officeserv data server enterprise ip solutions l2 protocol mar, 2006 officeserv lab1 samsung...

OfficeServOfficeServ Data Server Data ServerEnterprise IP Solutions

L2 Protocol

Mar, 2006

OfficeServ Lab1

Samsung Electronics Co., Ltd.

2/57Samsung Confidential & Proprietary InformationCopyright 2006, All Rights Reserved.

74007400

Contents

• STP / RSTP• Port Trunking• IGMP Snooping• VLAN• L2 QoS• Security• Mirroring• Authentication


74007400

STP/RSTP


74007400

Rapid Spanning Tree Protocol

• Bridge Parameter– Bridge Priority : Decides the priority of Bridges– Hello Time : Sets the transmission cycle of BPD

U– Max Age Time : Sets the Message Age Time– Forward Time : The time that the state of each

port is changed by level

• Port Parameter– Priority : Standard to select the port to be block

ed when the switch loop is established– Force Version : Communication is progressed vi

a the switch connected to the corresponding port and the BP 여 that a user specifies.

– Path Cost : The path cost according to the bandwidth when the connection with the opponent is established

– Portfast – Link Type : The link is connected as point-to-poi

nt in RSTP


74007400


①

① Designated Bridge Identifier The upper 4 digits represent the bridge priority and the remaining lower digits are expressed as the

system MAC address

② Root Bridge Identifier Among the connected switched, it indicates the identifier of the switch equipment selected as the root

bridge. Therefore, if there is no connection between switched, the Root Bridge Identifier displays the same information as the Designated Bridge Identifier.

③ Root Path Cost When the root bridge is decided, it displays the calculated cost for the path to the root switch

④ Root Port If the current equipment is not the root switch, it indicates the ID of the port corresponding to the root port.

⑤ Last Topology changed

②③④

⑤


74007400


0x8002

The role of the port that selected via the BDPU exchange between switches.

Disable, Alternative, Backup, Designated, Root

If a switch connected to the corresponding port is more close to the root switch, the Designated Root shows the Bridge identifier of the connected switch. Otherwise, Designated Root shows its own Bridge identifier

Port priority Port Index

Discarding, Learning, Forwarding, Blocking


74007400

Port Trunking


74007400

Port Trunking - GPLIM

The packet is transferred to a port among members included to the trunk group. Select an algorithm to select a port for transfer.

• Up to 8 groups can be generated, and up to 4 ports can be included to a group as members.

• In addition, a member included to a group cannot be included anther group simultaneously.

• Displayed when selecting the trunk configuration as ‘LACP’.

– For the Active, a LACP packet is transferred to the opposite party first, based on the system.

– For the Passive, it is responded only when receiving a packet from the opposite system.

– If the user system and opposite system are all set up as Active, a system that has higher priority is used as a reference.


74007400

Port Trunking - GSIM

LACP is distinguished with Static Trunking in that the configuration as the LACP port automatically forms bandwidth

The LACP Configuration window can configure trunk groups and add or delete members

The selection of the algorithm to select the port to sent out the packets.

Select [Port Trunking] [Status] menu to specify the configuration related to Port Trunking

GSIM


74007400

IGMP Snooping


74007400

IGMP Snooping

According to VLANs, the IGMP Snooping can be operated respectively


74007400

IGMP Snooping

Select the VLAN and the Category to configure, enter the time and click the [OK] button to store the configuration

Group Membership The time to exit from the multicast forwarding database list when new report does not exist Last Member Query Timeout The time to wait a response report after sending a query to check if the host is the last host when multicast router receives a leave message from a host. If the report is not replied until the time is elapsed, the host is deleted from the group. Max Response The maximum time until its response when IGMP Snooping query is received Other Query The time until the operation as a querier starts when a query from the multicast router doest not exist


74007400

IGMP Snooping

Querier and Immediate Leave can be set of each VLAN, but Cross VLAN and Flood DPM can be set on a bridge basis.

