MAGNUM 6K FAMILY OF SWITCHES

Secure Web Management for Magnum 6K family of Switches

Release 3.7.1

Secure Web Management

(SWM) User Guide
Preface

This guide describes how to use the Secure Web Management (SWM) for the
Magnum 6K family of switches.
Some simple guidelines which will be useful for configuring and using the Magnum
6K family of switches -
If you need information on a specific command in the CLI, type the
command name after you type the word “help” (help <command> ) or just
type <command> [Enter].
If you need information on a specific feature in Web Browser Interface, use
the online help provided in the interface.
If you need further information or data sheets on GarrettCom Magnum 6K
family of switches, refer to the GarrettCom web links at:
http://www.garrettcom.com/managed_switches.htm

GarrettCom Inc.
47823 Westinghouse Drive
Fremont, CA 94539-7437
Phone (510) 438-9071• Fax (510) 438-9072
Email – Tech support – [email protected]
Email – Sales – [email protected]
WWW – http://www.garrettcom.com/

i
Trademarks
GarrettCom Inc. reserves the right to change specifications, performance characteristics
and/or model offerings without notice. GarrettCom, Magnum, S-Ring, Link-Loss-Learn,
Converter Switch, Convenient Switch and Personal Switch are trademarks and Personal Hub
is a registered trademark of GarrettCom, Inc.

NEBS is a registered trademark of Telcordia Technologies.

UL is a registered trademark of Underwriters Laboratories.

Ethernet is a trademark of Xerox Corporation.

Copyright © 2004 GarrettCom, Inc. All rights reserved. No part of this publication may be
reproduced without prior written permission from GarrettCom, Inc.

Printed in the United States of America.

Part #: 84-00142
PK-061306

ii
Table of Contents

1 – Conventions Followed...............................................................19
Flow of the user guide.............................................................21
2 – Getting Started ............................................................................23
Before starting ..........................................................................23
Console connection for CLI...................................................24
Console setup............................................................................25
Console screen..........................................................................26
Logging in for the first time ...................................................26
Setting the IP parameters........................................................26
Web browser .............................................................................27
Operator Privilege Users ............................................................32
Manager Privilege Users .............................................................32
User management.....................................................................33
Add User.......................................................................................33
Deleteing User..............................................................................35
Modify Password .........................................................................37
Modify the Privilege Level .........................................................39
Help ............................................................................................39
Exiting........................................................................................40
3 – IP Address and System Information.....................................44
IP Addressing...............................................................................44
Importance of an IP address ..................................................44
DHCP and bootp ........................................................................45
Bootp Database ...........................................................................46

3
 Configuring DHCP/Bootp/Manual IP addresses .................46
Using Telnet .................................................................................47
Date and time............................................................................49
Network time............................................................................49
Saving and loading ...................................................................52
Script file .......................................................................................56
Displaying configuration.........................................................58
Host Names ..............................................................................60
Erasing configuration ..............................................................63
Saving changes..........................................................................64
4 – IPv6 .................................................................................67
Assumptions.................................................................................67
Introduction to IPv6................................................................67
What’s changed in IPV6?........................................................68
IPv6 Addressing .......................................................................69
Configuring IPv6......................................................................69
5 – Access Considerations ....................................................77
Securing access.............................................................................77
Port security ..............................................................................77
Network Security .........................................................................78
Configuring Port Security...........................................................78
Logs ............................................................................................81
Authorized managers...............................................................83
6 – Access Using RADIUS ...................................................87
RADIUS .......................................................................................87
802.1x .........................................................................................87
Configuring 802.1x...................................................................90
7 – Access Using TACACS+ .............................................. 100
TACACS - Its Flavors and History.........................................100
TACACS+ flow......................................................................101

4
 TACACS+ packet ..................................................................102
Configuring TACACS+ ........................................................102
8 – Port Mirroring and Setup.............................................. 106
Port Monitoring and Mirroring ...............................................106
Port mirroring.........................................................................106
Port setup ................................................................................109
Speed Settings ............................................................................112
Flow Control ..............................................................................113
Back Pressure .............................................................................113
Broadcast Storms.......................................................................113
Preventing broadcast storms ................................................113
9 – VLAN............................................................................ 117
Why VLANs?.............................................................................117
Tag VLAN or port VLAN?..................................................119
Private VLANs .......................................................................120
Configuring Tag VLANs ......................................................121
Configuring Port VLANs .....................................................138
10 – Spanning Tree ............................................................. 145
STP Features and Operations..................................................145
RSTP Concepts..........................................................................146
Transition from STP to RSTP .............................................148
Configuring STP/RSTP ........................................................149
11 – RS-Ring™, S-Ring™ and Link-Loss-Learn™ (LLL). 158
S-Ring and LLL concepts.........................................................159
RS-Ring concepts ......................................................................160
When to use RS-Ring vs S-Ring ..........................................161
Comparing resiliency methods.............................................162
RSTP/STP Operation without RS-Ring or S-Ring ..........163
RSTP/STP Operation with S-Ring .....................................165
LLL with S-Ring.....................................................................167

5
 Ring learn features..................................................................167
Configuring S-Ring ................................................................167
RSTP Operation with RS-Ring ............................................179
Configuring RS-Ring .............................................................180
12 – Dual-Homing .............................................................. 189
Dual-Homing concepts ............................................................189
Dual-Homing Modes.............................................................192
Configuring Dual-Homing ...................................................192
13 – Link Aggregation Control Protocol (LACP) ...............203
LACP concepts ..........................................................................203
LACP Configuration..............................................................204
14 – Quality of Service ........................................................ 217
QoS Concepts ............................................................................217
DiffServ and QoS...................................................................218
IP precedence..........................................................................219
Configuring QoS ....................................................................220
15 – IGMP...........................................................................229
IGMP Concepts.........................................................................229
IGMP-L2 .................................................................................233
Configuring IGMP.................................................................236
16 – GVRP...........................................................................240
GVRP Concepts ........................................................................240
GVRP operations...................................................................241
Configuring GVRP ................................................................244
GVRP operations notes ........................................................247
17 – SNMP ..........................................................................248
SNMP Concepts ........................................................................248
Standards .................................................................................250
Configuring SNMP ................................................................251

6
 Configuring RMON ..............................................................256
18 – Miscellaneous Commands ..........................................258
Alarm relays.............................................................................258
Statistics ...................................................................................261
Logs ..........................................................................................263
Email ........................................................................................270
Serial connectivity ..................................................................271
Ping...........................................................................................272
Set .............................................................................................273
Appendix 1 – Updating MNS-6K using SWM....................284
Before starting ........................................................................284
Index...................................................................................292

7
List of Figures

FIGURE 1 - HyperTerminal screen showing the serial settings ................................................................. 25

FIGURE 2 - Prompt indicating the switch model number as well as mode of operation – note the
commands to switch between the levels is not shown here.............................................................. 26
FIGURE 3 - Setting IP address on the switch ......................................................................................... 27
FIGURE 4 - Rebooting the switch .......................................................................................................... 27
FIGURE 5 – Security certificate – click “yes” to proceed ......................................................................... 28
FIGURE 6 – Login screen – for the first time login with the default login name and password. If
you have created other users, you can use the user name and password created. Note – the
switch model number is displayed on the screen. Not all models are shown above.......................... 29
FIGURE 7 – Login with the proper user name and password. For the first time use manager as
login name and manager as the password ................................................................................... 29
FIGURE 8 – After a successful login the initial screen displaying the device ports is show ......................... 30
FIGURE 9 – Welcome screen. Note the different information provided on the screen and different
areas. The menus are used to configure settings on the switch. ...................................................... 31
FIGURE 10 - Hovering the cursor in the top left corner of the module provides information on the
module type ...............................................................................................................................32
FIGURE 11 - Adding users .................................................................................................................. 33
FIGURE 12 – Adding a user with Manager Privilege............................................................................. 34
FIGURE 13 – Added user is shown in the list of users............................................................................ 35
FIGURE 14 - Deleting a user – click on the delete icon (a white “X” in a red circle) as shown ............... 36
FIGURE 15 – Deleting a user – a question is asked to validate the action............................................... 37
FIGURE 16 - Changing the password for a specific user – click on the edit icon (shown as a pencil) ........ 38
FIGURE 17 - Modifying the password .................................................................................................... 39
FIGURE 18 - Help – note the top right corner with the “?” icon. Note the help is available from
any menu and is context sensitive. .............................................................................................. 40
FIGURE 19 – Logout............................................................................................................................ 41
FIGURE 20 – Confirming the logout – after “OK” the login prompt is displayed again........................... 42
FIGURE 21 - Checking the IP settings. Click on Edit button to edit the IP or other settings.
Note this screen also displays the serial number as well as the configuration code set at the
factory ....................................................................................................................................... 45

8
FIGURE 22 - Changing the boot mode as well as IP address and other parameters of the switch.
Note if the IP address is changed, the http session has to be restarted with the new IP
address...................................................................................................................................... 47
FIGURE 23 - Telnet session to the switch can be launched from Secure Web Management
(SWM). The telnet interface is a convenient way to access Command Line Interface (CLI)
commands, Note – multiple telnet sessions (up to 4) are supported.............................................. 48
FIGURE 24 – Setting the date and time ................................................................................................. 49
FIGURE 25 – SNTP parameters. Note – the Edit button allows edit of the SNTP parameters as
shown below. Adding or deleting SNTP servers is done by using the add button or delete
button (white “X” in the red circle)............................................................................................ 50
FIGURE 26 – Modifying the SNTP parameters. SNTP can be enabled or disabled from this
menu as well ............................................................................................................................. 51
FIGURE 27 – Adding SNTP servers. Time Out is in seconds. Note the Time server can be a
NTP server available on the Internet. Make sure the IP parameters are configured for the
switch and the device can be pinged by the switch. The Sync Now button allows the
synchronization as soon as the server information is added. ......................................................... 52
FIGURE 28 – Using FTP to save configuration as well as up load new image or reload a saved
configuration. Note – the active or passive mode of ftp can be used. To set that, use
Administration Set FTP Mode menu item..................................................................... 53
FIGURE 29 - Saving the configuration on a tftp server – note the menu is similar to the FTP
screen described earlier ............................................................................................................... 54
FIGURE 30 – Different file transfer types............................................................................................... 55
FIGURE 31 – Example of Script file. Note all the commands are CLI commands. This script
provides insights into the configuration of Magnum MNS-6K settings. GarrettCom
recommends that modifications of this file and the commands should be verified by the User
in a test environment prior to use in a "live" production network................................................. 57
FIGURE 32 – ‘show config’ command output................................................................................... 59
FIGURE 33 – displaying specific modules using the ‘show config’ command....................................... 60
FIGURE 34 – displaying configuration for different modules. Note – multiple modules can be
specified on the command line..................................................................................................... 60
FIGURE 35 – creating commonly used host entries. These entries can be saved using Host upload
capabilities under Administration File Management menus .................................................. 61
FIGURE 36 – Adding information about specific hosts........................................................................... 62
FIGURE 37 – After hosts are added, the information related to the added host is displayed. .................... 63
FIGURE 38 – Saving changes made – for example after adding SNTP server, the change needs to
be saved. This can be done by clicking on the floppy icon to save current configuration .................. 64
FIGURE 39 – Confirmation to save changes........................................................................................... 65
FIGURE 40 – After changes are made ................................................................................................... 66

9
FIGURE 41 – Accessing IPv6 configuration information......................................................................... 70
FIGURE 42 – Enter in the IPv6 address and netmask. In this example the IPv6 address is
fe80::220:8ff:fe03:509 and the netmask is ffff:ffff:ffff:ffff::.......................................................... 71
FIGURE 43 – Optional way to enter the netmask information. The information entered in this
figure and the prior figure is the same ......................................................................................... 72
FIGURE 44 – After successfully adding an IPv6 address, the address is displayed. Note – the
Gateway IPv6 address has still not been added........................................................................... 73
FIGURE 45 – Click on Edit to Edit the gateway information. Make sure the IP address is not
selected as shown above. To edit the IPv6 address, select the IP address and then click on
the Edit button ......................................................................................................................... 74
FIGURE 46 – Add the gateway information. After the information is added, click OK........................... 75
FIGURE 47 – After adding the gateway information, this information is displayed on the main
IPv6 screen ...............................................................................................................................76
FIGURE 48 – Port security configuration ............................................................................................... 78
FIGURE 49 – Enable or disable Port Security functions. Note the screen also provides an overview
of each port on the switch. Each port can be individually configured for the proper port
security action............................................................................................................................ 79
FIGURE 50 – Port security – allowing specific MAC addresses on a specified port as well as
changing the status of each port .................................................................................................. 80
FIGURE 51 – Adding MAC addresses – after clicking on the Add button, the screen opens up to
allow you to specify a specific MAC address ............................................................................... 81
FIGURE 52 – Logs made on the switch. Specific logs may be viewed by using the drop down menu
in the top right corner ................................................................................................................ 82
FIGURE 53 – Authorized access list for managing the switch. Note specific servers can be
authorized using the Host menu. The host entries can be backed up by using the
Administration File Mgmt menu. A group of stations with IP addresses can be
authorized using the IP access menu........................................................................................... 84
FIGURE 54 – Adding any computer on the 10.10.10.0 sub net to manage the switch. Note from
this network, the stations will not be allowed telnet access. The stations will be allowed
access via SWM as well as SNMP managers on the 10.10.10.0/24 network will be able
to query the switch. .................................................................................................................... 85
FIGURE 55 – After adding access to the network, the capabilities allowed are displayed .......................... 86
FIGURE 56 – 802.1x network components........................................................................................... 88
FIGURE 57 – 802.1x authentication details ......................................................................................... 89
FIGURE 58 – Configuring the RADIUS Server – initially, the RADIUS Services are disabled
and the server IP address is set to 0.0.0.0 – edit that server IP and secret to add a
RADIUS server....................................................................................................................... 91

10
FIGURE 59 – Editing information of the RADIUS server. Note the UDP port number can be
left blank and the default port 1812 is used............................................................................... 92
FIGURE 60 – Setting the port characteristic for RADIUS authentication. To edit the port settings
– click on the edit icon............................................................................................................... 93
FIGURE 61 – Ensure that the port which has the RADIUS server is force authorized and
asserted. Other ports (user ports), it is best to leave the Control on auto and Initialize on
deasserted .................................................................................................................................. 94
FIGURE 62 – Changing the Port Access characteristics when authenticating with a RADIUS
server ........................................................................................................................................ 95
FIGURE 63 – Backend or communication characteristics between Switch and RADIUS Server ............. 96
FIGURE 64 – Port authentication characteristics – set values on how the authenticator (Magnum
6K switch) does the re-authentication with the supplicant or PC.................................................. 97
FIGURE 65 – RADIUS Statistics – note that the stats are for each port............................................... 98
FIGURE 66 – Flow chart describing the interaction between local users and TACACS
authorization ..........................................................................................................................101
FIGURE 67 – TACACS packet format.............................................................................................102
FIGURE 68 – Accessing TACACS configuration menu. By default, no TACACS+ servers are
defined ....................................................................................................................................103
FIGURE 69 – Adding a TACACS+ server – note – the TCP port can be left blank – Port 49
is used as a default port. Up to 5five TACACS+ servers can be defined. Note the
manager level and the operator level defines the levels for the server being defined.........................104
FIGURE 70 – After adding TACACS+ servers, do not forget to save and enable the TACAS+
services ....................................................................................................................................105
FIGURE 71 – Editing and enabling port mirroring ..............................................................................107
FIGURE 72 – Setting the port which needs to be monitored and the port on which the traffic is
reflected. Make sure the Mirror Status is also set to enabled for mirroring.................................108
FIGURE 73 – After the ports are setup – the changes are shown...........................................................109
FIGURE 74 – Viewing and changing the Port settings..........................................................................110
FIGURE 75 – Clicking on any port in the Graphics Display (or after the login screen) also leads
to Configuration Port Settings screen as shown in the previous figure .............................111
FIGURE 76 – Editing Port configuration values – not all fields can be edited from this screen ...............112
FIGURE 77 – Menus for limiting broadcast storms. Note the 19531 threshold refers to 64 byte
packets for a 10Mbps network. Since most broadcast packets are 64 bytes long, this
number is used as a default. For 100Mbps networks, the threshold is 195310 packets –
adjust the threshold accordingly for a 100Mbps network...........................................................114
FIGURE 78 – Limiting the broadcast..................................................................................................115
FIGURE 79 – After setting the values, enable the Broadcast Protection.................................................116

11
 FIGURE 80 – VLAN as two separate collision domains. The top part of the figure shows two
“traditional” Ethernet segments. Up to 32 VLANs can be defined per switch.........................117
FIGURE 81 – Ports can belong to multiple VLANs. In this figure a simplistic view is presented
where some ports belong to VLANs 1, 2 and other ports belong to VLANs 2,3. Ports
can belong to VLANs 1, 2 and 3. This is not shown in the figure. .........................................118
FIGURE 82 – Routing between different VLANs is performed using a router or a Layer 3 switch
(L3-switch) .............................................................................................................................119
FIGURE 83 – Setting the VLAN type – by default no VLANs are active. To set the VLAN
type, the menu can be accessed from Configuration VLAN or from Administration
Set VLAN Type menu..............................................................................................122
FIGURE 84 – Currently assigned Port VLAN’s................................................................................123
FIGURE 85 – Adding a new VLAN and defining ports belonging to the VLAN .............................124
FIGURE 86 – After the VLANs and the Ports associated with VLANs are defined, next step
is to define the port setting and enable tagging on the necessary ports. This is done by
clicking on Port settings as shown above. ..................................................................................125
FIGURE 87 – Enable the tagging for each port belonging to VLAN 10. Note the Default
VLAN can also be changed for these port using the menu shown above. Also note, how
selected values only are sent to MNS-6K for change in configuration. In the example above,
only VLAN 10 being set as Tagged is sent as a configuration parameter to MNS-6K ............126
FIGURE 88 – After the Tag information is added, the information is displayed on the screen. Note
the Tagged Column – the information is changed for VLAN 10 to “Yes”. Repeat the
process for other VLANs. ......................................................................................................127
FIGURE 89 – The status of the VLANs can be viewed from the Tagging menu. Note at this
stage, the VLANs are all still pending as the VLANs have not been activated yet. Also
note how one port belongs to multiple VLANs........................................................................128
FIGURE 90 – Activating a VLAN – click on the Status button to view/modify the status of the
VLANs................................................................................................................................129
FIGURE 91 – Select the VLANs to activate. In this example we activate all the VLANs .................130
FIGURE 92 – After activating the VLANs, note the port move out of the default VLAN to the
specific VLAN they were assigned to. If the ports need to belong to default VLAN, they
have to be added to the default VLAN explicitly. Also note that one port belongs to
multiple VLANs and all VLAN status has been changed to Active .....................................131
FIGURE 93 – Adding the ports back to the Default VLAN – edit the default VLAN and add
the ports to the default VLAN...............................................................................................132
FIGURE 94 – After activation, note that ports 9-13 belong to the new VLANs. After adding the
ports back to the default VLAN, the results are shown above. Each port can join or leave
a VLAN membership by clicking on Join & Leave as shown above .......................................132
FIGURE 95 – Port 11 is removed from VLAN 10............................................................................133

12
FIGURE 96 – After Port 11 is removed from VLAN 10, the new status reflects the change.
Note – if ports 12 and 13 are not tagged (from the Port Settings menu) the Tagged Colum
will reflect that fact as well .......................................................................................................134
FIGURE 97 – VLAN Status is also shown at a glance from the settings menu as shown above ...........135
FIGURE 98 – Once the Tag VLANs are active, the Port VLANs are in the Pending stage.
Also note the VLAN definitions of the Port VLANs and Tag VLANs are different. .........136
FIGURE 99 – Enabling the filter capability for each port. Note – the information for the default
ID and the filter status is sent. The tagging control information is not changed as the check
box is not checked. ..................................................................................................................137
FIGURE 100 – After filtering is activated on ports 15 and 16, the Filter menu shows the status ...........138
FIGURE 101 – Set the VLAN type to be Port VLAN ....................................................................139
FIGURE 102 – Add the necessary VLANs .......................................................................................140
FIGURE 103 – Add the VLANs and the ports belonging to the specific VLANs..............................141
FIGURE 104 – After adding all the necessary VLAN.s. The information can be edited or deleted
at any time from this screen as well. To activate the VLAN, click on Status button. ...............142
FIGURE 105 – To activate the Port VLANs ....................................................................................143
FIGURE 106 – After the Port VLANs are activated, note the ports are moved from the default
VLANs to the VLANs assigned to the ports. Also note the Status changes to Active.
To add the Default VLAN to all ports, simply add the edit icon next to the Default
VLAN entry above. ..............................................................................................................144
Figure 107 – STP default values – refer to next section “Using STP” for more detailed
explanation on the variables ....................................................................................................146
FIGURE 108 – Setting the STP type – choose RSTP or STP. Note – depending on the choice, the
Menu under Configuration will change to reflect the choice made ...............................................149
FIGURE 109 – Note the menus change depending on whether STP or RSTP is selected. The
cursor is placed close to the changes in the above screen captures .................................................150
FIGURE 110 – Configuring RSTP. RSTP or STP is disabled. Designated root is set to zero as
RSTP is disabled....................................................................................................................151
FIGURE 111 – Changing the RSTP or STP bridge parameters. Note on this screen you can select
and enable STP or RSTP.......................................................................................................153
FIGURE 112 – After RSTP is enabled, the fields are updated – note specifically, “Status”, “Time
since TC” and “Designated Root”...........................................................................................154
FIGURE 113 – Port specific values for RSTP or STP..........................................................................155
Figure 114 – Path cost as defined in IEEE 802.1d (STP) and 802.1w (RSTP)..............................156
FIGURE 115 – Changing the port specific STP or RSTP values...........................................................157
FIGURE 116 – Normal RSTP/STP operations in a series of switches. Note – this normal status
is designated RING_CLOSED ............................................................................................164

13
FIGURE 117 – A fault in the ring interrupts traffic. The blocking port now becomes forwarding so
that traffic can reach all switches in the network Note – the mP62 as well as the ESD42
switches support LLL and can participate in S-Ring as an access switch ..................................165
FIGURE 118 – More than one S-Ring pair can be selected and more than one S-Ring can be
defined per switch. Note – the mP62 as well as the ESD42 switches support LLL and
can participate in S-Ring as an access switch ............................................................................166
FIGURE 119 – Activating S-Ring on the switch...................................................................................168
FIGURE 120 – Activating S-Ring license ............................................................................................169
FIGURE 121 – Configure the switch for RSTP (or STP). In this example, RSTP is enabled ...............170
FIGURE 122 – Adding S-Ring. Using the Learn function built in to MNS-6K to see if there are
other members participating in S-Ring .....................................................................................171
FIGURE 123 – Learning S-Ring defined or on the network. This learning takes a few minutes.............172
FIGURE 124 – No S-Ring detected .....................................................................................................173
FIGURE 125 – If STP or RSTP is not enabled, S-Ring detection will fail. To fix that, enable
RSTP or STP first as shown. In some cases the S-Ring detection will fail as there is no S-
Ring defined. In those situations, the ports have to be added to define an S-Ring .......................174
FIGURE 126 – Defining Port 1 (Ingress) and Port 2 (Egress) ports for S-Ring....................................174
FIGURE 127 – Ensure the status is set to enable after the S-Ring is added...........................................175
FIGURE 128 – Link Loss Learn .......................................................................................................176
FIGURE 129 – Adding Ports for LLL...............................................................................................177
FIGURE 130 – Adding (or deleting) ports with LLL ..........................................................................178
FIGURE 131 – More than one RS-Ring cannot be defined per managed Magnum 6K switch. Note
– unmanaged switches cannot participate in RS-Ring. ..............................................................179
FIGURE 132 – Activating S-Ring on the switch ..................................................................................181
FIGURE 133 – Activating RS-Ring license – the same license as S-Ring is used to activate RS-
Ring .......................................................................................................................................182
FIGURE 134 – Configure the switch for RSTP (or STP). In this example, RSTP is enabled ...............183
FIGURE 135 – If there is an S-Ring configured, make sure that it is disabled.......................................184
FIGURE 136 – Manually add the two ports which will participate in the RS-Ring ...............................185
FIGURE 137 – Manually add the two ports which will participate in the RS-Ring. Click OK to
add these ports as members of RS-Ring....................................................................................186
FIGURE 138 – Disable LLL on ports participating in RS-Ring .........................................................187
FIGURE 139 – To activate RS-Ring – use the enable drop down from the RS-Ring menu ....................187
FIGURE 140 – Dual-homing using ESD42 switch and Magnum 6K family of switches. In case
of a connectivity break – the connection switches to the standby path or standby link .................190

14
FIGURE 141 – Dual-homing using Magnum 6K family of switches. Note the end device (video
surveillance camera) can be powered using PoE options on MNS-6K family of switches. In
case of a connectivity break – the connection switches to the standby path or standby link...........190
FIGURE 142 – Using S-Ring, RS-Ring and dual-homing, it is possible to build networks resilient
not only to a single link failure but also for one device failing on the network .............................191
FIGURE 143 – Dual-Homing configuration. Click on Edit, as shown above, to add dual-homing ........193
FIGURE 144 – To select the Primary-backup mode, as discussed earlier, click on Yes. To select the
“equivalent” port modes, select No...........................................................................................194
FIGURE 145 – After electing the ports for dual homing (maximum of 2 only), click OK. Make
sure one port is Primary and the other one is the Secondary port................................................195
FIGURE 146 – Enable Dual-Homing after the ports are added. ..........................................................196
FIGURE 147 – After activation, a check mark in the active column shows the active port and
defines the type of port as well ..................................................................................................197
FIGURE 148 – deleting dual-homing configuration. Click OK to delete the configuration. Dual
homing is disabled after the deletion..........................................................................................198
FIGURE 149 – Click on Edit to add dual-homing...............................................................................199
FIGURE 150 - Click on “No” to add “equivalent” mode.....................................................................200
FIGURE 151 – Select the dual-homing ports.........................................................................................201
FIGURE 152 – After enabling dual-homing the status of the active port is shown..................................202
FIGURE 153 – Some valid LACP configurations................................................................................205
FIGURE 154 – an incorrect LACP connection scheme for Magnum 6K family of switches. All
LACP trunk ports must be on the same module and cannot span different modules..................205
FIGURE 155 – In this figure, even though the connections are from one module to another, this is
still not a valid configuration (for LACP using 4 ports) as the trunk group belongs to two
different VLANs...................................................................................................................206
FIGURE 156 - In the figure above, there is no common VLAN between the two sets of ports, so
packets from one VLAN to another cannot be forwarded. There should be at least one
VLAN common between the two switches and the LACP port groups. ...................................206
FIGURE 157 – This configuration is similar to the previous configuration, except there is a
common VLAN (VLAN 1) between the two sets of LACP ports. This is a valid
configuration............................................................................................................................207
FIGURE 158 – In the architecture above, using RSTP and LACP allows multiple switches to be
configured together in a meshed redundant link architecture. First define the RSTP
configuration on the switches. Then define the LACP ports. Then finally connect the ports
together to form the meshed redundant link topology as shown above..........................................207
FIGURE 159 – LACP, along with RSTP/STP brings redundancy to the network core or
backbone. Using this reliable core with a dual homed edge switch brings reliability and
redundancy to the edge of the network.......................................................................................208

15
FIGURE 160 – This architecture is not recommended............................................................................209
FIGURE 161 – Creating a reliable infrastructure using wireless bridges (between two facilities) and
LACP. “A” indicates a Wi-Fi wireless Bridge or other wireless Bridges..................................210
FIGURE 162 – Enable LACP first....................................................................................................211
FIGURE 163 – Add the necessary ports to define the trunk ..................................................................212
FIGURE 164 – Add the ports which make up the trunk. The priorities will be automatically
assigned – this field can be left blank .......................................................................................213
FIGURE 165 – After the ports are added, the values can be edited if needed or the ports deleted
using the edit or delete icons on the menu ..................................................................................214
FIGURE 166 – Reviewing the trunk status ..........................................................................................215
FIGURE 167 – The orphan status display the reason why the ports were not members of the
LACP trunk. The links is down – i.e. the ports were not connected. After the other switch
is configured with the proper LACP settings, should the RJ-45 cables be plugged in to
enable LACP.........................................................................................................................216
FIGURE 168 – ToS and DSCP.........................................................................................................218
FIGURE 169 - IP Precedence ToS Field in an IP Packet Header ........................................................219
FIGURE 170 - Port weight settings and the meaning of the setting.........................................................221
FIGURE 171 - Accessing QoS settings .................................................................................................222
FIGURE 172 – Setting Port 14 for Port based QoS with a high priority. Note the sections on Tag
and TOS are ignored for Port settings......................................................................................223
FIGURE 173 – Port 14 QoS settings indicate a High Priority as set ....................................................224
FIGURE 174 – Adding Tag based QoS on Port 13 – Note the menu area for Tag Setting is only
relevant ...................................................................................................................................225
FIGURE 175 – Port 13 reflects the Tag QoS settings...........................................................................226
FIGURE 176 – Adding ToS for Port 12. Only the ToS Level Settings of the screen are relevant...........227
FIGURE 177 – After ToS settings. Note the different types of settings are clear from this window.
Port 14 has Port based QoS, port 13 has Tag based QoS and finally port 12 is using
ToS. .......................................................................................................................................228
FIGURE 178 – IGMP concepts – advantages of using IGMP .............................................................231
FIGURE 179 – IGMP concepts – Isolating multicast traffic in a network ............................................232
FIGURE 180 - In a Layer 2 network, an IGMP multicast traffic goes to all the nodes. In the
figure, T1, a surveillance camera, using multicast, will send the traffic to all the nodes - R1
through R6 - irrespective of whether they want to view the surveillance traffic or not. The
traffic is compounded when additional cameras are added to the network. End result is that
users R1 through R6 see the network as heavily loaded and simple day to day operations
may appear sluggish.................................................................................................................234

