Switching Training
➢ Hands-On session
➢ QA and discussions
NiOS™ : Embedded software platform for networking devices
- Designed and developed from the ground up to roll out next-generation Internet Protocol based services in carrier-class environments
- Scalable from single-CPU systems to multi-slot, multi-shelf clusters with hundreds of CPUs and network processing units. NiOS can be used from HMS devices to core routers
- Based on the proprietary “Xprocess” event delivery architecture, which provides unmatched scalability and performance
- Designed to be secure and highly available from the ground up, not added as an afterthought
- Built-in standards-based L2 - L7 functionality. Native support for Routing, Bridging, Label switching, QoS, AAA, Security and Management
- Scalable in terms of features, ports and speed – full Internet routing table, 10G Ethernet, thousands of ports per rack
- Virtualization support for developing and testing new features, facilitating hardware/software co-development
NiOS™ Platform classification
Components of System
• Shelf
• Slot
• Sub-Slot
• Port
• Logical Port
• Controller Card
• Active Controller Card
• Switch Fabric Card
• Power Supply
• Cooling Unit
Naming and Addressing convention
▪ Shelf – Rectangular cabin-like structure with slots and guides to accommodate slot cards
▪ Identified by shelf identifier - shelf-1 to shelf-31
▪ Slot card
▪ Hosts the payload logic to discharge the required functionalities
▪ May be active or passive (based on whether it has processing logic)
▪ May or may not have addressable components (e.g. physical ports)
▪ Identified by slot identifier - slot-1 to slot-32
▪ Sub-Slot card
▪ Fits into other slot cards
▪ Usually added to increase port density or to add capabilities
▪ Identified by sub-slot identifier - sub-slot-1 to sub-slot-8 and base-slot
Naming and Addressing convention
▪ Physical port
▪ Physical termination point for electrical or optical signals
▪ e.g. fast-ethernet, gigabit-ethernet, ADSL, SONET, WLAN
▪ Identified by port identifier - port-1 to port-512
Naming and Addressing convention
▪ Logical port
▪ Some ports can be logically divided into multiple ports, used as separate communication channels
▪ e.g. DS0 channels in a T1 line
▪ Identified by logical port identifier - logical-port-1 to logical-port-32 and base-port
▪ Cooling units – special slot card for cooling the system (one or many such cards)
Examples:
• Sub-Slot : { shelf-1 { slot-1 base-slot } }
• Logical-Port : { shelf-1 { slot-1 base-slot } { port-1 base-port } }
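An added example (not NiOS code) that parses and range-checks the address notation in the naming and addressing slides above; the ranges are the ones stated on the slides, and "active-controller" is accepted in the slot position because the later configuration examples use it there.

```python
import re

# Added example, not part of NiOS: parser/validator for addresses such as
# "{ shelf-1 { slot-1 base-slot } { port-1 base-port } }".
RANGES = {"shelf": (1, 31), "slot": (1, 32), "sub-slot": (1, 8),
          "port": (1, 512), "logical-port": (1, 32)}        # ranges from the slides
BASE_NAME = {"sub-slot": "base-slot", "logical-port": "base-port"}
TOKEN = re.compile(r"\{|\}|[A-Za-z][A-Za-z0-9-]*")


def _component(name, kind):
    """Validate one identifier of the given kind, e.g. 'slot-7' or 'base-slot'."""
    if name == BASE_NAME.get(kind) or (kind == "slot" and name == "active-controller"):
        return name
    prefix = kind + "-"
    if not name.startswith(prefix) or not name[len(prefix):].isdigit():
        raise ValueError(f"expected a {kind} identifier, got {name!r}")
    lo, hi = RANGES[kind]
    if not lo <= int(name[len(prefix):]) <= hi:
        raise ValueError(f"{name} is outside {kind}-{lo} to {kind}-{hi}")
    return name


def parse_address(text):
    """Parse a sub-slot, physical-port or logical-port address into a dict."""
    toks = TOKEN.findall(text)
    if "".join(toks) != re.sub(r"\s+", "", text):
        raise ValueError("unexpected characters in address")
    if len(toks) < 7 or toks[0] != "{" or toks[-1] != "}":
        raise ValueError("address must be '{ shelf-N { slot sub-slot } ... }'")
    body = toks[1:-1]
    if body[1] != "{" or body[4] != "}":
        raise ValueError("missing '{ slot sub-slot }' group")
    addr = {"shelf": _component(body[0], "shelf"),
            "slot": _component(body[2], "slot"),
            "sub-slot": _component(body[3], "sub-slot")}
    rest = body[5:]
    if not rest:                                   # sub-slot address
        return addr
    if len(rest) == 1:                             # physical port address
        addr["port"] = _component(rest[0], "port")
    elif len(rest) == 4 and rest[0] == "{" and rest[3] == "}":   # logical port address
        addr["port"] = _component(rest[1], "port")
        addr["logical-port"] = _component(rest[2], "logical-port")
    else:
        raise ValueError("malformed port group")
    return addr


def is_valid_address(text):
    """True when the address parses and every identifier is within range."""
    try:
        parse_address(text)
        return True
    except ValueError:
        return False
```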
Slot card types – Hardware Components
▪ Controller Card
▪ Special slot card to manage all the other slot cards in the shelf
▪ May be field replaceable on certain platforms
▪ More than one controller may exist - Active Controller and Stand-by Controller
▪ If there is only one controller, then it is always Active Controller
▪ Switch fabric card – special interconnect card that hosts hardware to enable inter-slot communication
▪ May be a separate card or may be combined with the controller card
▪ Line interface cards (with physical ports) and processing cards (e.g. cards for deep-packet inspection, routing-engine card)
NiOS™ CLI
CLI Features
▪ Designed for human-system interactions
▪ Secure, highly intuitive, self-learnable
▪ Built-In access control mechanisms
▪ Detailed context sensitive help
▪ Highly customizable and automation friendly
▪ Built-In support for command completion, banner support and pagination
• A factory default configuration is available in each NSP device so that an administrator can log in when the system is booted for the first time.
• After logging in to the system with the 'admin' user and the password 'admin', the user will be prompted to change the password.
CLI Access Features
-Console, SSH, telnet
-Simultaneous access by multiple users – same or different user-id
-Maximum 16 CLI sessions, Configurable maximum session limit per user
Console access to the NSP device is obtained via the console port using an RJ45 to DB9 serial port adapter. A user can access the device using the command line interface (CLI) with the following console port settings, which are part of the factory default configuration:
Speed: 115200 bps
Data bits: 8
Stop bits: 1
Parity: none
Flow control: hardware
Command Usage
CLI Modes
➢ Operational - Least privileged mode.
▪ Default mode presented on login – available to all CLI users
▪ Commands and functionalities to collect and monitor operational information
➢ Configuration mode
▪ View configurations
▪ Create new configurations, make changes to configuration and delete configurations.
Parameter-group – A group of related parameters that define all or part of the behaviour of a resource/object in the NiOS environment.
Global parameter-group - This type of parameter-group applies to the entire system. There is only one instance of a global configuration type. Global configurations do not have an index, as there is only one instance. Configurations of global types cannot be created or deleted by the user; the user can only modify them. The system creates the required global configurations at startup. A parameter-group representing a global configuration is known as a global parameter-group.
List Parameter - A list parameter is manipulated with the “add” and “remove” commands. The “add” command adds a value to the list and the “remove” command removes a value from the list. The “add” command is also overloaded to provide help for every list parameter loaded into the draft buffer. When no position is supplied to the “add” command, entries are added to the tail of the list. When no option is supplied to the “remove” command, the first entry matching the key description is removed.
Tip: the “add” and “remove” commands can also take a hierarchy of parameters
Supported parameter-group types
Overview of system configuration
Creating parameter-group instance
▪ Only indexed parameter-group instance can be created
▪ Use “create” command to initialize draft buffer
▪ Edit parameter values
▪ “save” the parameter-group instance
▪ Parameter values are validated
▪ Confirmation prompt for overwriting
Ex –
operational> configure
configure> modify parameter-group system
configure> set name nspm
configure> set contact demo
configure> set location address bangalore
configure> save
Set system time and date
Remote Management
In the factory default configuration, SSHv2 is enabled with the authentication method 'password' in the router parameter group.
The administrator can disable the SSH service.
operational> configure
Entering configuration mode with exclusive access.
configure> modify parameter-group router system
Info: Parameter group instance loaded for modification.
configure> enter access ssh-server
configure> set enable no
configure> save
▪ The most recent syslog messages are cached within the system. The cache can
be viewed using “show syslog cache” command.
▪ Network operations like scp, ftp and tftp are supported by corresponding
commands
▪ Network authorization is required to use these commands
▪ These commands are useful to load software images from external hosts or
transfer files
Software release
▪ Use “show version” to view the current software image information
▪ Every slot card type uses a specific software image for its operation
▪ To load an image, copy it into “/images/image/” directory using network operations like scp, ftp
or tftp
▪ Multiple images can co-exist
▪ To view available images use “show image summary” and “show image details” commands
▪ Current image that is qualified for use by the system is called “Active” image. It is always the
valid image that is most recently modified.
▪ To change the current active image use “set image” command
▪ If an active image for a slot-type is deleted, then system chooses the next most recently
modified valid image as the active image.
Management access using SSH
▪ Secure Shell (SSH) is the preferred mode of access for NiOS CLI over network
▪ Parameters like allowed SSH versions and allowed maximum login attempts are
configurable
• Create an instance of “cli-user” parameter-group with appropriate user-id and password. Set
the group-id of this user as the appropriate “cli-user-group” id.
• Set any other required details like name of the user and contact details
• Set the CLI prompt, banner, syslog and pagination parameters for this user, as required
▪ Use “system reboot” command to reboot the entire system including all the
slot-cards
▪ To view slot-card information use “show slot-card summary” and “show slot-card
details” command
▪ A switch is a network device that works at Layer 2 of the OSI model. Nowadays the technology has developed and Layer 3 features are also added to switches; these switches are known as L2/L3 switches.
▪ A switch creates and maintains a MAC table, and on the basis of this MAC table the switch forwards communication between hosts.
In Diagnose Mode –
• When we create VLANs, we have to give every VLAN an ID, called the VLAN-ID, which is a numeric value. We can also give every VLAN a name for our own reference.
• Creating a VLAN splits the switch's broadcast domain, and hence network performance is enhanced.
• A member of one VLAN cannot communicate with members of other VLANs.
How to Create Vlans-
Steps to configure:
1. Enter configure mode.
2. Modify the interface parameter group instance.
3. Set the name <new-name>.
4. Set the ethernet vlan enable parameter to ‘yes’.
5. Set the ethernet vlan tag parameter to <vlan-id>.
6. Save the configuration.
7. Exit configure mode.
To Verify VLANs –
For a user in VLAN 10 on Switch-1 to talk to a user in the same VLAN 10 on the other switch, the uplink port Gig-3 must be configured as a trunk port.
How to Configure Uplink as Trunk Port on Nivetti switches -
On Switch-1
configure> modify parameter-group interface ge-03
configure> set name ge-03-vlan10
configure> set ethernet vlan enable yes
configure> set ethernet vlan tag 10
configure> save
With MVRP, an access switch can be manually configured with all the desired VLANs for the network,
and all other MVRP-enabled switches on the network learn those VLANs dynamically.
The network administrator does not have to manually configure the VLANs
in each of the devices in the topology.
When the VLAN configurations on a switch are changed, MVRP automatically changes
the VLAN configurations in the required switches.
How to Configure MVRP on Nivetti Switches
On Switch-2
- We have to enable MVRP on Bridge Parameter and then
- Enable MVRP on Port Parameter of uplink Port-1
Configuration Example of MVRP on above topology
Configuration of Switch-1,
operational> configure
configure> modify parameter-group bridge system
configure> set mvrp enable yes
configure> save
operational> configure
configure> modify parameter-group gigabit-ethernet { shelf-1 { active-controller base-slot } port-2 }
configure> set mvrp enable yes
configure> save
Inter-VLAN routing can be enabled by configuring Integrated-vlan Interface parameter group instance.
In the above diagram, Host-1 is in VLAN 10 and Host-2 is in VLAN 20. By default, they cannot communicate with each other.
BPDUs are a switch's hello packets, which contain certain information about that switch, such as the switch's MAC address, BID value, bridge priority value, hello interval and dead interval, root bridge, etc.
Because of a switch's broadcast property, each switch's BPDU is propagated to all the connected switches in the network, so every switch's information reaches all the other switches, and on the basis of this information the best switch is selected, which is called the root bridge.
Root Bridge
• By default the bridge priority is 32768. It is a configurable value and ranges from 0 to 65534.
• Root bridge selection is based on the MAC address; the lower MAC address is preferred.
• We can manually make any switch the root bridge by lowering its priority.
Root Port
• After selection of the root bridge, every switch tries to send its data to the root bridge, and the root bridge sends the data on to the destination.
• Since a switch has multiple uplink ports towards the root bridge, the best uplink port is selected to send data to the root bridge, and that port is called the root port. All other uplink ports are known as non-root ports.
• The port with the lowest port ID becomes the root port.
• The port ID consists of two factors: port priority and port number.
• By default every port has a priority value of 128, so this factor ties, and root port selection then falls back to the port number.
• The port with the lowest port number becomes the root port. We can influence root port selection by lowering the priority value: the port with the lower priority value becomes the root port.
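An added example (not NiOS code) that carries the election rules from the root bridge and root port slides above through on a constructed two-switch topology: bridge IDs compare priority first and MAC address second, port IDs compare port priority first and port number second, and the lowest value wins in both cases.

```python
from dataclasses import dataclass

# Added example, not part of NiOS: STP root bridge and root port election
# as described on the slides, with constructed sample MAC addresses.


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                # constructed sample MAC such as "00:00:0c:00:00:0a"
    priority: int = 32768   # default bridge priority per the slides

    def __post_init__(self):
        if not 0 <= self.priority <= 65534:   # configurable range stated on the slide
            raise ValueError("bridge priority must be 0-65534")

    def bridge_id(self):
        # Priority is compared first; the MAC address only breaks ties.
        return (self.priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Uplink:
    number: int             # port number
    priority: int = 128     # default port priority per the slides

    def port_id(self):
        return (self.priority, self.number)


def elect_root_bridge(bridges):
    """All bridges see each other's BPDUs; the lowest bridge ID becomes root."""
    return min(bridges, key=Bridge.bridge_id)


def select_root_port(uplinks):
    """Among a non-root switch's uplinks, the lowest port ID becomes the root port."""
    return min(uplinks, key=Uplink.port_id)


def non_root_ports(uplinks):
    root = select_root_port(uplinks)
    return [u for u in uplinks if u is not root]


def demo():
    # Constructed topology: SW2 has the lower MAC, so it wins with equal priorities,
    # but lowering SW1's priority makes SW1 the root regardless of MAC.
    sw1, sw2 = Bridge("SW1", "00:00:0c:00:00:0a"), Bridge("SW2", "00:00:0c:00:00:01")
    default_root = elect_root_bridge([sw1, sw2]).name
    forced_root = elect_root_bridge([Bridge("SW1", sw1.mac, priority=4096), sw2]).name
    # Three uplinks with default priority tie, so the lowest port number wins;
    # lowering port-3's priority to 64 overrides that.
    tie_break = select_root_port([Uplink(3), Uplink(1), Uplink(2)]).number
    forced = select_root_port([Uplink(3, priority=64), Uplink(1), Uplink(2)]).number
    return default_root, forced_root, tie_break, forced
```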
Designated Port and Non-Designated Port
In each LAN segment there are at least two ports. Of these two ports, one becomes the designated port and is in forwarding mode, while the other is called the non-designated port and is in blocking mode.
STP port states
• Disabled Mode
• Blocking Mode
• Listening Mode
• Learning Mode
• Forwarding Mode
Type of STP
• PVSTP
• RSTP
• MSTP
How to enable STP on a switch ?
When we enable STP, by default it is PVST (per-VLAN spanning tree protocol)
Configure STP on bridge system as follows -
Configuration Example:
When a port configured for root protect receives a superior BPDU, then those BPDUs will be blocked.
By default root-protect will be disabled.
Configuration Example:
• LACP is a protocol for the collective handling of multiple physical ports that can be seen as a
single channel for network traffic purposes.
• Link aggregation enables combining multiple links into one logical link to provide redundancy
or to enhance the performance.
• LACP is of two types –
• Static LACP
• Dynamic LACP
Configuration of LACP – There are three steps to configure LACP
802.1x is an IEEE standard method which provides a mechanism for authenticating and
authorizing devices attached to LAN ports .
In a wired Ethernet LAN, EAPoL (Extensible Authentication Protocol (EAP) over LAN) is used to transport EAP packets between the Supplicant and an Authenticator over the Local Area Network (LAN).
Once the user credentials are verified, the switch opens the port to the supplicant.
Supplicants can be authenticated either in single supplicant mode or in multiple supplicant mode.
Single supplicant: The authenticator authenticates only the first supplicant that connects to a port. All subsequent supplicants are allowed access without further authentication.
Multiple supplicant: Each supplicant is authenticated separately when connected to the port.
Supplicants that are not 802.1x enabled can be permitted LAN access by configuring MAC-based authentication on the switch port to which the supplicants are connected.
NSP switch supports:
• Supplicant and authenticator.
• Local and RADIUS authentication to validate supplicant identity.
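An added example (not NiOS code) modelling the single and multiple supplicant modes described above, with local authentication and an optional MAC-based-authentication list; the user database and MAC list are constructed sample data. It makes visible the consequence the slide states for single supplicant mode: once the first supplicant is authenticated, later supplicants on the same port are admitted without any check.

```python
# Added example, not part of NiOS: authenticator-side model of an 802.1X port.
LOCAL_USERS = {"alice": "s3cret", "bob": "hunter2"}   # constructed local user database
MAC_AUTH_LIST = {"aa:bb:cc:00:00:99"}                 # constructed MAC-based-auth allow list


def authenticate(credentials):
    """Local (non-RADIUS) check of an EAP identity/password pair."""
    if credentials is None:
        return False
    user, password = credentials
    return LOCAL_USERS.get(user) == password


class Dot1xPort:
    """mode is 'single' or 'multiple' supplicant; mac_auth enables MAC-based
    authentication for supplicants that are not 802.1X capable."""

    def __init__(self, mode, mac_auth=False):
        if mode not in ("single", "multiple"):
            raise ValueError("mode must be 'single' or 'multiple'")
        self.mode = mode
        self.mac_auth = mac_auth
        self.authorized = []   # MACs currently granted LAN access, in arrival order

    def connect(self, mac, credentials=None):
        """Return True if the supplicant with this MAC is granted LAN access."""
        if self.mode == "single" and self.authorized:
            # First supplicant already passed: later ones are admitted without
            # further authentication, exactly as the slide describes.
            self.authorized.append(mac)
            return True
        ok = authenticate(credentials)
        if not ok and credentials is None and self.mac_auth:
            ok = mac in MAC_AUTH_LIST   # non-802.1X supplicant, MAC-based check
        if ok:
            self.authorized.append(mac)
        return ok
```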
EAP Authentication -
Steps 1 and 2 are the same as in A. Only the 3rd step changes, as follows -
The NSP device supports monitoring the operating efficiency of the switch for each protocol, and also analysing and viewing CPU and memory usage.
Configuration verification:
The output of this command shows all the protocols running on the device and how much resource each is using.
Packet Filtering
A packet filter is a set of rules defined for controlling network traffic and reducing exposure to network attacks.
Packet filters filter traffic entering the network based on the defined set of rules, matching on fields such as:
• IP header fields
• Source address
• Destination address
• Protocol type
• DSCP
• Flow labels
For example, here we create a packet-classifier to discard/drop ARP packets from source MAC address 00:14:22:04:25:37 and allow all other incoming packets.
1. Create packet-classifier PG instance and configure the rules with traffic flows to be
matched and the corresponding policies/actions to be applied
configure> create parameter-group packet-classifier pc
configure> set enable yes
configure> set ethernet enable yes
configure> add ethernet rule 1
configure> enter ethernet rule 1
[ packet-classifier:"pc" > ethernet > rule[1] ]
configure> set flow source-address 00:14:22:04:25:37
configure> set flow payload type arp
configure> add action discard
configure> leave
[ packet-classifier:"pc" > ethernet ]
configure> add rule 2
configure> enter rule 2
[ packet-classifier:"pc" > ethernet > rule[2] ]
configure> set flow payload type any
configure> add action allow
configure> save
2. Apply/Attach the packet-classifier on the required interface on which
you want to filter the incoming packets
1. Create packet-classifier PG instance and configure the rules with traffic flows to be
matched and the corresponding policies/actions to be applied
For example – we are creating a packet-classifier to discard/drop icmp packets from source address
192.168.1.0/24 and allow all other packets on a specific interface.
Switch -
operational> configure
configure> create parameter-group packet-classifier pc
configure> set enable yes
configure> set ipv4 enable yes
configure> add ipv4 rule 1
configure> enter ipv4 rule 1
[ packet-classifier:"pc" > ipv4 > rule[1] ]
configure> set flow source-address 192.168.1.0/24
configure> set flow protocol type icmp
configure> add action discard
configure> leave
[ packet-classifier:"pc" > ipv4 ]
configure> add rule 2
configure> enter rule 2
[ packet-classifier:"pc" > ipv4 > rule[2] ]
configure> set flow protocol type any
configure> add action allow
configure> save
2. Apply/Attach the packet-classifier on the required interface on which you want to
filter the incoming packets
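An added example (not NiOS code) that evaluates the two packet-classifiers configured above, the ethernet one and the ipv4 one, over constructed sample packets. It assumes, since the slides do not say so explicitly, that rules are evaluated in numeric order and the first matching rule's action wins; the with_rules_reversed helper shows how swapping rule 1 and rule 2 lets the "any / allow" rule shadow the discard rule.

```python
import ipaddress

# Added example, not part of NiOS: mirrors of the two classifiers on the slides.
ETHERNET_PC = {"family": "ethernet", "rules": [
    {"flow": {"source-address": "00:14:22:04:25:37", "payload-type": "arp"}, "action": "discard"},
    {"flow": {"payload-type": "any"}, "action": "allow"},
]}
IPV4_PC = {"family": "ipv4", "rules": [
    {"flow": {"source-address": "192.168.1.0/24", "protocol-type": "icmp"}, "action": "discard"},
    {"flow": {"protocol-type": "any"}, "action": "allow"},
]}


def _field_matches(key, want, got):
    """One flow field: 'any' matches everything, a prefix matches by network
    membership, everything else is a case-insensitive exact comparison."""
    if want == "any":
        return True
    if got is None:
        return False
    if key == "source-address" and "/" in want:
        return ipaddress.ip_address(got) in ipaddress.ip_network(want, strict=False)
    return str(want).lower() == str(got).lower()


def classify(pc, packet):
    """Action of the first rule whose flow fields all match, else 'no-match'
    (first-match semantics are an assumption, not stated on the slides)."""
    for rule in pc["rules"]:
        if all(_field_matches(k, v, packet.get(k)) for k, v in rule["flow"].items()):
            return rule["action"]
    return "no-match"


def with_rules_reversed(pc):
    """Same classifier with the rule order swapped (a common misconfiguration)."""
    return {"family": pc["family"], "rules": list(reversed(pc["rules"]))}


def run(pc, packets):
    """Actions for the packets that belong to this classifier's address family."""
    return [classify(pc, p) for p in packets if p["family"] == pc["family"]]


# Constructed sample traffic.
PACKETS = [
    {"family": "ethernet", "source-address": "00:14:22:04:25:37", "payload-type": "arp"},
    {"family": "ethernet", "source-address": "00:14:22:04:25:37", "payload-type": "ipv4"},
    {"family": "ethernet", "source-address": "00:14:22:04:25:38", "payload-type": "arp"},
    {"family": "ipv4", "source-address": "192.168.1.77", "protocol-type": "icmp"},
    {"family": "ipv4", "source-address": "192.168.2.77", "protocol-type": "icmp"},
    {"family": "ipv4", "source-address": "192.168.1.77", "protocol-type": "tcp"},
]
```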
Port mirroring is used on a network device to send a copy of the network packets received or transmitted on one port to another port. This is primarily used for monitoring network traffic by applications such as intrusion detection systems, probes, etc.
To Verify configuration -
Prerequisite - Need to create Vlan-100 interface on SW1 port-3 and SW2 port-1 and port-2.
1. Verify monitor port details using the show gigabit-ethernet details command on switch-1
operational> show gigabit-ethernet details { shelf-1 { active-controller base-slot } port-1 }
2. Verify analyser port details using the show gigabit-ethernet details command on switch-2
operational> show gigabit-ethernet details { shelf-1 { active-controller base-slot } port-2 }
Power Over Ethernet (PoE)
Power over Ethernet is a technology for supplying electrical power to network devices over the same cabling used to carry network traffic.
There are two components of PoE –
1. PD (Powered Devices) - Devices that require power, called Powered Devices (PDs), such as IP phones, wireless access points and digital security cameras, receive power in addition to data over the existing infrastructure without needing to upgrade it.
The combination of data and power capability over one cable makes product installation easier and potentially safer by avoiding the need for 230 V at the end device. Energy efficiency may also be improved by removing local power adapters.
Enabling PoE feature on a port
Configuration on SW
operational> configure
configure> modify parameter-group gigabit-ethernet { shelf-1 { active-controller base-slot } port-1 }
configure> set poe enable yes
configure> save