Switching Training

The document provides an introduction to the NiOS operating system. It discusses: 1) NiOS is an embedded software platform designed for networking devices that is scalable from single CPU systems to large multi-shelf clusters, and supports standard L2-L7 networking functionality. 2) NiOS devices have a modular hardware design that can include shelves, slots, sub-slots, ports, and components like controller cards, switch fabric cards, and power/cooling units. 3) The NiOS CLI provides secure access and features for command completion, help, and automating tasks. Users can view operational data, configure systems, and diagnose issues.

NiOS™ Introduction

CLI and System Administration


Agenda
▪ Introduction to NiOS
▪ Addressing network element components
▪ Getting familiar with NiOS CLI
▪ Basics of System administration
▪ Hands-On session
▪ QA and discussions

NiOS™ : Embedded software platform for networking devices
▪ Designed and developed from the ground up to roll out next-generation Internet Protocol based services in carrier-class environments
▪ Scalable from single-CPU systems to multi-slot, multi-shelf clusters with hundreds of CPUs and network processing units. NiOS can be used from HMS devices to core routers
▪ Based on the proprietary “Xprocess” event delivery architecture, which provides unmatched scalability and performance
▪ Designed to be secure and highly available from the ground up, not added as an afterthought
▪ Built-in standards-based L2 - L7 functionality. Native support for routing, bridging, label switching, QoS, AAA, security and management
▪ Scalable in terms of features, ports and speed – full Internet routing table, 10G Ethernet, thousands of ports per rack
▪ Virtualization support for developing and testing new features, facilitating hardware/software co-development
NiOS™ Platform classification
• Monolithic systems – typically a 1U or 2U system, with hot-swappable or fixed-configuration sub-slots.
• Multi-slot chassis based systems – contain controller card, slot cards, switch fabric and cooling unit (all hot swappable and field replaceable)
Components of Device
• Shelf
• Slot
• Sub-Slot
• Port
• Logical Port
• Controller Card
• Active Controller Card
• Switch Fabric Card
• Power Supply
• Cooling Unit
Naming and Addressing convention
▪ Shelf – rectangular cabin-like structure with slots and guides to accommodate slot cards
  ▪ Identified by shelf identifier - shelf-1 to shelf-31
▪ Slot card
  ▪ Hosts the payload logic that provides the required functions
  ▪ May be active or passive (based on whether it has processing logic)
  ▪ May or may not have addressable components (e.g. physical ports)
  ▪ Identified by slot identifier - slot-1 to slot-32
▪ Sub-Slot card
  ▪ Fits into other slot cards
  ▪ Usually added to increase port density or to add capabilities
  ▪ Identified by sub-slot identifier - sub-slot-1 to sub-slot-8 and base-slot
Naming and Addressing convention
▪ Physical port
  ▪ Physical termination point for electrical or optical signals
  ▪ E.g. fast-ethernet, gigabit-ethernet, ADSL, SONET, WLAN
  ▪ Identified by port identifier - port-1 to port-512
Naming and Addressing convention
❑ Logical port
  ❑ Some ports can be logically divided into multiple ports – used as separate communication channels
  ❑ E.g. DS0 channels in a T1 line
  ❑ Identified by logical port identifier - logical-port-1 to logical-port-32 and base-port
❑ Power modules - special slot card to support power supply (one or many such cards)
  ❑ Typically both AC and DC power supplies are supported
❑ Cooling units – special slot card for cooling the system (one or many such cards)

• Examples:
  • Sub-Slot : { shelf-1 { slot-1 base-slot } }
  • Logical-Port : { shelf-1 { slot-1 base-slot } { port-1 base-port } }
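As an added example (not code from the deck or from Nivetti), a parser that validates component locations written in the notation above. The identifier ranges are the slides'; the grammar is inferred from the deck's examples, and the 'active-controller' slot alias is taken from the deck's later CLI transcripts.

```python
"""Parse and validate NiOS-style component locations such as
   { shelf-1 { slot-1 base-slot } { port-1 base-port } }

Grammar assumed from the deck's examples:
  location := '{' shelf '{' slot sub-slot '}' [ port | '{' port logical-port '}' ] '}'
Identifier ranges (from the slides): shelf-1..31, slot-1..32, sub-slot-1..8 or base-slot,
port-1..512, logical-port-1..32 or base-port; 'active-controller' may stand in for a slot.
"""
import re

RANGES = {
    "shelf": (1, 31),
    "slot": (1, 32),
    "sub-slot": (1, 8),
    "port": (1, 512),
    "logical-port": (1, 32),
}
# Keywords accepted in place of a numbered identifier.
ALIASES = {
    "slot": {"active-controller"},
    "sub-slot": {"base-slot"},
    "logical-port": {"base-port"},
}


class LocationError(ValueError):
    pass


def _ident(token, kind):
    """Validate one identifier ('slot-7', 'base-slot', ...) and return its index or alias."""
    if token in ALIASES.get(kind, set()):
        return token
    m = re.fullmatch(rf"{kind}-(\d+)", token)
    if not m:
        raise LocationError(f"expected {kind} identifier, got {token!r}")
    n = int(m.group(1))
    lo, hi = RANGES[kind]
    if not lo <= n <= hi:
        raise LocationError(f"{kind} index {n} outside {lo}..{hi}")
    return n


def parse_location(text):
    """Return a dict with the components present; raise LocationError on malformed input."""
    toks = text.replace("{", " { ").replace("}", " } ").split()
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(toks):
            raise LocationError("unexpected end of location")
        tok = toks[pos]
        pos += 1
        if expected is not None and tok != expected:
            raise LocationError(f"expected {expected!r}, got {tok!r}")
        return tok

    take("{")
    loc = {"shelf": _ident(take(), "shelf")}
    take("{")
    loc["slot"] = _ident(take(), "slot")
    loc["sub-slot"] = _ident(take(), "sub-slot")
    take("}")
    tok = take()
    if tok == "{":                       # logical port: { port-N logical-port-M }
        loc["port"] = _ident(take(), "port")
        loc["logical-port"] = _ident(take(), "logical-port")
        take("}")
        take("}")
    elif tok != "}":                     # bare physical port
        loc["port"] = _ident(tok, "port")
        take("}")
    if pos != len(toks):
        raise LocationError("trailing tokens after location")
    return loc
```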
Slot card types – Hardware Components
▪ Controller Card
  ▪ Special slot card to manage all the other slot cards in the shelf
  ▪ May be field replaceable on certain platforms
  ▪ More than one controller may exist - Active Controller and Stand-by Controller
  ▪ If there is only one controller, then it is always the Active Controller
▪ Switch fabric card – special interconnect card that hosts hardware to enable inter-slot communication
  ▪ May be a separate card or may be combined with the controller card
▪ Line interface cards (with physical ports) and processing cards (e.g. cards for deep-packet inspection, routing-engine card)
NiOS™ CLI
CLI Features
▪ Designed for human-system interaction
▪ Secure, highly intuitive, self-learnable
▪ Built-in access control mechanisms
▪ Detailed context-sensitive help
▪ Highly customizable and automation friendly
▪ Built-in support for command completion, banners and pagination
Power On a Nivetti Switch
• A factory default configuration is available in each NSP device so that an administrator can log in when the system is booted for the first time.
• The following parameter-groups are created:
  • A cli-user parameter group for user-id 'admin' with password 'admin'
  • A cli-user-group parameter group for group name 'admin' with all access permissions.
• After logging in to the system with the 'admin' user and password 'admin', the user will be prompted to change the password.
CLI Access Features
- Console, SSH, telnet
- Simultaneous access by multiple users – same or different user-id
- Maximum 16 CLI sessions; configurable maximum session limit per user

Console access to the NSP device can be obtained via the console port using an RJ45 to DB9 serial port adapter. A user can access the device using the command line interface (CLI) with the following console port settings, which are part of the factory default configuration:
Speed: 115200 bps
Data bits: 8
Stop bit: 1
Parity: none
Flow control: hardware
Command Usage
CLI Modes
➢ Operational - least privileged mode
  ▪ Default mode presented on login – available to all CLI users
  ▪ Commands and functionalities to collect and monitor operational information
➢ Configuration mode
  ▪ View
  ▪ Can create new configurations, make changes in configuration and delete configurations
➢ Diagnose – privileged mode
  ▪ To diagnose various modules in the system and collect debug information
  ▪ Reserved for use by technical support and engineering staff
Parameters

Parameter - A configurable attribute of a system running NiOS.

Parameter-group – A group of related parameters that define the entire behavior, or part of the behavior, of a resource/object in the NiOS environment.

Global parameter-group - This type of parameter-group applies to the entire system. There will be only one instance of a global configuration type. Global configurations don’t have an index, as there will be only one instance. Configurations of global types cannot be created or deleted by the user; the user can only modify them. The system creates the required global configurations at startup. A parameter-group representing a global configuration is known as a global parameter-group.

Indexed parameter-group - Indexed configurations apply to a particular instance of a resource. There can be more than one instance of an indexed configuration type. Indexed configurations can be created and deleted by the user. The system also creates certain types of indexed configurations at startup automatically. A parameter-group representing an indexed configuration is known as an indexed parameter-group.

Nested-parameter-group - NiOS supports parameters of different types – Numeric, String, IP address, Byte stream and Enumerations. Each parameter can be a scalar or a list. A scalar parameter can take only one value, whereas a list parameter can take multiple values. The values of a list parameter can be addressed either by their position or by key.

List Parameter - A list parameter is manipulated with the help of the “add” and “remove” commands. The “add” command adds a value to the list and the “remove” command removes a value from the list. The “add” command is also overloaded to provide help for every list parameter loaded into the draft buffer. When no position is supplied to the “add” command, entries are added to the tail of the list. When no option is supplied to the “remove” command, the first entry matching the key description is removed.

Tip: “add” and “remove” commands can also take a hierarchy of parameters
Supported parameter-group types
Overview of system configuration
Creating parameter-group instance
▪ Only indexed parameter-group instances can be created
▪ Use “create” command to initialize draft buffer
▪ Edit parameter values
▪ “save” the parameter-group instance
  ▪ Parameter values are validated
  ▪ Confirmation prompt for overwriting

Ex –

configure> create parameter-group console user-group-id

Modifying parameter-group
▪ Both global and indexed parameter-groups can be modified
▪ Use “modify” command to initialize draft buffer
▪ Edit parameter values
▪ “save” the parameter-group instance
  ▪ Parameter values are validated
  ▪ Confirmation prompt for overwriting

Ex –

configure> modify parameter-group bridge system

Deleting parameter-group instance
▪ Only indexed parameter-group instances can be deleted
▪ Use “delete” command to permanently remove the instance from non-volatile storage
  ▪ Confirmation prompt
Draft buffer - viewing and navigation
▪ Use “show draft” command to view the parameters and their values
▪ Use “clear draft” command to clear the contents
▪ Use “enter” and “leave” commands to navigate through the nested-parameter-group hierarchy

configure> show draft -e

Assign value to scalar parameters
▪ Use “set” command to assign a value
▪ Use “set <parameter> ?” to view the help message for the parameter
▪ Use “default” command to restore a parameter to its factory default value
▪ Assign all parameters in a nested-parameter-group using a complex value with the “set” command (skip associating a HSR)
  ▪ set location { shelf-1 { active-controller base-slot } port-1 }
▪ Assign a parameter deep inside multiple levels of nested-parameter-groups using the “set” command
  ▪ set location slot sub-slot base-slot
Assign values to list parameter
▪ Use “add” command to add a value to the parameter
▪ Use “add <parameter> ?” to view the help message for the parameter
▪ Use “remove” command to remove a value from the parameter
▪ A new value can be added before or after an existing value
▪ A new value can be added at a desired position (offset) in the list
Archiving and retrieving configuration
▪ For system downgrade or any system replacement activity
  ▪ Archive the configuration using “archive configuration” command to either the local file system or a remote host with scp, ftp or tftp.
  ▪ Perform the maintenance activity
  ▪ Retrieve the configuration using “retrieve configuration” command
▪ It is possible to archive all instances of a parameter-group or even a specific instance of a parameter-group
▪ Even default parameter values can be archived
Clearing configuration
▪ For downgrading to an older software release
▪ Use “clear system configuration” command to clear the configuration and reboot the system
  ▪ Clears all configuration in the system. Inventory information like serial number and license information is not affected by this command.
▪ It is possible to reinitialize the system configuration from a configuration file stored in the local file system (using archive command)
System Administration
Setting up console port for CLI access
▪ Factory default configuration available
  ▪ For console port on active-controller – 115200 bps, no parity, hardware flow-control
  ▪ Configuration for user with user-id “admin” and password “admin”. This user-id has the authorization required to edit configuration.
▪ Modify “console” parameter-group to suit your operational requirements
▪ Create as many user-ids (CLI-USER parameter-groups) as required with appropriate authorizations

Setting system name, location and contact
▪ Modify “system” parameter-group to set any of the below parameters as required:
  ▪ Name of the system
  ▪ Location of the system – physical location information, e.g. postal address or rack number
  ▪ Contact information of the personnel in charge, e.g. administrator’s phone number

operational> configure
configure> modify parameter-group system
configure> set name nspm
configure> set contact demo
configure> set location address bangalore
configure> save
Set system time and date
▪ All NiOS systems are equipped with a battery-backed real-time clock
  ▪ Provides accurate and uninterrupted calendar time to various services within the system
▪ Use “set time” command to set time and date in operational mode
▪ Use “show time” command to view current time and date in operational mode
▪ To set the time-zone modify “system” parameter-group
  ▪ Standard time-zones are supported
  ▪ Custom time-zone can also be configured
▪ System time can also be derived from NTP servers
Remote Management

Remote management allows the NSP device to be managed from a remote location. An administrator can access the device remotely through SSH or TELNET.
Management Interface
The management interface allows users to connect to the network device using a dedicated gigabit-ethernet port reserved for management traffic, providing out-of-band management. An administrator can access the device through the management ethernet interface using utilities like SSH or TELNET. Port-25 is the default management port. The factory default setting creates a network interface with IP address 192.168.1.1/24 over this port.

The administrator can change the IP address of the management port as follows:

configure> modify parameter-group interface management
Info: Parameter group instance loaded for modification.
configure> set ip ipv4 address 10.0.0.150/24
configure> save
Info: Parameter group interface "management" saved
configure> exit

operational> show interface management details
SSH (Secure Socket Shell)
SSH is a network protocol that lets administrators access remote devices, such as computers and other networking devices, in a secure way.

In the factory default configuration of the system, SSHv2 is enabled with authentication method 'password' in the router parameter group.
The administrator can disable the SSH service:

operational> configure
Entering configuration mode with exclusive access.
configure> modify parameter-group router system
Info: Parameter group instance loaded for modification.
configure> enter access ssh-server
configure> set enable no
configure> save

operational> show router details system - to verify.


Telnet

Telnet is also an application to access network devices remotely.

By default, telnet is disabled on Nivetti devices. Telnet works on TCP port 23.

Enabling Telnet on Nivetti devices

configure> modify parameter-group router system
configure> set access telnet-server enable yes
configure> save
Warning: Telnet is an insecure protocol and could lead to eavesdropping of
packets on the network. Do you want to proceed ? (y/N) y
Info: Parameter group router "system" saved
configure> exit
operational> show router details system - to verify
Configuring syslog
▪ Modify “syslog” parameter-group to enable syslog functionality and set the address of the server
▪ Multiple syslog servers can be configured
▪ Messages forwarded to servers can be filtered
▪ The most recent syslog messages are cached within the system. The cache can be viewed using “show syslog cache” command.
  ▪ The maximum size of this cache is configurable

File and network operations
▪ file-read and file-write authorization levels control access to the local file system
  ▪ Commands are supported to create and delete directories or set the current working directory
  ▪ File operations like copy, move and delete are supported by corresponding commands
▪ Network operations like scp, ftp and tftp are supported by corresponding commands
  ▪ network authorization is required to use these commands
  ▪ These commands are useful to load software images from external hosts or transfer files
Software release
▪ Use “show version” to view the current software image information
▪ Software release – identified by release type and version number
  ▪ General Availability (GA) release
  ▪ Engineering release
▪ Release version is encoded as <major-number>.<minor-number>[.<release-type>.<revision-number>]
  ▪ E.g. 4.0 – GA release
  ▪ 4.3.e15 – Engineering release over a maintenance release
Managing software images
▪ Every slot card type uses a specific software image for its operation
▪ To load an image, copy it into the “/images/image/” directory using network operations like scp, ftp or tftp
▪ Multiple images can co-exist
▪ To view available images use “show image summary” and “show image details” commands
▪ The current image that is qualified for use by the system is called the “Active” image. It is always the valid image that was most recently modified.
▪ To change the current active image use “set image” command
▪ If the active image for a slot-type is deleted, then the system chooses the next most recently modified valid image as the active image.
Management access using SSH
▪ Secure Shell (SSH) is the preferred mode of access for NiOS CLI over the network
▪ Parameters like allowed SSH versions and allowed maximum login attempts are configurable
▪ Both password and public-key authentication are supported
▪ To configure SSH:
  ▪ In “network-access” parameter-group add the SSH versions to be allowed
  ▪ In the router through which SSH access is to be allowed, enable “ssh-server” parameter in “access” nested-parameter-group
Adding a CLI User
• Each CLI user is assigned to a user-group. Authorization levels are assigned to the user-group.
• Create an instance of “cli-user-group” parameter-group and add the authorization levels required for this group. If the required group already exists, this step can be skipped. Save the parameter-group instance.
• Create an instance of “cli-user” parameter-group with appropriate user-id and password. Set the group-id of this user to the appropriate “cli-user-group” id.
  • Set any other required details like name of the user and contact details
  • Set the CLI prompt, banner, syslog and pagination parameters for this user, as required
• Save the parameter-group instance

CLI Login Security
The CLI login security feature covers the security policy for user authentication when accessing the device via the command line interface.

Role Based Access Control

Role based access control is an approach to restrict system access to authorized users. It assigns different levels of administrative access to different users. In NSP device administration, users are created using the cli-user parameter group. Each user is assigned an authorization-level through the cli-user-group parameter group, which determines the access levels for the user. The following access levels can be assigned to a user.
Access Levels and their descriptions
• View-configuration : Allows the user to only view the configuration.
• Modify-configuration : Allows access to view or modify the configuration.
• Diagnose : Allows access to diagnose mode for debugging purposes.
• System-control : Allows system level control and shell access.
• File-read : Allows read access to the file system.
• File-write : Allows read/write access to the file system.
• User-management : Allows management of CLI, XMP and SNMP user accounts.
• All : All authorization levels are allowed.

For example - configuration of cli-user and cli-user-group parameter-groups for an 'operator' user with access to view and modify the configuration:

First create parameter-group cli-user

configure> create parameter-group cli-user
configure> set user-id operator
configure> set password operator@123
configure> set group-id operator
configure> set name operator
configure> save

Then create parameter-group cli-user-group

configure> create parameter-group cli-user-group
configure> set group-id operator
configure> add authorization-levels view-configuration
configure> add authorization-levels modify-configuration
configure> save
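As an added example (not Nivetti code), a model of the cli-user / cli-user-group authorization described above, using the deck's level names and the implications its descriptions state (modify-configuration includes viewing, file-write includes reading, 'all' grants everything). Which level each CLI mode or action requires is an assumption made for this example; the 'network' level comes from the file and network operations slide.

```python
"""Authorization model for NiOS CLI users: cli-user -> cli-user-group -> authorization-levels.

Level names are the deck's. Implications follow the deck's level descriptions.
MODE_REQUIRES is an assumption for this example, not a documented NiOS rule.
"""

LEVELS = {
    "view-configuration", "modify-configuration", "diagnose", "system-control",
    "file-read", "file-write", "user-management", "network",
}
# "Modify-configuration: allows access to view or modify"; "File-write: read/write access".
IMPLIES = {"modify-configuration": {"view-configuration"}, "file-write": {"file-read"}}
# Assumed mapping of CLI modes/actions to the level they need (None = open to every user).
MODE_REQUIRES = {
    "operational": None,
    "configure": "view-configuration",
    "save": "modify-configuration",
    "diagnose": "diagnose",
}


class CliAuthz:
    def __init__(self):
        self.groups = {}   # group-id -> set of configured authorization-levels
        self.users = {}    # user-id -> group-id

    def create_user_group(self, group_id, levels):
        """'add authorization-levels' validates each name, so unknown levels are rejected."""
        unknown = set(levels) - LEVELS - {"all"}
        if unknown:
            raise ValueError(f"unknown authorization level(s): {sorted(unknown)}")
        self.groups[group_id] = set(levels)

    def create_user(self, user_id, group_id):
        # The slide creates the cli-user before its cli-user-group, so only the reference is stored.
        self.users[user_id] = group_id

    def effective_levels(self, user_id):
        """Levels the user really holds; a user whose group does not exist holds none."""
        group = self.groups.get(self.users.get(user_id))
        if group is None:
            return set()
        if "all" in group:
            return set(LEVELS)
        levels = set(group)
        for lvl in group:
            levels |= IMPLIES.get(lvl, set())
        return levels

    def authorized(self, user_id, level):
        return level in self.effective_levels(user_id)

    def mode_allowed(self, user_id, mode):
        required = MODE_REQUIRES[mode]
        return required is None or self.authorized(user_id, required)


def deck_example():
    """The factory 'admin' account plus the 'operator' user configured on this slide."""
    authz = CliAuthz()
    authz.create_user_group("admin", ["all"])
    authz.create_user("admin", "admin")
    authz.create_user("operator", "operator")          # cli-user first, as on the slide
    authz.create_user_group("operator", ["view-configuration", "modify-configuration"])
    return authz
```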
Rebooting and controlling power-up state
▪ Use “system reboot” command to reboot the entire system including all the slot-cards
▪ Use “system slot-card reboot” command to reboot a specific slot-card
▪ Controlling power-up state of slot cards
  ▪ Use “power-on” parameter in “slot-card” parameter-group

Monitoring NiOS™ network element
▪ To view inventory information use “show shelf summary” and “show shelf details” commands
▪ To view slot-card information use “show slot-card summary” and “show slot-card details” commands
▪ To view resource usage use “show resource usage” command
▪ Alarms and notifications
  ▪ Use “show alarm summary” to view any active alarms
Monitoring slot card status using Status LEDs
▪ Available on the face-plate of every Field Replaceable Unit (FRU)
▪ Blue LED
  ▪ Aids in hot-swapping the FRU
  ▪ When it is ON the card is operational and should not be swapped
  ▪ Pull out the ejectors and wait for this LED to turn OFF before completing removal
▪ Amber LED
  ▪ Indicates the working status of the payload
  ▪ When it is ON the payload has problems and requires attention
▪ Additional LEDs – FRU specific
Switching

Some points on switches -

▪ A switch is a network device that works on Layer 2 of the OSI model. Nowadays, Layer 3 features are also added to switches, and these switches are known as L2/L3 switches.
▪ A switch has a single broadcast domain and multiple collision domains.
▪ A switch uses the CSMA/CD mechanism to avoid and detect collisions in the network.
▪ A switch creates and maintains a MAC table, and on the basis of this MAC table the switch forwards communication between hosts.
▪ MAC address - a 48-bit address written in hexadecimal digits.
  ▪ The hexadecimal digits range from 0 to 9 and A to F; each 4-bit digit is called a nibble.
  ▪ Usually a MAC address is represented as pairs of nibbles, and there are 6 such pairs in a MAC address.
  ▪ Example of a MAC address - 2e-ac-4d-0b-11-7e
  ▪ FF-FF-FF-FF-FF-FF is known as the broadcast MAC address.
Some Basic Commands on Nivetti Switches
operational> show interface all
operational> show interface details
operational> show resource usage
operational> show gigabit-ethernet summary
MAC – Related Configuration Options
In NiOS, MAC related options are configured in the bridge parameter group and the interface parameter group, and the MAC address forwarding table can be cleared based on bridge-name, vlan-id, interface and mac address.

MAC Options in Bridge Parameter-group

Steps to configure:
1. Enter configure mode.
2. Modify parameter group bridge system
3. Set address-learning <enable/disable>.
4. Set address-expiry-interval [ 0 - 4294967295 ]
5. Set address-spoof-check <enable/disable>
6. Set unknown-destination-flooding <enable/disable>
7. Set forwarding-table-size <1 - 16000>
8. Set notify-mac-address-events <no/yes>
9. Save the configuration.

To verify:

operational> show bridge details system
operational> show bridge forwarding-table summary system

MAC Options in Interface Parameter-group

configure> modify parameter-group interface ge-01
configure> set bridging address-learning-limit [1 – 16000 ]
configure> save

operational> show interface details ge-01

Clear MAC Address Table

In Diagnose Mode –

diagnose> clear bridge forwarding-table system

operational> show bridge forwarding-table summary system

No matching entries found.
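As an added example (not Nivetti code), a learning-bridge simulation that applies the bridge and interface MAC options listed above to a sequence of frames, so the effect of each option on the forwarding table can be observed. The semantics of address-spoof-check (drop a frame whose source MAC is already learned on another interface and log an event) and of an expiry interval of 0 (never expire) are assumptions for this example; interface names, MAC addresses and timestamps are constructed.

```python
"""Learning bridge with the slide's MAC options: address-learning, address-expiry-interval,
address-spoof-check, unknown-destination-flooding, forwarding-table-size and the
per-interface bridging address-learning-limit. The event list stands in for what
notify-mac-address-events would report.
"""
BROADCAST = "ff-ff-ff-ff-ff-ff"


class Bridge:
    def __init__(self, interfaces, address_learning=True, address_expiry_interval=300,
                 address_spoof_check=False, unknown_destination_flooding=True,
                 forwarding_table_size=16000):
        if not 1 <= forwarding_table_size <= 16000:
            raise ValueError("forwarding-table-size must be 1..16000")
        self.interfaces = list(interfaces)
        self.address_learning = address_learning
        self.address_expiry_interval = address_expiry_interval   # seconds; 0 assumed = never
        self.address_spoof_check = address_spoof_check
        self.unknown_destination_flooding = unknown_destination_flooding
        self.forwarding_table_size = forwarding_table_size
        self.learning_limit = {}   # interface -> address-learning-limit
        self.table = {}            # mac -> [interface, last_seen]
        self.events = []           # (event, mac, ...) tuples

    def set_address_learning_limit(self, iface, limit):
        if not 1 <= limit <= 16000:
            raise ValueError("address-learning-limit must be 1..16000")
        self.learning_limit[iface] = limit

    def _expire(self, now):
        """Age out entries not refreshed within address-expiry-interval."""
        if self.address_expiry_interval == 0:
            return
        for mac in [m for m, (_, seen) in self.table.items()
                    if now - seen >= self.address_expiry_interval]:
            del self.table[mac]
            self.events.append(("expired", mac))

    def _learn(self, src, in_iface, now):
        """Update the table from the source MAC; return False if the frame must be dropped."""
        if not self.address_learning:
            return True
        entry = self.table.get(src)
        if entry is not None:
            if entry[0] != in_iface and self.address_spoof_check:
                self.events.append(("spoof", src, entry[0], in_iface))   # assumed semantics
                return False
            entry[0], entry[1] = in_iface, now      # refresh, or follow a station move
            return True
        learned_here = sum(1 for iface, _ in self.table.values() if iface == in_iface)
        limit = self.learning_limit.get(in_iface)
        if limit is not None and learned_here >= limit:
            self.events.append(("learning-limit", src, in_iface))   # forwarded, not learned
            return True
        if len(self.table) >= self.forwarding_table_size:
            self.events.append(("table-full", src, in_iface))
            return True
        self.table[src] = [in_iface, now]
        self.events.append(("learned", src, in_iface))
        return True

    def forward(self, src, dst, in_iface, now):
        """Return the egress interfaces for a frame (empty list when dropped or filtered)."""
        src, dst = src.lower(), dst.lower()
        self._expire(now)
        if not self._learn(src, in_iface, now):
            return []
        others = [i for i in self.interfaces if i != in_iface]
        if dst == BROADCAST:
            return others
        entry = self.table.get(dst)
        if entry is not None:
            return [] if entry[0] == in_iface else [entry[0]]   # same-port traffic is filtered
        return others if self.unknown_destination_flooding else []
```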


VLAN – (Virtual Local Area Network)

• A logical segmentation of a LAN.
• When we create VLANs, we have to give every VLAN an ID, called the VLAN-ID, which is a numeric value. We can also give every VLAN a name for our reference.
• A total of 4096 VLANs can be created in a LAN.
• A switch has a single broadcast domain.
• Creating VLANs breaks up the switch’s broadcast domain and hence network performance is enhanced.
• Members of one VLAN cannot communicate with members of other VLANs.
How to Create VLANs

Steps to configure:
1. Enter configure mode.
2. Modify the interface parameter group instance.
3. Set the name <new-name>.
4. Set the ethernet vlan enable parameter to ‘yes’.
5. Set the ethernet vlan tag parameter to <vlan-id>.
6. Save the configuration.
7. Exit configure mode.
How to create vlans
=====================

configure> create parameter-group bridge vlan-10
configure> set enable yes
configure> save
configure> create parameter-group bridge vlan-20
configure> set enable yes
configure> save
configure> create parameter-group bridge vlan-30
configure> set enable yes
configure> save

Similarly, we can create multiple VLANs.

To verify VLANs –

operational> show bridge vlan details -a system
operational> show bridge vlan details system 10
operational> show bridge vlan summary system

Configuration on SW1

1. Modify the L2 interface parameter group of port-1

configure> modify parameter-group interface ge-01
configure> set name ge-01-vlan10
configure> set ethernet vlan enable yes
configure> set ethernet vlan tag 10
configure> save

2. Modify the L2 interface parameter group of port-2

configure> modify parameter-group interface ge-02
Info: Parameter group instance loaded for modification.
configure> set name ge-02-vlan20
configure> set ethernet vlan enable yes
configure> set ethernet vlan tag 20
configure> save

configure> show draft -e

Verify the VLAN configuration -

operational> show interface details ge-01-vlan10

> Interface : ge-01-vlan10
General Information
-------------------
ID : 386
Encapsulation : ethernet
MTU : 1500
Base port type : gigabit-ethernet
Base port location : { shelf-1 { active-controller base-slot } port-1 }
State Information
-----------------
State : up
Last state transition : 16:20:14, Tuesday, December 24, 2019 IST
Work flags : -- -- ----- -----
Ethernet information
--------------------
VLAN tagging : enabled
VLAN ID : 10
Bridging information
--------------------
Bridge : system
Trunk Port

For a user in VLAN-10 on Switch-1 to talk to a user in the same VLAN-10 on another switch, the uplink port Gig-3 has to be configured as a trunk port.
How to configure an uplink as a trunk port on Nivetti switches -
On Switch-1
configure> modify parameter-group interface ge-03
configure> set name ge-03-vlan10
configure> set ethernet vlan enable yes
configure> set ethernet vlan tag 10
configure> save

configure> modify parameter-group interface ge-03
configure> set name ge-03-vlan20
configure> set ethernet vlan enable yes
configure> set ethernet vlan tag 20
configure> save

Verify trunk port configuration

operational> show interface details ge-03-vlan10 ge-03-vlan20
Default VLAN
The default VLAN is the VLAN whose member ports’ packets are not tagged. So by default, if a port is not a member of any VLAN, its packets are untagged packets.

configure> modify parameter-group gigabit-ethernet { shelf-1 { active-controller base-slot } port-1 }
configure> set default-vlan enable yes
configure> set default-vlan tag 10
configure> save
configure> modify parameter-group gigabit-ethernet { shelf-1 { active-controller base-slot } port-2 }
configure> set default-vlan enable yes
configure> set default-vlan tag 10
configure> save

A trunk port supports both tagged and untagged packets.
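As an added example (not Nivetti code), ingress VLAN classification for the port setups on the preceding slides: a port's "ethernet vlan tag" sub-interfaces accept frames carrying that 802.1Q tag, the gigabit-ethernet default-vlan assigns untagged frames to a VLAN, and a trunk port has both. The frame parser, the PortVlanConfig class and the sample frames are constructed for this example; the treatment of VID 0 (priority tag, handled as untagged) and VID 4095 (reserved, dropped) follows IEEE 802.1Q.

```python
"""Classify Ethernet frames arriving on a port into a VLAN, using the port's
tagged sub-interfaces and default-vlan setting from the slides."""
import struct

TPID_8021Q = 0x8100


def mac_bytes(mac):
    """'2e-ac-4d-0b-11-7e' or '2e:ac:4d:0b:11:7e' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return raw


class PortVlanConfig:
    def __init__(self, name, tagged_vlans=(), default_vlan_enable=False, default_vlan_tag=None):
        to_check = list(tagged_vlans) + ([default_vlan_tag] if default_vlan_enable else [])
        for vid in to_check:
            if not 1 <= vid <= 4094:            # VID 0 and 4095 are reserved by 802.1Q
                raise ValueError(f"VLAN tag {vid} outside 1..4094")
        self.name = name
        self.tagged_vlans = set(tagged_vlans)   # 'ethernet vlan tag' sub-interfaces on this port
        self.default_vlan_enable = default_vlan_enable
        self.default_vlan_tag = default_vlan_tag


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Construct an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid or None, ethertype, payload); vid is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return dst, src, vid, ethertype, frame[offset:]


def classify_ingress(port, frame):
    """Return (vlan-id, 'tagged'|'untagged') for an accepted frame, or None if the port drops it."""
    _, _, vid, _, _ = parse_frame(frame)
    if vid not in (None, 0):                    # VID 0 is a priority tag: treat as untagged
        if vid == 4095 or vid not in port.tagged_vlans:
            return None
        return vid, "tagged"
    if port.default_vlan_enable:
        return port.default_vlan_tag, "untagged"
    return None
```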


MVRP – Multiple VLAN Registration Protocol
Multiple VLAN Registration Protocol (MVRP) is a Layer 2 messaging protocol defined in IEEE 802.1Q. It manages the addition, deletion and renaming of active VLANs and automates the administration of VLAN membership within the network without manual intervention. MVRP allows the propagation of VLAN information from device to device.

With MVRP, an access switch can be manually configured with all the desired VLANs for the network, and all other MVRP-enabled switches on the network learn those VLANs dynamically.

The network administrator does not have to manually configure the VLANs in each of the devices in the topology.

When the VLAN configuration on a switch is changed, MVRP automatically changes the VLAN configuration in the required switches.
How to Configure MVRP on Nivetti Switches

In the above network, MVRP can be configured as follows –

On Switch-1
- Enable MVRP in the bridge parameter group, and then
- Enable MVRP in the port parameter group of uplink port-2

On Switch-2
- Enable MVRP in the bridge parameter group, and then
- Enable MVRP in the port parameter group of uplink port-1
Configuration example of MVRP on the above topology
Configuration of Switch-1:

1. Enabling MVRP in bridge parameter group

operational> configure
configure> modify parameter-group bridge system
configure> set mvrp enable yes
configure> save

2. Enabling MVRP in port parameter group

operational> configure
configure> modify parameter-group gigabit-ethernet { shelf-1 { active-controller base-slot } port-2 }
configure> set mvrp enable yes
configure> save

Similarly, the second switch has to be configured.

Inter VLAN Routing (IVR)
IVR is the process of forwarding network traffic from one VLAN to another VLAN using a Layer 3 switch.

Inter-VLAN routing is enabled by configuring an Integrated-vlan interface parameter group instance.
In the above diagram, Host-1 is in VLAN 10 and Host-2 is in VLAN-20. By default, they can’t communicate with each other.

For them to communicate with each other, Inter VLAN Routing has to be configured.

Steps to configure:
1. Enter configure mode.
2. Create a L3 VLAN interface/IVI for VLAN-10.
3. Save the configuration.
4. Create a L3 VLAN interface/IVI for VLAN-20.
5. Save the configuration.
6. Modify L2 interface for port-1 to add a vlan-10 interface to that port.
7. Save the configuration.
8. Modify L2 interface for port-2 to add a vlan-20 interface to that port.
9. Save the configuration.
10. Modify gigabit ethernet port-1 parameter group.
11. Set the default-vlan parameter to ‘yes’.
12. Set the default-vlan tag parameter to ‘10’.
13. Save the configuration.
14. Modify gigabit ethernet port-2 parameter group.
15. Set the default-vlan parameter to ‘yes’.
16. Set the default-vlan tag parameter to ‘20’.
17. Save the configuration.
18. Exit configure mode.

1. Create a L3 VLAN interface/IVI for VLAN-10
configure> create parameter-group interface vlan-10
configure> set enable yes
configure> set base virtual-port-address type integrated-vlan
configure> set integrated-vlan bridge system
configure> set integrated-vlan vlan enable yes
configure> set integrated-vlan vlan tag 10
configure> set ip router system
configure> set ip ipv4 enable yes
configure> set ip ipv4 address 1.1.1.1/24
configure> save

2. Create a L3 VLAN interface/IVI for VLAN-20
configure> create parameter-group interface vlan-20
configure> set enable yes
configure> set base virtual-port-address type integrated-vlan
configure> set integrated-vlan bridge system
configure> set integrated-vlan vlan enable yes
configure> set integrated-vlan vlan tag 20
configure> set ip router system
configure> set ip ipv4 enable yes
configure> set ip ipv4 address 2.2.2.2/24
configure> save
Spanning Tree Protocol (STP)
• STP is a loop avoidance mechanism in a Local Area Network. Whenever there is
more than one path from source to destination in a LAN, the broadcast behaviour of
switches makes a loop possible. The STP protocol was developed to avoid such loops.
BPDU – Bridge Protocol Data Unit

BPDUs are a switch's hello packets. They carry information about that switch, such as
the switch's MAC address, BID value, Bridge Priority value, Hello Interval and Dead
Interval, and the Root Bridge.

Because of the switch's broadcast property, each switch's BPDU propagates to all connected
switches in the network, so every switch's information reaches every other switch. On the basis
of this information, the best switch is selected, and it is called the Root Bridge.
Root Bridge

• The switch having the lowest BID is declared the Root Bridge.

• BID consists of Bridge Priority + MAC address.

• By default, Bridge Priority is 32768. It is a configurable value and varies from 0 to 65534.

• Bridge Priority can be changed in steps of 4096.

• The switch having the lowest Bridge Priority will become the Root Bridge.

• But by default every switch's Bridge Priority is the same, hence Root Bridge selection
is based on MAC address. The lower MAC address is preferred.

• We can manually configure any switch as the Root Bridge by lowering its priority.
Root Port
• After selection of the Root Bridge, every switch sends its data towards the Root Bridge, and
the Root Bridge forwards the data to the destination.
• Since a switch may have multiple uplink ports towards the Root Bridge, the best uplink port
is selected to send data to the Root Bridge, and that port is called the Root Port. All other
uplink ports are known as non-root ports.
• The port having the lowest Port ID becomes the Root Port.
• Port ID consists of two factors – Port Priority and port number.
• By default, every port has a priority value of 128, so this factor ties and
Root Port selection is then based on port number.
• The port having the lowest port number becomes the Root Port. We can manipulate Root
Port selection by lowering the priority value: the port with the lower priority value becomes
the Root Port.
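The two elections described in the Root Bridge and Root Port sections above, worked through in Python as an added example (not NiOS code and not part of the training deck). Root Bridge election compares the BID as (priority, MAC) and the lowest wins; Root Port selection follows the page's simplified rule of lowest Port ID as (port priority, port number) and ignores path cost. The bridge names, MAC addresses and uplink port sets are constructed for the demonstration, and `force_root` shows the manual override the page mentions (lowering one switch's priority by a 4096 step below every other switch).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example (not NiOS code): a minimal model of the two STP elections
# the page describes. Root Bridge: lowest Bridge ID (priority, then MAC).
# Root Port: lowest Port ID (port priority, then port number), which is the
# page's simplified tie-break; real STP compares root path cost first.

DEFAULT_BRIDGE_PRIORITY = 32768   # default bridge priority stated on the page
PRIORITY_STEP = 4096              # bridge priority moves in steps of 4096
DEFAULT_PORT_PRIORITY = 128       # default port priority stated on the page


def mac_to_int(mac: str) -> int:
    """Turn 'aa:bb:cc:dd:ee:ff' into an integer so MACs compare numerically."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(parts), 16)


@dataclass
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_BRIDGE_PRIORITY
    # Uplink ports towards the root: port number -> port priority (constructed).
    uplinks: Dict[int, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Priority is a multiple of 4096, so the highest usable value is 61440.
        if not 0 <= self.priority <= 65535 or self.priority % PRIORITY_STEP:
            raise ValueError(f"{self.name}: priority must be a multiple of {PRIORITY_STEP}")
        mac_to_int(self.mac)  # validate the MAC early

    def bid(self) -> Tuple[int, int]:
        """Bridge ID as a comparable tuple: priority first, MAC second."""
        return (self.priority, mac_to_int(self.mac))


def elect_root(bridges: List[Bridge]) -> Bridge:
    """The bridge with the lowest BID wins; with equal priorities the lowest MAC wins."""
    return min(bridges, key=Bridge.bid)


def root_port(bridge: Bridge) -> int:
    """Lowest Port ID among the uplinks: lower port priority first, then lower port number."""
    if not bridge.uplinks:
        raise ValueError(f"{bridge.name}: no uplink ports")
    return min(bridge.uplinks, key=lambda n: (bridge.uplinks[n], n))


def force_root(candidate: Bridge, bridges: List[Bridge]) -> int:
    """Lower the candidate's priority one step below every other bridge; return the new value."""
    lowest_other = min(b.priority for b in bridges if b is not candidate)
    if lowest_other == 0:
        raise ValueError("another bridge already uses priority 0; the MAC would decide")
    candidate.priority = lowest_other - PRIORITY_STEP
    return candidate.priority


if __name__ == "__main__":
    lan = [
        Bridge("sw1", "00:1b:21:00:00:03",
               uplinks={1: DEFAULT_PORT_PRIORITY, 2: DEFAULT_PORT_PRIORITY}),
        Bridge("sw2", "00:1b:21:00:00:01"),
        Bridge("sw3", "00:1b:21:00:00:02"),
    ]
    print("root by MAC tie-break:", elect_root(lan).name)            # sw2
    print("sw1 root port:", root_port(lan[0]))                        # 1
    force_root(lan[2], lan)
    print("root after lowering sw3 priority:", elect_root(lan).name)  # sw3
```

With all priorities left at the default, the switch with the lowest MAC (often the oldest hardware in the LAN) becomes root, which is why the page recommends setting the priority deliberately.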
Designated Port and Non-Designated Port
In each LAN segment there are at least two ports. Of these two ports,
one becomes the Designated Port and is in forwarding mode,
while the other is called the Non-Designated Port and is in blocking mode.

Every port on the Root Bridge becomes a Designated Port.

Whenever there is a change in topology, a TCN BPDU is generated and
sent out from the designated port. On the basis of the changes that occurred in the
topology, STP runs again and makes the topology loop-free again.
Mode of STP

There are 5 modes of STP

• Disabled Mode
• Blocking Mode
• Listening Mode
• Learning Mode
• Forwarding Mode
Type of STP

• PVSTP
• RSTP
• MSTP
How to enable STP on a switch ?

When we enable STP, by default it is PVST (Per-VLAN Spanning Tree).
Configure STP on the bridge system as follows -

configure> modify parameter-group bridge system
configure> set spanning-tree enable yes
configure> save
And we have to configure the following on each uplink port.

configure> modify parameter-group gigabit-ethernet { shelf-1
{ active-controller base-slot }port-1 }
configure> set spanning-tree enable yes
configure> save
configure> modify parameter-group gigabit-ethernet { shelf-1
{ active-controller base-slot }port-2 }
Info: Parameter group instance loaded for modification.
configure> set spanning-tree enable yes
configure> save
RSTP – Rapid Spanning Tree Protocol

STP creates a loop-free topology in a LAN. But whenever there is a
change in topology, it takes up to 50 seconds to reconverge the
network and become loop-free again. To make convergence faster,
RSTP was introduced. With RSTP, it takes at most two to three seconds to
reconverge and become loop-free again.

To configure RSTP on switches, we have to enable RSTP in the bridge parameter group with the
following commands:

configure> modify parameter-group bridge system
configure> set spanning-tree enable yes
configure> set spanning-tree mode rstp
configure> save

We have to configure the above commands on every switch in the network.

The rest of the commands are the same as in the previous example.


The following commands are used to verify the configuration:

1. Verify the spanning-tree on bridge

operational> show bridge details system

2. Verify the spanning-tree on port

operational> show gigabit-ethernet details { shelf-1
{ active-controller base-slot } port-1 }

3. Verify the spanning-tree details

operational> show spanning-tree details system

4. Verify the spanning-tree port state and role

operational> show spanning-tree member summary system

5. Verify spanning-tree port details

operational> show spanning-tree member details system { gigabit-ethernet
{ shelf-1 { active-controller base-slot } port-1 } }
Block BPDU on edge:

The block-bpdu-on-edge feature prevents a port from accepting any
STP BPDUs on an edge port or access port.

By default block-bpdu-on-edge is disabled.

Configuration Example:

To enable block-bpdu-on-edge, modify the port parameter group

configure> modify parameter-group gigabit-ethernet { shelf-1 {
active-controller base-slot }port-1 }
configure> set spanning-tree block-bpdu-on-edge yes
configure> save

This command has to be given on every access port.


Root Protect:
The root-protect feature prevents a port from becoming the root port.

When a port configured for root protect receives a superior BPDU, those BPDUs are blocked.
By default root-protect is disabled.

Configuration Example:

To enable RSTP root protect, modify the port parameter group

configure> modify parameter-group gigabit-ethernet
{ shelf-1 { active-controller base-slot }port-1 }
configure> set spanning-tree root-protect enable
configure> save
ETHER CHANNEL
▪ Bundling of multiple Ethernet links to gain higher speed. For this purpose, the LACP protocol
is used.
▪ A maximum of 8 ports can be bundled.

• LACP is a protocol for the collective handling of multiple physical ports that can be seen as a
single channel for network traffic purposes.
• Link aggregation enables combining multiple links into one logical link to provide redundancy
or to enhance performance.
• LACP is of two types –
  • Static LACP
  • Dynamic LACP
Configuration of LACP – There are three steps to configure LACP

1. Create the ethernet-aggregation-group parameter group
2. Add ports as members of the LAG
3. Configure the LAG interface parameter group

We have to configure these three steps on both switches.

Configuration on SW1

1. Create ethernet-aggregation-group parameter group

configure>create parameter-group ethernet-aggregation-group lag-1
configure> set enable yes
configure> set type lacp
configure> save

2. Add ports as members of the LAG

configure> modify parameter-group gigabit-ethernet { shelf-1 {
active-controller base-slot } port-1 }
configure> set aggregation-group enable yes
configure> set aggregation-group name lag-1
configure> save
configure> modify parameter-group gigabit-ethernet { shelf-1 {
active-controller base-slot } port-2 }
configure> set aggregation-group enable yes
configure> set aggregation-group name lag-1
configure> save
configure> modify parameter-group gigabit-ethernet { shelf-1 {
active-controller base-slot } port-3 }
configure> set aggregation-group enable yes
configure> set aggregation-group name lag-1
configure> save

3. Configure the LAG interface parameter group

configure> modify parameter-group interface ge-01
configure>set name ge-lag
configure>default base
configure>set base virtual-port-address type ethernet-aggregation-group
configure>set base virtual-port-address name lag-1
configure>save

Similarly, all three steps above have to be configured on Switch-2 as well.
Verification of LACP Configuration –
The following commands can be used to verify the LACP configuration

1. Verify the LACP summary

operational> show ethernet-aggregation-group summary

2. Verify the LACP details

operational> show ethernet-aggregation-group details lag-1

3. Verify LACP on port

operational> show gigabit-ethernet details { shelf-1
{ active-controller base-slot } port-1 }

4. Verify LACP on interface

operational> show interface details ge-lag
Security Features
Port Access Control (PACP)

802.1x is an IEEE standard method which provides a mechanism for authenticating and
authorizing devices attached to LAN ports.

If the 802.1x authentication mechanism is enabled on a switch port, then a device connecting to
that port must authenticate.

There are two components of 802.1x –

1. Supplicant
2. Authenticator
802.1x uses the Extensible Authentication Protocol (EAP) method to exchange messages
during the authentication process.

In a wired Ethernet LAN, EAPoL (EAP over LAN) is used
to transport EAP packets between a Supplicant and an Authenticator over the Local Area Network (LAN).

Once the user credentials are verified, the switch opens the port to the supplicant.

Supplicants can be authenticated either in single supplicant mode or in multiple supplicant mode.

Single supplicant: The authenticator authenticates only the first supplicant that is connected to a port.
All subsequent supplicants are allowed access without further authentication.

Multiple supplicant: Each supplicant is authenticated separately when connected to the port.
Supplicants that are not 802.1x-enabled can be permitted LAN access by configuring
MAC-based authentication on the switch port to which the supplicants are connected.
NSP switch supports:
• Supplicant and authenticator.
• Local and RADIUS authentication to validate supplicant identity.
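The difference between the two supplicant modes and the MAC-based fallback, as an added Python model that is not NiOS code and not part of the training deck. It reuses the page's local pacp-user values (identity eapuser1 with password test@123, and the MAC identity 00:13:72:84:ad:da); the port object, its method names and the constructed device MACs are assumptions for illustration. The point a practitioner should take from it is in the single-supplicant case: once the first device passes, `frame_allowed` returns true for every other MAC on that port, so anything plugged in behind a hub or an unmanaged switch on that port inherits the access.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed example (not NiOS code): a toy authenticator for one switch port
# applying the page's two supplicant modes plus MAC-based authentication.
# The identity values come from the page; the port model is an assumption.


@dataclass
class PortAuthenticator:
    mode: str                                           # "single" or "multiple"
    eap_users: Dict[str, str]                           # identity -> password (local pacp-user)
    mac_users: Set[str] = field(default_factory=set)    # mac-based pacp-user identities
    authorized: Set[str] = field(default_factory=set)   # MACs currently granted access
    port_open: bool = False                             # single mode: set after the first success

    def __post_init__(self) -> None:
        if self.mode not in ("single", "multiple"):
            raise ValueError(f"unknown supplicant mode {self.mode!r}")
        self.mac_users = {m.lower() for m in self.mac_users}

    def _grant(self, mac: str) -> bool:
        self.authorized.add(mac.lower())
        self.port_open = True
        return True

    def eap_logon(self, mac: str, identity: str, password: str) -> bool:
        """EAPoL logon checked against the local user table."""
        if self.mode == "single" and self.port_open:
            # Page: on a single-supplicant port, later supplicants are not authenticated.
            return self._grant(mac)
        expected = self.eap_users.get(identity)
        if expected is None:
            return False
        # Constant-time comparison so a wrong guess does not leak how much matched.
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        return self._grant(mac)

    def mac_logon(self, mac: str) -> bool:
        """MAC-based authentication for devices that do not speak 802.1x."""
        if self.mode == "single" and self.port_open:
            return self._grant(mac)
        if mac.lower() in self.mac_users:
            return self._grant(mac)
        return False

    def frame_allowed(self, src_mac: str) -> bool:
        """Would a frame from src_mac be forwarded through this port right now?"""
        if self.mode == "single":
            return self.port_open          # the whole port opened with the first supplicant
        return src_mac.lower() in self.authorized


if __name__ == "__main__":
    # Constructed device MACs; user values are the page's pacp-user examples.
    port = PortAuthenticator(mode="single", eap_users={"eapuser1": "test@123"})
    port.eap_logon("00:aa:bb:cc:dd:01", "eapuser1", "test@123")
    print("second device on single-supplicant port:", port.frame_allowed("00:aa:bb:cc:dd:02"))

    port = PortAuthenticator(mode="multiple", eap_users={"eapuser1": "test@123"},
                             mac_users={"00:13:72:84:ad:da"})
    port.eap_logon("00:aa:bb:cc:dd:01", "eapuser1", "test@123")
    print("second device on multiple-supplicant port:", port.frame_allowed("00:aa:bb:cc:dd:02"))
    print("mac-based device admitted:", port.mac_logon("00:13:72:84:ad:da"))
```

Multiple-supplicant mode is the setting to prefer wherever more than one device can share a port; single-supplicant mode trades that per-device check for simplicity.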

EAP Authentication -

A. 802.1x can be enabled in three steps –

1. Configure the pacp parameter in the gigabit-ethernet parameter group
2. Configure the pacp-authenticator-policy parameter group
3. Create the pacp-user parameter group

Configuration of PACP – can be configured in three steps

1. Create pacp-authenticator-policy parameter group

configure> create parameter-group pacp-authenticator-policy test
configure> save
2. To enable the pacp, modify the port parameter group

configure> modify parameter-group gigabit-ethernet { shelf-1
{ active-controller base-slot }port-1 }
configure> set pacp authenticator enable yes
configure> set pacp authenticator policy test
configure> save

3. Create pacp-user parameter group

configure> create parameter-group pacp-user
configure> set identity eapuser1
configure> set enable yes
configure> set password test@123
configure> save
Commands to verify the configuration -

1. Verify the pacp port state before authentication

operational> show pacp summary

2. Verify the pacp port state after authentication

operational> show pacp summary

3. Verify the pacp port details

operational> show pacp details { gigabit-ethernet { shelf-1 { active-
controller base-slot }port-1 } }
B. MAC Based Authentication
MAC-based authentication can be enabled by configuring the pacp parameter in the gigabit-ethernet
parameter group and configuring the pacp-authenticator-policy and pacp-user parameter group instances.

Steps 1 & 2 are the same as in A. Only the 3rd step changes, as follows -

3. Create pacp-user parameter group

configure> create parameter-group pacp-user
configure> set identity 00:13:72:84:ad:da
configure> set enable yes
configure> set identity-type mac-based
configure> save

operational> show pacp details { gigabit-ethernet { shelf-1
{ active-controller base-slot } port-1 } }
Per Protocol Resource Utilization –

The NSP device supports monitoring the operating efficiency of the switch for each protocol, and
lets you analyze and view the CPU and memory consumption of each protocol.

Command to check resource utilization per protocol

Resource utilization per protocol can be seen by executing the show service summary command from diagnose mode.

Configuration verification:

diagnose> show service summary

The output of this command shows all the protocols running on the device and how
much resource each one is using.
Packet Filtering
A packet filter is a set of rules defined for controlling network traffic and reducing exposure to network attacks.
Packet filters are used to filter traffic based on the set of rules defined for the incoming traffic of the network.

It is possible to filter packets based on the below parameters:

• Ethernet header fields
  • Source address
  • Destination address
  • Payload type
  • Priority bits

• IP header fields
  • Source address
  • Destination address
  • Protocol type
  • DSCP
  • Flow labels

• TCP/UDP header fields
  • Source port
  • Destination port
Network Diagram

Ethernet Packet Filtering (On Switch)

For example, here we are creating a packet-classifier to discard/drop ARP packets from source MAC address
00:14:22:04:25:37 and allow all other incoming packets.
1. Create packet-classifier PG instance and configure the rules with traffic flows to be
matched and the corresponding policies/actions to be applied
configure> create parameter-group packet-classifier pc
configure> set enable yes
configure> set ethernet enable yes
configure> add ethernet rule 1
configure> enter ethernet rule 1
[ packet-classifier:"pc" > ethernet > rule[1] ]
configure> set flow source-address 00:14:22:04:25:37
configure> set flow payload type arp
configure> add action discard
configure> leave
[ packet-classifier:"pc" > ethernet ]
configure> add rule 2
configure> enter rule 2
[ packet-classifier:"pc" > ethernet > rule[2] ]
configure> set flow payload type any
configure> add action allow
configure> save
2. Apply/Attach the packet-classifier on the required interface on which
you want to filter the incoming packets

configure> modify parameter-group interface ge-01
configure> set packet-classifier pc
configure> save

Commands for Configuration verification:

1. Verify the packet-classifier creation and details

operational> show packet-classifier details pc

2. Verify the packet-classifier on interface

operational> show interface details ge-01


IPv4 Packet Filtering –

A packet filter can be configured based on the IPv4/L3 header.

Steps to configure IPv4 Packet Filtering -

1. Create packet-classifier PG instance and configure the rules with traffic flows to be
matched and the corresponding policies/actions to be applied

For example – we are creating a packet-classifier to discard/drop ICMP packets from source address
192.168.1.0/24 and allow all other packets on a specific interface.
Switch -
operational> configure
configure> create parameter-group packet-classifier pc
configure> set enable yes
configure> set ipv4 enable yes
configure> add ipv4 rule 1
configure> enter ipv4 rule 1
[ packet-classifier:"pc" > ipv4 > rule[1] ]
configure> set flow source-address 192.168.1.0/24
configure> set flow protocol type icmp
configure> add action discard
configure> leave
[ packet-classifier:"pc" > ipv4 ]
configure> add rule 2
configure> enter rule 2
[ packet-classifier:"pc" > ipv4 > rule[2] ]
configure> set flow protocol type any
configure> add action allow
configure> save
2. Apply/Attach the packet-classifier on the required interface on which you want to
filter the incoming packets

configure> modify parameter-group interface ge-01
configure> set packet-classifier pc
configure> save

Commands for Configuration verification:

1. Verify the packet-classifier creation and details

operational> show packet-classifier details pc

2. Verify the packet-classifier on interface

operational> show interface details ge-01
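The two classifier examples above (the Ethernet rules that drop ARP from 00:14:22:04:25:37 and the IPv4 rules that drop ICMP from 192.168.1.0/24, each followed by an allow-any rule) evaluated against constructed packets, as an added Python example that is not NiOS code and not part of the training deck. The `Packet` fields, the rule classes and the first-match semantics (the first rule whose flow matches decides the action; a rule set that matches nothing returns `None`) are assumptions for illustration; the rule values themselves are the page's.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Union

# Constructed example (not NiOS code): a first-match evaluator for the two
# packet-classifier rule sets on the page. Packet layout and matching
# semantics are assumptions; the rule values come from the page.


@dataclass
class Packet:
    src_mac: str
    payload: str                    # Ethernet payload type: "arp", "ipv4", ...
    src_ip: Optional[str] = None    # only for IPv4 payloads
    protocol: Optional[str] = None  # IPv4 protocol: "icmp", "tcp", "udp", ...


@dataclass
class EthernetRule:
    action: str                              # "allow" or "discard"
    source_address: Optional[str] = None     # None means any source MAC
    payload_type: str = "any"

    def matches(self, pkt: Packet) -> bool:
        if self.source_address and pkt.src_mac.lower() != self.source_address.lower():
            return False
        return self.payload_type == "any" or pkt.payload == self.payload_type


@dataclass
class Ipv4Rule:
    action: str
    source_address: Optional[ipaddress.IPv4Network] = None   # None means any source
    protocol_type: str = "any"

    def matches(self, pkt: Packet) -> bool:
        # IPv4 rules only ever match IPv4 payloads that carry a source address.
        if pkt.payload != "ipv4" or pkt.src_ip is None:
            return False
        if self.source_address and ipaddress.IPv4Address(pkt.src_ip) not in self.source_address:
            return False
        return self.protocol_type == "any" or pkt.protocol == self.protocol_type


Rule = Union[EthernetRule, Ipv4Rule]


def classify(rules: Sequence[Rule], pkt: Packet) -> Optional[str]:
    """Action of the first matching rule, or None when no rule in the set matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def page_ethernet_rules() -> List[EthernetRule]:
    """Ethernet classifier 'pc': rule 1 drops ARP from one MAC, rule 2 allows everything else."""
    return [
        EthernetRule("discard", source_address="00:14:22:04:25:37", payload_type="arp"),
        EthernetRule("allow", payload_type="any"),
    ]


def page_ipv4_rules() -> List[Ipv4Rule]:
    """IPv4 classifier 'pc': rule 1 drops ICMP from 192.168.1.0/24, rule 2 allows the rest."""
    return [
        Ipv4Rule("discard", source_address=ipaddress.IPv4Network("192.168.1.0/24"),
                 protocol_type="icmp"),
        Ipv4Rule("allow", protocol_type="any"),
    ]


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        Packet("00:14:22:04:25:37", "arp"),
        Packet("00:14:22:04:25:37", "ipv4", "10.0.0.5", "tcp"),
        Packet("00:aa:bb:cc:dd:ee", "ipv4", "192.168.1.77", "icmp"),
        Packet("00:aa:bb:cc:dd:ee", "ipv4", "192.168.1.77", "tcp"),
    ]
    for pkt in samples:
        print(pkt, "ethernet ->", classify(page_ethernet_rules(), pkt),
              "| ipv4 ->", classify(page_ipv4_rules(), pkt))
```

Rule order matters: swapping the two rules in either set would let the allow-any rule match first and the discard rule would never fire, which is the usual mistake to check for when reviewing a classifier.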


PORT MIRRORING

Port mirroring is used on a network device to send a copy of network packets, as received
or transmitted on a port, to another port. This is primarily used for monitoring of network
traffic by applications such as intrusion detection systems, probes etc.

Port mirroring can be done in two ways –

1. Local Port Mirroring - When the port to be monitored and the analyser are both on the same
switch
2. Remote Port Mirroring – When the port to be monitored and the analyser are on
different switches.
1. Local Port Mirroring -

Local Port Mirroring can be configured on Nivetti switches in 3 steps –

1. Create traffic monitor port policy parameter group

configure> create parameter-group traffic-monitor-port-policy test
configure> add traffic-direction ingress
configure> enter traffic-direction ingress
[ traffic-monitor-port-policy:"test" > traffic-direction[1] ]
configure> set analyser-port-location local
configure> set local-analyser physical-port type gigabit-ethernet
configure> set local-analyser physical-port physical-port-location shelf shelf-1
configure> set local-analyser physical-port physical-port-location slot slot-id activ
configure> set local-analyser physical-port physical-port-location slot sub-slot-id b
configure> set local-analyser physical-port physical-port-location port-id port-3
2. Add port as monitor port

configure> modify parameter-group gigabit-ethernet { shelf-1
{ active-controller base-slot }port-1 }
configure> set traffic-mirror type monitor
configure> add traffic-mirror monitor policies test
configure> save

3. Add port as analyser port

configure> modify parameter-group gigabit-ethernet { shelf-1
{ active-controller base-slot }port-3 }
configure> set traffic-mirror type analyser
configure> save

To verify configuration -

operational> show gigabit-ethernet details { shelf-1
{ active-controller base-slot } port-1 }

operational> show gigabit-ethernet details { shelf-1
{ active-controller base-slot } port-3 }
Remote Port Mirroring
▪ Monitor and analyser ports are on different switching devices.
▪ A remote VLAN is used to carry the mirrored traffic to the switch which has the analyser port.
▪ The traffic traverses the normal switch-to-switch interfaces.
▪ The source VLAN is replaced by the remote VLAN for the mirrored traffic.
Steps to Configure Remote Port Mirroring

Prerequisite - Need to create a VLAN-100 interface on SW1 port-3 and SW2 port-1 and port-2.

1. Create traffic monitor port policy parameter group on both switches

configure> create parameter-group traffic-monitor-port-policy test
configure> add traffic-direction ingress
configure> enter traffic-direction ingress
[ traffic-monitor-port-policy:"test" > traffic-direction[1] ]
configure> set analyser-port-location remote
configure> set remote-analyser bridge system
configure> set remote-analyser vlan-id 100
configure> save

2. Add port as monitor port (Configuration on SW1)

configure> modify parameter-group gigabit-ethernet { shelf-1
{ active-controller base-slot }port-1 }
configure> set traffic-mirror type monitor
configure> add traffic-mirror monitor policies test
configure> save
3. Add port as analyser port (Configuration on SW2)

configure> modify parameter-group gigabit-ethernet { shelf-1
{ active-controller base-slot }port-2 }
configure> set traffic-mirror type analyser
configure> set traffic-mirror analyser remote enable yes
configure> add traffic-mirror analyser remote sources 1
configure> enter traffic-mirror analyser remote sources 1
[ fast-ethernet:{ shelf-1 { active-controller base-slot }
port-2 } > traffic-mirror > analyser > remote > sources[1] ]
configure> set bridge system
configure> set vlan-id 100
configure> save

1. Verify monitor port details using show gigabit-ethernet details command in switch-1
operational> show gigabit-ethernet details { shelf-1
{ active-controller base-slot } port-1 }
2. Verify analyser port details using show gigabit-ethernet details command in switch-2
operational> show gigabit-ethernet details { shelf-1
{ active-controller base-slot } port-2 }
Power Over Ethernet (PoE)
Power over Ethernet is a technology for supplying electrical power
to network devices over the same cabling used to carry network
traffic.
There are two components of PoE –
1. PD (Powered Devices) - Devices that require power, such as IP phones, wireless
access points and digital security cameras, are called Powered Devices (PDs). They receive
power in addition to data over the existing infrastructure without needing to upgrade it.

2. PSE (Power Sourcing Equipment) – A device that can source power,
such as an Ethernet switch, is termed Power Sourcing
Equipment (PSE). Power Sourcing Equipment can provide power, along
with data, over existing LAN cabling to Powered Devices.

The combination of data and power capability over one cable makes
product installation easier and potentially safer by avoiding
the need for 230 V at the end device. Energy efficiency may also be
improved by removing local power adapters.
Enabling PoE feature on a port

In the above diagram, a wireless access point is connected to port-1 of the SW.

Configuration on SW

operational> configure
configure> modify parameter-group gigabit-ethernet { shelf-1 { active-
controller base-slot } port-1 }
configure> set poe enable yes
configure> save

operational> show poe port summary
operational> show poe port details { gigabit-ethernet { shelf-1 { active-
controller base-slot } port-1 } }
operational> show poe system summary
Jai Hind!