16
FIGURE 181 - Using IGMP-L2 on Magnum 6K family of switches, a Layer 2 network can
minimize multicast traffic as shown above. Each switch has the IGMP-L2 turned on.
Each switch can exchange the IGMP query message and respond properly. R4 wants to
view surveillance traffic from T1. As shown by (1), a join request is sent by R4. Once the
join report information is exchanged, only R4 receives the video surveillance traffic, as
shown by (2). No other device on the network gets the video surveillance traffic unless they
issue a join request as well. ......................................................................................................235
FIGURE 182 – IGMP setup...............................................................................................................237
FIGURE 183 – Configuring IGMP parameters. This screen also enables and disables IGMP...............238
FIGURE 184 - Setting the IGMP-L2..................................................................................................239
FIGURE 185 – GVRP operation – see description below.....................................................................241
FIGURE 186 – VLAN Assignment in GVRP enabled switches. Non GVRP enabled switches
can impact VLAN settings on other GVRP enabled switches.................................................242
FIGURE 187 – Port settings for GVRP operations .............................................................................243
FIGURE 188 – Using GVRP ............................................................................................................244
FIGURE 189 – setting GVRP characteristics for a port. This can be done by clicking on the edit
icon for the port..................................................................................................................245
FIGURE 190 – GVRP options...........................................................................................................246
FIGURE 191 – SNMP configuration ..................................................................................................252
FIGURE 192 – Changing SNMP community parameters ....................................................................253
FIGURE 193 – Adding valid managers. Multiple managers can be added using this screen....................254
FIGURE 194 – Adding Trap receivers.................................................................................................255
FIGURE 195 – Final screen after configuring SNMP. Note the different types of Trap Receivers
added ......................................................................................................................................256
FIGURE 196 – Predefined conditions for the relay ................................................................................259
FIGURE 197 - Alarms........................................................................................................................260
FIGURE 198 – View Port Statistics....................................................................................................261
FIGURE 199 – Port Statistics – Group 2 ...........................................................................................262
FIGURE 200 – Port Statistics – Group 3 ...........................................................................................263
FIGURE 201 – Types of logged events received – most logs are typically informational (notice) ................264
FIGURE 202 – Viewing each log ........................................................................................................265
FIGURE 203 – Specific type of logs can be viewed – in this example only “Notice” logs are
displayed .................................................................................................................................266
FIGURE 204 – Listing of severity - sorted by subsystem and severity .....................................................269

17
FIGURE 205 – Optimizing serial connection (shown for HyperTerminal on Windows XP). The
highlighted fields are the ones to change as described ..................................................................271
FIGURE 206 – Using Ping .................................................................................................................272
FIGURE 207 – Set menu item for setting common parameters for switch operations ...............................273
FIGURE 208 – Setting the boot mode of the switch...............................................................................274
FIGURE 209 – Set the log size............................................................................................................275
FIGURE 210 – Set the log size – click on the Edit button, enter the log size needed, and click OK.
Maximum log size is 1000 lines .............................................................................................276
FIGURE 211 – Changing the password for the current user ...................................................................277
FIGURE 212 – Setting the SNMP type. SNMP type can be SNMP-v1 or all (for SNMP v1,
v2 and v3) ..............................................................................................................................278
FIGURE 213 – Defining the STP protocol to be used...........................................................................279
FIGURE 214 – Set the timeout value. Click on Edit button to change the value....................................280
FIGURE 215 – Setting the VLAN type.............................................................................................281
FIGURE 216 – Setting the ftp mode.....................................................................................................282
FIGURE 217 – FTP to the GarrettCom site and select the folder with the latest release number ............285
FIGURE 218 – Navigate to the MNS-6K folder ................................................................................285
FIGURE 219– Copy the file with the latest Release number to the local disk by using the operating
system copy and paste commands..............................................................................................285
FIGURE 220 – before the upgrade, it is a good idea to save a snap shot of the configuration.
Different FTP modes can be used with the FTP command. ......................................................286
FIGURE 221 – After the configuration is saved, load the new image file copied form the
GarrettCom ftp site.................................................................................................................287
FIGURE 222 – As the image file is loaded, the progress will be indicated by the image above.
Please wait till the file transfer is completed ..............................................................................287
FIGURE 223 – after the new image file is loaded, it is important to save any changes made and
then restart the switch as shown above ......................................................................................288
FIGURE 224 – before the upgrade, it is a good idea to save a snap shot of the configuration...................289
FIGURE 225 – After the configuration is saved, load the new image file copied form the
GarrettCom ftp site.................................................................................................................290
FIGURE 226 – As the image file is loaded, the progress will be indicated by the image above.
Please wait till the file transfer is completed ..............................................................................290
FIGURE 227 – after the new image file is loaded, it is important to save any changes made and
then restart the switch as shown above ......................................................................................291

18
 1
Chapter

1 – Conventions Followed
Conventions followed in the manual…

T
O best use this document, please review some of the conventions followed in the
manual, including screen captures, interactions and commands with the switch,
etc.

Box shows interaction with the switch command line or screen captures from the
switch or computer for clarity

Commands typed by a user will be shown in a different color and this

font
Switch prompt – shown in Bold font, with a “# or >” at the end. For the
document we will use Magnum6K25# as the default prompt.

Syntax rules
Optional entries are shown in [square brackets]
Parameter values within are shown in < pointed brackets >
Optional parameter values are shown again in [square brackets]

Thus
Syntax command [parameter1=<value1>[, paramter2=<value2>]]
parameter3=<value3|value4>

In the example above:

Parameter 1 and Parameter 2 are optional values
Parameter 2 can be used optionally only if Parameter 1 is specified
Parameter 3 is mandatory.

Parameter 1 has value1 = IP address

Parameter 2 has value2 = string
Parameter 3 has vlaue3 or value4

19
 j
Related Topics
Related topics show that GarrettCom strongly recommends reading
about those topics. You may choose to skip those if you already have
prior detailed knowledge on those subjects.

Tool box – Necessary software and hardware components needed (or

recommended to have) as a perquisite. These include serial ports on a
computer, serial cables, TFTP or FTP software, serial terminal emulation
software etc.

Caution or take notice – Things to watch out for in case of problems or

potential problems. This is also used to draw attention to a special issue,
capability or fact.

There are icons common to the Secure Web Management (SWM) for edit and delete.
These are

Edit – edit the values

Delete – delete the current row or the value(s)

Save – save configuration changes

Refresh – repaint the screen

Terminology – Whenever the word PC is used it implies a UNIX, Linux, Windows or

any other operating system based work station, computer, personal computer, laptop,
notebook or any other computing device. Most of the manual uses Windows XP based
examples. While effort has been made to indicate other Operating System interactions, it
is best to use a Windows-XP based machine when in doubt.

Supported MNS-6K Version – The documentation reflects features of MNS-6K

version 3.3 or higher. If your switch is not at the current version, GarrettCom Inc.
recommends upgrading to the current version. Please refer to the GarrettCom Web site
for information on upgrading the MNS-6K software on Magnum 6K family of switches
or refer to the Appendix in this document.

20
Product Family – this manual is for all the Magnum 6K family of switches.

Finally, at the end of each chapter, is a list of the commands covered in the chapter
as well as a brief synopsis of what they do.

Flow of the user guide

The manual is designed to guide the user through a sequence of events.

Chapter 1 is a guide to this manual.

Chapter 2 is the basic setup as required by the Magnum 6K family of switches. After
completing Chapter 2, the configuration can be done using the web interface. Chapter 2 is
perhaps the most critical chapter in what needs to be done by the network administrator
once the switch is received.

Chapter 3 focuses on operational issues of the switch. This includes time synchronization
using the command line or using a time server on the network.

Chapter 4 through Chapter 6 focuses on security and access consideration. Bad

passwords trump any security setup, so setup the manager passwords carefully as
described in Chapter 2. Chapter 4 describes how to setup port access using MAC address
security. Chapter 5 describes how a RADIUS server can be used for authentication and
access. Chapter 6 essentially is similar to Chapter 5, and talks about using a TACACS+
server instead of a RADIUS server.

Chapter 7 talks about port mirroring and preventing broadcast storms. Port mirroring is
necessary in a network to reflect traffic from one port onto another port so that the traffic
can be captured for protocol analysis or intrusion analysis.

Chapter 8 deals with VLANs. VLANs provide security as well as traffic separation. This
chapter shows how VLANs can be setup and managed.

At this stage the network and the switch are secured. It is now critical to make the
network more reliable. The User Guide switches gears and talks about STP, RSTP and S-
Ring technologies which can be used for making the network reliable. These technologies
allow resiliency in a network. Chapters 9 through Chapter 12 discuss some resiliency
techniques.

Chapter 9 shows how RSTP and STP can be setup and used. Today, RSTP is preferred
over STP.

Chapter 10 focuses on S-Ring™ and setup of S-Ring (optional) and use of Link Loss
Learn (LLL). This chapter also talks about using RS-Ring™ with managed switches.

21
Chapter 11 talks about dual homing and how dual homing can be used to bring resiliency
to edge devices.

Chapter 12 describes LACP and how LACP can be used to increase the throughput
using 10/100 Mbps ports or in situations where resiliency is needed between switches
(trunks).

Once the network is made resilient, the network manager may want to setup prioritization
of traffic.

Chapter 13 focuses on Quality of Service (QoS) and other prioritization issues.

Chapters 14 and 15 focus on advanced topics such as IGMP and GVRP.

Chapter 14 focuses on IGMP.

Chapter 15 focuses on GVRP.

Chapter 16 shows how the SNMP parameters can be setup for managing the switch with
network management software such as Castle Rock SNMPc™

Chapter 17 includes miscellaneous commands to improve the overall ease of use and
other diagnostic information.

22
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

2
Chapter

2 – Getting Started
First few simple steps …

T
his section explains how the GarrettCom Magnum 6K family of switches can be setup using
the console port on the switch. Some of the functionality includes setting up the IP address of
the switch, securing the switch with a user name and password, setting up VLAN’s and more.

Before starting
Before you start, it is recommended that you acquire the software and necessary
hardware listed below.

1) Make sure you are using the latest version of MNS-6K. To update to the latest release
please refer to the Appendix on upgrading MNS-6K in this manual.
2) Make sure you know the IP address or the logical name of the switch and can ping the
switch. If you do not know the IP address or cannot ping the switch, please follow the
steps listed below in the section on Console connection.
3) Make sure you have a browser that supports secure socket connection
4) Make sure you have loaded the latest version of the Macromedia Flash player. You can
download the player from
http://www.macromedia.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
a. The supported version of the Macro Media player is version 5 and above.
5) Should you need to configure the switch using the Command Line interface (CLI) it may
be necessary to use the serial connection. To use the serial port, follow the steps below.

A new switch from GarrettCom will first seek a DHCP server for its IP
address. If it cannot find a DHCP server, it will then seek a BootP
server. Not finding a BootP server, the switch will check to see if the IP
address 192.168.1.2 with a mask of 255.255.255.0 is available. If this IP
address is available, it will assign the IP address to the switch. To connect to the switch
and manage the switch, you can connect a computer to the switch, make sure the IP
address of the computer is 192.168.1.x where x is greater than 2 and does not have a

23
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

conflict with other IP addresses. The netmask has to be set to 255.255.255.0 – please refer
to the necessary operating system manual on how to configure the IP addresses for that
operating system. It is a good idea to isolate the Magnum 6K switch before it is put on the
network with the proper IP address, netmask, and gateway information.

Once a switch is assigned a static IP address, a browser can be opened up and in the
browser, type in the URL https://192.168.1.2 to start using SWM. If an IP address is
assigned by a DHCP server, it is important to know the MAC address of the switch. Using
the MAC address, the DHCP server can be queried using the MAC address for the
associated IP address. Once this information is known, open a browser with a URL
https://<IP-Address-found-from-DHCP-server> to start using SWM

Console connection for CLI

This section is optional. The switch should get it’s IP address through the DHCP or
BootP server or if neither are present on the network, the switch will be assigned a default
IP address of 192.168.1.2 with a netmask of 255.255.255.0. The console cable or the serial
connection is used when these methods fail or the IP address is not known. In those few
exceptional cases, the Command Line Interface (or CLI) is used to determine as well as
reset the IP address if needed.

The connection to the console is accessed through the serial port available as a DB-9
RS232 connector on the switch marked as “console” on the Magnum 6K family of
switches. This interface provides access to the commands the switch can interpret and is
called the Command Line Interface (or CLI). This interface can be accessed by attaching a
VT100 compatible terminal or a PC running a terminal emulation program to the console
port on the Magnum 6K family of switches.

For using the serial port, make sure you have the following
1) A female-female null modem cable. This cable is available from GarrettCom Inc. as
well as from LANstore (http://www.lanstore.com)
2) Serial port – if your PC does not have a serial port, you may want to invest in a USB to
serial converter. This is again available from LANstore or from GarrettCom Inc.
Alternately a USB to serial cable can also be used. This cable is also available from
LANstore or GarrettCom Inc.
3) A PC (or a workstation/computer) with a terminal emulation program such as
HyperTerminal (included with Windows) or Teraterm-pro, minicom or other
equivalent software. (Make sure the software supports Xmodem protocol, as you may
need this in the future to update the MNS-6K software)
4) Enough disk space to store and retrieve the configuration files as well as copy software
files from GarrettCom. We recommend at least 15MB of disk space for this purpose
5) For access security – decide on a manager level account name and password
6) IP address, netmask, default gateway for the switch being configured

24
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

You can use the CLI to configure the IP address for the switch. Once the IP address is
assigned, you can start using the Secure Web Management (SWM) on the GarrettCom
Magnum 6K family of switches.

USB to serial adapters are also available for laptops or computers that do not have native
serial ports but have access to USB ports.

Once the switch is configured with an IP address, Command Line

Interface (or CLI) is also accessible using telnet as well as the serial port.
Access to the switch can be either through the console interface or
remotely over the network.

The Command Line Interface (CLI) enables local or remote unit

installation and maintenance. The Magnum 6k family of switches provides a set of system
commands which allow effective monitoring, configuration and debugging of the devices
on the network.

Console setup
Connect the console port on the switch to the serial port on the computer using the serial
cable listed above. The settings for the HyperTerminal software emulating a VT100 are
shown in Figure 1 below. Make sure the serial parameters are set as shown (or bps =
38400, data bits=8, parity=none, stop bits=1, flow control=none).

FIGURE 1 - HyperTerminal screen showing the serial settings

25
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Console screen
Once the console cable is connected to the PC and the software configured, MNS-6K
legal disclaimers and other text scrolls by on the screen.

The switch has three modes of operation – Operator (least privilege), Manager and
Configuration. The prompts for the switches change as the switch changes modes from
Operator to Manager to Configuration. The prompts are shown in Figure 2 below, with a
brief explanation of what the different prompts indicate.

Magnum6K25> Operator Level – for running operations queries

Magnum6K25# Manager Level – for setting and reviewing commands
Magnum6K25## Configuration Level – for changing the switch parameter values
FIGURE 2 - Prompt indicating the switch model number as well as mode of operation – note the commands to
switch between the levels is not shown here

The prompt can be changed by the user. When the CLI prompts are shown, it will be
shown as Magnum6K25 as this manual was documented on a Magnum 6K25 switch.

Logging in for the first time

For the first time, use the default user name and passwords assigned by GarrettCom for
the Magnum switches. They are:

Username – manager Password – manager

Username – operator Password – operator

We recommend you login as manager for the first time to set up the IP address as well as
change user passwords or create new users.

Setting the IP parameters

To setup the switch, the IP address and other relevant TCP/IP parameters have to be
specified.

Before starting, please ensure that the IP address to be assigned to the switch is known or
contact your system/network administrator to get the IP address information. Follow the
steps listed below to configure the switch.

26
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

• Ensure the power is off

• Follow the steps described above for connecting the console cable and setting the
console software
• Power on the switch
• Once the login prompt appears, login as manager using default password (manager)
• Configure the IP address, network mask and default gateway as per the IP addressing
scheme for your network
• Set the Manager Password (recommended–refer to next section)
• Save the settings (without saving, the changes made will be lost)
• Power off the switch (or a software reboot as discussed below)
• Power on the switch – login with the new login name and password
• From the PC (or from the switch) ping the IP address specified for the switch to
ensure connectivity
• From the switch ping the default gateway specified (ensure you are connected to the
network to check for connectivity) to ensure network connectivity

Syntax ipconfig [ip=<ip-address>] [mask=<subnet-mask>] [dgw=<gateway>]

Magnum6K25# ipconfig ip=192.168.1.150 mask=255.255.255.0 dgw=192.168.1.10

Magnum6K25# save
FIGURE 3 - Setting IP address on the switch

This document assumes the reader is familiar with IP addressing

schemes as well as how net mask is used and how default gateways
and routers are used in a network.
Reboot gives an opportunity to save the configuration prior to shutdown. For a reboot –
simply type in the command “reboot”. (Note – even though the passwords are not
changed, they can be changed later.)
Magnum6K25# reboot
Proceed on rebooting the switch? [ 'Y' or 'N' ] Y
Do you wish to save current configuration? [ 'Y' or 'N' ] Y
Magnum6K25#
FIGURE 4 - Rebooting the switch

At this stage you are now ready to use the Secure Web Management (SWM).

Web browser
In the web browser, type in the following URL

27
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

https://<IP Address assigned to the switch>

Make sure you use HTTPS (secure HTTP) and not HTTP in the
URL

If the IP address of the switch is set to 192.168.15.15, the URL would be

https://192.168.15.15

If your site uses name services, you can use a name instead of the IP
address. Please make sure that the name is resolved to the IP address
assigned to the switch.

FIGURE 5 – Security certificate – click “yes” to proceed

The secure site (in this case the switch) issues a certificate check. Once you click “Yes”
on the security certificate, the browser will prompt you to login.

28
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Note on different browsers, the screens looks similar and some examples are enclosed
below for clarity.

FIGURE 6 – Login screen – for the first time login with the default login name and password. If you
have created other users, you can use the user name and password created. Note – the switch model number
is displayed on the screen. Not all models are shown above

For the first time, login with the name “manager” and password “manager”

FIGURE 7 – Login with the proper user name and password. For the first time use manager as login
name and manager as the password

29
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 8 – After a successful login the initial screen displaying the device ports is show

After a successful login, the welcome screen is shown. Note the information provided on the
welcome screen.

(See caption for the figure above with the figure following)

30
 M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Click on port to
configure it
Menus

Hover in bottom
left corner to get
module type
IP + Other
Information

FIGURE 9 – Welcome screen. Note the different information provided on the screen and different areas. The menus
are used to configure settings on the switch.

Different switches show the different login screen as well as the welcome screen.
In this manual, for consistency, we will show the Magnum 6K25 screen captures.

31
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 10 - Hovering the cursor in the top left corner of the module provides information on the module type

Moving forward, the relevant portion of the screen will only be shown for the switch displayed
above.

Operator Privilege Users

Operator privileges allow views of the current configurations but do not allow changes to
the configuration.

Manager Privilege Users

Manager privileges allow configuration changes. The changes can be done at the manager
prompt or for global configuration as well as specific configuration.

32
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

User management
A maximum of five users can be added per switch. Users can be added, deleted or
changed from a manager level account. There can be more than one manager account,
subject to the maximum number of users on the switch being restricted to five.

Add User
To add a user, use the command “add” as shown below. The user name has to be a unique
name. The password is recommended to be at least 8 characters long with a mix of upper case,
lower case, numbers and special characters.

Select the User Accounts from the Administration User Mgmt User Accounts menu

FIGURE 11 - Adding users

In the example below, after the “Add” button is clicked, user ‘peter’ was added with
Manager Privilege.

33
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 12 – Adding a user with Manager Privilege

After successfully adding a user, the added user is displayed in the list of users

34
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 13 – Added user is shown in the list of users

Deleteing User
To delete a user, click on the delete icon as shown below.

35
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 14 - Deleting a user – click on the delete icon (a white “X” in a red circle) as shown

36
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 15 – Deleting a user – a question is asked to validate the action

In this example, after clicking on OK, the user ‘peter’ will be deleted. If you click on
Cancel, the user ‘peter’ is not deleted. For the next few sections we assume the user was
not deleted.

Modify Password

(Here we assume the user “peter” was not deleted as shown above). To modify the
password, view the users as described above and click on the edit icon

37
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Edit Icon

FIGURE 16 - Changing the password for a specific user – click on the edit icon (shown as a pencil)

After clicking on the edit icon the screen opens up for modifying the password.

38
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 17 - Modifying the password

In this example, since the userid ‘peter’ was selected for modification, the password for
‘peter’ will be modified after the new password is typed in. Click OK to accept the new
password.

Modify the Privilege Level

Privilege levels cannot be changed from the Secure Web Management (SWM). This can be done from the
CLI interface or alternately by deleting the user and adding the same user with the proper privilege level.

Help
Help for the Secure Web Management (SWM) can be obtained by clicking on the Help icon as
shown below. The Tool Tip “Help” is also displayed for clarity.

39
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 18 - Help – note the top right corner with the “?” icon. Note the help is available from any menu and is
context sensitive.

Exiting
To exit or logout – click on the “Logout” button.

40
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 19 – Logout

41
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 20 – Confirming the logout – after “OK” the login prompt is displayed again

42
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

(Intentionally left blank)

43
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

3
Chapter

3 – IP Address and System

Information
Few simple steps to follow…

T
his section explains how the GarrettCom Switches can be setup using other automatic
methods such as bootp and DHCP. Besides this, other parameters required for proper
operation of the switch in a network are discussed.

IP Addressing
j It is assumed that the user has familiarity with IP addresses, classes
of IP addresses and related netmask schemas (e.g. class A, Class B
and Class C addressing).

Importance of an IP address
Without an IP address, the switch will operate as a standalone Layer 2 switch. Without an IP
address, you cannot

• Use the web interface to manage the switch

• Use telnet to access the CLI
• Use any SNMP Network Management software to manage the switch
• Use NTP protocol or an NTP server to synchronize the time on the switch
• Use TFTP or FTP to download the configurations or upload software updates
• Run ping tests to test connectivity

To set the IP address, please refer to the section in Chapter 2 – Setting IP Parameters.

To verify the IP address settings, access the Secure Web Management (SWM), use
Administration System menu item to view and edit the IP address information.

44
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 21 - Checking the IP settings. Click on Edit button to edit the IP or other settings. Note this
screen also displays the serial number as well as the configuration code set at the factory

Besides manually assigning IP addresses, there are other means to assign an IP address
automatically. The two most common procedures are using DHCP and bootp.

DHCP and bootp

j DHCP is commonly used for setting up addresses for computers,
users and other user devices on the network. bootp is the older
cousin of DHCP and is used for setting up IP addresses of
networking devices such as switches, routers, VoIP phones and more. Both of them can
work independent of each other. Both of them are widely used in the industry. It is best to
check with your network administrator regarding what protocol to use and what the
related parameters are. DHCP and bootp require respective services on the network.
DHCP and bootp can automatically assign an IP address. It is assumed that the reader
knows how to setup the necessary bootp parameters (usually specified on Linux/UNIX
systems in /etc/boopttab 1 ).

1 Note – on Windows systems – the location of the file will vary depending on which software is being used.

45
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Bootp Database
Bootp keeps a record of systems supported in a database – a simple text file. On most
systems, the bootp service is not started as a default and has to be enabled. A sample entry
by which the bootp software will look up the database and update the IP address and
subnet mask of the switch would be as follows

M6k25switch:\
ht=ether:\
ha=002006250065:\
ip=192.168.1.88:\
sm=255.255.255.0:\
gw=192.168.1.1:\
hn:\
vm=rfc1048

where
M6k25switch: is a user-defined symbolic name for the switch
ht: is the “hardware type”. For the Magnum 6K family of switches, set this to ether (for
Ethernet). This tag must precede the “ha” tag.
ha: is the “hardware address”. Use the switch’s 12-digit MAC address
ip: is the IP address to be assigned to the switch
sm: is the subnet mask of the subnet in which the switch is installed

Configuring DHCP/Bootp/Manual IP addresses

By default, the switch is configured for manual IP operation. DHCP/bootp can be

enabled by using the Secure Web Management (SWM) as shown below. After the changes
are completed, click OK to register the changes.

46
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 22 - Changing the boot mode as well as IP address and other parameters of the switch. Note if the
IP address is changed, the http session has to be restarted with the new IP address

Using Telnet

By default, the telnet client is enabled on the GarrettCom Magnum 6K family of switches.
Using the Secure Web Management (SWM), telnet cannot be disabled. The telnet client
can be disabled by using the ‘telnet disable’ command on the CLI. To use a telnet
session on the switch, the Configuration Telnet menu is used. A maximum of four
simultaneous telnet sessions are permitted.

47
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 23 - Telnet session to the switch can be launched from Secure Web Management
(SWM). The telnet interface is a convenient way to access Command Line Interface (CLI)
commands, Note – multiple telnet sessions (up to 4) are supported.

The default port – port 23 is used for telnet.

A maximum of four simultaneous telnet sessions are allowed at any time on

the switch. The commands in these telnet windows are executed in a round
robin – i.e. if one window takes a long time to finish a command, the other
windows may encounter a delay before the command is completed. For example, if one window
is executing a file download, the other windows will not be able to execute the command before
the file transfer is completed. Another example, if a outbound telnet session is started from the
switch (through a telnet window) then the other windows will not be able to execute a command
till the telnet session is completed.

48
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Date and time

It may be necessary to set the day, time or the time zone manually. This can be done using
the Administration Set Date and Time menu as shown below.

FIGURE 24 – Setting the date and time

Network time
Many networks synchronize the time using a Network time server. The network time
server provides time to the different machines using the Simple Network Time Protocol
(SNTP). To specify the SNTP server, one has to
1) Set the IP parameters on the switch
2) Define the SNTP parameters

49
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Configure the SNTP parameters using Configuration SNTP menu. The SNTP menu
allows the time zone (hours from GMT) to be defined along with other appropriate
parameters on setting the time and synchronizing clocks on network devices.

Editing Time-
zone and SNTP
status

Adding
additional
servers

FIGURE 25 – SNTP parameters. Note – the Edit button allows edit of the SNTP parameters as shown
below. Adding or deleting SNTP servers is done by using the add button or delete button (white “X” in the
red circle)

On clicking the Edit button shown above, the parameter of the SNTP settings can be
modified.

50
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 26 – Modifying the SNTP parameters. SNTP can be enabled or disabled from this menu as
well

After the proper SNTP values are entered, click OK to register the changes. Click Cancel
to back out from the changes made.

To add an SNTP server, click on the “Add” button on Configuration SNTP menu.
The menu prompts you to add IP address of an SNTP server, the time out in seconds and
the number of retries, before the time synchronization effort is aborted.

If your site has internet connectivity, there are a number of SNTP

servers available on the Internet 2 . A quick search on the Internet
will yield information about these servers. You should use the IP
address of these servers (or add the information of their IP address
in the host table. Refer to the section of the host table in this user
guide.) Please make sure that the server can be reached by using the
ping command. (The ping utility also yields the IP address of the
server.) The ping command can also be launched from Secure Web
Management (SWM).

2 The most commonly used is the NIST time server time.nist.gov

51
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 27 – Adding SNTP servers. Time Out is in seconds. Note the Time server can be a NTP server
available on the Internet. Make sure the IP parameters are configured for the switch and the device can be
pinged by the switch. The Sync Now button allows the synchronization as soon as the server information is
added.

Once the server is added, it is listed with the other SNTP servers. The time of the day (in 24
hour clock format) when the time on the switch is updated can be changed by adding a new
server or by editing the time server information. If the time when the synchronization is
changed, the change is reflected on all servers added.

Saving and loading

After configuration changes are made, all the changes are automatically saved. It is a good practice
to save the configuration on another server on the network using the tftp or ftp protocols. Once
the configuration is saved – the saved configuration can be loaded to restore back the settings.

52
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

DO NOT USE SECURE WEB MANAGEMENT (SWM) INTERFACE

AND THE TFTP COMMAND IN SWM TO UPDATE THE SWITCH
UNLESS YOU ARE USING MSN-6K RELEASE 3.1 (OR LATER) –
BEFORE THIS RELEASE, TFTP COULD TIME-OUT CAUSING
UNDESIREABLE EFFECTS ON THE SWITCH.

Server name can be

used if specified in
host file

Login and password

required by FTP server

Using the drop down the

operation can be specified

FIGURE 28 – Using FTP to save configuration as well as up load new image or reload a saved
configuration. Note – the active or passive mode of ftp can be used. To set that, use Administration
Set FTP Mode menu item

Make sure the machine specified by the IP address has the necessary services running on
it. For serial connections, x-modem or other alternative methods can be used. File name
in many situations has to be a unique file name as over-writing files is not permitted by
most ftp and tftp servers (or services). Make sure the user name and passwords are known
before the process begins.

Download from the tftp/ftp server to the switch

53
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Upload from the switch to the ftp/TFTP server

Server name can

be used if specified
in host file

FIGURE 29 - Saving the configuration on a tftp server – note the menu is similar to the FTP screen described
earlier

This process can also be used to update new software to the Magnum 6K family of
switches. Before the software is updated, it is advised to save the configurations. The re-
loading of the configuration is not usually necessary; however, in certain situations it may
be needed and it is advised to save configurations before a software update. Make sure to
reboot the switch after a new configuration is loaded.

Using the File Mgmt (management) menus several operations can take place as shown in
the figure below and summarized below. These operations can take place from the FTP or
TFTP servers on the network as shown above.

