Secure Web Management (SWM) User Guide: Magnum 6K Family of Switches
Release 3.7.1
This guide describes how to use the Secure Web Management (SWM) for the
Magnum 6K family of switches.
Some simple guidelines that will be useful for configuring and using the Magnum
6K family of switches:
If you need information on a specific command in the CLI, type the
command name after you type the word “help” (help <command>) or just
type <command> [Enter].
If you need information on a specific feature in Web Browser Interface, use
the online help provided in the interface.
If you need further information or data sheets on GarrettCom Magnum 6K
family of switches, refer to the GarrettCom web links at:
http://www.garrettcom.com/managed_switches.htm
GarrettCom Inc.
47823 Westinghouse Drive
Fremont, CA 94539-7437
Phone (510) 438-9071 • Fax (510) 438-9072
Email – Tech support – [email protected]
Email – Sales – [email protected]
WWW – http://www.garrettcom.com/
Trademarks
GarrettCom Inc. reserves the right to change specifications, performance characteristics
and/or model offerings without notice. GarrettCom, Magnum, S-Ring, Link-Loss-Learn,
Converter Switch, Convenient Switch and Personal Switch are trademarks and Personal Hub
is a registered trademark of GarrettCom, Inc.
Copyright © 2004 GarrettCom, Inc. All rights reserved. No part of this publication may be
reproduced without prior written permission from GarrettCom, Inc.
Part #: 84-00142
PK-061306
Table of Contents
1 – Conventions Followed...............................................................19
Flow of the user guide.............................................................21
2 – Getting Started ............................................................................23
Before starting ..........................................................................23
Console connection for CLI...................................................24
Console setup............................................................................25
Console screen..........................................................................26
Logging in for the first time ...................................................26
Setting the IP parameters........................................................26
Web browser .............................................................................27
Operator Privilege Users ............................................................32
Manager Privilege Users .............................................................32
User management.....................................................................33
Add User.......................................................................................33
Deleting User..............................................................................35
Modify Password .........................................................................37
Modify the Privilege Level .........................................................39
Help ............................................................................................39
Exiting........................................................................................40
3 – IP Address and System Information.....................................44
IP Addressing...............................................................................44
Importance of an IP address ..................................................44
DHCP and bootp ........................................................................45
Bootp Database ...........................................................................46
Configuring DHCP/Bootp/Manual IP addresses .................46
Using Telnet .................................................................................47
Date and time............................................................................49
Network time............................................................................49
Saving and loading ...................................................................52
Script file .......................................................................................56
Displaying configuration.........................................................58
Host Names ..............................................................................60
Erasing configuration ..............................................................63
Saving changes..........................................................................64
4 – IPv6 .................................................................................67
Assumptions.................................................................................67
Introduction to IPv6................................................................67
What’s changed in IPV6?........................................................68
IPv6 Addressing .......................................................................69
Configuring IPv6......................................................................69
5 – Access Considerations ....................................................77
Securing access.............................................................................77
Port security ..............................................................................77
Network Security .........................................................................78
Configuring Port Security...........................................................78
Logs ............................................................................................81
Authorized managers...............................................................83
6 – Access Using RADIUS ...................................................87
RADIUS .......................................................................................87
802.1x .........................................................................................87
Configuring 802.1x...................................................................90
7 – Access Using TACACS+ .............................................. 100
TACACS - Its Flavors and History.........................................100
TACACS+ flow......................................................................101
TACACS+ packet ..................................................................102
Configuring TACACS+ ........................................................102
8 – Port Mirroring and Setup.............................................. 106
Port Monitoring and Mirroring ...............................................106
Port mirroring.........................................................................106
Port setup ................................................................................109
Speed Settings ............................................................................112
Flow Control ..............................................................................113
Back Pressure .............................................................................113
Broadcast Storms.......................................................................113
Preventing broadcast storms ................................................113
9 – VLAN............................................................................ 117
Why VLANs?.............................................................................117
Tag VLAN or port VLAN?..................................................119
Private VLANs .......................................................................120
Configuring Tag VLANs ......................................................121
Configuring Port VLANs .....................................................138
10 – Spanning Tree ............................................................. 145
STP Features and Operations..................................................145
RSTP Concepts..........................................................................146
Transition from STP to RSTP .............................................148
Configuring STP/RSTP ........................................................149
11 – RS-Ring™, S-Ring™ and Link-Loss-Learn™ (LLL). 158
S-Ring and LLL concepts.........................................................159
RS-Ring concepts ......................................................................160
When to use RS-Ring vs S-Ring ..........................................161
Comparing resiliency methods.............................................162
RSTP/STP Operation without RS-Ring or S-Ring ..........163
RSTP/STP Operation with S-Ring .....................................165
LLL with S-Ring.....................................................................167
Ring learn features..................................................................167
Configuring S-Ring ................................................................167
RSTP Operation with RS-Ring ............................................179
Configuring RS-Ring .............................................................180
12 – Dual-Homing .............................................................. 189
Dual-Homing concepts ............................................................189
Dual-Homing Modes.............................................................192
Configuring Dual-Homing ...................................................192
13 – Link Aggregation Control Protocol (LACP) ...............203
LACP concepts ..........................................................................203
LACP Configuration..............................................................204
14 – Quality of Service ........................................................ 217
QoS Concepts ............................................................................217
DiffServ and QoS...................................................................218
IP precedence..........................................................................219
Configuring QoS ....................................................................220
15 – IGMP...........................................................................229
IGMP Concepts.........................................................................229
IGMP-L2 .................................................................................233
Configuring IGMP.................................................................236
16 – GVRP...........................................................................240
GVRP Concepts ........................................................................240
GVRP operations...................................................................241
Configuring GVRP ................................................................244
GVRP operations notes ........................................................247
17 – SNMP ..........................................................................248
SNMP Concepts ........................................................................248
Standards .................................................................................250
Configuring SNMP ................................................................251
Configuring RMON ..............................................................256
18 – Miscellaneous Commands ..........................................258
Alarm relays.............................................................................258
Statistics ...................................................................................261
Logs ..........................................................................................263
Email ........................................................................................270
Serial connectivity ..................................................................271
Ping...........................................................................................272
Set .............................................................................................273
Appendix 1 – Updating MNS-6K using SWM....................284
Before starting ........................................................................284
Index...................................................................................292
List of Figures
FIGURE 22 - Changing the boot mode as well as IP address and other parameters of the switch.
Note if the IP address is changed, the http session has to be restarted with the new IP
address...................................................................................................................................... 47
FIGURE 23 - Telnet session to the switch can be launched from Secure Web Management
(SWM). The telnet interface is a convenient way to access Command Line Interface (CLI)
commands. Note – multiple telnet sessions (up to 4) are supported.............................................. 48
FIGURE 24 – Setting the date and time ................................................................................................. 49
FIGURE 25 – SNTP parameters. Note – the Edit button allows edit of the SNTP parameters as
shown below. Adding or deleting SNTP servers is done by using the add button or delete
button (white “X” in the red circle)............................................................................................ 50
FIGURE 26 – Modifying the SNTP parameters. SNTP can be enabled or disabled from this
menu as well ............................................................................................................................. 51
FIGURE 27 – Adding SNTP servers. Time Out is in seconds. Note the Time server can be a
NTP server available on the Internet. Make sure the IP parameters are configured for the
switch and the device can be pinged by the switch. The Sync Now button allows the
synchronization as soon as the server information is added. ......................................................... 52
FIGURE 28 – Using FTP to save configuration as well as upload a new image or reload a saved
configuration. Note – the active or passive mode of ftp can be used. To set that, use the
Administration Set FTP Mode menu item..................................................................... 53
FIGURE 29 - Saving the configuration on a tftp server – note the menu is similar to the FTP
screen described earlier ............................................................................................................... 54
FIGURE 30 – Different file transfer types............................................................................................... 55
FIGURE 31 – Example of Script file. Note all the commands are CLI commands. This script
provides insights into the configuration of Magnum MNS-6K settings. GarrettCom
recommends that modifications of this file and the commands should be verified by the User
in a test environment prior to use in a "live" production network................................................. 57
FIGURE 32 – ‘show config’ command output................................................................................... 59
FIGURE 33 – displaying specific modules using the ‘show config’ command....................................... 60
FIGURE 34 – displaying configuration for different modules. Note – multiple modules can be
specified on the command line..................................................................................................... 60
FIGURE 35 – creating commonly used host entries. These entries can be saved using Host upload
capabilities under Administration File Management menus .................................................. 61
FIGURE 36 – Adding information about specific hosts........................................................................... 62
FIGURE 37 – After hosts are added, the information related to the added host is displayed. .................... 63
FIGURE 38 – Saving changes made – for example after adding SNTP server, the change needs to
be saved. This can be done by clicking on the floppy icon to save current configuration .................. 64
FIGURE 39 – Confirmation to save changes........................................................................................... 65
FIGURE 40 – After changes are made ................................................................................................... 66
FIGURE 41 – Accessing IPv6 configuration information......................................................................... 70
FIGURE 42 – Enter the IPv6 address and netmask. In this example the IPv6 address is
fe80::220:8ff:fe03:509 and the netmask is ffff:ffff:ffff:ffff::.......................................................... 71
FIGURE 43 – Optional way to enter the netmask information. The information entered in this
figure and the prior figure is the same ......................................................................................... 72
FIGURE 44 – After successfully adding an IPv6 address, the address is displayed. Note – the
Gateway IPv6 address has still not been added........................................................................... 73
FIGURE 45 – Click on Edit to edit the gateway information. Make sure the IP address is not
selected as shown above. To edit the IPv6 address, select the IP address and then click on
the Edit button ......................................................................................................................... 74
FIGURE 46 – Add the gateway information. After the information is added, click OK........................... 75
FIGURE 47 – After adding the gateway information, this information is displayed on the main
IPv6 screen ...............................................................................................................................76
FIGURE 48 – Port security configuration ............................................................................................... 78
FIGURE 49 – Enable or disable Port Security functions. Note the screen also provides an overview
of each port on the switch. Each port can be individually configured for the proper port
security action............................................................................................................................ 79
FIGURE 50 – Port security – allowing specific MAC addresses on a specified port as well as
changing the status of each port .................................................................................................. 80
FIGURE 51 – Adding MAC addresses – after clicking on the Add button, the screen opens up to
allow you to specify a specific MAC address ............................................................................... 81
FIGURE 52 – Logs made on the switch. Specific logs may be viewed by using the drop down menu
in the top right corner ................................................................................................................ 82
FIGURE 53 – Authorized access list for managing the switch. Note specific servers can be
authorized using the Host menu. The host entries can be backed up by using the
Administration File Mgmt menu. A group of stations with IP addresses can be
authorized using the IP access menu........................................................................................... 84
FIGURE 54 – Adding any computer on the 10.10.10.0 subnet to manage the switch. Note that from
this network, the stations will not be allowed telnet access. The stations will be allowed
access via SWM, and SNMP managers on the 10.10.10.0/24 network will be able
to query the switch. .................................................................................................................... 85
FIGURE 55 – After adding access to the network, the capabilities allowed are displayed .......................... 86
FIGURE 56 – 802.1x network components........................................................................................... 88
FIGURE 57 – 802.1x authentication details ......................................................................................... 89
FIGURE 58 – Configuring the RADIUS Server – initially, the RADIUS Services are disabled
and the server IP address is set to 0.0.0.0 – edit that server IP and secret to add a
RADIUS server....................................................................................................................... 91
FIGURE 59 – Editing information of the RADIUS server. Note the UDP port number can be
left blank and the default port 1812 is used............................................................................... 92
FIGURE 60 – Setting the port characteristic for RADIUS authentication. To edit the port settings
– click on the edit icon............................................................................................................... 93
FIGURE 61 – Ensure that the port which has the RADIUS server is force authorized and
asserted. For other ports (user ports), it is best to leave the Control on auto and Initialize on
deasserted .................................................................................................................................. 94
FIGURE 62 – Changing the Port Access characteristics when authenticating with a RADIUS
server ........................................................................................................................................ 95
FIGURE 63 – Backend or communication characteristics between Switch and RADIUS Server ............. 96
FIGURE 64 – Port authentication characteristics – set values on how the authenticator (Magnum
6K switch) does the re-authentication with the supplicant or PC.................................................. 97
FIGURE 65 – RADIUS Statistics – note that the stats are for each port............................................... 98
FIGURE 66 – Flow chart describing the interaction between local users and TACACS
authorization ..........................................................................................................................101
FIGURE 67 – TACACS packet format.............................................................................................102
FIGURE 68 – Accessing TACACS configuration menu. By default, no TACACS+ servers are
defined ....................................................................................................................................103
FIGURE 69 – Adding a TACACS+ server – note – the TCP port can be left blank – Port 49
is used as a default port. Up to five TACACS+ servers can be defined. Note the
manager level and the operator level define the levels for the server being defined.........................104
FIGURE 70 – After adding TACACS+ servers, do not forget to save and enable the TACACS+
services ....................................................................................................................................105
FIGURE 71 – Editing and enabling port mirroring ..............................................................................107
FIGURE 72 – Setting the port which needs to be monitored and the port on which the traffic is
reflected. Make sure the Mirror Status is also set to enabled for mirroring.................................108
FIGURE 73 – After the ports are setup – the changes are shown...........................................................109
FIGURE 74 – Viewing and changing the Port settings..........................................................................110
FIGURE 75 – Clicking on any port in the Graphics Display (or after the login screen) also leads
to Configuration Port Settings screen as shown in the previous figure .............................111
FIGURE 76 – Editing Port configuration values – not all fields can be edited from this screen ...............112
FIGURE 77 – Menus for limiting broadcast storms. Note the 19531 threshold refers to 64 byte
packets for a 10Mbps network. Since most broadcast packets are 64 bytes long, this
number is used as a default. For 100Mbps networks, the threshold is 195310 packets –
adjust the threshold accordingly for a 100Mbps network...........................................................114
FIGURE 78 – Limiting the broadcast..................................................................................................115
FIGURE 79 – After setting the values, enable the Broadcast Protection.................................................116
FIGURE 80 – VLAN as two separate collision domains. The top part of the figure shows two
“traditional” Ethernet segments. Up to 32 VLANs can be defined per switch.........................117
FIGURE 81 – Ports can belong to multiple VLANs. In this figure a simplistic view is presented
where some ports belong to VLANs 1, 2 and other ports belong to VLANs 2,3. Ports
can belong to VLANs 1, 2 and 3. This is not shown in the figure. .........................................118
FIGURE 82 – Routing between different VLANs is performed using a router or a Layer 3 switch
(L3-switch) .............................................................................................................................119
FIGURE 83 – Setting the VLAN type – by default no VLANs are active. To set the VLAN
type, the menu can be accessed from Configuration VLAN or from Administration
Set VLAN Type menu..............................................................................................122
FIGURE 84 – Currently assigned Port VLAN’s................................................................................123
FIGURE 85 – Adding a new VLAN and defining ports belonging to the VLAN .............................124
FIGURE 86 – After the VLANs and the Ports associated with VLANs are defined, next step
is to define the port setting and enable tagging on the necessary ports. This is done by
clicking on Port settings as shown above. ..................................................................................125
FIGURE 87 – Enable the tagging for each port belonging to VLAN 10. Note the Default
VLAN can also be changed for these ports using the menu shown above. Also note how
only selected values are sent to MNS-6K for change in configuration. In the example above,
only VLAN 10 being set as Tagged is sent as a configuration parameter to MNS-6K ............126
FIGURE 88 – After the Tag information is added, the information is displayed on the screen. Note
the Tagged Column – the information is changed for VLAN 10 to “Yes”. Repeat the
process for other VLANs. ......................................................................................................127
FIGURE 89 – The status of the VLANs can be viewed from the Tagging menu. Note at this
stage, the VLANs are all still pending as the VLANs have not been activated yet. Also
note how one port belongs to multiple VLANs........................................................................128
FIGURE 90 – Activating a VLAN – click on the Status button to view/modify the status of the
VLANs................................................................................................................................129
FIGURE 91 – Select the VLANs to activate. In this example we activate all the VLANs .................130
FIGURE 92 – After activating the VLANs, note the ports move out of the default VLAN to the
specific VLAN they were assigned to. If the ports need to belong to the default VLAN, they
have to be added to the default VLAN explicitly. Also note that one port belongs to
multiple VLANs and all VLAN status has been changed to Active .....................................131
FIGURE 93 – Adding the ports back to the Default VLAN – edit the default VLAN and add
the ports to the default VLAN...............................................................................................132
FIGURE 94 – After activation, note that ports 9-13 belong to the new VLANs. After adding the
ports back to the default VLAN, the results are shown above. Each port can join or leave
a VLAN membership by clicking on Join & Leave as shown above .......................................132
FIGURE 95 – Port 11 is removed from VLAN 10............................................................................133
FIGURE 96 – After Port 11 is removed from VLAN 10, the new status reflects the change.
Note – if ports 12 and 13 are not tagged (from the Port Settings menu) the Tagged Column
will reflect that fact as well .......................................................................................................134
FIGURE 97 – VLAN Status is also shown at a glance from the settings menu as shown above ...........135
FIGURE 98 – Once the Tag VLANs are active, the Port VLANs are in the Pending stage.
Also note the VLAN definitions of the Port VLANs and Tag VLANs are different. .........136
FIGURE 99 – Enabling the filter capability for each port. Note – the information for the default
ID and the filter status is sent. The tagging control information is not changed as the check
box is not checked. ..................................................................................................................137
FIGURE 100 – After filtering is activated on ports 15 and 16, the Filter menu shows the status ...........138
FIGURE 101 – Set the VLAN type to be Port VLAN ....................................................................139
FIGURE 102 – Add the necessary VLANs .......................................................................................140
FIGURE 103 – Add the VLANs and the ports belonging to the specific VLANs..............................141
FIGURE 104 – After adding all the necessary VLANs, the information can be edited or deleted
at any time from this screen as well. To activate the VLAN, click on the Status button. ...............142
FIGURE 105 – To activate the Port VLANs ....................................................................................143
FIGURE 106 – After the Port VLANs are activated, note the ports are moved from the default
VLANs to the VLANs assigned to the ports. Also note the Status changes to Active.
To add the Default VLAN to all ports, simply click the edit icon next to the Default
VLAN entry above. ..............................................................................................................144
FIGURE 107 – STP default values – refer to next section “Using STP” for more detailed
explanation on the variables ....................................................................................................146
FIGURE 108 – Setting the STP type – choose RSTP or STP. Note – depending on the choice, the
Menu under Configuration will change to reflect the choice made ...............................................149
FIGURE 109 – Note the menus change depending on whether STP or RSTP is selected. The
cursor is placed close to the changes in the above screen captures .................................................150
FIGURE 110 – Configuring RSTP. RSTP or STP is disabled. Designated root is set to zero as
RSTP is disabled....................................................................................................................151
FIGURE 111 – Changing the RSTP or STP bridge parameters. Note on this screen you can select
and enable STP or RSTP.......................................................................................................153
FIGURE 112 – After RSTP is enabled, the fields are updated – note specifically, “Status”, “Time
since TC” and “Designated Root”...........................................................................................154
FIGURE 113 – Port specific values for RSTP or STP..........................................................................155
FIGURE 114 – Path cost as defined in IEEE 802.1d (STP) and 802.1w (RSTP)..............................156
FIGURE 115 – Changing the port specific STP or RSTP values...........................................................157
FIGURE 116 – Normal RSTP/STP operations in a series of switches. Note – this normal status
is designated RING_CLOSED ............................................................................................164
FIGURE 117 – A fault in the ring interrupts traffic. The blocking port now becomes forwarding so
that traffic can reach all switches in the network Note – the mP62 as well as the ESD42
switches support LLL and can participate in S-Ring as an access switch ..................................165
FIGURE 118 – More than one S-Ring pair can be selected and more than one S-Ring can be
defined per switch. Note – the mP62 as well as the ESD42 switches support LLL and
can participate in S-Ring as an access switch ............................................................................166
FIGURE 119 – Activating S-Ring on the switch...................................................................................168
FIGURE 120 – Activating S-Ring license ............................................................................................169
FIGURE 121 – Configure the switch for RSTP (or STP). In this example, RSTP is enabled ...............170
FIGURE 122 – Adding S-Ring. Using the Learn function built in to MNS-6K to see if there are
other members participating in S-Ring .....................................................................................171
FIGURE 123 – Learning S-Ring defined or on the network. This learning takes a few minutes.............172
FIGURE 124 – No S-Ring detected .....................................................................................................173
FIGURE 125 – If STP or RSTP is not enabled, S-Ring detection will fail. To fix that, enable
RSTP or STP first as shown. In some cases the S-Ring detection will fail as there is no S-
Ring defined. In those situations, the ports have to be added to define an S-Ring .......................174
FIGURE 126 – Defining Port 1 (Ingress) and Port 2 (Egress) ports for S-Ring....................................174
FIGURE 127 – Ensure the status is set to enable after the S-Ring is added...........................................175
FIGURE 128 – Link Loss Learn .......................................................................................................176
FIGURE 129 – Adding Ports for LLL...............................................................................................177
FIGURE 130 – Adding (or deleting) ports with LLL ..........................................................................178
FIGURE 131 – Only one RS-Ring can be defined per managed Magnum 6K switch. Note
– unmanaged switches cannot participate in RS-Ring. ..............................................................179
FIGURE 132 – Activating S-Ring on the switch ..................................................................................181
FIGURE 133 – Activating RS-Ring license – the same license as S-Ring is used to activate RS-
Ring .......................................................................................................................................182
FIGURE 134 – Configure the switch for RSTP (or STP). In this example, RSTP is enabled ...............183
FIGURE 135 – If there is an S-Ring configured, make sure that it is disabled.......................................184
FIGURE 136 – Manually add the two ports which will participate in the RS-Ring ...............................185
FIGURE 137 – Manually add the two ports which will participate in the RS-Ring. Click OK to
add these ports as members of RS-Ring....................................................................................186
FIGURE 138 – Disable LLL on ports participating in RS-Ring .........................................................187
FIGURE 139 – To activate RS-Ring – use the enable drop down from the RS-Ring menu ....................187
FIGURE 140 – Dual-homing using ESD42 switch and Magnum 6K family of switches. In case
of a connectivity break – the connection switches to the standby path or standby link .................190
FIGURE 141 – Dual-homing using Magnum 6K family of switches. Note the end device (video
surveillance camera) can be powered using PoE options on MNS-6K family of switches. In
case of a connectivity break – the connection switches to the standby path or standby link...........190
FIGURE 142 – Using S-Ring, RS-Ring and dual-homing, it is possible to build networks resilient
not only to a single link failure but also for one device failing on the network .............................191
FIGURE 143 – Dual-Homing configuration. Click on Edit, as shown above, to add dual-homing ........193
FIGURE 144 – To select the Primary-backup mode, as discussed earlier, click on Yes. To select the
“equivalent” port modes, select No...........................................................................................194
FIGURE 145 – After selecting the ports for dual homing (maximum of 2 only), click OK. Make
sure one port is Primary and the other one is the Secondary port................................................195
FIGURE 146 – Enable Dual-Homing after the ports are added. ..........................................................196
FIGURE 147 – After activation, a check mark in the active column shows the active port and
defines the type of port as well ..................................................................................................197
FIGURE 148 – deleting dual-homing configuration. Click OK to delete the configuration. Dual
homing is disabled after the deletion..........................................................................................198
FIGURE 149 – Click on Edit to add dual-homing...............................................................................199
FIGURE 150 - Click on “No” to add “equivalent” mode.....................................................................200
FIGURE 151 – Select the dual-homing ports.........................................................................................201
FIGURE 152 – After enabling dual-homing the status of the active port is shown..................................202
FIGURE 153 – Some valid LACP configurations................................................................................205
FIGURE 154 – an incorrect LACP connection scheme for Magnum 6K family of switches. All
LACP trunk ports must be on the same module and cannot span different modules..................205
FIGURE 155 – In this figure, even though the connections are from one module to another, this is
still not a valid configuration (for LACP using 4 ports) as the trunk group belongs to two
different VLANs...................................................................................................................206
FIGURE 156 - In the figure above, there is no common VLAN between the two sets of ports, so
packets from one VLAN to another cannot be forwarded. There should be at least one
VLAN common between the two switches and the LACP port groups. ...................................206
FIGURE 157 – This configuration is similar to the previous configuration, except there is a
common VLAN (VLAN 1) between the two sets of LACP ports. This is a valid
configuration............................................................................................................................207
FIGURE 158 – In the architecture above, using RSTP and LACP allows multiple switches to be
configured together in a meshed redundant link architecture. First define the RSTP
configuration on the switches. Then define the LACP ports. Then finally connect the ports
together to form the meshed redundant link topology as shown above..........................................207
FIGURE 159 – LACP, along with RSTP/STP brings redundancy to the network core or
backbone. Using this reliable core with a dual homed edge switch brings reliability and
redundancy to the edge of the network.......................................................................................208
FIGURE 160 – This architecture is not recommended............................................................................209
FIGURE 161 – Creating a reliable infrastructure using wireless bridges (between two facilities) and
LACP. “A” indicates a Wi-Fi wireless Bridge or other wireless Bridges..................................210
FIGURE 162 – Enable LACP first....................................................................................................211
FIGURE 163 – Add the necessary ports to define the trunk ..................................................................212
FIGURE 164 – Add the ports which make up the trunk. The priorities will be automatically
assigned – this field can be left blank .......................................................................................213
FIGURE 165 – After the ports are added, the values can be edited if needed or the ports deleted
using the edit or delete icons on the menu ..................................................................................214
FIGURE 166 – Reviewing the trunk status ..........................................................................................215
FIGURE 167 – The orphan status displays the reason why the ports were not members of the
LACP trunk. Here the links are down, i.e. the ports were not connected. Only after the other
switch is configured with the proper LACP settings should the RJ-45 cables be plugged in to
enable LACP.........................................................................................................................216
FIGURE 168 – ToS and DSCP.........................................................................................................218
FIGURE 169 - IP Precedence ToS Field in an IP Packet Header ........................................................219
FIGURE 170 - Port weight settings and the meaning of the setting.........................................................221
FIGURE 171 - Accessing QoS settings .................................................................................................222
FIGURE 172 – Setting Port 14 for Port based QoS with a high priority. Note the sections on Tag
and TOS are ignored for Port settings......................................................................................223
FIGURE 173 – Port 14 QoS settings indicate a High Priority as set ....................................................224
FIGURE 174 – Adding Tag based QoS on Port 13 – Note the menu area for Tag Setting is only
relevant ...................................................................................................................................225
FIGURE 175 – Port 13 reflects the Tag QoS settings...........................................................................226
FIGURE 176 – Adding ToS for Port 12. Only the ToS Level Settings of the screen are relevant...........227
FIGURE 177 – After ToS settings. Note the different types of settings are clear from this window.
Port 14 has Port based QoS, port 13 has Tag based QoS and finally port 12 is using
ToS. .......................................................................................................................................228
FIGURE 178 – IGMP concepts – advantages of using IGMP .............................................................231
FIGURE 179 – IGMP concepts – Isolating multicast traffic in a network ............................................232
FIGURE 180 - In a Layer 2 network, an IGMP multicast traffic goes to all the nodes. In the
figure, T1, a surveillance camera, using multicast, will send the traffic to all the nodes - R1
through R6 - irrespective of whether they want to view the surveillance traffic or not. The
traffic is compounded when additional cameras are added to the network. End result is that
users R1 through R6 see the network as heavily loaded and simple day to day operations
may appear sluggish.................................................................................................................234
FIGURE 181 - Using IGMP-L2 on Magnum 6K family of switches, a Layer 2 network can
minimize multicast traffic as shown above. Each switch has the IGMP-L2 turned on.
Each switch can exchange the IGMP query message and respond properly. R4 wants to
view surveillance traffic from T1. As shown by (1), a join request is sent by R4. Once the
join report information is exchanged, only R4 receives the video surveillance traffic, as
shown by (2). No other device on the network gets the video surveillance traffic unless they
issue a join request as well. ......................................................................................................235
FIGURE 182 – IGMP setup...............................................................................................................237
FIGURE 183 – Configuring IGMP parameters. This screen also enables and disables IGMP...............238
FIGURE 184 - Setting the IGMP-L2..................................................................................................239
FIGURE 185 – GVRP operation – see description below.....................................................................241
FIGURE 186 – VLAN Assignment in GVRP enabled switches. Non GVRP enabled switches
can impact VLAN settings on other GVRP enabled switches.................................................242
FIGURE 187 – Port settings for GVRP operations .............................................................................243
FIGURE 188 – Using GVRP ............................................................................................................244
FIGURE 189 – setting GVRP characteristics for a port. This can be done by clicking on the edit
icon for the port..................................................................................................................245
FIGURE 190 – GVRP options...........................................................................................................246
FIGURE 191 – SNMP configuration ..................................................................................................252
FIGURE 192 – Changing SNMP community parameters ....................................................................253
FIGURE 193 – Adding valid managers. Multiple managers can be added using this screen....................254
FIGURE 194 – Adding Trap receivers.................................................................................................255
FIGURE 195 – Final screen after configuring SNMP. Note the different types of Trap Receivers
added ......................................................................................................................................256
FIGURE 196 – Predefined conditions for the relay ................................................................................259
FIGURE 197 - Alarms........................................................................................................................260
FIGURE 198 – View Port Statistics....................................................................................................261
FIGURE 199 – Port Statistics – Group 2 ...........................................................................................262
FIGURE 200 – Port Statistics – Group 3 ...........................................................................................263
FIGURE 201 – Types of logged events received – most logs are typically informational (notice) ................264
FIGURE 202 – Viewing each log ........................................................................................................265
FIGURE 203 – Specific type of logs can be viewed – in this example only “Notice” logs are
displayed .................................................................................................................................266
FIGURE 204 – Listing of severity - sorted by subsystem and severity .....................................................269
FIGURE 205 – Optimizing serial connection (shown for HyperTerminal on Windows XP). The
highlighted fields are the ones to change as described ..................................................................271
FIGURE 206 – Using Ping .................................................................................................................272
FIGURE 207 – Set menu item for setting common parameters for switch operations ...............................273
FIGURE 208 – Setting the boot mode of the switch...............................................................................274
FIGURE 209 – Set the log size............................................................................................................275
FIGURE 210 – Set the log size – click on the Edit button, enter the log size needed, and click OK.
Maximum log size is 1000 lines .............................................................................................276
FIGURE 211 – Changing the password for the current user ...................................................................277
FIGURE 212 – Setting the SNMP type. SNMP type can be SNMP-v1 or all (for SNMP v1,
v2 and v3) ..............................................................................................................................278
FIGURE 213 – Defining the STP protocol to be used...........................................................................279
FIGURE 214 – Set the timeout value. Click on Edit button to change the value....................................280
FIGURE 215 – Setting the VLAN type.............................................................................................281
FIGURE 216 – Setting the ftp mode.....................................................................................................282
FIGURE 217 – FTP to the GarrettCom site and select the folder with the latest release number ............285
FIGURE 218 – Navigate to the MNS-6K folder ................................................................................285
FIGURE 219– Copy the file with the latest Release number to the local disk by using the operating
system copy and paste commands..............................................................................................285
FIGURE 220 – before the upgrade, it is a good idea to save a snap shot of the configuration.
Different FTP modes can be used with the FTP command. ......................................................286
FIGURE 221 – After the configuration is saved, load the new image file copied from the
GarrettCom ftp site.................................................................................................................287
FIGURE 222 – As the image file is loaded, the progress will be indicated by the image above.
Please wait till the file transfer is completed ..............................................................................287
FIGURE 223 – after the new image file is loaded, it is important to save any changes made and
then restart the switch as shown above ......................................................................................288
FIGURE 224 – before the upgrade, it is a good idea to save a snap shot of the configuration...................289
FIGURE 225 – After the configuration is saved, load the new image file copied from the
GarrettCom ftp site.................................................................................................................290
FIGURE 226 – As the image file is loaded, the progress will be indicated by the image above.
Please wait till the file transfer is completed ..............................................................................290
FIGURE 227 – after the new image file is loaded, it is important to save any changes made and
then restart the switch as shown above ......................................................................................291
1 – Conventions Followed
Conventions followed in the manual…
To best use this document, please review some of the conventions followed in the
manual, including screen captures, interactions and commands with the switch,
etc.
A box shows interaction with the switch command line, or screen captures from the
switch or computer, for clarity.
Syntax rules
Optional entries are shown in [square brackets]
Parameter values are shown in <pointed brackets>
Optional parameter values are shown again in [square brackets]
Thus
Syntax command [parameter1=<value1>[, parameter2=<value2>]]
parameter3=<value3|value4>
Related Topics
Related topics show that GarrettCom strongly recommends reading
about those topics. You may choose to skip those if you already have
prior detailed knowledge on those subjects.
There are icons common to the Secure Web Management (SWM) for edit and delete.
These are the edit icon (shown as a pencil) and the delete icon (a white “X” in a red circle).
Product Family – this manual is for all the Magnum 6K family of switches.
Finally, at the end of each chapter, is a list of the commands covered in the chapter
as well as a brief synopsis of what they do.
Chapter 2 is the basic setup as required by the Magnum 6K family of switches. After
completing Chapter 2, the configuration can be done using the web interface. Chapter 2 is
perhaps the most critical chapter in what needs to be done by the network administrator
once the switch is received.
Chapter 3 focuses on operational issues of the switch. This includes time synchronization
using the command line or using a time server on the network.
Chapter 7 talks about port mirroring and preventing broadcast storms. Port mirroring is
necessary in a network to reflect traffic from one port onto another port so that the traffic
can be captured for protocol analysis or intrusion analysis.
Chapter 8 deals with VLANs. VLANs provide security as well as traffic separation. This
chapter shows how VLANs can be setup and managed.
At this stage the network and the switch are secured. It is now critical to make the
network more reliable. The User Guide switches gears and talks about STP, RSTP and S-
Ring technologies which can be used for making the network reliable. These technologies
allow resiliency in a network. Chapters 9 through Chapter 12 discuss some resiliency
techniques.
Chapter 9 shows how RSTP and STP can be setup and used. Today, RSTP is preferred
over STP.
Chapter 10 focuses on S-Ring™ and setup of S-Ring (optional) and use of Link Loss
Learn (LLL). This chapter also talks about using RS-Ring™ with managed switches.
Chapter 11 talks about dual homing and how dual homing can be used to bring resiliency
to edge devices.
Chapter 12 describes LACP and how LACP can be used to increase the throughput
using 10/100 Mbps ports or in situations where resiliency is needed between switches
(trunks).
Once the network is made resilient, the network manager may want to set up prioritization
of traffic.
Chapter 16 shows how the SNMP parameters can be set up for managing the switch with
network management software such as Castle Rock SNMPc™.
Chapter 17 includes miscellaneous commands to improve the overall ease of use and
other diagnostic information.
M A G N U M 6 K S W I T C H E S – S W M U S E R G U I D E
2 – Getting Started
First few simple steps …
This section explains how the GarrettCom Magnum 6K family of switches can be set up using
the console port on the switch. Some of the functionality includes setting up the IP address of
the switch, securing the switch with a user name and password, setting up VLANs and more.
Before starting
Before you start, it is recommended that you acquire the software and necessary
hardware listed below.
1) Make sure you are using the latest version of MNS-6K. To update to the latest release
please refer to the Appendix on upgrading MNS-6K in this manual.
2) Make sure you know the IP address or the logical name of the switch and can ping the
switch. If you do not know the IP address or cannot ping the switch, please follow the
steps listed below in the section on Console connection.
3) Make sure you have a browser that supports SSL (HTTPS) connections
4) Make sure you have loaded the latest version of the Macromedia Flash player. You can
download the player from
http://www.macromedia.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
a. The supported version of the Macromedia player is version 5 and above.
5) Should you need to configure the switch using the Command Line interface (CLI) it may
be necessary to use the serial connection. To use the serial port, follow the steps below.
A new switch from GarrettCom first seeks a DHCP server for its IP address. If it
cannot find a DHCP server, it then seeks a BootP server. If it finds no BootP server
either, the switch checks whether the IP address 192.168.1.2 with a mask of
255.255.255.0 is free on the attached network and, if so, assigns that address to itself.
To connect to and manage the switch in this state, connect a computer to the switch and
set the computer's IP address to 192.168.1.x, where x is greater than 2 and does not
conflict with another address in use. The netmask has to be set to 255.255.255.0 – please
refer to the operating system manual on how to configure the IP address for that
operating system. It is a good idea to keep the Magnum 6K switch isolated until it has been
given its proper IP address, netmask and gateway information and its default login has been
changed, since until then it answers at a predictable address with a published password.
Once the switch has a static IP address, open a browser and type the URL
https://192.168.1.2 to start using SWM. If the IP address was assigned by a DHCP
server, you need to know the MAC address of the switch: query the DHCP server's lease
table for that MAC address to find the IP address it was given. Once the address is known,
open a browser with the URL https://<IP-Address-found-from-DHCP-server> to start using SWM
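The lease lookup described above, as an added example that is not part of the GarrettCom guide. It parses the lease file of an ISC dhcpd server (the `lease <ip> { ... hardware ethernet <mac>; }` format) for the most recent active lease held by a given MAC address and builds the HTTPS URL for SWM. The lease text is constructed for illustration and the MAC addresses in it are placeholders, not real switches; which DHCP server your site runs, and therefore the file format, is an assumption.

```python
"""Find the IP address a DHCP server handed to a Magnum 6K switch by MAC
address, then build the HTTPS URL for SWM.

Added example, not part of the GarrettCom guide. Parses ISC dhcpd's
dhcpd.leases format; other servers keep their leases differently.
"""
import re
from typing import Optional

# Constructed sample in dhcpd.leases format. The same MAC appears twice
# because dhcpd appends a new record on every renewal, so the LAST active
# record for a MAC is the current one. MACs here are placeholders.
SAMPLE_LEASES = """\
lease 192.168.15.50 {
  starts 3 2024/05/01 10:00:00;
  ends 3 2024/05/01 22:00:00;
  binding state active;
  hardware ethernet 00:20:06:aa:bb:cc;
  client-hostname "magnum6k";
}
lease 192.168.15.77 {
  starts 3 2024/05/01 11:00:00;
  ends 3 2024/05/01 23:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.15.51 {
  starts 3 2024/05/02 08:00:00;
  ends 3 2024/05/02 20:00:00;
  binding state active;
  hardware ethernet 00:20:06:AA:BB:CC;
}
"""

# One lease record: the address, then everything up to the closing brace.
_LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def normalize_mac(mac: str) -> str:
    """Accept 00:20:06:aa:bb:cc, 00-20-06-AA-BB-CC or 002006aabbcc and
    return the canonical lower-case colon form so comparisons are exact."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_lease_ip(leases_text: str, mac: str) -> Optional[str]:
    """Return the IP of the most recent active lease for `mac`, or None."""
    wanted = normalize_mac(mac)
    found = None
    for ip, body in _LEASE_RE.findall(leases_text):
        hw = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"binding state\s+(\w+);", body)
        if not hw or normalize_mac(hw.group(1)) != wanted:
            continue
        if state and state.group(1) != "active":
            continue          # expired or released lease, skip it
        found = ip            # later records override earlier ones
    return found


def swm_url(ip: str) -> str:
    """SWM must be reached over HTTPS, never plain HTTP."""
    return f"https://{ip}"


if __name__ == "__main__":
    ip = find_lease_ip(SAMPLE_LEASES, "00-20-06-AA-BB-CC")
    print(swm_url(ip) if ip else "no active lease for that MAC")
```

On a real server, read `/var/lib/dhcp/dhcpd.leases` (path varies by distribution) into `find_lease_ip` in place of the constructed sample; the regular expressions do not depend on the sample text.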
The connection to the console is accessed through the serial port available as a DB-9
RS232 connector on the switch marked as “console” on the Magnum 6K family of
switches. This interface provides access to the commands the switch can interpret and is
called the Command Line Interface (or CLI). This interface can be accessed by attaching a
VT100 compatible terminal or a PC running a terminal emulation program to the console
port on the Magnum 6K family of switches.
For using the serial port, make sure you have the following:
1) A female-female null modem cable. This cable is available from GarrettCom Inc. as
well as from LANstore (http://www.lanstore.com)
2) Serial port – if your PC does not have a serial port, you may want to invest in a USB to
serial converter. This is again available from LANstore or from GarrettCom Inc.
Alternately, a USB to serial cable can also be used. This cable is also available from
LANstore or GarrettCom Inc.
3) A PC (or a workstation/computer) with a terminal emulation program such as
HyperTerminal (included with Windows), Teraterm-pro, minicom or other
equivalent software. (Make sure the software supports the Xmodem protocol, as you may
need it in the future to update the MNS-6K software)
4) Enough disk space to store and retrieve the configuration files as well as copy software
files from GarrettCom. We recommend at least 15MB of disk space for this purpose
5) For access security – decide on a manager level account name and password
6) IP address, netmask, default gateway for the switch being configured
You can use the CLI to configure the IP address for the switch. Once the IP address is
assigned, you can start using the Secure Web Management (SWM) on the GarrettCom
Magnum 6K family of switches.
USB to serial adapters are also available for laptops or computers that do not have native
serial ports but have access to USB ports.
Console setup
Connect the console port on the switch to the serial port on the computer using the serial
cable listed above. The settings for HyperTerminal emulating a VT100 are shown in
Figure 1 below. Make sure the serial parameters are set as shown (bps=38400, data bits=8,
parity=none, stop bits=1, flow control=none).
Console screen
Once the console cable is connected to the PC and the software configured, the MNS-6K
legal disclaimers and other text scroll by on the screen.
The switch has three modes of operation – Operator (least privilege), Manager and
Configuration. The prompt changes as the switch moves from Operator to Manager to
Configuration mode. The prompts are shown in Figure 2 below, with a brief explanation of
what the different prompts indicate.
The prompt can be changed by the user. Where CLI prompts are shown in this manual, they
appear as Magnum6K25, as this manual was documented on a Magnum 6K25 switch.
We recommend you log in as manager the first time to set up the IP address as well as
change user passwords or create new users.
Before starting, please ensure that the IP address to be assigned to the switch is known, or
contact your system/network administrator to get the IP address information. Follow the
steps listed below to configure the switch.
Magnum6K25# save
FIGURE 3 - Setting IP address on the switch
At this stage you are now ready to use the Secure Web Management (SWM).
Web browser
In the web browser, type in the following URL
Make sure you use HTTPS (secure HTTP) and not HTTP in the
URL
https://192.168.15.15
If your site uses name services, you can use a name instead of the IP
address. Make sure that the name resolves to the IP address
assigned to the switch.
The secure site (in this case the switch) presents its certificate, and the browser displays a
security prompt for it. Before clicking “Yes” to accept the certificate, make sure you are
connected to the intended switch (for example over the isolated setup network described
earlier) and not to some other device answering at that address. Once you click “Yes” on
the security certificate, the browser will prompt you to log in.
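A way to make the “Yes” click a deliberate decision rather than a reflex, as an added example that is not part of the GarrettCom guide or the switch firmware: read the certificate the switch presents, compute its SHA-256 fingerprint, and pin it on first contact so a later change is noticed. The switch address reuses the one in the URL above; the pin-file path is an assumption, and `SAMPLE_PEM` is a constructed stand-in (its body is not a real certificate) used only to exercise the fingerprint code.

```python
"""Pin the switch's HTTPS certificate fingerprint (trust on first use).

Added example, not part of the GarrettCom guide. On first contact, over the
isolated setup network, the fingerprint is recorded; afterwards a changed
fingerprint is reported as a MISMATCH so you know not to click 'Yes'.
"""
import base64
import hashlib
import json
import os
import ssl

# Constructed stand-in: the base64 body decodes to b"abc", not to a
# certificate. It exists only so the PEM and fingerprint helpers can be run.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body to DER bytes."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if (not lines or not lines[0].startswith("-----BEGIN")
            or not lines[-1].startswith("-----END")):
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]))


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex, the
    form browsers show in their certificate viewer."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_switch_fingerprint(host: str, port: int = 443) -> str:
    """Open a TLS connection *without* verification solely to read the
    certificate; nothing else (no login) is sent on this connection."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(pem_to_der(pem))


def check_pin(host: str, seen: str, pins: dict) -> str:
    """Trust-on-first-use. Returns 'pinned' on first contact (and records
    the fingerprint in `pins`), 'ok' when it matches the stored value,
    and 'MISMATCH' when the switch now presents a different certificate."""
    stored = pins.get(host)
    if stored is None:
        pins[host] = seen
        return "pinned"
    return "ok" if stored == seen else "MISMATCH"


def load_pins(path: str) -> dict:
    return json.load(open(path)) if os.path.exists(path) else {}


def save_pins(path: str, pins: dict) -> None:
    with open(path, "w") as fh:
        json.dump(pins, fh, indent=2)


if __name__ == "__main__":
    switch = "192.168.15.15"                                  # address used in the guide
    pin_file = os.path.expanduser("~/.magnum6k_pins.json")    # assumed location
    pins = load_pins(pin_file)
    fp = fetch_switch_fingerprint(switch)
    verdict = check_pin(switch, fp, pins)
    save_pins(pin_file, pins)
    print(f"{switch}: {fp}  [{verdict}]")
    if verdict == "MISMATCH":
        raise SystemExit("certificate changed: do not click 'Yes' until you know why")
```

Compare the printed fingerprint with the one the browser shows in its certificate details before accepting the prompt. Older switch firmware may offer only TLS versions or cipher suites that a current Python refuses; if `get_server_certificate` fails with a handshake error, take the fingerprint from the browser's certificate viewer instead and keep the pin by hand.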
Note that on different browsers the screens look similar; some examples are enclosed
below for clarity.
FIGURE 6 – Login screen – for the first time, log in with the default login name and password. If you
have created other users, you can use the user name and password created. Note – the switch model number
is displayed on the screen. Not all models are shown above
For the first time, log in with the name “manager” and password “manager”. This is the
published factory default, so change it as soon as you are logged in (see User management below).
FIGURE 7 – Log in with the proper user name and password. For the first time, use manager as the login
name and manager as the password
FIGURE 8 – After a successful login the initial screen displaying the device ports is shown
After a successful login, the welcome screen is shown. Note the information provided on the
welcome screen.
[Figure 9 callouts: “Click on port to configure it”; “Menus”; “Hover in bottom left corner to get module type”; “IP + Other Information”]
FIGURE 9 – Welcome screen. Note the different information provided on the screen and different areas. The menus
are used to configure settings on the switch.
Different switches show the different login screen as well as the welcome screen.
In this manual, for consistency, we will show the Magnum 6K25 screen captures.
FIGURE 10 - Hovering the cursor in the top left corner of the module provides information on the module type
Moving forward, the relevant portion of the screen will only be shown for the switch displayed
above.
User management
A maximum of five users can be added per switch. Users can be added, deleted or
changed from a manager level account. There can be more than one manager account,
subject to the maximum number of users on the switch being restricted to five.
Add User
To add a user, use the Add button as shown below (the equivalent CLI command is “add”). The user name has to be a unique
name. The password is recommended to be at least 8 characters long with a mix of upper case,
lower case, numbers and special characters.
Select User Accounts from the Administration > User Mgmt > User Accounts menu.
In the example below, after the “Add” button is clicked, user ‘peter’ was added with
Manager Privilege.
After successfully adding a user, the added user is displayed in the list of users
Deleting User
To delete a user, click on the delete icon as shown below.
FIGURE 14 - Deleting a user – click on the delete icon (a white “X” in a red circle) as shown
In this example, after clicking on OK, the user ‘peter’ will be deleted. If you click on
Cancel, the user ‘peter’ is not deleted. For the next few sections we assume the user was
not deleted.
Modify Password
(Here we assume the user “peter” was not deleted as shown above). To modify the
password, view the users as described above and click on the edit icon
FIGURE 16 - Changing the password for a specific user – click on the edit icon (shown as a pencil; labelled “Edit Icon” in the figure)
After clicking on the edit icon the screen opens up for modifying the password.
In this example, since the userid ‘peter’ was selected for modification, the password for
‘peter’ will be modified after the new password is typed in. Click OK to accept the new
password.
Privilege levels cannot be changed from the Secure Web Management (SWM). This can be done from the
CLI interface or alternately by deleting the user and adding the same user with the proper privilege level.
Help
Help for the Secure Web Management (SWM) can be obtained by clicking on the Help icon as
shown below. The Tool Tip “Help” is also displayed for clarity.
FIGURE 18 - Help – note the top right corner with the “?” icon. Note the help is available from any menu and is
context sensitive.
Exiting
To exit or logout – click on the “Logout” button.
FIGURE 19 – Logout
FIGURE 20 – Confirming the logout – after “OK” the login prompt is displayed again
Chapter 3
This section explains how the GarrettCom switches can be set up using other automatic
methods such as bootp and DHCP. Besides this, other parameters required for proper
operation of the switch in a network are discussed.
IP Addressing
It is assumed that the user has familiarity with IP addresses, classes
of IP addresses and related netmask schemas (e.g. Class A, Class B
and Class C addressing).
Importance of an IP address
Without an IP address, the switch will operate as a standalone Layer 2 switch. Without an IP
address, you cannot
To set the IP address, please refer to the section in Chapter 2 – Setting IP Parameters.
To verify the IP address settings, access the Secure Web Management (SWM) and use the
Administration > System menu item to view and edit the IP address information.
FIGURE 21 - Checking the IP settings. Click on Edit button to edit the IP or other settings. Note this
screen also displays the serial number as well as the configuration code set at the factory
Besides manually assigning IP addresses, there are other means to assign an IP address
automatically. The two most common procedures are using DHCP and bootp.
1 Note – on Windows systems – the location of the file will vary depending on which software is being used.
Bootp Database
Bootp keeps a record of the systems it supports in a database, which is a simple text file. On most
systems the bootp service is not started by default and has to be enabled. A sample entry
from which the bootp software will look up the database and supply the IP address and
subnet mask of the switch is as follows:
M6k25switch:\
ht=ether:\
ha=002006250065:\
ip=192.168.1.88:\
sm=255.255.255.0:\
gw=192.168.1.1:\
hn:\
vm=rfc1048
where
M6k25switch: is a user-defined symbolic name for the switch
ht: is the “hardware type”. For the Magnum 6K family of switches, set this to ether (for
Ethernet). This tag must precede the “ha” tag.
ha: is the “hardware address”. Use the switch’s 12-digit MAC address
ip: is the IP address to be assigned to the switch
sm: is the subnet mask of the subnet in which the switch is installed
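The entry above has a small set of rules the guide spells out (ht must be ether, ht must precede ha, ha is the 12-digit MAC). The following parser and validator is an added example written for this guide, not GarrettCom code; it reads a bootptab-style entry, splits it into its tags, and reports violations of those rules plus two sanity checks a network engineer would want (ip/sm form a valid subnet, gw lies inside it). The sample entry is the one shown above, constructed inline.

```python
import ipaddress
import re

# Constructed sample: the bootptab entry shown in the guide, written the way it
# appears in the file (one tag per line, each line continued with a backslash).
SAMPLE_ENTRY = "\\\n".join([
    "M6k25switch:",
    "  ht=ether:",
    "  ha=002006250065:",
    "  ip=192.168.1.88:",
    "  sm=255.255.255.0:",
    "  gw=192.168.1.1:",
    "  hn:",
    "  vm=rfc1048",
])


def parse_bootptab_entry(text):
    """Return (name, fields, order) for a single bootptab entry.

    Continuation lines are joined and the entry is split on ':'.  The first
    element is the symbolic host name; the remaining elements are either
    'tag=value' pairs or bare tags (such as 'hn'), which are stored as True.
    'order' records the tag sequence so that ordering rules can be checked.
    """
    joined = "".join(line.strip().rstrip("\\").strip() for line in text.splitlines())
    parts = [p for p in joined.split(":") if p]
    if not parts:
        raise ValueError("empty bootptab entry")
    name, fields, order = parts[0], {}, []
    for part in parts[1:]:
        tag, _, value = part.partition("=")
        fields[tag] = value if value else True
        order.append(tag)
    return name, fields, order


def mac_colon(ha):
    """Format the 12-hex-digit 'ha' value as a colon-separated MAC address."""
    return ":".join(ha[i:i + 2] for i in range(0, 12, 2)).lower()


def validate_magnum_entry(fields, order):
    """Check the rules the guide states for a Magnum 6K entry; return a list of problems."""
    problems = []
    if fields.get("ht") != "ether":
        problems.append("ht must be 'ether' for a Magnum 6K switch")
    if "ha" in order and ("ht" not in order or order.index("ht") > order.index("ha")):
        problems.append("the ht tag must precede the ha tag")
    ha = fields.get("ha")
    if not isinstance(ha, str) or not re.fullmatch(r"[0-9A-Fa-f]{12}", ha):
        problems.append("ha must be the switch's 12-hex-digit MAC address")
    try:
        # ipaddress accepts a dotted netmask here and derives the subnet from ip/sm.
        network = ipaddress.IPv4Network(f"{fields.get('ip')}/{fields.get('sm')}", strict=False)
    except ValueError:
        problems.append("ip and sm must form a valid IPv4 address and subnet mask")
        network = None
    if network is not None and isinstance(fields.get("gw"), str):
        try:
            if ipaddress.IPv4Address(fields["gw"]) not in network:
                problems.append("gw lies outside the subnet defined by ip and sm")
        except ValueError:
            problems.append("gw is not a valid IPv4 address")
    return problems


if __name__ == "__main__":
    entry_name, entry_fields, entry_order = parse_bootptab_entry(SAMPLE_ENTRY)
    print(entry_name, mac_colon(entry_fields["ha"]), validate_magnum_entry(entry_fields, entry_order))
```

Running the validator over a bootptab before enabling the service catches the ordering and MAC-format mistakes that otherwise surface only as a switch that never receives its address.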
FIGURE 22 - Changing the boot mode as well as IP address and other parameters of the switch. Note if the
IP address is changed, the http session has to be restarted with the new IP address
Using Telnet
By default, the telnet client is enabled on the GarrettCom Magnum 6K family of switches.
Telnet cannot be disabled from the Secure Web Management (SWM); it can be disabled
with the ‘telnet disable’ command on the CLI. To open a telnet session to the switch, use the
Configuration > Telnet menu. A maximum of four simultaneous telnet sessions are permitted.
Note that telnet carries user names, passwords and commands in clear text, so limit which
stations may reach it (see Authorized managers in Chapter 5) and disable it from the CLI
where it is not required.
FIGURE 23 - Telnet session to the switch can be launched from Secure Web Management
(SWM). The telnet interface is a convenient way to access Command Line Interface (CLI)
commands, Note – multiple telnet sessions (up to 4) are supported.
Network time
Many networks synchronize the time using a Network time server. The network time
server provides time to the different machines using the Simple Network Time Protocol
(SNTP). To specify the SNTP server, one has to
1) Set the IP parameters on the switch
2) Define the SNTP parameters
Configure the SNTP parameters using the Configuration > SNTP menu. The SNTP menu
allows the time zone (hours from GMT) to be defined along with the other parameters
for setting the time and synchronizing clocks on network devices.
[Figure callouts: Editing Time-zone and SNTP status; Adding additional servers]
FIGURE 25 – SNTP parameters. Note – the Edit button allows edit of the SNTP parameters as shown
below. Adding or deleting SNTP servers is done by using the add button or delete button (white “X” in the
red circle)
On clicking the Edit button shown above, the parameter of the SNTP settings can be
modified.
FIGURE 26 – Modifying the SNTP parameters. SNTP can be enabled or disabled from this menu as
well
After the proper SNTP values are entered, click OK to register the changes. Click Cancel
to back out from the changes made.
To add an SNTP server, click on the “Add” button on the Configuration > SNTP menu.
The menu prompts you to add IP address of an SNTP server, the time out in seconds and
the number of retries, before the time synchronization effort is aborted.
FIGURE 27 – Adding SNTP servers. Time Out is in seconds. Note the Time server can be a NTP server
available on the Internet. Make sure the IP parameters are configured for the switch and the device can be
pinged by the switch. The Sync Now button allows the synchronization as soon as the server information is
added.
Once the server is added, it is listed with the other SNTP servers. The time of day (in 24
hour clock format) at which the time on the switch is updated can be changed by adding a new
server or by editing the time server information. If the synchronization time is changed,
the change is reflected on all servers added.
FIGURE 28 – Using FTP to save the configuration as well as upload a new image or reload a saved
configuration. Note – the active or passive mode of ftp can be used. To set that, use the Administration >
Set FTP Mode menu item
Make sure the machine specified by the IP address has the necessary services running on
it. For serial connections, x-modem or other alternative methods can be used. File name
in many situations has to be a unique file name as over-writing files is not permitted by
most ftp and tftp servers (or services). Make sure the user name and passwords are known
before the process begins.
FIGURE 29 - Saving the configuration on a tftp server – note the menu is similar to the FTP screen described
earlier
This process can also be used to update new software to the Magnum 6K family of
switches. Before the software is updated, it is advised to save the configurations. The re-
loading of the configuration is not usually necessary; however, in certain situations it may
be needed and it is advised to save configurations before a software update. Make sure to
reboot the switch after a new configuration is loaded.
Using the File Mgmt (management) menus several operations can take place as shown in
the figure below and summarized below. These operations can take place from the FTP or
TFTP servers on the network as shown above.
Script file
Script file is a file containing a set of CLI commands which are used to configure the switch. CLI
commands are repeated in the file for clarity, providing guidance to the user editing the file as to
what commands can be used for modifying variables used by MNS-6K. The script file does not
have a check sum at the end and is used for configuring a large number of switches easily. As with
any configuration file that is uploaded, GarrettCom recommends that modifications of this file
and the commands should be verified by the User in a test environment prior to use in a "live"
production network.
The script file will look familiar to people familiar with the CLI commands as all the commands saved
in the script file are described in the CLI User Guide. A sample of the script file is shown below.
################################################################
# Copyright (c) 2001-2005 GarrettCom, Inc All rights reserved.
# RESTRICTED RIGHTS
# ---------------------------------
# Use, duplication or disclosure is subject to U.S. Government
# restrictions as set forth in Sub-division (b)(3)(ii) of the
# rights in Technical Data and Computer Software clause at
# 52.227-7013.
#
# This file is provided as a sample template to create a backup
# of Magnum 6K switch configurations. As such, this script
# provides insights into the configuration of Magnum 6K switch's
# settings. GarrettCom recommends that modifications of this
# file and the commands should be verified by the User in a
# test environment prior to use in a "live" production network.
# All modifications are made at the User's own risk and are
# subject to the limitations of the GarrettCom software End User
# License Agreement (EULA). Incorrect usage may result in
# network shutdown. GarrettCom is not liable for incidental or
# consequential damages due to improper use.
################################################################
exit
##########################################################
# User Accounts - This area configures user accounts for #
# accessing this system. #
##########################################################
user
add user=manager level=2 pass=manager
useraccess user=manager service=telnet enable
useraccess user=manager service=web enable
useraccess user=manager service=acl enable
add user=operator level=1 pass=operator
useraccess user=operator service=telnet enable
useraccess user=operator service=web enable
useraccess user=operator service=acl enable
exit
##########################################################
# IP-based Access List - This area configures the #
# access/deny control list. #
##########################################################
##########################################################
# Serial Communication - This area configures the serial #
# communication parameters. #
##########################################################
set serial baud=38400 data=8 parity=none stop=1 flowctrl=none
##########################################################
# Host Table - Host to IP address resolution. #
# #
##########################################################
access
gdp enable
gdp proxy status=disable
exit
set prompt $p
set ftp mode=normal
hbarp disable
##########################################################
# Event Logging - This area configures event logging #
# options. #
##########################################################
set logsize size=100
##########################################################
# Alarms - This area configures alarm triggers and #
# options. #
##########################################################
alarm
alarm disable
period time=3
exit
<additional lines deleted for succinct viewing>
FIGURE 31 – Example of Script file. Note all the commands are CLI commands. This script provides
insights into the configuration of Magnum MNS-6K settings. GarrettCom recommends that modifications
of this file and the commands should be verified by the User in a test environment prior to use in a "live"
production network
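Because the script file is plain CLI text, it can be checked before it is pushed to a fleet of switches. The audit below is an added example, not part of the guide or of MNS-6K: it scans the user-account section for the factory default passwords named in this guide (manager/manager, operator/operator), applies the 8-character mixed-class password recommendation from the User management section, and flags every account for which the clear-text telnet service is enabled. The sample script is constructed from the account lines in Figure 31; the command syntax matched by the regular expressions is exactly the one shown there.

```python
import re

# Constructed sample: the user-account part of the script file shown in Figure 31,
# plus one unrelated line, so the audit has something to skip.
SAMPLE_SCRIPT = """\
user
add user=manager level=2 pass=manager
useraccess user=manager service=telnet enable
useraccess user=manager service=web enable
add user=operator level=1 pass=operator
useraccess user=operator service=telnet enable
exit
set ftp mode=normal
"""

# Factory default accounts named in this guide (manager/manager, operator/operator).
DEFAULT_CREDENTIALS = {("manager", "manager"), ("operator", "operator")}

# Command forms as they appear in the script file.
ADD_USER = re.compile(r"^add\s+user=(\S+)\s+level=(\d+)\s+pass=(\S+)\s*$")
USERACCESS = re.compile(r"^useraccess\s+user=(\S+)\s+service=(\S+)\s+(enable|disable)\s*$")


def password_is_strong(password):
    """The guide's recommendation: at least 8 characters with upper case,
    lower case, digits and special characters all present."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def audit_script(text):
    """Return a list of (line_number, message) findings for a script file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        m = ADD_USER.match(line)
        if m:
            user, _level, password = m.groups()
            if (user, password) in DEFAULT_CREDENTIALS:
                findings.append((lineno, f"user '{user}' still has the factory default password"))
            elif not password_is_strong(password):
                findings.append((lineno, f"password for user '{user}' does not meet the "
                                         "8-character mixed-class guideline"))
            continue
        m = USERACCESS.match(line)
        if m and m.group(2) == "telnet" and m.group(3) == "enable":
            findings.append((lineno, f"telnet (clear-text) access is enabled for user '{m.group(1)}'"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {message}")
```

Since the script stores passwords in clear text (see the `pass=` values above), the backup file itself should be kept with the same care as the switch credentials.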
To ease the process of uploading the script files, use the Script Upload/Download
capability described above.
Displaying configuration
With SWM there is no need to issue specific CLI commands to configure the switch. The
menus are modular and alphabetically sorted to present each necessary component in a logical
manner. This section is repeated from the CLI manual in case the need arises to view the
underlying commands. The best way to view these commands is to telnet to the switch using the Telnet
menu from the Administration menu.
To display the configuration or to view specific modules configured, the ‘show config’ command is
used as described below.
FIGURE 32 – ‘show config’ command output (output abbreviated)
FIGURE 33 – displaying specific modules using the ‘show config’ command (output abbreviated)
FIGURE 34 – displaying configuration for different modules. Note – multiple modules can be specified on the
command line (output abbreviated)
Host Names
Instead of typing in IP addresses of commonly reached hosts, MNS-6K allows host entries to
be created with the necessary host names and IP addresses, user names and passwords. To
create host entries, use the Configuration > Access > Host menus as shown below.
FIGURE 35 – creating commonly used host entries. These entries can be saved using the Host upload capabilities
under the Administration > File Management menus
To add a host, click on the Add button and then fill in all the fields below to create the
necessary host entries.
FIGURE 37 – After hosts are added, the information related to the added host is displayed.
To delete or edit the entries, use the delete or edit icons next to each entry shown above.
Erasing configuration
To erase the configuration and reset the configurations to factory default, the Secure Web
Management (SWM) interface cannot be used. A serial or a telnet session to the switch will
provide a CLI interface. Once the CLI interface is available, the ‘kill config’ command can be
used to erase the configuration. This command is a “hidden command” i.e. the on-line help
and other help functions normally do not display this command. Please refer to the “Magnum
MNS-6K User Guide” for more information on this command.
Saving changes
Any changes can be saved by clicking on the Save (floppy) icon. SWM will ask again whether the
changes are to be saved or ignored. To ignore the changes, click on Cancel and
reboot the switch. To save the changes, click on OK.
FIGURE 38 – Saving changes made – for example after adding SNTP server, the change needs to be saved.
This can be done by clicking on the floppy icon to save current configuration
The “Save Configuration” saves the configuration to the memory. Without the “Save
Configuration”, the changes made are not permanent. To make the changes permanent, use
the “Save Configuration” as shown above and click on OK to register the changes.
The changes are now permanent. GarrettCom Inc. recommends that the new configuration is
backed up as described above.
Chapter 4 – IPv6
Next generation IP addressing
This section explains how access to the GarrettCom Magnum MNS-6K can be set up using
IPv6 instead of the IPv4 addressing described earlier. IPv6 provides a much larger address space
and is required today by many.
Assumptions
It is assumed here that the user is familiar with IP addressing
schemes and has other supplemental material on IPv6
configuration, routing, setup and other items related to IPv6. This
user guide does not dwell on or probe those details.
Introduction to IPv6
IPv6 is short for "Internet Protocol Version 6". IPv6 is the "next generation" protocol or
IPng and was recommended to the IETF to replace the current version Internet Protocol,
IP Version 4 ("IPv4"). IPv6 was recommended by the IPv6 (or IPng) Area Directors of
the Internet Engineering Task Force at the Toronto IETF meeting on July 25, 1994 in
RFC 1752, The Recommendation for the IP Next Generation Protocol. The
recommendation was approved by the Internet Engineering Steering Group and made a
proposed standard on November 17, 1994. The core set of IPv6 protocols were made an
IETF draft standard on August 10, 1998.
IPv6 is a new version of IP which is designed to be an evolutionary step from IPv4. It is a
natural increment to IPv4. It can be installed as a normal software upgrade in internet
devices and is interoperable with the current IPv4. Its deployment strategy is designed to
not have any dependencies. IPv6 is designed to run well on high performance networks
(e.g. Gigabit Ethernet, OC-12, ATM, etc.) and at the same time still be efficient for low
bandwidth networks (e.g. wireless). In addition, it provides a platform for new internet
functionality that will be required in the near future.
IPv6 includes a transition mechanism which is designed to allow users to adopt and
deploy IPv6 in a highly diffuse fashion and to provide direct interoperability between IPv4
and IPv6 hosts. The transition to a new version of the Internet Protocol is normally
incremental, with few or no critical interdependencies. Most of today's internet uses IPv4,
which is now nearly twenty years old. IPv4 has been remarkably resilient in spite of its age,
but it is beginning to have problems. Most importantly, there is a growing shortage of
IPv4 addresses, which are needed by all new machines added to the Internet.
IPv6 fixes a number of problems in IPv4, such as the limited number of available IPv4
addresses. It also adds many improvements to IPv4 in areas such as routing and network
auto configuration. IPv6 is expected to gradually replace IPv4, with the two coexisting for
a number of years during a transition period.
IPv6 Addressing
IPv6 addresses are 128-bits long and are identifiers for individual interfaces and sets of
interfaces. IPv6 addresses of all types are assigned to interfaces, not nodes. Since each
interface belongs to a single node, any of that node's interfaces' unicast addresses may be
used as an identifier for the node. A single interface may be assigned multiple IPv6
addresses of any type.
There are three types of IPv6 addresses. These are unicast, anycast, and multicast. Unicast
addresses identify a single interface. Anycast addresses identify a set of interfaces such that
a packet sent to an anycast address will be delivered to one member of the set. Multicast
addresses identify a group of interfaces, such that a packet sent to a multicast address is
delivered to all of the interfaces in the group. There are no broadcast addresses in IPv6,
their function being superseded by multicast addresses.
IPv6 addresses have four times the number of bits of IPv4 addresses (128
vs. 32). This is 4 billion times 4 billion times 4 billion (2^96) times the size of the IPv4
address space (2^32). This works out to be:
340,282,366,920,938,463,463,374,607,431,768,211,456
This is an extremely large address space. In a theoretical sense this is approximately
665,570,793,348,866,943,898,599 addresses per square meter of the surface of the planet
Earth (assuming the earth surface is 511,263,971,197,990 square meters). In the most
pessimistic estimate this would provide 1,564 addresses for each square meter of the
surface of the planet Earth. The optimistic estimate would allow for
3,911,873,538,269,506,102 addresses for each square meter of the surface of the planet
Earth. Approximately fifteen percent of the address space is initially allocated. The
remaining 85% is reserved for future use.
The details on the addressing are covered by numerous articles on the WWW as well as
other literature and are not covered here.
Configuring IPv6
To configure IPv6, click on Configuration > IPv6 as shown below.
Click on edit to edit an existing IPv6 Address. Click on Add to add a new IPv6 address.
FIGURE 42 – Enter in the IPv6 address and netmask. In this example the IPv6 address is
fe80::220:8ff:fe03:509 and the netmask is ffff:ffff:ffff:ffff::
After the IPv6 address is added, the screen shown below reflects the address added. Note – the gateway
is still blank. Once the address is added, this can be either deleted or edited. Note netmask can also be
entered in as the number of “1’s” in the netmask as shown below.
FIGURE 43 – Optional way to enter the netmask information. The information entered in this figure and the
prior figure is the same
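The two netmask forms in Figures 42 and 43 (ffff:ffff:ffff:ffff:: versus a count of leading 1 bits) describe the same prefix. The helper below is an added example, not code from the guide or from MNS-6K: it converts between the two forms, rejects a mask whose 1 bits are not contiguous, derives the network for the address in Figure 42, and checks whether a proposed gateway (Figures 45 and 46) lies on that link. Python's ipaddress module only accepts prefix lengths for IPv6, so the mask-to-prefix conversion is done by hand.

```python
import ipaddress

ADDRESS_BITS = 128


def netmask_to_prefix(netmask):
    """Convert an IPv6 netmask written as an address (e.g. ffff:ffff:ffff:ffff::) to a prefix length."""
    bits = int(ipaddress.IPv6Address(netmask))
    prefix = bin(bits).count("1")
    # A valid mask is a contiguous run of ones followed by zeros; anything else is a typo.
    expected = ((1 << prefix) - 1) << (ADDRESS_BITS - prefix)
    if bits != expected:
        raise ValueError(f"non-contiguous IPv6 netmask: {netmask}")
    return prefix


def prefix_to_netmask(prefix):
    """Convert a prefix length (the 'number of 1s' form) back to the address form."""
    if not 0 <= prefix <= ADDRESS_BITS:
        raise ValueError("prefix length must be between 0 and 128")
    return str(ipaddress.IPv6Address(((1 << prefix) - 1) << (ADDRESS_BITS - prefix)))


def interface_network(address, mask):
    """Network an interface belongs to; 'mask' may be a prefix length ('64') or a netmask in address form."""
    prefix = int(mask) if str(mask).isdigit() else netmask_to_prefix(mask)
    return ipaddress.IPv6Network(f"{address}/{prefix}", strict=False)


def gateway_on_link(address, mask, gateway):
    """True when the gateway address falls inside the interface's own prefix."""
    return ipaddress.IPv6Address(gateway) in interface_network(address, mask)


if __name__ == "__main__":
    # Values from Figure 42; the gateway is a constructed example.
    addr, mask = "fe80::220:8ff:fe03:509", "ffff:ffff:ffff:ffff::"
    print(netmask_to_prefix(mask), interface_network(addr, mask), gateway_on_link(addr, mask, "fe80::1"))
```

A gateway that fails `gateway_on_link` is the usual reason a freshly added IPv6 address is reachable from its own subnet but from nowhere else.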
FIGURE 44 – After successfully adding an IPv6 address, the address is displayed. Note – the Gateway IPv6
address has still not been added
To add the gateway, click on Edit as shown below. Make sure that the IP address is not selected. If the
IP address is selected, clicking on Edit will allow you to edit the IP address.
FIGURE 45 – Click on Edit to Edit the gateway information. Make sure the IP address is not selected as shown
above. To edit the IPv6 address, select the IP address and then click on the Edit button
FIGURE 46 – Add the gateway information. After the information is added, click OK
FIGURE 47 – After adding the gateway information, this information is displayed on the main IPv6 screen
Chapter 5 – Access Considerations
Securing the switch access….
This section explains how access to the GarrettCom Magnum 6K family of switches can be
secured. Further security considerations are also covered, such as securing access by IP address
or MAC address.
Securing access
It is assumed here that the user is familiar with issues concerning
security as well as securing access for users and computers on a
network. Secure access on a network can be provided by
authenticating against an allowed MAC address as well as IP
address.
Port security
The port security feature can be used to block computers from accessing the network by
requiring the port to validate the MAC address against a known list of MAC addresses.
This port security feature is provided on an Ethernet, Fast Ethernet, or Gigabit Ethernet
port. In case of a security violation, the port can be configured to go into the disable
mode or drop mode. The disable mode disables the port, not allowing any traffic to pass
through. The drop mode allows the port to remain enabled during a security violation and
drop only packets that are coming in from insecure hosts. This is useful when there are
other network devices connected to the Magnum 6K family of switches. If there is an
insecure access on the secondary device, the Magnum 6K family of switches allows the
authorized users to continue to access the network; the unauthorized packets are dropped
preventing access to the network.
Network Security
Network security hinges on the ability to allow or deny access to
network resources. The access control aspect of secure network
services involves allowing or disallowing traffic based on information
contained in packets, such as the IP address, MAC address, or other content. Planning for
access is a key architectural and design consideration. For example, which ports are
configured for port security? Normally rooms with public access (e.g. lobby, conference
rooms etc.) should be configured with port security. Once that is decided, the next few
decisions are – who are the authorized and unauthorized users? What action should be
taken against authorized as well as unauthorized users? How are the users identified as
authorized or unauthorized?
From the menu shown above, each individual port can be configured for the proper
action on the port, auto learn MAC addresses and specify individual MAC addresses. To
edit each port, click on the edit icon (shown as a pencil).
To enable or disable Port Security – use the Status Enable/Disable drop down menu as
shown in the next figure.
FIGURE 49 – Enable or disable Port Security functions. Note the screen also provides an overview of each port on
the switch. Each port can be individually configured for the proper port security action
Each individual port can be configured by clicking on the edit icon. Once the edit
screen is shown, the following actions can be taken for each port:
1) The port can be specified to create a log entry or send a trap, do both or do nothing.
This is done by the “Signal Status” drop down menu
2) The port can be specified to drop the connection, disable the port or do nothing. This
is indicated by the “Action Status” drop down menu
3) The port can be put in the learn mode or the learning can be disabled. This is
indicated by the “Learn Status” drop down menu
Additionally, MAC addresses can be added to or deleted from the table of allowed MAC
addresses. To delete a MAC address, click on the delete icon. To add a MAC address,
click on the ADD button and fill in the MAC address in the MAC address window.
FIGURE 50 – Port security – allowing specific MAC addresses on a specified port as well as changing the
status of each port
There is a limitation of 200 MAC addresses per port and 500 MAC
addresses per Switch for Port Security.
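The three per-port settings (Signal Status, Action Status, Learn Status), the allowed-MAC table and the 200/500 limits fit together as follows. The simulation below is an added example for this guide, not MNS-6K code; it models the decision the switch makes for each arriving frame and shows the difference the text draws between drop mode (only the offending frames are dropped, authorized hosts on the same port keep working) and disable mode (the whole port goes down). What the switch does in learn mode is not described in detail here, so the model's choice of adding unknown addresses to the table is an assumption.

```python
MAX_MACS_PER_PORT = 200        # limits stated in the guide
MAX_MACS_PER_SWITCH = 500

ACTIONS = ("drop", "disable", "none")          # "Action Status" drop-down
SIGNALS = ("log", "trap", "both", "none")      # "Signal Status" drop-down


class PortSecurity:
    """Constructed model of the per-port choices on the SWM port security screen."""

    def __init__(self):
        self.enabled = True        # the global Status Enable/Disable setting
        self.ports = {}            # port number -> settings
        self.events = []           # (kind, port, mac, action): kind is "log" or "trap"

    def configure(self, port, *, action="drop", signal="log", learn=False, allowed=()):
        if action not in ACTIONS or signal not in SIGNALS:
            raise ValueError("unknown action or signal setting")
        self.ports[port] = {"action": action, "signal": signal, "learn": learn,
                            "allowed": {m.lower() for m in allowed}, "disabled": False}

    def _total_macs(self):
        return sum(len(p["allowed"]) for p in self.ports.values())

    def add_mac(self, port, mac):
        """Add a MAC to a port's allowed table; False when a limit would be exceeded."""
        p = self.ports[port]
        if len(p["allowed"]) >= MAX_MACS_PER_PORT or self._total_macs() >= MAX_MACS_PER_SWITCH:
            return False
        p["allowed"].add(mac.lower())
        return True

    def _signal(self, port, mac, action):
        signal = self.ports[port]["signal"]
        if signal in ("log", "both"):
            self.events.append(("log", port, mac, action))
        if signal in ("trap", "both"):
            self.events.append(("trap", port, mac, action))

    def frame(self, port, mac):
        """Decide what happens to a frame from 'mac' arriving on 'port':
        'forward', 'drop' (this frame only) or 'port-disabled' (whole port blocked)."""
        p = self.ports[port]
        mac = mac.lower()
        if not self.enabled:
            return "forward"
        if p["disabled"]:
            return "port-disabled"
        if mac in p["allowed"]:
            return "forward"
        if p["learn"]:
            # Assumed learn-mode behaviour: unknown addresses are added to the
            # allowed table (subject to the limits) instead of being rejected.
            return "forward" if self.add_mac(port, mac) else "drop"
        action = p["action"]
        self._signal(port, mac, action)
        if action == "disable":
            p["disabled"] = True       # port stays down until an administrator re-enables it
            return "port-disabled"
        if action == "drop":
            return "drop"              # authorized hosts on the same port keep working
        return "forward"               # action "none": signal only


if __name__ == "__main__":
    ps = PortSecurity()
    ps.configure(1, action="drop", signal="both", allowed=["00:20:06:25:00:65"])   # constructed MAC
    print(ps.frame(1, "00:20:06:25:00:65"), ps.frame(1, "00:11:22:33:44:55"), ps.events)
```

The model makes the operational trade-off visible: disable mode is the stronger response but also takes down the authorized hosts behind a shared port, which is why the guide recommends drop mode when another network device hangs off the secured port.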
Once port security is setup, it is important to manage the log and review the log often. If the
signals are sent to the trap receiver, the traps should also be reviewed for intrusion and other
infractions.
Logs
All events occurring on the Magnum 6K family of switches are logged. The event severity
codes are as shown below:
Code  Description
0     Emergency: system is unusable – called “fatal” in the show log command
1     Alert: action must be taken immediately
2     Critical: critical conditions
3     Error: error conditions
4     Warning: warning conditions
5     Notice: normal but significant condition – called “note” in the show log command
6     Informational: informational messages
7     Debug: debug-level messages
These logs are in compliance with the definitions of RFC 3164, though not all the nuances
of the syslog are implemented as specified by the RFC.
FIGURE 52 – Logs made on the switch. Specific logs may be viewed by using the drop down menu in the top
right corner
The log shows the most recent intrusion at the top of the listing. If the log is filled when the
switch detects a new intrusion, the oldest entry is dropped off the listing.
As discussed in the prior section, any port can be set to monitor security as well as make a
log on the intrusions that take place. The logs for the intrusions are stored on the switch.
When the switch detects an intrusion on a port, it sets an “alert flag” for that port and
makes the intrusion information available.
The default log size is 50 rows. To change the log size, use the
Configuration > Statistics > Log Statistics menu.
When the switch detects an intrusion attempt on a port, it records the date and time
stamp, the MAC address, the port on which the access was attempted and the action taken
by MNS-6K software. The event log lists the most recently detected security violation
attempts. This provides a chronological entry of all intrusions attempted on a specific
port.
The event log records events as single-line entries listed in chronological order, and serves
as a tool for isolating problems. Each event log entry is composed of four fields
Severity – the level of severity (see below)
Date – date the event occurred on. See Chapter 3 on setting the date and time on the
switch
Time – time the event occurred on. See Chapter 3 on setting the date and time on the
switch
Log Description – description of event as detected by the switch
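To make the log behaviour described above concrete (severity codes 0 to 7 with the “fatal” and “note” names used by show log, newest entry at the top, a fixed number of rows with the oldest dropped when full, and the four-field entry layout), here is an added example that is not part of the guide or of MNS-6K. The line layout of the sample log is constructed for this example, since the guide shows the log only as a screen capture; the review helpers filter by severity and pull out the ports with port-security violations, which is what the text asks an administrator to check regularly.

```python
import re
from collections import deque, namedtuple

# Severity codes from the guide's table, with the names 'show log' uses for 0 and 5.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}
SHOW_LOG_ALIAS = {0: "fatal", 5: "note"}

Entry = namedtuple("Entry", "code severity date time description")

# Constructed sample lines in an assumed 'code date time description' layout;
# the switch's real export format is not shown in the guide.
SAMPLE_LOG = """\
4 2006-06-13 09:58:01 Port 7: unauthorized MAC 00:11:22:33:44:55, packets dropped
6 2006-06-13 09:58:30 User manager logged in via SWM
2 2006-06-13 10:02:17 Port 3: unauthorized MAC 00:aa:bb:cc:dd:ee, port disabled
5 2006-06-13 10:05:00 SNTP synchronization successful
"""


def severity_name(code):
    """Human name for a code, with the 'show log' alias where one exists."""
    name = SEVERITY[code]
    return f"{name} ({SHOW_LOG_ALIAS[code]})" if code in SHOW_LOG_ALIAS else name


class EventLog:
    """Fixed-size event log: newest entry first, oldest dropped when full (default 50 rows)."""

    def __init__(self, max_rows=50):
        self._rows = deque(maxlen=max_rows)     # deque discards the oldest row automatically

    def add(self, code, date, time, description):
        self._rows.append(Entry(code, severity_name(code), date, time, description))

    def load(self, text):
        for line in text.splitlines():
            if line.strip():
                code, date, time, description = line.split(" ", 3)
                self.add(int(code), date, time, description)

    def entries(self):
        return list(reversed(self._rows))       # most recent at the top, as in SWM

    def at_or_above(self, max_code):
        """Entries at severity 'max_code' or more urgent (lower codes are more severe)."""
        return [e for e in self.entries() if e.code <= max_code]

    def intrusion_ports(self):
        """Ports with port-security violations, newest first (matches the constructed description form)."""
        ports = []
        for e in self.entries():
            m = re.match(r"Port (\d+): unauthorized MAC", e.description)
            if m:
                ports.append(int(m.group(1)))
        return ports


if __name__ == "__main__":
    log = EventLog()
    log.load(SAMPLE_LOG)
    for e in log.at_or_above(3):
        print(e.severity, e.date, e.time, e.description)
    print("ports with violations:", log.intrusion_ports())
```

Because the buffer is small (50 rows by default) and the oldest entries disappear silently, a busy port under attack can push earlier evidence out of the log; sending the signals to a trap receiver, as the previous section suggests, keeps a copy that the switch's buffer cannot overwrite.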
Authorized managers
Just as port security allows and disallows specific MAC addresses from accessing a network,
SWM can allow or block specific IP addresses or a range of IP addresses from accessing the switch.
This access control applies to management and configuration access only and does not block
other traffic (e.g. IGMP or file transfer traffic). The menu is Administration > Access.
FIGURE 53 – Authorized access list for managing the switch. Note that specific servers can be authorized using
the Host menu. The host entries can be backed up using the Administration → File Mgmt menu. A group
of stations with IP addresses can be authorized using the IP access menu.
In the example below, any computer on the 10.10.10.0 sub network is allowed (note how the
subnet mask is used to indicate that). Also shown below are stations (hosts) which are
allowed access, as well as how other applications such as ftp or telnet (under the
Administration → File Mgmt menu) can upload/download files.
FIGURE 54 – Adding any computer on the 10.10.10.0 sub net to manage the switch. Note that from this
network, the stations will not be allowed telnet access. The stations will be allowed access via SWM, and
SNMP managers on the 10.10.10.0/24 network will be able to query the switch.
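As an added illustration of the access list in the figures above (example code, not part of this guide or of the MNS-6K software): each entry is a host or a subnet given by address and dotted mask, together with the management services it may use. The longest-prefix override rule, the service names and all addresses are this example's own assumptions.

```python
"""Added example (not GarrettCom code): a model of the SWM authorized-manager
list. Entries are either a single host or a subnet given by address and mask,
each with the management services it may use. All values are constructed."""
import ipaddress
from dataclasses import dataclass

SERVICES = ("swm", "snmp", "telnet", "ftp")   # assumed service names


@dataclass(frozen=True)
class ManagerEntry:
    network: ipaddress.IPv4Network   # a /32 for a single host entry
    allowed: frozenset               # subset of SERVICES


def entry(address, mask, *services):
    """Build an entry from an address and a dotted subnet mask (as the SWM form does)."""
    unknown = set(services) - set(SERVICES)
    if unknown:
        raise ValueError(f"unknown services: {sorted(unknown)}")
    net = ipaddress.IPv4Network((address, mask), strict=False)
    return ManagerEntry(net, frozenset(services))


def is_management_allowed(entries, source_ip, service):
    """Return True if source_ip may use `service` to manage the switch.
    Assumed rule: the most specific (longest-prefix) matching entry decides, so a
    host entry can override a subnet entry. No match at all means access is refused."""
    src = ipaddress.IPv4Address(source_ip)
    best = None
    for e in entries:
        if src in e.network and (best is None or e.network.prefixlen > best.network.prefixlen):
            best = e
    return best is not None and service in best.allowed


# Constructed access list mirroring the figures: the whole 10.10.10.0/24 subnet
# may use SWM and SNMP but not telnet; one admin host may additionally use telnet/ftp.
ACCESS_LIST = [
    entry("10.10.10.0", "255.255.255.0", "swm", "snmp"),
    entry("10.10.10.5", "255.255.255.255", "swm", "snmp", "telnet", "ftp"),
]

if __name__ == "__main__":
    for ip, svc in [("10.10.10.20", "swm"), ("10.10.10.20", "telnet"),
                    ("10.10.10.5", "telnet"), ("192.168.1.9", "snmp")]:
        print(ip, svc, is_management_allowed(ACCESS_LIST, ip, svc))
```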
FIGURE 55 – After adding access to the network, the capabilities allowed are displayed
Chapter 6
The IEEE 802.1x standard, Port Based Network Access Control, defines a mechanism for port-based
network access control that makes use of the physical access characteristics of
IEEE 802 LAN infrastructure. It provides a means of authenticating and authorizing
devices attached to LAN ports that have point-to-point connection characteristics. It also
prevents access to that port in cases where the authentication and authorization fails.
Although 802.1x is mostly used in wireless networks, this protocol is also implemented in
LANs. The Magnum MNS-6K Software switch implements the authenticator, which is a
major component of 802.1x.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a server that has traditionally
been used by many Internet Service Providers (ISPs) as well as enterprises to authenticate
dial-in users. Today, many businesses use a RADIUS server for authenticating users
connecting to a network. For example, if a user connects a PC to the network, whether the
PC should be allowed access raises the same issues as whether a dial-in user should be
allowed access to the network. A user has to provide a user name and password for
authenticated access. A RADIUS server is well suited for controlling access to a network,
since the users who can access the network are managed on the RADIUS server.
Interacting with the server and taking corrective action(s) is not possible on all switches;
this capability is provided on the Magnum 6K family of switches.
RADIUS servers and their uses are also described by one or more RFCs.
802.1x
There are three major components of 802.1x: Supplicant, Authenticator and Authentication
Server (RADIUS Server). In the figure below, the PC acts as the supplicant. The supplicant is an
entity being authenticated and desiring access to the services. The switch is the authenticator. The
authenticator enforces authentication before allowing access to services that are accessible via that
port. The authenticator is responsible for communication with the supplicant and for submitting
the information received from the supplicant to a suitable authentication server. This allows the
verification of user credentials to determine the consequent port authorization state. It is
important to note that the authenticator’s functionality is independent of the actual authentication
method. It effectively acts as a pass-through for the authentication exchange.
(Figure: the three 802.1x roles – Supplicant (PC), Authenticator (802.1x switch) and Authentication Server (RADIUS))
The RADIUS server is the authentication server. The authentication server provides a standard
way of providing Authentication, Authorization, and Accounting services to a network.
Extensible Authentication Protocol (EAP) is an authentication framework which supports
multiple authentication methods. EAP typically runs directly over data link layers such as PPP or
IEEE 802, without requiring IP. EAP over LAN (EAPOL) encapsulates EAP packets onto 802
frames with a few extensions to handle 802 characteristics. EAP over RADIUS encapsulates EAP
packets onto RADIUS packets for relaying to RADIUS authentication servers.
(Figure: 802.1x message flow between the supplicant, the 802.1x switch and the RADIUS server – EAP Request Id; RADIUS Access Request; RADIUS Access Challenge relayed as EAP Request; EAP Response relayed as RADIUS Access Request; RADIUS Access Accept relayed as EAP Success; Access Allowed)
1. The supplicant (laptop/host) is initially blocked from accessing the network. The
supplicant wanting to access these services starts with an EAPOL-Start frame
2. The authenticator (Magnum 6K switch), upon receiving an EAPOL-start frame, sends a
response with an EAP-Request/Identity frame back to the supplicant. This will inform
the supplicant to provide its identity
3. The supplicant then sends back its own identification using an EAP-Response/Identity
frame to the authenticator (Magnum 6K switch). The authenticator then relays this to the
authentication server by encapsulating the EAP frame in a RADIUS-Access-Request
packet
4. The RADIUS server will then send the authenticator a RADIUS-Access-Challenge packet
5. The authenticator (Magnum 6K switch) will relay this challenge to the supplicant using an
EAP-Request frame. This will request the supplicant to pass its credentials for
authentication
6. The supplicant will send its credentials using an EAP-Response packet
7. The authenticator will relay using a RADIUS-Access-Request packet
8. If the supplicant’s credentials are valid, RADIUS-Access-Accept packet is sent to the
authenticator
9. The authenticator will then relay this on as an EAP-Success and provide access to the
network
10. If the supplicant does not have the necessary credentials, a RADIUS-Access-Deny packet
is sent back and relayed to the supplicant as an EAP-Failure frame. The access to the
network continues to be blocked
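The ten steps above as an added example (not GarrettCom code): a small model in which the switch only relays between EAPOL and EAP-over-RADIUS and never handles the password itself. The user database, the HMAC challenge/response scheme and the message names are constructed; the reject message the guide calls RADIUS-Access-Deny is named Access-Reject here, as in RADIUS.

```python
"""Added example (not GarrettCom code): a model of the ten-step 802.1x exchange.
The switch is the authenticator: it relays EAP frames to RADIUS messages and
back and never sees the user's secret. User database, challenge scheme (HMAC
over a random nonce) and names are constructed for the demonstration."""
import hashlib
import hmac
import os


class RadiusServer:
    """Authentication server. Issues a challenge, then verifies the response."""

    def __init__(self, users):
        self.users = users            # constructed: identity -> password
        self.pending = {}             # identity -> outstanding challenge nonce

    def access_request(self, identity, response=None):
        if response is None:          # steps 3-4: identity only -> Access-Challenge
            nonce = os.urandom(16)
            self.pending[identity] = nonce
            return "Access-Challenge", nonce
        nonce = self.pending.pop(identity, None)   # steps 7-8: verify the credential
        password = self.users.get(identity)
        if nonce is None or password is None:
            return "Access-Reject", None
        expected = hmac.new(password.encode(), nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        return ("Access-Accept" if ok else "Access-Reject"), None


class Supplicant:
    """The PC/laptop. Answers the challenge with a keyed hash, never the password."""

    def __init__(self, identity, password):
        self.identity = identity
        self.password = password

    def respond(self, challenge):
        return hmac.new(self.password.encode(), challenge, hashlib.sha256).digest()


class Authenticator:
    """The Magnum 6K role: a pass-through between EAPOL and EAP-over-RADIUS."""

    def __init__(self, server):
        self.server = server
        self.authorized = {}          # port -> True once EAP-Success was sent
        self.trace = []               # message sequence, for inspection

    def authenticate(self, port, supplicant):
        self.authorized[port] = False                          # step 1: port blocked
        self.trace += ["EAPOL-Start", "EAP-Request/Identity"]  # steps 1-2
        identity = supplicant.identity                         # step 3: EAP-Response/Identity
        self.trace.append("EAP-Response/Identity")
        code, challenge = self.server.access_request(identity)          # relayed to RADIUS
        self.trace += ["RADIUS-Access-Request", "RADIUS-" + code]       # step 4
        if code != "Access-Challenge":
            self.trace.append("EAP-Failure")
            return False
        self.trace.append("EAP-Request")                       # step 5: challenge to supplicant
        response = supplicant.respond(challenge)               # step 6: EAP-Response
        self.trace.append("EAP-Response")
        code, _ = self.server.access_request(identity, response)        # step 7: relayed
        self.trace += ["RADIUS-Access-Request", "RADIUS-" + code]       # step 8 or 10
        if code == "Access-Accept":                            # step 9: open the port
            self.trace.append("EAP-Success")
            self.authorized[port] = True
        else:                                                  # step 10: stays blocked
            self.trace.append("EAP-Failure")
        return self.authorized[port]


def run_demo(password):
    """Run one exchange for a constructed user on port 5; return (authorized, trace)."""
    server = RadiusServer({"alice": "correct-horse"})         # constructed account
    switch = Authenticator(server)
    ok = switch.authenticate(5, Supplicant("alice", password))
    return ok, switch.trace


if __name__ == "__main__":
    for pw in ("correct-horse", "wrong"):
        ok, trace = run_demo(pw)
        print("authorized" if ok else "blocked", " -> ".join(trace))
```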
The Magnum MNS-6K Software implements the 802.1x authenticator. It fully conforms to the
standards as described in IEEE 802.1x, implementing all the state machines needed for port-
based authentication. The Magnum MNS-6K Software authenticator supports both EAPOL and
EAP over RADIUS to communicate to a standard 802.1x supplicant and RADIUS authentication
server.
Configuring 802.1x
To access the 802.1x menus, use the Configuration → 802.1x menu.
First select the server. DO NOT ENABLE RADIUS capabilities until you have ensured that the
ports are configured properly. After the ports are configured, enable the RADIUS capability. Also
ensure that the port connected to the RADIUS server, or to the network the RADIUS server
is connected to, is not an authenticated port.
FIGURE 58 – Configuring the RADIUS Server – initially, the RADIUS Services are disabled and the
server IP address is set to 0.0.0.0 – edit that server IP and secret to add a RADIUS server
FIGURE 59 – Editing information of the RADIUS server. Note the UDP port number can be left blank
and the default port 1812 is used
After configuring the server information, the port-specific information is configured. Click on
Configuration → Radius → Port to configure the RADIUS characteristics of each port.
FIGURE 60 – Setting the port characteristic for RADIUS authentication. To edit the port settings – click
on the edit icon
FIGURE 61 – Ensure that the port which has the RADIUS server is force authorized and asserted. For other ports
(user ports), it is best to leave the Control on auto and Initialize on deasserted
FIGURE 62 – Changing the Port Access characteristics when authenticating with a RADIUS server
Quiet Period – This is the quiet period or the amount of time, in seconds, the supplicant
is held after an authentication failure before the authenticator retries the supplicant for
connection. The default value is 60 seconds. Values can range from 0 to 65535 seconds.
Max Reauth – The number of re-authentication attempts that are permitted before the
port becomes unauthorized. Default value is 2. Values are integers and can range from 0
to 10.
Transmit Period – This is the transmit period; it is the time in seconds the authenticator
waits to transmit another request for identification from the supplicant. Default value is
30. Values can be from 1 to 65535 seconds
Supp Timeout – This is the timeout in seconds the authenticator waits for the supplicant
to respond back. Default value is 30 seconds. Values can range from 1 to 240 seconds.
Server Timeout – This is the timeout in seconds the authenticator waits for the backend
RADIUS server to respond back. The default value is 30 seconds. Values can range from
1 to 240 seconds.
Max Request – The maximum number of times the authenticator will retransmit an EAP
Request packet to the Supplicant before it times out the authentication session. Its default
value is 2. It can be set to any integer value from 1 to 10.
FIGURE 64 – Port authentication characteristics – set values on how the authenticator (Magnum 6K switch)
does the re-authentication with the supplicant or PC
Reauth Period – This is the re-authentication period in seconds. It is the time the
authenticator waits before a re-authentication process will be done again to the supplicant.
Default value is 3600 seconds (1 hour). Values can range from 10 to 86400 seconds.
FIGURE 65 – RADIUS Statistics – note that the stats are for each port
Finally, after all the port characteristics are set, do not forget to save the
configuration using the save (floppy disk) icon and to enable RADIUS from the
Configuration → 802.1x → Server menu.
Chapter 7
TACACS+, short for Terminal Access Controller Access Control System, is a protocol that provides
access control for routers, network access servers and other networked computing devices via
one or more centralized servers. TACACS+ provides separate authentication, authorization
and accounting services.
TACACS allows a client to accept a username and password and send a query to
a TACACS authentication server, sometimes called a TACACS daemon (server)
or simply TACACSD. This server was normally a program running on a host.
The host would determine whether to accept or deny the request and send a response back.
The TACACS+ protocol is the latest generation of TACACS. TACACS is a simple UDP based
access control protocol originally developed by BBN for the MILNET (Military Network).
Cisco’s enhancements to TACACS are called XTACACS. XTACACS is now replaced by
TACACS+. TACACS+ is a TCP based access control protocol. TCP offers a reliable connection-
oriented transport, while UDP offers best-effort delivery.
1. TACACS+ servers and daemons use TCP Port 49 for listening to client
requests. Clients connect to this port number to send authentication and
authorization packets
2. There can be more than one TACACS+ server on the network. MNS-
6K supports a maximum of five TACACS+ servers
TACACS+ flow
TACACS+ works in conjunction with the local user list on the MNS-6K software (operating
system). Please refer to User Management for adding users on the MNS-6K software. The
process of authentication as well as authorization is shown in the flow chart below.
(Flow chart: Start → Login as Operator or Login as Manager → connect to a TACACS server to authenticate; on connection failure, try additional servers if any, otherwise Logout; on authentication failure, Logout; once authenticated, TACACS+ authorization → Authorized as Operator (Login as Operator) or Authorized as Manager (Login as Manager); on authorization failure, Logout)
FIGURE 66 – Flow chart describing the interaction between local users and TACACS authorization
The above flow diagram shows the tight integration of TACACS+ authentication with the local
user-based authentication. There are two stages a user goes through in TACACS+. The first stage
is authentication where the user is verified against the network user database. The second stage is
authorization, where it is determined whether the user has operator access or manager privileges.
TACACS+ packet
Packet encryption is supported and is a configurable option for the Magnum MNS-6K Software.
When encrypted, all authentication and authorization TACACS+ packets are encrypted and are
not readable by protocol capture and sniffing tools such as Ethereal or others. Packet data is
obfuscated using MD5 and a secret string defined on both the Magnum 6K family of
switches and the TACACS+ server.
32 bits wide
Major Version (4 bits) | Minor Version (4 bits) | Packet type (8 bits) | Sequence no. (8 bits) | Flags (8 bits)
Session ID (32 bits)
Length (32 bits)
FIGURE 67 – TACACS+ packet format
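As an added example (not GarrettCom code) of the header in Figure 67 and of the MD5-based obfuscation mentioned above: the pad derivation (chained MD5 over session id, secret, version byte and sequence number) follows RFC 8907; the secret, session id and packet body are constructed.

```python
"""Added example (not GarrettCom code): pack and parse the 12-byte TACACS+ header
of Figure 67 and apply the body obfuscation the text refers to. Pad derivation
per RFC 8907; secret, session id and body are constructed."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body is sent in the clear when this flag is set
MAJOR_VERSION, MINOR_VERSION = 0xC, 0x0


def parse_header(data):
    """Split the header into the fields shown in the figure."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    return {"major_version": version >> 4, "minor_version": version & 0x0F,
            "packet_type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def pseudo_pad(session_id, secret, version, seq_no, length):
    """MD5_1 = MD5(session_id | secret | version | seq_no);
    MD5_n = MD5(session_id | secret | version | seq_no | MD5_{n-1}); concatenated."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def build_packet(secret, session_id, seq_no, body, ptype=TAC_PLUS_AUTHEN, cleartext=False):
    """Return header + (obfuscated) body as it would travel on the TCP port 49 connection."""
    version = (MAJOR_VERSION << 4) | MINOR_VERSION
    flags = TAC_PLUS_UNENCRYPTED_FLAG if cleartext else 0
    header = HEADER.pack(version, ptype, seq_no, flags, session_id, len(body))
    if cleartext:
        return header + body
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def open_packet(secret, data):
    """Parse a packet and recover the body. A wrong secret yields garbage, not an
    error: the pad gives confidentiality only, it does not authenticate the peer."""
    hdr = parse_header(data)
    body = data[HEADER.size:HEADER.size + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("truncated body")
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body                  # readable by any capture tool
    version = (hdr["major_version"] << 4) | hdr["minor_version"]
    pad = pseudo_pad(hdr["session_id"], secret, version, hdr["seq_no"], hdr["length"])
    return hdr, bytes(b ^ p for b, p in zip(body, pad))


if __name__ == "__main__":
    pkt = build_packet(b"demo-secret", 0x1234ABCD, 1, b"constructed authentication body")
    print(parse_header(pkt), pkt[HEADER.size:].hex())
    print(open_packet(b"demo-secret", pkt)[1])
```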
Configuring TACACS+
To access the TACACS+ servers, click on the Administration → User Mgmt → TACACS menu.
FIGURE 68 – Accessing TACACS configuration menu. By default, no TACACS+ servers are defined
FIGURE 69 – Adding a TACACS+ server – note that the TCP port can be left blank – Port 49 is used as
the default port. Up to five TACACS+ servers can be defined. Note that the manager level and the operator level
define the privilege levels for the server being defined.
FIGURE 70 – After adding TACACS+ servers, do not forget to save and enable the TACACS+ services
After the configuration is completed, do not forget to save using the save icon and to enable
the TACACS+ services by using the Status drop down menu.
Chapter 8
This section explains how the individual characteristics of a port on the GarrettCom Magnum 6K
family of switches are set up. To monitor a specific port, the traffic on that port can be
mirrored to another port and viewed with a protocol analyzer. Other setup includes
automatically setting broadcast storm prevention thresholds.
Port mirroring
Monitoring a specific port can be done by port mirroring. Mirroring traffic from one port
to another port allows analysis of the traffic on that port. To enable port mirroring and to
set up the ports to be “sniffed”, use Configuration → Port Mirroring.
FIGURE 72 – Setting the port which needs to be monitored and the port on which the traffic is reflected.
Make sure the Mirror Status is also set to enabled for mirroring
FIGURE 73 – After the ports are setup – the changes are shown
Port setup
Each port on the GarrettCom Magnum 6K family of switches can be set up for specific
port characteristics. The menu for setting the port characteristics is Configuration → Port
Settings.
Duplex – sets full duplex or half duplex capabilities for 10/100 Mbps ports
Priority – displays priority set for the port. This value cannot be edited here
VLAN ID – displays VLAN set for the port. This value cannot be edited here
STP State – displays the STP settings for the port. This value cannot be edited here
Tagged State – displays the Tag settings on the port. This value cannot be edited here
GVRP State – displays the GVRP settings on the port. This value cannot be edited here
FIGURE 75 – Clicking on any port in the Graphics Display (or after the login screen) also leads to the
Configuration → Port Settings screen as shown in the previous figure
FIGURE 76 – Editing Port configuration values – not all fields can be edited from this screen
Speed Settings
Auto (default) – Senses speed and negotiates with the port at the other end of the link
for data transfer operation (half-duplex or full-duplex). “Auto” uses the IEEE 802.3u
auto negotiation standard for 100BASE-T networks. If the other device does not comply
with the 802.3u standard, then the port configuration on the switch must be manually set
to match the port configuration on the other device.
Flow Control
This can only be done using the CLI interface. Please refer to the “Magnum MNS-6K
User Guide” for more information on setting flow control using the CLI interface. The
commands for changing the flow control are “flowcontrol” and “show flowcontrol”.
Back Pressure
This can only be done using the CLI interface. Please refer to the “Magnum MNS-6K
User Guide” for more information on setting back pressure using the CLI interface. The
commands for changing back pressure are “backpressure” and “show backpressure”.
Broadcast Storms
FIGURE 77 – Menus for limiting broadcast storms. Note the 19531 threshold refers to 64 byte packets for a
10Mbps network. Since most broadcast packets are 64 bytes long, this number is used as a default. For
100Mbps networks, the threshold is 195310 packets – adjust the threshold accordingly for a 100Mbps
network.
To adjust for broadcast protection, first check whether the port is set to 100 Mbps or 10 Mbps.
For a 10 Mbps port, the maximum broadcast rate is 19,531 packets per second (PPS). To limit the
broadcast rate to 10%, set the threshold to 1953 PPS by clicking on the edit menu.
After changes are made, do not forget to save the changes using the save icon. If the
switch is rebooted before the changes are saved, the changes will be lost.
Chapter 9 – VLAN
Create separate network segments (collision domains) across the Magnum 6K family of
switches
Short for virtual LAN, a VLAN creates separate collision domains or network
segments that can span multiple Magnum 6K switches. A VLAN is a group of ports designated
by the switch as belonging to the same broadcast domain. The IEEE 802.1Q specification
establishes a standard method for inserting VLAN membership information into Ethernet
frames.
Why VLANs?
FIGURE 80 – VLAN as two separate collision domains. The top part of the figure shows two
“traditional” Ethernet segments. Up to 32 VLANs can be defined per switch.
A group of network users (ports) assigned to a VLAN form a broadcast domain. Packets
are forwarded only among ports that are designated for the same VLAN. Cross-domain
broadcast traffic in the switch is eliminated and bandwidth is saved by not allowing
packets to flood out on all ports. For many reasons a port may be configured to belong to
multiple VLANs.
FIGURE 81 – Ports can belong to multiple VLANs. In this figure a simplistic view is presented where
some ports belong to VLANs 1, 2 and other ports belong to VLANs 2,3. Ports can belong to
VLANs 1, 2 and 3. This is not shown in the figure.
If VLANs are entirely separate segments or traffic domains, how can the VLANs route
traffic (or “talk”) to each other? This can be done using routing technologies (e.g., a router
or an L3-switch). The routing function can be done internally via an L3-switch. One
advantage of an L3 switch is that the switch can also support multiple VLANs. The L3
switch can thus route traffic across multiple VLANs easily and provides a cost effective
solution if there are many VLANs defined.
FIGURE 82 – Routing between different VLANs is performed using a router or a Layer 3 switch (L3-
switch)
In the tag VLAN, an identifier called the VLAN identifier (VID) is either inserted or
manipulated. This manipulated VLAN tag allows VLAN information to be propagated across
devices or switches, allowing VLAN information to span multiple switches.
802.1Q VLANs aren't limited to one switch. VLANs can span many switches. Sharing VLANs
between switches is achieved by inserting a tag with a VLAN identifier (VID) into each frame. A
VID must be assigned for each VLAN. By assigning the same VID to VLANs on many switches,
one or more VLAN (broadcast domain) can be extended across a large network.
802.1Q-compliant switch ports, such as those on the Magnum 6K family of switches, can be
configured to transmit tagged or untagged frames. A tag field containing VLAN information can
be inserted into an Ethernet frame. If a port has an 802.1Q-compliant device attached (such as
another switch), these tagged frames can carry VLAN membership information between switches,
thus letting a VLAN span multiple switches. Normally connections between switches can carry
multiple VLAN information and this is called port trunking or 802.1Q trunks.
There is one important caveat: administrators must ensure that ports with non-802.1Q-compliant
devices attached are configured to transmit untagged frames. Many network interface cards, such
as those for PCs, printers and other “dumb” switches, are not 802.1Q-compliant. If they receive a
tagged frame, they will not understand the VLAN tag and will drop the frame. In situations like
these, it is best to use port based VLANs for connecting to these devices.
Sometimes a port may want to listen to broadcasts across different VLANs or propagate the
VLAN information on to other ports. This port must thus belong to multiple VLANs so that the
broadcast information reaches the port accurately. If the port also wants to send broadcast traffic,
the proper egress (sending out of information) and ingress (receiving information) has to be
configured on the Magnum 6K family of switches.
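As an added example (not GarrettCom code) of the tagged/untagged behaviour described above: a 4-byte 802.1Q tag is inserted or removed per egress port, an untagged ingress frame is assigned the port's default VID, and ingress filtering drops tagged frames for VLANs the receiving port is not a member of. Port numbers, MAC addresses and VLAN memberships are constructed.

```python
"""Added example (not GarrettCom code): how a tagged frame differs from an untagged
one and how a VLAN-aware switch decides, per egress port, whether to send the frame
tagged, untagged, or not at all. Topology, MACs and memberships are constructed."""
import struct

TPID = 0x8100                 # EtherType value that announces an 802.1Q tag


def make_frame(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, payload_type). vid is None for an untagged frame."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID:
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return dst, src, tci & 0x0FFF, inner     # low 12 bits of the TCI are the VID
    return dst, src, None, ethertype


def add_tag(frame, vid, pcp=0):
    """Insert a 4-byte tag (TPID + TCI) after the source MAC."""
    if not 1 <= vid <= 4094:                      # usable VID range in 802.1Q
        raise ValueError("VID out of range")
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vid) + frame[12:]


def strip_tag(frame):
    """Remove the tag if present (what an untagged egress port does)."""
    if parse_frame(frame)[2] is None:
        return frame
    return frame[:12] + frame[16:]


class Port:
    def __init__(self, default_vid, members, tagged=()):
        self.default_vid = default_vid    # VID assigned to untagged ingress frames
        self.members = set(members)       # VLANs this port belongs to
        self.tagged = set(tagged)         # VLANs sent tagged (802.1Q neighbour); rest untagged


def forward(ports, ingress, frame):
    """Return {egress_port: frame_to_send} for a frame received on `ingress`.
    Ingress filtering drops tagged frames for VLANs the ingress port is not in."""
    _dst, _src, vid, _ = parse_frame(frame)
    if vid is None:
        vid = ports[ingress].default_vid
    elif vid not in ports[ingress].members:
        return {}
    untagged = strip_tag(frame)
    out = {}
    for num, port in ports.items():
        if num == ingress or vid not in port.members:
            continue                      # never flood into another VLAN
        out[num] = add_tag(untagged, vid) if vid in port.tagged else untagged
    return out


# Constructed topology: PCs on ports 9 and 11 (VLAN 10, untagged), a printer on
# port 12 (VLAN 1 only), and an 802.1Q trunk to another switch on port 16.
PORTS = {
    9: Port(10, {10}),
    11: Port(10, {10}),
    12: Port(1, {1}),
    16: Port(1, {1, 10, 20}, tagged={10, 20}),
}

BCAST = make_frame(b"\xff" * 6, bytes.fromhex("0200c0ffee09"), 0x0806, b"\x00" * 28)


def demo():
    """An untagged broadcast from the PC on port 9 reaches port 11 untagged and the
    trunk tagged with VID 10; the printer on VLAN 1 never sees it."""
    return forward(PORTS, 9, BCAST)


if __name__ == "__main__":
    for port, out in demo().items():
        print(port, "tagged" if parse_frame(out)[2] else "untagged", out.hex())
```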
Private VLANs
Private VLANs are VLANs which are private to a given switch in a network. For the Magnum 6K
family of switches, Private VLANs are restricted to a single switch only. Private VLANs
are implemented on the Magnum 6K family of switches using Port based VLANs.
The reasons Private VLANs are constructed are for security. For example, if some confidential
data were residing on VLAN 5, then only the people connected to that switch on VLAN 5 can
have access to that information. No one else can access that VLAN. Similarly, if another
switch had video surveillance equipment on VLAN 20 then only ports with access to VLAN
20 can have access to the video surveillance information.
Finally, one port can belong to multiple VLANs, so depending on the function and use,
different VLAN information can be shared across a port. Such a port is said to be in
promiscuous mode for private VLANs.
Either Port VLANs or Tag VLANs can be active at any given time on a switch.
Only the default VLAN (VLAN id = 1) is active as a Tag VLAN as well as a
Port VLAN.
For VLAN configuration use the Configuration → VLAN menu items as shown below.
Since Port VLANs are rarely used, this documentation will cover Tag VLANs. To set the VLAN type,
use the menu Configuration → VLAN → Set Type. The VLAN type can also be set from
Administration → Set VLAN Type.
FIGURE 83 – Setting the VLAN type – by default no VLANs are active. To set the VLAN type, the menu can
be accessed from Configuration → VLAN or from the Administration → Set VLAN Type menu
The next step is to define the VLANs needed. To do that, click on the Configuration → VLAN → Tag-Based
menu item as shown below and then click on the Add button.
Now add the necessary VLANs. In the example below, add the VLANs in the following manner
The VLANs are added and the results are shown below.
FIGURE 85 – Adding a new VLAN and defining ports belonging to the VLAN
After adding the ports and defining the VLAN, click OK.
FIGURE 86 – After the VLANs and the Ports associated with VLANs are defined, next step is to define the
port setting and enable tagging on the necessary ports. This is done by clicking on Port settings as shown above.
FIGURE 87 – Enable the tagging for each port belonging to VLAN 10. Note that the Default VLAN can also be
changed for these ports using the menu shown above. Also note how only the selected values are sent to MNS-6K for
the change in configuration. In the example above, only VLAN 10 being set as Tagged is sent as a configuration
parameter to MNS-6K
FIGURE 88 – After the Tag information is added, the information is displayed on the screen. Note the Tagged
Column – the information is changed for VLAN 10 to “Yes”. Repeat the process for other VLANs.
Repeat the last two steps for each of the ports and each of the VLANs (click on Port settings and
enable the Tag on the port). After all the ports are tagged, the Tagged column should show “Yes”
for all the VLANs that were updated.
To check the status of the tagging, the Configuration → VLAN → Tag-Based → Tagging menu is
used as shown below.
FIGURE 89 – The status of the VLANs can be viewed from the Tagging menu. Note at this stage, the
VLANs are all still pending as the VLANs have not been activated yet. Also note how one port belongs to
multiple VLANs
To activate the VLANs, go to Configuration → VLAN → Tag-Based → Settings and click on the
Status button as shown in the two figures below.
FIGURE 90 – Activating a VLAN – click on the Status button to view/modify the status of the VLANs
FIGURE 91 – Select the VLANs to activate. In this example we activate all the VLANs
FIGURE 92 – After activating the VLANs, note that the ports move out of the default VLAN to the specific
VLAN they were assigned to. If the ports need to belong to the default VLAN, they have to be added to the default
VLAN explicitly. Also note that one port belongs to multiple VLANs and all VLAN statuses have been changed
to Active
Notice in the figure above (as well as in the figures shown below) that before the VLANs were activated,
ports 9-16 belonged to the Default VLAN (VLAN 1). After the VLANs are activated, the default VLAN
is deleted from the ports belonging to other VLANs. This is the correct behavior.
To add all the ports to the default VLAN, we can edit the default VLAN definition and add the
necessary ports to the default VLAN.
FIGURE 93 – Adding the ports back to the Default VLAN – edit the default VLAN and add the ports to the default VLAN
FIGURE 94 – After activation, note that ports 9-13 belong to the new VLANs. After adding the ports
back to the default VLAN, the results are shown above. Each port can join or leave a VLAN membership
by clicking on Join & Leave as shown above
To add or delete specific ports from a VLAN, click on Join & Leave button and specify the action. In
the example below, we will take port 11 and assign it to leave VLAN 10. After the action is completed,
note that port 11 will belong to VLAN 1 only.
FIGURE 96 – After Port 11 is removed from VLAN 10, the new status reflects the change. Note – if ports 12
and 13 are not tagged (from the Port Settings menu) the Tagged Column will reflect that fact as well
One other way to view the overall VLAN status is to look at the Configuration → Port Settings menu.
FIGURE 97 – VLAN Status is also shown at a glance from the settings menu as shown above
FIGURE 98 – Once the Tag VLANs are active, the Port VLANs are in the Pending stage. Also note the
VLAN definitions of the Port VLANs and Tag VLANs are different.
To delete a VLAN, click on the delete icon. You will be prompted whether or not to delete the
VLAN in order to prevent an accidental delete.
At this time, since the Tag VLAN is active, the Port VLAN is inactive and all ports belong to the
Default Port VLAN. When Filtering is enabled, packets can only be routed from one specified VLAN
to another.
3. There can only be one default VLAN for the switch. The default is set to VLAN 1 and
can be changed to another VLAN. A word of caution on changing the default VLAN as
well: there can be repercussions on management as well as multicast and other issues
4. Tag VLANs support VLAN ids from 1 to 4096. VLAN ids above 2048 are reserved
for specific purposes and it is recommended they not be used
5. The default VLAN can be changed. GarrettCom Inc. recommends that the administrator be
cautious of the connectivity repercussions before changing the default VLAN.
FIGURE 99 – Enabling the filter capability for each port. Note – the information for the default ID and the filter
status is sent. The tagging control information is not changed as the check box is not checked.
After the filter is activated, the filter settings can be viewed by looking at Configuration → VLAN →
Tag-Based → Tagging
FIGURE 100 – After filtering is activated on ports 15 and 16, the Filter menu shows the status
On the Magnum 6K family of switches, the Port VLANs are not active by
default. To use Port VLANs, enable Port VLANs first.
The first step is to define the VLANs and which ports are members of each VLAN. In this
example, we will assume the following:
Step 1 – Define the VLAN Type to be a Port VLAN. This is shown below.
If Tag VLANs are active, you will have to stop the Tag VLANs before Port VLANs
are enabled. This is done by selecting the Configuration → VLAN → Tag-Based →
Settings menu and then clicking on the Status button.
FIGURE 103 – Add the VLANs and the ports belonging to the specific VLANs
After all the VLANs are added, the screen will look as shown below.
FIGURE 104 – After adding all the necessary VLANs. The information can be edited or deleted at any time
from this screen as well. To activate the VLANs, click on the Status button.
To activate the VLANs, click on the Status button as shown above and then select All for VLAN
Id and select Start for VLAN Status as shown below. Click OK to activate the VLANs.
After the VLANs are activated, the screen as shown below appears. Note that the ports that belong to
other VLANs are moved from the default VLAN to the VLANs that they belong to. Also note that the
Status changes to Active from Pending.
FIGURE 106 – After the Port VLANs are activated, note the ports are moved from the default VLAN to the
VLANs assigned to the ports. Also note the Status changes to Active. To add the Default VLAN to all ports,
simply click the edit icon next to the Default VLAN entry above.
Final step – save the configuration changes by using the save icon.
Chapter 10 – Spanning Tree
Create and manage alternate paths to the network
Spanning Tree Protocol was designed to avoid loops in an Ethernet network. An Ethernet
network using switches can have redundant paths – this may however cause loops. To
prevent the loops MNS-6K software uses spanning tree protocol. As a manager of the
MNS-6K software, controlling the link or trunk over which the traffic traverses is
necessary. It is also necessary to specify the parameters of STP. STP is available as the IEEE
802.1d protocol and is a standard of the IEEE. Rapid Spanning Tree Protocol (RSTP), like STP,
was designed to avoid loops in an Ethernet network. RSTP (IEEE 802.1w) is an evolution of
the Spanning Tree Protocol (STP) (802.1d standard) and provides for faster spanning tree
convergence after a topology change.
The switch uses the IEEE 802.1d Spanning Tree Protocol (STP). When STP is enabled, it
ensures that only one path at a time is active between any two nodes on the network. In
networks where more than one physical path exists between two nodes, STP ensures only a
single path is active by blocking all redundant paths. Enabling STP is necessary to avoid
loops and duplicate messages. This duplication leads to a “broadcast storm” or other erratic
behavior that can bring down the network.
The switch automatically senses port identity and type, and automatically defines port cost
and priority for each type. The MNS-6K software allows a manager to adjust the cost,
priority, the mode for each port as well as the global STP parameter values for the switch.
While allowing only one active path through a network at any time, STP retains any
redundant physical path to serve as a backup (blocked) path in case the existing active path
fails. Thus, if an active path fails, STP automatically activates (unblocks) an available
backup to serve as the new active path for as long as the original active path is down.
The table below lists the default values of the STP variables.
RSTP Concepts
The IEEE 802.1d Spanning Tree Protocol (STP) was developed to allow the construction of
robust networks that incorporate redundancy while pruning the active topology of the
network to prevent loops. While STP is effective, it requires that frame transfer must halt
after a link outage until all bridges in the network are sure to be aware of the new topology.
Using STP (IEEE 802.1d) recommended values, this period lasts 30 seconds.
Rapid Spanning Tree Protocol (IEEE 802.1w) is a further evolution of the 802.1d
Spanning Tree Protocol. It replaces the settling period with an active handshake between
switches (bridges) that guarantees topology information to be rapidly propagated through
the network. RSTP converges in less than one second. RSTP also offers a number of
other significant innovations. These include
• Topology changes in STP must be passed to the root bridge before they can be
propagated to the network. Topology changes in RSTP can be originated from
and acted upon by any designated switch (bridge), leading to more rapid
propagation of address information
• STP recognizes one state - blocking for ports that should not forward any data or
information. RSTP explicitly recognizes two states or blocking roles - alternate and
backup port including them in computations of when to learn and forward and
when to block
• STP relays configuration messages received on the root port going out of its
designated ports. If an STP switch (bridge) fails to receive a message from its
neighbor it cannot be sure where along the path to the root a failure occurred.
RSTP switches (bridges) generate their own configuration messages, even if they
fail to receive one from the root bridge. This leads to quicker failure detection
• RSTP offers edge port recognition, allowing ports at the edge of the network to
forward frames immediately after activation while at the same time protecting
them against loops
• An improvement in RSTP allows configuration messages to age more quickly
preventing them from “going around in circles” in the event of a loop
RSTP has three states. They are discarding, learning and forwarding.
The discarding state is entered when the port is first taken into service. The port does not
learn addresses in this state and does not participate in frame transfer. The port looks for
STP traffic in order to determine its role in the network. When it is determined that the
port will play an active part in the network, the state will change to learning. The learning
state is entered when the port is preparing to play an active member of the network. The
port learns addresses in this state but does not participate in frame transfer. In a network
of RSTP switches (bridges) the time spent in this state is usually quite short. RSTP
switches (bridges) operating in STP compatibility mode will spend between 6 to 40
seconds in this state. After ‘learning’ the bridge will place the port in the forwarding state.
While in this state the port does both - learns addresses and participates in frame transfer.
The result of these enhanced states is that the IEEE 802.1d version of spanning tree
(STP) can take a fairly long time to resolve all the possible paths and to select the most
efficient path through the network. The IEEE 802.1w Rapid reconfiguration of Spanning
Tree significantly reduces the amount of time it takes to establish the network path. The
result is reduced network downtime and improved network robustness. In addition to
faster network reconfiguration, RSTP also implements greater ranges for port path costs
to accommodate the higher connection speeds that are being implemented.
Even though RSTP interoperates with STP, RSTP is much more efficient at establishing the
network path, and the network convergence in case of a failure is very fast. For this reason,
GarrettCom recommends that all your network devices be updated to support RSTP. RSTP
offers convergence times typically of less than one second. However, to make best use of RSTP
and achieve the fastest possible convergence times there are some changes that you should make
to the RSTP default configuration.
Configuring STP/RSTP
To setup and configure RSTP use the Configure RSTP menus. In setting up RSTP or STP, it is
advised that the system defaults are used for weights etc. Only when specific ports need to be the
active link, should the default values change for that port.
To set the Spanning Tree to be STP or RSTP – use the Administration Set STP Type menu
as shown below.
FIGURE 108 – Setting the STP type – choose RSTP or STP. Note – depending on the choice, the Menu under
Configuration will change to reflect the choice made
Depending on the selection made for the Spanning Tree type, the Menu under configuration will
change as shown below.
FIGURE 109 – Note the menus change depending on whether STP or RSTP is selected. The cursor is placed close to the
changes in the above screen captures
After the proper selection (RSTP/STP) is made, the necessary capabilities can be configured as
shown below.
FIGURE 110 – Configuring RSTP. RSTP or STP is disabled. Designated root is set to zero as RSTP is
disabled
Designated Root: shows the MAC address of the bridge in the network elected or
designated as the root bridge. Normally when STP is not enabled the switch designates
itself as the root switch
Root Path Cost: a path cost is assigned to individual ports for the switch to determine
which ports are the forwarding points. A higher cost means more loops; a lower cost
means fewer loops. More loops equal more traffic and a tree which takes a long time to
converge – resulting in a slower system
Root Port: indicates the port number, which is elected as the root port of the switch. A
root port of “0” indicates STP is disabled
Bridge ID: indicates the MAC address of the current bridge over which traffic will flow
Bridge Priority: specifies the switch (bridge) priority value. This value is used along with
the switch MAC address to determine which switch in the network is the root device.
Lower values mean higher priority. Value ranges from 0 to 65535. Default value is 32768
Bridge Hello Time: when the switch is the root device, this is the time between messages
being transmitted. The value is from 1 to 10 seconds. Default value is 2 seconds
Bridge Forward Delay: indicates the time duration the switch will wait from listening to
learning states and from learning to forwarding states. The value ranges from 4 to 30
seconds. Default value is 15
Bridge Max Age: this is the maximum time a message with STP information is allowed
by the switch before the switch discards the information and updates the address table
again. Value ranges from 6 to 40 seconds with default value of 20 seconds
Hold Time: is the minimum time period to elapse between the transmissions of
configuration BPDUs through a given LAN Port. At most one configuration BPDU shall
be transmitted in any Hold Time period. This parameter is a fixed parameter, with values
as specified in RSTP standard (3 seconds)
Topology Change: counter indicating the number of times topology has changed
Time since TC: indicates time that has elapsed since the last topology change. Use this in
conjunction with uptime on the Graphical Display (screen shown after a successful login)
to find the frequency of the topology changes
FIGURE 111 – Changing the RSTP or STP bridge parameters. Note on this screen you can select and enable
STP or RSTP
Under Protocol, select STP if there are legacy devices or other third party devices which do not
support RSTP. Otherwise it is recommended to enable RSTP. Once again, if you are not
familiar with the STP or RSTP parameter settings, it is best to use the default values displayed
above. Simply enable RSTP (or STP) and let the system default values prevail.
FIGURE 112 – After RSTP is enabled, the fields are updated – note specifically, “Status”, “Time since TC” and
“Designated Root”
Click on the edit icon to edit the values for a specific port.
Port#: indicates the port number. Value ranges from 01 to max number of ports in the
switch
Port Type: indicates the type of port and speed – TP indicates Twisted Pair
Port State: Forwarding implies traffic is forwarded onto the next switch or device
connected to the port. Disabled implies that the port may be turned off or the device
connected to it may be unplugged or turned off. Values can be Listening, Learning,
Forwarding, Blocking and Disabled.
Path Cost: this is the assigned port cost value used for the switch to determine the
forwarding points. Values range from 1 to 2000000. The lower the value, the lower the cost,
and hence the more preferred the route. The costs for different Ethernet speeds are shown below.
The Path cost in STP is compared to the path cost in RSTP.
Priority: STP uses this to determine which ports are used for forwarding. A lower
number means higher priority. Value ranges from 0 to 255. Default is 128
Edge Ports: RSTP offers edge port recognition, allowing ports at the edge of the network
to forward frames immediately after activation while at the same time protecting them
against loops
P2P Ports: set the “point-to-point” value to off on all ports that are connected to shared
LAN segments (i.e. connections to hubs). The default value is auto. P2P ports would
typically be end stations or computers on the network
STP or RSTP values can be changed for each port as shown below.
Migration is enabled for all ports connected to other devices such as hubs, bridges and switches
that are known to support IEEE 802.1d STP services but cannot support RSTP services.
Status is normally enabled – in certain cases the Status can be set to disabled to turn off RSTP or
STP on that port
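The election and path-cost rules described in the bridge and port parameters above can be checked offline. The following Python program is an added example; it is not part of this guide and not MNS-6K code. It models a constructed three-switch ring with the default Bridge Priority of 32768 and constructed MAC addresses, uses the IEEE 802.1w recommended path costs (an assumption, since the guide's cost table is not reproduced here) and computes which switch is elected root, each switch's Root Path Cost and which single port ends up in the blocking (alternate) role. Lowering one switch's priority moves the root and the blocked port, which is what the Bridge Priority parameter is for.

```python
"""Simplified IEEE 802.1D/802.1w spanning-tree role computation for a ring of
switches. Added example (not Magnum 6K / MNS-6K code): it reproduces the rules
the guide states, that the lowest Bridge Priority, then the lowest MAC, wins
the root election, and that the lowest Path Cost wins the route, on a
constructed three-switch ring."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Recommended port path costs from IEEE 802.1w (assumption: the guide refers
# to a cost table that is not reproduced on the page; these are the standard
# values, which fit the 1..2000000 Path Cost range the guide gives).
PATH_COST = {"10Mb": 2_000_000, "100Mb": 200_000, "Gb": 20_000}

# Bridge ID = (Bridge Priority, MAC). Python tuple ordering gives "lower wins".
BridgeId = Tuple[int, str]


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    speed: str  # key into PATH_COST


def compute_roles(bridges: Dict[str, BridgeId], links: List[Link]) -> Dict[str, object]:
    """Return the root bridge, every bridge's Root Path Cost and every port's
    role: 'designated', 'root' or 'alternate' (alternate = blocking)."""
    root = min(bridges, key=bridges.__getitem__)

    # adjacency: switch -> [(neighbour, my_port, neighbour_port, link cost)]
    adj: Dict[str, List[Tuple[str, int, int, int]]] = {n: [] for n in bridges}
    for link in links:
        cost = PATH_COST[link.speed]
        adj[link.a].append((link.b, link.a_port, link.b_port, cost))
        adj[link.b].append((link.a, link.b_port, link.a_port, cost))

    # Root Path Cost = cheapest sum of link costs back to the root (Dijkstra).
    dist: Dict[str, int] = {root: 0}
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue
        for nbr, _, _, cost in adj[n]:
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))

    # Root Port: the port offering the lowest Root Path Cost; ties are broken by
    # the neighbour's Bridge ID, then the neighbour's port, then our own port.
    root_port: Dict[str, Optional[int]] = {root: None}
    for n in bridges:
        if n != root:
            best = min((dist[nbr] + cost, bridges[nbr], nbr_port, my_port)
                       for nbr, my_port, nbr_port, cost in adj[n])
            root_port[n] = best[3]

    # On each link the end with the lower (Root Path Cost, Bridge ID, port) is
    # Designated. The far end is either that bridge's Root Port or becomes
    # Alternate, i.e. blocked: this is the port that breaks the loop.
    roles: Dict[Tuple[str, int], str] = {}
    for link in links:
        ends = sorted([(dist[link.a], bridges[link.a], link.a_port, link.a),
                       (dist[link.b], bridges[link.b], link.b_port, link.b)])
        (_, _, d_port, d_name), (_, _, o_port, o_name) = ends
        roles[(d_name, d_port)] = "designated"
        roles[(o_name, o_port)] = "root" if root_port[o_name] == o_port else "alternate"
    return {"root": root, "root_path_cost": dist, "roles": roles}


def demo_ring(sw3_priority: int = 32768) -> Dict[str, object]:
    """Constructed three-switch ring with the guide's default Bridge Priority
    of 32768 on every switch, so the lowest MAC (SW1) is elected root and
    exactly one port ends up blocking. Lower sw3_priority to make SW3 root."""
    bridges = {
        "SW1": (32768, "00:20:06:00:00:01"),  # constructed MAC addresses
        "SW2": (32768, "00:20:06:00:00:02"),
        "SW3": (sw3_priority, "00:20:06:00:00:03"),
    }
    links = [
        Link("SW1", 1, "SW2", 1, "100Mb"),
        Link("SW2", 2, "SW3", 1, "100Mb"),
        Link("SW3", 2, "SW1", 2, "100Mb"),
    ]
    return compute_roles(bridges, links)


if __name__ == "__main__":
    for prio in (32768, 4096):
        result = demo_ring(prio)
        print(f"SW3 priority {prio}: root bridge = {result['root']}")
        for (sw, port), role in sorted(result["roles"].items()):
            print(f"  {sw} port {port}: {role:<10} root path cost {result['root_path_cost'][sw]}")
```

With all priorities equal, SW1 (lowest MAC) is root and SW3 port 1 blocks; with SW3 set to priority 4096, SW3 becomes root and the blocked port moves to SW2 port 1. This is the same tie-break order the guide gives (priority first, MAC second), which is why changing only the default priority on the switch you want as root is normally the one parameter worth touching.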
Chapter 11
S-Ring and RS-Ring use ring topology to provide fast recovery from faults. These are based
on industry standard STP and RSTP technologies. These technologies have been adapted to
ring recovery applications by GarrettCom Inc. and these rings are called S-Ring. In
addition, LLL enables a switch to rapidly re-learn MAC addresses in order to participate in
S-Ring configurations.
In the last two chapters we looked at how RSTP or STP can be used to bring resiliency to
a meshed network. This chapter’s focus is to look at ring topologies and how these
topologies can be used to provide faster recovery times than what STP or RSTP can offer.
Both RSTP and STP are industry standard protocols and can be used with networking
switches from different vendors.
LLL triggers action on the device supporting LLL when a connection is broken or there is
loss of the link signal on a ring port. LLL can be used with S-Ring on managed switches
such as the GarrettCom Magnum 6K family of switches. LLL can also be used on
managed switches such as Magnum 6K family of switches, MP62 as well as on unmanaged
switches such as ESD42 switches. Note that LLL can also be used with non-ring
topologies (such as mesh topologies) using RSTP or STP where it does the necessary
actions for fault recovery (such as re-learn addresses) in case of a link failure.
S-Ring is a ring technology using the GarrettCom MNS-6K software. In a S-Ring, a switch
is designated as a “Ring Manager”. Devices in a S-Ring can be managed switches such as
the Magnum 6K family of switches, non managed switches such as MP62 or ESD42 or
even hubs which leverages LLL. S-Ring is a licensed product from GarrettCom Inc.
GarrettCom Inc. also licenses this technology to other companies who are interested in
implementing the resiliency capabilities offered by S-Ring.
• The ring is made up of devices which are managed switches only from Magnum
6K family of switches
• Each of the switches in the ring topology are configured for RSTP
• The RS-Ring product license key is configured on each switch in the ring
In the Magnum 6K family of switches as well as in other unmanaged switches such as the
ESD42, a feature called Link-Loss-Learn™ (LLL) can be activated to immediately flush
its address buffer and relearn the MAC addresses that route packets around the fault. This
procedure, which is similar to switch initialization, occurs within milliseconds, resulting in
fast ring recovery. An S-Ring implementation watches for link-loss as well as for
STP/RSTP BPDU packet failures and responds to whichever occurs first. In most
instances the link-loss will be detected faster than the two-second interval at which the
BPDU packets are successfully passed around the ring. Typical ring recovery times using
S-Ring software and mP62 edge switches with the LLL feature enabled on the ring ports
is less than 250 milliseconds, even with 50 or more Magnum 6K family of switches in a
ring structure. Without LLL activation, the Magnum 6K family of switches address buffer
aging time (5 minutes default) could be the gating factor in ring recovery time. LLL is used
on S-Ring and helps speed up the ring recovery time.
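To show why the 5-minute aging time gates recovery without LLL, here is an added Python simulation; it is not MNS-6K code, and the poll/response traffic pattern, the single-switch view and the port numbers are constructed. A master polls a device once per second through a ring switch; the device answers only when polled, as a PLC or sensor would. After the fault the device is reachable through the other ring port. Without LLL the stale forwarding-table entry black-holes the polls until it ages out; with LLL the link-loss flushes the table and the next poll is flooded and answered.

```python
"""Constructed simulation of a switch forwarding table with and without
Link-Loss-Learn (LLL). Added example, not MNS-6K code: it shows why the
default 5-minute address aging gates ring recovery when LLL is off, and how
flushing the table on link loss lets the switch relearn immediately."""
from typing import Dict, Optional, Tuple

AGING_SECONDS = 300  # the guide's default address-buffer aging time (5 minutes)


class ForwardingTable:
    def __init__(self, lll_enabled: bool, aging: int = AGING_SECONDS):
        self.lll = lll_enabled
        self.aging = aging
        self.entries: Dict[str, Tuple[int, float]] = {}  # MAC -> (port, last seen)

    def learn(self, mac: str, port: int, now: float) -> None:
        """Source-address learning: a frame from `mac` arrived on `port`."""
        self.entries[mac] = (port, now)

    def lookup(self, mac: str, now: float) -> Optional[int]:
        """Port to forward to, or None to flood (unknown or aged-out address)."""
        hit = self.entries.get(mac)
        if hit is None:
            return None
        port, seen = hit
        if now - seen >= self.aging:
            del self.entries[mac]  # entry aged out
            return None
        return port

    def link_down(self, port: int) -> None:
        """Link loss on a ring port. With LLL the whole table is flushed (the
        guide: 'flush its address buffer and relearn'); without LLL the stale
        entries stay until they age out."""
        if self.lll:
            self.entries.clear()


def simulate_poll_loop(lll_enabled: bool, fault_at: int = 10, duration: int = 400) -> int:
    """Master polls device H1 once per second through the ring switch. H1 is
    behind port 1 until the fault, after which the ring re-routes it behind
    port 2. Returns the number of polls lost. (Constructed scenario.)"""
    table = ForwardingTable(lll_enabled)
    lost = 0
    for t in range(duration):
        reachable_port = 1 if t < fault_at else 2
        if t == fault_at:
            table.link_down(1)  # the ring fault is seen as link loss on port 1
        out_port = table.lookup("H1", t)
        if out_port is None or out_port == reachable_port:
            # Poll reaches H1 (flooded, or forwarded on the right port); the
            # reply's source MAC teaches the switch where H1 now lives.
            table.learn("H1", reachable_port, t)
        else:
            lost += 1  # black-holed onto the dead link
    return lost


if __name__ == "__main__":
    print("polls lost without LLL:", simulate_poll_loop(False))
    print("polls lost with LLL:   ", simulate_poll_loop(True))
```

Without LLL the last refresh of the stale entry happened one second before the fault, so polls are lost until the entry reaches the 300-second aging limit (299 lost polls); with LLL none are lost. Hosts that talk continuously would relearn sooner on their own, which is why the aging time only becomes the gating factor for quiet devices, a common case on polled industrial networks.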
S-Ring operates from specifically defined port pairs that participate in a ring-topology.
Multiple rings of different pairs on the same switch are also supported; however,
intersecting rings or a “ring of rings” or “overlapping rings” is not supported in the
current version. While S-Ring builds upon the foundation of RSTP or STP, S-Ring offers
an additional topology option to network architects. The two ends of a ring must be
connected to two ports in a Magnum 6K Switch that is enabled with the S-Ring software.
The end points of the ring provide an alternate path to reach the switch that has failed.
The in-out pairs of the ports to other devices in the ring have to be enabled with LLL.
Some items to be aware of with S-Ring are as follows:
1. The S-Ring feature is a separately licensed module for the MNS-6K software
package. This module must be enabled by means of a software key
2. Only one switch is the “Ring Master”. That switch has S-Ring Software authorized
(enabled) for that device. Thus only one license key is needed per ring (and not per
switch)
3. There can be multiple S-Rings on a given Magnum 6K switch. There can be
multiple ring topologies in a network. Each ring has to be a separate ring. Ring of
rings or overlapping rings are not supported at this time
4. S-Ring topologies support one failure in the network. A second failure may create
isolated network islands
5. At least one untagged VLAN must be available for the BPDUs to propagate
through the network to update RSTP/STP status
6. S-Ring faults can be software signaled to alarm contacts.
RS-Ring concepts
RS-Ring is built upon networking software standards such as Rapid Spanning Tree
Protocol (RSTP) based on IEEE 802.1w. RS-Ring defines two ports on each switch
which participates in the ring topology and works with the RSTP tree structure. RS-Ring
requires RSTP to be configured across all switches and uses the underlying RSTP protocol
to provide simplicity in configuration as well as rapid recovery in the RS-Ring topology.
The recovery times for RS-Ring based networks are within milliseconds. While the
recovery time for STP devices is in tens of seconds (typically 30 seconds in most
networks) or sub second to a few seconds for RSTP networks, RS-Ring offers recovery
times typically in less than 100 milliseconds. The biggest advantage of RS-Ring, besides
the fast recovery time, is the defined topology which makes the network manageable. RS-
Ring is configured on Magnum 6K family of switches and requires RSTP to be enabled on
all switches participating in the RS-Ring. RS-Ring cannot be used in a multi-vendor
environment.
RS-Ring operates from specifically defined port pairs that participate in a ring-topology.
Each of the two ends of a ring must be connected to two ports in a Magnum 6K Switch
that is enabled with the RS-Ring software. The end points of the ring provide an alternate
path to reach the switch that has failed. Some items for using RS-Ring are as follows:
1. Faster recovery times than S-Ring or RSTP are needed by the network
2. The RS-Ring feature is a separately licensed module for the MNS-6K software
package. This module must be enabled by means of a software key.
3. The same key can be used for either S-Ring or RS-Ring
4. The same license key needs to be configured for each switch on the ring and RS-
Ring capability has to be enabled on all switches (and hence all the devices in the
ring have to be managed Magnum 6K switches)
5. RS-Ring topologies support one failure in the network. The second failure may
create isolated network islands
6. RSTP has to be enabled on all Magnum 6K switches in the ring
7. At least one untagged VLAN must be available for the BPDUs to propagate
through the network to update RSTP status.
Note – It is technically possible to have S-Ring and RS-Ring on the same Magnum 6K Switch. GarrettCom Inc. does not recommend
nor support such configurations.
[Figure 116 labels: BPDU Traffic, Forwarding Port, Blocking Port]
FIGURE 116 – Normal RSTP/STP operations in a series of switches. Note – this normal status is designated
RING_CLOSED
This normal status is designated as RING_CLOSED. Operations will continue this way
indefinitely until a fault occurs.
A fault anywhere in the ring will interrupt the flow of standard RSTP/STP status-checking BPDU
packets, and will signal to RSTP/STP that a fault has occurred. According to the standard
RSTP/STP defined sequence, protocol packets are then sent out, gathered up and analyzed to
enable RSTP/STP to calculate how to re-configure the LAN to recover from the fault. After the
standard RSTP/STP reconfiguration time period (typically 20 to 30 seconds), the RSTP/STP
analysis concludes that recovery is achieved by changing the blocking port of the ring port-pair to
the forwarding state.
[Figure 117 labels: Traffic, BPDU, Forwarding Port, Forwarding Port, X BPDU]
FIGURE 117 – A fault in the ring interrupts traffic. The blocking port now becomes forwarding so that traffic can
reach all switches in the network. Note – the mP62 as well as the ESD42 switches support LLL and can
participate in S-Ring as an access switch
When this change is made by RSTP/STP and both of the ring manager switch’s ring ports are
forwarding, the fault is effectively bypassed and there is a path for all LAN traffic to be handled
properly. This abnormal status is designated RING_OPEN, and may continue indefinitely, until
the ring fault is repaired. At that time, RSTP/STP will change one of the ring control ports to be a
blocking port again. This recovery operation may take thirty seconds to a few minutes, depending
on the number of switches and other RSTP/STP parameters in operation.
The Magnum 6K family of switches, running MNS-6K software, offer users the choice of
selecting S-Ring when RSTP or STP is configured and in use. For the S-Ring, the user must select
two ports of one 6K switch to operate as a pair in support of each Ethernet ring, and attach to the
two “ends” of each ring as it comes together at the ring control switch.
[Figure 118 labels: Ring 1, Ring 2]
FIGURE 118 – More than one S-Ring pair can be selected and more than one S-Ring can be defined per switch.
Note – the mP62 as well as the ESD42 switches support LLL and can participate in S-Ring as an access
switch
More than one S-Ring port-pair may be selected per ring control switch. Each port-pair will have
its own separate attached ring, and each port-pair operates on faults independently. The port-pairs
may be of any media type, and the media type does not have to be the same for the pair. With the
Magnum 6K family of switches, a port operating at any speed (10Mb, 100Mb, Gb) may be
designated as part of an S-Ring port-pair (or RS-Ring port pair) ensuring proper Ethernet
configuration of the ring elements.
After selecting a port-pair for a ring, the manager or administrator enables S-Ring on the selected
port-pairs via S-Ring software commands. One command (enable / disable) turns S-Ring on and
off. Another command adds / deletes port-pairs. Other commands provide for status reporting
on the ring. The MNS-6K software package provides for remote operation, access security, event
logs, and other industry-standard managed network capabilities suitable for industrial applications
requiring redundancy.
When S-Ring is enabled for a port-pair, fault detection and recovery are armed for the associated
ring. The standard RSTP/STP functions are performed by the Magnum 6K family of switches for
other ports in the same manner as they would be without S-Ring enabled, when operating in the
RING_CLOSED state. During this state, RS-Ring or S-Ring is also watching the flow of the
BPDU packets that move around the ring between the designated port-pair.
The extra capability of S-Ring comes into play when a fault occurs. When the flow of BPDU
packets around the ring is interrupted (or when Link-Loss is sensed on one of the ports of the
ring port-pair by S-Ring), S-Ring quickly acts to change the blocking port’s state to forwarding.
No waiting for STP analysis. No waiting for RSTP analysis. No checking for other possible
events. No other ports to look at. No 30-second delay before taking action. S-Ring or RS-Ring
takes immediate corrective action for quick recovery from the fault in the ring. The ring becomes
two strings topologically, as shown above, and there is a path through the two strings for all
normal LAN traffic to move as needed to maintain LAN operations.
When the fault is cured, the re-emergence of the ring structure enables the BPDU packets to flow
again between the ring’s port-pair. This is recognized by S-Ring (and RSTP/STP) as well as by
RS-Ring (and RSTP), and one of the ports in the ring’s port-pair is changed to the blocking state.
S-Ring takes the recovery action immediately, not waiting for the 30-second STP analysis.
Rings are simple structures. Either one port of a pair is forwarding or both are. Not complicated;
not much to go wrong.
A Link-loss on one of the Magnum 6K Switch’s ring ports is an alternative trigger for S-Ring to
initiate fault recovery. The Link-loss trigger almost always comes quicker after a fault (a few
milliseconds) than the loss of a BPDU packet which is gated by the standard STP 2-second “hello
time” interval. So the Link-loss trigger will almost always provide faster fault detection and faster
recovery accordingly.
Configuring S-Ring
S-Ring is a licensed software feature from GarrettCom Inc. Before using the S-Ring capabilities;
authorize the use of the software with the license key. To obtain the license key, please contact
GarrettCom Inc. Sales (for purchasing the S-Ring feature) or Technical Support (to obtain the 12
character key.) If the S-Ring capability was purchased along with the switch, the software license
code will be included with the switch.
Syntax: authorize <module> key=<security key> – activate the S-Ring capabilities. Don’t forget to use
the “save” command to save the key
In the example below – STP is used to show how S-Ring is setup. S-Ring will
also work with RSTP. If RSTP is used, GarrettCom Inc. recommends using RS-
Ring instead.
One can use a telnet session to activate the S-Ring license as shown below.
Since S-Ring uses RSTP/STP, STP has to be activated and enabled. Some of the commands are
repeated here for clarity. Using S-Ring with multiple switches, it is recommended to do the
following:
1) On the switch which is the root node, authorize the use of S-Ring software
2) On the switch which is the root node or where the top of the ring ports are configured
enable RSTP (or STP)
3) On the root node do not enable LLL along with RSTP (or STP)
4) On all other switches (except the root node), disable RSTP (or STP)
5) On all other switches (except the root node), enable LLL for the ring ports
FIGURE 121 – Configure the switch for RSTP (or STP). In this example, RSTP is enabled
Once RSTP (or STP) is enabled, the next step is to go to the Root Node or the Ring Master and
designate the ports which make up the ring. The Root Node or the Ring Master is usually the
switch on which the S-Ring license key was authorized.
Initially no S-Ring is defined. As discussed earlier, an S-Ring has to have two ports defined. In case
there is already an S-Ring defined, it is best to start with the Learn option. Failing a Learn, the S-Ring
can be defined and added. To initiate the Learn, click on the Learn button shown in the figure
above.
FIGURE 122 – Adding S-Ring. Using the Learn function built in to MNS-6K to see if there are other members
participating in S-Ring
FIGURE 123 – Learning S-Ring defined or on the network. This learning takes a few minutes
After the learning is completed, the S-Ring information will be displayed or a warning window
shown to indicate that no S-Rings were found.
If there is no ring, this is a valid detection. Sometimes, the ring is not detected as the ports
connected to the rings may not have RSTP (or STP) enabled. To do that – follow the directions
below.
FIGURE 125 – If STP or RSTP is not enabled, S-Ring detection will fail. To fix that, enable RSTP or STP
first as shown. In some cases the S-Ring detection will fail as there is no S-Ring defined. In those situations, the
ports have to be added to define an S-Ring
FIGURE 126 – Defining Port 1 (Ingress) and Port 2 (Egress) ports for S-Ring
If no S-Ring is defined, the S-Ring can be added. As discussed earlier, multiple S-Rings can be
added to a switch using this process.
After the S-Ring is added, don’t forget to enable S-Ring as shown below.
FIGURE 127 – Ensure the status is set to enable after the S-Ring is added
After the S-Rings are defined, it is important to define the ports that are part of the S-Rings as having LLL
capabilities. If multiple switches are used as part of the S-Ring, this process has to be followed on
each switch. On each member switch, also ensure that STP is turned off. To use LLL, use the
Configuration RSTP Link Loss Learn menu as shown below.
It is important to add the ports connected to other devices to be enabled with LLL capabilities. For
example if ports 9,10,11 also were “trunk” ports (besides ports 13, 14 being S-Ring ports), add these
ports as LLL ports. To do that click on the Edit button shown above and select the ports as shown
below.
Once the proper ports are added, click on OK. The LLL menu will show the ports added as
shown in the figure below.
If the BPDU stream is broken, or it finds the Link-Loss-Learn signal, the system
will immediately force RSTP to put both ports in forwarding mode. Should that
happen, the ring status will be displayed as “OPEN”
If the ring sees BPDU packets not belonging to itself on any of the ports, it will
set the ring to “UNKNOWN” state, and stop all ring activity on that ring.
The ring activity has several timers and safeguards to prevent erroneous
operation. Ring faults are not expected to happen in quick succession. If the ring system sees a
sequence of changes lasting less than a second each, it will temporarily ignore the
signals and leave RSTP (or STP) to reconfigure the ring (network) using the normal IEEE 802.1d
algorithms.
With S-Ring it is also critical to set up and configure Link-Loss-Learn, as the S-Ring can then recover from
fault situations a lot faster.
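The ring-manager behaviour described above, as an added Python model; it is not MNS-6K code. It implements the RING_CLOSED, RING_OPEN and UNKNOWN states, the link-loss and broken-BPDU-stream triggers, the rule that foreign BPDUs stop ring activity, and the one-second debounce that hands rapid flapping back to RSTP. The BPDU timeout of three hello times, the way BPDUs carry a ring identifier, and the event timings in the scenario are assumptions; ports 13 and 14 are the S-Ring ports from the example above.

```python
"""Constructed model of the S-Ring ring-manager state machine. Added example,
not MNS-6K code: RING_CLOSED / RING_OPEN / UNKNOWN transitions, the link-loss
and BPDU-loss triggers, the foreign-BPDU rule and the one-second debounce
that leaves rapid flapping to RSTP. Timer values below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HELLO_TIME = 2.0                # the guide's STP hello time (seconds)
BPDU_TIMEOUT = 3 * HELLO_TIME   # assumption: three missed hellos = broken BPDU stream
DEBOUNCE = 1.0                  # the guide: changes under a second apart are ignored


@dataclass
class RingManager:
    ring_id: str
    port_in: int
    port_out: int
    state: str = "RING_CLOSED"
    last_bpdu: float = 0.0
    last_change: float = float("-inf")
    ignored: int = 0
    log: List[Tuple[float, str]] = field(default_factory=list)

    def port_states(self) -> Dict[int, str]:
        """Ring port states for the current ring state."""
        if self.state == "RING_CLOSED":
            return {self.port_in: "forwarding", self.port_out: "blocking"}
        if self.state == "RING_OPEN":
            return {self.port_in: "forwarding", self.port_out: "forwarding"}
        return {}  # UNKNOWN: ring activity stopped, RSTP alone decides

    def _transition(self, now: float, new_state: str, why: str) -> bool:
        if self.state == "UNKNOWN":
            return False  # ring activity is stopped
        if now - self.last_change < DEBOUNCE:
            # Flapping: ignore the signal and leave reconfiguration to RSTP/STP.
            self.ignored += 1
            self.log.append((now, f"ignored {why} (debounce)"))
            return False
        self.state = new_state
        self.last_change = now
        self.log.append((now, f"{new_state}: {why}"))
        return True

    def on_bpdu(self, now: float, ring_id: str) -> None:
        """A BPDU arrived on a ring port; ring_id is an assumed tag."""
        if ring_id != self.ring_id:
            # BPDUs not belonging to this ring: stop all ring activity.
            self.state = "UNKNOWN"
            self.log.append((now, f"UNKNOWN: foreign BPDU from {ring_id}"))
            return
        self.last_bpdu = now
        if self.state == "RING_OPEN":
            # Fault cured: BPDUs flow again, put one port back to blocking.
            self._transition(now, "RING_CLOSED", "BPDU flow restored")

    def on_link_loss(self, now: float, port: int) -> None:
        """Link-Loss on a ring port: the fast trigger, no wait for a missed BPDU."""
        if port in (self.port_in, self.port_out) and self.state == "RING_CLOSED":
            self._transition(now, "RING_OPEN", f"link loss on port {port}")

    def tick(self, now: float) -> None:
        """Periodic check: a silent BPDU stream also opens the ring."""
        if self.state == "RING_CLOSED" and now - self.last_bpdu > BPDU_TIMEOUT:
            self._transition(now, "RING_OPEN", "BPDU stream broken")


def scenario() -> RingManager:
    """Constructed timeline: healthy ring, a cut fibre detected by link loss,
    a flap 0.4 s later that is debounced, and a repair that closes the ring."""
    rm = RingManager(ring_id="ring-1", port_in=13, port_out=14)
    for i in range(5):
        rm.on_bpdu(HELLO_TIME * i, "ring-1")  # BPDUs at 0, 2, 4, 6, 8 s
    rm.tick(8.5)                               # within timeout, stays CLOSED
    rm.on_link_loss(9.1, 14)                   # -> RING_OPEN in milliseconds
    rm.on_bpdu(9.5, "ring-1")                  # would close again; debounced
    rm.on_bpdu(60.0, "ring-1")                 # repair: -> RING_CLOSED
    return rm


if __name__ == "__main__":
    rm = scenario()
    for when, what in rm.log:
        print(f"t={when:6.1f}s  {what}")
    print("final:", rm.state, rm.port_states())
```

The model keeps the two ring ports of the ring manager only; the other switches in the ring run plain RSTP (or STP) with LLL on the ring ports, as the configuration steps above require. The debounce counter is worth surfacing in monitoring: a ring that repeatedly falls back to RSTP reconfiguration is a sign of a flapping link rather than a clean fault.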
[Figure 131 labels: Ring 1, Ring 2]
FIGURE 131 – More than one RS-Ring cannot be defined per managed Magnum 6K switch. Note –
unmanaged switches cannot participate in RS-Ring.
The port-pairs may be of any media type, and the media type does not have to be the same for the
pair. With the Magnum 6K family of switches, a port operating at any speed (10Mb, 100Mb, Gb)
may be designated as part of an RS-Ring port pair, ensuring proper Ethernet configuration of the
ring elements.
After selecting a port-pair for a ring, the manager or administrator enables RS-Ring on the
selected port-pairs via RS-Ring software commands. One command (enable / disable) turns RS-Ring
on and off. Another command adds / deletes port-pairs. Other commands provide for
status reporting on the ring. The MNS-6K software package provides for remote operation,
access security, event logs, and other industry-standard managed network capabilities suitable for
industrial applications requiring redundancy.
When RS-Ring is enabled for a port-pair, fault detection and recovery are armed for the associated
ring. When operating in the RING_CLOSED state, the standard RSTP functions are performed by the
Magnum 6K family of switches for other ports in the same manner as they would be without RS-Ring
enabled. During this state, RS-Ring is also watching the flow of the BPDU packets
that move around the ring between the designated port-pair.
The extra capability of RS-Ring comes into play when a fault occurs. When the flow of BPDU
packets around the ring is interrupted RS-Ring quickly acts to change the blocking port’s state to
forwarding. No waiting for RSTP analysis. No checking for other possible events. No other ports
to look at. No 30-second delay before taking action. RS-Ring takes immediate corrective action
for quick recovery from the fault in the ring. The ring becomes two strings topologically, and
there is a path through the two strings for all normal LAN traffic to move as needed to maintain
LAN operations.
When the fault is cured, the re-emergence of the ring structure enables the BPDU packets to flow
again between the ring’s port-pair. This flow of packets may take as long as 6 seconds in most
situations. This is recognized by RS-Ring as well as by RSTP and one of the ports in the defined
ring port pair is changed to the blocking state. RS-Ring takes the recovery action immediately, not
waiting for the 30-second STP analysis.
Rings are simple structures. Either one port of a pair is forwarding or both are. Not complicated;
not much to go wrong.
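The fault handling described in the two passages above (both ports forced to forwarding when the BPDU stream breaks or Link-Loss-Learn fires, UNKNOWN on a foreign BPDU, and changes arriving in less than a second left to RSTP) can be followed as a small state machine. The model below is an added example written for this guide, not GarrettCom's MNS-6K firmware; the event names, the RingMonitor class and the one-second debounce constant are assumptions that follow the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RING_CLOSED, RING_OPEN, RING_UNKNOWN = "RING_CLOSED", "OPEN", "UNKNOWN"
DEBOUNCE_S = 1.0   # changes arriving faster than this are left to RSTP/STP (see text)


@dataclass
class RingMonitor:
    """Constructed model of one ring's port-pair; not MNS-6K code."""
    port_a: int
    port_b: int
    state: str = RING_CLOSED
    port_state: Dict[int, str] = field(default_factory=dict)
    last_change: float = -DEBOUNCE_S
    deferred_to_rstp: bool = False
    log: List[Tuple[float, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # healthy (closed) ring: one member of the pair forwards, the other blocks
        self.port_state = {self.port_a: "forwarding", self.port_b: "blocking"}

    def event(self, t: float, kind: str) -> str:
        """Feed one observed event at time t (seconds) and return the ring state.
        Assumed event names: bpdu_seen, bpdu_lost, lll, bpdu_restored, foreign_bpdu."""
        if self.state == RING_UNKNOWN or kind == "bpdu_seen":
            return self.state                    # keepalive, or ring activity already stopped
        if kind == "foreign_bpdu":               # BPDU that does not belong to this ring
            self.state = RING_UNKNOWN
            self.log.append((t, "foreign BPDU: ring set to UNKNOWN, activity stopped"))
            return self.state
        if t - self.last_change < DEBOUNCE_S:
            # a second change within a second: ignore it and let RSTP/STP reconfigure
            self.deferred_to_rstp = True
            self.last_change = t
            self.log.append((t, f"{kind} ignored, deferred to RSTP"))
            return self.state
        self.deferred_to_rstp = False
        self.last_change = t
        if kind in ("bpdu_lost", "lll"):
            # fault: both ring ports forced to forwarding at once, no 30 s STP wait
            for p in self.port_state:
                self.port_state[p] = "forwarding"
            self.state = RING_OPEN
        elif kind == "bpdu_restored":
            # BPDUs flow around the ring again: one port of the pair goes back to blocking
            self.port_state[self.port_b] = "blocking"
            self.state = RING_CLOSED
        self.log.append((t, f"{kind} -> {self.state}"))
        return self.state


def demo() -> List[str]:
    """Constructed fault sequence on ring ports 13 and 14."""
    m = RingMonitor(13, 14)
    seq = [(0.0, "bpdu_seen"), (2.0, "bpdu_lost"), (8.0, "bpdu_restored"),
           (8.3, "lll"), (12.0, "foreign_bpdu")]
    return [m.event(t, k) for t, k in seq]
```

Running demo() walks through a break, a repair about six seconds later (the BPDU re-flow time the text quotes), a flap 0.3 s after the repair that is ignored, and finally a foreign BPDU that stops ring activity. The log list records which events were honoured and which were deferred to RSTP, which is the information a practitioner wants when a ring reports OPEN or UNKNOWN unexpectedly.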
Configuring RS-Ring
RS-Ring is a licensed software feature from GarrettCom Inc. Before using the RS-Ring
capabilities, authorize the use of the software with the S-Ring license key. The same license key is
used for either S-Ring or RS-Ring. To obtain the license key, please contact GarrettCom Inc.
Sales (for purchasing the S-Ring feature) or Technical Support (to obtain the 12-character key). If
the S-Ring capability was purchased along with the switch, the software license code will be
included with the switch.
Since RS-Ring uses RSTP, RSTP has to be activated and enabled. Some of the commands are
repeated here for clarity. When using RS-Ring with multiple switches, it is recommended to do the
following:
1) On all switches in the ring topology, authorize the use of RS-Ring software
2) On all the switches in the ring, enable RSTP
3) On all the switches in the ring designate the ports which make the ring pair
4) Only the ports on the RS-Ring must be enabled with RS-Ring capability
5) DO NOT enable S-Ring and RS-Ring in a given ring at the same time.
6) Enable RS-Ring on each switch
Activate the RS-Ring license on each of the switches participating in the RS-Ring. Note that the same
license as S-Ring is used to activate RS-Ring. To activate RS-Ring, use the CLI command:
Syntax: authorize <module> key=<security key> - activates the RS-Ring (or S-Ring) capabilities.
Don’t forget to use the “save” command to save the key.
FIGURE 133 – Activating RS-Ring license – the same license as S-Ring is used to activate RS-Ring
FIGURE 134 – Configure the switch for RSTP (or STP). In this example, RSTP is enabled
Once RSTP is enabled, the next step is to enable RS-Ring on the necessary ports. Make sure S-Ring, if
any, is disabled on the switch as shown below.
Add the two ports which will participate in the RS-Ring as shown below
FIGURE 136 – Manually add the two ports which will participate in the RS-Ring
FIGURE 137 – Manually add the two ports which will participate in the RS-Ring. Click OK to add these ports
as members of RS-Ring
Check to see if LLL is active on the two member ports. If LLL is active on those ports, disable LLL on
those ports. In the example below, LLL is active on ports 13,14. Click on Edit and then turn off LLL
on the ports as shown below.
FIGURE 139 – To activate RS-Ring – use the enable drop down from the RS-Ring menu
Chapter 12 – Dual-Homing
Fault tolerance options for edge devices
Designing and implementing high-availability Ethernet LAN topologies in networks
can be challenging. Traditionally, the choices for redundancy for edge-of-network
devices were too limited, too expensive, and too complicated to be
considered in most networks. Redundancy at the edge of the network is greatly
simplified by using dual-homing.
Dual-Homing concepts
[Figure 140 legend: active link / standby link]
FIGURE 140 – Dual-homing using the ESD42 switch and Magnum 6K family of switches. In case of a connectivity
break – the connection switches to the standby path or standby link
In those situations where the end device is a PoE device (for example, a video surveillance
camera, as shown above) a Magnum 6K switch with MNS-6K can provide PoE to the end
devices as well as other advantages such as IGMP, managed configuration and more. To
provide the managed reliability to the end devices, dual-homing can be used with MNS-6K
devices.
[Figure 141 legend: PoE end device; active link / standby link]
FIGURE 141 – Dual-homing using Magnum 6K family of switches. Note the end device (video surveillance
camera) can be powered using PoE options on MNS-6K family of switches. In case of a connectivity break – the
connection switches to the standby path or standby link
Because it takes advantage of Ethernet standards, the dual-homing redundancy features of the
ESD42 as well as those for MNS-6K work with any brands or models of Ethernet switches
upstream. With MNS-6K, the user has to define the set of ports which make up the dual-home
ports.
[Figure 142 legend: PoE end device; active link / standby link]
FIGURE 142 – Using S-Ring, RS-Ring and dual-homing, it is possible to build networks resilient not only to a
single link failure but also to one device failing on the network
5 If dual-homing is not configured, there is a potential that a loop can be created, and either STP or RSTP will set up the port in the
active-standby mode. Dual-homing may not work if one of the dual-homed ports is in active standby. To avoid that situation, it is
recommended to configure dual-homing first.
• By default dual-homing is turned off – you have to enable it after the ports are defined
• Dual-homing ports can span different modules in a switch
Dual-Homing Modes
There are two modes in which dual-homing works. The first one is where the ports are
“equivalent”, i.e. if one port fails, the other one takes over; however, if the first (failed) port
recovers, the active port does not switch back.
The second mode of operation is primary-secondary mode. In this mode of operation, the
primary port and the secondary port are each explicitly defined. In the primary-secondary
mode of operation, if the primary fails, the secondary takes over. When the primary
recovers, the secondary switches back from the active state to the passive state and the primary port is
again the active port.
The primary-secondary mode of operation allows the network manager to determine on which
path the packets will flow (by default).
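The difference between the two modes is easiest to see by stepping a port pair through a failure and a recovery. The model below is an added example written for this guide, not MNS-6K code; the DualHome class, the port numbers and the choice of the first listed port as the initial active port in “equivalent” mode are assumptions (the guide only says the active port is shown with a check mark).

```python
from typing import Optional


class DualHome:
    """Constructed model of a dual-homed port pair (added example, not MNS-6K code)."""

    def __init__(self, port1: int, port2: int, primary_secondary: bool) -> None:
        self.ports = [port1, port2]
        self.primary_secondary = primary_secondary
        # in primary-secondary mode port1 is the explicitly defined primary (assumption)
        self.primary: Optional[int] = port1 if primary_secondary else None
        self.link_up = {port1: True, port2: True}
        self.enabled = False              # off by default; enable after the ports are defined
        self.active: Optional[int] = None

    def enable(self) -> Optional[int]:
        """Turn dual-homing on; returns the port that becomes active."""
        self.enabled = True
        # equivalent mode: the first listed port starts as active (assumption)
        self.active = self.primary if self.primary_secondary else self.ports[0]
        return self.active

    def standby(self) -> Optional[int]:
        return next((p for p in self.ports if p != self.active), None)

    def link_change(self, port: int, up: bool) -> Optional[int]:
        """Report a link up/down event; returns the port that is active afterwards."""
        self.link_up[port] = up
        if not self.enabled:
            return self.active
        other = self.standby()
        if not up and port == self.active and self.link_up[other]:
            self.active = other             # failover: both modes
        elif up and not self.link_up[self.active]:
            self.active = port              # active link is dead, take the recovered one
        elif up and self.primary_secondary and port == self.primary:
            self.active = self.primary      # failback: primary-secondary mode only
        return self.active
```

In “equivalent” mode the recovered port stays on standby, so after a flap the traffic path is wherever the last failure left it; in primary-secondary mode traffic returns to the primary, which is the property the text highlights for operators who want a predictable default path.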
Configuring Dual-Homing
The following steps can be used for configuring Dual-Homing.
FIGURE 143 – Dual-Homing configuration. Click on Edit, as shown above, to add dual-homing
Make sure the Ethernet cables are not plugged in as described above.
To add dual homing, click on the edit button. Before the dual homing ports are configured, SWM
will ask you to select the mode of operation for the dual homing.
FIGURE 144 – To select the Primary-backup mode, as discussed earlier, click on Yes. To select the “equivalent”
port modes, select No
FIGURE 145 – After selecting the ports for dual homing (maximum of 2 only), click OK. Make sure one port is
Primary and the other one is the Secondary port
After this, the screen shows the ports added. The next step is to enable dual homing as shown below.
FIGURE 147 – After activation, a check mark in the active column shows the active port and defines the type of
port as well
To delete the configuration, click on the “Delete” button. SWM will ask for confirmation; after clicking
OK, the configuration is deleted.
FIGURE 148 – Deleting the dual-homing configuration. Click OK to delete the configuration. Dual homing is disabled
after the deletion
To set the mode of dual-homing so that the dual home ports are “equivalent”, i.e. the non-active port,
once it becomes active, stays active, follow the steps below.
Select the ports for the dual homing and then click OK, as shown below
After selecting the port, enable dual-homing as shown earlier. Once dual-homing is enabled, the active
port has a check mark next to it as shown below.
FIGURE 152 – After enabling dual-homing the status of the active port is shown
Chapter 13 – Link aggregation
Link Aggregation Control Protocol (LACP) is part of an IEEE
specification (IEEE 802.3ad) that allows several physical ports to be grouped or bundled
together to form a single logical channel. This increases the throughput between two
devices and provides improved reliability.
LACP concepts
Failure of any one physical link will not impact the logical link defined using LACP. The
loss of a link within an aggregation reduces the available capacity, but the connection is
maintained and the data flow is not interrupted.
The performance is improved because the capacity of an aggregated link is higher than
each individual link alone. 10Mbps or 10/100Mbps or 100Mbps ports can be grouped
together to form one logical link.
Instead of adding new hardware to increase speed on a trunk – one can now use LACP to
incrementally increase the throughput in the network, preventing or deferring hardware
upgrades. Some known issues with LACP on the Magnum 6K family of switches are:
LACP Configuration
For LACP to work on the Magnum 6K family of switches, only one trunk per module can be
created. Some valid connections are shown in the picture below.
[Figure: two valid LACP connection schemes between Switch 1 and Switch 2, all trunk ports on one module]
Should trunks be created so as to span multiple modules, a “trunk mismatch” error message is
printed on the console. An example of an incorrect configuration is shown below.
[Figure 154: Switch 1 to Switch 2 trunk with ports spread over different modules]
FIGURE 154 – an incorrect LACP connection scheme for Magnum 6K family of switches. All LACP trunk
ports must be on the same module and cannot span different modules.
Another example is highlighted below where some ports belong to VLAN 10 (shown in red)
and other ports belong to VLAN 20 (shown in blue). If the port groups do not have a common
VLAN between them, LACP does not form a connection.
[Figure 155: Switch 1 ports in VLAN 10 and VLAN 20 trunked to Switch 2]
FIGURE 155 – In this figure, even though the connections are from one module to another, this is still not a valid
configuration (for LACP using 4 ports) as the trunk group belongs to two different VLANs.
However, on each switch the set of ports can belong to the same VLAN, as shown in the figure
below. While the ports on each switch belong to the same VLAN, there is no common VLAN between the
switches and hence the LACPDU cannot be transmitted. This configuration will not work in
the LACP mode.
[Figure 156: VLAN 10 on Switch 1 trunked to VLAN 20 on Switch 2]
FIGURE 156 - In the figure above, there is no common VLAN between the two sets of ports, so packets from one
VLAN to another cannot be forwarded. There should be at least one VLAN common between the two switches
and the LACP port groups.
[Figure 157: Switch 1 ports in VLAN 1,10 trunked to Switch 2 ports in VLAN 1,20]
FIGURE 157 – This configuration is similar to the previous configuration, except there is a common VLAN
(VLAN 1) between the two sets of LACP ports. This is a valid configuration.
[Figure 158: Switch 1, Switch 2 and Switch 3 connected in a mesh]
FIGURE 158 – In the architecture above, using RSTP and LACP allows multiple switches to be configured together in a
meshed redundant link architecture. First define the RSTP configuration on the switches. Then define the LACP ports.
Then finally connect the ports together to form the meshed redundant link topology as shown above
Using the Magnum edge switch with dual homing allows the edge devices to
have link level redundancy as well – bringing the fault tolerance from the
network to the edge.
[Figure 159: Switch 1, Switch 2 and Switch 3 forming the core; a dual-homed Magnum ESD42 edge switch connected below]
FIGURE 159 – LACP, along with RSTP/STP brings redundancy to the network core or backbone. Using this
reliable core with a dual homed edge switch brings reliability and redundancy to the edge of the network
Since S-Ring, RS-Ring and LACP use the same BPDUs (called LACPDUs), the architecture
shown below is not supported in this release.
[Figure: S-Ring 1 and S-Ring 2 joined by LACP trunks (unsupported architecture)]
LACP can be used for creating a reliable network between two facilities connected via a
wireless bridge. As shown in the figure below, four trunk ports are connected to four wireless
bridge pairs. This increases the effective throughput of the wireless connections and also
increases the reliability. If one of the bridges were to stop functioning, the other three will
continue to operate, providing a very reliable infrastructure.
[Figure 161: Facility 1 and Facility 2 linked by four pairs of wireless bridges (A)]
FIGURE 161 – Creating a reliable infrastructure using wireless bridges (between two facilities) and LACP. “A”
indicates a Wi-Fi wireless Bridge or other wireless Bridges.
Another definition worth noting is the primary port. The primary port is the port over
which specific traffic such as multicast (IGMP), unknown unicast and broadcast traffic is
transmitted. As shown by the add port command, the port with the lowest priority
value has the highest priority and is designated as the primary port. If traffic analysis is
required, it is recommended to mirror the primary port (and physically disconnect the
other ports if all traffic needs to be captured).
If multiple ports have the same priority, the first port physically connected becomes the
primary port. In case the ports are already connected, the port with the lowest port
number becomes the primary port, i.e. if ports 12, 13 and 14 are designated as the LACP
group, port 12 becomes the primary port.
If the primary port fails, the next available secondary port is designated as the primary
port. So in the example above, if port 12 fails, port 13 will be designated as the primary
port.
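The primary-port rules above (lowest priority value wins, ties go to the first port physically connected or else to the lowest port number, and a failed primary is replaced by the next available port) are written out below as an added example for this guide; it is not MNS-6K code, and the function names, port numbers and priority values are constructed.

```python
from typing import Dict, List, Optional


def select_primary(priority: Dict[int, int], link_up: Dict[int, bool],
                   connect_order: Optional[List[int]] = None) -> Optional[int]:
    """Pick the LACP primary port (constructed model of the rules in the text).
    priority:      port -> priority value; the lowest value has the highest priority.
    link_up:       port -> link state; a failed port can never be primary.
    connect_order: ports in the order their cables were plugged in. None or an
                   empty list means they were already connected, so ties go to
                   the lowest port number."""
    candidates = [p for p in priority if link_up.get(p, False)]
    if not candidates:
        return None
    best = min(priority[p] for p in candidates)
    tied = sorted(p for p in candidates if priority[p] == best)
    if len(tied) > 1 and connect_order:
        for p in connect_order:          # first physically connected port wins the tie
            if p in tied:
                return p
    return tied[0]                       # single winner, or lowest port number


def failover_sequence(priority: Dict[int, int], failures: List[int],
                      connect_order: Optional[List[int]] = None) -> List[Optional[int]]:
    """Primary port before any failure and after each successive link failure."""
    link_up = {p: True for p in priority}
    result = [select_primary(priority, link_up, connect_order)]
    for port in failures:
        link_up[port] = False
        result.append(select_primary(priority, link_up, connect_order))
    return result
```

Whatever select_primary returns is the port to mirror when the text's advice on traffic analysis is followed, since multicast, unknown unicast and broadcast traffic leave the trunk on that port.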
To configure LACP, first define the set of ports which make up the trunk. Next define
the set of trunks. In the example below, we will define ports 12, 13 as a set of ports for
the trunk.
For the LACP menu, use Configuration LACP Port as shown below.
Define ports 12 and 13 as the set of ports for the first trunk
FIGURE 164 – Add the ports which make up the trunk. The priorities will be automatically assigned – this field
can be left blank
The priorities can be changed to control which links the Ethernet traffic traverses.
FIGURE 165 – After the ports are added, the values can be edited if needed or the ports deleted using the edit or
delete icons on the menu
Once the ports are added, the trunk status is checked by viewing the Configuration LACP Trunk
menu as shown below.
One would expect the trunk status to display the trunk which was just added. However in this situation,
no trunk is displayed. Clicking on the Orphan Port(s) status, as shown above, will display the status of
the “orphan” ports or ports which are not members of any LACP trunks.
FIGURE 167 – The orphan status displays the reason why the ports were not members of the LACP trunk. The
link is down, i.e. the ports were not connected. Only after the other switch is configured with the proper LACP
settings should the RJ-45 cables be plugged in to enable LACP
Only after the other switch is configured with the proper LACP settings, the Ethernet cables
should be plugged into both the switches to enable LACP. After that is done, the Trunk menu
will display the LACP trunks which are active.
Chapter 14 – Quality of Service
Prioritize traffic in a network
Quality of Service (QoS) refers to the capability of a network to provide different
priorities to different types of traffic. Not all traffic in the network has the same
priority. Being able to differentiate between types of traffic and allowing higher-priority traffic to
accelerate through the network improves the overall performance of the network. It
also provides the quality of service demanded by different users and devices.
The primary goal of QoS is to provide priority, including dedicated bandwidth.
QoS Concepts
Most switches today implement buffers to queue incoming packets as well as outgoing
packets. In a queue mechanism, normally the packet which comes in first leaves first
(FIFO) and all packets are serviced in that order. Imagine if each packet had a priority
assigned to it. If a packet with a higher priority than the other packets were to arrive in a
queue, the packet would be given precedence, moved to the head of the queue and
sent out as soon as possible. The packet is thus preempted in the queue, and this
method is called preemptive queuing.
Preemptive queuing makes sense if there are several levels of priority, normally more
than two. If there are too many levels, then the system has to spend a lot of time
managing the preemptive nature of queuing. IEEE 802.1p defines and uses eight levels of
priority. The eight levels of priority are enumerated 0 to 7, with 0 the lowest priority and
7 the highest.
To make preemptive queuing possible, most switches implement at least two queue
buffers. The Magnum 6K family of switches has two priority queues, 1 (low) and 0
(high). When tagged packets enter a switch port, the switch responds by placing the packet
into one of the two queues, and depending on the precedence levels the queue could be
rearranged to meet the QoS requirements.
DiffServ is designed for use at the edge of an Enterprise where corporate traffic enters the service
provider environment. DiffServ is a layer-3 protocol and requires no specific layer-2 capability,
allowing it to be used in the LAN, MAN, and WAN. DiffServ works by tagging each packet (at
the originating device or an intermediate switch) for the requested level of service it requires
across the network.
[Figure: frame layout DMAC | SMAC | Protocol Type | IP Header (ToS) | Data | FCS]
DiffServ inserts a 6-bit DiffServ code point (DSCP) in the Type of Service (ToS) field of the IP
header, as shown in the picture above. Information in the DSCP allows nodes to determine the
Per Hop Behavior (PHB), which is an observable forwarding behavior for each packet. Per hop
behaviors are defined according to:
• Resources required (e.g., bandwidth, buffer size)
• Priority (based on application or business requirements)
• Traffic characteristics (e.g., delay, jitter, packet loss)
Nodes implement PHBs through buffer management and packet scheduling mechanisms. This
hop-by-hop allocation of resources is the basis by which DiffServ provides quality of service for
different types of communications traffic.
IP precedence
IP Precedence utilizes the three precedence bits in the IPv4 header's Type of Service (ToS) field
to specify class of service for each packet. You can partition traffic in up to eight classes of service
using IP precedence. The queuing technologies throughout the network can then use this signal to
provide the appropriate expedited handling.
[Figure 169: ToS byte in the IP header; its 3 most significant bits carry the IP precedence; Data + FCS follow]
FIGURE 169 - IP Precedence ToS Field in an IP Packet Header
The 3 most significant bits (correlating to binary settings 32, 64, and 128) of the Type of Service
(ToS) field in the IP header constitute the bits used for IP precedence. These bits are used to
provide a priority from 0 to 7 for the IP packet.
Because only 3 bits of the ToS byte are used for IP precedence, you need to differentiate these
bits from the rest of the ToS byte.
The Magnum 6K family of switches has the capability to provide QoS at Layer 2. At Layer 2, the
frame uses Type of Service (ToS) as specified in IEEE 802.1p. ToS uses 3 bits, just like IP
precedence, and maps well from Layer 2 to Layer 3, and vice versa.
The switches have the capability to differentiate frames based on ToS settings. With two queues
present - high or low priority queues or buffers in Magnum 6K family of switches, frames can be
placed in either queue and serviced via the weight set on all ports. This placement of queues -
added to the weight set plus the particular tag setting on a packet - allows each queue to have
different service levels.
Magnum QoS implementations provide mapping of ToS (or IP precedence) to Class of Service
(CoS). A CoS setting in an Ethernet Frame is mapped to the ToS byte of the IP packet, and vice
versa. A ToS level of 1 equals a CoS level of 1. This provides end-to-end priority for the traffic
flow when Magnum switches are deployed in the network.
Not all packets received on a port have high priority. IGMP and BPDU packets
have high priority by default
The Magnum 6K family of switches can set priorities based on three different
functions:
Port QoS: assigns a high priority to all packets received on a port, regardless of the type of
packet.
Tag QoS: if a packet contains a tag, the port on which the packet was received looks at the level
at which that tag value is set. Regardless of the tag value, if there is a tag, that packet is
automatically assigned high priority (sent to the high priority queue).
ToS QoS: (Layer 3) when a port is set to ToS QoS, the most significant 6 bits of the ToS byte of the IPv4
packet (giving 64 possible values) are used. If the 6 bits match the ToS QoS level set for the specific port on
which the packet arrived, that packet is assigned high priority by that port.
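The three classification functions, together with the bit layouts described earlier in this chapter (the 3-bit 802.1p priority in the VLAN tag, the 6-bit DSCP and the 3-bit IP precedence in the ToS byte) and the note that IGMP and BPDU packets are high priority by default, are combined below in one classifier. This is an added example written for this guide, not MNS-6K code: the frame bytes are constructed, the port modes are passed in as strings, the BPDU check uses the IEEE 802.1D bridge group address 01:80:c2:00:00:00, and the rule that a ToS QoS port matches on an exact DSCP value is this example's reading of the text.

```python
import struct
from typing import Dict, Optional

HIGH, LOW = 0, 1                               # Magnum queues: 0 = high, 1 = low
BPDU_DST = bytes.fromhex("0180c2000000")       # IEEE 802.1D bridge group address
IGMP_PROTO = 2                                 # IP protocol number of IGMP


def parse_frame(frame: bytes) -> Dict[str, Optional[int]]:
    """Extract 802.1p PCP (if tagged), DSCP and IP precedence (if IPv4), plus flags."""
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, pcp = 14, None
    if ethertype == 0x8100:                    # 802.1Q tag present
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp = tci >> 13                        # 3-bit priority code point, 0..7
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    info = {"pcp": pcp, "dscp": None, "precedence": None,
            "is_bpdu": dst == BPDU_DST, "is_igmp": False}
    if ethertype == 0x0800:                    # IPv4 header starts at `off`
        tos = frame[off + 1]
        info["dscp"] = tos >> 2                # 6 most significant bits of ToS byte
        info["precedence"] = tos >> 5          # 3 most significant bits (128, 64, 32)
        info["is_igmp"] = frame[off + 9] == IGMP_PROTO
    return info


def classify(frame: bytes, mode: str, tos_level: int = 0) -> int:
    """Queue for a frame received on a port configured as 'port', 'tag' or 'tos' QoS."""
    info = parse_frame(frame)
    if info["is_bpdu"] or info["is_igmp"]:
        return HIGH                            # control traffic is high by default
    if mode == "port":
        return HIGH                            # everything on this port is high
    if mode == "tag":
        return HIGH if info["pcp"] is not None else LOW   # any tag at all => high
    if mode == "tos":
        return HIGH if info["dscp"] == tos_level else LOW # assumed exact-match rule
    raise ValueError(f"unknown QoS mode {mode!r}")


def build_frame(tagged: bool, pcp: int, tos: int, proto: int = 17,
                dst: bytes = bytes.fromhex("020000000002")) -> bytes:
    """Construct a minimal Ethernet + IPv4 header (no payload) for testing."""
    hdr = dst + bytes.fromhex("020000000001")
    if tagged:
        hdr += struct.pack("!HH", 0x8100, (pcp << 13) | 1)   # VLAN 1, given PCP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + struct.pack("!H", 0x0800) + ip
```

A frame with ToS byte 0xB8 carries DSCP 46 and IP precedence 5, which shows the point made in the IP precedence section: the 3 precedence bits are simply the top 3 of the 6 DSCP bits, so a Layer 3 marking maps cleanly onto the 3-bit Layer 2 priority and back.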
Configuring QoS
Magnum 6K Switches support three types of QoS - Port based, Tag based and ToS based.
As mentioned previously, the switch is capable of detecting higher-priority packets marked with
precedence by the IP forwarder and can schedule them faster, providing superior response time
for this traffic. The IP Precedence field has values between 0 (the default) and 7. As the
precedence value increases, the algorithm allocates more bandwidth to that traffic to make sure
that it is served more quickly when congestion occurs. Magnum 6K family of switches can assign
a weight to each flow, which determines the transmit order for queued packets. In this scheme,
lower weights (set on all ports) are provided more service. IP precedence serves as a divisor to
this weighting factor. For instance, traffic with an IP Precedence field value of 7 gets a lower
weight than traffic with an IP Precedence field value of 3, and thus has priority in the transmit
order.
Once the port weight is set, the hardware interprets the weight setting for all ports as outlined
below, assuming the queues are sufficiently filled. (If there are no packets in the high
priority queue, for example, packets are serviced on a first come first served (FCFS) basis from the low
priority queue.)
Sometimes it is necessary to change the priority of the packets going out of a switch. For example,
when a packet is received untagged and has to be transmitted with an addition of the 802.1p
priority tag, the tag can be assigned depending on the untag value set. To access QoS settings, use
the Configuration QoS menus.
Select the Port and the type of QoS/ToS Settings. The next few figures show examples of them.
FIGURE 172 – Setting Port 14 for Port based QoS with a high priority. Note the sections on Tag and ToS are
ignored for Port settings
After the port QoS settings are completed, the changes are reflected on the QoS menu screen.
FIGURE 174 – Adding Tag based QoS on Port 13 – Note that only the menu area for Tag Setting is relevant
After the Tag QoS settings are completed, the changes are reflected on the QoS menu screen.
FIGURE 176 – Adding ToS for Port 12. Only the ToS Level Settings of the screen are relevant
FIGURE 177 – After ToS settings. Note the different types of settings are clear from this window. Port 14 has
Port based QoS, port 13 has Tag based QoS and finally port 12 is using ToS.
Finally, after all changes are made, do not forget to save the changes using the save icon.
Chapter 15 – IGMP
Multicast traffic on a network
Internet Group Management Protocol (IGMP) is defined in RFC 1112 as the standard for IP
multicasting in the Internet. It is used to establish host memberships in particular multicast
groups on a single network. The mechanisms of the protocol allow a host to inform its
local router, using Host Membership Reports, that it wants to receive messages addressed to
a specific multicast group. All hosts conforming to level 2 of the IP multicasting
specification require IGMP.
IGMP Concepts⁶
6 Most of the concepts are extracted from RFC 1112 and it is recommended that RFC 1112 be read and understood carefully if
The creation of transient groups and the maintenance of group membership information is the
responsibility of "multicast agents", entities that reside in internet gateways or other special-
purpose hosts. There is at least one multicast agent directly attached to every IP network or sub-
network that supports IP multicasting. A host requests the creation of new groups, and joins or
leaves existing groups, by exchanging messages with a neighboring agent.
The Internet Group Management Protocol (IGMP) is an internal protocol of the Internet
Protocol (IP) suite. IP manages multicast traffic by using switches, multicast routers, and hosts
that support IGMP. (In the MNS-6K implementation of IGMP, a multicast router is not
necessary as long as a switch is configured to support IGMP with the querier feature enabled.) A
set of hosts, routers, and/or switches that send or receive multicast data streams to or from the
same source(s) is termed a multicast group, and all devices in the group use the same multicast group
address. The multicast group running version 2 of IGMP uses three fundamental types of
messages to communicate:
• Query: A message sent from the querier (multicast router or switch) asking for a response from
each host belonging to the multicast group. If a multicast router supporting IGMP is not present,
then the switch must assume this function in order to elicit group membership information from
the hosts on the network. (If you need to disable the querier feature, you can do so through the
CLI, using the IGMP configuration MIB. See “Changing the Querier Configuration Setting” on
page “Configuring the Querier Function”)
• Report: A message sent by a host to the querier to indicate that the host wants to be or is a
member of a given group indicated in the report message
• Leave Group: A message sent by a host to the querier to indicate that the host has ceased to be a
member of a specific multicast group. Thus, IGMP identifies members of a multicast group
(within a subnet) and allows IGMP-configured hosts (and routers) to join or leave multicast groups
When IGMP is enabled on the Magnum 6K family of switches, it examines the IGMP packets it
receives:
• To learn which of its ports are linked to IGMP hosts and multicast routers/queriers belonging
to any multicast group
Once the switch learns the port location of the hosts belonging to any particular multicast group,
it can direct group traffic to only those ports, resulting in bandwidth savings on ports where
group members do not reside. The following example illustrates this operation.
• PCs 1 and 4, switch 2, and all of the routers are members of an IP multicast group. (The
routers operate as queriers.)
• Switch 1 ignores IGMP traffic and does not distinguish between IP multicast group members
and non-members. Thus, it is sending large amounts of unwanted multicast traffic out the
ports to PCs 2 and 3
• Switch 2 is recognizing IGMP traffic and learns that PC 4 is in the IP multicast group
receiving multicast data from the video server (PC X). Switch 2 then sends the multicast data
only to the port for PC 4, thus avoiding unwanted multicast traffic on the ports for PCs 5 and
6
The figure below shows a network running IP multicasting using IGMP without a multicast
router. In this case, the IGMP-configured switch runs as a querier. PCs 2, 5, and 6 are members
of the same IP multicast group. IGMP is configured on switches 3 and 4. Either of these switches
can operate as querier because a multicast router is not present on the network. (If an IGMP
switch does not detect a querier, it automatically assumes this role, assuming the querier feature is
enabled—the default—within IGMP.)
• In the above figure, the multicast group traffic does not go to switch 1 and beyond. This
is because either the port on switch 3 that connects to switch 1 has been configured as
blocked or there are no hosts connected to switch 1 or switch 2 that belong to the
multicast group
• For PC 1 to become a member of the same multicast group without flooding IP multicast
traffic on all ports of switches 1 and 2, IGMP must be configured on both switches 1 and
2, and the port on switch 3 that connects to switch 1 must be unblocked
IP Multicast Filters - IP multicast addresses occur in the range from 224.0.0.0 through
239.255.255.255 (which corresponds to the Ethernet multicast address range of 01005e-000000
through 01005e-7fffff in hexadecimal). On devices such as the Magnum 6K family of switches,
static Traffic/Security filters configured with a “Multicast” filter type and a “Multicast
Address” in this range remain in effect unless IGMP learns of a multicast group destination
in this range. In that case, IGMP takes over the filtering function for the multicast destination
address(es) for as long as the IGMP group is active. If the IGMP group subsequently deactivates,
the static filter resumes control over traffic to the multicast address formerly controlled by IGMP.
IGMP Support - The Magnum 6K family of switches supports IGMP version 1 and version 2. The
switch can act either as a querier or as a non-querier. The querier periodically sends general
query messages to solicit group membership information. Hosts on the network that are members
of a multicast group send report messages. When a host leaves a group, it sends a leave group
message. The difference between version 1 and version 2 is that version 1 has no “Leave”
mechanism for the host. The Magnum 6K family of switches prunes the multicast group membership
on a port when a leave message is received on that port or when the membership timer for that
port expires.
A switch with IGMP snooping initially behaves like a regular switch (the default IGMP
behavior): it forwards the multicast stream (packets) to all ports. If a device on any of the
ports then sends a join report, or the IGMP pruning action is invoked, the behavior changes: a
multicast group is formed in the switch, and the stream is sent only to those ports that actually
want to join the stream.
The default behavior of forwarding multicast streams to all ports can create problems when a
number of multicast streams enter the switch through a number of different ports. Each stream
goes to ALL OTHER ports and creates congestion in the switch.
IGMP-L2
IGMP requires a Layer 3 device in the network. What happens if your network has only Layer 2
devices? Can the Layer 2 devices take advantage of IGMP and reduce the overall traffic in the
network without requiring a Layer 3 device? Using GarrettCom IGMP-L2 (patent pending
technology), it is possible to do that.
The benefits of IGMP are clear. The traditional way of building an IGMP network calls for the
IGMP querier to reside on a Layer 3 network device, typically a router or a Layer 3 switch. The
end devices (encoders or transmitters) reside on a Layer 2 device, and the encoder sends a
query/join request to join the specific multicast group. The Magnum 6K family of switches, with
IGMP-L2 enabled, can propagate the query request and also make sure that the multicast
traffic only goes to the ports requesting the traffic. Using IGMP-L2, the Magnum 6K family of
switches can perform tasks similar to those a Layer 3 device performs for IGMP.
For a Layer 2 IGMP environment, all Magnum 6K family switches must have IGMP-L2 enabled.
This is done using the CLI command 'set igmp mode=l2', which is described later.
In a Layer 2 network without IGMP-L2, there is no querier, nor is there any capability for the
devices to use IGMP snooping to join a multicast group. Thus the traffic picture from a
multicast device would look as shown below.
[Figure 180: two multicast sources, T1 and T2, and six receivers, R1 through R6, on a Layer 2 network]
FIGURE 180 - In a Layer 2 network, IGMP multicast traffic goes to all the nodes. In the figure, T1, a
surveillance camera using multicast, sends its traffic to all the nodes, R1 through R6, irrespective of whether
they want to view the surveillance traffic or not. The traffic is compounded when additional cameras are added to
the network. The end result is that users R1 through R6 see the network as heavily loaded, and simple day-to-day
operations may appear sluggish.
With IGMP-L2 enabled on all Magnum 6K family switches, the situation shown above is
prevented. This is explained in the figure below.
[Figure 181: the same network with every switch in L2 Mode; (1) R4 sends a join request for T1's stream, (2) only R4 receives T1's traffic]
FIGURE 181 - Using IGMP-L2 on the Magnum 6K family of switches, a Layer 2 network can minimize multicast
traffic as shown above. Each switch has IGMP-L2 turned on. Each switch can exchange the IGMP query
message and respond properly. R4 wants to view surveillance traffic from T1. As shown by (1), a join request is
sent by R4. Once the join report information is exchanged, only R4 receives the video surveillance traffic, as shown
by (2). No other device on the network gets the video surveillance traffic unless it issues a join request as well.
Since the query and join information is exchanged between neighboring switches, the
topology does not matter. The design issue to consider is the timing difference between
topology recovery and IGMP refresh (recovery). GarrettCom Magnum 6K family switches
connected in an S-Ring or RS-Ring topology recover very rapidly (sub-second recovery). IGMP
requests for updates are sent out every few seconds (depending on the network and the
devices on the network). The recovery of the network from a fault is therefore much faster than
the IGMP age-out and join request. Thus, when the Magnum 6K switch network self-heals,
the video may freeze until the IGMP device reissues a join request.
• GarrettCom Magnum 6K family switches configured for IGMP-L2 can perform the
join aggregation required by IGMP
• Multicast forwarding is done based on MAC addresses, so datagrams to IP addresses
224.1.2.3 and 239.129.2.3 are forwarded on the same port groups. It is not possible to
do forwarding based on IP addresses, as the Magnum 6K family of switches operates at
Layer 2
• Magnum 6K family switches configured for IGMP-L2 are aware of the IP address range
224.0.0.x as well as the MAC address range 01:00:5e:00:00:xx, as required by RFC 4541
• Magnum 6K family switches configured for IGMP-L2 support forwarding to ports on
which multicast routers are attached, in addition to the ports where IGMP joins have
been received. Thus IGMP-L2 and IGMP-L3 networks can co-exist
• Magnum 6K family switches configured for IGMP-L2 are aware of topology changes,
so new queries can be sent or tables updated to ensure robustness
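The following added example (not GarrettCom code) models the forwarding behaviour described in the IP Multicast Filters note, the IGMP Support paragraph and the IGMP-L2 bullets above: per-port membership learned from Reports and pruned on Leave or timer expiry, forwarding keyed on the multicast MAC so that 224.1.2.3 and 239.129.2.3 share one entry, 224.0.0.x always flooded, and router ports always included. Port numbers, group addresses and the timeout value are constructed for the example and are not the switch's defaults.

```python
"""IGMP snooping forwarding model: an added example, not GarrettCom code.

Models what the guide describes for a Magnum 6K switch with IGMP enabled:
membership is learned per port from Reports, removed by a Leave or when the
port's membership timer expires, forwarding is keyed on the multicast MAC
(so 224.1.2.3 and 239.129.2.3 share one entry), 224.0.0.x is always
flooded (RFC 4541), and ports where a querier/multicast router was heard
always receive group traffic.  Port numbers, groups and the timeout value
are constructed for the example, not the switch's defaults.
"""
import ipaddress

MEMBERSHIP_TIMEOUT = 260  # seconds; constructed value for the example


def multicast_mac(group: str) -> str:
    """IPv4 multicast address -> Ethernet multicast MAC (RFC 1112).

    Only the low 23 bits of the address survive, so 32 IP groups collide on
    one MAC, and a Layer 2 switch forwards all of them to the same ports.
    """
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def is_link_local(group: str) -> bool:
    """224.0.0.0/24 (MAC 01:00:5e:00:00:xx) is never pruned by snooping."""
    return ipaddress.IPv4Address(group) in ipaddress.IPv4Network("224.0.0.0/24")


class SnoopingSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.members = {}       # multicast MAC -> {port: expiry_time}
        self.router_ports = {}  # port -> expiry_time (a query was heard here)

    def report(self, port, group, now):
        """Membership Report received on `port`: (re)start that port's timer."""
        self.members.setdefault(multicast_mac(group), {})[port] = now + MEMBERSHIP_TIMEOUT

    def leave(self, port, group):
        """Leave Group received: prune the port from the group right away."""
        mac = multicast_mac(group)
        self.members.get(mac, {}).pop(port, None)
        if not self.members.get(mac):
            self.members.pop(mac, None)   # group deactivated on this switch

    def query_seen(self, port, now):
        """A General Query arrived on `port`: a querier/router lives there."""
        self.router_ports[port] = now + MEMBERSHIP_TIMEOUT

    def age_out(self, now):
        """Expire memberships and router ports whose timers have run out."""
        for mac in list(self.members):
            live = {p: t for p, t in self.members[mac].items() if t > now}
            if live:
                self.members[mac] = live
            else:
                del self.members[mac]
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}

    def forward_ports(self, ingress, group):
        """Ports a frame for `group` arriving on `ingress` is sent out of.

        A group no host has joined is flooded as on a plain switch (the
        guide's "default IGMP behavior"); once a group exists it goes only
        to member ports plus router ports.
        """
        mac = multicast_mac(group)
        if is_link_local(group) or mac not in self.members:
            out = set(self.ports)
        else:
            out = set(self.members[mac]) | set(self.router_ports)
        out.discard(ingress)
        return sorted(out)


if __name__ == "__main__":
    # The guide's scenario: video server and querier behind port 1, PC 4 on port 4.
    sw = SnoopingSwitch(range(1, 7))
    sw.query_seen(1, now=0)
    print("before any join:", sw.forward_ports(1, "239.1.1.1"))   # flooded
    sw.report(4, "239.1.1.1", now=0)
    print("PC 4 joined:", sw.forward_ports(1, "239.1.1.1"))       # [4]
    sw.leave(4, "239.1.1.1")
    print("PC 4 left:", sw.forward_ports(1, "239.1.1.1"))         # flooded again
```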
Configuring IGMP
For configuring IGMP, use the Configuration IGMP menu.
The menu allows the IGMP parameters described earlier to be set. It also provides the necessary
information on IGMP groups and routers.
FIGURE 183 – Configuring IGMP parameters. This screen also enables and disables IGMP
Once the changes are made, they are reflected on the Configuration IGMP Information
screen. The Groups and Routers screen displays the IGMP Groups and IGMP Routers
information. All edits to IGMP are done through the Information screen only.
To set the switch to IGMP-L2 mode, use the Administration Set IGMP menu, as shown
below.
Finally, do not forget to save the changes made using the save icon.
Chapter 16 – GVRP
Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP)
Generic Attribute Registration Protocol (GARP) and VLAN registration over GARP is
called GVRP. GVRP is defined in the IEEE 802.1q and GARP in the IEEE 802.1p
standards. In order to utilize the capabilities of GVRP, GarrettCom Inc. strongly
recommends that the user be familiar with the concepts and capabilities of IEEE
802.1q.
GVRP Concepts
GVRP makes it easy to propagate VLAN information across multiple switches.
Without GVRP, a network administrator has to go to each individual
switch and enable the necessary VLAN information or block specific
VLANs so that network integrity is maintained. With GVRP, this process can be
automated.
It is critical that all switches share a common VLAN. This VLAN typically is the default
VLAN (VID=1) on most switches and other devices. GVRP uses “GVRP Bridge
Protocol Data Units” (“GVRP BPDUs”) to “advertise” static VLANs. We refer to a GVRP
BPDU as an “advertisement”.
There must be one common VLAN (that is, one common VID)
connecting all of the GVRP-aware devices in the network to carry
GVRP packets. GarrettCom Inc. recommends the default VLAN
(DEFAULT_VLAN; VID = 1), which is automatically enabled and
configured as untagged on every port of the Magnum 6K family of switches. That is, on
ports used as GVRP links, leave the default VLAN set to untagged and configure other
static VLANs on the ports as either “Tagged” or “Disable”. (“Disable” is discussed later in this
chapter.)
GVRP operations
A GVRP-enabled port with a Tagged or Untagged static VLAN sends advertisements (BPDUs, or
Bridge Protocol Data Units) advertising the VLAN identification (VID). Another GVRP-aware
port receiving the advertisements over a link can dynamically join the advertised VLAN. All
dynamic VLANs operate as Tagged VLANs. Also, a GVRP-enabled port can forward an
advertisement for a VLAN it learned about from other ports on the same switch. However, the
forwarding port will not itself join that VLAN until an advertisement for that VLAN is received
on that specific port.
Switch 1 with static VLANs (VID= 1, 2, & 3). Port 2 is a member of VIDs 1, 2, & 3.
1. Port 2 advertises VIDs 1, 2, & 3
2. On Switch 2 - Port 1 receives advertisement of VIDs 1, 2, & 3 AND becomes a member
of VIDs 1, 2, & 3
3. As discussed above, a GVRP enabled port can forward advertisement for a VLAN it
learned about. So port 3 advertises VIDs 1, 2, & 3, but port 3 is NOT a member of VIDs
1, 2, & 3 at this point, nor will it join the VLAN until an advertisement is received
4. On Switch 3, port 4 receives advertisement of VIDs 1, 2, & 3 and becomes a member of
VIDs 1, 2, & 3
5. Port 5 advertises VIDs 1, 2, & 3, but port 5 is NOT a member of VIDs 1, 2, & 3 at this
point
6. Port 6 on the end device is statically configured to be a member of VID 3. Port 6
advertises VID 3
7. Port 5 receives advertisement
8. Port 4 advertises VID 3
9. Port 3 receives advertisement of VID 3 AND becomes a member of VID 3. (Still not a
member of VIDs 1 & 2 as it did not receive any advertisements for VID 1 or 2)
10. Port 1 advertises VID 3 AND becomes a member of VID 3. (Port 1 is still not a member
of VIDs 1 & 2)
11. Port 2 receives advertisement of VID 3. (Port 2 was already statically configured for VIDs
1, 2, 3)
If a static VLAN is configured on at least one port of a switch, and that port has
established a link with another device, then all other ports of that switch will send
advertisements for that VLAN.
In the figure below, tagged VLAN ports on switch “A” and switch “C” advertise VLANs 22 and
33 to ports on other GVRP-enabled switches that can dynamically join the VLANs. A port can
learn of a dynamic VLAN through devices that are not aware of GVRP (Switch “B”.)
[Figure 186: Switch A (GVRP on, tagged VLAN 22); Switch B (no GVRP); Switch C (GVRP on, ports 11 and 12 belong to tagged VLAN 33, port 5 dynamically joined VLAN 22); Switch D (GVRP on, ports 3 and 6 dynamically joined VLAN 33); Switch E (GVRP on, ports 2 and 7 dynamically joined VLAN 33)]
FIGURE 186 – VLAN Assignment in GVRP enabled switches. Non GVRP enabled switches can impact
VLAN settings on other GVRP enabled switches
An “unknown VLAN” is a VLAN that the switch learns of by GVRP. For example, suppose that
port 1 on switch “A” is connected to port 5 on switch “C”. Because switch “A” has VLAN 22
statically configured, while switch “C” does not have this VLAN statically configured, VLAN 22
is handled as an “Unknown VLAN” on port 5 in switch “C”. Conversely, if VLAN 22 was
statically configured on switch C, but port 5 was not a member, port 5 would become a member
when advertisements for VLAN 22 were received from switch “A”. GVRP provides a per-port
join-request option which can be configured.
VLANs must be disabled in GVRP-unaware devices to allow tagged packets to pass through. A
GVRP-aware port receiving advertisements has these options:
• If there is no static VLAN with the advertised VID on the receiving port, then
dynamically create a VLAN with the same VID as in the advertisement, and allow that
VLAN’s traffic
• If the switch already has a static VLAN with the same VID as in the advertisement, and
the port is configured to learn for that VLAN, then the port will dynamically join the
VLAN and allow that VLAN’s traffic.
• Ignore the advertisement for that VID and drop all GVRP traffic with that VID
• Don’t participate in that VLAN
Unknown VLAN Mode   Operations
Learn               Enables the port to dynamically join any VLAN for which it receives an
                    advertisement, and allows the port to forward the advertisement it receives
Block               Prevents the port from dynamically joining a VLAN that is not statically
                    configured on the switch. The port will still forward advertisements that were
                    received by the switch on other ports. Block should typically be used on
                    ports on insecure networks where there is exposure to attack – such as ports
                    where intruders can connect to
Disable             Causes the port to ignore and drop all the advertisements it receives from
                    any source
FIGURE 187 – Port settings for GVRP operations
For GVRP, Tag VLAN has to be enabled. Please refer to the chapter on VLANs for
configuring Tag VLANs.
Configuring GVRP
To configure GVRP, use the Configuration VLAN GVRP menus.
From the GVRP menu screen, GVRP can be enabled or disabled using the drop-down
Enabled/Disabled menu. Each specific port can be put in the Learn, Disable or Enable state as
discussed earlier and shown below.
FIGURE 189 – setting GVRP characteristics for a port. This can be done by clicking on the edit icon for the
port
The table below has the implications for the port settings.
As the above table indicates, a port that has a tagged or untagged static VLAN has the option of
both generating advertisements and dynamically joining other VLANs.
The unknown VLAN parameters are configured on a per interface basis. The
Tagged, Untagged, Auto, and Forbid options are configured in the VLAN
context. Since dynamic VLANs operate as tagged VLANs, and it is possible
that a tagged port on one device may not communicate with an untagged
port on another device, GarrettCom, Inc. recommends that you use Tagged
VLANs for the static VLANs.
A dynamic VLAN continues to exist on a port for as long as the port continues to receive
advertisements of that VLAN from another device connected to that port or until you:
• Convert the VLAN to a static VLAN
• Reconfigure the port to Block or Disable
• Disable GVRP
• Save the configurations
• Reboot the switch
The time-to-live for dynamic VLANs is 10 seconds. That is, if a port has not received an
advertisement for an existing dynamic VLAN during the last 10 seconds, the port removes itself
from that dynamic VLAN.
Finally, after all the changes are made, do not forget to save the changes using the save icon.
After converting a dynamic VLAN to a static VLAN, use the “save” command to save the
changes made; on a reboot the changes can be lost without the save command.
Within the same broadcast domain, a dynamic VLAN can pass through a device that is not
GVRP-aware. This is because a hub or a switch that is not GVRP-aware will flood the GVRP
(multicast) advertisement packets out of all ports.
GVRP assigns dynamic VLANs as tagged VLANs. To configure the VLAN as untagged, first
convert the tagged VLAN to a static VLAN.
When a switch on which a dynamic VLAN is defined reboots, it deletes that dynamic VLAN as
well as all other dynamic VLANs. However, the dynamic VLAN re-appears after the reboot if GVRP is
enabled and the switch again receives advertisements for that VLAN through a port configured to
add dynamic VLANs.
By receiving advertisements from other devices running GVRP, the switch learns of static
VLANs from those devices and dynamically (automatically) creates tagged VLANs on the links to
the advertising devices. Similarly, the switch advertises its static VLANs to other GVRP-aware
devices.
A GVRP-enabled switch does not advertise any GVRP-learned VLANs out of the port(s) on
which it originally learned of those VLANs.
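The following added example (not GarrettCom code) puts the chapter's rules into a small simulation: the eleven-step advertisement walk-through (Switch 1, Switch 2, Switch 3 and the end device), the Learn/Block/Disable unknown-VLAN modes, the 10-second time-to-live of a dynamic VLAN, and the rule that a switch never advertises a learned VLAN back out of the port it learned it on. The end device is assumed to be a GVRP-aware device whose port 6 is in Block mode, and Disable-mode ports are assumed not to send advertisements; both are assumptions of the example, not statements of the guide.

```python
"""GVRP propagation model: an added example, not GarrettCom code.

A port advertises the static VLANs of its switch plus VLANs learned on the
switch's other ports, never a VLAN back out of the port it was learned on;
a port joins an advertised VLAN only when the advertisement arrives on that
port and its unknown-VLAN mode allows it (Learn: any VLAN, Block: only
VLANs statically configured on the switch, Disable: drop everything); a
dynamic membership lapses 10 seconds after the last advertisement.
Switch names, ports and VIDs are those of the chapter's worked example.
"""
from collections import defaultdict

DYNAMIC_TTL = 10  # seconds, as stated in the chapter


class Switch:
    def __init__(self, name, modes):
        self.name = name
        self.modes = modes                # port -> "learn" | "block" | "disable"
        self.static = defaultdict(set)    # port -> {vid} configured by hand
        self.dynamic = defaultdict(dict)  # port -> {vid: expiry time}
        self.links = {}                   # port -> (peer switch, peer port)

    def static_vids(self):
        return set().union(*self.static.values())

    def members(self, port, now):
        """VLANs the port carries right now (static plus unexpired dynamic)."""
        return self.static[port] | {v for v, t in self.dynamic[port].items() if t > now}

    def advertised(self, port, now):
        """VIDs this port puts in its GVRP BPDU.  Dynamic VIDs learned on this
        very port are left out: a VLAN is never advertised back to its source."""
        out = set()
        for p in self.modes:
            out |= self.static[p]
            if p != port:
                out |= {v for v, t in self.dynamic[p].items() if t > now}
        return out

    def receive(self, port, vids, now):
        """Apply the port's unknown-VLAN mode to an incoming advertisement."""
        mode = self.modes[port]
        if mode == "disable":
            return                        # advertisement ignored and dropped
        for vid in vids:
            if mode == "block" and vid not in self.static_vids():
                continue                  # not statically configured: do not join
            if vid not in self.static[port]:
                self.dynamic[port][vid] = now + DYNAMIC_TTL


def link(a, pa, b, pb):
    a.links[pa] = (b, pb)
    b.links[pb] = (a, pa)


def run_gvrp(switches, now, rounds=8):
    """Exchange advertisements over every link `rounds` times; eight rounds
    is plenty for the three-hop example to settle."""
    for _ in range(rounds):
        for sw in switches:
            for port, (peer, peer_port) in sw.links.items():
                if sw.modes[port] != "disable":   # assumed: Disable ports stay silent
                    peer.receive(peer_port, sw.advertised(port, now), now)


def build_chapter_example():
    """Switch 1 (port 2, static VIDs 1,2,3) - Switch 2 (ports 1,3) -
    Switch 3 (ports 4,5) - end device (port 6, static VID 3, assumed Block)."""
    s1 = Switch("Switch 1", {2: "learn"})
    s1.static[2] = {1, 2, 3}
    s2 = Switch("Switch 2", {1: "learn", 3: "learn"})
    s3 = Switch("Switch 3", {4: "learn", 5: "learn"})
    end = Switch("End device", {6: "block"})
    end.static[6] = {3}
    link(s1, 2, s2, 1)
    link(s2, 3, s3, 4)
    link(s3, 5, end, 6)
    return s1, s2, s3, end


if __name__ == "__main__":
    s1, s2, s3, end = build_chapter_example()
    run_gvrp((s1, s2, s3, end), now=0)
    for sw in (s1, s2, s3, end):
        for port in sw.modes:
            print(f"{sw.name} port {port}: {sorted(sw.members(port, 0))}")
    print("Switch 3 port 4 at t=11s with no further BPDUs:", s3.members(4, 11))
```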
Chapter 17 – SNMP
Managing your network using SNMP
Simple Network Management Protocol (SNMP) enables management of the network.
There are many software packages which provide a graphical interface and a graphical view
of the network and its devices. These graphical interfaces and views would not be possible
without SNMP. SNMP is thus the building block for network management.
SNMP Concepts
SNMP provides the protocol to extract the necessary information from a
networked device and display the information. The information is defined and
stored in a Management Information Base (MIB). MIB is the “database” of the
network management information.
SNMP has evolved over the years (since 1988) using the RFC process. Several RFCs today define
the SNMP standards. The most common versions of SNMP are SNMP v1 (the original version
of SNMP), SNMP v2 and finally SNMP v3.
SNMP is a poll-based mechanism: the SNMP manager polls the managed device for information and
displays the information retrieved in text or graphical form. Some definitions related to SNMP
are:
Authentication – The process of ensuring message integrity and protection against message
replays. It includes both data integrity and data origin authentication
Authoritative SNMP engine – One of the SNMP copies involved in network communication
designated to be the allowed SNMP engine which protects against message replay, delay, and
redirection. The security keys used for authenticating and encrypting SNMPv3 packets are
generated as a function of the authoritative SNMP engine's engine ID and user passwords. When
an SNMP message expects a response (for example, get exact, get next, set request), the receiver of
these messages is authoritative. When an SNMP message does not expect a response, the sender is
authoritative
Community string – A text string used to authenticate messages between a management station
and an SNMP v1/v2c engine
Data integrity – A condition or state of data in which a message packet has not been altered or
destroyed in an unauthorized manner
Data origin authentication – The ability to verify the identity of a user on whose behalf the
message is supposedly sent. This ability protects users against both message capture and replay by
a different SNMP engine, and against packets received or sent to a particular user that uses an
incorrect password or security level
Encryption – A method of hiding data from an unauthorized user by scrambling the contents of
an SNMP packet
Group – A set of users belonging to a particular security model. A group defines the access rights
for all the users belonging to it. Access rights define what SNMP objects can be read, written to,
or created. In addition, the group defines what notifications a user is allowed to receive
Notification host – An SNMP entity to which notifications (traps and informs) are to be sent
Notify view – A view name (not to exceed 64 characters) for each group that defines the list of
notifications that can be sent to each user in the group
Privacy – An encrypted state of the contents of an SNMP packet where they are prevented from
being disclosed on a network. Encryption is performed with an algorithm called CBC-DES (DES-
56)
Read view – A view name (not to exceed 64 characters) for each group that defines the list of
object identifiers (OIDs) that are accessible for reading by users belonging to the group
Security level – A type of security algorithm performed on each SNMP packet. The three levels
are: noauth, auth, and priv. noauth authenticates a packet by a string match of the user name. auth
authenticates a packet using the HMAC MD5 algorithm. priv authenticates a packet using the
HMAC MD5 algorithm and encrypts the packet using the CBC-DES (DES-56)
algorithm
Security model – The security strategy used by the SNMP agent. Currently, MNS-6K supports
three security models: SNMPv1, SNMPv2c, and SNMPv3
SNMP engine – A copy of SNMP that can either reside on the local or remote device
SNMP group – A collection of SNMP users that belong to a common SNMP list that defines an
access policy, in which object identification numbers (OIDs) are both read-accessible and write-
accessible. Users belonging to a particular SNMP group inherit all of these attributes defined by
the group
SNMP user – A person for which an SNMP management operation is performed. The user is
the person on a remote SNMP engine who receives the information
SNMP view – A mapping between SNMP objects and the access rights available for those
objects. An object can have different access rights in each view. Access rights indicate whether the
object is accessible by either a community string or a user
Write view – A view name (not to exceed 64 characters) for each group that defines the list of
object identifiers (OIDs) that are able to be created or modified by users of the group
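The following added example (not GarrettCom code) works through what the Authoritative SNMP engine, Security level and Privacy definitions above describe: the RFC 3414 derivation of a user's key from the password (Ku) and its localization to one engine ID (Kul), the HMAC-MD5-96 authentication tag and the CBC-DES key taken from the localized key. The check values are RFC 3414's published test vector; the second engine ID and the message bytes are constructed.

```python
"""SNMPv3 USM key derivation: an added example, not GarrettCom code.

Shows what the guide means by keys "generated as a function of the
authoritative SNMP engine's engine ID and user passwords": RFC 3414
stretches the password into 1 MB of data and hashes it (Ku), then hashes Ku
together with the engine ID (Kul).  The same password therefore yields a
different localized key on every agent; the HMAC-MD5 authentication tag and
the CBC-DES key are both taken from Kul.  The check values are the RFC 3414
A.3.1 test vector; the second engine ID and message bytes are constructed.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1: Ku = H(password repeated to exactly 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.1: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, message: bytes) -> bytes:
    """HMAC-MD5-96 (RFC 3414 6.3): the 12-byte msgAuthenticationParameters."""
    return hmac.new(kul, message, "md5").digest()[:12]


def verify(kul: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a received tag against the expected one."""
    return hmac.compare_digest(auth_tag(kul, message), tag)


def des_key_and_preiv(priv_kul: bytes):
    """CBC-DES (RFC 3414 8.1.1.1): first 8 bytes of Kul are the DES key, the
    last 8 bytes the pre-IV that is XORed with the salt to form the IV."""
    return priv_kul[:8], priv_kul[8:16]


if __name__ == "__main__":
    ku = password_to_key(b"maplesyrup")
    engine_a = bytes.fromhex("000000000000000000000002")  # RFC 3414 test engine ID
    engine_b = bytes.fromhex("000000000000000000000003")  # constructed second agent
    kul_a, kul_b = localize_key(ku, engine_a), localize_key(ku, engine_b)
    print("Ku   :", ku.hex())
    print("Kul A:", kul_a.hex())
    print("Kul B:", kul_b.hex())
    msg = b"constructed SNMPv3 message bytes"
    print("tag made for engine A accepted by engine B?", verify(kul_b, msg, auth_tag(kul_a, msg)))
```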
Standards
There are several RFCs defining SNMP. MNS-6K supports the following RFCs and standards.
SNMPv1 standards
• Security via configuration of SNMP communities
• Event reporting via SNMP
• Managing the switch with an SNMP network management tool
Supported standard MIBs include:
• SNMP MIB-II (RFC 1213)
• Bridge MIB (RFC 1493) (ifGeneralGroup, ifRcvAddressGroup, ifStackGroup)
• RMON MIB (RFC 1757)
• RMON: groups 1, 2, 3, and 9 (Statistics, Events, Alarms, and History)
• Version 1 traps (Warm Start, Cold Start, Link Up, Link Down, Authentication Failure,
Rising Alarm, Falling Alarm)
Configuring SNMP
Most SNMP v1 capabilities can be set using SWM. For SNMP V2 and V3 parameters please refer
to the CLI manual’s chapter on SNMP.
SNMP variables are used in conjunction with Alert definitions. Alert Definitions are covered in
the next chapter. To configure SNMP use Administration SNMP menus.
Using the Edit button the SNMP community parameters can be changed. By using the Add
buttons, the Management and Trap receivers can be added.
It is recommended to change the community strings from the default values of public and private
to other values.
FIGURE 193 – Adding valid managers. Multiple managers can be added using this screen
When adding SNMP manager stations, click on the Add button on the SNMP menu screen. Make
sure that each station can be “pinged” from the switch by using the Configuration Ping menu.
When done adding stations, click OK.
When adding SNMP trap receivers, click on the Add button on the SNMP menu screen. Make
sure that each station can be “pinged” from the switch by using the Configuration Ping menu.
Determine which sorts of traps each station will receive, as shown above. If not sure, select all
three types. When done adding trap receivers, click OK.
FIGURE 195 – Final screen after configuring SNMP. Note the different types of Trap Receivers added
Stations can be deleted using the delete icon. To change a station's characteristics or IP
address, it is recommended to delete the station and add a new one.
Finally, after all changes are made, save the changes using the save icon.
Configuring RMON
The switch supports RMON (Remote Monitoring) on all connected network segments. This
allows for troubleshooting and optimizing your network. The Magnum 6K family of switches
provides hardware-based RMON counters. The switch manager or a network management
system can poll these counters periodically to collect the statistics in a format that complies with
the RMON MIB definition.
• Ethernet Statistics Group - maintains utilization and error statistics for the switch port
being monitored
• History Group – gathers and stores periodic statistical samples from the Statistics
Group
• Alarm Group – allows a network administrator to define alarm thresholds for any MIB
variable
• Log and Event Group – allows a network administrator to define actions based on alarms.
SNMP Traps are generated when RMON Alarms are triggered
For configuring RMON, please refer to the “Magnum MNS-6K CLI User Guide” for more
information.
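The following added example (not GarrettCom code) implements the rising/falling threshold behaviour of the RMON Alarm group described in the bullets above, whose events are what the switch reports as Rising Alarm and Falling Alarm traps: one rising event when the sampled variable reaches the rising threshold, then no further rising event until it has first reached the falling threshold, and the converse, with delta sampling for counters. Thresholds and the sample streams are constructed values.

```python
"""RMON alarm threshold logic: an added example, not GarrettCom code.

Implements the rising/falling behaviour of the RMON Alarm group (the
alarmTable of RFC 1757): a sampled MIB variable raises a rising event when
it reaches the rising threshold, and then no further rising event until it
has first reached the falling threshold, and vice versa.  Delta sampling
alarms on the change between successive counter readings.  Thresholds and
the sample streams are constructed values.
"""


class RmonAlarm:
    def __init__(self, rising, falling, delta=False, startup="risingOrFalling"):
        if falling >= rising:
            raise ValueError("falling threshold must be below the rising threshold")
        self.rising, self.falling, self.delta, self.startup = rising, falling, delta, startup
        self.last_raw = None       # previous raw reading (delta mode)
        self.prev = None           # previous sampled value
        self.first = True          # next sample is the first after activation
        self.can_rise = self.can_fall = True   # hysteresis state

    def sample(self, raw):
        """Feed one reading; return "rising", "falling" or None."""
        if self.delta:
            if self.last_raw is None:
                self.last_raw = raw
                return None                      # two readings make one delta
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        prev, self.prev = self.prev, value
        if self.first:                           # alarmStartupAlarm rules
            self.first = False
            rise_ok = self.startup in ("rising", "risingOrFalling")
            fall_ok = self.startup in ("falling", "risingOrFalling")
        else:
            rise_ok = fall_ok = True
        crossed_up = value >= self.rising and (prev is None or prev < self.rising)
        crossed_down = value <= self.falling and (prev is None or prev > self.falling)
        if crossed_up and rise_ok and self.can_rise:
            self.can_rise, self.can_fall = False, True
            return "rising"
        if crossed_down and fall_ok and self.can_fall:
            self.can_fall, self.can_rise = False, True
            return "falling"
        return None

    def run(self, readings):
        """Return the event (or None) produced by each reading, in order."""
        return [self.sample(r) for r in readings]


if __name__ == "__main__":
    # Constructed port utilisation samples (absolute) and error counter readings (delta).
    print(RmonAlarm(rising=80, falling=20).run([50, 85, 90, 50, 85, 15, 85]))
    print(RmonAlarm(rising=50, falling=10, delta=True, startup="rising")
          .run([0, 5, 60, 120, 125, 130, 200]))
```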
Chapter 18 – Miscellaneous Commands
Improving productivity and manageability
There are several features built into the Magnum 6K family of switches which help with
the overall productivity and manageability of the switch. These items are examined
individually in this chapter.
Alarm relays
In a wiring closet, it is helpful to have a visual indication of faults on components on the
network. Normally, this is provided by LEDs. While the Magnum 6K family of switches has the
necessary LEDs to provide the information needed, it also has a provision for tripping or
activating an external relay to electrically trigger any circuit desired. This could be an
indicator light, a flashing strobe light, an audible alarm or another device.
The Magnum 6K family of switches has an optional software-controlled relay contact that can be
used to report alarm conditions. The relay is held open (no connection) in normal circumstances
and closes during alarm conditions.
The SUSTAINED mode is used to report a continuing error condition. The MOMENTARY
mode is used to report a single event.
The following pre-defined events are currently supported on the MNS-6K, and the relay can be
triggered by software for each of them:
4 Link Up MOMENTARY
The S-RING open condition generates a sustained relay contact closure. The relay stays closed
for the period during which the S-RING is in the OPEN condition and reverts to its open
position when the S-RING returns to the CLOSED condition. This is covered in more
detail in the chapter on S-Ring and Link-Loss-Learn.
7 The RMON events fire when the RMON thresholds are crossed and are therefore indicated as RMON rising or falling,
meaning the threshold has been crossed. While there is no specific command to view and change the specific RMON
variables, the RMON discussion is in Chapter 15. The best way to set RMON values is via the web interface or a
management system such as Castle Rock's SNMPc™
Each alarm can be enabled or disabled from the screen shown above. All alarms can be enabled
or disabled using the Alarm Status drop-down menu. Relay closure times can be set using the
drop-down menu.
After changing the Alarm settings, save the configuration using the save icon.
Statistics
SWM provides several statistics in a graph. These are described below.
To view Statistics, click on Configuration Statistics menu. To view Port specific Statistics, use
the Configuration Statistics Port Statistics menu.
Each port can be viewed by clicking on the navigation windows as shown by Slot and Port.
Each group represents different Statistics. The next few figures display the different groups for
the same port.
Logs
SWM provides an overview of the types of logs by reviewing the log statistics. Each specific log
can be viewed through the Logs menu. To view the Log Statistics, use the Configuration
Statistics Log Statistics menu. This is shown below.
FIGURE 201 – Types of logged events received – most logs are typically informational (notice)
Note – from this menu, the log buffer size can be controlled. For viewing each specific log, use
the Configuration Logs menu.
Each specific type of log can be viewed by using the drop down menu as shown below.
FIGURE 203 – Specific type of logs can be viewed – in this example only “Notice” logs are displayed
The Clear button clears all the logs. To prevent accidental erasures, you will be
prompted again if the logs should be deleted.
The Event Log records operating events as single-line entries listed in chronological order
and is a useful tool for isolating problems. Each Event Log entry is composed of the following
fields: Severity, Date and Time Stamp, and Event Description.
Date is the date in mm/dd/yyyy format (as configured) that the entry was placed in the
log
Time is the time in hh:mm:ss format (as configured) that the entry was placed in the
log
Description is a brief description of the event
The event log holds up to 1000 lines in chronological order, from the oldest to the newest. Each
line consists of one complete event message. Once the log has received 1000 entries, it discards
the current oldest line (with information level severity only) each time a new line is received. The
event log window contains 22 log entry lines and can be positioned to any location in the log.
For the alerts, the events per subsystem function are listed below. The table is sorted by the
subsystem function first and then by the severity level.
RMON History : internal error, unable to get memory for history control F
entry
RMON History : internal error, unable to get memory for history data F
entry
RMON History : internal error, unable to get memory F
RMON Event : unable to get memory for event entry F
RMON Alarm : unable to get memory for RMON logs F
RMON rising alarm trap sent to a.b.c.d by alarm entry X I
RMON falling alarm trap sent to a.b.c.d by alarm entry X I
RMON RMON init is done I
RMON history : control entry X is set to valid I
RMON history : control entry X is set to invalid I
RMON Event : entry X is set to valid I
RMON Event : entry X is set to invalid I
RMON Alarm : entry X is set to valid I
RMON Alarm : entry X is set to invalid I
SNMP Snmp.snmpEnableAuthenTraps is set to enabled A
SNMP Snmp.snmpEnableAuthenTraps is set to disabled A
SNMP System.sysName configured A
SNMP System.sysLocation configured A
SNMP System.sysContact configured A
SNMP Port X link up trap sent to a.b.c.d A
SNMP Port X Link down trap sent to a.b.c.d A
SNMP Configuring IP address in trap receivers list failed D
SNMP read community string changed I
SNMP write community string changed I
SNMP trap community string changed I
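The following Python script is an added example, not code from the GarrettCom guide. It models the buffer behaviour described above (oldest Informational line discarded once the log is full) and picks out the SNMP entries from the event table that change who can manage the switch or whether alerts are delivered. The exported line layout it parses (severity code, date, time, description) and the rule used when no Informational line is left to discard are assumptions; the sample lines are constructed.

```python
"""Model of the MNS-6K event log buffer described above, plus a filter for the
SNMP entries in the event table that change who can manage the switch.

Added example, not code from the GarrettCom guide. Assumptions: an exported log
line reads "<severity> <mm/dd/yyyy> <hh:mm:ss> <description>" with the one-letter
severity codes used in the event table; when the buffer is full and no
Informational line is left, the oldest line overall is discarded (the guide does
not say). The sample lines are constructed.
"""
import re
from dataclasses import dataclass

LOG_CAPACITY = 1000  # the guide: the event log holds up to 1000 lines

# Assumed export layout; the guide names the fields but not their exact formatting.
LINE_RE = re.compile(
    r"^(?P<sev>[A-Z])\s+(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<desc>.+)$"
)

# Descriptions from the event table worth reviewing outside a change window:
# community-string changes alter who can read or write the switch over SNMP,
# disabling authentication traps silences failed-access reports, and a failed
# trap-receiver change means alerts may be going nowhere.
WATCHLIST = (
    "community string changed",
    "snmpEnableAuthenTraps is set to disabled",
    "Configuring IP address in trap receivers list failed",
)


@dataclass
class LogEntry:
    severity: str
    date: str
    time: str
    description: str


def parse_line(line):
    """Return a LogEntry for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(m["sev"], m["date"], m["time"], m["desc"])


class EventLog:
    """Fixed-size buffer with the eviction rule the guide describes: once the
    log is full, each new line pushes out the oldest Informational ("I") line,
    so higher-severity entries outlive routine notices."""

    def __init__(self, capacity=LOG_CAPACITY):
        self.capacity = capacity
        self.entries = []  # oldest first

    def append(self, entry):
        if len(self.entries) >= self.capacity:
            # Oldest "I" line; index 0 (oldest overall) is the assumed fallback.
            victim = next((i for i, e in enumerate(self.entries)
                           if e.severity == "I"), 0)
            del self.entries[victim]
        self.entries.append(entry)

    def severities(self):
        counts = {}
        for e in self.entries:
            counts[e.severity] = counts.get(e.severity, 0) + 1
        return counts


def flagged(entries):
    """Entries whose description contains a watchlist phrase (case-insensitive)."""
    return [e for e in entries
            if any(w.lower() in e.description.lower() for w in WATCHLIST)]


def review(text, capacity=LOG_CAPACITY):
    """Load exported log text into the buffer model; return (log, flagged entries)."""
    log = EventLog(capacity)
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is not None:
            log.append(entry)
    return log, flagged(log.entries)


# Constructed sample export in the assumed layout (not real switch output).
SAMPLE = """\
I 06/13/2006 09:12:01 RMON init is done
A 06/13/2006 09:12:05 System.sysName configured
I 06/13/2006 09:14:30 read community string changed
A 06/13/2006 09:14:31 Snmp.snmpEnableAuthenTraps is set to disabled
D 06/13/2006 09:15:00 Configuring IP address in trap receivers list failed
this line is not in the expected layout and is skipped
I 06/13/2006 09:16:00 RMON rising alarm trap sent to 192.0.2.10 by alarm entry 3
"""

if __name__ == "__main__":
    log, hits = review(SAMPLE)
    print("severity counts:", log.severities())
    for e in hits:
        print("REVIEW", e.severity, e.date, e.time, e.description)
```

Run it against a real upload once you have confirmed the exported layout; the only part that needs adjusting is LINE_RE. The buffer model is there to make the point concrete: with a busy switch, the three community-string entries are among the first to disappear.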
Email
SMTP (RFC 821) is the TCP/IP protocol used to send email. Because it has only a limited ability to queue messages at the receiving end, it is usually paired with one of two other protocols, POP3 or the Internet Message Access Protocol (IMAP), which let a user keep messages in a server mailbox and download them as needed. In other words, a mail client typically uses SMTP for outgoing mail (for example, replying to a message) and either POP3 or IMAP for mail that has arrived from the outside world. For a network administrator it is very useful to receive email in case of faults and alerts, and the Magnum 6K family of switches can be set up to send an email alert when a trap is generated.
If this capability is used, please ensure that SPAM filters and other filters are not
set to delete these emails.
GarrettCom, Inc. recommends that a rule be set up on the mail server so that all
emails indicating SNMP faults are automatically stored in a folder or redirected
to the appropriate administrators.
The SNMP alerts can be configured using MNS-6K to:
• Send an email alert, according to the configured rules, when a specific event category occurs
• Send an email alert, according to the configured rules, when a specific SNMP trap category occurs
• Provide configuration and customization commands for users to specify the SMTP server to connect to, TCP ports, recipients and filters
Serial connectivity
When using serial connectivity with applications such as HyperTerminal, it may be necessary to adjust the character delays so that the FIFO buffer in the GarrettCom Magnum 6K family of switches is not overrun, for example when pasting a saved configuration into the console. For any serial connectivity software, the important parameters are a line delay of 500 milliseconds and a character delay of 50 milliseconds. In HyperTerminal these are set under File > Properties: when the Properties sheet opens, click the ASCII Setup button, enter 500 in the Line Delay box and 50 in the Character Delay box, as shown below.
FIGURE 205 – Optimizing serial connection (shown for HyperTerminal on Windows XP). The highlighted
fields are the ones to change as described
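As an added example that is not part of the guide, the Python script below applies the same pacing from a script rather than from HyperTerminal, which is handy for pushing a saved configuration through the console port. The pacing function takes any write callable, so it can be exercised without a switch; send_config_file assumes pyserial, and the port name and baud rate in it are placeholders.

```python
"""Paced console writer: stream text to a Magnum 6K serial console with the
delays recommended above (500 ms after each line, 50 ms after each character).

Added example, not from the guide. The pacing takes any write callable, so it
can be exercised without hardware; send_config_file assumes pyserial, and the
port name and baud rate are placeholders for whatever your console uses.
"""
import time


def paced_send(write, text, line_delay=0.5, char_delay=0.05, sleep=time.sleep):
    """Send text one character at a time through write(bytes).

    Sleeps char_delay after every ordinary character and line_delay after every
    newline, so a pasted block never arrives faster than the switch's FIFO can
    drain it. Returns counters so the caller (or a test) can check what went out.
    """
    chars = lines = 0
    waited = 0.0
    for ch in text:
        write(ch.encode("ascii"))  # console input is 7-bit ASCII
        chars += 1
        if ch == "\n":
            lines += 1
            sleep(line_delay)
            waited += line_delay
        else:
            sleep(char_delay)
            waited += char_delay
    return {"chars": chars, "lines": lines, "waited_s": round(waited, 3)}


def send_config_file(port, path, baudrate=38400):
    """Open the port with pyserial and push a saved configuration through it.

    Placeholder port and baud rate; match them to your console settings.
    """
    import serial  # pyserial; imported here so the pacing logic needs no hardware

    with open(path, "r", encoding="ascii") as f:
        text = f.read()
    with serial.Serial(port, baudrate, timeout=1) as s:
        return paced_send(s.write, text)


if __name__ == "__main__":
    # Dry run into an in-memory sink with sleeps disabled; for a real session use
    # send_config_file("COM1", "switch.cfg") (or "/dev/ttyS0" on Linux).
    sink = bytearray()
    stats = paced_send(sink.extend, "show version\nshow config\n",
                       sleep=lambda _: None)
    print(stats, sink.decode("ascii"))
```

The two delays are parameters rather than constants so that the values can be tuned if a switch still drops characters at a different baud rate.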
Ping
The ping command can be used from MNS-6K to test connectivity to other devices and to check that the IP address is set up correctly. Use the Configuration > Ping menu.
Many devices do not respond to ping, or block it. Make sure that the target device does respond and that the network allows the ping packets to propagate; a failed ping does not by itself mean the switch's address is wrong.
Set
A new menu item has been added as of MNS-6K Release 3.2: the Set menu, shown below.
FIGURE 207 – Set menu item for setting common parameters for switch operations
The Set menu allows several values to be set. The first is the Boot Mode.
Auto – on reboot, first look for a DHCP server. If a server is found, get the IP address and other IP parameters from the DHCP server.
If a DHCP server is not found, look for a BootP server. If one is found, get the IP address and other parameters from the BootP server. Please refer to the “Magnum MNS-6K CLI User Guide” for additional information on how MNS-6K can be set up to receive the MNS-6K binary as well as configuration values from a BootP server.
If a BootP server is not found, check whether a pre-configured IP address exists. If so, assign that address; otherwise check whether the IP address 192.168.1.2 with a netmask of 255.255.255.0 is available for use (that is, does not cause an IP address conflict). If the address is available, assign it to the switch.
If that static address is not available, start the process again by looking for a DHCP server.
In Auto mode the first DHCP or BootP server to answer decides the switch's management address (and, if the switch is set up for it, supplies the firmware image and configuration over BootP), so on a production network either use Manual boot mode with a pre-configured address or make sure only trusted servers can reach the switch's segment.
Do not forget to save the change and then reboot the switch.
The next value that can be set is the log size; see the screen below.
(Figure callouts: click the up arrow to increment the value by 1 and the down arrow to decrement it by 1; a separate control increments the value by 50.)
Note that the log size can also be set from the Configuration menu, as shown below.
FIGURE 210 – Set the log size – click on the Edit button, enter the log size needed, and click OK. Maximum log
size is 1000 lines
The Set menu also allows the password to be changed. Click the menus as shown below to change the password. If the switch still uses its factory default credentials, change the password before the switch is connected to a production network.
The Set menu can define the SNMP type used, as shown below.
FIGURE 212 – Setting the SNMP type. SNMP type can be SNMP-v1 or all (for SNMP v1, v2 and v3)
Note that “all” keeps SNMP v1 and v2 enabled alongside v3. Those versions authenticate with community strings sent in clear text, so even with v3 users configured, anyone holding the community strings retains the same access; keep them as tightly controlled as passwords.
The Set menu also selects the Spanning Tree Protocol (STP) type. The types are shown below.
The Set menu allows the idle timeout value to be set. After the defined number of minutes of inactivity, the session is terminated and the user logged out. The default timeout is 10 minutes.
FIGURE 214 – Set the timeout value. Click on Edit button to change the value
The Set menu also allows the VLAN type to be set. This value can also be set from the Configuration > VLAN > Set Type menu (as shown by the cursor next to the menu item in the figure below).
The file transfer protocol, or ftp, is supported on MNS-6K. MNS-6K supports normal (active) ftp as well as passive ftp. Passive FTP is used by many companies today to fit firewall policies and other security policies.
FTP uses separate connections for the command stream and the data stream. In active mode the client opens the command connection, but the server opens the data connection back to the client. This causes problems in security-conscious companies, whose firewalls generally require that the client initiate the data connection as well as the command connection. To accommodate that, ftp added a capability called “passive ftp”, in which the client that initiated the command connection also initiates the data connection. Most companies prefer passive ftp, and GarrettCom MNS-6K provides the means to operate in those environments. Neither mode protects the ftp user name, password or the transferred file from being read on the wire, so keep ftp transfers on the local network, as the upgrade procedure in the Appendix recommends.
The FTP mode is set using the Administration > Set > FTP Mode menu, as shown below.
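The exchange behind the two modes, as an added example that is not part of the guide: parse_pasv_reply handles the server's 227 reply in passive mode, build_port_command forms the client's PORT command in active mode, and data_connection reports which side opens the data connection in each case, which is what a firewall rule has to allow. The addresses are constructed; ftp_session shows the matching ftplib switch and is not exercised here because it needs a live server.

```python
"""Active (PORT) versus passive (PASV) FTP: who opens the data connection, and
therefore what a firewall in front of the client must allow.

Added example, not from the guide; addresses are constructed.
"""
import re
from ftplib import FTP

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, port).

    In passive mode the client connects *out* to this host:port for data, so
    the client-side firewall only needs to permit an outbound connection.
    """
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("malformed PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def build_port_command(host, port):
    """Active-mode PORT command telling the server where to connect *back* to.

    The server then opens the data connection to the client; that inbound
    connection is what client-side firewalls and NAT usually block.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("host must be a dotted IPv4 address")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def data_connection(mode, client_ip, client_port, server_pasv_reply):
    """Summarise which side initiates the data connection in each mode."""
    if mode == "passive":
        host, port = parse_pasv_reply(server_pasv_reply)
        return {"initiator": "client", "target": "%s:%d" % (host, port),
                "control_message": "PASV"}
    if mode == "active":
        return {"initiator": "server",
                "target": "%s:%d" % (client_ip, client_port),
                "control_message": build_port_command(client_ip, client_port)}
    raise ValueError("mode must be 'active' or 'passive'")


def ftp_session(host, user, password, passive=True):
    """Open a control connection with ftplib and select the mode.

    Not exercised here (needs a live server). FTP sends these credentials in
    clear text, so keep it on the local management network.
    """
    ftp = FTP(host)
    ftp.login(user, password)
    ftp.set_pasv(passive)
    return ftp


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,20,195,80)"
    print(data_connection("passive", "192.0.2.10", 50000, reply))
    print(data_connection("active", "192.0.2.10", 50000, reply))
```

The summary dictionaries make the firewall consequence explicit: in passive mode the only rule needed is an outbound one from the client to the server's announced port, while in active mode the server must be allowed to connect inbound to an arbitrary high port on the client.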
Appendix
There are several features built into the Magnum 6K family of switches which help with the overall productivity and manageability of the switch. To take advantage of the latest features and bug fixes, it is important to keep the MNS-6K version up to date.
Before starting
Before you start, it is recommended that you acquire the software to perform the upgrade:
1. Connect to ftp://m6kuser:[email protected]
Once you are connected, the folders are arranged by Release number. Click on the folder with the latest Release number. In the example below, click on the Rel3 folder.
FIGURE 217 – FTP to the GarrettCom site and select the folder with the latest release number
2. Once in the folder, the files are arranged by release number. Right-click (or left-click if your mouse is configured as a left-handed mouse) on the file with the latest release number and copy the file.
FIGURE 219 – Copy the file with the latest Release number to the local disk by using the operating system copy and paste commands
3. Make sure the file is saved and the file transfer is complete.
4. Move the file to another computer which has ftp or tftp services available⁸. Make sure the ftp or tftp services have been started and are running, and that the tftp or ftp path is configured properly. If you are using ftp, also have the ftp login name and password ready.
5. Select the switch you want to upgrade. Make sure you have system administration rights and privileges on that switch.
6. Open an SWM session with the switch by entering the URL https://<IP address> or https://<logical name> of the switch.
FIGURE 220 – Before the upgrade, it is a good idea to save a snapshot of the configuration. Different FTP modes can be used with the FTP command.
⁸ For Windows XP or other Windows operating systems, Open Source FTP or TFTP servers can be found on the WWW. Alternatively, you can purchase software to provide these services. Most Linux or UNIX systems provide these services.
After the configuration is saved, load the binary copied from the GarrettCom site.
FIGURE 221 – After the configuration is saved, load the new image file copied from the GarrettCom ftp site
While the file is being loaded, a file-transfer-in-progress image is shown.
FIGURE 222 – As the image file is loaded, the progress is indicated by the image above. Please wait until the file transfer is completed
FIGURE 223 – after the new image file is loaded, it is important to save any changes made and then
restart the switch as shown above
After the restart the new version of MNS-6K is ready for use.
Using the process described above, one may be tempted to update the Magnum 6K switch directly over the Internet from the GarrettCom site. GarrettCom DOES NOT RECOMMEND DOING THAT.
GarrettCom recommends that the binary be downloaded and copied to a local server, then uploaded over the LAN or the local intranet to the Magnum 6K family of switches in your network.
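The staging step that note recommends, as an added Python example that is not part of the guide: the downloaded image is size- and hash-checked and then copied read-only into the root of the local FTP/TFTP server the switch will fetch from. The guide publishes no image digests, so expected_sha256 is assumed to come from an out-of-band source such as the release notes or a second, independent download; the file and directory names are placeholders, and demo() runs the checks against a constructed stand-in image.

```python
"""Stage a downloaded MNS-6K image on the local FTP/TFTP server, as the note
above recommends, and check it before the switch is pointed at it.

Added example, not from the guide. The guide publishes no image digests, so
expected_sha256 is assumed to come from an out-of-band source such as the
release notes or a second, independent download. Paths are placeholders.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_image(downloaded, server_root, expected_sha256, min_size=1 << 16):
    """Verify the image and copy it into the transfer server's root.

    Rejects a file that is suspiciously small (an incomplete transfer, which
    step 3 of the procedure warns about) or whose digest does not match, and
    makes the staged copy read-only so the file the switch fetches cannot be
    quietly replaced later. Returns the staged path.
    """
    downloaded, server_root = Path(downloaded), Path(server_root)
    size = downloaded.stat().st_size
    if size < min_size:
        raise ValueError("%s is only %d bytes; transfer incomplete?" % (downloaded, size))
    actual = sha256_of(downloaded)
    if actual.lower() != expected_sha256.lower():
        raise ValueError("digest mismatch for %s: %s" % (downloaded, actual))
    target = server_root / downloaded.name
    if target.exists():          # replace an earlier read-only copy cleanly
        target.unlink()
    shutil.copyfile(downloaded, target)
    os.chmod(target, 0o444)
    return target


def demo():
    """Run the checks against a constructed stand-in image in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        image = tmp / "mns6k-3.7.1.bin"             # constructed, not a real image
        image.write_bytes(bytes(range(256)) * 512)  # 128 KiB of known content
        root = tmp / "tftp"
        root.mkdir()
        staged = stage_image(image, root, sha256_of(image))
        result = {"staged_name": staged.name,
                  "readonly": (staged.stat().st_mode & 0o222) == 0}
        try:
            stage_image(image, root, "0" * 64)      # wrong digest must be refused
            result["bad_digest_rejected"] = False
        except ValueError:
            result["bad_digest_rejected"] = True
        short = tmp / "short.bin"
        short.write_bytes(b"\x00" * 10)             # simulates a truncated download
        try:
            stage_image(short, root, sha256_of(short))
            result["short_rejected"] = False
        except ValueError:
            result["short_rejected"] = True
        return result


if __name__ == "__main__":
    print(demo())
    # Real use: stage_image("mns6k-3.7.1.bin", "/srv/tftp", "<digest from release notes>")
```

The digest check is only as good as its source: a hash taken from the same download it is meant to verify proves nothing, so record the reference value from the release notes or from a second download over a different path before staging.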
FIGURE 224 – before the upgrade, it is a good idea to save a snap shot of the configuration
After the configuration is saved, load the binary copied from the GarrettCom site.
FIGURE 225 – After the configuration is saved, load the new image file copied from the GarrettCom ftp site
While the file is being loaded, a file-transfer-in-progress image is shown.
FIGURE 226 – As the image file is loaded, the progress is indicated by the image above. Please wait until the file transfer is completed
FIGURE 227 – after the new image file is loaded, it is important to save any changes made and then restart
the switch as shown above
After the restart the new version of MNS-6K is ready for use.
I N D E X
Index
802.1d, 145, 146, 147, 148, 156, 157
802.1q, 240
802.1Q, 117, 120, 145
802.1w, 145, 146, 147, 148, 156, 159, 160
802.1x, 87, 88, 89, 90, 98
Access, 55, 83
advertisement, 240
alarm, 260
Alarm Group, 257
anycast address, 68
Authentication, 248
Authentication Server, 87
authenticator, 87, 89, 90, 95, 96, 97
Authenticator, 87
Authoritative SNMP engine, 248
authorize, 168, 181
Auto, 274
backpressure, 113
bootp, 45, 46
BootP, 273
BPDU, 90, 159, 163, 164, 166, 167, 178, 180, 208
broadcast domain, 120
broadcast storms, 113
CLI, 24, 25
community string, 248
Config Download, 55
Config Upload, 55
CoS, 219
datagrams, 229
default user name, 26
DEFAULT-VLAN, 118, 121
DHCP, 44, 45, 46, 273
Differentiated Services. See DiffServ
DiffServ, 218
disable mode, 77
drop mode, 77
DS. See DiffServ
DSCP, 218
Dual-Homing, 189
EAP, 88
EAPOL, 88
Edge Ports, 156
Egress, 174
Ethernet segments, 117
Ethernet Statistics Group. See RMON
FIFO, 217
file transfer protocol. See ftp
flowcontrol, 113
FTA, 148
ftp, 281
GARP, 240
GVRP, 111, 240, 241, 242, 243, 244, 245, 246, 247
GVRP BPDUs, 240
Help, 39
History Group, 257
host, 60
Host, 55
Host Download, 55
Host Upload, 55
IEEE, 88, 90, 112, 117, 145, 146, 147, 148, 156, 157, 159, 160, 178, 203, 217, 219, 240
IEEE 802.1p, 217, 240
IEEE 802.1q, 217, 240
IEEE 802.3ad, 203
IETF, 218
IGMP, 22, 58, 83, 204, 210, 220, 229, 230, 231, 232, 233, 236, 237, 238, 240, 248, 258, 284
IGMP-L2, 236
Image Download, 55
Image Upload, 55
IMAP, 270
Ingress, 174
ipconfig, 27
IPv4, 67, 68, 69
IPv6, 67, 68, 69
ISP, 87
kill config, 63
LACP, 22, 203, 204, 210, 215
LACPDU, 204, 206, 208
Link-Loss-Learn, 158, 159. See LLL
LLL, 158, 159, 167, 186
Log and Event Group, 257
log size, 275, 276
Log Statistics, 82, 263
Log Upload, 55
logout, 40
Management Information Base. See MIB
manager stations, 254
Manual, 273
MD5, 90, 102
MIB, 90, 230, 248, 256, 257
Mirror Status, 109
Mirroring, 106
modes of operation, 26
MOMENTARY, 258, 259
NAS, 100
OPEN, 178
P2P, 156
PHB, 218
PoE, 190
POP3, 270
Port, 78, 106
port security, 77
Port Security, 79
Port Statistics, 261
port VLAN, 119
port VLANs, 121
priority, 217
Priority, 156
Private VLAN, 120
QoS, 22, 217, 218, 219, 220, 221
RADIUS, 87, 88, 89, 90, 96