Post on 14-Dec-2015
OfficeServ Data Server - Enterprise IP Solutions
L2 Protocol
Mar, 2006
OfficeServ Lab1
Samsung Electronics Co., Ltd.
2/57Samsung Confidential & Proprietary InformationCopyright 2006, All Rights Reserved.
Contents
• STP / RSTP
• Port Trunking
• IGMP Snooping
• VLAN
• L2 QoS
• Security
• Mirroring
• Authentication
STP/RSTP
Rapid Spanning Tree Protocol
• Bridge Parameters
– Bridge Priority: decides the priority of the bridge
– Hello Time: sets the transmission interval of BPDUs
– Max Age Time: sets the Message Age time
– Forward Time: the time a port stays in one state before advancing to the next level
• Port Parameters
– Priority: the criterion used to select the port to be blocked when a switch loop is established
– Force Version: communication with the switch connected to the corresponding port proceeds with the BPDU version that the user specifies
– Path Cost: the path cost according to the bandwidth when the connection with the peer is established
– Portfast
– Link Type: the link is connected as point-to-point in RSTP
Rapid Spanning Tree Protocol
Bridge information fields (figure callouts):
① Designated Bridge Identifier: the upper 4 digits represent the bridge priority and the remaining lower digits are the system MAC address.
② Root Bridge Identifier: among the connected switches, indicates the identifier of the switch selected as the root bridge. Therefore, if there is no connection between switches, the Root Bridge Identifier displays the same information as the Designated Bridge Identifier.
③ Root Path Cost: once the root bridge is decided, displays the calculated cost of the path to the root switch.
④ Root Port: if the current equipment is not the root switch, indicates the ID of the port that is the root port.
⑤ Last Topology Changed
Rapid Spanning Tree Protocol
Port information fields (figure callouts):
– Port Identifier (e.g. 0x8002): the port priority (upper byte, 0x80) followed by the port index (lower byte, 02).
– Port Role: the role of the port, selected via the BPDU exchange between switches: Disabled, Alternate, Backup, Designated, Root.
– Designated Root: if the switch connected to the corresponding port is closer to the root switch, the Designated Root shows the Bridge Identifier of the connected switch. Otherwise, the Designated Root shows its own Bridge Identifier.
– Port State: Discarding, Learning, Forwarding, Blocking.
Port Trunking
Port Trunking - GPLIM
A packet is transferred to one port among the members included in the trunk group; select the algorithm that picks the port used for transfer.
• Up to 8 groups can be created, and up to 4 ports can be included in a group as members.
• A member included in one group cannot be included in another group at the same time.
• The LACP options are displayed when the trunk configuration is set to ‘LACP’.
– Active: the system sends an LACP packet to the opposite party first.
– Passive: the system responds only when it receives a packet from the opposite system.
– If both the local system and the opposite system are set to Active, the system with the higher priority is used as the reference.
Port Trunking - GSIM
LACP is distinguished from Static Trunking in that ports configured as LACP ports form the aggregated bandwidth automatically.
The LACP Configuration window can configure trunk groups and add or delete members.
Select the algorithm used to pick the port that sends out the packets.
Select the [Port Trunking]->[Status] menu to specify the configuration related to Port Trunking.
(Figure: GSIM)
IGMP Snooping
IGMP Snooping
IGMP Snooping can be enabled and operated separately for each VLAN.
IGMP Snooping
Select the VLAN and the Category to configure, enter the time and click the [OK] button to store the configuration.
– Group Membership: the time after which a member is removed from the multicast forwarding database when no new report arrives.
– Last Member Query Timeout: the time to wait for a response report after sending a query to check whether the host is the last member, when the multicast router receives a leave message from a host. If no report is received before this time elapses, the host is deleted from the group.
– Max Response: the maximum time allowed for a response when an IGMP Snooping query is received.
– Other Query: the time until operation as a querier starts when no query from the multicast router is seen.
IGMP Snooping
Querier and Immediate Leave can be set for each VLAN, but Cross VLAN and Flood DPM can only be set on a bridge basis.
– Querier: operates as the IGMP querier when no multicast router exists.
– Immediate Leave: deletes a host from the group immediately when a Leave message is received.
– Cross VLAN: forwards multicast packets to all ports regardless of VLAN.
– Flood DPM: sets whether to forward multicast packets when no member exists in the IGMP group.
On the GSIM board, this is supported via the [IGMP snooping]->[Multicast Filter] menu.
IGMP Snooping
On the GSIM board, the Cross VLAN and Flood DPM functions of the GPLIM board are supported through the Multicast Filter settings shown in the figure below:
– Forward group: always forwards multicast packets.
– Filter unregistered group: drops multicast packets when no member belonging to the IGMP group exists.
– Forward unregistered group: forwards multicast packets when no member belonging to the IGMP group exists.
(Figure: GSIM)
IGMP Snooping
(Figure: IGMP group display, showing group 224.1.1.20)
Displays the information on the members registered in the IGMP Group.
Click the [Refresh] button to update the information displayed on the web screen to the latest information.
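The snooping behaviour described on the previous slides, as an added example that is not part of the Samsung material: a per-VLAN snooping table that applies the Group Membership and Last Member Query Timeout timers together with the Immediate Leave and Flood DPM options. The class name, the simulated clock and all timer values and ports are constructed; the querier function (sending general queries when no router is present) is left out.

```python
# Added example (not from the Samsung slides): a simplified per-VLAN IGMP
# snooping table that applies the Group Membership and Last Member Query
# Timeout timers together with the Immediate Leave and Flood DPM options.
# Time is a simulated clock in seconds; all timer values, ports and the
# group address used when exercising the class are constructed.


class IgmpSnoopingVlan:
    """Snooping state for one VLAN (the slides allow per-VLAN operation)."""

    def __init__(self, group_membership, last_member_query_timeout,
                 immediate_leave=False, flood_dpm=True):
        self.group_membership = group_membership
        self.lmqt = last_member_query_timeout
        self.immediate_leave = immediate_leave
        self.flood_dpm = flood_dpm
        self.members = {}   # group -> {port: membership expiry time}
        self.pending = {}   # (group, port) -> deadline to answer a group query
        self.queries = []   # group-specific queries sent: (group, port, time)

    def report(self, group, port, now):
        """A membership report on port restarts its Group Membership timer
        and cancels any outstanding last-member query for it."""
        self.members.setdefault(group, {})[port] = now + self.group_membership
        self.pending.pop((group, port), None)

    def leave(self, group, port, now):
        """A leave message: drop the port at once with Immediate Leave,
        otherwise send a group-specific query and wait up to LMQT."""
        if port not in self.members.get(group, {}):
            return
        if self.immediate_leave:
            self._remove(group, port)
        else:
            self.queries.append((group, port, now))
            self.pending[(group, port)] = now + self.lmqt

    def tick(self, now):
        """Expire unanswered last-member queries and aged-out memberships."""
        for (group, port), deadline in list(self.pending.items()):
            if now >= deadline:
                self._remove(group, port)
        for group, ports in list(self.members.items()):
            for port, expiry in list(ports.items()):
                if now >= expiry:
                    self._remove(group, port)

    def _remove(self, group, port):
        self.pending.pop((group, port), None)
        ports = self.members.get(group, {})
        ports.pop(port, None)
        if not ports:
            self.members.pop(group, None)

    def egress_ports(self, group, all_ports):
        """Ports a frame for group is forwarded to. With no registered
        member, the Flood DPM setting decides between flooding and dropping."""
        ports = set(self.members.get(group, {}))
        if ports:
            return ports
        return set(all_ports) if self.flood_dpm else set()
```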
Virtual LAN (VLAN)
-Port based VLAN
-MAC based VLAN
-802.1Q Tag based VLAN
-Protocol based VLAN
-IP-subnet based VLAN
VLAN
• GPLIM
– 256 VLANs
– Mode: MAC based VLAN, Port based VLAN, 802.1Q Tag based VLAN
• GSIM
– 1024 VLANs
– Mode: Port based VLAN, MAC based VLAN, IP based VLAN, Protocol based VLAN
VLAN - GPLIM(1)
• MAC based VLAN: a VLAN is configured for each MAC address.
– A MAC based VLAN basically does not contain port information.
– A port becomes a member of the VLAN by receiving packets from that MAC address.
– An ARP packet must be transmitted to the switch before members of a VLAN can exchange packets.
VLAN - GPLIM(2)
• MAC based VLAN (cont’d)
– Select ‘MAC’ from VLAN Operation Mode
– Select the corresponding VLAN and enter VLAN Name and VLAN ID
– Enter the MAC address in the [Classification] menu
VLAN - GPLIM(3)
• Port Based VLAN
– A single port can be assigned to multiple VLANs.
– Broadcast packets transmitted by the port are transmitted to all VLANs containing the port.
– Ports not assigned to any VLAN serve as a single VLAN.
VLAN - GPLIM(4)
• Port based VLAN (cont’d)
– Select ‘Port’ from VLAN Operation Mode
– Select the corresponding VLAN and enter VLAN Name and VLAN ID
VLAN - GPLIM(5)
• 802.1Q (IVL/SVL)
– 1. Member set
– 2. Untagged set
– 3. PVID (Port VLAN ID)
(Note) If you change the VLAN operation mode, the previous VLAN setting is cleared.
VLAN - GPLIM(6)
In the [Port]->[VLAN]->[Port VID] menu, set how an untagged frame is handled when it is received:
– Untagged frames are sent to the VLAN registered as the Port VID. ‘1’ is the default VLAN that includes all ports.
– Set drop/pass for incoming untagged frames. To drop them, tick the checkbox.
VLAN - GPLIM(7)
• 802.1Q (IVL/SVL) (cont’d)
– IVL (Independent VLAN Learning)
• One FDB per VLAN ID
• If an individual MAC address is learned in one VLAN, the learned information is NOT used in forwarding decisions for any other VLAN
– SVL (Shared VLAN Learning)
• One single FDB
• If an individual MAC address is learned in one VLAN, the learned information is used in forwarding decisions for all other VLANs
– IVL vs SVL
VLAN - GPLIM(8)
• Classification
– If the VLAN mode is ‘802.1Q’, the VLAN ID is decided depending on the protocol of the received packet.
– Classification Mode
• For a MAC based VLAN, ‘MAC’ is selected.
• For an 802.1Q based VLAN, ‘proto’ is selected.
VLAN – GSIM (1)
• Port based VLAN
– VLAN Create
– VLAN Edit
• Add/Delete members
• Egress-Tagged: a packet sent out through the port is transmitted as a tagged packet
VLAN – GSIM (2)
• Trunk port setting (Static Trunk)
– The member ports of each group must always have the same VLAN characteristics.
– Ports with different VLAN characteristics cannot be included in the trunk group.
– In the case of LACP, if the link of a member port is not connected, the trunk device (po1, po2, …) is hidden.
VLAN – GSIM (3)
• Port Setup
– Set Port ID
– Ingress-Filter: for security; the type of packets accepted from the port can be limited via the Frame-Type.
– Frame Type: configure which ingress packets are accepted (All-Packet/Tagged-Packet)
VLAN – GSIM (4)
• VLAN Classification
– MAC-based VLAN: configured according to the source MAC address of the untagged packet arriving at the port
– IP-based VLAN: configure the VLAN depending on the IP subnet of the untagged packet coming in on the port
– Protocol-based VLAN: configure the VLAN depending on the protocol type of the untagged packet coming in on the selected port. If the port belongs to a trunk group, the same setting must be made on all member ports of the trunk group.
VLAN
• CLI command
If you cannot connect to a GPLIM/GSIM board because of the VLAN configuration, you have to configure it using CLI commands.
1. Enter the “show vlan all bridge 1” command to display the current VLAN configuration.
VLAN
• CLI command (cont’d)
2. Enter the “configure terminal” command.
3. Enter the “vlan database” command to configure the VLAN database.
4. Enter the “no vlan 2 bridge 1” command to clear the information about VLAN 2.
5. Return to ‘enable mode’.
6. Enter the “show vlan all bridge 1” command to display the current VLAN configuration.
L2 QoS
-Port based L2 QoS
-802.1p Tag based L2 QoS
802.1p tag based L2 QoS
• Assumptions for the configuration example
– Set L2 QoS for MP, MGI, and IP Phone (ITP).
– MP and MGI do not support 802.1p and are connected to P1 and P7, respectively.
– The IP Phones connected to P3, P4, P5, and P6 support the 802.1p tag priority function.
– The IP Phones connected to P3 and P4 support 802.1p and send a tag value of 7. The IP Phones connected to P5 and P6 also support 802.1p and send a tag value of 1.
802.1p tag based L2 QoS
(Figure: GPLIM with MP and MGI, which cannot support the 802.1p function, and IP Phones with 802.1p tag field values of 7 and 1)
802.1p tag based L2 QoS
Figure callouts:
– Weight Round Robin: process 3 packets with a high priority and then one packet with a low priority.
– If QoS Mode is set to ‘All High before Low’, set the maximum time during which a low-priority packet may remain unprocessed. When the set time is reached, those packets are processed first.
– Set this value (the tag level) as high priority.
1. From the [Port]->[QoS] menu, select the QoS mode as ‘Weight Round Robin’ or ‘All High before Low’.
2. Since the tag values with a high priority are 1 and 7, tick Level 1 and Level 7.
(Figure: GPLIM)
802.1p tag based L2 QoS
Always set a high priority for MP and MGI, which do not support 802.1p.
3. From the [Port]->[Config] menu, set the priority of the ports to which MP and MGI are connected as High. When set as High, the port operates at high priority even if there is no value in the Tag field.
(Figure: GPLIM)
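The two GPLIM scheduling modes from the steps above, simulated as an added example that is not part of the Samsung material: ‘Weight Round Robin’ (3 high-priority frames, then 1 low-priority frame) and ‘All High before Low’ with the maximum time a low-priority frame may wait. The function names, the frame labels and the slot-based clock are constructed; the 3:1 weight follows the slide.

```python
# Added example (not from the Samsung slides): simulation of the two L2 QoS
# scheduling modes the slide describes. Frame labels and the slot clock are
# constructed; the 3:1 weight follows the slide text.
from collections import deque


def schedule_wrr(high, low, high_weight=3, low_weight=1):
    """Weight Round Robin: serve up to high_weight frames from the high
    queue, then up to low_weight frames from the low queue, and repeat
    until both queues are empty. Low traffic is never starved."""
    high, low = deque(high), deque(low)
    order = []
    while high or low:
        for _ in range(high_weight):
            if high:
                order.append(high.popleft())
        for _ in range(low_weight):
            if low:
                order.append(low.popleft())
    return order


def schedule_high_before_low(high, low, max_low_wait):
    """All High before Low: strict priority, except that a low-priority
    frame which has waited max_low_wait slots is sent first (the slide's
    maximum-time setting). Queue entries are (label, arrival_slot) and one
    frame is sent per slot."""
    high, low = deque(high), deque(low)
    order = []
    slot = 0
    while high or low:
        if low and slot - low[0][1] >= max_low_wait:
            label, _ = low.popleft()   # timeout reached: low frame goes first
        elif high:
            label, _ = high.popleft()
        else:
            label, _ = low.popleft()
        order.append(label)
        slot += 1
    return order


def starvation_demo(max_low_wait):
    """Four high-priority frames and one low-priority frame all arrive at
    slot 0; returns the position (0-based) at which the low frame is sent."""
    high = [("h1", 0), ("h2", 0), ("h3", 0), ("h4", 0)]
    low = [("l1", 0)]
    return schedule_high_before_low(high, low, max_low_wait).index("l1")
```

With a large timeout the low-priority frame waits behind every high-priority frame; with a small one it is pulled forward after that many slots.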
Port based L2 QoS
• Assumptions for the configuration example
– Set L2 QoS for MP, MGI and IP Phone (ITP).
– MP and MGI do not support 802.1p, and are connected to P1 and P7, respectively.
– The IP Phones (ITP) are connected to P3, P4, P5, and P6; 802.1p is not supported.
Port based L2 QoS
(Figure: GPLIM with MP, MGI and ITP (IP Phone) without the 802.1p function)
Port based L2 QoS
1. To use the Priority function in the [Port]->[QoS] menu, the QoS mode should be set to ‘Weighted Round Robin’ or ‘All High before Low’. Thus, set the QoS mode as shown in the figure below:
(Figure: GPLIM)
Port based L2 QoS
2. In the [Port]->[Config] menu, set the priority of the ports to which MP, MGI and the IP Phones are connected as High.
(Figure: GPLIM)
Security
MAC Authentication
• Assumptions for the configuration example
1. The four PCs have the following MAC addresses:
PC#1 : 00-00-F0-12-34-56
PC#2 : 00-00-F0-AB-CD-EF
PC#3 : 00-00-F0-56-78-9A
PC#4 : 00-00-F0-65-43-21
2. PC#1 is used to connect to P7 only.
PC#2 is used to connect to P5 only.
PC#3 is used to connect to P12 only.
PC#4 is not available.
MAC Authentication
(Figure: GPLIM with MP and MGI; PC#1 is used to connect to P7 only, PC#2 and PC#3 are authorized, PC#4 is not authorized)
MAC Authentication
1. In the [Port]->[Config] menu, tick “Security” for each port on which security is required. This disables MAC learning on the port.
(Figure: GPLIM)
MAC Authentication
2. In the [Port]->[MAC]->[Static Address] menu, enter the MAC address of each PC and its port information.
(Figure: GPLIM, showing the MAC addresses of PC#1, #2 and #3 entered against port 4, port 3 and port 6)
Mirroring
Port Mirroring
• Assumptions for the configuration example
1. Capture the IP packet information on the Management PC connected to P10.
2. Capture all Tx/Rx data generated by the MP.
3. The address of the MP network is 192.168.10.1/24.
4. Check and store the captured information using the Ethereal program on the PC.
(Refer to http://www.ethereal.com/download.html)
Port Mirroring
(Figure: GPLIM with MP (IP 192.168.10.1/24), MGI (IP 192.168.20.1/24) and the Management PC; the MP <-> MGI data traffic is mirrored from P1 to P10)
Port Mirroring
1. From the [Port]->[MISC] menu, select the Mode, Monitoring Port and Monitored Port.
> Monitoring Port: the port to which the PC terminal used to view the captured data is connected (the port to which the PC is connected).
> Monitored Port: the port to which the terminal that sends/receives the data to be captured is connected (the port to which the MP is connected).
Mode:
– Ingress: mirror only packets received on the Monitored Port to the selected port
– Egress: mirror only packets transmitted from the Monitored Port to the selected port
– Both: mirror packets both transmitted and received on the Monitored Port to the selected port
Port Mirroring
(Figure: GSIM, showing the port to which the MP is connected and the port to which the PC is connected)
Select the [Port]->[Mirror Config] menu to perform the port mirroring. To apply the configurations specified to the system,
Port Mirroring
2. Start the Ethereal program on the PC connected to the Monitoring Port.
3. Enter ‘ip host 192.168.10.1’ in the Filter field (the MP IP is 192.168.10.1).
4. If you enter the filter as shown below and press OK, only packets with the MP IP are captured, out of the data monitored from the port to which the MP is connected.
Authentication
Authentication (802.1x)
Select [Authentication]->[Management] to activate/deactivate authentication on the system. When [Run] is executed under Action while Activity is set to Stop, the items of [Authentication]->[Configuration] can be set.
The host IP address, host, and key of the Radius server to be used must be registered. The default Radius host port is 1812. Click the [OK] button after the setting; the setting is then applied.
Authentication (802.1x)
The re-authentication setting and the cycle setting are applied only when the setting is changed, because a default value exists.
Control:
– None: authentication is not performed for the port.
– Force-Authorized: admits the port forcibly.
– Force-Unauthorized: blocks the port forcibly.
– Auto: allows or blocks the port according to the result of authentication by the Radius server.
Why IVL? (1)
(Figure) SVL would not work: A is learned from both port 1 and port 4; no STP in the example.
Why IVL? (2)
(Figure) SVL would not work: A is learned from both port 1 and port 3; STP enabled, VLAN-aware connector.
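The IVL/SVL distinction from the 802.1Q slide and the "Why IVL?" figures, replayed as an added example that is not part of the Samsung material: a learning bridge FDB keyed by (VLAN, MAC) in IVL mode or by MAC alone in SVL mode, with station A learned on port 1 in one VLAN and on port 4 in another. The class name, VLAN IDs, port membership and the MAC address are constructed.

```python
# Added example (not from the Samsung slides): a minimal learning-bridge
# forwarding database that runs in IVL or SVL mode, used to replay the
# "Why IVL?" scenario where station A is seen on port 1 in one VLAN and on
# port 4 in another. VLAN IDs, ports and the MAC address are constructed.

FLOOD = "flood"


class BridgeFDB:
    """In IVL mode entries are keyed by (VLAN, MAC), one FDB per VLAN.
    In SVL mode there is a single FDB keyed by MAC alone, so a MAC learned
    in one VLAN overwrites the entry every other VLAN uses."""

    def __init__(self, mode, vlan_members):
        assert mode in ("IVL", "SVL")
        self.mode = mode
        self.vlan_members = vlan_members   # vlan id -> set of member ports
        self.table = {}

    def _key(self, vlan, mac):
        return (vlan, mac) if self.mode == "IVL" else mac

    def learn(self, vlan, mac, port):
        """Source-address learning: remember the port the MAC was seen on."""
        self.table[self._key(vlan, mac)] = port

    def forward(self, vlan, dst_mac):
        """Egress port for dst_mac in vlan: FLOOD if unknown, or None if the
        learned port is not a member of vlan (dropped by egress filtering)."""
        port = self.table.get(self._key(vlan, dst_mac))
        if port is None:
            return FLOOD
        if port not in self.vlan_members[vlan]:
            return None
        return port


def why_ivl_scenario(mode):
    """Station A (one MAC) is reachable on port 1 in VLAN 10 and on port 4
    in VLAN 20. Returns the egress ports chosen for a VLAN 10 frame and a
    VLAN 20 frame addressed to A: IVL keeps both paths, SVL loses one."""
    members = {10: {1, 2}, 20: {3, 4}}
    fdb = BridgeFDB(mode, members)
    a = "00:00:F0:00:00:0A"   # constructed MAC address for station A
    fdb.learn(10, a, 1)       # A's frame seen on port 1 in VLAN 10
    fdb.learn(20, a, 4)       # A's frame seen on port 4 in VLAN 20
    return fdb.forward(10, a), fdb.forward(20, a)
```

Under SVL the second learn overwrites the single entry for A with port 4, so a VLAN 10 frame to A is sent toward a port that is not a VLAN 10 member and is dropped.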
Why SVL?
Thank you !