54
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 30 – Different file transfer types

The file transfer operations allowed are:

1. Image Download (or Image Upload) copy the MNS-6K image from switch to the
server (or from the server to the switch). The “Image Upload” option is commonly
used to upgrade the MNS-6K image on the switch.
2. Config Download (or Config Upload) save the configuration of the switch on the
server (or load the saved configuration from the server to the switch). This option is
used to save a backup of the switch configuration or restore the configuration (in case
of a disaster.)
3. Script Download (or Script Upload) save the necessary CLI commands used for
configuration of the switch (or upload the necessary CLI commands needed to
configure the switch). This option is used to ease the repetitive task for configuring
multiple commands or reviewing all the commands needed to configure the switch.
4. Host Download (or Host Upload) save the host information. The hosts are created
by the Configuration Access Host commands
5. Log Upload Save the log file on the ftp/TFTP server

55
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Script file
Script file is a file containing a set of CLI commands which are used to configure the switch. CLI
commands are repeated in the file for clarity, providing guidance to the user editing the file as to
what commands can be used for modifying variables used by MNS-6K. The script file does not
have a check sum at the end and is used for configuring a large number of switches easily. As with
any configuration file that is uploaded, GarrettCom recommends that modifications of this file
and the commands should be verified by the User in a test environment prior to use in a "live"
production network.

The script file will look familiar to people familiar with the CLI commands as all the commands saved
in the script file are described in the CLI User Guide. A sample of the script file is shown below.

################################################################
# Copyright (c) 2001-2005 GarrettCom, Inc All rights reserved.
# RESTRICTED RIGHTS
# ---------------------------------
# Use, duplication or disclosure is subject to U.S. Government
# restrictions as set forth in Sub-division (b)(3)(ii) of the
# rights in Technical Data and Computer Software clause at
# 52.227-7013.
#
# This file is provided as a sample template to create a backup
# of Magnum 6K switch configurations. As such, this script
# provides insights into the configuration of Magnum 6K switch's
# settings. GarrettCom recommends that modifications of this
# file and the commands should be verified by the User in a
# test environment prior to use in a "live" production network.
# All modifications are made at the User's own risk and are
# subject to the limitations of the GarrettCom software End User
# License Agreement (EULA). Incorrect usage may result in
# network shutdown. GarrettCom is not liable for incidental or
# consequential damages due to improper use.
################################################################

#Magnum 6KQ build 3.7.1 Sep 27 2007 16:41:37

#Modules: 39 99 86 0
#Slot A: 4 Port TP-MDIX Module
#Slot B: 2 Port Fiber10 Module
#Slot C: 4 Port Fiber100 Module
#Slot D: 1 10/100/1000T 1 Giga SFP-1000
##########################################################
# System Manager - This area configures System related #
# information. #
##########################################################
set bootmode type=auto
set timeout=10
access
telnet enable
snmp enable
web enable
ssl enable

56
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

exit
##########################################################
# User Accounts - This area configures user accounts for #
# accessing this system. #
##########################################################
user
add user=manager level=2 pass=manager
useraccess user=manager service=telnet enable
useraccess user=manager service=web enable
useraccess user=manager service=acl enable
add user=operator level=1 pass=operator
useraccess user=operator service=telnet enable
useraccess user=operator service=web enable
useraccess user=operator service=acl enable
exit
##########################################################
# IP-based Access List - This area configures the #
# access/deny control list. #
##########################################################
##########################################################
# Serial Communication - This area configures the serial #
# communication parameters. #
##########################################################
set serial baud=38400 data=8 parity=none stop=1 flowctrl=none
##########################################################
# Host Table - Host to IP address resolution. #
# #
##########################################################
access
gdp enable
gdp proxy status=disable
exit
set prompt $p
set ftp mode=normal
hbarp disable
##########################################################
# Event Logging - This area configures event logging #
# options. #
##########################################################
set logsize size=100
##########################################################
# Alarms - This area configures alarm triggers and #
# options. #
##########################################################
alarm
alarm disable
period time=3
exit
<additional lines deleted for succinct viewing>
FIGURE 31 – Example of Script file. Note all the commands are CLI commands. This script provides
insights into the configuration of Magnum MNS-6K settings. GarrettCom recommends that modifications
of this file and the commands should be verified by the User in a test environment prior to use in a "live"
production network

57
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

To ease the process of uploading the script files, use the Script Upload/Download
capability described above.

Displaying configuration
Using SWM, the need to display specific CLI commands for configuring capabilities is not needed. The
menus are modular and are alphabetically sorted to display each necessary component in a logical
manner. This section is repeated from the CLI manual, should the need arise to view the necessary
commands. The best way to view these commands is to telnet to the switch using the Telnet menu
from the Administration menu.

To display the configuration or to view specific modules configured, the ‘show config’ command is
used as described below.

Syntax show config [module=<module-name>]

Where module-name can be

Name Areas affected

system IP Configuration, Boot mode, Users settings (e.g.
login names, passwords)
event Event Log and Alarm settings
port Port settings, Broadcast Protection and QoS
settings
bridge Age time setting
stp STP, RSTP, S- Ring and LLL settings
ps Port Security settings
mirror Port Mirror settings
sntp SNTP settings
llan VLAN settings
gvrp GVRP settings
snmp SNMP settings
web Web and SSL/TLS settings
tacacs TACACS+ settings
auth 802.1x Settings
igmp IGMP Settings
smtp SMTP settings
If the module name is not specified the whole configuration is displayed.

58
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Magnum6K25# show config

[HARDWARE]
type=Magnum6K25
slotB=8 Port TP Module
##########################################################
# System Manager - This area configures System related #
# information. #
##########################################################
[SYSTEM]
***Edit below this line only****
system_name=Main
[email protected]
system_location=Sunnyvale, CA
boot_mode=manual
system_ip=192.168.1.15
system_subnet=0.0.0.0
system_gateway=192.168.1.11
idle_timeout=10
telnet_access=enable
snmp_access=enable
web_access=enable

--more—
<additional lines deleted for succinct viewing>
FIGURE 32 – ‘show config’ command output

Magnum6K25# show config module=snmp

[HARDWARE]
type=Magnum6K25
slotB=8 Port TP Module
##########################################################
# Network Management - This area configures the SNMPv3 #
# agent. #
##########################################################
[SNMP]
engineid=6K_v3Engine
defreadcomm=public
defwritecomm=private
deftrapcomm=public
authtrap=disable
com2sec_count=0
group_count=0
view_count=1
view1_name=all
view1_type=included
view1_subtree=.1
view1_mask=ff

59
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

--more—
<additional lines deleted for succinct viewing>
FIGURE 33 – displaying specific modules using the ‘show config’ command

Magnum6K25# show config module=snmp,system

[HARDWARE]
type=Magnum6K25
slotB=8 Port TP Module
##########################################################
# System Manager - This area configures System related #
# information. #
##########################################################
[SYSTEM]
***Edit below this line only****
system_name=Main
[email protected]
system_location=Sunnyvale, CA
boot_mode=manual
system_ip=192.168.1.15
system_subnet=0.0.0.0
system_gateway=192.168.1.11
idle_timeout=10
telnet_access=enable
snmp_access=enable
web_access=enable

--more—
<additional lines deleted for succinct viewing>
FIGURE 34 – displaying configuration for different modules. Note – multiple modules can be specified on the
command line

Host Names
Instead of typing in IP addresses of commonly reached hosts, MNS-6K allows host names to
be created with the necessary host names and IP addresses, user names and passwords. To
create host entries, use the Configuration Access Host menus as shown below.

60
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 35 – creating commonly used host entries. These entries can be saved using Host upload capabilities
under Administration File Management menus

To add a host, click on the Add button and then fill in all the fields below to create the
necessary host entries.

61
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 36 – Adding information about specific hosts

62
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 37 – After hosts are added, the information related to the added host is displayed.

To delete or edit the entries, use the delete or edit icons next to each entry shown above.

Erasing configuration
To erase the configuration and reset the configurations to factory default, the Secure Web
Management (SWM) interface cannot be used. A serial or a telnet session to the switch will
provide a CLI interface. Once the CLI interface is available, the ‘kill config’ command can be
used to erase the configuration. This command is a “hidden command” i.e. the on-line help
and other help functions normally do not display this command. Please refer to the “Magnum
MNS-6K User Guide” for more information on this command.

63
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Saving changes
Any changes can be saved by clicking on the Save (floppy) icon . SWM will ask again if the
changes need to be saved or ignored. If the changes need to be ignored, click on cancel and
reboot the switch. If the changes need to be saved, click on OK.

FIGURE 38 – Saving changes made – for example after adding SNTP server, the change needs to be saved.
This can be done by clicking on the floppy icon to save current configuration

64
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 39 – Confirmation to save changes

The “Save Configuration” saves the configuration to the memory. Without the “Save
Configuration”, the changes made are not permanent. To make the changes permanent, use
the “Save Configuration” as shown above and click on OK to register the changes.

65
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 40 – After changes are made

The changes are now permanent. GarrettCom Inc. recommends that the new configuration is
backed up as described above.

66
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

4
Chapter

4 – IPv6
Next generation IP addressing

T
his section explains how the access to the GarrettCom Magnum MNS-6K can setup using
IPv6 instead of IPv4 addressing described earlier. IPv6 provides a much larger address space
and is required today by many.

Assumptions
It is assumed here that the user is familiar with IP addressing
j schemes and has other supplemental material on IPv6,
configuration, routing, setup and other items related to IPv6. This
user guide does not dwell or probe those details.

Introduction to IPv6
IPv6 is short for "Internet Protocol Version 6". IPv6 is the "next generation" protocol or
IPng and was recommended to the IETF to replace the current version Internet Protocol,
IP Version 4 ("IPv4"). IPv6 was recommended by the IPv6 (or IPng) Area Directors of
the Internet Engineering Task Force at the Toronto IETF meeting on July 25, 1994 in
RFC 1752, The Recommendation for the IP Next Generation Protocol. The
recommendation was approved by the Internet Engineering Steering Group and made a
proposed standard on November 17, 1994. The core set of IPv6 protocols were made an
IETF draft standard on August 10, 1998.
IPv6 is a new version of IP which is designed to be an evolutionary step from IPv4. It is a
natural increment to IPv4. It can be installed as a normal software upgrade in internet
devices and is interoperable with the current IPv4. Its deployment strategy is designed to
not have any dependencies. IPv6 is designed to run well on high performance networks
(e.g. Gigabit Ethernet, OC-12, ATM, etc.) and at the same time still be efficient for low
bandwidth networks (e.g. wireless). In addition, it provides a platform for new internet
functionality that will be required in the near future.
IPv6 includes a transition mechanism which is designed to allow users to adopt and
deploy IPv6 in a highly diffuse fashion and to provide direct interoperability between IPv4

67
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

and IPv6 hosts. The transition to a new version of the Internet Protocol is normally
incremental, with few or no critical interdependencies. Most of today's internet uses IPv4,
which is now nearly twenty years old. IPv4 has been remarkably resilient in spite of its age,
but it is beginning to have problems. Most importantly, there is a growing shortage of
IPv4 addresses, which are needed by all new machines added to the Internet.
IPv6 fixes a number of problems in IPv4, such as the limited number of available IPv4
addresses. It also adds many improvements to IPv4 in areas such as routing and network
auto configuration. IPv6 is expected to gradually replace IPv4, with the two coexisting for
a number of years during a transition period.

What’s changed in IPV6?

The changes from IPv4 to IPv6 fall primarily into the following categories:
• Expanded Routing and Addressing Capabilities – IPv6 increases the IP address size
from 32 bits to 128 bits, to support more levels of addressing hierarchy and a much
greater number of addressable nodes, and simpler auto-configuration of addresses.
The scalability of multicast routing is improved by adding a "scope" field to multicast
addresses.
• A new type of address called a "anycast address" is defined, to identify sets of nodes
where a packet sent to an anycast address is delivered to one of the nodes. The use of
anycast addresses in the IPv6 source route allows nodes to control the path which
their traffic flows.
• Header Format Simplification - Some IPv4 header fields have been dropped or made
optional, to reduce the common-case processing cost of packet handling and to keep
the bandwidth cost of the IPv6 header as low as possible despite the increased size of
the addresses. Even though the IPv6 addresses are four time longer than the IPv4
addresses, the IPv6 header is only twice the size of the IPv4 header.
• Improved Support for Options - Changes in the way IP header options are encoded
allows for more efficient forwarding, less stringent limits on the length of options, and
greater flexibility for introducing new options in the future.
• Quality-of-Service Capabilities - A new capability is added to enable the labeling of
packets belonging to particular traffic "flows" for which the sender requests special
handling, such as non-default quality of service or "real- time" service.
• Authentication and Privacy Capabilities - IPv6 includes the definition of extensions
which provide support for authentication, data integrity, and confidentiality. This is
included as a basic element of IPv6 and will be included in all implementations.

68
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

IPv6 Addressing
IPv6 addresses are 128-bits long and are identifiers for individual interfaces and sets of
interfaces. IPv6 addresses of all types are assigned to interfaces, not nodes. Since each
interface belongs to a single node, any of that node's interfaces' unicast addresses may be
used as an identifier for the node. A single interface may be assigned multiple IPv6
addresses of any type.
There are three types of IPv6 addresses. These are unicast, anycast, and multicast. Unicast
addresses identify a single interface. Anycast addresses identify a set of interfaces such that
a packet sent to an anycast address will be delivered to one member of the set. Multicast
addresses identify a group of interfaces, such that a packet sent to a multicast address is
delivered to all of the interfaces in the group. There are no broadcast addresses in IPv6,
their function being superseded by multicast addresses.
IPv6 supports addresses which are four times the number of bits as IPv4 addresses (128
vs. 32). This is 4 Billion times 4 Billion times 4 Billion (296) times the size of the IPv4
address space (232). This works out to be:
340,282,366,920,938,463,463,374,607,431,768,211,456
This is an extremely large address space. In a theoretical sense this is approximately
665,570,793,348,866,943,898,599 addresses per square meter of the surface of the planet
Earth (assuming the earth surface is 511,263,971,197,990 square meters). In the most
pessimistic estimate this would provide 1,564 addresses for each square meter of the
surface of the planet Earth. The optimistic estimate would allow for
3,911,873,538,269,506,102 addresses for each square meter of the surface of the planet
Earth. Approximately fifteen percent of the address space is initially allocated. The
remaining 85% is reserved for future use.
The details on the addressing are covered by numerous articles on the WWW as well as
other literature and are not covered here.

Configuring IPv6
To configure IPv6, click on Configuration IPv6 as shown below.

69
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 41 – Accessing IPv6 configuration information

Click on edit to edit an existing IPv6 Address. Click on Add to add a new IPv6 address.

70
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 42 – Enter in the IPv6 address and netmask. In this example the IPv6 address is
fe80::220:8ff:fe03:509 and the netmask is ffff:ffff:ffff:ffff::

After the IPv6 address is added, the screen shown below reflects the address added. Note – the gateway
is still blank. Once the address is added, this can be either deleted or edited. Note netmask can also be
entered in as the number of “1’s” in the netmask as shown below.

71
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 43 – Optional way to enter the netmask information. The information entered in this figure and the
prior figure is the same

72
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 44 – After successfully adding an IPv6 address, the address is displayed. Note – the Gateway IPv6
address has still not been added

To add the gateway, click on Edit as shown below. Make sure that the IP address is not selected. If the
IP address is selected, clicking on Edit will allow you to edit the IP address.

73
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 45 – Click on Edit to Edit the gateway information. Make sure the IP address is not selected as shown
above. To edit the IPv6 address, select the IP address and then click on the Edit button

74
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 46 – Add the gateway information. After the information is added, click OK

After the gateway information is added, this is displayed on the screen.

75
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 47 – After adding the gateway information, this information is displayed on the main IPv6 screen

Finally, click on the save button to save the information added.

76
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

5
Chapter

5 – Access Considerations
Securing the switch access….

T
his section explains how the access to the GarrettCom Magnum 6K family of switches can be
secured. Further security considerations are also covered such as securing access by IP address
or MAC address.

Securing access
It is assumed here that the user is familiar with issues concerning
j security as well as securing access for users and computers on a
network. Secure access on a network can be provided by
authenticating against an allowed MAC address as well as IP
address.

Port security
The port security feature can be used to block computers from accessing the network by
requiring the port to validate the MAC address against a known list of MAC addresses.
This port security feature is provided on an Ethernet, Fast Ethernet, or Gigabit Ethernet
port. In case of a security violation, the port can be configured to go into the disable
mode or drop mode. The disable mode disables the port, not allowing any traffic to pass
through. The drop mode allows the port to remain enabled during a security violation and
drop only packets that are coming in from insecure hosts. This is useful when there are
other network devices connected to the Magnum 6K family of switches. If there is an
insecure access on the secondary device, the Magnum 6K family of switches allows the
authorized users to continue to access the network; the unauthorized packets are dropped
preventing access to the network.

77
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Network Security
j Network security hinges on the ability to allow or deny access to
network resources. The access control aspect of secure network
services involves allowing or disallowing traffic based on information
contained in packets, such as the IP address, MAC address, or other content. Planning for
access is a key architectural and design consideration. For example, which ports are
configured for port security? Normally rooms with public access e.g. lobby, conference
rooms etc. should be configured with port security. Once that is decided, the next few
decisions are – who are the authorized and unauthorized users? What action should be
taken against authorized as well as unauthorized users? How are the users identified as
authorized or unauthorized?

Configuring Port Security

After enabling the Secure Web Management (SWM), click on Configuration Port
Security menus to configure port security as shown below.

FIGURE 48 – Port security configuration

78
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

From the menu shown above, each individual port can be configured for the proper
action on the port, auto learn MAC addresses and specify individual MAC addresses. To
edit each port, click on the edit icon (shown as a pencil).

To enable or disable Port Security – use the Status Enable/Disable drop down menu as
shown in the next figure.

FIGURE 49 – Enable or disable Port Security functions. Note the screen also provides an overview of each port on
the switch. Each port can be individually configured for the proper port security action

Each individual port can be configured by clicking on the edit icon . Once the edit
screen is shown the following actions can be taken for each port:

1) The port can be specified to create a log entry or send a trap, do both or do nothing.
This is done by the “Signal Status” drop down menu

79
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

2) The port can be specified to drop the connection, disable the port or do nothing. This
is indicated by the “Action Status” drop down menu
3) The port can be put in the learn mode or the learning can be disabled. This is
indicated by the “Learn Status” drop down menu

Additionally, MAC addresses can be added or deleted from the table of allowed MAC
addresses. To delete a MAC address, click on the delete icon . To add a MAC address,
click on the ADD button and fill in the MAC address in the MAC address window.

FIGURE 50 – Port security – allowing specific MAC addresses on a specified port as well as changing the
status of each port

There is a limitation of 200 MAC addresses per port and 500 MAC
addresses per Switch for Port Security.

80
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 51 – Adding MAC addresses – after clicking on the Add

button, the screen opens up to allow you to specify a specific MAC
address

Once port security is setup, it is important to manage the log and review the log often. If the
signals are sent to the trap receiver, the traps should also be reviewed for intrusion and other
infractions.

Logs
All events occurring on the Magnum 6K family of switches are logged. The events can be
as shown below

Code Description
0 Emergency: system is unusable – called “fatal” in show log
command
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition – called “note” in show log
command
6 Informational: informational messages
7 Debug: debug-level messages

A few point to note about logs

• By default, the logging is limited to the first six levels
• The event log is now automatically saved to flash, so rebooting will not loose
them
• The event log now includes more information, because of the additional
flexibility built into the log engine. For example, it now logs the IP address and
user name of a remote user login
• The log size parameter is now redefined as the max size of the log that is saved to
flash. More events might appear in the log as they happen, but the whole list will
be trimmed to the specified max size when a save command is issued, or the
system rebooted.

81
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

These logs are in compliance with the definitions of RFC 3164, though not all the nuances
of the syslog are implemented as specified by the RFC.

FIGURE 52 – Logs made on the switch. Specific logs may be viewed by using the drop down menu in the top
right corner

The log shows the most recent intrusion at the top of the listing. If the log is filled when the
switch detects a new intrusion, the oldest entry is dropped off the listing.

As discussed in the prior section, any port can be set to monitor security as well as make a
log on the intrusions that take place. The logs for the intrusions are stored on the switch.
When the switch detects an intrusion on a port, it sets an “alert flag” for that port and
makes the intrusion information available.

The default log size is 50 rows. To change the log size please use the
Configuration Statistics Log Statistics menu

82
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

When the switch detects an intrusion attempt on a port, it records the date and time
stamp, the MAC address, the port on which the access was attempted and the action taken
by MNS-6K software. The event log lists the most recently detected security violation
attempts. This provides a chronological entry of all intrusions attempted on a specific
port.

When the switch detects an intrusion attempt on a port, it records the date and time
stamp, the MAC address, the port on which the access was attempted and the action taken
by MNS-6K software. The event log lists the most recently detected security violation
attempts. This provides a chronological entry of all intrusions attempted on a specific
port.

The event log records events as single-line entries listed in chronological order, and serves
as a tool for isolating problems. Each event log entry is composed of four fields
Severity – the level of severity (see below)
Date – date the event occurred on. See Chapter 3 on setting the date and time on the
switch
Time – time the event occurred on. See Chapter 3 on setting the date and time on the
switch
Log Description – description of event as detected by the switch

Severity is one of 8 severities described at the beginning of this section.

This information is covered again in a later chapter as well

Authorized managers
Just as port security allows and disallows specific MAC addresses from accessing a network,
SWM can allow or block specific IP addresses or a range of IP addresses to access the switch.
This access is mainly for management and configuration purposes only and does not blow
other traffic (e.g. IGMP or file transfer traffic.) The menu is Administration Access

83
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 53 – Authorized access list for managing the switch. Note specific servers can be authorized using
the Host menu. The host entries can be backed up by using the Administration File Mgmt menu. A group
of stations with IP addresses can be authorized using the IP access menu.

It is assumed here that the user is familiar with IP addressing schemes

(e.g. Class A, B, C etc.), subnet masking and masking issues such as
how many stations are allowed for a given subnet mask.

In the example below – any computer on 10.10.10.0 sub network is allowed (note how the
subnet mask is used to indicate that). Also shown below are stations (hosts) which are
allowed access as well as how other applications such as ftp or telnet (under
Administration File Mgmt) menus can upload/download the files.

84
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 54 – Adding any computer on the 10.10.10.0 sub net to manage the switch. Note from this
network, the stations will not be allowed telnet access. The stations will be allowed access via SWM as well as
SNMP managers on the 10.10.10.0/24 network will be able to query the switch.

85
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 55 – After adding access to the network, the capabilities allowed are displayed

86
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

6
Chapter

6 – Access Using RADIUS

Using a RADIUS server to authenticate access….

T
he IEEE 802.1x standard, Port Based Network Access Control, defines a mechanism for port-
based network access control that makes use of the physical access characteristics of
IEEE 802 LAN infrastructure. It provides a means of authenticating and authorizing
devices attached to LAN ports that have point-to-point connection characteristics. It also
prevents access to that port in cases where the authentication and authorization fails.
Although 802.1x is mostly used in wireless networks, this protocol is also implemented in
LANs. The Magnum MNS-6K Software switch implements the authenticator, which is a
major component of 802.1x.

j RADIUS
Remote Authentication Dial-In User Service or RADIUS is a server that has been
traditionally used by many Internet Service Providers (ISP) as well as
Enterprises to authenticate dial in users. Today, many businesses use the RADIUS server for
authenticating users connecting into a network. For example, if a user connects PC into the
network, whether the PC should be allowed access or not provides the same issues as to
whether or not a dial in user should be allowed access into the network. A user has to
provide a user name and password for authenticated access. A RADIUS server is well suited
for controlling access into a network by managing the users who can access the network on a
RADIUS server. Interacting with the server and taking corrective action(s) is not possible on
all switches. This capability is provided on the Magnum 6K family of switches.

RADIUS servers and its uses are also described by one or more RFCs.

802.1x
There are three major components of 802.1x: - Supplicant, Authenticator and Authentication
Server (RADIUS Server). In the figure below, the PC acts as the supplicant. The supplicant is an
entity being authenticated and desiring access to the services. The switch is the authenticator. The
authenticator enforces authentication before allowing access to services that are accessible via that

87
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

port. The authenticator is responsible for communication with the supplicant and for submitting
the information received from the supplicant to a suitable authentication server. This allows the
verification of user credentials to determine the consequent port authorization state. It is
important to note that the authenticator’s functionality is independent of the actual authentication
method. It effectively acts as a pass-through for the authentication exchange.

802.1x
Switch

Authenticator
Supplicant
Authentication
Server (RADIUS)

FIGURE 56 – 802.1x network components

The RADIUS server is the authentication server. The authentication server provides a standard
way of providing Authentication, Authorization, and Accounting services to a network.
Extensible Authentication Protocol (EAP) is an authentication framework which supports
multiple authentication methods. EAP typically runs directly over data link layers such as PPP or
IEEE 802, without requiring IP. EAP over LAN (EAPOL) encapsulates EAP packets onto 802
frames with a few extensions to handle 802 characteristics. EAP over RADIUS encapsulates EAP
packets onto RADIUS packets for relaying to RADIUS authentication servers.

The details of the 802.1x authentication are shown below

88
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

EAPOL EAP over RADIUS

802.1x
Switch

X Port Connected Access Blocked

Y EAP Request Id
Z
RADIUS Access Request
[
\ EAP Request
RADIUS Access Challenge

]
EAP Response ^ RADIUS Access Request
` _ RADIUS Access Accept
EAP Success
Access Allowed

FIGURE 57 – 802.1x authentication details

1. The supplicant (laptop/host) is initially blocked from accessing the network. The
supplicant wanting to access these services starts with an EAPOL-Start frame
2. The authenticator (Magnum 6K switch), upon receiving an EAPOL-start frame, sends a
response with an EAP-Request/Identity frame back to the supplicant. This will inform
the supplicant to provide its identity
3. The supplicant then sends back its own identification using an EAP-Response/Identity
frame to the authenticator (Magnum 6K switch.) The authenticator then relays this to the
authentication server by encapsulating the EAP frame on a RADIUS-Access-Request
packet
4. The RADIUS server will then send the authenticator a RADIUS-Access-Challenge packet
5. The authenticator (Magnum 6K switch) will relay this challenge to the supplicant using an
EAP-Request frame. This will request the supplicant to pass its credentials for
authentication
6. The supplicant will send its credentials using an EAP-Response packet
7. The authenticator will relay using a RADIUS-Access-Request packet
8. If the supplicant’s credentials are valid, RADIUS-Access-Accept packet is sent to the
authenticator
9. The authenticator will then relay this on as an EAP-Success and provide access to the
network
10. If the supplicant does not have the necessary credentials, a RADIUS-Access-Deny packet
is sent back and relayed to the supplicant as an EAP-Failure frame. The access to the
network continues to be blocked

89
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

The Magnum MNS-6K Software implements the 802.1x authenticator. It fully conforms to the
standards as described in IEEE 802.1x, implementing all the state machines needed for port-
based authentication. The Magnum MNS-6K Software authenticator supports both EAPOL and
EAP over RADIUS to communicate to a standard 802.1x supplicant and RADIUS authentication
server.

The Magnum MNS-6K Software authenticator has the following characteristics:

• Allows control on ports using STP-based hardware functions. EAPOL frames are
Spanning Tree Protocol (STP) link Bridge PDUs (BPDU) with its own bridge multicast
address
• Relays MD5 challenge (although not limited to) authentication protocol to RADIUS
server
• Limits the authentication of a single host per port
• The Magnum 6K switch provides the IEEE 802.1x MIB for SNMP management

Configuring 802.1x
To access the 802.1x menus, use the Configuration 802.1x menus.

First select the server. DO NOT ENABLE RADIUS capabilities till you have ensured that the
ports are configured properly. After the ports are configured, enable the RADIUS capability. Also
ensure that the port connected to the RADIUS server or the network where the RADIUS server
is connected to, is not an authenticated port.

90
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 58 – Configuring the RADIUS Server – initially, the RADIUS Services are disabled and the
server IP address is set to 0.0.0.0 – edit that server IP and secret to add a RADIUS server

91
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 59 – Editing information of the RADIUS server. Note the UDP port number can be left blank
and the default port 1812 is used

After configuring the Server information, specific port information is configured. Click on
Configuration Radius Port to configure the RADIUS characteristics of each port.

92
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 60 – Setting the port characteristic for RADIUS authentication. To edit the port settings – click
on the edit icon

93
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 61 – Ensure that the port which has the RADIUS server is force authorized and asserted. Other ports
(user ports), it is best to leave the Control on auto and Initialize on deasserted

94
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 62 – Changing the Port Access characteristics when authenticating with a RADIUS server

Quiet Period – This is the quiet period or the amount of time, in seconds, the supplicant
is held after an authentication failure before the authenticator retries the supplicant for
connection. The default value is 60 seconds. Values can range from 0 to 65535 seconds.
Max Reauth – The number of re-authentication attempts that are permitted before the
port becomes unauthorized. Default value is 2. Values are integers and can range from 0
to 10.
Transmit Period – This is the transmit period; it is the time in seconds the authenticator
waits to transmit another request for identification from the supplicant. Default value is
30. Values can be from 1 to 65535 seconds

These values can be edited by clicking on the edit icon

95
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 63 – Backend or communication characteristics between Switch and RADIUS Server

Supp Timeout – This is the timeout in seconds the authenticator waits for the supplicant
to respond back. Default value is 30 seconds. Values can range from 1 to 240 seconds.
Server Timeout – This is the timeout in seconds the authenticator waits for the backend
RADIUS server to respond back. The default value is 30 seconds. Values can range from
1 to 240 seconds.
Max Request – The maximum number of times the authenticator will retransmit an EAP
Request packet to the Supplicant before it times out the authentication session. Its default
value is 2. It can be set to any integer value from 1 to 10.

