Source: manuals.ts.fujitsu.com/file/11970/sbax3-cg-en.pdf
Page 1 of 47-
PRIMERGY 10/40GbE Connection Blade 18/8+2 Configuration Guide
FUJITSU
CONTENTS
1. CONFIGURING VLAN ... 4
1.1 CONFIGURING UNTAG VLAN ... 4
1.2 CONFIGURING TAG VLAN ... 4
1.3 CONFIGURING PROTOCOL VLAN ... 5
2. CONFIGURING LINK AGGREGATION ... 6
2.1 CONFIGURING STATIC LINK AGGREGATION ... 6
2.2 CONFIGURING LINK AGGREGATION WITH LACP ... 7
3. CONFIGURING BACKUP PORT ... 8
4. CONFIGURING MAC FILTERING ... 9
4.1 CONFIGURING MAC FILTER 1 ... 10
4.2 CONFIGURING MAC FILTER 2 ... 11
4.3 CONFIGURING MAC FILTER 3 ... 11
4.4 CONFIGURING MAC FILTER 4 ... 12
4.5 CONFIGURING MAC FILTER 5 ... 12
5. CONFIGURING STATIC MAC FORWARDING ... 14
6. CONFIGURING QOS ... 15
6.1 CONFIGURING PRIORITY CONTROL ... 15
6.2 CONFIGURING PRIORITY CONTROL REWRITE ... 15
6.2.1 DSCP value rewrite ... 16
6.2.2 IP Precedence value rewrite ... 16
6.2.3 Change queue of packets in VLAN ... 17
7. CONFIGURING SPANNING TREE ... 18
7.1 CONFIGURING STP ... 18
7.2 CONFIGURING MSTP ... 19
8. CONFIGURING IGMP SNOOPING ... 22
9. CONFIGURING MLD SNOOPING ... 24
10. CONFIGURING IEEE 802.1X AUTHENTICATION ... 26
11. CONFIGURING PORT MIRRORING ... 29
12. CONFIGURING ETHER L3 MONITORING ... 30
12.1 CONFIGURING ETHER L3 MONITORING WITH PORT ... 30
12.2 CONFIGURING ETHER L3 MONITORING WITH LINK AGGREGATION ... 31
13. CONFIGURING PORT RECOVERY LIMIT FUNCTION ... 32
14. CONFIGURING IP FILTERING ... 34
14.1 CONFIGURING IP FILTER 1 ... 34
14.2 CONFIGURING IP FILTER 2 (IPV6 FILTERING) ... 35
14.3 CONFIGURING IP FILTER 3 ... 36
14.4 CONFIGURING IP FILTER 4 ... 37
14.5 CONFIGURING IP FILTER 5 ... 37
15. CONFIGURING DSCP VALUE CHANGE ... 38
16. CONFIGURING SNMP AGENT ... 39
16.1 CONFIGURING SNMP ... 39
16.2 CONFIGURING SNMPV3 ... 39
17. CONFIGURING SYSTEM LOG ... 41
18. CONFIGURING SCHEDULE FUNCTION ... 42
18.1 CONFIGURING THE RESERVATION OF SWITCHING CONFIGURATION FILE ... 42
19. CONFIGURING APPLICATION FILTER ... 42
20. CONFIGURING IEEE802.1Q TUNNELING ... 43
21. CONFIGURING CEE ... 46
1. Configuring VLAN
1.1 Configuring untag VLAN
This section describes an example of how to configure an untagged VLAN.
[Configuration Target]
Assign Interface0/1 to untag VLAN(VID10)
Assign Interface0/5 to untag VLAN(VID20)
Assign IP address(192.168.20.1/24) to VLAN(VID20)
[Commands]
#Assign Interface0/1 to untag VLAN10
(config)#interface 0/1
(config-if)#vlan untag 10
#Assign Interface0/5 to untag VLAN20
(config)#interface 0/5
(config-if)#vlan untag 20
#Assign IP address(192.168.20.1/24) to VLAN(VID20)
(config)#lan 0 ip address 192.168.20.1/24 3
(config)#lan 0 vlan20
#Save the configuration
(config)#save
1.2 Configuring tag VLAN
This section describes an example of how to configure tagged VLANs.
[Configuration Target]
Assign Interface0/1 to tag VLAN(VID10,20)
Assign Interface0/5 to tag VLAN(VID10,20)
Assign IP address(192.168.20.1/24) to VLAN(VID20)
[Commands]
#Assign Interface0/1 to tag VLAN10,20
(config)#interface 0/1
(config-if)#vlan tag 10,20
#Assign Interface0/5 to tag VLAN10,20
(config)#interface 0/5
(config-if)#vlan tag 10,20
#Assign IP address(192.168.20.1/24) to VLAN(VID20)
(config)#lan 0 ip address 192.168.20.1/24 3
(config)#lan 0 vlan20
#Save the configuration
(config)#save
1.3 Configuring protocol VLAN
This section describes how to configure a protocol VLAN in which IP packets are sent and
received on VLAN10 and VLAN20, while all non-IP packets are sent and received on VLAN100.
[Configuration Target]
Assign Interface0/1 to untag VLAN(VID10,100)
Assign Interface0/5 to untag VLAN(VID20,100)
Assign VLAN10,20 to IPv4 Protocol VLAN
Assign IP address(192.168.20.1/24) to VLAN(VID20)
[Commands]
#Assign Interface0/1 to untag VLAN10, 100
(config)#interface 0/1
(config-if)#vlan untag 10,100
#Assign Interface0/5 to untag VLAN20, 100
(config)#interface 0/5
(config-if)#vlan untag 20,100
#Configure VLAN10, 20 as protocol VLAN of IPv4
(config)#vlan 10 protocol ipv4
(config)#vlan 20 protocol ipv4
#Assign IP address 192.168.20.1/24 to VLAN20
(config)#lan 0 ip address 192.168.20.1/24 3
(config)#lan 0 vlan20
#Save the configuration
(config)#save
2. Configuring Link Aggregation
2.1 Configuring Static Link Aggregation
This section describes how to configure link aggregation without LACP using 4 links.
[Configuration Target]
Configure static link aggregation with Interface0/19-0/22
Assign IP address(192.168.20.1/24) to VLAN(VID20)
[Commands]
#SBAX3#1
#Assign Interface0/19-0/22 to tag VLAN(VID10,20)
(config)#interface range 0/19-0/22
(config-if)#vlan tag 10,20
#Configure static link aggregation with Interface0/19-0/22
(config)#interface range 0/19-0/22
(config-if)#type linkaggregation 1
(config-if)#vlan untag 20
#Assign VLAN(VID20) to IP address(192.168.20.1/24)
(config)#lan 0 ip address 192.168.20.1/24 3
(config)#lan 0 vlan20
#Save the configuration
(config)#save
#SBAX3#2
#Assign Interface0/19-0/22 to tag VLAN(VID10,20)
(config)#interface range 0/19-0/22
(config-if)#vlan tag 10,20
#Configure static link aggregation with Interface0/19-0/22
(config)#interface range 0/19-0/22
(config-if)#type linkaggregation 1
(config-if)#vlan untag 20
#Assign IP address(192.168.20.2/24) to VLAN(VID20)
(config)#lan 0 ip address 192.168.20.2/24 3
(config)#lan 0 vlan20
#Save the configuration
(config)#save
[Figure: SBAX3#1 and SBAX3#2 connected by the 4-link static aggregation]
2.2 Configuring Link Aggregation with LACP
This section describes how to configure link aggregation with LACP using 4 links.
[Configuration Target]
Configure link aggregation with LACP with Interface0/19-0/22
Assign VLAN(VID20) to IP address(192.168.20.1/24)
[Commands]
#SBAX3#1
#Assign Interface0/19-0/22 to tag VLAN(VID10,20)
(config)#interface range 0/19-0/22
(config-if)#vlan tag 10,20
#Configure link aggregation with LACP with Interface0/19-0/22 and set active mode
(config)#interface range 0/19-0/22
(config-if)#type linkaggregation 1
(config)#linkaggregation 1 mode active
#Assign IP address(192.168.20.1/24) to VLAN(VID20)
(config)#lan 0 ip address 192.168.20.1/24 3
(config)#lan 0 vlan20
#Save the configuration
(config)#save
#SBAX3#2
#Assign Interface0/19-0/22 to tag VLAN(VID10,20)
(config)#interface range 0/19-0/22
(config-if)#vlan tag 10,20
#Configure link aggregation with LACP with Interface0/19-0/22 and set active mode
(config)#interface range 0/19-0/22
(config-if)#type linkaggregation 1
(config)#linkaggregation 1 mode active
#Assign IP address(192.168.20.2/24) to VLAN(VID20)
(config)#lan 0 ip address 192.168.20.2/24 3
(config)#lan 0 vlan20
#Save the configuration
(config)#save
[Figure: SBAX3#1 and SBAX3#2 connected by the 4-link LACP aggregation]
3. Configuring Backup Port
This section describes how to configure a backup port.
[Configuration Target]
Configure a backup port group with Interface0/19 and 0/26: 0/19 as the master port and 0/26 as
the backup port.
Configure the group in master port preference mode.
[Commands]
#SBAX3#1
#Configure Interface0/19 as the master port of backup port group1.
(config)#interface 0/19
(config-if)#type backup 1 master
#Configure Interface0/26 as the backup port of backup port group1.
(config)#interface 0/26
(config-if)#type backup 1 backup
#Configure backup group1 to master port preference mode.
(config)#backup 1 mode master
#Save the configuration
(config)#save
[Figure: the SBAX3 connected to two upstream switches, Interface0/19 as master port and Interface0/26 as backup port]
4. Configuring MAC filtering
This section describes how to configure MAC filtering, which limits network traffic and
restricts access for security purposes using a combination of MAC address, packet format,
Ethernet type, VLAN ID and CoS value.
[Filtering Condition]
Packet data flow can be controlled by specifying the following parameters.
1) Specify an ACL MAC definition and ACL VLAN definition for the filter
- Source MAC information (MAC address/packet format/Ethernet type/LSAP)
- Destination MAC information (MAC address/packet format/Ethernet type/LSAP)
- VLAN ID
- CoS value
- Source IP information (IP address/address mask)
- Destination IP information (IP address/address mask)
- Protocol
- TCP/UDP port number
- ICMP type, ICMP code
- TOS value, DSCP value of the IP packet
2) Specify the interface (or VLAN) for the MAC filter
3) Specify the action (reject or pass) for the MAC filter
Filter entries are evaluated in ascending filter-number order and the first matching entry
decides; the examples below therefore give the pass entries lower numbers than the catch-all
reject entry.
[Filtering Design Policy]
There are two ways to design a filter.
[Figure: unexpected connections, unexpected access and wrong access are rejected; allowed access reaches the allowed server]
A. Pass the specified packets and reject all others.
B. Reject the specified packets and pass all others.
This chapter explains the following examples for A.
-Pass only packets of the specified source MAC address.
-Pass only packets of the specified destination MAC address.
And explains the following example for B.
-Reject only packets of the specified packet format.
Note:
When this function is used together with protocol VLAN, MAC filtering is disabled for frames
recognized as belonging to the protocol VLAN. Refer to the "vlan protocol" command for the
frames recognized as protocol VLAN.
4.1 Configuring MAC filter 1
This section describes how to configure MAC filter which passes only packets of the specified
source MAC address and rejects the other packets.
[Filtering Design]
VLAN 10 consists of interface0/1-0/8 and they are untag VLAN.
VLAN 20 consists of interface0/1-0/4 and interface0/9-0/12.Interface0/1-0/4 is tag VLAN and
Interface0/9-0/12 is untag VLAN.
Interface0/4-0/8 in VLAN 10 pass only packets with source MAC address 00:0b:01:02:03:04
and reject all other packets.
[Commands]
#Configure ACL which specifies source MAC address 00:0b:01:02:03:04 and VLAN 10.---(1)
(config)#acl 100 mac 00:0b:01:02:03:04 any any
(config)#acl 100 vlan 10 any
#Configure ACL which specifies all packet format of VLAN10. --- (2)
(config)#acl 110 vlan 10 any
#Configure mac filter which passes packets specified by (1) in interface0/4-0/8.
(config)#interface range 0/4-0/8
(config-if)#macfilter 0 pass 100
#Configure mac filter which rejects packets specified by (2) in interface0/4-0/8.
(config)#interface range 0/4-0/8
(config-if)#macfilter 1 reject 110
4.2 Configuring MAC filter 2
This section describes how to configure MAC filter which passes only packets of the specified
destination MAC address and rejects the other packets.
[Filtering Design]
VLAN 10 consists of interface0/1-0/8 and they are untag VLAN.
VLAN 20 consists of interface0/1-0/4 and interface0/9-0/12.Interface0/1-0/4 is tag VLAN and
Interface0/9-0/12 is untag VLAN.
Interface0/4-0/8 in VLAN 10 pass only packets with destination MAC address
00:0b:01:02:03:04 and reject all other packets.
[Commands]
#Configure ACL which specifies destination MAC address 00:0b:01:02:03:04 and VLAN
10.---(1)
(config)#acl 120 mac any 00:0b:01:02:03:04 any
(config)#acl 120 vlan 10 any
#Configure ACL which specifies all packet format of VLAN10. --- (2)
(config)#acl 110 vlan 10 any
#Configure mac filter which pass packets specified by (1) in interface0/4-0/8
(config)#interface range 0/4-0/8
(config-if)#macfilter 0 pass 120
#Configure mac filter which rejects packets specified by (2) in interface0/4-0/8
(config)#interface range 0/4-0/8
(config-if)#macfilter 1 reject 110
4.3 Configuring MAC filter 3
This section describes how to configure a MAC filter which rejects only packets of the specified
packet format (Ethernet type) and passes all other packets.
[Filtering Design]
VLAN 10 consists of interface0/1-0/8 and they are untag VLAN.
VLAN 20 consists of interface0/1-0/4 and interface0/9-0/12.Interface0/1-0/4 is tag VLAN and
Interface0/9-0/12 is untag VLAN.
Interface0/1-0/4 rejects IP protocol packets and passes the other packets.
[Commands]
#Configure ACLs which specify the IP protocol family (IP, ARP, Reverse ARP) ---(1)
(config)#acl 130 mac any any ether 0800
(config)#acl 131 mac any any ether 0806
(config)#acl 132 mac any any ether 8035
#Configure mac filter which rejects packets specified by (1) in interface0/1-0/4
(config)#interface range 0/1-0/4
(config-if)#macfilter 0 reject 130
(config-if)#macfilter 1 reject 131
(config-if)#macfilter 2 reject 132
4.4 Configuring MAC filter 4
This section describes how to configure a MAC filter which rejects only the traffic between the
specified MAC addresses. Because a MAC ACL matches a single source/destination pair, each
direction of the conversation needs its own ACL.
[Filtering Design]
VLAN 10 consists of interface0/1-0/4 with untag and 0/5-0/8 with tag.
VLAN 20 consists of interface0/1-0/4 with tag and interface0/5-0/8 with tag.
In VLAN10, Only TCP Traffic is rejected between MAC address 00:0b:01:02:03:04 and
00:0b:11:12:13:14
In VLAN20, Only UDP traffic is rejected between MAC address 00:0b:21:22:23:24 and
00:0b:31:32:33:34.
[Commands]
#Configure ACL which specifies TCP packets from source MAC address 00:0b:01:02:03:04 to
destination MAC address 00:0b:11:12:13:14. --- (1)
(config)#acl 0 mac 00:0b:01:02:03:04 00:0b:11:12:13:14 any
(config)#acl 0 ip any any 6 any
#Configure ACL which specifies TCP packets from source MAC address 00:0b:11:12:13:14 to
destination MAC address 00:0b:01:02:03:04. --- (2)
(config)#acl 1 mac 00:0b:11:12:13:14 00:0b:01:02:03:04 any
(config)#acl 1 ip any any 6 any
#Configure ACL which specifies UDP packets from source MAC address 00:0b:21:22:23:24 to
destination MAC address 00:0b:31:32:33:34. --- (3)
(config)#acl 2 mac 00:0b:21:22:23:24 00:0b:31:32:33:34 any
(config)#acl 2 ip any any 17 any
#Configure ACL which specifies UDP packets from source MAC address 00:0b:31:32:33:34 to
destination MAC address 00:0b:21:22:23:24. --- (4)
(config)#acl 3 mac 00:0b:31:32:33:34 00:0b:21:22:23:24 any
(config)#acl 3 ip any any 17 any
#Configure mac filter which rejects packets specified by (1) and (2) in VLAN10.
(config)#vlan 10 macfilter 0 reject 0
(config)#vlan 10 macfilter 1 reject 1
#Configure mac filter which rejects packets specified by (3) and (4) in VLAN20.
(config)#vlan 20 macfilter 0 reject 2
(config)#vlan 20 macfilter 1 reject 3
4.5 Configuring MAC filter 5
This section describes how to configure MAC filter which passes only the traffic between the
specified MAC addresses.
[Filtering Design]
VLAN 10 consists of interface0/1-0/4 with untag and 0/5-0/8 with tag.
VLAN 20 consists of interface0/5-0/8 with untag.
In VLAN10, Only IP protocol packets are passed.
In VLAN20, Only FNA protocol packets are passed.
[Commands]
#Configure ACLs which specify the IP protocol family (IP, ARP, Reverse ARP) ---(1)
(config)#acl 10 mac any any ether 0800
(config)#acl 11 mac any any ether 0806
(config)#acl 12 mac any any ether 8035
#Configure ACL which specifies FNA format---(2)
(config)#acl 20 mac any any llc 8080
(config)#acl 21 mac any any llc 0000
(config)#acl 22 mac any any llc 0001
#Configure ACL which specifies all packets-----(3)
(config)#acl 30 mac any any any
#Configure mac filter which passes only packets specified by (1) in VLAN10 and rejects all others --(4)
(config)#vlan 10 macfilter 0 pass 10
(config)#vlan 10 macfilter 1 pass 11
(config)#vlan 10 macfilter 2 pass 12
(config)#vlan 10 macfilter 3 reject 30
#Configure mac filter which passes only packets specified by (2) in VLAN20 and rejects all others --(5)
(config)#vlan 20 macfilter 0 pass 20
(config)#vlan 20 macfilter 1 pass 21
(config)#vlan 20 macfilter 2 pass 22
(config)#vlan 20 macfilter 3 reject 30
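The following is an added example, not Fujitsu's code and not part of the original guide. It parses acl/macfilter lines written in the style of sections 4.1 to 4.5 and evaluates constructed frames against them, so that the two points these sections rely on can be checked before a configuration is loaded: the pass entries must carry lower filter numbers than the catch-all reject, and a pair of hosts is only isolated when both directions have their own ACL. Two things are assumptions rather than statements from the guide: that entries are evaluated in ascending filter number with the first match deciding, and that a frame matching no entry is passed (the explicit catch-all reject in the examples implies this default). The frames and the MISORDERED configuration are constructed for the example.

```python
"""First-match evaluator for SBAX3-style acl/macfilter lines (added example,
not Fujitsu's code). Assumptions: ascending filter-number evaluation, first
match decides, no match means pass."""


def expand_ports(spec):
    """'0/4-0/8' -> ['0/4', ..., '0/8']; '0/2,0/5' -> ['0/2', '0/5']."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            slot, first = lo.split("/")
            for n in range(int(first), int(hi.split("/")[1]) + 1):
                ports.append(f"{slot}/{n}")
        else:
            ports.append(part)
    return ports


def parse_config(text):
    """Return (acls, filters); each filter is (scope, number, action, acl_id)."""
    acls, filters, scope = {}, [], []
    for line in text.splitlines():
        t = line.split("#", 1)[-1].split()       # drop the "(config)#" prompt
        if not t:
            continue
        if t[0] == "acl":
            acl = acls.setdefault(int(t[1]), {})
            if t[2] == "mac":                    # acl N mac <src> <dst> <any|ether X|llc X>
                acl["src"], acl["dst"] = t[3], t[4]
                acl["fmt"] = None if t[5] == "any" else (t[5], t[6].lower())
            elif t[2] == "vlan":                 # acl N vlan <vid|any> <cos|any>
                acl["vid"], acl["cos"] = t[3], t[4]
            elif t[2] == "ip":                   # acl N ip <src> <dst> <proto> ...
                acl["sip"], acl["dip"], acl["proto"] = t[3], t[4], t[5]
        elif t[0] == "interface":                # sets the (config-if) scope
            scope = [("port", p) for p in expand_ports(t[-1])]
        elif t[0] == "macfilter":                # interface-scoped entry
            filters += [(s, int(t[1]), t[2], int(t[3])) for s in scope]
        elif t[0] == "vlan" and len(t) > 5 and t[2] == "macfilter":
            filters.append((("vlan", t[1]), int(t[3]), t[4], int(t[5])))
    return acls, filters


def acl_matches(acl, f):
    """True when every field present in the ACL matches the frame."""
    fmt = acl.get("fmt")
    return (acl.get("src", "any") in ("any", f["src"])
            and acl.get("dst", "any") in ("any", f["dst"])
            and (fmt is None or fmt == (f.get("kind", "ether"), f["type"]))
            and acl.get("vid", "any") in ("any", str(f["vid"]))
            and acl.get("cos", "any") in ("any", str(f.get("cos", 0)))
            and acl.get("proto", "any") in ("any", str(f.get("proto", ""))))


def decide(config_text, frame):
    """Action of the first matching entry among the filters that apply to the
    frame's ingress port or VLAN, lowest filter number first."""
    acls, filters = parse_config(config_text)
    applicable = [flt for flt in filters
                  if flt[0] in (("port", frame["port"]), ("vlan", str(frame["vid"])))]
    for _, _, action, acl_id in sorted(applicable, key=lambda flt: flt[1]):
        if acl_matches(acls[acl_id], frame):
            return action
    return "pass"


# VLAN10: IP family only (section 4.5). VLAN20: TCP between two hosts is
# rejected in both directions (section 4.4, ACL 0 and its reverse ACL 1).
CONFIG = """
(config)#acl 10 mac any any ether 0800
(config)#acl 11 mac any any ether 0806
(config)#acl 12 mac any any ether 8035
(config)#acl 30 mac any any any
(config)#vlan 10 macfilter 0 pass 10
(config)#vlan 10 macfilter 1 pass 11
(config)#vlan 10 macfilter 2 pass 12
(config)#vlan 10 macfilter 3 reject 30
(config)#acl 0 mac 00:0b:01:02:03:04 00:0b:11:12:13:14 any
(config)#acl 0 ip any any 6 any
(config)#acl 1 mac 00:0b:11:12:13:14 00:0b:01:02:03:04 any
(config)#acl 1 ip any any 6 any
(config)#vlan 20 macfilter 0 reject 0
(config)#vlan 20 macfilter 1 reject 1
"""

# Constructed misordering: the catch-all reject carries the lowest number,
# so it matches before the pass entry and blocks everything in VLAN10.
MISORDERED = """
(config)#acl 10 mac any any ether 0800
(config)#acl 30 mac any any any
(config)#vlan 10 macfilter 0 reject 30
(config)#vlan 10 macfilter 1 pass 10
"""

# Constructed frames (not from the guide); A and B are the hosts of section 4.4
A, B = "00:0b:01:02:03:04", "00:0b:11:12:13:14"
IPV4_VLAN10 = dict(port="0/1", vid=10, src=A, dst=B, type="0800", proto=6)
IPV6_VLAN10 = dict(port="0/1", vid=10, src=A, dst=B, type="86dd")
TCP_A_TO_B = dict(port="0/5", vid=20, src=A, dst=B, type="0800", proto=6)
TCP_B_TO_A = dict(port="0/6", vid=20, src=B, dst=A, type="0800", proto=6)
UDP_A_TO_B = dict(port="0/5", vid=20, src=A, dst=B, type="0800", proto=17)
OTHER_VLAN = dict(port="0/9", vid=30, src=A, dst=B, type="86dd")

if __name__ == "__main__":
    for name, frame in [("IPv4 in VLAN10", IPV4_VLAN10), ("IPv6 in VLAN10", IPV6_VLAN10),
                        ("TCP A->B", TCP_A_TO_B), ("TCP B->A", TCP_B_TO_A),
                        ("UDP A->B", UDP_A_TO_B), ("VLAN30", OTHER_VLAN)]:
        print(f"{name:15} -> {decide(CONFIG, frame)}")
    print(f"{'misordered':15} -> {decide(MISORDERED, IPV4_VLAN10)}")
```

Note that the IPv6 frame in VLAN10 is rejected: the allowlist of section 4.5 admits only Ethernet types 0800, 0806 and 8035, so IPv6 (86dd) falls through to the catch-all reject, which is the intended effect of design policy A.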
5. Configuring Static MAC forwarding
This section describes how to add MAC addresses to the FDB as static entries.
A MAC address entered manually in the FDB does not age out, so frames to that address are
always forwarded to the configured port instead of being flooded to the network.
[Configuration Targets]
Assign Interface0/2, 0/5 which Server#1,#2 are connected to VLAN(VID10).
Assign Interface0/10 which Server#3 is connected to VLAN(VID20).
Add MAC address of Servers to FDB as static entry.
Server#1 MAC address: 00:00:00:00:00:11
Server#2 MAC address: 00:00:00:00:00:22
Server#3 MAC address: 00:00:00:00:00:33
[Commands]
#Assign Interface0/2 and 0/5 to untag VLAN(VID10)
(config)#interface range 0/2,0/5
(config-if)#vlan untag 10
#Assign Interface0/10 to untag VLAN(VID20)
(config)#interface 0/10
(config-if)#vlan untag 20
#Add MAC address to FDB in VLAN10.
(config)#vlan 10 forward 0 00:00:00:00:00:11 2
(config)#vlan 10 forward 1 00:00:00:00:00:22 5
#Add MAC address to FDB in VLAN20.
(config)#vlan 20 forward 0 00:00:00:00:00:33 10
#Save the configuration
(config)#save
[Figure: Server#1 and Server#2 in VLAN10, Server#3 in VLAN20]
6. Configuring QoS
6.1 Configuring priority control
This section describes how to configure priority control, which assigns an egress port queue of
a different priority to each User Priority value (CoS) in the VLAN tag.
[Priority Control Design]
Packet Type   CoS Value   Queue class
Management    3           3
Voice/FAX     2           2
Movie         1           1
Other         0           0
[Commands]
(config)#interface 0/1
(config-if)#qos prioritymap 0 0
(config-if)#qos prioritymap 1 1
(config-if)#qos prioritymap 2 2
(config-if)#qos prioritymap 3 3
6.2 Configuring priority control rewrite
This section describes how to configure priority control rewrite which rewrites priority control
information of packets specified with combination of Mac address, packet format, Ethernet
type, VLAN ID and CoS value.
[Rewrite Condition]
Priority control information can be rewritten by specifying the following parameters.
1) Specify an ACL MAC definition and ACL VLAN definition for the QoS ACL map
- Source MAC information (MAC address/packet format/Ethernet type/LSAP)
- Destination MAC information (MAC address/packet format/Ethernet type/LSAP)
- VLAN ID
- CoS value
- Source IP information (IP address/address mask)
- Destination IP information (IP address/address mask)
- TCP/UDP port number
- ICMP type, ICMP code
- TOS value, DSCP value of the IP packet
2) Specify the interface (or VLAN) for the QoS ACL map
3) Specify the rewrite action for the QoS ACL map
- Rewrite the DSCP value
- Rewrite the IP precedence value
- Change the egress queue used by packets received on the ingress port
6.2.1. DSCP value rewrite
This section describes how to configure DSCP value rewrite of all ingress packets in the
specified interfaces in VLAN.
[Rewrite request]
VLAN 10 consists of interface0/1-0/8 and they are tag VLAN.
The DSCP value of all packets received on interface0/1 is rewritten to 40.
[Commands]
#Configure ACL which specifies all packets --- (1)
(config)#acl 120 mac any any any
#Configure DSCP value rewrite which rewrites DSCP value of packets specified by (1) to 40
(config)#interface 0/1
(config-if)#qos aclmap 0 dscp 40 120
#Save the configuration
(config)#save
6.2.2. IP Precedence value rewrite
This section describes how to configure IP precedence value rewrite, which rewrites the IP
precedence value of packets that have the specified CoS value on the specified ports in a VLAN.
[Rewrite request]
VLAN 10 consists of interface0/1-0/8 and they are tag VLAN.
The IP precedence value of packets with CoS value 5 is rewritten to 6 in VLAN10.
[Commands]
#Configure ACL which specifies packets of VLAN ID10 and CoS value 5 ---(1)
(config)#acl 150 vlan 10 5
#Configure QoS ACL map which rewrites ip precedence value of packets specified by (1) to 6
in interface0/1-0/8 in VLAN10.
(config)#interface range 0/1-0/8
(config-if)#qos aclmap 0 tos 6 150
#Save the configuration
(config)#save
6.2.3. Change queue of packets in VLAN
This section describes how to configure the change queue function, which changes the egress
queue used by packets received on the ingress port.
[Rewrite request]
VLAN20 consists of interface0/1-0/5 and 0/1-0/4 is tag VLAN. 0/5 is untag VLAN.
Queue of packets of source Mac address 00:0b:01:02:03:04 is changed to 3.
[Commands]
#Configure ACL which specifies source MAC address 00:0b:01:02:03:04 ---(1)
(config)#acl 100 mac 00:0b:01:02:03:04 any any
#Configure QoS ACL map which changes queue of packets specified by(1) in VLAN20.
(config)#vlan 20 qos aclmap 0 queue 3 100
#Save the configuration
(config)#save
Note:
When this function is used together with protocol VLAN, QoS is disabled for frames recognized
as belonging to the protocol VLAN. Refer to the "vlan protocol" command for the frames
recognized as protocol VLAN.
When this function is used together with MAC filtering, QoS is disabled for frames matched by
the MAC filter.
7. Configuring Spanning Tree
This section describes how to configure STP.
7.1 Configuring STP
[Configuration Target]
Enable STP
Assign Interface0/17 and 0/26 to VLAN(VID10)
[Commands]
#Assign Interface0/17 and 0/26 to VLAN(VID10)
(config)#interface range 0/17,0/26
(config-if)#vlan untag 10
#Enable STP on Interface0/17 and 0/26.
(config)#interface range 0/17,0/26
(config-if)#stp use on
#Save the configuration
(config)#save
[Figure: the SBAX3 connected to two upstream switches through Interface0/17 and Interface0/26]
7.2 Configuring MSTP
This section describes how to configure MSTP. MSTP runs a separate spanning tree instance for
each group of VLANs, so different VLAN groups can use different active paths.
[Configuration Target]
Control frames per VLAN by using MSTP in the following VLAN environment. The same
VLAN-to-instance mapping is configured on all four switches; only the bridge priorities differ.
[Instance 0]
Bridge Priority (highest first): SBAX3#1 -> SBAX3#2 -> SBAX3#3 -> SBAX3#4
[Instance 1]
Bridge Priority (highest first): SBAX3#1 -> SBAX3#2 -> SBAX3#3 -> SBAX3#4
VLAN 100, 200
[Instance 2]
Bridge Priority (highest first): SBAX3#1 -> SBAX3#3 -> SBAX3#2 -> SBAX3#4
VLAN 300
<SBAX3#1>
Connect interface0/19 to SBAX3#2
Connect interface0/26 to SBAX3#3
Configure STP path cost of interface 0/19 and 0/26 to 20000 for all instances.
[Figure: SBAX3#1, #2, #3 and #4 interconnected as listed below; VLAN100,200 and VLAN300 servers attached to SBAX3#4]
<SBAX3#2>
Connect interface0/19 to SBAX3#1
Connect interface0/23 to SBAX3#3
Connect interface0/26 to SBAX3#4
Configure STP path cost of interface 0/19, 0/23 and 0/26 to 20000 for all instances.
<SBAX3#3>
Connect interface0/19 to SBAX3#1
Connect interface0/23 to SBAX3#2
Connect interface0/26 to SBAX3#4
Configure STP path cost of interface 0/19, 0/23 and 0/26 to 20000 for all instances.
<SBAX3#4>
Connect interface0/19 to SBAX3#2
Connect interface0/26 to SBAX3#3
Configure STP path cost of interface 0/19 and 0/26 to 20000 for all instances.
Connect the servers of VLAN100 to interface0/20-0/21.
Connect the servers of VLAN200 to interface0/22.
Connect the servers of VLAN300 to interface0/24-0/25.
[Commands]
#SBAX3#1
#Configure STP path cost in interface0/19, 0/26.
(config)#interface range 0/19,0/26
(config-if)#stp domain 0 cost 20000
(config-if)#stp domain 1 cost 20000
(config-if)#stp domain 2 cost 20000
#Configure VLAN
(config)#interface range 0/19,0/26
(config-if)#vlan tag 100,200,300
#Configure STP
(config)#stp mode mstp
(config)#stp domain 1 vlan 100,200
(config)#stp domain 2 vlan 300
(config)#stp domain 0 priority 4096
(config)#stp domain 1 priority 4096
(config)#stp domain 2 priority 4096
#Save the configuration
(config)#save
#SBAX3#2
#Configure STP path cost in interface0/19, 0/23, 0/26
(config)#interface range 0/19,0/23,0/26
(config-if)#stp domain 0 cost 20000
(config-if)#stp domain 1 cost 20000
(config-if)#stp domain 2 cost 20000
#Configure VLAN
(config)#interface range 0/19,0/23,0/26
(config-if)#vlan tag 100,200,300
#Configure STP
(config)#stp mode mstp
(config)#stp domain 1 vlan 100,200
(config)#stp domain 2 vlan 300
(config)#stp domain 0 priority 8192
(config)#stp domain 1 priority 8192
(config)#stp domain 2 priority 12288
#Save the configuration
(config)#save
#SBAX3#3
#Configure STP path cost in interface0/19, 0/23, 0/26
(config)#interface range 0/19,0/23,0/26
(config-if)#stp domain 0 cost 20000
(config-if)#stp domain 1 cost 20000
(config-if)#stp domain 2 cost 20000
#Configure VLAN
(config)#interface range 0/19,0/23,0/26
(config-if)#vlan tag 100,200,300
#Configure STP
(config)#stp mode mstp
(config)#stp domain 1 vlan 100,200
(config)#stp domain 2 vlan 300
(config)#stp domain 0 priority 12288
(config)#stp domain 1 priority 12288
(config)#stp domain 2 priority 8192
#Save the configuration
(config)#save
#SBAX3#4
#Configure STP path cost in interface0/19, 0/26
(config)#interface range 0/19,0/26
(config-if)#stp domain 0 cost 20000
(config-if)#stp domain 1 cost 20000
(config-if)#stp domain 2 cost 20000
#Configure VLAN
(config)#interface range 0/19,0/26
(config-if)#vlan tag 100,200,300
#Configure STP
(config)#stp mode mstp
(config)#stp domain 1 vlan 100,200
(config)#stp domain 2 vlan 300
(config)#stp domain 0 priority 32768
(config)#stp domain 1 priority 32768
(config)#stp domain 2 priority 32768
#Save the configuration
(config)#save
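The following is an added example, not Fujitsu's code and not part of the original guide. It computes, from the bridge priorities and path costs configured on the four switches above, the root bridge of each MST instance, every switch's root path cost and the role of each inter-switch port, so the effect of swapping SBAX3#2 and SBAX3#3 in instance 2 can be seen before anything is cabled. The bridge MAC addresses are assumed (hypothetical) and serve only as the tie-breaker inside the bridge ID; the election is the simplified (root path cost, bridge ID) comparison of IEEE 802.1Q and omits the port ID tie-breakers, which this topology never needs.

```python
"""Per-instance MSTP roles for the four-switch topology of section 7.2
(added example, not Fujitsu's code). Bridge MACs are assumed."""
import heapq

# Inter-switch links from the section: (bridge, port, bridge, port, path cost)
LINKS = [
    ("SBAX3#1", "0/19", "SBAX3#2", "0/19", 20000),
    ("SBAX3#1", "0/26", "SBAX3#3", "0/19", 20000),
    ("SBAX3#2", "0/23", "SBAX3#3", "0/23", 20000),
    ("SBAX3#2", "0/26", "SBAX3#4", "0/19", 20000),
    ("SBAX3#3", "0/26", "SBAX3#4", "0/26", 20000),
]

# "stp domain N priority" values from the commands above
PRIORITIES = {
    0: {"SBAX3#1": 4096, "SBAX3#2": 8192, "SBAX3#3": 12288, "SBAX3#4": 32768},
    1: {"SBAX3#1": 4096, "SBAX3#2": 8192, "SBAX3#3": 12288, "SBAX3#4": 32768},
    2: {"SBAX3#1": 4096, "SBAX3#2": 12288, "SBAX3#3": 8192, "SBAX3#4": 32768},
}

# Assumed bridge MAC addresses (hypothetical); the lower one wins on equal priority
MACS = {"SBAX3#1": "00:0b:00:00:00:01", "SBAX3#2": "00:0b:00:00:00:02",
        "SBAX3#3": "00:0b:00:00:00:03", "SBAX3#4": "00:0b:00:00:00:04"}


def compute_instance(instance):
    """Return (root bridge, {bridge: root path cost}, {(bridge, port): role})."""
    prio = PRIORITIES[instance]
    bridge_id = lambda b: (prio[b], MACS[b])
    root = min(prio, key=bridge_id)           # lowest bridge ID is the root

    adj = {b: [] for b in prio}                # bridge -> [(neighbour, own port, cost)]
    for a, pa, b, pb, cost in LINKS:
        adj[a].append((b, pa, cost))
        adj[b].append((a, pb, cost))

    # Root path cost: shortest path from the root (Dijkstra)
    rpc = {b: float("inf") for b in prio}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        c, u = heapq.heappop(heap)
        if c > rpc[u]:
            continue
        for v, _, cost in adj[u]:
            if c + cost < rpc[v]:
                rpc[v] = c + cost
                heapq.heappush(heap, (rpc[v], v))

    roles = {}
    for b in prio:
        # Root port: the link with the lowest (cost via neighbour, neighbour bridge ID)
        root_port = None if b == root else min(
            adj[b], key=lambda n: (rpc[n[0]] + n[2], bridge_id(n[0])))[1]
        for v, pb, _ in adj[b]:
            if pb == root_port:
                roles[(b, pb)] = "root"
            elif (rpc[b], bridge_id(b)) < (rpc[v], bridge_id(v)):
                roles[(b, pb)] = "designated"  # b is the designated bridge on this link
            else:
                roles[(b, pb)] = "alternate"   # blocked
    return root, rpc, roles


if __name__ == "__main__":
    for inst in sorted(PRIORITIES):
        root, rpc, roles = compute_instance(inst)
        print(f"instance {inst}: root {root}")
        for (b, p), role in sorted(roles.items()):
            print(f"  {b} {p}: {role} (root path cost {rpc[b]})")
```

With all priorities lowest on SBAX3#1 it is the root of every instance and the SBAX3#2/#3 priorities decide only the ties: in instances 0 and 1 SBAX3#4 reaches the root through SBAX3#2 (port 0/19) and SBAX3#3 blocks 0/23, while in instance 2 SBAX3#4 uses SBAX3#3 (port 0/26) and SBAX3#2 blocks 0/23. VLAN 100/200 and VLAN 300 traffic from the servers on SBAX3#4 therefore take different uplinks.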
8. Configuring IGMP Snooping
SBAX3 detects the ports on which multicast packets have been requested and forwards multicast
packets only to those ports by using IGMP snooping. This constrains the flooding of multicast
traffic and avoids delivering unnecessary multicast packets to servers.
Note:
- Multicast communication may not work if it is done without IGMP.
- A port connected to another IGMP snooping-enabled device should be set as a multicast
router port.
- If two or more multicast routers are connected to the SBAX3, the multicast router ports
must be set. If they are not set, the multicast router port is not recognized correctly and
multicast packets may not reach hosts beyond the multicast router.
- In SBAX3, a group address entry that has been registered once is not erased; only its
output port information is erased. Unnecessary group addresses can be deleted with the
"clear igmpsnoop group" command.
- When the number of multicast group addresses exceeds the registration limit, packets for
the groups beyond the limit are flooded within the VLAN. IGMP snooping should not be used if
the number of multicast groups exceeds the limit.
- SBAX3 distinguishes groups only by the low 23 bits of the address, because that is all the
multicast MAC address carries. SBAX3 treats "224.1.1.1" and "225.1.1.1" as the same group; a
listener registered for either of them receives packets for both.
- When IGMP snooping is enabled and there is no "vlan igmpsnoop source" definition, the source
address of IGMP queries is "0.0.0.0". If a device cannot handle IGMP Query packets whose
source address is "0.0.0.0", configure the source address with the "vlan igmpsnoop source"
command. In a network where a multicast router is connected, set a source address numerically
larger than the multicast router's address, so that the router remains the querier.
- In an environment where IGMP v1 and v2 are mixed, set "vlan igmpsnoop proxy" to "off".
- IGMP snooping cannot be used in a network where other protocols (such as IPv6) are in use.
Disable the function in such an environment.
- In a network where no multicast router is connected, do not disable the querier with the
"vlan igmpsnoop querier" command.
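The following is an added example, not Fujitsu's code and not part of the original guide. It implements the IPv4 group-to-MAC mapping behind the "low 23 bits" note above and adds the check a practitioner wants when planning groups: which of the intended groups would share one multicast MAC and therefore one snooping entry. As an extension beyond the note, it also includes the IPv6 mapping relevant to the MLD chapter, which uses the low 32 bits of the group address, so two IPv6 groups alias only if they agree on those 32 bits. The planned group list is constructed for the example.

```python
"""IPv4/IPv6 multicast group to MAC mapping and an aliasing check
(added example, not Fujitsu's code)."""
import ipaddress
from collections import defaultdict


def ipv4_multicast_mac(group):
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ipv6_multicast_mac(group):
    """RFC 2464 mapping: 33:33 followed by the low 32 bits of the group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return "33:33:" + ":".join("%02x" % b for b in addr.packed[-4:])


def ipv4_aliases(group):
    """All 32 IPv4 groups that map to the same MAC as `group`: the 5 address
    bits the MAC cannot carry (the low 4 bits of the first octet and bit 23)."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


def mac_collisions(groups):
    """Map each multicast MAC shared by more than one planned group to those groups."""
    by_mac = defaultdict(list)
    for g in groups:
        mac = ipv6_multicast_mac(g) if ":" in g else ipv4_multicast_mac(g)
        by_mac[mac].append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}


# Constructed group plan (not from the guide): two pairs collide, one group is alone
PLANNED_GROUPS = ["224.1.1.1", "225.1.1.1", "239.2.2.2", "239.130.2.2", "239.3.3.3"]

if __name__ == "__main__":
    for g in PLANNED_GROUPS:
        print(f"{g:14} -> {ipv4_multicast_mac(g)}")
    print("colliding groups:", mac_collisions(PLANNED_GROUPS))
```

Because the snooping switch keys its forwarding entries by the MAC address, listeners joined to any group in a collision set receive traffic for all of them; a group plan for a snooping VLAN should avoid pairs that differ only in those 5 bits.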
[Figure: Multicast Router#1 and Multicast Router#2, two senders and three listeners connected to the SBAX3]
[Configuration Target]
Use IGMP snooping
Listener#1 Port: Interface0/1,0/2
VLAN: 10
Listener#2 Port: Interface0/3,0/4
VLAN: 11
Listener#3 Port: Interface0/5,0/6
VLAN: 12
Multicast router#1 is connected to interface0/25, to which VLAN10-12 are assigned as tag VLAN.
Multicast router#2 is connected to interface0/26, to which VLAN10 is assigned as untag VLAN.
[Commands]
#Enable IGMP snooping
(config)#igmpsnoop use on
#Assign the listener ports and the multicast router ports to their VLANs
(config)#interface range 0/1-0/2
(config-if)#vlan untag 10
(config)#interface range 0/3-0/4
(config-if)#vlan untag 11
(config)#interface range 0/5-0/6
(config-if)#vlan untag 12
(config)#interface 0/25
(config-if)#vlan tag 10,11,12
(config)#interface 0/26
(config-if)#vlan untag 10
#Configure the multicast router ports for VLAN10, to which multiple multicast routers are connected
(config)#vlan 10 igmpsnoop router yes 25,26
#Save the configuration
(config)#save
9. Configuring MLD Snooping
SBAX3 detects the ports on which IPv6 multicast packets have been requested and forwards
multicast packets only to those ports by using MLD snooping. This constrains the flooding of
IPv6 multicast traffic and avoids delivering unnecessary IPv6 multicast packets to servers.
Note:
- IPv6 multicast communication may not work if it is done without MLD.
- A port connected to another MLD snooping-enabled device should be set as a multicast
router port.
- If two or more multicast routers are connected to the SBAX3, the multicast router ports
must be set. If they are not set, the multicast router port is not recognized correctly and
IPv6 multicast packets may not reach hosts beyond the multicast router.
- In SBAX3, a group address entry that has been registered once is not erased; only its
output port information is erased. Unnecessary group addresses can be deleted with the
"clear mldsnoop group" command.
- When the number of multicast group addresses exceeds the registration limit, packets for
the groups beyond the limit are flooded within the VLAN. MLD snooping should not be used if
the number of multicast groups exceeds the limit.
- When MLD snooping is enabled and there is no "vlan mldsnoop source" definition, the source
address of MLD queries is "::". If a device cannot handle MLD Query packets whose source
address is "::", configure the source address with the "vlan mldsnoop source" command. In a
network where a multicast router is connected, set a source address numerically larger than
the multicast router's address, so that the router remains the querier.
- In a network where IPv4 is also used, IGMP snooping should be enabled as well.
- MLD snooping cannot be used in a network where protocols other than IP are in use. Disable
the function in such an environment.
- In a network where no multicast router is connected, do not disable the querier with the
"vlan mldsnoop querier" command.
[Figure: Multicast Router#1 and Multicast Router#2, two Senders and three Listeners connected to SBAX3]
[Configuration Target]
Use MLD snooping
Listener#1 Port: Interface0/1,0/2
VLAN: 10
Listener#2 Port: Interface0/3,0/4
VLAN: 11
Listener#3 Port: Interface0/5,0/6
VLAN: 12
Multicast router#1 is connected to interface0/25, to which VLAN10-12 are assigned as tag VLANs.
Multicast router#2 is connected to interface0/26, to which VLAN10 is assigned as a tag VLAN.
[Commands]
#Enable MLD snooping
(config)#mldsnoop use on
(config)#interface range 0/1-0/2
(config-if)#vlan untag 10
(config)#interface range 0/3-0/4
(config-if)#vlan untag 11
(config)#interface range 0/5-0/6
(config-if)#vlan untag 12
(config)#interface 0/25
(config-if)#vlan tag 10,11,12
(config)#interface 0/26
(config-if)#vlan untag 10
#Configure the multicast router ports for VLAN10, to which multiple multicast routers are connected
(config)#vlan 10 mldsnoop router yes 25,26
#Save the configuration
(config)#save
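The forwarding decision that the IGMP snooping commands above and the MLD snooping section describe (a learned group is forwarded only to its listener ports plus the configured multicast router ports; a group beyond the registration limit is flooded within the VLAN; a registered entry keeps its group address when its output ports are cleared) can be modelled in a few lines. The following Python model is an added example, not SBAX3 firmware code. The VLAN membership and router ports follow the configuration above; the group limit of 2 in build_example(), the group addresses, and the rule that an unknown group is flooded within its VLAN are constructed assumptions for the demo, not SBAX3 values.

```python
from collections import defaultdict


class SnoopTable:
    """Toy model of the snooping forwarding decision (constructed example, not SBAX3 code)."""

    def __init__(self, vlan_ports, max_groups):
        self.vlan_ports = {v: set(p) for v, p in vlan_ports.items()}  # vlan -> member ports
        self.router_ports = defaultdict(set)   # vlan -> ports set with "igmpsnoop/mldsnoop router yes"
        self.groups = {}                       # (vlan, group) -> set of listener ports
        self.max_groups = max_groups           # constructed registration limit

    def set_router_ports(self, vlan, ports):
        self.router_ports[vlan] = set(ports)

    def report(self, vlan, group, port):
        """A Membership Report (IGMP) or MLD Report arrived on `port` for `group`.
        Returns False when the table is full: the group stays unlearned and its traffic floods."""
        key = (vlan, group)
        if key not in self.groups:
            if len(self.groups) >= self.max_groups:
                return False
            self.groups[key] = set()
        self.groups[key].add(port)
        return True

    def leave(self, vlan, group, port):
        """Leave / Done: the port is removed but the entry itself stays, as the guide describes."""
        self.groups.get((vlan, group), set()).discard(port)

    def clear_groups(self):
        """Equivalent of 'clear igmpsnoop group' / 'clear mldsnoop group'."""
        self.groups.clear()

    def forward_ports(self, vlan, group, ingress_port):
        """Ports that receive a multicast data packet for `group` arriving on `ingress_port`."""
        members = self.vlan_ports[vlan]
        key = (vlan, group)
        if key not in self.groups:
            out = set(members)                                   # unknown group: flood the VLAN
        else:
            out = self.groups[key] | self.router_ports[vlan]     # listeners plus router ports
        out &= members
        out.discard(ingress_port)
        return sorted(out)


def build_example():
    """Topology of the configuration above: listeners on 0/1-0/6, routers on 0/25 and 0/26."""
    t = SnoopTable({10: {1, 2, 25, 26}, 11: {3, 4, 25}, 12: {5, 6, 25}}, max_groups=2)
    t.set_router_ports(10, {25, 26})   # "vlan 10 igmpsnoop router yes 25,26"
    t.set_router_ports(11, {25})
    t.set_router_ports(12, {25})
    t.report(10, "239.1.1.1", 1)       # constructed group addresses
    t.report(11, "239.2.2.2", 3)
    return t
```

With the table full after two groups, a third report is refused and that group's traffic is flooded to every port of its VLAN, which is the situation the note about exceeding the limit warns about; after a leave, the entry still exists and traffic reaches only the router ports until the entry is cleared.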
10. Configuring IEEE 802.1X Authentication
This section describes how to configure IEEE802.1X authentication.
Note
Do not assign a VLAN ID to ports that use IEEE802.1X authentication.
Configure the AAA group ID correctly for IEEE802.1X authentication.
Only EAP-MD5 can be used as the authentication method for local authentication.
The following accounting information cannot be obtained correctly when multiple supplicants are
authenticated on one physical port:
- The number of Tx packets
- The number of Rx packets
- The number of Tx bytes
- The number of Rx bytes
[Configuration Target]
Use IEEE802.1X authentication on interface 0/1-0/3.
The authentication databases of interface 0/1-0/3 are as follows:
- Interface 0/1, 0/2: RADIUS server
- Interface 0/3: authentication information set locally
AAA group ID:
- Interface 0/1, 0/2: 0
- Interface 0/3: 1
Authentication is performed per supplicant MAC address.
The users available on interface 0/3 are as follows:
User ID   Password     Assigned VLAN ID
Supp1     Supp1-pass   VLAN123
Supp2     Supp2-pass   VLAN100
RADIUS server IP address: 172.16.1.100
The RADIUS server is connected to VLAN13.
RADIUS server secret: radius-secret
Collect authentication and accounting information in the RADIUS server used by interface 0/1 and
0/2.
[Figure: Supplicant#1, Supplicant#2 and Supplicant#3 on interfaces 0/1, 0/2 and 0/3; RADIUS Server 172.16.1.100; interfaces 0/19, 0/22 and 0/26; VLAN10, VLAN11, VLAN100 and VLAN123]
The accounting information and attributes supported by SBAX3 are as follows:
- Session time: Acct-Session-Time
- Tx packet number: Acct-Output-Packets
- Rx packet number: Acct-Input-Packets
- Tx bytes: Acct-Output-Octets
- Rx bytes: Acct-Input-Octets
Note
Configure the following attributes in the RADIUS server in order to assign a VLAN ID to users.
See the user guide of the RADIUS server for how to configure them.
Name                     Number   Attribute value
Tunnel-Type              64       VLAN (13)
Tunnel-Medium-Type       65       802 (6)
Tunnel-Private-Group-ID  81       VLAN ID (coded in ASCII)
When multiple sets of tunnel attributes are configured with tags, the set with the smallest usable
tag value is assigned to the user as VLAN information.
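The tag-based selection described in the note above, shown as an added Python example that is not part of the Fujitsu guide: it parses the Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) attributes of a constructed Access-Accept attribute area, groups them by their RFC 2868 tag byte, and returns the VLAN from the lowest-tagged set. The attribute bytes and VLAN values are constructed for the demo; the rule that a set missing one of the three attributes, or naming a VLAN outside 1-4094, is skipped rather than selected is an assumption about how "smallest usable tag value" is interpreted, not a statement about the SBAX3 implementation.

```python
from collections import defaultdict

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "802"


def parse_avps(data: bytes):
    """Split a RADIUS attribute area into (type, value) pairs (RFC 2865 TLVs)."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        avps.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return avps


def split_tag(value: bytes):
    """RFC 2868 tag handling: a leading byte 0x01..0x1F is the tag, 0x00 means untagged,
    and anything larger is not a tag but the first byte of the value itself."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def select_vlan(attr_bytes: bytes):
    """Group the tunnel attributes by tag and return the VLAN ID from the lowest-tagged set
    that is complete and describes an 802 VLAN; None if no usable set exists."""
    groups = defaultdict(dict)
    for atype, value in parse_avps(attr_bytes):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, rest = split_tag(value)
            if len(rest) == 3:                       # 3-byte integer follows the tag
                groups[tag][atype] = int.from_bytes(rest, "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, rest = split_tag(value)
            groups[tag][atype] = rest.decode("ascii", errors="replace")
    for tag in sorted(groups):                       # smallest tag first
        g = groups[tag]
        vid_text = g.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and vid_text.isdigit() and 1 <= int(vid_text) <= 4094):
            return int(vid_text)
    return None


# --- constructed sample data, not a capture from a real RADIUS server ---
def avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def tagged_int(tag: int, n: int) -> bytes:
    return bytes([tag]) + n.to_bytes(3, "big")


def vlan_set(tag: int, vid: int) -> bytes:
    """A complete tagged attribute set for one VLAN, as the note above describes."""
    return (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vid).encode("ascii")))


# Two complete sets: tag 2 -> VLAN 123, tag 1 -> VLAN 100 (packet order does not matter).
SAMPLE_ATTRS = vlan_set(2, 123) + vlan_set(1, 100)
# Tag 1 is incomplete (Tunnel-Type only), so tag 2 (VLAN 123) is the lowest usable set.
INCOMPLETE_ATTRS = avp(TUNNEL_TYPE, tagged_int(1, TUNNEL_TYPE_VLAN)) + vlan_set(2, 123)
```

select_vlan(SAMPLE_ATTRS) yields 100, the VLAN from tag 1, even though the tag 2 set appears first in the packet; a switch that instead took the first set it saw would put the supplicant in VLAN 123.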
[Commands]
#Enable IEEE802.1X authentication
(config)#dot1x use on
#Configure port which RADIUS server is connected to
(config)#interface 0/26
(config-if)#vlan untag 13
#Configure VLAN for RADIUS server
(config)#lan 0 vlan 13
(config)#lan 0 ip address 172.16.1.101/16 3
#Configure VLAN which supplicants authenticated by IEEE802.1X are connected to
(config)#interface 0/19
(config-if)#vlan untag 10
(config)#interface 0/20
(config-if)#vlan untag 11
(config)#interface 0/21
(config-if)#vlan untag 100
(config)#interface 0/22
(config-if)#vlan untag 123
#Configure the IEEE802.1X authentication ports
(config)#interface 0/1
(config-if)#dot1x aaa 0
(config-if)#dot1x use on
(config)#interface 0/2
(config-if)#dot1x aaa 0
(config-if)#dot1x use on
(config)#interface 0/3
(config-if)#dot1x aaa 1
(config-if)#dot1x use on
#Configure AAA group information using RADIUS server.
(config)#aaa 0 name radiusAuth
(config)#aaa 0 radius service client both
(config)#aaa 0 radius auth source 172.16.1.101
(config)#aaa 0 radius client server-info auth secret radius-secret
(config)#aaa 0 radius client server-info auth address 172.16.1.100
(config)#aaa 0 radius client server-info accounting secret radius-secret
(config)#aaa 0 radius client server-info accounting address 172.16.1.100
#Configure AAA group information using local authentication information
(config)# aaa 1 name localAuth
(config)# aaa 1 user 0 id Supp1
(config)# aaa 1 user 0 password Supp1-pass
(config)# aaa 1 user 0 supplicant vid 123
(config)# aaa 1 user 1 id Supp2
(config)# aaa 1 user 1 password Supp2-pass
(config)# aaa 1 user 1 supplicant vid 100
#Save the configuration
(config)#save
11. Configuring Port Mirroring
This section describes how to configure the port mirroring function.
With port mirroring, the Rx/Tx traffic of a source port can be monitored on the target port.
This section explains how to configure interface 0/19 as the source port and interface 0/26 as the
target port, and how to mirror the Rx traffic of the source port to the target port.
[Configuration Target]
Configure interface0/19 to source port(Rx)
Configure interface0/26 to target port.
[Commands]
#Configure interface0/26 to mirror port.
(config)#interface 0/26
(config-if)#type mirror 0 19 rx
#Save the configuration
(config)#save
[Figure: Source Port (interface 0/19) mirrored to Target Port (interface 0/26), to which the Analyzer is connected]
12. Configuring Ether L3 Monitoring
This section describes how to configure L3 monitoring.
With L3 monitoring, the peer is monitored through the specified Ethernet port, and the port that
detects an error on the path can be taken offline.
Note
A port that has gone offline must be brought back online manually with the online command.
12.1 Configuring Ether L3 Monitoring with port
[Configuration Target]
Use Interface 0/19
VLAN ID and Network Address is
VLAN ID:1, Network address:192.168.10.0/24
Use Ether L3 Monitoring
[Commands]
#SBAX3#1
#Configure Interface 0/19
(config)#interface range 0/19
(config-if)#vlan untag 1
#Set the IP address 192.168.10.1/24
(config)#lan 0 ip address 192.168.10.1/24 3
(config)#lan 0 vlan 1
#Set the IP address of the destination
(config)#interface 0/19
(config-if)#icmpwatch address 192.168.10.2
#Set the interval of monitoring
(config)#interface 0/19
(config-if)#icmpwatch interval 15s 40s 5s
#Save the configuration
(config)#save
#SBAX3#2
#Configure Interface 0/19
(config)#interface range 0/19
(config-if)#vlan untag 1
#Set the IP address 192.168.10.2/24
(config)#lan 0 ip address 192.168.10.2/24 3
(config)#lan 0 vlan 1
#Save the configuration
(config)#save
[Figure: SBAX3#1 monitors SBAX3#2 through interface 0/19]
12.2 Configuring Ether L3 Monitoring with Link Aggregation
This section describes how to configure L3 Monitoring with Link Aggregation.
[Configuration Target]
Use Interface 0/1 – 0/4
VLAN ID and Network Address is
VLAN ID:10, Network address:192.168.10.0/24
Use Ether L3 Monitoring
[Commands]
#SBAX3#1
#Configure Interface 0/1-0/4
(config)#interface range 0/1-0/4
(config-if)#vlan tag 10
#Configure the Link Aggregation with Interface 0/1-0/4
(config)#interface range 0/1-0/4
(config-if)#type linkaggregation 1
#Set the IP address 192.168.10.1/24
(config)#lan 0 ip address 192.168.10.1/24 3
(config)#lan 0 vlan 10
#Set the IP address of the destination
(config)#linkaggregation 1 icmpwatch address 192.168.10.2
#Set the interval of monitoring
(config)#linkaggregation 1 icmpwatch interval 15s 40s 5s
#Save the configuration
(config)#save
#SBAX3#2
#Configure Interface 0/1-0/4
(config)#interface range 0/1-0/4
(config-if)#vlan tag 10
#Configure the Link Aggregation with Interface 0/1-0/4
(config)#interface range 0/1-0/4
(config-if)#type linkaggregation 1
#Set the IP address 192.168.10.2/24
(config)#lan 0 ip address 192.168.10.2/24 3
(config)#lan 0 vlan 10
#Save the configuration
(config)#save
13. Configuring port recovery limit function
This section describes how to configure the port offline function.
With the port offline function, the network can be kept stable because a port that fails
intermittently can be put into the offline state.
In this example, the master port goes offline when the master link fails intermittently.
[Configuration Target]
SBAX3#1
Use Interface 0/19, 0/26 as backup port
(Interface 0/19 is Master port, Interface 0/26 is backup port, Use Master port preferentially.)
Use offline by the number of link down
Set the upper limit of link down
SBAX3#2
Use Interface 0/19, 0/26 as backup port
(Interface 0/19 is Master port, Interface 0/26 is backup port, Use Master port preferentially.)
Use offline by the number of link down
Set the upper limit of link down
[Commands]
#SBAX3#1
#Set the upper limit of link down on Interface0/19
(config)#interface 0/19
(config-if)#recovery limit 5
#Configure Interface 0/19 as Master port of backup port group
(config)#interface 0/19
(config-if)#type backup 1 master
Jan 01 10:13:43 127.0.0.1 SBAX3: l2nsm: backup 1 definition is invalid. backup port is not defined.
#(The above message appears when only the master port or only the backup port is defined,
because both the master and the backup port have to be defined in a backup group. The backup
group is enabled once the other port is defined.)
#Configure Interface 0/26 as backup port of backup port group
(config)#interface 0/26
(config-if)#type backup 1 backup
#Set the backup group 1 as master port preferential
(config)#backup 1 mode master
#Save the configuration
(config)#save
#SBAX3#2
#Set the upper limit of link down on Interface0/19
(config)#interface 0/19
(config-if)#recovery limit 5
#Configure Interface 0/19 as Master port of backup port group
(config)#interface 0/19
(config-if)#type backup 1 master
Jan 01 10:18:13 127.0.0.1 SBAX3: l2nsm: backup 1 definition is invalid. backup port is not defined.
#Configure Interface 0/26 as backup port of backup port group
(config)#interface 0/26
(config-if)#type backup 1 backup
#Set the backup group 1 as master port preferential
(config)#backup 1 mode master
#Save the configuration
(config)#save
14. Configuring IP Filtering
This section describes how to configure IP filtering, which controls packets by a combination of IP
address and port number for network security.
[IP Filtering Condition]
Packet data flow can be controlled by specifying the following parameters in an ACL.
- Source IP information (IP address / address mask / port number)
- Destination IP information (IP address / address mask / port number)
- Protocol
- TOS value or DSCP value of the IP packet
Hint
How to decide the IP address and address mask
A filtering condition has two elements: the "IP address" and the "address mask". Only packets
whose IP address, ANDed with the address mask, equals the specified IP address are controlled.
[IP Filtering design policy]
There are two ways to design filtering.
A. Pass the specified packets and reject the others.
B. Reject the specified packets and pass the others.
This chapter explains the following examples for A:
- Pass only packets that access the specified service.
- Pass only packets to the specified server.
And the following examples for B:
- Reject only packets to the specified server.
- Reject only ping to the specified server.
Note:
If there are multiple IP filtering conditions, they are applied in order of priority, starting from the
smallest filter number. The network may not work if this priority is not considered when the
filtering is set.
14.1 Configuring IP filter 1
This section describes how to configure an IP filter that passes access to the Web server and DNS
server and rejects all other access.
[Configuration Target]
Use Interface 0/1
VLAN ID and Network Address is
VLAN ID:10, Network address:192.168.10.0/24
[IP filtering design]
Pass access to Web server from 192.168.1.0/24
Pass access to DNS server from 192.168.1.0/24
Pass ICMP packets
Reject the other packets
[Commands]
#set Interface 0/1
(config)#interface 0/1
(config-if)#vlan tag 10
#Set the network 192.168.10.0/24
(config)#lan 0 ip address 192.168.10.0/24 3
(config)#lan 0 vlan 10
#Pass TCP packets to port80 of Web Server
(config)#acl 0 ip 192.168.1.0/24 any 6 any
(config)#acl 0 tcp any 80
(config)#lan 0 ip filter 0 pass acl 0
#Pass UDP packets to port53 of DNS server.
(config)#acl 1 ip 192.168.1.0/24 192.168.0.10/32 17 any
(config)#acl 1 udp any 53
(config)#lan 0 ip filter 1 pass acl 1
#Pass ICMP packets
(config)#acl 2 ip any any 1 any
(config)#acl 2 icmp any any
(config)#lan 0 ip filter 2 pass acl 2
#Reject the other packets
(config)#acl 3 ip any any any any
(config)#lan 0 ip filter 3 reject acl 3
#Save the configuration
(config)#save
14.2 Configuring IP filter 2 (IPv6 Filtering)
This section describes how to configure an IPv6 filter that passes access to the Web server and DNS
server and rejects all other access.
[Configuration Target]
Use Interface 0/1
VLAN ID and Network Address is
VLAN ID:10, Network address: 2001:db8:1::/64
[IP filtering design]
Pass access to Web server from 2001:db8:1::/64
Pass access to DNS server from 2001:db8:1::/64
Pass ICMPv6 packets
Reject the other packets
[Commands]
#set Interface 0/1
(config)#interface 0/1
(config-if)#vlan tag 10
#set the network 2001:db8:1::/64
(config)#lan 0 ip6 address 2001:db8:1::/64
(config)#lan 0 vlan 10
#Pass TCP packets to port80 of Web Server
(config)# acl 0 ip6 2001:db8:1::/64 any 6 any
(config)# acl 0 tcp any 80
(config)# lan 0 ip6 filter 0 pass acl 0
#Pass UDP packets to port53 of DNS server.
(config)# acl 1 ip6 2001:db8:1::/64 any 17 any
(config)# acl 1 udp any 53
(config)# lan 0 ip6 filter 1 pass acl 1
#Pass ICMPv6 packets
(config)# acl 2 ip6 any any 58 any
(config)# acl 2 icmp any any
(config)# lan 0 ip6 filter 2 pass acl 2
#Reject the other packets
(config)# acl 3 ip6 any any any any
(config)# lan 0 ip6 filter 3 reject acl 3
#Save the configuration
(config)#save
14.3 Configuring IP filter 3
This section describes how to configure an IP filter that allows access to the specified server in
the internal network and to the DNS server, and rejects access to other servers.
[Configuration Target]
Use Interface 0/1
VLAN ID and Network Address is
VLAN ID:10, Network address:192.168.10.0/24
[IP filtering design]
Allows access to the Web server(192.168.1.5/32) in internal network
Allows access to the DNS server in internal network
Pass ICMP packets
Reject the other packets
[Commands]
#set Interface 0/1
(config)#interface 0/1
(config-if)#vlan tag 10
#Set the network 192.168.10.0/24
(config)#lan 0 ip address 192.168.10.0/24 3
(config)#lan 0 vlan 10
#Pass TCP packets to port80 of Web Server
(config)#acl 0 ip 192.168.1.0/24 any 6 any
(config)#acl 0 tcp any 80
(config)#lan 0 ip filter 0 pass acl 0
#Pass UDP packets to port53 of DNS server.
(config)# acl 1 ip 192.168.0.0/24 192.168.1.10/32 17 any
(config)# acl 1 udp any 53
(config)# lan 0 ip filter 1 pass acl 1
#Pass ICMP packets
(config)#acl 2 ip any any 1 any
(config)#acl 2 icmp any any
(config)#lan 0 ip filter 2 pass acl 2
#Reject the other packets
(config)#acl 3 ip any any any any
(config)#lan 0 ip filter 3 reject acl 3
#Save the configuration
(config)#save
14.4 Configuring IP filter 4
This section describes how to configure an IP filter that denies access only to the FTP server in
the external network.
[Configuration Target]
Use Interface 0/1
VLAN ID and Network Address is
VLAN ID:10, Network address:192.168.10.0/24
[IP filtering design]
Deny access from host in internal network(192.168.1.0/24) to the FTP server(192.168.0.5) in
external network
[Commands]
#set Interface 0/1
(config)#interface 0/1
(config-if)#vlan tag 10
#Set the network 192.168.10.0/24
(config)#lan 0 ip address 192.168.10.0/24 3
(config)#lan 0 vlan 10
#reject FTP packets from internal LAN to 192.168.0.5
(config)# acl 0 ip 192.168.1.0/24 192.168.0.5/32 6 any
(config)# acl 0 tcp any 21
(config)# lan 0 ip filter 0 reject acl 0
#Save the configuration
(config)#save
14.5 Configuring IP filter 5
This section describes how to configure an IP filter that denies only ping (ICMP ECHO) to the
specified server in the internal network, and allows other ICMP packets, packets of other protocols
and packets to other hosts.
[Configuration Target]
Use Interface 0/1
VLAN ID and Network Address is
VLAN ID:10, Network address:192.168.10.0/24
[IP filtering design]
Deny ping(ICMP ECHO) from external host to the server(192.168.1.5/32) in internal network.
Others are all passed
[Commands]
#set Interface 0/1
(config)#interface 0/1
(config-if)#vlan tag 10
#Set the network 192.168.10.0/24
(config)#lan 0 ip address 192.168.10.0/24 3
(config)#lan 0 vlan 10
#reject ICMP packet of ICMP type 8 to 192.168.1.5/32
(config)# acl 0 ip any 192.168.1.5/32 1 any
(config)# acl 0 icmp 8 any
(config)# lan 0 ip filter 0 reject acl 0
#Pass other all packets
(config)# acl 1 ip any any any any
(config)# lan 0 ip filter 1 pass acl 1
#Save the configuration
(config)#save
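The evaluation rules this chapter relies on (address matching by logical AND with the mask, protocol and port checks from the second acl line, and filters applied from the smallest number with the first match deciding) are shown below in an added Python model of the 14.1 and 14.5 designs; it is example code, not SBAX3 firmware. The Acl and Packet classes, the function names, and the sample packets are constructed for the demo, and the rule that a packet matched by no filter is passed is an assumption (the designs above always end with an explicit catch-all, so nothing on the page depends on it). misordered_14_1() reproduces the pitfall the Note warns about: the same ACLs with the reject-all filter numbered first.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Acl:
    """One ACL: 'acl N ip <src> <dst> <proto> <tos>' plus the optional
    'acl N tcp|udp <sport> <dport>' or 'acl N icmp <type> <code>' line."""
    src: str = "any"          # "a.b.c.d/len" or "any"
    dst: str = "any"
    proto: str = "any"        # IP protocol number as text, or "any"
    sport: str = "any"        # TCP/UDP ports, or "any"
    dport: str = "any"
    icmp_type: str = "any"


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


def addr_matches(spec: str, addr: str) -> bool:
    """The Hint's rule: (packet address AND address mask) must equal the ACL address."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec, strict=False)
    return int(ipaddress.ip_address(addr)) & int(net.netmask) == int(net.network_address)


def field_matches(spec: str, value: int) -> bool:
    return spec == "any" or int(spec) == value


def acl_matches(acl: Acl, pkt: Packet) -> bool:
    if not (addr_matches(acl.src, pkt.src) and addr_matches(acl.dst, pkt.dst)
            and field_matches(acl.proto, pkt.proto)):
        return False
    if pkt.proto in (6, 17):                       # TCP / UDP: also check the ports
        return field_matches(acl.sport, pkt.sport) and field_matches(acl.dport, pkt.dport)
    if pkt.proto == 1:                             # ICMP: also check the type
        return field_matches(acl.icmp_type, pkt.icmp_type)
    return True


def evaluate(filters: dict, acls: dict, pkt: Packet) -> str:
    """'lan 0 ip filter <num> pass|reject acl <n>': smallest filter number first, first match wins.
    Assumption for the demo: a packet that no filter matches is passed."""
    for num in sorted(filters):
        action, acl_no = filters[num]
        if acl_matches(acls[acl_no], pkt):
            return action
    return "pass"


def policy_14_1():
    """Design A from 14.1: pass web, DNS and ICMP, reject everything else."""
    acls = {
        0: Acl(src="192.168.1.0/24", proto="6", dport="80"),
        1: Acl(src="192.168.1.0/24", dst="192.168.0.10/32", proto="17", dport="53"),
        2: Acl(proto="1"),
        3: Acl(),
    }
    filters = {0: ("pass", 0), 1: ("pass", 1), 2: ("pass", 2), 3: ("reject", 3)}
    return filters, acls


def policy_14_5():
    """Design B from 14.5: reject only ICMP echo requests to 192.168.1.5, pass everything else."""
    acls = {0: Acl(dst="192.168.1.5/32", proto="1", icmp_type="8"), 1: Acl()}
    filters = {0: ("reject", 0), 1: ("pass", 1)}
    return filters, acls


def misordered_14_1():
    """Same ACLs as 14.1 but the catch-all reject given the smallest filter number,
    so it shadows every pass rule: the mistake the Note describes."""
    _, acls = policy_14_1()
    filters = {0: ("reject", 3), 1: ("pass", 0), 2: ("pass", 1), 3: ("pass", 2)}
    return filters, acls
```

Running the 14.1 policy over constructed packets shows that a web request from 192.168.1.7 passes while the same request from 192.168.2.7 (outside the /24 after the mask is applied) and an HTTPS request from an allowed host are both rejected by the catch-all; with the filter numbers misordered, even the allowed web request is rejected.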
15. Configuring DSCP value change
This section describes how to configure DSCP value change, which applies a policy in a policy-based
network. The DSCP value can be changed according to the combination of IP address and port number
in packets sent from SBAX3 to the network or received by SBAX3 from the network.
SBAX3 changes the DSCP value of packets that match the following conditions specified in an ACL definition.
- Protocol
- Source information (IP address / address mask / port number)
- Destination information (IP address / address mask / port number)
- TOS or DSCP value of IP packets, or Traffic Class or DSCP value of IPv6 packets
The following example assumes that the network has this policy:
- FTP (DSCP value 10) has the highest priority.
- Nothing else is set.
[Configuration Target]
- Source IP address/Address mask: 192.168.1.0/24
- Source port number: not assigned
- Destination IP address/Address mask: not assigned
- Destination port number: 20 (ftp-data), 21 (ftp)
- Protocol: TCP
- DSCP value: 0
- New DSCP value: 10
[Commands]
#change DSCP value from 0 to 10 for FTP server access
(config)#acl 0 ip 192.168.1.0/24 any 6 dscp 0
(config)#acl 0 tcp any 20,21
(config)#lan 0 ip dscp 0 acl 0 10
#Save the configuration
(config)#save
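What the DSCP rewrite above does to the packet itself is shown in the following added Python example, which is not SBAX3 code: it builds a constructed IPv4/TCP packet, applies the page's condition (TCP from 192.168.1.0/24 to port 20 or 21 with DSCP 0), and rewrites only the six DSCP bits of the TOS byte, leaving the two ECN bits and the rest of the packet untouched and recomputing the IPv4 header checksum, which any DSCP change invalidates. The packet builder, the function names and the sample addresses are constructed for the demo.

```python
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791). Over a header whose
    checksum field is zero it yields the checksum; over a valid header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, dscp: int = 0, ecn: int = 0) -> bytes:
    """Constructed minimal IPv4 header plus a 20-byte TCP SYN header, no payload (demo input)."""
    tos = (dscp << 2) | (ecn & 0x03)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def dscp_of(pkt: bytes) -> int:
    return pkt[1] >> 2                     # DSCP is the upper 6 bits of the TOS byte


def checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


def remark_dscp(pkt: bytes, src_net: str = "192.168.1.0/24", dports=(20, 21),
                match_dscp: int = 0, new_dscp: int = 10) -> bytes:
    """Apply the guide's policy: TCP from src_net to an FTP port with DSCP match_dscp gets
    new_dscp. Returns the packet unchanged when the condition does not match."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ipaddress.ip_address(pkt[12:16])
    if pkt[9] != 6 or src not in ipaddress.ip_network(src_net) or dscp_of(pkt) != match_dscp:
        return pkt
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    if dport not in dports:
        return pkt
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (new_dscp << 2) | (hdr[1] & 0x03)     # keep the ECN bits
    hdr[10:12] = b"\x00\x00"                        # zero the checksum field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]                   # TCP segment is untouched
```

A packet that already carries a non-zero DSCP is left alone, which is the effect of the "dscp 0" condition in the acl line above: the rule only marks traffic that arrives unmarked.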
16. Configuring SNMP Agent
This section describes how to configure the SNMP agent, which provides MIB information to the
SNMP host.
16.1 Configuring SNMP
[Configuration Target]
Use SNMP agent function
Administrator: suzuki
System name: SBAX3
Location: 1F
Agent IP address: 192.168.1.1
SNMP host IP address: 192.168.1.100
Community: public00
[Commands]
#Configure SNMP agent information
(config)#snmp agent contact suzuki
(config)#snmp agent sysname SBAX3
(config)#snmp agent location 1F
(config)#snmp agent address 192.168.1.1
#Configure SNMP host information
(config)#snmp manager 0 192.168.1.100 public00 off disable
#Enable SNMP agent function
(config)#snmp service on
#Save the configuration
(config)#save
16.2 Configuring SNMPv3
This section describes how to configure SNMPv3 access.
[Configuration Target]
Use the SNMP agent function
Administrator: suzuki
System name: SBAX3
SNMP host: 192.168.1.100
Location: 1F
Agent address: 192.168.1.1
SNMP host address: 192.168.1.100
Host address for traps: 192.168.1.100
User name: user00
Authentication protocol: MD5
Password: auth_password
Encryption protocol: DES
Password: priv_password
MIB view: only the system and interfaces groups are enabled
Only the linkDown and linkUp traps are enabled.
[Figure: the SNMP host 192.168.1.100 sends SNMP requests to SBAX3 (lan 0 192.168.1.1; Administrator: Suzuki, System name: SBAX3, Agent IP address 192.168.1.1), which returns MIB information]
[Commands]
#Configure SNMP agent information
(config)#snmp agent contact suzuki
(config)#snmp agent sysname SBAX3
(config)#snmp agent location 1F
(config)#snmp agent address 192.168.1.1
#Configure SNMPv3 Information
(config)#snmp user 0 name user00
(config)#snmp user 0 address 0 192.168.1.100
(config)#snmp user 0 notification 0 192.168.1.100
#Configure Authentication/Encryption protocol
(config)#snmp user 0 auth md5 auth_password
(config)#snmp user 0 priv des priv_password
#Configure MIB view information
(config)#snmp user 0 read view 0
(config)#snmp user 0 notify view 0
(config)#snmp view 0 subtree 0 include system
(config)#snmp view 0 subtree 1 include interfaces
(config)#snmp view 0 subtree 2 include linkdown
(config)#snmp view 0 subtree 3 include linkup
#Enable SNMP Agent function
(config)#snmp service on
#Save the configuration
(config)#save
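The "snmp user 0 auth md5 auth_password" and "snmp user 0 priv des priv_password" lines above give the agent passwords, not keys. What the agent and the SNMP host actually use is derived from them by the RFC 3414 USM password-to-key procedure, shown in the following added Python example (not SBAX3 code): the password is expanded to 1 MiB and hashed, then localized with the agent's snmpEngineID, so the same password yields a different key on every engine and the password itself never crosses the network. The engine ID values are constructed (one of them is the RFC 3414 Appendix A test value, used here because its expected MD5 result is published), and the function names are this example's own.

```python
import hashlib


def password_to_key_md5(password: str, engine_id: bytes) -> bytes:
    """RFC 3414 password-to-key for usmHMACMD5AuthProtocol.
    Step 1: repeat the password to exactly 1 MiB and MD5 it -> Ku (engine-independent).
    Step 2: localize with the agent's snmpEngineID -> Kul = MD5(Ku || engineID || Ku)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.md5(expanded).digest()
    return hashlib.md5(ku + engine_id + ku).digest()


def des_key_and_preiv(priv_password: str, engine_id: bytes):
    """usmDESPrivProtocol (RFC 3414 8.1.1.1): the localized 16-byte key splits into the
    8-byte DES key and the 8-byte pre-IV from which each message's IV is formed."""
    kul = password_to_key_md5(priv_password, engine_id)
    return kul[:8], kul[8:16]


# Engine ID from RFC 3414 Appendix A (a published test value, not an SBAX3 engine ID)
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Two constructed engine IDs, to show that one password localizes to different keys
ENGINE_A = bytes.fromhex("8000000001c0a80101")
ENGINE_B = bytes.fromhex("8000000001c0a80102")


def keys_for_guide_user(engine_id: bytes) -> dict:
    """Keys an agent with `engine_id` derives for the guide's user00 passwords."""
    auth_key = password_to_key_md5("auth_password", engine_id)
    des_key, pre_iv = des_key_and_preiv("priv_password", engine_id)
    return {"auth": auth_key.hex(), "des": des_key.hex(), "pre_iv": pre_iv.hex()}
```

Because the localization step binds the key to the engine ID, a manager must learn the agent's snmpEngineID (normally through the discovery exchange) before it can authenticate, and a key captured from one agent is of no use against another agent configured with the same password.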
17. Configuring System Log
This section describes how to configure system log function which sends system logs to syslog
server.
[Configuration Target]
Configure the following priority
-Priority LOG_ERROR
-Priority LOG_WARNING
-Priority LOG_NOTICE
-Priority LOG_INFO
Syslog server IP address 192.168.1.10
[Commands]
#Configure the syslog server
(config)#syslog server 192.168.1.10
#Configure the system log priorities
(config)#syslog pri error,warn,notice,info
#Save the configuration
(config)#save
[Figure: SBAX3 (lan 0 192.168.1.1) sends system logs to the syslog server 192.168.1.10]
18. Configuring Schedule function
This section describes how to configure the schedule function. The schedule function of SBAX3
provides the following:
- Reservation of switching the configuration file
SBAX3 can hold 2 configuration files. A configuration can be prepared in advance for an operational
configuration change and then switched to at the specified date and time.
18.1 Configuring the reservation of switching configuration file
[Configuration Target]
Time of switching: 2006/12/01 6:30
Configuration change: config1 -> config2
[Commands]
#Switch the configuration
(config)#addact 0 0612010630 reset config 2
#Save the configuration
(config)#save
19. Configuring Application Filter
This section describes how to configure the application filter function, which controls access to
the server functions (TELNET, FTP, SSH and time) provided by SBAX3. With this function, security
becomes more robust because the terminals that can be used for maintenance or operation can be
restricted.
[Configuration Target]
Permit access to the TELNET/FTP/SSH servers only from the management host (192.168.1.100).
Permit access to the time server only from hosts in the internal network (192.168.1.0/24).
No restriction for other servers.
Note:
If packets to SBAX3 are rejected by IP filtering, access is not possible even if the application
filter permits it.
[Commands]
#Reject the default access against the server function
(config)#serverinfo ftp filter default reject
(config)#serverinfo telnet filter default reject
(config)#serverinfo ssh filter default reject
(config)#serverinfo time filter default reject
#Permit the access to the FTP/Telnet/SSH server function from host for management
(config)#acl 0 ip 192.168.1.100/32 any any any
(config)#serverinfo ftp filter 0 accept acl 0
(config)#serverinfo telnet filter 0 accept acl 0
(config)#serverinfo ssh filter 0 accept acl 0
#Permit the access to the Time server function from hosts in internal network
(config)#acl 1 ip 192.168.1.0/24 any any any
(config)#serverinfo time filter 0 accept acl 1
#Save the configuration
(config)#save
20. Configuring IEEE802.1Q Tunneling
This section describes how to configure IEEE802.1Q tunneling for customer A, customer B,
SBAX3#1 and SBAX3#2 in the diagram below.
[Figure: Customer A (interface0/23, tag VLAN10,20) and Customer B (interface0/23, tag VLAN20,30) connect to SBAX3#1 dot1qtunnel ports interface0/20 (untag VLAN35) and interface0/19 (untag VLAN40). SBAX3#1 interface0/26 links to SBAX3#2 interface0/19 across the service provider network with tag VLAN 35/40. SBAX3#2 dot1qtunnel ports interface0/22 (untag VLAN35) and interface0/23 (untag VLAN40) connect to the far-side Customer A (interface0/23, tag VLAN 10,20) and Customer B (interface0/23, tag VLAN 20,30).]
[Configuration Target]
Customer A
Assign Interface0/23 to tag VLAN10, 20
Customer B,
Assign Interface0/23 to tag VLAN20, 30
SBAX3#1
Assign Interface0/19 to untag VLAN40
Assign Interface0/20 to untag VLAN35
Assign Interface0/26 to tag VLAN35, 40
Configure Interface0/19-0/20 for IEEE802.1Q tunneling port
Configure the use of IEEE802.1Q tunneling port.
SBAX3#2
Assign Interface0/19 to tag VLAN35, 40
Assign Interface0/22 to untag VLAN35
Assign Interface0/23 to untag VLAN40
Configure Interface0/22-0/23 for IEEE802.1Q tunneling port
Configure the use of IEEE802.1Q tunneling port.
[Commands]
#Customer A
# Assign Interface0/23 to tag VLAN10, 20
(config)#interface 0/23
(config-if)#vlan tag 10,20
#Customer B
# Assign Interface0/23 to tag VLAN20, 30
(config)#interface 0/23
(config-if)#vlan tag 20,30
#SBAX3#1
#Assign Interface0/19 to untag VLAN40
(config)#interface 0/19
(config-if)#vlan untag 40
#Assign Interface0/20 to untag VLAN35
(config)#interface 0/20
(config-if)#vlan untag 35
#Assign Interface0/26 to tag VLAN35, 40
(config)#interface 0/26
(config-if)#vlan tag 35,40
#Configure Interface0/19-0/20 for IEEE802.1Q tunneling port
(config)#interface range 0/19-0/20
(config-if)#dot1qtunnel use on
# Configure the use of IEEE802.1Q tunneling port.
(config)#dot1qtunnel use on
#SBAX3#2
#Assign Interface0/19 to tag VLAN35, 40
(config)#interface 0/19
(config-if)#vlan tag 35,40
#Assign Interface0/22 to untag VLAN35
(config)#interface 0/22
(config-if)#vlan untag 35
#Assign Interface0/23 to untag VLAN40
(config)#interface 0/23
(config-if)#vlan untag 40
#Configure Interface0/22-0/23 for IEEE802.1Q tunneling port
(config)#interface range 0/22-0/23
(config-if)#dot1qtunnel use on
#Configure the use of IEEE802.1Q tunneling port.
(config)#dot1qtunnel use on
#Save the configuration
(config)#save
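The frame handling behind the dot1qtunnel commands above, as an added Python example that is not SBAX3 code: a customer frame arriving on a tunnel port whose untag VLAN is the tunnel VLAN gets a second 802.1Q tag pushed in front of its own tag, travels across the interface0/26 to interface0/19 link with both tags, and has the outer tag popped again by the far-side tunnel port. The frame builder, the MAC addresses and the function names are constructed for the demo; the tunnel VLANs 35 and 40 and the customer VLANs are those of the configuration above.

```python
TPID_8021Q = 0x8100


def parse_frame(frame: bytes):
    """Return (dst, src, [VLAN IDs outer->inner], ethertype, payload) for an Ethernet frame."""
    dst, src = frame[:6], frame[6:12]
    pos, tags = 12, []
    while len(frame) >= pos + 4 and int.from_bytes(frame[pos:pos + 2], "big") == TPID_8021Q:
        tci = int.from_bytes(frame[pos + 2:pos + 4], "big")
        tags.append(tci & 0x0FFF)             # VLAN ID is the low 12 bits of the TCI
        pos += 4
    ethertype = int.from_bytes(frame[pos:pos + 2], "big")
    return dst, src, tags, ethertype, frame[pos + 2:]


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    out = dst + src
    for vid in tags:                           # PCP/DEI bits left at 0 for the demo
        out += TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return out + ethertype.to_bytes(2, "big") + payload


def tunnel_ingress(frame: bytes, tunnel_vid: int) -> bytes:
    """Frame entering a dot1qtunnel port whose untag VLAN is tunnel_vid (e.g. SBAX3#1
    interface 0/20 with VLAN35): the provider tag is pushed in front of the customer tag."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, [tunnel_vid] + tags, ethertype, payload)


def tunnel_egress(frame: bytes, tunnel_vid: int):
    """Frame leaving a dot1qtunnel port on the far switch (e.g. SBAX3#2 interface 0/22):
    the outer tag is popped. Returns None if the outer tag is not the tunnel VLAN."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if not tags or tags[0] != tunnel_vid:
        return None
    return build_frame(dst, src, tags[1:], ethertype, payload)


def customer_frame(vid: int) -> bytes:
    """Constructed customer frame: broadcast destination, locally administered source MAC,
    one customer tag, and a placeholder IPv4 payload whose content does not matter here."""
    payload = b"\x45" + b"\x00" * 19
    return build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", [vid], 0x0800, payload)
```

Customer A and Customer B both use VLAN 20 internally, but their frames cross the provider link as [35, 20] and [40, 20] respectively, so the two customers' VLAN 20 traffic never mixes; a frame whose outer tag is not the port's tunnel VLAN is not handed to that customer.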
21. Configuring CEE
This section describes how to configure the CEE function for the example below.
[Configuration Target]
CNA
Set the port connected to SBAX3 to accept the DCBX settings (willing bit on).
SBAX3 / FCoE SW
Assign the CEE ports to tag VLAN1002.
Assign the CEE ports to untag VLAN1 for FIP frame forwarding.
Configure bandwidth 40 for priority group 1 on the CEE ports.
Configure bandwidth 60 for priority group 2 on the CEE ports.
Enable the PFC setting of priority group 2.
Map priority 3 to priority group 2 and the other priorities to priority group 1.
Configure priority 3 as the FCoE priority.
Enable the CEE function.
[Commands]
#SBAX3
#Enable priority group1, 2
(config)# cee priority group 1 use on
(config)# cee priority group 2 use on
#Configure priority 3 as priority group2 and others are priority group1
(config)# cee priority map 1 1 1 2 1 1 1 1
#Assign Interface0/19, 0/23 to tag VLAN1002
(config)# interface range 0/19,0/23
(config-if)# vlan tag 1002
#Assign Interface0/19, 0/23 to untag VLAN1 for FIP frame forwarding
(config-if)# vlan untag 1
#Configure Interface0/19, 0/23 to send/receive LLDP information
(config-if)# lldp mode enable
#Configure weight value of priority group1 for Interface0/19, 0/23 as 40.
(config-if)# cee priority group 1 weight 40
[Figure: CNA connected to SBAX3 Interface 0/19 (vlan tag 1002, vlan untag 1); SBAX3 Interface 0/23 (vlan tag 1002, vlan untag 1) connected to the FCoE SW (FCF)]
#Configure weight value of priority group2 for Interface0/19, 0/23 as 60.
(config-if)# cee priority group 2 weight 60
#Enable PFC for priority group2 for Interface0/19, 0/23.
(config-if)# cee priority group 2 pfc on
#Configure FCoE priority for Interface0/19, 0/23 as priority 3
(config-if)# dcbx fcoe-priority-bits 08
#Enable CEE function of Interface0/19, 0/23
(config-if)# cee use on
#Enable CEE function of SBAX3
(config-if)# end
(config)# cee mode on
#Save the configuration
(config)#save