Querier The operation as IGMP querier when the multicast router does not exist. Immediate Leave Deletes a host from the group immediately when receiving the Leave Message. Cross VLAN Forwards multicast packets to all ports regardless of VLAN. Flood DPM If no member exists in the IGMP group, sets whether to forward multicast packets.

In GSIM board, it is supported using [IGMP snooping] -> [Multicast Filter] menu.


74007400

IGMP Snooping

In GSIM board, it is supported Cross VLAN and Flood DPM function in GPLIM board as shown in the figure below:

Forward group Always forwards multicast packets Filter unregistered group Drops multicast packets when any member pertaining to IGMP group doesn’t exit Forward unregistered group Forwards multicast packets when any member pertaining to IGMP group doesn’t exit

GSIM


74007400

IGMP Snooping

224. 1. 1. 20

Display the information on the members registered in IGMP Group.

Click the [Refresh] button to update the information displayed on the web screen into the latest information.


74007400

Virtual LAN (VLAN)

-Port based VLAN

-MAC based VLAN

-802.1Q Tag based VLAN

-Protocol based VLAN

-IP-subnet based VLAN


74007400

VLAN

• GPLIM – 256 VLANs– Mode

• MAC based VLAN• Port based VLAN• 802.1Q Tag based VLAN

• GSIM– 1024 VLANs– Mode

• Port based VLAN• MAC based VLAN• IP based VLAN• Protocol based VLAN


74007400

VLAN - GPLIM(1)

• MAC based VLAN: VLAN is configured for each MAC address

– A MAC based VLAN does not basically contain port information.

– The port serves as a VLAN member by receiving packets.– The ARP packet must be transmitted to the switch to enable

members of a VLAN to exchange packets.


74007400

VLAN - GPLIM(2)

• MAC based VLAN (cont’d)– Select ‘MAC’ from VLAN

Operation Mode

– Select the corresponding VLAN and enter VLAN Name and VLAN ID

– Enter the MAC address into [Classification] menu


74007400

VLAN - GPLIM(3)

• Port Based VLAN– A single port can be assigned to multiple VLANs.– Broadcast packets transmitted by the port is transmitted to all VL

ANs containing the port.– Ports not assigned to any VLANs serve as a single VLAN.


74007400

VLAN - GPLIM(4)

• Port based VLAN (cont’d)– Select ‘Port’ from VLAN

Operation Mode

– Select the corresponding VLAN and enter VLAN Name and VLAN ID


74007400

VLAN - GPLIM(5)

• 802.1Q (IVL/SVL)– 1. Member set

– 2. Untagged set

– 3. PVID (Port VLAN ID)

(Note) If you change the VLAN operation mode, the previous VLAN setting is cleared.


74007400

VLAN - GPLIM(6)

In the [Port]->[VLAN]->[Port VID] menu, set the operation method when an untagged frame is received

Send a frame to VLAN registered in the Port VID‘1’ is a default VLAN that includes all ports

Set drop/pass when an untagged frame is delivered.For drop, tick off the checkbox


74007400

VLAN - GPLIM(7)

• 802.1Q (IVL/SVL) (cont’d)– IVL (Independent VLAN Learning)

• One FDB per each VLAN ID• if individual MAC address learned in one VLAN, learned information NOT us

ed in forwarding decisions relative to all other VLANs

– SVL(Shared VLAN Learning)• One single FDB• if individual MAC address learned in one VLAN, learned information used in f

orwarding decisions relative to all other VLANs

– IVL vs SVL


74007400

VLAN - GPLIM(8)

• Classification– If the VLAN mode is ‘802.1Q’, VLAN ID is decided depending on the

protocol of the packet received.

– Classification Mode• In case of MAC based VLAN, ‘MAC’ is selected.• In case of 802.1Q based VLAN, ‘proto’ is selected.


74007400

VLAN – GSIM (1)

• Port based VLAN– VLAN Create

– VLAN Edit• Add/Delete members• Egress-Tagged

Egress-TaggedThe packet that sends out to the outside via a port is sent out as Tagged-Packet


74007400

VLAN – GSIM (2)

• The trunk port is set (Static Trunk)– The member port of each

group should have always the same VLAN characteristics.