These values can be edited by clicking on the edit icon

96
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 64 – Port authentication characteristics – set values on how the authenticator (Magnum 6K switch)
does the re-authentication with the supplicant or PC

Reauth Period – This is the re-authentication period in seconds. It is the time the
authenticator waits before a re-authentication process will be done again to the supplicant.
Default value is 3600 seconds (1 hour). Values can range from 10 to 86400 seconds.

97
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 65 – RADIUS Statistics – note that the stats are for each port

Finally – after all the port characteristics are enabled do not forget to save the
configuration using the save (floppy disk) icon and enabling RADIUS from the
Configuration 802.1x Server menu.

98
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

(Intentionally left blank)

99
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

7
Chapter

7 – Access Using TACACS+

Using a TACACS+ server to authenticate access….

T
ACACS+, short for Terminal Access Controller Access Control System, protocol provides
access control for routers, network access servers and other networked computing devices via
one or more centralized servers. TACACS+ provides separate authentication, authorization
and accounting services.

TACACS - Its Flavors and History

j TACACS allows a client to accept a username and password and send a query to
a TACACS authentication server, sometimes called a TACACS daemon (server)
or simply TACACSD. This server was normally a program running on a host.
The host would determine whether to accept or deny the request and send a response back.

The TACACS+ protocol is the latest generation of TACACS. TACACS is a simple UDP based
access control protocol originally developed by BBN for the MILNET (Military Network).
Cisco’s enhancements to TACACS are called XTACACS. XTACACS is now replaced by
TACACS+. TACACS+ is a TCP based access control protocol. TCP offers a reliable connection-
oriented transport, while UDP offers best-effort delivery.

TACACS+ improves on TACACS and XTACACS by separating the functions of

authentication, authorization and accounting and by encrypting all traffic between the Network
Access Server (NAS) and the TACACS+ clients or services or daemon. It allows for arbitrary
length and content authentication exchanges, which allows any authentication mechanism to be
utilized with TACACS+ clients. The protocol allows the TACACS+ client to request very fine-
grained access control by responding to each component of a request.

The Magnum 6K switch implements a TACACS+ client.

1. TACACS+ servers and daemons use TCP Port 49 for listening to client
requests. Clients connect to this port number to send authentication and
authorization packets
2. There can be more than one TACACS+ server on the network. MNS-
6K supports a maximum of five TACACS+ servers

100
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

TACACS+ flow
TACACS works in conjunction with the local user list on the MNS-6K software (operating
system.) Please refer to User Management for adding users on the MNS-6K software. The
process of authentication as well as authorization is shown in the flow chart below.

Start
Login as Operator

Login
No

Is User Manager? Yes User in Local

User List?

Yes

Login as Manager No

Logout TACACS+ Enabled?

No

Yes
Yes
Authentication failure Connection failure
Connect to Additional
Logout TACACS server to Servers?
authenticate

Authorized as Authenticated No
Operator or Logout
Authorization Failure TACACS+
Login as Operator
authorization

Authorized as
Manager
Login as Manager

FIGURE 66 – Flow chart describing the interaction between local users and TACACS authorization

The above flow diagram shows the tight integration of TACACS+ authentication with the local
user-based authentication. There are two stages a user goes through in TACACS+. The first stage

101
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

is authentication where the user is verified against the network user database. The second stage is
authorization, where it is determined whether the user has operator access or manager privileges.

TACACS+ packet
Packet encryption is a supported and is a configurable option for the Magnum MNS-6K Software.
When encrypted, all authentication and authorization TACACS+ packets are encrypted and are
not readable by protocol capture and sniffing devices such as EtherReal or others. Packet data is
hashed and shared using MD5 and secret string defined between the Magnum 6K family of
switches and the TACACS+ server.

32 bits wide

4 4 8 8 8 bits
Major Minor Packet type Sequence no. Flags
Version Version
Session ID
Length
FIGURE 67 – TACACS packet format

• Major Version – The major TACACS+ version number

• Minor version – The minor TACACS+ version number. This is intended to allow
revisions to the TACACS+ protocol while maintaining backwards compatibility
• Packet type – Possible values are
TAC_PLUS_AUTHEN:= 0x01 (Authentication)
TAC_PLUS_AUTHOR:= 0x02 (Authorization)
TAC_PLUS_ACCT:= 0x03 (Accounting)
• Sequence number – The sequence number of the current packet for the current
session
• Flags – This field contains various flags in the form of bitmaps. The flag values signify
whether the packet is encrypted
• Session ID – The ID for this TACACS+ session
• Length - The total length of the TACACS+ packet body (not including the header)

Configuring TACACS+
To access the TACACS servers, click on Administration User Mgmt TACACS menu.

102
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 68 – Accessing TACACS configuration menu. By default, no TACACS+ servers are defined

To add a server, click on the Add button as shown above.

103
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 69 – Adding a TACACS+ server – note – the TCP port can be left blank – Port 49 is used as
a default port. Up to 5five TACACS+ servers can be defined. Note the manager level and the operator level
defines the levels for the server being defined.

104
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 70 – After adding TACACS+ servers, do not forget to save and enable the TACAS+ services

After the configuration is completed do not forget to save using the save icon and enabling
the TACACS+ services by using the Status drop down menu.

105
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

8
Chapter

8 – Port Mirroring and Setup

Setup the ports for network speeds, performance as well as for monitoring….

T
his section explains how individual characteristics of a port on the GarrettCom Magnum 6K
family of switches are setup. For monitoring a specific port, the traffic on a port can be
mirrored on another port and viewed by protocol analyzers. Other setup includes
automatically setting up broadcast storm prevention thresholds.

Port Monitoring and Mirroring

j An Ethernet switch sends traffic from one port to another port.

Unlike a switch, a hub, or a shared network device, the traffic is
“broadcast” on each and every port. Capturing traffic for protocol
analysis or intrusion analysis can be impossible on a switch unless
all the traffic from a specific port is “reflected” on another port, typically a monitoring
port. The Magnum 6K family of switches can be instructed to repeat the traffic from one
port onto another port. This process - when traffic from one port is reflecting to another
port - is called port mirroring. The monitoring port is also called a “sniffing” port. Port
monitoring becomes critical for trouble shooting as well as for intrusion detection.

Port mirroring
Monitoring a specific port can be done by port mirroring. Mirroring traffic from one port
to another port allows analysis of the traffic on that port. To enable port mirroring as well
as setting up the ports to be “sniffed” use Configuration Port Mirroring

106
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 71 – Editing and enabling port mirroring

107
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 72 – Setting the port which needs to be monitored and the port on which the traffic is reflected.
Make sure the Mirror Status is also set to enabled for mirroring

108
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 73 – After the ports are setup – the changes are shown

Once port monitoring is completed, for security reasons, GarrettCom strongly

recommends that the port mirroring be disabled using the Edit button and setting the
“Mirror Status” to off.

1) Only one port can be set to port mirror at a time

2) Both the ports (monitored port and mirrored port) have to belong to
the same VLAN
3) The mirrored port shows both incoming as well as outgoing traffic
1. T

Port setup
Each port on the GarrettCom Magnum 6K family of switches can be setup for specific
port characteristics. The menu for setting the port characteristics is Configuration Port
Settings

109
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 74 – Viewing and changing the Port settings

Port Number – is the port number on the switch

Port Name – assigns a specific name to the port. This name is a designated name for the
port and can be a server name, user name or any other name
Admin Status – whether the port can be administered remotely
Link – Link Status – in the example above the link is down – implying either there is no
connection or the system connected to the port is turned off
Auto-Neg – auto negotiation for 100 Mbps and Gigabit copper ports – for fiber ports
there is no auto negotiation as fiber port speeds are fixed
Port Speed – specifically sets the speed to be 10 or 100Mbps. Note – this works only
with 10/100 ports – with 10Mbps ports, the option is ignored

110
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Duplex – sets full duplex or half duplex capabilities for 10/100 Mbps ports
Priority – displays priority set for the port. This value cannot be edited here
VLAN ID – displays VLAN set for the port. This value cannot be edited here
STP State – displays the STP settings for the port. This value cannot be edited here
Tagged State – displays the Tag settings on the port. This value cannot be edited here
GVRP State – displays the GVRP settings on the port. This value cannot be edited here

FIGURE 75 – Clicking on any port in the Graphics Display (or after the login screen) also leads to
Configuration Port Settings screen as shown in the previous figure

111
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 76 – Editing Port configuration values – not all fields can be edited from this screen

Speed Settings
Auto (default) – Senses speed and negotiates with the port at the other end of the link
for data transfer operation (half-duplex or full-duplex). “Auto” uses the IEEE 802.3u
auto negotiation standard for 100BASE-T networks. If the other device does not comply
with the 802.3u standard, then the port configuration on the switch must be manually set
to match the port configuration on the other device.

Possible port setting combinations for copper ports are:

• 10HDx: 10 Mbps, Half-Duplex
• 10FDx: 10 Mbps, Full-Duplex
• 100HDx: 100 Mbps, Half-Duplex
• 100FDx: 100 Mbps, Full-Duplex

Possible port settings for 100FX (fiber) ports are:

• 100FDx (default): 100 Mbps, Full-Duplex

112
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

• 100HDx: 100 Mbps, Half-Duplex

Possible port settings for 10FL (fiber) ports are:

• 10HDx (default): 10 Mbps, Half-Duplex
• 10FDx: 10 Mbps, Full-Duplex

Gigabit fiber-optic ports (Gigabit-SX and Gigabit-LX):

• 1000FDx (default): 1000 Mbps (1 Gbps), Full Duplex only
• Auto: The port operates at 1000FDx and auto-negotiates flow control with the
device connected to the port

Flow Control
This can only be done using the CLI interface. Please refer to the “Magnum MNS-6K
User Guide” for more information on setting date and time manually using the CLI
interface. The commands for changing the flow control are “flowcontrol” and “show
flowcontrol”

Back Pressure
This can only be done using the CLI interface. Please refer to the “Magnum MNS-6K
User Guide” for more information on setting date and time manually using the CLI
interface. The commands for changing the flow control are “backpressure” and “show
backpressure”

Broadcast Storms

j One of the best features of the Magnum 6K family of switches is its

ability to keep broadcast storms from spreading throughout a network.
Network storms (or broadcast storms) are characterized by an excessive
number of broadcast packets being sent over the network. These storms can occur if network
equipment is configured incorrectly or the network software is not properly functioning or
badly designed programs (including some network games) are used. Storms can reduce
network performance and cause bridges, routers, workstations, servers and PC's to slow down
or even crash.

Preventing broadcast storms

The Magnum 6K family of switches is capable of detecting and limiting storms on each
port. A network administrator can also set the maximum rate of broadcast packets
(frames) that are permitted from a particular interface. If the maximum number is
exceeded, a storm condition is declared. Once it is determined that a storm is occurring on
an interface, any additional broadcast packets received on that interface will be dropped
until the storm is determined to be over. The storm is determined to be over when a one-
second period elapses with no broadcast packets received.

113
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 77 – Menus for limiting broadcast storms. Note the 19531 threshold refers to 64 byte packets for a
10Mbps network. Since most broadcast packets are 64 bytes long, this number is used as a default. For
100Mbps networks, the threshold is 195310 packets – adjust the threshold accordingly for a 100Mbps
network.

To adjust for broadcast protection, first check if the port is set to 100Mbps or 10 Mbps.
For a 10 Mbps, the max broadcast rate is 19,531 packets per second (PPS). To limit the
broadcast range to 10%, set the threshold to 1953 PPS by clicking on the edit menu.

114
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 78 – Limiting the broadcast

115
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 79 – After setting the values, enable the Broadcast Protection

After changes are made, do not forget to save the changes using the save icon . If the
switch is rebooted before the changes are made, the changes will be lost.

116
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

9
Chapter

9 – VLAN
Create separate network segments (collision domains) across Magnum 6K family of
switches…..

S
hort for virtual LAN (VLAN), a VLAN creates separate collision domains or network
segments that can span multiple Magnum 6K switches. A VLAN is a group of ports designated
by the switch as belonging to the same broadcast domain. The IEEE 802.1Q specification
establishes a standard method for inserting VLAN membership information into Ethernet
frames.

Why VLANs?

j VLAN’s provide the capability of having two (or more) Ethernet

segments co-existing on common hardware. The reason for
creating multiple segments in Ethernet is to isolate collision
domains. VLANs can isolate groups of users, or divide up traffic for security, bandwidth
management, etc. VLANs are widely used today and are here to stay. VLANs need not be
in one physical location. They can be spread across geography or topology. VLAN
membership information can be propagated across multiple Magnum6K switches.

Segment 1 Segment 2

VLAN 1 VLAN 2

FIGURE 80 – VLAN as two separate collision domains. The top part of the figure shows two
“traditional” Ethernet segments. Up to 32 VLANs can be defined per switch.

117
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

A group of network users (ports) assigned to a VLAN form a broadcast domain. Packets
are forwarded only among ports that are designated for the same VLAN. Cross-domain
broadcast traffic in the switch is eliminated and bandwidth is saved by not allowing
packets to flood out on all ports. For many reasons a port may be configured to belong to
multiple VLANs.

Segment 1 Segment 2 Segment 3

VLAN 1 VLAN 2 VLAN 3

FIGURE 81 – Ports can belong to multiple VLANs. In this figure a simplistic view is presented where
some ports belong to VLANs 1, 2 and other ports belong to VLANs 2,3. Ports can belong to
VLANs 1, 2 and 3. This is not shown in the figure.

By default, on Magnum 6K family of switches, VLAN support is

enabled and all ports on the switch belong to the default VLAN
(DEFAULT-VLAN). This places all ports on the switch into one
physical broadcast domain.

If VLANs are entirely separate segments or traffic domains – how can the VLANs route
traffic (or “talk”) to each other? This can be done using routing technologies (e.g., a router
or a L3-switch). The routing function can be done internally via an L3-switch. One
advantage of an L3 switch is that the switch can also support multiple VLANs. The L3
switch can thus route traffic across multiple VLANs easily and provides a cost effective
solution if there are may VLANs defined.

118
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Segment 1 Segment 2

Router

Router or
L3-switch
VLAN 1 VLAN 2

FIGURE 82 – Routing between different VLANs is performed using a router or a Layer 3 switch (L3-
switch)

The Magnum 6K family of switches supports up to 32 VLANs per

switch

Tag VLAN or port VLAN?

What is the difference between tag and port VLAN? In a nutshell – port VLAN sets a specific
port or group of ports belong to a VLAN. Port VLANs do not look for VLAN identifier
(VID) information nor do they manipulate the VID information. They thus works
“transparently” and propagate the VLAN information along.

In the tag VLAN, an identifier called the VLAN identifier (VID) is either inserted or
manipulated. This manipulated VLAN tag allows VLAN information to be propagated across
devices or switches, allowing VLAN information to span multiple switches.

119
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

As described earlier, VLAN is an administratively configured LAN or broadcast domain. Instead

of going to the wiring closet to move a cable to a different LAN segment, the same task can be
accomplished remotely by configuring a port on an 802.1Q-compliant switch to belong to a
different VLAN. The ability to move end stations to different broadcast domains by setting
membership profiles for each port on centrally managed switches is one of the main advantages
of 802.1Q VLANs.

802.1Q VLANs aren't limited to one switch. VLANs can span many switches. Sharing VLANs
between switches is achieved by inserting a tag with a VLAN identifier (VID) into each frame. A
VID must be assigned for each VLAN. By assigning the same VID to VLANs on many switches,
one or more VLAN (broadcast domain) can be extended across a large network.

802.1Q-compliant switch ports, such as those on the Magnum 6K family of switches, can be
configured to transmit tagged or untagged frames. A tag field containing VLAN information can
be inserted into an Ethernet frame. If a port has an 802.1Q-compliant device attached (such as
another switch), these tagged frames can carry VLAN membership information between switches,
thus letting a VLAN span multiple switches. Normally connections between switches can carry
multiple VLAN information and this is call port trunking or 802.1Q trunks.

There is one important caveat: administrators must ensure that ports with non-802.1Q-compliant
devices attached are configured to transmit untagged frames. Many network interface cards such
as those for PCs printers and other “dumb” switches are not 802.1Q-compliant. If they receive a
tagged frame, they will not understand the VLAN tag and will drop the frame. In situations like
these, it is best to use port based VLANs for connecting to these devices.

Sometimes a port may want to listen to broadcasts across different VLANs or propagate the
VLAN information on to other ports. This port must thus belong to multiple VLANs so that the
broadcast information reaches the port accurately. If the port also wants to send broadcast traffic,
the proper egress (sending out of information) and ingress (receiving information) has to be
configured on the Magnum 6K family of switches.

Private VLANs
Private VLANs are VLANs which are private to a given switch in a network. For Magnum 6K
family of switches, the Private VLANs are restricted to a single switch only. Private VLANs
are implemented on Magnum 6K family of switches using Port based VLAN.

The reasons Private VLANs are constructed are for security. For example, if some confidential
data were residing on VLAN 5, then only the people connected to that switch on VLAN 5 can
have access to that information. No one else can access that VLAN. Similarly, if another
switch had video surveillance equipment on VLAN 20 then only ports with access to VLAN
20 can have access to the video surveillance information.

120
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Finally, one port can belong to multiple VLANs – so depending on the function and use,
different VLANs information can be shared across a port. Such a port is said to be in
promiscuous mode for private VLANs.

Configuring Tag VLANs

Port VLANs are rarely used in networks which use VLANs across multiple switches. Port
VLANs are used when VLANs are setup up on a single switch and connectivity between the
systems on different VLANs is needed; however the broadcasts and multicasts are isolated to
the specific VLAN.

Either port VLANs or Tag VLAN can be active at any given time on a switch.
Only the default VLAN (VLAN id = 1) is active as a Tag VLAN as well as a
port VLAN.

General steps for using Tag VLANs are

1) Plan your VLAN strategy and create a map of the logical topology that will result from
configuring VLANs. Include consideration for the interaction between VLANs
2) Configure at least one VLAN in addition to the default VLAN
3) Assign the desired ports to the VLANs
4) Decide on trunking strategy – how will the VLAN information be propagated from
one switch to another and also what VLAN information will be propagated across
5) (Layer 3 consideration) check to see if the routing between the VLANs is “working”
by pinging stations on different VLANs

1) You can rename the default VLAN, but you cannot

change its VID =1 or delete it from the switch
2) Any ports not specifically assigned to another VLAN will
remain assigned to the DEFAULT-VLAN (VID=1)
3) Changing the number of VLANs supported on the switch
requires the changes to be saved for future use. To
eliminate the changes, reboot the switch without saving the
changes

For VLAN configuration use Configuration VLAN menu items as shown below

Since Port VLANs are rarely used, this documentation will cover Tag VLANs. To set the VLAN type,
use the menu Configuration VLAN Set Type. The VLAN type can also be set from
Administration Set VLAN Type

121
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 83 – Setting the VLAN type – by default no VLANs are active. To set the VLAN type, the menu can
be accessed from Configuration VLAN or from Administration Set VLAN Type menu

Next step is to define the VLANs needed. To do that, click on Configuration VLAN Tag-Based
menu item as shown below and then click on the Add button.

122
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 84 – Currently assigned Port VLAN’s

Now add the necessary VLANs. In the example below, add the VLANs in the following manner

VLAN 1 All ports – default VLAN

VLAN 10 Engineering VLAN ports 11, 12, 13
VLAN 20 Support VLAN ports 13, 14, 15 (note – port 13 belongs to VLAN 10, 20)
VLAN 30 Marketing VLAN ports 15, 16 (note port 15 belongs to VLAN 20, 30)

The VLANs are added and the results are shown below.

123
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 85 – Adding a new VLAN and defining ports belonging to the VLAN

After adding the ports and defining the VLAN, click OK.

124
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 86 – After the VLANs and the Ports associated with VLANs are defined, next step is to define the
port setting and enable tagging on the necessary ports. This is done by clicking on Port settings as shown above.

125
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 87 – Enable the tagging for each port belonging to VLAN 10. Note the Default VLAN can also be
changed for these port using the menu shown above. Also note, how selected values only are sent to MNS-6K for
change in configuration. In the example above, only VLAN 10 being set as Tagged is sent as a configuration
parameter to MNS-6K

126
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 88 – After the Tag information is added, the information is displayed on the screen. Note the Tagged
Column – the information is changed for VLAN 10 to “Yes”. Repeat the process for other VLANs.

Repeat the last two steps for each of the ports and each of the VLANs (click on Port settings and
enable the Tag on the port.) After all the ports are Tagged, the Tagged Column should change to “Yes”
for all VLANs. After the steps are completed, The tagged Column should indicate a “Yes” on the
VLANs which were updated.

To check the status of the tagging, the Configuration VLAN Tag-Based Tagging menu is
used as shown below.

127
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 89 – The status of the VLANs can be viewed from the Tagging menu. Note at this stage, the
VLANs are all still pending as the VLANs have not been activated yet. Also note how one port belongs to
multiple VLANs

To activate the VLAN, click on the Status button under Configuration VLAN Tag-Based
Settings and click on the Status button as shown in the two figures below.

128
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 90 – Activating a VLAN – click on the Status button to view/modify the status of the VLANs

Click OK to activate VLANs.

129
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 91 – Select the VLANs to activate. In this example we activate all the VLANs

130
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 92 – After activating the VLANs, note the port move out of the default VLAN to the specific
VLAN they were assigned to. If the ports need to belong to default VLAN, they have to be added to the default
VLAN explicitly. Also note that one port belongs to multiple VLANs and all VLAN status has been changed
to Active

Notice in the figure above (as well as in the figures shown below), before the VLANs were activated
ports 9-16 belonged to the Default VLAN (VLAN 1). After the ports are activated, the default VLAN
is deleted from the ports belonging to other VLANs. This is the correct behavior.

To add all the ports to the default VLAN, we can edit the default VLAN definition and add the
necessary ports to the default VLAN.

131
 M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 93 – Adding the ports back to the Default VLAN – edit the default VLAN and add the ports to the default VLAN

FIGURE 94 – After activation, note that ports 9-13 belong to the new VLANs. After adding the ports
back to the default VLAN, the results are shown above. Each port can join or leave a VLAN membership
by clicking on Join & Leave as shown above

132
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

To add or delete specific ports from a VLAN, click on Join & Leave button and specify the action. In
the example below, we will take port 11 and assign it to leave VLAN 10. After the action is completed,
note that port 11 will belong to VLAN 1 only.

FIGURE 95 – Port 11 is removed from VLAN 10

133
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 96 – After Port 11 is removed from VLAN 10, the new status reflects the change. Note – if ports 12
and 13 are not tagged (from the Port Settings menu) the Tagged Colum will reflect that fact as well

One other way to view the overall VLAN status is to look at Configuration Port Settings menu.

134
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 97 – VLAN Status is also shown at a glance from the settings menu as shown above

135
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 98 – Once the Tag VLANs are active, the Port VLANs are in the Pending stage. Also note the
VLAN definitions of the Port VLANs and Tag VLANs are different.

To delete a VLAN, click on the delete icon . You will be prompted whether or not to delete the
VLAN in order to prevent an accidental delete.

At this time, since the Tag VLAN is active, the Port VLAN is inactive and all ports belong to the
Default Port VLAN. When Filtering is enabled, packets can only be routed from one specified VLAN
to another.

1. A word of caution – when Tag VLAN filtering is enabled, there

can be serious connectivity repercussions – the only way to
recover from that it is to reload the switch without saving the
configuration or by modifying the configuration from the
console (serial) port.
2. There can be either Tag VLAN on MSN-6K or Port VLAN.
Both VLANs cannot co-exit at the same time

136
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

3. There can only be one default VLAN for the switch. The default is set to VLAN 1 and
can be changed to another VLAN. A word of caution on changing the default VLAN as
well – there can be repercussions on management as well as multicast and other issues
4. Tag VLAN support VLAN ids from 1 to 4096. VLAN ids more than 2048 are reserved
for specific purposes and it is recommended they not be used
5. Default VLAN can be changed. GarrettCom Inc. recommends that the administrator be
cautious of the connectivity repercussions before changing the default VLAN.

FIGURE 99 – Enabling the filter capability for each port. Note – the information for the default ID and the filter
status is sent. The tagging control information is not changed as the check box is not checked.

After the filter is activated, the filter settings can be viewed by looking at Configuration VLAN
Tag-Based Tagging

137
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 100 – After filtering is activated on ports 15 and 16, the Filter menu shows the status

Configuring Port VLANs

When the network is simple, a Port based VLAN can be used to minimize the connectivity
issues between VLANs. Broadcasts are not filtered on a Port VLAN. Port based VLANs are
listed here for historical reasons.

On the Magnum 6K family of switches, the port VLANs are not active as a
defualt.. To use Port VLANs, eanble Port VLANs first.

First step is to define the VLANs and which ports are members of the specific VLAN. In this
example, we will assume the following:

VLAN 1 Default VLAN

VLAN 20 Engineering Port 11 only
VLAN 10 Sales Ports 11,12,13

138
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

VLAN 40 Marketing Ports 12-16

VALN 30 Support Ports 11, 12, 13

Step 1 – Define the VLAN Type to be a Port VLAN. This is shown below.

FIGURE 101 – Set the VLAN type to be Port VLAN

If Tag VLANs are active, you will have to stop Tag VLANs before Port VLANs
are enabled. This is done by selecting Configuration VLAN Tag-Based
Setting menu and then by clicking on the Status button.

139
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 102 – Add the necessary VLANs

140
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 103 – Add the VLANs and the ports belonging to the specific VLANs

Repeat the steps as shown above to add the other VLANs.

After all the VLANs are added, the screen will look as shown below.

141
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 104 – After adding all the necessary VLAN.s. The information can be edited or deleted at any time
from this screen as well. To activate the VLAN, click on Status button.

To activate the VLANs, click on the Status button as shown above and then select All for VLAN
Id and select Start for VLAN Status as shown below. Click OK to activate the VLANs.

142
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 105 – To activate the Port VLANs

After the VLANs are activated, the screen as shown below appears. Note, the ports that belong to
other VLANs are moved from the default VLANs to the VLANs that they belong to. Also note th
Status changes to Active from Pending.

143
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 106 – After the Port VLANs are activated, note the ports are moved from the default VLANs to the
VLANs assigned to the ports. Also note the Status changes to Active. To add the Default VLAN to all ports,
simply add the edit icon next to the Default VLAN entry above.

Final step – save the configuration changes by using the save icon .

144
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

10
Chapter

10 – Spanning Tree
Create and manage alternate paths to the network

S
panning Tree Protocol was designed to avoid loops in an Ethernet network. An Ethernet
network using switches can have redundant paths – this may however cause loops. To
prevent the loops MNS-6K software uses spanning tree protocol. As a manager of the
MNS-6K software, controlling the link or trunk over which the traffic traverses is
necessary. It is also necessary to specify the parameters of STP. STP is available as the IEEE
802.1d protocol and is a standard of the IEEE. Rapid Spanning Tree Protocol (RTSP), like STP,
was designed to avoid loops in an Ethernet network. Rapid Spanning Tree Protocol (RSTP)
(IEEE 802.1w) is an evolution of the Spanning Tree Protocol (STP) (802.1d standard) and
provides for faster spanning tree convergence after a topology change.

STP Features and Operations

j The switch uses the IEEE 802.1d Spanning Tree Protocol (STP).
When STP is enabled, it ensures that only one path at a time is
active between any two nodes on the network. In networks where
more than one physical path exists between two nodes, STP ensures only a single path is
active by blocking all redundant paths. Enabling STP is necessary to avoid loops and
duplicate messages. This duplication leads to a “broadcast storm” or other erratic
behavior that can bring down the network.

As recommended in the IEEE 802.1Q VLAN standard, the Magnum 6K family of

switches uses single-instance STP. This means a single spanning tree is created to make
sure there are no network loops associated with any of the connections to the switch.
This works regardless of whether VLANs are configured on the switch. Thus, these
switches do not distinguish between VLANs when identifying redundant physical links.

The switch automatically senses port identity and type, and automatically defines port cost
and priority for each type. The MNS-6K software allows a manager to adjust the cost,
priority, the mode for each port as well as the global STP parameter values for the switch.

While allowing only one active path through a network at any time, STP retains any
redundant physical path to serve as a backup (blocked) path in case the existing active path

145
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

fails. Thus, if an active path fails, STP automatically activates (unblocks) an available
backup to serve as the new active path for as long as the original active path is down.

The table below lists the default values of the STP variables.

Variable or Attribute Default Value

STP capabilities Disabled
Reconfiguring general operation priority 32768
Bridge maximum age 20 seconds
Hello time 2 seconds
Forward delay 15 seconds
Reconfiguring per-port STP path cost 0
Priority 32768
Mode Normal
Monitoring of STP Not Available
Root Port Not set
Figure 107 – STP default values – refer to next section “Using STP” for more detailed explanation on
the variables

By default, STP is disabled. To use STP, it has to be manually enabled. The

switch is also setup to use STP as a default.

RSTP Concepts
j The IEEE 802.1d Spanning Tree Protocol (STP) was developed to
allow the construction of robust networks that incorporate
redundancy while pruning the active topology of the network to
prevent loops. While STP is effective, it requires that frame transfer must halt after a link
outage until all bridges in the network are sure to be aware of the new topology. Using
STP (IEEE 802.1d) recommended values, this period lasts 30 seconds.

