Access Switching - Curso
Uploaded by Alberto Isturiz

OMNISWITCH R6/R7/R8

ACCESS SWITCHING - ISSUE 08


PARTICIPANT'S GUIDE
OMNISWITCH AOS R6/R7/R8

OmniSwitch Series Overview 6250/6450/6850/6860/6900


LAN Portfolio Description OS 6250/6450/6850/6860/6900
Agenda
 Product Overview
 Stackable switch
 Hardened Access Switch

 Characteristics

 Supported Features

 Market Positioning
AOS Software Evolution Releases: AOS R6

OS-6450 / OS-6250 (2012-2013):
 6.6.3.R01 (May-12): User Network Profile, DHL Active-Active, VRRP
 6.6.4.R01 (Jun-13): 6450L, 6450-24/48 Remote Stacking, DHCP Server

OS-6400 / OS-6855 / OS-6850E / OS-9000E (2013):
 6.4.5.R02 (Jan-13): ERPv2, Kerberos snooping, SIP snooping, MC-LAG on OS9000E
 6.4.6.R01 (Nov-13): 6850E Split Stack Protection, BYOD, mDNS Relay
AOS Software Evolution Releases
AOS R6 Software Evolution (OS6250, OS6450)

AOS 6.6.4
• OS6450L license upgrade
• Remote Stacking (24 and 48 port models only)
• OS6450-10 stacking to 4 units
• Fast take over in Stack Mode
• PoE Link layer classification
• DDM (Digital Diagnostics Monitoring)
• Stack Split Protection
• TDR Capability (Time Domain Reflectometry)
• Posture Check
• Support of IEEE 802.3az (Energy Efficient Ethernet)
• DHCP Server on 6250\6450
• Storm Control Options
• Improved Layer 2 Multicast Re-convergence after takeover
• Add support of DHCP vendor class and switch type
• Preference to an OXO DHCP server
• LPS Sticky mode

AOS 6.6.4 New Hardware
• OS6450-24L
• OS6450-P24L
• OS6450-48L
• OS6450-P48L

AOS 6.6.5
• mDNS relay for Apple TV/AirPrint
• BYOD and External Captive Portal
• ClearPass Integration
• OpenFlow 1.0 and 1.3.1
• IPv6 Certification
• RFC 1588 v2 – Precision Time Protocol
• Multiple VLAN Registration Protocol (MVRP)
• Per port rate limiting for port group
• OmniSwitch 6450-P10S
• OmniSwitch 6450-U24S
• SFP-GIG-T
AOS Software Evolution Releases
R6 Software Evolution (OS6250, OS6350, OS6450)

AOS 6.7.1
OS6250/6450
• Monitor Interswitch Stack Connection
• Prioritization of ERP Packets
• CPE Test Head enhancements
OS6250/6350/6450
• IPv6 Supported RFC / IPv6 Phase 2
• IPv6 Security Source Guard
• IPv6 Security RA Guard
• IPv6 DHCP Relay
• IPv6 DHCP Snooping and Remote Circuit ID
• RCL – DHCP Server Priority
• Critical Voice VLAN when Radius is down

AOS 6.7.1 New Hardware


OS6350-24
OS6350-P24
OS6350-48
OS6350-P48
AOS Software Evolution Releases: AOS R7 (OS-6900, OS-10k)
 7.3.1.R01 (Sep-12)
 7.3.2.R01 (Jun-13): 6900-T20, Dynamic Auto Fabric, FIP Snooping, Application Fingerprinting
 7.3.3.R01 (Jan-14)
 Features introduced across 7.3.1.R01 and 7.3.3.R01: ERPv2, FCoE, VRF, VC of 6, Data Center OS-6900 (SPB, DCB, EVB), OpenFlow

AOS Software Evolution Releases: AOS R8 (OS-6860)
 8.1.1.R01 (May-14): Virtual Chassis, Access Guardian 2.0, OpenFlow

LAN OmniSwitch Family

Edge: entry level stackable L2+
 OmniSwitch 6250: AOS L2+ Basic L3, FE
 OmniSwitch 6450: AOS L2+ Basic L3, GE, 10G uplinks
 OmniSwitch 6350: AOS L2+ Basic L3, GE
 Virtual chassis, PoE, 10/100, 1000 and fiber, basic routing, green energy

Aggregation: advanced stackable L2-L3
 OmniSwitch 6850E: Advanced AOS L3
 OmniSwitch 6855: AOS Advanced L3
 OmniSwitch 6860: AOS Advanced L3
 Virtual chassis, advanced routing, 10/100/1000, 10Gig, IPv4/IPv6, PoE, copper & fiber, green energy

Core: high end modular core, aggregation and data center switches L2-L3
 OmniSwitch 6900: AOS Advanced L2-L3, DC TOR 10/40 GE
 OmniSwitch 10K: high end modular core & aggregation, AOS Advanced L2-L3, 10/40 GE
 OmniSwitch 9000E: modular chassis, AOS Advanced L3, 10GE aggregation/core
 High availability, high performance, 10Gig high density, VRF, MPLS, VPLS, Virtual Chassis, MC-LAG, I.S.S.U, green energy
OMNISWITCH 6250
OmniStack 6250
Positioning in the Stackable portfolio

Large
 OmniSwitch 6850E: 24/48, 24/48 POE; Advanced AOS L3 GE
 OmniSwitch 6850E-X: E24X/E48X, E24X/E48X POE+, EU24X fiber; Advanced AOS L3 GE with 10G
 OmniSwitch 6855: 12/24 (4 POE), U10/U24; Advanced AOS L3 GE, hardened
Medium
 OmniSwitch 6450: 10/P10/10L/P10L; AOS L2+ Basic L3 GE with 10G
 OmniSwitch 6450: 24/P24/24L/P24L, 48/P48/48L/P48L; AOS L2+ Basic L3 GE with 10G
Small
 OmniSwitch 6250: Enterprise 24 ports POE+, Metro 8/24 ports; Value AOS L2+ FE (AOS R6)

Chart axis (left to right): 10/100, Gig, Gig w/ 10G, Hardened
OmniSwitch 6250
L2+ Fast Ethernet Stack
 AOS L2+ Key features
 AOS software based
 L2+ = Full L2 and Static/RIP routing
 AOS Management and OmniVista full support
 Wire-speed first packet classification and processing
 Full L2+ for Ethernet Access services
 Vlan Stacking, Ethernet OAM, ERP, IPMVLAN
 Edge security with Access Guardian, DHCP snooping, LPS…
 HDMI stacking bus
 802.3at hot swappable power supplies
 Eco-friendly design (power, noise, dimensions)
 Unique 8.5” wide (half a rack)
(Illustration: Virtual Chassis)

Small and Medium sized Enterprise (SME)
Metro Ethernet Access
Residence and business deployments
Carrier Ethernet (e.g., Telco, CityNets, Metro access)
OmniSwitch 6250 Models

OmniSwitch 6250   Distribution Ports (Nbr / type)   Combo SFP/RJ45   Stack   Power Supply   Backup Power Supply
24                24 / 10/100                       2                2       42             External
P24               22 / 10/100 POE+                  2                2       225            External
8M                8 / 10/100                        4                2       42             External
24M               24 / 10/100                       4                2       42             External
24MD              24 / 10/100                       4                2       30 DC          External

OmniSwitch 6250
Stacking
 Enterprise
 HDMI ports
 2 x 2,5 Gigabit stacking links
 30/60/150 centimeters
 Up to 8 chassis in a stack
 192 FE ports
 16 GE ports
 PoE and non-PoE can be mixed
 Stack element number identified by port LEDs by pressing PB

 Metro
 SFP+
 Interfaces for additional Gigabit uplinks or stacking capability
 30/60/150 centimeters
 Up to 2 chassis in a stack
 48 FE ports
 4 GE ports
 Stack element number identified by software, configurable
OMNISWITCH 6350
OmniStack 6350 - Positioning in the Stackable portfolio

Same positioning chart as shown under OmniSwitch 6250 (Large: 6850E, 6850E-X, 6855; Medium: 6450; Small: 6250), with the OmniSwitch 6350 added in the Small segment:
 OmniSwitch 6350: 24/P24/48/P48; Value AOS L2+ GE (AOS R6)

OmniSwitch 6350 Gigabit Ethernet Switch
 Four fixed configurations (24-/48-ports, with/without PoE)
 ALE OS software based (6.7.1)
 Supports Gigabit RJ-45 access and up to four dedicated Gigabit SFP uplinks
 Fixed internal power supply, no backup power supply
 PoE models are IEEE 802.3af and IEEE 802.3at compliant
 Configurable per-port PoE priority and max power
 Efficient power management and low power consumption
(Illustrations: OmniSwitch 6350-24, OmniSwitch 6350-P24, OmniSwitch 6350-48, OmniSwitch 6350-P48)

 Set of features for the SMB Market:
 Advanced L2 features with basic L3 routing for both IPv4 and IPv6
 Simplified VoIP deployments using the advanced Auto-QoS feature
 Eight hardware-based queues per port for flexible QoS management
 Edge security with Access Guardian, DHCP snooping, LPS and UNP
 Auto-configurable via OmniPCX Office
 LLDP with MED extensions for automated device discovery

Small business network solutions
Edge of small-to-mid-sized networks
Branch office and campus workgroups
OmniSwitch 6350 - Models

Model        10/100/1000 RJ-45 ports   Fixed 1G SFP ports   Power Supply Primary / Backup   Fan (Variable Speed)   System Power Consumption
OS6350-24    24                        4                    Internal / -                    Fanless                24W
OS6350-P24   24                        4                    Internal / -                    3 fans                 30W
OS6350-48    48                        4                    Internal / -                    1 fan                  50W
OS6350-P48   48                        4                    Internal / -                    4 fans                 58W

Power Supply Specifications

Model        Nominal Input Voltage   Output Voltage      Wattage   PoE Power Budget   Power Supply Efficiency
OS6350-24    90-220 V AC             12 V DC             30 W      N/A                80%
OS6350-P24   90-220 V AC             12 V DC / 54 V DC   525 W     380 W              85%
OS6350-48    90-220 V AC             12 V DC             60 W      N/A                87%
OS6350-P48   90-220 V AC             12 V DC / 53 V DC   900 W     780 W              85%
OMNISWITCH 6450
OmniStack 6450
Positioning in the Stackable portfolio: Medium segment of the stackable portfolio (same positioning chart as shown under OmniSwitch 6250).

OmniSwitch 6450-10 Gigabit Ethernet Switch
Overview
 L2+ = Full L2 and Static/RIP routing
 OS6450-10
 8 - Gigabit RJ45
 2 - Gigabit RJ45/SFP combo
 2 - SFP GigE uplink ports
 OS6450-10L/P10L
 Lite models software upgradable 10/100 to GigE
 License OS6450-10L-UPGD
 OS6450-P10/P10L
 Delivering 802.3at PoE
 80W POE budget

 Metro Ethernet features enabled by License
 License OS6450-SW-ME
 Stacking up to 4 units
 Built-in SFP stacking ports
 Internal AC power supply
 No power redundancy
 Fanless
 1RU x ½ rack width form factor

Classroom and workgroup networks
Small enterprise or branch office networks
Commercial and residential managed services
OmniSwitch 6450-24/48 Gigabit Ethernet Switch
Overview
 Stacking from 24 to 384 gigabit ports and 16 10GigE ports
 Optional SFP+ stacking module
 L2+ = Full L2 and Static/RIP routing
 Wire-speed first packet classification and processing
 Optional Metro Services feature license for service provider deployments
 License OS6450-SW-M
 Support for IEEE 802.3af / IEEE 802.3at-compliant PoE
 Internal AC or DC redundant power supplies
 AOS Management and OmniVista full support

Edge workgroups for Small, Mid-sized business
Business Metro Ethernet CPE
IP convergence in Branch offices
OmniSwitch 6450-24/48 Gigabit Ethernet Switch
Models
 OS6450-24/24L/P24/P24L
 24 10/100/1000 ports
 Lite (L) model: 10/100 RJ-45 non-combo ports upgradable to support 10/100/1000 (*)
 2 Fix SFP/SFP+ GE ports upgradable to 10G (**)
 IEEE 802.3at POE ports
 Expansion module

 OS6450-48/48L/P48/P48L
 48 10/100/1000 ports
 Lite (L) model: 10/100 RJ-45 non-combo ports upgradable to support 10/100/1000 (*)
 2 Fix SFP/SFP+ GE ports upgradable to 10G (**)
 IEEE 802.3at POE ports
 Expansion module

 OS6450-U24
 22 100/1000 BaseX ports
 2 Combo ports 10/100/1000 BaseT-SFP
 2 Fix SFP/SFP+ GE ports upgradable to 10G (*)
 Expansion module

* Optional 1G RJ45 ports license option (OS6450-24/48L-UPGD)
** Optional 10GigE uplink license option (OS6450-SW-PERF)
OmniSwitch 6450
Models

Model         10/100/1000 RJ-45 ports   10/100/1000 & SFP combos   Fixed (1G/5G) SFP ports   Module Slot   Stacking   Power Supply Primary / Backup
OS6450-10L    8                         2                          2                         No            -          Internal / -
OS6450-P10L   8                         2                          2                         No            -          Internal / -
OS6450-10     8                         2                          2                         No            -          Internal / -
OS6450-P10    8                         2                          2                         No            -          Internal / -

Model            10/100/1000 RJ-45 ports   10/100/1000 & SFP combos   Fixed (1G/10G*) SFP+ ports   Module Slot   Stacking Options   Power Supply Primary / Backup
OS6450-24 (L)    24                        0                          2                            Yes           10G SFP+           Internal / Internal
OS6450-P24 (L)   24 (802.3at POE)          0                          2                            Yes           10G SFP+           Internal / External
OS6450-48 (L)    48                        0                          2                            Yes           10G SFP+           Internal / Internal
OS6450-P48 (L)   48 (802.3at POE)          0                          2                            Yes           10G SFP+           Internal / External
OS6450-U24       22 SFP 100/1000           2                          2                            Yes           10G SFP+           Internal / Internal

(*) Requires OS6450-SW-PERF license to enable 10GigE operation
(*) Requires OS6450-SW-ME license to enable Metro Service Features
OmniSwitch 6450-(P) 24/48
Expansion module & Backup Power supplies
 Optional Expansion module
 Located on back of unit
 2 port 10G SFP+ stacking module (OS6450-XNI-U2)
 2 port gigabit SFP fiber uplink module (OS6450-GNI-U2)
 2 port gigabit RJ-45 copper uplink module (OS6450-GNI-C2)
 OS6450-CBL-xM
 Direct SFP+ Stacking copper cable: x=1m/3m/7m

 Backup Power Supplies

Model          Description                     For
OS6450-BP      90W AC backup power supply      OS6450 Non-POE
OS6450-BP-D    90W DC backup power supply      OS6450 Non-POE
OS6450-BP-PH   550W AC backup power supply     OS6450-P24
OS6450-BP-PX   900W AC backup power supply     OS6450-P48

OmniSwitch 6450-(P) 24/48
Hardware in brief
(Annotated front and rear views)
 24 or 48 gigabit ports (PoE/PoE+ on “P” models)
 2 gigabit SFP+ ports (upgradeable to 10Gb)
 P48: 780W PoE budget
 P24: 390W PoE budget
 Expansion slot: OS6450-XNI-U2 2xSFP+ 10G (stacking only), or OS6450-GNI-U2 2xSFP 1G, or OS6450-GNI-C2 2xRJ45 1G
 Internal main power supply
 PoE models: external BPS
 Non-PoE models: slide-in BPS

OS6450
Supported SFPs
 10 Gigabit SFP+ Transceivers
 SFP-10G-ER - reach of 40km over SMF (1550nm) with an LC connector
 SFP-10G-LR – reach of 10K over SMF (1310nm ) with an LC connector
 SFP-10G-LRM - reach of 220m over MMF FDDI-grade (62.5 μm)(1310nm )with an LC connector
 SFP-10G-SR - reach of 300m over MMF (850nm) with an LC connector
 SFP-10G-C1M - 10 Gigabit direct attached copper cable (1m, SFP+)
 SFP-10G-C3M - 10 Gigabit direct attached copper cable (3m, SFP+)
 SFP-10G-C7M - 10 Gigabit direct attached copper cable (7m, SFP+)

 Gigabit SFP Transceivers


 SFP-GIG-EXTND - up to 2 km on 62.5/125 μm MMF and 50/125 μm MMF
 SFP-GIG-LH40 - reach of 40 Km on 9/125 μm SMF
 SFP-GIG-LH70 - reach of 70 Km on 9/125 μm SMF
 SFP-GIG-LX - reach of 10 Km on 9/125 μm SMF
 SFP-GIG-SX - reach of 300m on 62.5/125 μm MMF or 550m on 50/125 μm MMF
 SFP-GIG-T - Supports category 5, 5E, and 6 copper cabling up to 100m
 SFP-GIG-BX-D - for use over SMF optic on a single strand link up to 10 km
 SFP-GIG-BX-U - for use over SMF optic on a single strand link up to 10 km

 100 Mb SFP Transceivers


 SFP-100-BX20LT - for use over SMF optic on a single strand link up to 20KM
 SFP-100-BX20NU - for use over SMF optic on a single strand link up to 20KM
 SFP-100-LC-MM – for use over MMF for distances between 300-2000 meters
 SFP-100-LC-SM15 – for use over SMF optic cable up to 15KM
 SFP-100-LC-SM40 – for use over SMF optic cable up to 40KM
OMNISWITCH 6850E
OmniSwitch 6850E
Positioning in the Stackable portfolio: Large segment of the stackable portfolio (same positioning chart as shown under OmniSwitch 6250).
OmniSwitch 6850E
Overview
 Standalone switch
 24 and 48 1GigE ports with 10GigE interfaces
 Optional 10G SFP+ ports plug-in module in a dedicated slot
 Wire rate, non blocking
 IEEE 802.3af/at compliant PoE (30W)
 Dynamic power allocation
 Priority power assignment in low power conditions
 802.3af (15.4W) on all 48 ports simultaneously
 802.3at (30W) on 25 ports simultaneously
 Modular AC and DC power supplies
(Illustrations: OmniSwitch 6850E-24X, OmniSwitch 6850E-48X)

At the edge of mid to large size enterprise networks
Aggregation layer and small enterprise core
Metro Ethernet (Ethernet Access, Multi-dwelling, CPE)
Top of rack switch for 1G servers in Data Center
OmniSwitch 6850E
Models

Model          10/100/1000 RJ-45 ports   1 Gig SFP ports   10Gig SFP+ fixed stacking ports   10Gig SFP+ plug-in ports   Max # 802.3af ports   Max # 802.3at ports (@30W)
Non PoE Models
OS6850E-24     24                        4*                2                                 -                          *                     *
OS6850E-24X    24                        4*                2                                 2                          *                     *
OS6850E-48     48                        4*                2                                 -                          *                     *
OS6850E-48X    48                        2*                2                                 2                          *                     *
OS6850E-U24X   2*                        24                2                                 2                          *                     *
PoE Models
OS6850E-P24    24                        4*                2                                 -                          24 (510W PSU)         24 (900W PSU)
OS6850E-P24X   24                        4*                2                                 2                          24 (510W PSU)         24 (900W PSU)
OS6850E-P48    48                        4*                2                                 -                          48 (900W PSU)         25 (900W PSU)
OS6850E-P48X   48                        2*                2                                 2                          48 (900W PSU)         25 (900W PSU)

P = PoE
H = High-POE PS
X = 10G SFP+ slots
OmniSwitch 6850E
Stacking
 All of the models in the 6850E family are stackable

 Characteristics
 Dedicated 40 Gigabit stacking links on each model
 Up to 8 switches in a stack
 384 Gigabit ports
 16 10 Gig ports
 PoE and non-PoE can be mixed
 Stack module IDs are set using CLI and displayed on the panel
 Each module in the stack is capable of acting as Primary

 Benefits :
 Acts as an OS-9000E chassis
 Virtual chassis, single IP for management
 Primary, secondary, idle and pass-through elements in the stack
 Smart Continuous Switching
 Link aggregation (OmniChannel or LACP) distributed over different units
OmniSwitch 6850E
Stacking
 Stacking is provided by either using the CX4 stacking cables or the SFP+ module
 Maximum number of units in stack is 8
 384 Gig ports / 16 10Gig SFP+ ports

 CX4 module (default shipping)
 Default stacking: CX4 stacking connectors
 Stacking with OS6850 and other OS6850E having a CX4 module
 OS6850-CBL-xx where xx = 30, 60 or 150 cm

 SFP+ module (copper or fiber)
 Replaceable by OS6-XNI-U2 (SFP+ stacking connectors) for remote stacking
 Remote stacking (up to 10km) is supported when using SFP+ plug-in module
 A reboot is required to activate the SFP+ interfaces in stacking mode
OmniSwitch 6850E
Power Supplies
For Non-PoE models (6850E-24, 6850E-24X, 6850E-48, 6850E-48X):
• 120W DC
• 126W AC
For PoE models (6850E-P24, 6850E-P24X, 6850E-P48, 6850E-P48X):
• 360W AC
• 510W AC
• 900W AC

 Main power supply is external to the box (rear of the unit)
 Power shelf used to hold either
 one 510/900W PS (one 510W AC taking the whole shelf)
 or two 360W PS (one 120/126/360 in a half shelf)
 2 PS connection options
 Directly pluggable in the back of the unit
 Attached with a cable for 2U configuration
(Illustrations: P48X with 510W PS; 48X with 126W AC PS)
OmniSwitch 6850E
Backup Power Supplies

OS6850E-BP     AC 126 W Backup Power Supply
OS6850E-BPD    DC 120 W Backup Power Supply
OS6850E-BPP    Standard POE 360W Backup Power Supply
OS6850E-BPPH   High POE 510W Backup Power Supply
OS6850E-BPPX   High POE 900W Backup Power Supply for P48 model

PoE capacity
Power supply             Global power   POE Capacity
Main PS (360/510/900W)   360W AC        240W
Main PS (360/510/900W)   510W AC        390W
Main PS (360/510/900W)   900W AC        780W
Backup PS (510/900W)     360W AC        240W
OMNISWITCH 6855
OmniSwitch 6855
Hardened LAN Access Switch
 Industrial, ruggedized L2/L3 GigE
 Designed for Harsh Environment Operations

 Benefits
 Highest hardened port density ( up to 24 GigE) with throughput up to 35.7 Mpps
 High performance – full forwarding rate on all ports
 OS6850E AOS features supported
 L3 features set with IPv4 and IPv6
 POE power option (4 ports)
 Fully integrated into OmniVista
 Designed with redundancy and availability in mind
 External, hot-swappable, redundant AC and DC power supplies
 Redundant fan operation for the 24 port models

AOS R6
Defense, Energy, Utilities, Transportation
Outdoor deployment (cabinet)
OmniSwitch 6855
Model description

OmniSwitch 6855   Max 10 Gigabit Ethernet   Max 10/100/1000 Base-T RJ-45 connectors   Max Combo Copper connectors   Max SFP connectors   POE             Stacking
OS6855-U10        0                         8                                         2                             -                    0               N
OS6855-14         0                         12                                        -                             2                    4 first ports   N
OS6855-P14        0                         12                                        -                             2                    12              N
OS6855-24         0                         20                                        4                             4                    4 first ports   N
OS6855-U24X       2                         2                                         2                             24                   0               Y
OmniSwitch 6855-U24X
Model description and port options
 22 hot-pluggable SFP ports plus 2 combo ports individually configurable
 10/100/1000Base-T or 1000Base-X/100Base-FX
 2 x 10G SFP+ ports for stacking or uplink ports (default)
 Can stack 4 units with copper or fiber links
 Copper
 30cm, 3m, 10m
 Fiber
 Remote stacking with 10 km between two units & 40 km covered with 4 units in a stacking loop
 Fanless design

(Illustration: 2 10G SFP+ ports used as stacking or uplinks, with a choice of either 10G uplinks or stacking (SFP+ connectors); power supply connectors: two DB-25 connectors for primary and redundant power supplies)
OmniSwitch 6855
Power Supply Options
 OS6855-14, OS6855-P14 and OS6855-U10
 Power supplies in the form of a power brick
 A power supply shelf that can hold primary and backup PS is provided
 Primary and backup power supplies are external and hot swappable
 Power options: 24V, -48V DC and AC

 OS6855-24, OS6855-U24X
 Either directly pluggable in the back of the unit or remotely connected to the unit through a cable
 Primary and backup power supplies are external and hot swappable
 A power supply shelf can hold primary and backup PS
 Power options: 24V, -48V DC and AC

Power bricks
OS6855-PSS       Power brick AC PSU for system power; 40W, 12V, AC-DC
OS6855-PSS-P     Power brick AC PSU for PoE only; 66W, 48V, AC-DC
OS6855-PSS-D     Power brick DC PSU for system power; 40W, 24V-48V, DC-DC
OS6855-PSS-P-D   Power brick DC PSU for PoE only; 66W, -48V, DC-DC
OS6855-PSSPH     Power brick AC PSU for PoE only; 66W, AC

OS6855 PSUs
OS6855-PSL       OS6855 PSU 80W, 12V, AC-DC
OS6855-PSL-P     OS6855 PSU 160W, 48V/12V/POE, AC-DC
OS6855-PSL-D     OS6855 PSU 80W, 48V/12V, DC-DC
OS6855-PSL-DL    OS6855 PSU 80W, 24V/12V, DC-DC

(Illustration: Redundant System and PoE Power Supplies - Side Mount)
OmniSwitch 6855
Over temperature condition
 Operating environment
 Storage temp: -45° to 85°C (-60° to 210°F)
 Operating temp: -40° to 75°C (70°C for the smaller models)
 Ambient relative humidity 5% to 95% non condensing
 Suitable for sheltered type of installations not requiring heated or cooled enclosures
 Hardware protection to shut down the box automatically if critical ambient temperature is reached
 Automatically turns the box on when temperature cools down
 Fans on the 24 port models are turned on only when critical ambient temperature is reached

                                   OS6855-U10/OS6855-14   OS6855-U24/OS6855-24
Shutdown temperature               73C                    78C
Warning temperature (interrupt)    71C                    76C
Automatic Recovery temperature     60C                    65C
Fan turn on temperature            -                      50C
Fan turn off temperature           -                      35C
OMNISWITCH 6860/6860E
OmniSwitch 6860 (AOS R8)
 256G wire rate engine
 Deep Packet Inspection and Application Monitoring
 Coprocessor for enhanced network services
 OS6860E model only
 Virtual Chassis support
 Comprehensive user and device authentication and access control
 Enables deployment of an advanced and secure BYOD services
 PoE+ on all ports
 Up to 60W of PoE
 First 4 ports on OS6860E
 Energy Efficient Ethernet (EEE)
 SDN ready
 Data center/IT friendly
 All ports, including stack in the front
 Front to back cooling
 BlueTooth management port

(Diagram: Application Fingerprinting: Applications Discovery (up to 1,000 signatures); Policy Enforcement; Wire-rate Application Match (up to 100 signatures); SDN Inside)
OmniSwitch 6860/E
OmniSwitch 6860 Models (AOS R8)

OS6860-24
 24 x 10/100/1000 BaseT port
 4 fixed SFP+ (1G/10G)
 2 VFL QSFP+ ports (20G each)
 AC and DC power supply

OS6860-48
 48 x 10/100/1000 BaseT port
 4 fixed SFP+ (1G/10G)
 2 VFL QSFP+ ports (20G each)
 AC and DC power supply

OS6860-P24
 24 x 10/100/1000 BaseT POE port
 4 fixed SFP+ (1G/10G)
 2 VFL QSFP+ ports (20G each)
 600W AC power supply

OS6860-P48
 48 x 10/100/1000 BaseT POE port
 4 fixed SFP+ (1G/10G)
 2 VFL QSFP+ ports (20G each)
 920W AC power supply

OmniSwitch 6860E Enhanced Models (AOS R8)

OS6860E-24
 24 RJ-45 10/100/1000 BaseT ports
 4 fixed SFP+ (1G/10G)
 2 VFL QSFP+ ports (20G each)
 AC and DC power supply

OS6860E-48
 48 x 10/100/1000 BaseT ports
 4 fixed SFP+ (1G/10G)
 2 VFL QSFP+ ports (20G each)
 AC and DC power supply

OS6860E-U28
 28 x 100/1000 Base-X SFP ports
 4 fixed SFP+ (1G/10G)
 2 VFL QSFP+ ports (20G each)
 AC and DC power supply

OS6860E-P24
 24 x 10/100/1000 BaseT POE ports
 4 fixed SFP+ (1G/10G)
 2 VFL QSFP+ ports (20G each)
 600W AC power supply

OS6860E-P48
 48 x 10/100/1000 BaseT POE ports
 4 fixed SFP+ (1G/10G)
 2 VFL QSFP+ ports (20G each)
 920W AC power supply
OmniSwitch 6860 and 6860E
Differences
 Features only available on the enhanced models
 Specialized built-in co-processor board
 Used for running additional applications
 With AOS 8.1.1 the Application Monitoring / Fingerprinting function will run on it
 A separate LED (OK2) on the front of the chassis indicates the status of the co-processor board

 The first 4 ports on OS6860E only can deliver up to 60W of PoE per port
 These ports are clearly marked on the switch overlay

 Only the enhanced models have EMP port at the back


OmniSwitch 6860
Product Family Overview

Model         User ports   SFP+ uplinks   20G Stack   DPI HW   App. Monitoring   60W PoE   EMP
OS6860-24     24           4              Yes         Yes      No                n/a       No
OS6860-P24    24 PoE       4              Yes         Yes      No                No        No
OS6860-48     48           4              Yes         Yes      No                n/a       No
OS6860-P48    48 PoE       4              Yes         Yes      No                No        No
OS6860E-24    24           4              Yes         Yes      Yes               n/a       Yes
OS6860E-P24   24 PoE       4              Yes         Yes      Yes               Yes       Yes
OS6860E-48    48           4              Yes         Yes      Yes               n/a       Yes
OS6860E-P48   48 PoE       4              Yes         Yes      Yes               Yes       Yes
OS6860E-U28   28 SFP       4              Yes         Yes      Yes               n/a       Yes

Virtual Chassis between base models and “E” models

OS6860
Power supplies

OS6860-BP (Model Name PS-150AC)
 AC power supply. Provides 150 W system power to one OS6860 non-PoE switch.
 OS6860 models supported: OS6860-24, OS6860-48, OS6860E-24, OS6860E-48, OS6860-U28
 Max PoE budget with 1 PSU: N/A; with 2 PSU: N/A
 Valid backup configurations: OS6860-BP, OmniSwitch BPS

OS6860-BP-D (Model Name PS-150W-DC)
 DC power supply (48V DC). Provides 150 W system power to one OS6860 non-PoE switch.
 OS6860 models supported: OS6860-24, OS6860-48, OS6860E-24, OS6860E-48, OS6860-U28
 Max PoE budget with 1 PSU: N/A; with 2 PSU: N/A
 Valid backup configurations: OS6860-BP-D, OmniSwitch BPS

OS6860-BPPH (Model Name PS-600W-AC-P)
 600W AC PoE power supply. Provides system and PoE power to one 24 port PoE switch.
 OS6860 models supported: OS6860-P24, OS6860E-P24
 Max PoE budget with 1 PSU: 450W of PoE; with 2 PSU: 900W of PoE
 Valid backup configurations: OS6860-BPPH, OmniSwitch BPS

OS6860-BPPX (Model Name PS-920W-AC-P)
 920W AC PoE power supply. Provides system and PoE power to one 48 port PoE switch.
 OS6860 models supported: OS6860-P48, OS6860E-P48
 Max PoE budget with 1 PSU: 750W of PoE; with 2 PSU: 1500W of PoE
 Valid backup configurations: OS6860-BP-BPPX, OmniSwitch BPS

Same BPS can be used for OS6860 and OS6850E
OS6860 and OS6850E sharing one BPS is not supported
OS6860 vs OS6850E
Feature OS6850E OS6860
Flash size 128MB 2GB
Memory 512M SDRAM 2GB
CPU 400MHz 1GHz
10G built-in ports 2 4
Stacking/VC ports 2 x 10G 2 x 20G
Stacking /VC cables Proprietary and SFP+ DAC QSFP+ DAC
PoE Load sharing No Yes
30W of PoE on all 48 ports No Yes
BlueTooth connection No Yes
Remote Stacking Yes ( up to 10km) Yes ( up to 100m)
L2 entry table 32K 48K
L3 exact match table 12K 24K
ARP Entries (IPv4) 8K 24K*
IPv6 neighbors 4K 12K*
IPv4 / IPv6 Multicast 8K / 2K 12K* / 6K*
IPv4 / IPv6 LPM table 12K / 6K 12K / 7K (6K 64-bit pref + 1K 128-bit pref)
VLAN table 4K 4K in 8.1.1 ( capable of 8K)
OmniSwitch 6250, 6450, 6850E, 6860, 6860E
Comparison
Alcatel-Lucent OmniSwitch 6250 / OmniSwitch 6450 / OmniSwitch 6850E / OmniSwitch 6860/6860E

Software
 6250: AOS software base
 6450: AOS software base
 6850E: AOS software base + Optional Advanced Routing
 6860/6860E: AOS software base + Optional Advanced Routing code
Features
 6250: AOS L2+ Basic L3, Stackable
 6450: AOS L2 & Basic L3, Stackable
 6850E: AOS L2 & Adv. L3, Stackable
 6860/6860E: AOS L2 & Adv. L3, Virtual Chassis
Routing
 6250: Basic static and RIP/RIPng
 6450: Basic static and RIP/RIPng
 6850E: Full, advanced IP Routing
 6860/6860E: Full, advanced IP Routing
User ports
 6250: 10/100 Mbps
 6450: 10/100 or 10/100/1000 Mbps; IEEE 802.3at support
 6850E: 10/100/1000 Mbps; IEEE 802.3at support
 6860/6860E: 10/100 or 10/100/1000 Mbps; IEEE 802.3at / 60W POE on 4 ports
Uplinks
 6250: 1 Gbps; 6450: 10 Gbps; 6850E: 10 Gbps; 6860/6860E: 10 Gbps
Stacking
 6250: 10 Gbps links; 6450: 20 Gbps links; 6850E: 40 Gbps links; 6860/6860E: 80 Gbps links
Switching
 6250: 28 Mpps; 6450: 101,2 Mpps; 6850E: 131 Mpps; 6860/6860E: 190,6 Mpps
Fabric Capacity
 6250: 24,8 Gb/s; 6450: 68 Gb/s; 6850E: 240 Gb/s; 6860/6860E: 264 Gb/s
Traffic Analysis
 6860/6860E: DPI, AppMon
Security
 6250: Access Guardian, UNP, CP
 6450: Access Guardian, UNP, CP
 6850E: Access Guardian, UNP, CP, Traffic Anomaly Detection
 6860/6860E: Access Guardian 2.0, UNP, CP
Management
 All models: ALU OmniVista™ NMS, ALU 5620 Service Aware Mgr
Mac Table
 6250: 16K; 6450: 16K; 6850E: 32K; 6860/6860E: 48K
Routing Table
 6250: 1024-entry routing table; 6450: 16,000-entry routing table; 6850E: 16,000-entry routing table; 6860/6860E: 64,000-entry routing table
Multicast
 6250: IP multicast IGMP / Switching and membership
 6450: IP multicast IGMP / Switching and membership
 6850E: Full IP Multicast routing
 6860/6860E: Full IP Multicast routing and switching
OMNI BPS
Advanced Backup Power Shelf
Omni BPS
 Full PoE and system backup power for OmniSwitch 6850E/6860/6860E family
 OS6850E-U24X excluded
 6860 and 6850E sharing one BPS is not supported
 N+1 and N+N modes are supported
 Setting port priority and connector priority on the BPS
 Backup for 360/510/900W PoE PSU as well as 126W AC system PSU
Advanced Backup Power Shelf
Omni BPS
 One BPS provides:
 Flexible N+1 backup and full N+N backup solutions
 Backup power for up to 8 units (stacked or standalone)
 Up to 900W of redundant system power
 Up to 3600W (low line) and 6000W (high line) of redundant PoE power
(Back view: three slots for PoE PSU, two slots for system PSU, 8 DB25 connectors)

Advanced Backup Power Shelf
N+1 also called SINGLE backup
 Protects against switch primary PSU failure
 not against AC power line failure
 ABPS Configuration
 1x 1200W/2400W (110V/220V AC) PoE power supply
 1x 450W system power supply
 BPS can backup only one switch at a time
(Diagram: 1 x 1200W PoE PSU, 1 x 450W system PSU, 8 x 1M cables; BPS and OmniSwitch connected to the same AC source)

Advanced Backup Power Shelf
N+N also called FULL backup
 Protects against AC line failure
 If primary AC line fails the BPS will be the only source of power for all switches in the stack
 ABPS Configuration:
 3 x PoE PS support 6800W @ 220V AC
 3 x PoE PS support 3400W @ 110V AC
 2 x system PSU @ 96~264vAC support 8 “OmniSwitch” system power
 Primary AC source connected to OmniSwitch
 Backup AC source B connected to BPS
(Diagram: 3 x 1200W PoE PSU, 2 system PSU, 8 x 1M cables; Primary AC Source A feeds the switches, Backup AC Source B feeds the BPS)
OMNISWITCH 6900
OmniSwitch 6900-X
High Density 10GigE Switch (AOS R7)
 High Density 10GigE Switch
 20 or 40 SFP+ ports (1G/10G)
 Up to 64 SFP+ ports on the 6900-X40
 Up to 32 SFP+ ports on the 6900-X20
 640Gbps / 1.28 Tbps wire-rate capacity
 480/ 960 Mpps
 Sub microsecond latency
 Virtual chassis of up to 6 switches
 Redundant hot power supplies, fans
 Low power per port (3.5W per port)
 Wire-rate switching and routing
 128K MAC addresses
 Optional modules for utmost flexibility
 Front To Back / Back To Front Air Flow
 Software Controlled Fans Speed
(Illustrations: OS6900-X40, OS6900-X20)

Verticals
LAN Core / Aggregation
Data Center Top of Rack switch
OmniSwitch 6900-X
Models

OS6900-X20 (front view): 20 SFP+ ports, optional module, Ethernet management port, USB serial port, USB drive port
• Hot swappable fan tray (3+1 fan redundancy)
• Redundant slide-in power supplies (450W, AC or DC)

OS6900-X40 (front view): 40 SFP+ ports, optional module #1, optional module #2
• Hot swappable fan tray (3+1 fan redundancy)
• Redundant slide-in power supplies (450W, AC or DC)
OmniSwitch 6900-T
High Density 10GigE Switch
 High Density 10GigE Switch
 20 or 40 fixed 10GBase-T ports (IEEE 802.3an)
 Up to 56 10GBase-T ports on the 6900-T40
 Up to 28 10GBase-T ports on the 6900-T20
 10GigE Server and Storage connectivity
 640Gbps / 1.28 Tbps wire-rate capacity / low latency
 Latency <4us (~3.3us)
 Redundant hot power supplies, fans
 Wire-rate switching and routing
 128K MAC addresses
 IPv4 hosts 8K / IPMC 8K
 Optional modules
 1 for OS6900-T20 (in front)
 2 for OS6900-T40 (one each in front & rear)
 Front to Back / Back to Front Air Flow
 Software Controlled Fans Speed
 Energy Efficient Ethernet IEEE 802.3az
 CAT 5e = 55 meters
 CAT 6a/7 = 100 meters
 1G/10G auto-negotiation
(Illustrations: OS6900-T40, OS6900-T20)
OmniSwitch 6900-T
(Illustration: OmniSwitch OS6900-T40, front / back: serial and USB ports, Ethernet management port, optional module #1, optional module #2, redundant slide-in power supplies (AC or DC), hot swappable fan tray with 3+1 fan redundancy and front to back cooling)
OmniSwitch 6900
Optional modules
 Expansion Modules Hot Swappable
 Compatible across all models
 OS-QNI-U3: 3 x 40G QSFP+ ports
 OS-XNI-U12E: 12 SFP+ ports (1G/10G) / 12 FC ports (2G/4G/8G)
 OS-HNI-U6: 4 x 10G SFP+ ports, 2 x 40G QSFP+ ports
 OS-XNI-U12: 12 SFP+ ports (1G/10G)
 OS-XNI-T8: 8 10GBase-T ports (1G/10G)
 OS-XNI-U4: 4 SFP+ ports (1G/10G)
OmniSwitch 6900
Power Supplies and Fans
 Fully loaded OS6900-xxx requires a single 450W PSU
 Hot-swappable AC and DC PSU
 1+1 redundant, removable
 PS & Fans (Front-to-Rear Airflow)
 AC: OS6900-BP-F
 DC: OS6900-BPD-F
 Fans: OS6900-FT-F
 PS & Fans (Rear-to-Front Airflow)
 AC: OS6900-BP-R
 DC: OS6900-BPD-R
 Fans: OS6900-FT-R
 Fan tray (both airflow variants): single removable unit, field replaceable tray in the rear of the chassis
OmniSwitch 6900 & 10K
Optional Transceivers Support
Gigabit Ethernet Transceivers
 SFP-GIG-SX
 SFP-GIG-LX
 SFP-GIG-LH40
 SFP-GIG-LH70
 SFP-GIG-T
Bi-directional Ethernet Transceivers
 SFP-100-BX20LT
 SFP-100-BX20NU
 SFP-100-BXLC-D
 SFP-100-BXLC-U
 SFP-GIG-BX-D
 SFP-GIG-BX-U
CWDM Gigabit Ethernet Transceivers
 SFP-GIG-CWD
Direct Attach SFP+
 1m/3m/7m
10-Gigabit SFP+ Transceivers
 SFP-10G-SR
 SFP-10G-LR
 SFP-10G-ER
 SFP-10G-LRM
 SFP-10G-C
40-Gigabit QSFP+ Transceivers
 QSFP-40G-SR
 QSFP-40G-C
Triple-speed SFP+ Fibre Channel optical transceiver
 Auto-sensing 2G, 4G, 8G Fibre Channel (FC)
 Supports multimode fiber 850nm wavelength with an LC connector
100-FX Ethernet Transceivers
 SFP-100-LC-MM
 SFP-100-LC-SM15
 SFP-100-LC-SM40
OmniSwitch 6900 Hardware
Buffer And Traffic Management
 Switch Advanced Features
 Virtualization with MC-LAG or Virtual Chassis
 Fast network re-convergence and optimal load balancing with Shortest Path Bridging
 Ease of configuration

 Optimum Application Performance with Rich QoS


 Rich application classification capabilities (L2/L3/L4)
 Advanced Queuing and congestion management
 Enhanced Transmission Selection (ETS) 802.1Qaz (DCB)
 Queue Set profiles (SPQ, WFQ, RED, WRED)
 Congestion Notification
 Priority based Flow Control (PFC), IEEE 802.1Qbb (DCB)
 802.3x

 Core Routing Layer 3 support


 Wire-rate at L2 / L3 (IPv4/v6, unicast and multicast)
 Advanced routing support with protocols such as OSPF, BGP, PIM-SM, BFD, VRF
OMNISWITCH AOS R6/R7/R8

AOS OmniSwitch Management


Module Objectives
 You will learn about:

 Logging Into The Switch


 Managing Files/Directories
 Loading Software image
 Access methods
 User Accounts
 AAA Authentication
 Role based management
Management Tools
 Accessing the switch may be done locally or remotely

 Management tools include:

 CLI - May be accessed locally via the console port, or remotely via Telnet
 Webview - which requires an HTTP client (browser) on a remote workstation
 SNMP, which requires an SNMP manager (such as Alcatel-Lucent’s OmniVista
or HP OpenView) on the remote workstation
 Secure Shell - Available using the Secure Shell interface
 FTP - File transfers can be done via FTP or Secure Shell FTP
 TFTP - File transfers can be done via TFTP
 USB device - Disaster recovery, Upload/download image files
MANAGING FILES/DIRECTORIES
AOS
R6
AOS File System
 Flash Memory – 128 MB per CMM
 Provides storage for system and configuration files
 2 versions are present on flash; working and certified
 *.img files are stored in both working and certified directories
 Configuration rollback
 Based on the working and certified directories
 Applies to system files and configuration file
 A certified version (SW + conf) will be used as a backup when dealing with any changes (modification, upgrades, …)
 File System (flash directory)
 /flash: Swlog1.log, Swlog2.log, Boot.params, network and switch directories
 Working Directory: Jdiag.img, Jsecu.img, Jbase.img, Jeni.img, Jos.img
 Certified Directory: Jdiag.img, Jsecu.img, Jbase.img, Jeni.img, Jos.img
AOS Flash Organization
Sample flash Directory
 Switch and Network Directories
 swlog1.log, swlog2.log, policy.cfg, command.log, boot.params, boot.slot.cfg
 Working Directory: -base.img, -secu.img, -eni.img, -advrout.img, -os.img, -release.img, -boot.cfg
 Certified Directory: -base.img, -secu.img, -eni.img, -advrout.img, -os.img, -release.img, -boot.cfg
System Boot Sequence
 Boot Sequence (Recalls)
 Bootstrap Basic Operation (BootROM)
 Initializes Hardware
 Performs memory diagnostics
 Selects a right Miniboot
 Copy & execute MiniBoot
 MiniBoot Basic Operation
 Initializes basic kernel
 Selection of image
 Based on boot.params
 Copy & load the OS
 Production
 The image contains its own copy of the kernel specific to the SW version
Diagram (Flash to RAM): 1. BootROM, 2. MiniBoot, 3. boot.params, 4. MiniBoot copied to the RAM root directory, 5. kernel.lnk from the OS package in the /working or /certified directory loaded into RAM
System Boot Sequence
Working and Certified directories are identical
 Working Directory: -base.img, -secu.img, -eni.img, -advrout.img, -os.img, -release.img, -boot.cfg
 Certified Directory: -base.img, -secu.img, -eni.img, -advrout.img, -os.img, -release.img, -boot.cfg
 Working and Certified contents are identical: the switch runs from working
System Boot Sequence
Working and Certified directories are different
 Working Directory: -base.img, -secu.img, -eni.img, -advrout.img, -os.img, -release.img, -boot.cfg
 Certified Directory: -base.img, -secu.img, -eni.img, -advrout.img, -os.img, -release.img, -boot.cfg
 Working and Certified contents are different: the switch runs from certified
System Boot Sequence
Working and Certified directories are different
 If Working and Certified directories are different, then the switch runs from Certified
 1. Switch will run from Certified (Primary CMM A: boot.cfg in Working and a different boot.cfg in Certified; the running configuration is loaded from Certified)
---> Changes cannot be saved directly to the Certified directory
System Boot Sequence
Working and Certified directories are different
 Switch can be rebooted from Working Directory
 2. Rebooting from working directory
-> reload working no rollback-timeout
 3. Changes made on running config are saved to working directory
-> copy running-config working
---> Changes made to the running config are saved to the Working directory
System Boot Sequence
Working and Certified directories now are identical
 4. Finally, contents of working and certified directories are identical
-> copy working certified
---> Now running config matches working and certified matches working
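The working/certified rule of the boot sequence above, as an added example (not AOS code): hashing every file in both directories decides which one the switch would boot from and lists what differs, which is also a useful pre-check before `copy working certified`. The /flash tree, directory names and image contents are constructed for the example.

```python
"""Decide which directory an AOS R6 switch would boot from.

Added example, not AOS code: it models the rule on the slides (the switch runs
from certified when working and certified differ, from working when they are
identical) by hashing every file in both directories and listing what differs.
The /flash tree, directory names and image contents below are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Image set shown on the slides; the prefix letter (J/G/K) is platform-specific.
IMAGE_FILES = ["base.img", "secu.img", "eni.img", "advrout.img",
               "os.img", "release.img", "boot.cfg"]


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large images are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def directory_digests(directory: str) -> Dict[str, str]:
    """Map every regular file (path relative to the directory) to its digest."""
    digests = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            digests[os.path.relpath(full, directory)] = file_digest(full)
    return digests


def compare_directories(working: str, certified: str) -> List[str]:
    """Return one line per difference; an empty list means identical contents."""
    w, c = directory_digests(working), directory_digests(certified)
    diffs = []
    for name in sorted(set(w) | set(c)):
        if name not in c:
            diffs.append(f"{name}: only in working")
        elif name not in w:
            diffs.append(f"{name}: only in certified")
        elif w[name] != c[name]:
            diffs.append(f"{name}: contents differ")
    return diffs


def select_running_directory(flash: str) -> Tuple[str, List[str]]:
    """Apply the boot rule to a /flash tree holding working/ and certified/."""
    diffs = compare_directories(os.path.join(flash, "working"),
                                os.path.join(flash, "certified"))
    return ("certified" if diffs else "working"), diffs


def build_sample_flash(modified_boot_cfg: bool) -> str:
    """Constructed sample /flash tree; optionally edit working/boot.cfg only."""
    flash = tempfile.mkdtemp(prefix="flash-")
    for sub in ("working", "certified"):
        os.makedirs(os.path.join(flash, sub))
        for name in IMAGE_FILES:
            with open(os.path.join(flash, sub, name), "wb") as handle:
                handle.write(f"sample {name} contents\n".encode())
    if modified_boot_cfg:
        # A change saved to working but not yet certified: one extra line.
        with open(os.path.join(flash, "working", "boot.cfg"), "ab") as handle:
            handle.write(b"vlan 10\n")
    return flash


if __name__ == "__main__":
    for modified in (False, True):
        which, diffs = select_running_directory(build_sample_flash(modified))
        print(f"working/boot.cfg modified={modified}: boot from {which}", diffs)
```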
OmniSwitch with Redundant CMM
CMM Role
 Synchronization process between switches in a chassis
 /flash/working + /flash/certified directories must be the same on both Switches (Primary,
Secondary) in normal operation.
 Same software running on both switches
 CLI commands to synchronize Primary & Secondary switches in the chassis

-> copy flash-synchro


-> copy working certified flash-synchro
-> write memory flash-synchro

 Switching primary and Secondary roles


 Take over function
 Primary switch becomes Secondary, Secondary switch becomes Primary
 Flash synchro must be done before Take over
 Switch management functions are maintained during take over
 CLI commands (Primary and Secondary switches only)

->takeover
->show running-directory (display switch (CMM) role, primary or secondary)
->show chassis
OmniSwitch - Primary and Secondary CMM Synchronization

 For CMM software redundancy, at least two fully-operational OmniSwitches


must be linked together as a stack.

 In a stack of switches, one of the switches has the primary role and the other
switch has the secondary role at any given time.

 The primary switch manages the current switch operations while the secondary
switch provides backup (also referred to as “fail over”).
 Additional switches in a stack are set to “idle” for the purposes of redundancy.

 Primary and Secondary CMM Date and Time settings synchronization


-> system time-and-date synchro
OmniSwitch - Primary and Secondary CMM Synchronization
 Certify and Synchronize the Working to Certified and Primary to Secondary CMM
-> copy working certified flash-synchro
1. Copies working to certified on primary
2. Copies working Primary to working secondary
3. Copies working secondary to certified secondary

-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : B,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : SYNCHRONIZED,
Running Configuration : SYNCHRONIZED,
NIs Reload On Takeover : NONE

Diagram: Primary (CMM A) and Secondary (CMM B) flash directories, each with Swlog1.log, Swlog2.log, Boot.params, network and switch directories, and Working and Certified directories holding Jdiag.img, Jsecu.img, Jbase.img, Jeni.img and Jos.img; arrows 1, 2 and 3 mark the three copy steps above
OmniSwitch
Software System Architecture
-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot :A
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : SYNCHRONIZED,
Running Configuration : SYNCHRONIZED,
NIs Reload On Takeover : NONE

Diagram: CMM-A and CMM-B flash directories, each with Swlog1.log, Swlog2.log, Boot.params, network and switch directories, and Working and Certified directories holding diag.img, secu.img, base.img, eni.img and os.img
System Commands
 Directory Commands include:
 pwd - display current directory
 cd – change directory
 dir – list directory contents
 mkdir – create new directory
 rmdir – remove existing directory

 File Commands include:


 ls – list directory content
 cp – copy a file
 mv – move a file
 vi – invoke editor
 rm – remove a file

 Utility Commands include:


 freespace - displays the amount of free file system memory
 fsck – performs file system check
Managing Files and Directories
Upgrading/Registering Switch Software
 File transfer is available using
 FTP
 Secure FTP
 TFTP
 Zmodem
 USB
 The switch acts as
 FTP Server
 FTP/TFTP client
 By default, an FTP session connects to the ‘working’ directory
 FTP Authentication has to be enabled using the ‘aaa authentication ftp local’ command
Diagram: management via CLI, WebView and OmniVista; FTP server
Managing Files
FTP/TFTP Upgrading/Registering Switch Software
-> ftp {host_name | ip_address}
-> sftp {host_name | ip_address}
-> tftp {host_name | ip_address} {get | put} source-file [src_path/]src_file [destination-file [dest_path/]dest_file] [ascii]
USB support
 Disaster recovery (requires miniboot-uboot upgrade and special directory structure on the drive to store image files)
 Upload/download image and configuration files
 USB support is disabled by default
 Only the specified USB device will be supported and guaranteed to function correctly
 Any file management operation is supported including recursive operations
 CLI commands used on the /flash directory can also be used on the /uflash directory

-> usb enable
/uflash Bulk device is created
Node ID 0x2
LUN #0
Vendor Info : PIXIKA
Product ID : USB Flash Drive
Product Revision : 4.00
Number of Blocks : 509695
Bytes per Block : 512
Total Capacity : 260963840
TUE MAR 09 15:09:21 : SYSTEM (75) alert message:
+++ USB Bulk Device mounted at 12 Mbps.

-> usb disable
TUE MAR 09 15:13:12 : SYSTEM (75) alert message:
+++ Device /uflash removed and uninstalled from FS

-> show usb statistics
USB: Enabled
USB auto-copy: Disabled
USB disaster-recovery: Enabled
Node ID 0x2
LUN #0
Vendor Info : PIXIKA
Product ID : USB Flash Drive
Product Revision : 4.00
Number of Blocks : 509695
Bytes per Block : 512
Total Capacity : 260963840
USB Flash Drive Management
 Disaster-recovery
 This can be used if the image files on the CMM become corrupted, deleted, or the
switch is unable to boot from the CMM for other reasons
 -> usb enable
 -> usb disaster-recovery enable
 Create a directory named xxxx/certified* on the USB flash drive with all the proper backup
image and configuration files
 Connect the USB flash drive to the CMM; the CMM flash will be reformatted and the images
will be copied from the /uflash/xxxx/certified to the /flash/certified directory of the CMM
and the switch will reboot from the certified directory

* xxxx= switch model


USB Flash Drive Management
 Auto-copy
 The switch can be configured to automatically mount and copy the image files from
the USB device to the /flash/working directory
 Create a file named aossignature in the root of the USB flash drive
 Create a directory named xxxx/working* on the USB flash drive with all the proper image files
 -> usb enable
 -> usb auto-copy enable
 Connect the USB flash drive to the CMM; the images will be validated and copied to the
/flash/working directory of the CMM and the switch will reboot from the working directory
applying the code upgrade
 Once the switch reboots the auto-copy feature is automatically disabled to prevent another upgrade

* xxxx= switch model


Managing Files and Directories
Upgrading Switch Software
 Transfer new image files to the /flash/working directory
 Use methods previously discussed
 OS Package
 Jadvrout.img – Optional – Advanced Routing – CMM Advanced Routing
 Jbase.img – Base Software – CMM Base
 Jdiag.img – Base Software – CMM Diagnostics
 Jeni.img – Base Software – NI image for all Ethernet-type NIs
 Jos.img – Base Software – CMM Operating System
 Jqos.img – Base Software – CMM Quality of Service
 Jrout.img – Base Software – CMM Routing (IP and IPX)
 Jsecu.img – Optional – Security – CMM Security (AVLANS)
 Jrelease.img – Base Software – Release Archive
 -> reload working no rollback-timeout
 -> copy working certified
 Image file prefix by platform: Jxxxx.img for OS9000, Gxxxx.img for OS6400, Kxxxx.img for OS6850E, Kxxxx.img for OS6855
Diagram: flash directory with Swlog1.log, Swlog2.log, Boot.params, network and switch directories, and Working and Certified directories holding diag.img, secu.img, base.img, eni.img and os.img
Managing Files
Upgrading/Monitoring Switch Software

-> show microcode [working | certified | loaded]

-> show microcode


Package Release Size Description
-----------------+---------------+--------+-----------------------------------
Kbase.img 6.4.5.402.R02 20599723 Alcatel-Lucent Base Software
Kadvrout.img 6.4.5.402.R02 2991820 Alcatel-Lucent Advanced Routing
K2os.img 6.4.5.402.R02 1965391 Alcatel-Lucent OS
Keni.img 6.4.5.402.R02 6093065 Alcatel-Lucent NI software
Ksecu.img 6.4.5.402.R02 649040 Alcatel-Lucent Security Management
Kencrypt.img 6.4.5.402.R02 3437 Alcatel-Lucent Encryption Management
MANAGING FILES/DIRECTORIES

AOS
R7/8
Module Objectives
 You will learn about:
 AOS R7/8 system administration
 ISSU
 Software Licensing

AOS File System – Multi image/config
 Memory
 OS 10K: Flash Memory 2GB, RAM Memory 4GB (per CMM)
 OS 6900/6860: Flash Memory 2GB, RAM Memory 2GB
 Directories
 Certified directory
 Read only version of *.img files and boot.cfg files
 Configuration changes CANNOT be saved directly to the certified directory
 Working directory
 Saved versions of *.img files and boot.cfg files
 Files in the working directory must be tested before committing them to the certified directory.
 Configuration changes can be saved to the working directory.
 User-defined directories
 Any other directories created by the user
 These directories can have any name and can be used to store additional switch configurations.
 Configuration changes CAN be saved directly to any user-defined directory
Diagram: flash directory with Swlog1.log, Swlog2.log, Boot.params, Policy.cfg and a Network Directory; Certified, Working and User Defined directories each holding Ros.img, Reni.img and Boot.cfg
AOS File System – Multi image/config
 Running directory
 Directory from which the switch booted.
 Directory where the configuration changes will be saved.
 Except when the Running directory is the Certified directory.
 Running configuration
 Current operating configuration of the switch obtained from the running directory in addition to any configuration changes made by the user.
 It resides in the switch’s RAM.
Configuration rollback
 Based on the working, certified and User-defined directories

 Applies to system files and configuration file


 A certified version (SW + conf) will be used as a backup when dealing with any
changes (modification, upgrades, …)

-> show running-directory


CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : MONO CMM,
Current CMM Slot : A,
Running configuration : CERTIFIED,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED

->reload from working no rollback-timeout


->reload from <userdefined> no rollback-timeout
Changing the Running Directory
 When the switch is booted and run from the certified directory, changes made
to the switch cannot be saved and files cannot be moved between directories
 To change the running directory to a directory other than the certified use the
modify running-directory command and then save the configuration with the
write memory command

-> modify running-directory working


-> write memory
-> copy running certified

-> show running-directory


CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : MONO CMM,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED
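A check on the state that `show running-directory` reports, as an added example (not AOS code): it parses the output shown on these slides and flags the three conditions the slides describe as needing action, running from certified (changes cannot be saved), CERTIFY NEEDED, and a non-SYNCHRONIZED status. The sample outputs are copied from the slides; the warning wording is the example's own.

```python
"""Flag the conditions 'show running-directory' reports on an AOS R7/8 switch.

Added example, not AOS code. It parses the 'Key : Value,' lines of the command
output shown on the slides and returns warnings for: running from the certified
directory (configuration changes cannot be saved), a Certify/Restore Status
other than CERTIFIED, and any synchronization field that is not SYNCHRONIZED.
The two sample outputs are copied from the slides.
"""
from typing import Dict, List

RUNNING_FROM_CERTIFIED = """\
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : MONO CMM,
Current CMM Slot : A,
Running configuration : CERTIFIED,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED
"""

CERTIFY_NEEDED = """\
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : MONO CMM,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED
"""


def parse_running_directory(output: str) -> Dict[str, str]:
    """Turn 'Key : Value,' lines into a dict; section headers have no ':' and are skipped."""
    fields = {}
    for raw in output.splitlines():
        line = raw.strip().rstrip(",")
        if ":" not in line:
            continue  # CONFIGURATION STATUS / SYNCHRONIZATION STATUS headers
        key, value = (part.strip() for part in line.split(":", 1))
        fields[key] = value  # note: 'Running configuration' and 'Running Configuration' differ
    return fields


def check_running_directory(output: str) -> List[str]:
    """Return the operator warnings for one show running-directory output."""
    f = parse_running_directory(output)
    warnings = []
    if f.get("Running configuration") == "CERTIFIED":
        warnings.append("running from certified: configuration changes cannot be saved; "
                        "use 'modify running-directory working' then 'write memory'")
    if f.get("Certify/Restore Status") != "CERTIFIED":
        warnings.append(f"certify status is {f.get('Certify/Restore Status')!r}: "
                        "run 'copy running certified' once the configuration is validated")
    for key in ("Flash Between CMMs", "Running Configuration"):
        if key in f and f[key] != "SYNCHRONIZED":
            warnings.append(f"{key} is {f[key]!r}: use the flash-synchro form of "
                            "copy / write memory to resynchronize the CMMs")
    return warnings


if __name__ == "__main__":
    for sample in (RUNNING_FROM_CERTIFIED, CERTIFY_NEEDED):
        for warning in check_running_directory(sample) or ["no action needed"]:
            print(warning)
```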
CMM Role (OmniSwitch 10K only)
 Synchronization process between CMMs in a chassis
 Running and Certified directories must be the same on both CMMs (Primary,
Secondary) in normal operation
 Same software running on both CMMs
 CLI commands to synchronize Primary & Secondary CMMs in the chassis
-> copy flash-synchro
-> copy running certified flash-synchro
-> write memory flash-synchro

 Switching primary and Secondary roles


 Takeover function
 Primary CMM becomes Secondary, Secondary CMM becomes Primary
 Flash synchro must be done before Takeover
 Switch management functions are maintained during take over
 CLI commands (Primary and Secondary switches only)

-> takeover
-> show running-directory (display switch (CMM) role, primary or secondary)
-> show chassis
Reload Commands
 Reload [ secondary] [in | at ]
 This command reloads the primary by default.
 No CMM failover during this reload.
 This command can also be used on the secondary CMM.

 Reload From
 Immediately reboots the primary CMM.
 No CMM failover during this reload.
 All the NIs reboot, including the secondary CMM.

-> reload from working no rollback-timeout


-> reload from user-config1 no rollback-timeout
Configuration Management
 Bash shell is used for all user input

 CLI command set has changed from 6.x to 7.x

 Command Auto-completion

 Allows aliasing for commands


 stored in boot.cfg
-> alias dir='ls -l'
 Prefix recognition – same as AOS 6.x

 Built-in Filtering
 Unix piping mechanisms built into bash redirections
-> show vlans | more
-> show mac-learning | grep 00:20:da:55:56:76
-> show ip ospf routes | egrep "^10\.10.*" | sort | less
CLI Commands
 AOS/ Bash shell (Switch Specific)
 arp, aaa, boardinfo, clear, capability, configuration, copy, clicomp,
cliwrapper, command-log, diusin, debug, ethernet-service, expr, erp-ring,
fsck, ftp, freespace, gvrp, hash-control, health, installsshkey, icmp, ipv6,
issu, ipsec, interfaces, ip, kill, linkagg, lldp, mount, mac-range, mvrp,
modify, mac-learning, multi-chassis, netsec, newfs, no, ntp, nslookup,
pam_cli, powersupply, power, port-session, security, port-mapping, port-
mirroring, port-monitoring, ping6, policy, password, ping, qos, rmon, rcp,
rdf, reload, rls, revokesshkey, rrm, swlog, sftp, system, scp, sflow, show,
snmp, snmp-trap, spantree, ssh, sh, takeover, telnet, tps, traceroute,
traceroute6, tty, temp-threshold, umount, update, user, udld, usb, verbose,
vrrp, vlan, vrf, vrrp3, who, webview, write, whoami.
 Busybox commands (see www.busybox.net for reference)
 awk, cat, chmod, cmp, cp, diff, dmesg, du, egrep, fgrep, find, free, grep,
head, less, ls, mkdir, more, mv, reset, rm, rmdir, sed, stty, sync, tail, tftp,
time, vi, wc, xargs
System Commands
 Directory Commands include:
 pwd - display current directory
 cd – change directory
 dir – list directory contents
 mkdir – create new directory
 rmdir – remove existing directory
 File Commands include:
 ls / rls – list directory content (no “dir”) / list secondary CMM directory content
 cp / rcp – copy a file / copy a file from the secondary CMM
 scp – secure file copy
 mv – move a file
 vi – invoke editor
 rm / rrm – remove a file / remove from secondary CMM
 Utility Commands include:
 freespace - displays the amount of free file system memory
 fsck – performs file system check
Software System Architecture
-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : A
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : SYNCHRONIZED,
Running Configuration : SYNCHRONIZED,
NIs Reload On Takeover : NONE
Diagram: CMM-A and CMM-B flash directories, each with Swlog1.log, Swlog2.log, Policy.cfg, Boot.params, a Network Directory, and Certified, Working and User Defined directories holding Ros.img, Reni.img and Boot.cfg
OmniSwitch 10K - Setting the EMP IP Address
 The EMP IP address shared between both CMMs, stored in the boot.cfg file. (Required for remote access)
-> ip interface emp address 192.168.10.100 mask 255.255.255.0
 The Primary or Secondary CMM’s IP address, stored in NVRAM. (Not required for remote access)
 Changes stored in NVRAM will remain with the CMM if the CMM is moved to a different chassis.
 All the EMP IP addresses and CMM’s IP addresses must be in the same subnet.
 Each of the IP addresses must be unique.
-> modify boot parameters
Boot > boot empipaddr 192.168.100.2
Boot > boot empmasklength 24
Boot > commit system
Boot > commit boot
Boot > exit
OmniSwitch 6900 - Setting the EMP IP Address
 Use the “ip interface” command to change the default EMP IP address. (Saved to the boot.cfg file.)
-> ip interface emp address 192.168.10.100 mask 255.255.255.0
 The default EMP IP address is 10.255.24.81
 The EMP address can also be changed from the boot parameters menu.
-> modify boot parameters
Boot > boot empipaddr 192.168.100.2
Boot > boot empmasklength 24
Boot > commit system
Boot > commit boot
Boot > exit
IN-SERVICE SOFTWARE UPGRADE (ISSU)
ISSU
 In-service software upgrade (ISSU) at a module-level
 Full CMM and NI image
 Upgrade CMMs independent of NIs

 Dual CMMs should be present and should be running certified image/config

 CMMs are upgraded first

 NIs have to be reset to get the new version


 Manually schedule reboot
 NIs begin to reboot 120 minutes after the CMMs come up

 New CMM image should work with the previous NI version until it is upgraded
 Individual NI upgrade capability from main postGA tree only
 There is backward compatibility with a N-1 version of the protocol
ISSU
 Software supports only N-1 compatibility
 It is possible to upgrade from GA to any post-GA; it might take more than one
upgrade to accomplish this because protocols could change more than once
 The following shows an upgrade from GA to some post-GA maintenance build
 Only upgrading from one major release’s maintenance release to the next
major release is guaranteed
 Version of the GA build is fixed at the version of one of the maintenance releases
of the previous major release
Diagram: main trunk 7.2.100 GA (protocol version 1); 7.2.R01 maintenance branch with 7.2.1.200.R01 (protocol version 2) and 7.2.1.300.R01 (protocol version 3); ISSU steps between consecutive protocol versions
ISSU
Specifications
 CMMs: Must be synchronized and certified redundant
 CMM Image Files: Ros.img, Reni.img
 Validation File: issu_version.txt
 ISSU Directory: Any user-defined directory to store the image files
 Default NI Reset Timer: 120 minutes
 Control LED: Blinks amber during ISSU upgrade
ISSU Files:
 Ros.img – CMM/CFM image
 Reni.img – NI image
 issu_version.txt
ISSU - Sequences
OS 6900 - LICENSE MANAGER
Software Licensing Feature Set
 Advanced Routing Software License (OS6900-SW-AR)
 OSPF v2, VRRP, DVMRP, IPSec, BGP, VRRP v3, PIM-SM, VRF, MP-BGP, Static Routing
IPv6, PIM-SM IPV6, Policy Based routing, RIPng and ECMP for OSPF.

 Needed to Activate License


 System Serial Number
 System Mac Address
 License Key or File

-> show chassis


Model Name: OS6900-X20,
Module Type: 0X5062201,
Description: Chassis,
Part Number: 050535-46T,
Hardware Revision: B04,
Serial Number: N2360043,
Manufacture Date: Jun 09 2011,
Admin Status: POWER ON,
Operational Status: UP,
Number Of Resets: 115,
MAC Address: e8:e7:32:97:07:54
Product License Generation Center
 https://service.esd.alcatel-lucent.com
OS6900 License / Registration
 https://service.esd.alcatel-lucent.com/portal/page/portal/EService/OS6900
Configuring License information
 Applying the license using a license key file:
-> license apply file swlicense.dat

 Applying the license using an individual license key:


-> license apply key ‘q9T3-j4|q-*91t-^cPL-VGBy-DyOU-i^k2-$KZ]’

 De-activating/downgrading software-licensed switch:


-> license deactivate

 Viewing License Information

-> show license info


License Type Time (Days)
Remaining
------------+-------------+-----------
Advanced Permanent NA
Webview License Management
OUT-OF-THE-BOX AUTO-CONFIGURATION
Out-of-the-box Auto-configuration
 Remote Installation when first on site operation needs to be done by non-technical personnel
 Automated bulk deployment or firmware upgrades
 Operation
 No “boot.cfg” exists, IP connectivity (address, mask and default route) will be set using DHCP
 DHCP Server will return the path and the filename of an instruction file containing
 Firmware
 Configuration file
 Script file
 File server details
 Once downloaded, the instruction file is parsed and executed
 Guidelines
 Requires DHCP server and TFTP server for first boot
 Increased Boot-up time
 No EMP port supported
 Filename and path length limited to 63 and 255 characters
 No IPv6 support
Diagram: 1. DHCP answer includes “tftp-server-name” and “bootfile-name” options; 2. TFTP server stores the instruction file (can also store firmware and config); 3. FTP server stores firmware, config and scripts
Out-of-the-box Auto-configuration
DHCP server configuration example:
subnet 192.168.255.0 netmask 255.255.255.0 {
  dynamic-dhcp range 192.168.255.10 192.168.255.100 {
    option subnet-mask 255.255.255.0;
    option routers 192.168.255.1;
    option tftp-server-name "10.255.204.100";
    option bootfile-name "inst.file";
    option dhcp-lease-time 600;
  }
}
Instruction file example:
! Alcatel-Lucent OmniSwitch OS6850 - Instruction file
! Firmware version
Firmware version:OS_6_4_3_339_R01
Firmware location:/home/ftpboot/firmware
! Configuration file
Config filename:boot_OS6850.cfg
Config location:/tftpboot/
! Debug file
!Debug filename:AlcatelDebug.cfg
!Debug location:/home/ftpboot/debug
! Script file
!Script filename:OS6850_script.txt
! Primary File Server
Primary server: 10.255.204.100
Primary protocol: FTP
Primary user: tftptest
! Secondary File Server
!Secondary server:10.200.110.111
!Secondary protocol:SFTP
!Secondary user:admin
Script file example:
vlan 10
vlan port mobile 1/10
vlan 10 mobile-tag enable
Flowchart: Power on; if boot.cfg is present, normal switch bootup. Otherwise (1) start auto-config and the DHCP client on VLAN 1; if the DHCP offer has a TFTP server and filename, (2) connect to the server and get the instruction file; if it is found, (3) download firmware and/or boot config and (4) download and execute the script, after which the switch is available remotely; otherwise the switch reloads into a normal bootup
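The instruction file format above, as an added example (not AOS code): a parser that reads the key:value lines, skips `!` comment and disabled lines, collects the file-server details and enforces the 63/255 character filename and path limits from the guidelines. Which keys count as filenames or paths and the list of accepted protocols are assumptions taken from the sample; SAMPLE is constructed from the slide's example.

```python
"""Parse and validate an OmniSwitch auto-configuration instruction file.

Added example, not AOS code: it reads the key:value format shown on the slide
(lines starting with '!' are comments or disabled entries) and enforces the
stated guideline that filenames and paths are limited to 63 and 255
characters. Which keys count as filenames or paths, and the protocol list,
are assumptions taken from the sample; SAMPLE itself is constructed from it.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_FILENAME = 63    # slide guideline: filename length limit
MAX_PATH = 255       # slide guideline: path length limit
FILENAME_KEYS = {"Config filename", "Debug filename", "Script filename"}
PATH_KEYS = {"Firmware location", "Config location", "Debug location"}
PROTOCOLS = {"FTP", "SFTP", "TFTP"}  # assumption: protocols named on the slides

SAMPLE = """\
! Alcatel-Lucent OmniSwitch OS6850 - Instruction file
! Firmware version
Firmware version:OS_6_4_3_339_R01
Firmware location:/home/ftpboot/firmware
! Configuration file
Config filename:boot_OS6850.cfg
Config location:/tftpboot/
! Debug file
!Debug filename:AlcatelDebug.cfg
!Debug location:/home/ftpboot/debug
! Script file
!Script filename:OS6850_script.txt
! Primary File Server
Primary server: 10.255.204.100
Primary protocol: FTP
Primary user: tftptest
! Secondary File Server
!Secondary server:10.200.110.111
!Secondary protocol:SFTP
!Secondary user:admin
"""


@dataclass
class Instructions:
    values: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    def server(self, which: str = "Primary") -> Dict[str, str]:
        """Collect the 'Primary ...' or 'Secondary ...' keys into one dict."""
        prefix = which + " "
        return {k[len(prefix):]: v for k, v in self.values.items()
                if k.startswith(prefix)}


def parse_instruction_file(text: str) -> Instructions:
    inst = Instructions()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # comment header, or an entry disabled with a leading '!'
        if ":" not in line:
            inst.problems.append(f"line {lineno}: expected 'key:value'")
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in inst.values:
            inst.problems.append(f"line {lineno}: duplicate key {key!r}")
        inst.values[key] = value
        if key in FILENAME_KEYS and len(value) > MAX_FILENAME:
            inst.problems.append(f"line {lineno}: {key} longer than {MAX_FILENAME} characters")
        elif key in PATH_KEYS and len(value) > MAX_PATH:
            inst.problems.append(f"line {lineno}: {key} longer than {MAX_PATH} characters")
        elif key.endswith("protocol") and value.upper() not in PROTOCOLS:
            inst.problems.append(f"line {lineno}: unknown protocol {value!r}")
    # Firmware, config and script are all fetched from the file server.
    if "server" not in inst.server("Primary"):
        inst.problems.append("no primary file server defined")
    return inst


if __name__ == "__main__":
    parsed = parse_instruction_file(SAMPLE)
    print(parsed.values)
    print(parsed.server("Primary"), parsed.problems)
```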
CONFIGURATION METHODS
Configuration Methods
Command Line Interface
 Command Line Interface
 Online configuration via real-time sessions using CLI commands
 Console or Telnet

 Offline configuration using text file holding CLI commands


 Transfer to switch at a later time

 Snapshot feature captures switch configurations in a text file

 configuration snapshot feature_list [path/filename]

 configuration apply filename

 show configuration snapshot [feature_list]


Command Line Interface
Options
 Command Line Editing
 Use ‘!!’, arrow, delete, insert keys to recall and modify previous commands
 Command Prefix Recognition
 Remembers command prefixes to reduce typing
 CLI Prompt Option
 Modify the CLI prompt
 Command Help
 Use ‘?’ to display possible parameters
 Keyword Completion
 Use <TAB> key to auto complete keywords
 Command History (up to 30 commands)
 Display a list of previously entered commands
 Command Logging (up to 100 commands; detailed information)
 Logs command and results of the command entered
 Syntax Error Display
 Displays indicators showing what is wrong and where in the command
 Alias Command Option
 Substitute text for CLI command
 More Command
 Set the number of displayed lines
Ethernet Ports
Setting Port Options through CLI
Port parameters setting
-> interfaces slot[/port[-port2]] speed {auto | 10 | 100 | 1000 | 10000 | max {100 | 1000}}
-> interfaces slot[/port] mode {uplink | stacking}
-> interfaces slot[/port[-port2]] autoneg {enable | disable | on | off}
-> interfaces slot[/port[-port2]] crossover {auto | mdix | mdi}
-> interfaces slot[/port[-port2]] pause {tx | rx | tx-and-rx | disable}
-> interfaces slot[/port[-port2]] duplex {full | half | auto}
-> interfaces slot[/port[-port2]] admin {up | down}
-> interfaces slot/port alias description
-> interfaces slot[/port[-port2]] no l2 statistics [cli]
-> interfaces slot[/port[-port2]] max frame bytes
-> interfaces slot[/port[-port2]] flood multicast {enable | disable}
-> interfaces slot[/port[-port2]] flood [broadcast | multicast | unknown-unicast | all] [enable | disable]
-> interfaces violation-recovery-time
-> interfaces violation-recovery-trap
-> interfaces clear-violation-all
Diagram: stack of eight units, Slot 1 - Pri, Slot 2 - Sec, Slots 3 to 8 - Idle
• Ethernet Ports: Fixed 10/100/1000BaseT
• SFP Ports: SFP connectors for 100/1000Base-X
• Combo Ports: Combo RJ45/SFP connectors for 10/100/1000BaseT or 1000Base-X
• XFP Ports: 10 Gbps Small Form Factor Pluggable (XFP) transceivers
• SFP+ Ports: 10 Gbps Small Form Factor Pluggable Plus (SFP+) transceivers
Ethernet Ports
CLI Monitoring
-> show interfaces
-> show interfaces capability
-> show interfaces flow control
-> show interfaces pause
-> show interfaces e2e-flow-vlan
-> show interfaces accounting
-> show interfaces counters
-> show interfaces counters errors
-> show interfaces collisions
-> show interfaces status
-> show interfaces port
-> show interfaces ifg
-> show interfaces flood rate
-> show interfaces traffic
-> show interfaces transceiver

-> show interfaces port
Slot/ Admin Link Violations Alias
Port Status Status
-----+----------+---------+----------+-------------
1/1 enable down none " sales "
1/2 enable down none " sales "
1/3 enable down none " sales "
1/4 enable down none " sales "
1/5 enable down none " sales "
1/6 enable down none " sales "
1/7 enable down none " sales "
1/8 enable down none " sales "
….

-> show interfaces 1/20
Slot/Port 1/20 :
Operational Status : up,
Last Time Link Changed : TUE NOV 22 12:19:52 ,
Number of Status Change: 1,
Type : Ethernet,
SFP/XFP : Not Present,
MAC address : 00:e0:b1:c5:3a:0b,
BandWidth (Megabits) : 1000, Duplex : Full,
Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 9216,
Rx :
Bytes Received : 233117328, Unicast Frames : 51104,
Broadcast Frames: 22156, M-cast Frames : 3542048,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Error Frames : 0,
CRC Error Frames: 0, Alignments Err : 0,
Tx :
Bytes Xmitted : 14720188, Unicast Frames : 12,
Broadcast Frames: 1870, M-cast Frames : 227257,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Collided Frames: 0,
Error Frames : 0

-> show interfaces 1/20 capability
Slot/Port AutoNeg Flow Crossover Speed Duplex
-----------+---------+--------+-----------+----------+----------
1/20 CAP EN/DIS EN/DIS MDI/X/Auto 10/100/1G Full/Half
1/20 DEF EN DIS Auto Auto Auto
Pre-Banner Text
 Provides the ability to display a custom message before user login
 Any text stored in the pre_banner.txt file in the /flash directory will be displayed before the login prompt
 Ex.
 Please supply your user name and password at the prompts.
 login : user123
 password :*****
WebView
 Monitoring and configuring the switch by using WebView
 Embedded in switch software
 The following web browsers are supported
 Internet Explorer 6.0 and later for Windows NT, 2000, XP, 2003
 Firefox 2.0 for Windows and Solaris SunOS 5.10
 WebView configuration
 ip http(s) server (R6) or webview server enable (R7/8) – Enables the WebView Application (default= enabled)
 ip http(s) ssl (R6) or webview force-ssl enable (R7/8) – Forces SSL connection between browser and switch (default=enabled)
 ip http(s) port (R6) or webview http(s) port (R7/8) - Changes the port number for the embedded Web server
 aaa authentication http local – Checks the local database for http authentication

-> show webview (R7/8)
WebView Server = Enabled,
WebView Access = Enabled,
WebView Force-SSL = Enabled,
WebView HTTP-Port = 80,
WebView HTTPS-Port = 443

-> show ip http (R6)
Web Management = on
Web Management Force SSL = off
Web Management Http Port = 80
Web Management Https Port = 443
(Figures: WebView login page, WebView home page, chassis home page and help page layout)
OmniVista
(Figure: OmniVista 2500 Series infrastructure stack: OmniVista Advanced Applications on top of OmniVista Web Based Programmatic ELMs and ELMs)
 Supports SNMP over IPv4 and IPv6
 Versions: SNMPv1, SNMPv2, SNMPv3

OmniVista - Core Applications
 Discovery
 Topology
 Access Guardian, UNP, HIC
 Performance
 Traps/Events
 VLAN Manager
 Locator
 Policy Mgt
 Resource Manager
 Inventory

OmniVista Applications
Quarantine Manager and Remediation - Provides Global device containment
SecureView ACL - Provides Global ACL Configuration
Web Services - Provides XML interface & Web browser GUI for Read-only monitoring capabilities
PolicyView - Provides Global QoS Configuration
SecureView Switch Access - Provides Global User Management
Access Guardian - Provides Proactive Network Security Management
ACCESS METHODS AND USER ACCOUNTS
Access Methods
Specifications
 The switch may be set up to allow or deny access through any of the available management interfaces
 Console, Telnet, HTTP, HTTPS, FTP, Secure Shell, and SNMP
 Configured through the Authenticated Switch Access (ASA) feature
 Authentication and authorization
 Local or external database
 Switch Security Specifications
 Telnet - 4 concurrent sessions
 FTP - 4 concurrent sessions
 HTTP - 4 concurrent sessions
 SSH + SFTP - 8 concurrent sessions
 Total sessions (Secure Shell, Telnet, FTP, HTTP, and console) - 20
 SNMP - 50 concurrent sessions
User Accounts
Admin and Default
 Two default user accounts
 Admin
 Full privileges
 By default, access only allowed through console port
 Cannot be modified except for password
 Default password is ‘switch’ (change it before the switch is connected to a production network)
 Default
 Not an active user account
 Default privileges given to new users
 Ability to create new users with full or limited access rights
 Partition Management
 Limits commands a user can run
 Type of access: FTP, Telnet, SNMP, Console, WebView
User Accounts
 Two types of accounts:
 Network administrator accounts.
 Configured with user (sometimes called functional) privileges.
 These privileges determine whether the user has read or write access to the switch and which command domains and families the user is authorized to execute on the switch.
 End-user or customer login accounts.
 Configured with end-user profiles rather than functional privileges.
 Profiles are configured separately and then attached to the user account. A profile specifies the command domains to which a user has access as well as the VLANs and ports.
User Accounts
Network Administrator Accounts
-> user username [password password] [expiration {day | date}] [read-only | read-write [families... | domains... | all | none]] [no snmp | no auth | sha | md5 | sha+des | md5+des] [end-user profile name] [console-only {enable | disable}]
-> no user username
 The SNMP options set the SNMPv3 security level for that user: no auth and md5 leave SNMP traffic unauthenticated or weakly hashed, so use the strongest option the platform offers (sha+des here) unless SNMP access is removed with no snmp
 “admin” user restriction to console only
 -> user admin console-only {enable | disable}
 Minimum password length
 -> user password-size min 10
 Password expiration
 -> user password-expiration 5 (Expires in 5 days for all users)
 -> user user1 password userpass expiration 5 (Specific user)
 -> user user1 password userpass expiration 12/01/2006 15:30
User Accounts
Monitoring
-> show user
User name = Customer1,
Password expiration = 10/27/2011 11:01 (30 days from now),
Password allow to be modified date = 9/30/2007 10:59 (3 days from now),
Account lockout = Yes (Automatically unlocked after 19 minute(s) from now),
Password bad attempts = 3,
Read Only for domains = None,
Read/Write for domains = Admin System Physical Layer2 Services policy Security ,
Read/Write for families = ip rip ospf bgp vrrp ip-routing ipx ipmr ipms ,
Snmp allowed = YES,
Snmp authentication = SHA,
Snmp encryption = DES
Console-Only = Disabled
Account and password policy
 Password policy settings (for Local Switch Access)
 Complexity
 min. number of upper-case letters
 lower-case letters
 numbers
 non-alphanumeric characters
 not to contain user name, etc.
 History – Retain 0 to 24 passwords in history
 Min Password Length – 0 to 14 char
 Min and Max password age – 0 to 999 days
 Commands to enable Password policy include
 -> user password-policy min-nonalpha 2
 -> user password-policy cannot-contain-username enable
 -> user password-history 20
 -> user password-expiration 30
 -> user password-min-age 7
Account and password policy
 Account Lockout settings – global to all accounts
 Failed attempts count - configurable
 Observation Window – period of time after which the failed attempt count is reset
 Lockout
 Threshold – number of attempts before the account is locked out
 Duration – minutes to elapse before the user is allowed to try again
 Commands to enable Password lockout:
 -> user lockout-window 30
 -> user lockout-threshold 3
 -> user lockout-duration 60
 Commands to manually lock out a user:
 -> user lockout j_smith
 -> user unlock j_smith
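To make the interaction of these settings concrete, here is an added Python model (illustration code, not AOS source) of the local-account controls listed above: the password-size, password-policy, password-history, password-min-age and password-expiration checks, and the lockout-window/lockout-threshold/lockout-duration state machine together with the manual lockout and unlock commands. The defaults reproduce the example values on this page; how AOS measures the observation window and whether the history counts the current password are assumptions made for the illustration, and the reference time T0 and the accounts are constructed.

```python
"""Added model of the OmniSwitch account and password policy (illustration, not AOS code).
Assumptions: failures are timestamped and only those inside the observation window count;
the history covers the last N passwords including the current one; a manual lockout has no
duration and is cleared only by unlock.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

T0 = datetime(2011, 9, 27, 11, 1)   # constructed reference time for the walkthrough

def at(minutes: float = 0, days: float = 0) -> datetime:
    return T0 + timedelta(minutes=minutes, days=days)

def digest(password: str) -> str:
    # History keeps digests only; a real store would add a per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class Policy:
    min_size: int = 10              # -> user password-size min 10
    min_uppercase: int = 1          # -> user password-policy min-uppercase 1
    min_lowercase: int = 1          # -> user password-policy min-lowercase 1
    min_digit: int = 1              # -> user password-policy min-digit 1
    min_nonalpha: int = 2           # -> user password-policy min-nonalpha 2
    cannot_contain_username: bool = True   # -> user password-policy cannot-contain-username enable
    history: int = 20               # -> user password-history 20
    min_age_days: int = 7           # -> user password-min-age 7
    expiration_days: int = 30       # -> user password-expiration 30
    lockout_window_min: int = 30    # -> user lockout-window 30
    lockout_threshold: int = 3      # -> user lockout-threshold 3
    lockout_duration_min: int = 60  # -> user lockout-duration 60

@dataclass
class Account:
    username: str
    pw_hash: str
    changed_at: datetime
    old_hashes: List[str] = field(default_factory=list)     # most recent first
    failures: List[datetime] = field(default_factory=list)  # bad attempts in the window
    locked_until: Optional[datetime] = None                 # datetime.max = manual lockout

def password_violations(p: Policy, acct: Account, new_pw: str, now: datetime) -> List[str]:
    """Rules a proposed password breaks; an empty list means it is accepted."""
    v: List[str] = []
    if len(new_pw) < p.min_size:
        v.append("password-size")
    if sum(c.isupper() for c in new_pw) < p.min_uppercase:
        v.append("min-uppercase")
    if sum(c.islower() for c in new_pw) < p.min_lowercase:
        v.append("min-lowercase")
    if sum(c.isdigit() for c in new_pw) < p.min_digit:
        v.append("min-digit")
    if sum(not c.isalnum() for c in new_pw) < p.min_nonalpha:
        v.append("min-nonalpha")
    if p.cannot_contain_username and acct.username.lower() in new_pw.lower():
        v.append("cannot-contain-username")
    recent = ([acct.pw_hash] + acct.old_hashes)[: p.history]   # last N, current included
    if digest(new_pw) in recent:
        v.append("password-history")
    if now - acct.changed_at < timedelta(days=p.min_age_days):
        v.append("password-min-age")
    return v

def change_password(p: Policy, acct: Account, new_pw: str, now: datetime) -> List[str]:
    v = password_violations(p, acct, new_pw, now)
    if not v:
        acct.old_hashes = ([acct.pw_hash] + acct.old_hashes)[: max(p.history - 1, 0)]
        acct.pw_hash, acct.changed_at = digest(new_pw), now
    return v

def password_expired(p: Policy, acct: Account, now: datetime) -> bool:
    return p.expiration_days > 0 and now - acct.changed_at >= timedelta(days=p.expiration_days)

def attempt_login(p: Policy, acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'expired', 'denied' or 'locked', counting failures in the window."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None                     # lockout duration elapsed
    if digest(password) == acct.pw_hash:
        acct.failures.clear()
        return "expired" if password_expired(p, acct, now) else "ok"
    window = timedelta(minutes=p.lockout_window_min)
    acct.failures = [t for t in acct.failures if now - t < window] + [now]
    if len(acct.failures) >= p.lockout_threshold:
        acct.failures.clear()
        acct.locked_until = now + timedelta(minutes=p.lockout_duration_min)
        return "locked"
    return "denied"

def lock(acct: Account) -> None:      # -> user lockout j_smith
    acct.locked_until = datetime.max

def unlock(acct: Account) -> None:    # -> user unlock j_smith
    acct.locked_until, acct.failures = None, []
```

The point the model makes visible is that the observation window and the lockout duration are different clocks: three failures spread over more than lockout-window minutes never lock the account, while three inside it lock it for lockout-duration minutes regardless of whether the password is then correct, and a manual lockout stays until the administrator unlocks it.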
User Accounts
Role Based Management – End User Accounts (R6 only)
 Creates an End User Profile
-> end-user profile myprofile read-write physical
 Configures a range of ports associated with an end-user profile
-> end-user profile myprofile port-list <slot/port>
 Configures a range of VLANs associated with an end-user profile
-> end-user profile myprofile vlan-range <.-.>
 Associates a Profile With a User
-> user User2 end-user profile myprofile
 Displays information about end-user profiles
-> show end-user profile
Note: By default, new profiles do not allow access to any ports or VLANs. If a profile is deleted but the profile name is still associated with a user, that user will not be able to log into the switch.
User Accounts
User Session Customization
 -> session login-attempt
 Sets the number of times a user can attempt unsuccessfully to log into the
switch before the TCP connection is closed
 -> session login-timeout
 Sets the amount of time the user can take to accomplish a successful login to
the switch
 -> session banner
 Sets the file name of the user–defined banner (cli, ftp and/or http)
 -> session timeout
 Configures the inactivity timer for a CLI, HTTP (including WebView), or FTP
interface
 -> session prompt
 Configures the default CLI prompt for console and Telnet sessions
 -> user profile save
 Saves the user account settings for aliases, prompts, and the more mode
screen setting
Authenticated Switch Access (ASA)
Authentication Methods
 ASA
 Method of authenticating users who want to manage the switch using the console, Telnet, FTP, SNMP, Secure Shell, or HTTP
 Local user database
 Third-party server
 RADIUS, LDAP, TACACS+, ACE/Server (Authentication Only)
(Figure: a management station reaches the switch over Telnet/HTTP/SNMP/SSH/FTP and the switch forwards the credentials to an AAA server)
• Access through console (local) port is always enabled
• By default all remote access is disabled
Authenticated Switch Access
CLI
 Grant user access to manage the switch
 Local Authentication
 aaa authentication <management interface> local
 External Authentication
 aaa authentication <management interface> server1 server2 server3 local
 <management interface> is one of: console, telnet, ftp, http, snmp, ssh, default
(Figure: the management interfaces on the left; on the right the Primary AAA server, Backup 1 and Backup 2 AAA servers, and Backup 3 = local)
 The switch uses the first available server in the list
 They are polled in the order they are listed
 Up to 3 backups may be specified (including local)
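The following Python model is an added example, not AOS code, of how a method list such as `rad rad2 local` is walked and why its order matters. The fall-through rule it implements (move to the next server only when the current one does not answer; an explicit reject from a reachable server ends the lookup) and the handling in `resolve` of interfaces with no entry of their own (use `default`, otherwise denied, except the console which always has the local database) are assumptions about AOS behaviour made for the illustration; the backends, configuration and credentials are constructed.

```python
"""Added model of the ASA method list (illustration, not AOS code).
Assumptions: a later server is consulted only when an earlier one is unreachable;
a reject from a reachable server ends the lookup; an interface with no entry uses
"default", else is denied, except the console, which falls back to local.
"""
from typing import Callable, Dict, List, Tuple

# A backend checks (user, password) and returns True/False,
# or raises TimeoutError when the server does not answer.
Backend = Callable[[str, str], bool]

def unreachable(user: str, password: str) -> bool:
    """Stand-in for a RADIUS/LDAP/TACACS+ server that is down."""
    raise TimeoutError("no response")

def database(creds: Dict[str, str]) -> Backend:
    """Stand-in for a reachable server or for the local user database."""
    def check(user: str, password: str) -> bool:
        return creds.get(user) == password
    return check

def resolve(interface: str, config: Dict[str, List[str]]) -> List[str]:
    """Map a management interface to its server list, as `show aaa authentication` reports it."""
    if interface in config:
        return config[interface]
    if "default" in config:
        return config["default"]                         # "Authentication = Use Default"
    return ["local"] if interface == "console" else []   # [] = "Authentication = denied"

def authenticate(names: List[str], servers: Dict[str, Backend],
                 user: str, password: str) -> Tuple[bool, str, List[str]]:
    """Walk the list in order; returns (granted, deciding server, trace)."""
    trace: List[str] = []
    for name in names:
        try:
            ok = servers[name](user, password)
        except TimeoutError:
            trace.append(f"{name}: unreachable, trying next")
            continue
        trace.append(f"{name}: {'accept' if ok else 'reject'}")
        return ok, name, trace                 # first reachable server decides
    trace.append("no server available: access denied")
    return False, "", trace

def login(interface: str, config: Dict[str, List[str]], servers: Dict[str, Backend],
          user: str, password: str) -> Tuple[bool, str, List[str]]:
    return authenticate(resolve(interface, config), servers, user, password)

# Constructed sample equivalent to:
#   -> aaa authentication default rad rad2 local
#   -> aaa authentication telnet rad
SAMPLE_CONFIG: Dict[str, List[str]] = {"default": ["rad", "rad2", "local"], "telnet": ["rad"]}
SAMPLE_SERVERS: Dict[str, Backend] = {
    "rad": database({"ops": "Secr3t!"}),    # reachable RADIUS server, knows only "ops"
    "rad2": unreachable,                    # backup RADIUS server that is down
    "local": database({"admin": "switch"}), # local user database
}

if __name__ == "__main__":
    for iface, user, pw in [("ssh", "ops", "Secr3t!"), ("ssh", "admin", "switch"),
                            ("telnet", "admin", "switch"), ("http", "ops", "Secr3t!")]:
        granted, by, trace = login(iface, SAMPLE_CONFIG, SAMPLE_SERVERS, user, pw)
        print(f"{iface:6} {user:6} {'GRANTED' if granted else 'DENIED':7} via {by or '-':5} {trace}")
```

Two consequences are worth checking on a real deployment: with `rad` reachable, a user who exists only in the local database is rejected by `rad` and `local` is never consulted, so local credentials are not a silent bypass; but when every listed server is down the switch falls through to `local`, so the local admin password is what protects the switch during a RADIUS outage.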
Authenticated Switch Access
Radius Server configuration
 Authentication servers
 -> aaa radius-server rad host {hostname | ip_address} [hostname2 | ip_address2] key secret auth-port auth_port acct-port acct_port
 Tells the switch where the RADIUS server is, and the shared secret that authenticates the switch to it
 -> aaa authentication telnet rad
 The radius server ‘rad’ is checked for telnet authentication
 Accounting servers
 Track network resources such as time, packets, bytes, etc., and user activity (when a user logs in and out, how many login attempts were made, session length, etc.)
 May be located anywhere in the network
 -> aaa accounting session rad
 tells the switch to send accounting information to the RADIUS server rad
 Source IP of the RADIUS requests: the Loopback0 interface address if configured, else the first available IP from the IP stack. The RADIUS server's client (NAS) entry must be defined for that address, since RADIUS servers silently drop requests from unknown clients.
Authenticated Switch Access
Verifying the switch access setup
-> show aaa authentication
Service type = Default
1rst authentication server = rad
2nd authentication server = local
Service type = Console
Authentication = Use Default,
1rst authentication server = rad
2nd authentication server = local
Service type = Telnet
Authentication = Use Default,
1rst authentication server = rad
2nd authentication server = local
Service type = Ftp
Authentication = Use Default,
1rst authentication server = rad
2nd authentication server = local
Service type = Http
Authentication = denied
Service type = Snmp
Authentication = Use Default,
1rst authentication server = rad
2nd authentication server = local
Service type = Ssh
Authentication = Use Default,
1rst authentication server = rad
2nd authentication server = local
NTP
 OmniSwitch can act as an NTP Client, Server, or Peer
 Supported on OmniSwitch 6400, 6850, 6855, 9000, 9000E
 NTP Server
 NTP Authentication
 NTP Broadcast Services
 NTP server is interoperable with a SNTP client/server
 64 associations supported
 Improve Network Log File Accuracy to Speed up Network Fault Diagnosis
 Accurately Synchronize Critical Network Operations and Applications, i.e.:
 Log file accuracy, auditing & monitoring
 Network fault diagnosis and recovery
 Access security and authentication
(Figure: higher stratum servers at the top, a management server, the Ethernet switch acting as lower stratum server, and workstations below it)
 Designating an NTP Server on a client (3 max.)
-> ntp server 1.1.1.1
 NTP Server implementation conforms to RFC1305 NTP version 3
NTP Server - CLI
-> show ntp status
Current time: Tue, Mar 16 2011 18:14:36.600 (UTC),
Last NTP update: -,
Server reference: 0.0.0.0,
Client mode: disabled,
Broadcast client mode: disabled,
Broadcast delay (microseconds): 4000,
Server qualification: synchronized,
Stratum: 16,
Maximum Associations Allowed: 32,
Authentication: disabled,
Source IP Configuration: default

-> show ntp server status
IP address = 192.168.100.1,
Host mode = client,
Peer mode = server,
Prefer = no,
Version = 4,
Key = 0,
Stratum = 16,
Minpoll = 6 (64 seconds),
Maxpoll = 10 (1024 seconds),
Delay = 0.016 seconds,
Offset = 1.517 seconds,
Dispersion = 0.969 seconds
Root distance = 0.000,
Precision = -6,
Reference IP = 0.0.0.0,
Status = configured : reachable : synchronization peer,
Uptime count = 1910 seconds,
Reachability = f,
Unreachable count = 0,
Stats reset count = 2 seconds,
Packets sent = 12,
Packets received = 11,
Duplicate packets = 0,
Bogus origin = 0,
Bad authentication = 0,
Bad dispersion = 0,
Last Event = peer changed to reachable,

Typical scenario (NTP broadcast on network 192.168.100.0/16):
-> ip directed-broadcast enable
-> ntp broadcast n.n.n.255
Broadcasts occur every 64 seconds

-> show ntp server client-list
IP Address Ver Key
-----------------+---+-------+
192.168.100.253 4 0

NTP client configuration:
-> ntp client disable
-> ntp broadcast-client enable
-> ntp client enable

-> show ntp client
Current time: Tue, Mar 16 2011 18:24:13.566 (UTC),
Last NTP update: Tue, Mar 16 2011 18:17:36.116 (UTC),
Server reference: 192.168.100.1,
Client mode: enabled,
Broadcast client mode: enabled,
Broadcast delay (microseconds): 4000,
Server qualification: unsynchronized

Note: the NTP server can be disabled only per interface, as follows: ntp interface n.n.n.n disable
Note: in the outputs above Authentication is disabled and Key = 0, so any host that can reach the switch could supply its time; the NTP Authentication feature listed earlier is what protects the timestamps that logs, password expiration and account lockout depend on.
OmniSwitch
Overview

OBJECTIVE
This lab is designed to familiarize you with the:
1. Code, switch information, including code versions and revision levels (lab1)
2. Operation of the WORKING and CERTIFIED directories of an OmniSwitch including how to
determine which directory the switch will boot from (lab2)
3. OmniSwitch Operating System including the directory structure, configuration and CLI (lab3)
4. USB drive support (lab4)
5. Remote and GUI Webview interface access (lab5)
6. Different admin user access rights (lab6)

EQUIPMENT/SOFTWARE REQUIRED
One OmniSwitch
One PC

RELATED COMMANDS
Show hardware info, show microcode, show microcode history
show chassis, show cmm, show ni, show power supply, show fan, show temperature
reload, show running-directory, show system, reload working no rollback-timeout, show
microcode
usb enable, mount /uflash, cp /flash/working/boot.cfg /uflash/boot.cfg, umount /uflash
cd, pwd, mkdir, ls, dir, rename, rm, delete, cp, mv, move, chmod, attrib, freespace, fsck,
newfs, snapshot, copy working certified, copy flash-synchro, write memory

SUPPORTED PLATFORMS
All

HARDWARE INFORMATION AND OPERATION

It’s important to determine code versions and serial numbers of the switches. These can be
helpful for troubleshooting when dealing with customer support or for upgrading switch
hardware and software.

LAB STEPS
The following will show you how to gather code and module information on a switch.
Gathering Switch Information
Enter the following commands to gather basic switch information about hardware and
software.
Type the following:
-> show hardware info – Information on CPU, Memory, Miniboot.
-> show microcode – Code descriptions and versions.
-> show chassis – Chassis type and part numbers.
-> show cmm – Processor and fabric board information.
-> show ni – Networking interface information.
-> show power – Power supply information.
-> show fan – Fan Information.
-> show temperature – Temperature and temperature threshold.
-> show health – health statistics.
The commands listed on page 1 will tell you the version of code running on the switch as well
as revision level and serial numbers for the modules, power supplies and fans.
Ethernet Port Configuration
You can allow Ethernet ports to auto-negotiate the speed and duplex, or you can manually set
them. Enter the following commands to change and view the configuration of the Ethernet
ports as well as gather frame statistics and error counts:
Enter:
-> show interfaces slot/port – Tells whether the port is active or not as well as
traffic statistics.
-> interfaces slot/port duplex [half,full,auto] – Sets the duplex mode.
-> interfaces slot/port speed [10,100,1000,auto] – Sets the speed.
-> interfaces slot/port admin [up,down] – enable or disable a port.
-> show interfaces status – Display line interface settings
-> show interfaces slot/port accounting – gather frame statistics.
-> show interfaces slot/port counters – gather error and frame counts.
Use ‘?’ to experiment with other interface commands

SUMMARY
This lab briefly introduced you to the hardware and software of an OmniSwitch and how to
gather basic information.

LAB CHECK
What commands would be used to determine the following?
UBOOT-miniboot Version -> _______________________________
Code Release -> _______________________________
Date of Upgrade -> _______________________________
Chassis Part # -> _______________________________
Chassis MAC-Address -> _______________________________
NI Part Numbers -> _______________________________

WORKING/CERTIFIED DIRECTORIES

An OmniSwitch provides the user with the ability to keep two separate configurations stored
on the switch. These configurations are stored in the WORKING and CERTIFIED directories.
The switch can boot from either configuration.

LAB STEPS
Working/CERTIFIED Directory
Ensure that there is a console connection to the switch, open your communication
software such as HyperTerminal or ProComm and power cycle the switch.
Default Com Settings:
BPS – 9600
Data Bits – 8
Parity – None
Stop Bits – 1
Flow Control - None

Watch as the switch boots, take note of the various messages that scroll across the screen as
well as which directory the switch is booting from. Once prompted, log in to the switch.
Type the following:
login: admin
password: switch
-> exit
login: admin
password: switch
-> show system
After logging back in, check which directory the switch booted from; it will show either
CERTIFIED or WORKING under ‘Running Configuration’. The switch boots from the CERTIFIED
directory when the contents of the WORKING and CERTIFIED directories differ. If they are
identical, including code and the boot.cfg file, it boots from WORKING.
Type the following:
-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : NOT SYNCHRONIZED,
NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)
Now let’s check to see what version of code is running on the switch as well as what files are
stored in both the WORKING and CERTIFIED directories. These topics will be discussed in more
detail in a later lab.

Type the following:


-> show running-directory
-> ls /flash/working
-> ls /flash/certified

The switch can be forced to boot from the WORKING directory even if the configurations are
different. If changes were made, but not saved, you will be prompted to confirm the reboot.
Type the following (on Release 6 switches) :
-> reload working no rollback-timeout
Confirm Activate (Y/N) : y

This will reboot the switch, but it will now boot from the WORKING directory. The ‘no
rollback’ parameter tells the switch to continue running under the WORKING directory
permanently rather than rebooting after a specified amount of time.
Once the switch boots, verify that it booted from the WORKING directory.
Type the following:
-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : NOT SYNCHRONIZED,
NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)

To see what version of code is running, type:


-> show microcode
Make note of the version of code you are running (e.g. – 6.4.5.402.R02)

SUMMARY
The WORKING and CERTIFIED directories provide the opportunity to have two different
configurations or versions of code on the switch. The CERTIFIED version can be used as a
backup to the WORKING directory. These two directories will be discussed in more detail in a
later lab.

LAB CHECK

1. What command would be used to reboot a switch to a default configuration?

2. What command would be used to determine the version of operating code running on a switch?

3. How do you log-out of a console session?

OPERATING SYSTEM

LAB STEPS
This lab will introduce the commands necessary to navigate the directory structure of the
switch. Also, to introduce the CLI and line editing feature as well as saving and applying
configuration files.
The switch can be configured using SNMP, WebView or the CLI. In this section, we’ll
concentrate on the CLI, its syntax, and its line-editing feature. The CLI gives you the ability
to search for parameters if the complete command is not known as well as recall and edit
previous commands.
Using ‘?’
A ‘?’ can be used to get a list of possible commands. Additionally, a question mark can be
entered after a command is started to get a list of available parameters.
Type the following:
login: admin
password: switch
-> ?
-> vlan ?
Notice the list of options available with the vlan command. Experiment with this for some
other commands such as ‘show ?’, ‘aaa ?’, or ‘copy ?’; this can be a useful feature when
you are unsure of the entire command.
Also, entering a ‘?’ after a letter or string of letters, will list all commands that begin with
that string.
Type the following:
-> po?

Using <TAB>
Abbreviated commands are not allowed; however, pressing the <TAB> key will automatically
complete any partial command.
Type the following:
-> sh<TAB> vl<TAB>

CLI Line Editor and History


Some additional capabilities of the CLI are to display the last command entered, modify
commands, scroll through previous commands, and to re-enter a specific previously entered
command.
Display the previous command
Type the following:
-> !!

You can now modify the command as necessary. Additionally, you can use the arrow keys
to scroll through previous commands.
You can also display a list of previously entered commands, copy one of those commands
to the CLI, modify it if needed, and re-enter it.
Type the following:
-> show history
-> !# (‘#’ = command number)
You now have the ability to edit the command as needed and re-enter it. You can also bring up
the last command that begins with a given prefix. Bring up the last command previously entered
that begins with ‘show’. Enter:
-> !show

Directory Structure
It is important to understand the directory structure of an OmniSwitch. Different directories
store different configurations on the switch. There are two main directories, flash/Working
and flash/Certified. Each contains a configuration for the switch. The switch uses basic UNIX
commands to create, delete, move and copy files and directories.
pwd – show current directory.
cd – change directory.
mkdir – create a new directory.
ls – list contents of a directory.
dir – list contents of a directory.
mv – move a file.
cp – copy a file.
rm – remove a file.
Type the following:
-> ls
-> pwd
-> cd /flash/working
-> ls -l (view file date/times including boot.cfg)
-> pwd
-> cd ..
-> cd certified
-> pwd
-> cd /flash
-> pwd

Note: Be careful not to move or delete any important files.


Configuration Basics
There are three different versions of a configuration on an OmniSwitch. They are the
Working, Certified, and Running version. When the switch boots, (depending on the switch
configurations), it will boot from either the WORKING or CERTIFIED Directory. Once it boots
from one of these directories, that configuration then becomes the Running Configuration.
Running Configuration
Let’s create three new VLANs numbered VLAN 2, VLAN 3, and VLAN 99.
Type the following:
-> vlan 2
-> vlan 3
-> vlan 99
-> show vlan
(Do you remember the shortcut using the <TAB> key?)

The above commands created three VLANs with their respective numbers. Entering the
commands makes changes to the Running Configuration. The changes take effect
immediately, but have not been written permanently. To demonstrate this, reboot the
switch.
Type the following :
-> reload working no rollback-timeout

When the switch reboots, login and check to see which VLANs have been created.
Type the following:
-> show vlan

Notice that the VLANs do not exist. This is because the changes were made to the Running
Configuration, but not saved. Let’s do the same again, but this time we’ll save the changes
to the WORKING directory.
Working Directory
The WORKING directory is a directory on the switch where the configuration file and code are
stored. This directory can be read when the switch boots and the configuration stored in the
boot.cfg file will be applied.
Re-Type the following:
-> vlan 2
-> vlan 3
-> vlan 99
-> show vlan

The configuration file the switch reads upon boot is called boot.cfg. The boot.cfg file can
exist in either the WORKING or CERTIFIED directory.
Type the following:
-> write memory
File /flash/working/boot.cfg replaced.
This file may be overwritten if "takeover" is executed before "certify"

The command above writes the running configuration to the boot.cfg file in the WORKING
directory. Now if the switch is rebooted from the WORKING directory, the configuration will
be saved. Let’s reboot the switch, giving it the command to reboot from the configuration
stored in the WORKING directory.
Type the following:
-> reload working no rollback-timeout

When the switch reboots log in and type the command to view the VLANs.
Type the following:
-> show vlan

Notice the VLANs are still there since they were saved to the boot.cfg file in the WORKING
directory and the switch booted from the WORKING directory.
The boot.cfg file contains the switch configuration that gets read when the switch boots, we
will view this file in the next section. By using the parameter ‘no rollback-timeout’ with
the reload command, the switch will permanently run with that configuration. The
‘rollback-timeout’ parameter could be used to have the switch automatically reboot
after a specified amount of time. The following command will cause the switch to reboot to
the WORKING directory, then after 1 minute, reboot again.
-> reload working rollback-timeout 1

Certified Directory
Recall that the CERTIFIED directory can be used to store a backup configuration on the
switch. When the switch boots, it compares the configurations in both the WORKING and
CERTIFIED directories, if they’re the same it boots from the WORKING directory, if they
differ, it boots from the CERTIFIED directory. Let’s reboot the switch without telling it
specifically to boot from the WORKING directory (be aware that on a chassis with two CMMs,
e.g. a 9700, a takeover will happen: the secondary CMM becomes Primary and the former Primary
reboots and comes back as Secondary).
Enter:
-> reload

When the switch reboots, check for the VLANs.


Enter:
-> show vlan

Notice they are gone, this is because the switch booted from the CERTIFIED directory. Enter
the command to show what directory the switch booted from.
Enter:
-> show running-directory

The switch booted from the CERTIFIED directory because the changes saved to the WORKING
directory have not been saved to the CERTIFIED directory, causing the two directories to be
different.
Changes cannot be written directly to the CERTIFED directory, they can only be copied to the
CERTIFIED directory from the WORKING directory. Let’s reboot the switch from the WORKING
directory once again.
Enter:
-> reload working no rollback-timeout

When the switch reboots, log in and enter the command to see which directory the switch
booted from as well the Certify/Restore status.
-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : NOT SYNCHRONIZED,
NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)

Notice that the entry reads ‘CERTIFY NEEDED’. This indicates that the WORKING directory has
not been copied to the CERTIFIED directory. Enter the command to copy the configuration in
the WORKING directory to the CERTIFIED directory.
Enter:
-> copy working certified

The above command “Certifies” the WORKING directory. You now have a backup
configuration stored in the CERTIFIED directory. Enter the command to check the
Certify/Restore status, notice it reads ‘CERTIFIED’.
-> show running-directory
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : NOT SYNCHRONIZED,
NIs Reload On Takeover : ALL NIs (RUNNING Directories OUT-OF-SYNC)

Note: The ‘copy working certified’ command should be used only after the configuration
in the WORKING directory is known to be good (or valid).
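Because the boot decision hinges on the two directories being byte-for-byte identical, it is worth being able to check that outside the switch. The following Python check is an added example, not an AOS command: it reproduces the rule described above (boot WORKING only when WORKING and CERTIFIED hold the same files with the same contents, code images and boot.cfg alike; any difference selects CERTIFIED) on two directory trees, which can be copies of /flash/working and /flash/certified pulled off the switch with FTP or the USB drive. The constructed sample tree, its file names and the `certify` helper that emulates `copy working certified` are assumptions for the illustration.

```python
"""Added check reproducing the WORKING/CERTIFIED boot decision (illustration, not an AOS command).
Assumption: the switch treats the directories as "identical" when every file is present in both
with the same contents; sample file names below are illustrative.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

def file_digests(directory: str) -> Dict[str, str]:
    """SHA-256 of every file under directory, keyed by path relative to it."""
    out: Dict[str, str] = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            out[os.path.relpath(path, directory)] = h.hexdigest()
    return out

def boot_directory(working: str, certified: str) -> Tuple[str, List[str]]:
    """Return (directory the switch would boot from, sorted list of differences)."""
    w, c = file_digests(working), file_digests(certified)
    diffs = sorted(
        [f"{n}: only in working" for n in w.keys() - c.keys()]
        + [f"{n}: only in certified" for n in c.keys() - w.keys()]
        + [f"{n}: contents differ" for n in w.keys() & c.keys() if w[n] != c[n]]
    )
    return ("WORKING" if not diffs else "CERTIFIED"), diffs

def certify(working: str, certified: str) -> None:
    """Emulate `copy working certified`: make CERTIFIED an exact copy of WORKING."""
    shutil.rmtree(certified)
    shutil.copytree(working, certified)

def build_sample(base: str) -> Tuple[str, str]:
    """Constructed sample flash: identical image in both, boot.cfg saved to WORKING only."""
    working, certified = os.path.join(base, "working"), os.path.join(base, "certified")
    for d in (working, certified):
        os.makedirs(d)
        with open(os.path.join(d, "Kbase.img"), "wb") as f:   # illustrative image name
            f.write(b"\x7fELF sample image bytes")
        with open(os.path.join(d, "boot.cfg"), "w") as f:
            f.write("! Chassis:\nsystem name SW1\n")
    with open(os.path.join(working, "boot.cfg"), "a") as f:  # what `write memory` added
        f.write("! VLAN:\nvlan 2\nvlan 3\nvlan 99\n")
    return working, certified

def demo() -> Tuple[Tuple[str, List[str]], Tuple[str, List[str]]]:
    """Decision before and after certifying the constructed sample."""
    base = tempfile.mkdtemp()
    try:
        working, certified = build_sample(base)
        before = boot_directory(working, certified)
        certify(working, certified)
        after = boot_directory(working, certified)
    finally:
        shutil.rmtree(base)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before certify:", before)   # CERTIFIED, boot.cfg differs
    print("after certify: ", after)    # WORKING, no differences
```

The list of differing files is the useful output: when a switch unexpectedly comes up with the CERTIFIED configuration after a code upgrade, it tells you whether a forgotten `copy working certified`, a stray file, or a changed image is the cause, before the rollback is treated as a fault or as tampering.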
Snapshot / Text Based Configuration
The snapshot feature allows a text file to be created based on the current running
configuration. This file can then be uploaded from the switch, manipulated, and applied to
other switches.
The command “more” enables the more mode for your console screen display.
Type the following:
-> show configuration snapshot all
-> write terminal
The commands above list your current running configuration on the screen. You can capture
your configuration to a text file. Either command can be used.
Type the following.
-> configuration snapshot all snapall

The above command creates a snapshot of the entire switch configuration and copies it to a
file called snapall in the current directory.
Type the following:
-> view snapall

The above command will bring up the vi editor but allows you to only view the file. Notice
the syntax of the ASCII file. Use the ‘j’ and ‘k’ keys to scroll up and down respectively.
Note: Entering ‘vi’ instead of ‘view’ will allow you to use the vi editor to edit the file.
Exit from viewing the snapshot file. If vi is used, ‘<esc> :q!’ exits the vi session.
Type the following:
-> :q

The ‘more’ command can be used as an alternative to view the file.


-> more snapall

It isn’t necessary to create a snapshot of the entire switch configuration. To create a


snapshot of only the VLAN configuration enter the following.
Type the following:
-> vlan 5-7
-> show vlan
-> configuration snapshot vlan snapvlan

This will copy only the VLAN configuration to a file called snapvlan in the current directory.
Additional options can be specified for creating snapshots. Enter the following to see the
additional parameters and experiment with creating additional snapshots.
Enter:
-> configuration snapshot ?

A syntax check can be run on a configuration snapshot before it is applied.
Enter:
-> configuration syntax check snapvlan verbose

After running a syntax check, the snapshot can be applied to the switch. Let’s delete some
existing VLANs and then reapply them using the VLAN snapshot.
Enter:
-> no vlan 5-7
-> show vlan

Notice the VLANs have been removed. Apply the VLAN snapshot saved earlier.
-> configuration apply snapvlan
-> show vlan

This will reapply the snapshot file used in the command and recreate VLANs 5, 6, and 7. This
command can be used to apply a snapshot taken from another switch to help make
configuration easier.
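The workflow above (take a snapshot, edit it, syntax check it, apply it on another switch) is worth scripting when the only thing that differs per switch is the addressing. The following is an added example, not part of the course material: it rewrites the IP interface addresses in a snapshot for a target switch, validates every replacement before writing it, and reports interfaces that were left untouched, since applying those unchanged would duplicate an address on the network. It assumes the snapshot is plain text with one CLI command per line and ‘!’ section lines, and that interfaces appear in the ‘ip interface <name> address A.B.C.D/N vlan V’ form used in this lab (a snapshot taken from a real switch may render the address differently, in which case IP_INTERFACE_RE needs adapting). The sample snapshot is constructed for this example.

```python
"""Retarget an OmniSwitch configuration snapshot for another switch.

Added example, not part of the course. Assumes one CLI command per line,
'!' section lines, and 'ip interface <name> address A.B.C.D/N vlan V'
lines as typed in this lab. SAMPLE_SNAPSHOT is constructed.
"""
import ipaddress
import re

SAMPLE_SNAPSHOT = """\
! Chassis:
system name "switch-A"
! VLAN:
vlan 1 enable name "VLAN 1"
vlan 5-7 enable
! IP:
ip interface "VLAN1" address 10.0.1.1/24 vlan 1
ip interface "mgmt" address 10.0.5.1/24 vlan 5
! AAA:
aaa authentication http local
aaa authentication ssh local
"""

# prefix = everything up to the address, addr = the address itself,
# suffix = the rest of the command (vlan number and any other options)
IP_INTERFACE_RE = re.compile(
    r'^(?P<prefix>ip interface\s+"?(?P<name>[^"\s]+)"?\s+address\s+)'
    r'(?P<addr>\d+(?:\.\d+){3}(?:/\d+)?)'
    r'(?P<suffix>.*)$'
)


def retarget_snapshot(snapshot, new_addresses, new_name=None):
    """Return (new_snapshot, interfaces_left_unchanged).

    new_addresses maps an interface name to the address (with prefix
    length) it should get on the target switch. Each replacement is
    validated with ipaddress before it is written, so a typo cannot end
    up in the file that 'configuration apply' will execute. Interfaces
    with no entry keep the source address and are reported.
    """
    out_lines, unchanged = [], []
    for line in snapshot.splitlines():
        m = IP_INTERFACE_RE.match(line)
        if m:
            name = m.group("name")
            if name in new_addresses:
                new_addr = str(ipaddress.ip_interface(new_addresses[name]))
                line = f"{m.group('prefix')}{new_addr}{m.group('suffix')}"
            else:
                unchanged.append(name)
        elif new_name is not None and line.startswith("system name "):
            line = f'system name "{new_name}"'
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", unchanged


def duplicate_addresses(snapshot):
    """Return {address: [interface names]} for addresses used more than once."""
    seen = {}
    for line in snapshot.splitlines():
        m = IP_INTERFACE_RE.match(line)
        if m:
            seen.setdefault(m.group("addr"), []).append(m.group("name"))
    return {addr: names for addr, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    text, left = retarget_snapshot(
        SAMPLE_SNAPSHOT, {"VLAN1": "10.0.1.2/24", "mgmt": "10.0.5.2/24"}, "switch-B")
    print(text)
    print("unchanged:", left, "duplicates:", duplicate_addresses(text))
```

Run the result through ‘configuration syntax check <file> verbose’ on the target switch before applying it; the script only guards against bad addresses and reused ones, not against commands the target model does not support.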


USB FLASH DRIVE

An Alcatel-Lucent certified USB flash drive can be connected to the CMM and used to transfer
images to and from the flash memory on the switch. This can be used for upgrading switch code
or backing up files. Additionally, automatic code upgrades and the capability to boot from the
USB flash drive for disaster recovery purposes are also supported.
This lab introduces the use of the OmniSwitch USB port. For this lab, we will only
demonstrate how to copy a file from the switch to the USB memory stick.

LAB STEPS
You will need to plug a USB memory stick into the USB port of the OmniSwitch.
Then type the following commands on the OmniSwitch to mount the USB flash drive and transfer
files to it. For this lab, we will only copy the configuration file (boot.cfg) from the
switch to the USB flash drive.
-> usb enable
-> cp /flash/working/boot.cfg /uflash/boot.cfg

Then check that the file has been transferred to your USB drive.
-> cd /uflash
-> ls


WEB VIEW REMOTE ACCESS

By default, remote access is not allowed on an OmniSwitch. This is a security measure to
prevent unauthorized access. In order to allow remote access, including Telnet and WebView
(HTTP), the switch must be configured to allow it.

LAB STEPS
Before beginning, reboot the switch from the WORKING directory.
Enter:
-> rm /flash/working/boot.cfg
-> reload working no rollback-timeout
When the switch reboots, save the configuration to the boot.cfg file.
Enter:
-> write memory
Steps for connecting to a virtual IP address on the switch
For switches without an EMP interface (6450 and 6850E):
Create a virtual router IP address for VLAN 1 with a class C netmask.
Enter:
-> ip interface VLAN1 address 10.0.1.1/24 vlan 1
Ensure you have IP connectivity by pinging the switch via the PC attached to the switch. Once
IP connectivity has been established, enter the command to show the current status of Web
Management.
Enter:
-> show http
Web Management = on
Web Management Force SSL = off
Web Management Http Port = 80
Web Management Https Port = 443

Bring up a web browser and enter the IP address of the switch in the URL.
You should still not be able to access the switch. If your browser displays a message
telling you that Web Management is disabled, enter the following to enable Web
Management.
Enter:
-> ip http server
Now that Web Management has been enabled, try connecting again with a web browser, using
admin and switch to log in. You still do not have the ability to log in and configure the switch
with WebView.
You should receive a message indicating an invalid username and password was entered.
Display the current AAA authentication settings.
Enter:
-> show aaa authentication


Under the HTTP section, it indicates that HTTP access is denied. By default, all remote access
is denied. Let’s enable remote access.
Enter:
-> aaa authentication http local
-> show aaa authentication
This configures the switch to check the local database for any type of login. You could also
have entered ‘aaa authentication default local’ to have it check the local database for
all access methods such as FTP or TELNET. Take note of the various methods of access and
their default values.
Attempt remote access via your browser again; you should now have access to the switch.

SECURE SOCKET LAYER

The Secure Socket Layer feature of WebView allows for secure access to the switch by
encrypting the HTML between the web browser and the switch. Keep in mind that the switch is
capable of handling SSL at any time. The following command forces SSL communication
between the switch and browser; non-encrypted HTML will not be accepted. The force-ssl
option is enabled by default on R7 switches.
Enter:
-> ip http ssl
-> ip
-> show http
Web Management = off
Web Management Force SSL = on
Web Management Http Port = 80
Web Management Https Port = 443

Try connecting by using https://{IP Address} in your web browser, the communication is now
encrypted using SSL.
Now, look around:
1. Under Networking --- IP (vertical options on left) rollover IP (along horizontal at the
top) and then click on Global. What are the IP Route Preferences?
2. Under Networking --- IP rollover IP and Interfaces then click on Configured.
3. Under System -- Interfaces, click on General. Make note of the MAC address of the
port your PC is connected to. Also, take a look at Statistics (Input and Output).


SWITCH SECURITY ACCESS

This lab is designed to familiarize you with the switch security features of an OmniSwitch.
With this feature, users with different access rights and configuration abilities can be
created.
Security is an important element on an OmniSwitch. In this lab, we’ll discover how to create
users and manipulate the read and write privileges on the switch.

LAB STEPS
Before you begin this lab, remove the boot.cfg file in the working and certified directories,
and type reload, to set your switch back to factory defaults. [You may also need to remove
userTable5 from the network directory.]
To view a list of users already created enter the following.
Enter:
-> show user

You should see at least 2 users: admin and default. Notice the read and write privileges for
each user and domain, as well as the SNMP privileges.
Admin – Default user with full capability to configure the switch and create additional
users.
Default – This account cannot be used to login to the switch. These privileges are applied
to all new users created on the switch. By default, new users have no privileges; however
the privileges of the default user can be modified if desired.
-> show user
User name = admin
Password expiration = None,
Read-Only for domains = None,
Read/Write for domains = All ,
SNMP allowed = NO
User name = default
Password expiration = None,
Read-Only for domains = None,
Read/Write for domains = None ,
Snmp Allowed = NO

As you can see, new users have no administrative rights by default. (In the next section we’ll
see how to create new users and configure administrative rights for them).
Creating/Deleting Users
If the user accounts of userread and userwrite have already been created, then use the
following commands to delete them before continuing.
Enter:
-> no user userread
-> no user userwrite
-> write memory

Next, we’ll create two new users called userread and userwrite, assign them passwords, and
save the configuration.


Enter:
-> user userread password userread
(You have created a new user, but they can’t do anything yet. They have no
privileges because the default user privileges get assigned to all new users, and the
default user has no privileges. If you do not set the privilege for a user, that user will
not even be able to log in.)
-> user userread read-only ip
-> user userwrite password userwrite
-> user userwrite read-write ip
-> write memory

You will now log back in with either of these users. Then attempt to enter four commands
(show vlan, show ip interface, ip interface…, and reload).
Enter:
-> exit
login: userread
password: ********
-> show vlan
-> show ip interface
-> ip interface vlan-1-20 address 192.168.20.1/24 vlan 1
-> reload

Which of these four commands worked? Try running various commands to see what access
your privileges have given you.
-> show vlan
ERROR: Authorization failed. No functional privileges on this command

Log in as userwrite and attempt the same three commands. What have you learned?
Now, log back in under the admin account and enter the command to see the new users.
Enter:
-> exit
login: admin
password: *****
-> show user

You will see the privileges you assigned to userread and userwrite.
User name = userread
Password expiration = None,
ReadOnly for domains = ,
Read only for families = ip ,
Read/Write for domains = None,
SNMP allowed = NO

User name = userwrite
Password expiration = None,
Read-Only for domains = None,
Read/Write for domains = ,
Read/Write for families = ip ,
SNMP allowed = NO

Now let’s change the privileges of userread and then view the changes.
Enter:
-> user userread read-only all
-> show user userread
-> write memory


You should now see that this user has full read access.
-> show user userread
User name = userread
Password expiration = None,
Read-Only for domains = All,
Read/Write for domains = None ,
SNMP allowed = NO

Log in as userread and type the following commands. Notice you now have the ability to view
the information.
Enter:
-> exit
login: userread
password: ********
-> show vlan
-> show user
-> show chassis
Now let’s test the ability of this user to make changes to the switch.
Enter:
-> vlan 2
You will get an error saying you’re not authorized. This is because userread only has read
privileges, not write privileges.
-> vlan 2
ERROR: Authorization failed. No functional privileges on this command
Log back in under admin and modify the privileges of userwrite to allow changes to the
switch.
Enter:
-> exit
login: admin
password: *****
-> user userwrite read-write all
-> show user userwrite
-> write memory
You should now see that this user has full write privileges.
-> show user userwrite
User name = userwrite
Password expiration = None,
Read-Only for domains = None,
Read/Write for domains = All ,
SNMP allowed = NO
Log in as userwrite, and enter the command to create a VLAN. You can now create VLANs
since you have full write privileges.
Enter:
-> exit
login: userwrite
password: *********
-> vlan 2

PARTITION MANAGEMENT
You can give users privileges based on specific commands or groups of commands known as
domains. This is known as Partition Management.
Let’s modify the privileges of userread and only give permission to run commands in the
Layer2 domain.


Enter:
-> user userread read-only none
-> user userread read-only domain-layer2
-> show user userread
-> write memory
This gives the user read-only privileges to the commands under the Layer2 domain.
-> show user userread
User name = userread,
Password expiration = None,
Read-Only for domains = Layer 2,
Read/Write for domains = All ,
SNMP allowed = NO
Log in as userread and run the following commands.
Enter:
login: userread
password: ********
-> show vlan
-> show running-directory
You have the ability to run VLAN commands since they are under the layer2 domain.
However, the ‘running-directory’ command will fail since you do not have access to the
admin domain.
-> show running-directory
ERROR: Authorization failed. No functional privileges on this command
A list of the domains and the associated commands are available in the user guide. The
same domain privileges can be applied for write access also.
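Once several users with partitioned privileges exist, the ‘show user’ output is the place to review who can change what. The following is an added example, not part of the course: it parses the ‘show user’ output format reproduced in this lab (one ‘User name’ block per account, key = value lines, with the switch’s slightly inconsistent field spellings) and reports accounts that deserve a second look: non-admin accounts with read-write on all domains, accounts with no privileges at all (which, as the lab notes, cannot log in), accounts with SNMP access, and passwords that never expire. The sample output is the lab’s admin/default/userread/userwrite listing plus a constructed ‘opsuser’ account.

```python
"""Audit OmniSwitch user privileges from 'show user' output.

Added example, not part of the course. Parses the 'show user' format shown
in this lab. SAMPLE_SHOW_USER reproduces the lab listing and adds a
constructed 'opsuser' account with full write access and SNMP enabled.
"""
import re

SAMPLE_SHOW_USER = """\
User name = admin
Password expiration = None,
Read-Only for domains = None,
Read/Write for domains = All ,
SNMP allowed = NO
User name = default
Password expiration = None,
Read-Only for domains = None,
Read/Write for domains = None ,
Snmp Allowed = NO
User name = userread
Password expiration = None,
ReadOnly for domains = ,
Read only for families = ip ,
Read/Write for domains = None,
SNMP allowed = NO
User name = userwrite
Password expiration = None,
Read-Only for domains = None,
Read/Write for domains = ,
Read/Write for families = ip ,
SNMP allowed = NO
User name = opsuser
Password expiration = 01/31/2025 08:00,
Read-Only for domains = None,
Read/Write for domains = All ,
SNMP allowed = YES
"""

# The switch prints the same field with different spellings ("Read-Only",
# "ReadOnly", "Read only"); keys are normalised to lowercase letters only.
FIELDS = {
    "readonlyfordomains": "ro_domains",
    "readonlyforfamilies": "ro_families",
    "readwritefordomains": "rw_domains",
    "readwriteforfamilies": "rw_families",
}


def _names(value):
    """'All ,' -> {'all'}; 'None,' or '' -> set(); 'ip ,' -> {'ip'}."""
    value = value.strip().rstrip(",").strip()
    if not value or value.lower() == "none":
        return set()
    return {p.strip().lower() for p in value.split(",") if p.strip()}


def parse_show_user(text):
    """Return a list of user dicts in the order the switch listed them."""
    users, current = [], None
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"[^a-z]", "", key.lower())
        value = value.strip().rstrip(",").strip()
        if key == "username":
            current = {"name": value, "ro_domains": set(), "ro_families": set(),
                       "rw_domains": set(), "rw_families": set(),
                       "snmp": False, "expiration": None}
            users.append(current)
        elif current is None:
            continue
        elif key == "passwordexpiration":
            current["expiration"] = None if value.lower() == "none" else value
        elif key == "snmpallowed":
            current["snmp"] = value.upper() == "YES"
        elif key in FIELDS:
            current[FIELDS[key]] = _names(value)
    return users


def can_login(user):
    """An account with no read or write privilege at all cannot log in."""
    return bool(user["ro_domains"] | user["ro_families"]
                | user["rw_domains"] | user["rw_families"])


def audit_users(users):
    """Return (user, finding) pairs; 'default' is a template, not a login."""
    findings = []
    for u in users:
        if u["name"] == "default":
            continue
        if "all" in u["rw_domains"] and u["name"] != "admin":
            findings.append((u["name"], "read-write on all domains; partition to the domains actually needed"))
        if not can_login(u):
            findings.append((u["name"], "no privileges assigned; account cannot log in"))
        if u["snmp"]:
            findings.append((u["name"], "SNMP access allowed; confirm this account needs it"))
        if u["expiration"] is None:
            findings.append((u["name"], "password never expires"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_users(parse_show_user(SAMPLE_SHOW_USER)):
        print(f"{name}: {finding}")
```

The parser deliberately ignores the mapping between families (such as ip) and the domain that contains them, which is documented in the user guide; it reports exactly the families and domains the switch printed.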
Authenticated Switch Access
ASA provides the ability to restrict which users are able to configure the switch remotely.
Switch login attempts can be challenged via the local database, or a remote database such as
RADIUS or LDAP. ASA applies to Telnet, FTP, SNMP, SSH, HTTP, and the console and modem
ports.
Enter the following to configure the switch to check the local database when a TELNET
connection is attempted.
Enter:
-> aaa authentication telnet local
Ensure you have IP connectivity through a virtual router interface as shown in the Remote
Access lab. Perform the following to test TELNET connectivity.
Telnet to the IP address on the switch from your PC
login: admin
password: *****

You will now be allowed to access the switch using a TELNET connection. This capability can
be disabled if desired. From your console connection, perform the following to check the
remote access status and then disable it.
Enter:
-> show aaa authentication


Notice that it shows TELNET authentication is being done locally, or by the switch’s internal
database. No external authentication (RADIUS, LDAP) is being done at this time.
-> show aaa authentication
Service type = Default
1rst authentication server = local
Service type = Console
1rst authentication server = local
Service type = Telnet
Authentication = Use Default,
1rst authentication server = local
Service type = Ftp
1rst authentication server = local
Service type = Http
Authentication = Use Default,
1rst authentication server = local
Service type = Snmp
1rst authentication server = local
Service type = Ssh
Authentication = Use Default,
1rst authentication server = local

Now, let’s disable TELNET access and try connecting once again. From your console
connection enter the following.
Enter:
-> no aaa authentication telnet
-> show aaa authentication
Service type = Default
1rst authentication server = local
Service type = Console
1rst authentication server = local
Service type = Telnet
Authentication = Denied,
Service type = Ftp
1rst authentication server = local
Service type = Http
Authentication = Use Default,
1rst authentication server = local
Service type = Snmp
1rst authentication server = local
Service type = Ssh
Authentication = Use Default,
1rst authentication server = local

Attempt to TELNET to the switch again.
Notice you are no longer authorized. Experiment with this feature using FTP and HTTP.
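The WebView/SSL section and the Authenticated Switch Access section above together define the switch’s remote-management exposure: which services AAA will authenticate, and whether WebView forces SSL. The following is an added example, not part of the course: it parses the ‘show http’ and ‘show aaa authentication’ output formats reproduced in this lab and reports which services are open and which of them carry the login across the network in cleartext (Telnet, FTP, and HTTP when force SSL is off). The sample outputs are constructed to match the lab’s listings; an empty server list for a service is taken to mean ‘Authentication = Use Default’.

```python
"""Audit OmniSwitch remote-management exposure from CLI output.

Added example, not part of the course. Parses the 'show http' and
'show aaa authentication' formats shown in this lab. Both samples below
are constructed to match the lab listings.
"""

SAMPLE_SHOW_HTTP = """\
Web Management = on
Web Management Force SSL = off
Web Management Http Port = 80
Web Management Https Port = 443
"""

SAMPLE_SHOW_AAA = """\
Service type = Default
1rst authentication server = local
Service type = Console
1rst authentication server = local
Service type = Telnet
Authentication = Use Default,
1rst authentication server = local
Service type = Ftp
1rst authentication server = local
Service type = Http
Authentication = Use Default,
1rst authentication server = local
Service type = Snmp
1rst authentication server = local
Service type = Ssh
Authentication = Denied,
"""

# Services whose login is sent unencrypted (HTTP only when SSL is not forced)
CLEARTEXT = {"telnet", "ftp", "http"}


def parse_show_http(text):
    """'Web Management Force SSL = off' -> settings['force_ssl'] == 'off'."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("web management", "").strip()
        settings[key.replace(" ", "_") or "management"] = value.strip().lower()
    return settings


def parse_show_aaa(text):
    """Return {service: 'denied' | [server, ...]}.

    An empty server list means the service inherits the Default entry
    ('Authentication = Use Default' with no server line of its own).
    """
    services, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().rstrip(",").lower()
        if key == "service type":
            current = value
            services[current] = []
        elif current is None:
            continue
        elif key == "authentication" and value == "denied":
            services[current] = "denied"
        elif key.endswith("authentication server") and isinstance(services[current], list):
            services[current].append(value)
    return services


def open_services(aaa):
    """Map each remotely reachable service to the servers that authenticate
    it, resolving 'Use Default'; denied services are absent."""
    default = aaa.get("default", [])
    result = {}
    for service, servers in aaa.items():
        if service in ("default", "console") or servers == "denied":
            continue
        effective = servers or default
        if effective:
            result[service] = effective
    return result


def audit(http_text, aaa_text):
    """Return (severity, message) findings for the two command outputs."""
    http = parse_show_http(http_text)
    opened = open_services(parse_show_aaa(aaa_text))
    ssl_forced = http.get("force_ssl") == "on"
    findings = []
    for service, servers in sorted(opened.items()):
        if service in CLEARTEXT and not (service == "http" and ssl_forced):
            findings.append(("warn", f"{service}: open, login crosses the network in cleartext"))
        else:
            findings.append(("info", f"{service}: open, authenticated via {', '.join(servers)}"))
    if "telnet" in opened and "ssh" not in opened:
        findings.append(("warn", "telnet is open while ssh is denied; prefer "
                         "'aaa authentication ssh local' then 'no aaa authentication telnet'"))
    if http.get("management") == "on" and not ssl_forced:
        findings.append(("warn", "WebView accepts plain HTTP; 'ip http ssl' forces HTTPS"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_SHOW_HTTP, SAMPLE_SHOW_AAA):
        print(f"[{severity}] {message}")
```

On the lab’s own output the audit flags Telnet, FTP and HTTP as cleartext and notes that SSH is the one service still denied; after ‘ip http ssl’, ‘aaa authentication ssh local’ and ‘no aaa authentication telnet’ only FTP remains flagged.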
End User Profiles
Partition Management allows the administrator to limit what commands users have access to.
EUP is similar to Partition Management, but with the additional capability of limiting what
VLANs and ports a user has access to.


Let’s begin by creating a few VLANs and a new user called customer1.
Enter:
-> vlan 100
-> vlan 200
-> vlan 300
-> user customer1 password customer1

Now, let’s create an End-User Profile with read-write access but limit the profile to VLANs
100-200.
Enter:
-> end-user profile profile1 read-write all
-> end-user profile profile1 vlan-range 100-200
-> end-user profile profile1 port-list 1/1-12

Now associate the user to the profile and save the configuration.
-> user customer1 end-user-profile profile1
-> write memory

Log out and then log back in under the newly created user account. Then run the
commands listed below. Notice that you do not have access to VLAN 300 since it is not part of
the user profile for customer1.
-> exit
login: customer1
password: *********
-> show vlan
-> vlan 300 port default [slot/port] (a port within the range 1-12 as specified in
the end-user-profile profile1; for instance, use slot/port 1/5)
Password Expiration
An administrator has the ability to set the expiration date on passwords. It can be set in days
or at a specific date and time. Let’s change the password expiration time to 5 days for
customer1.
Log in under admin.
-> user customer1 expiration 5
-> write memory
Log in under customer1

The switch now informs you that your password expires in 5 days.


SUMMARY
This lab introduced you to the Operating System of an OmniSwitch. The WORKING and
CERTIFIED directories allow multiple configurations to be stored on the switch. The CERTIFIED
configuration can be used as a backup in case of any mis-configurations to the WORKING
directory. Once a WORKING configuration is known to be valid, it can then be copied to the
CERTIFIED directory, and used as a backup.
The snapshot feature can be helpful if you have a number of switches with similar
configurations, perhaps with only IP addresses having to be changed. Saving the configuration
to an ASCII file, modifying it, then applying it to a different switch can make configuring a
group of switches easier.
It also introduced the WebView remote access feature. WebView can be used to configure the
switch using a web browser instead of the CLI. Additionally, using the SSL feature, the
communication between the browser and the switch can be encrypted.
It also covered the authenticated access feature of an OmniSwitch. Using this feature an
administrator is able to configure a security scheme to allow only authorized users access to
the switch. Additionally, read and write privileges as well as remote access can be strictly
controlled.

LAB CHECK

1. What command is used to create a text-based listing of all or part of your configuration?

2. What is the UNIX command used to list the contents of a text file?

3. What is the command one would use to verify a text-based configuration file?

4. How does one delete a VLAN?

5. How does one save configuration changes into the working directory?

6. How does one make a configuration the default for the switch?

7. Under what file name are configurations written?

8. How does one take a text-based configuration (or snapshot) and invoke it as the switch configuration?

9. What is the command to set an IP address of 10.10.10.1/24 for VLAN 10 on an OmniSwitch?

10. What three things must you do on an OmniSwitch before you can start a WebView session?

11. Where would you go in WebView to set the Inactivity Timer for Web Management from the default time
of 4 minutes?

12. What command would one use to create a user “vlan3user” with password “password”?

13. How would one create a profile to limit rights to VLAN 3?


SECURE SHELL

This lab is designed to familiarize you with the SSH feature on an OmniSwitch.
Secure Shell provides a secure (encrypted) mechanism to remotely login to an OmniSwitch as
well as securely transfer files.

LAB STEPS
In order to demonstrate the SSH and SFTP capabilities of an OmniSwitch, let’s connect two
OmniSwitches using VLAN 1 with the appropriate IP addresses to allow IP connectivity. Perform
the following:
Connect the two OmniSwitches together using slot/port 1/20 on Switch X3 (OS6900) and 1/24 on
Switch X2 (OS6850) by enabling appropriate ports.
Note: Replace ‘X’ with your pod number.
On switch X3, type the following:
-> interfaces 1/20 admin-state enable
-> ip interface int_v1 address 192.168.10.3 vlan 1

On switch X2, type the following:
-> interfaces 1/24 admin up
-> ip interface int_v1 address 192.168.10.2 vlan 1

Try to ping switch X3 from switch X2.
Once IP connectivity is established, the switch needs to be configured to allow SSH connectivity.
Remember from the Remote Access lab, that no remote access is allowed by default. Let’s
enable AAA authentication on the switch and have it check the local database when an SSH
session is attempted.
On switch X3 (OS6900), type the following:
-> aaa authentication ssh local

Now that we have IP connectivity and have enabled the switch to accept SSH connections,
establish an SSH session from each switch to its neighbor.
From switch X2, type the following:
-> ssh 192.168.10.3
login as: admin
OS6900 S2
Password: switch

Once the Secure Shell session is established, you may want to verify by using the who command
as well as run some commands.
-> who
-> show vlan
-> show ip interface
-> exit
An SSH session can be used to securely manage a remote switch. Additionally, you can use SFTP
to securely transfer files to and from a remote switch.


From switch X2, type the following:
-> sftp 192.168.10.3
-> ls
-> ?
-> exit

SUMMARY
This lab introduced the Secure Shell functionality of the OmniSwitch. Secure Shell and Secure
FTP can be used to securely manage and transfer files to and from remote switches.

ALCATEL-LUCENT OMNISWITCH ACCESS SWITCHING – CONFIGURATION AND MANAGEMENT

Installing and Upgrading Code

How to
- familiarize you with the image files stored in the switch and how to upgrade code

Contents
1 CURRENT CODE VERSION ....................................................................... 2
1.1. Gathering Switch Code Version ...................................................................... 2
2 Transferring files using FTP .................................................................. 3
2.1. Setting up FTP session ................................................................................ 3
2.2. Upgrading the code version .......................................................................... 3
2.3. Lab Check ............................................................................................... 4
2
Installing and Upgrading Code

Implementation

Ask your instructor where the switch code is located before continuing

- Only one Omniswitch is used for the following sections

1 CURRENT CODE VERSION

1.1. Gathering Switch Code Version

There are two ways to copy code to the switch using the CLI. They are zmodem and FTP. Both of these
methods can be performed while the switch is fully operational. Additionally, FTP can be performed from
any virtual router interface on the switch. FTP is the most common method to transfer files to the switch
and is the only method demonstrated in this lab.

For additional information in transferring files using zmodem or FTP consult the user manual
or ask your instructor.

- Open a console session to switch 6450-A or B with the following authentication credentials:
Login: admin
Password: switch

- Before performing any upgrades check the current versions of code on the switch.
- Type the following:
-> show microcode loaded – Version currently loaded
-> show microcode working – Version in WORKING directory
-> show microcode certified – Version in CERTIFIED directory

- These commands give you an explanation of each image file and its current version for the various
directories.
-> show microcode working
Package Release Size Description
-----------------+---------------+--------+-----------------------------------
Gbase.img 6.6.4.425.R01 17499295 Alcatel-Lucent Base Software
Gos.img 6.6.4.425.R01 1864653 Alcatel-Lucent OS
Geni.img 6.6.4.425.R01 5470896 Alcatel-Lucent NI software
Gsecu.img 6.6.4.425.R01 607273 Alcatel-Lucent Security Management
Gdiag.img 6.6.4.425.R01 1599514 Alcatel-Lucent Diagnostic Software

Are the contents in the WORKING and CERTIFIED directory the same? Why?

2 Transferring files using FTP

- Remove configuration from previous labs and reboot the switch from the WORKING directory
- Type the following:
-> rm /flash/working/boot.cfg
-> reload working no rollback-timeout

- After the switch reboots, save the configuration to the boot.cfg file
-> write memory

2.1. Setting up FTP session

- In order to use FTP to transfer files to the switch, IP connectivity must be established.
- Connect your PC to an Ethernet port on an OmniSwitch

Ask your instructor how to open and configure a virtual client when using the remote lab.

- On 6450-A or B, type the following:
-> interfaces 1/1 admin up
-> ip interface int_v1 address 192.168.10.# vlan 1 (Replace # with your switch number)

- Assign an IP address within the same subnet to your PC and ensure there is IP connectivity by pinging the
switch from the PC.

Before you can transfer the files using FTP, you must configure the switch to accept FTP
connections

- Type the following:
-> aaa authentication ftp local

- Have your instructor show you where to get the code for upgrading the switch if necessary.
- Use an FTP program or the command line to FTP from the PC to the switch.
- Once connected, type the following command to display the current directory:
-> pwd

To which directory is the FTP connection established?

2.2. Upgrading the code version

- Upload the image files from PC to the switch
- Compare the code versions in the WORKING and CERTIFIED directory

-> show microcode working
-> show microcode certified

- Reboot the switch forcing it to load from the now upgraded WORKING directory.
-> reload working no rollback-timeout

- Once the switch has rebooted and everything is functioning properly, use the command below to copy the
WORKING directory to the CERTIFIED directory.
-> copy working certified
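The comparison step above is easy to get wrong by eye when five image files are listed twice, and ‘copy working certified’ is only safe once every image in WORKING is the one you meant to certify. The following is an added example, not part of the course: it parses the table printed by ‘show microcode working’ and ‘show microcode certified’ (package, release, size, description) and reports every package whose release or size differs between the two directories, and whether WORKING is a consistent single release. The WORKING sample is the lab’s own listing; the CERTIFIED sample is constructed to represent an older build with one image missing.

```python
"""Compare image versions in the WORKING and CERTIFIED directories.

Added example, not part of the course. Parses the 'show microcode' table
format shown in this lab. SAMPLE_WORKING is the lab listing;
SAMPLE_CERTIFIED is constructed (older release, Gdiag.img absent).
"""
import re

SAMPLE_WORKING = """\
Package Release Size Description
-----------------+---------------+--------+-----------------------------------
Gbase.img 6.6.4.425.R01 17499295 Alcatel-Lucent Base Software
Gos.img 6.6.4.425.R01 1864653 Alcatel-Lucent OS
Geni.img 6.6.4.425.R01 5470896 Alcatel-Lucent NI software
Gsecu.img 6.6.4.425.R01 607273 Alcatel-Lucent Security Management
Gdiag.img 6.6.4.425.R01 1599514 Alcatel-Lucent Diagnostic Software
"""

SAMPLE_CERTIFIED = """\
Package Release Size Description
-----------------+---------------+--------+-----------------------------------
Gbase.img 6.6.3.101.R01 17320011 Alcatel-Lucent Base Software
Gos.img 6.6.3.101.R01 1850200 Alcatel-Lucent OS
Geni.img 6.6.3.101.R01 5400100 Alcatel-Lucent NI software
Gsecu.img 6.6.3.101.R01 607273 Alcatel-Lucent Security Management
"""


def parse_show_microcode(text):
    """Return {package: {release, size, description}}; header rows are skipped."""
    images = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3 or not parts[0].endswith(".img"):
            continue
        images[parts[0]] = {"release": parts[1], "size": int(parts[2]),
                            "description": parts[3] if len(parts) > 3 else ""}
    return images


def release_key(release):
    """'6.6.4.425.R01' -> (6, 6, 4, 425, 1) so releases can be ordered."""
    return tuple(int(n) for n in re.findall(r"\d+", release))


def compare_directories(working, certified):
    """Return (package, difference) pairs; empty when the directories match."""
    report = []
    for pkg in sorted(set(working) | set(certified)):
        w, c = working.get(pkg), certified.get(pkg)
        if w is None:
            report.append((pkg, "present in CERTIFIED only"))
        elif c is None:
            report.append((pkg, "present in WORKING only"))
        elif w["release"] != c["release"]:
            direction = "newer" if release_key(w["release"]) > release_key(c["release"]) else "older"
            report.append((pkg, f"WORKING {w['release']} is {direction} than CERTIFIED {c['release']}"))
        elif w["size"] != c["size"]:
            report.append((pkg, "same release but different file size"))
    return report


def working_consistent(working, certified):
    """True when every WORKING image carries the same release and none is
    older than its CERTIFIED counterpart (a mixed upload is a bad candidate
    for 'copy working certified')."""
    releases = {img["release"] for img in working.values()}
    if len(releases) != 1:
        return False
    return all(release_key(working[p]["release"]) >= release_key(certified[p]["release"])
               for p in certified if p in working)


if __name__ == "__main__":
    w, c = parse_show_microcode(SAMPLE_WORKING), parse_show_microcode(SAMPLE_CERTIFIED)
    for pkg, diff in compare_directories(w, c):
        print(f"{pkg}: {diff}")
    print("WORKING consistent:", working_consistent(w, c))
```

Paste the two command outputs into the sample strings (or read them from files) to reproduce the check on a real switch.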

2.3. Lab Check

What is the command used to allow FTP access to the switch?
What command is used to make a new image file to be available on reboot?
OMNISWITCH R6 6250/6400/6450/6850E/6855
Stacking
Module Objectives
- You will:
  - Learn the OS6400, OS6450, 6855/6850E and 6250 stacking design and description

OMNISWITCH AOS 6250, 6450 & 6850E - STACKING
OmniSwitch 6250/6400/6450/6850E Stacking - Overview
- All of the models in the same family are stackable
- Only 6250, or 6400, or 6450, or 6850E or 6855-U24X
- Dedicated 2 stacking links on each model
- Up to 2 or 8 chassis in a stack
- 384 Gigabit ports
- 16 10 Gig ports
- PoE and non-PoE can be mixed
- Virtual chassis, single IP for management
- Primary, secondary, idle and pass-through elements in the stack
- Each module in the stack is capable to act as Primary
- Stack module IDs are set using CLI and displayed on the panel
-> more boot.slot.cfg
boot slot 1
[Slide figure labels: Distributed and resilient management; 20G full duplex stack loop; Smart Continuous Switching; Image / config rollback; Hot swap everything; 802.3ad, 802.1w, OSPF, ECMP, VRRP]
OmniSwitch Stacking - Overview

OS6250 Enterprise Model
- Dedicated 2 – 2.5 Gigabit stacking links on each model
- Up to 8 chassis in a stack
- 384 Fast Ethernet and 32 Gigabit ports in a 8U space
- PoE and non-PoE can be mixed
- Primary, secondary, idle and pass-through elements in the stack
- Stack element number identified by port LEDs by pressing PB
- Each module in the stack is capable to act as Primary
- ALU supplied HDMI cables required for stacking

OmniSwitch 6400/6850E
- Dedicated 2 x 10 Gigabit stacking links
- Up to 8 chassis in a stack
- 384 GE ports
- 16 10 GE ports
- PoE and non-PoE
- Virtual chassis, single IP for management
- Stack module IDs are set using CLI and displayed on the panel

OmniSwitch 6450
- 2 stacking/uplink ports on 6450-10 (5G full duplex stacking)
- 2 units maximum in a stack of 6450-10
- Dedicated 2 – 10 Gigabit stacking links on 6450-24/48/U24
- Up to 8 units in a stack of 6450-24/48/U24
OmniSwitch 6855 Stacking - Overview
- Two 10G SFP+ ports at the back of the unit can be used either as stacking or uplinks
- OmniSwitch 6855-U24X ONLY!
- Cannot be mixed with any other models
- OS6855-U24X 10G SFP+ stacking
  - Up to 4 units in looped stack configuration
  - Stacking through direct attached SFP+ copper cables: iSFP-10G-C30CM (30 cm), iSFP-10G-C3M (3 m), iSFP-10G-C10M (10 m)
  - Two 10G stacking ports
  - Remote stacking is supported to cover up to 10 km between two units and 40 km with 4 units in a stacking loop: iSFP-10G-SR SFP+ up to 300 m, iSFP-10G-LR SFP+ up to 10 km
-> interfaces 1/25 mode stacking
WED Nov 04 09:08:29 : HSM-CHASSIS (101) info message:
+++ Ni 1 Port 25,26 are set to stackable for next boot:OK
-> reload working no rollback-timeout
[Slide figure labels: SFP+ Stacking/Uplink Ports; Two 10G SFP+ ports; SFP+ Copper Cable, Direct Attached]
OmniSwitch 6250/6400/6450/6850E - Stacking methods
- Stack of eight switches in a crossed configuration
  - Stacking port A to stacking port B
  - Redundant stacking cable connection exists between top and bottom switches
  - Required for effective redundancy across the stack
- Stack of eight switches in a straight configuration
  - Stacking port A to stacking port A
  - Stacking port B to stacking port B
  - Redundant stacking cable connection exists between top and bottom switches
  - Required for effective redundancy across the stack
OmniSwitch Stacking CMM Roles
- In a virtual chassis, a switch can handle 4 different roles:
  - Primary
    - It is the primary CMM role that supports all the chassis features (management, firmware upgrade, SNMP, switch diagnostics, rollback…) and acts as the “main” controller switch in the stack
  - Secondary
    - It is the backup CMM of the stack and is ready to handle the Primary role when the Primary switch takes over or fails
  - Idle
    - It is seen as an NI (Network Interface) in a chassis
    - This switch is ready to handle the “Secondary” role in case of loss of the Primary switch
  - Pass-through
    - In case of Slot-Id duplication, the second started switch gets the “Pass-through” role
    - It is not part of the stack, but does not block the traffic going through it (no disruption of the stack)
    - Its “Slot-id” has to be redefined, and the switch restarted, to become “Idle”
- Stack Manager is the first process (present on all CMMs) to be started, for CMM role election during stack boot up
OmniSwitch Stacking - “Slot-Id” setup
- A switch uses a unique Slot-Id in the virtual stack. This Slot-Id can be:
  - Dynamically assigned when there is no “boot.slot.cfg” file (or in the out-of-the-box case)
    - All switches are interconnected and boot up within a 15 s timer (MAC address method)
      - The switch with the lowest MAC address gets Slot-Id 1, and then gets the Primary role
      - The switch connected to the Primary switch on Stack port A gets Slot-Id 2 and becomes Secondary
      - The switch connected on Stack port A of the Secondary gets Slot-Id 3 and becomes Idle, and so on
    - All switches are interconnected, but a timer of 15 s elapses between each switch startup (chassis uptime method)
      - The first started switch gets Slot-Id 1 and takes the Primary role
      - The second started switch (connected to the Primary) gets Slot-Id 2 and becomes Secondary
      - The third started switch, connected to one of the previous ones, gets Slot-Id 3 and becomes Idle, and so on
  - Manually assigned, the Slot-Id is managed switch by switch
    - All switches boot up simultaneously, the Slot-Id 1 becomes Primary, and so on
OmniSwitch Stacking supervision
- Checking the stack status
show stack topology
Link A Link A Link B Link B
NI Role State Saved Link A Remote Remote Link B Remote Remote
Slot State NI Port State NI Port
----+-----------+--------+------+-------+-------+-------+-------+-------+-------
1 PRIMARY RUNNING 1 UP 1001 StackB UP 1003 StackA
1001 PASS-THRU DUP-SLOT 1 UP 1002 StackB UP 1 StackA
1002 PASS-THRU DUP-SLOT 1 UP 1003 StackB UP 1001 StackA
1003 PASS-THRU DUP-SLOT 1 UP 1 StackB UP 1002 StackA

- In this example all switches started simultaneously. All of them had “1” as their ID in their corresponding “boot.slot.cfg” file
- The upper one on the list has the lowest MAC address and is given the “Primary” role
- The Primary switch assigns “1001, 1002 & 1003” to the other switches
- This can be checked with the Slot LED on the front panel of the switches: the “1, 2 & 3” digits are blinking whereas the Primary displays a fixed “1”
OmniSwitch “Pass Through” role modification
- Users can modify the “Pass-through” switches by changing their “Slot-id”
  - stack set slot <current_slot> saved-slot <new_slot>
  - The new slot-id will be written to flash and will be in effect after the next reboot
- Or it is possible to clear the slot-id via
  - stack clear slot <slot_number>
  - Restores the slot to the factory default configuration (empty file)
  - At next startup, the slot-Id will be given automatically
OmniSwitch - Pass-Through mode correction
- Modifications
-> stack set slot 1001 saved-slot 2
-> stack set slot 1002 saved-slot 3
-> stack set slot 1003 saved-slot 4
[Slide figure: stack of four units labelled 1, 1001, 1002, 1003]

- Result before the stack reboot
show stack topology
Link A Link A Link B Link B
NI Role State Saved Link A Remote Remote Link B Remote Remote
Slot State NI Port State NI Port
----+-----------+--------+------+-------+-------+-------+-------+-------+-------
1 PRIMARY RUNNING 1 UP 1001 StackB UP 1003 StackA
1001 PASS-THRU DUP-SLOT 2 UP 1002 StackB UP 1 StackA
1002 PASS-THRU DUP-SLOT 3 UP 1003 StackB UP 1001 StackA
1003 PASS-THRU DUP-SLOT 4 UP 1 StackB UP 1002 StackA

reload all(1)
Confirm Reload All (Y/N) : Y
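The duplicate-slot situation on the previous slides (every unit shipped with “boot slot 1”, so three units end up in PASS-THRU / DUP-SLOT) has a mechanical fix: give each pass-through element a saved slot id that no running element uses, then reboot. The following is an added example, not part of the course: it parses the ‘show stack topology’ table reproduced on the slides (ten whitespace-separated columns per element row), checks that the stacking ring is closed, and produces the ‘stack set slot <NI> saved-slot <id>’ commands, choosing the lowest free id and leaving alone pass-through elements that have already been renumbered and are only waiting for the reboot. The sample table is the one on the slide; the eight-unit maximum is the limit stated in these slides.

```python
"""Plan 'stack set slot' corrections from 'show stack topology' output.

Added example, not part of the course. Parses the table format shown on
the slides. SAMPLE_TOPOLOGY is the slide's own table (four units that all
booted with saved slot 1).
"""
from collections import Counter

SAMPLE_TOPOLOGY = """\
Link A Link A Link B Link B
NI Role State Saved Link A Remote Remote Link B Remote Remote
Slot State NI Port State NI Port
----+-----------+--------+------+-------+-------+-------+-------+-------+-------
1 PRIMARY RUNNING 1 UP 1001 StackB UP 1003 StackA
1001 PASS-THRU DUP-SLOT 1 UP 1002 StackB UP 1 StackA
1002 PASS-THRU DUP-SLOT 1 UP 1003 StackB UP 1001 StackA
1003 PASS-THRU DUP-SLOT 1 UP 1 StackB UP 1002 StackA
"""

MAX_STACK_SIZE = 8  # never more than eight switches in a single stack


def parse_stack_topology(text):
    """Return one dict per element row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10 or not parts[0].isdigit():
            continue
        rows.append({
            "ni": int(parts[0]), "role": parts[1], "state": parts[2],
            "saved_slot": int(parts[3]),
            "link_a": {"state": parts[4], "remote_ni": int(parts[5]), "remote_port": parts[6]},
            "link_b": {"state": parts[7], "remote_ni": int(parts[8]), "remote_port": parts[9]},
        })
    return rows


def stack_loop_closed(rows):
    """True when every element has both stacking links UP and each link's
    remote element appears in the table (a closed, redundant ring)."""
    known = {r["ni"] for r in rows}
    return all(r[link]["state"] == "UP" and r[link]["remote_ni"] in known
               for r in rows for link in ("link_a", "link_b"))


def plan_slot_fix(rows, max_slots=MAX_STACK_SIZE):
    """Return the 'stack set slot' commands that give every pass-through
    element with a duplicated saved slot a unique id (effective at reboot)."""
    counts = Counter(r["saved_slot"] for r in rows)
    in_use = {r["saved_slot"] for r in rows if r["role"] != "PASS-THRU"}
    pending = []
    for r in rows:
        if r["role"] != "PASS-THRU":
            continue
        if counts[r["saved_slot"]] == 1:
            in_use.add(r["saved_slot"])   # already renumbered, waiting for reboot
        else:
            pending.append(r)
    free = [s for s in range(1, max_slots + 1) if s not in in_use]
    commands = []
    for r in pending:
        if not free:
            raise ValueError(f"no free slot id left for NI {r['ni']}")
        commands.append(f"stack set slot {r['ni']} saved-slot {free.pop(0)}")
    return commands


if __name__ == "__main__":
    rows = parse_stack_topology(SAMPLE_TOPOLOGY)
    print("ring closed:", stack_loop_closed(rows))
    for cmd in plan_slot_fix(rows):
        print("->", cmd)
```

On the slide’s table this yields exactly the three commands shown above; run on the “result before the stack reboot” table it yields nothing, because each pass-through element already holds a unique saved slot.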
OmniSwitch - Rebooting the stack or the CMM
- Resetting the whole stack at once (remember that the stack must be synchronized!)
  - “reload all”
    - At next startup, the switch with the lowest slot-id becomes “Primary”, the following one becomes “Secondary”... But it can come up on the “Certified” partition if there is a difference between Working/Certified
  - “reload working no rollback-timeout”
    - At next startup, the switch with the lowest slot-id becomes “Primary”, the following one becomes “Secondary”... on the “Working” partition (whatever the partition differences)
  - Manually restart the stack (power off/on)
- Switching Primary/Secondary CMM roles
  - The “takeover” function has to be used (on the Primary or on the Secondary CMM)
    - The Primary CMM resets and the Secondary CMM becomes Primary
    - The next “Idle” switch with the lowest slot-id becomes Secondary (even without a direct stacking link)
    - The former Primary becomes “Idle”
  - A synchronization has to be done before “takeover”
  - Switch management functions are maintained during takeover
OmniSwitch - Inserting a new switch in an existing Stack
- Recommendations
  - Never attempt to operate more than eight switches in a single stack
  - Make sure all switches are running the same software version
    - “copy flash-synchro” has to be used
  - Avoid duplicate “saved slot” numbers
- Default mechanism
  - If inserting a switch with a duplicated slot-id, the Primary CMM automatically detects it:
FRI JAN 13 14:05:26 : STACK-MANAGER (27) warning message:
+++ == SM == Duplicate slots: 1 - Remote must relinquish its slot number
FRI JAN 13 14:05:27 : STACK-MANAGER (27) warning message:
+++ == SM == An element(253) enters passthru mode (duplicate slot)
  - Change the slot-id and restart the switch
    - “reload pass-through NI-Id”
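As an added example (not part of the course material), a small Python parser for the STACK-MANAGER and CSM-CHASSIS swlog messages shown in this section and in the lab output later in the module, so that a duplicate-slot or pass-through event, a stack-port flap or a primary change can be picked out of a log feed instead of being read by eye. The sample log, the element id 253 and the timestamps are constructed to mirror the messages above; the event kinds and the wording of the findings are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

# Constructed sample in the format of the swlog excerpts in this module;
# element id 253 and the timestamps are illustrative, not captured data.
SAMPLE_SWLOG = """\
FRI JAN 13 14:05:26 : STACK-MANAGER (27) warning message:
+++ == SM == Duplicate slots: 1 - Remote must relinquish its slot number
FRI JAN 13 14:05:27 : STACK-MANAGER (27) warning message:
+++ == SM == An element(253) enters passthru mode (duplicate slot)
FRI JAN 13 14:06:01 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port B Status Changed: DOWN
+++ == SM == Stack Port A Status Changed: DOWN
+++ == SM == NI 2 down notification sent to LAG
FRI JAN 13 14:06:40 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port A Status Changed: UP
+++ == SM == Primary change reset connection (old 1, new 2, prev 0)
FRI JAN 13 14:07:02 : CSM-CHASSIS (103) info message:
+++ == CSM == Flash Synchronization process completed successfully
"""

# "DAY MON DD HH:MM:SS : APPLICATION (id) level message:" opens a group of "+++" lines.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z]{3} [A-Z]{3} \d{2} \d{2}:\d{2}:\d{2}) : "
    r"(?P<app>[A-Z-]+) \(\d+\) (?P<level>\w+) message:$"
)

# Message patterns worth alerting on, tried in this order.
PATTERNS: List[Tuple[str, "re.Pattern"]] = [
    ("duplicate_slot", re.compile(r"Duplicate slots: (?P<slot>\d+)")),
    ("passthru", re.compile(r"An element\((?P<element>\d+)\) enters passthru mode \((?P<reason>[^)]*)\)")),
    ("stack_port", re.compile(r"Stack Port (?P<port>[AB]) Status Changed: (?P<state>UP|DOWN)")),
    ("ni_down", re.compile(r"NI (?P<ni>\d+) down notification")),
    ("primary_change", re.compile(r"Primary change reset connection \(old (?P<old>\d+), new (?P<new>\d+)")),
    ("flash_synchro_ok", re.compile(r"Flash Synchronization process completed successfully")),
]


@dataclass
class Event:
    timestamp: str
    app: str
    level: str
    kind: str                      # one of the PATTERNS names, or "other"
    fields: Dict[str, str] = field(default_factory=dict)
    message: str = ""


def parse_swlog(text: str) -> List[Event]:
    """Attach every '+++' line to the most recent header line and classify it."""
    events: List[Event] = []
    ts = app = level = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts, app, level = m.group("ts"), m.group("app"), m.group("level")
            continue
        if ts is None or not line.startswith("+++"):
            continue  # prompt echoes and undated lines are not events
        msg = line[3:].strip()
        kind, fields = "other", {}
        for name, pat in PATTERNS:
            pm = pat.search(msg)
            if pm:
                kind, fields = name, pm.groupdict()
                break
        events.append(Event(ts, app, level, kind, fields, msg))
    return events


def summarize(events: List[Event]) -> Dict[str, Any]:
    """Reduce the event stream to the stack state a monitor cares about."""
    s: Dict[str, Any] = {"duplicate_slots": [], "passthru_elements": [], "ni_down": [],
                         "stack_port_state": {}, "primary_changes": [], "flash_synchronized": False}
    for e in events:
        if e.kind == "duplicate_slot":
            s["duplicate_slots"].append(int(e.fields["slot"]))
        elif e.kind == "passthru":
            s["passthru_elements"].append(int(e.fields["element"]))
        elif e.kind == "ni_down":
            s["ni_down"].append(int(e.fields["ni"]))
        elif e.kind == "stack_port":
            s["stack_port_state"][e.fields["port"]] = e.fields["state"]  # last state wins
        elif e.kind == "primary_change":
            s["primary_changes"].append((int(e.fields["old"]), int(e.fields["new"])))
        elif e.kind == "flash_synchro_ok":
            s["flash_synchronized"] = True
    return s


def findings(summary: Dict[str, Any]) -> List[str]:
    """Conditions to act on, with the remedy this module gives for each."""
    out = []
    for slot in summary["duplicate_slots"]:
        out.append(f"saved slot {slot} is duplicated: set a free slot with "
                   "'stack set slot <id> saved-slot <new>' and reboot that element")
    for el in summary["passthru_elements"]:
        out.append(f"element {el} is in pass-through: its Ethernet ports are down")
    for port, state in sorted(summary["stack_port_state"].items()):
        if state == "DOWN":
            out.append(f"stack port {port} is DOWN: ring redundancy is lost")
    for old, new in summary["primary_changes"]:
        out.append(f"primary role moved from slot {old} to slot {new}")
    return out
```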
OmniSwitch - CMM/NI commands possibilities
- After modifications and stack restart
show stack topology
Link A Link A Link B Link B
NI Role State Saved Link A Remote Remote Link B Remote Remote
Slot State NI Port State NI Port
----+-----------+--------+------+-------+-------+-------+-------+-------+-------
1 PRIMARY RUNNING 1 UP 2 StackB UP 4 StackA
2 SECONDARY RUNNING 2 UP 3 StackB UP 1 StackA
3 IDLE RUNNING 3 UP 4 StackB UP 2 StackA
4 IDLE RUNNING 4 UP 1 StackB UP 3 StackA

- Connection is allowed only on the primary (full access rights) and the secondary (no configuration allowed)
- CLI commands on the Secondary CMM
  - “takeover”
  - “show running directory” (to display the CMM role, but without stack synchronization information)
  - “show chassis” (to display the different switches present in the stack)
- It is not possible to log on to “Idle” switches (nor pass-through):
INFO: This is an IDLE unit and no commands are allowed!
OmniSwitch - Stack Synchronization - Example
- A new configuration command is issued on the primary switch; the changes are first stored in the RAM of the primary switch
- -> write memory
- -> copy working certified
- -> copy flash-synchro
- -> copy flash-synchro – automatic certification
- Stack is now synchronized
- -> write memory flash-synchro
[Diagram shown at each step: the Working and Certified directories of the Primary CMM (Running), of the Secondary CMM and of Switch Slot 8]
OmniSwitch - Software System Architecture
-> show running-directory

CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot :A
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : SYNCHRONIZED,
Running Configuration : SYNCHRONIZED,
NIs Reload On Takeover : NONE

- “Flash Between CMMs” indicates the synchronization status between switches
MAC RETENTION
Virtual Chassis - MAC Retention
- MAC Retention
  - OmniSwitch 6250/6400/6850E
  - Allows a stack of switches to retain the MAC address of the primary switch for a fixed or indefinite time, even after multiple takeovers. Makes the system resilient to failures of the current primary
  - Smart Continuous Switching for the stack-based products
  - Reduces disruption of services during failure of the primary
- If the primary element in Stack 1 fails (power or hardware failure) then:
  - The Secondary becomes the new primary and shares the MAC address of the former primary of the stack
  - Retention of the base MAC address is acceptable
[Diagram: stack with a failed Primary element and the Secondary element taking over]
Virtual Chassis - MAC Retention
- Without MAC retention
  - Services disrupted
    - STP: all state machines are restarted
    - LACP: all LACP ports torn down and restarted
    - IP: gratuitous ARP packets are sent, HW tables updated, incoming routed traffic disrupted
- With MAC retention
  - The new primary uses the MAC of the old one
  - User configurable (disabled by default)
  - A trap is raised to notify the administrator of possible duplicate MACs
  - User allowed to explicitly release the retained base MAC
[Diagram: “Stack of 4” (Primary with base MAC 00:D0:95:E6:DD:E4, Sec, Idle, Idle), “Primary Fails”, “Stack of 3” (the former Sec is now Primary and keeps 00:D0:95:E6:DD:E4, Idle, Idle)]
MAC retention
CLI setup
- Enabling MAC retention
-> mac-retention status enable

- Enabling duplicate MAC address trap generation
-> mac-retention dup-mac-trap enable

- Releasing the MAC address currently being used as the primary base MAC
-> mac release

-> show mac-retention status

MAC RETENTION STATUS
====================================
Admin State : Enabled
Trap admin state : Enabled
Current MAC address : 00:0a:0b:0c:0d:0e
MAC address source : Retained
Topology Status : Ring present
Contents
1 OBJECTIVE...................................................................................... 2
2 Hardware Information and Operation ...................................................... 2
3 Equipment/Software Required .............................................................. 2
4 Related Commands............................................................................ 2
5 Supported Platforms .......................................................................... 2
6 Basic Stacking Operations Lab............................................................... 3
6.1. Primary Management Module Selection ............................................................ 3
6.2. Using Saved Slot Information ........................................................................ 3
6.3. Using the Chassis MAC Address ...................................................................... 5
6.4. Using Saved Slot Information ........................................................................ 5
6.5. Using Switch uptime ................................................................................... 5
6.6. Gathering Virtual chassis Information .............................................................. 5
6.7. Recovering from Pass-Through Mode ............................................................... 8
6.8. Software Synchronization ............................................................................ 9
7 Test of resiliency ............................................................................ 11
7.1. Loss of stacking cable ............................................................................... 11
7.2. Loss of Primary CMM................................................................................. 11
8 Delete the stack ............................................................................. 12
9 Summary ...................................................................................... 12
10 Lab Check .................................................................................... 13
2
Virtual Chassis - Stacking

1 OBJECTIVE
This lab is designed to familiarize you with the concept of Virtual chassis. In addition to working as
individual stand-alone switches, OmniSwitch 6450 switches can also be linked together to work as a single
virtual chassis known as a stack. With stacks, users can easily expand their switching capacity simply by
adding additional switches to the stack. In addition, stacks provide enhanced resiliency and redundancy
features.

2 Hardware Information and Operation
The terms module, switch, slot, and element are used to refer to individual switches within a stacked
configuration. The terms Chassis Management Module (CMM) and management module refer to those switches
operating in a stack either in the primary or secondary management roles. OmniSwitch 6450 switches
operating in an idle role are essentially acting as network interface modules and therefore may be referred
to as Network Interfaces (NIs).

Notes
You cannot mix OS6450, OS6850 and OS6250 switches in the same stack - all switches in a stack must be from
the same family but can be different models within the family.

3 Equipment/Software Required
2 OmniSwitch 6850 or 6450 or 6250
1 PC

4 Related Commands
show hardware info, show chassis, show stack topology
stack set slot, show cmm, show ni, show power supply, show fan, show temperature
reload primary, reload secondary

5 Supported Platforms
OmniSwitch 6850, 6450 and 6250

6 Basic Stacking Operations Lab

Do not insert stacking cables at this time in either of the two switches.
When planning the stack cabling configuration, keep in mind that by default the switch connected to stacking
port A of the primary switch will be assigned the secondary management role.
To avoid a pass-through condition following a reboot, make sure that the saved slot values of the two
switches are unique.
Prior to beginning this lab, remove any prior configuration from all switches to ensure that previous labs do
not affect the outcome. Also remove any pre-configured slot configuration by deleting the
/flash/boot.slot.cfg file and rebooting the switch. For the remote lab, reset the pod.

6.1. Primary Management Module Selection
For a stack of switches to operate as a virtual chassis, there must be a mechanism for dynamically selecting
the switch within the stack that will assume the primary management role. There are three different
methods for selecting the primary switch. These methods are:
- Chassis Uptime
- Saved slot number
- Chassis MAC Address

6.2. Using Saved Slot Information
The saved slot number is the slot number the switch will assume following a reboot. This information is
stored in a switch’s boot.slot.cfg file; the switch reads its slot number assignment from this file at bootup
and assumes the specified slot number within the stack.
If switches in a stacked configuration have no preconfigured slot assignments, the slot number for each
switch is dynamically assigned by the system software. Slot numbers can also be manually assigned by the
user, which is the recommended method for stacking.
On 6450-A, activate the stacking links, define slot number 1, activate the stacking mode and reload the
switch:
-> interfaces 1/11-12 admin up
-> write memory
-> stack set slot 1 saved-slot 1
-> stack set slot 1 mode stackable reload

Do the same on 6450-B, but with slot number 2:
-> interfaces 1/11-12 admin up
-> write memory
-> stack set slot 1 saved-slot 2
-> stack set slot 1 mode stackable reload

After the reboot and synchronization of the stack, you should now see the switch that was the secondary
as the Primary:

-> show stack topology

Link A Link A Link B Link B
NI Role State Saved Link A Remote Remote Link B Remote Remote
Slot State NI Port State NI Port
----+-----------+--------+------+-------+-------+-------+-------+-------+------
1 PRIMARY RUNNING 1 UP 2 StackA UP 2 StackB
2 SECONDARY RUNNING 2 UP 1 StackA UP 1 StackB

-> show cmm

CMM in slot 1
Model Name: OS6450-10,
Description: CMM,
Part Number: 903005-90,
Hardware Revision: 08,
Serial Number: P0980885,
Manufacture Date: FEB 27 2013,
Firmware Version: n/a,
Admin Status: POWER ON,
Operational Status: UP,
Power Consumption: 0,
Power Control Checksum: 0x7090,
CPU Model Type : MV88F6281 Rev 2,
MAC Address: e8:e7:32:78:af:ee,

CMM in slot 2
Model Name: OS6450-10,
Description: CMM,
Part Number: 903005-90,
Hardware Revision: 08,
Serial Number: P0980781,
Manufacture Date: FEB 27 2013,
Firmware Version: n/a,
Admin Status: POWER ON,
Operational Status: SECONDARY,
Power Consumption: 0,
Power Control Checksum: 0xe489,
CPU Model Type : MV88F6281 Rev 2,
MAC Address: e8:e7:32:78:ae:ac,

Take a look at the /flash/boot.slot.cfg file on each switch:

-> ls

Listing Directory /flash:

drw 2048 Sep 21 2012 certified/
-rw 310 Jan 1 01:19 boot.params
drw 2048 Jan 1 01:03 working/
drw 2048 Jan 1 03:17 switch/
-rw 64000 Jan 1 01:21 swlog1.log
-rw 64000 Jan 1 01:01 swlog2.log
-rw 12 Jan 1 01:19 boot.slot.cfg
-rw 1010 Jan 1 01:32 base_cfg
-rw 20 Jan 1 03:17 installed
drw 2048 Jan 1 01:03 network/

59912192 bytes free

Switch 5
-> more boot.slot.cfg
boot slot 1
->

Switch 6
-> more boot.slot.cfg
boot slot 2
->

6.3. Using the Chassis MAC Address
By default, the primary management role will be given to the switch with the lowest chassis MAC address.
However, for this to occur, all switches in the stack must be booted within 15 seconds of each other. In
addition, switches in the stack must have no preconfigured slot information (/flash/boot.slot.cfg). Because of
these two conditions, the MAC address method for selecting the primary module usually occurs with new “out
of the box” switches, or switches from which any preconfigured slot information has been cleared.

6.4. Using Saved Slot Information
The saved slot number is the slot number the switch will assume following a reboot. This information is
stored in a switch’s boot.slot.cfg file; the switch reads its slot number assignment from this file at bootup
and assumes the specified slot number within the stack.
If switches in a stacked configuration have no preconfigured slot assignments, the slot number for each
switch is dynamically assigned by the system software. Slot numbers can also be manually assigned by the
user, which is the recommended method for stacking.

6.5. Using Switch uptime
A user can override both the MAC address and saved slot methods for determining a stack’s primary
management module. This is done by controlling the uptime of switches in the stack. If all elements of a
stack are powered off, the user can force a particular switch to become primary by powering on that switch
and waiting a minimum of 15 seconds before powering on any other switches. This can be useful if the user
wants a switch placed in a specific location, e.g., the top-most switch in a stack, to become the primary.
As with the lowest MAC address method, the primary management module is dynamically assigned slot
number 1 when the stack is booted.

Notes
Although, for ease-of-management purposes, it is recommended that slot numbers are assigned beginning with
slot number 1, it is not a requirement. In other words, a stack of four switches can have slot assignments 3, 4,
5, and 6. However, it is important that each element in a stack is assigned a unique slot number. Do not assign
duplicate slot numbers to elements in a stack. Otherwise, one or more switches will be forced into pass-
through mode. It is also recommended that slots are numbered from the top down, for ease of management.

6.6. Gathering Virtual chassis Information
Enter the following commands to gather virtual chassis information about hardware and software.
Type the following:
-> show hardware info
CPU Type : Marvell Feroceon,
Flash Manufacturer : Micron Technology, Inc.,
Flash size : 134217728 bytes (128 MB),
RAM Manufacturer : Nanya Technology,
RAM size : 268435456 bytes (256 MB),
Miniboot Version : 6.6.3.259.R01,
Product ID Register : 07
Hardware Revision Register : 30
FPGA Revision Register : 6

-> show running-directory

CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : 1,
Running configuration : WORKING,
Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
Flash Between CMMs : SYNCHRONIZED,
Running Configuration : SYNCHRONIZED,
Stacks Reload on Takeover: ALL STACKs (SW Activation)

-> show stack status

Redundant cable status : present
Tokens used : 2
Tokens available : 30

-> show chassis

Chassis 1
Model Name: OS6450-10,
Description: 8 10/100/1000 + 2 Combo + 2 5G STK/UPLINK,
Part Number: 903005-90,
Hardware Revision: 08,
Serial Number: P0980885,
Manufacture Date: FEB 27 2013,
Admin Status: POWER ON,
Operational Status: UP,
Number Of Resets: 26
MAC Address: e8:e7:32:78:af:ee,

Chassis 2
Model Name: OS6450-10,
Description: 8 10/100/1000 + 2 Combo + 2 5G STK/UPLINK,
Part Number: 903005-90,
Hardware Revision: 08,
Serial Number: P0980781,
Manufacture Date: FEB 27 2013,
Admin Status: POWER ON,
Operational Status: UP,
MAC Address: e8:e7:32:78:ae:ac,

-> show ni

Module in slot 1
Model Name: OS6450-10,
Description: 8 10/100/1000 + 2 Combo + 2 5G STK/UPLINK,
Part Number: 903005-90,
Hardware Revision: 08,
Serial Number: P0980885,
Manufacture Date: FEB 27 2013,
Firmware Version: ,
Admin Status: POWER ON,
Operational Status: UP,
Power Consumption: 0,
Power Control Checksum: 0x7090,
CPU Model Type : ARM926 (Rev 1),
MAC Address: e8:e7:32:78:af:f0,
ASIC - Physical 1: MV88F6281 Rev 2,
FPGA - Physical 1: 006/00,
UBOOT Version : n/a,
UBOOT-miniboot Version : 6.6.3.259.R01,
POE SW Version : n/a
Module in slot 2
Model Name: OS6450-10,
Description: 8 10/100/1000 + 2 Combo + 2 5G STK/UPLINK,
Part Number: 903005-90,
Hardware Revision: 08,
Serial Number: P0980781,
Manufacture Date: FEB 27 2013,
Firmware Version: ,
Admin Status: POWER ON,
Operational Status: UP,
Power Consumption: 0,
Power Control Checksum: 0xe489,
CPU Model Type : ARM926 (Rev 1),
MAC Address: e8:e7:32:78:ae:ae,
ASIC - Physical 1: MV88F6281 Rev 2,
FPGA - Physical 1: 006/00,
UBOOT Version : n/a,
UBOOT-miniboot Version : 6.6.3.259.R01,
POE SW Version : n/a

Using the reload ni <slot> command, it’s possible to reload a specific switch within the stack:

-> reload ni 2

TUE JAN 23 21:41:43 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port B Status Changed: DOWN

TUE JAN 23 21:41:44 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port A Status Changed: DOWN
+++ == SM == NI 2 down notification sent to LAG

TUE JAN 23 21:41:47 : HSM-CHASSIS (101) info message:
+++ T8: Ni(2) extraction detected
+++ === HSM === Power Supply 3 has been REMOVED

TUE JAN 23 21:42:35 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port A Status Changed: UP
+++ == SM == Stack Port A MAC Frames TX/RX Enabled

TUE JAN 23 21:42:36 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port B Status Changed: UP
+++ == SM == Stack Port B MAC Frames TX/RX Enabled
+++ Retaining Module Id for slot 2 unit 0 as 1

TUE JAN 23 21:42:44 : HSM-CHASSIS (101) info message:
+++ T8: Ni(2) insertion detected

TUE JAN 23 21:42:46 : CSM-CHASSIS (103) info message:
+++ == CSM == Primary.CMM is to Flash Synchro with slot 2 .
+++ == CSM == ftp in progress, please wait ...

TUE JAN 23 21:42:48 : HSM-CHASSIS (101) info message:
+++ === HSM === Power Supply 3 has been INSERTED

TUE JAN 23 21:43:13 : CVM-CHASSIS (104) info message:
+++ == CVM == Synchro Timer set for 720 seconds

TUE JAN 23 21:43:14 : FTP (82) info message:
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/working/boot.cfg!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/switch/snmp.engine!
+++ Session 0 Ending

TUE JAN 23 21:43:14 : CSM-CHASSIS (103) info message:
+++ == CSM == File transfer is completed successfully

TUE JAN 23 21:43:21 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port B Status Changed: DOWN
+++ == SM == Stack Port A Status Changed: DOWN

TUE JAN 23 21:43:22 : STACK-MANAGER (27) info message:
+++ == SM == NI 2 down notification sent to LAG

TUE JAN 23 21:43:23 : HSM-CHASSIS (101) info message:
+++ T8: Ni(2) extraction detected
+++ === HSM === Power Supply 3 has been REMOVED

TUE JAN 23 21:44:13 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port A Status Changed: UP
+++ == SM == Stack Port A MAC Frames TX/RX Enabled

TUE JAN 23 21:44:14 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port B Status Changed: UP
+++ == SM == Stack Port B MAC Frames TX/RX Enabled
+++ Retaining Module Id for slot 2 unit 0 as 1

TUE JAN 23 21:44:26 : HSM-CHASSIS (101) info message:
+++ T8: Ni(2) insertion detected

TUE JAN 23 21:44:30 : HSM-CHASSIS (101) info message:
+++ === HSM === Power Supply 3 has been INSERTED

TUE JAN 23 21:44:52 : CSM-CHASSIS (103) info message:
+++ == CSM == Stack 2 AutoCertify process Completed
+++ == CSM == Flash Synchronization process completed successfully

TUE JAN 23 21:45:16 : INTERFACE (6) info message:
+++ NIs are ready
Successfully sent the I2C read message to NISUP!!
->

6.7. Recovering from Pass-Through Mode
The pass-through mode is a state in which a switch has attempted to join a stack but has been denied
primary, secondary, or idle status. When a switch is in the pass-through mode, its Ethernet ports are brought
down (i.e., they cannot pass traffic); however, its stacking cable connections remain fully functional and can
pass traffic through to other switches in the stack. In this way, the pass-through mode provides a mechanism
to prevent the stack ring from being broken.
The most common reason for one or more switches to enter pass-through is duplicate slot number
assignments within the stack. So, in order to avoid pass-through mode, it is useful to keep track of the
current saved slot numbers on all elements in the stack. Slot number assignments are stored in the
boot.slot.cfg file in the /flash directory of each switch.
If the stack is booted and the same slot number is discovered on two or more switches, the switch with the
lowest MAC address is allowed to come up and operate normally. Meanwhile, switches with the duplicate slot
number and a higher MAC address come up in pass-through mode.
Let's change our configuration a little bit: change the slot number of the switch that is currently slot 2 so
that it is also configured as slot 1. From the Primary switch:

-> stack set slot 2 saved-slot 1
-> reload ni 2

When the switch finishes booting, from the primary check the stack topology:

-> show stack topology

Link A Link A Link B Link B
NI Role State Saved Link A Remote Remote Link B Remote Remote
Slot State NI Port State NI Port
----+---------+---------+------+-------+-------+-------+-------+-------+------
1 PRIMARY RUNNING 1 UP 1001 StackA UP 1001 StackB
1001 PASS-THRU DUP-SLOT 1 UP 1 StackA UP 1 StackB

-> show cmm

CMM in slot 1
Model Name: OS6450-10,
Description: CMM,
Part Number: 903005-90,
Hardware Revision: 08,
Serial Number: P0980885,
Manufacture Date: FEB 27 2013,
Firmware Version: n/a,
Admin Status: POWER ON,
Operational Status: UP,
Power Consumption: 0,
Power Control Checksum: 0x7090,
CPU Model Type : MV88F6281 Rev 2,
MAC Address: e8:e7:32:78:af:ee,

Had we rebooted both switches, the one with the lower MAC would have been the primary switch. Since we
just changed slot 2's configuration this did not occur. To bring the switch in pass-thru mode back to normal
let's change the slot number back and reload the entire stack:
-> stack set slot 1001 saved-slot 2
-> reload all
Confirm Reload All (Y/N) : y

Now your switches should be back to normal.
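The following Python checker is added here as an illustration and is not part of the course or lab material. It parses "show stack topology" output like the tables in the pass-through slides earlier in the module and in this lab section, and reports the conditions those pages warn about: elements in PASS-THRU/DUP-SLOT, duplicate saved slots that will cause pass-through at the next reboot, a missing secondary, more than eight elements, down stack links and ring cabling that does not match on both ends. The two sample tables are copied from this module; the check logic itself is an assumption built on the module's rules.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_STACK = 8  # the guide: never more than eight switches in a single stack
RULE_RE = re.compile(r"^-{4}\+-")  # the ----+----- line that precedes the rows


@dataclass
class Element:
    ni: int
    role: str
    state: str
    saved_slot: int
    # "A" / "B" -> (link state, remote NI, remote stacking port "A" or "B")
    links: Dict[str, Tuple[str, Optional[int], str]]


def _ni(token: str) -> Optional[int]:
    return int(token) if token.isdigit() else None


def parse_topology(text: str) -> List[Element]:
    """Parse the row section of 'show stack topology' (everything after the rule)."""
    rows, seen_rule = [], False
    for line in text.splitlines():
        if RULE_RE.match(line):
            seen_rule = True
            continue
        cols = line.split()
        if not seen_rule or len(cols) != 10 or not cols[0].isdigit():
            continue
        ni, role, state, saved, a_st, a_ni, a_port, b_st, b_ni, b_port = cols
        rows.append(Element(int(ni), role, state, int(saved),
                            {"A": (a_st, _ni(a_ni), a_port[-1]),
                             "B": (b_st, _ni(b_ni), b_port[-1])}))
    return rows


def check_stack(elements: List[Element]) -> List[str]:
    """Return findings; an empty list means nothing on the guide's checklist is wrong."""
    findings: List[str] = []
    by_ni = {e.ni: e for e in elements}
    if len(elements) > MAX_STACK:
        findings.append(f"{len(elements)} elements exceed the supported maximum of {MAX_STACK}")
    roles = Counter(e.role for e in elements)
    if roles["PRIMARY"] != 1:
        findings.append(f"expected exactly one PRIMARY, found {roles['PRIMARY']}")
    if len(elements) > 1 and roles["SECONDARY"] == 0:
        findings.append("no SECONDARY: a primary failure cannot be taken over")
    for e in elements:
        if e.role == "PASS-THRU" or e.state == "DUP-SLOT":
            findings.append(f"NI {e.ni} is in pass-through ({e.state}): its Ethernet ports are down; "
                            f"assign a free slot with 'stack set slot {e.ni} saved-slot <new>' and reboot it")
    # Duplicate saved slots only bite at the next reboot, so report them even when all is RUNNING.
    slots = defaultdict(list)
    for e in elements:
        slots[e.saved_slot].append(e.ni)
    for slot, nis in sorted(slots.items()):
        if len(nis) > 1:
            findings.append(f"saved slot {slot} is configured on NIs {nis}: all but the lowest MAC "
                            "will enter pass-through at the next reboot")
    # Ring consistency: if X's port P says "remote NI R, port Q", then R's port Q must name X.
    for e in elements:
        for port, (state, remote_ni, remote_port) in e.links.items():
            if state != "UP":
                findings.append(f"NI {e.ni} stack port {port} is {state}: ring redundancy lost")
                continue
            remote = by_ni.get(remote_ni)
            if remote is None:
                findings.append(f"NI {e.ni} port {port} points at unknown NI {remote_ni}")
            elif remote.links[remote_port][1] != e.ni:
                findings.append(f"cabling mismatch: NI {e.ni} port {port} sees NI {remote_ni} port "
                                f"{remote_port}, which reports NI {remote.links[remote_port][1]}")
    return findings


# Table from the pass-through slides: four elements booted with saved slot 1.
DUP_TOPOLOGY = """\
NI   Role       State    Saved  Link A  Remote  Remote  Link B  Remote  Remote
                         Slot   State   NI      Port    State   NI      Port
----+-----------+--------+------+-------+-------+-------+-------+-------+-------
   1 PRIMARY    RUNNING     1   UP      1001    StackB  UP      1003    StackA
1001 PASS-THRU  DUP-SLOT    1   UP      1002    StackB  UP         1    StackA
1002 PASS-THRU  DUP-SLOT    1   UP      1003    StackB  UP      1001    StackA
1003 PASS-THRU  DUP-SLOT    1   UP         1    StackB  UP      1002    StackA
"""

# Table from the CMM/NI commands slide after the slots were corrected and the stack rebooted.
HEALTHY_TOPOLOGY = """\
----+-----------+--------+------+-------+-------+-------+-------+-------+-------
   1 PRIMARY    RUNNING     1   UP         2    StackB  UP         4    StackA
   2 SECONDARY  RUNNING     2   UP         3    StackB  UP         1    StackA
   3 IDLE       RUNNING     3   UP         4    StackB  UP         2    StackA
   4 IDLE       RUNNING     4   UP         1    StackB  UP         3    StackA
"""
```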

6.8. Software Synchronization
Synchronization between primary and secondary is not automatic. Synchronization means copying the
configuration and operating system images from the primary to the secondary switch. Let’s create a VLAN 2 to
change the configuration status and proceed to certified configuration synchronization.
Type the following:

-> vlan 2
-> copy running-config working
File /flash/working/boot.cfg replaced.
This file may be overwritten if "takeover" is executed before "certify"
->
-> copy working certified

MON JAN 01 02:48:38 : CSM-CHASSIS (103) info message:
+++ == CSM == CERTIFYing software process started
+++ == CSM == Setting CERTIFY Timeout for 800 seconds

from /flash/working to /flash/certified
Copying boot.cfg .................... completed

+++ == CSM == Stack 1 Certify process Completed
+++ == CSM == CERTIFY process completed successfully

-> show running-directory

CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : 1,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : NOT SYNCHRONIZED,
Stacks Reload on Takeover: ALL STACKs (SW Activation)

-> copy flash-synchro

MON JAN 01 02:48:59 : CSM-CHASSIS (103) info message:
+++ == CSM == CERTIFYing software process started
+++ == CSM == Setting CERTIFY Timeout for 800 seconds
+++ == CSM == Stack 1 Certify process Completed

MON JAN 01 02:49:00 : CSM-CHASSIS (103) info message:
+++ == CSM == CERTIFY process completed successfully
+++ == CSM == Flash Synchronization process started
+++ == CSM == Primary.CMM is to Flash Synchro with slot 2 .
+++ == CSM == ftp in progress, please wait ...

MON JAN 01 02:49:03 : CVM-CHASSIS (104) info message:
+++ == CVM == Synchro Timer set for 720 seconds

MON JAN 01 02:49:04 : FTP (82) info message:
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/working/boot.cfg!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/network/userTable5!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/network/lockoutSetting!

MON JAN 01 02:49:05 : FTP (82) info message:
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/network/policy.cfg!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/network/ssh_host_dsa_key!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/network/ssh_host_dsa_key.pub!
+++ Session 0 Ending

MON JAN 01 02:49:06 : FTP (82) info message:
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/switch/snmp.engine!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/switch/pre_banner.txt!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1

MON JAN 01 02:49:07 : FTP (82) info message:
+++ Get /flash/switch/avlan/topA.html!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/switch/avlan/topB.html!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/switch/avlan/bottomA.html!
+++ Session 0 Ending

MON JAN 01 02:49:08 : FTP (82) info message:
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/switch/avlan/bottomB.html!
+++ Session 0 Ending
+++ Session 0 New Connection, Client Address 127.2.66.1
+++ Get /flash/switch/dhcpClient.db!
+++ Session 0 Ending

MON JAN 01 02:49:09 : CSM-CHASSIS (103) info message:
+++ == CSM == File transfer is completed successfully
+++ == CSM == Please wait while module 2 performs Certify process ...
+++ == CSM == Stack 2 Certify process Completed

MON JAN 01 02:49:11 : CSM-CHASSIS (103) info message:
+++ == CSM == Flash Synchronization process completed successfully
->

Let’s check the new configuration status:

-> show running-directory

CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : 1,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : SYNCHRONIZED,
Running Configuration : SYNCHRONIZED,
Stacks Reload on Takeover: PRIMARY ONLY

In order to synchronize the time and date settings between primary and secondary switches, enter the
following command:

-> system time-and-date synchro

-> show system
System:
Description:Alcatel-Lucent OS6450-10 6.6.4.177.R01 GA, May 24, 2013.,
Object ID: 1.3.6.1.4.1.6486.800.1.1.2.1.12.1.1,
Up Time: 0 days 0 hours 7 minutes and 17 seconds,
Contact: Alcatel-Lucent, http://alcatel-lucent.com/wps/portal/enterprise,
Name: switch415,
Location: Unknown,
Services: 72,
Date & Time:TUE JAN 23 2001 22:24:10 (UTC)

Flash Space:
Primary CMM:
Available (bytes): 57632768,
Comments : None

7 Test of resiliency

7.1. Loss of stacking cable
Connect two PCs to the stack on different switches (NIs) and ping each other. Remove one of the redundant
cables (not available in the remote lab). Do you lose any pings?
Check both switches' status and the stacking topology.

7.2. Loss of Primary CMM
Ping between the two PCs located on different switches. Perform a switch/CMM takeover while pinging
between PCs. Log onto the current secondary switch:

-> takeover
Confirm Takeover (Y/N) :

MON JAN 01 02:56:28 : CSM-CHASSIS (103) info message:
+++ == CSM == RELOAD other CMM received
->
MON JAN 01 02:56:33 : STACK-MANAGER (27) info message:
+++ == SM == Stack Port B Status Changed: DOWN
+++ == SM == Stack Port A Status Changed: DOWN

MON JAN 01 02:56:34 : STACK-MANAGER (27) info message:
+++ == SM == NI 1 down notification sent to LAG
+++ == SM == Primary change reset connection (old 1, new 2, prev 0)

MON JAN 01 02:56:34 : CSM-CHASSIS (103) info message:
+++ == CSM == SECONDARY received PRIMARY role - TAKEOVER in progress, set secTakeov
+++ [Count.]erInProgress
vrrpIPCSocketHandler: Msg (64.6)
vrrpCsSendTakeoverAck: sending takeover ack....

MON JAN 01 02:56:36 : CCM-CHASSIS (100) info message:
+++ === CCM === csCcmEoicFunc: send CCM_CSM_EOIC OK

MON JAN 01 02:56:36 : CSM-CHASSIS (103) info message:
+++ == CSM == CMM take-over ongoing
vrrpCsSendTakeoverAck: takeover ack sent: 8 bytes
login : Target Name: vxTarget

MON JAN 01 02:56:38 : CSM-CHASSIS (103) info message:
+++ == CSM == CMM take-over completed
Successfully sent the I2C read message to NISUP!!

MON JAN 01 02:56:38 : INTERFACE (6) info message:
+++ NIs are ready

-> show stack topology

Link A Link A Link B Link B
NI Role State Saved Link A Remote Remote Link B Remote Remote
Slot State NI Port State NI Port
----+-----------+--------+------+-------+-------+-------+-------+-------+-------
1 SECONDARY RUNNING 1 UP 2 StackB UP 2 StackA
2 PRIMARY RUNNING 2 UP 1 StackB UP 1 StackA

->
MON JAN 01 02:58:05 : INTERFACE (6) info message:
+++ NIs are ready
Successfully sent the I2C
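Added example, not from the course: a Python helper that reads "show running-directory" output (as in the synchronization slides, in lab 6.8 and before the takeover in 7.2) and says whether a takeover is safe, listing the commands still needed on the primary. The readiness rules are an assumption drawn from the module's text: synchronize before takeover, certifying leaves the CMMs unsynchronized again until a flash-synchro, the secondary does not report synchronization status, and an "ALL STACKs" reload scope means every element reboots.

```python
import re
from typing import Dict, List, Tuple

# "key : value," with an optional trailing comma; section titles have no colon and do not match.
KV_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.+?),?\s*$")


def parse_running_directory(text: str) -> Dict[str, str]:
    """Map each 'key : value' line of 'show running-directory' to key -> value."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            status[m.group("key")] = m.group("val")
    return status


def takeover_readiness(text: str) -> Tuple[bool, List[str], List[str]]:
    """Return (ready, commands still needed on the primary, warnings).

    Rules assumed from the module: both 'Flash Between CMMs' and 'Running
    Configuration' must be SYNCHRONIZED, the working directory must be
    CERTIFIED (certifying desynchronizes the CMMs, so a flash-synchro must
    follow it), and a reload scope of ALL STACKs means a full outage.
    """
    st = parse_running_directory(text)
    steps: List[str] = []
    warnings: List[str] = []
    if st.get("Running CMM") != "PRIMARY":
        warnings.append("run this check on the PRIMARY: the secondary does not report synchronization status")
    if st.get("CMM Mode") != "DUAL CMMs":
        warnings.append("no secondary CMM present: there is nothing to take over")
    if st.get("Certify/Restore Status") != "CERTIFIED":
        steps += ["copy working certified", "copy flash-synchro"]
    elif (st.get("Flash Between CMMs") != "SYNCHRONIZED"
          or st.get("Running Configuration") != "SYNCHRONIZED"):
        steps.append("copy flash-synchro")
    # R6 stackables print "Stacks Reload on Takeover", the chassis form prints "NIs Reload On Takeover".
    scope = st.get("Stacks Reload on Takeover") or st.get("NIs Reload On Takeover", "")
    if scope.upper().startswith("ALL"):
        warnings.append(f"takeover would reload every element ({scope}): expect a service outage")
    return (not steps and not warnings), steps, warnings


# Output from lab 6.8 right after "copy working certified", before "copy flash-synchro".
NOT_SYNCED = """\
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : 1,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : NOT SYNCHRONIZED,
Stacks Reload on Takeover: ALL STACKs (SW Activation)
"""

# Output from lab 6.8 after the flash-synchro completed.
SYNCED = """\
CONFIGURATION STATUS
Running CMM : PRIMARY,
CMM Mode : DUAL CMMs,
Current CMM Slot : 1,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Flash Between CMMs : SYNCHRONIZED,
Running Configuration : SYNCHRONIZED,
Stacks Reload on Takeover: PRIMARY ONLY
"""
```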

8 Delete the stack
To continue with the other labs, it’s recommended to remove the stack configuration. On the primary switch,
enter the following commands:
-> stack set slot 1 mode standalone
-> stack set slot 2 mode standalone
-> rm boot.slot.cfg

On the secondary, type
-> rm boot.slot.cfg

And back on the primary, type
-> reload working no rollback-timeout

9 Summary
This lab briefly introduced you to the OmniSwitch virtual chassis concept.

10 Lab Check
1) What commands would be used to perform the following?
.....................................................................................................................
2) Determine the slot number of the primary switch
.....................................................................................................................
3) Cause the secondary switch to take over the functions of the primary switch
.....................................................................................................................
4) Reboot the primary CMM only
.....................................................................................................................
5) Which role is assumed by each of the switches
.....................................................................................................................
6) Reload all modules in one way
.....................................................................................................................
7) Determine which stacking cables are connected to which switch
.....................................................................................................................
8) Verify if a redundant stacking cable is currently installed
.....................................................................................................................
OMNISWITCH AOS R6/R7/R8

VLAN Management
VLAN Management - Module objectives
 You will:
  Understand the VLAN implementation and features on AOS based switches
  Learn how to:
   Deploy static or dynamic VLANs in order to segment a network
   Configure VLAN tagging over Ethernet links
   Implement and monitor the MVRP protocol

[Diagram: AOS Operating System, with DHCP Client High Availability, Extensive Manageability and Enhanced Security]
VLANs - Overview
 VLAN - Virtual LAN
 A broadcast domain
 Ease of network management
 Provides a more secure network

 Ports become members of VLANs by


 Static Configuration
 Mobility/Authentication
 802.1q
 VLAN Mobile Tag
VLANs - Evolution to Virtual LANs
Switch-centric model with VLANs (Logical perspective)

[Diagram: one switch carrying three VLANs - Yellow, Blue and Red]
Static VLAN Membership
 Static VLAN
  VLAN is assigned to the data port (aka the default VLAN of the port).
  By default, all ports belong to VLAN 1.
  Segmentation of VLANs is done according to topology, geography, etc.

-> vlan 2 port default 1/2 (R6)
-> vlan 2 members port 1/2* untagged (R7/8)
*chassis/slot/port for R8

[Diagram: Virtual Router connecting VLAN 1 to VLAN 6; ports 1/2, 1/4 and 1/6 each statically assigned to one VLAN]
VLANs - CLI
 Defining a VLAN
-> vlan 2

 Assigning Ports to a VLAN
-> vlan 2 port default <slot>/<port> (R6)
-> vlan 2 members port <slot>/<port> untagged (R7/8)

 Optional commands
 -> vlan 4 enable (R6)
 -> vlan 4 admin-state enable (R7/8)
 -> vlan 4 name Engineering
 Use quotes around string if the VLAN name contains multiple words with spaces between them
 -> vlan 10-15 100-105 200 name “Training Network”

 Monitoring
-> show vlan 4
-> show vlan port (R6)
-> show vlan members (R7/8)
-> show ip interface
Static VLAN assignment configuration
Example

[Diagram: Data VLAN 2 and Voice VLAN 3 with an IP phone; hosts in both VLANs obtain a dynamic IP address from the DHCP server]

-> vlan 2 name Data
-> vlan 2 port default 1/1
-> ip interface Data address 10.1.20.1 mask 255.255.255.0 vlan 2
-> vlan 3 name Voice
-> vlan 3 port default 1/14
-> ip interface Voice address 10.1.30.1 mask 255.255.255.0 vlan 3

-> show ip interface
Total 6 interfaces
Name           IP Address     Subnet Mask       Status   Forward  Device
--------------+-------------+----------------+--------+--------+--------
Data           10.1.20.1      255.255.255.0     DOWN     NO       vlan 2

-> show vlan
            stree                              mble  src
 vlan  type  admin  oper   1x1    flat   auth  ip   ipx  tag   lrn   name
----+-----+------+------+------+------+----+-----+-----+-----+-----+---------
 1     std   on     on     on     on     off  on   NA   off   on    VLAN 1
 2     std   on     on     on     on     off  on   NA   off   on    Data
 3     std   on     on     on     on     off  on   NA   off   on    VLAN 3

-> show vlan 2
Name : Data,
Administrative State : enabled,
Operational State : disabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : on,
IP MTU : 1500,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled

-> show vlan 2 port
 port      type      status
---------+---------+--------------
 1/1       default   active
Dynamic VLAN Membership
 Dynamic VLANs
  VLAN is assigned depending on the device or the user
  Device oriented: VLAN according to traffic criteria (MAC address, etc.)
  User oriented: Authenticated VLAN (IEEE 802.1X for enhanced security)

[Diagram: Virtual Router connecting VLAN 1 to VLAN 6; a device is placed into its VLAN dynamically]
Dynamic VLAN Membership
 Dynamic assignment
  Applies only to mobile (R6) or UNP (R7/8)* ports
  Requires additional configuration of VLAN rules or UNP classification rules*
 When traffic is received on a mobile port,
  the packets are examined to determine if their content matches any of the VLAN rules configured on the switch.
  If so, the mobile port is assigned to that VLAN
 Rules are defined by specifying a port, MAC address, protocol, network address, binding, or DHCP criteria
 It is also possible to define multiple rules for the same VLAN.

*UNP ports and classification rules are covered in a different module


Dynamic VLAN Membership - Policy Types
 MAC Address
  Single
  Range
 Protocol
  IP
  IPX
  DECNET
  APPLETALK
  Specified by Ether-type
  Specified by DSAP and SSAP
  Specified by SNAP
 Network Layer Address
  IP Subnet
  IPX network number

[Diagram: examples of classification criteria - Appletalk devices, IPX network/protocol, IP subnet 192.168.10.0/24, MAC address 0005d3:123456]
Dynamic VLAN Membership - DHCP Policy
 DHCP VLAN Membership
  DHCP PORT policy
   Devices generating DHCP requests on these ports
  DHCP MAC/MAC Range policy
   Devices with specified MAC addresses generating DHCP requests
  DHCP Generic policy
   Any DHCP packet (one rule per switch)
 DHCP request frames will not be forwarded until a device's VLAN membership is defined
  Without an internal BootP Relay entity, DHCP frames are only forwarded to ports within the VLAN
  With an internal BootP Relay entity, DHCP frames are forwarded to the Relay

[Diagram: 1 - a client needing an IP address appears in the default DHCP VLAN; 2 - the BootP Relay delivers the request to the DHCP server; 3 - after receiving an IP address, the client participates in its authorized VLANs]
Dynamic VLAN Membership - Binding Policy (R6)
 A device must match multiple criteria for assignment to a VLAN
 Failure to match all criteria is a “violation” and the device is not assigned to any VLAN
 If the user's IP changes while connected
  Users will be disconnected
  Trap will be generated
 Allowed port binding rules
  MAC + IP + Port
  MAC + Port
  Port + Protocol

Example: VLAN 1:2
Rule 1: 3/1, 192.168.10.2, AAAAAA:AAAAAA
Rule 2: 3/2, 192.168.10.3, BBBBBB:BBBBBB
Rule 3: 3/3, 192.168.10.4, CCCCCC:CCCCCC

-> vlan vid binding [PORT-PROTOCOL | MAC-PORT | MAC-IP-PORT]

[Diagram: hosts on ports 3/1 (192.168.10.2, AAAAAA:AAAAAA), 3/2 (192.168.10.3, BBBBBB:BBBBBB) and 3/3 (192.168.10.4, DDDDDD:DDDDDD); note that the rule for 3/3 specifies CCCCCC:CCCCCC]
Dynamic VLAN Membership - 802.1x Authenticated VLANs
 Applies to users connected on authenticated ports
 Users must authenticate through an 802.1x client
 Authentication is based on either RADIUS, LDAP or TACACS+
 Successful login
  The client MAC is associated with the correct VLAN

[Diagram: a supplicant user with an 802.1x client connected to a switch running the authentication agent; the switch queries a RADIUS, TACACS+ or LDAP server and the host moves from the Default VLAN to the Target VLAN]

*802.1x configuration is covered in a different module
VLAN rules (R6)
CLI
 Enabling a mobile port
-> vlan port mobile <slot>/<port>

 Assigning a rule to a VLAN


-> vlan 2 <rule>

 Defining an IP or IPX protocol rule for VLAN 2


-> vlan 2 protocol ?
 snap ipx-snap ipx-novell ipx-llc ipx-e2 ip-snap ip-e2 ethertype dsapssap decnet appletalk

 Defining an IP network address rule for VLAN 25


-> vlan 25 ip 21.0.0.0
-> vlan 25 ip 21.1.0.0 255.255.0.0

 Defining a MAC-IP-port binding rule
-> vlan 2 binding [PORT-PROTOCOL | MAC-PORT | MAC-IP-PORT]
-> vlan 2 binding mac-ip-port 00:00:20:11:4a:29 192.168.100.1 4/1

 Monitoring
-> show vlan 4
-> show vlan port
-> show vlan rules
-> show vlan 4 rules
-> show vlan port mobile
VLAN Mobility rules
Example

[Diagram: Data VLAN 2 and Voice VLAN 3 with an IP phone; hosts in both VLANs obtain a dynamic IP address from the DHCP server]

-> vlan 2 name Data
-> vlan 2 ip 10.1.20.0 255.255.255.0
-> vlan port mobile 1/1
-> ip interface Data address 10.1.20.1 mask 255.255.255.0 vlan 2
-> vlan 3 name Voice
-> vlan 3 mac-range 00:80:9f:00:00:00 00:80:9f:ff:ff:ff
-> vlan port mobile 1/14
-> ip interface Voice address 10.1.30.1 mask 255.255.255.0 vlan 3

sw1> show vlan rules
type              vlan   rule
-----------------+------+-------------------------------------------
ip-net            2      10.1.1.0, 255.255.255.0
ip-net            2      10.1.20.0, 255.255.255.0
mac-range         3      00:80:9f:00:00:00, 00:80:9f:ff:ff:ff

-> show ip interface
Total 6 interfaces
Name       IP Address      Subnet Mask       Status    Forward    Device
----------+--------------+----------------+---------+----------+--------
Data       10.1.20.1       255.255.255.0     UP        YES        vlan 2
Voice      10.1.30.1       255.255.255.0     UP        YES        vlan 3

-> show vlan 2
Name : Data,
Administrative State : enabled,
Operational State : enabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : on,
IP MTU : 1500,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled

-> show vlan 2 port
 port      type      status
---------+---------+--------------
 1/1       mobile    active
Precedence/Rule Type
 Upon receiving a frame, Source Learning compares the frame with the VLAN policies in order

 1. Frame Type
 2. DHCP MAC
 3. DHCP MAC Range
 4. DHCP Port
 5. DHCP Generic
 6. MAC-Port-IP
 7. MAC-Port Binding
 8. Port-Protocol Binding
 9. MAC Address
 10. MAC Range
 11. Network Address
 12. Protocol
 13. Default (No Match -> port default VLAN)
VLAN Mobility
Default behaviour
 Default VLAN handling (renaming)

 Default VLAN
-> vlan port slot/port default vlan {enable | disable}

 Enabled -> user will join default VLAN when no rule matches (default)
 Disabled -> user’s traffic will be dropped, when no rule matches

 Default VLAN restore


-> vlan port slot/port default vlan restore {enable | disable}

 Enabled -> user will join default VLAN when traffic ages out (default)
 Disabled -> user will remain in the VLAN membership even after traffic ages out
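The following Python model, added here as an example and not taken from the course or from AOS, walks a received frame through the rule precedence listed above, returns the binding "violation" outcome, and applies the "default vlan enable/disable" behaviour when nothing matches. The rule-type names, data structures and every sample frame and rule are this example's own constructions (the rules are modelled on the slides' values).

```python
"""Added example (not course or AOS code): how an R6 mobile port classifies a
frame against its VLAN rules in slide precedence order, including binding
violations and the "vlan port ... default vlan {enable|disable}" setting."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Slide precedence, highest first (frame-type/port-protocol not modelled here).
PRECEDENCE = ["frame-type", "dhcp-mac", "dhcp-mac-range", "dhcp-port",
              "dhcp-generic", "mac-ip-port", "mac-port", "port-protocol",
              "mac", "mac-range", "ip-net", "protocol"]

@dataclass
class Frame:
    """What source learning sees from one received frame (constructed)."""
    port: str                    # slot/port the frame arrived on
    src_mac: str
    src_ip: Optional[str] = None
    ethertype: int = 0x0800      # IPv4 unless stated otherwise
    is_dhcp: bool = False

@dataclass
class Rule:
    kind: str                    # one of PRECEDENCE
    vlan: int
    port: Optional[str] = None
    mac: Optional[str] = None
    mac_range: Optional[Tuple[str, str]] = None   # inclusive low, high
    net: Optional[str] = None    # "10.1.20.0/24"; a /32 host for binding rules
    ethertype: Optional[int] = None

@dataclass
class MobilePort:
    default_vlan: int = 1
    default_vlan_enabled: bool = True   # "default vlan enable" is the default

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def _matches(r: Rule, f: Frame) -> Optional[bool]:
    """True = match, False = no match, None = binding violation (our reading of
    the slide: the source MAC matches a binding rule but another criterion fails)."""
    mac_ok = r.mac is None or f.src_mac.lower() == r.mac.lower()
    port_ok = r.port is None or f.port == r.port
    ip_ok = r.net is None or (f.src_ip is not None and
                              IPv4Address(f.src_ip) in IPv4Network(r.net))
    if r.kind in ("mac-ip-port", "mac-port"):
        if not mac_ok:
            return False
        return True if (port_ok and ip_ok) else None
    if r.kind.startswith("dhcp") and not f.is_dhcp:
        return False                          # DHCP rules only see DHCP frames
    if r.kind == "dhcp-generic":
        return True
    if r.kind == "dhcp-port":
        return port_ok
    if r.kind in ("dhcp-mac", "mac"):
        return mac_ok
    if r.kind in ("dhcp-mac-range", "mac-range"):
        lo, hi = (_mac_int(m) for m in r.mac_range)
        return lo <= _mac_int(f.src_mac) <= hi
    if r.kind == "ip-net":
        return ip_ok
    if r.kind == "protocol":
        return f.ethertype == r.ethertype
    return False

def classify(port: MobilePort, rules: List[Rule], f: Frame) -> Tuple[Optional[int], str]:
    """Walk the rules in precedence order; a VLAN of None means the frame is dropped."""
    for kind in PRECEDENCE:
        for r in (x for x in rules if x.kind == kind):
            res = _matches(r, f)
            if res is None:
                return None, f"binding violation ({r.kind}, VLAN {r.vlan})"
            if res:
                return r.vlan, f"{r.kind} rule -> VLAN {r.vlan}"
    if port.default_vlan_enabled:
        return port.default_vlan, "no match -> port default VLAN"
    return None, "no match and default VLAN disabled -> dropped"

# Rules modelled on the slides: ip-net (VLAN 25), phone mac-range (VLAN 3),
# a dhcp-port rule (VLAN 5) and the mac-ip-port binding (VLAN 2).
RULES = [
    Rule("ip-net", 25, net="21.1.0.0/16"),
    Rule("mac-range", 3, mac_range=("00:80:9f:00:00:00", "00:80:9f:ff:ff:ff")),
    Rule("dhcp-port", 5, port="1/1"),
    Rule("mac-ip-port", 2, mac="00:00:20:11:4a:29", net="192.168.100.1/32", port="4/1"),
]

def demo() -> dict:
    """Constructed frames showing precedence, violation and default handling."""
    p = MobilePort()
    off = MobilePort(default_vlan_enabled=False)
    return {
        # phone matches mac-range (10) and ip-net (11): mac-range wins -> VLAN 3
        "phone": classify(p, RULES, Frame("1/1", "00:80:9f:12:34:56", "21.1.5.9"))[0],
        # DHCP discover from that phone: dhcp-port (4) beats mac-range -> VLAN 5
        "dhcp": classify(p, RULES, Frame("1/1", "00:80:9f:12:34:56", "0.0.0.0", is_dhcp=True))[0],
        # bound MAC seen on the wrong port: violation, assigned nowhere
        "violation": classify(p, RULES, Frame("4/2", "00:00:20:11:4a:29", "192.168.100.1"))[0],
        # nothing matches: default VLAN 1, or dropped when the default VLAN is disabled
        "default": classify(p, RULES, Frame("1/3", "aa:bb:cc:dd:ee:ff", "10.9.9.9"))[0],
        "dropped": classify(off, RULES, Frame("1/3", "aa:bb:cc:dd:ee:ff", "10.9.9.9"))[0],
    }
```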
VLANs
IEEE 802.1Q
 Aggregates multiple VLANs across Ethernet links
 Combines traffic from multiple VLANs over a single link
 Encapsulates bridged frames within standard IEEE 802.1Q frame
 Enabled on fixed ports
 Tags port traffic for destination VLAN

Tagged Frames
 802.1Q
  VLAN Tag
  802.3 MAC header change
  4096 unique VLAN Tags (addresses)
  VLAN ID == GID == VLAN Tag
 802.1P
  Three bit field within 802.1Q header
  Allows up to 8 different priorities
  Feature must be implemented in hardware

[Diagram: “Modified 802.3 MAC” frame - DA, SA, then Ethertype, Priority, Tag (4 bytes) carrying the 802.1p priority (3 bits) and the VLAN ID (12 bits)]
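To make the 4-byte tag concrete, here is an added Python example (not course or AOS code) that inserts a tag into a constructed Ethernet frame and parses it back out, separating the 3-bit priority from the 12-bit VLAN ID; the addresses and payload are constructed.

```python
"""Added example (not part of the course material): build and parse the
4-byte IEEE 802.1Q tag.  Addresses and payload below are constructed."""
import struct

TPID_8021Q = 0x8100   # Ethertype value announcing that a tag follows

def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int,
                       inner_ethertype: int, payload: bytes) -> bytes:
    """Insert TPID + TCI after the source MAC.  TCI = PCP(3) | DEI(1) | VID(12)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7):
        raise ValueError("VID must be 0..4095 and PCP 0..7")
    tci = (pcp << 13) | vid                      # DEI bit left at 0
    return (dst + src + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", inner_ethertype) + payload)

def parse_frame(frame: bytes) -> dict:
    """Decode the header; untagged frames come back with tagged=False."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "dei": None, "vid": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tag announced but frame truncated")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=inner, payload=frame[18:])
    else:
        info.update(ethertype=ethertype, payload=frame[14:])
    return info

def vid_class(vid: int) -> str:
    """Of the 4096 tag values, 0 and 4095 are not usable as VLAN IDs,
    which leaves the 4094 VLANs quoted elsewhere in this module."""
    if vid == 0:
        return "priority-tagged"   # carries only an 802.1p priority, no VLAN
    if vid == 4095:
        return "reserved"
    return "vlan"

# Constructed sample frame pieces
DST = bytes.fromhex("000000000001")
SRC = bytes.fromhex("00809f123456")
IPV4 = 0x0800
PAYLOAD = bytes.fromhex("45") + bytes(19)   # stub of an IPv4 header

def demo():
    """Return (parsed untagged, parsed tagged, extra bytes added by the tag)."""
    untagged = DST + SRC + struct.pack("!H", IPV4) + PAYLOAD
    tagged = build_tagged_frame(DST, SRC, vid=3, pcp=5,
                                inner_ethertype=IPV4, payload=PAYLOAD)
    return parse_frame(untagged), parse_frame(tagged), len(tagged) - len(untagged)

if __name__ == "__main__":
    u, t, extra = demo()
    print(f"untagged ethertype=0x{u['ethertype']:04x}")
    print(f"tagged vid={t['vid']} pcp={t['pcp']} inner=0x{t['ethertype']:04x} (+{extra} bytes)")
```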
VLANs
802.1Q Configuration
-> vlan 1-3
-> vlan 1-3 802.1q 3/4 (R6)
-> vlan 1-3 members port 3/4* tagged (R7/8)

-> show vlan 2 port
-> show 802.1q 3/4 (R6)
-> show vlan members (R7/8)
*chassis/slot/port for R8

[Diagram: two switches linked through port 3/4 on each side; VLAN 1, VLAN 2 and VLAN 3 are carried tagged across the link]
VLAN - Mobile Tag
 Allows the dynamic assignment of mobile ports to more than one VLAN at the same time
 Enabled on mobile ports
-> vlan 3 mobile-tag enable
 Allows mobile ports to receive 802.1Q tagged packets
 Enables the classification of mobile port packets based on the 802.1Q VLAN ID tag
 Takes precedence over all VLAN rules

[Diagram: OmniPCX Enterprise Communication Server sending tagged packets with tag=3 into the Voice VLAN; Data VLAN and Default VLAN shown alongside]
VLAN mobile - Tagging vs 802.1Q tagging

VLAN Mobile Tag
 Allows mobile ports to receive 802.1Q tagged packets
 Enabled on the VLAN that will receive tagged mobile port traffic
 Triggers dynamic assignment of tagged mobile port traffic to one or more VLANs

802.1Q Tag
 Not supported on mobile ports
 Enabled on fixed ports; tags port traffic for destination VLAN
 Statically assigns (tags) fixed ports to one or more VLANs
INTER-VLAN ROUTING
Inter-VLAN routing
IP Interface

 IP is enabled by default.

 IP interfaces are bound to VLANs.

 IP forwarding is enabled when at least one IP interface is configured on a VLAN.

 IP Interfaces have the following characteristics:


 The subnet mask can be expressed in dotted decimal notation (255.255.0.0) or with a
slash (/) followed by the number of bits in the mask (192.168.10.1/24).
 A forwarding router interface sends IP frames to other subnets. A router interface that
is not forwarding can receive frames from other hosts on the same subnet.
 The default encapsulation for the interface is Ethernet-II.
 The first interface bound to a VLAN becomes the primary interface for that VLAN.

-> ip interface <int_name> address <ip address/mask> vlan <vlan_id>


-> show ip interface
Configuring inter-VLAN routing
 Create VLANs 10 & 20 with a description
-> vlan 10 name “VLAN 10”
-> vlan 20 name “VLAN 20”

 Assign an active port to VLANs 10 & 20
-> vlan 10 port default 1/1 (R6)
-> vlan 20 port default 1/2 (R6)
-> vlan 10 members port 1/1 untagged (R7/8)
-> vlan 20 members port 1/2 untagged (R7/8)

 Create an IP router interface on VLAN 10


-> ip interface vlan-10 address 171.10.1.1 vlan 10

 Create an IP router interface on VLAN 20


-> ip interface vlan-20 address 171.11.1.1 vlan 20
Note. The operational status of a VLAN remains inactive until at least one active switch port is assigned
to the VLAN. Ports are considered active if they are connected to an active network device. Non-
active port assignments are allowed, but do not change the operational state of the VLAN.

-> ip interface name [address ip_address] [mask subnet_mask] [admin [enable | disable]]
[vlan vid] [forward | no forward] [local-proxy-arp | no local-proxy-arp] [eth2 | snap]
[primary | no primary]
MULTIPLE VLAN REGISTRATION PROTOCOL
IEEE 802.1ak - MVRP
 MVRP operation is close to that of GVRP
 Controls and signals dynamic VLAN registration entries across the bridged network
 Standards-based Layer 2 network protocol
 Implements the MRP and MVRP protocols
  Multiple VLAN Registration Protocol (MVRP)
 Re-declaration during topology change (only for affected VLANs)
 Flushing of learnt attributes during topology change

IEEE 802.1ak MVRP – Description
 Declarations & registrations follow the path defined by the STP topology
 Once a port receives an MVRP PDU
  Becomes a member of the advertised VLAN
  Shares all information in the PDU with all switches participating in MVRP in the switching network by propagating/transmitting out of other forwarding ports in that STP instance
 MVRP sends one PDU that includes the state of all 4094 VLANs on a port
 MVRP VLAN advertisement can be triggered by group mobility VLANs
 MVRP also includes the transmission of a TCN for individual VLANs

[Diagram: a switch with static VLAN10 and VLAN11 advertises them over an 802.1q link; the neighbouring switch creates VLAN10 and VLAN11 dynamically (GVRP/MVRP), and a TCN is sent for VLAN11 only]
IEEE 802.1ak MVRP
CLI configuration
 MVRP is supported only in STP flat mode
 -> mvrp ?
transparent-switching port maximum linkagg enable disable clear-statistics
 -> mvrp {enable | disable}
 Enables/Disables MVRP on a switch globally

 -> mvrp {linkagg <agg_num [-agg_num2]> | port <slot/port [– port2]>} { enable | disable}
 Enables/Disables MVRP on specific port(s) or aggregate(s) on the switch

 -> mvrp transparent-switching {enable | disable}


 Enables/Disables transparent switching on the switch. When transparent switching is enabled, the switch
propagates MVRP information to other switches but does not participate in the MVRP protocol

 -> mvrp maximum vlan <vlanlimit>


 Configures the maximum number of dynamic VLANs that can be created by MVRP

 -> mvrp {linkagg <agg_num [-agg_num2]> | port <slot/port [– port2]>} registration {normal | fixed |
forbidden}
 Normal: both registration and de-registration of VLANs are allowed
 VLANs can be mapped either dynamically (through MVRP) or statically (through management application) on such a port
 Fixed: Only static mapping of VLANs is allowed on the port but de-registration of previously created dynamic or
static VLANs is not allowed
 Forbidden: dynamic VLAN registration or de-registration is not allowed on the port. Any dynamic VLAN created
earlier will be deregistered
IEEE 802.1ak MVRP
CLI configuration
 -> mvrp {linkagg <agg_num [-agg_num2]> | port <slot/port [– port2]>} applicant {participant | non-
participant | active}

 applicant mode determines whether or not MVRP PDU exchanges are allowed on a port depending on the Spanning
Tree state of the port
 Normal participant: State machine participates normally in MRP protocol exchanges for forwarding ports only
 Non-participant: State machine does not send any MRP message
 Active: State machine participates normally in MRP protocol exchanges for both forwarding and blocking ports. This
is an Alcatel-Lucent proprietary mode

 -> mvrp {linkagg <agg_num [-agg_num2]> | port <slot/port [– port2]>} periodic-transmission {enable|disable}
  Enables the periodic transmission status on a port or aggregate of ports

 -> mvrp {linkagg <agg_num [-agg_num2]> | port <slot/port [– port2]>} restrict-vlan-registration vlan
<vlan-list>

 Restricts MVRP processing from dynamically registering the specified VLAN(s) on the switch
IEEE 802.1ak MVRP
CLI monitoring
-> show mvrp ?
timer statistics port linkagg configuration

-> show mvrp [linkagg <agg_num [-agg_num2]> | port <slot/port [– port2]>] ?
disabled enabled last-pdu-origin statistics timer vlan-restrictions

-> show mvrp {linkagg <agg_num> | port <slot/port>} configuration

-> show mvrp configuration
MVRP Enabled                  : yes,
Transparent Switching Enabled : no,
Maximum VLAN Limit            : 256

-> show mvrp [linkagg <agg_num [-agg_num2]> | port <slot/port [– port2]>] statistics
-> mvrp [linkagg <agg_num [-agg_num2]> | port <slot/port [– port2]>] clear-statistics

-> show mvrp port 1/15 statistics
Port 1/15:
New Received : 0,
Join In Received : 0,
Join Empty Received : 0,
Leave Received : 0,
In Received : 0,
Empty Received : 0,
Leave All Received : 0,
New Transmitted : 0,
Join In Transmitted : 0,
Join Empty Transmitted : 0,
Leave Transmitted : 0,
In Transmitted : 0,
Empty Transmitted : 0,
LeaveAll Transmitted : 0,
Failed Registrations : 0,
Total Mrp PDU Received : 0,
Total Mrp PDU Transmitted : 0,
Total Mrp Msgs Received : 0,
Total Mrp Msgs Transmitted : 0,
Invalid Msgs Received : 0
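The statistics above count the MRP attribute events (New, Join In, In, Join Empty, Empty, Leave) that MVRP packs into its PDUs. The following Python example, added here and not taken from the course or from AOS, encodes and decodes one MVRP VectorAttribute using the IEEE 802.1ak packing (a starting VLAN ID followed by events packed three per octet), which is what lets a single PDU describe the state of all 4094 VLANs; the VLAN ranges and events are constructed.

```python
"""Added example (not course or AOS code): packing MVRP attribute events into
one VectorAttribute per IEEE 802.1ak (FirstValue = starting VLAN ID, events
packed three per octet as ((e1*6)+e2)*6+e3).  All data below is constructed."""
import struct
from typing import List

# AttributeEvent codes; the names match the "show mvrp ... statistics"
# counters (New, Join In, In, Join Empty, Empty, Leave).
EVENTS = {"New": 0, "JoinIn": 1, "In": 2, "JoinMt": 3, "Mt": 4, "Lv": 5}
EVENT_NAMES = {v: k for k, v in EVENTS.items()}

def encode_vector(first_vid: int, events: List[str], leave_all: bool = False) -> bytes:
    """VectorHeader = LeaveAllEvent (3 bits) | NumberOfValues (13 bits),
    then FirstValue (2 octets) and ceil(n/3) ThreePackedEvents octets."""
    n = len(events)
    if not 1 <= first_vid <= 4094 or first_vid + n - 1 > 4094:
        raise ValueError("VLAN IDs must stay within 1..4094")
    if n >= 1 << 13:
        raise ValueError("NumberOfValues is a 13-bit field")
    header = ((1 if leave_all else 0) << 13) | n
    out = bytearray(struct.pack("!HH", header, first_vid))
    codes = [EVENTS[e] for e in events] + [0] * (-n % 3)   # pad to a multiple of 3
    for i in range(0, len(codes), 3):
        e1, e2, e3 = codes[i:i + 3]
        out.append(((e1 * 6) + e2) * 6 + e3)
    return bytes(out)

def decode_vector(data: bytes) -> dict:
    """Inverse of encode_vector; rejects octets that cannot be a valid packing."""
    if len(data) < 4:
        raise ValueError("vector too short")
    header, first_vid = struct.unpack("!HH", data[:4])
    n = header & 0x1FFF
    packed = data[4:4 + (n + 2) // 3]
    if len(packed) * 3 < n:
        raise ValueError("truncated ThreePackedEvents")
    codes = []
    for octet in packed:
        if octet > 215:               # 6**3 - 1 is the largest legal value
            raise ValueError("invalid ThreePackedEvents octet")
        codes += [octet // 36, (octet // 6) % 6, octet % 6]
    return {"leave_all": (header >> 13) == 1, "first_vid": first_vid,
            "events": {first_vid + i: EVENT_NAMES[c] for i, c in enumerate(codes[:n])}}

def demo():
    """VLANs 10 and 11 being joined, 12 registered empty, 13 being left."""
    vec = encode_vector(10, ["JoinIn", "JoinIn", "Mt", "Lv"])
    # One vector covering every VLAN: 4 header octets + 1365 packed octets,
    # which is why a single PDU can carry the state of all 4094 VLANs.
    whole_state = encode_vector(1, ["In"] * 4094)
    return vec, decode_vector(vec), len(whole_state)

if __name__ == "__main__":
    vec, decoded, size = demo()
    print(vec.hex(), decoded["events"], size)
```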
VLANS

Contents
1 OBJECTIVE...................................................................................... 2
2 VLANs ........................................................................................... 2
3 Equipment/Software Required .............................................................. 2
4 Related Commands............................................................................ 2
5 Supported Platforms .......................................................................... 2
6 Lab Steps ....................................................................................... 2
6.1. Creating Additional VLANs ........................................................................... 6
6.2. Mobility .................................................................................................. 8
7 Summary ...................................................................................... 10
8 Lab Check .................................................................................... 10
2
VLANs

1 OBJECTIVE
This lab is designed to familiarize you with VLANs on an OmniSwitch.

2 VLANs
VLANs provide the ability to segregate a network into multiple broadcast domains. This can be done
statically or dynamically by creating policies. Additionally, Virtual Router ports can be assigned to VLANs
to allow traffic to be switched at Layer 3.

3 Equipment/Software Required
One OmniSwitch (Any Model)
2 or more PCs.

4 Related Commands
vlan, show vlan, show vlan [vid], ip interface,
show vlan [vid] ports, vlan [vid] ip, vlan [vid] mac

5 Supported Platforms
All

6 Lab Steps

Before continuing, remove the existing configuration from the WORKING directory and reboot, or in the remote
lab, use the reset script.
Type the following:

-> rm /flash/working/boot.cfg
-> reload working no rollback-timeout
In its default configuration, the switch has only one VLAN, VLAN 1. This is the default VLAN and all ports are
initially associated with it. This VLAN CANNOT be deleted, but it can be disabled if so desired.
Let’s run the command to see the VLANs that exist on the switch as well as information on a single VLAN.
Type the following:

-> show vlan


            stree                        mble  src
 vlan  type  admin  oper   1x1    flat   auth  ip   tag   lrn   name
-----+-----+------+------+------+------+----+-----+-----+------+----------
 1     std   on     off    on     on     off  on   off   on    VLAN 1

Reference the User Guides for details on each column:

vlan – The VLAN ID number
type - The type of VLAN (std, vstk, gvrp or ipmv)
admin – Administrative status
oper – Operational Status (Any active ports associated with the VLAN)
1X1 – 1X1 Spanning Tree Status – (on/off)
flat – Flat Spanning Tree Status – (Is 802.1s Enabled)
auth – Authenticated VLAN status
ip – IP status (Has an IP address been associated with the VLAN)
ipx – IPX status (Has an IPX address been associated with the VLAN)
mble tag – mobility tag (on/off)
name – VLAN name

To display information on a specific VLAN:

-> show vlan 1


Name : VLAN 1,
Administrative State: enabled,
Operational State : disabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : off,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled
Router Vlan : no
Notice the VLAN's Administrative State is enabled, however its Operational State is disabled. Without members
the VLAN will be operationally down.
You can also list the ports and their associated VLAN assignments (notice we have no active ports to
Operationally enable the VLAN):

-> show vlan port (or 'show vlan 1 port' to display just vlan 1 ports)
vlan port type status
------+-------+---------+-------------
1 1/1 default inactive
1 1/2 default inactive
1 1/3 default inactive
1 1/4 default inactive
1 1/5 default inactive
1 1/6 default inactive
1 1/7 default inactive
1 1/8 default inactive
1 1/9 default inactive
1 1/10 default inactive
1 1/11 default inactive
1 1/12 default inactive
1 1/13 default inactive
1 1/14 default inactive
1 1/15 default inactive
1 1/16 default inactive
1 1/17 default inactive
1 1/18 default inactive
1 1/19 default inactive
1 1/20 default inactive
1 1/21 default inactive
1 1/23 default inactive
1 1/24 default inactive

To display the VLAN assignment on a specific port (or ports):

-> show vlan port 1/1


vlan type status
--------+---------+--------------
1 default inactive
In order to have IP connectivity to a VLAN interface (not required for connectivity to other clients/servers within
a VLAN), an IP address must be assigned to a Virtual Router port and associated to that VLAN. This IP address can
then be used for IP connectivity as well as Layer 3 switching. In order to do this, we first create the IP address
and then associate it to a VLAN.
Type the following (int_1 is the VLAN alias, 192.168.10.X is the IP interface address, replace X with your switch
number - the example below is for switch 3):

-> ip interface int_1 address 192.168.10.3/24


-> show ip interface
Total 3 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
dhcp-client 0.0.0.0 0.0.0.0 DOWN NO vlan 1
int_1 192.168.10.3 255.255.255.0 DOWN NO unbound

Notice we did not associate a VLAN with the interface yet; this is indicated by the 'unbound' status in the Device
column. To bind a VLAN:

-> ip interface int_1 vlan 1

Note: The last two commands could have been consolidated as one command:

-> ip interface int_1 address 192.168.10.3/24 vlan 1


-> show ip interface
Total 3 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
dhcp-client 0.0.0.0 0.0.0.0 DOWN NO vlan 1
int_1 192.168.10.3 255.255.255.0 DOWN NO vlan 1

Take note of the Status field. If it reads DOWN, this indicates no active ports or devices have been associated
with the VLAN that the Virtual Router has been assigned to. If a Virtual Router interface is down, it cannot be
connected to, will not reply to PING requests nor will it be advertised in any router updates. This will not affect
the Layer 2 broadcast domain, however.
Let’s activate a port in VLAN 1 to change the status to UP.
Perform the following:
Connect PC1 to an Ethernet port on the switch. (remember, all ports by default are members of VLAN
1 so any port can be used)
In the remote lab, activate the associated interface:
-> interfaces 1/1 admin up
Now, type:

-> show vlan 1 port


port type status
---------+---------+--------------
1/1 default forwarding
1/2 default inactive
1/3 default inactive
1/4 default inactive
1/5 default inactive
1/6 default inactive
1/7 default inactive
1/8 default inactive
1/9 default inactive
1/10 default inactive
1/11 default inactive
1/12 default inactive
1/13 default inactive
1/14 default inactive

Since all ports currently belong to VLAN 1, this will now cause VLAN 1 to become active. Run the command to
check the status of the IP interface to see this.
Type the following:

-> show ip interface


Total 3 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
dhcp-client 0.0.0.0 0.0.0.0 DOWN NO vlan 1
int_1 192.168.10.3 255.255.255.0 UP YES vlan 1

Now that the VLAN has an active port, let’s modify the IP information of PC1 and PING the router interface
associated with VLAN 1. Perform the following:
Modify the IP information of client 3:

PC1 - IP Address - 192.168.10.103


PC1 - Mask – 255.255.255.0
PC1 - Default Gateway – 192.168.10.3 (The IP address of VLAN 1 virtual router).
Ping the switch’s VLAN 1 Virtual Router IP address. You should now have IP connectivity.
6.1. Creating Additional VLANs


Currently there is only one VLAN created on the switch. The following steps will provide information on creating
a second VLAN, enabling IP on the VLAN, moving ports into the VLAN, and forwarding IP packets between VLANs.

To begin, let’s create a new VLAN and assign an IP address to that VLAN as done previously:

-> vlan 20
-> ip interface int_20 address 192.168.20.3/24
-> ip interface int_20 vlan 20

How would you enter the last two commands as one command?
 ________________________________________________________________________
Let's look at what we have configured so far:

-> show ip interface


Total 4 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
dhcp-client 0.0.0.0 0.0.0.0 DOWN NO vlan 1
int_1 192.168.10.3 255.255.255.0 UP YES vlan 1
int_20 192.168.20.3 255.255.255.0 DOWN NO vlan 20

-> show vlan


stree mble src
vlan type admin oper 1x1 flat auth ip ipx tag lrn name
-----+------+------+------+------+------+----+-----+-----+-----+-----+----------
1 std on on on on off on NA off on VLAN 1
20 std on off on on off on NA off on VLAN 20

Now let’s assign a port to VLAN 20, connect client 7 to that port, and modify its IP addressing to allow
communication to the Virtual Router interface. Remember from earlier that all ports belong to VLAN 1 by
default, so we must move a port into VLAN 20.

Type/Perform the following:

-> vlan 20 port default 1/2 (1/2 = slot/port the PC is connected to)
-> interfaces 1/2 admin up

Make sure you have connected PC2 to the slot and port above. Modify the IP information of PC2 to match the
following:

PC2 - IP Address – 192.168.20.107


PC2 - Mask – 255.255.255.0
PC2 - Default Gateway – 192.168.20.3 (The IP address of VLAN 20 Virtual Router for your station)
Review what you’ve done:

-> show vlan 20 port


port type status
---------+---------+--------------
1/2 default forwarding

-> show vlan 1 port


port type status
---------+---------+--------------
1/1 default forwarding

-> show ip interface


Total 4 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
dhcp-client 0.0.0.0 0.0.0.0 DOWN NO vlan 1
int_1 192.168.10.3 255.255.255.0 UP YES vlan 1
int_20 192.168.20.3 255.255.255.0 UP NO vlan 20

-> show vlan


stree mble src
vlan type admin oper 1x1 flat auth ip ipx tag lrn name
-----+------+------+------+------+------+----+-----+-----+-----+-----+----------
1 std on on on on off on NA off on VLAN 1
20 std on off on on off on NA off on VLAN 20

The following diagram represents the current configuration. By default the switch will route the packets
between VLAN 1 and VLAN 20 using the Virtual IP interfaces you created.

Perform the following to test connectivity:

From client 7 ping the Virtual Router port for VLAN 20. (For example, ping 192.168.20.1)
This should be successful since they are in the same IP subnet range.

From client 7 ping the virtual router port for VLAN 1. (For example, ping 192.168.10.1)
This should be successful since you’ve set the Default Gateway of PC2 to the virtual router interface of VLAN 20.
The switch will route the packets to interface int_1.

From client 7 ping client 3. (For example, ping 192.168.10.103)


This should be successful since you’ve set the Default Gateway to the Virtual Router interface of VLAN 20. The
switch will route the request packet to VLAN 1 in one direction, then route the echo back to VLAN 20.

Perform the same steps from client 3 – that is 1) ping the virtual router for VLAN 1, 2) ping the virtual router for
VLAN 20, and 3) ping client 7.
You should receive successful responses to all the above PINGs. If the PINGs are not successful, check your IP
addressing (and Gateway) on both the PC and the switch as well as checking the VLAN associations using the
following commands. Again, you may type:
-> show vlan


-> show vlan 1
-> show vlan 1 port
-> show vlan 20
-> show vlan 20 port
-> show ip interface

6.2. Mobility
We just saw how ports can be statically associated with VLANs. In this section, we will configure mobility to
dynamically associate MACs based on the traffic they are receiving.
Let’s begin by moving the port PC2 is connected to back to the default VLAN 1.
Type the following:

-> vlan 1 port default 1/2 (or the port you configured earlier)

-> show vlan 1 port


port type status
---------+---------+--------------
1/1 default forwarding
1/2 default forwarding
1/3 default inactive
1/4 default inactive
1/5 default inactive
1/6 default inactive
1/7 default inactive
1/8 default inactive
1/9 default inactive
1/10 default inactive
1/11 default inactive
1/12 default inactive
1/13 default inactive
1/14 default inactive

-> show vlan 20 port


port type status
---------+---------+--------------

-> show vlan port 1/2


vlan type status
--------+---------+--------------
1 default forwarding

You should now see that the port PC2 is connected to has been moved back to VLAN 1.
You should no longer be able to ping the router interface from PC2 since the PC is now in VLAN 1 and you have
an IP address that belongs to the VLAN 20 interface (int_20).
In order to have ports dynamically move from one VLAN to another, two things must occur: 1) the port has to be
configured as mobile, and 2) the traffic being sent has to match a rule. Making a port mobile gives it the
ability to dynamically move a client or MAC from one VLAN to another based on the traffic it is receiving.
Type the following:

-> vlan port mobile 1/2

-> show vlan port mobile 1/2


Mobility : on,
Config Default Vlan: 1,
Default Vlan Enabled: on,
Default Vlan Restore: on,
Authentication : off,
Ignore BPDUs : off
Ingress Filtering : off

Now that the port has been configured as a mobile port, we need to create a rule that client 7 will match. Rules
get applied to VLANs and devices (MACs) join that VLAN when they match a rule.
Type the following:

-> show vlan rules

Legend: type: * = binding rule

type vlan rule


-----------------+------+-------------------------------------------------------
You’ll see that currently no rules have been created. Let’s create a rule that client 7 will match.
Type the following:

-> vlan 20 ip 192.168.20.0 255.255.255.0


An IP Address rule has now been created. This rule states that a device sending traffic with a source IP address
in the 192.168.20.0/24 subnet will become a member of VLAN 20.

-> show vlan rules

Legend: type: * = binding rule

type vlan rule


-----------------+------+-------------------------------------------------------
ip-net 20 192.168.20.0, 255.255.255.0
Let’s check the VLAN association for PC2.

-> show vlan 20 port


port type status
---------+---------+--------------
The port client 7 is connected to should not be a member yet. This is because no traffic has been sent to
dynamically move the port. Now, generate traffic that matches the rule just created.

Perform the following:

From client 7, ping the Virtual Router IP address associated with VLAN 20.
You should see successful responses since the PC was dynamically moved to VLAN 20. It was dynamically moved
because it is sending traffic with a source address of 192.168.20.0/24, which matches the rule for VLAN 20.
Type the following:
-> show vlan 20 port
port type status
---------+---------+--------------
1/2 mobile forwarding

-> show mac-address-table


Legend: Mac Address: * = address not valid

Domain Vlan/SrvcId Mac Address Type Protocol Operation Interface


--------+--------------+---------------------+----------------+------------+--------------+---------
VLAN 1 e8:03:9a:29:25:80 learned 806 bridging 1/2
VLAN 20 e8:03:9a:29:25:80 learned 806 bridging 1/2

Total number of Valid MAC addresses above = 2

->
The above commands will show you that the port was successfully associated with VLAN 20 as well as client 7’s
MAC address being learned on VLAN 20.
Why is the MAC of your PC in both VLANs? _____________________________________.
Your PC's MAC was in both VLANs because it was initially source-learned on VLAN 1. After 300 seconds (the default
aging time) the MAC is aged out of VLAN 1 and remains only in VLAN 20.
An IP network address rule is only one method of dynamically moving devices. Experiment with the following
commands to create a MAC address rule as well as an IP protocol rule.

-> vlan 30
-> ip interface int_30 address 192.168.30.3/24 vlan 30
-> vlan 30 mac <client 7's mac address>
-> vlan 40
-> ip interface int_40 address 192.168.40.3/24 vlan 40
-> vlan 40 protocol ip-e2
By plugging your PCs (client 3, client 7) into mobile ports, you can determine the precedence for IP, MAC, and
protocol rules. What have you discovered?
1. _______________________________________________________________________
2. _______________________________________________________________________
3. _______________________________________________________________________
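To make the rule matching and the MAC-table behaviour concrete, here is an added Python model (not part of the course or of the OmniSwitch software) that applies the VLAN 20/30/40 rules above to frames arriving on a mobile port and replays the "MAC in both VLANs" situation with the 300-second aging timer. It assumes a rule precedence of MAC, then IP network, then protocol, and models the ip-e2 rule as IPv4 in an Ethernet II frame; verify both on the switch as the lab asks.

```python
"""Added example (not from the course): a small model of AOS mobile-port VLAN
rule matching, using the rules this lab creates (IP network rule on VLAN 20,
MAC rule on VLAN 30, protocol rule on VLAN 40), plus the source-learning and
aging behaviour behind the "why is the MAC in both VLANs?" question."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# ASSUMPTION: precedence used by this model when a frame matches more than
# one rule (MAC first, then IP network, then protocol). Confirm it on the
# switch as the lab asks; only the order here is assumed.
PRECEDENCE = ("mac", "ip-net", "protocol")


@dataclass(frozen=True)
class Rule:
    kind: str                 # "mac", "ip-net" or "protocol"
    vlan: int
    value: object             # MAC string, IPv4Network or protocol keyword


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: int            # 0x0800 = IPv4 over Ethernet II
    src_ip: Optional[IPv4Address] = None


def rule_matches(rule: Rule, frame: Frame) -> bool:
    if rule.kind == "mac":
        return frame.src_mac.lower() == str(rule.value).lower()
    if rule.kind == "ip-net":
        return frame.src_ip is not None and frame.src_ip in rule.value
    if rule.kind == "protocol":
        # ASSUMPTION: "ip-e2" (the lab's protocol rule) is modelled as IPv4
        # carried in an Ethernet II frame; other keywords are not modelled.
        return rule.value == "ip-e2" and frame.ethertype == 0x0800
    raise ValueError(f"unknown rule kind {rule.kind}")


def classify(frame: Frame, rules: list, default_vlan: int = 1) -> int:
    """VLAN a frame arriving on a mobile port is placed in: the VLAN of the
    highest-precedence matching rule, else the port's default VLAN."""
    hits = [r for r in rules if rule_matches(r, frame)]
    if not hits:
        return default_vlan
    return min(hits, key=lambda r: PRECEDENCE.index(r.kind)).vlan


class MacTable:
    """Source-learned (vlan, mac) -> (port, last_seen) entries, aged out
    after `aging` seconds like the switch's default 300 s timer."""

    def __init__(self, aging: int = 300):
        self.aging = aging
        self._entries = {}

    def learn(self, vlan: int, mac: str, port: str, now: float) -> None:
        self._entries[(vlan, mac.lower())] = (port, now)

    def entries(self, now: float) -> list:
        """Entries still valid at time `now`, as sorted (vlan, mac, port)."""
        live = [(v, m, p) for (v, m), (p, seen) in self._entries.items()
                if now - seen < self.aging]
        return sorted(live)


# Rules as the lab creates them; client 7's MAC is the one shown in the
# mac-address-table output above.
CLIENT7_MAC = "e8:03:9a:29:25:80"
LAB_RULES = [
    Rule("ip-net", 20, IPv4Network("192.168.20.0/24")),
    Rule("mac", 30, CLIENT7_MAC),
    Rule("protocol", 40, "ip-e2"),
]


def lab_walkthrough() -> dict:
    """Replays the lab: client 7 on mobile port 1/2 is first learned in VLAN 1,
    then pings from 192.168.20.x once the IP network rule exists."""
    table = MacTable()
    table.learn(1, CLIENT7_MAC, "1/2", now=0)          # learned in VLAN 1 first
    ping = Frame(CLIENT7_MAC, 0x0800, IPv4Address("192.168.20.7"))
    vlan = classify(ping, [LAB_RULES[0]])              # only the IP rule exists
    table.learn(vlan, CLIENT7_MAC, "1/2", now=10)      # now also learned in 20
    return {
        "vlan_with_ip_rule": vlan,                     # 20
        "entries_at_10s": table.entries(now=10),       # MAC in VLAN 1 and 20
        "entries_at_305s": table.entries(now=305),     # VLAN 1 entry aged out
        "vlan_with_all_rules": classify(ping, LAB_RULES),   # MAC rule wins: 30
        "vlan_other_host": classify(                   # only protocol rule: 40
            Frame("00:11:22:33:44:55", 0x0800, IPv4Address("10.0.0.5")),
            LAB_RULES),
    }
```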

7 Summary
VLANs are an important concept to understand when configuring an OmniSwitch. They provide the ability
to segregate the network into multiple broadcast domains. This can be done either statically or
dynamically. Also, in order for devices in different VLANs to communicate, their traffic must be routed. A virtual
router interface can be associated with each VLAN to allow for the routing of traffic.

8 Lab Check
- What is the purpose of a VLAN?
________________________________________________________________________
- In this lab, name two methods that were used to associate a port with a VLAN?

1)

2)
- What type of rule(s) were used to dynamically move a port into a VLAN?

________________________________________________________________________
- Is it necessary to have a routing protocol configured in order to route between VLANs on the same switch?
____________________________________________________________ (yes or no – why?)
- In order for a VLAN to route traffic, what must be created on the switch?
________________________________________________________________________
- Which VLAN does a port belong to by default?
VLAN ______________________________________________________________________
- What is the command to move a port into a different default VLAN?
________________________________________________________________________
- What are two commands to check which VLAN a port is associated with?
________________________________________________________________________
VLANS and 802.1Q Tagging

Contents
1 Objective .......................................................................................2
2 802.1Q ..........................................................................................2
3 EQUIPMENT/SOFTWARE REQUIRED ..........................................................2
4 Related Commands ............................................................................2
5 Supported Platforms ..........................................................................2
6 Clear Configuration and Reset VLAN 1 IP interface ......................................2
7 Lab Steps .......................................................................................3
7.1. Additional VLAN Creation ............................................................................ 3
7.2. Configure 802.1Q ...................................................................................... 4
8 Summary ........................................................................................4
9 Lab Check ......................................................................................5

1 Objective
This lab is designed to familiarize you with IEEE 802.1Q. Two OmniSwitches must be used to understand
these concepts; any combination of switches will work.
THIS MEANS YOU MAY NEED TO BE WORKING COOPERATIVELY WITH ANOTHER TEAM! PLAN
ACCORDINGLY!!!

2 802.1Q
In a Layer 2 environment, the port's default VLAN is used for bridging traffic across a physical connection
between switches. In an IEEE 802.1Q environment, the port's default VLAN is still bridged untagged, while all
other VLANs have the IEEE 802.1Q tag inserted so that the remote side associates each frame with the proper VLAN.

3 EQUIPMENT/SOFTWARE REQUIRED
Two OmniSwitches of any type (OS9xxx, OS685x, OS6450 or OS6250)
Two PCs

4 Related Commands
vlan <vid> 802.1q slot/port, vlan <vid> no 802.1q,
show 802.1q slot/port

5 Supported Platforms
All

6 Clear Configuration and Reset VLAN 1 IP interface


Before you begin this exercise, remove boot.cfg in the Working directory on all switches and reboot so
that previous labs do not affect the outcome (for remote-lab, reset the pod):
-> rm /flash/working/boot.cfg (R6 & R7)
-> reload working no rollback-timeout (R6)
-> reload from working no rollback-timeout (R7)
On each switch create a Virtual Router interface for VLAN 1 with an IP address in 192.168.10.X/24
subnet, where X represents the number of the switch you are on.
Type:
-> ip interface "int_1" address 192.168.10.x/24 vlan 1 (R6 & R7)
Connect one PC to a VLAN 1 port on each switch; in a default configuration such as this, all ports are
members of VLAN 1. Don't forget to configure your PCs for the VLAN 1 subnet, i.e. assign them IP
addresses in subnet 192.168.10.0/24. Interconnect your switches using port 3. Don't forget to activate
the port on the remote lab:
-> interfaces 1/x admin up (R6)
-> interfaces 1/x admin-state enable (R7)

7 Lab Steps
Bridged VLAN Physical Connections

In order to see the IP addresses on your switches, type:


-> show ip interface
Total 3 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
dhcp-client 0.0.0.0 0.0.0.0 DOWN NO vlan 1
int_1 192.168.10.3 255.255.255.0 UP YES vlan 1
Ensure both PCs can ping their respective router interfaces. Ensure you have a physical connection
between the two switches and that both PCs can ping both routers and each other.
Show the MAC address table to view the MACs we have learned and the ports they were learned on:
-> show mac-learning (R7)
-> show mac-address-table (R6)
Legend: Mac Address: * = address not valid
Domain Vlan/SrvcId Mac Address Type Protocol Operation Interface
--------+--------------+---------------------+----------------+------------+--------------+----------
VLAN 1 00:0f:1f:a8:7b:80 learned --- bridging 1/3
VLAN 1 00:0b:db:a7:4d:c4 learned --- bridging 1/24
VLAN 1 00:d0:95:e4:2b:48 learned --- bridging 1/24
VLAN 1 00:d0:95:e4:2b:60 learned --- bridging 1/24
Total number of Valid MAC addresses above = 4

7.1. Additional VLAN Creation


You should have connectivity to your neighbor using VLAN 1. This is the bridged VLAN. Now, create two
additional VLANs on each switch. These VLANs will be tagged across the same physical link using 802.1Q
tagging. Type the following on each switch: (replace ‘X’ with your switch number)
-> vlan 11-12
-> ip interface int_11 address 192.168.11.X/24 vlan 11
-> ip interface int_12 address 192.168.12.X/24 vlan 12
switch1-> show ip interface
Total 5 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
dhcp-client 0.0.0.0 0.0.0.0 DOWN NO vlan 1
int_1 192.168.10.1 255.255.255.0 UP YES vlan 1
int_11 192.168.11.1 255.255.255.0 DOWN NO vlan 11
int_12 192.168.12.1 255.255.255.0 DOWN NO vlan 12
Why are the two new IP interfaces down? ____________________

7.2. Configure 802.1Q


Our VLAN 11 and 12 IP interfaces are currently down because the two VLANs have no members.
Remember, if a VLAN has no members, its IP interface is not only down but also will not be
advertised to the Layer 3 autonomous system.
Normally, to have Layer 2 connectivity between the two switches for all three VLANs, three physical
links would be required. However, we will configure 802.1Q tagging to carry data from all three VLANs
over one physical link.
Type the following: (assuming slot 1 port 3 is the connection to your neighbor)
-> vlan 11-12 802.1q 1/3 (R6)
-> vlan 11-12 member port 1/3 tagged (R7)
-> show vlan 11 port (R6)
-> show vlan 11 members (R7)
port type status
---------+---------+--------------
1/3 qtagged forwarding
-> show vlan 12 port (R6)
-> show vlan 12 members (R7)
port type status
---------+---------+--------------
1/3 qtagged forwarding
-> show vlan port 1/3 (R6)
-> show vlan members port 1/3
vlan type status
--------+---------+--------------
1 default forwarding
11 qtagged forwarding
12 qtagged forwarding
-> show 802.1q 1/3 (R6)
Acceptable Frame Type : Any Frame Type
Force Tag Internal : NA
Tagged VLANS Internal Description
-------------+------------------------------------------+
11 TAG PORT 1/3 VLAN 11
12 TAG PORT 1/3 VLAN 12
There’s no equivalent command in release 7. You should see that slot 1 port 3 is carrying tagged
information for VLANs 11 and 12 and bridging VLAN 1. Remember, a physical port MUST always have at
least one VLAN (the default for the port) bridging.
Ping your neighbor’s router interface for VLANs 11 and 12.
Experiment with what happens when you change your PC's IP address, move it to VLAN 11 or 12 and
ping all IP interfaces. To accomplish this on your switch, remember to move the port your PC is
connected to into the appropriate VLAN:
-> vlan 11 port default 1/1 (port PC is connected to)
Besides pinging and using tracert on your PC, you can also use the following commands on the switch to
verify operation:
-> show vlan port (R6)
-> show vlan members (R7)
-> show ip interface
You should now be able to ping any address in our example network because each switch is tagging the
data over the link between the two switches; allowing each packet to be sent over the same physical
link, while remaining in the correct VLAN as it is forwarded to the remote switch. How is your PC
communicating? Are packets being bridged? Routed? Both? How do you know?

8 Summary
This lab introduced you to the 802.1Q feature of an OmniSwitch. 802.1Q can be used to carry multiple
broadcast domains, or VLANs, over the same physical link. This is accomplished by adding new
information to the packet known as a VLAN tag. This tag determines which VLAN the packet belongs to.
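As an added illustration (not part of the course material or of the switch software), the following Python builds and parses frames with and without the 802.1Q tag the lab configures on port 1/3, and models how the receiving port associates each frame with a VLAN. The MAC addresses reuse values from this lab's mac-address-table output; the acceptance rule for tagged frames is a simplified model of the port configuration, not the switch's full 802.1Q behaviour.

```python
"""Added example, not from the course: what 802.1Q tagging on the inter-switch
link of this lab puts on the wire, and how the receiving port classifies it."""
import struct
from typing import Optional

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Untagged Ethernet II frame, or 802.1Q-tagged when `vlan` is given.
    The 4-byte tag (TPID + TCI) is inserted between the source MAC and the
    original EtherType: this is the "new information added to the packet"
    the lab summary refers to."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (pcp << 13) | vlan          # PCP (3 bits), DEI (1 bit, 0), VID (12 bits)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src, the optional VLAN tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {"dst": fmt_mac(dst), "src": fmt_mac(src), "vlan": vlan,
            "pcp": pcp, "ethertype": etype, "payload": frame[offset:]}


def ingress_vlan(frame: bytes, default_vlan: int, qtagged: set) -> Optional[int]:
    """Simplified model of the receiving port (port 1/3 in this lab: default
    VLAN 1, VLANs 11 and 12 qtagged). An untagged frame belongs to the port's
    default VLAN; a tagged frame is accepted only for a VID configured as
    802.1Q on the port, otherwise it is dropped (None)."""
    vid = parse_frame(frame)["vlan"]
    if vid is None:
        return default_vlan
    return vid if vid in qtagged else None


# Constructed sample traffic between the two lab switches; the MACs are taken
# from the mac-address-table output shown earlier in this lab.
SWITCH1_MAC = "00:0f:1f:a8:7b:80"
PC_MAC = "00:0b:db:a7:4d:c4"
IPV4_STUB = b"\x45" + b"\x00" * 19      # placeholder IPv4 header bytes


def lab_link_walkthrough() -> dict:
    """Frames as they would cross port 1/3 after `vlan 11-12 802.1q 1/3`."""
    untagged = build_frame(PC_MAC, SWITCH1_MAC, 0x0800, IPV4_STUB)
    tagged11 = build_frame(PC_MAC, SWITCH1_MAC, 0x0800, IPV4_STUB, vlan=11)
    tagged12 = build_frame(PC_MAC, SWITCH1_MAC, 0x0806, b"\x00" * 28, vlan=12, pcp=3)
    tagged20 = build_frame(PC_MAC, SWITCH1_MAC, 0x0800, IPV4_STUB, vlan=20)
    default_vlan, qtagged = 1, {11, 12}
    return {
        "tag_overhead": len(tagged11) - len(untagged),       # 4 bytes
        "tci_hex": tagged12[14:16].hex(),                   # "600c": pcp 3, vid 12
        "vlans": [ingress_vlan(f, default_vlan, qtagged)     # [1, 11, 12, None]
                  for f in (untagged, tagged11, tagged12, tagged20)],
    }
```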

9 Lab Check
1. What is the purpose for configuring 802.1Q?
....................................................................................................................
....................................................................................................................

2. Was it necessary to configure 802.1Q for VLAN 1? Why or Why Not?


....................................................................................................................
....................................................................................................................

3. Did you have to move a port into VLANs 11 or 12 before you could ping either interface? Why or Why
Not?
....................................................................................................................
....................................................................................................................

4. Give an example of when basic bridging is occurring in this lab exercise.


....................................................................................................................
....................................................................................................................

5. Give an example of when 802.1Q tagging is occurring in this lab exercise.


....................................................................................................................
....................................................................................................................

6. Give an example of when routing is occurring in this lab exercise.


....................................................................................................................
....................................................................................................................
ALCATEL-LUCENT OMNISWITCH ACCESS
SWITCHING – CONFIGURATION AND MANAGEMENT

Multiple VLAN Registration Protocol

How to
 This lab is designed to familiarize you with the MVRP feature and learn
how to configure it through the CLI.

Contents
1 Enabling MVRP ................................................................................. 2
2 Configuring the Maximum Number of VLANs .............................................. 3

1 Enabling MVRP
MVRP is used primarily to prune unnecessary broadcast and unknown unicast traffic, and to dynamically create
and manage VLANs.
MVRP has to be globally enabled on a switch before it can start forwarding MVRP frames.
In order to enable MVRP, the switch must be in spanning-tree flat mode.
- On 6850E-A or B enter the following commands:
6850E-A/B -> mvrp enable
ERROR: STP Mode is 1X1

6850E-A/B -> show mvrp ?


TIMER STATISTICS PORT LINKAGG CONFIGURATION

6850E-A/B -> show mvrp configuration


MVRP Enabled : no,
Transparent Switching Enabled : no,
Maximum VLAN Limit : 256

- Now enable the flat mode and then MVRP:


6850E-A/B -> bridge mode flat
6850E-A/B -> mvrp enable
6850E-A/B -> show mvrp configuration
MVRP Enabled : yes,
Transparent Switching Enabled : no,
Maximum VLAN Limit : 256

- On 6900-A or B enable MVRP :


6900-A/B -> mvrp enable

MVRP can be enabled on ports regardless of whether it is globally enabled or not. However, for
the port to become an active participant, MVRP must be globally enabled on the switch. By
default, MVRP is disabled on the ports. To enable MVRP on a specified port, use the mvrp port
command.

- Enable MVRP on trunk ports of both switches :


- On 6850E-A or B enter the following commands:
6850E-A/B -> mvrp port 1/3 enable
6850E-A/B -> interfaces 1/3 admin up

- On 6900-A or B enter the following commands:


6900-A/B -> mvrp port 1/3 enable
6900-A/B -> interfaces 1/3 admin-state enable

Notes: MVRP can be configured only on fixed, 802.1Q and aggregate ports. It cannot be configured on
mirror ports, individual ports that are members of an aggregate, mobile ports, VPLS Access ports, or
VLAN Stacking User ports.

2 Configuring the Maximum Number of VLANs


A switch can create dynamic VLANs using MVRP. By default, the maximum number of dynamic VLANs that
can be created using MVRP is 256. If the VLAN limit to be set is less than the current number of dynamically
learned VLANs, then the new configuration will take effect only after the MVRP is disabled and enabled
again on the switch. If this operation is not done, the VLANs learned earlier are maintained.
- To modify the maximum number of dynamic VLANs the switch is allowed to create, use the mvrp
maximum vlan command as shown:
- On 6850E-A or B enter the following commands:
6850E-A/B -> mvrp maximum vlan 150

- On 6900-A or B enter the following commands:


6900-A/B -> mvrp maximum-vlan 150

- Create some VLANs that the neighbor will learn dynamically through MVRP


- On 6850E-A or B only enter the following commands:
6850E-A/B -> vlan 777
6850E-A/B -> vlan 777 802.1q 1/3
6850E-A/B -> vlan 555
6850E-A/B -> vlan 555 802.1q 1/3

- Now on switch 1 or 2 (6900), let's look at the MVRP statistics:


6900-A/B -> show mvrp port 1/3 statistics
Port 1/3:
New Received : 4,
Join In Received : 0,
Join Empty Received : 4,
Leave Received : 1,
In Received : 0,
Empty Received : 31888,
Leave All Received : 0,
New Transmitted : 0,
Join In Transmitted : 0,
Join Empty Transmitted : 20,
Leave Transmitted : 0,
In Transmitted : 0,
Empty Transmitted : 81880,
LeaveAll Transmitted : 1,
Failed Registrations : 9,
Total Mrp PDU Received : 9,
Total Mrp PDU Transmitted : 20,
Total Mrp Msgs Received : 25,
Total Mrp Msgs Transmitted : 120,
Invalid Msgs Received : 0

- Look at the port configuration:


6900-A/B -> show mvrp port 1/3 enable
Registrar Mode : normal,
Applicant Mode : active,
Join Timer (msec) : 600,
Leave Timer (msec) : 1800,
LeaveAll Timer (msec) : 30000,
Periodic Timer (sec) : 1,
Periodic Tx status : disabled

6900-A/B -> show mvrp port 1/3 last-pdu-origin


Port Last-PDU Origin
-------+--------------------
1/3 00:d0:95:fc:9f:51

- Notice that VLANs 555 and 777 have been automatically created:
6900-A/B -> show vlan
stree mble src
vlan type admin oper 1x1 flat auth ip ipx tag lrn name
-----+------+------+------+------+------+----+-----+-----+-----+-----+----------
1 std on on on on off on NA off on VLAN 1
555 mvrp on on off on off off NA off on VLAN 555
777 mvrp on off off on off off NA off on VLAN 777

- And that the port has been dynamically tagged:


6900-A/B -> show vlan port 1/3
vlan type status
--------+---------+--------------
1 default forwarding
555 dynamic forwarding
777 dynamic forwarding
Basic Maintenance and Diagnostics


Module Objectives
 You will:
 Learn how to use AOS OmniSwitch diagnostic tools
 Switch Logging
 Command Logging
 Port Mirroring
 Port Monitoring
 Health
 sFlow
[Slide graphic: AOS Operating System: High Availability, Extensive Manageability, Enhanced Security]
LOGGING
Switch Logging – Syslog output
 It is an event logging utility that is useful in maintaining and servicing the switch
 Switch events can be logged to
 Switch console
-> swlog output console
 Local text file
-> swlog output flash
 Default file size 128000 bytes – configurable
 Multiple remote devices (syslog)
-> swlog output socket ipaddr 168.23.9.100 (4 max)
 Syslog messages should use Loopback0 as source if configured
 Switch application severity levels can be defined
-> swlog appid system level warning
 Refer to user guide for all switch applications
Severity levels:
2 (Alarm - highest)
3 (Error)
4 (Alert)
5 (Warning)
6 (Info - default)
7 (Debug 1)
8 (Debug 2)
9 (Debug 3 – lowest)
Switch Logging - Example

-> show log swlog


Displaying file contents for '/flash/swlog1.log'
FILEID: fileName[/flash/swlog1.log], endPtr[60676], configSize[64000], mode[2]
Time Stamp Application Level Log Message
------------------------+--------------+-------+--------------------------------
MON MAR 08 14:42:40 2011 CSM-CHASSIS alert == CSM == loading openssh.lnk from /flash/working/Kbase.img
MON MAR 08 14:42:40 2011 CSM-CHASSIS alert == CSM == loading ssApp.lnk from /flash/working/Kbase.img
MON MAR 08 14:42:41 2011 CSM-CHASSIS alert == CSM == loading ftpSrv.lnk from /flash/working/Kbase.img
MON MAR 08 14:42:41 2011 CSM-CHASSIS alert == CSM == loading ntp.lnk from /flash/working/Kbase.img
MON MAR 08 14:42:41 2011 CSM-CHASSIS alert == CSM == loading lanpower.lnk from /flash/working/Kbase.img
MON MAR 08 14:42:41 2011 CSM-CHASSIS alert == CSM == loading telnetdaemon.lnk from /flash/working/Kbase.img
MON MAR 08 14:42:42 2011 CSM-CHASSIS alert == CSM == loading health_monitor.lnk from /flash/working/Kbase.img
MON MAR 08 14:42:42 2011 CSM-CHASSIS alert == CSM == loading rmon.lnk from /flash/working/Kbase.img
MON MAR 08 14:42:42 2011 CSM-CHASSIS alert == CSM == loading bfdcmm.lnk from /flash/working/Kbase.img

-> show swlog


Operational Status : On,
Log Device 1 : flash,
Log Device 2 : console,
Syslog FacilityID : local0(16),
Remote command-log : Enabled,
Console Display Level : info (6),
All Applications Trace Level : info (6)

-> swlog clear
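As an added example (not course material or switch code), this Python parses swlog records in the format shown above and applies the same per-application severity threshold that `swlog appid <app> level <level>` enforces, which is what you need when shipping these logs to an external syslog collector or SIEM. The CSM-CHASSIS lines in the sample are taken from the output above; the SYSTEM lines are constructed.

```python
"""Added example (not from the course): parse OmniSwitch swlog records and
apply the per-application severity filtering the switch itself performs."""
import re
from collections import Counter
from datetime import datetime

# Severity names and numbers from the switch logging slide (2 highest, 9 lowest)
LEVELS = {"alarm": 2, "error": 3, "alert": 4, "warning": 5, "info": 6,
          "debug1": 7, "debug2": 8, "debug3": 9}

# Record layout: "MON MAR 08 14:42:40 2011 CSM-CHASSIS alert == CSM == loading ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z]{3} [A-Z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<app>\S+)\s+(?P<level>[a-z0-9]+)\s+(?P<msg>.*)$")


def parse_swlog_line(line: str):
    """One record as a dict, or None for headers, separators and FILEID lines."""
    m = LINE_RE.match(line.rstrip())
    if not m or m["level"] not in LEVELS:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return {"time": ts, "app": m["app"], "level": m["level"],
            "severity": LEVELS[m["level"]], "message": m["msg"]}


def parse_swlog(text: str) -> list:
    return [e for e in (parse_swlog_line(l) for l in text.splitlines()) if e]


def passes_filter(entry: dict, app_levels: dict, default_level: str = "info") -> bool:
    """Emulates the per-application trace level: a record is emitted only when
    its severity number is <= the level configured for its application
    (e.g. `swlog appid system level warning` drops SYSTEM info and debug)."""
    threshold = LEVELS[app_levels.get(entry["app"], default_level)]
    return entry["severity"] <= threshold


def summarize(entries: list) -> Counter:
    """Count records per (application, level); handy for spotting noisy apps."""
    return Counter((e["app"], e["level"]) for e in entries)


# Constructed sample in the exact layout of `show log swlog`; the first two
# records are copied from the output above, the SYSTEM records are made up.
SAMPLE = """\
Displaying file contents for '/flash/swlog1.log'
FILEID: fileName[/flash/swlog1.log], endPtr[60676], configSize[64000], mode[2]
Time Stamp Application Level Log Message
------------------------+--------------+-------+--------------------------------
MON MAR 08 14:42:40 2011 CSM-CHASSIS alert == CSM == loading openssh.lnk from /flash/working/Kbase.img
MON MAR 08 14:42:41 2011 CSM-CHASSIS alert == CSM == loading ntp.lnk from /flash/working/Kbase.img
MON MAR 08 14:45:03 2011 SYSTEM info +++ constructed sample: Switch Logging Facility started by command
MON MAR 08 14:46:17 2011 SYSTEM warning +++ constructed sample: login failed for user admin from 128.251.19.240
MON MAR 08 14:46:20 2011 SYSTEM debug1 +++ constructed sample: debug trace
"""


def filtered_levels(text: str = SAMPLE, app_levels: dict = None) -> list:
    """Levels of the records that survive the configured thresholds."""
    app_levels = app_levels if app_levels is not None else {"SYSTEM": "warning"}
    return [e["level"] for e in parse_swlog(text) if passes_filter(e, app_levels)]
```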


Command Logging – Enabling
 Command Logging
 Logs commands and output
 Different from command history
 Displays additional information
 Creates command.log file in /flash directory
 Command results stored in command.log
 Deleting command.log deletes log history
 Cannot be deleted while command logging is enabled
 Stores 100 most recent commands
 Must be enabled
-> command-log enable/disable
-> swlog remote command-log enable/disable
Command Logging - Example

-> show command-log


Command : vlan 68 router ip 168.14.12.120
UserName : admin
Date : MON APR 28 01:42:24
Ip Addr : 128.251.19.240
Result : SUCCESS

Command : vlan 68 router ip 172.22.2.13


UserName : admin
Date : MON APR 28 01:41:51
Ip Addr : 128.251.19.240
Result : ERROR: Ip Address must not belong to IP VLAN 67 subnet

Command : command-log enable


UserName : admin
Date : MON APR 28 01:40:55
Ip Addr : 128.251.19.240
Result : SUCCESS

Command : command-log enable


UserName : admin
Date : MON APR 28 11:13:13
Ip Addr : console
Result : SUCCESS

-> show command-log status


CLI command logging: Enable
PORT MIRRORING
Port Mirroring
 Port Mirroring
 Copies all incoming and outgoing traffic from one switch port to another
 Provides the ability to perform a packet capture

 Ports supported
 Ethernet, Fast/Gigabit Ethernet, 10/40 Gigabit Ethernet

 Sessions supported
 2 per standalone switch and per stack

 N-to-1 Mirroring Supported
 24 to 1 (OS6250/OS6450)
 128 to 1 (OS6850/OS6855/OS6900/OS10K/OS6860)
 Port requirements - must be of identical capacity
-> port mirroring <id> source <s/p> destination <s/p>
-> port mirroring 1 source 1/2-6 destination 2/4
-> port mirroring 1 source 1/9 2/7 3/5 destination 2/4
-> port mirroring 1 source 1/2-6 1/9 2/7 3/5 destination 2/4
Remote Port Mirroring (RPM)
 Allows traffic to be carried over the network to a remote switch

 Achieved by using a dedicated remote port mirroring VLAN

 RPM VLAN has to be configured on the source, destination and intermediate switches
 No other traffic is allowed on that VLAN

 The following types of traffic will not be mirrored:
 Link Aggregation Control Packets (LACP), 802.1AB (LLDP), 802.1x port authentication,
802.3ag (OAM), Layer 3 control packets, Generic Attribute Registration Protocol (GARP)

[Slide diagram: Source Port on the Source Switch, through an Intermediate Switch, to the Destination Port on the Destination Switch]
Policy Based Mirroring
 Mirroring is done based on a QoS policy instead of a specific port
 1 session supported at any given time

 As with Port Based Mirroring, it can be done on incoming or outgoing traffic or both

 policy action mirror

 Mirror traffic based on
 source and destination addresses
 address pairs
 protocols
 VLAN classification

 Port mirroring and monitoring cannot be configured on the same NI

[Slide diagram: a Mirroring Policy matches ingress, egress, or both ingress and egress packets; the Policy Action and Port Assignment direct matching traffic to the Mirror port]
Policy Based Mirroring
 Example 1
-> policy condition c1 source ip 1.1.1.1
-> policy action a1 ingress egress mirror 1/1
-> policy rule r1 condition c1 action a1
-> qos apply

Policy rule r1 will cause all packets with a source IP of 1.1.1.1 to be ingress and egress mirrored to
port 1/1

 Example 2
-> policy condition c1 source ip 1.1.1.1
-> policy action a2 ingress egress mirror 1/1 disposition drop
-> policy rule r2 condition c1 action a2
-> qos apply

Policy rule r2 drops traffic with a source IP of 1.1.1.1, but the mirrored traffic from this source is
not dropped and is forwarded to port 1/1
PORT MONITORING
Port Monitoring
 Captures data and stores it in Sniffer format on the switch

 Ports supported
 Ethernet, Fast/Gigabit Ethernet, 10/40 Gigabit Ethernet

 Captures first 64 bytes of each frame

 Session supported per switch or stack: 1

 512K Max Storage - Configurable

 Round-robin or stop capture when max storage reached

 Cannot use port monitoring and mirroring on same port

 Data stored in compliance with the ENC file format (Network General Sniffer Format)
-> port monitoring 6 source 2/3 enable
 6 – session ID
 Session can be paused, resumed, disabled and associated with a timeout
-> show port monitor file
Remote Monitoring - RMON
 RMON probes are used to collect, interpret and forward statistical data about
network traffic from designated active ports in a LAN segment
 Can be monitored using OmniVista
 4 groups supported:
 Ethernet Statistics – Gather Ethernet port statistics (e.g. port utilization, error statistics)
 History Group - Stores sampling such as utilization and error count
 Alarms Group – Compare samplings to thresholds (e.g. absolute or relative, rising and falling
thresholds)
 Events Group – Controls generation and notification to NMS station

-> rmon probes alarm enable


-> rmon probes stats enable
-> show rmon probes history 30562
Probe’s Owner: Analyzer-p:128.251.18.166 on Slot 1, Port 35
History Control Buckets Requested = 2
History Control Buckets Granted = 2
History Control Interval = 30 seconds
History Sample Index = 5859
Entry 10325
Flavor = History, Status = Active
Time = 48 hrs 53 mins,
System Resources (bytes) = 601
SYSTEM HEALTH
Health
 Monitors switch resource utilization and thresholds
 Switch-level Input/Output
 Memory and CPU Utilization Levels

 Most recent utilization level (percentage)

 Average utilization level over the last minute (percentage)

 Average utilization level over the last hour (percentage)

 Maximum utilization level over the last hour (percentage)

 Threshold level

-> show health


* - current value exceeds threshold
Device 1 Min 1 Hr 1 Hr
Resources Limit Curr Avg Avg Max
-----------------+-------+------+------+------+--------
Receive 80 00 00 00 00
Transmit/Receive 80 00 00 00 00
Memory 80 64 64 63 64
Cpu 80 21 19 24 73
SFLOW
sFlow - Network monitoring technology
 Industry standard with many vendors
 Delivering products with sFlow support (RFC 3176)
 Gives visibility into the activity of the network
 Provides network usage information and network wide view of usage and active routes
 Used for measuring network traffic, collecting, storing and analyzing the traffic data

 sFlow data applications
 Detecting, diagnosing and fixing network problems
 Real time congestion management
 Detecting unauthorized network activity (DOS)
 Usage accounting and billing
 Understanding application mix (web, DNS etc.)
 Route profiling and peering optimization
 Capacity planning

[Slide diagram: OmniSwitch with an sFlow Agent reading forwarding tables, interface counters and packet samples from the switching ASICs, exporting to the network]
sFlow - Switch Configuration

[Slide diagram: sFlow agents on every switch send measurements from every port to a central collector in real time; the loopback0 IP address is used as source]

 Traffic flows monitoring and sampling technology embedded within switches
 sFlow Agent software process running as part of the switch software
 sFlow collector which receives and analyses the monitored data (3rd party software)
 sFlow collector makes use of SNMP to communicate with an sFlow agent in order to
configure sFlow monitoring on the device (switch)
sFlow - Switch Configuration

Agent: one agent represents the whole switch
-> ip managed-interface {Loopback0 | interface-name} application sflow
-> show sflow agent

Receiver: represents the remote collector {destination IP address + port}; encodes samples into UDP datagrams
-> sflow receiver 1 name Server1 address 192.168.1.100
-> sflow receiver 2 name server2 address 172.30.130.102

Sampler: one sampler for each interface; collects packet samples
-> sflow sampler 1 1/1-24 receiver 1 rate 512 sample-hdr-size 128

Poller: one poller for each interface; collects counter samples
-> sflow poller 1 1/1-24 receiver 1 interval 10

-> show sflow receiver
-> show sflow sampler
-> show sflow poller
Switch Logging

Contents
1 Objective .......................................................................................2
2 EQUIPMENT/SOFTWARE REQUIRED ..........................................................2
3 Related Commands ............................................................................2
4 Supported Platforms ..........................................................................2
5 Lab Steps .......................................................................................3
5.1. Switch Logging ......................................................................................... 3
5.2. Command Logging ..................................................................................... 4
5.3. Port Mirroring........................................................................................... 6
5.4. Health.................................................................................................... 6
5.5. Port Monitoring ......................................................................................... 7
5.6. RMON..................................................................................................... 8
6 Summary ........................................................................................9
7 Lab Check .................................................................................... 10

1 Objective
This lab is designed to familiarize you with some basic troubleshooting and debugging tools on an
OmniSwitch.

2 EQUIPMENT/SOFTWARE REQUIRED
One OmniSwitch
One PC

3 Related Commands
swlog, show swlog, swlog appid, show health
port mirror, rmon probes, show rmon probes

4 Supported Platforms
All

5 Lab Steps

5.1. Switch Logging


Switch Logging can be used to track informational or debugging messages from the switch. This is
dependent upon the severity level set for a particular process. Logging can be configured to send its output
to flash, the console, or an external server. By default, switch logging is enabled.
Type the following:

6850E-> show swlog


Operational Status : On,
Log Device 1 : flash,
Log Device 2 : console,
Syslog FacilityID : local0(16),
Remote command-log : Disabled,
Console Display Level : info (6),
All Applications Trace Level : info (6)

You should see that logging is running and sending its output to both flash and the console. It does not
mean that all messages will be displayed on the console, only messages matching the severity level, by
default, informational (6). Logging can be disabled if desired.
Type the following:

6850E-> no swlog

WED OCT 23 17:54:41 : SYSTEM (75) info message:


+++ Switch Logging Facility stopped by command

6850E-> show swlog


Operational Status : Off,
Log Device 1 : flash,
Log Device 2 : console,
Syslog FacilityID : local0(16),
Remote command-log : Disabled,
Console Display Level : info (6),
All Applications Trace Level : info (6)
To re-enable logging enter:

6850E-> swlog

WED OCT 23 17:55:27 : SYSTEM (75) info message:


+++ Switch Logging Facility started by command
The logging feature has a number of application IDs. These IDs are used to determine which process
generated the logging message and at what severity level. Consult the user guide for a list of processes and
associated severity levels. By default all processes are set to a severity level of 6, which is informational,
as indicated above. All logging messages are stored in the swlog*.log files and can be viewed right on the
switch (Note: the "more" command comes in handy for outputs of this size, try it with the default of "more"
off and with "more" enabled).
Type the following:

6850E-> more
6850E-> show log swlog
Displaying file contents for '/flash/swlog1.log'
FILEID: fileName[/flash/swlog1.log], endPtr[61632], configSize[64000], mode[2]


Time Stamp Application Level Log Message
------------------------+--------------+-------+--------------------------------
MON OCT 21 10:01:47 2013 CSM-CHASSIS alert == CSM == loading remote_config.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:47 2013 CSM-CHASSIS alert == CSM == loading openssh.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:48 2013 CSM-CHASSIS alert == CSM == loading ssApp.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:49 2013 CSM-CHASSIS alert == CSM == loading ftpSrv.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:49 2013 CSM-CHASSIS alert == CSM == loading ntp.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:49 2013 CSM-CHASSIS alert == CSM == loading lanpower.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:50 2013 CSM-CHASSIS alert == CSM == loading telnetdaemon.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:50 2013 CSM-CHASSIS alert == CSM == loading health_monitor.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:51 2013 CSM-CHASSIS alert == CSM == loading rmon.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:51 2013 CSM-CHASSIS alert == CSM == loading bfdcmm.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:52 2013 CSM-CHASSIS alert == CSM == loading esm_driver.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:52 2013 CSM-CHASSIS alert == CSM == loading source_learning.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:53 2013 INTERFACE info Got connection from slot 1:18
MON OCT 21 10:01:53 2013 CSM-CHASSIS alert == CSM == loading spanning_tree.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:53 2013 INTERFACE info Got connection from slot 1:105
MON OCT 21 10:01:54 2013 CSM-CHASSIS alert == CSM == loading sip.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:54 2013 CSM-CHASSIS alert == CSM == loading erpv2.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:55 2013 CSM-CHASSIS alert == CSM == loading saa.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:55 2013 CSM-CHASSIS alert == CSM == loading 8021q.lnk from /flash/working/Kbase.img
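
The records above have a fixed layout (timestamp, application, level, message), so the file can be pulled off the switch and filtered programmatically. The following Python script is an added example, not part of the lab or of AOS: it parses a constructed excerpt of "show log swlog" output (the first records are copied from the output above; the last line is constructed from the "Switch Logging Facility stopped by command" message seen earlier in the lab), keeps only records at or more urgent than a chosen level, and flags the record that shows logging being stopped, an event worth alerting on because it blinds later troubleshooting. The severity table assumes the standard syslog ordering with the AOS debug levels appended, consistent with the "info (6)" and "debug3 (9)" values printed by "show swlog".

```python
import re
from collections import Counter
from typing import Dict, List

# Severity names in order of decreasing urgency. Assumption: standard syslog
# levels 0..6 followed by the AOS debug levels, consistent with the
# "info (6)" and "debug3 (9)" values printed by "show swlog".
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warn": 4,
            "notice": 5, "info": 6, "debug1": 7, "debug2": 8, "debug3": 9}

# One record of "show log swlog": "MON OCT 21 10:01:47 2013 CSM-CHASSIS alert ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z]{3} [A-Z]{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<app>\S+)\s+(?P<level>[a-z0-9]+)\s+(?P<msg>.*)$")

# Constructed excerpt: header lines plus records copied from the lab output;
# the final SYSTEM line is constructed to mimic the logging-stopped message.
SAMPLE = """\
FILEID: fileName[/flash/swlog1.log], endPtr[61632], configSize[64000], mode[2]
Time Stamp               Application    Level   Log Message
------------------------+--------------+-------+--------------------------------
MON OCT 21 10:01:47 2013 CSM-CHASSIS alert == CSM == loading remote_config.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:47 2013 CSM-CHASSIS alert == CSM == loading openssh.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:53 2013 INTERFACE info Got connection from slot 1:18
MON OCT 21 10:01:53 2013 CSM-CHASSIS alert == CSM == loading spanning_tree.lnk from /flash/working/Kbase.img
MON OCT 21 10:01:53 2013 INTERFACE info Got connection from slot 1:105
MON OCT 21 10:01:55 2013 CSM-CHASSIS alert == CSM == loading 8021q.lnk from /flash/working/Kbase.img
WED OCT 23 17:54:41 2013 SYSTEM info +++ Switch Logging Facility stopped by command
"""


def parse_swlog(text: str) -> List[Dict[str, str]]:
    """Return one dict per log record; header and separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def at_least(records: List[Dict[str, str]], level: str) -> List[Dict[str, str]]:
    """Keep records whose severity is 'level' or more urgent (lower number)."""
    threshold = SEVERITY[level]
    return [r for r in records if SEVERITY.get(r["level"], 99) <= threshold]


def count_by_app(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Message count per application ID, useful to spot a chatty process."""
    return dict(Counter(r["app"] for r in records))


def logging_stopped(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Records showing that the switch logging facility was stopped by command."""
    return [r for r in records if "Switch Logging Facility stopped" in r["msg"]]


if __name__ == "__main__":
    recs = parse_swlog(SAMPLE)
    print(f"{len(recs)} records, per application: {count_by_app(recs)}")
    for r in at_least(recs, "alert"):
        print("ALERT+", r["ts"], r["app"], r["msg"])
    for r in logging_stopped(recs):
        print("WARNING: logging stopped at", r["ts"])
```

Run against a real file, the same three functions let you check that no process was left at a debug level and that nobody disabled logging during a change window.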

Let’s change the level of the IP process to gather some additional information.
Type the following:

6850E-> show swlog


Operational Status : On,
Log Device 1 : flash,
Log Device 2 : console,
Syslog FacilityID : local0(16),
Remote command-log : Disabled,
Console Display Level : info (6),
All Applications Trace Level : info (6)

6850E-> no swlog output console


6850E-> swlog appid ip level debug3

6850E-> show swlog


Operational Status : On,
Log Device 1 : flash,
Syslog FacilityID : local0(16),
Remote command-log : Disabled,
Console Display Level : info (6),
All Applications Not Shown Level : info (6)

Application ID Level
--------------------+----------------
IP ( 15) debug3 (9)

The above command modified the IP application to a level of debug3, which is the most verbose.
From a PC, ping the router interface of any VLAN on the switch, or any other IP address, to generate IP
packets.
You should see debugging information scrolling across the screen indicating that the switch received an ARP
packet, along with the slot/port the PC is connected to. Set the level back to info:
6850E-> swlog appid ip level info

5.2. Command Logging


Like switch logging, commands entered on the OmniSwitch can be captured to a log file. These can then be
reviewed at a later time to see what changes have been made. This is a very valuable tool, especially when
making changes to your configuration.

Type the following:

6850E-> show command-log


6850E-> command-log enable

Let's create and delete a couple of VLANs to demonstrate:

6850E-> vlan 11
6850E-> vlan 12
6850E-> no vlan 11
6850E-> no vlan 12

6850E-> show command-log


Command : no vlan 12
UserName : admin
Date : WED OCT 23 18:00:13
Ip Addr : console
Result : SUCCESS

Command : no vlan 11
UserName : admin
Date : WED OCT 23 18:00:10
Ip Addr : console
Result : SUCCESS

Command : vlan 12
UserName : admin
Date : WED OCT 23 18:00:07
Ip Addr : console
Result : SUCCESS

Command : vlan 11
UserName : admin
Date : WED OCT 23 18:00:05
Ip Addr : console
Result : SUCCESS

Command : command-log enable
UserName : admin
Date : WED OCT 23 18:00:04
Ip Addr : console
Result : SUCCESS

You should now see the commands you entered displayed on the screen with information about the time
and where they were entered from, such as a console or TELNET session.
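
Because the command log records who ran what, when, and from which session, it is the first thing to check after an unexpected configuration change. The following Python script is an added example, not part of the lab or of AOS: it parses "show command-log" blocks exactly as printed above (embedded as a constructed sample copied from that output, with one entry changed to a constructed remote address so that a non-console session appears), returns the entries oldest first, and picks out entries that did not come from the console so that remote changes can be reviewed separately.

```python
import re
from typing import Dict, List

# Constructed sample: the records printed above; the "vlan 12" entry has a
# constructed remote address instead of "console" to show a Telnet/SSH change.
SAMPLE = """\
Command : no vlan 12
UserName : admin
Date : WED OCT 23 18:00:13
Ip Addr : console
Result : SUCCESS

Command : no vlan 11
UserName : admin
Date : WED OCT 23 18:00:10
Ip Addr : console
Result : SUCCESS

Command : vlan 12
UserName : admin
Date : WED OCT 23 18:00:07
Ip Addr : 192.0.2.10
Result : SUCCESS

Command : vlan 11
UserName : admin
Date : WED OCT 23 18:00:05
Ip Addr : console
Result : SUCCESS
"""

# "Key : value"; the key is matched lazily so the colons in Date values stay in the value.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")


def parse_command_log(text: str) -> List[Dict[str, str]]:
    """Split 'show command-log' output into records, newest first as printed."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                       # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    if current:
        records.append(current)
    return records


def oldest_first(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The switch prints newest first; reverse to read the change sequence."""
    return list(reversed(records))


def remote_entries(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries issued from a non-console (Telnet/SSH) session."""
    return [r for r in records if r.get("Ip Addr", "").lower() != "console"]


def commands_matching(records: List[Dict[str, str]], pattern: str) -> List[Dict[str, str]]:
    """Entries whose command matches a regular expression, e.g. r'^(no )?vlan'."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r.get("Command", ""))]


if __name__ == "__main__":
    recs = parse_command_log(SAMPLE)
    for r in oldest_first(recs):
        print(r["Date"], r["UserName"], r["Ip Addr"], "->", r["Command"], r["Result"])
    print("remote changes:", [r["Command"] for r in remote_entries(recs)])
```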
5.3. Port Mirroring


Port mirroring can be configured to copy traffic from one or multiple ports to another. The destination port
would normally have a traffic analyzer connected. Let’s create a mirroring session to copy traffic from one
port to another.
Type the following:

6850E-> port mirroring 1 source 1/2 destination 1/1

6850E-> show port mirroring status 1

Session   Mirror       Mirror          Unblocked  RPMIR   Config    Oper
          Destination  Direction       Vlan       Vlan    Status    Status
----------+-----------+--------------+----------+---------+----------+---------
   1.     1/1          -               NONE       NONE    Enable    Off
----------+----------+--------------+----------+---------+----------+---------
          Mirror
          Source
----------+----------+--------------+----------+---------+----------+---------
   1.     1/2          bidirectional   -          -       Enable    Off

Use the ‘?’ to view additional parameters. Notice you can capture just incoming or outgoing traffic if
desired.

5.4. Health
The Health feature can be used to gather basic information on the state of the switch such as CPU, memory
and traffic utilization information.

6850E-> show health


* - current value exceeds threshold

Device 1 Min 1 Hr 1 Hr
Resources Limit Curr Avg Avg Max
-----------------+-------+------+------+-----+----
Receive 80 01 01 01 01
Transmit/Receive 80 01 01 01 01
Memory 80 53 53 52 53
Cpu 80 29 23 21 100

6850E-> show health 1/1

* - current value exceeds threshold

Port 01/01                      1 Min   1 Hr   1 Hr
Resources          Limit  Curr   Avg    Avg    Max
-----------------+-------+------+------+-----+----
Receive              80    00     00     00     00
Transmit/Receive     80    00     00     00     00

6850E-> show health ?


^
<cr> THRESHOLD STATISTICS SLICE INTERVAL ALL
<num1-num2> <num> <slot/port>
(Miscellaneous Command Set)
5.5. Port Monitoring


Port Monitoring makes it possible to capture traffic being sent to and from a port and store it in /flash in
".enc" (or Sniffer) format. The data is stored in a file named pmon.enc by default, but this can be
modified. The file can then be transferred off the switch and viewed in detail using a traffic analyzer. It is
also possible to display the output directly to the console or to a telnet session.
Connect your PC to any slot and port on the switch.

6850E-> port monitoring 1 source 1/1 enable


ERROR: Source port 1001 is part of other session or monitoring

6850E-> port monitoring 1 source 1/3

6850E-> show port monitoring status

Session   Monitor      Monitor          Overwrite   Operating   Admin
          slot/port    Direction                    Status      Status
---------+--------------+------------------+---------------+-------------+------------
   1.     1/3          Bidirectional    ON          OFF         ON

Notice that when we attempted to enable monitoring for source port 1/1 we received an error message.
Earlier in this lab we enabled port mirroring for that port, and a port can only belong to one session at a
time. How do we go about enabling port mirroring for port 1/1?
Generate traffic by issuing pings to any address.
The above commands enabled a port monitoring session with an ID of 1 on the slot and port your PC is
connected to. The session can be paused and resumed if necessary.
Type the following:

6850E-> port monitoring 1 pause

6850E-> show port monitoring status

Session   Monitor      Monitor          Overwrite   Operating   Admin
          slot/port    Direction                    Status      Status
---------+--------------+------------------+---------------+-------------+------------
   1.     1/3          Bidirectional    ON          ON          PAUSE

6850E-> port monitoring 1 resume


6850E-> port monitoring 1 disable

You should now see a message indicating that it has finished writing the capture file. The data is stored in a
file called pmonitor.enc in the /flash directory.
Type the following:

6850E-> ls

Listing Directory /flash:

drw        2048 Oct 23 17:28 certified/
-rw         340 Oct 23 17:29 boot.params
drw        2048 Oct 23 17:28 working/
-rw       64000 Oct 23 17:29 swlog1.log
-rw       64000 Oct 23 18:00 swlog2.log
drw        2048 Oct 16 16:28 switch/
-rw          12 Oct 23 17:29 boot.slot.cfg
drw        2048 Jul 16 16:04 network/
drw        2048 Jan 21 20:05 diag/
drw        2048 Oct 15 10:38 labinit/
-rw       57317 Sep 30 17:01 ipcTech.log
-rw       66402 Oct 23 18:04 command.log
-rw          20 Oct 15 10:30 installed
-rw        4583 Oct 23 18:04 pmonitor.enc

68661248 bytes free

6850E-> show port monitoring file


Destination | Source | Type | Data
-------------------------------------------------------------------------------
01:80:C2:00:00:00 | 00:E0:B1:6B:31:5A | II-8100| 81:00:00:01:00:27:42:42:03:00
FF:FF:FF:FF:FF:FF | 00:0B:DB:A7:4D:C4 | II-8100| 81:00:00:01:08:00:45:00:00:4E
FF:FF:FF:FF:FF:FF | 00:0B:DB:A7:4D:C4 | II-8100| 81:00:00:01:08:00:45:00:00:4E
01:80:C2:00:00:00 | 00:E0:B1:6B:31:5A | II-8100| 81:00:00:01:00:27:42:42:03:00
FF:FF:FF:FF:FF:FF | 00:0B:DB:A7:4D:C4 | II-8100| 81:00:00:01:08:06:00:01:08:00
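
The rows above carry the first bytes after the MAC header, which is enough to tell what kind of traffic the capture holds before the .enc file is opened in an analyzer. The following Python script is an added example, not part of the lab or of AOS: it parses the rows exactly as printed (embedded here as a constructed sample copied from that output), pulls the 802.1Q tag out of the leading 81:00 bytes, and classifies each frame as IPv4, ARP or an LLC frame such as the STP BPDU (DSAP 0x42) sent to 01:80:C2:00:00:00. The EtherType and SAP tables are the standard IEEE/IANA values; summarize() and bpdu_sources() are the quick checks a defender runs on a capture from an access port, since a BPDU from an unexpected source MAC points at a device acting as a switch.

```python
from collections import Counter
from typing import Dict, List, Optional

# Standard EtherType and LLC SAP values (IANA / IEEE), not page-specific.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
LLC_SAPS = {0x42: "STP BPDU"}          # DSAP/SSAP 0x42 = bridge spanning tree
BROADCAST = "FF:FF:FF:FF:FF:FF"

# Constructed sample: the rows printed by "show port monitoring file" above.
SAMPLE = """\
Destination       | Source            | Type   | Data
-------------------------------------------------------------------------------
01:80:C2:00:00:00 | 00:E0:B1:6B:31:5A | II-8100| 81:00:00:01:00:27:42:42:03:00
FF:FF:FF:FF:FF:FF | 00:0B:DB:A7:4D:C4 | II-8100| 81:00:00:01:08:00:45:00:00:4E
FF:FF:FF:FF:FF:FF | 00:0B:DB:A7:4D:C4 | II-8100| 81:00:00:01:08:00:45:00:00:4E
01:80:C2:00:00:00 | 00:E0:B1:6B:31:5A | II-8100| 81:00:00:01:00:27:42:42:03:00
FF:FF:FF:FF:FF:FF | 00:0B:DB:A7:4D:C4 | II-8100| 81:00:00:01:08:06:00:01:08:00
"""


def hex_field(field: str) -> bytes:
    """'81:00:00:01' -> b'\\x81\\x00\\x00\\x01'."""
    return bytes(int(b, 16) for b in field.strip().split(":"))


def decode_row(line: str) -> Optional[Dict]:
    """Decode one printed row; returns None for header and separator lines."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 4 or ":" not in parts[0]:
        return None
    dst, src, ftype, data = parts
    payload = hex_field(data)
    rec = {"dst": dst, "src": src, "type": ftype, "vlan": None, "pcp": None,
           "proto": "unknown", "broadcast": dst.upper() == BROADCAST}
    off = 0
    if payload[0:2] == b"\x81\x00":                 # 802.1Q tag present
        tci = int.from_bytes(payload[2:4], "big")
        rec["pcp"] = tci >> 13                      # priority code point
        rec["vlan"] = tci & 0x0FFF                  # VLAN ID
        off = 4
    tl = int.from_bytes(payload[off:off + 2], "big")
    if tl >= 0x0600:                                # Ethernet II: EtherType
        rec["proto"] = ETHERTYPES.get(tl, f"ethertype 0x{tl:04X}")
        if tl == 0x0800 and len(payload) >= off + 6:
            rec["ip_version"] = payload[off + 2] >> 4
            rec["ip_total_len"] = int.from_bytes(payload[off + 4:off + 6], "big")
    else:                                           # 802.3 length + LLC header
        dsap = payload[off + 2]
        rec["frame_len"] = tl
        rec["proto"] = LLC_SAPS.get(dsap, f"LLC DSAP 0x{dsap:02X}")
    return rec


def decode_capture(text: str) -> List[Dict]:
    return [r for r in (decode_row(line) for line in text.splitlines()) if r]


def summarize(text: str) -> Dict[str, int]:
    """Frame count per decoded protocol, e.g. {'STP BPDU': 2, 'IPv4': 2, 'ARP': 1}."""
    return dict(Counter(r["proto"] for r in decode_capture(text)))


def bpdu_sources(text: str) -> List[str]:
    """Source MACs seen sending BPDUs; on an access port these deserve a look."""
    return sorted({r["src"] for r in decode_capture(text) if r["proto"] == "STP BPDU"})


if __name__ == "__main__":
    for r in decode_capture(SAMPLE):
        print(f"{r['src']} -> {r['dst']} vlan={r['vlan']} {r['proto']}")
    print(summarize(SAMPLE), bpdu_sources(SAMPLE))
```

Only the first ten payload bytes are printed by the switch, so the decoder stops at the IPv4 total length; the full packets are in the .enc file.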
Use the ‘?’ to display additional parameters. How would you change the name of the capture file?

6850E-> port monitoring 1 source 1/1 ?


^
<cr> BIDIRECTIONAL DISABLE ENABLE
FILE
INPORT NO OFF ON OUTPORT TIMEOUT
(Miscellaneous Command Set)

When done, delete the monitoring session.

6850E-> show port monitoring status

Session   Monitor      Monitor          Overwrite   Operating   Admin
          slot/port    Direction                    Status      Status
---------+--------------+------------------+---------------+-------------+------------
   1.     1/1          Bidirectional    ON          OFF         OFF

6850E-> no port monitoring 1

5.6. RMON
Remote Monitoring can be used to gather statistics for displaying in OmniVista or other NMS
packages.

6850E-> show rmon probes

Entry   Slot/Port   Flavor     Status     Duration     System Resources
-------+----------+---------+-----------+------------+----------------
1001    1/1         Ethernet   Active     00:09:07     271 bytes
1       1/1         History    Active     01:10:30     5459 bytes
2       1/2         History    Active     01:10:30     5459 bytes
3       1/3         History    Active     01:10:30     5459 bytes
4       1/4         History    Active     01:10:30     5459 bytes
.
.
.
46      1/46        History    Active     01:10:30     5460 bytes
47      1/47        History    Active     01:10:30     5460 bytes
48      1/48        History    Active     01:10:30     5460 bytes

6850E-> show rmon probes history

Entry   Slot/Port   Flavor     Status     Duration     System Resources
-------+----------+---------+-----------+------------+----------------
1 1/1 History Active 01:12:33 5459 bytes
2 1/2 History Active 01:12:33 5459 bytes
3 1/3 History Active 01:12:33 5459 bytes
4 1/4 History Active 01:12:33 5459 bytes
.
.
.
46 1/46 History Active 01:12:33 5460 bytes
47 1/47 History Active 01:12:33 5460 bytes
48 1/48 History Active 01:12:33 5460 bytes

6850E-> show rmon probes alarm

Entry   Slot/Port   Flavor     Status     Duration     System Resources
-------+----------+---------+-----------+------------+----------------

6850E-> show rmon events

Entry   Time            Description
-------+---------------+---------------------------

6850E-> show rmon probes 1011


Probe's Owner: Switch Auto Probe on Slot 1, Port 11
Entry 1011
Flavor = Ethernet, Status = Active,
Time = 75 hrs 15 mins,
System Resources (bytes) = 272

6850E-> show rmon probes history 1


Probe's Owner: Switch Auto Probe on Slot 1, Port 1
History Control Buckets Requested = 50,
History Control Buckets Granted = 50,
History Control Interval = 30 seconds,
History Sample Index = 18009
Entry 1
Flavor = History, Status = Active,
Time = 150 hrs 4 mins,
System Resources (bytes) = 5459

6 Summary
This lab introduced you to some basic debugging and troubleshooting features of an OmniSwitch.
7 Lab Check
- What is the command to view the switch log?
-
- Port mirroring will capture source and destination traffic to a Sniffer file format?
-
- Port Monitoring is currently supported on which platform?
-
- What’s the command for capturing just inbound or outbound packets using port monitoring?
-
OMNISWITCH AOS R6/R7

Power over Ethernet Configuration


Module Objectives
 You will:
 Learn how to setup and monitor Power Over
Ethernet management parameters

[AOS graphic: High Availability, Extensive Manageability and Enhanced Security around the AOS Operating System]
OmniSwitch 6250/6400/6450/6850E/6855/9000
Power Over Ethernet
 Specifications
 IEEE 802.3af and/or IEEE 802.3at DTE Power via MDI
 Cable distances supported: 100m
 Default in-line power per port
 Total number of PoE-capable ports per switch

 OmniSwitch uses dynamic PoE


 Delivers what’s needed, up to total budget
 Goes beyond classification (which is optional in IEEE 802.3af)
 This allows smaller (cheaper) power supply deployment
OmniSwitch 6250/6400/6450/6850E/6855/9000
Power Over Ethernet
 Powering of devices over Ethernet
 PSE: Power Sourcing Equipment, e.g. OmniSwitch 6850-P24
 PD: Powered Device, e.g. Alcatel-Lucent IP Touch 4068 EE
 Optional Classification

 The class of a PD is determined by the PSE via a fixed resistance in the PD


 Resistance = hardware

 IEEE 802.3af specifies 4 classes of maximum power


 Unclassified, Class 0: max 15.4W output @ PSE, max 12.95W input @ PD
 Class 1: max 4W output @ PSE, max 3.84W input @ PD
 Class 2: max 7W output @ PSE, max 6.49W input @ PD
 Class 3: max 15.4W output @ PSE, max 13W input @ PD

 IEEE 802.3at specifies an additional class for PD type 2


 Class 4: max 34.2W output @ PSE, max 25.5W input @ PD
OmniSwitch 6250/6400/6450/6850E/6855/9000
Power over Ethernet Supplies rating
 PoE models
 OmniSwitch 6250-P24
 225W AC power supplies
 180W PoE power budget, 3 to 30 W per port
 OmniSwitch 6400-P24 & P48
 360 or 510W AC power supplies (brick power supply)
 240 or 390W PoE power budget
 OmniSwitch 6450-P10 & P10L
 Internal power supply and 120W PoE power budget
 OmniSwitch 6450-P24 & P48
 Internal PS and external backup PS (550 or 900W)
 390/780W PoE power budget
 OmniSwitch 6850-EP24, P24L, P24X, P48, P48L, and P48X
 360W AC and 510W AC power supplies (two 360W in a shelf, one 510W in a shelf)
 3-18W per port
 OmniSwitch 6855-14, OmniSwitch 6855-24
 External PS for PoE: 66W (6855-14) or 160W (6855-24)
 4 PoE capable ports, 3-15.4W per port / 20W on 3 ports
 OmniSwitch 9000 OS-GNI-P24
 PoE is supplied by an external power shelf (OS-IP-SHELF PoE Power Shelf)
 Maximum number of modules per chassis: 4 (OS9600); 8 (OS9700); 16 (OS9800)
 Configurable Total Power Available per Port and per slot: 3-18W (default 15.4W)
OmniSwitch 6250/6400/6450
Power over Ethernet Specifications

Specification | OmniSwitch 6250 | OmniSwitch 6400 | OmniSwitch 6450-10 | OmniSwitch 6450
IEEE Standards supported | IEEE 802.3af, 802.3at | IEEE 802.3af | IEEE 802.3af, 802.3at | IEEE 802.3af, 802.3at
Def PoE admin status | Enabled (all)
Def PoE oper status | Disabled (PoE must be activated on a switch-by-switch basis with lanpower start) (all)
Platforms supporting PoE | OS6250-P24 | OS 6400-P24 & P48 | OS 6850-P10, OS 6850-P10L | OS 6450-P24, OS 6450-P48
Cable distances supported | 100 meters (approx.) (all)
Total nb of PoE-capable ports per switch | 24 | 24 or 48 | 8 | 24 or 48
Def amount of inline power available per switch | | 240W (360W PS), 390W (510W PS) | 120W | 390W (530W backup PS), 780W (900W backup PS)
Default amount of inline power available per port | Ports 1-6, 23/24 or 25/26: 30W; Ports 7-24: 16W | 15.4W | 15.4W | 15.4W
Range of inline power allowed per port | Ports 1-6, 23/24 or 25/26: 3-30W; Ports 7-24: 3-16W | 3-18W | Ports 1-8: 3-30W | 3-30W
PoE Power Supply | 225W | 390W (510W PS), 240W (360W PS) | 120W | 390W (530W PS), 780W (900W PS)
OmniSwitch 6850E/6855/9000
Power over Ethernet Specifications
Specification | OmniSwitch 6850E | OmniSwitch 6855 | OmniSwitch 9000
IEEE Standards supported | IEEE 802.3af (all)
Def PoE admin status | Enabled (all)
Def PoE oper status | Disabled (PoE must be activated on a switch-by-switch basis with lanpower start) (all)
Platforms supporting PoE | OS 6850-P24, P24L, P24X, P48, P48L, P48X | OS 6855-14, OS 6855-24 | OS9600, 9700/9702, 9800; module OS9-GNI-P24
Cable distances supported | 100 meters (approx.) (all)
Total nb of PoE-capable ports per switch | 24 or 48 | 4 first ports | 96 (OS9600); 192 (OS9700); 384 (OS9800)
Def amount of inline power available for each slot | 240W (360W PS), 390W (510W PS) | |
Range of inline power allowed for each slot | 37-240 (360W PS), 37-390 (510W PS) | | 260W
Default amount of inline power available | 15.4W | 15.4W |
Range of inline power allowed per port | 3-18W | 3-20W | 3-18W
PoE Power Supply | 390W (510W PS), 240W (360W PS) | 80W (OS6855-C24), 66W (OS6855-C14) | 240W of PoE w/ PS 360W, 390W of PoE w/ PS 510W
OmniSwitch 6250/6400/6450/6850E/6855/9000
POE Management
 Viewing PoE Power Supply Status

-> show power

Slot  PS  Wattage  Type  Status  Location
----+----+---------+------+-----------+----------
1     1   360      AC    UP      External
1     2   360      AC    UP      External
1     3   --       --    --      --


 Setting the PoE Operational Status


-> lanpower start 1

 Reactivating / Deactivating power to one port


-> lanpower start / stop 1/3

 Setting the maximum amount of inline power

-> lanpower 1/9 power 18000


OmniSwitch 6250/6400/6450/6850E/6855/9000
POE Management
 Setting the PoE Operational Status on a Port
 Disabled by default
-> lanpower start 1/2

 Setting Port Priority Levels


 low, high, and critical
 Default priority level for a port is low
 Low: In the event of a power management issue, inline power to low-priority
ports is interrupted first
 High: This value is used for port(s) that have important, but not mission-
critical, devices attached. If other ports in the chassis have been configured
as critical, inline power to high-priority ports is given second priority.
 Critical: In the event of a power management issue, inline power to critical
ports is maintained as long as possible

-> lanpower 1/22 priority critical


OmniSwitch 6250/6400/6450/6850E/6855/9000
POE Management
 Setting the Capacitor Detection Method
 not compatible with IEEE specification 802.3af
 It should only be enabled to support legacy IP phones
-> lanpower 1 capacitor-detection enable

 Setting Priority Disconnect Status


 used by the system software in determining whether an incoming PD will be
granted or denied power when there are too few watts remaining in the PoE
power budget for an additional device
-> lanpower 1 priority-disconnect enable
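
The priority levels and the priority-disconnect setting above decide what happens when a new powered device asks for more than the remaining budget. The following Python model is an added example, not the AOS implementation and not the switch's actual power-allocation algorithm: it reserves each powered port's configured maximum (the switch's dynamic PoE allocates what is actually drawn, so real numbers differ) and applies the rules from the slides. With priority-disconnect disabled an incoming device is denied when the budget is short; with it enabled, powered ports of lower priority are interrupted (low first, then high, critical maintained as long as possible) until the newcomer fits, and the device is still denied if that would not be enough. The port numbers, the 50 W budget and the 15.4 W loads are constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

PRIORITY_RANK = {"low": 0, "high": 1, "critical": 2}   # higher rank = kept longer


@dataclass
class PoePort:
    number: int
    priority: str = "low"      # AOS default port priority is low
    max_mw: int = 15400        # configured maximum inline power in mW
    powered: bool = False


@dataclass
class PoeSlot:
    budget_mw: int
    ports: List[PoePort] = field(default_factory=list)

    def reserved_mw(self) -> int:
        """Model simplification: a powered port reserves its configured maximum."""
        return sum(p.max_mw for p in self.ports if p.powered)

    def remaining_mw(self) -> int:
        return self.budget_mw - self.reserved_mw()

    def admit(self, port: PoePort, priority_disconnect: bool) -> Tuple[bool, List[int]]:
        """Decide whether a newly detected PD on 'port' receives power.

        Returns (granted, [numbers of ports interrupted to make room]).
        """
        if port.max_mw <= self.remaining_mw():
            port.powered = True
            return True, []
        if not priority_disconnect:
            return False, []                      # budget short: newcomer denied
        needed = port.max_mw - self.remaining_mw()
        # Candidates: powered ports of strictly lower priority, lowest priority
        # first; among equals the highest port number first (constructed tie-break).
        victims = [p for p in self.ports if p.powered
                   and PRIORITY_RANK[p.priority] < PRIORITY_RANK[port.priority]]
        victims.sort(key=lambda p: (PRIORITY_RANK[p.priority], -p.number))
        shed, freed = [], 0
        for v in victims:
            if freed >= needed:
                break
            shed.append(v)
            freed += v.max_mw
        if freed < needed:
            return False, []                      # shedding would not free enough
        for v in shed:
            v.powered = False
        port.powered = True
        return True, [v.number for v in shed]


def build_slot() -> PoeSlot:
    """Constructed scenario: 50 W budget, three ports already powered."""
    slot = PoeSlot(budget_mw=50000)
    slot.ports = [PoePort(1, "low", powered=True),
                  PoePort(2, "high", powered=True),
                  PoePort(3, "critical", powered=True),
                  PoePort(4, "low")]
    return slot


def scenario(new_priority: str, priority_disconnect: bool) -> Tuple[bool, List[int]]:
    """Plug a 15.4 W device into port 4 with the given priority and setting."""
    slot = build_slot()
    port4 = slot.ports[3]
    port4.priority = new_priority
    return slot.admit(port4, priority_disconnect)


if __name__ == "__main__":
    for prio in ("low", "high", "critical"):
        for pd in (False, True):
            print(f"{prio:8s} priority-disconnect={pd!s:5s} ->", scenario(prio, pd))
```

The model makes the operational point of the slides visible: a critical phone plugged in late only gets power at the expense of a low-priority port, and only if priority-disconnect is enabled.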
OmniSwitch 6250/6400/6450/6850E/6855/9000
POE Monitoring
sw1> show lanpower 1

Port Maximum(mW) Actual Used(mW) Status Priority On/Off


----+-----------+---------------+-----------+---------+------
1 15400 0 Powered Off Low ON
2 15400 0 Powered Off Low ON
6 15400 0 Powered Off Low ON
7 15400 0 Powered On Low ON
8 15400 0 Powered Off Low ON
--------------------------------------------------------------------
15 15400 0 Powered Off Low ON
16 15400 0 Powered Off Low OFF
17 15400 0 Powered On Low ON
--------------------------------------------------------------------
23 15400 0 Undefined Low ON
24 15400 0 Undefined Low ON

Slot 1 Max Watts 240
0 Watts Total Power Budget Remaining
240 Watts Total Power Budget Available
1 Power Supplies Available
OMNISWITCH AOS R6/R7/R8

Link Aggregation Groups


Module Objectives
 You will:
 Understand the Link Aggregation operation
on AOS based switches
 Learn how to configure
 Static Link Aggregation
 Dynamic Link Aggregation
 Load Balancing Control
[AOS graphic: High Availability, Extensive Manageability and Enhanced Security around the AOS Operating System]
Link Aggregation Groups
Overview
 What is Link Aggregation?
 Method of aggregating (combining) multiple ports/links so that the switch will
“see” them as one logical link

 Advantages of Link Aggregation


 Scalability
 Reliability
 Ease of Migration

 Provides an aggregated link (multiple physical links combined into one logical
link)

Logical Link can be statically assigned to any VLAN


802.1q can be configured on the logical aggregated link
Link Aggregation Groups
 Static (OmniChannel) or Dynamic (IEEE 802.3ad/LACP)

 Maximum number of aggregation groups per switch


 32 for a standalone switch or a stack of switches (R6)
 128 for a chassis-based switch (R6) and for R7 and R8 switches
 applies for both OmniChannel AND 802.3ad

 Maximum of 256 link aggregation ports per switch, so group size trades off against group count


 2 ports per group - maximum 128 link aggregate groups
 4 ports per group – maximum 64 link aggregate groups
 8 ports per group – maximum 32 link aggregate groups

 Number of links per group supported: 2, 4 or 8


 10-Mbps, 100-Mbps, 1-Gbps, or 10-Gbps Ethernet links

 One port can only belong to one link aggregation

 Load balancing based on L2 SA/DA (in bridging) or L3 SA/DA (in routing) by default
Link Aggregation Groups
Static vs. Dynamic
 Difference between static and dynamic
 Static
 Port parameters MUST be exactly the same at both ends and within the group
 same speed (e.g., all 10 Mbps, all 100 Mbps, all 1 Gigabit, or all 10 Gigabit)
 Only works between Alcatel-Lucent OmniSwitches and OmniStacks
(new and early-generation)
 Dynamic
 IEEE 802.3ad LACP
 LACP will negotiate the optimal parameters for both ends by using LACPDU (Link Aggregation
Control Protocol Data Unit)
 Ports must be of the same speed within the same aggregate group

 For both, Load balancing is based on:


 L2 SA/DA (in bridging)
 L3 SA/DA (in routing) in brief “Hashing mode”
 L3 SA/DA + TCP/UDP ports (in routing) in extended “Hashing mode”

Ports that belong to the same aggregate group do not have to be configured sequentially
and can be on any Network Interface (NI) or unit within a stack
Static Link Aggregation Groups
CLI
 Creating a Static Aggregate Group 8 (enabled by default)

-> static linkagg 8 size 4 name training admin state enable (R6)
-> linkagg static agg 8 size 4 name training admin-state enable (R7/8)
 Adding Ports to a Static Aggregate Group

-> static agg 1/1 agg num 8 (R6) -> linkagg static port 1/1* agg 8 (R7/8)
-> static agg 1/2 agg num 8 -> linkagg static port 1/2 agg 8
-> static agg 1/3 agg num 8 -> linkagg static port 1/3 agg 8
 Removing Ports from a Static Aggregate Group

-> static agg no 1/3 (R6) -> no linkagg static port 1/3* (R7/8)
*chassis/slot/port for R8
Dynamic Link Aggregation Groups
CLI
 Creating a dynamic link aggregation group 1
-> lacp linkagg 1 size 4 admin state enable (R6)
-> lacp linkagg 1 actor admin key 2

-> linkagg lacp agg 1 size 4 admin-state enable (R7/8)


-> linkagg lacp agg 1 actor admin-key 2

 Assigning ports to the dynamic link aggregation group 1


-> lacp agg 1/1 actor admin key 2 (R6) -> linkagg lacp agg 1/1* actor admin-key 2 (R7/8)
-> lacp agg 1/2 actor admin key 2 -> linkagg lacp agg 1/2 actor admin-key 2

 Static and dynamic link aggregation groups can be used for VLAN tagging
(802.1q)

-> vlan 3 802.1q 1 (R6) -> vlan 3 members linkagg 1 tagged (R7/8)

 *chassis/slot/port for R8
Monitoring
-> show linkagg
Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
------+----------+--------+-----+-------------+------------+-------------
1 Static 40000001 8 ENABLED UP 2 2
2 Dynamic 40000002 4 ENABLED DOWN 0 0
3 Dynamic 40000003 8 ENABLED DOWN 0 2
4 Static 40000005 2 DISABLED DOWN 0 0
-> show linkagg port 2/1
Dynamic Aggregable Port
SNMP Id : 2001,
Slot/Port : 2/1,
Administrative State : ENABLED,
Operational State : DOWN,
Port State : CONFIGURED,
Link State : DOWN,
Selected Agg Number : NONE,
Primary port : UNKNOWN,
LACP
Actor System Priority : 10,
Actor System Id : [00:d0:95:6a:78:3a],
Actor Admin Key : 8,
Actor Oper Key : 8,
Partner Admin System Priority : 20,
Partner Oper System Priority : 20,
Partner Admin System Id : [00:00:00:00:00:00],
Partner Oper System Id : [00:00:00:00:00:00],
Partner Admin Key : 8,
Partner Oper Key : 0,
Attached Agg Id : 0,
Actor Port : 7,
Actor Port Priority : 15,
Partner Admin Port : 0,
Partner Oper Port : 0,
Partner Admin Port Priority : 0,
Partner Oper Port Priority : 0,
Actor Admin State : act1.tim1.agg1.syn0.col0.dis0.def1.exp0,
Actor Oper State : act1.tim1.agg1.syn0.col0.dis0.def1.exp0,
Partner Admin State : act0.tim0.agg1.syn1.col1.dis1.def1.exp0,
Partner Oper State : act0.tim0.agg1.syn0.col1.dis1.def1.exp0
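
The Actor/Partner State lines above are the eight flag bits of the LACP state octet carried in every LACPDU, printed in bit order: LACP_Activity (act), LACP_Timeout (tim), Aggregation (agg), Synchronization (syn), Collecting (col), Distributing (dis), Defaulted (def) and Expired (exp). The following Python helper is an added example, not part of the course or of AOS: it converts between the printed form and the octet value (the bit order is the one defined in IEEE 802.3ad/802.1AX), and explains why a port like the one above is DOWN: its actor operational state shows def1 with syn0/col0/dis0 and the partner operational system ID is all zeros, so no LACPDU has been received and the port is still running on its administrative defaults. The function names are my own.

```python
from typing import Dict

# Flag names in LACP state-octet bit order (IEEE 802.3ad / 802.1AX, bit 0 first),
# which is also the order AOS prints them: act.tim.agg.syn.col.dis.def.exp
FLAGS = ("act", "tim", "agg", "syn", "col", "dis", "def", "exp")
NULL_SYSTEM_ID = "00:00:00:00:00:00"


def parse_state(text: str) -> Dict[str, bool]:
    """'act1.tim1.agg1.syn0.col0.dis0.def1.exp0' -> {'act': True, ...}."""
    flags = {}
    for token in text.strip().rstrip(",").split("."):
        if len(token) < 2 or token[:-1] not in FLAGS or token[-1] not in "01":
            raise ValueError(f"bad LACP state token: {token!r}")
        flags[token[:-1]] = token[-1] == "1"
    missing = set(FLAGS) - flags.keys()
    if missing:
        raise ValueError(f"missing flags: {sorted(missing)}")
    return flags


def to_octet(flags: Dict[str, bool]) -> int:
    """Pack the flags into the state octet as sent on the wire (bit 0 = act)."""
    return sum(1 << i for i, name in enumerate(FLAGS) if flags[name])


def from_octet(value: int) -> str:
    """Inverse of to_octet, rendered in the AOS print format."""
    return ".".join(f"{name}{(value >> i) & 1}" for i, name in enumerate(FLAGS))


def is_forwarding(oper_state: str) -> bool:
    """A member link carries traffic only when in sync, collecting and distributing."""
    f = parse_state(oper_state)
    return f["syn"] and f["col"] and f["dis"]


def diagnose(actor_oper: str, partner_oper_system_id: str) -> str:
    """Explain a port's LACP situation from its actor oper state and partner ID."""
    f = parse_state(actor_oper)
    if f["syn"] and f["col"] and f["dis"]:
        return "port is attached and forwarding in the aggregate"
    if f["exp"]:
        return "expired: LACPDUs from the partner stopped arriving"
    if f["def"] or partner_oper_system_id == NULL_SYSTEM_ID:
        return ("defaulted: no LACPDU received from a partner; check cabling, "
                "the admin key on both ends and that the peer runs LACP")
    if not f["syn"]:
        return "partner seen but not in sync: keys or aggregate membership differ"
    return "in sync but not yet collecting/distributing"


if __name__ == "__main__":
    actor = "act1.tim1.agg1.syn0.col0.dis0.def1.exp0"   # from the show output above
    print(hex(to_octet(parse_state(actor))), from_octet(0x7C))
    print(diagnose(actor, NULL_SYSTEM_ID))
```

A port whose actor state stays at def1 after the cable is connected is the usual sign that the far end is a static (OmniChannel) or unconfigured port rather than an LACP port.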
LOAD BALANCING CONTROL
Link Aggregation Groups - Hashing Control
 Two hashing algorithms available
 Brief Mode
 UDP/TCP ports not included
 Only Source IP and destination IP addresses are considered
-> hash-control brief
 Extended Mode
 UDP/TCP ports to be included in the hashing algorithm
 Result in more efficient load balancing
-> hash-control extended [ udp-tcp-port | no]

 Default Hashing Modes
Platform | Default Hashing Mode
9000/9000E | Extended UDP/TCP Port
6400/6850/6855/6860/6900/10K | Brief

[Diagram: in Brief Mode the source and destination addresses select the link number; in Extended Mode the UDP/TCP ports are hashed as well.]
Load balancing multicast on Link Aggregation Groups
 Multicast traffic is by default forwarded through the primary port of the Link
Aggregation Group
 Option to enable the hashing for non-unicast traffic, which will load balance
the non-unicast traffic across all ports in the Link Aggregation
 If non-ucast option is not specified, link aggregation will only load balance unicast
packets

-> hash-control {brief | extended [udp-tcp-port] | load-balance non-ucast {enable | disable}}

-> show hash-control


Hash Mode = brief,
Udp-Tcp-Port = disabled

-> show hash-control non-ucast


Non-ucast Hash Status = Disabled
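
To see what the brief and extended modes change, the following Python script is an added example, not AOS code; the hash function is a stand-in, since the switch's actual hash is not documented on this page. It builds the flow key from exactly the fields each mode uses (L2 SA/DA in bridging, L3 SA/DA in brief routing mode, plus the UDP/TCP ports in extended mode), maps it to one of N member links, and applies the non-unicast rule from the slide: multicast and broadcast frames go out the primary port unless load-balance non-ucast is enabled. Running it shows that every flow between the same two hosts shares one link in brief mode, while extended mode spreads those flows over the aggregate. The MAC and IP addresses used are constructed.

```python
import hashlib
from typing import Optional

PRIMARY_PORT = 0   # index of the aggregate's primary port in this model


def _bucket(key: bytes, nlinks: int) -> int:
    """Stand-in hash: map the key deterministically to a link index 0..nlinks-1."""
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") % nlinks


def is_non_unicast(dst_mac: str) -> bool:
    """Broadcast and multicast MACs have the group bit (LSB of the first byte) set."""
    return int(dst_mac.split(":")[0], 16) & 0x01 == 1


def select_link(dst_mac: str, src_mac: str, nlinks: int, *, mode: str = "brief",
                routed: bool = False, src_ip: Optional[str] = None,
                dst_ip: Optional[str] = None, src_port: Optional[int] = None,
                dst_port: Optional[int] = None,
                load_balance_non_ucast: bool = False) -> int:
    """Choose the aggregate member link for one frame or packet.

    mode   : 'brief' (IP SA/DA only) or 'extended' (adds UDP/TCP ports)
    routed : True for L3-forwarded traffic, False for bridged traffic
    """
    if is_non_unicast(dst_mac) and not load_balance_non_ucast:
        return PRIMARY_PORT                      # default: no hashing for non-ucast
    if not routed or src_ip is None or dst_ip is None:
        key = f"{src_mac}|{dst_mac}".encode()    # bridging: L2 SA/DA
    else:
        key = f"{src_ip}|{dst_ip}".encode()      # routing: L3 SA/DA
        if mode == "extended" and src_port is not None and dst_port is not None:
            key += f"|{src_port}|{dst_port}".encode()   # extended adds L4 ports
    return _bucket(key, nlinks)


def links_used(mode: str, nlinks: int = 4, flows: int = 64) -> int:
    """How many member links a set of flows between two hosts ends up using."""
    used = set()
    for sport in range(40000, 40000 + flows):   # constructed: one client, many sessions
        used.add(select_link("00:0b:db:a7:4d:c4", "00:e0:b1:6b:31:5a", nlinks,
                             mode=mode, routed=True, src_ip="10.1.1.10",
                             dst_ip="10.2.2.20", src_port=sport, dst_port=443))
    return len(used)


if __name__ == "__main__":
    print("brief   :", links_used("brief"), "link(s) used")
    print("extended:", links_used("extended"), "link(s) used")
```

The practical consequence is the one the slide states: a backup server talking to one storage host fills a single member link under brief mode however many sessions it opens, and only extended mode lets those sessions share the aggregate.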
Link Aggregation

Contents
1 Objective ....................................................................................... 2
2 Link Aggregation............................................................................... 2
3 EQUIPMENT/SOFTWARE REQUIRED ......................................................... 2
4 Related Commands............................................................................ 2
5 Supported Platforms .......................................................................... 2
6 Clear Configuration ........................................................................... 2
7 Lab Steps ....................................................................................... 3
7.1. Link Aggregation – Static option..................................................................... 3
7.2. Link Aggregation – Dynamic .......................................................................... 5
8 Summary ........................................................................................ 7
9 Lab Check ...................................................................................... 7
1 Objective
This lab is designed to familiarize you with link aggregation. Two OmniSwitches must be used to understand
these concepts; any combination of switches will work.
THIS MEANS YOU MAY NEED TO BE WORKING COOPERATIVELY WITH ANOTHER TEAM! PLAN ACCORDINGLY!!!

2 Link Aggregation
Link Aggregation provides the ability to combine multiple physical ports into a single logical port for added
throughput and redundancy; this can be done statically using OmniChannel or dynamically using the IEEE
802.3ad (LACP) protocol.

3 EQUIPMENT/SOFTWARE REQUIRED
Two OmniSwitches of any type (OS6900, OS6850, OS6450)
Two PCs

4 Related Commands
show linkagg, static linkagg, static agg [slot/port],
show linkagg port, lacp linkagg # size #,
lacp agg [slot/port] actor admin key #

5 Supported Platforms
All

6 Clear Configuration
Before you begin this exercise, remove boot.cfg in the Working directory on all switches and reboot so that
previous labs do not affect the outcome (or reset the pod for remote lab):
-> rm /working/boot.cfg
-> reload working no rollback-timeout (R6)
-> reload from working no rollback-timeout (R7)
7 Lab Steps

7.1. Link Aggregation – Static option


** Do not interconnect your switches yet**
Define a static link aggregate and set its size on BOTH switches, by typing:
-> static linkagg 5 size 2 (R6)
-> linkagg static agg 5 size 2 (R7)
[In this example, 5 represents the aggregate identifier and 2 is the maximum number of ports in the
aggregate.]
Check to see what you have done so far. Notice the state is DOWN.
Type:
-> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
5 Static 40000005 2 ENABLED DOWN 0 0
-> show linkagg 5 (R6)
-> show linkagg agg 5 (R7)
Static Aggregate
SNMP Id : 40000005,
Aggregate Number : 5,
SNMP Descriptor : Omnichannel Aggregate Number 5 ref 40000005 size 2,
Name : ,
Admin State : ENABLED,
Operational State : DOWN,
Aggregate Size : 2,
Aggregate Min-Size : 1,
Number of Selected Ports : 0,
Number of Reserved Ports : 0,
Number of Attached Ports : 0,
Primary Port : NONE
Add ports to your aggregate by typing static agg [slot/port] agg num # (R6) or linkagg static port
[slot/port] agg # (R7):

-> static agg 1/23 agg num 5 (R6)
-> static agg 1/24 agg num 5 (R6)
-> linkagg static port 2/1-2 agg 5 (R7)

In this example, ports 1/23 and 1/24 have been added to aggregate 5 on the 6850, and ports 2/1 and 2/2 have
been added to aggregate 5 on the 6900.
Let’s see what we have accomplished. (You might want to make note of this information to compare it to
what you see when you connect your switches and repeat these steps.)
Type:

-> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
5 Static 40000005 2 ENABLED DOWN 0 2

-> show linkagg 5 (R6)


-> show linkagg agg 5 (R7)

Static Aggregate
SNMP Id : 40000005,
Aggregate Number : 5,
SNMP Descriptor : Omnichannel Aggregate Number 5 ref 40000005 size 2,
Name : ,
Admin State : ENABLED,
Operational State : DOWN,
Aggregate Size : 2,
Aggregate Min-Size : 1,
Number of Selected Ports : 2,
Number of Reserved Ports : 2,
Number of Attached Ports : 0,
Primary Port : NONE

-> show linkagg port

Slot/Port Aggregate SNMP Id Status    Agg Oper Link Prim Standby
---------+---------+-------+----------+----+----+----+----+-------
1/23      Static    1023    SELECTED  5   DOWN DOWN NO   NO
1/24      Static    1024    SELECTED  5   DOWN DOWN NO   NO

Now, connect your switches via the linkagg 5 ports, or bring up the corresponding interfaces in the remote lab
(in the above example, 1/23 on switch1 to 1/23 on switch2 and 1/24 on switch1 to 1/24 on switch2).
Note: Ports don't necessarily have to be the same on both ends of the link.
Using the commands you learned earlier, compare the outputs:

-> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
5 Static 40000005 2 ENABLED UP 2 2

-> show linkagg 5 (R6)


-> show linkagg agg 5 (R7)
Static Aggregate
SNMP Id : 40000005,
Aggregate Number : 5,
SNMP Descriptor : Omnichannel Aggregate Number 5 ref 40000005 size 2,


Name : ,
Admin State : ENABLED,
Operational State : UP,
Aggregate Size : 2,
Aggregate Min-Size : 1,
Number of Selected Ports : 2,
Number of Reserved Ports : 2,
Number of Attached Ports : 2,
Primary Port : 1/24

-> show linkagg port


Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim Standby
---------+---------+-------+----------+----+----+----+----+-------
1/23 Static 1023 ATTACHED 5 UP UP NO NO
1/24 Static 1024 ATTACHED 5 UP UP YES NO

Test your configuration; do a ping test, i.e., ping all of your routers and PCs from the console session and from
each PC.

To demonstrate the redundancy capabilities, experiment with removing a link and monitor the results of your
ping tests.
We will now perform a similar configuration exercise using the IEEE 802.3ad standard (LACP). Before
proceeding, remove the static link aggregation group you created. You can either return your switch to
factory default or remove the group manually. Note that you cannot delete a link aggregation group if there are
ports still associated with it:

-> no static linkagg 5 (R6)
ERROR: LAERR53 Static aggregate not empty deletion failed
-> no linkagg static agg 5 (R7)
ERROR: Static aggregate not empty deletion failed

-> static agg no slot/port (R6)
-> no linkagg static port slot/port (R7)
-> no static linkagg 5 (R6)
-> no linkagg static agg 5 (R7)

Ensure the link aggregation groups are removed on both switches as described above. There is no need to
disconnect the physical connections to continue to the next lab section.

7.2. Link Aggregation – Dynamic

First, we will define a dynamic link aggregate, call it 5 as we did previously and size it at 2 ports.
Type:

-> lacp linkagg 5 size 2 actor admin key 5 (R6)
-> linkagg lacp agg 5 size 2 actor admin-key 5 (R7)

Unlike static link aggregations where we physically assigned the ports to the link aggregation number, ports
are associated to a dynamic link aggregation using the actor admin key. Although in the above example the
actor admin key matches the link agg number, this is not a requirement as the admin key has local
significance only.

-> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
5 Dynamic 40000005 2 ENABLED DOWN 0 0

Notice that no ports are associated yet. Using the actor admin key assigned to the link aggregation, associate
the ports:

-> lacp agg slot/port actor admin key 5 (R6)
-> linkagg lacp port slot/port actor admin-key 5 (R7)

-> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
5 Dynamic 40000005 2 ENABLED UP 2 2

-> show linkagg 5 (R6)
-> show linkagg agg 5 (R7)
Dynamic Aggregate
SNMP Id : 40000005,
Aggregate Number : 5,
SNMP Descriptor : Dynamic Aggregate Number 5 ref 40000005 size 2,
Name : ,
Admin State : ENABLED,
Operational State : UP,
Aggregate Size : 2,
Aggregate Min-Size : 1,
Number of Selected Ports : 2,
Number of Reserved Ports : 2,
Number of Attached Ports : 2,
Primary Port : 1/23
LACP
MACAddress : [00:d0:95:e4:2b:60],
Actor System Id : [00:00:00:00:00:00],
Actor System Priority : 0,
Actor Admin Key : 5,
Actor Oper Key : 5,
Partner System Id : [00:00:00:00:00:00],
Partner System Priority : 0,
Partner Admin Key : 0,
Partner Oper Key : 5,
Pre-emption : DISABLED,
Pre-empt Value : 30

Test your configuration; do a ping test, i.e., ping all of your routers and PCs from the console session and from
each PC.
To demonstrate the redundancy capabilities, experiment with removing a link (or bringing down interfaces) and
monitor the results of your ping tests.

8 Summary
This lab introduced you to the link aggregation feature of an OmniSwitch. Link aggregation allows you to
logically group multiple physical links into a single logical link. This logical link can be used to provide
increased throughput for a backbone connection.

9 Lab Check
- What command is used to add port 5/10 to a dynamic link aggregate 7?
.......................................................................................................................
- What command is used to check the status of a particular link aggregate?
.......................................................................................................................
- Do actor admin keys have to match on both ends of the physical link?
.......................................................................................................................
802.1Q and Link Aggregation

Contents
1 Objective
2 802.1Q and Link Aggregation
3 EQUIPMENT/SOFTWARE REQUIRED
4 Related Commands
5 Supported Platforms
6 Clear Configuration
7 Lab Steps
7.1. Additional VLAN Creation
7.2. Link Aggregation – Dynamic
7.3. Configure 802.1Q
8 Summary
9 Lab Check

1 Objective
This lab is designed to familiarize you with 802.1Q over link aggregation. Two OmniSwitches must be used to
understand these concepts; any combination of switches will work.
THIS MEANS YOU MAY NEED TO BE WORKING COOPERATIVELY WITH ANOTHER TEAM! PLAN ACCORDINGLY!!!

2 802.1Q and Link Aggregation

Link Aggregation provides the ability to combine multiple physical ports into a single logical port for added
throughput; this can be done statically using OmniChannel or dynamically using the LACP protocol. 802.1Q
provides the ability to carry multiple broadcast domains or VLANs over a single link by tagging the frames
with the VLAN ID which will be used at the remote end to classify the traffic. Putting the two together
creates an 802.1Q tagged aggregate, allowing multiple VLAN traffic over a single link aggregate.

3 EQUIPMENT/SOFTWARE REQUIRED
Two OmniSwitches of any type (OS6900, OS6850, OS6450)
Two PCs

4 Related Commands
show linkagg, static linkagg, static agg [slot/port], show linkagg port, lacp linkagg # size #,
lacp agg [slot/port] actor admin key #

5 Supported Platforms
All

6 Clear Configuration
Before you begin this exercise, remove boot.cfg in the Working directory on all switches and reboot so that
previous labs do not affect the outcome:
-> rm /working/boot.cfg
-> reload working no rollback-timeout (R6)
-> reload from working no rollback-timeout (R7)
7 Lab Steps

Identify your two switches and on each of them create a router interface for VLAN 1 with an IP address
192.168.10.X/24, where X represents the number of the switch you are on:

-> ip interface “int_1” address 192.168.10.X/24 vlan 1

Connect one PC to a VLAN 1 port on each switch. Don't forget to configure your PCs for the VLAN 1 subnet, i.e.
assign them IP addresses in subnet 192.168.10.0/24. Interconnect your switches or bring up the corresponding
interfaces.

7.1. Additional VLAN Creation

You should have connectivity to your neighbor using VLAN 1. This can be verified with the ping command
from the PCs. This is the bridged VLAN. Now, create two additional VLANs, VLAN 11 and VLAN 12, with IP
interfaces assigned to both: VLAN 11 using the 192.168.11.0/24 subnet and VLAN 12 using the
192.168.12.0/24 subnet. Type the following on each switch (replace 'X' with your switch number):

-> vlan 11-12
-> ip interface int_11 address 192.168.11.X vlan 11
-> ip interface int_12 address 192.168.12.X vlan 12

-> show ip interface

Total 5 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
dhcp-client 0.0.0.0 0.0.0.0 DOWN NO vlan 1
int_1 192.168.10.2 255.255.255.0 UP YES vlan 1
int_11 192.168.11.2 255.255.255.0 DOWN NO vlan 11
int_12 192.168.12.2 255.255.255.0 DOWN NO vlan 12

At this point you should be able to ping BOTH VLAN 1 IP interfaces from either PC, however you should NOT
be able to ping ANY of the VLAN 11 or 12 Interfaces. Why_________________?
You should not be able to ping any of the VLAN 11 or 12 interfaces as we have no members in those VLANs
yet. Change PC2's default VLAN to VLAN 11 (along with PC2's IP configuration). You should now be able to
ping the 192.168.11.2 IP interface as well as 192.168.10.2.

7.2. Link Aggregation – Dynamic

Although we can use either static or dynamic link aggregate configuration, we will use dynamic in this lab
since it is the industry standard.
First, we will define a link aggregate, call it 5 to accept up to 2 ports as we did in the Link Aggregation lab
exercise:

-> lacp linkagg 5 size 2 actor admin key 5 (R6)
-> linkagg lacp agg 5 size 2 actor admin-key 5 (R7)

Check to see what you've done by typing:

-> show linkagg
-> show linkagg 5 (R6)
-> show linkagg agg 5 (R7)

Next, add ports to the aggregate using the admin key 5 by typing:

-> lacp agg slot/port actor admin key 5 (R6)
-> linkagg lacp port slot/port actor admin-key 5 (R7)

Again, check to see what you've done by typing:

-> show linkagg port

Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim
-------------------+----------+--------+----------+----+-----+-----+----
2/1 Dynamic 2001 ATTACHED 5 UP UP YES
2/2 Dynamic 2002 ATTACHED 5 UP UP NO

Our ping tests should stay the same as before since we still do not have the additional VLANs associated with
our link aggregation ports.

7.3. Configure 802.1Q

Normally, to have Layer 2 connectivity between the two switches for all three VLANs, three physical links
would be required. However, we will configure 802.1Q tagging to carry data from all three VLANs over one
link aggregate group.
Type the following:

-> vlan 11-12 802.1q 5 (R6)
-> vlan 11-12 members linkagg 5 tagged (R7)

-> show vlan 11 port (R6)
-> show vlan 11 members (R7)

port type status
---------+---------+--------------
0/5 qtagged forwarding

-> show vlan 12 port (R6)
-> show vlan 12 members (R7)

port type status
---------+---------+--------------
0/5 qtagged forwarding

You should see that the link aggregate group is carrying tagged traffic for VLANs 11 and 12. You should
now have full connectivity from any PC to any other PC as well as to all router interfaces.
Experiment with what happens when you change your PC's IP address and move it to VLAN 11 or 12 and ping
all IP interfaces. To accomplish this on your switch, remember to move the port to which your PC is
connected into the appropriate VLAN.
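As an added example (not code from the course material), the following Python models what the tagged aggregate does with a frame: the 802.1Q tag inserted on a 'qtagged' member and the VLAN classification the far end performs from its port membership. The port names, MAC addresses and payload are constructed; the VLAN numbers are the lab's.

```python
"""802.1Q tagging over the lab's tagged link aggregate.

Added example, not part of the course material. It builds the 802.1Q tag a
switch inserts on a 'qtagged' aggregate member and classifies frames on
ingress from the port's VLAN membership, the behaviour the lab configures with
'vlan 11-12 802.1q 5' (R6) / 'vlan 11-12 members linkagg 5 tagged' (R7).
Port names, MAC addresses and the payload below are constructed.
"""
import struct
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def vid_of(frame: bytes) -> Optional[int]:
    """VLAN ID carried in the tag, or None when the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0xFFF
    return None


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) after the 12-byte dst/src MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)  # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Strip the 802.1Q tag if one is present."""
    return frame[:12] + frame[16:] if vid_of(frame) is not None else frame


class Port:
    """VLAN membership as AOS shows it: one default (untagged) VLAN plus the
    VLANs on which the port is 'qtagged'. linkagg 5 after the lab step has
    default_vlan=1 and tagged={11, 12}; a PC port has only a default VLAN."""

    def __init__(self, name: str, default_vlan: int = 1,
                 tagged: FrozenSet[int] = frozenset()):
        self.name, self.default_vlan, self.tagged = name, default_vlan, frozenset(tagged)

    def classify(self, frame: bytes) -> Optional[int]:
        """VLAN assigned on ingress; None means the frame is dropped."""
        vid = vid_of(frame)
        if vid is None:
            return self.default_vlan  # untagged frames go to the default VLAN
        return vid if vid in self.tagged else None  # tag must match a membership

    def egress(self, frame: bytes, vlan: int) -> Optional[bytes]:
        """Frame as transmitted from this port for a VLAN, or None if not a member."""
        if vlan == self.default_vlan:
            return untag_frame(frame)
        if vlan in self.tagged:
            return tag_frame(untag_frame(frame), vlan)
        return None


def forward(frame: bytes, ingress: Port, egress: Port) -> Optional[bytes]:
    """One bridging hop: classify on ingress, re-encapsulate for the egress port."""
    vlan = ingress.classify(frame)
    return None if vlan is None else egress.egress(frame, vlan)


# Constructed lab topology: a PC port moved to VLAN 11 on each switch, joined
# by linkagg 5 carrying VLAN 1 untagged and VLANs 11 and 12 tagged.
SW1_PC_PORT = Port("SW1 1/1", default_vlan=11)
SW1_AGG5 = Port("SW1 linkagg 5", default_vlan=1, tagged=frozenset({11, 12}))
SW2_AGG5 = Port("SW2 linkagg 5", default_vlan=1, tagged=frozenset({11, 12}))
SW2_PC_PORT = Port("SW2 1/1", default_vlan=11)

PC_FRAME = (bytes.fromhex("0050c2aa0002") + bytes.fromhex("0050c2aa0001")  # constructed MACs
            + struct.pack("!H", 0x0800) + b"constructed IPv4 payload")


def pc_to_pc_path(frame: bytes):
    """Return (frame as seen on linkagg 5, frame delivered to the far PC)."""
    on_agg = forward(frame, SW1_PC_PORT, SW1_AGG5)
    delivered = None if on_agg is None else forward(on_agg, SW2_AGG5, SW2_PC_PORT)
    return on_agg, delivered


if __name__ == "__main__":
    on_agg, delivered = pc_to_pc_path(PC_FRAME)
    print("VID on linkagg 5:", vid_of(on_agg), "- delivered untagged:", delivered == PC_FRAME)
    # A tag for a VLAN the aggregate is not a member of is dropped on ingress.
    print("VLAN 13 on SW2 linkagg 5 ->", SW2_AGG5.classify(tag_frame(PC_FRAME, 13)))
```

Note that an untagged frame arriving on linkagg 5 still lands in VLAN 1, the bridged VLAN, while a tag for a VLAN the aggregate is not a member of is dropped.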
8 Summary
This lab introduced you to the link aggregation feature of an OmniSwitch. Link aggregation allows you to
logically group multiple physical links into a single logical link. This logical link can be used to provide
increased throughput for a backbone connection.

9 Lab Check
- What command is used to add port 5/10 to a dynamic link aggregate group 7?
.......................................................................................................................
- What command is used to check the status of a particular link aggregate?
.......................................................................................................................
- What command is used to determine which port a VLAN is associated with?
.......................................................................................................................
- What command is used to see the state of 802.1Q?
.......................................................................................................................
- What is different about implementing 802.1Q on a link aggregate?
.......................................................................................................................
- When traffic is traversing a link aggregate configured with 802.1Q, is it bridged? Routed? Both?
.......................................................................................................................
OMNISWITCH AOS R6/R7/R8

AOS Spanning Tree Configuration

Module Objectives
 You will:
 Understand the Spanning Tree implementation on AOS based switches
 STP modes
 STP protocols
 Learn how to implement
 1x1 and FLAT mode
 Spanning Tree Protocol 802.1D/802.1w
 Per VLAN Spanning Tree (PVST+)

Figure: AOS Operating System pillars - High Availability, Extensive Manageability, Enhanced Security

STP
 Purpose
 Preventing network loops
 Having an automatic reconfiguration in case of a topology change

 Spanning Tree Operating Modes supported
 Flat mode - one spanning tree instance per switch
 1x1 (per-VLAN) mode - one spanning tree instance per VLAN

 Spanning Tree Protocols supported
 802.1D Standard Spanning Tree Algorithm and Protocol (STP)
 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP)
 802.1Q 2005 Multiple Spanning Tree Protocol (MSTP)
 Ring Rapid Spanning Tree Protocol (RRSTP)

IEEE 802.1w and mode 1x1 by default

STP - Preventing network loops

Figure: two redundant paths between switches; the active link forwards while the standby link is blocked by STP (marked X)
Spanning Tree - Parameters
 Controlling STP parameters
 Mode
 Protocol
 Bridge ID/ priority
 Path Cost
Spanning Tree - Modes
 Modes
 Flat mode - one spanning tree instance per switch
 1x1 mode - one spanning tree instance per VLAN (default)

Mode 1x1 by default

Spanning Tree - Modes
 Use these commands to select the flat or 1x1 Spanning Tree mode

-> bridge mode {flat | 1x1} (R6)
-> spantree mode {flat | per-vlan} (R7/8)

 To determine which mode the switch is operating in, use the 'show spantree
mode' command

-> show spantree mode

Spanning Tree Global Parameters
Current Running Mode : 1x1,
Current Protocol : N/A (Per VLAN),
Path Cost Mode : AUTO,
Auto Vlan Containment : N/A
Spanning Tree
Flat Mode
 One STP instance for the entire switch
 Port states are determined across VLANs
 Multiple connections between switches are considered redundant paths even if
they are configured in different VLANs
 STP parameters are configured for VLAN 1
 Fixed (untagged) and 802.1Q tagged ports are supported in each VLAN
 BPDU always untagged
 When the Spanning Tree mode is changed from 1x1 to flat, ports still retain
their VLAN associations but are now part of a single Spanning Tree instance
that spans across all VLANs

Figure: flat mode - three links between two switches, one each for vlan1, vlan2 and vlan3; the vlan2 and vlan3 links are blocked (X) as redundant paths in the single instance
Spanning Tree
1x1 Mode
 Single STP instance enabled for each VLAN configured on the switch
 Each STP instance has a spanning-tree topology independent of other
spanning-tree instances
 Provides multiple forwarding paths for data traffic
 Enables load balancing
 Maximum VLAN instances per switch:
 R6 = 252
 R7 = 128
 R8 = 100
Spanning Tree
1x1 Mode
 Enabled by default
 Port state determined on a per VLAN basis
 Fixed (untagged) ports participate in the single STP instance of their configured default VLAN
 802.1Q tagged ports participate in an 802.1Q STP instance allowing it to extend
across tagged VLANs
 If a VLAN contains both fixed and tagged ports
 A hybrid of the two Spanning Tree instances (single and 802.1Q) is applied.
 If a VLAN appears as a tag on a port, then the BPDUs for that VLAN are also tagged.
 If a VLAN appears as the configured default VLAN for the port, then BPDUs are not
tagged and the single Spanning Tree instance applies

Figure: 1x1 mode - three links between two switches, one each for vlan1, vlan2 and vlan3; none is blocked since each VLAN runs its own instance
Spanning Tree
Protocols
 Protocols
 802.1D Standard Spanning Tree Algorithm and Protocol (STP)
 802.1w Rapid Spanning Tree Algorithm and Protocol (RSTP) (default)
 802.1s Multiple Spanning Tree Protocol (MSTP)
 Ring Rapid Spanning Tree Protocol (RRSTP)

-> bridge protocol stp / rstp / mstp (R6)
-> bridge 1x1 vid protocol stp / rstp (R6)

-> spantree protocol stp / rstp / mstp (R7/8)
-> spantree vlan vid protocol stp / rstp (R7/8)
Spanning Tree Protocol
IEEE 802.1D
 Defined in IEEE 802.1d as a protocol that detects and prevents loops in a network
 Between any 2 logical LANs
 Only 1 Forwarding path
 Rest of the paths in Blocking mode
 STP provides recovery from bridge failures by changing blocked interfaces to a forwarding
state, if a primary link fails

 How it works:
 BPDUs are exchanged among the Switches/Bridges
 Root bridge selection based on
 lowest numerical bridge priority (0 to 65535)
 If same priority, use of lowest MAC address
 Port roles
 Root Port and Designated Ports
 BPDU with the lowest value (Bridge ID, Path Cost and/or Port MAC) will decide the Root Port
 Others will be designated as Designated or Disabled ports
 A logical tree will then be built with the Root Bridge at the top of the tree (an inverted
tree)
 Physical changes of the network force spanning-tree recalculation
802.1D Spanning Tree Protocol
Root election and Port states
 Root bridge decisions based on:
 Lowest Root Bridge ID
 Lowest Root Path Cost to Root Bridge
 Lowest Sender Bridge ID
 Lowest Sender Port ID

 5 port states

Figure: 802.1D port state transitions - Disabled -> Blocking -> (20 sec) Listening -> (15 sec) Learning -> (15 sec) Forwarding; Forwarding // Blocking

Operational Status | STP Port State | Active Port?
-------------------+----------------+-------------
Enabled            | Blocking       | No
Enabled            | Listening      | No
Enabled            | Learning       | Yes
Enabled            | Forwarding     | Yes
Disabled           | Disabled       | No
Spanning Tree Protocol
IEEE 802.1D

-> bridge 1x1 vid protocol stp (R6)
-> spantree vlan vid protocol stp (R7/8)

 Determine the STP protocol in use

-> show spantree

Spanning Tree Path Cost Mode : AUTO
Vlan STP Status Protocol Priority
-----+----------+--------+--------------
1 ON STP 32768 (0x8000)
3 ON RSTP 32768 (0x8000)
11 ON RSTP 32768 (0x8000)
12 ON RSTP 32768 (0x8000)
13 ON STP 32768 (0x8000)
Spanning Tree Protocol - IEEE 802.1D
 Displaying Spanning Tree parameters for a given VLAN instance
-> show spantree 1 (R6)
-> show spantree vlan 1 (R7/8)

Spanning Tree Parameters
Spanning Tree Status : ON,
Protocol : IEEE STP,
mode : FLAT (Single STP),
Auto-Vlan-Containment: Enabled ,
Priority : 32768 (0x8000),
Bridge ID : 8000-00:d0:95:fc:a2:ea,
Designated Root : 8000-00:12:cf:5e:21:70,
Cost to Root Bridge : 19,
Root Port : Slot 1 Interface 12,
Next Best Root Cost : 19,
Next Best Root Port : Slot 1 Interface 18,
TxHoldCount : 3,
Topology Changes : 5,
Topology age : 00:00:06,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2
Rapid Spanning Tree Protocol
IEEE 802.1w
 RSTP - Rapid Spanning Tree Protocol
 Defined in IEEE 802.1w as a protocol to provide for subsecond reconvergence of STP
after failure of one of the links
 Faster convergence time
 With IEEE 802.1w, instead of ports going into a Blocking mode, they are now in
standby mode
 Once the forwarding port fails (through detection at the data-link layer), the standby
port will immediately take over
 Interoperates with IEEE 802.1D
 RSTP calculates the final topology using exactly the same criteria as IEEE 802.1d
Rapid Spanning Tree Protocol
IEEE 802.1w
 Faster convergence time
 The IEEE 802.1d states disabled, blocking and listening have been merged into a
unique 802.1w discarding state
 3 port states

Figure: the 802.1D states (Disabled, Blocking, Listening, Learning, Forwarding) beside the 802.1w states; Discarding moves to Forwarding in < 1 sec; Forwarding // Discarding

Operational Status | RSTP Port State | Active Port?
-------------------+-----------------+-------------
Enabled            | Learning        | Yes
Enabled            | Forwarding      | Yes
Disabled           | Discarding      | No
Rapid Spanning Tree Protocol
802.1w
 Port Roles
 Root Port - provides the best path (lowest cost) to the root switch.

 Designated Port - Connects the LAN to the designated bridge. This bridge provides the
LAN with the shortest path to the root.

 Alternate Port - Offers an alternate path to the root bridge if the root port on its own
bridge goes down.

 Backup Port - Provides a backup connection for the designated port. It can only exist
when there are redundant designated port connections to the LAN.

 Disabled Port - Port is not operational.


Spanning Tree Protocol
IEEE 802.1w

-> bridge 1x1 vid protocol rstp (R6)
-> spantree vlan vid protocol rstp (R7/8)

 Spanning Tree parameters

-> show spantree

Spanning Tree Path Cost Mode : AUTO
Vlan STP Status Protocol Priority
-----+----------+--------+--------------
1 ON STP 32768 (0x8000)
3 ON RSTP 32768 (0x8000)
11 ON RSTP 32768 (0x8000)
12 ON RSTP 32768 (0x8000)
13 ON STP 32768 (0x8000)
Spanning Tree Protocol - IEEE 802.1w
 Spanning Tree parameters for a given VLAN instance

-> show spantree 1 (R6)
-> show spantree vlan 1 (R7/8)
Spanning Tree Parameters for Vlan 1
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : 1X1 (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-00:d0:95:fc:a2:ea,
Designated Root : 8000-00:d0:95:fc:a2:ea,
Cost to Root Bridge : 0,
Root Port : None,
Next Best Root Cost : 0,
Next Best Root Port : None,
TxHoldCount : 3,
Topology Changes : 0,
Topology age : 00:00:00,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2
Spanning Tree Protocol
IEEE 802.1w
 Spanning Tree port information

-> show spantree ports [forwarding | blocking | active | configured]

-> show spantree ports

Vlan Port Oper Status Path Cost Role
-----+-----+------------+---------+-------
1 1/12 DIS 0 DIS
1 1/18 DIS 0 DIS
11 1/2 DIS 0 DIS
12 1/8 DIS 0 DIS
13 1/14 DIS 0 DIS
14 1/20 DIS 0 DIS
100 1/6 DIS 0 DIS
151 1/1 DIS 0 DIS
152 1/7 BLK 4 BACK
153 1/13 DIS 0 DIS
154 1/19 DIS 0 DIS
171 1/3 FORW 4 DESG
172 1/9 DIS 0 DIS
STP
Bridge ID, Priority and Path Cost
 Root bridge decisions based on:
 Lowest Root Bridge ID
 Lowest Root Path Cost to Root Bridge
 Lowest Sender Bridge ID
 Lowest Sender Port ID

Port priority: 0 -> 15 (lower number = higher priority), default: 7

-> bridge instance {slot/port | logical_port} priority priority (R6)
-> spantree vlan instance {port slot/port | linkagg linkagg_id} priority priority (R7/8)

Path cost: 0 -> 65535 for 16-bit, 0 -> 200000000 for 32-bit, default: 0

-> bridge instance {slot/port | logical_port} path cost path_cost (R6)
-> spantree vlan instance {port slot/port | linkagg linkagg_id} path-cost path_cost (R7/8)
IEEE 802.1s
Default Port Path Costs
 16-bit Port Path Cost (PPC) - default on AOS switches
 32-bit Port Path Cost (PPC)

If path_cost=0, the IEEE recommended value for the link speed is used:

Link Speed | IEEE Recom. Value - 16bit | IEEE Recom. Value - 32bit
-----------+---------------------------+--------------------------
10 Mbps    | 100                       | 2,000,000
100 Mbps   | 19                        | 200,000
1 Gbps     | 4                         | 20,000
10 Gbps    | 2                         | 2,000

 Set the path cost mode to always use 16-bit when the STP/RSTP protocol is active:
-> bridge path cost mode auto (R6)
-> spantree path-cost-mode auto (R7/8)

 Set the path cost mode to always use 32-bit regardless of which protocol is active:
-> bridge path cost mode 32bit (R6)
-> spantree path-cost-mode 32bit (R7/8)
Per VLAN Spanning tree
PVST+
 Cisco-proprietary
 Enables interoperability with Cisco switches
 OmniSwitch and PVST+ support
 Standard IEEE BPDUs or PVST+ BPDUs
 Any user port can detect a PVST+ BPDU and become a PVST+ port automatically
 Once a PVST+ BPDU is received, the port will send and receive only PVST+ BPDUs for
tagged VLANs and IEEE BPDUs for default VLANs
Per VLAN Spanning tree
Configuring PVST+
 Enable PVST+ mode on an OmniSwitch (Global)

-> bridge mode 1x1 pvst+ {enable | disable} (R6)
-> spantree pvst+compatibility {enable | disable} (R7/8)

 Enable PVST+ mode on a specific port
 Ports must be configured in 1x1 mode

-> bridge port {slot/port | agg_num} pvst+ {auto | enable | disable} (R6)
-> spantree pvst+compatibility {port slot/port* | linkagg linkagg_id} {enable | disable | auto} (R7/8)
*chassis/slot/port for R8

By default, a port is configured for PVST+ auto mode on an OmniSwitch (R6)

Spanning Tree
Default values

Note: Disabled by default


Contents
1 Objective
2 Spanning Tree
3 EQUIPMENT/SOFTWARE REQUIRED
4 Related Commands
5 Supported Platforms
6 Lab Steps
7 Summary
8 Lab Check
Spanning Tree Protocol

1 Objective
This lab is designed to familiarize you with the Spanning Tree Protocol (STP) options on an OmniSwitch.
Two OmniSwitches must be used to understand these concepts; any combination of switches will work.

THIS MEANS YOU MAY NEED TO BE WORKING COOPERATIVELY WITH ANOTHER TEAM! PLAN ACCORDINGLY!!!

2 Spanning Tree
The Spanning Tree Protocols (STP) are an important concept to understand in a bridged network. We’ll
discuss the different STP configurations including single vs. multiple STP, Rapid STP, and 802.1s.

3 EQUIPMENT/SOFTWARE REQUIRED
Two OmniSwitches of any type (OS9xxx, OS6850, OS6450 or OS6250)
One PC

4 Related Commands
show spantree, show spantree <vid> port, show spantree port forward, show spantree port block, bridge
mode, bridge <vid> mode, vlan stp, bridge msti, bridge cist

5 Supported Platforms
All
6 Lab Steps

Spanning tree can be configured multiple ways depending on the network configuration. This first section will
demonstrate some common STP commands.

To ensure other labs don't impact this lab, return the switches to their factory default settings or reset the Pod:

-> rm /flash/working/boot.cfg
-> reload working no rollback-timeout

Bridge two OmniSwitches together with at least two cables. On remote-lab, activate corresponding interfaces. In
the examples below we used ports 1/23-24.

-> show spantree 1 (R6)
-> show spantree vlan 1 (R7)

Spanning Tree Parameters for Vlan 1
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : 1X1 (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-00:e0:b1:6b:31:58,
Designated Root : 8000-00:d0:95:e4:2b:48,
Cost to Root Bridge : 4,
Root Port : Slot 1 Interface 23,
Next Best Root Cost : 4,
Next Best Root Port : Slot 1 Interface 24,
TxHoldCount : 3,
Topology Changes : 2,
Topology age : 12:06:59,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

This will give you the configured STP parameters of VLAN 1. Notice the mode, it’s 1X1, meaning each VLAN runs
a separate STP. Additionally, take note of the Bridge ID and the Designated Root. If they’re the same then your
switch is the Root Bridge for VLAN 1. Is your switch the root_________? If not, where is the root
located__________?

In the screen capture above, this switch is not the root. The root in this example is a cost of 4 away on slot 1
port 23. Since we know that Gigabit Ethernet, by default, has a path cost of 4, we can deduce that the Root
Bridge is the upstream neighbor on that port. If the path cost were 8, we could deduce that the root bridge was 2
hops away (assuming default configurations) on port 1/23.

We can also deduct from the above output that our STP is relatively stable, it has been 12 hours since the last
topology change (Topology Age) and we have only had 2 Topology changes.

By default, the bridge priority is 32768 (0x8000). Since all priorities are identical by default, the switch with the
lowest MAC address is selected as the root bridge.
Type the following:

-> show spantree ports

Vlan Port Oper Status Path Cost Role Loop Guard Note
-----+------+------------+---------+-------+-----------+---------
1 1/1 DIS 0 DIS DIS
1 1/2 DIS 0 DIS DIS
1 1/3 DIS 0 DIS DIS
1 1/4 DIS 0 DIS DIS
.
.
.
1 1/20 DIS 0 DIS DIS
1 1/21 DIS 0 DIS DIS
1 1/22 DIS 0 DIS DIS
1 1/23 FORW 4 ROOT DIS
1 1/24 BLK 4 ALT DIS
1 1/25 DIS 0 DIS DIS
1 1/26 DIS 0 DIS DIS
1 1/27 DIS 0 DIS DIS

-> show spantree ports forwarding

Vlan Port Oper Status Path Cost Role Loop Guard Note
-----+------+------------+---------+-------+-----------+---------
1 1/23 FORW 4 ROOT DIS

-> show spantree ports blocking

Vlan Port Oper Status Path Cost Role Loop Guard Note
-----+------+------------+---------+-------+-----------+---------
1 1/24 BLK 4 ALT DIS

The commands above display the status and parameters of each port, as well as show which ports are forwarding
and which are blocking. If your switch is not the root bridge, you should have at least one port in blocking mode
to prevent a loop. Also, notice that only one side of the link(s) has a port in blocking. This ensures the
neighbor(s) are still able to initiate a topology change in the event of a failure. What determines which side of
the link is blocking____________________?

You should also notice that there is data going between the switches; this is the BPDU exchange between the
switches. Show the statistics counts on the forwarding ports (issue the command a few times to see the packet
count increment):

-> show interfaces 1/23

Slot/Port 1/23 :
Operational Status : up,
Last Time Link Changed : FRI DEC 14 11:09:09 ,
Number of Status Change: 1,
Type : Ethernet,
SFP/XFP : Not Present,
MAC address : 00:e0:b1:6b:31:70,
BandWidth (Megabits) : 1000, Duplex : Full,
Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 9216,
Rx :
Bytes Received : 122952, Unicast Frames : 11,
Broadcast Frames: 93, M-cast Frames : 1688,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Error Frames : 0,
CRC Error Frames: 0, Alignments Err : 0,
Tx :
Bytes Xmitted : 8900, Unicast Frames : 11,
Broadcast Frames: 2, M-cast Frames : 113,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Collided Frames: 0,
Error Frames : 0

Connect a PC to each of the switches and configure an IP Interface for VLAN 1 (replace x with your switch
number):

-> ip interface int_1 address 192.168.10.X vlan 1

From the PCs, start a continuous ping to the router interface on your neighbor's switch:

c:\ ping -t 192.168.10.1

Once your ping is successful, remove the connection that is forwarding between the two switches. Notice how
quickly Rapid STP recovers from a link failure. Review the previous commands. Has our Topology age changed?
Has the Root port changed? What will happen when we reconnect the disconnected port? (Hint: remember
that any time there is a physical change, STP will re-converge.)

1x1 Spanning Tree Mode

Using the configuration parameters already configured, create an additional VLAN and move a port into that
VLAN; this will demonstrate how 1X1 mode works on an OmniSwitch.
Type the following (on both switches), replacing slot/port with the 2nd port connecting your OmniSwitches:

-> vlan 2
-> vlan 2 port default slot/port (R6)
-> vlan 2 members port slot/port untagged (R7)
-> show spantree 2
-> show spantree 2 ports

-> show spantree ports forwarding

Vlan Port Oper Status Path Cost Role Loop Guard Note
-----+------+------------+---------+-------+-----------+---------
1 1/1 FORW 4 DESG DIS
1 1/23 FORW 4 ROOT DIS
2 1/24 FORW 4 ROOT DIS

-> show spantree ports blocking

Vlan Port Oper Status Path Cost Role Loop Guard Note
-----+------+------------+---------+-------+-----------+---------

Notice that the switch is running a separate STP for each VLAN: the bridge mode is set to 1X1, which means one
STP instance per VLAN. Even though there are two physical connections between the switches, neither
connection blocks, since each is in a different VLAN and therefore a different STP domain. With your previous
ping test still running, remove the port connection for VLAN 2 between the switches and notice that this has no
effect on the Spanning Tree for VLAN 1.

Re-connect the port connections and move to the next step of the lab.

Flat Spanning Tree Mode


The OmniSwitch can be run in Single STP, or Flat mode. Flat mode ignores any VLAN information and considers
the entire switch to be a single STP domain.
Type the following:

-> bridge mode flat (R6)


-> spantree mode flat (R7)
-> show spantree 1 (R6)
-> show spantree 2 (R6)

ERROR: Please use 'show spanntree 1' for flat spanning tree display
-> show spantree vlan 1 (R7)
Single/Multiple Spanning Tree is enforced !! (flat mode)
INACTIVE Spanning Tree Parameters for Vlan 1
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
Priority : 32768 (0x8000),
TxHoldCount : 3,
System Max Age (seconds) = 20,
System Forward Delay (seconds) = 15,
System Hello Time (seconds) = 2

-> show spantree vlan 2 (R7)


Single/Multiple Spanning Tree is enforced !! (flat mode)
INACTIVE Spanning Tree Parameters for Vlan 2
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
Priority : 32768 (0x8000),
TxHoldCount : 3,
System Max Age (seconds) = 20,
System Forward Delay (seconds) = 15,
System Hello Time (seconds) = 2

-> show spantree cist (R7)


Spanning Tree Parameters
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : FLAT (Single STP),
Auto-Vlan-Containment: Enabled ,
Priority : 32768 (0x8000),
Bridge ID : 8000-e8:e7:32:81:39:85,
Designated Root : 8000-e8:e7:32:81:39:85,
Cost to Root Bridge : 0,
Root Port : None,
Next Best Root Cost : 0,
Next Best Root Port : None,
TxHoldCount : 3,
Topology Changes : 0,
Topology age : 00:00:00,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

Notice the message telling you that a single STP is configured on the chassis. When running in flat mode the
switch only allows STP changes to VLAN 1.
Type the following:

-> show spantree ports


-> show spantree ports forwarding
-> show spantree ports blocking
Brdge Port Oper Status Path Cost Role Loop Guard Note
-----+------+------------+---------+-------+-----------+---------
1 1/24 BLK 4 ALT DIS

-> show vlan 2 port (R6)


-> show vlan 2 members (R7)
port type status
---------+---------+--------------
1/24 default blocking

Notice that the port in VLAN 2 is blocking and shows as a bridge 1 port even though it is in a separate VLAN. In
Flat STP mode only one STP is built, so even though the two ports are in different VLANs, STP sees them as a
single STP domain.

Spanning Tree Convergence – 802.1d


Fast STP allows the switch to transition to forwarding mode almost immediately in the event of an STP topology
change. In the previous section of this lab you saw the speed at which STP convergence happens when running
the default Rapid STP protocol. A major difference between the IEEE 802.1d and 802.1w STP protocols is the
speed at which convergence occurs. To demonstrate this, change the STP mode back to 1x1 and the protocol to
802.1d STP:
-> bridge mode 1x1 (R6)


-> spantree mode per-vlan (R7)
-> bridge 1 protocol stp (R6)
-> spantree vlan 1 protocol stp (R7)
-> show spantree 1 (R6)
-> show spantree vlan 1 (R7)

Spanning Tree Parameters for Vlan 1


Spanning Tree Status : ON,
Protocol : IEEE STP,
mode : 1X1 (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-00:d0:95:e4:2b:48,
Designated Root : 8000-00:d0:95:e4:2b:48,
Cost to Root Bridge : 0,
Root Port : None,
Next Best Root Cost : 0,
Next Best Root Port : None,
TxHoldCount : 3,
Topology Changes : 6,
Topology age : 00:00:06,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

-> show spantree 2 (R6)


-> show spantree vlan 2 (R7)

Spanning Tree Parameters for Vlan 2


Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : 1X1 (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-00:d0:95:e4:2b:48,
Designated Root : 8000-00:d0:95:e4:2b:48,
Cost to Root Bridge : 0,
Root Port : None,
Next Best Root Cost : 0,
Next Best Root Port : None,
TxHoldCount : 3,
Topology Changes : 5,
Topology age : 00:00:09,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

Notice that VLAN 1 runs IEEE 802.1D STP and VLAN 2 runs IEEE 802.1w Rapid STP, showing that you can "mix and
match" the protocols within a switch. Currently we do not have a loop in our network, so let's add a port for each
VLAN between the switches, so that there are two ports connecting the switches for VLAN 1 and two ports
connecting them for VLAN 2 (i.e. tag VLAN 1 on the port whose default VLAN is 2, and tag VLAN 2 on the port
whose default VLAN is 1). Notice that the pings from your PCs stopped when you added the 2nd port for VLAN 1.
Also notice the length of time it took for the port to begin forwarding again. Remember, anytime there is a
physical change the STP protocol has to reconverge the network.

Before continuing, determine which port is forwarding and which port is blocking on the non-root bridge.
Type the following:

-> show spantree ports blocking

Now, test the failover time when running in standard 802.1d STP mode:

Start a continuous ping from the PCs.


Disconnect the port that’s in forwarding mode.
Notice the time it takes for the ping to recover. It should be approximately 30 seconds while STP 802.1d
reconfigures.

Spanning Tree Convergence – 802.1w

Fast (or Rapid) Spanning Tree (802.1w) can significantly reduce the time it takes for STP to converge. Change the
protocol being used and perform the same test. Reconnect both physical links for VLAN

Type/perform the following:

-> bridge 1 protocol rstp (R6)


-> spantree vlan 1 protocol rstp (R7)
-> show spantree 1 (R6)
-> show spantree vlan 1 (R7)
Spanning Tree Parameters for Vlan 1
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : 1X1 (1 STP per Vlan),
Priority : 33000 (0x80E8),
Bridge ID : 80E8-00:d0:95:dd:fa:00,
Designated Root : 8000-00:d0:95:cc:fb:00,
Cost to Root Bridge : 4,
Root Port : Slot 1 Interface 1,
Next Best Root Cost : 19,
Next Best Root Port : Slot 2 Interface 24,
Hold Time : 1,
Topology Changes : 0,
Topology age : 00:00:00,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

Notice the protocol being used. Also notice the new information about the Next Best Root Cost and Port. Test
the convergence time as you did in the previous step:

Start a ping from both PCs.


Disconnect the Root Port connection.

Notice the short amount of time needed for the ping to recover. This is one of the benefits of the Rapid STP
Protocol.

Multiple Spanning Tree


802.1s is an IEEE standard allowing multiple STP instances to be configured on the switch. It is similar in
operation to 1X1 mode, but allows multiple VLANs to be assigned to a single STP instance. Before we start,
return your switches to factory default values so that anything you have done previously does not change the
results; if you don't remember how to do this, ask your instructor for direction.
Type the following on each of your connected switches:

-> bridge mode flat (R6)


-> spantree mode flat (R7)
-> bridge mst region name omni_region (R6)
-> spantree mst region name omni_region (R7)
-> bridge mst region revision level 1 (R6)
-> spantree mst region revision-level 1 (R7)
-> bridge protocol mstp (R6)
-> spantree protocol mstp (R7)
WARNING: Changing to MSTP(802.1s) resets flat bridge priority and path
WARNING: Changing to MSTP(802.1s) resets flat bridge priority and path

-> show spantree cist


Spanning Tree Parameters for Cist
Spanning Tree Status : ON,
Protocol : IEEE Multiple STP,
mode : FLAT (Single STP),
Priority : 32768 (0x8000),
Bridge ID : 8000-00:d0:95:dd:fa:00,
CST Designated Root : 8000-00:d0:95:cc:fb:00,
Cost to CST Root : 0,
Next CST Best Cost : 0,
Designated Root : 8000-00:d0:95:cc:fb:00,
Cost to Root Bridge : 20000,
Root Port : Slot 1 Interface 1,
Next Best Root Cost : 200000,
Next Best Root Port : Slot 2 Interface 24,
Hold Time : 1,
Topology Changes : 5,
Topology age : 00:00:53,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

The commands above set the switch to flat mode, configured a Multiple STP region name and revision level, and
finally enabled the IEEE MSTP protocol. 1X1 and MSTP cannot be configured at the same time; the switch
must be configured in flat Spanning Tree mode.
Notice the Cost to Root Bridge values in the example above. Multiple STP uses a 32-bit Path Cost value versus
the 16-bit path cost value that 802.1d/802.1w use by default.

VLAN/Physical Port Configuration


To demonstrate the 802.1s protocol, create VLANs 2 through 10 on both switches and tag them across a single
physical link.
Type/perform the following: (replace ‘X’ with the VLAN ID)
Connect the OmniSwitches with a single physical link only.
Create VLANs 2 through 10:

-> vlan 2-10


-> vlan 2-10 802.1q slot/port (R6, use the slot/port you interconnected the switches with)
-> vlan 2-10 members port slot/port tagged (R7, use the slot/port you interconnected the
switches with)
Now, check to see how 802.1s operates with just the single default STP instance, called the Common and
Internal Spanning Tree (CIST):

-> show spantree cist


Spanning Tree Parameters for Cist
Spanning Tree Status : ON,
Protocol : IEEE Multiple STP,
mode : FLAT (Single STP),
Auto-Vlan-Containment: Enabled ,
Priority : 32768 (0x8000),
Bridge ID : 8000-00:e0:b1:6b:31:58,
CST Designated Root : 8000-00:d0:95:e4:2b:48,
Cost to CST Root : 0,
Next CST Best Cost : 0,
Designated Root : 8000-00:d0:95:e4:2b:48,
Cost to Root Bridge : 20000,
Root Port : Slot 1 Interface 24,
Next Best Root Cost : 0,
Next Best Root Port : None,
TxHoldCount : 3,
Topology Changes : 1,
Topology age : 00:03:40,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

-> show spantree cist vlan-map


Spanning Tree Cist Vlan map
-----------------------------
Cist
Name : ,
VLAN list : 1-4094
-> show spantree cist ports
You should see that all VLANs belong to the CIST instance. The CIST instance is created by default, and all VLANs
on the switch are mapped to it by default.

Now, create 2 additional STP instances and map the appropriate VLANs to them. Type the following:
-> bridge msti 1 (R6)


-> spantree msti 1 (R7)
-> bridge msti 2 (R6)
-> spantree msti 2 (R7)
-> bridge msti 1 vlan 1-5 (R6)
-> spantree msti 1 vlan 1-5 (R7)
-> bridge msti 2 vlan 6-10 (R6)
-> spantree msti 2 vlan 6-10 (R7)
-> show spantree msti vlan-map
Spanning Tree Msti/Cist Vlan map
-----------------------------------
Cist
Name : ,
VLAN list : 11-4094
Msti 1
Name : ,
VLAN list : 1-5
Msti 2
Name : ,
VLAN list : 6-10
Notice that VLANs 1-10 have been removed from the CIST and associated with the Multiple Spanning Tree
Instances (MSTIs) configured above. Now, check the root bridge for the MSTIs.
Type the following: (replace slot/port with the physical switch connection)

-> show spantree mst port 1/24 (the slot/port # interconnecting the switches)
MST Role State Pth Cst Edge Boundary Op Cnx Loop Guard Note Vlans
-----+------+-----+--------+----+--------+------+----------+------+-----
0 DESG FORW 20000 NO NO PTP DIS
1 DESG FORW 20000 NO NO PTP DIS 1-5
2 DESG FORW 20000 NO NO PTP DIS 6-10

-> show spantree msti 1


-> show spantree msti 2
Notice that both MSTIs have the same root bridge. Load balancing can be achieved by changing the priority of
one of the MSTIs.
Type the following: (On the non-root bridge for MSTI 1)

-> bridge msti 1 priority 4096 (R6)


-> spantree msti 1 priority 4096 (R7)
-> show spantree msti 1
Spanning Tree Parameters for Msti 1
Spanning Tree Status : ON,
Protocol : IEEE Multiple STP,
mode : FLAT (Single STP),
Auto-Vlan-Containment: Enabled ,
Priority : 4097 (0x1001),
Bridge ID : 1001-00:e0:b1:6b:31:58,
Designated Root : 1001-00:e0:b1:6b:31:58,
Cost to Root Bridge : 0,
Root Port : None,
Next Best Root Cost : 0,
Next Best Root Port : None,
TxHoldCount : 3,
Topology Changes : 1,
Topology age : 00:04:54,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

You should see the switch take over as the root bridge for MSTI 1 and all VLANs associated with it. Also notice
the priority value. Why is it not 4096 as we configured?
Remember, in Multiple Spanning Tree the displayed bridge priority is the assigned Bridge Priority value PLUS the
MSTI instance number. In this example we configured MSTI 1 with a bridge priority of 4096, hence the bridge
priority is now 4097 (4096 + 1).
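As an added example (not from the guide), the Python helpers below reproduce the arithmetic behind the lab outputs: the Bridge ID field built from priority and MAC (and why MSTI 1 with priority 4096 shows 4097), the root election between two bridges, the 16-bit versus 32-bit path costs noted in the Multiple Spanning Tree section, and the 802.1d recovery time of 2 x Forward Delay observed in the convergence section. The values are IEEE standard defaults; nothing here talks to a switch.

```python
"""STP lab arithmetic: bridge IDs, root election, path costs, 802.1D timers.

Added example, not part of the OmniSwitch guide.  Reproduces the numbers
seen in the lab outputs: MSTI priority 4097 = 4096 + 1, path cost 4 vs
20000 for 1 Gbit/s, and the ~30 s 802.1d recovery after a direct failure.
"""
from dataclasses import dataclass

# Recommended path costs per link speed (Mbit/s):
# IEEE 802.1D-1998 16-bit values and IEEE 802.1t/802.1s 32-bit values.
PATH_COST_16BIT = {10: 100, 100: 19, 1000: 4, 10000: 2}
PATH_COST_32BIT = {10: 2_000_000, 100: 200_000, 1000: 20_000, 10000: 2_000}


def path_cost(speed_mbps: int, long_cost: bool = False) -> int:
    """Default port path cost; long_cost=True gives the MSTP 32-bit value."""
    table = PATH_COST_32BIT if long_cost else PATH_COST_16BIT
    if speed_mbps not in table:
        raise ValueError(f"no standard path cost for {speed_mbps} Mbit/s")
    return table[speed_mbps]


@dataclass(frozen=True)
class Bridge:
    priority: int      # configured bridge priority (0-65535)
    mac: str           # bridge MAC address, colon separated
    msti: int = 0      # MSTI number; 0 for CIST, 1x1 or flat RSTP

    def priority_field(self) -> int:
        """16-bit priority field as shown in 'Priority : 4097 (0x1001)'."""
        # In MSTP the low 12 bits carry the instance number, so the
        # configured priority must be a multiple of 4096 and the displayed
        # value is priority + MSTI (4096 + 1 = 4097 in the lab above).
        if self.msti and self.priority % 4096:
            raise ValueError("MSTP priority must be a multiple of 4096")
        value = self.priority + self.msti
        if not 0 <= value <= 0xFFFF:
            raise ValueError("priority field does not fit in 16 bits")
        return value

    def bridge_id(self) -> str:
        """Rendered like the AOS 'Bridge ID : 1001-00:e0:b1:6b:31:58' line."""
        return f"{self.priority_field():04X}-{self.mac.lower()}"

    def sort_key(self):
        # Lower priority field wins; ties are broken by the lower MAC.
        return (self.priority_field(), bytes.fromhex(self.mac.replace(":", "")))


def elect_root(bridges) -> Bridge:
    """The bridge with the numerically lowest Bridge ID becomes root."""
    return min(bridges, key=Bridge.sort_key)


def convergence_8021d(direct_failure: bool, max_age: int = 20,
                      forward_delay: int = 15) -> int:
    """Worst-case 802.1D recovery time in seconds with the given timers."""
    # Direct link failure: the alternate port walks listening -> learning ->
    # forwarding, i.e. 2 x Forward Delay (the ~30 s seen in the lab).
    # Indirect failure: stale root information must first age out, adding
    # Max Age on top of the two Forward Delay periods.
    if direct_failure:
        return 2 * forward_delay
    return max_age + 2 * forward_delay


if __name__ == "__main__":
    # Constructed sample using the bridge MACs from the lab outputs above.
    a = Bridge(33000, "00:d0:95:dd:fa:00")            # R6 1x1, priority 33000
    b = Bridge(32768, "00:d0:95:cc:fb:00")            # default priority
    print("bridge IDs:", a.bridge_id(), b.bridge_id())
    print("root:", elect_root([a, b]).bridge_id())
    print("MSTI 1:", Bridge(4096, "00:e0:b1:6b:31:58", msti=1).bridge_id())
    print("1G cost 16/32-bit:", path_cost(1000), path_cost(1000, True))
    print("802.1d direct failure:", convergence_8021d(True), "s")
```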

7 Summary
This lab introduced you to the STP operation of an OmniSwitch. The STP mode can be configured for
either flat or multiple STP. Multiple STP is useful in an environment with multiple VLANs to allow each
VLAN to run its own STP. Additionally, the bridge mode can be set for 802.1d or 802.1w for faster
convergence times. Also, the IEEE 802.1s protocol can be configured to allow for multiple spanning
instances.

8 Lab Check
What is the purpose of STP?
What’s the difference between Flat mode and 1X1 mode?
What is the difference between 1X1 mode and 802.1s?
When would it be appropriate to run a single spanning tree for the entire switch?
What is the default spanning tree setting on your switch? (Circle all correct answers.)
802.1d 802.1w 802.1s
1x1 flat none
OMNISWITCH AOS R6/R7/R8

Link Layer Discovery Protocol


Module Objectives

 You will:
  Learn how to set up LLDP protocol parameters
  IEEE 802.1AB – Link Layer Discovery Protocol (LLDP)

Link Layer Discovery Protocol

 IEEE 802.1AB – Link Layer Discovery Protocol (LLDP)


 Standard and extensible multi-vendor protocol and management elements to support network
topology discovery and exchange device configuration and capabilities

 Accurate physical topology and device inventory simplifies management and maintenance

 L2 discovery protocol
 Exchange information with neighboring devices to build a database of adjacent devices

Figure: each switch keeps a per-port neighbor table built from the LLDP advertisements of its neighbors ("I'm a switch", "I'm a PC", "I'm an IP-Phone", "I'm an IP-PBX"), for example:

port device info
1/1 IP-Phone xxxx
1/2 PC xxxx
1/3 Switch xxxx

and on the second switch:

port device info
2/1 IP-Phone xxxx
2/12 IP-Phone xxxx
2/13 IP-PBX xxxx
2/22 Switch xxxx
LLDP
Configuring and monitoring
 Enabling LLDP PDU flow on a port, slot, or all ports on a switch
-> lldp {slot/port | slot | chassis} lldpdu {tx | rx | tx-and-rx | disable}
LLDPDUs are sent out and received even on STP blocked ports.

 Enabling LLDP notification status
-> lldp {slot/port | slot | chassis} notification {enable | disable}

LLDP is enabled globally by default.

 Periodic LLDP PDUs
  Mandatory fields
   Chassis ID
   Port ID and description
   System name
   System description
   System capabilities
   Management address

-> show lldp 1/9 remote-system
Remote LLDP Agents on Local Slot/Port 1/9:
Chassis 00:e0:b1:99:bb:5a, Port 1009:
Remote ID = 2,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent 1/9,
System Name = vxTarget,
System Description = 6.4.3.488.R01 Development, March 24, 2011.,
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router,
Management IP Address = 1.1.1.1,
Remote port default vlan = 1,
Vlan ID = 1,
Vlan Name = VLAN 1,
Protocol vlan Id = 0 (Flags = 0),
Protocol Identity = 88cc,
Remote port MAC/PHY AutoNeg = Supported Enabled Capability 0xf000,
Mau Type = 1000BaseTFD - Four-pair Category 5 UTP full duplex mode
LLDP
Verifying Operation
 Displaying LLDP information

-> show lldp system-statistics


-> show lldp [slot|slot/port] statistics
-> show lldp local-system
-> show lldp [slot/port | slot] local-port
-> show lldp local-management-address
-> show lldp config

-> show lldp 1/9 config


----------+-------------------------------------------+---------------------+----------
| Admin | Notify | Std TLV | Mgmt | 802.1 | 802.3 | MED
Slot/Port| Status | Trap | Mask | Address | TLV | Mask | Mask
----------+----------+----------+----------+----------+----------+----------+----------
1/9 Rx + Tx Enabled 0xf0 Enabled Enabled 0x80 0xd0
Link Layer Discovery Protocol (LLDP)
LLDP-PDU
Standard: IEEE 802.1AB

Frame layout: Ethernet Header, followed by the Link Layer Discovery Protocol Protocol Data Unit (LLDP-PDU)

Ethernet header:
 Destination addr. : 01:80:c2:00:00:0e
 Source addr. : port MAC addr.
 Ethertype for LLDP : 88:cc

LLDP-PDU (M = mandatory, O = optional):
 Chassis ID TLV (M)
 Port ID TLV (M)
 Time To Live TLV (M)
 Optional TLV (O)
 Optional TLV (O)
 End Of LLDPDU TLV (M)

Basic Type Length Value (TLV) format:
 TLV header: TLV Type (7 bits), TLV information string length (9 bits)
 TLV information string: 0 – 511 octets


 LLDP PDUs
 Extensions optional fields
 802.1: Vlan name, port vlan
 802.3: MAC Phy
 MED: Power and Capability
 Inventory Management
 Network Policy
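To make the TLV layout concrete, here is an added example (not part of the OmniSwitch guide) in Python that builds one LLDP frame from constructed sample values, modelled on the show lldp outputs on this page (chassis subtype 4, port subtype 7, TTL = transmit interval x hold multiplier), and parses it back, rejecting truncated or mis-ordered TLVs the way a receiver should before updating its neighbor table.

```python
"""LLDP frame builder and parser for the TLV layout described above.

Added example, not part of the OmniSwitch guide.  Enforces the 2-byte TLV
header (7-bit type, 9-bit length) and drops frames whose TLVs are
truncated, unterminated or out of order instead of trusting them.
"""
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # 01:80:c2:00:00:0e
LLDP_ETHERTYPE = 0x88CC
TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID",
             3: "Time To Live", 4: "Port Description", 5: "System Name",
             6: "System Description", 7: "System Capabilities",
             8: "Management Address", 127: "Organizationally Specific"}
CHASSIS_SUBTYPES = {4: "MAC Address", 7: "Locally assigned"}   # subset
PORT_SUBTYPES = {3: "MAC address", 7: "Locally assigned"}      # subset


def ttl_for(tx_interval: int = 30, hold_multiplier: int = 4) -> int:
    """TTL carried in the TTL TLV: transmit interval x hold multiplier."""
    return min(tx_interval * hold_multiplier, 65535)


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Header = 7-bit type | 9-bit length (0-511), then the value bytes."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: str, port_id: str, ttl: int, sysname: str) -> bytes:
    """Chassis ID subtype 4 (MAC), Port ID subtype 7 (locally assigned)."""
    pdu = encode_tlv(1, b"\x04" + bytes.fromhex(chassis_mac.replace(":", "")))
    pdu += encode_tlv(2, b"\x07" + port_id.encode("ascii"))
    pdu += encode_tlv(3, struct.pack("!H", ttl))
    pdu += encode_tlv(5, sysname.encode("utf-8"))
    return pdu + encode_tlv(0, b"")              # End of LLDPDU terminates it


def build_frame(src_mac: str, lldpdu: bytes) -> bytes:
    src = bytes.fromhex(src_mac.replace(":", ""))
    return LLDP_MULTICAST + src + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_tlvs(pdu: bytes) -> list:
    """Return [(type, value), ...] up to End-of-LLDPDU; refuse truncated data."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(pdu):
            raise ValueError("LLDPDU ended without an End-of-LLDPDU TLV")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes past the end")
        value = pdu[offset:offset + length]
        offset += length
        if tlv_type == 0:
            if length:
                raise ValueError("End-of-LLDPDU TLV must have length 0")
            return tlvs
        if tlv_type in (1, 2) and len(value) < 2:
            raise ValueError("Chassis ID / Port ID TLV needs a subtype and an ID")
        if tlv_type == 3 and len(value) != 2:
            raise ValueError("TTL TLV must be exactly 2 bytes")
        tlvs.append((tlv_type, value))


def decode_frame(frame: bytes) -> dict:
    """Check the Ethernet header, then decode the TLVs shown by 'show lldp'."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if dst != LLDP_MULTICAST or ethertype != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame (wrong destination or Ethertype)")
    tlvs = parse_tlvs(frame[14:])
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:   # mandatory TLVs, fixed order
        raise ValueError("Chassis ID, Port ID and TTL must come first, in order")
    info = {"source_mac": src.hex(":")}
    for tlv_type, value in tlvs:
        if tlv_type == 1:
            info["chassis_subtype"] = CHASSIS_SUBTYPES.get(value[0], str(value[0]))
            info["chassis_id"] = (value[1:].hex(":") if value[0] == 4
                                  else value[1:].decode("ascii", "replace"))
        elif tlv_type == 2:
            info["port_subtype"] = PORT_SUBTYPES.get(value[0], str(value[0]))
            info["port_id"] = (value[1:].hex(":") if value[0] == 3
                               else value[1:].decode("ascii", "replace"))
        elif tlv_type == 3:
            (info["ttl"],) = struct.unpack("!H", value)
        elif tlv_type == 5:
            info["system_name"] = value.decode("utf-8", "replace")
        else:
            info.setdefault("other_tlvs", []).append(TLV_NAMES.get(tlv_type, str(tlv_type)))
    return info


def is_malformed(frame: bytes) -> bool:
    """True when the frame should be discarded rather than learned."""
    try:
        decode_frame(frame)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample with the chassis MAC, port ID and system name from
    # the 'show lldp remote-system' / 'local-system' outputs on this page.
    pdu = build_lldpdu("00:d0:95:e9:c9:2e", "2048", ttl_for(30, 4), "vxTarget")
    frame = build_frame("00:d0:95:e9:c9:2e", pdu)
    for key, val in decode_frame(frame).items():
        print(f"{key:16} = {val}")
    print("truncated frame rejected:", is_malformed(frame[:-6]))
```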
LLDP-Media Endpoint Devices (LLDP-MED)

LLDP-MED TLV categories: Capabilities, Network Policy, Location ID, Extended Power-via-MDI, Inventory

LLDP-MED

 Provides VoIP-specific extensions to base LLDP protocol


 TLVs (Type, Length, Value) for
 Device location discovery to allow creation of location databases, including the support for
Emergency Call Service
 LAN policy discovery (VLAN, Layer 2 priority, Layer 3 QoS)
 Extended and automated power management for Power over Ethernet devices
 Inventory management

Figure (IP phone receiving a network policy from the switch, Admin station attached):
1 - before: Policy: Unkn, Tagged: No, VLAN ID: 0, L2 priority: 5, DSCP: 4611
2 - after: Policy: Defin, Tagged: Yes, VLAN ID: 10, L2 priority: 7, DSCP: 46
Configuring
LLDP Network Policies
 Specifying whether or not LLDP-MED TLVs are included in transmitted LLDPDUs
-> lldp {slot/port | slot | chassis} tlv med {power | capability | network policy} {enable |
disable}

 Configuring a local Network Policy on the switch for a specific application type
-> lldp network-policy policy_id - [ policy_id2] application { voice | voice-signaling | guest-
voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | video-
signaling } vlan { untagged | priority-tag | vlan-id } [ l2-priority 802.1p_value ] [ dscp
dscp_value ]

 Associating an existing network policy to a port, slot, or chassis


-> lldp {slot/port | slot | chassis} med network-policy policy_id - [policy_id2]
LLDP-MED
Example
-> show lldp remote-system
Remote LLDP Agents on Local Slot/Port 1/14:
Chassis 80:4e:53:c6:00:00, Port 00:80:9f:8e:a4:ab:
Remote ID = 3,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 3 (MAC address),
Port Description = (null),
System Name = (null),
System Description = (null),
Capabilities Supported = Telephone,
Capabilities Enabled = Telephone,
MED Device Type = Endpoint Class III,
MED Capabilities = Capabilities | Power via MDI-PD(33),
MED Extension TLVs Present = Network Policy| Inventory,
MED Power Type = PD Device,
MED Power Source = PSE,
MED Power Priority = Low,
MED Power Value = 5.6 W,
Remote port MAC/PHY AutoNeg = Supported Enabled Capability 0xc036,
Mau Type = 1000BaseTFD - Four-pair Category 5 UTP full duplex mode

-> show lldp remote-system med inventory

Remote LLDP Agents on Local Slot/Port 1/14:

Chassis 80:4e:53:c6:00:00, Port 00:80:9f:8e:a4:ab:


Remote ID = 3,
Hardware Revision = "3GV23021JCDA060921",
Firmware Revision = "NOE 4.20.60",
Software Revision = "NOE 4.20.60",
Serial Number = "FCN00913901069",
Manufacturer Name = "Alcatel-Lucent Enterprise",
Model Name = "IP Touch 4038 EE",
Asset Id = "00:80:9f:8e:a4:ab"
Vlan Mobility
with LLDP-MED network policy
 ALU IP Phone & OmniSwitch, through the LLDP Network policy, allowing advertisement of
  Vlan id
  802.1p
  DSCP
 IP Touch LLDP-MED VLAN assignment feature activated by default

Switch configuration for port 1/10 (Voice VLAN 10):
vlan 10
vlan port mobile 1/10
vlan 10 mobile-tag enable
lldp 1/10 tlv med network-policy enable
lldp network-policy 1 application voice vlan 10 l2-priority 7 dscp 46
lldp 1/10 med network-policy 1

Figure: IP Touch phone on port 1/10 is assigned Voice VLAN 10 through the LLDP-MED network policy and reaches the Communication Server (steps 1 to 3); Admin station attached.
Link Layer Discovery Protocol (LLDP)

How to
 Configure LLDP parameters on the OmniSwitch family of products.

Contents
1 Link Layer Discovery Protocol (LLDP) ...................................................... 2
Implementation
- Two OmniSwitches are used in the following sections

1 Link Layer Discovery Protocol (LLDP)

Link Layer Discovery Protocol (LLDP) is an emerging standard that provides a solution for the configuration
issues caused by expanding networks. LLDP supports the network management software used for complete
network management. LLDP is implemented as per the IEEE 802.1AB standard.

The exchanged information, passed as LLDPDU, is in TLV (Type, Length, Value) format. The information
available to the network management software must be as new as possible; hence, remote device
information is periodically updated.

LLDP is enabled by default.

- To enable the transmission and the reception of LLDPDUs on a port, enter the following commands on
both switches:
-> interfaces 1/11 admin up
-> lldp 1/11 lldpdu tx-and-rx

- To control per-port notification of a change in a remote device associated with a port, use the
following command:
-> lldp 1/11 notification enable

The LLDPDU administrative status must be in receive state before using this command.

- To control per port management TLV to be incorporated in the LLDPDUs, use the following command.
-> lldp 1/11 tlv management port-description enable

- Verify the LLDP per port statistics by entering the following command:
-> show lldp statistics
----------+--------------------------------------+---------------------+----------
| LLDPDU | TLV | Device
Slot/Port | Tx Rx Errors Discards | Unknown Discards | Ageouts
----------+--------+----------+----------+----------+----------+----------+-------
1/11 52 0 0 0 0 0 0
- To verify the remote system information, use the following command:


-> show lldp remote-system

Remote LLDP Agents on Local Slot/Port: 1/11,


Chassis ID Subtype = 4 (MAC Address),
Chassis ID = 00:d0:95:e9:c9:2e,
Port ID Subtype = 7 (Locally assigned),
Port ID = 2048,
Port Description = (null),
System Name = (null),
System Description = (null),
Capabilities Supported = none supported,
Capabilities Enabled = none enabled,

Take note of the output displayed by this command.

- To display local system information, type the following command:


-> show lldp local-system
Local LLDP Agent System Data:
Chassis ID Subtype = 4 (MAC Address),
Chassis ID = 00:d0:95:e9:c9:2e,
System Name = vxTarget,
System Description = Alcatel-Lucent 6450 10 PORT COPPER GE 6.6.3.177.
R01 Development, February 10, 2012.,
Capabilities Supported = Bridge, Router,
Capabilities Enabled = Bridge, Router,
LLDPDU Transmit Interval = 30 seconds,
TTL Hold Multiplier = 4,
LLDPDU Transmit Delay = 2 seconds,
Reinitialization Delay = 2 seconds,
MIB Notification Interval = 5 seconds
Fast Start Count = 3,
Management Address Type = 1 (IPv4),
Management IP Address = 10.255.13.44,

- The commands below control which per-port management TLVs are incorporated in the LLDPDUs. With
them enabled, neighbouring devices receive additional information such as the system description, name,
capabilities and management IP address.
- Type the following on both switches:
-> lldp 1/11 tlv management system-name enable
-> lldp 1/11 tlv management system-description enable
-> lldp 1/11 tlv management system-capabilities enable
-> lldp 1/11 tlv management management-address enable

- To display remote system information, enter the following command on the remote switch:
-> show lldp remote-system

Remote LLDP nearest-bridge Agents on Local Port 1/11:

Chassis e8:e7:32:56:46:f8, Port 1009:


Remote ID = 1,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent 1/11,
System Name = switch14,
System Description = Alcatel-Lucent 6450 10 PORT COPPER GE POE 6.6.3.413.R01 Service
Release, August 16, 2012.,
Capabilities Supported = Bridge Router Network address,
Capabilities Enabled = Bridge Router Network address,
Management IP Address = 10.255.13.44

Compare the output of this command with the output of the same command entered before.

- To display the general LLDP configuration information for LLDP ports, type the following command:
-> show lldp config

----------+-------------------------------------------+-----------------+-------
| Admin | Notify | Std TLV | Mgmt | 802.1 | 802.3| MED
Slot/Port | Status | Trap | Mask | Address | TLV | Mask | Mask
----------+----------+----------+----------+----------+----------+------+------
1/11 Rx + Tx Disabled 0x00 Enabled Disabled 0x00 0x00
OMNISWITCH AOS R6/R7/R8

IP Interfaces
Module Objectives
 You will learn how to set up IP parameters on an AOS OmniSwitch
  IP Router Interface
  Optional parameters
  DHCP Client Interface
  Loopback0 interface
  DHCP Relay
  Multinetting

IP ROUTER INTERFACE
IP VLAN Interface
CLI
 Creating a new VLAN with a specified VLAN ID (VID)
 Name description is optional
-> vlan vid [enable | disable] [name description] (R6)
-> vlan vid admin-state {enable | disable} name description (R7/8)

 Configuring an IP interface
 Enable IP routing on a VLAN
 Without an IP interface, traffic is bridged within the VLAN or across connections to
the same VLAN on other switches
-> ip interface if_name [address ip_address] [mask subnet_mask] [admin [enable | disable]]
[vlan vid] [forward | no forward] [local-proxy-arp | no local-proxy-arp] [eth2 | snap] [primary | no
primary]

 Displays VLAN IP router interface information


-> show ip interface
IP Vlan Interface
CLI

-> ip interface if_name [address ip_address] [mask subnet_mask] [admin [enable | disable]]
[vlan vid] [forward | no forward] [local-proxy-arp | no local-proxy-arp] [eth2 | snap] [primary | no
primary]

Forward
Interface sends IP frames to other subnets (default)

no forward
Interface only receives frames from other hosts on the same subnet

Primary
Specifies the IP interface as the primary interface for the VLAN
By default, the first interface bound to a VLAN becomes the primary interface for that VLAN
IP Vlan Interface
Local-proxy-arp
-> ip interface name [address ip_address] [mask subnet_mask] [admin [enable |
disable]] [vlan vid] [forward | no forward] [local-proxy-arp | no local-proxy-arp]
[eth2 | snap] [primary | no primary]
 Allows the network administrator to configure proxy functionality on the switch
 It is enabled per VLAN
 All ARP requests received on VLAN member ports are answered with the MAC address of the VLAN’s virtual IP router port

Figure: Normal ARP, Extended proxy ARP and Local Proxy ARP between Switch A, Switch B and Switch C, with PC 1 (192.168.10.101) and PC 2 (192.168.10.102).

IP Vlan Interface
Local-proxy-arp
 Proxy ARP commands

-> ip interface name [address ip_address] [mask subnet_mask] [vlan vid]


[local-proxy-arp | no local-proxy-arp]
 When enabled, all traffic within the VLAN is routed
 ARP requests return the MAC address of the IP router interface

-> show arp


-> show mac-address-table
 Extended Proxy ARP Filtering
 Ability to block specific IP addresses in the extended proxy ARP process

-> arp filter ip_address [mask ip_mask] [vid] [sender | target] [allow | block]
-> arp filter 198.0.0.0 mask 255.0.0.0 sender block
-> show arp filter
DHCP client IP interface
 Allows OmniSwitches 6250/6450 to
 Function as DHCP client on any configured VLAN
 Get an IP address from the DHCP server
 Create IP interface for that VLAN in the switch
 Create a default static route

-> ip interface dhcp-client [vlan vid] [release | renew] [option-60 string]

• Only one DHCP client IP interface is supported
• The interface can belong to any VLAN and any VRF instance

-> show ip interface


Total 4 interfaces
Name IP Address Subnet Mask Status Forward Device
-------------------+---------------+----------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
Loopback0 1.1.1.1 255.255.255.255 UP YES Loopback0
dhcp-client 0.0.0.0 0.0.0.0 UP YES vlan 12
vlan1000 172.25.167.212 255.255.255.224 DOWN NO vlan 1000
DHCP client IP interface
-> ip interface dhcp-client vlan 12 ifindex 1

-> show ip interface dhcp-client


Interface Name = dhcp-client
SNMP Interface Index = 13600001,
IP Address = 172.16.12.11,
Subnet Mask = 255.255.255.0,
Broadcast Address = 172.16.12.255,
Device = vlan 12,
Encapsulation = eth2,
Forwarding = enabled,
Administrative State = enabled,
Operational State = up,
Router MAC = 00:e0:b1:80:00:f0,
Local Proxy ARP = disabled,
Maximum Transfer Unit = 1500,
Primary (config/actual) = yes/yes
DHCP-CLIENT Parameter Details
Client Status = Active,
Server IP = 172.16.12.102,
Router Address = 172.16.12.1,
Lease Time Remaining = 0 days 5 hour 58 min 14 sec,
Option-60 = OmniSwitch-OS6850,
HostName = vxTarget

-> show ip route


+ = Equal cost multipath routes
* = BFD Enabled static route
Total 15 routes
Dest Address Subnet Mask Gateway Addr Age Protocol
------------------+-----------------+----------------+----------+-----------
0.0.0.0 0.0.0.0 172.16.12.1 00:00:10 NETMGMT
2.2.2.2 255.255.255.255 2.2.2.2 03:54:09 LOCAL
127.0.0.1 255.255.255.255 127.0.0.1 03:55:13 LOCAL
172.16.12.0 255.255.255.0 172.16.12.11 00:00:10 LOCAL
Loopback0 Interface
 Identifies a consistent address for network management purposes
 Not bound to any VLAN
 Always remains operationally active

 To identify a Loopback0 interface, enter Loopback0 for the interface name

-> ip interface Loopback0 address 100.10.1.1


 Automatically advertised by RIP and OSPF protocols when the interface is created
(not by BGP)

 Uses
  RP (Rendezvous Point) in PIM-SM
  sFlow Agent IP address
  Source IP of RADIUS authentication
  NTP Client
  BGP peering
  OSPF router-id
  Switch and Traps Identification from an NMS station (e.g. OmniVista)
IP choosable Interface/Loopback0 for applications
 Applications can choose the source interface IP:
  any IP interface or the Loopback0 interface
  in the particular VRF, based on an application-specific command

ip managed-interface {Loopback0 | interface-name} application [ldap-server] [tacacs]


[radius] [snmp] [sflow] [ntp] [syslog] [dns] [dhcp-server] [telnet] [ftp] [ssh] [tftp] [all]

-> show ip managed-interface


Legend: "-" denotes no explicit configuration
Application Interface-Name
-----------------+------------------------------
tacacs -
sflow -
ntp Loopback0
syslog -
dns -
telnet -
ssh -
tftp -
ldap-server -
radius Loopback0
snmp Loopback0
ftp -
Default IP interface - Mode of operation

Application | Default setting for the Source IP Address | VRF support
------------+-------------------------------------------+------------------------------------------
AAA authentication servers
LDAP | Loopback0 if configured, otherwise outgoing interface | NO - Server can only be set in the default VRF
TACACS+ | Outgoing interface |
RADIUS | Loopback0 if configured, otherwise outgoing interface | YES - Can be configured with any VRF-ID (configuration only available in default VRF)
Switch management applications
SNMP (includes traps) | Loopback0 if configured, otherwise outgoing interface |
SFLOW | Loopback0 if configured, outgoing IP otherwise |
NTP | Loopback0 if configured, otherwise outgoing interface | NO - Servers/stations can only be set in the default VRF
SYSLOG | Outgoing interface |
DNS | Outgoing interface |
DHCP server | Outgoing interface |
Switch access and utilities (the ping and traceroute commands can specify a source address as an optional parameter)
Telnet | Outgoing interface | YES - Can be initiated in any VRF
FTP | Outgoing interface | NO - Can only be initiated in default VRF
SSH (includes scp, sftp) | Outgoing interface | YES - Can be initiated in any VRF
TFTP | Outgoing interface | NO - Can only be initiated in default VRF

DHCP Relay
- Ability to forward DHCP/BootP packets between VLANs
- Support for global or per-VLAN configuration
- Multiple DHCP servers
- Global DHCP relay:
-> ip helper address <Server Addr>
- Per-VLAN DHCP relay:
-> ip helper address <Server Addr> vlan <id>
- Multiple DHCP servers per VLAN:
-> ip helper address <address1> <address2> vlan <id>

[Diagram: DHCP server, DHCP relay switch and DHCP clients on the LAN; addresses 120.1.1.1 (VLAN 2) and 130.1.1.1 (VLAN 3)]
Generic UDP Port Relay
- Relay for generic UDP service ports, i.e. NBNS/NBDD, other well-known UDP service ports, and service ports that are not well-known
- Supports service names and custom ports
  - DNS (53), TACACS+ (65), TFTP (69), NTP (123), NBNS (137), NBDD (138)
  - Custom port (1-65535)
-> ip udp relay [port*] DNS
  enables relay on the DNS well-known service port
-> ip udp relay [port*] 3456
  enables relay on a user-defined (not well-known) UDP service port
-> ip udp relay [port*] dns vlan 4
  assigns VLAN 4 as a forwarding VLAN for the DNS well-known service port
- Up to 32 different relays can be defined

*R7/8
Multinetting
- Ability to have multiple IP subnets assigned to the same VLAN
  - Maximum of 8 subnets per VLAN (R6)
  - Maximum of 16 subnets per VLAN (R7/8)
- Ability to route between multi-netted interfaces
- Dynamic routing protocols supported on multi-netted interfaces
- VRRP supported
- ACLs supported
- UDP/DHCP relay supported
- Broadcast traffic from one subnet will be seen by users in different subnets

Use cases:
- Subnet renumbering during transition
- More hosts in a broadcast domain than addressing allows
- Multi-homed server on a single switch port

[Diagram: VLAN 10 carrying the IP subnets 192.168.10.0/24 (interface "Sales", 192.168.10.1) and 192.168.11.0/24 (interface "marketing", 192.168.11.1)]
Broadcast traffic in the 192.168.10.0 network will be seen by users in the 192.168.11.0 network
Multinetting

Contents
1 Objective ....................................................................................... 2
2 Multinetting .................................................................................... 2
3 Equipment Required .......................................................................... 2
4 Related Commands............................................................................ 2
5 Supported Platforms .......................................................................... 2
6 Lab Steps ....................................................................................... 3
6.1. VLAN Configuration .................................................................................... 3
6.2. Routing................................................................................................... 4
7 Summary ........................................................................................ 5
8 Lab Check ...................................................................................... 5

1 Objective
This lab will introduce the Multinetting feature on an OmniSwitch. Multinetting allows for the creation of
multiple IP router interfaces on a single VLAN. Three OmniSwitches must be used to understand these
concepts; any combination of switches will work.
THIS MEANS YOU MAY NEED TO BE WORKING COOPERATIVELY WITH ANOTHER
TEAM! PLAN ACCORDINGLY!!!

2 Multinetting
In this lab you’ll use the CLI to create multiple IP interfaces for a VLAN. Additionally, routing using RIP will be
enabled.
This lab, as with other Layer 3 labs, assumes a basic knowledge of the OmniSwitch products. Specific
commands for creating VLANs, associating ports with VLANs and creating Virtual IP interfaces may not be
listed. Refer to previous labs or the CLI Quick Reference Guide if necessary.

3 Equipment Required
Three OmniSwitches (OS6900, OS685x, OS6450 or OS6250)
Three PCs

4 Related Commands
ip interface <name> address <ip_address> vlan <vid>

5 Supported Platforms
All

6 Lab Steps

6.1. VLAN Configuration


Multinetting allows multiple IP interfaces to be created for a single VLAN. First, reset the switches and assign
multiple IP interfaces to VLAN 1.
On each switch configure the following (replace 'X' with your switch number):
ALL-> ip interface int_1 address 192.168.10.X vlan 1
ALL-> ip interface int_1_1 address 192.168.1X.X vlan 1

Connect your switches as shown in the diagram.


From your switch, ping all routing instances in the 192.168.10.0/24 network on all switches.
Give your PC an address of 192.168.10.10X and a gateway of 192.168.10.X.
Check connectivity by pinging the IP interfaces in the 192.168.10.0/24 network.
You should have connectivity to all IP interfaces in the 192.168.10.0 network on all switches. You should not
be able to communicate via the 192.168.1X.0/24 network yet.
Even though both IP subnets are in the same VLAN, you still need to route to communicate with the other IP
interfaces.

6.2. Routing
In order to advertise the other networks, enable RIP on the 192.168.10.X interface and create a route map to
distribute the routes (remember to replace 'X' with your switch number):
6900 -> ip load rip
6900 -> ip rip admin-state enable
6900 -> ip rip interface int_1
6900 -> ip rip interface int_1 admin-state enable
6900 -> ip route-map switchXrip sequence-number 10 action permit
6900 -> ip redist local into rip route-map switchXrip admin-state enable
6850E&6450 -> ip load rip
6850E&6450 -> ip rip status enable
6850E&6450 -> ip rip interface int_1
6850E&6450 -> ip rip interface int_1 status enable
6850E&6450 -> ip route-map switchXrip sequence-number 10 action permit
6850E&6450 -> ip redist local into rip route-map switchXrip status enable
ALL -> show ip rip peer
Total Bad Bad Secs since
IP Address Recvd Packets Routes Version last update
----------------+------+-------+------+-------+-----------
192.168.10.3 14 0 0 2 4
192.168.10.5 10 0 0 2 3
ALL -> show ip rip interface
Interface Intf Admin IP Intf Updates
Name vlan status status sent/recv(bad)
---------------------+------+-----------+-----------+---------------
int_1 1 enabled enabled 17/26(0)
ALL -> show ip route (R6)
ALL -> show ip routes (R7)
+ = Equal cost multipath routes
Total 5 routes
Dest Address Gateway Addr Age Protocol
------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 00:17:12 LOCAL
192.168.10.0/24 192.168.10.1 00:10:55 LOCAL
192.168.11.0/24 192.168.11.1 00:10:37 LOCAL
192.168.13.0/24 192.168.10.3 00:05:59 RIP
192.168.15.0/24 192.168.10.5 00:04:42 RIP
ALL -> show ip rip routes
Legends: State: A = Active, H = Holddown, G = Garbage
Destination Gateway State Metric Proto
-----------------+-----------------+----+------+------
192.168.10.0/24 +192.168.10.1 A 1 Redist
192.168.11.0/24 +192.168.11.1 A 1 Redist
192.168.13.0/24 +192.168.10.3 A 2 Rip
192.168.15.0/24 +192.168.10.5 A 2 Rip
ALL -> show ip router database
Legend: + indicates routes in-use
b indicates BFD-enabled static route
r indicates recursive static route, with following address in brackets
Total IPRM IPv4 routes: 5
Destination Gateway Interface Protocol Metric Tag Misc-Info
---------------------+---------------+------------+--------+-------+----------+-----------------
+ 127.0.0.1/32 127.0.0.1 Loopback LOCAL 1 0
+ 192.168.10.0/24 192.168.10.1 int_1 LOCAL 1 0
+ 192.168.11.0/24 192.168.11.1 int_1_1 LOCAL 1 0
+ 192.168.13.0/24 192.168.10.3 int_1 RIP 2 0
+ 192.168.15.0/24 192.168.10.5 int_1 RIP 2 0
Inactive Static Routes
Destination Gateway Metric Tag Misc-Info
--------------------+-----------------+------+----------+-----------------

Now that RIP has been enabled and the proper filter configured, you should begin to see your neighbor’s
routes appear. From your PC, ping the additional IP interfaces. You should be able to communicate, routing
between the different IP subnets even though they’re in the same VLAN.
Modify your PCs address to 192.168.1X.10X and a gateway of 192.168.1X.X.
Ping to check connectivity.

You should still have connectivity since your PC is associated with VLAN 1 and both IP interfaces are assigned
to VLAN 1.

7 Summary
This lab introduced you to Multinetting on an OmniSwitch. Multinetting allows for multiple IP interfaces to
be associated to a single VLAN. However, traffic still needs to be routed from one IP subnet to another.

8 Lab Check
- Is broadcast traffic sent on the 192.168.10.0 network seen on the 192.168.1#.0 network?
- Since both IP interfaces were associated with VLAN 1, why did RIP have to be enabled?
- What does multinetting do to the concept that a VLAN is a broadcast domain?
OMNISWITCH AOS R6/R7/R8

IP Routing
Module Objectives
- You will learn about the alternative solutions available on the AOS OmniSwitch to implement basic IP routing
  - Static routing and associated options
  - Benefits of using RIP in an OmniSwitch network
  - Basic configuration
  - Monitoring

[Figure: AOS Operating System pillars - High Availability, Extensive Manageability, Enhanced Security]
STATIC AND DYNAMIC ROUTING BASICS
Static Versus Dynamic Routing
- Static routes
  - Entered manually by the network administrator
  - Any time the network topology changes, the administrator must update the routes
  - Static routes always have priority over dynamic routes
  - Suitable for environments where network traffic is relatively predictable and the network design is relatively simple
- Dynamic routing protocols
  - Allow the network to update routes quickly and automatically without the administrator having to configure new routes
  - Routing protocols describe:
    - how to send updates
    - what information is in the updates
    - when to send updates
    - how to locate the recipients of the updates
STATIC ROUTING
Static Routes
- Gateway or next-hop address is mapped to a particular interface on the switch
- Associated interface needs to be UP and running
- By default, static routes have preference over dynamic routes
- Priority can be set by assigning a metric value

-> ip static-route <destination>/<maskBits> gateway <host> [metric <value>]

Configuring static routes

-> ip static-route 134.1.21.0/24 gateway 10.1.1.1
Specifies a static route to the destination IP address 134.1.21.0

-> ip static-route 0.0.0.0/0 gateway 10.1.1.1
Specifies a default route

Configuring a backup default route

-> ip static-route 0.0.0.0/0 gateway 1.1.1.1 metric 1
-> ip static-route 0.0.0.0/0 gateway 2.2.2.2 metric 2

-> show ip router database
Total IPRM IPv4 routes: 4
Destination Gateway Interface Protocol Metric Tag
---------------+---------------+------------+--------+-------+----------
0.0.0.0/0 1.1.1.1 vlan11 STATIC 1 0
0.0.0.0/0 2.2.2.2 vlan12 STATIC 2 0
----------------
-> show ip route
Total 4 routes
Dest Address Subnet Mask Gateway Addr Age Protocol
------------------+-----------------+-----------------+---------+-----------
0.0.0.0 0.0.0.0 1.1.1.1 00:00:33 NETMGMT
----------------
Recursive Static Route
- Allows you to assign static routes whose next hop is the same as that of a route learned through a routing protocol
- Recursive static routes:
  - Next-hop (or gateway) address no longer has to be tied to a particular interface
  - Capability to tie the destination route to the best route used to reach a particular host
  - That route may be an interface or a dynamically learned route (i.e. BGP, OSPF, RIP, etc.)
  - It may change over time

-> ip static-route <destination>/<maskBits> follows <host> [metric <value>]

Recursive Static Route - CLI
-> ip static-route 172.30.0.0/16 follows 2.2.2.2 metric 1

-> show ip router database
Legend: + indicates routes in-use
* indicates BFD-enabled static route
r indicates recursive static route, with following address in brackets
Total IPRM IPv4 routes: 4
Destination Gateway Interface Protocol Metric Tag Misc-Info
-------------------+------------------+-----------+---------+--------+-------+-----------------
+ 2.2.2.2/32 192.168.100.253 vlan100 RIP 2 0
+ 10.1.20.0/24 10.1.20.1 vlan20 LOCAL 1 0
+r 172.30.0.0/16 192.168.100.253 vlan100 STATIC 1 0 [2.2.2.2]
+ 192.168.100.0/24 192.168.100.1 vlan100 LOCAL 1 0

Inactive Static Routes
Destination Gateway Metric
--------------------+-----------------+---------
r 172.20.0.0/16 3.3.3.3 1

Corresponding show ip route output:
+ = Equal cost multipath routes
* = BFD Enabled static route
Total 5 routes
Dest Address Subnet Mask Gateway Addr Age Protocol
----------------+------------------+------------------+---------+-----------
2.2.2.2 255.255.255.255 192.168.100.253 16:52:44 RIP
10.1.20.0 255.255.255.0 10.1.20.1 00:09:27 LOCAL
127.0.0.1 255.255.255.255 127.0.0.1 17:55:33 LOCAL
172.30.0.0 255.255.0.0 192.168.100.253 00:08:06 NETMGMT
192.168.100.0 255.255.255.0 192.168.100.1 17:54:09 LOCAL

When the route to 2.2.2.2 later moves to 10.1.20.2 on vlan20, the recursive static route follows it:
2.2.2.2 255.255.255.255 10.1.20.2 00:07:28 RIP
+r 172.30.0.0/16 10.1.20.2 vlan20 STATIC 1 0 [2.2.2.2]
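The route-selection rules in the static-route and recursive-static-route slides above, as an added Python model (not OmniSwitch code): a static route is usable only while its gateway sits on a connected subnet, routes to the same destination are ranked by metric (the backup default route), and a route configured with "follows <host>" borrows the gateway of whichever route currently reaches that host. The addresses reuse the slides' sample values; the table layout and method names are this example's own.

```python
"""Added example, not OmniSwitch code: a toy IPv4 forwarding table modelling
the AOS static-route behaviour described in the slides.  All addresses are the
slides' constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Route:
    dest: IPv4Network
    gateway: Optional[IPv4Address]          # interface address for LOCAL routes
    protocol: str                           # LOCAL, STATIC, RIP, ...
    metric: int = 1
    follows: Optional[IPv4Address] = None   # set only for recursive static routes


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def remove(self, route: Route) -> None:
        self.routes.remove(route)

    def connected(self, addr: IPv4Address) -> bool:
        """True if addr lies in a directly attached (LOCAL) subnet."""
        return any(r.protocol == "LOCAL" and addr in r.dest for r in self.routes)

    def resolve_gateway(self, route: Route, depth: int = 0) -> Optional[IPv4Address]:
        """Effective next hop, or None when the route is inactive.  A recursive
        route resolves through the best active route to its host; an ordinary
        static route needs its gateway on a connected subnet."""
        if depth > 8:                       # guard against routes following each other
            return None
        if route.follows is not None:
            best = self.lookup(route.follows, exclude=route, depth=depth + 1)
            if best is None:
                return None
            return route.follows if best.protocol == "LOCAL" else best.gateway
        if route.gateway is None:
            return None
        if route.protocol == "STATIC" and not self.connected(route.gateway):
            return None
        return route.gateway

    def lookup(self, addr, exclude: Optional[Route] = None, depth: int = 0) -> Optional[Route]:
        """Longest prefix match, then lowest metric, over active routes only."""
        addr = ip_address(addr)
        active = [r for r in self.routes
                  if r is not exclude and addr in r.dest
                  and self.resolve_gateway(r, depth) is not None]
        if not active:
            return None
        return min(active, key=lambda r: (-r.dest.prefixlen, r.metric))

    def next_hop(self, addr) -> Optional[str]:
        route = self.lookup(addr)
        gw = self.resolve_gateway(route) if route else None
        return str(gw) if gw is not None else None


def backup_default_demo():
    """Two default routes, metrics 1 and 2: the metric-1 route is used while
    vlan11 is up; the metric-2 route takes over when vlan11's subnet is gone."""
    rt = RoutingTable()
    vlan11 = Route(ip_network("1.1.1.0/24"), ip_address("1.1.1.254"), "LOCAL")
    rt.add(vlan11)
    rt.add(Route(ip_network("2.2.2.0/24"), ip_address("2.2.2.254"), "LOCAL"))
    rt.add(Route(ip_network("0.0.0.0/0"), ip_address("1.1.1.1"), "STATIC", metric=1))
    rt.add(Route(ip_network("0.0.0.0/0"), ip_address("2.2.2.2"), "STATIC", metric=2))
    before = rt.next_hop("8.8.8.8")
    rt.remove(vlan11)                       # interface vlan11 goes down
    after = rt.next_hop("8.8.8.8")
    return before, after                    # ("1.1.1.1", "2.2.2.2")


def recursive_demo():
    """172.30.0.0/16 follows 2.2.2.2: it inherits the gateway of the RIP route to
    2.2.2.2 and moves with it; a route following an unknown host stays inactive."""
    rt = RoutingTable()
    rt.add(Route(ip_network("192.168.100.0/24"), ip_address("192.168.100.1"), "LOCAL"))
    rt.add(Route(ip_network("10.1.20.0/24"), ip_address("10.1.20.1"), "LOCAL"))
    via_vlan100 = Route(ip_network("2.2.2.2/32"), ip_address("192.168.100.253"), "RIP", metric=2)
    rt.add(via_vlan100)
    rt.add(Route(ip_network("172.30.0.0/16"), None, "STATIC", metric=1, follows=ip_address("2.2.2.2")))
    rt.add(Route(ip_network("172.20.0.0/16"), None, "STATIC", metric=1, follows=ip_address("3.3.3.3")))
    first = rt.next_hop("172.30.5.5")
    rt.remove(via_vlan100)                  # RIP now learns 2.2.2.2 via vlan20 instead
    rt.add(Route(ip_network("2.2.2.2/32"), ip_address("10.1.20.2"), "RIP", metric=2))
    second = rt.next_hop("172.30.5.5")
    inactive = rt.next_hop("172.20.1.1")
    return first, second, inactive          # ("192.168.100.253", "10.1.20.2", None)


if __name__ == "__main__":
    print(backup_default_demo())
    print(recursive_demo())
```

The inactive 172.20.0.0/16 entry corresponds to the "Inactive Static Routes" section of show ip router database: a recursive route whose host has no route is kept in the database but not installed.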
RIP
IP Routing - AOS Specifications
- Supported RFCs
  - RFC 1058: RIP v1
  - RFC 1722/1723/2453/1724: RIPv2 & MIB
  - RFC 1812/2644: IPv4 Router Requirements
  - RFC 2080: RIPng
- Support for ECMP routes
  - 4 (OmniSwitch 6250, 6400, 6855)
  - 16 (OmniSwitch 6850, 9000, 9000E)
RIP - Version 1 & 2 Basics
- RIP - Routing Information Protocol
- Supports IPv4
- Distance vector protocol
  - Uses hop count to determine the best path
  - A hop count of 16 is considered unreachable (prevents loops)
- Generates updates every 30 seconds
  - Updates contain the router's entire routing table
- Routes time out after 180 seconds
- Uses UDP port 520
- Maximum packet size is 512 bytes
  - 20 route updates
- Minimal amount of information to route through a network
- Two versions available
  - RIP I (RFC 1058)
    - Single mask on all subnets of a network
    - Updates sent via broadcasts
  - RIP II (RFC 1723)
    - Carries additional subnet mask information
    - Carries next-hop routing information
    - Updates sent as multicasts (224.0.0.9)
    - Supports authentication
RIP Limitations
- Maximum network diameter = 15
- Regular updates include the entire routing table approximately every 30 seconds
  - Poor convergence
- Poison reverse increases the size of routing updates
  - Valid and poisoned routes are included in the updates
- Metrics only involve hop count
  - Other factors such as link bandwidth are not considered
- RIPv1
  - Updates are sent via broadcast
  - No prefix length is carried in the updates (classful routing)
  - No authentication mechanism
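The distance-vector mechanics in the two RIP slides above (hop-count metric, 16 meaning unreachable, periodic full-table updates, poison reverse) as an added Python simulation, not OmniSwitch code: three routers in a chain exchange full tables each round, and the function counts how many rounds a withdrawn network needs before every router marks it unreachable. The topology, router names and prefix are constructed for the example.

```python
"""Added example, not OmniSwitch code: a three-router distance-vector
simulation of RIP convergence, with and without poison reverse."""
from typing import Dict, Optional, Tuple

INFINITY = 16                       # RIP metric that means unreachable
NET = "10.9.0.0/24"                 # constructed network attached to router A
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}   # chain A - B - C

Table = Dict[str, Tuple[int, Optional[str]]]   # dest -> (metric, next hop)


def advertisement(table: Table, to_neighbor: str, poison_reverse: bool) -> Dict[str, int]:
    """Full-table update sent to one neighbour.  With poison reverse a route
    learned from that neighbour is sent back as unreachable instead of as-is."""
    return {dest: (INFINITY if poison_reverse and nh == to_neighbor else metric)
            for dest, (metric, nh) in table.items()}


def run_round(tables: Dict[str, Table], poison_reverse: bool) -> bool:
    """One synchronous update round.  Returns True when any table changed."""
    advs = {(src, dst): advertisement(tables[src], dst, poison_reverse)
            for src, dsts in NEIGHBORS.items() for dst in dsts}
    changed = False
    for router, neighbors in NEIGHBORS.items():
        for neighbor in neighbors:
            for dest, metric in advs[(neighbor, router)].items():
                new = min(metric + 1, INFINITY)      # one more hop, capped at 16
                cur = tables[router].get(dest)
                if cur is None:
                    accept = new < INFINITY          # never install an unreachable route
                elif cur[1] == neighbor:
                    accept = cur[0] != new           # the current next hop's word always wins
                else:
                    accept = new < cur[0]            # anyone else must be strictly better
                if accept:
                    tables[router][dest] = (new, neighbor)
                    changed = True
    return changed


def rounds_to_withdraw(poison_reverse: bool, max_rounds: int = 64) -> Optional[int]:
    """Update rounds until every router sees NET as unreachable after A loses it.
    Without poison reverse B and C keep re-learning NET from each other and the
    metric counts up one hop at a time until it hits 16 (count to infinity)."""
    tables: Dict[str, Table] = {"A": {NET: (1, None)}, "B": {}, "C": {}}
    for _ in range(16):                                  # initial convergence
        if not run_round(tables, poison_reverse):
            break
    tables["A"][NET] = (INFINITY, None)                  # A's link to NET fails
    for n in range(1, max_rounds + 1):
        run_round(tables, poison_reverse)
        if all(t.get(NET, (INFINITY, None))[0] == INFINITY for t in tables.values()):
            return n
    return None


if __name__ == "__main__":
    print("with poison reverse:", rounds_to_withdraw(True), "rounds")
    print("without poison reverse:", rounds_to_withdraw(False), "rounds")
```

At 30 seconds per round the difference is the "poor convergence" bullet in practice: a stale route to a withdrawn prefix keeps attracting traffic for several minutes unless poisoned routes are advertised, which is the size cost the limitations slide mentions.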
RIP - CLI Commands
- Minimum configuration

-> ip load rip
-> ip rip interface if_name status* enable
-> ip rip status* enable

-> ip route-map rip_1 sequence-number 50 action permit
-> ip route-map rip_1 sequence-number 50 match ip-address 0.0.0.0/0
-> ip redist local into rip route-map rip_1 status* enable
-> ip redist static into rip route-map rip_1 status* enable

Need for redistribution: only learned RIP routes and the Loopback0 interface are advertised by default. Local routes must be redistributed.

*admin-state for R7/8
RIP - Redistributing Routing Information
- Routes learned via different protocols must be redistributed
  - Local/Static/OSPF -> RIP
- Metrics can be modified upon redistribution

-> ip route-map .....
-> ip redist {local | static | ospf | isis | bgp} into rip route-map route-mapname

- Routes can be aggregated
- Routes can be denied
RIP - CLI Commands

-> ip rip interface int_name send-version [v2 / v1 / v1compatible / none]
-> ip rip interface int_name recv-version [v1 / v2 / both / none]
-> ip rip interface int_name metric #
-> ip rip interface int_name auth-type [none / simple / MD5]
-> ip rip update-interval seconds

-> show ip rip
-> show ip rip peer
-> show ip rip interface
-> show ip rip interface int_name
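What the auth-type and send-version choices above put on the wire, as an added Python example (not OmniSwitch code): it builds and decodes RIPv2 response packets in the RFC 2453 layout and shows that the "simple" authentication type is a 16-byte cleartext password carried in the first entry of every update, visible to any host that can receive the 224.0.0.9 multicast on that VLAN, whereas MD5 (RFC 2082) carries only a keyed digest. The routes, the password and the audit wording are constructed for the example.

```python
"""Added example, not OmniSwitch code: RIPv2 packet builder/decoder used to
inspect the authentication entry of an update.  Sample values are constructed."""
import struct
from ipaddress import IPv4Address

INFINITY = 16            # metric 16 = unreachable / withdrawn
AFI_INET = 2
AFI_AUTH = 0xFFFF        # address family that marks an authentication entry
AUTH_SIMPLE = 2          # cleartext password
AUTH_MD5 = 3             # keyed MD5 digest; the key itself is never sent
HEADER = struct.Struct("!BBxx")          # command, version, 2 unused bytes
ENTRY = struct.Struct("!HH4s4s4sI")     # AFI, route tag, prefix, mask, next hop, metric
AUTH = struct.Struct("!HH16s")          # AFI=0xFFFF, auth type, 16 bytes of auth data


def build_response(routes, password=None, version=2):
    """RIP response (command 2).  routes: (prefix, mask, next_hop, metric) tuples.
    RIPv1 has no authentication and zeroes the mask and next-hop fields."""
    pkt = HEADER.pack(2, version)
    if password is not None and version == 2:
        pkt += AUTH.pack(AFI_AUTH, AUTH_SIMPLE, password.encode().ljust(16, b"\0"))
    zero = IPv4Address("0.0.0.0").packed
    for prefix, mask, next_hop, metric in routes:
        mask_b = IPv4Address(mask).packed if version == 2 else zero
        nh_b = IPv4Address(next_hop).packed if version == 2 else zero
        pkt += ENTRY.pack(AFI_INET, 0, IPv4Address(prefix).packed, mask_b, nh_b, metric)
    return pkt


def decode(pkt):
    command, version = HEADER.unpack_from(pkt)
    out = {"command": command, "version": version, "auth_type": None,
           "password": None, "routes": []}
    off = HEADER.size
    while off + ENTRY.size <= len(pkt):
        afi = struct.unpack_from("!H", pkt, off)[0]
        if afi == AFI_AUTH:
            _, auth_type, data = AUTH.unpack_from(pkt, off)
            if out["auth_type"] is None:         # first auth entry names the type;
                out["auth_type"] = auth_type     # an MD5 trailer entry is not re-read
            if auth_type == AUTH_SIMPLE:
                out["password"] = data.rstrip(b"\0").decode(errors="replace")
        else:
            _, _tag, prefix, mask, nh, metric = ENTRY.unpack_from(pkt, off)
            out["routes"].append((str(IPv4Address(prefix)), str(IPv4Address(mask)),
                                  str(IPv4Address(nh)), metric))
        off += ENTRY.size
    return out


def audit(pkt):
    """What a passive monitor on the RIP VLAN could report about one update."""
    d = decode(pkt)
    findings = []
    if d["version"] == 1:
        findings.append("RIPv1 update: broadcast, classful, cannot be authenticated")
    elif d["auth_type"] is None:
        findings.append("RIPv2 update without authentication")
    elif d["auth_type"] == AUTH_SIMPLE:
        findings.append(f"simple auth: password {d['password']!r} readable on the wire")
    elif d["auth_type"] == AUTH_MD5:
        findings.append("MD5 auth: digest only, key not exposed")
    for prefix, mask, nh, metric in d["routes"]:
        if metric >= INFINITY:
            findings.append(f"{prefix}/{mask} withdrawn (metric {metric})")
        elif prefix == "0.0.0.0":
            findings.append(f"default route offered, next hop {nh}")
    return findings


# constructed sample: two lab backbone subnets plus one withdrawn prefix
SAMPLE_ROUTES = [("192.168.10.0", "255.255.255.0", "0.0.0.0", 1),
                 ("192.168.13.0", "255.255.255.0", "0.0.0.0", 2),
                 ("172.16.0.0", "255.255.0.0", "0.0.0.0", INFINITY)]

if __name__ == "__main__":
    for finding in audit(build_response(SAMPLE_ROUTES, password="s3cret")):
        print(finding)
```

A next hop of 0.0.0.0 in a RIPv2 entry means "use the sender of this update", which is what the lab outputs show as the peer's VLAN 1 address in the gateway column.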
Monitoring RIP
-> show ip rip routes
Destination Mask Gateway Metric
------------------+------------------+------------------+-------
50.50.50.0 255.255.255.0 50.50.50.1 1

-> show ip rip peer
Total Bad Bad Secs since
IP Address Recvd Packets Routes Version last update
----------------+------+-------+------+-------+-----------
100.10.10.1 1 0 0 2 3

-> show ip rip interface
Interface Intf Admin IP Intf Updates
name vlan status status sent/recv(bad)
----------------+-----+------------+----------+----------------
30.30.30.1 30 enabled enabled 5/5(0)
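The show ip rip peer table above is the output an operator would poll to spot trouble on the RIP backbone. As an added example (not OmniSwitch code), the Python below parses that table and flags peers with bad packets or bad routes (typically an authentication or version mismatch), peers silent for longer than the 180-second invalid interval, RIPv1 peers (which cannot authenticate) and peers missing from an expected neighbour list. The sample output is constructed; its third peer is invented to exercise the stale-RIPv1 case.

```python
"""Added example, not OmniSwitch code: parse 'show ip rip peer' output and
report peers worth a closer look.  The sample table is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SAMPLE_PEER_OUTPUT = """\
Total Bad Bad Secs since
IP Address Recvd Packets Routes Version last update
----------------+------+-------+------+-------+-----------
192.168.10.3 58 0 0 2 47
192.168.10.5 51 3 1 2 74
192.168.10.9 4 0 0 1 190
"""

# one data row: address followed by five integer columns
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


@dataclass
class Peer:
    address: str
    received: int
    bad_packets: int
    bad_routes: int
    version: int
    secs_since_update: int


def parse_peers(text: str) -> List[Peer]:
    """Header and separator lines do not match ROW and are skipped."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, *nums = m.groups()
            peers.append(Peer(ip, *map(int, nums)))
    return peers


def check_peers(peers: List[Peer], expected: Optional[Set[str]] = None,
                invalid_interval: int = 180) -> List[Tuple[str, str]]:
    """Findings as (peer address, reason).  invalid_interval defaults to the RIP
    route timeout of 180 s: a peer silent longer than that is about to have its
    routes invalidated."""
    findings = []
    for p in peers:
        if expected is not None and p.address not in expected:
            findings.append((p.address, "peer not in the expected neighbour list"))
        if p.bad_packets or p.bad_routes:
            findings.append((p.address, f"{p.bad_packets} bad packets / {p.bad_routes} bad routes"))
        if p.version < 2:
            findings.append((p.address, "RIPv1 peer: no authentication, classful updates"))
        if p.secs_since_update > invalid_interval:
            findings.append((p.address,
                             f"no update for {p.secs_since_update}s (> {invalid_interval}s invalid interval)"))
    return findings


if __name__ == "__main__":
    for address, reason in check_peers(parse_peers(SAMPLE_PEER_OUTPUT),
                                       expected={"192.168.10.3", "192.168.10.5"}):
        print(f"{address}: {reason}")
```

The same parser works on the peer tables in the lab section that follows; passing the lab's three switch addresses as the expected set makes any other RIP speaker on VLAN 1 stand out.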
RIP/RIP2

Contents
1 Objective .......................................................................................2
2 RIP/RIP2 ........................................................................................2
3 EQUIPMENT/SOFTWARE REQUIRED ..........................................................2
4 Related Commands ............................................................................2
5 Supported Platforms ..........................................................................2
6 Lab Steps .......................................................................................3
6.1. Enabling RIP ............................................................................................ 3
6.2. 6900 Configuration .................................................................................... 4
6.3. 6850E Configuration ................................................................................... 5
6.4. 6450 Configuration .................................................................................... 5
6.5. Verification of the Backbone ........................................................................ 6
6.6. Distributing Routes .................................................................................... 7
6.7. RIP Updates using V1 and V2......................................................................... 9
6.8. Metrics ................................................................................................... 9
6.9. RIP Authentication – Simple......................................................................... 11
7 Summary ...................................................................................... 11
8 Lab Check .................................................................................... 12

1 Objective
This lab will introduce RIP and RIP2 on an OmniSwitch. This includes loading RIP and enabling both
version 1 and version 2. Three OmniSwitches must be used to understand these concepts; any
combination of switches will work.
THIS MEANS YOU MAY NEED TO BE WORKING COOPERATIVELY WITH
ANOTHER TEAM! PLAN ACCORDINGLY!!!

2 RIP/RIP2
This lab will introduce the routing protocols of RIP and RIP2. Also, we’ll briefly discuss the routing table
and how to display it.
This lab, as with other Layer 3 labs, assumes a basic knowledge of the OmniSwitch products. Specific
commands for creating VLANs, associating ports with VLANs and creating Virtual IP interfaces may not be
listed. Refer to previous labs or the CLI Quick Reference Guide if necessary.

3 EQUIPMENT/SOFTWARE REQUIRED
Three OmniSwitches of any type (OS9xxx, OS6850, OS6450 or OS6250)
Three PCs

4 Related Commands
show ip rip, ip load rip, ip rip, show ip routes
IP rip status enable

5 Supported Platforms
All

6 Lab Steps

6.1. Enabling RIP


This lab will cover the RIP and RIP 2 routing protocols. If a switch is booted without any routing
protocols enabled, they must first be loaded into memory and enabled before they can be configured.
Before you begin this exercise, return all switches to factory defaults so that previous labs do not affect
the outcome. Refer to the diagram below and confirm which switch will be number 1, 3 or 5.

When the switches complete the boot cycle, configure the VLAN 1 parameters and interconnect the
switches. Ensure you have basic Layer 2 connectivity before continuing. As in all labs, replace 'X' with
your switch number. Don't forget to activate all needed ports (uplink and clients).
Loopback0 = 10.X.X.X
VLAN 1:
IP interface = int_1
IP address = 192.168.10.X/24 (X=your switch number)
Default Ports = All
Once you are satisfied you have L2 connectivity between all switches, load the RIP kernel and enable
the RIP Protocol:
-> show ip rip
ERROR: The specified application is not loaded

-> ip load rip


-> show ip rip
Status = Disabled,
Number of routes = 0,
Number of prefixes = 0,
Host Route Support = Enabled,
Route Tag = 0,
Update interval = 30,
Invalid interval = 180,
Garbage interval = 120,
Holddown interval = 0,
Forced Hold-Down Timer = 0

Notice the status of RIP is still Disabled. The next step is to enable the protocol itself:

R6-> ip rip status enable


R7-> ip rip admin-state enable

-> show ip rip


Status = Enabled,
Number of routes = 0,
Number of prefixes = 0,
Host Route Support = Enabled,
Route Tag = 0,
Update interval = 30,
Invalid interval = 180,
Garbage interval = 120,
Holddown interval = 0,
Forced Hold-Down Timer = 0

Although we have loaded the RIP Protocol, we have not assigned it to any IP interfaces yet. Review the
RIP Command set to see the status (Remember the '?'):
-> show ip rip ?
^
ROUTES PEER INTERFACE <cr>
(IP Routing & Multicast Command Set)

-> show ip rip routes


Legends: State: A = Active, H = Holddown, G = Garbage
Destination Gateway State Metric Proto
---------------+-----------------+----+------+------

-> show ip rip peer


Total Bad Bad Secs since
IP Address Recvd Packets Routes Version last update
----------------+------+-------+------+-------+-----------

-> show ip rip interface


Interface Intf Admin IP Intf Updates
Name vlan status status sent/recv(bad)
---------------------+------+-----------+-----------+---------------
No interfaces configured !

Our next configuration step will be to enable RIP on our Virtual IP Interfaces. We are going to use VLAN
1 as our RIP backbone so the following assumes the interfaces you created for VLAN 1 earlier are named
as described:

6.2. 6900 Configuration


6900-> show ip interface
Total 5 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------------+---------------+---------------+------+-------+--------
EMP 10.4.5.1 255.255.255.0 UP NO EMP
EMP-CMMA 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 10.1.1.1 255.255.255.255 UP YES Loopback0
int_1 192.168.10.1 255.255.255.0 UP YES vlan 1

6900-> ip rip interface int_1 admin-state enable


6900-> show ip rip interface
Interface Intf Admin IP Intf Updates
Name vlan status status sent/recv(bad)
---------------------+------+-----------+-----------+---------------
int_1 1 enabled enabled 0/0(0)

6900-> show ip rip interface int_1


Interface IP Name = int_1,
Interface IP Address = 192.168.10.1,
IP Interface Number (VLANId) = 1,
Interface Admin status = enabled,
IP Interface Status = enabled,
Interface Config Ingress Route Map Name = ,

Interface Config Egress Route Map Name = ,


Interface Config AuthType = None,
Interface Config AuthKey Length = 0,
Interface Config Send-Version = v2,
Interface Config Receive-Version = both,
Interface Config Default Metric = 1,
Received Packets = 0,
Received Bad Packets = 0,
Received Bad Routes = 0,
Sent Updates = 2

The commands above enabled RIP on the 192.168.10.1 interface named int_1. Notice the RIP version
being sent and received by default.

6.3. 6850E Configuration

6850E-> show ip interface


Total 4 interfaces
Name IP Address Subnet Mask Status Forward Device
------------------+---------------+---------------+------+-------+-----------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
Loopback0 10.3.3.3 255.255.255.255 UP YES Loopback0
admin 10.4.5.3 255.255.255.0 UP YES vlan 4001
int_1 192.168.10.3 255.255.255.0 UP YES vlan 1

6850E-> ip rip interface int_1 status enable


6850E-> show ip rip interface
Interface Intf Admin IP Intf Updates
Name vlan status status sent/recv(bad)
---------------------+------+-----------+-----------+---------------
int_1 1 enabled enabled 1/0(0)

switch2-> show ip rip interface int_1


Interface IP Name = int_1,
Interface IP Address = 192.168.10.3,
IP Interface Number (VLANId) = 1,
Interface Admin status = enabled,
IP Interface Status = enabled,
Interface Config AuthType = None,
Interface Config AuthKey Length = 0,
Interface Config Send-Version = v2,
Interface Config Receive-Version = both,
Interface Config Default Metric = 1,
Received Packets = 4,
Received Bad Packets = 0,
Received Bad Routes = 0,
Sent Updates = 1

The commands above enabled RIP on the 192.168.10.3 interface named int_1. Notice the RIP version
being sent and received by default.

6.4. 6450 Configuration

6450-> show ip interface


Total 4 interfaces
Name IP Address Subnet Mask Status Forward Device
------------------+---------------+---------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
Loopback0 10.5.5.5 255.255.255.255 UP YES Loopback0
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001
int_1 192.168.10.5 255.255.255.0 UP YES vlan 1

6450-> ip rip interface int_1 status enable


6450-> show ip rip interface
Interface Intf Admin IP Intf Updates

Name vlan status status sent/recv(bad)


---------------------+------+-----------+-----------+---------------
int_1 1 enabled enabled 0/0(0)

6450-> show ip rip interface int_1


Interface IP Name = int_1,
Interface IP Address = 192.168.10.5,
IP Interface Number (VLANId) = 1,
Interface Admin status = enabled,
IP Interface Status = enabled,
Interface Config AuthType = None,
Interface Config AuthKey Length = 0,
Interface Config Send-Version = v2,
Interface Config Receive-Version = both,
Interface Config Default Metric = 1,
Received Packets = 6,
Received Bad Packets = 0,
Received Bad Routes = 0,
Sent Updates = 2

The commands above enabled RIP on the 192.168.10.5 interface named int_1. Notice the RIP version
being sent and received by default.

6.5. Verification of the Backbone


Since we have already interconnected the switches in a previous step, we should begin to see RIP peer
with its neighbors (note: the output will vary slightly depending on which station you are on):

6900-> show ip rip routes


Legends: State: A = Active, H = Holddown, G = Garbage
Destination Gateway State Metric Proto
---------------+-----------------+----+------+------
10.1.1.1/32 +10.1.1.1 A 1 Redist
10.3.3.3/32 +192.168.10.3 A 2 Rip
10.5.5.5/32 +192.168.10.5 A 2 Rip

6900-> show ip rip peer


Total Bad Bad Secs since
IP Address Recvd Packets Routes Version last update
----------------+------+-------+------+-------+-----------
192.168.10.3 11 0 0 2 22
192.168.10.5 7 0 0 2 13

6900-> show ip rip interface


Interface Intf Admin IP Intf Updates
Name vlan status status sent/recv(bad)
---------------------+------+-----------+-----------+---------------
int_1 1 enabled enabled 24/21(0)

6900-> show ip rip interface int_1


Interface IP Name = int_1,
Interface IP Address = 192.168.10.1,
IP Interface Number (VLANId) = 1,
Interface Admin status = enabled,
IP Interface Status = enabled,
Interface Config Ingress Route Map Name = ,
Interface Config Egress Route Map Name = ,
Interface Config AuthType = None,
Interface Config AuthKey Length = 0,
Interface Config Send-Version = v2,
Interface Config Receive-Version = both,
Interface Config Default Metric = 1,
Received Packets = 21,
Received Bad Packets = 0,
Received Bad Routes = 0,
Sent Updates = 20

Notice we see the Loopback0 addresses of your neighbors learned via RIP. Loopback0 will always be
advertised, even if there are no users on the switch; no route re-distribution is necessary. A VLAN must
have associations for it to be active and advertised.
Take note of the number of updates sent and received and the secs since last update. In the example
above, 6900 should see another update from 6450 in 3 seconds (Remember, RIP's default update timer is
30 secs), and 8 seconds before it will see an update from switch2.

6.6. Distributing Routes


Let's create some more VLANs so our route tables contain something more than just local routes. Create
VLAN 101 IP address 192.168.101.1/24 on 6900, create VLAN 103 IP address 192.168.103.3/24 on 6850E
and VLAN 105 IP address 192.168.105.5/24 on 6450.
6900-> vlan 101
6900-> ip interface int_101 address 192.168.101.1/24 vlan 101
6900-> show ip interface

Name IP Address Subnet Mask Status Forward Device


-------------------+---------------+---------------+------+-------+--------
EMP 10.4.5.1 255.255.255.0 UP NO EMP
EMP-CMMA 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 10.1.1.1 255.255.255.255 UP YES Loopback0
int_1 192.168.10.1 255.255.255.0 UP YES vlan 1
int_101 192.168.101.1 255.255.255.0 DOWN NO vlan 101

Since we have no members in VLAN 10X on any of the switches the IP Interface status is DOWN. In our
lab we are going to cheat and tag this VLAN on the client port which is already up.
6900-> vlan 101 members port 1/1 tagged
6900-> show ip interface
Total 6 interfaces
Name IP Address Subnet Mask Status Forward Device
------------------+---------------+---------------+------+-------+--------
EMP 10.4.5.1 255.255.255.0 UP NO EMP
EMP-CMMA 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 10.1.1.1 255.255.255.255 UP YES Loopback0
int_1 192.168.10.1 255.255.255.0 UP YES vlan 1
int_101 192.168.101.1 255.255.255.0 UP YES vlan 101

Check to see if the routes for the VLANs exist:


6900-> show ip route

+ = Equal cost multipath routes


Total 6 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
10.1.1.1/32 10.1.1.1 00:32:30 LOCAL
10.3.3.3/32 192.168.10.3 00:22:00 RIP
10.5.5.5/32 192.168.10.5 00:20:18 RIP
127.0.0.1/32 127.0.0.1 01:40:48 LOCAL
192.168.10.0/24 192.168.10.1 00:30:22 LOCAL
192.168.101.0/24 192.168.101.1 00:01:42 LOCAL

You should only see the local networks for your VLANs at this time. In order for routes not learned via
RIP to be advertised, they must be redistributed. Let's enable route redistribution for the local routes
on all three switches. Remember, a routing protocol will only advertise routes it learned through that
protocol. If a route was learned by another protocol, or is a local or static route, redistribution is
required. (Replace X with your switch number)
6900-> ip route-map switchXrip sequence-number 10 action permit
6900-> ip redist local into rip route-map switchXrip admin-state enable
6900->

In this example, switchXrip is an alias for the route-map statement. We then added a re-distribution
command to that alias to re-distribute all local routes into rip.
6900-> show ip rip routes
Legends: State: A = Active, H = Holddown, G = Garbage
Destination Gateway State Metric Proto
------------------+-----------------+----+------+------
10.1.1.1/32 +10.1.1.1 A 1 Redist
10.3.3.3/32 +192.168.10.3 A 2 Rip
10.5.5.5/32 +192.168.10.5 A 2 Rip
192.168.10.0/24 +192.168.10.1 A 1 Redist
192.168.101.0/24 +192.168.101.1 A 1 Redist

6900-> show ip router database


Legend: + indicates routes in-use
b indicates BFD-enabled static route
r indicates recursive static route, with following address in brackets

Total IPRM IPv4 routes: 8

Destination Gateway Interface Protocol Metric Tag


---------------------+---------------+------------+--------+-------+----------
+ 10.0.0.0/24 10.4.5.254 EMP STATIC 1 0
+ 10.1.1.1/32 10.1.1.1 Loopback0 LOCAL 1 0
+ 10.3.3.3/32 192.168.10.3 int_1 RIP 2 0
+ 10.4.5.0/24 10.4.5.1 EMP LOCAL 1 0
+ 10.5.5.5/32 192.168.10.5 int_1 RIP 2 0
+ 127.0.0.1/32 127.0.0.1 Loopback LOCAL 1 0
+ 192.168.10.0/24 192.168.10.1 int_1 LOCAL 1 0
+ 192.168.101.0/24 192.168.101.1 int_101 LOCAL 1 0

Inactive Static Routes


Destination Gateway Metric Tag Misc-Info
--------------------+-----------------+------+----------+-----------------

You should see the other switches as peers and their VLAN 1 router interfaces as gateways to their other
VLANs.
Ping all router interfaces on all switches from both the OmniSwitch and your PCs to test connectivity.
The commands above enabled route redistribution for all local routes only. We could have used an ip
access-list to identify specific routes to redistribute. Refer to User Manuals for details. Additional
commands were included to display RIP peers and the routing database.

6.7. RIP Updates using V1 and V2


By default RIP is configured to accept either RIP v1 or RIP v2 updates, and sends out RIP v2. RIP v2 will
accept RIP v1 updates, however RIP v1 will not accept RIP v2 updates. On Switch 1 let’s modify the RIP
interface and set it to receive RIP v1. Type the following on Switch 1 ONLY.

6900-> ip rip interface int_1 recv-version v1

6900-> show ip rip interface


Interface Intf Admin IP Intf Updates
Name vlan status status sent/recv(bad)
---------------------+------+-----------+-----------+---------------
int_1 1 enabled enabled 65/109(0)

6900-> show ip rip peer


Total Bad Bad Secs since
IP Address Recvd Packets Routes Version last update
----------------+------+-------+------+-------+-----------
192.168.10.3 58 0 0 2 47
192.168.10.5 51 0 0 2 74

6900-> show ip router database


Legend: + indicates routes in-use
b indicates BFD-enabled static route
r indicates recursive static route, with following address in brackets

Total IPRM IPv4 routes: 6

Destination Gateway Interface Protocol Metric Tag


---------------------+---------------+------------+--------+-------+----------
+ 10.0.0.0/24 10.4.5.254 EMP STATIC 1 0
+ 10.1.1.1/32 10.1.1.1 Loopback0 LOCAL 1 0
+ 10.4.5.0/24 10.4.5.1 EMP LOCAL 1 0
+ 127.0.0.1/32 127.0.0.1 Loopback LOCAL 1 0
+ 192.168.10.0/24 192.168.10.1 int_1 LOCAL 1 0
+ 192.168.101.0/24 192.168.101.1 int_101 LOCAL 1 0

Inactive Static Routes


Destination Gateway Metric Tag Misc-Info
--------------------+-----------------+------+----------+-----------------

After approximately 180 seconds switch 1 should see the metrics for the routes change to 16, meaning
unreachable, and the route will age out shortly after. This is because switch 2 and switch 3 are sending
RIP v2 packets and RIP v1 will not accept RIP v2 packets. Take a look at the tables on switches 2 and 3.
Notice they still see switch 1.
Now, configure Switch 1 to accept either RIP v1 or RIP v2 on the interface.
Type the following:
6900-> ip rip interface int_1 recv-version both

You will see switches 2 and 3 show back up in the router database.

6.8. Metrics
Metrics can be manually configured for RIP. Let’s check the current metric for the 192.168.103.0
network on 6900 and 6450. Type the following on 6850E:

6850E-> show ip router database


Legend: + indicates routes in-use
* indicates BFD-enabled static route
r indicates recursive static route, with following address in brackets

Total IPRM IPv4 routes: 8



Destination Gateway Interface Protocol Metric Tag


---------------------+---------------+------------+--------+-------+--+-
+ 10.0.0.0/24 10.4.5.254 admin STATIC 1 0
+ 10.1.1.1/32 192.168.10.1 int_1 RIP 2 0
+ 10.3.3.3/32 10.3.3.3 Loopback0 LOCAL 1 0
+ 10.4.5.0/24 10.4.5.3 admin LOCAL 1 0
+ 10.5.5.5/32 192.168.10.5 int_1 RIP 2 0
+ 127.0.0.1/32 127.0.0.1 Loopback LOCAL 1 0
+ 192.168.10.0/24 192.168.10.3 int_1 LOCAL 1 0
+ 192.168.101.0/24 192.168.10.1 int_1 RIP 2 0

Inactive Static Routes


Destination Gateway Metric
--------------------+-----------------+---------

Notice the current metrics on the learned routes.


Type the following on Switch 2 ONLY:
6850E-> ip rip interface int_1 metric 5

The command above says that switch2 will add a metric of 5 to all routes being learned on interface
int_1. Check the current metric to see this.
Type the following:
switch2-> show ip router database
Legend: + indicates routes in-use
* indicates BFD-enabled static route
r indicates recursive static route, with following address in brackets

Total IPRM IPv4 routes: 8

Destination Gateway Interface Protocol Metric Tag


---------------------+---------------+------------+--------+-------+--+-
+ 10.0.0.0/24 10.4.5.254 admin STATIC 1 0
+ 10.1.1.1/32 192.168.10.1 int_1 RIP 6 0
+ 10.3.3.3/32 10.3.3.3 Loopback0 LOCAL 1 0
+ 10.4.5.0/24 10.4.5.3 admin LOCAL 1 0
+ 10.5.5.5/32 192.168.10.5 int_1 RIP 6 0
+ 127.0.0.1/32 127.0.0.1 Loopback LOCAL 1 0
+ 192.168.10.0/24 192.168.10.3 int_1 LOCAL 1 0
+ 192.168.101.0/24 192.168.10.1 int_1 RIP 6 0
+ 192.168.103.0/24 192.168.103.3 int_103 LOCAL 1 0

Inactive Static Routes


Destination Gateway Metric
--------------------+-----------------+---------

6.9. RIP Authentication – Simple


Authentication can be configured on interfaces running the RIP V2 protocol. This offers some level of
security against injected routes and even accidental configuration.
Type the following on Switch 2 ONLY:
6850E-> ip rip interface int_1 auth-type simple
6850E-> ip rip interface int_1 auth-key alcatel

Check the routing table on all switches; the routes should be removed after their aging period.
Type the following:
6850E-> show ip rip peer
Total Bad Bad Secs since
IP Address Recvd Packets Routes Version last update
----------------+------+-------+------+-------+-----------
192.168.10.1 87 2 0 2 15
192.168.10.5 76 2 0 2 1

6850E-> show ip router database


Legend: + indicates routes in-use
* indicates BFD-enabled static route
r indicates recursive static route, with following address in brackets

Total IPRM IPv4 routes: 8

Destination Gateway Interface Protocol Metric Tag


---------------------+---------------+------------+--------+-------+--+-
+ 10.0.0.0/24 10.4.5.254 admin STATIC 1 0
+ 10.3.3.3/32 10.3.3.3 Loopback0 LOCAL 1 0
+ 10.4.5.0/24 10.4.5.3 admin LOCAL 1 0
+ 127.0.0.1/32 127.0.0.1 Loopback LOCAL 1 0
+ 192.168.10.0/24 192.168.10.3 int_1 LOCAL 1 0
+ 192.168.103.0/24 192.168.103.3 int_103 LOCAL 1 0

Inactive Static Routes


Destination Gateway Metric
--------------------+-----------------+---------

You should see that you are now receiving bad packets from switch2 since authentication is not enabled
on all switches. Type the following on 6900 and 6450:
6900-> ip rip interface int_1 auth-type simple
6900-> ip rip interface int_1 auth-key alcatel
6450-> ip rip interface int_1 auth-type simple
6450-> ip rip interface int_1 auth-key alcatel
6900-> show ip rip peer
6900-> show ip rip routes

You should see that you are now receiving valid RIP updates since Authentication is configured correctly
on all switches.
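The receive-side checks behind sections 6.7 to 6.9, as an added example in Python (not OmniSwitch code): a RIPv2 listener that applies the recv-version setting, adds the interface metric to learned routes (16 = unreachable) and enforces RFC 2453 simple-password authentication. The packet builder, the RipInterface model and the sample routes are constructed here for illustration.

```python
"""Receive-side checks a RIPv2 listener applies before it installs an update.

Added example, not OmniSwitch code. It models three things seen in sections
6.7 to 6.9: the interface recv-version setting, the per-interface metric that
is added to learned routes (16 = unreachable), and RIPv2 simple-password
authentication (RFC 2453: first entry has AFI 0xFFFF and auth type 2).
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

RIP_RESPONSE = 2
AFI_INET = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE = 2
RIP_INFINITY = 16
ENTRY_LEN = 20


def build_response(version: int, routes, auth_key: Optional[str] = None) -> bytes:
    """Build a RIP response (constructed test data).
    routes: list of (prefix, mask, next_hop, metric)."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, version, 0)
    if auth_key is not None:
        # Simple password: 16 bytes, NUL padded, carried in the first entry.
        pwd = auth_key.encode()[:16].ljust(16, b"\0")
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, pwd)
    for prefix, mask, next_hop, metric in routes:
        pkt += struct.pack("!HH4s4s4sI", AFI_INET, 0,
                           socket.inet_aton(prefix), socket.inet_aton(mask),
                           socket.inet_aton(next_hop), metric)
    return pkt


@dataclass
class RipInterface:
    recv_version: str = "both"       # ip rip interface ... recv-version {v1|v2|both}
    auth_key: Optional[str] = None   # ip rip interface ... auth-key; None = no auth
    metric: int = 1                  # ip rip interface ... metric
    bad_packets: int = 0             # "Bad Packets" column of show ip rip peer
    bad_routes: int = 0              # "Bad Routes" column


def _auth_ok(intf: RipInterface, first_entry: bytes) -> bool:
    afi, auth_type = struct.unpack("!HH", first_entry[:4])
    if afi != AFI_AUTH or auth_type != AUTH_SIMPLE:
        return False
    return first_entry[4:].rstrip(b"\0") == intf.auth_key.encode()


def process_response(intf: RipInterface, pkt: bytes, gateway: str) -> List[Tuple[str, str, int]]:
    """Validate one received response; return accepted (prefix, gateway, metric) routes."""
    if len(pkt) < 4 or (len(pkt) - 4) % ENTRY_LEN:
        intf.bad_packets += 1
        return []
    cmd, version, _ = struct.unpack("!BBH", pkt[:4])
    if cmd != RIP_RESPONSE or version not in (1, 2):
        intf.bad_packets += 1
        return []
    # Section 6.7: recv-version v1 drops every v2 update, so the v2 peers'
    # routes go to metric 16 and age out on this switch.
    wanted = {"v1": (1,), "v2": (2,), "both": (1, 2)}[intf.recv_version]
    if version not in wanted:
        intf.bad_packets += 1
        return []
    entries = [pkt[i:i + ENTRY_LEN] for i in range(4, len(pkt), ENTRY_LEN)]
    has_auth = bool(entries) and struct.unpack("!H", entries[0][:2])[0] == AFI_AUTH
    if version == 2:
        if intf.auth_key is not None:
            # Section 6.9: an interface with auth-key configured rejects
            # unauthenticated v2 updates and wrong passwords.
            if not has_auth or not _auth_ok(intf, entries[0]):
                intf.bad_packets += 1
                return []
            entries = entries[1:]
        elif has_auth:
            # No auth configured here but the peer authenticates: RFC 2453 says
            # discard, which is the "Bad Packets" count the 6900/6450 show.
            intf.bad_packets += 1
            return []
    accepted = []
    for entry in entries:
        afi, _, prefix, mask, _nh, metric = struct.unpack("!HH4s4s4sI", entry)
        if afi != AFI_INET or not 1 <= metric <= RIP_INFINITY:
            intf.bad_routes += 1
            continue
        # Section 6.8: the interface metric is added on receipt and capped at
        # infinity. (v1 carries no mask; the classful lookup is omitted here.)
        learned = min(metric + intf.metric, RIP_INFINITY)
        masklen = bin(int.from_bytes(mask, "big")).count("1")
        accepted.append((f"{socket.inet_ntoa(prefix)}/{masklen}", gateway, learned))
    return accepted
```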

7 Summary
This lab introduced you to RIP v1 and RIP v2 on an OmniSwitch. RIP and RIP v2 are part of the basic
routing package for the OmniSwitch. The RIP protocol can be used in smaller networks to advertise
routing information.

8 Lab Check
- What command must be run before RIP can be enabled on an interface?
........................................................................................................................
- RIP will advertise routes to inactive VLANs. (T/F)
- What is the purpose of enabling redistribution for local routes?
........................................................................................................................
- What is the command for redistributing only a single IP subnet instead of all local routes?
........................................................................................................................
- What are some concerns when running both RIPv1 and RIPv2?
........................................................................................................................
- What are some advantages of enabling authentication?
........................................................................................................................
OMNISWITCH AOS R6/R7/R8

Quality of service
Module Objectives
 You will:
 Learn about the Quality of Service implementation and associated features on an AOS based switch
 Overview
 QOS Global default
 QOS and ports Configuration
 QOS Policies
 QOS Conditions and Actions
 QOS-Auto Configuration
 QOS monitoring
QoS – Overview
 QoS refers to a transmission quality and available service that is measured and
sometimes guaranteed in advance for a particular type of traffic in a network
 Often defined as a way to manage bandwidth
[Figure: a Policy Condition classifies the flow; a Policy Action determines how packets are queued in the queues for egress traffic]
 Using QoS, a network administrator can gain more control over networks where
different types of traffic are in use
 I.E. VoIP traffic or mission critical data may be marked as priority traffic and given
more bandwidth on the link.
 In fact, the QoS may also be scheduled to run at a certain time
 QoS may be defined through the CLI, Webview or OmniVista-PolicyView
Queuing
 QoS is responsible for enforcing user-defined policies on switch traffic
 QoS policies can affect such things as
 Accept/Drop behavior of a packet
 Queuing priority
 Next hop for routing
 Bandwidth shaping
 Setting 802.1p/TOS/DSCP packet priorities
 IGMP/MLD join behavior
 Packet Mirroring
 Coloring frames that exceed configured rate
 Classification on L1/L2/L3/L4
 Enqueuing in one of the 8 COS queues
 De-queuing logic to apply at each step
[Figure: QoS blocks in the switch: Routing Engine, Classification Engine, Memory Management, Switching Engine, Buffer Management, Security Engine, Traffic Management, Parser, Modification]
QOS - Packet Classification
[Figure: incoming packet header -> Packet Classification -> Forwarding Engine Action]
 Classifier (policy database): Condition (source & dest) -> Action
 Gets Policies from: CLI, Webview, or PolicyView
 Maintains QoS tables: Rules, Actions, Conditions, Services, Groups
 Condition fields
 L2: MAC, VLAN, slot/port, interface type
 L3: SIP, DIP
 L3/L4: TCP, UDP, IP proto, source TCP/UDP port, dest. TCP/UDP port
 Actions
 Prioritization, Bandwidth shaping
 ICMP filtering, ICMP prioritizing, ICMP rate limiting
 IPMS Filtering
 802.1p/ToS/DSCP marking and mapping
 Policy Based Routing (PBR) for redirecting routed traffic
 Policy Based Mirroring
 Advanced Layer 2 to 4 Filtering
 Server Load Balancing
QoS
Specifications
 Default Priority Queues
 8 CoS queues per egress port
 802.1p/TOS used to select queues
 Strict priority for scheduling

 Configured by QoS commands


 Condition
 Action
 Rules (<condition> + <action> + <time valid, optional>)
 Using CLI, WebView, PolicyView

 Maximum
 Conditions = 2048
 Actions = 2048
 Rules
 2048 (6400/6850/6855)
 1400 (6250)
Queuing
 Local Destination
 Packet does not flow through the Fabric
 Packet goes to one of the 8 CoS Queues for the destination port
 Remote Destination
 Packet goes to one of the 8 CoS Queues
 MMU (Mem. Mgt. Unit) manages buffers
 Limits on the Queue lengths are configured by AOS
 If the Queue length exceeds the configurable limit at any time, no packet can be queued (packet is dropped)
[Figure: egress path blocks: ingress MAC, TLU, MMU, CoS Queues, Scheduler, egress MAC]
Scheduling
 Scheduler for each port
 Monitors COS Queues
 Selects Queues based on either:
 Strict Priority
 Starting w/ highest priority first
 Queues are serviced until empty
 Weighted Round Robin
 User can specify the number of packets to be dequeued (from 1 to 15) from a Queue before
going to the next Queue
 A “0” weight means strict priority Queue
 A Queue is skipped if empty
 Deficit Round Robin
 Weight configurable 0-15
 Same principle as WRR but volume based (1=10KB)
 Unicast and Multicast have equal Priority
 Value of 0 to indicate the queue is to be considered Strict Priority
 Dequeues and sends the packet
 Returns buffer to the buffer pool
-> qos port <slot/port> servicing mode wrr
-> qos default servicing mode wrr
[Figure: same egress path blocks as above: ingress MAC, TLU, MMU, CoS Queues, Scheduler, egress MAC]
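A model of the per-port scheduler described above, added here as an example (not AOS code), that drains a snapshot of the eight CoS queues in strict priority and in WRR mode so the difference in who gets starved is visible. It assumes the eight weights of "qos port 1/10 servicing mode wrr 0 2 3 4 8 1 1 7" apply to queues 0 to 7 in that order, with queue 7 the highest priority; the queue contents are constructed.

```python
"""Per-port egress scheduler model for the Scheduling slide: strict priority
versus weighted round robin (WRR). Added example, not AOS code. Assumption: the
eight weights of 'qos port 1/10 servicing mode wrr 0 2 3 4 8 1 1 7' apply to
queues 0..7 in that order; queue 7 is the highest priority."""
from collections import deque
from typing import List, Optional, Tuple

NUM_QUEUES = 8


def schedule(queues: List[List[str]], weights: Optional[List[int]] = None,
             mode: str = "strict") -> List[Tuple[int, str]]:
    """Drain a snapshot of the 8 CoS queues and return the transmit order as
    (queue, packet) pairs. queues[i] holds the packets waiting in queue i."""
    qs = [deque(q) for q in queues]
    order: List[Tuple[int, str]] = []

    def drain(i: int) -> None:
        while qs[i]:
            order.append((i, qs[i].popleft()))

    if mode == "strict":
        # Highest priority first; each queue is serviced until empty, so a
        # flood into queue 7 can starve everything below it.
        for i in range(NUM_QUEUES - 1, -1, -1):
            drain(i)
        return order

    if mode != "wrr" or weights is None or len(weights) != NUM_QUEUES:
        raise ValueError("wrr mode needs eight weights (0 = strict, 1-15 = packets per turn)")
    for w in weights:
        if not 0 <= w <= 15:
            raise ValueError("weights must be 0-15")

    # A weight of 0 marks a strict-priority queue: it is always served before
    # the round-robin queues, so on a static snapshot it is drained first.
    for i in range(NUM_QUEUES - 1, -1, -1):
        if weights[i] == 0:
            drain(i)

    # Weighted queues take turns; each may dequeue up to its weight before the
    # scheduler moves on, and empty queues are skipped.
    def pending() -> bool:
        return any(qs[i] for i in range(NUM_QUEUES) if weights[i] > 0)

    while pending():
        for i in range(NUM_QUEUES - 1, -1, -1):
            if weights[i] == 0:
                continue
            for _ in range(weights[i]):
                if not qs[i]:
                    break
                order.append((i, qs[i].popleft()))
    return order


def share_in_first(order: List[Tuple[int, str]], queue: int, n: int) -> int:
    """How many of the first n transmitted packets came from `queue`."""
    return sum(1 for q, _ in order[:n] if q == queue)
```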
Congestion Control
 “End to End” protocol between the egress and the ingress chips
 Discards frames at the ingress port if the egress port is congested (on a per priority basis)
 i.e. the queue length at the egress port exceeds its limit
=> Avoids wasting fabric bandwidth on frames that would be dropped at egress
=> Frames destined for non-congested ports not dropped
[Figure: ingress switch chips (ingress data, 2 MB buffer pool, CoS queues) -> fabric chip -> egress switch chip (CoS queues, congested Ethernet port)]
 Egress Switch chip compares queue length for each port against thresholds
 Egress Switch chip sends a "congestion bitmask" for {port, COS} combinations to all ingress Switch chips
 Fabric chip does not interpret E2E messages
 Ingress Switch Chips drop frames destined for congested ports
QOS GLOBAL DEFAULT CONFIGURATION
Defining QOS - Global Defaults
Description | Command | Default
QoS enabled or disabled | qos | enabled
Global default queuing scheme for ports | qos default servicing mode | strict-priority
Whether ports are globally trusted or untrusted | qos trust ports | 802.1Q-tagged ports and mobile ports are always trusted; any other port is untrusted
Statistics interval | qos stats interval | 60 seconds
Global bridged disposition | qos default bridged disposition | accept
Global routed disposition | qos default routed disposition | accept
Global multicast disposition | qos default multicast disposition | accept
Level of log detail | qos log level | 6
Number of lines in QoS log | qos log lines | 256
Whether log messages are sent to the console | qos log console | no
Whether log messages are available to OmniVista applications | qos forward log | no
Whether IP anti-spoofing is enabled on UserPorts | qos user-port filter | yes
Whether a UserPorts port is administratively disabled when unwanted traffic is received | qos user-port shutdown | no
Type of messages logged | debug qos | info
Modifying
Global QOS configuration
-> qos enable
-> qos default bridged disposition {accept | deny | drop}
 Denies all bridged, routed or multicast traffic by default
 Supported only on R6 switches
-> qos reset
 Resets the QoS configuration to its defaults
-> qos revert
 Deletes the pending configuration
-> qos flush
 Flushes the configuration
-> qos apply
 Applies the pending configuration
QOS PORTS DEFAULT CONFIGURATION
QOS Parameters
Physical Port
-> qos port slot/port
[trusted]
[servicing mode]
[qn {minbw | maxbw} kbps]
[maximum egress-bandwidth]
[maximum ingress-bandwidth]
[default 802.1p value]
[default dscp value]
[default classification {802.1p | tos | dscp}]
[dei {ingress | egress}]

Physical Port Default Parameters
Description | Command/keyword | Default
The default 802.1p value inserted into packets received on untrusted ports. | qos port default 802.1p | 0
The default DSCP value inserted into packets received on untrusted ports. | qos port default dscp | 0
Whether the port uses strict priority or weighted fair queuing. | qos port servicing mode | strict priority queuing
The default minimum/maximum bandwidth for each of the eight CoS queues per port. | qos port q minbw maxbw | minimum = best effort; maximum = port bandwidth
Whether the port is trusted or untrusted | qos port trusted | 802.1Q and mobile ports are always trusted
Maximum bandwidth | qos port maximum bandwidth | port bandwidth
QOS Ports Configuration
 Trusted Ports
 VLAN, 802.1p or ToS/DSCP values are preserved
-> qos trust ports
-> qos port slot/port trusted
 Untrusted Ports
 Switch zeroes out the 802.1p bits or ToS/DSCP value
 VLAN is reset to the default VLAN on the port
-> qos port slot/port no trusted
 Precedence rule
 802.1p, TOS, DSCP
 default priority/DSCP can be used when expected field is missing
 Per port configurable default priority (0..7) & DSCP
 802.1p or ToS/DSCP Port Default
-> qos port 3/1 default 802.1p 7
QOS Parameters
Physical Port
Weighted Round Robin configuration
-> qos default servicing mode wrr (Global)
-> qos port 1/8 servicing mode wrr (Per port)
Setting the weights for each queue on port 1/10
-> qos port 1/10 servicing mode wrr 0 2 3 4 8 1 1 7
Configuring the maximum rate at which to send traffic on the specified port
-> qos port 1/1 maximum egress-bandwidth 10M
Takes precedence over an egress queue limit configured on the same port
Configuring the maximum rate at which traffic is received on a QoS port
-> qos port 1/1 maximum ingress-bandwidth 5M
Configuring a minimum and maximum bandwidth for each of the COS egress queues on the specified port
-> qos port 2/10 q7 minbw 2k q7 maxbw 10k
QOS POLICIES CONFIGURATION
QOS
Policy types
Access Guardian
• User Network Profile
Basic QOS
• Traffic prioritization
• Bandwidth shaping
• Queuing management
ICMP Policies
• Filtering
• Prioritizing
• Rate limiting traffic (security)
802.1p / ToS / DSCP
• Marking
• Stamping
Policy Based Routing
• Routed traffic redirecting
Filtering
• Layer 2 and Layer 3/4 ACLs
Policy Based Mirroring
• Mirror traffic based on QoS policies
QOS Policy Rule
Configuration
-> policy rule rule_name [enable | disable] [precedence precedence] [condition condition] [action action]
[validity period name | no validity period] [save] [log [log-interval seconds]] [count {packets | bytes}]
[trap | no trap] [default-list | no default-list]
[Figure: policy rule = Condition (Packet Classification, classifies incoming traffic) + Action (applies to outgoing traffic)]
-> policy validity period vp01 hours 13:00 to 19:00 days monday friday
-> policy rule r1 validity period vp01
Configures a validity period for rule r1
-> policy rule r1 precedence 200 condition c1 action a1 log
Sets the precedence for rule r1 and turns on logging
Flow classification
Policy
[Figure: policy rule = Condition (Packet Classification, classifies incoming traffic) + Action (applies to outgoing traffic)]
 If there are no policies that match the flow
 flow is accepted or denied based on the global disposition set for the switch
 If the flow is accepted, it is placed in a default queue on the output port
 If there is more than one policy that matches the flow
 policy with the highest precedence (0-65535) is applied to the flow
 Flows must also match all parameters configured in a policy condition
 A policy condition must have at least one classification parameter
Defining Policies
Policies Defaults
Policies Rules Defaults
Description | Keyword | Default
Policy rule enabled or disabled | enable or disable | enabled
Determines the order in which rules are searched | precedence | 0
Whether the rule is saved to flash immediately | save | enabled
Whether messages about flows that match the rule are logged. | log | no
How often to check for matching flow messages. | log-interval | 30 seconds
Whether to count bytes or packets that match the rule. | count | packets are counted
Whether to send a trap for the rule. | trap | enabled (trap sent only on port disable action or UserPort)
QOS - Policy Conditions
 Conditions
 source TCP/UDP port, destination TCP/UDP port, service, service group, TCP flags
 IP protocol, source IP, multicast IP, destination IP, source network group, destination network group, multicast network group
 ToS, DSCP, ICMP type, ICMP code
 source MAC, source MAC group, destination MAC, destination MAC group
 802.1p, 802.1p range, ethertype, source VLAN, destination VLAN
 source port, source port group, destination port, destination port group
-> policy condition condition_name
[source ip ip_address [mask netmask]]
[source ipv6 {any | ipv6_address [mask netmask]}]
[destination ip ip_address [mask netmask]]
[destination ipv6 {any | ipv6_address [mask netmask]}]
[multicast ip ip_address [mask netmask]]
[source network group network_group]
[destination network group network_group]
[multicast network group multicast_group]
[source ip port port[-port]]
[destination ip port port[-port]]
[source tcp port port[-port]]
[destination tcp port port[-port]]
[source udp port port[-port]]
[destination udp port port[-port]]
[ethertype etype]
[established]
[tcpflags {any | all} flag [mask flag]]
[service service]
[service group service_group]
[icmptype type]
[icmpcode code]
[ip protocol protocol]
[ipv6]
[nh next_header_value]
[flow-label flow_label_value]
[tos tos_value tos_mask]
[dscp {dscp_value[-value]} [dscp_mask]]
[source mac mac_address [mask mac_mask]]
[destination mac mac_address [mask mac_mask]]
[source mac group group_name]
[destination mac group mac_group]
[source vlan vlan_id]
[destination vlan vlan_id]
[802.1p 802.1p_value]
[source port slot/port[-port]]
[source port group group_name]
[destination port slot/port[-port]]
[destination port group group_name]
[vrf {vrf_name | default}]
QOS - Conditions groups
 Policy port group
 slot and port number combinations
-> policy port group techports 1/1 3/1 3/2 3/3
-> policy condition cond4 source port group techports

 Policy mac group


 Multiple MAC addresses that may be attached to a condition
-> policy mac group macgrp2 08:00:20:00:00:00 mask ff:ff:ff:00:00:00 00:20:DA:05:f6:23

 Policy vlan group


 vlan list or vlan range
 policy condition can be used in both ingress and egress policy rule
-> policy vlan group local 10-13 20 21
 Policy network group
 IPv4 source or destination addresses
 Default “switch” group
 Includes all IPv4 addresses configured on the switch
-> policy network group netgroup3 173.21.4.0 mask 255.255.255.0 10.10.5.3

 Policy service group


 TCP or UDP ports or port ranges (source or destination)
-> policy service telnet1 protocol 6 destination ip port 23
-> policy service ftp2 source tcp port 20-21 destination tcp port 20
-> policy service group serv_group telnet1 ftp2
QOS Policy - Actions
[Figure: Does the packet match a condition? Yes: use the action of the highest precedence policy (Mark, Prioritize, Shape, Filter, Mirror, …). No: use the Default Action]
Actions Defaults
Description | Keyword | Default
Whether the flow matching the rule should be accepted or denied | disposition | accept
QOS - Policy Actions
 Actions
 ACL (disposition drop)
 Change queuing priority
 Update TOS/Diffserv and/or 802.1P priority tags
 802.1p/TOS/Diffserv marking
 802.1p/TOS/Diffserv mapping
 Per COS max bandwidth (64K bps)
 Maximum depth
 Statistics (# of packets, # of bytes)
 Ingress policing / Egress shaping
 Port Redirection
 Routed Traffic Redirection
 Link Aggregate Redirection
 Port Disable
 Mirroring
 Multi-actions support
 Ingress Rate Limiting
-> policy action action_name
[disposition {accept | drop | deny}]
[shared]
[priority priority_value]
[maximum bandwidth bps]
[maximum depth bytes]
[tos tos_value]
[802.1p 802.1p_value]
[dscp dscp_value]
[map {802.1p | tos | dscp} to {802.1p | tos | dscp} using map_group]
[permanent gateway ip ip_address]
[port-disable]
[redirect port slot/port]
[redirect linkagg link_agg]
[no-cache]
[{ingress | egress | ingress egress | no} mirror slot/port]
[cir bps [cbs byte] [pir bps] [pbs byte] [counter-color {red-nonred | green-nongreen | green-red | green-yellow | red-yellow}]]
QOS - Policy and action combinations
 Actions that can be combined within the same policy action
Action | Drop/Port Disable | Priority | Stamp/Map | Max BW | Redirect Port | Redirect Linkagg | Port Disable | Permanent Gateway IP | Mirroring
Drop / Port Disable | N/A | No | No | No | No | No | No | No | Yes
Priority | No | N/A | Yes | Yes | Yes | Yes | No | Yes | Yes
Stamp / Map | No | Yes | N/A | Yes | Yes | Yes | No | Yes | Yes
Max BW | No | Yes | Yes | N/A | Yes | Yes | No | Yes | Yes
Redirect Port | No | Yes | Yes | Yes | N/A | No | No | Yes | Yes
Redirect / Linkagg | No | Yes | Yes | Yes | No | N/A | No | Yes | Yes
Port Disable | No | No | No | No | No | No | N/A | No | No
Permanent Gateway IP | No | Yes | Yes | Yes | Yes | Yes | No | N/A | Yes
Mirroring | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | N/A
Defining Policies - Prioritization and Queue Mapping
[Figure: Packet Classification: Condition -> Priority?]
 If a packet matches a QoS policy rule that specifies a priority value
 the egress priority for the packet is set using the value contained in the rule
 If a packet does not match any QoS policy rules
 if received on a trusted port, the egress priority for the packet is set using the DSCP
value (IP packets) or the 802.1p value (non-IP packets)
 if received on an untrusted port, the egress priority for the packet is set using the default 802.1p
value configured for the port on which the packet was received
Priority to Queue Mapping Table
802.1p | ToS/DSCP | Priority | Queue
0 | 000xxx | 0 | 0
1 | 001xxx | 1 | 1
2 | 010xxx | 2 | 2
3 | 011xxx | 3 | 3
4 | 100xxx | 4 | 4
5 | 101xxx | 5 | 5
6 | 110xxx | 6 | 6
7 | 111xxx | 7 | 7
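The egress priority decision above (rule priority first, then trusted-port marking, then the untrusted-port default) together with the DSCP-to-priority table, as an added Python example that is not switch code. Port, Packet and Rule are simplified models built here for illustration; the rule conditions are plain predicates.

```python
"""How an AOS port decides the egress priority (and so the CoS queue) of a
packet, as on the Prioritization and Queue Mapping slide. Added example, not
switch code; Port, Packet and Rule are simplified models for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Port:
    trusted: bool                 # qos port s/p trusted | no trusted
    default_8021p: int = 0        # qos port s/p default 802.1p <0-7>
    default_dscp: int = 0         # qos port s/p default dscp <0-63>


@dataclass
class Packet:
    is_ip: bool
    src_ip: str = ""
    dscp: int = 0                 # 6-bit DSCP from the IP header
    pcp: int = 0                  # 802.1p value from the VLAN tag


@dataclass
class Rule:
    """Simplified policy rule: a condition predicate and an optional priority action."""
    name: str
    precedence: int
    condition: Callable[[Packet], bool]
    priority: Optional[int] = None


def dscp_to_priority(dscp: int) -> int:
    # Mapping table: DSCP 000xxx -> 0 ... 111xxx -> 7, i.e. the top three bits.
    return (dscp >> 3) & 0x7


def egress_priority(pkt: Packet, port: Port, rules: List[Rule]) -> Tuple[int, int, str]:
    """Return (priority, queue, reason). Priority N always lands in CoS queue N."""
    # More than one matching rule: the one with the highest precedence applies.
    hits = sorted((r for r in rules if r.condition(pkt)),
                  key=lambda r: r.precedence, reverse=True)
    if hits and hits[0].priority is not None:
        pri, why = hits[0].priority, f"rule {hits[0].name}"
    elif port.trusted:
        # Trusted: keep the packet's own marking (DSCP for IP, 802.1p otherwise).
        pri = dscp_to_priority(pkt.dscp) if pkt.is_ip else pkt.pcp
        why = "trusted port, packet marking"
    else:
        # Untrusted: the switch zeroes the packet's 802.1p/DSCP bits and uses
        # the port default instead, so a host cannot promote itself by marking.
        pri, why = port.default_8021p, "untrusted port default"
    return pri, pri, why


def stamp_untrusted(pkt: Packet, port: Port) -> Packet:
    """Rewrite the markings of a packet received on an untrusted port."""
    if port.trusted:
        return pkt
    return Packet(pkt.is_ip, pkt.src_ip,
                  dscp=port.default_dscp if pkt.is_ip else 0,
                  pcp=port.default_8021p)
```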
QOS Policy Actions - Examples
802.1p Mapping
-> policy condition Traffic destination port 3/2 802.1p 4
-> policy action SetBits 802.1p 7
-> policy rule Rule2 condition Traffic action SetBits
 Maps traffic destined for port 3/2 with an 802.1p value of 4 to an 802.1p value of 7
Setting Priority
-> policy condition cond3 source ip 10.10.2.3
-> policy action action2 priority 7
-> policy rule my_rule condition cond3 action action2
 Sets traffic from 10.10.2.3 to a priority of 7
QOS enhancements
Egress Filtering
 Egress Filtering is only supported on
 OS6400
 OS6855_U24X
 OS9000E

 Egress policies
 Grouped in a policy list with a policy list type of “egress”
 Same rule allowed in both ingress and egress policy list
 By default, a policy rule is treated as an ingress policy

-> policy list list_name type [unp | egress] rules rule_name [rule_name2...] [enable | disable]

Applies the list of policy rules to traffic egressing on QoS ports

-> policy list eggress1 type egress rules rule1 rule2 rule3
QOS
Monitoring Policies
 Displaying the actual number of matches for the configured rules
->show active policy rules

Policy From Prec Enab Act Refl Log Trap Save Def Matches
R1 cli 0 Yes Yes No No Yes Yes Yes 2
(L2/3): C1 -> QoS_Action1
R2 cli 0 Yes Yes No No Yes Yes Yes 0
(L2/3): C2 -> QoS_Action1
R3 cli 0 Yes Yes No No Yes Yes Yes 0
(L2/3): C3 -> QoS_Action1

 Rule match counting


 2 options to configure rule count
->policy rule name count packets (default)
 Every packet matching a rule will be counted in the “matches” column

->policy rule name count bytes


 Same but count number of bytes instead of number of packets
QOS
Testing Policies
-> show policy classify {l2 | l3 | multicast} [applied]
[source port slot/port]
[destination port slot/port]
[source mac mac_address]
[destination mac mac_address]
[source vlan vlan_id]
[destination vlan vlan_id]
[source interface type {ethernet | wan | ethernet-10 | ethernet-100 | ethernet-1G | ethernet-10G}]
[destination interface type {ethernet | wan | ethernet-10 | ethernet-100 | ethernet-1G | ethernet-10G}]
[802.1p value]
[source ip ip_address]
[destination ip ip_address]
[multicast ip ip_address]
[tos tos_value]
[dscp dscp_value]
[ip protocol protocol]
[source ip port port]
[destination ip port port]

-> show policy classify l3 source ip 192.168.10.100 destination ip 198.168.10.1


Packet headers:
L2:
*Port : 0/0 -> 0/0
*IfType : any -> any
*MAC : 000000:000000 -> 000000:000000
*VLAN : 0 -> 0
*802.1p : 0
L3/L4:
*IP : 192.168.10.100 -> 192.168.10.1
*TOS/DSCP : 0/0
Using applied l3 policies
Classify L3:
*Matches rule ‘r1’: action a1 (drop)
QOS enhancements
Egress Port/Queue Statistics
 Queue Statistics
-> show qos queue
displays the number of packets transmitted & discarded on each queue
 Transmitted: indicates the number of packets successfully transmitted out of the egress Port/CoS queue
 The packets are guaranteed to go out on the egress port
 Discarded-Low
 Indicates the number of packets dropped in the egress Port/Cos queue (when queue is full)
 Discarded-High
 Indicates the number of yellow or high drop precedence packets dropped in the egress Port/CoS queue when the queue is not full
 OS6400/OS685X/OS9000 platforms
 To capture statistics on a per port basis
-> qos port 1/1 monitor
 Automatically active on OmniSwitch 6855-U24X or 9000E
 Port queues Reset statistics
-> qos stats reset egress
-> qos stats interval
-> show qos queue 1/9
Slot/ Q Bandwidth Packets
Port VPN No Pri Wt Min Max Xmit Drop Type
-----+----+--+---+--+-----+-----+---------+---------+----
1/9 8 0 0 - - - 0 0 PRI
1/9 8 1 1 - - - 0 0 PRI
1/9 8 2 2 - - - 0 0 PRI
1/9 8 3 3 - - - 0 0 PRI
1/9 8 4 4 - - - 0 0 PRI
1/9 8 5 5 - - - 0 0 PRI
1/9 8 6 6 - - - 0 0 PRI
1/9 8 7 7 - 2K 10K 0 0 PRI
AUTO-QOS CONFIGURATION
Auto QoS on Alcatel-Lucent voice applications
 Trusts and prioritizes traffic from Alcatel-Lucent phones based on the priority in the packet
 on trusted and un-trusted ports
 It’s enabled by default on the switch
 Switch detects traffic coming from ALU phones (based on MAC address)
 Additional MAC group can be configured and will be treated the same
 The alaPhones mac group must be redefined
-> policy mac group alaPhones 00:80:9f:00:00:00 mask ff:ff:ff:00:00:00
 The administrator has the option to prioritize the phone traffic instead of merely trusting it
-> qos phones [priority priority_value | trusted]
 When enabled, qos policies specifying priority will not take effect on the phone traffic
 Administrator can still apply other policies such as ACLs and Rate limiting policies
[Callout: if you see an Alcatel-Lucent phone, place it in the priority queue set by OXE, i.e. priority 5; treat the rest as needed]
Auto QoS - Alcatel-Lucent NMS applications
 Prioritizes NMS traffic to the switch, which aims to alleviate access problems to a switch that is under attack
 Supported only on R6 switches
 Needs to be enabled on the switch
-> qos nms priority
 Only supported on the first 8 interfaces in order of creation, defined by their ifIndex value.
 NMS traffic is identified by the port number
 SSH (TCP port 22)
 telnet (TCP port 23)
 WebView (HTTP port 80)
 SNMP (TCP port 161)
 Allows management access to the switch even under heavy load conditions
 Avoids the possibility of the switch ending up in a DoS condition by rate limiting the high priority NMS traffic to 512 pps
SIP SNOOPING
Session Initiation Protocol (SIP)
 It is a network communications protocol commonly applied for Voice over IP (VoIP) signaling.
 It is an alternative approach to signaling using the H.323 protocol standard.
 It can work with other protocols to establish connections between all sorts of different devices and it is capable of supporting audio, video and instant messaging.
 Regardless of the particular device or media through which the content is delivered
 It carries out the signaling by sending small messages, consisting of a header and a body.
 When SIP snooping is enabled, the OmniSwitch differentiates the traffic, based on application, user and context, and provides applicable service levels.
 Voice and video traffic is prioritized over non-voice traffic
 Mission critical data traffic is provided guaranteed bandwidth for better performance.
SIP Snooping – Identify, Mark, Treat and Monitor
 Allows the configuration of SIP policy rules
 QOS treatments for the media streams / RTP flows being established between the SIP
user agent endpoints.
 Identifies and marks SIP and its corresponding media streams.
 Each media stream contains RTP and RTCP flows.
 Marking is done using the DSCP field in IP header.
 Provides user configured QOS treatment for SIP/RTP/RTCP traffic flows based on its
marking.
 By mapping DSCP to queue number and drop precedence
 Calculates QOS metric values of delay, jitter, round trip time, R factor and MOS values
of media streams from its corresponding RTCP.
 A trap is raised when any of the QOS metrics crosses a user defined threshold.

 The SIP snooping feature also allows basic and global QOS treatments for the
SIP signaling messages themselves and the SOS call.
 When SIP snooping is disabled, the SIP packets forwarded by hardware are not
subject to any specific QOS treatment.
 Treated as normal packets following the same QOS treatment according to qos port or
policy rules configuration.
SIP Snooping Overview
 SIP network Components
 Edge switches, aggregation switches and core switches
 SIP Server (registrar, proxy, redirect, gateway)
 SIP Phones (User Agents)
 SIP snooping operation
 A SIP ACL triggers the setup of HW with SIP keywords: INVI, UPDA, BYE,…
 Match on keywords copies packet to CPU: “snooping” SIP signaling
 Once RTP and RTCP ports have been negotiated
 ACL is setup in HW for the 4 flows (2 x RTP, 2 x RTCP)
 RTCP flows are duplicated to CPU for analysis
 When call Ends, HW resources taken for RTP/RTCP are freed up
 On the edge switch, the QOS treatment is enforced for both ingress and egress media streams (RTP flows).
[Figure: SIP Phones on edge switches, SIP Server, External WAN; SIP signaling and RTP/RTCP flows]
SIP Snooping Overview
 SIP snooping is enabled on the edge switches with QOS treatment enforced for both ingress and egress media streams (RTP flows).
 Internal call: QOS treatment is enforced on both edge switches on which the SIP user agent endpoints are connected.
 External call: QOS treatment is only enforced on the edge switch on which the internal SIP user agent endpoint is connected.
 Performs
 Application recognition and application of QoS / ACLs on specific flows
 Monitoring of jitter, delay, packet loss, MOS score and R-factor on specific flows
[Figure: SIP Server and External WAN reached through the core; SIP phones on the edge switches; legend: SIP signaling, RTP/RTCP flows]
Identification of SIP packets
 SIP packets are identified based on the string value at the beginning of the UDP
payload.
 SIP responses always have SIP/2.0 at the beginning.
 SIP requests have their method name at the beginning.
 SIP packets are identified by doing a lookup at the start of the UDP payload for:
 SIP/2.0
 INVITE
 ACK
 PRACK
 UPDATE
 BYE
 SIP Snooping supports a 4 byte lookup, so only "INVI" is looked up instead
of the complete INVITE.
 Packets with similar strings at the beginning of their payload may be identified
as SIP. It is expected that software on the CPU will do further filtering, but marking
will be done anyway.
SIP Snooping - Configuring Edge Port
 SIP snooping has two modes:
 Automatic - (Default) The edge/non-edge mode is derived from LLDP
 non-edge port – Port receives LLDP with a "switch/router" capability.
 edge port – Port receives no LLDP, or LLDP without the switch/router capability.
Note: For AOS, the switch/router capability is by default not advertised.
This can be enabled with the command:
-> lldp <slot/port> tlv management system-capabilities enable
 Force mode - The edge/non-edge mode is forced by configuration
 In case of conflict, the user configuration overwrites the default behavior derived
from LLDP.
 Auto-phone configuration has higher precedence than SIP snooping. Disable
auto phone with the "qos no phones" command.
 Set all edge ports, including network edge ports, to the un-trusted mode.
SIP Snooping - Configuring Trusted SIP Server
 The SIP snooping feature allows the configuration of trusted SIP servers. This
restricts the SIP snooping functions to a list of trusted server IP addresses.
 By default, any SIP server is trusted. The SIP messages are trusted regardless of
the origin (i.e. source IP address) or destination (i.e. destination IP address) of
the SIP message.
 Up to 8 addresses can be configured as trusted SIP servers. To
configure a trusted SIP server, use the command:
-> sip-snooping trusted-server 192.168.0.1
 Other calls are discarded by the SIP snooping module and will not be subject to
the configured SIP QOS treatment.
Configuring Policy Rules for SIP Snooping
 SIP snooping sets a global DSCP marking for the SIP flows (RTP / RTCP
flows), setting:
 The packet DSCP
 Internal priority
-> policy condition <cond_name> sip {audio| video| other}
-> policy action <action_name> dscp <dscp_num>
-> policy rule <rule_name> condition <cond_name> action <action_name>
 PDU signaling messages are rate limited to 1Mbps. This rate limiter is not
configurable.
 By default, no dscp or rate limiter is configured for SIP Snooping control
messages:
-> sip-snooping sip-control [no] dscp <num>
SIP Snooping – Configuring SOS Calls
 The SIP snooping feature allows the detection of emergency calls based on the
"to" URI in the INVITE message.
 Up to 4 SOS call strings can be configured.
 The string must be the exact URI to be matched in the "to" URI; regular expressions are
not supported.
 The QOS treatment for SOS calls is limited to a global DSCP marking for all SOS
calls. When a call is deemed to be an SOS call, a default DSCP of 46 (EF) is
assigned for both RTP and RTCP flows of that call.
 The DSCP marking can be configured to any value.
 Also, a rate limiter of 128Kbps is imposed on the call.
 The rate limiter is not configurable.
 By default, no SOS number is configured for SIP Snooping:
-> sip-snooping sos-call number "911" "2233"
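The identification stages, the trusted-server check and the SOS-number match described in the slides above, modelled in Python as an added example (this is not OmniSwitch code and not Alcatel-Lucent's implementation). Three details are assumptions, because the slides only give "INVI" and the "911"/"2233" example: the 4-byte prefixes for ACK and BYE include the trailing space of the request line, a message passes the trusted-server check when its source or destination IP is in the list, and the configured SOS string is compared with the user part of the To URI. The constructed look-alike payload shows why the software stage after the hardware lookup matters: anything whose first four bytes are "INVI" is copied to the CPU and marked.

```python
"""Simulation of the OmniSwitch SIP snooping classification stages described in
the slides: 4-byte hardware lookup, software check of the SIP start line,
trusted-server filtering and SOS call detection. Constructed example."""
import ipaddress
import re
from dataclasses import dataclass, field

# First four bytes of the UDP payload that the hardware ACL matches. "INVI" is
# the prefix the slides name; the others are assumed from the method list
# (a request line always has a space after the method name).
HW_PREFIXES = (b"SIP/", b"INVI", b"ACK ", b"PRAC", b"UPDA", b"BYE ")
SIP_METHODS = ("INVITE", "ACK", "PRACK", "UPDATE", "BYE")


def hw_match(payload: bytes) -> bool:
    """Stage 1: the 4-byte lookup at the start of the UDP payload."""
    return payload[:4] in HW_PREFIXES


def cpu_is_sip(payload: bytes) -> bool:
    """Stage 2: software filtering of what the hardware copied to the CPU.
    A real SIP message starts with 'SIP/2.0 <status>' or '<METHOD> <uri> SIP/2.0'."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if line.startswith("SIP/2.0 "):
        return True
    parts = line.split(" ")
    return len(parts) == 3 and parts[0] in SIP_METHODS and parts[2] == "SIP/2.0"


@dataclass
class SnoopConfig:
    trusted_servers: set = field(default_factory=set)  # empty = any server trusted
    sos_numbers: set = field(default_factory=set)      # exact strings, no regex
    sos_dscp: int = 46                                 # EF, the default in the slides

    def add_trusted_server(self, ip: str) -> None:
        if len(self.trusted_servers) >= 8:
            raise ValueError("at most 8 trusted SIP servers")
        self.trusted_servers.add(ipaddress.ip_address(ip))

    def add_sos_number(self, number: str) -> None:
        if len(self.sos_numbers) >= 4:
            raise ValueError("at most 4 SOS call strings")
        self.sos_numbers.add(number)


def server_trusted(cfg: SnoopConfig, src_ip: str, dst_ip: str) -> bool:
    """Assumption: trusted if either endpoint of the message is a trusted server."""
    if not cfg.trusted_servers:
        return True
    return (ipaddress.ip_address(src_ip) in cfg.trusted_servers
            or ipaddress.ip_address(dst_ip) in cfg.trusted_servers)


def to_user(payload: bytes):
    """User part of the To header URI (assumed to be what the SOS string is compared with)."""
    m = re.search(rb"(?im)^(?:To|t):\s*(?:[^<\r\n]*<)?sip:([^@>;\r\n]+)", payload)
    return m.group(1).decode("ascii", "replace") if m else None


def classify(cfg: SnoopConfig, src_ip: str, dst_ip: str, payload: bytes) -> dict:
    """Run one packet through all stages; the dict records where it stopped."""
    r = {"hw_match": hw_match(payload), "sip": False, "trusted": False,
         "sos": False, "dscp": None}
    if not r["hw_match"]:
        return r
    r["sip"] = cpu_is_sip(payload)
    if not r["sip"]:
        return r
    r["trusted"] = server_trusted(cfg, src_ip, dst_ip)
    if not r["trusted"]:
        return r  # discarded by the snooping module: no SIP QoS treatment
    if payload.startswith(b"INVITE") and to_user(payload) in cfg.sos_numbers:
        r["sos"], r["dscp"] = True, cfg.sos_dscp
    return r


# Constructed sample packets (not captured traffic).
INVITE_911 = (b"INVITE sip:911@pbx.example.com SIP/2.0\r\n"
              b"Via: SIP/2.0/UDP 10.0.0.5:5060\r\n"
              b"From: <sip:alice@example.com>;tag=1\r\n"
              b"To: <sip:911@pbx.example.com>\r\n"
              b"Call-ID: c1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")
OK_200 = b"SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
LOOKALIKE = b"INVIsible: not SIP at all\r\n"


if __name__ == "__main__":
    cfg = SnoopConfig()
    cfg.add_sos_number("911")
    print(classify(cfg, "10.0.0.5", "10.0.0.1", INVITE_911))
    print(classify(cfg, "10.0.0.5", "10.0.0.1", LOOKALIKE))
```

With no trusted server configured, the INVITE to 911 passes every stage and gets DSCP 46; once a trusted server is added, the same INVITE between two other addresses stops at the trusted-server stage and receives no SIP QoS treatment, which is the behaviour the slides describe for non-trusted calls.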
SIP Snooping Limitations
 Media types other than audio and video (application, image media types, etc.)
are not supported.
 The solution only supports SIP; there is no support for NOE.
 SIP Registrar, outbound proxy, proxy and redirect functions should be provided by
the same server, called the SIP Server.
 Only SIP over UDP is supported. The solution does not support SIP over TCP, SCTP or
MPLS. SIP Snooping does not support secured SIP over TLS. Similarly, encrypted
RTCP or SDP is not supported.
 Only SIP over IPv4 is supported; there is no support for IPv6. Multicast media sessions by
SIP are not supported.
 The outbound proxy configured on the phone and the trusted call server configured on the
switch must be the same.
Quality of Service

Contents
1 Objective .......................................................................................2
2 Quality of Service Settings ...................................................................2
3 EQUIPMENT/SOFTWARE REQUIRED ..........................................................2
4 Related Commands ............................................................................2
5 Supported Platforms ..........................................................................2
6 Discussion .......................................................................................2
7 Global QoS Defaults ...........................................................................3
8 Lab Steps .......................................................................................3
8.1. Global Configuration .................................................................................. 3
8.2. Bandwidth Shaping .................................................................................... 7
8.3. Port Default 802.1P/ToS/DSCP Configuration .................................................... 9
8.4. Configuring Trusted Ports ............................................................................ 9
8.5. Configuring Servicing Mode and Thresholds ...................................................... 10
8.6. Configuring Policies .................................................................................. 11
8.7. policy rule keywords ................................................................................. 14
8.8. Rule Precedence ...................................................................................... 14
8.9. policy network group................................................................................. 15
8.10. policy service group .................................................................................. 15
8.11. policy mac group...................................................................................... 16
8.12. policy port group ..................................................................................... 16
8.13. policy map group ..................................................................................... 17
9 Summary ...................................................................................... 17
10 Lab Check .................................................................................... 17
2
Quality of Service

1 Objective
This lab will provide an overview of the myriad QoS settings on the OmniSwitch family of products.
It introduces many different configurations and allows you to become familiar with the syntax. By the
end of this lab, you will realize how complex QoS can be and which steps make it work properly. The
final section will challenge you to create a configuration based on a scenario.

2 Quality of Service Settings


The OmniSwitch family of products was designed with Quality of Service in mind. As a result, there
are a variety of features and settings available. And, the feature set will continue to expand as new
standards and functional needs emerge.

3 EQUIPMENT/SOFTWARE REQUIRED
One OmniSwitch (any Model)
Two or more PCs.

4 Related Commands
qos (enable, disable, apply, reset, flush), qos port …,
policy (condition, action, rule, …), show qos …, show policy …, policy … group, policy service …

5 Supported Platforms
All

6 Discussion
While policies may be used in many different types of network scenarios (QOS ACLs, SLB, PBR), we will
address the following:
Basic QoS – including traffic prioritization and bandwidth shaping;
ICMP policies – including filtering, prioritizing and rate limiting;
802.1p/ToS/DSCP – for marking and mapping;
QoS configuration may interact with other configured features – like SLB, dynamic link aggregation (LACP),
802.1Q, mobile ports, IP routing, and LDAP policy management. Also, one can configure combinations of
policies. These topics will not be addressed in this lab exercise, and are left to the student for further
study and investigation.
Use the Policy Condition Combination table in the Network Configuration Guide for a list of valid
combinations and further discussion on combinations.

7 Global QoS Defaults


Use the qos reset command to reset global values to their defaults.
Keep in mind qos is enabled by default. Other global qos defaults include:
Strict Priority Queuing
802.1Q tagged and Mobile ports are always trusted; any other port is untrusted
Default bridged, routed, and multicast disposition is accept
Debug qos is set at info level
802.1p and dscp default to 0 on a per port basis
Policy rules precedence defaults to 0
Policy actions default is accept
 The default network group (named ‘Switch’) contains all IP addresses created on a switch
 Each slot has its own default port group (named ‘Slot#’, i.e. Slot01 on an OS6850)
Along with qos reset, other global commands one might use include:
qos revert
qos flush
qos disable
Use the qos port <slot/port> reset command to reset port settings to their defaults.
(Please consult the configuration guides for default settings.)
In the current software release, the deny and drop options produce the same effect: the traffic is
silently dropped.
There are no defaults for the policy condition command.

8 Lab Steps

8.1. Global Configuration


By default QoS is enabled on the switch. If QoS policies are configured and applied, the switch will attempt
to classify traffic and apply relevant policy actions.
To disable the QoS, use the qos command. Type:

ALL -> qos disable


QoS is immediately disabled. When QoS is disabled globally, no flows coming into the switch are classified
(matched to policies).
To re-enable QoS, enter the qos command with the enable option. Type:

ALL -> qos enable


QoS is immediately re-enabled. Any policies that are active on the switch will be used to classify traffic
coming into the switch.
Individual policy rules may be enabled or disabled with the policy rule command.
By default, bridged, routed, and multicast flows that do not match any policies are accepted on the switch.
In Release 6 switches, to change the global default disposition (which determines whether the switch will
accept, deny, or drop the flow), use the desired disposition setting (accept, drop, or deny) with any of the

following commands: qos default bridged disposition, qos default routed disposition, or qos default
multicast disposition.
For example, to deny any routed flows that do not match policies, type:

6850E & 6450 -> qos default routed disposition deny


6850E & 6450 -> show qos config
QoS Configuration:
Enabled : No
Pending changes : global policy
DEI:
Mapping : Disabled
Marking : Disabled
Classifier:
Default queues : 8
Default queue service : strict-priority
Trusted ports : No
NMS Priority : Yes
Phones : trusted
Default bridged disposition : accept
Default routed disposition : accept (deny)
Default IGMP/MLD disposition: accept
Logging:
Log lines : 256
Log level : 6
Log to console : No
Forward log : No
Stats interval : 60 seconds
Userports:
Filter : spoof
Shutdown: none
Quarantine Manager:
Quarantine MAC Group : Quarantined
Quarantined Page : Yes
Remediation URL :
Debug : info

Notice that the global policy needs activation. To activate the setting, type:

6850E & 6450 -> qos apply


6850E & 6450 -> show qos config
QoS Configuration:
Enabled : No
Pending changes : None
DEI:
Mapping : Disabled
Marking : Disabled
Classifier:
Default queues : 8
Default queue service : strict-priority
Trusted ports : No
NMS Priority : Yes
Phones : trusted
Default bridged disposition : accept
Default routed disposition : deny
Default IGMP/MLD disposition: accept
Logging:
Log lines : 256
Log level : 6
Log to console : No
Forward log : No
Stats interval : 60 seconds

Userports:
Filter : spoof
Shutdown: none
Quarantine Manager:
Quarantine MAC Group : Quarantined
Quarantined Page : Yes
Remediation URL :
Debug : info

Typically, the disposition is only configured when you are using policies for Access Control Lists (ACLs).
If you set qos default bridged disposition to deny, as well, you effectively drop all traffic (bridged or
routed) that does not match any policy. If you want to create ACLs to allow some Layer 2 traffic through
the switch, you must configure two rules for each type of Layer 2 traffic, one for source and one for
destination.

Let's reset all QoS parameters back to their defaults:


6850E & 6450 -> qos reset

6850E & 6450 -> show qos config


QoS Configuration:
Enabled : No
Pending changes : None
DEI:
Mapping : Disabled
Marking : Disabled
Classifier:
Default queues : 8
Default queue service : strict-priority
Trusted ports : No
NMS Priority : Yes
Phones : trusted
Default bridged disposition : accept
Default routed disposition : deny (accept)
Default IGMP/MLD disposition: accept
Logging:
Log lines : 256
Log level : 6
Log to console : No
Forward log : No
Stats interval : 60 seconds
Userports:
Filter : spoof
Shutdown: none
Quarantine Manager:
Quarantine MAC Group : Quarantined
Quarantined Page : Yes
Remediation URL :
Debug : info

6850E & 6450 -> qos apply

6850E & 6450 -> show qos config


QoS Configuration:
Enabled : No
Pending changes : None
DEI:
Mapping : Disabled
Marking : Disabled
Classifier:

Default queues : 8
Default queue service : strict-priority
Trusted ports : No
NMS Priority : Yes
Phones : trusted
Default bridged disposition : accept
Default routed disposition : accept
Default IGMP/MLD disposition: accept
Logging:
Log lines : 256
Log level : 6
Log to console : No
Forward log : No
Stats interval : 60 seconds
Userports:
Filter : spoof
Shutdown: none
Quarantine Manager:
Quarantine MAC Group : Quarantined
Quarantined Page : Yes
Remediation URL :
Debug : info

Although it is not covered in this lab exercise, there is a significant amount of information to be gathered
using qos log and debug qos. (Please consult the configuration guides for further information.)
Another command that is useful for gathering some basic information about QoS is the statistics command:

6850E & 6450 -> show qos statistics


QoS stats
Events Matches Drops
L2 : 0 0 0
L3 Inbound : 0 0 0
L3 Outbound : 0 0 0
IGMP Join : 0 0 0
Fragments : 0
Bad Fragments : 0
Unknown Fragments : 0
Sent NI messages : 0
Received NI messages : 52
Failed NI messages : 0
Load balanced flows : 0
Reflexive flows : 0
Reflexive correction : 0
Flow lookups : 0
Flow hits : 0
Max PTree nodes : 0
Max PTree depth : 0
Spoofed Events : 0
NonSpoofed Events : 0
DropServices : 0

Software resources
                             Applied                        Pending
Table             CLI LDAP ACLM Blt Total    CLI LDAP ACLM Blt Total    Max
rules               0    0    0   0     0      0    0    0   0     0   2048
actions             0    0    0   0     0      0    0    0   0     0   2048
conditions          0    0    0   0     0      0    0    0   0     0   2048
services            0    0    0   0     0      0    0    0   0     0    256
service groups      1    0    0   0     1      1    0    0   0     1   1024
network groups      0    0    0   1     1      0    0    0   1     1   1024
port groups         2    0    0   8    10      2    0    0   8    10   1024
mac groups          0    0    0   0     0      0    0    0   0     0   1024
map groups          0    0    0   0     0      0    0    0   0     0   1024
vlan groups         0    0    0   0     0      0    0    0   0     0   1024

Hardware resources                  TCAM                   Ranges
Slot Slice Unit      Used    Free    Max       Used   Free   Max
 1     0     0          0    1664   1664          0     16    16
 1     0     1          0    1664   1664          0     16    16

8.2. Bandwidth Shaping

For the next few sample configurations, reset the Pod. On the 6900 switch, create VLAN 10 with an IP
router address of 192.168.10.254/24 and VLAN 20 with IP address 192.168.20.254/24, put port 1/7 in
default VLAN 10 and port 1/3 in default VLAN 20. Enable ports 1/3 and 1/7.
6900 -> vlan 10
6900 -> ip interface int_10 address 192.168.10.254/24 vlan 10
6900 -> vlan 20
6900 -> ip interface int_20 address 192.168.20.254/24 vlan 20
6900 -> vlan 10 members port 1/7 untagged
6900 -> vlan 20 members port 1/3 untagged
6900 -> interfaces 1/3 admin-state enable
6900 -> interfaces 1/7 admin-state enable
On the 6450, activate ports 1/1 (client) and 1/7 (uplink):
6450 -> interfaces 1/1 admin up
6450 -> interfaces 1/7 admin up
On the 6850E, activate ports 1/1 (client) and 1/3 (uplink):
6850E -> interfaces 1/1 admin up
6850E -> interfaces 1/3 admin up
Clients 5/6 are connected on port 1/1 of the 6450, clients 3/4 on port 1/1 of the 6850E. Configure Client 5/6 with
the following parameters:
IP = 192.168.10.10
MASK = 255.255.255.0
GW = 192.168.10.254

And Client 3/4 with these ones:

IP = 192.168.20.10
MASK = 255.255.255.0
GW = 192.168.20.254
To create a policy rule to prioritize the traffic from Client 5/6, first create a condition for the traffic that
you want to prioritize. In this example, the condition is called client_traffic. Then create an action to
prioritize the traffic as highest priority. In this example, the action is called priority_7. Combine the condition
and the action into a policy rule called rule1.

6900 -> policy condition client_traffic source ip 192.168.10.10
6900 -> policy action priority_7 802.1p 7
6900 -> policy rule rule1 condition client_traffic action priority_7
Is your rule active? Remember, the rule is not active on the switch until it has been applied:
6900 -> qos apply
When the rule is activated, every flow into the switch that is sourced from Client 5/6 (192.168.10.10)
to any other device will be given the highest priority.
This can be seen when you capture traffic on the egress port using Wireshark.

In this next example, any flow from a source IP address is sent to a queue supporting its maximum
bandwidth requirement.
Modify the policy action that you created earlier to limit the maximum bandwidth from the
same source:

6900 -> policy action priority_7 maximum bandwidth 100k
6900 -> qos apply
6900 -> show policy action priority_7
Action name : priority_7
Maximum bandwidth = 100K,
802.1p = 7

The bandwidth may be specified in abbreviated units, in this case 100k. Try to launch a ping from client
5/6 to client 3/4:
ping 192.168.20.10
As it doesn't exceed the maximum bandwidth, it should work. Now try to launch a ping with a
greater datagram size:
ping -l 65000 192.168.20.10
Your ping now uses more bandwidth, so it shouldn't work.
Once testing is complete, remove the condition, action and rule:

6900 -> no policy rule rule1


6900 -> no policy action priority_7
6900 -> no policy condition client_traffic

8.3. Port Default 802.1P/ToS/DSCP Configuration


By default, the port defaults for 802.1p and ToS/DSCP are 0. To change the default 802.1p or ToS/DSCP
setting for a port, use the qos port default 802.1p or qos port default dscp command. For example:

ALL -> qos port 1/1 default 802.1p 7


ALL -> show qos port 1/1
Slot/ Default Default Queues Bandwidth DEI
Port Active Trust P/DSCP Classification Default Total Physical Ingress Egress Map/Mark Type
----+-------+-----+------+--------------+-------+-----+--------+-------+------+----------+-----------
1/1 No Yes 7/ 0 DSCP 8 0 0K - - No /No ethernet

In this example, any untagged traffic (traffic without any 802.1p setting) arriving on port 1/1 will be
stamped with an 802.1p value of 7 (highest priority). If the port is configured to be untrusted, any tagged
traffic will be stamped with an 802.1p value of 7. If the port is configured to be trusted, any tagged traffic
will preserve the 802.1p value in the flow. By default, switched ports are not trusted.

8.4. Configuring Trusted Ports


To configure the global setting on the switch, use the qos trust ports command. For example:

6900 -> qos trust-ports


6850E & 6450 -> qos trust ports

In most environments, not all ports are trusted. To configure individual ports to recognize 802.1p
or ToS, use the qos port trusted command with the desired slot/port number. For example:

ALL -> qos port 1/1 trusted

The global setting is active immediately; however, the port setting requires qos apply to activate the
change.
802.1p bits may be set or mapped to a single value using the policy action 802.1p command. In this
example, the qos port command specifies that slot 1 port 5 will be able to recognize 802.1p bits.
A policy condition Traffic is then created to classify traffic containing 802.1p bits set to 4 and destined for
slot 1 port 7. The policy action SetBits specifies that the bits will be changed to 7 when the traffic leaves
the switch on slot 1 port 7. A policy rule called 802.1p_rule puts the condition and the action together.
Type:

ALL -> qos port 1/5 trusted


ALL -> policy condition Traffic destination port 1/7 802.1p 4
ALL -> policy action SetBits 802.1p 7
ALL -> policy rule 802.1p_rule condition Traffic action SetBits
ALL -> qos apply
Note: 802.1p mapping may also be set for Layer 3 traffic, which typically has the 802.1p bits set to zero.
In the above example, what would happen if ingress traffic on slot 1 port 5 was tagged with an 802.1p value
of 5?
To view QoS configuration and activity, type:

ALL -> show policy condition


Condition name : Traffic
Destination slot = 1/7,
802.1p = 4

ALL -> show policy action


Action name : SetBits
802.1p = 7

ALL -> show policy rule


Rule name : 802.1p_rule
Condition name = Traffic,
Action name = SetBits

8.5. Configuring Servicing Mode and Thresholds

To change the servicing mode, use the qos port servicing mode command with the desired keyword for the
mode (strict-priority, priority-wrr, or wrr). For example:

6850E & 6450 -> qos port 1/7 servicing mode strict-priority
In this example, the servicing mode of port 7 on slot 1 is set to strict priority (this is also the default value),
which means that highest priority packets will always be sent out first.
The OmniSwitch also supports WRR and DRR (Deficit Round Robin). The weight assigned to a WRR queue
designates the number of packets the queue sends out before the scheduler moves on to the next queue.
For example, a queue weight of 10 sends out 10 packets at each interval. What do you think happens when
the following command is applied?

6850E & 6450 -> qos port 1/7 servicing mode wrr 8 1 5 0 4 0 3 0
Port 1/7 is now configured with a mix of Strict Priority and WRR:

Queue 1 is configured for best effort because of a weight of 1.
Queues 3, 5 and 7 are configured Strict Priority because of weight 0, resulting in Q7 always being
serviced first, followed by Q5 and Q3, before any WRR/DRR queues are serviced.
Queues 0, 2, 4 and 6 are configured WRR with weights 8, 5, 4 and 3 respectively. They are
serviced only after the Strict Priority queues are serviced. Based on the
weights, Q0 will have the best throughput, then Q2, then Q4 and then Q6.
To reset the servicing mode for the port back to the global default mode, use the default parameter with
this command and do not specify a queuing scheme. For example:

6850E & 6450 -> qos port 1/7 servicing mode default
Configuring a minimum and maximum bandwidth value for each of the eight egress port queues is allowed
on the OmniSwitch. By default the bandwidth values are set to zero, which means best effort for the
minimum bandwidth and port speed for the maximum bandwidth.
To configure the bandwidth values use the qos port q minbw maxbw command. For example, the following
command sets the minimum and maximum bandwidth for queue 7 on port 1/10 to 2k and 10k:

6850E & 6450 -> qos port 1/10 q7 minbw 2k q7 maxbw 10k
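The ordering rules of section 8.5, modelled as an added Python example (not OmniSwitch or Alcatel-Lucent code): queues with weight 0 are strict priority and are served highest queue number first, and each remaining queue sends up to its weight per round. The function names (parse_servicing_mode, service_order, wrr_share) and the backlog of ten packets per queue are constructed for the example; the page does not describe how the hardware interleaves the queues, so the drain order below is a model of the stated rules, not a capture from a switch.

```python
"""Model of the per-port egress scheduler described in section 8.5.
Weight 0 = strict priority (highest queue number first); any other weight =
number of packets the queue may send per WRR round. Constructed example."""


def parse_servicing_mode(args: str) -> list:
    """Turn the argument string of 'qos port x/y servicing mode wrr ...' into
    a list of eight weights, index = queue number."""
    weights = [int(w) for w in args.split()]
    if len(weights) != 8 or any(w < 0 for w in weights):
        raise ValueError("eight non-negative queue weights expected")
    return weights


def describe(weights: list) -> dict:
    """Which queues are strict priority (in service order) and which are WRR."""
    return {
        "strict": [q for q in range(7, -1, -1) if weights[q] == 0],
        "wrr": {q: w for q, w in enumerate(weights) if w > 0},
    }


def service_order(weights: list, backlog: list) -> list:
    """Sequence of queue numbers served until every queue is empty.
    backlog: packets waiting in each of the eight queues."""
    remaining = list(backlog)
    order = []
    plan = describe(weights)
    while any(remaining):
        # a strict priority queue with traffic always wins, Q7 before Q5 before Q3
        pending = [q for q in plan["strict"] if remaining[q] > 0]
        if pending:
            q = pending[0]
            remaining[q] -= 1
            order.append(q)
            continue
        # one WRR round: each weighted queue sends up to its weight
        for q, weight in plan["wrr"].items():
            n = min(weight, remaining[q])
            order.extend([q] * n)
            remaining[q] -= n
    return order


def wrr_share(weights: list) -> dict:
    """Fraction of the bandwidth left over by the strict queues that each
    WRR queue receives when all WRR queues stay backlogged."""
    total = sum(weights)
    return {q: w / total for q, w in enumerate(weights) if w > 0}


if __name__ == "__main__":
    w = parse_servicing_mode("8 1 5 0 4 0 3 0")
    print(describe(w))
    print(service_order(w, [10] * 8))
    print({q: round(s, 3) for q, s in wrr_share(w).items()})
```

Running the model with every queue holding ten packets shows the behaviour the lab describes: all thirty strict-priority packets leave first, then Q0 gets eight slots per round against one for Q1, so the best-effort queue is the last to drain.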

8.6. Configuring Policies


Basic commands for creating policies include:

ALL -> policy condition ?


^
<"string"> <string>
(QoS Command Set)

ALL -> policy action ?


^
<"string"> <string>
(QoS Command Set)

ALL -> policy rule ?


^
<"string"> <string>
(QoS Command Set)
Reset QoS:

ALL -> qos reset

Define a condition (named my_condition) to identify a source IP address of 10.1.10.3

ALL -> policy condition my_condition source ip 10.1.10.3

Define an action (named my_action) to set a priority of 7

ALL -> policy action my_action priority 7

Define a rule (named my_rule) that will give all traffic from IP address 10.1.10.3 the highest priority (7) as
it passes through the switch:

ALL -> policy rule my_rule condition my_condition action my_action


ALL -> qos apply
There are many options for configuring a condition, depending on how you want the switch to classify
traffic for this policy. More than one condition parameter may be specified. However, some condition
parameters, like ToS and DSCP, are mutually exclusive.
Remember, the condition will not be active on the switch until you enter the qos apply command.

Policy condition keywords

source ip                      tos
destination ip                 dscp
multicast ip                   802.1p
source network group           source mac
destination network group      destination mac
multicast network group        source mac group
source ip port                 destination mac group
destination ip port            source vlan
source tcp port                destination vlan
destination tcp port           source port
source udp port                source port group
destination udp port           destination port
service                        destination port group
service group                  source interface type
ip protocol                    destination interface type

To create or modify a policy condition, use the policy condition command with the keyword for the type of
traffic you want to classify, for example, an IP address or group of IP addresses. In this example, a
condition named c1 is created for classifying traffic from destination IP address 10.10.10.100 and
destination port 23.
6850E & 6450 -> policy condition c1 destination ip 10.10.10.100 destination tcp port 23
6850E & 6450 -> show policy condition c1
Condition Name From Src -> Dest
+c1 cli
*IP : Any -> 10.10.10.100
*TCP : Any -> 23
6900 -> policy condition c1 destination ip 10.10.10.100 destination tcp-port 23
6900 -> show policy condition c1
Condition name : c1
State = new,
Destination IP = 10.10.10.100,
Destination TCP port = 23

To remove a classification parameter from the condition and retain the destination IP information, use no
with the relevant keyword; in this case destination TCP port. For example:

6850E & 6450 -> policy condition c1 no destination tcp port
6900 -> policy condition c1 no destination tcp-port
6850E & 6450 -> show policy condition c1
Condition Name From Src -> Dest
+c1 cli
*IP : Any -> 10.10.10.100

Do not forget to type qos apply to activate each condition command.


To completely remove a policy condition, use the no form of the command. For example:

ALL -> no policy condition c1



ALL -> show policy condition c1


No condition `c1'
A condition, in our example c1, cannot be deleted if it is currently being used by a policy rule. If a rule is
using the condition, the switch will display an error message. Re-create condition c1, create a new
action and put them together in a rule:

ALL -> policy condition c1 destination ip 10.10.10.100
ALL -> policy action a1 maximum bandwidth 100k
ALL -> policy rule rule_1 condition c1 action a1
Now try to delete condition c1:

ALL -> no policy condition c1
ERROR: c1 is being used by rule 'rule_1'

Once the rule is deleted, the action and condition can be deleted:

ALL -> no policy rule rule_1
ALL -> no policy action a1
ALL -> no policy condition c1
To create or modify a policy action, use the policy action command with the desired action parameter. A
policy action should specify the way traffic should be treated. For example, it might specify a priority for
the flow or it may specify that the flow may simply be denied. For example, create an action called
bw_action:

ALL -> policy action bw_action maximum bandwidth 300K

More than one action parameter may be specified. Some parameters, like ToS and DSCP, are mutually
exclusive. In addition, some action parameters are only supported with particular condition parameters.

policy action keywords

disposition            802.1p
shared                 dscp
priority               map
maximum bandwidth      load balance group
maximum depth
maximum buffers
tos

To remove an action parameter or return the parameter to its default, use no with the relevant keyword, as
we did in the condition example above:

ALL -> policy action bw_action no maximum bandwidth


To remove a policy action, use the no form of the command.

ALL -> no policy action bw_action


As with a condition, an action cannot be deleted if it is currently being used by a policy rule. If a rule is
using the action, the switch will display an error message. For example:

ALL -> no policy action bw_action


ERROR: bw_action is being used by rule 'rule_1'

Now, let’s put it together. Type:

6850E & 6450 -> policy condition c1 destination ip 10.10.10.100 destination tcp port 23
6900 -> policy condition c1 destination ip 10.10.10.100 destination tcp-port 23
ALL -> policy action bw_action maximum bandwidth 300k
ALL -> policy rule telnet_rule condition c1 action bw_action
ALL -> qos apply

8.7. policy rule keywords

precedence
validity period
save
log
log interval
count
trap

By default, rules are enabled. Rules may be disabled or re-enabled through the policy rule command

ALL -> policy rule telnet_rule disable


ALL -> qos apply

8.8. Rule Precedence


The switch attempts to classify flows coming into a port according to policy precedence. The rule with the
highest precedence will be applied to the flow.
Precedence is determined by the following, in order:
• Precedence value — Each policy has a precedence value. The value may be user-configured
through the policy rule command in the range from 0 (lowest) to 65535 (highest). (The range 30000 to
65535 is typically reserved for PolicyView.) By default, a policy rule has a precedence of 0.
• Configured rule order — If a flow matches more than one rule and both rules have the same
precedence value, the rule that was configured first in the list will take precedence.
To specify a precedence value for a particular rule, use the policy rule command with the precedence
keyword. For example, type:

ALL -> policy rule telnet_rule precedence 1000 condition c1 action bw_action
Logging a rule may be useful for determining such things as the source of attacks. Often, at least when
initially configuring your rules, it is recommended to use the log option to monitor how your policies are
being used. To specify that the switch should log information about flows that match the specified policy
rule, use the policy rule command with the log option. For example, type:

ALL -> policy rule telnet_rule log


Commands used for configuring condition groups include the following:

policy network group
policy service group
policy mac group
policy port group

8.9. policy network group


By default, the switch contains a network group called Switch that includes all IP addresses configured for
the switch itself. This network group may also be used in policy conditions.
In the next example, a policy network group called netgroup3 is created with three IP addresses. The first
address also specifies a mask.

ALL -> policy network group netgroup3 173.21.4.39 mask 255.255.255.0 10.10.5.3 10.10.5.5
ALL -> policy condition c4 source network group netgroup3

Procedure                       Keywords (R6)            Keywords (R7)            Notes

Basic procedure for either      protocol                 protocol                 The protocol must be specified with
TCP or UDP service              source ip port           source ip-port           at least one source or destination
                                destination ip port      destination ip-port      port.

Shortcut for TCP service        source tcp port          source tcp-port          Keywords may be used in combination.
                                destination tcp port     destination tcp-port

Shortcut for UDP service        source udp port          source udp-port          Keywords may be used in combination.
                                destination udp port     destination udp-port

8.10. policy service group


In this example, a policy service called telnet1 is created with the TCP protocol number (6) and the
well-known Telnet destination port number (23). Type:
6850E & 6450 -> policy service telnet1 protocol 6 destination ip port 23
6900 -> policy service telnet1 protocol 6 destination ip-port 23

Or a shortcut for this command replaces the protocol and destination ip port keywords with
destination tcp port, by typing:

6850E & 6450 -> policy service telnet1 destination tcp port 23
6900 -> policy service telnet1 destination tcp-port 23

Add a second service by typing:


6850E & 6450 -> policy service ftp1 destination tcp port 21
6900 -> policy service ftp1 destination tcp-port 21

Now, let’s combine the services into a service group, by typing:

ALL -> policy service group tel_ftp telnet1 ftp1

ALL -> show policy service group

Group Name      From   Entries
+tel_ftp        cli    ftp1
                       telnet1

8.11. policy mac group


To create a MAC group, use the policy mac group command. For example, type:

ALL -> policy mac group macgrp2 08:00:20:00:00:00 mask ff:ff:ff:00:00:00


The MAC group may then be associated with a condition through the policy condition command. Note that
the policy condition specifies whether the group should be used for source or destination. For example,
type:

ALL -> policy condition cond3 source mac group macgrp2

8.12. policy port group


To create a port group, use the policy port group command. For example,

ALL -> policy port group visitor_ports 1/1 1/10-12


When a port group is used as part of a policy rule and a policy action specifies a maximum bandwidth, each
interface in the port group will be allowed the maximum bandwidth. Using the port group policy created
above let's tie them together:

ALL -> policy condition Ports source port group visitor_ports


ALL -> policy action MaxBw maximum bandwidth 100K
ALL -> policy rule VisitorPortRule condition Ports action MaxBw
ALL -> qos apply
In this example, 100 Kbps will be allowed over each port in the port group visitor_ports (ports 1/1 1/10-12).
To view group settings, type:
ALL -> show policy network group
Group Name      From   Entries
Switch          blt    10.1.1.1
netgroup3       cli    10.10.5.3
                       10.10.5.5
                       173.21.4.39 mask 255.255.255.0

ALL -> show policy service
Service Name    From   IPProto   SrcPort   DstPort
ftp1            cli    TCP                 21
telnet1         cli    TCP                 23

ALL -> show policy service group
Group Name      From   Entries
tel_ftp         cli    ftp1
                       telnet1

ALL -> show policy mac group
Group Name      From   Entries
macgrp2         cli    08:00:20:00:00:00 mask FF:FF:FF:00:00:00

ALL -> show policy port group
Group Name      From   Entries   Mode
Slot01          blt    1/1-14    non-split
visitor_ports   cli    1/1       non-split
                       1/10-12

8.13. policy map group


When mapping to the same type of value (802.1p to 802.1p, ToS to ToS, or DSCP to DSCP), the action will
result in remapping the specified values. Any values that are not specified in the map group are preserved.
In this example, a map group is created for 802.1p bits. Type:

ALL -> policy map group Group2 1-2:5 4:5 5-6:7


ALL -> policy action Map1 map 802.1p to 802.1p using Group2

When mapping to a different type of value, however (802.1p to ToS, 802.1p to DSCP), any values in the
incoming flow that match the rule but are not included in the map group will be zeroed out. For
example, the following action specifies the same map group but instead maps 802.1p to ToS. Type:
ALL -> policy action Map2 map 802.1p to tos using Group2
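To make the two mapping behaviours concrete, here is an added Python model of how a map group such as "1-2:5 4:5 5-6:7" is expanded and then applied by a map action. It is not code from the course or from AOS: same-type mapping keeps the values the group does not list, cross-type mapping zeroes them. The function names and the sample frames (one per 802.1p value) are constructed for the example.

```python
"""Model of an AOS QoS 'policy map group'. Added example, not OmniSwitch code.

A map group such as  1-2:5 4:5 5-6:7  lists <from-range>:<to-value> pairs.
Same-type mapping (802.1p -> 802.1p) remaps the listed values and preserves
the rest; cross-type mapping (802.1p -> ToS) zeroes every value the group
does not list.
"""
from typing import Dict, Iterable, List


def parse_map_group(spec: str, max_value: int = 7) -> Dict[int, int]:
    """Expand '1-2:5 4:5 5-6:7' into {1: 5, 2: 5, 4: 5, 5: 7, 6: 7}.
    max_value is the largest legal input value (7 for 802.1p, 63 for DSCP)."""
    mapping: Dict[int, int] = {}
    for entry in spec.split():
        src, dst = entry.split(":")
        lo, hi = (int(x) for x in src.split("-")) if "-" in src else (int(src),) * 2
        if not 0 <= lo <= hi <= max_value:
            raise ValueError(f"bad range in map group entry {entry!r}")
        for value in range(lo, hi + 1):
            mapping[value] = int(dst)
    return mapping


def apply_map(value: int, mapping: Dict[int, int], same_type: bool) -> int:
    """Marking that a flow carrying `value` leaves the map action with."""
    if value in mapping:
        return mapping[value]
    # Unlisted values: preserved for same-type maps, zeroed for cross-type maps.
    return value if same_type else 0


def remap_flow(values: Iterable[int], spec: str, same_type: bool) -> List[int]:
    """Apply one map group to a sequence of incoming markings."""
    mapping = parse_map_group(spec)
    return [apply_map(v, mapping, same_type) for v in values]


if __name__ == "__main__":
    frames = list(range(8))   # constructed sample: one frame per 802.1p value
    print("Map1 802.1p->802.1p:", remap_flow(frames, "1-2:5 4:5 5-6:7", same_type=True))
    print("Map2 802.1p->tos:   ", remap_flow(frames, "1-2:5 4:5 5-6:7", same_type=False))
```

Running it shows priorities 0 and 3 surviving Map1 unchanged while Map2 turns them into 0, and priority 7, which no entry mentions, surviving only in the same-type case.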

9 Summary
This lab introduced you to many of the QoS configurations available on the OmniSwitch.

10 Lab Check
- What are the three basic steps to forming a policy?
........................................................................................................................
- What are the types of condition groups available and how are they used?
........................................................................................................................
- What is the command used to set QoS back to its default configurations?
........................................................................................................................
- (True or False)
By default, bridged, routed, and multicast flows that do not match any policies are accepted on the
switch.
- (True or False)
By default, switched ports are not trusted.
OMNISWITCH AOS R6/R7/R8

Flow Based Filtering


Module Objectives
 You will:
 Learn how to use the Advanced AOS Security mechanisms in order to protect the core network as well as data
 Access Control Lists (ACL)
 ACL Manager (ACLMAN)

AOS R6
QOS Policy Types
 Basic QOS
 • Traffic prioritization
 • Bandwidth shaping
 • Queuing management
 ICMP Policies
 • Filtering
 • Prioritizing
 • Rate limiting traffic (security)
 Access Guardian
 • User Network Profile
 QOS 802.1p / ToS / DSCP
 • Marking
 • Stamping
 Policy Based Routing
 • Routed traffic redirecting
 Filtering
 • Layer 2 and Layer 3 & 4 ACLs
 Policy Based Mirroring
 • Mirror traffic based on QoS policies
Policy Based Filtering
ACLs
 ACLs are the filtering part of policies
 Other policies can apply to prioritization and bandwidth management

 ACL policies come from
 Webview (SNMP) / CLI / SecureView ACL (OmniVista)
 Access control list (ACL) policies are applied
 For the whole chassis
 Each policy is global to the switch and has a precedence (0..65535) – higher comes first
 At ingress only
 On L1 – L4
 The type of traffic is specified in the policy condition
 Hardware-based packet filtering based on L1/L2/L3/L4
 An ‘established’ condition flag identifies the return traffic of a TCP connection, for the case where a flow is allowed while its answer would otherwise not be
 The ‘policy action’ command determines whether the traffic is allowed or denied
ACL
Defining Policies
 Policies for ACLs are created in the same manner as QoS policies

 Parameters are:
 Policy name <name>
 Condition name <name>
 Action name <name>
 Precedence 0-65535 (higher first)
 Established (used when needing a response, e.g. Telnet)
[Diagram: Policy Rule = Condition + Action (“disposition”)]

 Customizable Groups for conditions


 Network group
 MAC group
 Service group
 Port group
CLI
QOS ACL Policy Rule Configuration

-> policy condition condition_name


-> policy action action_name [disposition {accept | drop | deny}]

-> policy rule rule_name [enable | disable] [precedence precedence] [condition condition_name]
[action action_name] [validity period name | no validity period] [save] [log [log-interval seconds]]
[count {packets | bytes}] [trap | no trap] [default-list | no default-list]

[Diagram: policy rule = condition (packet classification of the incoming packet) + action (“disposition”: accept or deny incoming traffic, forward or block outgoing traffic)]
ACL
Default Settings
 Default settings allow all traffic but can be modified

Parameter                       Command                              Default

Global bridged disposition      qos default bridged disposition      accept
Global routed disposition       qos default routed disposition       accept
Global multicast disposition    qos default multicast disposition    accept
Policy rule disposition         policy rule disposition              accept
Policy rule precedence          policy rule precedence               0 (lowest)

ACL
Conditions
Layer 2 ACL                  Layer 3/4 ACL                  Multicast ACL
Condition Keywords           Condition Keywords             Condition Keywords

source mac                   source ip                      multicast ip
source mac group             source ipv6                    multicast network group
destination mac              source network group           destination ip
destination mac group        destination ip                 destination vlan
source vlan                  destination ipv6               destination port
source port                  destination network group      destination port group
source port group            source ip port                 destination mac
destination port             destination ip port            destination mac group
destination port group       service
ethertype                    service group
802.1p                       ip protocol
                             ipv6
                             nh
                             flow-label
                             destination port
                             destination port group
                             icmptype
                             icmpcode
                             tos
                             dscp
                             source tcp port
                             destination tcp port
                             source udp port
                             destination udp port
                             established
                             tcpflags
Layer 2 ACL
Example
 L2 Conditions can be defined for the following:
 MAC address or MAC group
 Source VLAN
 Physical slot/port or port group

-> qos default bridged disposition accept


-> policy condition Cond-Deny-Host1 source mac D4:85:64:EC:33:EF source vlan 5
-> policy action Act-deny-Host1 disposition deny
-> policy rule Rule-Deny-Host1 condition Cond-Deny-Host1 action Act-deny-Host1 log
-> qos apply

 Allows all bridged traffic except for traffic matching the source MAC address and VLAN 5.
Layer 3 ACL
Example
 L3 Conditions can be defined for the following:
 Source IP address or source network group
 Destination IP address or destination network group
 IP protocol
 ICMP code
 ICMP type
 Source TCP/UDP port
 Destination TCP/UDP port or service or service group

-> qos default routed disposition accept


-> policy network group netgroup1 192.168.82.0 mask 255.255.255.0 192.60.83.0
-> policy condition lab3 source network group netgroup1
-> policy action deny_traffic disposition deny
-> policy rule lab_rule1 condition lab3 action deny_traffic precedence 65535
-> qos apply
ACL L3 Example

[Diagram: Subnet 192.168.100.0/24 and Host1 172.16.30.2/24]

-> qos default routed disposition deny

-> policy condition allow-host1 source ip 172.16.30.2 mask 255.255.255.255 destination ip 192.168.100.0 mask 255.255.255.0
-> policy condition subnet-100 source ip 192.168.100.0 mask 255.255.255.0 destination ip 172.16.30.2 mask 255.255.255.255
-> policy action action-allow disposition accept
-> policy rule rule1 condition allow-host1 action action-allow log
-> policy rule rule2 condition subnet-100 action action-allow log
-> qos apply

This set of commands globally denies routed traffic on the switch and allows communication to and from
Host1 to subnet 192.168.100.0/24.
ACL
Established example
 To allow TCP connections initiated from Inside only

[Diagram: Outside / Inside]

policy network group internal 10.0.0.0 mask 255.0.0.0 192.168.0.0 mask 255.255.0.0 172.16.0.0 mask 255.240.0.0
policy condition condition1 destination network group internal established*
policy action allow disposition accept
policy rule rule1 condition condition1 action allow
policy condition condition2 destination network group internal
policy action drop disposition drop
policy rule rule2 condition condition2 action drop

• TCP header information is examined to determine if the ack or rst flag bit is set
• This condition is used in combination with a source/destination IP or source/destination TCP port condition.
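The classification behaviour shown on this slide, together with the rule precedence and configured-order tie-break explained in section 8.8 of the QoS lab and section 8.10 of the ACL lab, as an added Python model. This is not OmniSwitch code; it mimics the stated behaviour with constructed packets and hosts (203.0.113.5 standing for an outside host, 10.1.1.10 for an inside host). The flag set used for "established" follows the slide (ACK or RST); the lab text also lists FIN, so the set is kept in one constant.

```python
"""Model of how an AOS policy rule set classifies a packet. Added example for
this course page; it is not OmniSwitch code and only mimics the behaviour the
text describes: network groups with masks, rule precedence with configured
order as the tie-break, the global default disposition, and 'established'."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, List, Optional, Tuple

# Flags the slide names for 'established' (ACK or RST set); the lab text also
# lists FIN, so the set is kept in one place for easy adjustment.
ESTABLISHED_FLAGS = frozenset({"ACK", "RST"})


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    tcp_flags: FrozenSet[str] = frozenset()


def network_group(spec: str) -> List[IPv4Network]:
    """Parse the argument string of 'policy network group': addr [mask m] ..."""
    nets, tokens = [], spec.split()
    while tokens:
        addr, mask = tokens.pop(0), "255.255.255.255"
        if tokens[:1] == ["mask"]:
            tokens.pop(0)
            mask = tokens.pop(0)
        nets.append(IPv4Network(f"{addr}/{mask}", strict=False))
    return nets


@dataclass
class Condition:
    src_group: Optional[List[IPv4Network]] = None
    dst_group: Optional[List[IPv4Network]] = None
    established: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.src_group and not any(IPv4Address(pkt.src) in n for n in self.src_group):
            return False
        if self.dst_group and not any(IPv4Address(pkt.dst) in n for n in self.dst_group):
            return False
        if self.established:
            # Only reply segments of an existing TCP connection carry ACK or RST.
            if pkt.proto != "tcp" or not (pkt.tcp_flags & ESTABLISHED_FLAGS):
                return False
        return True


@dataclass
class Rule:
    name: str
    condition: Condition
    disposition: str        # accept | deny | drop
    precedence: int = 0     # 0 (lowest) .. 65535 (highest)
    order: int = 0          # position in the configuration, set by PolicySet


class PolicySet:
    def __init__(self, default_disposition: str = "accept"):
        self.default = default_disposition
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        if not 0 <= rule.precedence <= 65535:
            raise ValueError("precedence must be in 0..65535")
        rule.order = len(self.rules)
        self.rules.append(rule)

    def classify(self, pkt: Packet) -> Tuple[Optional[str], str]:
        """Return (winning rule name or None, disposition applied)."""
        hits = [r for r in self.rules if r.condition.matches(pkt)]
        if not hits:
            return None, self.default   # global default disposition
        # Highest precedence value wins; the earlier configured rule breaks ties.
        best = min(hits, key=lambda r: (-r.precedence, r.order))
        return best.name, best.disposition


def build_established_example() -> PolicySet:
    """The slide's policy: accept replies to connections opened from Inside,
    drop everything else destined to the internal network group."""
    internal = network_group(
        "10.0.0.0 mask 255.0.0.0 192.168.0.0 mask 255.255.0.0 172.16.0.0 mask 255.240.0.0")
    ps = PolicySet(default_disposition="accept")
    ps.add(Rule("rule1", Condition(dst_group=internal, established=True), "accept"))
    ps.add(Rule("rule2", Condition(dst_group=internal), "drop"))
    return ps


def precedence_demo() -> Tuple[str, str]:
    """Configured order breaks a tie; a later rule wins only when it carries
    a higher precedence value. Addresses are constructed sample values."""
    host = network_group("192.168.82.1")
    ps = PolicySet()
    ps.add(Rule("first", Condition(src_group=host), "accept"))
    ps.add(Rule("second", Condition(src_group=host), "deny"))
    tie_winner, _ = ps.classify(Packet("192.168.82.1", "10.0.0.1"))
    ps.add(Rule("third", Condition(src_group=host), "deny", precedence=1000))
    prec_winner, _ = ps.classify(Packet("192.168.82.1", "10.0.0.1"))
    return tie_winner, prec_winner


if __name__ == "__main__":
    ps = build_established_example()
    outside, inside = "203.0.113.5", "10.1.1.10"   # constructed sample hosts
    print(ps.classify(Packet(outside, inside, tcp_flags=frozenset({"SYN"}))))
    print(ps.classify(Packet(outside, inside, tcp_flags=frozenset({"SYN", "ACK"}))))
    print(ps.classify(Packet(inside, outside, tcp_flags=frozenset({"SYN"}))))
    print(precedence_demo())
```

Note that rule1 and rule2 both match a SYN/ACK from outside; they carry the same precedence (0), so the configured order decides and rule1 (accepted) wins, which is exactly why the slide creates the established rule first. A bare SYN from outside matches only rule2 and is dropped, and traffic leaving towards the outside matches neither rule and falls back to the global default.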
ACL MANAGER (ACLMAN)
ACL Manager Overview

 Separate interface that allows network administrators to configure and manage ACLs using common industry syntax
 Transparently converted into Alcatel-Lucent QoS filtering policies and applied to the switch

-> aclman
Aclman#

 Supported on OS6250, OS6450, OS6850
 Once ACLMAN is invoked, no AOS CLI commands can be entered
 Configured through command modes:
 Enable
 Configure
[Diagram: aclman# write memory → Aclman.cfg]
 ACL Types
 Standard – Compares source address of packet
 Numbered - Valid Ranges are 1-99 and 1300-1999
 Named - Example: ACLDemo, ACLDataCenter
 Extended – Compares source/destination/protocol/TCP/UDP
 Numbered - Valid Ranges are 100-199 and 2000-2699
 Named – Example: ACLDemoEx, ACLDataCenterEx
Extended ACL Example
-> aclman
aclman# configure terminal
aclman(config)# ip access-list extended allow_http
aclman(config-ext-nacl)# permit tcp 10.0.0.0 0.255.255.255 host 10.2.2.2 eq www log
aclman(config-ext-nacl)# exit
aclman(config)# interface ethernet 1/1
aclman(config-if)# ip access-group allow_http in
aclman(config-if)# end
aclman# write memory

[Diagram: 10.1.1.1 – Permit HTTP; 10.1.1.2 – Permit HTTP; Allow only HTTP]

aclman# show ip interface Ethernet1/1 1/1
Inbound access list is allow_http
Outgoing access list is not set

aclman# show access-lists
Extended IP access list allow_http
10 permit tcp 10.0.0.0 255.0.0.0 host 10.2.2.2 eq www log
Qos Rule & ACLMAN Example

aclman(config)# ip access-list extended 101
aclman(config-ext-nacl)# deny ip host 192.168.2.101 host 10.0.66.101
aclman(config-ext-nacl)# permit ip any any
!
aclman(config)# interface Ethernet 1/1
aclman(config-if)# ip access-group 101 in

[Diagram: host 192.168.2.101 on port 1/1, host 10.0.66.101]

Equivalent QoS policy rule:
policy condition cond2 source port 1/1 source ip 192.168.2.101 destination ip 10.0.66.101
policy action block disposition deny
policy rule rule2 condition cond2 action block

(Default implicit accept)
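To show what the conversion ACLMAN performs looks like, here is an added Python translator that turns the two extended ACL entries from these slides into the AOS policy triplet (condition, action, rule). It is not the ACLMAN code itself: the generated object names cond<N>, act<N> and rule<N>, the R6 keyword form "destination tcp port", and the small "eq www" to 80 name table are assumptions of this model. The wildcard-to-mask conversion reproduces what "show access-lists" printed above (0.255.255.255 shown as 255.0.0.0).

```python
"""Translate extended ACL entries written in common industry syntax into the
AOS policy condition / action / rule lines ACLMAN generates behind the scenes.
Added example for this course page, not the ACLMAN implementation: the
generated object names (cond<N>, act<N>, rule<N>), the R6 keyword form
'destination tcp port' and the 'eq www' -> 80 name table are assumptions."""
from typing import List

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23}   # well-known service names
IP_PROTO = {"tcp": 6, "udp": 17}


def wildcard_to_mask(wildcard: str) -> str:
    """Industry ACLs use inverse wildcards (0.255.255.255); AOS expects a
    subnet mask (255.0.0.0), which is also what 'show access-lists' prints."""
    octets = [int(o) for o in wildcard.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad wildcard {wildcard!r}")
    return ".".join(str(255 - o) for o in octets)


def _address(tokens: List[str]) -> str:
    """Consume one address spec and return the AOS fragment:
    'any' -> '' (no constraint), 'host A' -> 'A', 'A W' -> 'A mask M'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ""
    if tok == "host":
        return tokens.pop(0)
    return f"{tok} mask {wildcard_to_mask(tokens.pop(0))}"


def translate_ace(ace: str, interface: str, seq: int) -> List[str]:
    """Turn one access-list entry applied inbound on `interface` (slot/port)
    into three AOS CLI lines."""
    tokens = ace.split()
    verb, proto = tokens.pop(0), tokens.pop(0)
    if verb not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported entry {ace!r}")
    src, dst = _address(tokens), _address(tokens)
    cond = [f"source port {interface}"]        # inbound interface -> source port
    if src:
        cond.append(f"source ip {src}")
    if dst:
        cond.append(f"destination ip {dst}")
    log, port = False, None
    while tokens:
        tok = tokens.pop(0)
        if tok == "eq" and proto in IP_PROTO:
            name = tokens.pop(0)
            port = PORT_NAMES.get(name, name)
        elif tok == "log":
            log = True
        else:
            raise ValueError(f"unsupported token {tok!r} in {ace!r}")
    if port is not None:
        cond.append(f"destination {proto} port {port}")   # implies the protocol
    elif proto in IP_PROTO:
        cond.append(f"ip protocol {IP_PROTO[proto]}")     # tcp/udp without a port
    disposition = "accept" if verb == "permit" else "deny"
    return [
        f"policy condition cond{seq} " + " ".join(cond),
        f"policy action act{seq} disposition {disposition}",
        f"policy rule rule{seq} condition cond{seq} action act{seq}" + (" log" if log else ""),
    ]


def translate_acl(entries: List[str], interface: str) -> List[str]:
    """Translate a whole list; entries are numbered in configured order."""
    lines: List[str] = []
    for seq, ace in enumerate(entries, start=1):
        lines.extend(translate_ace(ace, interface, seq))
    return lines


if __name__ == "__main__":
    # The entries from the two ACLMAN slides, applied inbound on port 1/1.
    for line in translate_acl([
        "permit tcp 10.0.0.0 0.255.255.255 host 10.2.2.2 eq www log",
        "deny ip host 192.168.2.101 host 10.0.66.101",
    ], "1/1"):
        print(line)
```

The translator rejects anything it does not understand rather than silently dropping a qualifier, which is the safe failure mode for a filter: a mistranslated wildcard or a lost "eq" would widen or narrow the ACL without any visible error.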


ACL Settings

Contents
1 Objective ......................................................................................... 3
2 ACL Settings ...................................................................................... 3
3 EQUIPMENT/SOFTWARE REQUIRED ........................................................... 3
4 Related Commands ............................................................................. 3
5 Supported Platforms ............................................................................ 3
6 Discussion......................................................................................... 3
7 ACL Specifications .............................................................................. 4
7.1. Global QoS Defaults ................................................................................... 4
8 Reminders ........................................................................................ 5
8.1. Global Configuration .................................................................................. 5
8.2. Condition ................................................................................................ 6
8.3. Policy network group.................................................................................. 6
8.4. Policy service group ................................................................................... 7
8.5. Policy mac group....................................................................................... 7
8.6. Policy port group....................................................................................... 7
8.7. Action .................................................................................................... 7
8.8. Rule ...................................................................................................... 8
8.9. Rule Precedence ....................................................................................... 8
8.10. How Precedence is Determined ..................................................................... 8
8.11. Logging .................................................................................................. 8
8.12. Monitoring ............................................................................................... 8

9 LABS STEPS ....................................................................................... 9


9.1. To filter multicast clients ............................................................................ 9
9.2. FTP traffic filtering ...................................................................................10
9.2.1. Policy 1 ........................................................................................................ 10
9.2.2. Policy 2 ........................................................................................................ 11
9.2.3. Policy 3 ........................................................................................................ 11

10 Summary ......................................................................................... 11
11 Lab Check ....................................................................................... 12

1 Objective
This lab will provide an overview of ACL settings on the OmniSwitch family of products. It introduces
many different configurations and lets you become familiar with the syntax. By the end of this lab, you
will see how complex ACLs can be and which steps make them work properly. The final section will
challenge you to create a configuration based on a scenario.

2 ACL Settings
The OmniSwitch family of products was designed with security in mind. As a result, there is a
variety of features and settings available, and the feature set will continue to expand as new
standards and functional needs emerge.

3 EQUIPMENT/SOFTWARE REQUIRED
Two (2) OmniSwitches and two or more PCs.

4 Related Commands
qos (enable, disable, apply, reset, flush), qos port …,
policy (condition, action, rule, …), show qos …, show policy …, policy … group, policy service …

5 Supported Platforms
All

6 Discussion
While policies may be used in many different types of network scenarios, we will address the following:
- ICMP policies – including filtering
- ACLs – used for Layer 2, Layer 3/4 and multicast filtering.
ACL configuration may interact with other configured features, such as SLB, dynamic link aggregation (LACP),
802.1Q, mobile ports, IP routing, and LDAP policy management. Combinations of policies can also be
configured. These topics will not be addressed in this lab exercise and are left to the student for further
study and investigation.
Use the Policy Condition Combination table in the Network Configuration Guide for a list of valid
combinations and further discussion on combinations.
This lab covers the QoS CLI commands used specifically to configure ACLs.
ACLs are basically a type of QoS policy, and the commands used to configure ACLs are a subset of the
switch’s QoS commands.

7 ACL Specifications
These specifications are the same as those for QoS in general:
Maximum number of policy rules                            2048 (1024 for OS6250 and OS6450, 8192 for OS6900)
Maximum number of policy conditions                       2048 (8192 for OS6900)
Maximum number of policy actions                          2048 (8192 for OS6900)
Maximum number of policy services                         256 (512 for OS6900)
Maximum number of groups (network, MAC, service, port)    1024 (2048 for OS6900)

ACLs provide moderate security between networks. The following illustration shows how ACLs may be
used to filter subnetwork traffic through a private network, functioning like an internal firewall for
LANs.
When traffic arrives on the switch, the switch checks its policy database to attempt to match Layer 2 or
Layer 3/4 information in the protocol header to a filtering policy rule. If a match is found, it applies the
relevant disposition to the flow. Disposition determines whether a flow is allowed or denied. There is a
global disposition (the default is accept), and individual rules may be set up with their own dispositions.

7.1. Global QoS Defaults


Use the qos reset command to reset global values to their defaults.
QoS is enabled by default. Other global QoS defaults include:
- strict priority queuing
- 802.1Q tagged and mobile ports are always trusted; any other port is untrusted
- default bridged, routed, and multicast disposition is accept
- debug qos is set at info level
- 802.1p and dscp default to 0 on a per port basis
- policy rule precedence defaults to 0
- policy action default disposition is accept
- the default network group (named ‘Switch’) contains all IP addresses created on a switch
- each slot has its own default port group (named ‘Slot#’, e.g. Slot01 on an OS6850)
Along with qos reset, other global commands one might use are:
qos revert
qos flush
qos disable
Use the qos port reset command to reset port settings to their defaults.
(Please consult the configuration guides for default settings.)

Notes
In the current software release, the deny and drop options produce the same effect: the traffic is
silently dropped.

Notes
There are no defaults for the policy condition command

Globally, in order to configure an ACL, the following general steps are required:
1. Set the global disposition
2. Create a condition for the traffic to be filtered
3. Create an action to accept or deny the traffic
4. Create a policy rule that combines the condition and the action

8 Reminders

8.1. Global Configuration


By default QoS is enabled on the switch. If QoS policies are configured and applied, the switch will
attempt to classify traffic and apply relevant policy actions.
To disable QoS, use the qos command. Type:
-> qos disable
QoS is immediately disabled. When QoS is disabled globally, no flows coming into the switch are
classified (matched to policies).
To re-enable QoS, enter the qos command with the enable option. Type:
-> qos enable
QoS is immediately re-enabled. Any policies that are active on the switch will be used to classify
traffic coming into the switch.

Notes
Individual policy rules may be enabled or disabled with the policy rule command

By default, bridged, routed, and multicast flows that do not match any policies are accepted on the
switch. To change the global default disposition (which determines whether the switch will accept,
deny, or drop the flow), use the desired disposition setting (accept, drop, or deny) with any of the
following commands: qos default bridged disposition, qos default routed disposition, or qos
default multicast disposition.
For example, to deny any routed flows that do not match policies, type:
-> qos default routed disposition deny
To activate the setting, type:
-> qos apply
Typically, the disposition is only configured when you are using policies for Access Control Lists
(ACLs).
Notes
If you set qos default bridged disposition to deny as well, you effectively drop all traffic (bridged or routed)
that does not match any policy. If you want to create ACLs to allow some Layer 2 traffic through the switch,
you must configure two rules for each type of Layer 2 traffic, one for source and one for destination.

What would be the command to reset all QoS parameters back to their defaults?
Type:
-> qos reset
Although it is not covered in this lab exercise, there is a significant amount of information to be
gathered using qos log and debug qos. (Please consult the configuration guides for further
information.)
To quickly gather some basic information about QoS settings, type:
-> show qos config
-> show qos statistics

8.2. Condition
There are many options for configuring a condition, depending on how you want the switch to
classify traffic for this policy. More than one condition parameter may be specified.
The condition will not be active on the switch until you enter the qos apply command.

Policy condition keywords

source ip                    tos
destination ip               dscp
multicast ip                 802.1p
source network group         source mac
destination network group    destination mac
multicast network group      source mac group
source ip port               destination mac group
destination ip port          source vlan
source tcp port              destination vlan
destination tcp port         source port
source udp port              source port group
destination udp port         destination port
service                      destination port group
service group                source interface type
ip protocol                  destination interface type

The commands used for creating condition groups include:


policy network group
policy mac group
policy service
policy service group
policy port group

8.3. Policy network group


By default, the switch contains a network group called Switch that includes all IP addresses
configured for the switch itself. This network group may also be used in policy conditions.
In the next example, a policy network group called netgroup3 is created with three IP addresses.
The first address also specifies a mask.
-> policy network group netgroup3 173.21.4.39 mask 255.255.255.0 10.10.5.3 10.10.5.5
-> policy condition c4 source network group netgroup3

8.4. Policy service group


In this example, a policy service called telnet1 is created with the TCP protocol number (6) and the
well-known Telnet destination port number (23). Type:
-> policy service telnet1 protocol 6 destination ip port 23
Or a shortcut for this command replaces the protocol and destination ip port keywords with
destination tcp port, by typing:
-> policy service telnet1 destination tcp port 23
Add a second service by typing:
-> policy service ftp1 destination tcp port 21
Now, let’s combine the services into a service group, by typing:
-> policy service group tel-ftp telnet1 ftp1

8.5. Policy mac group


To create a MAC group, use the policy mac group command. For example, type:
-> policy mac group macgrp2 08:00:20:00:00:00 mask ff:ff:ff:00:00:00 00:20:da:05:f6:23
The MAC group may then be associated with a condition through the policy condition command.
Note that the policy condition specifies whether the group should be used for source or destination.
For example, type:
-> policy condition cond3 source mac group macgrp2

8.6. Policy port group


To create a port group, use the policy port group command. For example, type:
-> policy port group visitor_ports 2/1 3/1-24
To view group settings, type:
-> show policy network group
-> show policy service
-> show policy service group
-> show policy mac group
-> show policy port group

8.7. Action
More than one action parameter may be specified. Some parameters, like ToS and DSCP, are
mutually exclusive. In addition, some action parameters are only supported with particular condition
parameters.

policy action keywords

disposition           802.1p
shared                dscp
priority              map
maximum bandwidth     load balance group
maximum depth
maximum buffers
tos

8.8. Rule
policy rule keywords
precedence
validity period
save
log
log interval
count
trap
By default, rules are enabled. Rules may be disabled or re-enabled through the policy rule command
using the disable and enable options. For example:
-> policy rule telnet_rule disable
[Another option is to turn off QoS completely by typing: -> qos disable.]

8.9. Rule Precedence


The switch attempts to classify flows coming into a port according to policy precedence. The rule
with the highest precedence will be applied to the flow.

8.10. How Precedence is Determined


Precedence is determined by the following, in order:
- Precedence value: Each policy has a precedence value. The value may be user-configured
through the policy rule command in the range from 0 (lowest) to 65535 (highest). (The range
30000 to 65535 is typically reserved for PolicyView.) By default, a policy rule has a precedence of 0.
- Configured rule order: If a flow matches more than one rule and both rules have the same
precedence value, the rule that was configured first in the list will take precedence.
To specify a precedence value for a particular rule, use the policy rule command with the
precedence keyword. For example, type:
-> policy rule telnet_rule precedence 1000 condition c1 action accept

8.11. Logging
Logging a rule may be useful for determining such things as the source of firewall attacks. To specify
that the switch should log information about flows that match the specified policy rule, use the
policy rule command with the log option. For example, type:
-> policy rule telnet_rule log
-> show qos log

8.12. Monitoring
To view QoS configuration and activity, type:
-> show policy condition
-> show policy action
-> show policy rule
-> show active policy rule

9 LABS STEPS
To allow Layer 2 traffic into the switch, a rule must be configured for Layer 2 source traffic and another
for Layer 2 destination traffic.
On 6450, type:
-> qos reset
-> qos flush
-> qos apply
-> qos default bridged disposition deny
-> policy condition cond4 source mac 00:50:56:00:00:00 mask ff:ff:ff:00:00:00 destination port 1/3
-> policy action AllowTraffic disposition accept
-> policy rule Filter1 condition cond4 action AllowTraffic
Since the QoS software classifies the MAC address twice, after Filter1 is applied to the configuration
the switch will classify any traffic with a MAC address starting with 00:50:56 as both source and
destination. Condition cond4 allows the source traffic on the switch, but the destination traffic will
be denied unless another rule is set up.
Condition cond4 is set up for classifying Layer 2 destination traffic on physical port 1/3. Now when
Layer 2 flows with a MAC address starting with 00:50:56 arrive on the switch destined for destination
port 1/3, the flows will be allowed on the switch.
In this example, the default routed disposition is accept (the default). Since the default is accept,
the qos default routed disposition command would only need to be entered if the disposition had
previously been set to deny. The command is shown here for completeness. Type:
-> qos reset
-> qos default routed disposition accept
-> policy condition addr2 source ip 192.168.82.1 destination tcp port 23
-> policy action Block disposition deny
-> policy rule FilterL31 condition addr2 action Block
Traffic with a source IP address of 192.168.82.1, a destination IP port of 23, using protocol 6 (TCP),
will match condition addr2, which is part of FilterL31. The action for the filter (Block) is set to
deny traffic. The flow will be dropped on the switch.

9.1. To filter multicast clients


Specify the multicast IP address, which is the address of the multicast group or stream, and specify the
client IP address, VLAN, MAC address, or slot/port. For example, type:
-> qos default multicast disposition deny
-> policy condition Mclient1 multicast ip 225.0.1.2 destination vlan 5
-> policy action ok disposition accept
-> policy rule Mrule condition Mclient1 action ok
In this example, any traffic coming in on VLAN 5 requesting membership to the 225.0.1.2 multicast
group will be allowed.
In the following example, a condition called icmpCondition is created that matches only on the ICMP
protocol (ip protocol 1), with no other condition parameters. Use one switch and one PC. Begin by setting up IP and perform a ping test.
Type:
-> policy condition icmpCondition ip protocol 1
-> policy action icmpAction disposition deny
-> policy rule icmpRule condition icmpCondition action icmpAction log
Once you enter qos apply, ping will cease to work.

This policy (icmpRule) drops all ICMP traffic. To display the QoS debugging information internal to
the switch for ICMP echo requests (pings), use the debug qos internal command with the pingonly
keyword, then the show qos log command to display the stored log messages.
When you are finished, remove the rule, action and condition for this policy, and get ping working
again.

9.2. FTP traffic filtering

In this application for IP filtering, FTP traffic from an engineering group is routed through the
OmniSwitch. A policy is configured to accept this traffic on the switch.
Another policy denies traffic from the outside world to the engineering group; however, reverse
flows (reply packets) in response to the Telnet session are allowed through the switch.
Three policies must be created in this example to affect only FTP sessions.
In a first step, set up a service group (ftp) to identify FTP traffic only:
-> policy service ftp1 destination tcp port 20
-> policy service ftp2 destination tcp port 21
-> policy service group ftp ftp1 ftp2

9.2.1. Policy 1
Set up a policy rule called DenyFromOutside to deny FTP traffic to the private network.
1) Create a policy condition (FromOutside) that references the input port 1/1 and ftp traffic:
-> policy condition FromOutside source port 1/1 destination ip any service group ftp
2) Create a policy action (deny) to deny the traffic.
-> policy action deny disposition deny
3) Then combine the condition and the action in a policy rule (DenyFromOutside).
-> policy rule DenyFromOutside condition FromOutside action deny precedence 2
(or another alternative)
1) Create a policy condition (FromOutside) that references the destination IP subnet.
-> policy condition FromOutside destination ip 10.1.1.0 mask 255.255.255.0 service
group ftp
2) Create a policy action (deny) to deny the traffic.
-> policy action deny disposition deny
3) Then combine the condition and the action in a policy rule (outside).
-> policy rule DenyFromOutside condition FromOutside action deny precedence 20
-> qos apply
4) Check you don’t have any ftp connectivity from the outside network
9.2.2. Policy 2
Set up a second rule called FromInsideFTP to accept FTP traffic from the private network out to the public network.
1) Create a policy condition (FromInsideFTP) for the FTP traffic:
-> policy condition FromInsideFTP source ip 10.1.1.0 mask 255.255.255.0 destination ip any service group ftp
2) Create a policy action (accept) to allow the flow:
-> policy action accept disposition accept
3) Create a rule that references the policy condition and the policy action:
-> policy rule FromInsideFTP condition FromInsideFTP action accept precedence 10
-> qos apply
4) Check FTP connectivity from the inside network. The reply packets from the outside FTP server are destined to 10.1.1.0/24; on AOS the rule with the higher precedence number wins, so if DenyFromOutside matched on the destination subnet alone (without the ftp service group), its precedence 20 would beat FromInsideFTP's precedence 10 and the replies would be dropped. Policy 3 addresses this case.

9.2.3. Policy 3
An ACL can be defined using the established parameter to identify packets that are part of an established TCP connection and allow them through. When this parameter is used, the TCP header is examined to determine whether the ACK, FIN or RST flag is set. If one of them is, the packet is considered part of an established connection. No connection state is kept: the check is per packet, on the flags alone.
Set up a new rule called Established to accept reply packets from the public network back into the private network.
1) Create a policy condition (FromInsideFTPEstablished) that matches TCP packets destined to the private network with one of these flags set:
-> policy condition FromInsideFTPEstablished source ip any destination ip 10.1.1.0 mask 255.255.255.0 established
2) Create a rule that references the policy condition and the accept action created in Policy 2. Because the condition uses the established keyword and the rule has the highest precedence (30), reply packets that would otherwise be denied by DenyFromOutside get through:
-> policy rule Established condition FromInsideFTPEstablished action accept precedence 30
This configuration is not applied on the switch until the qos apply command is entered. You can test the rule first by using the policy classify l3 command.
Caveat: an established ACL trusts whatever flags the sender chose to set. Any packet from the outside with ACK set and a destination in 10.1.1.0/24 matches this rule, whatever its port, so it also admits ACK-flagged probes (ACK scans) and blindly injected segments. Keep the condition as narrow as you can (for example, restrict source ip to the servers your users actually reach) and rely on a stateful firewall where real connection tracking is needed.
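The rule interactions above are easier to reason about with a small stateless classifier. The following Python is an added example, not AOS code or output: it models the three rules (higher precedence number wins, unmatched flows accepted by default, as on the OmniSwitch), a variant of DenyFromOutside without the ftp service group, and the established flag check, and runs constructed packets through them, including a forged ACK from outside that the established rule lets in.

```python
"""Stateless ACL evaluation modelled on the section 9.2 rules. Added example, not AOS code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, List, Optional, Tuple

ENGINEERING = IPv4Network("10.1.1.0/24")   # the private (engineering) network of the lab
FTP_PORTS = (20, 21)                        # 'service group ftp': TCP destination ports


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()          # TCP flags present, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Packet], bool]
    disposition: str                        # "accept" or "deny"
    precedence: int                         # AOS: the higher number wins among matching rules


def is_established(p: Packet) -> bool:
    """The AOS 'established' test: ACK, FIN or RST set. Per packet, no connection table."""
    return bool(p.flags & {"ACK", "FIN", "RST"})


def policies(deny_on_ftp_ports: bool, with_established: bool) -> List[Rule]:
    """Rule set of section 9.2.
    deny_on_ftp_ports=True : DenyFromOutside carries 'service group ftp' (lab alternative 2)
    deny_on_ftp_ports=False: DenyFromOutside matches the destination subnet only
    with_established=True  : Policy 3 (rule Established, precedence 30) is present"""
    def from_outside(p: Packet) -> bool:
        to_engineering = IPv4Address(p.dst) in ENGINEERING
        return to_engineering and (p.dport in FTP_PORTS or not deny_on_ftp_ports)

    def from_inside_ftp(p: Packet) -> bool:
        return IPv4Address(p.src) in ENGINEERING and p.dport in FTP_PORTS

    def established_to_inside(p: Packet) -> bool:
        return IPv4Address(p.dst) in ENGINEERING and is_established(p)

    rules = [Rule("DenyFromOutside", from_outside, "deny", 20),
             Rule("FromInsideFTP", from_inside_ftp, "accept", 10)]
    if with_established:
        rules.append(Rule("Established", established_to_inside, "accept", 30))
    return rules


def classify(p: Packet, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """(disposition, winning rule). Flows matching no rule are accepted, the AOS default."""
    hits = [r for r in rules if r.matches(p)]
    if not hits:
        return "accept", None
    best = max(hits, key=lambda r: r.precedence)
    return best.disposition, best.name


# Constructed traffic (198.51.100.0/24 is a documentation range standing in for the outside).
OUTSIDE_SYN = Packet("198.51.100.7", "10.1.1.5", 40000, 21, frozenset({"SYN"}))  # outside opens FTP to inside
INSIDE_SYN = Packet("10.1.1.5", "198.51.100.7", 40000, 21, frozenset({"SYN"}))   # engineering opens FTP out
REPLY = Packet("198.51.100.7", "10.1.1.5", 21, 40000, frozenset({"SYN", "ACK"}))  # server's reply to INSIDE_SYN
CRAFTED_ACK = Packet("198.51.100.7", "10.1.1.5", 31337, 445, frozenset({"ACK"}))  # forged, never part of a session

if __name__ == "__main__":
    for label, on_ports, est in (("lab rules, no Policy 3", True, False),
                                 ("subnet-only deny, no Policy 3", False, False),
                                 ("subnet-only deny + Policy 3", False, True)):
        rules = policies(on_ports, est)
        print(label)
        for name, pkt in (("outside SYN", OUTSIDE_SYN), ("inside SYN", INSIDE_SYN),
                          ("FTP reply", REPLY), ("crafted ACK", CRAFTED_ACK)):
            print(f"  {name:12s} -> {classify(pkt, rules)}")
```

Running it shows the asymmetry a practitioner cares about: with the subnet-only deny, the legitimate reply is dropped until the Established rule is added, and once it is, a forged ACK to port 445 is accepted by that very same rule.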

10 Summary
This lab walked you through several ACL configurations on the OmniSwitch: building conditions, actions and rules, ordering them by precedence, and using the established keyword to admit reply traffic.
11 Lab Check
- What are the three basic steps to forming a policy?
........................................................................................................................
- What are the types of condition groups available and how are they used?
........................................................................................................................
- What does established do?
........................................................................................................................
- What are ACLs used for?
........................................................................................................................
- What is the command used to set QoS back to its default configurations?
........................................................................................................................
- (True or False)
By default, bridged, routed, and multicast flows that do not match any policies are accepted on the
switch.
- (True or False)
By default, switched ports are not trusted.
OMNISWITCH AOS R6/R7/R8

Security Network Access Control


Module Objectives
 You will:
  Learn how to configure different types of user authentication
 Access Guardian
  Overview
  RADIUS server setup
  Device classification policy description
  Policies definition
  Monitoring
 Captive Portal
  Concept
  Customization
  Parameter definition
  Monitoring
 User Network Profile
  Role Based Access Control by User Network Profile
  UNP and AAA Packet Classification Rule
  802.1x authentication server down classification policy
 Windows Logon Snooping
  Concept
  Configuration
 Access Guardian 2.0
  Overview
  Configuration
 BYOD with ClearPass
(Figure: the AOS operating system pillars High Availability, Extensive Manageability and Enhanced Security.)
ACCESS GUARDIAN
Access Guardian - Description
 Auto-sensing, multi-client authentication on a port
 Automatic detection of 802.1X and non-802.1X devices
 Port must be mobile and 802.1x enabled
 Can be configured from
  CLI
  WebView
  OmniVista Access Guardian application
 The network is configured to
  Accept any authentication method
  Authenticate 802.1X users, IP phones, printers, XBoxes, Unix devices... any device with a MAC address
  Support multiple types on one port
(Figure: a mix of devices on one switch, some speaking 802.1X and some not, all authenticated against a single RADIUS server.)
Access Guardian
Description
 Flexible per port configuration of security policies
  802.1X is used for user authentication
  MAC-based authentication can be used for non-802.1X clients on the same port
 Capability to mix
  Active authentication (802.1x per-client port access, or Captive Portal)
  Passive authentication (MAC based)
  Guest VLAN (Captive Portal and/or other mobility rules)
 Supported classification policies
  802.1X
  MAC authentication
  Captive Portal
  User Network Profile
  Group mobility rules
  VLAN
  Default VLAN
  Block
 Centralized location for user/device authentication, using a RADIUS server
 Separate security policies can be configured for supplicants and non-supplicants
(Flowchart: a frame is received on an 802.1x-enabled port; if the source is an 802.1x client, 802.1x authentication is performed, otherwise the first non-supplicant policy is applied.)
Access Guardian
Application - Higher Education - Campus Enterprise
Admin and teachers use 802.1x authentication; students can be authenticated via either 802.1x or MAC-based authentication.
802.1x supplicant (admin, teacher):
1 - 802.1x/EAP authentication frame sent with user login
2 - EAP intercepted by the switch
3 - Switch relays the request to RADIUS, adding the source MAC to the RADIUS frame
4 - Authentication frame is sent to the RADIUS server
5 - Login/password validated; 6 - Device moved to the appropriate VLAN
7 - Login/password failed; 8 - Device moved to the Default VLAN for registration
Non-supplicant (student device):
1 - Non-802.1x frame sent
2 - Non-802.1x frame intercepted by the switch
3 - Switch builds an authentication request using the source MAC as login and password
4 - Relays the authentication frame to the RADIUS server
5 - MAC validated; 6 - Device moved to the appropriate VLAN
7 - MAC failed; 8 - Device moved to the Default VLAN for registration
(Figure: Default VLAN, Student VLAN and Admin/Teacher VLAN behind the access switch.)
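To make the two exchanges concrete, here is an added Python example (not AOS code) that builds the RADIUS Access-Request a switch sends for a non-supplicant, with the source MAC as User-Name and User-Password (hidden as RFC 2865 prescribes) and again as Calling-Station-Id, then builds and verifies the Access-Accept carrying the VLAN (RFC 3580 tunnel attributes) and a UNP name in Filter-Id, which is how the RADIUS-returned profile name described later in this module reaches the switch. The shared secret, MAC, port and VLAN values are constructed; the Message-Authenticator attribute that EAP (802.1x) requests also carry is left out.

```python
"""RADIUS MAC authentication exchange (RFC 2865 / RFC 3580). Added example, not AOS code."""
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_PORT, FILTER_ID, CALLING_STATION_ID = 1, 2, 5, 11, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def _attr(atype: int, value: bytes) -> bytes:
    """One attribute TLV: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream, but the ciphertext block feeds the next MD5."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_mac_auth_request(mac: str, nas_port: int, secret: bytes, identifier: int = 1,
                           authenticator: Optional[bytes] = None) -> bytes:
    """Non-supplicant flow: the source MAC is User-Name and User-Password, and is also sent
    as Calling-Station-Id (the field the switch fills for 802.1x supplicants as well)."""
    authenticator = authenticator or os.urandom(16)      # Request Authenticator: 16 random bytes
    attrs = (_attr(USER_NAME, mac.encode())
             + _attr(USER_PASSWORD, hide_password(mac.encode(), secret, authenticator))
             + _attr(CALLING_STATION_ID, mac.encode())
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse(packet: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Split a RADIUS packet into code, identifier, authenticator and (type, value) attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs


def build_access_accept(request: bytes, secret: bytes, vlan: int, unp: Optional[str]) -> bytes:
    """Server reply: VLAN via RFC 3580 tunnel attributes (tag byte 0 = untagged), UNP name in Filter-Id."""
    _, ident, req_auth, _ = parse(request)
    attrs = (_attr(TUNNEL_TYPE, b"\x00" + b"\x00\x00\x0d")          # 13 = VLAN
             + _attr(TUNNEL_MEDIUM_TYPE, b"\x00" + b"\x00\x00\x06")  # 6 = IEEE 802
             + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()))
    if unp:
        attrs += _attr(FILTER_ID, unp.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def decode_accept(reply: bytes, request: bytes, secret: bytes) -> Dict[str, object]:
    """Switch side: verify the Response Authenticator, then extract VLAN and UNP name."""
    code, ident, resp_auth, attrs = parse(reply)
    _, req_ident, req_auth, _ = parse(request)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if code != ACCESS_ACCEPT or ident != req_ident or expected != resp_auth:
        raise ValueError("reply is not a valid Access-Accept for this request")
    result: Dict[str, object] = {"vlan": None, "unp": None}
    for atype, value in attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:                # leading byte is a tag, not data
                value = value[1:]
            result["vlan"] = int(value.decode())
        elif atype == FILTER_ID:
            result["unp"] = value.decode()
    return result


if __name__ == "__main__":
    SECRET, MAC = b"s3cr3t-example", "00:1a:4b:6c:d0:b0"   # constructed values
    req = build_mac_auth_request(MAC, nas_port=1001, secret=SECRET)
    acc = build_access_accept(req, SECRET, vlan=20, unp="guest")
    print(decode_accept(acc, req, SECRET))
```

Two points worth noting from the code: the MAC "password" is only obfuscated with an MD5 keystream derived from the shared secret, so MAC authentication is as strong as the secret and the path to the RADIUS server, and the switch must check the Response Authenticator before acting on the VLAN or Filter-Id, otherwise anyone who can inject a UDP datagram toward the switch can pick the client's VLAN.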
ACCESS GUARDIAN
RADIUS SERVER SETUP
External Authentication
Configuring a RADIUS server
(Figure: the switch relays the client's authentication to the RADIUS server, steps 1 to 4.)
 Define RADIUS server parameters:
-> aaa radius-server server_name host {hostname | ip_address} [hostname2 | ip_address2] key secret auth-port auth_port acct-port acct_port
 The default ports follow the current RADIUS standards (port 1812 for authentication and 1813 for accounting).
 Some servers may still be set up with the old ports (1645 and 1646 respectively).
Selectable IP interface/Loopback0 for applications
 Applications can choose their source IP interface (any IP interface or Loopback0, in the relevant VRF) through an application-specific command:
-> ip managed-interface {Loopback0 | interface-name} application [ldap-server] [tacacs] [radius] [snmp] [sflow] [ntp] [syslog] [dns] [dhcp-server] [telnet] [ftp] [ssh] [tftp] [all]
-> show ip managed-interface


Legend: "-" denotes no explicit configuration

Application Interface-Name
-----------------+------------------------------
tacacs -
sflow -
ntp Loopback0
syslog -
dns -
telnet -
ssh -
tftp -
ldap-server -
radius Loopback0
snmp Loopback0
ftp -
802.1x Supplicant and Non-Supplicant
Device classification
(Flowchart: for a frame received on an 802.1x-enabled port, the switch checks whether the source is an 802.1x client. If not, the device is a non-supplicant and MAC authentication is performed; if so, it is an 802.1x device and 802.1x authentication is performed. Both are validated against the RADIUS server.)
802.1x Authentication server down
classification policy
 Users are moved to a specific profile when RADIUS server is not available

 Supported for 802.1x and MAC-based authentication (no CP)

 When authentication server becomes reachable


 Users are re-authenticated

-> 802.1x auth-server-down {enable | disable}


Enables or disables the authentication server down classification policy

-> 802.1x auth-server-down policy {user-network-profile profile_name | block}


Configures the policy for classifying the device when the authentication server is not reachable

-> 802.1x auth-server-down re-authperiod {value}


Sets re-authentication time for the device to authenticate again with the RADIUS server when it is
classified according to the auth-server-down policy

-> show 802.1x auth-server-down


Status = Enabled
Re-authentication Interval = 30 seconds
Classification policy = UNP 'radback', block
ACCESS GUARDIAN
DEVICE CLASSIFICATION POLICIES
Access Guardian Policies - Conceptual Flow
(Flowchart: Supplicant? Yes leads to 802.1x authentication; No leads to MAC authentication, Captive Portal, or no authentication. Each Pass and Fail branch then runs through a chain built from RADIUS VLAN, Captive Portal, Group mobility, UNP, VLAN, Default VLAN and Block.)
 The order of policies can be interchanged
 Some policies (Captive Portal, Default VLAN, Block) are final policies: they cannot be followed by other policies
 The Captive Portal policy starts a new authentication branch
 "Fail" branches will only classify devices into non-authenticated profiles
Access Guardian Policies

 Policies can only be used once for a ‘pass’ condition and once for a ‘fail’ condition
 Except for the VLAN policy. Up to 3 VLAN ID policies are allowed within the same compound
policy, as long as the ID number is different for each instance specified (e.g., Vlan 20 Vlan 30
Vlan 40)

 Compound policies must terminate


 The last policy must result in either blocking the device or assigning the device to the default
VLAN. If a terminal policy is not specified then the block policy is used by default

 The order in which policies are configured determines the order in which the policies
are applied
Access Guardian Security Policies - WebView
(Screenshot: device classification policies page.)
Access Guardian Security Policies
OmniVista Application
 List of available policies to be applied if no VLAN is returned from RADIUS
  Group Mobility
  Specific VLAN(s)
  Captive Portal
  User Network Profile
  Default VLAN
  Block
 For both pass and fail policies, the order in which parameters are specified determines the order in which they are applied
 A policy type must end with either default-vlan, block, or captive-portal
 The terminal parameter block is used by default
 The same types of policies, in a different order, can be configured for non-supplicants on the same port
Access Guardian Policies
802.1x Supplicant device classification policy
Enabling 802.1x authentication:
-> aaa authentication 802.1x rad1 rad2
(Figure: supplicant, switch and RADIUS server exchange, steps 1 to 4.)
 The supplicant sends an EAP frame with login and password; the switch acts as a relay between supplicant and RADIUS server
 Before sending the frame to the server, the switch adds the MAC of the supplicant; the MAC is placed in the Calling-Station-Id field of the RADIUS frame
 If authentication is not successful, the supplicant fail policy is applied
 If authentication is successful, the server may return a VLAN ID
  If the VLAN exists, the MAC address is learned on this VLAN
  If the VLAN doesn't exist, the next policy in the supplicant pass policy chain is used; that policy must be a strict VLAN ID or a terminal policy
 If the server doesn't return a VLAN ID, the next policy in the policy chain is used; that policy must be non-strict or terminal
 In cases where the device is known but the VLAN doesn't exist, this is considered a failed authentication
Security Policies for 802.1X Supplicant clients - Configuration
-> 802.1x slot/port supplicant policy authentication [[pass] {group-mobility | user-network-profile profile_name | vlan vid | default-vlan | block | captive-portal}...] [[fail] {user-network-profile profile_name | vlan vid | block | captive-portal}...]
(Screenshot: 802.1X supplicant clients configuration page.)
Supplicant Policy - WebView Example
(Figure: supplicant 802.1x authentication. Pass branch: RADIUS VLAN, then Captive Portal, Group mobility, VLAN, Default VLAN, Block. Fail branch: Captive Portal, VLAN 10, Block.)
Supplicant Policy - CLI Examples
 -> 802.1x 1/19 supplicant policy authentication pass group-mobility default-vlan fail vlan 10 block
 If the 802.1x authentication process is successful but does not return a VLAN ID for the
device
 Group Mobility rules are applied
 If Group Mobility classification fails, then the device is assigned to the default VLAN for port
1/19
 If the device fails 802.1x authentication
 If VLAN 10 exists and is not an authenticated VLAN, then the device is assigned to VLAN 10
 If VLAN 10 does not exist or is an authenticated VLAN, then the device is blocked from accessing
the switch on port 1/19

-> show 802.1x device classification policies


Device classification policies on 802.1x port 1/19
Supplicant:
authentication:
pass: group-mobility, default-VLAN
fail: VLAN 10, block
Non-Supplicant:
block (default)
Access Guardian Policies
Non-Supplicant device classification policy
 Silent or passive authentication
 MAC address used for authentication
Enabling MAC authentication:
-> aaa authentication mac rad1 rad2
(Figure: non-supplicant, switch and RADIUS server exchange, steps 1 to 3.)
 The switch intercepts the non-802.1x frame from the non-supplicant, generates an authentication frame and sends it to the RADIUS server
 If authentication is unsuccessful, the next policy in the non-supplicant fail policy chain is used; that policy must be either strict or terminal
 If authentication is successful and the server returns a VLAN ID
  and the VLAN exists, the MAC address is learned on this VLAN
  if the VLAN doesn't exist, the next policy in the policy chain is used; that policy must be either non-strict or terminal
Security Policies for Non-Supplicant clients
Configuration
-> 802.1x slot/port non-supplicant policy authentication [[pass] {group-mobility | user-network-profile profile_name | vlan vid | default-vlan | block | captive-portal}...] [[fail] {group-mobility | user-network-profile profile_name | vlan vid | default-vlan | block | captive-portal}...]
Non-Supplicant Policy
WebView Examples
(Figure: non-supplicant MAC authentication. Pass branch: RADIUS VLAN, Captive Portal, Group mobility, VLAN, Default VLAN, Block. Fail branch: Captive Portal, Group mobility, VLAN 5, Default VLAN, Block. A third column shows the same chain for devices that are not authenticated at all.)
Non-Supplicant Policy - CLI Example
 -> 802.1x 1/2 non-supplicant policy authentication pass group-mobility default-vlan fail vlan 5 block
 If the MAC authentication process is successful but does not return a VLAN ID for the device
  Group Mobility rules are applied
  If Group Mobility classification fails, then the device is assigned to the default VLAN for port 1/2
 If the device fails MAC authentication
  If VLAN 5 exists and is not an authenticated VLAN, the device is assigned to VLAN 5
  If VLAN 5 does not exist or is an authenticated VLAN, the device is blocked from accessing the switch on port 1/2

-> show 802.1x device classification policies 1/2


Device classification policies on 802.1x port 1/2
Supplicant:
authentication:
pass: group-mobility, default-VLAN
fail: VLAN 5, block
Non-Supplicant:
authentication:
pass: group-mobility, default-VLAN
fail: VLAN 5, block
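The two CLI examples above can be turned into a small policy-chain walker. The following Python is an added example, not AOS code: it applies the chain rules from the slides (each policy once, up to three distinct VLAN IDs, nothing after a terminal policy, block appended when no terminal policy is given) and then classifies a device the way the bullets describe: the RADIUS VLAN first if it exists, then the pass chain, or the fail chain when authentication failed. The port data, the Group Mobility rule and the UNP table are constructed.

```python
"""Access Guardian compound policy walker. Added example, not AOS code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A policy is a tuple: ("group-mobility",) ("unp", name) ("vlan", vid)
# ("default-vlan",) ("block",) ("captive-portal",)
Policy = Tuple
TERMINAL = {"default-vlan", "block", "captive-portal"}


@dataclass
class Port:
    default_vlan: int
    vlans: Dict[int, bool]                          # vid -> True if it is an authenticated VLAN
    unp_vlan: Dict[str, int]                        # user-network-profile name -> VLAN
    group_mobility: Callable[[str], Optional[int]]  # mac -> VLAN from the VLAN rules, or None


def normalize(chain: List[Policy]) -> List[Policy]:
    """Check a pass or fail chain against the slide rules and return it ready to walk:
    every policy at most once (VLAN up to three distinct IDs), a terminal policy only
    at the end, and 'block' appended when no terminal policy was configured."""
    seen, vids, out = set(), set(), []
    for i, pol in enumerate(chain):
        kind = pol[0]
        if kind == "vlan":
            if pol[1] in vids or len(vids) == 3:
                raise ValueError(f"vlan {pol[1]}: repeated ID or more than 3 VLAN policies")
            vids.add(pol[1])
        elif kind in seen:
            raise ValueError(f"{kind} used twice in one chain")
        if kind in TERMINAL and i != len(chain) - 1:
            raise ValueError(f"{kind} is terminal and cannot be followed by other policies")
        seen.add(kind)
        out.append(pol)
    if not out or out[-1][0] not in TERMINAL:
        out.append(("block",))
    return out


def walk(chain: List[Policy], port: Port, mac: str) -> Tuple[str, Optional[int]]:
    """Apply the policies in configured order; returns (policy that classified, VLAN or None)."""
    for pol in normalize(chain):
        kind = pol[0]
        if kind == "group-mobility":
            vid = port.group_mobility(mac)
            if vid is not None and vid in port.vlans:
                return "Group Mobility", vid
        elif kind == "unp":
            if pol[1] in port.unp_vlan:             # the profile must exist on the switch
                return f"UNP {pol[1]}", port.unp_vlan[pol[1]]
        elif kind == "vlan":
            # strict VLAN ID: must exist and must not be an authenticated VLAN
            if pol[1] in port.vlans and not port.vlans[pol[1]]:
                return f"VLAN {pol[1]}", pol[1]
        elif kind == "default-vlan":
            return "default-vlan", port.default_vlan
        elif kind == "captive-portal":
            return "captive-portal", None            # a new authentication branch starts here
        elif kind == "block":
            return "block", None
    return "block", None                              # not reached: normalize() guarantees a terminal


def classify(port: Port, mac: str, authenticated: bool, radius_vlan: Optional[int],
             pass_chain: List[Policy], fail_chain: List[Policy]) -> Tuple[str, Optional[int]]:
    """Turn an 802.1x or MAC authentication result into a classification."""
    if not authenticated:
        return walk(fail_chain, port, mac)
    if radius_vlan is not None and radius_vlan in port.vlans:
        return "RADIUS VLAN", radius_vlan             # VLAN returned by the server, and it exists
    return walk(pass_chain, port, mac)                # no VLAN returned, or one that does not exist


# Constructed port: VLANs 1, 5, 10, 20 and 42 exist, none is an authenticated VLAN; one Group
# Mobility rule maps the 00:1a:4b OUI to VLAN 42; UNP "guest" is VLAN 20.
PORT = Port(default_vlan=1,
            vlans={1: False, 5: False, 10: False, 20: False, 42: False},
            unp_vlan={"guest": 20},
            group_mobility=lambda mac: 42 if mac.lower().startswith("00:1a:4b") else None)
PASS_1_19 = [("group-mobility",), ("default-vlan",)]   # ... pass group-mobility default-vlan
FAIL_1_19 = [("vlan", 10), ("block",)]                 # ... fail vlan 10 block

if __name__ == "__main__":
    for mac, ok, rvlan in (("00:1a:4b:6c:d0:b0", True, 42), ("00:1a:4b:6c:d0:b0", True, 99),
                           ("00:50:56:aa:bb:cc", True, None), ("00:50:56:aa:bb:cc", False, None)):
        print(mac, ok, rvlan, "->", classify(PORT, mac, ok, rvlan, PASS_1_19, FAIL_1_19))
```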
Security Policies through LLDP
Conceptual Flow
(Flowchart for a new user/MAC address: 1) supplicants go through 802.1x authentication, non-supplicants through MAC authentication or no authentication. On Pass, if the RADIUS reply carries a classification attribute (AVP), the device is classified and done. 2) Otherwise the first frame is validated: 3) if the device is an IP phone seen in LLDP-MED and a UNP LLDP-MED classification rule exists, the device is classified into that UNP and done. 4-5) Otherwise the Access Guardian policy chain (Captive Portal, Group mobility, UNP, VLAN, Default VLAN, Block) runs, ending with the device classified in the UNP VLAN or blocked.)
Security Policies through LLDP
LLDP-MED network policy
 LLDP-MED Network Connectivity Devices provide IEEE 802 network access to LLDP-MED Endpoints
 LLDP between IP Phone and OmniSwitch through an LLDP-MED Network Policy
  Allows advertisement of VLAN id, 802.1p priority and DSCP
 IP Touch LLDP-MED VLAN assignment: assigning a VLAN to IP phones explicitly through the definition of an LLDP-MED Network Policy identifier (feature activated by default)
 LLDP is enabled globally by default
Example configuration for voice VLAN 10 on port 1/10:
-> vlan 10
-> vlan port mobile 1/10
-> vlan 10 mobile-tag enable
-> lldp 1/10 tlv med network-policy enable
-> lldp network-policy 1 application voice vlan 10 l2-priority 7 dscp 46
-> lldp 1/10 med network-policy 1
(Figure: communication server, admin and IP phone in Voice VLAN 10.)
Access Guardian Device Classification Policies
Monitoring
-> show 802.1x
Displays information about ports configured for 802.1X
-> show 802.1x users
Displays a list of all users (supplicants) for one or more 802.1X ports
-> show 802.1x non-supplicant
Displays a list of all non-802.1x users (non-supplicants) learned on one or more 802.1x ports
-> show aaa-device all-users
Displays the Access Guardian status of all users learned on 802.1x ports
-> show 802.1x statistics
Displays statistics about 802.1X ports
-> show 802.1x device classification policies
Displays Access Guardian 802.1x device classification policies configured for 802.1x ports
-> show aaa authentication 802.1x
Displays information about the global 802.1X configuration on the switch
-> show aaa accounting 802.1x
Displays information about accounting servers configured for 802.1X port-based network access
control
-> show aaa authentication mac
Displays a list of RADIUS servers configured for MAC based authentication
CAPTIVE PORTAL
Access Guardian
Captive Portal Overview
 Web portal for obtaining user credentials
 Can be applied to supplicants and non-supplicants
 When a not-yet-authenticated user launches a browser, a web page is served asking for credentials
 Still requires RADIUS for authentication
 Has its own fail/pass policies
 Useful for guests or contractors temporarily gaining controlled access to the enterprise network
 Integrated with the rest of the policies
(Figure: 1) the user browses to http://www.alcatel-lucent.com, 2) the switch answers "You have to log in first!" and validates the entered credentials against the AAA RADIUS server.)
Captive Portal
Another Access Guardian Policy
(Flowchart: Supplicant? Yes leads to 802.1X authentication, No leads to MAC authentication or no authentication. Each Pass/Fail branch can include RADIUS Profile, Captive Portal, Group mobility, Profile and Block. The Captive Portal policy opens its own Pass/Fail branch with RADIUS Profile, Group mobility, Profile and Block.)
Policies can be interchanged
Some policies (Captive Portal, Profile, Block) are terminal policies (cannot be followed by other policies)
The Captive Portal policy will start a new authentication branch
"Fail" branches will only classify devices into non-authenticated profiles
Captive Portal
Use case example
(Flowchart: three populations on the same port. Enterprise users with 802.1X capable devices are authenticated by 802.1X; known devices (printers, IP phones, etc.) by MAC authentication; unknown users (guests, contractors) by the Captive Portal. The pass branches use RADIUS Profile, Captive Portal, Group mobility and Profile; the fail branches end in Default VLAN or Block.)
Access Guardian
Captive Portal Concept
(Figure: supplicant or non-supplicant user, switch, AAA RADIUS server.)
Pre-authentication phase:
1 - The switch acts as DHCP and DNS server for the user (DHCP Request/Offer, then DNS request). Default DHCP scope: 10.123.0.0/16, default gateway 10.123.0.1, DNS server 10.123.0.1.
Authentication phase:
2 - The user's HTTP request (for example to http://www.alcatel-lucent.com) is redirected to the captive portal login page.
Supported operating system and browser combinations:
Operating System                        Browser
Windows 2000, XP, Vista, 7              IE6, IE7, IE8; Firefox 3.x.x
Mac OS X 10.5 Leopard, Snow Leopard     Firefox 2 and Firefox 3
Linux (Red Hat)                         Firefox 3.x.x

Captive Portal
Customization
 Logo

 Welcome text

 Background image

 Company policy file

 Customizable banner image

 Associated Help pages

/flash/switch
• cpPolicy.html
• logo.png (preferred), jpg, gif
• background.png, jpg, gif
• banner.jpg
(Figure: sample login page with logo, "My Company" banner and welcome text message.)

• cpLoginWelcome.inc
• cpStatusWelcome.inc
• cpFailWelcome.inc
• cpLoginHelp.html
• cpStatusHelp.html
• cpFailHelp.html
• cpBypassHelp.html
Captive Portal
Customization
 Configuring a different subnet for the Captive Portal IP address
  -> 802.1x captive-portal address 10.124.0.1
 Configuring a URL for the Captive Portal users' proxy web server
  -> 802.1x captive-portal proxy-server-url www.training.com
 URL redirection: capability of redirecting the user to a
  redirection URL upon successful authentication
  redirection URL upon failed/bypassed authentication
  -> 802.1x captive-portal success-redirect-url http://test-cp.com/fail.html
  -> 802.1x captive-portal fail-redirect-url http://test-cp.com/fail.html
 Customizable DNS keyword list: up to 4 user-definable DNS keyword entries
  -> 802.1x captive-portal dns-keyword-list "univ.intra-net.jp"
  or
  -> 802.1x captive-portal dns-keyword-list "univ.intra-net1.jp" "univ.intra-net2.jp" "univ.intra-net3.jp" "univ.intra-net4.jp"
Security Policies for Captive Portal Authentication
Configuration
-> 802.1x slot/port captive-portal policy authentication [[pass] {group-mobility | vlan vid | default-vlan | block}...] [[fail] {group-mobility | vlan vid | default-vlan | block}...]
The pass chain is used when a successful Captive Portal authentication does not return a VLAN ID, or returns a VLAN ID that does not exist; the fail chain is used when Captive Portal authentication fails.
• For both pass and fail policies, the order in which parameters are specified determines the order in which they are applied
• Each chain must end with either default-vlan or block (captive-portal is not available inside its own policy)
• The terminal parameter block is used by default
Supplicant Policy with Captive Portal
Example
 -> 802.1x 1/1 supplicant policy authentication pass group-mobility captive-portal fail vlan 70 block
(Figure: 802.1x pass branch: RADIUS VLAN, Group mobility, Captive Portal, Block; fail branch: VLAN 70, Block.)
The user as seen with show 802.1x users at three moments. First, 802.1x succeeded without a VLAN and Group Mobility did not classify the device:
-> show 802.1x users
Slot   MAC                Port                            User
Port   Address            State           Policy          Name
-----+-----------------+---------------+--------------+-------------------------
01/01  00:1a:4b:6c:d0:b0  Authenticated   --              john
While the Captive Portal login is pending:
-> show 802.1x users
Slot   MAC                Port                            User
Port   Address            State           Policy          Name
-----+-----------------+---------------+--------------+-------------------------
01/01  00:1a:4b:6c:d0:b0  Authenticated   CP in progress  john
After the Captive Portal authentication succeeded:
-> show 802.1x users
Slot   MAC                Port                            User
Port   Address            State           Policy          Name
-----+-----------------+---------------+--------------+-------------------------
01/01  00:1a:4b:6c:d0:b0  Authenticated   Auth Srv - CP   john
Non-Supplicant Policy with Captive Portal
Example
 -> 802.1x 1/1 non-supplicant policy authentication pass group-mobility vlan 5 default-vlan fail captive-portal
(Figure: MAC authentication pass branch: RADIUS VLAN, Mobile VLAN, Block; fail branch: Captive Portal, Block.)
MAC authentication succeeds and Group Mobility classifies the device into VLAN 12:
-> show 802.1x non-supplicant 1/1
Slot   MAC                MAC Authent      Classification      Vlan
Port   Address            Status           Policy              Learned
-----+-----------------+----------------+------------------+-------
01/01  00:1a:4b:6c:d0:b0  Authenticated    Group Mobility      12
-> show vlan port 1/1
  vlan    type     status
--------+---------+--------------
     1   default  forwarding
    12   mobile   forwarding
MAC authentication fails and the device is handed to the Captive Portal, first pending, then classified after the web login:
-> show 802.1x non-supplicant 1/1
Slot   MAC                MAC Authent      Classification      Vlan
Port   Address            Status           Policy              Learned
-----+-----------------+----------------+------------------+-------
01/01  00:1a:4b:6c:d0:b0  failed           CP - In Progress    -
-> show 802.1x non-supplicant 1/1
Slot   MAC                MAC Authent      Classification      Vlan
Port   Address            Status           Policy              Learned
-----+-----------------+----------------+------------------+-------
01/04  00:1a:4b:70:33:db  failed           Auth srv - CP       11
-> show vlan port 1/1
  vlan    type     status
--------+---------+--------------
     1   default  forwarding
    11   mobile   forwarding
Non-Supplicant Policy with Captive Portal
Example
 -> 802.1x 1/1 captive-portal policy authentication pass vlan 42 fail vlan 220
(Figure: MAC authentication pass branch: RADIUS VLAN, Mobile VLAN, Captive Portal; fail branch: Captive Portal, Block. Captive Portal pass branch: RADIUS VLAN, Mobile VLAN, Block; fail branch: VLAN 220, Block.)
Captive Portal login succeeded; the VLAN returned by the authentication server (11) is used ahead of the pass policy vlan 42:
-> show 802.1x non-supplicant 1/1
Slot   MAC                MAC Authent      Classification      Vlan
Port   Address            Status           Policy              Learned
-----+-----------------+----------------+------------------+--------
01/01  00:1a:4b:6c:d0:b0  Authenticated    Auth srv - CP       11
Captive Portal login timed out; while pending the device is unclassified, then the fail policy assigns VLAN 220:
-> show 802.1x non-supplicant 1/1
Slot   MAC                MAC Authent      Classification      Vlan
Port   Address            Status           Policy              Learned
-----+-----------------+----------------+------------------+--------
01/01  00:1a:4b:6c:d0:b0  Failed (timeout) CP - In Progress    -
-> show 802.1x non-supplicant 1/1
Slot   MAC                MAC Authent      Classification      Vlan
Port   Address            Status           Policy              Learned
-----+-----------------+----------------+------------------+--------
01/01  00:1a:4b:6c:d0:b0  Failed (timeout) Vlan ID - CP        220
Access Guardian Device Classification Policies
Captive Portal Monitoring
 show 802.1x device classification policies

 show 802.1x captive-portal configuration

 show aaa-device all-users

 show aaa-device non-supplicant-users

 show aaa-device captive-portal-users

 show 802.1x slot/port


USER NETWORK PROFILE
User Network Profile (UNP)
 Defines network access controls for one or more users.

 Each device that is assigned to a specific profile is granted network access


based on the profile criteria, instead of on an individual MAC address, IP
address, or port.
 Administrators can use profiles to group users according to their function.
 All users assigned to the same UNP become members of that profile group.

 The UNP consists of:
  A VLAN ID
  A configurable HIC flag (enabled or disabled). After classification, a user might not have full access to the network until the device credentials have been verified by a Host Integrity Check (HIC) server
  A configurable role: a list of pre-configured QoS policy rules (ACLs), aggregated into a "policy list" using the existing QoS capabilities
User Network Profile - Role Based Access Control with UNP
 Scalable deployment with distinct ACL/QoS policy lists
(Figure: hospital example. Each role receives its own set of ACLs, QoS, HIC and VLAN from the AAA RADIUS server: Admin (10 M, all except the confidential patient DB), Employee (100 M, all except any patient DB), Voice (VoIP traffic stamping and prioritization), Doctor (100 M, access to all information including the confidential patient DB and patient contacts DB), Guest (Captive Portal, 10 M, Internet access only, DHCP in the default VLAN).)
• User security profiles follow the user
• Security profiles are dynamically applied to the switch port
Access Guardian Policies - UNP device classification policy
(Figure: 1) login request from the device, 2) authentication request from the switch to the RADIUS server, 3) request granted; the switch looks the returned name up in its local mapping table, shown with show aaa user-network-profile.)
 Profile name returned from RADIUS? Yes: apply the RADIUS profile. The UNP name (ASCII) returned in Filter-Id matches a local profile, which supplies the VLAN number, policy list and HIC Y/N
 No: continue with the policy chain (Group mobility, Local Profile, VLAN, Block). Local Profile applies a UNP name defined locally on the switch
• Local Profile is now one of the Access Guardian policies
• Order of policies can be interchanged
Access Guardian policies - UNP
 The UNP name is obtained from the RADIUS server and is mapped to the same
profile name configured on the switch.
 When both VLAN ID and UNP name are returned from the RADIUS server and the UNP
profile is configured on the switch; the VLAN ID in the User Network Profile will take
precedence if it is different from the VLAN ID returned from the RADIUS server.

 If the RADIUS server does not return a UNP name, then a local UNP profile can
be applied if this is included in the set of policies.

 Profiles can be applied to 802.1x supplicants, to MAC-based as well as web-based authentication clients, and they can exist in both "Pass" and "Fail" policies.
User Network Profile Policy - CLI Configuration
1. Configuring a user network profile for an Access Guardian device classification policy (a UNP holds a VLAN, a HIC flag and a policy list):
-> aaa user-network-profile name profile_name vlan vlan-id [hic {enable | disable}] [policy-list-name list_name]
2. Applying a UNP to classify all devices connected to a port, for supplicant, non-supplicant and captive-portal authentication:
-> 802.1x slot/port supplicant policy authentication [[pass] {group-mobility | user-network-profile profile_name | vlan vid | default-vlan | block | captive-portal}...] [[fail] {user-network-profile profile_name | vlan vid | block | captive-portal}...]
UNP – QoS policy lists

 A default policy list exists in the switch configuration.


 This list is applied to the whole switch.
 Rules are automatically added to this list when they are created.
 The rule remains as member of the default list even when it is subsequently assigned
to additional lists.
 The user has the option to exclude the rule from the default list using the no default-list
command while creating the rule.

 Only one policy list per UNP is allowed, but a policy list can be associated with
multiple profiles
UNP Policy List - Configuration
 Assigning a QoS policy list to a User Network Profile enforces the access of a device to network resources
 Policy list = one or more QoS policy rules (QoS and ACL)
 Done in two steps:
1. Create the QoS policy list by assigning a name and the list of existing QoS policy rules, and mark it as a UNP list:
-> policy list list_name rules rule_name [rule_name2...] [enable | disable]
-> policy list list_name type unp [enable | disable]
2. Reference the QoS policy list name in the User Network Profile:
-> aaa user-network-profile name profile_name vlan vlan-id [hic {enable | disable}] [policy-list-name list_name]
User Network Profile Policy – Example (1)
(Diagram: RADIUS server and OmniSwitch, labelled "UNP missing")
-> show 802.1x device classification policies 1/3
Device classification policies on 802.1x port 1/3
Supplicant:
authentication:
pass: group-mobility, default-vlan (default)
fail: block (default)
Non-Supplicant:
authentication:
pass: group-mobility, default-vlan
fail: UNP guest, block
Captive Portal:
authentication:
pass: default-vlan (default)
fail: block (default)
-> show aaa user-network-profile
Role Name Vlan HIC Policy List Name
---------------------------+----+----+----------------------
guest 20 No internet_only
User Network Profile Policy - Example (2)
(Diagram: RADIUS server and OmniSwitch, labelled "UNP missing")
-> show 802.1x non-supplicant 1/3
onex_view, inIndexCount=1, all=0
Slot MAC MAC Authent Classification Vlan
Port Address Status Policy Learned
-----+-----------------+----------------+------------------+--------
01/03 00:1a:4b:6c:d0:b0 Authenticated Group Mobility 42
Non-Supplicant:
authentication:
pass: group-mobility, default-vlan
fail: UNP guest, block
Slot MAC MAC Authent Classification Vlan
Port Address Status Policy Learned
-----+-----------------+----------------+------------------+--------
01/03 00:1a:4b:6c:d0:b0 Failed User Net Profile 20
USER NETWORK PROFILE AND
AAA PACKET CLASSIFICATION RULE
Group-mobility device classification policies
AAA Packet Classification Rule

 AAA Packet Classification Rule maps a rule to a User Network Profile

 Additional type of device classification policy

 Similar to the “Group Mobility” rules

 Users to be classified on “mobile user network profiles”

 AAA Packet Classification Rule types
 ip rule (subnet/mask)
 mac rule
 mac range rule
 The rule types are applied in order of precedence
AAA Packet Classification Rule - CLI Configuration
 AAA Packet Classification MAC Rule
-> aaa classification-rule mac-address mac_address user-network-profile name profile_name
-> aaa classification-rule mac-address-range low_mac_address high_mac_address user-network-profile name profile_name
 AAA Packet Classification IP Rule
-> aaa classification-rule ip-address ip_address [subnet_mask] user-network-profile name profile_name
• When Group Mobility is configured as an Access Guardian device classification policy for an 802.1x port, both AAA classification rules and VLAN rules are applied to device traffic on that port
• Classification rules take precedence over VLAN rules
AAA Packet/UNP Classification Rule - Example
(Diagram: an Employee PC, a Voice phone and a Guest device connected to the switch)
UNP "Employee"          UNP "Voice"   UNP "Guest"
vlan 30                 vlan 21       vlan 26
hic enable                            Policy list "internet_only"
Policy List "qos_gold"                hic enable
-> aaa classification-rule mac-address-range 00:80:9f:00:00:00 00:80:9f:ff:ff:ff user-network-profile name Voice
-> show aaa-device non-supplicant-users port 1/10
-----+----------------------+---------------+----+----+---------------+----+----+---------------
1/10 00:12:79:c2:c8:11 -- 26 Brdg - MAC Fail internet
-> show aaa-device supplicant-users port 1/12
-----+----------------------+---------------+----+----+---------------+----+----+---------------
1/12 00:1f:29:81:4b:8f test1 30 Brdg - 1X Pass Employee
1/12 00:1f:29:81:4b:8f -- 26 Brdg - MAC Fail internet
-> show aaa-device non-supplicant-users port 1/12
-----+----------------------+---------------+----+----+---------------+----+----+---------------
1/12 00:80:9f:56:3b:b3 -- 21 Brdg - MAC Pass Telephony
WINDOWS LOGON SNOOPING
Kerberos
 The purpose of Kerberos is to perform authentication.

 It is a robust security protocol used to establish the identity of users and systems accessing services across the network
 Protects the network protocols from tampering (integrity protection)
 It often encrypts the data sent across the protocol (privacy protection)

 It is based on the concept of symmetric encryption keys; the same key is used
to encrypt and decrypt a message.
 This is also referred to as a shared private key.

 A trusted Kerberos server is used to verify secure access.


 This trusted server is called the key distribution center (KDC). The KDC issues tickets
to validate users and services.
 The password of the user is never stored in any form on the client machine. The
password is immediately discarded after being used.

 Kerberos provides authentication only. It does not support user authorization.


Kerberos Snooping
 Snoops the user information and identifies if a system has successfully logged
on to a domain.
 Kerberos authentication is handled by external Kerberos server (KDC).

 Kerberos agent is placed between the client and the Kerberos server.

 Kerberos agent maintains the database of client information:


 Client Name
 Source MAC Address
 IP Address
 Domain Name
 Authenticated State
 Port number on which the client is attached
 QoS policy-list to be applied after authentication process ends.

 Kerberos snooping is supported only on 802.1x ports with non-supplicant users.


Application Fluency – User Fingerprinting
Windows Logon Snooping
 New Authentication Method for Microsoft Corporate Users
 Most Secure Solution: 802.1x Authentication
 Challenge: how do you ensure endpoints can all support 802.1x
 Challenge: Need to maintain RADIUS server
 With release 6.4.5: Windows Login is snooped for Authentication
 Authentication Sequence
 User is granted limited network access based on the default UNP
 Domain Server Authentication is snooped and result is tracked: success/failure, Domain name, User name
 Final network access is granted based on success/failure and Domain name
 If new user initiates new login, Authentication Sequence re-starts
 Inactivity timer (default 5h) to account for “silent” logoff
(Diagram: Kerberos transaction from the client at the Access layer, through the Core, to the Active Directory Server)
Windows Logon Snooping - Things to know

 Mobility
 Mobility on the same switch is supported w/ no re-authentication
 Switch to switch mobility is not yet supported: user needs to logoff/login to get back
on the network

 Compatibility with other authentication methods


 Kerberos user authentication will happen after mac based authentication of same user
and system. Mac based authentication will provide a path between Kerberos client and
server.
 If 802.1x authentication happens before Kerberos authentication for the same client
then the Kerberos request packet will not be entertained on the switch and will be
switched/routed/dropped based on the user’s 802.1x results (failed/success) and
other configuration on switch.
 Works like HIC rule – based on dynamic ACLs
 Not compatible with Captive Portal
Windows Logon Snooping - Things to know

 Boundary Conditions
 Maximum number of Kerberos server IP addresses that can be configured on the switch: 4
 Maximum number of Kerberos users that can be learned on the switch: 1000

 Policy List
 Once user is authenticated through Kerberos server then qos-policy-list configured for
Kerberos (global or per domain) will be updated in hardware l2 table for this user
(MAC). Kerberos qos-policy-list will overwrite qos-policy-list of UNP/HIC if user is
already classified as a UNP/HIC user with few exception listed below:
 If user is learned in filtering mode then Kerberos shall not overwrite the hardware l2 table for
Kerberos qos-policy-list.
 If user is in HIC-IN-PROGRESS state then Kerberos shall not overwrite the HIC qos-policy-list with
Kerberos qos-policy-list
Windows Logon Snooping - Configuration Example

-> vlan port mobile 3/1


-> vlan port 3/1 802.1x enable
-> 802.1x 3/1 kerberos enable
-> aaa kerberos mac-move enable
-> aaa kerberos ip-address 172.21.160.102
-> aaa kerberos inactivity-timer 30
-> aaa kerberos server-timeout 20
-> aaa kerberos authentication-pass policy-list-name pl1
-> aaa kerberos authentication-pass domain EXAMPLE.COM policy-list-name p1

CLI show commands to display the Kerberos configuration for the switch
-> show aaa kerberos configuration
-> show aaa kerberos port
-> show aaa kerberos users
-> show aaa kerberos statistics
-> show aaa kerberos port statistics
ACCESS GUARDIAN 2.0
AOS 8.X
Access Guardian 2.0 - AOS 8.X
 Ports are classified into Access, Bridge and Edge Ports
 Access and Bridge ports are supported only on OS10K and OS6900
 Edge ports are supported only on OS6860

 The AG rules are different


 UNP returned by Radius
 UNP Classification Rules
 Pass Alternate UNP
 Blocked

 8.1.1 includes an Auth Server Down Path

 Captive Portal is set separately


 captive portal is only activated through unp edge-profile, the CP properties are set as
part of a CP profile
Access Guardian 2.0 - AOS 8.X
 Access Guardian 2.0 aims to provide network access and roles
(policy list) per user using a two step process
 First Step: L2 authentication, which may be 802.1x or MAC authentication or
classification. The result of this process is a UNP
 Second Step: L3 authentication/classification.

 QMR/Location/Time based validations may be enabled in the UNP


 if these validations fail the user is put into a Restricted Role (policy list)

 In addition to this, user may be placed into a new Role after captive portal
authentication and other user defined roles
 The initial UNP (which provides the initial policy list and role) and Vlan does
not change during the lifetime of the user. Only the roles change dynamically
Access Guardian 2.0 - AOS 8.X
 AG 2.0 shall support Built-in restricted roles determined by
the state of the following AOS components
 Location and Time based Policies (Unauthorized)
 Quarantine Manager and Remediation
 Captive Portal (pre-login)
 Redirect (byod guest registration/onboard)

 AG 2.0 also supports explicit configuration of the restricted roles determined


by the state of the following AOS components.
 Location and Time based Policies (Unauthorized)
 Quarantine Manager and Remediation
 Captive Portal (pre-login)
 Redirect (byod guest registration/onboard)

 The explicitly configured restricted roles have higher precedence over the
built-in restricted roles
Access Guardian 2.0 - Atomic Classification Rules
 Single-criterion rules
 Port
 Group-ID
 MAC
 MAC-OUI
 MAC-Range
 LLDP
 IP-Phone
 Authentication-Type
 802.1x, MAC
 IP
 Combined rules
 Port + MAC + IP
 Port + MAC
 Port + IP
 Group-ID + MAC + IP
 Group-ID + MAC
 Group-ID + IP
-> unp classification mac-address 00:11:22:33:44:55 port 1/1/5 edge-profile Pr1
-> unp classification ip-address 10.0.0.20 mask 255.255.0.0 port 1/1/10 edge-profile Pr2
-> unp classification group-id GRP1 edge-profile myProfile1PSK
-> unp classification mac-address 00:11:22:33:44:55 group-id GRP1 edge-profile Pr1
-> unp classification mac-oui 00:11:22 edge-profile myProfile1
-> unp classification lldp med-endpoint ip-phone edge-profile myProfile1
-> unp classification authentication-type 802.1X edge-profile myProfile1
-> unp classification authentication-type MAC edge-profile myProfile2
Access Guardian 2.0 - Extended Classification rules
 Extended classification rules
 Define a list of criteria to be matched
 Only matched when all criteria are met
 Support precedence
 only one extended rule can be matched for a given user
 Always has higher precedence over binding rules and atomic rules

 Extended classification supports
 MAC
 PORT
 Group-ID
 LLDP
 Authentication
-> unp classification-rule EXT1 Edge-profile “UNP1”
-> unp classification-rule EXT1 group-id GRP1
-> unp classification-rule EXT1 mac-address 00:11:22:33:44:55
-> unp classification-rule EXT1 mac-oui 00:11:22
-> unp classification-rule EXT1 lldp med-endpoint ip-phone
-> unp classification-rule EXT1 authentication-type 8021X
-> unp classification-rule EXT1 authentication-type MAC
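As an added example (not OmniSwitch code), the following Python models how a device's attributes are matched against the atomic rules from the previous slide and an extended rule: an extended rule matches only when all of its criteria match and is tried before any atomic rule. The rule tables, the sample devices and the tie-break among atomic rules (rules with more criteria first) are this example's own assumptions, not the AOS ordering.

```python
# Added example: matching a device against AOS 8-style atomic and extended
# UNP classification rules. Not OmniSwitch code; the rule tables below are
# constructed from the commands shown on the slides.
import ipaddress


def mac_int(mac):
    return int(mac.replace(":", ""), 16)


def criterion_matches(key, want, dev):
    """One criterion of a rule against the device attributes."""
    if key == "mac":
        return dev.get("mac", "").lower() == want.lower()
    if key == "mac_oui":                              # first three octets
        return dev.get("mac", "").lower().startswith(want.lower())
    if key == "mac_range":                            # inclusive (low, high)
        cur = mac_int(dev.get("mac", "00:00:00:00:00:00"))
        return mac_int(want[0]) <= cur <= mac_int(want[1])
    if key == "ip":                                   # "address mask" as on the slide
        addr, mask = want.split()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return "ip" in dev and ipaddress.ip_address(dev["ip"]) in net
    return dev.get(key) == want                       # port, group_id, lldp, auth


def rule_matches(rule, dev):
    """A rule matches only when every criterion (all keys but name/profile) matches."""
    return all(criterion_matches(k, v, dev) for k, v in rule.items()
               if k not in ("profile", "name"))


def classify(dev, extended, atomic):
    """Return (edge_profile, rule) for the first rule that matches.

    Extended rules are tried first, in their configured precedence order,
    because the slide says they always beat atomic rules. Among atomic rules
    this example prefers the rule with more criteria (Port+MAC+IP before
    Port+MAC before MAC) and keeps configured order on ties; that tie-break
    is an assumption of this example, not the documented AOS ordering."""
    for rule in extended:
        if rule_matches(rule, dev):
            return rule["profile"], rule
    ranked = sorted(atomic, key=lambda r: -(len(r) - 1))   # stable sort
    for rule in ranked:
        if rule_matches(rule, dev):
            return rule["profile"], rule
    return None, None


# Atomic rules mirroring the 'unp classification ...' commands on the slide.
ATOMIC = [
    {"mac": "00:11:22:33:44:55", "port": "1/1/5", "profile": "Pr1"},
    {"ip": "10.0.0.20 255.255.0.0", "port": "1/1/10", "profile": "Pr2"},
    {"group_id": "GRP1", "profile": "myProfile1PSK"},
    {"mac": "00:11:22:33:44:55", "group_id": "GRP1", "profile": "Pr1"},
    {"mac_oui": "00:11:22", "profile": "myProfile1"},
    {"lldp": "ip-phone", "profile": "myProfile1"},
    {"auth": "802.1X", "profile": "myProfile1"},
    {"auth": "MAC", "profile": "myProfile2"},
]
# One extended rule (constructed): group GRP1 + a specific MAC + 802.1x.
EXTENDED = [
    {"name": "EXT1", "profile": "UNP1", "group_id": "GRP1",
     "mac": "00:11:22:33:44:55", "auth": "802.1X"},
]

if __name__ == "__main__":
    laptop = {"mac": "00:11:22:33:44:55", "port": "1/1/5",
              "group_id": "GRP1", "auth": "802.1X"}
    print(classify(laptop, EXTENDED, ATOMIC)[0])      # UNP1: the extended rule wins
    print(classify(dict(laptop, auth="MAC"), EXTENDED, ATOMIC)[0])   # Pr1: Port + MAC
```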
Access Guardian 2.0 - Edge Templates
 Edge Template
 Contains all of the UNP properties
 Can be applied to a UNP Port or Linkagg
 Properties
 Name
 802.1x authentication [enable|disable]
 802.1x authentication tx-period <secs>
 802.1x authentication max_req <num>
 802.1x authentication supp-timeout <secs>
 802.1X authentication pass-alternate edge-profile <name>
 Mac-authentication [enable|disable]
 Mac-authentication pass-alternate edge-profile <name>
 Classification [enable|disable]
 Default-edge-profile <name>
 Group-id <string>
 AAA-profile <string>
 Bypass [enable|disable]
 Allow-eap [pass|fail|noauth|none]
 Failure-policy [mac-authentication|default]
(Diagram: an Edge-Template groups the 802.1x authentication and MAC authentication settings and references an Edge Profile and an AAA Profile)
Access Guardian 2.0 - Edge Templates
 Group-ID
 Logical ports group
 Same as a Customer Domain in Previous AOS releases

-> unp group-id 2 description grp2


 Bypass
 802.1x bypass – in this mode MAC based authentication precedes 802.1x
authentication
 Failure Policy
 If 802.1x Authentication fails either
 Perform device classification (default)
 Perform mac authentication

 Allow-EAP
 Pass: perform 802.1x upon Mac-authentication pass
 Fail: perform 802.1x upon Mac-authentication fail
 Noauth: perform 802.1x upon Mac-authentication disable
 None: always skip 802.1x
Access Guardian 2.0 - Edge Templates
 AAA Profile
 Specifies the default AAA profile for the Edge Template

 Default Edge-Profile
 When an edge-template is attached to a UNP port/linkagg, any existing default profile is overridden

 Pass-alternate
 If classification does not return a valid UNP then the pass-alternate is assigned
Access Guardian 2.0 – Edge Profile
 Edge Profile
 Edge-profile <name>
 Qos-policy-list <name>
 The name of a Policy List (ACL or QoS) associated with the UNP
 Defines the initial Role for the user
 Location-policy <string>
 Slot/port, System name, location
 Period-policy <string>
 Captive-portal-authentication [enable|disable]
 Captive-portal-profile <name>
 Authentication-flag [enable|disable]
 Mobile-tag [enable|disable]
 Redirect
 Vlan-mapping
(Diagram: the Edge-Profile references a QoS Policy list, a Location Policy, a Period Policy, a Captive Portal Profile and, through Vlan-Mapping, a VLAN ID)
Access Guardian 2.0 - Edge Profile
 Once a user is L2-authenticated/classified into a UNP,
 The initial role of the user is determined by the qos policy-list attached to the UNP.
 This role could be replaced with one of the more specific roles based on result of
enforcing one or more properties/methods enabled on the UNP Edge Profile as listed
below
 Captive Portal
 Location/Time based Policy
 QMR based Policy
 User Derived Role using
 Authentication Type
 BYOD
Access Guardian 2.0 - Edge Profile
 Edge Profile Location Policy
 Location-policy <string>
 The location policy is used to restrict the network access based on the location of the
user/device
 When the specified location-policy is not met by the UNP user, the user role will be
automatically changed to an unauthorized role.
 The location of a wired user would be determined with:
 Chassis/Slot/Port on which the user is attached
 Switch Name on which the user is attached
 Switch Location String, identifying a group of Switches

 Setting Location
 system location <string>
 unp policy validity location “Alcatel” port 1/1/10
Access Guardian 2.0 – Edge Profile
 Edge Profile Time Period Policy
 Period-policy <string>
 The period policy is used to restrict the network access based on the time of access by
the user/device
 The time criteria for network access by a user could be specified in days, hours, months and intervals comprising date/time.
 A period policy is said to have matched if any of the specified day/month/time/date
criteria is matched

 Setting Time
 unp policy validity period “Office-Time”
 unp policy validity period “Office-Time” days MONDAY
 unp policy validity period “Office-Time” days MONDAY time-zone
 unp policy validity period “Office-Time” hours 9:00 to 17:00
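An added Python illustration (not OmniSwitch code) of how a location policy and a period policy decide between the profile's initial role and the unauthorized role. It follows the slide's statement that a period policy matches when any of its criteria matches, so a policy with days MONDAY and hours 9:00 to 17:00 also matches on a Tuesday at 10:00. The policy dictionaries, the profile, the system location string and the session attributes are constructed assumptions, as is the rule that every location criterion must match.

```python
# Added example: evaluating UNP validity policies as the slides describe them.
# Not OmniSwitch code; the policies, profile and sessions are constructed.
from datetime import datetime


def at(text):
    """Helper: 'YYYY-MM-DD HH:MM' -> datetime (constructed test input)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def period_policy_matches(policy, when):
    """Per the slide, a period policy matches when ANY of its configured
    day / month / hours / date-interval criteria matches (they are OR-ed)."""
    checks = []
    if "days" in policy:
        checks.append(when.strftime("%A").upper() in policy["days"])
    if "months" in policy:
        checks.append(when.strftime("%B").upper() in policy["months"])
    if "hours" in policy:                             # ("9:00", "17:00"): start inclusive
        start, end = (datetime.strptime(h, "%H:%M").time() for h in policy["hours"])
        checks.append(start <= when.time() < end)
    if "interval" in policy:                          # (start_datetime, end_datetime)
        first, last = policy["interval"]
        checks.append(first <= when <= last)
    return any(checks) if checks else True            # an empty policy restricts nothing


def location_policy_matches(policy, session):
    """Chassis/slot/port, switch name and location string identify a wired user;
    this example requires every configured criterion to match (an assumption)."""
    return all(session.get(key) == value for key, value in policy.items())


def effective_role(profile, session, when):
    """The initial role is the profile's qos-policy-list; a failed location or
    period validation moves the user to the unauthorized role instead."""
    loc, period = profile.get("location_policy"), profile.get("period_policy")
    if loc and not location_policy_matches(loc, session):
        return "unauthorized"
    if period and not period_policy_matches(period, when):
        return "unauthorized"
    return profile["qos_policy_list"]


# 'unp policy validity period "Office-Time" days MONDAY' and 'hours 9:00 to 17:00'
OFFICE_TIME = {"days": {"MONDAY"}, "hours": ("9:00", "17:00")}
# 'unp policy validity location "Alcatel" port 1/1/10' plus a constructed system location
ALCATEL_LOCATION = {"port": "1/1/10", "location": "HQ-floor-1"}
EMPLOYEE = {"qos_policy_list": "qos_gold", "location_policy": ALCATEL_LOCATION,
            "period_policy": OFFICE_TIME}

if __name__ == "__main__":
    session = {"port": "1/1/10", "location": "HQ-floor-1"}
    print(effective_role(EMPLOYEE, session, at("2014-03-03 10:00")))   # Monday: qos_gold
    print(effective_role(EMPLOYEE, session, at("2014-03-04 10:00")))   # Tuesday: hours still match
```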
Access Guardian 2.0 - Edge Profile
 Captive-portal-authentication [enable|disable]
 If Enabled, it allows the UNP user to undergo Captive-Portal Authentication

 Authentication-flag [enable|disable]
 If Enabled, the UNP-name can be selected only if the UNP user gets learnt into it
through L2-authentication (802.1x/Mac)

 Mobile-tag [enable|disable]
 Enable/Disable mobile tag mode on a UNP Port for wired users.
 If Enabled, it enforces the Port where the UNP-user gets learnt to be added as Tagged
Member of the vlan associated with the UNP
Access Guardian 2.0 - AAA Profile
 AAA profile defines
 AAA authentication servers associated with different authentication methods.
 Up to 4 authentication servers can be specified per authentication method
 AAA accounting servers associated with different authentication methods.
 Up to 4 accounting servers can be specified per authentication method.
 A syslog server may be specified as an accounting server
 The properties of the various radius attributes
 Specifying a mac-address or ip-address as the calling-station-id in the RADIUS attributes
 Specifying 802.1x properties with RADIUS server
 enable/disable of re-authentication
 Reauthentication interval
 Specifying the periodicity of the RADIUS Accounting-Request Interim message for
802.1x/MAC/Captive-Portal authenticated users
 Specifying the inactivity logout timer for mac and captive portal authentication
Access Guardian 2.0 - Captive-Portal Profile
 Captive Portal Profile
 Mode [internal|external] - 8.1.1 only internal supported
 Success-Redirect URL
 Redirect URL on Successful Authentication
 Retry-Count
 Number of retry attempts before authentication is declared to fail
 Policy-List <name>
 Policy List to be attached on successful authentication
 Realm [prefix|suffix] Domain <domain-name>
 For example in “domain-name\user1”, domain-name refers to the domain name if prefix option
is chosen.
 For example in “user@domain-name” , domain-name refers to the domain name if the suffix
option is chosen.
 AAA-Profile <name> Name of AAA Profile
Access Guardian 2.0
Quarantine Manager and Remediation

 QMR is handled as part of the L3 Authentication/Classification stage.
 This stage comes after the primary L2 authentication stage during which a UNP is assigned.
 Based on the UNP into which the user is learned, the user may undergo QMR, Location or Time based validations and assignment of dynamic roles (policy list).
 If QMR/Location/Time based validations fail the user is put into a Restricted Role (policy list)
 QMR allows
 Configuration of the quarantine page
 Enable/disable the ability to send the configuration page to the client
 Specify a list of IP addresses that the device can communicate with
 Configure a custom proxy port
BYOD WITH CLEARPASS
BYOD with ClearPass
 Unified access policy management solution for Wireline and Wireless networks

 Standardized RADIUS CoA Interface between the Switch and CPPM

 RADIUS Change of Authorization


 Provides a mechanism to change AAA RADIUS attributes of a session after
authentication
 New Edge Profile (UNP Name), redirection URL if required and AccessPolicyList can be
sent as attributes in the message. (646R01 does not return AccessPolicyList Name).
 If CPPM is not configured to return the AccessPolicyList then the policy-list of the
Edge-profile is applied,
 If there is no policy-list associated with the Edge-profile then a default policy-list
“Allow All” is applied

 Disconnect Message to terminate user session and discard all user context

 Supported AOS switches


 6860 : AOS R8.1.1
 6850E : AOS6.4.6
 6250/6450 : AOS R6.6.5
BYOD with ClearPass
• OnGuard
• Host posture check: Anti-virus, Anti-spyware, Firewalls
• Profile
• Device fingerprinting
• Fingerprint dictionary
• Device Profile change monitoring
• ClearPass Policy Manager
• ClearPass can act as a RADIUS Server for new deployments, or as a RADIUS Proxy for Overlay networks for MAC authentication service only
• ClearPass version 6.3 is supported in 8.1.1.R01
• Guest
• Sponsors
• Branded portals
• Self-registration
• Onboard
• Device certificates
• User driven portal
• Built-in CA
Employee Owned device On-boarding
 Policies to control type of device to be on-boarded

 Management of Digital Certificates

 On-boarding process automates 802.1x configuration & provisioning of devices

 Device Provisioning is supported through Aruba QuickConnect or Apple OTA API

 Quick Connect supports native supplicants on Windows Vista, XP, 7, Apple &
Android
(Flowchart of the on-boarding decision; node labels: Supplicant Client?, Initiate 802.1x, 802.1x Pass?, EAP-TLS?, Employee UNP, AD credentials match?, Block, Initiate MAC Auth, Restricted UNP returned, Redirect HTTP traffic to Onboard URL, Prompt to install Quick Connect, .1x Auth reinitiated with EAP-TLS)
Employee Owned device On-boarding

(Diagram: ClearPass, AD Auth, RADIUS CoA, XML API, Employee UNP, Edge Switch, WLAN Controller, Access Points, Employee Owned Devices)
Guest Management using Captive Portal of CPPM
 Offers Guest Self registration, Sponsored Guest Access & Pre-registration of Guests.

 Types of Guest Registration


 MAC Authentication & Captive Portal Authentication
 MAC Authentication & Self Registration with Sponsor

 MAC Auth & Captive Portal with MAC Caching


 First MAC Authentication Fails & CPPM returns a restricted edge-profile, Redirection URL
and Restricted AccessPolicyList
 If the Restricted AccessPolicyList is not returned, the preconfigured/built-in default Access List is applied
 Guest is redirected to Guest Registration Captive Portal.
 Guest provides login credentials
 On successful authentication, “Guest edge-profile” is returned through RADIUS CoA along
with GuestAccessPolicyList
 Switch bounces port / flushes user context to re-initiate auth if there is a vlan change.
 Next connection from Guest (within defined time) will result in MAC Auth succeeding.
 The MAC-AUTH service on CPPM should be configured to cache roles which will be returned
on subsequent MAC authentication process
Guest Management using Captive Portal of CPPM
 Sponsored Access
 Guest Registration URL contains link for Account creation
 Sponsor gets email when Guest submits account request
 On Approval, Password for guest received on email
 Flows between CPPM & OmniSwitch remain same
(Diagram: ClearPass Guest, Sponsor, Central Captive Portal, Edge Switch, WLAN Controller, Access Points, Guest devices, password)
Unified Device Profiling
 Automated function in CPPM. Identifies the
 Device category – Computer, Printer, AP etc.
 OS family – MAC, Android, Windows, Linux
 Device name and OS Version

 Useful for silent wired devices that can’t authenticate themselves – Printers, IP
Phones, Cameras etc.
 Also used for profiling Guest, Employee owned devices
 Profiling based on contextual data
 DHCP fingerprinting,
 MAC OUIs,
 HTTP User Agent
 SNMP or other device centric identity information

 Access denied in case of device impersonation


 Device disconnected if device signature changes
 CPPM should be configured as DHCP relay on switch in addition to DHCP Server
(ip helper address )
Unified Host Posture Check
 Determines the Network Security Context based on posture of hosts after the
host has been authenticated at the CPPM
 Posture Check is an optional step configured on ClearPass to check the health
of connecting host.
 Ensures compliance to Enterprise policies

 Initial MAC authentication for device will fail and switch will place the endpoint
in restricted UNP.
 Posture determination by ClearPass is done through
 Permanent agent running on Hosts
 A specific TCP port traffic should be allowed in the Restricted UNP
 Web-based dissolvable agent
 HTTPS traffic should be allowed through restricted UNP.

 A device found unhealthy can be
 Blocked through a Disconnect Message
 Remediated – the device is redirected to a remediation portal for system upgrade
Access Guardian

How to
 Implement the Access Guardian security feature on an AOS OmniSwitch. This includes device classification policies. Both supplicant and non-supplicant user authentication methods will be configured, as well as Captive Portal and User Network Profiles.

Contents
1 Basic 802.1X Authentication ................................................................. 2
1.1. Configuration ........................................................................................... 2
1.2. Verification ............................................................................................. 4
2 Access Guardian Authentication ............................................................ 4
2.1. Supplicant (802.1x client) policy configuration .................................................. 5
2.1.1. Verification .................................................................................................. 5
2.2. Non-supplicant (Non-802.1x client) policy configuration ....................................... 5
2.2.1. Verification .................................................................................................. 6

3 Captive Portal Authentication ............................................................... 6


3.1. Configuration ........................................................................................... 6
3.2. Verification ............................................................................................. 7
4 User Network Profile ......................................................................... 7
4.1. Configuration ........................................................................................... 7
4.1.1. Verification .................................................................................................. 8
4.2. QoS Policy list configuration ......................................................................... 9
4.2.1. Verification .................................................................................................. 9
4.3. UNP mobile rules ..................................................................................... 10
4.3.1. Verification ................................................................................................ 10

Implementation
A single Omniswitch is used in the following sections

1 Basic 802.1X Authentication


A basic 802.1x port may be used when only successfully authenticated 802.1x devices are allowed in the network, without any other requirements.
An 802.1x client is classified on the port’s default VLAN, a mobile VLAN or an authenticated VLAN (user
VLAN returned by RADIUS server). Mobile rules can only be applied after user authentication.

1.1. Configuration
- Open a console session to the 6850 with the following authentication credentials:
Login: admin
Password: switch

- Remove configuration from previous labs and reboot the switch from the WORKING directory
- Type the following:
-> rm /flash/working/boot.cfg
-> reload working no rollback-timeout

- After rebooting, save the configuration to the boot.cfg file


-> write memory

- Create a Loopback0 interface with an IP address according to your switch. This IP address is used for
RADIUS server authorization
-> ip interface Loopback0 address #.#.#.# (where # is your switch number)

- Create the VLAN 100 and assign the IP address 192.168.100.# to VLAN 100, where # is your switch number.
- Type the following :
-> vlan 100
-> vlan 100 port default 1/9
-> ip interface vl100 address 192.168.100.# vlan 100
-> interfaces 1/9 admin up

The Radius/DHCP Server is plugged on port 1/9 on 6850A with IP address 192.168.100.102. Ask your instructor for RADIUS server availability
- Ensure connectivity to the RADIUS server, type the following :
-> ping 192.168.100.102

- Create an Authenticated VLAN with an IP address. For this example VLAN 11 will be the Authenticated VLAN
- Type the following on the 6850 :
-> vlan 11
-> ip interface vl11 address 192.168.11.1 vlan 11

- To assign an IP address dynamically to users, configure a DHCP Relay and DNS server addresses on the switch as follows:
-> ip helper address 192.168.100.102
-> ip name-server 192.168.100.102

- The next step is to enable mobility and 802.1x Authentication on the port the Client is connecting to
(1/1). Type the following:
-> interfaces 1/1 admin up
-> vlan port mobile 1/1
-> vlan port 1/1 802.1x enable

- The next step is to tell the switch where to forward the Authentication requests, this will be the address
of the RADIUS server (192.168.100.102)
-> aaa radius-server rad1 host 192.168.100.102 key alcatel-lucent

The command above adds the RADIUS server, called rad1 with an IP address of 192.168.100.102, to the switch. The switch will use the shared secret ‘alcatel-lucent’ to communicate with the RADIUS server.

- Now we must tell the OmniSwitch to forward 802.1x requests to the RADIUS Server.
- Type the following:
-> aaa authentication 802.1x rad1

- You will also enable MAC authentication as follows:
-> aaa authentication mac rad1

The switch will now know where to send 802.1x and MAC authentication requests

The RADIUS server has been configured to return VLAN 11 to the switch if the authentication is
successful. The switch will then move the user into VLAN 11, the authenticated VLAN.

- Open the client PC that will be used to test authentication. For this example, client 3 is used.
- The following steps are performed on the client to setup 802.1X authentication:

A Windows XP client is being used for this example. Ask your instructor in case a different
Operating System is used.

- Double-click the Local Area network icon in the system tray.


- Click Properties. Then Choose the Authentication Tab
- Click ‘Enable IEEE 802.1x’
- For EAP Type choose PEAP
- Click Settings then Uncheck ‘Validate Server Certificate’
- Close all dialogue boxes to save changes and enable 802.1x.
- A balloon popup appears in the system tray.

If the Authentication Tab doesn’t appear, run “services.msc” and start service “Wired Autoconfig
service”

1.2. Verification

- Use the following username and password for testing purposes:


o Username: user11 / Password: user11 - > user is assigned to VLAN 11

Windows stores previous authentication information in the registry and uses it for automatically
authenticating users. If you are not being prompted for a username/password, follow the
instruction below showing how to clear out the credential cache by editing the registry.
Fire up the registry editor (START->RUN->REGEDIT) and delete the
HKEY_CURRENT_USER\Software\Microsoft\EAPOL\UserEAPinfo registry key.

- The client PC can be set to DHCP, if a valid address has not been applied after authentication, check that
your configuration is relevant to your switch number.
- You should see that you have been authenticated using the 802.1x method and your client PC has obtained
an IP address matching VLAN 11’s subnet IP address.
- Let’s check connectivity, now that you have been authenticated. You should see that your port and MAC
address have been moved to VLAN 11.
- Type/Perform the following:
-> show mac-address-table
-> show vlan 11 port
-> show 802.1x 1/1
-> show 802.1x statistic
-> show 802.1x users

Type the following command:


-> show 802.1x device classification policies 1/1
These policies are the default policies that are applied to the port when 802.1x is enabled

For more information about the displays that result from these commands and others, see the
OmniSwitch CLI Reference Guide and Network Configuration Guide

2 Access Guardian Authentication


Access Guardian provides functionality that allows the configuration of 802.1x device classification policies
for supplicants (802.1x clients) and non-supplicants (non-802.1x clients).
The policies are configured in chains specifying both the policies and the order in which they will be
applied. The first policy in the chain is applied first and if it does not terminate the second policy is
applied and so on.
Consider the following when configuring policies:
- A single policy can only appear once for a pass condition and once for a failed condition.
- Up to three VLAN ID policies are allowed within the same compound policy, as long as the ID number is
different for each instance specified (e.g., vlan 20 vlan 30 vlan 40).
- Policies must terminate. The last policy must result in either blocking the device or assigning the device to
the default VLAN. If a terminal policy is not specified, the block policy is used by default.
- The order in which policies are configured determines the order in which the policies are applied.
Access Guardian

2.1. Supplicant (802.1x client) policy configuration


- A policy will be created that classifies a user based on the following assumptions:
- Using RADIUS authentication:
o If authentication is successful (PASS), then
▪ RADIUS returns a VLAN ID and the user is moved to this VLAN.
▪ If RADIUS doesn't return a VLAN ID, then Group Mobility rules are applied.
▪ If Group Mobility fails, then the client is assigned to VLAN 1000.
▪ If VLAN 1000 doesn't exist then the client is placed on the default VLAN.
o If authentication is not successful (FAIL), then
▪ The user is moved to VLAN 12.
▪ If VLAN 12 doesn't exist then the user traffic is blocked.
- Type the following:
-> vlan 1000
-> vlan 12
-> ip interface vl12 address 192.168.12.2/24 vlan 12
-> 802.1x 1/1 supplicant policy authentication pass group-mobility vlan 1000 default-vlan fail vlan 12 block

- Check the configuration by using the following command:


-> show 802.1x device classification policies 1/1
Device classification policies on 802.1x port 1/1
Supplicant:
authentication:
pass: group-mobility, vlan 1000, default-vlan
fail: vlan 12, block
Non-Supplicant:
block (default)

2.1.1. Verification
- Perform different authentication tests using the following credentials:
o Login = user10, password = user10 → the VLAN returned does not exist in the switch
o Login = user11, password = user11 → VLAN 11 returned
o Login = unknown, password = unknown → authentication fails

Ask your instructor in case a different user or password is used

- To reset the authentication, disable the Local Area Connection on the Windows XP client


- Then, type the following:
-> aaa admin-logout port 1/1

- And re-enable the Local Area Connection.


- Let's check connectivity each time you have been authenticated. You should see that your port and
MAC address have been moved to a different VLAN ID.
- Type/Perform the following:
-> show mac-address-table
-> show vlan 11 port
-> show 802.1x users
-> show aaa-device all-users

2.2. Non-supplicant (Non-802.1x client) policy configuration


- A policy will be created that classifies a user based on the following assumptions:
- Using RADIUS authentication:
o If authentication is successful (PASS), then
▪ RADIUS returns a VLAN ID and the user is moved to this VLAN.
▪ If RADIUS does not return a VLAN ID, then Group Mobility rules are applied.
▪ If Group Mobility fails, then the user is assigned to the default VLAN.
o If authentication is not successful (FAIL), then
▪ Group Mobility is applied.
▪ If Group Mobility fails, then the user is moved to VLAN 11.
▪ If VLAN 11 doesn't exist then the user is placed in the default VLAN.

- Type the following:


-> 802.1x 1/1 non-supplicant policy authentication pass group-mobility default-vlan fail vlan 11 default-vlan

- Check the configuration by using the following command:


-> show 802.1x device classification policies 1/1
Device classification policies on 802.1x port 1/1
Supplicant:
authentication:
pass: group-mobility, vlan 1000, default-vlan
fail: vlan 12, block
Non-Supplicant:
authentication:
pass: group-mobility, default-vlan
fail: vlan 11, default-vlan
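To make the chain evaluation described at the start of section 2 concrete, here is an added Python model (not OmniSwitch code) that parses the pass/fail part of the 802.1x policy commands typed in sections 2.1 and 2.2 and walks the chain the way the guide describes: the first policy is applied, and if it does not terminate the next one is tried. The switch state (which VLANs exist, the port's default VLAN, the VLAN a Group Mobility rule would return) is a constructed assumption, as is the handling of a RADIUS-returned VLAN that does not exist on the switch: the model falls through to the pass chain, which is the behaviour the user10 test in 2.1.1 illustrates.

```python
"""Model of Access Guardian device classification chains (added example, not AOS code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SwitchState:
    """Constructed view of the switch state that the policies consult."""
    vlans: set                            # VLAN IDs that exist on the switch
    default_vlan: int                     # default VLAN of the port
    mobility_vlan: Optional[int] = None   # VLAN a Group Mobility rule returns, None if no rule matches


@dataclass
class AuthResult:
    passed: bool                          # RADIUS Access-Accept (True) or Access-Reject (False)
    radius_vlan: Optional[int] = None     # VLAN ID returned by RADIUS, if any


def parse_policy(cmd):
    """Turn '... authentication pass <p1> <p2> fail <p3> ...' into {'pass': [...], 'fail': [...]}.
    'vlan <id>' and 'user-network-profile <name>' are two-token policies."""
    tokens = cmd.split()
    tokens = tokens[tokens.index("authentication") + 1:]
    chain, side, i = {"pass": [], "fail": []}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("pass", "fail"):
            side = tok
        elif tok in ("vlan", "user-network-profile"):
            chain[side].append(f"{tok} {tokens[i + 1]}")
            i += 1
        else:
            chain[side].append(tok)
        i += 1
    return chain


def classify(chain, auth, sw):
    """Apply the chain in order until a policy terminates.
    Returns ('vlan', id), ('unp', name), ('captive-portal', None) or ('block', None)."""
    # Assumption: a VLAN returned by RADIUS is honoured only if it exists on the switch;
    # otherwise the pass chain runs (Group Mobility first, then the fallback policies).
    if auth.passed and auth.radius_vlan is not None and auth.radius_vlan in sw.vlans:
        return ("vlan", auth.radius_vlan)
    policies = chain["pass"] if auth.passed else chain["fail"]
    for policy in policies:
        if policy == "group-mobility":
            if sw.mobility_vlan is not None and sw.mobility_vlan in sw.vlans:
                return ("vlan", sw.mobility_vlan)       # a mobility rule matched: terminate
        elif policy.startswith("vlan "):
            vid = int(policy.split()[1])
            if vid in sw.vlans:
                return ("vlan", vid)                    # VLAN missing on the switch: fall through
        elif policy.startswith("user-network-profile "):
            return ("unp", policy.split()[1])
        elif policy == "default-vlan":
            return ("vlan", sw.default_vlan)
        elif policy == "captive-portal":
            return ("captive-portal", None)
        elif policy == "block":
            return ("block", None)
        else:
            raise ValueError(f"unknown policy {policy!r}")
    # The guide says a chain must terminate; when it does not, block is the default.
    return ("block", None)


# The two policies configured in sections 2.1 and 2.2, exactly as typed on the switch.
SUPPLICANT = parse_policy(
    "802.1x 1/1 supplicant policy authentication pass group-mobility vlan 1000 default-vlan fail vlan 12 block")
NON_SUPPLICANT = parse_policy(
    "802.1x 1/1 non-supplicant policy authentication pass group-mobility default-vlan fail vlan 11 default-vlan")
# Constructed switch state: VLANs 1, 11, 12 and 1000 exist and no Group Mobility rule matches.
LAB_SWITCH = SwitchState(vlans={1, 11, 12, 1000}, default_vlan=1)

if __name__ == "__main__":
    print("user11 :", classify(SUPPLICANT, AuthResult(True, 11), LAB_SWITCH))
    print("user10 :", classify(SUPPLICANT, AuthResult(True, 55), LAB_SWITCH))  # VLAN 55 not on switch
    print("unknown:", classify(SUPPLICANT, AuthResult(False), LAB_SWITCH))
    print("non-sup:", classify(NON_SUPPLICANT, AuthResult(False), LAB_SWITCH))
```

Feeding the model the three credential tests of 2.1.1 gives VLAN 11 (RADIUS VLAN honoured), VLAN 1000 (returned VLAN absent, Group Mobility has no rule, first fallback VLAN exists) and VLAN 12 (fail chain); the same `classify` also handles the captive-portal policy of section 3, which terminates the fail chain with a redirect to the web portal instead of a VLAN.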

2.2.1. Verification
- A non-supplicant authenticates on the RADIUS server with its MAC address.
- As the RADIUS server is not configured with the MAC addresses of the clients, the authentication will fail.
You should see that your port and MAC address have been moved to VLAN 11.
- For a non-supplicant attempt, just disable 802.1x on your client PC in the Local Area Connection properties
window and make a new port connection.
- Verify this by typing the following:
-> show mac-address-table
-> show vlan 11 port
-> show 802.1x non-supplicant 1/1
-> show aaa-device all-users

For more information about the displays that result from these commands and others, see the
OmniSwitch CLI Reference Guide and Network Configuration Guide

3 Captive Portal Authentication


By using Captive Portal, Access Guardian will determine that a client device is a candidate for Web-based
authentication if the following conditions are true:
• The device is connected to an 802.1x-enabled port.
• An Access Guardian policy (supplicant or non-supplicant) that includes the Captive Portal option is
configured for the port.

3.1. Configuration
- In this section, a way to identify users through a web portal will be configured. This is usually done for
guest access.

- Let’s create a new authentication policy for non-supplicant users on port 1/1
- Type the following:
-> 802.1x 1/1 non-supplicant policy authentication pass group-mobility block fail captive-portal
-> 802.1x 1/1 captive-portal policy authentication pass vlan 11

Explain the new non-supplicant policy that has been configured on the switch
-

- Reset previous 802.1x authentication


-> aaa admin-logout port 1/1

- Use a standard browser available on the client device and access the following URL:
http://www.google.com
- Enter the credentials as requested on the web page and select submit.
o Login = user11, password = user11 → VLAN 11

RADIUS server is still used for Captive Portal Authentication.


Ask your instructor in case a different user or password is used.

3.2. Verification
- Let’s check connectivity now that you have been authenticated.
- Type the following:
-> show mac-address-table
-> show vlan port 1/1
-> show 802.1x non-supplicant 1/1
-> show aaa-device captive-portal-users
-> show aaa-device all-users

- To display the global Captive Portal configuration for the switch type the following:
-> show 802.1x captive-portal configuration

4 User Network Profile

User Network Profiles (UNP) are applied to host devices using Access Guardian device classification policies.
A profile name and the following associated attributes are required prior to assigning the profile using
device classification policies:
• VLAN ID. All members of the profile group are assigned to the VLAN ID specified by the profile.
• Host Integrity Check (HIC). Enables or disables device integrity verification for all members of the profile
group.
• QoS policy list name. Specifies the name of an existing list of QoS policy rules. The rules within the list
are applied to all members of the profile group. Only one policy list is allowed per profile, but multiple
profiles may use the same policy list.

4.1. Configuration
- Configure two User Network Profiles unp_sample1 and unp_sample2 as follows:
-> aaa user-network-profile name unp_sample1 vlan 11
-> aaa user-network-profile name unp_sample2 vlan 1000

- Verify the UNP parameters:


-> show aaa user-network-profile
Role Name Vlan HIC Policy List Name
--------------------------------+-----+----+----------------------------
unp_sample1 11 No
unp_sample2 1000 No

- Let’s configure a basic device classification policy using the following UNP mapping configuration on port
1/1:
-> 802.1x 1/1 supplicant policy authentication pass user-network-profile unp_sample1 block fail captive-portal
-> 802.1x 1/1 non-supplicant policy authentication pass block fail user-network-profile unp_sample2 block

Explain both policies that have been just configured


-

- Verify the configuration:


-> show 802.1x device classification policies 1/1
Device classification policies on 802.1x port 1/1
Supplicant:
authentication:
pass: UNP unp_sample1, block
fail: captive-portal
Non-Supplicant:
authentication:
pass: block
fail: UNP unp_sample2, block
Captive Portal:
authentication:
pass: vlan 11
fail: block (default)

4.1.1. Verification
- Connect the client PC and make sure the client is classified based on the User Profile Mapping Table.
- Verify that the client (supplicant) is authenticated and classified based on the User Profile Mapping
Table.
- Use the following username and password for testing purposes:
o Login = user13, password = user13

The RADIUS server is configured to return a VLAN different from the ones that are configured in the
switch. Therefore, the user is assigned to the UNP unp_sample1 as indicated by the policy.
Ask your instructor in case a different user or password is used.

- Type the following commands:


-> show mac-address-table
-> show vlan port 1/1
-> show 802.1x non-supplicant 1/1
-> show aaa-device all-users

- Now perform an authentication by using the credentials as follows:


o Login = sample1, password = alcatel-lucent

The RADIUS server is configured to return the UNP unp_sample1 if this user/password combination
is used for authentication.
Ask your instructor in case a different user or password is used.

- Use the previous CLI commands in order to check the UNP that has been associated to the client and the
VLAN ID returned by the RADIUS server.

4.2. QoS Policy list configuration


- Let's now configure a policy list that contains two rules: one filtering the traffic to a server address and a
second one giving the highest priority to the user traffic.
- Configure a QoS rule that filters traffic to a specific IP address:
-> policy condition server1 destination ip 10.0.0.10
-> policy action drop disposition drop
-> policy rule no_server1 condition server1 action drop log no default-list

- Configure a QoS rule that gives the highest priority to the user traffic:
-> policy condition high_prio source ip any destination ip any
-> policy action prio7 priority 7
-> policy rule traffic_prio condition high_prio action prio7 no default-list
-> qos apply

A default policy list is available when the switch boots up. This list has no name and is
not configurable. All QoS policy rules are assigned to this default list and applied to the
switch unless the no default-list option of the policy rule command is used.

- Configure a policy list based on previous step:

-> policy list list1 type UNP rules traffic_prio no_server1


-> qos apply

- Configure the User Profile Mapping Table:

-> aaa user-network-profile name high-prio vlan 11 policy-list-name list1

- Let's configure a new device classification policy that uses the configured UNP "high-prio" for successful
authentication of 802.1x users, and for unsuccessful authentication of non-802.1x users:
-> 802.1x 1/1 supplicant policy authentication pass user-network-profile high-prio fail block
-> 802.1x 1/1 non-supplicant policy authentication pass block fail user-network-profile high-prio block

- Verify the configuration:


-> show 802.1x device classification policies 1/1
-> show policy rule
-> show policy list

4.2.1. Verification

- Connect one supplicant on the switch, and make sure the client is classified based on the User Profile
Mapping Table.
- Do the same for a non-supplicant user (simply uncheck 802.1x authentication on your client).
- Verify that both clients are authenticated and classified based on the User Profile Mapping Table.
- Check that the UNP profiles and their associated rules match the specific user traffic, with detailed
information.
- Type the following commands:
-> show active policy rule
-> show active policy list
-> show 802.1x device classification policies 1/1
-> show aaa-device all-users
-> show vlan port 1/1

If you want to verify that the QoS policies are applied, assign the 10.0.0.10 address to another
client PC and connect it to a different port on the switch. In the switch create a separate VLAN
with an IP address in the 10.0.0.X/24 subnet and assign this VLAN to the port that the new client is
connected to. Verify that the connection between the two clients is not successful.
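The verification above can be reasoned through before touching a second client. The following is an added Python model (not AOS code) of the policy list `list1` built in section 4.2: the conditions, actions and rules are transcribed from the commands typed on the switch, and the list is evaluated against constructed packets. One modelling assumption is labelled in the code: every matching rule contributes its action and a drop disposition wins regardless of rule order. The real switch's rule precedence handling is described in the Network Configuration Guide and is not modelled here.

```python
"""Model of the QoS policy list 'list1' from section 4.2 (added example, not AOS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet: only the fields the lab's conditions look at."""
    src: str
    dst: str


# 'policy condition <name> ...' as typed on the switch; None means 'any'.
CONDITIONS = {
    "server1": {"destination ip": "10.0.0.10"},
    "high_prio": {"source ip": None, "destination ip": None},
}
# 'policy action <name> ...'
ACTIONS = {
    "drop": {"disposition": "drop"},
    "prio7": {"priority": 7},
}
# 'policy rule <name> condition <c> action <a> [log]': name -> (condition, action, log)
RULES = {
    "no_server1": ("server1", "drop", True),
    "traffic_prio": ("high_prio", "prio7", False),
}
# 'policy list list1 type UNP rules traffic_prio no_server1'
LIST1 = ["traffic_prio", "no_server1"]


def matches(condition, pkt):
    """A condition matches when every non-'any' field contains the packet's address.
    A bare host such as 10.0.0.10 is treated as a /32 network."""
    for key, value in condition.items():
        if value is None:
            continue
        field = pkt.src if key == "source ip" else pkt.dst
        if ipaddress.ip_address(field) not in ipaddress.ip_network(value, strict=False):
            return False
    return True


def apply_policy_list(rule_names, pkt):
    """Evaluate a policy list against one packet.
    Modelling assumption: all matching rules apply and a drop disposition dominates.
    Returns {'disposition', 'priority', 'matched', 'logged'}."""
    verdict = {"disposition": "accept", "priority": None, "matched": [], "logged": []}
    for name in rule_names:
        cond_name, action_name, log = RULES[name]
        if not matches(CONDITIONS[cond_name], pkt):
            continue
        verdict["matched"].append(name)
        action = ACTIONS[action_name]
        if action.get("disposition") == "drop":
            verdict["disposition"] = "drop"
        if "priority" in action:
            verdict["priority"] = action["priority"]
        if log:
            verdict["logged"].append(name)      # what 'show active policy rule' / the log would report
    return verdict


if __name__ == "__main__":
    # Constructed client in VLAN 11 talking to the server and to an arbitrary host.
    print(apply_policy_list(LIST1, Packet("192.168.11.50", "10.0.0.10")))
    print(apply_policy_list(LIST1, Packet("192.168.11.50", "192.168.12.2")))
```

Traffic from the UNP member to 10.0.0.10 ends with disposition drop and the `no_server1` hit logged, while any other traffic is accepted with priority 7, which is exactly the outcome the two-client test in this section is meant to observe.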

4.3. UNP mobile rules


Let's now use the capability of the AOS switch to classify devices with "UNP mobile rules". This allows the
administrator to assign users to a profile group based on the client traffic that is seen by the switch.
These rules take precedence over the VLAN rules already configured on the switch.

- Configure a UNP mobile rule with 172.30.#.0 as the source IP value and "employee" as the user network
profile. Any device connecting to port 1/1 with a source IP address that falls within the 172.30.#.0
network will be assigned to the "employee" profile.
- For this example, let’s type the following commands:
-> vlan 30
-> ip interface employee address 172.30.#.# vlan 30 (where # is your switch number)
-> aaa user-network-profile name employee vlan 30
-> aaa classification-rule ip-address 172.30.#.0 255.255.255.0 user-network-profile name employee

- Verify the configuration by using the following command:


-> show aaa classification-rule ip-net-rule
IP Addr IP Mask User Network Profile Name
------------------+-----------------+-------------------------
172.30.1.0 255.255.255.0 employee

Mobility and 802.1X authentication must be enabled to use UNP mobile rules. The default 802.1x policy on
the port is enough for using UNP mobile rules.
- In this example, we need to modify the Access Guardian supplicant and non-supplicant policies as follows:

-> 802.1x 1/1 supplicant policy authentication pass group-mobility fail block
-> 802.1x 1/1 non-supplicant policy authentication pass group-mobility fail block
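As an added illustration of what the `aaa classification-rule ip-address ... user-network-profile` rule does (Python model, not AOS code), the block below reproduces the rule shown by `show aaa classification-rule ip-net-rule` for switch number 1, adds a second, broader constructed rule, and classifies a client by its source IP into a profile and the profile's VLAN. Treating the longest matching prefix as the winner, and raising an error when a rule names a profile that was never created, are assumptions of this model.

```python
"""Model of UNP mobile (ip-net) classification rules from section 4.3 (added example, not AOS code)."""
import ipaddress

# Rules in the form 'aaa classification-rule ip-address <ip> <mask> user-network-profile name <p>'.
# The first entry is the one this lab configures (switch #1); the second is a constructed broader rule.
IP_NET_RULES = [
    ("172.30.1.0", "255.255.255.0", "employee"),
    ("172.30.0.0", "255.255.0.0", "unp_sample1"),
]
# Profile -> VLAN as created with 'aaa user-network-profile name <name> vlan <id>' earlier in the lab.
PROFILES = {"employee": 30, "unp_sample1": 11, "unp_sample2": 1000}


def build_rules(raw_rules):
    """Convert (ip, dotted mask, profile) triples into (network, profile) pairs.
    strict=True rejects a rule whose host bits are set, as a typo check."""
    rules = []
    for ip, mask, profile in raw_rules:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=True)
        rules.append((net, profile))
    # Assumption: the most specific rule (longest prefix) wins when several match.
    rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rules


def classify_by_source_ip(src_ip, rules, profiles):
    """Return (profile, vlan) for the first rule containing src_ip, or None when no
    rule matches (the device then falls back to the port's 802.1x policy chain)."""
    addr = ipaddress.ip_address(src_ip)
    for net, profile in rules:
        if addr in net:
            if profile not in profiles:
                raise LookupError(f"rule {net} references unknown profile {profile!r}")
            return profile, profiles[profile]
    return None


def describe(src_ip, raw_rules=IP_NET_RULES, profiles=PROFILES):
    """Convenience wrapper: classification result for one source address."""
    return classify_by_source_ip(src_ip, build_rules(raw_rules), profiles)


if __name__ == "__main__":
    for ip in ("172.30.1.25", "172.30.7.9", "10.0.0.5"):
        print(ip, "->", describe(ip))
```

A client that picks an address inside 172.30.1.0/24, as the verification step asks you to do, lands in "employee" and therefore VLAN 30; an address elsewhere in 172.30.0.0/16 hits the broader constructed rule; anything else returns None and is left to the supplicant or non-supplicant policy.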

4.3.1. Verification

- On the client PC, assign an IP address in the 172.30.#.0 subnet. Then ping the IP address configured for
VLAN 30 on the switch (172.30.#.#).

- Verify that the client is authenticated and classified based on the User Profile Mapping Table.
- Check UNP profiles and associated rules are matching specific user traffic with detailed information.
- Type the following:
-> show aaa-device all-users
-> show vlan port 1/1

Remember to perform the following if you want to make different authentication attempts:
- Disable the local interface on the client PC
- Type the following command: -> aaa admin-logout port 1/1
- Re-enable the local interface on the client PC
Security Network Access Control

How to
- Configure the OmniSwitch 6860 to integrate the ClearPass solution

Contents
1 Setup ClearPass Policy Manager ............................................................. 2
2 Setup OS6860 .................................................................................. 5
3 Test ............................................................................................. 6

1 Setup ClearPass Policy Manager


At this step, we will deploy a ClearPass virtual machine and restore a basic configuration to be used with
Access Guardian 2.0 features of the 6860.
- From vSphere, right-click on ClearPass virtual machine and select Snapshot > Snapshot Manager…

- Select Before License and click on Go To button

- Click Yes on the Confirm window



- Click Close
- Once the snapshot revert is completed, start the ClearPass virtual machine, as well as DHCP_RADIUS and
DomainController
- On the 6850E-A, configure the management VLAN 100:
OS6850E-A -> vlan 100 name “management”
OS6850E-A -> vlan 100 port default 1/9
OS6850E-A -> vlan 100 port default 1/1
OS6850E-A -> vlan 100 port default 1/7-8
OS6850E-A -> ip interface vl100 address 192.168.100.254/24 vlan 100
OS6850E-A -> interfaces 1/1 admin up
OS6850E-A -> interfaces 1/9 admin up
OS6850E-A -> interfaces 1/7-8 admin up

- Open Client3 console and ensure it’s configured as DHCP client


- From the Client3 console, open a browser and enter the ClearPass URL: https://192.168.100.21
- Bypass the warning by clicking on Proceed anyway

- On the client3 desktop, open the file CPPM_License.txt and copy/paste the license on ClearPass admin
page. Tick the box “I agree to the above terms and conditions” and click on Add License.

- On the login screen, enter the following credentials and click on Login.
Username = admin
Password = eTIPS123

- Select Administration > Server Manager > Server Configuration

- Click the Restore button


- Click Choose File

- Browse the Desktop and select ClearPass_Backup.tar and click Start.



- Once the database restore is done, your ClearPass Policy Manager is ready to use. Click on Close.

2 Setup OS6860
We will now configure the 6860 to apply a different User Network Profile depending on the user type:
an employee is authenticated through 802.1x and is assigned the employee VLAN and the Allow-All policy
list. A guest is by default placed in a restricted role that only allows DHCP, DNS and HTTP requests to the
Captive Portal. Once authenticated, a new role is assigned that gives the guest more access rights.
- On the 6860 (A or B) configure the different VLANs:
OS6860-A/B -> vlan 20 admin-state enable name “employee”
OS6860-A/B -> vlan 21 admin-state enable name “guest”
OS6860-A/B -> vlan 100 admin-state enable name “management”
OS6860-A/B -> vlan 4092 admin-state disable name “default”
OS6860-A -> vlan 100 members port 1/1/7 untagged
OS6860-A -> vlan 20-21 members port 1/1/7 tagged
OS6860-A -> interfaces 1/1/7 admin-state enable
OS6860-A -> ip interface vl100 address 192.168.100.47/24 vlan 100
OS6860-B -> vlan 100 members port 1/1/8 untagged
OS6860-B -> vlan 20-21 members port 1/1/8 tagged
OS6860-B -> interfaces 1/1/8 admin-state enable
OS6860-B -> ip interface vl100 address 192.168.100.48/24 vlan 100

- Configure the Employee and Guest VLANs on the 6850-A:


OS6850E-A -> vlan 20 name “employee”
OS6850E-A -> vlan 21 name “guest”
OS6850E-A -> vlan 20-21 802.1q 1/7
OS6850E-A -> vlan 20-21 802.1q 1/8
OS6850E-A -> ip interface vl20 address 192.168.20.3/24 vlan 20
OS6850E-A -> ip interface vl21 address 192.168.21.3/24 vlan 21
OS6850E-A -> ip helper address 192.168.100.104

- On the 6860 (A or B) configure the ClearPass Policy Manager as RADIUS server


OS6860-A/B -> aaa radius-server “cppm” host 192.168.100.21 key alcatel-lucent
OS6860-A/B -> aaa device-authentication 802.1x cppm
OS6860-A/B -> aaa device-authentication mac cppm
OS6860-A/B -> aaa accounting 802.1x cppm
OS6860-A/B -> aaa accounting mac cppm

- On the 6860 (A or B) create the different edge-profiles and assign them the corresponding VLAN.
Note that policy lists could also be defined and associated with the edge-profiles. By default, the
Allow-All policy list is applied, except for an edge-profile with the captive-portal (redirect) flag enabled:
in that case, for UNP-restricted, which gets a redirect URL to reach the ClearPass Captive Portal, only DHCP,
DNS, ARP and HTTP(S) to that URL are allowed.
OS6860-A/B -> unp edge-profile UNP-employee
OS6860-A/B -> unp edge-profile UNP-contractor
OS6860-A/B -> unp edge-profile UNP-guest
OS6860-A/B -> unp edge-profile UNP-guest redirect enable
OS6860-A/B -> unp edge-profile UNP-restricted
OS6860-A/B -> unp edge-profile UNP-restricted redirect enable
OS6860-A/B -> unp edge-profile UNP-default

OS6860-A/B -> unp vlan-mapping edge-profile UNP-employee vlan 20


OS6860-A/B -> unp vlan-mapping edge-profile UNP-contractor vlan 20
OS6860-A/B -> unp vlan-mapping edge-profile UNP-restricted vlan 21
OS6860-A/B -> unp vlan-mapping edge-profile UNP-guest vlan 21
OS6860-A/B -> unp vlan-mapping edge-profile UNP-default vlan 4092
OS6860-A/B -> unp redirect-server 192.168.100.21

- On the 6860 (A or B) configure user port with authentication


OS6860-A/B -> unp port 1/1/10 port-type edge
OS6860-A/B -> unp port 1/1/10 802.1x-authentication enable
OS6860-A/B -> unp port 1/1/10 802.1x-authentication pass-alternate edge-profile UNP-default
OS6860-A/B -> unp port 1/1/10 mac-authentication enable
OS6860-A/B -> unp port 1/1/10 mac-authentication pass-alternate edge-profile UNP-default
OS6860-A/B -> interfaces 1/1/10 admin-state enable

A supplicant user is authenticated by ClearPass, which sends back the UNP as a Filter-Id
attribute (UNP-employee or UNP-contractor).
A non-supplicant user is authenticated with its MAC address. ClearPass is configured to send
back UNP-restricted and the captive portal redirect URL. Once authenticated on the
captive portal, the user gets the UNP-guest profile.
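The note above is the whole trust relationship of this setup: the switch applies whatever profile name arrives in the Filter-Id attribute, so it must be sure the reply really came from the RADIUS server it configured. The following added Python example (not AOS or ClearPass code) builds an RFC 2865 Access-Accept carrying Filter-Id = UNP-employee and checks it the way a NAS must before trusting it: the Response Authenticator is MD5 over Code, Identifier, Length, the Request Authenticator and the attributes, followed by the shared secret. The secret reuses the key from the `aaa radius-server "cppm"` command on this page; the Request Authenticator value and the identifier are constructed for the example.

```python
"""RFC 2865 Access-Accept with Filter-Id: build, validate, extract (added example, not AOS code)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_FILTER_ID = 1, 11
SECRET = b"alcatel-lucent"                 # key from 'aaa radius-server "cppm" ... key alcatel-lucent'
REQUEST_AUTHENTICATOR = bytes(range(16))   # constructed; really 16 random bytes from the Access-Request


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865, section 3)."""
    payload = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(payload))
    response_auth = hashlib.md5(header + request_auth + payload + secret).digest()
    return header + response_auth + payload


def parse_attrs(payload: bytes):
    """Walk the attribute list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def unp_from_reply(packet: bytes, request_auth: bytes, secret: bytes):
    """Validate the reply as the NAS must, then return the Filter-Id (edge-profile name),
    or None when the reply is a reject or carries no Filter-Id. Raises ValueError on a bad reply."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field mismatch")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or tampered reply")
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attrs(packet[20:]):
        if atype == ATTR_FILTER_ID:
            return value.decode("ascii")
    return None


def reply_is_valid(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True when the reply passes the Response Authenticator check."""
    try:
        unp_from_reply(packet, request_auth, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTHENTICATOR, SECRET,
                                [(ATTR_USER_NAME, b"employee"), (ATTR_FILTER_ID, b"UNP-employee")])
    print("profile from reply:", unp_from_reply(reply, REQUEST_AUTHENTICATOR, SECRET))
    print("valid with wrong secret:", reply_is_valid(reply, REQUEST_AUTHENTICATOR, b"wrong"))
```

A reply whose Filter-Id has been altered in transit, or that was produced with a different secret, fails the authenticator check and is discarded rather than mapped to a profile; this is why the key in `aaa radius-server` must match the one configured on ClearPass, and why the `aaa test-radius-server` step in section 3 is a useful first check.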

3 Test
- First, we will test whether RADIUS is properly configured and reachable. From the 6860 (A or B) type:
OS6860-A/B -> aaa test-radius-server cppm type authentication user employee password password
Testing Radius Server <192.168.100.21/cppm>
Access-Challenge from 192.168.100.21 Port 1812 Time: 8 ms
Please wait.Reply from 192.168.100.21 port 1812 req_num<0>: timeout
Access-Reject from 192.168.100.21 Port 1812 Time: 0 ms
Returned Attributes

- From Client 3, open the web admin page of cppm and go to Monitoring > Live monitoring > Access
Tracker

- You should see your radius request, click it to open it.

- The request failed because no EAP method is provided, but at least you know that your RADIUS server is
reachable.

- We will now test the different authentication methods to check the edge-profile associated with the user.
- Open the client 15 or 16 console from vSphere.
- Open Network Connections and right-click on the Local Area Connection.

- Select Properties then Authentication tab


If the Authentication tab is not available, click on the Start button, Run…, type services.msc and
click OK. Look for the Wired AutoConfig service and start it. The Authentication tab should now be
available.

- Check the box Enable IEEE 802.1X authentication and uncheck the box Cache user information for
subsequent connections to this network.

- Click on Settings and uncheck Validate server certificate.

- Keep the default authentication method (Secured password EAP-MSCHAP v2) and click on Configure.
- Uncheck the box Automatically use my Windows logon name and password.

- Click OK three times to leave the LAN connection properties.


- To ensure a clean status of the user port on the 6860 type :
OS6860-A/B -> unp edge-user flush port 1/1/10

- On client 15 or 16 right click on the network connection and disable it then re-enable it.
- You should get a pop-up asking to connect on the network.

Try the following credentials :


User name = employee
Password = password
- You should now be connected.
- On the 6860 type :
OS6860-A/B -> show unp user
User Learning
Port Username Mac address IP Vlan Profile Type Status Source
------+---------+-----------------+---------------+----+-------------+---------+-----------+-----------
1/1/10 employee 00:50:56:ac:46:1c 192.168.20.10 20 UNP-employee Edge Active Local

Total users : 1
Which UNP Profile is assigned to the user ? __________________________________
Which VLAN ? ___________________________________________________________

- To get more details, you can also type the following commands :
OS6860-A/B -> show unp edge-user status
Profile Authentication
Port Mac address Profile Name Source Type Status Role Name Role Source CP Redirect
------+-----------------+--------------+-------+-----+-------------+----------+-------------+--+--------+
1/1/10 00:50:56:ac:46:1c UNP-employee Radius 802.1x Authenticated - N N

Total users : 1

OS6860-A/B -> show unp edge-user details


Port: 1/1/10
MAC-Address: 00:50:56:ac:46:1c
Access Timestamp = 01/01/2014 03:46:54,
User Name = employee,
IP-Address = 192.168.20.10,
Vlan = 20,
Authentication Type = 802.1x,
Authentication Status = Authenticated,
Authentication Failure Reason = -,
Authentication Retry Count = 0,
Authentication Server IP Used = 192.168.100.21,
Authentication Server Used = cppm,
Server Reply-Message = -,
Profile = UNP-employee,
Profile Source = Auth - Pass - Server UNP,
Profile From Auth Server = UNP-employee,
Classification Profile Rule = -,
Role = -,
Role Source = -,
User Role Rule = -,
Restricted Access = No,
Location Policy Status = -,
Time Policy Status = -,
Captive-Portal Status = -,
QMR Status = Passed,
Redirect Url = -,
SIP Call Type = Not in a call,
SIP Media Type = None,
Applications = None

Total users : 1
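The detailed output above is the place to check that what the switch actually applied matches what the lab intends. The following is an added Python parser (not AOS code) for the key/value format of `show unp edge-user details`; it reads each user block and compares the applied profile and VLAN against the `unp vlan-mapping` table configured in section 2, flagging a user whose VLAN does not match its profile, who is not in the Authenticated state, or whose applied profile differs from the one the server returned. The sample text is the output shown in this guide, embedded so the block runs offline.

```python
"""Parse 'show unp edge-user details' and audit users against the intended VLAN mapping
(added example, not AOS code)."""

# Edge-profile -> VLAN, as configured with 'unp vlan-mapping edge-profile ...' in section 2.
VLAN_MAPPING = {
    "UNP-employee": 20, "UNP-contractor": 20,
    "UNP-restricted": 21, "UNP-guest": 21, "UNP-default": 4092,
}

# Sample output copied from the show command above (one authenticated employee).
SAMPLE_OUTPUT = """\
Port: 1/1/10
MAC-Address: 00:50:56:ac:46:1c
Access Timestamp = 01/01/2014 03:46:54,
User Name = employee,
IP-Address = 192.168.20.10,
Vlan = 20,
Authentication Type = 802.1x,
Authentication Status = Authenticated,
Authentication Failure Reason = -,
Authentication Retry Count = 0,
Authentication Server IP Used = 192.168.100.21,
Authentication Server Used = cppm,
Server Reply-Message = -,
Profile = UNP-employee,
Profile Source = Auth - Pass - Server UNP,
Profile From Auth Server = UNP-employee,
Classification Profile Rule = -,
Role = -,
Role Source = -,
User Role Rule = -,
Restricted Access = No,
Captive-Portal Status = -,
Redirect Url = -,
Applications = None

Total users : 1
"""


def parse_edge_user_details(text):
    """Return one dict per user block. A block starts at 'Port:'; the first two lines use
    'Key: value', the rest 'Key = value,' with a trailing comma."""
    users, current = [], None
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line or line.startswith("Total users"):
            continue
        if line.startswith("Port:"):
            current = {"Port": line.split(":", 1)[1].strip()}
            users.append(current)
        elif " = " in line:
            key, value = line.split(" = ", 1)
            current[key.strip()] = value.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return users


def check_user(user, vlan_mapping):
    """Return a list of findings for one user record; an empty list means consistent."""
    findings = []
    profile = user.get("Profile", "-")
    expected_vlan = vlan_mapping.get(profile)
    if expected_vlan is None:
        findings.append(f"profile {profile!r} has no VLAN mapping")
    elif user.get("Vlan") != str(expected_vlan):
        findings.append(f"VLAN {user.get('Vlan')} does not match mapping for {profile} ({expected_vlan})")
    if user.get("Authentication Status") != "Authenticated":
        findings.append("user is not in the Authenticated state")
    server_profile = user.get("Profile From Auth Server", "-")
    if server_profile != "-" and server_profile != profile:
        findings.append(f"server returned {server_profile!r} but {profile!r} was applied")
    return findings


def audit(text, vlan_mapping=VLAN_MAPPING):
    """Map each user's MAC address to its list of findings."""
    return {u["MAC-Address"]: check_user(u, vlan_mapping) for u in parse_edge_user_details(text)}


if __name__ == "__main__":
    for mac, findings in audit(SAMPLE_OUTPUT).items():
        print(mac, "OK" if not findings else findings)
```

Run against the output above the audit is clean; feeding it the later non-supplicant output (UNP-restricted in VLAN 21) is equally clean, while a record showing UNP-employee in VLAN 21 would be reported, which is the kind of mismatch worth catching before blaming the RADIUS side.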

- From the ClearPass Admin page, go to the Access Tracker page and select the RADIUS request.

- Go to the output tab and expand the RADIUS response.

What RADIUS attribute has been sent back to the switch? _______________________________
With which value? _________________________________________________________________
- Now disconnect from the switch by typing :
OS6860-A/B -> unp edge-user flush port 1/1/10

- Disable and re-enable the network interface from client 15 or 16.


Logon now with the following credentials :
User name = contractor
Password = password
- On the 6860 :
Which UNP Profile is assigned to the user ? __________________________________
Which VLAN ? ___________________________________________________________
- On the ClearPass Policy Manager Access Tracker :
What RADIUS attribute has been sent back to the switch? _______________________________
With which value? _________________________________________________________________
- Now disconnect the user from the switch again:
OS6860-A/B -> unp edge-user flush port 1/1/10

- Disable the 802.1x on the network interface (from authentication tab of the LAN connection properties)
on client 15 or 16.

- Disable and re-enable the network interface.


As a non-supplicant, what type of authentication is done ?_____________________________________
- On the switch check the user status :
OS6860-A/B -> show unp user
User Learning
Port Username Mac address IP Vlan Profile Type Status Source
------+-----------------+-----------------+---------------+----+---------------+------+-------+---------
1/1/10 00:50:56:ac:46:1c 00:50:56:ac:46:1c 192.168.21.10 21 UNP-restricted Edge Active Local
Which UNP Profile is assigned to the user ? __________________________________
Which VLAN ? ___________________________________________________________
- Type now the following commands to get details :
OS6860-A/B -> show unp edge-user details
Which Role has been assigned to the user ? __________________________________
- On the ClearPass Policy Manager Access Tracker, find the corresponding RADIUS request and open it :

From the Summary tab, what is the authentication method used ? _____________________________

From the Output tab, expand the RADIUS response. What RADIUS attribute has been sent back to the
switch? _______________________________
With which value ? _________________________________________________________________
- From Client 15 or 16, try to telnet to the 6850-A:

It should fail due to the restricted role assigned to the user.

- Now open a web browser and browse to any IP address. You are redirected to the ClearPass Captive Portal
(skip the warning about SSL).

- On the Login page, enter the following credentials :


User name = [email protected]
Password = password

- On the switch check the user status :


OS6860-A/B -> show unp user
Which UNP Profile is assigned to the user ? __________________________________
Which VLAN ? ___________________________________________________________
- Type now the following commands to get details :
OS6860-A/B -> show unp edge-user details
Which Role has been assigned to the user ? __________________________________
- On the ClearPass Policy Manager Access Tracker, find the corresponding RADIUS request and open it :

From the Summary tab, what is the authentication method used ? _____________________________

From the Output tab, expand the RADIUS response. What RADIUS attribute has been sent back to the
switch? _______________________________
With which value? _________________________________________________________________
- From Client 15 or 16, try to telnet to the 6850-A:

Now it works!
Part No. 060407-00 Rev. B
September 2015

SMB Configuration Guide

enterprise.alcatel-lucent.com
Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other
trademarks used by affiliated companies of ALE Holding, visit: enterprise.alcatel-lucent.com/trademarks.
All other trademarks are the property of their respective owners. The information presented is subject to
change without notice. Neither ALE Holding nor any of its affiliates assumes any responsibility for
inaccuracies contained herein. (July 2015)

Service & Support Contact Information


North America: 800-995-2696
Latin America: 877-919-9526
EMEA: +800 00200100 (Toll Free) or +1(650)385-2193
Asia Pacific: +65 6240 8484
Web: service.esd.alcatel-lucent.com
Email: [email protected]

ii SMB Configuration Guide September 2015


Contents

Chapter 1 SMB Overview and Quick Configuration ............................................................. 1-1


In This Chapter ................................................................................................................1-1
Overview .........................................................................................................................1-2
OmniPCX Office RCE Quick Configuration ..................................................................1-3
OmniSwitch Quick Configuration ..................................................................................1-3
OAW-IAP Quick Configuration .....................................................................................1-4
Upgrade Information .......................................................................................................1-5

Chapter 2 SMB Configuration With OmniPCX Office RCE ................................................... 2-1


In This Chapter ................................................................................................................2-1
OmniPCX Office RCE Setup for OmniSwitch Auto Configuration ..............................2-2
OmniSwitch Auto Configuration through OmniPCX Office RCE .................................2-2
IAP Configuration ...........................................................................................................2-3
Step 1. Power up IAP ...............................................................................................2-3
Step 2. Connecting to instant ....................................................................................2-4
Step 3. Configure IAP ..............................................................................................2-5

Chapter 3 SMB Configuration Without OmniPCX Office RCE ............................................. 3-1


In This Chapter ................................................................................................................3-1
OmniSwitch Configuration .............................................................................................3-2
IAP Configuration ...........................................................................................................3-3
Step 1. Power up IAP ...............................................................................................3-3
Step 2. Connecting to instant SSID ..........................................................................3-5
Step 3. Configuring IAP ...........................................................................................3-6



1 SMB Overview and Quick Configuration

This chapter provides a brief overview of the Alcatel-Lucent Enterprise SMB (small-medium business)
solution along with the steps for quickly configuring the various components. For more detailed
step-by-step instructions refer to the appropriate configuration chapter.

In This Chapter
The information described in this chapter includes:
• “Overview” on page 1-2

• “OmniPCX Office RCE Quick Configuration” on page 1-3

• “OmniSwitch Quick Configuration” on page 1-3

• “OAW-IAP Quick Configuration” on page 1-4

• “Upgrade Information” on page 1-5




Overview
This configuration guide covers how to install the various components of the Alcatel-Lucent Enterprise
SMB (small-medium business) solution. The SMB market can be addressed via two Alcatel-Lucent Enterprise
solutions: one includes an OmniSwitch™ and OmniAccess™ Instant Access Points (IAPs), enabling
high speed wired and wireless (Wi-Fi) LAN access, referred to as the Mobility solution, while the second
includes OmniPCX™ Office RCE, providing IP Telephony, for a complete voice/data/Wi-Fi solution.
This SMB Configuration Guide describes the installation steps based on the following products.
• OmniPCX™ Office RCE
Note: Minimum version R10.2 is required for the OmniPCX Office RCE information described
in this document. See “Upgrade Information” on page 1-5 for information on upgrading to R10.2.
• OmniSwitch OS6450-P24

• OmniSwitch OS6450-P48

• OmniSwitch OS6450-P10

• OmniSwitch OS6450-P10L

• OmniSwitch OS6250-P24

• OmniSwitch OS6450-P24L

• OmniSwitch OS6450-P48L

• OmniSwitch 6350-P24

• OmniSwitch 6350-P48

• OAW-IAP

Chapter 1 provides quick steps to configure these products, Chapter 2 provides a detailed procedure to
configure OmniPCX Office RCE, the OmniSwitch and the OAW-IAP, and Chapter 3 provides a detailed
procedure to configure the OmniSwitch and OAW-IAP when OmniPCX Office RCE is not installed.

For additional solution information please refer to the SMB Solution Sheet.


OmniPCX Office RCE Quick Configuration


If you are using OmniPCX Office RCE version R10.2, no configuration is required: the necessary files are already included as part of the default configuration.
1 The os_conf configuration file contains the following commands and will be used to automatically
configure the OmniSwitch:

system daylight savings time disable
vlan 1 enable name "VLAN 1"
ip service all
ip interface dhcp-client vlan 1 ifindex 1
ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"
aaa authentication default "local"
aaa authentication console "local"
bridge mode flat
qos enable
qos trust ports
qos no phones
swlog console level info
lanpower start 1

2 The os_script script file contains the following command for certifying the configuration:

copy working certified

3 The os_ins.alu instruction file contains the following entries describing the location and file names
needed by the OmniSwitch:

Config filename: os_conf
Config location: /tftpboot
Script filename: os_script
Script location: /tftpboot

OmniSwitch Quick Configuration


Follow the steps below to automatically configure the OmniSwitch:

1 Connect an Ethernet cable between the OmniPCX Office RCE and the OmniSwitch.

2 Connect the AC power cord to the OmniSwitch.

3 The OmniSwitch will boot up and automatically download the configuration files from the OmniPCX
Office RCE. Once the download is complete, the OmniSwitch will reboot again. This process will take
approximately 6 to 8 minutes.

Note. DO NOT INTERRUPT WHEN AUTO CONFIGURATION IS IN PROGRESS.

Note. Repeat these steps for the installation of each OmniSwitch.


OAW-IAP Quick Configuration


1 Connect an Ethernet cable between the IAP and the OmniSwitch, then wait approximately 6 minutes for the IAP to initialize.
2 Using a wireless PC, scan the wireless networks and connect to the instant SSID.

3 Open a web browser to http://instant.alcatel-lucent.com.

4 Log in to the OAW-IAP UI with admin as the username and password.

Note. Alcatel-Lucent recommends that you change the administrator credentials after the initial configuration.

Note. If the country code window is displayed after a successful login, select a country from the list.

5 From the AOS-W Instant UI main window, click New under the Networks section. The New WLAN
window is displayed.
6 In the New WLAN setting tab, enter an SSID name for the network and click Next.

7 In the VLAN tab, select the required Client IP assignment and Client VLAN assignment options and
click Next.
8 In the Security tab, enter a unique passphrase and retype it to confirm and click Next.

9 In the Access tab, ensure that the Unrestricted access control is specified and click Finish.

10 The new network is added and displayed in the Networks window.

Note. After the secure wireless network access is configured, Alcatel-Lucent recommends deleting the
instant SSID to protect from unauthorized wireless access.


Upgrade Information
When upgrading to OmniPCX Office RCE version R10.2:
• The old default configuration files will be replaced with the new default configuration files of R10.2.

• Any customized configuration files will be retained in R10.2.



2 SMB Configuration With OmniPCX Office RCE

This chapter describes the detailed configuration steps to install the SMB solution with the OmniPCX
Office RCE.

In This Chapter
The information described in this chapter includes:
• “OmniPCX Office RCE Setup for OmniSwitch Auto Configuration” on page 2-2

• “OmniSwitch Auto Configuration through OmniPCX Office RCE” on page 2-2

• “IAP Configuration” on page 2-3


OmniPCX Office RCE Setup for OmniSwitch Auto Configuration
If you are using OmniPCX Office RCE version R10.2, no configuration is required: the necessary files are already included as part of the default configuration. See “OmniPCX Office RCE Quick Configuration” on page 1-3 for a description of the files and their contents.

OmniSwitch Auto Configuration through OmniPCX Office RCE
Follow the steps below to auto-configure the OmniSwitch:

1 The OmniSwitch should be in factory default mode with no boot.cfg file.

2 Connect an Ethernet cable between the OmniPCX Office RCE and the OmniSwitch.

OmniPCX Office RCE / OmniSwitch Ethernet Connection

3 Connect the AC power cord to the OmniSwitch.

OmniSwitch AC Power Connection

4 The OmniSwitch will boot up and automatically download the configuration files from the OmniPCX
Office RCE. Once the download is complete, the OmniSwitch will reboot again. This process will take
approximately 6 to 8 minutes.

Note. DO NOT INTERRUPT WHEN AUTO CONFIGURATION IS IN PROGRESS.

Note. Repeat these steps for the installation of each OmniSwitch.


IAP Configuration
The next process in the installation of the SMB solution is the IAP configuration. This section describes the steps to configure the IAP.

Step 1. Power up IAP


1 The IAP should be in factory default mode without any configuration.

2 Connect an Ethernet cable between the IAP and the OmniSwitch, then wait approximately 6 minutes for the IAP to initialize.

OAW-IAP Ethernet Connection

OmniSwitch/IAP Ethernet Connection


3 Wait for all LEDs on the IAP to turn green and blink.

LEDs turned green and blinking

Step 2. Connecting to instant


1 Using a wireless PC, scan the wireless networks and connect to the instant SSID.

Connecting to SSID

2 Open a web browser to http://instant.alcatel-lucent.com.


If you are unable to connect, disable the proxy settings in the browser.

Instant Alcatel-Lucent browser

Step 3. Configure IAP


1 Log in to the AOS-W Instant UI with admin as both the username and the password.

Note. Alcatel-Lucent recommends that you change the administrator credentials after the initial configuration. For more information, see the Management Authentication Settings section in the AOS-W Instant User Guide.

Log in to the AOS-W instant UI


Note. If the country code window is displayed after a successful login, select a country from the list. The
country code window is displayed only when OAW-IAP-ROW (Rest of world) variants are installed. The
country code setting is not applicable to the OAW-IAPs designed for US, Japan, and Israel.

2 To create a secure wireless network access, perform the following steps:

a. From the AOS-W instant UI main window, click New under the Network section. The New
WLAN window is displayed.

New WLAN window


b. In the New WLAN setting tab, enter an SSID name for the network and click Next.

New WLAN setting tab

c. In the VLAN tab, select the required Client IP assignment and Client VLAN assignment
options and click Next.

VLAN setting tab


d. In the Security tab, enter a unique passphrase and retype it to confirm. Click Next.

Security setting tab

e. In the Access tab, ensure that the Unrestricted access control is specified and click Finish.

Access setting tab

f. Try connecting to the new SSID that was just created. Ensure that you have network access before proceeding to the step that deletes the instant SSID.
3 Delete the instant SSID to protect from unauthorized wireless access. Follow the steps below to delete the instant SSID:

a. Select the instant SSID under Networks, click X, and then click Delete Now.

Instant deletion window

Instant deletion confirm window


Note. In a multiple OAW-IAP deployment, the IAPs automatically find each other in the same subnet and form a single functioning network managed by a Virtual Controller. It is recommended to configure a virtual controller IP in a multiple IAP deployment scenario. Refer to the user manual for the configuration procedure.

This completes the IAP configuration with secure wireless access.



3 SMB Configuration Without OmniPCX Office RCE

This chapter describes the detailed configuration steps to configure the SMB solution without an
OmniPCX Office RCE.

In This Chapter
The information described in this chapter includes:
• “OmniSwitch Configuration” on page 3-2

• “IAP Configuration” on page 3-3


OmniSwitch Configuration
To install the SMB solution without an OmniPCX Office RCE the OmniSwitch must be manually configured. To configure the OmniSwitch, follow the steps below:
1 The OmniSwitch should be in the factory default mode with no boot.cfg file.

2 Connect the AC power cord to the OmniSwitch.

OmniSwitch AC Power Connection

3 Connect to the console and log in to the OmniSwitch CLI with admin and switch as the username and
password, respectively.

Console Connection

4 Execute the following commands:

-> system daylight savings time disable
-> vlan 1 enable name "VLAN 1"
-> ip service all
-> ip interface dhcp-client vlan 1 ifindex 1
-> ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"
-> aaa authentication default "local"
-> aaa authentication console "local"
-> bridge mode flat
-> qos enable
-> qos trust ports
-> qos no phones
-> swlog console level info
-> lanpower start 1
-> write memory
-> copy working certified

Note. Repeat these steps for the installation of each OmniSwitch.
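The command list above (the same one the os_conf file carries in chapter 1) is the baseline every SMB switch should end up with. As an added example, not part of this guide or of AOS, the following Python script audits a configuration dump against that baseline and reports lines that are missing, lines the baseline does not contain, and baseline lines that deserve a conscious review (ip service all enables every IP management service). The sample dump, its section headers and the switch name are constructed for the example.

```python
"""Audit an OmniSwitch AOS R6 configuration against the SMB baseline in this guide.

Added example (not part of the guide or of AOS): it compares a configuration
dump, one AOS CLI command per line as in os_conf or a "show configuration
snapshot" listing, with the guide's command list and reports the differences.
"""
import re

# The baseline exactly as the guide lists it (chapter 1 os_conf, chapter 3 step 4).
SMB_BASELINE = """
system daylight savings time disable
vlan 1 enable name "VLAN 1"
ip service all
ip interface dhcp-client vlan 1 ifindex 1
ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"
aaa authentication default "local"
aaa authentication console "local"
bridge mode flat
qos enable
qos trust ports
qos no phones
swlog console level info
lanpower start 1
"""

# Constructed sample dump from a hypothetical switch whose installer deviated
# from the guide; the "! ..." section headers mimic an AOS snapshot listing.
SAMPLE_RUNNING_CONFIG = """
! Chassis:
system name "SMB-SW1"
! VLAN:
vlan 1 enable name "VLAN 1"
! IP:
ip service all
ip interface dhcp-client vlan 1 ifindex 1
ip interface dhcp-client vsi-accept-filter "alcatel.a4400.0"
! AAA:
aaa authentication default "local"
aaa authentication console "local"
aaa authentication telnet "local"
bridge mode flat
! QOS:
qos enable
qos trust ports
lanpower start 1
"""

# Baseline lines a defender should accept consciously rather than copy blindly.
REVIEW_RULES = {
    "ip service all": "enables every IP management service on the switch; "
                      "confirm that only the services actually needed stay enabled",
}

# Operational commands from the guide's step list that are not configuration.
NOT_CONFIG = {"write memory", "copy working certified"}

_PROMPT = re.compile(r"^->\s*")


def parse_config(text):
    """Return the normalised command lines in *text*: blank lines, "! ..."
    headers, a leading "-> " prompt and NOT_CONFIG commands are dropped, and
    runs of whitespace collapse so a typed command equals its dumped form."""
    commands = []
    for raw in text.splitlines():
        line = " ".join(_PROMPT.sub("", raw.strip()).split())
        if not line or line.startswith("!") or line in NOT_CONFIG:
            continue
        commands.append(line)
    return commands


def audit_config(running_text, baseline_text=SMB_BASELINE):
    """Compare a running configuration with the baseline and return
    missing (baseline order), extra (running-config order) and review
    (baseline commands present in both that match a REVIEW_RULES entry)."""
    running = parse_config(running_text)
    baseline = parse_config(baseline_text)
    running_set, baseline_set = set(running), set(baseline)
    return {
        "missing": [c for c in baseline if c not in running_set],
        "extra": [c for c in running if c not in baseline_set],
        "review": [c for c in baseline if c in running_set and c in REVIEW_RULES],
    }


def report(result):
    """Render an audit result as printable text, one finding per line."""
    lines = [f"MISSING : {c}" for c in result["missing"]]
    lines += [f"EXTRA   : {c}" for c in result["extra"]]
    lines += [f"REVIEW  : {c} ({REVIEW_RULES[c]})" for c in result["review"]]
    return "\n".join(lines) if lines else "configuration matches the SMB baseline"


if __name__ == "__main__":
    print(report(audit_config(SAMPLE_RUNNING_CONFIG)))
```

Feed it the switch's own configuration listing (for example the os_conf file, or a snapshot pasted from the CLI with its "-> " prompts left in) to spot a switch that an installer configured by hand and drifted from the baseline.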


IAP Configuration
The next process in the installation of the SMB solution is the IAP configuration. This section describes
the steps to configure the IAP.

Step 1. Power up IAP


1 The IAP should be in factory default mode without any configuration.

2 Connect an Ethernet cable between the IAP and the OmniSwitch, then wait approximately 6 minutes for the IAP to initialize.

OAW-IAP Ethernet Connection

OmniSwitch/IAP Ethernet Connection


3 Wait for all LEDs on the IAP to turn green and blink.

LEDs turned green and blinking


Step 2. Connecting to instant SSID


1 Using a wireless PC, scan the wireless networks and connect to the instant SSID.

Connecting to SSID

2 Open a web browser to http://instant.alcatel-lucent.com.

If you are unable to connect, disable the proxy settings in the browser.

Instant Alcatel-Lucent browser


Step 3. Configuring IAP


1 Log in to the AOS-W Instant UI with admin as both the username and the password.

Note. Alcatel-Lucent recommends that you change the administrator credentials after the initial configuration. For more information, refer to the Management Authentication Settings section in the AOS-W Instant User Guide.

Log in to the AOS-W instant UI

Note. If the country code window is displayed after a successful login, select a country from the list. The
country code window is displayed only when OAW-IAP-ROW (Rest of world) variants are installed. The
country code setting is not applicable to the OAW-IAPs designed for US, Japan, and Israel.


2 To create a secure wireless network access, perform the following steps:

a. From the AOS-W instant UI main window, click New under the Network section. The New
WLAN window is displayed.

New WLAN window

b. In the New WLAN setting tab, enter an SSID name for the network and click Next.

New WLAN setting tab

c. In the VLAN tab, select the required Client IP assignment and Client VLAN assignment options and then click Next.

VLAN setting tab

d. In the Security tab, enter a unique passphrase and retype it to confirm, then click Next.

Security setting tab


e. In the Access tab, ensure that the Unrestricted access control is specified and click Finish.

Access setting tab

f. Try connecting to the new SSID that was just created. Ensure that you have network access before proceeding to the step that deletes the instant SSID.
3 Delete the instant SSID to protect from unauthorized wireless access. Follow the steps below to delete the instant SSID:

a. Select the instant SSID under Networks, click X, and then click Delete Now.

SSID deletion window


Instant deletion confirm window

Note. In a multiple OAW-IAP deployment, the IAPs automatically find each other in the same subnet and form a single functioning network managed by a Virtual Controller. It is recommended to configure a virtual controller IP in a multiple IAP deployment scenario. Refer to the AOS-W user manual for the configuration procedure.

This completes the IAP configuration with secure wireless access.



ALCATEL-LUCENT PROACTIVE LIFECYCLE MANAGEMENT
Alcatel-Lucent ProActive Lifecycle Management provides access to the essential lifecycle
information regarding your Alcatel-Lucent Enterprise Wi-Fi® and LAN switching products with
minimal effort and cost. It allows your IT staff to ensure that your network is up to date and
operating within the best practices. Planning for future network infrastructure budget expenditures
is also simplified as the application provides ample notification through an easily identifiable color
scheme. ProActive Lifecycle Management is a cloud-based application which works in conjunction
with the Alcatel-Lucent OmniVista® 2500 Network Management System (NMS).

BENEFITS
• Time savings — Quickly and easily generate an inventory list of Alcatel-Lucent Enterprise Wi-Fi and LAN switching products on your network. You simply need to log into the portal and export the details from the Device List.
• Risk reduction — You can quickly identify devices which need to have their software upgraded, hardware replaced, or support services renewed. This way, you can ensure that your devices are up to date and the network operation risks are minimized.
• Proactive planning — Ample notification is provided so you can plan for the future at the pace which is best for your business.
• Easy-to-use interface — View the status of your network at a glance from an easily identifiable color scheme. With a couple of mouse clicks you can drill down to obtain details per device.

OVERVIEW
In order to use ProActive Lifecycle Management, Alcatel-Lucent OmniVista® Network Management System (NMS) has to be installed at the customer premises. It polls the Alcatel-Lucent Enterprise Wi-Fi and LAN switching products on your network and securely transmits attributes of the products to the Alcatel-Lucent Enterprise cloud. It correlates the product attributes on your network with information within our Customer Relationship Management (CRM) tools and presents you with the status of your products in terms of software lifecycle, hardware lifecycle, warranty, and support status. The information is presented on a web portal, providing a view of the network as a whole or for individual devices.

You can drill down to obtain additional details including:
• Current maintenance release and the generally available release of the operating system for a given device
• Recommended replacements for end-of-sale product
• Start and end dates for the warranty on devices and support service entitlements purchased on devices

Options are available to download release notes for the product’s operating systems as well as request a quote to your reseller of Alcatel-Lucent Enterprise solutions for replacement products and support service entitlements.

For each view and table within the ProActive Lifecycle Management application you can download the table. This allows you to capture the status of your network at a moment in time and share the information with colleagues in your organization.

During the installation of the OmniVista 2500 NMS you are presented with the option to enable ProActive Lifecycle Management. If you choose not to enable ProActive Lifecycle Management during the installation, you can enable it at a later date. By default, the product attributes are pushed from the OmniVista 2500 NMS every two weeks. In addition, an option is available to manually initiate the transmission of the product attributes to the Alcatel-Lucent Enterprise cloud.
SUPPORTED PRODUCTS AND REQUIREMENTS
The following products are supported in the initial release of ProActive Lifecycle Management.

LAN SWITCHES | AOS SUPPORTED
OmniSwitch 10K | AOS 7.3.4.R01 or greater
OmniSwitch 9000E | AOS 6.4.6.218.R01 or greater
OmniSwitch 6900 | AOS 7.3.4.R01 or greater
OmniSwitch 6860E | AOS 8.1.1.585.R01 or greater
OmniSwitch 6860 | AOS 8.1.1.585.R01 or greater
OmniSwitch 6850E | AOS 6.4.6.218.R01 or greater
OmniSwitch 6850 | AOS 6.4.4.707.R01 or greater
OmniSwitch 6855 | AOS 6.4.6.218.R01 or greater
OmniSwitch 6450 | AOS 6.6.5.R02 or greater
OmniSwitch 6350 | AOS 6.7.1.147.R01 or greater
OmniSwitch 6250 | AOS 6.6.5.R02 or greater

WIRELESS LAN SWITCHES/CONTROLLERS | AOS SUPPORTED
OmniAccess 4005 | AOS-W 6.4.2.6 or greater
OmniAccess 4010 | AOS-W 6.4.2.6 or greater
OmniAccess 4030 | AOS-W 6.4.2.6 or greater
OmniAccess 4504XM | AOS-W 6.4.2.6 or greater
OmniAccess 4604 | AOS-W 6.4.2.6 or greater
OmniAccess 4704 | AOS-W 6.4.2.6 or greater
OmniAccess 4550 | AOS-W 6.4.2.6 or greater
OmniAccess 4650 | AOS-W 6.4.2.6 or greater
OmniAccess 4750 | AOS-W 6.4.2.6 or greater

SUPPORTED BROWSERS
The following is a list of web browsers supported for use when accessing the ProActive Lifecycle Management web portal.
• Firefox: V44 or greater
• Internet Explorer: V9 or greater
• Safari: V9 or greater
• Chrome: V49 or greater

INFORMATION AND REQUESTS
For further information on ProActive Lifecycle Management or support services for Alcatel-Lucent Enterprise Wi-Fi and LAN switching products, please contact your Business Partner or our sales representative. To find a Business Partner, please use Find A Reseller on our website.

enterprise.alcatel-lucent.com
Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other trademarks used by affiliated
companies of ALE Holding, visit: enterprise.alcatel-lucent.com/trademarks. All other trademarks are the property of their respective
owners. The information presented is subject to change without notice. Neither ALE Holding nor any of its affiliates assumes any
responsibility for inaccuracies contained herein. (April 2016)
LGS CODEGUARDIAN TECHNOLOGY IN ALCATEL-LUCENT OMNISWITCH PRODUCTS
SWITCH-LEVEL SOFTWARE INTEGRITY ENHANCES NETWORK SECURITY
We have partnered with LGS Innovations to bring their CodeGuardian™ technology to the Alcatel-
Lucent OmniSwitch® family of products. CodeGuardian™ is a solution that hardens network devices
at the binary software level to enhance overall network security.

The increasing number of malicious network attacks worldwide is causing administrators to reformulate security strategies to protect the integrity of their networks and the data that traverses them.

Together with our partner LGS Innovations, we recognize the importance of switch-level software integrity as a component of the larger network security ecosystem. CodeGuardian is a security evolution for mission critical network enterprise devices. The LGS CodeGuardian™ technology hardens the OmniSwitch software on three levels:
• Independent verification and validation (IV&V) and vulnerability analysis of switch source code
• Software diversification to prevent exploitation
• Secure delivery of software to our customers
• The solution hardens network devices at both the software source code and binary executable level to identify and remove hidden vulnerabilities, so that it can enhance overall network security.
• This three-layer approach not only ensures security, but chain of software custody control as well.

Markets trusting AOS with CodeGuardian:
• Healthcare institutions
• Government agencies
• Information technology organizations
• Military operations
• Academic institutions

Available AOS releases:
• AOS 6.7.1R01 (OmniSwitch 6450)
• AOS 6.6.4R01 (OmniSwitch 6855, OmniSwitch 6850E, OmniSwitch 9000E)
• AOS 8.3.1R01 (OmniSwitch 6860, OmniSwitch 6900, OmniSwitch 9900, OmniSwitch 10K)*

FEATURES
• Offered as a simple 1-year subscription software service with access to any AOS with CodeGuardian™ updates
• Software diversification to prevent software exploitation while maintaining the same software functionality and performance as the standard AOS software
• Five different CodeGuardian™ diversified images available per release to prevent memory map address vulnerabilities
• CodeGuardian™ IV&V and vulnerability analysis addresses external device interfaces
• Secure download server with file integrity checksum to ensure your software images are original and not compromised
• Available on AOS 6.4.6, 6.7.1 and soon 8.3.1*

BENEFITS
• Proactive security approach through operational vulnerability scanning and analysis of switch software reduces the threat potential of back doors, embedded malware and other exploitable vulnerabilities.
• CodeGuardian™ protects networks from intrinsic vulnerabilities, code exploits, embedded malware, and potential back doors that could compromise mission-critical operations.
• CodeGuardian™ promotes a defense-in-depth approach toward network security that continuously defines and implements value-add capabilities to address both current and future threats.

TECHNICAL SPECIFICATIONS
• Addresses potential software threats:
  - Back door threats
  - Embedded malware
  - Exploitable vulnerabilities
  - Exposure of proprietary or classified information
• CodeGuardian™ IV&V and vulnerability analysis addresses external interfaces such as:
  - HTTPS interface
  - Login interface
  - NTP interface
  - Command line interface
  - IP port usage
  - SNMP interface
  - Data packet interface

*Future Release
CODEGUARDIAN SUPPORTED OMNISWITCH RELEASES
CHASSIS | STANDARD AOS RELEASE | AOS CODEGUARDIAN™ RELEASE | LGS AOS CODEGUARDIAN™ RELEASE
OmniSwitch 6450 | AOS 6.7.1R01 | AOS 6.7.1RX1 | AOS 6.7.1.LX1
OmniSwitch 6850E, OmniSwitch 6855, OmniSwitch 9000E | AOS 6.4.6R01 | AOS 6.4.6RX1 | AOS 6.4.6.LX1
OmniSwitch 6860, OmniSwitch 6900, OmniSwitch 9900E, OmniSwitch 10K | AOS 8.3.1R01* | AOS 8.3.1RX1* | AOS 8.3.1LX1*

X = Diversified image 1-5
We will have 5 different diversified images per AOS release (R11 through R51).
Our partner LGS will have 5 different diversified images per AOS release (L11 through L51).

*Future Release

ORDERING INFORMATION
MODEL NUMBER DESCRIPTION
SD1N-OS6450 1YR AOS With CodeGuardian software subscription for all OS6450 models. Includes access to AOS with CodeGuardian
software and updates during the subscription period. One subscription per switch and must be accompanied by a
valid maintenance agreement.
SD1N-OS6850E 1YR AOS With CodeGuardian software subscription for all OS6850E models. Includes access to AOS With
CodeGuardian software and updates during the subscription period. One subscription per switch and must be
accompanied by a valid maintenance agreement.
SD1N-OS6855 1YR AOS With CodeGuardian software subscription for all OS6855 models. Includes access to AOS With CodeGuardian
software and updates during the subscription period. One subscription per switch and must be accompanied by a
valid maintenance agreement.
SD1N-OS9000E 1YR AOS With CodeGuardian software subscription for all OS9000E models. Includes access to AOS With
CodeGuardian software and updates during the subscription period. One subscription per switch and must be
accompanied by a valid maintenance agreement.

Alcatel-Lucent OmniSwitch 6250
STACKABLE FAST ETHERNET LAN SWITCH

The Alcatel-Lucent OmniSwitch™ 6250 is a new value layer-2+ Fast Ethernet stackable LAN family of switches
for both the enterprise and Ethernet access segments. Enterprise models address the small- and medium-sized
enterprise edge and branch office environments, while the metro models address the residential and business
Ethernet access supplied by service providers.

With an optimized design for flexibility and scalability as well as low power consumption, the OmniSwitch 6250 runs the field-proven Alcatel-Lucent Operating System (AOS), providing an outstanding edge solution for highly available, self-protective, easily managed and eco-friendly networks.

The OmniSwitch 6250 family is an evolution of the current Alcatel-Lucent OmniStack™ 6200 Stackable LAN Switch product family, embedding the latest technology and AOS innovations.

Solutions benefiting from the OmniSwitch 6250 family of switches are:
• Edge of small- to medium-sized networks
• Branch office enterprise work groups
• Residential/metro Ethernet triple play applications

OmniSwitch 6250-8M

OmniSwitch 6250-24/P24/24M/24MD

FEATURES AND BENEFITS

Feature: OmniSwitch 6250 switches offer innovative half-rack-wide models for a great variety of switch combination deployments
Benefit: Provides simplified selection with only two enterprise models: Power-over-Ethernet (PoE) and non-PoE
• Reduces sparing and inventory costs
• Allows any combination of PoE and non-PoE, up to 416 ports

Feature: OmniSwitch 6250 switches are highly efficient and optimized in their form factor, power consumption and acoustic output
Benefit: Small form factor and low noise output make the OmniSwitch 6250 ideal for collocation environments. The low power consumption reduces operating expenses and cooling costs, lowering operating expenditures (OPEX), resulting in faster return on investment (ROI).

Feature: Developed to satisfy customers’ requests for a feature-rich, cost-effective, 10/100 stackable switch built on the latest technologies
Benefit: Leads the industry in price/feature-performance ratio and offers customers a cost-efficient network technology upgrade, without the necessity to move to a higher priced, layer-2+ Gigabit solution

Feature: Feature-rich services incorporated in the operating system:
• Integrated security including Access Guardian, 802.1x and captive portal
• Alcatel-Lucent virtual chassis design provides resiliency and 5G performance
• Quality of service (QoS) and static, RIP routing and IPv6
Benefit: Outstanding list of features and performance for supporting scalable, real-time voice, data and video applications for converged networks

Feature: OmniSwitch 6250 switches run the same AOS as the other OmniSwitch products and are fully manageable by Alcatel-Lucent CLI, WebView browser, the OmniVista™ network management system and the Alcatel-Lucent 5620 Service Aware Manager (SAM)
Benefit: Existing AOS customers/users are immediately familiar with the product from day one, reducing their ownership and training costs. New users may choose the method of switch access most beneficial to their needs

Feature: Limited Lifetime Warranty Software and Hardware Support included
Benefit: The lifetime warranty eliminates service program costs and ongoing service renewals, lowering total cost of ownership (TCO) and allowing customers to reach ROI targets more quickly.
Alcatel-Lucent OmniSwitch 6250 models
All models in the OmniSwitch 6250 switch family are stackable, with a half-rack width (21.59 cm/8.5 in.), fixed-configuration
chassis in a 1U form factor. A variety of PoE (enterprise) and non-PoE (enterprise and metro) models are available. They can be
optionally equipped with Alcatel-Lucent-approved small form factor pluggable (SFP) transceivers supporting short, long and
very long distances.

Table 1. OmniSwitch 6250 models available

Enterprise models
Chassis | 10/100 ports | Gigabit combo ports | HDMI stacking ports (2.5 Gb/s) | Power supply supported | Backup power supply supported
Non-PoE model OS6250-24 | 24 | 2 | 2 | Internal AC supply | External AC brick supply
PoE model OS6250-P24 | 24 | 2 | 2 | 225 W, external AC supply | 225 W, external AC supply

The OmniSwitch 6250-P24 supports 30 W per port PoE (complies with both IEEE 802.3af and 802.3at standards).

Metro models
Chassis | 10/100 ports | 10/100/1000 combo ports | SFP uplink (gigabit)/SFP stacking (2.5 Gb/s) | Power supply supported | Backup power supply supported
OS6250-8M | 8 | 2 | 2 | Internal AC supply | N/A
OS6250-24M | 24 | 2 | 2 | Internal AC supply | External AC brick supply
OS6250-24MD | 24 | 2 | 2 | Internal DC supply | External DC supply

OmniSwitch 6250 metro models support additional metro software features outlined later in this document.
• Gigabit combo port supporting RJ45 10/100/1000 and SFP 100/1000
• M model SFP interfaces support only Gigabit SFP transceivers or OmniSwitch 6250 SFP direct stacking cable
Technical specifications

Enterprise models: OS6250-24, OS6250-P24. Metro models: OS6250-8M, OS6250-24M, OS6250-24MD.

PORT | OS6250-24 | OS6250-P24 | OS6250-8M | OS6250-24M | OS6250-24MD
RJ-45 10/100 ports | 24 | 24 | 8 | 24 | 24
RJ-45/SFP 10/100/1000 combo ports | 2 | 2 | 2 | 2 | 2
HDMI stacking ports | 2 | 2 | 0 | 0 | 0
SFP uplink/stacking ports | 0 | 0 | 2 | 2 | 2
PoE ports | 0 | 24 FE or 22 FE + 2 GE | 0 | 0 | 0
Max unit per stack | 8* | 8* | 2 | 2 | 2
* 16 units available in future software release

2 Alcatel-Lucent OmniSwitch 6250 | Data Sheet


DIMENSIONS | OS6250-24 (Enterprise) | OS6250-P24 (Enterprise) | OS6250-8M (Metro) | OS6250-24M (Metro) | OS6250-24MD (Metro)
Switch width | 21.5 cm (8.50 in.) | 21.5 cm (8.50 in.) | 21.5 cm (8.50 in.) | 21.5 cm (8.50 in.) | 21.5 cm (8.50 in.)
Switch height | 4.4 cm (1.73 in.) | 4.4 cm (1.73 in.) | 4.4 cm (1.73 in.) | 4.4 cm (1.73 in.) | 4.4 cm (1.73 in.)
Switch depth (no PS shelf attached) | 29.21 cm (11.5 in.) | 29.21 cm (11.5 in.) | 29.21 cm (11.5 in.) | 29.21 cm (11.5 in.) | 29.21 cm (11.5 in.)
Switch depth (with PS shelf attached) | 47.6 cm (18.88 in.) | 47.6 cm (18.88 in.) | N/A | 47.6 cm (18.88 in.) | 47.6 cm (18.88 in.)
Switch weight (*no PS) | 1.72 kg (3.80 lb) | 1.91 kg (4.20 lb)* | 1.72 kg (3.80 lb) | 1.72 kg (3.80 lb) | 1.72 kg (3.80 lb)
Switch tray weight | 0.61 kg (1.35 lb) | 0.61 kg (1.35 lb) | 0.61 kg (1.35 lb) | 0.61 kg (1.35 lb) | 0.61 kg (1.35 lb)

WIRE-RATE PERFORMANCE | OS6250-24 | OS6250-P24 | OS6250-8M | OS6250-24M | OS6250-24MD
Raw switch capacity (full duplex / aggregated) | 12.4 Gb/s / 24.8 Gb/s | 12.4 Gb/s / 24.8 Gb/s | 10.8 Gb/s / 21.6 Gb/s | 12.4 Gb/s / 24.8 Gb/s | 12.4 Gb/s / 24.8 Gb/s
Throughput without stacking (aggregated) | 13 Mpps @ 8.8 Gb/s | 13 Mpps @ 8.8 Gb/s | 14.3 Mpps @ 9.6 Gb/s | 19 Mpps @ 12.8 Gb/s | 19 Mpps @ 12.8 Gb/s
Throughput with stacking (aggregated) | 28 Mpps @ 18.8 Gb/s | 28 Mpps @ 18.8 Gb/s | 23.2 Mpps @ 15.6 Gb/s | 28 Mpps @ 18.8 Gb/s | 28 Mpps @ 18.8 Gb/s
Stacking capacity (full duplex / aggregated) | 5 Gb/s / 10 Gb/s | 5 Gb/s / 10 Gb/s | 5 Gb/s / 10 Gb/s | 5 Gb/s / 10 Gb/s | 5 Gb/s / 10 Gb/s

OPERATING CONDITIONS | OS6250-24 | OS6250-P24 | OS6250-8M | OS6250-24M | OS6250-24MD
Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F)
Storage temperature | -40°C to +75°C (-40°F to +167°F) | -40°C to +75°C (-40°F to +167°F) | -40°C to +75°C (-40°F to +167°F) | -40°C to +75°C (-40°F to +167°F) | -40°C to +75°C (-40°F to +167°F)
Humidity (operating and storage) | 5% to 95% | 5% to 95% | 5% to 95% | 5% to 95% | 5% to 95%
MTBF (hours) | 268,730 | 189,585 | 290,108 | 268,698 | 268,715
Fanless design | Yes | 1 fan | Yes | Yes | Yes
Acoustic (dB), all fans on* | Silent | <35 dB(A) | Silent | Silent | Silent
System power consumption (watts)** | 17.40 W | 24.90 W | 12.80 W | 16.20 W | 15.89 W
Heat dissipation (BTU)*** | 59 | 85 | 44 | 55 | 54
* Acoustic levels measured with a single power supply at room temperature
** Power consumption of the OmniSwitch 6250 PoE model is tested under fully loaded traffic conditions using a 225 W PoE supply.
*** Power consumption measured under fully loaded traffic conditions

OmniSwitch 6250 backup power supplies and specifications


Backup power supplies for the OmniSwitch 6250-24 and OmniSwitch 6250-24MD models come in the form of a power brick
in either AC or DC variant respectively and may be mounted to the rear of the chassis using the power shelf with securing
brackets. All necessary parts are included in the backup power supply kits.

The OmniSwitch 6250-P24 external 225 W power supply acts as both the primary supply and the redundant supply. The
primary supply/tray combination attaches directly to the rear of the chassis. The redundant supply/tray combination mounts
to the side of the switch and attaches using remote cable.

SPECIFICATION | OS6250-BP | OS6250-BP-D | OS6250-BP-P
Style | Brick | Brick | Framed
Internal/external | External | External | External
Input voltage | 90 V AC to 220 V AC | 36 V DC to 72 V DC | 90 V AC to 220 V AC
Output voltage | 12 V DC | 12 V DC | 12 V DC / 54 V DC
Wattage | 42 W | 30 W | 225 W
PoE power budget | N/A | N/A | 180 W
Weight | 0.21 kg (0.45 lb) | 0.25 kg (0.55 lb) | 1.04 kg (2.30 lb)



Power supply shelf
The power supply shelf holds one brick or PoE style backup power supply and mounts to the rear of the unit. Any backup
power supply and shelf may be mounted in a side-by-side configuration to the switch using the supplied mounting ears.
This feature allows for space-sensitive installations requiring reduced depth (for example, in a wall-mounted cabinet).

Indicators

System LEDs
• System (OK) (chassis HW/SW status)
• PWR (primary power supply status)
• PRI (virtual chassis primary)
• BPS (backup power status)
• STK (stacking indicator for metro models)
• Switch ID via port LED indicates the stack ID of the unit in the stack: 1 to 8

Per-port LEDs
• 10/100/1000: PoE, link/activity
• SFP: link/activity
• Stacking: link/activity

Compliance and certifications

Commercial
EMI/EMC
• FCC CFR Title 47 Subpart B (Class A limits. Note: Class A with UTP cables)
• VCCI (Class A limits. Note: Class A with UTP cables)
• AS/NZS 3548 (Class A limits. Note: Class A with UTP cables)
• CE marking for European countries (Class A. Note: Class A with UTP cables)
• EN 55022: 2006 (Emission Standard)
• EN 61000-3-3:1995
• EN 61000-3-2:2006
• EN 55024: 1998 (Immunity Standards)
¬ EN 61000-4-2:1995 + A1:1998
¬ EN 61000-4-3:1996 + A1:1998
¬ EN 61000-4-4:1995
¬ EN 61000-4-5:1995
¬ EN 61000-4-6:1996
¬ EN 61000-4-8:1994
¬ EN 61000-4-11:1994
• IEEE 802.3: Hi-Pot Test (2250 V DC on all Ethernet ports)

Safety agency certifications
• US UL 60950
• IEC 60950-1:2001; all national deviations
• EN 60950-1:2001; all deviations
• CAN/CSA-C22.2 No. 60950-1-03
• NOM-019 SCFI, Mexico
• AS/NZ TS-001 and 60950:2000, Australia
• UL-AR, Argentina
• UL-GS Mark, Germany
• EN 60825-1 Laser, EN 60825-2 Laser
• CDRH Laser

Detailed product features

Simplified management

Management interfaces
• Intuitive Alcatel-Lucent CLI with familiar interface reducing training costs
• Easy-to-use, point-and-click, web-based element manager (WebView) with built-in help for easy configuration
• Integration with Alcatel-Lucent OmniVista™ Network Management System (NMS)
• Full configuration and reporting using SNMPv1/2/3 across all OmniSwitch families to facilitate third-party NMS integration
• Remote Telnet management or Secure Shell access using SSH
• File upload using TFTP, FTP, SFTP, or SCP for faster configuration
• Human-readable ASCII-based configuration files for off-line editing and bulk configuration
• Managed by Alcatel-Lucent 5620 Service Aware Manager (SAM)*

Monitoring and troubleshooting
• Local (on the flash) and remote server logging: Syslog and command log
• Port-based mirroring for troubleshooting and lawful interception, supports four sessions with multiple sources-to-one destination
• Policy-based mirroring allows selection of the type of traffic to mirror by using QoS policies*
• Remote port mirroring facilitates passing mirrored traffic through the network to a remotely connected device
• Port monitoring feature allows capture of Ethernet packets to a file, or for on-screen display to assist in troubleshooting
• sFlow v5 and RMON for advanced monitoring and reporting capabilities (statistics, history, alarms and events)
• IP tools: ping and traceroute

Network configuration
• Auto-negotiating 10/100/1000 ports automatically configure port speed and duplex setting
• Auto-MDI/MDIX automatically configures transmit and receive signals to support straight-through and crossover cabling
• BOOTP/Dynamic Host Configuration Protocol (DHCP) client allows auto-configuration of switch IP information for simplified deployment
• DHCP relay to forward client requests to a DHCP server
• Alcatel-Lucent Mapping Adjacency Protocol (AMAP) for building topology maps
• IEEE 802.1AB Link Layer Discovery Protocol (LLDP) with MED extensions for automated device discovery
• GARP VLAN Registration Protocol (GVRP) for 802.1Q-compliant VLAN pruning and dynamic VLAN creation
• Auto-QoS for switch management traffic as well as traffic from Alcatel-Lucent IP phones
• Network Time Protocol (NTP) for network-wide time synchronization
• Stackable to eight units (*16 units – check availability)

Resiliency and high availability
• Ring Rapid Spanning Tree Protocol (RRSTP) optimized for ring topology to provide less than 100 ms convergence time
• IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) encompasses IEEE 802.1D Spanning Tree Protocol (STP) and IEEE 802.1w Rapid Spanning Tree Protocol (RSTP)
• Per-VLAN Spanning Tree (PVST) and Alcatel-Lucent 1x1 STP mode
• IEEE 802.3ad Link Aggregation Control Protocol (LACP) and static link aggregation (LAG) groups across modules are supported
• Broadcast and multicast storm control to avoid degradation in overall system performance
• Uni-Directional Link Detection (UDLD) detects and disables unidirectional links on fiber optic interfaces
• Redundant and hot-swappable power supplies, transceivers and modules offering uninterruptable service
• Dual-image and dual-configuration file storage provides backup

Advanced security

Access control
• AOS Access Guardian framework for comprehensive user-policy-based Network Access Control (NAC)*
• Auto-sensing 802.1X multi-client, multi-VLAN
• MAC-based authentication for non-802.1x hosts
• Web-based authentication (captive portal): a customizable web portal residing on the switch that can be used for authenticating supplicants as well as non-supplicants
• Group mobility rules and “guest” VLAN support
• The host integrity check (HIC) agent on each switch makes it an HIC enforcer and facilitates endpoint device control for company policy compliance; quarantine and remediation are supported as required.*
• User Network Profile (UNP) simplifies NAC management and control by dynamically providing pre-defined policy configuration to authenticated clients: VLAN, ACL, BW, HIC
• SSH for secure CLI session with PKI support
• Centralized RADIUS and LDAP user authentication

* Future support – contact for availability



Containment, monitoring and quarantine
• Support for Alcatel-Lucent OmniVista 2500 NMS Quarantine Manager and quarantine VLAN*
• Learned Port Security (LPS) or MAC address lockdown secures network access on user or trunk ports based on MAC address
• DHCP Snooping, DHCP IP Spoof protection
• TACACS+ client allows for authentication, authorization and accounting with a remote TACACS+ server
• Dynamic Address Resolution Protocol (ARP) protection and ARP poisoning detection
• Access control lists (ACLs) to filter out unwanted traffic including denial of service attacks; flow-based filtering in hardware (L1-L4)
• Bridge Protocol Data Unit (BPDU) blocking automatically shuts down user ports if an STP BPDU packet is seen to prevent topology loops
• STP Root Guard prevents edge devices from becoming STP root node

Converged networks

PoE
• The PoE models support Alcatel-Lucent IP phones and WLAN access points, as well as any IEEE 802.3af or IEEE 802.3at compliant end device.
• Configurable per-port PoE priority and max power for power allocation
• Dynamic PoE allocation delivers only the power needed by the device up to the total power budget for the most efficient power consumption.

QoS
• Priority queues: Eight hardware-based queues per port for flexible QoS management
• Traffic prioritization: Flow-based QoS with internal and external (re-marking) prioritization
• Bandwidth management: flow (policy) based and port based bandwidth management for both ingress rate limiting and/or egress rate shaping
• Queue management: Configurable scheduling algorithm – Strict Priority, Weighted Round Robin (WRR) and Deficit Round Robin (DRR)
• Congestion avoidance: Support for End-to-End Head-of-Line (E2E-HOL) Blocking Protection
• Auto-QoS for switch management traffic as well as traffic from Alcatel-Lucent IP phones
• Three-color marker – Single/Dual Rate – policing with Commit BW, Excess BW, Burst Size

Layer-2, layer-3 routing and multicast

Layer-2 switching
• Up to 16,000 MACs
• Up to 4000 VLANs
• Up to 2000 ACLs
• Latency: <4 µseconds

IPv4 and IPv6
• Static routing for IPv4 and IPv6
• RIP v1 and v2 for IPv4, RIPng for IPv6
• Up to 256 IPv4/128 IPv6 static and RIP routes
• Up to 128 IPv4 and 16 IPv6 interfaces

Multicast
• IGMPv1/v2/v3 snooping to optimize multicast traffic
• MLD snooping
• Up to 1000 multicast groups/stack
• IP Multicast VLAN (IPMVLAN) for optimized multicast replication at the edge, saving network core resources

Network protocols
• DHCP relay (including generic User Datagram Protocol (UDP) relay)
• ARP
• DHCP relay to forward client requests to a DHCP server
• Generic UDP relay per VLAN
• DHCP Option 82 – configurable relay agent information

Metro Ethernet access (software features available on the M models)
• Ethernet services support per IEEE 802.1ad Provider Bridge
¬ Transparent LAN Services with Service VLAN (SVLAN) and Customer VLAN (CVLAN) concept
¬ Ethernet network-to-network interface (NNI) and user-network interface (UNI) services
¬ Service Access Point (SAP) profile identification
¬ CVLAN to SVLAN translation and mapping
• ITU-T Y.1731 and IEEE 802.1ag (v8.1) Ethernet operations administration and maintenance (OA&M): Connectivity Fault Management and performance measurements (layer-2 ping and link trace)
• IEEE 802.3ah Ethernet in the First Mile (EFM) for link monitoring, remote fault detection, and loopback control (layer-1 ping)
• UDLD: detects and disables unidirectional links on fiber optic interfaces
• ITU-T G.8032 Ethernet Ring Protection designed for loop protection and fast convergence times (sub 50 ms) in ring topologies
• Private VLAN feature for user traffic segregation
• Port loopback detection for preventing customer loops on Ethernet access ports
• DHCP Option 82 – configurable relay agent information
• IPMVLAN for optimized multicast replication at the edge, saving network core resources
• Three-color marker – Single/Dual Rate – policing with Commit BW, Excess BW, Burst Size
• Layer 2 Protocol Tunneling (L2PT) support with ability to define tunnel destination MAC address for maximum vendor compatibility
• Embedded 2544 customer premise equipment (CPE) test head feature for validating a customer’s provisioned bandwidth and UNI profile settings from CPE to CPE
• Service Assurance Agent (SAA) for SLA compliance validation including: L2, IP, ETH-LB and ETH-DMM
• Zero touch auto configuration of switch over specified management VLAN using DHCP services
• MEF 9 and 14 certified
• Managed by Alcatel-Lucent 5620 SAM

Supported standards

IEEE standards
• IEEE 802.1D (STP)
• IEEE 802.1p (CoS)
• IEEE 802.1Q (VLANs)
• IEEE 802.1ad (Provider Bridge) Q-in-Q (VLAN stacking)
• IEEE 802.1ag (Connectivity Fault Management)
• IEEE 802.1s (MSTP)
• IEEE 802.1w (RSTP)
• IEEE 802.1X (Port-based Network Access Control)
• IEEE 802.3i (10Base-T)
• IEEE 802.3u (Fast Ethernet)
• IEEE 802.3x (Flow Control)
• IEEE 802.3z (Gigabit Ethernet)
• IEEE 802.3ab (1000Base-T)
• IEEE 802.3ac (VLAN Tagging)
• IEEE 802.3ad (Link Aggregation)
• IEEE 802.3af (Power-over-Ethernet)
• IEEE 802.3at (Power-over-Ethernet)
• IEEE 802.3ah (Ethernet First Mile)

ITU-T standards
• ITU-T G.8032: Draft (June 2007) Ethernet Ring Protection

IETF standards

IPv4
• RFC 2003 IP/IP tunneling
• RFC 2784 GRE tunneling

RIP
• RFC 1058 RIP v1
• RFC 1722/1723/2453/1724 RIP v2 and MIB
• RFC 1812/2644 IPv4 Router Requirement
• RFC 2080 RIPng for IPv6

IP Multicast
• RFC 1112 IGMP v1
• RFC 2236/2933 IGMP v2 and MIB
• RFC 2365 Multicast
• RFC 3376 IGMPv3

IPv6
• RFC 1886 DNS for IPv6
• RFC 2292/2373/2374/2460/2462
• RFC 2461 NDP
• RFC 2463/2466 ICMP v6 and MIB
• RFC 2452/2454 IPv6 TCP/UDP MIB
• RFC 2464/2553/2893/3493/3513
• RFC 3056 IPv6 Tunneling
• RFC 3542/3587 IPv6
• RFC 4007 IPv6 Scoped Address Architecture
• RFC 4193 Unique Local IPv6 Unicast Addresses

* Future support – contact for availability
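The containment bullets above (DHCP Snooping, DHCP IP Spoof protection, dynamic ARP protection and ARP poisoning detection) are one mechanism seen from three sides: the switch trusts DHCP server messages only on designated uplink ports, records each lease it forwards as a MAC/IP/VLAN/port binding, and then drops ARP and IP traffic from untrusted ports whose sender does not match a binding. The model below is an added example written for this page, not OmniSwitch/AOS code and not a description of how AOS implements it internally; the port names, the trusted-port set and every frame in the trace are constructed.

```python
"""Access-switch model of DHCP snooping, DHCP server-spoof protection and
dynamic ARP inspection (DAI).

Added example, not OmniSwitch/AOS code. Port names, the trusted-port set
and every frame below are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    trusted: frozenset                      # ports facing the legitimate DHCP server
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> Binding
    pending: dict = field(default_factory=dict)    # (vlan, client_mac) -> client port
    log: list = field(default_factory=list)

    def _drop(self, reason):
        self.log.append("DROP " + reason)
        return False

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP snooping: server-to-client messages are accepted only on trusted
        ports; an ACK turns into a binding tied to the port the client asked on."""
        if msg in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted:
                return self._drop(f"DHCP {msg} from untrusted port {port} (rogue server)")
            if msg == "ACK" and yiaddr:
                client_port = self.pending.pop((vlan, client_mac), None)
                if client_port is not None:
                    self.bindings[(vlan, yiaddr)] = Binding(client_mac, yiaddr, vlan, client_port)
            return True
        if port not in self.trusted:        # DISCOVER/REQUEST: remember the client's port
            self.pending[(vlan, client_mac)] = port
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP inspection: on untrusted ports the sender MAC/IP pair must
        match a binding learned on that same port; anything else is a poisoning attempt."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac != sender_mac or b.port != port:
            return self._drop(f"ARP {sender_ip} is-at {sender_mac} on {port}: no matching binding")
        return True

    def ip(self, port, vlan, src_mac, src_ip):
        """DHCP IP spoof protection: the same binding check applied to data traffic."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, src_ip))
        if b is None or b.mac != src_mac or b.port != port:
            return self._drop(f"IP {src_ip} from {src_mac} on {port}: not the bound host")
        return True


def run_demo():
    """Feed a constructed frame sequence through the model; return the per-frame
    forwarding decisions and the switch state for inspection."""
    sw = SnoopingSwitch(trusted=frozenset({"1/25"}))  # 1/25 is the assumed uplink
    victim, attacker = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    frames = [
        ("dhcp", "1/3", 10, "DISCOVER", victim, None),
        ("dhcp", "1/25", 10, "OFFER", victim, "10.0.10.5"),
        ("dhcp", "1/3", 10, "REQUEST", victim, None),
        ("dhcp", "1/25", 10, "ACK", victim, "10.0.10.5"),     # legitimate lease -> binding
        ("dhcp", "1/7", 10, "OFFER", victim, "10.0.10.99"),   # rogue DHCP server on 1/7
        ("arp", "1/3", 10, victim, "10.0.10.5"),              # victim's own ARP reply
        ("arp", "1/7", 10, attacker, "10.0.10.5"),            # attacker claims victim's IP
        ("arp", "1/7", 10, attacker, "10.0.10.1"),            # attacker claims the gateway
        ("ip", "1/7", 10, attacker, "10.0.10.5"),             # spoofed source IP
        ("ip", "1/3", 10, victim, "10.0.10.5"),
    ]
    decisions = []
    for kind, port, vlan, *rest in frames:
        if kind == "dhcp":
            decisions.append(sw.dhcp(port, vlan, *rest))
        elif kind == "arp":
            decisions.append(sw.arp(port, vlan, *rest))
        else:
            decisions.append(sw.ip(port, vlan, *rest))
    return decisions, sw


if __name__ == "__main__":
    decisions, sw = run_demo()
    print(decisions)
    print(*sw.log, sep="\n")
```

Two consequences worth noting when deploying the real feature: the binding table is the single source of truth, so a statically addressed host on an untrusted port is dropped until a static binding is configured for it; and the gateway's ARP replies arrive on the trusted uplink and are never inspected, which is exactly why an attacker on an access port cannot impersonate it.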

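The QoS and Metro Ethernet lists above both name a "Three-color marker – Single/Dual Rate – policing with Commit BW, Excess BW, Burst Size". The bucket arithmetic behind those terms is standardised in RFC 2697 (single-rate, srTCM) and RFC 2698 (two-rate, trTCM), and it is what decides whether a burst from an access port is forwarded, re-marked or dropped. The block below is an added example, not AOS code and not a statement about the chip-level implementation; the rates, bucket sizes and packet traces are constructed so the numbers can be followed by hand, and both markers run in colour-blind mode.

```python
"""Software model of the single-rate (RFC 2697) and two-rate (RFC 2698)
three-color markers. Added example, not OmniSwitch/AOS code; the rates,
bucket sizes and packet traces are constructed. Sizes are bytes, rates
bytes per second, times seconds."""
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTCM:
    """srTCM: one rate (CIR), two buckets. C holds the committed burst (CBS);
    tokens that would overflow C spill into E, the excess burst (EBS)."""
    cir: float
    cbs: int
    ebs: int

    def __post_init__(self):
        self.tc, self.te, self.last = float(self.cbs), float(self.ebs), 0.0

    def mark(self, now, size):
        tokens = (now - self.last) * self.cir
        self.last = now
        room = self.cbs - self.tc
        if tokens <= room:
            self.tc += tokens
        else:                               # C is full; the remainder goes to E
            self.tc = float(self.cbs)
            self.te = min(float(self.ebs), self.te + tokens - room)
        if self.tc >= size:                 # within the committed burst
            self.tc -= size
            return GREEN
        if self.te >= size:                 # within the excess burst
            self.te -= size
            return YELLOW
        return RED                          # exceeds both: policed (dropped)


@dataclass
class TrTCM:
    """trTCM: two rates. P refills at the peak rate (PIR) up to PBS and C at the
    committed rate (CIR) up to CBS; the two buckets are independent."""
    cir: float
    cbs: int
    pir: float
    pbs: int

    def __post_init__(self):
        self.tc, self.tp, self.last = float(self.cbs), float(self.pbs), 0.0

    def mark(self, now, size):
        dt = now - self.last
        self.last = now
        self.tc = min(float(self.cbs), self.tc + dt * self.cir)
        self.tp = min(float(self.pbs), self.tp + dt * self.pir)
        if self.tp < size:                  # above the peak rate
            return RED
        self.tp -= size
        if self.tc < size:                  # between committed and peak rate
            return YELLOW
        self.tc -= size
        return GREEN


def police(marker, trace):
    """Run a (time, size) trace through a marker; return one colour per packet."""
    return [marker.mark(t, size) for t, size in trace]


# Constructed traces: a 3500-byte burst at t=0, then packets after the buckets refill.
SR_TRACE = [(0.0, 500)] * 7 + [(2.0, 500), (2.0, 1200), (2.0, 400)]
TR_TRACE = [(0.0, 500)] * 5 + [(1.0, 1500)]


def run_demo():
    sr = police(SrTCM(cir=1000, cbs=1500, ebs=1500), SR_TRACE)
    tr = police(TrTCM(cir=1000, cbs=1000, pir=2000, pbs=2000), TR_TRACE)
    return sr, tr


if __name__ == "__main__":
    for name, colours in zip(("srTCM", "trTCM"), run_demo()):
        print(name, colours)
```

In the srTCM trace the 3500-byte burst at t=0 is 1500 bytes green (CBS), 1500 bytes yellow (EBS) and the seventh packet red; after two seconds the 2000 refilled tokens restore C completely and leave 500 in E, so a 1200-byte packet that fits neither bucket is red even though smaller packets around it are green. In the trTCM trace the 1500-byte packet after refill is within PIR but above CIR, hence yellow: the colour a policy then maps to a drop or a DSCP re-mark.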


Manageability
• RFC 1350 TFTP Protocol
• RFC 854/855 Telnet and Telnet Options
• RFC 1155/2578-2580 SMI v1 and SMI v2
• RFC 1157/2271 SNMP
• RFC 1212/2737 MIB and MIB-II
• RFC 1213/2011-2013 SNMP v2 MIB
• RFC 1215 Convention for SNMP Traps
• RFC 1573/2233/2863 Private Interface MIB
• RFC 1643/2665 Ethernet MIB
• RFC 1901-1908/3416-3418 SNMP v2c
• RFC 2096 IP MIB
• RFC 2570-2576/3411-3415 SNMP v3
• RFC 3414 User-based Security Model
• RFC 2616/2854 HTTP and HTML
• RFC 2667 IP Tunneling MIB
• RFC 2668/3636 IEEE 802.3 MAU MIB
• RFC 2674 VLAN MIB
• RFC 4251 Secure Shell Protocol Architecture
• RFC 4252 The Secure Shell (SSH) Authentication Protocol
• RFC 959/2640 FTP

Security
• RFC 1321 MD5
• RFC 2104 HMAC Message Authentication
• RFC 2138/2865/2868/3575/2618 RADIUS Authentication and Client MIB
• RFC 2139/2866/2867/2620 RADIUS Accounting and Client MIB
• RFC 2228 FTP Security Extensions
• RFC 2284 PPP EAP
• RFC 2869/2869bis RADIUS Extension

Quality of service
• RFC 896 Congestion Control
• RFC 1122 Internet Hosts
• RFC 2474/2475/2597/3168/3246 DiffServ
• RFC 3635 Pause Control

Others
• RFC 791/894/1024/1349 IP and IP/Ethernet
• RFC 792 ICMP
• RFC 768 UDP
• RFC 793/1156 TCP/IP and MIB
• RFC 826/903 ARP and Reverse ARP
• RFC 919/922 Broadcasting Internet Datagram
• RFC 925/1027 Multi LAN ARP/Proxy ARP
• RFC 950 Sub-netting
• RFC 951 BOOTP
• RFC 1151 RDP
• RFC 1191 Path MTU Discovery
• RFC 1256 ICMP Router Discovery
• RFC 1305/2030 NTP v3 and Simple NTP
• RFC 1493 Bridge MIB
• RFC 1518/1519 CIDR
• RFC 1541/1542/2131/3396/3442 DHCP
• RFC 1757/2819 RMON and MIB
• RFC 2131/3046 DHCP/BOOTP Relay
• RFC 2132 DHCP Options
• RFC 2251 LDAP v3
• RFC 3060 Policy Core
• RFC 3176 sFlow
• RFC 3021 Using 31-bit prefixes

OmniSwitch 6250 ordering information

PART NUMBER | DESCRIPTION

OS6250-8M | OS6250-8M Fast Ethernet chassis with AOS Metro software. Chassis provides 8 RJ-45 ports configurable to 10/100Base-T, 2 SFP/RJ-45 combo ports configurable to be 10/100/1000Base-T or 100/1000Base-X and 2 SFP fiber ports configurable to be 1G uplinks or 2.5G stacking ports in a 1U by half-rack form factor with internal AC power supply.
OS6250-24M, OS6250-24MD | OS6250-24M Fast Ethernet chassis with AOS Metro software. Chassis provides 24 RJ-45 ports configurable to 10/100Base-T, 2 RJ-45/SFP combo ports configurable to be 10/100/1000Base-T or 100/1000Base-X and 2 SFP fiber ports configurable to be 1G uplinks or 2.5G stacking ports in a 1U by half-rack form factor with internal AC or DC power supply respectively.
OS6250-24 | OS6250-24 Fast Ethernet chassis with AOS Enterprise software. Chassis includes 24 RJ-45 ports configurable to 10/100Base-T, 2 RJ-45/SFP combo ports configurable to be 10/100/1000Base-T or 100/1000Base-X and 2 dedicated 2.5G HDMI stacking ports. Ethernet SFP optical transceivers, HDMI stacking cables and backup power supply can be ordered separately.
OS6250-P24 | OS6250-P24 Fast Ethernet chassis with AOS Enterprise software. Chassis includes 24 PoE RJ-45 ports configurable to 10/100Base-T, 2 SFP/PoE RJ-45 combo ports configurable to be 10/100/1000Base-T or 100/1000Base-X and 2 dedicated 2.5G HDMI stacking ports in a 1U by half-rack form factor with external AC PoE supply. Includes 225 W AC PoE supply and power shelf.
BOS6250-48 | Two OS6250-24 units with AOS Enterprise software bundled for side-by-side mounting in a 19-in. by 1U rack space providing a total of 48 Fast Ethernet and 4 RJ-45/SFP combo ports.
BOS6250-P48 | Two OS6250-P24 units with AOS Enterprise software bundled for side-by-side mounting within a 19-in. by 1U rack space for a total of 48 PoE Fast Ethernet ports and 4 PoE RJ-45/SFP combo ports. Includes two 225 W supplies and power shelves.

Ethernet SFP optical transceivers and SFP direct connect stacking cable can be ordered separately.
The above bundles include country-specific power cords, user manual access cards, software download access cards, RJ-45 to DB-9 adapters and hardware for mounting the unit side by side with another OmniSwitch 6250 in a 19-in. rack.
Order the mounting tray kit (OS6250-RM-19) for single-mounting the unit in a 19-in. rack.



OmniSwitch 6250 ordering information (continued)

PART NUMBER | DESCRIPTION

POWER SUPPLIES
OS6250-BP | OS6250-BP 40 W power brick AC backup power supply. Provides backup power to one non-PoE switch. Ships with country-specific power cord, backup power supply tray and securing brackets.
OS6250-BP-P | OS6250-BP-P 225 W AC PoE backup power supply. Provides backup power to one PoE switch. Ships with country-specific power cord and backup power supply tray.
OS6250-BP-D | OS6250-BP-D 30 W DC power brick backup power supply. Provides backup DC power to one non-PoE switch. Ships with chassis connection cable, backup power supply tray and securing brackets.

CABLES AND MOUNTING
OS6250-CBL-30 | OS6250 30-cm long HDMI stacking cable
OS6250-CBL-60 | OS6250 60-cm long HDMI stacking cable
OS6250-CBL-150 | OS6250 150-cm long HDMI stacking cable
OS6250M-CBL-30 | OS6250M 30-cm long SFP direct stacking cable
OS6250M-CBL-60 | OS6250M 60-cm long SFP direct stacking cable
OS6250M-CBL-150 | OS6250M 150-cm long SFP direct stacking cable
OS6250-RM-19 | Tray kit for mounting one OmniSwitch 6250 in a 19-in. rack
OS6250-DUAL-MNT | Two mounting and sliding brackets replacement kit. Hardware to mount two 6250 units in a 19-in. rack

GIGABIT TRANSCEIVERS
SFP-GIG-LH70 | 1000Base-LH transceiver with an LC interface for single-mode fiber over 1550 nm wavelength. Typical reach of 70 km
SFP-GIG-LH40 | 1000Base-LH transceiver with an LC interface for single-mode fiber over 1310 nm wavelength. Typical reach of 40 km
SFP-GIG-LX | 1000Base-LX transceiver with an LC interface for single-mode fiber over 1310 nm wavelength. Typical reach of 10 km
SFP-GIG-SX | 1000Base-SX transceiver with an LC interface for multimode fiber over 850 nm wavelength. Typical reach of 300 m
SFP-GIG-BX-D | 1000Base-BX bidirectional transceiver with an LC-type interface for use over single-mode fiber on a single strand link up to 10 km point-to-point. Transmits 1490 nm and receives 1310 nm optical signal
SFP-GIG-BX-U | 1000Base-BX bidirectional transceiver with an LC-type interface for use over single-mode fiber on a single strand link up to 10 km point-to-point. Transmits 1310 nm and receives 1490 nm optical signal

100 MEGABIT TRANSCEIVERS
SFP-100-MM | 100Base-FX transceiver with an LC interface for multimode fiber optic cable
SFP-100-SM15 | 100Base-FX transceiver with an LC-type interface for single-mode fiber optic cable up to 15 km
SFP-100-SM40 | 100Base-FX transceiver with an LC-type interface for single-mode fiber optic cable up to 40 km
SFP-100-BX-U | 100Base-BX bidirectional transceiver with an SC-type interface for use over single-mode fiber on a single strand link up to 20 km point-to-point, where the client (ONU) transmits 1310 nm and receives 1550 nm optical signal
SFP-100-BX-D | 100Base-BX bidirectional transceiver with an SC-type interface for use over single-mode fiber on a single strand link up to 20 km point-to-point, where the client (OLT) transmits 1550 nm and receives 1310 nm optical signal



Service and support
Warranty information – OmniSwitch 6250 Lifetime Support
Alcatel-Lucent includes a Limited Lifetime Warranty with the purchase of your OmniSwitch 6250 product. This program covers
both the OmniSwitch 6250 hardware and related Alcatel-Lucent Operating System (AOS) software.

Hardware Limited Lifetime Warranty (LLW) Support


This hardware warranty support service concerns Alcatel-Lucent OmniStack and OmniSwitch 6XXX series. (Refer to the
worldwide price list [WPL] for information on availability.) Limited to the original owner and/or registered end user, this
service is provided for up to 5 years after the product’s End-of-Sales announcement.

Replacement parts (refurbished product) will be shipped within 5 business days of receipt of the order.

Note: the Hardware Limited Lifetime Warranty covers only replacement of the switch hardware and does not cover transceivers.

Software Limited Lifetime Support


This service applies to the Alcatel-Lucent OmniSwitch 6250 series. Limited to the original product owner and/or registered end
user, this Advanced Replacement (AVR) service will be provided for up to 2 years after the product’s End-of-Sales announcement.

This service includes:


• Technical support with Alcatel-Lucent Switch Certified personnel
• Web and phone access to support services
• Remote diagnostics
• Operating system software maintenance, minor and major releases

For more information about the Alcatel-Lucent OmniSwitch 6250 warranty, service and support programs, please visit:
www.alcatel-lucent.com/support

www.alcatel-lucent.com

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2010 Alcatel-Lucent. All rights reserved. EPG3310091209 (02)
ALCATEL-LUCENT OMNISWITCH 6350 GIGABIT ETHERNET LAN SWITCH FAMILY
The Alcatel-Lucent OmniSwitch® 6350 family is a series of fixed-configuration Gigabit Ethernet
switches available as 24- to 48-port, Power-over-Ethernet (PoE) and non-PoE models to create
the exact network for your small business.

The network capabilities of the OmniSwitch 6350 family include advanced security, quality
of service and high availability features for your business-class data, voice and wireless
technologies. These switches are simple to deploy, configure and manage.

All OmniSwitch 6350 switches use the field-proven Alcatel-Lucent Operating System (AOS) to deliver highly available, secure, self-protective, easily managed, and eco-friendly networks.

[Product images: OmniSwitch 6350-24, OmniSwitch 6350-P24, OmniSwitch 6350-48, OmniSwitch 6350-P48]

The OmniSwitch 6350 family is embedded with the latest technology innovations and offers maximum investment protection.

The following type of deployments benefit from the OmniSwitch 6350 family:
• Small business network solutions

BENEFITS
• Meets all customer configuration needs and offers excellent investment protection and flexibility with easy deployment, operation and maintenance
• Provides outstanding performance when supporting real-time voice, data and video applications for converged scalable networks
• Ensures efficient power management, reduces operating expenses (OPEX) and lowers total cost of ownership (TCO) through low power consumption and dynamic PoE allocation, which delivers only the power needed by the attached device
• Field-upgradeable solution makes the network highly available and reduces OPEX
• Comprehensive security features for your small business network or campus edge at no additional cost
• Supports cost-effective installation and deployment with automated switch setup and configuration

FEATURES
• 24-port and 48-port, PoE and non-PoE models, with four fixed small form-factor pluggable (SFP) Gigabit uplink interfaces
• Provides up to 48 ports of PoE connectivity for simplified IP phones, wireless and IP surveillance deployments over a single Ethernet cable. All 6350 models are IEEE 802.3af as well as IEEE 802.3at PoE compliant
• Provides native IPv4 and IPv6 support for routing, Access Control Lists (ACLs) and Dynamic Host Configuration Protocol (DHCP) relay
• Advanced IPv6 threat protection (DHCP snooping, router advertisement protection and source address filter protection) providing protection against a wide range of address spoofing attacks
• Simplified Voice over IP (VoIP) deployments using the advanced Auto-Quality of Service (Auto-QoS) feature that configures the IP telephony devices into the proper virtual LAN (VLAN) with the correct QoS parameters to prioritize voice traffic
• Triple-speed (10/100/1000) user interfaces and fiber interfaces (SFPs) supporting 1000Base-X optical transceivers
• Wire-rate switching and routing performance
• High availability redundant uplinks, hot-swappable SFPs, dual-image and configuration file support

MANAGEMENT
• AOS field-proven software managed through a web interface (WebView), command line interface (CLI), and Simple Network Management Protocol (SNMP)
• Supported by Alcatel-Lucent OmniVista® 2500 Network Management System (NMS)*

SECURITY
• Flexible device and user authentication with Alcatel-Lucent Access Guardian (IEEE 802.1x/MAC)
• Advanced QoS and ACLs for traffic control, including an embedded denial of service (DoS) engine to filter out unwanted traffic attacks
• Protection of management sessions using RADIUS, Terminal Access Controller Access-Control System Plus (TACACS+) and local database authentication as well as secure management sessions over Secure Sockets Layer (SSL), Secure Shell (SSH), and Simple Network Management Protocol version 3 (SNMPv3)
• Extensive support for user-oriented features, such as learned port security (LPS), port mapping, DHCP binding tables, and User Network Profile (UNP)

PERFORMANCE AND REDUNDANCY
• Advanced layer-2+ features with basic layer-3 routing for both IPv4 and IPv6

CONVERGENCE
• Enhanced VoIP and video performance with policy-based QoS
• Support for multimedia applications with wire-rate multicast to help you prepare for the future
• IEEE 802.3at PoE+ support for IP phones, wireless LAN (WLAN) access points and video cameras

OMNISWITCH 6350 24- AND 48-PORT MODELS

All models ship with four fixed SFP ports that operate at 1 Gb/s. All PoE and non-PoE models have a full-rack width, power-optimized, fixed-configuration chassis in a 1U form factor.

CHASSIS | 10/100/1000 RJ45 PORTS | SFP GIGABIT UPLINK PORTS | PRIMARY POWER | BACKUP POWER

Non-PoE models
OS6350-24 | 24 | 4 | Internal AC | N/A
OS6350-48 | 48 | 4 | Internal AC | N/A

PoE models
OS6350-P24 | 24 | 4 | Internal AC | N/A
OS6350-P48 | 48 | 4 | Internal AC | N/A

DETAILED PRODUCT FEATURES

Management

Configuration management interfaces
• Intuitive CLI with a familiar interface, reducing training costs
• Easy-to-use, point-and-click web-based element manager (WebView) with built-in help for easy configuration
• Integration with Alcatel-Lucent OmniVista 2500 for network management*
• Full configuration and reporting using SNMPv1/2/3 across all OmniSwitch families to facilitate third-party NMS integration
• Remote Telnet management or Secure Shell access using SSHv2
• File upload using USB, TFTP, FTP, SFTP, or SCP for faster configuration
• Human-readable ASCII-based configuration files for offline editing and bulk configuration

Monitoring and troubleshooting
• Local (on the Flash) and remote server logging: Syslog and command log
• Port-based mirroring for troubleshooting and lawful interception supports four sessions with multiple sources-to-one destination
• Policy-based mirroring that allows selecting the type of traffic to mirror using QoS policies
• Remote port mirroring that facilitates passing mirrored traffic through the network to a remotely connected device
• Port monitoring feature that allows capturing Ethernet packets to a file, or to an on-screen display to assist in troubleshooting
• sFlow v5 and Remote Network Monitoring (RMON) for advanced monitoring and reporting capabilities for statistics, history, alarms and events
• IP tools: Ping and trace route
• Digital Diagnostic Monitoring (DDM): Real-time diagnostics of fiber connections for early detection of optical signal deterioration
• Time Domain Reflectometry (TDR) for locating breaks or other discontinuity in copper cables

Network configuration
• Remote auto-configuration download
• Auto-negotiating: 10/100/1000 ports automatically configure port speed and duplex setting
• Automatic medium-dependent interface / medium-dependent interface crossover (Auto-MDI/MDI-X) configuring to transmit and receive signals to support straight-through and crossover cabling

*Future OmniVista development

ALCATEL-LUCENT OMNISWITCH 6350 | ALCATEL-LUCENT ENTERPRISE DATA SHEET
• Bootstrap protocol (BOOTP)/DHCP client that allows auto-configuring switch IP information for simplified deployment
• DHCP relay for forwarding client requests to a DHCP server
• Alcatel-Lucent Mapping Adjacency Protocol (AMAP) for building topology maps
• IEEE 802.1AB Link Layer Discovery Protocol (LLDP) with Media Endpoint Device (MED) extensions for automated device discovery
• Multiple VLAN Registration Protocol (MVRP) for IEEE 802.1Q-compliant VLAN pruning and dynamic VLAN creation
• Auto-QoS for switch management traffic and traffic from Alcatel-Lucent IP phones
• Network Time Protocol (NTP) for network-wide time synchronization

Resiliency and high availability
• Ring Rapid Spanning Tree Protocol (RRSTP) optimized for ring topology to provide less than 100 ms convergence time
• IEEE 802.1s Multiple Spanning Tree Protocol: Encompasses IEEE 802.1D Spanning Tree Protocol (STP) and IEEE 802.1w Rapid Spanning Tree Protocol
• Per-VLAN spanning tree (PVST) and 1x1 STP mode
• Support for IEEE 802.3ad Link Aggregation Control Protocol (LACP) and static Link Aggregation Groups (LAGs) across modules
• Broadcast and multicast storm control to avoid degradation in overall system performance
• Unidirectional Link Detection (UDLD) for detecting and disabling unidirectional links on fiber optic interfaces
• Hot-swappable transceiver modules offering uninterruptable service
• Dual-image and dual-configuration file storage provide backup

Advanced security
Access control
• Access Guardian framework in the AOS for comprehensive user-policy-based network access control (NAC)
• Auto-sensing IEEE 802.1X multi-client, multi-VLAN MAC-based authentication for non-802.1X hosts
• Group mobility rules and guest VLAN support
• User network profile (UNP): Simplifying NAC management and control by dynamically providing predefined policy configuration to authenticated clients (VLAN, ACL, BW)
• SSH for secure CLI session with public key infrastructure (PKI) support
• Centralized Remote Access Dial-In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) user authentication

Containment, monitoring and quarantine
• DHCP snooping, DHCP IP spoof protection
• TACACS+ client allowing authentication, authorization and accounting with a remote TACACS+ server
• Dynamic Address Resolution Protocol (ARP) protection and ARP poisoning detection
• ACLs for filtering out unwanted traffic including DoS attacks; flow-based filtering in hardware (L1 to L4)
• Bridge Protocol Data Unit (BPDU) blocking: Automatically shutting down user ports if an STP BPDU packet is seen to prevent topology loops
• STP Root Guard: Preventing edge devices from becoming Spanning Tree Protocol root nodes

Converged networks
PoE
• PoE models support Alcatel-Lucent IP phones and WLAN access points, as well as any IEEE 802.3af or IEEE 802.3at-compliant end devices
• Configurable per-port PoE priority and max power for power allocation
• Dynamic PoE allocation: Delivering only the amount of power needed by the powered devices (PD) up to the total power budget for most efficient power consumption

QoS
• Priority queues: Eight hardware-based queues per port for flexible QoS management
• Traffic prioritization: Flow-based QoS with internal and external (remarking) prioritization
• Bandwidth management: Flow-based bandwidth management, ingress rate limiting; egress rate shaping per port
• Queue management: Configurable scheduling algorithms, including Strict Priority Queuing (SPQ), Weighted Round Robin (WRR) and Deficit Round Robin (DRR)
• Congestion avoidance: Support for End-to-End Head-Of-Line (E2E-HOL) blocking protection
• Auto QoS for switch management traffic and traffic from Alcatel-Lucent IP phones
• Three-color marker: Single/dual rate policing with commit bandwidth (BW), excess BW and burst size

Layer-2, Layer-3 Routing and Multicast
Layer-2 switching
• Up to 16,000 MACs
• Up to 4000 VLANs
• Up to 1,000 ingress rules
• Up to 128 egress rules
• Latency: < 4 µs
• Max Frame: 9,216 bytes (jumbo)

IPv4 and IPv6
• Static routing (IPv4 and IPv6)
• Up to 8 IPv4 and 4 IPv6 interfaces
• Up to 8 IPv4 and 4 IPv6 static routes
• Up to 256 ARP entries

Multicast
• IGMPv1/v2/v3 snooping for optimized multicast traffic
• Multicast Listener Discovery (MLD) v1/v2 snooping
• Up to 1000 multicast groups
• IP Multicast VLAN (IPMVLAN) supported

Network protocols
• DHCP relay including generic User Datagram Protocol (UDP) relay
• ARP
• Dynamic Host Configuration Protocol (DHCP) relay
• DHCP relay to forward client requests to a DHCP server
• Generic UDP relay per VLAN
• DHCP Option 82: Configurable relay agent information

TECHNICAL SPECIFICATIONS

PORT OS6350-24 OS6350-P24 OS6350-48 OS6350-P48
RJ-45 10/100/1000 ports 24 24 48 48
Gigabit SFP ports 4 4 4 4
PoE ports 0 24 0 48

PERFORMANCE (GIGABIT MODELS) OS6350-24 OS6350-P24 OS6350-48 OS6350-P48
Switch capacity with 4xGb/s uplinks 56 Gb/s 56 Gb/s 104 Gb/s 104 Gb/s
Switch frame rate with 4xGb/s uplinks 41.67 Mp/s 41.67 Mp/s 77.38 Mp/s 77.38 Mp/s

DIMENSIONS OS6350-24 OS6350-P24 OS6350-48 OS6350-P48
Width 44.0 cm (17.32 in) 44.0 cm (17.32 in) 44.0 cm (17.32 in) 44.0 cm (17.32 in)
Height 4.4 cm (1.73 in) 4.4 cm (1.73 in) 4.4 cm (1.73 in) 4.4 cm (1.73 in)
Depth 23.87 cm (9.4 in) 23.87 cm (9.4 in) 23.87 cm (9.4 in) 32.3 cm (12.72 in)
Weight 4.08 kg (9.0 lb) 5.05 kg (11.0 lb) 5.44 kg (12.0 lb) 6.8 kg (15.0 lb)

OPERATING CONDITIONS OS6350-24 OS6350-P24 OS6350-48 OS6350-P48
Operating temperature 0°C to +45°C (32°F to +113°F) 0°C to +45°C (32°F to +113°F) 0°C to +45°C (32°F to +113°F) 0°C to +45°C (32°F to +113°F)
Storage temperature -40°C to +75°C (-40°F to +167°F) -40°C to +75°C (-40°F to +167°F) -40°C to +75°C (-40°F to +167°F) -40°C to +75°C (-40°F to +167°F)
Humidity (operating and storage) 5% to 95% 5% to 95% 5% to 95% 5% to 95%
Fan (variable speed)* Fanless 3 fans 1 fan 4 fans
Acoustic (dB) 0 dB (A) < 40 dB (A) < 40 dB (A) < 40 dB (A)
Mean Time Between Failures (MTBF) at 25°C (hours) 1,250,292 421,866 774,351 448,312
System power consumption (W)** 24 W 30 W 50 W 58 W

* Acoustic levels measured with the primary power supply at room temperature
** Power consumption measured with 64-byte packets at varied traffic conditions on all ports, including the 1 Gigabit Ethernet uplinks

OMNISWITCH 6350 POWER SUPPLY SPECIFICATIONS

The OmniSwitch 6350 24/P24/48/P48 port models offer an internal supply configuration. A backup power supply option is not available
on the OmniSwitch 6350 family of products.

SPECIFICATION OS6350-24 OS6350-P24 OS6350-48 OS6350-P48
Internal/external Internal Internal Internal Internal
Nominal input voltage 90-220 V AC 90-220 V AC 90-220 V AC 90-220 V AC
Output voltage 12V DC 12V DC/54V DC 12V DC 12V DC/53V DC
Wattage 30 W 525 W 60 W 900 W
PoE power budget N/A 380 W N/A 780 W
PoE device heat dissipation (Btu) N/A 1296 N/A 2661
Power supply efficiency 85% 85% 87% 85%

INDICATORS
System LEDs
System (OK1) (chassis HW/SW status)
PWR (primary power supply status)
PRI (chassis primary)
Per-port LEDs
• 10/100/1000: PoE, link/activity
• SFP: Link/activity

Compliance and certifications
Commercial
• EMI/EMC
• FCC CRF Title 47 Subpart B (Class A limits. Note: Class A with UTP cables)
• VCCI (Class A limits. Note: Class A with UTP cables)
• AS/NZS 3548 (Class A limits. Note: Class A with UTP cables)
• CE-Mark: Marking for European countries (Class A limits. Note: Class A with UTP cables)
• CE-Mark
¬¬ Low voltage Directive
¬¬ EMC Directive
¬¬ RoHS Directive
• EN 55022 (EMI and EMC requirement)
• EN 61000-3-3
• EN 61000-3-2 (Limits for harmonic current emissions)
• EN 55024: 2010 (ITE Immunity characteristics)
¬¬ EN 61000-4-2
¬¬ EN 61000-4-3
¬¬ EN 61000-4-4
¬¬ EN 61000-4-5
¬¬ EN 61000-4-6
¬¬ EN 61000-4-8
¬¬ EN 61000-4-11
• IEEE 802.3: Hi-Pot Test (2250 V DC on all Ethernet ports)
• EN 50581: Standard for technical documentation for RoHS recast

Safety agency certifications
• CB Scheme: Certification per IEC 60950/EN 60950 with all different country deviations
¬¬ UL 60950, United States
¬¬ IEC 60950-1, all national deviations
¬¬ EN 60950-1 (Electric/Health & Safety), all national deviations
¬¬ CAN/CSA-C22.2 No. 60950-1-03
¬¬ NOM-019 SCFI, Mexico
¬¬ AS/NZ TS-001 and 60950, Australia
¬¬ UL-AR, Argentina
¬¬ UL-GS Mark, Germany
¬¬ IEC 60825-1 Laser, IEC 60825-2 Laser
¬¬ CDRH Laser

Supported standards
• IEEE 802.1D (STP)
• IEEE 802.1p (CoS)
• IEEE 802.1Q (VLANs)
• IEEE 802.1s (MSTP)
• IEEE 802.1w (RSTP)
• IEEE 802.1X (Port Based Network Access Protocol)
• IEEE 802.3i (10Base-T)
• IEEE 802.3u (Fast Ethernet)
• IEEE 802.3x (Flow Control)
• IEEE 802.3z (Gigabit Ethernet)
• IEEE 802.3ab (1000Base-T)
• IEEE 802.3ac (VLAN Tagging)
• IEEE 802.3ad (Link Aggregation)
• IEEE 802.3af (Power-over-Ethernet)
• IEEE 802.3at (Power-over-Ethernet)
• IEEE 802.3az (Energy Efficient Ethernet)

IETF RFCs
IP Multicast
• RFC 1112 IGMP v1
• RFC 2236/2933 IGMP v2 and MIB
• RFC 2365 Multicast
• RFC 3376 IGMPv3 for IPv6

IPv6
• RFC 1981 Path MTU discovery
• RFC 1886 DNS for IPv6
• RFC 2292/2373/2374/2460/2462
• RFC 4861/2461 Neighbor discovery protocol
• RFC 4862/2462 IPv6 stateless address auto-configuration
• RFC 4443/2463/2466 ICMP v6 and MIB
• RFC 2452/2454 IPv6 TCP/UDP MIB
• RFC 2464/2553/2893/3493/3513
• RFC 3056 IPv6 Tunneling
• RFC 3484 Default Address Selection for IPv6
• RFC 3542/3587 IPv6 API support
• RFC 3595 Textual Conventions for IPv6 Flow Label
• RFC 4291/3315 – Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
• RFC 4007 IPv6 Scoped Address Architecture
• RFC 4193 Unique Local IPv6 Unicast Addresses
• RFC 4649 – Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay agent Remote-ID option
• RFC 6105 – Router Advertisement Guard
• RFC 6221 – Lightweight DHCPv6 Relay Agent

Manageability
• RFC 854/855 Telnet and Telnet options
• RFC 959/2640 FTP
• RFC 1155/2578-2580 SMI v1 and SMI v2
• RFC 1157/2271 SNMP
• RFC 1212/2737 MIB and MIB-II
• RFC 1213/2011-2013 SNMP v2 MIB
• RFC 1215 Convention for SNMP Traps
• RFC 1350 TFTP Protocol
• RFC 1573/2233/2863 Private Interface MIB
• RFC 1643/2665 Ethernet MIB
• RFC 1901-1908/3416-3418 SNMP v2c
• RFC 2096 IP MIB
• RFC 2131 DHCP Server/Client
• RFC 2570-2576/3411-3415 SNMP v3
• RFC 3414 User-based Security Model
• RFC 2616/2854 HTTP and HTML
• RFC 2667 IP Tunneling MIB
• RFC 2668/3636 IEEE 802.3 MAU MIB
• RFC 2674 VLAN MIB
• RFC 2818 HTTPS over SSL
• RFC 4251 Secure Shell Protocol Architecture
• RFC 4252 The Secure Shell (SSH v2) Authentication Protocol

Security
• RFC 1321 MD5
• RFC 2104 HMAC Message Authentication
• RFC 2138/2865/2868/3575/2618 RADIUS Authentication and Client MIB
• RFC 2139/2866/2867/2620 RADIUS Accounting and Client MIB
• RFC 2228 FTP Security Extensions
• RFC 2284 PPP EAP
• RFC 2869/3579 Radius Extension

Quality of service
• RFC 896 Congestion control
• RFC 1122 Internet Hosts
• RFC 2474/2475/2597/3168/3246 DiffServ
• RFC 3635 Pause Control
• RFC 2697 srTCM
• RFC 2698 trTCM

Others
• RFC 791/894/1024/1349 IP and IP/Ethernet
• RFC 792 ICMP
• RFC 768 UDP
• RFC 793/1156 TCP/IP and MIB
• RFC 826/903 ARP and Reverse ARP
• RFC 919/922 Broadcasting Internet Datagram
• RFC 925/1027 Multi LAN ARP/Proxy ARP
• RFC 950 Sub-netting
• RFC 951 BOOTP
• RFC 1151 RDP
• RFC 1191 Path MTU Discovery
• RFC 1256 ICMP Router Discovery
• RFC 1305/2030 NTP v3 and Simple NTP
• RFC 1493 Bridge MIB
• RFC 1518/1519 CIDR
• RFC 1541/1542/2131/3396/3442 DHCP
• RFC 1757/2819 RMON and MIB
• RFC 2131/3046 DHCP/BOOTP Relay
• RFC 2132 DHCP Options
• RFC 2251 LDAP v3
• RFC 3060 Policy Core
• RFC 3176 sFlow
• RFC 3021 Using 31-bit prefixes

ORDERING INFORMATION

MODEL NUMBER DESCRIPTION


OS6350-24 Gigabit Ethernet standalone chassis in a 1U form factor with 24 10/100/1000 Base-T ports, 4 gigabit SFP ports.
OS6350-P24 Gigabit Ethernet standalone chassis in a 1U form factor with 24 10/100/1000 PoE Base-T ports, 4 gigabit SFP ports.
OS6350-48 Gigabit Ethernet standalone chassis in a 1U form factor with 48 10/100/1000 Base-T ports, 4 gigabit SFP ports.
OS6350-P48 Gigabit Ethernet standalone chassis in a 1U form factor with 48 10/100/1000 PoE Base-T ports, 4 gigabit SFP ports.

GIGABIT TRANSCEIVERS
SFP-GIG-LH70 1000Base-LH transceiver with an LC interface for single mode fiber over 1550 nm wavelength. Typical reach of 70 km.
SFP-GIG-LH40 1000Base-LH transceiver with an LC interface for single mode fiber over 1310 nm wavelength. Typical reach of 40 km.
SFP-GIG-LX 1000Base-LX transceiver with an LC interface for single mode fiber over 1310 nm wavelength. Typical reach of 10 km.
SFP-GIG-SX 1000Base-SX transceiver with an LC interface for multimode fiber over 850 nm wavelength. Typical reach of 300 m.
SFP-GIG-EXTND 1000Base-SX transceiver with an LC interface for single mode fiber over 850 nm wavelength. Typical reach of 2 km.
SFP-GIG-T 1000Base-T Gigabit Ethernet transceiver. Supports category 5, 5E, and 6 copper cabling up to 100 m. The SFP supports
1000 Mbit/s ONLY on the OS6350 SFP ports.

enterprise.alcatel-lucent.com Alcatel-Lucent and the Alcatel-Lucent Enterprise logo are trademarks of Alcatel-Lucent. To view other
trademarks used by affiliated companies of ALE Holding, visit: enterprise.alcatel-lucent.com/trademarks. All other trademarks are the
property of their respective owners. The information presented is subject to change without notice. Neither ALE Holding nor any of its
affiliates assumes any responsibility for inaccuracies contained herein. (August 2015)
Alcatel-Lucent
OmniSwitch 6450-10
GIGABIT ETHERNET
LAN SWITCH

The Alcatel-Lucent OmniSwitch™ 6450 Stackable Gigabit Ethernet LAN value switch family
includes a series of 10-port models (non-PoE, Power over Ethernet [PoE], Fast and Gigabit
Ethernet) for classroom, workgroup and small enterprise segments. Designed with an optimized
size, low-power consumption, fanless operation and a rich software feature set, the OmniSwitch
6450-10 models provide a highly available, self-protective, easily managed and eco-friendly
collocation solution.

Service providers offering managed services have the option to install the Metro services license enabling a set of
Metro Ethernet features. This allows the OmniSwitch 6450-10 port models to be quickly integrated into the provider's
network as advanced customer premise equipment (CPE) devices.

The Alcatel-Lucent OmniSwitch 6450-10 models use the latest technologies and Alcatel-Lucent Operating System (AOS)
innovations.

Solutions benefiting from the OmniSwitch 6450-10 switches are:
• Classroom and workgroup networks
• Small enterprise or branch office networks
• Commercial and residential managed services

Alcatel-Lucent OmniSwitch 6450-10
The Alcatel-Lucent OmniSwitch 6450-10 offers eight user ports for smaller network environments. These models are power
and acoustically optimized, with a half-rack width (8.5 in./21.59 cm), and have a fixed configuration chassis in a 1 RU form
factor. All models are fanless and have an internal power supply. PoE models are both 802.3af/802.3at compliant and offer
120 W of power for PoE attached devices.

The OmniSwitch 6450-10L/P10L models have the user port speeds fixed for 10/100M operation. These models are
upgradeable to gigabit speeds in the future using the OS6450-10L-UPGD license upgrade.

(Product images: OmniSwitch 6450-10L/P10L; OmniSwitch 6450-10/P10)

Table 1. OmniSwitch 6450-10 model configurations

Chassis 10/100 ports 10/100/1000 ports SFP Gig combo ports SFP uplink (gigabit) stacking ports (5 Gb/s)* Power supply supported Backup power supply supported
Non-PoE models
OS6450-10L 8 0 2 2 Internal AC N/A
OS6450-10 0 8 2 2 Internal AC N/A
PoE models
OS6450-P10L 8 0 2 2 Internal AC N/A
OS6450-P10 0 8 2 2 Internal AC N/A

Combo ports:
• RJ-45 combo port configurable to be RJ10/100/1000Base-T
• SFP combo port supporting 100/1000Base-X transceivers for short, long and very long distances
• SFP fixed fiber interfaces support only gigabit SFP transceivers or SFP stacking cable.
Technical specifications
PORT OS6450-10L OS6450-10 OS6450-P10L OS6450-P10
RJ-45 10/100 ports 8 0 8 0
RJ-45 10/100/1000 ports 0 8 0 8
RJ-45/SFP 10/100/1000 combo ports 2 2 2 2
SFP uplink/stacking ports 2 2 2 2
PoE ports 0 0 8 8
Maximum units stackable* 2 2 2 2
Dimensions
Switch width 8.50 in. (21.5 cm) 8.50 in. (21.5 cm) 8.50 in. (21.5 cm) 8.50 in. (21.5 cm)
Switch height 1.73 in. (4.4 cm) 1.73 in. (4.4 cm) 1.73 in. (4.4 cm) 1.73 in. (4.4 cm)
Switch depth 11.5 in. (29.21 cm) 11.5 in. (29.21 cm) 11.5 in. (29.21 cm) 11.5 in. (29.21 cm)

Performance (FD/Aggregated)
Switch capacity (2GigE uplinks) 2.8/5.6 Gb/s 10/20 Gb/s 2.8/5.6 Gb/s 10/20 Gb/s
Switch capacity (4GigE uplinks) 4.8/9.6 Gb/s 12/24 Gb/s 4.8/9.6 Gb/s 12/24 Gb/s
Stacking capacity 10/20 Gb/s 10/20 Gb/s 10/20 Gb/s 10/20 Gb/s
Operating conditions
Operating temperature 0°C to +45°C 0°C to +45°C 0°C to +45°C 0°C to +45°C
32°F to +113°F 32°F to +113°F 32°F to +113°F 32°F to +113°F
Storage temperature -40°C to +75°C -40°C to +75°C -40°C to +75°C -40°C to +75°C
-40°F to +167°F -40°F to +167°F -40°F to +167°F -40°F to +167°F
Humidity (operating and storage) 5% to 95% 5% to 95% 5% to 95% 5% to 95%
MTBF (hours) 695,192 695,192 499,729 499,729
Power supply efficiency 85.6% 85.6% 90.1% 90.1%
Fanless design Yes Yes Yes Yes
Acoustic (dB) Silent Silent Silent Silent
System power consumption (watts)** ~17 W ~17 W ~23.5 W ~23.5 W
Heat dissipation (Btu) 58 58 78 78
PoE power budget N/A N/A 120 W 120 W
PoE device heat dissipation (Btu) N/A N/A 409 409

* Stacking available in a future software release


** Power consumption measured under fully loaded traffic conditions

Indicators
System LEDs
• System (OK) (chassis HW/SW status)
• PWR (primary power supply status)
• PRI (virtual chassis primary)
• BPS (backup power status)
• STK (stacking indicator for 10 port models)
Per-port LEDs
• 10/100/1000: PoE, link/activity
• SFP: Link/activity
• Stacking: Link/activity

Compliance and certifications
Commercial
EMI/EMC
• FCC CRF Title 47 Subpart B (Class A limits. Note: Class A with UTP cables)
• VCCI (Class A limits. Note: Class A with UTP cables)
• AS/NZS 3548 (Class A limits. Note: Class A with UTP cables)
• CE marking for European countries (Class A limits. Note: Class A with UTP cables)
• EN 55022: 2006 (Emission Standard)
• EN 61000-3-3: 1995
• EN 61000-3-2: 2006
• EN 55024: 1998 (Immunity Standards)
• EN 61000-4-2: 1995+A1: 1998
• EN 61000-4-3: 1996+A1: 1998
• EN 61000-4-4: 1995
• EN 61000-4-5: 1995
• EN 61000-4-6: 1996
• EN 61000-4-8: 1994
• EN 61000-4-11: 1994
• IEEE 802.3: Hi-Pot Test (2250 V DC on all Ethernet ports)

Safety agency certifications
• US UL 60950
• IEC 60950-1:2001; all national deviations
• EN 60950-1: 2001; all deviations
• CAN/CSA-C22.2 No. 60950-1-03
• NOM-019 SCFI, Mexico
• AS/NZ TS-001 and 60950:2000, Australia
• UL-AR, Argentina
• UL-GS Mark, Germany
• EN 60825-1 Laser, EN 60825-2 Laser
• CDRH Laser

Alcatel-Lucent OmniSwitch 6450-10


Alcatel-Lucent Data sheet
2
Detailed product features
Simplified management
Configuration management interfaces
• Intuitive Alcatel-Lucent command-line interface (CLI) with familiar interface reducing training costs
• Easy-to-use, point-and-click web-based element manager (WebView) with built-in help for easy configuration
• Integration with Alcatel-Lucent OmniVista for network management
• Full configuration and reporting using SNMPv1/2/3 across all OmniSwitch families to facilitate third-party Network Management System (NMS) integration
• Remote Telnet management or Secure Shell access using SSHv2
• File upload using USB, TFTP, FTP, SFTP, or SCP for faster configuration
• Human-readable ASCII-based config files for offline editing and bulk configuration
• Managed by Alcatel-Lucent 5620 Service Aware Manager

Monitoring and troubleshooting
• Local (on the flash) and remote server logging: Syslog and command log
• Port-based mirroring for troubleshooting and lawful interception; supports four sessions with multiple sources-to-one destination across modules
• Policy-based mirroring – allows selection of the type of traffic to mirror by using quality of service (QoS) policies
• Remote port mirroring that facilitates passing mirrored traffic through the network to a remotely connected device
• Port monitoring feature that allows capture of Ethernet packets to a file, or for on-screen display to assist in troubleshooting
• sFlow v5 and RMON: For advanced monitoring and reporting capabilities for statistics, history, alarms, and events
• IP tools: Ping and trace route

Network configuration
• Auto remote configuration download feature
• Auto-negotiating 10/100/1000 ports automatically configure port speed and duplex setting
• Auto MDI/MDIX automatically configures transmit and receive signals to support straight through and crossover cabling
• BootP/Dynamic Host Configuration Protocol (DHCP) client allows auto-config of switch IP information for simplified deployment
• DHCP relay to forward client requests to a DHCP server
• Alcatel-Lucent Mapping Adjacency Protocol (AMAP) for building topology maps
• IEEE 802.1AB Link Layer Discovery Protocol (LLDP) with MED extensions for automated device discovery
• GARP VLAN Registration Protocol (GVRP) for 802.1Q-compliant VLAN pruning and dynamic VLAN creation
• Auto QoS for switch management traffic as well as traffic from Alcatel-Lucent IP phones
• Network Time Protocol (NTP) for network-wide time synchronization
• Stackable to 2 units (future software release)

Resiliency and high availability
• Rapid Ring Spanning Tree Protocol (RRSTP) optimized for ring topology to provide less than 100 ms convergence time
• IEEE 802.1s Multiple Spanning Tree Protocol: Encompasses IEEE 802.1D STP and IEEE 802.1w Rapid Spanning Tree Protocol
• Per-VLAN spanning tree (PVST) and Alcatel-Lucent 1x1 STP mode
• IEEE 802.3ad Link Aggregation Control Protocol (LACP) and static LAG groups across modules
• Dual-home link (DHL) support for subsecond link protection without STP
• Virtual Router Redundancy Protocol (VRRP) to provide highly available routed environments
• Broadcast and multicast storm control to avoid degradation in overall system performance
• Unidirectional Link Detection (UDLD): Detects and disables unidirectional links on fiber optic interfaces
• Layer 2 port loopback detection for preventing customer loops on Ethernet access ports
• Redundant and hot-swappable power supplies and transceiver modules offering uninterruptable service
• Dual image and dual configuration file storage provides backup

Advanced security
Access control
• AOS Access Guardian framework for comprehensive user policy-based Network Access Control (NAC)
• Autosensing 802.1X multi-client, multi-VLAN
• MAC-based authentication for non-802.1x hosts
• Web-based authentication (Captive Portal) – a customizable web portal residing on the switch that can be used for authenticating supplicants as well as non-supplicants
• Group mobility rules and "guest" VLAN support
• The host integrity check (HIC) agent on each switch makes it a HIC enforcer and facilitates endpoint device control for company policy compliance.
• User Network Profile (UNP) – simplify NAC management and control by dynamically providing pre-defined policy configuration to authenticated clients (VLAN, ACL, BW, HIC)
• SSH for secure CLI session with public key infrastructure (PKI) support
• Centralized RADIUS and Lightweight Directory Access Protocol (LDAP) user authentication

Containment, monitoring and quarantine
• Alcatel-Lucent Quarantine Manager and quarantine VLAN (not supported)
• Learned Port Security (LPS) or MAC address lockdown – secures the network access on user or trunk ports based on MAC address
• DHCP Snooping, DHCP IP Spoof protection
• TACACS+ client allows for authentication, authorization and accounting with a remote TACACS+ server
• Dynamic Address Resolution Protocol (ARP) protection and ARP poisoning detection
• Access control lists to filter out unwanted traffic including denial of service attacks; flow-based filtering in hardware (L1-L4)
• Bridge Protocol Data Unit (BPDU) blocking – automatically shuts down user ports if an STP BPDU packet is seen to prevent topology loops
• STP Root Guard – prevents edge devices from becoming Spanning Tree Protocol root node

Converged networks
PoE
• The PoE models support Alcatel-Lucent IP phones and WLAN access points, as well as any IEEE 802.3af or IEEE 802.3at compliant end device.
• Configurable per port PoE priority and max power for power allocation
• Dynamic PoE allocation delivers only the power needed by the Powered Devices (PD) up to the total power budget for most efficient power consumption.

QoS
• Priority queues: Eight hardware-based queues per port for flexible QoS management
• Traffic prioritization: Flow-based QoS with internal and external (that is, remarking) prioritization
• Bandwidth management: Flow-based bandwidth management, ingress rate limiting; egress rate shaping per port
• Queue management: Configurable scheduling algorithm – Strict Priority Queuing (SPQ), Weighted Round Robin (WRR) and Deficit Round Robin (DRR)
• Congestion avoidance: Support for End-to-End Head of Line (E2E-HOL) Blocking Protection
• Auto QoS for switch management traffic as well as traffic from Alcatel-Lucent IP phones
• Three color marker – single/dual rate – policing with commit BW, excess BW, burst size

Layer 2, Layer 3 routing and multicast
Layer 2 switching
• Up to 16,000 MACs
• Up to 4000 VLANs
• Up to 2K Access Control Lists (ACLs)
• Latency: <4 µs

IPv4 and IPv6
• Static routing for IPv4 and IPv6
• RIP v1 and v2 for IPv4, RIPng for IPv6
• Up to 256 IPv4/128 IPv6 static and RIP routes
• Up to 128 IPv4 and 16 IPv6 interfaces

Multicast
• IGMPv1/v2/v3 snooping to optimize multicast traffic
• Multicast Listener Discovery (MLD) snooping
• Up to 1000 multicast groups/stack
• IP Multicast VLAN (IPMVLAN) for optimized multicast replication at the edge saving network core resources

Network protocols
• DHCP relay (including generic UDP relay)
• ARP
• DHCP relay
• DHCP relay to forward client requests to a DHCP server
• Generic User Datagram Protocol (UDP) relay per VLAN
• DHCP Option 82 – configurable relay agent information

Metro Ethernet access (features available through Metro license upgrade)
• Ethernet services support per IEEE 802.1ad Provider Bridge
¬ Transparent LAN Services with Service VLAN (SVLAN) and Customer VLAN (CVLAN) concept
¬ Ethernet network-to-network interface (NNI) and user network interface (UNI) services
¬ Service Access Point (SAP) profile identification
¬ CVLAN to SVLAN translation and mapping
• IEEE 802.1ag Ethernet OAM: Connectivity Fault Management (L2 ping and link trace)
• Ethernet OAM compliant with IEEE 802.3ah
• ITU-T G.8032 Ethernet Ring Protection designed for loop protection and fast convergence times (sub 50 ms) in ring topologies
• Private VLAN feature for user traffic segregation
• Service Assurance Agent (SAA) for proactively measuring network health, reliability and performance. Four SAA tests including L2-MAC, IP, ETH-LB and ETH-DMM depending on your network requirements
• Customer Provider Edge (CPE) test head traffic generator and analyzer tool used in the metro Ethernet network to validate customer Service Level Agreements (SLA)
• IPMVLAN for optimized multicast replication at the edge saving network core resources
• Layer 2 Multicast VLAN Replication (MVR) – allows users from different multicast VLANs to subscribe to a multicast group from an upstream trunk interface
• Three color marker – single/dual rate – policing with commit BW, excess BW, burst size
• TR-101 Point-to-Point Protocol over Ethernet (PPPoE) Intermediate Agent allowing for the PPPoE network access method
• MAC-forced forwarding support according to RFC 4562
• L2CP – Layer 2 Control Protocol for tunneling a customer's L2CP frames, using a well known address, on a given UNI for the EPL and EVPL services
• Dying Gasp using SNMP and Ethernet OAM delivery
• MEF 9 and 14 certified
• Managed by Alcatel-Lucent 5620 Service Aware Manager

Supported standards
IEEE standards
• IEEE 802.1D (STP)
• IEEE 802.1p (CoS)
• IEEE 802.1Q (VLANs)
• IEEE 802.1ad (Provider Bridge)
• Q-in-Q (VLAN stacking)
• IEEE 802.1ag (Connectivity Fault Management)
• IEEE 802.1s (MSTP)
• IEEE 802.1w (RSTP)
• IEEE 802.1X (Port-based Network Access Protocol)
• IEEE 802.3i (10Base-T)
• IEEE 802.3u (Fast Ethernet)
• IEEE 802.3x (Flow Control)
• IEEE 802.3z (Gigabit Ethernet)
• IEEE 802.3ab (1000Base-T)
• IEEE 802.3ac (VLAN Tagging)
• IEEE 802.3ad (Link Aggregation)
• IEEE 802.3af (Power over Ethernet)
• IEEE 802.3at (Power over Ethernet)
• IEEE 802.3ah (Ethernet first mile)

ITU-T standards
• ITU-T G.8032: Draft (June 2007) Ethernet Ring Protection
• ITU-T Y.1731 OA&M fault and performance management

IETF standards
RIP
• RFC 1058 RIP v1
• RFC 1722/1723/1724/2453 RIP v2 and MIB
• RFC 1812/2644 IPv4 Router Requirement
• RFC 2080 RIPng for IPv6

IP Multicast
• RFC 1112 IGMP v1
• RFC 2236/2933 IGMP v2 and MIB
• RFC 2365 Multicast
• RFC 3376 IGMPv3 for IPv6

IPv6
• RFC 1886 DNS for IPv6
• RFC 2292/2373/2374/2460/2462
• RFC 2461 NDP
• RFC 2463/2466 ICMP v6 and MIB
• RFC 2452/2454 IPv6 TCP/UDP MIB
• RFC 2464/2553/2893/3493/3513
• RFC 3056 IPv6 Tunneling
• RFC 3542/3587 IPv6
• RFC 4007 IPv6 Scoped Address Architecture
• RFC 4193 Unique Local IPv6 Unicast Addresses

Manageability
• RFC 1350 TFTP Protocol
• RFC 854/855 Telnet and Telnet options
• RFC 1155/2578-2580 SMI v1 and SMI v2
• RFC 1157/2271 SNMP
• RFC 1212/2737 MIB and MIB-II
• RFC 1213/2011-2013 SNMP v2 MIB
• RFC 1215 Convention for SNMP Traps
• RFC 1573/2233/2863 Private Interface MIB
• RFC 1643/2665 Ethernet MIB
• RFC 1901-1908/3416-3418 SNMP v2c
• RFC 2096 IP MIB
• RFC 2570-2576/3411-3415 SNMP v3
• RFC 3414 User-based security model
• RFC 2616/2854 HTTP and HTML
• RFC 2667 IP Tunneling MIB
• RFC 2668/3636 IEEE 802.3 MAU MIB
• RFC 2674 VLAN MIB
• RFC 4251 Secure Shell Protocol architecture
• RFC 4252 The Secure Shell (SSH) Authentication Protocol
• RFC 959/2640 FTP

Security
• RFC 1321 MD5
• RFC 2104 HMAC Message Authentication
• RFC 2138/2865/2868/3575/2618 RADIUS Authentication and Client MIB
• RFC 2139/2866/2867/2620 RADIUS Accounting and Client MIB
• RFC 2228 FTP Security Extensions
• RFC 2284 PPP EAP
• RFC 2869/3579 Radius Extension

Quality of service
• RFC 896 Congestion control
• RFC 1122 Internet Hosts
• RFC 2474/2475/2597/3168/3246 DiffServ
• RFC 3635 Pause Control
• RFC 2697 srTCM
• RFC 2698 trTCM

Others
• RFC 791/894/1024/1349 IP and IP/Ethernet
• RFC 792 ICMP
• RFC 768 UDP
• RFC 793/1156 TCP/IP and MIB
• RFC 826/903 ARP and Reverse ARP
• RFC 919/922 Broadcasting Internet datagram
• RFC 925/1027 Multi LAN ARP/Proxy ARP
• RFC 950 Sub-netting
• RFC 951 BootP
• RFC 1151 RDP
• RFC 1191 Path MTU Discovery
• RFC 1256 ICMP Router Discovery
• RFC 1305/2030 NTP v3 and Simple NTP
• RFC 1493 Bridge MIB
• RFC 1518/1519 CIDR
• RFC 1541/1542/2131/3396/3442 DHCP
• RFC 1757/2819 RMON and MIB
• RFC 2131/3046 DHCP/BootP Relay
• RFC 2132 DHCP Options
• RFC 2251 LDAP v3
• RFC 3060 Policy Core
• RFC 3176 sFlow
• RFC 3021 Using 31-bit prefixes


OmniSwitch 6450-10 models ordering


PART NUMBER DESCRIPTION
OS6450-10L Fast Ethernet chassis in a 1 RU form factor with eight 10/100Base-T, two 10/100/1000 RJ-45/SFP combo and
two fixed SFP uplink/stacking ports
OS6450-10 Gigabit Ethernet chassis in a 1 RU form factor with eight 10/100/1000Base-T, two 10/100/1000 RJ-45/SFP
combo and two fixed SFP uplink/stacking ports
OS6450-P10L Fast Ethernet chassis in a 1 RU form factor with eight PoE 10/100Base-T, two 10/100/1000 RJ-45/SFP combo
and two fixed SFP uplink/stacking ports
OS6450-P10 Gigabit Ethernet chassis in a 1 RU form factor with eight PoE 10/100/1000Base-T, two 10/100/1000 RJ-45/
SFP combo and two fixed SFP uplink/stacking ports
License options All models above support the below license options.
OS6450-10L-UPGD Software license enabling the RJ-45 ports of OS6450-10L and OS6450-P10L chassis to operate at gigabit speed
OS6450-SW-ME OS6450 software license enables the Metro software features outlined in the Metro Ethernet access section of
this data sheet.

Alcatel-Lucent OmniSwitch 6450-10


Alcatel-Lucent Data sheet
5
Mounting options

| PART NUMBER | DESCRIPTION |
|---|---|
| OS6450-RM-19-L | Simple L-bracket for mounting a single OS6450-10 model switch in a 19-in. rack |
| OS6450-DUAL-MNT | Two universal mounting and sliding brackets accessory kit. Hardware to mount two 6450-10 units in a 19-in. rack |
| OS6450-TRAY-19 | Optional 19-in. tray for mounting two 10-port models side by side in a 1 RU configuration |

Gigabit transceivers

| PART NUMBER | DESCRIPTION |
|---|---|
| SFP-GIG-LH70 | 1000Base-LH transceiver with an LC interface for single mode fiber over 1550 nm wavelength. Typical reach of 70 km |
| SFP-GIG-LH40 | 1000Base-LH transceiver with an LC interface for single mode fiber over 1310 nm wavelength. Typical reach of 40 km |
| SFP-GIG-LX | 1000Base-LX transceiver with an LC interface for single mode fiber over 1310 nm wavelength. Typical reach of 10 km |
| SFP-GIG-SX | 1000Base-SX transceiver with an LC interface for multimode fiber over 850 nm wavelength. Typical reach of 300 m |
| SFP-GIG-BX-D | 1000Base-BX bidirectional transceiver with an LC type interface for use over single mode fiber optic on a single strand link up to 10 km point to point. Transmits 1490 nm and receives 1310 nm optical signal |
| SFP-GIG-BX-U | 1000Base-BX bidirectional transceiver with an LC type interface for use over single mode fiber optic on a single strand link up to 10 km point to point. Transmits 1310 nm and receives 1490 nm optical signal |

100 Megabit transceivers

| PART NUMBER | DESCRIPTION |
|---|---|
| SFP-100-MM | 100Base-FX transceiver with an LC interface for multimode fiber optic cable |
| SFP-100-SM15 | 100Base-FX transceiver with an LC type interface for single mode fiber optic cable up to 15 km |
| SFP-100-SM40 | 100Base-FX transceiver with an LC type interface for single mode fiber optic cable up to 40 km |
| SFP-100-BX-U | 100Base-BX bidirectional transceiver with an SC type interface for use over single mode fiber optic on a single strand link up to 20 km point to point, where the client (ONU) transmits 1310 nm and receives 1550 nm optical signal |
| SFP-100-BX-D | 100Base-BX bidirectional transceiver with an SC type interface for use over single mode fiber optic on a single strand link up to 20 km point to point, where the client (OLT) transmits 1550 nm and receives 1310 nm optical signal |

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of
Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented
is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
Copyright © 2012 Alcatel-Lucent. All rights reserved. 2012034193C (March)
Alcatel-Lucent OmniSwitch 6450
STACKABLE GIGABIT ETHERNET LAN SWITCH FAMILY

The Alcatel-Lucent OmniSwitch™ 6450 Stackable Gigabit Ethernet LAN value switch family
offers versatile, 24/48 port fixed configuration gigabit switches with optional upgrade paths
for 10 Gigabit Ethernet (GigE) stacking, 10 GigE uplinks and metro Ethernet services.

Offering a design optimized for flexibility and scalability as well as low power consumption,
the OmniSwitch 6450 is an outstanding edge solution. It uses the field-proven Alcatel-Lucent
Operating System (AOS) to deliver highly available, secure, self-protective, easily managed and
eco-friendly networks.

(Product images: OS6450-24/P24, OS6450-48/P48, OS6450-24/U24)

The Alcatel-Lucent OmniSwitch 6450 family is embedded with the latest technology, AOS innovations and offers maximum investment protection.

Solutions benefiting from the OmniSwitch 6450 switch family are:
• Edge of small-to-mid-sized networks
• Branch office enterprise and campus workgroups
• Residential and commercially managed services applications

Features
• 24 ports and 48 ports, Power over Ethernet (PoE), non-PoE and 24-port fiber models with two fixed Small Form Factor Pluggable (SFP+) 10 Gb ready interfaces
• Scalability from 24 to 384 gigabit ports and 16 10GigE ports
• Optional SFP+ stacking module
• Optional 10GigE uplink license option
• Optional metro services feature license option for service provider deployments
• Support for IEEE 802.3af as well as IEEE 802.3at-compliant PoE
• Internal AC or DC redundant power supplies

MANAGEMENT
• AOS field-proven software with management through web interface (WebView), command line interface (CLI), and Simple Network Management Protocol (SNMP)
• High availability with virtual chassis concept, redundant stacking links, primary/secondary unit failover, hot-swappable power options and configuration rollback
• Ethernet operations, administration and management (OA&M) support for service configuration and monitoring
• Support by Alcatel-Lucent OmniVista™ 2500 Network Management System (NMS)
• Alcatel-Lucent 5620 Service Aware Manager (SAM) applications for service providers

CONVERGENCE
• Enhanced voice over IP (VoIP) and video performance with policy-based QoS
• Future-ready support for multimedia applications with wire-rate multicast
• IEEE 802.3at PoE+ support for IP phones, wireless LAN (WLAN) access points and video cameras

SECURITY
• Flexible device and user authentication with Alcatel-Lucent Access Guardian (IEEE 802.1x/MAC/captive portal) with Host Integrity Check (HIC)
• Advanced quality of service (QoS) and Access Control Lists (ACLs) for traffic control, including an embedded denial of service (DoS) engine to filter out unwanted traffic attacks
• Extensive support of AOS user-oriented features such as learned port security (LPS), port mapping, Dynamic Host Configuration Protocol (DHCP) binding tables and User Network Profile (UNP)

PERFORMANCE AND REDUNDANCY
• Advanced Layer 2+ features with basic Layer 3 routing for both IPv4 and IPv6
• Triple speed (10/100/1000) user interfaces and GigE fiber interfaces (SFPs) supporting 100Base-X or 1000Base-X optical transceivers
• 10 Gb uplinks with license installed
• Wire-rate switching and routing performance

BENEFITS
• Meets any customer configuration need and offers excellent investment protection and flexibility, as well as ease of deployment, operation and maintenance
• Outstanding performance when supporting real-time voice, data and video applications for converged networks
• Ensures efficient power management, reduces operating expenses (OPEX) and lowers total cost of ownership (TCO) through the low power consumption and dynamic PoE allocation, which delivers only the power needed by the attached device
• A field-upgradeable solution that makes the network highly available and reduces OPEX
• Fully secures the network at the edge at no additional cost
• Enterprise-wide cost reduction through hardware consolidation to achieve scalable network segmentation and security without additional hardware installation
• Supports cost-effective installation and deployment with automated switch setup and configuration and end-to-end virtual LAN (VLAN) provisioning
• Simplifies metro Ethernet network OA&M for service providers

Alcatel-Lucent OmniSwitch 6450 24- and 48-port models


All models ship with two fixed SFP+ ports that operate at 1 Gbps by default. 10 Gbps operation requires the installation of the OS6450-SW-PERF license. These models also offer a two-port expansion slot for additional gigabit uplinks or 10 Gbps stacking modules. Both PoE and non-PoE models are full rack width, power optimized, fixed configuration chassis in a 1U form factor.

Table 1. Available OmniSwitch 6450 models

24/48 port models

| CHASSIS | 10/100/1000 RJ45 PORTS | SFP+ GIGABIT UPLINK / 10 GBPS SFP+ 10 GIGABIT UPLINK** | SFP+ STACKING EXPANSION MODULE PORTS | PRIMARY POWER | BACKUP POWER |
|---|---|---|---|---|---|
| Non-PoE models | | | | | |
| OS6450-24 | 24 | 2 | 2 | Internal AC | Internal AC/DC |
| OS6450-48 | 48 | 2 | 2 | Internal AC | Internal AC/DC |
| PoE models | | | | | |
| OS6450-P24 | 24 | 2 | 2 | Internal AC | External AC |
| OS6450-P48 | 48 | 2 | 2 | Internal AC | External AC |

** Requires OS6450-SW-PERF license to enable 10 gigabit uplink capability.

OmniSwitch 6450-P24 and OmniSwitch 6450-P48 models comply with both IEEE 802.3af/at standards.

Fiber models

| CHASSIS | 10/100/1000 SFP PORTS | 10/100/1000 COMBO PORTS | SFP+ GIGABIT UPLINK / 10 GBPS SFP+ 10 GIGABIT UPLINK** | SFP+ STACKING EXPANSION MODULE PORTS | PRIMARY POWER | BACKUP POWER |
|---|---|---|---|---|---|---|
| OS6450-U24 | 22 | 2 | 2 | 2 | Internal AC | Internal AC/DC |

** Requires OS6450-SW-PERF license to enable 10 gigabit uplink capability.

• Combo ports are ports individually configurable to be 10/100/1000Base-T or 100/1000Base-X, which support SFP transceivers for short, long and very long distances.
• SFP ports support 100/1000 Base-X SFP transceivers

Expansion port models

| CHASSIS | GIGABIT RJ45 PORTS | GIGABIT SFP PORTS | 10 GBPS SFP+ STACKING MODULE* |
|---|---|---|---|
| OS6450-XNI-U2 | 0 | 0 | 2 |
| OS6450-GNI-U2 | 0 | 2 | 0 |
| OS6450-GNI-C2 | 2 | 0 | 0 |

* Only stacking mode supported

Alcatel-Lucent OmniSwitch 6450


Alcatel-Lucent Data sheet
2
Technical specification – 24/48 port models

| SPECIFICATION | OS6450-24 | OS6450-P24 | OS6450-48 | OS6450-P48 | OS6450-U24 |
|---|---|---|---|---|---|
| Port | | | | | |
| RJ-45 10/100/1000 ports | 24 | 24 | 48 | 48 | 0 |
| RJ-45/SFP 10/100/1000 combo ports | 0 | 0 | 0 | 0 | 2 |
| SFP 100/1000 ports | 0 | 0 | 0 | 0 | 22 |
| SFP+ Gigabit/10 Gigabit uplink ports | 2 | 2 | 2 | 2 | 2 |
| Ports per expansion module | 2 | 2 | 2 | 2 | 2 |
| PoE ports | 0 | 24 | 0 | 48 | 0 |
| Max 24/48 port models in a stack | 8 | 8 | 8 | 8 | 8 |
| Dimensions | | | | | |
| Switch width | 17.32 in. (44.0 cm) | 17.32 in. (44.0 cm) | 17.32 in. (44.0 cm) | 17.32 in. (44.0 cm) | 17.32 in. (44.0 cm) |
| Switch height | 1.73 in. (4.4 cm) | 1.73 in. (4.4 cm) | 1.73 in. (4.4 cm) | 1.73 in. (4.4 cm) | 1.73 in. (4.4 cm) |
| Switch depth | 12.3 in. (31.24 cm) | 12.3 in. (31.24 cm) | 15.4 in. (39.1 cm) | 15.4 in. (39.1 cm) | 12.3 in. (31.24 cm) |
| Switch weight | 9 lb. (4.08 kg) | 11 lb. (5.05 kg) | 12 lb. (5.44 kg) | 15 lb. (6.8 kg) | 9 lb. (4.08 kg) |
| Performance | | | | | |
| Switch capacity with 2x10G ports (full duplex/aggregated) | 44 Gbps / 88 Gbps | 44 Gbps / 88 Gbps | 68 Gbps / 136 Gbps | 68 Gbps / 136 Gbps | 44 Gbps / 88 Gbps |
| Switch throughput with 2x10G ports | 65.5 Mpps | 65.5 Mpps | 101.2 Mpps | 101.2 Mpps | 65.5 Mpps |
| Stacking capacity (full duplex/aggregated) | 20 Gbps / 40 Gbps | 20 Gbps / 40 Gbps | 20 Gbps / 40 Gbps | 20 Gbps / 40 Gbps | 20 Gbps / 40 Gbps |
| Operating conditions | | | | | |
| Operating temperature | 0°C to +45°C (32°F to 113°F) | 0°C to +45°C (32°F to 113°F) | 0°C to +45°C (32°F to 113°F) | 0°C to +45°C (32°F to 113°F) | 0°C to +45°C (32°F to 113°F) |
| Storage temperature | -40°C to +75°C (-40°F to +167°F) | -40°C to +75°C (-40°F to +167°F) | -40°C to +75°C (-40°F to +167°F) | -40°C to +75°C (-40°F to +167°F) | -40°C to +75°C (-40°F to +167°F) |
| Humidity (operating and storage) | 5% - 95% | 5% - 95% | 5% - 95% | 5% - 95% | 5% - 95% |
| Fan (variable speed)* | Fan less | 4 fan | 3 fan | 4 fan | 3 fan |
| Acoustic (dB) | 0 dB(A) | <40 dB(A) | <40 dB(A) | <40 dB(A) | <40 dB(A) |
| MTBF (hours) | 894,251 | 231,542 | 337,583 | 135,087 | 364,214 |
| System power consumption (watts)** | 35.67W | 37.89W | 64.68W | 66.54W | 56.26W |
| System heat dissipation (BTU) | 122 | 129 | 221 | 227 | 192 |
| PoE Power Budget | N/A | 390W | N/A | 780W | N/A |
| PoE device heat dissipation (BTU) | N/A | 1332 | N/A | 2663 | N/A |
| Power Supply Efficiency | 86.99% | 88.75% | 85.72% | 81.25% | 85.71% |

* Acoustic levels measured with a single power supply at room temperature

** Power consumption measured under fully loaded traffic conditions

OmniSwitch 6450 backup supplies and specifications


The OmniSwitch 6450 24/U24/48 port models offer a 1RU internal backup supply configuration where the redundant supply is installed in a
power supply bay at the back of the unit.

The OmniSwitch 6450 P24/48 port models offer a 2RU external backup supply configuration where the redundant supply/tray combination
mounts above the switch and uses a remote cable for the switch/supply connection. All parts and accessories are included with the backup
supply kit.

BACKUP POWER SUPPLY MODEL

| SPECIFICATION | OS6450-BP | OS6450-BP-PH | OS6450-BP-PX | OS6450-BP-D |
|---|---|---|---|---|
| Style | Framed | Framed | Framed | Framed |
| Internal/external | Internal | External | External | Internal |
| Input voltage | 90-220V AC | 90-220V AC | 90-220V AC | 36-72V DC |
| Output voltage | 12V DC | 12V DC/54V DC | 12V DC/54.5V DC | 12V DC |
| Wattage | 90W | 530W | 900W | 90W |
| PoE power budget | N/A | 390W | 780W | N/A |
| Power supply efficiency | 85% | 85% | 80% | 85% |
| Weight | 2.45 lbs (1.11 kg) | 5.75 lbs (2.59 kg) | 6.02 lbs (2.73 kg) | 2.45 lbs (1.11 kg) |
| Total RU with BPS | 1 RU | 2 RU | 2 RU | 1 RU |
| Models supported | OS6450-24/48/U24 | OS6450-P24 | OS6450-P48 | OS6450-24/48/U24 |

Indicators

System LEDs
• System (OK) (chassis HW/SW status)
• PWR (primary power supply status)
• PRI (virtual chassis primary)
• BPS (backup power status)
• LED segment display indicates the stack ID of the unit in the stack: 1 to 8 (24/48 port models)

Per-port LEDs
• 10/100/1000: PoE, link/activity
• SFP: Link/activity
• Stacking: Link/activity

Compliance and certifications

Commercial

EMI/EMC
• FCC CFR Title 47 Subpart B (Class A limits. Note: Class A with UTP cables)
• VCCI (Class A limits. Note: Class A with UTP cables)
• AS/NZS 3548 (Class A limits. Note: Class A with UTP cables)
• CE marking for European countries (Class A. Note: Class A with UTP cables)
• EN 55022: 2006 (Emission Standard)
• EN 61000-3-3: 1995
• EN 61000-3-2: 2006
• EN 55024: 1998 (Immunity standards)
¬ EN 61000-4-2: 1995+A1: 1998
¬ EN 61000-4-3: 1996+A1: 1998
¬ EN 61000-4-4: 1995
¬ EN 61000-4-5: 1995
¬ EN 61000-4-6: 1996
¬ EN 61000-4-8: 1994
¬ EN 61000-4-11: 1994
• IEEE802.3: Hi-Pot Test (2250 V DC on all Ethernet ports)

Safety agency certifications
• US UL 60950
• IEC 60950-1:2001; all national deviations
• EN 60950-1: 2001; all deviations
• CAN/CSA-C22.2 No. 60950-1-03
• NOM-019 SCFI, Mexico
• AS/NZ TS-001 and 60950:2000, Australia
• UL-AR, Argentina
• UL-GS Mark, Germany
• EN 60825-1 Laser, EN 60825-2 Laser
• CDRH Laser

Detailed product features

Simplified management

Configuration management interfaces
• Intuitive Alcatel-Lucent CLI with familiar interface reducing training costs
• Easy-to-use, point-and-click web based element manager (WebView) with built-in help for easy configuration
• Integration with Alcatel-Lucent OmniVista for network management
• Full configuration and reporting using SNMPv1/2/3 across all OmniSwitch families to facilitate third party NMS integration
• Remote Telnet management or Secure Shell access using SSHv2
• File upload using USB, TFTP, FTP, SFTP, or SCP for faster configuration
• Human-readable ASCII-based config files for off-line editing and bulk configuration
• Managed by Alcatel-Lucent 5620 Service Aware Manager

Monitoring and troubleshooting
• Local (on the flash) and remote server logging: Syslog and command log
• Port-based mirroring for troubleshooting and lawful interception, supports four sessions with multiple sources-to-one destination
• Policy-based mirroring - Allows selection of the type of traffic to mirror by using QoS policies
• Remote port mirroring that facilitates passing mirrored traffic through the network to a remotely connected device.
• Port monitoring feature that allows capture of Ethernet packets to a file, or for on-screen display to assist in troubleshooting
• sFlow v5 and RMON: For advanced monitoring and reporting capabilities for statistics, history, alarms, and events
• IP tools: ping and trace route

Network configuration
• Auto remote configuration download feature
• Auto-negotiating 10/100/1000 ports automatically configure port speed and duplex setting
• Auto MDI/MDIX automatically configures transmit and receive signals to support straight through and crossover cabling
• BootP/DHCP client allows auto-config of switch IP information for simplified deployment
• DHCP relay to forward client requests to a DHCP server
• Alcatel-Lucent Mapping Adjacency Protocol (AMAP) for building topology maps
• IEEE 802.1AB Link Layer Discovery Protocol (LLDP) with MED extensions for automated device discovery
• GARP VLAN Registration Protocol (GVRP) for 802.1Q-compliant VLAN pruning and dynamic VLAN creation
• Auto QoS for switch management traffic as well as traffic from Alcatel-Lucent IP phones
• Network Time Protocol (NTP) for network wide time synchronization
• Stackable to eight units

Resiliency and high availability
• Ring Rapid Spanning Tree (RRSTP) optimized for ring topology to provide less than 100 ms convergence time
• IEEE 802.1s Multiple Spanning Tree Protocol: encompasses IEEE 802.1D STP and IEEE 802.1w Rapid Spanning Tree Protocol
• Per-VLAN spanning tree (PVST) and Alcatel-Lucent 1x1 STP mode
• IEEE 802.3ad Link Aggregation Control Protocol (LACP) and static LAG groups across modules are supported
• Dual-home link (DHL) support for sub-second link protection without STP
• Virtual Router Redundancy Protocol (VRRP) to provide highly available routed environments
• Broadcast and multicast storm control to avoid degradation in overall system performance
• Uni-Directional Link Detection (UDLD): Detects and disables unidirectional links on fiber optic interfaces.
• Layer 2 port loopback detection for preventing customer loops on Ethernet access ports.
• Redundant and hot-swappable power supplies and transceiver modules offering uninterruptible service
• Dual image and dual configuration file storage provides backup

Advanced security

Access control
• AOS Access Guardian framework for comprehensive user policy based network access control (NAC)*
• Autosensing 802.1X multi-client, multi-VLAN
• MAC-based authentication for non-802.1x hosts
• Web-based authentication (Captive Portal) – A customizable web portal residing on the switch that can be used for authenticating supplicants as well as non-supplicants.
• Group mobility rules and “guest” VLAN support
• The host integrity check (HIC) agent on each switch makes it an HIC enforcer and facilitates endpoint device control for company policy compliance; quarantine and remediation are supported as required.
• User network profile (UNP) – Simplify NAC management and control by dynamically providing pre-defined policy configuration to authenticated clients: VLAN, ACL, BW, HIC
• SSH for secure CLI session with PKI support
• Centralized RADIUS and LDAP user authentication

Containment, monitoring and quarantine
• Support for Alcatel-Lucent Quarantine Manager and quarantine VLAN*
• Learned Port Security (LPS) or MAC address lockdown - Secures network access on user or trunk ports based on a MAC address
• DHCP Snooping, DHCP IP spoof protection
• TACACS+ client allows for authentication, authorization and accounting with a remote TACACS+ server
• Dynamic ARP protection and ARP poisoning detection
• Access control lists to filter out unwanted traffic including denial of service attacks; Flow-based filtering in hardware (L1-L4)
• BPDU blocking – Automatically shuts down user ports if an STP BPDU packet is seen to prevent topology loops
• STP Root Guard - Prevents edge devices from becoming Spanning Tree Protocol root node

Converged networks

PoE
• The PoE models support Alcatel-Lucent IP phones and WLAN access points, as well as any IEEE 802.3af or IEEE 802.3at compliant end device.
• Configurable per port PoE priority and max power for power allocation
• Dynamic PoE allocation, delivers only the power needed by the Powered Devices (PD) up to the total power budget for most efficient power consumption.

QoS
• Priority queues: eight hardware-based queues per port for flexible QoS management
• Traffic prioritization: Flow-based QoS with internal and external (a.k.a., remarking) prioritization
• Bandwidth management: flow based bandwidth management, ingress rate limiting; egress rate shaping per port
• Queue management: configurable scheduling algorithm: Strict Priority (SQP), Weighted Round Robin (WRR) and Deficit Round Robin (DRR)
• Congestion avoidance: Support for End to End Head-Of-Line (E2E-HOL) Blocking Protection
• Auto QoS for switch management traffic as well as traffic from Alcatel-Lucent IP phones
• Three color marker - Single/Dual Rate – policing with Commit BW, Excess BW, Burst size

Layer-2, Layer-3 Routing and Multicast

Layer-2 switching
• Up to 16,000 MACs
• Up to 4000 VLANs
• Up to 2k ACLs
• Latency: < 4 µseconds

IPv4 and IPv6
• Static routing for IPv4 and IPv6
• RIP v1 and v2 for IPv4, RIPng for IPv6
• Up to 256 IPv4/ 128 IPv6 static and RIP routes.
• Up to 128 IPv4 and 16 IPv6 interfaces

Multicast
• IGMPv1/v2/v3 snooping to optimize multicast traffic
• MLD snooping
• Up to 1000 multicast groups/stack
• IP Multicast VLAN (IPMVLAN) for optimized multicast replication at the edge saving network core resources

Network protocols
• DHCP relay (including generic UDP relay)
• ARP
• Dynamic Host Configuration Protocol (DHCP) relay
• DHCP relay to forward client requests to a DHCP server
• Generic User Datagram Protocol (UDP) relay per VLAN
• DHCP Option 82 – configurable relay agent information

Metro Ethernet access (features available through Metro license upgrade)
• Ethernet services support per IEEE 802.1ad Provider Bridge
¬ Transparent LAN Services with Service VLAN (SVLAN) and Customer VLAN (CVLAN) concept
¬ Ethernet network-to-network interface (NNI) and user network interface (UNI) services
¬ Service Access Point (SAP) profile identification
¬ CVLAN to SVLAN translation and mapping
• IEEE 802.1ag Ethernet OAM: Connectivity Fault Management (L2 ping and link trace)
• Ethernet OAM compliant with IEEE 802.3ah

• ITU-T G.8032 Ethernet Ring Protection designed for loop protection and fast convergence times (sub 50 ms) in ring topologies.
• Private VLAN feature for user traffic segregation
• Service Assurance Agent (SAA) for proactively measuring network health, reliability and performance. Four SAA tests including L2-MAC, IP, ETH-LB and ETH-DMM depending on your network requirements.
• Customer provider edge (CPE) test head traffic generator and analyzer tool used in the metro Ethernet network to validate customer Service Level Agreements (SLA)
• IP Multicast VLAN (IPMVLAN) for optimized multicast replication at the edge saving network core resources
• Layer 2 Multicast VLAN Replication (MVR) – Allows users from different multicast VLANs to subscribe to a multicast group from an upstream trunk interface
• Three color marker - Single/dual rate – Policing with commit BW, excess BW, burst size
• TR-101 PPPoE Intermediate Agent allowing for the PPPoE network access method
• MAC-Forced forwarding support according to RFC 4562
• L2CP – Layer 2 Control Protocol for tunneling a customer’s L2CP frames, via well known address, on a given UNI for the EPL and EVPL services
• Dying Gasp via SNMP and Ethernet OAM delivery
• MEF 9 and 14 certified
• Managed by Alcatel-Lucent 5620 Service Aware Manager

Supported standards

IEEE standards
• IEEE 802.1D (STP)
• IEEE 802.1p (CoS)
• IEEE 802.1Q (VLANs)
• IEEE 802.1ad (Provider Bridge)
• Q-in-Q (VLAN stacking)
• IEEE 802.1ag (Connectivity Fault Management)
• IEEE 802.1s (MSTP)
• IEEE 802.1w (RSTP)
• IEEE 802.1X (Port Based Network Access Protocol)
• IEEE 802.3i (10Base-T)
• IEEE 802.3u (Fast Ethernet)
• IEEE 802.3x (Flow Control)
• IEEE 802.3z (Gigabit Ethernet)
• IEEE 802.3ab (1000Base-T)
• IEEE 802.3ac (VLAN Tagging)
• IEEE 802.3ad (Link Aggregation)
• IEEE 802.3af (Power-over-Ethernet)
• IEEE 802.3at (Power-over-Ethernet)
• IEEE 802.3ah (Ethernet first mile)

ITU-T standards
• ITU-T Y.1731 OA&M fault and performance management
• ITU-T G.8032: Draft (June 2007) Ethernet Ring Protection

IETF standards

RIP
• RFC 1058 RIP v1
• RFC 1722/1723/1724/2453 RIP v2 and MIB
• RFC 1812/2644 IPv4 Router Requirement
• RFC 2080 RIPng for IPv6

IP Multicast
• RFC 1112 IGMP v1
• RFC 2236/2933 IGMP v2 and MIB
• RFC 2365 Multicast
• RFC 3376 IGMPv3 for IPv6

IPv6
• RFC 1886 DNS for IPv6
• RFC 2292/2373/2374/2460/2462
• RFC 2461 NDP
• RFC 2463/2466 ICMP v6 and MIB
• RFC 2452/2454 IPv6 TCP/UDP MIB
• RFC 2464/2553/2893/3493/3513
• RFC 3056 IPv6 Tunneling
• RFC 3542/3587 IPv6
• RFC 4007 IPv6 Scoped Address Architecture
• RFC 4193 Unique Local IPv6 Unicast Addresses

Manageability
• RFC 1350 TFTP Protocol
• RFC 854/855 Telnet and Telnet options
• RFC 1155/2578-2580 SMI v1 and SMI v2
• RFC 1157/2271 SNMP
• RFC 1212/2737 MIB and MIB-II
• RFC 1213/2011-2013 SNMP v2 MIB
• RFC 1215 Convention for SNMP Traps
• RFC 1573/2233/2863 Private Interface MIB
• RFC 1643/2665 Ethernet MIB
• RFC 1901-1908/3416-3418 SNMP v2c
• RFC 2096 IP MIB
• RFC 2570-2576/3411-3415 SNMP v3
• RFC 3414 User based security model
• RFC 2616/2854 HTTP and HTML
• RFC 2667 IP Tunneling MIB
• RFC 2668/3636 IEEE 802.3 MAU MIB
• RFC 2674 VLAN MIB
• RFC 4251 Secure Shell Protocol architecture
• RFC 4252 The Secure Shell (SSH v2) Authentication Protocol
• RFC 959/2640 FTP

Security
• RFC 1321 MD5
• RFC 2104 HMAC Message Authentication
• RFC 2138/2865/2868/3575/2618 RADIUS Authentication and Client MIB
• RFC 2139/2866/2867/2620 RADIUS Accounting and Client MIB
• RFC 2228 step
• RFC 2284 PPP EAP
• RFC 2869/3579 Radius Extension

Quality of service
• RFC 896 Congestion control
• RFC 1122 Internet Hosts
• RFC 2474/2475/2597/3168/3246 DiffServ
• RFC 3635 Pause Control
• RFC 2697 srTCM
• RFC 2698 trTCM

Others
• RFC 791/894/1024/1349 IP and IP / Ethernet
• RFC 792 ICMP
• RFC 768 UDP
• RFC 793/1156 TCP/IP and MIB
• RFC 826/903 ARP and Reverse ARP
• RFC 919/922 Broadcasting internet datagram
• RFC 925/1027 Multi LAN ARP / Proxy ARP
• RFC 950 Sub-netting
• RFC 951 Bootp
• RFC 1151 RDP
• RFC 1191 Path MTU Discovery
• RFC 1256 ICMP Router Discovery
• RFC 1305/2030 NTP v3 and Simple NTP
• RFC 1493 Bridge MIB
• RFC 1518/1519 CIDR
• RFC 1541/1542/2131/3396/3442 DHCP
• RFC 1757/2819 RMON and MIB
• RFC 2131/3046 DHCP/BootP Relay
• RFC 2132 DHCP Options
• RFC 2251 LDAP v3
• RFC 3060 Policy Core
• RFC 3176 sFlow
• RFC 3021 Using 31-bit prefixes

OmniSwitch 6450 Ordering

| PART NUMBER | DESCRIPTION |
|---|---|
| OS6450-24 | Gigabit Ethernet chassis in a 1U form factor with 24 10/100/1000 BaseT ports, 2 fixed SFP+ (1G/10G*) ports and one expansion slot for optional stacking or uplink modules. |
| OS6450-P24 | Gigabit Ethernet chassis in a 1U form factor with 24 PoE 10/100/1000 BaseT ports, 2 fixed SFP+ (1G/10G*) ports and one expansion slot for optional stacking or uplink modules. |
| OS6450-U24 | Gigabit Ethernet chassis in a 1U form factor with 22 100/1000 Base-X SFP ports, 2 combo ports configurable to be 10/100/1000 BaseT or 100/1000 Base-X, 2 fixed SFP+ (1G/10G*) ports and one expansion slot for optional stacking or uplink modules. |
| OS6450-48 | Gigabit Ethernet chassis in a 1U form factor with 48 10/100/1000 BaseT ports, 2 fixed SFP+ (1G/10G*) ports and one expansion slot for optional stacking or uplink modules. |
| OS6450-P48 | Gigabit Ethernet chassis in a 1U form factor with 48 PoE 10/100/1000 BaseT ports, 2 fixed SFP+ (1G/10G*) ports and one expansion slot for optional stacking or uplink modules. |
| The above bundles contain | All models above include an internal AC power supply with a country specific power cord, user manuals access card, hardware for mounting in a 19” rack and an RJ-45 to DB-9 adaptor. Ethernet SFP optical transceivers, stacking module and cables may be ordered separately. |
| License options | All models above support the license options below |
| OS6450-SW-PERF | OS6450 Performance software license enabling 10 gigabit speeds on the two fixed SFP+ ports of the 24 or 48 port models. |
| OS6450-SW-ME | OS6450 Software license enabling the Metro Software features outlined in the Metro Ethernet Access section of this datasheet. |

| EXPANSION MODULES | DESCRIPTION |
|---|---|
| OS6450-XNI-U2 | Optional 10 Gigabit SFP+ stacking module. Supports 2xSFP+ 10 Gigabit ports. Inserts into the 6450 expansion slot at the rear of the OS6450 chassis. Order stacking cables separately. Uplink mode not supported. |
| OS6450-GNI-U2 | Optional SFP Gigabit uplink module. Supports 2xSFP Gigabit ports. Inserts in the 6450 expansion slot at the rear of the OS6450 chassis. Order SFPs separately. |
| OS6450-GNI-C2 | Optional RJ45 Gigabit uplink module. Supports 2xRJ45 Gigabit ports. Inserts in the 6450 expansion slot at the rear of the OS6450 chassis. |

| POWER SUPPLIES | DESCRIPTION |
|---|---|
| OS6450-BP | 90W AC backup power supply. Provides backup power to one non-PoE switch. Inserts into the backup power supply bay at the rear of the chassis. Ships with country specific power cord. |
| OS6450-BP-PH | 550W AC backup power supply. Provides backup PoE power (390W) to one 24 port PoE switch. Ships with remote power connection cable, country specific power cord, power shelf and rack mounts for a 2 RU configuration. |
| OS6450-BP-PX | 900W AC backup power supply. Provides backup PoE power (780W) to one 48 port PoE switch. Ships with remote power connection cable, country specific power cord, power shelf and rack mounts for a 2 RU configuration. |
| OS6450-BP-D | 90W DC backup power supply. Provides backup power to one non-PoE switch. Inserts into the backup power supply bay at the rear of the chassis. |

| CABLES | DESCRIPTION |
|---|---|
| OS6450S-CBL-60 | OS6450 60 centimeters long SFP+ direct stacking cable for OS6450 24 and 48 port models |
| OS6450S-CBL-1M | OS6450 100 centimeters long SFP+ direct stacking cable for OS6450 24 and 48 port models |

| TRANSCEIVERS | DESCRIPTION |
|---|---|
| 10 Gigabit transceivers | |
| SFP-10G-ER | 10 Gigabit optical transceiver (SFP+). Supports monomode fiber over 1550 nm wavelength (nominal) with an LC connector. Typical reach of 40 km |
| SFP-10G-LR | 10 Gigabit optical transceiver (SFP+). Supports monomode fiber over 1310 nm wavelength (nominal) with an LC connector. Typical reach of 10 km |
| SFP-10G-LRM | 10 Gigabit optical transceiver (SFP+). Supports multimode fiber over 1310 nm wavelength (nominal) with an LC connector. Typical reach of 220 m on FDDI-grade (62.5 μm) |
| SFP-10G-SR | 10 Gigabit optical transceiver (SFP+). Supports multimode fiber over 850 nm wavelength (nominal) with an LC connector. Typical reach of 300 m |
| SFP-10G-C1M | 10 Gigabit direct attached copper cable (1 m, SFP+) |
| SFP-10G-C3M | 10 Gigabit direct attached copper cable (3 m, SFP+) |
| SFP-10G-C7M | 10 Gigabit direct attached copper cable (7 m, SFP+) |
| Gigabit transceivers | |
| SFP-GIG-LH70 | 1000Base-LH transceiver with an LC interface for single mode fiber over 1550 nm wavelength. Typical reach of 70 km |
| SFP-GIG-LH40 | 1000Base-LH transceiver with an LC interface for single mode fiber over 1310 nm wavelength. Typical reach of 40 km |
| SFP-GIG-LX | 1000Base-LX transceiver with an LC interface for single mode fiber over 1310 nm wavelength. Typical reach of 10 km |
| SFP-GIG-SX | 1000Base-SX transceiver with an LC interface for multimode fiber over 850 nm wavelength. Typical reach of 300 m. |
| SFP-GIG-BX-D | 1000Base-BX bi-directional transceiver with an LC type interface for use over single mode fiber optic on a single strand link up to 10 km point to point. Transmits 1490 nm and receives 1310 nm optical signal. |
| SFP-GIG-BX-U | 1000Base-BX bi-directional transceiver with an LC type interface for use over single mode fiber optic on a single strand link up to 10 km point to point. Transmits 1310 nm and receives 1490 nm optical signal. |
| 100 Megabit transceivers | |
| SFP-100-MM | 100Base-FX transceiver with an LC interface for multimode fiber optic cable |
| SFP-100-SM15 | 100Base-FX transceiver with an LC type interface for single mode fiber optic cable up to 15 km |
| SFP-100-SM40 | 100Base-FX transceiver with an LC type interface for single mode fiber optic cable up to 40 km |
| SFP-100-BX-U | 100Base-BX bi-directional transceiver with an SC type interface for use over single mode fiber optic on a single strand link up to 20 km point-to-point, where the client (ONU) transmits 1310 nm and receives 1550 nm optical signal. |
| SFP-100-BX-D | 100Base-BX bi-directional transceiver with an SC type interface for use over single mode fiber optic on a single strand link up to 20 km point-to-point, where the client (OLT) transmits 1550 nm and receives 1310 nm optical signal. |

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of
Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented
is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein.
Copyright © 2012 Alcatel-Lucent. All rights reserved. 2012013924-B (March)
Alcatel-Lucent OmniSwitch 6850E
STACKABLE LAN SWITCH

The Alcatel-Lucent OmniSwitch™ 6850 Stackable LAN Switch family offers versatile, fixed-
configuration Layer 3 Gigabit and 10 Gigabit Ethernet switches, which provide advanced
services, high performance, and 802.3at compliant power over Ethernet (PoE). All of the
models in the family are stackable and perform wire-rate, Gigabit switching and routing for
both IPv4 and IPv6, delivering intelligent services to the edge of the network with optimal
quality of service (QoS) and integrated security, as well as network admission control (NAC).

These versatile LAN switches are well suited to the edge of mid-size to large enterprise networks, to the aggregation layer and to the core of small enterprises, and they serve as advanced CPE for metro Ethernet access and managed services.

FEATURES AND BENEFITS

Feature: Versatile features and models offering Gigabit and 10 Gigabit interfaces, IEEE 802.3af and 802.3at-compliant PoE. An optional 10G plug-in module delivers two additional 10 Gigabit ports.
Benefit: With the variety of interfaces and models, the OmniSwitch 6850 family meets any customer configuration need and offers excellent investment protection and flexibility, as well as ease of deployment, operation and maintenance.

Feature: Wire-rate performance for switching and routing at 10G and gigabit speeds. Advanced services are incorporated in the operating system; for example, QoS, access control lists (ACLs), L2/L3, VLAN stacking, and IPv6.
Benefit: Outstanding performance when supporting real-time voice, data, and video applications for converged scalable networks.

Feature: Low power consumption and dynamic PoE allocation.
Benefit: The OmniSwitch 6850E ensures efficient power management, reduces operating expenses and lowers total cost of ownership (TCO) through the low power consumption and dynamic PoE allocation, which delivers only the power needed by the attached device.

Feature: Redundancy at all levels including power supplies, software and hot-swappable Small Form Factor Pluggable (SFP) modules.
Benefit: A field-upgradeable solution that makes the network highly available and reduces operating expenses.

Feature: Wire-rate switching and routing at gigabit speeds. Advanced services incorporated in the operating system (OS): quality of service (QoS), access control lists (ACLs), L2/L3, VLAN stacking, and IPv6.
Benefit: Outstanding performance when supporting real-time voice, data, and video applications for converged scalable networks.

Feature: Extensive security features for network access control (NAC), policy enforcement and attack containment.
Benefit: Fully secures the network at the edge, at no additional cost.

Feature: Hardware-based virtual routing and forwarding (VRF) support.
Benefit: Enterprise-wide cost reduction through hardware consolidation to achieve network segmentation and security without additional hardware installation.

Feature: Advanced, out-of-the-box auto-configuration, Link Layer Discovery Protocol (LLDP) network policies and dynamic VLAN allocation.
Benefit: Automated switch setup and configuration, and end-to-end VLAN provisioning support cost-effective installation and deployment.

Feature: Ready for Metro Ethernet access: VLAN stacking, multicast switching, Dynamic Host Configuration Protocol (DHCP) snooping/option 82, ITU-T Y.1731, IEEE 802.1ag, IEEE 802.3ah and MAC-Forced Forwarding.
Benefit: Simplifies Metro Ethernet network OA&M for service providers.
Alcatel-Lucent OmniSwitch 6850E Models
The OmniSwitch 6850E family offers customers an extensive selection of gigabit and 10 GigE
fixed-configuration switches with PoE and power supply options that accommodate most needs.
All models are in a 1RU form factor and have two 10GBase-CX4 ports that can be used either
for stacking or as the connector for a plug-in module that adds two 10 Gigabit SFP+ ports.

[Figures: OS6850E-U24X and OS6-XNI-U2]

Table 1. OmniSwitch 6850E modules (model name, description, power supplies supported)

Non-PoE models

OS6850E-24: 20 Ethernet 10/100/1000 RJ-45 ports, four combo ports, and two 10GBase-CX4 ports. Power supplies: 126W AC / 120W DC.
OS6850E-24X: 20 Ethernet 10/100/1000 RJ-45, two 10G SFP+, four combo ports, and two 10GBase-CX4 ports. Power supplies: 126W AC / 120W DC.
OS6850E-48: 44 Ethernet 10/100/1000 RJ-45, four combo ports, and two 10GBase-CX4 ports. Power supplies: 126W AC / 120W DC.
OS6850E-48X: 46 Ethernet 10/100/1000 RJ-45, two 10G SFP+, two combo ports, and two 10GBase-CX4 ports. Power supplies: 126W AC / 120W DC.
OS6850E-U24X: 22 Ethernet 100/1000 Base-X SFP ports, two 10G SFP+, two combo ports, and two 10GBase-CX4 ports. Power supplies: 126W AC / 120W DC.

PoE models

OS6850E-P24: 24 PoE ports (20 Ethernet 10/100/1000 RJ-45, four combo ports), and two 10GBase-CX4 ports. Power supplies: 360W / 510W AC.
OS6850E-P24X: 24 PoE ports (20 Ethernet 10/100/1000 RJ-45, four combo ports), two 10G SFP+, and two 10GBase-CX4 ports. Power supplies: 360W / 510W AC.
OS6850E-P48: 48 PoE ports (44 Ethernet 10/100/1000 RJ-45, four combo ports), and two 10GBase-CX4 ports. Power supplies: 360W / 900W AC.
OS6850E-P48X: 48 PoE ports (46 Ethernet 10/100/1000 RJ-45, two combo ports), two 10G SFP+, and two 10GBase-CX4 ports. Power supplies: 360W / 900W AC.

Combo ports are ports individually configurable to be 10/100/1000Base-T or 1000Base-X, which
support SFP transceivers for short, long and very long distances.

Power supplies
All OmniSwitch 6850E models support redundant, hot-swappable AC, DC or PoE power
supplies. The primary and the backup power supply units are modular, allowing for easier
maintenance and replacement.
There is no interruption of service when a new power supply is installed or an old one is replaced.

Alcatel-Lucent OmniSwitch 6850E Data Sheet
Table 2. OmniSwitch 6850E power supply dimensions

Non-PoE PS models

OS6850E-BP-D (120 DC): Modular 120-W -48-V DC power supply. Provides system power. Dimensions (W x D x H): 16 x 17.5 x 4.4 cm (6.3 x 6.9 x 1.73 in.). Weight: 2.09 lb (0.95 kg).
OS6850E-BP (126 AC): Modular 126-W AC power supply. Provides system power. Dimensions (W x D x H): 16 x 17.5 x 4.4 cm (6.3 x 6.9 x 1.73 in.). Weight: 2.45 lb (1.11 kg).

PoE PS models

OS6850E-BP-P (360 AC): Modular 360-W AC power supply. Provides system and up to 230 W of PoE power. Dimensions (W x D x H): 16 x 17.5 x 4.4 cm (6.3 x 6.9 x 1.73 in.). Weight: 3.22 lb (1.46 kg).
OS6850E-BP-PH (510W AC): Modular 510-W AC power supply. Provides system and up to 380 W of PoE power. Dimensions (W x D x H): 32 x 17.5 x 4.4 cm (12.6 x 6.9 x 1.73 in.). Weight: 5.71 lb (2.59 kg).
OS6850E-BP-PH (900W AC): Modular 900-W AC power supply. Provides system and up to 780 W of PoE power for 48 port models. Dimensions (W x D x H): 32 x 17.5 x 4.4 cm (12.6 x 6.9 x 1.73 in.).

Power supply shelf: Comes with every bundle and holds one 510-W AC or two 360-W AC, 126-W AC, or 120-W DC power supplies. Dimensions (W x D x H): 35.3 x 21 x 4.4 cm (13.9 x 8.3 x 1.73 in.). Weight: 1.26 lb (0.57 kg).

Any power supply can be remotely connected with a cable that enables rack mounting with the
mounting ears provided with the unit. This feature allows for space-sensitive installations
requiring reduced depth, for example, in a wall-mounted cabinet.

Technical Specifications

Physical dimensions
• Chassis size without PS and shelf:
 - Width: 44.0 cm (17.32 in.)
 - Depth: 27.0 cm (10.63 in.)
 - Height: 4.4 cm (1.73 in.)
• Total size including PS and shelf:
 - Width: 48.2 cm (19.00 in.)
 - Depth: 44.6 cm (17.56 in.)
 - Height: 4.4 cm (1.73 in.)

Indicators
• Per-port LEDs
 - 10/100/1000: PoE, link/activity
 - SFP: link/activity
 - SFP+: link/activity
• System LEDs
 - Switch ID (indicates the stack ID of the unit in the stack: 1 to 7)
 - System (OK) (chassis HW/SW status)
 - PWR (primary power supply status)
 - PRI (virtual chassis primary)
 - BPS (backup power status)

Acoustic levels
• Under 44 dB for all models, measured with a single power supply at room temperature
Environmental requirements
• Operating temperature: 0°C to +45°C (+32°F to +113°F)
• Storage temperature: –10°C to +70°C (+14°F to +158°F)
• Humidity (operating and storage): 5% to 95% non-condensing

Interface and speeds
• 24 and 48 ports 10/100/1000, 24 ports 100/1000Base-X
• Wire rate at layer 2 and layer 3 on all ports
• Two built-in 10 Gb/s full-duplex stacking ports
• Switching throughput with stacking:
 - 24 port: 35.7 Mp/s
 - 24 port with 10G: 65.5 Mp/s
 - 48 port: 71.4 Mp/s
 - 48 port with 10G: 101.2 Mp/s
• Stacking capacity: 40 Gb/s

Compliance and certifications

Commercial EMI/EMC
• FCC CFR Title 47 Subpart B (Class A)
• VCCI (Class A)
• AS/NZS 3548 (Class A)
• CE marking for European countries (Class A)
• EN 55022:2006 (Emission Standard)
• EN 61000-3-3:1995 +A2:2005
• EN 61000-3-2:2006
• EN 55024:1998 +A1:2001 +A2:2003 (Immunity Standards)
 - EN 61000-4-2: 1995+A1:1998 +A2:2001
 - EN 61000-4-3:2006
 - EN 61000-4-4:2004
 - EN 61000-4-5:2006
 - EN 61000-4-6:2007
 - EN 61000-4-8:1993 +A1:2001
 - EN 61000-4-11:2004
• IEEE802.3: Hi-Pot Test (2250 V DC on all Ethernet ports)

Safety agency certifications
• US UL 60950
• IEC 60950-1:2001; all national deviations
• EN 60950-1: 2001; all deviations
• CAN/CSA-C22.2 No. 60950-1-03
• NOM-019 SCFI, Mexico
• AS/NZ TS-001 and 60950:2000, Australia
• UL-AR, Argentina
• UL-GS Mark, Germany
• EN 60825-1 Laser
• EN 60825-2 Laser
• CDRH Laser

* Note: Class A with UTP cables.

Detailed product features

Simplified manageability

Management interfaces
• Intuitive, familiar Alcatel-Lucent CLI reduces training costs
• Easy to use, point-and-click, web-based element manager (WebView) with built-in help for easy configuration
• Integrated with Alcatel-Lucent OmniVista™ products for network management
• Full configuration and reporting using SNMPv1/2/3 across all OmniSwitch families to facilitate third-party network management system integration
• Remote switch access using Telnet or Secure Shell (SSH)
• File upload using USB, TFTP, FTP, SFTP, or SCP for faster configuration
• Human-readable ASCII-based configuration files for off-line editing, bulk configuration and out-of-the-box auto-provisioning

Monitoring and troubleshooting
• Local (on the flash) and remote server logging: Syslog and command log
• Port based mirroring for troubleshooting and lawful interception; supports four sessions with multiple sources-to-one destination
• Policy based mirroring allows selection of the type of traffic to mirror by using QoS policies
• Remote port mirroring facilitates passing mirrored traffic through the network to a remotely connected device
• Port monitoring feature allows capture of Ethernet packets to a file to assist in troubleshooting
• sFlow v5 and RMON for advanced monitoring and reporting capabilities for statistics, history, alarms and events
• IP tools: ping and trace route
• ITU-T Y.1731 and IEEE 802.1ag Ethernet OA&M: Connectivity Fault Management and performance measurements (layer-2 ping and link trace)
• IEEE 802.3ah Ethernet in the First Mile (EFM) for link monitoring, remote fault detection, and loopback control (layer-1 ping)
• Unidirectional Link Detection (UDLD) detects and disables unidirectional links on fiber optic interfaces
• Digital Diagnostic Monitoring (DDM): Real-time diagnostics of fiber connections for early detection of optical signal deterioration

Network configuration
• Auto-negotiating 10/100/1000 ports automatically configure port speed and duplex setting
• Auto MDI/MDIX automatically configures transmit and receive signals to support straight through and crossover cabling
• BOOTP/DHCP client with option 60 allows auto-configuration of the switch for simplified deployment
• DHCP relay to forward client requests to a DHCP server
• Alcatel-Lucent Mapping Adjacency Protocol (AMAP) for building topology maps
• IEEE 802.1AB LLDP with MED extensions for automated device discovery and IP phone provisioning
• Multiple VLAN Registration Protocol (MVRP) and GARP VLAN Registration Protocol (GVRP) for 802.1Q/1ak-compliant VLAN pruning and dynamic VLAN creation
• Auto QoS for switch management and IP phone traffic
• Network Time Protocol (NTP) for network-wide time synchronization

Resiliency and high availability
• ITU-T G.8032 Ethernet Ring Protection designed for loop protection and fast convergence times (sub 50 ms) in ring topologies
• Ring Rapid Spanning Tree Protocol (RRSTP) optimized for ring topology to provide less than 100-ms convergence time
• IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) encompasses IEEE 802.1D Spanning Tree Protocol (STP) and IEEE 802.1w Rapid Spanning Tree Protocol (RSTP)
• Per-VLAN spanning tree (PVST+) and Alcatel-Lucent 1x1 STP mode
• IEEE 802.3ad Link Aggregation Control Protocol (LACP) and static LAG groups across modules
• Dual-home link support for sub-second link protection without STP
• Virtual Router Redundancy Protocol (VRRP) to provide highly available routed environments
• Bidirectional Forwarding Detection (BFD) for fast failure detection and reduced re-convergence times in a routed environment
• Broadcast, unknown unicast and multicast storm control to avoid degradation in overall system performance
• Redundant and hot-swappable power supplies and transceiver modules offering uninterruptable service
• Dual image and dual configuration file storage provides backup
• Stacking capability for virtual chassis redundancy. Up to 10-km fault-tolerant remote stacking supported.

Advanced security

Access control
• AOS Access Guardian framework for comprehensive user-policy-based NAC
• Autosensing 802.1X multi-client, multi-VLAN support
• MAC-based authentication for non-802.1x hosts
• Web based authentication (captive portal): A customizable web portal residing on the switch
• IEEE 802.1X and MAC-based authentication, with group mobility and “guest” VLAN support
• Host integrity check (HIC) agent on each switch makes it an HIC enforcer and facilitates endpoint device control for company policy compliance; quarantine and remediation are supported as required.
• User Network Profile (UNP) simplifies NAC by dynamically providing pre-defined policy configuration to authenticated clients: VLAN, ACL, BW, HIC
• SSH for secure CLI session with public key infrastructure (PKI) support
• TACACS+ client allows for authentication, authorization and accounting (AAA) with a remote TACACS+ server
• Centralized RADIUS and Lightweight Directory Access Protocol (LDAP) user authentication

Containment, monitoring and quarantine
• Support for Alcatel-Lucent OmniVista 2500 Quarantine Manager and quarantine VLAN
• Learned Port Security (LPS) or MAC address lockdown secures the network access on user or trunk ports based on MAC address
• DHCP Snooping, DHCP IP and Address Resolution Protocol (ARP) spoof protection
• Embedded traffic anomaly detection (TAD) monitors traffic patterns typical for worm-like viruses and either shuts down the port or reports to the management system
• ARP poisoning detection
• ACLs to filter out unwanted traffic including denial of service (DOS) attacks; flow-based filtering in hardware (layer 1 to layer 4)
• Support of Microsoft® Network Access Protection (NAP)
• Bridge Protocol Data Unit (BPDU) blocking automatically shuts down user ports to prevent topology loops if an STP BPDU packet is seen
• STP Root Guard prevents edge devices from becoming STP root nodes

Converged networks

PoE
• Dynamic PoE allocation delivers only the power needed by the attached device up to the total power budget for most efficient power consumption
• PoE models support Alcatel-Lucent IP phones and WLAN access points, as well as any IEEE 802.3af-compliant end device
• Configurable per-port PoE priority and max power for power allocation

QoS
• Priority queues: Eight hardware-based queues per port for flexible QoS management
• Traffic prioritization: Flow-based QoS with internal and external prioritization (also known as re-marking)
• Bandwidth management: Flow based bandwidth management, ingress rate limiting; egress rate shaping per port
• Queue management: Configurable scheduling algorithms: Strict Priority Queuing (SPQ), Weighted Round Robin (WRR) and Deficit Round Robin (DRR)
• Congestion avoidance: Support for End-to-end Head-of-Line (E2E-HOL) blocking prevention and flow control
• LLDP network policies for dynamic designation of VLAN-ID and layer-2/layer-3 priority for IP phones
• Auto-QoS for switch management traffic as well as traffic from Alcatel-Lucent IP phones

Layer-3 routing and multicast

IPv4 routing
• Multiple VRF for network segmentation (in standalone mode only)
• Static routing, Routing Information Protocol (RIP) v1 and v2
• Open Shortest Path First (OSPF) v2, Border Gateway Protocol (BGP) v4
• Generic Routing Encapsulation (GRE) and IP/IP tunneling
• Graceful restart extensions for OSPF and BGP
• VRRP v2
• DHCP relay (including generic UDP relay)
• ARP

IPv6 routing
• Static routing
• Routing Information Protocol Next Generation (RIPng)
• OSPF v3
• BGP v4 (with extensions to IPv6 routing)
• Graceful restart extensions for OSPF and BGP
• VRRP v3
• Neighbor Discovery Protocol (NDP)

IPv4/IPv6 multicast
• Internet Group Management Protocol (IGMP) v1/v2/v3 snooping for optimized multicast traffic
• Protocol Independent Multicast – Sparse Mode (PIM-SM)/Protocol Independent Multicast – Dense Mode (PIM-DM)
• Distance Vector Multicast Routing Protocol (DVMRP)
• Multicast Listener Discovery (MLD) v1/v2 snooping for optimized multicast traffic

Metro Ethernet access
• Ethernet services support per IEEE 802.1ad Provider Bridges (also known as Q-in-Q or VLAN stacking):
 ¬ Service VLAN (SVLAN) and Customer VLAN (CVLAN) transparent LAN services
 ¬ Ethernet network-to-network interface (NNI) and user network interface (UNI) services
 ¬ Service Access Point (SAP) profile identification
 ¬ CVLAN to SVLAN translation and mapping
• IP Multicast VLAN (IPMVLAN) for optimized multicast replication at the edge, saving network core resources
• Optimized Ethernet access services delivery:
 ¬ Network bandwidth protection against overload of video traffic
 ¬ Multicast streams isolation from multiple content providers over the same interface
• Ethernet OA&M compliant with ITU Y.1731 and IEEE 802.1ag version 8.1 for connectivity fault and performance management and IEEE 802.3ah EFM for link OA&M
• Service Assurance Agent (SAA) for SLA compliance validation
• MAC-Forced Forwarding support according to RFC 4562
• Private VLAN feature for user traffic segregation
• DHCP Option 82: Configurable relay agent information
• MEF 9 and 14 certified
• Managed by Alcatel-Lucent 5620 Service Aware Manager

Supported Standards

IEEE standards
• IEEE 802.1D (STP)
• IEEE 802.1p (CoS)
• IEEE 802.1Q (VLANs)
• IEEE 802.1ad (Provider Bridges) (Q-in-Q/VLAN stacking)
• IEEE 802.1ag (Connectivity Fault Management)
• IEEE 802.1ak (Multiple VLAN Registration Protocol)
• IEEE 802.1s (MSTP)
• IEEE 802.1w (RSTP)
• IEEE 802.1X (Port Based Network Access Control)
• IEEE 802.3i (10Base-T)
• IEEE 802.3u (Fast Ethernet)
• IEEE 802.3x (Flow Control)
• IEEE 802.3z (Gigabit Ethernet)
• IEEE 802.3ab (1000Base-T)
• IEEE 802.3ac (VLAN Tagging)
• IEEE 802.3ad (Link Aggregation)
• IEEE 802.3ae (10G Ethernet)
• IEEE 802.3af (Power over Ethernet)

ITU-T standards
• ITU-T G.8032: Draft (June 2007) Ethernet Ring Protection
• ITU-T Y.1731 OA&M fault and performance management

IETF standards

IPv4
• RFC 2003 IP/IP Tunneling
• RFC 2784 GRE Tunneling

OSPF
• RFC 1253/1850/2328 OSPF v2 and MIB
• RFC 1587/3101 OSPF NSSA Option
• RFC 1765 OSPF Database Overflow
• RFC 2154 OSPF MD5 Signature
• RFC 2370/3630 OSPF Opaque LSA
• RFC 3623 OSPF Graceful Restart

RIP
• RFC 1058 RIP v1
• RFC 1722/1723/2453/1724 RIP v2 and MIB
• RFC 1812/2644 IPv4 Router Requirements
• RFC 2080 RIPng for IPv6

BGP
• RFC 1269/1657 BGP v3 & v4 MIB
• RFC 1403/1745 BGP/OSPF Interaction
• RFC 1771-1774/2842/2918/3392 BGP v4
• RFC 1965 BGP AS Confederations
• RFC 1966 BGP Route Reflection
• RFC 1997/1998 BGP Communities Attribute
• RFC 2042 BGP New Attribute
• RFC 2385 BGP MD5 Signature
• RFC 2439 BGP Route Flap Damping
• RFC 2545 BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
• RFC 2796 BGP Route Reflection
• RFC 2858 Multiprotocol Extensions for BGP-4
• RFC 3065 BGP AS Confederations

IP multicast
• RFC 1075 DVMRP
• RFC 1112 IGMP v1
• RFC 2236/2933 IGMP v2 and MIB
• RFC 2362/4601 PIM-SM
• RFC 2365 Multicast
• RFC 2715/2932 Multicast Routing MIB
• RFC 2934 PIM MIB for IPv4
• RFC 3376 IGMPv3
• RFC 5060 Protocol Independent Multicast MIB
• RFC 5132 IP Multicast MIB
• RFC 5240 PIM Bootstrap Router MIB

IPv6
• RFC 1886/3596 DNS for IPv6
• RFC 2292/2553/3493/3542 IPv6 Sockets
• RFC 2373/2374/3513/3587 IPv6 Addressing
• RFC 2460/2462/2464 Core IPv6
• RFC 2461 NDP
• RFC 2463/2466/4443 ICMP v6 and MIB
• RFC 2452/2454 IPv6 TCP/UDP MIB
• RFC 2893/4213 IPv6 Transition Mechanisms
• RFC 3056 IPv6 Tunneling
• RFC 3542/3587 IPv6
• RFC 3595 TC for Flow Label
• RFC 4007 IPv6 Scoped Address Architecture
• RFC 4193 Unique Local IPv6 Unicast Addresses

Manageability
• RFC 854/855 Telnet and Telnet options
• RFC 959/2640 FTP
• RFC 1155/2578-2580 SMI v1 and SMI v2
• RFC 1157/2271 SNMP
• RFC 1212/2737 MIB and MIB-II
• RFC 1213/2011-2013 SNMP v2 MIB
• RFC 1215 Convention for SNMP Traps
• RFC 1350 TFTP Protocol
• RFC 1573/2233/2863 Private Interface MIB
• RFC 1643/2665 Ethernet MIB
• RFC 1901-1908/3416-3418 SNMP v2c
• RFC 2096 IP MIB
• RFC 2131 DHCP server/client
• RFC 2570-2576/3411-3415 SNMP v3
• RFC 2616/2854 HTTP and HTML
• RFC 2667 IP Tunneling MIB
• RFC 2668/3636 IEEE 802.3 MAU MIB
• RFC 2674 VLAN MIB
• RFC 3414 User based Security model
• RFC 4251 Secure Shell Protocol architecture
• RFC 4252 The Secure Shell (SSH) Authentication Protocol
• RFC 4878 OA&M Functions on Ethernet-Like Interfaces

Security
• RFC 1321 MD5
• RFC 2104 HMAC Message Authentication
• RFC 2138/2865/2868/3575/2618 RADIUS Authentication and Client MIB
• RFC 2139/2866/2867/2620 RADIUS Accounting and Client MIB
• RFC 2228 FTP Security Extensions
• RFC 2284 PPP EAP
• RFC 2869/2869bis RADIUS Extension

QoS
• RFC 896 Congestion Control
• RFC 1122 Internet Hosts
• RFC 2474/2475/2597/3168/3246 DiffServ
• RFC 2697 srTCM
• RFC 2698 trTCM
• RFC 3635 Pause Control

Others
• RFC 768 UDP
• RFC 791/894/1024/1349 IP and IP/Ethernet
• RFC 792 ICMP
• RFC 793/1156 TCP/IP and MIB
• RFC 826/903 ARP and Reverse ARP
• RFC 919/922 Broadcasting internet datagram
• RFC 925/1027 Multi LAN ARP / Proxy ARP
• RFC 950 Subnetting
• RFC 951 BOOTP
• RFC 1151 RDP
• RFC 1191/1981 Path MTU Discovery
• RFC 1256 ICMP Router Discovery
• RFC 1305/2030 NTP v3 and Simple NTP
• RFC 1493 Bridge MIB
• RFC 1518/1519 CIDR
• RFC 1541/1542/2131/3396/3442 DHCP
• RFC 1757/2819 RMON and MIB
• RFC 2131/3046 DHCP/BootP Relay
• RFC 2132 DHCP Options
• RFC 2251 LDAP v3
• RFC 2338/3768/2787 VRRP and MIB
• RFC 3021 Using 31-bit prefixes
• RFC 3060 Policy Core
• RFC 3176 sFlow
• RFC 4562 MAC-Forced Forwarding

Service and Support

Warranty
Limited lifetime hardware warranty: Limited to the original owner, and will be provided for up
to 5 years after the product’s End-of-Sales announcement.

www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-
Lucent logo, OmniSwitch and OmniVista are trademarks of Alcatel-Lucent. All
other trademarks are the property of their respective owners. The information
presented is subject to change without notice. Alcatel-Lucent assumes no
responsibility for inaccuracies contained herein. Copyright © 2010 Alcatel-Lucent.
All rights reserved.

Alcatel-Lucent OmniSwitch 6855
HARDENED LAN SWITCH

Alcatel-Lucent OmniSwitch™ 6855 Hardened LAN Switch (HLS) models are industrial grade, managed, Gigabit
and 10 Gigabit Ethernet switches designed to operate reliably in harsh electrical environments and severe
temperatures. This superior, rugged hardware design, coupled with the widely deployed and field-proven
Alcatel-Lucent Operating System (AOS), makes the OmniSwitch 6855 ideal for industrial and mission-critical
applications that require wider operating temperature ranges, more stringent EMC/EMI requirements and an
optimized feature set for high security, reliability, performance and easy management.

The target applications for these versatile LAN switches are power utilities, transportation and traffic control
systems, industrial factory floor installations, video surveillance systems and outdoor installations, all of which
require gigabit backbone connectivity.

FEATURES AND BENEFITS

Feature: Ruggedized hardware design.
Benefit: Operates at a wider temperature range from -40°C to +75°C, withstands greater shock, vibrations, temperature and EMI/EMC tests.

Feature: Convection cooling for fanless models or temperature triggered fans for 24 port models.
Benefit: Increased reliability, and lower acoustic levels.

Feature: Power over Ethernet (PoE) support on all copper models.
Benefit: Enables converged applications by providing power to IP phones, surveillance cameras, and wireless access points.

Feature: Redundancy at all levels including power supplies, software and hot-swappable Small Form Factor Pluggable (SFP) modules.
Benefit: A field-upgradeable solution that makes the network highly available and reduces operating expenses.

Feature: Wire-rate switching and routing at gigabit speeds. Advanced services incorporated in the operating system (OS): quality of service (QoS), access control lists (ACLs), L2/L3, VLAN stacking, and IPv6.
Benefit: Outstanding performance when supporting real-time voice, data, and video applications for converged scalable networks.

Feature: Extensive security features for network access control (NAC), policy enforcement and attack containment.
Benefit: Fully secures the network at the edge, at no additional cost.

Feature: Hardware-based virtual routing and forwarding (VRF) support.
Benefit: Enterprise-wide cost reduction through hardware consolidation to achieve network segmentation and security without additional hardware installation.

Feature: Advanced, out-of-the-box auto-configuration, Link Layer Discovery Protocol (LLDP) network policies and dynamic VLAN allocation.
Benefit: Automated switch setup and configuration, and end-to-end VLAN provisioning support cost-effective installation and deployment.

Feature: Ready for Metro Ethernet access: VLAN stacking, multicast switching, Dynamic Host Configuration Protocol (DHCP) snooping/option 82, ITU-T Y.1731, IEEE 802.1ag, IEEE 802.3ah and MAC-Forced Forwarding (MEF 9/14 compliant).
Benefit: Simplifies Metro Ethernet network OA&M for service providers.

[Figure: OmniSwitch 6855-14]
Alcatel-Lucent OmniSwitch 6855 models
The OmniSwitch 6855 family offers customers an extensive selection of Gigabit and 10 Gigabit Ethernet fixed-configuration
switches and power supply options that accommodate most needs. Models offered include industrial-strength PoE and
non-PoE models in a 1U form factor.

Combo ports are ports individually configurable to be 10/100/1000Base-T or 1000Base-X, which support SFP transceivers
for short, long and very long distances.

Fiber models

OmniSwitch 6855-U10
• Eight SFP ports
• Two RJ-45 10/100/1000 copper ports
• Fanless design

OmniSwitch 6855-U24
• 22 SFP ports
• Two combo ports

With 10 Gigabit Ethernet: OmniSwitch 6855-U24X
• Two 10 Gigabit Ethernet SFP+ ports for stacking or uplinks
• 22 SFP ports
• Two combo ports
• Up to four units in a stack

Copper models with PoE

OmniSwitch 6855-14
• 12 10/100/1000 RJ-45 copper ports
• Four PoE-capable ports
• Two SFP ports
• Fanless design

OmniSwitch 6855-24
• 20 10/100/1000 RJ-45 copper ports
• Four PoE-capable ports
• Four combo ports

Both models support 15.4 W per port PoE (compliant with the IEEE 802.3af standard).

Technical specifications

NUMBER OF PORTS
Maximum 10 Gigabit Ethernet: OS6855-U10: 0; OS6855-14: 0; OS6855-24: 0; OS6855-U24: 0; OS6855-U24X: 2
Maximum 10/100/1000Base-T RJ-45: OS6855-U10: 2; OS6855-14: 12; OS6855-24: 24; OS6855-U24: 2; OS6855-U24X: 2
Maximum SFP connectors: OS6855-U10: 8; OS6855-14: 2; OS6855-24: 4; OS6855-U24: 24; OS6855-U24X: 24
PoE: OS6855-U10: 0; OS6855-14: 4; OS6855-24: 4; OS6855-U24: 0; OS6855-U24X: 0
Combo: OS6855-U10: 0; OS6855-14: 0; OS6855-24: 4; OS6855-U24: 2; OS6855-U24X: 2

PHYSICAL DIMENSIONS
Width: OS6855-U10: 21.6 cm (8.50 in); OS6855-14: 21.6 cm (8.50 in); OS6855-24: 43.8 cm (17.25 in); OS6855-U24: 43.8 cm (17.25 in); OS6855-U24X: 43.8 cm (17.25 in)
Height: all models 4.4 cm (1.73 in)
Depth (no PS shelf attached): OS6855-U10: 26 cm (10.25 in); OS6855-14: 26 cm (10.25 in); OS6855-24: 27.4 cm (10.78 in); OS6855-U24: 27.4 cm (10.78 in); OS6855-U24X: 27.4 cm (10.78 in)
Depth (with PS shelf attached): OS6855-U10: 44.5 cm (17.50 in); OS6855-14: 44.5 cm (17.50 in); OS6855-24: 44.8 cm (17.60 in); OS6855-U24: 44.8 cm (17.60 in); OS6855-U24X: 44.8 cm (17.60 in)
Weight (no PS): OS6855-U10: 2.42 kg (5.28 lb); OS6855-14: 2.42 kg (5.28 lb); OS6855-24: 3.78 kg (8.34 lb); OS6855-U24: 3.78 kg (8.34 lb); OS6855-U24X: 5.3 kg (11.68 lb)
Weight (with one PS and tray): OS6855-U10: 3.55 kg (7.78 lb); OS6855-14: 3.55 kg (7.78 lb); OS6855-24: 5.35 kg (11.8 lb); OS6855-U24: 5.35 kg (11.8 lb); OS6855-U24X: 6.87 kg (15.14 lb)

Alcatel-Lucent OmniSwitch 6855 | Data Sheet


ENVIRONMENT
Operating temperature: OS6855-U10: -40°C to +70°C (-40°F to +158°F); OS6855-14: -40°C to +70°C (-40°F to +158°F); OS6855-24: -40°C to +75°C (-40°F to +167°F); OS6855-U24: -40°C to +75°C (-40°F to +167°F); OS6855-U24X: -40°C to +70°C (-40°F to +158°F)
Storage temperature: all models -40°C to +85°C (-40°F to +185°F)
Humidity (operating and storage): all models 5% to 95%
MTBF* (hours): OS6855-U10: 508,942; OS6855-14: 430,389; OS6855-24: 529,644; OS6855-U24: 488,705; OS6855-U24X: 373,980
Fanless design: OS6855-U10: yes; OS6855-14: yes; OS6855-24: no; OS6855-U24: no; OS6855-U24X: yes***
Acoustic (dB) at <50°C: OS6855-U10: silent; OS6855-14: silent; OS6855-24: 33; OS6855-U24: 33; OS6855-U24X: silent
Acoustic (dB), all fans on: OS6855-U10: n/a; OS6855-14: n/a; OS6855-24: 57; OS6855-U24: 52; OS6855-U24X: n/a
Power consumption****: OS6855-U10: 25 W; OS6855-14: 30 W; OS6855-24: 46 W; OS6855-U24: 49 W; OS6855-U24X: 51 W
Heat dissipation** (BTU/hr): OS6855-U10: 85.3; OS6855-14: 102.4; OS6855-24: 157; OS6855-U24: 167.2; OS6855-U24X: 174

* MTBF values calculated at 25°C (77°F) for the switch only
** Sufficient spacing required for airflow and heat dissipation
*** The OS6855-U24X chassis is fanless. The external AC or DC power supplies have fans.
**** Power consumption was measured from the AC input power using nominal input voltage of 120 V AC and running full traffic on all ports.

Gigabit fiber interfaces on the OmniSwitch 6855-U10 and OmniSwitch 6855-U24 models support Gigabit SFP or
100Base-X SFP optical transceivers. See the full list of supported transceivers at the end of the data sheet.

Power supplies
All OmniSwitch 6855 models support redundant, hot-swappable AC, DC or PoE power supplies. The primary and the backup
power supply units are external, allowing for easier maintenance and replacement.

There is no interruption of service when a new power supply is installed or an old one replaced.

Power supplies for OmniSwitch 6855-14 and OmniSwitch 6855-U10

The power supplies for the OmniSwitch 6855-U10 and OmniSwitch 6855-14 models come in the form of a power brick in either
AC or DC variant. A separate power brick provides PoE power and is available for purchase when PoE is required.

POWER SUPPLY MODELS
OS6855-PSS: PSU for OS6855-14 and OS6855-U10; 90 V to 240 V AC, 50 Hz to 60 Hz AC; 40 W, 12 V, AC-DC
OS6855-PSS-P: PSU for PoE on OS6855-14; 66 W, 48 V PoE, AC-DC
OS6855-PSS-D: PSU for 6855-14 and OS6855-U10; 40 W, -48 V and 24 V input to 12 V DC-DC
OS6855-PSS-P-D: PSU for PoE on OS6855-14; 66 W, -48 V input DC-DC

DIMENSIONS AND WEIGHT
OS6855-PSS: weight 0.65 kg (1.3 lb); depth 14 cm (5.5 in); width 8.1 cm (3.2 in); height 4.1 cm (1.6 in)
OS6855-PSS-P
OS6855-PSS-D
OS6855-PSS-P-D: weight 0.5 kg (1.1 lb); depth 16.6 cm (6.53 in); width 8 cm (3.15 in); height 4.4 cm (1.73 in)
Power brick tray: weight 0.5 kg (1.35 lb); depth 19.1 cm (7.5 in); width 21.6 cm (8.5 in); height 4.4 cm (1.73 in)

The power supply shelf holds two power bricks and can be mounted either in a side-by-side configuration with the switch for
19-inch rack mounting or attached at the back of the switch for bulkhead mounting options.



Power supplies for OmniSwitch 6855-24 and OmniSwitch 6855-U24

The primary and the backup power supplies for the OmniSwitch 6855-24 port models are modular and connect to the rear of
the unit. A power shelf provided with the unit can slide into the rear of the switch and is used to hold two power supplies.

POWER SUPPLY MODELS
OS6855-PSL: PSU for OS6855-U24; 90 V to 240 V AC, 50 Hz to 60 Hz AC; 80 W, 12 V, AC-DC
OS6855-PSL-P: PSU for OS6855-24; 90 V to 240 V AC, 50 Hz to 60 Hz AC; 160 W, 48 V PoE, 12 V, AC-DC
OS6855-PSL-D: PSU for OS6855-24 and OS6855-U24; 80 W, -48 V/12 V DC-DC
OS6855-PSL-DL: PSU for OS6855-24 and OS6855-U24; 80 W, 24 V/12 V DC-DC

DIMENSIONS AND WEIGHT
Power supply (AC, DC or PoE): weight 1.00 kg (2.20 lb); depth 16.5 cm (6.5 in); width 16 cm (6.3 in); height 4.4 cm (1.73 in)
Power supply tray: weight 0.60 kg (1.32 lb); depth 17.8 cm (7.0 in); width 35.3 cm (13.88 in); height 4.4 cm (1.73 in)

Any power supply can be remotely connected using a cable, which enables rack mounting using the mounting ears provided with
the unit. This feature allows for space-sensitive installations requiring reduced depth (for example, in a wall-mounted cabinet).

Indicators
• Per-port LEDs: link/activity/PoE
• System LEDs: OK (switch HW/SW status)
• PS1/PS2: primary and/or redundant power supply status
• 7-segment LED on OS6855-U24X indicating the operational mode and stack number

Compliance and certifications

Industrial
• IEC 60870-2-2 (operational temperature)
• IEC 60068-2-1 (temperature type test – cold)
• IEC 60068-2-2 (temperature type test – hot)
• IEC 60721-3-1: Class 1K5 (storage temperature)
• IEC 68-2-30: 5% to 95% non-condensing humidity
• IEC 60255-21-2 (mechanical shock)
• IEC 60255-21-1 (vibration)
EMI/EMC
• EN 61131-2
• EN 61000-6-4:2007 (emission)
• EN 61000-6-2:2005 (immunity)
• EN 55024:1998 (Immunity)
• IEC 61000-4-3
• IEC 61000-4-12
• IEC 61000-4-16
• IEC 61000-4-17
• IEC 61000-4-29
• IEC 60255-5
• IEC 61850-3 (Electric Power Substations)
• EN 50121-4
• IEEE 1613 (C37.90.x)
¬ C37.90.3 (ESD)
¬ C37.90.2 (Radiated RFI)
¬ IEEE 1613 C37.90.1 (Fast Transient)
¬ IEEE 1613 C37.90.1 (Oscillatory)
¬ IEEE 1613 C37.90 (H.V. Impulse)
¬ IEEE 1613 C37.90 (Dielectric Strength)

Commercial
EMI/EMC
• FCC CFR Title 47 Subpart B (Class A)
• VCCI (Class A)
• AS/NZS 3548 (Class A)
• CE marking for European countries (Class A)
• EN 55022:2006 (Emission Standard)
• EN 61000-3-3:1995 +A2:2005
• EN 61000-3-2:2006
• EN 55024:1998 +A1:2001 +A2:2003 (Immunity Standards)
¬ EN 61000-4-2:1995 +A1:1998 +A2:2001
¬ EN 61000-4-3:2006
¬ EN 61000-4-4:2004
¬ EN 61000-4-5:2006
¬ EN 61000-4-6:2007
¬ EN 61000-4-8:1993 +A1:2001
¬ EN 61000-4-11:2004
• IEEE 802.3: Hi-Pot Test (2250 V DC on all Ethernet ports)
• IEC 62236-4:2008 – Railway applications: Electromagnetic compatibility – Part 4
• EN 50121-4:2006 for Class A device

NEBS**
• GR-63-CORE (temperature, humidity, altitude, contamination)
• GR-1089-CORE Issue 4 (section 2-3)
• GR-1089-CORE Issue 4 (section 3.2, 4-10)

Military
• MIL-STD-810F (shock and vibration)
• MIL-STD-901D (shock)**
• MIL-STD-167-1 (vibration)**
• MIL-STD-810F**: Methods 500, 501, 502, 503, 504, 505, 506, 507, 508, 509, 510, 512, 514, 515, 516, 520, 521
• MIL-STD-461E**: CE101, CE102, CS101, CS114, CS115, CS116, RE101, RE102, RS101, RS103

Safety agency certifications
• US UL 60950
• IEC 60950-1:2001; all national deviations
• EN 60950-1:2001; all deviations
• CAN/CSA-C22.2 No. 60950-1-03
• NOM-019 SCFI, Mexico
• AS/NZ TS-001 and 60950:2000, Australia
• UL-AR, Argentina
• UL-GS Mark, Germany
• EN 60825-1 Laser
• EN 60825-2 Laser
• CDRH Laser

* Note: Class A with UTP cables.
** Contact for availability



Detailed product features

Simplified manageability

Management interfaces
• Intuitive, familiar Alcatel-Lucent CLI reduces training costs
• Easy to use, point-and-click, web-based element manager (WebView) with built-in help for easy configuration
• Integrated with Alcatel-Lucent OmniVista™ products for network management
• Full configuration and reporting using SNMPv1/2/3 across all OmniSwitch families to facilitate third-party network management system integration
• Remote switch access using Telnet or Secure Shell (SSH)
• File upload using USB, TFTP, FTP, SFTP, or SCP for faster configuration
• Human-readable ASCII-based configuration files for off-line editing, bulk configuration and out-of-the-box auto-provisioning

Monitoring and troubleshooting
• Local (on the flash) and remote server logging: Syslog and command log
• Port-based mirroring for troubleshooting and lawful interception; supports four sessions with multiple sources-to-one destination
• Policy-based mirroring allows selection of the type of traffic to mirror by using QoS policies
• Remote port mirroring facilitates passing mirrored traffic through the network to a remotely connected device
• Port monitoring feature allows capture of Ethernet packets to a file to assist in troubleshooting
• sFlow v5 and RMON for advanced monitoring and reporting capabilities for statistics, history, alarms and events
• IP tools: ping and trace route
• Y.1731 and IEEE 802.1ag Ethernet operations, administration and maintenance (OA&M): Connectivity Fault Management and performance measurements (layer-2 ping and link trace)
• IEEE 802.3ah Ethernet in the First Mile (EFM) for link monitoring, remote fault detection, and loopback control (layer-1 ping)
• Unidirectional Link Detection (UDLD) detects and disables unidirectional links on fiber optic interfaces
• Digital Diagnostic Monitoring (DDM): Real-time diagnostics of fiber connections for early detection of optical signal deterioration

Network configuration
• Auto-negotiating 10/100/1000 ports automatically configure port speed and duplex setting
• Auto MDI/MDIX automatically configures transmit and receive signals to support straight-through and crossover cabling
• BOOTP/DHCP client with option 60 allows auto-configuration of the switch for simplified deployment
• DHCP relay to forward client requests to a DHCP server
• Alcatel-Lucent Mapping Adjacency Protocol (AMAP) for building topology maps
• IEEE 802.1AB LLDP with MED extensions for automated device discovery and IP phone provisioning
• Multiple VLAN Registration Protocol (MVRP) and GARP VLAN Registration Protocol (GVRP) for 802.1Q/1ak-compliant VLAN pruning and dynamic VLAN creation
• Auto-QoS for switch management and IP phone traffic

Resiliency and high availability
• ITU-T G.8032 Ethernet Ring Protection designed for loop protection and fast convergence times (sub 50 ms) in ring topologies
• Ring Rapid Spanning Tree Protocol (RRSTP) optimized for ring topology to provide less than 100-ms convergence time
• IEEE 802.1s Multiple Spanning Tree Protocol (MSTP) encompasses IEEE 802.1D Spanning Tree Protocol (STP) and IEEE 802.1w Rapid Spanning Tree Protocol (RSTP)
• Per-VLAN spanning tree (PVST+) and Alcatel-Lucent 1x1 STP mode
• IEEE 802.3ad Link Aggregation Control Protocol (LACP) and static LAG groups across modules
• Dual-home link support for sub-second link protection without STP
• Virtual Router Redundancy Protocol (VRRP) to provide highly available routed environments
• Bidirectional Forwarding Detection (BFD) for fast failure detection and reduced re-convergence times in a routed environment
• Broadcast, unknown unicast and multicast storm control to avoid degradation in overall system performance
• Redundant and hot-swappable power supplies and transceiver modules offering uninterruptable service
• Dual image and dual configuration file storage provides backup
• Stacking capability (OS6855-U24X only) for virtual chassis redundancy. Up to 10-km fault-tolerant remote stacking supported.

Advanced security

Access control
• AOS Access Guardian framework for comprehensive user-policy-based network access control (NAC)
• Autosensing 802.1X multi-client, multi-VLAN support
• MAC-based authentication for non-802.1x hosts
• Web based authentication (captive portal): A customizable web portal residing on the switch
• IEEE 802.1X and MAC-based authentication, with group mobility and “guest” VLAN support
• Host integrity check (HIC) agent on each switch makes it an HIC enforcer and facilitates endpoint device control for company policy compliance; quarantine and remediation are supported as required
• User Network Profile (UNP) simplifies NAC by dynamically providing pre-defined policy configuration to authenticated clients – VLAN, ACL, bandwidth, HIC
• SSH for secure CLI session with public key infrastructure (PKI) support
• TACACS+ client allows for authentication, authorization and accounting (AAA) with a remote TACACS+ server
• Centralized RADIUS and Lightweight Directory Access Protocol (LDAP) user authentication

Containment, monitoring and quarantine
• Support for Alcatel-Lucent OmniVista 2500 Quarantine Manager and quarantine VLAN
• Learned Port Security (LPS) or MAC address lockdown secures the network access on user or trunk ports based on MAC address
• DHCP Snooping, DHCP IP and Address Resolution Protocol (ARP) spoof protection
• Embedded traffic anomaly detection (TAD) monitors traffic patterns typical for worm-like viruses and either shuts down the port or reports to the management system
• ARP poisoning detection
• ACLs to filter out unwanted traffic including denial of service (DoS) attacks; flow-based filtering in hardware (layer 1 to layer 4)
• Support of Microsoft® Network Access Protection (NAP)
• Bridge Protocol Data Unit (BPDU) blocking automatically shuts down user ports to prevent topology loops if an STP BPDU packet is seen
• STP Root Guard prevents edge devices from becoming STP root nodes

Converged networks

PoE
• Dynamic PoE allocation delivers only the power needed by the attached device up to the total power budget for most efficient power consumption
• PoE models support Alcatel-Lucent IP phones and WLAN access points, as well as any IEEE 802.3af-compliant end device
• Configurable per-port PoE priority and max power for power allocation

QoS
• Priority queues: Eight hardware-based queues per port for flexible QoS management
• Traffic prioritization: Flow-based QoS with internal and external prioritization (also known as re-marking)
• Bandwidth management: Flow-based bandwidth management, ingress rate limiting; egress rate shaping per port
• Queue management: Configurable scheduling algorithms: Strict Priority Queuing (SPQ), Weighted Round Robin (WRR) and Deficit Round Robin (DRR)
• Congestion avoidance: Support for End-to-End Head-of-Line (E2E-HOL) blocking prevention and flow control
• LLDP network policies for dynamic designation of VLAN-ID and layer-2/layer-3 priority for IP phones
• Auto-QoS for switch management traffic as well as traffic from Alcatel-Lucent IP phones

Layer-3 routing and multicast

IPv4 routing
• Multiple VRF for network segmentation
• Static routing, Routing Information Protocol (RIP) v1 and v2
• Open Shortest Path First (OSPF) v2, Border Gateway Protocol (BGP) v4
• Generic Routing Encapsulation (GRE) and IP/IP tunneling
• Graceful restart extensions for OSPF and BGP
• VRRP v2
• DHCP relay (including generic UDP relay)
• ARP



IPv6 routing
• Static routing
• Routing Information Protocol Next Generation (RIPng)
• OSPF v3
• BGP v4 (with extensions to IPv6 routing)
• Graceful restart extensions for OSPF and BGP
• VRRP v3
• Neighbor Discovery Protocol (NDP)

IPv4/IPv6 multicast
• Internet Group Management Protocol (IGMP) v1/v2/v3 snooping for optimized multicast traffic
• Protocol Independent Multicast – Sparse Mode (PIM-SM)/Protocol Independent Multicast – Dense Mode (PIM-DM)
• Distance Vector Multicast Routing Protocol (DVMRP)
• Multicast Listener Discovery (MLD) v1/v2 snooping for optimized multicast traffic

Metro Ethernet access
• Ethernet services support per IEEE 802.1ad Provider Bridge services (also known as Q-in-Q or VLAN stacking):
¬ Service VLAN (SVLAN) and Customer VLAN (CVLAN) transparent LAN services
¬ Ethernet network-to-network interface (NNI) and user network interface (UNI) services
¬ Service Access Point (SAP) profile identification
¬ CVLAN to SVLAN translation and mapping
• Ethernet OA&M compliant with ITU Y.1731 and IEEE 802.1ag version 8.1 for connectivity fault and performance management and IEEE 802.3ah EFM for link OA&M
• Service Assurance Agent (SAA) for SLA compliance validation
• MAC-Forced Forwarding support according to RFC 4562
• Private VLAN feature for user traffic segregation
• DHCP Option 82: Configurable relay agent information
• IP Multicast VLAN (IPMVLAN) for optimized multicast replication at the edge saving network core resources
• Optimized Ethernet access services delivery
¬ Network bandwidth protection against overload of video traffic
¬ Multicast streams isolation from multiple content providers over the same interface
• MEF 9 and 14 certified
• Managed by Alcatel-Lucent 5620 Service Aware Manager

Supported standards

IEEE standards
• IEEE 802.1D (STP)
• IEEE 802.1p (CoS)
• IEEE 802.1Q (VLANs)
• IEEE 802.1ad (Provider Bridges)
• IEEE 802.1ag (Connectivity Fault Management)
• IEEE 802.1ak (Multiple VLAN Registration Protocol)
• IEEE 802.1s (MSTP)
• IEEE 802.1w (RSTP)
• IEEE 802.1X (Port-based Network Access Control)
• IEEE 802.3i (10Base-T)
• IEEE 802.3u (Fast Ethernet)
• IEEE 802.3x (Flow Control)
• IEEE 802.3z (Gigabit Ethernet)
• IEEE 802.3ab (1000Base-T)
• IEEE 802.3ac (VLAN Tagging)
• IEEE 802.3ad (Link Aggregation)
• IEEE 802.3ae (10G Ethernet)
• IEEE 802.3af (Power over Ethernet)

ITU-T standards
• ITU-T G.8032: Draft (June 2007) Ethernet Ring Protection
• ITU-T Y.1731 OA&M fault and performance management

IETF standards

IPv4
• RFC 2003 IP/IP Tunneling
• RFC 2784 GRE Tunneling

OSPF
• RFC 1253/1850/2328 OSPF v2 and MIB
• RFC 1587/3101 OSPF NSSA Option
• RFC 1765 OSPF Database Overflow
• RFC 2154 OSPF MD5 Signature
• RFC 2370/3630 OSPF Opaque LSA
• RFC 3623 OSPF Graceful Restart

RIP
• RFC 1058 RIP v1
• RFC 1722/1723/2453/1724 RIP v2 and MIB
• RFC 1812/2644 IPv4 Router Requirements
• RFC 2080 RIPng for IPv6

BGP
• RFC 1269/1657 BGP v3 & v4 MIB
• RFC 1403/1745 BGP/OSPF Interaction
• RFC 1771-1774/2842/2918/3392 BGP v4
• RFC 1965 BGP AS Confederations
• RFC 1966 BGP Route Reflection
• RFC 1997/1998 BGP Communities Attribute
• RFC 2042 BGP New Attribute
• RFC 2385 BGP MD5 Signature
• RFC 2439 BGP Route Flap Damping
• RFC 2545 BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
• RFC 2796 BGP Route Reflection
• RFC 2858 Multiprotocol Extensions for BGP-4
• RFC 3065 BGP AS Confederations

IP multicast
• RFC 1075 DVMRP
• RFC 1112 IGMP v1
• RFC 2236/2933 IGMP v2 and MIB
• RFC 2362/4601 PIM-SM
• RFC 2365 Multicast
• RFC 2715/2932 Multicast Routing MIB
• RFC 2934 PIM MIB for IPv4
• RFC 3376 IGMPv3
• RFC 5060 Protocol Independent Multicast MIB
• RFC 5132 IP Multicast MIB
• RFC 5240 PIM Bootstrap Router MIB

IPv6
• RFC 1886/3596 DNS for IPv6
• RFC 2292/2553/3493/3542 IPv6 Sockets
• RFC 2373/2374/3513/3587 IPv6 Addressing
• RFC 2460/2462/2464 Core IPv6
• RFC 2461 NDP
• RFC 2463/2466/4443 ICMP v6 and MIB
• RFC 2452/2454 IPv6 TCP/UDP MIB
• RFC 2893/4213 IPv6 Transition Mechanisms
• RFC 3056 IPv6 Tunneling
• RFC 3542/3587 IPv6
• RFC 3595 TC for Flow Label
• RFC 4007 IPv6 Scoped Address Architecture
• RFC 4193 Unique Local IPv6 Unicast Addresses

Manageability
• RFC 854/855 Telnet and Telnet options
• RFC 959/2640 FTP
• RFC 1155/2578-2580 SMI v1 and SMI v2
• RFC 1157/2271 SNMP
• RFC 1212/2737 MIB and MIB-II
• RFC 1213/2011-2013 SNMP v2 MIB
• RFC 1215 Convention for SNMP Traps
• RFC 1350 TFTP Protocol
• RFC 1573/2233/2863 Private Interface MIB
• RFC 1643/2665 Ethernet MIB
• RFC 1901-1908/3416-3418 SNMP v2c
• RFC 2096 IP MIB
• RFC 2131 DHCP server/client
• RFC 2570-2576/3411-3415 SNMP v3
• RFC 2616/2854 HTTP and HTML
• RFC 2667 IP Tunneling MIB
• RFC 2668/3636 IEEE 802.3 MAU MIB
• RFC 2674 VLAN MIB
• RFC 3414 User based Security model
• RFC 4251 Secure Shell Protocol architecture
• RFC 4252 The Secure Shell (SSH) Authentication Protocol
• RFC 4878 OA&M Functions on Ethernet-Like Interfaces

Security
• RFC 1321 MD5
• RFC 2104 HMAC Message Authentication
• RFC 2138/2865/2868/3575/2618 RADIUS Authentication and Client MIB
• RFC 2139/2866/2867/2620 RADIUS Accounting and Client MIB
• RFC 2228 FTP Security Extensions
• RFC 2284 PPP EAP
• RFC 2869/2869bis RADIUS Extension

QoS
• RFC 896 Congestion Control
• RFC 1122 Internet Hosts
• RFC 2474/2475/2597/3168/3246 DiffServ
• RFC 2697 srTCM
• RFC 2698 trTCM
• RFC 3635 Pause Control

Others
• RFC 768 UDP
• RFC 791/894/1024/1349 IP and IP/Ethernet
• RFC 792 ICMP
• RFC 793/1156 TCP/IP and MIB
• RFC 826/903 ARP and Reverse ARP
• RFC 919/922 Broadcasting internet datagram
• RFC 925/1027 Multi LAN ARP / Proxy ARP
• RFC 950 Subnetting
• RFC 951 BOOTP
• RFC 1151 RDP
• RFC 1191/1981 Path MTU Discovery
• RFC 1256 ICMP Router Discovery
• RFC 1305/2030 NTP v3 and Simple NTP
• RFC 1493 Bridge MIB
• RFC 1518/1519 CIDR
• RFC 1541/1542/2131/3396/3442 DHCP
• RFC 1757/2819 RMON and MIB
• RFC 2131/3046 DHCP/BOOTP Relay
• RFC 2132 DHCP Options
• RFC 2251 LDAP v3
• RFC 2338/3768/2787 VRRP and MIB
• RFC 3021 Using 31-bit prefixes
• RFC 3060 Policy Core
• RFC 3176 sFlow
• RFC 4562 MAC-Forced Forwarding

OmniSwitch 6855 ordering

PART NUMBER DESCRIPTION

OMNISWITCH 6855 MODELS

OS6855-14 Layer-3 fixed-configuration fanless switch in a 1U form factor. It has 12 RJ-45 connectors individually configurable to 10/100/1000Base-T,
OS6855-14D four of which are PoE–capable, and two SFP ports that support various distances. An OS6855-PSS or OS6855-PSS-D power supply respectively
is included in the bundle.
OS6855-U10 Layer-3 fixed-configuration fanless switch in a 1U form factor. It has two RJ-45 connectors individually configurable to 10/100/1000Base-T,
OS6855-U10D and eight SFP ports that support various distances. An OS6855-PSS or OS6855-PSS-D power supply respectively is included in the bundle.
OS6855-24 Layer-3 fixed-configuration switch in a 1U form factor. It has 20 RJ-45 connectors individually configurable to 10/100/1000Base-T, four of
OS6855-24DL which provide PoE and four combo ports. On the combo ports, either copper or fiber can be used on a one-for-one basis. An OS6855-PSL-P,
OS6855-24D OS6855-PSL-D or OS6855-PSL-DL power supply respectively is included in the bundle.
OS6855-U24 Layer-3 fixed-configuration switch in a 1U form factor. It has 22 SFP ports that support various distances, and two combo ports. On the combo
OS6855-U24DL ports, either RJ-45 connectors individually configurable to 10/100/1000Base-T, or fiber SFP can be used on a one-for-one basis. An OS6855-PSL,
OS6855-U24D OS6855-PSL-DL or OS6855-PSL-D power supply respectively is included in the bundle.
OS6855-U24X Layer-3 fixed-configuration switch in a 1U form factor. It has two 10G SFP+ ports, 22 SFP ports that support various distances, and two combo
OS6855-U24XDL ports. On the combo ports, either RJ-45 connectors individually configurable to 10/100/1000Base-T, or fiber SFP can be used on a one-for-one
OS6855-U24XD basis. The 10G SFP+ ports can be used either as uplinks or as stacking ports. An OS6855-PSL, OS6855-PSL-DL or OS6855-PSL-D power supply
respectively is included in the bundle.
TRANSCEIVERS All optical transceivers qualified for the OmniSwitch 6855 operate at a wider operating temperature range than the corresponding commercial types.
iSFP-10G-LR 10G industrial optical transceiver (SFP+). Supports single-mode fiber over 1310 nm wavelength (nominal) with an LC connector. Typical reach of 10 km.
iSFP-GIG-LH70 1000Base-LH industrial transceiver. Supports single-mode fiber over 1550 nm wavelength (nominal) with an LC connector. Typical reach of 70 km.
iSFP-GIG-LH40 1000Base-LH industrial transceiver. Supports single-mode fiber over 1310 nm wavelength (nominal) with an LC connector. Typical reach of 40 km.
iSFP-GIG-LX 1000Base-LX industrial transceiver. Supports single-mode fiber over 1310 nm wavelength (nominal) with an LC connector. Typical reach of 10 km.
iSFP-GIG-SX 1000Base-SX industrial transceiver. Supports multimode fiber over 850 nm wavelength (nominal) with an LC connector. Typical reach of 300 m.
iSFP-GIG-T 1000Base-T Gigabit industrial Ethernet Transceiver (SFP MSA). Supports category 5, 5E, and 6 copper cabling up to 100 m. SFP supports
10/100/1000 Mb/s and full-duplex mode.
iSFP-GIG-BX-U 1000Base-BX SFP transceiver with an LC type interface. Supports single-mode fiber on a single strand link up to 10 km. Transmits 1310 nm and
receives 1490 nm optical signal.
iSFP-GIG-BX-D 1000Base-BX SFP transceiver with an LC type interface. Supports single-mode fiber on a single strand link up to 10 km. Transmits 1490 nm and
receives 1310 nm optical signal.
iSFP-100-MM 100Base-FX industrial transceiver with an LC type interface. This transceiver is designed for use over multimode fiber.
iSFP-100-SM15 100Base-FX industrial transceiver with an LC type interface. This transceiver is designed for use over single-mode fiber up to 15 km.
iSFP-100-SM40 100Base-FX industrial transceiver with an LC type interface. This transceiver is designed for use over single-mode fiber up to 40 km.
iSFP-100-BX-U 100Base-BX industrial transceiver with an SC type interface. This bidirectional transceiver is designed for use over single-mode fiber on a
single strand link up to 20 km point-to-point. This transceiver is normally used in the client (ONU) and transmits 1310 nm and receives 1550 nm
optical signal.
iSFP-100-BX-D 100Base-BX industrial SFP transceiver with an SC type interface. This bidirectional transceiver is designed for use over single mode fiber on
a single strand link up to 20 km point-to-point. This transceiver is normally used in the central office (OLT) and transmits 1550 nm and receives
1310 nm optical signal.

Service and support


Warranty
Limited lifetime hardware warranty: Limited to the original owner, and will be provided for up to 5 years after the product’s
End-of-Sales announcement.



www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent, the Alcatel-Lucent logo,
OmniSwitch and OmniVista are trademarks of Alcatel-Lucent. All other trademarks are the property
of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent
assumes no responsibility for inaccuracies contained herein. Copyright © 2010 Alcatel-Lucent.
All rights reserved. EPG3310100402 (05)
ENTERPRISE NETWORKING GUIDE
OmniSwitch™ 6860 Stackable LAN Switch
http://offer-guide.enterprise.alcatel-lucent.com/en_us/products/omniswitch-6860-stackable-lan-switch

OVERVIEW

Alcatel-Lucent OmniSwitch™ 6860 Stackable LAN Switches (SLS) are compact, high-density Gigabit Ethernet (GigE) and 10 GigE platforms designed for the most demanding converged networks.

In addition to high performance and availability, the OS6860(E) offers enhanced quality of service (QoS), user authentication, deep packet inspection (DPI), and comprehensive security features to secure the network edge while accommodating user and device mobility with a high degree of integration between the wired and wireless LAN.

The enhanced models of the OmniSwitch 6860 family also support emerging services such as application fingerprinting for network analytics and up to 60 watts of Power over Ethernet (PoE) per port, making them ready to meet the evolving business needs of enterprise networks.

These versatile LAN switches can be positioned:
• At the edge of mid- to large-sized converged enterprise networks
• At the aggregation layer
• In a small enterprise network core
• In the data center for GigE server connectivity and SDN applications

KEY BENEFITS
• With the variety of interfaces and models, the OmniSwitch 6860 family meets any customer configuration needs and offers excellent investment protection and flexibility
• The OmniSwitch 6860 Virtual Chassis increases system redundancy, resiliency, and high availability while simplifying deployment, operations and management of the network
• With advanced PoE capabilities and high density of PoE ports, the OS6860 is ideal for converged campus deployments. It offers deployment flexibility, simplifying the wiring and reducing the time to deploy a variety of edge devices
• The OS6860 application monitoring capability provides network administrators with a comprehensive view of the applications running in the network, enabling optimization and control of network performance
• With its advanced capabilities, the OS6860 shows outstanding performance when supporting real-time voice, data, and video applications
• OS6860E offers flexible deployment options and enables the network for BYOD deployments and zero-touch guest management
• OS6860E supports SDN for fast deployment of new network services
• Future proofs enterprise investment and enables interoperability with third party solutions

Contact [email protected] for more information


©2014 ALCATEL-LUCENT. ALL RIGHTS RESERVED. APRIL 2014

KEY FEATURES VERSATILE FEATURES AND MODELS OFFERING HIGH DENSITY GIGABIT AND 10 GIGABIT INTERFACES
Up to 8 switches can be connected using Virtual Chassis
technology to create a single chassis-like entity with up
to 32 10Gigabit uplinks and 384 Gigabit ports

IEEE 802.3AF AND 802.3AT COMPLIANT POE OF 30 W PER PORT ON ALL PORTS
The enhanced models of OS6860 family support up to
60W of PoE per port on 4 ports

HARDWARE-ACCELERATED DEEP PACKET INSPECTION (DPI) AVAILABLE ON ALL MODELS


Application monitoring and fingerprinting is available
on the enhanced models

OMNISWITCH 6860 IS SDN READY


Supporting programmable AOS RESTful APIs, OpenFlow
and OpenStack allows the creation of specialized
services

ADVANCED UNIFIED ACCESS AND COMPREHENSIVE AND SECURE BYOD SERVICES


• Integrated Policy with dynamic User Network Profiles
• Extensive security features for network access control (NAC), policy enforcement and attack containment
• Advanced guest management capabilities
• SIP Fluency to provision and monitor QoS treatment of SIP flows
• Airgroup™ Network Services for Bonjour speaking devices
• Application management
• Device on-boarding and automated 802.1x provisioning
• Device posture/health check and fingerprinting


TECHNICAL INFORMATION

OmniSwitch 6860 family      RJ-45   PoE+   PoE++*   SFP   SFP+   VFL   PoE budget      PSU   Backup PSU   RU

Standard models
OmniSwitch 6860-24          24      0      0        0     4      2     NA              AC    AC           1
OmniSwitch 6860-48          48      0      0        0     4      2     NA              AC    AC           1
OmniSwitch 6860-24D         24      0      0        0     4      2     NA              DC    DC           1
OmniSwitch 6860-48D         48      0      0        0     4      2     NA              DC    DC           1

Enhanced models
OmniSwitch 6860E-24         24      0      0        0     4      2     NA              AC    AC           1
OmniSwitch 6860E-48         48      0      0        0     4      2     NA              AC    AC           1
OmniSwitch 6860E-24D        24      0      0        0     4      2     NA              DC    DC           1
OmniSwitch 6860E-48D        48      0      0        0     4      2     NA              DC    DC           1

Power over Ethernet+ models
OmniSwitch 6860-P24         0       20     4        0     4      2     450/900 W**     AC    AC           1
OmniSwitch 6860-P48         0       44     4        0     4      2     750/1500 W**    AC    AC           1

Enhanced PoE+ models
OmniSwitch 6860E-P24        0       20     4        0     4      2     450/900 W**     AC    AC           1
OmniSwitch 6860E-P48        0       44     4        0     4      2     750/1500 W**    AC    AC           1

Enhanced fiber optic models
OmniSwitch 6860E-U28        0       0      0        28    4      2     NA              AC    AC           1
OmniSwitch 6860E-U28D       0       0      0        28    4      2     NA              DC    DC           1

Columns: RJ-45 = GigE RJ-45 ports; PoE+ = GigE PoE+ ports; PoE++ = GigE PoE++ ports; SFP = 100/1000 SFP ports; SFP+ = 1/10GigE SFP+ ports; VFL = 20G VFL ports; PSU = power supply (AC/DC); Backup PSU = optional backup PSU; RU = height in rack units

* 60 W per port

** Second value is for dual power supply configuration

Book your remote demo through the eDemo website!

FREE SERVICE to conduct remote demonstrations on your premises or the customer's from our data center, on selected ALE Communications and Network solutions
http://edemo.al-mydemo.com/

• What's in it for you
 Demonstration booking forms
 User guides
 Requirement lists
 Videos
 Access to the help desk (from 9am to 6pm CET – PST)
 And much more!
• Specific demonstrations can be handled upon request

ACCESS TO TECHNICAL SUPPORT
ENTERPRISE CUSTOMER CARE GUIDELINE – JANUARY 2016

Contents
1 Objective
2 Introduction
3 Requirements for accessing technical support
3.1. Accessing Technical support
3.1.1. Service Contract Check
3.1.2. Engineer Certification Check
3.2. Opening Severity 1, 2, 3 and 4 cases
3.3. Basic Requirements for opening an eService Request
3.4. Status of eService Request
3.5. eService Request Escalation
3.6. End Customer Name
4 Incident Severity
4.1. Severity 1: Critical severity (Severity One)
4.2. Severity 2: High severity (Severity Two)
4.3. Severity 3: Medium severity (Severity Three)
4.4. Severity 4: Low severity (Severity Four)
5 Tools available
5.1. Contact Checker
5.2. Alcatel-Lucent Enterprise Application Partner Program (AAPP)
5.3. Security Advisories
5.4. Technical communications
5.5. The Knowledge Center
5.6. Twitter and Facebook
5.7. Contacts

Notes
This document is provided and supported by Alcatel Lucent Enterprise Customer Care

1 Objective
This document defines how a Business Partner expert can access technical support.

2 Introduction
End customers report their technical issues to our business partners, who provide them with support and services.
Certified engineers of our business partners are entitled to open requests with the Alcatel-Lucent Enterprise
Technical Support organization. The system for which the issue is reported must have a valid support contract
(SPS).

3 Requirements for accessing technical support

3.1. Accessing Technical support

When accessing technical support, our teams will first perform the following checks.

3.1.1. Service Contract Check

Our Welcome Center will first check the Service Contract status (depending on the product):
- Valid Service contract (SMS/SES, or SPS since July 2012) for OmniPCX Enterprise, OpenTouch and
related Communications applications.
- Valid Support Fees for Data solutions.
It is recommended that business partner engineers keep their certifications up to date and verify that the
system for which an issue is reported has a valid contract, prior to reaching out to Alcatel-Lucent
Enterprise support. Contract status can be checked at:
http://enterprise.alcatel-lucent.com/?services=SupportServices&page=ContractChecker

3.1.2. Engineer Certification Check

Our Welcome Center will then verify the certification levels. The engineer must have a valid, unexpired
post-sales certification for the solution on which support is requested.

FUNCTION     CERTIFICATION                                    DESCRIPTION

SALES        ACSR: Alcatel-Lucent Certified Sales             For sales representatives who sell Alcatel-Lucent products and solutions
             Representative

PRESALES     AQPS: Alcatel-Lucent Qualified Presales          For presales engineers who design stand-alone projects
             ACPS: Alcatel-Lucent Certified Presales          For presales engineers who design large/complex networking projects

POSTSALES    ACFE: Alcatel-Lucent Certified Field Expert      For field engineers in charge of advanced configurations, installation and service support
             ACSE: Alcatel-Lucent Certified System Expert     For expert engineers in charge of complex configurations, installation and remote service support

3.2. Opening Severity 1, 2, 3 and 4 cases


For Severity 3 (S3) and Severity 4 (S4) cases, you can contact us by telephone, e-mail or via the internet,
through the eService Request on the BP Enterprise Business Portal.
For Severity 1 (S1) and Severity 2 (S2) cases, you must contact us by telephone only. In that case, you will
be routed immediately to an Alcatel-Lucent engineer.
E-mail: [email protected]
Phone: + 1 650 385 2193
Answer: + 1 650 385 2193
French answer: + 1 650 385 2196
German answer: + 1 650 385 2197
Spanish answer: + 1 650 385 2198

3.3. Basic Requirements for opening an eService Request


When opening an eSR, our business partner expert is expected to provide the system ID (or serial number). In
a majority of cases, the Alcatel-Lucent Support Engineer has limited knowledge about the customer configuration
and the environment. So it is key to provide as much information as possible to the technical support engineer
to speed up the troubleshooting process:
- Business impact, occurrence of the issue and reproducibility;
- Detailed description of the issue and the use case / scenario for which the issue can be observed;
- Description of the environment, products and servers involved, with their software release.
Before opening an eService Request, please make sure that:
- The solution you are implementing is supported;
- Your problem has not already been reported and fixed (use our TKC knowledge base and Release Note library);
- You have read the technical tips related to the subject.
Please note that for most products or solutions, a form that contains all required information is available in
the support section of our business partner web site.

3.4. Status of eService Request


With the online Alcatel-Lucent eService Request tool, you can easily track progress or update your eService
Requests with notes and attachments. The status can be set to:
- Open: Your Alcatel-Lucent engineer is currently investigating the issue (analysis of the issue, lab
replication efforts, configuration verifications, software code verification, …)
- Pending-External: Your Alcatel-Lucent TAC engineer has requested additional information from you;
- Customer validation: Your eService Request has been treated. We await your validation of our answer.
Without any feedback, the SR will be automatically closed after 10 days for an eSR, 60 days for a PR
(Engineering request);
- Validation refused: You have refused our answer, the SR/PR will be re-opened;
- Closed: Your eService Request is closed.

3.5. eService Request Escalation


When your business is impacted or in danger due to Technical Support issues, contact us through the escalation
procedure. If you are not completely satisfied with the progress on resolving your eService Request or if your
business is impacted, please contact us through the escalation procedure.

3.6. END CUSTOMER NAME


Switching from a pure “case by case” approach to a more “Customer” oriented approach.
In order to improve our end customer support, we populate our CRM database with the end customer
name information to provide better management of the overall customer situation and environment and
improve the level of service and feedback ALE can provide. Kindly provide us with the end customer name
when opening an eSR with ALCATEL LUCENT ENTERPRISE CUSTOMER CARE.

4 Incident Severity
To ensure that all customer maintenance and support problems are reported and evaluated in a standard
format by the Partner and the customer, four (4) problem severity levels have been established. These
severity levels will assist the Partner and Alcatel in allocating the appropriate resources to resolve problems
and use a common classification system that facilitates all action plans and decisions. According to the
problem severity level, the Partner must contact Alcatel Technical Support via the Welcome Center to report
the problem and determine an action plan in order to resolve the issue with all the resources needed within a
specific period of time.
The order of priority levels begins from the most severe system breakdown (severity 1) to normal assistance
and routine support and information requests with no impact on the customer day to day operations (severity
4).

4.1. Severity 1: Critical severity (Severity One)


End User’s telecommunications network or a major business application is down, causing a critical impact to
business operations if service is not restored quickly. Severity 1 cases are processed 24 hours a day seven
days a week. Alcatel requires that a certified technician of the Business Partner is onsite to qualify the issue
as a Severity 1.

4.2. Severity 2: High severity (Severity Two).


End User’s service is not down but telecommunications network or a main business application is severely
degraded with a significant impact to business operations. Workaround needs to be delivered if possible.

4.3. Severity 3: Medium severity (Severity Three)


Network functionality is noticeably impaired but most business operations continue with medium business
impact to customer.

4.4. Severity 4: Low severity (Severity Four)


Network functionality is slightly impaired, or the End User requires information or assistance on Alcatel product
capabilities, system installation or configuration. These ordinary issues have very low business impact to the
customer.

5 Tools available:

5.1. Contract Checker


This tool can be used to verify the validity of the support contract by entering either the support contract
number or the CPU ID:
http://enterprise.alcatel-lucent.com/?services=SupportServices&page=ContractChecker

5.2. Alcatel-Lucent Enterprise Application Partner Program (AAPP)


Kindly visit the Application Partner Portal at
http://applicationpartner.alcatel-lucent.com

5.3. Security Advisories


That section contains all the latest available information about security alerts and security recommendations
when deploying Alcatel-Lucent Enterprise solutions in a customer environment. Regular visits to that
section of our support portal are important to stay up to date with the latest security communications.

5.4. Technical communications


You can find all technical documentation published by Alcatel-Lucent Enterprise Customer Care (troubleshooting
guides, quick set up guides etc …). Those documents complement the product documentation which
is also available in that section of our business partner web site.

5.5. The Knowledge Center


This tool is now available to all our business partners. Each time an issue is resolved, our support engineers
publish a knowledge article available to all experts.

5.6. Twitter and Facebook


The Technical Support Facebook and Twitter channels are accessible in the Technical Quick Links on the
technical support page.
The objective is to increase the awareness of our:
- New software releases
- New technical communications
- AAPP InterWorking Reports
- Newsletter
All products (voice and data) are covered, and direct access is given to the related software or document on the
Business Portal.

5.7. Contacts
Please contact one of the following persons should you have any additional questions regarding Customer
Care support access and procedures:
- Franck DUPUY: [email protected]
- Marc CHAUVIN: [email protected]
- Eric LECHELARD: [email protected]

End of document
Find a Course
Browse our catalog available on ALE Knowledge Hub (https://enterprise-education.csod.
com) to find your training path and course detail.

Feedback
In order to improve the quality of the documentation, please report any feedback to:
Address:
Alcatel-Lucent Enterprise
115-225 rue Antoine de Saint-Exupéry
ZAC Prat Pip – Guipavas
29806 BREST CEDEX 9 – France
FAX: (33) 2 98 28 50 03

Or Email: [email protected]