– The ports with the different VLAN characteristics cannot be involved in the trunk group.

– In case of LACP, if the link of its member port is not connected, the trunk device (po1, po2, …) is hidden.


74007400

VLAN – GSIM (3)

• Port Setup– Set Port ID

– Ingress-Filter• For Security• The type of packets coming

from the port can be limited via the Frame-Type.

– Frame Type• Configure Ingress Packet

(All-Packet/Tagged-Packet)


74007400

VLAN – GSIM (4)

• VLAN Classification– MAC-based VLAN

• Configuration in accordance with the source MAC address of the Untagged packet arriving to the port

– IP-based VLAN• Configure VLAN depending on the IP subnet of the Untagged packet

coming in the port

– Protocol-based VLAN• Configure VLAN depending on the protocol type of the Untagged packet

coming in the corresponding port selected• If the port is set as the trunk group, the same setting is to be made in all

number ports of the trunk group


74007400

VLAN

• Cli command

If you can’t connect to a GPLIM/GSIM board because of VLAN configuration, you have to configure using cli command.

1. Enter “show vlan all bridge 1” command Display current configurations of VLAN.


74007400

VLAN

• Cli command

2. Enter “configure terminal” command 3. Enter “vlan database” command to configure vlan database4. Enter “no vlan 2 bridge 1” command to clear information about VLAN 25. Return ‘enable mode’6. Enter “show vlan all bridge 1” command to display current configurations of VLAN


74007400

L2 QoS

-Port based L2 QoS

-802.1p Tag based L2 QoS


74007400

802.1p tag based L2 QoS

• Assumption for configuration Example– Set L2 QoS for MP, MGI, and IP Phone (ITP).

– MP and MGI are not provided with 802.1p and connected to P1, P7, respectively.

– If the IP Phone is connected to P3, P4, P5, and P6, the 802.1p Tag priority function is provided.

– The IP Phone connected to P3, P4 is provided with 802.1p, and a tag value is set to 7.The IP Phone connected to P5, P6 is also provided with 802.1p, and a tag value is set to 1.


74007400


MP

MGI

IP Phone with 7 value of 802.1p tag field

IP Phone with 1 value of 802.1p tag field

Cannot support the 802.1p function

GPLIM


74007400


Process 3 packets with a high priority and then one packet with a low priority

If QoS Mode is set to ‘All High before Low’, set the maximum time when a packet with a low priority is not processedIf the set time is reached, packets are first processed

Set this value to high priority

1. From the [Port]->[QoS] menu, select the QoS mode as ‘Weight Round Robin’ or ‘All High before Low’.

2. Since the Tag information with a high priority is 1 and 7, tick off Level1 and 7.

GPLIM


74007400


Always, set a high priority for MP and MGI for which 802.1p is not provided

3. From the [Port]->[Config] menu, set the priority of a port to which MP and MGI are connected as High. If set as High, set to ensure that a port with a high priority can be operated even if there is novalue in the Tag field.

GPLIM


74007400

Port based L2 QoS

• Assumption for configuration Example– Set L2 QoS for MP, MGI and IP Phone (ITP).

– MP and MGI are not provided with 802.1p, and connected to P1, P7, respectively.

– The IP Phone (ITP) is connected to P3, P4, P5, and P6.802.1p is not supported


74007400

Port based L2 QoS

ITP(IP Phone) Without the 802.1p Function

MP

MGI

GPLIM


74007400

Port based L2 QoS1. To use the Priority function in the [Port]->[QoS] menu, the QoS mode should be set to ‘Weighted Round Robin’ or ‘All High before Low’. Thus, set the QoS mode as shown in the figure below:

GPLIM


74007400

Port based L2 QoS2. In the [Port]->[Config] menu, set the priority of the port to which MP, MGI and IP Phone are connected as High.