Rapid Spanning Tree Protocol (IEEE 802.1w) is a further evolution of the 802.1d
Spanning Tree Protocol. It replaces the settling period with an active handshake between
switches (bridges) that guarantees topology information to be rapidly propagated through
the network. RSTP converges in less than one second. RSTP also offers a number of
other significant innovations. These include

146
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

• Topology changes in STP must be passed to the root bridge before they can be
propagated to the network. Topology changes in RSTP can be originated from
and acted upon by any designated switch (bridge), leading to more rapid
propagation of address information
• STP recognizes one state - blocking for ports that should not forward any data or
information. RSTP explicitly recognizes two states or blocking roles - alternate and
backup port including them in computations of when to learn and forward and
when to block
• STP relays configuration messages received on the root port going out of its
designated ports. If an STP switch (bridge) fails to receive a message from its
neighbor it cannot be sure where along the path to the root a failure occurred.
RSTP switches (bridges) generate their own configuration messages, even if they
fail to receive one from the root bridge. This leads to quicker failure detection
• RSTP offers edge port recognition, allowing ports at the edge of the network to
forward frames immediately after activation while at the same time protecting
them against loops
• An improvement in RSTP allows configuration messages to age more quickly
preventing them from “going around in circles” in the event of a loop

RSTP has three states. They are discarding, learning and forwarding.

The discarding state is entered when the port is first taken into service. The port does not
learn addresses in this state and does not participate in frame transfer. The port looks for
STP traffic in order to determine its role in the network. When it is determined that the
port will play an active part in the network, the state will change to learning. The learning
state is entered when the port is preparing to play an active member of the network. The
port learns addresses in this state but does not participate in frame transfer. In a network
of RSTP switches (bridges) the time spent in this state is usually quite short. RSTP
switches (bridges) operating in STP compatibility mode will spend between 6 to 40
seconds in this state. After ‘learning’ the bridge will place the port in the forwarding state.
While in this state the port does both - learns addresses and participates in frame transfer.

The result of these enhanced states is that the IEEE 802.1d version of spanning tree
(STP) can take a fairly long time to resolve all the possible paths and to select the most
efficient path through the network. The IEEE 802.1w Rapid reconfiguration of Spanning
Tree significantly reduces the amount of time it takes to establish the network path. The
result is reduced network downtime and improved network robustness. In addition to
faster network reconfiguration, RSTP also implements greater ranges for port path costs
to accommodate the higher connection speeds that are being implemented.

Proper implementations of RSTP (by switch vendors) is designed to be compatible with

IEEE 802.1d STP. GarrettCom recommends that you employ RSTP or STP in your
network.

147
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Transition from STP to RSTP

IEEE 802.1w RSTP is designed to be compatible with IEEE 802.1d STP. Even if all the other
devices in your network are using STP, you can enable RSTP on your Magnum 6K family of
switches. The default configuration values of the RSTP available in MNS-6K software will ensure
that your switch will interoperate effectively with the existing STP devices. RSTP automatically
detects when the switch ports are connected to non-RSTP devices using spanning tree and
communicates with those devices using 802.1d STP BPDU packets.

Even though RSTP interoperates with STP, RSTP is much more efficient at establishing the
network path, and the network convergence in case of a failure is very fast. For this reason,
GarrettCom recommends that all your network devices be updated to support RSTP. RSTP
offers convergence times typically of less than one second. However, to make best use of RSTP
and achieve the fastest possible convergence times there are some changes that you should make
to the RSTP default configuration.

1. GarrettCom Inc. provides downloadable software Fault Timing

Analyzer (FTA) for testing how quickly a network recovers from a
fault, once the redundancy features such as STP or RSTP is configured
on the switches (bridges). This software can be downloaded from the
GarrettCom site. This software is available at
http://www.garrettcom.com/ftaform.htm
2. Under some circumstances it is possible for the rapid state transitions
employed by RSTP to result in an increase in the rates of frame
duplication and the order in which the frames are sent and received. In
order to allow RSTP switches to support applications and protocols
that may be sensitive to frame duplication and out of sequence frames,
RSTP may have to be explicitly set to be compatible with STP. This
explicit setting is called setting the “Force Protocol Version”
parameter to be STP compatible. This parameter should be set to all
ports on a given switch
3. As indicated above, one of the benefits of RSTP is the implementation
of a larger range of port path costs which accommodates higher
network speeds. New default values have also been implemented for
the path costs associated with the different network speeds. This could
create incompatibility between devices running the older
implementations of STP a switch running RSTP
4. At a given time, the MNS-6K software can support either STP or
RSTP but not both

148
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Configuring STP/RSTP
To setup and configure RSTP use the Configure RSTP menus. In setting up RSTP or STP, it is
advised that the system defaults are used for weights etc. Only when specific ports need to be the
active link, should the default values change for that port.

To set the Spanning Tree to be STP or RSTP – use the Administration Set STP Type menu
as shown below.

FIGURE 108 – Setting the STP type – choose RSTP or STP. Note – depending on the choice, the Menu under
Configuration will change to reflect the choice made

Depending on the selection made for the Spanning Tree type, the Menu under configuration will
change as shown below.

149
 M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 109 – Note the menus change depending on whether STP or RSTP is selected. The cursor is placed close to the
changes in the above screen captures

After the proper selection (RSTP/STP) is made, the necessary capabilities can be configured as
shown below.

150
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 110 – Configuring RSTP. RSTP or STP is disabled. Designated root is set to zero as RSTP is
disabled

Designated Root: shows the MAC address of the bridge in the network elected or
designated as the root bridge. Normally when STP is not enabled the switch designates
itself as the root switch

Root Path Cost: a path cost is assigned to individual ports for the switch to determine
which ports are the forwarding points. A higher cost means more loops; a lower cost
means fewer loops. More loops equal more traffic and a tree which takes a long time to
converge – resulting in a slower system

Root Port: indicates the port number, which is elected as the root port of the switch. A
root port of “0” indicates STP is disabled

Protocol: indicates whether STP or RSTP is being used

Bridge ID: indicates the MAC address of the current bridge over which traffic will flow

151
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Bridge Priority: specifies the switch (bridge) priority value. This value is used along with
the switch MAC address to determine which switch in the network is the root device.
Lower values mean higher priority. Value ranges from 0 to 65535. Default value is 32768

Status: indicates whether STP or RSTP is enabled

Bridge Hello Time: when the switch is the root device, this is the time between messages
being transmitted. The value is from 1 to 10 seconds. Default value is 2 seconds

Bridge Forward Delay: indicates the time duration the switch will wait from listening to
learning states and from learning to forwarding states. The value ranges from 4 to 30
seconds. Default value is 15

Bridge Max Age: this is the maximum time a message with STP information is allowed
by the switch before the switch discards the information and updates the address table
again. Value ranges from 6 to 40 seconds with default value of 20 seconds

Hold Time: is the minimum time period to elapse between the transmissions of
configuration BPDUs through a given LAN Port. At most one configuration BPDU shall
be transmitted in any Hold Time period. This parameter is a fixed parameter, with values
as specified in RSTP standard (3 seconds)

Topology Change: counter indicating the number of times topology has changed

Time since TC: indicates time that has elapsed since the last topology change. Use this in
conjunction with uptime on the Graphical Display (screen shown after a successful login)
to find the frequency of the topology changes

Click on Edit to make any changes

152
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 111 – Changing the RSTP or STP bridge parameters. Note on this screen you can select and enable
STP or RSTP

Under protocol, select STP if there are legacy devices or other third party devices which do not
support RSTP. Otherwise it is recommended to enable RSTP for use. Once again, if you are not
familiar with the STP or RSTP parameter settings, is best to use the default values displayed
above. Simply enable RSTP (or STP) and let the system default values prevail.

153
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 112 – After RSTP is enabled, the fields are updated – note specifically, “Status”, “Time since TC” and
“Designated Root”

154
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 113 – Port specific values for RSTP or STP

Click on the edit icon to edit the values for a specific port.

Port#: indicates the port number. Value ranges from 01 to max number of ports in the
switch

Port Type: indicates the type of port and speed – TP indicates Twisted Pair

Port State: forwarding implies traffic is forwarded onto the next switch or device
connected the port. Disabled implies that the port may be turned off or the device
connected to it may be unplugged or turned off. Values can be Listening, Learning,
Forwarding, Blocking and Disabled.

Path Cost: this is the assigned port cost value used for the switch to determine the
forwarding points. Values range from 1 to 2000000. Lower the value, lower the cost and
hence the preferred route. The costs for different Ethernet speeds are shown below. The
Path cost in STP is compared to the path cost in RSTP.

155
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Port Type STP Path cost RSTP Path cost

10 Mbps 100 2,000,000
100 Mbps 19 200,000
1 Gbps 4 20,000
10 Gbps 2 2,000
Figure 114 – Path cost as defined in IEEE 802.1d (STP) and 802.1w (RSTP)

Priority: STP uses this to determine which ports are used for forwarding. Lower the
number means higher priority. Value ranges from 0 to 255. Default is 128

Edge Ports: RSTP offers edge port recognition, allowing ports at the edge of the network
to forward frames immediately after activation while at the same time protecting them
against loops

P2P Ports: set the “point-to-point” value to off on all ports that are connected to shared
LAN segments (i.e. connections to hubs). The default value is auto. P2P ports would
typically be end stations or computers on the network

Designated Root: MAC Address of the Root Bridge in the tree

Status: status of STP/RSTP for the port

STP or RSTP values can be changed for each port as shown below.

156
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 115 – Changing the port specific STP or RSTP values

Migration is enabled for all ports connected to other devices such as hubs, bridges and switches
known to support IEEE 802.1d STP services and cannot support RSTP services.

Status is normally enabled – in certain cases the Status can be set to disabled to turn off RSTP or
STP on that port

157
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

11
Chapter

11 – RS-Ring™, S-Ring™ and Link-

Loss-Learn™ (LLL)
Speed up recovery from faults in Ethernet networks

S
-Ring and RS-Ring use ring topology to provide fast recovery from faults. These are based
on industry standard STP and RSTP technologies. These technologies have been adapted to
ring recovery applications by GarrettCom Inc. and these rings are called S-Ring. In
addition, LLL enables a switch to rapidly re-learn MAC addresses in order to participate in
S-Ring configurations.

In the last two chapters we looked at how RSTP or STP can be used to bring resiliency to
a meshed network. This chapter’s focus is to look at ring topologies and how these
topologies can be used to provide faster recovery times than what STP or RSTP can offer.
Both RSTP and STP are industry standard protocols and can be used with networking
switches from different vendors.

LLL triggers action on the device supporting LLL when a connection is broken or there is
loss of the link signal on a ring port. LLL can be used with S-Ring on managed switches
such as the GarrettCom Magnum 6K family of switches. LLL can also be used on
managed switches such as Magnum 6K family of switches, MP62 as well as on unmanaged
switches such as ESD42 switches. Note that LLL can also be used with non-ring
topologies (such as mesh topologies) using RSTP or STP where it does the necessary
actions for fault recovery (such as re-learn addresses) in case of a link failure.

S-Ring is a ring technology using the GarrettCom MNS-6K software. In a S-Ring, a switch
is designated as a “Ring Manager”. Devices in a S-Ring can be managed switches such as
the Magnum 6K family of switches, non managed switches such as MP62 or ESD42 or
even hubs which leverages LLL. S-Ring is a licensed product from GarrettCom Inc.
GarrettCom Inc. also licenses this technology to other companies who are interested in
implementing the resiliency capabilities offered by S-Ring.

RS-Ring provides superior recovery times from failures. It works when

158
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

• The ring is made up of devices which are managed switches only from Magnum
6K family of switches
• Each of the switches in the ring topology are configured for RSTP
• The RS-Ring product license key is configured on each switch in the ring

S-Ring and LLL concepts

j S-Ring is built upon networking software standards such as IEEE

802.1d Spanning Tree Protocol (STP) or Rapid Spanning Tree
Protocol (RSTP) based on IEEE 802.1w. The purpose of S-Ring is
to define two ports which participate in the RSTP/STP tree structure in a ring topology as
opposed to a meshed topology. S-Ring running on the ring manager switch leverages this
capability to recover quickly from fault situations. The recovery times for S-Ring based
networks are within a few hundred milliseconds. Recovery time for STP devices is in tens
of seconds (typically 30-50 seconds in most networks) or sub second to a few seconds for
RSTP networks. The biggest advantage of S-Ring, besides the fast recovery time, is the
defined ring topology which makes the network manageable. S-Ring can also be an overall
lower cost solution as there are hubs as well as switches which can be used in the ring.

In the Magnum 6K family of switches as well as in other unmanaged switches such as the
ESD42, a feature called Link-Loss-Learn™ (LLL) can be activated to immediately flush
its address buffer and relearn the MAC addresses that route packets around the fault. This
procedure, which is similar to switch initialization, occurs within milliseconds, resulting in
fast ring recovery. An S-Ring implementation watches for link-loss as well as for
STP/RSTP BPDU packet failures and responds to whichever occurs first. In most
instances the link-loss will be detected faster than the two-second interval at which the
BPDU packets are successfully passed around the ring. Typical ring recovery times using
S-Ring software and mP62 edge switches with the LLL feature enabled on the ring ports
is less than 250 milliseconds, even with 50 or more Magnum 6K family of switches in a
ring structure. Without LLL activation, the Magnum 6K family of switches address buffer
aging time (5 minutes default) could be the gating factor in ring recovery time. LLL is used
on S-Ring and helps speed up the ring recovery time.

S-Ring operates from specifically defined port pairs that participate in a ring-topology.
Multiple rings of different pairs on the same switch are also supported; however,
intersecting rings or a “ring of rings” or “overlapping rings” is not supported in the
current version. While S-Ring builds upon the foundation of RSTP or STP, S-Ring offers
an additional topology option to network architects. The two ends of a ring must be
connected to two ports in a Magnum 6K Switch that is enabled with the S-Ring software.
The end points of the ring provide an alternate path to reach the switch that has failed.
The in-out pairs of the ports to other devices in the ring have to be enabled with LLL.
Some items to be aware of with S-Ring are as follows:

1. The S-Ring feature is a separately licensed module for the MNS-6K software
package. This module must be enabled by means of a software key

159
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

2. Only one switch is the “Ring Master”. That switch has S-Ring Software authorized
(enabled) for that device. Thus only one license key is needed per ring (and not per
switch)
3. There can be multiple S-Rings on a given Magnum 6K switch. There can be
multiple ring topologies in a network. Each ring has to be a separate ring. Ring of
rings or overlapping rings are not supported at this time
4. S-Ring topologies support one failure in the network. A second failure may create
isolated network islands
5. At least one untagged VLAN must be available for the BPDU’s to propagate
through the network to update RSTP/STP status
6. S-Ring faults can be software signaled to alarm contacts.

RS-Ring concepts

j Today, more and more situations demand a network to be built

using managed switches. These situations also demand a faster
recovery time in case of a network failure. The topologies have to
be simple for maintenance and other reasons. In these situations, a ring topology provides
fault tolerance with the simplicity. RS-Ring feature can be used on managed Magnum 6K
family of switches. RS-Ring provides the simple ring topology and provides faster
recovery times than S-Ring or STP/RSTP.

RS-Ring is built upon networking software standards such as Rapid Spanning Tree
Protocol (RSTP) based on IEEE 802.1w. RS-Ring defines two ports on each switch
which participates in the ring topology and works with the RSTP tree structure. RS-Ring
requires RSTP to be configured across all switches and uses the underlying RSTP protocol
to provide simplicity in configuration as well as rapid recovery in the RS-Ring topology.
The recovery times for RS-Ring based networks are within milliseconds. While the
recovery time for STP devices is in tens of seconds (typically 30 seconds in most
networks) or sub second to a few seconds for RSTP networks, RS-Ring offers recovery
times typically in less than 100 milliseconds. The biggest advantage of RS-Ring, besides
the fast recovery time, is the defined topology which makes the network manageable. RS-
Ring is configured on Magnum 6K family of switches and requires RSTP to be enabled on
all switches participating in the RS-Ring. RS-Ring cannot be used in a multi-vendor
environment.

RS-Ring operates from specifically defined port pairs that participate in a ring-topology.
Each of the two ends of a ring must be connected to two ports in a Magnum 6K Switch
that is enabled with the RS-Ring software. The end points of the ring provide an alternate
path to reach the switch that has failed. Some items for using RS-Ring are as follows:

1. Faster recover times than S-Ring or RSTP are needed by the network
2. The RS-Ring feature is a separately licensed module for the MNS-6K software
package. This module must be enabled by means of a software key.
3. The same key can be used for either S-Ring or RS-Ring

160
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

4. The same license key needs to be configured for each switch on the ring and RS-
Ring capability has to be enabled on all switches (and hence all the devices in the
ring have to be a managed Magnum 6K switches)
5. RS-Ring topologies support one failure in the network. The second failure may
create isolated network islands
6. RSTP has to be enabled on all Magnum 6K switches in the ring
7. At least one untagged VLAN must be available for the BPDU’s to propagate
through the network to update RSTP status.

When to use RS-Ring vs S-Ring

RS-Ring or S-Ring provides resiliency in the network. So does RSTP and STP. The general
guidelines for making a decision as to whether to use S-Ring or RS-Ring or for that matter, RSTP
or STP, matters a lot on some key criteria, some of which are listed below.
• Speed – RS-Ring offers substantially faster recovery times compared to S-Ring. While
the recovery time will vary on factors such as number of nodes in a ring, lengthof the
ring etc., on an average, RS-Ring recovers typically in less than 100 mSec vs 300 mSec
for S-Ring.
• Cost – RS-Rings and S-Rings are licensed features. S-Ring requires at least one device
in the network should be a managed switch. RS-Ring requires all devices in the ring
should be a managed Magnum 6K switches. So while the recovery times are faster for
RS-Ring, the cost of building such a ring may be higher
• Ring Topology – multiple rings may be implemented with S-Ring running on one
managed Magnum 6K switch. Only one RS-Ring per Magnum 6K switch can be
configured 3 .
• Managed Switches – RS-Ring requires all devices in the ring are managed Magnum
6K family of switches. If there are non managed devices, RS-Ring cannot be used.

3It is technically possible to have S-Ring and RS-Ring on the same Magnum 6K Switch. GarrettCom Inc. does not recommend
nor support such configurations.

161
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Comparing resiliency methods

So far we have briefly covered S-Ring with LLL, RS-Ring, RSPT as well as STP. The table below
summarizes some decision criteria on selecting RSPT vs STP vs S-Ring (and LLL) vs RS-Ring.

RS-Ring S-Ring with LLL RSTP STP

License Same license key as A license key is Included in Included in
S-Ring. One license needed. One key per MNS-6K MNS-6K
key needs to be ring manager switch
enabled on each
Magnum 6K switch
Spanning Tree Works with RSTP Works with RSTP or -- --
STP devices
Devices Managed Magnum Managed or certain Many Many
supported 6K family of non managed Magnum
switches switches. Requires at
least one Magnum 6K
switch as ring manager
Recovery Distributed across Centralized to “Ring Typically done Typically
decision all switches in the Manager”. LLL using BPDU. done using
ring. Works with provides triggers to Can take time. BPDU. Can
RSTP in each switch recomputed topology take time.
for ring members.
Also works with RSTP
or STP.
Topology Single ring, multiple Single ring, multiple Mesh topology Mesh
rings, no rings, no overlapping – can have topology –
overlapping rings or rings or ring of rings multiple paths can have
ring of rings multiple
paths
Interoperability Works with Works with managed Wide range of Wider range
managed Magnum 6K family of switches, products, of products,
6K family of other managed including other including
switches switches such as MP62 vendor other vendor
and non managed products products
switches as well as
some hubs
Recovery time Fastest Fast Medium – sub Slow – in tens
second to a few of seconds
seconds

162
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

RS-Ring S-Ring with LLL RSTP STP

Resiliency Fast recovery from a Fast recovery from a Multiple points Multiple
single point of single point of failure. of failure – points of
failure. No Ring Master is each connected failure – each
centralized decision responsible for node can be in connected
making decision making stand-by node can be
in stand-by
Software Cost Licensed per ring Licensed per ring Included in Included in
MNS-6K MNS-6K
Hardware cost Managed 6K One Managed 6K per Many choices Many choices
switches only ring. Multiple choices available, available,
for members of the making it cost making it cost
ring effective effective
Software Alarm Not available at this Yes No No
time
Ring Size 50+ nodes 50+ nodes NA NA
Dual Homing Supports dual Supports dual homing Supports dual Supports dual
homing to members to members in the ring homed device homed device
in the ring to devices in to devices in
the network the network

RSTP/STP Operation without RS-

Ring or S-Ring
S-Ring supports non managed switches as long as LLL capability is supported on that switch. A
ring is a special form of mesh network topology. The two top-of-the-ring ports form an
otherwise-illegal redundant path, and standard RSTP/STP causes one of these two ports to block
incoming packets in order to enable normal Ethernet traffic flow. All ring traffic goes through the
non-blocking port for normal LAN operation. This port is designated Forwarding Port.
Meanwhile, there is a regular flow of status-checking multi-cast packets (called BPDUs or Bridge
Protocol Data Units) sent out by RSTP/STP that move around the ring to show that things are
functioning normally.

163
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

ff ic
Tra
DU
BP Forwarding Blocking
Port Port

FIGURE 116 – Normal RSTP/STP operations in a series of switches. Note – this normal status is designated
RING_CLOSED

This normal status is designated as RING_CLOSED. Operations will continue this way
indefinitely until a fault occurs.

A fault anywhere in the ring will interrupt the flow of standard RSTP/STP status-checking BPDU
packets, and will signal to RSTP/STP that a fault has occurred. According to the standard
RSTP/STP defined sequence, protocol packets are then sent out, gathered up and analyzed to
enable RSTP/STP to calculate how to re-configure the LAN to recover from the fault. After the
standard RSTP/STP reconfiguration time period (typically 20 to 30 seconds), the RSTP/STP
analysis concludes that recovery is achieved by changing the blocking port of the ring port-pair to
the forwarding state.

Intentionally left blank

164
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

ffic
Tr a

c
Traffi
DU
BP Forwarding
Forwarding
Port
Port

U
X BPD

FIGURE 117 – A fault in the ring interrupts traffic. The blocking port now becomes forwarding so that traffic can
reach all switches in the network Note – the mP62 as well as the ESD42 switches support LLL and can
participate in S-Ring as an access switch

When this change is made by RSTP/STP and both of the ring manager switch’s ring ports are
forwarding, the fault is effectively bypassed and there is a path for all LAN traffic to be handled
properly. This abnormal status is designated RING_OPEN, and may continue indefinitely, until
the ring fault is repaired. At that time, RSTP/STP will change one of the ring control ports to be a
blocking port again. This recovery operation may take thirty seconds to a few minutes, depending
on the number of switches and other RSTP/STP parameters in operation.

RSTP/STP Operation with S-Ring

When the Magnum 6K family of switches is used in the network and the S-Ring feature is
enabled, the result of a ring-fault is the same but the recovery is faster. The S-Ring capability
overrides the normal RSTP/STP analysis for the ring-pair ports of the ring manager (or ring-
control) switch, providing quick recovery of the ring fault without conflicting with standard
RSTP/STP.

The Magnum 6K family of switches, running MNS-6K software, offer users the choice of
selecting S-Ring when RSTP or STP is configured and in use. For the S-Ring, the user must select
two ports of one 6K switch to operate as a pair in support of each Ethernet ring, and attach to the
two “ends” of each ring as it comes together at the ring control switch.

165
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Ring 1
Ring 2

FIGURE 118 – More than one S-Ring pair can be selected and more than one S-Ring can be defined per switch.
Note – the mP62 as well as the ESD42 switches support LLL and can participate in S-Ring as an access
switch

More than one S-Ring port-pair may be selected per ring control switch. Each port-pair will have
its own separate attached ring, and each port-pair operates on faults independently. The port-pairs
may be of any media type, and the media type does not have to be the same for the pair. With the
Magnum 6K family of switches, a port operating at any speed (10Mb, 100Mb, Gb) may be
designated as part of an S-Ring port-pair (or RS-Ring port pair) ensuring proper Ethernet
configuration of the ring elements.

After selecting a port-pair for a ring, the manager or administrator enables S-Ring (on the selected
port-pairs via S-Ring software commands. One command (enable / disable) turns S-Ring on and
off. Another command adds / deletes port- pairs. Other commands provide for status reporting
on the ring. The MNS-6K software package provides for remote operation, access security, event
logs, and other industry-standard managed network capabilities suitable for industrial applications
requiring redundancy.

When S-Ring is enabled for a port-pair, fault detection and recovery are armed for the associated
ring. The standard RSTP/STP functions are performed by the Magnum 6K family of switches for
other ports in the same manner as they would be without S-Ring enabled, when operating in the
RING_CLOSED state. During this state, RS-Ring or S-Ring is also watching the flow of the
BPDU packets that move around the ring between the designated part-pair.

The extra capability of S-Ring comes into play when a fault occurs. When the flow of BPDU
packets around the ring is interrupted (or when Link-Loss is sensed on one of the ports of the
ring port-pair by S-Ring), S-Ring quickly acts to change the blocking port’s state to forwarding.
No waiting for STP analysis. No waiting for RSTP analysis. No checking for other possible
events. No other ports to look at. No 30-second delay before taking action. S-Ring or RS-Ring
takes immediate corrective action for quick recovery from the fault in the ring. The ring becomes
two strings topologically, as shown above, and there is a path through the two strings for all
normal LAN traffic to move as needed to maintain LAN operations.

166
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

When the fault is cured, the re-emergence of the ring structure enables the BPDU packets to flow
again between the ring’s port-pair. This is recognized by S-Ring (and RSTP/STP) as well as by
RS-Ring (and RSTP) , and one of the ports in the ring’s port pair is changed to the blocking state.
S-Ring takes the recovery action immediately, not waiting for the 30-second STP analysis.

Rings are simple structures. Either one port of a pair is forwarding or both are. Not complicated;
not much to go wrong.

A Link-loss on one of the Magnum 6K Switch’s ring ports is an alternative trigger for S-Ring to
initiate fault recovery. The Link-loss trigger almost always comes quicker after a fault (a few
milliseconds) than the loss of a BPDU packet which is gated by the standard STP 2-second “hello
time” interval. So the Link-loss trigger will almost always provide faster fault detection and faster
recovery accordingly.

LLL with S-Ring

The Link-Loss-Learn™ feature, available on Magnum 6K family of switches can significantly
reduce switch address memory decay time, resulting in more rapid reconfiguration. With Link-
Loss-Learn (LLL), Magnum 6K family switches in a ring can flush their address memory buffer
and quickly re-learn where to send packets, enabling them to participate in a very quick recovery
or restoration. Note that a Link-loss on any Magnum 6K Switch port somewhere in the ring is an
alternative trigger for S-Ring to act for either fault recovery or ring restoration. The interruption
(or the restoration) of the flow of BPDU packets is one trigger, link-loss is another, and action is
taken by S-Ring based on whichever occurs first.

Ring learn features

One of the S-Ring software commands, “s-ring learn”, causes the scanning of all ports in the
Magnum 6K family of switches for the presence of rings. This command can be a handy tool in
setting up the S-Ring product for correct initial operation. During a ring-learn scan, if any port
receives a BPDU packet that was also originated by the same switch, the source and destination
ports are designated as a ring port-pair and they are automatically added to the S-Ring port-pair
list for that 6K Switch. The user can enable or disable ports pairs that are on the S-Ring list by
CLI commands in order to exercise final control if needed. This feature is not available with RS-
Ring.

Configuring S-Ring
S-Ring is a licensed software feature from GarrettCom Inc. Before using the S-Ring capabilities;
authorize the use of the software with the license key. To obtain the license key, please contact
GarrettCom Inc. Sales (for purchasing the S-Ring feature) or Technical Support (to obtain the 12

167
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

character key.) If the S-Ring capability was purchased along with the switch, the software license
code will be included with the switch.

Syntax authorize <module> key=<security key> - activate the S-Ring capabilities. Don’t forget to use
the “save” command to save the key

In the example below – STP is used to show how S-Ring is setup. S-Ring will
also work with RSTP. If RSTP is used, GarrettCom Inc. recommends using RS-
Ring instead.

Magnum6K25# authorize s-ring key=abc123456789

S-RING Module Successfully Authorized
Please Save Configuration.
Magnum6K25# save

Saving current configuration

Configuration saved

Saving current event logs

Event logs saved
FIGURE 119 – Activating S-Ring on the switch

One can use a telnet session to activate the S-Ring license as shown below.

168
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 120 – Activating S-Ring license

Since S-Ring uses RSTP/STP, STP has to be activated and enabled. Some of the commands are
repeated here for clarity. Using S-Ring with multiple switches, it is recommended to do the
following:
1) On the switch which is the root node, authorize the use of S-Ring software
2) On the switch which is the root node or where the top of the ring ports are configured
enable RSTP (or STP)
3) On the root node do not enable LLL along with RSTP (or STP)
4) On all other switches (except the root node), disable RSTP (or STP)
5) On all other switches (except the root node), enable LLL for the ring ports

Ports associated with S-Ring should have the following settings

• Auto negotiation - disable
• Speed - Fixed
• Same Speed
• Same Duplex and
• LLL - enable

The steps to configure S-Ring are

169
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 121 – Configure the switch for RSTP (or STP). In this example, RSTP is enabled

Once RSTP (or STP) is enabled, the next step is to go to the Root Node or the Ring Master and
designate the ports which make up the ring. The Root Node or the Ring Master is usually the
switch on which on which the S-Ring license key was authorized.

The menu is Configuration RSTP S-Ring

Initially no S-Ring is defined. As discussed earlier, S-Ring has to have two ports defined. In case
there is already an S-Ring defined, its best to start with Learn option. Failing a Learn, the S-Ring
can be defined and added. To initiate the Learn, click on the Learn button shown in the figure
above.

