the device doesn’t have access to the Internet or to the centrally located database and so on).The following list presents the typical connectivity problems within the VLANs• Port connectivity issues• Hardware issues• Configuration issues

– Port configuration issues– Port mode configuration issues– Port status issues– 802.1q

• RSTP/STP issues• Access Control and Security issues• LAG issues• Management issues

Possible problem

Problem description

Solution

There is no traffic through the port within the VLAN

Port within the VLAN doesn’t transmit data

1. Use show vlan command to check whether the port belongs to the VLAN.

2. Check whether the port is configured for LAG on both sides of LAG. If on the other side it is not configured for LAG, it can cause the RSTP/STP processes to block the port on the side of LAG. Use show interface switchport port-channel to check whether port belongs to LAG or not.

3. Use the show interfaces status command to check whether there is a mismatch in the port duplex mode configuration - full duplex side thinks that it can send whenever it wants to, but the half duplex side expects packets only at certain times, not at any time.

4. Use show interfaces status to check whether the port is disabled by port security. One of the action modes is “discard-shutdown”. Port security violation blocks automatically a traffic through the port.

Possible problem

Problem description

Solution

There is no traffic through the port within the VLAN

Port within the VLAN doesn’t transmit data

5. Use show spanning-tree ethernet command to check what is the spanning tree port status.

6. In RSTP mode, according to the standard, edge ports are not involved in the RSTP processes. However, if the edge ports received a BPDU (for some reason) it will participate in the STP and may be blocked.

Port can’t be assigned to a VLAN

Port can’t be assigned to VLAN neither through ASCII terminal (telnet) nor through the EWS

1. Use show interfaces port-channel to check whether port belongs to LAG or not.

2. Use show ip interface to check whether port is dedicated for management (for adding untagged VLAN).

3. Use show interface switchport ethernet to check port properties. Verify that port is not forbidden from being a member of that VLAN

4. Trunk port’s native VLAN can’t be added as a tagged VLAN to the port.

5. Use show ports monitor command to check whether the port is a target (mirror) port.

Port Connectivity TroubleshootingHardware Problems.

• CLI shows the port state – up and down either via ASCII terminal or Telnet.

• CLI command “show interface status” - displays current status of the port.

• A link light doesn’t guarantee that the cable is fully functional.• Remove the cable from the port and re-insert it – be sure that traps

are sent to the ASCII terminal or telnet terminal.• Sometimes a cable appears to be seated in the jack, but actually it

is not – unplug the cable and re-insert it.• If, after all the above mentioned, the port doesn’t come up, it is

recommended to check the cable with the cable tester. • Another reason to consider is SW shut down of the port (port

security or ACL port disabled option in other types of devices)

Troubleshooting Security Problems

• Unfortunately, security problems in the modern networks are very common today.

• Network managers are making big efforts to protect networks from internal and external attacks.

• According to the last researches, over 70% of the intrusions in the network are internal.

• In addition to the standard list of a well known internal network intrusions we would like to point out the following ones:– changes in the running and start-up configurations:

• Port configuration• IP interface configuration• RSTP/STP configuration• VLAN configuration and so on

– changing password for the ASCII terminal and telnet access– changes in the access control and security– uploading/downloading new software images– uploading/downloading new system configurations– system reload/reboot either through ASCII terminal and

CLI/Debug CLI or telnet– erasing device configuration– erasing software image

Troubleshooting Security Problems

How to Troubleshoot Hackers Attacks?

• Constantly change passwords and User Names• Periodically monitor telnet sessions• Secure the management port, allow management and control

from dedicated PCs only.

At8000 s configurando vla_ns

Technology

Transcript of At8000 s configurando vla_ns