GPLIM


74007400

Security


74007400

MAC Authentication

• Assumption for Configuration Example

1. Four PCs has the following MAC addresses:

PC#1 : 00-00-F0-12-34-56

PC#2 : 00-00-F0-AB-CD-EF

PC#3 : 00-00-F0-56-78-9A

PC#4 : 00-00-F0-65-43-21

2. PC#1 is used to connect to P7 only.

PC#2 is used to connect to P5 only.

PC#3 is used to connect to P12 only.

PC#4 is not available.


74007400

MAC Authentication

MP

MGI

GPLIM

PC#2

×○

×

○

PC#1 is used to connect to P7 onlyPC#4 is not authorized

PC#2 and PC#3 are authorized.

PC#4 PC#3

PC#1


74007400

MAC Authentication

1. In the [Port]->[Config] menu, tick off the “Security” of a port whose security is requested.

Disable MAC learningGPLIM


74007400

MAC Authentication

2. In the [Port]->[MAC]->[Static Address] menu, enter a MAC address of PC and information on the port.

MAC address of PC#1, #2, and #3

port 4

port 3

port 6

GPLIM


74007400

Mirroring


74007400

Port Mirroring

• Assumption for Configuration Example

1. Capture the IP packet information in the Management PC connected to P10.

2. Capture all Tx/Rx data generated from MP.

3. An address of the MP network is 192.168.10.1/24.

4. Check and store the capture information using the Ethereal program in PC.

(Refer to http://www.ethereal.com/download.html )


74007400

Port Mirroring

MP

MGI

GPLIM

MP IP : 192.168.10.1/24 MGI IP : 192.168.20.1/24

Management PC

MP <-> MGI Data Traffic

Data Traffic Mirrored From P1 to P10


74007400

Port Mirroring

1. From the [Port]->[MISC] menu, select information on Mode, Monitoring Port, Monitored Port. > Monitoring Port: A port to which a PC terminal for viewing data to be captured is connected. > Monitored Port: A port to which a terminal sends/ receives data to be captured is connected.

Port to which MP is connected

Information on a port to which PC is connected

Ingress: Select packet information only received from the Monitored Port to the selected port

Egress: Select packet information only transmitted from the Monitored Port to the selected port

Both: Select packet information only transmitted/received from the Monitored Port to the selected port


74007400

Port Mirroring

GSIM

Select [Port] [Mirror Config] menu to perform the port mirroring.To apply the configurations specified to the system,

Port to which MP is connected

Information on a port to which PC is connected


74007400

Port Mirroring

2. Start the Ethereal program in the PC connected to the Monitoring Port.3. Enter ‘ip host 192.168.10.1’ in the Filter field. Then, MP IP is 192.168.10.1.4. If you enter as shown below and press OK, only packets with an MP IP are captured, among data monitored from the port to which MP is connected.


74007400

Authentication


74007400

Authentication (802.1x)

Select [Authentication] [Management] to activate/deactivate the authentication of system. When executing [Run] of Action if Activity is set to Stop, items of [Authentication] [Configuration] can be set.

The host IP address, host, and key should be registered of the Radius server to be used. The default of the Radius Host Port is 1812 port. Click the [OK] button after the setting. Then, the setting is applied.


74007400

Authentication (802.1x)

Re-authentication setting and the cycle setting are applied only when setting is changed because there is default value

Control None : Authentication is not performed for the port Force-Authorized : Admits the port forcibly Force-Unauthorized : Block the port forcibly. Auto : Allows the port through authentication from the Radius server and blocks the port


74007400

Why IVL? (1)

SVL would not work! (A learned from both port 1 and 4) no STP in the example


74007400

Why IVL? (2)

SVL would not work! (A learned from both port 1 and 3) STP enabled, VLAN-aware connector


74007400

Why SVL?


74007400

Thank you !

officeserv data server enterprise ip solutions l2 protocol mar, 2006 officeserv lab1 samsung...

Documents

root switch root port

designated root

corresponding port

port trunking slide

root path cost

connected switch

port trunking gplim

level port parameter