170
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 122 – Adding S-Ring. Using the Learn function built in to MNS-6K to see if there are other members
participating in S-Ring

171
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 123 – Learning S-Ring defined or on the network. This learning takes a few minutes

After the learning is completed, the S-Ring information will be displayed or a warning window
shown to indicate that no S-Rings were found.

172
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 124 – No S-Ring detected

If there is no ring, this is a valid detection. Sometimes, the ring is not detected as the ports
connected to the rings may not have RSTP (or STP) enabled. To do that – follow the directions
below.

173
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 125 – If STP or RSTP is not enabled, S-Ring detection will fail. To fix that, enable RSTP or STP
first as shown. In some cases the S-Ring detection will fail as there is no S-Ring defined. In those situations, the
ports have to be added to define an S-Ring

FIGURE 126 – Defining Port 1 (Ingress) and Port 2 (Egress) ports for S-Ring

If no S-Ring is defined, the S-Ring can be added. As discussed earlier, multiple S-Rings can be
added to a switch using this process.

174
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

After the S-Ring is added, don’t forget to enable S-Ring as shown below.

FIGURE 127 – Ensure the status is set to enable after the S-Ring is added

After the S-Rings are defined, it is important to define the ports as part of the S-Rings with LLL
capabilities. If multiple switches are used as part of the S-Ring, this process has to be followed on
each switch. On member switch, also ensure that STP is turned off. To use LLL, use the
Configuration RSTP Link Loss Learn menu as shown below.

175
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 128 – Link Loss Learn

It is important to add the ports connected to other devices to be enabled with LLL capabilities. For
example if ports 9,10,11 also were “trunk” ports (besides ports 13, 14 being S-Ring ports), add these
ports as LLL ports. To do that click on the Edit button shown above and select the ports as shown
below.

176
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 129 – Adding Ports for LLL

Once the proper ports are added, click on OK. The LLL menu will show the ports added as
shown in the figure below.

177
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 130 – Adding (or deleting) ports with LLL

Finally – save the configuration using the Save icon

If the BPDU stream is broken, or it finds the Link-Loss-Learn signal, the system
will immediately force RSTP to put both ports in forwarding mode. Should that
happen, the ring status will be displayed as “OPEN”

If the ring sees BPDU packets not belonging to itself on any of the ports, it will
set the ring to “UNKNOWN” state, and stop all ring activity on that ring.

The ring activity has several timers and safeguards to prevent erroneous
operation. Ring faults are not expected to happen in quick successions. If the ring system sees a
sequence of changes in the duration of a less than a second each, it will temporarily ignore the
signals and leave RSTP (or STP) to reconfigure the ring (network) using the normal IEEE 802.1d
algorithms.

With S-Ring it is also critical to setup and configure Link-Loss-Learn as the S-ring can recover from
fault situations a lot faster.

178
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

RSTP Operation with RS-Ring

When the managed Magnum 6K family of switches is used in the network and the RS-Ring
feature is enabled 4 , each of the managed Magnum 6K switches knows of the neighbor and the
related associations and topologies. The RS-Ring capability overrides the normal RSTP analysis
for the ring-pair ports on each switch, providing quick recovery of the ring fault without
conflicting with standard RSTP. Unlike S-Ring, the decision is made by each individual switch and
not by the ring master. For RS-Ring, the user must select the two ports (port pairs) and enable
RS-Ring on each of the switches in the ring.

Ring 1
Ring 2

FIGURE 131 – More than one RS-Ring cannot be defined per managed Magnum 6K switch. Note –
unmanaged switches cannot participate in RS-Ring.

The port-pairs may be of any media type, and the media type does not have to be the same for the
pair. With the Magnum 6K family of switches, a port operating at any speed (10Mb, 100Mb, Gb)
may be designated as part of a RS-Ring port pair ensuring proper Ethernet configuration of the
ring elements.

After selecting a port-pair for a ring, the manager or administrator enables RS-Ring on the
selected port-pairs via RS-Ring software commands. One command (enable / disable) turns RS-
Ring on and off. Another command adds / deletes port- pairs. Other commands provide for
status reporting on the ring. The MNS-6K software package provides for remote operation,
access security, event logs, and other industry-standard managed network capabilities suitable for
industrial applications requiring redundancy.

When RS-Ring is enabled for a port-pair, fault detection and recovery are armed for the associated
ring. The standard RSTP functions are performed by the Magnum 6K family of switches for
other ports in the same manner as they would be without RS-Ring enabled, when operating in the

4 Note – S-Ring license also enables use of RS-Ring

179
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

RING_CLOSED state. During this state, RS-Ring is also watching the flow of the BPDU packets
that move around the ring between the designated part-pair.

The extra capability of RS-Ring comes into play when a fault occurs. When the flow of BPDU
packets around the ring is interrupted RS-Ring quickly acts to change the blocking port’s state to
forwarding. No waiting for RSTP analysis. No checking for other possible events. No other ports
to look at. No 30-second delay before taking action. RS-Ring takes immediate corrective action
for quick recovery from the fault in the ring. The ring becomes two strings topologically, and
there is a path through the two strings for all normal LAN traffic to move as needed to maintain
LAN operations.

When the fault is cured, the re-emergence of the ring structure enables the BPDU packets to flow
again between the ring’s port-pair. This flow of packets may take as long as 6 seconds in most
situations. This is recognized by RS-Ring as well as by RSTP and one of the ports in the defined
ring port pair is changed to the blocking state. RS-Ring takes the recovery action immediately, not
waiting for the 30-second STP analysis.

Rings are simple structures. Either one port of a pair is forwarding or both are. Not complicated;
not much to go wrong.

Configuring RS-Ring
RS-Ring is a licensed software feature from GarrettCom Inc. Before using the RS-Ring
capabilities; authorize the use of the software with the S-Ring license key. The same license key is
used for either the S-Ring or RS-Ring. To obtain the license key, please contact GarrettCom Inc.
Sales (for purchasing the S-Ring feature) or Technical Support (to obtain the 12 character key.) If
the S-Ring capability was purchased along with the switch, the software license code will be
included with the switch.

Since RS-Ring uses RSTP, RSTP has to be activated and enabled. Some of the commands are
repeated here for clarity. Using RS-Ring with multiple switches, it is recommended to do the
following:
1) On all switches in the ring topology, authorize the use of RS-Ring software
2) On all the switches in the ring, enable RSTP
3) On all the switches in the ring designate the ports which make the ring pair
4) Only the ports on the RS-Ring must be enabled with RS-Ring capability
5) DO NOT enable S-Ring and RS-Ring in a given ring at the same time.
6) Enable RS-Ring on each switch

Ports associated with RS-Ring should have the following settings

• Same Speed
• Same Duplex capabilities

180
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

The necessary steps are

Activate the RS-Ring license on each of the switches participating in the RS-Ring. Note the same
license as S-Ring is used to activate RS-Ring. To activate RS-Ring, use the CLI command

Syntax authorize <module> key=<security key> - activate the RS-Ring (or S-Ring) capabilities.
Don’t forget to use the “save” command to save the key

Magnum6K25# authorize s-ring key=abc123456789

S-RING Module Successfully Authorized
Please Save Configuration.
Magnum6K25# save

Saving current configuration

Configuration saved

Saving current event logs

Event logs saved
FIGURE 132 – Activating S-Ring on the switch
One can use a telnet session to activate the S-Ring license as shown below.

181
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 133 – Activating RS-Ring license – the same license as S-Ring is used to activate RS-Ring

182
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 134 – Configure the switch for RSTP (or STP). In this example, RSTP is enabled

Once RSTP is enabled, the next step is to enable RS-Ring on the necessary ports. Make sure S-Ring, if
any, is disabled on the switch as shown below.

183
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 135 – If there is an S-Ring configured, make sure that it is disabled

Add the two ports which will participate in the RS-Ring as shown below

184
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 136 – Manually add the two ports which will participate in the RS-Ring

185
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 137 – Manually add the two ports which will participate in the RS-Ring. Click OK to add these ports
as members of RS-Ring

Check to see if LLL is active on the two member ports. If LLL is active on those ports, disable LLL on
those ports. In the example below, LLL is active on ports 13,14. Click on Edit and then turn off LLL
on the ports as shown below.

186
 M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 138 – Disable LLL on ports participating in RS-Ring

Finally activate RS-Ring

FIGURE 139 – To activate RS-Ring – use the enable drop down from the RS-Ring menu

187
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Finally – save the configuration using the Save icon

Intentionally left blank

188
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

12
Chapter

12 – Dual-Homing
Fault tolerance options for edge devices

D
esigning and implementing high-availability Ethernet LAN topologies in networks
can be challenging. Traditionally, the choices for redundancy for edge of the
network devices were too limited, too expensive, and too complicated to be
considered in most networks. Redundancy at the edge of the network is greatly
simplified by the using dual-homing.

Dual-Homing concepts

j In Ethernet LANs, dual-homing is a network topology that adds

reliability by allowing a device to be connected to the network by way
of two independent connection points (points of attachment). One
connection point is the operating connection, and the other is a standby or back-up connection
that is activated in the event of a failure of the operating connection. A dual-homing switch
(such as EDS42) offers two attachments into the network or two independent media paths and
two upstream switch connections. In the case of the Magnum 6K family of switches, any two
ports can be defined as dual-home ports to provide this level of redundancy. Loss of the Link
signal on the operating port connected upstream indicates a fault in that path, and traffic is
quickly moved to the standby connection to accomplish a fault recovery.

189
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

= Active link
= Standby Link

FIGURE 140 – Dual-homing using ESD42 switch and Magnum 6K family of switches. In case of a connectivity
break – the connection switches to the standby path or standby link

In those situations where the end device is a PoE device (for example, a video surveillance
camera, as shown above) a Magnum 6K switch with MNS-6K can provide PoE to the end
devices as well as other advantages such as IGMP, managed configuration and more. To
provide the managed reliability to the end devices, dual-homing can be used with MNS-6K
devices.

PoE

= Active link
= Standby Link
FIGURE 141 – Dual-homing using Magnum 6K family of switches. Note the end device (video surveillance
camera) can be powered using PoE options on MNS-6K family of switches. In case of a connectivity break – the
connection switches to the standby path or standby link

190
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Because it takes advantage of Ethernet standards, the dual-homing redundancy features of the
ESD42 as well as those for MNS-6K work with any brands or models of Ethernet switches
upstream. With MNS-6K, the user has to define the set of ports which make up the dual-home
ports.

= Active link
PoE = Standby Link

FIGURE 142 – Using S-Ring, RS-Ring and dual-homing, it is possible to build networks resilient not only to a
single link failure but also for one device failing on the network

The following points should be remembered for setting up dual-homing

• Configure dual-homing before connecting the Ethernet
connectors (cables) in the switch 5
• Only one set of dual-homing ports can be defined per switch
• Port types (Copper vs fiber) as well as speeds can be mixed and
matched – both ports need not be identical

5 If dual homing is not configured there is a potential a loop can be created and either STP or RSTP will setup the port in the
active stand-by mode. Dual-homing may not work if one of the dual-homed port is in active standby. To avoid that situation, it is
recommended to configure dual-homing first.

191
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

• By default dual-homing is turned off – you have to enable it after the ports are defined
• Dual-homing ports can span different modules in a switch

Dual-Homing Modes
There are two modes in which the dual-homing works. The first one is where the ports are
“equivalent” i.e. if one port fails, the other one take over, however, if the first (failed) port
recovers, the active port does not switch back.

The second mode of operation is primary-secondary mode. In this mode of operation, the
primary port is explicitly defined and the secondary port is explicitly defined. In the primary-
secondary mode of operation, if the primary fails, the secondary takes over. When the primary
recovers, the secondary switches back from active state to passive state and the primary port is
now the active port.

The primary-secondary mode has to be explicitly setup. The primary-secondary mode of

operation is only possible on managed switches such as the Magnum 6K family of switches.

The primary-secondary mode of operation allows the network manager to determine on which
path the packets will flow (as a default).

Configuring Dual-Homing
The following steps can be used for configuring Dual-Homing.

Select the menus Configuration Dual Homing as shown below

192
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 143 – Dual-Homing configuration. Click on Edit, as shown above, to add dual-homing

Make sure the Ethernet cables are not plugged in as described above.

To add dual homing, click on the edit button. Before the dual homing ports are configured, SWM
will ask you to select the mode of operation for the dual homing.

193
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 144 – To select the Primary-backup mode, as discussed earlier, click on Yes. To select the “equivalent”
port modes, select No

194
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 145 – After electing the ports for dual homing (maximum of 2 only), click OK. Make sure one port is
Primary and the other one is the Secondary port

After this, the screen shows the ports added. Next step is to enable Dual homing as shown below.

195
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 146 – Enable Dual-Homing after the ports are added.

196
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 147 – After activation, a check mark in the active column shows the active port and defines the type of
port as well

To delete the configuration, click on the “Delete” button. SWM will ask for confirmation, and clicking
OK, the configuration is deleted.

197
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 148 – deleting dual-homing configuration. Click OK to delete the configuration. Dual homing is disabled
after the deletion

To add the mode of dual-homing so that the dual home ports are “equivalent” i.e. the non active port,
when it becomes active, stays active, follow the steps below.

198
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 149 – Click on Edit to add dual-homing

199
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 150 - Click on “No” to add “equivalent” mode

Select the ports for the dual homing and then click OK, as shown below

200
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 151 – Select the dual-homing ports

After selecting the port, enable dual-homing as shown earlier. Once dual-homing is enabled, the active
port has a check mark next to it as shown below.

201
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 152 – After enabling dual-homing the status of the active port is shown

Finally – save the configuration using the Save icon

202
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

13
Chapter

13 – Link Aggregation Control

Protocol (LACP)
Increase Network throughput and reliability

L
ink aggregation Link Aggregation Control Protocol (LACP) is part of an IEEE
specification (IEEE 802.3ad) that allows several physical ports to be grouped or bundled
together to form a single logical channel. This increases the throughput across two
devices and provides improved reliability.

LACP concepts

j The IEEE802.3ad standard provides for the formation of a single

Layer 2 link from two or more standard Ethernet links using the
Link Aggregation Control Protocol (LACP). LACP provides a
robust means of assuring that both ends of the link are up and agree to be members of the
aggregation before the link member is activated. LACP trunking is a method of combining
physical network links into a single logical link for increased bandwidth. With LACP the
effective bandwidth of a trunk and network availability is increased. Two or more Fast
Ethernet connections are combined as one logical trunk in order to increase the
bandwidth and to create resilient and redundant links. By taking multiple LAN
connections and treating them as a unified, aggregated link, Link Aggregation provides the
following important benefits:
• Higher link availability – in case a link fails, the other links continue to operate
• Increased link capacity – the effective throughput is increased
• Better port utilization – allows unused ports to be used as trunk ports allowing
better throughput and availability
• Interoperability – being a standard allows LACP to work across different hardware
platforms where LACP is supported

Failure of any one physical link will not impact the logical link defined using LACP. The
loss of a link within an aggregation reduces the available capacity, but the connection is
maintained and the data flow is not interrupted.

203
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

The performance is improved because the capacity of an aggregated link is higher than
each individual link alone. 10Mbps or 10/100Mbps or 100Mbps ports can be grouped
together to form one logical link.

Instead of adding new hardware to increase speed on a trunk – one can now use LACP to
incrementally increase the throughput in the network, preventing or deferring hardware
upgrades. Some known issues with LACP on the Magnum 6K family of switches are:

• LACP will not work on Half Duplex ports.

• All trunk ports must be on the same module. Trunk ports cannot
be spread out across different modules.
• All trunk ports MUST have the same speed setting. If the speed is
different, LACP shows an error indicating speed mismatch.
• Many switches do not forward the LACPDUs by default. So, it is possible to hook up
multiple ports to these switches and create an Ethernet loop. (In many cases this is
prevented by Spanning Tree running on these switches).
• All ports in a trunk group should be members of the same VLAN. Each port can be a
member of multiple VLANs, but each port should have at least one VLAN that is
common to both the port groups.
• The LACPDU packets are sent out every 30 seconds. It is possible that in configuring
LACP, a loop can be created until LACP notification is completed. It is recommended
to configure LACP first and then physically connect the ports to avoid this potential
issue.
• Port Security will not work with the ports configured for LACP.
• IGMP will work with the primary LACP port only. All IGMP traffic is sent via a
primary port. If needed, this port can be mirrored for traffic analysis.

LACP Configuration
For LACP to work on the Magnum 6K family of switches, only one trunk per module can be
created. Some valid connections are shown in the picture below.

204
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Switch 1 Switch 1

Switch 2 Switch 2

FIGURE 153 – Some valid LACP configurations.

Should trunks be created so as to span multiple ports, a “trunk mismatch” error message is
printed on the console. An example of an incorrect configuration is shown below.

Switch 1

Switch 2

FIGURE 154 – an incorrect LACP connection scheme for Magnum 6K family of switches. All LACP trunk
ports must be on the same module and cannot span different modules.

Another example is highlighted below where some ports belong to VLAN 10 (shown in red)
and other ports belong to VLAN 20 (shown in blue). If the port groups do not have a common
VLAN between them, LACP does not form a connection.

205
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Switch 1
VLAN 10
VLAN 20

Switch 2

FIGURE 155 – In this figure, even though the connections are from one module to another, this is still not a valid
configuration (for LACP using 4 ports) as the trunk group belongs to two different VLANs.

However – on each switch, the set of ports can belong to same VLANs as shown in the figure
below. While the ports belong to the same VLANs, there is no common VLAN between the
switches and hence the LACPDU cannot be transmitted. This configuration will not work in
the LACP mode.

VLAN 10 Switch 1

VLAN 20 Switch 2

FIGURE 156 - In the figure above, there is no common VLAN between the two sets of ports, so packets from one
VLAN to another cannot be forwarded. There should be at least one VLAN common between the two switches
and the LACP port groups.

206
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Switch 1
VLAN 1,10
VLAN 1,20

Switch 2

FIGURE 157 – This configuration is similar to the previous configuration, except there is a common VLAN
(VLAN 1) between the two sets of LACP ports. This is a valid configuration.

Switch 1

Switch 2

Switch 3

FIGURE 158 – In the architecture above, using RSTP and LACP allows multiple switches to be configured together in a
meshed redundant link architecture. First define the RSTP configuration on the switches. Then define the LACP ports.
Then finally connect the ports together to form the meshed redundant link topology as shown above

Using the Magnum edge switch with dual homing allows the edge devices to
have link level redundancy as well – bringing the fault tolerance from the
network to the edge.

207
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Switch 1

Switch 2

Switch 3
ACT
/
LK

T
LK/

Dual Homed
AC
A
F

R
10 OR

OR

PW
100

1 0/
10 0

6
1

Edge Switch
3

P ORT
4

P O RT
D

4
3

Ma gn
2

um
1

H a E 42
r d
Edg Se
e n
d
e S
w it
12 VDC 1 AM P

ch
100
10/
100
10/

FIGURE 159 – LACP, along with RSTP/STP brings redundancy to the network core or backbone. Using this
reliable core with a dual homed edge switch brings reliability and redundancy to the edge of the network

It is recommended not to use LACP with S-Ring or RS-Ring at this time.

Since S-Ring, RS-Ring and LACP use the same BPDUs (called LACPDUs), the architecture
shown below is not supported in this release.

208
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

S-Ring 1

S-Ring 2

FIGURE 160 – This architecture is not recommended

LACP can be used for creating a reliable network between two facilities connected via a
wireless bridge. As shown in the figure below, four trunk ports are connected to four wireless
bridge pairs. This increases the effective throughput of the wireless connections and also
increases the reliability. If one of the bridges were to stop functioning, the other three will
continue to operate, providing a very reliable infrastructure.

209
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Facility 1

A A

A A

A A
A
A

Facility 2
FIGURE 161 – Creating a reliable infrastructure using wireless bridges (between two facilities) and LACP. “A”
indicates a Wi-Fi wireless Bridge or other wireless Bridges.

Some other definitions are worth noting are primary port. Primary port is the port over
which specific traffic like Multicast (IGMP), unknown Unicast and broadcast traffic is
transmitted. As shown by the add port command, the port with the lowest priority
value has the highest priority and is designated as the primary port. If traffic analysis is
required, it is recommended to mirror the primary port (and physically disconnect the
other ports if all traffic needs to be captured).

If multiple ports have the same priority, the first port physically connected becomes the
primary port. In case the ports are already connected, the port with the lowest port
count becomes the primary port i.e. if ports 12, 13, 14 are designated as the LACP
group, port 12 would become the primary port.

If the primary port fails, the next available secondary port is designated as the primary
port. So in the example above, if port 12 fails, port 13 will be designated as the primary
port.

To configure LACP, first define the set of ports which make up the trunk. Next define
the set of trunks. In the example below, we will define ports 12, 13 as a set of ports for
the trunk.

210
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

For the LACP menu, use Configuration LACP Port as shown below.

FIGURE 162 – Enable LACP first

211
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 163 – Add the necessary ports to define the trunk

Define ports 12 and 13 as the set of ports for the first trunk

212
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 164 – Add the ports which make up the trunk. The priorities will be automatically assigned – this field
can be left blank

The priorities can be changed to manipulate on which links the Ethernet traffic traverses on.

213
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 165 – After the ports are added, the values can be edited if needed or the ports deleted using the edit or
delete icons on the menu

Once the ports are added, the trunk status is checked by viewing the Configuration LACP Trunk
menu as shown below.

214
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 166 – Reviewing the trunk status

One would expect the trunk status to display the trunk which was just added. However in this situation,
no trunk is displayed. Clicking on the Orphan Port(s) status, as shown above, will display the status of
the “orphan” ports or ports which are not members of any LACP trunks.

215
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 167 – The orphan status display the reason why the ports were not members of the LACP trunk. The
links is down – i.e. the ports were not connected. After the other switch is configured with the proper LACP
settings, should the RJ-45 cables be plugged in to enable LACP

Only after the other switch is configured with the proper LACP settings, the Ethernet cables
should be plugged into both the switches to enable LACP. After that is done, the Trunk menu
will display the LACP trunks which are active.

Finally – save the configuration using the Save icon

216
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

14
Chapter

14 – Quality of Service
Prioritize traffic in a network

Q
uality of Service (QoS) refers to the capability of a network to provide different
priorities to different types of traffic. Not all traffic in the network has the same
priority. Being able to differentiate different types of traffic and allowing this traffic to
accelerate through the network improves the overall performance of the network. It
also provides the necessary quality of service demanded by different users and devices.
The primary goal of QoS is to provide priority including dedicated bandwidth.

QoS Concepts

j The Magnum 6K family of switches supports QoS as specified in

the IEEE 802.1p and IEEE 802.1q standards. QoS is important in
network environments where there are time-critical applications,
such as voice transmission or video conferencing, which can be adversely effected by
packet transfer delays or other latency in a network.

Most switches today implement buffers to queue incoming packets as well as outgoing
packets. In a queue mechanism, normally the packet which comes in first leaves first
(FIFO) and all the packets are serviced accordingly. Imagine if each packet had a priority
assigned to it. If a packet with a higher priority than other packets were to arrive in a
queue, the packet would be given a precedence and moved to the head of the queue and
would go out as soon as possible. The packet is thus preempted from the queue and this
method is called preemptive queuing.

Preemptive queuing makes sense if there are several levels of priorities, normally more
than two. If there are too many levels, then the system has to spend a lot of time
managing the preemptive nature of queuing. IEEE 802.1p defines and uses eight levels of
priorities. The eight levels of priority are enumerated 0 to 7, with 0 the lowest priority and
7 the highest.

To make the preemptive queuing possible, most switches implement at least two queue
buffers. The Magnum 6K family of switches has two priority queues, 1 (low) and 0
(high).When tagged packets enter a switch port, the switch responds by placing the packet

217
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

into one of the two queues, and depending on the precedence levels the queue could be
rearranged to meet the QoS requirements.

DiffServ and QoS

QoS refers to the level of preferential treatment a packet receives when it is being sent through a
network. QoS allows time sensitive packets such as voice and video, to be given priority over time
insensitive packets such as data. Differentiated Services (DiffServ or DS) are a set of technologies
defined by the IETF (Internet Engineering Task Force) to provide quality of service for traffic on
IP networks.

DiffServ is designed for use at the edge of an Enterprise where corporate traffic enters the service
provider environment. DiffServ is a layer-3 protocol and requires no specific layer-2 capability,
allowing it to be used in the LAN, MAN, and WAN. DiffServ works by tagging each packet (at
the originating device or an intermediate switch) for the requested level of service it requires
across the network.

IP Header

Protocol
DMAC SMAC ToS Data FCS
Type

Diffserv Code Points (DSCP) Unused

FIGURE 168 – ToS and DSCP

DiffServ inserts a 6-bit DiffServ code point (DSCP) in the Type of Service (ToS) field of the IP
header, as shown in the picture above. Information in the DSCP allows nodes to determine the
Per Hop Behavior (PHB), which is an observable forwarding behavior for each packet. Per hop
behaviors are defined according to:
• Resources required (e.g., bandwidth, buffer size)
• Priority (based on application or business requirements)
• Traffic characteristics (e.g., delay, jitter, packet loss)

Nodes implement PHBs through buffer management and packet scheduling mechanisms. This
hop-by-hop allocation of resources is the basis by which DiffServ provides quality of service for
different types of communications traffic.

218
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

IP precedence
IP Precedence utilizes the three precedence bits in the IPv4 header's Type of Service (ToS) field
to specify class of service for each packet. You can partition traffic in up to eight classes of service
using IP precedence. The queuing technologies throughout the network can then use this signal to
provide the appropriate expedited handling.

Data +FCS

ToS byte

3 bits

IP precedence
FIGURE 169 - IP Precedence ToS Field in an IP Packet Header

The 3 most significant bits (correlating to binary settings 32, 64, and 128) of the Type of Service
(ToS) field in the IP header constitute the bits used for IP precedence. These bits are used to
provide a priority from 0 to 7 for the IP packet.

Because only 3 bits of the ToS byte are used for IP precedence, you need to differentiate these
bits from the rest of the ToS byte.

The Magnum 6K family of switches has the capability to provide QoS at Layer 2. At Layer 2, the
frame uses Type of Service (ToS) as specified in IEEE 802.1p. ToS uses 3 bits, just like IP
precedence, and maps well from Layer 2 to Layer 3, and vice versa.

The switches have the capability to differentiate frames based on ToS settings. With two queues
present - high or low priority queues or buffers in Magnum 6K family of switches, frames can be
placed in either queue and serviced via the weight set on all ports. This placement of queues -
added to the weight set plus the particular tag setting on a packet - allows each queue to have
different service levels.

Magnum QoS implementations provide mapping of ToS (or IP precedence) to Class of Service
(CoS). A CoS setting in an Ethernet Frame is mapped to the ToS byte of the IP packet, and vice
versa. A ToS level of 1 equals a CoS level of 1. This provides end-to-end priority for the traffic
flow when Magnum switches are deployed in the network.

219
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Not all packets received on a port have high priority. IGMP and BPDU packets
have high priority by default

Magnum 6K family of switches has the capability to set the priorities based on three different
functions. They are

Port QoS: assigns a high priority to all packets received on a port, regardless of the type of
packet

Tag QoS: if a packet contains a tag, the port on which the packet was received then looks to see
at which level that tag value is set. Regardless of the tag value, if there is a tag, that packet is
automatically assigned high priority (sent to the high priority queue)

ToS QoS: (Layer 3) when a port is set to ToS QoS, the most significant 6-bits of the IPv4 packet
(which has 64 bits) are used. If the 6 bits are set to ToS QoS for the specific port number the
packet went to, that packet is assigned high priority by that port

Configuring QoS
Magnum 6K Switches support three types of QoS - Port based, Tag based and ToS based.

QoS is disabled by default on the switch. QoS needs to be enabled and

configured

A weight is a number calculated from the IP precedence setting for a packet.

This weight is used in an algorithm to determine when the packet will be serviced

As mentioned previously, the switch is capable of detecting higher-priority packets marked with
precedence by the IP forwarder and can schedule them faster, providing superior response time
for this traffic. The IP Precedence field has values between 0 (the default) and 7. As the
precedence value increases, the algorithm allocates more bandwidth to that traffic to make sure
that it is served more quickly when congestion occurs. Magnum 6K family of switches can assign
a weight to each flow, which determines the transmit order for queued packets. In this scheme,
lower weights (set on all ports) are provided more service. IP precedence serves as a divisor to
this weighting factor. For instance, traffic with an IP Precedence field value of 7 gets a lower
weight than traffic with an IP Precedence field value of 3, and thus has priority in the transmit
order.

220
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Once the port weight is set, the hardware will interpret the weight setting for all ports as outlined
below (assuming the queues are sufficiently filled. If there are no packets for example in the high
priority queue, packets are serviced on a first come first served - FCFS - basis from the low
priority queue).

Setting Hardware traffic queue behavior

0 No priority – traffic is sent alternately from each queue and packets are queued
alternately in each queue
1 Two packets are sent from the HIGH priority queue and one packet from LOW
priority queue
2 Four packets are sent from the HIGH priority queue and one packet from LOW
priority queue
3 Six packets are sent from the HIGH priority queue and one packet from LOW
priority queue
4 Eight packets are sent from the HIGH priority queue and one packet from LOW
priority queue
5 Ten packets are sent from the HIGH priority queue and one packet from LOW
priority queue
6 Twelve packets are sent from the HIGH priority queue and one packet from
LOW priority queue
7 All packets are sent from the HIGH priority queue and none are sent from LOW
priority queue
FIGURE 170 - Port weight settings and the meaning of the setting

Sometimes it is necessary to change the priority of the packets going out of a switch. For example,
when a packet is received untagged and has to be transmitted with an addition of the 802.1p
priority tag, the tag can be assigned depending on the untag value set. To access QoS settings, use
the Configuration QoS menus.

