Ale Switch Cheatsheet

This document provides information about connecting to and using remote labs for hands-on training on the Alcatel-Lucent OmniSwitch R8. It describes the remote lab topology which includes various Alcatel-Lucent switch models and 10 virtual machine clients. It also provides instructions for remotely connecting to the labs from Windows, Linux, and Mac computers using the remote desktop protocol and given login credentials. The remote labs allow participants to perform tasks and configurations on simulated network equipment for practical experience.

Uploaded by

rakyat mataram
Copyright © All Rights Reserved

OMNISWITCH R8

OMNISWITCH LAN BOOTCAMP - ISSUE 09

PARTICIPANT'S GUIDE

The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE.

OmniSwitch AOS R8 Bootcamp
DT00CTE220EN

Agenda

Topics
• Administration – Class schedule
• Course agenda
• Your opinion counts!
• Reach the session evaluation
Administration – Class schedule

Standard class hours: 5 days, 9:00 AM to 5:00 PM
Break: Lunch 12:00 to 1:30 PM; Morning & Afternoon 15 min
Badges for participants: Access to the classroom & the restaurant
Internet access: –
Agenda

Day 1
• Course introduction
‐ Training course agenda & Access to remote lab
• OmniSwitch R8 - Portfolio Description
‐ Overview
• AOS OmniSwitch Management
‐ Log into the switch
‐ Managing Files/Directories
‐ Labs: Working/Running/Certified Directory; Remote Switch Access
• Virtual Chassis
‐ Overview
‐ Lab: Virtual chassis (6900 & 6360)
• VLANs Management
‐ Overview
‐ Labs: VLAN
• Basic Switch Management & Diagnostic
‐ Overview
‐ Lab: Switch maintenance and Diagnostics tools
Agenda

Day 2
• Link Aggregation Groups
‐ Overview
‐ Lab: Link Aggregation and 802.1Q
• Spanning Tree Protocol (STP)
‐ Overview
‐ Lab: STP
• Dual Home Link (DHL)
‐ Overview
‐ Lab: Dual Home Link Active-Active
• VRRP
‐ Overview
‐ Lab: Virtual Router Redundancy Protocol
• AOS Network security
‐ Overview
‐ Lab: Learned Port Security
Agenda

Day 3
• IP interfaces
‐ Overview
• Open Shortest Path First (OSPF)
‐ Fundamentals
‐ Areas
‐ Adv. Features & Troubleshooting
‐ Global Routing Protocol Redistribution
‐ Lab: OSPF
• Graceful Restart
‐ Overview
• DHCP
‐ Overview
‐ Lab: DHCP Server & DHCP Relay
Agenda

Day 4
• Quality of Service
‐ Overview
‐ Lab: Quality of Service
• OmniVista 2500 NMS
‐ Overview
‐ Lab: Access to the OmniVista 2500 NMS server
• Flow Based Filtering (ACL)
‐ Overview
‐ Lab: Security Network Access Control
• Security Network
‐ Overview: Access Guardian
‐ Lab: Access Guardian Implementation
• Link Layer Discovery Protocol (LLDP)
‐ Overview
‐ Lab: LLDP Implementation
• Power over Ethernet (PoE)
‐ Overview
Agenda

Day 5
• Multicast Introduction
‐ Overview
‐ Lab: IP Multicast switching
• Distance Vector Multicast Routing Protocol
‐ Overview
• Protocol Independent Multicast (PIM)
‐ Overview
‐ Lab: Access to the OmniVista 2500 NMS server
• Ethernet Ring Protection
‐ Lab: Ethernet Ring Protection
• Mac-Sec
‐ Overview
‐ Lab: Mac-Sec
AOS – Technical Documentations
OmniSwitch xxxx Series Hardware Users Guide
• Switch hardware components and basic switch hardware
OmniSwitch AOS Switch Management Guide
• Describes basic attributes of the switch and basic switch administration tasks
OmniSwitch AOS Network Configuration Guide
• Describes how to set up and monitor software features that will allow the switch to operate in a live network environment
OmniSwitch AOS Advanced Routing Configuration Guide
• Describes how to set up and monitor advanced routing protocols for operation in a live network environment
OmniSwitch CLI Reference Guide
• Comprehensive resource for all Command Line Interface (CLI) commands available on the OmniSwitch products
OmniSwitch Transceivers Guide
• Provides specifications and compatibility information for the SFP/XFP/QSFP/… transceivers supported on the OmniSwitch switches
Internet Resources
• Alcatel-Lucent Enterprise Web Site
https://www.al-enterprise.com/en
• Training & Certification
https://www.al-enterprise.com/en/services/education-services
• RFC Technical documents
http://www.ietf.org
Internet Resources
Partners Website
• MyPortal
ALE Network Equipment
• www.al-enterprise.com/en/products/switches
Spacewalkers Community
• www.spacewalkers.com
Datasheets

OmniSwitch Switches (LAN)
• OmniSwitch 2260 WebSmart switch: datasheet
• OmniSwitch 2360 WebSmart switch: datasheet
• OmniSwitch 6360 LAN switch: datasheet
• OmniSwitch 6465 L2+ Hardened LAN Switch datasheet
• OmniSwitch 6560 L2+ Multigig LAN switch: datasheet
• OmniSwitch 6860 L3 LAN switch with multigig and DPI option datasheet
• OmniSwitch 6865 L3 Hardened Switch datasheet
• OmniSwitch 6900 L3 core switch datasheet
• OmniSwitch 9900 Chassis core switch datasheet

NMS Solutions
• OmniVista 2500 (on premises) datasheet
• OmniVista Cirrus (cloud) datasheet

OmniAccess Stellar Access Points (WLAN)
• OmniAccess Stellar AP1101 802.11ac AP: datasheet
• OmniAccess Stellar AP1201 entry-level 802.11ac wave 2 AP: datasheet
• OmniAccess Stellar AP1201H resident 802.11ac wave 2 AP: datasheet
• OmniAccess Stellar AP1220 high performance wave 2 AP: datasheet
• OmniAccess Stellar AP1230 ultra high performance wave 2 AP: datasheet
• OmniAccess Stellar AP1251 hardened wave 2 AP: datasheet
• OmniAccess Stellar AP1301 entry level Wi-Fi 6 AP: datasheet
• OmniAccess Stellar AP1311 high performance Wi-Fi 6 AP: datasheet
• OmniAccess Stellar AP1320 high performance Wi-Fi 6 AP: datasheet
• OmniAccess Stellar AP1351 premium high-end Wi-Fi 6 AP: datasheet
• OmniAccess Stellar AP1360 hardened outdoor Wi-Fi 6 AP: datasheet

Poster (Complete ALE Network Solutions Portfolio)
Document showcasing the networking products designed by ALE, with a summary of the features proposed by each product. Download it from the MyPortal website.
Your opinion counts!
Evaluation links are available to you as of the last day of the session and can therefore be filled in at the end of the session, before leaving the classroom or virtual class.
Two main situations have to be considered to access the course evaluation, depending on the Knowledge Hub session status (while it is still "In progress", and once it has switched to "Completed").
The status usually switches the Monday after the session has ended.

Reach the session evaluation
Directly from the Home page / My Recent Learning activity:
• if the "Evaluate" option is visible, click on it.
• if "Evaluate" is not proposed, click on "Open Curriculum" and then on "Evaluate".
OmniSwitch R8
Remote lab Connection

Objectives
Connection to the Remote-Labs (R-Labs)

Introduction
At the end of this module, you will be able to:
• Describe Remote-Labs (R-Labs) topology
• Connect to a Remote-Lab (R-Lab)

Remote Desktop Connection
- Computer: LanPodX (X = R-Lab Number)
- User name: remote-lab\lanpodXa or remote-lab\lanpodXb
- RD Gateway server: remotelab.education.al-enterprise.com
Please refer to "Lab Preparation per OS (Linux, Apple, ...)" in the "If you want to know more" section to connect to the R-Lab from other operating systems.
Remote Labs > Topology

Switch   Interface     IP address         VLAN
6900-A   EMP           10.4.Pod#.1        NA
6900-B   EMP           10.4.Pod#.2        NA
6560-A   1/24          10.4.Pod#.3        4001
6560-B   1/24          10.4.Pod#.4        4001
6360-A   1/1/24        10.4.Pod#.5        4001
6360-B   1/1/24        10.4.Pod#.6        4001
6860-A   EMP or 1/20   10.4.100+Pod#.7    NA or 4001
6860-B   EMP or 1/20   10.4.100+Pod#.8    NA or 4001
Remote Labs > Topology (topology diagram, not reproduced in the text)
Virtual Machines
• 10 VM (Clients)
• AAA Training Server PODx
‐ DHCP Server, Radius Server: 192.168.100.102
‐ Web Server: 192.168.100.102
‐ FTP Server: 192.168.100.102 (login "admin" and password "switch")
• Podx_OV<ov_release>
‐ OmniVista 2500: 192.168.100.107
• Firewall/NAT server
‐ Podx_pfSense: 192.168.100.108

DHCP Server
• A DHCP server is running with an IP address of 192.168.100.102 and has the following scopes (where x stands for the switch number):

OmniVista 2500 & Internet Access
• An OmniVista 2500 server is configured with the IP address 192.168.100.107/24.
• The OmniVista 2500 is reachable from the RDP desktop through a web client at the URL: https://10.4.pod#.208:8443
• DNS server on the client: 10.0.0.51
• If Internet access is required for VM clients, a pre-configuration has to be done on the OS6900-A.
Campus LAN Network Solution
OmniSwitch Portfolio and Features List

Objectives
OmniSwitch Software Releases and New Features List

At the end of this module, you will be able to:
• List the OmniSwitch models and their characteristics
• Describe the features offered by the AOS Operating System
Campus Switch Quickview
ALE Portfolio (diagram)
• Management: OmniVista 2500, OmniVista Cirrus
• WLAN (OmniAccess Stellar)
‐ WiFi5: AP1201, AP1201H, AP122X, AP123X, AP1251
‐ WiFi6: AP1301, AP1301H, AP1311, AP132X, AP1360
‐ OmniAccess: AP228, AP375, AP103, OA4xxx
• LAN (OmniSwitch)
‐ Core: OS9900, OS6900
‐ Access: OS6865, OS6465, OS6360, OS2360, OS6860E, OS6860N, OS6560, OS2260
• WAN
‐ IP/MPLS: 7750 SR, 7705 SAR
‐ ESR: OA5740, OA5725R
• Location based services
• Automotive + Rail
Legend: marker = hardened / outdoor AP
OmniSwitch LAN Family

Edge – Access stackable L2+
⚫ Virtual chassis
⚫ 10/100, 1000 and Fiber
⚫ PoE
⚫ Basic routing
⚫ Energy efficient
Models: OmniSwitch 6360 (AOS L2+, Basic L3, GE uplinks); OmniSwitch 6560 (AOS L2+, Basic L3, MGIG - 10G); OmniSwitch 6465 (AOS L2+, Simple L3 GE)

Aggregation – Advanced stackable L2-L3
⚫ Virtual chassis
⚫ 10/100/1000, 10Gig
⚫ Routing, IPv4/IPv6
⚫ Advanced routing
⚫ PoE, Copper & fiber
⚫ Energy efficient / Green energy
Models: OmniSwitch 6860E (AOS Advanced L3); OmniSwitch 6860N (AOS Advanced L3); OmniSwitch 6865 (AOS Advanced L3, Fiber)

Core – High end modular core, aggregation, Data center switches L2-L3
⚫ High Availability
⚫ High Performance
⚫ 10Gig high density
⚫ I.S.S.U
⚫ VRF
⚫ MPLS, VPLS
⚫ Virtual Chassis
⚫ MC-LAG
⚫ Green energy
Models: OmniSwitch 6900 (AOS Advanced L2-L3, Aggregation/Core, DC TOR 10/25/40/100 GE); OmniSwitch 9900 (Modular Chassis, AOS Advanced L3, 10/40 GE)
Campus Switch Description
OmniSwitch 6360
OMNISWITCH 6360

MAIN CHARACTERISTICS
Gigabit Ethernet LAN switch
10, 24, 48 port models (PoE/non-PoE)
1G user port models
Increased Uplink/VFL speeds: 10GBaseT ports
Partial (optimized) PoE budget models
Full PoE budget models
Fast & Perpetual PoE support
Increased # of Fan-less models
9 models in the family

Models
OS6360-(P)10: 8 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at; 2 fixed RJ45 (1G) uplink ports; 2 SFP (1G) uplink ports
OS6360-(P)24, (PH24), (P24X): 24 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at; (P)24: 2 RJ45/SFP (1G) combo ports; 2 SFP+ (1/10G) ports
OS6360-(P)48, (P48X): 48 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at; (P)48: 2 RJ45/SFP (1G) combo ports; P48X: 2 RJ45/SFP+ (1/10G) combo ports; 2 SFP+ (1/10G) ports

TYPICAL DEPLOYMENT
Gigabit Ethernet switch in small networks
Provides integrated Voice/Data/Wi-Fi solution
For networks with 1Gig access and 1Gig & 10Gig uplinks
OmniSwitch 6465
OMNISWITCH 6465

MAIN CHARACTERISTICS
Compact Hardened Value LAN switch
Virtual Chassis: Up to 4 switches in a local or remote stack (up to 10km)
Industrial PoE with HPoE (60W) on all models
Supports Cat 5E/6 cabling standards
Hot-swappable, fully redundant power supplies (AC+AC, AC+DC or DC+DC)
Switch Backup & Restore
IEEE 1588v2 PTP support
MACSec Support
Auto-fabric technology
Fanless
Alarm relay Input/Output
Basic L3 routing: IPv4 and IPv6
OS6465T-(P12) Extended Temperature Ethernet Switches
Perpetual PoE and Fast PoE are now supported on 6465P-12 (8.8R1)

Models
OS6465-P6: 4 fixed 10/100/1000 Base-T ports; POE+: IEEE 802.3at; HPoE 60W: up to 2 ports; 2 x SFP ports; Stacking ports (2 x SFP); DIN AC Power supplies: OS6465-BPN-H (180W), OS6465-BPN (75W)
OS6465(T)-P12: 8 fixed 10/100/1000 Base-T ports; POE+: IEEE 802.3at; HPoE 60W: up to 4 ports; 2 x SFP ports; Stacking ports (2 x SFP); OS6465T-P12: Extended Temp Ethernet Switch, Operating Temperature -10 to +60 ℃; DIN AC Power supplies: OS6465-BPN-H (180W), OS6465-BPN (75W)
OS6465-P28: 22 fixed 10/100/1000 Base-T ports; POE+: IEEE 802.3at; HPoE 60W: up to 8 ports; 2 x SFP ports; 4 x SFP+ ports; Stacking ports (2 x SFP+); DIN DC Power supply: OS6465-BPRD (180W); DIN AC Power supply: OS6465-BPR (180W)

TYPICAL DEPLOYMENT
Ruggedized Access switch for:
Transportation
Traffic control systems
Utilities
IP surveillance systems
Outdoor installations
OmniSwitch 6560
OMNISWITCH 6560

MAIN CHARACTERISTICS
Value Multi-GIG and 10G LAN switch
Linux based AOS software
1/10Gig or MultiGig (1G/2.5G) port models
Up to eight switches in a virtual chassis
PoE (802.3at) and HPOE (802.3bt) standards
10G, 10G remote, and 20G stacking options
Backup Power supply
MACSec Support
Same power supplies as OS6860
Metro Ethernet Features
OSPF stub area

Models
OS6560-X10 (10G): 8 x 10/100/1G Base-X ports; 2 x QSFP+ 20G stacking ports
OS6560-24X4: 24 x 10/100/1G Base-T ports; 2 x SFP 1G ports; 4 x SFP+ 1/10G ports
OS6560-P24X4: 24 x 10/100/1G Base-T POE+ ports; 2 x SFP 1G ports; 4 x SFP+ 1/10G ports
OS6560-24Z8 (Multi Gig): 16 x 10/100/1000 Base-T ports; 8 x 1G/2.5G Base-T ports; 2 x SFP+ 1/10G ports (uplink / stacking / remote stacking)
OS6560-P24Z8: 16 x 10/100/1000 Base-T ports, POE (802.3af/at); 8 x 1G/2.5G Base-T ports, POE (802.3af/at/bt) (Up to 95W on a port); 2 x SFP+ 10G ports (uplink / stacking / remote stacking)
OS6560-24Z24: 24 x 100/1G/2.5G Base-T ports; 4 x SFP+ 1/10G ports; 2 x QSFP 20G dedicated stacking ports
OS6560-P24Z24: 24 x 100/1G/2.5G Base-T ports, POE (802.3af/bt) (Up to 95W on a port); 4 x SFP+ 10G ports; 2 x QSFP 20G dedicated stacking ports
OS6560-P48Z16: 32 x 10/100/1000 Base-T ports, POE (802.3af/at) (Up to 30W on a port); 16 x 100/1G/2.5G Base-T ports, POE (802.3af/at/bt) (Up to 95W on a port); 4 x SFP+ 10G ports; 2 x QSFP 20G dedicated stacking ports
OS6560-48X4: 48 x 10/100/1000 Base-T ports; 2 x SFP ports; 4 x SFP+ 10G ports (Stacking/Uplinks)
OS6560-P48X4: 48 x 10/100/1000 Base-T ports, POE (802.3af/at) (Up to 30W on a port); 2 x SFP ports; POE (802.3af/at/bt); 4 x SFP+ 10G ports (Stacking/Uplinks)

TYPICAL DEPLOYMENT
For networks with 802.11ac multi-gig APs (over the air throughput >1G) (PoE over 2.5G access)
Access switch in 10 gigabit converged campus networks
Aggregation for wired and wireless access
Carrier and Service Provider Ethernet Access
OmniSwitch 6860E
OMNISWITCH 6860E

MAIN CHARACTERISTICS
Stackable Gigabit Ethernet LAN switch
24-port and 48-port models
Up to 264 Gb/s of wire-rate capacity
Advanced L3 routing*: VRF, Multicast, IPv4 and IPv6
Up to eight switches in a virtual chassis (local or remote stacking)
Optional choice of standard or advanced backup power
Universal Network Profiles: Policy based access
Network Analytics and Control (signature based)
Application monitoring enforcement
RESTful API and OpenFlow for SDN

Models
OS6860(E)-(P)24/48: RJ45 and/or PoE+/++ and SFP ports; 4 fixed SFP+ (1G/10G) ports; 2 VFL QSFP+ stacking ports (20G each); AC power supply
OS6860(E)-(P)24/48D: Same as OS6860(E)-P24/48, with a DC power supply
OS6860E-U28: 28 x 100/1000 Base-X SFP ports; 4 fixed SFP+ (1G/10G); 2 VFL QSFP+ ports (20G each); AC power supply
OS6860E-U28D: Same as OS6860-U28, with a DC power supply
OS6860E-P24Z8: 16 x 100/1000 Base-T POE+ ports; 8 x 2.5G Multi-Gigabit HPoE ports; 4 fixed SFP+ (1G/10G) ports; 2 VFL QSFP+ ports (20G each); AC power supply

TYPICAL DEPLOYMENT
Converged campus networks: Access switch; Multi-Gig Advanced Access; High capacity & high-density wired and wireless access; Distribution switch
Data Center: Top of Rack switch
Carrier and Service Provider Ethernet Access
OmniSwitch 6860N
OMNISWITCH 6860N

MAIN CHARACTERISTICS
Stackable Gigabit Ethernet LAN switch
Secure virtual networks
• SPB, VxLAN*, MPLS* VPNs
• 256-bit MACsec
• Native Inline routing
WiFi 6 Ready
• Full Multi-gig Support
• 95W PoE (802.3bt)
Next-Gen HW
• Hi-speed uplinks
• 2 x 100G Stacking
Built for Next-Gen L3 Access Networks

Models
OmniSwitch 6860N-P24M (NEW in R8.8): 24 x 100/1/2.5/5/10G, MACsec; All ports 95W 802.3bt PoE; VC 2 x 20/40/100G
OmniSwitch 6860N-P24Z (NEW in R8.8): 12 x 100/1/2.5/5G ports; 12 x 10/100/1G ports; PoE 802.3bt: 60W on the 12 x 1G ports, 95W on the 12 x 5G m-gig ports; VC 2 x 20/40/100G
OmniSwitch 6860N-P48M: 36 x 100/1G/2.5G BaseT bt PoE; 12 x 100/1G/2.5G/5G/10G BaseT bt PoE; 2 QSFP28 VFL ports; 1 expansion slot
OmniSwitch 6860N-P48Z: 36 x 1GBaseT 60W PoE, 12 x 5G multi-gig 95W PoE, 4 x 10/25G SFP28 fixed, MACsec uplinks
OmniSwitch 6860N-P24Z8: 24 x 1GBaseT 60W PoE, 12 x 5G multi-gig 95W PoE, 4 x 10/25G SFP28 fixed, MACsec uplinks
OmniSwitch 6860N-U28: 24 x 100/1000BaseX, 4 x 1/10G SFP+, 4 x 10/25G SFP28 fixed uplinks. All ports MACsec capable.

TYPICAL DEPLOYMENT
Converged campus networks
• Multi-Gig Advanced Access
• Access switch
• High capacity & high-density wired and wireless access
• Distribution switch
Data Center
• Top of Rack switch
Carrier and Service Provider Ethernet Access
OmniSwitch 6865
OMNISWITCH 6865

MAIN CHARACTERISTICS
Advanced Ruggedized Ethernet LAN switch
Optional backup power
Up to eight switches in a virtual chassis
Local or remote stacking
Advanced L3 routing license
Universal Network Profiles: Policy based access
Network Analytics and Control with signature based traffic inspection
RESTful API and OpenFlow for SDN
Metro Ethernet Features
IEEE 1588v2: Precision Time Protocol (PTP)
Pre-defined role templates in AG for IEDs, Cameras
Multicast Over SPB Optimizations
Operating Temperature -10 to +60 ℃

Models
OS6865-P16X: 8 x 10/100/1000 ports (POE+); 4 x 10/100/1000 ports (POE+, HPoE 75W); 2 x 1G SFP ports (uplink); 2 x SFP+ ports (1G/10G, uplink or stacking); Up to 320W PoE Budget
OS6865-P16XD: Same as OS6865-P16X, with a DC power supply
OS6865-U12X: 2 x 1G BaseX SFP ports; 4 x 100/1000 Base-T HPoE ports (all are 75W PoE capable); 4 x 100/1000 BaseX SFP ports; 2 x SFP+ ports (1G/10G) (uplink or stacking); Up to 300W PoE Budget
OS6865-U12XD: Same as OS6865-U12X, with a DC power supply
OS6865-U28X: 20 x 100/1000 BaseX SFP ports; 4 x 100/1000 BaseT HPoE ports (all are 75W PoE capable); 4 x SFP+ ports (1G/10G) (uplink/stacking); 2 x 20G QSFP stacking ports; Up to 280W PoE Budget
OS6865-U28XD: Same as OS6865-U28X, with a DC power supply

TYPICAL DEPLOYMENT
Ruggedized Advanced Access switch for:
Industrial applications
Utility and transportation networks
Access layer in outdoor cabinets
Carrier and Service Provider Ethernet Access
Security & Surveillance
OmniSwitch 6900
OMNISWITCH 6900

MAIN CHARACTERISTICS
Stackable 10/25/40/100 Gig LAN switch
Sub-microsecond latency
Up to 2.56 Tb/s of wire-rate capacity
Redundant power
Front to back or back to front cooling models
Advanced L3 routing: VRF, Multicast, IPv4 and IPv6
Universal Network Profiles; Policy based VM movement
Fiber Channel connectivity (FIP Snooping, FCoE/FC Gateway)
Auto-Intelligent Fabric
In Service Software Upgrade
Shortest Path Bridging (SPB), IPv4/IPv6 routing over SPB
Virtual Extensible LAN (VxLAN)
RESTful API and OpenFlow for SDN
Virtual chassis technology

Models
OS6900-X20 (X40), 10/40 Gig: 20 (40) SFP+/FCOE ports (1G/10G); Up to 32 (64) SFP+/FCOE ports; Up to 6 x 40G QSFP+/FCOE ports; Up to 12 (24) x 8G Fiber channel ports
OS6900-T20 (T40): 20 (40) fixed 10GBase-T ports (IEEE 802.3an); Up to 28 (56) 10GBase-T ports; Up to 3 (6) x 40G QSFP+/FCOE ports; Up to 12 (24) x 8G Fiber channel ports
OS6900-X72: 48 fixed SFP+/FCOE (1G/10G) ports; 6 fixed QSFP+/FCOE (40G or 4x10G) ports; Up to 72 SFP+ (10G) ports (splitter)
OS6900-V72, 10/25/40/100 Gig: 48-port unpopulated SFP28 (10/25GE); 6-port unpopulated QSFP28 (40/100G); SFP28 ports operate at 1/10/25GE; QSFP28 ports operate at 1/10/25/40/100GE
OS6900-C32(E) (C32E NEW in R8.8): 32-port unpopulated QSFP28 ports, operate at 100GE, 40GE, 4x25GE or 4x10GE
OS6900-X48C6: 48 fixed SFP+ (1G/10G) ports; 6 fixed QSFP28 ports 10/25/40/100 GE; Up to 72 SFP+ (10G) ports (splitter)
OS6900-T48C6: 48 fixed Base-T (1G/10G) ports; 6 fixed QSFP28 ports
OS6900-X48C4E: 48 ports unpopulated SFP+ 1/10 GE; 4 ports unpopulated QSFP28 100/40/4x25/4x10 GE
OS6900-V48C8: 48 ports unpopulated SFP28 1/10/25 GE; 8 ports unpopulated QSFP28 100/40/4x25/4x10 GE

TYPICAL DEPLOYMENT
For core networks of large networks
Top-of-rack or Spine switches in Data Center networks demanding a high 10G or 40G port density and/or FC connectivity
OmniSwitch 9900
OMNISWITCH 9900

MAIN CHARACTERISTICS
Chassis based LAN Switch with 5 line card slots
Low latency Campus LAN Chassis
2 x CMM with 2 integrated 40G ports (also act as 4x10G)
GigE RJ45, SFP, SFP+ and QSFP line cards
1/2.5/10/40/100 GigE
160Gbps switching
2.56Tbps Full Duplex current switching capacity
480 Gbps/Slot
Hardware Redundancy: Power supply, Management, Switch fabric, Fans
Internal POE supply / HPoE up to 75W & 802.3at support
Power Supply options: PS-AC (3000W@220V / 1200W@110V), PS-DC (2500W)

Chassis and power
OS9907
OS99-PS-A or OS99-PS-D: 3000W@220V / 1200W@110V, 2500W
Redundant Power supplies 3+1

Line cards
OS99-GNI-48: 48 x RJ-45 10/100/1000-BaseT ports
OS99-GNI-P48: 48 x RJ-45 10/100/1000-BaseT PoE ports; 8 ports HPoE (75W); 40 ports 802.3at (30W)
OS99-GNI-U48: 48 unpopulated wire rate SFP 1000Base-X ports
OS99-XNI-U24: 24 x 1/10GigE SFP+ ports
OS99-XNI-U48: 48 x 1/10GigE SFP+ ports
OS99-XNI-24/48: 24/48 x RJ-45 1/10-GigE BaseT ports
OS99-XNI-P24Z8: 16 x 1G/10G Base-T ports; 8 x 1G/2.5G/10G Base-T ports; Ports 1-8: 10/100/1000/2500/5000/10000 Mbps, support 75W HPoE; Ports 9-24: 10/100/1000/10000 Mbps, up to 30W POE (at)
OS99-XNI-P48Z16: 32 x 1G/10G Base-T 802.3at PoE ports; 16 x 1G/2.5G/10G BaseT 802.3bt PoE ports; Ports 1-8 support 75W HPoE; ports 9-48 up to 30W (at)
OS99-CNI-U8: 32 x 100G unpopulated wire rate QSFP28 ports
OS99-XNI-U12Q: 12 x 1/10G SFP+; 1 x 10/40G QSFP
OS99-XNI-UP24Q2: 12 x 1/10G SFP+; 12 x 1/10G-BaseT; 2 x 40G QSFP; 12 ports up to 75 W (HPoE)

TYPICAL DEPLOYMENT
Converged campus networks: Core/aggregation switch
Data Center: End of Row Switch; Spine-Leaf Architecture (L3 design)
OS9907 – CFM2
OS9907-CFM2

MAIN CHARACTERISTICS
New fabric card for OS9907 chassis
Single ASIC with 6.4 Tbps switching capacity
Increases performance 5 times compared to the current fabric card OS9907-CFM (1.28 Tbps). Using dual fabric cards, chassis switching capacity on OS9907 will increase to 12.8 Tbps ingress/egress for a total of 25.6 Tbps.
Same form and fit as the current fabric card
Works with all current line cards
Enables 100G line card to become wire-rate
NOTE: A mix of CFM and CFM2 will not be allowed in the same chassis
CFM2 available on Release 8.8.R1
OEM Switches
OmniSwitch 2260
OMNISWITCH 2260

MAIN CHARACTERISTICS
Gigabit Ethernet LAN switch
8-, 24- and 48 ports
Fan-less on 10/P10, 24/P24 models
Standalone
Advanced Layer2+ with static routing
Optimized PoE+ budget
PPoE/FPoE
1G user port/uplink models
OmniVista Cirrus Support
Limited CLI, Webview2.0
No 10G uplinks
No Backup Power Supply
No Stacking

Models
OS2260-(P)8 / OS2260-(P)10 (NEW): 8 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at/af; 4 fixed SFP (1G) ports
OS2260-(P)24 (NEW): 24 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at/af; 2 fixed SFP (1G) ports
OS2260-(P)48 (NEW): 48 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at/af; 2 fixed RJ45/SFP (1G) ports

TYPICAL DEPLOYMENT
• Small and medium-sized business network solutions
• High-speed desktop connectivity
• Secure wireless connectivity
• Unified communications (IP telephony, video, and converged solutions)
OmniSwitch 2360
OMNISWITCH 2360

MAIN CHARACTERISTICS
Stackable Gigabit LAN switches
24- and 48-port models
Gigabit Ethernet SFP uplink ports or 10 Gigabit Ethernet SFP+ uplink ports (X models)
Reduced power consumption with energy efficient ethernet (EEE) technology
Simplified web-based management
Fanless with non-POE 8 and 24 ports model
Easy MAC/IP-based ACLs
No Backup Power Supply

Models
OS2360-(P)24 (NEW): 24 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at/af; 2 fixed SFP (1G) ports
OS2360-P24X: 24 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at/af; 2 SFP+ (1/10G) uplink ports; 2 SFP+ (1/10G) VFL ports
OS2360-(P)48 (NEW): 48 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at/af; 2 fixed RJ45/SFP (1G) ports
OS2360-P48X: 48 fixed 10/100/1000 Base-T ports; POE: IEEE 802.3at/af; 2 fixed SFP (1G) uplink ports; 2 SFP+ (1/10G) uplink ports; 2 SFP+ (1/10G) VFL ports

TYPICAL DEPLOYMENT
• Branch and campus workgroups
• SMB networks
OmniSwitches comparison
OmniSwitch WebSmart 2260, 2360 comparison

Criterion | OS2260 | OS2360
Software | OEM | OEM
Features | L2, Non Stackable | L2, Stackable
Routing | Basic static | Basic static
User ports | 10M/100M/1G, 802.3at support | 10M/100M/1G, 802.3at support
Uplinks | 1 Gbps | 1/10 Gbps
Stacking | No | Yes
Switching | 80.4 Mpps | 133.9 Mpps
Fabric Capacity | 216 Gb/s | 216 Gb/s
Traffic Analysis | No | No
Advanced Security | AG, UNP | AG, UNP
Management | OmniVista™ 2500 NMS | OmniVista™ 2500 NMS
Mac Table | 16K | 16K
Routing Table | 2 Static entries | 32 Static entries
Multicast | IGMP / Switching | IGMP / Switching

OmniSwitch 6360, 6560 comparison

Criterion | OS6360 | OS6560
Software | AOS 8 base | AOS 8 base
Features | AOS L2 & Basic L3, Stackable | AOS L2 & Basic L3, Stackable
Routing | Basic static and RIP/RIPng | Static, RIP/RIPng, OSPF Stub area
User ports | 10M/100M/1G, 802.3at support | 10M/100M/1G/2.5G, 802.3at/bt, 95W POE (1 port)
Uplinks | 10 Gbps | 10 Gbps
Stacking | 20 Gbps links | 10/20 Gbps links
Switching | 208 Mpps | 208 Mpps
Fabric Capacity | 140 Gb/s | 168 Gb/s
Traffic Analysis | Network Analytics | Network Analytics
Advanced Security | AG, UNP, CP, BYOD | AG, UNP, CP, BYOD
Management | OmniVista™ 2500 NMS | OmniVista™ 2500 NMS
Mac Table | 16K | 16K
Routing Table | 256 entries | 256 entries
Multicast | IGMP / Switching | IGMP / Switching

OmniSwitch 6860, 6900, 9900 comparison

Criterion | OS6860/6860E | OS6860N | OS6900 | OS9900
Software | AOS 8 base | AOS 8 base | AOS 8 base | AOS 8 base
Features | AOS L2 & Adv. L3, Virtual Chassis, SPB-M | AOS L2 & Adv. L3, Virtual Chassis, SPB-M | AOS L2 & Basic L3, Stackable | Chassis with 5 line card slots
Routing | Static, OSPFv2, OSPFv3, IS-IS, RIP/RIPng, BGP IPv4 | Static, OSPFv2, OSPFv3, IS-IS, RIP/RIPng, BGP | Full, advanced IP Routing | Full, advanced IP Routing
User ports | 10M/100M/1G/2.5G, 802.3at support, 60W POE+ on 4 ports (E), 75W HPOE 8 ports (P24Z8) | 10M/100M/1G/2.5G/5G, 802.3bt support | 10M/100M/1G/2.5G/10G, 40G/100G | 10M/100M/1G/2.5G/10G, 40G/100G, 802.3at/bt
Uplinks | 10 Gbps | 10 Gbps | 10/40/100 Gbps | 10/40/100 Gbps
Stacking | 80 Gbps links | 100 Gbps links | 10/40/100 Gbps links | 2x40 Gbps links
Switching | 190.6 Mpps | 758.9 Mpps | 2000 Mpps | 767 Mpps
Fabric Capacity | 264 Gb/s | 1,120 Gb/s | 64 Tb/s | 2.56 Tb/s
Traffic Analysis | Network Analytics, DPI, Application Monitoring | Network Analytics, DPI, Application Monitoring | Network Analytics | Network Analytics
Advanced Security | AG, UNP, CP, BYOD | AG, UNP, CP, BYOD, MACsec | AG, UNP, CP, BYOD | AG, UNP, CP, BYOD, MACsec
Management | OmniVista™ 2500 NMS | OmniVista™ 2500 NMS | OmniVista™ 2500 NMS | OmniVista™ 2500 NMS
Mac Table | 48K | 64K | 228K | 128K
Routing Table | 12K | 12K | 128K | 128K
Multicast | Full IP Multicast routing | Full IP Multicast routing | Full IP Multicast routing | Full IP Multicast routing
OmniSwitch - Product Data sheets
OmniSwitch Details - Product Data sheets

LAN Switches
• OmniSwitch 2200 WebSmart switch: datasheet
• OmniSwitch 2260 WebSmart switch: datasheet
• OmniSwitch 2360 WebSmart switch: datasheet
• OmniSwitch 6360 LAN switch: datasheet
• OmniSwitch 6465 L2+ Hardened LAN Switch datasheet
• OmniSwitch 6560 L2+ Multigig LAN switch: datasheet
• OmniSwitch 6860 L3 LAN switch with multigig and DPI option datasheet
• OmniSwitch 6865 L3 Hardened Switch datasheet
• OmniSwitch 6900 L3 core switch datasheet
• OmniSwitch 9900 Chassis core switch datasheet

Management Platform
• OmniVista 2500 (on premises) datasheet
• OmniVista Cirrus (cloud) datasheet

Stellar WLAN
• OmniAccess Stellar AP1101 802.11ac AP: datasheet
• OmniAccess Stellar AP1201 entry-level 802.11ac wave 2 AP: datasheet
• OmniAccess Stellar AP1201H resident 802.11ac wave 2 AP: datasheet
• OmniAccess Stellar AP1220 high performance wave 2 AP: datasheet
• OmniAccess Stellar AP1230 ultra high performance wave 2 AP: datasheet
• OmniAccess Stellar AP1251 hardened wave 2 AP: datasheet
• OmniAccess Stellar AP1301 entry level Wi-Fi 6 AP: datasheet
• OmniAccess Stellar AP1311 high performance Wi-Fi 6 AP: datasheet
• OmniAccess Stellar AP1320 high performance Wi-Fi 6 AP: datasheet
• OmniAccess Stellar AP1351 premium high-end Wi-Fi 6 AP: datasheet
• OmniAccess Stellar AP1360 hardened outdoor Wi-Fi 6 AP: datasheet
OmniSwitch LAN Campus
Software Current Releases

LAN Campus - Current Software Releases (diagram)
AOS R8: OmniSwitch 9900, OmniSwitch 6900, OmniSwitch 6860E, OmniSwitch 6860N, OmniSwitch 6865 (Ruggedized Ethernet LAN switch), OmniSwitch 6560, OmniSwitch 6465, OmniSwitch 6360

New Software Releases (diagram)
AOS R8 / AOS 8.8: OS9900, OS6900, OS6860, OS6865, OS6560, OS6465, OS6360
AOS 8.8.R1 Features

General
▪ Console Log Redirection
▪ DHCP options 2 and 12
▪ Increase Authentication Server Down Re-Auth Time
▪ Thin Client OmniSwitch
▪ AMS Controller Redundancy
▪ Hitless Upgrade for IP Services
▪ Remote NI Syslog on OS9900 (UDP/TLS)
▪ Allow miniboot shell access after authenticating with password. Allow user to modify this password.
▪ Increasing re-authentication session timer from 5 mins done through TACACS+
▪ USB backup improvement and Boot from USB and/or external flash
▪ Microservice Marketplace
▪ Support for USB->Ethernet Dongle for OoB management
▪ WV refresh and localization (french / spanish)
▪ Naas 2.0 requirements (licensing enforcement)
▪ Increase ARP table to 2048 for OS6560

QoS Features
▪ qos on VFL links
▪ Introduction to statistical jitter

Service Features
▪ DPI over SPB
▪ Hybrid NNI mode with VLAN Stacking and 802.1Q vlans on the same NNI port
▪ OAM PDU Support for EVC MEF OAM on per-CVLAN/SVLAN basis
▪ Support for additional tag-values under unp-profile mapped to services (spb/vxlan/l2gre)
▪ LPS over SPB
▪ ERP - SPB Interworking for convergence

Other
▪ mtu handling of tunneled traffic
▪ NIS enhancements/certifications
▪ MRP multi-NI Interconnect
▪ DHCPv6 guard configuration using VLAN range option

New hardware
▪ OS6900-C32E
▪ OS6860N-P24Z
▪ OS6860N-P24M
▪ OS6465E-P12
OmniVista NMS & Cirrus Software Releases evolution
OV2500 & OVC
4.6 New features
▪ AWOS 4.0.3 Stellar Support
▪ New Stellar AP1301
▪ New Stellar AP1351E
▪ Monitoring the RAPVA Health
▪ Heartbeat & Test check
▪ Local UPAM support
▪ New Omniswitch support (8.7R2 & 8.8.R1)
▪ New OS2X60 Series
▪ New OS6465-P12
▪ New OS6900 Models: OS6900-C32E, OS6900-X24C2, OS6900-T24C2
▪ New OS6860 Models: OS6860N-P24M, OS6860N-P24Z
▪ AMS Support
▪ KVM Support by OV2500 VMM
▪ Stellar Operational Improvements: Show Neighbor AP by Name, AP Uplink Health, Link speed and Duplex Status
▪ High Availability Improvement
▪ Hypervisor Certification: VmWare Esxi, MS Hyper-V, Linux KVM
LAN Campus - AOS Software Highlights

System / Management
- CLI/WebView/OmniVista 2500
- SNMP v1/2/3
- Local and remote server logging
- Policy and port-based mirroring
- Remote port mirroring
- Local port monitoring
- sFlow v5 and RMON
- UDLD and DDM
- USB disaster recovery / auto-copy
- File upload using USB, TFTP, FTP, SFTP, or SCP
- Auto-configuration
- BOOTP/DHCP client with option 60
- RFC 1588 v2 – Precision Time Protocol
- IEEE 802.1AB LLDP with MED extensions
- Network Time Protocol C/S
- Multiple VLAN Registration Protocol (MVRP)
- Port mirroring (many-to-one)
- Policy based mirroring
- Jumbo frames (9K)
- BootP/DHCP Relay
- Multinetting
- Proxy ARP / Ext Proxy ARP
- License Manager
- Application Visibility
- Analytics
- Intelligent Fabric
- RESTful API
- Open Northbound / Southbound Interfaces – SDN APIs
- OpenFlow™ 1.0/1.3
- OpenStack® neutron plugin

Quality of Service
- Traffic prioritization
- Flow-based QoS classification on L1/L2/L3/L4
- 8 internal priorities
- 802.1p/ToS/DiffServ marking
- Per CoS max bandwidth
- Statistics (# of pkt, # of byte)
- Ingress policing / egress shaping
- Multi-actions support
- Traffic prioritization: flow-based QoS
- Flow-based bandwidth management
- Queue management
- Configurable scheduling algorithm
- DiffServ architecture
- Virtual Output Queues
- LLDP PoE power negotiation
- Application fingerprinting
- Application monitoring and enforcement

Resiliency and High Availability
- Virtual Chassis
- VC Split Protection
- Shortest Path Bridging (SPB)
- IPv4/IPv6 routing over SPB
- Loopback Detection
- Smart continuous switching technology
- ISSU
- ITU-T G.8032 Ethernet Ring Protection (ERPv2)
- BFD
- IEEE 802.1s Multiple Spanning Tree
- Per-VLAN Spanning Tree (PVST+)
- Alcatel-Lucent 1x1 STP mode
- IEEE 802.3ad Link Aggregation Control Protocol (LACP) and static
- ECMP (v4 & v6)
- High Availability VLANs
- Server Load Balancing

Switching/Routing
- Multiple virtual routing and forwarding (VRF)
- VRF route leaking
- Routing Information Protocol (RIP) v1/v2
- Open Shortest Path First (OSPF) v2
- Border Gateway Protocol (BGP) v4
- IS-IS
- GRE tunneling
- VRRP v2
- Multicast routing: DVMRP, PIM-DM, PIM-SM, PIM-DIR, M-ISIS
- Graceful restart extensions for OSPF and BGP
- NDP (Neighbor Discovery Protocol)
- Bi-Directional Forwarding Detection (BFD)
- IPv6 routing: RIPng, OSPFv3, VRRPv3, BGP, ISIS

Advanced Security
- DHCP Option 82 configurable / DHCP Snooping
- IP anti-spoofing based on DHCP snooping
- Dynamic ARP Inspection
- ALE Secured Code
- Unified Access: Access Guardian, Captive Portal, User Network Profiles (UNP), BYOD
- MACsec
- LLDP security for rogue device restriction
- Authentication priority
- Loop Guard
- Learned Port Security
- sFlow®, RMON (4 groups)
- SSH, SSL, RADIUS, LDAP
- Traffic Anomaly Detection
- Auto negotiation of PoE class limit

Metro Ethernet Access Services
- Multicast TV VLAN
- Ethernet services support
- IEEE 802.1ad Provider Bridges
- IEEE 802.1aq Shortest Path Bridging (SPB-M)
- Multipoint Ethernet VPN (EVPN) over I-SID service virtualization
- Q-in-Q tunnels
- Service Access Point (SAP) profile identification
- Service VLAN (SVLAN) and Customer VLAN (CVLAN) support
- VLAN translation and mapping including CVLAN to SVLAN
- C-tag to S-tag priority mapping
- ETHOAM (802.1ag) connectivity layer
- Service Assurance Agent (SAA)
- Port Mapping (Private VLANs)
- Private VLAN
- Web Cache Coordination Protocol (WCCP)
LAN Campus - Hardened AOS Software
ALE diversified AOS (ALE Secured Code)
● Increasing security at network devices
● Same functionality and performance as the normal release
Network Protection
● Intrinsic vulnerabilities
● Code exploits
● Embedded malware
● Potential back doors
Secure Diversified Code
● Independent verification & validation of OS
● Automatic diversification on bootup
OmniSwitch R8
Connecting to the switch

Objectives
Connecting to the switch

At the end of this presentation, you will be able to:

• Describe the different possibilities of connection to the switch
Connecting to the switch: Overview
• Goal
- Remote user: login via SSH, telnet, HTTP/HTTPS (WebView) or SNMP (OmniVista)
- Local user: login via the console port
- EMP (outbound IP interface)
- Authentication server: local or external database
- OXO R > 9.1
• How it works
- Authenticated Switch Access (ASA) feature
- Allow or deny access to the available management interfaces: Console, Telnet, HTTP, HTTPS, FTP, SSH, and SNMP
- Lock or unlock session types (aaa authentication command)

-> no aaa authentication http

-> show aaa authentication
Service type = Default
1rst authentication server = local
Service type = Console
1rst authentication server = local
Service type = Telnet
Authentication = Use Default,
1rst authentication server = local
Service type = Ftp
Authentication = Use Default,
1rst authentication server = local
Service type = Http
Authentication = denied
Service type = Snmp
Authentication = Use Default,
...
Connecting to the switch > Local or Remote Connection
• Example: Allow or deny access to the available management interfaces

Before the change:
-> show aaa authentication
Service type = Default
1st authentication server = local
Service type = Console
1st authentication server = local
Service type = Telnet
Authentication = Use Default,
1st authentication server = local
Service type = Ftp
Authentication = Use Default,
1st authentication server = local
Service type = Http
Authentication = Use Default,
1st authentication server = local
Service type = Snmp
Authentication = Use Default,
...

-> no aaa authentication http

After the change:
-> show aaa authentication
Service type = Default
1st authentication server = local
Service type = Console
1st authentication server = local
Service type = Telnet
Authentication = Use Default,
1st authentication server = local
Service type = Ftp
Authentication = Use Default,
1st authentication server = local
Service type = Http
Authentication = denied
Service type = Snmp
Authentication = Use Default,
...


Connecting to the switch: Switch user account
• How it works
- User accounts are stored in the local user database and/or on external authentication servers (RADIUS or LDAP)*
- The local user DB file is named userTable8 (path: /flash/system directory)
- By default: 2 users, "admin" and "default"
- Default login name and password: Login: admin / Password: switch
- Up to 64 users can be configured in the local switch database
- User privileges: read and write access to command domains and families
* User login information and user privileges can be stored on the servers.
Connecting to the switch: Access via the console port
• Goal
- By default, a single user management account is available at the first bootup of the switch
• How it works
- Login to the console port
- By default, DCE console connection (except for the 6900 V72/C32: cross cable)
- Cable options: 1 RJ45 console port, 2 USB - RS232, 3 Micro-USB - USB, 4 Micro-USB - RS232
- More information about the cables used is available in the eBook below, in the section "If you want to know more"
- USB adapter with Bluetooth technology supported on OS6465, 6560, 6860, 6865, 6900-V72/C32; the supported USB adapters are listed in the release notes
Connecting to the switch: Access via the console port
• CLI: COMMAND LINE INTERFACE
• USE SOFTWARE LIKE TERA TERM, PUTTY, HYPERTERMINAL …

Default settings

Note: the configuration for the 6900 V72/C32 and 6860N switches is different:
Speed (baud): 115200
Parity: None
Stop bits: 1
Flow control: none
Connecting to the switch: Access via the EMP port
• Goal:
• Bypass the network interface modules (NI)
• Remotely manage the switch directly via the CMM (not available on all switches)

OS6860N

• The EMP port IP address of the master chassis (Virtual Chassis):
ip interface master emp address 172.25.167.203 mask 255.255.255.224
Connecting to the switch: Telnet, SSH, HTTP, SNMP
• Session specification *

Session                                                        AOS OmniSwitch
Telnet (V4 or V6)                                              6
FTP (V4 or V6)                                                 4
SSH + SFTP (V4 or V6 secure session)                           8
HTTP                                                           4
Total sessions (Secure Shell, Telnet, FTP, HTTP, and console)  20
SNMP                                                           50

* Extract from OmniSwitch AOS Release 8 Specifications Guide

Secure Shell public key authentication: Password, DSA/RSA Public Key
RFCs supported for SSHv2: RFC 4253 – SSH Transport Layer Protocol; RFC 4418 – UMAC: Message Authentication Code using Universal Hashing
Connecting to the switch: Access via WebView
• GOAL
• The switch can be monitored and configured using WebView
• View is limited to one switch
• Access can be secured

• HOW IT WORKS
• The WebView application is embedded in the switch and is accessible via a web browser.
Connecting to the switch: Access via WebView
• WEBVIEW CONFIGURATION
- webview server enable – Enables the WebView application (default = enabled)
- webview force-ssl enable – Forces an SSL connection between browser and switch (default = enabled)
- webview http(s) port – Changes the port number of the embedded web server
- aaa authentication http local – Checks the local database for HTTP authentication

-> show webview
WebView Server = Enabled,
WebView Access = Enabled,
WebView Force-SSL = Enabled,
WebView HTTP-Port = 80,
WebView HTTPS-Port = 443
Connecting to the switch: Access via SNMP
• SNMP — IPv4 & IPv6, on premise or on Cloud (OV Cirrus)
- Versions: SNMPv1, SNMPv2, SNMPv3
• Main applications to manage and supervise the infrastructure (OmniVista 2500 Series):
- Discovery
- Topology
- Access Guardian, UNP
- Performance
- Traps/Events
- VLAN Manager
- Locator
- Policy Mgt
- …
• OmniVista Advanced Applications:
- Analytics: displays application traffic patterns
- Quarantine Manager and Remediation: provides global device containment
- Topology
OmniSwitch AOS R8
Remote Switch Access

How to
✓ Administer the OmniSwitches remotely

Contents
1 Accessing the Switch Remotely ............................................................ 2
2 Authenticating to the Switch ................................................................ 4
2.1. Enabling the SSH connection ...................................................................... 4
2.2. Testing the SSH connection ....................................................................... 4
2.2.1. Configuring the OmniSwitch .............................................................................. 5
3 Accessing the WebView ..................................................................... 6
3.1. Setting up the HTTP Session ...................................................................... 6
3.2. Opening the WebView ............................................................................. 7
3.3. Configuring the OmniSwitch from the WebView ............................................... 8
3.4. Visualizing your chassis ........................................................................... 9
3.5. Creating a VLAN from the WebView ............................................................. 9
3.6. Deleting a VLAN from the WebView ............................................................ 10


Implementation

1 Accessing the Switch Remotely

The OmniSwitches have been reinitialized with a minimal network configuration. Please note this is not an empty configuration.
- A static route is configured to reach the administration network 10.0.0.0, giving you IP connectivity from your remote desktop to any switch of your R-Lab.

Switch   Interface     IP address         VLAN
6900-A   EMP           10.4.Pod#.1        NA
6900-B   EMP           10.4.Pod#.2        NA
6560-A   1/24          10.4.Pod#.3        4001
6560-B   1/24          10.4.Pod#.4        4001
6360-A   1/24          10.4.Pod#.5        4001
6360-B   1/24          10.4.Pod#.6        4001
6860-A   EMP or 1/20   10.4.100+Pod#.7    NA or 4001
6860-B   EMP or 1/20   10.4.100+Pod#.8    NA or 4001

- If the switch has an EMP interface (OS6900, OS6860E), an IP address will be assigned to it.
- If the switch doesn’t have an EMP interface (OS6560, OS6360), one of its interfaces is configured in an
administration VLAN (4001) and this VLAN is configured with an IP address.

- For example, check the IP interfaces of a switch which has an EMP interface (ex. 6900-A):
sw1 (6900-A) -> show ip interface
Total 3 interfaces
Flags (D=Directly-bound)

Name                             IP Address      Subnet Mask     Status Forward Device    Flags
--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CHAS1                        10.4.X.1        255.255.255.0   UP     NO      EMP
EMP-CMMA-CHAS1                   0.0.0.0         0.0.0.0         DOWN   NO      EMP
Loopback                         127.0.0.1       255.255.255.255 UP     NO      Loopback
---[truncated]---

- For example, check the IP interfaces of a switch which doesn't have an EMP interface and uses the administration VLAN 4001 (ex. 6360-A):
sw5 (6360-A) -> show vlan 4001 members

port        type        status
----------+-----------+---------------
1/1/24      default     forwarding

sw5 (6360-A) -> show ip interface
Total 2 interfaces
Flags (D=Directly-bound)

Name                             IP Address      Subnet Mask     Status Forward Device    Flags
--------------------------------+---------------+---------------+------+-------+---------+------
Loopback                         127.0.0.1       255.255.255.255 UP     NO      Loopback
admin                            10.4.X.5        255.255.255.0   UP     YES     vlan 4001

- From your Windows Desktop, open a console and try to ping the 8 switches:
C:\>ping 10.4.Pod#.1
C:\>ping 10.4.Pod#.2
C:\>ping 10.4.Pod#.3
C:\>ping 10.4.Pod#.4
C:\>ping 10.4.Pod#.5
C:\>ping 10.4.Pod#.6
C:\>ping 10.4.Pod#+100.7
C:\>ping 10.4.Pod#+100.8

2 Authenticating to the Switch


Authenticated Switch Access (ASA) provides the ability to restrict which users can configure the switch
remotely. Switch login attempts can be challenged via the local database, or a remote database such as RADIUS
or LDAP. ASA applies to Telnet, FTP, SNMP, SSH, HTTP, and the console and modem ports.

2.1. Enabling the SSH connection

- Log into the OS6560-A, then use the following command to verify that the switch checks its local database when an SSH connection is attempted:
sw3 (6560-A) -> show aaa authentication
Service type = Default
1st authentication server = local
Service type = Console
1st authentication server = local
Service type = Telnet
Authentication = Use Default,
1st authentication server = local
Service type = Ftp
Authentication = Use Default,
1st authentication server = local
Service type = Http
Authentication = Use Default,
1st authentication server = local
Service type = Snmp
Authentication = Use Default,
1st authentication server = local
Service type = Ssh
Authentication = Use Default,
1st authentication server = local

Notes > Why "local"?

The keyword "local" in "1st authentication server = local" means that the local database will be the first database polled for authentication information.

Tips
If the SSH service type has Authentication = denied, type the command:
-> aaa authentication ssh local
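As an added example (not part of the ALE course material), the following Python script parses a `show aaa authentication` listing like the one above or in the overview slides and reports which management services still accept logins over cleartext protocols; the sample listing, the function names and the audit policy are constructed for this example.

```python
"""Audit Authenticated Switch Access (ASA) from `show aaa authentication` output.
Added example, not ALE code: the listing below is constructed after the guide's
transcripts, and the policy (deny cleartext services, keep SSH) is an assumption."""
import re
from typing import Dict, List, Optional

# Constructed sample: the state after `no aaa authentication http` has been applied.
SAMPLE_OUTPUT = """\
Service type = Default
  1st authentication server = local
Service type = Console
  1st authentication server = local
Service type = Telnet
  Authentication = Use Default,
  1st authentication server = local
Service type = Ftp
  Authentication = Use Default,
  1st authentication server = local
Service type = Http
  Authentication = denied
Service type = Snmp
  Authentication = Use Default,
  1st authentication server = local
Service type = Ssh
  Authentication = Use Default,
  1st authentication server = local
"""

SERVICE_RE = re.compile(r"^\s*Service type\s*=\s*(\w+)", re.IGNORECASE)
FIELD_RE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?),?\s*$")

# Services that carry credentials and management traffic in cleartext.
CLEARTEXT_SERVICES = ("telnet", "ftp", "http")


def parse_aaa_authentication(text: str) -> Dict[str, Dict[str, str]]:
    """Return {service: {field: value}}, keys lower-cased; the guide's transcripts
    spell the server field both '1st' and '1rst', so both are normalised to '1st'."""
    services: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        svc = SERVICE_RE.match(line)
        if svc:
            current = svc.group(1).lower()
            services[current] = {}
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            key = field.group(1).strip().lower().replace("1rst", "1st")
            services[current][key] = field.group(2).strip()
    return services


def is_denied(services: Dict[str, Dict[str, str]], name: str) -> bool:
    """A service is locked when 'Authentication = denied'; a service absent from the
    listing is treated as locked (assumption, conservative for an audit)."""
    entry = services.get(name)
    return entry is None or entry.get("authentication", "").lower() == "denied"


def effective_server(services: Dict[str, Dict[str, str]], name: str) -> Optional[str]:
    """First database polled for the service; 'Use Default' resolves to the Default entry."""
    entry = services.get(name, {})
    if "1st authentication server" in entry:
        return entry["1st authentication server"]
    if entry.get("authentication", "").lower().startswith("use default"):
        return services.get("default", {}).get("1st authentication server")
    return None


def audit_asa(services: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings a defender would raise: cleartext services open, or SSH locked out."""
    findings: List[str] = []
    for svc in CLEARTEXT_SERVICES:
        if not is_denied(services, svc):
            findings.append(
                f"{svc}: cleartext service accepts logins against "
                f"'{effective_server(services, svc)}'; lock it with "
                f"'no aaa authentication {svc}'")
    if is_denied(services, "ssh"):
        findings.append("ssh: denied; re-enable with 'aaa authentication ssh local' "
                        "before locking cleartext services, or only the console remains")
    return findings


if __name__ == "__main__":
    parsed = parse_aaa_authentication(SAMPLE_OUTPUT)
    for finding in audit_asa(parsed) or ["no findings"]:
        print(finding)
```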

2.2. Testing the SSH connection

- Test the SSH connection (using the Tera Term software, available from the Windows Start button > All Programs > Tera Term > Tera Term):

* Example with switch 3 of pod 5

- Enter the following credentials:

- You are now connected to the OS6560-A via SSH:

2.2.1. Configuring the OmniSwitch

- First, we are going to change the Inactivity Timer
- Change the value of the Inactivity Timer to "60"
- Save the modification in the running directory

sw3 (6560-A) -> session cli timeout 60

sw3 (6560-A) -> write memory
File /flash/working/vcsetup.cfg replaced.
File /flash/working/vcboot.cfg replaced.

sw3 (6560-A) -> show session config
Cli Default Prompt = sw3 (6560-A) ->,
Cli Banner File Name = ,
Cli Inactivity Timer in minutes = 60,
Ftp Banner File Name = ,
Ftp Inactivity Timer in minutes = 4,
Http Inactivity Timer in minutes = 4,
Http Banner File Name = ,
Login Timer in seconds = 55,
Maximum number of Login Attempts = 3,

3 Accessing the WebView

The OmniSwitch can also be monitored and configured using WebView (Alcatel-Lucent Enterprise's web-based device management tool). The WebView application is embedded in the OmniSwitch and is accessible via a web browser.

3.1. Setting up the HTTP Session

- Check that the HTTP service is enabled (ex. 6560-A):
Pod11sw3 login: admin
Password: switch

Sw3 (6560-A) -> show aaa authentication
[/TRUNCATED]
Service type = Http
Authentication = Use Default,
1rst authentication server = local
[/TRUNCATED]

- As you can see here, HTTP authentication is enabled, and the first authentication server to be polled is the local database.
Notes
By default, WebView is enabled on the OmniSwitch but you are not allowed to authenticate. On the Remote-Lab, WebView access has already been enabled.

It is possible to disable it with the command: no aaa authentication http

- Check the WebView status:

sw3 (6560-A) -> show webview
WebView Server = Enabled,
WebView Access = Enabled,
WebView Force-SSL = Enabled,
WebView HTTPS-Port = 443

Tips
SSL is forced by default in Release 8. This means that you can't connect with plain HTTP on R8 OmniSwitches; you will be automatically redirected to an HTTPS connection.

3.2. Opening the WebView

- From the Windows Desktop, open a web browser (ex. Firefox, Chrome)
- In the URL area, type https://<IP address of OS6560-A> (10.4.Pod#.3)
- Log in to WebView with the admin credentials:
User Name : admin
Password : switch
Language : English

After a successful connection, the dashboard page appears.

The switch configuration is divided into seven main configuration groups:
- Physical,
- Layer 2,
- Networking,
- Service management,
- Security,
- Quality of service,
- Device management.

3.3. Configuring the OmniSwitch from the WebView

- First, we are going to change the Inactivity Timer from WebView.
- From the horizontal menu bar at the top of the page, select Security > ASA, then click Session and then Configuration.
- Change the value to "45" for the CLI interface and "15" for WebView, then click Apply at the bottom of the page.

- From the CLI, check that the modification has been taken into account:
sw3 (6560-A) -> show session config
Cli Default Prompt = sw3 (6560-A) ->,
Cli Banner File Name = ,
Cli Inactivity Timer in minutes = 45,
Ftp Banner File Name = ,
Ftp Inactivity Timer in minutes = 4,
Http Inactivity Timer in minutes = 15,
Http Banner File Name = ,
Login Timer in seconds = 55,
Maximum number of Login Attempts = 3,

- Return to the WebView application. In the horizontal icon bar at the top of the page, select the third icon from the left (write memory).
- Click Yes to save the modification in the active directory (running).


3.4. Visualizing your chassis

- In the horizontal menu bar at the top of the page, select Physical, then in the "Chassis management" column, click on "Chassis visualization".
- You can hover with your mouse over the ports to get more information. By clicking on a port you will be redirected to the chassis port configuration page.

3.5. Creating a VLAN from the WebView

- Select Layer 2 > VLAN in the VLAN management column or in the left menu.
- Click on the "+" icon to create a new VLAN.
- The table of the VLANs created on the switch is displayed.

Vlan : 59
Description : Student

- Click on SUBMIT; the new VLAN 59 is displayed in the table.

- Connect to the OmniSwitch 6560-A and verify that the VLAN has been created on the OmniSwitch:

sw3 (6560-A) -> show vlan
vlan   type    admin   oper   ip     mtu    name
------+-------+-------+------+------+------+------------------
1      std     Ena     Dis    Dis    1500   VLAN 1
59     std     Ena     Dis    Dis    1500   student
4001   std     Ena     Ena    Ena    1500   Admin
4094   vcm     Ena     Dis    Dis    1500   VCM IPC

3.6. Deleting a VLAN from the WebView

- Select Layer 2 > VLAN Mgmt in the left-hand menu
- Select the VLAN(s) to be deleted from the table (e.g. VLAN 59)
- Click on the "trash bin" icon on the right
- Click on Yes

- In the CLI of the OmniSwitch 6560-A, verify that the VLANs have been deleted and save the configuration to the flash running directory

sw3 (6560-A) -> show vlan
vlan   type    admin   oper   ip     mtu    name
------+-------+-------+------+------+------+------------------
1      std     Ena     Dis    Dis    1500   VLAN 1
4001   std     Ena     Ena    Ena    1500   Admin
4094   vcm     Ena     Dis    Dis    1500   VCM IPC

sw3 (6560-A) -> write memory
File /flash/working/vcsetup.cfg replaced.
File /flash/working/vcboot.cfg replaced.
OmniSwitch R8
Managing Files/Directories

Objectives
Managing Files/Directories

At the end of this presentation, you will be able to:

• Describe the specificities of the OmniSwitch bootup process
• Describe the OmniSwitch directories architecture
• List the OmniSwitch Command Line Interface (CLI) specificities
OmniSwitch Switches Models in R8

AOS RELEASE 8: OMNISWITCH 6360, OMNISWITCH 6560, OMNISWITCH 6860E/N, OMNISWITCH 6900, OMNISWITCH 9900

HARDENED SWITCHES: OMNISWITCH 6465, OMNISWITCH 6865
AOS R8 Managing Files/Directories
FLASH MEMORY
• Rollback based on the working, certified and user-defined directories
• Additional user-defined directories
- Created by the user (any name)
- Can be used to store additional switch configurations
- Configuration changes CAN be saved directly to any user-defined directory

Directory content:
WORKING: Tos.img, vcboot.cfg, vcsetup.cfg
CERTIFIED: Tos.img, vcboot.cfg, vcsetup.cfg
USER DIR.: Tos.img, vcboot.cfg, vcsetup.cfg
NETWORK: Policy.cfg, log files* (swlog_chassis1 to 1.6 files and swlog_archive, max 40 files)

Configuration and image files per platform (* extract from "Release Notes – Rev. A" - Release 8.7R2):
Platform          Configuration files       Image files (AOS)
OS6360            vcboot.cfg, vcsetup.cfg   Nosa.img
OS6465 / OS6560   vcboot.cfg, vcsetup.cfg   Nos.img
OS6860 / OS6865   vcboot.cfg, vcsetup.cfg   Uos.img
OS6860N           vcboot.cfg, vcsetup.cfg   Uosn.img
OS6900            vcboot.cfg, vcsetup.cfg   Tos.img; Yos.img (V72/C32/X48C6/T48C6/X48C4E/V48C8)
OS9900            vcboot.cfg, vcsetup.cfg   Mhost.img, Mos.img, Meni.img
AOS R8 Managing Files/Directories
• System Boot Sequence
1. Bootstrap basic operation (U-Boot, from BOOTROM): hardware initialization, memory diagnostics
2. AOS is copied and loaded into RAM
3. Image selection from the root directory, then boot (kernel): the image contains its own copy of the kernel specific to the SW version (KERNEL.LNK from the OS package in the WORKING, CERTIFIED or USER-DEFINED directory)
4. Running directory
AOS R8 Managing Files/Directories
• Where the switch boots from
- If the WORKING (or USER-DEFINED) directory content is the same as the CERTIFIED directory content: the switch boots from the WORKING (or USER-DEFINED) directory, which becomes the running configuration in RAM
- If the WORKING (or USER-DEFINED) directory content is different from the CERTIFIED directory content: the switch boots from the CERTIFIED directory, which becomes the running configuration in RAM

Command to force reboot from the WORKING directory or a user-defined directory:
-> reload from working no rollback-timeout
-> reload from <userdefined> no rollback-timeout

Command to force reboot from the CERTIFIED directory:
-> reload all
AOS R8 Managing Files/Directories
• Configuration Rollback
- Running directory*: the directory which the switch booted from and where the configuration changes will be saved
* Except when the running directory is the certified directory

- WORKING & CERTIFIED directories are different
- RAM content is different from the WORKING directory content, for example: a configuration done in RAM but not saved on flash (lost in case of reboot)

sw7 (OS6860-A) -> write memory

- WORKING and CERTIFIED directories content are still different
- The content of the RAM memory and the WORKING directory are now similar (synchronized)

* Running configuration (RAM): current operating configuration of the switch retrieved from the running directory in addition to any configuration changes made by the user.
AOS R8 Managing Files/Directories
• Configuration Rollback
- WORKING and CERTIFIED directories are still different

-> copy running certified

- WORKING and CERTIFIED directories are now similar
- write memory flash-synchro = write memory + copy running certified
AOS R8 Managing Files/Directories
• When the switch boots from the CERTIFIED directory, changes made to the switch cannot be saved and files cannot be moved between directories.
- Whether the running directory was WORKING or a user-defined directory, if its content is different from the CERTIFIED directory content, the running configuration in RAM comes from the CERTIFIED directory.
AOS R8 Configuration Backup & Restore
• Configuration Backup
• Backup of the session banner, userTable* and vcboot.cfg files
• The configuration backup command creates a .tar file in which the collected files are stored
- The tar file name is "configuration_backup.tar" and it is placed in the "/flash/config-backup-recovery" folder
• Up to 10 .tar files can be stored in the /flash/config-backup-recovery directory

• Configuration Restore
• When the "restore" option is used, the switch:
- Selects the "configuration_backup.tar" file in the "/flash/config-backup-recovery" folder
- Extracts the .tar file to get the userTable, session banner, and vcboot.cfg files.
AOS R8 Managing Files/Directories
• USB Backup and Restore
- If a USB drive is plugged in, the switch automatically stores image files, power supply and system configuration files to the USB storage drive upon the user commands "write memory", "copy running certified" or "copy flash-synchro", if USB backup is enabled on the switch.
- The USB drive can be used to restore images and config (power supply and system) from the USB drive on a switch with the usb auto-copy command enabled.
- If the user configures a password at the time of enabling the backup and restore, then the corresponding backup and restore content is encrypted and decrypted.

usb backup admin-state {enable | disable} [key <> | hash-key <>]

usb auto-copy <enable | disable> copy-config <enable | disable> from <directory-path> [key <> | hash-key <>]
AOS R8 Thin Client OmniSwitch
• No configuration is stored on the switch. It contacts OmniVista 2500 to retrieve the config.
• Thin-client mode is configured through the activation process.
• The switch boots up normally and registers to OV 2500 as part of the activation process.
- Thin-client mode must be configured as part of the activation response message.
• In thin-client mode, no configuration is saved in the 'running' directory
- But there will be a vcboot.cfg with the minimal network reachability configuration.
• 'write memory' can be executed but configurations will not be saved to the vcboot.cfg file.
- All configuration changes should be done in OV 2500.

(Figure: the switch calls home, and OmniVista 2500 sends the config.)
AOS R8 CLI – Help > Quick Walkthrough
• Command Line Interface (CLI) specifications

Online Help: a '?' can be used to get a list of all possible commands
-> v?
VIEW VI
-> vlan ?
PORT NO IPMVLAN 802.1Q <vid> <vlan1-vlan2>

Directory management commands:
pwd – shows current directory.
cd – changes directory.
mkdir – creates a new directory.
ls – lists contents of a directory.
dir – lists contents of a directory.
mv – moves a file.
cp – copies a file.
rm – removes a file.

Built-in filtering:
-> show vlans | more
-> show mac-learning | grep 00:20:da:55:56:76
-> show ip ospf routes | egrep "^10\.10.*" | sort | less

CLI line editor and history:
-> history
1 write memory
2 show running-directory
3 ls /flash/working
4 show microcode working
5 show microcode certified
6 ls /flash/working

Completion: recognizes partial keywords of the CLI command syntax, e.g. sh vl for show vlan
OmniSwitch AOS R8
OmniSwitches Directories Content (R8)

How to
✓ Manage the OmniSwitches R8 main directories content

Contents
1 Introduction .................................................................................... 2
2 Viewing the Image & Configuration Files .................................................. 2
3 Checking the working and certified Directories .......................................... 2
3.1. Displaying the working and certified directories content .................................... 2
3.2. Displaying the microcode version ................................................................ 3
4 Booting behavior in Release 8 ............................................................... 3
5 Determining from which directory the switch was loaded? ............................. 3
6 Synchronizing RAM and Running Directory ................................................. 4
7 Saving the Running Configuration to Working Directory ................................. 5
8 Creating a User-Defined Directory .......................................................... 7
9 Changing the User Directory ................................................................. 8
10 Annex: USB Backup & Restore ............................................................... 9


1 Introduction
In Release 8, the management of an OmniSwitch is controlled by 2 types of files:
- Image files, which are proprietary code developed by Alcatel-Lucent Enterprise to run the hardware.
- Configuration files, named vcboot.cfg and vcsetup.cfg, in text format, which set and control the configurable functions.

The directory structure that stores the image and configuration files is divided into several parts:
- The certified directory contains files that have been certified by an authorized user as the default files for the switch.
- The working directory is a holding place for new files. Files in the working directory must be tested before committing them to the certified directory.
- The user-defined directories are created by the user and are like the working directory in that they can contain image and configuration files.
- The running directory is the directory where the configuration changes will be saved.
- The running configuration, stored in RAM, contains the current operating parameters of the OmniSwitch obtained from the image and configuration files.

2 Viewing the Image & Configuration Files

- Logging into the OmniSwitch
o Open the OS6560-A serial console (shortcut available on the Windows desktop).
o Use the following authentication credentials:
Login: admin
Password: switch

3 Checking the working and certified Directories

3.1. Displaying the working and certified directories content

- Check the files that are in each directory by entering the following:
sw3 (6560-A) -> ls -l /flash/working |or| ls -l /flash/certified
total 109220
-rw-r--r-- 1 admin user 111683640 Sep 26 01:04 Nos.img
-rw------- 1 root root 46 Nov 3 03:17 boot.md5
-rwxr-xr-x 1 admin user 153 Nov 3 03:17 cloudagent.cfg
-rw-r--r-- 1 admin user 237 Jun 11 2016 cspbroker.conf
-rw-r--r-- 1 admin user 74 Sep 1 2015 imgsha256sum
drwxr-xr-x 4 admin user 4096 Jun 1 02:18 pkg
-rw-r--r-- 1 admin user 2787 Nov 3 03:15 vcboot.cfg
-rw-r--r-- 1 admin user 209 Nov 3 03:15 vcsetup.cfg

3.2. Displaying the microcode version

- To display the microcode version installed on the OmniSwitch:
sw3 (6560-A) -> show microcode working |or| show microcode certified |or| show microcode loaded
/flash/working
Package           Release                   Size      Description
-----------------+-------------------------+---------+-----------------------------------
Nos.img           8.7.98.R03                111683640 Alcatel-Lucent OS

Notes: "Loaded"?
- Loaded displays the currently active microcode versions.
- Entering the command show microcode also displays the currently active microcode version.

4 Booting behavior in Release 8

- At the time of a normal boot (cold start):


- The switch will boot from the certified directory if its contents (images and vcboot.cfg) differ from
the running directory (which can be the working directory or a user-defined directory).
- If the contents are the same, the switch will boot from the running directory (which can be the working
directory or a user-defined directory).

Warning > The “reload all” command particularity


IF THE OMNISWITCH IS REBOOTED WITH THE “RELOAD ALL” COMMAND, IT WILL REBOOT FROM THE CERTIFIED
DIRECTORY, NO MATTER WHAT THE CONTENT OF THE RUNNING DIRECTORY IS (SAME/DIFFERENT THAN THE
CERTIFIED DIRECTORY CONTENT)

- If the running directory is the certified directory, you will not be able to save any changes made to the
running directory. If the switch reboots, any configuration changes will be lost. In order to save
configuration changes, the running directory cannot be the certified directory.

5 Determining from which directory the switch was loaded


When a switch boots the RUNNING CONFIGURATION will come from either the certified, working, or
a user-defined directory. A switch can be rebooted to run from any directory using the reload from command.

To check from which directory the OmniSwitch is running, and the content comparison between the WORKING
and CERTIFIED directories:
sw3 (6560-A) -> show running-directory

CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED

- Running configuration: WORKING > the OmniSwitch is running from the working directory.
- Certify/Restore Status: CERTIFIED > the working directory content matches the certified directory
content.
- Running Configuration: SYNCHRONIZED > the running configuration matches the WORKING configuration.

6 Synchronizing RAM and Running Directory


Perform some configuration to make the running configuration different from the configuration stored in the
working and certified directories. Observe what happens.

- Performing modifications in the configuration


o Create 3 new VLANs (2, 3, and 99):

sw3 (6560-A) -> show vlan


vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Dis Dis 1500 VLAN 1
4001 std Ena Ena Ena 1500 Admin
4094 vcm Ena Dis Dis 1500 VCM IPC

sw3 (6560-A) -> vlan 2


sw3 (6560-A) -> vlan 3
sw3 (6560-A) -> vlan 99

sw3 (6560-A) -> show vlan


vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Dis Dis 1500 VLAN 1
2 std Ena Dis Dis 1500 VLAN 2
3 std Ena Dis Dis 1500 VLAN 3
99 std Ena Dis Dis 1500 VLAN 99
4001 std Ena Ena Ena 1500 Admin
4094 vcm Ena Dis Dis 1500 VCM IPC

- 3 new VLANs are now created. Changes are made to the configuration file in RAM. These changes take
effect immediately but are not written permanently; they will be lost if the OmniSwitch reboots.

sw3 (6560-A) -> show running-directory

CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : NOT SYNCHRONIZED

- Running configuration: WORKING > the OmniSwitch is running from the WORKING directory.
- Certify/Restore Status: CERTIFIED > the working directory content matches the certified directory
content.
- Running Configuration: NOT SYNCHRONIZED > the running configuration does not match the
configuration of the working directory.

Warning > What if the OmniSwitch reboots now?


IF THE OMNISWITCH IS REBOOTED NOW (VIA A COMMAND RELOAD FROM WORKING … OR IF POWER TO THE
OMNISWITCH IS INTERRUPTED), THE OMNISWITCH WILL BOOT, ALL THE CHANGES IN THE RUNNING
CONFIGURATION WILL BE OVERWRITTEN, AND THE OMNISWITCH WILL ROLL BACK TO THE WORKING DIRECTORY,
SINCE THE WORKING AND CERTIFIED DIRECTORIES ARE THE SAME.

IN OUR CASE, THE VLAN 2, 3 AND 99 WILL BE LOST, AS THEY ARE NOW STORED IN THE RUNNING
CONFIGURATION.

7 Saving the Running Configuration to Working Directory


Save the configuration (VLANs created previously) from the running directory to the working directory. Verify it
by using CLI commands.

- To save the running configuration to the working directory:


sw3 (6560-A) -> write memory

File /flash/working/vcsetup.cfg replaced.

File /flash/working/vcboot.cfg replaced.

- To verify:
sw3 (6560-A) -> show running-directory

CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED

- Running configuration: WORKING > the OmniSwitch is running from the working directory.
- Certify/Restore Status: CERTIFY NEEDED > the WORKING directory does not match the CERTIFIED
directory.
- Running Configuration: SYNCHRONIZED > the running configuration matches the configuration of the
working directory.

Warning > What if the OmniSwitch reboots now?


IF THE OMNISWITCH IS REBOOTED NOW (VIA A COMMAND RELOAD ALL OR IF POWER TO THE OMNISWITCH IS
INTERRUPTED), THE OMNISWITCH WILL BOOT FROM THE CERTIFIED DIRECTORY, ALL THE CHANGES IN THE
RUNNING CONFIGURATION WILL BE OVERWRITTEN, AND THE OMNISWITCH WILL ROLL BACK TO THE CERTIFIED
DIRECTORY.

HOWEVER, SINCE THE CONFIGURATION FILE WAS SAVED TO THE WORKING DIRECTORY, THAT FILE IS STILL IN
THE WORKING DIRECTORY AND CAN BE RETRIEVED.

SINCE THE WORKING AND CERTIFIED DIRECTORIES ARE NOT THE SAME, THE OMNISWITCH WILL BE RUNNING
FROM THE CERTIFIED DIRECTORY.

- Let’s reboot the OmniSwitch and see what happens:


sw3 (6560-A) -> reload all
Only one reload may be active in VC mode, other scheduled reloads will be canceled
Confirm Reload All (Y/N) : y

This operation will verify and copy images before reloading.


It may take several minutes to complete.

sw3 (6560-A) -> show running-directory

CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : CERTIFIED,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED

sw3 (6560-A) -> show vlan


vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Dis Dis 1500 VLAN 1
4001 std Ena Ena Ena 1500 Admin
4094 vcm Ena Dis Dis 1500 VCM IPC

- Note that when an OmniSwitch is running from the CERTIFIED directory, it is not possible to modify the
files in the directory structure (i.e. a configuration change is applied to the running configuration, but it
cannot be saved to either the working or the certified directory):
sw3 (6560-A) -> vlan 4
sw3 (6560-A) -> write memory
ERROR: Write memory is not permitted when switch is running in certified mode

- Let’s reboot the OmniSwitch from the working directory, where the VLANs have been saved:
sw3 (6560-A) -> reload from working no rollback-timeout
Confirm Activate (Y/N) : y
This operation will verify and copy images before reloading.
It may take several minutes to complete...

- Let’s check that the VLANs are present:


sw3 (6560-A) -> show running-directory

CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED

sw3 (6560-A) -> show vlan


vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Dis Dis 1500 VLAN 1
2 std Ena Dis Dis 1500 VLAN 2
3 std Ena Dis Dis 1500 VLAN 3
99 std Ena Dis Dis 1500 VLAN 99
4001 std Ena Ena Ena 1500 Admin
4094 vcm Ena Dis Dis 1500 VCM IPC

8 Creating a User-Defined Directory


User-defined directories are like the working directory in that they can contain image and configuration files.
These directories can have any name and can be used to store additional switch configurations. Configuration
changes CAN be saved directly to any user-defined directory.

- Create a user-defined directory and copy the contents of the WORKING directory to it:

sw3 (6560-A) -> mkdir lab


sw3 (6560-A) -> cp working/*.* lab
cp: can't open 'working/boot.md5': Permission denied

Tips
The lab directory may already exist; if so, ignore the error and proceed.
During the copy, the boot.md5 file cannot be read and a “permission denied” message is displayed. This file is
auto-generated, so ignore this error and proceed.
- Now let’s see what files are stored in the newly created directory:
sw3 (6560-A) -> ls lab
Nos.img cspbroker.conf vcboot.cfg.sav
cloudagent.cfg vcboot.cfg vcsetup.cfg

- Boot the switch from the new user-defined directory (lab):


sw3 (6560-A) -> reload from lab no rollback-timeout
Confirm Activate (Y/N): y

- Once the switch boots, verify that it booted from the lab directory:
sw3 (6560-A) -> show running-directory

CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : lab,
Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED

- Running configuration: lab > the OmniSwitch is running from the user-defined lab.
- Certify/Restore Status: CERTIFY NEEDED > the running directory (“lab”) does not match the CERTIFIED
directory.
- Running Configuration: SYNCHRONIZED > the running configuration matches the configuration stored in
the running directory (here the user-defined “lab” directory)

Warning > What if the OmniSwitch reboots now?


IF THE OMNISWITCH IS REBOOTED (IF THE POWER TO THE OMNISWITCH IS INTERRUPTED), THE OMNISWITCH
WILL BOOT FROM THE CERTIFIED DIRECTORY, SINCE THE RUNNING (LAB) AND CERTIFIED DIRECTORIES ARE NOT
THE SAME (Certify/Restore Status: CERTIFY NEEDED).

- Overwrite the contents of the certified directory with the configuration from the running directory
(“lab” directory here):
sw3 (6560-A) -> copy running certified
Wed Apr 2 04:22:40 : flashManager FlashMgr Main INFO message:
+++ Verifying image directory lab on CMM flash
Wed Apr 2 04:23:04 : ChassisSupervisor MipMgr INFO message:
+++ Copy running to certified succeeded

Notes
The copy running certified command should only be done if the running configuration has been verified.

- Check the synchronization status:


sw3 (6560-A) -> show running-directory
CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : lab,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED

- Running configuration: lab > the OmniSwitch is running from the user-defined lab directory.
- Certify/Restore Status: CERTIFIED > the running directory (“lab”) matches the CERTIFIED directory.
- Running Configuration: SYNCHRONIZED > the running configuration matches the configuration stored in
the running directory (here the user-defined “lab” directory).

Warning > What if the OmniSwitch reboots now?

IF THE OMNISWITCH IS REBOOTED (IF THE POWER TO THE OMNISWITCH IS INTERRUPTED), THE OMNISWITCH
WILL BOOT FROM THE “LAB” DIRECTORY, SINCE THE RUNNING (LAB) AND CERTIFIED DIRECTORIES ARE THE SAME
(Certify/Restore Status: CERTIFIED).

9 Changing the User Directory


Another useful command is available in Release 8: the modify running-directory command. This command
changes the running directory and allows configuration changes to be saved to the new running directory. It is
useful when the switch started from the certified directory and you want to switch to the working or a
user-defined directory in order to be able to save the configuration.
- The running directory is currently “lab”. Let’s change it back to “working”:

sw3 (6560-A) -> show running-directory


Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : lab,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED

sw3 (6560-A) -> modify running-directory working


Please wait...

sw3 (6560-A) -> show running-directory


Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED
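The three fields of show running-directory decide what a reboot does and whether write memory is accepted. As an added example (not part of the lab or of AOS), this Python script parses that output and applies the rules of sections 4 to 9; the three sample outputs are copied from the transcripts above.

```python
"""Added example (not part of the lab): read 'show running-directory' output and
state what the rules of this module imply for a reboot and for 'write memory'."""

# Sample outputs, copied from the lab transcripts above.
AFTER_VLAN_CREATION = """\
CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : NOT SYNCHRONIZED
"""

AFTER_WRITE_MEMORY = """\
CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFY NEEDED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED
"""

AFTER_RELOAD_ALL = """\
CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : CERTIFIED,
Certify/Restore Status : CERTIFIED
SYNCHRONIZATION STATUS
Running Configuration : SYNCHRONIZED
"""


def parse_running_directory(text):
    """Return {(section, key): value}. The two 'Running configuration' keys differ
    only by case, so the section header ('... STATUS') is part of the key."""
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line and line.endswith("STATUS"):
            section = line
            continue
        if section is None:
            continue
        key, _, value = line.partition(":")
        fields[(section, key.strip())] = value.strip().rstrip(",").strip()
    return fields


def assess(text):
    """Apply the module's rules: certified wins on a cold start when it differs
    from the running directory, 'reload all' always boots certified, and nothing
    can be saved while running from certified."""
    f = parse_running_directory(text)
    running = f[("CONFIGURATION STATUS", "Running configuration")]
    certify = f[("CONFIGURATION STATUS", "Certify/Restore Status")].upper()
    synced = f[("SYNCHRONIZATION STATUS", "Running Configuration")].upper() == "SYNCHRONIZED"
    from_certified = running.upper() == "CERTIFIED"

    if from_certified or certify == "CERTIFY NEEDED":
        boot_dir_power_loss = "CERTIFIED"
    else:
        boot_dir_power_loss = running

    findings = []
    if from_certified:
        findings.append("write memory is refused while running from CERTIFIED")
    if not synced:
        findings.append("RAM holds changes not saved to the running directory; "
                        "any reboot discards them")
    if certify == "CERTIFY NEEDED" and not from_certified:
        findings.append(f"running directory {running} is not certified; a power loss "
                        "or 'reload all' boots CERTIFIED and the saved changes stay "
                        "inactive on flash")
    return {
        "running_directory": running,
        "can_write_memory": not from_certified,
        "boot_dir_on_power_loss": boot_dir_power_loss,
        "boot_dir_on_reload_all": "CERTIFIED",
        "findings": findings,
    }


if __name__ == "__main__":
    for name, sample in (("after VLAN creation", AFTER_VLAN_CREATION),
                         ("after write memory", AFTER_WRITE_MEMORY),
                         ("after reload all", AFTER_RELOAD_ALL)):
        print(name, assess(sample))
```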

10 Annex: USB Backup & Restore


In Release 8, it is also possible to back up the images and configuration from the certified and running directories
to a USB key (/uflash/6860/certified and /uflash/6860/running directories).

- To enable access to the device connected to the USB port:


sw3 (6560-A) -> usb enable

Tue Aug 14 14:00:26 : uflash uflashMain INFO message:


+++ /uflash interface enable
Mounting /dev/sdb1
+++ /uflash mounted

Tue Aug 14 14:00:26 : SSAPP main INFO message:


+++ CAUTION: Do usb disable before removing usb
WARNING: CAUTION: Do usb disable before removing usb

- To enable the USB backup feature on the switch:


sw3 (6560-A) -> usb backup admin-state enable

Tue Aug 14 14:01:00 : SSAPP main INFO message:


+++ Received SET for Admin State
+++ Just before calling /bin/uflashUtils usbBackUpEnable

Tue Aug 14 14:01:00 : uflash uflashMain INFO message:


+++ /uflash back up enable
+++ USB back-up Started
+++ /flash/certified backup to USB started

sw3 (6560-A) ->


Tue Aug 14 14:01:50 : uflash uflashMain INFO message:
+++ /flash/certified backup completed
+++ /flash/working backup to USB started

Tue Aug 14 14:02:39 : uflash uflashMain INFO message:


+++ /flash/working backup completed
+++ USB backup completed

- When this command is enabled, the images and configuration from certified and running directories are
copied into /uflash/6560/certified and /uflash/6560/running directories.
- When write memory is executed and backup is enabled, the configuration files and images from
/flash/<running-directory> are copied to /uflash/6560/<running-directory name> (e.g. lab):

sw3 (6560-A) -> write memory

File /flash/working/vcsetup.cfg replaced.

File /flash/working/vcsetup.cfg saved to USB.

Tue Aug 14 14:03:20 : SSAPP main INFO message:


+++ Received SET for Admin State

File /flash/working/vcboot.cfg replaced.

File /flash/working/vcboot.cfg saved to USB.



- When usb backup admin-state is enabled and copy running certified and write memory flash-synchro
commands are executed, the configuration and images from /flash/certified will be copied to
/uflash/6560/certified:
sw3 (6560-A) -> write memory flash-synchro

File /flash/working/vcsetup.cfg replaced.

File /flash/working/vcsetup.cfg saved to USB.

Tue Aug 14 14:03:32 : SSAPP main INFO message:


+++ Received SET for Admin State

File /flash/working/vcboot.cfg replaced.

File /flash/working/vcboot.cfg saved to USB.

Tue Aug 14 14:03:32 : flashManager FlashMgr Main INFO message:


+++ Verifying image directory working on CMM flash
Please wait...

Tue Aug 14 14:03:48 : flashManager FlashMgr Main INFO message:


+++ Image file Nos.img differs - copying file

Tue Aug 14 14:04:10 : flashManager FlashMgr Main INFO message:


+++ Starting USB backup

Tue Aug 14 14:04:10 : ChassisSupervisor MipMgr INFO message:


+++ Copy running to certified succeeded

- To check the USB (uflash directory) content:


sw3 (6560-A) -> cd /uflash
sw3 (6560-A) -> ls
6560 System Volume Information
sw3 (6560-A) -> cd 6560
sw3 (6560-A) -> ls
certified working
sw3 (6560-A) -> cd working
sw3 (6560-A) -> ls
Nos.img vcboot.cfg vcsetup.cfg
sw3 (6560-A) -> cd ..
sw3 (6560-A) -> ls
certified working
sw3 (6560-A) -> cd certified
sw3 (6560-A) -> ls
Nos.img vcboot.cfg vcsetup.cfg
OmniSwitch R8
Virtual Chassis

Objectives
Virtual Chassis

At the end of this module, you will be able to:

• List the Virtual Chassis benefits
• Identify the Virtual Chassis specificities per switch model
• List the different start-up use cases
• Summarize the Virtual Chassis configuration steps
• List the synchronization steps occurring on a switch which is part of a Virtual Chassis
Virtual Chassis – Overview
• Goal
  • Virtual Chassis = Group of switches which appears as a single router or bridge
• Key Points
  • Single point of management
  • Single logical switch
  • Redundancy and resiliency supported across the switches
  • No STP/VRRP between Access and Core switches
  • Optimized bandwidth usage
  • Upgrade via ISSU (to minimize network impact)
  • No license needed
• How It Works?
  • Switches inter-connected via dedicated or optional SFP+, QSFP ports
  • Mesh or Ring topology
[Diagram: a Master chassis and Slave chassis numbered 1 to 8, inter-connected by VFL links in ring and mesh topologies]
Virtual Chassis - Topologies
[Diagram: maximum VC size per family: 4 x OS6360, 4 x OS6465, 8 x OS6560, 8 x OS6865/OS6860/E/N, 2 x OS9900]
• OS6360
  • Up to 2 stacking SFP ports (OS6360-10/P10)
  • 1G SFP ports (model P6/P12)
  • 1G/10G SFP+ ports (model P28)
• OS6465
  • Up to 2 VFL stacking ports
  • 20G VFL ports
• OS6560
  • Up to 2 VFL member ports
  • Local stacking via dedicated 20G VFL ports and/or remote stacking via the 2 last 10G SFP+ ports
• OS6860/OS6860E/N/OS6865
  • Up to 8 VFL member ports
  • Local stacking via dedicated 20G VFL ports and/or remote stacking via 10G SFP+ ports
• OS9900
  • Up to 2 VFL member ports
  • For 10Gbps: OS99-XNI-U24/48; native 40G QSFP on CMM with 40G-to-10G splitter cable
  • For 40Gbps: OS99-CNI-U8, OS99-XNI-U12Q, OS99-XNI-P12Q; native 40G QSFP ports on CMM (2 x 2 ports)
  • For 100Gbps: OS99-CNI-U8, native QSFP28 ports
Virtual Chassis - Topologies
[Diagram: 2 x OS6900 joined by a VFL, mix of models. OS6900 X/T/Q: OS6900-X20, OS6900-X40, OS6900-T20, OS6900-T40, OS6900-X72. OS6900 C/V: OS6900-V72, OS6900-C32, OS6900-X48, OS6900-T48, OS6900-X48E]
• Support of 2, 3, ... up to 6 in partial or fully mesh topology
• OS6900-V72 / OS6900-C32
  • Up to 16 VFL member ports (up to 2 VFL member ports for 10Gbps)
  • For 10Gbps: 10G SFP+ with 4X10G direct-attach splitter cable
  • For 25Gbps: native QSFP28 ports
  • For 40Gbps: native 40G QSFP
  • For 100Gbps: native QSFP28 ports
• OS6900-X20/X40
  • Up to 16 VFL member ports, 10G SFP+ or 40G QSFP
  • Native 10G SFP+ ports
  • Needs optional module for 40Gbps: OS-QNI-U3, OS-HNI-U6
• OS6900-T20/T40
  • Up to 16 VFL member ports, 10G SFP+ or 40G QSFP
  • Needs optional module for 10Gbps: OS-XNI-U4, OS-XNI-U12, OS-XNI-U12E, OS-HNI-U6
  • Needs optional module for 40Gbps: OS-QNI-U3, OS-HNI-U6
• OS6900-Q32 / OS6900-X72
  • Up to 16 VFL member ports
  • For 10Gbps: 4 x 10G SFP+ with 40G-to-10G splitter cable on native QSFP ports
  • For 40Gbps: native 40G QSFP ports
Virtual Chassis Topology Manager
• VC topology managed by ISIS-VC
• Private TLVs report the switch’s capability and numbering
• Exchange IS-IS HELLO for adjacencies and updates
• Maintains a loop-free topology for BUM traffic
• Determines the shortest path to each other element
• Builds the topology and maintains a forwarding database
• Breaks equal-cost ties in a deterministic manner, as in SPBM
[Diagram: Master chassis 1 and Slave chassis 2 to 6 exchanging IS-IS HELLO. Chassis-1: “I’m Chassis-1, my status is up, type X, my role is master”. Chassis-2: “I’m Chassis-2, my status is up, my role is slave, my master is 1, type X”. Chassis-1: “OK, chassis-2 is type X. Then all work in X mode.”]
Roles and Elections
• Master and slaves communicate to ensure that the slaves have up-to-date copies of the master’s image
files and configuration files.
• Reboot required after a slave update (new images and configuration files).
• Master/Slave election based on the virtual chassis protocol (ISIS-VC), criteria applied in this order:
  1. Highest chassis priority value
  2. Longest chassis uptime (if difference in uptime > 10 mn)
  3. Smallest Chassis ID value
  4. Smallest chassis MAC address
[Diagram: Master chassis 1 and Slave chassis 2 to 6 running IS-IS VC]
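As an added example (not from the slides or from AOS), the election order above applied in Python to the members of a VC, with a parser for the show virtual-chassis topology output used later in the lab. Uptime is not shown by that command, so it is supplied separately (constructed values); the handling of more than two members within the 10-minute window is an assumption stated in the code.

```python
"""Added example: Master election rules of the slide, plus a parser for
'show virtual-chassis topology' so the expected Master can be compared with the
role the VC actually reports."""
import re
from dataclasses import dataclass

# Slide rule: uptime decides only when the difference exceeds 10 minutes.
UPTIME_TIE_WINDOW_S = 10 * 60


@dataclass(frozen=True)
class Member:
    chassis_id: int
    priority: int
    mac: str
    uptime_s: int  # not in the topology output; supplied by the caller


def elect_master(members):
    """Criteria in order: highest priority, longest uptime (only if it leads by
    more than 10 min), smallest chassis ID, smallest MAC address.
    Assumption for more than two members: a member stays in the running only
    if its uptime is within 10 minutes of the longest one."""
    cands = list(members)
    best_pri = max(m.priority for m in cands)
    cands = [m for m in cands if m.priority == best_pri]
    if len(cands) > 1:
        longest = max(m.uptime_s for m in cands)
        cands = [m for m in cands if longest - m.uptime_s <= UPTIME_TIE_WINDOW_S]
    if len(cands) > 1:
        cands = [min(cands, key=lambda m: (m.chassis_id,
                                           int(m.mac.replace(":", ""), 16)))]
    return cands[0]


# One data row of 'show virtual-chassis topology':
#  Chas Role Status ConfigChasID OperPri Group MAC-Address
TOPOLOGY_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-f:]{17})\s*$", re.I)


def parse_topology(text):
    """Return {chassis: {...}}. A '+' status suffix marks a unit added after
    the last saved topology (see the command's legend)."""
    rows = {}
    for line in text.splitlines():
        m = TOPOLOGY_ROW.match(line)
        if m:
            chas, role, status, cfg_id, pri, group, mac = m.groups()
            rows[int(chas)] = {"role": role, "status": status.rstrip("+"),
                               "added_since_save": status.endswith("+"),
                               "configured_id": int(cfg_id), "priority": int(pri),
                               "group": int(group), "mac": mac.lower()}
    return rows


def expected_master(topology_text, uptimes_s):
    rows = parse_topology(topology_text)
    members = [Member(c, r["priority"], r["mac"], uptimes_s[c]) for c, r in rows.items()]
    return elect_master(members).chassis_id


def master_matches(topology_text, uptimes_s):
    """True when exactly one Master is reported and it is the expected one."""
    rows = parse_topology(topology_text)
    actual = [c for c, r in rows.items() if r["role"] == "Master"]
    return len(actual) == 1 and actual[0] == expected_master(topology_text, uptimes_s)


# Output copied from the lab (both chassis at the default priority 100).
TOPOLOGY = """\
Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
                              Oper   Config  Oper
Chas Role   Status    Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
 1 Master Running 1 100 1 2c:fa:a2:05:cd:a9
 2 Slave Running+ 2 100 1 2c:fa:a2:05:cd:71
"""

if __name__ == "__main__":
    # Constructed uptimes: both chassis rebooted within 5 minutes of each other,
    # so priority and uptime tie and the smallest chassis ID (1) wins.
    print(expected_master(TOPOLOGY, {1: 900, 2: 600}),
          master_matches(TOPOLOGY, {1: 900, 2: 600}))
```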
Virtual Chassis Takeover/Failover
• Takeover/Failover
  • Only master reloads, no impact on slaves, no traffic impact except related to master
  • “MAC retention” is always enabled
  • When the master reloads or fails, the slaves reelect a new master
  • New master election is locally computed based on known partner keys
  • The new master will confirm to its slaves the decision
  • When the “original” master comes back, no election will be processed, and the “new” Master will retain its Master role
[Diagram, three stages: Master fails (chassis 1 Master, chassis 2 to 6 Slaves); New Master elected (chassis 2 becomes Master); Recovery of the original Master (chassis 1 comes back as Slave, chassis 2 stays Master)]
Virtual Chassis Specifications
[Table extracted from the technical documentation « OmniSwitch AOS Release 8 Specifications Guide » (not reproduced here)]
Virtual Chassis - Auto VFL port
• GOAL
  • Automatically detect whether an auto VFL port can become VFL
  • Dynamically assign VFL ID to auto VFL port which can become VFL
  • Aggregate multiple auto VFL ports that can become VFL and are connected to the same remote chassis
• Default set of auto VFL eligible ports (switch model: auto VFL eligible ports)
  • OS9900: Static VFL only
  • OS6900 X and T: Last 5 ports of each chassis (including ports in expansion slots) regardless of SFP/QSFP presence on those ports.
  • OS6900-V72/C32/X/T48C6: The last 5 ports of the chassis.
  • OS6860 - OS6860N: Dedicated VFL ports.
  • OS6465-P28: Ports 27/28.
  • OS6560-24X4/-P24X4/-48X4/-P48X4: Dedicated VFL ports and last two 10G SFP+ ports on (P)24X4/(P)48X4.
  • OS6360-24 - OS6360-48: OS6360-24 ports models - Ports 27/28; OS6360-48 ports models - Ports 51/52.
[Flow chart: vcsetup.cfg exists? N: default set of auto VFL eligible ports (first bootup of brand new chassis from factory). Y: auto VFL process runs only on ports explicitly configured as auto VFL port.]
* Auto VFL detection process will run only on auto VFL ports. Both ends of the link must be auto VFL ports for an auto VFL port to be able to become VFL.
Virtual Chassis - Split Chassis
• Failures on VFL links cause potential MAC/IP duplication
• 2 mechanisms
  - Out of Band: EMP Remote Chassis Detection (RCD)
  - In Band: VC Split Protocol
• EMP Remote Chassis Detection (RCD)
  • A switch sends an announcement whenever its chassis VC information changes
  • RCD protocol will detect this split topology.
  • The former Slave chassis will shut down all its front-panel user ports to prevent duplicate IP and chassis MAC addresses in the network.
  • The Slave's chassis status will be modified from Running to Split-Topology to indicate this second pseudo-master chassis is not operational at this point.
  • If the VFL comes back up, the former Slave chassis will reboot and rejoin the virtual chassis topology assuming its Slave role again.
  • RCD uses the following IP addresses in order of preference:
    1. CMM IP address stored in NVRAM (if configured)
    2. Chassis EMP IP address
  • RCD protocol: OS6860E, OS6900, OS9900
[Diagram: a Virtual Chassis whose VFL fails; the former Slave becomes a second Master; both chassis reach the management network through their EMP ports, RCD detects the split and the former Slave reboots with all interfaces down]
Virtual Chassis - Split Chassis
• In Band: VC Split Protocol
  • Requires an upstream or downstream device to act as helper switch
  • Proprietary protocol called “VC Split Protocol”
  • VCSP LAG towards the helper switch
  • Every VC member switch recommended to have one port as part of the VCSP LAG to the helper device
  • Protection Mode: Master role, all interfaces shutdown except VFL & LAG
  • Helper switch: AOS support
  • Platforms supported in R8: extract from os8_cli_87R2-revA (table not reproduced here)
[Diagram: VC with MASTER in Building 1 and SLAVE in Building 2 (potential duplicate MAC/IP after a split), each member with a link aggregation port toward the helper switch (OS6860, ACCESS); VCSP runs over this LAG]
Extract from OmniSwitch AOS Release 8 Switch Management Guide:
Use the virtual-chassis split-protection admin-state and virtual-chassis split-protection linkagg commands to enable VCSP and create the VCSP link aggregate on the VC.
Use the virtual-chassis split-protection helper admin-state and virtual-chassis split-protection helper linkagg commands to enable the VCSP helper and create the VCSP helper link aggregate on the helper switch.
In Service Software Upgrade (ISSU)
• GOAL
  • Used to upgrade the software on a VC with minimal network disruption
  • Each element is upgraded individually
• STEP BY STEP
  - Upload new code, vcsetup.cfg and vcboot.cfg in a new directory (ex. issu_dir)
  - Launch the dedicated issu command
  - The image and configuration files are then copied to all of the Slaves
  - The Slaves are then reloaded from the ISSU directory in order from lowest to highest chassis ID
[Diagram: the issu_dir directory (vcboot.cfg, vcsetup.cfg, code) on the Master (Chassis ID 1) is copied to the Slaves (Chassis ID 2 and 3), which are then reloaded in turn]
Virtual Chassis - Configuration
Virtual Chassis Configuration
• Step by Step
• Main use case
[Flow chart: Switch bootup -> vcsetup.cfg exists? N: AUTO-VC (auto vcsetup created; VC created automatically with Chassis ID and Group ID; start in certified mode), unless auto configuration on boot is disabled. Y: VC mode, VFL AUTO or Static management]
Auto VC consists of the following:
1. Auto VFL
2. Auto Chassis ID Assignment
Virtual Chassis Configuration
• Step by Step
  • VFL: AUTO or STATIC management
  1. Assign a Chassis ID
  2. Assign a Chassis Group ID and a Priority
  3. Configure VFL link & ports (automatic or static)
  4. Restart Chassis to Virtual-Chassis Directory
Virtual Chassis Configuration
• Step by Step
Assign a Chassis ID
  • Assign a Chassis ID
  • Must be different for each switch belonging to the Virtual Chassis
[Diagram: Chassis 1 and Chassis 2]
Assign a Chassis Group ID and a Priority
  • Assign a Chassis Group number
  • Must be the same on all the switches belonging to the Virtual Chassis
  • Define a Priority
  • Between 0 and 255; the switch with the highest priority is elected Master
[Diagram: Chassis 1 (Priority: 200), Chassis 2 (Priority: 100)]
Virtual Chassis Configuration
• Step by Step
Configure Auto VFL mode
  • Specify ports that are designated as VFLs and software will automatically assign VFL IDs.
Configure Static VFL link & ports
  • Create VFL ID
  • Specify its member ports
[Diagram: Chassis 1 (Priority: 100) ports 1/2/1 and 1/2/2 form the VFL with Chassis 2 (Priority: 200) ports 2/2/1 and 2/2/2]
Reload the switches
  • Reload both chassis from the directory containing the vcsetup.cfg & vcboot.cfg files
[Diagram: Chassis 1 (Priority: 100) and Chassis 2 (Priority: 200) joined by the VFL]
Virtual Chassis Synchronization
Virtual Chassis Synchronization - Example
• -> write memory
[Diagram: on the MASTER, the RUNNING CONFIGURATION in RAM is written to the WORKING directory; the MASTER’s CERTIFIED directory and the SLAVES’ WORKING and CERTIFIED directories are unchanged]

-> show running-directory

CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFY NEEDED

SYNCHRONIZATION STATUS
Flash Between CMMs : NOT SYNCHRONIZED,
Running Configuration : SYNCHRONIZED

Virtual Chassis Synchronization - Example
• -> copy running certified
[Diagram: on the MASTER, the WORKING directory is copied to the CERTIFIED directory; the SLAVES’ directories are unchanged]

Virtual Chassis Synchronization - Example
• -> copy flash-synchro
[Diagram: the WORKING and CERTIFIED directories of the MASTER (chassis 1) are copied to the WORKING and CERTIFIED directories of every SLAVE (chassis 2, ...)]

-> show running-directory

CONFIGURATION STATUS
Running CMM : MASTER-PRIMARY,
CMM Mode : VIRTUAL-CHASSIS MONO CMM,
Current CMM Slot : CHASSIS-1 A,
Running configuration : WORKING,
Certify/Restore Status : CERTIFIED

SYNCHRONIZATION STATUS
Flash Between CMMs : SYNCHRONIZED,
Running Configuration : SYNCHRONIZED

• -> write memory flash-synchro : This command can also be used to synchronize the virtual chassis
OmniSwitch AOS R6/R8
Virtual Chassis

How to
✓ This lab is designed to familiarize you with the Virtual Chassis feature (VC)
and its configuration.

Contents
1 Configure a Virtual Chassis of two switches ............................................... 2
2 Virtual Chassis Monitoring.................................................................... 5
2
Virtual Chassis

1 Configure a Virtual Chassis of two switches

Assign a globally unique chassis identifier to the switch and enable the switch to operate in virtual chassis
mode, on both 6900:
6900-A -> show virtual-chassis topology
6900-A -> virtual-chassis chassis-group 1
6900-A -> show virtual-chassis topology
6900-A -> show configuration vcm-snapshot chassis-id 1
6900-A -> write memory

6900-B -> show virtual-chassis topology


6900-B -> virtual-chassis chassis-id 1 configured-chassis-id 2
6900-B -> virtual-chassis chassis-group 1
6900-B -> show virtual-chassis topology
6900-B -> show configuration vcm-snapshot chassis-id 2

Notes:
A reload is mandatory to take the new chassis-id into account.

6900-B -> write memory


WARNING - Virtual chassis topology change detected. Chassis 1 missing!
Configuration associated with missing chassis will be erased permanently!
Confirm to continue (Y/N) : y

The write memory command is protected by a warning, to prevent (or at least warn about) purging the configuration
of the elements that are missing. In this case, the chassis ID has been changed.

6900-B -> reload from working no rollback-timeout

6900-B -> show virtual-chassis topology

Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 2
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
2 Master Running 2 100 1 2c:fa:a2:05:cd:71

To force 6900-A to be the master chassis, assign it the highest chassis priority:

6900-A -> virtual-chassis chassis-id 1 configured-chassis-priority 200



Configure member ports for the VFL:


6900-A -> virtual-chassis vf-link-mode static
6900-A -> virtual-chassis chassis-id 1 vf-link 0 create
6900-A -> virtual-chassis chassis-id 1 vf-link 0 member-port 1/2/1
6900-A -> virtual-chassis chassis-id 1 vf-link 0 member-port 1/2/2
6900-A -> write memory

6900-A -> show configuration vcm-snapshot chassis-id 1

! Virtual Chassis Manager:


virtual-chassis chassis-id 1 configured-chassis-id 1
virtual-chassis vf-link-mode static
virtual-chassis chassis-id 1 vf-link 0 create
virtual-chassis chassis-id 1 vf-link 0 member-port 1/2/1
virtual-chassis chassis-id 1 vf-link 0 member-port 1/2/2
virtual-chassis chassis-id 1 chassis-group 1
virtual-chassis chassis-id 1 configured-chassis-priority 200
!
! PLEASE DO NOT MODIFY THE AREAS OF [SAVED INFO xxx]
! [SAVED INFO VC IDs] 1

! IP:
ip interface local chassis-id 1 emp address 10.4.20.1 mask 255.255.255.0

6900-B -> virtual-chassis vf-link-mode static
6900-B -> virtual-chassis chassis-id 2 vf-link 0 create
6900-B -> virtual-chassis chassis-id 2 vf-link 0 member-port 2/2/1
6900-B -> virtual-chassis chassis-id 2 vf-link 0 member-port 2/2/2
6900-B -> write memory

6900-B -> show configuration vcm-snapshot chassis-id 2

! Virtual Chassis Manager:


virtual-chassis chassis-id 2 configured-chassis-id 2
virtual-chassis vf-link-mode static
virtual-chassis chassis-id 2 vf-link 0 create
virtual-chassis chassis-id 2 vf-link 0 member-port 2/2/1
virtual-chassis chassis-id 2 vf-link 0 member-port 2/2/2
virtual-chassis chassis-id 2 chassis-group 1
!
! PLEASE DO NOT MODIFY THE AREAS OF [SAVED INFO xxx]
! [SAVED INFO VC IDs] 2
!

! IP:
ip interface local chassis-id 2 emp address 10.4.20.2 mask 255.255.255.0

6900-A -> show virtual-chassis vf-link

VFLink mode: Static


Primary Config Active Def Speed
Chassis/VFLink ID Oper Port Port Port Vlan Type
-------------------+----------+---------+-------+-------+---------+-----------
1/0 Down N/A 2 0 1 Unassigned

6900-A -> show virtual-chassis vf-link member-port

VFLink mode: Static


Chassis/VFLink ID Chassis/Slot/Port Oper Is Primary
-------------------+------------------+----------+-------------
1/0 1/2/1 Down No
1/0 1/2/2 Down No

6900-B -> show virtual-chassis vf-link

VFLink mode: Static


Primary Config Active Def Speed
Chassis/VFLink ID Oper Port Port Port Vlan Type
-------------------+----------+---------+-------+-------+---------+-----------
2/0 Down N/A 2 0 1 Unassigned

6900-B -> show virtual-chassis vf-link member-port

VFLink mode: Static


Chassis/VFLink ID Chassis/Slot/Port Oper Is Primary
-------------------+------------------+----------+-------------
2/0 2/2/1 Down No
2/0 2/2/2 Down No

The VFL is an aggregate of high-speed ports used between the two peers to carry inter-chassis traffic and
control data over the IPC VLAN.

Activate the corresponding interfaces:


6900-A -> interfaces 1/2/1 admin-state enable
6900-A -> interfaces 1/2/2 admin-state enable
6900-A -> write memory

Notes:
On the 6900-B, interfaces 2/2/1 and 2/2/2 automatically link up and the switch reboots.

2 Virtual Chassis Monitoring


Wait a moment after the reboot, then verify the Virtual Chassis status settings and the chassis roles.
Check the virtual-chassis topology:

(6900-A) -> show virtual-chassis topology


Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 1 2c:fa:a2:05:cd:a9
2 Slave Running+ 2 100 1 2c:fa:a2:05:cd:71

Notes:
Notice that the chassis priority has not changed: a reboot of the switch is required for this parameter to take
effect.

Reload the 6900-A switch so that the new priority value takes effect:

6900-A -> reload from working no rollback-timeout

What happens to the switch 6900b following this command? ...................................................


...........................................................................................................................

If the status of the OS6900 is not “Running”, check that System Ready is set to Yes with the command:
(6900-A) -> debug show virtual-chassis topology
Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper System
Chas Role Status Chas ID Pri Group MAC-Address Ready
-----+------------+-------------------+--------+-----+------+------------------+-------
1 Master Running 1 200 1 2c:fa:a2:05:cd:a9 Yes
2 Slave Running+ 2 100 1 2c:fa:a2:05:cd:71 Yes

Notes:
The “+” suffix marks a VC element that is detected as “Running” but whose configuration has not been saved yet.

Once the system reboots, you should see the following messages:

...
Fri Feb 13 16:29:41 : vcmCmm port_mgr info message:
+++ CMM:vcmCMM_client_rx_pm@1485: VFL link 1/0 up (pri 1/2/1:0x28) [L2]

Fri Feb 13 16:29:41 : vcmCmm ipc info message:


+++ CMM:vcmCMM_peer_connected@1726: Remote endpoint (chassis 2, slot 65) [L4]

Notes:
The chassis role determines which switch is the master of the Virtual Chassis.
The Master and Slave roles are only active when the operational status of the virtual-chassis feature is up for
both chassis.

Display the vcsetup file content on the master

(6900-A) -> cat /flash/working/vcsetup.cfg


!========================================!
! File: /flash/working/vcsetup.cfg !
!========================================!
! Virtual Chassis Manager:
virtual-chassis configured-chassis-id 1
virtual-chassis vf-link-mode static
virtual-chassis vf-link 0 create
virtual-chassis vf-link 0 member-port 1/2/1
virtual-chassis vf-link 0 member-port 1/2/2
virtual-chassis chassis-group 1
virtual-chassis configured-chassis-priority 200
!
! PLEASE DO NOT MODIFY THE AREAS OF [SAVED INFO xxx]
! [SAVED INFO VC IDs] 1
!

Save the configuration and check the virtual-chassis topology:

(6900-A) -> write memory

File /flash/working/vcsetup.cfg replaced.

File /flash/working/vcboot.cfg replaced.

(6900-A) -> show virtual-chassis topology


Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 200 1 2c:fa:a2:05:cd:a9
2 Slave Running 2 100 1 2c:fa:a2:05:cd:71

What has been changed? ..............................................................................................


Why? ....................................................................................................................
...........................................................................................................................

Display the vcsetup file content on the master


(6900-A) -> cat /flash/working/vcsetup.cfg
!========================================!
! File: /flash/working/vcsetup.cfg !
!========================================!
! Virtual Chassis Manager:
virtual-chassis configured-chassis-id 1
virtual-chassis vf-link-mode static
virtual-chassis vf-link 0 create
virtual-chassis vf-link 0 member-port 1/2/1
virtual-chassis vf-link 0 member-port 1/2/2
virtual-chassis chassis-group 1
virtual-chassis configured-chassis-priority 200
!
! PLEASE DO NOT MODIFY THE AREAS OF [SAVED INFO xxx]
! [SAVED INFO VC IDs] 3
!

To display the ports belonging to the VFL, type:

6900-A -> show virtual-chassis vf-link


VFLink mode: Static
Primary Config Active Def Speed
Chassis/VFLink ID Oper Port Port Port Vlan Type
-------------------+----------+---------+-------+-------+---------+-----------
1/0 Up 1/2/2 2 2 1 10G
2/0 Up 2/2/2 2 2 1 10G
6900-A -> show virtual-chassis vf-link member-port
VFLink mode: Static

Chassis/VFLink ID Chassis/Slot/Port Oper Is Primary


-------------------+------------------+----------+-------------
1/0 1/2/1 Up No
1/0 1/2/2 Up Yes
2/0 2/2/1 Up No
2/0 2/2/2 Up Yes

Notes:
The “Is Primary” field defines the primary port of the virtual fabric link.

Verify the consistency of system-level mandatory parameters between the two chassis:
6900-A -> show virtual-chassis consistency
Legend: * - denotes mandatory consistency which will affect chassis status
licenses-info - A: Advanced; B: Data Center;

Config Oper Oper Config


Chas Chas Chas Hello Control Control
Chas* ID Status Type* Group* Interv Vlan* Vlan License*
------+------+---------+-------+------+-------+--------+--------+----------
1 1 OK OS6900 1 10 4094 4094 AB
2 2 OK OS6900 1 10 4094 4094 AB

Notes:
The two chassis in the same Virtual-Chassis group must maintain identical configuration and operational
parameters.
OmniSwitch AOS R8
Virtual Chassis-6360

How to
✓ This lab is designed to familiarize you with the Virtual Chassis feature (VC)
and its configuration.

Contents
1 Configure a Virtual Chassis of two switches ............................................... 2
1.1. Objective ............................................................................................ 2
1.2. Management ......................................................................................... 3
2 Virtual Chassis Monitoring.................................................................... 7
2
Virtual Chassis-6360

1 Configure a Virtual Chassis of two switches

1.1. Objective

1.2. Management

- Assign a globally unique chassis identifier to the switch 6360-A and enable the switch to operate in virtual
chassis mode:
sw5 (6360-A) -> show virtual-chassis topology
Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 0 94:24:e1:7c:82:1d

sw5 (6360-A) -> virtual-chassis chassis-group 1

sw5 (6360-A) -> show virtual-chassis topology


Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 1 94:24:e1:7c:82:1d

sw5 (6360-A) -> show configuration vcm-snapshot chassis-id 1


! Virtual Chassis Manager:
virtual-chassis chassis-id 1 configured-chassis-id 1
virtual-chassis vf-link-mode static
virtual-chassis chassis-id 1 chassis-group 1
!
! PLEASE DO NOT MODIFY THE AREAS OF [SAVED INFO xxx]
! [SAVED INFO VC IDs] 1
!
! IP:

- To force the 6360-A to be the master chassis, assign it the highest chassis priority:

sw5 (6360-A) -> virtual-chassis chassis-id 1 configured-chassis-priority 200

sw5 (6360-A) -> write memory

File /flash/working/vcsetup.cfg replaced.

File /flash/working/vcboot.cfg replaced.

sw5 (6360-A) -> show virtual-chassis topology


Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 1 94:24:e1:7c:82:1d

Notes:
A reload is mandatory for the chassis priority to take effect.

sw5 (6360-A) -> reload from working no rollback-timeout


Confirm Activate (Y/N) : y
This operation will verify and copy images before reloading.
It may take several minutes to complete..

Notes:
Wait until the restart is complete.

Tue Jun 22 03:04:41 : qosNi Info INFO message:


+++ VC Takeover in progress.
+++ VC Takeover complete.
Chassis Supervision: CMM has reached the ready state [L8]

sw5 (6360-A) -> show virtual-chassis topology


Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 200 1 94:24:e1:7c:82:1d

- Assign a globally unique chassis identifier to the switch 6360-B and enable the switch to operate in virtual
chassis mode:

sw6 (6360-B) -> show virtual-chassis topology


Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 0 94:24:e1:7c:79:65

sw6 (6360-B) -> virtual-chassis chassis-id 1 configured-chassis-id 2


sw6 (6360-B) -> virtual-chassis chassis-group 1

sw6 (6360-B) -> show virtual-chassis topology


Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 2 100 1 94:24:e1:7c:79:65

- Check the result

sw6 (6360-B) -> show configuration vcm-snapshot chassis-id 2


! Virtual Chassis Manager:
! IP:

Notes:
A reload is mandatory for the new chassis ID to take effect.

sw6 (6360-B) -> write memory

WARNING - Virtual chassis topology change detected. Chassis 1 missing!


Configuration associated with missing chassis will be erased permanently!
Confirm to continue (Y/N) : y

File /flash/working/vcsetup.cfg replaced.

File /flash/working/vcboot.cfg replaced.



The write memory command is protected by a warning before it purges the configuration of elements that are
missing. Here the chassis ID has been changed, so the former chassis 1 is reported as missing.

sw6 (6360-B) -> reload from working no rollback-timeout


Confirm Activate (Y/N) : y
This operation will verify and copy images before reloading.
It may take several minutes to complete..

Notes:
Wait until the restart is complete.

Tue Jun 22 03:04:41 : qosNi Info INFO message:


+++ VC Takeover in progress.
+++ VC Takeover complete.
Chassis Supervision: CMM has reached the ready state [L8]

sw6 (6360-B) -> show virtual-chassis topology

Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 2
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
2 Master Running 2 100 1 94:24:e1:7c:79:65

- Configure member ports for the VFL on 6360-A:

sw5 (6360-A) -> virtual-chassis chassis-id 1 vf-link 0 create

sw5 (6360-A) -> virtual-chassis chassis-id 1 vf-link 0 member-port 1/1/27

sw5 (6360-A) -> virtual-chassis chassis-id 1 vf-link 0 member-port 1/1/28

sw5 (6360-A) -> write memory

File /flash/working/vcsetup.cfg replaced.

File /flash/working/vcboot.cfg replaced.

sw5 (6360-A) -> show configuration vcm-snapshot chassis-id 1


! Virtual Chassis Manager:
virtual-chassis chassis-id 1 configured-chassis-id 1
virtual-chassis vf-link-mode static
virtual-chassis chassis-id 1 vf-link 0 create
virtual-chassis chassis-id 1 vf-link 0 member-port 1/1/27
virtual-chassis chassis-id 1 vf-link 0 member-port 1/1/28
virtual-chassis chassis-id 1 chassis-group 1
virtual-chassis chassis-id 1 configured-chassis-priority 200
!
! PLEASE DO NOT MODIFY THE AREAS OF [SAVED INFO xxx]
! [SAVED INFO VC IDs] 1
!
! IP:

- Configure member ports for the VFL on 6360-B:

sw6 (6360-B) -> virtual-chassis chassis-id 2 vf-link 0 create

sw6 (6360-B) -> virtual-chassis chassis-id 2 vf-link 0 member-port 2/1/27

sw6 (6360-B) -> virtual-chassis chassis-id 2 vf-link 0 member-port 2/1/28

sw6 (6360-B) -> write memory

File /flash/working/vcsetup.cfg replaced.

File /flash/working/vcboot.cfg replaced.

sw6 (6360-B) -> show configuration vcm-snapshot chassis-id 2


! Virtual Chassis Manager:
virtual-chassis chassis-id 2 configured-chassis-id 2
virtual-chassis vf-link-mode static
virtual-chassis chassis-id 2 vf-link 0 create
virtual-chassis chassis-id 2 vf-link 0 member-port 2/1/27
virtual-chassis chassis-id 2 vf-link 0 member-port 2/1/28
virtual-chassis chassis-id 2 chassis-group 1
!
! PLEASE DO NOT MODIFY THE AREAS OF [SAVED INFO xxx]
! [SAVED INFO VC IDs] 2
!
! IP:

- Check the result on both switches


sw5 (6360-A) -> show virtual-chassis vf-link
VFLink mode: Static

Primary Config Active Def Speed


Chassis/VFLink ID Oper Port Port Port Vlan Type
-------------------+----------+---------+-------+-------+---------+-----------
1/0 Down N/A 2 0 1 Unassigned

sw5 (6360-A) -> show virtual-chassis vf-link member-port


VFLink mode: Static

Chassis/VFLink ID Chassis/Slot/Port Oper Is Primary


-------------------+------------------+----------+-------------
1/0 1/1/27 Down No
1/0 1/1/28 Down No

sw6 (6360-B) -> show virtual-chassis vf-link


VFLink mode: Static

Primary Config Active Def Speed


Chassis/VFLink ID Oper Port Port Port Vlan Type
-------------------+----------+---------+-------+-------+---------+-----------
2/0 Down N/A 2 0 1 Unassigned

sw6 (6360-B) -> show virtual-chassis vf-link member-port


VFLink mode: Static

Chassis/VFLink ID Chassis/Slot/Port Oper Is Primary


-------------------+------------------+----------+-------------
2/0 2/1/27 Down No
2/0 2/1/28 Down No

The VFL is an aggregate of high-speed ports used between the two peers to carry inter-chassis traffic and
control data over the IPC VLAN.

- Activate the corresponding interfaces:


sw5 (6360-A) -> interfaces 1/1/27 admin-state enable
sw5 (6360-A) -> interfaces 1/1/28 admin-state enable

Tue Jun 22 03:48:13 : intfCmm Mgr INFO message:


+++ Link 1/1/27 operationally up
interfaces 1/1/28 admin-state enable

sw5 (6360-A) ->


Tue Jun 22 03:48:21 : intfCmm Mgr INFO message:
+++ Link 1/1/28 operationally up

Notes:
On the 6360-B, interfaces 2/1/27 and 2/1/28 automatically link up and the switch reboots.

2 Virtual Chassis Monitoring


Wait a moment after the reboot; the following message is displayed on 6360-B. Then verify the Virtual Chassis
status settings and the chassis roles.

Tue Jun 22 04:51:10 : qosNi Info INFO message:


+++ VC Takeover in progress.
+++ VC Takeover complete.
Chassis Supervision: CMM has reached the ready state [L8]

Tue Jun 22 04:51:12 : ChassisSupervisor reloadMgr INFO message:


+++ Redundancy time expired - updating next running to working

- Check the virtual-chassis topology:

sw5 (6360-A) -> show virtual-chassis topology

Legend: Status suffix "+" means an added unit after last saved topology
Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 200 1 94:24:e1:7c:82:1d
2 Slave Running+ 2 100 1 94:24:e1:7c:79:65

Notes:
The “+” suffix marks a VC element that is detected as “Running” but whose configuration has not been saved yet.

- Save the configuration, copy running to certified, and check the virtual-chassis topology:

sw5 (6360-A) -> write memory flash-synchro

File /flash/working/vcsetup.cfg replaced.


File /flash/working/vcboot.cfg replaced.

Tue Jun 22 04:00:05 : flashManager Main INFO message:


+++ Verifying image directory working on CMM flash
Please wait...

Tue Jun 22 04:00:41 : ChassisSupervisor bootMgr INFO message:


+++ Copy running to certified: Synchronizing chassis 2
Tue Jun 22 04:00:49 : ChassisSupervisor MipMgr INFO message:
+++ Copy running to certified succeeded; Secondary synchronization succeeded

- Check the result

sw5 (6360-A) -> show virtual-chassis topology


Legend: Status suffix "+" means an added unit after last saved topology

Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 200 1 94:24:e1:7c:82:1d
2 Slave Running 2 100 1 94:24:e1:7c:79:65

- Display the vcsetup file content on the master


sw5 (6360-A) -> cat /flash/working/vcsetup.cfg
!========================================!
! File: /flash/working/vcsetup.cfg !
!========================================!
! Virtual Chassis Manager:
virtual-chassis chassis-id 1 configured-chassis-id 1
virtual-chassis vf-link-mode static
virtual-chassis chassis-id 1 vf-link 0 create
virtual-chassis chassis-id 1 vf-link 0 member-port 1/1/27
virtual-chassis chassis-id 1 vf-link 0 member-port 1/1/28
virtual-chassis chassis-id 1 chassis-group 1
virtual-chassis chassis-id 1 configured-chassis-priority 200
!
! PLEASE DO NOT MODIFY THE AREAS OF [SAVED INFO xxx]
! [SAVED INFO VC IDs] 3
!

! IP:
!

- To display the ports belonging to the VFL, type:

sw5 (6360-A) -> show virtual-chassis vf-link


VFLink mode: Static

Primary Config Active Def Speed


Chassis/VFLink ID Oper Port Port Port Vlan Type
-------------------+----------+---------+-------+-------+---------+-----------
1/0 Up 1/1/27 2 2 1 10G
2/0 Up 2/1/27 2 2 1 10G

sw5 (6360-A) -> show virtual-chassis vf-link member-port


VFLink mode: Static

Chassis/VFLink ID Chassis/Slot/Port Oper Is Primary


-------------------+------------------+----------+-------------
1/0 1/1/27 Up Yes
1/0 1/1/28 Up No
2/0 2/1/27 Up Yes
2/0 2/1/28 Up No

Notes:
The “Is Primary” field defines the primary port of the virtual fabric link.

- Verify the consistency of system-level mandatory parameters between the two chassis:

sw5 (6360-A) -> show virtual-chassis consistency


Legend: * - denotes mandatory consistency which will affect chassis status
licenses-info - A: Advanced; B: Data Center;

Config Oper Oper Config


Chas Chas Chas Hello Control Control
Chas* ID Status Type* Group* Interv Vlan* Vlan License*
------+------+---------+-------+------+-------+--------+--------+----------
1 1 OK OS6360 1 15 4094 4094 A
2 2 OK OS6360 1 15 4094 4094 A

Notes:
The two chassis in the same Virtual-Chassis group must maintain identical configuration and operational
parameters.
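The consistency check above, and the same check on the OS6900 pair earlier in this guide, can be automated when several virtual chassis have to be audited. The script below is an added example, not part of the lab guide or of AOS: it parses the output shape shown on the page and reports any chassis whose "*"-marked parameters differ from the master's; the function names are assumptions and the sample outputs are constructed from the page's values.

```python
"""Parse 'show virtual-chassis consistency' and flag chassis whose mandatory
('*') parameters differ from the master's. Added example, not AOS code."""
import re

# Data-row column order as printed by the switch (see the page's header).
COLUMNS = [
    "chassis",              # Chas*
    "config_chassis_id",    # Config Chas ID
    "oper_status",          # Oper Chas Status
    "chassis_type",         # Chas Type*
    "oper_group",           # Oper Group*
    "hello_interval",       # Hello Interv
    "config_control_vlan",  # Config Control Vlan*
    "oper_control_vlan",    # Oper Control Vlan
    "license",              # License*
]
# Columns the switch marks with '*': a mismatch affects the chassis status.
MANDATORY = ("chassis_type", "oper_group", "config_control_vlan", "license")

# One data row: nine whitespace-separated fields, the first two numeric.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_consistency(output):
    """Return one dict per chassis row; legend, headers and rules are skipped."""
    rows = []
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if match:
            rows.append(dict(zip(COLUMNS, match.groups())))
    return rows


def find_inconsistencies(rows):
    """Compare every chassis with the first row (the master, chassis 1 in the
    lab). Returns (chassis, field, expected, actual) tuples, and also flags a
    chassis whose status is not OK or whose configured ID is duplicated."""
    issues = []
    if not rows:
        return issues
    ref = rows[0]
    seen_ids = set()
    for row in rows:
        if row["oper_status"] != "OK":
            issues.append((row["chassis"], "oper_status", "OK", row["oper_status"]))
        if row["config_chassis_id"] in seen_ids:
            issues.append((row["chassis"], "config_chassis_id", "unique",
                           row["config_chassis_id"]))
        seen_ids.add(row["config_chassis_id"])
        if row is ref:
            continue
        for field in MANDATORY:
            if row[field] != ref[field]:
                issues.append((row["chassis"], field, ref[field], row[field]))
    return issues


# Constructed from the OS6360 output on this page: a healthy pair.
SAMPLE_OK = """\
Legend: * - denotes mandatory consistency which will affect chassis status
        licenses-info - A: Advanced; B: Data Center;

                 Config   Oper                Oper            Config   Oper
                 Chas     Chas     Chas       Chas   Hello    Control  Control
Chas*   ID       Status   Type*    Group*     Interv Vlan*    Vlan     License*
------+------+---------+-------+------+-------+--------+--------+----------
   1      1      OK      OS6360      1     15    4094     4094     A
   2      2      OK      OS6360      1     15    4094     4094     A
"""

# Constructed: chassis 2 was left in group 2 with a different licence set.
SAMPLE_BAD = """\
Chas*   ID       Status   Type*    Group*     Interv Vlan*    Vlan     License*
------+------+---------+-------+------+-------+--------+--------+----------
   1      1      OK      OS6900      1     10    4094     4094     AB
   2      2      NOK     OS6900      2     10    4094     4094     A
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, find_inconsistencies(parse_consistency(sample)))
```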

- Check that the HTTP service is enabled (ex. 6360-A):

Pod11sw3 login: admin


Password: switch

Sw5 (6360-A) -> show aaa authentication


[/TRUNCATED]
Service type = Http
Authentication = Use Default,
1rst authentication server = local
[/TRUNCATED]

- As you can see here, HTTP authentication is enabled, and the first authentication server to be polled is
the local database. If it is not, enable it with the command: aaa authentication http

Notes:
By default, WebView is enabled on the OmniSwitch, but you are not allowed to authenticate until HTTP
authentication is enabled. On the Remote-Lab, WebView access has already been enabled.

- Check the WebView status:

Sw5 (6360-A) -> show webview


WebView Server = Enabled,
WebView Access = Enabled,
WebView Force-SSL = Enabled,
WebView HTTPS-Port = 443

Tips:
SSL is forced by default in Release 8, so you cannot connect with plain HTTP to an R8 OmniSwitch: you are
automatically redirected to an HTTPS connection.

- Open WebView: from the Windows desktop, open a web browser (e.g. Firefox, Chrome).
- In the URL bar, type: https://10.4.pod#.5

- Login to the WebView with the admin credentials:


User Name : admin
Password : switch
Language : English

- After a successful connection, the dashboard page appears.

- Visualize your chassis: in the horizontal menu bar at the top of the page, select Physical, then in the "Chassis
management" column, click on "Chassis visualization".
OmniSwitch R8
VLAN Management

Objectives
VLAN Management

At the end of this module, you will be able to:


• Understand the VLAN features
• Set up static and dynamic VLANs
• Configure static and dynamic port assignment
• Configure inter-VLAN routing
• Configure VLAN tagging
VLAN Management
• GOAL
• Logically segment a Local Area Network (LAN) into different broadcast domains
• Ease of network management
• Provides a more secure network

• HOW IT WORKS
• Ports become members of VLANs by:
- Static Configuration
- Mobility / with or without Authentication *
- 802.1q
- Mobile Tag

[Figure: ports assigned to VLAN 10, VLAN 30, VLAN 50 and VLAN 60]

* With authentication: seen in the following chapter (Access Guardian)
VLAN Management - Static VLAN Membership
• GOAL
• The initial configuration of every OmniSwitch consists of a default VLAN 1, and all switch ports are initially
assigned to this VLAN
• Ports can be statically assigned to VLANs
- When a port is assigned to a VLAN, a VLAN port association (VPA) is created and tracked by the VLAN
management switch software

[Figure: ports 1/1/1, 1/1/2, 1/1/4 and 1/1/6 statically assigned among VLAN 1 to VLAN 6]
VLAN Management - Static VLAN Membership
• CONFIGURATION – STEP BY STEP

Defining a VLAN
-> vlan 2

Assigning Ports to a VLAN

-> vlan 2 members port <chassis/slot/port> untagged

Optional commands

-> vlan 4 admin-state enable


-> vlan 4 name Engineering
Use quotes around string if the VLAN name contains multiple words with spaces between them
-> vlan 10-15 100-105 200 name "Training Network"

Monitoring

-> show vlan 4


-> show vlan members
-> show ip interface
VLAN Management - Dynamic VLAN Membership
GOAL

• VLAN is assigned depending on the device or the user
- Device oriented: VLAN according to traffic criteria (MAC address, etc.)
- User oriented: Authenticated VLAN (IEEE 802.1x for enhanced security) *

[Figure: devices dynamically assigned among VLAN 1 to VLAN 6]

* With authentication: seen in the following chapter (Access Guardian)
VLAN Management - Dynamic VLAN Membership
HOW IT WORKS
• When traffic is received on a mobile port:
- The packets are examined to determine whether their content matches any of the VLAN rules configured on the switch. If
so, the mobile port is assigned to that VLAN
- Upon receiving a frame, Source Learning compares the frame with the VLAN policies in order of precedence

UNP port classification rules, by precedence (highest first):

1. Port
2. Port + VLAN tag
3. Domain + VLAN tag
4. Domain
5. MAC address + VLAN tag
6. MAC address
7. MAC-OUI + VLAN tag
8. MAC-OUI
9. MAC address range + VLAN tag
10. MAC address range
11. LLDP
12. Auth-type + VLAN tag
13. Auth-type
14. IP address + VLAN tag
15. IP address
16. VLAN tag
VLAN Management - Dynamic VLAN Membership
• Device oriented: VLAN according to traffic criteria (MAC address, etc.)

• UNP classification rules configuration (R8) – STEP BY STEP

Enabling a mobile port

-> unp port 1/1/1 port-type bridge

Configure UNP profile *

-> unp profile employee

Map the VLAN to the UNP profile

-> unp profile employee map vlan 20

[Figure: a UNP profile carries a VLAN ID, a Policy List (ACL, QoS), a Location and a Period]

* Policy list, location and period will be seen in the following chapter (Access Guardian)
VLAN Management - Dynamic VLAN Membership
• Device oriented: UNP according to traffic criteria (MAC address, etc.)

• UNP classification rules configuration – STEP BY STEP

- When classification is enabled but authentication is disabled or fails, UNP classification rules are applied to the traffic received on the
UNP port.

• MAC address rule

unp classification mac-address mac_address profile1 profile_name

Eg: -> unp classification mac-address 00:11:22:33:44:55 profile1 employee

• IP address rule

unp classification ip-address ip_address mask mask profile1 profile_name

Eg: -> unp classification ip-address 10.0.0.20 mask 255.255.0.0 profile1 employee

• MAC range rule

unp classification mac-address-range low_mac_address high_mac_address profile1 profile_name

Eg: -> unp classification mac-address-range 00:11:22:33:44:55 00:11:22:33:44:66 profile1 employee

[Side panel: the same UNP port classification rule precedence list as on the previous slide, 1. Port through 16. VLAN tag]

VLAN Management - Dynamic VLAN Membership
• Device oriented: UNP according to traffic criteria (MAC address, etc.)

• UNP classification rules configuration (R8) – STEP BY STEP

- Configuring Binding Rules for UNP Profiles

• Combination of one or more individual rules, all of which a device has to match

1 Port + MAC address + IP address
2 Port + MAC address
3 Port + IP address
4 Domain ID + MAC address + IP address

Eg: binding rule that combines a MAC address rule, an IP address rule, and a port rule

-> unp classification mac-address 00:11:22:33:44:55 ip-address 10.0.0.20 mask 255.255.0.0 port 1/1/1 profile1 employee

- Configuring Extended Classification Rules for UNP Profiles

• A list of individual rules, given a name and a precedence value. A device must match all of the rules specified in the extended rule list.

-> unp classification-rule ext-r1 precedence 255
-> unp classification-rule ext-r1 profile1 employee
-> unp classification-rule ext-r1 port 1/1/10
-> unp classification-rule ext-r1 vlan-tag 10

• The “ext-r1” rule combines a port rule and a VLAN tag rule
VLAN Management - Dynamic VLAN Membership
• Example of device oriented: UNP according to traffic criteria (MAC address range)

⚫ Create the required VLANs

-> vlan 10 admin-state disable name vlan10-block
-> vlan 20 admin-state enable name vlan20-corporate

⚫ Create the required UNP profile and map the profile to VLAN 20

-> unp profile corporate
-> unp profile corporate map vlan 20

⚫ Create another UNP profile that will serve as a default profile and map the profile to VLAN 10

-> unp profile def_unp
-> unp profile def_unp map vlan 10

⚫ Create a MAC range classification rule and associate the rule to the “corporate” UNP profile

-> unp classification-rule rule1 mac-address-range 08:00:27:00:98:0A 08:00:27:00:98:FF
-> unp classification-rule rule1 profile1 corporate

⚫ Enable UNP on the user port that will connect to the user device

-> unp port 1/1/1 port-type bridge

⚫ Set the default UNP profile on the user port

-> unp port 1/1/1 default-profile def_unp

[Figure: UNP port without authentication; the classification rules select the "Employee" UNP profile, otherwise the default UNP profile "Block" applies]
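The slides above describe the classification order (the 16-level precedence list), binding rules that a device must match in full, and the MAC-range example with a default profile. The following is an added example, not AOS code, that models that decision in Python: Rule, classify and the criterion names are assumptions, binding rules whose combination is absent from the table are assumed to be evaluated before single rules, and the explicit precedence value of extended rules is not modelled (ext-r1 is treated as a port + VLAN tag rule).

```python
"""Model how a UNP port classifies a device (added example, not AOS code):
every criterion on a rule must match, the slide's 16-level precedence picks
the winner when several rules match, and the port default is the fallback.
Rule, classify, the criterion names and the ordering of binding rules are
assumptions."""
import ipaddress

# Precedence from the slide: lower number = evaluated first.
PRECEDENCE = {
    frozenset({"port"}): 1,
    frozenset({"port", "vlan_tag"}): 2,
    frozenset({"domain", "vlan_tag"}): 3,
    frozenset({"domain"}): 4,
    frozenset({"mac", "vlan_tag"}): 5,
    frozenset({"mac"}): 6,
    frozenset({"mac_oui", "vlan_tag"}): 7,
    frozenset({"mac_oui"}): 8,
    frozenset({"mac_range", "vlan_tag"}): 9,
    frozenset({"mac_range"}): 10,
    frozenset({"lldp"}): 11,
    frozenset({"auth_type", "vlan_tag"}): 12,
    frozenset({"auth_type"}): 13,
    frozenset({"ip", "vlan_tag"}): 14,
    frozenset({"ip"}): 15,
    frozenset({"vlan_tag"}): 16,
}


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


class Rule:
    """A classification rule: the profile to apply plus the criteria a device
    must ALL match. Criteria: port, vlan_tag, domain, mac, mac_oui,
    mac_range=(low, high), ip=(address, mask), lldp, auth_type."""

    def __init__(self, name, profile, **criteria):
        self.name = name
        self.profile = profile
        self.criteria = criteria

    def precedence(self):
        # Assumption: a binding rule (a combination absent from the slide's
        # table) is more specific than any single rule, so it sorts first.
        return PRECEDENCE.get(frozenset(self.criteria), 0)

    def matches(self, device):
        mac = device.get("mac", "").lower()
        for key, want in self.criteria.items():
            if key == "mac":
                if mac != want.lower():
                    return False
            elif key == "mac_oui":
                if mac[:8] != want.lower():
                    return False
            elif key == "mac_range":
                low, high = (mac_to_int(m) for m in want)
                if not mac or not low <= mac_to_int(mac) <= high:
                    return False
            elif key == "ip":
                if "ip" not in device:
                    return False
                net = ipaddress.ip_network("%s/%s" % want, strict=False)
                if ipaddress.ip_address(device["ip"]) not in net:
                    return False
            elif device.get(key) != want:
                return False
        return True


def classify(device, rules, default_profile=None):
    """Return the UNP profile for a device, or the port's default profile."""
    for rule in sorted(rules, key=Rule.precedence):
        if rule.matches(device):
            return rule.profile
    return default_profile


def lab_rules():
    """The rules configured on the slides above."""
    return [
        Rule("mac-rule", "employee", mac="00:11:22:33:44:55"),
        Rule("ip-rule", "employee", ip=("10.0.0.20", "255.255.0.0")),
        Rule("binding", "employee", mac="00:11:22:33:44:55",
             ip=("10.0.0.20", "255.255.0.0"), port="1/1/1"),
        Rule("ext-r1", "employee", port="1/1/10", vlan_tag=10),
        Rule("rule1", "corporate",
             mac_range=("08:00:27:00:98:0A", "08:00:27:00:98:FF")),
    ]
```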
Inter VLAN Routing
• IP interfaces are associated with VLANs
• IP routing is active as soon as at least one IP interface is associated with a VLAN
• The operational status of a VLAN remains inactive as long as no active port is associated with this VLAN

-> ip interface <int_name> address <ip address/mask> vlan <vlan_id>

[Figure: a virtual router joining port 1/1/2 (VLAN 20) and port 1/1/6 (VLAN 60)]

Inter VLAN Routing
• Virtual Router

Gateway for devices in VLAN 20:

ip interface Data address 10.1.20.254 mask 255.255.255.0 vlan 20

Gateway for devices in VLAN 60:

ip interface Voice address 10.1.60.254 mask 255.255.255.0 vlan 60

-> show ip interface
Total 2 interfaces
Name IP Address Subnet Mask Status Forward Device
--------------+-------------+----------------+--------+--------+--------
Data 10.1.20.254 255.255.255.0 UP NO vlan 20
Voice 10.1.60.254 255.255.255.0 UP NO vlan 60

-> show vlan 20
Name : Data,
Administrative State : enabled,
Operational State : enabled,
1x1 Spanning Tree State : enabled,
Flat Spanning Tree State : enabled,
Authentication : disabled,
IP Router Port : on,
IP MTU : 1500,
IPX Router Port : none,
Mobile Tag : off,
Source Learning : enabled

-> show vlan 20 members
port type status
---------+---------+--------------
1/1/2 default active
802.1Q – VLAN Tagging
802.1Q – VLAN Tagging
• Aggregates multiple VLANs across Ethernet links
- Combines traffic from multiple VLANs over a single link
- Encapsulates bridged frames within a standard IEEE 802.1Q frame
- Enabled on fixed ports
- Tags port traffic for the destination VLAN

IEEE 802.1Q – Tagged VLANs
• VLAN Tag
- 802.3 MAC header change
- 4096 unique VLAN Tags (addresses)
- VLAN ID == GID == VLAN Tag
• 802.1P
- Three-bit field within the 802.1Q header
- Allows up to 8 different priorities
- Feature must be implemented in hardware

[Figure: “Modified 802.3 MAC” frame: DA, SA, then the 4-byte tag (Ethertype, Priority, Tag) carrying the 802.1p priority (3 bits) and the VLAN ID (12 bits)]

802.1Q - Configuration
-> vlan 2-3

-> vlan 2-3 members port 1/1/24 tagged

-> show vlan members

[Figure: two switches linked through port 1/1/24 on each side, carrying VLAN 1, VLAN 2, VLAN 3 and VLAN 278 as tagged frames]
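To see what the 4-byte tag on the slides above actually carries, here is an added example (not from the course) that inserts a tag into a constructed untagged frame and decodes it back. The TPID value 0x8100 and the DEI bit are standard 802.1Q details the slide does not name; the frame bytes are constructed.

```python
"""Encode and decode the 802.1Q tag described on the slides: four bytes
inserted after the source MAC, carrying the 3-bit 802.1p priority (PCP) and
the 12-bit VLAN ID, plus one DEI bit. Added example, not course material."""
import struct

TPID_8021Q = 0x8100  # Ethertype value announcing that a tag follows


def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag for a VLAN ID and 802.1p priority."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("802.1p priority must fit in 3 bits")
    tci = (pcp << 13) | ((dei & 1) << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def tag_frame(frame, vid, pcp=0):
    """Insert a tag into an untagged frame, as a tagged port would."""
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def parse_frame(frame):
    """Split an Ethernet frame into its fields, tagged or untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":")}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        info.update(tagged=False, ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("tagged frame truncated inside the 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    info.update(tagged=True,
                pcp=tci >> 13,          # 802.1p priority, 3 bits
                dei=(tci >> 12) & 1,    # drop eligible indicator, 1 bit
                vid=tci & 0x0FFF,       # VLAN ID, 12 bits
                ethertype=inner_type,   # Ethertype of the encapsulated frame
                payload=frame[18:])
    return info


# Constructed untagged IPv4 frame: broadcast DA, a made-up SA, Ethertype 0x0800.
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("08002700982c")
            + struct.pack("!H", 0x0800) + b"\x45\x00")

if __name__ == "__main__":
    # VLAN 278 and priority 5, as a tagged port 1/1/24 would send it.
    print(parse_frame(tag_frame(UNTAGGED, vid=278, pcp=5)))
```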
Dynamic VLAN Membership
Dynamic VLAN Membership - Authenticated Method
• HOW IT WORKS
• Applies to users connected on authenticated ports
• Users must authenticate through an 802.1x client
• Authentication is based on either RADIUS, LDAP or TACACS+
- Successful login: the client is associated with the correct UNP

Authentication Method
⚫ MAC-based (non-supplicant)
or
⚫ 802.1x-based (supplicant)

[Figure: RADIUS Access-Request { "user", User-Password="xxxxxx" }; RADIUS Access-Accept + UNP name (Filter-ID = "UNP-name")]

* 802.1X and MAC authentication will be seen in more detail in the following chapter (Access Guardian)

[Figure: a UNP (R8) carries a VLAN ID, a Policy List (ACL, QoS), a Location and a Period. Examples: GUEST: VLAN 30, Internet only, medium bandwidth, low priority; EMPLOYEE: VLAN 20, no HR or Finance DB, medium bandwidth, medium priority. Location restricts network access based on the location of the user/device: the Chassis/Slot/Port on which the user is attached, the name of the switch on which the user is attached, or a switch location string identifying a group of switches. Period specifies the days and times during which a device can access the network.]

VLANs

How to
✓ Manage VLANs on the OmniSwitches

Contents
1 Topology ........................................................................................ 2
2 Creating a VLAN ............................................................................... 2
3 Creating Additional VLANs ................................................................... 7
4 Deleting VLANs & IP interfaces ............................................................ 11
2
VLANs

1 Topology
Below is the topology that will be used during this lab:

2 Creating a VLAN
VLANs provide the ability to segregate a network into multiple broadcast domains. Additionally, Virtual Router
ports (or IP Interfaces) can be assigned to VLANs to allow traffic to be switched at Layer 3.

- In its default configuration, the switch has only one VLAN, the VLAN 1. This is the default VLAN and all
ports are initially associated with it. This VLAN CANNOT be deleted, but it can be disabled if desired.
- Let’s run the command to see the VLANs that exist on the switch as well as information on a single VLAN
(ex. 6360-A):
sw5 (OS6360-A) -> show vlan
stree mble src
vlan type admin oper 1x1 flat auth ip tag lrn name
-----+-----+------+------+------+------+----+-----+-----+------+----------
1 std on off on on off off off on VLAN 1
2 std on off on on off off off on VLAN 2
4001 std on on on on off on off on Administration

- To display information on a specific VLAN:


sw5 (6360-A) -> show vlan 1
Name : VLAN 1,
Type : Static Vlan,
Administrative State : enabled,
Operational State : disabled,
IP Routing : disabled,
IP MTU : 1500

- Notice that the VLAN's Administrative State is enabled, but its Operational State is disabled. Without
members the VLAN is operationally down.

Notes
You can also list the ports and their associated VLAN (notice that the status of all the ports is “inactive”, so the
Vlan is operationally down):
-> show vlan members

- Enter the following command on the switch (OS6360-A):


sw5 (6360-A) -> show vlan members
vlan port type status
--------+------------+------------+--------------
1 1/1/1 default inactive
1 1/1/2 default inactive
1 1/1/3 default inactive
1 1/1/4 default inactive
1 1/1/5 default inactive
1 1/1/6 default inactive
1 1/1/7 default inactive
1 1/1/8 default inactive
1 1/1/9 default inactive
1 1/1/10 default inactive
1 1/1/11 default inactive
1 1/1/12 default inactive
1 1/1/13 default inactive
1 1/1/14 default inactive
1 1/1/15 default inactive
1 1/1/16 default inactive
1 1/1/17 default inactive
1 1/1/18 default inactive
1 1/1/19 default inactive
1 1/1/20 default inactive
1 1/1/21 default inactive
1 1/1/22 default inactive
1 1/1/23 default inactive
1 1/1/25 default inactive
1 1/1/26 default inactive
1 1/1/27 default inactive
1 1/1/28 default inactive
4001 1/1/24 default forwarding

- Display the VLAN assignment on a specific port (ex. port 1/1):


sw5 (6360-A) -> show vlan members port 1/1/1
vlan type status
--------+-----------+---------------
1 default inactive

- In order to have IP connectivity to a VLAN interface (not required for connectivity to other
clients/servers within a VLAN), an IP address (IP interface) must be assigned to a Virtual Router port and
associated to that VLAN. This IP address can then be used for IP connectivity as well as Layer 3
switching.

- To create the IP interface (ex. int_1 = IP interface name, 192.168.10.5 = IP@ of the IP Interface):
sw5 (6360-A) -> ip interface int_1 address 192.168.10.5/24

sw5 (6360-A) -> show ip interface


Total 3 interfaces
Flags (D=Directly-bound)
Name IP Address Subnet Mask Status Forward Device Flags
--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001
int_1 192.168.10.5 255.255.255.0 DOWN NO unbound

- The Device status is unbound because the IP interface has not been associated to a VLAN yet.
- To bind the IP Interface (ex. int_1) to a VLAN (ex. VLAN 1):
sw5 (6360-A) -> ip interface int_1 vlan 1

Notes
The last 2 commands can be merged into a single command:
-> ip interface int_1 address 192.168.10.5/24 vlan 1

- Check that the IP Interface is now associated to the VLAN 1:


sw5 (6360-A) -> show ip interface
Total 3 interfaces
Flags (D=Directly-bound)
Name IP Address Subnet Mask Status Forward Device Flags
--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001
int_1 192.168.10.5 255.255.255.0 DOWN YES vlan 1

- If Status = DOWN, it indicates no active ports or devices have been associated with the VLAN that the IP
interface has been assigned to. If an IP interface is DOWN, it cannot be connected to, will not reply to
PING requests nor will it be advertised in any router updates. This will not affect the Layer 2 broadcast
domain, however.
- Let's activate a port in VLAN 1 to bring the IP interface status to UP:
sw5 (6360-A) -> interfaces 1/1/1 admin-state enable

sw5 (6360-A) ->


Mon Jun 21 23:31:44 : intfCmm Mgr INFO message:
+++ Link 1/1/1 operationally up

Tips
The equipment connected to the port 1/1/1 of the 6360-A is the Client 5 virtual machine:

- Then check the port status:


sw5 (6360-A) -> show vlan members port 1/1/1
vlan type status
--------+-----------+---------------
1 default forwarding

- By default, all ports (including the port 1/1/1) belong to VLAN 1, so the VLAN 1 will become active.
- Run the command to check that the status of the IP interface is UP:
sw5 (6360-A) -> show ip interface
Total 3 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001
int_1 192.168.10.5 255.255.255.0 UP YES vlan 1

Now that the VLAN has an active port, let’s modify the IP information of the Client 5, and ping the IP
interface associated with VLAN 1.

- Open the virtual machine Client 5 and set its IP address:
  - Windows Desktop: double-click on VMware vSphere
  - Select the Client5 in the list
  - Click on Console tab
  - Double click on Network Connections
  - Select the network connection Pod
  - Click on Internet Protocol (TCP/IP)
  - Select Use the following IP address
    - IP address: 192.168.10.105
    - Subnet mask: 255.255.255.0
    - Default gateway: 192.168.10.5 (The IP address of VLAN 1 virtual router)

- From Client 5, open a command prompt and ping the switch’s VLAN 1 Virtual Router IP address. You
should now have IP connectivity:

3 Creating Additional VLANs


Currently, there is only the default VLAN created on the switch (except for the VLAN 4001, which is a VLAN used
for the R-Lab administration). The following steps will provide information on creating another VLAN, enabling
IP on the VLAN, moving ports into the VLAN, and forwarding IP packets between VLANs.

- To begin, let’s create a new VLAN and assign an IP address to that VLAN as done previously:
sw5 (6360-A) -> vlan 50
sw5 (6360-A) -> ip interface int_50 address 192.168.50.5/24 vlan 50

- Let's look at what we have configured so far:


sw5 (6360-A) -> show ip interface
Total 4 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001
int_1 192.168.10.5 255.255.255.0 UP YES vlan 1
int_50 192.168.50.5 255.255.255.0 DOWN NO vlan 50

sw5 (6360-A) -> show vlan


vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Ena Ena 1500 VLAN 1
50 std Ena Dis Ena 1500 VLAN 50
4001 std Ena Ena Ena 1500 Admin
4094 vcm Ena Dis Dis 1500 VCM IPC

- Why is the status of the IP interface int_50 DOWN?


> ___________________________________________________________________________________

- Assign the VLAN 50 to the port 1/1/2 where Client 9 is connected:


sw5 (6360-A) -> vlan 50 members port 1/1/2 untagged

sw5 (6360-A) -> show ip interface


Total 4 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001
int_1 192.168.10.5 255.255.255.0 UP YES vlan 1
int_50 192.168.50.5 255.255.255.0 DOWN NO vlan 50

sw5 (6360-A) -> show vlan members port 1/1/2


vlan type status
--------+-----------+---------------
50 default inactive

sw5 (6360-A) -> interface 1/1/2 admin-state enable

sw5 (6360-A) -> sh


Mon Jun 21 23:38:46 : intfCmm Mgr INFO message:
+++ Link 1/1/2 operationally up

sw5 (6360-A) -> show ip interface


Total 4 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001
int_1 192.168.10.5 255.255.255.0 UP YES vlan 1
int_50 192.168.50.5 255.255.255.0 UP YES vlan 50

- Assign an IP address to the Client 9:
  - Windows Desktop: double-click on VMware vSphere
  - Select the Client9 in the list
  - Click on Console tab
  - Double click on Network Connections
  - Select the network connection Pod
  - Click on Internet Protocol (TCP/IP)
  - Select Use the following IP address
    - IP address: 192.168.50.55
    - Subnet mask: 255.255.255.0
    - Default gateway: 192.168.50.5 (The IP address of VLAN 50 virtual router)
10
VLANs

The following diagram represents the current configuration.

By default, the switch will route packets between VLAN 1 and VLAN 50 using the IP interfaces that you have
created.

- Check the routing table on the switch:


sw5 (6360-A) -> show ip routes

+ = Equal cost multipath routes


Total 5 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
10.0.0.0/24 10.4.5.254 3d16h STATIC
10.4.5.0/24 10.4.5.5 3d16h LOCAL
127.0.0.1/32 127.0.0.1 3d16h LOCAL
192.168.10.0/24 192.168.10.5 00:11:04 LOCAL
192.168.50.0/24 192.168.50.5 00:04:03 LOCAL

- From client 9, open a command prompt and ping the client 5. You should now have IP connectivity:

4 Deleting VLANs & IP interfaces


- Before continuing with the other labs, remove the previous configuration: delete the VLAN 50, and the
IP interfaces (int_1 and int_50).
sw5 (6360-A) -> no ip interface int_50
sw5 (6360-A) -> no vlan 50
sw5 (6360-A) -> no ip interface int_1

Notes
VLAN 1 cannot be deleted. It can only be disabled.

- Check that the VLAN 50 and the IP interfaces have been correctly deleted:
sw5 (6360-A) -> show vlan
vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Ena Dis 1500 VLAN 1
4001 std Ena Ena Ena 1500 Admin
4094 vcm Ena Dis Dis 1500 VCM IPC

sw5 (6360-A) -> show ip interface


Total 2 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001
OmniSwitch R8
Diagnostic Tools

Objectives
Diagnostic Tools

At the end of this module, you will be able to:


• Use the Switch & Command Logging utilities
• Use the Remote MONitoring (RMON) application
• Enable the Port Mirroring feature
• Enable the Port Monitoring feature
• Check the Switch Health
• Use the sFlow Application
Switch logging
• Event logging utility
• useful in maintaining and servicing the switch
• Switch events can be logged to
  • Switch console
    -> swlog output console
  • Local text file
    -> swlog output flash
    - Configurable default file size 1250 Kbytes
  • Multiple remote devices (syslog), 12 max
    -> swlog output socket ipaddr 168.23.9.100
    - Loopback0 has to be configured
    -> swlog output socket console enable
      When this command is enabled, the syslog server is restarted and the console log is also sent to the remote syslog servers

Switch logging Output
sw1 (6900-A) -> show swlog
Operational Status : Running
File Size per file : 1250 Kbytes,
Log Device 1 : console flash,
Syslog FacilityID : local0(16),
Hash Table entries age limit : 60 seconds,
Switch Log Preamble : Enabled,
Switch Log Debug, : Disabled
Switch Log Duplicate Detection : Enabled,
Console Display Level : info,
RFC5424 Format Logging : Disabled,
Swlog Threshold : 90 percent
Switch Logging files
• Switch logging files are stored in the /flash directory
• Up to 7 Swlog log files can be stored in the /flash directory (from swlog_chassis1 to swlog_chassis1.6)
• An Swlog archive can store up to 40 files
• Configuring the Switch Logging File Size
  - -> swlog output flash file-size 500000 (in bytes)

sw1 (6900-A) -> ls -l
drwxr-xr-x 2 admin user 4096 Jun 7 09:15 app-signature
drwxr-xr-x 2 admin user 4096 Jun 7 07:57 certified
-rw-r--r-- 1 admin user 255 Jun 7 09:11 hwinfo
drwxr-xr-x 2 admin user 16384 Dec 18 2013 lost+found
drwxr-xr-x 2 admin user 4096 Feb 10 2016 network
drwxr-xr-x 3 admin user 4096 Apr 23 2015 pmd
drwxr-xr-x 7 admin user 4096 Jun 7 07:57 switch
drwxr-xr-x 2 admin user 4096 Jun 8 10:53 swlog_archive
-rw-r--r-- 1 root root 560111 Jun 10 12:50 swlog_chassis1
-rw-r--r-- 1 root root 1280031 Jun 10 12:44 swlog_chassis1.0
-rw-r--r-- 1 root root 1280067 Jun 10 12:28 swlog_chassis1.1
-rw-r--r-- 1 root root 1280027 Jun 10 12:12 swlog_chassis1.2
-rw-r--r-- 1 root root 1280041 Jun 10 11:56 swlog_chassis1.3
-rw-r--r-- 1 root root 1280094 Jun 10 11:41 swlog_chassis1.4
-rw-r--r-- 1 root root 1280125 Jun 10 11:26 swlog_chassis1.5
-rw-r--r-- 1 root root 1280100 Jun 10 11:12 swlog_chassis1.6
Displaying Switch Logging Records
• Clear the log files contents
  • -> swlog clear
• Clear both the log files contents and event logs
  • -> swlog clear all
• Displaying Switch Logging Records
  • -> show swlog
  • -> show log swlog

sw1 (6900-A) -> show swlog
Operational Status : Running
File Size per file : 1250 Kbytes,
Log Device 1 : console flash,
Syslog FacilityID : local0(16),
Hash Table entries age limit : 60 seconds,
Switch Log Preamble : Enabled,
Switch Log Debug, : Disabled
Switch Log Duplicate Detection : Enabled,
Console Display Level : info,
RFC5424 Format Logging : Disabled,
Swlog Threshold : 90 percent

sw1 (6900-A) -> show log swlog
/flash/swlog_chassis1.7 not found!
Displaying file contents for '/flash/swlog_chassis1.6'
2017 Jun 10 10:43:46 Pod18sw1 Switch log file reached 100%, overwritten !!!
2017 Jun 10 10:43:46 Pod18sw1 swlogd: ospf_0 INFO debug2(7) (11654):(3157):ENTER select usec=870000, lastMs=264773690, curMs=264773820.
2017 Jun 10 10:43:46 Pod18sw1 swlogd: SSAPP main info(5) sending trap for swlog failure trap
2017 Jun 10 10:43:47 Pod18sw1 swlogd: rip_0 INFO debug2(7) (9046):(1779):ripRun: ENTER select usec=998000, lastMs=264774578, curMs=264774630.
Switch Logging severity level
• Default severity level is "info". The numeric equivalent for the level "info" is 6
• It is also possible to assign different severity levels to different switch applications (some of
the events will then be filtered out of the display)
Switch Logging application ID levels of reporting
• Specific applications may have different levels of reporting and can be specified by their
application ID or by their numeric equivalent

show swlog appid ?


^
ALL <string>
SWLOG PMD ChassisSupervisor flashManager MIP_GATEWAY
ConfigManager capManCmm vc_licManager vcmCmm SSTIME SSAPP
mrvld capManSig fabric portMgrCmm vfcm intfCmm dafcCmm
linkAggCmm VlanMgrCmm ipmscmm pvlanCmm isis_spb_0 isisVc
stpCmm AGCMM slCmm mirMonSFlowCmm ipv4 ipv6 ipsecSys ipsec
tcamCmm qosCmm vstkCmm eoamCmm erpCmm NTP udpRelay
remoteConfig AAA havlanCmm SES rmon WEBVIEW trapmgr radCli
ldapClientCmm tacClientCmm healthCmm svcCmm lldpCmm udldCmm
evbCmm mpls saaCmm SNMP csEventMonitor bfdcmm mvrpCmm
dhcp6r messageService dhcpv6Srv dhcpSrv grm bcdcmm lpCmm
DG_CMM qmrCmm iprm_0 vrrp_0 ospf_0 flashManagerNI capManNi
vcmNi portMgrNi bcd vfcn intfNi dafcNi linkAggNi VlanMgrNi
stpNi erpNi vstkNi fdbmgr1 slNi healthNi ipni ip6ni
mirMonSFlowNi tcamni qosNi ipmsni svcNi evbNi lldpNi udldNi
bfdni mvrpNi AGNI DG_NI nipktrly loamNi eoamNi fdbmgr4 lpNi
fdbmgr3
Switch Logging application id
• Example of levels of reporting management for OSPF
• All sub applications
sw1 (6900-A) -> swlog appid ospf_0 subapp all level 8
or
sw1 (6900-A) -> swlog appid ospf_0 subapp all level debug3

• Only for the hello message


sw1 (6900-A) -> swlog appid ospf_0 subapp hello level debug3

sw1 (6900-A) -> swlog appid ospf_0 subapp ?


ALL <num> <string>
1=ERROR 2=WARNING 3=RECV 4=SEND
5=FLOOD 6=SPF 7=LSDB 8=RDB 9=AGE
10=VLINK 11=REDIST 12=SUMMARY
13=DBEXCH 14=HELLO 15=AUTH 16=STATE
17=AREA 18=INTF 19=CONFIG 20=INFO
21=SETUP 22=TIME 23=MIP 24=TM
25=RESTART 26=HELPER 27=HOST
28=AUTOCONFIG
Displaying Switch Logging Records
• Timestamps

• show log swlog [timestamp mm/dd/yyyy hh:mm:ss]

2017 Jun 10 10:43:59 Pod18sw1 swlogd: ospf_0 AREA debug2(7) (11654):(3254):[curTime=251171s] Flooding area 0.0.0.0
2017 Jun 10 10:43:59 Pod18sw1 swlogd: ospf_0 TIME debug2(7) (11654):(1259):Intf addr 172.16.17.1, curTime = 251171, helloTimer = 251497, deadTimer = 75447
2017 Jun 10 10:43:59 Pod18sw1 swlogd: ospf_0 TIME debug2(7) (11654):(1259):Intf addr 172.16.18.1, curTime = 251171, helloTimer = 251180, deadTimer = 66940
2017 Jun 10 10:43:59 Pod18sw1 swlogd: ospf_0 TIME debug2(7) (11654):(1259):Intf addr 192.168.110.1, curTime = 251171, helloTimer = 251180, deadTimer = 66940

• Application

• show log swlog |grep [appid] |grep [subapp] …

sw1 (6900-A) -> show log swlog |grep ospf


2017 Jun 10 10:43:46 Pod18sw1 swlogd: ospf_0 INFO debug2(7) (11654):(3157):ENTER select usec=870000, lastMs=264773690, curMs=264773820.
2017 Jun 10 10:43:47 Pod18sw1 swlogd: ospf_0 INFO debug2(7) (11654):(3163):EXIT select with n=0, lastMs=264773690, curMs=264773820, drcTimeGetMs=264774691
2017 Jun 10 10:43:47 Pod18sw1 swlogd: ospf_0 AREA debug2(7) (11654):(3254):[curTime=251159s] Flooding area 0.0.0.0
2017 Jun 10 10:43:47 Pod18sw1 swlogd: ospf_0 TIME debug2(7) (11654):(1259):Intf addr 172.16.17.1, curTime = 251159, helloTimer = 251497, deadTimer = 75447
2017 Jun 10 10:43:47 Pod18sw1 swlogd: ospf_0 TIME debug2(7) (11654):(1259):Intf addr 172.16.18.1, curTime = 251159, helloTimer = 251160, deadTimer = 66940
2017 Jun 10 10:43:47 Pod18sw1 swlogd: ospf_0 TIME debug2(7) (11654):(1259):Intf addr 192.168.110.1, curTime = 251159, helloTimer = 251160, deadTimer = 66940
2017 Jun 10 10:43:47 Pod18sw1 swlogd: ospf_0 INFO debug2(7) (11654):(3157):ENTER select usec=999000, lastMs=264774690, curMs=264774691.
Readable Customer Event Logs
• OmniSwitch is now designed to provide Readable Customer Event information about important
events on the Switch
- User-friendly, consistent and customer readable format.

• Use the following CLI commands to view Readable Customer Events.


- swlog appid command with level event to filter switch logging information for events
- swlog appid all subapp all level event

• To display customer event logs, enter the following command


- show log events

• The log output is in the following format:

- <SWLOG TIMESTAMP> : <CMM>/<NI> : <MODULE_NAME> : <LOG_DESCRIPTION>


- 2019 Apr 28 19:17: 8.83 : CMM : ChassisSupervisor : chassisTrapsAlert - CERTIFY w/ FLASH SYNCHRO process started
Command Logging
Overview
• Command Logging
• Logs commands and output
• Different than command history
• Displays additional information
• Creates command.log file in /flash directory
- Command results stored in command.log
• Deleting command.log deletes log history
- Cannot be deleted while command logging is enabled
• Stores 100 most recent commands

• Must be enabled
-> command-log enable/disable
-> swlog remote command-log enable/disable
Example
-> show command-log
Command : vlan 68 router ip 168.14.12.120
UserName : admin
Date : MON APR 28 01:42:24
Ip Addr : 128.251.19.240
Result : SUCCESS

Command : vlan 68 router ip 172.22.2.13


UserName : admin
Date : MON APR 28 01:41:51
Ip Addr : 128.251.19.240
Result : ERROR: Ip Address must not belong to IP VLAN 67 subnet

Command : command-log enable


UserName : admin
Date : MON APR 28 01:40:55
Ip Addr : 128.251.19.240
Result : SUCCESS

Command : command-log enable


UserName : admin
Date : MON APR 28 11:13:13
Ip Addr : console
Result : SUCCESS

-> show command-log status


CLI command logging: Enable
Port Mirroring
Overview
• Port Mirroring
- Copies all incoming and outgoing traffic from one switch port to another
- Provides the ability to perform a packet capture

• Ports supported
- Ethernet, Fast/ Gigabit Ethernet, 10/ 40 Gigabit Ethernet

• Sessions supported
- 2 per standalone switch and per stack

• N-to-1 Mirroring Supported


- 128 to 1 all models
- Port requirements - must be of identical capacity
• -> port mirroring <id> source <s/s/p> destination <s/s/p>
- -> port-mirroring 1 source 1/1/2-6 1/1/9 1/2/7 1/3/5 destination 1/2/4
Port monitoring
Port Monitoring
• Captures data and stores in Sniffer format on switch
• Ports supported
- Ethernet, Fast/ Gigabit Ethernet, 10/40 Gigabit Ethernet
• Captures first 64-bytes of frame
• Session supported per switch or stack: 1
• Default file size:
- R8: 64 KB (max = 2 MB)
• Round-Robin or stop capture when max storage reached
• Cannot use port monitoring and mirroring on same port
• Data stored in compliance with the ENC file format (Network General Sniffer Format)
-> port monitoring 6 source 1/2/3 enable
- 6 – session ID
- Session can be paused, resumed, disabled and associated with a timeout
• -> show port monitor file
Remote monitoring
Remote Monitoring - RMON
• RMON probes are used to collect, interpret and forward statistical data about network traffic
from designated active ports in a LAN segment
- Can be monitored using OmniVista
- 4 groups supported:
 Ethernet Statistics – Gather Ethernet port statistics (e.g. port utilization, error statistics)
 History Group - Stores samplings such as utilization and error count
 Alarms Group – Compare samplings to thresholds (e.g. absolute or relative, rising and falling thresholds)
 Events Group – Controls event generation and notification to the NMS station

• -> rmon probes alarm enable
• -> rmon probes stats enable
• -> show rmon probes history 30562
Entry 10325
Flavor = History, Status = Active
Time = 48 hrs 53 mins,
System Resources (bytes) = 601
Probe's Owner: Analyzer-p:128.251.18.166 on Slot 1, Port 35
History Control Buckets Requested = 2
History Control Buckets Granted = 2
History Control Interval = 30 seconds
History Sample Index = 5859
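As an added example (not from the course material or the OmniSwitch software), the following Python re-implements the Alarms and Events group behaviour described above with RFC 2819 semantics: absolute or delta sampling, rising and falling thresholds, and the hysteresis that stops a second rising event until the value has come back down to the falling threshold. The variable names, thresholds and readings are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    """One RMON alarm-table entry, re-implemented here with RFC 2819 semantics."""
    variable: str                     # monitored MIB variable (label only, constructed)
    sample_type: str                  # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    startup: str = "risingOrFalling"  # "rising", "falling" or "risingOrFalling"
    last_raw: Optional[int] = None    # previous raw reading (delta sampling)
    prev_value: Optional[int] = None  # sampled value at the last interval
    last_event: Optional[str] = None  # last event fired: the hysteresis state

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:      # a delta needs two readings
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        first = self.prev_value is None
        event = None
        # Rising: the value crosses the rising threshold from below (or sits above it on the
        # first sample when startup allows) and no rising event fired since the last falling one.
        if (value >= self.rising_threshold and self.last_event != "rising"
                and ((first and self.startup in ("rising", "risingOrFalling"))
                     or (not first and self.prev_value < self.rising_threshold))):
            event = "rising"
        # Falling: mirror image of the rising rule.
        elif (value <= self.falling_threshold and self.last_event != "falling"
                and ((first and self.startup in ("falling", "risingOrFalling"))
                     or (not first and self.prev_value > self.falling_threshold))):
            event = "falling"
        self.prev_value = value
        if event:
            self.last_event = event
        return event


@dataclass
class EventGroup:
    """Minimal RMON event group: keeps the log an NMS would be notified from."""
    log: List[Tuple[int, str, str, int]] = field(default_factory=list)

    def notify(self, index: int, alarm: RmonAlarm, event: str) -> None:
        self.log.append((index, alarm.variable, event, alarm.prev_value))


def run_alarm(alarm: RmonAlarm, readings: List[int], events: EventGroup) -> List[Tuple[int, str]]:
    """Feed readings in order; return (sample index, event) for each threshold crossing."""
    fired = []
    for index, raw in enumerate(readings):
        event = alarm.sample(raw)
        if event:
            events.notify(index, alarm, event)
            fired.append((index, event))
    return fired


# Constructed readings: port utilisation in percent (absolute) and an error counter (delta).
UTIL_READINGS = [50, 85, 90, 70, 55, 85]
ERROR_COUNTER = [100, 100, 150, 160, 160]

if __name__ == "__main__":
    events = EventGroup()
    util = RmonAlarm("ifUtilization 1/1/1", "absolute", 80, 60, startup="rising")
    errs = RmonAlarm("ifInErrors 1/1/1", "delta", 40, 5)
    print(run_alarm(util, UTIL_READINGS, events))  # 90 after 85 fires nothing: hysteresis
    print(run_alarm(errs, ERROR_COUNTER, events))
    for entry in events.log:
        print(entry)
```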
System Health
Overview
• Monitors switch resource utilization and thresholds
- Switch-level Input/Output
- Memory and CPU Utilization Levels
• Most recent utilization level (percentage)
• Average utilization level over the last minute (percentage)
• Average utilization level over the last hour (percentage)
• Maximum utilization level over the last hour (percentage)
• Threshold level
-> show health
sw8 (6860-B) -> show health
CMM Current 1 Min 1 Hr 1 Day
Resources Avg Avg Avg
----------------------+---------+-------+-------+-------
CPU 11 13 11 0
Memory 57 57 57 0
sFlow
sFlow - Network monitoring technology
• Industry standard with many vendors
- Delivering products with sFlow support (RFC 3176)
- Gives visibility in to the activity of the network
- Provides network usage information and network wide view of usage and active routes
- Used for measuring network traffic, collecting, storing and analyzing the traffic data
• sFlow data applications
• Detecting, diagnosing and fixing network problems
• Real time congestion management
• detecting unauthorized network activity (DOS)
• Usage accounting and billing
• Understanding application mix (web, DNS etc.)
• Route profiling and peering optimization
• Capacity planning
Diagram: OmniSwitch sFlow Agent - Forwarding tables, Interface counters and Switching ASICs feed the Sampling process, which exports to the Network
Overview
• Traffic flows monitoring and sampling technology embedded within switches
- sFlow Agent software process running as part of the switch software
- sFlow Collector which receives, analyses the monitored data (3rd Party software)
- sFlow Collector makes use of SNMP to communicate with a sFlow agent in order to configure sFlow monitoring on
the device (switch)
Diagram: content of an sFlow sample - Packet Header, In/out if, Sampling Rate / pool, Forwarding params (Src 802.1p/Q, Dst 802.1p/Q, Next hop, Src/dst mask, AS path, Communities), User ID (Src/Dst Radius, TACACS), URL, counters
Switch Configuration
AGENT
• One agent to represent whole switch
• -> ip service source-ip {Loopback0 | interface-name} sflow
• -> show sflow agent
RECEIVER
• Represents the remote collector {destination IP address + port}
• Encodes samples into UDP datagrams
• -> sflow receiver 1 name Server1 address 192.168.1.100
• -> sflow receiver 2 name server2 address 172.30.130.102
• -> show sflow receiver
SAMPLER
• One Sampler for each interface
• Collects packet samples
• -> sflow sampler 1 port 1/1/6 receiver 1 rate 5 sample-hdr-size 64
• -> show sflow sampler
POLLER
• One Poller for each interface
• Collects counter samples
• -> sflow poller 1 port 1/1/6 receiver 1 interval 20
• -> show sflow poller
OmniSwitch AOS R8

Switch maintenance and Diagnostics tools

How to
✓ This lab is designed to familiarize you with some basic troubleshooting and
debugging tools on an OmniSwitch.

Contents
1 Switch Logging ................................................................................. 2
2 Readable Customer Event Logs.............................................................. 3
3 Command Logging ............................................................................. 4
4 Port Mirroring .................................................................................. 5
5 Port Monitoring ................................................................................ 5
6 Health ........................................................................................... 7
7 RMON............................................................................................ 7
2
Switch maintenance and Diagnostics tools

1 Switch Logging
Switch Logging can be used to track informational or debugging messages from the switch. Which messages
are recorded depends on the severity level set for a particular process. Logging can be configured to send its
output to flash, the console, or an external server. By default, switch logging is enabled.
- On the 6860-A, type the following:
sw7 (6860-A) -> show swlog
Operational Status : Running,
File Size per file : 1250 Kbytes,
Log Device 1 : console flash,
Syslog FacilityID : local0(16),
Hash Table entries age limit : 60 seconds,
Switch Log Preamble : Enabled,
Switch Log Debug : Disabled,
Switch Log Duplicate Detection : Enabled,
Console Display Level : info

- You should see that logging is running and sending its output to both flash and the console. It does not
mean that all messages will be displayed on the console, only messages matching the severity level, by
default, informational (6). Logging can be disabled if desired.
- Type the following:
sw7 (6860-A) -> swlog disable

sw7 (6860-A) -> show swlog


Operational Status : Not Running,
File Size per file : 1250 Kbytes,
Log Device 1 : console flash,
Syslog FacilityID : local0(16),
Hash Table entries age limit : 60 seconds,
Switch Log Preamble : Enabled,
Switch Log Debug : Disabled,
Switch Log Duplicate Detection : Enabled,
Console Display Level : info

- To re-enable logging enter :


sw7 (6860-A) -> swlog enable

- The logging feature has a number of application IDs. These IDs are used to determine which process
generated the logging message and at what severity level. Consult the user guide for a list of processes
and associated severity levels. By default all processes are set to a severity level of 6, which is
informational, as indicated above. All logging messages are stored in the swlog*.log files and can be
viewed right on the switch.
sw7 (6860-A) -> show log swlog

Notes
Use CTRL+C keys to stop the display of the file.
You may also use show log swlog | grep “string to find” or show log swlog timestamp mm/dd/yy
hh:mm:ss to find specific information on the log file.

2 Readable Customer Event Logs

AOS is now designed to provide Readable Customer Event information about important events on the
OmniSwitch in a user-friendly, consistent and customer readable format. A new set of CLI commands is
introduced to view Readable Customer Events. Unlike the AOS syslog, the Readable Customer Event feature
provides logs for the most significant switch events.

- On the 6860-A, type the following:

sw7 (6860-A) -> swlog appid all subapp all level event

- To display customer event logs, enter the following command.


sw7 (6860-A) -> show log events
2019 Jul 15 20:26:27.515 : CMM : vc_licManager : Demo License will expire on date: 7/14/2019
2019 Jul 15 20:26:53.212 : CMM : ChassisSupervisor : chassisTrapsAlert - Power supply is OK: PS 1
2019 Jul 15 20:26:53.213 : CMM : ChassisSupervisor : chassisTrapsAlert - All power supplies OK
2019 Jul 15 20:26:53.213 : CMM : ChassisSupervisor : The switch was restarted by the user
2019 Jul 15 20:26:53.213 : CMM : ChassisSupervisor : chassisTrapsAlert - CMM startup completed
2019 Jul 15 20:27:35.755 : CMM : stpCmm : STP instance 1: Bridge has become new Root
2019 Jul 15 20:27:50.148 : CMM : vcmCmm : Virtual Chassis: Chassis 1 Role changed to Master
2019 Jul 15 20:27:50.148 : CMM : vcmCmm : Virtual Chassis: Chassis 1 Status changed to Running
2019 Jul 15 20:27:50.149 : CMM : ChassisSupervisor : Sending VC Takeover to NIs and applications [L6]
2019 Jul 15 20:27:52.299 : CMM : ChassisSupervisor : System Ready
2019 Jul 15 20:37:21.569 : CMM : stpCmm : STP instance 112: Bridge has become new Root
2019 Jul 15 20:39:47.696 : CMM : intfCmm : Link 1/2/1 operationally up
2019 Jul 15 20:39:51.772 : CMM : stpCmm : STP instance 112: Root port change detected
2019 Jul 15 20:47: 3.234 : CMM : intfCmm : Link 1/2/1 operationally down
2019 Jul 15 20:47: 4.370 : CMM : stpCmm : STP instance 112: Bridge has become new Root
2019 Jul 15 20:49:32.102 : CMM : intfCmm : Link 1/2/1 operationally up
...

- Compare the output of this command with the show log swlog output from the previous section, and
notice the difference between the two.
The show log events command has the following output format:

<SWLOG TIMESTAMP>: <CMM>/<NI>: <MODULE_NAME>: <LOG_DESCRIPTION>
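As an added example (not from the course material or the OmniSwitch software), the following Python parses both record formats shown in the switch logging and Readable Customer Event sections, the swlogd line and the show log events line, and lists the entries a defender would review: a wrapped log file (earlier records lost), a restart, a link down and an STP root change. The sample lines are constructed from the guide's output; the alert patterns and the rule that any swlog level other than info/debug is noteworthy are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# swlog record as shown by "show log swlog":
#   <YYYY Mon DD HH:MM:SS> <host> swlogd: <appid> <subapp> <level>(<num>) <message>
# Lines written by the logger itself ("Switch log file reached 100%") carry no swlogd: part.
SWLOG_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:swlogd: (?P<appid>\S+) (?P<subapp>\S+) (?P<level>[A-Za-z]+\d?)\((?P<sev>\d+)\) )?"
    r"(?P<msg>.*)$"
)
# Readable Customer Event as shown by "show log events":
#   <SWLOG TIMESTAMP> : <CMM>/<NI> : <MODULE_NAME> : <LOG_DESCRIPTION>
# The seconds field may be space padded ("20:47: 3.234"), as in the lab output.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}: ?\d{1,2}\.\d+) : "
    r"(?P<src>CMM|NI) : (?P<module>\S+) : (?P<msg>.*)$"
)


@dataclass
class LogRecord:
    kind: str              # "swlog" or "event"
    timestamp: str
    module: str            # swlog appid or event MODULE_NAME ("-" when absent)
    subapp: Optional[str]  # swlog sub-application (INFO, AREA, TIME, ...)
    level: Optional[str]   # swlog level name (info, debug2, ...); None for events
    message: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord for either format, or None for a line that is neither."""
    m = EVENT_RE.match(line)
    if m:
        return LogRecord("event", m["ts"], m["module"], None, None, m["msg"].strip())
    m = SWLOG_RE.match(line)
    if m:
        return LogRecord("swlog", m["ts"], m["appid"] or "-", m["subapp"],
                         m["level"], m["msg"].strip())
    return None


# Messages worth a second look (assumed list, drawn from the guide's own sample output).
ALERT_PATTERNS = [
    (re.compile(r"log file reached 100%"), "swlog wrapped: older records overwritten"),
    (re.compile(r"restarted by the user"), "switch restart"),
    (re.compile(r"operationally down"), "link down"),
    (re.compile(r"Bridge has become new Root"), "STP root change"),
    (re.compile(r"Role changed to Master"), "virtual chassis role change"),
]


def find_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, module, reason) for each line a reviewer should look at."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Assumption: any swlog level other than info/debug* is noteworthy on its own.
        if rec.level and rec.level != "info" and not rec.level.startswith("debug"):
            alerts.append((rec.timestamp, rec.module, "severity " + rec.level))
            continue
        for pattern, reason in ALERT_PATTERNS:
            if pattern.search(rec.message):
                alerts.append((rec.timestamp, rec.module, reason))
                break
    return alerts


# Constructed sample lines, in the formats the guide shows.
SAMPLE_LINES = [
    "2017 Jun 10 10:43:46 Pod18sw1 Switch log file reached 100%, overwritten !!!",
    "2017 Jun 10 10:43:46 Pod18sw1 swlogd: ospf_0 INFO debug2(7) (11654):(3157):ENTER select usec=870000",
    "2017 Jun 10 10:43:46 Pod18sw1 swlogd: SSAPP main info(5) sending trap for swlog failure trap",
    "2019 Jul 15 20:26:53.213 : CMM : ChassisSupervisor : The switch was restarted by the user",
    "2019 Jul 15 20:39:47.696 : CMM : intfCmm : Link 1/2/1 operationally up",
    "2019 Jul 15 20:47: 3.234 : CMM : intfCmm : Link 1/2/1 operationally down",
    "2019 Jul 15 20:47: 4.370 : CMM : stpCmm : STP instance 112: Bridge has become new Root",
    "this line is not a log record",
]

if __name__ == "__main__":
    for ts, module, reason in find_alerts(SAMPLE_LINES):
        print(f"{ts}  {module:<18} {reason}")
```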



3 Command Logging
Like switch logging, commands entered on the OmniSwitch can be captured to a log file. These can then be
reviewed later to see what changes have been made. This is a very valuable tool, especially when modifying
the switch configuration.
- Type the following:
sw7 (6860-A) -> show command-log

sw7 (6860-A) -> command-log enable

- Let's create and delete a couple of VLAN's to demonstrate:


sw7 (6860-A) -> vlan 4-5

sw7 (6860-A) -> no vlan 4-5

sw7 (6860-A) -> show command-log


Command : no vlan 4-5
UserName : admin
Date : Tue Feb 11 03:54:58
Ip Addr : console
Result : SUCCESS

Command : vlan 4-5


UserName : admin
Date : Tue Feb 11 03:54:53
Ip Addr : console
Result : SUCCESS

Command : command-log enable


UserName : admin
Date : Tue Feb 11 03:53:33
Ip Addr : console
Result : SUCCESS

- You should now see the commands you entered displayed on the screen with information about the time
and where they were entered from, such as a console or TELNET session.
- To disable it enter :
sw7 (6860-A) -> command-log disable
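Added example, not part of the lab or the switch software: an audit pass over show command-log output in the record format shown above, reporting failed commands, commands that switch the audit trail off, and how many commands came from each user and source address. The records are constructed; the list of audit-off commands (swlog disable, command-log disable) is an assumption built from commands used in this guide.

```python
import re
from typing import Dict, List, Tuple

# One "show command-log" record is a block of "Key : value" lines; each starts with "Command".
FIELD_RE = re.compile(r"^(Command|UserName|Date|Ip Addr|Result)\s*:\s*(.*)$")


def parse_command_log(text: str) -> List[Dict[str, str]]:
    """Split 'show command-log' output into one dict per record, in the order shown."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Command" and current:   # a new record begins
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


# Commands that switch the audit trail off (assumed list, built from commands in this guide).
AUDIT_OFF_PREFIXES = ("command-log disable", "swlog disable")


def audit(records: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (date, source, command, reason) for records a reviewer should check."""
    findings = []
    for r in records:
        cmd, result, src, date = (r.get(k, "") for k in ("Command", "Result", "Ip Addr", "Date"))
        if not result.startswith("SUCCESS"):
            findings.append((date, src, cmd, "failed: " + result))
        if cmd.startswith(AUDIT_OFF_PREFIXES):
            findings.append((date, src, cmd, "audit trail disabled"))
    return findings


def sources(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count commands per (user, source); remote addresses stand out next to 'console'."""
    counts: Dict[Tuple[str, str], int] = {}
    for r in records:
        key = (r.get("UserName", "?"), r.get("Ip Addr", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample output in the format the guide shows (not a real capture).
SAMPLE_COMMAND_LOG = """\
Command : swlog disable
UserName : admin
Date : Tue Feb 11 04:10:02
Ip Addr : 128.251.19.240
Result : SUCCESS

Command : no vlan 4-5
UserName : admin
Date : Tue Feb 11 03:54:58
Ip Addr : console
Result : SUCCESS

Command : vlan 68 router ip 172.22.2.13
UserName : admin
Date : MON APR 28 01:41:51
Ip Addr : 128.251.19.240
Result : ERROR: Ip Address must not belong to IP VLAN 67 subnet

Command : command-log enable
UserName : admin
Date : Tue Feb 11 03:53:33
Ip Addr : console
Result : SUCCESS
"""

if __name__ == "__main__":
    recs = parse_command_log(SAMPLE_COMMAND_LOG)
    for finding in audit(recs):
        print(finding)
    print(sources(recs))
```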

4 Port Mirroring
Port mirroring can be configured to copy traffic from one or multiple ports to another. The destination port
would normally have a traffic analyzer connected.
- Let’s create a mirroring session to copy traffic from one port to another.
sw7 (6860-A) -> port-mirroring 1 source port 1/1/1 destination port 1/1/10

sw7 (6860-A) -> port-mirroring 1 enable

sw7 (6860-A) -> show port-mirroring status 1

Session Mirror Mirror Unblocked RPMIR Config Oper


Destination Direction Vlan Vlan Status Status
----------+-----------+--------------+----------+---------+----------+---------
1. 1/1/10 - NONE NONE Enable On
----------+-----------+--------------+----------+---------+----------+---------
Mirror
Source
----------+-----------+--------------+----------+---------+----------+---------
1. 1/1/1 bidirectional - - Enable On

- To remove a port mirroring session, enter :


sw7 (6860-A) -> no port-mirroring 1

The maximum number of mirroring sessions is limited to two.

5 Port Monitoring
Port Monitoring makes it possible to capture traffic being sent to and from a port and store it in /flash in
".enc" (or Sniffer) format. The data is stored in a file named pmonitor.enc by default, but this can be
modified. The file can then be transferred off the switch and viewed in detail using a traffic analyzer. It is
also possible to display the output directly to the console or to a telnet session.
- Start a port monitoring session :
sw7 (6860-A) -> interfaces 1/1/1 admin-state enable
sw7 (6860-A) -> port-monitoring 1 source port 1/1/1 enable

sw7 (6860-A) -> show port-monitoring status

Sess  Mon.   Mon.  Over   Oper.  Admin  Capt.  Max.  File
      Src    Dir   write  Stat   Stat   Type   Size  Name
-----+-------+----+-----+------+------+-------+------+-----------------------
1.    1/1/1  Bi    ON     ON     ON     Brief  64K   /flash/pmonitor.enc

- Generate traffic from client by issuing pings to any reachable address.


- The session can be paused and resumed if necessary, type the following:
sw7 (6860-A) -> port-monitoring 1 pause

sw7 (6860-A) -> show port-monitoring status

Sess  Mon.   Mon.  Over   Oper.  Admin  Capt.  Max.  File
      Src    Dir   write  Stat   Stat   Type   Size  Name
-----+-------+----+-----+------+------+-------+------+-----------------------
1.    1/1/1  Bi    ON     OFF    ON     Brief  64K   /flash/pmonitor.enc

sw7 (6860-A) -> port-monitoring 1 resume


sw7 (6860-A) -> port-monitoring 1 disable
WARNING:
Monitored data is available in file /flash/pmonitor.enc

- You should now see a message indicating that it has finished writing the capture file. The data is stored in
a file called pmonitor.enc in the /flash directory.
sw7 (6860-A) -> ls -l
total 7948
-rw-r--r-- 1 admin user 4053444 Jan 1 2021 UAppSig.upgrade_kit
drwxr-xr-x 2 admin user 4096 Jan 5 2021 bootflash
drwxr-xr-x 2 admin user 4096 Jan 1 00:06 certified
-rw-r--r-- 1 admin user 66402 Feb 11 03:54 command.log
drwxr-xr-x 2 admin user 4096 Dec 4 17:20 diags
-rw-r--r-- 1 admin user 526184 Dec 4 17:20 eeprom
drwxr-xr-x 5 admin user 4096 Jan 1 00:04 externalCPU
drwxr-xr-x 2 admin user 4096 Feb 8 01:19 foss
-rw-r--r-- 1 admin user 239 Feb 8 01:20 hwinfo
drwxr-xr-x 2 admin user 4096 Jan 1 2021 labinit
drwxr-xr-x 2 admin user 16384 Dec 4 17:21 lost+found
drwxr-xr-x 2 admin user 4096 Jan 5 2021 network
drwxr-xr-x 3 admin user 4096 Jan 5 2021 pmd
-------r-- 1 root root 4835 Feb 11 04:09 pmonitor.enc
drwxrwx--- 2 root admins 4096 Jan 1 00:00 python
-rw-r--r-- 1 admin user 2848 Jan 2 21:45 snapall
drwxr-xr-x 6 admin user 4096 Jan 1 00:01 switch
-rw-r--r-- 1 admin user 735660 Jan 1 2021 swlog
drwxr-xr-x 2 admin user 4096 Feb 8 01:21 swlog_archive
-rw-r--r-- 1 admin user 740893 Feb 11 04:09 swlog_chassis1
-rw-r--r-- 1 admin user 1280009 Feb 7 19:13 swlog_chassis1.0
drwxr-xr-x 2 admin user 4096 Jan 5 2021 system
-------r-- 1 root root 4835 Feb 11 02:06 test.cap
-rw-r--r-- 1 admin user 594809 Jan 1 2021 u-boot.8.2.1.R01.255.tar.gz
-rw-r--r-- 1 admin user 3453 Jan 1 2021 u-boot_copy
drwxr-xr-x 2 admin user 4096 Feb 8 01:20 working

- To display the capture, enter :


sw7 (6860-A) -> show port-monitoring file
Destination | Source | Type | Data
-------------------------------------------------------------------------------
01:80:C2:00:00:00 | E8:E7:32:F6:16:20 | 2700 | 00:27:42:42:03:00:00:02:02:7C

01:80:C2:00:00:00 | E8:E7:32:F6:16:20 | 2700 | 00:27:42:42:03:00:00:02:02:7C

01:80:C2:00:00:00 | E8:E7:32:F6:16:20 | 2700 | 00:27:42:42:03:00:00:02:02:7C

01:80:C2:00:00:00 | E8:E7:32:F6:16:20 | 2700 | 00:27:42:42:03:00:00:02:02:7C

01:80:C2:00:00:00 | E8:E7:32:F6:16:20 | 2700 | 00:27:42:42:03:00:00:02:02:7C

- Use the ‘?’ to display additional parameters. How would you change the name of the capture file?
sw7 (6860-A) -> show port-monitoring ?
^
STATUS FILE

- When done, delete the monitoring session.

sw7 (6860-A) -> show port-monitoring status

Sess  Mon.   Mon.  Over   Oper.  Admin  Capt.  Max.  File
      Src    Dir   write  Stat   Stat   Type   Size  Name
-----+-------+----+-----+------+------+-------+------+-----------------------
1.    1/1/1  Bi    ON     OFF    ON     Brief  64K   /flash/pmonitor.enc

sw7 (6860-A) -> no port-monitoring 1



6 Health
The Health feature can be used to gather basic information on the state of the switch such as CPU, memory
and traffic utilization information.
sw7 (6860-A) -> show health
CMM Current 1 Min 1 Hr 1 Day
Resources Avg Avg Avg
----------------------+---------+-------+-------+-------
CPU 7 7 7 6
Memory 64 64 64 64

sw7 (6860-A) -> show health slot 1/1


Slot 1/ 1 Current 1 Min 1 Hr 1 Day
Resources Avg Avg Avg
----------------------+---------+-------+-------+-------
CPU 9 7 7 6
Memory 65 65 65 65
Receive 0 0 0 0
Receive/Transmit 0 0 0 0

7 RMON
Remote Monitoring can be used to gather statistics for displaying in OmniVista or other NMS solutions.

Make sure that interface 1/1/1 is enabled so that statistics are collected for it:
sw7 (6860-A) -> interfaces 1/1/1 admin-state enable

sw7 (6860-A) -> show rmon probes

Chassis/
Entry Slot/Port Flavor Status Duration System Resources
-------+----------+---------+-----------+------------+----------------
1001 1/1/1 Ethernet Active 74:21:55 300 bytes
1004 1/1/4 Ethernet Active 74:21:55 300 bytes
1010 1/1/10 Ethernet Active 74:21:55 301 bytes
1023 1/1/23 Ethernet Active 74:21:55 301 bytes
1024 1/1/24 Ethernet Active 74:21:55 301 bytes
1003 1/1/3 Ethernet Active 74:21:55 300 bytes
1006 1/1/6 Ethernet Active 74:21:54 300 bytes
1005 1/1/5 Ethernet Active 74:21:54 300 bytes
1009 1/1/9 Ethernet Active 72:50:10 300 bytes
1007 1/1/7 Ethernet Active 01:13:21 300 bytes

sw7 (6860-A) -> show rmon probes history

Chassis/
Entry Slot/Port Flavor Status Duration System Resources
-------+----------+---------+-----------+------------+----------------
1 1/1/1 History Active 74:22:28 5470 bytes
2 1/1/4 History Active 74:22:28 5470 bytes
3 1/1/10 History Active 74:22:28 5471 bytes
4 1/1/23 History Active 74:22:28 5471 bytes
5 1/1/24 History Active 74:22:28 5471 bytes
6 1/1/3 History Active 74:22:28 5470 bytes
7 1/1/6 History Active 74:22:27 5470 bytes
8 1/1/5 History Active 74:22:27 5470 bytes
9 1/1/9 History Active 72:50:43 5470 bytes
10 1/1/7 History Active 01:13:54 5470 bytes

sw7 (6860-A) -> show rmon probes stats

        Chassis/
Entry   Slot/Port  Flavor    Status      Duration     System Resources
-------+----------+---------+-----------+------------+----------------
1001    1/1/1      Ethernet  Active      74:22:36     300 bytes
1004    1/1/4      Ethernet  Active      74:22:36     300 bytes
1010    1/1/10     Ethernet  Active      74:22:36     301 bytes
1023    1/1/23     Ethernet  Active      74:22:36     301 bytes
1024    1/1/24     Ethernet  Active      74:22:36     301 bytes
1003    1/1/3      Ethernet  Active      74:22:36     300 bytes
1006    1/1/6      Ethernet  Active      74:22:35     300 bytes
1005    1/1/5      Ethernet  Active      74:22:35     300 bytes
1009    1/1/9      Ethernet  Active      72:50:51     300 bytes
1007    1/1/7      Ethernet  Active      01:14:02     300 bytes

sw7 (6860-A) -> show rmon probes 1001

Probe's Owner: Switch Auto Probe on Chassis 1, Slot 1, Port 1, ifindex 1001
Entry 1001
Flavor = Ethernet, Status = Active,
Time = 74 hrs 23 mins,
System Resources (bytes) = 300
OmniSwitch R8
Link Aggregation Groups

Objectives
Link Aggregation Groups

At the end of this module, you will be able to:

• Understand the Link Aggregation operation on AOS based switches
• Learn how to configure
  • Static Link Aggregation
  • Dynamic Link Aggregation
  • Load Balancing Control
Overview
• Goal
  • Method of aggregating (combining) two or more ports/links so that the switch will "see" them as one
    logical link

• Advantages of Link Aggregation
  • Scalability
  • Reliability
  • Ease of Migration
  • The logical link can be statically assigned to any VLAN
  • 802.1q tagging can be configured on the logical aggregated link

• Provides an aggregated link (multiple physical links combined into one logical link)
Specifications
• Static (OmniChannel) or Dynamic (IEEE 802.3ad/LACP)
Static vs. Dynamic
• Difference between Static and Dynamic

• Static
- Port parameters MUST be exactly the same at both ends and within the group
• same speed (e.g., all 10 Mbps, all 100 Mbps, all 1 Gigabit, or all 10 Gigabit)
- Only works between Alcatel-Lucent OmniSwitches

• Dynamic
- IEEE 802.3ad LACP
- LACP negotiates the parameters for both ends using LACPDUs (Link Aggregation Control Protocol Data Units)
- Ports must be of the same speed within the same aggregate group
- It also works between devices from different vendors, such as switches, servers and storage systems.
Static Link Aggregation Groups - CLI
Creating a Static Aggregate Group
• -> linkagg static agg <agg_num> size <size> admin-state enable

Adding Ports to a Static Aggregate Group
• -> linkagg static port <chassis/slot/port> agg <agg_num>

Removing Ports from a Static Aggregate Group
• -> no linkagg static port <chassis/slot/port>

Dynamic Link Aggregation Groups - CLI
Configuring a Dynamic Link Aggregation Group
• -> linkagg lacp agg <agg_num> size <size> admin-state enable
• -> linkagg lacp agg <agg_num> actor admin-key <actor_admin_key>

Assigning ports to the Dynamic Link Aggregation Group (a port joins the aggregate whose actor admin key it
is given)
• -> linkagg lacp port <chassis/slot/port> actor admin-key <actor_admin_key>
Monitoring
• Static & Dynamic Link Aggregation Groups can be used for VLAN tagging (802.1q)
• -> vlan <vlan_id> members linkagg <agg_num> untagged
• -> vlan <vlan_id> members linkagg <agg_num> tagged

• Useful monitoring commands:
• -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
------+----------+--------+-----+-------------+------------+-------------
1 Static 40000001 8 ENABLED UP 2 2
2 Dynamic 40000002 4 ENABLED DOWN 0 0
3 Dynamic 40000003 8 ENABLED DOWN 0 2
4 Static 40000005 2 DISABLED DOWN 0 0

• -> show linkagg agg <agg_num> port [<chassis/slot/port>]

Link aggregation statistics
• To display the statistics for a linkagg, all the physical ports in the linkagg are identified, and the
relevant statistics are aggregated and displayed by the various show commands.

Command                   Usage
show linkagg counters     Displays statistics collected for the type and number of packets transmitted and
                          received on link aggregate ports.
show linkagg traffic      Displays the total number of packets and bytes that are received and transmitted on
                          link aggregate ports.
show linkagg accounting   Displays statistics collected for packets transmitted and received on link
                          aggregate ports.
show linkagg port         Displays information about link aggregation ports.

Load Balancing control
Hashing Control Algorithm
[Figure: in brief mode the Source Address and Destination Address are hashed to select the server/link; in
extended mode the UDP/TCP Port is hashed as well]

• Hashing Control
  • Control over the hashing mode used for:
    - Link Aggregation
    - ECMP
    - Server Load Balancing

• Two hashing algorithms available
  • Brief Mode:
    - UDP/TCP ports not included
    - Only source IP and destination IP addresses are considered
    -> hash-control brief
  • Extended Mode:
    - UDP/TCP ports included in the hashing algorithm
    - Results in more efficient load balancing
    -> hash-control extended [ udp-tcp-port | no ]

• Switch default hashing mode
  Platform   Default
  9900       extended
  6900       brief
  6860       extended
  6865       extended
  6560       extended
  6465       brief
Load Balancing Multicast on Link Aggregation Groups
• Multicast traffic is by default forwarded through the primary port of the Link Aggregation Group

• User has the option to enable hashing for non-unicast traffic, which will load balance the non-unicast
traffic across all ports in the Link Aggregation Group

• If non-ucast option is not specified, link aggregation will only load balance unicast packets
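The practical consequence of brief versus extended hashing is easy to miss on a slide: in brief mode every flow between the same two IP addresses lands on the same member link, however many TCP sessions there are. The following Python model, added here as an illustration and not ALE code, makes that visible. It is not the OmniSwitch's real hash function (which is an assumption-free hardware detail this guide does not document); it uses CRC-32 over the selected header fields reduced modulo the number of member ports, which is enough to show the polarisation effect. The flows are constructed: client 5 opening 32 TCP sessions to client 7 over linkagg 78.

```python
"""Why `hash-control extended` spreads traffic better than `brief`.

Added example for this guide, not ALE code and not the OmniSwitch's real
hash: the member-link choice is modelled as CRC-32 over the selected header
fields, reduced modulo the number of ports in the aggregate. What carries
over to the real switch is the polarisation effect, not the exact link choice.
"""
import zlib
from collections import Counter

MEMBERS = ("1/1/23", "1/1/24")   # the two ports of linkagg 78 in the lab


def member_port(flow, members=MEMBERS, mode="extended"):
    """Pick the member port for one flow (src_ip, dst_ip, src_port, dst_port)."""
    src_ip, dst_ip, sport, dport = flow
    if mode == "brief":
        key = f"{src_ip}|{dst_ip}"                  # L3 addresses only
    elif mode == "extended":
        key = f"{src_ip}|{dst_ip}|{sport}|{dport}"  # adds the UDP/TCP ports
    else:
        raise ValueError(f"unknown hash mode {mode!r}")
    return members[zlib.crc32(key.encode()) % len(members)]


def distribution(flows, members=MEMBERS, mode="extended"):
    """Count how many flows land on each member port."""
    return Counter(member_port(f, members, mode) for f in flows)


# Constructed traffic: one host pair, 32 TCP sessions with different source
# ports, as a backup job or a browser talking to one server would generate.
FLOWS = [("192.168.57.105", "192.168.57.107", 40000 + i, 443) for i in range(32)]


if __name__ == "__main__":
    for mode in ("brief", "extended"):
        print(mode, dict(distribution(FLOWS, mode=mode)))
```

Run it and brief mode reports all 32 flows on a single port while extended mode splits them across both. The limit that remains in either mode is also visible in the code: one flow always hashes to one link, so a single large transfer never exceeds the bandwidth of one member port, and the non-ucast option above is what you need if multicast is the traffic you want spread.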
OmniSwitch AOS R8

Link Aggregation

How to
✓ This lab is designed to familiarize you with Dynamic link aggregation.

Contents
1 Topology ........................................................................................ 2
2 Link Aggregation – Dynamic between 6860’s .............................................. 2
2.1. Create a Dynamic Link Aggregation .............................................................. 2
2.2. Test the configuration ............................................................................. 4
3 Link Aggregation – Dynamic between 6860-A and 6900 VC .............................. 6
3.1. Create a Dynamic Link Aggregation .............................................................. 6
3.2. Test the configuration ............................................................................. 8
2
Link Aggregation

1 Topology
Link Aggregation provides the ability to combine multiple physical ports into a single logical port for added
throughput and redundancy; this can be done statically using OmniChannel or dynamically using the IEEE
802.3ad (LACP) protocol.

2 Link Aggregation – Dynamic between 6860’s

2.1. Create a Dynamic Link Aggregation


- Now, we will define a dynamic link aggregate, assign the group ID 78 and size it at 2 ports. Type on both
6860s, sw7 (6860-A) and sw8 (6860-B):

sw7 (6860-A) -> linkagg lacp agg 78 size 2 actor admin-key 78

sw8 (6860-B) -> linkagg lacp agg 78 size 2 actor admin-key 78

sw7 (6860-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
78 Dynamic 40000078 2 ENABLED DOWN 0 0

sw8 (6860-B) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
78 Dynamic 40000078 2 ENABLED DOWN 0 0

- Notice that no ports are associated yet. Ports are associated to a dynamic link aggregation through the actor
admin key, so let's associate the ports with it. Although in the above example the actor admin key matches the
link aggregation number, this is not a requirement: the admin key has local significance only.

sw7 (6860-A) -> linkagg lacp port 1/1/23-24 actor admin-key 78

sw8 (6860-B) -> linkagg lacp port 1/1/23-24 actor admin-key 78

- Now, connect the switches by activating linkagg interfaces :

sw7 (6860-A) -> interfaces 1/1/23-24 admin-state enable

sw8 (6860-B) -> interfaces 1/1/23-24 admin-state enable

- Check the result


sw7 (6860-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
78 Dynamic 40000078 2 ENABLED UP 2 2

sw8 (6860-B) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
78 Dynamic 40000078 2 ENABLED UP 2 2

sw7 (6860-A) -> show linkagg agg 78

Dynamic Aggregate
SNMP Id : 40000078,
Aggregate Number : 78,
SNMP Descriptor : Dynamic Aggregate Number 78 ref 40000078 size 2,
Name : ,
Admin State : ENABLED,
Operational State : UP,
Aggregate Size : 2,
Number of Selected Ports : 2,
Number of Reserved Ports : 2,
Number of Attached Ports : 2,
Primary Port : 1/1/23,
Port Selection Hash : Source Destination Ip,
Wait To Restore Time : 0 Minutes
LACP
MACAddress : [2c:fa:a2:0e:62:5c],
Actor System Id : [00:00:00:00:00:00],
Actor System Priority : 0,
Actor Admin Key : 78,
Actor Oper Key : 78,
Partner System Id : [00:00:00:00:00:00],
Partner System Priority : 0,
Partner Admin Key : 0,
Partner Oper Key : 78
sw8 (6860-B) -> show linkagg agg 78

Dynamic Aggregate
SNMP Id : 40000078,
Aggregate Number : 78,
SNMP Descriptor : Dynamic Aggregate Number 78 ref 40000078 size 2,
Name : ,
Admin State : ENABLED,
Operational State : UP,
Aggregate Size : 2,
Number of Selected Ports : 2,
Number of Reserved Ports : 2,
Number of Attached Ports : 2,
Primary Port : 1/1/23,
Port Selection Hash : Source Destination Ip,
Wait To Restore Time : 0 Minutes
LACP
MACAddress : [e8:e7:32:d4:84:20],
Actor System Id : [00:00:00:00:00:00],
Actor System Priority : 0,
Actor Admin Key : 78,
Actor Oper Key : 78,
Partner System Id : [00:00:00:00:00:00],
Partner System Priority : 0,
Partner Admin Key : 0,
Partner Oper Key : 78
Agg-Down/Violation Reason: None,

2.2. Test the configuration


- By default, the linkagg is associated with VLAN 1. To avoid carrying data on the default VLAN, assign another
default VLAN to it and an IP interface in that VLAN :

sw7 (6860-A) -> vlan 278


sw7 (6860-A) -> ip interface int_278 address 172.16.78.7/24 vlan 278
sw7 (6860-A) -> vlan 278 members linkagg 78 untagged

sw8 (6860-B) -> vlan 278


sw8 (6860-B) -> ip interface int_278 address 172.16.78.8/24 vlan 278
sw8 (6860-B) -> vlan 278 members linkagg 78 untagged

sw7 (6860-A) -> show vlan 278 members


port type status
----------+-----------+---------------
0/78 default forwarding

sw8 (6860-B) -> show vlan 278 members


port type status
----------+-----------+---------------
0/78 default forwarding

sw7 (6860-A) -> show ip interface


Total 4 interfaces
Flags (D=Directly-bound)

Name                             IP Address      Subnet Mask     Status Forward Device    Flags
--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CHAS1                        10.4.105.7      255.255.255.0   UP     NO      EMP
EMP-CMMA-CHAS1                   0.0.0.0         0.0.0.0         DOWN   NO      EMP
Loopback                         127.0.0.1       255.255.255.255 UP     NO      Loopback
int_278                          172.16.78.7     255.255.255.0   UP     YES     vlan 278

sw8 (6860-B) -> show ip interface


Total 4 interfaces
Flags (D=Directly-bound)

Name                             IP Address      Subnet Mask     Status Forward Device    Flags
--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CMMA-CHAS1                   0.0.0.0         0.0.0.0         DOWN   NO      EMP
Loopback                         127.0.0.1       255.255.255.255 UP     NO      Loopback
admin                            10.4.105.8      255.255.255.0   UP     YES     vlan 4001
int_278                          172.16.78.8     255.255.255.0   UP     YES     vlan 278

- Try to make a ping between both 6860


sw7 (6860-A) -> ping 172.16.78.8

PING 172.16.78.8 (172.16.78.8) 56(84) bytes of data.


64 bytes from 172.16.78.8: icmp_seq=1 ttl=64 time=12.4 ms
64 bytes from 172.16.78.8: icmp_seq=2 ttl=64 time=0.685 ms
64 bytes from 172.16.78.8: icmp_seq=3 ttl=64 time=0.771 ms
64 bytes from 172.16.78.8: icmp_seq=4 ttl=64 time=0.766 ms
64 bytes from 172.16.78.8: icmp_seq=5 ttl=64 time=0.710 ms
64 bytes from 172.16.78.8: icmp_seq=6 ttl=64 time=0.721 ms

--- 172.16.78.8 ping statistics ---


6 packets transmitted, 6 received, 0% packet loss, time 5001ms
rtt min/avg/max/mdev = 0.685/2.686/12.466/4.373 ms

- To demonstrate the redundancy capabilities, experiment with removing a link and monitor the results of
your ping tests.
Tips
You can use the command ping <dest_ip_address> count <number> to send more than 6 pings.
To break a ping sequence, press CTRL+C.
To simulate a link failure, you can bring down the corresponding interface :
interfaces chassis/slot/port admin-state disable (6860)

- Save the configuration


sw7 (6860-A) -> write memory

File /flash/working/vcsetup.cfg replaced.


File /flash/working/vcboot.cfg replaced.

sw8 (6860-B) -> write memory

File /flash/working/vcsetup.cfg replaced.


File /flash/working/vcboot.cfg replaced.

3 Link Aggregation – Dynamic between 6860-A and 6900 VC

3.1. Create a Dynamic Link Aggregation

- Now, we define a dynamic link aggregate on 6900-A and 6860-A, assign the group ID 17 and size it at 2
ports.
sw1 (6900-A) -> linkagg lacp agg 17 size 2 actor admin-key 17
sw1 (6900-A) -> linkagg lacp port 1/1/5 actor admin-key 17
sw1 (6900-A) -> linkagg lacp port 2/1/6 actor admin-key 17

sw1 (6900-A) -> show linkagg


Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
17 Dynamic 40000017 2 ENABLED DOWN 0 0

sw7 (6860-A) -> linkagg lacp agg 17 size 2 actor admin-key 17


sw7 (6860-A) -> linkagg lacp port 1/1/5 actor admin-key 17
sw7 (6860-A) -> linkagg lacp port 1/1/6 actor admin-key 17

sw7 (6860-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
17 Dynamic 40000017 2 ENABLED DOWN 0 0

- Now, connect the switches by activating the linkagg interfaces:


sw1 (6900-A) ->interfaces 1/1/5 admin-state enable
sw1 (6900-A) ->interfaces 2/1/6 admin-state enable

sw7 (6860-A) -> interfaces 1/1/5 admin-state enable


sw7 (6860-A) -> interfaces 1/1/6 admin-state enable

sw1 (6900-A) -> show linkagg agg 17 port

Chassis/Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim


-------------------+----------+--------+----------+----+-----+-----+----
1/1/5 Dynamic 1005 ATTACHED 17 UP UP YES
2/1/6 Dynamic 101006 ATTACHED 17 UP UP NO

sw7 (6860-A) -> show linkagg agg 17 port

Chassis/Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim


-------------------+----------+--------+----------+----+-----+-----+----
1/1/5 Dynamic 1005 ATTACHED 17 UP UP YES
1/1/6 Dynamic 1006 ATTACHED 17 UP UP NO

- Additional VLAN creation


o Currently, only VLAN 1 is bridged between 6900-A and 6860-A
o Change the default VLAN
sw1 (6900-A) -> vlan 217
sw1 (6900-A) -> ip interface int_217 address 172.16.17.1/24 vlan 217
sw1 (6900-A) -> vlan 217 members linkagg 17 untagged

sw1 (6900-A) -> show vlan 217 members


port type status
----------+-----------+---------------
0/17 default forwarding

sw1 (6900-A) -> show ip interface vlan 217


Total 1 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
int_217 172.16.17.1 255.255.255.0 UP YES vlan 217

sw7 (6860-A) -> vlan 217


sw7 (6860-A) -> ip interface int_217 address 172.16.17.7/24 vlan 217
sw7 (6860-A) -> vlan 217 members linkagg 17 untagged

sw7 (6860-A) -> show ip interface vlan 217


Total 1 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
int_217 172.16.17.7 255.255.255.0 UP YES vlan 217

sw7 (6860-A) -> show vlan 217 members


port type status
----------+-----------+---------------
0/17 default forwarding

- Check the result


sw1 (6900-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
17 Dynamic 40000017 2 ENABLED UP 2 2
sw7 (6860-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
17 Dynamic 40000017 2 ENABLED UP 2 2
78 Dynamic 40000078 2 ENABLED UP 2 2

3.2. Test the configuration

- Try to ping the 6900-A from the 6860-A


sw7 (6860-A) -> ping 172.16.17.1

- Save the configuration


sw1 (6900-A) -> write memory flash-synchro

sw7 (6860-A) -> write memory flash-synchro


OmniSwitch AOS R8

Link Aggregation

How to
✓ Create Dynamic Aggregation Links

Contents
1 Topology ........................................................................................ 2
2 Creating a Dynamic Link Aggregation ...................................................... 3
2.1. Creating a Dynamic Link Aggregation between the 6360 virtual chassis and the 6860-A 3
2.1.1. On the 6360 virtual chassis ................................................................................ 3
2.1.2. On the 6860-A ............................................................................................... 4

3 Testing the configuration .................................................................... 7



1 Topology
Link Aggregation provides the ability to combine multiple physical ports into a single logical port for added
throughput and redundancy. In this lab, you will create dynamic link aggregation using the IEEE 802.3ad (LACP)
protocol on AOS Release 8.
In this lab, you are going to create a new link aggregation between the 6360 Virtual Chassis and the 6860-A. The
link aggregation 78 (VLAN 278) has already been created between the two OS6860s in the network core.
Furthermore, for security reasons, the client wants to avoid using VLAN 1 (the default VLAN) for data. Thus, the
default VLAN on the link aggregation will be VLAN 57.

2 Creating a Dynamic Link Aggregation

2.1. Creating a Dynamic Link Aggregation between the 6360 virtual chassis and the 6860-A

2.1.1. On the 6360 virtual chassis

- Now, we will define a dynamic link aggregate, assign the group ID 7 and configure its size to 2:
sw5 (OS6360-A) -> linkagg lacp agg 7 size 2 actor admin-key 7

Notes: Actor Admin Key


The link aggregation number and ports are associated to a dynamic link aggregation using the actor admin key.
Although in the above example the actor admin key matches the link aggregation number, this is not a
requirement as the admin key has local significance only.

- Check the link aggregation status on the OS6360-A. Notice that no ports are associated to the link
aggregation 7 yet:

sw5 (6360-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
7 Dynamic 40000007 2 ENABLED DOWN 0 0

- Using the actor admin key assigned to the link aggregation, associate the ports 1/1/3 and 2/1/4 to the
linkagg 7:
sw5 (6360-A) -> linkagg lacp port 1/1/3 actor admin-key 7
sw5 (6360-A) -> linkagg lacp port 2/1/4 actor admin-key 7

- Enable the ports:


sw5 (6360-A) -> interfaces 1/1/3 admin-state enable
sw5 (6360-A) -> interfaces 2/1/4 admin-state enable

- Now 2 ports are linked to the link aggregation, but the link aggregation is still DOWN with 0 attached and
0 selected ports, because the configuration on the other side (on the 6860-A) has not been done yet: LACP
only selects a port once both ends agree.
sw5 (6360-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
7 Dynamic 40000007 2 ENABLED DOWN 0 0

sw5 (6360-A) -> show linkagg agg 7 port

Chassis/Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim


-------------------+----------+--------+----------+----+-----+-----+----

2.1.2. On the 6860-A

- Create the link aggregation 7:


sw7 (OS6860-A) -> linkagg lacp agg 7 size 2 actor admin-key 7

Notes: Actor Admin Key


The link aggregation number and ports are associated to a dynamic link aggregation using the actor admin key.
Although in the above example the actor admin key matches the link agg number, this is not a requirement as
the admin key has local significance only.

- Associate the port 1/1/3 and 1/1/4 to the link aggregation 7:


sw7 (OS6860-A) -> linkagg lacp port 1/1/3-4 actor admin-key 7

- Enable the ports:


sw7 (OS6860-A) -> interfaces 1/1/3-4 admin-state enable

- Check the link aggregation status on the OS6860-A:


sw7 (OS6860-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
7 Dynamic 40000007 2 ENABLED UP 2 2
17 Dynamic 40000017 2 ENABLED UP 2 2
78 Dynamic 40000078 2 ENABLED UP 2 2

Notes: Link Aggregation 17? 78?


On the 6860-A, 3 link aggregations are available: the new one you created (linkagg 7), plus 2 other link
aggregations (17 and 78) used to connect the switch to the 6900 and 6860-B (Core network part). These two
other aggregations have already been created on a previous lab or via a configuration download at the
beginning of the course depending on the course you are taking.

- Check the link aggregation properties on the 6860-A:


sw7 (6860-A) -> show linkagg agg 7

Dynamic Aggregate
SNMP Id : 40000007,
Aggregate Number : 7,
SNMP Descriptor : Dynamic Aggregate Number 7 ref 40000007 size 2,
Name : ,
Admin State : ENABLED,
Operational State : UP,
Aggregate Size : 2,
Number of Selected Ports : 2,
Number of Reserved Ports : 2,
Number of Attached Ports : 2,
Primary Port : 1/1/4,
Port Selection Hash : Source Destination Ip,
Wait To Restore Time : 0 Minutes
LACP
MACAddress : [2c:fa:a2:0e:62:49],
Actor System Id : [00:00:00:00:00:00],
Actor System Priority : 0,
Actor Admin Key : 7,
Actor Oper Key : 7,
Partner System Id : [00:00:00:00:00:00],
Partner System Priority : 0,
Partner Admin Key : 0,
Partner Oper Key : 7
Agg-Down/Violation Reason: None,

- Check the link aggregation properties on the 6360 Virtual Chassis:


sw5 (6360-A) -> show linkagg agg 7

Dynamic Aggregate
SNMP Id : 40000007,
Aggregate Number : 7,
SNMP Descriptor : Dynamic Aggregate Number 7 ref 40000007 size 2,
Name : ,
Admin State : ENABLED,
Operational State : UP,
Aggregate Size : 2,
Number of Selected Ports : 2,
Number of Reserved Ports : 2,
Number of Attached Ports : 2,
Primary Port : 2/1/4,
Port Selection Hash : Source Destination Ip,
Wait To Restore Time : 0 Minutes
LACP
MACAddress : [94:24:e1:7c:79:6f],
Actor System Id : [00:00:00:00:00:00],
Actor System Priority : 0,
Actor Admin Key : 7,
Actor Oper Key : 7,
Partner System Id : [00:00:00:00:00:00],
Partner System Priority : 0,
Partner Admin Key : 0,
Partner Oper Key : 7
Agg-Down/Violation Reason: None,

- By default, a link aggregation is associated with the VLAN 1 (default VLAN).


- For security reasons, the client wants to avoid using VLAN 1 as the network data VLAN. So, the VLAN
associated with link aggregation 7 must be modified:
o On the 6360-A:
sw5 (6360-A) -> vlan 57
sw5 (6360-A) -> vlan 57 members linkagg 7 untagged

sw5 (6360-A) -> show vlan 57 members


port type status
----------+-----------+---------------
0/7 default forwarding

o On the 6860-A:
sw7 (OS6860-A)-> vlan 57
sw7 (OS6860-A)-> vlan 57 members linkagg 7 untagged

sw7 (6860-A) -> show vlan 57 members


port type status
----------+-----------+---------------
0/7 default forwarding

3 Testing the configuration


In order to test the link aggregation, we will launch a ping between 2 clients connected on each side (Client 5
on the 6360 Virtual Chassis, Client 7 on the 6860-A), then we will simulate a failure on the link aggregation.

Infrastructure

- Put the Client 7 in the VLAN 57 (6860-A):

sw7 (OS6860-A) -> vlan 57 members port 1/1/1 untagged
sw7 (OS6860-A) -> interfaces 1/1/1 admin-state enable

- Put the Client 5 in the VLAN 57 (6360-A):

sw5 (OS6360-A) -> vlan 57 members port 1/1/1 untagged
sw5 (OS6360-A) -> interfaces 1/1/1 admin-state enable

Client 5
Double-click on VMware vSphere, select Client5 in the list, click on the Console tab, then double click on
Network Connections. Select the network connection "Pod", click on Internet Protocol (TCP/IP) and select
"Use the following IP address":
- IP address: 192.168.57.105
- Subnet mask: 255.255.255.0

Client 7
Double-click on VMware vSphere, select Client7 in the list, click on the Console tab, then double click on
Network Connections. Select the network connection "Pod", click on Internet Protocol (TCP/IP) and select
"Use the following IP address":
- IP address: 192.168.57.107
- Subnet mask: 255.255.255.0

- From client 5, launch a continuous ping (-t option) to the Client 7:


C:\Program Files […]\Tools> ping -t 192.168.57.107

- To demonstrate the redundancy capabilities, put a port (belonging to the link aggregation) down, and
monitor the results of your ping tests. The disabled port falls back to CONFIGURED with no aggregate, while
1/1/4 stays ATTACHED to linkagg 7 and carries the traffic alone:
sw7 (6860-A) -> interfaces 1/1/3 admin-state disable

sw7 (6860-A) -> show linkagg port

Chassis/Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim
-------------------+----------+--------+----------+----+-----+-----+----
1/1/3 Dynamic 1003 CONFIGURED NONE DOWN DOWN UNK
1/1/4 Dynamic 1004 ATTACHED 7 UP UP YES
1/1/5 Dynamic 1005 ATTACHED 17 UP UP YES
1/1/6 Dynamic 1006 ATTACHED 17 UP UP NO
1/1/23 Dynamic 1023 ATTACHED 78 UP UP YES
1/1/24 Dynamic 1024 ATTACHED 78 UP UP NO

- Once finished, reactivate the port 1/1/3:

sw7 (6860-A) -> interfaces 1/1/3 admin-state enable
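A failover that works silently is still a loss of redundancy, and on a switch with several aggregates a single missing port is easy to overlook in the table above. As an added example (not part of this guide and not ALE software), the following Python script parses the `show linkagg port` output in the column layout shown above, compares it with the membership the labs built on sw7 (6860-A), and reports ports that are not ATTACHED to the aggregate they should belong to as well as aggregates left with a single attached port. The sample output is constructed from the lab output with 1/1/3 administratively down; the expected membership table is taken from the labs.

```python
"""Check `show linkagg port` output against the expected membership.

Added example for this guide, not ALE code. It parses the column layout
shown above and reports ports that are not ATTACHED to the aggregate they
should belong to, plus aggregates that have lost their redundancy.
"""
from dataclasses import dataclass

# Constructed from the lab output above, with 1/1/3 administratively down.
SAMPLE_OUTPUT = """\
Chassis/Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim
-------------------+----------+--------+----------+----+-----+-----+----
1/1/3 Dynamic 1003 CONFIGURED NONE DOWN DOWN UNK
1/1/4 Dynamic 1004 ATTACHED 7 UP UP YES
1/1/5 Dynamic 1005 ATTACHED 17 UP UP YES
1/1/6 Dynamic 1006 ATTACHED 17 UP UP NO
1/1/23 Dynamic 1023 ATTACHED 78 UP UP YES
1/1/24 Dynamic 1024 ATTACHED 78 UP UP NO
"""

# Expected membership on sw7 (6860-A) after the labs above.
EXPECTED = {7: {"1/1/3", "1/1/4"}, 17: {"1/1/5", "1/1/6"}, 78: {"1/1/23", "1/1/24"}}


@dataclass(frozen=True)
class PortState:
    port: str
    status: str     # CONFIGURED, ATTACHED, ...
    agg: str        # aggregate number, or NONE when not attached
    oper: str
    link: str
    primary: str


def parse_linkagg_ports(text):
    """Return {port: PortState} from the text of `show linkagg port`."""
    states = {}
    for line in text.splitlines():
        cols = line.split()
        # the header splits into 9 tokens and the separator into 1: skip both
        if len(cols) != 8:
            continue
        port, _agg_type, _snmp_id, status, agg, oper, link, prim = cols
        states[port] = PortState(port, status, agg, oper, link, prim)
    return states


def check_membership(states, expected):
    """List every deviation from the expected membership, in a stable order."""
    problems = []
    for agg, ports in expected.items():
        attached = 0
        for port in sorted(ports):
            st = states.get(port)
            if st is None:
                problems.append(f"{port}: not listed in show linkagg port")
            elif st.status != "ATTACHED" or st.agg != str(agg):
                problems.append(f"{port}: {st.status} to agg {st.agg}, expected ATTACHED to {agg}")
            else:
                attached += 1
        if attached < 2:
            problems.append(f"agg {agg}: only {attached} attached port(s), no redundancy")
    return problems


if __name__ == "__main__":
    for problem in check_membership(parse_linkagg_ports(SAMPLE_OUTPUT), EXPECTED):
        print(problem)
```

Run against the sample it reports the disabled 1/1/3 and that linkagg 7 is down to one port; run periodically against real output (for instance over an SSH session to the switch) it turns the "ping kept working" observation of this lab into an alert that somebody should re-enable or replace the failed link.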
OmniSwitch AOS R8

802.1q

How To
✓ Apply 802.1q tagging on link aggregation and ports

Content
1 Topology ........................................................................................ 2
2 Enabling the 802.1Q Tagging ................................................................ 2
2.1. Tagging a Link ....................................................................................... 2
2.1.1. On the 6360 Virtual Chassis ............................................................................... 2
2.1.2. On the 6860-B ............................................................................................... 2
2.2. Creating Additional VLANs ........................................................................ 3
2.3. Configuring 802.1Q on Ports ...................................................................... 4
3 Testing the Configuration .................................................................... 6

1 Topology
In a Layer 2 environment, a port bridges traffic across the physical connection between switches. In an
IEEE 802.1Q environment, the default VLAN of the port is bridged untagged, and every other VLAN carried on
the port has the IEEE 802.1Q tag inserted so that the remote side can associate each frame with the proper VLAN.
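To make the tagging rule above concrete, here is an added Python example; it is not code from the lab guide or from AOS. It builds Ethernet frames with and without the 4-byte 802.1Q tag, parses the tag back out, and classifies ingress frames against a port configured like port 1/1/3 on the 6860-B later in this lab (default VLAN 58 untagged, VLANs 20 and 30 tagged). The MAC addresses and payload are constructed sample values.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; when vid is given, insert a 4-byte 802.1Q tag after the source MAC."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    tag = b""
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be in 1..4094")
        tci = (pcp & 0x7) << 13 | vid        # PCP (3 bits), DEI (1 bit, left at 0), VID (12 bits)
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None when untagged), ethertype and payload of an Ethernet II frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:              # a tag sits where the EtherType normally is
        (tci,) = struct.unpack("!H", frame[14:16])
        vid = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


# Port membership as printed by "show vlan members port 1/1/3" on the 6860-B in this lab:
# one default VLAN (bridged untagged) and VLANs 20 and 30 as qtagged members.
PORT_1_1_3 = {"default": 58, "qtagged": {20, 30}}


def classify_ingress(frame: bytes, port: dict) -> Optional[int]:
    """Associate an incoming frame with a VLAN the way an 802.1Q port does; None means it is discarded."""
    vid = parse_frame(frame)["vid"]
    if vid is None:
        return port["default"]               # untagged frame: belongs to the port's default VLAN
    if vid in port["qtagged"]:
        return vid                           # tagged with a VLAN configured on the port
    return None                              # tagged with a VLAN unknown on this port: dropped


# Constructed sample addresses (not taken from the lab).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("021122334455")
SAMPLE_PAYLOAD = b"\x45" + b"\x00" * 19      # minimal constructed IPv4 header bytes


def demo() -> dict:
    untagged = build_frame(DST, SRC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    tagged_20 = build_frame(DST, SRC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD, vid=20)
    tagged_40 = build_frame(DST, SRC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD, vid=40)
    return {
        "tag_overhead": len(tagged_20) - len(untagged),
        "untagged": classify_ingress(untagged, PORT_1_1_3),
        "vlan20": classify_ingress(tagged_20, PORT_1_1_3),
        "vlan40": classify_ingress(tagged_40, PORT_1_1_3),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints that the tag costs 4 bytes, that the untagged frame lands in VLAN 58, the VLAN 20 frame in VLAN 20, and that a frame tagged with a VLAN the port does not carry (40) is discarded, which is the behaviour to expect from the "qtagged" and "default" lines of the show vlan members output.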

2 Enabling the 802.1Q Tagging

2.1. Tagging a Link


In this part, we are going to configure the link between the 6360 Virtual Chassis and the 6860-B.

2.1.1. On the 6360 Virtual Chassis

- Activate the port 2/1/3 on the 6360 Virtual Chassis (linked to the 6860-B):
sw5 (6360-A) -> interfaces 2/1/3 admin-state enable

- Create the VLAN 58, then modify the VLAN on the port 2/1/3 from the default VLAN (VLAN 1) to VLAN
58:
sw5 (6360-A) -> vlan 58
sw5 (6360-A) -> vlan 58 members port 2/1/3 untagged

sw5 (6360-A) -> show vlan 58 member


port type status
----------+-----------+---------------
2/1/3 default inactive

2.1.2. On the 6860-B


- Activate the port 1/1/3 on the 6860-B (linked to the 6360 Virtual Chassis):
sw8 (6860-B) -> interfaces 1/1/3 admin-state enable

- Create the VLAN 58, then modify the VLAN on the port 1/1/3 from the default VLAN to VLAN 58:
sw8 (6860-B) -> vlan 58
sw8 (6860-B) -> vlan 58 members port 1/1/3 untagged

sw8 (6860-B) -> show vlan 58 members


port type status
----------+-----------+---------------
1/1/3 default forwarding

2.2. Creating Additional VLANs


Currently, only 2 VLANs are bridged:
- VLAN 57 between the 6860-A and the 6360 Virtual Chassis
- VLAN 58 between the 6860-B and the 6360 Virtual Chassis

- Create the VLANs 20 and 30 on the 3 switches (6360-A Virtual Chassis, 6860-A and 6860-B):
sw5 (6360-A) -> vlan 20
sw5 (6360-A) -> vlan 30

sw7 (6860-A) -> vlan 20
sw7 (6860-A) -> vlan 30

sw8 (6860-B) -> vlan 20
sw8 (6860-B) -> vlan 30

The gateway for the VLAN 20 will be created on the 6860-A.


The gateway for the VLAN 30 will be created on the 6860-B.

- Assign an IP interface to these two new VLANs on the corresponding switches:

sw7 (6860-A) -> ip interface int_20 address 192.168.20.7/24 vlan 20

sw8 (6860-B) -> ip interface int_30 address 192.168.30.8/24 vlan 30

- Check the configuration:


sw8 (6860-B) -> show ip interface
Total 6 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.8 255.255.255.255 UP YES Loopback0
admin 10.4.111.8 255.255.255.0 UP YES vlan 4001
int_278 172.16.78.8 255.255.255.0 UP YES vlan 278
int_30 192.168.30.8 255.255.255.0 DOWN NO vlan 30

sw7 (6860-A) -> show ip interface


Total 7 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CHAS1 10.4.111.7 255.255.255.0 UP NO EMP
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.7 255.255.255.255 UP YES Loopback0
int_20 192.168.20.7 255.255.255.0 DOWN NO vlan 20
int_217 172.16.17.7 255.255.255.0 UP YES vlan 217
int_278 197.16.78.7 255.255.255.0 UP YES vlan 278

- The IP interfaces status is DOWN. Why?


----------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------

2.3. Configuring 802.1Q on Ports


- Our VLAN 20 and VLAN 30 IP interfaces are currently down because the two VLANs have no members.
Remember, if a VLAN has no members, its IP interface is not only down but is also not advertised at
Layer 3.
- Normally, to have Layer 2 connectivity between the two switches for all three VLANs, three physical
links would be required. However, we will configure 802.1Q tagging to carry the data of all VLANs over
a single physical link.

- For now, no port has been assigned to either VLAN 20 or VLAN 30.
- Tag the VLANs 20 and 30 on the link between the 3 switches (in red on the diagram below):

sw5 (6360-A) -> vlan 20 members linkagg 7 tagged
sw5 (6360-A) -> vlan 30 members linkagg 7 tagged
sw5 (6360-A) -> vlan 20 members port 2/1/3 tagged
sw5 (6360-A) -> vlan 30 members port 2/1/3 tagged

sw7 (6860-A) -> vlan 20 members linkagg 78 tagged
sw7 (6860-A) -> vlan 30 members linkagg 78 tagged
sw7 (6860-A) -> vlan 20 members linkagg 7 tagged
sw7 (6860-A) -> vlan 30 members linkagg 7 tagged

sw8 (6860-B) -> vlan 20 members linkagg 78 tagged
sw8 (6860-B) -> vlan 30 members linkagg 78 tagged
sw8 (6860-B) -> vlan 20 members port 1/1/3 tagged
sw8 (6860-B) -> vlan 30 members port 1/1/3 tagged

- Check the VLAN-port association on each switch:


Note: the port statuses in the tables below depend on the STP root bridge election and may differ on your pod.

o On the 6360-A:
sw5 (6360-A) -> show vlan 20 members
port type status
----------+-----------+---------------
2/1/3 qtagged forwarding
0/7 qtagged forwarding

sw5 (6360-A) -> show vlan 30 members


port type status
----------+-----------+---------------
2/1/3 qtagged forwarding
0/7 qtagged forwarding

sw5 (6360-A) -> show vlan members port 2/1/3


vlan type status
--------+-----------+---------------
20 qtagged forwarding
30 qtagged forwarding
58 default forwarding

o On the 6860-A:
sw7 (6860-A) -> show vlan 20 members
port type status
----------+-----------+---------------
0/7 qtagged forwarding
0/78 qtagged forwarding

sw7 (6860-A) -> show vlan 30 members


port type status
----------+-----------+---------------
0/7 qtagged forwarding
0/78 qtagged forwarding

o On the 6860-B:
sw8 (6860-B) -> show vlan 20 members
port type status
----------+-----------+---------------
1/1/3 qtagged blocking
0/78 qtagged forwarding

sw8 (6860-B) -> show vlan 30 members


port type status
----------+-----------+---------------
1/1/3 qtagged blocking
0/78 qtagged forwarding

sw8 (6860-B) -> show vlan members port 1/1/3


vlan type status
--------+-----------+---------------
20 qtagged blocking
30 qtagged blocking
58 default forwarding

If we take, for example, the port 1/1/3 on the 6860-B, we can see that it is carrying tagged information for
VLANs 20 and 30 and bridging the VLAN 58.

Reminder
A physical port always has one VLAN (the default VLAN for the port) that bridges traffic untagged (Layer 2).

3 Testing the Configuration


Let's see what happens when we modify the Client VM IP addresses, move them to VLAN 20 and VLAN 30,
and ping them from each other.

- Let’s assign the port of each Client VM to the appropriate VLAN, and modify their IP addresses as
described below:
o Client 5:
sw5 (6360-A) -> vlan 20 members port 1/1/1 untagged
sw5 (6360-A) -> interfaces 1/1/1 admin-state enable
sw5 (6360-A) -> show vlan members port 1/1/1
vlan type status
--------+-----------+---------------
20 default forwarding

Modify the IP information of client 5 to match the following:


IP Address: 192.168.20.105
Mask: 255.255.255.0
Default Gateway: 192.168.20.7 (VLAN 20 IP Interfaces)

o Client 6:
sw5 (6360-A) -> vlan 30 members port 2/1/1 untagged
sw5 (6360-A) -> interfaces 2/1/1 admin-state enable
sw5 (6360-A) -> show vlan members port 2/1/1
vlan type status
--------+-----------+---------------
30 default forwarding

Modify the IP information of client 6 to match the following:


IP Address – 192.168.30.106
Mask – 255.255.255.0
Default Gateway – 192.168.30.8 (VLAN 30 IP Interfaces)

- Check that the Client 5 (VLAN 20) can reach its gateway (ping 192.168.20.7)
- Check that the Client 6 (VLAN 30) can reach its gateway (ping 192.168.30.8)

- How do the Client VMs exchange traffic with each other (Layer 2 or Layer 3)?
-----------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------

- Are packets being bridged? Routed? Both?
-----------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------

- Save the configuration and copy running to certified on all the managed switches:

sw7 (6860-A) -> write memory flash-synchro
sw8 (6860-B) -> write memory flash-synchro
sw5 (6360-A) -> write memory flash-synchro
OmniSwitch R8
Spanning Tree

Objectives
Spanning Tree

At the end of this module, you will be able to:


• Understand the implementation of Spanning Tree
on AOS-based switches
– STP modes
– STP protocols
• Learn how to implement
– 1x1 and FLAT mode
– Spanning Tree Protocol 802.1D/802.1w
STP reminder

• GOAL
- Self-configuring algorithm that maintains a loop-free topology on a network
- Helps to provide data path redundancy and network scalability
• HOW IT WORKS
- Supports two Spanning Tree operating modes:
  - flat (single STP instance per switch)
  - per-VLAN (single STP instance per VLAN; the default on OmniSwitch)
- Supports three Spanning Tree operating protocols:
  - STP: convergence time 50 secs
  - RSTP: convergence time < 1 sec
  - MSTP: convergence time < 1 sec

[Figure: three switches, all with priority 32768. SW-A (MAC@ aa) is the root bridge; its ports 1/1/1 and 1/1/2 are forwarding designated ports (F - DP). SW-B (MAC@ bb) and SW-C (MAC@ cc) each have a forwarding root port (F - RP) on 1/1/1 towards SW-A. On the link between SW-B (1/1/2) and SW-C (1/1/5), SW-B's side is F - DP and SW-C's side is BLK - ALT. Two smaller diagrams contrast flat mode, where SW-A and SW-B are joined by links 1/1/1, 1/1/2 and 1/1/3 carrying VLAN 1, 2 and 3 and the single instance marks links with X (blocked), with per-VLAN mode, where each VLAN runs its own instance on the same three links.]
STP reminder
• SPECIFICATION
• IEEE 802.1S - DEFAULT PORT PATH COSTS

16-bit Port Path Cost (PPC)            32-bit Port Path Cost (PPC)
Link Speed   IEEE Recom. Value (16 bit)  Link Speed   IEEE Recom. Value (32 bit)
10 Mbps      100                         10 Mbps      2,000,000
100 Mbps     19                          100 Mbps     200,000
1 Gbps       4                           1 Gbps       20,000
10 Gbps      2                           10 Gbps      2,000
STP reminder
• PER VLAN (1X1) - LOAD BALANCING

[Figure: three switches connected in a triangle, SW-A (MAC@ E8:E7:32:56:45:C4), SW-B (MAC@ E8:E7:32:CD:63:D3) and SW-C (MAC@ E8:E7:32:D4:85:0D), using ports 1/1/1, 1/1/2 and 1/1/5. The topology is drawn three times, labelled VLAN 20, VLAN 30 and VLAN 1, 20, 30. In each view one switch is lowered to priority 20000 (or all stay at the default 32768), so that a different switch is the ROOT BRIDGE and a different port is ALT - BLK: the blocked link changes with the VLAN and the links are load-balanced. The three "show spantree" outputs on the slide:]

-> show spantree
VLAN STP Protocol Priority
-----+--------+--------+--------------
1 ON RSTP 32768 (0x8000)
20 ON RSTP 20000 (0x4e20)
30 ON RSTP 32768 (0x8000)

-> show spantree
VLAN STP Protocol Priority
-----+--------+--------+--------------
1 ON RSTP 32768 (0x8000)
20 ON RSTP 32768 (0x8000)
30 ON RSTP 20000 (0x4e20)

-> show spantree
Spanning Tree Path Cost Mode : AUTO
VLAN STP Status Protocol Priority
-----+--------------- +--------+--------------
1 ON RSTP 32768 (0x8000)
20 ON RSTP 32768 (0x8000)
30 ON RSTP 32768 (0x8000)
STP CONFIGURATION
• STEP BY STEP
- Protocol selection
- Mode selection
- Bridge ID, Priority and Path Cost
- Set the path cost mode

STP CONFIGURATION
• STEP BY STEP

Protocol selection

 Select protocol

-> spantree [cist | vlan vlan_id] protocol {stp | rstp | mstp}

 Check the protocol selected:

-> show spantree


Spanning Tree Path Cost Mode : AUTO

VLAN STP Status Protocol Priority


-----+--------------- +--------+--------------
1 ON RSTP 32768 (0x8000)
20 ON RSTP 32768 (0x8000)
30 ON RSTP 32768 (0x8000)
STP CONFIGURATION
• STEP BY STEP

Mode Selection

 Select Mode

-> spantree mode {flat | per-vlan}

 Monitor

-> show spantree mode

Spanning Tree Global Parameters


Current Running Mode : Per VLAN,
Current Protocol : N/A (Per VLAN),
Path Cost Mode : AUTO,
Auto VLAN Containment : N/A
Cisco PVST+ mode : Disabled
VLAN Consistency check: Disabled
STP CONFIGURATION
• STEP BY STEP

Bridge ID, Priority and Path Cost

 Configure the bridge and port priority

spantree [cist | msti msti_id | vlan vlan_id] [port chassis/slot/port[-port2] | linkagg agg_id[-agg_id2]] priority priority

Ex : ->spantree vlan 20 priority 20000


A bridge or port priority value. The valid range for the bridge
priority is 0–65535.
Ex : ->spantree vlan 200 port 2/1/1 priority 15
The valid range for the port priority is 0–15.

If MSTP is the active flat mode protocol, enter a value that is a


multiple of 4096 (for example, 4096, 8192, 12288).
 Configure the path cost

spantree cist {port chassis/slot/port[-port2] | linkagg agg_id[-agg_id2]} path-cost path_cost

Path cost 0 -> 65535 for 16-bit


0 –> 200000000 for 32-bit - Default:0
STP CONFIGURATION
• STEP BY STEP

Spanning Tree Port Status

 Displays Spanning Tree port information

-> show spantree ports [forwarding | blocking | active | configured]

-> show spantree ports
VLAN Port Oper Status Path Cost Role Loop Guard Note
-----+-------+------------+---------+-------+----------+------
1 1/1/1 FORW 4 DESG DIS
1 1/1/2 DIS 0 DIS DIS

[Slide callout: port states Disabled, Blocking, Learning, Forwarding // Discarding; < 1 sec]

 Displays Spanning Tree bridge information for a per-VLAN mode VLAN instance

-> show spantree vlan [vlan_id]

-> show spantree 20 ports active
Spanning Tree Port Summary for VLAN 20
Oper Path Desig Prim. Op Op
Port St Cost Cost Role Port Cnx Edg Desig Bridge ID Note
------+----+-------+-------+----+------+---+---+----------------------+----
1/1/3 BLK 4 3 ALT 1/1/3 PTP NO 8000-e8:e7:32:cd:63:d3
1/1/4 FORW 4 0 ROOT 1/1/4 PTP NO 4E20-e8:e7:32:d4:85:0d
STP CONFIGURATION
• STEP BY STEP

Set the path cost mode

spantree path-cost-mode {auto | 32bit}

◼ 16-bit when STP/RSTP protocol is active

◼ 32-bit when MSTP protocol is active

-> spantree path-cost-mode auto

◼ 32-bit regardless of which protocol is active

-> spantree path-cost-mode 32bit


OmniSwitch AOS R8
Spanning Tree Protocol (STP)

How to
✓ Configure the Spanning Tree Protocol (STP) options on an OmniSwitch.

Contents
1 Topology ........................................................................................ 2
2 Managing the Spanning Tree Protocol ...................................................... 2
2.1. Changing the priority of the 6860-A ............................................................. 2
2.2. Identifying the port status ........................................................................ 2
2.3. Testing the redundancy ........................................................................... 6
3 Using the 1x1 Spanning Tree Mode ......................................................... 8
3.1. Configuring the Priority............................................................................ 9
3.2. Verifying the Configuration ....................................................................... 9
3.2.1. Verifying the VLAN 20 Configuration..................................................................... 9
3.2.2. Verifying the VLAN 30 Configuration................................................................... 11

1 Topology
The Spanning Tree Protocol (STP) is an important concept to understand in a bridged network.

2 Managing the Spanning Tree Protocol

2.1. Changing the priority of the 6860-A

- The customer wants the 6860-A to be the root bridge for VLAN 20 and VLAN 30.
To achieve this, lower the bridge priority of the 6860-A for both VLANs:
sw7 (6860-A) -> spantree vlan 20 priority 20000
sw7 (6860-A) -> spantree vlan 30 priority 20000

2.2. Identifying the port status


- Check the Spanning Tree Protocol Status for VLAN 20 on the 3 switches (6360, 6860-A and 6860-B):
o On the 6360-A:
sw5 (6360-A) -> show spantree vlan 20
Spanning Tree Parameters for Vlan 20
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : Per VLAN (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-94:24:e1:7c:82:1d,
Designated Root : 8000-2c:fa:a2:0e:62:3f,
Cost to Root Bridge : 3,
Root Port : Slot 0 Interface 7,
TxHoldCount : 3,
Topology Changes : 6,
Topology age : 02:56:49,
Last TC Rcvd Port : 2/1/3,
Last TC Rcvd Bridge : 8000-e8:e7:32:d4:84:03,
Current Parameters (seconds)

Max Age = 20,


Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

o On the 6860-A:
sw7 (6860-A) -> show spantree vlan 20
Spanning Tree Parameters for Vlan 20
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : Per VLAN (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-2c:fa:a2:0e:62:3f,
Designated Root : 8000-2c:fa:a2:0e:62:3f,
Cost to Root Bridge : 0,
Root Port : None,
TxHoldCount : 3,
Topology Changes : 5,
Topology age : 03:00:02,
Last TC Rcvd Port : Slot 0 Interface 7,
Last TC Rcvd Bridge : 8000-94:24:e1:7c:82:1d,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

o On the 6860-B:
sw8 (6860-B) -> show spantree vlan 20
Spanning Tree Parameters for Vlan 20
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : Per VLAN (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-e8:e7:32:d4:84:03,
Designated Root : 8000-2c:fa:a2:0e:62:3f,
Cost to Root Bridge : 3,
Root Port : Slot 0 Interface 78,
TxHoldCount : 3,
Topology Changes : 5,
Topology age : 03:01:19,
Last TC Rcvd Port : Slot 0 Interface 78,
Last TC Rcvd Bridge : 8000-2c:fa:a2:0e:62:3f,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

This gives you the configured STP parameters of VLAN 20. Notice the mode (Per VLAN or 1X1), meaning
each VLAN runs a separate STP instance.

Additionally, take note of the Bridge ID and the Designated Root. If they are the same, your switch is the
Root Bridge for VLAN 20.

According to the information retrieved from the commands above:

- The root bridge switch is the 6860-A.
- The 6860-B is at a cost of 3 from the root bridge switch; we can deduce that the root bridge is the
upstream neighbor on port 0/78 (linkagg).
- We can also deduce from the above output that our STP is relatively stable: it has been 03:01:19
since the last topology change (Topology age) and there have only been 5 topology changes.

By default, the bridge priority is 32768 (0x8000). Since all priorities are identical by default, the switch
with the lowest MAC address is selected as the root bridge (in this example, the 6860-A has the lowest
MAC address).
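The election rule just stated (lowest priority, then lowest MAC address) and the root port choice visible in the port summaries that follow can be reproduced in a few lines of Python. This is an added example, not code from the lab guide or from AOS. It uses the Bridge IDs and path costs printed in the lab outputs (3 on the link aggregations 0/7 and 0/78, 4 on the single port between the 6360-A and the 6860-B); its tie-breaking is a simplification of the 802.1D/802.1w rules, as the comment in the code says.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

DEFAULT_PRIORITY = 32768   # 0x8000, the default bridge priority


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                           # base MAC address, as printed in the AOS "Bridge ID" field
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self) -> Tuple[int, int]:
        """Comparison key of the Bridge ID: priority first, then the MAC as a 48-bit integer (lowest wins)."""
        return (self.priority, int(self.mac.replace(":", ""), 16))

    def bridge_id_str(self) -> str:
        """Render the Bridge ID the way AOS prints it, e.g. 8000-2c:fa:a2:0e:62:3f."""
        return f"{self.priority:04X}-{self.mac.lower()}"


def parse_bridge_id(text: str) -> Tuple[int, str]:
    """Split an AOS Bridge ID string such as 4E20-2c:fa:a2:0e:62:3f into (priority, mac)."""
    prio, mac = text.split("-", 1)
    return int(prio, 16), mac.lower()


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    """The root bridge is the bridge with the numerically lowest Bridge ID."""
    return min(bridges, key=Bridge.bridge_id)


def select_root_port(candidates: Dict[str, Tuple[int, int, Bridge]]) -> Tuple[str, int]:
    """Pick the root port of a non-root bridge.

    candidates maps a local port to (port path cost, root path cost advertised by the neighbour, neighbour).
    The lowest total cost wins; the neighbour's Bridge ID and then the port name break ties. This is a
    simplification of the 802.1D/802.1w rules, which also compare the designated port identifier.
    """
    def key(item):
        port, (port_cost, advertised_cost, neighbour) = item
        return (port_cost + advertised_cost, neighbour.bridge_id(), port)

    port, (port_cost, advertised_cost, _) = min(candidates.items(), key=key)
    return port, port_cost + advertised_cost


# The three lab switches, with the base MAC addresses printed in the lab outputs above.
SW5 = Bridge("6360-A", "94:24:e1:7c:82:1d")
SW7 = Bridge("6860-A", "2c:fa:a2:0e:62:3f")
SW8 = Bridge("6860-B", "e8:e7:32:d4:84:03")


def lab_election() -> Dict[str, str]:
    """VLAN 20 with everybody at the default priority; VLAN 30 with the 6860-B lowered to 20000 (part 3.1)."""
    vlan20 = [SW5, SW7, SW8]
    vlan30 = [SW5, SW7, Bridge(SW8.name, SW8.mac, priority=20000)]
    return {"vlan20": elect_root(vlan20).name, "vlan30": elect_root(vlan30).name}


def lab_root_ports() -> Dict[str, Tuple[str, int]]:
    """Root port choice of the two non-root bridges in VLAN 20 with the 6860-A as root.

    A neighbour's advertised cost is its own root path cost (0 for the root itself, 3 for a switch
    reached through a link aggregation), matching the "Desig Cost" column of the port summaries.
    """
    root = SW7
    sw8_port, sw8_cost = select_root_port({"0/78": (3, 0, root), "1/1/3": (4, 3, SW5)})
    sw5_port, sw5_cost = select_root_port({"0/7": (3, 0, root), "2/1/3": (4, 3, SW8)})
    return {"6860-B": (sw8_port, sw8_cost), "6360-A": (sw5_port, sw5_cost)}


if __name__ == "__main__":
    print(lab_election())      # the 6860-A wins VLAN 20 on MAC address, the 6860-B wins VLAN 30 on priority
    print(lab_root_ports())    # both non-root bridges pick the link aggregation towards the root at cost 3
```

Priority dominates the MAC address: a bridge with priority 4096 and the highest possible MAC still beats every bridge at 32768, which is why the lab only has to lower one switch's priority per VLAN to steer the election.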

- One port should be in blocking mode to prevent a loop:


sw5 (6360-A) -> show spantree vlan 20 port

Spanning Tree Port Summary for Vlan 20


Oper Path Desig Prim. Op Op Loop
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
2/1/3 FORW 4 3 DESG 2/1/3 PTP NO DIS 8000-94:24:e1:7c:82:1d
0/7 FORW 3 0 ROOT 2/1/4 PTP NO DIS 8000-2c:fa:a2:0e:62:3f

sw7 (6860-A) -> show spantree vlan 20 port

Spanning Tree Port Summary for Vlan 20


Oper Path Desig Prim. Op Op Loop
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
0/7 FORW 3 0 DESG 1/1/4 PTP NO DIS 8000-2c:fa:a2:0e:62:3f
0/78 FORW 3 0 DESG 1/1/23 PTP NO DIS 8000-2c:fa:a2:0e:62:3f

sw8 (6860-B) -> show spantree vlan 20 ports

Spanning Tree Port Summary for Vlan 20


Oper Path Desig Prim. Op Op Loop
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
1/1/3 BLK 4 3 ALT 1/1/3 PTP NO DIS 8000-94:24:e1:7c:82:1d
0/78 FORW 3 0 ROOT 1/1/23 PTP NO DIS 8000-2c:fa:a2:0e:62:3f

sw8 (6860-B) -> show spantree ports blocking


Vlan Port Oper Status Path Cost Role Loop Guard Note
-----+-------+------------+---------+-------+----------+------
20 1/1/3 BLK 4 ALT DIS
30 1/1/3 BLK 4 ALT DIS

Also, notice that only one side of the link(s) has a port or link aggregation with the status BLK (blocking).
This ensures the neighbor(s) are still able to initiate a topology change in the event of a failure.
- Fill in the following diagrams:

For VLAN 20

For VLAN 30

- What determines which side of the link is blocking?

-----------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------

2.3. Testing the redundancy

- Put Client 8 in VLAN 20:

sw8 (6860-B) -> vlan 20 members port 1/1/1 untagged

Notes
The Client 5 is already in the VLAN 20. If not, type: sw5 (6360-A) -> vlan 20 members port 1/1/1 untagged

- Activate the interface:


sw8 (6860-B) -> interfaces 1/1/1 admin-state enable

- Configure the network interface of the Client 8 with the following information:
Client 8:
IP address = 192.168.20.108
Subnet mask = 255.255.255.0
Default Gateway = 192.168.20.7

- Start a continuous ping between clients connected across an uplink (e.g. between Client 8 and Client 5):
Client 8:
C:\> ping -t 192.168.20.105

- Once your ping is successful, remove the connection between the 6360 virtual Chassis and the 6860-A:
sw5 (6360-A) -> linkagg lacp agg 7 admin-state disable

- Relaunch the commands above, and notice how quickly Rapid STP recovers from a link failure:
sw7 (6860-A) -> show spantree vlan 20
Spanning Tree Parameters for Vlan 20
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : Per VLAN (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-2c:fa:a2:0e:62:3f,
Designated Root : 8000-2c:fa:a2:0e:62:3f,
Cost to Root Bridge : 0,
Root Port : None,
TxHoldCount : 3,
Topology Changes : 8,

Topology age : 00:00:58,


Last TC Rcvd Port : Slot 0 Interface 78,
Last TC Rcvd Bridge : 8000-e8:e7:32:d4:84:03,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

sw8 (6860-B) -> show spantree ports blocking


Vlan Port Oper Status Path Cost Role Loop Guard Note
-----+-------+------------+---------+-------+----------+------

sw7 (6860-A) -> show spantree vlan 20 ports


Spanning Tree Port Summary for Vlan 20
Oper Path Desig Prim. Op Op Loop
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
0/7 DIS 0 0 DIS 1/1/1 NS NO DIS 0000-00:00:00:00:00:00
0/78 FORW 3 0 DESG 1/1/23 PTP NO DIS 8000-2c:fa:a2:0e:62:3f

sw8 (6860-B) -> show spantree vlan 20 ports


Spanning Tree Port Summary for Vlan 20
Oper Path Desig Prim. Op Op Loop
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
1/1/1 FORW 4 3 DESG 1/1/1 PTP EDG DIS 8000-e8:e7:32:d4:84:03
1/1/3 FORW 4 3 DESG 1/1/3 PTP NO DIS 8000-e8:e7:32:d4:84:03
0/78 FORW 3 0 ROOT 1/1/23 PTP NO DIS 8000-2c:fa:a2:0e:62:3f

sw5 (6360-A) -> show spantree vlan 20 ports


Spanning Tree Port Summary for Vlan 20
Oper Path Desig Prim. Op Op Loop
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
1/1/1 DIS 0 0 DIS 1/1/1 NS NO DIS 0000-00:00:00:00:00:00
2/1/3 FORW 4 3 ROOT 2/1/3 PTP NO DIS 8000-e8:e7:32:d4:84:03
0/7 DIS 0 0 DIS 1/1/1 NS NO DIS 0000-00:00:00:00:00:00

- Has our Topology age changed?


-----------------------------------------------------------------------------------------------------------------------------------

- Has the Root port changed?


-----------------------------------------------------------------------------------------------------------------------------------

Tips
Remember that anytime there is a physical change, the STP will make the network infrastructure re-converge.

- What will happen when we reconnect the disconnected port?

-----------------------------------------------------------------------------------------------------------------------------

sw8 (6860-B) -> show spantree ports blocking


Vlan Port Oper Status Path Cost Role Loop Guard Note
-----+-------+------------+---------+-------+----------+------

sw5 (6360-A) -> linkagg lacp agg 7 admin-state enable

sw8 (6860-B) -> show spantree ports blocking


Vlan Port Oper Status Path Cost Role Loop Guard Note
-----+-------+------------+---------+-------+----------+------
20 1/1/3 BLK 4 ALT DIS
30 1/1/3 BLK 4 ALT DIS
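For monitoring, the outputs exchanged during this test can be parsed rather than read by eye. The following added Python example (not code from the lab guide or from AOS) parses "show spantree vlan N" and "show spantree vlan N ports" output, reports whether the switch is the root bridge, which port is the root port and which ports are blocking, and compares a port summary taken before and after the link aggregation was disabled. The sample outputs are copied from the 6360-A and 6860-B outputs above. On a production switch, a change of the Designated Root, of the root port or of the blocking set that nobody scheduled is what a network operator should alert on, because it means the Layer 2 topology moved.

```python
from typing import Dict, List, Optional


def parse_spantree_vlan(text: str) -> Dict[str, str]:
    """Turn the 'Key : value,' lines of 'show spantree vlan N' into a dict (values keep the AOS formatting)."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        for sep in (" : ", " = "):           # 'Bridge ID : ...' and 'Max Age = 20' both occur
            if sep in line:
                key, value = line.split(sep, 1)
                fields[key.strip()] = value.strip()
                break
    return fields


# Column order of the 'show spantree vlan N ports' table; the trailing Note column is usually empty.
PORT_COLUMNS = ("port", "oper_st", "path_cost", "desig_cost", "role",
                "prim_port", "op_cnx", "op_edg", "loop_guard", "desig_bridge_id")


def parse_port_summary(text: str) -> List[Dict[str, str]]:
    """Return one dict per row of the port summary; rows start after the dashed separator line."""
    rows: List[Dict[str, str]] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---"):
            in_table = True
            continue
        if not in_table or not line:
            continue
        fields = line.split()
        if len(fields) >= len(PORT_COLUMNS):
            rows.append(dict(zip(PORT_COLUMNS, fields)))
    return rows


def is_root_bridge(params: Dict[str, str]) -> bool:
    """A switch is the root bridge when its own Bridge ID equals the Designated Root."""
    return params["Bridge ID"] == params["Designated Root"]


def root_port(rows: List[Dict[str, str]]) -> Optional[str]:
    return next((r["port"] for r in rows if r["role"] == "ROOT"), None)


def blocked_ports(rows: List[Dict[str, str]]) -> List[str]:
    return sorted(r["port"] for r in rows if r["oper_st"] == "BLK")


def compare_snapshots(before: List[Dict[str, str]], after: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise what moved between two port summaries of the same VLAN on the same switch."""
    before_state = {r["port"]: r["oper_st"] for r in before}
    return {
        "root_port": (root_port(before), root_port(after)),
        "blocked": (blocked_ports(before), blocked_ports(after)),
        # ports that were forwarding or blocking before and are DIS now
        "ports_down": sorted(r["port"] for r in after
                             if r["oper_st"] == "DIS" and before_state.get(r["port"], "DIS") != "DIS"),
    }


# Sample outputs copied from the lab: the 6360-A before the failure, the 6860-B port view before the
# failure, and the 6360-A after 'linkagg lacp agg 7 admin-state disable'.
SW5_VLAN20 = """Spanning Tree Parameters for Vlan 20
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
Priority : 32768 (0x8000),
Bridge ID : 8000-94:24:e1:7c:82:1d,
Designated Root : 8000-2c:fa:a2:0e:62:3f,
Cost to Root Bridge : 3,
Root Port : Slot 0 Interface 7,
Current Parameters (seconds)
Max Age = 20,
Hello Time = 2
"""

SW5_PORTS_BEFORE = """Spanning Tree Port Summary for Vlan 20
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
2/1/3 FORW 4 3 DESG 2/1/3 PTP NO DIS 8000-94:24:e1:7c:82:1d
0/7 FORW 3 0 ROOT 2/1/4 PTP NO DIS 8000-2c:fa:a2:0e:62:3f
"""

SW5_PORTS_AFTER = """Spanning Tree Port Summary for Vlan 20
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
1/1/1 DIS 0 0 DIS 1/1/1 NS NO DIS 0000-00:00:00:00:00:00
2/1/3 FORW 4 3 ROOT 2/1/3 PTP NO DIS 8000-e8:e7:32:d4:84:03
0/7 DIS 0 0 DIS 1/1/1 NS NO DIS 0000-00:00:00:00:00:00
"""

SW8_PORTS_BEFORE = """Spanning Tree Port Summary for Vlan 20
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
1/1/3 BLK 4 3 ALT 1/1/3 PTP NO DIS 8000-94:24:e1:7c:82:1d
0/78 FORW 3 0 ROOT 1/1/23 PTP NO DIS 8000-2c:fa:a2:0e:62:3f
"""


def lab_report() -> Dict[str, object]:
    params = parse_spantree_vlan(SW5_VLAN20)
    return {
        "sw5_is_root": is_root_bridge(params),
        "sw5_root_port": params["Root Port"],
        "sw5_designated_root": params["Designated Root"],
        "sw8_blocked": blocked_ports(parse_port_summary(SW8_PORTS_BEFORE)),
        "sw5_failover": compare_snapshots(parse_port_summary(SW5_PORTS_BEFORE),
                                          parse_port_summary(SW5_PORTS_AFTER)),
    }


if __name__ == "__main__":
    for key, value in lab_report().items():
        print(f"{key}: {value}")
```

The failover summary shows the 6360-A moving its root port from the link aggregation 0/7 to the single port 2/1/3 while 0/7 goes DIS, and the blocking set staying empty on the 6360-A; a polling script that feeds fresh output into compare_snapshots at each interval gets the same view the lab asks you to derive by hand.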

3 Using the 1x1 Spanning Tree Mode


By default, an OmniSwitch uses the 1x1 or Per VLAN Spanning Tree mode. That means there’s a separate
instance of Spanning Tree for each VLAN.

As the default parameters are the same for each VLAN (base MAC address, link costs, etc.), the status of
each port is the same for each VLAN. To take advantage of the 1x1 mode and provide load balancing, it may
be necessary to modify the bridge priority so that the behavior is predictable.

For example, the following design is interesting because the blocked port is different for each VLAN:

Here, the 6360 VC is the access switch and the 6860s are core switches. The 6360 VC is dual-attached to
the 6860s to provide redundancy. The goal is to have one of the uplinks active for VLAN 20 and the other one
for VLAN 30.

3.1. Configuring the Priority


- To achieve this, change the priority of the 6860s to ensure that:
- The 6860-A is the root bridge for VLAN 20 (already done in part 2.1); restore the default priority for VLAN 30:
sw7 (6860-A) -> spantree vlan 30 priority 32768

- The 6860-B is the root bridge for VLAN 30:

Sw8 (6860-B)-> spantree vlan 30 priority 20000

3.2. Verifying the Configuration

3.2.1. Verifying the VLAN 20 Configuration


- Check the priority for the instance VLAN 20:
o On the 6860-A:
sw7 (6860-A) -> show spantree
Spanning Tree Path Cost Mode : AUTO
Vlan STP Status Protocol Priority
-----+----------+--------+--------------
1 ON RSTP 32768 (0x8000)
20 ON RSTP 20000 (0x4e20)
30 ON RSTP 32768 (0x8000)
57 ON RSTP 32768 (0x8000)
217 ON RSTP 32768 (0x8000)
278 ON RSTP 32768 (0x8000)
4094 OFF RSTP 32768 (0x8000)

sw7 (6860-A) -> show spantree vlan 20


Spanning Tree Parameters for Vlan 20
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : Per VLAN (1 STP per Vlan),
Priority : 20000 (0x4E20),
Bridge ID : 4E20-2c:fa:a2:0e:62:3f,
Designated Root : 4E20-2c:fa:a2:0e:62:3f,
Cost to Root Bridge : 0,
Root Port : None,
TxHoldCount : 3,
Topology Changes : 9,
Topology age : 00:14:48,
Last TC Rcvd Port : Slot 0 Interface 7,
Last TC Rcvd Bridge : 8000-94:24:e1:7c:82:1d,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2
----

sw7 (6860-A) -> show spantree vlan 20 ports


Spanning Tree Port Summary for Vlan 20
Oper Path Desig Prim. Op Op Loop
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
0/7 FORW 3 0 DESG 1/1/4 PTP NO DIS 4E20-2c:fa:a2:0e:62:3f
0/78 FORW 3 0 DESG 1/1/23 PTP NO DIS 4E20-2c:fa:a2:0e:62:3f

o On the 6860-B:
sw8 (6860-B) -> show spantree vlan 20
Spanning Tree Parameters for Vlan 20
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : Per VLAN (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-e8:e7:32:d4:84:03,
Designated Root : 4E20-2c:fa:a2:0e:62:3f,
Cost to Root Bridge : 3,
Root Port : Slot 0 Interface 78,
TxHoldCount : 3,
Topology Changes : 11,
Topology age : 00:16:44,
Last TC Rcvd Port : Slot 0 Interface 78,
Last TC Rcvd Bridge : 8000-2c:fa:a2:0e:62:3f,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

sw8 (6860-B) -> show spantree vlan 20 ports


Spanning Tree Port Summary for Vlan 20
Oper Path Desig Prim. Op Op Loop
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
1/1/1 FORW 4 3 DESG 1/1/1 PTP EDG DIS 8000-e8:e7:32:d4:84:03
1/1/3 BLK 4 3 ALT 1/1/3 PTP NO DIS 8000-94:24:e1:7c:82:1d
0/78 FORW 3 0 ROOT 1/1/23 PTP NO DIS 4E20-2c:fa:a2:0e:62:3f

o On the 6360:
sw5 (6360-A) -> show spantree vlan 20
Spanning Tree Status : ON,
Protocol : IEEE Rapid STP,
mode : Per VLAN (1 STP per Vlan),
Priority : 32768 (0x8000),
Bridge ID : 8000-94:24:e1:7c:82:1d,
Designated Root : 4E20-2c:fa:a2:0e:62:3f,
Cost to Root Bridge : 3,
Root Port : Slot 0 Interface 7,
TxHoldCount : 3,
Topology Changes : 16,
Topology age : 00:20:47,
Last TC Rcvd Port : Slot 0 Interface 7,
Last TC Rcvd Bridge : 8000-2c:fa:a2:0e:62:3f,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

sw5 (6360-A) -> show spantree vlan 20 ports


Spanning Tree Port Summary for Vlan 20
Oper Path Desig Prim. Op Op Loop
Port St Cost Cost Role Port Cnx Edg Guard Desig Bridge ID Note
-------+----+-------+-------+----+-------+---+---+------+----------------------+------
1/1/1 DIS 0 0 DIS 1/1/1 NS NO DIS 0000-00:00:00:00:00:00
2/1/3 FORW 4 3 DESG 2/1/3 PTP NO DIS 8000-94:24:e1:7c:82:1d
0/7 FORW 3 0 ROOT 2/1/4 PTP NO DIS 4E20-2c:fa:a2:0e:62:3f

3.2.2. Verifying the VLAN 30 Configuration


- Use the same commands as in the previous part to verify that the 6860-B is the root bridge switch for
the VLAN 30:
o On the 6860-B:
sw8 (6860-B) -> show spantree
sw8 (6860-B) -> show spantree vlan 30
sw8 (6860-B) -> show spantree vlan 30 ports

o On the 6860-A:
Sw7 (6860-A) -> show spantree
sw7 (6860-A) -> show spantree vlan 30
sw7 (6860-A) -> show spantree vlan 30 ports

o On the 6360-A (VC):


sw5 (6360-A) -> show spantree
sw5 (6360-A) -> show spantree vlan 30
sw5 (6360-A) -> show spantree vlan 30 ports
OmniSwitch R8
Dual-Home Links (DHL)

Objectives
Dual-Home Link (DHL)

At the end of this module, you will be able to:

• List the Dual-Home Link (DHL) advantages
• Identify the Dual-Home Link (DHL) specification per switch model
• Summarize the Dual-Home Link (DHL) configuration steps
Dual-Home Link reminder

[Figure: NORMAL STATE (BOTH LINKS UP) and FAILED STATE (ONE LINK DOWN). An access-layer switch running DHL is dual-homed to the aggregation or core layer; LinkA carries the LinkA VLANs and LinkB the LinkB VLANs, and after one link fails the remaining link carries the LinkA & LinkB VLANs.]

• GOAL
- High availability feature
- Provides fast failover between Core/Aggregation and Access switches without using STP

• HOW IT WORKS
- DHL Active-Active splits VLANs between two active links
- The forwarding status of each VLAN is modified by DHL to prevent network loops and maintain
connectivity to the core when one of the links
DHL Timers & MAC-Flushing

[Figure: NORMAL STATE (BOTH LINKS UP): aggregation or core layer, DHL access switch, LinkA VLANs on one link and LinkB VLANs on the other.]

• Pre-Emption timer
- Amount of time to wait before a failed link that has recovered can resume servicing VLANs
- 0 to 600 seconds

• MAC Address Flushing
- Spanning Tree is automatically disabled on DHL ports
- Problem: no topology change is signalled after a changeover of DHL links, so MAC address entries go stale
- 3 options are available to avoid stale MAC address entries:
- None (default): the stale MAC address entries are kept in the MAC table
- MVRP Enhanced:
  Joins only the VLANs that are mapped on the DHL link
  When a DHL link fails, the other link issues join messages with the « new » flag set
  When the DHL link recovers, the link issues new joins to re-establish connectivity
- RAW Flooding:
  Builds a list of the MAC addresses learned on non-DHL ports for all VLANs assigned to the DHL links
  Sends a broadcast frame with a source MAC address from that list on the redundant DHL link in case of failure, or on the primary link in case of recovery
MAC Address Flushing

[Figure, MVRP ENHANCED: SW1 (DHL) is dual-homed to SW2 and SW3 with VLAN 1 on one link and VLAN 2 on the other; on changeover SW1 sends an MVRP Join with the « New » flag for VLAN 2 on the remaining link.]

[Figure, RAW FLOODING: same topology; the MAC table entries (@MAC, Port, VLAN) for VLAN 2 on SW2 and SW3 are refreshed by a broadcast frame whose @SRC is taken from the list of MAC addresses learned on non-DHL ports.]
Dual-Home Link reminder
COMPARISON BETWEEN DIFFERENT SOLUTIONS

                    STP              802.3ad LACP     DHL Active-Active
Bandwidth           50%              100%             100%

The slide also rates the three solutions on link redundancy, switch redundancy and convergence time.
DHL CONFIGURATION

DHL Configuration
• Step by Step
- Create a DHL session
- Map LinkA/LinkB to ports or link aggregates
- Map the VLANs to LinkB
- Enable the DHL session
- Activate the “RAW” MAC-flushing or MVRP Enhanced

[Figure: SW1 with port 1/1/2 and Linkagg 1 as its two uplinks, LinkA and LinkB; LinkB: 30, LinkA: all the other VLANs.]

Create a DHL session
- Create the DHL session with a unique ID:
-> dhl 1

Map LinkA/LinkB to ports or link aggregates
- Identify 2 ports or link aggregates
- Map one to LinkA and the other one to LinkB
- Example with ports:
-> dhl 1 linka port 1/1/3 linkb port 1/1/4
- Example with link aggregates:
-> dhl 1 linka linkagg 1 linkb linkagg 2

Map the VLANs to LinkB
- Map a set of VLANs to LinkB; the other VLANs are automatically mapped to LinkA:
-> dhl 1 vlan-map linkb 30

Enable the DHL session
- Enable the DHL session (admin-state enable):
-> dhl 1 admin-state enable

Avoid stale MAC address entries
- Activate the “RAW” MAC-flushing or MVRP Enhanced:
-> dhl 1 mac-flushing raw
-> dhl 1 mac-flushing mvrp
OmniSwitch AOS R8

Dual Home Link Active-Active

How to
✓ Set up the high availability Dual-Home Link Active-Active feature.

Contents
1 Topology
2 Configuring the Prerequisites
2.1. Prerequisite: Creating a linkagg from 6360 VC to 6860-B
2.2. Assigning VLANs on the Link Aggregations
2.3. Tag the VLAN 20 and 30 on the link aggregation
2.4. Tag the VLAN 57 on the link aggregation 78
3 Configuring the DHL Active-Active link
3.1. DHL session Creation
4 DHL Active-Active Monitoring

1 Topology
The customer wants to configure the dual home link solution instead of STP.

Dual-Home Link (DHL) provides fast failover between core and edge switches without implementing Spanning
Tree.

A DHL Active-Active configuration consists of the following components:


- A DHL session. Only one session per switch is allowed.
- Two DHL links associated with the session (link A and link B).
- A physical switch port or a logical link aggregation (linkagg) ID is configurable as a DHL link.
- A group of VLANs (or pool of common VLANs) in which each VLAN is associated (802.1q tagged) with both
link A and link B.
- A VLAN-to-link mapping that specifies which of the VLANs each DHL link will service.

This mapping prevents network loops by designating only one active link for each VLAN, even though both links
remain active and are associated with each of the common VLANs.

When one of the 2 active DHL links fails or is brought down, the VLANs mapped to that link are then forwarded
on the remaining active link to maintain connectivity to the core. When the failed link comes back up, DHL
waits a configurable amount of time before the link resumes forwarding of its assigned VLAN traffic.

DHL linkA and linkB must belong to the same default VLAN.
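The VLAN-to-link mapping, failover and pre-emption hold described in this section and on the DHL Timers slide, modelled as an added Python example (hypothetical code, not AOS firmware or lab material). The session values are taken from the lab (linkagg 7 and 8, shown by AOS as ports 0/7 and 0/8; VLANs 20, 30, 57; LinkB map 30); the timing model and the loop check are assumptions.

```python
"""Model of a DHL Active-Active session (hypothetical code, not AOS firmware).

Every protected VLAN is tagged on both links, the vlan-map assigns some VLANs
to LinkB and the rest to LinkA, a failed link's VLANs move to the surviving
link, and a recovered link waits the pre-emption time before resuming them.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class DhlLink:
    name: str                               # "linka" or "linkb"
    port: str                               # AOS notation, e.g. "0/7" for linkagg 7
    up: bool = True
    recovered_at: Optional[float] = None    # time the link came back; None when not in hold


@dataclass
class DhlSession:
    session_id: int
    linka: DhlLink
    linkb: DhlLink
    protected_vlans: set        # VLANs 802.1q-tagged on both links
    linkb_vlan_map: set         # "dhl 1 vlan-map linkb ..."; the rest go to LinkA
    preempt_time: float = 30.0  # seconds, range 0-600, default 30
    admin_enabled: bool = False

    def other(self, link: DhlLink) -> DhlLink:
        return self.linkb if link is self.linka else self.linka

    def assigned(self, link: DhlLink) -> set:
        """VLANs this link services when both links are up."""
        if link is self.linkb:
            return self.protected_vlans & self.linkb_vlan_map
        return self.protected_vlans - self.linkb_vlan_map

    def in_preempt_hold(self, link: DhlLink, now: float) -> bool:
        """True while a recovered link is still waiting out the pre-emption timer."""
        return (link.up and link.recovered_at is not None
                and now - link.recovered_at < self.preempt_time)

    def active_vlans(self, link: DhlLink, now: float) -> set:
        """VLANs currently forwarded on `link` (the 'Active Vlans' line of show dhl)."""
        if not self.admin_enabled or not link.up or self.in_preempt_hold(link, now):
            return set()
        peer = self.other(link)
        if not peer.up or self.in_preempt_hold(peer, now):
            return set(self.protected_vlans)  # carry the peer's VLANs as well
        return self.assigned(link)

    def vlan_status(self, link: DhlLink, vlan: int, now: float) -> str:
        """Status column of 'show vlan <id> members' for this link."""
        if vlan not in self.protected_vlans:
            return "n/a"
        if not link.up:
            return "inactive"
        return "forwarding" if vlan in self.active_vlans(link, now) else "dhl-blocking"

    def loop_free(self, now: float) -> bool:
        """Sanity check: no protected VLAN may be forwarded on both links at once."""
        return not (self.active_vlans(self.linka, now) & self.active_vlans(self.linkb, now))

    def link_down(self, link: DhlLink) -> None:
        link.up, link.recovered_at = False, None

    def link_up(self, link: DhlLink, now: float) -> None:
        link.up, link.recovered_at = True, now


def lab_session() -> DhlSession:
    """Session 1 as in the lab, constructed from the 'show dhl 1' output."""
    s = DhlSession(1, DhlLink("linka", "0/7"), DhlLink("linkb", "0/8"),
                   protected_vlans={20, 30, 57}, linkb_vlan_map={30})
    s.admin_enabled = True  # dhl 1 admin-state enable
    return s


if __name__ == "__main__":
    s = lab_session()
    print("normal :", sorted(s.active_vlans(s.linka, 0)), sorted(s.active_vlans(s.linkb, 0)))
    s.link_down(s.linka)          # linkagg lacp agg 7 admin-state disable
    print("A down :", sorted(s.active_vlans(s.linka, 1)), sorted(s.active_vlans(s.linkb, 1)))
    s.link_up(s.linka, now=100)   # linkagg lacp agg 7 admin-state enable
    for t in (110, 131):          # inside and after the 30 s pre-emption hold
        print(f"t={t}  :", sorted(s.active_vlans(s.linka, t)),
              sorted(s.active_vlans(s.linkb, t)), "loop-free" if s.loop_free(t) else "LOOP")
```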

2 Configuring the Prerequisites

2.1. Prerequisite: Creating a linkagg from 6360 VC to 6860-B

- For the purpose of the lab, create a link aggregation between the 6360 VC and the 6860-B:
o 6360 VC
sw5 (6360-A) -> linkagg lacp agg 8 size 2 actor admin-key 8

sw5 (6360-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
7 Dynamic 40000007 2 ENABLED UP 2 2
8 Dynamic 40000008 2 ENABLED DOWN 0 0

sw5 (6360-A) -> linkagg lacp port 2/1/3 actor admin-key 8


ERROR: Port cannot be added to Linkagg, please remove other configuration on this port

- Remove the VLAN memberships from this port so that it can be added to the linkagg:

sw5 (6360-A) -> show vlan members port 2/1/3


vlan type status
--------+-----------+---------------
20 qtagged forwarding
30 qtagged forwarding
58 default forwarding

sw5 (6360-A) -> no vlan 58 members port 2/1/3


sw5 (6360-A) -> no vlan 20 members port 2/1/3
sw5 (6360-A) -> no vlan 30 members port 2/1/3
sw5 (6360-A) -> no vlan 58

sw5 (6360-A) -> show vlan members port 2/1/3


vlan type status
--------+-----------+---------------
1 default forwarding

sw5 (6360-A) -> linkagg lacp port 1/1/4 actor admin-key 8


sw5 (6360-A) -> linkagg lacp port 2/1/3 actor admin-key 8

sw5 (6360-A) -> interfaces 1/1/4 admin-state enable


sw5 (6360-A) -> interfaces 2/1/3 admin-state enable

o 6860-B
sw8 (6860-B) -> show vlan members port 1/1/3
vlan type status
--------+-----------+---------------
20 qtagged forwarding
30 qtagged forwarding
58 default forwarding

sw8 (6860-B) -> no vlan 58 members port 1/1/3

sw8 (6860-B) -> no vlan 20 members port 1/1/3

sw8 (6860-B) -> no vlan 30 members port 1/1/3

sw8 (6860-B) -> no vlan 58



sw8 (6860-B) -> linkagg lacp agg 8 size 2 actor admin-key 8

sw8 (6860-B) -> linkagg lacp port 1/1/3 actor admin-key 8


sw8 (6860-B) -> linkagg lacp port 1/1/4 actor admin-key 8

sw8 (6860-B) -> interfaces 1/1/3 admin-state enable


sw8 (6860-B) -> interfaces 1/1/4 admin-state enable

sw8 (6860-B) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
8 Dynamic 40000008 2 ENABLED UP 2 2
18 Dynamic 40000018 2 ENABLED UP 2 2
78 Dynamic 40000078 2 ENABLED UP 2 2

2.2. Assigning VLANs on the Link Aggregations


- Change the default VLAN on the link aggregation (the client does not want to use VLAN 1):

sw8 (6860-B) -> vlan 57


sw8 (6860-B) -> vlan 57 members linkagg 8 untagged

sw8 (6860-B) -> show vlan 57 members


port type status
----------+-----------+---------------
0/8 default forwarding
sw5 (6360-A) -> vlan 57 members linkagg 8 untagged

sw5 (6360-A) -> show vlan 57 members


port type status
----------+-----------+---------------
0/7 default forwarding
0/8 default forwarding

2.3. Tag the VLAN 20 and 30 on the link aggregation

sw5 (6360-A) -> vlan 20 members linkagg 8 tagged


sw5 (6360-A) -> vlan 30 members linkagg 8 tagged

sw5 (6360-A) -> show vlan 20 members


port type status
----------+-----------+---------------
1/1/1 default forwarding
0/7 qtagged forwarding
0/8 qtagged forwarding

sw5 (6360-A) -> show vlan 30 members


port type status
----------+-----------+---------------
2/1/1 default forwarding
0/7 qtagged forwarding
0/8 qtagged forwarding

sw8 (6860-B) -> vlan 20 members linkagg 8 tagged


sw8 (6860-B) -> vlan 30 members linkagg 8 tagged
sw8 (6860-B) -> show vlan 20 members
port type status
----------+-----------+---------------
1/1/1 default forwarding
0/8 qtagged blocking

sw8 (6860-B) -> show vlan 30 members


port type status
----------+-----------+---------------
0/8 qtagged forwarding

2.4. Tag the VLAN 57 on the link aggregation 78

sw8 (6860-B) -> vlan 57 members linkagg 78 tagged

sw8 (6860-B) -> show vlan 57 members


port type status
----------+-----------+---------------
0/8 default blocking
0/78 qtagged forwarding

sw7 (6860-A) -> vlan 57 members linkagg 78 tagged

sw7 (6860-A) -> show vlan 57 members


port type status
----------+-----------+---------------
0/7 default forwarding
0/78 qtagged forwarding

3 Configuring the DHL Active-Active link

3.1. DHL session Creation


- Configure a DHL session with the identifier 1 on the 6360-A (VC):
sw5 (6360-A) -> dhl 1

- Configure 2 links (link-A and link-B) for the DHL session:


sw5 (6360-A) -> dhl 1 linka linkagg 7 linkb linkagg 8

Notes
Spanning Tree is disabled on all the DHL enabled ports

- Map VLANs to link-B:


sw5 (6360-A) -> dhl 1 vlan-map linkb 30

- Enable the DHL session:


sw5 (6360-A) -> dhl 1 admin-state enable

4 DHL Active-Active Monitoring


- Display the global status of the DHL configuration:
sw5 (6360-A) -> show dhl
Legends: PE - Pre-Emption
Session Session Admin Oper PE MAC Active MAC
ID Name State State Time Flushing Flushing
(sec) Technique Technique
----------+---------------------------------+-------+------+-------+----------+--------------
1 DHL-1 up up 30 none none

Total number of sessions configured = 1

- Display information about the specific DHL session 1:


sw5 (6360-A) -> show dhl 1
DHL session name : DHL-1
Admin state : up,
Operational state : up,
Pre-emption time(sec) : 30,
Mac Flushing : none,
Active MAC flushing : none,
LinkB Vlan Map : 30,
Protected Vlans : 20 30 57
LinkA:
Port : 0/7,
Operational State : up,
Unprotected Vlans : none,
Active Vlans : 20 57
LinkB:
Port : 0/8,
Operational State : up,
Unprotected Vlans : none,
Active Vlans : 30

- Display information about a specific DHL link:


sw5 (6360-A) -> show dhl 1 linka
LinkA:
Port : 0/7,
Operational State : up,
Protected Vlans : 20 30 57,
Unprotected Vlans : none,
Active Vlans : 20 57

sw5 (6360-A) -> show dhl 1 linkb


LinkB:
Port : 0/8,
Operational State : up,
Protected Vlans : 20 30 57,
Unprotected Vlans : none,
Active Vlans : 30

- Display information about protected VLANs:


sw5 (6360-A) -> show vlan 20 members
port type status
----------+-----------+---------------
1/1/1 default forwarding
0/7 qtagged forwarding
0/8 qtagged dhl-blocking

sw5 (6360-A) -> show vlan 30 members


port type status
----------+-----------+---------------
2/1/1 default forwarding
0/7 qtagged dhl-blocking
0/8 qtagged forwarding

- Check the Client 5 configuration with the following parameters:


Client 5:

IP address = 192.168.20.105
Subnet mask = 255.255.255.0
Default Gateway = 192.168.20.7

- Activate the “RAW” MAC-Flushing method:


sw5 (6360-A) -> dhl 1 mac-flushing raw

- From Client 5, start a continuous ping to the VLAN 20 IP interface (created on the 6860-A):
C:\> ping -t 192.168.20.7

- VLAN 20 is dhl-blocking on link aggregation 8 to avoid a loop. Thus, the traffic goes from 6360-A to
6860-A via link aggregation 7:
sw5 (6360-A) -> show vlan 20 members
port type status
----------+-----------+---------------
1/1/1 default forwarding
0/7 qtagged forwarding
0/8 qtagged dhl-blocking

- Now disable the link aggregation 7 on the 6360-A while the ping is still running:

sw5 (6360-A) -> linkagg lacp agg 7 admin-state disable

- Did you notice any packet loss? ---------------------------------------------------------------------------------------

- Check VLAN 20 members:


sw5 (6360-A) -> show vlan 20 members
port type status
----------+-----------+---------------
1/1/1 default forwarding
0/7 qtagged inactive
0/8 qtagged forwarding

- Stop the ping and enable the link aggregation 7 on the 6360-A:
sw5 (6360-A) -> linkagg lacp agg 7 admin-state enable

- Check VLAN 20 members:


sw5 (6360-A) -> show vlan 20 members
port type status
----------+-----------+---------------
1/1/1 default forwarding
0/7 qtagged forwarding
0/8 qtagged dhl-blocking

Notes
It can take a few seconds for VLAN 20 to be forwarded back on link aggregation 8: when the failed link
comes back up, DHL waits a configurable amount of time (default: 30 secs) before the link resumes forwarding
its assigned VLAN traffic.

- Save configuration:
sw5 (6360-A) -> write memory flash-synchro
sw8 (6860-B) -> write memory flash-synchro
OmniSwitch R8
Virtual Router Redundancy Protocol (VRRP)

Objectives
Virtual Router Redundancy Protocol (VRRP)

At the end of this module, you will be able to:

• Describe the VRRP feature on AOS switches
• List the management steps to implement it
VRRP Reminder

VRRP reminder
• Goal
- Business continuity solution for default gateway redundancy
- Protocol for electing a switch as the master virtual router
- Dynamic failover of the forwarding responsibility if the Master becomes unavailable

• RFCs Supported
- RFC 2338 – Virtual Router Redundancy Protocol
- RFC 2787 – Definitions of Managed Objects for the Virtual

[Figure: a Master and a Backup router share one Virtual Router IP on the subnet; advertisements go to multicast 224.0.0.18; hosts use Default gateway = Virtual Router IP; Virtual MAC address: 00-00-5E-00-01-{VRID}.]

VRRP reminder
• Load balancing outgoing traffic

[Figure: two virtual routers on the same subnet. Virtual Router ID = 1: Master 1 on the first router, Backup 1 on the second. Virtual Router ID = 2: Backup 2 on the first router, Master 2 on the second. Some hosts use Def GW = VR 1 IP address, the others Def GW = VR 2 IP address.]

* Two virtual routers with their hosts splitting traffic between them
VRRP reminder
• VRRP Tracking
- Base set of tracking policies supported:
  ADDRESS
  IPV4-INTERFACE
  IPV6-INTERFACE
  PORT
  VLAN

[Figure: Virtual Router ID = 1 on VLAN 20 (int_20). R1 is Master 1 with Pri = 100 and R2 is Backup 1 with Pri = 80. When the tracked port 1/1/3 on R1 goes down, R1 becomes Backup 1 with Pri = 70 and R2 becomes Master 1 with Pri = 80; the default route follows the new master.]
VRRP Configuration steps

VRRP – Basic configuration step
• Step by step
- Create a VRRP virtual router for IP addresses:
ip vrrp 1 interface int_20
- Specify an IP address for the virtual router:
ip vrrp 1 interface int_20 address 192.168.20.254
- Enable the virtual router:
ip vrrp 1 interface int_20 admin-state enable
- Monitor the result:
show ip vrrp
show ip vrrp 1
show ip vrrp statistics

* At least two virtual routers must be configured on the LAN: a master router and a backup router.

VRRP – Full configuration step
• Step by step
- Create a VRRP virtual router for IP addresses
- Configure the virtual router priority
  Role of each router
  Selection of backup routers
- Set preemption
  Allowed by default
  May be disabled with “no preempt”
- Configure the advertisement interval
  In VRRP version 2, virtual routers (same VRID) may be configured to use the same interval value
ip vrrp 1 interface int_20 priority 100 preempt interval 100
- Specify an IP address for the virtual router:
ip vrrp 1 interface int_20 address 192.168.20.254
- Enable the virtual router:
ip vrrp 1 interface int_20 admin-state enable

VRRP – Creating VRRP Tracking Policies
• VRRP Tracking Policies
- Create a tracking policy ID (3), enabled for a port, an IP address or a VLAN
- Associate the tracking policy with a virtual router

[Figure: Virtual Router ID = 1 on VLAN 20 (int_20). R1 Master 1 Pri = 100, R2 Backup 1 Pri = 80; when the tracked port 1/1/3 on R1 goes down, R1 becomes Backup 1 Pri = 70 and R2 becomes Master 1 Pri = 80.]

-> ip vrrp track 3 admin-state enable priority 30 port 1/1/3
-> ip vrrp 1 interface int_20 track-association 3

-> ip vrrp track 4 admin-state enable priority 50 address 20.1.1.3
-> ip vrrp 6 interface ipv4-100 track-association 4
OmniSwitch AOS R8
Virtual Router Redundancy Protocol (VRRP)

How to
✓ Configure the VRRP protocol in Release 8

Contents
1 Topology
2 Configuring the VRRP
3 Configuring the Master / Backup

1 Topology
The Virtual Router Redundancy Protocol is a standard router redundancy protocol which provides redundancy by
eliminating the single point of failure inherent in a default route environment. The VRRP router which controls
the IP address associated with a virtual router is called the master router and is responsible for forwarding
virtual router advertisements. If the master router becomes unavailable, the highest priority backup router
transitions to the master state.

2 Configuring the VRRP


- Configure the VRRP for VLAN 20 and 30 on both 6860s:

o On 6860-A

sw7 (6860-A) -> show ip interface


Total 7 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CHAS1 10.4.111.7 255.255.255.0 UP NO EMP
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.7 255.255.255.255 UP YES Loopback0
---

int_20 192.168.20.7 255.255.255.0 UP YES vlan 20


int_217 172.16.17.7 255.255.255.0 UP YES vlan 217
int_278 197.16.78.7 255.255.255.0 UP YES vlan 278
---

sw7 (6860-A) -> ip interface int_30 address 192.168.30.7/24 vlan 30

sw7 (6860-A) -> show ip interface


Total 10 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CHAS1 10.4.105.7 255.255.255.0 UP NO EMP
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.7 255.255.255.255 UP YES Loopback0
---
int_20 192.168.20.7 255.255.255.0 UP YES vlan 20
int_217 172.16.17.7 255.255.255.0 UP YES vlan 217
int_278 172.16.78.7 255.255.255.0 UP YES vlan 278
int_30 192.168.30.7 255.255.255.0 UP YES vlan 30
---

sw7 (6860-A) -> ip vrrp 1 interface int_20


sw7 (6860-A) -> ip vrrp 1 interface int_20 address 192.168.20.254
sw7 (6860-A) -> ip vrrp 1 interface int_20 admin-state enable

Thu Nov 14 16:53:50 : vrrp_0 proto INFO message:


+++ Virtual router enabled IPv4 VRID=1

sw7 (6860-A) -> ip vrrp 2 interface int_30


sw7 (6860-A) -> ip vrrp 2 interface int_30 address 192.168.30.254
sw7 (6860-A) -> ip vrrp 2 interface int_30 admin-state enable

Thu Nov 14 16:56:45 : vrrp_0 proto INFO message:


+++ Virtual router enabled IPv4 VRID=2

o On 6860-B

sw8 (6860-B) -> show ip interface


Total 6 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.8 255.255.255.255 UP YES Loopback0
admin 10.4.111.8 255.255.255.0 UP YES vlan 4001
--
int_218 172.16.18.8 255.255.255.0 UP YES vlan 218
int_278 172.16.78.8 255.255.255.0 UP YES vlan 278
int_30 192.168.30.8 255.255.255.0 UP YES vlan 30

sw8 (6860-B) -> ip interface int_20 address 192.168.20.8/24 vlan 20

sw8 (6860-B) -> show ip interface


Total 9 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.8 255.255.255.255 UP YES Loopback0
---
int_20 192.168.20.8 255.255.255.0 UP YES vlan 20
int_218 172.16.18.8 255.255.255.0 UP YES vlan 218
int_278 172.16.78.8 255.255.255.0 UP YES vlan 278
int_30 192.168.30.8 255.255.255.0 UP YES vlan 30
---

sw8 (6860-B) -> ip vrrp 1 interface int_20


sw8 (6860-B) -> ip vrrp 1 interface int_20 address 192.168.20.254
sw8 (6860-B) -> ip vrrp 1 interface int_20 admin-state enable

Thu Nov 14 17:00:12 : vrrp_0 proto INFO message:


+++ Virtual router enabled IPv4 VRID=1

sw8 (6860-B) -> ip vrrp 2 interface int_30


sw8 (6860-B) -> ip vrrp 2 interface int_30 address 192.168.30.254
sw8 (6860-B) -> ip vrrp 2 interface int_30 admin-state enable

Thu Nov 14 17:01:54 : vrrp_0 proto INFO message:


+++ Virtual router enabled IPv4 VRID=2

- Check the VRRP status:


sw7 (6860-A) -> show ip vrrp 1
Virtual Router VRID = 1 on INTERFACE = int_20
Version = V2
Admin. Status = Enabled
Priority = 100
Preempt = Yes
Adv. Interval = 100
Virtual MAC = 00-00-5E-00-01-01
IP Address(es)

sw7 (6860-A) -> show ip vrrp 2


Virtual Router VRID = 2 on INTERFACE = int_30
Version = V2
Admin. Status = Enabled
Priority = 100
Preempt = Yes
Adv. Interval = 100
Virtual MAC = 00-00-5E-00-01-02
IP Address(es)
192.168.30.254

sw8 (6860-B) -> show ip vrrp 1


Virtual Router VRID = 1 on INTERFACE = int_20
Version = V2
Admin. Status = Enabled
Priority = 100
Preempt = Yes
Adv. Interval = 100
Virtual MAC = 00-00-5E-00-01-01
IP Address(es)
192.168.20.254

sw8 (6860-B) -> show ip vrrp 2


Virtual Router VRID = 2 on INTERFACE = int_30
Version = V2
Admin. Status = Enabled
Priority = 100
Preempt = Yes
Adv. Interval = 100
Virtual MAC = 00-00-5E-00-01-02
IP Address(es)
192.168.30.254

- In the steps above, we have created 2 VRRP instances, 1 and 2 (VRRP 1, VRRP 2), and associated them with
VLAN 20 and VLAN 30 respectively (VRRP 1 > VLAN 20, VRRP 2 > VLAN 30). We have then associated a virtual IP
address with each instance, 192.168.20.254 for VRRP 1 and 192.168.30.254 for VRRP 2, which both switches share.
- Also take note of the Virtual MAC address. This is the address that the router will use in the active state
for all the responses. This prevents end stations from having to re-ARP for their router in the event of a
failure:
sw7 (6860-A) -> show ip vrrp statistics
Checksum Errors : 0,
Version Errors : 0,
VRID Errors : 0

Interface
VRID Name State UpTime Become Master Adv. Rcvd
----+--------------------------------+----------+----------+-------------+----------
1 int_20 Master 98575 1 0
2 int_30 Master 81058 1 0

sw8 (6860-B) -> show ip vrrp statistics


Checksum Errors : 0,
Version Errors : 0,
VRID Errors : 0

Interface
VRID Name State UpTime Become Master Adv. Rcvd
----+--------------------------------+----------+----------+-------------+----------
1 int_20 Backup 44764 0 448
2 int_30 Backup 34581 0 346

- From the “statistics” command, we can see that the 6860-A is the active virtual router. Since all priorities
are equal, the lowest router ID is the selection criterion.
- The DHCP server has not been configured with these gateway addresses, so to perform this test we need
to switch back to static addresses by setting the gateway for clients 5 and 9.
- Now let's change our default gateway for clients 5 and 9:
Client 5:
IP address = 192.168.20.105
Subnet mask = 255.255.255.0
Default Gateway = 192.168.20.254
Client 9:
IP address = 192.168.30.109
Subnet mask = 255.255.255.0
Default Gateway = 192.168.30.254

- Check the table on the switches


sw5 (6360-A) -> show mac-learning port 1/1/1
Legend: Mac Address: * = address not valid,

Mac Address: & = duplicate static address,


Domain Vlan/SrvcId[ISId/vnId] Mac Address Type Operation Interface
------------+----------------------+-------------------+------------------+-------------+-----------------
VLAN 20 00:50:56:90:22:3c dynamic bridging 1/1/1

Total number of Valid MAC addresses above = 1

sw5 (6360-A) -> show mac-learning port 1/1/2


Legend: Mac Address: * = address not valid,

Mac Address: & = duplicate static address,


Domain Vlan/SrvcId[ISId/vnId] Mac Address Type Operation Interface
------------+----------------------+-------------------+------------------+-------------+-----------------
--------
VLAN 30 00:50:56:90:05:d4 dynamic bridging 1/1/2

Total number of Valid MAC addresses above = 1



Tips > MAC address table empty

If the MAC address table is empty, generate some traffic from the client connected to the switch (e.g. if the
6360 MAC address table is empty, launch a ping from Client 9 to its gateway, 192.168.30.8).

- From the client 5, try to ping the client 9:


C:\> ping 192.168.30.109

- Now check the content of the client 5 ARP cache:


C:\> arp -a

- Notice that the “Physical Address” which corresponds to the IP address 192.168.20.254 is the VRRP
virtual MAC address, 00-00-5E-00-01-01 (VRRP instance 1 > VLAN 20).
- Now start a continuous ping to the VRRP interface (192.168.20.254) from the client 5 …
C:\> ping -t 192.168.20.254

- … Then remove the master VRRP gateway (in this example 6860-A). We will simply reboot the switch
(don’t forget to save!):
6860-A -> write memory
6860-A -> reload from working no rollback-timeout

- Notice how quickly DHL switches from one link to the other, and how fast the Backup VRRP becomes
Master. Check the VRRP status on 6860-B:
sw8 (6860-B) -> show ip vrrp statistics
Checksum Errors : 0,
Version Errors : 0,
VRID Errors : 0

Interface
VRID Name State UpTime Become Master Adv. Rcvd
----+--------------------------------+----------+----------+-------------+----------
1 int_20 Master 6205571 1 62003
2 int_30 Master 6195388 1 61900

Tips > Pre-Emption


Once 6860-A has rebooted, notice that 6860-B remains the Master since we do not have the preempt option
enabled.

3 Configuring the Master / Backup


To manually configure which switch will be the Master and which will be the Backup, the priority of the VRRP instance
can be modified. The higher the value, the more likely that router is to be elected Master.

- To provide load balancing between both 6860, we will configure the 6860-A to be Master on VLAN 20, and
the 6860-B to be Master on VLAN 30.
- The default priority is 100. Let’s put a priority of 150 for VRRP 1 on 6860-A, and a priority of 150 for VRRP
2 on 6860-B:

Warning
THE VRRP INSTANCE MUST BE DISABLED BEFORE CHANGING THE PRIORITY

sw7 (6860-A) -> ip vrrp 1 interface int_20 admin-state disable


sw7 (6860-A) -> ip vrrp 1 interface int_20 priority 150
sw7 (6860-A) -> ip vrrp 1 interface int_20 admin-state enable
sw7 (6860-A) -> show ip vrrp statistics
Checksum Errors : 0,
Version Errors : 0,
VRID Errors : 0

Interface
VRID Name State UpTime Become Master Adv. Rcvd
----+--------------------------------+----------+----------+-------------+----------
1 int_20 Master 1895 1 3
2 int_30 Backup 112204 0 1122

sw8 (6860-B) -> ip vrrp 2 interface int_30 admin-state disable


sw8 (6860-B) -> ip vrrp 2 interface int_30 priority 150
sw8 (6860-B) -> ip vrrp 2 interface int_30 admin-state enable
sw8 (6860-B) -> show ip vrrp statistics
Checksum Errors : 0,
Version Errors : 0,
VRID Errors : 0

Interface
VRID Name State UpTime Become Master Adv. Rcvd
----+--------------------------------+----------+----------+-------------+----------
1 int_20 Backup 6356865 1 62164
2 int_30 Master 2228 1 3
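An added Python helper (not part of the lab or of AOS) that parses the 'show ip vrrp statistics' output from both 6860s, as displayed in sections 2 and 3, and flags any VRID that has no Master or more than one Master across the switches; it also derives the virtual MAC 00-00-5E-00-01-{VRID} shown by 'show ip vrrp'. The two sample outputs are constructed from the lab's; the third "rogue" sample and the error-counter check are assumptions.

```python
"""Audit 'show ip vrrp statistics' output from several switches (hypothetical
helper, not AOS). One Master per VRID is the expected state; zero or several
Masters for the same VRID is what a monitoring job should raise."""
import re
from collections import defaultdict

# Constructed samples modelled on the lab outputs after the priority change.
SW7_STATS = """\
Checksum Errors : 0,
Version Errors : 0,
VRID Errors : 0

Interface
VRID Name State UpTime Become Master Adv. Rcvd
----+--------------------------------+----------+----------+-------------+----------
1 int_20 Master 1895 1 3
2 int_30 Backup 112204 0 1122
"""
SW8_STATS = """\
Checksum Errors : 0,
Version Errors : 0,
VRID Errors : 0

Interface
VRID Name State UpTime Become Master Adv. Rcvd
----+--------------------------------+----------+----------+-------------+----------
1 int_20 Backup 6356865 1 62164
2 int_30 Master 2228 1 3
"""
# Constructed fault case: a third box also claims Master for VRID 1 and
# reports VRID errors (a misconfigured or unexpected VRRP speaker).
ROGUE_STATS = """\
Checksum Errors : 0,
Version Errors : 0,
VRID Errors : 7

Interface
VRID Name State UpTime Become Master Adv. Rcvd
----+--------------------------------+----------+----------+-------------+----------
1 int_20 Master 42 1 0
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(Master|Backup|Initialize)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
ERR_RE = re.compile(r"^\s*(Checksum|Version|VRID) Errors\s*:\s*(\d+)")


def parse_vrrp_statistics(text):
    """Return (rows, errors): one dict per VRID row, plus {kind: count} for the error lines."""
    rows, errors = [], {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            vrid, name, state, uptime, became, adv = m.groups()
            rows.append({"vrid": int(vrid), "interface": name, "state": state,
                         "uptime": int(uptime), "become_master": int(became),
                         "adv_rcvd": int(adv)})
            continue
        m = ERR_RE.match(line)
        if m:
            errors[m.group(1).lower()] = int(m.group(2))
    return rows, errors


def virtual_mac(vrid):
    """IPv4 VRRP virtual MAC as printed by 'show ip vrrp' (00-00-5E-00-01-{VRID})."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00-00-5E-00-01-{vrid:02X}"


def switches_reporting_errors(outputs):
    """Names of switches whose statistics show non-zero checksum/version/VRID errors."""
    return sorted(sw for sw, text in outputs.items()
                  if any(parse_vrrp_statistics(text)[1].values()))


def audit_vrrp(outputs):
    """outputs: {switch name: statistics text}. Returns {vrid: summary}, with
    status 'ok' (exactly one Master), 'no-master' or 'multiple-masters'."""
    per_vrid = defaultdict(lambda: {"interface": None, "masters": [], "backups": []})
    for switch, text in outputs.items():
        for row in parse_vrrp_statistics(text)[0]:
            entry = per_vrid[row["vrid"]]
            entry["interface"] = row["interface"]
            entry["masters" if row["state"] == "Master" else "backups"].append(switch)
    for vrid, entry in per_vrid.items():
        n = len(entry["masters"])
        entry["status"] = "ok" if n == 1 else ("no-master" if n == 0 else "multiple-masters")
        entry["virtual_mac"] = virtual_mac(vrid)
    return dict(per_vrid)


if __name__ == "__main__":
    lab = {"6860-A": SW7_STATS, "6860-B": SW8_STATS}
    for vrid, e in sorted(audit_vrrp(lab).items()):
        print(vrid, e["interface"], e["virtual_mac"], e["status"], "master:", e["masters"])
    print("with rogue:", audit_vrrp({**lab, "rogue": ROGUE_STATS})[1]["status"],
          "errors on:", switches_reporting_errors({**lab, "rogue": ROGUE_STATS}))
```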
OmniSwitch R8
Consistent AOS Network Security

Objectives
Use the Advanced AOS Security mechanisms in order to
protect the core network as well as data

At the end of this module, you will be able to:


• Understand and implement the following features
– DOS Protection
– UDP Relay
– ARP poisoning
– Port Mapping
– Storm Control
– Learned Port Security
DOS Protection
DOS Filtering
• Ability to filter the following DoS attacks:
- Ping of Death, SYN attack, Land attack, Teardrop, Bonk, Boink, Pepsi
- Detect ARP flooding
  QoS rate-limits ARP packets to the CPU
- Detect any packet with an invalid source or destination IP address
  A packet matching specific criteria will be marked as “Invalid-IP”
- Detect Multicast IP and MAC address mismatch
- Detect Ping overload
  The system measures the rate of ICMP requests received over a period of 5 seconds, and detects a DoS attack if the measured rate
  exceeds 100 pkts/sec
- Detect packets received with a source address of 127.0.0.1
- Traps can be configured, or QM can be used to quarantine the device

• Ability to detect port scanning based on packet thresholds


UDP relay
Generic UDP Port Relay
• To enable UDP Relay for a specified UDP service port

-> ip udp relay port port_num [description description]

• To support service names and custom ports

-> ip udp relay service {tftp | tacacs | ntp | nbns | nbdd | dns} [description description]

• To specify a VLAN on which traffic destined for the specified UDP service port is forwarded
-> ip udp relay {service {tftp | tacacs | ntp | nbns | nbdd | dns} | port port_num
[description description]} vlan vlan_id[-vlan_id2]

• To specify the UDP server IP address to which traffic destined for a UDP port is forwarded as
unicast packets.
-> ip udp relay {service {tftp | tacacs | ntp | nbns | nbdd | dns} | port port_num [description
description]} address ip_address
Generic UDP Port Relay
• To display the generic UDP relay service configuration

-> show ip udp relay [service {tftp | tacacs | ntp | nbns | nbdd | dns} | port port_num]

• To display the current statistics for each UDP port relay service.

-> show ip udp relay statistics [service {tftp | tacacs | ntp | nbns | nbdd | dns}] [port
[port_num]]

-> show ip udp relay

Service Name Port IP Address Vlans Services
---------------------+------+----------------+---------+--------------------
DNS port 53 20
TFTP port 69

-> show ip udp relay statistics

Port Service Pkts Recvd Pkts Sent Dst Vlan/IP Address Svc
-----+--------------+---------------+-----------+----------------------+------------------
53 DNS port 0 0 20
69 TFTP port 0
ARP
ARP Defense Mechanism
• Prevents the CPU from receiving multiple unresolved next-hop requests

• Creates a drop-entry as soon as it attempts to resolve an ARP for the purpose of forwarding
traffic
- The entry is removed either:
  when the ARP is resolved, or
  after 12 attempts have been made, once every 5 secs (~1 minute)

• Duplicate requests received while the switch is attempting to resolve the ARP are dropped

- Avoids a CPU utilization climb that would destabilize the switch while the next hop is being resolved
ARP Poisoning Detection
• Detects the presence of an ARP-poisoning host on the network
- Identifies false ARP requests and unsolicited ARP replies from an attacker
- Sends out ARP Requests for certain configurable restricted addresses and its own interface addresses
- Replies to all ARP Requests for its IP interface address, but will not learn the ARP mapping of the source from such packets
- An ARP Reply is accepted only if the Switch originated a corresponding ARP Request
- Logs the event and sends a trap

ARP Poisoning Examples
1. ARP Poisoning by a host: a man in the middle that replies to all ARP Requests
2. ARP Requests from an Impersonation Attacker
3. Unsolicited ARP Replies from an Attacker (MAC Flooding)

THU JAN 24 16:34:38 : NS (123) alert message:
+++ +++++++++++++++++++++++++++++++++++++++++++++++
+++ ARPADDRESSSCAN source detected on 1/7...
+++ Trigger Operation...
+++ Interval Count Sensitivity
+++ ---------------------------------------------
+++ 5 5 50
+++ Traffic Statistics...
+++ Packet-Type Direction Count
+++ ---------------------------------------------
+++ ARP_REP OUT 0
+++ ARP_REQ IN 71
+++ +++++++++++++++++++++++++++++++++++++++++++++++
ARP Poisoning Detection
Adding an ARP Poison restricted address
• Maximum of two IP addresses per IP interface
-> ip dos arp-poison restricted-address 192.168.100.152

Displaying the number of attacks detected for configured ARP poison restricted-addresses
-> show ip dos arp-poison

IP Address           Attacks
--------------------+------------
192.168.1.1          0
192.168.1.2          0

WED JAN 30 16:15:35 : IP (15) info message:
+++ 1/0 ARP poisoning REPLY from 192.168.60.100.

-> show ip dos arp-poison

IP Address           Attacks
--------------------+------------
192.168.1.1          0
192.168.1.2          0
192.168.60.100       2
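To make the two ARP mechanisms above concrete, here is an added Python model (not AOS code) of the drop-entry logic and of the poisoning checks: the 5-second retry, the 12-attempt limit, the duplicate suppression and the "only solicited replies are accepted" rule come from the slides; treating any reply for a configured restricted address as an attack, and the log wording, are assumptions.

```python
"""Model of the ARP defense mechanism and ARP poisoning detection described
above. Added illustration, not AOS code: the retry timing and the
"accept only solicited replies" rule come from the slides; treating any reply
for a restricted address as an attack is an assumption."""
from dataclasses import dataclass, field

RETRY_INTERVAL = 5   # slide: one attempt every 5 secs
MAX_ATTEMPTS = 12    # slide: drop-entry removed after 12 attempts (~1 minute)


@dataclass
class DropEntry:
    """Created as soon as the switch starts resolving a next hop."""
    attempts: int = 1       # the first request goes out when the entry is created
    last_sent: float = 0.0


@dataclass
class ArpGuard:
    own_ips: set
    restricted: set                                  # arp-poison restricted-address
    pending: dict = field(default_factory=dict)      # next-hop ip -> DropEntry
    arp_table: dict = field(default_factory=dict)    # ip -> mac, learned bindings
    attacks: dict = field(default_factory=dict)      # restricted ip -> attack count
    events: list = field(default_factory=list)       # log / trap text
    requests_sent: list = field(default_factory=list)

    def __post_init__(self):
        self.attacks = {ip: 0 for ip in self.restricted}

    # --- ARP defense mechanism ---------------------------------------------
    def resolve(self, ip, now):
        """Forwarding needs the MAC of ip: returns 'cached', 'sent' or 'dropped'."""
        if ip in self.arp_table:
            return "cached"
        if ip in self.pending:
            return "dropped"   # duplicate while resolution is in progress
        self.pending[ip] = DropEntry(last_sent=now)
        self.requests_sent.append((now, ip))
        return "sent"

    def tick(self, now):
        """Retry every RETRY_INTERVAL seconds; give up after MAX_ATTEMPTS."""
        for ip, entry in list(self.pending.items()):
            if now - entry.last_sent < RETRY_INTERVAL:
                continue
            if entry.attempts >= MAX_ATTEMPTS:
                del self.pending[ip]
                self.events.append(f"arp: {ip} unresolved after {entry.attempts} attempts")
            else:
                entry.attempts += 1
                entry.last_sent = now
                self.requests_sent.append((now, ip))

    # --- ARP poisoning detection -------------------------------------------
    def probe(self, now):
        """Ask for the restricted addresses and our own interface addresses."""
        for ip in sorted(self.restricted | self.own_ips):
            self.requests_sent.append((now, ip))

    def on_request(self, sender_ip, sender_mac, target_ip, port):
        """Answer requests for our interfaces, never learn the requester's mapping."""
        if sender_ip in self.own_ips:   # somebody claims to be us
            self.events.append(f"{port} ARP poisoning REQUEST from {sender_mac} claiming {sender_ip}.")
            return False
        return target_ip in self.own_ips

    def on_reply(self, sender_ip, sender_mac, port):
        """Accept a reply only if this switch originated the matching request."""
        if sender_ip in self.own_ips:
            self.events.append(f"{port} ARP poisoning REPLY claiming own address {sender_ip}.")
            return False
        if sender_ip in self.restricted:
            # Assumption: no legitimate host owns a restricted address, so an
            # answer reveals a host replying to every ARP request it sees.
            self.attacks[sender_ip] += 1
            self.events.append(f"{port} ARP poisoning REPLY from {sender_ip}.")
            return False
        if sender_ip not in self.pending:
            self.events.append(f"{port} unsolicited ARP REPLY for {sender_ip} ignored.")
            return False
        self.arp_table[sender_ip] = sender_mac
        del self.pending[sender_ip]   # resolved: the drop-entry goes away
        return True


def scenario():
    """Constructed sequence: a silent next hop, then a host answering a restricted address."""
    g = ArpGuard(own_ips={"192.168.1.1"}, restricted={"192.168.100.152"})
    first = g.resolve("192.168.1.50", now=0)      # request sent, drop-entry created
    dup = g.resolve("192.168.1.50", now=1)        # duplicate suppressed
    for t in range(5, 70, 5):
        g.tick(t)
    attempts = len(g.requests_sent)               # 12 attempts, then entry removed
    gone = "192.168.1.50" not in g.pending
    g.probe(now=70)
    for _ in range(2):                            # a host replies to the bait address
        g.on_reply("192.168.100.152", "de:ad:be:ef:00:01", "1/7")
    unsolicited = g.on_reply("192.168.1.60", "00:00:00:00:00:60", "1/8")
    return first, dup, attempts, gone, g.attacks["192.168.100.152"], unsolicited
```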
Address Resolution Protocol (ARP)
The switch stores the hardware address in its ARP cache (ARP table)

The table contains a list of IP addresses and their corresponding MAC addresses

Entries in the table are used to translate 32-bit IP addresses into 48-bit Ethernet or IEEE 802.3
hardware addresses

Dynamic addresses remain in the table until they time out (default 300 sec.)

Static entries are permanent and are created using the IP address of the entry followed by its physical (MAC) address
-> arp 171.11.1.1 00:05:02:c0:7f:11

Use the alias keyword to specify that the switch will act as an alias (proxy) for this IP address.
-> arp 171.11.1.1 00:05:02:c0:7f:11 alias
Local Proxy ARP
Allows the network administrator to configure proxy functionality on the switch
Enables proxy ARP on a per VLAN basis
All ARP requests received on VLAN member ports are answered with the MAC address of the VLAN's virtual IP router port

[Figure: Normal ARP vs Local Proxy ARP, with Switch A, Switch B and Switch C, PC 1 (192.168.10.101) and PC 2 (192.168.10.102)]

-> ip interface name [address ip_address] [mask subnet_mask] [admin [enable | disable]] [vlan vid] [forward | no forward] [local-proxy-arp | no local-proxy-arp] [eth2 | snap] [primary | no primary]
Proxy ARP Filtering
Extended Proxy ARP Filtering
• Blocks the switch from providing ARP replies for the specified IP address(es).
• It is generally used in conjunction with the Local proxy ARP application
• By default, no ARP filters exist in the switch

-> arp filter ip_address [mask mask] [vid] [sender | target] [allow | block]
-> arp filter 198.0.0.0 mask 255.0.0.0 sender block

-> show arp filter


Port Mapping / MAC Forced Forwarding
Port Mapping
• Goal
- Defining 2 sets of ports & controlling the communication within each set
 Up to 8 Port Mapping sessions
 Ports can only belong to a single session - except uni-directional network ports

• Uni-directional
- User-port
 no direct user-to-user traffic
 only user-to-network
- Network-port
 network-to-user & network-to-network

• Bi-directional
- User-port
 no direct user-to-user traffic
 only user-to-network
- Network-port
 no direct network-to-network traffic
 only network-to-user

[Figure: Port Mapping Session 1 with User Ports 1/3/1, 1/3/2, 1/3/3, 1/3/4 and Network Ports 2/1/16, 2/1/17]
Platform Supported: Release 8
Port Mapping
• Creates a port mapping session with the user ports, network ports, or both user ports and network ports
-> port-mapping session_id [user-port {slot chassis/slot | chassis/slot/port[-port2] | linkagg agg_id}] [network-port {slot chassis/slot | chassis/slot/port[-port2] | linkagg agg_id}]

Examples
-> port-mapping 3 user-port 1/2/3 network-port 1/6/4
-> port-mapping 4 user-port 1/2/5-8
-> port-mapping 5 user-port 1/2/3 network-port slot 3

• Enables or disables a port mapping session
-> port-mapping session_id {enable | disable}

• Displaying the status of one or more port mapping sessions
-> show port-mapping [session_id] status

• Displaying the configuration of one or more port mapping sessions
-> show port-mapping [session_id]
MAC Forced Forwarding
• Described in RFC 4562
- Controls unwanted broadcast traffic and host-to-host communication
- Implements an ARP proxy function that prohibits MAC address resolution between hosts located within the same subnet but at different customer premises, and in effect directs all upstream traffic to an IP gateway providing IP connectivity between these same hosts

• Dynamic Proxy ARP uses:
- Port Mapping
- DHCP snooping
- Local proxy ARP

• Description
- Once a DHCP lease is offered to a L2 client, stores the router IP advertised in the DHCP ACK
- An ARP reply with the access router @MAC is sent for all subsequent ARP requests to the access router or to any other IPs in the same VLAN/subnet

[Figure: Access Router IP1 - MAC1 with DHCP Server; 1 - DHCP ACK, option 3 Router IP/Gateway = IP1; 2 - ARP Reply "IP1 is MAC1"; the Aggregation switch (Port Mapping user/network ports) holds the IP1-MAC1 mapping and answers Proxy ARP with MAC1; subnet 10.0.0.0/8; hosts IPA/MACA and IPB/MACB end up with ARP cache entries IPB -> MAC1 and IPA -> MAC1]
MAC Forced Forwarding - CLI/WebView
-> port-mapping 1 user-port 1/1/1-2 network-port linkagg 8
-> port-mapping 1 dynamic-proxy-arp enable
-> dhcp-snooping vlan 20 admin-state enable
-> port-mapping 1 enable

-> show port-mapping
SessionID   USR-PORT         NETWORK-PORT
-----------+----------------+------------------
1           1/1/1            0/8
1           1/1/2

-> show port-mapping status
SessionID   Direction   Status    Unknown Unicast   DPA Status
-----------+-----------+---------+-----------------+-----------
1           bi          enable    flood             enable

-> show ip dynamic-proxy-arp
Router IP          Vlan    Mac-Address           Port
------------------+-------+---------------------+---------------------
Storm Control
Storm Control
• Configures the flood rate settings on a single port, a range of ports, or an entire Network Interface (NI)
-> interfaces {slot chassis/slot | port chassis/slot/port[-port2]} flood-limit {bcast | mcast | uucast | all} rate {pps pps_num | mbps mbps_num | cap% cap_num | enable | disable | default} [low-threshold low_num]

• Configures the action on a single port or a range of ports when the port reaches the storm violated state
-> interfaces {slot chassis/slot | port chassis/slot/port[-port2]} flood-limit {bcast | mcast | uucast | all} action {shutdown | trap | default}
Learned Port Security
Learned Port Security
• Mechanism for controlling network device access on one or more switch ports
- Limit the amount of time source learning occurs on all LPS ports
- Limit the max number of L2 addresses that can be learned on a port (Dynamic or Static)
- Limit the L2 address learning for a specific period of time

• Supported on Fixed, Mobile, 802.1Q tagged, Authenticated, 802.1X
- Not supported on Link Aggregate ports

• Violation options
- Block only traffic that violates LPS port restrictions
-> authorized traffic is forwarded on the port
- Shutdown the port

• Steps to Configuring LPS:
- Enable LPS on a port
- Set the number of learned MACs
- Set the time limit for LPS
- Select the violation mode

[Figure: MAC-1 and MAC-2 on a port controlled by a MAC Limit or a MAC List]
Learned Port Security - Configuration
• Configuring LPS on a port
-> port-security port chassis/slot/port[-port2] [admin-state {enable | disable | locked}]

• locked disables all learning on the port. Existing MAC addresses are retained but no additional learning of addresses, except for static MAC addresses, is allowed

• Disabling LPS on a port
-> no port-security port chassis/slot/port

• In case of violation, two possible actions can be taken: filtering (restrict) or shutdown
-> port-security port chassis/slot/port violation {shutdown | restrict | discard}

- Shutdown: stops all traffic on the port after a violation
- Filtering (restrict): only stops traffic from the violating device
Learned Port Security
• Specifying the maximum number of source MAC addresses that an LPS port is allowed to learn
-> port-security port chassis/slot/port[-port2] maximum number

• Configures the amount of time, in minutes, to allow source learning on all LPS ports
-> port-security learning-window minutes

• Configuring the maximum number of filtered MAC addresses that can be learned on the LPS port(s)
-> port-security port chassis/slot/port[-port2] max-filtering number

• By default, the maximum number of MAC addresses allowed is 1
• By default, the maximum number of MAC addresses filtered is 5
• The default violation mode is restrict
Learned Port Security
• Configuring a list of authorized source MAC addresses
-> port-security port chassis/slot/port[-port2] mac-range [low mac_address | high mac_address]
- up to eight MAC ranges per port

• Converting the dynamically learned MAC addresses on the LPS port(s) to static MAC addresses
-> port-security {port chassis/slot/port[-port2] | chassis} convert-to-static

• The following set of commands enables LPS on port 1/1/1 and converts the dynamically learned MAC address of the currently attached device to static. When another device is connected to port 1/1/1, a violation occurs and the port is shut down

-> port-security port 1/1/1 admin-state enable
-> port-security port 1/1/1 maximum 1
-> port-security port 1/1/1 violation shutdown
-> port-security port 1/1/1 convert-to-static
Learned Port Security
• Displays Learned Port Security configuration and table entries
-> show port-security

Port : 1/1/15
Operation Mode : DISABLED,
Max Bridged MAC allowed : 1,
Max Filtered MAC allowed : 5,
Low End of MAC Range : 00:00:00:00:00:00,
High End of MAC Range : ff:ff:ff:ff:ff:ff,
Violation Setting : RESTRICT,

MAC                  VLAN   MAC TYPE
--------------------+------+-------------------
00:20:95:00:fa:5c    1      STATIC

• Clears all port violations on the switch for the given port
-> clear violation port {chassis/slot/port[-port2] | linkagg agg_id[-agg_id2]}
Learned Port Security - L2 Notification

• Provides notification of newly learned bridged MAC addresses after the port matches the
specified threshold amount
-> port-security port chassis/slot/port[-port2] learn-trap-threshold number

• Sends a trap for every MAC learned after the threshold is reached. It contains:
- MAC address
- Slot/Port
- VLAN
- Date & Time
OmniSwitch AOS R8
Learned Port Security

How to
✓ This lab is designed to familiarize yourself with the Learned Port Security feature.

Contents
1 Topology ........................................................................................ 2
2 Learned Port Security ........................................................................ 3
2.1. Configure the switch to learn maximum one mac address ................................... 3
2.2. Configure the switch port to accept the traffic only from currently attached device ... 4
2.3. Port violation........................................................................................ 5

1 Topology
The LPS feature is used in networks to prevent employees from using small basic switches or hubs in the enterprise network. This can greatly help IT staff to manage network security efficiently.
Learned Port Security provides controls over the source learning function on an OmniSwitch.

- On the 6860B, create client VLAN and assign interfaces

6860-B -> vlan 180


6860-B -> vlan 180 members port 1/1/1 untagged
6860-B -> ip interface int_180 address 192.168.180.8/24 vlan 180
6860-B -> interfaces 1/1/1 admin-state enable

- On the 6860-B, assign port 1/1/7 to vlan 180 and activate the interface:

6860-B -> vlan 180 members port 1/1/7 untagged


6860-B -> interfaces 1/1/7 admin-state enable

- Make sure that the 6560-B is reset to its default values.


- On the 6560-B, activate the interfaces 1/1/1 and 1/1/7, and assign an IP address to VLAN 1:

6560-B -> interfaces 1/1/1 admin-state enable


6560-B -> interfaces 1/1/7 admin-state enable
6560-B -> ip interface int_1 address 192.168.180.4/24 vlan 1

- Start client 4 and configure as below:


Client 4:
IP address = 192.168.180.50
Subnet mask = 255.255.255.0
Default Gateway = 192.168.180.4

- Try to ping the gateway (192.168.180.8) from client 4 and 6560-B.

- On the 6860-B, check the mac addresses learned on port 1/1/7:

6860-B -> show mac-learning port 1/1/7


Legend: Mac Address: * = address not valid,
Mac Address: & = duplicate static address,

Domain Vlan/SrvcId[ISId/vnId] Mac Address Type Operation Interface


------------+----------------------+-------------------+------------------+-------------+----------
VLAN 180 00:50:56:90:ac:77 dynamic bridging 1/1/7
VLAN 180 2c:fa:a2:aa:34:9f dynamic bridging 1/1/7
VLAN 180 2c:fa:a2:aa:34:ac dynamic bridging 1/1/7

Total number of Valid MAC addresses above = 3

Notes
In the example above, there are 3 MAC addresses: 1 from client 4 and 2 from the 6560. The 6560 uses a different MAC address for Layer 2 traffic such as LLDP or STP, and another one, the chassis base MAC address, for Layer 3 traffic associated with the VLAN 1 IP interface.

2 Learned Port Security

2.1. Configure the switch to learn maximum one mac address


By default, port security allows the switch to learn only a single MAC address and then binds that MAC address to the port. When the number of filtered MAC addresses learned on the port reaches the maximum, either the port is disabled (Shutdown Violation mode) or MAC address learning is disabled (Restrict Violation mode). By default, MAC address learning is disabled (filtering). When LPS is enabled on switch ports with a single MAC address, it prevents users from plugging a basic switch or hub into the network; please note that you can specify up to 100 MAC addresses to be learned per port by LPS.

- Enable LPS on port 1/1/7 of 6860-B:

6860-B -> port-security port 1/1/7 admin-state enable

- Once again try to ping the gateway from both client 3 and 6560 (it should fail).

- Display information about port security and learned mac addresses:

6860-B -> show port-security port 1/1/7


Port: 1/1/7
Admin-State : ENABLED,
Operation Mode : ENABLED,
Max MAC bridged : 1,
Trap Threshold : DISABLED,
Violation : RESTRICT,
Max MAC filtered : 5,
Low MAC Range : 00:00:00:00:00:00,
High MAC Range : ff:ff:ff:ff:ff:ff,
Violating MAC : NULL
MAC VLAN MAC TYPE OPERATION
-------------------------+--------+-----------------+-----------------
2c:fa:a2:aa:34:ac 180 dynamic bridging
2c:fa:a2:aa:34:9f 180 dynamic filtering
00:50:56:90:ac:77 180 dynamic filtering

6860-B -> show mac-learning port 1/1/7


Legend: Mac Address: * = address not valid,
Mac Address: & = duplicate static address,
Domain Vlan/SrvcId[ISId/vnId] Mac Address Type Operation Interface
------------+----------------------+-------------------+------------------+-------------+------------
VLAN 180 00:50:56:90:ac:77 dynamic filtering 1/1/7
VLAN 180 2c:fa:a2:aa:34:9f dynamic filtering 1/1/7
VLAN 180 2c:fa:a2:aa:34:ac dynamic bridging 1/1/7
Total number of Valid MAC addresses above = 3

- The first MAC address seen is bridged normally but the others are filtered. Layer 2 traffic has a better chance of being bridged than Layer 3 traffic.

- To ensure no Layer2 traffic, disable unnecessary protocols on 6560-B port 1/1/7:

6560-B -> spantree vlan 1 port 1/1/7 disable


6560-B -> show spantree ports active

6560-B -> lldp all chassis lldpdu disable


6560-B -> show lldp config

- To Flush the mac-address from the mac-learning table


6860-B -> mac-learning flush vlan 180 port 1/1/7 dynamic

- Now only 2 MAC addresses should remain: one from client 3 and one from the VLAN 1 IP interface of the 6560.
6860-B -> show mac-learning port 1/1/7
Legend: Mac Address: * = address not valid,

Mac Address: & = duplicate static address,

Domain Vlan/SrvcId[ISId/vnId] Mac Address Type Operation Interface


------------+----------------------+-------------------+------------------+-------------+-----------
VLAN 180 00:50:56:90:ac:77 dynamic bridging 1/1/7
VLAN 180 2c:fa:a2:aa:34:9f dynamic filtering 1/1/7

Total number of Valid MAC addresses above = 2

Notes
Here, the client 4 MAC address is bridged and the 6560-B's is filtered. Thus we can ping the gateway from client 4 but not from the 6560.

2.2. Configure the switch port to accept the traffic only from currently attached device
In order to allow only one dynamically learned MAC address on a switch LPS port (fixed ports only), we will use the convert-to-static parameter of port-security. The currently attached device's MAC address will be associated with this LPS port and one static entry will be created in the MAC address table. This means that only this device will be allowed on that port.
Please note that the device must be learned on the LPS port before entering the command port-security convert-to-static.
- To convert the dynamically learned MAC addresses to static addresses on a specific LPS port at any time, irrespective of the source learning time window, use the port-security convert-to-static command as shown below:
6860-B -> port-security port 1/1/7 convert-to-static

- Analyze carefully the output of the command shown below; you can see that the currently attached device's MAC address is learned on the specified port and the type of the entry is permanent (static).
6860-B -> show mac-learning port 1/1/7
Legend: Mac Address: * = address not valid,

Mac Address: & = duplicate static address,

Domain Vlan/SrvcId[ISId/vnId] Mac Address Type Operation Interface


------------+----------------------+-------------------+------------------+-------------+-----------
VLAN 180 00:50:56:90:ac:77 static bridging 1/1/7
VLAN 180 2c:fa:a2:aa:34:9f dynamic filtering 1/1/7

Total number of Valid MAC addresses above = 2



2.3. Port violation


By default, the port violation mode is restrict, which means traffic from unallowed MAC addresses is filtered. We can change it to shutdown, which means the port is shut down if more than one MAC address is seen, in our case.
- Configure the shutdown of the port in case of violation, and set the maximum number of filtered MAC addresses to 0 (which means the port will be shut down if more than 1 MAC address is learned on it).
6860-B -> port-security port 1/1/7 violation shutdown
6860-B -> port-security port 1/1/7 max-filtering 0
6860-B -> show port-security port 1/1/7
Port: 1/1/7
Admin-State : ENABLED,
Operation Mode : ENABLED,
Max MAC bridged : 1,
Trap Threshold : DISABLED,
Violation : SHUTDOWN,
Max MAC filtered : 0,
Low MAC Range : 00:00:00:00:00:00,
High MAC Range : ff:ff:ff:ff:ff:ff,
Violating MAC : NULL
MAC VLAN MAC TYPE OPERATION
-------------------------+--------+-----------------+-----------------
00:50:56:90:15:9d 170 static bridging

Notes
In the example above, the switch MAC address has aged out, so as only the client 3 MAC address is learned on the port, it is still forwarding.

- Try to ping the gateway again from both client 4 and 6560-B. You should see a warning message on the 6860-B:
Tue Feb 11 02:58:49 : AGCMM AG-Lps info message:
+++ AGCMM_INFO:(1392087529.552)lpsPortViolation[433]Port-security Violation on PORT 1/1/7 : Shutting down port

- By default, there’s a timer of 300 seconds to clear automatically the violation.


6860-B -> show violation
* = Link Agg ID
LAG ID/                                                     Recovery   Recovery
Port       Source     Action             Reason        WTR   Time       Max/Remain
----------+----------+------------------+-------------+-----+----------+-----------
1/1/7      AG         admin down         lps shutdown  0     300        10/10

- To change this value of 300 seconds, type :


6860-B -> show violation-recovery-configuration port 1/1/7
Global Violation Trap : Enabled
Global Recovery Maximum : 10
Global Recovery Time : 300
Port Recovery Max Recovery Time
----------+-------------+---------------
1/1/7 10 300
6860-B -> violation port 1/1/7 recovery-time 30
6860-B -> show violation-recovery-configuration port 1/1/7
Global Violation Trap : Enabled
Global Recovery Maximum : 10
Global Recovery Time : 300
Port Recovery Max Recovery Time
----------+-------------+---------------
1/1/7 10 30

- You may also manually recover from a violation :


6860-B -> clear violation port 1/1/7

- Finally, to disable port security, enter :


6860-B -> no port-security port 1/1/7
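The following Python model is an added illustration (not AOS code) of the Learned Port Security rules explained in the slides and exercised in the lab: one bridged MAC by default, up to five filtered MACs, restrict or shutdown on violation, dynamic flush and convert-to-static. The MAC addresses reused from the lab are only sample values; the log wording and the `show`-style table are assumptions.

```python
"""Model of the Learned Port Security behaviour described in the slides and
the lab above (added illustration, not AOS code): one bridged MAC by default,
up to five filtered MACs, restrict or shutdown on violation, convert-to-static."""
from dataclasses import dataclass, field


@dataclass
class LpsPort:
    name: str
    max_bridged: int = 1            # port-security port ... maximum (default 1)
    max_filtered: int = 5           # port-security port ... max-filtering (default 5)
    violation: str = "restrict"     # port-security port ... violation {restrict | shutdown}
    oper_up: bool = True
    violating_mac: str = ""
    table: dict = field(default_factory=dict)   # mac -> [type, operation]
    log: list = field(default_factory=list)

    def _count(self, operation):
        return sum(1 for _, op in self.table.values() if op == operation)

    def learn(self, mac):
        """Handle a frame whose source MAC is `mac` and report what the port does."""
        if not self.oper_up:
            return "port-down"
        if mac in self.table:
            return self.table[mac][1]
        if self._count("bridging") < self.max_bridged:
            self.table[mac] = ["dynamic", "bridging"]
            return "bridging"
        if self._count("filtering") < self.max_filtered:
            self.table[mac] = ["dynamic", "filtering"]
            return "filtering"
        # Both limits reached: a violation (assumed log text).
        self.violating_mac = mac
        if self.violation == "shutdown":
            self.oper_up = False
            self.log.append(f"Port-security Violation on PORT {self.name} : Shutting down port")
            return "shutdown"
        self.log.append(f"Port-security Violation on PORT {self.name} : learning disabled")
        return "dropped"    # restrict: port stays up, the extra MAC is never learned

    def flush_dynamic(self):
        """mac-learning flush ... dynamic: only static entries survive."""
        self.table = {m: e for m, e in self.table.items() if e[0] == "static"}

    def convert_to_static(self):
        """port-security ... convert-to-static: bridged MACs become permanent."""
        for entry in self.table.values():
            if entry[1] == "bridging":
                entry[0] = "static"

    def clear_violation(self):
        """clear violation port ...: bring the port back up."""
        self.oper_up = True
        self.violating_mac = ""

    def show(self):
        """Rough equivalent of the MAC table in 'show port-security port'."""
        return sorted((m, t, op) for m, (t, op) in self.table.items())


def lab_walkthrough():
    """Constructed replay of the lab: client 4 first, then the two 6560-B MACs."""
    p = LpsPort("1/1/7")
    first = p.learn("00:50:56:90:ac:77")     # client 4: first MAC seen, bridged
    second = p.learn("2c:fa:a2:aa:34:9f")    # 6560-B Layer 2 MAC, filtered
    third = p.learn("2c:fa:a2:aa:34:ac")     # 6560-B base MAC, filtered
    p.convert_to_static()                    # section 2.2: client 4 becomes static
    p.flush_dynamic()                        # the 6560-B entries are flushed / age out
    p.violation, p.max_filtered = "shutdown", 0   # section 2.3
    fourth = p.learn("2c:fa:a2:aa:34:ac")    # 6560-B pings again: violation
    return first, second, third, fourth, p.oper_up, p.show()
```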
OmniSwitch R8
IP Interfaces

The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE.
Objectives
IP Interfaces

At the end of this module, you will be able to:


• Understand and implement the following features
– IP interfaces
– Loopback0 Interface
– Static routes
– RIP
IP Interface
Overview
• IP is enabled by default on the OmniSwitch switches
• IP forwarding is enabled when at least one IP interface is configured on a VLAN
• IP Interfaces have the following characteristics:
- The subnet mask can be expressed in dotted decimal notation (255.255.0.0) or with a slash (/) followed by the
number of bits in the mask (192.168.10.1/24).
- A forwarding router interface sends IP frames to other subnets. A router interface that is not forwarding can receive
frames from other hosts on the same subnet.
- The first interface bound to a VLAN becomes the primary interface for that VLAN.

• Create a new IP Interface


-> ip interface <int_name> address <ip address/mask> vlan <vlan_id>

• Display the list of the IP Interfaces

-> show ip interface


Loopback0
Loopback0
• Goal
- Identify a consistent address for network management purposes
- Not bound to any VLAN
- Always remain operationally active (as long as at least one VLAN is active)

• To identify a Loopback0 interface, enter Loopback0 for the interface name

-> ip interface Loopback0 address 100.10.1.1


• Automatically advertised by RIP and OSPF protocols when the interface is created (not by BGP)

• Use

- RP (Rendez-Vous Point) in PIMSM


- sFlow Agent IP address
- Source IP of RADIUS authentication
- NTP Client
- BGP peering
- OSPF router-id
- Switch and Traps Identification from an NMS station (e.g. OmniVista)
Custom IP Interface/Loopback0 for IP service
• To configure a source IP address as the outgoing IP interface for an IP service
• Any IP interface / loopback
• In a particular VRF, based on an application-specific command

[vrf vrf_name] ip service source-ip {Loopback0 | interface_name} [tftp] [telnet] [tacacs] [swlog] [ssh] [snmp] [sflow] [radius] [ntp] [ldap] [ftp] [dns] [all]

sw5 (6360-A) -> ip service source-ip loopback0 snmp

sw5 (6360-A) -> show ip service source-ip
Legend: - no explicit configuration

Application   Interface-name
-------------+--------------------------------
dns           -
ftp           -
ldap          -
ntp           -
radius        -
sflow         -
snmp          Loopback0
ssh           -
swlog         -
tacacs        -
telnet        -
tftp          -
Static / Dynamic Routing
Static vs Dynamic Routing
Static Routes
• Entered manually by the network administrator
• Anytime the network topology changes, administrator must update the routes
• Static routes always have priority over dynamic routes
• Suitable for environments where network traffic is relatively predictable and where network design is
relatively simple

Dynamic Routing (RIP, OSPF, …)

• Allows the network to update routes quickly and automatically, without the administrator having to configure new routes
• Routing protocols describe
- How to send updates
- What information is in the updates
- When to send updates
- How to locate the recipients of the updates
Static Routes
Static Routes - Overview
• Gateway or NextHop address is mapped to a particular interface on the switch

• Associated interface needs to be up and running

• By default, static routes have preference over dynamic routes

• Priority can be set by assigning a metric value

-> ip static-route <Destination Network>/<Mask> gateway <host> [METRIC | BFD-STATE | NAME | TAG | NO]
Static Routes - Configuration
• Specify a static route to the destination IP address 134.1.21.0

-> ip static-route 134.1.21.0/24 gateway 10.1.1.1

• Specify a default route

-> ip static-route 0.0.0.0/0 gateway 10.1.1.1

• Configure a default-route metric


-> ip static-route 0.0.0.0/0 gateway 1.1.1.1 metric 1

• Configure a backup default-route

-> ip static-route 0.0.0.0/0 gateway 2.2.2.2 metric 2


Static Routes - Monitoring
• Display the IP Router Database
-> show ip router database
Legend: + indicates routes in-use
b indicates BFD-enabled static route
i indicates INTERFACE static route
r indicates recursive static route, with following address in brackets

Total IPRM IPv4 routes: 3


Destination Gateway INTERFACE Protocol Metric Tag Misc-Info
---------------------+---------------+--------------------------------+--------+-------+----------+-----------------
+ 10.0.0.0/24 10.4.15.254 EMP STATIC 1 0
+ 10.4.15.0/24 10.4.15.1 EMP LOCAL 1 0
+ 127.0.0.1/32 127.0.0.1 Loopback LOCAL 1 0

Inactive Static Routes


Destination Gateway Metric Tag Misc-Info
--------------------+-----------------+------+----------+-----------------
r 0.0.0.0/0 1.1.1.1 1 0

• Display the IP Routes


-> show ip routes

+ = Equal cost multipath routes


Total 1 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 00:37:17 LOCAL
Recursive Static Route
• Assign static routes whose next hop is a route learned through a routing protocol

• Recursive static routes
- The nexthop (or gateway) address no longer has to be tied to a particular INTERFACE
- Capability to tie the destination route to the best route used to reach a particular host
- May be an INTERFACE or a dynamically learned route (i.e. BGP, OSPF, RIP, etc.)
- May change over time

-> ip static-route <Destination Network>/<Mask> follows <host> [METRIC | NAME | TAG | NO]
Recursive Static Route - CLI
-> ip static-route 172.30.0.0/16 follows 2.2.2.2 metric 1
-> show ip router database
Legend: + indicates routes in-use
        * indicates BFD-enabled static route
        r indicates recursive static route, with following address in brackets
Total IPRM IPv4 routes: 4
Destination          Gateway            Interface   Protocol   Metric   Tag   Misc-Info
--------------------+------------------+-----------+----------+--------+-----+-----------------
+  2.2.2.2/32        192.168.100.253    vlan100     RIP        2        0
+  10.1.20.0/24      10.1.20.1          vlan20      LOCAL      1        0
+r 172.30.0.0/16     192.168.100.253    vlan100     STATIC     1        0     [2.2.2.2]
+  192.168.100.0/24  192.168.100.1      vlan100     LOCAL      1        0

Inactive Static Routes

Destination          Gateway            Metric
--------------------+------------------+---------
r  172.20.0.0/16     3.3.3.3            1

The gateway to reach the 2.2.2.2 network has changed through RIP; so the gateway to reach the 172.30.0.0 network has also changed:
+r 172.30.0.0/16     10.1.20.2          vlan20      STATIC     1        0     [2.2.2.2]

-> show ip routes
+ = Equal cost multipath routes
* = BFD Enabled static route
Total 5 routes

Dest Address      Subnet Mask        Gateway Addr       Age        Protocol
-----------------+------------------+------------------+----------+-----------
2.2.2.2           255.255.255.255    192.168.100.253    16:52:44   RIP
10.1.20.0         255.255.255.0      10.1.20.1          00:09:27   LOCAL
127.0.0.1         255.255.255.255    127.0.0.1          17:55:33   LOCAL
172.30.0.0        255.255.0.0        192.168.100.253    00:08:06   NETMGMT
192.168.100.0     255.255.255.0      192.168.100.1      17:54:09   LOCAL
2.2.2.2           255.255.255.255    10.1.20.2          00:07:28   RIP
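Added Python illustration (not AOS code) of how a `follows` route is resolved: the recursive route's gateway and interface are taken from whichever resolved route currently reaches the follows host, so when RIP moves 2.2.2.2 from vlan100 to vlan20 the 172.30.0.0/16 route follows it, and a follows host with no route at all stays in the inactive list. The routes are the ones from the slide; the longest-prefix, lowest-metric lookup order is an assumption.

```python
"""Recursive static route resolution as in the 'follows' example above:
the route's real gateway is whatever route currently reaches the follows
address, so it moves when RIP moves. Added illustration, not AOS code; the
longest-prefix / lowest-metric lookup order is an assumption."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: str          # prefix, e.g. "2.2.2.2/32"
    gateway: str
    interface: str
    protocol: str      # LOCAL, RIP, STATIC, ...
    metric: int = 1


class Rib:
    def __init__(self):
        self.routes = []        # resolved routes (LOCAL, dynamic, plain static)
        self.recursive = {}     # dest -> (follows_host, metric)

    def add(self, route):
        # A protocol announces one path per prefix: a newer one replaces the old.
        self.routes = [r for r in self.routes
                       if not (r.dest == route.dest and r.protocol == route.protocol)]
        self.routes.append(route)

    def add_recursive(self, dest, follows, metric=1):
        """ip static-route <dest> follows <host> metric <metric>"""
        self.recursive[dest] = (follows, metric)

    def lookup(self, host):
        """Longest-prefix match for host; lowest metric breaks ties."""
        addr = ipaddress.ip_address(host)
        candidates = [r for r in self.routes if addr in ipaddress.ip_network(r.dest)]
        if not candidates:
            return None
        return max(candidates,
                   key=lambda r: (ipaddress.ip_network(r.dest).prefixlen, -r.metric))

    def resolve(self):
        """Split the recursive routes into active (resolved) and inactive ones."""
        active, inactive = [], []
        for dest, (follows, metric) in self.recursive.items():
            via = self.lookup(follows)
            if via is None:
                inactive.append((dest, follows, metric))
                continue
            # Directly connected follows host: the host itself is the next hop.
            gateway = follows if via.protocol == "LOCAL" else via.gateway
            active.append(Route(dest, gateway, via.interface, "STATIC", metric))
        return active, inactive


def slide_scenario():
    """The router database from the slide, then RIP moves 2.2.2.2 to vlan20."""
    rib = Rib()
    rib.add(Route("2.2.2.2/32", "192.168.100.253", "vlan100", "RIP", 2))
    rib.add(Route("10.1.20.0/24", "10.1.20.1", "vlan20", "LOCAL"))
    rib.add(Route("192.168.100.0/24", "192.168.100.1", "vlan100", "LOCAL"))
    rib.add_recursive("172.30.0.0/16", "2.2.2.2", metric=1)
    rib.add_recursive("172.20.0.0/16", "3.3.3.3", metric=1)   # no route to 3.3.3.3
    before, inactive = rib.resolve()
    rib.add(Route("2.2.2.2/32", "10.1.20.2", "vlan20", "RIP", 2))   # RIP update
    after, _ = rib.resolve()
    return (before[0].gateway, before[0].interface,
            [d for d, _, _ in inactive],
            after[0].gateway, after[0].interface)
```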
Routing Information Protocol (RIP)
Routing Information Protocol - AOS Specifications
• RIP - Routing Information Protocol
• Supports IPv4
• Distance Vector Protocol (uses hop count to determine best path)
• Hop count limit of 16 is considered unreachable (prevents loops)
• Maximum network diameter = 15
• Generates updates every 30 seconds
- Updates contain all of the router’s routing table
• Routes timeout after 180 seconds
• Uses UDP port 520
• Maximum packet size is 512 bytes
- 20 Route Updates
• Poison reverse increases size of routing updates
- Valid and poisoned routes are included in the updates
• Metrics only involve hop count
Routing Information Protocol - CLI Commands
Minimum configuration

-> ip load rip


-> ip rip interface if_name admin-state enable
-> ip rip admin-state enable

-> ip route-map rip_1 sequence-number 50 action permit


-> ip route-map rip_1 sequence-number 50 match ip-address 0.0.0.0/0
-> ip redist local into rip route-map rip_1 admin-state enable
-> ip redist static into rip route-map rip_1 admin-state enable

More details in the next chapter on Redistribution

Only learned RIP routes and the Loopback0 interface are advertised by default.
Local and/or static routes must be redistributed.
CLI Commands
-> ip rip interface int_name send-version {v2 | v1 | v1compatible | none}
-> ip rip interface int_name recv-version {v1 | v2 | both | none}
-> ip rip interface int_name metric #
-> ip rip interface int_name auth-type {none | simple | MD5}
-> ip rip update-interval seconds

-> show ip rip


-> show ip rip peer
-> show ip rip interface
-> show ip rip interface int_name
Routing Information Protocol - Monitoring
Display the RIP Routes
-> show ip rip routes
Destination Mask Gateway Metric
------------------+------------------+------------------+-------
50.50.50.0 255.255.255.0 50.50.50.1 1

Display the RIP Peers


-> show ip rip peer
Total Bad Bad Secs since
IP Address Recvd Packets Routes Version last update
----------------+------+-------+------+-------+-----------
100.10.10.1 1 0 0 2 3

Display the IP Interfaces redistributed in RIP


-> show ip rip interface
Intf Admin IP Intf Updates
Interface vlan status status sent/recv(bad)
name
----------------+-----+------------+----------+----------------
30.30.30.1 30 enabled enabled 5/5(0)
Routing Information Protocol - Timers
• Update
• Default at 30 - range 1..120
- The time interval between advertisements sent on an interface
- AOS enforces the constraint that update cannot exceed 1/3 of invalid

-> ip rip update-timer 45   (default 30)

• Invalid
• Default at 180 - range 3..360
- The time interval before an active route expires (and enters the "garbage" state)
- AOS enforces the constraint that invalid cannot be less than 3x update

-> ip rip invalid-timer 270   (default 180)


Routing Information Protocol - Timers
• Garbage
• Default at 120 - range 0..180
- The time interval before an expired route (which is in the "garbage" state) is removed from the RIB
- During the "garbage" interval measured by the garbage timer, the router advertises the prefix with a metric of INFINITY

-> ip rip garbage-timer 180   (default 120)

• Holddown
• Default at 0 - range 0..120
- The time interval during which a route remains in the holddown state. Whenever a route is seen from the same gateway with a higher metric than the route in the RIB, the route goes into holddown
- This excludes route updates with an INFINITY metric

-> ip rip holddown-timer 10   (default 0)
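An added Python model (not AOS code) of a RIP route's life under the four timers just described: the timer ranges and the "invalid >= 3 x update" constraint are checked as AOS does, an unrefreshed route goes active -> garbage (advertised with INFINITY) -> removed, and a worse metric from the same gateway starts holddown. The slides only say when holddown starts; holding the old metric and ignoring that gateway until holddown expires is an assumption.

```python
"""RIP route lifecycle under the update / invalid / garbage / holddown timers
described above, including the "invalid >= 3 x update" constraint AOS enforces.
Added illustration, not AOS code: the slides say when holddown starts, so
ignoring the worse metric until holddown expires is an assumption."""
from dataclasses import dataclass

INFINITY = 16   # RIP "unreachable" metric


@dataclass
class RipTimers:
    update: int = 30
    invalid: int = 180
    garbage: int = 120
    holddown: int = 0

    def problems(self):
        """Range and constraint violations; empty when the set is acceptable."""
        ranges = {"update": (1, 120), "invalid": (3, 360),
                  "garbage": (0, 180), "holddown": (0, 120)}
        out = [f"{name} must be {lo}..{hi}" for name, (lo, hi) in ranges.items()
               if not lo <= getattr(self, name) <= hi]
        if self.invalid < 3 * self.update:
            out.append("update cannot exceed 1/3 of invalid")
        return out


@dataclass
class RipRoute:
    prefix: str
    gateway: str
    metric: int
    last_heard: float
    state: str = "active"        # active -> garbage -> removed
    state_since: float = 0.0
    holddown_until: float = 0.0
    pending_metric: int = 0


class RipRib:
    def __init__(self, timers=RipTimers()):
        if timers.problems():
            raise ValueError("; ".join(timers.problems()))
        self.t = timers
        self.routes = {}         # prefix -> RipRoute

    def receive(self, prefix, gateway, metric, now):
        """One route entry from an update received from gateway at time now."""
        cur = self.routes.get(prefix)
        if metric >= INFINITY:                      # poisoned route, never starts holddown
            if cur and cur.gateway == gateway and cur.state == "active":
                cur.state, cur.state_since = "garbage", now
            return
        if cur is None or cur.state == "garbage" or metric < cur.metric:
            self.routes[prefix] = RipRoute(prefix, gateway, metric, now)
        elif cur.gateway == gateway:
            cur.last_heard = now
            if metric == cur.metric or now < cur.holddown_until:
                return                              # plain refresh, or still held down
            if self.t.holddown:                     # worse metric from the same gateway
                cur.holddown_until = now + self.t.holddown
                cur.pending_metric = metric         # assumption: applied after holddown
            else:
                cur.metric = metric

    def age(self, now):
        """Apply the timers; call it as the clock advances."""
        for r in list(self.routes.values()):
            if r.holddown_until and now >= r.holddown_until:
                r.metric, r.holddown_until = r.pending_metric, 0.0
            if r.state == "active" and now - r.last_heard >= self.t.invalid:
                r.state, r.state_since = "garbage", now
            elif r.state == "garbage" and now - r.state_since >= self.t.garbage:
                del self.routes[r.prefix]

    def advertise(self):
        """What the next update announces: garbage routes carry INFINITY."""
        return {p: (r.metric if r.state == "active" else INFINITY)
                for p, r in self.routes.items()}


def lifecycle():
    """Constructed: the 50.50.50.0/24 route from the slide stops being refreshed."""
    rib = RipRib()
    rib.receive("50.50.50.0/24", "50.50.50.1", 1, now=0)
    states = []
    for now in (179, 180, 299, 300):
        rib.age(now)
        r = rib.routes.get("50.50.50.0/24")
        states.append(r.state if r else "removed")
    return states
```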


OmniSwitch AOS R8

Open Shortest Path First (OSPF) - Fundamentals


Lesson Summary

At the end of this presentation, you will be able to

◼ Memorize the role of a Router ID

◼ Summarize the different states an OSPF router goes through
OSPF > Overview
◼ Routing Protocol

◼ Interior Gateway Protocol

◼ Overcome RIP deficiencies & scalability problems

◼ Link-State Routing (LSR) Protocol

◼ Shortest Path First Algorithm

◼ Widely used in large enterprise networks


Specifications
Router Identities
◼ Router Identities = Router ID
⚫ Each OSPF router has a unique ID within the OSPF network
⚫ ID included in any OSPF messages sent by the OSPF router

⚫ Router ID can be (in order of priority):


 Manually defined
 The IP address of the router’s Loopback0 interface
 Highest IP address from one of its active interfaces

[Figure: five OSPF routers with Router IDs 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 and 5.5.5.5]
Finding Neighbors
◼ Exchange Process

[Figure: R1 and R2 move through the same states in step while exchanging Hello packets (each Hello eventually carrying the other router's ID): Down > Init > 2-Way > Exstart > Exchange > Loading > Full]

⚫ Down State
 Routers have not exchanged any OSPF information
 - Hello interval: 10 seconds (keep-alive function)
 - Dead interval: 40 seconds

⚫ Init State
 A destination router has received a new router's hello packet
 Adds it to its neighbor list

⚫ 2-Way State
 The new router receives a unidirectional reply from the destination router
 Adds the destination router to its neighbor list
Designated & Backup Designated Routers
◼ Once in 2-Way State, the routers elect a Designated Router (DR) and a Backup
Designated Router (BDR)

◼ 1 DR and 1 BDR for each broadcast segment

◼ Role
⚫ Maintaining the LSDB (Link State DataBase)
⚫ Receiving and disseminating update to the routers on the segment

[Figure: VLAN 1 with R1 (DR), R2 (BDR), R3 (DROther) and R4 (DROther). 1: R4 detects a new link. 2: R4 sends an update to 224.0.0.6 (DR and BDR). 3: the DR sends the update to 224.0.0.5 (all routers on the segment)]
Designated & Backup Designated Routers
◼ DR & BDR Election
⚫ The DR & BDR are elected according to the following parameters:
1. IP interface priority (highest priority)
2. Router ID (highest value)

⚫ If the DR fails,
 The BDR is promoted to DR
 Another Router (DROther) is promoted to BDR

[Figure: five routers on one segment. ID 1.1.1.1 / priority 250 = DR, ID 2.2.2.2 / priority 200 = BDR, ID 3.3.3.3 / priority 150, ID 4.4.4.4 / priority 100 and ID 5.5.5.5 / priority 50 = DROther]
Designated & Backup Designated Routers
◼ Election > Exstart State
⚫ DR & BDR form adjacencies with the other OSPF routers

[Figure: R1 and R2 move from Init to 2-Way to Exstart, exchanging Hellos that carry the Router ID and the IP interface/router priority]

◼ Highest router ID becomes the master and starts the exchange process

[Figure: same five-router segment; R1 (ID 1.1.1.1, DR) is the SLAVE and R4 (ID 4.4.4.4, DROther) is the MASTER of their exchange]

⚫ OSPF routers are ready to share link state information!


Sharing Routing Information
◼ Sharing Link State information > Exchange State
⚫ Database Description (DBD) packets which contain
 ID of the advertising router
 Cost of the advertising router
 Sequence number of the link

[Figure: R4 (MASTER) and R1 (DR, SLAVE) go Init > 2-Way > Exstart > Exchange; R4 sends DBD packets (ID of the advertising router, cost of the advertising router, sequence number) and R1 answers with LSAck]
Sharing Routing Information
◼ Loading information in the Database > Loading State
⚫ If the master has more up-to-date information than the slave,
 Slave sends a Link State Request (LSR) to the master
 Master then sends a Link State Update (LSU) with detailed information of the links
 Slave incorporates the information in its local database
 Slave sends a Link State Acknowledge (LSAck) to the master
⚫ If the slave has more up-to-date information,
 It will repeat the Exchange and Loading states

[Figure: R4 (MASTER, holding more up-to-date information) and R1 (DR, SLAVE) go Init > 2-Way > Exstart > Exchange > Loading; R1 sends an LSR, R4 answers with an LSU, R1 returns an LSAck]
Sharing Routing Information
◼ Master & Slave synchronized > Full State
⚫ Incremental updates after entering a full state
(State sequence: Down > Init > 2-Way > Exstart > Exchange > Loading > Full)

◼ In case of Update (ex. new route discovered)

[Figure: VLAN 1 with R1 (DR), R2 (BDR), R3 (DROther) and R4 (DROther); R4 discovers a new network]

1 A new network is discovered by R4

2 R4 sends a multicast to the DR and the BDR (destination @: 224.0.0.6)
 The DR and the BDR update their LSDB (based on the received information)
3 The DR informs the other routers on the segment about the change
(destination @: 224.0.0.5 = all OSPF routers)
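The adjacency process described above (Hello parameter checks, neighbor state progression, DR/BDR election, master/slave selection and the Exchange/Loading database synchronization) modelled in Python. This is an added teaching example, not AOS code; the router IDs, priorities and LSA sequence numbers are constructed sample values, and the priority-0 ineligibility rule comes from RFC 2328 rather than from this lesson.

```python
"""OSPF adjacency process from this lesson reduced to functions: Hello parameter
checks, neighbor state progression, DR/BDR election, master/slave selection and
the Exchange/Loading database synchronization.  Teaching example, not AOS code."""
from dataclasses import dataclass, field


def ip_to_int(addr):
    """Dotted-decimal router ID -> int, so IDs compare numerically, not as text."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class Router:
    router_id: str
    priority: int = 1            # IP interface priority used in the DR/BDR election
    hello_interval: int = 10     # seconds (default quoted in the lesson)
    dead_interval: int = 40      # seconds (default quoted in the lesson)
    area: str = "0.0.0.0"
    neighbors: dict = field(default_factory=dict)   # neighbor router_id -> state


def hello_accepted(local, sender):
    """Parameters that must agree before a Hello is accepted (RFC 2328, 10.5).
    The reason string mirrors the swlog line 'HELLO ... discarded...invalid
    helloInterval N' that such a mismatch produces on the switch."""
    if local.area != sender.area:
        return False, "area mismatch"
    if local.hello_interval != sender.hello_interval:
        return False, "invalid helloInterval %d" % sender.hello_interval
    if local.dead_interval != sender.dead_interval:
        return False, "invalid deadInterval %d" % sender.dead_interval
    return True, ""


def receive_hello(local, sender, ids_listed_by_sender):
    """Down -> Init on the first valid Hello from a neighbor; Init -> 2-Way once
    the neighbor's Hello lists our own router ID (bidirectional communication)."""
    state = local.neighbors.get(sender.router_id, "Down")
    ok, _ = hello_accepted(local, sender)
    if not ok:
        return state                      # Hello discarded: no state change
    if state == "Down":
        state = "Init"
    if state == "Init" and local.router_id in ids_listed_by_sender:
        state = "2-Way"
    local.neighbors[sender.router_id] = state
    return state


def elect_dr_bdr(routers):
    """One broadcast segment: highest priority wins, highest router ID breaks ties.
    Priority 0 makes a router ineligible (RFC 2328 rule, not stated on the page)."""
    ranked = sorted((r for r in routers if r.priority > 0),
                    key=lambda r: (r.priority, ip_to_int(r.router_id)), reverse=True)
    dr = ranked[0].router_id if ranked else None
    bdr = ranked[1].router_id if len(ranked) > 1 else None
    return dr, bdr


def dr_failover(routers, dr, bdr):
    """DR fails: the BDR is promoted to DR and a new BDR is elected among the
    remaining DROthers."""
    others = [r for r in routers if r.router_id not in (dr, bdr)]
    new_bdr, _ = elect_dr_bdr(others)
    return bdr, new_bdr


def exstart_master(a, b):
    """Exstart: the neighbor with the highest router ID becomes the master."""
    return a.router_id if ip_to_int(a.router_id) > ip_to_int(b.router_id) else b.router_id


def synchronize(master_lsdb, slave_lsdb):
    """Exchange + Loading in essence.  Each LSDB maps an LSA id to its sequence
    number (what DBD packets summarize).  The side holding an older or missing
    copy sends an LSR and installs the LSU it gets back (answering with LSAck);
    if the slave had the newer copy, the exchange is repeated the other way.
    Returns the two synchronized databases and the LSRs that were sent."""
    master, slave, requests = dict(master_lsdb), dict(slave_lsdb), []
    for lsa, seq in master.items():
        if slave.get(lsa, -1) < seq:
            requests.append(("slave", lsa))    # slave -> master: LSR, then LSU/LSAck
            slave[lsa] = seq
    for lsa, seq in slave.items():
        if master.get(lsa, -1) < seq:
            requests.append(("master", lsa))   # master behind: repeat Exchange/Loading
            master[lsa] = seq
    return master, slave, requests


if __name__ == "__main__":
    # Constructed segment matching the slide: IDs 1.1.1.1..5.5.5.5, priorities 250..50.
    segment = [Router("1.1.1.1", 250), Router("2.2.2.2", 200), Router("3.3.3.3", 150),
               Router("4.4.4.4", 100), Router("5.5.5.5", 50)]
    dr, bdr = elect_dr_bdr(segment)
    print("DR", dr, "BDR", bdr)                                  # DR 1.1.1.1 BDR 2.2.2.2
    print("after DR failure:", dr_failover(segment, dr, bdr))    # ('2.2.2.2', '3.3.3.3')
    print("master of R4/R1 exchange:", exstart_master(segment[3], segment[0]))   # 4.4.4.4
```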
Sharing Routing Information
◼ Metrics/Cost
⚫ Indicates the overhead required to send packets out a particular interface

◼ Cost is calculated:
⚫ From the root node to every other node in the network
⚫ Using the metric cost of the outgoing interfaces

◼ Cost can be set on a per-interface basis

◼ Routers can disagree about the cost on a network link

◼ Can result in asymmetric routing in the network


OmniSwitch AOS R8

Open Shortest Path First (OSPF) – Areas


Lesson Summary

At the end of this presentation, you will be able to

◼ Define what is an OSPF Area

◼ Summarize the different LSA Types

◼ List the OSPF Area Types

◼ Learn how to redistribute local & external routes
OVERVIEW
Overview
◼ An OSPF network can be divided in sub-domains called areas
⚫ A router within an area maintains a topological database for the area to which it
belongs
⚫ The router does not have information about the topology outside of its area

⚫ Without Areas: "The SPF is running too often!", "I'm receiving too many LSAs!", "My routing table is too big", "I'm running low on memory!"
⚫ With Areas: the CORE forms AREA 0, while the DISTRIBUTION and ACCESS layers are split into AREA 1 and AREA 2

[Figure: the same core / distribution / access hierarchy shown without areas (routers complaining) and with areas (Area 0 in the core, Areas 1 and 2 below it)]
Overview
◼ Main benefit of creating areas > reduce the number of routes to propagate

◼ If divided in areas, an OSPF network must have:


⚫ A Backbone Area
 Distributes information between areas
 Must be contiguous (if not, virtual links can be configured)
⚫ Non-backbone area(s) directly connected to the backbone area

◼ Areas are identified by an area ID (32 bits dotted decimal format):

⚫ Backbone area > 0.0.0.0
⚫ Other areas > W.X.Y.Z (ex. 1.1.1.1)

[Figure: AREA 0.0.0.0 (BACKBONE AREA) at the top, with AREA 1.1.1.1 and AREA 2.2.2.2 attached below it]
ROUTER TYPES
Backbone Router (BB) & Internal Router (IR)
◼ Routers that are entirely within the backbone area are called Backbone Routers (BB)

◼ Routers that are wholly within an area are called Internal Routers (IR)

[Figure: Backbone Routers (BB) inside AREA 0.0.0.0 (BACKBONE AREA); Internal Routers (IR) inside AREA 1.1.1.1 and AREA 2.2.2.2]
Area Border Router (ABR)
◼ Router that attaches multiple areas (backbone + other areas)

◼ Condenses the topological information of its attached areas for distribution to the backbone
◼ The backbone in turn distributes the information to the other areas

◼ Main function
⚫ Summarize sub networks found throughout the OSPF system

[Figure: an ABR sitting between AREA 0.0.0.0 and AREA 1.1.1.1]
Autonomous System Boundary Router (ASBR)
◼ Router that is running multiple routing protocols

◼ Serves as a gateway

◼ Able to import and translate different protocols into OSPF (redistribution)

[Figure: an ASBR connecting an external domain running RIP to AREA 0.0.0.0, with AREA 1.1.1.1 attached to the backbone]
LSA TYPES
LSA – Type 1 > Router LSA
◼ Each router within the area floods router LSA

◼ Aim: provide a list with all the directly connected links

◼ A router LSA always stays within the area

◼ Generated by every router

[Figure: R1, R2 and R3 in AREA 0.0.0.0]

❖ Each router sends a LSA – Type 1 to each other with all its directly connected links
LSA – Type 2 > Network LSA
◼ Only generated by DR (multi-access network)

◼ A network LSA always stays within the area

◼ Aim: send ID of all the routers connected to the multi-access network

[Figure: R1, R2 (DR) and R3 on one multi-access network in AREA 0.0.0.0]

❖ The DR generates a LSA – Type 2 in the Area 0

❖ Contains the directly connected routers:
 ❖ R1
 ❖ R3
LSA – Type 3 > Summary LSA
◼ Generated by the ABR

◼ Aim: inform other areas about networks from an area

[Figure: R1 and R4 in AREA 2.2.2.2 behind ABR (1), R3 in AREA 0.0.0.0, R2 and R5 in AREA 1.1.1.1 behind ABR (2); R1 learns a new route and sends a LSA – Type 1, ABR (1) and ABR (2) send LSA – Type 3]

❖ R1 floods the new route information via a LSA – Type 1 (Router LSA) in the Area 2

❖ Reminder: LSA – Type 1 stays within the area!

❖ ABR (1) creates an LSA – Type 3 (Summary LSA) and floods it into the area 0

❖ This LSA is flooded into all the other areas


LSA – Type 5 > External LSA
◼ Generated by the ASBR

◼ Aim: redistribute external routes into OSPF

[Figure: an ASBR in AREA 2.2.2.2 connected to an external domain running RIP; R4 and ABR (1) in AREA 2.2.2.2, R3 in AREA 0.0.0.0, R2, R5 and ABR (2) in AREA 1.1.1.1; LSA – Type 5 flows from the ASBR through ABR (1) and ABR (2)]

❖ The ASBR redistributes the RIP routes into OSPF via a LSA – Type 5 – External LSA

❖ The LSA – Type 5 – External LSA is flooded into all the other areas
LSA – Type 4 > Summary ASBR LSA
◼ Generated by the ABR

◼ Aim: inform other routers where to find the ASBR

◼ Includes the ASBR Router ID

[Figure: same topology; the ASBR in AREA 2.2.2.2 sends a LSA – Type 1, ABR (1) generates a LSA – Type 4 into AREA 0.0.0.0 and ABR (2) forwards a LSA – Type 4 into AREA 1.1.1.1]

❖ The ASBR flips a bit in the LSA-Type 1 to identify itself as ASBR

❖ When the ABR (1) receives the LSA, it creates a LSA Type 4 – Summary ASBR LSA and floods it into the area 0

❖ This LSA is flooded into all the other areas


LSA – Type 7 > NSSA LSA
◼ Used for specific area type: Not-So-Stubby-Area (explained later)

◼ LSA - Type 5 are not allowed in NSSA areas

◼ LSA – Type 7 carries exact same information as LSA – Type 5 but is not blocked
in NSSA areas

[Figure: same topology with AREA 2.2.2.2 configured as NSSA AREA; the ASBR sends a LSA – Type 7 to ABR (1), which sends a LSA – Type 5 into AREA 0.0.0.0, and ABR (2) forwards the LSA – Type 5 into AREA 1.1.1.1]

❖ The ASBR redistributes the RIP routes into OSPF via a LSA – Type 7 – External LSA (because Area 2 is NSSA)

❖ The ABR (1) converts the LSA – Type 7 to LSA – Type 5, then floods it into all the other areas

*LSA-Type 6 are not explained in this course as they are not used in today’s infrastructures
AREA TYPES
Standard Area
[Figure: AREA 0 with R1 and R2, STANDARD AREA 1 with R2 and R3, an external domain behind R3; Type 1/2 LSAs stay inside each area, Type 3 and Type 5 LSAs cross R2, Type 4 LSAs are injected by R2 into Area 0]

◼ Router Types
⚫ R2 = Area Border Router (ABR)
⚫ R3 = Autonomous System Boundary Router (ASBR)

◼ LSA Types
⚫ Type 1 & 2 LSAs are flooded between routers in the same area
⚫ Type 3 & 5 are flooded throughout the backbone and all standard areas
⚫ Type 4 LSAs are injected into the backbone by the ABR of an area which contains an
ASBR
Stub Area
◼ External routes are not forwarded in a stub area

[Figure: AREA 0 with R1 and R2, STUB AREA 1 with R2 and R3; Type 1/2 LSAs stay inside each area, Type 3 LSAs cross R2, R2 injects a DEFAULT route into the stub area]

◼ Router Types
⚫ R2 = Area Border Router (ABR)
⚫ R2 & R3 share a common stub area

◼ LSA Types
⚫ Type 5 LSAs are not propagated into the stub area
 Instead, R2 (ABR) injects a Type 3 LSA containing a default route into the stub area (« through
itself »)
⚫ Type 4 LSAs are not propagated into the stub area
Totally Stubby Area
◼ External routes + Type 3 LSAs are not forwarded in a Totally Stubby area

[Figure: AREA 0 with R1 and R2, TOTALLY STUBBY AREA 1 with R2 and R3; Type 1/2 LSAs stay inside each area, R2 injects only a DEFAULT route into the area]

◼ Router Types
⚫ R2 = Area Border Router (ABR)
⚫ R2 & R3 share a common stub area

◼ LSA Types
⚫ Like stub areas, totally stubby areas do not receive Type 4 & Type 5 LSAs from their
ABRs
⚫ Neither do the Type 3 LSAs
⚫ All routing out of the area relies on a single default route injected by the ABR
Not So Stubby Area (NSSA)
◼ Stub & Totally Stubby Areas
⚫ Pro: Convenient to reduce the resource utilization of routers (no external routes to
process)
⚫ Con: Neither type can contain an ASBR (as types 4 & 5 LSAs not authorized)

[Figure: AREA 0 with R1 and R2, NSSA 1 with R2 and R3, an external domain behind R3; Type 1/2 LSAs stay inside each area, R3 sends Type 7 LSAs to R2, R2 sends Type 5 and Type 4 LSAs into Area 0 and injects a DEFAULT route into the NSSA]

◼ Router Types
⚫ R2 = Area Border Router (ABR)
⚫ R3 = Autonomous System Boundary Router (ASBR)

◼ LSA Types
⚫ Type 7 LSAs = Type 5 LSAs in disguise
 This allows an ASBR to advertise external links to an ABR
ROUTES REDISTRIBUTION
Routes Redistribution
◼ Allows to learn and advertise IPv4 routes between different protocols

◼ Uses route maps to:


⚫ Determine which routes are allowed/denied access to the network
⚫ Modify route parameters before they are redistributed
[Figure: an external domain running RIP with 192.168.1.0/24 and 192.168.2.0/24, connected through an ASBR to AREA 0.0.0.0]

◼ STEP 1: CONFIGURING ROUTE MAPS
⚫ A Route Map is composed of
 Action
  Route map name
  Sequence number
  Action: permit/deny
 Match
  Criteria that a route must match
  Action statement is applied to the route
 Set
  Modify route information before being redistributed
  Applied if
   All the route-map criteria is met
   The action permits redistribution

EXAMPLE: REDISTRIBUTION OF 192.168.1.0 ONLY
ROUTE MAP
- ACTION: PERMIT
- MATCH: 192.168.1.0/24
- SET: NOT USED
- ACTION: DENY
- MATCH: 192.168.2.0/24
- SET: NOT USED
Routes Redistribution
◼ STEP 2: CONFIGURING ROUTE REDISTRIBUTION
⚫ Redistribution from source protocol to destination protocol
 Source protocol: from which the sources are learned
 Destination protocol: from which the sources are redistributed

EXAMPLE: REDISTRIBUTION OF 192.168.1.0 ONLY

[Figure: external domain running RIP (192.168.1.0/24, 192.168.2.0/24) > ASBR > AREA 0.0.0.0]

STEP 1 > ROUTE MAP
- ACTION: PERMIT
- MATCH: 192.168.1.0/24
- SET: NOT USED
- ACTION: DENY
- MATCH: 192.168.2.0/24
- SET: NOT USED

STEP 2 > ROUTES REDISTRIBUTION
- RIP INTO OSPF
- ROUTE MAP (CONFIGURED IN STEP 1)

◼ Redistribution configured > Router becomes ASBR


OSPF CONFIGURATION
OSPF Configuration
◼ Step by Step

Loading the Software

Creating an Area

Specifying an Area Type

Creating an OSPF Interface

Assigning an Interface to an Area

Redistributing Local & External Routes

Enabling OSPF
OSPF Configuration
◼ Step by Step

Loading the Software


 Load the OSPF Software into the running configuration

Creating an Area
 Create the OSPF area(s)

AREA 0 AREA 1

Specifying an Area Type
 When creating an area, an area type can be specified (Normal/Stub/NSSA)
OSPF Configuration
◼ Step by Step

Creating an OSPF Interface


 Once areas established, interfaces need to be created and assigned to the areas

AREA 0 AREA 1

Assigning an Interface to an Area


 Each Interface must then be assigned to an Area

AREA 0 AREA 1
OSPF Configuration
◼ Step by Step

Redistributing Local & External Routes


 If necessary, configure the redistribution of local and/or external routes

REDIST. REDIST.

AREA 0 AREA 1
RIP
EXTERNAL DOMAIN

Enabling OSPF
 Enable the OSPF Software previously loaded
OSPF Configuration
[Figure: switch with interfaces INT 1 and INT 2; INT 1 belongs to AREA 0]

0) CONFIGURING THE ROUTER-ID
SW-> ip router router-id 192.168.254.7

1) LOADING THE SOFTWARE
SW-> ip load ospf

2) CREATING AN AREA
SW-> ip ospf area 0.0.0.0

3) SPECIFYING AN AREA TYPE


SW-> ip ospf area 1.1.1.1 type normal

4) CREATING AN OSPF INTERFACE


SW-> ip ospf interface int_1

5) ASSIGNING AN INTERFACE TO AN AREA


SW-> ip ospf interface int_1 area 0.0.0.0

SW-> ip ospf interface int_1 admin-state enable (R8)


OSPF Configuration
4) CREATING AN OSPF INTERFACE
SW-> ip ospf interface int_2

5) ASSIGNING AN INTERFACE TO AN AREA
SW-> ip ospf interface int_2 area 1.1.1.1
SW-> ip ospf interface int_2 admin-state enable

6) REDISTRIBUTING LOCAL & EXTERNAL ROUTES
SW-> ip route-map RipIntoOspf sequence-number 10 action permit
SW-> ip route-map RipIntoOspf sequence-number 10 match ip-address 192.168.254.0/24 permit
SW-> ip redist rip into ospf route-map RipIntoOspf admin-state enable

7) ENABLING OSPF
SW-> ip ospf admin-state enable

[Figure: INT 1 in AREA 0, INT 2 in AREA 1, RIP routes from the external domain redistributed (REDIST.) into OSPF]
OmniSwitch AOS R8

Open Shortest Path First (OSPF) – Advanced Features & Monitoring


Lesson Summary

At the end of this presentation, you will be able to

◼ Identify the advantages of ECMP in OSPF

◼ Choose when to use the Summarization

◼ Choose when to use the Aggregation

◼ Summarize the Graceful Restart feature

◼ Enable the Simple/MD5 Authentication

◼ Determine when to use the Virtual Link feature

◼ List the main OSPF monitoring commands
FEATURES
OSPF & ECMP
◼ Aka ECMP (Equal Cost Multi-Path) Routing
⚫ Next-hop packet forwarding to a single destination can occur over multiple “best
paths”

◼ Works for routes with


⚫ Same destination
⚫ Same metric
⚫ Different next-hops

◼ ECMP Per-Flow Load Balancing


⚫ Distributes packets across multiple links based on L3 routing information
⚫ Router discovers multiple paths to a destination > Routing table updated with multiple
entries
⚫ Multiple paths used for multiple sources-destination host pairs

◼ Up to 4 ECMP routes supported

*Per packet Load Balancing is not supported


Summarization
◼ By default, OSPF doesn’t summarize anything

◼ OSPF Summarization advantages


⚫ Smaller routing tables
⚫ Less LSA flooding
⚫ Less bandwidth, memory & CPU usage

◼ Summary routes are carried by LSA – Type 3 (Summary LSA)

◼ Internal routes summarization done on the ABR

[Figure: AREA 1.1.1.1 holds 192.168.0.0/24 and 192.168.1.0/24 behind the ABR. Without summarization, AREA 0.0.0.0 learns 192.168.0.0/24 via ABR and 192.168.1.0/24 via ABR; with summarization it learns only 192.168.0.0/23 via ABR]
Aggregation
◼ Internal routes: Summarization > External routes: Aggregation

◼ Same advantages as Summarization


⚫ Smaller routing tables
⚫ Less LSA flooding
⚫ Less bandwidth, memory & CPU usage

◼ Aggregated routes are carried by LSA – Type 5 (External ASBR LSA)

◼ External routes aggregation done on the ASBR

[Figure: an external domain running RIP holds 192.168.0.0/24 and 192.168.1.0/24 behind the ASBR. Without aggregation, AREA 0.0.0.0 learns 192.168.0.0/24 and 192.168.1.0/24 individually; with aggregation it learns only 192.168.0.0/23]
OSPF Interface Authentication
◼ If authentication enabled, neighbors can communicate only if:
⚫ They use the same type of authentication
⚫ They have a matching password or key

◼ 2 types of authentication:
⚫ Simple
 Uses simple clear-text passwords
⚫ MD5
 Encrypted authentication, uses a key and a password
Virtual Link
◼ Reminder: all areas must be connected to the backbone area (Area 0)
⚫ Not possible? Solution: Virtual Link

◼ A Virtual Link is used :


⚫ To connect an area to the backbone through a non-backbone area
⚫ To connect 2 parts of a partitioned backbone through a non-backbone area

◼ The crossed area is called Transit Area

[Figure: left, AREA 2.2.2.2 reached from AREA 0.0.0.0 through a VIRTUAL LINK across AREA 1.1.1.1 (= TRANSIT AREA); right, two parts of AREA 0.0.0.0 joined through a VIRTUAL LINK across AREA 1.1.1.1 (= TRANSIT AREA)]

ip ospf virtual-link <transit-area> <router-id>


MONITORING
Monitoring
◼ OSPF Log levels can be modified:
⚫ To monitor the OSPF operation
⚫ To troubleshoot an issue on OSPF

◼ Modifying Log levels allows to have more (or less) information about a specific
protocol/feature (ex. OSPF) in the logs

SEVERITY LEVELS FOR AOS R8


Monitoring
◼ Example of Severity Level modification

⚫ All OSPF sub applications

SW-> swlog appid ospf_0 subapp all level 8


[OR]
SW-> swlog appid ospf_0 subapp all level debug3

⚫ Only the Hello messages

SW-> swlog appid ospf_0 subapp hello level debug3

⚫ For information, below the list of the sub applications

SW-> swlog appid ospf_0 subapp ?


ALL <num> <string>
1=ERROR 2=WARNING 3=RECV 4=SEND 5=FLOOD 6=SPF 7=LSDB
8=RDB 9=AGE 10=VLINK 11=REDIST 12=SUMMARY
13=DBEXCH 14=HELLO 15=AUTH 16=STATE 17=AREA 18=INTF
19=CONFIG 20=INFO 21=SETUP 22=TIME 23=MIP 24=TM
25=RESTART 26=HELPER 27=HOST 28=AUTOCONFIG
Monitoring
◼ Example
⚫ Infrastructure

SW1 SW2

⚫ Problem: SW1 & SW2 are not in FULL state!

SW1 SW2
# of Events = 4, # of Events = 4,
# of Init State Neighbors = 0, # of Init State Neighbors = 0,
# of 2-Way State Neighbors = 0, # of 2-Way State Neighbors = 0,
# of Exchange State Neighbors = 0, # of Exchange State Neighbors = 0,
# of Full State Neighbors = 0, # of Full State Neighbors = 0,
# of type-9 LSAs on this interface = 0, # of type-9 LSAs on this interface = 0,

⚫ Modify the log level to have the maximum verbosity

SW1 -> swlog appid ospf_0 subapp all level debug3


Monitoring
◼ Example
⚫ Check the logs
SW1 -> show log swlog | grep ospf_0
[TRUNCATED]
2017 Oct 20 09:58:57 SW1 swlogd: ospf_0 HELLO debug2(7) [1508493537.082626]
(4226):(457): HELLO from 192.168.0.2 discarded...invalid helloInterval 10
[TRUNCATED]

⚫ Check the Hello Interval on both switches


SW1 SW2
Hello Interval (seconds) = 20, Hello Interval (seconds) = 10,

⚫ The Hello Interval value is not the same on both switches!


⚫ Solution: put the same value on both switches
⚫ Result:

SW1 SW2
# of Init State Neighbors = 0, # of Init State Neighbors = 0,
# of 2-Way State Neighbors = 0, # of 2-Way State Neighbors = 0,
# of Exchange State Neighbors = 0, # of Exchange State Neighbors = 0,
# of Full State Neighbors = 1, # of Full State Neighbors = 1,
OmniSwitch AOS R8

Global Routing Protocols Redistribution


Module Objectives

At the end of this presentation, you will be able to

◼ Understand the layer 3 route redistribution concept on AOS based switches

◼ Implement an appropriate route redistribution in a network with its different options, then monitor the rule statements
Overview of Route Map - Route Redistribution

◼ Redistribute routes from a source protocol RIB to a destination protocol RIB
⚫ Source protocol can be BGP, RIP, OSPF, Local or Static
⚫ Destination protocol can be BGP, RIP or OSPF

[Figure: Source Routing Protocol RIB > IP ROUTE MANAGER > REDIST ROUTE MAP > Destination Routing Protocol RIB]

Overview of Route Map - Route Redistribution

[Figure: the source routing protocols (Local, Static, RIP, OSPF, BGP, IS-IS) feed their RIBs into IPRM (IP Route Manager); IPRM keeps the best (preferred) routes in its RIB (Routing Information Base) and programs the FIB (Forwarding Information Base); the redist route map selects the routes handed to the destination routing protocol (RIP, OSPF, BGP, IS-IS)]

-> show ip router database
Legend: + indicates routes in-use
        b indicates BFD-enabled static route
        i indicates interface static route
        r indicates recursive static route, with following address in brackets

Total IPRM IPv4 routes: 4

Destination          Gateway          Interface   Protocol  Metric  Tag        Misc-Info
---------------------+---------------+-----------+--------+-------+----------+--------------
+ 10.0.0.0/24        10.4.116.254     EMP         STATIC    1       0
+ 10.4.16.0/24       10.4.116.254     EMP         STATIC    1       0
+ 10.4.116.0/24      10.4.116.7       EMP         LOCAL     1       0
+ 127.0.0.1/32       127.0.0.1        Loopback    LOCAL     1       0

Inactive Static Routes

Destination          Gateway           Metric  Tag        Misc-Info
--------------------+-----------------+------+----------+-----------------

-> show ip redist

-> show ip route-pref
Protocol      Route Preference Value
------------+------------------------
Local         1
Static        2
OSPF          110
ISISL1        115
ISISL2        118
RIP           120
EBGP          190
IBGP          200
Import        210

-> show ip routes
+ = Equal cost multipath routes
Total 1 routes

Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------

RIB - Routing Information Base
FIB - Forwarding Information Base
Route Map - Definition
◼ Route map
⚫ Criteria that is used to control redistribution of routes between protocols
⚫ Defined by configuring route map statements

◼ Route Map and Statements


⚫ Action
 Route map name
 Sequence number
 Action, redistribution is permitted or denied based on criteria
⚫ Match
 Criteria that a route must match
 Action statement is applied to the route
⚫ Set
 Modify route information before it is redistributed into the receiving protocol
 Applied if
 All the route-map criteria is met and
 The action permits redistribution
Route Map - Specifications
◼ Route-map-name
⚫ 200 route maps per switch
⚫ Names are 20 characters alpha numeric
⚫ Also known as an index

◼ Sequence-number
⚫ 400 sequence statements per switch
⚫ Sequence range 1 to 100
⚫ Default sequence 50

◼ Action
⚫ Permit
⚫ Deny

◼ Match
⚫ 124 IPv4 addresses
⚫ 124 IPv6 addresses
⚫ 31 IPv4 Address matches
⚫ 12 IPv6 Address matches
⚫ 62 Tags
⚫ 62 IPv4 Interfaces
⚫ 62 IPv6 Interfaces
⚫ 31 Metrics
⚫ 249 Route types
Route Map - Configuration
◼ -> ip route-map myroute-map?
  ACTION MATCH SEQUENCE-NUMBER SET

• Action
  • permit
  • deny

• Match
  • IP-ADDRESS
    • IP access-list
      • access-list-name
    • ip-address/mask
    • Redist-control
      • all-subnets
      • no-subnets
      • aggregate
  • IP-NEXTHOP
  • IPV4-INTERFACE
  • IPV6-ADDRESS
  • IPV6-INTERFACE
  • IPV6-NEXTHOP
  • METRIC
  • ROUTE-TYPE
    • LEVEL2
    • LEVEL1
    • INTERNAL
    • EXTERNAL
  • TAG

• Set
  • Metric
    • effect
      • add
      • subtract
      • replace
      • none
  • metric-type
    • INTERNAL
    • EXTERNAL
  • Tag
  • Community
  • local-preference
  • Level
    • LEVEL1-2
    • LEVEL2
    • LEVEL1
New Redistribution - Commands

◼ Route map criteria specification

ip route-map route-map-name [sequence-number number] action {permit | deny}

ip route-map route-map-name [sequence-number number] match ip-address {access-list-name | ip-address/prefixLen} [redist-control {all-subnets | no-subnets | aggregate}] [permit | deny]

ip route-map route-map-name [sequence-number number] set metric metric [effect {add | subtract | replace | none}]

◼ Rip redistribution
-> ip redist {local | static | ospf | isis | bgp} into rip route-map route-map-name

◼ OSPF redistribution
-> ip redist {local | static | rip | isis | bgp} into ospf route-map route-map-name
Route Map - Access List Creation

◼ Convenient way to add multiple IPv4 or IPv6 addresses to route-maps


⚫ Maximum 200 per switch

◼ Create the Access List name


-> ip access-list access-list-name

◼ Define access-list statements


-> ip access-list access-list-name address address/mask [action {permit | deny}] [redist-control {all-subnets | no-subnets | aggregate}]

-> ip access-list ipaddr2
-> ip access-list ipaddr2 address 16.24.2.1/16
-> ip access-list ipaddr2 address 16.24.2.1/16 action deny redist-control all-subnets
-> ip route-map test sequence-number 50 match ip-address ipaddr2
Route Map - Sequencing & Deny Statements
◼ Operation
-> ip route-map myroutemap sequence-number 1 action deny
-> ip route-map myroutemap sequence-number 1 match ip-address 10.0.0.0/8 redist-control all-subnets permit
-> ip route-map myroutemap sequence-number 2 action permit
-> ip route-map myroutemap sequence-number 2 match ip-address 0.0.0.0/0 redist-control all-subnets permit
-> ip redist static into rip route-map myroutemap

⚫ Route 10.10.0.0/16 will match sequence-number 1


 Since one of the actions is deny, the switch stops processing and does not redistribute the route

⚫ Route 11.11.0.0/16 will not match sequence-number 1
 Therefore, the processing goes to sequence-number 2 where there is a match and both actions are permit
 The switch stops processing and redistributes the route
Route Map - Sequencing & Deny Statements

-> ip route-map routemap1 sequence-number 50 action permit
-> ip route-map routemap1 match ip-address 10.0.0.0/8
-> ip route-map routemap1 match tag 4
-> ip route-map routemap1 match tag 5
-> ip route-map routemap1 match ip-address 10.0.0.0/8 redist-control all-subnets permit
-> ip route-map routemap1 sequence-number 50 set metric 1 effect add

Means match the subnet 10.0.0.0/8 and [tag 4 or tag 5]
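The route-map processing rules this module describes (ordered sequences, first match decides, any deny stops redistribution, same-type match statements ORed and different types ANDed, redist-control, set metric) as a small Python evaluator, covering both the STEP 1 / STEP 2 redistribution walkthrough and the sequencing examples above. This is an added teaching example, not AOS code; the reading of the three redist-control keywords and the implicit deny when no sequence matches are assumptions, and the 192.168.0.0/23 aggregate case is a constructed sample.

```python
"""Evaluator for the AOS route-map semantics described in this module: sequences
are tried in ascending order, the first sequence whose criteria match decides
(any deny stops redistribution), same-type match statements are ORed while
different types are ANDed, and 'set metric' is applied to permitted routes.
Teaching example, not AOS code."""
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class MatchIP:
    """One 'match ip-address' entry; an access-list is simply a list of these."""
    prefix: str
    control: str = "all-subnets"   # all-subnets | no-subnets | aggregate
    action: str = "permit"         # trailing permit | deny on the match statement


@dataclass
class Sequence:
    number: int
    action: str                                        # permit | deny
    ip_matches: list = field(default_factory=list)     # ORed among themselves
    tag_matches: list = field(default_factory=list)    # ORed among themselves
    set_metric: tuple = None                           # (metric, effect) or None


def prefix_matches(route_prefix, entry):
    """Assumed reading of redist-control: no-subnets = the exact prefix only;
    all-subnets and aggregate = any route that lies within the prefix."""
    route = ip_network(route_prefix, strict=False)
    net = ip_network(entry.prefix, strict=False)
    if entry.control == "no-subnets":
        return route == net
    return route.subnet_of(net)


def apply_metric(metric, set_metric):
    """'set metric <value> effect {add | subtract | replace | none}'."""
    if set_metric is None:
        return metric
    value, effect = set_metric
    return {"add": metric + value, "subtract": max(metric - value, 0),
            "replace": value, "none": metric}[effect]


def evaluate(route_map, route):
    """route = {'prefix': ..., 'tag': ..., 'metric': ...}.  Returns whether the
    route is redistributed, the deciding sequence and, when permitted, the
    prefix actually advertised and the resulting metric."""
    for seq in sorted(route_map, key=lambda s: s.number):
        hit = None
        if seq.ip_matches:
            hit = next((e for e in seq.ip_matches
                        if prefix_matches(route["prefix"], e)), None)
            if hit is None:
                continue                              # no match: try the next sequence
        if seq.tag_matches and route.get("tag") not in seq.tag_matches:
            continue
        # This sequence matched, so processing stops here either way.
        if seq.action == "deny" or (hit is not None and hit.action == "deny"):
            return {"redistribute": False, "sequence": seq.number}
        advertised = route["prefix"]
        if hit is not None and hit.control == "aggregate":
            advertised = hit.prefix                   # subnets leave as the aggregate
        return {"redistribute": True, "sequence": seq.number, "prefix": advertised,
                "metric": apply_metric(route["metric"], seq.set_metric)}
    # Nothing matched: assumed implicit deny, the usual route-map behaviour.
    return {"redistribute": False, "sequence": None}


# The page's 'myroutemap': seq 1 denies 10.0.0.0/8 all-subnets, seq 2 permits the rest.
MYROUTEMAP = [Sequence(1, "deny", [MatchIP("10.0.0.0/8")]),
              Sequence(2, "permit", [MatchIP("0.0.0.0/0")])]
# The page's 'routemap1': match 10.0.0.0/8 and [tag 4 or tag 5], set metric 1 effect add.
ROUTEMAP1 = [Sequence(50, "permit", [MatchIP("10.0.0.0/8")], [4, 5], (1, "add"))]
# Constructed: redistribute 192.168.0.0/24 and 192.168.1.0/24 as the /23 aggregate.
AGGREGATE_MAP = [Sequence(50, "permit", [MatchIP("192.168.0.0/23", "aggregate")])]

if __name__ == "__main__":
    for prefix in ("10.10.0.0/16", "11.11.0.0/16"):
        print(prefix, evaluate(MYROUTEMAP, {"prefix": prefix, "metric": 1}))
    print(evaluate(ROUTEMAP1, {"prefix": "10.1.0.0/16", "tag": 4, "metric": 2}))
    print(evaluate(AGGREGATE_MAP, {"prefix": "192.168.1.0/24", "metric": 1}))
```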
Route Map - Monitoring
◼ -> show ip redist
Source Destination
Protocol Protocol Status Route Map
------------+------------+---------+--------------------
LOCAL4 OSPF Enabled ospf_ext

◼ -> show ip access-list


Access Lists: configured: 1 max: 200
Address / Redistribution
Name Prefix Length Effect Control
--------------------+------------------+-------+------------
extip 172.0.0.0/8 permit aggregate

◼ -> show ip route-map

Route Maps: configured: 1 max: 200


Route Map: ospf_ext Sequence Number: 50 Action permit
match ip accesslist extip
Route Map Configuration - Editing & Deleting
◼ Deletes a specific route map set or match entry
-> no ip route-map rip_1 sequence-number 50 set metric 1 effect add

◼ Deletes all entries with sequence number 50 in the rip_1 route map
-> no ip route-map rip_1 sequence-number 50

◼ Deletes the route map rip_1


-> no ip route-map rip_1

Notes: The “no” version of the command that specifies a match or set parameter only deletes that parameter from the
route-map. If a sequence-number is included but no match or set parameters, then only that specific route-map is deleted.
If the command only has a route-map-name, then the entire route-map is deleted.
OmniSwitch AOS R8
OSPF

How to
✓ Implement an OSPF backbone area configuration, different types of areas,
authentication and virtual links on an OmniSwitch.

Contents
1 Topology ........................................................................................ 3
2 Configuration .................................................................................. 4
2.1. Client VLAN Configuration......................................................................... 4
2.2. Configure connections between 6860B and 6900 VC .............................................. 4
3 OSPF Backbone ................................................................................ 5
3.1. OSPF Backbone Logical Diagram .................................................................. 5
3.2. Configuration........................................................................................ 5
3.2.1. Loopback interface configuration ........................................................................ 6
3.3. Verification .......................................................................................... 8
4 OSPF Areas ................................................................................... 13
4.1. OSPF Areas Logical Diagram ..................................................................... 13
4.2. Configuration....................................................................................... 13
4.3. Verification ......................................................................................... 14
5 OSPF Redistribution ......................................................................... 16
6 Access to the DATA server ................................................................. 18

7 OSPF Authentication ........................................................................ 20


7.1. Simple Authentication ............................................................................ 20
7.2. MD5 Authentication ............................................................................... 21
8 Stub Area .................................................................................... 22
8.1. OSPF Areas Logical diagram ...................................................................... 22
8.2. Configuration....................................................................................... 22
8.3. Verification ......................................................................................... 24

1 Topology
Open Shortest Path First routing (OSPF) is a shortest path first (SPF), or link state, protocol. OSPF is an interior
gateway protocol (IGP) that distributes routing information between routers in a single Autonomous System
(AS). OSPF chooses the least-cost path as the best path. OSPF is suitable for complex networks with large
numbers of routers since it provides faster convergence where multiple flows to a single destination can be
forwarded on one or more interfaces simultaneously.

2 Configuration

2.1. Client VLAN Configuration


- On the 6900 Virtual Chassis, create client VLAN and assign an ip interface:

sw1 (6900-A) -> vlan 120


sw1 (6900-A) -> vlan 120 members port 2/1/1 untagged
sw1 (6900-A) -> ip interface int_120 address 192.168.120.1/24 vlan 120
sw1 (6900-A) -> interfaces 2/1/1 admin-state enable

- On the 6860s, create client VLAN and assign ip interfaces:

sw7 (6860-A) -> vlan 70


sw7 (6860-A) -> vlan 70 members port 1/1/1 untagged
sw7 (6860-A) -> ip interface int_70 address 192.168.70.7/24 vlan 70
sw7 (6860-A) -> interfaces 1/1/1 admin-state enable

sw8 (6860-B) ->vlan 80


sw8 (6860-B) ->vlan 80 members port 1/1/1 untagged
sw8 (6860-B) ->ip interface int_80 address 192.168.80.8/24 vlan 80
sw8 (6860-B) ->interfaces 1/1/1 admin-state enable

2.2. Configure connections between 6860B and 6900 VC

- Configure a backbone VLAN

sw1 (6900-A) -> vlan 218


sw8 (6860-B) -> vlan 218

- Create Link Aggregation

sw1 (6900-A) -> linkagg lacp agg 18 size 2 actor admin-key 18


sw1 (6900-A) -> linkagg lacp port 2/1/5 actor admin-key 18
sw1 (6900-A) -> linkagg lacp port 1/1/6 actor admin-key 18

sw8 (6860-B) -> linkagg lacp agg 18 size 2 actor admin-key 18


sw8 (6860-B) -> linkagg lacp port 1/1/5 actor admin-key 18
sw8 (6860-B) -> linkagg lacp port 1/1/6 actor admin-key 18

- Assign Linkagg to VLAN 218 and VLAN 278

sw1 (6900-A) -> vlan 218 members linkagg 18 untagged

sw8 (6860-B) -> vlan 218 members linkagg 18 untagged

- Configure IP interface to VLAN 218

sw1 (6900-A) -> ip interface int_218 address 172.16.18.1/24 vlan 218

sw8 (6860-B) -> ip interface int_218 address 172.16.18.8/24 vlan 218



- Enable interfaces

sw1 (6900-A) -> interfaces 1/1/6 admin-state enable


sw1 (6900-A) -> interfaces 2/1/5 admin-state enable

sw8 (6860-B) -> interfaces 1/1/5-6 admin-state enable

- Check that you can ping between the 6860s and the 6900:

sw1 (6900-A) -> ping 172.16.18.8
sw1 (6900-A) -> ping 172.16.17.7
sw7 (6860-A) -> ping 172.16.78.8

3 OSPF Backbone
All OSPF networks must have an OSPF backbone area configured.

3.1. OSPF Backbone Logical Diagram

3.2. Configuration
- Enable the OSPF protocol on the 3 switches so that they advertise all their local routes. To obtain full
connectivity between all switches, OSPF will dynamically advertise all the routes.

- The first step is to load the OSPF protocol and to enable OSPF on the newly created IP interfaces. As all
OSPF networks must have a backbone area, it will be created with 0.0.0.0 as the area identifier.

- Then, the relevant OSPF interfaces will be attached to the backbone.



3.2.1. Loopback interface configuration

- Loopback0 is always advertised, even if there are no users on the switch; no route redistribution is necessary.

sw1 (6900-A) -> ip interface Loopback0 address 192.168.254.1

sw7 (6860-A) -> ip interface Loopback0 address 192.168.254.7

sw8 (6860-B) -> ip interface Loopback0 address 192.168.254.8

- Type the following on the 3 switches:

-> ip load ospf

- Let’s define the router-id and the backbone area on all switches:

sw1 (6900-A) -> ip router router-id 192.168.254.1
sw1 (6900-A) -> ip ospf area 0.0.0.0

sw7 (6860-A) -> ip router router-id 192.168.254.7
sw7 (6860-A) -> ip ospf area 0.0.0.0

sw8 (6860-B) -> ip router router-id 192.168.254.8
sw8 (6860-B) -> ip ospf area 0.0.0.0

- Verify the configuration with the following commands:

sw1 (6900-A) -> show ip ospf

Router Id = 192.168.254.1,
OSPF Version Number = 2,
Admin Status = Disabled,
Area Border Router ? = No,
AS Border Router Status = Disabled,
Route Tag = 0,
SPF Hold Time (in seconds) = 10,
SPF Delay Time (in seconds) = 5,
MTU Checking = Disabled,
# of Routes = 0,
# of AS-External LSAs = 0,
# of self-originated LSAs = 0,
# of LSAs received = 0,
External LSDB Limit = -1,
Exit Overflow Interval = 0,
# of SPF calculations done = 0,
# of Incr SPF calculations done = 0,
# of Init State Nbrs = 0,
# of 2-Way State Nbrs = 0,
# of Exchange State Nbrs = 0,
# of Full State Nbrs = 0,
# of attached areas = 1,
# of Active areas = 0,
# of Transit areas = 0,
# of attached NSSAs = 0,
Default Route Origination = none,
Default Route Metric-Type/Metric = type2 / 1,
BFD Status = Disabled
Opaque Transit Capability = Enabled

sw1 (6900-A) -> show ip ospf area 0.0.0.0

Area Identifier = 0.0.0.0,
Admin Status = Enabled,
Operational Status = Down,
Area Type = normal,
Area Summary = Enabled,
Time since last SPF Run = 00h:02m:59s,
# of Area Border Routers known = 0,
# of AS Border Routers known = 0,
# of Active Virtual Links = 0,
# of LSAs in area = 0,
# of SPF Calculations done = 0,
# of Incremental SPF Calculations done = 0,
# of Neighbors in Init State = 0,
# of Neighbors in 2-Way State = 0,
# of Neighbors in Exchange State = 0,
# of Neighbors in Full State = 0,
# of Interfaces attached = 0

Attached Interfaces =

- Verify that no interfaces are associated with the backbone area yet:

sw1 (6900-A) -> show ip ospf interface

Interface             DR               Backup DR        Admin    Oper   BFD
Name                  Address          Address          Status   Status State   Status
---------------------+----------------+----------------+--------+------+-------+-----------

- Repeat these 3 commands on the 6860s to check your configuration.

- Let’s assign the interfaces to their OSPF area. This is done in two steps: first the interfaces are
enabled in OSPF, then they are assigned to their corresponding area:

sw1 (6900-A) -> ip ospf interface int_217
sw1 (6900-A) -> ip ospf interface int_218
sw1 (6900-A) -> ip ospf interface int_217 area 0.0.0.0
sw1 (6900-A) -> ip ospf interface int_218 area 0.0.0.0
sw1 (6900-A) -> ip ospf interface int_217 admin-state enable
sw1 (6900-A) -> ip ospf interface int_218 admin-state enable
sw1 (6900-A) -> ip ospf admin-state enable

sw7 (6860-A) -> ip ospf interface int_217
sw7 (6860-A) -> ip ospf interface int_278
sw7 (6860-A) -> ip ospf interface int_217 area 0.0.0.0
sw7 (6860-A) -> ip ospf interface int_278 area 0.0.0.0
sw7 (6860-A) -> ip ospf interface int_217 admin-state enable
sw7 (6860-A) -> ip ospf interface int_278 admin-state enable
sw7 (6860-A) -> ip ospf admin-state enable

sw8 (6860-B) -> ip ospf interface int_218
sw8 (6860-B) -> ip ospf interface int_278
sw8 (6860-B) -> ip ospf interface int_218 area 0.0.0.0
sw8 (6860-B) -> ip ospf interface int_278 area 0.0.0.0
sw8 (6860-B) -> ip ospf interface int_218 admin-state enable
sw8 (6860-B) -> ip ospf interface int_278 admin-state enable
sw8 (6860-B) -> ip ospf admin-state enable

3.3. Verification

- Now that the backbone area has been created on all switches, let’s verify some basic OSPF parameters
on the 3 switches:

sw1 (6900-A) -> show ip ospf

Router Id = 192.168.254.1,
OSPF Version Number = 2,
Admin Status = Enabled,
Area Border Router ? = No,
AS Border Router Status = Disabled,
Route Tag = 0,
SPF Hold Time (in seconds) = 10,
SPF Delay Time (in seconds) = 5,
MTU Checking = Disabled,
# of Routes = 9,
# of AS-External LSAs = 0,
# of self-originated LSAs = 3,
# of LSAs received = 5,
External LSDB Limit = -1,
Exit Overflow Interval = 0,
# of SPF calculations done = 17,
# of Incr SPF calculations done = 0,
# of Init State Nbrs = 0,
# of 2-Way State Nbrs = 0,
# of Exchange State Nbrs = 0,
# of Full State Nbrs = 2,
# of attached areas = 1,
# of Active areas = 1,
# of Transit areas = 0,
# of attached NSSAs = 0,
Default Route Origination = none,
Default Route Metric-Type/Metric = type2 / 1,
BFD Status = Disabled
Redistribute internal BGP routes = Disabled

sw7 (6860-A) -> show ip ospf

Router Id = 192.168.254.7,
OSPF Version Number = 2,
Admin Status = Enabled,
Area Border Router ? = Yes,
AS Border Router Status = Disabled,
Route Tag = 0,
SPF Hold Time (in seconds) = 10,
SPF Delay Time (in seconds) = 5,
MTU Checking = Disabled,
# of Routes = 9,
# of AS-External LSAs = 0,
# of self-originated LSAs = 10,
# of LSAs received = 5,
External LSDB Limit = -1,
Exit Overflow Interval = 0,
# of SPF calculations done = 17,
# of Incr SPF calculations done = 0,
# of Init State Nbrs = 0,
# of 2-Way State Nbrs = 0,
# of Exchange State Nbrs = 0,
# of Full State Nbrs = 2,
# of attached areas = 2,
# of Active areas = 2,
# of Transit areas = 0,
# of attached NSSAs = 0,
Default Route Origination = none,
Default Route Metric-Type/Metric = type2 / 1,
BFD Status = Disabled
Redistribute internal BGP routes = Disabled

sw8 (6860-B) -> show ip ospf

Router Id = 192.168.254.8,
OSPF Version Number = 2,
Admin Status = Enabled,
Area Border Router ? = Yes,
AS Border Router Status = Disabled,
Route Tag = 0,
SPF Hold Time (in seconds) = 10,
SPF Delay Time (in seconds) = 5,
MTU Checking = Disabled,
# of Routes = 9,
# of AS-External LSAs = 0,
# of self-originated LSAs = 9,
# of LSAs received = 6,
External LSDB Limit = -1,
Exit Overflow Interval = 0,
# of SPF calculations done = 14,
# of Incr SPF calculations done = 0,
# of Init State Nbrs = 0,
# of 2-Way State Nbrs = 0,
# of Exchange State Nbrs = 0,
# of Full State Nbrs = 2,
# of attached areas = 2,
# of Active areas = 2,
# of Transit areas = 0,
# of attached NSSAs = 0,
Default Route Origination = none,
Default Route Metric-Type/Metric = type2 / 1,
BFD Status = Disabled
Redistribute internal BGP routes = Disabled

- Each switch has 2 neighbors in Full state, meaning that the link-state databases have been fully
exchanged and synchronized between them.

sw1 (6900-A) -> show ip ospf area 0.0.0.0

Area Identifier = 0.0.0.0,
Admin Status = Enabled,
Operational Status = Up,
Area Type = normal,
Area Summary = Enabled,
Time since last SPF Run = 00h:00m:36s,
# of Area Border Routers known = 2,
# of AS Border Routers known = 0,
# of Active Virtual Links = 0,
# of LSAs in area = 8,
# of SPF Calculations done = 15,
# of Incremental SPF Calculations done = 0,
# of Neighbors in Init State = 0,
# of Neighbors in 2-Way State = 0,
# of Neighbors in Exchange State = 0,
# of Neighbors in Full State = 2,
# of Interfaces attached = 2,
Attached Interfaces = int_217, int_218

sw7 (6860-A) -> show ip ospf area 0.0.0.0

Area Identifier = 0.0.0.0,
Admin Status = Enabled,
Operational Status = Up,
Area Type = normal,
Area Summary = Enabled,
Time since last SPF Run = 01h:33m:24s,
# of Area Border Routers known = 2,
# of AS Border Routers known = 0,
# of Active Virtual Links = 0,
# of LSAs in area = 8,
# of SPF Calculations done = 15,

# of Incremental SPF Calculations done = 0,
# of Neighbors in Init State = 0,
# of Neighbors in 2-Way State = 0,
# of Neighbors in Exchange State = 0,
# of Neighbors in Full State = 2,
# of Interfaces attached = 2,
Attached Interfaces = int_217, int_278

sw8 (6860-B) -> show ip ospf area 0.0.0.0

Area Identifier = 0.0.0.0,
Admin Status = Enabled,
Operational Status = Up,
Area Type = normal,
Area Summary = Enabled,
Time since last SPF Run = 02d:16h:29m,
# of Area Border Routers known = 0,
# of AS Border Routers known = 0,
# of Active Virtual Links = 0,
# of LSAs in area = 6,
# of SPF Calculations done = 3,
# of Incremental SPF Calculations done = 0,
# of Neighbors in Init State = 0,
# of Neighbors in 2-Way State = 0,
# of Neighbors in Exchange State = 0,
# of Neighbors in Full State = 2,
# of Interfaces attached = 2,
Attached Interfaces = int_218, int_278

- Now, let’s verify the routes seen by each switch.

Notes
The first command shows the routes learned by the switch through any static or dynamic routing protocol; this is
the global routing table. In this example, only LOCAL and OSPF routes are present.
The second command only shows the OSPF routes learned by the switch.

sw1 (6900-A) -> show ip routes

+ = Equal cost multipath routes
Total 9 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 3d 2h LOCAL
172.16.17.0/24 172.16.17.1 2d23h LOCAL
172.16.18.0/24 172.16.18.1 2d20h LOCAL
172.16.78.0/24 +172.16.17.7 2d19h OSPF
+172.16.18.8 2d19h OSPF
192.168.120.0/24 192.168.120.1 2d20h LOCAL
192.168.254.1/32 192.168.254.1 2d20h LOCAL
192.168.254.7/32 172.16.17.7 2d19h OSPF
192.168.254.8/32 172.16.18.8 2d19h OSPF

sw1 (6900-A) -> show ip ospf routes

                                                Domain   Domain
Destination/Mask      Gateway           Metric   Name     ID       Type
---------------------+-----------------+--------+--------+--------+----------
172.16.17.0/24 172.16.17.1 1 Vlan 217 Intra
172.16.18.0/24 172.16.18.1 1 Vlan 218 Intra
172.16.78.0/24 172.16.18.8 2 Vlan 218 Intra
172.16.78.0/24 172.16.17.7 2 Vlan 217 Intra
192.168.254.1/32 0.0.0.0 0 N/A Intra
192.168.254.7/32 172.16.17.7 1 Vlan 217 Intra
192.168.254.8/32 172.16.18.8 1 Vlan 218 Intra

sw7 (6860-A) -> show ip routes

+ = Equal cost multipath routes
Total 10 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 3d21h LOCAL
172.16.17.0/24 172.16.17.7 2d23h LOCAL
172.16.18.0/24 +172.16.17.1 2d19h OSPF
+172.16.78.8 2d19h OSPF
172.16.78.0/24 172.16.78.7 2d19h LOCAL
192.168.20.0/24 192.168.20.7 2d22h LOCAL
192.168.70.0/24 192.168.70.7 2d19h LOCAL
192.168.254.1/32 172.16.17.1 2d19h OSPF
192.168.254.7/32 192.168.254.7 2d20h LOCAL
192.168.254.8/32 172.16.78.8 2d19h OSPF

sw7 (6860-A) -> show ip ospf routes

                                                Domain   Domain
Destination/Mask      Gateway           Metric   Name     ID       Type
---------------------+-----------------+--------+--------+--------+----------
172.16.17.0/24 172.16.17.7 1 Vlan 217 Intra
172.16.18.0/24 172.16.78.8 2 Vlan 278 Intra
172.16.18.0/24 172.16.17.1 2 Vlan 217 Intra
172.16.78.0/24 172.16.78.7 1 Vlan 278 Intra
192.168.254.1/32 172.16.17.1 1 Vlan 217 Intra
192.168.254.7/32 0.0.0.0 0 N/A Intra
192.168.254.8/32 172.16.78.8 1 Vlan 278 Intra

sw8 (6860-B) -> show ip routes

+ = Equal cost multipath routes
Total 13 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
10.0.0.0/24 10.4.105.254 3d21h STATIC
10.4.5.0/24 10.4.105.254 3d21h STATIC
10.4.105.0/24 10.4.105.8 3d21h LOCAL
127.0.0.1/32 127.0.0.1 3d21h LOCAL
172.16.17.0/24 +172.16.18.1 2d19h OSPF
+172.16.78.7 2d19h OSPF
172.16.18.0/24 172.16.18.8 2d20h LOCAL
172.16.78.0/24 172.16.78.8 2d23h LOCAL
192.168.30.0/24 192.168.30.8 2d21h LOCAL
192.168.80.0/24 192.168.80.8 2d20h LOCAL
192.168.254.1/32 172.16.18.1 2d19h OSPF
192.168.254.7/32 172.16.78.7 2d19h OSPF
192.168.254.8/32 192.168.254.8 2d20h LOCAL

sw8 (6860-B) -> show ip ospf routes

                                                Domain   Domain
Destination/Mask      Gateway           Metric   Name     ID       Type
---------------------+-----------------+--------+--------+--------+----------
172.16.17.0/24 172.16.78.7 2 Vlan 278 Intra
172.16.17.0/24 172.16.18.1 2 Vlan 218 Intra
172.16.18.0/24 172.16.18.8 1 Vlan 218 Intra
172.16.78.0/24 172.16.78.8 1 Vlan 278 Intra
192.168.254.1/32 172.16.18.1 1 Vlan 218 Intra
192.168.254.7/32 172.16.78.7 1 Vlan 278 Intra
192.168.254.8/32 0.0.0.0 0 N/A Intra

- Verify that all switches’ Loopback0 IP addresses are in the routing table. One is LOCAL to the switch
whereas the other two are learned through OSPF.

- Also verify that all the other IP interfaces that were configured are present in the routing table.

- Type the following command to verify the Link State Database (LSDB):

sw1 (6900-A) -> show ip ospf lsdb

 Area Id          Type    LS Id            Orig Router-Id   SeqNo        Age
----------------+-------+----------------+----------------+------------+-----
0.0.0.0 rtr 192.168.254.1 192.168.254.1 0x8000009b 690
0.0.0.0 rtr 192.168.254.7 192.168.254.7 0x80000099 165
0.0.0.0 rtr 192.168.254.8 192.168.254.8 0x80000095 178
0.0.0.0 net 172.16.17.1 192.168.254.1 0x80000093 330
0.0.0.0 net 172.16.18.1 192.168.254.1 0x80000093 330
0.0.0.0 net 172.16.78.7 192.168.254.7 0x80000093 165

- At this point, the LSDB should include 6 Link State Advertisements (LSAs):
- There are 3 routers in the network setup. Each router originates one router LSA (rtr).
- There are 3 network segments in the setup (VLANs 217, 218, 278).
- A Designated Router is elected on each network segment. This DR originates one network LSA (net).
- Remember that the switch with the highest priority or, in case of a tie, the highest router ID will be
chosen as Designated Router, and the second highest will be the Backup DR. Let’s check the DR and
BDR status on your switch:
sw1 (6900-A) -> show ip ospf interface

Interface             Domain   Domain   DR               Backup DR        Admin    Oper   BFD
Name                  Name     ID       Address          Address          Status   Status State   Status
---------------------+--------+--------+----------------+----------------+--------+------+-------+--------
int_217               Vlan     217      172.16.17.1      172.16.17.7      enabled  up     DR      disabled
int_218               Vlan     218      172.16.18.1      172.16.18.8      enabled  up     DR      disabled

sw7 (6860-A) -> show ip ospf interface

Interface             Domain   Domain   DR               Backup DR        Admin    Oper   BFD
Name                  Name     ID       Address          Address          Status   Status State   Status
---------------------+--------+--------+----------------+----------------+--------+------+-------+--------
int_217               Vlan     217      172.16.17.1      172.16.17.7      enabled  up     BDR     disabled
int_278               Vlan     278      172.16.78.7      172.16.78.8      enabled  up     DR      disabled

sw8 (6860-B) -> show ip ospf interface

Interface             Domain   Domain   DR               Backup DR        Admin    Oper   BFD
Name                  Name     ID       Address          Address          Status   Status State   Status
---------------------+--------+--------+----------------+----------------+--------+------+-------+--------
int_218               Vlan     218      172.16.18.1      172.16.18.8      enabled  up     BDR     disabled
int_278               Vlan     278      172.16.78.7      172.16.78.8      enabled  up     BDR     disabled
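The LSA count and the DR/BDR rule above, worked through in Python as an added example (not part of the lab guide): the RFC 2328 section 9.4 election is simulated on the three lab segments and reproduces the DR/BDR columns shown above only when the routers start in the order of the lab commands (sw1, then sw7, then sw8), because an elected DR is not pre-empted by a later router with a higher Router ID; the lab's `show ip ospf lsdb` rows are then checked against the elected DRs. The enable order is an assumption.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Added example (not from the lab guide): RFC 2328 section 9.4 DR/BDR election simulated on the
# three lab segments, then the lab's "show ip ospf lsdb" rows checked against the elected DRs.
# Names, Router IDs and addresses are the lab's; the enable order sw1 -> sw7 -> sw8 is assumed.


@dataclass
class Router:
    name: str
    rid: str                    # Router ID (Loopback0 address in the lab)
    addr: str                   # interface address on this segment
    priority: int = 1           # default OSPF interface priority
    declared_dr: str = ""       # DR Router ID this router announces in its Hellos ("" = none yet)
    declared_bdr: str = ""      # BDR Router ID it announces


def _rank(r: Router):
    """Tie-break order: higher priority first, then higher Router ID."""
    return (r.priority, int(IPv4Address(r.rid)))


def _one_pass(routers):
    """Steps 2 and 3 of RFC 2328 9.4, computed from what the routers currently claim."""
    eligible = [r for r in routers if r.priority > 0]
    not_dr = [r for r in eligible if r.declared_dr != r.rid]
    bdr_claims = [r for r in not_dr if r.declared_bdr == r.rid]
    bdr = max(bdr_claims or not_dr, key=_rank, default=None)
    dr_claims = [r for r in eligible if r.declared_dr == r.rid]
    dr = max(dr_claims, key=_rank) if dr_claims else bdr   # nobody claims DR: promote the BDR
    return (dr.rid if dr else None, bdr.rid if bdr else None)


def converge(routers):
    """Repeat the pass (step 4) until all Hellos agree; returns (dr_rid, bdr_rid)."""
    result = None
    for _ in range(5):
        new = _one_pass(routers)
        for r in routers:                      # every router now announces this result
            r.declared_dr, r.declared_bdr = new
        if new == result:
            break
        result = new
    return result


# VLAN -> (name, Router ID, interface address), in the order the lab enables OSPF on them
LAB_SEGMENTS = {
    217: [("sw1", "192.168.254.1", "172.16.17.1"), ("sw7", "192.168.254.7", "172.16.17.7")],
    218: [("sw1", "192.168.254.1", "172.16.18.1"), ("sw8", "192.168.254.8", "172.16.18.8")],
    278: [("sw7", "192.168.254.7", "172.16.78.7"), ("sw8", "192.168.254.8", "172.16.78.8")],
}

# Rows of the lab's "show ip ospf lsdb": Area Id, Type, LS Id, Orig Router-Id, SeqNo, Age
LSDB_OUTPUT = """\
0.0.0.0 rtr 192.168.254.1 192.168.254.1 0x8000009b 690
0.0.0.0 rtr 192.168.254.7 192.168.254.7 0x80000099 165
0.0.0.0 rtr 192.168.254.8 192.168.254.8 0x80000095 178
0.0.0.0 net 172.16.17.1 192.168.254.1 0x80000093 330
0.0.0.0 net 172.16.18.1 192.168.254.1 0x80000093 330
0.0.0.0 net 172.16.78.7 192.168.254.7 0x80000093 165
"""


def lab_dr_bdr(simultaneous=False):
    """(DR name, BDR name) per lab VLAN. Sequential start: routers join one at a time and an
    elected DR is never pre-empted. Simultaneous start: pure priority / Router ID order."""
    out = {}
    for vlan, members in LAB_SEGMENTS.items():
        routers = [Router(n, rid, a) for n, rid, a in members]
        if simultaneous:
            rids = converge(routers)
        else:
            for i in range(len(routers)):
                rids = converge(routers[: i + 1])
        by_rid = {r.rid: r.name for r in routers}
        out[vlan] = tuple(by_rid.get(x) for x in rids)
    return out


def check_lsdb(lsdb_text, dr_by_vlan):
    """Expect one rtr LSA per router and one net LSA per segment whose LS Id is the DR's interface
    address and whose originator is the DR's Router ID. Returns the list of mismatches."""
    rows = [line.split() for line in lsdb_text.splitlines() if line.strip()]
    rtr = {r[2] for r in rows if r[1] == "rtr"}
    net = {r[2]: r[3] for r in rows if r[1] == "net"}   # LS Id -> originating Router ID
    routers = {rid for m in LAB_SEGMENTS.values() for _, rid, _ in m}
    problems = []
    if rtr != routers:
        problems.append(f"rtr LSAs {sorted(rtr)} do not match routers {sorted(routers)}")
    if len(net) != len(LAB_SEGMENTS):
        problems.append(f"{len(net)} net LSAs for {len(LAB_SEGMENTS)} segments")
    for vlan, members in LAB_SEGMENTS.items():
        _, dr_rid, dr_addr = next(m for m in members if m[0] == dr_by_vlan[vlan][0])
        if net.get(dr_addr) != dr_rid:
            problems.append(f"VLAN {vlan}: no net LSA {dr_addr} originated by {dr_rid}")
    return problems
```

With `simultaneous=True` the same code returns the pure highest-Router-ID outcome described by the rule in the text (sw7 as DR on VLAN 217), which the lab output does not show because sw1 was already DR when sw7 came up.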

- Type the following to save your running configuration, as the next labs build on this configuration:

-> write memory flash-synchro

- You can also save your running configuration in a file on the flash; it will be used for the OSPF virtual
link lab. Type the following on all switches:

-> configuration snapshot all save-ospf-backbone



4 OSPF Areas

4.1. OSPF Areas Logical Diagram


- Let’s add VLANs 20 and 30 to our OSPF network in Area 1.1.1.1.

4.2. Configuration
On the 6860s, create and configure Area 1.1.1.1:

sw7 (6860-A) -> ip ospf area 1.1.1.1
sw7 (6860-A) -> ip ospf interface int_20
sw7 (6860-A) -> ip ospf interface int_20 area 1.1.1.1
sw7 (6860-A) -> ip ospf interface int_20 admin-state enable

sw8 (6860-B) -> ip ospf area 1.1.1.1
sw8 (6860-B) -> ip ospf interface int_30
sw8 (6860-B) -> ip ospf interface int_30 area 1.1.1.1
sw8 (6860-B) -> ip ospf interface int_30 admin-state enable

4.3. Verification
- Verify the correct operation of the OSPF setup with the following commands:

sw1 (6900-A) -> show ip ospf area

Area Id          AdminStatus   Type          OperStatus
---------------+-------------+-------------+------------
0.0.0.0          enabled       normal        up

sw7 (6860-A) -> show ip ospf area

Area Id          AdminStatus   Type          OperStatus
---------------+-------------+-------------+------------
0.0.0.0          enabled       normal        up
1.1.1.1          enabled       normal        up

sw8 (6860-B) -> show ip ospf area

Area Id          AdminStatus   Type          OperStatus
---------------+-------------+-------------+------------
0.0.0.0          enabled       normal        up
1.1.1.1          enabled       normal        up

- Verify that the new routes have been learned by OSPF and are seen by all switches:

sw1 (6900-A) -> show ip routes

+ = Equal cost multipath routes
Total 11 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 3d 0h LOCAL
172.16.17.0/24 172.16.17.1 2d21h LOCAL
172.16.18.0/24 172.16.18.1 2d18h LOCAL
172.16.78.0/24 +172.16.17.7 2d17h OSPF
+172.16.18.8 2d17h OSPF
192.168.20.0/24 172.16.17.7 00:01:30 OSPF
192.168.30.0/24 172.16.18.8 00:00:43 OSPF
192.168.120.0/24 192.168.120.1 2d18h LOCAL
192.168.254.1/32 192.168.254.1 2d18h LOCAL
192.168.254.7/32 172.16.17.7 2d18h OSPF
192.168.254.8/32 172.16.18.8 2d17h OSPF

sw7 (6860-A) -> show ip routes

+ = Equal cost multipath routes
Total 11 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 3d19h LOCAL
172.16.17.0/24 172.16.17.7 2d21h LOCAL
172.16.18.0/24 +172.16.17.1 2d18h OSPF
+172.16.78.8 2d17h OSPF
172.16.78.0/24 172.16.78.7 2d18h LOCAL
192.168.20.0/24 192.168.20.7 2d20h LOCAL
192.168.30.0/24 172.16.78.8 00:02:04 OSPF
192.168.70.0/24 192.168.70.7 2d18h LOCAL
192.168.254.1/32 172.16.17.1 2d18h OSPF
192.168.254.7/32 192.168.254.7 2d18h LOCAL
192.168.254.8/32 172.16.78.8 2d17h OSPF

sw8 (6860-B) -> show ip routes

+ = Equal cost multipath routes
Total 14 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
10.0.0.0/24 10.4.105.254 3d19h STATIC
10.4.5.0/24 10.4.105.254 3d19h STATIC
10.4.105.0/24 10.4.105.8 3d19h LOCAL
127.0.0.1/32 127.0.0.1 3d19h LOCAL
172.16.17.0/24 +172.16.18.1 2d17h OSPF
+172.16.78.7 2d17h OSPF
172.16.18.0/24 172.16.18.8 2d18h LOCAL
172.16.78.0/24 172.16.78.8 2d21h LOCAL
192.168.20.0/24 172.16.78.7 00:02:27 OSPF
192.168.30.0/24 192.168.30.8 2d19h LOCAL
192.168.80.0/24 192.168.80.8 2d18h LOCAL
192.168.254.1/32 172.16.18.1 2d17h OSPF
192.168.254.7/32 172.16.78.7 2d17h OSPF
192.168.254.8/32 192.168.254.8 2d18h LOCAL

- Verify that new summary LSAs (sumnet) have been added to the LSDB. These LSAs carry the networks that
belong to a different area:

sw1 (6900-A) -> show ip ospf lsdb

 Area Id          Type    LS Id            Orig Router-Id   SeqNo        Age
----------------+-------+----------------+----------------+------------+-----
0.0.0.0 rtr 192.168.254.1 192.168.254.1 0x8000009c 1364
0.0.0.0 rtr 192.168.254.7 192.168.254.7 0x8000009b 246
0.0.0.0 rtr 192.168.254.8 192.168.254.8 0x80000097 199
0.0.0.0 net 172.16.17.1 192.168.254.1 0x80000094 1004
0.0.0.0 net 172.16.18.1 192.168.254.1 0x80000094 1004
0.0.0.0 net 172.16.78.7 192.168.254.7 0x80000094 839
0.0.0.0 sumnet 192.168.20.0 192.168.254.7 0x80000003 195
0.0.0.0 sumnet 192.168.30.0 192.168.254.8 0x80000002 154

sw7 (6860-A) -> show ip ospf lsdb

 Area Id          Type    LS Id            Orig Router-Id   SeqNo        Age
----------------+-------+----------------+----------------+------------+-----
0.0.0.0 rtr 192.168.254.1 192.168.254.1 0x800000a2 410
0.0.0.0 rtr 192.168.254.7 192.168.254.7 0x800000a1 250
0.0.0.0 rtr 192.168.254.8 192.168.254.8 0x8000009d 220
0.0.0.0 net 172.16.17.1 192.168.254.1 0x80000099 410
0.0.0.0 net 172.16.18.1 192.168.254.1 0x80000099 410
0.0.0.0 net 172.16.78.7 192.168.254.7 0x80000099 244
0.0.0.0 sumnet 192.168.20.0 192.168.254.7 0x80000003 201
0.0.0.0 sumnet 192.168.30.0 192.168.254.8 0x80000002 175
1.1.1.1 rtr 192.168.254.7 192.168.254.7 0x80000009 211
1.1.1.1 sumnet 172.16.17.0 192.168.254.7 0x80000006 245
1.1.1.1 sumnet 172.16.18.0 192.168.254.7 0x80000006 245
1.1.1.1 sumnet 172.16.78.0 192.168.254.7 0x80000006 245
1.1.1.1 sumnet 192.168.30.0 192.168.254.7 0x8000000d 191
1.1.1.1 sumnet 192.168.254.1 192.168.254.7 0x8000000a 214
1.1.1.1 sumnet 192.168.254.8 192.168.254.7 0x8000000a 214

sw8 (6860-B) -> show ip ospf lsdb

 Area Id          Type    LS Id            Orig Router-Id   SeqNo        Age
----------------+-------+----------------+----------------+------------+-----
0.0.0.0 rtr 192.168.254.1 192.168.254.1 0x800000a2 455
0.0.0.0 rtr 192.168.254.7 192.168.254.7 0x800000a1 297
0.0.0.0 rtr 192.168.254.8 192.168.254.8 0x8000009d 264
0.0.0.0 net 172.16.17.1 192.168.254.1 0x80000099 455
0.0.0.0 net 172.16.18.1 192.168.254.1 0x80000099 455
0.0.0.0 net 172.16.78.7 192.168.254.7 0x80000099 290
0.0.0.0 sumnet 192.168.20.0 192.168.254.7 0x80000003 247
0.0.0.0 sumnet 192.168.30.0 192.168.254.8 0x80000002 220
1.1.1.1 rtr 192.168.254.8 192.168.254.8 0x80000009 225
1.1.1.1 sumnet 172.16.17.0 192.168.254.8 0x80000006 259
1.1.1.1 sumnet 172.16.18.0 192.168.254.8 0x80000006 259
1.1.1.1 sumnet 172.16.78.0 192.168.254.8 0x80000006 259
1.1.1.1 sumnet 192.168.20.0 192.168.254.8 0x80000003 215
1.1.1.1 sumnet 192.168.254.1 192.168.254.8 0x80000009 259
1.1.1.1 sumnet 192.168.254.7 192.168.254.8 0x80000009 259

5 OSPF Redistribution
- The two previous parts of the lab demonstrated how interfaces running OSPF participate in
distributing routing information within the Autonomous System.
- In this lab we will configure additional interfaces; however, they will not run the OSPF protocol. In
order for them to be reachable, redistribution will need to be configured
(int_120 on the 6900 VC, int_70 on 6860-A and int_80 on 6860-B are seen as local routes).

- To advertise the 6900 VC’s local route, enter:

sw1 (6900-A) -> ip route-map localIntoOspf sequence-number 10 action permit
sw1 (6900-A) -> ip route-map localIntoOspf sequence-number 10 match ip-address 192.168.120.0/24 permit
sw1 (6900-A) -> ip redist local into ospf route-map localIntoOspf admin-state enable

- Check on the 6860s that this new route has been learned:

sw7 (6860-A) -> show ip routes

+ = Equal cost multipath routes
Total 12 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 3d21h LOCAL
172.16.17.0/24 172.16.17.7 2d23h LOCAL
172.16.18.0/24 +172.16.17.1 2d20h OSPF
+172.16.78.8 2d20h OSPF
172.16.78.0/24 172.16.78.7 2d20h LOCAL
192.168.20.0/24 192.168.20.7 2d22h LOCAL
192.168.30.0/24 172.16.78.8 00:10:49 OSPF
192.168.70.0/24 192.168.70.7 2d20h LOCAL
192.168.120.0/24 172.16.17.1 00:00:16 OSPF
192.168.254.1/32 172.16.17.1 2d20h OSPF
192.168.254.7/32 192.168.254.7 2d20h LOCAL
192.168.254.8/32 172.16.78.8 2d20h OSPF

sw8 (6860-B) -> show ip routes

+ = Equal cost multipath routes
Total 15 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
10.0.0.0/24 10.4.105.254 3d21h STATIC
10.4.5.0/24 10.4.105.254 3d21h STATIC
10.4.105.0/24 10.4.105.8 3d21h LOCAL
127.0.0.1/32 127.0.0.1 3d21h LOCAL
172.16.17.0/24 +172.16.18.1 2d20h OSPF
+172.16.78.7 2d20h OSPF
172.16.18.0/24 172.16.18.8 2d20h LOCAL
172.16.78.0/24 172.16.78.8 2d23h LOCAL
192.168.20.0/24 172.16.78.7 00:12:36 OSPF
192.168.30.0/24 192.168.30.8 2d22h LOCAL
192.168.80.0/24 192.168.80.8 2d21h LOCAL
192.168.120.0/24 172.16.18.1 00:01:31 OSPF
192.168.254.1/32 172.16.18.1 2d20h OSPF
192.168.254.7/32 172.16.78.7 2d20h OSPF
192.168.254.8/32 192.168.254.8 2d20h LOCAL

- VLAN 70 is not known by any switch other than 6860-A.
- VLAN 80 is not known by any switch other than 6860-B.

sw1 (6900-A) -> show ip routes

+ = Equal cost multipath routes
Total 11 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 3d 3h LOCAL
172.16.17.0/24 172.16.17.1 2d23h LOCAL
172.16.18.0/24 172.16.18.1 2d20h LOCAL
172.16.78.0/24 +172.16.17.7 2d20h OSPF
+172.16.18.8 2d20h OSPF
192.168.20.0/24 172.16.17.7 00:14:11 OSPF
192.168.30.0/24 172.16.18.8 00:13:40 OSPF
192.168.120.0/24 192.168.120.1 2d21h LOCAL
192.168.254.1/32 192.168.254.1 2d20h LOCAL
192.168.254.7/32 172.16.17.7 2d20h OSPF
192.168.254.8/32 172.16.18.8 2d20h OSPF

- To advertise these routes, enter:

sw7 (6860-A) -> ip route-map localIntoOspf sequence-number 10 action permit
sw7 (6860-A) -> ip route-map localIntoOspf sequence-number 10 match ip-address 192.168.70.0/24 permit
sw7 (6860-A) -> ip redist local into ospf route-map localIntoOspf admin-state enable

sw8 (6860-B) -> ip route-map localIntoOspf sequence-number 10 action permit
sw8 (6860-B) -> ip route-map localIntoOspf sequence-number 10 match ip-address 192.168.80.0/24 permit
sw8 (6860-B) -> ip redist local into ospf route-map localIntoOspf admin-state enable

- Check on the 6900 that these new routes have been learned:

sw1 (6900-A) -> show ip routes

+ = Equal cost multipath routes
Total 13 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 3d 3h LOCAL
172.16.17.0/24 172.16.17.1 2d23h LOCAL
172.16.18.0/24 172.16.18.1 2d20h LOCAL
172.16.78.0/24 +172.16.17.7 2d20h OSPF
+172.16.18.8 2d20h OSPF
192.168.20.0/24 172.16.17.7 00:16:45 OSPF
192.168.30.0/24 172.16.18.8 00:16:14 OSPF
192.168.70.0/24 172.16.17.7 00:00:57 OSPF
192.168.80.0/24 172.16.18.8 00:00:30 OSPF
192.168.120.0/24 192.168.120.1 2d21h LOCAL
192.168.254.1/32 192.168.254.1 2d20h LOCAL
192.168.254.7/32 172.16.17.7 2d20h OSPF
192.168.254.8/32 172.16.18.8 2d20h OSPF

- The client interfaces must be enabled for the local routes to appear in the routing table:

sw7 (6860-A) -> interfaces 1/1/1 admin-state enable
sw8 (6860-B) -> interfaces 1/1/1 admin-state enable



6 Access to the DATA server

- To give the VM clients Internet access, a pre-configuration has to be done on the OS6900-A.

- Create VLAN 100 and its IP interface on the 6900 VC:

sw1 (6900-A) -> vlan 100
sw1 (6900-A) -> ip interface int_100 address 192.168.100.1/24 vlan 100
sw1 (6900-A) -> vlan 100 members port 1/1/2 untagged
sw1 (6900-A) -> interfaces 1/1/2 admin-state enable

- To advertise this route, add it to the existing localIntoOspf route-map:

sw1 (6900-A) -> ip route-map localIntoOspf sequence-number 10 match ip-address 192.168.100.0/24 permit

- The default route 0.0.0.0/0 on the 6900 is a static route that should be advertised to the other switches,
so redistribution of static routes has to be configured. First create the static route:

sw1 (6900-A) -> ip static-route 0.0.0.0/0 gateway 192.168.100.108

sw1 (6900-A) -> show ip routes

+ = Equal cost multipath routes
Total 16 routes

 Dest Address       Gateway Addr        Age        Protocol
------------------+-------------------+----------+-----------
0.0.0.0/0 192.168.100.108 00:00:05 STATIC
10.0.0.51/32 192.168.100.108 00:17:36 STATIC
127.0.0.1/32 127.0.0.1 3d 3h LOCAL
172.16.17.0/24 172.16.17.1 3d 0h LOCAL
172.16.18.0/24 172.16.18.1 2d21h LOCAL
172.16.78.0/24 +172.16.17.7 2d21h OSPF
+172.16.18.8 2d21h OSPF
192.168.20.0/24 172.16.17.7 01:06:25 OSPF
----| truncated]

Notes
The second static route was already present in the configuration downloaded to the switch at the beginning of
the training. 10.0.0.51 is the IP address of the DNS server.

- The previous section showed how to redistribute a local route. The same can be applied to a static
route.
- To redistribute the static route into OSPF another filter must be created since static routes are not
considered part of the OSPF Autonomous System. Type the following:

sw1 (6900-A) -> ip route-map staticIntoOspf sequence-number 10 action permit
sw1 (6900-A) -> ip route-map staticIntoOspf sequence-number 10 match ip-address 0.0.0.0/0 permit
sw1 (6900-A) -> ip redist static into ospf route-map staticIntoOspf admin-state enable

- Check the result on the 6860s:

sw7 (6860-A) -> show ip ospf routes

                                                Domain   Domain
Destination/Mask      Gateway           Metric   Name     ID       Type
---------------------+-----------------+--------+--------+--------+----------
0.0.0.0/0 172.16.17.1 1 Vlan 217 AS-Ext (E2)
10.0.0.51/32 172.16.17.1 1 Vlan 217 AS-Ext (E2)
172.16.17.0/24 172.16.17.7 1 Vlan 217 Intra
172.16.18.0/24 172.16.78.8 2 Vlan 278 Intra
172.16.18.0/24 172.16.17.1 2 Vlan 217 Intra
172.16.78.0/24 172.16.78.7 1 Vlan 278 Intra
192.168.20.0/24 192.168.20.7 1 Vlan 20 Intra
192.168.30.0/24 172.16.78.8 2 Vlan 278 Inter
192.168.80.0/24 172.16.78.8 1 Vlan 278 AS-Ext (E2)
192.168.100.0/24 172.16.17.1 1 Vlan 217 AS-Ext (E2)
192.168.120.0/24 172.16.17.1 1 Vlan 217 AS-Ext (E2)
192.168.254.1/32 172.16.17.1 1 Vlan 217 Intra
192.168.254.7/32 0.0.0.0 0 N/A Intra
192.168.254.8/32 172.16.78.8 1 Vlan 278 Intra

sw8 (6860-B) -> show ip ospf routes

                                                Domain   Domain
Destination/Mask      Gateway           Metric   Name     ID       Type
---------------------+-----------------+--------+--------+--------+----------
0.0.0.0/0 172.16.18.1 1 Vlan 218 AS-Ext (E2)
10.0.0.51/32 172.16.18.1 1 Vlan 218 AS-Ext (E2)
172.16.17.0/24 172.16.78.7 2 Vlan 278 Intra
172.16.17.0/24 172.16.18.1 2 Vlan 218 Intra
172.16.18.0/24 172.16.18.8 1 Vlan 218 Intra
172.16.78.0/24 172.16.78.8 1 Vlan 278 Intra
192.168.20.0/24 172.16.78.7 2 Vlan 278 Inter
192.168.30.0/24 192.168.30.8 1 Vlan 30 Intra
192.168.70.0/24 172.16.78.7 1 Vlan 278 AS-Ext (E2)
192.168.100.0/24 172.16.17.1 1 Vlan 217 AS-Ext (E2)
192.168.120.0/24 172.16.18.1 1 Vlan 218 AS-Ext (E2)
192.168.254.1/32 172.16.18.1 1 Vlan 218 Intra
192.168.254.7/32 172.16.78.7 1 Vlan 278 Intra
192.168.254.8/32 0.0.0.0 0 N/A Intra

- The pfSense server has been configured with the RIP protocol.

- Enable the RIP protocol on the 6900 VC (int_100), then redistribute the local, static and OSPF routes
into RIP:

sw1 (6900-A) -> ip load rip
sw1 (6900-A) -> ip rip interface int_100 admin-state enable
sw1 (6900-A) -> ip rip admin-state enable
sw1 (6900-A) -> ip route-map local sequence-number 10 action permit
sw1 (6900-A) -> ip route-map local sequence-number 10 match ip-address 0.0.0.0/0 permit

sw1 (6900-A) -> ip redist local into rip route-map local admin-state enable
sw1 (6900-A) -> ip redist static into rip route-map local admin-state enable
sw1 (6900-A) -> ip redist ospf into rip route-map local admin-state enable
sw1 (6900-A) -> write memory flash-synchro

- Check the result on the 6900 VC:

sw1 (6900-A) -> show ip rip routes

Legends: State: A = Active, H = Holddown, G = Garbage
Destination        Gateway           State Metric Proto
------------------+-----------------+----+------+------
0.0.0.0/0 +192.168.100.108 A 1 Redist
10.0.0.51/32 +192.168.100.108 A 1 Redist
10.4.5.0/24 +192.168.100.108 A 2 Rip
172.16.17.0/24 +172.16.17.1 A 1 Redist
172.16.18.0/24 +172.16.18.1 A 1 Redist
172.16.78.0/24 +172.16.17.7 A 1 Redist
192.168.20.0/24 +172.16.17.7 A 1 Redist
192.168.30.0/24 +172.16.18.8 A 1 Redist
192.168.70.0/24 +172.16.17.7 A 1 Redist
192.168.80.0/24 +172.16.18.8 A 1 Redist
192.168.100.0/24 +192.168.100.1 A 1 Redist
192.168.100.108 A 2 Rip
192.168.120.0/24 +192.168.120.1 A 1 Redist
192.168.254.1/32 +192.168.254.1 A 1 Redist
192.168.254.7/32 +172.16.17.7 A 1 Redist
192.168.254.8/32 +172.16.18.8 A 1 Redist

7 OSPF Authentication

7.1. Simple Authentication


- Let’s enable simple authentication between the 6900 and 6860-A.
- Type the following:

sw1 (6900-A) -> ip ospf interface int_217 auth-type simple
sw1 (6900-A) -> ip ospf interface int_217 auth-key alcatel

- While only one end of the link is configured, the int_217 adjacency is lost and only the int_218 neighbor
remains:

sw1 (6900-A) -> show ip ospf neighbor

IP Address       Area Id          Router Id        Vlan   State   Type
----------------+----------------+----------------+------+-------+--------
172.16.18.8      0.0.0.0          192.168.254.8    218    Full    Dynamic

sw7 (6860-A) -> ip ospf interface int_217 auth-type simple


sw7 (6860-A) -> ip ospf interface int_217 auth-key alcatel
sw7 (6860-A) -> show ip ospf interface int_217

Authentication Type = simple,
Authentication Key = Set,

sw1 (6900-A) -> show ip ospf neighbor


IP Address Area Id Router Id Vlan State Type
----------------+----------------+----------------+------+-------+--------
172.16.17.7 0.0.0.0 192.168.254.7 217 Full Dynamic
172.16.18.8 0.0.0.0 192.168.254.8 218 Full Dynamic

- Verify that the switches have become neighbors again once authentication is enabled on both ends of the link. Note that while only the 6900-A side was configured, the 6860-A neighbor (172.16.17.7) had dropped out of the first neighbor table above.

7.2. MD5 Authentication


MD5 is a more secure way of configuring authentication when using OSPF. With MD5 the key is not sent in clear text as a simple password is; a message digest computed from the packet and the key is sent instead. A key number and a key string must be supplied for MD5.

- Let’s enable MD5 authentication between 6900 and 6860-B

- Type the following:

sw1 (6900-A) -> ip ospf interface int_218 auth-type md5


sw1 (6900-A) -> ip ospf interface int_218 md5 1
sw1 (6900-A) -> ip ospf interface int_218 md5 1 key alcatel

sw8 (6860-B) -> ip ospf interface int_218 auth-type md5


sw8 (6860-B) -> ip ospf interface int_218 md5 1
sw8 (6860-B) -> ip ospf interface int_218 md5 1 key alcatel

- These two values will be combined and used in the MD5 hashing algorithm for authentication between the
switches. Check your routing tables, neighbors, and interfaces and enable debugging to display any
problems.

sw1 (6900-A) -> show ip ospf interface int_218



Authentication Type = md5,
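The digest step described above follows RFC 2328 Appendix D ("cryptographic authentication", which the AOS CLI calls md5). The following Python is an added example, not part of the course material or of AOS: it builds a minimal OSPF Hello from sw1 (router id 192.168.254.1, area 0.0.0.0) with key id 1 and key "alcatel" from the lab, appends the digest the way the RFC specifies, and verifies it the way a neighbor would, including the non-decreasing sequence-number check that defeats replay. The Hello body and the sequence numbers are constructed; the checksum is left at 0, which is what the RFC prescribes for this authentication type.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2328 A.3.1: 24-byte common OSPF header. AuType 2 is "cryptographic
# authentication", exposed in the AOS CLI as "auth-type md5".
OSPF_HEADER_LEN = 24
AUTH_TYPE_CRYPTO = 2
OSPF_HELLO = 1
MD5_DIGEST_LEN = 16
HEADER_FMT = "!BBH4s4sHH8s"   # version, type, length, router id, area id, checksum, autype, auth data
AUTH_FIELD_FMT = "!HBBI"      # reserved 0, key id, auth data length (16), cryptographic sequence number


def _pad_key(key: str) -> bytes:
    # RFC 2328 D.3: the key is 16 octets; a shorter key such as "alcatel" is zero-padded.
    return key.encode("ascii").ljust(MD5_DIGEST_LEN, b"\x00")[:MD5_DIGEST_LEN]


def hello_body(mask: str, hello_interval: int = 10, dead_interval: int = 40) -> bytes:
    # Constructed minimal Hello body (RFC 2328 A.3.2): no DR/BDR, no neighbours listed.
    return struct.pack("!4sHBBI4s4s", ipaddress.IPv4Address(mask).packed,
                       hello_interval, 0x02, 1, dead_interval, b"\x00" * 4, b"\x00" * 4)


def sign_packet(ptype: int, body: bytes, router_id: str, area_id: str,
                key_id: int, key: str, seq: int) -> bytes:
    """Build an OSPF packet protected per RFC 2328 Appendix D.4.3.

    The key never goes on the wire: the 8-byte auth field carries only the key id and a
    sequence number, and a 16-byte MD5 digest over (packet || key) is appended after the
    packet. The OSPF length field excludes the digest; the checksum field is 0.
    """
    length = OSPF_HEADER_LEN + len(body)
    auth_field = struct.pack(AUTH_FIELD_FMT, 0, key_id, MD5_DIGEST_LEN, seq)
    header = struct.pack(HEADER_FMT, 2, ptype, length,
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, AUTH_TYPE_CRYPTO, auth_field)
    packet = header + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_packet(packet: bytes, keys: dict, last_seq: int):
    """Receiver side: returns (accepted, reason, seq).

    `keys` maps key id -> key string configured on the receiving interface; `last_seq` is
    the highest sequence number already accepted from this neighbour and must not decrease.
    """
    if len(packet) < OSPF_HEADER_LEN + MD5_DIGEST_LEN:
        return False, "packet too short", None
    _ver, _ptype, length, _rid, _aid, _csum, autype, auth_field = struct.unpack(
        HEADER_FMT, packet[:OSPF_HEADER_LEN])
    if autype != AUTH_TYPE_CRYPTO:
        return False, "authentication type mismatch", None
    if len(packet) != length + MD5_DIGEST_LEN:
        return False, "length does not match a 16-byte trailing digest", None
    _zero, key_id, auth_len, seq = struct.unpack(AUTH_FIELD_FMT, auth_field)
    if auth_len != MD5_DIGEST_LEN:
        return False, "unexpected auth data length", None
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}", seq
    if seq < last_seq:
        return False, "replayed sequence number", seq
    expected = hashlib.md5(packet[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False, "digest mismatch (wrong key or modified packet)", seq
    return True, "ok", seq


def demo():
    # sw1 (6900-A) sends a Hello on int_218 (172.16.18.0/24) with key id 1 / key "alcatel";
    # sw8 (6860-B) verifies it under several conditions.
    pkt = sign_packet(OSPF_HELLO, hello_body("255.255.255.0"),
                      "192.168.254.1", "0.0.0.0", key_id=1, key="alcatel", seq=1000)
    tampered = pkt[:30] + bytes([pkt[30] ^ 0x01]) + pkt[31:]   # flip one bit in the body
    return {
        "same key": verify_packet(pkt, {1: "alcatel"}, last_seq=0),
        "wrong key": verify_packet(pkt, {1: "wrong"}, last_seq=0),
        "replayed": verify_packet(pkt, {1: "alcatel"}, last_seq=1001),
        "tampered": verify_packet(tampered, {1: "alcatel"}, last_seq=0),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```

The sequence number is what turns a keyed hash into protection against replaying a captured Hello: a neighbor that accepts a digest-valid packet whose sequence number went backwards would accept old traffic, so the check is part of the verification, not an optional extra.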

- Save the configuration; it will be used in the next lab.

-> write memory flash-synchro



8 Stub Area

8.1. OSPF Areas Logical diagram

8.2. Configuration
- For this lab, we will add a new 6560 switch to become an internal router for stub area 2.2.2.2
- A router becomes an internal router when it doesn’t have a backbone connection and is a member of only a single area. For the purposes of the lab, the stub switch (6560-A) will be used as the internal router.

Notes
Switches in Stub Areas do not have external routes in their routing database

- Create the connection between 6860-A and 6560-A:

sw7 (6860-A) -> vlan 137


sw7 (6860-A) -> vlan 137 members port 1/1/7 untagged
sw7 (6860-A) -> ip interface int_137 address 172.16.137.7/24 vlan 137
sw7 (6860-A) -> interfaces 1/1/7 admin-state enable

sw3 (6560-A) -> ip interface Loopback0 address 192.168.254.3


sw3 (6560-A) -> vlan 137
sw3 (6560-A) -> vlan 137 members port 1/1/7 untagged
sw3 (6560-A) -> ip interface int_137 address 172.16.137.3/24 vlan 137
sw3 (6560-A) -> interfaces 1/1/7 admin-state enable

- Create a client vlan on 6560-A:

sw3 (6560-A) -> vlan 60


sw3 (6560-A) -> vlan 60 members port 1/1/1 untagged
sw3 (6560-A) -> ip interface int_60 address 192.168.60.3/24 vlan 60
sw3 (6560-A) -> interfaces 1/1/1 admin-state enable

- Configure stub area 2.2.2.2 in both 6860 and 6560:

sw7 (6860-A) -> ip ospf area 2.2.2.2


sw7 (6860-A) -> ip ospf area 2.2.2.2 type stub
sw7 (6860-A) -> ip ospf interface int_137
sw7 (6860-A) -> ip ospf interface int_137 area 2.2.2.2
sw7 (6860-A) -> ip ospf interface int_137 admin-state enable

sw3 (6560-A) -> ip load ospf


sw3 (6560-A) -> ip router router-id 192.168.254.3
sw3 (6560-A) -> ip ospf admin-state enable
sw3 (6560-A) -> ip ospf area 2.2.2.2
sw3 (6560-A) -> ip ospf area 2.2.2.2 type stub
sw3 (6560-A) -> ip ospf interface int_137
sw3 (6560-A) -> ip ospf interface int_137 area 2.2.2.2
sw3 (6560-A) -> ip ospf interface int_137 admin-state enable
sw3 (6560-A) -> ip ospf interface int_60
sw3 (6560-A) -> ip ospf interface int_60 area 2.2.2.2
sw3 (6560-A) -> ip ospf interface int_60 admin-state enable

- Check areas:

sw7 (6860-A) -> show ip ospf area


Area Id AdminStatus Type OperStatus
---------------+-------------+-------------+------------
0.0.0.0 enabled normal up
1.1.1.1 enabled normal up
2.2.2.2 enabled stub up

sw3 (6560-A) -> show ip ospf area


Area Id AdminStatus Type OperStatus
---------------+-------------+-------------+------------
2.2.2.2 enabled stub up

8.3. Verification
- Type the following on 6560-A:
sw3 (6560-A) -> show ip ospf routes
Domain Domain
Destination/Mask Gateway Metric Name ID Type
---------------------+-----------------+--------+--------+--------+----------
0.0.0.0/0 172.16.137.7 2 Vlan 137 Inter
172.16.17.0/24 172.16.137.7 2 Vlan 137 Inter
172.16.18.0/24 172.16.137.7 3 Vlan 137 Inter
172.16.78.0/24 172.16.137.7 2 Vlan 137 Inter
172.16.137.0/24 172.16.137.3 1 Vlan 137 Intra
192.168.20.0/24 172.16.137.7 2 Vlan 137 Inter
192.168.30.0/24 172.16.137.7 3 Vlan 137 Inter
192.168.60.0/24 192.168.60.3 1 Vlan 60 Intra
192.168.254.1/32 172.16.137.7 2 Vlan 137 Inter
192.168.254.3/32 0.0.0.0 0 N/A Intra
192.168.254.7/32 172.16.137.7 1 Vlan 137 Intra
192.168.254.8/32 172.16.137.7 2 Vlan 137 Inter

sw7 (6860-A) -> show ip ospf routes


Domain Domain
Destination/Mask Gateway Metric Name ID Type
---------------------+-----------------+--------+--------+--------+----------
0.0.0.0/0 172.16.17.1 1 Vlan 217 AS-Ext (E2)
10.0.0.51/32 172.16.17.1 1 Vlan 217 AS-Ext (E2)
172.16.17.0/24 172.16.17.7 1 Vlan 217 Intra
172.16.18.0/24 172.16.78.8 2 Vlan 278 Intra
172.16.18.0/24 172.16.17.1 2 Vlan 217 Intra
172.16.78.0/24 172.16.78.7 1 Vlan 278 Intra
172.16.137.0/24 172.16.137.7 1 Vlan 137 Intra
192.168.20.0/24 192.168.20.7 1 Vlan 20 Intra
192.168.30.0/24 172.16.78.8 2 Vlan 278 Inter
192.168.60.0/24 172.16.137.3 2 Vlan 137 Intra
192.168.80.0/24 172.16.78.8 1 Vlan 278 AS-Ext (E2)
192.168.100.0/24 172.16.17.1 1 Vlan 217 AS-Ext (E2
192.168.120.0/24 172.16.17.1 1 Vlan 217 AS-Ext (E2)
192.168.254.1/32 172.16.17.1 1 Vlan 217 Intra
192.168.254.3/32 172.16.137.3 1 Vlan 137 Intra
192.168.254.7/32 0.0.0.0 0 N/A Intra
192.168.254.8/32 172.16.78.8 1 Vlan 278 Intra

Notes
On the stub switch, there should be a default route with a next-hop pointing towards the IP interface of the backbone switch.

How would the stub area be changed into a totally stubby area?
OmniSwitch AOS R8

Graceful Restart
Lesson Summary

At the end of this presentation, you will be able to

◼ Describe Graceful Restart


⚫ Overview
⚫ Configuration
BGP/OSPF/ISIS - Graceful Restart
◼ Router remains on forwarding path when restarting
◼ Neighbors must participate in graceful restart
◼ Reverts to normal routing protocol function if network topology change is detected during graceful restart
◼ Ex. Router Y continues to list Router X during restart

[Figure: restarting Router X and helping Router Y on network segment S, with Routers A, B and C attached]

OSPF Graceful Restart Helping and Restarting Router


Graceful Restart
◼ Without graceful restart

◼ If a router restarts:
⚫ Neighbor reinitializes the adjacency and floods out updated LSAs showing that the restarting router is no longer part of the network
⚫ All routers in the area must run SPF algorithm to compute new routes

◼ When the restarting router comes up:
⚫ ISIS/OSPF adjacency is re-established.
⚫ Neighbor floods out new LSAs including the routes from the restarting router
⚫ All routers in the area must run SPF algorithm once again. This activity results in CMM stress for the routers.
⚫ Possible loss of packets due to forwarding loops

[Figure: restarting router and neighbor without graceful restart; session down, adjacency re-initialised, updated LSAs flooded and SPF recalculated both when the router goes down and when it comes back up]
Graceful Restart
◼ With graceful restart

◼ Grace LSAs are sent to neighbors either before (planned) or after (unplanned) restart.
⚫ Contain a “grace period”; time in seconds for achieving the OSPF restart.
⚫ May or may not be acknowledged by the neighbors.
⚫ Are “link-local”; only sent to adjacent neighbors

[Figure: R1, R2 (restarting router) and R3; R2 sends GRACE LSAs to R1 and R3, which reply with LSACKs]

◼ During the restart neighbors act as if nothing happened to the restarting router
⚫ The restarting router is still listed as an adjacency.
⚫ Traffic is forwarded to the restarting router
⚫ The restarting router performs non-stop forwarding

[Figure: data still flows R1 - R2 - R3 while the restart of R2 is pending]
Graceful Restart
◼ With graceful restart

◼ When the restarting router comes up:
⚫ It discovers neighbors and re-establishes adjacencies.
⚫ It synchronizes its LSDB
⚫ It does not send any LSA/LSP because it still has incomplete routing information. If it sent outdated LSAs/LSPs the neighbors would think that the network had changed, forcing them to run SPF calculations throughout the area

[Figure: R2 re-establishes neighbor adjacencies with R1 and R3, exchanges LSAs and flushes its grace LSAs]

◼ When the restarting router has synchronized its LSDB:
⚫ It sends out its updated LSAs/LSP. The neighbors do not run SPF algorithm based on these LSAs/LSPs.
⚫ It purges the grace LSAs/LSPs by setting their age to the maximum value. The neighbors see these LSAs/LSPs as ‘expired’ and discard them

◼ In this way the graceful restart has successfully completed
CLI - Graceful Restart

-> ip {ospf | isis | bgp} graceful-restart
⚫ Enables graceful restart on the switch

-> ip {ospf | isis | bgp} restart initiate
⚫ Initiates a planned graceful restart

-> ip {ospf | isis | bgp} restart-support {planned-unplanned | planned-only}
⚫ Configures support for the graceful restart feature on an OSPF router

-> ip {ospf | isis | bgp} restart-helper admin-state {enable | disable}
⚫ Enables or disables the capability of a router to operate in helper mode in response to a router performing a graceful restart

-> ip {ospf | isis | bgp} restart-interval
⚫ Configures the grace period for achieving a graceful OSPF restart

-> show ip {ospf | isis | bgp} restart

Note: Graceful restart is disabled for OSPF and ISIS and enabled for BGP by default
OmniSwitch R8
DHCP

Objectives
DHCP

At the end of this module, you will be able to:


• Understand and implement the following features
– DHCP Client
– DHCP Relay
– DHCP Snooping
DHCP Client IP Interface
• Goal:
• The OmniSwitch can be configured with a DHCP Client interface that allows the switch to obtain an IP address dynamically from a DHCP server
- The DHCP Client interface is configurable on any one VLAN in any VRF instance.
- The DHCP Client interface supports the release and renew functionality according to RFC-2131.
- The Option-60 string can be configured on the OmniSwitch and sent as part of the DHCP discover/request packet.

-> ip interface dhcp-client [vlan vid] [release | renew] [option-60 string]

-> show ip interface
Total 4 interfaces
Name IP Address Subnet Mask Status Forward Device
-------------------+---------------+----------------+------+-------+--------
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
Loopback0 1.1.1.1 255.255.255.255 UP YES Loopback0
dhcp-client 0.0.0.0 0.0.0.0 UP YES vlan 12
vlan1000 172.25.167.212 255.255.255.224 DOWN NO vlan 1000

[Figure: Compatible OmniSwitch Switches]
DHCP Client IP Interface
-> ip interface dhcp-client vlan 12
-> show ip interface dhcp-client
Interface Name = dhcp-client
SNMP Interface Index = 13600001,
IP Address = 172.16.12.11,
Subnet Mask = 255.255.255.0,
Broadcast Address = 172.16.12.255,
Device = vlan 12,
Encapsulation = eth2,
Forwarding = enabled,
Administrative State = enabled,
Operational State = up,
Router MAC = 00:e0:b1:80:00:f0,
Local Proxy ARP = disabled,
Maximum Transfer Unit = 1500,
Primary (config/actual) = yes/yes
DHCP-CLIENT Parameter Details
Client Status = Active,
Server IP = 172.16.12.102,
Router Address = 172.16.12.1,
Lease Time Remaining = 0 days 5 hour 58 min 14 sec,
Option-60 = OmniSwitch-OS6860,
HostName = vxTarget

-> show ip routes
+ = Equal cost multipath routes
* = BFD Enabled static route
Total 15 routes
Dest Address Subnet Mask Gateway Addr Age Protocol
------------------+-----------------+----------------+----------+-----------
0.0.0.0 0.0.0.0 172.16.12.1 00:00:10 NETMGMT
2.2.2.2 255.255.255.255 2.2.2.2 03:54:09 LOCAL
127.0.0.1 255.255.255.255 127.0.0.1 03:55:13 LOCAL
172.16.12.0 255.255.255.0 172.16.12.11 00:00:10 LOCAL

• When the switch receives a valid IP address lease from a DHCP server:
• The IP address and the subnet mask (DHCP Option-1) are assigned to the DHCP Client IP interface
• A default static route is created according to DHCP Option-3 (Router IP Address)
• The lease is periodically renewed and rebound according to the renew time (DHCP Option-58) and rebind time (DHCP Option-59) returned by the DHCP server
• If the lease cannot be renewed within the lease time (DHCP Option-51) returned by the DHCP server, the IP address is released
• The DHCP Client-enabled IP address serves as the primary IP address when multiple addresses are configured for a VLAN.
DHCP Relay
Two types of DHCP relay agents: global and per-interface.

• A global relay agent forwards DHCP packets to a global destination IP address
• A per-interface relay agent is configured on a specific IP interface that is bound to a VLAN.
• Only DHCP packets originating from the VLAN that is associated with the interface are forwarded to a destination IP address defined for the interface relay agent.
• They are mutually exclusive

[Figure: DHCP server on one LAN; a router acting as DHCP relay agent between it and the LAN switches carrying the DHCP clients on other LANs]
DHCP Relay
• By default, the DHCP Relay feature is disabled.
• When the DHCP Relay feature is enabled, DHCP packets are relayed on a global basis or on a per-interface basis.
ip dhcp relay admin-state {enable | disable}

• Global basis configuration
• Configuring the Global Relay Agent
ip dhcp relay destination ip_address
ip dhcp relay destination 192.168.100.102

• Removing the Global Relay Agent
no ip dhcp relay destination ip_address

sw8 (6860-B) -> show ip dhcp relay
IP DHCP Relay :
DHCP Relay Admin Status = Enable,
Forward Delay(seconds) = 0,
Max number of hops = 16,
Relay Agent Information = Disabled,
Relay Agent Information Policy = Drop,
DHCP Relay Opt82 Format = Base MAC,
DHCP Relay Opt82 String = e8:e7:32:b3:3c:f9,
PXE support = Disabled,
Relay Mode = Global,
Bootup Option = Disable,

sw8 (6860-B) -> show ip dhcp relay statistics
Global Statistics :
Reception From Client :
Total Count = 0, Delta = 0
Forw Delay Violation :
Total Count = 0, Delta = 0
Max Hops Violation :
Total Count = 0, Delta = 0
Agent Info Violation :
Total Count = 0, Delta = 0
Invalid Gateway IP :
Total Count = 0, Delta = 0
Server Specific Statistics :
From Interface Any to Server 192.168.100.102
Tx Server :
Total Count = 0, Delta = 0
InvAgentInfoFromServer:
Total Count = 0, Delta = 0
DHCP Relay
• Configuring a Relay Agent for an IP Interface

• To enable/disable the DHCP Relay per-interface mode
-> ip dhcp relay per-interface-mode
-> no ip dhcp relay per-interface-mode

• To configure the DHCP relay destination address for the specified IP interface
-> ip dhcp relay interface if_name destination ip_address
ip dhcp relay interface int_20 destination 192.168.100.102

sw8 (6860-B) -> show ip dhcp relay
IP DHCP Relay :
DHCP Relay Admin Status = Enable,
Forward Delay(seconds) = 0,
Max number of hops = 16,
Relay Agent Information = Disabled,
Relay Agent Information Policy = Drop,
DHCP Relay Opt82 Format = Base MAC,
DHCP Relay Opt82 String = e8:e7:32:b3:3c:f9,
PXE support = Disabled,
Relay Mode = Per Interface,
Bootup Option = Disable,

sw8 (6860-B) -> show ip dhcp relay statistics
Global Statistics :
Reception From Client :
Total Count = 0, Delta = 0
Forw Delay Violation :
Total Count = 0, Delta = 0
Max Hops Violation :
Total Count = 0, Delta = 0
Agent Info Violation :
Total Count = 0, Delta = 0
Invalid Gateway IP :
Total Count = 0, Delta = 0
Server Specific Statistics :
From Interface int_20 to Server 192.168.100.102
Tx Server :
Total Count = 0, Delta = 0
InvAgentInfoFromServer:
Total Count = 0, Delta = 0
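The relay behaviour the two slides describe (global versus per-interface destinations, the hop limit and forward delay, and a reply that names a gateway address the relay does not own) can be modelled in a few lines. The Python below is an added example and not AOS code: the packet fields and their handling follow RFC 1542 (the relay stamps its own interface address into giaddr only if it is still 0.0.0.0, increments hops, and refuses to relay once the hop limit is reached), while the mapping of those checks onto the counter names from the "show ip dhcp relay statistics" output above is my interpretation, since the slides do not define the counters. The VLANs, interface addresses and server 192.168.100.102 follow the lab topology; the packets are constructed.

```python
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
NO_GIADDR = "0.0.0.0"

# Counter names taken from the "show ip dhcp relay statistics" output; how AOS
# increments them is not on the slides, so the mapping below is an assumption.
STAT_NAMES = ("Reception From Client", "Forw Delay Violation", "Max Hops Violation",
              "Invalid Gateway IP", "Tx Server")


@dataclass
class DhcpPacket:
    op: int                   # 1 = BOOTREQUEST (client -> server), 2 = BOOTREPLY (server -> client)
    hops: int = 0             # incremented by every relay agent the packet crosses (RFC 1542)
    secs: int = 0             # seconds since the client started acquiring an address
    giaddr: str = NO_GIADDR   # set by the first relay; the server addresses its reply to it
    vlan: int = 0             # VLAN the packet was received on


@dataclass
class DhcpRelay:
    interfaces: dict                 # vlan -> IP interface address bound to that VLAN
    max_hops: int = 16               # "Max number of hops" default from the show output
    forward_delay: int = 0           # "Forward Delay(seconds)" default from the show output
    per_interface_mode: bool = False
    global_destinations: list = field(default_factory=list)
    interface_destinations: dict = field(default_factory=dict)   # vlan -> [server ip, ...]
    stats: dict = field(default_factory=lambda: {k: 0 for k in STAT_NAMES})

    def _servers_for(self, vlan):
        # Global and per-interface modes are mutually exclusive, as the slide says.
        if self.per_interface_mode:
            return self.interface_destinations.get(vlan, [])
        return self.global_destinations

    def from_client(self, pkt):
        """Relay a client request; returns a list of (server_ip, relayed packet)."""
        self.stats["Reception From Client"] += 1
        if pkt.op != BOOTREQUEST or pkt.vlan not in self.interfaces:
            return []
        if pkt.secs < self.forward_delay:        # client has not waited long enough yet
            self.stats["Forw Delay Violation"] += 1
            return []
        if pkt.hops >= self.max_hops:             # RFC 1542 4.1.1: discard once the hop limit is hit
            self.stats["Max Hops Violation"] += 1
            return []
        servers = self._servers_for(pkt.vlan)
        if not servers:
            return []
        relayed = DhcpPacket(pkt.op, pkt.hops + 1, pkt.secs, pkt.giaddr, pkt.vlan)
        if relayed.giaddr == NO_GIADDR:          # only the first relay stamps its own address
            relayed.giaddr = self.interfaces[pkt.vlan]
        self.stats["Tx Server"] += len(servers)
        return [(server, relayed) for server in servers]

    def from_server(self, pkt):
        """Relay a server reply toward the client VLAN; returns that VLAN, or None if dropped."""
        if pkt.op != BOOTREPLY:
            return None
        for vlan, addr in self.interfaces.items():
            if addr == pkt.giaddr:
                return vlan
        # A reply whose giaddr is none of our interfaces is not ours to forward.
        self.stats["Invalid Gateway IP"] += 1
        return None


def demo():
    # Constructed: 6860-A relays VLAN 20 (192.168.20.7) and VLAN 30 (192.168.30.7)
    # to the lab's DHCP server 192.168.100.102 in global mode.
    relay = DhcpRelay(interfaces={20: "192.168.20.7", 30: "192.168.30.7"},
                      global_destinations=["192.168.100.102"])
    ok = relay.from_client(DhcpPacket(BOOTREQUEST, vlan=20))
    looped = relay.from_client(DhcpPacket(BOOTREQUEST, hops=16, vlan=20))
    back = relay.from_server(DhcpPacket(BOOTREPLY, giaddr="192.168.20.7"))
    bogus = relay.from_server(DhcpPacket(BOOTREPLY, giaddr="10.9.9.9"))
    return relay, ok, looped, back, bogus


if __name__ == "__main__":
    relay, ok, looped, back, bogus = demo()
    print(ok, looped, back, bogus, relay.stats, sep="\n")
```

The giaddr rule is the one worth remembering operationally: it is what lets the server pick a scope, and it is also what the "Invalid Gateway IP" counter in the show output is watching for.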
DHCP Snooping
• Globally, per VLAN or per port.
• DHCP Snooping feature
- Filters DHCP packets between untrusted sources and a trusted DHCP server
- Builds and maintains a binding table (database) to track access information for external devices
• All DHCP Messages are accepted on trusted ports
• Configurable
• DHCP port status
- Trusted: DHCP traffic is fully allowed
- Client only (Request only)
- Block (no DHCP traffic allowed)
• Port IP Source Filtering
- on source port - MAC - IP
• Rate Limiting

[Figure: a client on an un-trusted port sends DISCOVER/REQUEST; the server on the trusted port answers OFFER and ACK/NAK; server-side DHCP traffic arriving on untrusted ports is blocked. Binding database entry: MAC, IP, Lease time, Type (dynamic or static), VLAN, ifIndex]
DHCP Snooping
• Layer 2 DHCP Snooping
- Applies DHCP Snooping functionality to bridged DHCP client/server broadcasts
- Does not require an IP interface on ingress VLAN
- Does not require the use of the relay agent to process DHCP packets
- Both L2 and L3 DHCP Snooping are active when DHCP Snooping is globally enabled

• Untrusted ports only accept DHCP Discover and Request messages
- DHCP Offer and ACK are dropped

[Figure: VLAN x with the DHCP server on the trusted port; clients and a rogue DHCP server on untrusted ports, whose Offer/ACK messages are dropped]
DHCP Snooping
Platforms Supported: Release 8

By default, DHCP Snooping is disabled

• Enables or disables DHCP Snooping for the switch (see os8_cli_87R2-revA.pdf for more options)
-> dhcp-snooping admin-state {enable | disable}

• Enables or disables DHCP Snooping on a per VLAN basis
-> dhcp-snooping vlan vlan_id[-vlan_id2] [mac-address-verification | option-82-data-insertion] admin-state {enable | disable}

- mac-address-verification: verifying the source MAC address of DHCP packets with the client MAC address contained in the same packet
- option-82-data-insertion: inserting Option-82 information into DHCP packets.
• Displays the global DHCP Snooping configuration

-> show dhcp-snooping
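The port-trust rules, MAC address verification, the binding table and IP source filtering described on the preceding DHCP Snooping slides fit together as one filter. The Python below is an added example, not AOS code: it accepts only the client message types the slide names on untrusted ports, drops server messages arriving there (the rogue-server case in the figure), enforces the source-MAC versus chaddr check, learns a binding from an ACK seen on the trusted port, and uses that binding to decide IP source filtering. Port names, MAC addresses and the VLAN 20 addresses are constructed; the per-port violation counter mirrors what "show dhcp-snooping port" reports.

```python
from dataclasses import dataclass
from enum import Enum


class PortTrust(Enum):
    TRUSTED = "trusted"          # DHCP traffic is fully allowed (server-facing port)
    CLIENT_ONLY = "client-only"  # only client messages are accepted (default for untrusted ports)
    BLOCK = "block"              # no DHCP traffic allowed at all


CLIENT_MESSAGES = {"DISCOVER", "REQUEST"}   # what the slide says an untrusted port accepts
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only legitimate from the trusted server side


@dataclass
class DhcpFrame:
    port: str
    vlan: int
    src_mac: str        # Ethernet source address
    chaddr: str         # client hardware address carried inside the DHCP payload
    msg_type: str
    yiaddr: str = ""    # address offered/assigned by the server (OFFER/ACK)
    lease: int = 0


@dataclass
class Binding:
    ip: str
    vlan: int
    port: str
    lease: int


class DhcpSnooper:
    def __init__(self, port_trust, mac_verify_vlans=(), ip_source_filter_ports=()):
        self.port_trust = dict(port_trust)      # port -> PortTrust; unlisted ports are CLIENT_ONLY
        self.mac_verify_vlans = set(mac_verify_vlans)
        self.ipsf_ports = set(ip_source_filter_ports)
        self.bindings = {}      # (vlan, client MAC) -> Binding: the binding table
        self.client_port = {}   # (vlan, client MAC) -> port the client's request came in on
        self.violations = {}    # port -> violation count, as "show dhcp-snooping port" reports

    def _violation(self, frame, reason):
        self.violations[frame.port] = self.violations.get(frame.port, 0) + 1
        return ("drop", reason)

    def inspect(self, frame):
        """Decide whether a DHCP frame is forwarded or dropped, learning bindings on the way."""
        trust = self.port_trust.get(frame.port, PortTrust.CLIENT_ONLY)
        if trust is PortTrust.BLOCK:
            return self._violation(frame, "DHCP blocked on this port")
        if trust is PortTrust.TRUSTED:
            if frame.msg_type == "ACK" and frame.yiaddr:
                key = (frame.vlan, frame.chaddr)
                port = self.client_port.get(key, "unknown")
                self.bindings[key] = Binding(frame.yiaddr, frame.vlan, port, frame.lease)
            return ("forward", "trusted port")
        # Untrusted (client-only) port from here on.
        if frame.msg_type in SERVER_MESSAGES:
            return self._violation(frame, "server message on untrusted port (rogue DHCP server)")
        if frame.msg_type not in CLIENT_MESSAGES:
            return self._violation(frame, "unexpected DHCP message type")
        if frame.vlan in self.mac_verify_vlans and frame.src_mac != frame.chaddr:
            return self._violation(frame, "source MAC does not match chaddr")
        self.client_port[(frame.vlan, frame.chaddr)] = frame.port
        return ("forward", "client message on untrusted port")

    def permit_ip(self, port, vlan, src_mac, src_ip):
        """IP source filtering: on a filtered port, data traffic must match a binding's port, MAC and IP."""
        if port not in self.ipsf_ports:
            return True
        binding = self.bindings.get((vlan, src_mac))
        return binding is not None and binding.port == port and binding.ip == src_ip


def demo():
    # Constructed scenario: the DHCP server sits behind trusted port 1/1/24 on VLAN 20,
    # clients on untrusted ports 1/1/1 and 1/1/2; MAC verification and IP source filtering on.
    client = "00:11:22:33:44:01"
    other = "00:11:22:33:44:02"
    snoop = DhcpSnooper({"1/1/24": PortTrust.TRUSTED}, mac_verify_vlans=[20],
                        ip_source_filter_ports=["1/1/1"])
    r = {}
    r["discover"] = snoop.inspect(DhcpFrame("1/1/1", 20, client, client, "DISCOVER"))
    r["rogue_offer"] = snoop.inspect(DhcpFrame("1/1/2", 20, other, client, "OFFER", yiaddr="192.168.20.200"))
    r["spoofed_chaddr"] = snoop.inspect(DhcpFrame("1/1/2", 20, other, "00:11:22:33:44:03", "REQUEST"))
    r["ack"] = snoop.inspect(DhcpFrame("1/1/24", 20, "00:aa:bb:cc:dd:ee", client, "ACK",
                                       yiaddr="192.168.20.50", lease=86400))
    r["ipsf_ok"] = snoop.permit_ip("1/1/1", 20, client, "192.168.20.50")
    r["ipsf_spoof"] = snoop.permit_ip("1/1/1", 20, client, "192.168.20.99")
    return snoop, r


if __name__ == "__main__":
    snoop, results = demo()
    print(results, snoop.bindings, snoop.violations, sep="\n")
```

Real switch implementations typically also let RELEASE, DECLINE and INFORM through from clients; the block sticks to the two message types the slide lists so that it illustrates the slide rather than a particular vendor's table.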


DHCP Snooping
• DHCP Option-82 feature
• Enables the relay agent to insert identifying information into client-originated DHCP packets before the packets are forwarded to the DHCP server
• Default Agent information
• Circuit ID: VLAN ID and slot/port from where the DHCP packet originated
• Remote ID: MAC address of the router interface associated with the VLAN ID specified in the Circuit ID

Circuit-id suboption
Field                              Value   Size
Suboption type                     1       1 byte
Circuit-id length                  20      1 byte
Sub-circuit-id TLV type            0       1 byte
Sub-circuit-id TLV length          4       1 byte
VLAN                                       2 bytes
Slot                                       1 byte
Port                                       1 byte
Sub-circuit-id TLV type            1       1 byte
Sub-circuit-id TLV length          12      1 byte
String or Hostname (configurable)          12 bytes (variable)

Remote-id suboption (Agent ID)
Field                              Value   Size
Suboption type                     2       1 byte
Remote-id length                   14      1 byte
Sub-remote-id TLV type             1       1 byte
Sub-remote-id TLV length           12      1 byte
String or Hostname (configurable)          12 bytes (variable)
DHCP Option 82
• Configures the type of information that is inserted into both the Circuit ID and Remote ID sub option
fields of the Option-82 field

-> dhcp-snooping option-82 format [base-mac | system-name | user-string string | interface-alias | auto-interface-alias | ascii [{remote-id | circuit-id} {base-mac | cvlan | interface | interface-alias | system-name | user-string string | vlan} {delimiter string}]]

• Example

-> dhcp-snooping option-82 format user-string “Building B Server”


-> dhcp-snooping option-82 format system-name
-> dhcp-snooping option-82 format base-mac
-> dhcp-snooping option-82 format interface-alias
-> dhcp-snooping option-82 format auto-interface-alias
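The Circuit-ID and Remote-ID layout in the table above is a nested TLV structure, and a relay or a DHCP server that consumes it has to check every length byte against the enclosing one before trusting a field. The Python below is an added example, not AOS or any DHCP server's code: it encodes Option 82 exactly as the slide lays it out (suboption 1 carrying a type-0 VLAN/slot/port TLV and a type-1 string TLV, suboption 2 carrying a type-1 string TLV) and decodes it back, refusing any buffer whose lengths do not add up. The string contents, VLAN 20 and port 1/1 are constructed; the hostname stands in for whatever "dhcp-snooping option-82 format" selects.

```python
import struct

OPT_RELAY_AGENT_INFO = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
# Sub-TLV types inside the two suboptions, following the layout on the slide.
CIRCUIT_VLAN_SLOT_PORT, CIRCUIT_STRING = 0, 1
REMOTE_STRING = 1


def _tlv(tlv_type, value):
    if len(value) > 255:
        raise ValueError("TLV value too long for a one-byte length")
    return struct.pack("!BB", tlv_type, len(value)) + value


def build_option82(vlan, slot, port, circuit_text, remote_text):
    """Encode Option 82 with the Circuit ID and Remote ID suboptions shown on the slide."""
    circuit = (_tlv(CIRCUIT_VLAN_SLOT_PORT, struct.pack("!HBB", vlan, slot, port))
               + _tlv(CIRCUIT_STRING, circuit_text.encode("ascii")))
    remote = _tlv(REMOTE_STRING, remote_text.encode("ascii"))
    return _tlv(OPT_RELAY_AGENT_INFO, _tlv(SUB_CIRCUIT_ID, circuit) + _tlv(SUB_REMOTE_ID, remote))


def iter_tlvs(buf):
    """Walk type/length/value triples; raise if a length runs past the buffer."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tlv_type, length = buf[pos], buf[pos + 1]
        value = buf[pos + 2: pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} length {length} overruns buffer")
        yield tlv_type, value
        pos += 2 + length


def parse_option82(buf):
    """Decode Option 82 into a dict; raises ValueError on any inconsistent length."""
    outer = list(iter_tlvs(buf))
    if len(outer) != 1 or outer[0][0] != OPT_RELAY_AGENT_INFO:
        raise ValueError("expected exactly one option 82")
    info = {}
    for sub_type, sub_val in iter_tlvs(outer[0][1]):
        if sub_type == SUB_CIRCUIT_ID:
            for t, v in iter_tlvs(sub_val):
                if t == CIRCUIT_VLAN_SLOT_PORT:
                    if len(v) != 4:
                        raise ValueError("vlan/slot/port sub-TLV must be 4 bytes")
                    info["vlan"], info["slot"], info["port"] = struct.unpack("!HBB", v)
                elif t == CIRCUIT_STRING:
                    info["circuit_string"] = v.decode("ascii", "replace")
        elif sub_type == SUB_REMOTE_ID:
            for t, v in iter_tlvs(sub_val):
                if t == REMOTE_STRING:
                    info["remote_string"] = v.decode("ascii", "replace")
    return info


def is_well_formed(buf):
    """True only if every nested length is consistent with the bytes actually present."""
    try:
        parse_option82(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    opt = build_option82(20, 1, 1, "sw7-6860-A", "sw7-6860-A")   # constructed values
    print(opt.hex())
    print(parse_option82(opt))
```

With a 12-byte string, the outer lengths come out as 20 and 14, matching the table; with the 10-character constructed hostname they are 18 and 12, which is why the table marks that field as variable.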
DHCP Snooping
• Displays the global DHCP Snooping configuration
-> show dhcp-snooping

• Displays the ports or VLANs on which IP source filtering is enabled


-> show dhcp-snooping ip-source-filter {vlan | port}

• Displays a list of VLANs that have DHCP Snooping enabled and whether or not MAC address verification
and Option-82 data insertion is enabled for each VLAN
-> show dhcp-snooping vlan

• Displays the trust mode and DHCP Snooping violation statistics for all switch ports and link aggregates
that are filtered by DHCP Snooping
-> show dhcp-snooping port

• Clears the DHCP violation counters.


-> dhcp-snooping clear violation-counters {port chassis/slot/port[-port2]} | slot chassis/slot |
linkagg agg_id | all}
OmniSwitch AOS R8
DHCP Server & DHCP Relay

How to
✓ Configure the DHCP Relay feature (aka IP Helper)

Contents
1 Topology ........................................................................................ 2
2 Accessing the DHCP Server .................................................................. 3
3 Testing the DHCP Relay ...................................................................... 5

1 Topology
A DHCP server provides dynamic IP addresses on lease for client interfaces on a network. It manages a pool of IP
addresses and information about client configuration parameters. The DHCP server obtains an IP address
request from the client interfaces.

After obtaining the requests, the DHCP server assigns an IP address, a lease period, and other IP configuration
parameters, such as the subnet mask and the default gateway.

The DHCP Relay feature allows UDP broadcast packets to be forwarded across VLANs that have IP routing
enabled.

2 Accessing the DHCP Server


When DHCP clients and associated servers do not reside on the same IP network or subnet, a DHCP relay agent
can transfer DHCP messages between them.

- Check if there is a route from the 6860 to the DHCP server (192.168.100.102):
sw7 (6860-A) -> show ip routes

+ = Equal cost multipath routes


Total 19 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
0.0.0.0/0 172.16.17.1 00:00:38 OSPF
10.0.0.51/32 172.16.17.1 00:00:38 OSPF
127.0.0.1/32 127.0.0.1 00:42:20 LOCAL
172.16.17.0/24 172.16.17.7 00:40:53 LOCAL
172.16.18.0/24 +172.16.17.1 00:40:09 OSPF
+172.16.78.8 00:40:09 OSPF
172.16.78.0/24 172.16.78.7 00:40:53 LOCAL
192.168.20.0/24 192.168.20.7 00:40:56 LOCAL
192.168.30.0/24 192.168.30.7 00:40:56 LOCAL
192.168.100.0/24 172.16.17.1 00:25:03 OSPF
192.168.254.1/32 172.16.17.1 00:09:59 OSPF
192.168.254.7/32 192.168.254.7 00:09:56 LOCAL
192.168.254.8/32 172.16.78.8 00:09:45 OSPF
---[ truncated]

sw7 (6860-A) -> ping 192.168.100.102


PING 192.168.100.102 (192.168.100.102) 56(84) bytes of data.
64 bytes from 192.168.100.102: icmp_seq=1 ttl=127 time=2.08 ms
64 bytes from 192.168.100.102: icmp_seq=2 ttl=127 time=0.983 ms

sw8 (6860-B) -> show ip routes

+ = Equal cost multipath routes


Total 15 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
0.0.0.0/0 172.16.18.1 6d20h STATIC
10.0.0.0/24 10.4.105.254 6d20h STATIC
10.0.0.51/32 172.16.18.1 6d20h STATIC
10.4.105.0/24 10.4.105.8 6d20h LOCAL
127.0.0.1/32 127.0.0.1 6d20h LOCAL
172.16.17.0/24 +172.16.18.1 6d20h OSPF
+172.16.78.7 6d20h OSPF
172.16.18.0/24 172.16.18.8 6d20h LOCAL
172.16.78.0/24 172.16.78.8 6d20h LOCAL
192.168.20.0/24 172.16.78.7 2d 3h OSPF
192.168.30.0/24 192.168.30.8 2d 3h LOCAL
192.168.100.0/24 172.16.18.1 6d20h OSPF
192.168.254.1/32 172.16.18.1 6d20h OSPF
192.168.254.7/32 172.16.78.7 6d20h OSPF
192.168.254.8/32 192.168.254.8 6d20h LOCAL
---[ truncated]

sw8 (6860-B) -> ping 192.168.100.102

PING 192.168.100.102 (192.168.100.102) 56(84) bytes of data.


64 bytes from 192.168.100.102: icmp_seq=1 ttl=127 time=1.98 ms
64 bytes from 192.168.100.102: icmp_seq=2 ttl=127 time=0.733 ms
64 bytes from 192.168.100.102: icmp_seq=3 ttl=127 time=0.769 ms

- Configure an IP DHCP relay on each switch:


o On the 6860-A:
sw7 (6860-A) -> ip dhcp relay destination 192.168.100.102
sw7 (6860-A) -> ip dhcp relay admin-state enable
sw7 (6860-A) -> show ip dhcp relay
IP DHCP Relay :
DHCP Relay Admin Status = Enable,
Forward Delay(seconds) = 0,
Max number of hops = 16,
Relay Agent Information = Disabled,
Relay Agent Information Policy = Drop,
DHCP Relay Opt82 Format = Base MAC,
DHCP Relay Opt82 String = e8:e7:32:d4:88:95,
PXE support = Disabled,
Relay Mode = Global,
Bootup Option = Disable,

o On the 6860-B:
Sw8 (6860-B) -> ip dhcp relay destination 192.168.100.102
Sw8 (6860-B) -> ip dhcp relay admin-state enable
sw8 (6860-B) -> show ip dhcp relay
IP DHCP Relay :
DHCP Relay Admin Status = Enable,
Forward Delay(seconds) = 0,
Max number of hops = 16,
Relay Agent Information = Disabled,
Relay Agent Information Policy = Drop,
DHCP Relay Opt82 Format = Base MAC,
DHCP Relay Opt82 String = e8:e7:32:cd:57:f3,
PXE support = Disabled,
Relay Mode = Global,
Bootup Option = Disable,

- Assign the VLAN 20 or 30 to the clients connected to the 6360 virtual chassis:
sw5 (6360-A) -> vlan 20 members port 1/1/1 untagged
sw5 (6360-A) -> vlan 20 members port 2/1/1 untagged
sw5 (6360-A) -> vlan 30 members port 1/1/2 untagged
sw5 (6360-A) -> vlan 30 members port 2/1/2 untagged

sw5 (6360-A) -> interfaces 1/1/1-2 admin-state enable


sw5 (6360-A) -> interfaces 2/1/1-2 admin-state enable

sw5 (6360-A) -> show vlan 20 members


port type status
----------+-----------+---------------
1/1/1 default forwarding
2/1/1 default forwarding
0/7 qtagged forwarding
0/8 qtagged dhl-blocking

sw5 (6360-A) -> show vlan 30 members


port type status
----------+-----------+---------------
1/1/2 default forwarding
2/1/2 default forwarding
0/7 qtagged dhl-blocking
0/8 qtagged forwarding

3 Testing the DHCP Relay


- Configure clients 5, 6, 9 and 10 to obtain an IP address and DNS server address automatically:

Tips
The IP DHCP relay feature can also be configured on a per-VLAN basis. This can be interesting if different DHCP servers must serve IP addresses for different subnets. Here, as we have a unique DHCP server, it’s not necessary.

- Check the IP DHCP relay statistics:


sw7 (6860-A) -> show ip dhcp relay statistics
Global Statistics :
Reception From Client :
Total Count = 43, Delta = 43
Forw Delay Violation :
Total Count = 0, Delta = 0
Max Hops Violation :
Total Count = 0, Delta = 0
Agent Info Violation :
Total Count = 0, Delta = 0
Invalid Gateway IP :
Total Count = 0, Delta = 0
Server Specific Statistics :
From Interface Any to Server 192.168.100.102
Tx Server :
Total Count = 43, Delta = 43
InvAgentInfoFromServer:
Total Count = 0, Delta = 0

sw8 (6860-B) -> show ip dhcp relay statistics


Global Statistics :
Reception From Client :
Total Count = 40, Delta = 40
Forw Delay Violation :
Total Count = 0, Delta = 0
Max Hops Violation :
Total Count = 0, Delta = 0
Agent Info Violation :
Total Count = 0, Delta = 0
Invalid Gateway IP :
Total Count = 0, Delta = 0
Server Specific Statistics :
From Interface Any to Server 192.168.100.102
Tx Server :
Total Count = 40, Delta = 40
InvAgentInfoFromServer:
Total Count = 0, Delta = 0
OmniSwitch R8
Quality of Service (QoS)

Objectives
Quality of Service (QoS)

At the end of this module, you will be able to:


• Understand the Quality of Service main principle
• Configure the OmniSwitch for QoS
– Condition
– Action
– Rules
• Monitor the QoS
• Prioritize automatically the IP Phone Traffic
• Policy based routing
• Remote Port Mirroring (RPM)
QOS reminder
QOS
• GOAL
• Decide which traffic needs preferential treatment and which traffic can be adequately served with best effort

• HOW IT WORKS
• QoS is implemented on the switch through the use of:
- Port-based QoS configuration
- User-defined policies
- Integration with virtual output queuing to manage egress congestion
- Auto-QOS configuration

[Figure: QoS feature map. Basic QoS: 802.1p/ToS/DSCP marking and stamping, traffic prioritization, bandwidth shaping, queuing management. Filtering: Layer 2 and Layer 3/4 ACLs. Policy Based Routing: redirecting routed traffic. ICMP Policies: filtering, prioritizing, rate limiting. Policy Based Mirroring: mirror traffic based on QoS policies (security). Access Guardian: User Network Profile]
QOS CONFIGURATION
QOS CONFIGURATION
• Step by Step

Global Parameters

Configuring Congestion Management

Configuring QoS Port Parameters

Setting Up Policies

Monitoring policies

Auto-QOS configuration
QOS CONFIGURATION
Global Parameters

Description                                                      Command/keyword
By default QoS is enabled on the switch. If QoS policies are     qos enable/disable
configured and applied, the switch attempts to classify and
apply relevant policy actions
Displays global information about QoS configuration              show qos config
Resets the QoS configuration to its defaults                     qos reset
Deletes the pending configuration                                qos revert
Flushes the configuration                                        qos flush
Apply the configuration                                          qos apply

QOS CONFIGURATION
• Step by Step

Configuring Congestion Management

[Figure: every egress port (slot 1 ports 1-20, slot 2 ports 1-12) has one QSet instance (QSI) with eight queues, and every QSI is bound to a QSet profile (QSP). QSet Profile 1, Strict Priority (SP): Q1 = SP7, Q2 = SP6, Q3 = SP5, Q4 = SP4, Q5 = SP3, Q6 = SP2, Q7 = SP1, Q8 = SP0, each 100% BW]

* Eg: QSet Profile 1 (8 SP):
[Figure: flows a (from port 1/1/1) and b (from port 1/1/2) both egress on port 1/1/3. With both in SP0, each gets 50% of the egress bandwidth. With a in SP4 and b in SP0, a is served first (strict priority) and b only gets the bandwidth a leaves]
QOS CONFIGURATION
• Step by Step

Configuring Congestion Management

The following QSet profiles (QSP) are supported:

◼ To change the QSP for a specific QSet instance (QSI)
-> qos qsi port 1/2/1 qsp 2
-> qos qsi linkagg 5 qsp 2

* Eg: QSet Profile 2 (1 EF + 7 SP):
[Figure: flows a (port 1/1/1, EF queue shaped to 20%) and b (port 1/2/1, SP5) egress on port 1/2; a is limited to 20% and b gets the remaining 80%]

⚫ To change the default QSet profile (QSP 1) to one of the other supported profiles (QSP 2, 3, or 4)
qos qsp system-default 2
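The strict-priority behaviour sketched in the QSet Profile 1 example is easy to reproduce in a simulation. The Python below is an added example and not AOS code: it schedules one transmission slot at a time, always serving the highest non-empty queue (queue index = SP level, so Q1 = SP7 wins) and round-robining between flows that share a queue. It also covers the case the slide leaves implicit: a higher-priority flow that is a finite burst rather than a saturating stream, after which the lower queue gets the link back. Flow names, queue indices and packet counts are constructed.

```python
from collections import deque


def strict_priority_schedule(flows, slots):
    """Simulate a strict-priority egress scheduler for `slots` transmission opportunities.

    flows: {name: (queue_index, packets)} where a higher queue_index is a higher SP level
           and packets is None for a flow that always has something to send.
    Returns {name: share of the slots each flow transmitted in}.
    """
    remaining = {name: packets for name, (_, packets) in flows.items()}
    queues = {}                     # queue_index -> deque of flow names (round-robin order)
    for name, (queue_index, _) in flows.items():
        queues.setdefault(queue_index, deque()).append(name)
    sent = {name: 0 for name in flows}

    for _ in range(slots):
        for queue_index in sorted(queues, reverse=True):   # highest SP level first
            dq = queues[queue_index]
            served = False
            for _ in range(len(dq)):
                name = dq.popleft()
                dq.append(name)                              # rotate for fairness within the queue
                if remaining[name] is None or remaining[name] > 0:
                    sent[name] += 1
                    if rem := remaining[name]:
                        remaining[name] = rem - 1
                    served = True
                    break
            if served:
                break                                        # lower queues get nothing this slot
    return {name: sent[name] / slots for name in flows}


def demo():
    # Constructed flows a and b competing for the same egress port, as on the slide.
    return {
        "both SP0": strict_priority_schedule({"a": (0, None), "b": (0, None)}, 100),
        "a SP4, b SP0": strict_priority_schedule({"a": (4, None), "b": (0, None)}, 100),
        "a SP4 burst of 30": strict_priority_schedule({"a": (4, 30), "b": (0, None)}, 100),
    }


if __name__ == "__main__":
    for case, shares in demo().items():
        print(f"{case:18s} -> {shares}")
```

The second case is the availability lesson behind strict priority: whatever is classified into a higher queue can starve everything below it for as long as it keeps sending, which is why the trusted-port and policy settings that decide what lands in SP7 deserve as much care as the queue profile itself.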
QOS CONFIGURATION
• Step by Step

Configuring QoS Port Parameters

-> qos port [chassis]/slot/port
[trusted]
[maximum egress-bandwidth]
[maximum ingress-bandwidth]
[default 802.1p value]
[default dscp value]
[default classification {802.1p | tos | dscp}]
[dei {ingress | egress}]

Examples:
• To limit the ingress or egress bandwidth for a QoS port
-> qos port 1/1/1 maximum egress-bandwidth 10M

• Change the 802.1p value to 7 for the port 1/1/1
-> qos port 1/1/1 default 802.1p 7

• Configure individual ports to recognize 802.1p or ToS
-> qos port 1/1/1 trusted
QOS CONFIGURATION
• Step by Step

Setting Up Policies

A policy (or a policy rule) is made up of:
1. a condition
2. an action

[Figure: the header of an incoming packet goes through packet classification in the forwarding engine; the classifier (policy database) matches a condition and applies the corresponding action. Policies are obtained from the CLI, WebView or PolicyView (OV)]

Conditions:
- L2 (source & dest): MAC, VLAN, Slot/Port, IPMS Filtering
- L3/L4: SIP, DIP, TCP/UDP/IP protocol, Source TCP/UDP port, Destination TCP/UDP port

Actions:
- Prioritization, Bandwidth shaping
- ICMP filtering, ICMP prioritizing, ICMP rate limiting
- 802.1p/ToS/DSCP marking and mapping
- Policy Based Routing (PBR) for redirecting routed traffic
- Policy Based Mirroring
- Advanced Layer 2 to 4 Filtering
- Server Load Balancing
QOS CONFIGURATION
• Step by Step

Setting Up Policies

Create a policy condition

Layer 4:
- Source TCP/UDP port
- Destination TCP/UDP port
- Service, service group, TCP flags

Layer 3:
- IP protocol, source IP, multicast IP, destination IP
- Source network group, destination network group, multicast network group
- ToS, DSCP, ICMP type, ICMP code

Layer 2:
- Source MAC, source MAC group, destination MAC, destination MAC group, 802.1p, 802.1p range, ethertype, source VLAN, destination VLAN

Layer 1:
- Source port, source port group, destination port, destination port group

-> policy condition condition_name
[source ip ip_address [mask netmask]]
[source ipv6 {any | ipv6_address [mask netmask]}]
[destination ip ip_address [mask netmask]]
[destination ipv6 {any | ipv6_address [mask netmask]}]
[multicast ip ip_address [mask netmask]]
[source network group network_group]
[destination network group network_group]
[multicast network group multicast_group]
[destination ip-port port[-port]]
[source tcp-port port[-port]]
[destination tcp-port port[-port]]
[source udp-port port[-port]]
[destination udp-port port[-port]]
[ethertype etype]
[established]
[tcpflags {any | all} flag [mask flag]]
[service service]
[service group service_group]
[icmptype type]
[icmpcode code]
[ip protocol protocol]
[ipv6]
[tos tos_value tos_mask]
[dscp {dscp_value[-value]} [dscp_mask]]
[source mac mac_address [mask mac_mask]]
[destination mac mac_address [mask mac_mask]]
[source mac group group_name]
[destination mac group mac_group]
[source vlan vlan_id]
[destination vlan vlan_id]
[802.1p 802.1p_value]
[source port slot/port[-port]]
[source port group group_name]
[destination port slot/port[-port]]
[destination port group group_name]
…

Examples

policy condition cond3 source ip 10.10.2.3

policy condition client_traffic source vlan 20

QOS CONFIGURATION
• Step by Step

Setting Up Policies

Create a policy group to include in a policy condition

- Policy port group: slot and port number combinations
  policy port group group_name slot/port[-port] [slot/port[-port]...]
- Policy MAC group: multiple MAC addresses that may be attached to a condition
  policy mac group mac_group mac_address [mask mac_mask] [mac_address2 [mask mac_mask2]...]
- Policy network group: IPv4 source or destination addresses. The default "switch" group includes all IPv4 addresses configured on the switch
  policy network group net_group ip_address [mask net_mask] [ip_address2 [mask net_mask2]...]
- Policy service group: TCP or UDP ports or port ranges (source or destination)
  policy service group service_group service_name1 [service_name2...]

• Examples

-> policy port group techports 1/1/1 3/1/1 3/2/1 3/3/1
-> policy condition cond4 source port group techports

-> policy network group netgroup3 173.21.4.0 mask 255.255.255.0 10.10.5.3
-> policy condition cond5 destination network group netgroup3

-> policy mac group macgrp2 08:00:20:00:00:00 mask ff:ff:ff:00:00:00 00:20:DA:05:f6:23
-> policy condition cond5 source mac group macgrp2
QOS CONFIGURATION
• Step by Step

Setting Up Policies

Create a policy action
- ACL (disposition drop)
- Change queuing priority
- Update ToS/DiffServ and/or 802.1p priority tags
- 802.1p/ToS/DiffServ marking
- 802.1p/ToS/DiffServ mapping
- Per-CoS max bandwidth (64K bps)
- Maximum depth
- Statistics (# of packets, # of bytes)
- Ingress policing / Egress shaping
- Port redirection
- Routed traffic redirection
- Link aggregate redirection
- Port disable
- Mirroring
- Multi-actions support
- Ingress rate limiting

-> policy action action_name
   [disposition {accept | drop | deny}]
   [shared]
   [priority priority_value]
   [maximum bandwidth bps]
   [maximum depth bytes]
   [tos tos_value]
   [802.1p 802.1p_value]
   [dscp dscp_value]
   [map {802.1p | tos | dscp} to {802.1p | tos | dscp} using map_group]
   [permanent gateway ip ip_address]
   [port-disable]
   [redirect port slot/port]
   [redirect linkagg link_agg]
   [no-cache]
   [{ingress | egress | ingress egress | no} mirror slot/port]
   [cir bps [cbs byte] [pir bps] [pbs byte] [counter-color [red-nonred | green-nongreen | green-red | green-yellow | red-yellow]]]

- Examples :

policy action action2 priority 7

policy action SetBits 802.1p 7


QOS CONFIGURATION
• Step by Step

Setting Up Policies

[Figure: does the packet match a condition? If yes, the higher-precedence policy action is used (mark, prioritize, shape, filter, mirror, …); if no, the default action is used.]

policy action – action default

Actions Defaults
Description                                                        Keyword       Default
Whether the flow matching the rule should be accepted or denied    disposition   accept
QOS CONFIGURATION
• Step by Step

Setting Up Policies

[Figure: incoming packet -> header -> packet classification (condition -> action); the policy rule applies to the outgoing traffic.]

Create a policy rule

-> policy rule rule_name [enable | disable] [precedence precedence] [condition condition]
   [action action] [validity period name | no validity period] [save] [log [log-interval seconds]]
   [count {packets | bytes}] [trap | no trap] [default-list | no default-list]

Examples :

-> policy condition c1 source ip 10.10.2.3
-> policy action a1 redirect port 1/1/2

Sets the precedence for rule r1 and turns on logging:

-> policy rule r1 precedence 200 condition c1 action a1 log
QOS CONFIGURATION
• Step by Step

Setting Up Policies

- Examples :

802.1p mapping: maps traffic destined for port 3/2 with an 802.1p value of 4 to an 802.1p value of 7

-> policy condition Traffic destination port 1/1/1 802.1p 4
-> policy action SetBits 802.1p 7
-> policy rule Rule2 condition Traffic action SetBits

Setting priority: sets traffic from 10.10.2.3 to a priority of 7

-> policy condition cond3 source ip 10.10.2.3
-> policy action action2 priority 7
-> policy rule my_rule condition cond3 action action2

Configures a validity period for rule r1

-> policy validity-period vp01 hours 13:00 to 19:00 days monday friday
-> policy rule r1 validity-period vp01
QOS CONFIGURATION
• Step by Step

Monitoring policies

• Displaying the actual number of matches for the configured rules

-> show active policy rule
Policy From Prec Enab Act Refl Log Trap Save Def Matches
R1     cli  0    Yes  Yes No   No  Yes  Yes  Yes 2
(L2/3): C1 -> QoS_Action1
R2     cli  0    Yes  Yes No   No  Yes  Yes  Yes 0
(L2/3): C2 -> QoS_Action1
R3     cli  0    Yes  Yes No   No  Yes  Yes  Yes 0
(L2/3): C3 -> QoS_Action1

• Rule match counting
- Two options to configure rule counting:
• -> policy rule <name> count packets (default)
• Every packet matching a rule is counted in the “matches” column
• -> policy rule <name> count bytes
• Same, but counts the number of bytes instead of the number of packets
QOS CONFIGURATION
• Step by Step

Monitoring policies
 Display the QoS statistics:
-> show qos statistics

 Display global information on the QoS configuration:
-> show qos config

 Display the QoS event log. This command also displays the packets dropped by the source IP filter entries:
-> show qos log

QoS SPECIFICATION
Automatic Prioritization for IP Phone Traffic
QOS CONFIGURATION
• Automatic Prioritization for IP Phone Traffic
The switch detects traffic coming from ALU phones (based on the source MAC address)

• Enabled by default on the switch, on trusted and untrusted ports: MAC address = ALE phone > priority 5; non-ALE phone > default

MAC Address Range                          Description
00:80:9F:00:00:00 to 00:80:9F:FF:FF:FF     Enterprise IP Phones Range
78:81:02:00:00:00 to 78:81:02:FF:FF:FF     Communications IP Phones Range
00:13:FA:00:00:00 to 00:13:FA:FF:FF:FF     Lifesize IP Phones Range
48:7A:55:00:00:00 to 48:7A:55:FF:FF:FF     ALE 8008 IP Phone MAC Range

• To prioritize the phone traffic instead of merely trusting it
-> qos phones [priority priority_value | trusted]

• To disable automatic IP phone traffic prioritization for the switch
-> qos no phones

• Additional MAC group
- The alaPhones MAC group must be redefined:
policy mac group alaPhones 00:80:9f:00:00:00 mask ff:ff:ff:00:00:00
Policy Based Routing
Policy Based Routing (PBR)
• QoS policies that override the normal routing mechanism for traffic matching the policy condition
- Redirect untrusted traffic to a proxy/firewalling server
- i.e. specific source traffic (e.g. HTTP, FTP) can be redirected to a cache engine
- Virtual inline deployment
- Done in hardware

[Figure: routers R1, R2 and R3 interconnecting the networks 20.0.0.0/8, 24.0.0.0/8, 10.0.0.0/8, 191.24.0.0/16, 190.27.3.0/24 and 150.21.0.0/16; traffic from source 20.0.0.0/8 is redirected to the firewall.]
Policy Based Routing (PBR)
• Conditions
- IP protocol (e.g. ICMP, TCP, UDP)
- Source IP address (or network group)
- Destination IP address (or network group)
- Source TCP/UDP port
- Destination TCP/UDP port
- Source TCP/UDP service
- Destination TCP/UDP service
- Source TCP/UDP service group
- Destination TCP/UDP service group
- TOS, DSCP
- Source VLAN
- Source slot/port
- Source slot/port group
• Action
- Define gateway to be used overriding the routing database
- Can be set to local next hop IP or remote hop IP
- -> policy action <action_name> permanent gateway ip <ip address>
Policy Based Routing - Example
• All traffic originating in the 10.10.0.0 network is routed through the firewall, regardless of whether a route exists
-> policy condition Traffic10 source ip 10.10.0.0 mask 255.255.0.0
-> policy action Firewall permanent gateway ip 192.168.99.254
-> policy rule Redirect_All condition Traffic10 action Firewall

[Figure: networks 10.10.0.0 and 20.10.0.0 behind the switch; the firewall/gateway 192.168.99.254 sits on 192.168.99.0 behind port 2/1, and the Internet is reached via 192.168.10.0. Traffic is either routed back by the firewall or sent on to other destinations (unknown DA).]

Policy Based Routing - Example
• Traffic from the firewall is sent back to the switch to be re-routed
- Adding the source port to the condition prevents that traffic from being caught in a loop
-> policy condition TrafficFromFW source ip 10.10.0.0 mask 255.255.0.0 source port 2/1/1
-> policy action To_Internet permanent gateway ip 192.168.10.254
-> policy rule Redirect_Internet condition TrafficFromFW action To_Internet
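The condition / action / rule model of the previous slides (highest-precedence match wins, default disposition accept) and the two PBR rules above can be exercised with a small simulator; this is an added example, not ALE code, and the `precedence 100` it gives Redirect_Internet is an assumption (the slides leave both PBR rules at the default precedence, which is exactly the tie the simulator flags).

```python
"""Toy model of the OmniSwitch QoS policy pipeline described on these slides.
Constructed example, not ALE code: it loads the page's own policy condition /
action / rule commands and classifies sample packets as the slides describe
(highest-precedence matching rule wins, unmatched flows get the default
disposition 'accept', 'permanent gateway ip' overrides the route lookup).
The 'precedence 100' on Redirect_Internet is an assumption added here so the
firewall-return rule beats the broader Redirect_All rule."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    in_port: str                    # ingress slot/port, e.g. "2/1/1"
    vlan: int = 1
    dot1p: int = 0


@dataclass
class Condition:
    src_net: Optional[ipaddress.IPv4Network] = None
    src_port: Optional[str] = None
    src_vlan: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src_net is None or ipaddress.ip_address(p.src_ip) in self.src_net)
                and (self.src_port is None or p.in_port == self.src_port)
                and (self.src_vlan is None or p.vlan == self.src_vlan))


@dataclass
class Action:
    disposition: str = "accept"     # default from the 'Actions Defaults' table
    dot1p: Optional[int] = None     # 802.1p marking
    gateway: Optional[str] = None   # permanent gateway ip (PBR)


CONDITIONS: Dict[str, Condition] = {}
ACTIONS: Dict[str, Action] = {}
RULES: Dict[str, Tuple[str, str, int]] = {}   # name -> (condition, action, precedence)

# Keywords of the page's commands that this toy understands; others are ignored.
KEYWORDS = (r"(source ip|source port|source vlan|mask|disposition|802\.1p|"
            r"permanent gateway ip|precedence|condition|action) (\S+)")


def load(line: str) -> None:
    """Accept one '-> policy condition|action|rule NAME key value ...' command."""
    kind, name, rest = line.replace("->", "").split(maxsplit=3)[1:]
    kw = dict(re.findall(KEYWORDS, rest))
    if kind == "condition":
        net = None
        if "source ip" in kw:       # no mask keyword means a host (/32) match
            net = ipaddress.IPv4Network(
                f'{kw["source ip"]}/{kw.get("mask", "255.255.255.255")}', strict=False)
        CONDITIONS[name] = Condition(net, kw.get("source port"),
                                     int(kw["source vlan"]) if "source vlan" in kw else None)
    elif kind == "action":
        ACTIONS[name] = Action(kw.get("disposition", "accept"),
                               int(kw["802.1p"]) if "802.1p" in kw else None,
                               kw.get("permanent gateway ip"))
    elif kind == "rule":
        RULES[name] = (kw["condition"], kw["action"], int(kw.get("precedence", 0)))
    else:
        raise ValueError(f"unsupported command: {line}")


def classify(p: Packet) -> dict:
    """Return the action the switch would apply to packet p."""
    hits = [(prec, name, act) for name, (cond, act, prec) in RULES.items()
            if CONDITIONS[cond].matches(p)]
    if not hits:                    # nothing matched: the default action applies
        return {"rule": None, "disposition": "accept", "dot1p": p.dot1p,
                "gateway": None, "ambiguous": False}
    top = max(h[0] for h in hits)
    best = [h for h in hits if h[0] == top]
    a = ACTIONS[best[0][2]]
    # Two matching rules with equal precedence: the slides do not say which
    # wins, so flag the result instead of silently picking one.
    return {"rule": best[0][1], "disposition": a.disposition,
            "dot1p": a.dot1p if a.dot1p is not None else p.dot1p,
            "gateway": a.gateway, "ambiguous": len(best) > 1}


# Commands taken from the slides; only 'precedence 100' is added here.
for _cmd in (
    "-> policy condition client_traffic source vlan 20",
    "-> policy action priority_5 802.1p 5",
    "-> policy rule rule1 condition client_traffic action priority_5",
    "-> policy condition Traffic10 source ip 10.10.0.0 mask 255.255.0.0",
    "-> policy action Firewall permanent gateway ip 192.168.99.254",
    "-> policy rule Redirect_All condition Traffic10 action Firewall",
    "-> policy condition TrafficFromFW source ip 10.10.0.0 mask 255.255.0.0 source port 2/1/1",
    "-> policy action To_Internet permanent gateway ip 192.168.10.254",
    "-> policy rule Redirect_Internet precedence 100 condition TrafficFromFW action To_Internet",
):
    load(_cmd)
```

A packet from 10.10.0.0/16 arriving on any user port is sent to the firewall, the same packet coming back in on 2/1/1 goes to the Internet gateway, and a VLAN 20 flow is marked 802.1p 5; loading a second rule at the same precedence as Redirect_All makes `classify()` report the match as ambiguous.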
Remote Port Mirroring (RPM)
Remote Port Mirroring (RPM)
• Allows traffic to be carried over the network to a remote switch
• Achieved by using a dedicated remote port mirroring VLAN
• RPM VLAN has to be configured on the source, destination and intermediate switches
• No other traffic is allowed on that VLAN

• The following types of traffic will not be mirrored:
- Link Aggregation Control Protocol (LACP), 802.1AB (LLDP), 802.1x port authentication, 802.3ag (OAM), Layer 3 control packets, Generic Attribute Registration Protocol (GARP)

[Figure: source switch (source port) -> intermediate switch -> destination switch (destination port), linked by the RPM VLAN.]
Policy Based Mirroring
• Mirroring is done based on a QoS policy instead of a specific port
- 1 session supported at any given time
• As with port-based mirroring, it can be done on incoming or outgoing traffic, or both
- policy action mirror
• Mirror traffic based on
- Source & destination addresses
- Address pairs
- Protocols
- VLAN classification
• Port mirroring and monitoring cannot be configured on the same port

[Figure: a mirroring policy matches ingress, egress or both ingress & egress packets; the policy action and port assignment direct the traffic to the mirror port.]
Policy Based Mirroring
• Example 1
• -> policy condition c1 source ip 1.1.1.1
• -> policy action a1 ingress egress mirror 1/1/1
• -> policy rule r1 condition c1 action a1
• -> qos apply

- Policy rule r1 will cause all packets with a source IP of 1.1.1.1 to be ingress and egress mirrored to port 1/1/1

• Example 2
• -> policy condition c1 source ip 1.1.1.1
• -> policy action a2 ingress egress mirror 1/1/1 disposition drop
• -> policy rule r2 condition c1 action a2
• -> qos apply
- Policy rule r2 drops traffic with a source IP of 1.1.1.1, but the mirrored traffic from this source is not dropped and
is forwarded to port 1/1/1
OmniSwitch AOS R8
Quality of Service (QoS)

How to
✓ Configure Quality of Service rules on the OmniSwitches (R6/R8)

Contents
1 Introduction .................................................................................... 2
2 Configuring Port Default 802.1P/ToS/DSCP ............................................... 3
3 Configuring Trusted Ports .................................................................... 3
3.1. Example 1 ........................................................................................... 3
3.2. Example 2 ........................................................................................... 4
4 Configuring the Policies ...................................................................... 4
5 Configuring User ports Security ............................................................. 7

1 Introduction
By default, the QoS feature is enabled on an OmniSwitch. If QoS policies are configured and applied, the switch
will attempt to classify traffic and apply relevant policy actions.

Notes
In this lab, we will not cover all the QoS features. The main objective of this lab is to provide an overview
about how to configure the QoS. For more information, read the Policy Condition Combination table in the
Network Configuration Guide for a list of valid combinations.

Diagram containing all the devices that will be used during this lab:

- Before beginning, reset all the QoS parameters back to default (6360-A):
sw5 (6360-A) -> qos flush
sw5 (6360-A) -> qos apply
sw5 (6360-A) -> show qos config
QoS Configuration
Admin = enable,
Trust ports = no,
Log lines = 10240,
Log level = 6,
Log console = no,
Forward log = no,
User-port filter = spoof ,
User-port shutdown = none,
Phones = trusted,
DEI Mapping = disable,
DEI Marking = disable,
Pending changes = none

2 Configuring Port Default 802.1P/ToS/DSCP


By default, the port default values for 802.1p and ToS/DSCP are 0. To change the default 802.1p or ToS/DSCP
settings for a port, use the qos port default 802.1p or qos port default dscp command.
- Change the 802.1p value to 7 for the port 1/1/1:
sw5 (6360-A) -> show qos port 1/1/1
Slot/ Default Default Bandwidth DEI
Port Active Trust P/DSCP Classification Physical Ingress Egress Map Mark Type
-------+-------+-----+------+--------------+----------+-------+------+------+------+-------------
1/1/1 Yes No 0/ 0 DSCP 100M - - No No ethernet-100M

sw5 (6360-A) -> qos port 1/1/1 default 802.1p 7

sw5 (6360-A) -> show qos port 1/1/1


Slot/ Default Default Bandwidth DEI
Port Active Trust P/DSCP Classification Physical Ingress Egress Map Mark Type
-------+-------+-----+------+--------------+----------+-------+------+------+------+-------------
1/1/1 Yes No 7/ 0 DSCP 100M - - No No ethernet-100M

Notes
In this example above:
- Any untagged traffic (traffic without any 802.1p settings) arriving on port 1/1/1 will be tagged with an
802.1p value of 7 (highest priority).
- If the port is configured to be untrusted, any tagged traffic will be tagged with an 802.1p value of 7.
- If the port is configured to be trusted, any tagged traffic will preserve the 802.1p value in the flow.

By default, switched ports are untrusted.

3 Configuring Trusted Ports

3.1. Example 1

- To configure individual ports to recognize 802.1p or ToS, use the qos port trusted command with the
desired slot/port number:

sw5 (6360-A) -> qos port 1/1/1 trusted

sw5 (6360-A) -> qos apply

sw5 (6360-A) -> show qos port 1/1/1

Slot/ Default Default Bandwidth DEI


Port Active Trust P/DSCP Classification Physical Ingress Egress Map Mark Type
-------+-------+-----+------+--------------+----------+-------+------+------+------+-------------
1/1/1 Yes +Yes 7/ 0 DSCP 100M - - Yes No ethernet-100M

Notes
In this example above, the qos port trusted command specifies that the port will be able to recognize and trust
the 802.1p bits. The global setting is active immediately; however, modifying a port configuration requires qos
apply to activate the change.

3.2. Example 2
- In the following example:
o A policy condition “Traffic” is created to classify traffic containing 802.1p bits set to 4.
o The policy action “SetBits” specifies that the bits will be changed to 7 when the traffic leaves
the switch
o A policy rule called 802.1p_rule puts the condition and the action together.

sw5 (6360-A) -> policy condition Traffic 802.1p 4

sw5 (6360-A) -> policy action SetBits 802.1p 7

sw5 (6360-A) -> policy rule 802.1p_rule condition Traffic action SetBits

sw5 (6360-A) -> qos apply

Notes
802.1p mapping may also be set for Layer 3 traffic, which typically has the 802.1p bits set to 0.

- In the above example, what would happen if ingress traffic on chassis 1 slot 1 port 1 was tagged with an
802.1p value of 5?
----------------------------------------------------------------------------------------------------------------------------- ------

- To view the QoS configuration:


sw5 (6360-A) -> show policy condition
Condition name : Traffic
802.1p = 4

sw5 (6360-A) -> show policy action


Action name : SetBits
802.1p = 7

sw5 (6360-A) -> show policy rule


Rule name : 802.1p_rule
Condition name = Traffic,
Action name = SetBits

4 Configuring the Policies

Let’s consider that the devices located in the VLAN 20 are employees, and the devices located in the VLAN 30
are contractors. We want to prioritize employees’ traffic over contractors’ traffic.

- To create a policy rule to prioritize the traffic from VLAN 20:


o Create a condition for the traffic that you want to prioritize (ex. client_traffic)
o Create an action to prioritize the traffic as highest priority (ex. priority_5)
o Combine the condition and the action into a policy rule (ex. rule1)

sw5 (6360-A) -> policy condition client_traffic source vlan 20


sw5 (6360-A) -> policy action priority_5 802.1p 5
sw5 (6360-A) -> policy rule rule1 condition client_traffic action priority_5

- The rule is not active on the switch until it has been applied:
sw5 (6360-A) -> show active policy rule
Rule name : 802.1p_rule
Condition name = Traffic,
Action name = SetBits

sw5 (6360-A) -> qos apply

sw5 (6360-A) -> show active policy rule


Rule name : 802.1p_rule
Condition name = Traffic,
Action name = SetBits

Rule name : rule1


Condition name = client_traffic,
Action name = priority_5,
Packets = 163,
Bytes = 10249

- In the following example, any flow coming from VLAN 20 is sent to a queue supporting its maximum
bandwidth requirement. Via the QoS feature, it is also possible to modify the policy action that you
created earlier to limit the maximum bandwidth:
sw5 (6360-A) -> policy action priority_5 maximum bandwidth 100k
sw5 (6360-A) -> qos apply

sw5 (6360-A) -> show policy action priority_5


Action name : priority_5
Maximum bandwidth = 100K,
802.1p = 5

- The bandwidth can be specified in abbreviated units, in this case, 100k (= 100 kilo bytes).
- Check the resulting configuration:
sw5 (6360-A) -> show policy condition
Condition name : Traffic
802.1p = 4

Condition name : client_traffic


Source VLAN = 20

sw5 (6360-A) -> show policy action


Action name : SetBits
802.1p = 7

Action name : priority_5


Maximum bandwidth = 100K,
802.1p = 5

sw5 (6360-A) -> show policy rule


Rule name : 802.1p_rule
Condition name = Traffic,
Action name = SetBits

Rule name : rule1


Condition name = client_traffic,
Action name = priority_5

- To specify a precedence value for a rule, use the policy rule command with the precedence keyword:
sw5 (6360-A) -> policy rule rule1 precedence 1000 condition client_traffic action priority_5

- Launch a ping from client 5 (which is in the VLAN 20) to client 9:


C:\> ping 192.168.20.xx (check ip address allocated dynamically to client 9)

- Check the active rule result:


sw5 (6360-A) -> show active policy rule
Rule name : 802.1p_rule
Condition name = Traffic,
Action name = SetBits
Rule name : rule1
Condition name = client_traffic,
Action name = priority_5,
Packets = 12555,
Bytes = 756988,
Green Packets = 6982

As it doesn’t exceed the maximum bandwidth, it should work.


- Now, try to launch a ping by specifying a greater datagram size:
Client5 C:\> ping -l 65000 192.168.20.Xx (check ip address allocated dynamically to client 9)

- Check the active rule result:


sw5 (6360-A) -> show active policy rule
Rule name : 802.1p_rule
Condition name = Traffic,
Action name = SetBits
Rule name : rule1
Condition name = client_traffic,
Action name = priority_5,
Packets = 13527,
Bytes = 1068548,
Green Packets = 7386,
Red Packets = 148

Notes: Green, Yellow, Red?


Tri-Color Marking (TCM) statistics; the number of packets/bytes that are marked Green (low drop precedence),
Yellow (high drop precedence), and Red (always drop).

- Your ping is now using a greater bandwidth, so it shouldn’t work.
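A small parser for the show active policy rule output above, which flags the rules whose tri-color meter is dropping packets; this is an added example, not ALE code, and the sample output is re-typed from the lab run on this page.

```python
"""Parse 'show active policy rule' output and flag rules whose meter is
dropping traffic. Constructed example, not ALE code; the sample output below
is re-typed from the lab run above, so the counters are the page's values."""
import re
from typing import Dict, List

SAMPLE = """\
sw5 (6360-A) -> show active policy rule
Rule name : 802.1p_rule
Condition name = Traffic,
Action name = SetBits
Rule name : rule1
Condition name = client_traffic,
Action name = priority_5,
Packets = 13527,
Bytes = 1068548,
Green Packets = 7386,
Red Packets = 148
"""


def parse_active_rules(text: str) -> List[Dict[str, object]]:
    """Return one dict per 'Rule name :' block; numeric fields become ints."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = re.match(r"\s*Rule name\s*:\s*(\S+)", line)
        if m:                                   # start of a new rule block
            rules.append({"rule": m.group(1)})
            continue
        m = re.match(r"\s*([A-Za-z0-9. ]+?)\s*=\s*([^,]+),?\s*$", line)
        if m and rules:                         # 'Key = value,' line of the current block
            key, val = m.group(1).strip(), m.group(2).strip()
            rules[-1][key] = int(val) if val.isdigit() else val
    return rules


def metered_drops(rules: List[Dict[str, object]]) -> Dict[str, float]:
    """Rules whose TCM counters show Red (always-drop) packets, mapped to the
    share of matched packets that were dropped. 'Packets' is the rule's total
    match count, of which the Green/Yellow/Red counters are the coloured part."""
    out: Dict[str, float] = {}
    for r in rules:
        red, total = r.get("Red Packets", 0), r.get("Packets", 0)
        if red and total:
            out[str(r["rule"])] = round(int(red) / int(total), 4)
    return out
```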


- To remove an action parameter or return the parameter to its default, use no with the relevant
keyword:
sw5 (6360-A) -> policy action priority_5 no maximum bandwidth

- By default, rules are enabled. Rules may be disabled or re-enabled through the policy rule command:
sw5 (6360-A) -> policy rule rule1 disable
sw5 (6360-A) -> qos apply
sw5 (6360-A) -> show active policy rule
Rule name : 802.1p_rule
Condition name = Traffic,
Action name = SetBits

sw5 (6360-A) -> policy rule 802.1p_rule disable


sw5 (6360-A) -> qos apply
sw5 (6360-A) -> show active policy rule
No active rules

- Once testing is complete, remove the condition, action and rule:


sw5 (6360-A) -> no policy rule rule1
sw5 (6360-A) -> no policy rule 802.1p_rule
sw5 (6360-A) -> no policy action priority_5
sw5 (6360-A) -> no policy action SetBits
sw5 (6360-A) -> no policy condition Traffic
sw5 (6360-A) -> no policy condition client_traffic
sw5 (6360-A) -> qos apply
sw5 (6360-A) -> show active policy rule
No active rules

Tips > Logs

- Logging a rule may also be useful for determining such things as the source of attacks. Often, at least when
initially configuring your rules, it is recommended to use the log option to monitor how your policies are being
used. To log information about flows that match the policy rule rule1:
sw5 (6360-A) -> policy rule rule1 log
- To check the logs:
sw5 (6360-A) -> show qos log

5 Configuring User ports Security


If network protocols, like STP, are not blocked from user ports, a rogue device can use these protocols and
disrupt normal network operation.

- To prevent IP source address spoofing, add ports to the port group called UserPorts:

sw5 (6360-A) -> policy port group UserPorts 1/1/1-2

Notes
This port group does not need to be used in a condition or rule to be effective on flows, and it only applies to
routed traffic. Ports added to the UserPorts group will block spoofed traffic while still allowing normal traffic
on the port.

- To avoid any loop in the network, any user access port used will be blocked if a Spanning Tree frame is
received:
sw5 (6360-A) -> qos user-port shutdown bpdu
OmniVista™ 2500 NMS
Solution Overview

The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE.
Lesson Summary
Solution Overview
At the end of this presentation, you will be able to:
• Describe the OmniVista 2500 Purpose
• List the OmniVista 2500 Main Features
Introduction
◼ OmniVista 2500
⚫ Network Management System (NMS)
⚫ Unified Management / Monitoring / Provisioning of LAN & WLAN devices:
 ALE OmniSwitch Switches
 ALE OmniAccess Stellar Access Points
 3rd Party Devices

[Figure: OmniVista 2500 provisions, manages and maintains ALE OmniSwitches, ALE Stellar APs and 3rd party devices.]
Installation & Administration
◼ Installation
⚫ OmniVista 2500 = Virtual Appliance
 Hypervisors: VMware ESXi, VirtualBox, MS Hyper-V, KVM
◼ Administration
⚫ Web Interface
Home Page
◼ Applications
⚫ Accessible via a drop
down menu

◼ Dashboard
⚫ OV 2500 Home Page
⚫ Applications widgets
 Quick overview
 Customizable
(add/remove…)
Applications

NETWORK
- Discovery
- Topology
- AP Registration
- SAA
- Locator
- Notifications
- VM Manager
- Analytics
- Application Visibility
- Provisioning
- IoT

CONFIGURATION
- VLANs
- VXLANs
- IP Multicast
- CLI Scripting
- PolicyView
- SIP
- Captive Portal
- Groups
- App Launch
- Report
- Resource Manager
- Settings

UNIFIED ACCESS
- Unified Profile
- Unified Policy
- Multimedia Services
- Paid Account Services

SECURITY
- Users and User Groups
- Authentication Servers
- Quarantine Manager

ADMINISTRATION
- Control Panel
- Preferences
- Audit
- License
- OV System Health

UPAM
- Summary
- Authentication
- Guest Access
- BYOD Access

WLAN
- SSIDs
- Wireless Intrusion Protection System (WIPS)
- RF Management
- Heat Map
- Floor Plan
- Client
Main Features

• Unified LAN & WLAN Management
• Essential configuration functions
• Simplified user interface

• Device Inventory / Software Update
• Network devices inventory
• Devices backup/restore/update

[Figure: provision, manage, maintain / backup, restore, update]
Main Features

• Notifications
• Display traps generated by the devices
• Perform an action when receiving urgent/important traps (send a mail, run an application, forward the trap…)

• Topology
• Topology view of all the discovered devices
• View information about a specific device
• Perform certain actions (edit/telnet/reboot a device)
Main Features

• Analytics
• View of network resources utilization (users, devices, applications)
• Reports generation (usage trends, predictive analysis of future network utilization…)

• Application Visibility
• Identify and restrict usage of applications that are used by users (ex. Facebook)
• Uses the DPI feature (Deep Packet Inspection)

[Figure: analytics and application bandwidth views]
Main Features

• Floor Plan
• Determine optimal placement of access points in a location

• Heat Map
• Create & organize Wi-Fi coverage maps (“Heat Maps”)

[Figure: floor plan and heat map views]
Main Features

• Guest Access & BYOD (Bring Your Own Device)
• Secured guest access management
• BYOD: onboarding of employee devices

• Captive Portal
• Integrated captive portal with credentials management (email, social login, Rainbow...)
• External captive portal redirection

[Figure: guests go through the captive portal into the guests VLAN (restricted access); employee devices (BYOD) go into the employees VLAN (full access).]
Main Features

• High Availability
• 1 OV2500 Master / 1 OV2500 Standby
• Avoid loss of service

• Internet of Things (IoT)
• Automatic discovery of all IoT devices across the network
• Virtual network segmentation
• Information on each IoT device connected (device type, vendor, network location…)
• Real-time and historical summary of IoT activity

[Figure: master and standby OV2500; IoT devices segmented into a “cameras” VLAN and a “door locks” VLAN, each with its own rules.]
Main Features

• Troubleshooting
• Embedded troubleshooting tools
• Rapid isolation of network issues

• APIs
• Northbound RESTful APIs
• Integration of network management functions with 3rd party ecosystem applications

[Figure: 3rd party application integrating with OmniVista 2500 through its APIs]
OmniSwitch AOS R8
OmniVista 2500 NMS-E

OmniVista 2500 NMS Access & OmniSwitches_basic_features

How to
✓ Access to the OmniVista 2500 NMS server
✓ Test connectivity between the OmniVista 2500 and the OmniSwitches
✓ Discover & Manage the OmniSwitches from the OmniVista 2500

Contents
1 Introduction .................................................................................... 3
2 Topology ........................................................................................ 3
3 Powering On the OmniVista 2500 NMS Virtual Machine .................................. 4
4 Configuring the SNMP ......................................................................... 6
4.1. Configuring SNMP in the 6360 VC ................................................................. 6
4.2. Configuring SNMP in the 6900 Virtual Chassis ................................................. 12
4.3. Configuring SNMP in the 6860A .................................................................. 13
4.4. Configuring SNMP in the 6860B .................................................................. 13

5 Discovering the OmniSwitches in the OmniVista 2500 ................................. 14


5.1. Connect to the OmniVista 2500 ................................................................. 14
5.2. Create a Discovery Profile ....................................................................... 15
5.3. Discover the new devices ........................................................................ 15
6 Displaying the Network Topology ......................................................... 16
7 Creating a VLAN ............................................................................. 18

1 Introduction
Your company has just bought a set of OmniSwitches and wants to manage them using a centralized platform.
The OmniVista 2500 NMS is a management system that will be used to monitor and configure the switches.

In this lab, your task is to set up the basic parameters needed on the OmniSwitches and the OmniVista server so
that the switches can be discovered in the OmniVista and arranged on a map, so the physical links between
them can be monitored.

2 Topology

The OmniVista 2500 NMS Virtual Appliance has already been deployed in the R-Lab infrastructure. Its
initial parameters (IP address, size of network, license) have also been configured

The OmniVista 2500 server is configured with an IP address of 192.168.100.107/24



3 Powering On the OmniVista 2500 NMS Virtual Machine

- Open the vSphere client and log into vCenter:


o Make sure that Use Windows session credentials is checked
o Click on Login button to login into vCenter:

- Select the Virtual Machine PodX_OV (X = R-Lab Number), then right-click on it and select Snapshot ->
Snapshot Manager…:

Warning
THE NAME OF THE VM MAY BE DIFFERENT ACCORDING TO THE OV VERSION INSTALLED IN THE POD.
MAKE SURE THAT YOU ARE SELECTING THE “OV…” VM.

- In the Snapshot Manager window, Select OV-Init and click on Go to.

- Click Yes to confirm reverting to the snapshot, then click Close:

- Check the progress in the Status Bar, at the bottom of the screen.
- Once it is completed, right-click on the VM PodX_OV and select Power -> Power On

Tips
It takes 10-15 minutes for the OmniVista 2500 NMS virtual machine to boot up completely. You cannot access it
right away. Continue with the following part to learn how to configure the OmniSwitches parameters. You will
come back to the OmniVista later in this lab.

4 Configuring the SNMP


SNMP is the communication protocol between the OmniSwitches and the OmniVista 2500 NMS.

Your task is to configure the SNMP on the access switches (6360 Virtual Chassis).

For the Access training (215), this configuration has already been done on the core and distribution
switches. It has not for the Bootcamp (220) and Advanced (216) trainings.

4.1. Configuring SNMP in the 6360 VC


- Allow access to all management interfaces including SNMP:
sw5 (6360-A) -> aaa authentication default local
sw5 (6360-A) -> aaa authentication snmp local

- Create an SNMP user account with read-write rights, using SHA authentication and DES privacy (sha+des):
sw5 (6360-A) -> user snmpuserv3 read-write all password Superuser01= sha+des

Fri Jun 25 22:53:15 : AAA Switch-Access INFO message:


+++ User snmpuserv3 created by admin.

- Declare the OmniVista Server as management station (ex. IP@ of OV2500 Server: 192.168.100.107):
sw5 (6360-A) -> snmp station 192.168.100.107 snmpuserv3 v3 enable

- We will use the Loopback0 IP interface address for the communication between the OmniVista and the
OmniSwitches. Manage the Loopback0 on the switch:
sw5 (6360-A) -> ip interface Loopback0 address 192.168.254.5

sw5 (6360-A) -> show ip interface


Total 3 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.5 255.255.255.255 UP YES Loopback0
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001

- Select the IP interface as source for the SNMP protocol:


sw5 (6360-A) -> ip service source-ip Loopback0 snmp

sw5 (6360-A) -> show ip service source-ip


Legend: - no explicit configuration

Application Interface-name
-------------+--------------------------------
dns -
ftp -
ldap -
ntp -
radius -
sflow -
snmp Loopback0
ssh -
swlog -
tacacs -
telnet -
tftp -

- Ping the OmniVista via the source interface Loopback0:


sw5 (6360-A) -> ping 192.168.100.107 source-interface Loopback0
PING 192.168.100.107 (192.168.100.107) from 192.168.254.5 : 56(84) bytes of data.
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable

--- 192.168.100.107 ping statistics ---


6 packets transmitted, 0 received, 100% packet loss, time 5110ms

- As it is not working, check the IP routes table on the switch:


sw5 (6360-A) -> show ip routes

+ = Equal cost multipath routes


Total 4 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
10.0.0.0/24 10.4.5.254 3d19h STATIC
10.4.5.0/24 10.4.5.5 3d19h LOCAL
127.0.0.1/32 127.0.0.1 3d19h LOCAL
192.168.254.5/32 192.168.254.5 00:04:58 LOCAL

- There is no route on the OS6360 VC to reach the network 192.168.100.0

- Check the presence of a route to the network 192.168.100.0 on the 6860-A and 6860-B:
sw7 (6860-A) -> show ip routes

+ = Equal cost multipath routes


Total 13 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
0.0.0.0/0 172.16.17.1 18:12:16 STATIC
10.0.0.51/32 172.16.17.1 18:12:16 STATIC
127.0.0.1/32 127.0.0.1 18:14:22 LOCAL
172.16.17.0/24 172.16.17.7 18:13:13 LOCAL
172.16.18.0/24 +172.16.17.1 18:12:18 OSPF
+172.16.78.8 18:12:18 OSPF
172.16.78.0/24 172.16.78.7 18:13:13 LOCAL
----[truncated]---
192.168.20.0/24 192.168.20.7 18:13:13 LOCAL
192.168.30.0/24 192.168.30.7 18:13:13 LOCAL
192.168.100.0/24 172.16.17.1 18:12:16 OSPF
192.168.254.1/32 172.16.17.1 18:12:18 OSPF
192.168.254.7/32 192.168.254.7 18:14:22 LOCAL
192.168.254.8/32 172.16.78.8 18:12:18 OSPF
----[truncated]---

sw8 (6860-B) -> show ip routes

+ = Equal cost multipath routes


Total 15 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------

0.0.0.0/0 172.16.18.1 7d16h STATIC


10.0.0.0/24 10.4.105.254 7d16h STATIC
10.0.0.51/32 172.16.18.1 7d16h STATIC
10.4.105.0/24 10.4.105.8 7d16h LOCAL
127.0.0.1/32 127.0.0.1 7d16h LOCAL
172.16.17.0/24 +172.16.18.1 18:14:20 OSPF
+172.16.78.7 18:13:31 OSPF
172.16.18.0/24 172.16.18.8 7d16h LOCAL
172.16.78.0/24 172.16.78.8 18:14:26 LOCAL
192.168.20.0/24 192.168.20.8 18:44:15 LOCAL
192.168.30.0/24 192.168.30.8 2d23h LOCAL
----[truncated]---
192.168.100.0/24 172.16.18.1 7d16h OSPF
192.168.254.1/32 172.16.18.1 7d16h OSPF
192.168.254.7/32 172.16.78.7 18:13:31 OSPF
192.168.254.8/32 192.168.254.8 7d16h LOCAL
----[truncated]---

- Try to ping the OmniVista from the 6860-A and the 6860-B:
sw7 (6860-A) -> ping 192.168.100.107 source-interface Loopback0
PING 192.168.100.107 (192.168.100.107) from 192.168.254.7 : 56(84) bytes of data.
64 bytes from 192.168.100.107: icmp_seq=1 ttl=63 time=0.729 ms
64 bytes from 192.168.100.107: icmp_seq=2 ttl=63 time=0.562 ms
64 bytes from 192.168.100.107: icmp_seq=3 ttl=63 time=0.577 ms

sw8 (6860-B) -> ping 192.168.100.107 source-interface Loopback0


PING 192.168.100.107 (192.168.100.107) from 192.168.254.8 : 56(84) bytes of data.
64 bytes from 192.168.100.107: icmp_seq=1 ttl=63 time=1.82 ms
64 bytes from 192.168.100.107: icmp_seq=2 ttl=63 time=1.24 ms
64 bytes from 192.168.100.107: icmp_seq=3 ttl=63 time=0.571 ms

To be able to reach the OmniVista 2500 from the 6360 VC, a default route must be created on it.

Notes > Reminder: Connection between the 6360 VC and the 6860s
The 6360 is connected to both 6860s:
- Connection to the 6860-A through the link aggregation 7 (VLAN 57)
- Connection to the 6860-B through the link aggregation 8 (VLAN 57)

- Create an IP interface for the VLAN 57 on the 6360-A VC:


sw5 (6360-A) -> ip interface int_57 address 192.168.57.5/24 vlan 57

sw5 (6360-A) -> show ip interface


Total 4 interfaces
Flags (D=Directly-bound)
Name IP Address Subnet Mask Status Forward Device Flags
--------------------------------+---------------+---------------+------+-------+---------+------
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.5 255.255.255.255 UP YES Loopback0
admin 10.4.5.5 255.255.255.0 UP YES vlan 4001
int_57 192.168.57.5 255.255.255.0 UP YES vlan 57

- Create an IP interface to the VLAN 57 on the 6860-A:


sw7 (6860-A) -> ip interface int_57 address 192.168.57.7/24 vlan 57

sw7 (6860-A) -> show ip interface


Total 9 interfaces
Flags (D=Directly-bound)
Name IP Address Subnet Mask Status Forward Device Flags
--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CHAS1 10.4.105.7 255.255.255.0 UP NO EMP
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.7 255.255.255.255 UP YES Loopback0
int_20 192.168.20.7 255.255.255.0 UP YES vlan 20
int_217 172.16.17.7 255.255.255.0 UP YES vlan 217
int_278 172.16.78.7 255.255.255.0 UP YES vlan 278
int_30 192.168.30.7 255.255.255.0 UP YES vlan 30
int_57 192.168.57.7 255.255.255.0 UP YES vlan 57

- Redistribute this local route into OSPF:

sw7 (6860-A) -> ip route-map localIntoOspf sequence-number 10 match ip-address 192.168.57.0/24 permit
Notes >
For trainees attending the access training (215): dynamic routing protocols are fully explained in the advanced training.
The objective of this command is to update the routing tables on the core switches automatically via the OSPF protocol.

Before the command: route not known in the 6860-A table. After the command: route available (distributed via OSPF).

- Create an IP interface to the VLAN 57 on the 6860-B:


sw8 (6860-B) -> ip interface int_57 address 192.168.57.8/24 vlan 57
sw8 (6860-B) -> show ip interface
Total 9 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.8 255.255.255.255 UP YES Loopback0
admin 10.4.105.8 255.255.255.0 UP YES vlan 4001
int_20 192.168.20.8 255.255.255.0 UP YES vlan 20
int_218 172.16.18.8 255.255.255.0 UP YES vlan 218
int_278 172.16.78.8 255.255.255.0 UP YES vlan 278
int_30 192.168.30.8 255.255.255.0 UP YES vlan 30
int_57 192.168.57.8 255.255.255.0 UP YES vlan 57

- Redistribute this local route into OSPF:

sw8 (6860-B) -> ip route-map localIntoOspf sequence-number 10 match ip-address 192.168.57.0/24 permit
Notes >
For trainees attending the access training (215): dynamic routing protocols are fully explained in the advanced training.
The objective of this command is to update the routing tables on the core switches automatically via the OSPF protocol.

Before the command: route not known in the 6900-A table. After the command: route available (distributed via OSPF).

- Launch a ping between the 6360 VC and the 6860-A/6860-B:

sw5 (6360-A) -> ping 192.168.57.7


PING 192.168.57.7 (192.168.57.7) 56(84) bytes of data.
64 bytes from 192.168.57.7: icmp_seq=1 ttl=64 time=14.1 ms
64 bytes from 192.168.57.7: icmp_seq=2 ttl=64 time=1.19 ms
64 bytes from 192.168.57.7: icmp_seq=3 ttl=64 time=1.21 ms
64 bytes from 192.168.57.7: icmp_seq=4 ttl=64 time=1.20 ms
^C
--- 192.168.57.7 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 1.193/4.444/14.166/5.613 ms

sw5 (6360-A) -> ping 192.168.57.8


PING 192.168.57.8 (192.168.57.8) 56(84) bytes of data.
64 bytes from 192.168.57.8: icmp_seq=1 ttl=64 time=20.5 ms
64 bytes from 192.168.57.8: icmp_seq=2 ttl=64 time=3.24 ms
64 bytes from 192.168.57.8: icmp_seq=3 ttl=64 time=2.40 ms
64 bytes from 192.168.57.8: icmp_seq=4 ttl=64 time=5.19 ms
64 bytes from 192.168.57.8: icmp_seq=5 ttl=64 time=1.89 ms
64 bytes from 192.168.57.8: icmp_seq=6 ttl=64 time=2.76 ms

--- 192.168.57.8 ping statistics ---


6 packets transmitted, 6 received, 0% packet loss, time 5006ms
rtt min/avg/max/mdev = 1.899/6.019/20.597/6.601 ms
sw5 (6360-A) ->

- Manage 2 default routes on the 6360 VC:
  o One going through the 6860-A (metric 1)
  o The other one going through the 6860-B (metric 2)

sw5 (6360-A) -> ip static-route 0.0.0.0/0 gateway 192.168.57.7 metric 1
sw5 (6360-A) -> ip static-route 0.0.0.0/0 gateway 192.168.57.8 metric 2

- Try to ping the OmniVista internal address from the int_57 interface:
sw5 (6360-A) -> ping 192.168.100.107 source-interface int_57
PING 192.168.100.107 (192.168.100.107) from 192.168.57.5 : 56(84) bytes of data.
64 bytes from 192.168.100.107: icmp_seq=1 ttl=62 time=1.99 ms
64 bytes from 192.168.100.107: icmp_seq=2 ttl=62 time=2.19 ms
64 bytes from 192.168.100.107: icmp_seq=3 ttl=62 time=2.06 ms
64 bytes from 192.168.100.107: icmp_seq=4 ttl=62 time=2.26 ms
64 bytes from 192.168.100.107: icmp_seq=5 ttl=62 time=2.77 ms
64 bytes from 192.168.100.107: icmp_seq=6 ttl=62 time=1.90 ms

- As we want to use the Loopback0 to communicate with the OmniVista, launch a ping from the Loopback0
interface:
sw5 (6360-A) -> ping 192.168.100.107 source-interface Loopback0
PING 192.168.100.107 (192.168.100.107) from 192.168.254.5 : 56(84) bytes of data.

--- 192.168.100.107 ping statistics ---


6 packets transmitted, 0 received, 100% packet loss, time 5099ms

- Why is it not working?


----------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------

- Check the routes on the 6860-A and 6860-B:


sw7 (6860-A) -> show ip routes

+ = Equal cost multipath routes


Total 14 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
---
192.168.254.1/32 172.16.17.1 18:37:51 OSPF
192.168.254.7/32 192.168.254.7 18:39:55 LOCAL
192.168.254.8/32 172.16.78.8 18:37:51 OSPF
----

sw8 (6860-B) -> show ip routes

+ = Equal cost multipath routes


Total 16 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
----
192.168.254.1/32 172.16.18.1 7d16h OSPF
192.168.254.7/32 172.16.78.7 18:38:38 OSPF
192.168.254.8/32 192.168.254.8 7d16h LOCAL
-----

There is no return route!



- Create the return route on each 6860 (via the gateway 192.168.57.5):

sw7 (6860-A) -> ip static-route 192.168.254.5/32 gateway 192.168.57.5

sw8 (6860-B) -> ip static-route 192.168.254.5/32 gateway 192.168.57.5

- Redistribute this static route into OSPF:

sw7 (6860-A) -> ip route-map "staticIntoOspf" sequence-number 10 action permit
sw7 (6860-A) -> ip route-map staticIntoOspf sequence-number 10 match ip-address 192.168.254.5/32 permit
sw7 (6860-A) -> ip redist static into ospf route-map "staticIntoOspf" admin-state enable

sw8 (6860-B) -> ip route-map "staticIntoOspf" sequence-number 10 action permit
sw8 (6860-B) -> ip route-map staticIntoOspf sequence-number 10 match ip-address 192.168.254.5/32 permit
sw8 (6860-B) -> ip redist static into ospf route-map "staticIntoOspf" admin-state enable

Notes >
For trainees attending the access training (215): dynamic routing protocols are fully explained in the advanced training.
The objective of these commands is to update the routing tables on the core switches automatically via the OSPF protocol.

Notes
These static routes are automatically advertised across the core network by the routing process
running between the core switches (6900 and 6860).

- Check that the route also appears on the 6900-A:


sw1 (6900-A) -> show ip routes

---
192.168.254.5/32 +172.16.17.7 00:00:10 OSPF
+172.16.18.8 00:00:14 OSPF
-----

- Try to ping the OmniVista internal address through the Loopback0 interface:
sw5 (6360-A) -> ping 192.168.100.107 source-interface Loopback0
PING 192.168.100.107 (192.168.100.107) from 192.168.254.5 : 56(84) bytes of data.
64 bytes from 192.168.100.107: icmp_seq=1 ttl=62 time=1.20 ms
64 bytes from 192.168.100.107: icmp_seq=2 ttl=62 time=0.995 ms
64 bytes from 192.168.100.107: icmp_seq=3 ttl=62 time=0.972 ms
64 bytes from 192.168.100.107: icmp_seq=4 ttl=62 time=1.12 ms
64 bytes from 192.168.100.107: icmp_seq=5 ttl=62 time=0.983 ms
64 bytes from 192.168.100.107: icmp_seq=6 ttl=62 time=0.998 ms

--- 192.168.100.107 ping statistics ---


6 packets transmitted, 6 received, 0% packet loss, time 5004ms
rtt min/avg/max/mdev = 0.972/1.045/1.206/0.096 ms
sw5 (6360-A) ->
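The two-way reachability check behind this troubleshooting, as an added example that is not part of the course material: a small longest-prefix-match model built from a subset of the routing tables shown above (6860-A path only), which assumes that the OmniVista server uses the 6900-A int_100 address as its default gateway.

```python
"""Model of the lab's asymmetric-routing problem: the 6360 VC (sw5) reaches
OmniVista through its default route, but the echo reply has no route back to
Loopback0 (192.168.254.5) until a return route exists on the 6860-A and,
through OSPF redistribution, on the 6900-A. Route tables are a constructed
subset of the show ip routes output in the lab; the 6860-B path is omitted."""
import copy
import ipaddress

LOCAL = "local"  # marker for a directly connected (LOCAL) route

# node -> {destination prefix: next hop}
ROUTES = {
    "sw5": {  # 6360-A VC after the default route via 6860-A was added
        "0.0.0.0/0": "192.168.57.7",
        "192.168.57.0/24": LOCAL,
        "192.168.254.5/32": LOCAL,
    },
    "sw7": {  # 6860-A
        "0.0.0.0/0": "172.16.17.1",
        "172.16.17.0/24": LOCAL,
        "192.168.57.0/24": LOCAL,
        "192.168.100.0/24": "172.16.17.1",  # learned by OSPF
        "192.168.254.7/32": LOCAL,
    },
    "sw1": {  # 6900-A; 192.168.57.0/24 is known because sw7 redistributed it
        "172.16.17.0/24": LOCAL,
        "192.168.57.0/24": "172.16.17.7",   # OSPF (localIntoOspf on sw7)
        "192.168.100.0/24": LOCAL,          # int_100, OmniVista's subnet
        "192.168.254.1/32": LOCAL,
    },
}

# interface address -> owning node (from the show ip interface output)
OWNER = {
    "192.168.57.5": "sw5", "192.168.254.5": "sw5",
    "192.168.57.7": "sw7", "172.16.17.7": "sw7", "192.168.254.7": "sw7",
    "172.16.17.1": "sw1", "192.168.100.1": "sw1", "192.168.254.1": "sw1",
}

# Assumption: the OmniVista server (192.168.100.107) uses int_100 of the
# 6900-A as its default gateway, so every reply starts its lookup on sw1.
OV_SERVER, OV_GATEWAY = "192.168.100.107", "sw1"


def lookup(table, dst):
    """Longest-prefix match; returns the next hop, LOCAL, or None (no route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        network = ipaddress.ip_network(prefix)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop)
    return best[1] if best else None


def trace(routes, start, dst, max_hops=8):
    """Forward hop by hop until dst is directly connected; returns (ok, path)."""
    node, path = start, [start]
    for _ in range(max_hops):
        next_hop = lookup(routes[node], dst)
        if next_hop is None:
            return False, path          # dropped: no route on this node
        if next_hop == LOCAL:
            return True, path           # dst is on a directly connected subnet
        node = OWNER.get(next_hop)
        if node is None:
            return False, path          # next hop is not a modelled device
        path.append(node)
    return False, path


def ping_ok(routes, src_node, src_ip, dst_ip=OV_SERVER, reply_from=OV_GATEWAY):
    """A ping succeeds only if the echo request AND the echo reply are routable."""
    there, _ = trace(routes, src_node, dst_ip)
    back, _ = trace(routes, reply_from, src_ip)
    return there and back


def with_return_route(routes):
    """Copy of the tables after the fix from the lab: a static route to
    192.168.254.5/32 on the 6860-A, redistributed into OSPF so that the 6900-A
    learns it with the 6860-A as next hop."""
    fixed = copy.deepcopy(routes)
    fixed["sw7"]["192.168.254.5/32"] = "192.168.57.5"   # ip static-route on sw7
    fixed["sw1"]["192.168.254.5/32"] = "172.16.17.7"    # learned via staticIntoOspf
    return fixed


if __name__ == "__main__":
    for label, table in (("before", ROUTES), ("after", with_return_route(ROUTES))):
        for src in ("192.168.57.5", "192.168.254.5"):
            state = "ok" if ping_ok(table, "sw5", src) else "FAILS"
            print(f"{label} the return route: ping from {src}: {state}")
```

Running it reproduces the lab: before the fix only the ping sourced from int_57 succeeds, after it both sources work.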

4.2. Configuring SNMP in the 6900 Virtual Chassis

- Allow access to all management interfaces including SNMP:


Sw1 (6900-A) -> aaa authentication default local
Sw1 (6900-A) -> aaa authentication snmp local

- Create an SNMP user account, set the read-write rights, and enable the SHA+DES encryption:
Sw1 (6900-A) -> user snmpuserv3 read-write all password Superuser01= sha+des

- Declare the OmniVista Server as management station (ex. IP@ of OV 2500 Server: 192.168.100.107):
Sw1 (6900-A) -> snmp station 192.168.100.107 snmpuserv3 v3 enable
sw1 (6900-A) -> write memory flash-synchro

4.3. Configuring SNMP in the 6860A

- Allow access to all management interfaces including SNMP:


Sw7 (6860-A) -> aaa authentication default local
Sw7 (6860-A) -> aaa authentication snmp local

- Create an SNMP user account, set the read-write rights, and enable the SHA+DES encryption:
Sw7 (6860-A) -> user snmpuserv3 read-write all password Superuser01= sha+des

- Declare the OmniVista Server as management station (ex. IP@ of OV 2500 Server: 192.168.100.107):
Sw7 (6860-A) -> snmp station 192.168.100.107 snmpuserv3 v3 enable
sw7 (6860-A) -> write memory flash-synchro

4.4. Configuring SNMP in the 6860B

- Allow access to all management interfaces including SNMP:


Sw8 (6860-B) -> aaa authentication default local
Sw8 (6860-B) -> aaa authentication snmp local

- Create an SNMP user account, set the read-write rights, and enable the SHA+DES encryption:
Sw8 (6860-B) -> user snmpuserv3 read-write all password Superuser01= sha+des

- Declare the OmniVista Server as management station (ex. IP@ of OV 2500 Server: 192.168.100.107):
Sw8 (6860-B) -> snmp station 192.168.100.107 snmpuserv3 v3 enable
sw8 (6860-B) -> write memory flash-synchro

The Configuration of the OmniSwitches is now complete. The next step consists in discovering the
OmniSwitches in the OmniVista 2500 NMS.

5 Discovering the OmniSwitches in the OmniVista 2500


Your next task is the discovery of the OmniSwitches in the OmniVista. The following procedure applies to all
new or existing devices that you want to manage from the platform.

5.1. Connect to the OmniVista 2500


- Launch a Web Browser from the Remote Desktop client and enter the following URL according to the
diagram: https://10.4.Pod#.208:8443.

Notes
The Remote-Lab is configured for the OmniVista 2500 NMS platform to be reached directly from the Windows
Desktop of the access machine, allowing easier access.

- Launch a web browser from the Windows desktop and enter the following URL (see diagram below):
https://10.4.Pod#.208:8443.

- Enter the credentials (admin/switch), then click on Sign In.



5.2. Create a Discovery Profile


- Select Network > Discovery > Discovery Profiles:
Click on the “+” button to add a new Discovery profile.

- In the Create Discovery Profile screen, General section, enter the following parameters:
Name: Training
CLI/FTP User Name: admin
CLI/FTP Password: switch
Confirm CLI/FTP Password: switch

- Below the General section, click on SNMP, and enter the following parameters:
SNMP Version: SNMPv3
Timeout (msec): 5000
Retry count: 3
User Name: snmpuserv3
Auth & Priv Protocol: SHA+DES
Auth Password: Superuser01=
Confirm Auth Password: Superuser01=
Priv Password: Superuser01=
Confirm Priv Password: Superuser01=

- Click on Create to finish the creation of the Discovery Profile.

5.3. Discover the new devices


- Select Managed Devices on the left menu and then click on Discover New Devices on the top right.
- Select the “+” button on the right and enter the following parameters:
Start IP: 192.168.254.0
End IP: 192.168.254.8
Subnet Mask: 255.255.255.0
Description: Training Switch

- Click on the box to select the Training profile from Choose Discovery Profiles
- Click on “+” to move it to the right

- Click Create and select the ranges from the list (click on the box) and select Discover Now.

- The discovery process will start. Click on Finish when the discovery is completed.
- You should see the discovered devices in the Managed Devices window. You can also find additional
information about the status of the switch, its IP address, the type of switch discovered, and the
firmware version used.

6 Displaying the Network Topology


The last task consists in arranging the switches in a map. This makes monitoring the devices easier: the
connections between them are always shown, and because the links are continuously updated you can easily
identify a link failure in your network.

- Click on Network > Topology > Physical Network


- On the top right, click on Map Level Action and then on New map
- Give your network map a Name:
Map Name: training-map

- Select and Add all the discovered switches to this map (click on the square and then “+”) or use the add
item icon (> or >>)
- Then click Create
- Arrange the switches according to the initial diagram so all the links are displayed

Any active link is automatically detected by OmniVista through LLDP.



If a link is not being shown in the map, select the switch and look for the Operations window
on the right. Select Poll Device or Poll Link and then wait for a moment to synchronize.

- Left click on a switch to see the various options. From the menu on the right you have the capability to
manage your switches.

Your network can now be managed and monitored from the OmniVista 2500 NMS platform.

7 Creating a VLAN
The OmniSwitches that have been discovered in the OmniVista 2500 can now be configured from the
OmniVista web administration page. To demonstrate that, we will create, in this part, a VLAN and its
dedicated IP interface on the OmniSwitch 6900-A, all from the OmniVista.

- Create the VLAN 110 on the 6900-A from the OmniVista 2500 web page:
> Select CONFIGURATION > VLANS > VLAN
> Click on Create VLAN by Devices button

1. Devices Selection
> VLAN IDs: 110
> VLAN(s) Description: SERVERS
> Click on the Add/Remove Devices
> Select the 6900-A (192.168.254.1), then click on > to add it as selected
> Click on OK
> Click on Next

2. VLAN Configuration
> Check that Admin Status = Enabled
> Click on Next

3. Default Port Assignment


> For each switch, click on Add Port
> Select the port 1/1/1
> Click on OK
> Click on Next

4. Q-Tagged Port Assignment


> Click on Next (skip this part)

5. Review
> Review the information
> Click on Create

- Create the IP interface int_110 for this new VLAN 110:


> Select CONFIGURATION > VLANS > IP Interface
> Click on the + button
> Name: int_110
> IP Address: 192.168.110.1
> Subnet Mask: 255.255.255.0
> Device Type: VLAN
> VLAN ID: 110
> Devices: select the OS6900-A (192.168.254.1), then click on > to add it as selected
> Click on Create

- Check that the VLAN and IP interface are now displayed in the 6900-A:
sw1 (6900-A) -> show vlan
vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Ena Dis 1500 VLAN 1
100 std Ena Ena Ena 1500 VLAN 100
110 std Ena Dis Ena 1500 SERVERS
217 std Ena Ena Ena 1500 VLAN 217
218 std Ena Ena Ena 1500 VLAN 218
4094 vcm Ena Ena Dis 1500 VCM IPC
--

sw1 (6900-A) -> show vlan 110 members


port type status
----------+-----------+---------------
1/1/1 default inactive

sw1 (6900-A) -> show ip interface


Total 10 interfaces
Flags (D=Directly-bound)

Name IP Address Subnet Mask Status Forward Device Flags


--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CHAS1 10.4.11.1 255.255.255.0 UP NO EMP
EMP-CHAS2 10.4.11.2 255.255.255.0 UP NO EMP
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
EMP-CMMA-CHAS2 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.1 255.255.255.255 UP YES Loopback0
int_100 192.168.100.1 255.255.255.0 UP YES vlan 100
int_110 192.168.110.1 255.255.255.0 DOWN NO vlan 110
---
int_217 172.16.17.1 255.255.255.0 UP YES vlan 217
int_218 172.16.18.1 255.255.255.0 UP YES vlan 218

- Activate the interface 1/1/1 (where Client 1 is connected):


sw1 (6900-A) -> interfaces 1/1/1 admin-state enable

sw1 (6900-A) -> show ip interface


Total 11 interfaces
Flags (D=Directly-bound)
Name IP Address Subnet Mask Status Forward Device Flags
--------------------------------+---------------+---------------+------+-------+---------+------
EMP-CHAS1 10.4.5.1 255.255.255.0 UP NO EMP
EMP-CHAS2 10.4.5.2 255.255.255.0 UP NO EMP
EMP-CMMA-CHAS1 0.0.0.0 0.0.0.0 DOWN NO EMP
EMP-CMMA-CHAS2 0.0.0.0 0.0.0.0 DOWN NO EMP
Loopback 127.0.0.1 255.255.255.255 UP NO Loopback
Loopback0 192.168.254.1 255.255.255.255 UP YES Loopback0
int-110 192.168.110.1 255.255.255.0 UP YES vlan 110
int_100 192.168.100.1 255.255.255.0 UP YES vlan 100
int_120 192.168.120.1 255.255.255.0 UP YES vlan 120
int_217 172.16.17.1 255.255.255.0 UP YES vlan 217
int_218 172.16.18.1 255.255.255.0 UP YES vlan 218

- For the next lab, configure the following IP address for the Client 1
Client 1:
IP address = 192.168.110.51
Subnet mask = 255.255.255.0
Default Gateway = 192.168.110.1
Preferred DNS Server = 10.0.0.51

- Redistribute this local route into OSPF:

sw1 (6900-A) -> ip route-map localIntoOspf sequence-number 10 match ip-address 192.168.110.0/24 permit
Notes >
For trainees attending the access training: dynamic routing protocols are fully explained in the advanced training.
The objective of this command is to update the routing tables on the core switches automatically via the OSPF protocol.

Before the command: route not known in the 6860-A table. After the command: route available (distributed via OSPF).
OmniSwitch R8
Access Control Lists (ACL)

Objectives
Access Control Lists (ACL)

At the end of this module, you will be able to:
• Understand the benefits of using ACLs
• Implement ACLs on an OmniSwitch
• Use the advanced ACL groups
Access Control Lists (ACL)
QoS

GOAL
• QoS policies are used to control whether or not packet flows are allowed or denied at the switch or router interface

HOW IT WORKS
⚫ Policies for ACLs are created in the same manner as QoS policies
⚫ Customizable groups for conditions:
   Network group
   MAC group
   Service group
   Port group

QoS feature overview (diagram):
   Basic QoS 802.1p/ToS/DSCP: Marking, Stamping, Traffic prioritization, Bandwidth shaping, Queuing management
   Filtering: Layer 2 and Layer 3/4 ACLs, ICMP Policies
   Policy Based Routing: Routed traffic redirecting
   Policy Based Mirroring: Mirror traffic based on QoS policies
   Access Guardian: User Network Profile
   Filtering, Prioritizing, Rate limiting traffic (security)

Access Control Lists (ACL)

• Packet classification

PACKET CLASSIFICATION (diagram): an incoming packet is matched against a policy rule, made of a policy condition
and a policy action (accept | drop | deny); the resulting disposition (FORWARD / BLOCK) is applied to the outgoing traffic.

LAYER 2 ACL CONDITION KEYWORDS
   source mac
   source mac group
   destination mac
   destination mac group
   source vlan
   source port
   source port group
   destination port
   destination port group
   ethertype
   802.1p

LAYER 3 ACL CONDITION KEYWORDS
   source ip
   source ipv6
   source network group
   destination ip
   destination ipv6
   destination network group
   source ip port
   destination ip port
   service
   service group
   ip protocol
   ipv6
   nh
   flow-label
   destination port
   destination port group
   icmptype
   icmpcode
   TOS
   DSCP
   source tcp port
   destination tcp port
   source udp port
   destination udp port
   established
   Tcpflags

MULTICAST ACL CONDITION KEYWORDS
   multicast ip
   multicast network group
   destination ip
   destination vlan
   destination port
   destination port group
   destination mac
   destination mac group
policy rule rule_name [enable | disable] [precedence precedence] [condition condition]
[action action] [validity-period name] [save] [log [log-interval seconds]]
[count {packets | bytes}] [trap] [default-list]

policy rule rule_name no {validity-period | save | log | trap | default-list}

no policy rule rule_name


Access Control Lists (ACL)
• Step by Step

Global Parameters

Setting Up Policies

Configuration Examples

Monitoring policies
Access Control Lists (ACL)
• Step by Step

Global Parameters

Description                                                        Command/keyword
By default QoS is enabled on the switch. If QoS policies           qos enable/disable
are configured and applied, the switch attempts to
classify and apply relevant policy actions
Resets the QoS configuration to its defaults                       qos reset
Deletes the pending configuration                                  qos revert
Flushes the configuration                                          qos flush
Apply the configuration                                            qos apply

* By default, flows that do not match any policies are accepted on the switch
Access Control Lists (ACL)
• Step by Step

Setting Up Policies

(Diagram: PACKET CLASSIFICATION, POLICY RULE = CONDITION + ACTION, DISPOSITION ACCEPT OR DENIED; the Layer 2,
Layer 3 and Multicast ACL condition keyword tables are repeated from the previous slide.)

1  -> policy port group pgroup1 1/1/1-5 2/1/1-2
2  -> policy condition c2 source port group pgroup1
3  -> policy action a1 disposition accept
4  -> policy rule rule7 precedence 65535 condition c2 action a1
5  -> qos apply
Access Control Lists (ACL)
• Step by Step

Configuration Examples

- Layer 2 ACL:
- Allows all bridged traffic except for traffic matching the source MAC address and VLAN 5

-> policy condition Cond-Deny-Host1 source mac D4:85:64:EC:33:EF source vlan 5
-> policy action Act-deny-Host1 disposition deny
-> policy rule Rule-Deny-Host1 condition Cond-Deny-Host1 action Act-deny-Host1 log
-> qos apply

- Layer 3 ACL:
- Deny traffic from the source IP addresses included in netgroup1

-> policy network group netgroup1 192.168.82.0 mask 255.255.255.0 192.60.83.0
-> policy condition lab1 source network group netgroup1
-> policy action deny_traffic disposition deny
-> policy rule lab_rule1 condition lab1 action deny_traffic precedence 65535
-> qos apply
Access Control Lists (ACL)
• Step by Step

Configuration Examples

- Layer 3 ACL:
- Drop the traffic with a source IP address of 192.68.82.0, a source IP port of 23, using protocol 6 on the switch

-> policy condition addr2 source ip 192.68.82.0 destination tcp-port 23
-> policy action Block disposition deny
-> policy rule FilterL31 condition addr2 action Block

- Layer 3 ACL:
- Flows coming into the switch destined for any of the IP addresses specified in GroupA are allowed on the switch

-> policy network group GroupA 192.60.22.1 192.60.22.2 192.60.22.0

-> policy condition cond7 destination network group GroupA

-> policy action Ok disposition accept

-> policy rule FilterL32 condition cond7 action Ok
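The decision logic these examples rely on (highest precedence first, first match wins, and the default accept of unmatched flows from the Global Parameters slide), as an added Python model of the four rules above; this is example code, not AOS code, and the packet fields and the equal-precedence tie-break by configuration order are assumptions of the model.

```python
"""Model of how the ACL examples on these slides are evaluated: rules are
tried from highest to lowest precedence, the first matching rule decides, and
a flow matching no rule is accepted. Added example, not AOS code: the switch
matches in hardware, only the decision logic is reproduced here."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def group(*members):
    """'policy network group' members: 'a.b.c.d mask m.m.m.m' or a bare host address."""
    return [ipaddress.ip_network(m.replace(" mask ", "/"), strict=False) for m in members]


def in_group(address, members):
    return any(ipaddress.ip_address(address) in network for network in members)


@dataclass
class Packet:
    """Constructed packet: only the fields the slide conditions look at."""
    src_mac: str = ""
    src_vlan: int = 0
    src_ip: str = "0.0.0.0"
    dst_ip: str = "0.0.0.0"
    ip_protocol: int = 0
    dst_port: int = 0


@dataclass
class Condition:
    """One 'policy condition'; every keyword that is set must match (AND)."""
    source_mac: Optional[str] = None
    source_vlan: Optional[int] = None
    source_ip: Optional[str] = None
    source_network_group: Optional[List] = None
    destination_network_group: Optional[List] = None
    destination_tcp_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        checks = [
            (self.source_mac, lambda: p.src_mac.lower() == self.source_mac.lower()),
            (self.source_vlan, lambda: p.src_vlan == self.source_vlan),
            (self.source_ip, lambda: p.src_ip == self.source_ip),
            (self.source_network_group, lambda: in_group(p.src_ip, self.source_network_group)),
            (self.destination_network_group, lambda: in_group(p.dst_ip, self.destination_network_group)),
            # a tcp-port keyword implies IP protocol 6
            (self.destination_tcp_port, lambda: p.ip_protocol == 6 and p.dst_port == self.destination_tcp_port),
        ]
        return all(check() for value, check in checks if value is not None)


@dataclass
class Rule:
    """'policy rule': condition + action (the disposition) + precedence."""
    name: str
    condition: Condition
    disposition: str            # accept | deny | drop
    precedence: int = 0
    log: bool = False


# The four rules configured on the Configuration Examples slides
RULES = [
    Rule("Rule-Deny-Host1", Condition(source_mac="D4:85:64:EC:33:EF", source_vlan=5), "deny", log=True),
    Rule("lab_rule1", Condition(source_network_group=group("192.168.82.0 mask 255.255.255.0", "192.60.83.0")),
         "deny", precedence=65535),
    Rule("FilterL31", Condition(source_ip="192.68.82.0", destination_tcp_port=23), "deny"),
    Rule("FilterL32", Condition(destination_network_group=group("192.60.22.1", "192.60.22.2", "192.60.22.0")),
         "accept"),
]


def evaluate(rules, packet):
    """Return (disposition, name of the matching rule or None). The highest
    precedence is tried first; rules with equal precedence keep configuration
    order (an assumption of this model). No match means the flow is accepted."""
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if rule.condition.matches(packet):
            return rule.disposition, rule.name
    return "accept", None


if __name__ == "__main__":
    samples = {
        "host1 on VLAN 5": Packet(src_mac="d4:85:64:ec:33:ef", src_vlan=5),
        "netgroup1 source towards GroupA": Packet(src_ip="192.168.82.10", dst_ip="192.60.22.1"),
        "telnet from 192.68.82.0": Packet(src_ip="192.68.82.0", ip_protocol=6, dst_port=23),
        "unmatched flow": Packet(src_ip="10.0.0.1", dst_ip="10.0.0.2"),
    }
    for label, pkt in samples.items():
        print(f"{label}: {evaluate(RULES, pkt)}")
```

The second sample shows why lab_rule1 carries precedence 65535: a source in netgroup1 is denied even when its destination is in GroupA, which FilterL32 would otherwise accept.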


Access Control Lists (ACL)
• Step by Step

Monitoring policies

-> show qos statistics

-> show qos config

-> show qos log

-> show active policy rules


Advanced ACL Security Features
• UserPorts
- Reserved Group
- Used by default to prevent spoofed IP addresses on ports
Packets received on the port are dropped if they contain a source IP network address that does not match the IP subnet for the port
Done by creating a port group called UserPorts and adding the ports to that group

-> policy port group UserPorts slot/port[-port] [slot/port[-port]...]

- Profiles can be configured to drop additional traffic such as RIP, OSPF, VRRP, DHCP, DNS, … or BPDUs
- To configure the filtering of spoofed, RIP, OSPF and BGP packets:
-> qos user-port {filter | shutdown}
{spoof|bgp|bpdu|rip|ospf|vrrp|dvmrp|pim|isis|dhcpserver|dns-reply}

-> policy port group UserPorts 1/1-24 2/1-24 3/1/1 4/1/1


-> qos user-port filter spoof rip ospf bgp

-> show qos log



12/17/10 14:27:39 12/17/16 14:27:39 Spoofed traffic triggered user-port shutdown of interface 1/1/21

Advanced ACL Security Features
• DropServices
- Reserved Group
- Used in conjunction with UserPorts to drop TCP/UDP packets
- Any services belonging to this group will be dropped if seen on ports included in the UserPorts group
-> policy service tcp135 destination tcp port 135
-> policy service tcp445 destination tcp port 445
-> policy service udp137 destination udp port 137
-> policy service group DropServices tcp135 tcp445 udp137
-> policy port group UserPorts 1/1/1-24
- Drops all the defined traffic seen on ports 1/1/1-24 in the UserPorts group

• Port Disable rule


- Used to administratively disable an interface when matching a policy rule
-> policy condition c1 source tcp port 1-1023
-> policy action a1 port-disable
-> policy rule r1 condition c1 action a1
-> policy port group UserPorts 1/1/1
- Shuts down port 1/1/1 when a packet with a source TCP port in the range 1-1023 is received
Advanced ACL Security Features
• ICMP drop rules
• Allows for configuring rules to drop ICMP requests and replies (Pings)
-> policy condition pingEchoRequest source vlan 10 icmptype 8
-> policy action drop disposition drop
-> policy rule noping10 condition pingEchoRequest action drop
Drops all ICMP echo requests (icmptype 8) from VLAN 10

• TCP connection rules


- Established. Allows established TCP connections
- Tcpflags. Allows examination of specific TCP flags

• Configurable recovery timer that automatically re-enables the port
- When not configured, or configured to 0, the port will not be automatically re-enabled

-> interfaces violation-recovery-time <num>
- Time interval after which the UserPorts ports are re-enabled automatically once they have been disabled
administratively because a specified type of traffic was received

-> interfaces violation-recovery-trap {enable | disable}
- Makes the UserPorts ports send out a port violation recovery trap when they get re-enabled after the
timeout
Advanced ACL Security Features
• Early ARP discard
• Limits the number of ARP packets sent to the CPU
• ARP packets not destined for the switch are not processed
• Enabled by default
• ARPs intended for use by a local subnet, AVLAN, VRRP, and Local Proxy ARP are not discarded

• ARP ACLs
• Source IP address examination in the header of ARP packets

• Directed Broadcasts
• IP datagram sent to the broadcast address of a subnet the user is not on
• Generates a large number of responses to a spoofed host
-> ip directed-broadcast disable
OmniSwitch AOS R8
Access Control Lists (ACLs)

How to
✓ Setting up Access Control Lists (ACLs) on the OmniSwitches (R6/R8)
Contents
1 Introduction .................................................................................... 2
1.1. Retrieving client’s information ................................................................... 2
2 Filtering L2 traffic ............................................................................ 3
3 Using the ICMP Filter ......................................................................... 3
4 Filtering HTTP & FTP Traffic ................................................................ 4
4.1. Filtering the FTP Traffic (OmniSwitch 6360 VC) ............................................... 4
4.1.1. Checking the access to the FTP Server .................................................................. 4
4.1.2. Testing the FTP Access .................................................................................... 4
4.2. Checking the HTTP Access ......................................................................... 5
4.3. Filtering the HTTP Traffic ......................................................................... 5
4.4. Testing the Configuration ......................................................................... 5
1 Introduction

1.1. Retrieving client’s information


For this lab, you need the MAC addresses of client 5 and client 9.
- Retrieve them from the MAC address table of the 6360 VC (the addresses shown below are examples; those of your clients may differ):

sw5 (6360-A) -> show mac-learning port 1/1/1


Legend: Mac Address: * = address not valid,
Mac Address: & = duplicate static address,

Domain Vlan/SrvcId[ISId/vnId] Mac Address Type Operation Interface


------------+----------------------+-------------------+------------------+-------------+-----------------
VLAN 20 00:50:56:90:22:3c dynamic bridging 1/1/1

sw5 (6360-A) -> show mac-learning port 1/1/2


Legend: Mac Address: * = address not valid,
Mac Address: & = duplicate static address,

Domain Vlan/SrvcId[ISId/vnId] Mac Address Type Operation Interface


------------+----------------------+-------------------+------------------+-------------+-----------------
VLAN 30 00:50:56:90:05:d4 dynamic bridging 1/1/2

2 Filtering L2 traffic
- First, reset the ACL/QoS configuration to its default settings:
sw5 (6360-A) -> qos reset
sw5 (6360-A) -> qos flush
sw5 (6360-A) -> qos apply

- Start a continuous ping from Client 5 to the gateway (192.168.20.254):

- Deny all the Layer 2 traffic coming from the Client 5:


sw5 (6360-A) -> policy condition cond1 source mac <Client 5 MAC address>
sw5 (6360-A) -> policy action DenyTraffic disposition deny
sw5 (6360-A) -> policy rule Filter1 condition cond1 action DenyTraffic
sw5 (6360-A) -> qos apply

- Is the ping still working?


--------------------------------------------------------------------------------------------------------------------------

- Once the test is done, reset the default bridged disposition:


sw5 (6360-A) -> qos flush
sw5 (6360-A) -> qos reset
sw5 (6360-A) -> qos apply

3 Using the ICMP Filter


In the following example, we want to forbid an ICMP connection (ping) from the client 5 to the database
server (192.168.110.51).

- Start a continuous ping from Client 5 to the database server (192.168.110.51):

- Configure the ICMP filter:


sw5 (6360-A) -> policy condition icmpCondition source mac <Client 5 Mac address> ip-protocol 1 destination ip 192.168.110.51

sw5 (6360-A) -> policy action icmpAction disposition deny


sw5 (6360-A) -> policy rule icmpRule condition icmpCondition action icmpAction
sw5 (6360-A) -> qos apply

- Check the ping on the Client 5. What is the result?


--------------------------------------------------------------------------------------------------------------------------

4 Filtering HTTP & FTP Traffic


Let’s get back to the use case where VLAN 20 is dedicated to the employees and VLAN 30 to the contractors. Here are the rules that need to be applied:

User Type     VLAN   Service Grp = HTTP   Service Grp = FTP
Employees     20     ALLOW                DENY
Contractors   30     DENY                 ALLOW

4.1. Filtering the FTP Traffic (OmniSwitch 6360 VC)

4.1.1. Checking the access to the FTP Server


- Before configuring the policies, check the FTP access (192.168.100.102):
o From the client 5 (VLAN 20)
o From the client 9 (VLAN 30)

From the Windows Command Prompt:

C:\> ftp 192.168.100.102

Record the result for Client 5 and for Client 9.

- To deny the FTP access for the employees (VLAN 20):


sw5 (6360-A) -> policy condition ftpfromvlan20 source vlan 20 destination ip-port 20-21 ip-protocol 6
sw5 (6360-A) -> policy action deny disposition deny
sw5 (6360-A) -> policy rule deny_ftp_employee condition ftpfromvlan20 action deny precedence 65535
sw5 (6360-A) -> qos apply

4.1.2. Testing the FTP Access

- Check that you no longer have FTP access from Client 5 (employee, VLAN 20), but that it still works from Client 9 (contractor, VLAN 30). Record the FTP result for each client.
4.2. Checking the HTTP Access

- Before configuring the policies, check the HTTP access:
o From the client 5 (VLAN 20)
o From the client 9 (VLAN 30)
- Note: the clients need a DNS server entry on their network interface to resolve the URL; it should already be provided by the DHCP server.

From a web browser (e.g. Firefox, Chrome), open the URL www.google.com and record the result for Client 5 and for Client 9.
4.3. Filtering the HTTP Traffic


- To deny the HTTP access for the contractors (VLAN 30), create the policy services to identify the port
used by the HTTP protocol:
sw5 (6360-A) -> policy service http1 destination ip-port 80 protocol 6
sw5 (6360-A) -> policy service http2 destination ip-port 8080 protocol 6
sw5 (6360-A) -> policy service http3 destination ip-port 8000 protocol 6
sw5 (6360-A) -> policy service http4 destination ip-port 443 protocol 6
sw5 (6360-A) -> policy service http5 destination ip-port 4343 protocol 6

- Regroup the policy services created in a policy group:


sw5 (6360-A) -> policy service group http from cli http1 http2 http3 http4 http5

- Create the policy condition and the policy rule:


sw5 (6360-A) -> policy condition httpfromvlan30 source vlan 30 destination ip any service group http
sw5 (6360-A) -> policy action deny disposition deny

sw5 (6360-A) -> policy rule deny_http_contractor condition httpfromvlan30 action deny precedence 65535
sw5 (6360-A) -> qos apply

4.4. Testing the Configuration

- Check that you no longer have HTTP access from Client 9 (contractor, VLAN 30), but that it still works from Client 5 (employee, VLAN 20). Record the HTTP result for each client.

Note: the policy identifies HTTP only by the destination ports listed in the http service group; a web server reachable on any other port (for example 8443) is not matched, and the rule only applies to traffic that enters the switch on VLAN 30.
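The conditions and rules configured in sections 2, 3 and 4 above, as an added example that is not part of the lab or of AOS: a small Python model of how a QoS/ACL policy decides a packet's disposition. The matching semantics (every keyword set in a condition must match, the matching rule with the highest precedence wins, traffic matching no rule gets the default bridged disposition, accept) are a model of the switch behaviour and are labelled as such in the code; the Packet objects are constructed test traffic, with the client MACs taken from section 1.1. Running the lab's rules over them shows the employee FTP and contractor HTTP denies, and also that a web server on a port outside the http service group is not caught.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, ICMP = 6, 1   # 'ip-protocol' values used by the lab conditions


@dataclass(frozen=True)
class Packet:
    """Header fields the lab conditions look at (constructed test traffic, not captures)."""
    src_mac: str
    src_vlan: int
    dst_ip: str
    ip_protocol: int
    dst_port: int = 0


@dataclass(frozen=True)
class Condition:
    """One 'policy condition': every keyword that is set must match; unset keywords are wildcards."""
    source_mac: Optional[str] = None
    source_vlan: Optional[int] = None
    destination_ip: Optional[str] = None
    ip_protocol: Optional[int] = None
    destination_ports: Tuple[Tuple[int, int], ...] = ()   # (low, high) ranges; a service group is their union

    def matches(self, p: Packet) -> bool:
        if self.source_mac is not None and self.source_mac.lower() != p.src_mac.lower():
            return False
        if self.source_vlan is not None and self.source_vlan != p.src_vlan:
            return False
        if self.destination_ip is not None and self.destination_ip != p.dst_ip:
            return False
        if self.ip_protocol is not None and self.ip_protocol != p.ip_protocol:
            return False
        if self.destination_ports and not any(lo <= p.dst_port <= hi for lo, hi in self.destination_ports):
            return False
        return True


@dataclass(frozen=True)
class Rule:
    """'policy rule <name> condition <c> action <a> precedence <n>', with the action's disposition."""
    name: str
    condition: Condition
    disposition: str           # "accept" or "deny"
    precedence: int = 0


def evaluate(rules: List[Rule], packet: Packet, default_disposition: str = "accept"):
    """Model of the switch (assumption): rules are tried highest precedence first and the first
    match decides; traffic matching no rule gets the default bridged disposition (accept after
    'qos reset'). Returns (disposition, matching rule name or None)."""
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if rule.condition.matches(packet):
            return rule.disposition, rule.name
    return default_disposition, None


# Transcription of the lab's conditions, with the client MACs from section 1.1
CLIENT5_MAC, CLIENT9_MAC = "00:50:56:90:22:3c", "00:50:56:90:05:d4"
HTTP_SERVICE_GROUP = ((80, 80), (8080, 8080), (8000, 8000), (443, 443), (4343, 4343))   # http1..http5

LAB_RULES = [
    Rule("icmpRule", Condition(source_mac=CLIENT5_MAC, ip_protocol=ICMP, destination_ip="192.168.110.51"), "deny"),
    Rule("deny_ftp_employee", Condition(source_vlan=20, ip_protocol=TCP, destination_ports=((20, 21),)), "deny", 65535),
    Rule("deny_http_contractor", Condition(source_vlan=30, ip_protocol=TCP, destination_ports=HTTP_SERVICE_GROUP), "deny", 65535),
]


def lab_disposition(packet: Packet, rules: List[Rule] = LAB_RULES) -> str:
    """Disposition the lab's active policy gives to one packet."""
    return evaluate(rules, packet)[0]
```

The precedence argument matters as soon as two rules overlap: an "accept" exception for one FTP server only wins over deny_ftp_employee if it carries a higher precedence, and 65535 (used by the lab) is the highest value, so exceptions to these rules have to be written with the deny at a lower precedence.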
OmniSwitch R8
Access Guardian

Objectives
Access Guardian

At the end of this module, you will be able to:


• Describe Access Guardian
• Setup Access Guardian
• Port
• User Network Profile
• Classification Rule / policy
• Port-Templates
• Authentication server (Radius Server)
• Monitor Access Guardian
Access Guardian -Overview
• GOAL
• Role Based Access Control with UNP (Universal Network Profile)
- Auto-sensing, multi-client authentication on a port

Access Guardian -Overview: Authentication Method
• HOW IT WORKS
⚫ MAC-based (non-supplicant) or 802.1x-based (supplicant)
• The switch sends a RADIUS Access-Request { User-Name = "user", User-Password = "xxxxxx" }; the RADIUS server answers with an Access-Accept carrying the UNP name in the Filter-Id attribute (Filter-Id = "UNP-name")
• A UNP (R8) bundles: VLAN ID, Policy List (ACL, QoS), Location policy, Period policy
- Location: restricts network access based on where the user/device is attached (chassis/slot/port, switch name, or a switch location string identifying a group of switches)
- Period: specifies the days and times during which a device can access the network

Example profiles (figure):

UNP         VLAN   Access               Bandwidth   Priority
EXECUTIVE   10     ALL                  HIGH        HIGH
EMPLOYEE    20     NO HR, FINANCE DB    MEDIUM      MEDIUM
GUEST       30     INTERNET ONLY        MEDIUM      LOW
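The Access-Request / Access-Accept exchange drawn above, as an added example that is not code from the training material or from ALE: a minimal RFC 2865 client and a toy server in Python, using the lab's shared secret and the two lab users as constructed data. It hides User-Password with the Request Authenticator as the standard requires, returns the UNP name in Filter-Id, and checks the Response Authenticator before trusting the reply, which is what stops a forged Access-Accept on the RADIUS path from assigning a profile. The user table, identifiers and the in-process "server" are assumptions; a real switch sends the request over UDP/1812. A PAP-style request like the MAC-based flow is modelled; 802.1X carries EAP inside RADIUS and additionally requires the Message-Authenticator attribute.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 codes and attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11

# Constructed data: the lab's shared secret and an assumed server user table (password, UNP name)
SECRET = b"alcatel-lucent"
USERS = {"employee": ("password", "UNP-employee"), "contractor": ("password", "UNP-contractor")}


def _attr(atype, value):
    """One attribute: Type (1) | Length (1, includes the 2-byte header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block), chained."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def parse_packet(raw):
    """Return (code, identifier, authenticator, [(type, value), ...]) with every length checked."""
    if len(raw) < 20:
        raise ValueError("RADIUS packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, raw[4:20], attrs


def access_request(username, password, secret, ident, authenticator):
    """Switch side: Access-Request with a fresh 16-byte Request Authenticator."""
    body = _attr(USER_NAME, username.encode()) + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def server_respond(request, secret, users):
    """Toy server: verify the credential, answer Access-Accept with Filter-Id = UNP name, else Access-Reject."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    name = fields.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(fields.get(USER_PASSWORD, b""), secret, req_auth)
    entry = users.get(name)
    if entry is not None and hmac.compare_digest(entry[0].encode(), password):
        code, body = ACCESS_ACCEPT, _attr(FILTER_ID, entry[1].encode())
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(response, request_authenticator, secret):
    """Switch side: recompute the Response Authenticator; a forged or wrong-secret reply fails here."""
    if len(response) < 20:
        return False
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(hashlib.md5(header + request_authenticator + body + secret).digest(), resp_auth)


def authenticate(username, password, secret=SECRET, users=USERS, ident=1):
    """Full round trip, in-process. Returns (accepted, unp_name)."""
    req_auth = os.urandom(16)
    request = access_request(username, password, secret, ident, req_auth)
    response = server_respond(request, secret, users)   # a real switch sends this over UDP/1812
    if not verify_response(response, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply not from the expected server")
    code, resp_ident, _, attrs = parse_packet(response)
    if resp_ident != ident:
        raise ValueError("identifier mismatch")
    unp = next((v.decode() for t, v in attrs if t == FILTER_ID), None)
    return code == ACCESS_ACCEPT, unp
```

The password hiding is XOR with an MD5 stream keyed by the shared secret, so anyone who can read the UDP exchange and knows or guesses the secret recovers the password; the only real protection for the RADIUS leg is a strong secret and, where the switch and server support it, RADIUS over TLS.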
Access Guardian -Overview
• EXAMPLE
• Access control via UNP – Campus authentication
- Admin and teachers use 802.1X; students can be authenticated via either 802.1X or MAC-based

802.1X - Supplicant (Admin, Teacher):
1 – 802.1X/EAP authentication frame sent with user/login
2 – EAP intercepted by the switch
3 – Switch builds the RADIUS frame, adding the source MAC
4 – Relays the authentication frame to the server
5 – Login/password validated
6 – Device moved to the appropriate UNP (Admin/Teacher UNP)
7 – Login/password failed -> device moved to the Default UNP for registration

Non-Supplicant (Student):
1 – Non-802.1X frame sent
2 – Non-802.1X frame intercepted by the switch
3 – Switch builds the authentication request using the source MAC as login/password
4 – Authentication frame sent to the RADIUS server
5 – MAC validated
6 – Device moved to the appropriate UNP (Student UNP)
7 – MAC failed -> device moved to the Default UNP for registration
Access Guardian
Access Guardian flow
• Device classification policies: conceptual flow (figure, summarised below)

UNP Port, L2 authentication:
- 802.1X enabled and the device is a supplicant -> 802.1X authentication
- 802.1X not enabled, or the device is a non-supplicant, and MAC authentication enabled -> MAC authentication (same branch as 802.1X)
- No authentication enabled -> Classification Rules -> UNP Profile; no matching rule -> Default UNP Profile, or Block if none is set

Authentication result:
- Pass -> UNP selection from the RADIUS Filter-Id -> UNP Profile; no UNP returned or UNP not valid -> Classification Rules -> UNP Profile, otherwise Alternate UNP Profile, Default UNP Profile, or Block
- Fail -> Block
- Server down -> Server Down UNP Profile (timeout, then re-authentication), or Block
Configuration steps
Access Guardian -Configuration Steps
• STEP BY STEP

Configure ports (bridge port; MAC or 802.1x authentication; classification rules)

-> unp {port chassis/slot/port1[-port2] | linkagg agg_id1[-agg_id2]} port-type bridge
or
-> unp {port chassis/slot/port1[-port2] | linkagg agg_id[-agg_id2]} 802.1x-authentication
-> unp {port chassis/slot/port1[-port2] | linkagg agg_id[-agg_id2]} mac-authentication

Example
-> unp port 1/1/1 port-type bridge
-> unp port 1/1/1 802.1x-authentication
-> unp port 1/1/1 mac-authentication
Access Guardian -Configuration Steps
• STEP BY STEP

Configure UNP policy validity-location

-> unp policy validity-location policy_name [port chassis/slot/port[-port2] | linkagg agg_id[-agg_id2]] [system-name system_name] [system-location system_location]

Example
-> unp policy validity-location ALE-Brest port 1/1/10
-> unp policy validity-location ALE-Brest port 1/1/1-5
Access Guardian -Configuration Steps
• STEP BY STEP

Configure UNP policy validity-period

• Specifies the days and times during which a device can access the network

-> unp policy validity-period policy_name [days days] [months months] [hours hh:mm to hh:mm] [interval mm:dd:yy hh:mm to mm:dd:yy hh:mm] [timezone zones]

Example
-> unp policy validity-period "Office-Time"
-> unp policy validity-period "Office-Time" days MONDAY
-> unp policy validity-period "Office-Time" days MONDAY timezone CET
-> unp policy validity-period "Office-Time" hours 9:00 to 17:00
Access Guardian -Configuration Steps
• STEP BY STEP

Configure UNP policy list

-> policy list list_name type unp [enable | disable]

Assigns existing QoS policy rules to the specified QoS policy list:

-> policy list list_name rules rule_name [rule_name2...]

Example: the policies already created (ACL chapter)

-> show active policy rule
Rule name : deny_ftp_employee
Precedence = 65535,
Condition name = ftpfromvlan20,

-> policy list deny_employees type unp enable
-> policy list deny_employees rules deny_ftp_employee
Access Guardian -Configuration Steps
• STEP BY STEP

Configure UNP profile

-> unp profile profile-name qos-policy-list list_name location-policy policy_name period-policy policy_name

-> unp profile profile_name map vlan vlan_id

Example :

-> unp profile employee qos-policy-list deny_employees location-policy ALE-Brest period-policy Office-Time

-> unp profile employee map vlan 20


Access Guardian -Configuration Steps
• STEP BY STEP

Configure supplicant device classification policies (802.1X branch of the flow)

-> unp port chassis/slot/port 802.1X-authentication [pass-alternate profile_name]

Configure mac-authentication device classification policies (MAC branch of the flow)

-> unp port chassis/slot/port mac-authentication [pass-alternate profile_name]

The pass-alternate profile is applied when the device passes authentication but the RADIUS server returns no UNP (or a UNP that does not exist on the switch) in the Filter-Id. A device that fails authentication is blocked, and a device that cannot be authenticated because the server is down gets the auth-server-down profile or is blocked.
Access Guardian -Configuration Steps
• STEP BY STEP

UNP port templates: specify the configuration parameters that can be enabled on a UNP port/linkagg

UNP-Template properties:
- Name
- 802.1x authentication (tx-period, max-req, supp-timeout, pass-alternate UNP profile, failure-policy, bypass)
- MAC authentication (pass-alternate UNP profile, allow-eap)
- Classification rules
- Default UNP profile
- Group-id
- AAA profile

Example
-> unp port-template 802.1x-template
-> unp port-template 802.1x-template 802.1x-authentication
-> unp port-template 802.1x-template 802.1x-authentication pass-alternate corporate
-> unp port 2/1/1 port-template 802.1x-template

AAA Profile: defines a custom, pre-defined AAA configuration (802.1x authentication, captive-portal authentication, MAC authentication, RADIUS authentication/accounting servers, syslog servers) that can be applied to a specific set of UNP ports or through a Captive Portal profile.

Example
-> aaa profile ap-1
-> aaa profile ap-1 device-authentication mac rad1 rad2
-> aaa profile ap-1 device-authentication 802.1x rad1 rad2
-> unp port 1/1/5 aaa-profile ap-1
-> unp port 1/2/1-5 aaa-profile ap-1
-> unp linkagg 10 aaa-profile ap-1
-> unp linkagg 2-5 aaa-profile ap-1
Access Guardian -Configuration Steps
• STEP BY STEP (802.1X example: Teacher)

⚫ Configure a server as a RADIUS server on the switch
-> aaa radius-server my_radius host 192.168.100.102 key alcatel-lucent

⚫ Configure the switch to use "my_radius" for 802.1X device authentication / accounting
-> aaa device-authentication 802.1x my_radius
-> aaa accounting 802.1x my_radius

⚫ Create the required VLANs
-> vlan 10 admin-state disable name vlan10-block
-> vlan 20 admin-state enable name vlan20-corporate

⚫ Create the required UNP profiles and map them to VLAN 10 and 20
-> unp profile corporate
-> unp profile corporate map vlan 20
-> unp profile def_unp
-> unp profile def_unp map vlan 10

⚫ Enable UNP on the ports that will connect to user devices
-> unp port 1/1/1 port-type bridge

⚫ Set the default UNP profile on the port (applied on the "No UNP" branch of the flow; VLAN 10 is administratively disabled, so such devices get no connectivity)
-> unp port 1/1/1 default-profile def_unp

⚫ Create an edge template to apply UNP port configuration parameters
-> unp port-template 802.1x-template

⚫ Configure the template and define an alternate UNP profile to use if the RADIUS server does not return a UNP profile
-> unp port-template 802.1x-template 802.1x-authentication
-> unp port-template 802.1x-template 802.1x-authentication pass-alternate corporate

⚫ Assign the port template to a UNP port
-> unp port 1/1/1 port-template 802.1x-template

Access Guardian -Configuration Steps
• STEP BY STEP

Monitoring

 Display the UNP configuration of one or more ports
show unp port chassis/slot/port config

 Display all users learned on one or more UNP ports (802.1X supplicants as well as non-supplicants learned through MAC authentication)
show unp user chassis/slot/port

 Display the Access Guardian status of all users learned on UNP ports
show unp user details chassis/slot/port

 Display statistics for the users learned on one or more UNP ports
show unp user chassis/slot/port statistics


Access Guardian - Configuration Steps
• STEP BY STEP

Monitoring

 Display the device classification rules configured on the switch
show unp classification profile

 Display the RADIUS servers configured for 802.1X device authentication on the switch
show aaa device-authentication 802.1x

 Display the accounting servers configured for 802.1X port-based network access control
show accounting 802.1x

 Display the RADIUS servers configured for MAC-based authentication
show aaa device-authentication mac

Authentication server configuration
Access Guardian - Authentication server configuration
• STEP BY STEP
Configure Authentication Server

 Configure the RADIUS server to use for device authentication (802.1X, MAC, or Captive Portal)

aaa radius-server server_name host {hostname | ip_address | ipv6_address} [hostname2 | ip_address2 | ipv6_address2] {key secret | hash-key hash_secret | prompt-key} [salt salt | hash-salt hash_salt] [retransmit retries] [timeout seconds] [auth-port auth_port] [acct-port acct_port] [vrf-name name] [ssl | no ssl]

Parameters and defaults:
retransmit retries    3
timeout seconds       2
auth-port             1812
acct-port             1813
ssl | no ssl          no ssl

 Enable the MAC authentication session timer to determine the amount of time the user session remains active after a successful login (the default time is set to 12 hours).
aaa mac session-timeout enable

 Example
-> aaa radius-server my_radius host 192.168.100.102 key alcatel-lucent
-> aaa device-authentication 802.1x my_radius
-> aaa device-authentication mac my_radius
-> aaa accounting 802.1x my_radius
-> aaa accounting mac my_radius
-> aaa mac session-timeout enable

Note: the value given with "key" is the RADIUS shared secret and is typed on the CLI in clear text; "prompt-key" asks for it interactively instead of leaving it in the command line, and "ssl" protects the connection to the server with TLS, so that the password hiding of plain RADIUS is not the only protection for the credentials and the returned Filter-Id.
Access Guardian - Authentication server configuration
• STEP BY STEP

Choose the source IP interface

 Choose the source IP interface used by the application

-> ip service source-ip {Loopback0 | interface-name} [ldap] [tacacs] [radius] [snmp] [sflow] [ntp] [swlog] [dns] [telnet] [ftp] [ssh] [tftp] [all]

 Example

-> ip service source-ip Loopback0 radius

Sourcing RADIUS from Loopback0 gives the server one stable client address to bind the shared secret to, independent of which IP interface currently routes to it.

-> show ip service source-ip


Application Interface-Name
-----------------+------------------------------
tacacs -
ntp Loopback0
syslog -
ldap-server -
radius Loopback0
ftp -
Access Guardian - Authentication server configuration
• STEP BY STEP

Manage Authentication server down

 Configures the profile applied to users when the RADIUS server is not reachable (the policy for classifying the device when the authentication server is down)

unp auth-server-down profile1 profile_name

 Sets the re-authentication time after which a device classified according to the auth-server-down policy tries to authenticate again with the RADIUS server

unp auth-server-down-timeout seconds

-> show unp global configuration
Auth Server Down Profile1 = ag_SrvDownPrf,
Auth Server Down Timeout = 60,

* When the authentication server becomes reachable again, users are re-authenticated

OmniSwitch AOS R8

Access Guardian

How to
✓ Configure the Access Guardian on OmniSwitch

Contents
1 Introduction .................................................................................... 2
2 Configuring the Access Guardian on the 6360 VC......................................... 3
3 Managing the Access Guardian feature on the 6360 VC ................................. 4
3.1. Declaring the RADIUS Server ...................................................................... 4
3.2. Creating the Policies ............................................................................... 4
3.3. Creating the Policy Lists ........................................................................... 4
3.4. Creating the User Network Profiles .............................................................. 5
3.5. Configuring the User Ports ........................................................................ 5
3.6. Testing the Configuration ......................................................................... 5
3.7. Testing the Radius Configuration................................................................. 5
3.8. Testing the Access Guardian ...................................................................... 6

1 Introduction
During this lab, we will configure the Access Guardian feature on the access switches, the 6360 VC.
The ACL rules created in the previous lab are reused and applied through UNP profiles.

The authentication of the network users will be done via a RADIUS server. On our infrastructure, the RADIUS
server is installed on a virtual machine (name: AAA Training Server), and its IP address is 192.168.100.102.

Once authenticated, a Universal Network Profile (UNP) will be applied to the network users. More
information about the UNP profiles to create is provided in the following pages of this lab.

2 Configuring the Access Guardian on the 6360 VC


In the following parts, we will perform the following tasks on the 6360 VC:
- Declaration of the RADIUS server in the OmniSwitch
- Configuration of the User Network Profiles which will be applied to the network users:

USER TYPE    AUTHENTICATION   VLAN   UNP              POLICY LIST
Employee     802.1x           20     UNP-employee     deny_employees
Contractor   802.1x           30     UNP-contractor   deny_contractors

Notes:
MAC authentication: as no MAC addresses are configured on the RADIUS server, a device that falls back to MAC address authentication is blocked from accessing the network.

During this lab, we will use the policies (ACLs) on the 6360 VC configured in the ACLs lab, and apply them to
the employee or contractor once authenticated:

User Type     VLAN   Service Grp = HTTP   Service Grp = FTP
Employees     20     ALLOW                DENY
Contractors   30     DENY                 ALLOW



3 Managing the Access Guardian feature on the 6360 VC

3.1. Declaring the RADIUS Server


- Declare the RADIUS Server on the 6360-A:
sw5 (6360-A) ->aaa radius-server my_radius host 192.168.100.102 key alcatel-lucent
sw5 (6360-A) ->aaa device-authentication 802.1x my_radius
sw5 (6360-A) ->aaa device-authentication mac my_radius
sw5 (6360-A) ->aaa accounting 802.1x my_radius
sw5 (6360-A) ->aaa accounting mac my_radius
sw5 (6360-A) ->ip service source-ip Loopback0 radius

3.2. Creating the Policies


- The policies used during this lab were already created on the 6360 VC in the "ACLs" lab. To check the currently active policies:
sw5 (6360-A) ->show active policy rule
Rule name : deny_ftp_employee
Precedence = 65535,
Condition name = ftpfromvlan20,
Action name = deny
Rule name : deny_http_contractor
Precedence = 65535,
Condition name = httpfromvlan30,
Action name = deny

3.3. Creating the Policy Lists


- Create a policy list to deny the FTP access for the employees (VLAN 20):
sw5 (6360-A) ->policy list deny_employees type unp enable
sw5 (6360-A) ->policy list deny_employees rules deny_ftp_employee

- Create a policy list to deny the HTTP access for the contractors (VLAN 30):
sw5 (6360-A) ->policy list deny_contractors type unp enable
sw5 (6360-A) ->policy list deny_contractors rules deny_http_contractor

- Apply the modifications:


sw5 (6360-A) ->qos apply

3.4. Creating the User Network Profiles


- Create the UNP edge profiles:
sw5 (6360-A) -> unp profile UNP-employee
sw5 (6360-A) -> unp profile UNP-contractor
sw5 (6360-A) -> unp profile UNP-employee qos-policy-list deny_employees
sw5 (6360-A) -> unp profile UNP-contractor qos-policy-list deny_contractors
sw5 (6360-A) -> unp profile UNP-employee map vlan 20
sw5 (6360-A) -> unp profile UNP-contractor map vlan 30

Notes:
A supplicant user (one that seeks to authenticate) is authenticated by the RADIUS server, which sends back the UNP profile name in the Filter-Id attribute (UNP-employee or UNP-contractor).

3.5. Configuring the User Ports


- Configure authentication on port 1/1/1 (Client 5) :
sw5 (6360-A) -> unp port 1/1/1 port-type bridge
sw5 (6360-A) -> unp port 1/1/1 802.1x-authentication
sw5 (6360-A) -> unp port 1/1/1 mac-authentication

3.6. Testing the Configuration


- To verify the profile configuration for a UNP profile (ex. UNP-contractor):
sw5 (6360-A) -> show unp profile UNP-contractor
Profile Name: UNP-contractor
Qos Policy = deny_contractors,
Location Policy = -,
Period Policy = -,
CP Profile = -,
CP State = Dis,
Authen Flag = Dis,
Mobile Tag = Dis,
SAA Profile = -,
Ingress BW = -,
Egress BW = -,
Ingress Depth = -,
Egress Depth = -,
Inact Interval = 10,
Mac-Mobility = Dis,
Kerberos Auth = Dis

- To verify the VLAN mapping for each profile, type:


sw5 (6360-A) -> show unp profile map vlan
Profile Name Vlan
UNP-employee 20
UNP-contractor 30
Total Profile Vlan-Map Count: 2

3.7. Testing the Radius Configuration


- Check that the RADIUS server is properly configured and reachable:
-> aaa test-radius-server my_radius type authentication user employee password password
Testing Radius Server <192.168.100.102/My_radius>
Access-Challenge from 192.168.100.102 Port 1812 Time: 174 ms
Filter-ID = UNP-employee
Access-Challenge from 192.168.100.102 Port 1812 Time: 16 ms
Filter-ID = UNP-employee
Access-Accept from 192.168.100.102 Port 1812 Time: 18 ms
Returned Attributes
Filter-ID = UNP-employee
User Name = employee

3.8. Testing the Access Guardian


- Open the Client 5 console from vSphere, then on Client 5:

1. Open the Network Connections, right-click on the Pod connection and click on Properties.
2. Select the Authentication tab.

Tips
If the Authentication tab is not available, click on the Start button, Run…, type services.msc and click Ok. Look for the Wired AutoConfig service and start it. The Authentication tab should now be available.

3. Check the box "Enable IEEE 802.1X authentication".
4. Uncheck the box "Cache user information for subsequent connections to this network".
5. Click on Settings and uncheck "Validate server certificate".
6. Keep the default authentication method (Secured password (EAP-MSCHAP v2)) and click on Configure…
7. Uncheck the box "Automatically use my Windows logon name and password".
8. Click on OK three times to leave the LAN connection properties.

Note: unchecking "Validate server certificate" is acceptable only in this lab. In production the supplicant must validate the RADIUS server certificate and be restricted to the expected CA and server names; otherwise anyone who controls the link can present their own authentication server and collect the MSCHAPv2 exchange, which is offline-crackable.

- Reinitialize the port 1/1/1 (where is connected the Client 5):


sw5 (6360-A) -> unp user flush port 1/1/1

- Disable and re-enable the network interface from client 5.

- You should get a pop-up asking to connect on the network.

- Logon now with the following credentials:


User name = employee
Password = password

- Check the user status:


sw5 (6360-A) -> show unp user
User
Port Username Mac address IP Vlan Profile Type Status
-------+-------------+-----------------+---------------+----+-------------+------------+-----------
1/1/1 employee 00:50:56:90:f7:ad 192.168.20.86 20 UNP-employee Bridge Active

sw5 (6360-A) -> show unp user status


Port Mac address Profile Name Source Type Status Role Name Role Source CP Kerberos Redirect
Access
-------+-----------------+---------------+-------+------+-------------+---------------+-------------+--+--------+--------
1/1/1 00:50:56:90:f7:ad UNP-employee Radius 802.1x Authenticated deny_employees L2-Profile N N Y

sw5 (6360-A) -> show unp user details


Port: 1/1/1
MAC-Address: 00:50:56:90:f7:ad
SAP = -,
Service ID = 0,
VNID = 0 ( 0. 0. 0),
VPNID = 0 ( 0. 0. 0),
ISID = 0,
Access Timestamp = 08/01/2015 03:00:21,
User Name = employee,
IP-Address = 192.168.20.86,
Vlan = 20,
Authentication Type = 802.1x,
Authentication Status = Authenticated,
Authentication Failure Reason = -,
Authentication Retry Count = 0,
Authentication Server IP Used = 192.168.100.102,
Authentication Server Used = my_radius,
Server Reply-Message = -,
Profile = UNP-employee,
Profile Source = Auth - Pass - Server UNP,
Profile From Auth Server = UNP-employee,
Session Timeout = 0,
Classification Profile Rule = -,
Role = deny_employees,
Role Source = L2-Profile,
User Role Rule = -,
Restricted Access = No,
Location Policy Status = -,
Time Policy Status = -,
QMR Status = Passed,
Redirect Url = -,
SIP Call Type = Not in a call,
SIP Media Type = None,
Applications = None,
Encap Value = -

- Reinitialize the port 1/1/1 (where is connected the Client 5):


sw5 (6360-A) -> unp user flush port 1/1/1

- Disable and re-enable the network interface from client 5.


- Logon now with the following credentials:
User name = contractor
Password = password

- Check the user status:


sw5 (6360-A) -> show unp user
User
Port Username Mac address IP Vlan Profile Type Status
-------+-------------+-----------------+---------------+----+----------------------+------------+---------
1/1/1 contractor 00:50:56:90:f7:ad 192.168.30.81 30 UNP-contractor Bridge Active

sw5 (6360-A) -> show unp user status


Port Mac address Profile Name Source Type Status Role Name Role Source CP Kerberos Redirect
Access
-------+-----------------+--------------+-------+-------+-------------+-----------------+--+--+--------+--------+--------
1/1/1 00:50:56:90:f7:ad UNP-contractor Radius 802.1x Authenticated deny_contractors L2-Profile N N Y

sw5 (6360-A) -> show unp user details


Port: 1/1/1
MAC-Address: 00:50:56:90:f7:ad
SAP = -,
Service ID = 0,
VNID = 0 ( 0. 0. 0),
VPNID = 0 ( 0. 0. 0),
ISID = 0,
Access Timestamp = 08/01/2015 03:14:52,
User Name = contractor,
IP-Address = 192.168.30.81,
Vlan = 30,
Authentication Type = 802.1x,
Authentication Status = Authenticated,
Authentication Failure Reason = -,
Authentication Retry Count = 0,
Authentication Server IP Used = 192.168.100.102,
Authentication Server Used = my_radius,
Server Reply-Message = -,
Profile = UNP-contractor,
Profile Source = Auth - Pass - Server UNP,
Profile From Auth Server = UNP-contractor,
Session Timeout = 0,
Classification Profile Rule = -,
Role = deny_contractors,
Role Source = L2-Profile,
User Role Rule = -,
Restricted Access = No,
Location Policy Status = -,
Time Policy Status = -,
QMR Status = Passed,
Redirect Url = -,
SIP Call Type = Not in a call,
SIP Media Type = None,
Applications = None,
Encap Value = -

- On client 5
- Go back to the network connection Pod properties, then disable 802.1x on the network interface (from
authentication tab of the LAN connection properties)

- Reinitialize the port 1/1/1 (where is connected the Client 5):

sw5 (6360-A) -> unp user flush port 1/1/1



- Disable and re-enable the network interface from client 5.

- On the switch check the user status:

sw5 (6360-A) -> show unp user


User
Port    Username            Mac address         IP (V4/V6)       Vlan   Profile   Type     Status
-------+-------------------+-------------------+----------------+------+---------+--------+--------
1/1/1   00:50:56:90:22:3c   00:50:56:90:22:3c   192.168.20.105   20     -         Bridge   Block

- As there are not any MAC addresses configured on the RADIUS server, then the user is blocked from
accessing the network.

- Save the configuration

sw5 (6360-A) -> write memory flash-synchro


OmniSwitch R8
Link Layer Discovery Protocols (LLDP)

Objectives
Link Layer Discovery Protocols (LLDP)

At the end of this module, you will be able to:


• Describe how the Link Layer Discovery Protocol (LLDP) works
• Enable LLDP-MED
Overview
• Goal
• IEEE 802.1AB – Link Layer Discovery Protocol (LLDP)
• L2 discovery protocol: an accurate physical topology and device inventory simplifies management and maintenance
• Exchange information with neighboring devices to build a database of adjacent devices
• Enabled by default on the OmniSwitches

Figure: each device announces itself to its neighbors ("I’m a Switch", "I’m an IP-Phone", "I’m a PC", "I’m a PBX") and every switch builds a table of what is attached to which port, for example:

port   device     info
2/1    IP-Phone   xxxx
2/12   IP-Phone   xxxx
2/13   IP-PBX     xxxx
2/22   Switch     xxxx

port   device     info
1/1    IP-phone   xxxx
1/2    PC         xxxx
1/3    Switch     xxxx
Protocol Data Unit (LLDP-PDU)
Standard: IEEE 802.1AB

Ethernet header:
Destination addr. = 01:80:c2:00:00:0e
Source addr.      = port MAC addr.
Ethertype         = 88:cc (LLDP)

Link Layer Discovery Protocol Data Unit (LLDP-PDU), a sequence of TLVs:
Chassis ID TLV (M) | Port ID TLV (M) | Time To Live TLV (M) | Optional TLV (O) | Optional TLV (O) | End Of LLDPDU TLV (M)
M = mandatory, O = optional

Basic Type Length Value (TLV) format:
TLV header = TLV type (7 bits) + TLV information string length (9 bits)
TLV information string = 0 – 511 octets

• LLDP PDUs
⚫ Extensions: optional fields
 802.1: VLAN name, port VLAN
 802.3: MAC/PHY
 MED: Power and Capability
 Inventory Management
 Network Policy
Media Endpoint Devices (LLDP-MED) TLVs:
- NETWORK POLICY
- LOCATION ID
- EXTENDED POWER-VIA-MDI
- INVENTORY
Configuration
• Enabling LLDP PDU flow on a port, slot, or all ports on a switch
-> lldp {slot/port | slot | chassis} lldpdu {tx | rx | tx-and-rx | disable}

• Enabling LLDP notification status


-> lldp {slot/port | slot | chassis} notification {enable | disable}

• Displaying LLDP information


-> show lldp port 1/1/3 remote-system

Remote LLDP nearest-bridge Agents on Local Port 1/1/3:

Chassis e8:e7:32:f6:15:81, Port 1003:


Remote ID = 4,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent OS6860 GNI 1/1/3,
System Name = (null),
System Description = (null),
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router
Monitoring
• Displaying LLDP information

-> show lldp system-statistics


-> show lldp [slot|slot/port] statistics
-> show lldp local-system
-> show lldp [slot/port | slot] local-port
-> show lldp local-management-address
-> show lldp config

-> show lldp 1/9 config


----------+----------+----------+----------+----------+----------+----------+----------
          |  Admin   |  Notify  | Std TLV  |   Mgmt   |  802.1   |  802.3   |   MED
Slot/Port |  Status  |   Trap   |   Mask   | Address  |   TLV    |   Mask   |   Mask
----------+----------+----------+----------+----------+----------+----------+----------
1/9         Rx + Tx    Enabled    0xf0       Enabled    Enabled    0x80       0xd0
IP Phone (LLDP Network Policy TLV/Mobile Tag)
LLDP-MED
• Provides VoIP-specific extensions to base LLDP protocol
• TLVs (Type, Length, Value) for
• Device location discovery to allow creation of location databases, including the support for Emergency Call Service
• LAN policy discovery (VLAN, Layer 2 priority, Layer 3 QoS)
• Extended and automated power management for Power over Ethernet devices
• Inventory management

[Figure: IP phone network policy before (1) and after (2) receiving the LLDP-MED Network Policy TLV from the switch:
  1: Policy: Unknown, Tagged: No,  VLAN ID: 0,  L2 priority: 5, DSCP: 46
  2: Policy: Defined, Tagged: Yes, VLAN ID: 10, L2 priority: 7, DSCP: 46]
LLDP-MED
• Mobile Tag versus 802.1Q Tag

Mobile Tag                                                   | 802.1Q Tag
-------------------------------------------------------------+-----------------------------------------------------------
Allows mobile ports to receive 802.1Q tagged packets         | Not supported on mobile ports
Enabled on the VLAN that will receive tagged mobile port     | Enabled on fixed ports; tags port traffic for the
traffic                                                      | destination VLAN
Triggers dynamic assignment of tagged mobile port traffic to | Statically assigns (tags) fixed ports to one or more
one or more VLANs                                            | VLANs
LLDP Network Policy TLV/Mobile Tag
• Example

[Figure: OS6860-A with IP Phone 31001 on port 1/1/20 and an uplink on port 1/1/4, voice network 151.1.1.0. Step 1: the switch sends an LLDP frame carrying the voice network policy.]


(OS6860-A) -> vlan 151
(OS6860-A) -> unp profile "voip-temp" mobile-tag
(OS6860-A) -> unp profile "voip-temp" map vlan 151
(OS6860-A) -> unp port 1/1/20 port-type bridge
(OS6860-A) -> unp port 1/1/20 direction both classification trust-tag dynamic-service none
(OS6860-A) -> unp classification lldp med-endpoint ip-phone profile1 "voip-temp"
(OS6860-A) -> lldp network-policy 1 application voice vlan 151 l2-priority 7 dscp 14
(OS6860-A) -> lldp chassis med network-policy 1
(OS6860-A) -> lldp nearest-bridge port 1/1/20 tlv med network-policy enable
(OS6860-A) -> lldp nearest-bridge port 1/1/20 tlv med capability enable
LLDP Network Policies
• Specifying whether or not LLDP-MED TLVs are included in transmitted LLDPDUs
-> lldp {slot/port | slot | chassis} tlv med {power | capability | network-policy} {enable | disable}

• Configuring a local Network Policy on the switch for a specific application type

-> lldp network-policy policy_id application {voice | voice-signaling | guest-voice | guest-voice-signaling | softphone-voice | video-conferencing | streaming-video | video-signaling} vlan {untagged | priority-tag | vlan-id} l2-priority 802.1p_value dscp dscp_value

• Associating an existing network policy to a port, slot, or chassis

-> lldp {slot/port | slot | chassis} med network-policy policy_id


Example – LLDP-MED
• Display the LLDP information of the equipment(s) connected to the switch
-> show lldp remote-system
Remote LLDP Agents on Local Slot/Port 1/14:
Chassis 80:4e:53:c6:00:00, Port 00:80:9f:8e:a4:ab:
Remote ID = 3,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 3 (MAC address),
Port Description = (null),
System Name = (null),
System Description = (null),
Capabilities Supported = Telephone,
Capabilities Enabled = Telephone,
MED Device Type = Endpoint Class III,
MED Capabilities = Capabilities | Power via MDI-PD(33),
MED Extension TLVs Present = Network Policy| Inventory,
MED Power Type = PD Device,
MED Power Source = PSE,
MED Power Priority = Low,
MED Power Value = 5.6 W,
Remote port MAC/PHY AutoNeg = Supported Enabled Capability 0xc036,
Mau Type = 1000BaseTFD - Four-pair Category 5 UTP full duplex mode

-> show lldp remote-system med inventory


Remote LLDP Agents on Local Slot/Port 1/14:

Chassis 80:4e:53:c6:00:00, Port 00:80:9f:8e:a4:ab:


Remote ID = 3,
Hardware Revision = "3GV23021JCDA060921",
Firmware Revision = "NOE 4.20.60",
Software Revision = "NOE 4.20.60",
Serial Number = "FCN00913901069",
Manufacturer Name = "Alcatel-Lucent Enterprise",
Model Name = "IP Touch 8068",
Asset Id = "00:80:9f:8e:a4:ab"
LLDP Network Policy TLV/Mobile Tag
• Same configuration as in the previous example (OS6860-A, port 1/1/20, UNP profile "voip-temp" mapped to VLAN 151, LLDP network policy 1)
[Figure: OS6860-A with IP Phone 31001 on port 1/1/20 and an uplink on port 1/1/4, voice network 151.1.1.0. Step 1: the switch sends an LLDP frame carrying the voice network policy. Step 2: the IP phone sends a multicast LLDP frame; the UNP LLDP classification rule (med-endpoint ip-phone) matches it to profile "voip-temp".]

OmniSwitch AOS R8

Link Layer Discovery Protocol

How to
✓ This lab is designed to familiarize you with the Link Layer Discovery
Protocol (LLDP).

Contents
1 Topology ........................................................................................ 2
2 Configure LLDP ................................................................................ 2

1 Topology
Link Layer Discovery Protocol (LLDP), implemented as per the IEEE 802.1AB standard, lets a device advertise
its identity and capabilities to its directly attached neighbors. This gives the network management software
an accurate view of the physical topology as the network grows, which addresses many of the configuration
issues caused by expanding networks.

The exchanged information, passed as LLDPDUs, is in TLV (Type, Length, Value) format. The information
available to the network management software must be as current as possible; hence, remote device
information is periodically re-advertised, and a neighbor entry is aged out when its Time To Live expires.

Notes
LLDP is enabled by default in reception and transmission

2 Configure LLDP
- To control per port notification status about a change in a remote device associated to a port, use the
following command:
sw5 (6360-A) -> lldp port 1/1/3 notification enable
sw5 (6360-A) -> lldp port 2/1/3 notification enable
sw5 (6360-A) -> lldp port 1/1/4 notification enable
sw5 (6360-A) -> lldp port 2/1/4 notification enable

sw7 (6860-A) -> lldp port 1/1/3 notification enable


sw7 (6860-A) -> lldp port 1/1/4 notification enable
sw7 (6860-A) -> lldp port 1/1/23 notification enable
sw7 (6860-A) -> lldp port 1/1/24 notification enable

sw8 (6860-B) -> lldp port 1/1/3 notification enable


sw8 (6860-B) -> lldp port 1/1/4 notification enable
sw8 (6860-B) -> lldp port 1/1/23 notification enable
sw8 (6860-B) -> lldp port 1/1/24 notification enable

Tips
LLDP is configured at port level (or NI or chassis), but not at linkagg level.

- To control, per port, whether the port description management TLV is included in the LLDPDUs, use the following commands:

sw5 (6360-A) -> lldp port 1/1/3 tlv management port-description enable
sw5 (6360-A) -> lldp port 2/1/3 tlv management port-description enable
sw5 (6360-A) -> lldp port 1/1/4 tlv management port-description enable
sw5 (6360-A) -> lldp port 2/1/4 tlv management port-description enable

sw7 (6860-A) -> lldp port 1/1/3 tlv management port-description enable
sw7 (6860-A) -> lldp port 1/1/4 tlv management port-description enable
sw7 (6860-A) -> lldp port 1/1/23 tlv management port-description enable
sw7 (6860-A) -> lldp port 1/1/24 tlv management port-description enable

sw8 (6860-B) -> lldp port 1/1/3 tlv management port-description enable
sw8 (6860-B) -> lldp port 1/1/4 tlv management port-description enable
sw8 (6860-B) -> lldp port 1/1/23 tlv management port-description enable
sw8 (6860-B) -> lldp port 1/1/24 tlv management port-description enable

- Verify the LLDP per port statistics by entering the following command:
sw7 (6860-A) -> show lldp statistics
Chas/ LLDPDU LLDPDU LLDPDU LLDPDU LLDPDU TLV TLV Device
Slot/Port Tx TxLenErr Rx Errors Discards Unknown Discards Ageouts
----------+----------+----------+----------+----------+----------+----------+----------+----------
1/1/1 65 0 0 0 0 0 0 0
1/1/3 65 0 65 0 0 0 0 0
1/1/4 66 0 64 0 0 0 0 0
1/1/5 65 0 65 0 0 0 0 0
1/1/6 65 0 65 0 0 0 0 0
1/1/23 65 0 64 0 0 0 0 0
1/1/24 64 0 63 0 0 0 0 0

- To verify the remote system information, use the following command:


sw5 (6360-A) -> show lldp remote-system

Remote LLDP nearest-bridge Agents on Local Port 1/1/3:

Chassis e8:e7:32:f6:15:81, Port 1003:


Remote ID = 4,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent OS6860 GNI 1/1/3,
System Name = (null),
System Description = (null),
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router

Remote LLDP nearest-bridge Agents on Local Port 1/1/4:

Chassis e8:e7:32:fc:23:b3, Port 1004:


Remote ID = 7,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent OS6860 GNI 1/1/4,
System Name = (null),
System Description = (null),
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router

Remote LLDP nearest-bridge Agents on Local Port 2/1/3:

Chassis e8:e7:32:fc:23:b3, Port 1003:


Remote ID = 10,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent OS6860 GNI 1/1/3,
System Name = (null),
System Description = (null),

Capabilities Supported = Bridge Router,


Capabilities Enabled = Bridge Router

Remote LLDP nearest-bridge Agents on Local Port 2/1/4:

Chassis e8:e7:32:f6:15:81, Port 1004:


Remote ID = 4,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent OS6860 GNI 1/1/4,
System Name = (null),
System Description = (null),
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router

[truncated]

- To display local system information, type the following command:


sw7 (6860-A) -> show lldp local-system
Local LLDP Agent System Data:
Chassis ID Subtype = 4 (MAC Address),
Chassis ID = e8:e7:32:f6:15:81,
System Name = Pod20sw7,
System Description = Alcatel-Lucent Enterprise OS6860E-P24 8.7.98.R03 GA, July 05, 2021.,
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router,
LLDPDU Transmit Interval = 30 seconds,
TTL Hold Multiplier = 4,
Reintialization Delay = 2 seconds,
Maximum Transmit Credit = 5 ,
LLDPDUs in Fast Transmission = 4 ,
LLDPDU Fast Transmit Interval= 1 ,
MIB Notification Interval = 5 seconds,
LLDP Nearest-edge Mode = Disabled,
Management Address Type = 1 (IPv4),
Management IP Address = 192.168.254.7,

- The commands below enable the management TLVs chassis-wide, so that the switch includes its system name,
system description, capabilities and management IP address in the LLDPDUs it sends; neighboring devices then
display this additional information about it.

- Type the following on all 3 switches:


all -> lldp chassis tlv management system-name enable
all -> lldp chassis tlv management system-description enable
all -> lldp chassis tlv management system-capabilities enable
all -> lldp chassis tlv management management-address enable

- To display remote system information, enter the following command:


sw5 (6360-A) -> show lldp remote-system

Remote LLDP nearest-bridge Agents on Local Port 1/1/3:

Chassis e8:e7:32:f6:15:81, Port 1003:


Remote ID = 4,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent OS6860 GNI 1/1/3,
System Name = Pod20sw7,
System Description = Alcatel-Lucent Enterprise OS6860E-P24 8.7.98.R03 GA, July 05, 2021.,
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router,
Management IP Address = 192.168.254.7

Remote LLDP nearest-bridge Agents on Local Port 1/1/4:

Chassis e8:e7:32:fc:23:b3, Port 1004:


Remote ID = 7,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent OS6860 GNI 1/1/4,
System Name = Pod20sw8,
System Description = Alcatel-Lucent Enterprise OS6860-24 8.7.98.R03 GA, July 05, 2021.,
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router,
Management IP Address = 192.168.254.8

Remote LLDP nearest-bridge Agents on Local Port 2/1/3:

Chassis e8:e7:32:fc:23:b3, Port 1003:


Remote ID = 10,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent OS6860 GNI 1/1/3,
System Name = Pod20sw8,
System Description = Alcatel-Lucent Enterprise OS6860-24 8.7.98.R03 GA, July 05, 2021.,
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router,
Management IP Address = 192.168.254.8

Remote LLDP nearest-bridge Agents on Local Port 2/1/4:

Chassis e8:e7:32:f6:15:81, Port 1004:


Remote ID = 4,
Chassis Subtype = 4 (MAC Address),
Port Subtype = 7 (Locally assigned),
Port Description = Alcatel-Lucent OS6860 GNI 1/1/4,
System Name = Pod20sw7,
System Description = Alcatel-Lucent Enterprise OS6860E-P24 8.7.98.R03 GA, July 05, 2021.,
Capabilities Supported = Bridge Router,
Capabilities Enabled = Bridge Router,
Management IP Address = 192.168.254.7

[truncated]

Tips
Compare the output of this command with the output of the same command entered before the management TLVs
were enabled: the neighbors now advertise their system name, software release and management IP address.
This is exactly the inventory data a management tool needs, but LLDP is unauthenticated and is sent to
whatever is plugged into the port, so the same data is handed to anyone doing reconnaissance from an edge
port. On ports facing untrusted endpoints, consider receiving only (lldp port <chassis/slot/port> lldpdu rx,
using the lldpdu command form shown earlier in this module) or leaving the management TLVs off, and keep
LLDP notifications enabled so that a changed neighbor is reported.
OmniSwitch R8
Power over Ethernet (PoE)

Objectives
Power over Ethernet (PoE)

At the end of this module, you will be able to:


• Setup the Power over Ethernet (PoE) feature
• Monitor the Power over Ethernet (PoE) information
PoE Specifications
Power Over Ethernet

• OmniSwitch switches with PoE capabilities can provide power to a large range of equipment (e.g. IP
phones, access points, PTZ cameras, ...)

- PoE priority and configurable maximum power per port for power allocation

- Dynamic PoE allocation: provides only the amount of power needed by the powered devices (PD), up to the total
power budget, for the most efficient power consumption possible

Property                           | 802.3af (802.3at Type 1) "PoE" | 802.3at Type 2 "PoE+"         | 802.3bt Type 3 "4PPoE"/"PoE++" | 802.3bt Type 4 "4PPoE"/"PoE++"
-----------------------------------+--------------------------------+-------------------------------+--------------------------------+-------------------------------
Power available at the PD          | 12.95 W                        | 25.50 W                       | 51 W                           | 71 W
Maximum power delivered by the PSE | 15.40 W                        | 30.0 W                        | 60 W                           | 100 W
Maximum current Imax               | 350 mA                         | 600 mA                        | 600 mA per pair                | 960 mA per pair
Energy management                  | Three power class levels (1-3) | Four power class levels (1-4) | Six power class levels (1-6)   | Eight power class levels (1-8)
Supported cabling                  | Category 3 and Category 5      | Category 5                    | Category 5                     | Category 5


Power Over Ethernet - OmniSwitch 6860/6860N

OmniSwitch 6860/6860E PoE models: OS6860(E)-(P)24, OS6860(E)-(P)48, OS6860E-P24Z8
OmniSwitch 6860N PoE models: OS6860N-P48M, OS6860N-P48Z, OS6860N-P24Z8
Power Over Ethernet - OmniSwitch 6560

[Figure: OmniSwitch 6560 family. Software: AOS 8 base. User ports: 10M/100M/1G/2.5G, 802.3at/bt, up to 95W PoE on a port.
Multi Gig models: OS6560-P24Z24, OS6560-P24Z8, OS6560-P48Z16. Other models: OS6560-P24X4, OS6560-P48X4, OS6560-48X4.
Model OS6560-P24X4: 24 x 10/100/1G Base-T PoE+ ports, 2 x SFP 1G ports, 4 x SFP+ 1/10G ports
Model OS6560-P24Z24: 24 x 100/1G/2.5G Base-T ports, PoE (802.3af/bt) (up to 95W on a port)
Model OS6560-P48X4: 48 x 10/100/1000 Base-T ports, PoE (802.3af/at) (up to 30W on a port)
Model OS6560-P48Z16: 32 x 10/100/1000 Base-T ports, PoE (802.3af/at) (up to 30W on a port); 16 x 100/1G/2.5G Base-T ports, PoE (802.3af/at/bt) (up to 95W on a port)
Model OS6560-P24Z8: 16 x 10/100/1000 Base-T ports (802.3af/at); 8 x 1G/2.5G Base-T ports, PoE (802.3af/at/bt) (up to 95W on a port)
Model OS6560-48X4: 48 x 10/100/1000 Base-T ports, 2 x SFP ports]
Power Over Ethernet – OmniSwitch 6465

OmniSwitch 6465 PoE models: OS6465-P6, OS6465-P12, OS6465-P28

Power Over Ethernet – OmniSwitch 6865

OmniSwitch 6865 PoE models: OS6865-P16X, OS6865-U28X, OS6865-U12X
PoE Management on AOS R8
PoE Management
• Displays the power supplies hardware information and current status:
-> show powersupply

Total PS
Chassis/PS Power Type Status Location
-----------+---------+--------+--------+-----------
1/1 920 AC UP Internal
Total 920

• Setting the PoE Operational Status


-> lanpower slot 1/1 service start

• Reactivating / Deactivating power to one port


-> lanpower port 1/1/1 admin-state enable

• Setting the maximum amount of inline power for one port (in mW)
-> lanpower port 1/1/24 power 18000

• Setting the maximum amount of inline power for a slot (in W)
-> lanpower slot 1/1 maxpower 400
PoE Management
• Setting the PoE Operational Status on a Port
• Disabled by default
-> lanpower port 1/1/1 admin-state enable

• Setting Port Priority Levels (Low, High, Critical)


• Default priority level for a port is low
• Low: In the event of a power management issue, inline power to low-priority ports is interrupted first
• High: This value is used for port(s) that have important, but not mission-critical, devices attached. If
other ports in the chassis have been configured as critical, inline power to high-priority ports is given
second priority.
• Critical: In the event of a power management issue, inline power to critical ports is maintained as long as
possible
-> lanpower port 1/1/6 priority critical
PoE Management
• Setting the Capacitor Detection Method
• not compatible with IEEE specification 802.3af
• It should only be enabled to support legacy IP phones

-> lanpower slot 1/1 capacitor-detection enable

• Setting Priority Disconnect Status


• used by the system software in determining whether an incoming PD will be granted or denied power
when there are too few watts remaining in the PoE power budget for an additional device

-> lanpower slot 1/1 priority-disconnect enable
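The priority and priority-disconnect rules above, as a small allocation model. This is an added example, not AOS code, and PoeSlot is a hypothetical class: the real PSE controller also accounts for PD class signalling and cable loss, which this model ignores. Ports carry the page's priority levels and a per-port maximum, connect() grants a PD's request from the slot budget, and when priority disconnect is enabled it frees lower-priority powered ports, lowest priority first, to make room for a higher-priority device; with priority disconnect off, a new PD that does not fit is simply refused. The 60 W budget and the tie-break among equal-priority ports (lowest port number first) are assumptions made for the demo.

```python
"""PoE budget allocation with port priorities and priority disconnect. Added example, not AOS code."""

PRIORITY_RANK = {"low": 0, "high": 1, "critical": 2}


class PoeSlot:
    """Simplified model of one PoE slot: a mW budget shared by its ports (hypothetical class)."""

    def __init__(self, max_watts: int, priority_disconnect: bool = False):
        self.budget_mw = max_watts * 1000
        self.priority_disconnect = priority_disconnect
        self.ports = {}   # port number -> {"max_mw", "priority", "used_mw", "status"}

    def configure(self, port: int, max_mw: int = 30000, priority: str = "low") -> None:
        if priority not in PRIORITY_RANK:
            raise ValueError("priority must be low, high or critical")
        self.ports[port] = {"max_mw": max_mw, "priority": priority,
                            "used_mw": 0, "status": "Searching"}

    def used_mw(self) -> int:
        return sum(p["used_mw"] for p in self.ports.values())

    def available_mw(self) -> int:
        return self.budget_mw - self.used_mw()

    def disconnect(self, port: int) -> None:
        """PD unplugged: the port goes back to detection."""
        self.ports[port].update(used_mw=0, status="Searching")

    def connect(self, port: int, requested_mw: int) -> str:
        """A PD on `port` asks for requested_mw: grant it, deny it, or bump lower-priority ports."""
        cfg = self.ports[port]
        chosen = []
        if requested_mw > cfg["max_mw"]:
            cfg["status"] = "Powered Off"
            return "denied: exceeds port maximum"
        if self.available_mw() < requested_mw:
            if not self.priority_disconnect:
                cfg["status"] = "Powered Off"
                return "denied: budget exhausted"
            # Powered ports of strictly lower priority, lowest priority (then lowest port) first
            victims = sorted(
                (n for n, p in self.ports.items() if p["used_mw"]
                 and PRIORITY_RANK[p["priority"]] < PRIORITY_RANK[cfg["priority"]]),
                key=lambda n: (PRIORITY_RANK[self.ports[n]["priority"]], n))
            freed = 0
            for n in victims:
                chosen.append(n)
                freed += self.ports[n]["used_mw"]
                if self.available_mw() + freed >= requested_mw:
                    break
            if self.available_mw() + freed < requested_mw:
                cfg["status"] = "Powered Off"
                return "denied: budget exhausted even after priority disconnect"
            for n in chosen:
                self.ports[n].update(used_mw=0, status="Powered Off")
        cfg.update(used_mw=requested_mw, status="Powered On")
        return "powered" + (f", disconnected ports {chosen}" if chosen else "")

    def show(self) -> str:
        """Text summary in the spirit of 'show lanpower slot'."""
        lines = [f"{'Port':>4} {'Maximum(mW)':>11} {'Actual Used(mW)':>15} {'Status':<11} Priority"]
        for n, p in sorted(self.ports.items()):
            lines.append(f"{n:>4} {p['max_mw']:>11} {p['used_mw']:>15} "
                         f"{p['status']:<11} {p['priority'].capitalize()}")
        lines.append(f"{self.used_mw() / 1000:.1f} Watts Actual Power Consumed, "
                     f"{self.available_mw() / 1000:.1f} Watts Total Power Budget Available")
        return "\n".join(lines)


if __name__ == "__main__":
    slot = PoeSlot(60, priority_disconnect=True)        # constructed 60 W budget
    slot.configure(1)
    slot.configure(2)
    slot.configure(3, priority="critical")
    for port, mw in ((1, 30000), (2, 25000), (3, 20000)):
        print(f"port {port} requests {mw} mW: {slot.connect(port, mw)}")
    print(slot.show())
```

In the demo the two low-priority phones use 55 W of the 60 W budget; the critical device on port 3 only gets power because priority disconnect is on and port 1 is sacrificed. Without it the same request is refused, which is the behaviour to expect on a slot that is already at "0 Watts Total Power Budget Available".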


PoE Monitoring
-> show lanpower slot 1/1

Port Maximum(mW) Actual Used(mW) Status      Priority On/Off Class
----+-----------+---------------+-----------+---------+-------+--------
1 60000 12500 Powered On Low ON *
2 60000 1800 Powered On Low ON *
6 60000 3500 Powered On Low ON *
7 60000 9800 Powered On Low ON *
8 30000 25000 Powered On Low ON *
--------------------------------------------------------------------
15 30000 0 Powered Off Low OFF
16 30000 0 Powered Off Low OFF
17 30000 0 Searching Low ON
--------------------------------------------------------------------
23 30000 0 Searching Low ON
24 30000 0 Searching Low ON

ChassisId 1 Slot 1 Max Watts 450


56.5 Watts Actual Power Consumed
450 Watts Total Power Budget Used
0 Watts Total Power Budget Available
1 Power Supply Available
BPS power: Not Available
PoE Power Management
• Fast PoE : 6860, 6860N, 6865

• Used to provide PoE power a few seconds after powering up the chassis

• Allows the chassis to immediately provide PoE power to any connected device after powering
up without waiting for the chassis to finish booting

• Fast PoE requires an upgraded FPGA/CPLD

-> lanpower fpoe {enable | disable}

• See, for example, the AOS 8.7.R1 release notes for the required FPGA/CPLD versions


PoE Power Management
• Perpetual PoE : 6860, 6860N, 6865

• provide uninterrupted power to the connected device (PD) even when the switch is restarting or
recharging, such as during a soft restart

-> lanpower ppoe {enable | disable}

• Perpetual PoE also requires an upgraded FPGA/CPLD (see release notes)


OmniSwitch AOS R8

Multicast Introduction
Module Objectives

At the end of this presentation, you will be able to

◼ Understand and set up the following features:
⚫ Multicast technology concepts
⚫ Multicast overview
⚫ IP Multicast Switching (IPMS)
⚫ Internet Group Management Protocol (IGMP)
⚫ Configuration and Monitoring
⚫ Layer 2 Static Multicast
⚫ IGMP Relay and Throttling
⚫ Storm Control
⚫ Load balancing multicast on Link Aggregation
Multicast - Overview
◼ Similar to broadcast traffic
◼ Like selective broadcast: only those that request the traffic get it
◼ Allows a one-to-many communication rather than one-to-one
◼ Unicast sends one packet per destination
◼ Multicast sends one packet for many destinations
[Figure: unicast (one copy per receiver) versus multicast (one copy for the group)]
Multicast - Advantages & Use
◼ Conserves Bandwidth

◼ Uses for multicast


⚫ Resource discovery (OSPF, RIP2, Bootp)
⚫ Multipoint file transfer (Starburst Com.)
⚫ Conferencing: many to many (CuSeeMe)
⚫ Video netcasting (Precept Software IPTV)
⚫ Redundant systems (parallel databases)
⚫ Ghosting Software
⚫ Information distribution in data warehousing
Multicast - Group
◼ Multicast group
⚫ Set of receivers for a multicast transmission
⚫ Identified by a multicast address
⚫ A user that wants to receive multicast transmissions joins the corresponding multicast
group, and becomes a member of that group

◼ IP Multicast service is unreliable (best-effort delivery, no acknowledgements or retransmissions)

◼ A network must have mechanisms to support such applications in an efficient


manner

◼ After a user joins, the network builds the necessary routing paths so that the
user receives the data sent to the multicast group
Multicast - Addressing
◼ Based on Class "D" IP address values
⚫ From 224.0.0.0 to 239.255.255.255
⚫ Allocated by the sending application
⚫ MAC address derived from the IP address: the least significant 23 bits of the IP address are mapped onto the MAC address
 IP multicast address 224.1.2.3 = 01:00:5E:01:02:03

Well-known Class D address examples
224.0.0.xxx – Routing protocols and other low-level topology discovery and maintenance protocols
224.0.0.1   All Systems on this Subnet
224.0.0.2   All Routers on this Subnet
224.0.0.4   DVMRP Routers
224.0.0.5   OSPFIGP All Routers
224.0.0.6   OSPFIGP Designated Routers
224.0.0.9   RIP2 Routers
224.0.0.13  All PIM Routers
224.0.0.18  VRRP
224.0.0.19  IPAllL1ISs
224.0.0.20  IPAllL2ISs
224.0.0.22  IGMP (IGMPv3 membership reports)
224.0.1.xxx – Internetwork control block
232.0.0.0-232.255.255.255 (232/8) – Source-Specific Multicast block
239.xxx.xxx.xxx – Administratively scoped address block

......... (http://www.iana.org/assignments/multicast-addresses)
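The 23-bit mapping above, worked in code. This is an added example, not AOS code: group_to_mac() builds the 01:00:5e MAC address, groups_sharing_mac() lists the 32 class D groups that collapse onto one MAC because address bits 23 to 27 are dropped, and scope() classifies an address against the blocks listed above. The collision is the security-relevant point: anything that filters or forwards on the multicast MAC alone (hardware MAC tables, an L2 static multicast entry) cannot tell 224.1.2.3 from 225.1.2.3 or 239.129.2.3, so a receiver of one group also sees the others.

```python
"""IPv4 multicast group-to-MAC mapping and address scopes. Added example, not AOS code."""
import ipaddress

MCAST_OUI = 0x01005E  # IANA OUI prefix for IPv4 multicast MAC addresses


def group_to_mac(group: str) -> str:
    """Copy the low 23 bits of the class D address under 01:00:5e; bits 23-27 are lost."""
    addr = int(ipaddress.IPv4Address(group))
    if addr >> 28 != 0xE:                      # 224.0.0.0/4
        raise ValueError(f"{group} is not a class D (multicast) address")
    mac = (MCAST_OUI << 24) | (addr & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list:
    """The 32 groups (5 dropped bits, 2**5 values) that land on the same multicast MAC."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


# Blocks from the list above (IANA multicast address assignments)
SCOPES = (
    ("224.0.0.0/24", "local network control (TTL 1, never forwarded by routers)"),
    ("224.0.1.0/24", "internetwork control"),
    ("232.0.0.0/8", "source-specific multicast"),
    ("239.0.0.0/8", "administratively scoped"),
)


def scope(group: str) -> str:
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    for net, name in SCOPES:
        if addr in ipaddress.IPv4Network(net):
            return name
    return "global"


if __name__ == "__main__":
    for g in ("224.1.2.3", "225.1.2.3", "239.255.255.250", "224.0.0.5"):
        print(f"{g:>16} -> {group_to_mac(g)}  [{scope(g)}]")
    print("groups colliding with 224.1.2.3:", ", ".join(groups_sharing_mac("224.1.2.3")))
```

When choosing administratively scoped (239/8) group numbers for an internal application, avoid values whose low 23 bits coincide with 224.0.0.x or other well-known groups, otherwise their frames share a MAC with control traffic that every router and host on the segment accepts.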
Multicast - Routing
◼ Multicast router knows who wants traffic
◼ Finds out who is sending the traffic
◼ Delivers traffic only to those who want it
◼ Routers communicate with each other and with users to gather the information
◼ Sends traffic where it needs to go
◼ Multicast routing deals with networks, not switch ports
⚫ If one host on a network joins that group, all hosts on that network receive the traffic
◼ In the switch, a network = a router port = a VLAN, so the traffic is broadcast on all ports of each network
[Figure: video server on the network backbone, multicast switching, and an IGMP Join from a host on a subnet]
Multicast - Switching - IPMS
◼ Only the clients that join a multicast group receive the multicast packets; the multicast stream is not flooded to ports where no client has joined
◼ More efficient than multicast routing
◼ NI tables contain:
⚫ IP source address
⚫ IP destination address (group address)
⚫ Parent source port number
⚫ List of ports that need to receive the packet
◼ NIs verify that a packet for a given destination address from a certain source arrives on the parent port
◼ If true, switch/route the packet to all ports in the forwarding list
⚫ If false, drop it
[Figure: same topology as the routing slide, with the IGMP Join tracked per switch port on the subnet]
IGMP
IGMP Protocol
◼ The Internet Group Management Protocol (IGMP) is a simple protocol for the support of IP multicast
◼ IGMPv1 is defined in RFC 1112 (IGMPv2 in RFC 2236, IGMPv3 in RFC 3376)
◼ IGMP operates within a single physical network (link-local scope)
◼ IGMP is used by multicast routers to keep track of membership in a multicast group
◼ Support for
 Joining a multicast group
 Querying membership
 Sending membership reports
Multicast IGMP in a nutshell

A multicast stream is offered by one or more multicast servers and required by one or more multicast clients (Receiver_A, Receiver_B, Receiver_C):
◼ The server offers a stream on a multicast address, e.g. 225.0.0.1
◼ A client sends a membership report requesting multicast group 225.0.0.1
◼ One router per LAN is the querier; it sends periodic query messages
◼ The router detects the match and transmits the multicast stream 225.0.0.1 to the client
IGMP Versions
◼ Protocol used by hosts to send control frames to inform the router of the desire to receive traffic from a multicast group
◼ IGMP v1
⚫ Membership Query
⚫ Membership Report
◼ IGMP v2
⚫ Membership Query
 General Query
 Group-Specific Query
⚫ V2 Membership Report (Fast Leave)
⚫ Leave Group
⚫ V1 Membership Report
◼ IGMP v3
⚫ Membership Query
⚫ V3 Membership Report (Explicit Host Tracking)
⚫ V2 Leave Group
⚫ V2 Membership Report
⚫ V1 Membership Report
[Figure: host-to-router exchanges: IGMP membership report (group), IGMP membership query, IGMP Leave Group (v2 only), IGMP group-specific query (v2 only), IGMP source-specific join (v3 only)]
IGMP - Useful Technical Details
◼ IGMP is a protocol confined to the local segment of the LAN

◼ Is never forwarded by any router and thus always has a Time-To-Live (TTL) of 1

◼ IGMP Host Membership Queries are sent to the "All Systems on this Subnet" class
D address (224.0.0.1)

◼ IGMP "Leave Group" messages are sent to the "All Routers on this Subnet" class
D address (224.0.0.2)
IPv6 Multicast - Overview
◼ Multicast Listener Discovery (MLD)
⚫ Used by IPv6 systems (hosts and routers)
⚫ Reporting of IPv6 multicast group memberships to any neighboring multicast routers
 Similar to IGMP for IPv4

◼ MLD messages are sent with
⚫ a link-local IPv6 source address
⚫ a hop limit of one
⚫ IPv6 destination address FF02:0:0:0:0:0:0:16 (FF02::16, all MLDv2-capable routers) for MLDv2 reports

◼ MLD Version 1
⚫ Forwarding by IPv6 multicast destination addresses

◼ MLD Version 2
⚫ Forwarding by source IPv6 addresses and IPv6 multicast destination addresses

◼ OmniSwitch version supported


⚫ MLDv1 and MLDv2
IPMS
Multicast - Switching vs. Routing Decision
◼ Port list is a combination of hosts and peer routers
◼ Destination slot/port can be a downstream router or a client
⚫ Destination port could be in the same or a different VLAN
 If in the same VLAN, switch the packet
 Use the IPMS forwarding table to forward packets to ports
 If in a different VLAN, route the packet
 Use the DVMRP/PIM forwarding table to deliver packets to downstream routers
 Change the source MAC address to the router port MAC address
 Send the packet on the destination port

◼ IPMS
⚫ Intercepts IGMP packets to track membership by port rather than by network
⚫ Two sets of information are combined to tell switches how to forward/route traffic
⚫ Performance is significantly improved because forwarding decisions are made by
hardware

◼ Forwarding tables created by DVMRP, PIM-SM, PIM-DM and IPMS


How Does Multicast Switching Work?

◼ IP Multicast Switching:
⚫ Based on the IGMP query and report messages that are snooped, the switch forwards multicast traffic only to the ports that requested it
◼ Forwarding tables created by IGMP snooping:
Group      Port    Src IP   Vlan
226.0.0.4  1/5/22  1.1.1.2  2
228.1.1.1  1/2/4   2.2.2.3  34
[Figure: IGMP Join (228.1.1.1) arriving on port 1/2/4; a second receiver on port 1/5/22]

Without multicast switching, multicast traffic would be forwarded to the entire VLAN
How Does Multicast Switching Work?
◼ By maintaining this multicast forwarding table, the switch dynamically forwards multicast traffic only to those interfaces that want to receive it, much as normal unicast forwarding does
[Figure: video server and L3 multicast switch; multicast traffic is forwarded only to the port on which the join message was received]

Without multicast switching, multicast traffic would be forwarded to the entire VLAN
Configuring IPMS
◼ The minimum configuration
-> ip multicast admin-state enable

 Enables IP Multicast Switching and Routing globally (on the whole switch)

-> ip multicast vlan 10 admin-state enable

 Enables IP Multicast Switching and Routing on VLAN 10 only; with no vlan keyword the command applies globally

IPMS is disabled by default

Configuring IPMS
◼ The minimum configuration
-> ip multicast querying enable
 Enables or disables IGMP querying on a specific VLAN or globally
 Refers to requesting the network's IGMP group membership information by sending out IGMP
queries

-> ip multicast querier-forwarding enable


 Enables or disables IGMP querier forwarding on the specified VLAN or on the system if no VLAN is
specified.
 Querier-forwarding feature should be enabled if a streaming device is connected to a switch,
which is not a querier
 All multicast traffic is sent to the "Querier" switch



Configuring IPMS - Options
◼ Configuring IGMP Version
-> ip multicast [vlan vid] version [version]

◼ Configuring IGMP Query Interval


-> ip multicast [vlan vid] query-interval [seconds]

◼ Modifying IGMP Query Response Interval


-> ip multicast [vlan vid] query-response-interval [tenths-of-seconds]

◼ Modifying IGMP Last Member Query Interval


-> ip multicast [vlan vid] last-member-query-interval [tenths-of-seconds]

◼ Configuring IGMP Expire Router Timeout


-> ip multicast [vlan vid] router-timeout [seconds]

◼ Enabling Multicast Zapping


-> ip multicast [vlan vid] zapping [{enable | disable}]
IPMS Monitoring - IGMP Group Membership Table Entries

-> show ip multicast group

Total 2 Groups

Group Address   Source Address  VLAN  Port  Mode     Static  Count  Life
---------------+---------------+-----+-----+--------+-------+------+-----
225.0.0.101     0.0.0.0         1     1/1   exclude  no      49     239
225.0.0.102     0.0.0.0         1     1/1   exclude  no      49     243
239.255.255.250 0.0.0.0         1     1/1   exclude  no      48     241
239.255.255.250 0.0.0.0         1     1/24  exclude  no      45     239

◼ Group Address
⚫ IP address of the IP multicast group
◼ Source Address
⚫ IP address of the IP multicast source
◼ VLAN
⚫ VLAN associated with the IP multicast group
◼ Port
⚫ Slot and port number of the IP multicast group
◼ Mode
⚫ IGMP source filter mode
◼ Static
⚫ Whether it is a static multicast group or not
◼ Count
⚫ Number of IGMP membership requests made
◼ Life
⚫ Life time of the IGMP group membership
IPMS Monitoring - IGMP Neighbor Table Entries

-> show ip multicast neighbor


Total 2 Neighbors

Host Address VLAN Port Static Count Life


---------------+-----+-----+-------+------+-----
192.168.10.2 10 1/24 no 76 61
192.168.10.3 10 1/24 no 75 60

◼ Host Address
⚫ IP address of the IP multicast neighbor
◼ VLAN
⚫ VLAN associated with the IP multicast neighbor
◼ Port
⚫ Slot and port number of the IP multicast neighbor
◼ Static
⚫ Whether it is a static IP multicast neighbor or not
◼ Count
⚫ Displays the count of IP multicast neighbor
◼ Life
⚫ Life time of the IP multicast neighbor
IPMS Monitoring - Forwarding Table
-> show ip multicast forward
Total 2 Forwards

Ingress Egress
Group Address Host Address Tunnel Address VLAN Port VLAN Port
---------------+---------------+---------------+-----+-----+-----+-----
225.0.0.101 192.168.100.10 0.0.0.0 1 2/1 1 2/24
225.0.0.102 192.168.100.10 0.0.0.0 1 2/1 1 2/24

◼ Group Address
⚫ IP group address of the IP multicast forward

◼ Host Address
⚫ IP host address of the IP multicast forward

◼ Tunnel Address
⚫ IP source tunnel address of the IP multicast forward

◼ VLAN
⚫ VLAN associated with the IP multicast forward

◼ Port
⚫ Slot and port number of the IP multicast forward
L2 Static Multicast
◼ Configures a static multicast MAC address and assigns the address to one or
more egress ports
⚫ Packets received on ports associated with the specified VLAN that contain a
destination MAC address that matches the static multicast address are forwarded to
the specified egress ports

◼ Static multicast MAC addresses maintained in the Source Learning MAC address
table
-> mac-address-table static-multicast mac-address port_id vlan_id
 used to define a destination multicast MAC address and assign the address to one or more egress
ports within a specified VLAN

-> mac-address-table static-multicast 01:25:9a:5c:2f:10 1/1/24 20


 Assigns the multicast address 01:25:9a:5c:2f:10 to port 1/1/24 in VLAN 20
IGMP - Relay
◼ IGMP Forwarding to Specific Host in L3 Environment
⚫ Encapsulates IGMP packets in an IP packet to a special device/server
 Specifies the destination IP address of a relay host where IGMP host reports and Leave messages
are to be sent
 Notified multicast server forwards a new multicast stream when a subscriber has joined the new
group without relying on the L3 multicast network (e.g. PIM) to propagate this event

Create the helper address


-> ip multicast helper-address 11.107.61.132
Display Helper address information
-> show ip multicast
Status = enabled,
Querying = enabled,
Proxying = disabled,
Spoofing = enabled,
Zapping = disabled,
Querier Forwarding = enabled,
Flood Unknown = enabled,
Version = 3,
Robustness = 2,
Query Interval (seconds) = 125,
Query Response Interval (tenths of seconds) = 100,
Last Member Query Interval (tenths of seconds) = 10,
Unsolicited Report Interval (seconds) = 1,
Router Timeout (seconds) = 90,
Source Timeout (seconds) = 30,
Max-group = 0,
Max-group action = none
Helper-address = 11.107.61.132
IGMP Throttling
◼ Configures the maximum group limit learned per VLAN, per port or globally
⚫ Global

-> ip multicast max-group [num] [action {none | drop | replace}]

⚫ VLAN

-> ip multicast vlan vid max-group [num] [action {none | drop | replace}]

⚫ Port
 Applicable for all VLAN instances of the port
 Per port limit overrides VLAN and global configuration
-> ip multicast port slot/port max-group [num] [action {none | drop | replace}]

⚫ Actions
 None. Disables the maximum group limit configuration
 Drop. Drops the incoming membership request
 Replace. Replaces an existing membership with the incoming membership request
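The limit precedence (port over VLAN over global) and the three actions above, modelled in Python as an added example that is not AOS code: the membership table, the limit values and the port and VLAN names are constructed, and because the page does not say which existing membership `replace` evicts, the model assumes the oldest one.

```python
"""Model of the OmniSwitch IGMP max-group limit (added example, not AOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Actions as named in the CLI: none | drop | replace
NONE, DROP, REPLACE = "none", "drop", "replace"


@dataclass
class Limit:
    max_group: int      # 0 = no limit, the AOS default shown as "Max-group = 0"
    action: str = NONE  # "Max-group action = none" is the default


@dataclass
class IgmpThrottler:
    """In-memory stand-in for the switch's IGMP membership table (constructed)."""
    global_limit: Limit = field(default_factory=lambda: Limit(0, NONE))
    vlan_limits: Dict[int, Limit] = field(default_factory=dict)
    port_limits: Dict[str, Limit] = field(default_factory=dict)
    # (port, vlan) -> group addresses in the order they were learned
    members: Dict[Tuple[str, int], List[str]] = field(default_factory=dict)

    def effective_limit(self, port: str, vlan: int) -> Limit:
        """Per-port limit overrides the VLAN limit, which overrides the global one."""
        if port in self.port_limits:
            return self.port_limits[port]
        if vlan in self.vlan_limits:
            return self.vlan_limits[vlan]
        return self.global_limit

    def report(self, port: str, vlan: int, group: str) -> str:
        """Process one IGMP membership report and say what the switch did."""
        groups = self.members.setdefault((port, vlan), [])
        if group in groups:
            return "refreshed"          # existing membership, no new entry needed
        limit = self.effective_limit(port, vlan)
        # max-group 0 or action none: the limit is not enforced
        if limit.max_group == 0 or limit.action == NONE or len(groups) < limit.max_group:
            groups.append(group)
            return "learned"
        if limit.action == DROP:
            return "dropped"            # incoming request ignored, table unchanged
        # REPLACE: assumption for this model, the oldest membership gives way
        evicted = groups.pop(0)
        groups.append(group)
        return f"replaced {evicted}"

    def groups(self, port: str, vlan: int) -> List[str]:
        return list(self.members.get((port, vlan), []))


if __name__ == "__main__":
    t = IgmpThrottler(global_limit=Limit(1, DROP))
    t.vlan_limits[30] = Limit(2, REPLACE)
    t.port_limits["1/1/2"] = Limit(3, DROP)
    for g in ("231.1.1.5", "239.255.255.250", "231.1.1.6"):
        print("2/1/2 vlan 30", g, "->", t.report("2/1/2", 30, g))
```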
Storm Control
◼ Configuration of different thresholds for each type of storm/flood traffic
⚫ Broadcast
⚫ Multicast
⚫ Unknown Unicast

◼ Thresholds configuration
 rate % num: rate in % of the port speed
 rate mbps num : rate in true mbits per sec
 rate pps num : rate in packet per sec

-> interfaces {slot/port | slot | s/p1-p2} flood [broadcast | multicast | unknown-unicast | all] {enable|disable}

-> interfaces {slot/port | slot | s/p1-p2} flood [broadcast | multicast | unknown-unicast | all] rate {percentage num | mbps num | pps num}

-> interfaces {slot/port | slot | s/p1-p2} flood rate {% num | mbps num | pps num}

-> show interfaces 1/17 flood rate

Slot/ Bcast Bcast Bcast Ucast Ucast Ucast Mcast Mcast Mcast
Port Value Type Status Value Type Status Value Type Status
-----+-------------+-----+---------+----------+-----+-----------+----------+-----+--------
1/17 496 mbps enable 496 mbps enable 496 mbps disable
Load balancing multicast on Link Aggregation
◼ Multicast traffic is by default forwarded through the primary port of the Link
Aggregation Group

◼ Option to enable hashing for non-unicast traffic, which will load balance the
non-unicast traffic across all ports in the Link Aggregation
⚫ If non-ucast option is not specified, link aggregation will only load balance unicast
packets

-> hash-control {brief | extended [udp-tcp-port] | load-balance non-ucast {enable | disable}}

-> show hash-control


Hash Mode = brief,
Udp-Tcp-Port = disabled

-> show hash-control non-ucast


Non-ucast Hash Status = Disabled
Initial Multicast Packet Buffering
◼ Avoids loss of first multicast packets in a routed environment

-> ip multicast initial-packet-buffer admin-state enable (default: disable)

-> ipv6 multicast initial-packet-buffer admin-state enable

◼ Maximum number of multicast packets that can be buffered per multicast stream

-> ip multicast initial-packet-buffer max-packet (1 to 10) (default: 4)

-> ipv6 multicast initial-packet-buffer max-packet

◼ Enables or disables initial packet buffering for IPv4 and IPv6 multicast flows on
the specified VLAN or globally on the switch.
-> ip multicast [vlan vlan_id[-vlan_id2]] initial-packet-buffer admin-state {enable | disable}

-> ipv6 multicast [vlan vlan_id[-vlan_id2]] initial-packet-buffer admin-state {enable | disable}


OmniSwitch AOS R8
Multicast switching

How to
✓ This lab is designed to familiarize you with the IP multicast switching
capability on the OmniSwitch family of products

Contents
1 Topology ......................................................................................... 2
2 IP Multicast Switching ........................................................................ 3
2.1. Without IPMS enabled ............................................................................. 3
2.2. IP Multicast Switching (IPMS) enabled .......................................................... 5
2
Multicast switching

1 Topology
Multicast switching is used to efficiently handle multicast traffic by forwarding multicast packets only to the
switch ports that need to receive them

- The configuration for multicast switching is simple, requiring only that the switches be bridged together.
A multicast stream will then be started at the multicast server.
- For this lab, we will have 3 clients connected on the same VLAN.
- Check VLAN 30 members on 6360-A:

sw5 (6360-A) -> show vlan 30 members


port type status
----------+-----------+---------------
1/1/2 default forwarding
2/1/2 default forwarding
0/7 qtagged dhl-blocking
0/8 qtagged forwarding

sw8 (6860-B) -> show vlan 30 members


port type status
----------+-----------+---------------
0/8 qtagged forwarding
0/78 qtagged forwarding

sw8 (6860-B) -> vlan 30 members port 1/1/1 untagged

sw8 (6860-B) -> show vlan 30 members


port type status
----------+-----------+---------------
1/1/1 default forwarding
0/7 qtagged forwarding
0/78 qtagged forwarding

- Get the IP addresses that the clients retrieved from the DHCP server (ipconfig /all).

Client 8:

Client 9:

Client 10:

- Try to ping each client from each other to ensure L2 connectivity



2 IP Multicast Switching

2.1. Without IPMS enabled

- Before you begin, notice that Multicast Switching is disabled by default:

sw5 (6360-A) -> show ip multicast


Profile = default,
Status = disabled,
Flood Unknown = disabled,
-----

sw7 (6860-A) -> show ip multicast


Profile = default,
Status = disabled,
Flood Unknown = disabled,

sw8 (6860-B) -> show ip multicast


Profile = default,
Status = disabled,
Flood Unknown = disabled,

- Reset all Layer 2 statistics counters:

sw5 (6360-A) -> clear interfaces 2/1/2 l2-statistics


sw5 (6360-A) -> clear interfaces 1/1/2 l2-statistics

sw8 (6860-B) -> clear interfaces 1/1/1 l2-statistics

sw5 (6360-A) -> show interfaces 2/1/2


Chassis/Slot/Port : 2/1/2
Operational Status : up,
Port-Down/Violation Reason: None,
Last Time Link Changed : Sat Jul 3 04:16:15 2021,
Number of Status Change : 1,
Type : Ethernet,
SFP/XFP : N/A,
Interface Type : Copper,
EPP : Disabled,
Link-Quality : N/A,
MAC address : 94:24:e1:7c:79:6c,
BandWidth (Megabits) : 100, Duplex : Full,
Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 1552,
Inter Frame Gap(Bytes) : 12,
loopback mode : N/A,
Rx :
Bytes Received : 0, Unicast Frames : 0,
Broadcast Frames: 0, M-cast Frames : 0,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Error Frames : 0,
CRC Error Frames: 0, Alignments Err : 0,
Tx :
Bytes Xmitted : 0, Unicast Frames : 0,
Broadcast Frames: 0, M-cast Frames : 3,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Collided Frames: 0,
Error Frames : 0, Collisions : 0,
Late collisions : 0, Exc-Collisions : 0

- Open the “send” application on client 8's desktop and fill in the tool window as shown below.
This tool generates multicast IP packets with destination IP address (multicast group) 231.1.1.5 on
stream01.

- Click on start

- As the packets are sent, check the counters on the VLAN 30 interfaces of 6360-A:

sw5 (6360-A) -> show interfaces 2/1/2


Chassis/Slot/Port : 2/1/2
Operational Status : up,
Port-Down/Violation Reason: None,
Last Time Link Changed : Tue Jul 6 23:03:13 2021,
Number of Status Change : 3,
Type : Ethernet,
SFP/XFP : N/A,
Interface Type : Copper,
EPP : Disabled,
Link-Quality : N/A,
MAC address : 94:24:e1:7c:79:6d,
BandWidth (Megabits) : 100, Duplex : Full,
Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 1552,
Inter Frame Gap(Bytes) : 12,
loopback mode : N/A,
Rx :
Bytes Received : 1811, Unicast Frames : 13,
Broadcast Frames: 1, M-cast Frames : 0,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Error Frames : 0,
CRC Error Frames: 0, Alignments Err : 0,
Tx :
Bytes Xmitted : 33985, Unicast Frames : 15,
Broadcast Frames: 5, M-cast Frames : 387,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Collided Frames: 0,
Error Frames : 0, Collisions : 0,
Late collisions : 0, Exc-Collisions : 0

sw5 (6360-A) -> show interfaces 1/1/2



Chassis/Slot/Port : 1/1/2
Operational Status : up,
Port-Down/Violation Reason: None,
Last Time Link Changed : Tue Jul 6 02:14:48 2021,
Number of Status Change : 1,
Type : Ethernet,
SFP/XFP : N/A,
Interface Type : Copper,
EPP : Disabled,
Link-Quality : N/A,
MAC address : 94:24:e1:7c:82:25,
BandWidth (Megabits) : 100, Duplex : Full,
Autonegotiation : 1 [ 1000-F 100-F 100-H 10-F 10-H ],
Long Frame Size(Bytes) : 1552,
Inter Frame Gap(Bytes) : 12,
loopback mode : N/A,
Rx :
Bytes Received : 4020, Unicast Frames : 21,
Broadcast Frames: 2, M-cast Frames : 0,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Error Frames : 0,
CRC Error Frames: 0, Alignments Err : 0,
Tx :
Bytes Xmitted : 49924, Unicast Frames : 18,
Broadcast Frames: 13, M-cast Frames : 705,
UnderSize Frames: 0, OverSize Frames: 0,
Lost Frames : 0, Collided Frames: 0,
Error Frames : 0, Collisions : 0,
Late collisions : 0, Exc-Collisions : 0

- As you can see in the capture below, by default multicast traffic is flooded to all the ports in the same
VLAN as the source.

2.2. IP Multicast Switching (IPMS) enabled

- Next, enable IP Multicast Switching (IPMS). With IPMS enabled only ports with devices that requested to
see the stream will have it forwarded. Without it, multicast traffic would be treated as a broadcast and
sent to all ports in the VLAN.

- Open the “send” application on client 6's desktop and fill in the tool window as shown below.
This tool generates multicast IP packets with destination IP address (multicast group) 233.1.1.5.

- Enable Multicast Switching:

sw5 (6360-A) -> ip multicast admin-state enable


sw7 (6860-A) -> ip multicast admin-state enable
sw8 (6860-B) -> ip multicast admin-state enable

- Reset all Layer 2 statistics counters

sw5 (6360-A) -> clear interfaces 2/1/1-2 l2-statistics


sw5 (6360-A) -> clear interfaces 1/1/2 l2-statistics

sw8 (6860-B) -> clear interfaces 1/1/1 l2-statistics



- Check the configuration on the three switches:


sw5 (6360-A) -> show ip multicast
Profile = default,
Status = enabled,

sw7 (6860-A) -> show ip multicast


Profile = default,
Status = enabled,

sw8 (6860-B) -> show ip multicast


Profile = default,
Status = enabled,

sw5 (6360-A) -> clear interfaces 2/1/1-2 l2-statistics


sw5 (6360-A) -> clear interfaces 1/1/2 l2-statistics

- On 6860-B (the switch the multicast server is connected to), enable Multicast Querying:

6860-B -> ip multicast querying enable

- On 6360-A and both 6860, enable Querier Forwarding:

6360-A -> ip multicast querier-forwarding enable


6860-A -> ip multicast querier-forwarding enable
6860-B -> ip multicast querier-forwarding enable

- From client 8, restart the application “send” to send multicast traffic.



- Open the “receive” application on client 9's desktop to subscribe to the multicast traffic (IP address
(multicast group) 233.1.1.5).

- Check multicast forward and group on 6360-A switch

sw5 (6360-A) -> show ip multicast forward


Total 0 Forwards

Ingress Egress
Group Address Host Address Tunnel Address Vlan/Service Vlan/Service Interface
---------------+---------------+---------------+--------------+--------------+----------------------

sw5 (6360-A) -> show ip multicast group


Total 4 Groups

Group Address Source Address Vlan/Service Interface Mode Static Count Life
---------------+---------------+--------------+----------------------+--------+-------+------+-----
231.1.1.5 0.0.0.0 vlan 30 1/1/2 exclude no 3 254
239.255.255.250 0.0.0.0 vlan 30 1/1/2 exclude no 3 227
239.255.255.250 0.0.0.0 vlan 30 2/1/1 exclude no 3 226
239.255.255.250 0.0.0.0 vlan 30 2/1/2 exclude no 4 231

- This shows all IGMP requests seen by the switch


Notes
239.255.255.250 is the multicast address of SSDP (Simple Service Discovery Protocol), the basis of the
discovery protocol of Universal Plug and Play (UPnP).

- Check also multicast forward and group on 6860-B :

sw8 (6860-B) -> show ip multicast forward


Total 1 Forwards
Ingress Egress
Group Address Host Address Tunnel Address Vlan/Service Vlan/Service Interface
---------------+---------------+---------------+--------------+--------------+----------------------
231.1.1.5 0.0.0.0 0.0.0.0 vlan 30 vlan 30 0/8

sw8 (6860-B) -> show ip multicast group

Total 4 Groups

Group Address Source Address Vlan/Service Interface Mode Static Count Life
---------------+---------------+--------------+----------------------+--------+-------+------+-----
239.255.255.250 0.0.0.0 vlan 20 0/78 exclude no 7 239
239.255.255.250 0.0.0.0 vlan 30 1/1/1 exclude no 7 245
231.1.1.5 0.0.0.0 vlan 30 0/8 exclude no 5 245
239.255.255.250 0.0.0.0 vlan 30 0/8 exclude no 14 245

- Check also multicast forward and group on 6860-A :

sw7 (6860-A) -> show ip multicast forward


Total 0 Forwards

Ingress Egress
Group Address Host Address Tunnel Address Vlan/Service Vlan/Service Interface
---------------+---------------+---------------+--------------+--------------+----------------------

sw7 (6860-A) -> show ip multicast group


Total 1 Groups

Group Address Source Address Vlan/Service Interface Mode Static Count Life
---------------+---------------+--------------+----------------------+--------+-------+------+-----
239.255.255.250 0.0.0.0 vlan 20 0/7 exclude no 6 196
OmniSwitch AOS R8

Distance Vector Multicast Routing Protocol


Lesson summary

At the end of this presentation, you will be able to

◼ Describe the following Multicast Features:
⚫ Distance Vector Multicast Routing (DVMRP)
AOS Specifications
◼ Distance Vector Multicast Routing Protocol
◼ Similar to RIP
◼ Infinity = 32 hops
◼ Subnet masks in route advertisements
◼ 1 Multicast Protocol per Interface (PIM or DVMRP)
◼ 128 interfaces
◼ 256 neighbors

◼ RFCs Supported
⚫ 2667 – IP Tunnel MIB
◼ Internet Drafts
⚫ DVMRP MIB
 Draft-ietf-idmr-dvmrp-v3-11.txt
◼ DVMRP Attributes
⚫ Reverse Path Multicasting
⚫ Neighbor Discovery
⚫ Multicast Source Location
⚫ Route Report Messages
⚫ Distance Metrics
⚫ Dependent Downstream Routers
⚫ Poison Reverse
⚫ Pruning
⚫ Grafting
⚫ DVMRP Tunnels
Overview
◼ DVMRP Version 3.255 supported
⚫ V3 backward compatible with V1

◼ Supports IP Tunneling
⚫ Unicast connection between two IP Multicast routers for traversing non-multicast
devices

◼ Reverse Path Multicasting


⚫ If a packet arrived on an upstream interface that would be used to transmit packets
back to the source, it is forwarded to the appropriate list of downstream interfaces.
⚫ Otherwise, it is not on the optimal delivery tree and is discarded. In this way,
duplicate packets can be filtered when loops exist in the network topology.

◼ Source location
⚫ Look up route to source to determine which interface to accept traffic on
⚫ The Unicast routing table is propagated
⚫ Split horizon is used (don’t propagate routes on the interface that you learned them
from)
Neighbor Discovery
◼ DVMRP Probe packet

◼ Periodic multicast group address packet

◼ Multicast address packets via 224.0.0.4 (All-DVMRP Routers)

(Figure: routers R1, R2 and R3 with a Server and a Client; R1 sends a Probe for neighbor discovery)

-> show ip dvmrp neighbor
Neighbor Address Vlan Uptime Expires GenID Version State
---------------+-----+-----------+-----------+---------+---------+-------
143.209.92.214 2 00h:09m:12s 00h:00m:06s 546947509 3.255 active
Flood and Prune
◼ Flood and Prune Protocol
⚫ Multicast traffic is flooded to all downstream routers
 This can be efficient if there are a large number of recipients.
⚫ Routers that do not have clients registered to receive traffic will send a DVMRP prune message

(Figure: Flood, Prune and Traffic phases)
◼ Grafting:
⚫ Adding a branch to multicast traffic delivery
⚫ If new IGMP membership requests are received, the router sends a “graft” message
 Graft is only used after a prune
 Waits for “graft ack”
 If no ack, re-send
 When prune times out, upstream router starts flooding traffic again (7200 sec.)
⚫ Router receives message, duplicates and sends it to local subscribers, and sends it on (if necessary)

(Figure: New Tree; Graft messages sent upstream as New Clients join)

RPM - Forwarding Table

(Figure: Server, R1, R2, R3 and Client; DVMRP Forwarding Table on the router)

-> show ip multicast forwarding
Source Destination
Mcast Group Source IP Type VLAN Slot/Port Type VLAN Slot/Port
------------+-------------+----+----+---------+----+---+----------
224.2.190.33 211.200.1.102 NATV 3 1/13 NATV 2 1/5
224.2.190.33 211.200.1.102 NATV 3 1/13 NATV 4 1/11
224.2.246.33 141.100.1.100 NATV 4 1/11 NATV 2 1/5
Routing Table

(Figure: Server, R1, R2, R3 and Client; Route Exchange between the routers)

-> show ip dvmrp route


Address/Mask Gateway Metric Age Expires Flags
--------------+---------+-----+-----------+---------+-----
11.0.0.0/8 55.0.0.5 2 00h:13m:14s 02m:07s R
22.0.0.0/8 44.0.0.4 2 10h:33m:14s 02m:15s R
44.0.0.0/8 - 10 5h:24m:59s - L
CLI Configuration
◼ Minimum configuration

-> ip load dvmrp


-> ip dvmrp interface <interface_name>
-> ip dvmrp admin-state enable

-> show ip dvmrp interface


-> show ip dvmrp
-> …
OmniSwitch AOS R8

Protocol Independent Multicast (PIM)


Module Objectives

At the end of this presentation, you will be able to

◼ Describe the Protocol Independent Multicast Routing Protocols
⚫ Protocol Independent Multicast-Sparse Mode and Protocol Independent Multicast-Dense Mode
⚫ Operations and configuration
PIM - Sparse Mode (PIM-SM)
AOS Specifications
◼ Protocol Independent Multicast – Sparse Mode version 2

◼ RFCs Supported
⚫ 2362 - Protocol Independent Multicast-Sparse Mode (PIM-SM) Protocol Specification
⚫ 2934 - Protocol Independent Multicast MIB for IPv4
⚫ 2932 - IPv4 Multicast Routing MIB
⚫ 3973 - Protocol Independent Multicast-Dense Mode (PIM-DM)
⚫ 3376 - Internet Group Management Protocol
⚫ 4601 - Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification (Revised)

◼ 128 interfaces

◼ Maximum RPs allowed in a PIM-SM domain
⚫ 100 (default value is 32)

◼ 1 multicast protocol per interface (PIM or DVMRP)

PIM-SM - Protocol Overview
◼ PIM-SM is not a flood and prune mechanism. It requires explicit joins.
◼ PIM-SM relies on the underlying IGP protocols to make its routing decisions.
◼ It uses a Rendezvous Point (RP) as a shared tree where sources send data to the RP who distributes the data to receivers using a shared tree.

◼ PIM-SM, like all multicast protocols, uses Reverse Path Forwarding (RPF).

◼ RPF = Forward a multicast packet only if it is received on an interface that is used by the router to route to the source.

(Figure: Source 1 and routers A, B, C, D joined by links of cost 100 and 1000, with receivers A1, C1 and D1)
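The RPF rule stated for DVMRP (Overview, Reverse Path Multicasting) and again here for PIM-SM, as an added Python example that is not OmniSwitch code: the unicast routing entries, interface names, addresses and the per-group outgoing-interface list are constructed for illustration, and the lookup is a plain longest-prefix match over that table.

```python
"""Reverse Path Forwarding check as described on the slides (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, outgoing interface)

# Constructed unicast RIB: a default route plus two overlapping prefixes,
# so the longest-prefix match actually matters.
SAMPLE_RIB: List[Route] = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "vlan3"),
    (ipaddress.IPv4Network("192.168.100.0/24"), "vlan100"),
    (ipaddress.IPv4Network("192.168.100.128/25"), "vlan101"),
]

# Constructed downstream interface list per group (the "appropriate list of
# downstream interfaces" of the DVMRP slide, the outgoing interface list in PIM).
SAMPLE_OIL: Dict[str, List[str]] = {
    "225.0.0.101": ["vlan3", "vlan100", "vlan2"],
}


def rpf_interface(rib: List[Route], source: str) -> Optional[str]:
    """Interface the router would use to send unicast traffic back towards
    the source, found by longest-prefix match; this is the RPF interface."""
    src = ipaddress.IPv4Address(source)
    best: Optional[Route] = None
    for prefix, iface in rib:
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def rpf_forward(rib: List[Route], oil: Dict[str, List[str]],
                source: str, group: str, in_iface: str) -> List[str]:
    """Interfaces a (source, group) packet arriving on in_iface is forwarded to.

    An empty list means the packet is discarded: either it arrived on an
    interface other than the RPF interface (a duplicate travelling around a
    loop, or an unknown source), or the group has no downstream interfaces.
    """
    if rpf_interface(rib, source) != in_iface:
        return []                         # not on the optimal delivery tree
    # never send the packet back out the interface it came in on
    return [i for i in oil.get(group, []) if i != in_iface]


if __name__ == "__main__":
    for iface in ("vlan100", "vlan3"):
        out = rpf_forward(SAMPLE_RIB, SAMPLE_OIL, "192.168.100.100", "225.0.0.101", iface)
        print(f"packet in on {iface}: {'forward to ' + str(out) if out else 'discard'}")
```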
Neighbor Discovery & Designated Router
◼ Neighbor Discovery

◼ PIM Hello
⚫ Periodic multicast group address packet (224.0.0.13 = ALL-PIM-ROUTERS group)
⚫ TTL = 1
⚫ Default = 30 seconds

◼ Designated Router (DR)
⚫ One per subnet, sends join messages to RP
⚫ Election based on:
 Highest Priority
 Highest IP address

◼ If the “DR” times out, a new “DR” is elected

◼ Interface is added to egress interface list for all groups when first neighbor is
heard

(Figure: three PIM routers on one subnet exchanging PIM Hello messages)
PIM-SM - Rendezvous Point Tree (RPT)
◼ Rendezvous Point (RP)
⚫ Common forwarding router for a shared distribution tree
⚫ Each group has a RP
⚫ Receivers send explicit join message to RP
⚫ Each source sends multicast data packets encapsulated in unicast packets to RP (Register message).
⚫ RP can be configured statically

◼ Or dynamically through a Bootstrap router
⚫ Robustness: When the primary RP goes down, bootstrap protocol can select an alternate RP
⚫ A Candidate Rendezvous Point (C-RP) sends periodic C-RP advertisements to the BSR

◼ Shared Distribution Tree / Rendezvous Point Tree (RPT)
⚫ The distribution tree for multicast traffic

(Figure: Server sending to 224.2.190.33, R1, R2 acting as RP 172.39.2.2 (ports 7/11 and 5/3), R3, R4 and Client; Register message from R1 to the RP, PIM Join from R3/R4 towards the RP, IGMP from the Client, Multicast Traffic down the RPT)

-> show ip multicast forwarding
Source Destination
Mcast Group Source IP Type VLAN Slot/Port Type VLAN Slot/Port
------------+-----------+-----+----+----------+----+----+-----
224.2.190.33 172.39.2.2 NATV 3 7/11 NATV 2 5/3
PIM-SM - Shortest Path Tree (SPT)
◼ Once the last-hop router receives traffic from the RP along the RPT, it sends a
PIM join message towards the source of traffic.
◼ This forms the shortest path tree (SPT), which is rooted at the first-hop router
closest to the source.

(Figure: Server, R1, R2 (RP 172.39.2.2), R3, R4 and Client; (S,G) join and PIM Join sent towards the source, Multicast Traffic following the SPT)
PIM-SM - SPT Switchover
◼ Once the multicast traffic goes along the SPT, the last-hop router generates a
PIM prune message towards the RP.
◼ The RP stops sending multicast traffic along the RPT and generates a Register-
Stop message that is sent to the first-hop router
◼ The first-hop router stops the encapsulation of the multicast traffic that was
sent to the RP and forwards the traffic along the SPT.
◼ The switchover is initiated automatically by the last-hop DR
◼ SPT status is enabled by default

(Figure: Server, R1, R2 (RP 172.39.2.2), R3, R4 and Client; Register-Stop from the RP to R1, PIM Prune towards the RP, Multicast Traffic along the SPT)
Bootstrap Router
◼ BootStrap Router (BSR)
⚫ Keeps routers in network up to date on reachable C-RPs

◼ Candidate Bootstrap Router (C-BSR)
⚫ Eligible to become a BSR

◼ Bootstrap election mechanism
⚫ Multiple routers configured with a priority
⚫ While only a single BSR can be operational at one time, other routers are available to
take over in the event of a failure

◼ C-RP periodically sends out C-RP advertisements
⚫ When a BSR receives one of these advertisements, the associated C-RP is
considered reachable (if it has a valid route)
⚫ BSR then periodically sends its RP set to neighboring routers in the form of a
Bootstrap message

(Figure, message sequence: 1. Bootstrap (I want to be BSR); 2. Bootstrap (I am the new BSR); 3. C-RP (I want to be RP for this group))
Bootstrap Router
◼ Calculation steps for selecting the RP
⚫ RP set = list of reachable C-RPs
⚫ Locate all RPs in the RP-Set associated with the most specific advertised group range for
the specific group in the PIM Join message
 All devices with the best priority (lowest value)
 Highest hash value, computed from the group address, the RP address and the advertised
hash mask: elect the RP with the highest hash value
 RP with the highest IP address

(Figure, step 5: RP-Set (list of C-RP/Group) with RP and Group columns)
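The selection steps above carried out in Python, as an added example that is not OmniSwitch code. The hash is the one RFC 4601 (section 4.7.2) specifies for the RP-Set, the hash mask length 30 matches the show ip pim cbsr output on the monitoring slides, and the RP-Set entries are constructed from the addresses used on this page.

```python
"""RP selection from an RP-Set (added example; RFC 4601 hash, constructed RP-Set)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CandidateRP:
    rp: str          # C-RP address
    group: str       # advertised group range, e.g. "225.0.0.0/8"
    priority: int    # 0..255, lower value is better


# Constructed RP-Set, loosely modelled on the show ip pim group-map output
SAMPLE_RP_SET: List[CandidateRP] = [
    CandidateRP("192.168.3.1", "225.0.0.0/8", 20),
    CandidateRP("192.168.3.2", "225.0.0.0/8", 30),
    CandidateRP("192.168.3.2", "228.0.0.0/8", 192),
]


def rp_hash(group: str, hash_mask_len: int, rp: str) -> int:
    """RFC 4601 hash: Value(G,M,C) = (1103515245*((1103515245*(G&M)+12345) XOR C)+12345) mod 2^31.
    Groups that agree in their top hash_mask_len bits hash to the same value,
    so consecutive groups are kept on the same RP."""
    g = int(ipaddress.IPv4Address(group))
    m = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    c = int(ipaddress.IPv4Address(rp))
    return (1103515245 * ((1103515245 * (g & m) + 12345) ^ c) + 12345) % (2 ** 31)


def selection_key(group: str, hash_mask_len: int, cand: CandidateRP) -> Tuple[int, int]:
    """Tie-break order after priority: highest hash, then highest RP address."""
    return rp_hash(group, hash_mask_len, cand.rp), int(ipaddress.IPv4Address(cand.rp))


def select_rp(rp_set: List[CandidateRP], group: str,
              hash_mask_len: int = 30) -> Optional[CandidateRP]:
    """Apply the slide's steps: most specific range, best priority, hash, address."""
    g = ipaddress.IPv4Address(group)
    matching = [c for c in rp_set if g in ipaddress.IPv4Network(c.group)]
    if not matching:
        return None                       # no C-RP covers this group
    # keep only the C-RPs advertising the most specific (longest) group range
    longest = max(ipaddress.IPv4Network(c.group).prefixlen for c in matching)
    matching = [c for c in matching if ipaddress.IPv4Network(c.group).prefixlen == longest]
    # keep only the best (lowest) priority
    best_prio = min(c.priority for c in matching)
    matching = [c for c in matching if c.priority == best_prio]
    # highest hash value wins, highest IP address breaks a remaining tie
    return max(matching, key=lambda c: selection_key(group, hash_mask_len, c))


if __name__ == "__main__":
    for grp in ("225.0.0.101", "228.1.1.1", "226.1.1.1"):
        print(grp, "->", select_rp(SAMPLE_RP_SET, grp))
```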


PIM - Dense Mode (PIM-DM)
PIM-DM - Overview
◼ Protocol Independent Multicast – Dense Mode

◼ Designed for networks with many receivers

◼ Flood and Prune operation similar to DVMRP


⚫ Does flood all multicast traffic initially
⚫ Performs reverse path forwarding (RPF)

◼ Fully integrated with the existing PIM Sparse Mode


⚫ Still relies on unicast routing protocols such as RIP and OSPF
⚫ Same packet formats as PIM-SM
⚫ Re-using “pim” configuration
⚫ No periodic joins transmitted, only explicitly triggered prunes and grafts
⚫ No Rendezvous Point (RP)
PIM-DM - Flood and Prune

◼ Traffic is flooded throughout the entire network
◼ Routers receive multicast traffic on RPF interfaces
◼ Routers forward to their neighbors
◼ Packets received on non-RPF interfaces are dropped

◼ PIM Prunes are sent to stop unwanted traffic
◼ Multicast Traffic flows through network
◼ The tree is pruned
◼ Prunes timeout in 3 minutes

◼ Traffic is flooded throughout the entire network
◼ Prune process takes place
◼ Flood & Prune process repeats every 3 minutes

(Figure: Server and several Clients; traffic first flooded everywhere, then the tree pruned)
Operation and configuration
PIM - CLI
◼ Minimum configuration

PIM-SM & SSM


-> ip load pim
-> ip pim interface <interface_name >
-> ip pim ssm group group_address/prefix_length [[no] override] [priority priority]
-> ip pim candidate-rp rp_address group-address/prefix_length [priority priority]
[interval seconds]
-> ip pim cbsr <interface_address >
-> ip pim sparse admin-state enable

PIM-DM
-> ip load pim
-> ip pim interface <interface_name>
-> ip pim dense group group_address/prefix_length [[no] override] [priority priority]
-> ip pim dense admin-state enable
PIM-SM - Advanced Configuration
◼ Candidate Bootstrap Routers (C-BSRs)
-> ip pim cbsr 192.168.3.1 priority 0
 Highest Priority value (0 to 255, default=64) –> Highest IP address

◼ Static RP
-> ip pim static-rp group_address/prefix_length rp_address [[no] override]
[priority priority]
◼ Interface
⚫ Designated Router (DR)
 Highest Priority value (default=1) –> Highest IP address
-> ip pimsm interface int_name dr-priority priority
⚫ Stub
 Specifies to not send any PIM packets via this interface, and to ignore received PIM packets
-> ip pimsm interface int_name stub
◼ SPT Switchover
⚫ Last hop DR switching to the SPT begins once the first data packet is received
-> ip pim spt status enable
◼ Source-specific (S, G) Join message
-> ip pim rp-threshold value (default=1)
 Specifies the data rate, in bits per second (bps), at which the RP will attempt to switch to native forwarding by issuing a source-
specific (S, G) Join message toward the source
PIM - Monitoring

-> show ip pim?
BSR
CANDIDATE-RP
CBSR
DENSE
GROUP-MAP
GROUTE
INTERFACE
NEIGHBOR
NOTIFICATIONS
SGROUTE
SPARSE
SSM
STATIC-RP

-> show ip pim sparse
Status = enabled,
Keepalive Period = 210,
Max RPs = 32,
Probe Time = 5,
Register Checksum = header,
Register Suppress Timeout = 60,
RP Threshold = 1000,
SPT Status = enabled

-> show ip pim dense
Status = enabled,
Source Lifetime = 210,
State Refresh Interval = 60,
State Refresh Limit Interval = 0,
State Refresh TTL = 16

-> show ip pim cbsr
CBSR Address = 192.168.3.1,
Status = enabled,
CBSR Priority = 0,
Hash Mask Length = 30,
Elected BSR = False,
Timer = 00h:00m:00s,

-> show ip pim candidate-rp

RP Address Group Address Priority Interval Status
----------------+-------------------+---------+---------+--------
192.168.10.1 225.0.0.101/32 192 60 enabled
PIM - Monitoring

-> show ip pim neighbor

Total 1 Neighbors

Neighbor Address Interface Name Uptime Expires DR Priority
-----------------+--------------------+-----------+-----------+-----------
192.168.3.2 vlan3 22h:52m:32s 00h:01m:44s 1

-> show ip pim group-map

Origin Group Address/Prefix RP Address Mode Precedence
-----------+---------------------+---------------+-----+-----------
Static RP 228.0.0.0/8 192.168.3.2 asm none
Static SSM 226.0.0.0/8 dm none
Static SSM 231.0.0.0/8 ssm none
RP-set
BSR 225.0.0.0/8 192.168.3.1 asm 20
BSR 225.0.0.0/8 192.168.3.2 asm 30

-> show ip pim ssm group

Group Address/Prefix RP Address Mode Override Precedence Status


--------------------+-----------+-----+--------+----------------------
231.0.0.0/8 0.0.0.0 ssm false none enabled
PIM - Monitoring

-> show ip pim groute

Total 1 (*,G)

Group Address RP Address RPF Interface Upstream Neighbor UpTime
---------------+--------------+-------------------+-------------------+----------
225.0.0.101 192.168.3.1 00h:12m:09s

-> show ip pim sgroute

Legend: Flags: D = Dense, S = Sparse, s = SSM Group,
L = Local, R = RPT, T = SPT, F = Register,
P = Pruned, O = Originator

Total 2 (S,G)

Source Address Group Address RPF Interface Upstream Neighbor UpTime Flags
---------------+---------------+----------------+-------------------+--------+--------
192.168.100.100 225.0.0.101 vlan100 00h:52m:21s STL
192.168.100.100 226.0.0.102 vlan100 00h:52m:21s DOL

-> show ip mroute

Total 2 Mroutes

Group Address Src Address Upstream Nbr Route Address Proto


---------------+------------------+---------------+-------------------+------
225.0.0.101 192.168.100.100/32 0.0.0.0 192.168.100.1/24 PIM-SM
226.0.0.102 192.168.100.100/32 0.0.0.0 192.168.100.0/24 PIM-DM
PIM - Monitoring

-> show ip pim groute 225.0.0.101
(*,225.0.0.101)
UpTime = 00h:32m:53s
RP Address = 192.168.3.1,
PIM Mode = ASM,
PIM Mode Origin = Static RP,
Upstream Join State = Not Joined,
Upstream Join Timer = 00h:00m:00s,
Upstream Neighbor = none,
Interface Specific State:
vlan3
UpTime = 00h:32m:53s,
Local Membership = False,
Join/Prune State = Joined,
Prune Pending Timer = 00h:00m:00s,
Join Expiry Timer = 00h:02m:37s,
Assert State = No Info,
Assert Timer = 00h:00m:00s,
vlan100
UpTime = 00h:00m:00s,
Local Membership = False,
Join/Prune State = No Info,
Prune Pending Timer = 00h:00m:00s,
Join Expiry Timer = 00h:00m:00s,
Assert State = No Info,
Assert Timer = 00h:00m:00s,

-> show ip pim sgroute 192.168.100.100 225.0.0.101
(192.168.100.100,225.0.0.101)
UpTime = 01h:15m:49s
PIM Mode = ASM,
Upstream Join State = Not Joined,
Upstream RPT State = Not Joined,
Upstream Join Timer = 00h:00m:00s,
Upstream Neighbor = none,
SPT Bit = True,
DR Register State = Pruned,
DR Register Stop Timer = 00h:00m:00s,
Interface Specific State:
vlan3
UpTime = 01h:15m:49s,
Local Membership = False,
Join/Prune State = Joined,
RPT State = No Info,
Prune Pending Timer = 00h:00m:00s,
Join Expiry Timer = 00h:02m:49s,
Assert State = No Info,
Assert Timer = 00h:00m:00s,
vlan100
UpTime = 00h:00m:00s,
Local Membership = False,
Join/Prune State = No Info,
RPT State = No Info,
Prune Pending Timer = 00h:00m:00s,
Join Expiry Timer = 00h:00m:00s,
Assert State = No Info,
Assert Timer = 00h:00m:00s,
OmniSwitch AOS R8
PIM-SM

How to
✓ This lab is designed to familiarize you with the PIM-SM capability on an
OmniSwitch.

Contents
1 Topology ........................................................................................ 2
2 PIM-SM Configuration ......................................................................... 4
2
PIM-SM

1 Topology

Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information
provided by unicast routing protocols such as RIP and OSPF. PIM is “protocol-independent” because it does
not rely on any particular unicast routing protocol.

- In the multicast switching lab, all requesting devices in the same VLAN received the multicast stream.
Now let’s move the receivers into different VLANs. This will require the multicast traffic to be routed in
order to reach each receiver. PIM-SM gives us the capability to route multicast traffic.

- A multicast router is an IGMP querier by default, so we can disable querier forwarding on both 6860 switches:

6860-A -> ip multicast querier-forwarding disable

6860-B -> ip multicast querier-forwarding disable

- Move client 8 back to VLAN 80:

sw8 (6860-B) -> vlan 80 members port 1/1/1 untagged

- On the 6900, check that OSPF still runs properly and that all client VLANs are reachable:

sw1 (6900-A) -> show ip routes

+ = Equal cost multipath routes


Total 24 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
0.0.0.0/0 192.168.100.108 1d 2h STATIC
10.0.0.51/32 192.168.100.108 1d 2h STATIC
127.0.0.1/32 127.0.0.1 4d 6h LOCAL
172.16.17.0/24 172.16.17.1 4d 2h LOCAL
172.16.18.0/24 172.16.18.1 3d23h LOCAL
172.16.78.0/24 +172.16.17.7 3d23h OSPF
+172.16.18.8 3d23h OSPF
172.16.137.0/24 172.16.17.7 1d 1h OSPF
192.168.20.0/24 172.16.17.7 1d 3h OSPF
192.168.30.0/24 172.16.18.8 1d 3h OSPF
192.168.57.0/24 +172.16.17.7 05:38:55 OSPF
+172.16.18.8 05:35:12 OSPF
192.168.60.0/24 172.16.17.7 1d 1h OSPF
192.168.70.0/24 172.16.17.7 1d 3h OSPF
192.168.80.0/24 172.16.18.8 00:01:50 OSPF
192.168.100.0/24 192.168.100.1 1d 2h LOCAL
192.168.110.0/24 192.168.110.1 00:48:00 LOCAL
192.168.120.0/24 192.168.120.1 4d 0h LOCAL
192.168.254.1/32 192.168.254.1 3d23h LOCAL
192.168.254.3/32 172.16.17.7 1d 1h OSPF
192.168.254.5/32 +172.16.17.7 23:28:17 OSPF
+172.16.18.8 23:25:41 OSPF
192.168.254.7/32 172.16.17.7 3d23h OSPF
192.168.254.8/32 172.16.18.8 3d23h OSPF

2 PIM-SM Configuration
- Enable PIM-SM in the core routers:

6900 -> ip load pim


6900 -> ip pim sparse admin-state enable

6860-A -> ip load pim


6860-A -> ip pim sparse admin-state enable

6860-B -> ip load pim


6860-B -> ip pim sparse admin-state enable

- Now, we must enable PIM-SM on the necessary interfaces.

6900 -> ip pim interface int_217


6900 -> ip pim interface int_218
6900 -> ip pim interface int_110
6900 -> ip pim cbsr 192.168.110.1

6860-A -> ip pim interface int_217


6860-A -> ip pim interface int_278
6860-A -> ip pim interface int_70
6860-A -> ip pim interface int_20
6860-A -> ip pim interface int_30
6860-A -> ip pim cbsr 192.168.70.7

6860-B -> ip pim interface int_218


6860-B -> ip pim interface int_278
6860-B -> ip pim interface int_80
6860-B -> ip pim interface int_20
6860-B -> ip pim interface int_30
6860-B -> ip pim cbsr 192.168.80.8

- Now, we must define a Candidate RP (C-RP) for each multicast group range:

6900 -> ip pim candidate-rp 192.168.110.1 231.1.1.0/24

6860-A -> ip pim candidate-rp 192.168.70.7 231.5.5.0/24


6860-A -> ip pim candidate-rp 192.168.70.7 231.7.7.0/24

6860-B -> ip pim candidate-rp 192.168.80.8 231.10.10.0/24


6860-B -> ip pim candidate-rp 192.168.80.8 231.8.8.0/24

- Check the PIM interface status on all 3 switches:

sw1 (6900-A) -> show ip pim interface

Total 3 Interfaces

                                                 Designated      Hello    J/P      Oper     BFD
Interface Name                   IP Address      Router          Interval Interval Status   Status
--------------------------------+---------------+---------------+--------+--------+--------+--------
int_217 172.16.17.1 172.16.17.7 30 60 enabled disabled
int_218 172.16.18.1 172.16.18.8 30 60 enabled disabled
int_110 192.168.110.1 192.168.110.1 30 60 enabled disabled

sw7 (6860-A) -> show ip pim interface

Total 5 Interfaces

                                                 Designated      Hello    J/P      Oper     BFD
Interface Name                   IP Address      Router          Interval Interval Status   Status
--------------------------------+---------------+---------------+--------+--------+--------+--------
int_70 192.168.70.7 192.168.70.7 30 60 enabled disabled
int_217 172.16.17.7 172.16.17.7 30 60 enabled disabled
int_20 192.168.20.7 192.168.20.8 30 60 enabled disabled
int_278 172.16.78.7 172.16.78.8 30 60 enabled disabled
int_30 192.168.30.7 192.168.30.8 30 60 enabled disabled

sw8 (6860-B) -> show ip pim interface

Total 5 Interfaces

                                                 Designated      Hello    J/P      Oper     BFD
Interface Name                   IP Address      Router          Interval Interval Status   Status
--------------------------------+---------------+---------------+--------+--------+--------+--------
int_278 172.16.78.8 172.16.78.8 30 60 enabled disabled
int_30 192.168.30.8 192.168.30.8 30 60 enabled disabled
int_80 192.168.80.8 192.168.80.8 30 60 disabled disabled
int_218 172.16.18.8 172.16.18.8 30 60 enabled disabled
int_20 192.168.20.8 192.168.20.8 30 60 enabled disabled
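
The three outputs above are easy to eyeball in a lab, but in a larger deployment a PIM interface left in Oper Status disabled (as int_80 on sw8 is here) or a DR or timer disagreement between the two ends of a segment is easy to miss. The following Python is an added example, not part of the original guide and not AOS code: it parses the data rows of show ip pim interface collected from several switches and cross-checks them. SAMPLE is the rows printed above, copied as shown. It assumes the lab's convention that both ends of a shared segment use the same interface name; with other naming a mapping would be needed instead.

```python
import re
from collections import defaultdict

# Constructed sample: the data rows of the three "show ip pim interface" outputs
# above, copied as printed (sw8's int_80 row really shows Oper Status disabled).
SAMPLE = {
    "sw1 (6900-A)": """
Total 3 Interfaces
int_217 172.16.17.1 172.16.17.7 30 60 enabled disabled
int_218 172.16.18.1 172.16.18.8 30 60 enabled disabled
int_110 192.168.110.1 192.168.110.1 30 60 enabled disabled
""",
    "sw7 (6860-A)": """
Total 5 Interfaces
int_70 192.168.70.7 192.168.70.7 30 60 enabled disabled
int_217 172.16.17.7 172.16.17.7 30 60 enabled disabled
int_20 192.168.20.7 192.168.20.8 30 60 enabled disabled
int_278 172.16.78.7 172.16.78.8 30 60 enabled disabled
int_30 192.168.30.7 192.168.30.8 30 60 enabled disabled
""",
    "sw8 (6860-B)": """
Total 5 Interfaces
int_278 172.16.78.8 172.16.78.8 30 60 enabled disabled
int_30 192.168.30.8 192.168.30.8 30 60 enabled disabled
int_80 192.168.80.8 192.168.80.8 30 60 disabled disabled
int_218 172.16.18.8 172.16.18.8 30 60 enabled disabled
int_20 192.168.20.8 192.168.20.8 30 60 enabled disabled
""",
}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Columns: name, IP address, designated router, hello, J/P, oper status, BFD status.
ROW = re.compile(rf"^(\S+)\s+({IPV4})\s+({IPV4})\s+(\d+)\s+(\d+)\s+(\w+)\s+(\w+)$")


def parse_pim_interfaces(text):
    """Return one dict per data row of 'show ip pim interface'; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, addr, dr, hello, jp, oper, bfd = m.groups()
            rows.append({"name": name, "addr": addr, "dr": dr, "hello": int(hello),
                         "jp": int(jp), "oper": oper, "bfd": bfd})
    return rows


def audit_pim_interfaces(outputs):
    """outputs: {switch label: show output}. Returns a list of findings (empty = clean).

    Assumes, as in this lab, that both ends of a shared segment use the same
    interface name; with other naming a mapping would be needed instead.
    """
    findings = []
    by_name = defaultdict(list)
    for switch, text in outputs.items():
        for row in parse_pim_interfaces(text):
            if row["oper"] != "enabled":
                findings.append(f"{switch}: {row['name']} PIM oper status is {row['oper']}")
            by_name[row["name"]].append((switch, row))
    for name, ends in by_name.items():
        if len(ends) < 2:
            continue  # a leaf VLAN interface has only one PIM router on it
        # Both ends must have elected the same DR, and it must be one of them.
        drs = {row["dr"] for _, row in ends}
        addrs = {row["addr"] for _, row in ends}
        if len(drs) > 1:
            who = ", ".join(f"{sw}={row['dr']}" for sw, row in ends)
            findings.append(f"{name}: DR mismatch across ends ({who})")
        elif not drs <= addrs:
            findings.append(f"{name}: DR {drs.pop()} is not an address of any known end")
        # Both ends should run the same hello and join/prune timers.
        for field, label in (("hello", "hello interval"), ("jp", "J/P interval")):
            values = {row[field] for _, row in ends}
            if len(values) > 1:
                who = ", ".join(f"{sw}={row[field]}" for sw, row in ends)
                findings.append(f"{name}: {label} mismatch across ends ({who})")
    return findings


if __name__ == "__main__":
    for finding in audit_pim_interfaces(SAMPLE) or ["no findings"]:
        print(finding)
```

Run against the rows above it reports only int_80 on sw8; the DR and timer checks pass because every shared segment (int_217, int_218, int_278, int_20, int_30) shows the same DR and the same 30/60 timers at both ends.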

- Check the PIM neighbors and the group-to-RP mapping:

sw1 (6900-A) -> show ip pim neighbor

Total 2 Neighbors

Neighbor Address  Interface Name                   Uptime         Expires        DR Priority
-----------------+--------------------------------+--------------+--------------+-----------
172.16.17.7 int_217 00h:06m:02s 00h:01m:43s 1
172.16.18.8 int_218 00h:05m:16s 00h:01m:29s 1

sw7 (6860-A) -> show ip pim neighbor

Total 4 Neighbors

Neighbor Address  Interface Name                   Uptime         Expires        DR Priority
-----------------+--------------------------------+--------------+--------------+-----------
172.16.17.1 int_217 00h:28m:15s 00h:01m:27s 1
192.168.20.8 int_20 00h:27m:07s 00h:01m:38s 1
172.16.78.8 int_278 00h:27m:23s 00h:01m:22s 1
192.168.30.8 int_30 00h:27m:02s 00h:01m:43s 1

sw8 (6860-B) -> show ip pim neighbor

Total 4 Neighbors

Neighbor Address  Interface Name                   Uptime         Expires        DR Priority
-----------------+--------------------------------+--------------+--------------+-----------
172.16.78.7 int_278 00h:27m:44s 00h:01m:43s 1
192.168.30.7 int_30 00h:27m:20s 00h:01m:32s 1
172.16.18.1 int_218 00h:27m:48s 00h:01m:40s 1
192.168.20.7 int_20 00h:27m:28s 00h:01m:28s 1

sw1 (6900-A) -> show ip pim group-map

Origin      Group Address/Prefix  RP Address      Mode  Precedence
-----------+---------------------+---------------+-----+-----------
BSR 231.1.1.0/24 192.168.110.1 asm 192
BSR 231.5.5.0/24 192.168.70.7 asm 192
BSR 231.7.7.0/24 192.168.70.7 asm 192
BSR 231.8.8.0/24 192.168.80.8 asm 192
BSR 231.10.10.0/24 192.168.80.8 asm 192

Origin      Group Address/Prefix  RP Address      Mode  Precedence
-----------+---------------------+---------------+-----+-----------

- Configure client 1, client 6 and client 9 to send and receive multicast traffic as indicated in the table below, using the multicast tool application on the desktop.

PC Client   Send                  Receive
Client 1    grps: 231.1.1.1       grps: 231.10.10.10
Client 6    grps: 231.10.10.10    grps: 231.5.5.5
Client 9    grps: 231.5.5.5       grps: 231.1.1.1

Example:

PC Client Send                          PC Client Receive
Client 6 (VLAN 30) grps: 231.10.10.10   Client 1 (VLAN 110) grps: 231.10.10.10

- Check the multicast routing table:

sw1 (6900-A) -> show ip pim sgroute

Legend: Flags: D = Dense, S = Sparse, s = SSM Group,
               L = Local, R = RPT, T = SPT, F = Register,
               P = Pruned, O = Originator

Total 1 (S,G)

Source Address  Group Address   RPF Interface                    Upstream Neighbor UpTime         Flags
---------------+---------------+--------------------------------+-----------------+--------------+--------
192.168.20.70 231.10.10.10 int_217 172.16.17.7 00h:00m:48s ST

sw7 (6860-A) -> show ip pim sgroute

Legend: Flags: D = Dense, S = Sparse, s = SSM Group,
               L = Local, R = RPT, T = SPT, F = Register,
               P = Pruned, O = Originator

Total 1 (S,G)

Source Address  Group Address   RPF Interface                    Upstream Neighbor UpTime         Flags
---------------+---------------+--------------------------------+-----------------+--------------+--------
192.168.20.70 231.10.10.10 int_20 192.168.20.8 00h:02m:18s ST

sw8 (6860-B) -> show ip pim sgroute

Legend: Flags: D = Dense, S = Sparse, s = SSM Group,
               L = Local, R = RPT, T = SPT, F = Register,
               P = Pruned, O = Originator

Total 1 (S,G)

Source Address  Group Address   RPF Interface                    Upstream Neighbor UpTime         Flags
---------------+---------------+--------------------------------+-----------------+--------------+--------
192.168.20.70 231.10.10.10 int_20 00h:00m:15s STL

- Do the same with clients 6 and 9:

PC Client   Send                  Receive
Client 1    grps: 231.1.1.1       grps: 231.10.10.10
Client 6    grps: 231.10.10.10    grps: 231.5.5.5
Client 9    grps: 231.5.5.5       grps: 231.1.1.1
OmniSwitch AOS R8

Ethernet Ring Protocol (ERP)

At the end of this presentation, you will be able to

◼ List & Identify the ERP concepts

◼ Summarize the ERP principle

◼ Identify a failure in the ERP Ring

◼ Explain the recovery process


Overview
◼ Protection switching mechanism
◼ Maintains a loop-free topology in a ring
◼ Fast recovery times (~50 ms)
◼ Dedicated protocol
⚫ APS (Automatic Protection Switching)
◼ AOS OmniSwitch supports ERPv2
◼ Works on single and multiple independent and laddered rings
[Figure: independent rings (Ring 1, Ring 2) and a laddered topology (Main Ring with a Sub-Ring)]
Concepts
◼ Ring Protection Link (RPL)
⚫ Link between 2 ring switches that is blocked to prevent a loop in the ring

◼ RPL Owner
⚫ Switch hosting the RPL Port
⚫ Blocks traffic on the RPL Port during normal ring operations

◼ R-APS (Ring-Automatic Protection Switching) Messages
⚫ Signal Fail (SF)
 Declared when a failed link or node is detected
⚫ No Request (NR)
 Declared when there are no outstanding conditions (ex. SF) on the node

◼ Service VLAN
⚫ Ring-wide VLAN used for transmission of R-APS messages

◼ Protected VLAN
⚫ VLAN(s) that is/are added to the ERP ring
⚫ ERP determines the forwarding state of protected VLAN(s)
Concepts
◼ 2 ring ports are identified in each switch
◼ 1 link in the ring is identified as the Ring Protection Link (RPL)
◼ One of the switches terminating the RPL is identified as RPL Owner
[Figure: ring with the RPL Owner, the RPL (Protection Link), the RPL port on the RPL Owner and normal ring ports]

Steady State (No Failure)
◼ R-APS message: NR (No Request), RB (RPL Blocked)
[Figure: RPL Owner with the RPL port blocked on the RPL Protection Link]
Ring Failure
◼ Failure! (Ring Mode: Protection)
⚫ Adjacent ports are blocked
⚫ Signal Fail (SF) R-APS messages are sent
⚫ RPL Owner unblocks RPL port
◼ Ring is in protection mode
[Figure: SF (Signal Fail) R-APS messages flow in both directions from the failed link; the RPL Owner has unblocked the RPL port]

Recovery
◼ Recovered Link
⚫ Adjacent nodes remove SF (Signal Failure) and send NR (No Request)
⚫ RPL Owner starts a Wait To Restore (WTR) timer (default: 5 minutes)
⚫ When WTR timer expires, RPL port is blocked
⚫ RPL Owner sends NR/RB (No Request/RPL Blocked)
⚫ Other nodes unblock their ring ports (Ring Mode: Idle)
[Figure: adjacent nodes send NR (No Request); after WTR expiry the RPL Owner sends NR/RB (No Request/RPL Blocked)]
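
The failure and recovery sequence on the three slides above (idle, protection, pending, back to idle) can be checked with a small model. The following Python is an added example written for this guide, not AOS code: it represents one ring as a list of nodes where node i and node i+1 share link i, applies the R-APS events described above, and verifies after each step that the forwarding topology is both loop-free and connected. The node names, the choice of link 0 as the RPL and link 2 as the one that fails are assumptions for illustration; the WTR value in lab_scenario mirrors the lab's wait-to-restore-timer 1 (minutes) instead of the 5-minute default.

```python
from collections import deque


class ErpRing:
    """Toy model of one G.8032 ring: nodes[i] and nodes[(i+1) % n] share link i.

    The RPL owner holds the port on link `rpl`. `blocked` is the set of links whose
    adjacent ring ports are blocked; `failed` is the set of links with a Signal Fail.
    """

    def __init__(self, nodes, rpl=0, wtr_minutes=5):
        if len(nodes) < 3:
            raise ValueError("a ring needs at least three nodes")
        self.nodes = list(nodes)
        self.rpl = rpl
        self.wtr_minutes = wtr_minutes
        self.blocked = {rpl}          # idle state: only the RPL is blocked
        self.failed = set()
        self.state = "idle"
        self.wtr_remaining = None
        self.last_raps = "NR,RB"      # what the RPL owner last announced

    def signal_fail(self, link):
        """Adjacent nodes detect SF and block the failed link; the owner unblocks the RPL."""
        self.failed.add(link)
        self.blocked.add(link)
        if link != self.rpl:
            self.blocked.discard(self.rpl)
        self.state = "protection"
        self.wtr_remaining = None
        self.last_raps = "SF"

    def signal_clear(self, link):
        """Link repaired: adjacent nodes send NR but keep the port blocked until NR,RB arrives."""
        self.failed.discard(link)
        if not self.failed and self.state == "protection":
            self.state = "pending"
            self.wtr_remaining = self.wtr_minutes
            self.last_raps = "NR"

    def tick(self, minutes=1):
        """Advance the WTR timer; on expiry the owner re-blocks the RPL and sends NR,RB."""
        if self.state != "pending":
            return
        self.wtr_remaining -= minutes
        if self.wtr_remaining <= 0:
            self.blocked = {self.rpl}  # other nodes unblock their ports on NR,RB
            self.wtr_remaining = None
            self.state = "idle"
            self.last_raps = "NR,RB"

    def forwarding_links(self):
        n = len(self.nodes)
        return [i for i in range(n) if i not in self.blocked and i not in self.failed]

    def is_loop_free(self):
        # A ring of n nodes loops if and only if all n links are forwarding.
        return len(self.forwarding_links()) < len(self.nodes)

    def is_connected(self):
        n = len(self.nodes)
        adj = {i: set() for i in range(n)}
        for link in self.forwarding_links():
            a, b = link, (link + 1) % n
            adj[a].add(b)
            adj[b].add(a)
        seen, queue = {0}, deque([0])
        while queue:
            for nxt in adj[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return len(seen) == n


def lab_scenario():
    """Replay the lab: 6900-A owns the RPL; link 2 (assumed) goes down and comes back."""
    ring = ErpRing(["6900-A", "6900-B", "6560-B", "6560-A"], rpl=0, wtr_minutes=1)
    trace = [("start", ring.state, ring.last_raps)]
    ring.signal_fail(2)
    trace.append(("link 2 down", ring.state, ring.last_raps))
    ring.signal_clear(2)
    trace.append(("link 2 up", ring.state, ring.last_raps))
    ring.tick(1)
    trace.append(("WTR expired", ring.state, ring.last_raps))
    return trace


if __name__ == "__main__":
    for event, state, raps in lab_scenario():
        print(f"{event:12} state={state:10} R-APS={raps}")
```

The invariant worth noticing is that a repaired link stays blocked during the pending state: if the adjacent nodes unblocked it as soon as the SF cleared, the ring would carry a loop until the RPL owner re-blocked the RPL. A second simultaneous failure keeps the ring loop-free but partitions it, which the model also shows.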


Laddered Rings (ERPv2)
◼ Laddered rings are composed of:
⚫ A Main ring
⚫ One or more Subtending ring(s)
◼ The Main ring is a fully closed ring (A-B-D-C-A)
◼ The Subtended ring does not include any shared links with the main ring
◼ The Main ring acts as a virtual channel to close the Subtended ring
⚫ R-APS messages are sent over the virtual channel using the S-tag (Service VLAN) of the subtended ring
[Figure: Main Ring (A-B-D-C-A) with a Subtended Ring attached to it]
ERP CONFIGURATION
ERP Configuration
◼ Step by Step
⚫ Create ERP Ring, Service VLAN & MEG Level
⚫ Configure the RPL Port
⚫ Add Protected VLAN(s)
⚫ Enable the ERP Ring

ERP Configuration
◼ Step by Step
⚫ Create ERP Ring, Service VLAN & MEG Level
 Create an ERP Ring
 Declare a Service VLAN
  For transmission of R-APS messages
 Define a MEG Level (Maintenance Entity Group)
  Value from 0 to 7
  Must be identical on all the switches belonging to the ERP Ring
[Figure: Ring 1 with SVLAN 1001 and MEG Level 1; four switches joined by ring ports 1/1, 1/2, 1/3 and 1/4]
ERP Configuration
◼ Step by Step
⚫ Configure the RPL Port
 The RPL port is unique in an ERP Ring
 Declared on one switch (= RPL Owner)
[Figure: same ring (SVLAN 1001, MEG Level 1); the RPL port is on the RPL Owner]
ERP Configuration
◼ Step by Step
⚫ Add Protected VLAN(s)
 VLAN that is added to the ERP ring
 ERP determines the forwarding state of protected VLANs
[Figure: same ring with protected VLANs 2 and 3 added]
⚫ Enable the ERP Ring
 Administratively activate the ERP Ring (erp-ring <ringId> enable)
OmniSwitch AOS R8

Ethernet Ring Protection

How to
✓ Create an ERP Ring and check its behavior

Contents
1 Topology ........................................................................................ 2
2 Create a user-defined directory labERP .................................................. 3
3 Configure ERPv2 ring ......................................................................... 3
3.1. Configure VLANs on the switches ................................................................ 3
3.2. Configure the ERP on all switches................................................................ 4
3.3. Make the physical connections according to the lab diagram ................................ 5
3.4. Check the ERP Ring 1 setup by performing some show commands. ......................... 5
4 Lab Check ...................................................................................... 7
4.1. Connect clients to switches ....................................................................... 7
4.2. Test the feature .................................................................................... 7

1 Topology
Ethernet Ring Protection (ERP) is a protection switching mechanism for Ethernet ring topologies, such as
multi-ring and ladder networks. This implementation of ERP uses the Automatic Protection Switching (APS)
protocol to coordinate the prevention of network loops within a bridged Ethernet ring.

- For this lab, we will build an ERP ring made of the two 6560s and the two 6900s.
Notes
We are going to create a user-defined directory called "labERP" and boot the switches from it for this lab.
At the end of the lab, we are going to reload from the working directory to retrieve the initial configuration.

2 Create a user-defined directory labERP

- Create a user-defined directory "labERP" and boot the switches from it.
- Type the following to create the directory, copy the contents of the labinit directory to it, reload from it and, once the switch boots, verify that it booted from the "labERP" directory:

sw1 (6900-A) -> mkdir labERP
sw1 (6900-A) -> cp labinit/*.* labERP
sw1 (6900-A) -> ls labERP
sw1 (6900-A) -> reload from labERP no rollback-timeout
Confirm Activate (Y/N): y
sw1 (6900-A) -> show running-directory

sw2 (6900-B) -> mkdir labERP
sw2 (6900-B) -> cp labinit/*.* labERP
sw2 (6900-B) -> ls labERP
sw2 (6900-B) -> reload from labERP no rollback-timeout
Confirm Activate (Y/N): y
sw2 (6900-B) -> show running-directory

sw3 (6560-A) -> mkdir labERP
sw3 (6560-A) -> cp labinit/*.* labERP
sw3 (6560-A) -> ls labERP
sw3 (6560-A) -> reload from labERP no rollback-timeout
Confirm Activate (Y/N): y
sw3 (6560-A) -> show running-directory

sw4 (6560-B) -> mkdir labERP
sw4 (6560-B) -> cp labinit/*.* labERP
sw4 (6560-B) -> ls labERP
sw4 (6560-B) -> reload from labERP no rollback-timeout
Confirm Activate (Y/N): y
sw4 (6560-B) -> show running-directory

3 Configure ERPv2 ring

3.1. Configure VLANs on the switches


- On each node belonging to the ERP ring, configure VLAN 50 and VLAN 60:

sw3 (6560-A) -> vlan 50 name "Ring1"
sw3 (6560-A) -> vlan 60 name "subnet60"

sw4 (6560-B) -> vlan 50 name "Ring1"
sw4 (6560-B) -> vlan 60 name "subnet60"

sw1 (6900-A) -> vlan 50 name "Ring1"
sw1 (6900-A) -> vlan 60 name "subnet60"

sw2 (6900-B) -> vlan 50 name "Ring1"
sw2 (6900-B) -> vlan 60 name "subnet60"

Notes: VLAN 50 is the Service VLAN for ERP Ring 1, VLAN 60 is a Protected VLAN.
Service VLAN is used for the transmission and reception of R-APS Channel (tagged R-APS
messages) and the ETH CCM (tagged CCM) for a given ring.

- On 6900-A, tag VLAN 50 to the assigned ring ports 1/1/3 and 1/2/1:
sw1 (6900-A) -> vlan 50 members port 1/1/3 tagged
sw1 (6900-A) -> vlan 50 members port 1/2/1 tagged

- On 6900-B tag VLAN 50 to the assigned ring ports 1/1/3 and 1/2/1:
sw2 (6900-B) -> vlan 50 members port 1/1/3 tagged
sw2 (6900-B) -> vlan 50 members port 1/2/1 tagged

- On 6560-A tag VLAN 50 to the assigned ring ports 1/1/3 and 1/1/25:
sw3 (6560-A) -> vlan 50 members port 1/1/3 tagged
sw3 (6560-A) -> vlan 50 members port 1/1/25 tagged

- On 6560-B tag VLAN 50 to the assigned ring ports 1/1/3 and 1/1/25:
sw4 (6560-B) -> vlan 50 members port 1/1/3 tagged
sw4 (6560-B) -> vlan 50 members port 1/1/25 tagged

- On 6900-A set VLAN 60 as port default for the assigned ring ports 1/1/3 and 1/2/1:
sw1 (6900-A) -> vlan 60 members port 1/1/3 untagged
sw1 (6900-A) -> vlan 60 members port 1/2/1 untagged

- On 6900-B set VLAN 60 as port default for the assigned ring ports 1/1/3 and 1/2/1:
sw2 (6900-B) -> vlan 60 members port 1/1/3 untagged
sw2 (6900-B) -> vlan 60 members port 1/2/1 untagged

- On 6560-A set VLAN 60 as port default for the assigned ring ports 1/1/3 and 1/1/25:
sw3 (6560-A) -> vlan 60 members port 1/1/3 untagged
sw3 (6560-A) -> vlan 60 members port 1/1/25 untagged

- On 6560-B set VLAN 60 as port default for the assigned ring ports 1/1/3 and 1/1/25:
sw4 (6560-B) -> vlan 60 members port 1/1/3 untagged
sw4 (6560-B) -> vlan 60 members port 1/1/25 untagged

3.2. Configure the ERP on all switches.

The RPL owner will be switch 1 in this ring.
Notes
One of the nodes in the ERP ring must be configured as the RPL node (RPL owner); this node is responsible for blocking and unblocking the ring on link failure and recovery. The RPL port can be a physical or logical port, but only one of the two ring ports can be configured as the RPL port. The RPL node can be configured only on a pre-existing, disabled ring.
The absence of an RPL node, or the existence of multiple RPL nodes, is an incorrect configuration.
When a ring port is configured as the RPL port, the node to which the port belongs becomes the RPL owner.

- On 6900-A, configure the ERP as follows:


sw1 (6900-A) -> erp-ring 1 port1 1/1/3 port2 1/2/1 service-vlan 50 level 2
sw1 (6900-A) -> erp-ring 1 rpl-node port 1/1/3
sw1 (6900-A) -> erp-ring 1 wait-to-restore-timer 1
sw1 (6900-A) -> erp-ring 1 enable

- On 6900-B, configure the ERP as follows:


sw2 (6900-B) -> erp-ring 1 port1 1/1/3 port2 1/2/1 service-vlan 50 level 2
sw2 (6900-B) -> erp-ring 1 enable

- On 6560-A, configure the ERP as follows:


sw3 (6560-A) -> erp-ring 1 port1 1/1/3 port2 1/1/25 service-vlan 50 level 2
sw3 (6560-A) -> erp-ring 1 enable

- On 6560-B, configure the ERP as follows:


sw4 (6560-B) -> erp-ring 1 port1 1/1/3 port2 1/1/25 service-vlan 50 level 2
sw4 (6560-B) -> erp-ring 1 enable

Notes
- For ERP Ring 1, the RPL owner is switch 6900-A. Each ring must have its own RPL
- Mandatory parameters for ring creation are a unique ring ID, two physical or logical ports, Service
VLAN and MEG level.
- The maximum number of rings per node that can be created depends on switch model (refer to the
latest AOS Network Configuration guide)
- A maximum number of 16 nodes per ring is recommended.
- Physical switch ports and logical link aggregate ports can be configured as ERP ring ports.

3.3. Make the physical connections according to the lab diagram

- On 6900-A, activate interfaces:


sw1 (6900-A) -> interfaces 1/1/3 admin-state enable
sw1 (6900-A) -> interfaces 1/2/1 admin-state enable
sw1 (6900-A) -> write memory

- On 6900-B, activate interfaces:


sw2 (6900-B) -> interfaces 1/1/3 admin-state enable
sw2 (6900-B) -> interfaces 1/2/1 admin-state enable
sw2 (6900-B) -> write memory

- On 6560-A, activate interfaces:


sw3 (6560-A) -> interfaces 1/1/3 admin-state enable
sw3 (6560-A) -> interfaces 1/1/25 admin-state enable
sw3 (6560-A) -> write memory

- On 6560-B, activate interfaces:


sw4 (6560-B) -> interfaces 1/1/3 admin-state enable
sw4 (6560-B) -> interfaces 1/1/25 admin-state enable
sw4 (6560-B) -> write memory

3.4. Check the ERP Ring 1 setup by performing some show commands.
- On all nodes, check the ERP setup:

-> show erp
-> show erp {<chassis/slot/port> | <chassis/slot/port/subport> | linkagg <aggId>}
-> show erp statistics
-> show erp statistics ring <ringId>
-> show erp statistics ring <ringId> {<chassis/slot/port> | <chassis/slot/port/subport> | linkagg <aggId>}
-> clear erp statistics
-> clear erp statistics ring <ringId>
-> clear erp statistics ring <ringId> {<chassis/slot/port> | <chassis/slot/port/subport> | linkagg <aggId>}

- Example:

sw1 (6900-A) -> show erp

Legends: WTR - Wait To Restore
         MEG - Maintenance Entity Group

Ring       Ring    Ring    Ring      Serv  WTR   Guard MEG   Ring        Ring     Ring     Remote
ID         Port1   Port2   Status    VLAN  Timer Timer Level State       Node     Profile  System ID
                                           (min) (csec)
----------+-------+-------+---------+-----+-----+-----+-----+-----------+--------+--------+---------------
1 1/1/3 1/2/1 enabled 50 1 50 2 idle rpl N/A N/A

Total number of rings configured = 1

sw2 (6900-B) -> show erp

Legends: WTR - Wait To Restore
         MEG - Maintenance Entity Group

Ring       Ring    Ring    Ring      Serv  WTR   Guard MEG   Ring        Ring     Ring     Remote
ID         Port1   Port2   Status    VLAN  Timer Timer Level State       Node     Profile  System ID
                                           (min) (csec)
----------+-------+-------+---------+-----+-----+-----+-----+-----------+--------+--------+---------------
1 1/1/3 1/2/1 enabled 50 5 50 2 idle non-rpl N/A N/A

Total number of rings configured = 1

Notes
ERP Ring States:
- idle: the RPL port is blocking, indicating that the topology is stable; the node is operating normally.
- protection: entered on link failure, NI down, or node down of an ERP node. The RPL port is now forwarding and the ring is said to be protected.
- pending: the node is recovering from a failure. While a node is in the pending state the WTR timer is running; all nodes stay in the pending state until the WTR timer expires.
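
The notes above and in 3.2 give the invariants a correctly built ring must satisfy: exactly one RPL owner, the same Service VLAN and MEG level on every node, every node enabled and, once stable, in the idle state. The following Python is an added example, not AOS code and not part of the original lab: it parses the data row of show erp from each node and reports any violation. The sw1 and sw2 rows in SAMPLE are the ones printed above; the sw3 and sw4 rows are constructed to match the configuration in 3.2 (ring ports 1/1/3 and 1/1/25, default WTR of 5 minutes). Port columns are kept as strings because AOS prints a linkagg ring port as a plain aggregate ID.

```python
import re

# One data row per ring in "show erp", columns in the order printed above.
FIELDS = ("ring", "port1", "port2", "status", "svlan", "wtr_min", "guard_csec",
          "meg_level", "state", "node", "profile", "remote_id")
RING_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+(enabled|disabled)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample: sw1/sw2 rows as printed above, sw3/sw4 rows built from the 3.2 config.
SAMPLE = {
    "sw1 (6900-A)": "1 1/1/3 1/2/1 enabled 50 1 50 2 idle rpl N/A N/A\n"
                    "Total number of rings configured = 1",
    "sw2 (6900-B)": "1 1/1/3 1/2/1 enabled 50 5 50 2 idle non-rpl N/A N/A\n"
                    "Total number of rings configured = 1",
    "sw3 (6560-A)": "1 1/1/3 1/1/25 enabled 50 5 50 2 idle non-rpl N/A N/A\n"
                    "Total number of rings configured = 1",
    "sw4 (6560-B)": "1 1/1/3 1/1/25 enabled 50 5 50 2 idle non-rpl N/A N/A\n"
                    "Total number of rings configured = 1",
}


def parse_show_erp(text):
    """Return one dict per ring row in a 'show erp' output; headers and totals are skipped."""
    rings = []
    for line in text.splitlines():
        m = RING_ROW.match(line.strip())
        if m:
            row = dict(zip(FIELDS, m.groups()))
            for key in ("ring", "svlan", "wtr_min", "guard_csec", "meg_level"):
                row[key] = int(row[key])
            rings.append(row)
    return rings


def validate_ring(outputs, ring_id):
    """outputs: {switch label: show erp text}. Returns a list of findings (empty = consistent)."""
    findings, members = [], {}
    for switch, text in outputs.items():
        rows = [r for r in parse_show_erp(text) if r["ring"] == ring_id]
        if len(rows) != 1:
            findings.append(f"{switch}: ring {ring_id} found {len(rows)} times (expected once)")
            continue
        members[switch] = rows[0]
    if not members:
        return findings + [f"ring {ring_id}: no member node found"]
    # Exactly one node may own the RPL; none or several is a misconfiguration.
    owners = [sw for sw, r in members.items() if r["node"] == "rpl"]
    if len(owners) != 1:
        findings.append(f"ring {ring_id}: expected exactly one RPL owner, found {len(owners)}"
                        f" ({', '.join(owners) or 'none'})")
    # Service VLAN and MEG level must be identical on every node of the ring.
    for field in ("svlan", "meg_level"):
        values = {r[field] for r in members.values()}
        if len(values) > 1:
            who = ", ".join(f"{sw}={r[field]}" for sw, r in members.items())
            findings.append(f"ring {ring_id}: {field} differs across nodes ({who})")
    for switch, r in members.items():
        if r["status"] != "enabled":
            findings.append(f"{switch}: ring {ring_id} is {r['status']}")
        if r["state"] != "idle":
            findings.append(f"{switch}: ring {ring_id} state is {r['state']}, not idle")
        if r["port1"] == r["port2"]:
            findings.append(f"{switch}: ring {ring_id} uses the same port twice ({r['port1']})")
    if len(members) > 16:
        findings.append(f"ring {ring_id}: {len(members)} nodes exceeds the recommended maximum of 16")
    return findings


if __name__ == "__main__":
    for finding in validate_ring(SAMPLE, 1) or ["ring 1 consistent"]:
        print(finding)
```

A ring in the protection or pending state is reported as a finding on purpose: the validator is meant for the steady-state check in 3.4, and a non-idle state there means a link or node is down or the WTR timer has not yet expired.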

4 Lab Check

4.1. Connect clients to switches

- Client 1:

Assign IP address 192.168.60.1/24

- On 6900-A:

sw1 (6900-A) -> vlan 60 members port 1/1/1 untagged


sw1 (6900-A) -> interfaces 1/1/1 admin-state enable
sw1 (6900-A) -> write memory

- Client 2:

Assign IP address 192.168.60.2/24

- On 6900-B:

sw2 (6900-B) -> vlan 60 members port 1/1/1 untagged


sw2 (6900-B) -> interfaces 1/1/1 admin-state enable
sw2 (6900-B) -> write memory

- Client 3:

Assign IP address 192.168.60.3/24

- On 6560-A:

sw3 (6560-A) -> vlan 60 members port 1/1/1 untagged


sw3 (6560-A) -> interfaces 1/1/1 admin-state enable
sw3 (6560-A) -> write memory

- Client 4:

Assign IP address 192.168.60.4/24

- On 6560-B:

sw4 (6560-B) -> vlan 60 members port 1/1/1 untagged
sw4 (6560-B) -> interfaces 1/1/1 admin-state enable
sw4 (6560-B) -> write memory

- Ping each other to test connection between them.

4.2. Test the feature

- Launch a continuous ping running between client 1 and 2.



- Then disconnect (disable) a link in ERP Ring 1.

sw3 (6560-A) -> interfaces 1/1/3 admin-state disable

- Check the status of the ERP ring.


What happens?
.................................................................................................................
.................................................................................................................
.................................................................................................................

- Re-connect (enable) the link in ERP Ring 1. Check status of ERP ring. What happens?

sw3 (6560-A) -> interfaces 1/1/3 admin-state enable

.................................................................................................................
.................................................................................................................
.................................................................................................................

- At the end of this lab, restore the four switches to their initial configuration by reloading them from the working directory:

sw1 (6900-A) -> rm -r labERP


sw1 (6900-A) -> reload from working no rollback-timeout

sw2 (6900-B) -> rm -r labERP


sw2 (6900-B) -> reload from working no rollback-timeout

sw3 (6560-A) -> rm -r labERP


sw3 (6560-A) -> reload from working no rollback-timeout

sw4 (6560-B) -> rm -r labERP


sw4 (6560-B) -> reload from working no rollback-timeout
AOS OmniSwitch R8

MACsec
Lesson Summary

At the end of this presentation, you will be able to

◼ Understand the MACsec standard
◼ List AOS switches which support MACsec
◼ Configure and monitor MACsec on OmniSwitch
⚫ Static mode
⚫ Dynamic mode
◼ Know software limitations


MACSEC - OVERVIEW
MACsec overview
◼ GOAL
⚫ Prevents DoS, man-in-the-middle and replay attacks, intrusion, wire-tapping, masquerading, etc.
⚫ Secures most of the traffic on Ethernet links: LLDP frames, LACP frames, DHCP/ARP packets, etc.
◼ FUNCTIONALITIES
⚫ IEEE 802.1AE standard that provides encryption and packet authentication to IEEE 802.1 frames
⚫ Point-to-point security on Ethernet links between directly connected nodes (data integrity and confidentiality)
⚫ MACsec-enabled links are secured by matching security keys
◼ AVAILABLE MODES
⚫ Static SA Mode – Switch-to-Switch links
⚫ Dynamic SA Mode –
 Switch-to-Switch links
 Switch-to-Host links (using EAP)
[Figure: Switch A and Switch B with MACsec enabled, in static or dynamic SA mode; a host connected to a switch in dynamic (MACsec) mode using EAP]
MACsec overview
◼ PACKET STRUCTURE
⚫ MACsec-specific EtherType (0x88E5)
⚫ 8-byte or 16-byte SecTAG header containing information about the decryption key, a packet number and the Secure Channel Identifier
⚫ Payload (which may be optionally encrypted)
⚫ Integrity Check Value (ICV) generated by GCM-AES, 16 bytes in size
⚫ Packets are numbered to avoid replay
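
The packet layout on this slide is what a receiving port sees before it has verified anything, so decoding it correctly and applying the packet-number replay check are the first two steps of the receive path. The following Python is an added example written for this guide, not code from ALE or from any MACsec implementation: it decodes a SecTAG (EtherType 0x88E5, TCI/AN, SL, PN and the optional 8-byte SCI) from a constructed frame and implements the IEEE 802.1AE replay window on the PN. The MAC addresses, SCI and payload are constructed test values; the ICV is left as zero bytes because computing it requires the SAK and an AES-GCM library, so the parser only locates it and does not verify it.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES-128 and GCM-AES-256 both produce a 16-byte ICV

# TCI bits in the first SecTAG octet (IEEE 802.1AE clause 9.5); the low two bits are the AN.
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04

# Constructed test values (not from any capture).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("00aabbccddee")
SCI = SRC + b"\x00\x01"               # SCI = transmitting MAC || port identifier
PAYLOAD = b"constructed secure data"   # 23 bytes, so SL is set (< 48)


def parse_sectag(frame, offset=12):
    """Parse the SecTAG starting at `offset` (12 for an untagged Ethernet header).

    Returns the decoded TCI/AN fields, PN, optional SCI, and the byte ranges of the
    secure data and the ICV. Nothing here verifies the ICV: that needs the SAK.
    """
    if len(frame) < offset + 8 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and an ICV")
    ethertype, tci_an, sl = struct.unpack_from("!HBB", frame, offset)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{ethertype:04X})")
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    (pn,) = struct.unpack_from("!I", frame, offset + 4)
    if pn == 0:
        raise ValueError("PN 0 is never transmitted; frame is invalid")
    sc_present = bool(tci_an & TCI_SC)
    sectag_len = 16 if sc_present else 8
    sci = frame[offset + 8:offset + 16] if sc_present else None
    data_start = offset + sectag_len
    icv_start = len(frame) - ICV_LEN
    short_len = sl & 0x3F  # non-zero only when the secure data is shorter than 48 octets
    if short_len and icv_start - data_start != short_len:
        raise ValueError("short length field does not match the secure data length")
    return {
        "an": tci_an & 0x03,
        "end_station": bool(tci_an & TCI_ES),
        "sci_present": sc_present,
        "single_copy_broadcast": bool(tci_an & TCI_SCB),
        "encrypted": bool(tci_an & TCI_E),
        "changed_text": bool(tci_an & TCI_C),
        "pn": pn,
        "sci": sci,
        "sectag_len": sectag_len,
        "secure_data": frame[data_start:icv_start],
        "icv": frame[icv_start:],
    }


class ReplayWindow:
    """Receive-side replay check of one secure association (IEEE 802.1AE clause 10.6).

    With replay_window == 0 (strict) every accepted PN must be higher than the last one.
    A non-zero window tolerates reordering: a frame is accepted if PN >= next_pn - window,
    which also means a duplicate inside the window is not detected by this check alone.
    """

    def __init__(self, replay_window=0):
        self.replay_window = replay_window
        self.next_pn = 1  # nextPN in the standard: lowest PN not yet seen

    def accept(self, pn):
        lowest_acceptable = max(1, self.next_pn - self.replay_window)
        if pn < lowest_acceptable:
            return False
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return True


def build_frame(dst, src, an, pn, payload, sci=None, encrypted=True):
    """Build a constructed MACsec frame; the ICV is a zero placeholder, not a real GCM tag."""
    tci_an = an & 0x03
    if sci is not None:
        tci_an |= TCI_SC
    if encrypted:
        tci_an |= TCI_E | TCI_C
    sl = len(payload) if len(payload) < 48 else 0
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + (sci or b"")
    return dst + src + sectag + payload + b"\x00" * ICV_LEN


if __name__ == "__main__":
    tag = parse_sectag(build_frame(DST, SRC, an=1, pn=5, payload=PAYLOAD, sci=SCI))
    print({k: v for k, v in tag.items() if k not in ("secure_data", "icv")})
```

The SCI is only carried in the SecTAG when the SC bit is set; on a point-to-point link the peer can derive it from the source MAC and an implied port identifier, which is why an 8-byte SecTAG is legal. A frame whose EtherType is not 0x88E5 on a port configured for MACsec is the classic downgrade case and should be dropped, not passed through.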
MACsec overview
◼ HOW IT WORKS
⚫ Each node has at least one transmit and one receive secure channel
⚫ Each is associated with a Secure Channel Identifier (SCI)
⚫ The receive secure channel must match an SCI corresponding to the SCI of the transmit secure channel of the peer
⚫ Within each secure channel, secure associations (SA) are defined
⚫ The SAs hold the encryption keys (SAK – Secure Association Key) identified by their association number (AN), along with a packet number (PN)
[Figure: Switch A port 1/1/25 (sci-tx key-chain 1, sci-rx key-chain 2) linked to Switch B port 1/1/26 (sci-tx key-chain 2, sci-rx key-chain 1); Key-Chain 1 holds key1 and key2, Key-Chain 2 holds key3 and key4]
AOS SWITCHES – MACSEC SUPPORT
MACsec overview
◼ AOS Switches – MACsec support

AOS Switches          Port Types
OS6465-P6 and P12     MACsec is supported on all ports
OS6860(E)             10G ports on all E/non-E models
OS6860E-P24Z8/P24     1G/10G ports (not supported on 2.5G ports)
6900-X48C4E           MACsec is supported on all ports
OS9900                Supported modules: OS99-CMM (4X10G mode only), OS99-GNI-48/P48, OS99-XNI48/P48/U48, P48Z16

AOS Switches     6560-P24X4/24X4   6560-P48X4/48X4   6560-P48Z16         6560-X10
Static Mode      Ports 1-24        1-48              Ports 1-32
Dynamic Mode     Ports 1-24        1-52              Ports 1-48/49-52    Ports 1-8
MACSEC – CONFIGURATION
MACsec Configuration
◼ MACsec Mode Static SAK – Management steps
⚫ Get or generate random keys
⚫ Create security keys (both switches)
⚫ Create key-chain (both switches)
⚫ Associate security key to key-chain (both switches)
⚫ Configure sci-tx/sci-rx for a port with the key-chain, enable the "encryption" option if required, and enable MACsec for the port (both switches)
[Figure: Switch A and Switch B in Static SA Mode; up to 4 manually configured SA keys are used to secure traffic on the point-to-point link between the two nodes]
MACsec Configuration
◼ MACsec Mode Dynamic (Using PSK) – how it works
⚫ Secure Channel (SCI-TX/SCI-RX) and Secure Association Key (SAK) are exchanged between MACsec-connected links dynamically using MKA (MACsec Key Agreement protocol)
⚫ MKA (IEEE 802.1X-2010) provides the required session keys and manages the required encryption keys used by the underlying MACsec protocol
⚫ The MKA protocol selects one of the nodes as the key server, which creates a dynamic SAK and shares it with the node at the other end over the secure channel
⚫ Once the other end also creates this dynamic SA key, subsequent traffic is secured using the new SA
⚫ Two keys are used to secure the point-to-point Ethernet link
 A connectivity association key (CAK) that secures control plane traffic
 A randomly-generated secure association key (SAK) that secures data plane traffic
[Figure: Switch A and Switch B connected by a MACsec link]
MACsec Configuration
◼ MACsec Mode Dynamic (Using PSK) – Management steps
⚫ A matching pre-shared key is configured on both switches, which triggers the MKA protocol to negotiate the cipher suite and generate the necessary key (SAK) for authentication and encryption
⚫ Get random keys (pre-shared key)
⚫ Create security keys
⚫ Create key-chain
⚫ Associate security key to key-chain
⚫ Configure dynamic mode for the port with the key-chain, enable the "encryption" option if required, and enable MACsec for the port
MACsec Configuration
◼ MACsec Mode Dynamic (Using EAP) – how it works

⚫ IEEE 802.1X authenticates the endpoint and transmits the necessary cryptographic keying material to both sides
⚫ The endpoint undergoes authentication; the switch relays the RADIUS server response and extracts the master key from it to program the connected port

CAK: the CAK is delivered in the RADIUS vendor-specific attributes (VSAs) MS-MPPE-Send-Key and MS-MPPE-Recv-Key.

The host must support MACsec and must run software that allows a MACsec-secured connection with the switch to be enabled.
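
The two VSAs named on this slide carry the keying material the switch programs as the CAK, and on the wire they are protected only by the RFC 2548 obfuscation keyed with the RADIUS shared secret and the Access-Request authenticator. The following Python is an added example, not ALE code: it implements that encoding (RFC 2548 section 2.4.2), wraps the result in a RADIUS Vendor-Specific attribute for Microsoft vendor ID 311 (vendor type 16 is MS-MPPE-Send-Key, 17 is MS-MPPE-Recv-Key) and decrypts it back, using a constructed 32-byte key, shared secret, salt and authenticator. Which of the two keys a given switch takes as the CAK, and how the EAP master session key is split into them, is implementation-specific and not shown.

```python
import hashlib

MS_VENDOR_ID = 311
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17
VENDOR_SPECIFIC = 26

# Constructed test values: a 32-byte key (the size used for a 256-bit CAK), a RADIUS
# shared secret, a 16-byte request authenticator and a salt with the high bit set.
CAK = bytes(range(0x10, 0x30))
SECRET = b"radius-shared-secret"
AUTHENTICATOR = bytes(range(16))
SALT = b"\x80\x2a"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_encrypt(key, secret, authenticator, salt):
    """RFC 2548 2.4.2: encrypt a key into an MS-MPPE-*-Key value (salt || ciphertext).

    P = len(key) || key || zero padding to a multiple of 16 octets.
    c(1) = p(1) xor MD5(secret || authenticator || salt); c(i) = p(i) xor MD5(secret || c(i-1)).
    """
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    if len(authenticator) != 16:
        raise ValueError("request authenticator must be 16 octets")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", None
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + authenticator + salt).digest() if prev is None \
            else hashlib.md5(secret + prev).digest()
        prev = _xor(plain[i:i + 16], b)
        out += prev
    return salt + out


def mppe_decrypt(value, secret, authenticator):
    """Inverse of mppe_encrypt; raises ValueError on malformed input or a bad length byte."""
    salt, cipher = value[:2], value[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    plain, prev = b"", None
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        b = hashlib.md5(secret + authenticator + salt).digest() if prev is None \
            else hashlib.md5(secret + prev).digest()
        plain += _xor(block, b)
        prev = block
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise ValueError("key length byte inconsistent with attribute size (wrong secret?)")
    return plain[1:1 + key_len]


def build_ms_vsa(vendor_type, value):
    """Wrap a value in RADIUS attribute 26 (Vendor-Specific) for Microsoft vendor ID 311."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    body = MS_VENDOR_ID.to_bytes(4, "big") + inner
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a single RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def parse_ms_vsa(attr):
    """Return (vendor_type, value) from a Microsoft VSA, checking both length fields."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if int.from_bytes(attr[2:6], "big") != MS_VENDOR_ID:
        raise ValueError("not a Microsoft vendor-specific attribute")
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6:
        raise ValueError("vendor length does not match attribute length")
    return vendor_type, attr[8:]


if __name__ == "__main__":
    vsa = build_ms_vsa(MS_MPPE_RECV_KEY, mppe_encrypt(CAK, SECRET, AUTHENTICATOR, SALT))
    vendor_type, value = parse_ms_vsa(vsa)
    print(vendor_type, mppe_decrypt(value, SECRET, AUTHENTICATOR) == CAK)
```

The practical consequence for the EAP mode is that the MACsec CAK is exactly as confidential as the RADIUS shared secret and the path between switch and server: the construction is MD5-based and keyed with a static secret, so anyone who can read the RADIUS exchange and knows or guesses the secret recovers the key. Protecting that path with RadSec (RADIUS over TLS) or IPsec is therefore part of the MACsec deployment, not an optional extra.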
MACsec Configuration
◼ MACsec Mode Dynamic (Using EAP) – Management steps
⚫ Enable MACsec for the port to use EAP
⚫ Enable UNP on the port
⚫ Create the necessary UNP profile for learning the supplicant
⚫ Configure the RADIUS server used for 802.1X authentication
⚫ If successful, RADIUS authentication returns the UNP profile "employee", which maps the VLAN
Monitoring commands
◼ Show commands
⚫ show interfaces capability
⚫ show configuration snapshot macsec
⚫ show interfaces macsec [<chassis>/<slot>/<port1>[-<port2>]]
⚫ show interfaces macsec static [<chassis>/<slot>/<port>[-<port2>]]
⚫ show interfaces macsec dynamic [<chassis>/<slot>/<port>[-<port2>]]
⚫ show interfaces macsec dynamic details [<chassis>/<slot>/<port>[-<port2>]]
⚫ show interfaces macsec statistics [<chassis>/<slot>/<port>]
OmniSwitch AOS R8
Macsec

How to
✓ This lab is designed to familiarize you with the MACsec feature

Contents
1 Overview ....................................................................................... 3
2 Topology ........................................................................................ 3
3 Prerequisite .................................................................................... 4
3.1. Initialize both switches ............................................................................ 4
3.2. Check available port for MACsec capability .................................................... 4
3.3. Check available licence MACsec capability ..................................................... 5
3.4. Implement a link between switches ............................................................. 5
4 Static SA Mode – Switch-to-Switch links.................................................... 6
4.1. Configure the keys and keychains ................................................................ 6
4.2. Configure keys and keychain and associate them in both switches ......................... 6
4.2.1. Create security keys ....................................................................................... 6
4.2.2. Create key-chain ........................................................................................... 7
4.2.3. Associate security key to key-chain ...................................................................... 7
4.3. Configure sci-tx/sci-rx for a port ................................................................ 7
4.4. Monitor Macsec implementation ................................................................. 7
4.5. Remove MACsec configuration .................................................................... 8


5 Dynamic SA Mode – Switch-to-Switch links ................................................ 9


5.1. Configure keychain 1 with pre-shared Master key ............................................. 9
5.2. Configure keys and keychain and associate them in both switches ......................... 9
5.3. Monitor Macsec implementation ................................................................ 10
6 MACsec Mode Dynamic (Using EAP) - Management steps .............................. 11

Implementation

1 Overview
MACsec provides point-to-point security on Ethernet links between directly connected nodes.
- IEEE standard (802.1AE-2006) for encryption over Ethernet: it encrypts and authenticates all traffic on a LAN
segment with GCM-AES-128.
Using MACsec prevents DoS attacks, intrusion, wire-tapping, masquerading, etc. MACsec can be used to secure
most of the traffic on Ethernet links – LLDP frames, LACP frames, DHCP/ARP packets, etc.
MACsec-enabled links are secured by matching security keys. Data integrity checks are always performed;
optionally, the traffic can also be encrypted if enabled by the user configuration.
Three modes are available in AOS OmniSwitch:
- Static SA Mode – Switch-to-Switch links
- Dynamic SA Mode – Switch-to-Switch links
- Dynamic SA Mode – Host-to-Switch links
We are going to cover the first two modes in this lab.
- Host-to-Switch links are not covered, as the native Windows supplicant does not seem to support MACsec.
- Nevertheless, an example of the configuration steps is given in the appendix at the end of the lab.
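To make the overview concrete, the following added example (not part of this lab guide and not AOS code) parses the 802.1AE SecTAG that MACsec inserts after the source MAC address, checks the fields a receiver must validate before it even verifies the ICV, and applies the replay-protection window. The frame it builds is constructed for the example, with a placeholder ICV that has not been computed with GCM-AES-128; the MAC addresses are locally administered test values.

```python
"""Parse an IEEE 802.1AE (MACsec) SecTAG and apply the receive-side replay check.
Added example for this lab; not AOS code.  The sample frame is constructed and
its ICV is a placeholder, not a real GCM-AES-128 tag."""
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES-128 integrity check value length

# Bits of the TCI/AN octet (802.1AE clause 9.5); the low 2 bits are the AN.
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


def parse_sectag(frame: bytes) -> dict:
    """Return the SecTAG fields of a MACsec frame, rejecting malformed tags.
    Note the SecTAG precedes any VLAN tag: the 802.1Q header is inside the
    protected (and, with E set, encrypted) secure data."""
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType != 0x88E5)")
    tci_an, sl = frame[14], frame[15]
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    pn = struct.unpack("!I", frame[16:20])[0]
    if pn == 0:
        raise ValueError("PN 0 is never valid")
    off = 20
    if tci_an & TCI_SC:            # explicit 8-byte SCI follows the PN
        sci, off = frame[off:off + 8], off + 8
    elif tci_an & TCI_ES:          # SCI implied: source MAC + port identifier (1, or 0 with SCB)
        port_id = 0 if tci_an & TCI_SCB else 1
        sci = src + port_id.to_bytes(2, "big")
    else:
        sci = None                 # SCI known only from the receive channel context
    secure_data = frame[off:-ICV_LEN]
    # SL carries the user-data length when it is shorter than 48 octets, else 0.
    if sl and len(secure_data) != sl:
        raise ValueError(f"short-length field {sl} != secure data length {len(secure_data)}")
    return {
        "an": tci_an & 0x03,
        "pn": pn,
        "sci": sci.hex() if sci else None,
        "encrypted": bool(tci_an & TCI_E),   # E and C are both set for GCM-AES-128 with confidentiality
        "changed_text": bool(tci_an & TCI_C),
        "secure_data": secure_data,
        "icv": frame[-ICV_LEN:],
    }


def is_well_formed(frame: bytes) -> bool:
    """True when the SecTAG passes the structural checks in parse_sectag."""
    try:
        parse_sectag(frame)
        return True
    except ValueError:
        return False


class ReceiveSA:
    """Replay protection for one receive secure association (802.1AE clause 10.6).
    window=0 is strict: every PN must be higher than any PN already accepted."""

    def __init__(self, window: int = 0):
        self.window = window
        self.next_pn = 1

    def accept(self, pn: int) -> bool:
        lowest_acceptable = max(self.next_pn - self.window, 1)
        if pn < lowest_acceptable:
            return False           # replayed or too old for the window
        self.next_pn = max(self.next_pn, pn + 1)
        return True


def build_frame(dst: bytes, src: bytes, an: int, pn: int, payload: bytes,
                encrypted: bool = True, port_id: int = 1) -> bytes:
    """Constructed test helper: MACsec frame with explicit SCI, payload copied
    as-is and a placeholder ICV (no real cipher is applied)."""
    tci_an = TCI_SC | (TCI_E | TCI_C if encrypted else 0) | (an & 0x03)
    sl = len(payload) if len(payload) < 48 else 0
    sci = src + port_id.to_bytes(2, "big")
    return dst + src + struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + sci + payload + b"\xaa" * ICV_LEN


# Constructed sample: locally administered MACs, AN 0, PN 5, 20-byte payload.
SAMPLE = build_frame(bytes.fromhex("020000000008"), bytes.fromhex("020000000007"),
                     an=0, pn=5, payload=b"A" * 20)
```

Running `parse_sectag(SAMPLE)` yields AN 0, PN 5, the SCI `0200000000070001` (source MAC plus port identifier 1) and `encrypted=True`; flipping the SL byte or replaying PN 5 against a strict `ReceiveSA` is rejected, which is the behaviour the "data integrity checks" in the overview rely on.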

2 Topology

Notes
We are going to create a user-defined directory called “labmacsec” and boot both switches from it for this
lab.
At the end of the lab, we are going to reboot from the working directory to restore the initial configuration.

3 Prerequisite

3.1. Initialize both switches

- Create a user-defined directory “labmacsec” and boot the switches from this new user-defined
directory (labmacsec):
- Type the following to create the user-defined directory, copy the contents of the WORKING directory to it
and, once the switch has booted, verify that it booted from the “labmacsec” directory:

sw7 (6860-A) -> mkdir labmacsec
sw7 (6860-A) -> cp labinit/*.* labmacsec
sw7 (6860-A) -> ls labmacsec
sw7 (6860-A) -> reload from labmacsec no rollback-timeout
Confirm Activate (Y/N): y
sw7 (6860-A) -> show running-directory

sw8 (6860-B) -> mkdir labmacsec
sw8 (6860-B) -> cp labinit/*.* labmacsec
sw8 (6860-B) -> ls labmacsec
sw8 (6860-B) -> reload from labmacsec no rollback-timeout
Confirm Activate (Y/N): y
sw8 (6860-B) -> show running-directory

3.2. Check available port for MACsec capability

sw7 (6860-A) -> show interfaces 1/1/25 capability
Ch/Slot/Port   AutoNeg   Pause              Crossover   Speed   Duplex   Macsec Supported
--------------+--------+----------------+-----------+------------------+----------+-----------
1/1/25 CAP     DIS       Tx/Rx/Tx&Rx/DIS    -           10G     Full     YES
1/1/25 DEF     DIS       DIS                -           10G     Full     -

sw8 (6860-B) -> show interfaces 1/1/25 capability
Ch/Slot/Port   AutoNeg   Pause              Crossover   Speed   Duplex   Macsec Supported
--------------+--------+----------------+-----------+------------------+----------+-----------
1/1/25 CAP     DIS       Tx/Rx/Tx&Rx/DIS    -           10G     Full     YES
1/1/25 DEF     DIS       DIS                -           10G     Full     -

3.3. Check that the MACsec licence is available

sw7 (6860-A) -> show license-info
VC   device   License    Type   Time (Days) Remaining   Upgrade Status   Expiration Date
----+------+---------------+---------------+---------------+--------------+----------------
1    0        Advanced   PERM   NA                      NA               NA

- Only the Advanced licence is present, so install the MACsec licence from a licence file:

sw7 (6860-A) -> cat > licence.dat
1ES2-4{v!-[AQy-hRrK-B$qF-5EGE-}oHt-NJ5K (then press Enter and CTRL + D)

sw7 (6860-A) -> license apply file licence.dat order-id "05200622"

sw7 (6860-A) -> show license-info
VC   device   License    Type   Time (Days) Remaining   Upgrade Status   Expiration Date
----+------+---------------+---------------+---------------+--------------+----------------
1    0        Advanced   PERM   NA                      NA               NA
1    0        MACSEC     PERM   NA                      NA               NA

sw8 (6860-B) -> show license-info
VC   device   License    Type   Time (Days) Remaining   Upgrade Status   Expiration Date
----+------+---------------+---------------+---------------+--------------+----------------
1    0        Advanced   PERM   NA                      NA               NA

sw8 (6860-B) -> cat > licence.dat
1ES2-4{v!-[AQy-hRrK-B$qF-5EGE-}oHt-NJ5K (then press Enter and CTRL + D)

sw8 (6860-B) -> license apply file licence.dat order-id "05200622"

sw8 (6860-B) -> show license-info
VC   device   License    Type   Time (Days) Remaining   Upgrade Status   Expiration Date
----+------+---------------+---------------+---------------+--------------+----------------
1    0        Advanced   PERM   NA                      NA               NA
1    0        MACSEC     PERM   NA                      NA               NA

3.4. Implement a link between switches

- Log in to the switches and activate the interface

sw7 (6860-A) -> interface 1/1/25 admin-state enable
sw8 (6860-B) -> interface 1/1/25 admin-state enable

- To begin, let’s create a new VLAN and assign an IP address to that VLAN, as done previously

sw7 (6860-A) -> vlan 90
sw7 (6860-A) -> ip interface int_90 address 192.168.90.7/24 vlan 90

sw8 (6860-B) -> vlan 90
sw8 (6860-B) -> ip interface int_90 address 192.168.90.8/24 vlan 90

- Assign the port to VLAN 90

sw7 (6860-A) -> vlan 90 members port 1/1/25 untagged
sw7 (6860-A) -> show vlan 90 member

sw8 (6860-B) -> vlan 90 members port 1/1/25 untagged
sw8 (6860-B) -> show vlan 90 member

- Test connectivity between the two switches

sw8 (6860-B) -> ping 192.168.90.7

PING 192.168.90.7 (192.168.90.7) 56(84) bytes of data.


64 bytes from 192.168.90.7: icmp_seq=1 ttl=64 time=12.3 ms
64 bytes from 192.168.90.7: icmp_seq=2 ttl=64 time=0.609 ms
64 bytes from 192.168.90.7: icmp_seq=3 ttl=64 time=0.682 ms
64 bytes from 192.168.90.7: icmp_seq=4 ttl=64 time=0.627 ms
64 bytes from 192.168.90.7: icmp_seq=5 ttl=64 time=0.643 ms

4 Static SA Mode – Switch-to-Switch links

4.1. Configure the keys and keychains

- Random keys have already been generated by the administrator, so the step that generates them on a switch
can be skipped.
- The random keys provided by the administrator are:
Key 1 : f514ab78a8f923225626dd6064d6d67a
Key 2 : 1937463f587115258ea8f0ed62f308e7
Key 3 : 0ad08a30ebdb532d4cb151dc1c0dafd9
Key 4 : b10f0a502c19f0c84acf798322f7efb8
Tips
If you do not have keys, use the following command on a switch to generate one:
sw7 (6860-A) -> security key-chain gen-random-key

4.2. Configure keys and keychain and associate them in both switches

4.2.1. Create security keys

- This example uses the keys generated above. If you generate new keys, do not forget to replace them in the
command lines below. The same key values must be entered on both switches.
sw7 (6860-A) -> security key 1 algorithm aes-gcm-128 encrypt-key ef68850d93b82fb494843f66f5864cc5
sw7 (6860-A) -> security key 2 algorithm aes-gcm-128 encrypt-key 0641ef514da5c09feee8bf9a96fb22e1
sw7 (6860-A) -> security key 3 algorithm aes-gcm-128 encrypt-key 58b554b11033d1d865ef35ba707e4767
sw7 (6860-A) -> security key 4 algorithm aes-gcm-128 encrypt-key f167cc24fc78950f265a74edcf5cb344

sw8 (6860-B) -> security key 1 algorithm aes-gcm-128 encrypt-key ef68850d93b82fb494843f66f5864cc5
sw8 (6860-B) -> security key 2 algorithm aes-gcm-128 encrypt-key 0641ef514da5c09feee8bf9a96fb22e1
sw8 (6860-B) -> security key 3 algorithm aes-gcm-128 encrypt-key 58b554b11033d1d865ef35ba707e4767
sw8 (6860-B) -> security key 4 algorithm aes-gcm-128 encrypt-key f167cc24fc78950f265a74edcf5cb344

Tips
Up to 4 manually configured SA keys are used to secure traffic on the point-to-point link between two nodes.

4.2.2. Create key-chains

sw7 (6860-A) -> security key-chain 1
sw7 (6860-A) -> security key-chain 2

sw8 (6860-B) -> security key-chain 1
sw8 (6860-B) -> security key-chain 2

4.2.3. Associate security keys to key-chains

sw7 (6860-A) -> security key-chain 1 key 1-2
sw7 (6860-A) -> security key-chain 2 key 3-4

sw8 (6860-B) -> security key-chain 1 key 1-2
sw8 (6860-B) -> security key-chain 2 key 3-4

4.3. Configure sci-tx/sci-rx for a port

- Configure sci-tx/sci-rx for the port with the key-chains above, add the optional “encryption” keyword if
encryption is wanted, and enable MACsec on the port. Note that the transmit key-chain of one switch is the
receive key-chain of the other:
sw7 (6860-A)-> interface 1/1/25 macsec admin-state enable sci-tx key-chain 1 encryption sci-rx key-chain 2 encryption
sw8 (6860-B)-> interface 1/1/25 macsec admin-state enable sci-tx key-chain 2 encryption sci-rx key-chain 1 encryption

4.4. Monitor Macsec implementation

- Show the MACsec configuration snapshot in both switches

sw7 (6860-A) -> show configuration snapshot macsec
! MAC Security:
interfaces port 1/1/25 macsec mode static
interfaces port 1/1/25 macsec sci-tx key-chain 1 encryption
interfaces port 1/1/25 macsec sci-rx key-chain 2 encryption
interfaces port 1/1/25 macsec admin-state enable

sw8 (6860-B) -> show configuration snapshot macsec
! MAC Security:
interfaces port 1/1/25 macsec mode static
interfaces port 1/1/25 macsec sci-tx key-chain 2 encryption
interfaces port 1/1/25 macsec sci-rx key-chain 1 encryption
interfaces port 1/1/25 macsec admin-state enable

- Test connectivity between the two switches


sw8 (6860-B) -> ping 192.168.90.7

PING 192.168.90.7 (192.168.90.7) 56(84) bytes of data.


64 bytes from 192.168.90.7: icmp_seq=1 ttl=64 time=12.3 ms
64 bytes from 192.168.90.7: icmp_seq=2 ttl=64 time=0.609 ms
64 bytes from 192.168.90.7: icmp_seq=3 ttl=64 time=0.682 ms
64 bytes from 192.168.90.7: icmp_seq=4 ttl=64 time=0.627 ms
64 bytes from 192.168.90.7: icmp_seq=5 ttl=64 time=0.643 ms
---
sw7 (6860-A) -> ping 192.168.90.8
PING 192.168.90.8 (192.168.90.8) 56(84) bytes of data.
64 bytes from 192.168.90.8: icmp_seq=1 ttl=64 time=10.7 ms
64 bytes from 192.168.90.8: icmp_seq=2 ttl=64 time=0.627 ms
64 bytes from 192.168.90.8: icmp_seq=3 ttl=64 time=1.52 ms
64 bytes from 192.168.90.8: icmp_seq=4 ttl=64 time=0.633 ms
64 bytes from 192.168.90.8: icmp_seq=5 ttl=64 time=0.615 ms

- Check MACsec interfaces


sw7 (6860-A) -> show interfaces macsec
Chas/Slot/Port Admin-State Mode Encryption
---------------+-------------+------------+-----------------
1/1/25 Enabled Static Enabled

sw8 (6860-B) -> show interfaces macsec


Chas/Slot/Port Admin-State Mode Encryption
---------------+-------------+------------+-----------------
1/1/25 Enabled Static Enabled

sw7 (6860-A) -> show interfaces macsec static


Chas/Slot/Port Admin-State SCI Type Keychain Encryption
---------------+-------------+--------------------+------+-----------+--------------
1/1/25 Enabled - TX 1 Enabled
1/1/25 Enabled - RX 2 Enabled

sw8 (6860-B) -> show interfaces macsec static


Chas/Slot/Port Admin-State SCI Type Keychain Encryption
---------------+-------------+--------------------+------+-----------+--------------
1/1/25 Enabled - TX 2 Enabled
1/1/25 Enabled - RX 1 Enabled

4.5. Remove MACsec configuration

sw7 (6860-A) -> interface port 1/1/25 macsec admin-state disable
sw7 (6860-A) -> no interfaces port 1/1/25 macsec
sw7 (6860-A) -> no security key-chain 1
sw7 (6860-A) -> no security key-chain 2
sw7 (6860-A) -> show configuration snapshot macsec
sw7 (6860-A) -> write memory

sw8 (6860-B) -> interface port 1/1/25 macsec admin-state disable
sw8 (6860-B) -> no interfaces port 1/1/25 macsec
sw8 (6860-B) -> no security key-chain 1
sw8 (6860-B) -> no security key-chain 2
sw8 (6860-B) -> show configuration snapshot macsec
sw8 (6860-B) -> write memory

Tips
// Examples of the “no” form:
// Un-configure macsec sci-tx params
-> no interface 1/1/25 macsec sci-tx key-chain
-> no interface 1/1/25 macsec sci-tx encryption
-> no interface 1/1/25 macsec sci-tx

// Un-configure macsec sci-rx params
-> no interface 1/1/25 macsec sci-rx 0x2 key-chain
-> no interface 1/1/25 macsec sci-rx 0x2 encryption
-> no interface 1/1/25 macsec sci-rx 0x2

5 Dynamic SA Mode – Switch-to-Switch links

5.1. Configure keychain 1 with pre-shared Master key

- The pre-shared master key has already been generated by the administrator, so the step that generates it on a
switch can be skipped.
- The pre-shared master key provided by the administrator is:

hex-key 0x000102030405060708090a0b0c0d0e0f
keyed-name 0x000102030405060708090a0b0c0d0eff

5.2. Configure keys and keychain and associate them in both switches

- Configure the keys
sw7 (6860-A) -> security key 1 algorithm aes-cmac-128 hex-key 0x000102030405060708090a0b0c0d0e0f keyed-name 0x000102030405060708090a0b0c0d0eff

sw8 (6860-B) -> security key 1 algorithm aes-cmac-128 hex-key 0x000102030405060708090a0b0c0d0e0f keyed-name 0x000102030405060708090a0b0c0d0eff

- Create the key-chain
sw7 (6860-A) -> security key-chain 1
sw8 (6860-B) -> security key-chain 1

- Associate the security key to the key-chain
sw7 (6860-A) -> security key-chain 1 key 1
sw8 (6860-B) -> security key-chain 1 key 1

- Configure dynamic mode on the port with the above key-chain

sw7 (6860-A) -> interfaces port 1/1/25 macsec mode dynamic key-chain 1 encryption
sw7 (6860-A) -> interfaces port 1/1/25 macsec admin-state enable

sw8 (6860-B) -> interfaces port 1/1/25 macsec mode dynamic key-chain 1 encryption
sw8 (6860-B) -> interfaces port 1/1/25 macsec admin-state enable



5.3. Monitor Macsec implementation

- Show the MACsec configuration snapshot in both switches

sw7 (6860-A) -> show configuration snapshot macsec
! MAC Security:
interfaces port 1/1/25 macsec mode dynamic key-chain 1 encryption
interfaces port 1/1/25 macsec admin-state enable

sw8 (6860-B) -> show configuration snapshot macsec
! MAC Security:
interfaces port 1/1/25 macsec mode dynamic key-chain 1 encryption
interfaces port 1/1/25 macsec admin-state enable
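The most common reason a MACsec link stays down after the static configuration of section 4 or the dynamic one above is that the two snapshots are not mirror images: in static mode switch A's sci-tx key-chain must be switch B's sci-rx key-chain (and vice versa) with the same encryption setting, and in dynamic mode both ports must reference the same key-chain. The following added check (example code, not AOS code) parses `show configuration snapshot macsec` from both peers and reports such mismatches. The snapshot texts are copied from the lab outputs; the "bad" variant is constructed to show a detected error. The snapshot does not reveal the key material itself, so a clean result means the references match, not that the keys do.

```python
"""Cross-check `show configuration snapshot macsec` output from two MACsec peers.
Added example, not AOS code.  Snapshots are copied from the lab; SNAP_SW8_BAD is
constructed with a deliberately wrong sci-rx key-chain."""
import re

PORT_LINE = re.compile(r"^interfaces port (\S+) macsec (.+)$")


def _chain(toks):
    """(key-chain id, encryption enabled) from a tokenised snapshot line."""
    return int(toks[toks.index("key-chain") + 1]), "encryption" in toks


def parse_snapshot(text: str) -> dict:
    """Map each port to its MACsec settings; key-chain references become
    (chain_id, encryption) tuples so both ends can be compared directly."""
    ports = {}
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if not m:
            continue                      # "! MAC Security:" banner and anything else
        port, rest = m.groups()
        toks = rest.split()
        cfg = ports.setdefault(port, {"mode": None, "admin": None, "tx": None, "rx": None, "dyn": None})
        if toks[0] == "mode":
            cfg["mode"] = toks[1]
            if toks[1] == "dynamic" and "key-chain" in toks:
                cfg["dyn"] = _chain(toks)
        elif toks[0] in ("sci-tx", "sci-rx"):
            cfg[toks[0][4:]] = _chain(toks)   # "tx" / "rx"
        elif toks[0] == "admin-state":
            cfg["admin"] = toks[1]
    return ports


def check_peers(snap_a, port_a, snap_b, port_b, name_a="sw7", name_b="sw8") -> list:
    """Return human-readable problems; an empty list means both ends agree at the
    snapshot level (the keys inside the chains are not visible here)."""
    a = parse_snapshot(snap_a).get(port_a)
    b = parse_snapshot(snap_b).get(port_b)
    if a is None:
        return [f"MACsec not configured on {name_a} port {port_a}"]
    if b is None:
        return [f"MACsec not configured on {name_b} port {port_b}"]
    problems = []
    if a["mode"] != b["mode"]:
        problems.append(f"mode mismatch: {name_a}={a['mode']} {name_b}={b['mode']}")
    elif a["mode"] == "static":
        # A's transmit secure channel is B's receive secure channel and vice versa.
        if a["tx"] != b["rx"]:
            problems.append(f"{name_a} sci-tx {a['tx']} != {name_b} sci-rx {b['rx']}")
        if a["rx"] != b["tx"]:
            problems.append(f"{name_a} sci-rx {a['rx']} != {name_b} sci-tx {b['tx']}")
    elif a["mode"] == "dynamic":
        if a["dyn"] != b["dyn"]:
            problems.append(f"dynamic key-chain/encryption mismatch: {name_a}={a['dyn']} {name_b}={b['dyn']}")
    for name, cfg in ((name_a, a), (name_b, b)):
        if cfg["admin"] != "enable":
            problems.append(f"{name}: macsec admin-state is {cfg['admin']}")
    return problems


SNAP_SW7_STATIC = """! MAC Security:
interfaces port 1/1/25 macsec mode static
interfaces port 1/1/25 macsec sci-tx key-chain 1 encryption
interfaces port 1/1/25 macsec sci-rx key-chain 2 encryption
interfaces port 1/1/25 macsec admin-state enable
"""
SNAP_SW8_STATIC = """! MAC Security:
interfaces port 1/1/25 macsec mode static
interfaces port 1/1/25 macsec sci-tx key-chain 2 encryption
interfaces port 1/1/25 macsec sci-rx key-chain 1 encryption
interfaces port 1/1/25 macsec admin-state enable
"""
# Constructed: sw8 receives with key-chain 3, which sw7 never transmits with.
SNAP_SW8_BAD = SNAP_SW8_STATIC.replace("sci-rx key-chain 1", "sci-rx key-chain 3")
SNAP_SW7_DYN = """! MAC Security:
interfaces port 1/1/25 macsec mode dynamic key-chain 1 encryption
interfaces port 1/1/25 macsec admin-state enable
"""
SNAP_SW8_DYN = SNAP_SW7_DYN
```

`check_peers(SNAP_SW7_STATIC, "1/1/25", SNAP_SW8_STATIC, "1/1/25")` returns an empty list for the lab configuration, while the constructed `SNAP_SW8_BAD` produces one finding naming the sw7 sci-tx / sw8 sci-rx pair that disagrees.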

- Test connectivity between the two switches


sw8 (6860-B) -> ping 192.168.90.7

PING 192.168.90.7 (192.168.90.7) 56(84) bytes of data.


64 bytes from 192.168.90.7: icmp_seq=1 ttl=64 time=12.3 ms
64 bytes from 192.168.90.7: icmp_seq=2 ttl=64 time=0.609 ms
64 bytes from 192.168.90.7: icmp_seq=3 ttl=64 time=0.682 ms
64 bytes from 192.168.90.7: icmp_seq=4 ttl=64 time=0.627 ms
64 bytes from 192.168.90.7: icmp_seq=5 ttl=64 time=0.643 ms
---
sw7 (6860-A) -> ping 192.168.90.8
PING 192.168.90.8 (192.168.90.8) 56(84) bytes of data.
64 bytes from 192.168.90.8: icmp_seq=1 ttl=64 time=10.7 ms
64 bytes from 192.168.90.8: icmp_seq=2 ttl=64 time=0.627 ms
64 bytes from 192.168.90.8: icmp_seq=3 ttl=64 time=1.52 ms
64 bytes from 192.168.90.8: icmp_seq=4 ttl=64 time=0.633 ms
64 bytes from 192.168.90.8: icmp_seq=5 ttl=64 time=0.615 ms

- Check MACsec interfaces

sw7 (6860-A) -> show interfaces macsec
Chas/Slot/Port Admin-State Mode Encryption
---------------+-------------+------------+-----------------
1/1/25 Enabled Dynamic Enabled

sw8 (6860-B) -> show interfaces macsec
Chas/Slot/Port Admin-State Mode Encryption
---------------+-------------+------------+-----------------
1/1/25 Enabled Dynamic Enabled

sw7 (6860-A) -> show interfaces macsec dynamic
Chas/Slot/Port Admin-State Mode Keychain Encryption Server Priority Transmit Interval(Sec) Key Server Operation Status
----------------+-------------+----------+----------+------------+----------+---------------+--------+--------------
1/1/25 Enabled keychain 1 Enabled 10 2 NO UP

sw8 (6860-B) -> show interfaces macsec dynamic
Chas/Slot/Port Admin-State Mode Keychain Encryption Server Priority Transmit Interval(Sec) Key Server Operation Status
----------------+-------------+----------+----------+------------+----------+---------------+--------+--------------
1/1/25 Enabled keychain 1 Enabled 10 2 YES UP

- At the end of this lab, restore both switches to their initial configuration by restarting them from the
"working" directory.

sw7 (6860-A) -> rm -r labmacsec
sw7 (6860-A) -> reload from working no rollback-timeout
Confirm Activate (Y/N) : y

sw8 (6860-B) -> rm -r labmacsec
sw8 (6860-B) -> reload from working no rollback-timeout
Confirm Activate (Y/N) : y

6 MACsec Mode Dynamic (Using EAP) - Management steps

- This part does not work on the remote lab, as MACsec is not available on the Windows XP/7 client hosts. It is
given as an example of the management steps.

- Enable MACsec on the port, using EAP

interfaces port 1/1/1 macsec mode dynamic radius
interfaces port 1/1/1 macsec admin-state enable

- Enable UNP on the port

unp port 1/1/1 port-type bridge
unp port 1/1/1 802.1x-authentication

- Create the UNP profile needed to learn the supplicant. A successful RADIUS authentication returns the UNP profile
“employee”, which maps to VLAN 30
vlan 30
unp profile “employee”
unp profile “employee” map vlan 30

- Configure the RADIUS server used for 802.1x-authentication

aaa radius-server radius host 192.168.100.102 key Alcatel
aaa device-authentication 802.1x radius
CONSOLE CONNECTIONS
ALE NETWORK PRODUCTS
February 22

OS6900 CONSOLE - connection through a serial-to-USB adapter or a console server
- OS6900 T20/T40/X20/X40: USB A console port @ 9600 baud rate. Cable OS6900-USB-RJ45 (comes in the box), then RJ45 to DB9 female into a serial-to-USB adapter, or a straight UTP cable to the console server.
- OS6900 X72/Q32: RJ45 console port @ 9600 baud rate. RJ45 to DB9 female adapter (comes in the box) into a serial-to-USB adapter, or a straight UTP cable to the console server.
- OS6900 V72/C32/X48C6/T48C6/V48C8: RJ45 console port @ 115200 baud rate. RJ45 to DB9 female adapter (comes in the box) plus a male-male DB9 adapter into a serial-to-USB adapter, or a straight UTP cable to the console server.
* Connections to console servers may need a straight or roll-over UTP cable depending on the console server model.

OS6900 CONSOLE - connection through a console roll-over cable
- OS6900 T20/T40/X20/X40: USB A console @ 9600 baud rate. OS6900-USB-RJ45 (comes in the box) with a console roll-over adapter, or a console roll-over cable with USB Type A.
- OS6900 X72/Q32: RJ45 console @ 9600 baud rate. Console roll-over adapter, OR console roll-over cable with USB Type C.
- OS6900 V72/C32/X48C6/T48C6/V48C8: RJ45 console @ 115200 baud rate.

OS6860 CONSOLE - connection through a serial-to-USB adapter or a console server
- OS6860/OS6860E: Micro USB console @ 9600 baud rate. OS6860-RS232CBL (micro USB to DB9, needs to be ordered separately), then serial-to-USB, or RJ45 to DB9 female and a straight UTP cable to the console server.
- OS6860N: Micro USB console @ 115200 baud rate. OS6860-RS232CBL (needs to be ordered separately), male-male DB9 adapter, or RJ45 to DB9 female and a straight UTP cable to the console server.
* Connections to console servers may need a straight or roll-over UTP cable depending on the console server model.

OS6860 CONSOLE - connection through a console roll-over cable
- A direct micro USB connection requires installation of a driver on the PC: https://www.silabs.com/developers/usb-to-uart-bridge-vcp-drivers (cable comes in the box).
- OS6860/OS6860E: Micro USB console @ 9600 baud rate. Console roll-over cable with USB Type A, OR OS6860-RS232CBL (needs to be ordered separately) with a console roll-over adapter, OR console roll-over cable with USB Type C.
- OS6860N: Micro USB console @ 115200 baud rate. OS6860-RS232CBL (needs to be ordered separately) with a console roll-over adapter.

OTHER SWITCHES - Legacy/New switches: 6350, 6360, 6450, 6465, 6560, 6850, 6855, 6865, 9900, 10K
- RJ45 console @ 9600 baud rate.
- Serial-to-USB: OS6900-USB-RJ45 (comes in the box) / RJ45 to DB9 female; console server: straight UTP cable.
- Console roll-over cable with USB Type A, console roll-over adapter, or console roll-over cable with USB Type C.
* Connections to console servers may need a straight or roll-over UTP cable depending on the console server model.
Campus LAN Network Solution
High End Modular L2/L3 Switch Portfolio

OmniSwitch 6900

OmniSwitch 6900-X (OS6900-X20) - High Density 10GigE Switch
• 20 SFP+ ports (1G/10G)
- Up to 32 SFP+ ports on the 6900-X20
• 640Gbps wire-rate capacity
• 480Mpps
• Sub microsecond latency
• 128K MAC addresses
• Wire-rate switching and routing
• Virtual chassis of up to 6 switches
• Redundant hot swappable power supplies, fans
• Optional modules
- 1 for OS6900-T20 (in front)
• Front To Back / Back To Front Air Flow
• AOS R8
Verticals: LAN Core / Aggregation, Data Center Top of Rack switch

OmniSwitch 6900-T (OS6900-T20) - High Density 10GigE Switch
• 20 10GBase-T ports (IEEE 802.3an)
- Up to 28 10GBase-T ports on the 6900-T20
• 640Gbps wire-rate capacity / low latency
• Sub microsecond latency
• 128K MAC addresses
• IPv4 hosts 8K / IPMC 8K
• Wire-rate switching and routing
• Virtual chassis of up to 6 switches
• Redundant hot swappable power supplies, fans
• Optional modules
- 1 for OS6900-T20 (in front)
• Front to Back / Back to Front Air Flow
• Energy Efficient Ethernet IEEE 802.3az
• CAT 5e = 55 meters; CAT 6a/7 = 100 meters
• 1G/10G auto-negotiation
OmniSwitch 6900-V72 (OS6900-V72) - High density Multi-gig in 1RU
• 48 fixed SFP28 (10G/25G) ports
• 6 fixed QSFP28 (10/25/40/100G) ports
• Virtual chassis of up to 6 switches
• 1+1 redundant PS and 5+1 fan trays
• Can be mixed in a Mesh Virtual chassis with X/T models
• VXLAN hardware gateway
Front panel: 48 SFP28 ports, 6 QSFP28 100G ports. Rear: hot swappable fan tray, redundant power supplies (450W, AC or DC).

OmniSwitch 6900-C32 (OS6900-C32) - High density Multi-gig in 1RU
• 32 QSFP28 100G ports; 128 SFP+ 10G ports with splitter cables
• 128 x 10G ports with splitter cables
• 72 x 25G ports
• Scalable with 32x100G-BaseX ports with QSFP28 connectors
• Operate at 100G/40G/4x25G/4x10G using splitter cables
• Port connects to a transceiver or DAC cable
• Very Low Latency <600ns
• 6.4Tbps switching and 4.8 Gbs throughput
• Virtual chassis of up to 6 switches
• Quad-color LED per data port
• 2 redundant Power Supplies and 5+1 fan trays
Rear: hot swappable fan tray, redundant power supplies (450W, AC or DC).

OmniSwitch 6900-C32E (OS6900-C32E) - High density Multi-gig in 1RU
• 32 QSFP28 100G ports; 128 SFP+ 10G ports with splitter cables
• 128 x 10G ports with splitter cables
• 72 x 25G ports
• Scalable with 32x100G-BaseX ports with QSFP28 connectors
• Operate at 100G/40G/4x25G/4x10G using splitter cables
• Port connects to a transceiver or DAC cable
• Very Low Latency <600ns
• 6.4Tbps switching and 4.8 Gbs throughput
• Virtual chassis of up to 6 switches
• Quad-color LED per data port
• 2 redundant Power Supplies and 5+1 fan trays
Rear: hot swappable fan tray, redundant power supplies (450W, AC or DC).
OmniSwitch 6900-X48C6
• Single ASIC with 2.16 Tbps switching capacity
• Multicolored LED front panel
• 48-port unpopulated SFP+ ports; SFP+ ports can operate at 1/10 GE speeds
• 6-port unpopulated QSFP28 interfaces; QSFP28 ports operate at 100/40/4x25/4x10 GE
• Hardware supports SPB, L3VPN, VXLAN
• VC compatible with V72, C32, T48 & X48E
• 6900-X48E supports MACsec on all ports
Hardware characteristics: Front to Rear & Rear to Front fan trays; dual redundant power supplies (uses new 400W PSU, AC or DC); hot swappable fan tray; Virtual Chassis of 6.
Front panel: 48 SFP+ 10G ports, 6 QSFP28 100G ports.

OmniSwitch 6900-T48C6
• Single ASIC with 2.16 Tbps switching capacity
• Multicolored LED front panel
• 48-port 10G-BaseT ports; 10G-BaseT ports can operate at 1/10 GE speeds
• 6-port unpopulated QSFP28 interfaces; QSFP28 ports operate at 100/40/4x25/4x10 GE speeds
• Hardware supports SPB, L3VPN, VXLAN
• VC compatible with V72, C32, X48, X48E
Hardware characteristics: Front to Rear & Rear to Front fan trays; dual redundant power supplies (uses new 400W PSU, AC or DC); hot swappable fan tray; Virtual Chassis of 6.
Front panel: 48 10G-BaseT ports, 6 QSFP28 100G ports.

OmniSwitch 6900-X48C4E
• Multicolored LED front panel
• 40-port unpopulated SFP+ ports; SFP+ ports can operate at 1/10 GE speeds
• 4-port unpopulated QSFP28 interfaces; QSFP28 ports operate at 100/40/4x25/4x10 GE
• Hardware supports SPB, L3VPN, VXLAN
• 6900-X48E supports MACsec on all ports
Hardware characteristics: Front to Rear & Rear to Front fan trays; dual redundant power supplies (AC or DC); hot swappable fan tray.
Front panel: 40 SFP+ 10G ports, 4 QSFP28 100G ports.

OmniSwitch 6900-V48C8
• Multicolored LED front panel
• 48-port unpopulated SFP28 ports; SFP28 ports operate at 1G/10G/25G speeds
• 8-port unpopulated QSFP28 ports; QSFP28 ports operate at 4X10G/40G/4X25G/100G
• Hardware supports SPB, L3VPN, VXLAN
Hardware characteristics: Front to Rear & Rear to Front fan trays; dual redundant power supplies (AC or DC); hot swappable fan tray.
Front panel: 48 SFP28 10G/25G ports, 8 QSFP28 100G ports.
OmniSwitch 6900 - Optional modules for X and T Models
• OS-HNI-U6: 4 x 10G SFP+ ports (FC 2G/4G/8G) and 2 x 40G QSFP+ ports
• OS-QNI-U3: 3 x 40G QSFP+ ports (40G)
• OS-XNI-U12E: 12 SFP+ ports (1G/10G)
• OS-XNI-U12: 12 SFP+ ports (1G/10G)
• OS-XNI-U4: 4 SFP+ ports (1G/10G)
• OS-XNI-T8: 8 ports 10GBase-T (100M/1G/10G)

OmniSwitch 6900 - Power Supplies and Fans
• A fully loaded OS6900-xxx requires a single 450W PSU
• Hot-swappable AC and DC PSU
• 1+1 redundant, removable
PS & Fans (Front-to-Rear Airflow): AC OS6900-BP-F, DC OS6900-BPD-F, Fans OS6900-FT-F
PS & Fans (Rear-to-Front Airflow): AC OS6900-BP-R, DC OS6900-BPD-R, Fans OS6900-FT-R
• Fans: single removable unit; field replaceable tray in the rear of the chassis

OmniSwitch 6900 - Optional Transceivers Support
Gigabit Ethernet: SFP-GIG-SX, SFP-GIG-LX, SFP-GIG-LH40, SFP-GIG-LH70, SFP-GIG-T
CWDM Gigabit Ethernet: SFP-GIG-CWD
Bi-directional Ethernet: SFP-100-BX20LT, SFP-100-BX20NU, SFP-100-BXLC-D, SFP-100-BXLC-U, SFP-GIG-BX-D, SFP-GIG-BX-U
Ethernet 100-FX: SFP-100-LC-MM, SFP-100-LC-SM15, SFP-100-LC-SM40
Triple-speed SFP+ Fibre Channel: optical, auto-sensing 2G, 4G, 8G FC
SFP-10G-ZR: 10G SFP+ optical, distance up to 80 km, single mode
10-Gigabit SFP+: SFP-10G-SR, SFP-10G-LR, SFP-10G-ER, SFP-10G-LRM, SFP-10G-C
40-Gigabit QSFP+: QSFP-40G-SR, QSFP-40G-C
Direct Attach SFP+: 1m/3m/7m
QSFP-4x10G-C: QSFP-4x10G-C1M, QSFP-4x10G-C3M, QSFP-4x10G-C5M
QSFP-4x10G-SR: QSFP-4x10G-SR
OmniSwitch 6900 Hardware
Buffer And Traffic Management
Switch Advanced Features
• Virtualization with MC-LAG or Virtual Chassis
• Fast network re-convergence and optimal load
balancing with Shortest Path Bridging
• Ease of configuration
Optimum Application Performance with Rich QoS
• Rich application classification capabilities (L2/L3/L4)
• Advanced Queuing and congestion management
- Enhanced Transmission Selection (ETS) 802.1Qaz (DCB)
- Queue Set profiles (SPQ, WFQ, RED, WRED)
• Congestion Notification
- Priority based Flow Control (PFC), IEEE 802.1Qbb (DCB)
- 802.3x
• Core Routing Layer 3 support
• Wire-rate at L2 / L3 (IPv4/v6, unicast and multicast)
• Advanced routing support with protocols such as OSPF,
BGP, PIM-SM, BFD, VRF
OmniSwitch 9900

OmniSwitch 9907
A 7-Slot low latency chassis for Campus LAN
• Core/Distribution
• Edge
High-throughput Campus LAN chassis
• 5.12Tbps Fabric capacity
• 1/10/40/100G
• Virtual Chassis Support (2 Chassis)
• Built-in redundancy (MGMT/Fabric/PS/Fans)
• All Modules hot-swappable
• Internal POE supply / HPoE up to 75W & 802.3at support
• MACsec, 1588v2 & MPLS ready hardware
• SDN Ready – OpenFlow/VXLAN/OpenStack/REST APIs
• AOS R8

OmniSwitch 9907 - Overview
• 11 RU, 7 Slots
• Dedicated CMM Slot (80Gbps Full Duplex bandwidth)
• Universal CMM/NI Slot (80Gbps Full Duplex bandwidth)
• 2x40G QSFP+ ports per CMM for uplink or VFL connectivity; up to 4x40G ports in a redundant system; each 40G can be divided into 4x10G
• 5 Dedicated NI Slots, 480Gbps Full Duplex bandwidth per slot
• Front accessible redundant PS
• Scalable up to 10800W internal POE power

OmniSwitch 9907 - Future Proof Architecture
Innovative direct-connect architecture
• Backplane less
• Each slot connects to the fabric directly
Future-proof for hardware evolution
• Two fabrics for full capacity in phase 1
• Ready to support four fabrics to double the capacity in the future
• Newer fabrics & NI possible without chassis swap out
• Fabrics & fans reside at the rear
• Front to back airflow for cooling
(Conceptual side view: front NI slots connecting directly to the fabric at the rear)

OmniSwitch 9907 - CMM
• Console (RJ45 / Micro-USB)
• EMP: 1 GigE Ethernet Management Port
• Status LEDs
• 40G QSFP+ ports
• USB port

OmniSwitch 9907 - NIs
NI Card | Connectors | Port Speeds | Maximum Port Density
OS99-GNI-48 | RJ45 | 10/100/1000BaseT | 288 (1)
OS99-GNI-P48 | RJ45 | 10/100/1000BaseT (PoE) | 288 (802.3at) (1); 48 (HPoE)
OS99-GNI-U48 | SFP | 1G/10G, MACsec on all ports | 256 (100FX, 1G)
OS99-XNI-48 | RJ45 | 1G/10GBaseT | 256 (10G) (2)
OS99-XNI-U24 | SFP+ | 1G/10G | 144 (10G) (1)
OS99-XNI-U48 | SFP+ | 1G/10G | 256 (10G) (2)
(1) Slot 2 populated with NI
(2) 40G Ports on CMM split into 10G
(3) Currently 2 ports per CMM

OmniSwitch 9907 - Multi-Gig NIs
NI Card | Connectors | Port Speeds | Maximum Port Density
OS99-XNI-P48Z16 | RJ45 | 1/2.5/5/10 GigE BaseT PoE | 48; Ports 1-16 (HPoE)
OS99-XNI-P24Z8 | RJ45 | 8 x 1/2.5/5/10 GigE BaseT PoE | Ports 1-8 (HPoE)
OS99-CNI-U8 | QSFP28 | 40G/100G Base-X; 4x10G/25G Base-X | 8 (32)

OmniSwitch 9907 - Fabric / Fan-Tray Modules (Rear)
• 3 Slots for fan trays
• 4 Slots for CFM behind fan trays (2 slots currently used)
▪ OS9900-CFM (Chassis Fabric Module)
▪ OS9900-fan tray

OmniSwitch 9907 - System and PoE Power
Common Power for System and PoE
• No external Power Shelf / PSU needed for PoE
• Power budget depends on the number, type (AC, DC) and input voltage (highline, lowline)
• System power for board power up takes priority
• After system power up all remaining power is available for PoE
• System power can be configured to operate in N+1 redundancy mode
• 4 slots for power supplies
Power Supply | Available Power per PS
AC at 240V (highline) | 3000 W
AC at 120V (lowline) | 1200 W
DC | 2500 W

OmniSwitch 9907 - PoE-Power
Provides up to 75 W per port
HPoE
• GNI-P48 & XNI-P48Z16 support 75 watts for ports 1-8 and up to 30 watts for the remaining 40 ports
• For a chassis with single CMM, dual Fabrics, 4x PSU @ 3KW each can provide up to 10,800W of PoE to 6x GNI-P48
Standard | Max. PoE power per port
IEEE 802.3af | 15.4/12.95 watts
IEEE 802.3at | 30/25.5 watts
HPoE (first 8 Ports) | 75 watts
OmniSwitch AOS R6/R8

Advanced IP Interfaces
Lesson summary

At the end of this presentation, you will be able to

◼ Manage the Loopback0 interface

◼ Manage the Local Proxy ARP

◼ Configure the Optional parameters

◼ Configure the DHCP Relay

◼ Understand the IPv6 protocol


Loopback0 Interface
◼ IP interface with a consistent address for network management purposes

◼ Not bound to any VLAN

◼ Always remains operationally active

◼ To identify a Loopback0 interface, enter Loopback0 for the interface name

-> ip interface Loopback0 address <ip address>

◼ Automatically advertised by RIP and OSPF protocols when the interface is created (not by
BGP)

◼ Used for:
⚫ RP (Rendez-Vous Point) in PIMSM
⚫ sFlow Agent IP address
⚫ Source IP of RADIUS authentication
⚫ NTP Client
⚫ BGP peering
⚫ OSPF router-id
⚫ Switch and Traps Identification from an NMS station (i.e OmniVista)
Loopback0 / Selectable Primary IP Interface
◼ Applications will be able to choose the source interface IP
⚫ any IP interface/ loopback
⚫ in the particular VRF based on an application specific command

-> ip managed-interface {Loopback0 | interface-name} application [ldap-server] [tacacs] [radius] [snmp] [sflow] [ntp] [syslog] [dns] [dhcp-server] [telnet] [ftp] [ssh] [tftp] [all]

-> show ip managed-interface


Legend: "-" denotes no explicit configuration
Application Interface-Name
-----------------+------------------------------
tacacs -
sflow -
ntp Loopback0
syslog -
dns -
telnet -
ssh -
tftp -
ldap-server -
radius Loopback0
snmp Loopback0
ftp -
Default IP interface - Mode of Operation

Application | Default Setting for the Source IP Address

AAA authentication Server
LDAP | Loopback0 if configured, otherwise outgoing interface
TACACS+ | Outgoing interface
RADIUS | Loopback0 if configured, otherwise outgoing interface

Switch Management applications
SNMP (includes traps) | Loopback0 if configured, otherwise outgoing interface
SFLOW | Loopback0 if configured, outgoing IP otherwise
NTP | Loopback0 if configured, otherwise outgoing interface
SYSLOG | Outgoing interface
DNS | Outgoing interface
DHCP server | Outgoing interface

Switch access and utilities (the ping and traceroute commands can specify a source address as an optional parameter)
Telnet | Outgoing interface
FTP | Outgoing interface
SSH (includes scp, sftp) | Outgoing interface
TFTP | Outgoing interface
Address Resolution Protocol (ARP)
◼ The switch stores the hardware address in its ARP cache (ARP table)

◼ The table contains a list of IP addresses and their corresponding MAC addresses

◼ Entries in the table are used to translate 32-bit IP addresses into 48-bit
Ethernet or IEEE 802.3 hardware addresses

◼ Dynamic addresses remain in the table until they time out (Default 300 sec.)

◼ Static entries are permanent and are created using the IP address of the entry
followed by its physical (MAC) address
-> arp 171.11.1.1 00:05:02:c0:7f:11

◼ Use the alias keyword to specify that the switch will act as an alias (proxy) for
this IP address.
-> arp 171.11.1.1 00:05:02:c0:7f:11 alias
Local Proxy ARP
◼ Allows the network administrator to configure proxy functionality on the switch

◼ Enables proxy ARP on a per VLAN basis

◼ All ARP requests received on VLAN member ports are answered with the MAC
address of the VLAN’s virtual IP router port

(Figure: Normal ARP versus Local Proxy ARP between PC 1 192.168.10.101 and PC 2 192.168.10.102 across Switch A, Switch B and Switch C)

-> ip interface name [address ip_address] [mask subnet_mask] [admin [enable | disable]] [vlan vid] [forward | no forward] [local-proxy-arp | no local-proxy-arp] [eth2 | snap] [primary | no primary]
Proxy ARP Filtering
◼ Extended Proxy ARP Filtering
⚫ Blocks the switch from providing ARP replies for the specified IP address(es).
⚫ It is generally used in conjunction with the Local proxy ARP application
⚫ By default, no ARP filters exist in the switch

-> arp filter ip_address [mask mask] [vid] [sender | target] [allow | block]
-> arp filter 198.0.0.0 mask 255.0.0.0 sender block

-> show arp filter


DHCP Relay
◼ Ability to forward DHCP/BootP packets between VLANs

◼ Global or per-VLAN configuration is supported

◼ Multiple DHCP servers

[Figure: DHCP server side on VLAN 2 (120.1.1.1) and DHCP client side on VLAN 3 (130.1.1.1) of the LAN, relayed by the switch]

⚫ Global DHCP
-> ip helper address {Server Addr} (R6)
-> ip dhcp relay destination {Server Addr} (R8)

⚫ Per-VLAN DHCP
-> ip helper address {Server Addr} vlan {vid} (R6)

⚫ Multiple DHCP servers per VLAN
-> ip helper address {address1} {address2} vlan {vid} (R6)

⚫ Per-interface DHCP
-> ip dhcp relay interface {if-name} destination {Server Addr} (R8)
Generic UDP Port Relay
◼ Relay for generic UDP service ports
⚫ i.e., NBNS/NBDD, other well-known UDP service ports, and service ports that are not
well-known

◼ Support for service name and custom ports


⚫ DNS (53), TACACS+ (65), TFTP (69), NTP (123), NBNS (137), NBDD (138)
⚫ Custom port (1-65535)
 Enable relay on the DNS well-known service port
-> ip udp relay DNS

 Enable relay on a user-defined (not well-known) UDP service port


-> ip udp relay 3456

 Assign VLAN 5 as a forwarding VLAN for the DNS well-known service port
-> ip udp relay dns vlan 4

◼ Up to 32 different relays can be defined


OmniSwitch AOS R8

Intelligent Fabric
Lesson summary

At the end of this presentation, you will be able to

◼ Understand the auto fabric

◼ Automatically build a Virtual Chassis

◼ Automatically form a LACP link aggregation

◼ Automate routing, SPB and MVRP


Auto-fabric
AUTO-FABRIC
PLUG-N-PLAY ZERO TOUCH DEPLOYMENT

▪ First time bootup

1- Auto-VC
▪ Elements of the same family discovered
▪ Virtual Chassis created

2- Automatic remote configuration
▪ Download remote configuration

3- Auto-LACP
▪ Discover LACP

4- Auto-Routing
▪ Discover OSPF & IS-IS
▪ IP interface must exist
▪ Neighbor relationship must establish
▪ Pre-defined defaults
▪ If not established, configuration deleted & disabled

5- Auto-SPB Fabric
▪ Discover SPB neighbor
▪ Pre-defined defaults
▪ If not established, configuration deleted & disabled

6- Auto-Network Profiling
▪ If fabric successful, user & network port profiles creation

7- Auto-MVRP
▪ Enable VLAN propagation with MVRP
AUTO-FABRIC
Start up
Switch power on, or reload without any config file:

Starting 6900 Boot Process
Mount /dev/sda1
FS is EXT2
Do you want to disable auto-configurations on this switch [Y/N]?
Auto-Configurations enabled
Preparing Flash..

The prompt waits 10 s. If there is no response or the input is [N], the answer is assumed to be false.

N: use auto-VC, RCL and auto-fabric

Y: if the input is [Y], then auto-VC, RCL and auto-fabric are disabled

Auto-VC

1- Auto-VC

◼ Auto VFL

◼ Auto VFL default ports

◼ Auto Chassis ID

◼ Auto vs Static

◼ Demo license enabled by default

[Flowchart: valid Advanced or VC-mode license (demo license)? If vcsetup.cfg exists: VC mode, VFL auto or static. Otherwise, if boot.cfg exists: standalone mode. Otherwise: VC mode with auto VFL and auto chassis ID]

Auto-VC
Auto VFL feature – Auto VFL ports
The auto VFL process runs only on ports explicitly configured as auto VFL ports in vcsetup.cfg or in the runtime configuration.

1 Auto VFL ports (auto VFL detection process): automatically detect whether an auto VFL port can become a VFL. Only 10G and 40G ports qualify; no copper.
When no vcsetup.cfg exists, the default auto VFL ports are:
• OS6900-X / T: the last 5 ports of each chassis, including ports in expansion slots, regardless of SFP+/QSFP presence on those ports
• OS6900-Q32: the last 5 ports of each chassis; in case 4x10G splitter cables are used, a port with a 4x10G splitter is counted as 4 ports, a port with a 40G QSFP is counted as 1 port, and a port with no SFP+/QSFP is counted as 1 port

2 Assign VFL ID: the VFL ID is assigned automatically (OS6900: id = 0, 1, 2, 3, 4, 5)

3 Aggregate auto VFL ports: multiple auto VFL ports are aggregated into one VFL aggregate
Auto-VC
Auto-Chassis ID
◼ Auto Chassis ID selection only occurs when there is no vcsetup.cfg

◼ Master selection is then run based on the lowest MAC address

◼ Upon receiving their new chassis ID, non-master units reboot and apply their new ID

◼ In case of a new chassis insertion, the Master chassis assigns the chassis ID of the new member

vcsetup.cfg

! Virtual Chassis Manager:


virtual-chassis chassis-id 1 configured-chassis-id 1
virtual-chassis vf-link-mode auto
virtual-chassis auto-vf-link-port 1/1/31A
virtual-chassis auto-vf-link-port 1/1/32A
virtual-chassis auto-vf-link-port 1/1/32B
virtual-chassis auto-vf-link-port 1/1/32C
virtual-chassis auto-vf-link-port 1/1/32D
virtual-chassis chassis-id 1 chassis-group 77
Intelligent Fabric
Automatic remote configuration
2- Auto-Predefined config template

◼ RCL is run after Auto VC, and before the rest of Auto Fabric
⚫ May result in no Auto Fabric being run depending on the RCL result
⚫ May be used to enhance Auto Fabric
⚫ The linkagg created by the RCL will be retained for use later and not modified by
regular Auto Linkagg

◼ RCL tries 6 times, 3 each on VLAN 1 and 127 to get DHCP and download
instruction file
◼ To cancel RCL, run command “auto-config-abort”

◼ At the end of RCL, if a vcboot.cfg is downloaded, the box will be reset


⚫ Auto Fabric will only run if the config file has the commands to do so
Intelligent Fabric
Automatic fabric protocols

3- Auto-LACP

4- Auto-Routing

5- Auto-SPB Fabric

6- Auto-Network Profiling

7- Auto-MVRP
Auto-Discovery
Auto-LACP

3- Auto-LACP

◼ LLDP enhancement
⚫ Proprietary TLV used to detect the peer and, in return, receive the peer’s system ID
⚫ If LACP negotiation succeeds, form a link aggregation on a detected set of ports

vcboot.cfg

! Link Aggregate:
linkagg lacp agg 127 size 16 admin-state enable
linkagg lacp agg 127 actor admin-key 65535
linkagg lacp port 1/1/1c actor admin-key 65535
linkagg lacp port 2/1/15 actor admin-key 65535
linkagg lacp port 3/1/14 actor admin-key 65535

-> show linkagg port
Chassis/Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim
-------------------+----------+--------+----------+----+-----+-----+----
1/1/1C Dynamic 1003 ATTACHED 127 UP UP NO
2/1/15 Dynamic 101015 ATTACHED 127 UP UP NO
3/1/14 Dynamic 201014 ATTACHED 127 UP UP YES
Auto-Discovery
IP Auto Protocol Configuration
4- Auto-Routing

◼ Supports IP protocols (OSPFv2, OSPFv3, IS-IS)

◼ IP Interface or VRF configuration is not concerned
⚫ DHCP, RCL or user configuration CLI

◼ Active during and after the normal auto fabric discovery time
⚫ Runs in parallel with no interdependency

◼ Can be started by the following
⚫ No boot.cfg (out of box)
⚫ Auto fabric discovery started by CLI or boot.cfg
⚫ IP auto protocol started by CLI or boot.cfg

◼ Protocol network configuration is learned through Hello packets
⚫ Determine area, area type, and timers
⚫ Protocols are loaded when the first valid hello is received
⚫ Configure the critical parts in order to form adjacencies and share routes
⚫ Will automatically create route-maps to redistribute local subnet routes into OSPF/ISIS as internal routes
vcboot.cfg
! IP Route Manager:
ip static-route 135.118.225.0/24 gateway 172.25.167.193 metric 1
ip route-map "auto-configure" sequence-number 50 action permit
ip route-map "auto-configure" sequence-number 50 set metric-type internal
ip redist local into ospf route-map "auto-configure" admin-state enable
Auto-Discovery
Auto SPB Fabric
5- Auto-SPB Fabric
◼ SPB configuration
⚫ To apply a set of default SPB backbone configuration on a port or aggregate (configured during the LACP phase)
⚫ Network port configuration
⚫ If adjacencies are not formed during 4 Hello intervals (4x9 sec) – NOT a part of SPB

◼ Default SPB configuration
⚫ BVLANs 4000-4015 mapped to ECT-IDs 1-16 respectively
⚫ Control BVLAN: 4000
⚫ Bridge priority: 0x8000

vcboot.cfg
! VLAN:
spb bvlan 4000-4015 admin-state enable
spb bvlan 4000-4015 name "AutoFabric BVLAN"
mac-learning vlan 4000-4015 disable
! SPB-ISIS:
!spb isis bvlan 4000 ect-id 1
spb isis bvlan 4001 ect-id 2
spb isis bvlan 4002 ect-id 3
spb isis bvlan 4003 ect-id 4
spb isis bvlan 4004 ect-id 5
spb isis bvlan 4005 ect-id 6
spb isis bvlan 4006 ect-id 7
spb isis bvlan 4007 ect-id 8
spb isis bvlan 4008 ect-id 9
spb isis bvlan 4009 ect-id 10
spb isis bvlan 4010 ect-id 11
spb isis bvlan 4011 ect-id 12
spb isis bvlan 4012 ect-id 13
spb isis bvlan 4013 ect-id 14
spb isis bvlan 4014 ect-id 15
spb isis bvlan 4015 ect-id 16
spb isis control-bvlan 4000
spb isis interface linkagg 127
spb isis admin-state enable

-> show vlan
vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
. . . .
14 dyn Ena Ena Dis 1500 VLAN 14
15 dyn Ena Ena Dis 1500 VLAN 15
200 std Ena Ena Ena 1500 VLAN 200
4000 spb Ena Ena Dis 1524 AutoFabric BVLAN
4001 spb Ena Ena Dis 1524 AutoFabric BVLAN
4002 spb Ena Ena Dis 1524 AutoFabric BVLAN
. . .
Auto-Discovery
Auto-Network Profiling
6- Auto-Network Profiling

◼ Access port configuration

◼ User profiles creation


⚫ Single service
 Defines a single service SAP binding that accepts untagged frames
⚫ Auto VLAN service
 Automatically generates SAP bindings for the VLANs carried by the traffic arriving on the port, as well as a default untagged service
Auto-Network Profiling
Loopback Detection
◼ Eliminates the data loops created when people attach networks or devices to multiple access ports, which opens a path for data to flow between those access ports
◼ Edge loop detection is available on service access interfaces and LACP links

◼ Works even in the absence of other loop-detection mechanisms like STP/RSTP/MSTP

◼ LBD transmits periodic proprietary multicast MAC frames on the LBD-enabled ports
⚫ A loop is detected when the frame is received back on any loop-back-detection-enabled port
 The port is disabled (forced down)
 An error log is issued
 An SNMP trap is sent
 The port can be re-enabled by the user
Auto-Network Profiling
Loopback Detection
◼ Loop Back Detection for SPB-M access ports

◼ LBD frames extended for Service Access ports


⚫ ISID
 Detect loops on a per ISID basis
 Topology of services and VLANs vary from access port to access port
 More LBD frames may be sent per port depending on SAP binding

⚫ Port Path Cost


 Ability to block the slower port

vcboot.cfg

! Loopback Detection:
loopback-detection enable
loopback-detection service-access port 2/1/1 enable
loopback-detection service-access port 3/1/1 enable

Loopback Detection
Service Access Port

[Figure, left: two AOS OS6900 switches with loopback-detection enabled, SPB network on ports 1/1 and 2/1, SAP ports 1/2 and 2/2 connected through a legacy or non-L2 switch]
• 1/2 and 2/2 are SAP ports having the same ISID and path cost
• Loopback-detection is enabled with the option ‘service-access’ on ports 1/2 and 2/2
• Traffic loops through 1/2 and 2/2
• Port 2/2 is shut down in case B has the higher bridge identifier, since 1/2 and 2/2 have equal path costs

[Figure, right: one AOS OS6900 switch with loopback-detection enabled, SPB network on ports 1/1 and 2/1, SAP ports 1/2 and 1/3 connected through a legacy or non-L2 switch]
• 1/2 and 1/3 are SAP ports having the same ISID and path cost
• Loopback-detection is enabled with the option ‘service-access’ on ports 1/2 and 1/3
• Traffic loops through 1/2 and 1/3
• Port 1/3 is shut down as this interface has the higher port identifier, since 1/2 and 1/3 have equal path costs
Auto-Discovery
Auto MVRP
7- Auto-MVRP

◼ MVRP is enabled globally after the LACP and SPB discovery processes

◼ Spanning Tree mode switches to flat

-> show vlan


vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
. . . .
11 dyn Ena Ena Dis 1500 VLAN 11
12 dyn Ena Ena Dis 1500 VLAN 12
13 dyn Ena Ena Dis 1500 VLAN 13 MVRP VLANs
14 dyn Ena Ena Dis 1500 VLAN 14
15 dyn Ena Ena Dis 1500 VLAN 15
200 std Ena Ena Ena 1500 VLAN 200
4000 spb Ena Ena Dis 1524 AutoFabric BVLAN
4001 spb Ena Ena Dis 1524 AutoFabric BVLAN
4002 spb Ena Ena Dis 1524 AutoFabric BVLAN
. . .
Auto Fabric
Administration
vcboot.cfg
! Dynamic auto-fabric:
auto-fabric protocols lacp admin-state disable
auto-fabric protocols spb admin-state disable
auto-fabric protocols mvrp admin-state disable
auto-fabric protocols loopback-detection admin-state disable
auto-fabric protocols ip ospfv2 admin-state disable
auto-fabric protocols ip ospfv3 admin-state disable
auto-fabric protocols ip isis admin-state disable

-> show auto-fabric config
Auto-fabric Status : Disable,
Config Save Timer Status : Disabled,
Config Save Timer Interval : 300 seconds,
Default UNP SAP Profile : Auto-vlan,
Discovery Interval : 0 minute(s),
Discovery Status : Idle,
LACP Discovery Status : Enabled,
LBD Discovery Status : Enabled,
MVRP Discovery Status : Enabled,
OSPFv2 Discovery Status : Enabled,
OSPFv3 Discovery Status : Enabled,
ISIS Discovery Status : Enabled,
SPB Discovery Status : Enabled

-> auto-fabric admin-state enable
-> auto-fabric config-save admin-state enable
-> auto-fabric discovery start
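As an added example (not part of the training material), a small Python audit that parses the show auto-fabric config output above and lists, for every discovery protocol still reported as Enabled, the vcboot.cfg line from the excerpt that turns it off. The sample outputs are constructed from the slide; the "hardened" sample is an assumed state with every protocol disabled.

```python
import re

# Constructed sample, modelled on the "show auto-fabric config" output in the slide above.
SAMPLE_DEFAULT = """\
Auto-fabric Status           : Disable,
Config Save Timer Status     : Disabled,
Config Save Timer Interval   : 300 seconds,
Default UNP SAP Profile      : Auto-vlan,
Discovery Interval           : 0 minute(s),
Discovery Status             : Idle,
LACP Discovery Status        : Enabled,
LBD Discovery Status         : Enabled,
MVRP Discovery Status        : Enabled,
OSPFv2 Discovery Status      : Enabled,
OSPFv3 Discovery Status      : Enabled,
ISIS Discovery Status        : Enabled,
SPB Discovery Status         : Enabled
"""

# Constructed (assumed) sample of a hardened switch: every discovery protocol disabled.
SAMPLE_HARDENED = """\
Auto-fabric Status           : Disable,
Config Save Timer Status     : Disabled,
Config Save Timer Interval   : 300 seconds,
Default UNP SAP Profile      : Auto-vlan,
Discovery Interval           : 0 minute(s),
Discovery Status             : Idle,
LACP Discovery Status        : Disabled,
LBD Discovery Status         : Disabled,
MVRP Discovery Status        : Disabled,
OSPFv2 Discovery Status      : Disabled,
OSPFv3 Discovery Status      : Disabled,
ISIS Discovery Status        : Disabled,
SPB Discovery Status         : Disabled
"""

# "<name> Discovery Status" field -> keyword used by the vcboot.cfg lines in the slide
PROTOCOL_KEYWORDS = {
    "LACP": "lacp",
    "LBD": "loopback-detection",
    "MVRP": "mvrp",
    "SPB": "spb",
    "OSPFv2": "ip ospfv2",
    "OSPFv3": "ip ospfv3",
    "ISIS": "ip isis",
}

# One "Key : Value," line; the trailing comma is optional (the last line has none).
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>[^,]*?)\s*,?\s*$")


def parse_auto_fabric_config(text):
    """Turn the 'Key : Value,' lines of the show output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def enabled_discovery_protocols(fields):
    """Names of the protocols whose discovery status is Enabled."""
    return [name for name in PROTOCOL_KEYWORDS
            if fields.get(f"{name} Discovery Status", "").lower() == "enabled"]


def audit_auto_fabric(text):
    """Summarise the auto-fabric state and list the config lines that
    would turn each still-enabled discovery protocol off."""
    fields = parse_auto_fabric_config(text)
    enabled = enabled_discovery_protocols(fields)
    remediation = [f"auto-fabric protocols {PROTOCOL_KEYWORDS[p]} admin-state disable"
                   for p in enabled]
    return {
        # "Disable" and "Disabled" both mean the global feature is off
        "globally_enabled": fields.get("Auto-fabric Status", "").lower().startswith("enable"),
        "discovery_running": fields.get("Discovery Status", "").lower() != "idle",
        "enabled_protocols": enabled,
        "remediation": remediation,
    }


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        result = audit_auto_fabric(sample)
        print(f"{label}: {len(result['enabled_protocols'])} discovery protocol(s) enabled")
        for line in result["remediation"]:
            print("   ", line)
```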
OmniSwitch AOS R6/R8

Intelligent Fabric

How to
✓ Configure the Intelligent Fabric on the 6900 and 6860

Contents
1 Basic Network Diagram ....................................................................... 2
2 Lab Preparation ............................................................................... 3
2.1. OmniSwitches not used in the configuration ................................................... 3
2.2. OmniSwitches 6900 and 6860-A Configuration ................................................. 3
3 Auto-VC ......................................................................................... 4
4 Auto-LACP ...................................................................................... 8

1 Basic Network Diagram

The objective of this lab is to build the following topology automatically with the Intelligent Fabric. The Auto-VC feature will automatically create the virtual chassis between the two OmniSwitches 6900, and the Auto-LACP feature will create the aggregation “127” from the OmniSwitch 6860 to the virtual chassis.

2 Lab Preparation

2.1. OmniSwitches not used in the configuration


The OmniSwitches not used in the configuration are the Switches 3, 4, 5, 6 and 8.
These Switches should not interact with the three OmniSwitches used in the topology. To do so, launch the
script “reset SW#” (replace # by the Switch number) for each Switch not used in the topology: 3, 4, 5, 6 and
8.

The script “reset SW#” shuts down all the user ports of the Switches, so there will be no interaction between these Switches and those of the topology. For example, we will not have an unwanted auto-LACP between our auto-Virtual Chassis and the other 6860 (Switch 8).
If you don’t want to lose the configuration of the Switches 3, 4, 5, 6 and 8 by running the script “reset SW#”, you can use an alternative method: shut down all the user ports of these Switches with the command:
Sw# -> interfaces 1/1-24 admin down (R6)
Sw# -> interfaces 1/1-24 admin-state disable (R8)

2.2. OmniSwitches 6900 and 6860-A Configuration


The auto-VC (auto-Virtual Chassis) process is triggered when the Switch is powered on (or reloaded) and no config file is present on the switch. To meet these requirements, all the configuration files (*.cfg) will be deleted from the flash memory of these three Switches. The three Switches will then be restarted.
Open a terminal for each Switch (6900-A,6900-B and 6860-A). Log in with the default login and password
(admin / switch).
Enter the commands:
Sw1 (6900-A) -> rm /flash/working/*.cfg
Sw1 (6900-A) -> rm /flash/certified/*.cfg
Sw1 (6900-A) -> reload from working no rollback-timeout
Sw2 (6900-B) -> rm /flash/working/*.cfg
Sw2 (6900-B) -> rm /flash/certified/*.cfg
Sw2 (6900-B) -> reload from working no rollback-timeout
sw7 (6860-A) -> rm /flash/working/*.cfg
sw7 (6860-A) -> rm /flash/certified/*.cfg
Sw7 (6860-A) -> reload from working no rollback-timeout

Notes:
The command “-> rm /flash/…/*.cfg” will delete all configuration files for a stand-alone switch
(boot.cfg) or an already configured virtual chassis (vcboot.cfg and vcsetup.cfg).

3 Auto-VC
One of the Auto-fabric features is Auto-VC (Automatic Virtual Chassis). Auto-Fabric is enabled by default on the 6900 and 6860(E).
Auto-VC allows devices that have no existing Virtual Chassis (VC) configuration (no config file) to form a VC with compatible devices without user configuration.
In our case, a Virtual Chassis will be configured automatically between the two OS6900.
The following actions are performed by the Auto-VC feature:
- Auto VFL Ports: Virtual Fabric Link (VFL) detection process. Automatically detects whether an auto VFL port can become a VFL. Without a config file (no vcsetup.cfg and no boot.cfg), the last 5 ports of each chassis are designated as auto VFL ports.
- Assign VFL ID: a VFL ID is assigned automatically.
- Auto Chassis ID: both chassis start with chassis ID 1 and then begin negotiation. The chassis with the lowest MAC address is elected Master (Chassis ID 1) and the other chassis gets chassis ID 2.
During the reload of the Switches, take a look at the terminal of your two OS6900. You will notice these
lines:
Starting 6900 Boot Process
Mount /dev/sda1
FS is EXT2
Do you want to disable auto-configurations on this switch [Y/N]?
Preparing Flash...

Without an input from the user, the Switch will use the default value “Yes” and will activate the auto-Fabric.

If you don’t want to use the auto-fabric feature, enter “N” when this message is displayed.

- Wait for the switch to reboot. You will then see auto-fabric messages displayed in the terminal.
***********************
* *
* Welcome To Rlab LAN *
* Pod 20 Switch 1 *
* 6900-A *
* *
***********************
(none) login:
Thu Feb 9 10:36:19 : capManCmm Chass info message:
+++ CMM: INFO: early NI discover slot 1 waiting module type

Thu Feb 9 10:36:20 : vc_licManager licMgr warning message:


+++ License Manager Notification: You have 45 days left on your demo period.
Alcatel-Lucent Enterprise OS6900-T20 8.3.1.314.R01 GA, September 07, 2016.
Copyright(c), 1994-2014 Alcatel-Lucent. All Rights reserved.
Copyright(c), 2014-2016 Alcatel-Lucent Enterprise. All Rights reserved.

Thu Feb 9 10:36:26 : isisVc init info message:


+++ isisVcEnable@549: Using temporary chassisId 1 (mac 2c:fa:a2:05:cd:a9)

- Here, the chassis gets the default chassis ID 1.

Thu Feb 9 10:36:31 : ipsec key info message:


+++ IPsec master security key not set
chassis mode is
2
[ 73.835476] linux-kernel-bde : Broadcom memory allocated at c4000000/04000000

Thu Feb 9 10:37:38 : vcmNi thread info message:


+++ NI:thread_main@3092: Connecting to VC-ISIS (0/65)

Thu Feb 9 10:38:41 : isisVc vcprot info message:


+++ isisVcUpdateVcNodes@7075: Adding peer chassisId 1* (mac 2c:fa:a2:05:cd:71)

Thu Feb 9 10:38:46 : isisVc vcprot info message:


+++ isisVcUpdateVcNodes@7417: New Master: chassisId 1 chassisMac 2c:fa:a2:05:cd:71
+++ isisVcUpdateVcNodes@6720: My new chassisId 2

- The MAC address of the remote 6900 is discovered. The negotiation process starts and elects the remote
6900 as the new Master, because the remote 6900 has the lowest MAC address.

Thu Feb 9 10:38:46 : isisVc library(vcmLib) info message:


+++ vcmlib_overwrite_vcsetup_config@8365: Overwriting chassis ID

- As the local chassis has not been elected as the Master and acts as the Slave, its chassis ID is changed (Chassis ID 2).

Thu Feb 9 10:38:46 : isisVc vcprot info message:


+++ vcxScheduleChassisReboot@5651: Rebooting chassis in 10 seconds

Thu Feb 9 10:38:56 : isisVc vcprot info message:


+++ vcxRebootChassis@5670: Rebooting chassis now

...

Thu Feb 9 10:39:23 : ChassisSupervisor bootMgr alert message:


+++ _bootMgrRebootCMM: rebooting system

- As the local chassis is not the Master, its chassis ID changed and so, the chassis must restart in order to
apply its new chassis ID.
- This whole process, between the manual reboot and the automatic reboot should last for about 5
minutes.
- On the other 6900, you will get the following logs:
***********************
* *
* Welcome To Rlab LAN *
* Pod 20 Switch 2 *
* 6900-B *
* *
***********************
(none) login:
Thu Feb 9 10:36:16 : capManCmm Chass info message:
+++ CMM: INFO: early NI discover slot 1 waiting module type

Thu Feb 9 10:36:24 : isisVc init info message:


+++ isisVcEnable@549: Using temporary chassisId 1 (mac 2c:fa:a2:05:cd:71)

- Here, the chassis gets the default chassis ID 1.


Thu Feb 9 10:36:28 : ipsec key info message:
+++ IPsec master security key not set
chassis mode is
2
[ 74.355450] linux-kernel-bde : Broadcom memory allocated at c4000000/04000000

Thu Feb 9 10:37:36 : vcmNi thread info message:


+++ NI:thread_main@3092: Connecting to VC-ISIS (0/65)

Thu Feb 9 10:38:40 : isisVc vcprot info message:


+++ isisVcUpdateVcNodes@7075: Adding peer chassisId 1* (mac 2c:fa:a2:05:cd:a9)

Thu Feb 9 10:38:46 : isisVc vcprot info message:


+++ vcxElectionTimerExpiration@1345: I am the Master: chassisId 1 chassisMac 2c:fa:a2:05:cd:71
+++ vcxSetChassisIdAssignment_algo2@6022: Assign myself chassisId 1

- The MAC address of the remote 6900 is discovered. The negotiation process starts and elects the local
6900 as the new Master, because the local 6900 has the lowest MAC address.
Thu Feb 9 10:38:46 : isisVc library(vcmLib) info message:
+++ vcmlib_overwrite_vcsetup_config@8365: Overwriting chassis ID

- The local chassis has been elected as the Master, so its chassis ID is set to 1.
Thu Feb 9 10:38:51 : vc_licManager licMgr error message:

+++ alaAfnInstallLicenseFromMaster: Unable to open afnId.txt.

Thu Feb 9 10:38:51 : qosNi Info info message:


+++ VC Takeover in progress.
+++ VC Takeover complete.

- The remote 6900 is rebooting.


Thu Feb 9 10:38:52 : AAA Switch-Access info message:
+++ AAA aaaCsSystemReadyCB: Reveived system ready event
Chassis Supervision: CMM has reached the ready state [L8]

Thu Feb 9 10:38:54 : ChassisSupervisor reloadMgr info message:


+++ Redundancy time expired - updating next running to working

Thu Feb 9 10:39:37 : vcmCmm port_mgr info message:


+++ CMM:vcmCMM_client_rx_pm@2054: VFL link 1/0 down (last 1/2/1) [L2]

Thu Feb 9 10:39:37 : isisVc vcprot info message:


+++ isisVcProcessNodeDown@4249: List of Nodes down: 1
+++ isisVcProcessNodeDown@4290: Deleting peer chassisId 1* (mac 2c:fa:a2:05:cd:a9)

- The remote 6900 is unreachable through the VFL link 1/0, so the local 6900 considers the Virtual Chassis
“Down” for the moment.
- Please wait around 3 minutes after the automatic reboot of the Slave 6900.
- You can check the terminal of the Slave 6900 after its automatic reboot:
Sw1 (6900-A) -> show virtual-chassis topology
Local Chassis: 2
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
2 Unassigned Init 2 100 113 2c:fa:a2:05:cd:a9

Thu Feb 9 10:42:10 : vcmNi thread info message:


+++ NI:thread_main@3092: Connecting to VC-ISIS (0/65)

Thu Feb 9 10:42:50 : isisVc vcprot info message:


+++ isisVcUpdateVcNodes@7059: Adding peer chassisId 1 (mac 2c:fa:a2:05:cd:71)
+++ isisVcUpdateVcNodes@7417: New Master: chassisId 1 chassisMac 2c:fa:a2:05:cd:71

Thu Feb 9 10:42:51 : vcmCmm ipc info message:


+++ CMM:vcmCMM_peer_connected@2460: Remote endpoint (chassis 1, slot 65) [L4]

Sw1 (6900-A) -> show virtual-chassis topology


Local Chassis: 2
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 113 2c:fa:a2:05:cd:71
2 Slave Running 2 100 113 2c:fa:a2:05:cd:a9

- Check then the terminal of the Master 6900:


Sw2 (6900-B) -> show virtual-chassis topology
Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 113 2c:fa:a2:05:cd:71

Thu Feb 9 10:42:50 : isisVc vcprot info message:


+++ isisVcUpdateVcNodes@7059: Adding peer chassisId 2 (mac 2c:fa:a2:05:cd:a9)

Thu Feb 9 10:42:50 : vcmCmm ipc info message:


+++ CMM:vcmCMM_peer_connected@2460: Remote endpoint (chassis 2, slot 65) [L4]
Sw2 (6900-B) -> show virtual-chassis topology
Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 113 2c:fa:a2:05:cd:71

2 Slave Running 2 100 113 2c:fa:a2:05:cd:a9

- When the Slave 6900 has completed its reboot, it goes into a Virtual Chassis “Init” state. It then contacts the Master and acts as the Slave running in the Virtual Chassis.
- Let’s now have a look at the Virtual Chassis configuration.
- On the Master 6900 enter the following:
Sw2 (6900-B) -> show virtual-chassis topology
Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 113 2c:fa:a2:05:cd:71
2 Slave Running 2 100 113 2c:fa:a2:05:cd:a9

Sw2 (6900-B) -> show virtual-chassis consistency


Legend: * - denotes mandatory consistency which will affect chassis status
licenses-info - A: Advanced; B: Data Center;

Config Oper Oper Config


Chas Chas Chas Hello Control Control
Chas* ID Status Type* Group* Interv Vlan* Vlan License*
------+------+---------+-------+------+-------+--------+--------+----------
1 1 OK OS6900 113 10 4094 4094 AB
2 2 OK OS6900 113 10 4094 4094 AB

Sw2 (6900-B) -> show virtual-chassis auto-vf-link-port


Chassis/Slot/Port Chassis/VFLink ID VFLink member status
-------------------+------------------+--------------------
1/2/1 1/0 Up
1/2/2 1/0 Up
1/2/3 Unassigned Unassigned
1/2/4 Unassigned Unassigned
2/2/1 2/0 Up
2/2/2 2/0 Up
2/2/3 Unassigned Unassigned
2/2/4 Unassigned Unassigned

Sw2 (6900-B) -> show virtual-chassis vf-link


VFLink mode: Auto
Primary Config Active Def Speed
Chassis/VFLink ID Oper Port Port Port Vlan Type
-------------------+----------+---------+-------+-------+---------+-----------
1/0 Up 1/2/2 2 2 1 10G
2/0 Up 2/2/2 2 2 1 10G

- On the Slave 6900 enter the following:


Sw1 (6900-A) -> show virtual-chassis topology
Local Chassis: 2
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 100 113 2c:fa:a2:05:cd:71
2 Slave Running 2 100 113 2c:fa:a2:05:cd:a9

Sw1 (6900-A) -> show virtual-chassis consistency


Legend: * - denotes mandatory consistency which will affect chassis status
licenses-info - A: Advanced; B: Data Center;

Config Oper Oper Config


Chas Chas Chas Hello Control Control
Chas* ID Status Type* Group* Interv Vlan* Vlan License*
------+------+---------+-------+------+-------+--------+--------+----------
1 1 OK OS6900 113 10 4094 4094 AB
2 2 OK OS6900 113 10 4094 4094 AB

Sw1 (6900-A) -> show virtual-chassis auto-vf-link-port


Chassis/Slot/Port Chassis/VFLink ID VFLink member status
-------------------+------------------+--------------------
1/2/1 1/0 Up
1/2/2 1/0 Up

1/2/3 Unassigned Unassigned


1/2/4 Unassigned Unassigned
2/2/1 2/0 Up
2/2/2 2/0 Up
2/2/3 Unassigned Unassigned
2/2/4 Unassigned Unassigned

Sw1 (6900-A) -> show virtual-chassis vf-link


VFLink mode: Auto

Primary Config Active Def Speed


Chassis/VFLink ID Oper Port Port Port Vlan Type
-------------------+----------+---------+-------+-------+---------+-----------
1/0 Up 1/2/2 2 2 1 10G
2/0 Up 2/2/2 2 2 1 10G

- The Virtual Chassis configuration is correct, as shown by the following points:

  Each chassis has its own chassis ID and a Virtual Chassis role of “Master” or “Slave”.
  Both chassis belong to the same Virtual Chassis Group 113.
  The two 10G ports of each chassis (2/1 and 2/2) have been elected as VFL ports and are contained in the same VFL group.
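An added example, not part of the lab: a Python checker that parses show virtual-chassis topology output and applies the checks listed above (one Master, every member Running, matching operational and configured chassis IDs, one VC group). The samples are copied from the lab output; the expected chassis count is an assumption passed as a parameter.

```python
import re

# Constructed samples, copied from the "show virtual-chassis topology" outputs in the lab above.
VC_RUNNING = """\
Local Chassis: 1
                       Oper                 Config  Oper
Chas  Role         Status               Chas ID  Pri  Group  MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
    1 Master       Running                    1  100    113  2c:fa:a2:05:cd:71
    2 Slave        Running                    2  100    113  2c:fa:a2:05:cd:a9
"""

# The slave as seen right after its automatic reboot, before it has joined the master.
VC_INIT = """\
Local Chassis: 2
                       Oper                 Config  Oper
Chas  Role         Status               Chas ID  Pri  Group  MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
    2 Unassigned   Init                       2  100    113  2c:fa:a2:05:cd:a9
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_vc_topology(text):
    """Return (local_chassis, members) from the show output; each member is a dict."""
    local, members, in_table = None, [], False
    for line in text.splitlines():
        if line.startswith("Local Chassis:"):
            local = int(line.split(":", 1)[1])
        elif line.startswith("-----"):
            in_table = True            # member rows follow the dashed separator
        elif in_table and line.strip():
            f = line.split()
            if len(f) != 7 or not MAC_RE.match(f[6]):
                raise ValueError(f"unexpected topology row: {line!r}")
            members.append({
                "chassis": int(f[0]), "role": f[1], "status": f[2],
                "config_id": int(f[3]), "priority": int(f[4]),
                "group": int(f[5]), "mac": f[6].lower(),
            })
    return local, members


def verify_vc(text, expected_size=2):
    """Apply the lab's checks; an empty list means the VC is healthy."""
    local, members = parse_vc_topology(text)
    problems = []
    if len(members) != expected_size:
        problems.append(f"expected {expected_size} chassis, topology lists {len(members)}")
    masters = [m for m in members if m["role"] == "Master"]
    if len(masters) != 1:
        problems.append(f"expected exactly one Master, found {len(masters)}")
    for m in members:
        if m["role"] not in ("Master", "Slave"):
            problems.append(f"chassis {m['chassis']} has role {m['role']}")
        if m["status"] != "Running":
            problems.append(f"chassis {m['chassis']} status is {m['status']}")
        if m["chassis"] != m["config_id"]:
            problems.append(f"chassis {m['chassis']} operational ID differs from "
                            f"configured ID {m['config_id']}")
    ids = [m["chassis"] for m in members]
    if len(set(ids)) != len(ids):
        problems.append("duplicate chassis IDs in topology")
    if len({m["group"] for m in members}) > 1:
        problems.append("chassis belong to different VC groups")
    if local not in ids:
        problems.append(f"local chassis {local} is not listed in the topology")
    return problems


if __name__ == "__main__":
    for label, sample in (("running", VC_RUNNING), ("init", VC_INIT)):
        print(label, verify_vc(sample) or "OK")
```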

4 Auto-LACP
Another Auto-fabric feature is the Auto-LACP (Automatic Link Aggregation Protocol).
Auto-LACP uses enhanced LLDP packets to detect the peer and, in return, receive the peer’s system ID.
If at least two ports are detected, the LACP negotiation starts and the link aggregation is formed.
- If Switch 7 has been rebooted at the same time as the two 6900 Switches, it will reach a ready state long before the 6900 Virtual Chassis is established.
- The auto-LACP will be configured automatically around 5 minutes after the establishment of the auto-VC. If you want to speed up the discovery process, you can use the following command to force the auto-LACP discovery:
sw7 (6860-A) -> auto-fabric discovery start

- Compared to the Auto-VC, the Auto-LACP does not generate logs in the console.
- You can still get some logs from the swlog file.
Enter the following command and check the time and date of the switch
sw7 (6860-A) -> show system
Display the swlog file with a timestamp. Replace mm/dd/yyyy and hh:mm:ss by the start time and date of
the 6860-A (its last reboot).
sw7 (6860-A) -> show log swlog timestamp mm/dd/yyyy hh:mm:ss
2014 Feb 19 06:00:21 0S6860 swlogd: dafcCmm cmm info(5) AUTO-FABRIC-EVENT: LINKAGG_AGG_CONFIG: Aggregate
127 created. Key 65535, partner 2c:fa:a2:05:cd:71
2014 Feb 19 06:00:21 0S6860 swlogd: MIP_GATEWAY mipgwd info(5) ---- Logging MIP_SET type, command to be
sent:
2014 Feb 19 06:00:21 0S6860 swlogd: MIP_GATEWAY mipgwd info(5) MIP_SET(4) msg_id(14680090)
(APPID_DAFC_CMM(165/0) -> APPID_LINKAGGREGATION(12)) values:
2014 Feb 19 06:00:21 0S6860 swlogd: MIP_GATEWAY mipgwd info(5) Table(12301/0): alclnkaggAggTable
2014 Feb 19 06:00:21 0S6860 swlogd: dafcCmm cmm info(5) AUTO-FABRIC-EVENT: LINKAGG_AGG_CONFIG: Hash 7 on
aggregate 127 created.

- Enter the following commands on the 6860 and the Master 6900:
SW2 (6900-B) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
127 Dynamic 40000127 16 ENABLED UP 2 2

SW2 (6900-B) -> show linkagg port

Chassis/Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim



-------------------+----------+--------+----------+----+-----+-----+----
1/1/6 Dynamic 1006 ATTACHED 127 UP UP YES
2/1/5 Dynamic 101005 ATTACHED 127 UP UP NO

SW7 (6860-A) -> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+-------------+---------+----+------------+--------------+-------------
127 Dynamic 40000127 16 ENABLED UP 2 2

SW7 (6860-A) -> show linkagg port

Chassis/Slot/Port Aggregate SNMP Id Status Agg Oper Link Prim


-------------------+----------+--------+----------+----+-----+-----+----
1/1/5 Dynamic 1005 ATTACHED 127 UP UP NO
1/1/6 Dynamic 1006 ATTACHED 127 UP UP YES

- As you can see, the aggregation link has been created automatically. The aggregation ID has the same value on both switches (6860-A and the VC of 6900). The ports that belong to the aggregation are also the same.
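As an added example that is not part of the lab, a Python parser for the AUTO-FABRIC-EVENT swlog entries shown above: it reports every automatically created aggregate with its LACP key and partner MAC, and flags partners that are not an expected peer (the kind of unwanted auto-LACP the lab preparation warns about). The sample log is constructed: the wrapped lines are rejoined, and the entry for aggregate 126 with a documentation-range partner MAC is invented.

```python
import re

# Constructed sample swlog extract, modelled on the lines shown in the lab above;
# the last entry (aggregate 126, partner 00:00:5e:00:53:aa) is an invented
# example of an aggregate formed with a peer that is not the expected one.
SAMPLE_SWLOG = """\
2014 Feb 19 06:00:21 OS6860 swlogd: dafcCmm cmm info(5) AUTO-FABRIC-EVENT: LINKAGG_AGG_CONFIG: Aggregate 127 created. Key 65535, partner 2c:fa:a2:05:cd:71
2014 Feb 19 06:00:21 OS6860 swlogd: MIP_GATEWAY mipgwd info(5) ---- Logging MIP_SET type, command to be sent:
2014 Feb 19 06:00:21 OS6860 swlogd: MIP_GATEWAY mipgwd info(5) Table(12301/0): alclnkaggAggTable
2014 Feb 19 06:00:21 OS6860 swlogd: dafcCmm cmm info(5) AUTO-FABRIC-EVENT: LINKAGG_AGG_CONFIG: Hash 7 on aggregate 127 created.
2014 Feb 19 06:07:03 OS6860 swlogd: dafcCmm cmm info(5) AUTO-FABRIC-EVENT: LINKAGG_AGG_CONFIG: Aggregate 126 created. Key 65534, partner 00:00:5e:00:53:aa
"""

# "<timestamp> <host> swlogd: <app> <module> <level>(<n>) AUTO-FABRIC-EVENT: <EVENT>: <detail>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) swlogd: "
    r"(?P<app>\S+) \S+ \w+\(\d+\) AUTO-FABRIC-EVENT: (?P<event>[A-Z_]+): (?P<detail>.*)$"
)
# Detail of an aggregate-creation event: aggregate number, LACP key and partner MAC
AGG_RE = re.compile(
    r"Aggregate (?P<agg>\d+) created\. Key (?P<key>\d+), "
    r"partner (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE
)


def parse_auto_fabric_events(text):
    """All AUTO-FABRIC-EVENT entries; other swlog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def auto_created_aggregates(text):
    """Aggregates that auto-LACP created, with the LACP key and partner MAC."""
    result = []
    for ev in parse_auto_fabric_events(text):
        m = AGG_RE.search(ev["detail"])
        if ev["event"] == "LINKAGG_AGG_CONFIG" and m:
            result.append({"time": ev["ts"], "host": ev["host"], "agg": int(m["agg"]),
                           "key": int(m["key"]), "partner": m["mac"].lower()})
    return result


def unexpected_partners(text, allowed_macs):
    """Auto-created aggregates whose partner is not one of the expected peers."""
    allowed = {mac.lower() for mac in allowed_macs}
    return [a for a in auto_created_aggregates(text) if a["partner"] not in allowed]


if __name__ == "__main__":
    # The VC master's MAC from the lab is the only peer we expect on this 6860.
    for a in unexpected_partners(SAMPLE_SWLOG, {"2c:fa:a2:05:cd:71"}):
        print(f"{a['time']} {a['host']}: aggregate {a['agg']} formed with "
              f"unexpected partner {a['partner']} (key {a['key']})")
```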
OmniSwitch AOS R6/R8

AOS OmniSwitch - Upgrade Software image


Lesson summary

At the end of this presentation, you will be able to

◼ Describe how to upgrade a software image on a switch

Upgrade Software image
◼ Step by Step

Download the Upgrade Files

Analyse Requirements on the release note

FTP the Upgrade Files to the Switch

Upgrade the image file

Verify the Software Upgrade

Upgrade uboot and/or FPGA if mandatory

Certify the Software Upgrade


Upgrade Software image
◼ Step by Step

Download the Upgrade Files

 Download and unzip the upgrade files for the appropriate model and release

Model              Configuration files        Image files
OS6450             boot.cfg                   KFbase.img, KFos.img, KFeni.img, KFsecu.img
OS6350             boot.cfg                   KF3base.img, KF3os.img, KF3eni.img, KF3secu.img
OS6465 / OS6560    vcboot.cfg, vcsetup.cfg    Nos.img
OS6860 / OS6865    vcboot.cfg, vcsetup.cfg    Uos.img
OS6900             vcboot.cfg, vcsetup.cfg    Tos.img, Yos.img (V72/C32)
OS9900             vcboot.cfg, vcsetup.cfg    Mhost.img, Mos.img, Meni.img

From BPWS
Upgrade Software image
◼ Step by Step

Analyse Requirements on the release note

 Memory Requirements
 UBoot and FPGA Requirements
 Upgrade Instructions
 …

FTP the Upgrade Files to the running directory of the switch

 FTP/SFTP/SCP client or server
 TFTP client
 USB
 WebView
 OmniVista 2500

* Note: the running directory is the working directory or a user-defined directory


Upgrade Software image
◼ Step by Step

Upgrade the image file


 Reload the switch from the Running Directory

Verify the Software Upgrade

 Display version installed

 Display the version running in CMM

Note: If there are any issues after upgrading, the switch can be rolled back to the previous certified version
Upgrade Software image
◼ Step by Step

Upgrade uboot and/or FPGA if mandatory

 In addition to the AOS images, the archive also contains a U-Boot and an FPGA upgrade kit.
 If required (check the release note):
 FTP (binary mode) the FPGA upgrade kit and/or the U-Boot upgrade tar.gz to the /flash directory (primary CMM)
 Reload from the running directory

-> update uboot cmm all file u-boot.8.4.1.R03.141.tar.gz

-> update fpga-cpld cmm all file fpga_kit_3312

-> reload from working no rollback-timeout

Note: the show hardware-info command is used to check the U-Boot and FPGA versions currently installed

Certify the Software Upgrade

 Verify that the new software runs correctly and that the network is stable


 Certify the new software

-> copy running certified


-> show running-directory
OmniSwitch AOS R6
Multiple VLAN Registration Protocol

How to
✓ This lab is designed to familiarize you with the MVRP feature and learn
how to configure it through the CLI.

Contents
1 Topology
2 Use MVRP
2.1. Configure the maximum number of VLANs
2.2. Create some dynamic VLANs
2.3. Delete VLAN
2.4. Revert to 1x1 RSTP mode

1 Topology
MVRP is used primarily to prune unnecessary broadcast and unknown unicast traffic, and dynamically create
and manage VLANs.
MVRP has to be globally enabled on a switch before it can start forwarding MVRP frames.
MVRP can only be enabled when the switch is in spanning-tree flat mode.

- At this step our network is configured with STP 1x1, but to enable MVRP we have to be in flat mode.
- To configure STP flat mode type:
6860-A -> spantree mode flat
6860-B -> spantree mode flat
6450-B -> bridge mode flat

- To enable MVRP type:


all -> mvrp enable

Tips
MVRP can be enabled on ports regardless of whether it is globally enabled or not. However, for the port to
become an active participant, MVRP must be globally enabled on the switch. By default, MVRP is disabled on
the ports. To enable MVRP on a specified port, use the mvrp port command.

- Enable MVRP on trunk links of all switches:


6450-B -> mvrp port 1/3 enable
6450-B -> mvrp port 1/4 enable

6860-A -> mvrp port 1/1/4 enable


6860-A -> mvrp linkagg 5 enable

6860-B -> mvrp port 1/1/3 enable


6860-B -> mvrp linkagg 5 enable

Notes
MVRP can be configured only on fixed, 802.1Q and aggregate ports. It cannot be configured on mirror, mobile,
VPLS Access, and VLAN Stacking User ports.

2 Use MVRP

2.1. Configure the maximum number of VLANs


A switch can create dynamic VLANs using MVRP. By default, the maximum number of dynamic VLANs that
can be created using MVRP is 256. If the VLAN limit to be set is less than the current number of dynamically
learned VLANs, then the new configuration will take effect only after the MVRP is disabled and enabled
again on the switch. If this operation is not done, the VLANs learned earlier are maintained.
- To modify the maximum number of dynamic VLANs the switch is allowed to create, use the command:
6450-B -> mvrp maximum vlan 150
6860-A -> mvrp maximum-vlan 150
6860-B -> mvrp maximum-vlan 150

2.2. Create some dynamic VLANs


- On 6450-B, create a new VLAN 40:
6450-B -> vlan 40
6450-B -> vlan 40 802.1q 1/3
6450-B -> vlan 40 802.1q 1/4

- Now let's have a look at the information on the 6860s:


6860-A -> show mvrp port 1/1/4 statistics
Port 1/1/4:
New Received : 10,
Join In Received : 18,
Join Empty Received : 121,
Leave Received : 0,
In Received : 0,
Empty Received : 178042,
Leave All Received : 1,
New Transmitted : 11,
Join In Transmitted : 24,
Join Empty Transmitted : 121,
Leave Transmitted : 0,
In Transmitted : 0,
Empty Transmitted : 212784,
LeaveAll Transmitted : 2,
Failed Registrations : 96,
Total Mrp PDU Received : 45,
Total Mrp PDU Transmitted : 52,
Total Mrp Msgs Received : 447,
Total Mrp Msgs Transmitted : 810,
Invalid Msgs Received : 0

6860-B -> show mvrp port 1/1/3 statistics


Port 1/1/3:
New Received : 10,
Join In Received : 18,
Join Empty Received : 128,
Leave Received : 0,
In Received : 0,
Empty Received : 197976,
Leave All Received : 0,
New Transmitted : 12,
Join In Transmitted : 19,
Join Empty Transmitted : 138,
Leave Transmitted : 0,
In Transmitted : 0,
Empty Transmitted : 216866,
LeaveAll Transmitted : 0,
Failed Registrations : 96,
Total Mrp PDU Received : 50,
Total Mrp PDU Transmitted : 53,
Total Mrp Msgs Received : 468,
Total Mrp Msgs Transmitted : 846,

Invalid Msgs Received : 0

- Look at the port configuration :


6860-A -> show mvrp port 1/1/4
MVRP Enabled : yes,
Registrar Mode : normal,
Applicant Mode : active,
Join Timer (msec) : 600,
Leave Timer (msec) : 1800,
LeaveAll Timer (msec) : 30000,
Periodic Timer (sec) : 1,
Periodic Tx status : disabled

6860-A -> show mvrp port 1/1/4 last-pdu-origin


Port Last-PDU Origin
-------+--------------------
1/1/4 2c:fa:a2:08:28:63

- Notice that VLAN 40 has been automatically created :


6860-A -> show vlan
vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Ena Ena 1500 VLAN 1
20 std Ena Ena Ena 1500 VLAN 20
30 std Ena Ena Ena 1500 VLAN 30
40 dyn Ena Ena Dis 1500 VLAN 40
4001 dyn Ena Ena Dis 1500 VLAN 4001
4094 vcm Ena Dis Dis 1500 VCM IPC

6860-B -> show vlan


vlan type admin oper ip mtu name
------+-------+-------+------+------+------+------------------
1 std Ena Ena Ena 1500 VLAN 1
20 std Ena Ena Ena 1500 VLAN 20
30 std Ena Ena Ena 1500 VLAN 30
40 dyn Ena Ena Dis 1500 VLAN 40
4001 std Ena Ena Ena 1500 Admin
4094 vcm Ena Dis Dis 1500 VCM IPC

Notes
The VLAN type is then Dynamic

- And those ports have been dynamically tagged:


6860-A -> show vlan 40 members
port type status
----------+-----------+---------------
1/1/4 dynamic forwarding
0/5 dynamic forwarding

6860-B -> show vlan 40 members


port type status
----------+-----------+---------------
1/1/3 dynamic forwarding
0/5 dynamic blocking

Notes
VLANs are automatically created and ports tagged, but of course no IP interface is created and there is no
association with an MSTI.

2.3. Delete VLAN


- Check the status of VLAN 40 on 6450 :
6450-B -> show vlan
stree mble src
vlan type admin oper 1x1 flat auth ip tag lrn name
-----+-----+------+------+------+------+----+-----+-----+------+----------
1 std on on on on off on off on VLAN 1
20 std on on on on off on off on VLAN 20
30 std on on on on off on off on VLAN 30
40 std on on on on off off off on VLAN 40
4001 std on on on on off on off on Administration

- It's a standard VLAN (compared with the dynamic VLAN on the 6860).


- Now delete the VLAN 40 on 6450 :
6450-B -> no vlan 40

- What happens to it?
6450-B -> show vlan
stree mble src
vlan type admin oper 1x1 flat auth ip tag lrn name
-----+-----+------+------+------+------+----+-----+-----+------+----------
1 std on on on on off on off on VLAN 1
20 std on on on on off on off on VLAN 20
30 std on on on on off on off on VLAN 30
40 mvrp on off off on off off off on VLAN 40
4001 std on on on on off on off on Administration

Tips
The mvrp status in R6 is equal to the dyn status in R7/R8. That means the VLAN 40 has been automatically re-created.

- Now disable mvrp on the 3 switches :


all -> mvrp disable

6450-B -> show vlan


stree mble src
vlan type admin oper 1x1 flat auth ip tag lrn name
-----+-----+------+------+------+------+----+-----+-----+------+----------
1 std on on on on off on off on VLAN 1
20 std on on on on off on off on VLAN 20
30 std on on on on off on off on VLAN 30
4001 std on on on on off on off on Administration

- The VLAN 40 has now disappeared, as MVRP is disabled.

2.4. Revert to 1x1 RSTP mode


- For the next lab, it will be easier to continue with per-vlan STP :
6860-A -> spantree mode per-vlan
6860-B -> spantree mode per-vlan
6450-B -> bridge mode 1x1
OmniSwitch AOS R6/R8

Bidirectional Forwarding Detection (BFD)


Module Objectives

At the end of this presentation, you will be able to

◼ Understand the concept of the Bidirectional Forwarding Detection feature
◼ Configure the Bidirectional Forwarding Detection
Bidirectional Forwarding Detection - Overview
◼ Why?
⚫ Layer 2 and layer 3 topologies may be different
⚫ Concurrent connectivity detection and protection/re-routing mechanisms
⚫ Failure detection => critical delay
 Long delays
 False negatives, inconsistent detection methods
 Ambiguous results possible
⚫ Routing protocols use varying methods and timers to detect the loss of connection

◼ IETF BFD Working Group


⚫ Provide fast forwarding path failure detection enabled at the interface and routing
protocol level
⚫ BFD provides a low-overhead and fast two-way connectivity verification between two
systems
⚫ Separate BFD session for each path and data protocol
⚫ No changes to existing protocols
Bidirectional Forwarding Detection - Overview
◼ As a new Hello Protocol

◼ Packets sent at regular intervals


⚫ Neighbor failure detected when packets stop showing up

◼ No discovery protocol, handled by control protocol

◼ Context defined by encapsulating protocol


⚫ 24 bytes + headers
⚫ sending inside IPv4 packets signals IPv4 connectivity

◼ Unicast
Bidirectional Forwarding Detection - Overview
◼ Benefits of BFD over other Hello Protocols
⚫ Faster convergence
⚫ Independent of specific media, data and network protocols
⚫ Can be encapsulated within any routing protocol being forwarded between two systems
⚫ Supports BGP,OSPF,VRRP tracking and Static route protocols
⚫ Less CPU-intensive than reduced timer mechanisms for routing protocols
⚫ Detects failures in milliseconds without having to fine-tune routing protocol Hello timers
⚫ Detects one-way link failures
[Figure: BFD session establishment between two BFD peer routers. Three-way handshake: Down -> Init -> Up. BFD packets build an adjacency on behalf of the routing protocols registered on each peer (OSPF, BGP, STATIC, VRRP).]

Bidirectional Forwarding Detection - Modes
◼ Asynchronous mode
⚫ Both endpoints periodically send Hello packets to each other (default)
⚫ Periodic control packets flow in each direction
⚫ If packet not received within detection time –> session is declared down
⚫ Remove Next Hop Entry, Route Packets to other switches

◼ Demand mode (poll sequence) (not supported currently)
⚫ After the session is established, packets are not sent
⚫ Each system has its own way to determine if it is connected to the other system
⚫ Control packets are sent only if explicit connection verification is needed (request / respond poll sequence)

◼ Echo mode
⚫ Echo packets are looped (or not) through the remote system
⚫ Slower rate of control packets
⚫ Echo packets flow in each direction
⚫ Echo mode is used in combination with asynchronous and demand mode
Bidirectional Forwarding Detection - Asynchronous Mode

◼ After session is established, BFD control packets flow in each direction

◼ If packet not received within detection time


⚫ Session is declared down
⚫ Sends rapid failure detection notices to respective registered routing protocols in the local router
to initiate the router table recalculation

◼ Generates the least amount of traffic

◼ Most CPU demanding mode

[Figure: asynchronous mode, BFD control packets exchanged between two BFD peer routers, each with OSPF, BGP, STATIC and VRRP registered.]

-> ip bfd-std mode asynchronous echo {enable|disable}


Bidirectional Forwarding Detection - Echo Function

◼ Slower rate of Control packets


⚫ less CPU burden

◼ Echo packets loop through remote system

◼ Echo mode used in combination with Asynchronous

◼ Enabled by default

[Figure: echo function, echo packets looped through the remote BFD peer router in addition to the (slower) control packets.]

-> ip bfd-std mode echo-only


Bidirectional Forwarding Detection - Configuration

◼ Enabling the global BFD protocol status for the switch


⚫ -> ip bfd-std status {enable | disable}

◼ Configuring the global transmit time interval for BFD control packets
⚫ -> ip bfd-std transmit transmit-interval (default: 100ms)

◼ Configuring the global receive time interval for BFD control packets
⚫ -> ip bfd-std receive receive-interval (default: 100ms)

◼ Configuring the global operational mode and echo status


⚫ -> ip bfd-std mode {echo-only | demand echo {enable | disable} | asynchronous echo
{enable|disable}}

All of the above global settings are also configurable at the BFD interface level
Bidirectional Forwarding Detection - Configuration

◼ Enabling the BFD status for an IGP routing protocol

-> ip {ospf | bgp| dvmrp} bfd-std status {enable | disable}


-> ip {ospf | bgp| dvmrp} interface int_name bfd-std status {enable | disable}

-> ip static-route ip-address/prefixLen gateway ip-address bfd status {enable| disable}

-> vrrp bfd-std {enable | disable}


-> vrrp track num address address bfd-std {enable| disable} (R8)

All of the above global settings are also configurable at the BFD interface level
Bidirectional Forwarding Detection - Timer
◼ Specified in microseconds, allowing very fast or very slow detection

◼ Continuous negotiation

⚫ BFD packet transmission intervals


 slower rate determines the transmission rate
 -> ip bfd-std transmit transmit-interval * (def=100ms)
 -> ip bfd-std receive receive-interval * (def=100ms)
 -> ip bfd-std echo interval echo-interval * (def=100ms)

⚫ Session Detection Time


 -> ip bfd-std l2-hold-timer l2-holdtimer-interval * (def=500ms)
 -> ip bfd-std interface interface_name multiplier multiplier_value (def=3)
 Dead interval timer: multiplier_value * “negotiated transmit-interval”

! BFD adjacency will not form if the send-timer on one peer is lower than the receive-timer on another peer
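The "slower rate determines the transmission rate" rule and the dead interval above, worked through as an added Python example that is not part of the course material. It applies the RFC 5880 negotiation rules (a peer transmits at max(its transmit interval, the neighbour's receive interval); the neighbour declares it down after its own multiplier times that interval); the peer names and interval values are constructed, and `BfdPeer`, `negotiated_tx`, `detection_time` and `session_summary` are names chosen for this example.

```python
"""Added example (not from the course material): BFD interval negotiation
and detection time, following the RFC 5880 rules the slide summarises.

Each peer advertises a Desired Min Tx interval, a Required Min Rx interval
and a Detect Multiplier (AOS: transmit, receive, multiplier).  The slower
side wins: a peer never sends faster than its neighbour agrees to receive,
and the neighbour is declared down after multiplier * negotiated interval
without a control packet.  Intervals are in milliseconds as on the slide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdPeer:
    name: str
    tx: int          # Desired Min Tx interval (ip bfd-std transmit)
    rx: int          # Required Min Rx interval (ip bfd-std receive)
    multiplier: int  # Detect multiplier (ip bfd-std interface ... multiplier)


def negotiated_tx(local: BfdPeer, remote: BfdPeer) -> int:
    """Interval at which `local` actually transmits to `remote`.

    RFC 5880 6.8.7: the transmit interval is the greater of the local
    Desired Min Tx and the remote Required Min Rx, so the slower of the two
    values determines the rate (the "slower rate" rule on the slide).
    """
    return max(local.tx, remote.rx)


def detection_time(local: BfdPeer, remote: BfdPeer) -> int:
    """Time after which `local` declares `remote` down (asynchronous mode).

    RFC 5880 6.8.4: Detection Time = remote Detect Mult * max(local Required
    Min Rx, remote Desired Min Tx), i.e. the remote multiplier times the
    interval the remote is actually transmitting at.
    """
    return remote.multiplier * negotiated_tx(remote, local)


def session_summary(a: BfdPeer, b: BfdPeer) -> dict:
    """Both directions of a session, mirroring the 'show ip bfd-std sessions'
    columns (Negotiated Tx/Rx interval) plus the resulting dead intervals."""
    return {
        a.name: {"negotiated_tx": negotiated_tx(a, b),
                 "negotiated_rx": negotiated_tx(b, a),
                 "detects_peer_down_after": detection_time(a, b)},
        b.name: {"negotiated_tx": negotiated_tx(b, a),
                 "negotiated_rx": negotiated_tx(a, b),
                 "detects_peer_down_after": detection_time(b, a)},
    }


if __name__ == "__main__":
    # Constructed peers: defaults on one side (100 ms / 100 ms / x3), a
    # deliberately slow receiver on the other, as in the sessions output
    # where the negotiated Tx interval (800) differs from Rx (100).
    fast = BfdPeer("sw1", tx=100, rx=100, multiplier=3)
    slow = BfdPeer("sw2", tx=100, rx=800, multiplier=3)
    for name, values in session_summary(fast, slow).items():
        print(name, values)
```

Note the asymmetry the output shows: the peer with the large receive interval is protected by a 2400 ms dead interval while it still detects its neighbour in 300 ms.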
Bidirectional Forwarding Detection – Configuration Example

[Figure: four switches Sw1, Sw2, Sw3 and Sw4 interconnected through ports 1/11 and 1/12.]

-> show ip bfd-std
-> show ip bfd-std interfaces
-> show ip bfd-std sessions

sw1> show ip bfd-std interfaces
Interface Admin Tx Min Rx Multiplier OperStatus
Name Mode Status Interval Interval
----------------+--------------+----------+----------+----------+----------+----------
vlan12 ASYNCHRONOUS enabled 100 100 3 UP
vlan13 ASYNCHRONOUS enabled 100 100 3 UP

sw1> show ip bfd-std sessions
Interface Neighbor State LocalDisc Remote Negotiated Negotiated EchoRx
Address Address Discr Rx Interval Tx Interval
----------------+----------------+------------+----------+----------+-------------+------------+--------
172.30.13.1 172.30.13.3 UP 1 1 100 800 100
172.30.12.1 172.30.12.2 UP 2 1 100 800 100
Bidirectional Forwarding Detection – Configuration Example

VRRP/BFD Remote-address Tracking

[Figure: Sw1 (MASTER, port 1/11) and Sw2 (BACKUP, port 1/12) connected through VLAN 10 (10.1.1.0); Sw1 tracks the remote address 10.1.1.2 with BFD. VLAN 2 / VLAN 3 addresses: 192.168.10.247 / 192.168.11.247 on Sw1, 192.168.10.248 / 192.168.11.248 on Sw2.]

Sw1 (MASTER):
! BFD-STD :
ip bfd-std echo-interval 100
ip bfd-std status enable
ip bfd-std transmit 100
ip bfd-std receive 100
ip bfd-std mode echo-only
ip bfd-std l2-hold-timer 100
ip bfd-std interface vlan10
ip bfd-std interface vlan10 transmit 100
ip bfd-std interface vlan10 receive 100
ip bfd-std interface vlan10 multiplier 1
ip bfd-std interface vlan10 mode echo-only
ip bfd-std interface vlan10 echo-interval 100
ip bfd-std interface vlan10 l2-hold-timer 100
ip bfd-std interface vlan10 status enable
! VRRP :
vrrp bfd-std enable
vrrp track 1 enable priority 75 address 10.1.1.2 bfd-std enable
vrrp 1 1 disable
vrrp 1 1 priority 150 preempt interval 1
vrrp 1 1 address 192.168.10.250
vrrp 1 1 track-association 1
vrrp 1 1 enable
vrrp 2 2 disable
vrrp 2 2 priority 150 preempt interval 1
vrrp 2 2 address 192.168.11.250
vrrp 2 2 track-association 1
vrrp 2 2 enable

Sw2 (BACKUP):
! VRRP
vrrp 1 1 disable
vrrp 1 1 priority 100 preempt interval 1
vrrp 1 1 address 192.168.10.250
vrrp 1 1 enable
vrrp 2 2 disable
vrrp 2 2 priority 100 preempt interval 1
vrrp 2 2 address 192.168.11.250
vrrp 2 2 enable
Bidirectional Forwarding Detection – Configuration Example

[Figure: same topology as above: Sw1 (MASTER, port 1/11) and Sw2 (BACKUP, port 1/12) joined by VLAN 10 (10.1.1.0, tracked address 10.1.1.2); VLAN 2 / VLAN 3 addresses 192.168.10.247 / 192.168.11.247 on Sw1 and 192.168.10.248 / 192.168.11.248 on Sw2.]

-> show ip bfd-std
BFD Version Number = 1,
Admin Status = Enabled,
Transmit Interval = 100,
Receive Interval = 100,
Multiplier = 3,
Echo Status = Enabled,
Echo Interval = 100,
Mode = ECHO-ONLY,
L2 Hold Down Interval = 100,
Protocols Registered = VRRP

-> show ip bfd-std session 1
Interface IP Address = 10.1.1.1,
Neighbor IP Address = 10.1.1.2,
State = UP,
Local discriminator = 1,
Remote discriminator = 0,
Negotiated Tx interval = 0,
Negotiated Rx interval = 100,
Echo Rx interval = 100,
Multiplier = 1,
Tx packet counter = 0,
Rx packet counter = 0,
Protocols Registered: = VRRP

With BFD disabled it takes around 10 seconds for the backup to become master.
With BFD enabled it takes less than 3 seconds for the backup to become master.
OmniSwitch AOS R6/R8

Server Load Balancing


Lesson summary

At the end of this presentation, you will be able to

◼ Sum up the concept & characteristics of SLB
◼ Configure the SLB feature

◼ Understand the Distribution algorithm

◼ Learn about the Server Cluster types

◼ Monitor the Health

◼ Configure a SLB Probe


Concept
◼ Method to logically manage a group of physical servers as one large virtual
server (SLB cluster)
⚫ Cluster is identified and accessed at layer 3 by using a Virtual IP (VIP) address or a QoS
policy condition

[Figure: the physical servers 192.168.0.3, 192.168.0.5, 192.168.0.8 and 192.168.0.9 presented as one virtual server, 192.168.0.10.]
◼ Benefits:
⚫ Cost savings: no costly hardware upgrade to servers
⚫ Scalability: allows up to 16 clusters per switch
⚫ Reliability: provides load-sharing and redundancy
⚫ Flexibility: QoS may be applied to servers
Characteristics
◼ Virtual IP address
⚫ Must be an address in the same subnet as the servers
⚫ SLB cluster automatically creates a proxy ARP for the VIP with the switch’s MAC
address

◼ Designed to work at IP layer or bridge


⚫ Capability to specify if SLB is enforced at L2 or L3

◼ Distribution based on wire-rate load balancing


⚫ Load balancing is based on L3/L4 information
⚫ Using IPSA and IPDA pairs (optionally UDP/TCP ports)
⚫ Policies for server load balancing can be assigned for the purpose of applying ACLs

◼ Servers can belong to multiple clusters

◼ Servers can be distributed on several NIs

◼ All servers must be part of the same VLAN/subnet. Servers do not need to be
physically connected to the SLB switch/router, they can be connected through
L2 switches for that SLB VLAN.
Configuration
◼ Create a loopback adapter in the server
⚫ Define the Virtual IP address to the loopback adapter

◼ Enable SLB globally


-> ip slb admin enable (R6)
-> ip slb admin-state enable (R8)
⚫ policy condition, action and rule are automatically created

◼ Configure the SLB cluster


-> ip slb cluster Web vip 128.241.130.204

◼ Assign physical servers to the SLB cluster


-> ip slb server ip 128.241.130.127 cluster Web
-> ip slb server ip 128.241.130.109 cluster Web

◼ Modify optional parameters, if necessary


⚫ SLB traffic distribution algorithm
⚫ Load balance hashing control algorithm
⚫ Health monitoring
Distribution Algorithm
◼ Default
⚫ Round-robin based on IPSA, SLB-VIP and a random generated number of the SLB-MAC

◼ Alternative
⚫ Weighted Round Robin (WRR)
⚫ SLB cluster distributes traffic according to the relative “weight” a server has within an
SLB cluster
⚫ Aggregate weight of all servers should not exceed 32
-> ip slb server ip <ip-addr> cluster <clstr> admin status <enable | disable> probe <probe> weight <weight>

[Figure: cluster VIP 192.168.100.200 with servers 192.168.100.102 (weight 3), 192.168.100.109 (weight 2), 192.168.100.99 (weight 1) and 192.168.100.103 (weight 0).]
Backup Server Scenario

-> ip slb cluster cl1 vip 192.168.100.200
-> ip slb server ip 192.168.100.102 cluster cl1 weight 1
-> ip slb server ip 192.168.100.99 cluster cl1 weight 0

[Figure: cluster cl1, VIP 192.168.100.200, with server 192.168.100.102 (weight 1) and server 192.168.100.99 (weight 0).]

If server 192.168.100.102 goes down, server 192.168.100.99 will start receiving all the traffic.
Weighted Round Robin

-> ip slb cluster cl1 vip 192.168.100.200


-> ip slb server ip 192.168.100.99 cluster cl1 weight 1
-> ip slb server ip 192.168.100.109 cluster cl1 weight 2
-> ip slb server ip 192.168.100.102 cluster cl1 weight 3
-> ip slb server ip 192.168.100.103 cluster cl1 weight 0 (used as backup)

[Figure: cluster cl1, VIP 192.168.100.200: Server A 192.168.100.102 (weight 3), Server B 192.168.100.109 (weight 2), Server C 192.168.100.99 (weight 1), Server D 192.168.100.103 (weight 0).]

Server A handles three times the traffic of Server C, and Server B twice the traffic of Server C.
Server D is a backup server.
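The weighted round robin proportions and the weight-0 backup behaviour from the two scenarios above, as an added Python model that is not part of the course material and is not ALE's implementation: the switch selects servers by hashing, so only the proportions and the failover rule are reproduced here. The class and function names (`SlbServer`, `SlbCluster`, `demo_cluster`) and the health states are constructed for the example; the addresses and weights are those of cluster cl1 on the slides.

```python
"""Added example (not from the course material): a model of how an SLB
cluster with weighted round robin shares requests between its servers and
how a weight-0 member behaves as a backup.  The scheduler is constructed to
reproduce the proportions the slide states (A:B:C = 3:2:1, D idle until the
weighted servers are down); it is not ALE's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List


@dataclass
class SlbServer:
    ip: str
    weight: int               # ip slb server ip <ip> cluster <c> weight <w>
    in_service: bool = True   # result of health monitoring (ping / probe)


@dataclass
class SlbCluster:
    vip: str
    servers: List[SlbServer] = field(default_factory=list)

    def active(self) -> List[SlbServer]:
        """Servers eligible for traffic right now.

        Weighted members that health monitoring reports 'In Service' carry
        the load; only when none is left do the weight-0 backups take over.
        """
        weighted = [s for s in self.servers if s.weight > 0 and s.in_service]
        if weighted:
            return weighted
        return [s for s in self.servers if s.weight == 0 and s.in_service]

    def schedule(self) -> Iterator[str]:
        """Weighted round robin: per cycle each active server receives as
        many slots as its weight (a backup, weight 0, receives one)."""
        while True:
            active = self.active()
            if not active:
                raise RuntimeError(f"no server in service behind VIP {self.vip}")
            for s in active:
                for _ in range(max(s.weight, 1)):
                    yield s.ip

    def distribute(self, requests: int) -> Dict[str, int]:
        """Count how many of `requests` each server handles under the
        current health state."""
        counts = {s.ip: 0 for s in self.servers}
        sched = self.schedule()
        for _ in range(requests):
            counts[next(sched)] += 1
        return counts


def demo_cluster() -> SlbCluster:
    """The 'Weighted Round Robin' slide: cluster cl1 with servers A to D."""
    return SlbCluster("192.168.100.200", [
        SlbServer("192.168.100.102", 3),   # Server A
        SlbServer("192.168.100.109", 2),   # Server B
        SlbServer("192.168.100.99", 1),    # Server C
        SlbServer("192.168.100.103", 0),   # Server D, backup
    ])


if __name__ == "__main__":
    cl1 = demo_cluster()
    print("all up:", cl1.distribute(60))
    for s in cl1.servers:          # health monitoring marks A, B and C down
        if s.weight > 0:
            s.in_service = False
    print("backup only:", cl1.distribute(10))
```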
Hashing Control Algorithm
◼ Hashing Control
⚫ Control over the hashing mode used by
 Link Aggregation
 ECMP
 Server Load Balancing

◼ Two hashing algorithms available
⚫ Brief mode
 UDP/TCP ports not included
 Only source IP and destination IP addresses are considered
-> hash-control brief
⚫ Extended mode
 UDP/TCP ports included in the hashing algorithm
 Results in more efficient load balancing
-> hash-control extended [udp-tcp-port | no]

[Figure: brief mode hashes the source and destination addresses into a server number; extended mode also feeds the UDP/TCP port into the hash.]

Platform Default Hashing Mode
6850E/6855 Brief
9000E Extended
6860 Brief
6900 Brief
10K Extended
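What the brief / extended choice means for a single client talking to the VIP, as an added Python example that is not part of the course material. The hash function is a constructed stand-in (CRC-32 over the packed header fields, not the switch ASIC's hash), and `flow_hash`, `select_server` and `servers_used` are names chosen for this example; the cluster addresses reuse the cl1 servers from the slides, the client address and ports are constructed.

```python
"""Added example (not from the course material): brief versus extended
hashing for SLB server selection.  The hash itself is a constructed stand-in
(CRC-32 over the packed header fields); the switch ASIC uses its own
function, but the property demonstrated is the one the slide makes:
brief mode keys on the IP pair only, extended mode adds the UDP/TCP ports."""
import ipaddress
import struct
import zlib
from typing import Optional, Sequence, Set


def flow_hash(src_ip: str, dst_ip: str, src_port: Optional[int] = None,
              dst_port: Optional[int] = None, mode: str = "brief") -> int:
    """Hash the fields 'hash-control brief' / 'hash-control extended' use."""
    key = ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    if mode == "extended":
        # extended [udp-tcp-port]: the L4 ports join the key
        if src_port is None or dst_port is None:
            raise ValueError("extended mode needs both L4 ports")
        key += struct.pack("!HH", src_port, dst_port)
    elif mode != "brief":
        raise ValueError(f"unknown hash-control mode {mode!r}")
    return zlib.crc32(key) & 0xFFFFFFFF


def select_server(servers: Sequence[str], src_ip: str, vip: str,
                  src_port: int, dst_port: int, mode: str) -> str:
    """Pick the cluster member for one flow: hash modulo the number of servers."""
    return servers[flow_hash(src_ip, vip, src_port, dst_port, mode) % len(servers)]


def servers_used(servers: Sequence[str], src_ip: str, vip: str,
                 src_ports: Sequence[int], mode: str, dst_port: int = 80) -> Set[str]:
    """Set of servers one client reaches over several connections to the VIP
    (the client's ephemeral source port varies, the destination port is fixed)."""
    return {select_server(servers, src_ip, vip, p, dst_port, mode) for p in src_ports}


if __name__ == "__main__":
    # Constructed cluster: three web servers behind VIP 192.168.100.200
    cluster = ["192.168.100.102", "192.168.100.109", "192.168.100.99"]
    ports = range(40000, 40050)
    for mode in ("brief", "extended"):
        hit = servers_used(cluster, "10.20.30.40", "192.168.100.200", ports, mode)
        print(f"{mode:8s}: {len(hit)} server(s) -> {sorted(hit)}")
```

In brief mode every connection from one client lands on the same server, so a single busy client (or a NAT gateway hiding many) cannot be spread; extended mode spreads its connections but still keeps each individual flow on one server.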
Cluster Modes
◼ SLB Cluster VIP
⚫ Traffic destined to the Virtual IP of the Server Farm
⚫ Each server is also configured with a Loopback Interface for the Virtual IP
⚫ A server can be configured with more than one VIP
 Therefore, a server can belong to more than one SLB cluster

◼ SLB Cluster QoS Condition
⚫ Traffic not destined to the server
 e.g. a firewall server simply inspects the packet and sends it back if it is accepted by the firewall
policies
VIP mode (L3 only)
◼ Configuring VIP SLB cluster in a routed network
⚫ -> ip slb cluster <cluster_name> vip <vip_address>

-> ip slb cluster WebServer vip 10.0.0.250


-> ip slb server ip 10.0.0.1 cluster WebServer
-> ip slb server ip 10.0.0.2 cluster WebServer
-> ip slb server ip 10.0.0.3 cluster WebServer

[Figure: clients in VLAN 11 access VIP 10.0.0.250 (cluster WebServer) across an L3 network; the SLB-enabled switch/router (IP 10.0.0.254) routes from VLAN 11 to server VLAN 10, where servers 10.0.0.1, 10.0.0.2 and 10.0.0.3 are reached through an L2 switch.]
VIP mode (L3 only)
◼ Configuring VIP SLB cluster in a Bridged network
⚫ -> ip slb cluster <cluster_name> vip <vip_address>

-> ip slb cluster WebServer vip 10.0.0.250


-> ip slb server ip 10.0.0.1 cluster WebServer
-> ip slb server ip 10.0.0.2 cluster WebServer
-> ip slb server ip 10.0.0.3 cluster WebServer

[Figure: clients access VIP 10.0.0.250 (cluster WebServer) across an L3 network; the SLB-enabled switch (IP 10.0.0.254) and the servers 10.0.0.1, 10.0.0.2 and 10.0.0.3 (behind an L2 switch) are all in VLAN 10, so the traffic is bridged in VLAN 10.]

Proxy ARP to 10.0.0.250 is used in a bridged network and will force the bridged packet to be routed.
QoS Condition Mode
◼ Configuring QoS Condition SLB cluster in a Routed network
⚫ -> ip slb cluster <cluster_name> condition <condition name> L3

-> policy condition cond1 source port 1/1 destination tcp port 80
-> ip slb cluster Firewall condition cond1 L3
-> ip slb server ip 10.0.0.1 cluster Firewall
-> ip slb server ip 10.0.0.2 cluster Firewall

[Figure: cluster « Firewall »; traffic entering on port 1/1 from VLAN 11 is routed by the SLB-enabled switch/router (IP 10.0.0.254) to server VLAN 10, servers 10.0.0.1 and 10.0.0.2.]

The server must be configured to receive packets with a destination IP address that may not match any
address known to the server.
QoS Condition Mode
◼ Configuring QoS Condition SLB cluster in a Bridged network
⚫ -> ip slb cluster <cluster_name> condition <condition name> L2

-> policy condition cond1 source port 1/1 destination tcp port 80
-> ip slb cluster Firewall condition cond1 L2
-> ip slb server ip 10.0.0.1 cluster Firewall
-> ip slb server ip 10.0.0.2 cluster Firewall

[Figure: cluster « Firewall » in a bridged network; traffic entering on port 1/1 is bridged by the SLB-enabled switch (IP 10.0.0.254) within VLAN 10 to servers 10.0.0.1 and 10.0.0.2.]

The server must be configured to receive packets with a destination MAC address that is different from the
MAC address of the server (i.e. promiscuous mode).
Health Monitoring
◼ Health Monitoring of the servers based on
⚫ Ethernet link state detection
⚫ IPv4 ICMP ping
⚫ Content Verification Probe
 20 probes per switch
 Basic Probe - PING
 Application probes: ftp, http, https, mail (imap, imaps, pop, pops, smtp), nntp
 Custom probes - tcp, udp
 Can specify interval, time-out, and retries

◼ Server States
⚫ Disabled: server has been administratively disabled by the user
⚫ No Answer: server has not responded to ping requests from the switch
⚫ Link Down: bad connection to the server
⚫ Discovery: switch is pinging a physical server
⚫ In Service: server can be used for client connections
⚫ Retrying: switch is making another attempt to bring up the server
Server Load Balancing - Probe Configuration
◼ Creating SLB Probes
-> ip slb probe <probe_name> {ftp | http | https | imap | imaps | nntp |
ping | pop | pops | smtp | tcp | udp}

◼ Associating a Probe with a Cluster or Server


-> ip slb cluster <cluster_name> probe <probe_name>

◼ Options
⚫ Probe timeout (ms) and Period (sec)
⚫ TCP/UDP Port
⚫ URL / User Name / Password
 sent to a server as credentials for an HTTP(S) GET operation
⚫ Send
 An ASCII string sent to a server to invoke a response
⚫ Expect
 An ASCII string used to compare a response from a server
-> ip slb probe http_test http
-> ip slb probe http_test http period 10
-> ip slb cluster C1 vip 192.168.160.201
-> ip slb server ip 192.160.160.4 cluster C1 weight 2 probe http_test
-> ip slb server ip 192.160.160.4 cluster C1 weight 4 probe http_test
Probe Configuration

◼ ping
⚫ TIMEOUT
⚫ RETRIES
⚫ PORT
⚫ PERIOD

◼ http / https
⚫ USERNAME
⚫ URL
⚫ TIMEOUT
⚫ STATUS
⚫ RETRIES
⚫ PORT
⚫ PERIOD
⚫ PASSWORD
⚫ EXPECT

◼ ftp / imap / imaps / pop / pops / smtp / nntp
⚫ TIMEOUT
⚫ RETRIES
⚫ PORT
⚫ PERIOD

◼ tcp / udp
⚫ TIMEOUT
⚫ SSL
⚫ SEND
⚫ RETRIES
⚫ PORT
⚫ PERIOD
⚫ NO
⚫ EXPECT
Specifications

Platforms Max number of clusters Max number of Servers
6850E 16 256 (up to 32 per cluster)
6855 16 256 (up to 32 per cluster)
6860 32 1024 (up to 32 per cluster)
9000E 16 256 (up to 32 per cluster)
6900 32 1024 (up to 32 per cluster)
10k 32 1024 (up to 32 per cluster)
Appendixes
Adding and configuring Loopback Adapter on Windows Server

◼ Device Manager > Add Legacy Hardware


⚫ Install the hardware that I manually select from a list (Advanced)
⚫ Network adapters
⚫ Microsoft > Microsoft KM-Test Loopback Adapter (Win 2k12)
⚫ Microsoft > Microsoft Loopback Adapter (Win 2k8 r2)

◼ Starting with Windows Server 2008, Microsoft implements a strong host model, which prevents the host
from receiving packets on an interface that is not assigned the destination IP address. To configure weak
host mode enter the following commands:
netsh interface ipv4 set interface <LAN Interface Name> weakhostreceive=enabled
netsh interface ipv4 set interface <Loopback Interface Name> weakhostreceive=enabled
netsh interface ipv4 set interface <Loopback Interface Name> weakhostsend=enabled

◼ Assign VIP address to the Loopback adapter


Adding and configuring Loopback Adapter on Linux Server

◼ Add Loopback adapter


ifconfig lo:1 <VIPAddress> broadcast <VIPAddress> netmask 255.255.255.255

◼ Disable ARP replies


⚫ In /etc/sysctl.conf add the following lines:
net.ipv4.conf.eth0.arp_ignore=1
net.ipv4.conf.eth0.arp_announce=2
OmniSwitch AOS R6/R8

Server Load Balancing

How to
✓ This lab is designed to familiarize you with the server load balancing
feature on OmniSwitches.

Contents
1 Topology
2 Server Load Balancing configuration
2.1. Client Configuration
2.2. Client VLAN configuration
2.3. Loopback interface creation on clients
2.4. SLB configuration
2.5. Demonstrate SLB
2.6. SLB Load Balancing – Self Guided Section
3 Summary
4 Lab Check

1 Topology
[Figure: Virtual Chassis of OS6900-A (chassis 1) and OS6900-B (chassis 2), VFL on ports 1/2/1-2 and 2/2/1-2. Client 1 and Client 2 (both VLAN 110, subnet 192.168.110.0) are attached on ports 1/1/1 and 2/1/1; ports 1/1/5, 1/1/6, 2/1/6 and 2/1/5 are also shown.]
2 Server Load Balancing configuration


Server Load Balancing allows multiple servers to act as one. By assigning a virtual IP address, all traffic
destined for that IP address is balanced among multiple servers.

2.1. Client Configuration


Client 2 :
IP : 192.168.110.102
Mask : 255.255.255.0
Gateway : 192.168.110.1

2.2. Client VLAN configuration


On the OmniSwitch 6900 Virtual Chassis, type the following:
sw1 (6900-A) -> vlan 110 members port 2/1/1 untagged

You can now check client 2 connectivity by pinging its gateway interface.

2.3. Loopback interface creation on clients


On both clients (1&2), to manually install the Microsoft Loopback adapter in Windows XP, follow these steps:
Click Start, and then click Control Panel.
If you are in Classic view, click Switch to Category View under Control Panel in the left pane.
Double-click Printers and Other Hardware, and then click Next.
Under See Also in the left pane, click Add Hardware, and then click Next.
Click Yes, I have already connected the hardware, and then click Next.
At the bottom of the list, click Add a new hardware device, and then click Next.
Click Install the hardware that I manually select from a list, and then click Next.
Click Network adapters, and then click Next.
In the Manufacturer box, click Microsoft.
In the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.
Click Finish.
Assign the following network properties to the Loopback interface
IP: 192.168.110.100 Mask : 255.255.255.0 no Gateway

2.4. SLB configuration


On the Virtual Chassis, perform the following commands:
sw1 (6900-A) -> ip slb admin-state enable

(This enables the Server Load Balancing feature)


sw1 (6900-A) -> ip slb cluster WorldWideWeb vip 192.168.110.100

(This creates a Server Load Balancing cluster with the virtual IP address 192.168.110.100.) We will now
assign servers to the cluster.
sw1 (6900-A) -> ip slb server ip 192.168.110.101 cluster WorldWideWeb

(This adds the server with IP address 192.168.110.101 to the cluster)


sw1 (6900-A) -> ip slb server ip 192.168.110.102 cluster WorldWideWeb

The previous commands added two servers to the cluster named WorldWideWeb. Let’s view some of the SLB
configuration parameters. Type the following:
sw1 (6900-A) -> show ip slb
Admin status : Enabled,
Operational status : In Service,
Number of clusters = 1

sw1 (6900-A) -> show ip slb servers


Admin Operational %
IP addr Cluster Name Status Status Avail
---------------+-----------------------+--------+--------------+-----
192.168.110.101 WorldWideWeb Enabled In Service 100
192.168.110.102 WorldWideWeb Enabled In Service 100

sw1 (6900-A) -> show ip slb clusters


Admin Operational # %
Cluster Name VIP/COND Status Status Srv Avail
-----------------------+---------------+--------+--------------+---+-----
WorldWideWeb 192.168.110.100 Enabled In Service 2 100

sw1 (6900-A) -> show ip slb cluster WorldWideWeb


Cluster WorldWideWeb
VIP : 192.168.110.100,
Type : L3
Admin status : Enabled,
Operational status : In Service,
Ping period (seconds) : 60,
Ping timeout (milliseconds) : 3000,
Ping retries : 3,
Redirect algorithm : round robin,
Probe : None,
Number of packets : 0,
Number of servers : 2
Hash type = ECMP
Server 192.168.20.101
Admin status = Enabled, Operational status = In Service,
Weight = 1, Availability (%) = 100
Server 192.168.20.102
Admin status = Enabled, Operational status = In Service,
Weight = 1, Availability (%) = 100

-> show ip slb cluster WorldWideWeb server 192.168.110.101


Cluster WorldWideWeb
VIP 192.168.110.100
Server 192.168.110.101
Admin weight : 1,
MAC addr : 00:50:56:A1:0D:35,
Slot number : 1,
Port number : 1,
Admin status : Enabled,
Oper status : In Service,
Probe : None,
Availability time (%) : 100,


Ping failures : 0,
Last ping round trip time (milliseconds) : 14,
Probe status : OK

2.5. Demonstrate SLB


Any requests to the 192.168.110.100 IP address will be load balanced to both servers.
From any client, bring up a web browser and enter the URL http://192.168.110.100
You should see the home page of the Server. This is because the OmniSwitch is forwarding the http
request to the virtual IP address to one of the servers participating in SLB.
Type the following:
sw1 (6900-A) -> show ip slb cluster WorldWideWeb
Cluster WorldWideWeb
VIP : 192.168.110.100,
Type : L3,
Admin status : Enabled,
Operational status : In Service,
Ping period (seconds) = 60,
Ping timeout (milliseconds) = 3000,
Ping retries = 3,
Probe = None,
Number of packets = 2,
Number of servers = 2,
Hash type = ECMP
Server 192.168.110.101
Admin status = Enabled, Operational status = In Service,
Weight = 1, Availability (%) = 100
Server 192.168.110.102
Admin status = Enabled, Operational status = In Service,
Weight = 1, Availability (%) = 100

You will see that one of the servers has a flow associated with it. Change the IP address of client 5 and
connect to the VIP web server again; you should now be associated with the other server.
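The "show ip slb servers" table and the flow-to-server behaviour just described, as an added example that is not part of the original lab guide: a Python script parses a constructed copy of the table (modelled on the lab output, not a capture), keeps only the servers that are both administratively enabled and In Service, and then picks a server for a client flow with a CRC32-based hash. The hash is an assumption chosen for illustration and is not the OmniSwitch ECMP algorithm; it shows why the same client sticks to one server while a different client address, or a server dropping out of service, can land a flow elsewhere.

```python
import re
import zlib
from ipaddress import ip_address

# Constructed "show ip slb servers" output modelled on the lab table (not a capture);
# server .102 has been taken out of service so the check has something to exclude.
SHOW_IP_SLB_SERVERS = """\
                                  Admin    Operational     %
IP addr          Cluster Name     Status   Status        Avail
---------------+-----------------------+--------+--------------+-----
192.168.110.101  WorldWideWeb     Enabled  In Service      100
192.168.110.102  WorldWideWeb     Enabled  Out of Service    0
192.168.110.103  WorldWideWeb     Enabled  In Service      100
"""

ROW = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<cluster>\S+)\s+(?P<admin>\S+)\s+"
    r"(?P<oper>.+?)\s+(?P<avail>\d+)\s*$"
)


def parse_slb_servers(text):
    """Return one dict per server row; header and ruler lines are skipped."""
    servers = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["avail"] = int(row["avail"])
            servers.append(row)
    return servers


def in_service(servers, cluster):
    """Servers of one cluster that can actually receive traffic, in a stable order."""
    return sorted(s["ip"] for s in servers
                  if s["cluster"] == cluster and s["admin"] == "Enabled"
                  and s["oper"] == "In Service")


def pick_server(client_ip, vip, candidates):
    """Illustrative flow hash: CRC32 over (client, VIP) modulo the candidate count.

    This is an assumption for demonstration, not the OmniSwitch ECMP hash.
    It is deterministic for a given client, so repeated connections land on
    the same server, while a different client address can map elsewhere.
    """
    if not candidates:
        return None
    key = ip_address(client_ip).packed + ip_address(vip).packed
    return candidates[zlib.crc32(key) % len(candidates)]


if __name__ == "__main__":
    vip = "192.168.110.100"
    pool = in_service(parse_slb_servers(SHOW_IP_SLB_SERVERS), "WorldWideWeb")
    print("in-service pool:", pool)
    for client in ("192.168.110.10", "192.168.110.11", "192.168.110.12"):
        print(f"{client} -> {pick_server(client, vip, pool)}")
```

Run it once, then change one of the client addresses and run it again to see the assignment move, which is the same experiment the paragraph above performs by hand with client 5.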

2.6. SLB Load Balancing – Self Guided Section


Use the knowledge gained from the lecture and previous sections of this lab to configure WRR load balancing,
a backup-server scenario, and the hashing modes (brief or extended).

3 Summary
This lab introduced the configuration of the Server Load Balancing feature of an OmniSwitch. Load
balancing distributes traffic over multiple servers behind a single virtual IP address that receives all
client requests.

4 Lab Check
- What is an advantage of configuring SLB?
.........................................................................................................................
.........................................................................................................................
- What is the purpose of the Virtual IP address?
.........................................................................................................................
.........................................................................................................................
- What is the purpose of the MS Loopback Adapter?
.........................................................................................................................
.........................................................................................................................
OmniSwitch AOS R6

Link Aggregation

How to
✓ This lab is designed to familiarize you with Static link aggregation.

Contents
1 Topology
2 Link Aggregation – Static option
2.1. Create a Static Link Aggregation
2.2. Test the configuration
3 Lab Check

1 Topology
Link Aggregation provides the ability to combine multiple physical ports into a single logical port for added
throughput and redundancy; this can be done statically using OmniChannel or dynamically using the IEEE
802.3ad (LACP) protocol.

2 Link Aggregation – Static option

2.1. Create a Static Link Aggregation


- Define a static link aggregate and set its size on both 6450s by typing:
6450 -> static linkagg 5 size 2

Notes
In this example, 5 represents the aggregate identifier and 2 is the maximum number of ports in the aggregate

- Check to see what you have done; notice the operational status is DOWN.
- Type:
-> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
5 Static 40000005 2 ENABLED DOWN 0 0

6450 -> show linkagg 5


Static Aggregate
SNMP Id : 40000005,
Aggregate Number : 5,
SNMP Descriptor : Omnichannel Aggregate Number 5 ref 40000005 size 2,
Name : ,
Admin State : ENABLED,
Operational State : DOWN,
Aggregate Size : 2,
Number of Selected Ports : 0,
Number of Reserved Ports : 0,
Number of Attached Ports : 0,
Primary Port : NONE
Port Selection Hash : Source Destination Ip,
Wait To Restore Time : 0 Minutes

- Add ports to your aggregate; type on both 6450s:

6450 -> static agg 1/11 agg num 5


6450 -> static agg 1/12 agg num 5
Notes
If ports 1/11 and 1/12 of the 6450 are not available, the 6450 still has its stack configuration.
Go to the “Stacking” lab and follow the commands from the part “Delete the Stack”.

- In this example, ports 1/11 and 1/12 are added to aggregate 5 on the 6450.

- Let’s see what we have accomplished. Type:


-> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
5 Static 40000005 2 ENABLED DOWN 0 2

6450 -> show linkagg 5


Static Aggregate
SNMP Id : 40000005,
Aggregate Number : 5,
SNMP Descriptor : Omnichannel Aggregate Number 5 ref 40000005 size 2,
Name : ,
Admin State : ENABLED,
Operational State : DOWN,
Aggregate Size : 2,
Aggregate Min-Size : 1,
Number of Selected Ports : 2,
Number of Reserved Ports : 2,
Number of Attached Ports : 0,
Primary Port : NONE

-> show linkagg port

- Now, connect the switches by enabling the aggregated interfaces:


6450 -> interfaces 1/11-12 admin up

Notes
Ports don't necessarily have to be the same on both ends of the link.

- Using the commands you learned earlier, compare the outputs:


-> show linkagg

Number Aggregate SNMP Id Size Admin State Oper State Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
5 Static 40000005 2 ENABLED UP 2 2

6450 -> show linkagg 5


Static Aggregate
SNMP Id : 40000005,
Aggregate Number : 5,
SNMP Descriptor : Omnichannel Aggregate Number 5 ref 40000005 size 2,
Name : ,
Admin State : ENABLED,
Operational State : UP,
Aggregate Size : 2,
Number of Selected Ports : 2,
Number of Reserved Ports : 2,
Number of Attached Ports : 2,
Primary Port : 1/1/11,
Port Selection Hash : Source Destination Ip,
Wait To Restore Time : 0 Minutes

-> show linkagg port

2.2. Test the configuration


- By default, the linkagg is associated with VLAN 1. In order to test connectivity, assign an IP address to this
VLAN:

Notes
6450-A already has an IP address assigned to VLAN 1 from the previous lab.

6450-A -> ip interface int_1 address 192.168.10.5/24 vlan 1


6450-B -> ip interface int_1 address 192.168.10.6/24 vlan 1

- Ping between the two 6450s (or the two 6860s):


6450-A -> ping 192.168.10.6
PING 192.168.10.6: 56 data bytes
64 bytes from 192.168.10.6: icmp_seq=0. time=171. ms
64 bytes from 192.168.10.6: icmp_seq=1. time=2. ms
64 bytes from 192.168.10.6: icmp_seq=2. time=2. ms
64 bytes from 192.168.10.6: icmp_seq=3. time=2. ms
64 bytes from 192.168.10.6: icmp_seq=4. time=14. ms
64 bytes from 192.168.10.6: icmp_seq=5. time=68. ms
----192.168.10.6 PING Statistics----
6 packets transmitted, 6 packets received, 0% packet loss
round-trip (ms) min/avg/max = 2/43/171

Notes
There’s no link between 6860 and 6450, so it’s not possible to make a ping between them.

- To demonstrate the redundancy capabilities, experiment with removing a link and monitor the results of
your ping tests.
Tips
You can use the command ping <dest_ip_address> count <number> to send more than 6 pings.
To break a ping sequence, press CTRL+C.
To simulate a link failure, you can bring down the corresponding interface:
interfaces slot/port admin down (6450)
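An added example, not from the lab guide, for reading the "show linkagg" summary during the redundancy test: a Python parser for constructed copies of the table (modelled on the lab output, not captures) that distinguishes an aggregate that is UP at full size from one that is still UP but has lost a member link (the redundancy is gone and throughput is reduced) and one that is DOWN. The min-size threshold mirrors the "Aggregate Min-Size" field shown earlier and defaults to 1; the column layout of the samples is assumed to match the lab output.

```python
import re

# Constructed "show linkagg" summaries modelled on the lab outputs (not real captures):
# the same aggregate at full strength, with one member link lost, and fully down.
SHOW_LINKAGG_HEALTHY = """\
Number  Aggregate  SNMP Id   Size  Admin State  Oper State  Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
     5   Static    40000005    2    ENABLED      UP            2    2
"""
SHOW_LINKAGG_DEGRADED = """\
Number  Aggregate  SNMP Id   Size  Admin State  Oper State  Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
     5   Static    40000005    2    ENABLED      UP            1    2
"""
SHOW_LINKAGG_DOWN = """\
Number  Aggregate  SNMP Id   Size  Admin State  Oper State  Att/Sel Ports
-------+----------+---------+----+------------+--------------+-------------
     5   Static    40000005    2    ENABLED      DOWN          0    2
"""

ROW = re.compile(
    r"^(?P<num>\d+)\s+(?P<kind>\S+)\s+(?P<snmp>\d+)\s+(?P<size>\d+)\s+"
    r"(?P<admin>\S+)\s+(?P<oper>\S+)\s+(?P<att>\d+)\s+(?P<sel>\d+)\s*$"
)


def parse_linkagg(text):
    """Return one dict per aggregate row of a 'show linkagg' summary."""
    aggs = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("num", "size", "att", "sel"):
                row[key] = int(row[key])
            aggs.append(row)
    return aggs


def assess(agg, min_size=1):
    """Classify an aggregate as 'down', 'degraded' or 'healthy'.

    min_size mirrors the 'Aggregate Min-Size' field: the aggregate is only
    usable when at least that many ports are attached.
    """
    if agg["admin"] != "ENABLED" or agg["oper"] != "UP" or agg["att"] < min_size:
        return "down"
    if agg["att"] < agg["size"]:
        return "degraded"  # still forwarding, but the redundancy tested above is gone
    return "healthy"


def report(text, min_size=1):
    """Map aggregate number -> state for every aggregate in the output."""
    return {agg["num"]: assess(agg, min_size) for agg in parse_linkagg(text)}


if __name__ == "__main__":
    for label, sample in (("before", SHOW_LINKAGG_HEALTHY),
                          ("one link pulled", SHOW_LINKAGG_DEGRADED),
                          ("both links down", SHOW_LINKAGG_DOWN)):
        print(f"{label:16s} {report(sample)}")
```

The "degraded" state is the one worth alerting on: the pings in the exercise keep succeeding, so nothing visible fails, yet a second link loss would take the aggregate down.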

- We will now perform a similar configuration exercise using the IEEE 802.3ad standard (LACP). Before
proceeding remove the static link aggregation group you created. You can either return your switch to
factory default or remove them manually. Note that you cannot delete a link aggregation group if there
are ports still associated with it:
6450 -> no static linkagg 5
ERROR: LAERR53 Static aggregate not empty deletion failed

6450 -> static agg no 1/11


6450 -> static agg no 1/12
6450 -> no static linkagg 5

- Ensure the link aggregation groups are removed on both switches as described above. There is no need to
disconnect the physical connections to continue to the next lab section.

3 Lab Check

What command is used to check the status of a particular link aggregate?


OmniSwitch AOS R6/R8
6560 Virtual Chassis

Objective
✓ This lab is designed to familiarize you with the OmniSwitch 6560 Virtual
Chassis feature (VC) and its configuration.

Contents
1 Configuring a Virtual Chassis of two OmniSwitch 6560s
2 Monitoring the Virtual Chassis

1 Configuring a Virtual Chassis of two OmniSwitch 6560s

In this part, we will configure a Virtual Chassis ID on each switch and group both switches in Virtual Chassis Group 1.

- Assign a globally unique chassis identifier to the switch and enable the switch to operate in virtual chassis
mode, on both 6560:
6560-A -> show virtual-chassis topology
6560-A -> virtual-chassis chassis-id 1 configured-chassis-id 1
6560-A -> virtual-chassis chassis-group 1
6560-A -> show virtual-chassis topology

6560-B-> show virtual-chassis topology


6560-B-> virtual-chassis chassis-id 1 configured-chassis-id 2
6560-B-> virtual-chassis chassis-group 1
6560-B-> show virtual-chassis topology

- To make 6560-A the master chassis, assign it the highest chassis priority:
6560-A -> virtual-chassis configured-chassis-priority 200

- Configure a virtual fabric link (VFL) and member ports for the VFL:
6560-A -> virtual-chassis auto-vf-link-port 1/1/25
6560-A -> virtual-chassis auto-vf-link-port 1/1/26
6560-A -> write memory

6560-B-> virtual-chassis auto-vf-link-port 1/1/25


6560-B-> virtual-chassis auto-vf-link-port 1/1/26
6560-B-> write memory

The VFL is an aggregate of high-speed ports used between the peers for inter-chassis traffic and control data,
carried in the IPC VLAN.

- Enable the corresponding interface


6560-A -> interfaces 1/1/25 admin-state enable
6560-A -> interfaces 1/1/26 admin-state enable
6560-A -> write memory

6560-B-> interfaces 1/1/25 admin-state enable


6560-B-> interfaces 1/1/26 admin-state enable
6560-B-> write memory

- Check that the virtual fabric links (VFL) have been created:
6560-A -> show virtual-chassis vf-link
6560-A -> show virtual-chassis vf-link member-port

6560-B -> show virtual-chassis vf-link


6560-B -> show virtual-chassis vf-link member-port
- Reload the switch after converting the configuration


6560-A -> reload from working no rollback-timeout

6560-B -> reload from working no rollback-timeout

Notes
At the end of Chassis role election process, the Slave chassis will reboot to initialize its parameters and chassis
status.

2 Monitoring the Virtual Chassis


Wait for a moment after reboot, then verify the Virtual-Chassis status settings and the chassis roles.
- Check the virtual-chassis topology:
6560-A -> show virtual-chassis topology
Local Chassis: 1
Oper Config Oper
Chas Role Status Chas ID Pri Group MAC-Address
-----+------------+-------------------+--------+-----+------+------------------
1 Master Running 1 200 1 2c:fa:a2:aa:32:a1
2 Slave Running 2 100 1 2c:fa:a2:a2:f1:9d

- If the status of the OS6560 is not “Running”, check that the System Ready is set to Yes with the command:
6560-A -> debug show virtual-chassis topology
Local Chassis: 1
Oper Config Oper System
Chas Role Status Chas ID Pri Group MAC-Address Ready
-----+------------+-------------------+--------+-----+------+------------------+-------
1 Master Running 1 200 1 2c:fa:a2:aa:32:a1 Yes
2 Slave Running 2 100 1 2c:fa:a2:a2:f1:9d Yes

Notes
The chassis role determines which switch is the master of the Virtual Chassis.
The Master and Slave roles are only active when the operational status of the virtual-chassis feature is up for
both chassis.

- Display the different ports belonging to the VFL link, type:


6560-A -> show virtual-chassis vf-link

VFLink mode: Auto

Primary Config Active Def Speed


Chassis/VFLink ID Oper Port Port Port Vlan Type
-------------------+----------+---------+-------+-------+---------+-----------
1/0 Up 1/1/25 2 2 1 10G
2/0 Up 2/1/25 2 2 1 10G

6560-A -> show virtual-chassis vf-link member-port


VFLink mode: Auto

Chassis/VFLink ID Chassis/Slot/Port Oper Is Primary


-------------------+------------------+----------+-------------
1/0 1/1/25 Up Yes
1/0 1/1/26 Up No
2/0 2/1/25 Up Yes
2/0 2/1/26 Up No

Notes
The “Is Primary” field defines the primary port of the virtual fabric link.
- Verify the consistency of system-level mandatory parameters between the two chassis:

6560-A -> show virtual-chassis consistency

Legend: * - denotes mandatory consistency which will affect chassis status


licenses-info - A: Advanced; B: Data Center;

Config Oper Oper Config


Chas Chas Chas Hello Control Control
Chas* ID Status Type* Group* Interv Vlan* Vlan License*
------+------+---------+-------+------+-------+--------+--------+----------
1 1 OK OS6560 1 15 4094 4094 A
2 2 OK OS6560 1 15 4094 4094 A

Notes
The two chassis in the same Virtual-Chassis group must maintain identical configuration and operational
parameters.
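An added example (not part of the training material) that applies the legend of "show virtual-chassis consistency": a Python script parses a constructed copy of the table, treats every column whose header carries the "*" marker as mandatory, and reports any mandatory parameter that differs between the two chassis (chassis IDs are mandatory as well, but must be unique rather than equal). The second sample deliberately carries a mismatched Oper Control Vlan on chassis 2; the column order is assumed to match the output above.

```python
# Constructed "show virtual-chassis consistency" outputs in the lab's layout (not captures).
# The second sample deliberately carries a different Oper Control Vlan on chassis 2.
SHOW_CONSISTENCY_OK = """\
Legend: * - denotes mandatory consistency which will affect chassis status
        licenses-info - A: Advanced; B: Data Center;

        Config   Oper              Oper    Config
        Chas     Chas     Chas     Hello   Control  Control
Chas*   ID       Status   Type*    Group*  Interv   Vlan*    Vlan     License*
------+------+---------+-------+------+-------+--------+--------+----------
  1      1      OK       OS6560   1       15      4094     4094     A
  2      2      OK       OS6560   1       15      4094     4094     A
"""
SHOW_CONSISTENCY_MISMATCH = SHOW_CONSISTENCY_OK.replace(
    "  2      2      OK       OS6560   1       15      4094     4094     A",
    "  2      2      OK       OS6560   1       15      4093     4094     A",
)

# Column names in table order, with the legend's '*' kept on the mandatory ones.
COLUMNS = [
    "Chas*", "Config Chas ID", "Oper Chas Status", "Chas Type*", "Chas Group*",
    "Hello Interv", "Oper Control Vlan*", "Config Control Vlan", "License*",
]
MANDATORY = [c for c in COLUMNS if c.endswith("*")]


def parse_consistency(text):
    """Return one dict per chassis row; legend, header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == len(COLUMNS) and tokens[0].isdigit():
            rows.append(dict(zip(COLUMNS, tokens)))
    return rows


def find_inconsistencies(text):
    """Map each mandatory column that differs between chassis to its per-chassis values."""
    rows = parse_consistency(text)
    problems = {}
    # Chassis identifiers are mandatory too, but they must be unique rather than equal.
    ids = [r["Chas*"] for r in rows]
    if len(ids) != len(set(ids)):
        problems["Chas*"] = ids
    for col in MANDATORY:
        if col == "Chas*":
            continue
        values = {r["Chas*"]: r[col] for r in rows}
        if len(set(values.values())) > 1:
            problems[col] = values
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SHOW_CONSISTENCY_OK), ("mismatch", SHOW_CONSISTENCY_MISMATCH)):
        print(label, find_inconsistencies(sample) or "all mandatory parameters consistent")
```

Only the starred columns decide the chassis status, so a difference in a non-starred column such as Hello Interv is reported as nothing; that matches the legend rather than flagging every difference.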

- At the end of this exercise, reinitialize both 6560:


o First, click on the reset shortcut of the MASTER 6560 (ex. 6560-A)

o Then, wait for the SLAVE to restart completely


o Finally, click on the other 6560’s reset shortcut (ex. 6560-B)
OmniSwitch AOS R6/R8

Access Guardian - Captive Portal


Objectives

At the end of this presentation, you will be able to

◼ Describe and Manage the Captive Portal

◼ Monitor the management


Captive Portal - Overview
◼ Web portal for collecting user credentials
◼ Can be applied to supplicants and non-supplicants
⚫ When a user who is not yet authenticated launches a browser, a web page is served to ask for credentials
⚫ Still requires RADIUS for authentication
⚫ Has its own fail/pass policies

[Diagram: a user browses to http://www.alcatel-lucent.com; the switch intercepts the request and replies “You have to log in first!”, then checks the credentials against the AAA RADIUS server.]

◼ Useful for guests or contractors who need temporary, controlled access to the enterprise network
◼ Integrated with the rest of the policies
Captive Portal - Another Access Guardian Policy
[Flow diagram: Supplicant? Yes → 802.1X authentication, No → MAC authentication. Each Pass or Fail branch leads to one of RADIUS Profile, Captive Portal, Group mobility, Profile or Block. The Captive Portal branch starts its own Pass (RADIUS Profile, Group mobility, Profile, Block) and Fail (Block) outcomes.]
◼ Policies can be interchanged
◼ Some policies (Captive portal, Profile, Block) are terminal policies (cannot be followed by other policies)
◼ Captive Portal policy will start a new authentication branch
◼ “Fail” branches will only classify devices into non-authenticated Profiles
Captive Portal - Example
[Flow diagram: Supplicant? Yes → 802.1X: Pass → RADIUS Profile (enterprise users with 802.1X-capable devices), Fail → Captive Portal. No → MAC auth: Pass → Group mobility Profile (known devices: printers, IP phones, etc.), Fail → Captive Portal. Captive Portal: Pass → Profile (unknown users: guests, contractors), Fail → Block. Terminal states shown: Default VLAN, Block.]

Captive Portal - Concept
[Diagram: a supplicant or non-supplicant user connects to the switch, which acts as DHCP and DNS server during the pre-authentication phase with a default DHCP scope of 10.123.0.0/16, default gateway 10.123.0.1 and DNS server 10.123.0.1.
Pre-authentication phase (1): the client sends a DHCP request and receives a DHCP offer from the switch, then sends a DNS request for http://www.alcatel-lucent.com.
Authentication phase (2): the switch answers the HTTP request with a redirect to the captive portal login page and validates the credentials against the AAA RADIUS server.]
Captive Portal - Customization
◼ Logo

◼ Welcome text

◼ Background image

◼ Company policy file

◼ Customizable banner image

◼ Associated Help pages

R6: /flash/switch
• cpPolicy.html
• logo.png (preferred), jpg, gif
• background.png, jpg, gif
• banner.jpg
• cpLoginWelcome.inc
• cpStatusWelcome.inc
• cpFailWelcome.inc
• cpLoginHelp.html
• cpStatusHelp.html
• cpFailHelp.html
• cpBypassHelp.html

R8: /flash/switch/captive_portal/custom_files
• /assets
• /images/logo.jpg
• /pages/cportal_policy.pdf
• /scripts/cportal_scripts.js
• /styles/cportal_style.css
• /templates
• cportal_login.html
• cportal_redirect.html
• cportal_status.html
• error404.html
• qmr_quarantined.html
• unauth.html

[Screenshot: a customized login page showing the company logo and the “My Company Welcome text message”.]
Captive Portal - Customization
◼ Configuring a different subnet for the Captive Portal IP address

⚫ R6 -> 802.1X captive-portal address 10.124.0.1


⚫ R8 -> captive-portal ip-address 10.124.0.1

◼ URL redirection
⚫ capability of redirecting the user to a
 Redirection URL upon successful authentication
 Redirection URL upon failure/bypass authentication (not supported in R8)

⚫ R6 -> 802.1x captive-portal success-redirect-url http://test-cp.com/success.html

⚫ R8 -> captive-portal success-redirect-url http://test-cp.com/success.html
⚫ R6 -> 802.1x captive-portal fail-redirect-url http://test-cp.com/fail.html
⚫ R8 -> fail redirect not supported
Captive Portal - Authentication - Configuration

R6 -> 802.1x slot/port captive-portal policy authentication
pass {group-mobility | vlan vid | default-vlan | block}
fail {group-mobility | vlan vid | default-vlan | block}
R8 -> unp profile profile_name captive-portal-authentication

(These policies are used when a successful CP authentication does not return a VLAN ID, returns a VLAN ID that does not exist, or when CP authentication fails.)

• For both pass and fail policies, the order in which parameters are specified determines the order in
which they are applied
• Each type of policy must end with either default-vlan, block, or captive-portal
• The terminal parameter block is used by default
Access Guardian – Port-Templates (R8)
◼ AAA Profile
⚫ Specifies the default AAA profile for the port Template

◼ Default Edge-Profile
⚫ When the template is attached to a UNP port/linkagg, any existing default profile is
overridden

◼ Pass-alternate
⚫ If classification does not return a valid UNP then the pass-alternate is assigned
Access Guardian - Application Example
Supplicant/Non-Supplicant with Captive Portal Authentication
◼ Corporate supplicant device
⚫ Passes 802.1X authentication
⚫ Assigned a UNP-corporate
◼ Corporate user with non-supplicant, non-corporate device
⚫ Does not trigger 802.1X authentication
⚫ Fails MAC authentication
⚫ Gets the temporary UNP-captive_portal
⚫ Captive Portal assigns UNP-corporate after successful authentication
◼ Guest supplicant device
⚫ Fails 802.1X authentication
⚫ Gets the temporary UNP-captive_portal
⚫ Captive Portal assigns UNP-guest after successful authentication
◼ Guest non-supplicant device
⚫ Fails 802.1X authentication
⚫ Fails MAC authentication
⚫ Gets the temporary UNP-captive_portal
⚫ Captive Portal assigns UNP-guest after successful authentication
◼ Allowed devices
⚫ Passes MAC authentication
⚫ Assigned UNP-allowed_devices
Supplicant/Non-Supplicant with Captive Portal Authentication

[Flow diagram: Supplicant? Yes → 802.1X: Pass → UNP_Corporate, Fail → Captive Portal. No → MAC auth: Pass → UNP_devices, Fail → Captive Portal. Captive Portal: Pass → UNP_Guest or UNP_Corporate, Fail → Block.]
Supplicant/Non-Supplicant with Captive Portal Authentication
1. Configure a RADIUS Server
R6/R8 -> aaa radius-server radius_server host 10.2.3.4 hash-key secret

2. Configure authentication parameters


R6 -> aaa authentication 802.1x radius_server
R6 -> aaa authentication mac radius_server

R8 -> aaa device-authentication 802.1x radius_server


R8 -> aaa device-authentication mac radius_server
R8 -> aaa device-authentication captive-portal radius_server

3. Create the required VLANs

R6/R8 -> vlan 10 name "corporate"
R6/R8 -> vlan 20 name "guest"
R6/R8 -> vlan 30 name "devices"
R8 -> vlan 40 name "captive_portal"

In release 6 the captive portal is configured after a pass or failed authentication of the supplicant or
non-supplicant rule; it then inherits the associated RADIUS server.
Supplicant/Non-Supplicant with Captive Portal Authentication
4. Create the required User Network Profiles and map them to the associated
VLAN
R6 -> aaa user-network-profile name "UNP-corporate" vlan 10
R6 -> aaa user-network-profile name "UNP-guest" vlan 20
R6 -> aaa user-network-profile name "UNP-devices" vlan 30

R8 -> unp profile "UNP-corporate"


R8 -> unp profile "UNP-guest"
R8 -> unp profile "UNP-devices"
R8 -> unp profile "UNP-default"
R8 -> unp profile "UNP-captive_portal"
R8 -> unp profile "UNP-corporate" map vlan 10
R8 -> unp profile "UNP-guest" map vlan 20
R8 -> unp profile "UNP-devices" map vlan 30
R8 -> unp profile "UNP-captive_portal" map vlan 40
R8 -> unp profile "UNP-captive_portal" captive-portal-authentication
Supplicant/Non-Supplicant with Captive Portal Authentication
5. Configure authentication on port (R6)
R6 -> vlan port mobile 1/1
R6 -> vlan port 1/1 802.1x enable
R6 -> 802.1x 1/1 supplicant policy authentication pass user-network-profile UNP-corporate block fail captive-portal

After successful 802.1x authentication, if the RADIUS server doesn't return a valid UNP, force UNP-corporate.
If 802.1x fails, redirect to captive portal authentication.

R6 -> 802.1x 1/1 non-supplicant policy authentication pass user-network-profile UNP-devices block fail captive-portal

After successful MAC authentication, if the RADIUS server doesn't return a valid UNP, force UNP-devices.
If MAC authentication fails, redirect to captive portal authentication.

R6 -> 802.1x 1/1 captive-portal policy authentication pass user-network-profile UNP-guest block fail block

After successful captive portal authentication, if the RADIUS server doesn't return a valid UNP, force
UNP-guest. If captive portal authentication fails, block the device.
Supplicant/Non-Supplicant with Captive Portal Authentication
5. Configure authentication on bridge port (R8)
R8 -> unp port 1/1/1 default-profile UNP-captive_portal
R8 -> unp port 1/1/1 802.1x-authentication enable pass-alternate UNP-corporate

After successful 802.1x authentication, if the RADIUS server doesn't return a valid UNP, force UNP-corporate. If
802.1x fails, the device is assigned UNP-captive_portal, on which captive portal authentication is configured.

R8 -> unp port 1/1/1 mac-authentication enable pass-alternate UNP-devices

After successful MAC authentication, if the RADIUS server doesn't return a valid UNP, force UNP-devices. If MAC
authentication fails, the device is assigned UNP-captive_portal, on which captive portal authentication is configured.

R8 -> captive-portal authentication-pass profile UNP-guest

After successful Captive Portal authentication, if the RADIUS server doesn't return a valid UNP, force UNP-guest.
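The R8 port settings above (default-profile, the two pass-alternate profiles and the captive-portal authentication-pass profile) decide which UNP a device ends in. As an added example, not code from the slides or from AOS, the following Python model encodes that decision for the five device types listed on the "Application Example" slide; the data classes, the "block" outcome on captive portal failure (taken from the flow diagram) and the "pending" state for a device that has not yet opened a browser are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UnpPortConfig:
    """Port-level settings from the R8 commands on the slide (field names are this model's)."""
    default_profile: str          # unp port ... default-profile
    dot1x_pass_alternate: str     # unp port ... 802.1x-authentication enable pass-alternate
    mac_pass_alternate: str       # unp port ... mac-authentication enable pass-alternate
    cp_pass_profile: str          # captive-portal authentication-pass profile
    cp_profiles: frozenset        # profiles configured with captive-portal-authentication
    known_profiles: frozenset     # every 'unp profile' that exists on the switch


@dataclass(frozen=True)
class DeviceAttempt:
    """What happened for one device: the first authentication step and, if reached, the portal."""
    supplicant: bool
    auth_passed: bool                 # 802.1X result (supplicant) or MAC auth result (non-supplicant)
    auth_unp: Optional[str] = None    # UNP name returned by RADIUS for that step, if any
    cp_passed: Optional[bool] = None  # None: portal not yet attempted
    cp_unp: Optional[str] = None      # UNP name returned by RADIUS for the portal login, if any


# Values taken from the slide's step 4 profile list and step 5 (R8) port commands.
PORT = UnpPortConfig(
    default_profile="UNP-captive_portal",
    dot1x_pass_alternate="UNP-corporate",
    mac_pass_alternate="UNP-devices",
    cp_pass_profile="UNP-guest",
    cp_profiles=frozenset({"UNP-captive_portal"}),
    known_profiles=frozenset({"UNP-corporate", "UNP-guest", "UNP-devices",
                              "UNP-default", "UNP-captive_portal"}),
)


def _resolve(returned, alternate, known):
    """A RADIUS-returned UNP is used only if it exists on the switch; otherwise the pass-alternate."""
    return returned if returned in known else alternate


def classify(port, attempt):
    """Return (final profile, trace) where trace lists (step, outcome, profile) in order."""
    step = "802.1X" if attempt.supplicant else "MAC"
    trace = []
    if attempt.auth_passed:
        alternate = port.dot1x_pass_alternate if attempt.supplicant else port.mac_pass_alternate
        profile = _resolve(attempt.auth_unp, alternate, port.known_profiles)
        trace.append((step, "pass", profile))
    else:
        # Authentication failure leaves the device in the port's default profile.
        profile = port.default_profile
        trace.append((step, "fail", profile))

    # The captive portal only runs for profiles that carry captive-portal-authentication.
    if profile in port.cp_profiles:
        if attempt.cp_passed is None:
            trace.append(("captive-portal", "pending", profile))  # user has not logged in yet
        elif attempt.cp_passed:
            profile = _resolve(attempt.cp_unp, port.cp_pass_profile, port.known_profiles)
            trace.append(("captive-portal", "pass", profile))
        else:
            profile = "block"  # flow diagram: captive portal Fail -> Block (assumption of this model)
            trace.append(("captive-portal", "fail", profile))
    return profile, trace


if __name__ == "__main__":
    cases = {
        "corporate supplicant": DeviceAttempt(True, True, "UNP-corporate"),
        "corporate user, non-corporate device": DeviceAttempt(False, False, cp_passed=True, cp_unp="UNP-corporate"),
        "guest supplicant": DeviceAttempt(True, False, cp_passed=True),
        "guest non-supplicant": DeviceAttempt(False, False, cp_passed=True),
        "allowed device": DeviceAttempt(False, True, "UNP-devices"),
    }
    for label, attempt in cases.items():
        print(f"{label:40s} -> {classify(PORT, attempt)[0]}")
```

The point the model makes explicit is that a RADIUS attribute naming a profile that does not exist on the switch is silently replaced by the pass-alternate, so a typo on the RADIUS side lands the device in the fallback profile rather than failing authentication.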
OmniSwitch AOS R8

Anycast RP
Lesson Summary

At the end of this presentation, you will be able to

◼ Describe Anycast RP functionality

◼ Summarize the PIM Anycast-RP configuration steps

Anycast RP
◼ GOAL
⚫ Provide fast convergence when a PIM rendezvous point (RP) router fails, and RP load-sharing
⚫ Anycast addressing is a generic concept and is used in PIM sparse mode to add load balancing and service reliability to RPs
◼ RFC
⚫ RFC 4610 Anycast-RP Using Protocol Independent Multicast (PIM)
⚫ RFC 7761 Protocol Independent Multicast - Sparse Mode (PIM-SM)
⚫ RFC 5060 Protocol Independent Multicast MIB
[Diagram, shown twice: a source (server) sends Register messages towards the RPs (RP1, RP2) across an OSPF network; client Receiver 1 and Receiver 2 are attached beyond the RPs.]
Anycast RP
◼ HOW IT WORKS
⚫ Uses a single statically defined RP address (set on a Loopback interface): ip pim static-rp 231.0.0.0/8 10.10.10.1
 The RP routers share this Loopback IP address, announced as a host address by the unicast IGP
⚫ Senders and receivers exchange messages with the nearest RP
 Determined by the unicast routing table (IGP)
⚫ In case of a failure, the convergence is the same as the IGP
⚫ Sources from one RP are known to the other
[Diagram: RP1 and RP2 both carry “Loopback1” 10.10.10.1; the source registers with the nearest RP over OSPF, and Receiver 1 and Receiver 2 reach the RP along their own nearest path.]
Anycast RP
◼ Hardware Requirements

◼ Software Requirements as specified in RFC 4610

⚫ This feature will only be supported with PIM-SM


 not supported with PIM-DM, PIM-BIDIR or PIM-SSM

⚫ Maximum of 8 Anycast RP routers to be configured statically

⚫ SPT must be enabled when supporting Anycast-RP


Anycast RP Configuration
◼ Step by Step

⚫ Here, we define the specific configuration needed to manage Anycast-RP.

⚫ The rest of the network configuration including additional IP interfaces, PIM Interfaces
and OSPF configuration to complete the network setup is outside the scope of this
example

Configure a dedicated Loopback interface

Configure a static RP for a range of multicast groups

Set of router that will act as RPs for the Anycast-RP address

Configure Non-RP Router


Anycast RP Configuration
◼ Step by Step

Configure a dedicated Loopback interface
 Configure a static RP
 Statically configure the RP address used with Anycast-RP (unique ID)
 The RP address is 10.10.10.1, configured on a Loopback1 interface on both routers
 OSPF has been configured on both routers, so this Loopback1 address is advertised in OSPF to all routers in the network

RP1: ip interface “Loopback1” address 10.10.10.1
RP2: ip interface “Loopback1” address 10.10.10.1
Non-RP: (no Loopback1 shown)

Configure a static RP for a range of multicast groups
 The group address range that the Anycast-RPs will be responsible for
 The Anycast-RP address

Sw1 (RP1): ip pim static-rp 231.0.0.0/8 10.10.10.1
Sw7 (RP2): ip pim static-rp 231.0.0.0/8 10.10.10.1
Sw8 (Non-RP): ip pim static-rp 231.0.0.0/8 10.10.10.1

 Note: This static configuration should exist on all PIM routers in the PIM domain, not just
those routers that are participating in the Anycast-RP set.
Anycast RP Configuration
◼ Step by Step

Set of routers that will act as RPs for the Anycast-RP address
 Configure the RP set using the Loopback0 managed previously on each switch
 This is the set of all routers which would act as the RP
 Need a LoopbackX interface on each prospective RP router, which is different than the LoopbackX
that is being used as the RP address
 Eg: Loopback0 : 192.168.254.x (x identifies the router)

Sw1 (RP1, Loopback0 : 192.168.254.1):
ip pim anycast-rp 10.10.10.1 192.168.254.1
ip pim anycast-rp 10.10.10.1 192.168.254.7

Sw7 (RP2, Loopback0 : 192.168.254.7):
ip pim anycast-rp 10.10.10.1 192.168.254.1
ip pim anycast-rp 10.10.10.1 192.168.254.7

Sw8 (Non-RP, Loopback0 : 192.168.254.8): no anycast-rp configuration

Configure Non-RP Router
 All other PIM routers that are NOT participating in the Anycast-RP set will still have the
PIM configuration defining the RP, but will not have the anycast-rp specific configuration.

Sw8 (Non-RP, Loopback0 : 192.168.254.8): ip pim static-rp 231.0.0.0/8 10.10.10.1
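The two rules the slides insist on, that the static-rp mapping must exist on every PIM router while the anycast-rp set must be identical on every RP router, are easy to get wrong when several switches are configured by hand. As an added example, not part of the course material, the Python check below parses constructed configuration excerpts (written in the command syntax shown on the slides, not captured from the lab switches) for Sw1, Sw7 and Sw8 and reports missing static-rp entries, RP sets that differ between routers, an RP whose own Loopback0 is not in the set, an RP address that is on no loopback or sits on Loopback0 itself, and a set larger than the 8-router maximum from the requirements slide. The function names and the dictionary layout are this example's own.

```python
import re

# Constructed configuration excerpts in the command syntax shown on the slides.
# They are sample inputs for this check, not captures from the lab switches.
CONFIGS = {
    "Sw1": """\
ip interface "Loopback0" address 192.168.254.1
ip interface "Loopback1" address 10.10.10.1
ip pim static-rp 231.0.0.0/8 10.10.10.1
ip pim anycast-rp 10.10.10.1 192.168.254.1
ip pim anycast-rp 10.10.10.1 192.168.254.7
""",
    "Sw7": """\
ip interface "Loopback0" address 192.168.254.7
ip interface "Loopback1" address 10.10.10.1
ip pim static-rp 231.0.0.0/8 10.10.10.1
ip pim anycast-rp 10.10.10.1 192.168.254.1
ip pim anycast-rp 10.10.10.1 192.168.254.7
""",
    "Sw8": """\
ip interface "Loopback0" address 192.168.254.8
ip pim static-rp 231.0.0.0/8 10.10.10.1
""",
}

MAX_ANYCAST_RPS = 8  # static Anycast-RP set limit stated on the requirements slide

LOOPBACK = re.compile(r'^ip interface "(?P<name>[^"]+)" address (?P<ip>\S+)')
STATIC_RP = re.compile(r"^ip pim static-rp (?P<range>\S+) (?P<rp>\S+)")
ANYCAST_RP = re.compile(r"^ip pim anycast-rp (?P<rp>\S+) (?P<member>\S+)")


def parse_router(text):
    """Extract loopbacks, static-rp mappings and anycast-rp sets from one router's config."""
    cfg = {"loopbacks": {}, "static_rp": {}, "anycast": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOOPBACK.match(line):
            cfg["loopbacks"][m["name"]] = m["ip"]
        elif m := STATIC_RP.match(line):
            cfg["static_rp"][m["range"]] = m["rp"]
        elif m := ANYCAST_RP.match(line):
            cfg["anycast"].setdefault(m["rp"], set()).add(m["member"])
    return cfg


def validate(configs, rp_addr="10.10.10.1", member_loopback="Loopback0"):
    """Return a list of human-readable findings; an empty list means the RP setup is consistent."""
    routers = {name: parse_router(text) for name, text in configs.items()}
    findings = []

    # Rule 1: every PIM router in the domain carries the static-rp mapping.
    for name, cfg in routers.items():
        if rp_addr not in cfg["static_rp"].values():
            findings.append(f"{name}: no static-rp entry for {rp_addr}")

    # Rule 2: routers with anycast-rp lines form the RP set; that set must be the
    # same on each of them and must include the router's own member address.
    rp_sets = {name: cfg["anycast"].get(rp_addr, set())
               for name, cfg in routers.items() if cfg["anycast"]}
    if not rp_sets:
        return findings
    reference_name, reference = next(iter(rp_sets.items()))
    if len(reference) > MAX_ANYCAST_RPS:
        findings.append(f"{reference_name}: RP set has {len(reference)} members, maximum is {MAX_ANYCAST_RPS}")
    for name, members in rp_sets.items():
        cfg = routers[name]
        if members != reference:
            findings.append(f"{name}: anycast-rp set {sorted(members)} differs from {reference_name} {sorted(reference)}")
        own = cfg["loopbacks"].get(member_loopback)
        if own is None:
            findings.append(f"{name}: no {member_loopback} interface to use as RP-set member address")
        elif own not in members:
            findings.append(f"{name}: own {member_loopback} {own} is not in its anycast-rp set")
        rp_ifaces = [n for n, ip in cfg["loopbacks"].items() if ip == rp_addr]
        if not rp_ifaces:
            findings.append(f"{name}: RP address {rp_addr} is not configured on any loopback")
        elif member_loopback in rp_ifaces:
            findings.append(f"{name}: RP address must be on a loopback other than {member_loopback}")
    return findings


if __name__ == "__main__":
    for finding in validate(CONFIGS) or ["RP configuration is consistent"]:
        print(finding)
```

Feeding the check the running configurations exported from each switch before a change is committed catches the classic failure where one RP was updated and the other was not: the two RPs then disagree about who belongs to the set, and Register messages are no longer relayed to the missing member.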
OmniSwitch AOS R6/R8
Anycast RP

How to
✓ This lab is designed to familiarize you with the Anycast capability on an
OmniSwitch.

Contents
1 Topology
2 PIM-SM Configuration
3 Lab Check

1 Topology

Protocol-Independent Multicast (PIM) is an IP multicast routing protocol that uses routing information
provided by unicast routing protocols such as RIP and OSPF. PIM is “protocol-independent” because it does
not rely on any particular unicast routing protocol.
- In the multicast switching lab, all requesting devices in the same VLAN received the multicast stream.
Now let’s move the receivers into different VLANs. This will require the multicast traffic to be routed in
order to reach each receiver. PIM-SM gives us the capability to route multicast traffic.

- Move Clients 9 and 10 into vlan 30 :

6450-A -> vlan 30 port default 1/2

6450-B -> vlan 30 port default 1/2

- As we will route the traffic, we don’t need the querier configured on 6450-A (but we still need to
forward querying) :

6450-A -> ip multicast querying disable

6450-A -> ip multicast querier-forwarding enable

- Also, since a multicast router is an IGMP querier by default, we can disable querier forwarding on both
6860s:

6860-A -> ip multicast querier-forwarding disable

6860-B -> ip multicast querier-forwarding disable

- On the 6900, check that OSPF still runs properly and that all client vlans are reachable :

6900-A -> show ip routes

+ = Equal cost multipath routes


Total 25 routes

Dest Address Gateway Addr Age Protocol


------------------+-------------------+----------+-----------
127.0.0.1/32 127.0.0.1 1d 7h LOCAL
172.16.17.0/24 172.16.17.1 1d 6h LOCAL
172.16.18.0/24 172.16.18.1 1d 6h LOCAL
172.16.78.0/24 +172.16.17.7 05:36:45 OSPF
+172.16.18.8 07:06:25 OSPF
172.16.137.0/24 172.16.17.7 05:06:42 OSPF
172.16.148.0/24 172.16.18.8 04:36:05 OSPF
192.168.20.0/24 +172.16.17.7 05:36:45 OSPF
+172.16.18.8 06:11:44 OSPF
192.168.30.0/24 +172.16.17.7 05:36:45 OSPF
+172.16.18.8 06:11:44 OSPF
192.168.100.0/24 192.168.100.1 1d 5h LOCAL
192.168.110.0/24 192.168.110.1 1d 6h LOCAL
192.168.120.0/24 192.168.120.1 1d 6h LOCAL
192.168.130.0/24 172.16.17.7 04:31:38 OSPF
192.168.140.0/24 172.16.18.8 04:26:32 OSPF
192.168.170.0/24 172.16.17.7 05:36:45 OSPF
192.168.180.0/24 172.16.18.8 07:06:25 OSPF
192.168.254.1/32 192.168.254.1 1d 6h LOCAL
192.168.254.3/32 172.16.17.7 04:31:38 OSPF
192.168.254.4/32 172.16.18.8 04:30:33 OSPF
192.168.254.6/32 +172.16.17.7 05:36:45 OSPF
+172.16.18.8 05:47:38 OSPF
192.168.254.7/32 172.16.17.7 05:36:45 OSPF
192.168.254.8/32 172.16.18.8 07:06:25 OSPF
2 PIM-SM Configuration
- Enable PIM-SM in the core routers :

6900 -> ip load pim


6900 -> ip pim sparse admin-state enable

6860-A -> ip load pim


6860-A -> ip pim sparse admin-state enable

6860-B -> ip load pim


6860-B -> ip pim sparse admin-state enable

- Now, we must enable PIM-SM on the necessary interfaces.

6900 -> ip pim interface int_217


6900 -> ip pim interface int_218
6900 -> ip pim interface int_110

6860-A -> ip pim interface int_217


6860-A -> ip pim interface int_278
6860-A -> ip pim interface int_170
6860-A -> ip pim interface int_20
6860-A -> ip pim interface int_30

6860-B -> ip pim interface int_218


6860-B -> ip pim interface int_278
6860-B -> ip pim interface int_180
6860-B -> ip pim interface int_20
6860-B -> ip pim interface int_30

- Configure Anycast-RP on the three routers. These routers will be used as the RP. The RP address will be
10.10.10.1, which will be configured on a Loopback1 interface on the three routers.

6900 -> ip interface “Loopback1” address 10.10.10.1

6860-A -> ip interface “Loopback1” address 10.10.10.1

6860-B -> ip interface “Loopback1” address 10.10.10.1

- OSPF is configured on these routers, so this Loopback1 address is advertised in OSPF to all routers in the
network. Each PIM router in the network will reach one of these three routers for the RP, depending on the
best path metric.

- On the three routers, configure the Anycast-RP address 10.10.10.1. The 231.0.0.0/8 specifies the group
address range that the Anycast-RPs will be responsible for.

6900 -> ip pim static-rp 231.0.0.0/8 10.10.10.1

6860-A -> ip pim static-rp 231.0.0.0/8 10.10.10.1

6860-B -> ip pim static-rp 231.0.0.0/8 10.10.10.1



Note: This static configuration should exist on all PIM routers in the PIM domain, not just those routers
that are participating in the Anycast-RP set.

Next you need to define something called the RP set. This is the set of all routers which would act as
the RP. You need to have a LoopbackX interface on each prospective RP router, which is different than
the LoopbackX that is being used as the RP address.

In our previous configuration, Loopback0 was defined on all routers with IP address 192.168.254.X/32.
This Loopback0 address is already used as the Router ID for OSPF.

This Loopback0 address is used to complete the configuration of the RP set.

The configuration defining the Anycast-RP set must be the same on all routers participating in Anycast-RP:

6900-A -> ip pim anycast-rp 10.10.10.1 192.168.254.1


6900-A -> ip pim anycast-rp 10.10.10.1 192.168.254.7
6900-A -> ip pim anycast-rp 10.10.10.1 192.168.254.8

6860-A -> ip pim anycast-rp 10.10.10.1 192.168.254.1


6860-A -> ip pim anycast-rp 10.10.10.1 192.168.254.7
6860-A -> ip pim anycast-rp 10.10.10.1 192.168.254.8

6860-B -> ip pim anycast-rp 10.10.10.1 192.168.254.1


6860-B -> ip pim anycast-rp 10.10.10.1 192.168.254.7
6860-B -> ip pim anycast-rp 10.10.10.1 192.168.254.8

- One thing to note here is that you need to define your own IP address as well as all remote IP addresses
in this RP set, so the configuration of the Anycast-RP set is identical on every RP that is a member of the
set.
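Because the RP set has to be identical on every member, a quick consistency check across the three boxes is worth having before moving on. The Python below is an added example, not part of the lab and not AOS code: it parses the `ip pim static-rp` and `ip pim anycast-rp` lines from each router's configuration text (constructed here from the commands above), compares them against the first router, and flags any member whose own Loopback0 address is missing from its RP set. The LAB_CONFIGS / LAB_LOOPBACK0 tables and the lab_findings helper are this example's own.

```python
"""Consistency check for an Anycast-RP configuration across the RPs.

Added example, not AOS code: it parses 'ip pim static-rp' and
'ip pim anycast-rp' lines from each router's configuration text and
reports any router whose static-RP mapping or RP set differs from the
first router's, and any RP-set member whose own Loopback0 address is
missing from its RP set.
"""
import re

STATIC_RP_RE = re.compile(r"^\s*ip pim static-rp (\S+) (\S+)")
ANYCAST_RP_RE = re.compile(r"^\s*ip pim anycast-rp (\S+) (\S+)")


def parse_pim_config(text):
    """Return the static-RP mappings and the anycast-RP set(s) found in a config."""
    static_rp = set()
    anycast_rp = {}
    for line in text.splitlines():
        m = STATIC_RP_RE.match(line)
        if m:
            static_rp.add((m.group(1), m.group(2)))   # (group range, RP address)
            continue
        m = ANYCAST_RP_RE.match(line)
        if m:
            anycast_rp.setdefault(m.group(1), set()).add(m.group(2))  # RP -> members
    return {"static_rp": static_rp, "anycast_rp": anycast_rp}


def check_anycast_rp(configs, loopback0):
    """configs: {router name: config text}; loopback0: {router name: its Loopback0 address}."""
    parsed = {name: parse_pim_config(text) for name, text in configs.items()}
    findings = []
    ref_name, ref = next(iter(parsed.items()))
    for name, cfg in parsed.items():
        if cfg["static_rp"] != ref["static_rp"]:
            findings.append(f"{name}: static-rp mapping differs from {ref_name}")
        if cfg["anycast_rp"] != ref["anycast_rp"]:
            findings.append(f"{name}: anycast-rp set differs from {ref_name}")
        for rp, members in cfg["anycast_rp"].items():
            if loopback0[name] not in members:
                findings.append(f"{name}: own address {loopback0[name]} missing from RP set {rp}")
    return findings


# Constructed configuration snippets reproducing the lab commands above.
LAB_CONFIGS = {
    "6900-A": """
ip pim static-rp 231.0.0.0/8 10.10.10.1
ip pim anycast-rp 10.10.10.1 192.168.254.1
ip pim anycast-rp 10.10.10.1 192.168.254.7
ip pim anycast-rp 10.10.10.1 192.168.254.8
""",
    "6860-A": """
ip pim static-rp 231.0.0.0/8 10.10.10.1
ip pim anycast-rp 10.10.10.1 192.168.254.1
ip pim anycast-rp 10.10.10.1 192.168.254.7
ip pim anycast-rp 10.10.10.1 192.168.254.8
""",
    "6860-B": """
ip pim static-rp 231.0.0.0/8 10.10.10.1
ip pim anycast-rp 10.10.10.1 192.168.254.1
ip pim anycast-rp 10.10.10.1 192.168.254.7
ip pim anycast-rp 10.10.10.1 192.168.254.8
""",
}
LAB_LOOPBACK0 = {"6900-A": "192.168.254.1", "6860-A": "192.168.254.7", "6860-B": "192.168.254.8"}


def lab_findings(drop_line_on=None):
    """Run the check on the lab configs; optionally remove one router's own-address line to show a finding."""
    configs = dict(LAB_CONFIGS)
    if drop_line_on:
        configs[drop_line_on] = configs[drop_line_on].replace(
            f"ip pim anycast-rp 10.10.10.1 {LAB_LOOPBACK0[drop_line_on]}\n", "")
    return check_anycast_rp(configs, LAB_LOOPBACK0)


if __name__ == "__main__":
    print(lab_findings() or "all three RPs agree")
    print(lab_findings(drop_line_on="6860-B"))
```

Feeding the script the output of each router's running configuration (instead of the constructed snippets) is enough to catch a missing member before the multicast test in the next steps fails silently on one RP.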

- Check connectivity status on all 3 switches:

6900-A -> show ip pim interface

Total 3 Interfaces

Interface Name   IP Address      Designated Router   Hello Interval   J/P Interval   Oper Status   BFD Status
----------------+---------------+-------------------+----------------+--------------+-------------+-----------
int_110          192.168.110.1   192.168.110.1       30               60             enabled       disabled
int_217          172.16.17.1     172.16.17.7         30               60             enabled       disabled
int_218          172.16.18.1     172.16.18.8         30               60             enabled       disabled

6860-A -> show ip pim interface

Total 5 Interfaces

Interface Name   IP Address      Designated Router   Hello Interval   J/P Interval   Oper Status   BFD Status
----------------+---------------+-------------------+----------------+--------------+-------------+-----------
int_20           192.168.20.7    192.168.20.8        30               60             enabled       disabled
int_30           192.168.30.7    192.168.30.8        30               60             enabled       disabled
int_170          192.168.170.7   192.168.170.7       30               60             enabled       disabled
int_217          172.16.17.7     172.16.17.7         30               60             enabled       disabled
int_278          172.16.78.7     172.16.78.8         30               60             enabled       disabled

6860-B -> show ip pim interface

Total 5 Interfaces

Interface Name   IP Address      Designated Router   Hello Interval   J/P Interval   Oper Status   BFD Status
----------------+---------------+-------------------+----------------+--------------+-------------+-----------
int_20           192.168.20.8    192.168.20.8        30               60             enabled       disabled
int_30           192.168.30.8    192.168.30.8        30               60             enabled       disabled
int_180          192.168.180.8   192.168.180.8       30               60             enabled       disabled
int_218          172.16.18.8     172.16.18.8         30               60             enabled       disabled
int_278          172.16.78.8     172.16.78.8         30               60             enabled       disabled

- Check the PIM neighbors, the group-map and the static RP:

6900-A -> show ip pim neighbor

Total 2 Neighbors

Neighbor Address   Interface Name   Uptime        Expires       DR Priority
------------------+----------------+-------------+-------------+------------
172.16.17.7        int_217          00h:04m:41s   00h:01m:34s   1
172.16.18.8        int_218          00h:03m:56s   00h:01m:19s   1

6900-A -> show ip pim group-map

Origin   Group Address/Prefix   RP Address      Mode   Precedence
--------+----------------------+---------------+------+-----------
BSR      231.1.1.0/24           192.168.110.1   asm    192
BSR      231.5.5.0/24           192.168.170.7   asm    192
BSR      231.7.7.0/24           192.168.170.7   asm    192
BSR      231.8.8.0/24           192.168.180.8   asm    192
BSR      231.10.10.0/24         192.168.180.8   asm    192

6900-A -> show ip pim static-rp

Group Address/Prefix   RP Address   Mode   Override   Precedence   Status
----------------------+------------+------+----------+------------+--------
231.0.0.0/8            10.10.10.1   asm    false      none         enabled

6860-A -> show ip pim static-rp

Group Address/Prefix   RP Address   Mode   Override   Precedence   Status
----------------------+------------+------+----------+------------+--------
231.0.0.0/8            10.10.10.1   asm    false      none         enabled

6860-B -> show ip pim static-rp

Group Address/Prefix   RP Address   Mode   Override   Precedence   Status
----------------------+------------+------+----------+------------+--------
231.0.0.0/8            10.10.10.1   asm    false      none         enabled

- Manage client 1, client 5 and client 10 so that they send and receive multicast traffic as indicated in the
table below. Use the multicast tool application from the desktop to do it.

PC Client   Send                 Receive
Client 1    grps: 231.1.1.1      grps: 231.10.10.10
Client 5    grps: 231.5.5.5      grps: 231.1.1.1
Client 10   grps: 231.10.10.10   grps: 231.5.5.5

Example given with Client 1:

PC Client   Send                 Receive
Client 1    grps: 231.1.1.1      grps: 231.10.10.10

Do the same with client 5 and client 10:

PC Client   Send                 Receive
Client 5    grps: 231.5.5.5      grps: 231.1.1.1
Client 10   grps: 231.10.10.10   grps: 231.5.5.5

- Check the multicast routing table on the three routers:

6900-A -> show ip pim sgroute

Legend: Flags: D = Dense, S = Sparse, s = SSM Group,
               L = Local, R = RPT, T = SPT, F = Register,
               P = Pruned, O = Originator

Total 3 (S,G)

Source Address   Group Address   RPF Interface   Upstream Neighbor   UpTime        Flags
----------------+---------------+---------------+-------------------+-------------+------
192.168.110.50   231.1.1.1       int_110                             00h:18m:46s   STL
192.168.20.50    231.5.5.5       int_217         172.16.17.7         00h:00m:07s   ST
192.168.30.50    231.10.10.10    int_217         172.16.17.7         00h:00m:31s   ST

6860-A -> show ip pim sgroute

Legend: Flags: D = Dense, S = Sparse, s = SSM Group,
               L = Local, R = RPT, T = SPT, F = Register,
               P = Pruned, O = Originator

Total 3 (S,G)

Source Address   Group Address   RPF Interface   Upstream Neighbor   UpTime        Flags
----------------+---------------+---------------+-------------------+-------------+------
192.168.110.50   231.1.1.1       int_217         172.16.17.1         00h:00m:05s   SR
192.168.20.50    231.5.5.5       int_20          192.168.20.8        00h:03m:04s   ST
192.168.30.50    231.10.10.10    int_30          192.168.30.8        00h:03m:01s   ST

6860-B -> show ip pim sgroute

Legend: Flags: D = Dense, S = Sparse, s = SSM Group,
               L = Local, R = RPT, T = SPT, F = Register,
               P = Pruned, O = Originator

Total 3 (S,G)

Source Address   Group Address   RPF Interface   Upstream Neighbor   UpTime        Flags
----------------+---------------+---------------+-------------------+-------------+------
192.168.110.50   231.1.1.1       int_218         172.16.18.1         00h:00m:19s   ST
192.168.20.50    231.5.5.5       int_20                              00h:03m:12s   STL
192.168.30.50    231.10.10.10    int_30                              00h:03m:15s   STL

3 Lab Check

- What is the purpose of PIM-SM?


.................................................................................................................

- What happens to multicast traffic in different VLANs without PIM-SM enabled?


.................................................................................................................

- Is PIM-SM a replacement routing protocol for RIP or OSPF?


.................................................................................................................

- What is the difference between DVMRP and PIM-SM?


.................................................................................................................
OmniSwitch AOS R6/R8

Border Gateway Protocol (BGP)

Lesson Summary

At the end of this presentation, you will be able to

◼ Describe the basic BGP concepts
◼ Perform a basic BGP implementation on an AOS switch based network
⚫ Specifications
⚫ Concepts
⚫ Attributes
⚫ Basic configuration
⚫ BGP Synchronization
⚫ BGP Policy routing
BGP concepts and basic setup
AOS Specifications
◼ Maximum number of (per router)
⚫ BGP Peers
 32 – OS6850E / OS6855 / OS9000E
 512 – OS6860 / OS6900 / OS10K
⚫ Routes
 65K – OS6850E / OS6855 / OS9000E
 64K – OS6860
 128K – OS6900
 256K – OS10K
⚫ AS Number Range – 1 to 65535
⚫ Local Preference – 0 to 4294967295
⚫ Confederation IDs – 0 to 65535
⚫ MED Attribute – 0 to 4294967295
◼ Supported BGP Attributes
⚫ Origin
⚫ AS Path
⚫ Next Hop
⚫ MED
⚫ Local Preference
⚫ Atomic Aggregate
⚫ Aggregator
⚫ Community
⚫ Originator ID
⚫ Cluster List
◼ RFCs Supported
⚫ 4271 – A Border Gateway Protocol 4 (BGP-4)
⚫ 2439 – BGP Route Flap Damping
⚫ 3392 – Capabilities Advertisement with BGP-4
⚫ 2385 – Protection of BGP Sessions via the TCP MD5 Signature Option
⚫ 1997 – BGP Communities Attribute
⚫ 4456 – BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP)
⚫ 3065 – Autonomous System Confederations for BGP
⚫ 4273 – Definitions of Managed Objects for BGP-4
⚫ 4760 – Multiprotocol Extensions for BGP-4
⚫ 2545 – Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
BGP Concepts
IGP vs EGP
◼ Two different classes of routing protocols
⚫ IGP – Internal Gateway Protocol
⚫ EGP – External Gateway Protocol
◼ IGPs do not scale well
⚫ The SPF algorithm runs slowly on a big routing table
⚫ Not sized for the Internet routing table
⚫ No policy routing mechanisms

[Figure: two ASes connected through an ISP; IGP inside each AS, EGP between them]
BGP4
◼ Border Gateway Protocol
◼ Current version: 4
◼ Exterior routing protocol used to make policy routing decisions between autonomous systems (AS)
◼ Standardized: RFC 4271
◼ Listens on port 179 / TCP
◼ Optional authentication
⚫ MD5: adds an option to TCP (digest based on pseudo header + header + data + shared password)
◼ Point-to-point over directly connected interfaces, or multi-hop between non-adjacent BGP routers
◼ Routing information is exchanged in BGP Update messages
◼ Used to:
⚫ See the Internet network (received IP routes)
⚫ Advertise our own network (announced IP routes)
⚫ Influence the inbound traffic flow
⚫ Influence the outbound traffic flow

[Figure: AS 100, AS 999 and AS 1, each running an IGP internally, interconnected with BGP]
AS definition
◼ Autonomous Systems
◼ An autonomous system (AS) is a set of routers that are under a single technical administration
◼ Normally uses a single interior gateway protocol and a common set of metrics to propagate routing information within the set of routers
◼ To other ASs, an AS appears to have a single, coherent interior routing plan and presents a consistent picture of what destinations are reachable through it
◼ Identified by an AS number (1-65535)
⚫ Private ASNs from 64512-65535

[Figure: an AS running OSPF internally; destinations reachable through it: 194.10.10.0/24, 194.12.10.0/23, 194.13.10.0/24, etc.]
BGP Peering and BGP Neighbors
◼ Internal BGP Neighbor
⚫ A router that falls under the administrative control of a single AS and is assumed to follow a consistent policy with other BGP speakers of that AS
⚫ Internal BGP neighbors are reachable by static routes, an internal routing protocol, or directly connected
◼ External BGP Neighbor
⚫ A router whose administrative and policy control is outside of your AS
⚫ Sends and receives BGP information to or from other ASes

[Figure: IBGP peering between BGP routers inside an AS running OSPF or RIP; EBGP peering towards a router in another AS]

◼ Peering
⚫ Two routers with a BGP connection are neighbors or peers
⚫ Peers can be external (EBGP) or internal (IBGP)
⚫ No need for a direct connection between IBGP peers
⚫ EBGP peers are usually directly connected
BGP Peer/Neighbor
◼ No dynamic discovery
◼ (Selective) route exchange
◼ Keepalive mechanism
◼ Four message types
⚫ Open
⚫ Keepalive
⚫ Update
⚫ Notification
◼ Connection states
⚫ Idle – waiting for an incoming connection on TCP port 179
⚫ Connect – setting up a TCP session
⚫ Active – unable to create a TCP session
⚫ OpenSent – sending out its OPEN message
⚫ OpenConfirm – waiting for the KEEPALIVE message
⚫ Established – BGP session is up

[Figure: BGP session between AS 54 and AS 4]
BGP Route information
◼ Path vector protocol
◼ A BGP advertisement is made of:
⚫ Prefix
⚫ Attributes

[Figure: routers R1, R2 and R3 across AS 25, AS 54 and AS 4; prefix 192.168.1.0]

BGP Update
◼ Between BGP neighbors
◼ To advertise a new route/prefix
◼ To withdraw a previously advertised route/prefix

[Figure: BGP UPDATE exchanged between R1 (AS 54) and R3 (AS 25) for prefix 192.168.1.0]

BGP Attribute (1)
◼ Part of the update message
◼ Variable length
◼ Can be:
⚫ Well-known mandatory
⚫ Well-known discretionary
⚫ Optional transitive
⚫ Optional non-transitive

[Figure: R1 (AS 54) and R3 (AS 25), prefix 192.168.1.0]
BGP Attributes overview
AS-Path Attribute
◼ Well-known mandatory attribute
◼ List of traversed ASes

[Figure: prefix 192.168.1.0 originated in AS 25 (R1, R2) and advertised through AS 54 (R3), AS 401 (R4) and AS 23 (R5) to AS 4; received as 192.168.1.0 AS (23,401,54,25)]
Next-Hop Attribute (1)
◼ Well-known mandatory attribute
◼ IP address of the next node towards the destination

[Figure: R2 (10.1.1.2) and R3 (10.1.1.3) in AS 25, R1 receiving 192.168.1.0 AS (25) with next hop 10.1.1.3]

Next-Hop Attribute (2)
◼ IBGP conserves the next hop attribute learned over EBGP
◼ When BGP synchronization is off, "next-hop-self" can act as a workaround to validate the BGP path

[Figure: R1 (31.0.0.1/8), R3 (31.0.0.3/8) and R2 (10.1.1.2/24, 10.1.1.3/24) in AS 25, prefix 192.168.1.0; advertisement 192.168.1.0 AS (25) with next hop 31.0.0.3/8]
Origin Attribute
◼ Well-known mandatory attribute

◼ Defines the origin of the path information:
⚫ IGP - the prefix was learned from an IGP
⚫ EGP - the prefix was learned via EGP
⚫ Incomplete - the prefix was learned through redistribution or static routing, or is unknown
Local Preference Attribute
◼ Well-known discretionary attribute
◼ Specifies the most preferred path to exit an AS

[Figure: AS 54 with R1 (172.18.0.0/8, Local pref = 200) and R2 (172.18.0.0/8, Local pref = 100); neighbouring AS 250, AS 3400 and AS 100 advertising 172.18.0.0]

BGP Local Preference Metric

[Figure: New York (198.100.28.1, Local Preference = 300), Chicago and Atlanta (200.100.50.1, Local Preference = 200) in AS 200; AS 300, AS 400, AS 500 and AS 600; destination 198.101.24.0]
Atomic Aggregate Attribute
◼ Well-known discretionary attribute
◼ CIDR support (only BGP 4)
◼ Informs that routes are aggregated

[Figure: AS 54, AS 650 and AS 20 advertise 150.215.30.8/30, 150.215.30.4/30 and 150.215.30.12/30; AS 10 aggregates them as 150.215.30.0/28]
Multi Exit Discriminator (MED)Attribute
◼ Optional non-transitive attribute
◼ Specifies the most preferred path to an AS

[Figure: AS 250 (R2, R3, R4) advertises 172.18.0.0/16 to R1 in AS 54 with MED = 100 on one link and MED = 200 on the other]
BGP Multi-Exit Discriminator
◼ Inbound Metric
◼ Meaning: “How I prefer receiving the traffic from you”
◼ When two autonomous systems have multiple links with each other, the MED
(Multi-Exit Discriminator) informs the other AS of recommended entrance
points
◼ Lower MED value is preferred
⚫ Default setting for MED = 0

◼ Metric is non-transitive
⚫ Only shared between two autonomous systems
⚫ Passed from one AS to a second AS

◼ When the second AS advertises the networks from the first AS, MED value is
set back to 0 before leaving second AS
BGP Multi-Exit Discriminator

[Figure: AS 100 reaches 198.101.24.0 in AS 200 either via 198.100.28.1 (MED for 198.101.24.0 = 300) or via 200.100.50.1 (MED for 198.101.24.0 = 100)]

"I'll go through 200.100.50.1 to get to network 198.101.24.0 because it has a lower MED, but I'll remember
the other route in case the pathway through 200.100.50.1 becomes unavailable."
BGP Communities
◼ Provide a way of grouping destinations (called communities) to which routing decisions (such as acceptance, preference, and redistribution) can be applied
◼ Can be passed through and to other ASes
◼ Allows tagging various networks and grouping them into communities
◼ A few predefined communities are listed:
⚫ No-Export (networks are not announced outside the AS)
⚫ No-Export-Subconfed (networks are not announced outside the sub-confederation)
⚫ No-Advertise (networks are not announced to any BGP speaker)
BGP Community example

[Figure: AS 200 (Router B) holds 198.101.24.0 to 198.101.31.0, aggregated as 198.101.24.0/21 towards ISP A (AS 100, Router A) and announced to the Internet and AS 300 (200.100.50.1)]
Community Attribute
◼ Optional transitive attribute
◼ Permits tagging routes with an indicator
◼ Filtering can be implemented based on the tags

Community          Action
NO-EXPORT          No advertisement to EBGP peers
NO-ADVERTISE       No advertisement to any peer
<AS:Community#>    User defined policy

BGP Route Selection
◼ A recursive lookup validates the route (the next hop must be reachable)
◼ Route selection process, in order:
⚫ Highest local preference
⚫ Shortest AS path
⚫ Lowest origin (IGP > EGP > Incomplete)
⚫ Lowest MED
⚫ Closest next hop
⚫ EBGP > IBGP > IGP
⚫ Lowest RID
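The selection order above is easier to reason about when it is written down as a comparison function. The Python below is an added example, not AOS code: it filters out candidates whose next hop does not resolve in the routing table (the recursive lookup), then reduces the remaining paths pairwise in the order of the list and reports which rule decided the last comparison. The Path fields, the RIB and the candidate paths are constructed for the example; the one refinement beyond the list is that MED is only compared between paths received from the same neighbouring AS, which is the usual default behaviour of BGP implementations.

```python
"""BGP best-path selection following the order in the list above.

Added example, not AOS code. The candidate paths, the Path fields and the
`rib` used for the recursive next-hop lookup are this example's own
constructions. MED is compared only between paths received from the same
neighbouring AS, as BGP implementations normally do by default.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lowest origin wins


@dataclass
class Path:
    prefix: str
    next_hop: str
    as_path: List[int]            # leftmost entry is the neighbouring AS
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True             # learned over EBGP (True) or IBGP (False)
    igp_metric: int = 0           # IGP cost to reach next_hop ("closest next hop")
    router_id: str = "0.0.0.0"    # router ID of the advertising peer


def next_hop_resolves(path: Path, rib: List[str]) -> bool:
    """Recursive lookup: the next hop must be covered by a route in the routing table."""
    nh = ipaddress.ip_address(path.next_hop)
    return any(nh in ipaddress.ip_network(r, strict=False) for r in rib)


def compare(a: Path, b: Path) -> Tuple[Path, str]:
    """Return the better of two paths and the rule that decided between them."""
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local preference"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "AS path length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    same_neighbor_as = bool(a.as_path and b.as_path and a.as_path[0] == b.as_path[0])
    if same_neighbor_as and a.med != b.med:
        return (a if a.med < b.med else b), "MED"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "EBGP over IBGP"
    if a.igp_metric != b.igp_metric:
        return (a if a.igp_metric < b.igp_metric else b), "IGP metric to next hop"
    rid_a, rid_b = ipaddress.ip_address(a.router_id), ipaddress.ip_address(b.router_id)
    if rid_a != rid_b:
        return (a if rid_a < rid_b else b), "router ID"
    return a, "tie"


def select_best(paths: List[Path], rib: List[str]) -> Tuple[Optional[Path], str]:
    """Drop paths whose next hop does not resolve, then reduce the rest pairwise."""
    usable = [p for p in paths if next_hop_resolves(p, rib)]
    if not usable:
        return None, "no path with a resolvable next hop"
    best, why = usable[0], "only candidate"
    for cand in usable[1:]:
        best, why = compare(best, cand)
    return best, why


# Constructed candidates for 192.168.1.0/24 (the prefix used in the slides).
RIB = ["10.1.1.0/24", "172.16.0.0/16"]
CANDIDATES = [
    Path("192.168.1.0/24", "10.1.1.3", [25], router_id="10.1.1.3"),
    Path("192.168.1.0/24", "10.1.1.2", [25], med=50, router_id="10.1.1.2"),
    Path("192.168.1.0/24", "172.16.17.7", [401, 54, 25], local_pref=200, router_id="172.16.17.7"),
    Path("192.168.1.0/24", "31.0.0.3", [25], local_pref=300, router_id="31.0.0.3"),  # next hop not in RIB
]

if __name__ == "__main__":
    best, why = select_best(CANDIDATES, RIB)
    print(best.next_hop, "chosen by", why)
```

Note that the candidate with the highest local preference (300) never competes: its next hop 31.0.0.3 is not covered by any RIB entry, which is exactly the situation the "next-hop-self" workaround on the earlier slide is meant to avoid.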
BGP AOS Configuration
CLI - IBGP/EBGP Basic Setup
◼ Define the Router ID
-> ip router router-id

◼ Load and activate BGP
-> ip load BGP
-> ip bgp status enable

◼ Define the AS
-> ip bgp autonomous-system 100

◼ Create a BGP peer entry
-> ip bgp neighbor 100.10.1.1

◼ Create the peer relationship with authentication
-> ip bgp neighbor < 100.10.1.1 > remote-as
-> ip bgp neighbor < 100.10.1.1 > md5 key
-> ip bgp neighbor < 100.10.1.1 > status enable

-> show ip bgp neighbors

Nbr address       As    Admin state   Oper state   BgpId
-----------------+-----+-------------+------------+-------------
192.40.4.29       3     enabled       estab        192.40.4.29
192.40.4.121      5     disabled      idle         0.0.0.0
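The `md5 key` option above turns on the RFC 2385 TCP MD5 signature that the BGP4 slide summarises as "pseudo header + header + data + shared password". The Python below is an added example, not AOS code, showing exactly what the digest covers and how a receiver verifies it: the IPv4 pseudo-header, the fixed 20-byte TCP header with the checksum zeroed and options excluded, the payload, and the key, in that order. The addresses are the lab's 172.16.17.x link, the key and the payload bytes are constructed placeholders, and tcp_fixed_header / verify_segment are this example's own helpers.

```python
"""RFC 2385 TCP MD5 signature option, as used to authenticate BGP sessions.

Added example (not AOS code). The digest covers, in order: the IPv4
pseudo-header, the fixed TCP header with checksum zeroed and options
excluded, the segment payload, and the shared key.
"""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5_OPTION_KIND = 19           # TCP option kind for the MD5 signature (RFC 2385)
MD5_OPTION_LEN = 18            # kind(1) + length(1) + digest(16)


def tcp_fixed_header(sport, dport, seq, ack, flags, window, data_offset_words, urg=0):
    """Return the 20-byte fixed TCP header with the checksum field set to zero."""
    offset_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, urg)


def pseudo_header(src_ip, dst_ip, tcp_length):
    """IPv4 pseudo-header: source, destination, zero, protocol, TCP length (header + options + data)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_length))


def tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key):
    """Compute the RFC 2385 digest for one TCP segment.

    fixed_header is the 20-byte header (checksum zeroed); its data-offset
    field must already count the option bytes, because the TCP length in
    the pseudo-header includes options even though the digest does not.
    """
    data_offset_words = fixed_header[12] >> 4
    tcp_length = data_offset_words * 4 + len(payload)
    h = hashlib.md5()
    h.update(pseudo_header(src_ip, dst_ip, tcp_length))
    h.update(fixed_header)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_md5_option(digest):
    """Encode the option as carried in the TCP header, padded to 20 bytes with two NOPs."""
    return bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest + b"\x01\x01"


def verify_segment(src_ip, dst_ip, fixed_header, payload, key, received_digest):
    """Receiver side: recompute and compare in constant time; a mismatch means drop the segment."""
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_header, payload, key)
    return hmac.compare_digest(expected, received_digest)


def demo():
    """Sign a constructed segment from 172.16.17.1 to 172.16.17.7:179 and verify it with both keys."""
    key = b"bgp-shared-secret"                 # placeholder shared secret, constructed for the example
    payload = b"\xff" * 16 + b"\x00\x1d\x01"   # constructed BGP marker + length + OPEN type byte
    hdr = tcp_fixed_header(sport=40000, dport=179, seq=1000, ack=2000,
                           flags=0x018, window=65535, data_offset_words=10)  # 20 hdr + 20 option bytes
    digest = tcp_md5_digest("172.16.17.1", "172.16.17.7", hdr, payload, key)
    ok = verify_segment("172.16.17.1", "172.16.17.7", hdr, payload, key, digest)
    bad = verify_segment("172.16.17.1", "172.16.17.7", hdr, payload, b"wrong-key", digest)
    return digest, ok, bad


if __name__ == "__main__":
    d, ok, bad = demo()
    print(build_md5_option(d).hex(), "same key:", ok, "wrong key:", bad)
```

Two practical consequences follow from what the digest covers: the key must be identical on both peers (there is no negotiation), and any device that rewrites addresses or sequence numbers between the peers, such as a NAT, invalidates the signature.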
BGP Peer Session with Loopback0
◼ BGP peering based on the Loopback0 IP interface address of the peering router
⚫ binding the source (i.e., the outgoing IP interface for the TCP connection) to its own configured Loopback0 interface
◼ The Loopback0 IP interface address can be used for both internal and external BGP peer sessions
-> ip bgp neighbor 100.10.1.1 update-source Loopback0

◼ ebgp-multihop parameter
⚫ For EBGP sessions, if the external peer router is multiple hops away
-> ip bgp neighbor 100.10.1.1 ebgp-multihop
BGP Split Horizon

Routes learned via IBGP should never be propagated to other IBGP peers.

[Figure: R1, R2, R3, R4 and R5 inside AS 4; a route learned from one IBGP peer is not re-advertised to the others]

BGP Synchronization

A BGP router should not advertise to an EBGP peer a route learned by IBGP, unless that route is local or is
learned from an IGP.

[Figure: AS 54 (R1, 172.31.0.0) and AS 4 (R2, R3, R4, R5; 10.3.0.0, 23.0.0.0/8) with their EBGP and IBGP peerings]

-> ip bgp synchronization


Routing table
◼ AOS protocol preference decides which routes go into the routing table
⚫ Local = 1
⚫ Static = 2
⚫ OSPF = 10
⚫ RIP = 100
⚫ BGP = 200

[Figure: the BGP path table, local/static routes and OSPF routes feed the routing table according to the protocol preference]

-> show ip route-pref

Protocol      Route Preference Value
------------+------------------------
Local         1
Static        2
OSPF          10
RIP           100
BGP           200

-> ip route-pref BGP 8


BGP Policy Routing
BGP Policy Routing
◼ AS path, community and prefix lists
◼ Route map

-> ip bgp policy aspath-list "100 300 150" permit/deny
-> ip bgp policy community-list 600:1 permit/deny
-> ip bgp policy prefix-list 172.31.0.0 /16 permit/deny

Route-map example
If the BGP update matches the aspath-list
  If prefix-list = <value>
    Set network local_preference = <value>

BGP Policy Matching Flowchart

[Flowchart: policies are evaluated in order: 1 ip bgp policy aspath-list, 2 ip bgp policy prefix-list, 3 ip bgp policy community-list. On a match the policy action decides: Denied -> evaluation stopped; Permitted -> route-map evaluation. Route-maps are evaluated in order: 4 route-map aspath-list, 5 route-map prefix-list, 6 route-map community-list, 7 route-map regexp match, 8 route-map prefix match, 9 route-map community match. If no route-map exists, evaluation stops; if route-maps exist but none matches, the routes are dropped and evaluation stops.]
BGP Policies
◼ -> ip bgp policy aspath-list aspathfilter "^100 200$" action permit
⚫ looks for routes with an AS path whose next-hop AS is 100 and which originate from AS 200
⚫ permits routes that match the regular expression ^100 200$

◼ -> ip bgp policy community-list commfilter 600:1 < action permit / match-type exact / priority 3 >
⚫ looks for routes in the community 600:1
 action permit: permits routes in community 600:1 to be advertised
 match-type exact: looks for routes that belong only to the community 600:1
 priority 3: routes with a higher priority number are applied first

◼ -> ip bgp policy prefix-list prefixfilter 12.0.0.0 255.0.0.0 action deny
⚫ denies routes that match the network address 12.0.0.0/8
Route-map policy
◼ Create a route map policy
⚫ -> ip bgp policy route-map mapfilter1

◼ Set the policy action
⚫ -> ip bgp policy route-map mapfilter1 action deny
 mapfilter1 now denies the routes that it filters

◼ Add conditions to the route map policy
⚫ -> ip bgp policy route-map mapfilter1 aspath-list aspathfilter
⚫ -> ip bgp policy route-map mapfilter1 community-list commfilter

◼ Assigning a policy to a peer
⚫ -> ip bgp neighbor 172.22.2.0 route-map mapfilter1 out
 To apply the policy to route advertisements sent to the peer
⚫ -> ip bgp neighbor 172.22.2.0 route-map mapfilter1 in
 To filter routes learned from the peer through the route map
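To make the policy objects from the last three slides concrete, the Python below is an added example, not AOS code: it models the aspath-list (a regular expression over the AS path, as in "^100 200$"), the community-list with match-type exact, the prefix-list, and a route map that combines them with an action and a local-preference set, applied in the "in" direction to routes from a peer. The evaluation order (policy lists first, a deny stops evaluation, then the route map, where no match drops the route) is this example's reading of the flowchart above, not a description of the AOS implementation; the Route fields, the sample routes and run_policy are constructed for the example.

```python
"""Evaluation of the BGP policy objects from the slides above.

Added example, not AOS code. The ordering (policy lists first, then the
route map; no match in an applied route map drops the route) is this
example's reading of the flowchart, and the sample routes are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    communities: List[str] = field(default_factory=list)
    local_pref: int = 100


@dataclass
class AsPathList:
    regexp: str                 # e.g. "^100 200$": next-hop AS 100, originated by AS 200
    action: str = "permit"

    def matches(self, route: Route) -> bool:
        return re.search(self.regexp, " ".join(str(a) for a in route.as_path)) is not None


@dataclass
class CommunityList:
    community: str
    action: str = "permit"
    match_type: str = "exact"   # exact: the route carries only this community; occur: carries it among others

    def matches(self, route: Route) -> bool:
        if self.match_type == "exact":
            return route.communities == [self.community]
        return self.community in route.communities


@dataclass
class PrefixList:
    network: str                # CIDR here; the CLI writes it as "12.0.0.0 255.0.0.0"
    action: str = "permit"

    def matches(self, route: Route) -> bool:
        return ipaddress.ip_network(route.prefix).subnet_of(ipaddress.ip_network(self.network))


@dataclass
class RouteMap:
    name: str
    action: str = "permit"
    aspath_list: Optional[AsPathList] = None
    community_list: Optional[CommunityList] = None
    prefix_list: Optional[PrefixList] = None
    set_local_pref: Optional[int] = None

    def matches(self, route: Route) -> bool:
        conds = [c for c in (self.aspath_list, self.community_list, self.prefix_list) if c]
        return all(c.matches(route) for c in conds)


def apply_policy(route: Route, lists: list, route_map: Optional[RouteMap]):
    """Return (accepted route or None, reason) for one inbound route."""
    for pol in lists:                                  # 1. policy lists, in order
        if pol.matches(route) and pol.action == "deny":
            return None, f"denied by {type(pol).__name__}"
    if route_map is None:                              # 2. no route map: evaluation stops, route kept
        return route, "no route-map"
    if not route_map.matches(route):                   # 3. route map present but no match: dropped
        return None, f"route-map {route_map.name}: no match, route dropped"
    if route_map.action == "deny":
        return None, f"route-map {route_map.name}: action deny"
    if route_map.set_local_pref is not None:           # 4. permit: apply the set clause
        route.local_pref = route_map.set_local_pref
    return route, f"route-map {route_map.name}: permitted"


# The objects from the slides, plus a route map that raises local preference.
ASPATH_FILTER = AsPathList(r"^100 200$", "permit")
COMM_FILTER = CommunityList("600:1", "permit", "exact")
PREFIX_FILTER = PrefixList("12.0.0.0/8", "deny")
MAPFILTER1 = RouteMap("mapfilter1", action="permit", aspath_list=ASPATH_FILTER, set_local_pref=200)

SAMPLE_ROUTES = [                                      # constructed inbound routes from a peer
    Route("172.31.0.0/16", [100, 200], ["600:1"]),
    Route("12.5.0.0/16", [100, 200], ["600:1"]),
    Route("198.101.24.0/21", [300, 200], []),
]


def run_policy(routes=None):
    """Apply the three lists and mapfilter1 to each route; return {prefix: (local_pref or None, reason)}."""
    results = {}
    for r in (routes or SAMPLE_ROUTES):
        copy = Route(r.prefix, list(r.as_path), list(r.communities), r.local_pref)
        accepted, why = apply_policy(copy, [ASPATH_FILTER, COMM_FILTER, PREFIX_FILTER], MAPFILTER1)
        results[r.prefix] = (accepted.local_pref if accepted else None, why)
    return results


if __name__ == "__main__":
    for prefix, (lp, why) in run_policy().items():
        print(f"{prefix:18} local_pref={lp}  {why}")
```

The 12.5.0.0/16 route never reaches the route map because the prefix-list deny stops evaluation first, and the route with AS path "300 200" is dropped by the route map itself because no condition matched; only the route matching ^100 200$ comes out with the new local preference.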
OmniSwitch AOS R6/R8

IS-IS

Lesson Summary

At the end of this presentation, you will be able to

◼ Describe the characteristics of the IS-IS protocol
IS-IS concepts and basic setup
AOS Specifications
◼ Maximum number of (per router)
⚫ Areas - 3
⚫ L1 adjacencies - 70
⚫ L2 adjacencies - 70
⚫ IS-IS interfaces - 70
⚫ Link State Packet entries - 255
⚫ IS-IS routes - 24000
⚫ IS-IS L1 routes - 12000
⚫ IS-IS L2 routes - 12000
◼ RFCs Supported
⚫ 1142 - OSI IS-IS Intra-domain Routing Protocol
⚫ 1195 - OSI IS-IS for Routing in TCP/IP and Dual Environments
⚫ 3373 - Three-Way Handshake for Intermediate System to Intermediate System (IS-IS) Point-to-Point Adjacencies
⚫ 3567 - Intermediate System to Intermediate System (IS-IS) Cryptographic Authentication
⚫ 2966 - Prefix Distribution with two-level IS-IS (Route Leaking) support
⚫ 2763 - Dynamic Host name exchange support
⚫ 3719 - Recommendations for Interoperable Networks using IS-IS
⚫ 3787 - Recommendations for Interoperable IP Networks using IS-IS
⚫ draft-ietf-isis-igp-p2p-over-lan-05.txt - Point-to-point operation over LAN in link-state routing protocols
⚫ 5308 - IS-IS support for IPv6 (Routing IPv6 with IS-IS)
IS-IS Basics
◼ IS-IS Overview
⚫ OmniSwitch based on RFC 3787
⚫ Link-state driven updates, periodic hellos
⚫ Uses the SPF algorithm to determine routes
⚫ Area hierarchy: ASs use a two-level hierarchy
⚫ Support for authentication
⚫ Support for VLSM and CIDR
⚫ Routing interface parameters
⚫ Layer 2 multicast addressing
⚫ IS-IS TE extensions
◼ IS-IS uses SPF for path determination.
◼ SPF uses cost values to determine the best path to a destination.

[Figure: routers A, B and C joined by links of cost 10, network 10.0.0.0 behind them; IS-IS routes on Router A: 10.0.0.0 cost 30 via Router C, *10.0.0.0 cost 20 via Router B (* = best path); packet flow shown]
IS-IS - ISO Network Addressing
◼ Each IS-IS router is known as an "Intermediate System"
◼ IS-IS uses unique addressing (OSI NSAP addresses)
◼ Each address identifies the area, system, and selector.

AFI + IDI + High Order DSP   System ID          NSEL
49.0002                      18B6.A345.0BF1     00
(Area ID)                    (System Address)   (NSEL)

⚫ Level 1 routing uses the system ID.
⚫ Level 2 routing uses the area address.
⚫ 2 nodes cannot have the same NSAP address.
⚫ 2 nodes within an area cannot have the same system ID.
⚫ The minimum NSAP using local authority is 8 bytes (1 for area, 6 for system, 1 for SEL).
⚫ The area ID must be a minimum of 1 byte.
⚫ The AFI should be set to 49 for locally administered IS-IS configurations.
NSAP addressing
◼ Red - the locally administered area ID of each router.
◼ Blue - the system ID of each router.
◼ Black - the NSEL default of "00".

[Figure: {Area-ID} {System-ID} {NSEL}, next to MAC address 00:d0:95:f3:c8:ba; L1 and L1/L2 routers in Area 49.0002 with NETs 49.0002.00D0.9501.0101.00 and 49.0002.00D0.9501.0102.00, and in Area 49.0003 with NETs 49.0003.00D0.9501.0103.00 and 49.0003.00D0.9501.0104.00]
IS-IS — Packet Format
◼ IS-IS packets use the layer 2 encapsulation of the media.
⚫ IS-IS uses Ethernet 802.3/802.2 instead of the Ethernet II used for IP traffic.
⚫ The TLV identifies the type of information in the IS-IS packet.
⚫ IS-IS packets are called PDUs.

MAC Header | LLC Header | IS-IS Header | IS-IS TLV | FCS

◼ PDUs are encapsulated directly into the layer 2 frame.
◼ There are 4 types of PDUs:
⚫ Hello (ESH, ISH, and IIH) — Maintain adjacencies
⚫ LSP (link-state packet) — Information about neighbors and links, generated by all L1 and L2 routers
⚫ PSNP (Partial Sequence Number PDU) — Specific requests and responses about links, generated by all L1 and L2 routers
⚫ CSNP — Complete list of LSPs exchanged to maintain database consistency
IS-IS - Terms
◼ DIS
⚫ The IS in a LAN that is designated to perform additional duties. In particular, the DIS
generates link-state PDUs on behalf of the LAN, and treats the LAN as a pseudo node.

◼ Pseudo node
⚫ When a broadcast subnetwork has n connected ISs, the broadcast subnetwork itself is
considered to be a pseudo node. The pseudo node has links to each of the n ISs and
each of the ISs has a single link to the pseudo node (rather than n-1 links to each of
the other ISs). Link-state PDUs are generated on behalf of the pseudo node by the DIS.
IS-IS — Hello Packet Format
◼ Used to discover neighbors and elect the DIS
◼ Sent every 9 seconds from L1 and L2 routers, if they are not the DIS
◼ Sent every 3 seconds from the DIS in broadcast multi-access networks
◼ 3 different formats:
⚫ Level 1 and Level 2 in broadcast subnetworks
⚫ Point-to-point in general topology subnetworks
◼ Highest priority elects the DIS for both L1 and L2 in broadcast networks
⚫ Highest interface MAC address is the tiebreaker if priorities are equal
⚫ DIS assigns the subnetwork ID (DIS NET + SEL)
Link-State PDU (LSP) Format
◼ Slightly different formats for L1 and L2 LSPs

◼ LSP Identifier indicates which router created the LSP

◼ Sequence number indicates relative age of the LSP


⚫ When a router creates a new LSP, the sequence number is incremented.

◼ Reachability information is provided for all local networks from the router that
created the LSP:
⚫ Network prefix
⚫ Metrics
⚫ IP mask

◼ An L1 LSP is flooded to all other L1 routers in the area.

◼ An L2 LSP is flooded to all other L2 routers in the network.


Complete Sequence Number PDU Format
◼ CSNPs used to maintain consistency of link-state database

◼ Contains list of router’s LSPs and their sequence numbers.

◼ A router that receives a CSNP that includes out-of-date LSPs will transmit up-
to-date LSPs.
◼ CSNPs are exchanged at router initialization and periodically afterward to
maintain synchronization.
⚫ Every 10 seconds on broadcast network
⚫ Every 5 seconds on point-to-point link

◼ For each LSP in its database, the CSNP contains:


⚫ Remaining life of the LSP, in seconds
⚫ LSP ID
⚫ LSP sequence number
⚫ Checksum value
Partial Sequence Number PDU Format
◼ PSNPs are used by routers to request a specific LSP.
◼ PSNPs are also used on point-to-point links to acknowledge the receipt of an LSP (but not on a broadcast link).
◼ A PSNP is similar to a CSNP except that it is a subset of the LSPs from the database.
◼ A PSNP describes one or more LSPs and contains the following information for each:
⚫ Remaining life of the LSP, in seconds
⚫ LSP ID
⚫ LSP sequence number
⚫ Checksum value
IS-IS – Network types
◼ IS-IS only supports:
⚫ Broadcast for LAN and multipoint WAN topologies
⚫ Point-to-point for all other topologies
◼ When IS-IS is implemented in an NBMA network:
⚫ Broadcast mode assumes fully meshed connectivity.
⚫ Point-to-point assumes true point-to-point connectivity.
◼ LAN and multipoint WAN topologies require the election of a Designated Intermediate System (DIS).
⚫ Hellos are used to create adjacencies and determine router priority.
⚫ The DIS is elected based on the following criteria:
 Only routers with adjacencies are eligible.
 Highest interface priority
 Highest interface MAC address
IS-IS – DIS Election for L1 and L2 Routers
◼ L1 and L2 routers can elect separate DIS routers.
◼ DIS election is based on priority and/or the highest MAC address and is preemptive.
◼ L1 and L2 can have separate priorities set.
◼ The DIS creates the pseudo node and floods updates over the LAN.

[Figure: a LAN with L1, L1/L2 and L2 routers; the L1 routers elect one DIS and the L2 routers elect another]
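The election rules from the last two slides, written out so the per-level and preemption behaviour can be seen on a small constructed LAN. This is an added example, not AOS code: each router has a level capability, a per-level interface priority and an interface MAC; only routers with an adjacency take part, the highest priority wins, the highest MAC breaks ties, and re-running the election after a higher-priority router appears changes the result. The router names, priorities and MACs are constructed.

```python
"""DIS election per level on a broadcast LAN, following the rules above.

Added example, not AOS code. Each router has a level capability (L1, L2 or
L1/L2), a per-level interface priority and an interface MAC; only routers
with an adjacency on the LAN take part. Highest priority wins, highest MAC
breaks ties, and the election is preemptive. All values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IsisRouter:
    name: str
    mac: str
    levels: str                       # "L1", "L2" or "L1/L2"
    priority: Dict[str, int] = field(default_factory=lambda: {"L1": 64, "L2": 64})
    adjacent: bool = True             # has an adjacency on this LAN


def mac_value(mac: str) -> int:
    """Numeric value of a MAC so that 'highest MAC' can be compared."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def elect_dis(routers: List[IsisRouter], level: str) -> Optional[str]:
    """Return the name of the DIS for one level, or None if nobody is eligible."""
    eligible = [r for r in routers if r.adjacent and level in r.levels.split("/")]
    if not eligible:
        return None
    winner = max(eligible, key=lambda r: (r.priority[level], mac_value(r.mac)))
    return winner.name


def elect_both(routers: List[IsisRouter]) -> Dict[str, Optional[str]]:
    """L1 and L2 are elected independently, so an L1/L2 router may win one level and not the other."""
    return {"L1": elect_dis(routers, "L1"), "L2": elect_dis(routers, "L2")}


# Constructed LAN: A is L1 only, B is L1/L2 with default priorities, C is L2 with a raised L2 priority.
LAN = [
    IsisRouter("A", "00:d0:95:00:00:01", "L1"),
    IsisRouter("B", "00:d0:95:00:00:02", "L1/L2"),
    IsisRouter("C", "00:d0:95:00:00:03", "L2", {"L1": 64, "L2": 100}),
]

if __name__ == "__main__":
    print("initial:", elect_both(LAN))
    newcomer = IsisRouter("D", "00:d0:95:00:00:00", "L1", {"L1": 127, "L2": 64})
    print("after D joins with L1 priority 127:", elect_both(LAN + [newcomer]))
```

On the initial LAN the L1 election is a priority tie between A and B, so B wins on the higher MAC; C wins L2 on priority alone. When D joins with L1 priority 127 it takes over the L1 DIS role immediately, which is the preemptive behaviour the slide describes and the reason priorities, not MACs, should be set deliberately on the router meant to be the DIS.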
IS-IS — Packet Exchange
◼ L1 and L2 adjacencies use the same procedure.
◼ An adjacency is established when a valid IIH is received:
⚫ L1 adjacency if the area IDs are the same and the circuit is L1
⚫ L2 adjacency if the circuit is L2
◼ The initial exchange of IIHs establishes the type of adjacency.
⚫ The 2-way handshake depends on a reliable circuit.
◼ A unique local circuit ID is determined by each IS configuration.
◼ The link's circuit ID is set by the system with the higher source ID.
⚫ Concatenation of system ID and local circuit ID
◼ Both sides exchange CSNPs.
◼ Update reliability is accomplished by:
⚫ Sending a PSNP for all new and duplicate LSPs
⚫ Answering older LSPs with newer LSPs
Configuring IS-IS
◼ Minimum configuration (single area)

-> ip load isis


-> ip isis admin-state enable
-> ip isis area-id 49.0001
-> ip isis activate-ipv4
-> ip isis vlan 5
-> ip isis vlan 5 address-family v4
-> ip isis vlan 5 admin-state enable
IS-IS - CLI Commands
Interface configuration
-> ip isis level-capability level-1
-> ip isis level-capability level-2
-> ip isis level-capability level-1/2
-> ip isis vlan 10 level-capability level-1/2

Monitoring
-> show isis status
-> show ip isis vlan
-> show ip isis vlan detail
-> show ip isis route
-> show ip isis spf
-> show ip isis adjacency
IS-IS - Area types
[Figure: Area 01, Area 02, Area 03 and Area 04, each with L1 routers and one or more L1/L2 routers connecting the areas]
OmniSwitch AOS R6/R8

Security Certifications
Lesson summary

At the end of this presentation, you will be able to

◼ List the compliance of ALE security with governmental and federal requirements
ALE security: compliance, certifications and referencing overview

[Figure: NDcPP and Common Criteria "CERTIFIED" logos; all security certifications to address governmental and federal requirements]
Common Criteria
Objectives

◼ The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for the security certification of software and IT products.

◼ Common Criteria provides assurance that the process of specification, implementation and evaluation of a software's or IT product's security has been conducted in a rigorous, standard and repeatable manner at a level that is commensurate with the target environment for use.

◼ Common Criteria is used as the basis for a government-driven certification scheme, and typically evaluations are conducted for the use of Federal Government agencies and critical infrastructure.
Common Criteria
Common Criteria Recognition Arrangement (CCRA) members

National Information
Assurance Partnership

Swedish Defense Material Administration


Common Criteria
ALE Network

◼ ALE Network equipment that are certified:

8.X
Q2’17

OS6865
OS6350

OS6250
6.X OS6450 OS6860/E OS6900 OS10K OS9900
Q2’17

• Level of certification:
• EAL2 - Structurally Tested
EAL2 requires the cooperation of the developer in terms of the delivery of design information and test results.
• NDcPP - Network Device collaborative Protection Profile
This collaborative Protection Profile (cPP) was developed by the Network international Technical Community with representatives from industry, Government agencies, Common Criteria Test Laboratories, and members of academia.
Common Criteria Types
◼ Common Criteria has two types of certifications:
• Protection Profiles (USA, UK, Canada and Australia)
• Evaluation Assurance Levels (remaining CC countries)

◼ NDcpp:
• Network Device common protection profile (NDcpp) applies to switching and
routing products
• Focus is on verifying profile requirements through extensive testing
• Testing is performed by independent lab

◼ EAL:
• Evaluation Assurance Levels (EAL) are from 1 to 7
• Focus is on detailed documentation of the product’s security framework
• Testing is performed by vendor with audit testing by lab

The OmniSwitches are being tested against both certifications


Common Criteria – Why EAL Level 2
◼ Typical levels:
• Level 1 – NDcPP (due to differences in documentation requirements)
• Level 2 – Enterprise grade switches/routers, printers, applications
• Level 3 – WAN, Telco switches
• Level 4 – Firewalls, operating systems
• Level 5 – Smart Cards
• Level 6 – Smart Cards

◼ Details: http://www.commoncriteriaportal.org/products/
Common Criteria – Why Sweden (CSEC) was chosen
◼ Common Criteria certification is mutually recognized by all 17 testing and 9 consuming nations. The top countries were evaluated as possible agencies.

◼ Ability to grant both EAL2 and NDcPP certificates:
⚫ Sweden (CSEC) and Germany (BSI): both
⚫ United States (NIAP), UK, Canada, Australia: NDcPP only

◼ Time from submittal to grant of certificate:
⚫ Sweden (CSEC): 2 months average
⚫ Germany (BSI): 9-12 months
⚫ United States (NIAP): 12-24 months

◼ Lab coverage for both EAL2 and NDcPP:
⚫ The lab selected has agency recognition in both Sweden and the United States
⚫ Allows posting on the NIAP (US) Common Criteria website
Common Criteria – Status
◼ EAL2:
• All items completed and submitted to agency
• Waiting for certification – expected May

◼ NDcPP:
• Testing by lab is nearing completion
• Minor document updates in progress
• Submission to agency in April
• Certification and posting on CSEC (Sweden) expected June
• Posting on NIAP (United States) to follow
CC mode for AOS
1. 16 additional audit logs, such as password change or establishment/termination of a session
2. Connection to syslog, radius and ldap servers via TLS 1.1 and 1.2
3. Crypto Key Management – Only allow RSA 2048 bit or larger, verify key destruction. 8.x also supports ECDSA keys.
4. Crypto Operation – Encryption only with AES in CBC mode of 128 and 256 bits; crypto signatures with only RSA 2048 bit, ECDSA SHA2 NIST P-256, and ECDSA SHA2 NIST P-384; SHA-256 used for user password storage; keyed hash only using HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-512; run in FIPS mode.
5. Password Management – 15 char minimum, storage allowed in SHA1/AES128, SHA256, SHA256/AES128
6. Certificate/Key management – New commands to load, generate, and delete X.509 certificates, generate key file with RSA 2048, block direct file access
7. Trusted updates – AOS software images are verified prior to reboot and on boot.
8. Insecure protocols blocked – telnet, ftp, tftp, snmp, http, https; radius, ldap and syslog not over TLS
Enlarge the entropy pool to increase randomness and add RSA key generation
JITC
Objectives

The Joint Interoperability Test Command (JITC) is the US Department of Defense's Joint Interoperability Certifier and only non-Service Operational Test Agency for Information Technology (IT) / National Security Systems (NSS).

JITC provides risk based Test, Evaluation & Certification services, tools, and environments to ensure Joint Warfighting IT capabilities are interoperable and support mission needs.
Certified Devices meet the requirements of the Defense Information Services Area (DISA) Unified Capabilities Requirements (UCR) Change 1 or 2 Versions.
Certified Network Devices are listed on the DISA Unified Capabilities (UC) Approved Products List (APL) or UC APL
JITC
ALE Network

◼ ALE OmniSwitch network equipment product families that are being certified as Core, Distribution and Access Devices under the DISA UCR Assured Services LAN (ASLAN) are (Q2'17):
OS6860/E OS6865 OS6900 OS9900

JITC
What does it mean exactly in terms of security for ALE Network equipment?

JITC Certification - STIGs

RTR-3449 JITC IS-IS Routing IPv6
RTR-4384 JITC Certification
RTR-4385 JITC Feature: IPv6 tunneling
RTR-4386 JITC Feature: IPv6 feature parity and protocol compliance
RTR-4387 JITC Feature: SNMP over IPv6
RTR-4388 JITC Feature: IPv6 complete MIBs
RTR-4391 JITC feature: IPv6 Traffic engineering
RTR-4392 JITC feature: SNMPv3
RTR-4394 JITC feature: RADIUS over IPv6
RTR-4517 JITC STIGs (Security Technical Implementation Guides)
FIPS 140-2
Objectives

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. and Canadian co-sponsored security standard for hardware, software, and firmware solutions. In U.S. government procurement, all solutions that use cryptography must complete FIPS 140-2 validation to ensure end users receive a high degree of security, assurance, and dependability.
Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems must use products that have completed FIPS validation.

FIPS 140-2
ALE Network

◼ ALE Network equipment that are certified (Q2'17 / Q3'17, some dates TBC): OS6900, OS6450, OS6860/E, OS6865, OS6350, OS9900

◼ Level of certification:
• Security Level 1
Basic security requirements are specified for a cryptographic module (e.g., at least one Approved algorithm or Approved security function shall be used).
• Security Level 2
Security Level 2 improves upon the physical security mechanisms of a Security Level 1 cryptographic module by requiring features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorized physical access.
FIPS-140-2 status
◼ AOS 8.x products – Level 1:
1. Testing nearing completion
2. Submission expected April
3. Certification expected June (fast track)

◼ AOS 6.7 products – Level 1:
1. Testing started
2. Submission expected May
3. Certification expected Q3

◼ OmniSwitch 6860, 6860E, 6865, 6900 – Level 2:
1. Documentation and testing to start May
2. Certification expected Q3
NATO Certifications

The National Codification Bureaus (NCBs) are the only organizations in NATO to deliver an NSN (NATO Stock Number) - NNO (Numéro de Nomenclature OTAN) in France - for equipment, but manufacturers are not allowed to deal directly with this organization.
In France, only the approved BNN (bureau national de nomenclature) and some integrators such as Thales are allowed to propose new equipment to be added to the NATO equipment list (get an NSN/NNO).
The French BNN organization is led by the French defense procurement agency – CIMD (centre d'identification des matériels de la défense).
There are 4 types of LAN switches used by NATO and NATO countries (NATO registered ALE network equipment):
- Legacy enterprise LAN switches
- Rugged switches
- Tempest switches
- Tactical (field) switches
Certifications

❑ NEMA TS-2 Traffic Control Systems
o 2.2.7.1 PLACEMENT IN ENVIRONMENTAL
o 2.2.7.2 TRANSIENT TESTS (POWER SERVICE)
o 2.2.7.3 LOW-TEMPERATURE LOW-VOLTAGE TESTS
o 2.2.7.4 LOW-TEMPERATURE HIGH-VOLTAGE TESTS
o 2.2.7.5 HIGH-TEMPERATURE HIGH-VOLTAGE TESTS
o 2.2.7.6 HIGH-TEMPERATURE LOW-VOLTAGE TESTS
o 2.2.7.7 TEST TERMINATION
o 2.2.7.8 APPRAISAL OF EQUIPMENT UNDER TEST
o 2.2.8 VIBRATION TEST
o 2.2.9 SHOCK (IMPACT) TEST
o 2.2.10 POWER INTERRUPTION TESTS

❑ EN 50121-4 & IEC 62236-4 Railway Application
▪ EN 50121-4 Emissions & Immunity
o Radiated Emissions (EN 61000-6-4)
o Conducted Emission (EN 61000-6-4)
▪ Immunity
o Magnetic Immunity
o Radiated Immunity
o Electrostatic discharge
o Conducted Immunity
o Fast transients
o Surge
o Pulse Magnetic Field

▪ IEC IEEE 1613 Industrial communications networking devices in electric power substations
o IEEE 1613 C37.90.3 (ESD)
o IEEE 1613 C37.90.2 (Radiated RFI)
o IEEE 1613 C37.90.1 (Fast Transient)
o IEEE 1613 C37.90.1 (Oscillatory)
o IEEE 1613 C37.90 (H.V. Impulse)
o IEEE 1613 C37.90 (Dielectric Strength)

❑ Industrial Safety
▪ UL 508, UL 61010, EN 50021
❑ Hazardous Location Safety
▪ ISA 12.12.01 (UL 1604), CSA22.2/213
❑ Industrial Environmental Cert (IEC 60068-2-1)
▪ Telecontrol equipment and systems, Operating & Environmental (IEC 60870-2-2): IEC 60068-2-1, IEC 60068-2-2, IEC 60068-2-13, IEC 60068-2-78
o Low Air, High Air
o High RH, Low Pressure
o High Pressure, Condensation
o Vibration, Shock, Free Fall
▪ IEC 60721-3-1 Environmental & Severities - Storage
o MFG, Ammonia, Ozone, HF, HCl
o Dust, Static Load
OmniSwitch AOS R8

Multiple Spanning Tree Protocol (MSTP)

Lesson Summary

At the end of this presentation, you will be able to

◼ Reminder on the Multiple STP Protocol (MSTP)
◼ Learn how to implement
⚫ Multiple STP Protocol (MSTP)

MSTP reminder - Goal
◼ GOAL
⚫ Possibility to map several VLANs to one instance (IEEE 802.1s standard)

◼ HOW IT WORKS
⚫ Multiple Spanning Tree Region concept (based on RSTP)
⚫ Allows to map one or more VLANs to a single Spanning Tree instance
 Multiple Spanning Tree Instance (MSTI)
⚫ Interoperates with IEEE Common Spanning Tree protocols
 FLAT 802.1D
 FLAT 802.1w

(Figure: MST Region1, Region2 and Region3, each running a CIST and several MSTIs, linked to each other through the CST)
MSTP reminder – STP instances
◼ HOW IT WORKS
⚫ Instead of running one STP instance for every VLAN, MSTP runs a number of VLAN-independent STP instances (= logical topologies)
⚫ The administrator maps each VLAN to the most appropriate STP instance, also called MSTI (MST Instance)

Note: If a VLAN is not mapped to any MSTI, it is associated to the MSTI 0 (aka IST)

(Figure: one physical topology carrying VLAN 1, 10, 20, 30, 40, 50 and 60, mapped onto three logical topologies: INSTANCE 0 (= MSTI 0), INSTANCE 1 (= MSTI 1) and INSTANCE 2 (= MSTI 2))

MSTP reminder - Region
◼ HOW IT WORKS
⚫ A MSTP region is
 A collection of switches
 Sharing the same view of the physical topology
 Partitioning into the same set of logical topologies
⚫ MSTP Region seen as one switch for the rest of the world
⚫ Rest of the world only "aware" of the CST instance 0
⚫ Forwards traffic for VLANs which are not covered by any MSTI
⚫ CST interacts with STP outside the region
 Achieves this by representing the region as one virtual spantree
⚫ MST region sees the outside world via its CIST/CST interaction only

(Figure: MST Region1 (REGION 1, REVISION NB: 1), MST Region2 (REGION 2, REVISION NB: 1) and MST Region3 (REGION 3, REVISION NB: 1), each with its IST (MSTI 0 = IST <> VLAN 1) and MSTIs, joined to each other by the CST)
MSTP reminder - Intra Region
◼ HOW IT WORKS
⚫ BPDUs are carried through the network via the MSTI 0 (aka IST, Internal Spanning Tree)
⚫ Root switch sends out BPDUs with maximum hop count which is decremented at each switch as BPDUs are forwarded. At 0 hop, the BPDUs are discarded
⚫ One BPDU is exchanged for all instances over the default VLAN
⚫ MSTP BPDUs are sent on every port
⚫ The maximum hop count supported is 40, default is 20

Note: If a VLAN is not mapped to any MSTI, it is associated to the MSTI 0 (aka IST)

(Figure: CIST 0 = VLAN 1, MSTI 1 = VLAN 11 to 13, MSTI 2 = VLAN 14 to 16, MSTI 3 = VLAN 17 to 20; VLAN 11 to 20 tagged on the inter-switch links; one switch is Root spantree for CIST 0 and MSTI 1, the two others for MSTI 2 and MSTI 3)
MSTP reminder - Specification

◼ SPECIFICATION
⚫ Instance 0
 Always configured on any 802.1s switch
 Common and Internal Spanning Tree instance (CIST)
 By default, all VLANs are mapped to the CIST
⚫ Up to 16 other instances are supported by Alcatel-Lucent AOS
 Multiple Spanning Tree Instance - MSTI
MSTP CONFIGURATION
MSTP Configuration
◼ Step by Step

Select the Flat Spanning Tree mode
Select the MSTP protocol
Configure MST regions (name, revision level)
Configure MSTIs
Map VLANs to MSTI
Manage Switch Priority

MSTP Configuration
◼ Step by Step

Select the Flat Spanning Tree mode
 Change Spanning Tree mode to flat mode (on SW1, SW2 and SW3)

-> spantree mode flat

Select the MSTP protocol
 Change Spanning Tree protocol to MSTP

-> spantree protocol mstp

MSTP Configuration
◼ Step by Step

Configure MST regions (name, revision level)
 Create a MSTP region
 To belong to the same region, switches must have the same:
 Region name
 Revision level
 VLAN to MSTI mapping
(SW1, SW2 and SW3: REGION_1, REVISION NB: 1)

-> spantree mst region name {mst_region_name}
-> spantree mst region revision level 1
-> spantree msti {msti_id}
-> spantree msti {msti_id} vlan {vlan_id}
MSTP Configuration
◼ Step by Step

Configure MSTIs
 Every switch has a CIST (= MSTI 0)
 Create additional MSTI
 Required to segment VLANs into separate instances
(SW1, SW2 and SW3 in REGION_1, REVISION NB: 1, each with MSTI 0, MSTI 1 and MSTI 2)

-> spantree msti {msti_id}
-> spantree msti {msti_id} vlan {vlan_id}
MSTP Configuration
◼ Step by Step

Map VLANs to MSTI
 Assign the VLANs to the MSTIs
 Non assigned VLANs are mapped to the MSTI 0 (CIST)
(SW1, SW2 and SW3 in REGION_1, REVISION NB: 1: MSTI 1 <> VLAN 20, MSTI 2 <> VLAN 30, CIST 0 <> other VLANs)

-> spantree msti {msti_id} vlan {vlan_id}

MSTP Configuration
◼ Step by Step

Manage Switch Priority
 Configure the switch priority value for each switch
 Used to determine which switch will be Root spantree (RB)
(SW1, SW2 and SW3 in REGION_1, REVISION NB: 1: MSTI 1 <> VLAN 20, MSTI 2 <> VLAN 30, CIST 0 <> other VLANs; each switch is Root spantree (RB) for one instance)

 Tip: manage the switches' priority values so that a different switch assumes the Root spantree role for each MSTI
 Ex:
                SW 1    SW 2    SW 3
MSTI 0 (CIST)   32768   32768   16384
MSTI 1          16384   32768   32768
MSTI 2          32768   16384   32768
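The region-membership rule (same name, revision level and VLAN-to-MSTI mapping) and the priority table above can be checked offline before the configuration is pushed. The Python script below is an added example written for this guide, not OmniSwitch code: it computes the Configuration Digest that "show spantree mst region" displays (HMAC-MD5 over the 4096-entry VLAN-to-MSTI table with the fixed key from IEEE 802.1Q clause 13.7), lists the switches whose region identity differs from the first one, and elects the Root spantree per instance by lowest bridge ID. Switch names, MAC addresses and the VLAN 20 / VLAN 30 mapping are constructed sample values taken from the step-by-step slides; the priority check (multiples of 4096) is an assumption of this model.

```python
import hashlib
import hmac

# Key from IEEE 802.1Q clause 13.7: the MST Configuration Table is signed with HMAC-MD5
# using this fixed 16-octet key so that any two switches can compare digests.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Digest every switch computes when all VLANs stay in the CIST (MSTI 0).
DEFAULT_DIGEST = "ac36177f50283cd4b83821d8ab26de62"


def mst_config_digest(vlan_to_msti):
    """Digest of the VLAN-to-MSTI table: 4096 two-octet MSTIDs, one per VID.

    VID 0 and VID 4095 are not used and stay 0; unmapped VLANs belong to MSTI 0.
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not (1 <= vid <= 4094) or not (0 <= msti <= 4094):
            raise ValueError(f"invalid mapping VLAN {vid} -> MSTI {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest()


class MstSwitch:
    """Constructed model of one switch's MSTP settings (example only, not AOS code)."""

    def __init__(self, name, mac, region, revision, vlan_to_msti, priorities):
        self.name = name
        self.mac = int(mac.replace(":", ""), 16)
        self.region = region
        self.revision = revision
        self.vlan_to_msti = dict(vlan_to_msti)
        self.priorities = dict(priorities)  # msti -> priority (multiple of 4096)

    def region_id(self):
        # All three values must match for two switches to be in the same region.
        return (self.region, self.revision, mst_config_digest(self.vlan_to_msti))

    def bridge_id(self, msti):
        # 802.1Q bridge identifier: priority (4 bits) | system ID extension (the MSTID, 12 bits) | MAC.
        # This is why "show spantree msti 3" reports Priority 4099 (0x1003) = 4096 + 3.
        prio = self.priorities.get(msti, 32768)
        if prio % 4096 or not 0 <= prio <= 61440:
            raise ValueError(f"{self.name}: priority {prio} must be a multiple of 4096")
        return ((prio | msti) << 48) | self.mac


def region_mismatches(switches):
    """Names of switches whose (region name, revision, digest) differs from the first switch."""
    reference = switches[0].region_id()
    return [sw.name for sw in switches[1:] if sw.region_id() != reference]


def elect_roots(switches):
    """Root spantree per instance: lowest bridge ID wins, the MAC breaks priority ties."""
    instances = {0}
    for sw in switches:
        instances.update(sw.priorities)
    return {msti: min(switches, key=lambda sw: sw.bridge_id(msti)).name
            for msti in sorted(instances)}


# Constructed sample matching the slides: VLAN 20 -> MSTI 1, VLAN 30 -> MSTI 2, priorities as tabled.
MAPPING = {20: 1, 30: 2}
SWITCHES = [
    MstSwitch("SW1", "00:d0:95:00:00:01", "REGION_1", 1, MAPPING, {0: 32768, 1: 16384, 2: 32768}),
    MstSwitch("SW2", "00:d0:95:00:00:02", "REGION_1", 1, MAPPING, {0: 32768, 1: 32768, 2: 16384}),
    MstSwitch("SW3", "00:d0:95:00:00:03", "REGION_1", 1, MAPPING, {0: 16384, 1: 32768, 2: 32768}),
]

if __name__ == "__main__":
    print("region mismatches:", region_mismatches(SWITCHES))
    print("root per instance:", elect_roots(SWITCHES))
    # Mapping VLAN 30 to MSTI 1 on SW3 only changes its digest and splits it from the region.
    drifted = MstSwitch("SW3", "00:d0:95:00:00:03", "REGION_1", 1, {20: 1, 30: 1}, {0: 16384})
    print("after drift:", region_mismatches(SWITCHES[:2] + [drifted]))
```

A digest that differs between switches is the usual reason two switches with the same region name and revision still behave as two regions: the digest changes with any VLAN-to-MSTI edit, including VLANs that are not in use, so compare the three values of region_id() rather than the name alone.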
Configuring MSTP - Monitoring
-> show spantree msti 3
Monitoring Spanning Tree Parameters for Msti 3
Spanning Tree Status: ON,
Protocol: IEEE Multiple STP,
mode: FLAT (Single STP),
Priority: 4099 (0x1003),
spantree ID: 1003-00:d0:95:bd:2a:e2,
Designated Root: 1003-00:d0:95:bd:2a:e2,
Cost to Root spantree: 0,
Root Port: None,
Next Best Root Cost: 0,
Next Best Root Port: None,
Hold Time: 1,
Topology Changes: 5,
Topology age: 00:06:50,
Current Parameters (seconds)
Max Age = 20,
Forward Delay = 15,
Hello Time = 2
Parameters system uses when attempting to become root
System Max Age = 20,
System Forward Delay = 15,
System Hello Time = 2

-> show spantree mst region

Configuration Name : myregion,
Revision Level : 1,
Configuration Digest : 0x45929389 64c56251 6c821b64 d0862c32,
Revision Max hops : 20,
Cist Instance Number : 0
Configuring MSTP - Example
Example 1

SwitchA:
-> spantree mode flat
-> spantree protocol mstp
-> spantree mst region name myregion
-> spantree mst region revision level 1
-> spantree cist protocol mstp
-> spantree msti 1
-> spantree msti 1 VLAN 1-15
-> spantree msti 2
-> spantree msti 2 VLAN 16-20
-> spantree cist priority 4096
-> spantree msti 1 priority 4096
-> spantree msti 2 priority 8192
-> spantree msti 1 1/1/1 priority 1
-> spantree msti 2 1/1/1 priority 15
-> spantree msti 1 1/1/11 priority 15
-> spantree msti 2 1/1/11 priority 1

SwitchB:
-> spantree mode flat
-> spantree protocol mstp
-> spantree mst region name myregion
-> spantree mst region revision level 1
-> spantree cist protocol mstp
-> spantree msti 1
-> spantree msti 1 VLAN 1-15
-> spantree msti 2
-> spantree msti 2 VLAN 16-20
-> spantree cist priority 8192
-> spantree msti 1 priority 8192
-> spantree msti 2 priority 4096
-> spantree msti 1 1/1/2 priority 1
-> spantree msti 2 1/1/2 priority 15
-> spantree msti 1 1/1/22 priority 15
-> spantree msti 2 1/1/22 priority 1

Mapping:

Root spantree VLAN 1 -> instance 0 (CIST)


CSTI 0 VLAN 1 to 15 -> instance 1 Root spantree
MSTI 1 VLAN 16 to 20 -> instance 2 MSTI 2
1/1/1 1/1/2
VLAN 1 to 20

1/1/11 1/1/22
Configuring MSTP - Example

Example 1 VLAN 1 to 15 Root spantree


MSTI 2
1/1/1 1/1/2
X
SwitchA SwitchB

1/1/11 1/1/22
X
Root spantree VLAN 16 to 20
CSTI 0
MSTI 1

SwitchA-> show spantree mst port 1/1/1
MST Role State Pth Cst Edge Boundary Op Cnx Vlans
---+------+-----+--------+----+--------+------+---------
0 DESG FORW 20000 NO NO PTP
1 DESG FORW 20000 NO NO PTP 1-15
2 ALT BLK 20000 NO NO PTP

SwitchB-> show spantree mst port 1/1/2
MST Role State Pth Cst Edge Boundary Op Cnx Vlans
---+------+-----+--------+----+--------+------+---------
0 ROOT FORW 20000 NO NO PTP
1 ROOT FORW 20000 NO NO PTP 1-15
2 DESG FORW 20000 NO NO PTP

SwitchA-> show spantree mst port 1/1/11
MST Role State Pth Cst Edge Boundary Op Cnx Vlans
---+------+-----+--------+----+--------+------+---------
0 DESG FORW 20000 NO NO PTP 100
1 DESG FORW 20000 NO NO PTP
2 ROOT FORW 20000 NO NO PTP 16-20

SwitchB-> show spantree mst port 1/1/22
MST Role State Pth Cst Edge Boundary Op Cnx Vlans
---+------+-----+--------+----+--------+------+---------
0 ALT BLK 20000 NO NO PTP 100
1 ALT BLK 20000 NO NO PTP
2 DESG FORW 20000 NO NO PTP 16-20
Configuring MSTP - Example

Example 2
Mapping:
VLAN 1 -> instance 0 (CIST)
VLAN 2 and 3 -> instance 1
VLAN 4 and 5 -> instance 2

Priority        Switch A    Switch B    Switch C
CIST            4096        32768       32768
MSTI 1          32768       4096        32768
MSTI 2          32768       32768       4096

(Figure: Switch A, Switch B and Switch C in a triangle (Switch B ports 2/1/1 and 2/1/3, Switch A ports 1/1/2 and 1/1/3, Switch C ports 3/1/1 and 3/1/2). Switch B is Root spantree for MSTI 1 and carries VLAN 2 and 3; Switch C is Root spantree for MSTI 2 and carries VLAN 4 and 5: traffic load sharing between the two instances)

OmniSwitch AOS R8

Virtual Routing and Forwarding

Lesson summary

At the end of this presentation, you will be able to

◼ VRF Overview
◼ VRF Configuration
◼ VRF route leak

Virtual Routing and Forwarding
◼ Multiple routing instances within the same physical switch
◼ Multiple instances of IP routing protocols, such as static, RIP, IPv4, BGPv4, and OSPFv2 on the same physical switch
◼ Ability to use duplicate IP addresses across VRF instances
◼ Separate IP routing domains for customer networks

(Figure: one OmniSwitch hosting VRF 1, VRF 2 and VRF 3 as separate virtual routers)
Multi-VRF - VRF awareness
VRF - Virtual Routing and Forwarding
◼ Provides the ability to configure separate routing instances on the same switch.
⚫ Segments layer 3 traffic.
◼ Each Provider Edge (PE) maintains more than one routing table, in addition to the default routing instance.
⚫ One VRF instance is configured on the PE for each customer network to which the PE is connected.
◼ When an IP packet for customer A is received on a PE, the VRF A determines how to route the packet through the provider backbone so that it reaches the intended customer A destination.

(Figure: Service Provider IP Network with Provider Edge 1, 2 and 3; each PE holds one VRF per attached customer (VRF A, VRF B, VRF C), connecting Customer A Sites 1 to 3, Customer B Sites 1 and 2 and Customer C Site 1)
VRF - Virtual Routing and Forwarding

(Figure: a Customer Edge OmniSwitch with VRF 1, VRF 2 and VRF 3, each with its own VRRP instance, DHCP server (1, 2, 3) and per-VRF QoS, connected to an enterprise class MPLS Provider Edge (7450 ESS))
VRF - CLI Commands
◼ Creating a VRF Instance
-> vrf create IpOne
IpOne: ->

◼ Selecting a VRF Instance
IpOne: -> vrf IpTwo
IpTwo: ->

◼ View a list of the Configured VRFs
-> show vrf
Virtual Routers Protocols
------------------------------------------
default
IpOne RIP
IpTwo BGP
Total Number of Virtual Routers: 3

◼ Assigning IP Interfaces to a VRF Instance
-> vrf IpOne
IpOne: -> ip interface intf100 address 100.1.1.1/24 vlan 100
IpOne: ->

◼ Removing a VRF Instance
-> no vrf IpTwo
*removes associated ip interfaces as well

◼ Returning to the default VRF instance
IpOne: -> vrf default
->

Note: VRF names are case sensitive

▪ A default VRF instance is automatically configured and available on system startup

VRF - CLI Commands
◼ View a list of the Configured VRF interfaces

-> vrf create IpOne
IpOne: -> show ip interface
Total 1 interfaces
Name IP Address Subnet Mask Status Forward Device
---------------+---------------------------+------------------+-----------+-----------+-----------
intfone 200.1.1.1 255.255.255.0 DOWN NO vlan 200

IpOne: -> vrf default
-> show ip interface
Total 6 interfaces
Name IP Address Subnet Mask Status Forward Device
---------------+--------------------+---------------------+--------+----------+-------
EMP 192.168.10.1 255.255.255.0 DOWN NO EMP
Loopback 127.0.0.1 255.0.0.0 UP NO Loopback
vlan 130 192.168.130.161 255.255.255.0 DOWN NO vlan 130
vlan 2 10.255.11.161 255.255.255.0 UP YES vlan 2
vlan-2000 172.20.0.1 255.255.0.0 UP YES vlan 2000
vlan-2100 172.21.0.1 255.255.0.0 UP YES vlan 2100
Number of Virtual Routers: 3
VRF - Guidelines
◼ A single IP interface, as well as the VLAN associated with the interface, can only belong to one VRF instance at a time
◼ Once a VLAN is associated with a specific VRF instance, configuring an interface for that VLAN within the context of any other instance is not allowed
⚫ For example, if the first IP interface configured for VLAN 100 was associated with the VRF IpOne instance, then any subsequent IP interface configuration for VLAN 100 is only allowed within the context of the IpOne instance
⚫ Use of duplicate VLAN numbers is not supported
◼ A VRF instance can have multiple VLAN associations
⚫ even though a VLAN can only have one VRF association
◼ VRF CLI context is used to determine the association between a specific routing configuration and a VRF instance
VRF - Specifications
◼ Specifications per switch
VRF Route Leak
◼ VRF Route Leak forwards routes from one VRF routing table to another VRF routing table, allowing routing from one VRF to a gateway in another VRF.
◼ Route maps are used to import and export routes from the VRFs to the GRT.

(Figure: OS9000E, 9900, 10K with a GRT and VRF 1, VRF 2 and VRF 3; prefixes such as 200.1.1.0, 192.168.130.0, 10.255.11.0, 172.20.0.0, 172.21.0.0, 192.168.140.0, 10.255.12.0 and 192.168.1.0 are exported to and imported from the GRT)
Configuring VRF Route Leak
◼ Create a route-map to use as a filter for exporting or importing routes.
-> ip route-map R1 action permit
◼ Define protocol preference for export policy route map. This route map controls the
export of routes from the VRF FDB (Forwarding Routing Database) to the GRT (Global
Routing Table).
-> ip route-map R1 match protocol static
◼ Export routes from the source VRF to the GRT
-> ip export route-map R1
◼ Define protocol preference for import policy route map. This route map controls the
import of routes from the GRT.
-> ip route-map R2 match protocol static
◼ Import the leaked routes from the GRT.
-> ip import vrf V1 route-map R2
◼ Configure route preference for imported routes
-> ip route-pref import 100
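The export and import steps above can be traced with a small model before touching the switch. The Python below is an added example written for this guide, not AOS code: a route map with an optional "match protocol", an export of the permitted routes into a global routing table, an import into another VRF at the configured route preference, and a per-VRF longest-prefix lookup. The VRF names V1/V2/V3, the prefixes, the next hops and the preference values in PREF are constructed assumptions; the real defaults are the ones the switch reports.

```python
import ipaddress

# Constructed route preference values (lower is preferred); the real AOS defaults
# are the ones shown by the switch and are not reproduced here.
PREF = {"local": 1, "static": 2, "rip": 120}


class Route:
    def __init__(self, prefix, protocol, nexthop, pref, origin_vrf=None):
        self.network = ipaddress.ip_network(prefix)
        self.protocol = protocol
        self.nexthop = nexthop
        self.pref = pref
        self.origin_vrf = origin_vrf  # set on routes that travelled through the GRT


class RouteMap:
    """Minimal model of 'ip route-map <name> action permit|deny' with an optional 'match protocol'."""

    def __init__(self, name, action="permit", match_protocol=None):
        self.name, self.action, self.match_protocol = name, action, match_protocol

    def permits(self, route):
        matched = self.match_protocol is None or route.protocol == self.match_protocol
        return matched and self.action == "permit"


class Vrf:
    def __init__(self, name):
        self.name = name
        self.routes = []

    def add(self, prefix, protocol, nexthop, pref=None, origin_vrf=None):
        pref = PREF[protocol] if pref is None else pref
        self.routes.append(Route(prefix, protocol, nexthop, pref, origin_vrf))

    def lookup(self, ip):
        """Longest prefix match inside this VRF only; ties go to the lowest preference."""
        addr = ipaddress.ip_address(ip)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.pref))


class Router:
    def __init__(self):
        self.vrfs = {}
        self.grt = []  # global routing table: only what some VRF exported

    def vrf(self, name):
        return self.vrfs.setdefault(name, Vrf(name))

    def export(self, vrf_name, route_map):
        """'ip export route-map R1' issued inside the VRF: leak permitted routes to the GRT."""
        for r in self.vrf(vrf_name).routes:
            if route_map.permits(r):
                self.grt.append(Route(str(r.network), r.protocol, r.nexthop, r.pref, origin_vrf=vrf_name))

    def import_routes(self, dst_vrf, src_vrf, route_map, pref):
        """'ip import vrf <src> route-map R2' plus 'ip route-pref import <pref>' inside dst VRF."""
        for r in self.grt:
            if r.origin_vrf == src_vrf and route_map.permits(r):
                self.vrf(dst_vrf).add(str(r.network), "import", r.nexthop, pref, origin_vrf=src_vrf)

    def grt_prefixes(self):
        return sorted(str(r.network) for r in self.grt)


def build_demo():
    """Constructed topology: V1 leaks only its static route, V2 imports it, V3 stays isolated."""
    rt = Router()
    v1, v2, v3 = rt.vrf("V1"), rt.vrf("V2"), rt.vrf("V3")
    v1.add("200.1.1.0/24", "static", "200.1.1.1")
    v1.add("192.168.130.0/24", "rip", "192.168.130.160")  # learnt by RIP: R1 does not match it
    v2.add("10.255.12.0/24", "static", "10.255.12.1")
    v3.add("200.1.1.0/24", "static", "172.21.0.1")         # same prefix as V1: allowed across VRFs
    rt.export("V1", RouteMap("R1", match_protocol="static"))
    rt.import_routes("V2", "V1", RouteMap("R2", match_protocol="static"), pref=100)
    return rt


if __name__ == "__main__":
    rt = build_demo()
    print("GRT:", rt.grt_prefixes())
    for name, ip in (("V2", "200.1.1.7"), ("V2", "192.168.130.5"), ("V3", "200.1.1.7")):
        hit = rt.vrf(name).lookup(ip)
        print(name, ip, "->", None if hit is None else (hit.protocol, hit.nexthop, hit.pref))
```

Two points the run makes visible: only the protocol the export route map matches leaves V1 (the RIP route never reaches the GRT, so V2 cannot resolve 192.168.130.5), and V3 keeps resolving 200.1.1.0/24 through its own next hop, which is the duplicate-addressing property the overview slide lists.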
OmniSwitch AOS R6/R8

IoT (Internet of Things)


Objectives

At the end of this presentation, you will be able to

◼ Describe IoT Device Profiling feature

◼ Describe Device Profiling steps


IoT - Device Profiling Overview
Overview
◼ IoT Device Profiling monitors the devices connecting to the network, detects and profiles the devices at the switch level
◼ Device Profiling consists of three main components:
⚫ A local signature collector
⚫ A local profiler
⚫ UNP profiling

(Figure: OmniSwitch with Device Profiling (DP) enabled: local profiler, Signature DB and UNP)
Overview
◼ IoT (Internet of Things) device profiling allows network administrators to support and manage smartphones, tablets and other devices connecting to the network.
◼ IoT device profiling uses DHCP FingerPrinting and MAC OUI to identify IoT devices.

(Figure: OmniSwitch running IoT Device Profiling (MAC OUI, DHCP fingerprint), with an AAA RADIUS server, an Employee DB and a Contacts DB, connected to the Internet)
Overview
◼ MAC OUI: allows devices to be recognized by identifying their MAC addresses.
◼ DHCP FingerPrinting: allows to track the devices on the network and block those that are not allowed access. It also helps in analyzing future growth by accessing the trending information.

(Figure: OmniSwitch with DP enabled on a DP interface, running IoT Device Profiling)

DHCP client request example: DHCP option 55 (the parameter request list) and option 60 (the vendor identifier), or the MAC vendor (OUI)
Microsoft Windows XP option 55: 1,15,3,6,44,46,47,31,33,249,43
Apple iPhone option 55: 1,3,6,15,119,78,79,95,252
Device profiling Steps

• Signature collector: collect signature and various packet meta data required for IoT device identification (MAC OUI, DHCP fingerprint)

• Local profiler: identify the IoT devices based on the local device signature database
• Use the meta data received from the signature collector for identifying the IoT device and its category (Signature DB)

Device profiling Steps

• UNP: when a device gets identified and categorized, the UNP profile can be automatically assigned to the device
UNPs for IoT device categories such as PoE camera, temperature sensor, heart-rate monitor, medical imaging etc. for the identified device

• Maintain a database of identified IoT devices (Known Device DB) and un-identified IoT devices (Unknown Device DB) for qualitative and quantitative analysis.

• Admin can classify the unidentified IoT devices based on UNP of choice and update the database
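The signature collector, local profiler and known/unknown device databases described in the steps above can be illustrated with the option 55 fingerprints quoted on the earlier slide. The Python below is an added example written for this guide, not OmniSwitch code: it parses the DHCP options TLVs (RFC 2132) from a message, matches the parameter request list against a constructed signature table, falls back to a constructed MAC OUI table, and keeps known and unknown device tables with the admin reclassification step. The packets, MAC addresses, the OUI entry and the UNP name are constructed sample data; the category names are assumptions.

```python
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS, OPT_END = 0, 53, 55, 60, 255
BOOTP_HEADER_LEN = 236  # fixed fields before the magic cookie in a real DHCP message

# Constructed signature table keyed by the option 55 list (values quoted in the slides).
SIGNATURES = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43): ("Microsoft Windows XP", "Workstation"),
    (1, 3, 6, 15, 119, 78, 79, 95, 252): ("Apple iPhone", "Smartphone"),
}
# Constructed OUI table; 00:d0:95 is the vendor prefix seen in the bridge IDs on this page.
OUI_DB = {"00:d0:95": "Alcatel-Lucent Enterprise"}


def parse_dhcp_options(message):
    """Return {code: value} from the options field (RFC 2132 TLVs after the magic cookie).

    Accepts either a full DHCP message (cookie at offset 236) or just the options field.
    """
    if message.startswith(DHCP_MAGIC_COOKIE):
        i = len(DHCP_MAGIC_COOKIE)
    elif message[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] == DHCP_MAGIC_COOKIE:
        i = BOOTP_HEADER_LEN + 4
    else:
        raise ValueError("not a DHCP message: magic cookie missing")
    options = {}
    while i < len(message):
        code = message[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(message):
            raise ValueError("truncated option header")
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def profile(mac, message):
    """(device, category, method): DHCP fingerprint first, MAC OUI second, else unclassified."""
    options = parse_dhcp_options(message)
    param_list = tuple(options.get(OPT_PARAM_REQ_LIST, b""))
    if param_list in SIGNATURES:
        device, category = SIGNATURES[param_list]
        return (device, category, "dhcp-fingerprint")
    vendor = OUI_DB.get(mac.lower()[:8])
    if vendor:
        return (vendor, "Unknown", "mac-oui")
    return ("Unknown", "Unknown", "unclassified")


class DeviceDb:
    """Known and unknown device databases, plus the admin reclassification step."""

    def __init__(self):
        self.known = {}
        self.unknown = {}

    def observe(self, mac, message):
        result = profile(mac, message)
        table = self.unknown if result[2] == "unclassified" else self.known
        table[mac.lower()] = {"device": result[0], "category": result[1], "method": result[2], "unp": None}
        return result

    def classify(self, mac, unp_name):
        """Admin assigns a UNP to an unidentified device and moves it to the known table."""
        entry = self.unknown.pop(mac.lower())
        entry.update(method="admin", unp=unp_name)
        self.known[mac.lower()] = entry
        return entry


def build_options(msg_type, param_list, vendor_class=None):
    """Constructed DHCP options field (without the 236-byte BOOTP header) for offline tests."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    out += bytes([OPT_MSG_TYPE, 1, msg_type])
    out += bytes([OPT_PARAM_REQ_LIST, len(param_list)]) + bytes(param_list)
    if vendor_class:
        vc = vendor_class.encode("ascii")
        out += bytes([OPT_VENDOR_CLASS, len(vc)]) + vc
    out += bytes([OPT_END])
    return bytes(out)


if __name__ == "__main__":
    db = DeviceDb()
    xp = build_options(1, [1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43], "MSFT 5.0")
    print(db.observe("02:00:00:00:00:01", xp))
    print(db.observe("00:d0:95:00:00:02", build_options(3, [1, 3, 6])))
    print(db.observe("02:00:00:00:00:03", build_options(3, [1, 3, 6])))
    print(db.classify("02:00:00:00:00:03", "unp-iot-sensor"))
```

The parser rejects a message whose option length runs past the end of the packet instead of reading short: a collector that feeds truncated or hand-crafted DHCP into a signature lookup should fail closed and leave the device in the unknown table rather than guess a category.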
OmniSwitch AOS R8

SIP Snooping
OS6860
Lesson summary

At the end of this presentation, you will be able to

◼ Discuss about
⚫ SIP snooping overview
⚫ SIP snooping configuration
Overview
◼ Identify, Mark, Treat and Monitor

◼ Allow the configuration of SIP policy rules

◼ QOS treatments for the media streams / RTP flows being established between
the SIP user agent endpoints.
⚫ Each media stream contains RTP and RTCP flows.
⚫ Marking is done using the DSCP field in IP header.
⚫ Provide user configured QOS treatment for SIP/RTP/RTCP traffic flows based on its
marking.
 QOS treatment will be done by mapping DSCP to queue number and drop precedence

◼ Calculate QOS metric values of delay, jitter, round trip time, R factor and MOS
values of media streams from its corresponding RTCP.
⚫ Raise trap when any of QOS metrics cross user defined threshold.

◼ By default, the SIP packets forwarded by hardware are not subject to any
specific QOS treatment.
⚫ The packets are treated as normal packets and follow the same QOS treatment
according to qos port or policy rules configuration.
Overview
◼ SIP network Components
⚫ Edge switches, aggregation switches and core switches
⚫ SIP Server (registrar, proxy, redirect, gateway)
⚫ SIP Phones (User Agents)

◼ SIP snooping operation
⚫ A SIP ACL triggers the setup of HW with SIP keywords: INVI, UPDA, BYE,…
⚫ Match on keywords copies the packet to CPU: "snooping"
⚫ Once RTP and RTCP ports have been negotiated
 ACL is setup in HW for the 4 flows (2 x RTP, 2 x RTCP)
 RTCP flows are duplicated to CPU for analysis
⚫ When the call ends, HW resources taken for RTP/RTCP are freed up

◼ On the edge switch, QOS treatment is enforced for both ingress and egress media streams

(Figure: SIP Proxy (Call server) behind the Core;SIP signaling and RTP/RTCP flows pass through the Core to Access switches serving Voice, Video and Other traffic)
Identification of SIP packets
◼ SIP packets are identified based on the string value at the beginning of the UDP payload.
⚫ SIP responses always have SIP/2.0 at the beginning.
⚫ SIP requests have their name at the beginning.

◼ SIP packets are identified by doing a lookup at the start of the UDP payload.
⚫ SIP/2.0
⚫ INVITE
⚫ ACK
⚫ PRACK
⚫ UPDATE
⚫ BYE

◼ SIP Snooping supports a 4 byte lookup; only an "INVI" lookup will be done instead of the complete INVITE.
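The 4-byte keyword lookup described above, and the four media flows (2 x RTP, 2 x RTCP) that the snooping operation installs once ports are negotiated, as an added Python example written for this guide (not OmniSwitch code). The lookup table is built from the keyword list on this page; the RTP/RTCP ports are read from the SDP bodies of a constructed INVITE and 200 OK using RFC 5737 documentation addresses. Deriving the RTCP port as RTP port + 1 when no a=rtcp attribute is present follows the RFC 3550 convention and is an assumption of this example, not a statement about the switch.

```python
# Keywords the slides list as identifying SIP traffic at the start of the UDP payload.
SIP_KEYWORDS = ("SIP/2.0", "INVITE", "ACK", "PRACK", "UPDATE", "BYE")
LOOKUP_BYTES = 4


def lookup_key(keyword):
    """4-byte key as a hardware lookup sees it: a request line is '<METHOD> <uri>',
    so short methods such as ACK and BYE carry their trailing space ('ACK ', 'BYE ')."""
    return (keyword + " ")[:LOOKUP_BYTES].encode("ascii")


# b"SIP/" -> "SIP/2.0", b"INVI" -> "INVITE", b"ACK " -> "ACK", b"PRAC" -> "PRACK", ...
LOOKUP_TABLE = {lookup_key(kw): kw for kw in SIP_KEYWORDS}


def classify_sip(udp_payload):
    """Name of the SIP keyword matched by the first 4 bytes, or None for non-SIP payloads."""
    return LOOKUP_TABLE.get(bytes(udp_payload[:LOOKUP_BYTES]))


def parse_sdp_media(sip_message):
    """(ip, rtp_port, rtcp_port) from the SDP body carried after the SIP headers.

    Assumption: without an a=rtcp attribute the RTCP port is RTP port + 1 (RFC 3550 convention).
    """
    _, _, body = sip_message.partition(b"\r\n\r\n")
    ip = rtp = rtcp = None
    for line in body.decode("ascii", "replace").splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            rtp = int(line.split()[1])
        elif line.startswith("a=rtcp:"):
            rtcp = int(line[len("a=rtcp:"):].split()[0])
    if ip is None or rtp is None:
        raise ValueError("SDP body has no audio media description")
    return ip, rtp, rtp + 1 if rtcp is None else rtcp


def media_flows(invite, ok_response):
    """The four flows (2 x RTP, 2 x RTCP) to install once both sides have announced their ports."""
    if classify_sip(invite) != "INVITE" or classify_sip(ok_response) != "SIP/2.0":
        raise ValueError("expected an INVITE and its SIP/2.0 response")
    a_ip, a_rtp, a_rtcp = parse_sdp_media(invite)
    b_ip, b_rtp, b_rtcp = parse_sdp_media(ok_response)
    return [
        ("rtp", a_ip, a_rtp, b_ip, b_rtp),
        ("rtp", b_ip, b_rtp, a_ip, a_rtp),
        ("rtcp", a_ip, a_rtcp, b_ip, b_rtcp),
        ("rtcp", b_ip, b_rtcp, a_ip, a_rtcp),
    ]


# Constructed messages (RFC 5737 documentation addresses), not captured traffic.
INVITE = (b"INVITE sip:bob@198.51.100.20 SIP/2.0\r\n"
          b"Content-Type: application/sdp\r\n\r\n"
          b"v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = (b"SIP/2.0 200 OK\r\n"
          b"Content-Type: application/sdp\r\n\r\n"
          b"v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 3456 RTP/AVP 0\r\na=rtcp:3457\r\n")

if __name__ == "__main__":
    samples = (INVITE, OK_200, b"BYE sip:bob@198.51.100.20 SIP/2.0\r\n", b"REGISTER sip:x SIP/2.0\r\n")
    for payload in samples:
        print(payload[:LOOKUP_BYTES], "->", classify_sip(payload))
    for flow in media_flows(INVITE, OK_200):
        print(flow)
```

Because only the first four bytes are compared, a REGISTER or OPTIONS request is not snooped at all, and a payload starting with "ACKN" does not match the ACK key: the space is part of the key, which keeps the short methods from matching arbitrary text that merely begins with the same letters.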

OmniSwitch AOS Release 8 Network Configuration Guide ---> Chapter: Configuring SIP Snooping
