Date: August 2018

Netgear 7000 Series Managed Switch
GSM7312 / GSM7324 / FSM7326P / GSM7224 / GSM7212

Background
» Why is a non-blocking architecture important?
  • Blocking architectures drop traffic when over-subscribed (over capacity)
  • Dropping traffic at higher speed means more data lost or more users affected
  • Data loss in the core of the network is a critical failure
» What is L3 switching?
  • Routing done in a switch
  • Cheaper and faster than traditional routers
» When/why use L3 switching?
  • Companies with more than 100 users
  • Flat networks bogging down on traffic
  • Need to segment the network to improve performance
    » VLAN
    » Sub-networks
» How is it different from L2?
  • L2 uses MAC addresses, limited to one IP network
  • L3 uses IP addresses, can route to any IP network
© 1996-2004 NETGEAR®. All rights reserved.

Layer 2 segmentation - VLAN (diagram)

Layer 3 segmentation - IP subnetting (diagram)

Layer 2 vs. Layer 3 features
Layer 2 features:
» SNMP - tested with OpenView
» RMON (groups 1, 2, 3 and 9)
» 802.3x flow control
» Up to 512 static VLAN groups (IEEE 802.1Q)
» Protocol-based VLAN
» 802.3ad LACP
» Spanning Tree (IEEE 802.1D)
» Rapid Spanning Tree (IEEE 802.1w)
» Multiple Spanning Tree (IEEE 802.1s)
» Port mirroring
» DHCP/BOOTP client for automatic IP address setup
» 802.1x port-based security
» Broadcast storm control
» IGMP snooping
Layer 3 features:
» IP routing
» RIP I, II (Routing Information Protocol)
» OSPF v2 (Open Shortest Path First)
» VRRP (Virtual Router Redundancy Protocol)
  • Eliminates a single point of failure
» DiffServ
» ACL

Application (diagram: FVL328, FSM726, GSM712, FSM726S/FSM750S)
» Core of the network
  • Sits between the WAN device and the LAN
  • Hang as many GSM7xx or FSM7xx switches on it as necessary

GSM7212
» 12 Gigabit Ethernet ports.
» Each port supports an optional hot-swappable SFP GBIC slot for fiber connection.
» Full Layer 2 management suite.

GSM7224
» 24 Gigabit Ethernet ports.
» 4 SFP GBIC slots for fiber connection.
» Full Layer 2 management suite.

GSM7224 Competitive chart
NETGEAR clearly provides the best value!
Columns: Netgear GSM7224 | 3Com SuperStack 3 3824 | D-Link DGS-3224TG | Dell PowerConnect 5224
Rows: List Price; Distribution Price; Cost per Port; Copper Gigabit ports; GBIC/SFP Module slots; Bandwidth; MAC Addresses; MTBF; L2 Management; L3 Management; VLAN; Port Trunking; Traffic Prioritization (QoS); DiffServ; Spanning Tree; Rapid Spanning Tree; SNMP & RMON; Warranty; Warranty power supply
Values as extracted, per column (some cells did not survive extraction, so the sequences are shorter than the row list):
» Netgear GSM7224: $1,425; $999; $42; 24; 4; 48Gbps (non-blocking); 4,000; Yes; No; Yes; Yes; Yes; Yes; Yes; Yes; Yes
» 3Com SuperStack 3 3824: $2,795; $1,889; $79; 24; 4; 48Gbps (non-blocking); 16,000; 40,000; Yes; No; Yes; Yes; Yes; Yes; Yes; Yes; Yes
» D-Link DGS-3224TG: $2,199; $1,389; $58; 20; 4; 48Gbps (non-blocking); 32,000; not clear; Yes; No; Yes; Yes; Yes; Yes; No; Yes
» Dell PowerConnect 5224: $1,600; $62; 24; 4; 48Gbps (non-blocking); 8,000; not clear; Yes; No; Yes; Yes; Yes; No; Yes; Yes; Yes
» Warranty / Warranty power supply (as extracted): 5 Years; 5 Years; Limited Lifetime; Limited Lifetime; Limited Lifetime (5 yr); 3 years; 1 year; 1 year
Notes:
» GBIC is a standard for Gigabit Ethernet modules. SFP (Small Form-factor Pluggable, a.k.a. mini-GBIC) is a smaller version of the GBIC module, used with SFP slots.
» The GBIC ports on the GSM7224 are shared with the built-in copper Gigabit ports, so that there are only two Gigabit ports functional at one time.

GSM7312
» 12 Gigabit copper/GBIC combo ports.
» Full Layer 3 management suite.
GSM7312 Competitive chart
Get more FLEXIBILITY and FUNCTIONALITY for your money

Feature | NETGEAR GSM7312 | 3Com SuperStack 3 4900 | Cisco 3550-12T | D-Link DGS-3308TG
List Price | $2,550 | $3,995 | $9,995 | $3,499
Cost per Port | $213 | $333 | $1,000 | $583
10/100/1000 Mbps ports | 12 | 12 | 10 | 6
Module slots | 12 SFP (shared) | 4G module | 2 GBIC | 2 GBIC
Height | 1U | 1U | 1.5U | 1U
Bandwidth/backplane | 24 Gbps | 56 Gbps | 32 Gbps | 16 Gbps
Packet forwarding | 17 Mpps | 23 Mpps | 17 Mpps | 12 Mpps
Packet buffer memory | 1.5 MB | Not Specified | 4 MB | Not Specified
# of priority queues | 8 | 4 | 4 | 4
MTBF | 166,000 | 326,000 | 114,000 | Not Specified
MAC Addresses | 8,000 | 12,000 | 12,000 | 8,000
L2 Management | Yes | Yes | Yes | Yes
DiffServ | Yes | Yes | Yes | No
Policy Based QoS | Yes | Not clear | Yes | No
Access Control Lists (ACL) | Yes | Yes | Yes | No
Layer 4 prioritization | Yes | No | Yes | No
802.1x | Yes | No | Yes | No
Link Aggregation | Yes | Yes | Yes | Yes
VLAN | Yes | Yes | Yes | Yes
Rate Limiting | Yes | No | Yes | No
Rapid Spanning Tree | Yes | Yes | Yes | No
Multiple Spanning Tree | Yes | No | Yes | No
Broadcast Control | Yes | Yes | Yes | Yes
Jumbo Frames | No | No | Yes | No
RIP I/RIP II | Yes | Yes | Yes | Yes
OSPF | Yes | No | Yes | Yes
BGP, DVMRP, PIM-DM/SM | No | No | Yes | No
IPv6 | No | No | Yes | No
Routing Redundancy | VRRP | XRN | HSRP | ESRP
Warranty | 5 years | Lifetime (5 years after EOL) | Lifetime | Lifetime (5 years after EOL)
Warranty power supply | 5 years | Lifetime (5 years after EOL) | Lifetime | 3 years

GSM7324
» 24 Gigabit Ethernet ports.
» 4 optional hot-swappable SFP GBIC slots for fiber connection.
» Full Layer 3 management suite.

GSM7324 Competitive chart

FSM7326P
» 24 10/100 Fast Ethernet ports.
» 2 optional hot-swappable SFP GBIC slots for fiber connection.
» IEEE 802.3af Power-over-Ethernet support.
  • 170W of PoE for Powered Devices (PD) such as:
    » 24 VoIP phones
    » 15 WG302 Access Points
    » 10 IP video cameras (drawing full power)
FSM7326P Competitive chart

GSM7312 Performance Specifications
» Forwarding mode: store-and-forward
» Bandwidth: 24Gbps
» Switch latency: < 20 microseconds for 64-byte frames
» System memory: 128Mb
» Packet buffer memory: 122 KB embedded memory per port
» Flash: 16Mb
» Address database size: 16000 MAC addresses
» Addressing: 48 bits

GSM7324 Performance Specifications
» Forwarding mode: store-and-forward
» Bandwidth: 40Gbps
» Switch latency: < 20 microseconds for 64-byte frames
» System memory: 128Mb
» Packet buffer memory: 122 KB embedded memory per port
» Flash: 16Mb
» Address database size: 16000 MAC addresses
» Addressing: 48 bits

FSM7326P Performance Specifications
» Store and forward.
» Bandwidth: 8.8 Gbps (non-blocking).
» Switch latency: < 20 microseconds for 64-byte frames.
» System memory: 128MB.
» Packet buffer memory: 32MB.
» Flash: 16M.
» Address database size: 8000.

GSM7212 Performance Specifications
» Store and forward.
» Bandwidth: 24 Gbps (non-blocking).
» Switch latency: < 20 microseconds for 64-byte frames.
» System memory: 64MB.
» Packet buffer memory: 171 KB per port.
» Flash: 8M.
» Address database size: 8000.
» Number of VLANs: 256
» Number of trunks: 6
» Number of queues: 4

GSM7224 Performance Specifications
» Store and forward.
» Bandwidth: 48 Gbps (non-blocking).
» Switch latency: < 20 microseconds for 64-byte frames.
» System memory: 64MB.
» Packet buffer memory: 122 KB per port.
» Flash: 8M.
» Address database size: 8000.
» Number of VLANs: 228
» Number of trunks: 6
» Number of queues: 4
GSM7312 System Specifications
» Number of VLANs: 228
» Maximum VLAN ID: 4096
» Number of 802.1p traffic classes: 8
» Number of trunks (up to 8 ports each): 6
» Number of routes: 512
» Number of routed VLANs: 24
» Number of ARP entries: 2048
» Number of ACLs (with 10 entries per rule): 100
» Number of queues used for DiffServ: 8
» Maximum rules per class: 8
» Maximum instances per policy: 10
» Maximum attributes per instance: 1
» Maximum service interfaces: 48

GSM7324 System Specifications
» Number of VLANs: 228
» Maximum VLAN ID: 4096
» Number of 802.1p traffic classes: 4
» Number of trunks (up to 8 ports each): 6
» Number of routes: 512
» Number of routed VLANs: 24
» Number of ARP entries: 2048
» Number of ACLs (with 10 entries per rule): 100
» Number of queues used for DiffServ: 4
» Maximum rules per class: 8
» Maximum instances per policy: 10
» Maximum attributes per instance: 1
» Maximum service interfaces: 48

FSM7326P System Specifications
» Number of MAC addresses: 8000
» Number of VLANs: 228
» Maximum VLAN ID: 4096
» Number of 802.1p traffic classes: 4
» Number of trunks (up to 8 ports each): 6
» Number of routes: 16
» Number of routed VLANs: 6
» Number of ARP entries: 2047
» Number of ACLs (with 10 entries per rule): 100
» Number of queues used for DiffServ: 2
» Maximum rules per class: 8
» Maximum instances per policy: 10
» Maximum attributes per instance: 8
» Maximum service interfaces: 16

GSM7324 Front Panel (picture)

GSM7312 Front Panel (picture)

FSM7326P Front Panel (picture)

GSM7212 Front Panel (picture)

GSM7224 Front Panel (picture)

Firmware
» Version 2
» Version 3
  • New CLI
  • Jumbo Frame support
  • Static LAG support
  • DHCP Server
Configurations

Management Interface
» Three ways to manage the switch:
  • Command Line Interface
  • Web Browser Interface
  • SNMP Access
» All three:
  • Provide access to the same information and functions
  • Grant access via user accounts
  • Use a Management VLAN with a default ID of 1
» The CLI is accessible via telnet and the serial port
  • Baud rate: 9600 bps
  • Data bits: 8
  • Parity: None
  • Stop bits: 1
  • Flow control: None

User Account
» To access the switch via CLI, Web or SNMP you must log in as a user
» Two kinds of user:
  • READWRITE user:
    » Has the authority to do anything on the system
    » There is one READWRITE user, who is always enabled
    » The default READWRITE user name is admin
  • READONLY users:
    » Can view but not change data
    » There can be up to five READONLY users
    » The default READONLY user name is guest
» SNMP user accounts are separate from CLI and Web accounts

Setting up user accounts
» Access the switch via the serial port
  • Log in the first time using the admin account
  • By default there is no password
  • Set up a password for the admin account
» Create additional accounts
  • Create additional READONLY user accounts and password protection as required
  • Create SNMP user accounts and password protection as required
» For greater security specify encryption for account access - Secure HTTP/SSH.

Configurable management VLAN
» Configurable Management VLAN:
  • The Management VLAN is used to manage the switch over a network
  • Only one Management VLAN may be associated with a switch
  • The default Management VLAN ID is 1
  • Applies to all network connections
    » Web, telnet and SNMP
  • Does not apply to the service port or any routing interfaces
  • Provides additional control over switch access
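The three slides above amount to a short hardening checklist: the always-enabled READWRITE user ships with no password, at most five READONLY users exist, SNMP has its own accounts, encrypted access (SSH/HTTPS) is preferred, and management can be moved off the default VLAN. The Python below is an added example, not Netgear code, that turns that checklist into an audit over a constructed summary of a switch's management posture; the `Posture` and `Account` records and the sample values are assumptions made for the example, not output of any real Netgear command.

```python
"""Added example (not Netgear's code): check a switch's management-access
posture against the rules on the User Account, Setting up user accounts and
Configurable Management VLAN slides. The Posture record is a constructed
summary an operator would fill in from the switch; it is not parsed from
any real Netgear CLI output."""
from dataclasses import dataclass

MAX_READONLY_USERS = 5                 # "up to five READONLY users"
DEFAULT_MGMT_VLAN = 1                  # default Management VLAN ID
# Clear-text management paths and the encrypted path the slides recommend
SECURE_EQUIVALENT = {"telnet": "ssh", "http": "https"}


@dataclass(frozen=True)
class Account:
    name: str
    role: str           # "READWRITE" or "READONLY"
    has_password: bool


@dataclass
class Posture:
    accounts: list
    services: set       # enabled management paths, e.g. {"telnet", "https", "snmp"}
    mgmt_vlan: int
    snmp_auth: str = "none"   # SNMPv3 authentication: "none", "md5" or "sha"
    snmp_priv: str = "none"   # SNMPv3 encryption: "none" or "des"


def audit(p: Posture) -> list:
    """Return (severity, finding) pairs; an empty list means nothing to fix."""
    out = []
    readwrite = [a for a in p.accounts if a.role == "READWRITE"]
    readonly = [a for a in p.accounts if a.role == "READONLY"]

    # The one always-enabled READWRITE user ships with no password at all.
    for a in readwrite:
        if not a.has_password:
            out.append(("critical", f"READWRITE account '{a.name}' has no password"))
    for a in readonly:
        if not a.has_password:
            out.append(("high", f"READONLY account '{a.name}' has no password"))

    # Limits stated on the slides: exactly one READWRITE user, at most five READONLY.
    if len(readwrite) != 1:
        out.append(("high", f"expected exactly 1 READWRITE account, found {len(readwrite)}"))
    if len(readonly) > MAX_READONLY_USERS:
        out.append(("medium", f"{len(readonly)} READONLY accounts exceeds limit of {MAX_READONLY_USERS}"))

    # Credentials on telnet/HTTP cross the wire in clear; prefer SSH/HTTPS.
    for svc in sorted(p.services):
        if svc in SECURE_EQUIVALENT:
            out.append(("high", f"{svc} enabled; use {SECURE_EQUIVALENT[svc]} instead"))

    # SNMPv1/v2c community strings are unauthenticated; v3 should use auth and priv.
    if "snmp" in p.services:
        if p.snmp_auth == "none":
            out.append(("high", "SNMP access without SNMPv3 authentication"))
        elif p.snmp_priv == "none":
            out.append(("medium", "SNMPv3 authentication without encryption (DES not enabled)"))

    # Management on the default VLAN gives every VLAN 1 port a path to the CLI/Web.
    if p.mgmt_vlan == DEFAULT_MGMT_VLAN:
        out.append(("medium", "management VLAN is the default (1); move it to a dedicated VLAN"))
    return out


# Constructed sample postures: factory-default style versus hardened.
FACTORY_DEFAULT = Posture(
    accounts=[Account("admin", "READWRITE", False), Account("guest", "READONLY", False)],
    services={"telnet", "http", "snmp"},
    mgmt_vlan=1,
)
HARDENED = Posture(
    accounts=[Account("admin", "READWRITE", True), Account("auditor", "READONLY", True)],
    services={"ssh", "https", "snmp"},
    mgmt_vlan=99,
    snmp_auth="sha",
    snmp_priv="des",
)

if __name__ == "__main__":
    for sev, msg in audit(FACTORY_DEFAULT):
        print(f"[{sev}] {msg}")
```

The factory-default posture yields six findings, led by the passwordless admin account; the hardened posture yields none. The VLAN 99 value is only a sample of "some VLAN other than 1".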
Command Line Interface
» Access via the serial port or by telnet
  • Answer the login prompts with a user name and password (blank if none has been set)
» CLI commands follow the industry-standard (IS) format
  • A list of commands is available by typing ? at the prompt
  • Command help is available by typing the command name followed by ?

CLI Modes
The IS-CLI is divided into various modes. The commands available to the operator at any point in time depend upon the mode. At login, the user starts in User Exec Mode. A password is required to enter any other mode.
• User Exec Mode
• Privileged Exec Mode - en
• Global Config Mode - config
• Vlan Mode - vlan database
• Interface Config Mode - interface x/x
• Line Config Mode
• Policy Map Mode
• Policy Class Mode
• Class Map Mode
• Router Config OSPF Mode
• Router Config RIP Mode
• Router Config BGP Mode
• Bandwidth Provisioning Mode
• Bwprovisioning - Trafficclass Mode
• Bwprovisioning - BWAllocation Mode
• DHCP Pool Configuration Mode - ip dhcp pool

CLI Tree Structure (diagram)
ROOT -> User Exec -> enable -> password correct? No: return to the Exec prompt. Yes: Privileged Exec.
From Privileged Exec: VLAN, Bwp, Global Config.
From Global Config: Class Map, Circuit Config, Interface, Policy Map, Line Config, Router Config, IP Config.
User Exec commands are also accessible in Privileged Exec mode.

CLI conventions
» Some commands take no parameters:
  • e.g. show inventory, or snmp-server enable traps
» Most commands take parameters:
  • Parameters are positional and must be entered in the correct order
  • Required parameters (in angle brackets <>) precede optional parameters (in square brackets [])
  • Use of {} indicates a choice of required values
» Begin comments with #
» Reverse the action of a command with no
  • e.g. "no vlan 100" # Remove vlan 100
CLI shortcuts
» When enough letters of a command are typed to uniquely identify it, the command may be:
  • Executed by typing (command abbreviation)
  • Completed by typing the or (command completion)
» The system stores the last 16 commands executed -- access by typing the
» Help is accessed by entering a question mark

Network connectivity via CLI
» Specify IP address information:
  • Privileged Exec Mode:
    » network parms []
» Specify MAC address type and local address if not using the burned-in address:
  • Privileged Exec Mode:
    » network mac-type {local | burnedin}
    » network mac-address
» Set the Management VLAN ID:
  • Privileged Exec Mode:
    » network mgmt_vlan <1-4094> -- default 1
» Display settings:
  • Privileged and User Exec Mode:
    » show network

Web Interface
» http://
» Access using any web browser (e.g. Microsoft Internet Explorer or Netscape)
» Use the IP address of the switch as the URL
» Type the user account name in the login pop-up box
» Provide a password if one has been defined

Using the web interface
» Navigate using the menus in the left side panel
» Pop-up messages are used on the screen as feedback for incorrect input, failed submissions, successful submissions, etc.
» Help text is available by clicking on the "help" button
» If Java is enabled (on the Network Connectivity panel) a picture of the switch is shown - click on a port to bring up the Port Configuration panel

Java Applet (screenshot)

SNMP
» Access using a network control station
» Agent supports SNMPv1, SNMPv2 and SNMPv3
» SNMP user accounts are similar to CLI/Web accounts
  • A password may be defined
  • Authentication is available:
    » MD5
    » SHA
  • Encryption is available:
    » DES

SNMP structure (diagram)
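The SNMP slide lists MD5 or SHA authentication and DES encryption for SNMP user accounts, which is the SNMPv3 User-based Security Model. An SNMPv3 agent never stores the user's password: RFC 3414 stretches the password into a key and then localizes it with the agent's engine ID, so the same password produces a different key on every switch. The Python below is an added example, not Netgear code, implementing those two steps from RFC 3414 Appendix A.2 and checking them against the RFC's own Appendix A.3 test vectors; the second engine ID is a constructed value used only to show that localization differs per device.

```python
"""Added example (not Netgear's code): SNMPv3 USM password-to-key and key
localization from RFC 3414 Appendix A.2, for the MD5 and SHA authentication
choices on the SNMP slide. Test vectors come from RFC 3414 Appendix A.3;
OTHER_ENGINE_ID is constructed for the example."""
import hashlib

ONE_MEBIBYTE = 1024 * 1024


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku = H(password repeated out to exactly 1,048,576 bytes).
    The 1 MiB of hashing slows brute force a little, but a short or common
    password is still recoverable from a captured authenticated message."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEBIBYTE, len(password))
    h = hashlib.new(algorithm)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-agent key actually stored."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algorithm: str = "sha1") -> str:
    """Convenience wrapper: password string plus hex engine ID to hex localized key."""
    ku = password_to_key(password.encode(), algorithm)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algorithm).hex()


RFC_ENGINE_ID = "000000000000000000000002"      # engine ID used in RFC 3414 A.3
OTHER_ENGINE_ID = "800000090300aabbccddeeff"    # constructed, not from the RFC

if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(alg, localized_key_hex("maplesyrup", RFC_ENGINE_ID, alg))
    # Same password, different engine: a key captured from one device does
    # not authenticate to another, which is the point of localization.
    print(localized_key_hex("maplesyrup", OTHER_ENGINE_ID)
          != localized_key_hex("maplesyrup", RFC_ENGINE_ID))
```

Localization limits the blast radius of one compromised agent, but it does not protect a weak password, and the MD5/DES options on this slide are the original RFC 3414 algorithms; later RFCs added AES (RFC 3826) and SHA-2 (RFC 7860) for agents that support them.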
MIBs
» RFC 1213 -- Interfaces MIB
» RFC 1493 -- Bridge MIB
» RFC 1643 -- Ethernet MIB
» RFC 1657 -- BGP4 MIB
» RFC 1724 -- RIP Version 2 MIB
» RFC 1850 -- OSPF Version 2 MIB
» RFC 2233 -- Interfaces Group MIB
» RFC 2674 -- VLAN Bridge MIB
» RFC 2787 -- Virtual Router Redundancy Protocol
» RFC 2819 -- RMON MIB
» RFC 2932 -- IPv4 Multicast Routing MIB
» RFC 2933 -- IGMP MIB
» RFC 2934 -- PIM MIB
» RFC 3289 -- Differentiated Services MIB
» IEEE 802.3 Annex 30c -- Link Aggregation
» Plus LVL7 enterprise MIB
» Draft DVMRP

RMON
» SNMP includes an RMON agent.
» Supports the RMON MIB, RFC 2819
  • Group 1 - Statistics
  • Group 2 - History
  • Group 3 - Alarm
  • Group 9 - Event
» No configuration parameters are required.
» All communication is via USMDB.

Initial Setup
» Default - DHCP
» CLI
» Web interface

Initial Setup - CLI
» Management IP
» Default - DHCP
» Configure static IP
  • network protocol none (turn off DHCP)
  • network parms
» Save configuration
  • copy system:running-config nvram:startup-config
» Show current firmware version
  • en
  • show hardware

Initial Setup (screenshot)

Initial Setup - Web (screenshot)

Flow Control
» Flow Control
  • Flow control is used to temporarily suspend transmission of data to a device to avoid overloading its receive path
  • Flow control is implemented as specified in IEEE 802.3 Annexes 31A and 31B (formerly IEEE 802.3x)
  • Flow control is configurable for:
    » The entire switch via CLI, Global Config mode: [no] storm-control flowcontrol
    » The entire switch via SNMP: agentSwitchDot3FlowControlMode
    » Each port via SNMP (not for Switchcore CXE): agentPortDot3FlowContolMode
Broadcast Storm Recovery
» Broadcast Storm Recovery, by port speed:
  • Broadcast traffic is checked against the high threshold
  • If exceeded, broadcast traffic is discarded until traffic diminishes to the low threshold
» CLI -- [disable] enable in Global Config mode:
  » [no] switchconfig stormcontrol broadcast
» Broadcast Storm Thresholds:
  Link Speed | High | Low
  10 Mbps    | 20%  | 10%
  100 Mbps   | 5%   | 2%
  1000 Mbps  | 5%   | 2%

Flow control / Broadcast Storm (Web Admin) (screenshot)

Port Configuration
» Set port speed and type or have the ports auto-negotiate:
  • Global Config mode:
    » speed all {{100 | 10} {half-duplex | full-duplex} | 1000 full-duplex}
    » [no] auto-negotiate all
  • Interface Config mode:
    » speed {{100 | 10} {half-duplex | full-duplex} | 1000 full-duplex}
    » [no] auto-negotiate
» Set maximum transmission unit size:
  • Interface Config mode:
    » [no] mtu <1572-9216>
    » Allows for jumbo frames
With firmware version 3.0.3.2 or above, the switches support setting the port speed to 1000M full duplex for copper connections. Fiber connections have to be auto-negotiated.

Port Configuration (Web admin) (screenshot)

Jumbo Frame (version 3 only)
» Jumbo Frame Support
  • Allows packets longer than the maximum defined in IEEE 802.3 to be received and transmitted
  • Useful for certain applications -- e.g. Network File Support
  • May be necessary for DVLAN tagging
  • Extends the maximum Ethernet frame size from 1518 (1522 with VLAN tag) to 9216 bytes
  • All devices in the same broadcast domain should support the same maximum frame size
  • Platform-dependent
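The Broadcast Storm Recovery slide above describes a two-threshold rule: discarding starts when broadcast traffic exceeds the high threshold and stops only when it falls to the low threshold. That gap matters because a loop or a misbehaving host rarely produces a rate that drops straight to zero; a single threshold would re-admit the storm as soon as it dipped. The Python below is an added example, not Netgear code, modelling that hysteresis with the slide's per-speed percentages over constructed per-interval utilisation samples.

```python
"""Added example (not Netgear's code): the high/low threshold behaviour of
Broadcast Storm Recovery, modelled as a hysteresis state machine over
constructed per-interval broadcast utilisation samples (percent of link)."""

# Thresholds from the slide, percent of link bandwidth: speed -> (high, low)
STORM_THRESHOLDS = {10: (20.0, 10.0), 100: (5.0, 2.0), 1000: (5.0, 2.0)}


def threshold_mbps(link_speed_mbps: int) -> tuple:
    """Absolute broadcast rate (Mbit/s) at which discarding starts and stops."""
    high, low = STORM_THRESHOLDS[link_speed_mbps]
    return (link_speed_mbps * high / 100, link_speed_mbps * low / 100)


def storm_recovery(link_speed_mbps: int, samples: list) -> list:
    """For each sampled broadcast utilisation, return True while broadcast
    traffic is being discarded. Discarding starts when a sample exceeds the
    high threshold and ends only once a sample is at or below the low
    threshold, so a rate hovering between the two does not flap."""
    high, low = STORM_THRESHOLDS[link_speed_mbps]
    discarding = False
    state = []
    for pct in samples:
        if not discarding and pct > high:
            discarding = True
        elif discarding and pct <= low:
            discarding = False
        state.append(discarding)
    return state


def discard_intervals(link_speed_mbps: int, samples: list) -> int:
    """How many sample intervals spent discarding; a quick metric for alerting."""
    return sum(storm_recovery(link_speed_mbps, samples))


# Constructed samples: a loop-induced burst that decays slowly, then recurs.
SAMPLES = [1.0, 6.0, 4.0, 3.0, 2.0, 1.0, 6.0]

if __name__ == "__main__":
    print("100 Mbps :", storm_recovery(100, SAMPLES))
    print("10 Mbps  :", storm_recovery(10, SAMPLES))
    print("1000 Mbps thresholds (Mbit/s):", threshold_mbps(1000))
```

At 100 Mbps the 4% and 3% samples sit between the two thresholds, so discarding continues until the 2% sample; the same burst on a 10 Mbps link never reaches the 20% high threshold and is admitted throughout.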
Frame size management
» Interface Config Mode command:
  • Set the maximum frame size for an interface
    » mtu <1522-9216>
» Privileged Exec Mode command:
  • Display the current frame size for an interface
    » show interface ethernet

Port Mirroring
» Any Ethernet port can be used as a probe port by an external network monitor
» The probe port transmits a copy of the traffic being mirrored, although not at media speed
» The probe port no longer participates in the network, nor in any network protocols
» No standards or RFCs apply
  • The Enterprise Switching MIB is used to support this feature

Port Mirroring Specifications
» Only one probe port, which will mirror only one mirrored port
  • Probe port and mirrored port cannot be the same port
  • LAG interfaces or LAG members cannot be probe or mirrored ports
  • The CPU port cannot be a probe or mirrored port
» End user configuration is not preserved when a probe is "deconfigured" as a probe port
» Cannot mirror traffic to/from the internal bridge/router interface
» Directional mirroring, i.e. monitoring only the receive path or the transmit path, is not supported

Port Mirroring CLI
» Global Config Mode commands:
  • Configure probe port and mirrored port
    » monitor session source destination
  • Then enable mirroring for the box
    » monitor session mode
  • To disable the probe and mirrored ports
    » [no] monitor session
  • Then disable mirroring for the box
    » [no] monitor session mode
  • Add the probe port back to any VLANs
» Privileged Exec Mode command to display mode and ports:
  » show monitor

Port Mirroring (Web admin) (screenshot)

DHCP Server - Web config (screenshot)

DHCP Server - Pool Config Manual Binding (screenshot)
DHCP Server - Pool Config Dynamic Binding
Using dynamic binding, make sure the network number and mask are in the same subnet as the system's IP/netmask or one of the routing interfaces' IP/netmask.

DHCP Server - Reset Config (screenshot)

DHCP Server - Binding Info (screenshot)

DHCP Server - Server Stat (screenshot)

VLAN
» Allows a network to be logically segmented without regard to the physical location of devices on the network.
» One physical network becomes multiple logical networks.
» The logical networks may (but need not) correspond to subnets.
» Segmentation provides:
  • Better administration
  • Better security
» The VLAN tag in frames optionally carries priority information.
» Traffic between VLANs must be routed.

VLAN
» IEEE 802.1Q VLAN support:
  • Allows a network to be logically segmented without regard to the physical location of devices on the network
  • One physical network becomes multiple logical networks
  • The logical networks may (but need not) correspond to subnets
  • Segmentation provides:
    » Better administration
    » Better security
    » Better management of multicast traffic
    » While maintaining Layer 2 forwarding speed
  • The VLAN tag in frames optionally carries priority information
  • Traffic between VLANs must be routed

VLAN implementation
» IEEE 802.1Q VLAN Support
  • Standard established method to insert a VLAN tag into an Ethernet frame to specify VLAN membership.
  • Ports may belong to multiple VLANs
  • VLAN membership may be based on port or protocol
  • 802.1p can optionally be added to specify priority.
  • When an individual port is added to a LAG any VLAN membership is suspended; membership is automatically restored if the port is removed from the LAG.
802.1Q Tagged VLAN (frame layout)
Untagged frame: Destination | Source | Length/Type | Data
Tagged frame:   Destination | Source | TPID | TCI | Length/Type | Data
TCI fields:     Priority | CFI | VLAN ID

Ingress
» Ingress rules:
  • Acceptable Frame Types parameter defaults to Admit All Frames
  • Port VLAN ID -- default is 1, can be assigned by port or protocol
  • Ingress filtering defaults to disabled
» Forwarding rules based on:
  • VLAN membership
  • Spanning tree state (forwarding)
  • Frame type (unicast or multicast)
  • Filters

Egress
» Egress rules:
  • Spanning tree state (forwarding)
  • VLAN membership
  • Untagged frames only forwarded if embedded addresses are canonical
» Exempt frames:
  • Spanning tree BPDUs
  • GVRP BPDUs
  • Frames used for control purposes, e.g. LAG PDUs, flow control

VLAN CLI
» Privileged and User Exec Mode commands:
  • Display summary information for all configured VLANs
    » show vlan brief
  • Display detailed information for a specific VLAN
    » show vlan <1-4094>
  • Display port-specific information for one or more VLANs
    » show vlan port {}

VLAN CLI (Database Mode)
» VLAN Database Mode commands:
  » vlan database
  • [Delete] create a new VLAN and assign an ID
    » [no] vlan <2-4094>
  • [Reset] assign a name to a VLAN; VLAN 1 is always named Default, the default for other VLANs is a blank string
    » [no] vlan name <2-4094>
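The frame layout and Ingress slides above fix how a switch decides which VLAN an arriving frame belongs to: the 802.1Q TCI carries a 3-bit Priority, a CFI bit and a 12-bit VLAN ID; untagged (and priority-tagged, VID 0) frames take the port's PVID; a port set to admit only VLAN-tagged frames discards the rest; and ingress filtering, when enabled, discards frames whose VID the port is not a member of. The Python below is an added example, not Netgear code, that parses the tag and applies those rules, then maps the Priority through the default user-priority to traffic-class table from the 802.1p slide later in the deck. The `PortVlanConfig` record, the frame builder and the addresses are constructed for the example; the field names mirror the CLI keywords (pvid, acceptframe, ingressfilter) but are not the switch's own data model.

```python
"""Added example (not Netgear's code): parse the 802.1Q tag from the frame
layout slide and apply the Ingress rules (Acceptable Frame Types, PVID,
ingress filtering) plus the default 802.1p priority-to-traffic-class map.
All frames, addresses and port settings below are constructed."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
# Default mapping from the 802.1p slide: user priority -> traffic class
DOT1P_DEFAULT_MAP = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional TCI fields, type and data."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False, "priority": None,
                "cfi": None, "vid": None, "ethertype": tpid, "data": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True,
            "priority": tci >> 13,        # 3-bit Priority
            "cfi": (tci >> 12) & 1,       # 1-bit CFI
            "vid": tci & 0x0FFF,          # 12-bit VLAN ID
            "ethertype": ethertype, "data": frame[18:]}


def build_frame(dst: bytes, src: bytes, ethertype: int, data: bytes,
                vid: int = None, priority: int = 0) -> bytes:
    """Constructed test frames; vid=None means untagged, vid=0 priority-tagged."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (priority << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + data


@dataclass
class PortVlanConfig:
    pvid: int = 1                        # default PVID is 1
    acceptframe: str = "all"             # "all" (Admit All Frames) or "vlanonly"
    ingressfilter: bool = False          # defaults to disabled
    member_vlans: frozenset = frozenset({1})
    default_priority: int = 0            # priority applied to untagged frames


def classify_ingress(port: PortVlanConfig, frame: bytes) -> tuple:
    """Return (decision, vid, traffic_class) for a frame arriving on `port`."""
    f = parse_frame(frame)
    if f["tagged"] and f["vid"] != 0:
        vid, prio = f["vid"], f["priority"]
    else:
        # Untagged, or priority-tagged (VID 0): the PVID supplies the VLAN.
        if port.acceptframe == "vlanonly":
            return ("discard: only VLAN-tagged frames admitted", None, None)
        vid = port.pvid
        prio = f["priority"] if f["tagged"] else port.default_priority
    if port.ingressfilter and vid not in port.member_vlans:
        return ("discard: ingress filtering, port not in VLAN", vid, None)
    return ("forward", vid, DOT1P_DEFAULT_MAP[prio])


# Constructed addresses and frames
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
UNTAGGED = build_frame(DST, SRC, 0x0800, b"ip-payload")
TAGGED_20 = build_frame(DST, SRC, 0x0800, b"ip-payload", vid=20, priority=5)
PRIO_ONLY = build_frame(DST, SRC, 0x0806, b"arp", vid=0, priority=1)

if __name__ == "__main__":
    port = PortVlanConfig(pvid=10, member_vlans=frozenset({10}), ingressfilter=True)
    for fr in (UNTAGGED, TAGGED_20, PRIO_ONLY):
        print(classify_ingress(port, fr))
```

With ingress filtering left at its default (disabled), the VLAN 20 frame is accepted on a port that is only a member of VLAN 10, which is why the slides list ingress filtering as a per-port option rather than an automatic behaviour.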
VLAN CLI (Global Config Mode)
» Global Config Mode commands:
  • Configure the participation of all interfaces for a VLAN
    » vlan participation all {exclude | include | auto} <1-4094>
  • Configure the frame acceptance mode of all interfaces for all VLANs
    » vlan port acceptframe all {all | vlanonly}
  • [Disable] enable ingress filtering for all interfaces for all VLANs
    » [no] vlan port ingressfilter all
  • [Disable] enable transmission of tagged frames for all interfaces for a VLAN
    » [no] vlan port tagging all <1-4094>
  • [Reset] set the PVID for all interfaces for all VLANs
    » [no] vlan port pvid all <1-4094>

VLAN CLI (Interface Config Mode)
» Interface Config Mode commands:
  » config
  » interface 0/x
  • Configure the participation of an interface for a VLAN
    » vlan participation {exclude | include | auto} <1-4094>
  • Configure the frame acceptance mode of an interface for all VLANs
    » vlan acceptframe {all | vlanonly}
  • [Disable] enable ingress filtering for an interface for all VLANs
    » [no] vlan ingressfilter
  • [Disable] enable transmission of tagged frames for an interface for a VLAN
    » [no] vlan tagging <1-4094>
  • [Reset] set the PVID for an interface for all VLANs
    » [no] vlan pvid <1-4094>

VLAN Web Management (screenshot)

VLAN port config - Web (screenshot)

VLAN Example 1 (diagram: VLAN1, VLAN2, VLAN3, VLAN4)
Create the VLANs:
  vlan database
  vlan 1
  vlan name 1 vlan1
  vlan 2
  vlan name 2 vlan2
  vlan 3
  vlan name 3 vlan3
  vlan 4
  vlan name 4 vlan4
Assign membership:
  config
  interface 0/1
  vlan participation include 1
  vlan pvid 1
  exit
  interface 0/2
  vlan participation include 2
  vlan pvid 2
  exit

VLAN Example 2 (diagram: port 1 included in all of VLAN1, VLAN2, VLAN3, VLAN4)
» Port 1 belongs to all four VLANs. All the ports can access port 1 but not each other.
» Create a common VLAN including all the ports.
» Create individual VLANs, each of which includes port 1.

VLAN trunking
» Propagate VLAN information between switches.
» VTP (VLAN Trunk Protocol) - proprietary to Cisco.
» Trunk port - connects two switches that share VLAN information.
  • Included in all the VLANs that need to be trunked.
  • The trunk port must be tagged in all VLANs.
  • GARP (Generic Attribute Registration Protocol)
    » GVRP and GMRP

VLAN Example 3 (diagram: two switches, each with VLAN1-VLAN4 and a trunk port)
» Include the trunk port in all the VLANs
» The trunk port is tagged in all the VLANs
» The PVID of the trunk port doesn't matter.

VLAN Example 4 (diagram: uplink to the Internet, two switches with VLAN1-VLAN4 and trunk ports)
» Create a common VLAN in switch #1.
» Include all the ports in the common VLAN.
» The PVID of the uplink port is the VLAN ID of the common VLAN.
» The PVIDs of the other ports are their own individual VLAN IDs.
» Include the trunk ports in every VLAN.
» The trunk ports need to be tagged in every VLAN.

802.1p
» IEEE 802.1p specifies how priority is carried in a packet header
» Netgear 7000 series switches support:
  • Per-port configuration of the default priority for packets received without a priority tag (platform dependent)
  • Configuration of the mapping of 802.1p priority levels to the switch's priority queues (per-port mapping is platform dependent)
» Default mapping:
  » User priority 0 to traffic class 2
  » User priority 1 to traffic class 0
  » User priority 2 to traffic class 1
  » User priority 3 to traffic class 3
  » User priority 4 to traffic class 4
  » User priority 5 to traffic class 5
  » User priority 6 to traffic class 6
  » User priority 7 to traffic class 7
802.1p CLI
» Global Config Mode commands:
  • Configure the priority for untagged packets for all ports
    » vlan port priority all
» Interface Config Mode commands:
  • Configure the priority for untagged packets for one port
    » vlan port priority
  • Map an 802.1p priority to an internal traffic class for one port (traffic classes are platform dependent)
    » classofservice dot1pmapping -- valid values are 0-7 for both parameters

802.1p CLI
» Privileged or User Exec mode commands:
  • Display the default 802.1p priority for all ports
    » show vlan port all
  • Display the default 802.1p priority for one port
    » show vlan port
  • Display the current mapping of 802.1p priorities to internal traffic classes for all ports
    » show classofservice dot1pmapping
  • Display the current mapping of 802.1p priorities to internal traffic classes for one port
    » show classofservice dot1pmapping

802.1p web admin (screenshot)

802.1p web admin (screenshot)

Protocol Based VLAN
» Protocol-based filters for selective frame processing
» Ingress packet classification by protocol and port reduces unwanted traffic
  • VLAN ID for untagged or priority-tagged frames is based on port and protocol ID
  • Processing for tagged frames is unchanged
» Traffic bridged through user-specified ports

Protocol Based VLAN (diagram)

Protocol Based VLAN (diagram)
PBVLAN Implementation
» Uses the "VID Set" concept
  • Multiple VID values per port
» Untagged or priority-tagged frame and VID association
  • Based on the port of arrival and the protocol identifier of the frame
» Assigning the VID
  • The frame VID is selected from the VID Set of the arrival port
  • If a Protocol Group Identifier associated with the port is equal to the Protocol Group Identifier of the frame, the VID is a member of the VID set
  • Else, the frame VID is the PVID associated with the port

PBVLAN CLI
» Global Config commands to manage a PBVLAN:
  • Create a group and assign a group ID
    » vlan protocol group
  • Delete a group
    » vlan protocol group remove
» Privileged Exec Mode display command:
  • Display information for one or more groups -- use the 'all' parameter to find out which group ID was assigned to a new group
    » show port protocol { | all}

PBVLAN CLI
» Global Config Mode commands:
  • [Remove] add a protocol (IP, IPX or ARP) to a PBVLAN
    » [no] vlan protocol group add protocol
  • [Remove] add all interfaces to a PBVLAN
    » [no] protocol vlan group all
» Interface Config Mode commands:
  • [Remove] add an interface to a PBVLAN
    » [no] protocol vlan group
» VLAN Database Mode commands:
  • [Remove] attach a VLAN to a PBVLAN
    » [no] protocol group

PBVLAN (Web Admin) (screenshot)

GARP
• GARP provides a generic attribute dissemination protocol used to support other protocols such as GVRP
• Used to register and deregister attribute values with other GARP participants within bridged LANs
• When a GARP participant declares or withdraws a given attribute, the attribute value is recorded with the applicant state machine for the port from which the declaration or withdrawal was made
• There exists a GARP participant per port per GARP application (e.g. GVRP)
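The PBVLAN Implementation slide gives the assignment rule in words: an untagged or priority-tagged frame takes the VID of a protocol group that contains both its arrival port and its protocol; otherwise it takes the port's PVID. The Python below is an added example, not Netgear code, that implements that rule for the three protocols the PBVLAN CLI accepts (IP, IPX, ARP), computes each port's VID set, and, as an assumption of this example rather than anything the slides state, flags the ambiguous case where two groups claim the same protocol on the same port. The group and port values are constructed.

```python
"""Added example (not Netgear's code): the VID-set rule from the PBVLAN
Implementation slide. An untagged or priority-tagged frame takes the VID of
a protocol group containing both its arrival port and its protocol,
otherwise the port's PVID. Groups, ports and PVIDs below are constructed."""
from dataclasses import dataclass

# Ethertypes of the three protocols the PBVLAN CLI accepts (IP, ARP, IPX)
ETHERTYPE = {"IP": 0x0800, "ARP": 0x0806, "IPX": 0x8137}


@dataclass(frozen=True)
class ProtocolGroup:
    group_id: int
    protocols: frozenset      # ethertypes added to the group
    vlan_id: int              # VLAN attached to the group
    ports: frozenset          # interfaces added to the group


def vid_set(port: str, pvid: dict, groups: list) -> frozenset:
    """All VIDs a frame arriving on `port` can be assigned: PVID plus group VLANs."""
    return frozenset({pvid[port]} | {g.vlan_id for g in groups if port in g.ports})


def assign_vid(port: str, ethertype: int, pvid: dict, groups: list) -> int:
    """Frame VID selected from the arrival port's VID set."""
    for g in sorted(groups, key=lambda g: g.group_id):
        if port in g.ports and ethertype in g.protocols:
            return g.vlan_id
    return pvid[port]          # no matching protocol group: fall back to the PVID


def conflicts(groups: list) -> list:
    """(port, ethertype, group ids) where two groups claim the same protocol on
    the same port; treated here as a misconfiguration worth flagging (assumption)."""
    seen = {}
    for g in groups:
        for p in g.ports:
            for et in g.protocols:
                seen.setdefault((p, et), []).append(g.group_id)
    return sorted((p, et, ids) for (p, et), ids in seen.items() if len(ids) > 1)


# Constructed configuration: IP/ARP on ports 0/1-0/2 -> VLAN 10, IPX on 0/1 -> VLAN 20
PVID = {"0/1": 1, "0/2": 1, "0/3": 5}
GROUPS = [
    ProtocolGroup(1, frozenset({ETHERTYPE["IP"], ETHERTYPE["ARP"]}), 10, frozenset({"0/1", "0/2"})),
    ProtocolGroup(2, frozenset({ETHERTYPE["IPX"]}), 20, frozenset({"0/1"})),
]

if __name__ == "__main__":
    print("VID set of 0/1:", sorted(vid_set("0/1", PVID, GROUPS)))
    print("IP on 0/1 ->", assign_vid("0/1", ETHERTYPE["IP"], PVID, GROUPS))
    print("IPX on 0/2 ->", assign_vid("0/2", ETHERTYPE["IPX"], PVID, GROUPS))
    print("conflicts:", conflicts(GROUPS))
```

Because the fallback is the PVID, any protocol not named in a group for that port lands in the PVID VLAN; when the PVID is the default VLAN 1, that is where unexpected traffic ends up, which is worth remembering when VLAN 1 is also the management VLAN.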
GARP VLAN Registration Protocol (GVRP)
• GVRP propagates VLAN membership throughout a network
• GVRP allows end stations and switches to issue and revoke declarations relating to VLAN membership
• VLAN registration is made in the context of the port that receives the GARP PDU and is propagated to the other active ports
• GVRP is disabled by default -- the user must enable GVRP for the switch and then for individual ports
• Dynamic VLANs are aged out after the LeaveAllTimer expires three times without receipt of a join message

GARP Multicast Registration Protocol (GMRP)
• GMRP propagates group membership throughout a network
• GMRP allows end stations and switch devices to issue and revoke declarations relating to group membership
• (De)registration updates the Multicast Forwarding Database - multicast packets are only forwarded through ports with a GMRP registration
• GMRP is disabled by default -- the user must enable GMRP for the switch and then for individual ports

Link Aggregation

Link Aggregation (Trunk)
» Link Aggregation (LAG)
  • Link Aggregation, or Trunking, allows IEEE 802.3 MAC interfaces to be grouped together logically to appear as one physical link
  • LAG provides automatic redundancy between two devices
  • Each link of a LAG must run at the same speed and must be in full duplex mode
  • LAGs behave like any other Ethernet link to a VLAN
  • A LAG can be a member of a VLAN
  • A LAG is treated as a physical port with the same configuration parameters, spanning tree port priority, path cost, etc.
  • A router port may be a member of a LAG, but routing will be disabled while it is a member
Slide 103: LAG Implementation
» Interface restrictions:
  • LAG speed may not be changed
  • Routing is not supported on links in a LAG
  • An interface can belong to only one LAG
» Number of LAGs and number of members vary by platform
  • Maximum of 8 LAGs with a maximum of 8 members each on the Reference Platform
» Supports IEEE 802.3 Clause 43 with minor exceptions:
  • No optional features supported, e.g. Marker Generator/Receiver
  • Mux machine implemented as coupled, not independent, control
  • Some MIB variables not supported (see later slide)
  • Static LAG supported in version 3 only

Slide 104: Static LAG
» Manual Aggregation
  • If the partner does not respond with LACPDUs, the system will wait 3 seconds and aggregate manually
  • This configuration should only be enabled if both parties are 802.3ad-compliant and have the protocol enabled
  • LAGs should be configured and STP enabled on both devices before connecting cables
  • Manual aggregation uses default values:
    » If a LACPDU is received with different values, the link will drop out
    » When all member links have dropped out, the group will re-aggregate with the new information
  • Manual aggregation is disabled by default, and when enabled applies to all LAG interfaces

Slide 105: LAG

Slide 106: LAG CLI
» Global Config mode CLI commands to create a LAG:
  • Configure the LAG
    » port-channel
  • Use show port-channel all to display the logical slot/port
    » port-channel name {<logical slot/port> | all}
    » [no] port-channel linktrap {<logical slot/port> | all}
  • Delete all ports from a LAG:
    » deleteport all
  • Delete a LAG:
    » no port-channel {<logical slot/port> | all}
Slide 107: LAG CLI
» Interface Config mode CLI commands to configure a LAG:
  • Add ports:
    » addport
  • Delete ports:
    » deleteport
  • Delete one or all LAGs:
    » delete interface {<logical slot/port> | all}
» Privileged Exec mode CLI command to display LAG information:
  • Returns mode information
  • Lists members -- slot.port notation, link speed
    » show port-channel {<logical slot/port> | all}

Slide 108: Static LAG CLI
» Global Config Mode commands to disable/enable static capability for the switch:
  • port-channel staticcapability
    » All LAGs with configured members but no active members will now aggregate statically on link-up interfaces
    » No effect on dynamic LAGs
  • no port-channel staticcapability
    » Active members of static LAGs will drop. A LAG with no active members will go down
» Privileged and User Exec Mode display command:
  • show port-channel brief
    » Displays whether static capability is enabled

Slide 109: Link Aggregation - Web

Slide 110: Link Aggregation - Web

Slide 111: Link Aggregation on Netgear managed switches
» Smart Switches -- static LAG
» 700 series switches -- LACP and static LAG
» 7000 series switches -- LACP and static LAG
» Both switches in a LAG have to use the same type of link aggregation
» Only version 3 firmware supports static LAG on the 7000 series switches

Slide 112: Multicast Forwarding Database
» Allows co-existence of different Layer 2 multicast protocols
» Maintains a shared VLAN ID-MAC address table
» Current users (no component interaction):
  • GARP Multicast Registration Protocol (GMRP)
  • IGMP Snooping
  • Static MAC Filtering
» Types of entries:
  • Static -- configured by the end user
  • Dynamic (network configured) -- e.g. GMRP
  • Dynamic (network assisted) -- e.g. IGMP Snooping
Slide 113: MFDB Table - Standard and Management
» Standards:
  • No IEEE standards or IETF RFCs exist
» MIBs supported:
  • Supported by the FASTPATH Enterprise Switching MIB
  • Objects supported:
    » agentSwitchMFDBTable
    » agentSwitchMFDBSummaryTable
» CLI display commands:
  • Display the entire table or a specific entry
    » show mfdb table
  • Display the table for a given protocol
    » show mfdb
  • Display the MFDB statistics
    » show mfdb stats

Slide 114: MFDB - CLI
» Privileged Exec Mode commands to display MFDB information:
  • Display one or all multicast entries
    » show mac-address-table multicast { | all}
  • Display the GMRP entries
    » show mac-address-table gmrp
  • Display the IGMP Snooping entries
    » show mac-address-table igmpsnooping
  • Display one or all static MAC filtering entries
    » show mac-address-table static { | all}
  • Display the static filtering entries
    » show mac-address-table staticfiltering
  • Display the MFDB statistics
    » show mac-address-table stats

Slide 115: MFDB table
» Table entries consist of:
  • VLAN ID
    » VLAN IDs 1-4095 when running IVL
    » VLAN ID 0 only when running SVL
  • Group MAC address
  • Up to L7_MFDB_MAX_USERS user components
» User components consist of:
  • One of the component IDs in the L7_COMPONENT_IDS_t type
  • 16-bit entry description
    » Bitmask of forwarding list of interfaces
    » Bitmask of filtering list of interfaces
» Entries are updated by the controlling protocol
Slide 116: IGMP Snooping
» Restricts IP multicast traffic to interested nodes
» Builds entries for the Multicast Forwarding Database
  • IP addresses are collapsed to MAC addresses
    » 01:00:5E:XX:XX:XX filled in with the last 23 bits of the IP address
    » 230.1.2.3 folds into 01:00:5E:01:02:03
    » Only 23 of the 28 variable group-address bits survive the fold, so 32 different groups share each MAC and the MFDB cannot tell them apart
  • IGMP entries are aged out using a configurable query interval timer
  • IGMP Leave Group messages trigger IGMP Queries
  • Topology changes trigger IGMP General Queries from STP root bridges

Slide 117: IGMP Snooping
» Decodes IGMP Membership Reports (Joins) and Leave Group messages:
  • Identifies ports requesting multicast traffic
» Decodes IGMP Query messages and PIM and DVMRP control frames:
  • Builds a list of multicast routers
» Limitations:
  • Number of entries for IGMP Snooping limited by the size of the Multicast Forwarding Database
    » Platform-dependent
    » MFDB is shared with GMRP and Static MAC Filtering

Slide 118: IGMP Snooping (diagram)
The multicast router sends IGMP Queries to the IGMP snooping switches; the multicast clients send IGMP Report/Join and Leave messages; the switches record the result in the MFDB table

Slide 119: IGMP Snooping Implementation
» Implemented in conformance with the IETF Internet-Draft dated January 2002 (draft-ietf-magma-snoop, later published as RFC 4541)
  • The Enterprise Switching MIB is used to support this feature
» Implementation options chosen:
  • Multicast router list built based on the arrival port of IGMP Queries
  • Code supports IGMP, DVMRP, PIMv1 and PIMv2 messages (IP protocol numbers 2 and 103)
  • Proxy reporting is not supported
  • Unregistered packets are flooded; no configuration option to suppress this behavior
  • IGMP and multicast frames are only forwarded within a VLAN
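The address fold on the IGMP Snooping slide and the VLAN ID/MAC keyed table it feeds, as an added Python example (not code from this NETGEAR deck). It reproduces 230.1.2.3 -> 01:00:5E:01:02:03, enumerates the 32 groups that share a MAC, and runs a constructed Join/Leave sequence through a small model of the MFDB to show the consequence: a port that joined 230.1.2.3 also receives 239.129.2.3 because the two groups share an entry, and entries are per VLAN. The class name SnoopingMfdb and the port and VLAN numbers are made up for the example.

```python
"""IGMP snooping: group address to MAC folding and the MFDB it builds.

Added example (not code from the NETGEAR deck). group_to_mac() is the
23-bit fold on the "IGMP Snooping" slide (230.1.2.3 -> 01:00:5E:01:02:03);
SnoopingMfdb is a constructed model of the VLAN ID + MAC keyed table, used
to show that two groups with the same MAC share one entry and one port list.
"""
import ipaddress


def group_to_mac(group: str) -> str:
    """Fold an IPv4 multicast group into its 01:00:5E:xx:xx:xx Ethernet address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = (0x01005E << 24) | (int(addr) & 0x7FFFFF)   # keep only the low 23 bits
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> list:
    """The 32 group addresses (5 dropped bits) that fold onto the same MAC as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23)) for hi in range(32)]


class SnoopingMfdb:
    """(VLAN ID, group MAC) -> set of ports that asked for the group."""

    def __init__(self):
        self.entries = {}

    def report(self, vlan: int, group: str, port: str) -> None:
        """IGMP Membership Report (Join) seen on `port`."""
        self.entries.setdefault((vlan, group_to_mac(group)), set()).add(port)

    def leave(self, vlan: int, group: str, port: str) -> None:
        """IGMP Leave Group seen on `port`; the entry goes away with its last port."""
        key = (vlan, group_to_mac(group))
        ports = self.entries.get(key)
        if ports is None:
            return
        ports.discard(port)
        if not ports:
            del self.entries[key]

    def forwarding_ports(self, vlan: int, group: str) -> set:
        """Ports a data frame for `group` in `vlan` goes to (empty = unregistered, so flooded)."""
        return set(self.entries.get((vlan, group_to_mac(group)), set()))


def demo() -> dict:
    """Constructed sequence: one host joins 230.1.2.3 on port 0/3 in VLAN 10."""
    mfdb = SnoopingMfdb()
    mfdb.report(10, "230.1.2.3", "0/3")
    return {
        "entries": len(mfdb.entries),
        "wanted": mfdb.forwarding_ports(10, "230.1.2.3"),
        "collision": mfdb.forwarding_ports(10, "239.129.2.3"),   # same MAC, never joined
        "other_vlan": mfdb.forwarding_ports(20, "230.1.2.3"),    # snooping is per VLAN
    }
```

When choosing group addresses for a network behind a snooping switch, pick them so that no two groups in use collide under the fold; the switch cannot separate them.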
Slide 120: IGMP Snooping Interaction
» IGMP and multicast frames are only forwarded within a VLAN
» IGMP Snooping may be configured but will not be enabled for:
  • Interfaces that are members of a LAG
    » But the LAG itself may be enabled
  • Interfaces that are enabled for IGMP
  • Interfaces that are enabled for routing
  • Interfaces that are enabled for VLAN routing
  • A port that is configured as a mirror destination port

Slide 121: IGMP Snooping Topology

Slide 122: IGMP Snooping Standard
» RFCs/drafts supported
  • draft-ietf-magma-snoop-02.txt: IGMP and MLD snooping switches
  • Options implemented/not implemented:
    » Supports detection of multicast routers based on arrival of IGMP Queries as well as PIM and DVMRP control frames
    » Support for topology changes
    » Multicast forwarding table is based on VLAN ID/MAC address
    » Unregistered packets are flooded; no configuration option to suppress this behavior
    » IGMP and multicast frames are only forwarded within a VLAN
    » No support for Multicast Router Discovery Protocol
    » No support for Proxy Reporting

Slide 123: IGMP Snooping MIB
» No standard MIB exists for IGMP Snooping
» MIB supported in Netgear 7000 series switches:
  • agentSwitchIGMPSnoopingAdminMode
  • agentSwitchIGMPSnoopingQueryInterval
  • agentSwitchIGMPSnoopingMaxResponseTime
  • agentSwitchIGMPSnoopingMRPExpirationTime
  • agentSwitchIGMPSnoopingPortMask
  • agentSwitchIGMPSnoopingMulticastControlFramesProcessed
  • agentSwitchIGMPSnoopingDataFramesForwarded
Slide 124: IGMP Snooping CLI
» Global Config Mode CLI commands:
  • [Disable] enable IGMP Snooping
    » [no] set igmp
  • [Disable] enable IGMP Snooping on all interfaces
    » [no] set igmp interfacemode all
  • Commands to configure timers:
    » [no] set igmp groupmembershipinterval <2-3600>
      • Default 125 seconds
    » [no] set igmp maxresponse <1-less than group membership interval>
      • Default 10 seconds
    » [no] set igmp mcrtrpresent <0-3600>
      • Default 0 seconds (no expiration)

Slide 125: IGMP Snooping CLI
» Interface Config Mode CLI commands:
  • [Disable] enable IGMP Snooping on a specific interface
    » [no] set igmp
» Privileged Exec Mode CLI command:
  • Displays enabled interfaces, timers, and counts of control and data frames processed by the CPU
    » show igmpsnooping

Slide 126: IGMP Snooping web admin

Slide 127: IGMP Snooping web admin

Slide 128: IGMP Snooping table

Slide 129: IP Subnetting

Slide 130: VLAN routing
» To the network, the VLAN and router functions are independent entities
» A VLAN can be a port on the router function
» A port is either a VLAN or a router port, not both
» Bridge Layer Processing:
  • The port will perform normal processing and forward unicast packets to the interface found in the MAC address table
» Router Layer Processing:
  • Packet is associated with a VLAN or a physical interface

Slide 131: VLAN Routing
» There is no standard for VLAN Routing
» Only one of the reserved MAC addresses is assigned for all routed VLANs
  • It will be added to the forwarding database if any VLAN is enabled for routing
» When routing is enabled on a port, the STP state is set to forwarding as soon as the link is up
» "Speed" (used for calculating the cost of the VLAN interface) is set to 10 Mbps for VLAN Routing interfaces

Slide 132: VLAN Routing Limitations
» Only IVL is supported with VLAN Routing
  • The MAC address is added to each unicast table associated with the routed VLAN
» When routing is enabled on a port, it will not participate in Layer 2 activities, e.g. GVRP
» VRRP is currently not supported with VLAN Routing
» Number of routed VLANs is platform-specific
» Each routed VLAN is associated with only one subnet
» Platform-specific considerations:
  • May have slow performance on some platforms
  • Forwarding-plane implementation (implemented for SwitchCore)
  • VLAN Routing with VRRP (implemented for SwitchCore)

Slide 133: VLAN Routing CLI
» From VLAN Database mode:
  • CLI command to create routing on a VLAN:
    » vlan routing <vlanid> -- range 1-4094
  • CLI command to delete routing on a VLAN:
    » no vlan routing <vlanid>
» From User Exec mode:
  • CLI command to display VLAN routing information for all VLANs with routing enabled:
    » show ip vlan

Slide 134: VLAN Routing - Web admin

Slide 135: VLAN Routing - Interface admin

Slide 136: VLAN Routing Wizard
Slide 137: RIP
» Routing Information Protocol (RIP)
  • "Interior" gateway protocol for small to medium size networks
  • Each route characterized by number of gateways, or hops
  • Sends an update message every 30 seconds to all adjacent routers
  • Version 1 -- RFC 1058
    » Routes specified by IP destination network and hop count
    » Updates broadcast to all stations on the attached network
  • Version 2 -- RFC 1723 (since obsoleted by RFC 2453)
    » Addition of subnet mask and gateway to the route description
    » Special multicast address (224.0.0.9) for route updates
    » Compatibility mode to communicate with RIPv1 routers
    » Authentication protects route table updates. The simple-password scheme of RFC 1723 carries the password in cleartext in every update, so it stops misconfigured routers but not a host on the segment that can sniff it; keyed MD5 authentication for that case is defined in RFC 2082 (support for it is not stated on this slide)
  • FASTPATH has APIs for:
    » Configuration and gathering statistics

Slide 138: RIP - Web admin

Slide 139: OSPF
» Open Shortest Path First (OSPF)
  • An "interior" gateway protocol designed for medium to large scale networks
  • Uses Hello packets to discover neighboring routers
  • Link state protocol: link state advertisements (LSAs) are flooded as a result of network topology changes
  • Autonomous system hierarchy with intra- and inter-area routing
  • Provides a mechanism for authentication of data
  • The shortest path algorithm may result in multiple equal cost paths to the same destination. This is useful for load balancing, route redundancy and traffic management

Slide 140: OSPF - Web admin
Slide 141: BootP / DHCP Relay
» Implemented as defined in RFC 1542 (Section 4) and RFC 3046
  • Supports the Circuit ID sub-option
  • Does not support the Remote ID sub-option
» Relays BOOTP/DHCP requests when there is no server on the subnet
» Requests are regenerated, not forwarded as-is
» Configuration required to:
  • Enable/disable the agent (default = disabled)
  • Enable/disable DHCP agent options (default = disabled)
  • Enable/disable adding each DHCP agent sub-option (default = disabled)
  • Set the forwarding IP address
    » One per box, not multiple as defined in the RFC

Slide 142: BootP/DHCP relay - CLI
» no bootpdhcprelay disable
» bootpdhcprelay serverip 10.4.1.50
» bootpdhcprelay cidoptmode

Slide 143: BootP / DHCP Relay - Web config

Slide 144: VRRP
» Implemented in accordance with RFC 2338 (since obsoleted by RFC 3768)
  • Supports only a single IP address per Virtual Router
  • Supports multiple Virtual Routers per interface
» Eliminates the single point of failure associated with static default routes
» Dynamically assigns forwarding responsibility for an IP address to one router within the VRRP group
» Any of the virtual router's IP addresses can be used as the default first-hop router
» Responsibility can be reassigned without reconfiguring the network

Slide 145: VRRP CLI
» CLI command to set VRRP for the box:
  • [no] vrrp disable
» CLI command to enable a virtual router on an interface:
  • [no] vrrp enable
» CLI commands to set VRRP parameters for an interface:
  • [no] vrrp priority <1-254>
  • [no] vrrp ip
  • [no] vrrp preempt
  • [no] vrrp timers advertise
  • [no] vrrp authentication
  • vrrp removedetails
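The protocol behind the VRRP slide and the two-switch "Example" that follows, as an added Python example (not code from this NETGEAR deck). It encodes and decodes RFC 2338 advertisements with a correct checksum, applies the election rule (priority 255 marks the address owner, Switch#1 in the example; higher priority wins, ties go to the higher primary IP; priority 0 means the master is releasing the address) and computes the Master_Down_Interval that decides how quickly Switch#2 takes over. The constructed advertisements use the addresses and priorities from the example; the password "secret" is made up. The test shows the practitioner's caveat: RFC 2338 simple-text authentication rides in cleartext in every advertisement, which is why RFC 3768 later dropped VRRP authentication altogether.

```python
"""VRRPv2 (RFC 2338) advertisements and the master election rules.

Added example (not code from the NETGEAR deck). Packets are built and parsed
for the two-switch "Example" on the VRRP slides: Switch#1 (192.168.3.101,
priority 255) owns virtual address 192.168.3.101 under VRID 20; Switch#2
(192.168.3.102, priority 200) backs it up. Authentication type 1 is the
RFC 2338 simple text password; it rides in the clear in every advertisement.
Timer values follow RFC 2338 section 6.1.
"""
import ipaddress
import struct

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE = 0, 1


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, vips, adver_int=1, auth_type=AUTH_NONE, auth_data=b""):
    """Encode a VRRPv2 ADVERTISEMENT: 8-byte header, N IPv4 addresses, 8 bytes of auth data."""
    if not 0 <= priority <= 255 or not 1 <= vrid <= 255:
        raise ValueError("VRID 1-255, priority 0-255")
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(vips), auth_type, adver_int, 0)
    addrs = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    auth = auth_data.ljust(8, b"\x00")[:8]
    body = header + addrs + auth
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Decode an advertisement; reject bad checksums and non-v2 packets."""
    if len(pkt) < 16 or inet_checksum(pkt) != 0:
        raise ValueError("bad VRRP length or checksum")
    vt, vrid, prio, count, atype, aint, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or (vt & 0x0F) != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "vips": vips, "auth_type": atype,
            "adver_int": aint, "auth_data": pkt[8 + 4 * count:16 + 4 * count]}


def master_down_interval(priority: int, adver_int: int = 1) -> float:
    """Seconds a backup waits without advertisements before taking over."""
    skew_time = (256 - priority) / 256          # higher priority -> shorter wait
    return 3 * adver_int + skew_time


def stays_master(local_prio: int, local_ip: str, adv_prio: int, adv_ip: str) -> bool:
    """Election rule: higher priority wins, ties go to the higher primary IP address."""
    if adv_prio == 0:
        return True                              # priority 0: the peer is giving up the address
    if local_prio != adv_prio:
        return local_prio > adv_prio
    return int(ipaddress.IPv4Address(local_ip)) > int(ipaddress.IPv4Address(adv_ip))


# Constructed advertisements for the two GSM7312s in the slide example.
SWITCH1_ADV = build_advertisement(20, 255, ["192.168.3.101"], auth_type=AUTH_SIMPLE, auth_data=b"secret")
SWITCH2_ADV = build_advertisement(20, 200, ["192.168.3.101"], auth_type=AUTH_SIMPLE, auth_data=b"secret")
```

Because any host on the 192.168.3.0/24 segment can read the password and forge an advertisement with priority 255, the protection against a rogue master has to come from the network (keep untrusted ports off the VLAN the virtual router lives on), not from the authentication field.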
Slide 146: VRRP CLI
» CLI command to display VRRP state and statistics for the box:
  • show vrrp
» CLI commands to display VRRP parameters and statistics for interfaces:
  • show vrrp interface brief
    » Information on all virtual routers
  • show vrrp interface
  • show vrrp interface stats

Slide 147: VRRP CLI (repeats slide 146)

Slide 148: VRRP - Web admin

Slide 149: Example (network diagram; labels as extracted)
• Internet Connection #1: Router 192.168.1.1
• Internet Connection #2: Router 192.168.3.1
• Default gateways: 192.168.1.1 for the 192.168.1.100 interface (Port 0.5), 192.168.3.1 for the 192.168.3.101 interface (Port 0.3)
• GSM7312 Switch#1, master router: Port 0.3 192.168.3.101, VRID 20, priority 255, virtual address 192.168.3.101
• GSM7312 Switch#2, backup router: Port 0.4 192.168.3.102, VRID 20, priority 200, virtual address 192.168.3.101
• Layer 2 switch with end station 192.168.3.100, default gateway 192.168.3.101

Slide 150: Example
1. Enable routing on the switch
2. Enable routing on the interface
3. Assign an IP address to the interface

Slide 151: Example
4. Set up the default route to the internet connection

Slide 152: Example
5. Enable VRRP on the switch
6. Assign a VRID to the interface
7. Assign a virtual IP
8. Assign a priority

Slide 153: Example
9. Create the backup router on switch#2 using the same steps

Slide 154: QOS Support
• Bandwidth Provisioning (not supported)
• Access Control Lists (ACL)
• Differentiated Services
  » Class
  » Policy
  » Service
Slide 155: QoS Terminologies
» QoS terms:
  • Bandwidth Profile
    » Average BW
    » Peak BW
  • Class (match filter)
    » Source/destination MAC address
    » Source/destination IP address
    » Class of Service (IEEE 802.1p priority) value
    » VLAN information (VLAN ID)
    » IP Service Type (AKA ToS bits, Precedence value, DSCP value)
    » Layer 4 protocol (TCP, UDP etc.)
    » Layer 4 source/destination ports
  • Policy
    » Drop/Send (ACL)
    » Mark DSCP
    » Police (to Bandwidth Profile)
  • Service
    » Apply Class and Policy to an interface

Slide 156: Bandwidth Provisioning
» Permits delivery of varying levels of allocated bandwidth to users on the same physical interface
  • Provides Committed Information Rate
  • Provides Maximum Burst Rate
» Allocates bandwidth by mapping a subscriber's traffic profile to a prescribed policy
» Actively provisions minimum and maximum bandwidth
» Benefits
  • Enables control of bandwidth allocated to users, applications, and organizations sharing the same link
  • Enables delivery of adequate levels of service without over-provisioning network equipment
  • Reduces risk of network congestion
  • Prevents a small number of applications or users from consuming all the available bandwidth

Slide 157: Bandwidth Allocation (Traffic Class)
» Configuring Bandwidth Provisioning
  • Create a Traffic Class -- type VLAN only
  • Attach the TC to an interface and assign a VLAN ID
  • Create a Bandwidth Allocation Profile and assign minimum and maximum bandwidth
  • Attach the Profile to the Traffic Class
  • Max of 128 Traffic Classes
» VLAN traffic transmitted on the interface is guaranteed the minimum bandwidth
» VLAN traffic transmitted on the interface will not exceed the maximum bandwidth

Slide 158: Bandwidth allocation profile
» Operator associates a Bandwidth Allocation Profile (BAP) with a Traffic Class
  • BAP defines minimum and maximum bandwidth for a VLAN
  • Default BAP: min. = 1 Mbps, max. = 100 Mbps
  • Sum of all min. bandwidth definitions for an interface may not exceed its capability, except for LAGs
  • There is no limit on max. bandwidth definitions
  • Maximum of 128 BAPs, including the default

Slide 159: Bandwidth Allocation CLI
» Privileged and User Exec mode commands:
  • Display traffic class information:
    » show bwp-trafficclass summary
    » show bwp-trafficclass detailed
    » show bwp-trafficclass allocatedbw { | all}
  • Display bandwidth allocation information:
    » show bwp-bwallocation summary
    » show bwp-bwallocation detailed

Slide 160: Bandwidth Allocation CLI
» Bwprovisioning Config mode:
  • [Delete] create a Bandwidth Allocation Profile and change to Bwprovisioning Config mode
    » [no] bwallocation
» Bwprovisioning Config mode:
  • Configure the maximum bandwidth for the BAP
    » [no] maxbandwidth -- default 100 Mbps
  • Configure the minimum bandwidth for the BAP
    » [no] minbandwidth -- default 1 Mbps

Slide 161: Bandwidth Allocation CLI
» Bwprovisioning Config mode:
  • [Delete] create a traffic class and change to Traffic-Class Config mode
    » [no] trafficclass
» Traffic-Class Config mode:
  • Associate a VLAN with the traffic class
    » vlan
  • Attach an interface to the traffic class
    » port
  • Assign the priority for the traffic class
    » weight
  • Associate a BAP with the traffic class
    » bwallocation

Slide 162: ACL
» Process:
  • Create an Access Control List, specifying an ACL ID and a rule
  • Up to 10 rules can be specified for an ACL, using the same command
  • Associate the ACL with a protocol using distribute-list
» Usage:
  • If a packet matches Rule 1, the action is taken (permit or deny)
  • If not, the packet is tested against Rule 2, and so on
  • If a packet does not match any user-defined rule, it will always match the 'implicit deny' rule and be dropped
Slide 163: ACL CLI
» Global Config Mode commands to create ACLs and rules:
  • [Delete] create an Access Control List
    » [no] access-list <0-199> {permit | deny} { | }
» Privileged and User Exec mode display command:
  • show ip access-lists

Slide 164: ACL
» Host A is allowed access to the Human Resources Network; Host B's access is blocked

Slide 165: ACL
• ACLs are made up of a sequential collection of permit and deny conditions, called rules
• Rules can be configured to inspect up to six fields of a packet:
  » Source IP
  » Destination IP
  » Source L4 port
  » Destination L4 port
  » TOS byte
  » Protocol number
• Access control lists are applied to one or more interfaces:
  » For inbound traffic only, or
  » For outbound traffic only

Slide 166: ACL Support
» There is no standard for ACLs:
  • MIB support is provided in the Enterprise MIB
» Management via CLI, Web and SNMP
» Limitations:
  • Classification is performed only on the six-tuple field
  • Maximum number of ACLs is 100
  • Maximum number of rules per ACL is 10
  • An ACL can be applied to more than one interface, but only in one direction

Slide 167: Creating an ACL
» Process:
  • The user creates an ACL by specifying a number through the management layer, the ACL ID
  • The user adds new rules to the ACL
  • The user configures the match criteria for the rules
  • The user applies the ACL to one or more interfaces
  • The user specifies the direction, inbound or outbound, in which the list should be applied
Slide 168: ACL CLI
» Global Config Mode:
  • [Delete] create a standard ACL and its rules:
    » [no] access-list <1-99> {deny | permit} {every | }
  • [Delete] create an extended ACL and its rules:
    » [no] access-list <100-199> {deny | permit} {every | {icmp | igmp | ip | tcp | udp | } [{eq { | } | range }] [precedence ] [tos ] [dscp ]}

Slide 169: ACL CLI
» Privileged and User Exec Mode:
  • Display an ACL and all of its rules:
    » show ip access-lists
» Global Config Mode:
  • Attach an ACL to all interfaces
    » ip access-group [in | out]
» Interface Config Mode:
  • Attach an ACL to a specific interface
    » ip access-group [in | out]

Slide 170: ACL - Web admin

Slide 171: ACL Rule - Web admin

Slide 172: ACL Example
Topology: the switch connects the Internet, the 66.33.22.0/24 network and the internal subnets 192.168.251.130/27, 192.168.251.161/27 and 192.168.251.192/27
Objective: restrict SSH access from the Internet to 66.33.22.0/24 only, while allowing it from the whole internal network
Rules (tested in order; the final permit is needed because of the implicit deny at the end of every ACL):
  Rule  Action  Protocol  Source             Destination          Port
  1     Allow   TCP       66.33.22.0/24      192.168.251.130/27   22
  2     Allow   TCP       192.168.251.0/24   192.168.251.130/27   22
  3     Deny    TCP       0.0.0.0/0.0.0.0    192.168.251.130/27   22
  4     Permit  ALL       0.0.0.0/0.0.0.0    0.0.0.0/0.0.0.0      ALL

Slide 173: Step 1: Create the ACL and apply it to interfaces

Slide 174: Step 2: Create rule #1

Slide 175: Step 3: Define rule #1

Slide 176: Step 4: Create rule #2

Slide 177: Step 5: Create rule #3

Slide 178: Step 6: Create rule #4

Slide 179: ACL Created
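The first-match evaluation described on the ACL slides, run over the four rules of the ACL Example, as an added Python example (not code from this NETGEAR deck). It shows which rule fires for SSH from 66.33.22.0/24, from the internal network and from elsewhere on the Internet, that non-SSH traffic falls through to rule 4, that dropping rule 4 leaves everything else to the implicit deny, and that moving the catch-all permit to the top silently defeats the list. The class and function names (Rule, Packet, evaluate) and the test addresses are made up; the 192.168.251.130/27 destination is written as on the slide and read as the 192.168.251.128/27 network.

```python
"""First-match ACL evaluation with the implicit deny, on the "ACL Example" rules.

Added example (not code from the NETGEAR deck). Rules are tested in order and
the first match decides; a packet matching no rule hits the implicit deny.
The 192.168.251.130/27 destination notation comes from the slide
(ip_network(strict=False) reads it as 192.168.251.128/27).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source network; 0.0.0.0/0 matches every source
    dst: str = "0.0.0.0/0"
    protocol: Optional[int] = None  # IP protocol number, None = any
    dport: Optional[int] = None     # destination L4 port, None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field a rule specifies must match; unspecified fields are wildcards."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based rule number); rule number None means the implicit deny fired."""
    for number, rule in enumerate(acl, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "deny", None


SSH_SERVERS = "192.168.251.130/27"   # as written on the slide; the network is 192.168.251.128/27
ACL_EXAMPLE = [
    Rule("permit", src="66.33.22.0/24", dst=SSH_SERVERS, protocol=TCP, dport=22),     # rule 1
    Rule("permit", src="192.168.251.0/24", dst=SSH_SERVERS, protocol=TCP, dport=22),  # rule 2
    Rule("deny", dst=SSH_SERVERS, protocol=TCP, dport=22),                             # rule 3
    Rule("permit"),                                                                     # rule 4
]
```

Rule order is the whole control here: the switch applies at most 10 rules per ACL and stops at the first hit, so a catch-all permit must be the last rule, and a specific deny must sit above any permit that would otherwise cover it.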
Slide 180: DiffServ - Standard
» RFCs/drafts supported
  • "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers" (RFC 2474)
    » No known exceptions, limitations, or omissions
  • "An Architecture for Differentiated Services" (RFC 2475)
    » No known exceptions, limitations, or omissions
  • "Assured Forwarding PHB Group" (RFC 2597)
    » Most platforms limited to 1 AF class (AF3x)
    » Relies on hardware implementation for compliance
  • "An Expedited Forwarding PHB (Per-Hop Behavior)" (RFC 3246)
    » No known exceptions, limitations, or omissions
    » Relies on hardware implementation for compliance
  • "New Terminology and Clarifications for DiffServ" (RFC 3260)
    » No known exceptions, limitations, or omissions

Slide 181: Diffserv
» Classify IP packets into marked traffic streams
  • Multi-field classification on the IP 6-tuple (and more) at the edge
  • IP DSCP/Precedence classification by interior nodes
» Condition traffic streams at ingress
  • Marking, policing
» Provision network node resources to handle marked traffic according to per-hop behavior specifications
  • Bandwidth allocation, queuing, outbound rate shaping
» Independent of FASTPATH Switching or Routing
  • Requires either one as a prerequisite in the build
  • Not involved in the packet forwarding decision

Slide 182: Diffserv - Edge

Slide 183: DiffServ Interior
Slide 184: DiffServ Limitation
» IPv4 packets only
» Reference class definitions
  • A class may reference one other class of the same type
    » 'all'-to-'all', 'any'-to-'any'
    » Class type 'acl' not supported
  • 'exclude' parameter not supported
  • Total reference class chain limited to 2x the max number of rules per class
» Minimal configuration "undo" capability
  • May delete a class, policy or policy instance if not currently referenced
  • Generally, class rules and policy attributes cannot be deleted
    » Must delete the parent class/policy and re-specify
    » Can sometimes delete a rule/attribute if it is the most recent one added

Slide 185: DiffServ Support
» General DiffServ support
» Class type
  • 'all'
» Class match fields
  • Each match condition field
  • The 'exclude' option
  • Support for masks (for fields that have them)
  • Support for ranges (e.g., layer 4 port range)
» Policy definition
  • Whether the outbound policy classifier is unrestricted
  • Inbound attributes and styles
  • Each outbound attribute

Slide 186: DiffServ CLI
» Privileged Exec mode display commands
  • General DiffServ information
    » show diffserv
  • Service information
    » show diffserv service brief {in | out}
    » show diffserv service {in | out}
  • Policy information
    » show policy-map []
    » show policy-map interface {in | out}
  • Class information
    » show class-map []
  • Statistics
    » show service-policy-map {in | out}

Slide 187: Configure DiffServ on 7000 switches
1. Create a DiffServ Class
2. Select matching criteria for the DiffServ Class
3. Create a Policy
4. Assign classes to the Policy
5. Define the Policy Class
6. Apply the Policy to interfaces
Slide 188: DiffServ CLI
» Global Config mode commands:
  • [Disable] enable DiffServ
    » [no] diffserv
  • [Delete] create a DiffServ class
    » [no] class-map [{match-all | match-any | match-access-group }]
  • Rename a DiffServ class
    » class-map rename
  • Attach a policy to all interfaces
    » service-policy {in | out}
» Successful execution of the class-map command:
  • Changes the mode to Class-Map Config
  • Class-Map Config commands will apply to the specified classmapname

Slide 189: DiffServ - CLI
» Class-Map Config mode commands:
  • Add match conditions to a class
    » match [not] cos <0-7>
    » match [not] {destination-address | source-address} mac
    » match [not] {dstip | srcip}
    » match [not] {dstl4port | srcl4port} { | <0-65535> [<0-65535>]}
    » match [not] ip dscp
    » match [not] ip precedence <0-7>
    » match [not] ip tos
    » match [not] protocol { | <0-255>}
    » match [not] vlan <1-4094>
    » match [not] any

Slide 190: DiffServ - CLI
» Global Config mode commands:
  • [Delete] create a DiffServ policy
    » [no] policy-map {in | out}
  • Rename a DiffServ policy
    » policy-map rename
» Successful execution of the policy-map command:
  • Changes the mode to Policy-Map Config
  • Policy-Map Config commands will apply to the specified policyname
» Interface Config mode command:
  • Attach a policy to an interface
    » service-policy {in | out}

Slide 191: DiffServ CLI
» Policy-Map Config mode command:
  • Create a class definition instance within the policy
  • The classname is the name of an existing DiffServ class
    » class <classname>
» Successful execution of the class command:
  • Changes the mode to Policy-Class-Map Config
  • Policy-Class-Map Config commands will apply to the specified classname
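The three match conditions match ip dscp, match ip precedence and match ip tos all read the same byte of the IPv4 header, and the mark ip-dscp action rewrites it. The following added Python example (not code from this NETGEAR deck) splits that DS byte into DSCP, precedence and ECN, names the per-hop behaviour (EF per RFC 3246, AFxy per RFC 2597, class selectors per RFC 2474), applies the DSCP to queue table from the later DSCP priority queue mapping slide, and performs a DSCP rewrite on a constructed IPv4 header that leaves the ECN bits alone and recomputes the header checksum. The function names, the addresses and the header itself are made up for the example. The relevant check for an edge device: traffic arriving from an untrusted port with DSCP 46 already set lands in the highest queue unless a policy re-marks it, which is what mark ip-dscp is for.

```python
"""The IPv4 DS byte that DiffServ class match conditions read.

Added example (not code from the NETGEAR deck). 'match ip dscp',
'match ip precedence' and 'match ip tos' all inspect byte 1 of the IPv4
header; this splits that byte into DSCP, precedence and ECN, names the PHB
(RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF), applies the DSCP to
queue table from the "DSCP priority queue mapping" slide, and performs a
'mark ip-dscp' rewrite that keeps the ECN bits and fixes the header checksum.
Headers are constructed; addresses are made up.
"""
import ipaddress
import struct
from typing import Tuple

# DSCP -> output queue as listed on the mapping slide; unlisted values use queue 0.
DSCP_QUEUE = {46: 3, 26: 2, 28: 2, 30: 2, 32: 1, 40: 1, 48: 1, 56: 1}


def split_ds_byte(ds: int) -> Tuple[int, int, int]:
    """(dscp, precedence, ecn): DSCP is the top 6 bits, precedence its top 3, ECN the low 2."""
    dscp = ds >> 2
    return dscp, dscp >> 3, ds & 0x03


def phb_name(dscp: int) -> str:
    if dscp == 46:
        return "EF"
    cls, drop = dscp >> 3, (dscp >> 1) & 0x03
    if cls in (1, 2, 3, 4) and drop in (1, 2, 3) and (dscp & 1) == 0:
        return f"AF{cls}{drop}"                 # e.g. 26 -> AF31, 28 -> AF32, 30 -> AF33
    if (dscp & 0x07) == 0:
        return f"CS{cls}"                       # class selector, precedence-compatible
    return f"DSCP{dscp}"


def output_queue(dscp: int) -> int:
    return DSCP_QUEUE.get(dscp, 0)


def ipv4_checksum(hdr: bytes) -> int:
    """Header checksum over IHL*4 bytes with the checksum field taken as zero."""
    h = bytearray(hdr[:(hdr[0] & 0x0F) * 4])
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack(f"!{len(h) // 2}H", bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ds: int, src: str, dst: str, proto: int = 17, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (TTL 64, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, ds, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def classify(hdr: bytes) -> dict:
    """What a DiffServ class sees: DSCP, precedence, ECN, PHB name and the queue it lands in."""
    if hdr[0] >> 4 != 4:
        raise ValueError("IPv4 only (DiffServ limitation on this platform)")
    dscp, prec, ecn = split_ds_byte(hdr[1])
    return {"dscp": dscp, "precedence": prec, "ecn": ecn,
            "phb": phb_name(dscp), "queue": output_queue(dscp)}


def mark_dscp(hdr: bytes, new_dscp: int) -> bytes:
    """'mark ip-dscp <new_dscp>': rewrite the six DSCP bits, keep ECN, recompute the checksum."""
    if not 0 <= new_dscp <= 63:
        raise ValueError("DSCP is 0-63")
    marked = bytearray(hdr)
    marked[1] = (new_dscp << 2) | (hdr[1] & 0x03)
    marked[10:12] = struct.pack("!H", ipv4_checksum(bytes(marked)))
    return bytes(marked)
```

A class built with match ip precedence 5 also matches EF (46 = 101110, precedence 5), which is why a voice policy is normally written against the exact DSCP rather than the precedence bits.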
Slide 192: DiffServ CLI
» Policy-Class-Map Config mode commands:
  • Reserve minimum bandwidth
    » bandwidth kbps <1-4294967295>
    » bandwidth percent <1-100>
  • Reserve maximum bandwidth
    » expedite kbps <1-4294967295> [1-128]
    » expedite percent <1-100> [1-128]
  • Specify that packets are to be marked
    » mark cos <0-7>
    » mark ip-dscp
    » mark ip-precedence <0-7>
  • Establish traffic shaping
    » shape bps-average <1-4294967295>
    » shape bps-peak <1-4294967295> <1-4294967295>
  • Change queue depth management from tail drop to RED
    » randomdrop <1-250000> <1-500000> <0-100> [<0-1000000> [<0-16>]]

Slide 193: DiffServ CLI
» Policy-Class-Map Config mode commands:
  • Establish traffic policing style
    » police-simple {<1-4294967295> <1-128> conform-action [violate-action ]}
    » police-single-rate {<1-4294967295> <1-128> <1-128> conform-action exceed-action [violate-action ]}
    » police-two-rate {<1-4294967295> <1-128> <1-4294967295> <1-128> conform-action exceed-action [violate-action ]}
  • Where:
    » conform-action, exceed-action and violate-action parameters = {drop | set-prec-transmit <0-7> | set-dscp-transmit <0-63> | transmit}

Slide 194: DiffServ - Web admin

Slide 195: DiffServ Class - Web admin

Slide 196: DiffServ Policy - Web admin

Slide 197: DiffServ Policy Class - Web admin

Slide 198: Diffserv Wizard

Slide 199: 802.1p priority queue mapping
  802.1p priority   Queue     Level
  4-7               queue 1   High
  0-3               queue 0   Normal

Slide 200: DSCP priority queue mapping
  DSCP              Queue     Level
  46                queue 3   Highest
  26, 28, 30        queue 2   High
  32, 40, 48, 56    queue 1   Low
  Everything else   queue 0   Lowest

Slide 201: DiffServ Example
Objective: set up a NETGEAR FSM7326P (PoE) switch to prioritize traffic sent from a ShoreTel VoIP phone system with a DiffServ tag set (EF)

Slide 202: Step 1: Create the DiffServ Class

Slide 203: Step 2: Add matching criteria to the class

Slide 204: Step 3: Create the DiffServ Policy

Slide 205: Step 4: Add the DiffServ class to the policy

Slide 206: Step 5: Create the Policy Class Definition

Slide 207: Step 6: Assign the DiffServ Policy to the interface

Slide 208: Power over Ethernet (FSM7326P)

Slide 209: PoE troubleshooting
» devshell hapiPoeDebugHwDump -- must be issued over the serial console connection

Slide 210: Questions and Answers