221
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 171 - Accessing QoS settings

Select the Port and the type of QoS/ToS Settings. The next few figures show examples of them.

222
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 172 – Setting Port 14 for Port based QoS with a high priority. Note the sections on Tag and TOS are
ignored for Port settings

After the port QoS settings are completed, the changes are reflected on the QoS menu screen.

223
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 173 – Port 14 QoS settings indicate a High Priority as set

Next a Tag based QoS is enabled on Port 13.

224
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 174 – Adding Tag based QoS on Port 13 – Note the menu area for Tag Setting is only relevant

After the Tag QoS settings are completed, the changes are reflected on the QoS menu screen.

225
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 175 – Port 13 reflects the Tag QoS settings

Next a ToS is enabled on Port 12.

226
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 176 – Adding ToS for Port 12. Only the ToS Level Settings of the screen are relevant

227
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 177 – After ToS settings. Note the different types of settings are clear from this window. Port 14 has
Port based QoS, port 13 has Tag based QoS and finally port 12 is using ToS.

Finally, after all changes are made, do not forget to save the changes using the save icon

228
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

15
Chapter

15 – IGMP
Multicast traffic on a network

I
nternet Group Management Protocol (IGMP) is defined in RFC 1112 as the standard for IP
multicasting in the Internet. It is used to establish host memberships in particular multicast
groups on a single network. The mechanisms of the protocol allows a host to inform its
local router, using Host Membership Reports that it wants to receive messages addressed to
a specific multicast group. All hosts conforming to level 2 of the IP multicasting
specification require IGMP.

IGMP Concepts6

j The Magnum 6K family of switches supports IGMP L2 standards as

defined by RFC 1112. IGMP is disabled by default and needs to be
enabled on the Magnum 6K family of switches. IP multicasting is defined
as the transmission of an IP datagram to a "host group", a set of zero or more hosts identified by
a single IP destination address. A multicast datagram is delivered to all members of its destination
host group with the same "best-efforts" reliability as regular unicast IP datagrams, i.e. the
datagram is not guaranteed to arrive at all members of the destination group or in the same order
relative to other datagrams.
The membership of a host group is dynamic; that is, hosts may join and leave groups at any time.
There is no restriction on the location or number of members in a host group, but membership in
a group may be restricted to only those hosts possessing a private access key. A host may be a
member of more than one group at a time. A host need not be a member of a group to send
datagrams to it.
A host group may be permanent or transient. A permanent group has a well-known,
administratively assigned IP address. It is the address and not the membership of the group that is
permanent; at any time a permanent group may have any number of members, even zero. A
transient group on the other hand is assigned an address dynamically when the group is created, at
the request of a host. A transient group ceases to exist, and its address becomes eligible for
reassignment, when its membership drops to zero.

6 Most of the concepts are extracted from RFC 1112 and it is recommended that RFC 1112 be read and understood carefully if

IGMP is used or planned for the network.

229
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

The creation of transient groups and the maintenance of group membership information is the
responsibility of "multicast agents", entities that reside in internet gateways or other special-
purpose hosts. There is at least one multicast agent directly attached to every IP network or sub-
network that supports IP multicasting. A host requests the creation of new groups, and joins or
leaves existing groups, by exchanging messages with a neighboring agent.
The Internet Group Management Protocol (IGMP) is an internal protocol of the Internet
Protocol (IP) suite. IP manages multicast traffic by using switches, multicast routers, and hosts
that support IGMP. (In the MNS-6K implementation of IGMP, a multicast router is not
necessary as long as a switch is configured to support IGMP with the querier feature enabled.) A
set of hosts, routers, and/or switches that send or receive multicast data streams to or from the
same source(s) is termed a multicast group, and all devices in the group use the same multicast group
address. The multicast group running version 2 of IGMP uses three fundamental types of
messages to communicate:

• Query: A message sent from the querier (multicast router or switch) asking for a response from
each host belonging to the multicast group. If a multicast router supporting IGMP is not present,
then the switch must assume this function in order to elicit group membership information from
the hosts on the network. (If you need to disable the querier feature, you can do so through the
CLI, using the IGMP configuration MIB. See “Changing the Querier Configuration Setting” on
page “Configuring the Querier Function”)

• Report: A message sent by a host to the querier to indicate that the host wants to be or is a
member of a given group indicated in the report message

• Leave Group: A message sent by a host to the querier to indicate that the host has ceased to be a
member of a specific multicast group. Thus, IGMP identifies members of a multicast group
(within a subnet) and allows IGMP-configured hosts (and routers) to join or leave multicast groups

When IGMP is enabled on the Magnum 6K family of switches, it examines the IGMP packets it
receives:
• To learn which of its ports are linked to IGMP hosts and multicast routers/queriers belonging
to any multicast group

• To become a querier if a multicast router/querier is not discovered on the network

Once the switch learns the port location of the hosts belonging to any particular multicast group,
it can direct group traffic to only those ports, resulting in bandwidth savings on ports where
group members do not reside. The following example illustrates this operation.

The figure below shows a network running IGMP.

230
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 178 – IGMP concepts – advantages of using IGMP

• PCs 1 and 4, switch 2, and all of the routers are members of an IP multicast group. (The
routers operate as queriers.)
• Switch 1 ignores IGMP traffic and does not distinguish between IP multicast group members
and non-members. Thus, it is sending large amounts of unwanted multicast traffic out the
ports to PCs 2 and 3
• Switch 2 is recognizing IGMP traffic and learns that PC 4 is in the IP multicast group
receiving multicast data from the video server (PC X). Switch 2 then sends the multicast data
only to the port for PC 4, thus avoiding unwanted multicast traffic on the ports for PCs 5 and
6

231
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

The figure below shows a network running IP multicasting using IGMP without a multicast
router. In this case, the IGMP-configured switch runs as a querier. PCs 2, 5, and 6 are members
of the same IP multicast group. IGMP is configured on switches 3 and 4. Either of these switches
can operate as querier because a multicast router is not present on the network. (If an IGMP
switch does not detect a querier, it automatically assumes this role, assuming the querier feature is
enabled—the default—within IGMP.)

FIGURE 179 – IGMP concepts – Isolating multicast traffic in a network

• In the above figure, the multicast group traffic does not go to switch 1 and beyond. This
is because either the port on switch 3 that connects to switch 1 has been configured as
blocked or there are no hosts connected to switch 1 or switch 2 that belong to the
multicast group
• For PC 1 to become a member of the same multicast group without flooding IP multicast
traffic on all ports of switches 1 and 2, IGMP must be configured on both switches 1 and
2, and the port on switch 3 that connects to switch 1 must be unblocked

IP Multicast Filters - IP multicast addresses occur in the range from 224.0.0.0 through
239.255.255.255 (which corresponds to the Ethernet multicast address range of 01005e-000000
through 01005e-7fffff in hexadecimal.) Devices such as the Magnum 6K family of switches
having static Traffic/Security filters configured with a “Multicast” filter type and a “Multicast
Address” in this range will continue in effect unless IGMP learns of a multicast group destination

232
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

in this range. In that case, IGMP takes over the filtering function for the multicast destination
address(es) for as long as the IGMP group is active. If the IGMP group subsequently deactivates,
the static filter resumes control over traffic to the multicast address formerly controlled by IGMP.

Reserved Addresses Excluded from IP Multicast (IGMP) Filtering – Traffic to IP multicast

groups in the IP address range of 224.0.0.0 to 224.0.0.255 will always be flooded because
addresses in this range are “well known” or “reserved” addresses. Thus, if IP Multicast is enabled
and there is an IP multicast group within the reserved address range, traffic to that group will be
flooded instead of filtered by the switch.

IGMP Support - Magnum 6K family of switches support IGMP version 1 and version 2. The
switch can act either as a querier or a nonquerier. The querier router periodically sends general
query messages to solicit group membership information. Hosts on the network that are members
of a multicast group send report messages. When a host leaves a group, it sends a leave group
message. The difference between version 1 and version 2 is that version 1 does not have a
“Leave” mechanism for the host. Magnum 6K family of switches do pruning when there is a leave
message or a time expires on a port, we prune the multicast group membership on that port.

1. The Magnum 6K family of switches can snoop up to 256 Multicast groups.

It can be enabled within a port VLAN, tagged VLAN, or no VLAN.
2. IGMP is disabled as a default.

A switch, with IGMP snooping has the behavior similar to a regular switch
(default IGMP behavior) i.e. it forwards the multicast stream (packets) to all the ports.
Now, if a device on any of the ports sends a join report or invokes the IGMP Pruning action, the
behavior changes. A multicast group is formed in the switch, and the stream is sent only to those
ports that actually want to join the stream.
The default behavior of multicasting streams to all ports could create problems when there are a
number of multicast streams that enter the switch though a number of different ports. Each
stream goes to ALL OTHER ports and creates congestion in the switch.

IGMP-L2
IGMP requires a Layer 3 device in the network. What happens if your network has only Layer 2
devices? Can the Layer 2 devices take advantage of the IGMP technology and reduce the overall
traffic in the network, without requiring the presence of a Layer 3 device in the network? Using
GarrettCom IGMP-L2 (patent pending technology), it is possible to do that.
The benefits of IGMP are clear. The traditional ways of building an IGMP network calls for the
IGMP querier to reside on a Layer 3 network device - typically a router or a Layer 3 switch. The
end devices (encoders or transmitters) reside on a Layer 2 device and the encoder sends a
query/join request to join the specific multicast group. The Magnum 6K family of switches, with
the IGMP-L2 enabled, can propagate the query request and also make sure that the multicast

233
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

traffic only goes to the ports requesting the traffic. The Magnum 6K family of switches, using
IGMP-L2, can perform the similar tasks a Layer 3 device performs for IGMP.
For a Layer 2 IGMP environment, all Magnum 6K family of switches have to be enabled in the
IGMP-L2. This is done using the CLI command 'set igmp mode=l2' which will be described
later.
In a Layer 2 network, without IGMP-L2, there is no querier nor is there any capability for the
devices to use IGMP snooping to join a multicast group. Thus - the traffic picture from a
multicast device would look as shown below.

R1 R2

T1

T2
R3 R4

R6 R5
FIGURE 180 - In a Layer 2 network, an IGMP multicast traffic goes to all the nodes. In the figure, T1, a
surveillance camera, using multicast, will send the traffic to all the nodes - R1 through R6 - irrespective of whether
they want to view the surveillance traffic or not. The traffic is compounded when additional cameras are added to
the network. End result is that users R1 through R6 see the network as heavily loaded and simple day to day
operations may appear sluggish.

With IGMP-L2 enabled on all Magnum 6K family of switches, this situation as shown above is
prevented. This is explained in the figure below.

234
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

R1 R2

L2 Mode

T1 L2 Mode
L2 Mode

T2 L2 Mode

R3 R4

R6 R5

FIGURE 181 - Using IGMP-L2 on Magnum 6K family of switches, a Layer 2 network can minimize multicast
traffic as shown above. Each switch has the IGMP-L2 turned on. Each switch can exchange the IGMP query
message and respond properly. R4 wants to view surveillance traffic from T1. As shown by (1), a join request is
sent by R4. Once the join report information is exchanged, only R4 receives the video surveillance traffic, as shown
by (2). No other device on the network gets the video surveillance traffic unless they issue a join request as well.

Since the query and the join information is exchanged between the neighboring switches, the
topology does not matter. The design issue to consider is the timing difference between a
topology recovery and IGMP refresh (recovery). GarrettCom Magnum 6K family of switches,
connected in a S-Ring or RS-Ring topology recovers very rapidly (sub-second recovery). The
IGMP requests for updates are sent out every few seconds (depending on the network and the
devices on the network). The recovery of the network from a fault situation is much faster than
the age out and join request from IGMP. Thus when the Magnum 6K switch network self heals,
it is possible that the video may freeze till the (IGMP) device reissues a join request again.

A few additional facts about IGMP L2

235
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

• GarrettCom Magnum 6K family of switches configured for IGMP-L2 can perform the
Join aggregation required by IGMP
• Multicast forwarding is done based on MAC addresses – so datagram to IP addresses
224.1.2.3 and 239.129.2.3 can be forwarded on the same port groups. It is not possible to
do forwarding based on IP addresses as the Magnum 6K family of switches operate at
Layer-2
• Magnum 6K family of switches, configured for IGMP L2 are aware of IP address range
224.0.0.x as well as MAC address range 01:00:5e:00:00:xx aware as required by RFC 4541
• The Magnum 6K family of switches, configured for IGMP L2 support forwarding to
ports on which multicast routers are attached in addition to the ports where IGMP joins
have been received. Thus IGMP L2 and IGMP L3 networks can co-exist
• The Magnum 6K family of switches, configured for IGMP L2 are aware of topology
changes, so new queries can be sent or tables updated to ensure robustness

Configuring IGMP
For configuring IGMP, use the Configuration IGMP menu

The menu allows the IGMP parameters described earlier to be set. It also provides the necessary
information of IGMP groups and routers.

236
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 182 – IGMP setup

Click on the Edit button to edit the IGMP parameters.

237
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 183 – Configuring IGMP parameters. This screen also enables and disables IGMP

Once the changes are made these are reflected on the Configuration IGMP Information
screen. The Groups and Routers screen displays the IGMP Groups and IGMP Routers
information. All edits to IGMP are done through the Information Screen only.

To set the switch to set the IGMP-L2, use the Administration Set IGMP menu as shown
below

238
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 184 - Setting the IGMP-L2

Finally, do not forget to save the changes made using the save icon .

239
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

16
Chapter

16 – GVRP
Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP)

G
eneric Attribute Registration Protocol (GARP) and VLAN registration over GARP is
called GVRP. GVRP is defined in the IEEE 802.1q and GARP in the IEEE 802.1p
standards. In order to utilize the capabilities of GVRP, GarrettCom Inc. strongly
recommends that the user be familiar with the concepts and capabilities of IEEE
802.1q.

GVRP Concepts
j GVRP makes it easy to propagate VLAN information across multiple switches.
Without GVRP, a network administrator has to go to each individual
switch and enable the necessary VLAN information or block specific
VLAN’s so that the network integrity is maintained. With GVRP, this process can be
automated.

It is critical that all switches share a common VLAN. This VLAN typically is the default
VLAN (VID=1) on most switches and other devices. GVRP uses “GVRP Bridge
Protocol Data Units” (“GVRP BPDUs”) to “advertise” static VLANs. We refer to GVRP
BPDU is as an “advertisement”.

GVRP enables the Magnum 6K family of switches to dynamically create 802.1q-compliant

VLANs on links with other devices running GVRP. This enables the switch to
automatically create VLAN links between GVRP-aware devices. A GVRP link can include
intermediate devices that are not GVRP-aware. This operation reduces the chances for
errors in VLAN configuration by automatically providing VLAN ID (VID) consistency
across the network. GVRP can thus be used to propagate VLANs to other GVRP-aware
devices instead of manually having to set up VLANs across the network. After the switch
creates a dynamic VLAN, GVRP can also be used to dynamically enable port membership
in static VLANs configured on a switch.

There must be one common VLAN (that is, one common VID)
connecting all of the GVRP-aware devices in the network to carry
GVRP packets. GarrettCom Inc. recommends the default VLAN
(DEFAULT_VLAN; VID = 1), which is automatically enabled and

240
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

configured as untagged on every port of the Magnum 6K family of switches. That is, on
ports used as GVRP links, leave the default VLAN set to untagged and configure other
static VLANs on the ports as either “Tagged or Disable”. (“Disable” is discussed later in this
chapter.)

GVRP operations
A GVRP-enabled port with a Tagged or Untagged static VLAN sends advertisements (BPDUs, or
Bridge Protocol Data Units) advertising the VLAN identification (VID) Another GVRP-aware
port receiving the advertisements over a link can dynamically join the advertised VLAN. All
dynamic VLANs operate as Tagged VLANs. Also, a GVRP-enabled port can forward an
advertisement for a VLAN it learned about from other ports on the same switch. However, the

Switch 1 Switch 2 Switch 3 Static VLAN

GVRP On GVRP On GVRP On configured end
device (NIC or
switch) with
2 3 5 GVRP on
1 4 6

forwarding port will not itself join that VLAN until an advertisement for that VLAN is received
on that specific port.

FIGURE 185 – GVRP operation – see description below

Switch 1 with static VLANs (VID= 1, 2, & 3). Port 2 is a member of VIDs 1, 2, & 3.
1. Port 2 advertises VIDs 1, 2, & 3
2. On Switch 2 - Port 1 receives advertisement of VIDs 1, 2, & 3 AND becomes a member
of VIDs 1, 2, & 3
3. As discussed above, a GVRP enabled port can forward advertisement for a VLAN it
learned about. So port 3 advertises VIDs 1, 2, & 3, but port 3 is NOT a member of VIDs
1, 2, & 3 at this point, nor will it join the VLAN until an advertisement is received
4. On Switch 3, port 4 receives advertisement of VIDs 1, 2, & 3 and becomes a member of
VIDs 1, 2, & 3
5. Port 5 advertises VIDs 1, 2,& 3, but port 5 is NOT a member of VIDs 1, 2, & 3 at this
point
6. Port 6 on the end device is statically configured to be a member of VID 3. Port 6
advertises VID 3
7. Port 5 receives advertisement
8. Port 4 advertises VID 3
9. Port 3 receives advertisement of VID 3 AND becomes a member of VID 3. (Still not a
member of VIDs 1 & 2 as it did not receive any advertisements for VID 1 or 2)
10. Port 1 advertises VID 3 AND becomes a member of VID 3. (Port 1 is still not a member
of VIDs 1 & 2)

241
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

11. Port 2 receives advertisement of VID 3. (Port 2 was already statically configured for VIDs
1, 2, 3)

If a static VLAN is configured on at least one port of a switch, and that port has
established a link with another device, then all other ports of that switch will send
advertisements for that VLAN.

In the figure below, tagged VLAN ports on switch “A” and switch “C” advertise VLANs 22 and
33 to ports on other GVRP-enabled switches that can dynamically join the VLANs. A port can
learn of a dynamic VLAN through devices that are not aware of GVRP (Switch “B”.)

Switch C Switch C
1 5 GVRP On Port 5 dynamically joined VLAN 22
Switch A Ports 11, 12 belong to Tagged VLAN 33
GVRP On Tagged
VLAN 22
Tagged 11
2 Switch E
VLAN 22 Tagged 12 GVRP On
VLAN 33 Dynamic
VLAN 33

Switch D
GVRP On Dynamic
Switch B Dynamic 3 VLAN 22
No GVRP 7
VLAN 33
Tagged Switch E
Dynamic 6
VLAN 22 Port 2 dynamically joined VLAN 33
VLAN 22 Ports 7 dynamically joined VLAN 33

Switch D
Port 3 dynamically joined VLAN 33
Ports 6 dynamically joined VLAN 33

FIGURE 186 – VLAN Assignment in GVRP enabled switches. Non GVRP enabled switches can impact
VLAN settings on other GVRP enabled switches

An “unknown VLAN” is a VLAN that the switch learns of by GVRP. For example, suppose that
port 1 on switch “A” is connected to port 5 on switch “C”. Because switch “A” has VLAN 22
statically configured, while switch “C” does not have this VLAN statically configured, VLAN 22
is handled as an “Unknown VLAN” on port 5 in switch “C”. Conversely, if VLAN 22 was
statically configured on switch C, but port 5 was not a member, port 5 would become a member
when advertisements for VLAN 22 were received from switch “A”. GVRP provides a per-port
join-request option which can be configured.

242
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

VLANs must be disabled in GVRP-unaware devices to allow tagged packets to pass through. A
GVRP-aware port receiving advertisements has these options:

• If there is no static VLAN with the advertised VID on the receiving port, then
dynamically create a VLAN with the same VID as in the advertisement, and allow that
VLAN’s traffic
• If the switch already has a static VLAN with the same VID as in the advertisement, and
the port is configured to learn for that VLAN, then the port will dynamically join the
VLAN and allow that VLAN’s traffic.
• Ignore the advertisement for that VID and drop all GVRP traffic with that VID
• Don’t participate in that VLAN

A port belonging to a tagged or untagged static VLAN has these configurable

options:
• Send VLAN advertisements, and also receive advertisements for VLANs
on other ports and dynamically join those VLANs
• Send VLAN advertisements, but ignore advertisements received from
other ports
• Avoid GVRP participation by not sending advertisements and dropping
any advertisements received from other devices

Unknown Operations
VLAN Mode
Learn Enables the port to dynamically join any VLAN for which it receives an
advertisement, and allows the port to forward the advertisement it receives
Block Prevents the port from dynamically joining a VLAN that is not statically
configured on the switch. The port will still forward advertisements that were
received by the switch on other ports. Block should typically be used on
ports on insecure networks where there is exposure to attack – such as ports
where intruders can connect to
Disable Causes the port to ignore and drop all the advertisements it receives from
any source
FIGURE 187 – Port settings for GVRP operations

For GVRP, Tag VLAN has to be enabled. Please refer to Chapter on VLAN on
Configuring Tag VLANs.

243
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Configuring GVRP
To configure GVRP use Configuration VLAN GVRP menus

FIGURE 188 – Using GVRP

From the GVRP menu screen, GVRP can be enabled or disabled using the drop down
Enabled/Disabled menu. Each specific port can be put in the Learn, Disable or Enable state as
discussed earlier and shown below.

244
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 189 – setting GVRP characteristics for a port. This can be done by clicking on the edit icon for the
port

The table below has the implications for the port settings.

245
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Per Port Per-Port Static VLAN Options

“unknown
VLAN” (GVRP) Tagged or Untagged Auto Forbid
configuration
Learn Generate advertisements. Receive Do not allow the
Forward advertisements advertisements and port to become a
for other VLANs dynamically join any member of this
Receive advertisements advertised VLAN that VLAN
and dynamically join any has the same VID as
advertised VLAN the static VLAN
Block Generate advertisements Receive Do not allow the
Forward advertisements advertisements and VLAN on this
received from other ports dynamically join any port
to other VLANs advertised VLAN that
Do not dynamically join has the same VID
any advertised VLAN
Disable Ignore GVRP and drop Ignore GVRP and Do not allow the
all GVRP advertisements drop all GVRP VLAN on this
advertisements port
FIGURE 190 – GVRP options

As the above table indicates a port that has a tagged or untagged static VLAN has the option for
both generating advertisements and dynamically joining other VLANs.

The unknown VLAN parameters are configured on a per interface basis. The
Tagged, Untagged, Auto, and Forbid options are configured in the VLAN
context. Since dynamic VLANs operate as tagged VLANs, and it is possible
that a tagged port on one device may not communicate with an untagged
port on another device, GarrettCom, Inc. recommends that you use Tagged
VLANs for the static VLANs.

A dynamic VLAN continues to exist on a port for as long as the port continues to receive
advertisements of that VLAN from another device connected to that port or until you:
• Convert the VLAN to a static VLAN
• Reconfigure the port to Block or Disable
• Disable GVRP
• Save the configurations
• Reboot the switch

The time-to-live for dynamic VLANs is 10 seconds. That is, if a port has not received an
advertisement for an existing dynamic VLAN during the last 10 seconds, the port removes itself
from that dynamic VLAN.

246
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Finally, after all the changes are made, do not forget to save the changes using the save icon .

GVRP operations notes

A dynamic VLAN must be converted to a static VLAN before it can have an IP address.

After converting a dynamic VLAN to a static VLAN use the “save” command to save the
changes made – on a reboot the changes can be lost without the save command.

Within the same broadcast domain, a dynamic VLAN can pass through a device that is not
GVRP-aware. This is because a hub or a switch that is not GVRP-aware will flood the GVRP
(multicast) advertisement packets out of all ports.

GVRP assigns dynamic VLANs as tagged VLANs. To configure the VLAN as untagged, first
convert the tagged VLAN to a static VLAN.

A switch on which a dynamic VLAN is defined on reboot, deletes that dynamic VLAN as well as
all other dynamic VLANs.. However, the dynamic VLAN re-appears after the reboot if GVRP is
enabled and the switch again receives advertisements for that VLAN through a port configured to
add dynamic VLANs.

By receiving advertisements from other devices running GVRP, the switch learns of static
VLANs from those devices and dynamically (automatically) creates tagged VLANs on the links to
the advertising devices. Similarly, the switch advertises its static VLANs to other GVRP-aware
devices.

A GVRP-enabled switch does not advertise any GVRP-learned VLANs out of the port(s) on
which it originally learned of those VLANs.

247
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

17
Chapter

17 – SNMP
Managing your network using SNMP

S
imple Network Management Protocol (SNMP) enables management of the network.
There are many software packages which provide a graphical interface and a graphical view
of the network and its devices. These graphical interfaces and views would not be possible
without SNMP. SNMP is thus the building block for network management.

SNMP Concepts
j SNMP provides the protocol to extract the necessary information from a
networked device and display the information. The information is defined and
stored in a Management Information Base (MIB). MIB is the “database” of the
network management information.

SNMP has evolved over the years (since 1988) using the RFC process. Several RFC’s today define
the SNMP standards. The most common standards for SNMP are SNMP v1 (the original version
of SNMP); SNMP v2 and finally SNMP v3.

SNMP is a poll based mechanism. SNMP manager polls the managed device for information and
display the information retrieved in text or graphical manner. Some definitions related to SNMP
are

Authentication – The process of ensuring message integrity and protection against message
replays. It includes both data integrity and data origin authentication

Authoritative SNMP engine – One of the SNMP copies involved in network communication
designated to be the allowed SNMP engine which protects against message replay, delay, and
redirection. The security keys used for authenticating and encrypting SNMPv3 packets are
generated as a function of the authoritative SNMP engine's engine ID and user passwords. When
an SNMP message expects a response (for example, get exact, get next, set request), the receiver of
these messages is authoritative. When an SNMP message does not expect a response, the sender is
authoritative

Community string – A text string used to authenticate messages between a management station
and an SNMP v1/v2c engine

248
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Data integrity – A condition or state of data in which a message packet has not been altered or
destroyed in an unauthorized manner

Data origin authentication – The ability to verify the identity of a user on whose behalf the
message is supposedly sent. This ability protects users against both message capture and replay by
a different SNMP engine, and against packets received or sent to a particular user that uses an
incorrect password or security level

Encryption – A method of hiding data from an unauthorized user by scrambling the contents of
an SNMP packet

Group – A set of users belonging to a particular security model. A group defines the access rights
for all the users belonging to it. Access rights define what SNMP objects can be read, written to,
or created. In addition, the group defines what notifications a user is allowed to receive

Notification host – An SNMP entity to which notifications (traps and informs) are to be sent

Notify view – A view name (not to exceed 64 characters) for each group that defines the list of
notifications that can be sent to each user in the group

Privacy – An encrypted state of the contents of an SNMP packet where they are prevented from
being disclosed on a network. Encryption is performed with an algorithm called CBC-DES (DES-
56)

Read view – A view name (not to exceed 64 characters) for each group that defines the list of
object identifiers (OIDs) that are accessible for reading by users belonging to the group

Security level – A type of security algorithm performed on each SNMP packet. The three levels
are: noauth, auth, and priv. noauth authenticates a packet by a string match of the user name. auth
authenticates a packet by using either the HMAC MD5 algorithms. priv authenticates a packet by
using either the HMAC MD5 algorithms and encrypts the packet using the CBC-DES (DES-56)
algorithm

Security model – The security strategy used by the SNMP agent. Currently, MNS-6K supports
three security models: SNMPv1, SNMPv2c, and SNMPv3

Simple Network Management Protocol (SNMP) – A network management protocol that

provides a means to monitor and control network devices, and to manage configurations,
statistics collection, performance, and security

Simple Network Management Protocol Version 2c (SNMPv2c) – The second version of

SNMP, it supports centralized and distributed network management strategies, and includes
improvements in the Structure of Management Information (SMI), protocol operations,
management architecture, and security

249
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

SNMP engine – A copy of SNMP that can either reside on the local or remote device

SNMP group – A collection of SNMP users that belong to a common SNMP list that defines an
access policy, in which object identification numbers (OIDs) are both read-accessible and write-
accessible. Users belonging to a particular SNMP group inherit all of these attributes defined by
the group

SNMP user – A person for which an SNMP management operation is performed. The user is
the person on a remote SNMP engine who receives the information

SNMP view – A mapping between SNMP objects and the access rights available for those
objects. An object can have different access rights in each view. Access rights indicate whether the
object is accessible by either a community string or a user

Write view – A view name (not to exceed 64 characters) for each group that defines the list of
object identifiers (OIDs) that are able to be created or modified by users of the group

Standards
There are several RFC’s defining SNMP. MNS-6K supports the following RFC’s and standards

SNMPv1 standards
• Security via configuration of SNMP communities
• Event reporting via SNMP
• Managing the switch with an SNMP network management tool Supported Standard MIBs
include:
• SNMP MIB-II (RFC 1213)
• Bridge MIB (RFC 1493) (ifGeneralGroup, ifRcvAddressGroup, ifStackGroup)
• RMON MIB (RFC 1757)
• RMON: groups 1, 2, 3, and 9 (Statistics, Events, Alarms, and History)
• Version 1 traps (Warm Start, Cold Start, Link Up, Link Down, Authentication Failure,
Rising Alarm, Falling Alarm)

RFC 1901-1908 – SNMPv2

RFC 2271-2275 – SNMPv3

• RFC 1901, Introduction to Community-Based SNMPv2. SNMPv2 Working Group

• RFC 1902, Structure of Management Information for Version 2 of the Simple Network
Management Protocol (SNMPv2). SNMPv2 Working Group
• RFC 1903, Textual Conventions for Version 2 of the Simple Network Management
Protocol (SNMPv2). SNMPv2 Working Group
• RFC 1904, Conformance Statements for Version 2 of the Simple Network Management
Protocol (SNMPv2). SNMPv2 Working Group
• RFC 1905, Protocol Operations for Version 2 of the Simple Network Management

250
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Protocol (SNMPv2). SNMPv2 Working Group

• RFC 1906, Transport Mappings for Version 2 of the Simple Network Management
Protocol (SNMPv2)
• RFC 1907, Management Information Base for Version 2 of the Simple Network
Management Protocol (SNMPv2). SNMPv2 Working Group
• RFC 1908, Coexistence between Version 1 and Version 2 of the Internet-standard
Network Management Framework. SNMPv2 Working Group
• RFC 2104, Keyed Hashing for Message Authentication
• RFC 2271, An Architecture for Describing SNMP Management Frameworks
• RFC 2272, Message Processing and Dispatching for the Simple Network Management
Protocol (SNMP)
• RFC 2273, SNMPv3 Applications
• RFC 2274, User-Based Security Model (USM) for version 3 of the Simple Network
Management Protocol (SNMPv3)
• RFC 2275, View-Based Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)

Configuring SNMP
Most SNMP v1 capabilities can be set using SWM. For SNMP V2 and V3 parameters please refer
to the CLI manual’s chapter on SNMP.

SNMP variables are used in conjunction with Alert definitions. Alert Definitions are covered in
the next chapter. To configure SNMP use Administration SNMP menus.

251
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 191 – SNMP configuration

Using the Edit button the SNMP community parameters can be changed. By using the Add
buttons, the Management and Trap receivers can be added.

252
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 192 – Changing SNMP community parameters

It is recommended to change the community strings from the default values of public and private
to other values.

When done changing the community strings, click OK.

253
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 193 – Adding valid managers. Multiple managers can be added using this screen

When adding SNMP manager stations, click on the Add button on the SNMP menu screen. Make
sure that each station can be “pinged” from the switch by using the Configuration Ping menu.
When done adding stations, click OK.

254
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 194 – Adding Trap receivers

When adding SNMP trap receivers, click on the Add button on the SNMP menu screen. Make
sure that each station can be “pinged” from the switch by using the Configuration Ping menu.
Determine which sorts of traps each station will receive, as shown above. If not sure, select all
three types. When done adding trap receivers, click OK.

255
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 195 – Final screen after configuring SNMP. Note the different types of Trap Receivers added

Stations can be deleted using the delete icon . To change the stations characteristics or IP
addresses, it is recommended to delete the station and add a new one.

Finally after all changes are made, save the changes using the save icon .

Configuring RMON
The switch supports RMON (Remote Monitoring) on all connected network segments. This
allows for troubleshooting and optimizing your network. The Magnum 6K family of switches
provides hardware-based RMON counters. The switch manager or a network management
system can poll these counters periodically to collect the statistics in a format that complies with
the RMON MIB definition.

The following RMON groups are supported:

256
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

• Ethernet Statistics Group - maintains utilization and error statistics for the switch port
being monitored
• History Group – gathers and stores periodic statistical samples from previous Statistics
Group
• Alarm Group – allows a network administrator to define alarm thresholds for any MIB
variable
• Log and Event Group – allows a network administrator to define actions based on alarms.
SNMP Traps are generated when RMON Alarms are triggered

For configuring RMON, please refer to the “Magnum MNS-6K CLI User Guide” for more
information.

257
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

18
Chapter

18 – Miscellaneous Commands
Improving productivity and manageability

T
here are several features built into the Magnum 6K family of switches which help with
the overall productivity and manageability of the switch. These items are examined
individually in this chapter.

Alarm relays
In a wiring closet, it would be helpful if there were a visual indication for faults on components
on the network. Normally, these would be performed by LED’s. While the Magnum 6K family of
switches has the necessary LED’s to provide the information needed, it also has a provision for
tripping or activating an external relay to electrically trigger any circuit desired. These could be an
indicator light, a flashing strobe light, an audible alarm or other devices.

The Magnum 6K family of switches has a software (optional) controlled relay contact that can be
used to report alarm conditions. The relay is held open (no connection) in normal circumstances
and will go to close position during alarm conditions.

Two types of alarm signals are defined in the alarm system.

• SUSTAINED
• MOMENTARY

The SUSTAINED mode is used to report a continuing error condition. The MOMENTARY
mode is used to report a single event.

The following pre-defined events are currently supported on the MNS-6K and the relay which
can be triggered by software:

258
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Event ID Event Description Signal Type

1 S-RING OPEN SUSTAINED

2 Cold Start MOMENTARY

3 Warm Start MOMENTARY

4 Link Up MOMENTARY

5 Link Down MOMENTARY

6 Authentication Failure MOMENTARY

7 RMON Rising Alarm 7 MOMENTARY

8 RMON Falling Alarm MOMENTARY

9 Intruder Alarm MOMENTARY

10 Link Loss Learn Triggered MOMENTARY

11 Broadcast Storm Detected MOMENTARY

12 STP/RSTP Reconfigured MOMENTARY

FIGURE 196 – Predefined conditions for the relay

The S-RING open condition generates a sustained relay contact close. The relay will stay closed
during the period which the S-RING is in OPEN condition. The relay will revert to closed
position when the S-RING goes to CLOSED position. This information is covered in more
details in the Chapter on S-Ring and Link-Loss-Learn.

To customize these capabilities, use the SWM Configuration Alarms menu

7 The RMON settings are when the RMON thresholds are crossed and hence indicated as RMON rising or falling – indicating the

threshold has been crossed. While there is no specific command to view and change the specific RMON variables, the RMON
discussion is in Chapter 15. Best way to set RMON values will be via using the web interface or a Management system such as
Castle Rock’s SNMPc™

259
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 197 - Alarms

Each alarm can be enabled or disabled form the screen shown above. All alarms can be enabled
or disabled using the Alarm Status drop down menu. Relay closure times can be set using the
drop down menu.

After changing the Alarm settings, save the configuration using the save icon

260
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Statistics
SWM provides several statistics in a graph. These are described below.

To view Statistics, click on Configuration Statistics menu. To view Port specific Statistics, use
the Configuration Statistics Port Statistics menu.

FIGURE 198 – View Port Statistics

Each port can be viewed by clicking on the navigation windows as shown by Slot and Port.

Each group represents different Statistics. The next few figures display the different groups for
the same port.

261
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 199 – Port Statistics – Group 2

262
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 200 – Port Statistics – Group 3

Logs
SWM provides an overview of the type of Logs by reviewing the statistics. Each specific log can
be viewed by viewing the Logs menu. To view the Log Statistics use the Configuration
Statistics Log Statistics menu. This is shown below.

263
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 201 – Types of logged events received – most logs are typically informational (notice)

Note – from this menu, the log buffer size can be controlled. For viewing each specific log, use
the Configuration Logs menu

264
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 202 – Viewing each log

Each specific type of log can be viewed by using the drop down menu as shown below.

265
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 203 – Specific type of logs can be viewed – in this example only “Notice” logs are displayed

The Clear button clears all the logs. To prevent accidental erasures, you will be
prompted again if the logs should be deleted.

The Event Log records operating events as single-line entries listed in chronological order,
and are a useful tool for isolating problems. Each Event Log entry is composed of the following
fields - Severity, Date and Time Stamp and Event Description

Severity is one of the following:

I (Information) indicates routine events
A (Activity) indicates the activity on Switch
D (Debug) reserved for Magnum internal diagnostic information
C (Critical) indicates that a severe Switch error has occurred
F (Fatal) indicates that a service has behaved unexpectedly

Date is the date in mm/dd/yyyy format (as per configured) that the entry was placed in the
log

266
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Time is the time in hh:mm:ss format (as per configured) that the entry was placed in the
log
Description is a brief description of the event

The event log holds up to 1000 lines in chronological order, from the oldest to the newest. Each
line consists of one complete event message. Once the log has received 1000 entries, it discards
the current oldest line (with information level severity only) each time a new line is received. The
event log window contains 22 log entry lines and can be positioned to any location in the log.
For the alerts, the events per subsystem function are listed below. The table is sorted by the
subsystem function first and then by the severity level.

Subsystem Description Severity

BRIDGE Unable to delete MAC address from FDB D
BRIDGE Unable to insert MAC address to FDB D
BRIDGE Bridge init failed for ethx F
BRIDGE Bridge enable for ethx failed F
BRIDGE Bridge MIB init is done I
CLI Manager login at console I
CLI Operator login at console I
CLI Manager password changed I
CLI Operator password changed I
DEVICE Port x enabled A
DEVICE Port x disabled A
DEVICE Port X link down A
DEVICE Port X link up A
DEVICE Ethernet counters init failure C
DEVICE Unable to access ethernet counters C
DEVICE Failed to read saved system logs D
DEVICE Ethernet DMA init failure F
DEVICE Ethernet hardware error F
DEVICE Ethernet interrupt init failure F
DEVICE Unable to allocate ethernet memory F
DEVICE System started I
DEVICE Network Stack not yet configured I
DEVICE IP address a.b.c.d configured I
DEVICE subnetmask a.b.c.d configured I
DEVICE Default gateway a.b.c.d configured I
DEVICE Switch rebooted by user I
DEVICE No saved system logs I
DEVICE Timezone set to x I
DEVICE Country set to x (no DST) I

267
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Subsystem Description Severity

DEVICE Country set to x (DST valid) I
DEVICE Time set to x : y : z (HH:MM:SS) tz = a I
DEVICE Date set to x : y : z (HH:MM:YYYY) I
PRTMR Enabled by user monitor = x , sniffer = y I
PRTMR Disabled by user I
PS INTRUDER a:b:c:d:e:f @ port X , port disabled A
PS INTRUDER a:b:c:d:e:f @ port X , port disabled A
PS Port security enabled A
PS port security disabled A
PS Resetting MAC a:b:c:d:e:f at port X failed C
PS Unable to delete learnt MACs in hardware D
RMON Alarm : internal error , unable to get memory F
RMON Alarm : internal error, unable to get memory for alarm entry F

RMON History : internal error, unable to get memory for history control F
entry
RMON History : internal error, unable to get memory for history data F
entry
RMON History : internal error, unable to get memory F
RMON Event : unable to get memory for event entry F
RMON Alarm : unable to get memory for RMON logs F
RMON rising alarm trap sent to a.b.c.d by alarm entry X I
RMON falling alarm trap sent to a.b.c.d by alarm entry X I
RMON RMON init is done I
RMON history : control entry X is set to valid I
RMON history : control entry X is set to invalid I
RMON Event : entry X is set to valid I
RMON Event : entry X is set to invalid I
RMON Alarm : entry X is set to valid I
RMON Alarm : entry X is set to invalid I
SNMP Snmp.snmpEnableAuthenTraps is set to enabled A
SNMP Snmp.snmpEnableAuthenTraps is set to disabled A
SNMP System.sysName configured A
SNMP System.sysLocation configured A
SNMP System.sysContact configured A
SNMP Port X link up trap sent to a.b.c.d A
SNMP Port X Link down trap sent to a.b.c.d A
SNMP Configuring IP address in trap receivers list failed D
SNMP read community string changed I
SNMP write community string changed I
SNMP trap community string changed I

268
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Subsystem Description Severity

SNMP authentication failure trap sent to a.b.c.d I
SNMP Trap receiver a.b.c.d added I
SNMP Trap receiver a.b.c.d deleted I
SNMP Cold start trap sent to a.b.c.d I
SNMP Warm start trap sent to a.b.c.d I
SNTP client started I
SNTP client stopped….disabled by user I
SNTP client stopped….server not configured I
SNTP Request timed out I
SNTP Retrying.. I
SNTP Time synchronized through SNTP I
TCP/IP Duplicate IP a.b.c.d sent from MAC address XXXXXX C
TCP/IP Unable to allocate memory for an ICMP packet C
TCP/IP IP packet from a.b.c.d , with checksum error dropped D
TCP/IP Bad IP fragments from a.b.c.d dropped D
TCP/IP UDP checksum error in the received packet a.b.c.d D
TCP/IP TCP checksum error in the received packet a.b.c.d D
TCP/IP ICMP checksum error in the received packet D
TCP/IP Failed to initialize the interface x F
TCP/IP IP packet of version X is dropped I
VLAN Type set to port I
VLAN Type set to mac I
VLAN Type set to tag I
VLAN Type set to none I
VLAN Pvlan: port based vlan started I
VLAN Pvlan: default vlan is modified I
VLAN Tvlan: Tag based vlan started I
VLAN pvlan:vlan X enabled I
VLAN pvlan:vlan X disabled I
VLAN pvlan:vlan X deleted I
VLAN pvlan:port based VLAN started I
VLAN pvlan:port based VLAN stopped I
VLAN pvlan:default vlan is modified I
VLAN tvlan:vlan X deleted I
VLAN tvlan:vlan X enabled I
VLAN tvlan:vlan X disabled I
VLAN tvlan:tag based VLAN stopped I
VLAN tvlan:tag based VLAN started I
FIGURE 204 – Listing of severity - sorted by subsystem and severity

269
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Email
SMTP (RFC 821) is a TCP/IP protocol used in sending email. However, since it is limited in its
ability to queue messages at the receiving end, it is usually used with one of two other protocols,
POP3 or Internet Message Access Protocol (IMAP) that lets the user save messages in a server
mailbox and download them as needed from the server. In other words, users typically use a
program that uses SMTP for sending emails (out going – e.g. replying to an email message) and
either POP3 or IMAP for receiving messages that have arrived from the outside world. While
SMTP (and its related protocols such as POP3, IMAP etc.) are useful transports for sending and
receiving emails, it is extremely beneficial for a network administrator to receive emails in case of
faults and alerts. The Magnum 6K family of switches can be setup to send an email alert when a
trap is generated.

If this capability is used, please ensure that SPAM filters and other filters are not
set to delete these emails.

GarrettCom, Inc. recommends that a rule be setup on the mail server so that all
emails indicating SNMP faults are automatically stored in a folder or redirected
to the necessary administrators.

The SNMP alerts can be configured using MNS-6K for the following:

• Send email alert according to the configuration rules when a specific event category
happens
• Send email alert according to the configuration rules when a specific trap SNMP trap
category happens
• Provide configuration and customization commands for users to specify SMTP server to
connect to, TCP ports, user recipients and filters

The SMTP alerts provide the following capabilities:

• SMTP alerts can be enabled or disabled globally
• User can define a global default SMTP server identified by its IP address, TCP port and
retry count
• User can add up to five SMTP alert recipients. Each recipient is identified by an ID and
email address. The email address needs to be a valid address and can be an alias setup for
distribution to a larger audience
• Filters are provided for each recipient to allow only certain categories of traps and events
be sent by email
• Each recipient can have its own SMTP server and TCP port number, if this is not defined
on a certain recipient, the default SMTP server and TCP port number is used

270
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Email alerts can be forwarded so as to be received by other devices such as Cell

phones, pagers etc. Most interfaces to SMTP are already provided by the cell phone
service provider or the paging service provider.

Email configuration cannot be done from SWM at this time – please

refer to the “Magnum MNS-6K User Guide” for more information.

Serial connectivity
When using the serial connectivity with applications such as HyperTerminal etc. it may be
necessary to optimize the character delays so that the FIFO buffer used in the GarrettCom
Magnum 6K family of switches is not overrun. The important parameters to set for any serial
connectivity software is to set the line delay to be 500 milliseconds and the character delay to be
50 milliseconds. For example, using HyperTerminal this can be set under File Properties and
when the Properties sheets is open, click on the ASCII Setup button and in the Line Delay entry
box enter in 500 and in the Character Delay entry box enter in 50 as shown below.

FIGURE 205 – Optimizing serial connection (shown for HyperTerminal on Windows XP). The highlighted
fields are the ones to change as described

271
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Ping
Ping command can be used from MNS-6K to test connectivity to other devices as well as
checking to see if the IP address is setup correctly. Use the Configuration Ping menu to use
ping.

FIGURE 206 – Using Ping

Many devices do not respond to ping or block ping commands. Make sure that
the target device does respond or the network does allow the ping
packets to propagate through the network.

272
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Set
A new menu item has been added as of MSN-6K Release 3.2. This is the set menu as shown
below.

FIGURE 207 – Set menu item for setting common parameters for switch operations

Set menu allows several values to be set. The first one is the Boot Mode.

Boot Mode with values of

Manual the IP address of the switch is set manually
DHCP on reboot – look for a DHCP server on the network and get the switches IP address
and other IP parameters from the DHCP server
BootP on reboot – look for a DHCP server on the network and get the switches IP address and
other IP parameters from the DHCP server

273
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Auto on reboot, first look for a DHCP server. If server is found, get the IP address and other IP
parameters from the DHCP server.
If a DHCP server is not found, look for a BootP server. If found, get the IP address
and other parameters from the BootP server. Please refer to the “Magnum MNS-6K
CLI User Guide” for additional information on how MNS-6K can be setup to receive
MNS-6K binary as well as configuration values from a BootP server.
If a BootP server is not found, check to see if there was a pre-configured IP address. If
there was a pre-configured IP address, assign that IP address, else check to see if the IP
address 192.168.1.2 with a netmask of 255.255.255.0 is available for use (or does not
cause an IP address conflict). If the address is available, assign it to the switch.
If the static IP address is not available start the process with looking for a DHCP server.

Do not forget to save the change using the and then reboot

FIGURE 208 – Setting the boot mode of the switch

274
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

The next value that is allowed to be set is the log size. See screen below for more information

Click up arrow
to increment by 1
and down arrow
Click here to
to decrement by
increment by 50
1

FIGURE 209 – Set the log size.

Note the log size can also be set from the Configuration menu as shown below.

275
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 210 – Set the log size – click on the Edit button, enter the log size needed, and click OK. Maximum log
size is 1000 lines

The set menu can also allow the password to be changed. Click on the menus as shown below to
change the password.

276
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 211 – Changing the password for the current user

The set menu can define the SNMP type used as shown below.

277
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 212 – Setting the SNMP type. SNMP type can be SNMP-v1 or all (for SNMP v1, v2 and v3)

The set menu allows the Spanning Tree Protocol (STP) to be used. The types are as shown below.

278
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 213 – Defining the STP protocol to be used

The set menu allows the idle timeout values to be set. After the defined number of minutes, the
session will be terminated and the user logged out. The default timeout is set to 10 minutes.

279
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 214 – Set the timeout value. Click on Edit button to change the value

The set menu also allows the VLAN type to be set. This value can also be set from Configuration
VLAN Set Type menu (as shown by the cursor next to the menu item in the figure below).

280
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 215 – Setting the VLAN type

The file transfer protocol or ftp is supported on MNS-6K. MNS-6K supports normal ftp as well
as passive ftp. Passive FTP is used by many companies today to work with firewall policies and
other security policies set by companies.

FTP uses a set of separate ports for the data stream and command stream. This causes problems
in security conscious companies who prefer that the client initiate the file transfer as well as the
stream for the commands. To accommodate that, ftp added the capability called “passive ftp” in
which the client initiating the connection initiates both the data and command connection
request. Most companies prefer passive ftp and GarrettCom MNS-6K provides means to operate
in those environments.

To set the different modes commonly used by FTP are done using the Administration Set
FTP Mode menu as shown below.

281
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 216 – Setting the ftp mode

282
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

(Intentionally left blank)

283
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

1
Appendix

Appendix 1 – Updating MNS-6K using

SWM
Keep the MNS-6K up to date

T
here are several features built into the Magnum 6K family of switches which help with
the overall productivity and manageability of the switch. To take advantage of the latest
features and bug fixes, it is important to keep the MNS-6K version up to date.

Before starting
Before you start, it is recommended that you acquire the software to perform the
upgrade

1. Make sure SWM is operational on the switch you want to upgrade.

2. Download the latest version of the MNS-6K software from the GarrettCom site. One way to
do that is to get to ftp://ftp.garrettcom.com and use your own login and password. If you do
not have your login and password, you can use the default login name m6kuser and password
m6kuser. To embed the login name and password in a URL in a browser, you can type the
URL as shown below

ftp://m6kuser:[email protected]

Once you are connected, the folders are arranged by Release number. Click on the folder with
the latest Release number. In the example below, click on Rel3 folder

284
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 217 – FTP to the GarrettCom site and select the folder with the latest release number

a. Next navigate to the MNS-6K folder as shown.

FIGURE 218 – Navigate to the MNS-6K folder

b. Once in the folder, the files are arranged by the release number. Right-click (or left
click if your mouse if configured as a left handed mouse) on the latest release number
file and copy the file

FIGURE 219– Copy the file with the latest Release number to the local disk by using the operating
system copy and paste commands

c. Paste the file to a convenient spot on the local computer.

d. Download the Release notes and read them for the latest information.

3. Make sure the file is saved and the file transfer is complete.

285
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

4. Move the file to another computer which has ftp or tftp services available8 . Make sure the ftp
or tftp services have been started and are running. Make sure that you have the tftp or ftp path
configured properly. If you are using ftp, make sure you also have the ftp login name and
password information ready.
5. Select the switch you want to upgrade. Make sure you have system administration rights and
privileges available on that switch.
6. Open a SWM session with the switch by typing in the URL https://<IPaddress> of the switch
or https://logincal-name of the switch

USING FTP – it is always a good idea to save the configuration before an

upgrade. So GarrettCom recommends a two step update. First save the configuration to the ftp
server. Then load the new image and restart the switch. To save the configuration using ftp follow
the steps on the screen below.

FIGURE 220 – before the upgrade, it is a good idea to save a snap shot of the configuration. Different FTP
modes can be used with the FTP command.

8 For Windows XP or other Windows operating systems, it is possible to find Open Source FTP or TFTP servers on the WWW.
Alternately, you can purchase software to provide these services. Most Linux or UNIX systems provide these services.

286
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

After the configuration is saved, load the binary copied from the GarrettCom site.

FIGURE 221 – After the configuration is saved, load the new image file copied form the GarrettCom ftp site

As the file is being loaded, you will see the file transfer in progress image show up

FIGURE 222 – As the image file is loaded, the progress will be indicated by the image above. Please wait
till the file transfer is completed

287
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

Once the transfer is completed, the switch needs to be restarted.

FIGURE 223 – after the new image file is loaded, it is important to save any changes made and then
restart the switch as shown above

After the restart the new version of MNS-6K is ready for use.

Using the process described above, one may be tempted to update the
Magnum 6K switch directly over the Internet from the GarrettCom site.
GarrettCom DOES NOT RECOMMEND DOING THAT.
GarrettCom recommends that the binary be loaded and copied to a server
locally, then upload the binaries over the LAN or the local Intranet to the Magnum 6K family
of switches in your network

288
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

USING TFTP - it is always a good idea to save the configuration before an

upgrade. So GarrettCom recommends a two step update. First save the configuration to the TFTP
server. Then load the new image and restart the switch.

FIGURE 224 – before the upgrade, it is a good idea to save a snap shot of the configuration

After the configuration is saved, load the binary copied from the GarrettCom site.

289
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 225 – After the configuration is saved, load the new image file copied form the GarrettCom ftp site

As the file is being loaded, you will see the file transfer in progress image show up

FIGURE 226 – As the image file is loaded, the progress will be indicated by the image above. Please wait till
the file transfer is completed

Once the transfer is completed, the switch needs to be restarted.

290
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E

FIGURE 227 – after the new image file is loaded, it is important to save any changes made and then restart
the switch as shown above

After the restart the new version of MNS-6K is ready for use.

291
I N D E X

Index
802.1d, 145, 146, 147, 148, 156, Config Download, 55
157 Config Upload, 55
802.1q, 240 CoS, 219
802.1Q, 117, 120, 145 datagrams, 229
802.1w, 145, 146, 147, 148, 156, default user name, 26
159, 160
DEFAULT-VLAN, 118, 121
802.1x, 87, 88, 89, 90, 98
DHCP, 44, 45, 46, 273
Access, 55, 83
Differentiated Services. See Diffserv
advertisement, 240
DiffServ, 218
alarm, 260
disable mode, 77
Alarm Group, 257
drop mode, 77
anycast address, 68
DS. See Diffserv
Authentication, 248
DSCP, 218
Authentication Server, 87
Dual-Homing, 189
authenticator, 87, 89, 90, 95, 96,
97 EAP, 88
Authenticator, 87 EAPOL, 88
Authoritative SNMP engine, 248 Edge Ports, 156
authorize, 168, 181 Egress, 174
Auto, 274 Ethernet segments, 117
backpressure, 113 Ethernet Statistics Group. See
RMON
bootp, 45, 46
FIFO, 217
BootP, 273
file transfer protocol. See ftp
BPDU, 90, 159, 163, 164, 166, 167,
178, 180, 208 flowcontrol, 113
broadcast domain, 120 FTA, 148
broadcast storms, 113 ftp, 281
CLI, 24, 25 GARP, 240
community string, 248

292
I N D E X

GVRP, 111, 240, 241, 242, 243, 244, Log and Event Group, 257
245, 246, 247 log size, 275, 276
GVRP BPDUs, 240 Log Statistics, 82, 263
Help, 39 Log Upload, 55
History Group, 257 logout, 40
host, 60 Management Information Base. See
Host, 55 MIB
Host Download, 55 manager stations, 254
Host Upload, 55 Manual, 273
IEEE, 88, 90, 112, 117, 145, 146, MD5, 90, 102
147, 148, 156, 157, 159, 160, MIB, 90, 230, 248, 256, 257
178, 203, 217, 219, 240
Mirror Status, 109
IEEE 802.1p, 217, 240
Mirroring, 106
IEEE 802.1q, 217, 240
modes of operation, 26
IEEE 802.3ad, 203
MOMENTARY, 258, 259
IETF, 218
NAS, 100
IGMP, 22, 58, 83, 204, 210, 220,
229, 230, 231, 232, 233, 236, OPEN, 178
237, 238, 240, 248, 258, 284 P2P, 156
IGMP-L2, 236 PHB, 218
Image Download, 55 PoE, 190
Image Upload, 55 POP3, 270
IMAP, 270 Port, 78, 106
Ingress, 174 port security, 77
ipconfig, 27 Port Security, 79
IPv4, 67, 68, 69 Port Statistics, 261
IPv6, 67, 68, 69 port VLAN, 119
ISP, 87 port VLANs, 121
kill config, 63 priority, 217
LACP, 22, 203, 204, 210, 215 Priority, 156
LACPDU, 204, 206, 208 Private VLAN, 120
Link-Loss-Learn, 158, 159, See LLL QoS, 22, 217, 218, 219, 220, 221
LLL, 158, 159, 167, 186 RADIUS, 87, 88, 89, 90, 96

293
I N D E X

reboot, 27 RSTP Path cost, 156

RFC, 87, 229, 248, 250, 251, 270 RTSP, 145
RFC 1752, 67 save, 27, 181, 247
RFC 1901, 250 Script Download, 55
RFC 1902, 250 Script Upload, 55
RFC 1903, 250 Security, 78
RFC 1904, 250 security certificate, 28
RFC 1905, 250 serial connectivity, 271
RFC 1906, 251 Serial Number, 45
RFC 1907, 251 Server, 98
RFC 1908, 251 set, 25, 26, 44, 46, 82, 109, 112,
234, 275, 279
RFC 2104, 251
Set, 273
RFC 2271, 251
set igmp, 234
RFC 2272, 251
show, 20
RFC 2273, 251
show backpressure, 113
RFC 2274, 251
show config, 58, 59, 60
RFC 2275, 251
show flowcontrol, 113
RFC 3164, 82
SMTP, 270, 271
RFC 4541, 236
SNMP, 22, 44, 90, 248, 249, 250,
RFC 821, 270
251, 252, 253, 254, 255, 256,
RING_CLOSED, 164, 166, 180 257, 268, 269, 270
RING_OPEN, 165 SNMP engine, 250
RMON, 256, 257, 259 SNMP group, 250
RS-Ring, 21, 158, 159, 160, 161, SNMP user, 250
162, 163, 166, 167, 168, 179,
SNMPv2c, 249
180, 181, 182, 183, 184, 185,
186, 187, 208 SNTP, 49, 50, 51, 52, 64, 269
RSTP, 21, 58, 145, 146, 147, 148, S-Ring, ii, 21, 158, 159, 160, 161,
149, 150, 151, 152, 153, 154, 163, 165, 166, 167, 168, 169,
155, 156, 157, 158, 159, 160, 170, 172, 173, 174, 175, 178,
161, 162, 163, 164, 165, 166, 179, 180, 181, 217
167, 168, 169, 170, 173, 174, Statistics, 82, 261, 263
175, 178, 179, 180, 183, 207,
208, 259

294
I N D E X

STP, 21, 90, 111, 145, 146, 147, Unicast, 210

148, 149, 151, 152, 153, 155, UNKNOWN, 178
156, 157, 159, 175, 259, 278
User Accounts, 33
STP Path cost, 156
User Mgmt, 33, 102
supplicant, 87, 89, 90, 95, 96, 97
USM, 251
Supplicant, 87
VACM, 251
SUSTAINED, 258, 259
VID, 119, 120, 121, 240, 241, 242,
System, 44 243, 246
TACACS, 102 virtual LAN, 117
TACACS+, 100, 101, 102 VLAN, 23, 58, 109, 111, 117, 118,
TACACSD, 100 119, 120, 121, 122, 123, 124,
126, 127, 128, 129, 131, 132,
tag VLAN, 119
133, 134, 135, 136, 137, 138,
TCP, 26, 100 139, 142, 144, 145, 160, 161,
telnet, 47 204, 205, 206, 207, 240, 241,
242, 243, 244, 246, 247, 269,
ToS, 218, 219, 220 280, 281
trap receivers, 255 VLAN identifier, 120
UDP, 100 Write view, 250
unicast, 229 XTACACS, 100

295